This post I'm writing is mostly in response to the discussion happening on a GitHub issue I filed against dokku. As with all security matters, I've done the best job I can, but it's important to have other eyes look at it too, so if I'm wrong anywhere in here, let me know.
In a previous post, I wrote about keeping the base image under apps deployed on Dokku up to date. When using Dokku, it's important to understand that it's not enough to keep the host OS up to date; you need to keep all the services and libraries installed in all the containers that your app uses up to date as well.
The first area of complexity is that you have two systems to keep up to date: The host OS and the OS inside the container.
The Host OS
The Container OS
Dokku now provides herokuish packages for dokku, the latter of which theoretically keeps the container environment up to date. Your app container is built on the herokuish container, which is built on the heroku/cedar:14 container, which is built on the ubuntu-debootstrap container. What this means is that if there's any poor security update policy anywhere in that chain, your app will run insecure software.
The ubuntu-debootstrap container is maintained by a contributor to Docker Hub, and if you look at the history of the manifest, you can see that it isn't updated all that often. The good news is that it doesn't matter! The heroku/cedar:14 image, when it is built, does an apt-get update && apt-get upgrade, so all security-updated packages will be brought up to date. This means we're effectively insulated from the poor update cycle on
What we're not insulated from, however, is the poor update cycle on heroku/cedar:14. As of the time of writing, the most recent entry on heroku/cedar:14's build list is from October 2nd. Since then, there have been vulnerabilities addressed in OpenJDK, for example. Comparing the GitHub repo history and the heroku/cedar build history, it looks like they aren't rebuilding when there are new security updates, but only when there are new commits.
What this means is that the basis for gliderlabs/herokuish is insecure and can't be trusted, as the herokuish build process does not do an apt-get update && apt-get upgrade when building.
What can we do?
Manually build the images. :(
Here's the script that I'm now using, updated for the newer version of
This script is running daily, rebuilding my images to make sure the window of any vulnerabilities on my box is as low as possible.
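The post's own script is not reproduced above. As an added example in the same spirit, not the author's script or anything from the dokku or herokuish projects, here is a daily rebuild that, rather than rebuilding the whole image chain, layers the apt-get update && apt-get upgrade that herokuish skips onto the published herokuish image and re-tags the result. It assumes Docker is installed on the host and that Dokku takes its build image from the gliderlabs/herokuish:latest tag (both are assumptions, adjustable through the two variables at the top).

```shell
#!/bin/sh
# Daily refresh of the herokuish image Dokku builds apps on.
# Added example, not the post's own script. Assumptions: docker is on PATH and
# Dokku resolves its build image through the gliderlabs/herokuish:latest tag.
# Instead of rebuilding the whole ubuntu-debootstrap -> heroku/cedar:14 ->
# herokuish chain, it adds one layer that runs the apt-get update && upgrade
# herokuish itself skips, then re-tags the result so Dokku uses it on next push.
set -eu

SOURCE_IMAGE="${SOURCE_IMAGE:-gliderlabs/herokuish:latest}"
TARGET_IMAGE="${TARGET_IMAGE:-gliderlabs/herokuish:latest}"

# Emit the Dockerfile for the upgrade layer; $1 is the image to patch.
# A function, so the generated build can be inspected without docker present.
render_dockerfile() {
  printf '%s\n' \
    "FROM $1" \
    "ENV DEBIAN_FRONTEND=noninteractive" \
    "RUN apt-get update && apt-get -y --no-install-recommends dist-upgrade \\" \
    "    && apt-get clean && rm -rf /var/lib/apt/lists/*"
}

# Count packages apt would still upgrade inside image $1 (0 means fully patched).
# apt-get -s only simulates; grep -c exits 1 on zero matches, hence the || true.
count_upgradable() {
  docker run --rm "$1" sh -c \
    'apt-get update >/dev/null 2>&1 && apt-get -s upgrade | grep -c "^Inst"' \
    || true
}

rebuild() {
  workdir=$(mktemp -d)
  trap 'rm -rf "$workdir"' EXIT
  # Pull first so each run starts from the newest published build (the pull
  # also resets a same-named tag left by yesterday's run), then layer on top.
  docker pull "$SOURCE_IMAGE"
  render_dockerfile "$SOURCE_IMAGE" > "$workdir/Dockerfile"
  # --no-cache is essential: a cached apt-get update layer would silently
  # reuse an old package index and install nothing new.
  docker build --no-cache -t "$TARGET_IMAGE" "$workdir"
  echo "upgradable packages left in $TARGET_IMAGE: $(count_upgradable "$TARGET_IMAGE")"
}

# Run the build only when asked, e.g. from cron: REBUILD=1 /path/to/this-script
if [ "${REBUILD:-0}" = "1" ]; then
  rebuild
fi
```

The count printed at the end is a useful thing to log from the cron job: it should be 0 right after a rebuild, and watching it climb between runs shows how long your window actually is.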