When running a Debian/Ubuntu-based server, it’s relatively easy to figure out whether updates need to be installed. Tools based on
apt work very well in this regard and even offer advanced features like unattended updates. Not so with services running in Docker containers.
When working with Docker, you typically don’t want to log into your containers and run
aptitude command lines – instead, you want to find out which of them are eligible for updates without changing their state. Then you re-create the underlying image with updated packages, destroy the running containers and create new containers based on the updated image.
I have started a proof-of-concept implementation for Ubuntu that solves the problem of detecting which containers need updating. You can use this as a starting point to build your own tools.