[taeric]

The problem is when there is a vulnerability in some part of an earlier layer. You have to rebuild the entire stack.

I honestly don't think this is necessarily a terrible thing. But, the idea that your common layers are stable is a dangerously bad assumption.

[cpuguy83]

What are you defining as stable? Never changing? That's not something that should even hinted at.

The fact that you can login to a VM and update a package does not make the system stable either (and of course you can actually do this with running containers as well). Add to that you still need to restart running applications to take advantage of the package update (assuming the packages is a shared lib).

Meanwhile you can push new base images, automatically trigger rebuilds and roll out the update when ready.

[taeric]

I suspect we mostly agree with each other. My experience with folks in containers so far has proven to be that this is often hoped, though.

Specifically, we had devs talking about how we wouldn't have to worry about system patching anymore, because the containers would take care of that. With no answer for how we trace versions and patches through our systems.

If you are already tooled enough such that you can completely redeploy a full stack easily without worrying about some in place modifications, the difference between a VM and a container are relatively minimal, all told. Especially since you have to be ready to pull down the host of the containers anyway.

[cpuguy83]

The main difference is the container is focused on an application and a VM is focused on a machine.

Generally the patching problem can be solved with image scanning, of which there are tools out there to deal with this, both FLOSS and pay for.