APT usage in Dockerfile violates best practices ( apt-get upgrade used, not pairing apt-get update and install )

[original-brownbear]

The current Dockerfile violates best practices for apt use, documented here, in two ways that need to be fixed together.

apt-get upgrade use

At the end of the Dockerfile it contains the snippet

# One more time, right before the end
RUN apt-get update -y
RUN apt-get upgrade -qq -y

The Docker documentation states:

You should avoid RUN apt-get upgrade or dist-upgrade, as many of the “essential” packages from the base images won’t upgrade inside an unprivileged container.

Given the removal of the --privileged flag in the Rultor Docker run in #1008, apt-get upgrade should be removed from the Dockerfile.

The functionality it provides needs to be substituted by by correctly grouping apt-get update and apt-get install in the same run command and pinning the versions as suggested by Docker docs:

Using apt-get update alone in a RUN statement causes caching issues and subsequent apt-get install instructions fail.

Example:
Lines like these:

RUN apt-get update
RUN apt-get install -y wget bcrypt curl
RUN apt-get install -y unzip zip

Should in order to keep the build stable and make it deterministic become:

RUN apt-get update && apt-get install -y \
 wget=1.15-1ubuntu1.14.04.1 \
 bcrypt=1.1-8 \
 curl=7.35.0-1ubuntu2.6 \
 unzip=6.0-9ubuntu1.5 \
 zip=3.0-8

• Versions taken from the last successful Docker build here.

[alex-palevsky]

@original-brownbear tag "bug" added

[alex-palevsky]

@original-brownbear milestone set to 2.0 (correct me if I am wrong)

[alex-palevsky]

@original-brownbear thanks for this report, I added 30 mins to your account, in transaction AP-9HD17243DB712122L

[original-brownbear]

@alex-palevsky this depends on #1039

[alex-palevsky]

@alex-palevsky this depends on #1039

@original-brownbear right, let's wait for #1039

[original-brownbear]

@alex-palevsky this is postponed.

[alex-palevsky]

@alex-palevsky this is postponed.

@original-brownbear got it, "postponed" label here

[alex-palevsky]

@alex-palevsky this is postponed.

@original-brownbear I will try to find someone else

[alex-palevsky]

@original-brownbear #1039 is closed, it was an impediment

[original-brownbear]

@alex-palevsky assign me here

[original-brownbear]

@alex-palevsky this is not postponed :)

[alex-palevsky]

@alex-palevsky assign me here

@original-brownbear the task is yours, please proceed

[alex-palevsky]

@alex-palevsky assign me here

@original-brownbear in the future, try to avoid assigning yourself to your own tasks

[alex-palevsky]

@alex-palevsky this is not postponed :)

@original-brownbear got it, "postponed" tag removed from here

[alex-palevsky]

@original-brownbear just a reminder that you are working with this task for 15 days already

-30 added to your rating, at the moment it is: +3538

[original-brownbear]

@alex-palevsky more time please, still blocked by decisively more critical tasks :/

[alex-palevsky]

@alex-palevsky more time please, still blocked by decisively more critical tasks :/

@original-brownbear yes, take your time, thanks for letting me know