Dockerfile Updater.
This Python script updates both the base image and included software in a Dockerfile. It uses the output of nvchecker to determine what to update.
This image, working with snw35/nvchecker, automatically updates itself.
This script reads the output of nvchecker. It supports both old (1.x) and new (2.x) output formats, and can also search arbitrary JSON for software package names and versions.
A new_ver.json file generated by nvchecker must exist inside the root of the repository, and it should contain entries for all of the software packages that should be updated, as well as the container base image.
Please see snw35/nvchecker for further instructions on how to configure nvchecker to generate a new_ver.json file that dfupdate can use.
You can update the base image of your container using nvchecker and dfupdate. A suitable entry is required for nvchecker to check an upstream container registry for a newer base image, such as (for the 'python' image):
[BASE]
source = "container"
container = "library/python"
include_regex = "\\d+\\.\\d+\\.?\\d?-alpine\\d\\.\\d+"
Note that the entry must be called 'BASE' for dfupdate to recognise it. The script will update the Dockerfile directly with any newer base image found.
For multi-stage Dockerfiles, dfupdate will attempt to update every FROM line. By default it treats the final stage as BASE. Earlier stages are matched using the stage name, stage index, or both:
- If the stage is named (e.g. FROM node:22-alpine AS builder), use BASE_<NAME> or <NAME>_BASE, for example BASE_BUILDER.
- All stages can also be addressed by index with BASE_STAGE_<index> or BASE<index>, where the first FROM is index 0.
- If none of the above are present, the final stage falls back to BASE.
Example nvchecker.toml for a two-stage build:
[BASE_BUILDER]
source = "container"
container = "library/node"
include_regex = "\\d+\\.\\d+-alpine\\d+\\.\\d+"
[BASE]
source = "container"
container = "library/python"
include_regex = "\\d+\\.\\d+\\.?\\d?-alpine\\d\\.\\d+"
You can update included software in your Dockerfile using nvchecker and dfupdate.
Install software in your Dockerfile using the following ENV vars:
- SOFTWARE_VERSION - the bare version number, e.g. 1.2.3
- SOFTWARE_URL - the base download URL without the filename. Can include $SOFTWARE_VERSION if necessary.
- SOFTWARE_FILENAME - the filename (last part) of the download URL. Can include $SOFTWARE_VERSION if necessary.
- SOFTWARE_SHA256 - the expected sha256 of the retrieved file.
This will result in a block similar to the following, e.g. for kubectl:
ENV KUBECTL_VERSION 1.16.1
ENV KUBECTL_URL https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64
ENV KUBECTL_FILENAME kubectl
ENV KUBECTL_SHA256 69cfb3eeaa0b77cc4923428855acdfc9ca9786544eeaff9c21913be830869d29
RUN wget $KUBECTL_URL/$KUBECTL_FILENAME \
    && echo "$KUBECTL_SHA256  ./$KUBECTL_FILENAME" | sha256sum -c - \
    && chmod +x ./$KUBECTL_FILENAME
- SOFTWARE_VERSION - the bare version number, e.g. 1.2.3
This will result in, e.g. for pip:
ENV REQUESTS_VERSION 2.22.0
ENV DOCKERFILE_PARSE_VERSION 0.0.15
RUN pip3 install --no-cache-dir \
    requests==${REQUESTS_VERSION} \
    dockerfile_parse==${DOCKERFILE_PARSE_VERSION}
You must include an nvchecker configuration section for the software as well (see snw35/nvchecker for complete instructions).
For example:
[KUBECTL]
source = "cmd"
cmd = "wget -qO- https://storage.googleapis.com/kubernetes-release/release/stable.txt"
prefix = "v"
If you first run nvchecker against your repository to update the versions inside new_ver.json, and then run this script, it will update the ENV variables inside the Dockerfile directly. This includes downloading the new binary package and taking its sha256sum.
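An added example (not dfupdate's own code) of the update step described above: it reads the four ENV variables for one package, expands the version into the download URL, and rewrites the VERSION and SHA256 lines from the fetched bytes. The TOOL package, the example.invalid URL, the helper names and fake_fetch (an offline stand-in for the HTTP download) are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample Dockerfile following the ENV convention described above.
SAMPLE = """\
FROM alpine:3.20
ENV TOOL_VERSION 1.0.0
ENV TOOL_URL https://example.invalid/release/v$TOOL_VERSION/bin
ENV TOOL_FILENAME tool-$TOOL_VERSION.tar.gz
ENV TOOL_SHA256 0000000000000000000000000000000000000000000000000000000000000000
"""

ENV_RE = re.compile(r"^ENV\s+(\w+)[ =]+(.*)$", re.M)


def read_env(dockerfile):
    """Return {name: value} for every single-pair ENV line."""
    return {k: v.strip() for k, v in ENV_RE.findall(dockerfile)}


def download_url(env, name, version):
    """Expand $<NAME>_VERSION in URL and FILENAME, then join them."""
    var = f"{name}_VERSION"
    def expand(s):
        return s.replace("${%s}" % var, version).replace("$" + var, version)
    return expand(env[f"{name}_URL"]).rstrip("/") + "/" + expand(env[f"{name}_FILENAME"])


def bump(dockerfile, name, version, fetch):
    """Set <NAME>_VERSION and re-pin <NAME>_SHA256 from the fetched bytes."""
    env = read_env(dockerfile)
    if env.get(f"{name}_VERSION") == version:
        return dockerfile  # already current, leave the pin untouched
    digest = hashlib.sha256(fetch(download_url(env, name, version))).hexdigest()
    for key, val in ((f"{name}_VERSION", version), (f"{name}_SHA256", digest)):
        pattern = rf"^(ENV\s+{key}[ =]+).*$"
        dockerfile = re.sub(pattern, lambda m: m.group(1) + val, dockerfile, flags=re.M)
    return dockerfile


def fake_fetch(url):
    """Offline stand-in for the HTTP download: returns constructed bytes."""
    return b"constructed payload for " + url.encode()


if __name__ == "__main__":
    print(bump(SAMPLE, "TOOL", "1.1.0", fake_fetch))
```

The new pin is the hash of whatever bytes were fetched at update time, so compare it with the checksum upstream publishes when reviewing the resulting Dockerfile change.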
While in the root directory of a compatible project, run the container with the current directory bind-mounted to /data:
docker run -it --rm --mount type=bind,source=${PWD},target=/data/ -w /data snw35/dfupdate:latest