Running the update command of your package manager in its own RUN instruction stores the package index cache in the image's file system. This cache is not needed for the installed software to work properly.
Why is this an issue?
Leaving unnecessary files in a Docker image increases its size. Docker images should be small and contain only the data they need. The package index cache is obsolete once the installation has completed: it only served to resolve the packages to install.
How to fix it
Code examples
Noncompliant code example
RUN apk update
RUN apt-get update
RUN aptitude update
Here each line represents the update command of one of the most popular package managers. Each of them stores the cache index in the newly created layer.
Compliant solution
RUN apk update && apk add ...
RUN apt-get update && apt-get install ...
RUN aptitude update && aptitude install ...
Here, in each line, the package installation follows the update, and both happen in a single RUN instruction, so only one layer is created. After installing all packages, the cache index should also be removed in that same instruction. For more details, please see rule S6587.
How does this work?
Each RUN instruction creates a new layer in Docker. If apt-get update or an equivalent command is executed on its own, the cache is stored in that new layer, and this increases the size of the final image. Removing the cache in a later RUN instruction does not shrink the image: the files remain in the earlier layer, and the later layer only records their deletion. This overhead is not needed in a Docker image. Updating the cache and installing packages should therefore be executed in one step (one RUN instruction). Keeping them together also avoids a build-cache pitfall: a standalone RUN apt-get update layer is reused by later builds, so a modified install instruction would otherwise be resolved against a stale package index.
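The following is an added example, not part of this rule page or of the analyzer itself: a small POSIX shell check that applies the rule described in the "How to fix it" and "How does this work?" sections to a Dockerfile. It joins backslash-continued lines so that each RUN instruction is examined as a whole, then reports every RUN that executes apk, apt-get, apt or aptitude update without an install in the same instruction. The function names, the sample Dockerfile (a constructed fixture that mixes package managers which would never coexist in a real image) and the temporary file handling are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the rule page): flag RUN instructions that
# refresh the package index without installing anything in the same
# instruction. Function names and the sample file are this example's own.

# Write a constructed sample Dockerfile to the path given as $1.
# Lines 3-5 are noncompliant; lines 7-11 are compliant and also clean up.
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
FROM debian:bookworm-slim
# Noncompliant: each update is alone in its own RUN instruction
RUN apt-get update
RUN apk update
RUN aptitude update
# Compliant: update and install in one instruction, index removed at the end
RUN apt-get update \
    && apt-get install -y --no-install-recommends curl ca-certificates \
    && rm -rf /var/lib/apt/lists/*
RUN apk update && apk add curl && rm -rf /var/cache/apk/*
RUN apk add --no-cache curl
EOF
}

# Join backslash-continued lines so that one Dockerfile instruction becomes
# one output line, prefixed with the line number where it started.
join_continuations() {
    awk '
        {
            if (buf == "") start = NR
            if ($0 ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
            print start ": " buf $0
            buf = ""
        }
        END { if (buf != "") print start ": " buf }
    ' "$1"
}

# Print every RUN instruction that runs "<pm> update" but no install in the
# same instruction. Exit status is 1 when at least one was found, 0 otherwise.
find_lone_updates() {
    join_continuations "$1" | awk '
        BEGIN { found = 0 }
        /^[0-9]+:[ \t]*RUN[ \t]/ {
            upd  = ($0 ~ /(apk|apt-get|apt|aptitude)[ \t]+update/)
            inst = ($0 ~ /apk[ \t]+add/ || $0 ~ /(apt-get|apt|aptitude)[ \t]+install/)
            if (upd && !inst) { print "line " $0; found = 1 }
        }
        END { exit found }
    '
}

# Demo: scan the constructed sample and print the findings.
sample=$(mktemp)
write_sample_dockerfile "$sample"
find_lone_updates "$sample" || echo "noncompliant RUN instructions found"
rm -f "$sample"
```

Run it against a real Dockerfile with `find_lone_updates path/to/Dockerfile`; a non-zero exit status makes it usable as a CI gate. The check deliberately treats a multi-line RUN as a single instruction, which is exactly the distinction the rule cares about: an update followed by an install on a continued line is one layer, while the same two commands in separate RUN instructions are two.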
Resources
Documentation