The update parameter - xing/fpm-fry GitHub Wiki

On Debian-based systems fpm-fry issues this hint: /var/lib/apt/lists is not empty, you could try to speed up builds with --update=never. I have to be honest that this hint is not very obvious.

What does it do?

--update=never tells fpm-fry not to insert apt-get --yes update before it installs packages. This setting is very beneficial in some circumstances.

Small excursion: Caching

Docker relies heavily on caching build steps. Caching inherently has two possible problems: false misses and false hits.

  • False misses are bad performance-wise but the results can be recalculated correctly
  • False hits are very good performance-wise but the results may be wrong

So if you think about it, false hits are the bigger issue for package building. Therefore the cache and cache invalidation should be designed to avoid false hits.

Docker caching

When using a Dockerfile, docker determines whether its cache is valid by looking at the image id and the command used. Most apt-based Dockerfiles one finds on the internet look pretty much the same. They use a base image that rarely changes (and therefore rarely contains current package lists) and they contain a line like this:

run apt-get --yes update && apt-get install ....

This works if you define "works" as "does not give an error". However, this line is prone to generate false hits. Consider that you ran this Dockerfile some time ago. In the meantime the package lists on the server have changed. The base image sadly wasn't updated or regenerated. So if you run this Dockerfile again you get a cache hit, because neither the image id nor the command has changed :boom: .

But how bad is this? Well, this depends heavily on the packages you install. The worst case is that the image contains outdated packages without you noticing it. Manual cache invalidation is not a solution to the problem because, as I said, you don't notice the problem.

We use --update=never

We build our own base images whenever the package lists change (and don't clean /var/lib/apt). Before each package build we then pull the base image. This way the docker cache is properly invalidated and, if needed, a new clean image is built containing the correct packages. The system works quite well. None of our images contain an apt-get update and our build hosts never needed a manual cache invalidation. Logically we build all our packages with --update=never.

Why --update=never is not the default

Very few docker base images are built like ours. So it's unlikely that this setting works for an arbitrary image. To make it easier for beginners to use fpm-fry we chose a working default, which is to update but hint the user.
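The hint above only checks that /var/lib/apt/lists is non-empty; for the base-image workflow described earlier, what actually matters is whether the lists in the image are recent enough. The following is an added example (not fpm-fry code) of a small POSIX shell helper that decides between --update=never and --update=always by also checking the age of the package indexes; the lists directory path, the "*_Packages*" file pattern and the one-day threshold are assumptions.

```shell
#!/bin/sh
# apt_update_mode: choose a value for fpm-fry's --update flag from the state
# of an apt lists directory. Hypothetical helper, not part of fpm-fry.
#
# Prints "never" when the directory holds package indexes that are all
# younger than the age threshold, and "always" when the directory is
# missing, empty, or contains at least one index older than the threshold.
# Stale indexes are the false-hit case from the text: the build would
# silently resolve against outdated package lists.

MAX_AGE_MIN="${MAX_AGE_MIN:-1440}"   # assumed default: one day

# usage: apt_update_mode LISTS_DIR [MAX_AGE_MIN]
apt_update_mode() {
    lists_dir="$1"
    max_age="${2:-$MAX_AGE_MIN}"

    # No lists directory at all: apt-get update is mandatory.
    if [ ! -d "$lists_dir" ]; then
        echo always
        return 0
    fi

    # apt writes one "<source>_..._Packages" index per source/component
    # (assumed naming; a compression suffix may follow).
    total=$(find "$lists_dir" -maxdepth 1 -type f -name '*_Packages*' | wc -l)
    fresh=$(find "$lists_dir" -maxdepth 1 -type f -name '*_Packages*' \
                 -mmin "-$max_age" | wc -l)

    if [ "$total" -eq 0 ]; then
        echo always            # directory exists but holds no indexes
    elif [ "$fresh" -lt "$total" ]; then
        echo always            # at least one index is older than the threshold
    else
        echo never             # every index is recent: skip apt-get update
    fi
}

# Stand-alone use: apt_update_mode.sh /var/lib/apt/lists
if [ "$#" -gt 0 ]; then
    apt_update_mode "$1"
fi
```

Run it inside the base image (for example via docker run) rather than on the build host, since the lists that matter are the image's own.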