Ensuring the latest patches are included

Our next steps, apt-get upgrade and apt-get dist-upgrade, are a bit controversial in the current Docker world, but I think they are a good addition, and I'll explain why. On a regular deb package-based Linux distribution (that is, Debian, Ubuntu, and so on), these two commands ensure that your system is fully up to date with the currently released packages for your version of the system. This means that any package that isn't the newest version will be upgraded and any obsolete packages will be replaced with newer ones. Since the general maxim of Docker is that the containers are more or less disposable, updating your container this way seems to be somewhat frowned upon, but it's not without its faults.

Since most Docker images on Docker Hub are only built when the base source files or Dockerfile itself changes, many of these images have older and/or unpatched system libraries, so when the service uses them as a dynamic library, it may be vulnerable to any bugs that have since been fixed. To ensure that we are not behind on this security hardening, we make sure that we update the system before we do anything else. While there is a small risk of the service breaking due to the system API possibly changing and there is an increase in image size due to the additional changes applied, the trade-off is, in my opinion, not good enough to leave the service unprotected, but feel free to use your best judgment here.