Configuring automatic base image updates for Cloud Run enables Googleto make security patches to the operating system and language runtime componentsof the base image automatically. You don't have to rebuild or redeploy yourservice for the base image to be updated. No new revision is created when thebase image is updated.

To learn about setting security update policies on functionscreated usinggcloud functions commands ortheCloud Functions v2 API, seeExecution environment security.

The following diagram shows how your application code and dependencies("app image") are layered on top of the language runtime, OS packages andOperating System ("base image").The components of the base image are automatically updated by Google.

Security update policy

• Automatic updates: Updates and security patches to the runtime environmentare published in new versions of the runtime image. After a period of testing forstability and reliability, the updated runtime is rolled out to all servicesresulting in a zero downtime update. To take on language-level security fixes,you may need to rebuild functions or services that use compiled languages suchas Go or Java.

• On deployment updates: Updates and security patches are appliedto runtimes only when services are deployed or redeployed, unlessotherwise noted. Updates on deployment are available on bothCloud Run functions (1st gen) and Cloud Run functions.

By default, automatic security updates are enabled for functions deployed using:

• gcloud functions
• Cloud Functions v2 API
• gcloud run with the--functions flag and the--base-image flag

Configuration overview

To configure automatic base image updates, do the following:

• Select a compatible Cloud Run base image.
• Build and deploy your application image in a waythat preserves the ability to safely rebase your running service.

Select a base image

A base image is the starting point for most container-based developmentworkflows. Developers start with a base image and layer on top of it thenecessary libraries, binaries, and configuration files used to run theirapplication.

Google Cloud's buildpacks publishes and maintainsbase images for building Serverless applications. These base images are built ontop of the Ubuntu Linux distribution.

Cloud Run only supports automatic base images that useGoogle Cloud's buildpacks base images.

You must consider the following when choosing a buildpacks baseimage:

• Stack: Astack is made up of a Linuxdistribution version and system packages, such as OpenSSL and curl.
• Language: The specific version of the programming language used by yourapplication.

Reviewruntime base imagesto learn more about base image variations.

Build the application image

Services with automatic updates enabled will need to provide an applicationimage that omits the base operating system layers. There are two ways to dothis:

• Use Cloud Run deploy from source(recommended)
• Using a build system, copy your application onto ascratch image

Deploy from source

You can use the Cloud Runsource deployment option to build anddeploy your code so that your service is compatible with receiving automaticupdates. To do this, you must supply the--base-image flag when creating yourapplication.

For example, to deploy a Node.js service with automatic base image updatesenabled, you would use the following command:

gcloudrundeploy\--source.\--base-imagenodejs24\--automatic-updates

Todeploy a function, you must specify the--function flag with the function entry point from your source code.

Build onscratch

You can also use your build toolchain to create an application container imagethat is compatible with automatic base image updates.

When you deploy a Cloud Run service with automatic base image updates,your application container image is layered on top of a base container image.The application container image should only include your application, notthe operating system or runtime, which are provided in the base container image.

To create the application container image, do the following:

1. Create a multi-stage Dockerfile that:
   1. Builds the application using an appropriate base image with requireddependencies.
   2. Copies the built components onto ascratch image.
2. Build the application container image and push it to Artifact Registry.
3. Deploy the application container image to Cloud Run and specify abase image.

Create a multi-stage Dockerfile

We will use a Node.js application for this guide. This guide is not languagespecific, and can be customized for your application and language.

• Create aDockerfile in the root directory of our project with thefollowing:

  # This Dockerfile will produce an image that only includes the Node.js app and *not* the Node.js runtime.# The resulting image will not run locally. It is intended at being layered on top of a Node.js base image.FROMnode:24-slimasbuilder# Create and change to the app directory.WORKDIR/usr/src/app# Copy application dependency manifests to the container image and install# production dependencies.COPYpackage*.json./RUNnpminstall--only=production# Copy local code to the container image.COPY../# Copy the application source code and dependencies onto a scratch image.FROMscratchWORKDIR/workspaceCOPY--from=builder--chown=33:33/usr/src/app/./USER33:33# Run the web service on container startup.CMD["node","index.js"]

This Dockerfile uses amulti-stage build to copythe application source code and dependencies onto ascratch image that omitsthe operating system, packages, and runtime components that will be supplied atruntime by the Cloud Run managed base image.

Build your application image

Build your application image and upload it into Artifact Registry. Refer tobuildingcontainers for details on how to build aDockerfile with Cloud Build and uploading it to Artifact Registry.

Deploy the application image

You are now ready to deploy your application image with automatic updatesenabled using the most compatible base image for your application. The followingexample uses thenodejs24 runtime andeurope-west1region. To learn more about base image variations, reviewruntime base images.

Refer todeploy from source codefor additional details on required roles and permissions.

resource"google_cloud_run_v2_service""default"{name="SERVICE"location="REGION"template{containers{image="IMAGE_URL"base_image_uri="BASE_IMAGE"}}}

Reassemble container images to run locally

Application container images used with automatic base image updates are built onscratchand cannot be run outside of Cloud Run with base image updates enabled.You can make your application image runnable by rebasing the application image on top of a compatible base image.

1. InstallDocker Community Edition (CE)on your workstation.

2. Download the application image:

   dockerpullAPP_IMAGE

   ReplaceAPP_IMAGE with the URL of your containerimage.

3. Download the base image:

   dockerpullBASE_IMAGE

   ReplaceBASE_IMAGE with the full image path of acompatible base image. SeeGoogle Cloud's buildpacks base images for alist of available base images.

4. Re-assemble the image:

   Use aDockerfile to copy all the files from the app image back onto the base image:

   ARGAPP_IMAGEARGNEW_BASE_IMAGE# first copy all files from the app image onto the builder imageFROM${APP_IMAGE}ASappFROM${NEW_BASE_IMAGE}ASbuilderCOPY--from=app//# restore the app image config by copying everything from previous step back# back onto the app imageFROM${APP_IMAGE}COPY--from=builder//

   Build the image:

   dockerbuild\-tIMAGE\--build-argAPP_IMAGE=APP_IMAGE\--build-argNEW_BASE_IMAGE=BASE_IMAGE\.

   ReplaceIMAGE with the name of your reassembled image.

   If you see warnings thatARG ${APP_IMAGE} andARG ${NEW_BASE_IMAGE}are not valid base images, you can safely ignore those and run the image:

   dockerrun-p8080:8080IMAGE

Disable automatic updates

When deploying from source

When deployingfrom source, you can disable automaticbase image updates by using the--no-automatic-updates flag. The followingexample shows how to disable automatic base image updates for a Node.js service:

gcloudrundeploySERVICE\--source.\--base-imagenodejs24\--no-automatic-updates

When deploying a container image

To disable base image updates for a service that uses a container image built onscratch, you must deploy a new container image that includesthe base image and remove the base image:

View the base image version

To view the base image version that is used to serve your application, view theLogEntry.labels.run.googleapis.com/base_image_versions resourcein Cloud Run service logs.

Known limitations

• Automatic base image updates only supportGoogle Cloud's buildpacks base images.It is not possible to use your own base images.

• Applications using compiled languages won't be recompiled as a result of anautomatic base image update.

• Security scans on your application image might be incomplete. Because yourapplication image is now built onscratch, security scanners will only scanthe application portion of your image. To get a more complete image of yourcontainer security, you must run scans on the correspondingGoogle-provided base image as well. You can download the base image and useopen source tools to run a scan.