They're both kinda dumb though. Updating will create a new layer, but the old binaries will still be a part of the image as part of the history.
The only correct way is to either rebuild the base image from scratch or just fetch a new base image.
My suggestion would be the latter, just run docker pull again for the baseimage and use that, without running update.
The only correct way is to either rebuild the base image from scratch or just fetch a new base image. My suggestion would be the latter, just run docker pull again for the baseimage and use that, without running update.