Fabio Hernandez asked when we update the operating system in our distributed containers (lsstsqre/centos-7-stack-lsst_distrib and therefore nublado derived from it). Nominally, according to the Dev Guide we aim to update within 6 months of CentOS minor releases. But we are currently 2 minor releases behind.
The OS-level base container is built from the official centos:7 container as-is, without doing yum update at any point. This container is then used to create an lsst-newinstall container containing rubin-env, with updates to the latter occurring either when lsst/lsst is modified or when manually triggered. The newinstall container then becomes the base for installing Science Pipelines tarballs using eups distrib.
Note that updating the OS base container more frequently or doing a yum update at a higher level in the chain would increase the storage required, as layers could no longer be shared between containers.
Option 0 is to maintain the status quo, updating the OS base only when someone complains or remembers.
Option 1 is to more carefully monitor CentOS releases and plan to manually rebuild the OS base container within 6 months, as stated in the Dev Guide.
Option 2 is to automatically rebuild the OS base container periodically, perhaps once a quarter.
Option 3 is to not rebuild the base container but instead do yum update in the newinstall container or even in the stack-lsst_distrib container.
I think the DM-CCB needs to discuss the trade-offs between these.
In any case, it would seem that we should have a "bleed build" that uses the latest OS as well as rubin-env to discover problems before they occur in the development builds and releases.
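The storage trade-off between the options above, as an added example that is not part of the original post or the project's tooling: a small Python model of layer sharing along the OS base, newinstall and stack chain. The layer sizes, the weekly release cadence, the one-year retention and the unchanged rubin-env are constructed assumptions.

```python
import hashlib

# Constructed layer sizes in MB (assumptions, not measurements of the real images).
SIZE_MB = {"os": 200, "rubin-env": 3000, "yum-update": 400, "stack": 5000}

def layer_id(parent, step, content):
    """Digest of a layer. Simplifying assumption: a layer rebuilt on a
    different parent is never byte-identical, so it gets a new digest."""
    return hashlib.sha256(f"{parent}|{step}|{content}".encode()).hexdigest()

def build_image(steps):
    """Turn [(step, content), ...] from the base upward into [(digest, step), ...]."""
    layers, parent = [], ""
    for step, content in steps:
        parent = layer_id(parent, step, content)
        layers.append((parent, step))
    return layers

def registry_mb(images):
    """Storage needed when each distinct layer is stored once."""
    unique = {digest: step for image in images for digest, step in image}
    return sum(SIZE_MB[step] for step in unique.values())

def simulate(releases, os_rebuild_weeks=None, update_in_stack=False):
    """Storage for one retained stack image per weekly release.
    os_rebuild_weeks: rebuild the OS base every N weeks (None = never).
    update_in_stack: run yum update in every stack image (Option 3)."""
    images = []
    for week in range(releases):
        os_build = week // os_rebuild_weeks if os_rebuild_weeks else 0
        steps = [("os", f"centos:7 pulled for build {os_build}"),
                 ("rubin-env", "same rubin-env all year")]
        if update_in_stack:
            steps.append(("yum-update", f"packages as of week {week}"))
        steps.append(("stack", f"weekly release {week}"))
        images.append(build_image(steps))
    return registry_mb(images)

if __name__ == "__main__":
    print("status quo (Option 0):      ", simulate(52), "MB")
    print("quarterly base (Option 2):  ", simulate(52, os_rebuild_weeks=13), "MB")
    print("yum update in stack (Opt 3):", simulate(52, update_in_stack=True), "MB")
```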