
Docker image Package Patch within Dockerfile


In order to understand what constitutes an image, you need to look at a Dockerfile in a different way:

  • Every step (with the exception of FROM) creates a new image, with the results of the previous step as a base.
  • FROM doesn't use the previous step, but an explicitly specified one.

Now, looking at your Dockerfile, you seem to wonder why RUN yum -y update curl doesn't work as expected. For easier understanding, let's trace it backwards:

  • RUN yum -y update curl
  • RUN /usr/local/bin/python -m pip install --upgrade pip && pip install -r requirements.txt
  • WORKDIR /app
  • COPY . /app/
  • COPY --from=build /usr/local/ /usr/local/
  • ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib
  • FROM base -- at this point, the previous step is changed to the last step of base
  • FROM centos:7 AS base -- here, the previous step is changed to centos:7

As you see, nowhere in the earlier steps is yum update -y curl!

BTW: Typing this, I'm wondering what your precise question is, i.e. whether this works or doesn't or whether you wonder why it's necessary. Are you aware of the difference between yum update and yum update curl even?
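
Added example, not part of the answer above or of the asker's Dockerfile: the backward trace written as a small Python script. It follows FROM links only, because COPY --from brings files into a stage but not the steps that produced them. The sample Dockerfile is constructed from the steps the answer lists; the build stage and the lines inside base and build are assumptions.

```python
import re

# Constructed Dockerfile shaped like the steps the answer lists; the build stage
# and the install/update lines inside base and build are assumptions.
SAMPLE = """\
FROM centos:7 AS base
RUN yum -y install gcc make
FROM base AS build
RUN yum -y update
RUN make -C /src install
FROM base
ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib
COPY --from=build /usr/local/ /usr/local/
COPY . /app/
WORKDIR /app
RUN /usr/local/bin/python -m pip install --upgrade pip && pip install -r requirements.txt
RUN yum -y update curl
"""
FROM_RE = re.compile(r"FROM\s+(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)

def parse_stages(text):
    """Split a Dockerfile into stages, each with its base, optional name and steps."""
    stages = []
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        line = line.strip()
        m = FROM_RE.match(line)
        if m:
            stages.append({"base": m.group(1), "name": m.group(2), "steps": []})
        elif stages and line and not line.startswith("#"):
            stages[-1]["steps"].append(line)
    return stages

def lineage(stages, index=-1):
    """Steps whose results the given stage is built on, oldest first (FROM links only)."""
    index %= len(stages)
    chain = []
    while index is not None:
        stage = stages[index]
        chain = stage["steps"] + chain
        earlier = {s["name"].lower(): i for i, s in enumerate(stages[:index]) if s["name"]}
        index = earlier.get(stage["base"].lower())
        if index is None:  # base is an external image, the trace ends here
            chain.insert(0, "FROM " + stage["base"])
    return chain

def yum_updates(steps):
    """RUN steps that invoke yum update."""
    return [s for s in steps if re.match(r"RUN\b.*\byum\b.*\bupdate\b", s, re.I)]

if __name__ == "__main__":
    for step in lineage(parse_stages(SAMPLE)):
        print(step)
```

For the final stage the only yum update in the lineage is the last line; the full update inside the build stage never reaches the shipped image's package set.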


docker build and friends have a cache system, based on the text of the input. So if the text of the command yum -y update doesn't change, it will continue using the same cached version of the output forever (or until the cache is deleted). Try running the build with --no-cache and see if that helps.