
patrick-stephens (Collaborator) commented Oct 9, 2025

Distroless containers for Trixie/13 are now available to test: GoogleContainerTools/distroless#1851 (comment)


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change, please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • Chores

    • Upgraded container bases to Debian 13 (Trixie) across builder, extractor, production, and debug stages.
    • Switched APT backports and system libraries to Trixie equivalents and simplified systemd-related package choices.
    • Updated distroless production base to Debian 13.
  • Impact

    • Improved security and updated system packages.
    • Better long-term compatibility with newer dependencies.
    • No user-facing functionality changes.

Signed-off-by: Patrick Stephens <[email protected]>

coderabbitai bot commented Oct 9, 2025

Walkthrough

Swaps Debian base images from bookworm to trixie across Dockerfile stages, updates APT backports references from bookworm-backports to trixie-backports, adjusts systemd-related package names accordingly, and updates the distroless production base from cc-debian12 to cc-debian13.

Changes

Cohort / File(s): Docker base and backports migration (dockerfiles/Dockerfile)
Summary: Replaced Debian bookworm-slim with trixie-slim across builder, extractor, production, and debug stages; changed APT backports from bookworm-backports to trixie-backports; replaced backport-specific systemd package variants with standard libsystemd-dev/libsystemd0; updated distroless base from cc-debian12 to cc-debian13.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

ci/integration-docker-ok

Suggested reviewers

  • niedbalski
  • celalettin1286

Poem

I’m a rabbit in a Docker lair,
Swapping bookworm coats for trixie’s air.
Backports retuned, distroless to thirteen,
Containers hop lighter, tidy and clean.
🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title “dockerfile: update to Debian Trixie” succinctly and accurately summarizes the primary change in the pull request, which is swapping the base images and apt sources to Debian Trixie across all Docker build stages. It is concise, specific, and aligns directly with the detailed changes in the Dockerfile.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
dockerfiles/Dockerfile (2)

232-263: Replace dnsutils with bind9-dnsutils in debug stage
dnsutils isn’t available on Debian trixie; bind9-dnsutils is. librtmp1 remains valid.


125-172: Fix invalid package names and remove unnecessary runtime tools
apt-get download will fail on Trixie for these names:
• libssl3, libcurl4, libssh2-1, libpsl5, libgnutls30, libunistring2, libnettle8, libhogweed6, libldap-2.6-0
Verify and update each to the correct Debian package (e.g. via apt-cache) before commit.
librtmp1 exists on Trixie; only remove if your app doesn’t need it. Drop pkg-config from the distroless runtime.

🧹 Nitpick comments (2)
dockerfiles/Dockerfile (2)

38-52: Backports enablement OK; prefer dedicated sources.list.d entry.
Current approach works; for hygiene, write backports to /etc/apt/sources.list.d/backports.list instead of appending to the main sources.list.

-RUN echo "deb http://deb.debian.org/debian trixie-backports main" >> /etc/apt/sources.list && \
+RUN echo "deb http://deb.debian.org/debian trixie-backports main" > /etc/apt/sources.list.d/backports.list && \
     apt-get update && \
     apt-get install -y --no-install-recommends \
     ...
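
Review bot: the visible `apt-get install` line after the new `backports.list` write has no `-t trixie-backports` selector (the package list itself is elided here), and the summary for this PR says the backport-specific systemd variants were replaced with the standard libsystemd-dev/libsystemd0. If nothing is pulled from backports any more, drop the source line instead of moving it, so the image build trusts one fewer package source; if something still is, name the release on that package so the intent is visible in the Dockerfile. The switch from `>>` to `>` is fine for a file this step owns, since the step then always writes a single entry.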

180-180: Consider pinning distroless base by digest.
Improves supply-chain integrity and reproducibility; you already ignore DL3006 in hadolint, but pinning is recommended.

-FROM gcr.io/distroless/cc-debian13 AS production
+# Example (replace with current digest):
+# FROM gcr.io/distroless/cc-debian13@sha256:<digest> AS production
+FROM gcr.io/distroless/cc-debian13 AS production
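
Review bot: the active `FROM gcr.io/distroless/cc-debian13 AS production` line is left as it was by this suggestion and only a commented-out example is added, so the production stage would still resolve a mutable tag at build time. To get the integrity and reproducibility benefit described, replace the FROM line itself with the `@sha256:<digest>` form, keep the tag in a comment for readability, and let an automated dependency updater bump the digest so it does not go stale.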
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f87db22 and 48bcf99.

📒 Files selected for processing (1)
  • dockerfiles/Dockerfile (10 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: PR - Docker windows build test, windows 2022 and 2025 (2025)
  • GitHub Check: PR - Docker windows build test, windows 2022 and 2025 (2022)
  • GitHub Check: PR - Classic docker build test
🔇 Additional comments (3)
dockerfiles/Dockerfile (3)

22-22: Base image bump to trixie looks good.
No issues spotted with switching builder base to Debian 13.


117-117: Extractor base image bump to trixie looks good.
No concerns with aligning extractor to Debian 13.


211-211: Debug base image bump to trixie looks good.
No concerns with aligning debug image to Debian 13.
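
The digest-pinning point raised in the review above can be checked mechanically. The following is an added example, not part of the PR or of Fluent Bit's tooling: a Python check that lists `FROM` lines pulling a registry image by tag only, skipping references to earlier build stages; the sample Dockerfile text, its stage names and the all-zero digest are constructed.

```python
import re

# Constructed placeholder digest (all zeros), not a real image digest.
FAKE_DIGEST = "sha256:" + "0" * 64

# Constructed sample modelled on the stages named in the review;
# it is not the project's dockerfiles/Dockerfile.
SAMPLE = "\n".join([
    "ARG RELEASE=trixie-slim",
    "FROM debian:${RELEASE} AS builder-base",
    "FROM builder-base AS builder",
    "FROM --platform=$BUILDPLATFORM debian:trixie-slim AS deb-extractor",
    "FROM gcr.io/distroless/cc-debian13 AS production",
    "FROM gcr.io/distroless/cc-debian13@" + FAKE_DIGEST + " AS pinned",
    "FROM scratch AS empty",
])

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_bases(dockerfile_text):
    """Return (line_no, image, reason) for registry images lacking a digest."""
    stages, findings = set(), []
    for line_no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group("image"), m.group("alias")
        if image.lower() == "scratch" or image.lower() in stages:
            pass  # empty base or an earlier build stage: nothing is pulled
        elif "$" in image:
            # Build-arg reference: the real image is only known at build time.
            findings.append((line_no, image, "variable"))
        elif not DIGEST_RE.search(image):
            findings.append((line_no, image, "tag-only"))
        if alias:
            stages.add(alias.lower())
    return findings


if __name__ == "__main__":
    for line_no, image, reason in unpinned_bases(SAMPLE):
        print(f"line {line_no}: {image} ({reason})")
```

Lines reported as `variable` need a look at the build arguments, since a digest could still be supplied there.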
