Merge branch 'neo/drop-zfs08-images' into 'master'

chore(engine): drop ZFS 0.8 build artifacts

Closes #710

See merge request postgres-ai/database-lab!1145

Author: agneum

SECURITY.md

@@ -30,7 +30,6 @@ Some third-party CVEs cannot yet be patched in DBLab Engine for reasons outside
 |-----------|--------|-------|
 | `github.com/docker/docker` v28.5.2+incompatible (Go module) | [CVE-2026-34040](https://nvd.nist.gov/vuln/detail/CVE-2026-34040) | No v29 tag is published for this module. Upstream has moved to `github.com/moby/moby/v2`, still in beta at the time of writing. Will be resolved once a stable v29 release or the v2 migration is available. |
 | `docker:29.x` base-image embedded binaries (`containerd`, `ctr`, `dockerd`, `compose`, `buildx`) | Multiple — see the [Docker Hub `docker` image advisories](https://hub.docker.com/_/docker/tags) and upstream tracker pages for [containerd](https://github.com/containerd/containerd/security/advisories) and [buildx](https://github.com/docker/buildx/security/advisories) | Depends on Docker Inc. rebuilding `docker:29.x` with updated internals. Tracked and refreshed together with each base-image bump; images are pinned by digest so any rebuild lands via an explicit commit. |
-| `Dockerfile.dblab-server-zfs08` (ZFS 0.8 legacy variant) | Inherits base-image CVEs from `docker:27.5.1` ([CVE-2025-15558](https://nvd.nist.gov/vuln/detail/CVE-2025-15558) in docker/cli) and Alpine v3.12 package CVEs not covered by `apk upgrade` ([CVE-2026-28390](https://nvd.nist.gov/vuln/detail/CVE-2026-28390) musl, [CVE-2026-40200](https://nvd.nist.gov/vuln/detail/CVE-2026-40200) openssl, [CVE-2026-22184](https://nvd.nist.gov/vuln/detail/CVE-2026-22184) zlib) | The ZFS 0.8 variant is retained for users on legacy ZFS pools. Alpine v3.12 and `docker:27.5.1` are end-of-life, so upgrading the base image would break the ZFS 0.8 compatibility guarantee. A separate track will deprecate or rebuild this variant. |
 
 Operators should subscribe to upstream advisories for the affected components and re-deploy once DBLab Engine images built against patched versions are published.
 

engine/.gitlab-ci.yml

@@ -206,17 +206,6 @@ build-image-feature-server:
     DOCKER_NAME: "${CI_REGISTRY}/${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}/dblab-server"
     TAGS: "${DOCKER_NAME}:${CI_COMMIT_REF_SLUG}"
 
-build-image-feature-server-zfs08:
-  <<: *build_image_definition
-  <<: *only_feature
-  variables:
-    REGISTRY_USER: "${CI_REGISTRY_USER}"
-    REGISTRY_PASSWORD: "${CI_REGISTRY_PASSWORD}"
-    REGISTRY: "${CI_REGISTRY}"
-    DOCKER_FILE: "Dockerfile.dblab-server-zfs08"
-    DOCKER_NAME: "${CI_REGISTRY}/${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}/dblab-server"
-    TAGS: "${DOCKER_NAME}:${CI_COMMIT_REF_SLUG}-zfs0.8"
-
 build-image-feature-ci-checker:
   <<: *build_image_definition
   <<: *only_feature
@@ -258,14 +247,6 @@ build-image-master-server:
     DOCKER_NAME: "registry.gitlab.com/postgres-ai/database-lab/dblab-server"
     TAGS: "${DOCKER_NAME}:master,${DOCKER_NAME}:master-${CI_COMMIT_SHORT_SHA}"
 
-build-image-master-server-zfs08:
-  <<: *build_image_definition
-  <<: *only_master
-  variables:    
-    DOCKER_FILE: "Dockerfile.dblab-server-zfs08"
-    DOCKER_NAME: "registry.gitlab.com/postgres-ai/database-lab/dblab-server"
-    TAGS: "${DOCKER_NAME}:master-zfs0.8,${DOCKER_NAME}:master-${CI_COMMIT_SHORT_SHA}-zfs0.8"
-
 build-image-master-ci-checker:
   <<: *build_image_definition
   <<: *only_master
@@ -303,19 +284,6 @@ build-image-latest-server:
     - export CLEAN_TAG=$(echo ${CI_COMMIT_TAG#"v"})
     - export LATEST_TAG=$(echo ${CLEAN_TAG%.*}-latest)
     - export TAGS="${DOCKER_NAME}:${LATEST_TAG},${DOCKER_NAME}:${CLEAN_TAG}"
-build-image-latest-server-zfs08:
-  <<: *build_image_definition
-  <<: *only_tag_release
-  variables:
-    REGISTRY_USER: "${DH_CI_REGISTRY_USER}"
-    REGISTRY_PASSWORD: "${DH_CI_REGISTRY_PASSWORD}"
-    REGISTRY: "${DH_CI_REGISTRY}"
-    DOCKER_FILE: "Dockerfile.dblab-server-zfs08"
-    DOCKER_NAME: "postgresai/dblab-server"
-  before_script:
-    - export CLEAN_TAG=$(echo ${CI_COMMIT_TAG#"v"})
-    - export LATEST_TAG=$(echo ${CLEAN_TAG%.*}-latest)
-    - export TAGS="${DOCKER_NAME}:${LATEST_TAG}-zfs0.8,${DOCKER_NAME}:${CLEAN_TAG}-zfs0.8"
 
 build-image-latest-server-dev:
   <<: *build_image_definition
@@ -411,18 +379,6 @@ build-image-rc-server:
     DOCKER_FILE: "Dockerfile.dblab-server"
     DOCKER_NAME: "postgresai/dblab-server"
 
-build-image-rc-server-zfs08:
-  <<: *build_image_definition
-  <<: *only_tag_rc
-  before_script:
-    - export CLEAN_TAG=$(echo ${CI_COMMIT_TAG#"v"})
-    - export TAGS="${DOCKER_NAME}:${CLEAN_TAG}-zfs0.8"
-  variables:
-    REGISTRY_USER: "${DH_CI_REGISTRY_USER}"
-    REGISTRY_PASSWORD: "${DH_CI_REGISTRY_PASSWORD}"
-    REGISTRY: "${DH_CI_REGISTRY}"
-    DOCKER_FILE: "Dockerfile.dblab-server-zfs08"
-    DOCKER_NAME: "postgresai/dblab-server"
 build-image-rc-server-dev:
   <<: *build_image_definition
   <<: *only_tag_rc
@@ -435,18 +391,7 @@ build-image-rc-server-dev:
     REGISTRY: "${CI_REGISTRY}"
     DOCKER_FILE: "Dockerfile.dblab-server"
     DOCKER_NAME: "registry.gitlab.com/postgres-ai/database-lab/dblab-server"
-build-image-rc-server-dev-zfs08:
-  <<: *build_image_definition
-  <<: *only_tag_rc
-  before_script:
-    - export CLEAN_TAG=$(echo ${CI_COMMIT_TAG#"v"})
-    - export TAGS="${DOCKER_NAME}:${CLEAN_TAG}-zfs0.8"
-  variables:
-    REGISTRY_USER: "${CI_REGISTRY_USER}"
-    REGISTRY_PASSWORD: "${CI_REGISTRY_PASSWORD}"
-    REGISTRY: "${CI_REGISTRY}"
-    DOCKER_FILE: "Dockerfile.dblab-server-zfs08"
-    DOCKER_NAME: "registry.gitlab.com/postgres-ai/database-lab/dblab-server"
+
 build-image-rc-ci-checker:
   <<: *build_image_definition
   <<: *only_tag_rc
@@ -459,6 +404,7 @@ build-image-rc-ci-checker:
     REGISTRY: "${DH_CI_REGISTRY}"
     DOCKER_FILE: "Dockerfile.ci-checker"
     DOCKER_NAME: "postgresai/dblab-ci-checker"
+
 build-image-rc-ci-checker-dev:
   <<: *build_image_definition
   <<: *only_tag_rc
@@ -510,6 +456,7 @@ build-image-rc-client:
     REGISTRY: "${DH_CI_REGISTRY}"
     DOCKER_FILE: "Dockerfile.dblab-cli"
     DOCKER_NAME: "postgresai/dblab"
+
 build-image-swagger-release:
   <<: *build_image_definition
   <<: *only_tag_release

engine/Dockerfile.dblab-server-zfs08

@@ -32,17 +32,13 @@ set +x
 #   2. ZFS-bearing images still ship a working `zfs` binary. We use
 #      `zfs --help` instead of `zfs --version` because the latter exits
 #      non-zero when the kernel module is absent (the CI builder is DinD,
-#      which has none) — `--help` only exercises the userspace binary, so
-#      it surfaces musl / libblkid ABI breakage without the false negative.
+#      which has none) — `--help` only exercises the userspace binary.
 #   3. None of the daemon / runtime / compose binaries that ship in the
 #      full `docker:*` image (and are NOT needed in a CLI-only runtime)
 #      have crept back in. The forbidden list is daemon-side only —
 #      the `docker` CLI itself is required and stays.
-# The zfs08 case is the noisiest because the v3.12 zfs binary now runs
-# against the alpine:3.23 musl / libblkid; the help-exit check pins this
-# at build time.
 case "$docker_file" in
-  Dockerfile.dblab-server|Dockerfile.dblab-server-debug|Dockerfile.dblab-server-zfs08|Dockerfile.dblab-cli|Dockerfile.ci-checker)
+  Dockerfile.dblab-server|Dockerfile.dblab-server-debug|Dockerfile.dblab-cli|Dockerfile.ci-checker)
     if [ "${#ADDR[@]}" -eq 0 ] || [ -z "${ADDR[0]:-}" ]; then
       echo "ERROR: smoke test cannot run, TAGS is empty" >&2
       exit 1
@@ -52,7 +48,7 @@ case "$docker_file" in
     docker run --rm "$smoke_image" docker --version
     set +x
     case "$docker_file" in
-      Dockerfile.dblab-server|Dockerfile.dblab-server-debug|Dockerfile.dblab-server-zfs08)
+      Dockerfile.dblab-server|Dockerfile.dblab-server-debug)
         set -x
         docker run --rm "$smoke_image" zfs --help >/dev/null
         set +x