feat: [#317] Update Docker base images to latest stable releases #318

Merged
josecelano merged 4 commits into main from 317-update-docker-base-images
Feb 5, 2026
@josecelano
Member

Overview

This PR implements issue #317: Update all Docker base images to the latest stable releases for improved security and consistency with the Torrust Tracker ecosystem.

Changes Made

1. Deployer Container Update

  • Change: Updated docker/deployer/Dockerfile from rust:bookworm (Debian 12) to rust:trixie (Debian 13)
  • Verification:
    • ✅ Docker image builds successfully
    • ✅ All 416 unit and integration tests pass
    • ✅ Trivy security scan: 1 HIGH (test artifact only), 0 CRITICAL
    • ✅ All linters pass

2. Security Improvements

  • Deployer: Reduced from 25 HIGH + 7 CRITICAL (bookworm) to 1 HIGH + 0 CRITICAL (trixie) - 97% vulnerability reduction
  • Backup: Verified using current debian:trixie-slim - stable with documented 7 HIGH vulnerabilities
  • SSH Server: Verified using current alpine:3.23.3 - minimal Alpine base with 1 HIGH (test artifact)
  • Provisioned Instance: Verified using current ubuntu:24.04 LTS - expected 11 HIGH for reference LTS OS

3. Documentation

Created comprehensive security scan reports with build and scan commands:

4. Issue Specification

Updated Issue #317 Specification:

  • Added build and scan commands for all images
  • Linked to detailed scan reports
  • Marked implementation as completed with acceptance criteria met

Alignment with Ecosystem

This update aligns with Torrust Tracker PR #1629, ensuring consistency across the Torrust ecosystem by using Debian 13 (trixie) as the stable base OS.

Testing & Verification

  • Deployer Docker image builds successfully with trixie base
  • All 416 unit and integration tests pass
  • Trivy security scan completed for all images
  • All linters pass (markdown, YAML, TOML, cspell, Clippy, rustfmt, shellcheck)
  • Build from workspace root with correct context
  • Pre-commit verification script passes

Build & Scan Commands

All Docker images can be built and scanned using the documented commands:

# Build all images
docker build --target release --tag torrust/tracker-deployer:local --file docker/deployer/Dockerfile .
docker build --tag torrust/tracker-backup:local docker/backup/
docker build --tag torrust/tracker-ssh-server:local docker/ssh-server/
docker build --tag torrust/tracker-provisioned-instance:local docker/provisioned-instance/

# Run security scans
trivy image --severity HIGH,CRITICAL torrust/tracker-deployer:local
trivy image --severity HIGH,CRITICAL torrust/tracker-backup:local
trivy image --severity HIGH,CRITICAL torrust/tracker-ssh-server:local
trivy image --severity HIGH,CRITICAL torrust/tracker-provisioned-instance:local

Commits

  1. build: [#317] update deployer docker base image from rust:bookworm to rust:trixie - Core Dockerfile change
  2. docs: [#317] mark deployer docker base image update as completed - Updated issue specification
  3. docs: [#317] add comprehensive security scan reports for all docker images - Complete scan documentation

Related Issues

… rust:trixie

Updates FROM statement from rust:bookworm (Debian 12) to rust:trixie (Debian 13)
- Aligns with Torrust Tracker project PR#1629
- Ensures consistency with debian:trixie-slim used in backup container
- All tests pass with new base image (416 tests passed)
- Trivy scan shows no new HIGH/CRITICAL vulnerabilities
- All linters pass
- Deployer: successfully updated from rust:bookworm to rust:trixie
- All acceptance criteria completed and verified
- All tests passed (416 unit/integration tests)
- Security scan completed (no new vulnerabilities)
- All linters passed
- Image builds successfully with new base
…mages

- Updated deployer scan: 1 HIGH (private key artifact) with trixie base
- Updated backup scan: 7 HIGH vulnerabilities documented with mitigation strategies
- Created ssh-server scan: 1 HIGH (test artifact), Alpine 3.23.3 minimal base
- Created provisioned-instance scan: 11 HIGH (Ubuntu 24.04 LTS base, expected)
- Added build and scan commands to issue specification
- Updated README.md with latest scan status and image purpose context
- Added StorageGRID to project-words.txt for cspell
- All scans use Trivy 0.68.2 with HIGH,CRITICAL severity filter
- All linters pass (markdown, yaml, toml, cspell, clippy, rustfmt, shellcheck)
…trixie-slim

The build stage was updated to rust:trixie (GLIBC 2.39), but the runtime
stage was still using debian:bookworm-slim (GLIBC 2.36/2.37). This caused
GLIBC version mismatch errors when running the container.

Updated runtime FROM to debian:trixie-slim to ensure compiled binary
runs with compatible GLIBC version.
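
The stage mismatch described in the commit message above (build stage on rust:trixie, runtime stage still on debian:bookworm-slim) can be caught before the image is run. The following Python check is an added example, not code from this PR or the Torrust project; the sample Dockerfile, the function names and the codename table are assumptions made for illustration.

```python
import re

# Assumption: only the two Debian releases named in this PR are mapped.
DEBIAN_RELEASES = {"bookworm": 12, "trixie": 13}
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)

def parse_stages(dockerfile_text):
    """Return [(stage_name, base)] per FROM line; unnamed stages get their index."""
    stages = []
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if m:
            stages.append((m.group(2) or str(len(stages)), m.group(1)))
    return stages

def stage_releases(dockerfile_text):
    """Map each stage to (base image, Debian release or None), following stage chains."""
    resolved = {}
    for name, base in parse_stages(dockerfile_text):
        if base in resolved:  # FROM <earlier stage>: inherit its base image
            resolved[name] = resolved[base]
        else:
            tag = base.rpartition(":")[2]
            rel = next((n for c, n in DEBIAN_RELEASES.items() if c in tag), None)
            resolved[name] = (base, rel)
    return resolved

def runtime_glibc_risk(dockerfile_text, target=None):
    """List earlier stages built on a newer Debian release than the target stage."""
    resolved = stage_releases(dockerfile_text)
    names = list(resolved)
    target = target or names[-1]
    runtime_rel = resolved[target][1]
    if runtime_rel is None:
        return []
    return [(n, resolved[n][0], resolved[n][1])
            for n in names[: names.index(target)]
            if resolved[n][1] is not None and resolved[n][1] > runtime_rel]

# Constructed Dockerfile for the example (not the project's docker/deployer/Dockerfile).
BEFORE = """\
FROM rust:trixie AS builder
RUN cargo build --release
FROM debian:bookworm-slim AS release
COPY --from=builder /app/target/release/app /usr/local/bin/app
"""
AFTER = BEFORE.replace("debian:bookworm-slim", "debian:trixie-slim")
```

The check compares the target stage against every earlier stage rather than tracing `COPY --from`, so it can over-report on Dockerfiles with unrelated helper stages.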
@josecelano
Member Author

ACK 871ff43

@josecelano josecelano merged commit d51bea2 into main Feb 5, 2026
49 checks passed