Proper way to upgrade docker OS (bullseye)

I need to upgrade the current OS, Debian (bullseye), in an effort to update packages that are being flagged. Is there documentation on this or steps?

Thanks

This isn’t a Discourse issue, but an OS issue. There are many sites describing how to upgrade your OS.

My recommendation is to create a new VM with a new OS and then Move a Discourse site to another VPS with rsync


The docker OS that was installed during the discourse installation, not the host OS.

You can add the usual commands to app.yml


You want to upgrade Debian inside the container?

What’s being flagged by whom?

But if that’s what you mean you can

./launcher enter app
apt-get update
apt-get upgrade

and it probably won’t break anything. I wouldn’t recommend it, though.

And if that’s what you really mean, then you can add those as exec stanzas, you can look at templates/import/mysql-dep.template.yml for an example.

Yes, Debian inside the container b/c I see that as my only option.

For instance, our security team has flagged vulnerabilities with Node.js 18.x, libcurl, openssl. Take libcurl: my current version is 7.4, which seems to be the most current version in bullseye, but for compliance it needs to be 8.4, and other packages follow suit.

./launcher enter app
apt-get update
apt-get upgrade

I have run these commands to update bullseye, but to no avail.

Yeah. It’s not that simple. There is no “proper way to upgrade docker OS (bullseye)”.

You can conceivably modify https://github.com/discourse/discourse_docker/blob/main/image/base/slim.Dockerfile to build an image that your IT team will approve. I guess I’d start by using the latest Debian as the base image. I’d likely budget a week to do it, but it could easily take half or twice as long, if the Discourse code base even works with the newer versions (it probably does, but there’s no way to know).

Building an image that works and satisfies your compliance issues will be time-consuming and likely more dangerous than using the standard image, which is tested by the Discourse team and works on thousands of sites. You’ll instead be running an image that only you know about. When it’s broken, you won’t be able to get any support here since it’ll be impossible to know if the issue is with the code or some library that Discourse isn’t supporting yet.

Every time you upgrade, you’ll need to budget time to see if the Discourse updates work with your image.

If your IT folks insist on these updates then you should probably consider another platform.

Hey, so over here a prominent developer says he always uses the latest Node LTS in his development version, suggesting that there should be no problem with that.

So that means your Node issue should be totally safe.

It seems highly improbable that libcurl would break things in a non-backward compatible way, so maybe your task isn’t as hard as I’d imagined. So, maybe just 1-5 hours’ work for someone familiar with the various pieces.

So I think you’d just need to fork discourse_docker and change a few lines in slim.Dockerfile and maybe it’ll just work and not be a big deal after all.
