From 67f22a200d0c4d2ea396e7052aba0ef86cc4527d Mon Sep 17 00:00:00 2001 From: Ben Banfield-Zanin Date: Mon, 20 Oct 2025 16:49:17 +0100 Subject: [PATCH] Update Docker images to use Debian trixie (13) and thus Python 3.13 (#19064) --- changelog.d/19064.docker | 1 + docker/Dockerfile | 11 +++-------- docker/Dockerfile-workers | 32 +++++++++++++++++++------------- docker/complement/Dockerfile | 10 +++++----- docker/editable.Dockerfile | 6 +++--- docs/upgrade.md | 8 ++++++++ 6 files changed, 39 insertions(+), 29 deletions(-) create mode 100644 changelog.d/19064.docker diff --git a/changelog.d/19064.docker b/changelog.d/19064.docker new file mode 100644 index 0000000000..cc220a8d49 --- /dev/null +++ b/changelog.d/19064.docker @@ -0,0 +1 @@ +Update docker image to use Debian trixie as the base and thus Python 3.13. diff --git a/docker/Dockerfile b/docker/Dockerfile index 727bc8bf5d..f83486036d 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -20,8 +20,8 @@ # `poetry export | pip install -r /dev/stdin`, but beware: we have experienced bugs in # in `poetry export` in the past. -ARG DEBIAN_VERSION=bookworm -ARG PYTHON_VERSION=3.12 +ARG DEBIAN_VERSION=trixie +ARG PYTHON_VERSION=3.13 ARG POETRY_VERSION=2.1.1 ### @@ -142,10 +142,10 @@ RUN \ libwebp7 \ xmlsec1 \ libjemalloc2 \ - libicu \ | grep '^\w' > /tmp/pkg-list && \ for arch in arm64 amd64; do \ mkdir -p /tmp/debs-${arch} && \ + chown _apt:root /tmp/debs-${arch} && \ cd /tmp/debs-${arch} && \ apt-get -o APT::Architecture="${arch}" download $(cat /tmp/pkg-list); \ done 
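Review bot: The added `chown _apt:root /tmp/debs-${arch}` in the download loop of the `@@ -142,10 +142,10 @@` hunk has no comment saying why it is needed. Presumably it lets apt's unprivileged `_apt` user write into the target directory, so that `apt-get download` keeps dropping privileges rather than fetching as root; that is worth confirming and recording. A comment above the RUN would do, for example `# apt downloads as the unprivileged _apt user, which must be able to write to /tmp/debs-<arch>`. The RUN instruction starts before this hunk, so the full package list is not visible here.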
@@ -176,11 +176,6 @@ LABEL org.opencontainers.image.documentation='https://element-hq.github.io/synap LABEL org.opencontainers.image.source='https://github.com/element-hq/synapse.git' LABEL org.opencontainers.image.licenses='AGPL-3.0-or-later OR LicenseRef-Element-Commercial' -# On the runtime image, /lib is a symlink to /usr/lib, so we need to copy the -# libraries to the right place, else the `COPY` won't work. -# On amd64, we'll also have a /lib64 folder with ld-linux-x86-64.so.2, which is -# already present in the runtime image. -COPY --from=runtime-deps /install-${TARGETARCH}/lib /usr/lib COPY --from=runtime-deps /install-${TARGETARCH}/etc /etc COPY --from=runtime-deps /install-${TARGETARCH}/usr /usr COPY --from=runtime-deps /install-${TARGETARCH}/var /var diff --git a/docker/Dockerfile-workers b/docker/Dockerfile-workers index 6d0fc1440b..ba8bb3b753 100644 --- a/docker/Dockerfile-workers +++ b/docker/Dockerfile-workers @@ -1,9 +1,10 @@ -# syntax=docker/dockerfile:1 +# syntax=docker/dockerfile:1-labs ARG SYNAPSE_VERSION=latest ARG FROM=matrixdotorg/synapse:$SYNAPSE_VERSION -ARG DEBIAN_VERSION=bookworm -ARG PYTHON_VERSION=3.12 +ARG DEBIAN_VERSION=trixie +ARG PYTHON_VERSION=3.13 +ARG REDIS_VERSION=7.2 # first of all, we create a base image with dependencies which we can copy into the # target image. For repeated rebuilds, this is much faster than apt installing 
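Review bot: The syntax directive in docker/Dockerfile-workers now follows the floating `docker/dockerfile:1-labs` tag, with nothing saying why the experimental channel is required. The frontend image is pulled and run at build time, so a moving labs tag widens what the build trusts and can change behaviour between builds. Presumably it is there for the `COPY --parents` used later in this file. I would record that with `# 1-labs is needed for COPY --parents below`, placed on the line after the directive, because a comment before it stops it being parsed as a directive. Pinning the frontend by digest is worth considering where reproducible builds matter.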
@@ -11,15 +12,27 @@ ARG PYTHON_VERSION=3.12 FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base + ARG DEBIAN_VERSION + ARG REDIS_VERSION + # Tell apt to keep downloaded package files, as we're using cache mounts. RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache + # The upstream redis-server deb has fewer dynamic libraries than Debian's package which makes it easier to copy later on + RUN \ + curl -fsSL https://packages.redis.io/gpg | gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg && \ + chmod 644 /usr/share/keyrings/redis-archive-keyring.gpg && \ + echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb ${DEBIAN_VERSION} main" | tee /etc/apt/sources.list.d/redis.list + RUN \ --mount=type=cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,target=/var/lib/apt,sharing=locked \ apt-get update -qq && \ DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \ - nginx-light + nginx-light \ + redis-server="6:${REDIS_VERSION}.*" redis-tools="6:${REDIS_VERSION}.*" \ + # libicu is required by postgres, see `docker/complement/Dockerfile` + libicu76 RUN \ # remove default page 
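Review bot: The new Redis apt source takes its trust anchor from `curl -fsSL https://packages.redis.io/gpg | gpg --dearmor`, so whatever key that URL serves at build time is accepted without a fingerprint check, and packages signed by it are then installed into the image. The `signed-by=` scoping is good, but the key itself should be compared against an expected fingerprint recorded in the repository, or vendored alongside the Dockerfile. The pipe also runs under the default shell without `pipefail`, so a failed `curl` is not what the `&&` chain tests. A sketch follows; the fingerprint value is a placeholder to be filled in from a trusted source.

```dockerfile
    # Placeholder: set to the Redis archive key fingerprint obtained from a trusted source.
    ARG REDIS_KEY_FINGERPRINT=EXPECTED_FINGERPRINT_PLACEHOLDER

    RUN \
      curl -fsSL https://packages.redis.io/gpg -o /tmp/redis-archive-key.asc && \
      gpg --show-keys --with-colons /tmp/redis-archive-key.asc \
        | grep -q "^fpr:.*:${REDIS_KEY_FINGERPRINT}:$" && \
      gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg /tmp/redis-archive-key.asc && \
      rm /tmp/redis-archive-key.asc && \
      # … unchanged: chmod 644 on the keyring and the sources.list.d/redis.list entry …
```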
@@ -35,19 +48,12 @@ FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base RUN mkdir -p /uv/etc/supervisor/conf.d -# Similarly, a base to copy the redis server from. -# -# The redis docker image has fewer dynamic libraries than the debian package, -# which makes it much easier to copy (but we need to make sure we use an image -# based on the same debian version as the synapse image, to make sure we get -# the expected version of libc. -FROM docker.io/library/redis:7-${DEBIAN_VERSION} AS redis_base - # now build the final image, based on the the regular Synapse docker image FROM $FROM # Copy over dependencies - COPY --from=redis_base /usr/local/bin/redis-server /usr/local/bin + COPY --from=deps_base --parents /usr/lib/*-linux-gnu/libicu* / + COPY --from=deps_base /usr/bin/redis-server /usr/local/bin COPY --from=deps_base /uv / COPY --from=deps_base /usr/sbin/nginx /usr/sbin COPY --from=deps_base /usr/share/nginx /usr/share/nginx diff --git a/docker/complement/Dockerfile b/docker/complement/Dockerfile index 6ed084fe5d..8766f14454 100644 --- a/docker/complement/Dockerfile +++ b/docker/complement/Dockerfile @@ -9,7 +9,7 @@ ARG SYNAPSE_VERSION=latest # This is an intermediate image, to be built locally (not pulled from a registry). ARG FROM=matrixdotorg/synapse-workers:$SYNAPSE_VERSION -ARG DEBIAN_VERSION=bookworm +ARG DEBIAN_VERSION=trixie FROM docker.io/library/postgres:13-${DEBIAN_VERSION} AS postgres_base 
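Review bot: The comment removed in the `@@ -35,19 +48,12 @@` hunk recorded that the copied redis binary only works when its source and the final image share a Debian release. That constraint still applies to the new `COPY --from=deps_base` lines, but it is no longer written down. `deps_base` follows `DEBIAN_VERSION` while the final stage is whatever `$FROM` points at, so a mismatch would only surface when `redis-server` or the ICU libraries fail to load at runtime. I would keep a comment above the copies, for example `# redis-server and libicu come from deps_base: $FROM must be built on the same Debian release so libc and other shared libraries match`. The list of COPY instructions continues past the end of this hunk.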
@@ -18,10 +18,10 @@ FROM $FROM # since for repeated rebuilds, this is much faster than apt installing # postgres each time. -# This trick only works because (a) the Synapse image happens to have all the -# shared libraries that postgres wants, (b) we use a postgres image based on -# the same debian version as Synapse's docker image (so the versions of the -# shared libraries match). +# This trick only works because we use a postgres image based on the same +# debian version as Synapse's docker image (so the versions of the shared +# libraries match). Any missing libraries need to be added to either the +# Synapse image or docker/Dockerfile-workers. RUN adduser --system --uid 999 postgres --home /var/lib/postgresql COPY --from=postgres_base /usr/lib/postgresql /usr/lib/postgresql COPY --from=postgres_base /usr/share/postgresql /usr/share/postgresql diff --git a/docker/editable.Dockerfile b/docker/editable.Dockerfile index f18cf6a5d9..7e5da4e4f4 100644 --- a/docker/editable.Dockerfile +++ b/docker/editable.Dockerfile @@ -8,9 +8,9 @@ ARG PYTHON_VERSION=3.9 ### ### Stage 0: generate requirements.txt ### -# We hardcode the use of Debian bookworm here because this could change upstream -# and other Dockerfiles used for testing are expecting bookworm. -FROM docker.io/library/python:${PYTHON_VERSION}-slim-bookworm +# We hardcode the use of Debian trixie here because this could change upstream +# and other Dockerfiles used for testing are expecting trixie. +FROM docker.io/library/python:${PYTHON_VERSION}-slim-trixie # Install Rust and other dependencies (stolen from normal Dockerfile) # install the OS build deps diff --git a/docs/upgrade.md b/docs/upgrade.md index c049a50984..63d567505f 100644 --- a/docs/upgrade.md +++ b/docs/upgrade.md 
@@ -117,6 +117,14 @@ each upgrade are complete before moving on to the next upgrade, to avoid stacking them up. You can monitor the currently running background updates with [the Admin API](usage/administration/admin_api/background_updates.html#status). +# Upgrading to v1.141.0 + +## Docker images now based on Debian `trixie` with Python 3.13 + +The Docker images are now based on Debian `trixie` and use Python 3.13. If you +are using the Docker images as a base image you may need to e.g. adjust the +paths you mount any additional Python packages at. + # Upgrading to v1.140.0 ## Users of `synapse-s3-storage-provider` must update the module to `v1.6.0`