Docker: Update to Debian 13 (#812)

Author: Proximyst

CHANGELOG.md

@@ -1,38 +1,4 @@
-FROM debian:12-slim@sha256:b1a741487078b369e78119849663d7f1a5341ef2768798f7b7406c4240f86aef AS debian-updated
-
-SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
-
-# If we ever need to bust the cache, just change the date here.
-# While we don't cache anything in Drone, that might not be true when we migrate to GitHub Actions where some action might automatically enable layer caching.
-# This is fine, but is terrible in situations where we want to _force_ an update of a package.
-RUN echo 'cachebuster 2025-10-17' && apt-get update
-
-FROM debian-updated AS debs
-
-ARG CHROMIUM_VERSION=141.0.7390.107
-RUN apt-cache depends chromium=${CHROMIUM_VERSION} chromium-driver chromium-shell chromium-sandbox font-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst fonts-freefont-ttf libxss1 unifont fonts-open-sans fonts-roboto fonts-inter bash util-linux openssl tini ca-certificates locales libnss3-tools \
-  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
-RUN mkdir /dpkg && \
-  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
-
-FROM debian:testing-slim@sha256:12ce5b90ca703a11ebaae907649af9b000e616f49199a2115340e0cdf007e42a AS ca-certs
-
-RUN apt-get update
-RUN apt-cache depends ca-certificates \
-  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
-RUN mkdir /dpkg && \
-  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
-
-# While we can't move to Debian 13 yet for the final image, use its new build of busybox with security fixes.
-FROM debian:13-slim@sha256:c85a2732e97694ea77237c61304b3bb410e0e961dd6ee945997a06c788c545bb AS busybox
-
-RUN apt-get update
-RUN apt-cache depends busybox-static \
-  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
-RUN mkdir /dpkg && \
-  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
-
-FROM node:22-alpine@sha256:1b2479dd35a99687d6638f5976fd235e26c5b37e8122f786fcd5fe231d63de5b AS build
+FROM node:22-trixie AS build
 
 WORKDIR /src
 COPY . ./
@@ -41,48 +7,49 @@ RUN yarn install --pure-lockfile
 RUN yarn run build
 RUN rm -rf node_modules/ && yarn install --pure-lockfile --production
 
-FROM gcr.io/distroless/nodejs22-debian12:nonroot@sha256:8929dbab735ee399ff886ba7d81419dbe7df002993a7d69715e1c16b7d41c531
+FROM node:22-trixie AS output_image
 
 LABEL maintainer="Grafana team <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/grafana/grafana-image-renderer/tree/master/Dockerfile"
 
-COPY --from=debs /dpkg /
-COPY --from=busybox /dpkg/usr/bin/busybox /bin/busybox
-COPY --from=busybox /dpkg/usr/bin/busybox /usr/bin/busybox
-COPY --from=ca-certs /dpkg/usr/share/ca-certificates /usr/share/ca-certificates
+# If we ever need to bust the cache, just change the date here.
+RUN echo 'cachebuster 2025-10-17' && apt-get update
+
+RUN apt-get install -y --no-install-recommends --no-install-suggests \
+  fonts-ipaexfont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst-one fonts-freefont-ttf \
+  libxss1 unifont fonts-open-sans fonts-roboto fonts-inter fonts-recommended \
+  bash util-linux openssl tini ca-certificates locales libnss3-tools ca-certificates
+
+ARG CHROMIUM_VERSION=141.0.7390.107
+RUN apt-get satisfy -y --no-install-recommends --no-install-suggests \
+  "chromium (>=${CHROMIUM_VERSION}), chromium-driver (>=${CHROMIUM_VERSION}), chromium-shell (>=${CHROMIUM_VERSION}), chromium-sandbox (>=${CHROMIUM_VERSION})"
+RUN apt-get clean && rm -rf /var/lib/apt/lists/*
 
-USER root
-SHELL ["/bin/busybox", "sh", "-c"]
-RUN /bin/busybox --install
-# Verify that the browser was actually installed.
-RUN /usr/bin/chromium --version
 # This is so the browser can write file names that contain non-ASCII characters.
 RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen en_US.UTF-8
 RUN fc-cache -fr
 RUN update-ca-certificates --fresh
-USER nonroot
 
-ENV CHROME_BIN="/usr/bin/chromium"
-ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD="true"
-ENV NODE_ENV=production
-ENV LANG=en_US.UTF-8
-ENV LC_ALL=en_US.UTF-8
+USER root
+RUN useradd --create-home --system --uid 65532 --user-group nonroot
+RUN chgrp -R 0 /home/nonroot && chmod -R g=u /home/nonroot
+WORKDIR /home/nonroot
+USER 65532
 
 COPY --from=build /src/node_modules node_modules
 COPY --from=build /src/build build
 COPY --from=build /src/proto proto
 COPY --from=build /src/default.json config.json
 COPY --from=build /src/plugin.json plugin.json
 
-USER root
-
-RUN chgrp -R 0 /home/nonroot && chmod -R g=u /home/nonroot
-
-USER 65532
-
 EXPOSE 8081
 
-ENTRYPOINT ["tini", "--", "/nodejs/bin/node"]
+ENV CHROME_BIN="/usr/bin/chromium"
+ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD="true"
+ENV NODE_ENV=production
+ENV LANG=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
+ENTRYPOINT ["tini", "--", "node"]
 CMD ["build/app.js", "server", "--config=config.json"]
 HEALTHCHECK --interval=10s --retries=3 --timeout=3s \
   CMD ["wget", "-O-", "-q", "http://localhost:8081/"]

Dockerfile

@@ -16,58 +16,41 @@ RUN --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build \
   -ldflags '-s -w -extldflags "-static"' \
   .
 
-FROM debian:12-slim@sha256:b1a741487078b369e78119849663d7f1a5341ef2768798f7b7406c4240f86aef AS debs
+FROM debian:13 AS output_image
 
-SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+LABEL maintainer="Grafana team <[email protected]>"
+LABEL org.opencontainers.image.source="https://github.com/grafana/grafana-image-renderer/tree/master/go.Dockerfile"
 
 # If we ever need to bust the cache, just change the date here.
-# While we don't cache anything in Drone, that might not be true when we migrate to GitHub Actions where some action might automatically enable layer caching.
-# This is fine, but is terrible in situations where we want to _force_ an update of a package.
 RUN echo 'cachebuster 2025-10-17' && apt-get update
 
-ARG CHROMIUM_VERSION=141.0.7390.107
-RUN apt-cache depends chromium=${CHROMIUM_VERSION} chromium-driver chromium-shell chromium-sandbox font-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst fonts-freefont-ttf libxss1 unifont fonts-open-sans fonts-roboto fonts-inter bash busybox util-linux openssl tini ca-certificates locales libnss3-tools \
-  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
-RUN mkdir /dpkg && \
-  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
-
-FROM debian:testing-slim@sha256:12ce5b90ca703a11ebaae907649af9b000e616f49199a2115340e0cdf007e42a AS ca-certs
-
-RUN apt-get update
-RUN apt-cache depends ca-certificates \
-  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
-RUN mkdir /dpkg && \
-  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
-
-FROM gcr.io/distroless/base-debian12:nonroot AS output_image
+RUN apt-get install -y --no-install-recommends --no-install-suggests \
+  fonts-ipaexfont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst-one fonts-freefont-ttf \
+  libxss1 unifont fonts-open-sans fonts-roboto fonts-inter fonts-recommended \
+  bash util-linux openssl tini ca-certificates locales libnss3-tools ca-certificates
 
-LABEL maintainer="Grafana team <[email protected]>"
-LABEL org.opencontainers.image.source="https://github.com/grafana/grafana-image-renderer/tree/master/go.Dockerfile"
-
-COPY --from=debs /dpkg /
-COPY --from=ca-certs /dpkg/usr/share/ca-certificates /usr/share/ca-certificates
+ARG CHROMIUM_VERSION=141.0.7390.107
+RUN apt-get satisfy -y --no-install-recommends --no-install-suggests \
+  "chromium (>=${CHROMIUM_VERSION}), chromium-driver (>=${CHROMIUM_VERSION}), chromium-shell (>=${CHROMIUM_VERSION}), chromium-sandbox (>=${CHROMIUM_VERSION})"
+RUN apt-get clean && rm -rf /var/lib/apt/lists/*
 
-USER root
-SHELL ["/bin/busybox", "sh", "-c"]
-RUN /bin/busybox --install
-# Verify that the browser was actually installed.
-RUN /usr/bin/chromium --version
 # This is so the browser can write file names that contain non-ASCII characters.
 RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen en_US.UTF-8
 RUN fc-cache -fr
 RUN update-ca-certificates --fresh
-USER nonroot
 
-ENV CHROME_BIN="/usr/bin/chromium"
-ENV LANG=en_US.UTF-8
-ENV LC_ALL=en_US.UTF-8
-
-USER root
+RUN useradd --create-home --system --uid 65532 --user-group nonroot
 RUN chgrp -R 0 /home/nonroot && chmod -R g=u /home/nonroot
-COPY --from=app /src/grafana-image-renderer /usr/bin/grafana-image-renderer
+WORKDIR /home/nonroot
 USER 65532
+
+COPY --from=app /src/grafana-image-renderer /usr/bin/grafana-image-renderer
+
 EXPOSE 8081
 
+ENV CHROME_BIN="/usr/bin/chromium"
+ENV LANG=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
 ENTRYPOINT ["tini", "--", "/usr/bin/grafana-image-renderer"]
 CMD ["server"]
 HEALTHCHECK --interval=10s --retries=3 --timeout=3s --start-interval=250ms --start-period=30s \

go.Dockerfile

@@ -24,7 +24,7 @@
         "url": "https://github.com/grafana/grafana-image-renderer/blob/master/LICENSE"
       }
     ],
-    "version": "4.0.20",
+    "version": "4.1.0",
     "updated": "2025-10-17"
   },
   "dependencies": {