From 9ec3fc37c27a0b8fc8a6b4be4b78636ed1ee25bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=83=A1=E7=8E=AE=E6=96=87?= Date: Thu, 13 Nov 2025 01:26:08 +0800 Subject: [PATCH] upgrade base image to debian 13 Now all binaries are under /usr, we can remove the logic to search both. --- build/gather-node-deps.sh | 10 +---- build/multi/Dockerfile.multi | 14 +++--- hack/base-image-deps.txt | 84 ++++++++++++++++++------------------ hack/update-dockerfile.sh | 6 +-- pkg/utils/util.go | 1 + 5 files changed, 57 insertions(+), 58 deletions(-) diff --git a/build/gather-node-deps.sh b/build/gather-node-deps.sh index 120774fdd..fb48689f5 100755 --- a/build/gather-node-deps.sh +++ b/build/gather-node-deps.sh @@ -6,10 +6,10 @@ mkdir -p /staging-node/var/lib/dpkg/status.d DEPS=( /etc/netconfig - /etc/mke2fs.conf /sbin/{fsck,mkfs,mount,umount}.{ext{2,3,4},xfs,nfs} + /etc/mke2fs.conf /usr/sbin/{fsck,mkfs,mount,umount}.{ext{2,3,4},xfs,nfs} /usr/bin/{mount,umount,lspci,lsof,chmod,grep,tail,partx} /usr/sbin/{fsck,mkfs,sfdisk,losetup} - /sbin/resize2fs + /usr/sbin/resize2fs /usr/sbin/xfs_growfs ) @@ -31,12 +31,6 @@ gather_dep() { # find the package that contains the source pkg=${FILE_PACKAGES[$source]} - if [ -z "$pkg" ] && [[ "$source" = /usr/* ]]; then - # retry without /usr prefix - # use source path matching dpkg for SBOM to work, because /lib is not linked to /usr/lib in distroless - source="${source#/usr}" - pkg=${FILE_PACKAGES[$source]} - fi if [ -z "$pkg" ]; then echo "failed to find package for $source" return 1 diff --git a/build/multi/Dockerfile.multi b/build/multi/Dockerfile.multi index 0dece3d65..bd3e8cc90 100644 --- a/build/multi/Dockerfile.multi +++ b/build/multi/Dockerfile.multi 
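Review bot: In build/gather-node-deps.sh, the second hunk (inside `gather_dep`) leaves the `FILE_PACKAGES[$source]` lookup with no statement of the assumption it now relies on: with the retry without the `/usr` prefix removed, any `$source` that differs from the path dpkg recorded fails the build. The removed comment also explained that the path must match dpkg for the SBOM, and that reasoning is lost with it. I would keep a short comment above the lookup, such as `# Debian 13: dpkg records files under /usr; $source must match that path exactly for the SBOM`. The failure message is a diagnostic and belongs on stderr: `echo "failed to find package for $source" >&2`. `gather_dep` starts and ends outside the hunk, so how `FILE_PACKAGES` is filled is not visible here.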
@@ -15,7 +15,7 @@ RUN --mount=type=bind,target=. \ -o /out/plugin.csi.alibabacloud.com && \ go build -trimpath -o /out/csiplugin-connector ./build/lib/csiplugin-connector.go -FROM registry-cn-hangzhou.ack.aliyuncs.com/dev/ack-base/distroless/base-debian12:latest@sha256:9e9b50d2048db3741f86a48d939b4e4cc775f5889b3496439343301ff54cdba8 as distroless-base +FROM registry-cn-hangzhou.ack.aliyuncs.com/dev/ack-base/distroless/base-debian13:latest@sha256:894e78799ebace28d56fc226a05d76a601685e1382421299eed8b7a95b90fa9e as distroless-base LABEL maintainers="Alibaba Cloud Authors" description="Alibaba Cloud CSI Plugin" LABEL defaultOssfsImageTag="v1.91.8.ack.3-b0e4403" defaultOssfs2ImageTag="v2.0.4.ack.1-5073ed2" @@ -23,7 +23,7 @@ FROM distroless-base as csi-base COPY --link --from=build /out/plugin.csi.alibabacloud.com /usr/bin/plugin.csi.alibabacloud.com ENTRYPOINT ["/usr/bin/plugin.csi.alibabacloud.com"] -FROM registry-cn-hangzhou.ack.aliyuncs.com/dev/debian:bookworm-20251020-slim as debian +FROM registry-cn-hangzhou.ack.aliyuncs.com/dev/debian:trixie-20251103-slim as debian ARG TARGETARCH RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=apt-cache-$TARGETARCH \ @@ -42,7 +42,7 @@ RUN --mount=type=bind,from=distroless-base,target=/base \ FROM distroless-base as dep-list COPY --link --from=debian /staging-node / -FROM --platform=$BUILDPLATFORM registry-cn-hangzhou.ack.aliyuncs.com/dev/debian:bookworm-20251020-slim as build-0 +FROM --platform=$BUILDPLATFORM registry-cn-hangzhou.ack.aliyuncs.com/dev/debian:trixie-20251103-slim as build-0 ARG BUILDARCH RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=apt-cache-$BUILDARCH \ --mount=type=cache,target=/var/lib/apt,sharing=locked,id=apt-lib-$BUILDARCH \ 
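Review bot: The Debian stages changed in the second and third hunks of build/multi/Dockerfile.multi (`... as debian` and `... as build-0`) reference `debian:trixie-20251103-slim` by tag only, while the `distroless-base` stage in the first hunk is pinned with `@sha256:`. A tag can be re-pushed in the registry, so the stages that build util-linux and stage `/staging-node` are not tied to one known image the way the runtime base is. I would pin both in the same form, `FROM registry-cn-hangzhou.ack.aliyuncs.com/dev/debian:trixie-20251103-slim@sha256:<DIGEST> as debian`. The digest could be recorded by hack/update-dockerfile.sh next to the tag it already looks up.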
@@ -50,7 +50,10 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=apt-cache-$BUILDA echo 'Acquire::Check-Valid-Until false;' > /etc/apt/apt.conf.d/snapshot && \ sed -i '/^URIs:/d; s|^# \(http://snapshot.debian.org/\)|URIs: \1|' /etc/apt/sources.list.d/debian.sources && \ apt-get update && \ - apt-get install -y tar xz-utils make diffutils + apt-get install -y tar xz-utils make diffutils gcc +# We need to install gcc in addition to gcc-${HOST} below. +# On e.g. amd64, gcc-x86-64-linux-gnu depends on "binutils-x86-64-linux-gnu", but it calls `as`, which is in "binutils" and not installed by default. +# See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083135 FROM build-0 as build-util-linux-amd64 ENV HOST=x86_64-linux-gnu @@ -77,7 +80,8 @@ SOURCE_DATE_EPOCH=$(stat -c %Y /src.tar.xz) export SOURCE_DATE_EPOCH echo "util-linux released at $(date --date "@$SOURCE_DATE_EPOCH" --iso-8601=seconds)" ./configure --disable-all-programs --enable-blkid --enable-libblkid --prefix=/usr/local \ - --disable-nls --disable-bash-completion --disable-asciidoc --disable-dependency-tracking --disable-static --host=$HOST + --disable-nls --disable-bash-completion --disable-asciidoc --disable-dependency-tracking --disable-static --host=$HOST || \ + { RET=$?; echo "content of ./config.log:"; cat ./config.log; exit $RET; } make -j make install-strip DESTDIR=/out cd /out/usr/local && rm -r include share lib/pkgconfig diff --git a/hack/base-image-deps.txt b/hack/base-image-deps.txt index 495830d5b..0b7f3cee5 100644 --- a/hack/base-image-deps.txt +++ b/hack/base-image-deps.txt 
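Review bot: The comment added after the `apt-get install` line in the `build-0` stage says the missing program is `as` from "binutils", yet the line installs the whole native `gcc`. If `binutils` alone satisfies the cross compiler, `apt-get install -y tar xz-utils make diffutils binutils` keeps the build stage smaller. If configure does need a native compiler, the comment should give that reason instead. The comment would also be easier to find above the `RUN` it explains, since it now sits between that instruction and the following `FROM`.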
@@ -1,42 +1,42 @@ -base-files 12.4+deb12u12 -coreutils 9.1-1 -e2fsprogs 1.47.0-2+b2 -fdisk 2.38.1-5+deb12u3 -grep 3.8-5 -libblkid1 2.38.1-5+deb12u3 -libc6 2.36-9+deb12u13 -libcom-err2 1.47.0-2+b2 -libext2fs2 1.47.0-2+b2 -libfdisk1 2.38.1-5+deb12u3 -libgssapi-krb5-2 1.20.1-2+deb12u4 -libinih1 55-1 -libk5crypto3 1.20.1-2+deb12u4 -libkeyutils1 1.6.3-2 -libkmod2 30+20221128-1 -libkrb5-3 1.20.1-2+deb12u4 -libkrb5support0 1.20.1-2+deb12u4 -liblzma5 5.4.1-1 -libmount1 2.38.1-5+deb12u3 -libpci3 1:3.9.0-4 -libpcre2-8-0 10.42-1 -libreadline8 8.2-1.3 -libselinux1 3.4-1+b6 -libsmartcols1 2.38.1-5+deb12u3 -libssl3 3.0.17-1~deb12u3 -libtinfo6 6.4-4 -libtirpc-common 1.3.3+ds-1 -libtirpc3 1.3.3+ds-1 -libudev1 252.39-1~deb12u1 -liburcu8 0.13.2-1 -libuuid1 2.38.1-5+deb12u3 -libzstd1 1.5.4+dfsg2-5 -lsof 4.95.0-1 -media-types 10.0.0 -mount 2.38.1-5+deb12u3 -netbase 6.4 -nfs-common 1:2.6.2-4+deb12u1 -pciutils 1:3.9.0-4 -tzdata 2025b-0+deb12u2 -util-linux 2.38.1-5+deb12u3 -xfsprogs 6.1.0-1 -zlib1g 1:1.2.13.dfsg-1 +base-files 13.8+deb13u1 +coreutils 9.7-3 +e2fsprogs 1.47.2-3+b3 +fdisk 2.41-5 +grep 3.11-4 +libblkid1 2.41-5 +libc6 2.41-12 +libcap2 1:2.75-10+b1 +libcom-err2 1.47.2-3+b3 +libext2fs2t64 1.47.2-3+b3 +libfdisk1 2.41-5 +libgssapi-krb5-2 1.21.3-5 +libinih1 59-1 +libk5crypto3 1.21.3-5 +libkeyutils1 1.6.3-6 +libkmod2 34.2-2 +libkrb5-3 1.21.3-5 +libkrb5support0 1.21.3-5 +libmount1 2.41-5 +libpci3 1:3.13.0-2 +libpcre2-8-0 10.46-1~deb13u1 +libreadline8t64 8.2-6 +libselinux1 3.8.1-1 +libsmartcols1 2.41-5 +libssl3t64 3.5.1-1+deb13u1 +libtinfo6 6.5+20250216-2 +libtirpc-common 1.3.6+ds-1 +libtirpc3t64 1.3.6+ds-1 +libudev1 257.8-1~deb13u2 +liburcu8t64 0.15.2-2 +libuuid1 2.41-5 +libzstd1 1.5.7+dfsg-1 +lsof 4.99.4+dfsg-2 +media-types 13.0.0 +mount 2.41-5 +netbase 6.5 +nfs-common 1:2.8.3-1 +pciutils 1:3.13.0-2 +tzdata 2025b-4+deb13u1 +util-linux 2.41-5 +xfsprogs 6.13.0-2+b1 +zlib1g 1:1.3.dfsg+really1.3.1-1+b1 
diff --git a/hack/update-dockerfile.sh b/hack/update-dockerfile.sh index 721de5af8..c144787ad 100755 --- a/hack/update-dockerfile.sh +++ b/hack/update-dockerfile.sh @@ -8,18 +8,18 @@ skopeo() { DOCKERFILE=build/multi/Dockerfile.multi -DISTROLESS=registry-cn-hangzhou.ack.aliyuncs.com/dev/ack-base/distroless/base-debian12 +DISTROLESS=registry-cn-hangzhou.ack.aliyuncs.com/dev/ack-base/distroless/base-debian13 DEBIAN=registry-cn-hangzhou.ack.aliyuncs.com/dev/debian if [ "$UPSTREAM" ]; then - DISTROLESS=gcr.io/distroless/base-debian12 + DISTROLESS=gcr.io/distroless/base-debian13 DEBIAN=docker.io/debian fi DISTROLESS_DIGEST=$(skopeo inspect docker://$DISTROLESS --format '{{.Digest}}') echo "The latest distroless digest is $DISTROLESS_DIGEST" -DEBIAN_TAG=$(skopeo list-tags docker://$DEBIAN | jq -r '.Tags|map(select(test("^bookworm-.+-slim$"))) | sort | last') +DEBIAN_TAG=$(skopeo list-tags docker://$DEBIAN | jq -r '.Tags|map(select(test("^trixie-.+-slim$"))) | sort | last') echo "The latest debian tag is $DEBIAN_TAG" sed -i " diff --git a/pkg/utils/util.go b/pkg/utils/util.go index 4e6ca3d29..6249d84e7 100644 --- a/pkg/utils/util.go +++ b/pkg/utils/util.go @@ -673,6 +673,7 @@ func mkfsDefaultArgs(fstype, source string) (args []string) { } else if fstype == "xfs" { args = []string{ "-f", + "-i", "nrext64=0", // This requires kernel v5.19, so disable for now. source, } }
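Review bot: In hack/update-dockerfile.sh, the new `DEBIAN_TAG` filter `test("^trixie-.+-slim$")` followed by `sort | last` accepts any tag of that shape, so a non-date tag that sorts after the digits would be chosen over the dated snapshot. When nothing matches, `jq -r` prints `null`, which the `sed` that follows would presumably write into the Dockerfile. I would anchor the pattern to the date form, `test("^trixie-[0-9]{8}-slim$")`, and stop on an empty result with `[ "$DEBIAN_TAG" != null ] || { echo "no trixie slim tag found" >&2; exit 1; }`. Whether the script runs under `set -e` is not visible in this hunk.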
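Review bot: In pkg/utils/util.go, the comment on the added `"-i", "nrext64=0"` line says only "This requires kernel v5.19", which does not tell the reader what is being switched off or why it matters for provisioned volumes. I would spell it out, for example `// nrext64 (large extent counters) is presumably on by default in the newer mkfs.xfs; such filesystems need kernel >= 5.19, so keep it off.` The same commit moves xfsprogs from 6.1.0-1 to 6.13.0-2+b1 in hack/base-image-deps.txt, so it is worth confirming that no other mkfs.xfs default changed in that range needs a newer kernel than the oldest supported node, and pinning the argument list in a unit test. `mkfsDefaultArgs` begins above the hunk, so its other branches are not visible here.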