Update Docker Images to Latest Stable Versions #253

@josecelano

Overview

Update Docker images in the docker-compose template to their latest versions, prioritizing long-term support and active maintenance windows to ensure production stability.

Strategy: Balance security, support lifecycle, and maintenance status:

  • ✅ All current images have zero HIGH/CRITICAL vulnerabilities
  • 🎯 Prefer versions with extended support windows (LTS releases)
  • 📅 Choose actively maintained versions with reasonable update cadences

References:

This task includes verifying compatibility with the Torrust Tracker application and documenting security scan results.

Specification

See detailed specification: docs/issues/253-update-docker-images-to-latest-versions.md

Current Status

Docker Images Analysis (December 23, 2025)

| Image | Current Version | Recommended Version | Support EOL | Status | Security |
|---|---|---|---|---|---|
| prom/prometheus | v3.0.1 | v3.5.0 (LTS) | Jul 31, 2026 | ⚠️ Update to LTS (7 months support) | ✅ 0 HIGH/CRITICAL |
| grafana/grafana | 11.4.0 | 12.3.1 | Feb 24, 2026 | ⚠️ Update to latest major | ✅ 0 HIGH/CRITICAL |
| mysql | 8.0 (generic) | 8.4 (LTS) | Apr 30, 2032 | ⚠️ Update to explicit LTS version | ✅ 0 HIGH/CRITICAL |

Support Lifecycle Notes:

  • Prometheus: 6-week release cycle. LTS v3.5 gets 1-year support (ends Jul 31, 2026). Latest v3.8.1 only has 2.5 weeks support (ends Jan 9, 2026).
  • Grafana: Bi-monthly releases. Version 12.3.1 is latest major version patch.
  • MySQL: LTS versions (8.4) get 5 years premier + 3 years extended support. MySQL 8.0 Premier Support ended April 2025 (Extended only until April 2026). Innovation releases (9.x) have 3-4 month lifecycles.

Security Status

✅ All current images are secure - No HIGH or CRITICAL vulnerabilities detected in any version.

Trivy Scan Summary (December 23, 2025):

  • Prometheus v3.0.1: 0 HIGH/CRITICAL vulnerabilities
  • Prometheus v3.5.0: 0 HIGH/CRITICAL vulnerabilities
  • Grafana 11.4.0: 0 HIGH/CRITICAL vulnerabilities
  • Grafana 12.3.1: 0 HIGH/CRITICAL vulnerabilities
  • MySQL 8.0: 0 HIGH/CRITICAL vulnerabilities
  • MySQL 8.4: 0 HIGH/CRITICAL vulnerabilities (LTS until April 2032)

MySQL Version Decision: Update to MySQL 8.4 LTS (not generic 8.0, not innovation 9.x)

Rationale:

  • MySQL 8.0: Premier Support ended April 30, 2025, Extended Support ends April 30, 2026 (4 months remaining)
  • MySQL 8.4 LTS: Premier Support until April 30, 2029 (3+ years), Extended Support until April 30, 2032 (6+ years)
  • MySQL 9.x: Innovation releases with 3-4 month lifecycles. MySQL 9.0/9.1 already EOL, MySQL 9.5 EOL ~Feb 2026 (2-3 months)

🏗️ Architecture Requirements

DDD Layer: Infrastructure (template files)
Module Path: templates/docker-compose/
Pattern: Static template files (no code changes required)

Architectural Constraints

Implementation Plan

Phase 0: Add Tracker Version Comment (estimated: 5 minutes)

Note: Actual Tracker version update will be in separate issue after v4.0.0 release.

  • Add TODO comment in docker-compose template about pinning to v4.0.0
  • Create follow-up issue for Tracker version update

Phase 1: Update Prometheus to v3.5 LTS (estimated: 30 minutes)

Version Details:

  • Current: prom/prometheus:v3.0.1
  • Updated: prom/prometheus:v3.5.0
  • Released: July 14, 2025
  • LTS Version: 1-year support window
  • Support EOL: July 31, 2026 (7 months remaining)
  • Security: 0 HIGH/CRITICAL vulnerabilities
  • Why LTS: v3.5 LTS provides 7 months support vs v3.8.1 with only 2.5 weeks (Jan 9, 2026). LTS minimizes required updates.
  • References: Docker Hub | EOL Info

Tasks:

  • Update templates/docker-compose/docker-compose.yml.tera - Change image version to v3.5.0
  • Regenerate docker-compose template for testing environment
  • Run E2E tests to verify Prometheus functionality
  • Verify Prometheus health checks pass
  • Verify Grafana can query Prometheus data source

Phase 2: Update Grafana to 12.3.1 (estimated: 30 minutes)

Version Details:

  • Current: grafana/grafana:11.4.0
  • Updated: grafana/grafana:12.3.1
  • Released: Nov 19, 2025 (1 month ago)
  • Latest Major: Version 12.x series (latest patch: 12.3.1)
  • Support EOL: Feb 24, 2026 (2 months remaining)
  • Security: 0 HIGH/CRITICAL vulnerabilities
  • Why 12.3.1: Latest major version with newest features. Staying on 11.x would lose support sooner as 12.x matures.
  • References: Docker Hub | EOL Info

Tasks:

  • Update templates/docker-compose/docker-compose.yml.tera - Change image version to 12.3.1
  • Regenerate docker-compose template for testing environment
  • Run E2E tests to verify Grafana functionality
  • Verify Grafana health checks pass
  • Verify Grafana dashboards load correctly
  • Verify Grafana can query Prometheus metrics

Phase 3: Update MySQL to 8.4 LTS (estimated: 45 minutes)

Version Details:

  • Current: mysql:8.0 (generic tag, Premier Support ended April 2025, Extended Support ends April 2026 - 4 months remaining)
  • Updated: mysql:8.4 (explicit LTS version)
  • Released: April 10, 2024
  • Premier Support EOL: April 30, 2029 (3+ years remaining)
  • Extended Support EOL: April 30, 2032 (6+ years remaining)
  • Security: 0 HIGH/CRITICAL vulnerabilities

Why 8.4 and NOT 8.0 or 9.x:

  • 8.0: Premier Support ended April 2025, only Extended Support until April 2026 (4 months)
  • 8.4: Full Premier Support for 3+ years, Extended Support for 6+ years
  • 9.x: Innovation releases with 3-4 month lifecycles (9.0/9.1 already EOL, 9.5 EOL ~Feb 2026)
  • References: Docker Hub | EOL Info

Tasks:

  • Update templates/docker-compose/docker-compose.yml.tera to mysql:8.4
  • Document version lifecycle rationale in commit message
  • Run Trivy scan on mysql:8.4 (verify 0 HIGH/CRITICAL)
  • Run E2E tests with MySQL 8.4
  • Verify health checks pass

Acceptance Criteria

Note for Contributors: These criteria define what the PR reviewer will check. Use this as your pre-review checklist before submitting the PR to minimize back-and-forth iterations.

Quality Checks:

  • Pre-commit checks pass: ./scripts/pre-commit.sh

Image Update Criteria:

  • Comment added in docker-compose template about Tracker v4.0.0
  • Follow-up issue created for Tracker version update
  • Prometheus image updated to v3.5.0 in templates/docker-compose/docker-compose.yml.tera
  • Grafana image updated to 12.3.1 in templates/docker-compose/docker-compose.yml.tera
  • MySQL updated to 8.4 LTS (explicit version, EOL 2032)
  • All E2E tests pass with updated images
  • Health checks pass for all services (Prometheus, Grafana, MySQL)
  • Network segmentation configuration remains unchanged
  • Environment variable injection pattern preserved

Functional Verification Criteria:

  • Prometheus starts successfully and health check passes
  • Grafana starts successfully and health check passes
  • MySQL starts successfully and health check passes
  • Grafana can query Prometheus data source successfully
  • Tracker can connect to MySQL database successfully
  • Prometheus can scrape metrics from Tracker
  • All Docker networks function correctly (database_network, metrics_network, visualization_network)

Related

Related Documentation
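
A pre-review check for the image update criteria above, as an added example that is not part of the original issue or the project's code: it reads a rendered docker-compose file (the output of the `.tera` template), compares each image tag with the targets listed in this issue, and warns when the support end date from the table is close. The function names, the 90-day warning threshold and the sample compose text are assumptions made for illustration.

```python
import re
from datetime import date

# Target tag and support end date per image, copied from this issue's table.
TARGETS = {
    "prom/prometheus": ("v3.5.0", date(2026, 7, 31)),
    "grafana/grafana": ("12.3.1", date(2026, 2, 24)),
    "mysql": ("8.4", date(2032, 4, 30)),
}
IMAGE_RE = re.compile(r"^[ \t]*image:[ \t]*[\"']?([^\s\"'#]+)", re.MULTILINE)

def split_ref(ref):
    """Split 'repo[:tag][@digest]' into (repo, tag); tag is None if absent.
    Only a colon in the last path component is a tag (a registry may have a port)."""
    ref = ref.split("@", 1)[0]
    if ":" in ref.rsplit("/", 1)[-1]:
        repo, tag = ref.rsplit(":", 1)
        return repo, tag
    return ref, None

def check_compose(text, today, warn_days=90):
    """Return sorted (image, problem) findings for a rendered compose file."""
    findings, seen = [], set()
    for ref in IMAGE_RE.findall(text):
        repo, tag = split_ref(ref)
        if repo not in TARGETS:
            continue  # images this issue does not cover are ignored
        seen.add(repo)
        want, eol = TARGETS[repo]
        if tag in (None, "latest"):
            findings.append((repo, "floating tag"))
        elif tag != want:
            findings.append((repo, f"tag {tag}, expected {want}"))
        left = (eol - today).days
        if left < warn_days:
            findings.append((repo, f"{left} days of support left"))
    findings += [(r, "image not found") for r in TARGETS if r not in seen]
    return sorted(findings)

# Constructed sample: a rendered compose file where only Prometheus is still old.
SAMPLE = """\
services:
  prometheus:
    image: prom/prometheus:v3.0.1
  grafana:
    image: "grafana/grafana:12.3.1"
  mysql:
    image: mysql:8.4
"""
```

Calling `check_compose(SAMPLE, date(2025, 12, 23))` reports the outdated Prometheus tag and the short remaining support window for Grafana 12.3.1; an empty list means every covered image matches its target and is outside the warning window.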