Skip to content

Upgrade distroless base from Debian 12 to Debian 13#101678

Merged
motsc merged 1 commit intoClickHouse:masterfrom
motsc:distroless-debian13
Apr 3, 2026
Merged

Upgrade distroless base from Debian 12 to Debian 13#101678
motsc merged 1 commit intoClickHouse:masterfrom
motsc:distroless-debian13

Conversation

@motsc
Copy link
Copy Markdown
Contributor

@motsc motsc commented Apr 2, 2026

Upgrades the distroless base image for server and keeper from
gcr.io/distroless/cc-debian12 to gcr.io/distroless/cc-debian13.

This brings glibc from 2.36 to 2.41 and OpenSSL from 3.0.18 to 3.5.5,
eliminating all reachable CVEs reported by Mend (14 reachable on Debian 12
→ 0 reachable on Debian 13). The 12 remaining findings on Debian 13 are
all ancient disputed glibc issues (2010–2019) marked unreachable.

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

Upgrade distroless Docker image base from Debian 12 (glibc 2.36, OpenSSL 3.0) to Debian 13 (glibc 2.41, OpenSSL 3.5), reducing CVE surface to zero reachable vulnerabilities.

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

@motsc
feat: upgrade distroless base from Debian 12 to Debian 13
5c30fd9 
Upgrades the distroless base image from `cc-debian12` to `cc-debian13`
for both server and keeper. This brings glibc from 2.36 to 2.41 and
OpenSSL from 3.0.18 to 3.5.5, eliminating all reachable CVEs found by
Mend (18 total on Debian 12, 14 reachable → 12 total on Debian 13,
0 reachable).
@clickhouse-gh
Copy link
Copy Markdown
Contributor

clickhouse-gh Bot commented Apr 2, 2026
edited
Loading

Workflow [PR], commit [5c30fd9]

Summary:

AI Review

Summary

This PR updates docker/server/Dockerfile.distroless and docker/keeper/Dockerfile.distroless to pinned Debian 13 distroless bases (production and debug variants). The change is scoped, symmetric across server/keeper, and preserves digest pinning, so supply-chain immutability remains intact. I did not find correctness, safety, performance, or compatibility issues in the modified code.

ClickHouse Rules
Item Status Notes
Deletion logging
Serialization versioning
Core-area scrutiny
No test removal
Experimental gate
No magic constants
Backward compatibility
SettingsChangesHistory.cpp
PR metadata quality
Safe rollout
Compilation time
Final Verdict
  • Status: ✅ Approve

@clickhouse-gh clickhouse-gh Bot added the pr-improvement Pull request with some product improvements label Apr 2, 2026
@motsc motsc requested a review from maxknv April 3, 2026 00:58
@motsc motsc added this pull request to the merge queue Apr 3, 2026
Merged via the queue into ClickHouse:master with commit 67f06eb Apr 3, 2026
163 checks passed
@motsc motsc deleted the distroless-debian13 branch April 3, 2026 01:10
@robot-clickhouse-ci-1 robot-clickhouse-ci-1 added the pr-synced-to-cloud The PR is synced to the cloud repo label Apr 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maxknv maxknv Awaiting requested review from maxknv

Assignees

No one assigned

Labels

pr-improvement Pull request with some product improvements pr-synced-to-cloud The PR is synced to the cloud repo

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@motsc @robot-clickhouse-ci-1