chore: update to Debian 13 #4536
polarathene
left a comment
Please clarify these changes
- disabled Rspamd upstream repository
The associated commits and PR description on this change have limited context as to why? Could you clarify please?
Associated commits:
EDIT: Presumably because Rspamd has not published a package yet for Trixie 😅
UPDATE: Upstream may be against offering a package repo with multiple versions for reproducibility, might be worthwhile defaulting to Debian package with opt-in build for newer upstream release like we have for Dovecot?
- added fallback for DOVECOT_COMMUNITY_REPO:-0
This should always inherit the ARG default set within our Dockerfile? Is it just an added precaution for some reason, or a code smell you're tackling? (I'm not against it, just seeking clarification)
Line 7 in e448b5e:
ARG DOVECOT_COMMUNITY_REPO=0
- fixed LZ4 package name for Amavis
Was this only an issue with Debian 13? Did the package name change, or have we been installing the wrong package? 🤔
TODO: Cherry-pick / refactor out of the PR?
Given this upgrade has some notable breaking changes from packages like Dovecot 2.3 => 2.4 alone, I'd rather the PR stays minimally focused on the changes pertaining to the actual blockers of the upgrade to Debian 13 being resolved.
Anything else is noise to the diff for reviewers 😓
- bumped versions of jaq and step
chore: bump version of jaq and step - Newer versions may be released closer to this PR getting merged, these don't pertain to any blockers either?
- removed Pyzor and Razor for easier installation maintenance
Likewise, probably worth extracting chore: remove Pyzor and Razor to a separate PR?
- switched to .sources format (from .list)
Likewise with the APT third-party repos .list format migration to DEB822 .sources, which as I've documented previously is already in use with Debian 12 official repos.
Same for some changes made that the PR description hasn't mentioned, like:
- Resolving the Postfix DH params file warning/deprecation which isn't necessary in this PR to resolve blockers from tests. I've opened a separate issue for that task.
- fix: Postfix: disable_dns_lookups => smtp_dns_support_level (old setting was superseded) which is for Amavis master.cf SMTP service, to send filtered mail back into Postfix queue. Refs: disable_dns_lookups (default no), smtp_dns_support_level (effectively defaults to enabled, unless either setting is set explicitly)
| # path given in the mail_driver+mail_path settings. | ||
|
|
||
| # ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_driver | ||
| mail_driver = maildir | ||
| # ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_path | ||
| mail_path = /var/mail/%d/%n |
NOTE: This comment is for reference only.
mail_location setting was split into multiple individual settings, where we use mail_driver + mail_path.
Documented in Dovecot 2.3 => 2.4 changes required for DMS under General mail settings: #4447
As my issue on the Dovecot migration detailed (and a related user comment), the shorthand vars like %d and %n are not valid anymore.
| # path given in the mail_driver+mail_path settings. | |
| # ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_driver | |
| mail_driver = maildir | |
| # ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_path | |
| mail_path = /var/mail/%d/%n | |
| # path of `mail_path`. | |
| # ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_driver | |
| mail_driver = maildir | |
| # ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_path | |
| mail_path = /var/mail/%{user | domain}/%{user | username} |
NOTE: The comment change is a bit incomplete to suggest via the GH web UI diff suggestion above, as the whole comment block probably needs to be revised for Dovecot 2.4.
- Mailbox root detection seems to rely on scanning fixed paths unless explicitly set via mail_path (previously derived from a substring of mail_location in Dovecot 2.3).
- While our docs (and tests) have some mention of mbox support, Dovecot has more visible deprecation warnings of its support and its "mail location" section likewise discourages it in favor of dbox or our DMS default, maildir.
- That block comment is about mbox, and I don't think we really see much user engagement about its usage so I think it's safe for us to drop any support of such officially on our end 🤔
NOTE: While we're only configuring mail_driver + mail_path here, it seems that mail_path can be absolute or refer to mail_home as a base/prefix via ~ (which Dovecot 2.3 also supported via %h), as is shown in the Dovecot 2.4 Quick start example:
mail_home = /srv/mail/%{user}
mail_driver = sdbox
mail_path = ~/mail
mail_path docs insist on an absolute path, and I assume the ~ syntax for mail_home as a prefix is still considered an absolute path in that sense.
Contrary to advice there for mail_path to be a subdirectory, we seem to have configured the inverse by having mail_home refer to a subdirectory instead:
mail_home = /var/mail/%d/%n/home/
mail_path = /var/mail/%d/%n
instead of:
mail_home = /var/mail/%d/%n
mail_path = ~/mail
Too late to mess with that though 😓
TODO: mail_home will also need to be updated as well due to usage of the shorthand vars:
mail_home = /var/mail/%{user | domain}/%{user | username}/home
| fields { | ||
| uid:default = docker | ||
| gid:default = docker | ||
| home:default = /var/mail/%{user | domain}/%{user | username}/home/ |
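Review bot: `home:default` on the last line of this block uses the long-form `%{user | domain}` / `%{user | username}` variables, while the `mail_path` line earlier in this PR still reads `/var/mail/%d/%n`. Convert both in the same commit so the home directory and the mail root are built from the same expressions, and settle on one convention for the trailing slash on the home path.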
While %{user | username} is desirable, it is not a migration specific change but rather a separate bug fix to consider. As you'll notice we had %u (aka %{user}) not %n (aka %{user | username}), but since this field should be set already I think in this case it may be fine.
Possibly been an issue in DMS with LDAP I think (fairly sure I've seen a problem somewhere, but I'm also not sure if the setting here is assumed to be the prior setting). Might need to consider deferring the change to a separate PR with changelog entry 🤔
NOTE: This comment is for reference only.
Documented in Dovecot 2.3 => 2.4 changes required for DMS under AUTH subsections PassDB + UserDB: #4447
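The short-form to long-form variable rewrite discussed in this thread (`%u`, `%n`, `%d`), as an added example that is not part of the PR or of docker-mailserver's code. The function names and the sample text are assumptions made for illustration; any other short variable is reported for manual review instead of being guessed.

```python
import re

# Short-form -> long-form pairs, as given in the review thread.
LONG_FORM = {"u": "%{user}", "n": "%{user | username}", "d": "%{user | domain}"}

# "%", optional padding/width, then letters. "%{...}" never matches ("{" is
# not a letter) and an escaped "%%" is skipped by the lookbehind.
SHORT_VAR = re.compile(r"(?<!%)%(-?[0-9.]*[A-Za-z]+)")


def migrate_line(line):
    """Return (rewritten_line, unresolved_tokens) for one config line."""
    if line.lstrip().startswith("#"):
        return line, []  # comments are left alone
    unresolved = []

    def swap(match):
        long_form = LONG_FORM.get(match.group(1))
        if long_form is None:  # e.g. %h or %Lu: no mapping in the thread
            unresolved.append(match.group(0))
            return match.group(0)
        return long_form

    return SHORT_VAR.sub(swap, line), unresolved


def migrate_config(text):
    """Rewrite every line; report (line_number, token) for anything left."""
    out, report = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        new_line, unresolved = migrate_line(line)
        out.append(new_line)
        report.extend((number, token) for token in unresolved)
    return "\n".join(out), report


# Constructed sample: lines 1-4 are quoted in the thread, line 5 is made up.
SAMPLE = """\
# path given in the mail_driver+mail_path settings.
mail_driver = maildir
mail_path = /var/mail/%d/%n
mail_home = /var/mail/%d/%n/home/
mail_path = %h/mail
"""

if __name__ == "__main__":
    print(*migrate_config(SAMPLE), sep="\nneeds manual review: ")
```

Running it over a config before the Dovecot 2.4 upgrade leaves already-migrated `%{...}` expressions untouched, so it is safe to re-run.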
| # we need this early for the creation of accounts like 'clamav' | ||
| adduser |
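Review bot: the comment on the first line says why `adduser` is needed early (creating accounts like 'clamav') but not why it now has to be listed explicitly. The commit message states that `adduser` is not available by default on Debian 13; putting that in the comment would keep a later cleanup from dropping the package as redundant.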
I was unable to find context for why this was no longer available in existing Debian 13 changelog/notes 🤔 Seems odd, perhaps it'll return upon actual release 🤷♂️
I found that strange too, but it is still missing in the latest trixie-slim image.
There are some suggestions I made that I'll apply, I can tackle below tasks as well, this comment just serves as a more condensed overview of my verbose review. Actionables:
Tasks
PS: I've started rebasing this branch and removing commits that already or will soon belong to individual PRs.
d73fa60 to ae4efa5
Signed-off-by: Georg Lauterbach <[email protected]>
This is required because `adduser` is not available by default on Debian 13.
Signed-off-by: Georg Lauterbach <[email protected]>
Error as posted by Postfix:
```txt
postconf: warning: /etc/postfix/main.cf: support for parameter "smtpd_tls_dh1024_param_file" will be removed; instead, do not specify (leave at default)
```
Signed-off-by: Georg Lauterbach <[email protected]>
ae4efa5 to 73ca10c
Documentation preview for this PR is ready! 🎉 Built with commit: 73ca10c

Description
Important
This PR is currently a draft. We can use it to adopt changes with the upcoming release of Debian 13 early. We will not be merging this PR before Debian 13.1 has been released, approximately in September, 2025.
Maintainers are welcome to contribute to this PR. No need to ask for permission :)
This PR updates our base image to Debian 13. This includes the following changes:
FROM directive package.sh VERSION_CODENAME Dockerfile because adduser now needs to be installed first DOVECOT_COMMUNITY_REPO:-0
Open Tasks
plugins section still exist passdb definitions were updated
Closes Issues
Closes #4447
Fixes #4466
Resolves #4512
Type of change
Checklist
docs/) CHANGELOG.md