F.15: Pin all bundle image tags to verified upstream semver #22

Open
kh0pper wants to merge 1 commit into f14-fediverse-admin-panel from f15-image-tag-pins

Conversation

@kh0pper kh0pper commented Apr 12, 2026

**Summary**

Follow-up #3 after Phase 2. Pre-merge image-tag hygiene pass. Every floating / unverified tag in the federated-bundle compose files now points at a specific semver version verified on Docker Hub as of 2026-04-12.

Also fixes a material image-name bug from F.4 Funkwhale — the original compose referenced funkwhale/funkwhale:1.4 and funkwhale/nginx:1.4, neither of which exist on Docker Hub. Funkwhale 2.x split the old monolithic image into funkwhale/api + funkwhale/front; this PR swaps in the real images pinned to 2.0.1.

**Pin table**

| Bundle | Before | After |
| --- | --- | --- |
| peertube | chocobozzz/peertube:production-bookworm | :v8.1.5-bookworm |
| pixelfed | zknt/pixelfed:0.12 | :2026-03-24 (zknt switched to date tags) |
| lemmy | dessalines/lemmy:0.19 | :0.19.17 |
| lemmy-ui | dessalines/lemmy-ui:0.19 | :0.19.17 |
| pict-rs | asonix/pictrs:0.5 | :0.5.23 |
| dendrite | :v0.13.8 | :v0.15.2 |
| gotosocial | :0.18.0 | :0.21.2 |
| writefreely | :0.15 (didn't exist) | :0.12.0 |
| mautrix/signal | :latest | :v0.8.0 |
| mautrix/telegram | :latest | :v0.15.3 |
| mautrix/whatsapp | :latest | :v0.11.2 |

postgres:15-alpine, postgres:16-alpine, redis:7-alpine keep their alpine-major floats per policy (security patches within a major without breaking changes).

**Funkwhale — material bug fix**

funkwhale/funkwhale:1.4 doesn't exist — that repo stops at 1.2.10. Funkwhale 2.x split into:

- funkwhale/api:2.0.1 — Django backend (gunicorn on :5000)
- funkwhale/front:2.0.1 — Static SPA (nginx-served on :80)

funkwhale/nginx never existed as a standalone image. The official Funkwhale compose has no nginx sidecar; it assumes operator-layer reverse-proxy handles the split.

This PR:

- Swaps api/celeryworker/celerybeat to funkwhale/api:2.0.1
- Replaces the phantom nginx service with a real funkwhale/front:2.0.1 service
- Updates the manifest note and compose header to document the new Caddy split-routing requirement: /api/*, /federation/*, /.well-known/webfinger → api:5000; everything else → front:80
- A dedicated Caddy funkwhale profile that codifies path-based split is deferred to a follow-up (the existing activitypub profile is single-upstream)

**Verified**

- docker compose config --quiet clean on all 9 bundles with required env vars
- Tag existence for non-mautrix images verified via hub.docker.com API
- mautrix tags cross-referenced against the project's documented release lines
- npm run check passes

**What this PR does NOT do**

- Not @sha256: pinned. Semver is sufficient for policy + reviewable diffs; full digest pinning is a separate hardening pass.
- Not live-tested. Dendrite v0.13 → v0.15, mastodon v4.3, funkwhale 2.x migration each need care on real hosts.
- Not resource-profile-updated. Manifest min_ram_mb / recommended_ram_mb values are unchanged; newer versions may have shifted footprints.

**Rollout position**

Stacked on F.14.

🤖 Generated with Claude Code
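As an added example (not code from this PR or its repository), the following Python script turns the tag policy described above into a lint that can run in CI over the bundle compose files: every `image:` must carry a full semver tag, a `v`-prefixed semver tag with an optional suffix such as `-bookworm`, a `YYYY-MM-DD` date tag, or a digest, and the only tolerated floats are postgres/redis on an alpine-major line. The `hub_tag_url` helper builds a Docker Hub v2 tag URL for an existence check; the PR does not say which Hub endpoint was used, so that endpoint is an assumption, and references on `dock.mau.dev` yield `None` because that registry requires auth to list tags. The compose text in `SAMPLE_COMPOSE` is constructed for the demo.

```python
"""Floating-tag audit for compose files (added example, not repository code).

Policy encoded here, per the PR description: every `image:` needs a release
tag (semver, v-semver with optional suffix, YYYY-MM-DD date tag, or digest);
postgres/redis may float on an alpine-major line; everything else is flagged.
"""
import re

# Pin-policy patterns (assumptions derived from the PR description).
ALPINE_MAJOR_FLOAT = re.compile(r"^(postgres|redis):\d+-alpine$")
SEMVER_TAG = re.compile(r"^v?\d+\.\d+\.\d+(?:[-.][0-9A-Za-z.]+)?$")
DATE_TAG = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Line-based scan of `image:` keys; deliberately not a full YAML parser.
IMAGE_LINE = re.compile(r"""^\s*image:\s*['"]?([^'"\s#]+)""")

# Constructed sample: a mix of floating, policy-float and pinned references.
SAMPLE_COMPOSE = """\
services:
  lemmy:
    image: dessalines/lemmy:0.19
  lemmy-ui:
    image: "dessalines/lemmy-ui:0.19.17"
  peertube:
    image: chocobozzz/peertube:production-bookworm
  pixelfed:
    image: zknt/pixelfed:2026-03-24
  signal:
    image: dock.mau.dev/mautrix/signal:latest
  db:
    image: postgres:16-alpine
  cache:
    image: redis:7-alpine
"""


def split_ref(ref):
    """Split an image reference into (name, tag, digest); tag/digest may be None."""
    name, _, digest = ref.partition("@")
    slash, colon = name.rfind("/"), name.rfind(":")
    # A ':' denotes a tag only after the last '/', so registry ports are not mistaken for tags.
    if colon > slash:
        return name[:colon], name[colon + 1:], digest or None
    return name, None, digest or None


def classify(ref):
    """Return 'pinned', 'policy-float' or 'floating' for one image reference."""
    name, tag, digest = split_ref(ref)
    if digest:
        return "pinned"  # content-addressed; stronger than any tag
    if tag is None or tag == "latest":
        return "floating"
    short = name.split("/")[-1]  # 'postgres' whether written bare or as docker.io/library/postgres
    if ALPINE_MAJOR_FLOAT.match(f"{short}:{tag}"):
        return "policy-float"
    if SEMVER_TAG.match(tag) or DATE_TAG.match(tag):
        return "pinned"
    return "floating"  # major-only (0.19), branch-style (production-bookworm), ...


def audit(compose_text):
    """Map every image reference found in the compose text to its verdict."""
    verdicts = {}
    for line in compose_text.splitlines():
        m = IMAGE_LINE.match(line)
        if m:
            verdicts[m.group(1)] = classify(m.group(1))
    return verdicts


def floating_refs(compose_text):
    """Sorted list of references that violate the pin policy."""
    return sorted(ref for ref, v in audit(compose_text).items() if v == "floating")


def hub_tag_url(ref):
    """Docker Hub v2 tag URL for an existence check (assumed endpoint; HTTP 200 iff the tag exists).

    Returns None for refs with no tag and for refs on other registries, e.g.
    dock.mau.dev, which needs auth to list tags.
    """
    name, tag, _ = split_ref(ref)
    if tag is None:
        return None
    parts = name.split("/")
    first = parts[0]
    if "." in first or ":" in first or first == "localhost":  # explicit registry host
        if first != "docker.io":
            return None
        parts = parts[1:]
    if len(parts) == 1:  # official images live under the 'library' namespace
        parts = ["library"] + parts
    return f"https://hub.docker.com/v2/repositories/{'/'.join(parts)}/tags/{tag}"


if __name__ == "__main__":
    for ref in floating_refs(SAMPLE_COMPOSE):
        print(f"FLOATING      {ref}")
    for ref, verdict in audit(SAMPLE_COMPOSE).items():
        if verdict != "floating":
            print(f"{verdict:<13} {ref}  ->  {hub_tag_url(ref)}")
```

Run against the sample it reports the three floating references (`lemmy:0.19`, `peertube:production-bookworm`, `mautrix/signal:latest`) and prints a Hub URL for the pinned Docker Hub references, which a CI job could fetch to confirm each tag still exists; the digest check is kept in `classify` so the script keeps working once the separate `@sha256:` pinning pass lands.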

Follow-up #3 after Phase 2. Replaces floating / unverified image tags
with concrete pinned versions per the plan's image-tag policy. All
pins verified against Docker Hub tag listings on 2026-04-12 (the
exception is mautrix/* which lives on dock.mau.dev's GitLab registry
and requires auth to list — those are pinned from the mautrix project
release notes).

**Pins**

  chocobozzz/peertube:production-bookworm   → :v8.1.5-bookworm
  zknt/pixelfed:0.12                        → :2026-03-24
    (zknt switched to date-stamp tags; 0.12 semver line doesn't exist)
  dessalines/lemmy:0.19                     → :0.19.17
  dessalines/lemmy-ui:0.19                  → :0.19.17
  asonix/pictrs:0.5                         → :0.5.23
  matrixdotorg/dendrite-monolith:v0.13.8    → :v0.15.2
  superseriousbusiness/gotosocial:0.18.0    → :0.21.2
  writeas/writefreely:0.15                  → :0.12.0
    (0.15 didn't exist — latest is 0.12.0 per Docker Hub)
  dock.mau.dev/mautrix/signal:latest        → :v0.8.0
  dock.mau.dev/mautrix/telegram:latest      → :v0.15.3
  dock.mau.dev/mautrix/whatsapp:latest      → :v0.11.2

Postgres + Redis base images keep their alpine-major float (:15-alpine,
:16-alpine, :7-alpine) — these are policy-appropriate as they auto-
receive security patches within a major without breaking changes.

**Funkwhale — fixed a material image-name bug from F.4**

The F.4 compose referenced `funkwhale/funkwhale:1.4` and
`funkwhale/nginx:1.4`. Neither image exists on Docker Hub:

  - `funkwhale/funkwhale` stops at 1.2.10. Funkwhale 2.x split into
    `funkwhale/api` (Django backend) + `funkwhale/front` (SPA).
  - `funkwhale/nginx` never existed as a separate image — the official
    Funkwhale compose has no nginx sidecar; it expects the operator's
    reverse-proxy (Caddy in our case) to split-route API vs frontend.

This PR swaps in the real 2.x images pinned to `2.0.1` (current stable
matched across api + front), drops the phantom nginx service, and
adds a new `front` service that serves the SPA. The manifest note and
compose file header both document the new routing requirement: Caddy
must split `/api/*`, `/federation/*`, `/.well-known/webfinger` →
funkwhale-api:5000, everything else → funkwhale-front:80. A dedicated
Caddy `funkwhale` profile that codifies this lands in a follow-up
(the current `activitypub` profile is single-upstream; doesn't support
path-based split without per-path matchers).

**Verified**

- `docker compose config --quiet` passes on all 9 bundles with
  required env vars set (signal fed back from the CLI run — no
  warnings, clean exit)
- Tag existence verified via hub.docker.com API for non-mautrix images
- mautrix tags cross-referenced against the mautrix project's
  publicly-documented release cadence (signal 0.8, telegram 0.15,
  whatsapp 0.11 were the stable lines at implementation time)
- npm run check still passes

**What this does NOT do**

- Does not pin to @sha256: digests. Semver tags are sufficient for
  policy + reviewable-diff purposes; full digest pinning is a
  separate hardening pass that needs a `docker pull` environment.
- Does not verify each target app boots with the new image. That's
  a live-install verification task that needs real hosts + network
  egress (mastodon v4.3.0, dendrite v0.15.2 bump, funkwhale 2.x
  migration — each requires care).
- Does not bump any manifest min_ram_mb / recommended_ram_mb values.
  New versions may have shifted resource profiles; worth a separate
  profiling pass on a live host.
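The split routing the commit message describes, written out as a Caddy v2 site block. This is an added example, not the deferred `funkwhale` profile from the repository: `funkwhale.example.invalid` is a placeholder hostname, `funkwhale-api` and `funkwhale-front` are the compose service names given above, and only the three path prefixes named in the commit message are sent to the API.

```caddyfile
# Added example (not part of this PR). Placeholder hostname; service names
# funkwhale-api / funkwhale-front are those stated in the commit message.
funkwhale.example.invalid {
    # Named matcher for the backend paths that must reach the Django API.
    @api path /api/* /federation/* /.well-known/webfinger

    # handle blocks are mutually exclusive: the matched one wins, the bare
    # one is the fallback, so ordering does not depend on directive sorting.
    handle @api {
        reverse_proxy funkwhale-api:5000
    }
    handle {
        reverse_proxy funkwhale-front:80
    }
}
```

Using `handle` blocks rather than two bare `reverse_proxy` lines keeps the split explicit and auditable: anything not listed in `@api` can only ever reach the static front image, which is the property an operator wants to be able to read off the config when the existing single-upstream `activitypub` profile is replaced.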