
@patrick-stephens (Collaborator) commented Oct 9, 2025

Distroless containers for Trixie/13 are now available to test: GoogleContainerTools/distroless#1851 (comment)

Most of the work was done downstream with integration testing there as well: FluentDo/agent#139

Note that Debian 13 images are still in preview so should not be merged until GA: https://github.com/GoogleContainerTools/distroless?tab=readme-ov-file#debian-13-preview


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change, please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0; by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • Chores

    • Upgraded container bases to Debian 13 (Trixie) across builder, extractor, debug, and production stages; production now uses a Debian 13 distroless variant.
    • Replaced backports-specific packages with standard Trixie equivalents and aligned runtime/build library selections across all stages.
  • Impact

    • Updated system libraries and metadata for improved security, compatibility, and consistency.
    • No user-facing functionality changes.


@coderabbitai (bot) commented Oct 9, 2025

Walkthrough

Replaces Debian Bookworm images and bookworm-backports usage with Debian Trixie variants across all Dockerfile stages; updates many library package names to Trixie-era equivalents and bumps the distroless production base from gcr.io/distroless/cc-debian12 to gcr.io/distroless/cc-debian13.

Changes

Cohort / File(s): Docker base and package migration (dockerfiles/Dockerfile)

Summary: Swapped bookworm images for trixie in builder, extractor, deb-extractor, production, and debug stages; removed bookworm-backports apt usage; replaced backport-specific package references with standard Trixie equivalents; renamed multiple libraries to Trixie-era names (examples: libssl3 → libssl3t64, libcurl4 → libcurl4t64, libgnutls30 → libgnutls30t64, libunistring2 → libunistring5); added/updated several runtime packages (e.g., libnghttp3-9, libldap2, libsystemd0); updated production base from gcr.io/distroless/cc-debian12 to gcr.io/distroless/cc-debian13.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Verify renamed packages for correct ABI/runtime compatibility and that package names match Trixie repositories.
  • Ensure removal of bookworm-backports doesn't omit required newer versions.
  • Confirm gcr.io/distroless/cc-debian13 works with the native libraries included.
  • Check debug/extractor stages for any missing tooling after package renames.

Suggested reviewers

  • niedbalski
  • edsiper
  • celalettin1286

Poem

I’m a rabbit in a Docker den,
I hopped from Bookworm to Trixie then.
Packages renamed, images take flight,
Distroless thirteen snug and light.
🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: updating Dockerfiles from Debian bookworm to Debian Trixie across multiple stages.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6110b14 and a55ea05.

📒 Files selected for processing (1)
  • dockerfiles/Dockerfile (9 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-09-14T09:46:09.531Z
Learnt from: aminvakil
Repo: fluent/fluent-bit PR: 10844
File: conf/fluent-bit:13-15
Timestamp: 2025-09-14T09:46:09.531Z
Learning: For fluent-bit Debian packaging, /opt/fluent-bit/bin/ is the appropriate installation path since the package may be installed from non-official Debian sources, making /opt compliant with FHS for optional software packages.

Applied to files:

  • dockerfiles/Dockerfile
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: PR - Docker windows build test, windows 2022 and 2025 (2025)
  • GitHub Check: PR - Docker windows build test, windows 2022 and 2025 (2022)
  • GitHub Check: PR - Buildkit docker build test
  • GitHub Check: PR - Classic docker build test
🔇 Additional comments (3)
dockerfiles/Dockerfile (3)

22-22: Bookworm-backports reference cleanly removed.

The builder-base stage now correctly pulls libsystemd-dev from the main Trixie repo without requiring backports, simplifying the dependency chain. The cmake version constraint handling is preserved.

Also applies to: 38-50


145-145: Verify libldap package duplication in deb-extractor.

The deb-extractor stage downloads both libldap-2.5 (line 145) and libldap2 (line 164), which are distinct OpenLDAP library versions. This duplication may cause unnecessary artifact bloat or symbol conflicts when the extracted libraries are copied to the production stage (line 197).

Verify whether both packages are intentional (e.g., for compatibility with different build tools) or if one should be removed for consistency.

Also applies to: 164-164


234-240: Debug stage t64 naming consistency verified and fixed.

The debug stage runtime packages now correctly use Trixie t64 suffixes: libssl3t64, libcurl4t64, libssh2-1t64, and libpsl5t64 (line 240—resolved from a prior review comment flagging inconsistency). The build-time -dev packages (line 260) are correctly unprefixed. Consistency with the deb-extractor stage is achieved.

Also applies to: 251-251, 260-260



Comment @coderabbitai help to get the list of available commands and usage tips.
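
The review items above (renamed t64 packages, leftover bookworm-backports, the debian12 distroless base, and the libldap-2.5/libldap2 duplication) can be checked mechanically per build stage. The following is an added example, not code from the PR or from CodeRabbit; the function names and the sample Dockerfile are constructed, and the rename table contains only the package names quoted in the walkthrough.

```python
import re

# Bookworm -> Trixie renames, taken only from the walkthrough quoted above.
RENAMES = {"libssl3": "libssl3t64", "libcurl4": "libcurl4t64",
           "libgnutls30": "libgnutls30t64", "libunistring2": "libunistring5"}
STALE_MARKERS = ("bookworm-backports", "gcr.io/distroless/cc-debian12")
LDAP_PAIR = {"libldap-2.5", "libldap2"}  # duplication flagged in the review

def split_stages(dockerfile):
    """Return [(stage_name, [(lineno, text), ...])], one entry per FROM."""
    stages = []
    for n, line in enumerate(dockerfile.splitlines(), 1):
        m = re.match(r"\s*FROM\s+\S+(?:\s+AS\s+(\S+))?", line, re.I)
        if m:
            stages.append((m.group(1) or f"stage{len(stages)}", []))
        if stages and not line.lstrip().startswith("#"):  # skip comments
            stages[-1][1].append((n, line))
    return stages

def audit(dockerfile):
    """Return (stage, lineno, message) findings for leftover Bookworm items."""
    findings = []
    for name, lines in split_stages(dockerfile):
        ldap_seen = {}
        for n, line in lines:
            for marker in STALE_MARKERS:
                if marker in line:
                    findings.append((name, n, f"stale reference: {marker}"))
            # Exact-token match so libssl3t64 is not mistaken for libssl3.
            for tok in re.findall(r"[a-z0-9][a-z0-9+.\-]+", line):
                if tok in RENAMES:
                    findings.append((name, n, f"{tok} should be {RENAMES[tok]}"))
                if tok in LDAP_PAIR:
                    ldap_seen[tok] = n
        if set(ldap_seen) == LDAP_PAIR:
            findings.append((name, max(ldap_seen.values()),
                             "both libldap-2.5 and libldap2 in one stage"))
    return findings

# Constructed sample, not the project's Dockerfile.
SAMPLE = r"""FROM debian:bookworm-slim AS deb-extractor
RUN echo "deb http://deb.debian.org/debian bookworm-backports main" > /etc/apt/sources.list.d/bp.list
RUN apt-get update && apt-get download \
    libssl3 libcurl4t64 \
    libldap-2.5 libldap2
FROM gcr.io/distroless/cc-debian12 AS production
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A name-level check like this only catches stale package names; it does not confirm that the extracted libraries satisfy the binary's dependencies at run time on the distroless base.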


Signed-off-by: Patrick Stephens <pat@fluent.do>

@patrick-stephens (Collaborator, Author) commented

Postgres dependencies are always the pain :(

@patrick-stephens patrick-stephens force-pushed the update_debian_13 branch 2 times, most recently from 771bc84 to 6110b14 Compare December 2, 2025 14:23
Signed-off-by: Patrick Stephens <pat@fluent.do>
@patrick-stephens (Collaborator, Author) commented

Seems to be ok and stable so going to merge to at least get things available for folks to test

@patrick-stephens patrick-stephens merged commit 3766511 into master Dec 3, 2025
19 checks passed
@patrick-stephens patrick-stephens deleted the update_debian_13 branch December 3, 2025 10:01

Development

Successfully merging this pull request may close these issues.

Provide official fluentbit docker image based on new Debian Trixie (13)
