---
id: task-012
title: 'Update critical container base images'
status: To Do
assignee: []
created_date: '2026-03-15 08:30'
labels:
  - dev-ops
  - enhancement
dependencies:
  - task-010
priority: high
---

## Description

Multiple containers are running severely outdated base images with known vulnerabilities. The prioritized upgrade list below comes from the infrastructure audit on 2026-03-15. Many compose files are on host-only paths (not accessible from the claude-dev container).

## Acceptance Criteria

- [ ] #1 CRITICAL: Upgrade p2pwiki-elasticsearch from 7.10.2 to opensearch:2.x (5 years old, Log4Shell era)
- [ ] #2 CRITICAL: Upgrade WordPress stack (5 containers) from 6.4-php8.2 to 6.7-php8.3 (compose at /opt/p2pfoundation/)
- [ ] #3 CRITICAL: Upgrade Gitea from 1.21 to 1.23 (compose at /root/gitea/)
- [ ] #4 HIGH: Upgrade ERPNext Redis from 6.2-alpine to 7-alpine (compose at /opt/erpnext/)
- [ ] #5 HIGH: Upgrade MediaWiki 1.40/1.41 to 1.42 LTS (compose at /opt/websites/p2pwiki/ and /opt/p2pfoundation/)
- [ ] #6 HIGH: Upgrade ERPNext MariaDB from 10.6 to 10.11 (compose at /opt/erpnext/)
- [ ] #7 HIGH: Upgrade p2pwiki-db MariaDB from 10.6 to 10.11 (compose at /opt/websites/p2pwiki/)
- [ ] #8 MEDIUM: Upgrade Qdrant from 1.7.4 to 1.13 (compose at /root/semantic-search/)
- [ ] #9 MEDIUM: Plan Traefik v2 to v3 migration (compose at /root/traefik/)
- [ ] #10 MEDIUM: Re-pull stale :latest images (ollama, n8n, syncthing, *arr stack, jellyfin)

## Notes

### Upgrade procedures

**Redis 6.2 → 7 (drop-in):**

```bash
# In /opt/erpnext/docker-compose.yml, change:
#   image: redis:6.2-alpine → image: redis:7-alpine
cd /opt/erpnext && docker compose up -d redis-cache redis-queue
```

**Gitea 1.21 → 1.23:**

```bash
# Backup first!
docker exec gitea-db pg_dumpall -U gitea > /tmp/gitea-backup.sql
# In /root/gitea/docker-compose.yml, change:
#   image: gitea/gitea:1.21 → image: gitea/gitea:1.23
cd /root/gitea && docker compose up -d
# Gitea handles DB migrations automatically on startup
```

**WordPress 6.4 → 6.7:**

```bash
# Backup databases first
docker exec p2p-db mariadb-dump -u root -pp2p_secure_root_2025 --all-databases > /tmp/p2p-db-backup.sql
# In /opt/p2pfoundation/docker-compose.yml, change:
#   image: wordpress:6.4-php8.2-apache → image: wordpress:6.7-php8.3-apache
cd /opt/p2pfoundation && docker compose up -d
# WP handles DB upgrades via wp-admin/upgrade.php
```

**MariaDB 10.6 → 10.11:**

```bash
# Backup first, then change image tag
# MariaDB handles upgrades automatically, but run mariadb-upgrade
# (the current name for mysql_upgrade) afterwards.
# Replace <mariadb-container> with the container name, e.g. p2pwiki-db;
# -it gives the -p password prompt a terminal.
docker exec -it <mariadb-container> mariadb-upgrade -u root -p
```

**Elasticsearch 7.10 → OpenSearch 2.x:**

This is the most complex upgrade — requires:

1. Full index backup/snapshot
2. Config migration (different env vars, plugins)
3. MediaWiki CirrusSearch extension config update
4. Reindex all content

Plan as a dedicated maintenance window.

**Traefik v2 → v3:**

Requires config migration (middleware syntax changes, entrypoint format). Use `traefik migration v2-to-v3` tool. Plan as dedicated task.

### Accessible from claude-dev container

- `/opt/websites/p2pwiki/` — p2pwiki compose (MariaDB, MediaWiki, Elasticsearch)

### Requires host access

- `/opt/erpnext/` — ERPNext (Redis, MariaDB)
- `/root/gitea/` — Gitea
- `/opt/p2pfoundation/` — WordPress stack, p2p-db
- `/root/semantic-search/` — Qdrant
- `/root/traefik/` — Traefik
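
One way to check a compose file against the version targets in the acceptance criteria, before and after each upgrade. This is an added example, not part of the original task file: the `MINIMUMS` table, the function names and the sample compose snippet are constructed here, and the image names `gitea/gitea` and `ollama/ollama` are assumed to be the ones the compose files use.

```bash
# Added example (not from the task file): flag compose image tags below the
# task's target versions, or floating on :latest / no tag.
# Minimums come from the acceptance criteria (image=minimum).
MINIMUMS='redis=7 gitea/gitea=1.23 wordpress=6.7 mariadb=10.11 mediawiki=1.42'

# check_images: compose YAML on stdin, one verdict line per image: entry.
check_images() {
  awk -v mins="$MINIMUMS" '
    BEGIN {
      n = split(mins, rows, " ")
      for (i = 1; i <= n; i++) { split(rows[i], kv, "="); min[kv[1]] = kv[2] }
    }
    # 1 if dotted version a < b, compared numerically per component,
    # so 10.6 < 10.11 (a plain string comparison gets this wrong).
    function lower(a, b,    x, y, i, na, nb, m) {
      na = split(a, x, "."); nb = split(b, y, "."); m = (na > nb) ? na : nb
      for (i = 1; i <= m; i++) {
        if ((x[i] + 0) < (y[i] + 0)) return 1
        if ((x[i] + 0) > (y[i] + 0)) return 0
      }
      return 0
    }
    /^[ \t]*image:[ \t]/ {
      ref = $2; gsub(/"/, "", ref)
      name = ref; tag = ""
      # A tag follows the last colon, unless that colon is a registry port.
      if (match(ref, ":[^:/]+$")) { name = substr(ref, 1, RSTART - 1); tag = substr(ref, RSTART + 1) }
      if (tag == "" || tag == "latest") { print "UNPINNED " ref; next }
      if (!(name in min)) { print "UNTRACKED " ref; next }
      ver = tag; sub(/^v/, "", ver); sub(/-.*/, "", ver)  # 6.4-php8.2-apache -> 6.4
      if (lower(ver, min[name])) print "STALE " ref " (need >= " min[name] ")"
      else print "OK " ref
    }'
}
# Constructed sample input; the real compose files live at the paths listed above.
sample_compose() {
  cat <<'EOF'
services:
  redis-cache:
    image: redis:6.2-alpine
  db:
    image: mariadb:10.6
  wordpress:
    image: "wordpress:6.7-php8.3-apache"
  ollama:
    image: ollama/ollama:latest
EOF
}
sample_compose | check_images
```

Against a real file, run `check_images < /opt/erpnext/docker-compose.yml`; any `STALE` or `UNPINNED` line means the corresponding acceptance criterion is still open.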