id: task-012
title: Update critical container base images
status: To Do
assignee:
created_date: 2026-03-15 08:30
labels: dev-ops, enhancement
dependencies: task-010
priority: high

Description

Multiple containers are running severely outdated base images with known vulnerabilities. The prioritized upgrade list below comes from the infrastructure audit on 2026-03-15. Many compose files are on host-only paths (not accessible from the claude-dev container).

Acceptance Criteria

  • #1 CRITICAL: Upgrade p2pwiki-elasticsearch from 7.10.2 to opensearch:2.x (5 years old, Log4Shell era)
  • #2 CRITICAL: Upgrade WordPress stack (5 containers) from 6.4-php8.2 to 6.7-php8.3 (compose at /opt/p2pfoundation/)
  • #3 CRITICAL: Upgrade Gitea from 1.21 to 1.23 (compose at /root/gitea/)
  • #4 HIGH: Upgrade ERPNext Redis from 6.2-alpine to 7-alpine (compose at /opt/erpnext/)
  • #5 HIGH: Upgrade MediaWiki 1.40/1.41 to 1.42 LTS (compose at /opt/websites/p2pwiki/ and /opt/p2pfoundation/)
  • #6 HIGH: Upgrade ERPNext MariaDB from 10.6 to 10.11 (compose at /opt/erpnext/)
  • #7 HIGH: Upgrade p2pwiki-db MariaDB from 10.6 to 10.11 (compose at /opt/websites/p2pwiki/)
  • #8 MEDIUM: Upgrade Qdrant from 1.7.4 to 1.13 (compose at /root/semantic-search/)
  • #9 MEDIUM: Plan Traefik v2 to v3 migration (compose at /root/traefik/)
  • #10 MEDIUM: Re-pull stale :latest images (ollama, n8n, syncthing, *arr stack, jellyfin)

Notes

Upgrade procedures

Redis 6.2 → 7 (drop-in):

# In /opt/erpnext/docker-compose.yml, change:
#   image: redis:6.2-alpine → image: redis:7-alpine
cd /opt/erpnext && docker compose up -d redis-cache redis-queue

Gitea 1.21 → 1.23:

# Backup first!
docker exec gitea-db pg_dumpall -U gitea > /tmp/gitea-backup.sql
# In /root/gitea/docker-compose.yml, change:
#   image: gitea/gitea:1.21 → image: gitea/gitea:1.23
cd /root/gitea && docker compose up -d
# Gitea handles DB migrations automatically on startup

WordPress 6.4 → 6.7:

# Backup databases first
docker exec p2p-db mariadb-dump -u root -pp2p_secure_root_2025 --all-databases > /tmp/p2p-db-backup.sql
# In /opt/p2pfoundation/docker-compose.yml, change:
#   image: wordpress:6.4-php8.2-apache → image: wordpress:6.7-php8.3-apache
cd /opt/p2pfoundation && docker compose up -d
# WP handles DB upgrades via wp-admin/upgrade.php

MariaDB 10.6 → 10.11:

# Backup first, then change image tag
# MariaDB handles upgrades automatically, but run mariadb-upgrade after
docker exec <container> mariadb-upgrade -u root -p<password>

Elasticsearch 7.10 → OpenSearch 2.x:

This is the most complex upgrade. It requires:

  1. Full index backup/snapshot
  2. Config migration (different env vars, plugins)
  3. MediaWiki CirrusSearch extension config update
  4. Reindex all content

Plan as a dedicated maintenance window.

Traefik v2 → v3:

Requires config migration (middleware syntax changes, entrypoint format). Use traefik migration v2-to-v3 tool. Plan as dedicated task.

Accessible from claude-dev container

  • /opt/websites/p2pwiki/ — p2pwiki compose (MariaDB, MediaWiki, Elasticsearch)

Requires host access

  • /opt/erpnext/ — ERPNext (Redis, MariaDB)
  • /root/gitea/ — Gitea
  • /opt/p2pfoundation/ — WordPress stack, p2p-db
  • /root/semantic-search/ — Qdrant
  • /root/traefik/ — Traefik
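
A check for the acceptance criteria above, as an added example that is not part of the task file or the project's tooling: it reads compose text and flags images still below the target versions, plus floating tags such as :latest (criterion #10). The names audit_images, TARGETS and SAMPLE_COMPOSE are hypothetical, the mariadb repository name is an assumption, and the sample compose text is constructed.

```shell
# Minimum versions from the acceptance criteria, as repo=version pairs
# (hypothetical variable names; "mariadb" as the repository name is an assumption).
TARGETS='redis=7 gitea/gitea=1.23 wordpress=6.7 mariadb=10.11'

# Constructed sample; in practice feed a real docker-compose.yml on stdin.
SAMPLE_COMPOSE='services:
  redis-cache:
    image: redis:6.2-alpine
  erpnext-db:
    image: mariadb:10.6
  p2pwiki-db:
    image: mariadb:10.11
  wordpress:
    image: wordpress:6.4-php8.2-apache
  jellyfin:
    image: jellyfin/jellyfin:latest'

# Reads compose text on stdin, prints "<STATUS> <image ref>" per image line.
audit_images() {
  awk -v targets="$TARGETS" '
    # Component-wise numeric compare, so 10.6 sorts below 10.11.
    function older(a, b,   x, y, n, m, i) {
      n = split(a, x, "."); m = split(b, y, ".")
      for (i = 1; i <= (n > m ? n : m); i++) {
        if (x[i] + 0 < y[i] + 0) return 1
        if (x[i] + 0 > y[i] + 0) return 0
      }
      return 0
    }
    BEGIN {
      k = split(targets, pair, " ")
      for (i = 1; i <= k; i++) { split(pair[i], f, "="); min[f[1]] = f[2] }
    }
    /^[ \t]*image:/ {
      ref = $2; gsub(/"/, "", ref)
      if (ref ~ /@sha256:/) { print "DIGEST", ref; next }   # pinned by digest
      n = split(ref, p, ":")
      tag = (n > 1 && p[n] !~ /\//) ? p[n] : ""
      repo = (tag == "") ? ref : substr(ref, 1, length(ref) - length(tag) - 1)
      ver = tag; sub(/-.*/, "", ver)        # 6.4-php8.2-apache -> 6.4
      if (tag !~ /^[0-9]/)            status = "UNPINNED"   # latest, none, floating
      else if (!(repo in min))        status = "NO-TARGET"
      else if (older(ver, min[repo])) status = "OUTDATED"
      else                            status = "OK"
      print status, ref
    }'
}

printf '%s\n' "$SAMPLE_COMPOSE" | audit_images
```

Run it against a real file with `audit_images < /opt/erpnext/docker-compose.yml` on a host that can read that path.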