2 changes: 1 addition & 1 deletion Dockerfile
@@ -41,7 +41,7 @@ ENV SQLX_OFFLINE=true
RUN cargo build --release -p dwctl

# Runtime stage
FROM ubuntu:24.04
FROM ubuntu:26.04


Non-blocking: Base image size increase consideration.

Why it matters: According to Docker Hub data, ubuntu:26.04 is approximately 39.63 MB (amd64) compared to ubuntu:24.04 at 28.36 MB — an ~11 MB (~40%) increase. While this is acceptable for most deployments, it's worth being aware of for environments with many containers or bandwidth-constrained deployments.

Suggested fix: No code change required. Simply acknowledge this tradeoff. The newer LTS version provides updated security patches and extends the support window through 2031 (standard) and 2036 (with ESM).


Non-blocking: Verify this base image upgrade works correctly before deploying to production.

Why it matters: Ubuntu 26.04 LTS (Resolute Raccoon) was released on April 23, 2026 - only about a month ago. While it's an official LTS release with proper Docker Hub support, upgrading to such a recent base OS carries risks:

  1. Package availability: Runtime packages (ca-certificates, curl, libxml2, tzdata) and build packages (pkg-config, libssl-dev) need to be verified as available with compatible versions
  2. Binary compatibility: The glibc and OpenSSL versions in Ubuntu 26.04 may differ from 24.04, potentially affecting the compiled Rust binary
  3. User existence: The ubuntu user (used in line 64 for chown) is conventionally created in Ubuntu Docker images, but this should be verified for 26.04

Suggested fix: Build the Docker image locally with this change and run the full test suite:

docker build -t test-control-layer:ubuntu26 .
docker run --rm test-control-layer:ubuntu26 --help
# Run integration tests against the container

Once verified working, this change can be safely merged. Consider adding a comment or documentation note about the Ubuntu version requirement for future maintainers.


Non-blocking: Ubuntu 26.04 LTS is only ~1 month old (released April 21, 2026). While it's now the official latest tag, adopting such a new base OS for production carries some risk.

Why it matters: New LTS releases can have undiscovered bugs, package incompatibilities, or security issues that take time to surface. For a production AI gateway handling sensitive requests, stability should be prioritized over being on the cutting edge.

The current runtime dependencies (ca-certificates, curl, libxml2, tzdata) should work fine, but version differences between 24.04 and 26.04 could introduce subtle behavioral changes.

Suggested fix: Either:

  1. Wait 2-3 more months before merging (re-evaluate in Q3 2026), OR
  2. Merge now but ensure thorough testing in staging environment with representative load before deploying to production, OR
  3. Add a comment in the Dockerfile noting when this was updated and why, for future maintainers


Blocking: This change will break the Docker build.

Why it matters: In Ubuntu 26.04 (resolute), the libxml2 package has been renamed to libxml2-16 to reflect the library's major version (2.15.2). The current Dockerfile specifies libxml2 on line 50, which will fail with "Unable to locate package libxml2" when building with Ubuntu 26.04.

Evidence from Ubuntu package database:

  • Ubuntu 24.04 (noble): libxml2 (2.9.14)
  • Ubuntu 26.04 (resolute): libxml2-16 (2.15.2) - note there is no libxml2 package in resolute

Suggested fix: Update line 50 to use libxml2-16 instead of libxml2:

RUN apt-get update && apt-get install -y \
    ca-certificates \
    curl \
    libxml2-16 \
    tzdata \
    && rm -rf /var/lib/apt/lists/*

Alternatively, consider using a more stable base like ubuntu:latest or pinning to an LTS version that won't have breaking package renames during the project's lifecycle.


Non-blocking: Base image updated to Ubuntu 26.04 LTS (Resolute Raccoon, released April 2026).

Why it matters: This is a major version jump from 24.04 LTS. While Ubuntu 26.04 is a valid LTS release, any base image change should be validated to ensure:

  1. The runtime dependencies (ca-certificates, curl, libxml2, tzdata) install without issues
  2. The compiled binary runs correctly in the new environment
  3. No unexpected library incompatibilities between the Debian-based builder stage and Ubuntu 26.04 runtime

The cargo-chef builder uses Debian slim (lukemathwalker/cargo-chef:latest-rust-1.93.0-slim), so the binary is compiled against glibc and libraries from Debian. Running it on Ubuntu 26.04 should work (both are glibc-based and generally compatible), but this cross-distro pattern is worth validating.

Suggested fix: After building the image, run a quick smoke test:

docker build -t control-layer:test .
docker run --rm control-layer:test --help

Verify the binary starts and can establish database connectivity.


Non-blocking: Base image update from ubuntu:24.04 to ubuntu:26.04.

Why it matters: Ubuntu 26.04 LTS is a valid stable release (April 2026) with security support until 2031. However:

  1. Image size increase: ubuntu:26.04 base is ~39.63 MB vs ubuntu:24.04 at ~28.36 MB (~40% larger)
  2. Library compatibility: The binary compiled in the builder stage must be compatible with glibc and other system libraries in ubuntu:26.04
  3. Release maturity: At only 2 months old, some edge cases or third-party integrations may not be fully tested

Suggested fix: Before merging:

  1. Build the Docker image and run ldd /app/dwctl inside the container to verify all dynamic library dependencies resolve correctly
  2. Test the image in staging to confirm no runtime errors
  3. Consider documenting the rationale for this update (specific CVEs addressed, new features required, etc.) in the commit message or PR description


Non-blocking: Consider verifying that Ubuntu 26.04's support lifecycle matches your production requirements.

Why it matters: Ubuntu follows an LTS (Long Term Support) release pattern where LTS versions (like 24.04) receive 5 years of security updates, while interim releases (like 26.04) typically receive only 9 months of support. Since this is a production container, you'll need to ensure timely upgrades to stay supported.

According to Ubuntu's release policy, 26.04 "Plucky Puffin" is an interim release (April 2026), meaning it will reach end-of-life around January 2027. This requires either:

  1. Planning to upgrade to Ubuntu 26.10 when released, or
  2. Switching back to an LTS version (next would be 28.04 in April 2028)

Suggested fix: If long-term stability is preferred over having the latest base image, consider pinning to ubuntu:24.04 (LTS) until 28.04 is released. If you're comfortable with more frequent base image updates, this change is fine as-is.


Blocking: Upgrading to Ubuntu 26.04 LTS immediately after its GA release (April 2026) introduces unnecessary production risk without clear justification.

Why it matters: Ubuntu 26.04 was released only ~2 months ago. New LTS releases often have early-adopter bugs that are addressed in the first point release (.1). The current base (ubuntu:24.04) has standard security support until May 2029, so there's no urgency to upgrade. For production infrastructure, the conservative approach is to either (a) stay on the mature LTS until it nears EOL, or (b) wait for the first point release that addresses early bugs.

Suggested fix: Revert to FROM ubuntu:24.04 and revisit this upgrade after Ubuntu 26.04.1 is released. If there's a specific security vulnerability or feature requirement driving this change, document it in the PR description.


Blocking: Ubuntu 26.04 ("Resolute") is a non-LTS interim release, not a Long Term Support release.

Why it matters: Ubuntu LTS releases (like 24.04 Noble Numbat) receive 5 years of security updates and are designed for production/server workloads. Non-LTS releases only receive 9 months of support and are intended for desktop users wanting newer packages. Using a non-LTS base in production creates:

  • Frequent forced upgrades to stay secure
  • Less stability testing
  • Potential supply chain churn

Additionally, your CI runners use depot-ubuntu-24.04, creating a build/runtime environment mismatch.

Suggested fix: Revert to FROM ubuntu:24.04 or FROM ubuntu:noble (the current LTS). Add a comment documenting the LTS choice:

# Use LTS release for production stability (5-year support window)
FROM ubuntu:24.04

If there's a specific technical requirement for 26.04, please document it.


Blocking: Verify runtime library compatibility before merging.

Why it matters: Ubuntu 26.04 ships with newer versions of core libraries (glibc, libssl, etc.) compared to 24.04. While the Rust binary itself should be portable, the runtime dependencies installed in this layer (libxml2, curl, ca-certificates, tzdata) may have different versions or ABI characteristics. The base image also increased by ~11 MB (28 MB → 40 MB), which suggests meaningful underlying changes.

Without testing the actual container runtime behavior, there's risk of:

  • Missing or incompatible shared libraries that the binary indirectly depends on
  • Changed default behaviors in installed packages (e.g., certificate paths, timezone data formats)
  • Unexpected interaction with the onwards routing layer or outlet-postgres middleware if they have implicit OS assumptions

Suggested fix: Run a quick integration test:

# Build with new base image
docker build -t dwctl:test .
# Run smoke test
docker run --rm dwctl:test ./dwctl --help
# Verify health endpoint if possible
docker run --rm -p 3001:3001 dwctl:test &
curl http://localhost:3001/health

Alternatively, consider staying on ubuntu:24.04 until 26.04 has been validated in a staging environment, since 24.04 remains fully supported until 2029.


Non-blocking: Ubuntu 26.04 ("Resolute Reindeer") is a very recent LTS release (April 2026). While all required packages (libssl-dev 3.5.5, libxml2 2.15.2, ca-certificates, curl, tzdata) are confirmed available, this is bleeding-edge for production use.

Why it matters: New LTS releases may have undiscovered issues that only surface after extended production use. Ubuntu 24.04 has had ~2 years of stabilization, while 26.04 has limited real-world validation. That said, the security benefits of newer base images (updated packages, security patches) often outweigh this concern, and your CI security scan with Grype will catch any known vulnerabilities.

Suggested fix: No code change required. Monitor the vulnerability counts reported by the Grype security scan in CI (security-scan job in .github/workflows/ci.yaml:288-327) after merging. If critical/high counts increase significantly compared to 24.04 baseline, consider holding at 24.04 until 26.04 matures.


Non-blocking: Base image updated to Ubuntu 26.04 LTS.

Why it matters: Ubuntu 26.04 is a valid LTS release (April 2026) with security support through 2031. However, this is a relatively new release, and there could be unforeseen compatibility issues with:

  1. Runtime package versions (ca-certificates, curl, libxml2, tzdata) - though these are standard packages expected to work
  2. The glibc version in 26.04 vs what the binary was compiled against in the builder stage
  3. Any subtle behavioral changes in the OS that could affect the application

The ~11MB image size increase (39.63 MB vs 28.36 MB compressed) is a minor trade-off for staying current.

Suggested fix: Before merging, verify that:

  • The Docker build completes successfully with ubuntu:26.04
  • Smoke tests pass in a staging environment
  • No runtime errors appear related to missing libraries or incompatible glibc versions

If the project has automated Docker build + test pipelines, those should provide sufficient validation. If not, a quick manual verification would be prudent.


Blocking: glibc ABI compatibility risk between builder and runtime stages.

Why it matters: The builder stage uses lukemathwalker/cargo-chef:latest-rust-1.93.0-slim (Debian bookworm-based, glibc ~2.36) while this runtime stage uses Ubuntu 26.04 (glibc 2.43). Rust binaries compiled against an older glibc should generally work on newer glibc systems due to backward compatibility, but this is not guaranteed — especially if any dynamic linking occurs or if the builder pulls in libraries with newer glibc requirements.

If incompatible, the container will fail at runtime with errors like:

/usr/bin/dwctl: /lib/x86_64-linux-gnu/libc.so.6: version 'GLIBC_2.43' not found

Suggested fix: Either:

  1. Align builder and runtime bases: FROM ubuntu:26.04 AS chef for consistency
  2. Use fully static musl-linked binaries (x86_64-unknown-linux-musl target)
  3. At minimum: thoroughly test the built image to verify it starts and all system calls work correctly
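The glibc concerns raised in the comments above (the `ldd /app/dwctl` suggestion and the `GLIBC_2.43 not found` failure mode) can be turned into a check that CI gates on instead of a manual smoke test. The script below is an added example and is not code from the PR or from any of its reviewers: it takes the symbol table of a binary (as printed by `objdump -T`), extracts the highest `GLIBC_x.y` symbol version the binary requires, and compares it with the glibc version present in the runtime image. The sample symbol lines, the function names and the version numbers are constructed for this example; in real use the first input comes from `objdump -T /app/dwctl` run inside the built container and the second from `ldd --version` in the same container.

```shell
#!/usr/bin/env bash
# Added example (not part of the PR or its review comments): compare the
# highest GLIBC_x.y symbol version a binary requires against the glibc
# version shipped in the runtime image, so a builder/runtime mismatch is
# caught before the image is deployed. Inputs are constructed inline here.
set -eu

# Constructed sample of `objdump -T` output for a dynamically linked binary
# built on a glibc 2.36 builder (highest requirement: GLIBC_2.34).
SAMPLE_OBJDUMP='0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) memcpy
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34)  pthread_create
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.17)  clock_gettime
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.3.4) __printf_chk'

# Read objdump -T output on stdin and print the highest GLIBC_x.y referenced.
max_glibc_required() {
  # Pull the GLIBC_ tokens, drop the prefix, sort as versions, keep the last.
  grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' | sort -V | tail -n 1
}

# Succeed when the runtime glibc ($2) is at least the required version ($1).
glibc_satisfies() {
  required=$1
  runtime=$2
  # Whichever version sorts last is the newer one; equality also passes.
  highest=$(printf '%s\n%s\n' "$required" "$runtime" | sort -V | tail -n 1)
  [ "$highest" = "$runtime" ]
}

# Gate: $1 is the objdump -T text, $2 the runtime glibc version (e.g. 2.43).
check_binary_against_runtime() {
  required=$(printf '%s\n' "$1" | max_glibc_required)
  if glibc_satisfies "$required" "$2"; then
    printf 'ok: binary needs GLIBC_%s, runtime provides %s\n' "$required" "$2"
    return 0
  fi
  printf 'FAIL: binary needs GLIBC_%s, runtime only provides %s\n' \
    "$required" "$2" >&2
  return 1
}

# Stand-alone run: a binary from a 2.36 builder checked against a 2.43 runtime.
check_binary_against_runtime "$SAMPLE_OBJDUMP" 2.43
```

The direction of the comparison matters: the failure described in the comment above only occurs when the builder's glibc is newer than the runtime's, so the check flags `required > runtime` and accepts the bookworm-to-26.04 case as long as no dependency pulled in by the builder raises the requirement. Running it inside the container (rather than on the CI host) also avoids the host/image mismatch the runner comments describe.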


Non-blocking: Ubuntu 26.04 is a recent LTS release (April 2026) and represents a ~40% increase in base image size compared to 24.04 (39.63 MB vs 28.36 MB for amd64).

Why it matters: New LTS releases can have undiscovered bugs in the first few months. Additionally, the larger image size impacts pull times and storage costs, especially in CI/CD pipelines and multi-region deployments. Per Docker Hub data, ubuntu:24.04 images are still actively maintained (last pushed 16 days ago), so there's no urgency to upgrade for security reasons alone.

Suggested fix:

  1. Verify that Ubuntu 26.04 has passed your organization's production validation criteria (or add a comment documenting why this upgrade is needed).
  2. Consider pinning to a specific snapshot tag like ubuntu:26.04-20260509 for reproducibility instead of the floating 26.04 tag.
  3. If image size is a concern, investigate whether ubuntu:26.04-slim or a distroless alternative meets your runtime requirements.


Blocking: Base image version mismatch with CI runners.

Why it matters: The GitHub Actions workflows (release.yml:10, build-staging.yml:22) use depot-ubuntu-24.04 runners. When building this Docker image in CI, the build runs on Ubuntu 24.04 hosts but produces an image targeting Ubuntu 26.04. This creates a testing gap:

  1. The CI cannot validate that the compiled binary actually runs on Ubuntu 26.04 (glibc, libssl, and other system library versions differ between releases)
  2. Runtime dependencies installed via apt-get in the Docker build may behave differently than what the CI host provides
  3. Multi-platform builds for linux/arm64 may not be properly validated if the runner architecture doesn't match

This has caused production incidents in other repositories where binaries compiled against older glibc failed on newer Ubuntu releases, or vice versa.

Suggested fix: Update the CI runner labels to match the target base image:

  • .github/workflows/release.yml: Change runs-on: depot-ubuntu-24.04 to runs-on: depot-ubuntu-26.04
  • .github/workflows/build-staging.yml: Same change

If depot-ubuntu-26.04 runners are not yet available, either: (a) coordinate with Depot to provision them first, or (b) defer this base image update until they are.


Non-blocking: Consider staying on ubuntu:24.04 for production stability.

Why it matters: Ubuntu 26.04 LTS was released in April 2026, only 2 months ago. While it's the latest LTS, early adoption carries risks:

  1. Limited real-world testing: Fewer production deployments mean undiscovered bugs may exist
  2. Tooling compatibility: Some third-party tools or libraries may not yet be fully tested on 26.04
  3. No urgency: Ubuntu 24.04 LTS has standard security support until May 2029 (3+ years remaining)

The CI runners also use depot-ubuntu-24.04, so keeping the runtime aligned with the build environment reduces potential compatibility issues.

Suggested fix: Revert to FROM ubuntu:24.04 unless there's a specific requirement for 26.04. If upgrading is intentional, document the rationale in the PR description (e.g., specific package requirement, compliance need).


# Install runtime dependencies
RUN apt-get update && apt-get install -y \
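Review bot: the new `FROM ubuntu:26.04` line moves the runtime base to a floating tag with no digest, and the `RUN apt-get update && apt-get install -y \` layer that follows installs its packages unpinned as well, so the image is not reproducible and the package-naming concern raised in this thread (libxml2 versus libxml2-16 on the new release) cannot be caught at review time, only at build time. Suggest pinning the base by digest, e.g. `FROM ubuntu:26.04@sha256:<digest-placeholder>`, adding `--no-install-recommends` to the install so the runtime layer does not grow with optional packages, and adding a short comment above the `FROM` line recording why the base moved off 24.04, since several reviewers ask for that rationale.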