Docker images should rebuild periodically to pull in OS security updates #962

Closed
opened 2026-02-06 20:18:54 +03:00 by OVERLORD · 17 comments

Originally created by @nevado on GitHub (Oct 7, 2019).

Describe the bug
Docker stable images are only built once at release time, and there can be several weeks / months between releases. In this time the underlying OS will receive security updates which won't get applied.

E.g. the 10.3.7 image has 40 outstanding security updates accumulated by the time of the 10.4.0 release.

To Reproduce

  1. Install jellyfin:latest (or jellyfin:10.3.7 to see straight away)
  2. Wait
  3. Manually check for OS updates in the Jellyfin docker w/ e.g. apt update; apt full-upgrade.

Expected behavior
Ideally the jellyfin:latest image would automatically rebuild the unchanged Jellyfin stable release onto the latest OS images periodically, say weekly or fortnightly, to pull in security fixes and build them into the latest docker image.

Logs
n/a

Screenshots
n/a

System (please complete the following information):

  • OS: Docker

Additional context
n/a

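A concrete version of the "wait, then check for OS updates" step above, as an added example that is not part of this issue or of the Jellyfin project: it parses the simulated upgrade list that `apt-get -s full-upgrade` prints inside the container, counts the packages that come from the security archive, and turns that into a rebuild decision a scheduled CI job could act on. The origin pattern, the threshold and the sample apt output are assumptions (Debian-family base image, placeholder versions).

```shell
#!/bin/sh
# Added example, not code from the Jellyfin project: parse the output of
# `apt-get -s full-upgrade` and decide whether an image is overdue for a
# rebuild. Assumes a Debian-family base image, where apt labels packages from
# the security archive with an origin such as "Debian-Security:9/stable" or a
# "<suite>-security" pocket (assumption, adjust the pattern for other distros).
#
# Real use inside the container (needs root and network access):
#   apt-get update -qq && apt-get -s full-upgrade | needs_rebuild && echo rebuild
#
# apt-get -s prints one line per package it would upgrade, of the form
#   Inst <pkg> [<old-version>] (<new-version> <origin>:<suite> [<arch>])

SECURITY_ORIGIN_RE='(Debian-Security|-security)'

# Number of simulated upgrades that come from the security archive.
# grep -c exits 1 when the count is 0, so mask that for callers using set -e.
count_security_updates() {
    grep -Ec "^Inst .*$SECURITY_ORIGIN_RE" || true
}

# Number of all simulated upgrades, security-related or not.
count_all_updates() {
    grep -c '^Inst ' || true
}

# Package names of the security upgrades, one per line, for the build log.
list_security_updates() {
    awk -v re="^Inst .*$SECURITY_ORIGIN_RE" '$0 ~ re { print $2 }'
}

# Exit 0 when at least $1 (default 1) security updates are pending, 1 otherwise.
# Reads the apt output on stdin.
needs_rebuild() {
    threshold="${1:-1}"
    n="$(count_security_updates)"
    [ "$n" -ge "$threshold" ]
}

# Constructed sample of `apt-get -s full-upgrade` output; package versions are
# placeholders, not a real capture from a jellyfin image.
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be upgraded:
  libc6 libssl1.1 tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libc6 [1.0-1] (1.0-1+deb9u1 Debian-Security:9/stable [amd64])
Inst libssl1.1 [2.0-1] (2.0-1+deb9u1 Debian-Security:9/stable [amd64])
Inst tzdata [2019a-1] (2019c-1 Debian:9.11/stable [all])
Conf libc6 (1.0-1+deb9u1 Debian-Security:9/stable [amd64])
Conf libssl1.1 (2.0-1+deb9u1 Debian-Security:9/stable [amd64])
Conf tzdata (2019c-1 Debian:9.11/stable [all])
'

main() {
    n="$(printf '%s' "$SAMPLE_APT_OUTPUT" | count_security_updates)"
    total="$(printf '%s' "$SAMPLE_APT_OUTPUT" | count_all_updates)"
    echo "$n of $total pending upgrades come from the security archive:"
    printf '%s' "$SAMPLE_APT_OUTPUT" | list_security_updates | sed 's/^/  /'
    if printf '%s' "$SAMPLE_APT_OUTPUT" | needs_rebuild; then
        echo "security updates pending: rebuild the image"
    else
        echo "image is current"
    fi
}

main
```

Run against the published image from a scheduled job and the count gives a measurable signal for when to rebuild, instead of a fixed weekly cadence.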
OVERLORD added the backend, bug, stale labels 2026-02-06 20:18:54 +03:00

@agilob commented on GitHub (Oct 7, 2019):

This will make docker images less reproducible and it assumes you make new docker-image releases not linked to new versions of the content delivered.

`jellyfin:latest`: this isn't the goal of the `latest` tag. I think you mean something more specific like `latest-stable-rebuild-from-alpine` or `latest-stable-rebuild-from-stretch`; people would start wondering why their `latest-stable-rebuild-from-alpine` is different from your `latest-stable-rebuild-from-alpine`, as not everyone pulls a new version of the same tag on a schedule.

> 10.3.7 image has 40 outstanding security updates accumulated by the time of the 10.4.0

That's not really an issue for jellyfin to investigate, rather for baseimage repo.

I don't think delivery pipeline of jellyfin should care about bugs in glibc in debian/alpine. Time should be rather invested into not implementing bugs and vulnerabilities in jellyfin.

It would be also good to know what vulns these are, because unless they are remote-DoS on inside-docker level or RCE in ffmpeg, it's pretty much not even worth to build new image for some double-free error in a library that's just in the docker, but never used.


@joshuaboniface commented on GitHub (Oct 7, 2019):

This right here is frankly why I hate containers as a distribution mechanism. There is zero easy solution to this problem except to constantly rebuild the image over and over again. It might be possible to set up some sort of automated process to do so, but that adds a bunch of load and potential issues to the build infrastructure.


@nevado commented on GitHub (Oct 7, 2019):

No idea what the vulns are, that's the point, at some point there will be a vuln that does affect an internet facing Jellyfin setup so it would be best practice to just keep rebuilding the image periodically. It's crap but that's how docker works :-)

If anyone did want to look at this, I was thinking along the lines of the linuxserver.io dockers which rebuild periodically using a new tag, then :latest and :version get pointed at the latest stable up to date image of that version. See https://github.com/linuxserver/docker-jellyfin/tags. Users then pick up security updates when they update or they could use a specific build.

Agree lots of work and not high priority, just a wishlist item for future so feel free to close if it's not going to happen.


@agilob commented on GitHub (Oct 7, 2019):

> No idea what the vulns are

Please close this issue then, it's not an issue or is lacking many details that would make this an issue ;)

> No idea what the vulns are, that's the point, at some point there will be a vuln that does affect an internet

Sure, that's just inevitable, not only for jellyfin scale, but for the whole internet.

> It's crap but that's how docker works :-)

Well... but yea, docker isn't designed to solve these problems. What you want is vagrant or VBOX; docker is intended for microservices, where a docker image weighs 20Mb, not 550Mb. Docker images are intended to scale horizontally, not for massive services like jellyfin, so of course if you use a shovel to clean your head you're gonna hit yourself at some point.

> the linuxserver.io dockers which rebuild periodically using a new tag, then :latest and :version get pointed at the latest stable up to date image of that version

Exactly! Why even bother duplicating the work if someone else already is committed to this?

I only used the latest jellyfin for a few minutes and already found a few bugs in webui, so maybe it would be better to commit this time to test, code review and fix old bugs? ;)

// no sarcasm intended.


@nevado commented on GitHub (Oct 7, 2019):

Not really looking to debate pros and cons of Docker here...

Facts are:

  • there is an official Jellyfin provided Docker image
  • people do use it
  • it doesn't pick up security fixes because it doesn't get rebuilt against newer base images
  • those vulnerabilities could affect Jellyfin
  • this issue is merely a suggestion to improve the Jellyfin official Docker build by rebuilding periodically against newer base images and pulling in fixes to those vulnerabilities.

If you found other bugs, want to suggest a VBOX build, or you think no one should put effort into the official Jellyfin Docker build because there are other Jellyfin Docker builds out there, it might be more constructive to raise separate issues to discuss those.


@stale[bot] commented on GitHub (Feb 5, 2020):

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.
If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or nightlies, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.
This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.


@Xalaxis commented on GitHub (Feb 5, 2020):

I still think this is a valid issue. (Removing Stale)


@stale[bot] commented on GitHub (Jun 5, 2020):

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.
If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or nightlies, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.
This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.


@Xalaxis commented on GitHub (Jun 10, 2020):

Still a valid suggestion.


@stale[bot] commented on GitHub (Oct 9, 2020):

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.
If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or nightlies, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.
This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.


@Xalaxis commented on GitHub (Oct 9, 2020):

As far as I know this still isn't happening


@stale[bot] commented on GitHub (Feb 7, 2021):

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.
If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or nightlies, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.
This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.


@Xalaxis commented on GitHub (Feb 7, 2021):

In GitHub actions, this is as simple as adding a schedule parameter to the build configuration, so I think perhaps the complexity of doing this has been overstated.


@stale[bot] commented on GitHub (Jun 9, 2021):

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.
If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or nightlies, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.
This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.


@Xalaxis commented on GitHub (Jun 18, 2021):

This is still a good idea.


@jellyfin-bot commented on GitHub (Oct 24, 2023):

This issue has gone 120 days without an update and will be closed within 21 days if there is no new activity. To prevent this issue from being closed, please confirm the issue has not already been fixed by providing updated examples or logs.

If you have any questions you can use one of several ways to contact us.


@jellyfin-bot commented on GitHub (Nov 14, 2023):

This issue was closed due to inactivity.

Reference: starred/jellyfin#962