Update with docker-compose for "Unplanned security update (3.6 / 3.5)"


  • Used Zammad version: 3.6.0-20
  • Used Zammad installation source: docker-compose
  • Operating system: Debian 10.8 (for the host)
  • Browser + version: Firefox 87.0 (64-bit)

Expected behavior:

Actual behavior:

  • Still get reported by docker ps that the version is 3.6.0-20

Steps to reproduce the behavior:

  • docker-compose stop
  • git pull
  • docker-compose pull
  • docker-compose start

Hello, I’ve seen the pinned announcement (Alert: Unplanned security update! (3.6 / 3.5)) and decided I would like to patch our running system for the security vulnerability.

As you can see within the template, I have followed the steps exactly the way I used to update our system before. But this time the docker images seem to have stayed at the same version.

With git pull it seems to have pulled the latest commit 6ddc9262ed4b5fbf884e153e3de3e9a3406a487c, but I guess the docker images aren’t updated, even though docker-compose pull did re-download and took a while.

I am aware that the documentation for updating with Docker Compose notes:

🙀 Incomplete documentation

Sorry, but this documentation part is outdated. We will rework this part later, but can’t tell when yet.

Please feel welcome to provide a pull request if you find spare time!

but I’m kind of lost on what the reason could be. So if anyone has had any experience with this and would be able to point towards the direction I should be looking, it would be much appreciated.

Thank you very much!

Okay I was a tired idiot and did docker-compose start instead of docker-compose up and of course the old images were used.

But the update still failed to work for 3.6.0-67; quick skimming through the logs suggests something to do with elasticsearch. Probably removing the volume and letting it rebuild with the new version is going to solve it, but sounds like something to work on NOT during a Friday evening.

Switched back to the git branch that I kept for production with 3.6.0-20 and brought it back online as it was for the time being.

Will report back here next week when I manage to figure out what exactly was failing with the new version. Could be helpful for others who run into similar issues updating from 3.6.0-20 to 3.6.0-67.
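
A check for the situation described in the post above, as an added example that is not part of the original thread: after `docker-compose pull`, it compares the image ID each container was created from with the ID its image tag now resolves to, so containers left on old images by `docker-compose start` stand out. The container names and image IDs in the sample are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find containers that still run an
# image older than the one their tag points to after `docker-compose pull`.

# Reads "name running_image_id tagged_image_id" lines on stdin and prints
# the names whose running image differs from the freshly pulled one.
find_stale() {
  while read -r name running tagged || [ -n "$name" ]; do
    [ -z "$name" ] && continue
    if [ "$running" != "$tagged" ]; then
      printf '%s\n' "$name"
    fi
    name=""
  done
}

# Builds those lines for the compose project in the current directory.
# Requires Docker; run from the directory holding docker-compose.yml.
collect_image_ids() {
  for cid in $(docker-compose ps -q); do
    name=$(docker inspect --format '{{.Name}}' "$cid")
    ref=$(docker inspect --format '{{.Config.Image}}' "$cid")
    # Image ID the container was created from.
    running=$(docker inspect --format '{{.Image}}' "$cid")
    # Image ID the tag resolves to now, i.e. after the pull.
    tagged=$(docker image inspect --format '{{.Id}}' "$ref")
    printf '%s %s %s\n' "${name#/}" "$running" "$tagged"
  done
}

# Constructed sample: the railsserver container was only restarted with
# `start`, so it is still on the old image; nginx was recreated.
SAMPLE='zammad_railsserver sha256:aaaa sha256:bbbb
zammad_nginx sha256:cccc sha256:cccc'

printf '%s\n' "$SAMPLE" | find_stale

# On a live host: collect_image_ids | find_stale
```

Any name printed is a container that has to be recreated (for example with `docker-compose up -d`) before the pulled update takes effect.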

Upgrading to 3.6.0-67 failed for me as well because of issues with nginx and elasticsearch.
However, going straight to 4.0.0-7 has worked like a charm and fixed my issues.

Just make sure that you take notice that the nginx ports have changed because running the process as a non-root user will not allow you to bind to port 80.
