apache · janhoy · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026 · janhoy
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -4,9 +4,19 @@
   "enabled": true,
   "gitIgnoredAuthors": ["renovate-bot <renovate-bot@noreply.github.com>"],
   "dependencyDashboard": false,
-  "enabledManagers": ["gradle", "github-actions"],
+  "enabledManagers": ["gradle", "github-actions", "regex"],
   "labels": ["exempt-stale"],
-  "includePaths": ["gradle/libs.versions.toml", "versions.*", "build.gradle", ".github/workflows/*"],
+  "includePaths": ["gradle/libs.versions.toml", "versions.*", "build.gradle", ".github/workflows/*", "solr/docker/templates/Dockerfile.body.template"],
+  "customManagers": [
+    {
+      "description": "Track gosu GitHub releases and update ARG GOSU_VERSION in Dockerfile template",
+      "customType": "regex",
+      "fileMatch": ["^solr/docker/templates/Dockerfile\\.body\\.template$"],
+      "matchStrings": ["ARG GOSU_VERSION=(?<currentValue>[^\\s]+)"],
+      "depNameTemplate": "tianon/gosu",
+      "datasourceTemplate": "github-releases"
+    }
+  ],
   "postUpgradeTasks": {
     "commands": [
       "./gradlew resolveAndLockAll --write-locks",

diff --git a/changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml b/changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml
@@ -0,0 +1,8 @@
+title: Bump gosu binary to v1.19 in docker images
+type: dependency_update
+authors:
+  - name: Jan Høydahl
+    url: https://home.apache.org/phonebook.html?uid=janhoy
+links:
+  - name: SOLR-17353
+    url: https://issues.apache.org/jira/browse/SOLR-17353
diff --git a/solr/docker/templates/Dockerfile.body.template b/solr/docker/templates/Dockerfile.body.template
@@ -48,6 +48,26 @@ ENV SOLR_USER="solr" \
     SOLR_HOST_BIND="0.0.0.0" \
     SOLR_ZOOKEEPER_EMBEDDED_HOST="0.0.0.0"
 
+ARG GOSU_VERSION=1.19
+RUN set -eux; \
+    apt-get update; \
+    apt-get -y --no-install-recommends install curl acl lsof procps wget netcat-openbsd tini jattach gpg gnupg dirmngr; \
+    rm -rf /var/lib/apt/lists/*; \
+    dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+    wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}"; \
+    wget -O /tmp/gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc"; \
+    export GNUPGHOME="$(mktemp -d)"; \
+    chmod 700 "$GNUPGHOME"; \
+    gpg --batch --keyserver hkps://keys.openpgp.org \
+        --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+    gpg --batch --verify /tmp/gosu.asc /usr/local/bin/gosu; \
+    gpgconf --kill gpg-agent; \
+    rm -rf "$GNUPGHOME" /tmp/gosu.asc; \
+    chmod +x /usr/local/bin/gosu; \
+    gosu --version; \
+    gosu nobody true; \
+    apt-get -y remove gpg dirmngr && apt-get -y autoremove
+
 RUN set -ex; \
   groupadd -r --gid "$SOLR_GID" "$SOLR_GROUP"; \
   useradd -r --uid "$SOLR_UID" --gid "$SOLR_GID" "$SOLR_USER"
@@ -67,11 +87,6 @@ RUN set -ex; \
   mkdir -p -m0770 /var/solr; \
   chown -R "$SOLR_USER:0" /var/solr;
 
-RUN set -ex; \
-    apt-get update; \
-    apt-get -y --no-install-recommends install curl acl lsof procps wget netcat-openbsd gosu tini jattach; \
-    rm -rf /var/lib/apt/lists/*;
-
 VOLUME /var/solr
 EXPOSE 8983
 WORKDIR /opt/solr