New Firebird Docker Images

67 views
Skip to first unread message

F. D. Castel

unread,
Apr 27, 2026, 10:46:00 PM (8 days ago) Apr 27
to firebird-general
New Firebird Docker Images

The official firebirdsql/firebird Docker images have just shipped a major overhaul.

TL;DR
  • Daily pre-release snapshots: firebirdsql/firebird:6-snapshot and 5-snapshot, rebuilt every 24 hours from the upstream Firebird source branches.
  • Debian Trixie (13) is now the default base image; Bookworm, Bullseye, Jammy, and Noble are still available.
  • New Firebird patch releases packaged: 5.0.4, 4.0.7, 3.0.14.
  • Consistent tag scheme — every image has a <version>-<distro> tag so you can pin precisely.
  • Cleaner registry — multi-arch images are assembled by digest, so you no longer see -amd64 / -arm64 staging tags on Docker Hub.
What’s New Daily Snapshot Images

The project now also tracks Firebird’s in-development branches:

docker pull firebirdsql/firebird:6-snapshot # built daily from master (Firebird 6) docker pull firebirdsql/firebird:5-snapshot # built daily from v5.0-release

Snapshots are rebuilt every day at 06:00 UTC. They are also published with a distro-qualified form (6-snapshot-trixie) so you can tell which base they were built on.

These tags are explicitly unstable — they follow the tip of a development branch and can break without notice. They exist for testing and early feedback, not production.

Debian Trixie Default + Expanded Distro Matrix

Bare tags (latest, 5, 5.0.4, …) now resolve to the Debian Trixie (13) variant. Trixie is the current Debian stable and ships newer system libraries (libicu76, OpenSSL 3.x, glibc 2.41) that match what you’d get from a fresh deployment on any other modern base.

Distro Base image Firebird 3 Firebird 4 Firebird 5 Trixie (default) debian:trixie-slim Bookworm debian:bookworm-slim Bullseye debian:bullseye-slim Jammy ubuntu:jammy Noble ubuntu:noble

Firebird 3 is not built on Trixie or Noble because it still depends on libncurses5, which those releases dropped.

If you want to stay on the previous default, pin to the -bookworm form:

docker pull firebirdsql/firebird:5-bookworm docker pull firebirdsql/firebird:latest-bookworm Consistent Tag Scheme

Every image now has a deterministic full tag of the form <version>-<distro> (e.g. 5.0.4-trixie, 4.0.7-jammy), plus shorter aliases for the latest-of-major and latest-overall:

  • 5.0.4-trixie, 5.0.4-bookworm, 5.0.4-bullseye, 5.0.4-jammy, 5.0.4-noble — fully qualified (immutable within a release)
  • 5-trixie, 5-bookworm, … — latest 5.x on that distro
  • trixie, bookworm, … — latest overall on that distro
  • 5.0.4, 5, latest — latest overall on the default distro (Trixie)

The full per-variant list is in the README.

New Firebird Patch Releases

5.0.4, 4.0.7, and 3.0.14 are included in the initial v2 push. New Firebird releases now get picked up automatically by a small release-discovery script driven by the PSFirebird module and the official FirebirdSQL/firebird GitHub releases — no more hand-edited URL + SHA-256 lists.

Under the Hood

You don’t need to know any of this to use the images, but a few details are worth mentioning because they change behavior in subtle ways.

tini as PID 1

Containers now use tini as PID 1 with ENTRYPOINT ["tini", "--"]. This fixes proper signal forwarding and zombie reaping — specifically, docker stop will now reliably deliver SIGTERM to fbguard/firebird for a graceful shutdown. STOPSIGNAL SIGTERM is set explicitly.

Hardened Entrypoint

Passwords containing single quotes (e.g. it's_me) used to break or even risk SQL injection when passed via FIREBIRD_ROOT_PASSWORD / FIREBIRD_PASSWORD. The entrypoint now properly escapes quoted values before they touch SQL.

The _FILE variants (FIREBIRD_ROOT_PASSWORD_FILE, FIREBIRD_PASSWORD_FILE, FIREBIRD_DATABASE_PASSWORD_FILE) are supported for Docker/Kubernetes secrets, and the test suite now covers both the direct and _FILE paths plus mutual-exclusion between them.

Digest-Based Multi-Arch Assembly

Previous multi-arch publishes left <tag>-amd64 and <tag>-arm64 staging tags visible in the registry. v2 uses docker buildx with push-by-digest=true and assembles the final manifest via buildx imagetools create — the same pattern the postgres, nginx, and redis official images use. Docker Hub now shows only the user-facing tags. Thanks to @asfernandes for pushing for this direction.

Single Dockerfile Template

The four per-distro Dockerfile templates have been replaced with one parameterized src/Dockerfile.template. Distro differences (base image, ICU package, extra packages) are declared once in assets.json. Contributing a new distro is now a config change, not a template duplication.

Upgrading from v1

Most users need to do nothing. If you pull by a fully-qualified tag (5.0.3-bookworm, 4.0.6-jammy, …) you get the same image you had before.

Watch out if you pull by a bare tag:

  • firebirdsql/firebird:latest, firebirdsql/firebird:5, firebirdsql/firebird:5.0.4 — these now resolve to the Trixie variant instead of Bookworm.
    • Trixie is Debian stable, so the switch is safe for most deployments, but if you have infrastructure that depends on a specific glibc / libicu version, pin to -bookworm to stay put.
  • firebirdsql/firebird:bookworm, firebirdsql/firebird:5-bookworm, etc. — unchanged.

There are no breaking changes inside the container: the Firebird binaries, data directory (/var/lib/firebird), ports, and environment variables are the same.

Feedback

Issues, questions, and success stories (especially ARM64 reports from Apple Silicon and Graviton users) are welcome at:

github.com/FirebirdSQL/firebird-docker/issues

Thanks to everyone who tested the pre-release builds — your reports shaped this release.

Reply all
Reply to author
Forward
0 new messages