In short:
Application images advance from 2764 to 2868
Keycloak jumps from 21 to 26
Several converter services are added, others are removed (old container names go away)
Before you upgrade
Maintenance window: expect image pulls and container recreates.
Keycloak major upgrade: might break themes and IdP integrations (the first start after the image change can take noticeably longer than usual).
Backups: snapshot or back up the server according to your policies before changing the running stack.
How to run the upgrade
Back up the system
Go into the folder: cd /opt/phonemos-linux
Execute git pull
Run sudo ./update-phonemos.sh --apply
Check that the application is running again using docker ps; all containers should be healthy (this will take at least 5 minutes)
Open the Phonemos instance in the browser and check the version in the “About” dialog. It must be 2898.
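The docker ps check in the steps above can be scripted. The following is an added example, not part of the Phonemos tooling: it classifies the Status column of docker ps -a, treating a one-shot service that exited with code 0 as finished rather than failed. The function names and the container names in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-upgrade container state check.
# Container names in sample_ps_output are constructed, not Phonemos' real names.

# Map the Status column of `docker ps -a` to a coarse state.
classify_status() {
    case "$1" in
        *"(healthy)"*)          echo ok ;;
        *"(health: starting)"*) echo starting ;;
        *"(unhealthy)"*)        echo unhealthy ;;
        "Exited (0)"*)          echo completed ;;  # one-shot wait services end here
        Exited*|Restarting*|Dead*|Created*) echo failed ;;
        Up*)                    echo no-healthcheck ;;
        *)                      echo unknown ;;
    esac
}

# Read "<name><TAB><status>" lines on stdin; print "<state> <name>" for every
# container that is neither ok nor completed. Returns 1 if anything was printed.
report_problems() {
    rc=0
    tab=$(printf '\t')
    while IFS="$tab" read -r name status; do
        [ -n "$name" ] || continue
        state=$(classify_status "$status")
        case "$state" in
            ok|completed) ;;
            *) printf '%s %s\n' "$state" "$name"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample in the shape of:
#   docker ps -a --format '{{.Names}}\t{{.Status}}'
sample_ps_output() {
    printf '%s\t%s\n' \
        app-db-1      'Up 6 minutes (healthy)' \
        wait-for-db-1 'Exited (0) 6 minutes ago' \
        keycloak-1    'Up 40 seconds (health: starting)' \
        hasura-1      'Up 2 minutes (unhealthy)' \
        converter-1   'Exited (137) 1 minute ago'
}

# On the server: docker ps -a --format '{{.Names}}\t{{.Status}}' | report_problems
```

A "starting" result within the first minutes is expected; rerun the check until it prints nothing.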
Details
Detailed technical changes (see Phonemos Release 2026.03 for functional changes):
Keycloak Upgrade
Keycloak is upgraded to 26.5.6, parameters are changed accordingly (KC_HOSTNAME from your app Keycloak base, KC_HTTP_ENABLED, KC_PROXY_HEADERS)
Application stack and converters
| Topic | Change |
|---|---|
| Hasura startup | Two one-shot wait services run before Hasura: database reachable (pg_isready) and Keycloak JWKS over HTTPS (TLS verified). Hasura’s healthcheck allows a longer initial period so heavy migrations can finish without false “unhealthy” flapping. |
| Redis | Redis has a healthcheck; pandoc and converters start only after Redis is healthy, which stabilizes startup order. |
| Converter services | Draw.io and BPMN converter containers are replaced by PlantUML, LaTeX, and browser-widget-renderer. Any custom overlay under /etc/phonemos/app/overlay.yaml that referenced the old service names is pruned/aligned during upgrade; review the file after upgrade if you had deep customizations. |
| Healthchecks | Several converters use a small http-healthcheck.sh helper where the image may not include curl. |
TLS and certificates
New regenerate-certs.sh (run as root): refreshes or resyncs TLS material and can rebuild host / Java trust for the Phonemos keystore. This is useful after manual cert changes or a broken trust store. See the script's --help / usage in the file header.
Configuration and observability defaults
Off-site Sentry is disabled by default