From 9b1cc94c9a0ed90075d8436cb4d7016f5433739f Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Tue, 21 Apr 2026 11:44:44 +0200
Subject: [PATCH 1/7] chore: update ubi to version 10
---
stackable-base/Dockerfile | 18 ++++++++++++------
stackable-devel/Dockerfile | 16 +++++++++++-----
2 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/stackable-base/Dockerfile b/stackable-base/Dockerfile
index 7de424ea3..9f781fa3a 100644
--- a/stackable-base/Dockerfile
+++ b/stackable-base/Dockerfile
@@ -35,13 +35,19 @@ cd /secret-operator cargo auditable --quiet build --release --package cert-tools && cargo cyclonedx --all --spec-version 1.5 --describe binaries EOF -# Find the latest version at https://catalog.redhat.com/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5?container-tabs=gti +# Find the latest version at https://catalog.redhat.com +# Use the search to find the image you are interested in because navigating the catalog folders is impossible. +# # IMPORTANT: Make sure to use the "Manifest List Digest" that references the images for multiple architectures # rather than just the "Image Digest" that references the image for the selected architecture. -# The website is broken, so you can use this to find it: -# curl https://catalog.redhat.com/en/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5 \ -# | grep -oE 'registry.redhat.io/ubi9/ubi-minimal@sha256:[a-z0-9]{64}' -FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS builder +# +# The website is awful/broken, so you can use one of the following tools to find it: +# +# docker buildx imagetools inspect registry.redhat.io/ubi10/ubi-minimal --format '{{json .Manifest.Digest}}' +# # or +# skopeo inspect --format '{{.Digest}}' docker://registry.redhat.io/ubi10/ubi-minimal +# +FROM registry.redhat.io/ubi10/ubi-minimal@sha256:8935d83eadb5c9f621c13f4dfab7e1bbd8d948317dc67157279911ede1013112 # intentionally unused ARG PRODUCT_VERSION 
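Review bot: The new `FROM ...@sha256:8935d83e...` pin carries no record of which published tag or release the digest was resolved from, and the documented lookup commands resolve whatever the default tag points at on the day they are run, so a reviewer of a later digest bump cannot tell what was actually pinned. Add a comment beside the pin such as `# ubi10/ubi-minimal TAG_PLACEHOLDER, manifest list digest resolved DATE_PLACEHOLDER`. The same applies to the identical hunk in `stackable-devel/Dockerfile`. Both hunks also drop the `AS builder` stage name from the old line; if any instruction outside these hunks still refers to that stage by name, the build will break.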
@@ -158,7 +164,7 @@ chown ${STACKABLE_USER_UID}:0 /stackable/.curlrc # CVE-2023-37920: Remove "e-Tugra" root certificates # e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems # Until they are removed by default from ca-certificates, we should remove them manually -EXPECTED_CERTS_PACKAGE="ca-certificates-2025.2.80_v9.0.305-91.el9.noarch" +EXPECTED_CERTS_PACKAGE="ca-certificates-2025.2.80_v9.0.305-102.el10_1.noarch" ACTUAL_CERTS_PACKAGE="$(rpm -qa ca-certificates)" if [ "$ACTUAL_CERTS_PACKAGE" != "$EXPECTED_CERTS_PACKAGE" ]; then echo "The ca-certificates package was updated to $ACTUAL_CERTS_PACKAGE. Please check if the e-Tugra root certificates are present. \ diff --git a/stackable-devel/Dockerfile b/stackable-devel/Dockerfile index cdec8f426..fd3c4a6b5 100644 --- a/stackable-devel/Dockerfile +++ b/stackable-devel/Dockerfile 
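Review bot: Bumping `EXPECTED_CERTS_PACKAGE` to the el10 build makes the guard pass again without recording that the e-Tugra roots were actually checked in the UBI 10 trust bundle, which is the only reason the comparison exists. Confirm against the new base image whether those roots are still shipped and note the result next to the pin, for example `# checked DATE_PLACEHOLDER: e-Tugra roots present/absent in this package build`. The removal step itself lies outside this hunk, so whether its file names and paths still match the UBI 10 layout cannot be confirmed from here.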
@@ -8,13 +8,19 @@ # Use `stackable-base` as a base for the final image stage instead # -# Find the latest version at https://catalog.redhat.com/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5?container-tabs=gti +# Find the latest version at https://catalog.redhat.com +# Use the search to find the image you are interested in because navigating the catalog folders is impossible. +# # IMPORTANT: Make sure to use the "Manifest List Digest" that references the images for multiple architectures # rather than just the "Image Digest" that references the image for the selected architecture. -# The website is broken, so you can use this to find it: -# curl https://catalog.redhat.com/en/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5 \ -# | grep -oE 'registry.redhat.io/ubi9/ubi-minimal@sha256:[a-z0-9]{64}' -FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS builder +# +# The website is awful/broken, so you can use one of the following tools to find it: +# +# docker buildx imagetools inspect registry.redhat.io/ubi10/ubi-minimal --format '{{json .Manifest.Digest}}' +# # or +# skopeo inspect --format '{{.Digest}}' docker://registry.redhat.io/ubi10/ubi-minimal +# +FROM registry.redhat.io/ubi10/ubi-minimal@sha256:8935d83eadb5c9f621c13f4dfab7e1bbd8d948317dc67157279911ede1013112 # intentionally unused ARG PRODUCT_VERSION From f569bc3bdbb0be2af693758b7366ff193350bf74 Mon Sep 17 00:00:00 2001 
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 22 Apr 2026 16:29:46 +0200
Subject: [PATCH 2/7] Squash merge chore/boost-from-source into feat/ubi10-hadoop
---
.scripts/upload_new_boost_version.sh | 59 ++++++++++++++++++++++++++++
CHANGELOG.md | 3 ++
hadoop/Dockerfile | 16 ++++++--
hadoop/boost/Dockerfile | 40 +++++++++++++++++++
hadoop/boost/boil-config.toml | 5 +++
hadoop/hadoop/Dockerfile | 15 ++++---
hadoop/hadoop/boil-config.toml | 2 +
7 files changed, 132 insertions(+), 8 deletions(-)
create mode 100755 .scripts/upload_new_boost_version.sh
create mode 100644 hadoop/boost/Dockerfile
create mode 100644 hadoop/boost/boil-config.toml
diff --git a/.scripts/upload_new_boost_version.sh b/.scripts/upload_new_boost_version.sh
new file mode 100755
index 000000000..200299691
--- /dev/null
+++ b/.scripts/upload_new_boost_version.sh
@@ -0,0 +1,59 @@ +#!/usr/bin/env bash +# This script mirrors the boostorg/boost source bundle for the given version to Nexus. +# The boost source bundle is architecture independent. +# It contains it's own build system (b2) which is also built from source before building boost itself, so we don't need to worry about architecture specific builds. +# This artifact is used by the hadoop/boost local image. + + +set -euo pipefail + +VERSION=${1:?"Missing version number argument (arg 1)"} +NEXUS_USER=${2:?"Missing Nexus username argument (arg 2)"} + +read -r -s -p "Nexus Password: " NEXUS_PASSWORD +echo "" + +# https://stackoverflow.com/questions/4632028/how-to-create-a-temporary-directory +# Find the directory name of the script +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +# the temp directory used, within $DIR +WORK_DIR=$(mktemp -d -p "$DIR") + +# check if tmp dir was created +if [[ ! "$WORK_DIR" || ! -d "$WORK_DIR" ]]; then + echo "Could not create temp dir" + exit 1 +fi + +# deletes the temp directory +function cleanup { + rm -rf "$WORK_DIR" +} + +# register the cleanup function to be called on the EXIT signal +trap cleanup EXIT + +cd "$WORK_DIR" || exit + +# boost does not currently publish signatures or SBOMs +BOOST_UNDERSCORE="$(echo "${VERSION}" | tr '.' '_')" +BOOST_TARBALL="boost_${BOOST_UNDERSCORE}.tar.bz2" +DOWNLOAD_URL="https://archives.boost.io/release/$VERSION/source/$BOOST_TARBALL" + +echo "Downloading boost" +if ! curl --fail -Ls -O "$DOWNLOAD_URL"; then + echo "Failed to download from $DOWNLOAD_URL" + exit 1 +fi + +FILE_NAME=$(basename "$DOWNLOAD_URL") + +echo "Uploading boost to Nexus" +if ! 
curl --fail -o /dev/null --progress-bar -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "$FILE_NAME" 'https://repo.stackable.tech/repository/packages/boost/'; then + echo "Failed to upload boost to Nexus" + exit 1 +fi + +echo "Successfully uploaded new version of boost ($VERSION) to Nexus" +echo "https://repo.stackable.tech/service/rest/repository/browse/packages/boost/" diff --git a/CHANGELOG.md b/CHANGELOG.md index 7fa86a1e2..c87288d73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ All notable changes to this project will be documented in this file. ### Changed - hbase: Update `hbase-opa-authorizer` from `0.1.0` to `0.2.0` and then `0.3.0` ([#1446], [#1454]). +- hadoop: Build the boost library from source instead of installing the EPEL package ([#1475]). + This is a requirement for the adoption of UBI 10 as base image because the package is not available there. ### Fixed @@ -25,6 +27,7 @@ All notable changes to this project will be documented in this file. [#1463]: https://github.com/stackabletech/docker-images/pull/1463 [#1466]: https://github.com/stackabletech/docker-images/pull/1466 [#1474]: https://github.com/stackabletech/docker-images/pull/1474 +[#1475]: https://github.com/stackabletech/docker-images/pull/1475 ## [26.3.0] - 2026-03-16 diff --git a/hadoop/Dockerfile b/hadoop/Dockerfile index 2757b4e8c..f5ebf2b14 100644 --- a/hadoop/Dockerfile +++ b/hadoop/Dockerfile 
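Review bot: The tarball is downloaded and pushed to Nexus without any integrity check, so whatever `archives.boost.io` (or a redirect followed via `-L`) returns becomes the artifact that later image builds trust. Since the script's own comment says upstream publishes no signatures, take the expected SHA-256 as an argument obtained out-of-band and verify it before the upload: `EXPECTED_SHA256=${3:?"Missing expected SHA-256 argument (arg 3)"}` followed by `echo "$EXPECTED_SHA256  $BOOST_TARBALL" | sha256sum --check -`. Separately, `-u "$NEXUS_USER:$NEXUS_PASSWORD"` places the password on curl's command line, where it is visible in the process list; passing the credentials through `--config -` on stdin avoids that.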
@@ -90,6 +90,7 @@ LABEL \ COPY --chown=${STACKABLE_USER_UID}:0 --from=hadoop-builder /stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION} /stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION} COPY --chown=${STACKABLE_USER_UID}:0 --from=hadoop-builder /stackable/*-src.tar.gz /stackable +COPY --chown=${STACKABLE_USER_UID}:0 --from=hadoop-builder /stackable/boost /stackable/boost COPY --chown=${STACKABLE_USER_UID}:0 --from=hdfs-utils-builder /stackable/hdfs-utils-${HDFS_UTILS_VERSION}.jar /stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION}/share/hadoop/common/lib/hdfs-utils-${HDFS_UTILS_VERSION}.jar COPY --chown=${STACKABLE_USER_UID}:0 --from=hdfs-utils-builder /stackable/hdfs-utils-${HDFS_UTILS_VERSION}-src.tar.gz /stackable @@ -105,9 +106,11 @@ microdnf update # tar is required for `kubectl cp` which can be used to copy the log files # or profiler flamegraph from the Pod # It is already installed in the base image but leaving here for documentation purposes +# libstdc++ is a runtime dependency for boost microdnf install \ fuse \ fuse-libs \ + libstdc++ \ tar microdnf clean all rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE_VERSION}\n" | sort > /stackable/package_manifest.txt 
@@ -132,8 +135,13 @@ chmod -x "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER_VERSION}.jar" ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER_VERSION}.jar" /stackable/jmx/jmx_prometheus_javaagent.jar # Set correct permissions and ownerships -chown --recursive ${STACKABLE_USER_UID}:0 /stackable/hadoop /stackable/jmx /stackable/async-profiler "/stackable/async-profiler-${ASYNC_PROFILER_VERSION}-${TARGETOS}-${ARCH}" -chmod --recursive g=u /stackable/jmx /stackable/async-profiler "/stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION}" +chown --recursive ${STACKABLE_USER_UID}:0 \ +/stackable/hadoop /stackable/jmx /stackable/async-profiler \ +"/stackable/async-profiler-${ASYNC_PROFILER_VERSION}-${TARGETOS}-${ARCH}" \ +/stackable/boost +chmod --recursive g=u /stackable/jmx /stackable/async-profiler \ +"/stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION}" \ +/stackable/boost # Workaround for https://issues.apache.org/jira/browse/HADOOP-12845 # The problem is that our stackable-devel image does contain the openssl-devel package @@ -162,7 +170,7 @@ EOF USER ${STACKABLE_USER_UID} ENV HOME=/stackable -ENV LD_LIBRARY_PATH=/stackable/hadoop/lib/native:/usr/lib/jvm/jre/lib/server +ENV LD_LIBRARY_PATH=/stackable/boost/lib:/stackable/hadoop/lib/native:/usr/lib/jvm/jre/lib/server ENV PATH="${PATH}":/stackable/hadoop/bin ENV HADOOP_HOME=/stackable/hadoop ENV HADOOP_CONF_DIR=/stackable/config @@ -174,6 +182,8 @@ ENV ASYNC_PROFILER_HOME=/stackable/async-profiler # if HADOOP_YARN_HOME does not exist at all, so we set it here to a sensible default. ENV HADOOP_YARN_HOME=/stackable/hadoop ENV HADOOP_MAPRED_HOME=/stackable/hadoop +ENV BOOST_ROOT=/stackable/boost +ENV CPATH=/stackable/boost/include WORKDIR /stackable/hadoop CMD ["echo", "This image is not meant to be 'run' directly."] diff --git a/hadoop/boost/Dockerfile b/hadoop/boost/Dockerfile new file mode 100644 index 000000000..80f1b27dd --- /dev/null +++ b/hadoop/boost/Dockerfile 
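Review bot: `/stackable/boost` is added to the recursive `chown ${STACKABLE_USER_UID}:0` and `chmod g=u` lists while the same commit puts `/stackable/boost/lib` first on `LD_LIBRARY_PATH`, so the unprivileged runtime user owns a directory the dynamic loader searches before the system paths. These libraries only need to be read at run time; leaving the tree root-owned (drop it from both lists and from `--chown` on the `COPY --from=hadoop-builder /stackable/boost` line in the earlier hunk) keeps the loader path non-writable. `BOOST_ROOT` and `CPATH` are build-time variables and appear unnecessary in the final image unless something is compiled there.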
@@ -0,0 +1,40 @@ +# syntax=docker/dockerfile:1.16.0@sha256:e2dd261f92e4b763d789984f6eab84be66ab4f5f08052316d8eb8f173593acf7 +# check=error=true + +# The boost library is a runtime dependency of the Hadoop native code +# but is not available in the RedHat UBI10 or EPEL10 repositories, so we need to build +# it ourselves. +# +# NOTE: We use a published source bundle instead of the patchable workflow +# because boost uses git submodules for it's build system +# and patchable doesn't support these. +# The source bundle contains everything needed to build b2 (the build system) +# and boost except for dependencies which are automatically discovered. +# +FROM local-image/stackable-base AS boost-builder + +ARG BOOST_VERSION + +WORKDIR /tmp + +RUN < Date: Mon, 15 Jun 2026 16:58:46 +0200 Subject: [PATCH 3/7] update image hash and try out ssl 3 fix for 3.5.0 --- ...lude-Engine-API-when-building-with-O.patch | 95 +++++++++++++++++++ stackable-base/Dockerfile | 6 +- stackable-devel/Dockerfile | 6 +- 3 files changed, 101 insertions(+), 6 deletions(-) create mode 100644 hadoop/hadoop/stackable/patches/3.5.0/0007-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch diff --git a/hadoop/hadoop/stackable/patches/3.5.0/0007-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch b/hadoop/hadoop/stackable/patches/3.5.0/0007-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch new file mode 100644 index 000000000..2a1d90134 --- /dev/null +++ b/hadoop/hadoop/stackable/patches/3.5.0/0007-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch 
@@ -0,0 +1,95 @@ +From 417cf6efdf1950da52867f883d361435f488d811 Mon Sep 17 00:00:00 2001 +From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> +Date: Mon, 15 Jun 2026 15:59:39 +0200 +Subject: HADOOP-19872: Exclude Engine API when building with OpenSSL 3.x. + +Source https://github.com/apache/hadoop/pull/8550/ +--- + .../hadoop/crypto/random/OpensslSecureRandom.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c +index 3f141be05b..047e1bb402 100644 +--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c ++++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c +@@ -49,11 +49,13 @@ static void (*dlsym_CRYPTO_set_id_callback) (unsigned long (*)()); + static void (*dlsym_ENGINE_load_rdrand) (void); + static void (*dlsym_ENGINE_cleanup) (void); + #endif ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + static ENGINE * (*dlsym_ENGINE_by_id) (const char *); + static int (*dlsym_ENGINE_init) (ENGINE *); + static int (*dlsym_ENGINE_set_default) (ENGINE *, unsigned int); + static int (*dlsym_ENGINE_finish) (ENGINE *); + static int (*dlsym_ENGINE_free) (ENGINE *); ++#endif + static int (*dlsym_RAND_bytes) (unsigned char *, int); + static unsigned long (*dlsym_ERR_get_error) (void); + #endif +@@ -126,12 +128,14 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_ + openssl, "ENGINE_load_rdrand"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_cleanup, env, openssl, "ENGINE_cleanup"); + #endif ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_by_id, env, openssl, "ENGINE_by_id"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_init, env, openssl, "ENGINE_init"); 
+ LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_set_default, env, \ + openssl, "ENGINE_set_default"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_finish, env, openssl, "ENGINE_finish"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_free, env, openssl, "ENGINE_free"); ++#endif + LOAD_DYNAMIC_SYMBOL(dlsym_RAND_bytes, env, openssl, "RAND_bytes"); + LOAD_DYNAMIC_SYMBOL(dlsym_ERR_get_error, env, openssl, "ERR_get_error"); + #endif +@@ -239,7 +243,7 @@ static void windows_locking_callback(int mode, int type, char *file, int line) + } + #endif /* WINDOWS */ + +-#ifdef UNIX ++#if defined(UNIX) && OPENSSL_VERSION_NUMBER < 0x10100000L + static void pthreads_locking_callback(int mode, int type, char *file, int line); + static unsigned long pthreads_thread_id(void); + static pthread_mutex_t *lock_cs; +@@ -300,7 +304,7 @@ static unsigned long pthreads_thread_id(void) + return thread_id; + } + +-#endif /* UNIX */ ++#endif /* UNIX && OpenSSL < 1.1.0 */ + + /** + * If using an Intel chipset with RDRAND, the high-performance hardware +@@ -308,6 +312,7 @@ static unsigned long pthreads_thread_id(void) + */ + static ENGINE * openssl_rand_init(void) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + #if OPENSSL_VERSION_NUMBER < 0x10100000L + locks_setup(); + +@@ -339,10 +344,14 @@ static ENGINE * openssl_rand_init(void) + } + + return eng; ++#else ++ return NULL; ++#endif + } + + static void openssl_rand_clean(ENGINE *eng, int clean_locks) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (NULL != eng) { + dlsym_ENGINE_finish(eng); + dlsym_ENGINE_free(eng); +@@ -353,6 +362,10 @@ static void openssl_rand_clean(ENGINE *eng, int clean_locks) + locks_cleanup(); + } + #endif ++#else ++ UNUSED(eng); ++ UNUSED(clean_locks); ++#endif + } + + static int openssl_rand_bytes(unsigned char *buf, int num) diff --git a/stackable-base/Dockerfile b/stackable-base/Dockerfile index 05a2e4268..2619fb42c 100644 --- a/stackable-base/Dockerfile +++ b/stackable-base/Dockerfile 
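Review bot: With OpenSSL 3.x `openssl_rand_init()` now returns NULL unconditionally, but the doc comment directly above it still describes selecting the RDRAND engine; it should gain a line such as `* With OpenSSL >= 3.0 no engine is selected and RAND_bytes uses the library's default generator.` The callers of `openssl_rand_init()` are outside the hunk, so confirm that none of them treats a NULL engine as an initialisation failure. The version test is evaluated at compile time while the symbols are resolved through `LOAD_DYNAMIC_SYMBOL` at run time, so the outcome depends on building against the same OpenSSL major version the image ships. The identical patch files added for 3.4.2 and 3.4.3 in the next commit carry the same gaps.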
@@ -43,11 +43,11 @@ EOF # # The website is awful/broken, so you can use one of the following tools to find it: # -# docker buildx imagetools inspect registry.redhat.io/ubi10/ubi-minimal --format '{{json .Manifest.Digest}}' +# docker buildx imagetools inspect registry.access.redhat.com/ubi10/ubi-minimal --format '{{json .Manifest.Digest}}' # # or -# skopeo inspect --format '{{.Digest}}' docker://registry.redhat.io/ubi10/ubi-minimal +# skopeo inspect --format '{{.Digest}}' docker://registry.access.redhat.com/ubi10/ubi-minimal # -FROM registry.redhat.io/ubi10/ubi-minimal@sha256:8935d83eadb5c9f621c13f4dfab7e1bbd8d948317dc67157279911ede1013112 +FROM registry.access.redhat.com/ubi10/ubi-minimal@sha256:76c113359a458e3f04057762b5bd4a9837a6987520434dea158c728280116713 # intentionally unused ARG PRODUCT_VERSION diff --git a/stackable-devel/Dockerfile b/stackable-devel/Dockerfile index fd3c4a6b5..d7ec5d583 100644 --- a/stackable-devel/Dockerfile +++ b/stackable-devel/Dockerfile @@ -16,11 +16,11 @@ # # The website is awful/broken, so you can use one of the following tools to find it: # -# docker buildx imagetools inspect registry.redhat.io/ubi10/ubi-minimal --format '{{json .Manifest.Digest}}' +# docker buildx imagetools inspect registry.access.redhat.com/ubi10/ubi-minimal --format '{{json .Manifest.Digest}}' # # or -# skopeo inspect --format '{{.Digest}}' docker://registry.redhat.io/ubi10/ubi-minimal +# skopeo inspect --format '{{.Digest}}' docker://registry.access.redhat.com/ubi10/ubi-minimal # -FROM registry.redhat.io/ubi10/ubi-minimal@sha256:8935d83eadb5c9f621c13f4dfab7e1bbd8d948317dc67157279911ede1013112 +FROM registry.access.redhat.com/ubi10/ubi-minimal@sha256:76c113359a458e3f04057762b5bd4a9837a6987520434dea158c728280116713 # intentionally unused ARG PRODUCT_VERSION From 8da24644aae2a2e6724e34ebfdd8d40d9f7e0799 Mon Sep 17 00:00:00 2001 
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Tue, 16 Jun 2026 12:28:25 +0200
Subject: [PATCH 4/7] add openssl fix for ubi 10 to 3.4.x versions
---
...lude-Engine-API-when-building-with-O.patch | 95 +++++++++++++++++++
...lude-Engine-API-when-building-with-O.patch | 95 +++++++++++++++++++
2 files changed, 190 insertions(+)
create mode 100644 hadoop/hadoop/stackable/patches/3.4.2/0010-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch
create mode 100644 hadoop/hadoop/stackable/patches/3.4.3/0009-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch
diff --git a/hadoop/hadoop/stackable/patches/3.4.2/0010-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch b/hadoop/hadoop/stackable/patches/3.4.2/0010-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch
new file mode 100644
index 000000000..5f5f75573
--- /dev/null
+++ b/hadoop/hadoop/stackable/patches/3.4.2/0010-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch
@@ -0,0 +1,95 @@ +From fb632e667004fd707a814cb6415c953a7478dd26 Mon Sep 17 00:00:00 2001 +From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> +Date: Mon, 15 Jun 2026 15:59:39 +0200 +Subject: HADOOP-19872: Exclude Engine API when building with OpenSSL 3.x. + +Source https://github.com/apache/hadoop/pull/8550/ +--- + .../hadoop/crypto/random/OpensslSecureRandom.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c +index 3f141be05b..047e1bb402 100644 +--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c ++++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c +@@ -49,11 +49,13 @@ static void (*dlsym_CRYPTO_set_id_callback) (unsigned long (*)()); + static void (*dlsym_ENGINE_load_rdrand) (void); + static void (*dlsym_ENGINE_cleanup) (void); + #endif ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + static ENGINE * (*dlsym_ENGINE_by_id) (const char *); + static int (*dlsym_ENGINE_init) (ENGINE *); + static int (*dlsym_ENGINE_set_default) (ENGINE *, unsigned int); + static int (*dlsym_ENGINE_finish) (ENGINE *); + static int (*dlsym_ENGINE_free) (ENGINE *); ++#endif + static int (*dlsym_RAND_bytes) (unsigned char *, int); + static unsigned long (*dlsym_ERR_get_error) (void); + #endif +@@ -126,12 +128,14 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_ + openssl, "ENGINE_load_rdrand"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_cleanup, env, openssl, "ENGINE_cleanup"); + #endif ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_by_id, env, openssl, "ENGINE_by_id"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_init, env, openssl, "ENGINE_init"); 
+ LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_set_default, env, \ + openssl, "ENGINE_set_default"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_finish, env, openssl, "ENGINE_finish"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_free, env, openssl, "ENGINE_free"); ++#endif + LOAD_DYNAMIC_SYMBOL(dlsym_RAND_bytes, env, openssl, "RAND_bytes"); + LOAD_DYNAMIC_SYMBOL(dlsym_ERR_get_error, env, openssl, "ERR_get_error"); + #endif +@@ -239,7 +243,7 @@ static void windows_locking_callback(int mode, int type, char *file, int line) + } + #endif /* WINDOWS */ + +-#ifdef UNIX ++#if defined(UNIX) && OPENSSL_VERSION_NUMBER < 0x10100000L + static void pthreads_locking_callback(int mode, int type, char *file, int line); + static unsigned long pthreads_thread_id(void); + static pthread_mutex_t *lock_cs; +@@ -300,7 +304,7 @@ static unsigned long pthreads_thread_id(void) + return thread_id; + } + +-#endif /* UNIX */ ++#endif /* UNIX && OpenSSL < 1.1.0 */ + + /** + * If using an Intel chipset with RDRAND, the high-performance hardware +@@ -308,6 +312,7 @@ static unsigned long pthreads_thread_id(void) + */ + static ENGINE * openssl_rand_init(void) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + #if OPENSSL_VERSION_NUMBER < 0x10100000L + locks_setup(); + +@@ -339,10 +344,14 @@ static ENGINE * openssl_rand_init(void) + } + + return eng; ++#else ++ return NULL; ++#endif + } + + static void openssl_rand_clean(ENGINE *eng, int clean_locks) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (NULL != eng) { + dlsym_ENGINE_finish(eng); + dlsym_ENGINE_free(eng); +@@ -353,6 +362,10 @@ static void openssl_rand_clean(ENGINE *eng, int clean_locks) + locks_cleanup(); + } + #endif ++#else ++ UNUSED(eng); ++ UNUSED(clean_locks); ++#endif + } + + static int openssl_rand_bytes(unsigned char *buf, int num) 
diff --git a/hadoop/hadoop/stackable/patches/3.4.3/0009-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch b/hadoop/hadoop/stackable/patches/3.4.3/0009-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch
new file mode 100644
index 000000000..b6e258bd9
--- /dev/null
+++ b/hadoop/hadoop/stackable/patches/3.4.3/0009-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch
@@ -0,0 +1,95 @@ +From e224e0e240a6223ce1fe706a18438cde1e811886 Mon Sep 17 00:00:00 2001 +From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> +Date: Mon, 15 Jun 2026 15:59:39 +0200 +Subject: HADOOP-19872: Exclude Engine API when building with OpenSSL 3.x. + +Source https://github.com/apache/hadoop/pull/8550/ +--- + .../hadoop/crypto/random/OpensslSecureRandom.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c +index 3f141be05b..047e1bb402 100644 +--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c ++++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c +@@ -49,11 +49,13 @@ static void (*dlsym_CRYPTO_set_id_callback) (unsigned long (*)()); + static void (*dlsym_ENGINE_load_rdrand) (void); + static void (*dlsym_ENGINE_cleanup) (void); + #endif ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + static ENGINE * (*dlsym_ENGINE_by_id) (const char *); + static int (*dlsym_ENGINE_init) (ENGINE *); + static int (*dlsym_ENGINE_set_default) (ENGINE *, unsigned int); + static int (*dlsym_ENGINE_finish) (ENGINE *); + static int (*dlsym_ENGINE_free) (ENGINE *); ++#endif + static int (*dlsym_RAND_bytes) (unsigned char *, int); + static unsigned long (*dlsym_ERR_get_error) (void); + #endif +@@ -126,12 +128,14 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_ + openssl, "ENGINE_load_rdrand"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_cleanup, env, openssl, "ENGINE_cleanup"); + #endif ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_by_id, env, openssl, "ENGINE_by_id"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_init, env, openssl, "ENGINE_init"); 
+ LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_set_default, env, \ + openssl, "ENGINE_set_default"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_finish, env, openssl, "ENGINE_finish"); + LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_free, env, openssl, "ENGINE_free"); ++#endif + LOAD_DYNAMIC_SYMBOL(dlsym_RAND_bytes, env, openssl, "RAND_bytes"); + LOAD_DYNAMIC_SYMBOL(dlsym_ERR_get_error, env, openssl, "ERR_get_error"); + #endif +@@ -239,7 +243,7 @@ static void windows_locking_callback(int mode, int type, char *file, int line) + } + #endif /* WINDOWS */ + +-#ifdef UNIX ++#if defined(UNIX) && OPENSSL_VERSION_NUMBER < 0x10100000L + static void pthreads_locking_callback(int mode, int type, char *file, int line); + static unsigned long pthreads_thread_id(void); + static pthread_mutex_t *lock_cs; +@@ -300,7 +304,7 @@ static unsigned long pthreads_thread_id(void) + return thread_id; + } + +-#endif /* UNIX */ ++#endif /* UNIX && OpenSSL < 1.1.0 */ + + /** + * If using an Intel chipset with RDRAND, the high-performance hardware +@@ -308,6 +312,7 @@ static unsigned long pthreads_thread_id(void) + */ + static ENGINE * openssl_rand_init(void) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + #if OPENSSL_VERSION_NUMBER < 0x10100000L + locks_setup(); + +@@ -339,10 +344,14 @@ static ENGINE * openssl_rand_init(void) + } + + return eng; ++#else ++ return NULL; ++#endif + } + + static void openssl_rand_clean(ENGINE *eng, int clean_locks) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (NULL != eng) { + dlsym_ENGINE_finish(eng); + dlsym_ENGINE_free(eng); +@@ -353,6 +362,10 @@ static void openssl_rand_clean(ENGINE *eng, int clean_locks) + locks_cleanup(); + } + #endif ++#else ++ UNUSED(eng); ++ UNUSED(clean_locks); ++#endif + } + + static int openssl_rand_bytes(unsigned char *buf, int num) From 2f247031116f1b75f268e7ef195c8217b1af87bd Mon Sep 17 00:00:00 2001 
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 16 Jun 2026 12:59:29 +0200 Subject: [PATCH 5/7] remove hadoop/boost --- hadoop/boost/Dockerfile | 40 ----------------------------------- hadoop/boost/boil-config.toml | 5 ----- 2 files changed, 45 deletions(-) delete mode 100644 hadoop/boost/Dockerfile delete mode 100644 hadoop/boost/boil-config.toml diff --git a/hadoop/boost/Dockerfile b/hadoop/boost/Dockerfile deleted file mode 100644 index 80f1b27dd..000000000 --- a/hadoop/boost/Dockerfile +++ /dev/null @@ -1,40 +0,0 @@ -# syntax=docker/dockerfile:1.16.0@sha256:e2dd261f92e4b763d789984f6eab84be66ab4f5f08052316d8eb8f173593acf7 -# check=error=true - -# The boost library is a runtime dependency of the Hadoop native code -# but is not available in the RedHat UBI10 or EPEL10 repositories, so we need to build -# it ourselves. -# -# NOTE: We use a published source bundle instead of the patchable workflow -# because boost uses git submodules for it's build system -# and patchable doesn't support these. -# The source bundle contains everything needed to build b2 (the build system) -# and boost except for dependencies which are automatically discovered. -# -FROM local-image/stackable-base AS boost-builder - -ARG BOOST_VERSION - -WORKDIR /tmp - -RUN < Date: Tue, 16 Jun 2026 13:03:29 +0200 Subject: [PATCH 6/7] merge hadoop Dockerfiles from maim --- hadoop/Dockerfile | 16 +++------------- hadoop/hadoop/Dockerfile | 3 +++ 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/hadoop/Dockerfile b/hadoop/Dockerfile index f5ebf2b14..2757b4e8c 100644 --- a/hadoop/Dockerfile +++ b/hadoop/Dockerfile 
@@ -90,7 +90,6 @@ LABEL \ COPY --chown=${STACKABLE_USER_UID}:0 --from=hadoop-builder /stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION} /stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION} COPY --chown=${STACKABLE_USER_UID}:0 --from=hadoop-builder /stackable/*-src.tar.gz /stackable -COPY --chown=${STACKABLE_USER_UID}:0 --from=hadoop-builder /stackable/boost /stackable/boost COPY --chown=${STACKABLE_USER_UID}:0 --from=hdfs-utils-builder /stackable/hdfs-utils-${HDFS_UTILS_VERSION}.jar /stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION}/share/hadoop/common/lib/hdfs-utils-${HDFS_UTILS_VERSION}.jar COPY --chown=${STACKABLE_USER_UID}:0 --from=hdfs-utils-builder /stackable/hdfs-utils-${HDFS_UTILS_VERSION}-src.tar.gz /stackable @@ -106,11 +105,9 @@ microdnf update # tar is required for `kubectl cp` which can be used to copy the log files # or profiler flamegraph from the Pod # It is already installed in the base image but leaving here for documentation purposes -# libstdc++ is a runtime dependency for boost microdnf install \ fuse \ fuse-libs \ - libstdc++ \ tar microdnf clean all rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE_VERSION}\n" | sort > /stackable/package_manifest.txt 
@@ -135,13 +132,8 @@ chmod -x "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER_VERSION}.jar" ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER_VERSION}.jar" /stackable/jmx/jmx_prometheus_javaagent.jar # Set correct permissions and ownerships -chown --recursive ${STACKABLE_USER_UID}:0 \ -/stackable/hadoop /stackable/jmx /stackable/async-profiler \ -"/stackable/async-profiler-${ASYNC_PROFILER_VERSION}-${TARGETOS}-${ARCH}" \ -/stackable/boost -chmod --recursive g=u /stackable/jmx /stackable/async-profiler \ -"/stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION}" \ -/stackable/boost +chown --recursive ${STACKABLE_USER_UID}:0 /stackable/hadoop /stackable/jmx /stackable/async-profiler "/stackable/async-profiler-${ASYNC_PROFILER_VERSION}-${TARGETOS}-${ARCH}" +chmod --recursive g=u /stackable/jmx /stackable/async-profiler "/stackable/hadoop-${HADOOP_VERSION}-stackable${RELEASE_VERSION}" # Workaround for https://issues.apache.org/jira/browse/HADOOP-12845 # The problem is that our stackable-devel image does contain the openssl-devel package @@ -170,7 +162,7 @@ EOF USER ${STACKABLE_USER_UID} ENV HOME=/stackable -ENV LD_LIBRARY_PATH=/stackable/boost/lib:/stackable/hadoop/lib/native:/usr/lib/jvm/jre/lib/server +ENV LD_LIBRARY_PATH=/stackable/hadoop/lib/native:/usr/lib/jvm/jre/lib/server ENV PATH="${PATH}":/stackable/hadoop/bin ENV HADOOP_HOME=/stackable/hadoop ENV HADOOP_CONF_DIR=/stackable/config @@ -182,8 +174,6 @@ ENV ASYNC_PROFILER_HOME=/stackable/async-profiler # if HADOOP_YARN_HOME does not exist at all, so we set it here to a sensible default. ENV HADOOP_YARN_HOME=/stackable/hadoop ENV HADOOP_MAPRED_HOME=/stackable/hadoop -ENV BOOST_ROOT=/stackable/boost -ENV CPATH=/stackable/boost/include WORKDIR /stackable/hadoop CMD ["echo", "This image is not meant to be 'run' directly."] diff --git a/hadoop/hadoop/Dockerfile b/hadoop/hadoop/Dockerfile index fe6429eee..b8387410e 100644 --- a/hadoop/hadoop/Dockerfile +++ b/hadoop/hadoop/Dockerfile 
@@ -10,6 +10,7 @@ ARG PROTOBUF_VERSION ARG AWS_JAVA_SDK_BUNDLE_VERSION ARG AZURE_STORAGE_VERSION ARG AZURE_KEYVAULT_CORE_VERSION +ARG ANALYTICSACCELERATOR_S3_VERSION ARG STACKABLE_USER_UID WORKDIR /stackable @@ -166,6 +167,8 @@ else cp /stackable/hadoop/share/hadoop/common/lib/hadoop-aws-${NEW_VERSION}.jar /stackable/hadoop-cloud-libraries/ # Starting with Hadoop 3.4.3 the aws-java-sdk-bundle is not included any more. curl -o /stackable/hadoop-cloud-libraries/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE_VERSION}.jar --fail "https://repo.stackable.tech/repository/packages/aws/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE_VERSION}.jar" + # Starting with Hadoop 3.4.3 the S3A InputStreamType factory references analyticsaccelerator-s3 (software.amazon.s3.analyticsaccelerator.request.ObjectClient) during S3AFileSystem.initialize. + curl -o /stackable/hadoop-cloud-libraries/analyticsaccelerator-s3-${ANALYTICSACCELERATOR_S3_VERSION}.jar --fail "https://repo.stackable.tech/repository/packages/aws/analyticsaccelerator-s3-${ANALYTICSACCELERATOR_S3_VERSION}.jar" cp /stackable/hadoop/share/hadoop/common/lib/hadoop-azure-${NEW_VERSION}.jar /stackable/hadoop-cloud-libraries/ cp /stackable/hadoop/share/hadoop/common/lib/azure-storage-${AZURE_STORAGE_VERSION}.jar /stackable/hadoop-cloud-libraries/ cp /stackable/hadoop/share/hadoop/common/lib/azure-keyvault-core-${AZURE_KEYVAULT_CORE_VERSION}.jar /stackable/hadoop-cloud-libraries/ From c66329b5d35a18ceb184ee6733430f9249247247 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 16 Jun 2026 17:59:27 +0200 Subject: [PATCH 7/7] install gzip --- hadoop/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hadoop/Dockerfile b/hadoop/Dockerfile index 2757b4e8c..faf918905 100644 --- a/hadoop/Dockerfile +++ b/hadoop/Dockerfile 
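Review bot: The added `curl` for `analyticsaccelerator-s3-${ANALYTICSACCELERATOR_S3_VERSION}.jar` writes the jar into `/stackable/hadoop-cloud-libraries/` with `--fail` as the only check, so its content is trusted purely on the mirror and the version string. Pinning an expected SHA-256 next to the version and verifying it right after the download, e.g. `echo "${EXPECTED_SHA256_PLACEHOLDER}  JAR_PATH_PLACEHOLDER" | sha256sum --check -`, would make a replaced or truncated artifact fail the build. The `aws-java-sdk-bundle` download on the context line above follows the same pattern, and the enclosing `if`/`else` starts outside the hunk.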
@@ -105,9 +105,11 @@ microdnf update # tar is required for `kubectl cp` which can be used to copy the log files # or profiler flamegraph from the Pod # It is already installed in the base image but leaving here for documentation purposes +# TODO: gzip is needed by rpm and it is not included in UBI 10. Probably needs to go higher up the image chain. microdnf install \ fuse \ fuse-libs \ + gzip \ tar microdnf clean all rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE_VERSION}\n" | sort > /stackable/package_manifest.txt