fix: hadoop build with openssl 3 on UBI 10

hadoop/Dockerfile

@@ -105,9 +105,11 @@ microdnf update
 # tar is required for `kubectl cp` which can be used to copy the log files
 # or profiler flamegraph from the Pod
 # It is already installed in the base image but leaving here for documentation purposes
+# TODO: gzip is needed by rpm and it is not included in UBI 10. Probably needs to go higher up the image chain.
 microdnf install \
   fuse \
   fuse-libs \
+  gzip \
   tar
 microdnf clean all
 rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE_VERSION}\n" | sort > /stackable/package_manifest.txt

hadoop/hadoop/stackable/patches/3.4.2/0010-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch

@@ -0,0 +1,95 @@
+From fb632e667004fd707a814cb6415c953a7478dd26 Mon Sep 17 00:00:00 2001
+From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
+Date: Mon, 15 Jun 2026 15:59:39 +0200
+Subject: HADOOP-19872: Exclude Engine API when building with OpenSSL 3.x.
+
+Source https://github.com/apache/hadoop/pull/8550/
+---
+ .../hadoop/crypto/random/OpensslSecureRandom.c  | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
+index 3f141be05b..047e1bb402 100644
+--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
++++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
+@@ -49,11 +49,13 @@ static void (*dlsym_CRYPTO_set_id_callback) (unsigned long (*)());
+ static void (*dlsym_ENGINE_load_rdrand) (void);
+ static void (*dlsym_ENGINE_cleanup) (void);
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ static ENGINE * (*dlsym_ENGINE_by_id) (const char *);
+ static int (*dlsym_ENGINE_init) (ENGINE *);
+ static int (*dlsym_ENGINE_set_default) (ENGINE *, unsigned int);
+ static int (*dlsym_ENGINE_finish) (ENGINE *);
+ static int (*dlsym_ENGINE_free) (ENGINE *);
++#endif
+ static int (*dlsym_RAND_bytes) (unsigned char *, int);
+ static unsigned long (*dlsym_ERR_get_error) (void);
+ #endif
+@@ -126,12 +128,14 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_
+                       openssl, "ENGINE_load_rdrand");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_cleanup, env, openssl, "ENGINE_cleanup");
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_by_id, env, openssl, "ENGINE_by_id");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_init, env, openssl, "ENGINE_init");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_set_default, env,  \
+                       openssl, "ENGINE_set_default");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_finish, env, openssl, "ENGINE_finish");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_free, env, openssl, "ENGINE_free");
++#endif
+   LOAD_DYNAMIC_SYMBOL(dlsym_RAND_bytes, env, openssl, "RAND_bytes");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ERR_get_error, env, openssl, "ERR_get_error");
+ #endif
+@@ -239,7 +243,7 @@ static void windows_locking_callback(int mode, int type, char *file, int line)
+ }
+ #endif /* WINDOWS */
+
+-#ifdef UNIX
++#if defined(UNIX) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ static void pthreads_locking_callback(int mode, int type, char *file, int line);
+ static unsigned long pthreads_thread_id(void);
+ static pthread_mutex_t *lock_cs;
+@@ -300,7 +304,7 @@ static unsigned long pthreads_thread_id(void)
+   return thread_id;
+ }
+
+-#endif /* UNIX */
++#endif /* UNIX && OpenSSL < 1.1.0 */
+
+ /**
+  * If using an Intel chipset with RDRAND, the high-performance hardware
+@@ -308,6 +312,7 @@ static unsigned long pthreads_thread_id(void)
+  */
+ static ENGINE * openssl_rand_init(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+   locks_setup();
+
+@@ -339,10 +344,14 @@ static ENGINE * openssl_rand_init(void)
+   }
+
+   return eng;
++#else
++  return NULL;
++#endif
+ }
+
+ static void openssl_rand_clean(ENGINE *eng, int clean_locks)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+   if (NULL != eng) {
+     dlsym_ENGINE_finish(eng);
+     dlsym_ENGINE_free(eng);
+@@ -353,6 +362,10 @@ static void openssl_rand_clean(ENGINE *eng, int clean_locks)
+     locks_cleanup();
+   }
+ #endif
++#else
++  UNUSED(eng);
++  UNUSED(clean_locks);
++#endif
+ }
+
+ static int openssl_rand_bytes(unsigned char *buf, int num)

hadoop/hadoop/stackable/patches/3.4.3/0009-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch

@@ -0,0 +1,95 @@
+From e224e0e240a6223ce1fe706a18438cde1e811886 Mon Sep 17 00:00:00 2001
+From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
+Date: Mon, 15 Jun 2026 15:59:39 +0200
+Subject: HADOOP-19872: Exclude Engine API when building with OpenSSL 3.x.
+
+Source https://github.com/apache/hadoop/pull/8550/
+---
+ .../hadoop/crypto/random/OpensslSecureRandom.c  | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
+index 3f141be05b..047e1bb402 100644
+--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
++++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
+@@ -49,11 +49,13 @@ static void (*dlsym_CRYPTO_set_id_callback) (unsigned long (*)());
+ static void (*dlsym_ENGINE_load_rdrand) (void);
+ static void (*dlsym_ENGINE_cleanup) (void);
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ static ENGINE * (*dlsym_ENGINE_by_id) (const char *);
+ static int (*dlsym_ENGINE_init) (ENGINE *);
+ static int (*dlsym_ENGINE_set_default) (ENGINE *, unsigned int);
+ static int (*dlsym_ENGINE_finish) (ENGINE *);
+ static int (*dlsym_ENGINE_free) (ENGINE *);
++#endif
+ static int (*dlsym_RAND_bytes) (unsigned char *, int);
+ static unsigned long (*dlsym_ERR_get_error) (void);
+ #endif
+@@ -126,12 +128,14 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_
+                       openssl, "ENGINE_load_rdrand");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_cleanup, env, openssl, "ENGINE_cleanup");
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_by_id, env, openssl, "ENGINE_by_id");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_init, env, openssl, "ENGINE_init");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_set_default, env,  \
+                       openssl, "ENGINE_set_default");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_finish, env, openssl, "ENGINE_finish");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_free, env, openssl, "ENGINE_free");
++#endif
+   LOAD_DYNAMIC_SYMBOL(dlsym_RAND_bytes, env, openssl, "RAND_bytes");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ERR_get_error, env, openssl, "ERR_get_error");
+ #endif
+@@ -239,7 +243,7 @@ static void windows_locking_callback(int mode, int type, char *file, int line)
+ }
+ #endif /* WINDOWS */
+
+-#ifdef UNIX
++#if defined(UNIX) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ static void pthreads_locking_callback(int mode, int type, char *file, int line);
+ static unsigned long pthreads_thread_id(void);
+ static pthread_mutex_t *lock_cs;
+@@ -300,7 +304,7 @@ static unsigned long pthreads_thread_id(void)
+   return thread_id;
+ }
+
+-#endif /* UNIX */
++#endif /* UNIX && OpenSSL < 1.1.0 */
+
+ /**
+  * If using an Intel chipset with RDRAND, the high-performance hardware
+@@ -308,6 +312,7 @@ static unsigned long pthreads_thread_id(void)
+  */
+ static ENGINE * openssl_rand_init(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+   locks_setup();
+
+@@ -339,10 +344,14 @@ static ENGINE * openssl_rand_init(void)
+   }
+
+   return eng;
++#else
++  return NULL;
++#endif
+ }
+
+ static void openssl_rand_clean(ENGINE *eng, int clean_locks)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+   if (NULL != eng) {
+     dlsym_ENGINE_finish(eng);
+     dlsym_ENGINE_free(eng);
+@@ -353,6 +362,10 @@ static void openssl_rand_clean(ENGINE *eng, int clean_locks)
+     locks_cleanup();
+   }
+ #endif
++#else
++  UNUSED(eng);
++  UNUSED(clean_locks);
++#endif
+ }
+
+ static int openssl_rand_bytes(unsigned char *buf, int num)

hadoop/hadoop/stackable/patches/3.5.0/0007-HADOOP-19872-Exclude-Engine-API-when-building-with-O.patch

@@ -0,0 +1,95 @@
+From 417cf6efdf1950da52867f883d361435f488d811 Mon Sep 17 00:00:00 2001
+From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
+Date: Mon, 15 Jun 2026 15:59:39 +0200
+Subject: HADOOP-19872: Exclude Engine API when building with OpenSSL 3.x.
+
+Source https://github.com/apache/hadoop/pull/8550/
+---
+ .../hadoop/crypto/random/OpensslSecureRandom.c  | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
+index 3f141be05b..047e1bb402 100644
+--- a/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
++++ b/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c
+@@ -49,11 +49,13 @@ static void (*dlsym_CRYPTO_set_id_callback) (unsigned long (*)());
+ static void (*dlsym_ENGINE_load_rdrand) (void);
+ static void (*dlsym_ENGINE_cleanup) (void);
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ static ENGINE * (*dlsym_ENGINE_by_id) (const char *);
+ static int (*dlsym_ENGINE_init) (ENGINE *);
+ static int (*dlsym_ENGINE_set_default) (ENGINE *, unsigned int);
+ static int (*dlsym_ENGINE_finish) (ENGINE *);
+ static int (*dlsym_ENGINE_free) (ENGINE *);
++#endif
+ static int (*dlsym_RAND_bytes) (unsigned char *, int);
+ static unsigned long (*dlsym_ERR_get_error) (void);
+ #endif
+@@ -126,12 +128,14 @@ JNIEXPORT void JNICALL Java_org_apache_hadoop_crypto_random_OpensslSecureRandom_
+                       openssl, "ENGINE_load_rdrand");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_cleanup, env, openssl, "ENGINE_cleanup");
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_by_id, env, openssl, "ENGINE_by_id");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_init, env, openssl, "ENGINE_init");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_set_default, env,  \
+                       openssl, "ENGINE_set_default");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_finish, env, openssl, "ENGINE_finish");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ENGINE_free, env, openssl, "ENGINE_free");
++#endif
+   LOAD_DYNAMIC_SYMBOL(dlsym_RAND_bytes, env, openssl, "RAND_bytes");
+   LOAD_DYNAMIC_SYMBOL(dlsym_ERR_get_error, env, openssl, "ERR_get_error");
+ #endif
+@@ -239,7 +243,7 @@ static void windows_locking_callback(int mode, int type, char *file, int line)
+ }
+ #endif /* WINDOWS */
+
+-#ifdef UNIX
++#if defined(UNIX) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ static void pthreads_locking_callback(int mode, int type, char *file, int line);
+ static unsigned long pthreads_thread_id(void);
+ static pthread_mutex_t *lock_cs;
+@@ -300,7 +304,7 @@ static unsigned long pthreads_thread_id(void)
+   return thread_id;
+ }
+
+-#endif /* UNIX */
++#endif /* UNIX && OpenSSL < 1.1.0 */
+
+ /**
+  * If using an Intel chipset with RDRAND, the high-performance hardware
+@@ -308,6 +312,7 @@ static unsigned long pthreads_thread_id(void)
+  */
+ static ENGINE * openssl_rand_init(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+   locks_setup();
+
+@@ -339,10 +344,14 @@ static ENGINE * openssl_rand_init(void)
+   }
+
+   return eng;
++#else
++  return NULL;
++#endif
+ }
+
+ static void openssl_rand_clean(ENGINE *eng, int clean_locks)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+   if (NULL != eng) {
+     dlsym_ENGINE_finish(eng);
+     dlsym_ENGINE_free(eng);
+@@ -353,6 +362,10 @@ static void openssl_rand_clean(ENGINE *eng, int clean_locks)
+     locks_cleanup();
+   }
+ #endif
++#else
++  UNUSED(eng);
++  UNUSED(clean_locks);
++#endif
+ }
+
+ static int openssl_rand_bytes(unsigned char *buf, int num)

stackable-base/Dockerfile

@@ -35,13 +35,19 @@ cd /secret-operator
 cargo auditable --quiet build --release --package cert-tools && cargo cyclonedx --all --spec-version 1.5 --describe binaries
 EOF
 
-# Find the latest version at https://catalog.redhat.com/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5?container-tabs=gti
+# Find the latest version at https://catalog.redhat.com
+# Use the search to find the image you are interested in because navigating the catalog folders is impossible.
+#
 # IMPORTANT: Make sure to use the "Manifest List Digest" that references the images for multiple architectures
 # rather than just the "Image Digest" that references the image for the selected architecture.
-# The website is broken, so you can use this to find it:
-# curl https://catalog.redhat.com/en/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5 \
-# | grep -oE 'registry.redhat.io/ubi9/ubi-minimal@sha256:[a-z0-9]{64}'
-FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS builder
+#
+# The website is awful/broken, so you can use one of the following tools to find it:
+#
+#   docker buildx imagetools inspect registry.access.redhat.com/ubi10/ubi-minimal --format '{{json .Manifest.Digest}}'
+#   # or
+#   skopeo inspect --format '{{.Digest}}' docker://registry.access.redhat.com/ubi10/ubi-minimal
+#
+FROM registry.access.redhat.com/ubi10/ubi-minimal@sha256:76c113359a458e3f04057762b5bd4a9837a6987520434dea158c728280116713
 
 # intentionally unused
 ARG PRODUCT_VERSION
@@ -158,7 +164,7 @@ chown ${STACKABLE_USER_UID}:0 /stackable/.curlrc
 # CVE-2023-37920: Remove "e-Tugra" root certificates
 # e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems
 # Until they are removed by default from ca-certificates, we should remove them manually
-EXPECTED_CERTS_PACKAGE="ca-certificates-2025.2.80_v9.0.305-91.el9.noarch"
+EXPECTED_CERTS_PACKAGE="ca-certificates-2025.2.80_v9.0.305-102.el10_1.noarch"
 ACTUAL_CERTS_PACKAGE="$(rpm -qa ca-certificates)"
 if [ "$ACTUAL_CERTS_PACKAGE" != "$EXPECTED_CERTS_PACKAGE" ]; then
   echo "The ca-certificates package was updated to $ACTUAL_CERTS_PACKAGE. Please check if the e-Tugra root certificates are present. \

stackable-devel/Dockerfile

@@ -8,13 +8,19 @@
 # Use `stackable-base` as a base for the final image stage instead
 #
 
-# Find the latest version at https://catalog.redhat.com/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5?container-tabs=gti
+# Find the latest version at https://catalog.redhat.com
+# Use the search to find the image you are interested in because navigating the catalog folders is impossible.
+#
 # IMPORTANT: Make sure to use the "Manifest List Digest" that references the images for multiple architectures
 # rather than just the "Image Digest" that references the image for the selected architecture.
-# The website is broken, so you can use this to find it:
-# curl https://catalog.redhat.com/en/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5 \
-# | grep -oE 'registry.redhat.io/ubi9/ubi-minimal@sha256:[a-z0-9]{64}'
-FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS builder
+#
+# The website is awful/broken, so you can use one of the following tools to find it:
+#
+#   docker buildx imagetools inspect registry.access.redhat.com/ubi10/ubi-minimal --format '{{json .Manifest.Digest}}'
+#   # or
+#   skopeo inspect --format '{{.Digest}}' docker://registry.access.redhat.com/ubi10/ubi-minimal
+#
+FROM registry.access.redhat.com/ubi10/ubi-minimal@sha256:76c113359a458e3f04057762b5bd4a9837a6987520434dea158c728280116713
 
 # intentionally unused
 ARG PRODUCT_VERSION