Updates Druid versions for 24.7 (#731)

* Updates Druid versions for 24.7

- Adds 30.0.0, removes 27.0.0
- Fixes run-druid script to include parameters needed for Java 11 and above
- Switch to Java 17 for runtime (building still has an error, I'm on it)
- Switches the Dockerfile to heredoc format for easier reading
- Installs "native" pyyaml instead of via pip
- Adds package_manifest
- Removes outdated comment from base image
- Fixes typo in upload script

* Updates

- Builds Prometheus Emitter from source and includes it directly
- Adds patch to update patch level dependencies

* Fix Changelog

* Fix Changelog

* Forgotten changes

* Extend comment for dataformat-xml

* Split the patches into four distinct ones and add them for every version we support.

* Review comments

- hadolint ignore instead of || exit
- Add comment on why we try to shrink intermediate images

* Remove Log4Shell workarounds.

Druid 26.0.0 uses Log4j 2.18 which is not vulnerable anymore

* Add dependencies required for XmlLayout to the build directly.

* Add dependencies required for XmlLayout to the build directly

* Merge changes

* Fix bad permissions leading to test failures

var/druid/metadata.db could not be created

* Make build less noisy

* Update labels

* Updates

- Add common labels
- Update image-tools to 0.0.11
- Don't build targz for Druid

* Updates

- Add common labels
- Update image-tools to 0.0.11
- Don't build targz for Druid

* Remove accidentally committed line

* Silence hadolint warning

* Silence hadolint warning

* Fix Docker lint warning

* Add a build arg to keep the cache directories around for NPM, Maven and .cache

* Update image-tools to 0.0.12

* Remove accidental commit

* Update druid/Dockerfile

Co-authored-by: Lukas Voetmand <lukas.voetmand@stackable.tech>

* Delete duplicate changelog entry

* Update druid/Dockerfile

Co-authored-by: Lukas Voetmand <lukas.voetmand@stackable.tech>

---------

Co-authored-by: Lukas Voetmand <lukas.voetmand@stackable.tech>

Author: lfrancke

.github/actions/build/action.yml

@@ -10,7 +10,7 @@ inputs:
     required: true
   image-tools-version:
     description: The Stackable image-tools version
-    default: 0.0.10
+    default: 0.0.12
   build-cache-nexus-password:
     description: Build cache password for the github user
 outputs:

.github/workflows/preflight.yaml

@@ -70,7 +70,7 @@ jobs:
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.x'
-      - run: pip install image-tools-stackabletech==0.0.8
+      - run: pip install image-tools-stackabletech==0.0.12
       - name: Install preflight
         run: |
           wget https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.9.1/preflight-linux-amd64

.github/workflows/release.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Set up syft
         uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
       - name: Install image-tools-stackabletech
-        run: pip install image-tools-stackabletech==0.0.8
+        run: pip install image-tools-stackabletech==0.0.12
       - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: docker.stackable.tech

CHANGELOG.md

@@ -31,6 +31,7 @@ All notable changes to this project will be documented in this file.
 - trino & trino-cli: Add version 451 ([#758]).
 - airflow: Add version `2.8.4` and `2.9.2` ([#762]).
 - superset: Add version `3.1.3` and `4.0.2` ([#768]).
+- druid: Support for 30.0.0 using Java 17 ([#731])
 
 ### Changed
 
@@ -77,6 +78,7 @@ All notable changes to this project will be documented in this file.
 - kafka: Remove unsupported version `3.5.2` ([#745]).
 - airflow: Remove unsupprted version `2.7.2`, `2.7.3` and `2.8.3` ([#762]).
 - superset: Remove version `2.1.1`, `3.0.1` and `3.0.3` ([#768]).
+- druid: Remove support for 27.0.0 ([#731])
 
 [#583]: https://github.com/stackabletech/docker-images/pull/583
 [#611]: https://github.com/stackabletech/docker-images/pull/611
@@ -114,6 +116,7 @@ All notable changes to this project will be documented in this file.
 [#706]: https://github.com/stackabletech/docker-images/pull/706
 [#721]: https://github.com/stackabletech/docker-images/pull/721
 [#727]: https://github.com/stackabletech/docker-images/pull/727
+[#731]: https://github.com/stackabletech/docker-images/pull/731
 [#732]: https://github.com/stackabletech/docker-images/pull/732
 [#734]: https://github.com/stackabletech/docker-images/pull/734
 [#736]: https://github.com/stackabletech/docker-images/pull/736

druid/Dockerfile

@@ -2,95 +2,111 @@
 
 # Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf in our base image
 # Ignoring DL4006 globally because we inherit the SHELL from our base image
-# hadolint global ignore=DL3038,DL4006
+# Ignoring SC2164 globally because we inherit SHELL from the base image which contains "-e" for bash
+# hadolint global ignore=DL3038,DL4006,SC2164
 
 # hadolint ignore=DL3006
-FROM stackable/image/java-devel as druid-builder
+FROM stackable/image/java-devel AS druid-builder
 
 ARG PRODUCT
 ARG JACKSON_DATAFORMAT_XML
 ARG STAX2_API
 ARG WOODSTOX_CORE
 ARG AUTHORIZER
 
-RUN microdnf update && \
-    microdnf install \
-    # Required to install pyyaml
-    python-pip \
-    # Required to patch druid
-    patch && \
-    microdnf clean all && \
-    rm -rf /var/cache/yum && \
-    # pyyaml is required for the compile Druid
-    pip install --no-cache-dir pyyaml==6.0.1
+# Setting this to anything other than "true" will keep the cache folders around (e.g. for Maven, NPM etc.)
+# This can be used to speed up builds when disk space is of no concern.
+ARG DELETE_CACHES="true"
+
+RUN <<EOF
+microdnf update
+
+# python-pyyaml:
+#   This note was last checked for version 30.0.0
+#   Required for the compilation of Druid.
+#   This requirement is documented in docs/development/build.md and version 5.1 or later is required.
+#   UBI 9 ships with 5.4.x so that should be fine
+#
+# patch: Required for the apply-patches.sh script
+microdnf install \
+python-pyyaml \
+patch
+
+microdnf clean all
+rm -rf /var/cache/yum
+EOF
 
 USER stackable
 WORKDIR /stackable
 
 COPY --chown=stackable:stackable druid/stackable/patches/apply_patches.sh /stackable/apache-druid-${PRODUCT}-src/patches/apply_patches.sh
 COPY --chown=stackable:stackable druid/stackable/patches/${PRODUCT} /stackable/apache-druid-${PRODUCT}-src/patches/${PRODUCT}
 
-RUN curl --fail -L "https://repo.stackable.tech/repository/packages/druid/apache-druid-${PRODUCT}-src.tar.gz" | tar -xzC . && \
-    cd apache-druid-${PRODUCT}-src && \
-    ./patches/apply_patches.sh ${PRODUCT} && \
-    mvn clean install -Pdist -pl '!extensions-core/druid-ranger-security' -DskipTests -Dmaven.javadoc.skip=true && \
-    tar -xzf /stackable/apache-druid-${PRODUCT}-src/distribution/target/apache-druid-${PRODUCT}-bin.tar.gz && \
-    mv /stackable/apache-druid-${PRODUCT}-src/apache-druid-${PRODUCT} /stackable/apache-druid-${PRODUCT} && \
-    rm -rf /stackable/apache-druid-${PRODUCT}-src && \
-    rm -rf /stackable/.m2 && \
-    rm -rf /stackable/.npm && \
-    rm -rf /stackable/.cache
-
-    #  Do not remove the /stackable/apache-druid-${PRODUCT}/quickstart folder, it is needed for loading the Wikipedia
-    # testdata in kuttl tests and the getting started guide.
-
-    # Install the Prometheus emitter extension. This bundle contains the emitter and all jar dependencies.
-RUN curl --fail "https://repo.stackable.tech/repository/packages/druid/druid-prometheus-emitter-${PRODUCT}.tar.gz" | tar -xzC /stackable/apache-druid-${PRODUCT}/extensions && \
-    # Install OPA authorizer extension.
-    curl --fail "https://repo.stackable.tech/repository/packages/druid/druid-opa-authorizer-${AUTHORIZER}.tar.gz" | tar -xzC /stackable/apache-druid-${PRODUCT}/extensions && \
-    # Install jackson-dataformat-xml, stax2-api, and woodstox-core which are required for logging, and remove stax-ex.
-    rm /stackable/apache-druid-${PRODUCT}/lib/stax-ex-*.jar && \
-    curl --fail -L -o /stackable/apache-druid-${PRODUCT}/lib/jackson-dataformat-xml-${JACKSON_DATAFORMAT_XML}.jar \
-        "https://repo.stackable.tech/repository/packages/jackson-dataformat-xml/jackson-dataformat-xml-${JACKSON_DATAFORMAT_XML}.jar" && \
-    curl --fail -L -o /stackable/apache-druid-${PRODUCT}/lib/stax2-api-${STAX2_API}.jar \
-        "https://repo.stackable.tech/repository/packages/stax2-api/stax2-api-${STAX2_API}.jar" && \
-    curl --fail -L -o /stackable/apache-druid-${PRODUCT}/lib/woodstox-core-${WOODSTOX_CORE}.jar \
-        "https://repo.stackable.tech/repository/packages/woodstox-core/woodstox-core-${WOODSTOX_CORE}.jar"
-
-# For earlier versions this script removes the .class file that contains the
-# vulnerable code.
-# TODO: This can be restricted to target only versions which do not honor the environment
-#   varible that has been set above but this has not currently been implemented
-COPY shared/log4shell.sh /bin
-RUN /bin/log4shell.sh "/stackable/apache-druid-${PRODUCT}"
-
-# Ensure no vulnerable files are left over
-# This will currently report vulnerable files being present, as it also alerts on
-# SocketNode.class, which we do not remove with our scripts.
-# Further investigation will be needed whether this should also be removed.
-COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
-COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
-COPY shared/log4shell_scanner /bin/log4shell_scanner
-RUN /bin/log4shell_scanner s "/stackable/apache-druid-${PRODUCT}"
-# ===
+# Cache mounts are owned by root by default
+# We need to explicitly give the uid to use which is hardcoded to "1000" in stackable-base
+RUN --mount=type=cache,id=maven,uid=1000,target=/stackable/.m2/repository \
+    --mount=type=cache,id=npm,uid=1000,target=/stackable/.npm \
+    --mount=type=cache,id=cache,uid=1000,target=/stackable/.cache \
+    <<EOF
+curl --fail -L "https://repo.stackable.tech/repository/packages/druid/apache-druid-${PRODUCT}-src.tar.gz" | tar -xzC .
+cd apache-druid-${PRODUCT}-src
+./patches/apply_patches.sh ${PRODUCT}
+
+mvn --batch-mode --no-transfer-progress clean install -Pdist,stackable-bundle-contrib-exts -DskipTests -Dmaven.javadoc.skip=true
+mv distribution/target/apache-druid-${PRODUCT}-bin/apache-druid-${PRODUCT} /stackable/
+rm -rf /stackable/apache-druid-${PRODUCT}-src
+
+# We're removing these to make the intermediate layer smaller
+# This can be necessary even though it's only a builder image because the GitHub Action Runners only have very limited space available
+# and we are sometimes running into errors because we're out of space.
+# Therefore, we try to clean up all layers as much as possible.
+if [ "${DELETE_CACHES}" = "true" ] ; then
+  rm -rf /stackable/.m2/repository/*
+  rm -rf /stackable/.npm/*
+  rm -rf /stackable/.cache/*
+fi
+
+# Do not remove the /stackable/apache-druid-${PRODUCT}/quickstart folder, it is needed for loading the Wikipedia
+# testdata in kuttl tests and the getting started guide.
+
+# Install OPA authorizer extension.
+curl --fail -L "https://repo.stackable.tech/repository/packages/druid/druid-opa-authorizer-${AUTHORIZER}.tar.gz" | tar -xzC /stackable/apache-druid-${PRODUCT}/extensions
+EOF
 
 # hadolint ignore=DL3006
-FROM stackable/image/java-base as final
+FROM stackable/image/java-base AS final
 
 ARG PRODUCT
 ARG RELEASE
 
-LABEL name="Apache Druid" \
-      maintainer="info@stackable.tech" \
-      vendor="Stackable GmbH" \
-      version="${PRODUCT}" \
-      release="${RELEASE}" \
-      summary="The Stackable image for Apache Druid." \
-      description="This image is deployed by the Stackable Operator for Apache Druid."
-
-RUN microdnf update && \
-    microdnf clean all && \
-    rm -rf /var/cache/yum
+ARG NAME="Apache Druid"
+ARG DESCRIPTION="This image is deployed by the Stackable Operator for Apache Druid"
+
+LABEL name="${NAME}"
+LABEL version="${PRODUCT}"
+LABEL release="${RELEASE}"
+LABEL summary="The Stackable image for Apache Druid"
+LABEL description="${DESCRIPTION}"
+
+# https://github.com/opencontainers/image-spec/blob/036563a4a268d7c08b51a08f05a02a0fe74c7268/annotations.md#annotations
+LABEL org.opencontainers.image.documentation="https://docs.stackable.tech/home/stable/druid/"
+LABEL org.opencontainers.image.version="${PRODUCT}"
+LABEL org.opencontainers.image.revision="${RELEASE}"
+LABEL org.opencontainers.image.title="${NAME}"
+LABEL org.opencontainers.image.description="${DESCRIPTION}"
+
+# https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#defining-image-metadata
+# https://github.com/projectatomic/ContainerApplicationGenericLabels/blob/master/vendor/redhat/labels.md
+LABEL io.openshift.tags="ubi9,stackable,druid,sdp"
+LABEL io.k8s.description="${DESCRIPTION}"
+LABEL io.k8s.display-name="${NAME}"
+
+RUN <<EOF
+microdnf update
+microdnf clean all
+rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt
+rm -rf /var/cache/yum
+EOF
 
 USER stackable
 WORKDIR /stackable
@@ -99,9 +115,12 @@ COPY --chown=stackable:stackable --from=druid-builder /stackable/apache-druid-${
 COPY --chown=stackable:stackable druid/stackable/bin /stackable/bin
 COPY --chown=stackable:stackable druid/licenses /licenses
 
-RUN ln -s /stackable/apache-druid-${PRODUCT} /stackable/druid && \
-    # Force to overwrite the existing 'run-druid'
-    ln -sf /stackable/bin/run-druid /stackable/druid/bin/run-druid
+RUN <<EOF
+ln -s /stackable/apache-druid-${PRODUCT} /stackable/druid
+
+# Force to overwrite the existing 'run-druid'
+ln -sf /stackable/bin/run-druid /stackable/druid/bin/run-druid
+EOF
 
 ENV PATH="${PATH}":/stackable/druid/bin
 

druid/stackable/bin/run-druid

@@ -1,5 +1,8 @@
 #!/bin/bash -eu
 
+# This is adapted from the original `run-java` program from Druid 30.0.0 which was licensed under the Apache-2.0 license, as is this.
+# Source: https://github.com/apache/druid/blob/druid-30.0.0/examples/bin/run-java
+
 if [ "$#" -ne 2 ]
 then
   >&2 echo "usage: $0 <service> conf-dir"
@@ -9,12 +12,36 @@ fi
 WHATAMI="$1"
 CONFDIR="$(cd "$2" && pwd)"
 # shellcheck disable=SC1091 # java-util is not available at this scripts source
-JAVA_BIN="$(source ./bin/java-util && get_java_bin_dir)"
+JAVA_BIN="$(source ./bin/java-util && get_java_bin_dir)/java"
 if [ -z "$JAVA_BIN" ]; then
   >&2 echo "Could not find java - please run ./bin/verify-java to confirm it is installed."
   exit 1
 fi
-# shellcheck disable=SC2046 # unsure how this `cat | xargs` works, and this script might rely on discouraged behaviour
-exec "$JAVA_BIN"/java $(cat "$CONFDIR"/jvm.config | xargs) \
-  -cp "$CONFDIR":"./lib/*" \
-  org.apache.druid.cli.Main server "$WHATAMI"
+
+JAVA_MAJOR="$("$JAVA_BIN" -version 2>&1 | sed -n -E 's/.* version "([^."-]*).*/\1/p')"
+
+if [ "$JAVA_MAJOR" != "" ] && [ "$JAVA_MAJOR" -ge "11" ]
+then
+  # Disable strong encapsulation for certain packages on Java 11+.
+  # When updating this list, update all four:
+  #  1) ForkingTaskRunner#STRONG_ENCAPSULATION_PROPERTIES
+  #  2) docs/operations/java.md, "Strong encapsulation" section
+  #  3) pom.xml, jdk.strong.encapsulation.argLine
+  #  4) examples/bin/run-java script (here)
+  exec "$JAVA_BIN" \
+    `cat "$CONFDIR"/jvm.config | xargs` \
+    -cp "$CONFDIR":"./lib/*" \
+    --add-exports=java.base/jdk.internal.misc=ALL-UNNAMED \
+    --add-exports=java.base/jdk.internal.ref=ALL-UNNAMED \
+    --add-opens=java.base/java.nio=ALL-UNNAMED \
+    --add-opens=java.base/sun.nio.ch=ALL-UNNAMED \
+    --add-opens=java.base/jdk.internal.ref=ALL-UNNAMED \
+    --add-opens=java.base/java.io=ALL-UNNAMED \
+    --add-opens=java.base/java.lang=ALL-UNNAMED \
+    --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED \
+    org.apache.druid.cli.Main server "$WHATAMI"
+else
+  exec "$JAVA_BIN" `cat "$CONFDIR"/jvm.config | xargs` \
+    -cp "$CONFDIR":"./lib/*" \
+    org.apache.druid.cli.Main server "$WHATAMI"
+fi

druid/stackable/patches/26.0.0/01-remove-ranger-security.patch

@@ -0,0 +1,42 @@
+Removes all traces of the druid ranger extension
+
+From: Lars Francke <git@lars-francke.de>
+
+
+---
+ 0 files changed
+
+diff --git a/distribution/pom.xml b/distribution/pom.xml
+index eec26171af..a6e72cf2c2 100644
+--- a/distribution/pom.xml
++++ b/distribution/pom.xml
+@@ -255,8 +255,6 @@
+                                         <argument>-c</argument>
+                                         <argument>org.apache.druid.extensions:druid-pac4j</argument>
+                                         <argument>-c</argument>
+-                                        <argument>org.apache.druid.extensions:druid-ranger-security</argument>
+-                                        <argument>-c</argument>
+                                         <argument>org.apache.druid.extensions:druid-kubernetes-extensions</argument>
+                                         <argument>-c</argument>
+                                         <argument>org.apache.druid.extensions:druid-catalog</argument>
+@@ -439,8 +437,6 @@
+                                         <argument>-c</argument>
+                                         <argument>org.apache.druid.extensions:druid-pac4j</argument>
+                                         <argument>-c</argument>
+-                                        <argument>org.apache.druid.extensions:druid-ranger-security</argument>
+-                                        <argument>-c</argument>
+                                         <argument>org.apache.druid.extensions:druid-kubernetes-extensions</argument>
+                                         <argument>${druid.distribution.pulldeps.opts}</argument>
+                                     </arguments>
+diff --git a/pom.xml b/pom.xml
+index 0c6294f5ed..a33c6bd521 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -186,7 +186,6 @@
+         <module>extensions-core/simple-client-sslcontext</module>
+         <module>extensions-core/druid-basic-security</module>
+         <module>extensions-core/google-extensions</module>
+-        <module>extensions-core/druid-ranger-security</module>
+         <module>extensions-core/druid-catalog</module>
+         <module>extensions-core/testing-tools</module>
+         <!-- Community extensions -->