Rework Hive image (#774)

* Rework Hive image

- Move postgresql and logging dependencies into build of Hive itself
- Backport all patches that have been backported on branch-3.1 upstream as well which affect the metastore
- Update patch dependencies
- Update Hadoop dependency to 3.3.6

* Remove postgres upload script

* Update hive/Dockerfile

Co-authored-by: Sebastian Bernauer <[email protected]>

* Add comment

* Update hive/Dockerfile

Co-authored-by: Sebastian Bernauer <[email protected]>

* README explaining the process the patches were created.

* fix Python lint on comment

* fix Python lint on comment

---------

Co-authored-by: Sebastian Bernauer <[email protected]>
Co-authored-by: Sebastian Bernauer <[email protected]>

Author: lfrancke

hive/Dockerfile

@@ -2,124 +2,120 @@
 
 FROM stackable/image/hadoop AS hadoop-builder
 
-FROM stackable/image/java-devel AS builder
+FROM stackable/image/java-devel AS hive-builder
 
-# Apache Hive up t0 4.x(!) officially requires Java 8 (there is no distincion between building and running). As of
-# 2024-04-15 we for sure need Java 8 for building, but we used a Java 11 runtime for months now without any problems.
+# Apache Hive up to 4.0.x(!) officially requires Java 8 (there is no distinction between building and running).
+# As of 2024-04-15 we for sure need Java 8 for building, but we used a Java 11 runtime for months now without any problems.
 # As we got weird TLS errors (https://stackable-workspace.slack.com/archives/C031A5BEFS7/p1713185172557459) with a
-# Java 8 runtime we bumped the Runtime to Java 11 again. As we can only select a single version from the java-base
-# image, we pick 11 (which is used in the final image), and install Java 8 here.
+# Java 8 runtime we bumped the Runtime to Java 11 again.
 
 ARG PRODUCT
 ARG HADOOP
 ARG JMX_EXPORTER
-ARG JACKSON_DATAFORMAT_XML
-ARG JACKSON_JAXB_ANNOTATIONS
-ARG POSTGRES_DRIVER
-ARG AWS_JAVA_SDK_BUNDLE
-ARG AZURE_STORAGE
-ARG AZURE_KEYVAULT_CORE
+
+# Setting this to anything other than "true" will keep the cache folders around (e.g. for Maven, NPM etc.)
+# This can be used to speed up builds when disk space is of no concern.
+ARG DELETE_CACHES="true"
 
 COPY --chown=stackable:stackable hive/stackable /stackable
 
 USER stackable
 WORKDIR /stackable
 
-RUN curl --fail -L "https://repo.stackable.tech/repository/packages/hive/apache-hive-${PRODUCT}-src.tar.gz" | tar -xzC . && \
-    patches/apply_patches.sh ${PRODUCT} && \
-    cd /stackable/apache-hive-${PRODUCT}-src/ && \
-    mvn clean package -DskipTests --projects standalone-metastore && \
-    mv standalone-metastore/target/apache-hive-metastore-${PRODUCT}-bin/apache-hive-metastore-${PRODUCT}-bin /stackable && \
-    ln -s /stackable/apache-hive-metastore-${PRODUCT}-bin/ /stackable/hive-metastore && \
-    cp /stackable/hive-metastore/bin/start-metastore /stackable/hive-metastore/bin/start-metastore.bak && \
-    cp /stackable/bin/start-metastore /stackable/hive-metastore/bin && \
-    rm -rf /stackable/apache-hive-${PRODUCT}-src
+# Cache mounts are owned by root by default
+# We need to explicitly give the uid to use which is hardcoded to "1000" in stackable-base
+RUN --mount=type=cache,id=maven-hive,uid=1000,target=/stackable/.m2/repository <<EOF
+curl --fail -L "https://repo.stackable.tech/repository/packages/hive/apache-hive-${PRODUCT}-src.tar.gz" | tar -xzC .
 
-COPY --chown=stackable:stackable --from=hadoop-builder /stackable/hadoop /stackable/hadoop
+patches/apply_patches.sh ${PRODUCT}
 
-# Add a PostgreSQL driver, as this is the primary used persistence
-RUN curl --fail -L https://repo.stackable.tech/repository/packages/pgjdbc/postgresql-${POSTGRES_DRIVER}.jar -o /stackable/hive-metastore/lib/postgresql-${POSTGRES_DRIVER}.jar
+cd /stackable/apache-hive-${PRODUCT}-src/
+mvn --batch-mode --no-transfer-progress clean package -DskipTests --projects standalone-metastore
+mv standalone-metastore/target/apache-hive-metastore-${PRODUCT}-bin/apache-hive-metastore-${PRODUCT}-bin /stackable
 
-# The next two sections for S3 and Azure use hardcoded version numbers on purpose instead of wildcards
-# This way the build will fail should one of the files not be available anymore in a later Hadoop version!
+ln -s /stackable/apache-hive-metastore-${PRODUCT}-bin/ /stackable/hive-metastore
+cp /stackable/bin/start-metastore /stackable/hive-metastore/bin
+rm -rf /stackable/apache-hive-${PRODUCT}-src
 
-# Add S3 Support for Hive (support for s3a://)
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/hive-metastore/lib/
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/hive-metastore/lib/
+curl --fail -L "https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" -o "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar"
+ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/jmx/jmx_prometheus_javaagent.jar
 
-# Add Azure ABFS support (support for abfs://)
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-azure-${HADOOP}.jar /stackable/hive-metastore/lib/
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/azure-storage-${AZURE_STORAGE}.jar /stackable/hive-metastore/lib/
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/azure-keyvault-core-${AZURE_KEYVAULT_CORE}.jar /stackable/hive-metastore/lib/
+# We're removing these to make the intermediate layer smaller
+# This can be necessary even though it's only a builder image because the GitHub Action Runners only have very limited space available
+# and we are sometimes running into errors because we're out of space.
+# Therefore, we try to clean up all layers as much as possible.
+if [ "${DELETE_CACHES}" = "true" ] ; then
+  rm -rf /stackable/.m2/repository/*
+  rm -rf /stackable/.npm/*
+  rm -rf /stackable/.cache/*
+fi
+EOF
 
-# The symlink from JMX Exporter 0.16.1 to the versionless link exists because old HDFS Operators (up until and including 23.7) used to hardcode
-# the version of JMX Exporter like this: "-javaagent:/stackable/jmx/jmx_prometheus_javaagent-0.16.1.jar"
-# This is a TEMPORARY fix which means that we can keep the hardcoded path in HDFS operator FOR NOW as it will still point to a newer version of JMX Exporter, despite the "0.16.1" in the name.
-# At the same time a new HDFS Operator will still work with older images which do not have the symlink to the versionless jar.
-# After one of our next releases (23.11 or 24.x) we should update the operator to point at the non-versioned symlink (jmx_prometheus_javaagent.jar)
-# And then we can also remove the symlink to 0.16.1 from this Dockerfile.
-RUN curl --fail -L "https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" -o "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" && \
-    ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/jmx/jmx_prometheus_javaagent.jar && \
-    ln -s /stackable/jmx/jmx_prometheus_javaagent.jar /stackable/jmx/jmx_prometheus_javaagent-0.16.1.jar
-
-# Logging.
-# jackson-module-jaxb-annotations: this is no longer bundled with the hadoop-yarn/mapreduce libraries (excluded from the hadoop build).
-RUN rm /stackable/hive-metastore/lib/log4j-slf4j-impl* && \
-    curl --fail -L https://repo.stackable.tech/repository/packages/jackson-dataformat-xml/jackson-dataformat-xml-${JACKSON_DATAFORMAT_XML}.jar -o /stackable/hive-metastore/lib/jackson-dataformat-xml-${JACKSON_DATAFORMAT_XML}.jar && \
-    curl --fail -L https://repo.stackable.tech/repository/packages/jackson-module-jaxb-annotations/jackson-module-jaxb-annotations-${JACKSON_JAXB_ANNOTATIONS}.jar -o /stackable/hive-metastore/lib/jackson-module-jaxb-annotations-${JACKSON_JAXB_ANNOTATIONS}.jar
-
-# ===
-# For earlier versions this script removes the .class file that contains the
-# vulnerable code.
-# TODO: This can be restricted to target only versions which do not honor the environment
-#   varible that has been set above but this has not currently been implemented
-COPY shared/log4shell.sh /bin
-RUN /bin/log4shell.sh /stackable/apache-hive-metastore-${PRODUCT}-bin/
-
-# Ensure no vulnerable files are left over
-# This will currently report vulnerable files being present, as it also alerts on
-# SocketNode.class, which we do not remove with our scripts.
-# Further investigation will be needed whether this should also be removed.
-COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
-COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
-COPY shared/log4shell_scanner /bin/log4shell_scanner
-# log4shell_scanner does not work on symlinks!
-RUN /bin/log4shell_scanner s /stackable/apache-hive-metastore-${PRODUCT}-bin/
-# ===
-
-# syntax=docker/dockerfile:1@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021
-FROM stackable/image/java-base
+
+FROM stackable/image/java-base AS final
 
 ARG PRODUCT
 ARG HADOOP
 ARG RELEASE
+ARG AWS_JAVA_SDK_BUNDLE
+ARG AZURE_STORAGE
+ARG AZURE_KEYVAULT_CORE
 
-LABEL name="Apache Hive metastore" \
-      maintainer="[email protected]" \
-      vendor="Stackable GmbH" \
-      version="${PRODUCT}" \
-      release="${RELEASE}" \
-      summary="The Stackable image for Apache Hive metastore." \
-      description="This image is deployed by the Stackable Operator for Apache Hive."
 
-RUN microdnf update && \
-    microdnf clean all && \
-    rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt && \
-    rm -rf /var/cache/yum
+ARG NAME="Apache Hive metastore"
+ARG DESCRIPTION="This image is deployed by the Stackable Operator for Apache Hive."
+
+LABEL name="Apache Hive metastore"
+LABEL version="${PRODUCT}"
+LABEL release="${RELEASE}"
+LABEL summary="The Stackable image for Apache Hive metastore."
+LABEL description="${DESCRIPTION}"
+
+# https://github.com/opencontainers/image-spec/blob/036563a4a268d7c08b51a08f05a02a0fe74c7268/annotations.md#annotations
+LABEL org.opencontainers.image.documentation="https://docs.stackable.tech/home/stable/hive/"
+LABEL org.opencontainers.image.version="${PRODUCT}"
+LABEL org.opencontainers.image.revision="${RELEASE}"
+LABEL org.opencontainers.image.title="${NAME}"
+LABEL org.opencontainers.image.description="${DESCRIPTION}"
+
+# https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#defining-image-metadata
+# https://github.com/projectatomic/ContainerApplicationGenericLabels/blob/master/vendor/redhat/labels.md
+LABEL io.openshift.tags="ubi9,stackable,hive,sdp"
+LABEL io.k8s.description="${DESCRIPTION}"
+LABEL io.k8s.display-name="${NAME}"
+
+RUN <<EOF
+microdnf update
+microdnf clean all
+rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt
+rm -rf /var/cache/yum
+EOF
 
 USER stackable
 WORKDIR /stackable
 
-# TODO: Try to use --link here, as it should be faster
-COPY --chown=stackable:stackable --from=builder /stackable/apache-hive-metastore-${PRODUCT}-bin /stackable/apache-hive-metastore-${PRODUCT}-bin
-RUN ln -s /stackable/apache-hive-metastore-${PRODUCT}-bin/ /stackable/hive-metastore
+COPY --chown=stackable:stackable --from=hive-builder /stackable/apache-hive-metastore-${PRODUCT}-bin /stackable/apache-hive-metastore-${PRODUCT}-bin
+RUN ln -s /stackable/apache-hive-metastore-${PRODUCT}-bin /stackable/hive-metastore
 
 # It is useful to see which version of Hadoop is used at a glance
 # Therefore the use of the full name here
-COPY --chown=stackable:stackable --from=builder /stackable/hadoop /stackable/hadoop-${HADOOP}
-RUN ln -s /stackable/hadoop-${HADOOP}/ /stackable/hadoop
+# TODO: Do we really need all of Hadoop in here?
+COPY --chown=stackable:stackable --from=hadoop-builder /stackable/hadoop /stackable/hadoop-${HADOOP}
+RUN ln -s /stackable/hadoop-${HADOOP} /stackable/hadoop
+
+# The next two sections for S3 and Azure use hardcoded version numbers on purpose instead of wildcards
+# This way the build will fail should one of the files not be available anymore in a later Hadoop version!
+
+# Add S3 Support for Hive (support for s3a://)
+RUN cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/hive-metastore/lib/
+RUN cp /stackable/hadoop/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/hive-metastore/lib/
+
+# Add Azure ABFS support (support for abfs://)
+RUN cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-azure-${HADOOP}.jar /stackable/hive-metastore/lib/
+RUN cp /stackable/hadoop/share/hadoop/tools/lib/azure-storage-${AZURE_STORAGE}.jar /stackable/hive-metastore/lib/
+RUN cp /stackable/hadoop/share/hadoop/tools/lib/azure-keyvault-core-${AZURE_KEYVAULT_CORE}.jar /stackable/hive-metastore/lib/
 
-COPY --chown=stackable:stackable --from=builder /stackable/jmx /stackable/jmx
+COPY --chown=stackable:stackable --from=hive-builder /stackable/jmx /stackable/jmx
 COPY hive/licenses /licenses
 
 ENV HADOOP_HOME=/stackable/hadoop

hive/README.md

@@ -0,0 +1,14 @@
+# Stackable Docker image including Apache Hive
+
+This is our Dockerfile for the Apache Hive metastore.
+
+It is building Hive from source.
+We use the officially released source tarballs and apply patches on top.
+These patches can also be seen in our [fork](https://github.com/stackabletech/hive) of Hive.
+
+Look for the `stackable/` branches.
+
+The patches were created using [Stacked Git](https://stacked-git.github.io/) but that, unfortunately, does not allow sharing the state remotely.
+We do not have a good solution for this yet.
+
+The command used was: `stg export --dir patches/3.1.3 -p -n` but this would require you to get your local fork into a state where it recognizes all _our_ commits as patches first.

hive/stackable/bin/start-metastore

@@ -10,7 +10,7 @@
 #   --hive-bin-dir <path>
 #
 # Checks if the metastore database schema is initialized. If so it starts the metastore,
-# otherwise it tries to initialize the schma first.
+# otherwise it tries to initialize the schema first.
 #
 
 #set -x

hive/stackable/patches/3.1.3/001-HIVE-26905-3.1.3.patch renamed to hive/stackable/patches/3.1.3/01-HIVE-26905.patch

@@ -1,15 +1,14 @@
-From 5e9b99cdcac99bcce86fc040b066fdfbc319060d Mon Sep 17 00:00:00 2001
-From: Chris Nauroth <[email protected]>
-Date: Thu, 5 Jan 2023 05:19:41 +0000
-Subject: [PATCH] HIVE-26905: Backport HIVE-25173 to 3.2.0: Exclude
- pentaho-aggdesigner-algorithm from upgrade-acid build.
+HIVE-26905
 
+From: Lars Francke <[email protected]>
+
+Backport HIVE-25173 to 3.2.0: Exclude pentaho-aggdesigner-algorithm from upgrade-acid build.
 ---
- upgrade-acid/pom.xml | 6 ++++++
+ upgrade-acid/pom.xml |    6 ++++++
  1 file changed, 6 insertions(+)
 
 diff --git a/upgrade-acid/pom.xml b/upgrade-acid/pom.xml
-index 5002fc6f6317..131f86fc1f7d 100644
+index f95117e07d..b25b332b34 100644
 --- a/upgrade-acid/pom.xml
 +++ b/upgrade-acid/pom.xml
 @@ -80,6 +80,12 @@

hive/stackable/patches/3.1.3/002-HIVE-21939-3.1.3.patch renamed to hive/stackable/patches/3.1.3/02-HIVE-21939.patch

@@ -1,14 +1,10 @@
-From d0fc55929e2fb00dbd84fb092771bf558dd20f16 Mon Sep 17 00:00:00 2001
-From: Sebastian Bernauer <[email protected]>
-Date: Thu, 11 Apr 2024 15:41:05 +0200
-Subject: [PATCH] HIVE-21939: protoc:2.5.0 dependence has broken building on
- aarch64
+HIVE-21939
 
-Cherry-picked from 2baf21bb55fcf33d8522444c78a8d8cab60e7415
+From: Lars Francke <[email protected]>
 
-Co-authored-by: Chinna Rao L <[email protected]>
+protoc:2.5.0 dependence has broken building on aarch64
 ---
- standalone-metastore/pom.xml | 21 +++++++++++++++++++--
+ standalone-metastore/pom.xml |   21 +++++++++++++++++++--
  1 file changed, 19 insertions(+), 2 deletions(-)
 
 diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
@@ -26,7 +22,7 @@ index e36f1e64f0..6007b7961b 100644
 +    <protobuf-exc.version>2.6.1</protobuf-exc.version>
      <sqlline.version>1.3.0</sqlline.version>
      <storage-api.version>2.7.0</storage-api.version>
-
+ 
 @@ -443,6 +446,20 @@
          </plugins>
        </build>
@@ -57,6 +53,3 @@ index e36f1e64f0..6007b7961b 100644
                <addSources>none</addSources>
                <inputDirectories>
                  <include>${basedir}/src/main/protobuf/org/apache/hadoop/hive/metastore</include>
---
-2.43.0
-