Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Slim down product images #816

Open
3 of 5 tasks
Tracked by #345
dervoeti opened this issue Aug 27, 2024 · 4 comments
Open
3 of 5 tasks
Tracked by #345

Slim down product images #816

dervoeti opened this issue Aug 27, 2024 · 4 comments

Comments

@dervoeti
Copy link
Member

dervoeti commented Aug 27, 2024
edited
Loading

We might have some potential to slim down product images. This can reduce build time, image size and attack surface. For example, the Hive Dockerfile has a comment about Hadoop:

docker-images/hive/Dockerfile

Line 102 in 1965d50

# TODO: Do we really need all of Hadoop in here?

Now that we build from source, it might be worth digging into the build processes to:
a) Limit which components we build. It doesn't make sense to build stuff that's never copied to the final image.
b) Revalidate if all the components that are copied into the final image are really needed in production. With Hive, for example, we switched the build to only build the metastore, which significantly reduced the attack surface. Some products consist of multiple components and plugins, which might not all be needed to run the platform.
c) While we're at it, try to generate an SBOM for each component that is copied into the final image (next to the component itself). For most components that should already be the case, see #814

We want to focus on products that are mostly affected by vulnerabilities right now:

  • Trino
  • Hive
  • HBase

Acceptance criteria:

  • Document what could be removed and the impacts of the removal
  • Document what can't be removed and why it can't be removed
@dervoeti dervoeti mentioned this issue Aug 27, 2024
Open
@lfrancke
Copy link
Member

I'm fairly certain that there is another similar issue already and there is at least one draft PR for Hadoop on this already.

@razvan razvan mentioned this issue Aug 29, 2024
Draft
@xeniape
Copy link
Member

xeniape commented Aug 29, 2024
edited
Loading

Hive analysis regarding the Hadoop question in the issue description:
The components copied into Hive from the Hadoop-Image are already slimmed down by some degree since we are only building part of the Hadoop components https://github.com/stackabletech/docker-images/blob/main/hadoop/Dockerfile#L66

Hive therefore only contains a subset of Hadoop (contents shown with dive):
Image

Someone with experience and product knowledge might slim it further down by removing jars that are not needed from the shown folders (and under each lib folder in there).

With Hive 4.0.0 the component we are using from Hive (standalone-metastore) is split into multiple separate parts: metastore-common, metastore-server, and metastore-tools, where - depending on the outcome of tests etc. - we might also only include the metastore-server component, further slimming down the attack surface https://github.com/stackabletech/docker-images/pull/818/files#diff-71bbe6452013d0b0b73eca04f83193cb3ece7f3c58310666cbc66c7a954e115aR40

In case it's needed for later:

Complete jar list of Hadoop in Hive 
/stackable/hadoop-3.3.6/share/hadoop/client:
total 48160
-rw-r--r-- 1 stackable stackable 19226632 Aug 29 13:25 hadoop-client-api-3.3.6.jar
-rw-r--r-- 1 stackable stackable 30083899 Aug 29 13:25 hadoop-client-runtime-3.3.6.jar

/stackable/hadoop-3.3.6/share/hadoop/common:
total 4960
-rw-r--r-- 1 stackable stackable 4599379 Aug 29 13:25 hadoop-common-3.3.6.jar
-rw-r--r-- 1 stackable stackable   96242 Aug 29 13:25 hadoop-kms-3.3.6.jar
-rw-r--r-- 1 stackable stackable  170044 Aug 29 13:25 hadoop-nfs-3.3.6.jar
-rw-r--r-- 1 stackable stackable  186870 Aug 29 13:25 hadoop-registry-3.3.6.jar

/stackable/hadoop-3.3.6/share/hadoop/common/lib:
total 53012
-rw-r--r-- 1 stackable stackable     3448 Aug 29 13:25 animal-sniffer-annotations-1.17.jar
-rw-r--r-- 1 stackable stackable    20437 Aug 29 13:25 audience-annotations-0.5.0.jar
-rw-r--r-- 1 stackable stackable   436303 Aug 29 13:25 avro-1.7.7.jar
-rw-r--r-- 1 stackable stackable   193322 Aug 29 13:25 checker-qual-2.5.2.jar
-rw-r--r-- 1 stackable stackable   246918 Aug 29 13:25 commons-beanutils-1.9.4.jar
-rw-r--r-- 1 stackable stackable    41123 Aug 29 13:25 commons-cli-1.2.jar
-rw-r--r-- 1 stackable stackable   353793 Aug 29 13:25 commons-codec-1.15.jar
-rw-r--r-- 1 stackable stackable   588337 Aug 29 13:25 commons-collections-3.2.2.jar
-rw-r--r-- 1 stackable stackable  1018316 Aug 29 13:25 commons-compress-1.21.jar
-rw-r--r-- 1 stackable stackable   632505 Aug 29 13:25 commons-configuration2-2.8.0.jar
-rw-r--r-- 1 stackable stackable    24239 Aug 29 13:25 commons-daemon-1.0.13.jar
-rw-r--r-- 1 stackable stackable   285424 Aug 29 13:25 commons-io-2.8.0.jar
-rw-r--r-- 1 stackable stackable   587402 Aug 29 13:25 commons-lang3-3.12.0.jar
-rw-r--r-- 1 stackable stackable    62050 Aug 29 13:25 commons-logging-1.1.3.jar
-rw-r--r-- 1 stackable stackable  1599627 Aug 29 13:25 commons-math3-3.1.1.jar
-rw-r--r-- 1 stackable stackable   316431 Aug 29 13:25 commons-net-3.9.0.jar
-rw-r--r-- 1 stackable stackable   238400 Aug 29 13:25 commons-text-1.10.0.jar
-rw-r--r-- 1 stackable stackable  2983237 Aug 29 13:25 curator-client-5.2.0.jar
-rw-r--r-- 1 stackable stackable   336384 Aug 29 13:25 curator-framework-5.2.0.jar
-rw-r--r-- 1 stackable stackable   315569 Aug 29 13:25 curator-recipes-5.2.0.jar
-rw-r--r-- 1 stackable stackable   307637 Aug 29 13:25 dnsjava-2.1.7.jar
-rw-r--r-- 1 stackable stackable     3727 Aug 29 13:25 failureaccess-1.0.jar
-rw-r--r-- 1 stackable stackable   249277 Aug 29 13:25 gson-2.9.0.jar
-rw-r--r-- 1 stackable stackable  2747878 Aug 29 13:25 guava-27.0-jre.jar
-rw-r--r-- 1 stackable stackable    13232 Aug 29 13:25 hadoop-annotations-3.3.6.jar
-rw-r--r-- 1 stackable stackable   105724 Aug 29 13:25 hadoop-auth-3.3.6.jar
-rw-r--r-- 1 stackable stackable  3362359 Aug 29 13:25 hadoop-shaded-guava-1.1.1.jar
-rw-r--r-- 1 stackable stackable  1477052 Aug 29 13:25 hadoop-shaded-protobuf_3_7-1.1.1.jar
-rw-r--r-- 1 stackable stackable 14014205 Aug 29 13:02 hdfs-utils-0.3.0.jar
-rw-r--r-- 1 stackable stackable   780321 Aug 29 13:25 httpclient-4.5.13.jar
-rw-r--r-- 1 stackable stackable   328593 Aug 29 13:25 httpcore-4.4.13.jar
-rw-r--r-- 1 stackable stackable     8782 Aug 29 13:25 j2objc-annotations-1.1.jar
-rw-r--r-- 1 stackable stackable    75705 Aug 29 13:25 jackson-annotations-2.12.7.jar
-rw-r--r-- 1 stackable stackable   365538 Aug 29 13:25 jackson-core-2.12.7.jar
-rw-r--r-- 1 stackable stackable   232248 Aug 29 13:25 jackson-core-asl-1.9.13.jar
-rw-r--r-- 1 stackable stackable  1512418 Aug 29 13:25 jackson-databind-2.12.7.1.jar
-rw-r--r-- 1 stackable stackable   780664 Aug 29 13:25 jackson-mapper-asl-1.9.13.jar
-rw-r--r-- 1 stackable stackable    44399 Aug 29 13:25 jakarta.activation-api-1.2.1.jar
-rw-r--r-- 1 stackable stackable    95806 Aug 29 13:25 javax.servlet-api-3.1.0.jar
-rw-r--r-- 1 stackable stackable   102244 Aug 29 13:25 jaxb-api-2.2.11.jar
-rw-r--r-- 1 stackable stackable   890168 Aug 29 13:25 jaxb-impl-2.2.3-1.jar
-rw-r--r-- 1 stackable stackable     4722 Aug 29 13:25 jcip-annotations-1.0-1.jar
-rw-r--r-- 1 stackable stackable   436731 Aug 29 13:25 jersey-core-1.19.4.jar
-rw-r--r-- 1 stackable stackable   158695 Aug 29 13:25 jersey-json-1.20.jar
-rw-r--r-- 1 stackable stackable   705276 Aug 29 13:25 jersey-server-1.19.4.jar
-rw-r--r-- 1 stackable stackable   128990 Aug 29 13:25 jersey-servlet-1.19.4.jar
-rw-r--r-- 1 stackable stackable    90184 Aug 29 13:25 jettison-1.5.4.jar
-rw-r--r-- 1 stackable stackable   235225 Aug 29 13:25 jetty-http-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable   183020 Aug 29 13:25 jetty-io-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable   118512 Aug 29 13:25 jetty-security-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable   736865 Aug 29 13:25 jetty-server-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable   146077 Aug 29 13:25 jetty-servlet-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable   583590 Aug 29 13:25 jetty-util-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable    66653 Aug 29 13:25 jetty-util-ajax-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable   140321 Aug 29 13:25 jetty-webapp-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable    68302 Aug 29 13:25 jetty-xml-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable   282591 Aug 29 13:25 jsch-0.1.55.jar
-rw-r--r-- 1 stackable stackable   100636 Aug 29 13:25 jsp-api-2.1.jar
-rw-r--r-- 1 stackable stackable    19936 Aug 29 13:25 jsr305-3.0.2.jar
-rw-r--r-- 1 stackable stackable    46367 Aug 29 13:25 jsr311-api-1.1.1.jar
-rw-r--r-- 1 stackable stackable     4519 Aug 29 13:25 jul-to-slf4j-1.7.36.jar
-rw-r--r-- 1 stackable stackable    80980 Aug 29 13:25 kerb-admin-1.0.1.jar
-rw-r--r-- 1 stackable stackable   113017 Aug 29 13:25 kerb-client-1.0.1.jar
-rw-r--r-- 1 stackable stackable    65464 Aug 29 13:25 kerb-common-1.0.1.jar
-rw-r--r-- 1 stackable stackable   226672 Aug 29 13:25 kerb-core-1.0.1.jar
-rw-r--r-- 1 stackable stackable   116120 Aug 29 13:25 kerb-crypto-1.0.1.jar
-rw-r--r-- 1 stackable stackable    20046 Aug 29 13:25 kerb-identity-1.0.1.jar
-rw-r--r-- 1 stackable stackable    82756 Aug 29 13:25 kerb-server-1.0.1.jar
-rw-r--r-- 1 stackable stackable    20409 Aug 29 13:25 kerb-simplekdc-1.0.1.jar
-rw-r--r-- 1 stackable stackable    36708 Aug 29 13:25 kerb-util-1.0.1.jar
-rw-r--r-- 1 stackable stackable   102174 Aug 29 13:25 kerby-asn1-1.0.1.jar
-rw-r--r-- 1 stackable stackable    30674 Aug 29 13:25 kerby-config-1.0.1.jar
-rw-r--r-- 1 stackable stackable   204650 Aug 29 13:25 kerby-pkix-1.0.1.jar
-rw-r--r-- 1 stackable stackable    40554 Aug 29 13:25 kerby-util-1.0.1.jar
-rw-r--r-- 1 stackable stackable    29134 Aug 29 13:25 kerby-xdr-1.0.1.jar
-rw-r--r-- 1 stackable stackable     2199 Aug 29 13:25 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-rw-r--r-- 1 stackable stackable   136314 Aug 29 13:25 metrics-core-3.2.4.jar
-rw-r--r-- 1 stackable stackable     4433 Aug 29 13:25 netty-all-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   305139 Aug 29 13:25 netty-buffer-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   345977 Aug 29 13:25 netty-codec-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    66887 Aug 29 13:25 netty-codec-dns-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    37776 Aug 29 13:25 netty-codec-haproxy-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   655092 Aug 29 13:25 netty-codec-http-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   480218 Aug 29 13:25 netty-codec-http2-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    44691 Aug 29 13:25 netty-codec-memcache-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   100903 Aug 29 13:25 netty-codec-mqtt-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    45959 Aug 29 13:25 netty-codec-redis-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    21291 Aug 29 13:25 netty-codec-smtp-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   120710 Aug 29 13:25 netty-codec-socks-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    34545 Aug 29 13:25 netty-codec-stomp-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    19774 Aug 29 13:25 netty-codec-xml-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   657795 Aug 29 13:25 netty-common-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   545615 Aug 29 13:25 netty-handler-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    25409 Aug 29 13:25 netty-handler-proxy-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    26512 Aug 29 13:25 netty-handler-ssl-ocsp-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    37790 Aug 29 13:25 netty-resolver-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   165684 Aug 29 13:25 netty-resolver-dns-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable     9091 Aug 29 13:25 netty-resolver-dns-classes-macos-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    19205 Aug 29 13:25 netty-resolver-dns-native-macos-4.1.89.Final-osx-aarch_64.jar
-rw-r--r-- 1 stackable stackable    19426 Aug 29 13:25 netty-resolver-dns-native-macos-4.1.89.Final-osx-x86_64.jar
-rw-r--r-- 1 stackable stackable   488388 Aug 29 13:25 netty-transport-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   145035 Aug 29 13:25 netty-transport-classes-epoll-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   108283 Aug 29 13:25 netty-transport-classes-kqueue-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    39517 Aug 29 13:25 netty-transport-native-epoll-4.1.89.Final-linux-aarch_64.jar
-rw-r--r-- 1 stackable stackable    37918 Aug 29 13:25 netty-transport-native-epoll-4.1.89.Final-linux-x86_64.jar
-rw-r--r-- 1 stackable stackable    25098 Aug 29 13:25 netty-transport-native-kqueue-4.1.89.Final-osx-aarch_64.jar
-rw-r--r-- 1 stackable stackable    26133 Aug 29 13:25 netty-transport-native-kqueue-4.1.89.Final-osx-x86_64.jar
-rw-r--r-- 1 stackable stackable    43700 Aug 29 13:25 netty-transport-native-unix-common-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    18190 Aug 29 13:25 netty-transport-rxtx-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    50764 Aug 29 13:25 netty-transport-sctp-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    32133 Aug 29 13:25 netty-transport-udt-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   444013 Aug 29 13:25 nimbus-jose-jwt-9.8.1.jar
-rw-r--r-- 1 stackable stackable    29555 Aug 29 13:25 paranamer-2.3.jar
-rw-r--r-- 1 stackable stackable   533455 Aug 29 13:25 protobuf-java-2.5.0.jar
-rw-r--r-- 1 stackable stackable   128414 Aug 29 13:25 re2j-1.1.jar
-rw-r--r-- 1 stackable stackable   332398 Aug 29 13:25 reload4j-1.2.22.jar
-rw-r--r-- 1 stackable stackable    41125 Aug 29 13:25 slf4j-api-1.7.36.jar
-rw-r--r-- 1 stackable stackable     9824 Aug 29 13:25 slf4j-reload4j-1.7.36.jar
-rw-r--r-- 1 stackable stackable  2112099 Aug 29 13:25 snappy-java-1.1.10.4.jar
-rw-r--r-- 1 stackable stackable   195909 Aug 29 13:25 stax2-api-4.2.1.jar
-rw-r--r-- 1 stackable stackable    18763 Aug 29 13:25 token-provider-1.0.1.jar
-rw-r--r-- 1 stackable stackable   522679 Aug 29 13:25 woodstox-core-5.4.0.jar
-rw-r--r-- 1 stackable stackable  1254153 Aug 29 13:25 zookeeper-3.6.3.jar
-rw-r--r-- 1 stackable stackable   250399 Aug 29 13:25 zookeeper-jute-3.6.3.jar

/stackable/hadoop-3.3.6/share/hadoop/hdfs:
total 13044
-rw-r--r-- 1 stackable stackable 6278997 Aug 29 13:25 hadoop-hdfs-3.3.6.jar
-rw-r--r-- 1 stackable stackable 5514234 Aug 29 13:25 hadoop-hdfs-client-3.3.6.jar
-rw-r--r-- 1 stackable stackable  250962 Aug 29 13:25 hadoop-hdfs-httpfs-3.3.6.jar
-rw-r--r-- 1 stackable stackable    9585 Aug 29 13:25 hadoop-hdfs-native-client-3.3.6.jar
-rw-r--r-- 1 stackable stackable  115215 Aug 29 13:25 hadoop-hdfs-nfs-3.3.6.jar
-rw-r--r-- 1 stackable stackable 1151041 Aug 29 13:25 hadoop-hdfs-rbf-3.3.6.jar

/stackable/hadoop-3.3.6/share/hadoop/hdfs/lib:
total 44264
-rw-r--r-- 1 stackable stackable  134308 Aug 29 13:25 HikariCP-java7-2.4.12.jar
-rw-r--r-- 1 stackable stackable    3448 Aug 29 13:25 animal-sniffer-annotations-1.17.jar
-rw-r--r-- 1 stackable stackable   20437 Aug 29 13:25 audience-annotations-0.5.0.jar
-rw-r--r-- 1 stackable stackable  436303 Aug 29 13:25 avro-1.7.7.jar
-rw-r--r-- 1 stackable stackable  193322 Aug 29 13:25 checker-qual-2.5.2.jar
-rw-r--r-- 1 stackable stackable  246918 Aug 29 13:25 commons-beanutils-1.9.4.jar
-rw-r--r-- 1 stackable stackable   41123 Aug 29 13:25 commons-cli-1.2.jar
-rw-r--r-- 1 stackable stackable  353793 Aug 29 13:25 commons-codec-1.15.jar
-rw-r--r-- 1 stackable stackable  588337 Aug 29 13:25 commons-collections-3.2.2.jar
-rw-r--r-- 1 stackable stackable 1018316 Aug 29 13:25 commons-compress-1.21.jar
-rw-r--r-- 1 stackable stackable  632505 Aug 29 13:25 commons-configuration2-2.8.0.jar
-rw-r--r-- 1 stackable stackable   24239 Aug 29 13:25 commons-daemon-1.0.13.jar
-rw-r--r-- 1 stackable stackable  285424 Aug 29 13:25 commons-io-2.8.0.jar
-rw-r--r-- 1 stackable stackable  587402 Aug 29 13:25 commons-lang3-3.12.0.jar
-rw-r--r-- 1 stackable stackable   62050 Aug 29 13:25 commons-logging-1.1.3.jar
-rw-r--r-- 1 stackable stackable 1599627 Aug 29 13:25 commons-math3-3.1.1.jar
-rw-r--r-- 1 stackable stackable  316431 Aug 29 13:25 commons-net-3.9.0.jar
-rw-r--r-- 1 stackable stackable  238400 Aug 29 13:25 commons-text-1.10.0.jar
-rw-r--r-- 1 stackable stackable 2983237 Aug 29 13:25 curator-client-5.2.0.jar
-rw-r--r-- 1 stackable stackable  336384 Aug 29 13:25 curator-framework-5.2.0.jar
-rw-r--r-- 1 stackable stackable  315569 Aug 29 13:25 curator-recipes-5.2.0.jar
-rw-r--r-- 1 stackable stackable  307637 Aug 29 13:25 dnsjava-2.1.7.jar
-rw-r--r-- 1 stackable stackable    3727 Aug 29 13:25 failureaccess-1.0.jar
-rw-r--r-- 1 stackable stackable  249277 Aug 29 13:25 gson-2.9.0.jar
-rw-r--r-- 1 stackable stackable 2747878 Aug 29 13:25 guava-27.0-jre.jar
-rw-r--r-- 1 stackable stackable   13232 Aug 29 13:25 hadoop-annotations-3.3.6.jar
-rw-r--r-- 1 stackable stackable  105724 Aug 29 13:25 hadoop-auth-3.3.6.jar
-rw-r--r-- 1 stackable stackable 3362359 Aug 29 13:25 hadoop-shaded-guava-1.1.1.jar
-rw-r--r-- 1 stackable stackable 1477052 Aug 29 13:25 hadoop-shaded-protobuf_3_7-1.1.1.jar
-rw-r--r-- 1 stackable stackable  780321 Aug 29 13:25 httpclient-4.5.13.jar
-rw-r--r-- 1 stackable stackable  328593 Aug 29 13:25 httpcore-4.4.13.jar
-rw-r--r-- 1 stackable stackable    8782 Aug 29 13:25 j2objc-annotations-1.1.jar
-rw-r--r-- 1 stackable stackable   75705 Aug 29 13:25 jackson-annotations-2.12.7.jar
-rw-r--r-- 1 stackable stackable  365538 Aug 29 13:25 jackson-core-2.12.7.jar
-rw-r--r-- 1 stackable stackable  232248 Aug 29 13:25 jackson-core-asl-1.9.13.jar
-rw-r--r-- 1 stackable stackable 1512418 Aug 29 13:25 jackson-databind-2.12.7.1.jar
-rw-r--r-- 1 stackable stackable  780664 Aug 29 13:25 jackson-mapper-asl-1.9.13.jar
-rw-r--r-- 1 stackable stackable   44399 Aug 29 13:25 jakarta.activation-api-1.2.1.jar
-rw-r--r-- 1 stackable stackable   95806 Aug 29 13:25 javax.servlet-api-3.1.0.jar
-rw-r--r-- 1 stackable stackable  102244 Aug 29 13:25 jaxb-api-2.2.11.jar
-rw-r--r-- 1 stackable stackable  890168 Aug 29 13:25 jaxb-impl-2.2.3-1.jar
-rw-r--r-- 1 stackable stackable    4722 Aug 29 13:25 jcip-annotations-1.0-1.jar
-rw-r--r-- 1 stackable stackable  436731 Aug 29 13:25 jersey-core-1.19.4.jar
-rw-r--r-- 1 stackable stackable  158695 Aug 29 13:25 jersey-json-1.20.jar
-rw-r--r-- 1 stackable stackable  705276 Aug 29 13:25 jersey-server-1.19.4.jar
-rw-r--r-- 1 stackable stackable  128990 Aug 29 13:25 jersey-servlet-1.19.4.jar
-rw-r--r-- 1 stackable stackable   90184 Aug 29 13:25 jettison-1.5.4.jar
-rw-r--r-- 1 stackable stackable  235225 Aug 29 13:25 jetty-http-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable  183020 Aug 29 13:25 jetty-io-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable  118512 Aug 29 13:25 jetty-security-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable  736865 Aug 29 13:25 jetty-server-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable  146077 Aug 29 13:25 jetty-servlet-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable  583590 Aug 29 13:25 jetty-util-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable   66653 Aug 29 13:25 jetty-util-ajax-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable  140321 Aug 29 13:25 jetty-webapp-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable   68302 Aug 29 13:25 jetty-xml-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable  282591 Aug 29 13:25 jsch-0.1.55.jar
-rw-r--r-- 1 stackable stackable   23931 Aug 29 13:25 json-simple-1.1.1.jar
-rw-r--r-- 1 stackable stackable   19936 Aug 29 13:25 jsr305-3.0.2.jar
-rw-r--r-- 1 stackable stackable   46367 Aug 29 13:25 jsr311-api-1.1.1.jar
-rw-r--r-- 1 stackable stackable   80980 Aug 29 13:25 kerb-admin-1.0.1.jar
-rw-r--r-- 1 stackable stackable  113017 Aug 29 13:25 kerb-client-1.0.1.jar
-rw-r--r-- 1 stackable stackable   65464 Aug 29 13:25 kerb-common-1.0.1.jar
-rw-r--r-- 1 stackable stackable  226672 Aug 29 13:25 kerb-core-1.0.1.jar
-rw-r--r-- 1 stackable stackable  116120 Aug 29 13:25 kerb-crypto-1.0.1.jar
-rw-r--r-- 1 stackable stackable   20046 Aug 29 13:25 kerb-identity-1.0.1.jar
-rw-r--r-- 1 stackable stackable   82756 Aug 29 13:25 kerb-server-1.0.1.jar
-rw-r--r-- 1 stackable stackable   20409 Aug 29 13:25 kerb-simplekdc-1.0.1.jar
-rw-r--r-- 1 stackable stackable   36708 Aug 29 13:25 kerb-util-1.0.1.jar
-rw-r--r-- 1 stackable stackable  102174 Aug 29 13:25 kerby-asn1-1.0.1.jar
-rw-r--r-- 1 stackable stackable   30674 Aug 29 13:25 kerby-config-1.0.1.jar
-rw-r--r-- 1 stackable stackable  204650 Aug 29 13:25 kerby-pkix-1.0.1.jar
-rw-r--r-- 1 stackable stackable   40554 Aug 29 13:25 kerby-util-1.0.1.jar
-rw-r--r-- 1 stackable stackable   29134 Aug 29 13:25 kerby-xdr-1.0.1.jar
-rw-r--r-- 1 stackable stackable 1487085 Aug 29 13:25 kotlin-stdlib-1.4.10.jar
-rw-r--r-- 1 stackable stackable  191211 Aug 29 13:25 kotlin-stdlib-common-1.4.10.jar
-rw-r--r-- 1 stackable stackable 1045744 Aug 29 13:25 leveldbjni-all-1.8.jar
-rw-r--r-- 1 stackable stackable    2199 Aug 29 13:25 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-rw-r--r-- 1 stackable stackable  136314 Aug 29 13:25 metrics-core-3.2.4.jar
-rw-r--r-- 1 stackable stackable 1292696 Aug 29 13:25 netty-3.10.6.Final.jar
-rw-r--r-- 1 stackable stackable    4433 Aug 29 13:25 netty-all-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  305139 Aug 29 13:25 netty-buffer-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  345977 Aug 29 13:25 netty-codec-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   66887 Aug 29 13:25 netty-codec-dns-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   37776 Aug 29 13:25 netty-codec-haproxy-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  655092 Aug 29 13:25 netty-codec-http-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  480218 Aug 29 13:25 netty-codec-http2-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   44691 Aug 29 13:25 netty-codec-memcache-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  100903 Aug 29 13:25 netty-codec-mqtt-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   45959 Aug 29 13:25 netty-codec-redis-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   21291 Aug 29 13:25 netty-codec-smtp-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  120710 Aug 29 13:25 netty-codec-socks-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   34545 Aug 29 13:25 netty-codec-stomp-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   19774 Aug 29 13:25 netty-codec-xml-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  657795 Aug 29 13:25 netty-common-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  545615 Aug 29 13:25 netty-handler-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   25409 Aug 29 13:25 netty-handler-proxy-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   26512 Aug 29 13:25 netty-handler-ssl-ocsp-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   37790 Aug 29 13:25 netty-resolver-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  165684 Aug 29 13:25 netty-resolver-dns-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable    9091 Aug 29 13:25 netty-resolver-dns-classes-macos-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   19205 Aug 29 13:25 netty-resolver-dns-native-macos-4.1.89.Final-osx-aarch_64.jar
-rw-r--r-- 1 stackable stackable   19426 Aug 29 13:25 netty-resolver-dns-native-macos-4.1.89.Final-osx-x86_64.jar
-rw-r--r-- 1 stackable stackable  488388 Aug 29 13:25 netty-transport-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  145035 Aug 29 13:25 netty-transport-classes-epoll-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  108283 Aug 29 13:25 netty-transport-classes-kqueue-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   39517 Aug 29 13:25 netty-transport-native-epoll-4.1.89.Final-linux-aarch_64.jar
-rw-r--r-- 1 stackable stackable   37918 Aug 29 13:25 netty-transport-native-epoll-4.1.89.Final-linux-x86_64.jar
-rw-r--r-- 1 stackable stackable   25098 Aug 29 13:25 netty-transport-native-kqueue-4.1.89.Final-osx-aarch_64.jar
-rw-r--r-- 1 stackable stackable   26133 Aug 29 13:25 netty-transport-native-kqueue-4.1.89.Final-osx-x86_64.jar
-rw-r--r-- 1 stackable stackable   43700 Aug 29 13:25 netty-transport-native-unix-common-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   18190 Aug 29 13:25 netty-transport-rxtx-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   50764 Aug 29 13:25 netty-transport-sctp-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable   32133 Aug 29 13:25 netty-transport-udt-4.1.89.Final.jar
-rw-r--r-- 1 stackable stackable  444013 Aug 29 13:25 nimbus-jose-jwt-9.8.1.jar
-rw-r--r-- 1 stackable stackable  792081 Aug 29 13:25 okhttp-4.9.3.jar
-rw-r--r-- 1 stackable stackable  243179 Aug 29 13:25 okio-2.8.0.jar
-rw-r--r-- 1 stackable stackable   29555 Aug 29 13:25 paranamer-2.3.jar
-rw-r--r-- 1 stackable stackable  533455 Aug 29 13:25 protobuf-java-2.5.0.jar
-rw-r--r-- 1 stackable stackable  128414 Aug 29 13:25 re2j-1.1.jar
-rw-r--r-- 1 stackable stackable  332398 Aug 29 13:25 reload4j-1.2.22.jar
-rw-r--r-- 1 stackable stackable 2112099 Aug 29 13:25 snappy-java-1.1.10.4.jar
-rw-r--r-- 1 stackable stackable  195909 Aug 29 13:25 stax2-api-4.2.1.jar
-rw-r--r-- 1 stackable stackable   18763 Aug 29 13:25 token-provider-1.0.1.jar
-rw-r--r-- 1 stackable stackable  522679 Aug 29 13:25 woodstox-core-5.4.0.jar
-rw-r--r-- 1 stackable stackable 1254153 Aug 29 13:25 zookeeper-3.6.3.jar
-rw-r--r-- 1 stackable stackable  250399 Aug 29 13:25 zookeeper-jute-3.6.3.jar

/stackable/hadoop-3.3.6/share/hadoop/tools/lib:
total 343860
-rw-r--r-- 1 stackable stackable    194215 Aug 29 13:25 aliyun-java-sdk-core-4.5.10.jar
-rw-r--r-- 1 stackable stackable    163698 Aug 29 13:25 aliyun-java-sdk-kms-2.11.0.jar
-rw-r--r-- 1 stackable stackable    220800 Aug 29 13:25 aliyun-java-sdk-ram-3.1.0.jar
-rw-r--r-- 1 stackable stackable    782427 Aug 29 13:25 aliyun-sdk-oss-3.13.0.jar
-rw-r--r-- 1 stackable stackable      4467 Aug 29 13:25 aopalliance-1.0.jar
-rw-r--r-- 1 stackable stackable     72781 Aug 29 13:25 asm-commons-9.4.jar
-rw-r--r-- 1 stackable stackable     52665 Aug 29 13:25 asm-tree-9.4.jar
-rw-r--r-- 1 stackable stackable 310582214 Aug 29 13:25 aws-java-sdk-bundle-1.12.367.jar
-rw-r--r-- 1 stackable stackable    113966 Aug 29 13:25 azure-data-lake-store-sdk-2.3.9.jar
-rw-r--r-- 1 stackable stackable     10288 Aug 29 13:25 azure-keyvault-core-1.0.0.jar
-rw-r--r-- 1 stackable stackable    815331 Aug 29 13:25 azure-storage-7.0.1.jar
-rw-r--r-- 1 stackable stackable    887800 Aug 29 13:25 bcpkix-jdk15on-1.68.jar
-rw-r--r-- 1 stackable stackable   5961178 Aug 29 13:25 bcprov-jdk15on-1.68.jar
-rw-r--r-- 1 stackable stackable     51322 Aug 29 13:25 commons-csv-1.9.0.jar
-rw-r--r-- 1 stackable stackable   1726527 Aug 29 13:25 ehcache-3.3.1.jar
-rw-r--r-- 1 stackable stackable    387689 Aug 29 13:25 fst-2.50.jar
-rw-r--r-- 1 stackable stackable     55236 Aug 29 13:25 geronimo-jcache_1.0_spec-1.0-alpha-1.jar
-rw-r--r-- 1 stackable stackable    668235 Aug 29 13:25 guice-4.0.jar
-rw-r--r-- 1 stackable stackable     76983 Aug 29 13:25 guice-servlet-4.0.jar
-rw-r--r-- 1 stackable stackable     63447 Aug 29 13:25 hadoop-aliyun-3.3.6.jar
-rw-r--r-- 1 stackable stackable     27297 Aug 29 13:25 hadoop-archive-logs-3.3.6.jar
-rw-r--r-- 1 stackable stackable     28222 Aug 29 13:25 hadoop-archives-3.3.6.jar
-rw-r--r-- 1 stackable stackable    781219 Aug 29 13:25 hadoop-aws-3.3.6.jar
-rw-r--r-- 1 stackable stackable    607060 Aug 29 13:25 hadoop-azure-3.3.6.jar
-rw-r--r-- 1 stackable stackable     32292 Aug 29 13:25 hadoop-azure-datalake-3.3.6.jar
-rw-r--r-- 1 stackable stackable      8568 Aug 29 13:25 hadoop-client-3.3.6.jar
-rw-r--r-- 1 stackable stackable     20766 Aug 29 13:25 hadoop-datajoin-3.3.6.jar
-rw-r--r-- 1 stackable stackable    158995 Aug 29 13:25 hadoop-distcp-3.3.6.jar
-rw-r--r-- 1 stackable stackable     22430 Aug 29 13:25 hadoop-dynamometer-blockgen-3.3.6.jar
-rw-r--r-- 1 stackable stackable     80062 Aug 29 13:25 hadoop-dynamometer-infra-3.3.6.jar
-rw-r--r-- 1 stackable stackable     54226 Aug 29 13:25 hadoop-dynamometer-workload-3.3.6.jar
-rw-r--r-- 1 stackable stackable     27525 Aug 29 13:25 hadoop-extras-3.3.6.jar
-rw-r--r-- 1 stackable stackable     50900 Aug 29 13:25 hadoop-fs2img-3.3.6.jar
-rw-r--r-- 1 stackable stackable    223354 Aug 29 13:25 hadoop-gridmix-3.3.6.jar
-rw-r--r-- 1 stackable stackable     12811 Aug 29 13:25 hadoop-kafka-3.3.6.jar
-rw-r--r-- 1 stackable stackable     68244 Aug 29 13:25 hadoop-resourceestimator-3.3.6.jar
-rw-r--r-- 1 stackable stackable    286163 Aug 29 13:25 hadoop-rumen-3.3.6.jar
-rw-r--r-- 1 stackable stackable    369465 Aug 29 13:25 hadoop-sls-3.3.6.jar
-rw-r--r-- 1 stackable stackable    140777 Aug 29 13:25 hadoop-streaming-3.3.6.jar
-rw-r--r-- 1 stackable stackable   3640007 Aug 29 13:25 hadoop-yarn-api-3.3.6.jar
-rw-r--r-- 1 stackable stackable    286186 Aug 29 13:25 hadoop-yarn-client-3.3.6.jar
-rw-r--r-- 1 stackable stackable   2435566 Aug 29 13:25 hadoop-yarn-common-3.3.6.jar
-rw-r--r-- 1 stackable stackable     45024 Aug 29 13:25 hamcrest-core-1.3.jar
-rw-r--r-- 1 stackable stackable    102220 Aug 29 13:25 ini4j-0.5.4.jar
-rw-r--r-- 1 stackable stackable     35847 Aug 29 13:25 jackson-jaxrs-base-2.12.7.jar
-rw-r--r-- 1 stackable stackable     16433 Aug 29 13:25 jackson-jaxrs-json-provider-2.12.7.jar
-rw-r--r-- 1 stackable stackable     36576 Aug 29 13:25 jackson-module-jaxb-annotations-2.12.7.jar
-rw-r--r-- 1 stackable stackable    115498 Aug 29 13:25 jakarta.xml.bind-api-2.3.2.jar
-rw-r--r-- 1 stackable stackable     58487 Aug 29 13:25 java-util-1.9.0.jar
-rw-r--r-- 1 stackable stackable    168057 Aug 29 13:25 javax-websocket-client-impl-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable     47861 Aug 29 13:25 javax-websocket-server-impl-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable     26586 Aug 29 13:25 javax.annotation-api-1.3.2.jar
-rw-r--r-- 1 stackable stackable      2497 Aug 29 13:25 javax.inject-1.jar
-rw-r--r-- 1 stackable stackable     36611 Aug 29 13:25 javax.websocket-api-1.0.jar
-rw-r--r-- 1 stackable stackable     27011 Aug 29 13:25 javax.websocket-client-api-1.0.jar
-rw-r--r-- 1 stackable stackable    304924 Aug 29 13:25 jdom2-2.0.6.jar
-rw-r--r-- 1 stackable stackable    134066 Aug 29 13:25 jersey-client-1.19.4.jar
-rw-r--r-- 1 stackable stackable     16151 Aug 29 13:25 jersey-guice-1.19.4.jar
-rw-r--r-- 1 stackable stackable     86708 Aug 29 13:25 jetty-annotations-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable    327919 Aug 29 13:25 jetty-client-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable     46770 Aug 29 13:25 jetty-jndi-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable     65616 Aug 29 13:25 jetty-plus-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable    707273 Aug 29 13:25 jline-3.9.0.jar
-rw-r--r-- 1 stackable stackable   1488769 Aug 29 13:25 jna-5.2.0.jar
-rw-r--r-- 1 stackable stackable    384581 Aug 29 13:25 junit-4.13.2.jar
-rw-r--r-- 1 stackable stackable   4639857 Aug 29 13:25 kafka-clients-2.8.2.jar
-rw-r--r-- 1 stackable stackable    649950 Aug 29 13:25 lz4-java-1.7.1.jar
-rw-r--r-- 1 stackable stackable    792442 Aug 29 13:25 mssql-jdbc-6.2.1.jre7.jar
-rw-r--r-- 1 stackable stackable     55684 Aug 29 13:25 objenesis-2.6.jar
-rw-r--r-- 1 stackable stackable   1664497 Aug 29 13:25 ojalgo-43.0.jar
-rw-r--r-- 1 stackable stackable     18189 Aug 29 13:25 opentracing-api-0.33.0.jar
-rw-r--r-- 1 stackable stackable     10542 Aug 29 13:25 opentracing-noop-0.33.0.jar
-rw-r--r-- 1 stackable stackable      7504 Aug 29 13:25 opentracing-util-0.33.0.jar
-rw-r--r-- 1 stackable stackable    281989 Aug 29 13:25 org.jacoco.agent-0.8.5-runtime.jar
-rw-r--r-- 1 stackable stackable     52177 Aug 29 13:25 websocket-api-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable     45621 Aug 29 13:25 websocket-client-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable    214628 Aug 29 13:25 websocket-common-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable     45511 Aug 29 13:25 websocket-server-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable     30316 Aug 29 13:25 websocket-servlet-9.4.51.v20230217.jar
-rw-r--r-- 1 stackable stackable    436580 Aug 29 13:25 wildfly-openssl-1.1.3.Final.jar
-rw-r--r-- 1 stackable stackable   6474018 Aug 29 13:25 zstd-jni-1.4.9-1.jar

@razvan
Copy link
Member

razvan commented Aug 30, 2024

HBase

The first attempt to remove unused components focused on Phoenix. After realising that > 50% of CVEs in the HBase image come from the jackson-databind 2.4.0 the focus was shifted to removing this dependency.

This PR #820 removes it from the phoenix-server component and the number of CVEs is reduced from 502 to 229.

CI for PR #820 https://testing.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/hbase-operator-it-custom/

@razvan
Copy link
Member

razvan commented Aug 30, 2024

HBase - replace htrace with the noop version

Looked into replacing the htrace dependency with it's no-op version as done in the Omid image by @soenkeliebau . Htrace 3.5.0 brings in the offending jackson-databind as a transitive dependency into Phoenix.

Unfortunately it is not possible to replace htrace 3.5.0 with htrace-noop 3.5.0 . The noop version is only a drop in replacement for htrace-core4 :(

On the upside, Phoenix will hopefully replace htrace with opentelemetry soon: apache/phoenix#1282

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@razvan @lfrancke @dervoeti @xeniape