chore(precompiled/hadoop): Add image for precompiled hadoop for later reuse (#1466)

* chore: Move hadoop/hadoop source build to precompiled/hadoop

* chore: Update relative path (hadoop/hadoop -> precompiled/hadoop)

* ci(precompiled/hadoop): Compile hadoop source and publish as an image

* chore(hadoop): Restore hadoop/hadoop

This will be removed in the Part 2 PR

* ci(precompiled/hadoop): Make zizmor happy

* chore(nix): Add zizmor dependency

* chore: Update changelog

Author: NickLarsenNZ

.github/workflows/precompile_hadoop.yaml

@@ -0,0 +1,51 @@
+---
+name: Compile Hadoop
+run-name: |
+  Compile Hadoop (attempt #${{ github.run_attempt }})
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - precompiled/hadoop/**
+      # I don't think there's any reason to rebuild just because the workflow changed.
+      # If the version is compiled (for that patch set), then it needs no rebuild.
+      # - .github/actions/**
+      # - .github/workflows/precompile_hadoop.yaml
+      # - .github/workflows/reusable_build_image.yaml
+
+permissions: {}
+
+jobs:
+  # This is a separate job so that it remains consistent if a rerun of failed jobs is needed.
+  # It is used in place of the "sdp-version" passed to the build action.
+  generate_build_timestamp:
+    name: Generate unix timestamp
+    runs-on: ubuntu-latest
+    steps:
+      - shell: bash
+        id: unix_timestamp
+        run: |
+          set -euo pipefail
+          UNIX_TIMESTAMP=$(date +%s)
+          echo "unix_timestamp=$UNIX_TIMESTAMP" | tee -a "$GITHUB_OUTPUT"
+    outputs:
+      unix_timestamp: ${{ steps.unix_timestamp.outputs.unix_timestamp }}
+
+  build_image:
+    name: Reusable Workflow
+    uses: ./.github/workflows/reusable_build_image.yaml
+    needs: [generate_build_timestamp]
+    secrets:
+      harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_PRECOMPILED_GITHUB_ACTION_BUILD_SECRET }}
+      slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      # Needed for cosign (sign and attest)
+      id-token: write
+      # Needed for checkout
+      contents: read
+    with:
+      product-name: hadoop
+      sdp-version: ${{ needs.generate_build_timestamp.outputs.unix_timestamp }}
+      registry-namespace: precompiled

.github/workflows/reusable_build_image.yaml

@@ -146,6 +146,8 @@ jobs:
     name: Failure Notification
     needs: [generate_version_dimension, build, publish_manifests]
     runs-on: ubuntu-latest
+    # TODO (@NickLarsenNZ): Allow a condition from input so that we can always
+    # be notified of new builds for precompiled product images.
     if: failure() || (github.run_attempt > 1 && !cancelled())
     steps:
       - name: Send Notification

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- hadoop: Add precompiled hadoop for later reuse in dependent images ([#1466]).
+
 ### Changed
 
 - hbase: Update `hbase-opa-authorizer` from `0.1.0` to `0.2.0` and then `0.3.0` ([#1446], [#1454]).
@@ -17,6 +21,7 @@ All notable changes to this project will be documented in this file.
 [#1452]: https://github.com/stackabletech/docker-images/pull/1452
 [#1453]: https://github.com/stackabletech/docker-images/pull/1453
 [#1454]: https://github.com/stackabletech/docker-images/pull/1454
+[#1466]: https://github.com/stackabletech/docker-images/pull/1466
 
 ## [26.3.0] - 2026-03-16
 

precompiled/hadoop/Dockerfile

@@ -0,0 +1,128 @@
+# syntax=docker/dockerfile:1.16.0@sha256:e2dd261f92e4b763d789984f6eab84be66ab4f5f08052316d8eb8f173593acf7
+# check=error=true
+
+FROM local-image/java-devel AS hadoop-builder
+
+ARG PRODUCT_VERSION
+ARG RELEASE_VERSION
+ARG PROTOBUF_VERSION
+ARG STACKABLE_USER_UID
+
+WORKDIR /stackable
+
+COPY --chown=${STACKABLE_USER_UID}:0 shared/protobuf/stackable/patches/patchable.toml /stackable/src/shared/protobuf/stackable/patches/patchable.toml
+COPY --chown=${STACKABLE_USER_UID}:0 shared/protobuf/stackable/patches/${PROTOBUF_VERSION} /stackable/src/shared/protobuf/stackable/patches/${PROTOBUF_VERSION}
+
+RUN <<EOF
+rpm --install --replacepkgs https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+microdnf update
+# boost is a build dependency starting in Hadoop 3.4.0 if compiling native code
+# automake and libtool are required to build protobuf
+microdnf install boost1.78-devel automake libtool
+microdnf clean all
+rm -rf /var/cache/yum
+mkdir /opt/protobuf
+chown ${STACKABLE_USER_UID}:0 /opt/protobuf
+EOF
+
+USER ${STACKABLE_USER_UID}
+# This Protobuf version is the exact version as used in the Hadoop Dockerfile
+# See https://github.com/apache/hadoop/blob/trunk/dev-support/docker/pkg-resolver/install-protobuf.sh
+# (this was hardcoded in the Dockerfile in earlier versions of Hadoop, make sure to look at the exact version in Github)
+RUN <<EOF
+    cd "$(/stackable/patchable --images-repo-root=src checkout shared/protobuf ${PROTOBUF_VERSION})"
+
+    # Create snapshot of the source code including custom patches
+    tar -czf /stackable/protobuf-${PROTOBUF_VERSION}-src.tar.gz .
+
+    ./autogen.sh
+    ./configure --prefix=/opt/protobuf
+    make "-j$(nproc)"
+    make install
+    (cd .. && rm -r ${PROTOBUF_VERSION})
+EOF
+
+ENV PROTOBUF_HOME=/opt/protobuf
+ENV PATH="${PATH}:/opt/protobuf/bin"
+
+WORKDIR /build
+COPY --chown=${STACKABLE_USER_UID}:0 precompiled/hadoop/stackable/patches/patchable.toml /build/src/precompiled/hadoop/stackable/patches/patchable.toml
+COPY --chown=${STACKABLE_USER_UID}:0 precompiled/hadoop/stackable/patches/${PRODUCT_VERSION} /build/src/precompiled/hadoop/stackable/patches/${PRODUCT_VERSION}
+COPY --chown=${STACKABLE_USER_UID}:0 precompiled/hadoop/stackable/fuse_dfs_wrapper /build
+USER ${STACKABLE_USER_UID}
+# Hadoop Pipes requires libtirpc to build, whose headers are not packaged in RedHat UBI, so skip building this module
+# Build from source to enable FUSE module, and to apply custom patches.
+# Also skip building the yarn, mapreduce and minicluster modules: this will result in the modules being excluded but not all
+# jar files will be stripped if they are needed elsewhere e.g. share/hadoop/yarn will not be part of the build, but yarn jars
+# will still exist in share/hadoop/tools as they would be needed by the resource estimator tool. Such jars are removed in a later step.
+RUN <<EOF
+cd "$(/stackable/patchable --images-repo-root=src checkout precompiled/hadoop ${PRODUCT_VERSION})"
+
+ORIGINAL_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+NEW_VERSION=${PRODUCT_VERSION}-stackable${RELEASE_VERSION}
+
+mvn versions:set -DnewVersion=${NEW_VERSION}
+
+# Since we skip building the hadoop-pipes module, we need to set the version to the original version so it can be pulled from Maven Central
+sed -e '/<artifactId>hadoop-pipes<\/artifactId>/,/<\/dependency>/ { s/<version>.*<\/version>/<version>'"$ORIGINAL_VERSION"'<\/version>/ }' -i hadoop-tools/hadoop-tools-dist/pom.xml
+
+# Create snapshot of the source code including custom patches
+tar -czf /stackable/hadoop-${NEW_VERSION}-src.tar.gz .
+
+# We do not pass require.snappy because that is only built in to the MapReduce client and we don't need that
+#
+# Passing require.openssl SHOULD make the build fail if OpenSSL is not present.
+# This does not work properly however because this builder image contains the openssl-devel package which creates a symlink from /usr/lib64/libcrypto.so to the real version.
+# Therefore, this build does work but the final image does NOT contain the openssl-devel package which is why it fails there which is why we have to create the symlink over there manually.
+# We still leave this flag in to automatically fail should anything with the packages or symlinks ever fail.
+mvn \
+    clean package install \
+    -Pdist,native \
+    -pl '!hadoop-tools/hadoop-pipes' \
+    -Dhadoop.version=${NEW_VERSION} \
+    -Drequire.fuse=true \
+    -Drequire.openssl=true \
+    -DskipTests \
+    -Dmaven.javadoc.skip=true
+
+mkdir -p /stackable/patched-libs/maven/org/apache
+cp -r /stackable/.m2/repository/org/apache/hadoop /stackable/patched-libs/maven/org/apache
+
+rm -rf hadoop-dist/target/hadoop-${NEW_VERSION}/share/hadoop/yarn
+rm -rf hadoop-dist/target/hadoop-${NEW_VERSION}/share/hadoop/mapreduce
+rm hadoop-dist/target/hadoop-${NEW_VERSION}/share/hadoop/client/hadoop-client-minicluster-*.jar
+rm hadoop-dist/target/hadoop-${NEW_VERSION}/share/hadoop/tools/lib/hadoop-minicluster-*.jar
+
+cp -r hadoop-dist/target/hadoop-${NEW_VERSION} /stackable/hadoop-${NEW_VERSION}
+sed -i "s/${NEW_VERSION}/${ORIGINAL_VERSION}/g" hadoop-dist/target/bom.json
+mv hadoop-dist/target/bom.json /stackable/hadoop-${NEW_VERSION}/hadoop-${NEW_VERSION}.cdx.json
+
+# HDFS fuse-dfs is not part of the regular dist output, so we need to copy it in ourselves
+cp hadoop-hdfs-project/hadoop-hdfs-native-client/target/main/native/fuse-dfs/fuse_dfs /stackable/hadoop-${NEW_VERSION}/bin
+
+# Remove source code
+(cd .. && rm -r ${PRODUCT_VERSION})
+
+ln -s /stackable/hadoop-${NEW_VERSION} /stackable/hadoop
+
+mv /build/fuse_dfs_wrapper /stackable/hadoop/bin
+
+# Remove unneeded binaries:
+#  - code sources
+#  - mapreduce/yarn binaries that were built as cross-project dependencies
+#  - minicluster (only used for testing) and test .jars
+#  - json-io: this is a transitive dependency pulled in by cedarsoft/java-utils/json-io and is excluded in 3.4.0. See CVE-2023-34610.
+rm -rf /stackable/hadoop/share/hadoop/common/sources/
+rm -rf /stackable/hadoop/share/hadoop/hdfs/sources/
+rm -rf /stackable/hadoop/share/hadoop/tools/sources/
+rm -rf /stackable/hadoop/share/hadoop/tools/lib/json-io-*.jar
+rm -rf /stackable/hadoop/share/hadoop/tools/lib/hadoop-mapreduce-client-*.jar
+rm -rf /stackable/hadoop/share/hadoop/tools/lib/hadoop-yarn-server*.jar
+find /stackable/hadoop -name 'hadoop-minicluster-*.jar' -type f -delete
+find /stackable/hadoop -name 'hadoop-client-minicluster-*.jar' -type f -delete
+find /stackable/hadoop -name 'hadoop-*tests.jar' -type f -delete
+rm -rf /stackable/.m2
+
+# Set correct groups; make sure only required artifacts for the final image are located in /stackable
+chmod -R g=u /stackable
+EOF

precompiled/hadoop/boil-config.toml

@@ -0,0 +1,11 @@
+[versions."3.3.6".local-images]
+java-devel = "11"
+
+[versions."3.3.6".build-arguments]
+protobuf-version = "3.7.1"
+
+[versions."3.4.2".local-images]
+java-devel = "11"
+
+[versions."3.4.2".build-arguments]
+protobuf-version = "3.7.1"

precompiled/hadoop/stackable/fuse_dfs_wrapper

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -e
+
+# JNI does _NOT_ support wildcards in the Classpath so we can't use the usual /stackable/hadoop/share/hadoop/client/* here
+# Instead we need to use find and then concatenate them all with colons.
+# There is a trailing colon at the end but that does seem to work just fine
+# Not all three directories might be needed, common is definitely needed
+CLASSPATH=$(find -L /stackable/hadoop/share/hadoop/client/ /stackable/hadoop/share/hadoop/hdfs/ /stackable/hadoop/share/hadoop/common -type f -name "*.jar" -print0 | xargs -0 printf "%s:")
+
+export CLASSPATH=$HADOOP_CONF_DIR:$CLASSPATH
+export LD_LIBRARY_PATH=/stackable/hadoop/lib/native:/usr/lib/jvm/jre/lib/server
+export PATH="${PATH}":/stackable/hadoop/bin
+export HADOOP_HOME=/stackable/hadoop
+
+fuse_dfs "$@"

precompiled/hadoop/stackable/patches/3.3.6/0001-YARN-11527-Update-node.js.patch

@@ -0,0 +1,22 @@
+From bd2fa3a3a5ef57c5f6ca4f0e5535a1cd875e50d1 Mon Sep 17 00:00:00 2001
+From: Siegfried Weber <mail@siegfriedweber.net>
+Date: Thu, 21 Dec 2023 13:51:13 +0100
+Subject: YARN-11527: Update node.js
+
+---
+ hadoop-project/pom.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
+index f1ac43ed5b..9b01858e0e 100644
+--- a/hadoop-project/pom.xml
++++ b/hadoop-project/pom.xml
+@@ -213,7 +213,7 @@
+     <openssl-wildfly.version>1.1.3.Final</openssl-wildfly.version>
+     <woodstox.version>5.4.0</woodstox.version>
+     <nimbus-jose-jwt.version>9.8.1</nimbus-jose-jwt.version>
+-    <nodejs.version>v12.22.1</nodejs.version>
++    <nodejs.version>v14.17.0</nodejs.version>
+     <yarnpkg.version>v1.22.5</yarnpkg.version>
+     <apache-ant.version>1.10.13</apache-ant.version>
+     <jmh.version>1.20</jmh.version>