Slim down product images

dervoeti commented 2 months ago

We might have some potential to slim down product images. This can reduce build time, image size and attack surface. For example, the Hive Dockerfile has a comment about Hadoop: https://github.com/stackabletech/docker-images/blob/1965d50dc436552d4c7e06363f4b1ed46deac29c/hive/Dockerfile#L102

Now that we build from source, it might be worth digging into the build processes to: a) Limit which components we build. It doesn't make sense to build stuff that's never copied to the final image. b) Revalidate if all the components that are copied into the final image are really needed in production. With Hive, for example, we switched the build to only build the metastore, which significantly reduced the attack surface. Some products consist of multiple components and plugins, which might not all be needed to run the platform. c) While we're at it, try to generate an SBOM for each component that is copied into the final image (next to the component itself). For most components that should already be the case, see https://github.com/stackabletech/docker-images/pull/814

We want to focus on products that are mostly affected by vulnerabilities right now:

[x] Trino
[x] Hive
[x] HBase

Acceptance criteria:

[ ] Document what could be removed and the impacts of the removal
[ ] Document what can't be removed and why it can't be removed

lfrancke commented 2 months ago

I'm fairly certain that there is another similar issue already and there is at least one draft PR for Hadoop on this already.

xeniape commented 2 months ago

Hive analysis regarding the Hadoop question in the issue description: The components copied into Hive from the Hadoop-Image are already slimmed down by some degree since we are only building part of the Hadoop components https://github.com/stackabletech/docker-images/blob/main/hadoop/Dockerfile#L66

Hive therefore only contains a subset of Hadoop (contents shown with dive):

Someone with experience and product knowledge might slim it further down by removing jars that are not needed from the shown folders (and under each lib folder in there).

With Hive 4.0.0 the component we are using from Hive (standalone-metastore) is split into multiple separate parts: metastore-common, metastore-server, and metastore-tools, where - depending on the outcome of tests etc. - we might also only include the metastore-server component, further slimming down the attack surface https://github.com/stackabletech/docker-images/pull/818/files#diff-71bbe6452013d0b0b73eca04f83193cb3ece7f3c58310666cbc66c7a954e115aR40

In case it's needed for later:

Complete jar list of Hadoop in Hive

``` /stackable/hadoop-3.3.6/share/hadoop/client: total 48160 -rw-r--r-- 1 stackable stackable 19226632 Aug 29 13:25 hadoop-client-api-3.3.6.jar -rw-r--r-- 1 stackable stackable 30083899 Aug 29 13:25 hadoop-client-runtime-3.3.6.jar /stackable/hadoop-3.3.6/share/hadoop/common: total 4960 -rw-r--r-- 1 stackable stackable 4599379 Aug 29 13:25 hadoop-common-3.3.6.jar -rw-r--r-- 1 stackable stackable 96242 Aug 29 13:25 hadoop-kms-3.3.6.jar -rw-r--r-- 1 stackable stackable 170044 Aug 29 13:25 hadoop-nfs-3.3.6.jar -rw-r--r-- 1 stackable stackable 186870 Aug 29 13:25 hadoop-registry-3.3.6.jar /stackable/hadoop-3.3.6/share/hadoop/common/lib: total 53012 -rw-r--r-- 1 stackable stackable 3448 Aug 29 13:25 animal-sniffer-annotations-1.17.jar -rw-r--r-- 1 stackable stackable 20437 Aug 29 13:25 audience-annotations-0.5.0.jar -rw-r--r-- 1 stackable stackable 436303 Aug 29 13:25 avro-1.7.7.jar -rw-r--r-- 1 stackable stackable 193322 Aug 29 13:25 checker-qual-2.5.2.jar -rw-r--r-- 1 stackable stackable 246918 Aug 29 13:25 commons-beanutils-1.9.4.jar -rw-r--r-- 1 stackable stackable 41123 Aug 29 13:25 commons-cli-1.2.jar -rw-r--r-- 1 stackable stackable 353793 Aug 29 13:25 commons-codec-1.15.jar -rw-r--r-- 1 stackable stackable 588337 Aug 29 13:25 commons-collections-3.2.2.jar -rw-r--r-- 1 stackable stackable 1018316 Aug 29 13:25 commons-compress-1.21.jar -rw-r--r-- 1 stackable stackable 632505 Aug 29 13:25 commons-configuration2-2.8.0.jar -rw-r--r-- 1 stackable stackable 24239 Aug 29 13:25 commons-daemon-1.0.13.jar -rw-r--r-- 1 stackable stackable 285424 Aug 29 13:25 commons-io-2.8.0.jar -rw-r--r-- 1 stackable stackable 587402 Aug 29 13:25 commons-lang3-3.12.0.jar -rw-r--r-- 1 stackable stackable 62050 Aug 29 13:25 commons-logging-1.1.3.jar -rw-r--r-- 1 stackable stackable 1599627 Aug 29 13:25 commons-math3-3.1.1.jar -rw-r--r-- 1 stackable stackable 316431 Aug 29 13:25 commons-net-3.9.0.jar -rw-r--r-- 1 stackable stackable 238400 Aug 29 13:25 commons-text-1.10.0.jar -rw-r--r-- 1 stackable stackable 2983237 Aug 29 13:25 curator-client-5.2.0.jar -rw-r--r-- 1 stackable stackable 336384 Aug 29 13:25 curator-framework-5.2.0.jar -rw-r--r-- 1 stackable stackable 315569 Aug 29 13:25 curator-recipes-5.2.0.jar -rw-r--r-- 1 stackable stackable 307637 Aug 29 13:25 dnsjava-2.1.7.jar -rw-r--r-- 1 stackable stackable 3727 Aug 29 13:25 failureaccess-1.0.jar -rw-r--r-- 1 stackable stackable 249277 Aug 29 13:25 gson-2.9.0.jar -rw-r--r-- 1 stackable stackable 2747878 Aug 29 13:25 guava-27.0-jre.jar -rw-r--r-- 1 stackable stackable 13232 Aug 29 13:25 hadoop-annotations-3.3.6.jar -rw-r--r-- 1 stackable stackable 105724 Aug 29 13:25 hadoop-auth-3.3.6.jar -rw-r--r-- 1 stackable stackable 3362359 Aug 29 13:25 hadoop-shaded-guava-1.1.1.jar -rw-r--r-- 1 stackable stackable 1477052 Aug 29 13:25 hadoop-shaded-protobuf_3_7-1.1.1.jar -rw-r--r-- 1 stackable stackable 14014205 Aug 29 13:02 hdfs-utils-0.3.0.jar -rw-r--r-- 1 stackable stackable 780321 Aug 29 13:25 httpclient-4.5.13.jar -rw-r--r-- 1 stackable stackable 328593 Aug 29 13:25 httpcore-4.4.13.jar -rw-r--r-- 1 stackable stackable 8782 Aug 29 13:25 j2objc-annotations-1.1.jar -rw-r--r-- 1 stackable stackable 75705 Aug 29 13:25 jackson-annotations-2.12.7.jar -rw-r--r-- 1 stackable stackable 365538 Aug 29 13:25 jackson-core-2.12.7.jar -rw-r--r-- 1 stackable stackable 232248 Aug 29 13:25 jackson-core-asl-1.9.13.jar -rw-r--r-- 1 stackable stackable 1512418 Aug 29 13:25 jackson-databind-2.12.7.1.jar -rw-r--r-- 1 stackable stackable 780664 Aug 29 13:25 jackson-mapper-asl-1.9.13.jar -rw-r--r-- 1 stackable stackable 44399 Aug 29 13:25 jakarta.activation-api-1.2.1.jar -rw-r--r-- 1 stackable stackable 95806 Aug 29 13:25 javax.servlet-api-3.1.0.jar -rw-r--r-- 1 stackable stackable 102244 Aug 29 13:25 jaxb-api-2.2.11.jar -rw-r--r-- 1 stackable stackable 890168 Aug 29 13:25 jaxb-impl-2.2.3-1.jar -rw-r--r-- 1 stackable stackable 4722 Aug 29 13:25 jcip-annotations-1.0-1.jar -rw-r--r-- 1 stackable stackable 436731 Aug 29 13:25 jersey-core-1.19.4.jar -rw-r--r-- 1 stackable stackable 158695 Aug 29 13:25 jersey-json-1.20.jar -rw-r--r-- 1 stackable stackable 705276 Aug 29 13:25 jersey-server-1.19.4.jar -rw-r--r-- 1 stackable stackable 128990 Aug 29 13:25 jersey-servlet-1.19.4.jar -rw-r--r-- 1 stackable stackable 90184 Aug 29 13:25 jettison-1.5.4.jar -rw-r--r-- 1 stackable stackable 235225 Aug 29 13:25 jetty-http-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 183020 Aug 29 13:25 jetty-io-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 118512 Aug 29 13:25 jetty-security-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 736865 Aug 29 13:25 jetty-server-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 146077 Aug 29 13:25 jetty-servlet-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 583590 Aug 29 13:25 jetty-util-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 66653 Aug 29 13:25 jetty-util-ajax-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 140321 Aug 29 13:25 jetty-webapp-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 68302 Aug 29 13:25 jetty-xml-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 282591 Aug 29 13:25 jsch-0.1.55.jar -rw-r--r-- 1 stackable stackable 100636 Aug 29 13:25 jsp-api-2.1.jar -rw-r--r-- 1 stackable stackable 19936 Aug 29 13:25 jsr305-3.0.2.jar -rw-r--r-- 1 stackable stackable 46367 Aug 29 13:25 jsr311-api-1.1.1.jar -rw-r--r-- 1 stackable stackable 4519 Aug 29 13:25 jul-to-slf4j-1.7.36.jar -rw-r--r-- 1 stackable stackable 80980 Aug 29 13:25 kerb-admin-1.0.1.jar -rw-r--r-- 1 stackable stackable 113017 Aug 29 13:25 kerb-client-1.0.1.jar -rw-r--r-- 1 stackable stackable 65464 Aug 29 13:25 kerb-common-1.0.1.jar -rw-r--r-- 1 stackable stackable 226672 Aug 29 13:25 kerb-core-1.0.1.jar -rw-r--r-- 1 stackable stackable 116120 Aug 29 13:25 kerb-crypto-1.0.1.jar -rw-r--r-- 1 stackable stackable 20046 Aug 29 13:25 kerb-identity-1.0.1.jar -rw-r--r-- 1 stackable stackable 82756 Aug 29 13:25 kerb-server-1.0.1.jar -rw-r--r-- 1 stackable stackable 20409 Aug 29 13:25 kerb-simplekdc-1.0.1.jar -rw-r--r-- 1 stackable stackable 36708 Aug 29 13:25 kerb-util-1.0.1.jar -rw-r--r-- 1 stackable stackable 102174 Aug 29 13:25 kerby-asn1-1.0.1.jar -rw-r--r-- 1 stackable stackable 30674 Aug 29 13:25 kerby-config-1.0.1.jar -rw-r--r-- 1 stackable stackable 204650 Aug 29 13:25 kerby-pkix-1.0.1.jar -rw-r--r-- 1 stackable stackable 40554 Aug 29 13:25 kerby-util-1.0.1.jar -rw-r--r-- 1 stackable stackable 29134 Aug 29 13:25 kerby-xdr-1.0.1.jar -rw-r--r-- 1 stackable stackable 2199 Aug 29 13:25 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar -rw-r--r-- 1 stackable stackable 136314 Aug 29 13:25 metrics-core-3.2.4.jar -rw-r--r-- 1 stackable stackable 4433 Aug 29 13:25 netty-all-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 305139 Aug 29 13:25 netty-buffer-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 345977 Aug 29 13:25 netty-codec-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 66887 Aug 29 13:25 netty-codec-dns-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 37776 Aug 29 13:25 netty-codec-haproxy-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 655092 Aug 29 13:25 netty-codec-http-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 480218 Aug 29 13:25 netty-codec-http2-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 44691 Aug 29 13:25 netty-codec-memcache-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 100903 Aug 29 13:25 netty-codec-mqtt-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 45959 Aug 29 13:25 netty-codec-redis-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 21291 Aug 29 13:25 netty-codec-smtp-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 120710 Aug 29 13:25 netty-codec-socks-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 34545 Aug 29 13:25 netty-codec-stomp-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 19774 Aug 29 13:25 netty-codec-xml-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 657795 Aug 29 13:25 netty-common-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 545615 Aug 29 13:25 netty-handler-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 25409 Aug 29 13:25 netty-handler-proxy-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 26512 Aug 29 13:25 netty-handler-ssl-ocsp-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 37790 Aug 29 13:25 netty-resolver-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 165684 Aug 29 13:25 netty-resolver-dns-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 9091 Aug 29 13:25 netty-resolver-dns-classes-macos-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 19205 Aug 29 13:25 netty-resolver-dns-native-macos-4.1.89.Final-osx-aarch_64.jar -rw-r--r-- 1 stackable stackable 19426 Aug 29 13:25 netty-resolver-dns-native-macos-4.1.89.Final-osx-x86_64.jar -rw-r--r-- 1 stackable stackable 488388 Aug 29 13:25 netty-transport-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 145035 Aug 29 13:25 netty-transport-classes-epoll-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 108283 Aug 29 13:25 netty-transport-classes-kqueue-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 39517 Aug 29 13:25 netty-transport-native-epoll-4.1.89.Final-linux-aarch_64.jar -rw-r--r-- 1 stackable stackable 37918 Aug 29 13:25 netty-transport-native-epoll-4.1.89.Final-linux-x86_64.jar -rw-r--r-- 1 stackable stackable 25098 Aug 29 13:25 netty-transport-native-kqueue-4.1.89.Final-osx-aarch_64.jar -rw-r--r-- 1 stackable stackable 26133 Aug 29 13:25 netty-transport-native-kqueue-4.1.89.Final-osx-x86_64.jar -rw-r--r-- 1 stackable stackable 43700 Aug 29 13:25 netty-transport-native-unix-common-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 18190 Aug 29 13:25 netty-transport-rxtx-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 50764 Aug 29 13:25 netty-transport-sctp-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 32133 Aug 29 13:25 netty-transport-udt-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 444013 Aug 29 13:25 nimbus-jose-jwt-9.8.1.jar -rw-r--r-- 1 stackable stackable 29555 Aug 29 13:25 paranamer-2.3.jar -rw-r--r-- 1 stackable stackable 533455 Aug 29 13:25 protobuf-java-2.5.0.jar -rw-r--r-- 1 stackable stackable 128414 Aug 29 13:25 re2j-1.1.jar -rw-r--r-- 1 stackable stackable 332398 Aug 29 13:25 reload4j-1.2.22.jar -rw-r--r-- 1 stackable stackable 41125 Aug 29 13:25 slf4j-api-1.7.36.jar -rw-r--r-- 1 stackable stackable 9824 Aug 29 13:25 slf4j-reload4j-1.7.36.jar -rw-r--r-- 1 stackable stackable 2112099 Aug 29 13:25 snappy-java-1.1.10.4.jar -rw-r--r-- 1 stackable stackable 195909 Aug 29 13:25 stax2-api-4.2.1.jar -rw-r--r-- 1 stackable stackable 18763 Aug 29 13:25 token-provider-1.0.1.jar -rw-r--r-- 1 stackable stackable 522679 Aug 29 13:25 woodstox-core-5.4.0.jar -rw-r--r-- 1 stackable stackable 1254153 Aug 29 13:25 zookeeper-3.6.3.jar -rw-r--r-- 1 stackable stackable 250399 Aug 29 13:25 zookeeper-jute-3.6.3.jar /stackable/hadoop-3.3.6/share/hadoop/hdfs: total 13044 -rw-r--r-- 1 stackable stackable 6278997 Aug 29 13:25 hadoop-hdfs-3.3.6.jar -rw-r--r-- 1 stackable stackable 5514234 Aug 29 13:25 hadoop-hdfs-client-3.3.6.jar -rw-r--r-- 1 stackable stackable 250962 Aug 29 13:25 hadoop-hdfs-httpfs-3.3.6.jar -rw-r--r-- 1 stackable stackable 9585 Aug 29 13:25 hadoop-hdfs-native-client-3.3.6.jar -rw-r--r-- 1 stackable stackable 115215 Aug 29 13:25 hadoop-hdfs-nfs-3.3.6.jar -rw-r--r-- 1 stackable stackable 1151041 Aug 29 13:25 hadoop-hdfs-rbf-3.3.6.jar /stackable/hadoop-3.3.6/share/hadoop/hdfs/lib: total 44264 -rw-r--r-- 1 stackable stackable 134308 Aug 29 13:25 HikariCP-java7-2.4.12.jar -rw-r--r-- 1 stackable stackable 3448 Aug 29 13:25 animal-sniffer-annotations-1.17.jar -rw-r--r-- 1 stackable stackable 20437 Aug 29 13:25 audience-annotations-0.5.0.jar -rw-r--r-- 1 stackable stackable 436303 Aug 29 13:25 avro-1.7.7.jar -rw-r--r-- 1 stackable stackable 193322 Aug 29 13:25 checker-qual-2.5.2.jar -rw-r--r-- 1 stackable stackable 246918 Aug 29 13:25 commons-beanutils-1.9.4.jar -rw-r--r-- 1 stackable stackable 41123 Aug 29 13:25 commons-cli-1.2.jar -rw-r--r-- 1 stackable stackable 353793 Aug 29 13:25 commons-codec-1.15.jar -rw-r--r-- 1 stackable stackable 588337 Aug 29 13:25 commons-collections-3.2.2.jar -rw-r--r-- 1 stackable stackable 1018316 Aug 29 13:25 commons-compress-1.21.jar -rw-r--r-- 1 stackable stackable 632505 Aug 29 13:25 commons-configuration2-2.8.0.jar -rw-r--r-- 1 stackable stackable 24239 Aug 29 13:25 commons-daemon-1.0.13.jar -rw-r--r-- 1 stackable stackable 285424 Aug 29 13:25 commons-io-2.8.0.jar -rw-r--r-- 1 stackable stackable 587402 Aug 29 13:25 commons-lang3-3.12.0.jar -rw-r--r-- 1 stackable stackable 62050 Aug 29 13:25 commons-logging-1.1.3.jar -rw-r--r-- 1 stackable stackable 1599627 Aug 29 13:25 commons-math3-3.1.1.jar -rw-r--r-- 1 stackable stackable 316431 Aug 29 13:25 commons-net-3.9.0.jar -rw-r--r-- 1 stackable stackable 238400 Aug 29 13:25 commons-text-1.10.0.jar -rw-r--r-- 1 stackable stackable 2983237 Aug 29 13:25 curator-client-5.2.0.jar -rw-r--r-- 1 stackable stackable 336384 Aug 29 13:25 curator-framework-5.2.0.jar -rw-r--r-- 1 stackable stackable 315569 Aug 29 13:25 curator-recipes-5.2.0.jar -rw-r--r-- 1 stackable stackable 307637 Aug 29 13:25 dnsjava-2.1.7.jar -rw-r--r-- 1 stackable stackable 3727 Aug 29 13:25 failureaccess-1.0.jar -rw-r--r-- 1 stackable stackable 249277 Aug 29 13:25 gson-2.9.0.jar -rw-r--r-- 1 stackable stackable 2747878 Aug 29 13:25 guava-27.0-jre.jar -rw-r--r-- 1 stackable stackable 13232 Aug 29 13:25 hadoop-annotations-3.3.6.jar -rw-r--r-- 1 stackable stackable 105724 Aug 29 13:25 hadoop-auth-3.3.6.jar -rw-r--r-- 1 stackable stackable 3362359 Aug 29 13:25 hadoop-shaded-guava-1.1.1.jar -rw-r--r-- 1 stackable stackable 1477052 Aug 29 13:25 hadoop-shaded-protobuf_3_7-1.1.1.jar -rw-r--r-- 1 stackable stackable 780321 Aug 29 13:25 httpclient-4.5.13.jar -rw-r--r-- 1 stackable stackable 328593 Aug 29 13:25 httpcore-4.4.13.jar -rw-r--r-- 1 stackable stackable 8782 Aug 29 13:25 j2objc-annotations-1.1.jar -rw-r--r-- 1 stackable stackable 75705 Aug 29 13:25 jackson-annotations-2.12.7.jar -rw-r--r-- 1 stackable stackable 365538 Aug 29 13:25 jackson-core-2.12.7.jar -rw-r--r-- 1 stackable stackable 232248 Aug 29 13:25 jackson-core-asl-1.9.13.jar -rw-r--r-- 1 stackable stackable 1512418 Aug 29 13:25 jackson-databind-2.12.7.1.jar -rw-r--r-- 1 stackable stackable 780664 Aug 29 13:25 jackson-mapper-asl-1.9.13.jar -rw-r--r-- 1 stackable stackable 44399 Aug 29 13:25 jakarta.activation-api-1.2.1.jar -rw-r--r-- 1 stackable stackable 95806 Aug 29 13:25 javax.servlet-api-3.1.0.jar -rw-r--r-- 1 stackable stackable 102244 Aug 29 13:25 jaxb-api-2.2.11.jar -rw-r--r-- 1 stackable stackable 890168 Aug 29 13:25 jaxb-impl-2.2.3-1.jar -rw-r--r-- 1 stackable stackable 4722 Aug 29 13:25 jcip-annotations-1.0-1.jar -rw-r--r-- 1 stackable stackable 436731 Aug 29 13:25 jersey-core-1.19.4.jar -rw-r--r-- 1 stackable stackable 158695 Aug 29 13:25 jersey-json-1.20.jar -rw-r--r-- 1 stackable stackable 705276 Aug 29 13:25 jersey-server-1.19.4.jar -rw-r--r-- 1 stackable stackable 128990 Aug 29 13:25 jersey-servlet-1.19.4.jar -rw-r--r-- 1 stackable stackable 90184 Aug 29 13:25 jettison-1.5.4.jar -rw-r--r-- 1 stackable stackable 235225 Aug 29 13:25 jetty-http-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 183020 Aug 29 13:25 jetty-io-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 118512 Aug 29 13:25 jetty-security-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 736865 Aug 29 13:25 jetty-server-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 146077 Aug 29 13:25 jetty-servlet-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 583590 Aug 29 13:25 jetty-util-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 66653 Aug 29 13:25 jetty-util-ajax-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 140321 Aug 29 13:25 jetty-webapp-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 68302 Aug 29 13:25 jetty-xml-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 282591 Aug 29 13:25 jsch-0.1.55.jar -rw-r--r-- 1 stackable stackable 23931 Aug 29 13:25 json-simple-1.1.1.jar -rw-r--r-- 1 stackable stackable 19936 Aug 29 13:25 jsr305-3.0.2.jar -rw-r--r-- 1 stackable stackable 46367 Aug 29 13:25 jsr311-api-1.1.1.jar -rw-r--r-- 1 stackable stackable 80980 Aug 29 13:25 kerb-admin-1.0.1.jar -rw-r--r-- 1 stackable stackable 113017 Aug 29 13:25 kerb-client-1.0.1.jar -rw-r--r-- 1 stackable stackable 65464 Aug 29 13:25 kerb-common-1.0.1.jar -rw-r--r-- 1 stackable stackable 226672 Aug 29 13:25 kerb-core-1.0.1.jar -rw-r--r-- 1 stackable stackable 116120 Aug 29 13:25 kerb-crypto-1.0.1.jar -rw-r--r-- 1 stackable stackable 20046 Aug 29 13:25 kerb-identity-1.0.1.jar -rw-r--r-- 1 stackable stackable 82756 Aug 29 13:25 kerb-server-1.0.1.jar -rw-r--r-- 1 stackable stackable 20409 Aug 29 13:25 kerb-simplekdc-1.0.1.jar -rw-r--r-- 1 stackable stackable 36708 Aug 29 13:25 kerb-util-1.0.1.jar -rw-r--r-- 1 stackable stackable 102174 Aug 29 13:25 kerby-asn1-1.0.1.jar -rw-r--r-- 1 stackable stackable 30674 Aug 29 13:25 kerby-config-1.0.1.jar -rw-r--r-- 1 stackable stackable 204650 Aug 29 13:25 kerby-pkix-1.0.1.jar -rw-r--r-- 1 stackable stackable 40554 Aug 29 13:25 kerby-util-1.0.1.jar -rw-r--r-- 1 stackable stackable 29134 Aug 29 13:25 kerby-xdr-1.0.1.jar -rw-r--r-- 1 stackable stackable 1487085 Aug 29 13:25 kotlin-stdlib-1.4.10.jar -rw-r--r-- 1 stackable stackable 191211 Aug 29 13:25 kotlin-stdlib-common-1.4.10.jar -rw-r--r-- 1 stackable stackable 1045744 Aug 29 13:25 leveldbjni-all-1.8.jar -rw-r--r-- 1 stackable stackable 2199 Aug 29 13:25 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar -rw-r--r-- 1 stackable stackable 136314 Aug 29 13:25 metrics-core-3.2.4.jar -rw-r--r-- 1 stackable stackable 1292696 Aug 29 13:25 netty-3.10.6.Final.jar -rw-r--r-- 1 stackable stackable 4433 Aug 29 13:25 netty-all-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 305139 Aug 29 13:25 netty-buffer-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 345977 Aug 29 13:25 netty-codec-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 66887 Aug 29 13:25 netty-codec-dns-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 37776 Aug 29 13:25 netty-codec-haproxy-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 655092 Aug 29 13:25 netty-codec-http-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 480218 Aug 29 13:25 netty-codec-http2-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 44691 Aug 29 13:25 netty-codec-memcache-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 100903 Aug 29 13:25 netty-codec-mqtt-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 45959 Aug 29 13:25 netty-codec-redis-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 21291 Aug 29 13:25 netty-codec-smtp-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 120710 Aug 29 13:25 netty-codec-socks-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 34545 Aug 29 13:25 netty-codec-stomp-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 19774 Aug 29 13:25 netty-codec-xml-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 657795 Aug 29 13:25 netty-common-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 545615 Aug 29 13:25 netty-handler-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 25409 Aug 29 13:25 netty-handler-proxy-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 26512 Aug 29 13:25 netty-handler-ssl-ocsp-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 37790 Aug 29 13:25 netty-resolver-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 165684 Aug 29 13:25 netty-resolver-dns-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 9091 Aug 29 13:25 netty-resolver-dns-classes-macos-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 19205 Aug 29 13:25 netty-resolver-dns-native-macos-4.1.89.Final-osx-aarch_64.jar -rw-r--r-- 1 stackable stackable 19426 Aug 29 13:25 netty-resolver-dns-native-macos-4.1.89.Final-osx-x86_64.jar -rw-r--r-- 1 stackable stackable 488388 Aug 29 13:25 netty-transport-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 145035 Aug 29 13:25 netty-transport-classes-epoll-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 108283 Aug 29 13:25 netty-transport-classes-kqueue-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 39517 Aug 29 13:25 netty-transport-native-epoll-4.1.89.Final-linux-aarch_64.jar -rw-r--r-- 1 stackable stackable 37918 Aug 29 13:25 netty-transport-native-epoll-4.1.89.Final-linux-x86_64.jar -rw-r--r-- 1 stackable stackable 25098 Aug 29 13:25 netty-transport-native-kqueue-4.1.89.Final-osx-aarch_64.jar -rw-r--r-- 1 stackable stackable 26133 Aug 29 13:25 netty-transport-native-kqueue-4.1.89.Final-osx-x86_64.jar -rw-r--r-- 1 stackable stackable 43700 Aug 29 13:25 netty-transport-native-unix-common-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 18190 Aug 29 13:25 netty-transport-rxtx-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 50764 Aug 29 13:25 netty-transport-sctp-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 32133 Aug 29 13:25 netty-transport-udt-4.1.89.Final.jar -rw-r--r-- 1 stackable stackable 444013 Aug 29 13:25 nimbus-jose-jwt-9.8.1.jar -rw-r--r-- 1 stackable stackable 792081 Aug 29 13:25 okhttp-4.9.3.jar -rw-r--r-- 1 stackable stackable 243179 Aug 29 13:25 okio-2.8.0.jar -rw-r--r-- 1 stackable stackable 29555 Aug 29 13:25 paranamer-2.3.jar -rw-r--r-- 1 stackable stackable 533455 Aug 29 13:25 protobuf-java-2.5.0.jar -rw-r--r-- 1 stackable stackable 128414 Aug 29 13:25 re2j-1.1.jar -rw-r--r-- 1 stackable stackable 332398 Aug 29 13:25 reload4j-1.2.22.jar -rw-r--r-- 1 stackable stackable 2112099 Aug 29 13:25 snappy-java-1.1.10.4.jar -rw-r--r-- 1 stackable stackable 195909 Aug 29 13:25 stax2-api-4.2.1.jar -rw-r--r-- 1 stackable stackable 18763 Aug 29 13:25 token-provider-1.0.1.jar -rw-r--r-- 1 stackable stackable 522679 Aug 29 13:25 woodstox-core-5.4.0.jar -rw-r--r-- 1 stackable stackable 1254153 Aug 29 13:25 zookeeper-3.6.3.jar -rw-r--r-- 1 stackable stackable 250399 Aug 29 13:25 zookeeper-jute-3.6.3.jar /stackable/hadoop-3.3.6/share/hadoop/tools/lib: total 343860 -rw-r--r-- 1 stackable stackable 194215 Aug 29 13:25 aliyun-java-sdk-core-4.5.10.jar -rw-r--r-- 1 stackable stackable 163698 Aug 29 13:25 aliyun-java-sdk-kms-2.11.0.jar -rw-r--r-- 1 stackable stackable 220800 Aug 29 13:25 aliyun-java-sdk-ram-3.1.0.jar -rw-r--r-- 1 stackable stackable 782427 Aug 29 13:25 aliyun-sdk-oss-3.13.0.jar -rw-r--r-- 1 stackable stackable 4467 Aug 29 13:25 aopalliance-1.0.jar -rw-r--r-- 1 stackable stackable 72781 Aug 29 13:25 asm-commons-9.4.jar -rw-r--r-- 1 stackable stackable 52665 Aug 29 13:25 asm-tree-9.4.jar -rw-r--r-- 1 stackable stackable 310582214 Aug 29 13:25 aws-java-sdk-bundle-1.12.367.jar -rw-r--r-- 1 stackable stackable 113966 Aug 29 13:25 azure-data-lake-store-sdk-2.3.9.jar -rw-r--r-- 1 stackable stackable 10288 Aug 29 13:25 azure-keyvault-core-1.0.0.jar -rw-r--r-- 1 stackable stackable 815331 Aug 29 13:25 azure-storage-7.0.1.jar -rw-r--r-- 1 stackable stackable 887800 Aug 29 13:25 bcpkix-jdk15on-1.68.jar -rw-r--r-- 1 stackable stackable 5961178 Aug 29 13:25 bcprov-jdk15on-1.68.jar -rw-r--r-- 1 stackable stackable 51322 Aug 29 13:25 commons-csv-1.9.0.jar -rw-r--r-- 1 stackable stackable 1726527 Aug 29 13:25 ehcache-3.3.1.jar -rw-r--r-- 1 stackable stackable 387689 Aug 29 13:25 fst-2.50.jar -rw-r--r-- 1 stackable stackable 55236 Aug 29 13:25 geronimo-jcache_1.0_spec-1.0-alpha-1.jar -rw-r--r-- 1 stackable stackable 668235 Aug 29 13:25 guice-4.0.jar -rw-r--r-- 1 stackable stackable 76983 Aug 29 13:25 guice-servlet-4.0.jar -rw-r--r-- 1 stackable stackable 63447 Aug 29 13:25 hadoop-aliyun-3.3.6.jar -rw-r--r-- 1 stackable stackable 27297 Aug 29 13:25 hadoop-archive-logs-3.3.6.jar -rw-r--r-- 1 stackable stackable 28222 Aug 29 13:25 hadoop-archives-3.3.6.jar -rw-r--r-- 1 stackable stackable 781219 Aug 29 13:25 hadoop-aws-3.3.6.jar -rw-r--r-- 1 stackable stackable 607060 Aug 29 13:25 hadoop-azure-3.3.6.jar -rw-r--r-- 1 stackable stackable 32292 Aug 29 13:25 hadoop-azure-datalake-3.3.6.jar -rw-r--r-- 1 stackable stackable 8568 Aug 29 13:25 hadoop-client-3.3.6.jar -rw-r--r-- 1 stackable stackable 20766 Aug 29 13:25 hadoop-datajoin-3.3.6.jar -rw-r--r-- 1 stackable stackable 158995 Aug 29 13:25 hadoop-distcp-3.3.6.jar -rw-r--r-- 1 stackable stackable 22430 Aug 29 13:25 hadoop-dynamometer-blockgen-3.3.6.jar -rw-r--r-- 1 stackable stackable 80062 Aug 29 13:25 hadoop-dynamometer-infra-3.3.6.jar -rw-r--r-- 1 stackable stackable 54226 Aug 29 13:25 hadoop-dynamometer-workload-3.3.6.jar -rw-r--r-- 1 stackable stackable 27525 Aug 29 13:25 hadoop-extras-3.3.6.jar -rw-r--r-- 1 stackable stackable 50900 Aug 29 13:25 hadoop-fs2img-3.3.6.jar -rw-r--r-- 1 stackable stackable 223354 Aug 29 13:25 hadoop-gridmix-3.3.6.jar -rw-r--r-- 1 stackable stackable 12811 Aug 29 13:25 hadoop-kafka-3.3.6.jar -rw-r--r-- 1 stackable stackable 68244 Aug 29 13:25 hadoop-resourceestimator-3.3.6.jar -rw-r--r-- 1 stackable stackable 286163 Aug 29 13:25 hadoop-rumen-3.3.6.jar -rw-r--r-- 1 stackable stackable 369465 Aug 29 13:25 hadoop-sls-3.3.6.jar -rw-r--r-- 1 stackable stackable 140777 Aug 29 13:25 hadoop-streaming-3.3.6.jar -rw-r--r-- 1 stackable stackable 3640007 Aug 29 13:25 hadoop-yarn-api-3.3.6.jar -rw-r--r-- 1 stackable stackable 286186 Aug 29 13:25 hadoop-yarn-client-3.3.6.jar -rw-r--r-- 1 stackable stackable 2435566 Aug 29 13:25 hadoop-yarn-common-3.3.6.jar -rw-r--r-- 1 stackable stackable 45024 Aug 29 13:25 hamcrest-core-1.3.jar -rw-r--r-- 1 stackable stackable 102220 Aug 29 13:25 ini4j-0.5.4.jar -rw-r--r-- 1 stackable stackable 35847 Aug 29 13:25 jackson-jaxrs-base-2.12.7.jar -rw-r--r-- 1 stackable stackable 16433 Aug 29 13:25 jackson-jaxrs-json-provider-2.12.7.jar -rw-r--r-- 1 stackable stackable 36576 Aug 29 13:25 jackson-module-jaxb-annotations-2.12.7.jar -rw-r--r-- 1 stackable stackable 115498 Aug 29 13:25 jakarta.xml.bind-api-2.3.2.jar -rw-r--r-- 1 stackable stackable 58487 Aug 29 13:25 java-util-1.9.0.jar -rw-r--r-- 1 stackable stackable 168057 Aug 29 13:25 javax-websocket-client-impl-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 47861 Aug 29 13:25 javax-websocket-server-impl-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 26586 Aug 29 13:25 javax.annotation-api-1.3.2.jar -rw-r--r-- 1 stackable stackable 2497 Aug 29 13:25 javax.inject-1.jar -rw-r--r-- 1 stackable stackable 36611 Aug 29 13:25 javax.websocket-api-1.0.jar -rw-r--r-- 1 stackable stackable 27011 Aug 29 13:25 javax.websocket-client-api-1.0.jar -rw-r--r-- 1 stackable stackable 304924 Aug 29 13:25 jdom2-2.0.6.jar -rw-r--r-- 1 stackable stackable 134066 Aug 29 13:25 jersey-client-1.19.4.jar -rw-r--r-- 1 stackable stackable 16151 Aug 29 13:25 jersey-guice-1.19.4.jar -rw-r--r-- 1 stackable stackable 86708 Aug 29 13:25 jetty-annotations-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 327919 Aug 29 13:25 jetty-client-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 46770 Aug 29 13:25 jetty-jndi-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 65616 Aug 29 13:25 jetty-plus-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 707273 Aug 29 13:25 jline-3.9.0.jar -rw-r--r-- 1 stackable stackable 1488769 Aug 29 13:25 jna-5.2.0.jar -rw-r--r-- 1 stackable stackable 384581 Aug 29 13:25 junit-4.13.2.jar -rw-r--r-- 1 stackable stackable 4639857 Aug 29 13:25 kafka-clients-2.8.2.jar -rw-r--r-- 1 stackable stackable 649950 Aug 29 13:25 lz4-java-1.7.1.jar -rw-r--r-- 1 stackable stackable 792442 Aug 29 13:25 mssql-jdbc-6.2.1.jre7.jar -rw-r--r-- 1 stackable stackable 55684 Aug 29 13:25 objenesis-2.6.jar -rw-r--r-- 1 stackable stackable 1664497 Aug 29 13:25 ojalgo-43.0.jar -rw-r--r-- 1 stackable stackable 18189 Aug 29 13:25 opentracing-api-0.33.0.jar -rw-r--r-- 1 stackable stackable 10542 Aug 29 13:25 opentracing-noop-0.33.0.jar -rw-r--r-- 1 stackable stackable 7504 Aug 29 13:25 opentracing-util-0.33.0.jar -rw-r--r-- 1 stackable stackable 281989 Aug 29 13:25 org.jacoco.agent-0.8.5-runtime.jar -rw-r--r-- 1 stackable stackable 52177 Aug 29 13:25 websocket-api-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 45621 Aug 29 13:25 websocket-client-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 214628 Aug 29 13:25 websocket-common-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 45511 Aug 29 13:25 websocket-server-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 30316 Aug 29 13:25 websocket-servlet-9.4.51.v20230217.jar -rw-r--r-- 1 stackable stackable 436580 Aug 29 13:25 wildfly-openssl-1.1.3.Final.jar -rw-r--r-- 1 stackable stackable 6474018 Aug 29 13:25 zstd-jni-1.4.9-1.jar ```

razvan commented 2 months ago

HBase

The first attempt to remove unused components focused on Phoenix. After realising that > 50% of CVEs in the HBase image come from the jackson-databind 2.4.0 the focus was shifted to removing this dependency.

This PR #820 removes it from the phoenix-server component and the number of CVEs is reduced from 502 to 229.

CI for PR #820 https://testing.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/hbase-operator-it-custom/

razvan commented 2 months ago

HBase - replace htrace with the noop version

Looked into replacing the htrace dependency with it's no-op version as done in the Omid image by @soenkeliebau . Htrace 3.5.0 brings in the offendingjackson-databind as a transitive dependency into Phoenix.

Unfortunately it is not possible to replace htrace 3.5.0 with htrace-noop 3.5.0 . The noop version is only a drop in replacement for htrace-core4 :(

On the upside, Phoenix will hopefully replace htrace with opentelemetry soon: https://github.com/apache/phoenix/pull/1282

stackabletech / docker-images

Slim down product images #816