Add hdp3.1-hive, hdp3.1-hive-kerberized and centos7-oj8-openldap

[unidevel]

This PR added the following images:

cherry-picked a commit from trino to get hdp3.1-hive files

https://github.com/trinodb/docker-images/tree/master/archived/hdp3.1-hive

Mac with M chips

Please setup the environment before building the images

# bash/zsh
export DOCKER_DEFAULT_PLATFORM=linux/amd64

# fish
set -gx DOCKER_DEFAULT_PLATFORM linux/amd64

brew install docker-credential-helper
docker login

hive4.0-hive

(Note: HADOOP_VERSION=3.4.1 & HIVE_VERSION=4.0.1)

To build the image

make prestodb/centos7-oj8@local
make prestodb/hive4.0-hive

hdp3.1-hive

To build the image

make prestodb/centos7-oj8@local
make prestodb/hdp3.1-hive

hdp3.1-hive-kerberized

make prestodb/centos7-oj8@local
make prestodb/hdp3.1-hive-kerberized

centos7-oj8-openldap

make prestodb/centos7-oj8@local
make prestodb/centos7-oj8-openldap

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: unidevel / name: Li Zhou (7e4f3aa)

[wanglinsong]

Why is this?

[unidevel]

This comes from its original file, I'll remove later

[unidevel]

@wanglinsong Most of the files are copied from old version, I'll make it work first, then refactor the files.

[wanglinsong]

You still need the CLA Authorization.

[unidevel]

You still need the CLA Authorization.

Fixed by adding the co-author

[imjalpreet]

@unidevel We have one more image centos6-oj8-openldap which is used in Presto, should we upgrade it as well to centos7?

[unidevel]

@imjalpreet I'll investigate.

[unidevel]

@imjalpreet Added prestodb/centos7-oj8-openldap

[imjalpreet]

@unidevel thanks for the PR, I successfully ran the Presto integration tests using the hive4.0-hive, hdp3.1-hive, and hdp3.1-hive-kerberized images. However, I encountered issues with the centos7-oj8-openldap image.

The Presto server fails to start when using that image, which suggests there may be a problem with the LDAP setup or a certificate issue.

For reference, here is a sample run with centos7-oj8-openldap image: https://github.com/prestodb/presto/actions/runs/15119301841/job/42498832069?pr=25143

[imjalpreet]

Error message:

presto-master-1  | 1 error
presto-master-1  | 
presto-master-1  | ======================
presto-master-1  | Full classname legend:
presto-master-1  | ======================
presto-master-1  | AuthenticationNotSupportedException: "javax.naming.AuthenticationNotSupportedException"
presto-master-1  | LdapAuthenticator:                   "com.facebook.presto.password.ldap.LdapAuthenticator"
presto-master-1  | LdapAuthenticatorFactory:            "com.facebook.presto.password.ldap.LdapAuthenticatorFactory"
presto-master-1  | ========================
presto-master-1  | End of classname legend:
presto-master-1  | ========================
presto-master-1  | 
presto-master-1  | 	at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:576)
presto-master-1  | 	at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:190)
presto-master-1  | 	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:113)
presto-master-1  | 	at com.google.inject.Guice.createInjector(Guice.java:87)
presto-master-1  | 	at com.facebook.airlift.bootstrap.Bootstrap.initialize(Bootstrap.java:263)
presto-master-1  | 	at com.facebook.presto.password.ldap.LdapAuthenticatorFactory.create(LdapAuthenticatorFactory.java:49)
presto-master-1  | 	at com.facebook.presto.server.security.PasswordAuthenticatorManager.loadPasswordAuthenticator(PasswordAuthenticatorManager.java:75)
presto-master-1  | 	at com.facebook.presto.server.PrestoServer.run(PrestoServer.java:183)
presto-master-1  | 	at com.facebook.presto.server.PrestoServer.main(PrestoServer.java:96)
presto-master-1  | Caused by: java.lang.RuntimeException: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
presto-master-1  | 	at com.facebook.presto.password.ldap.LdapAuthenticator.checkEnvironment(LdapAuthenticator.java:184)
presto-master-1  | 	at com.facebook.presto.password.ldap.LdapAuthenticator.<init>(LdapAuthenticator.java:79)
presto-master-1  | 	at com.facebook.presto.password.ldap.LdapAuthenticator$$FastClassByGuice$$1807621.GUICE$TRAMPOLINE(<generated>)
presto-master-1  | 	at com.facebook.presto.password.ldap.LdapAuthenticator$$FastClassByGuice$$1807621.apply(<generated>)
presto-master-1  | 	at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
presto-master-1  | 	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
presto-master-1  | 	at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
presto-master-1  | 	at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
presto-master-1  | 	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
presto-master-1  | 	at com.facebook.airlift.bootstrap.LifeCycleModule.provision(LifeCycleModule.java:54)
presto-master-1  | 	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
presto-master-1  | 	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
presto-master-1  | 	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
presto-master-1  | 	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
presto-master-1  | 	at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
presto-master-1  | 	at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
presto-master-1  | 	at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
presto-master-1  | 	at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:213)
presto-master-1  | 	at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:186)
presto-master-1  | 	... 7 more
presto-master-1  | Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3252)
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993)
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2907)
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
presto-master-1  | 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
presto-master-1  | 	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
presto-master-1  | 	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
presto-master-1  | 	at javax.naming.InitialContext.init(InitialContext.java:244)
presto-master-1  | 	at javax.naming.InitialContext.<init>(InitialContext.java:216)
presto-master-1  | 	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
presto-master-1  | 	at com.facebook.presto.password.jndi.JndiUtils.createDirContext(JndiUtils.java:30)
presto-master-1  | 	at com.facebook.presto.password.ldap.LdapAuthenticator.checkEnvironment(LdapAuthenticator.java:181)
presto-master-1  | 	... 25 more

[unidevel]

@imjalpreet the openldap seems removed the anonymous bind after upgrade, I have to remove the bind_anon to make it work, but I think this may need to be addressed in the presto code.

#dn: cn=config
#changetype: modify
#add: olcDisallows
#olcDisallows: bind_anon

[unidevel]

Removed olcDisallows: bind_anon

[imjalpreet]

Thank you for looking into it, I will test with this change. Just to get some more idea, is this something that wasn't configured in the old centos6 image?

[imjalpreet]

I triggered another run with the new image, the anonymous bind error is fixed, but there are a couple of other test failures related to keystore/truststore(https://github.com/prestodb/presto/actions/runs/15119301841/job/42634779349?pr=25143). I will investigate. Thank you for the temporary fix.

[unidevel]

@imjalpreet I noticed the default jdk is zulu jdk 11 in centos7-oj8, I updated it to jdk 1.8.0. Since the openldap updated the keystore only for jdk 1.8.0 that may cause the case failed, you need update both centos7-oj8 and centos7-oj8-openldap to test

make prestodb/centos7-oj8@local
make prestodb/centos7-oj8-openldap

[imjalpreet]

Actually it was just a change in the error message, the tests passed after a small fix

[imjalpreet]

https://github.com/prestodb/presto/actions/runs/15163849899/job/42636364136

[unidevel]

removed the last commit since it is not necessary.

[imjalpreet]

@unidevel I am also testing some Presto changes so that we can disable anonymous bind again. I will update you once I have verified my change.

Can you confirm if only these 4 lines need to be uncommented to disable anonymous bind or are there any other changes we will have to revert?

[unidevel]

The commit include other changes => unidevel@bceb4de, you need rebuild the image centos7-oj8-openldap, then build hive4.0-hive.

Since the hive4.0-hive is removed from this PR, you can checkout my new branch https://github.com/unidevel/docker-images/tree/hive4.0-hive, to build the images

[imjalpreet]

@unidevel, would you mind creating a separate PR for the hive4.0-hive image? We are ready to release the remaining images, but Hive needs a little bit more time.

[imjalpreet]

Also, could we squash the commits into fewer commits, perhaps one per image, or in any way that you think makes the most sense?

[unidevel]

Also, could we squash the commits into fewer commits, perhaps one per image, or in any way that you think makes the most sense?

Sure, will update later

[unidevel]

squashed into one commit.

[unidevel]

Removed hive4.0-hive

[imjalpreet]

I’ve verified the latest images in this PR: prestodb/presto#24799, and everything looks good.

Just had a quick question, should we consider moving the release.yml and .gitignore changes into a separate commit?

[imjalpreet]

Thanks, LGTM

[imjalpreet]

@tdcmeehan, could you please help merge this, too? thanks!