NMS-19504: UBI10: Create the base deploy

[mershad-manesh]

Creating a new UBI 10 branch (variant/ubi10) to support both UBI 9 and UBI 10 independently.

Java Strategy for UBI 10:

• JDK 8: Temurin binaries (used for building JICMP/JICMP6 native libraries)
• JDK 11: Temurin binaries (downloaded from Adoptium releases)
• JDK 17: Temurin binaries (downloaded from Adoptium releases)
• JDK 21: Official UBI 10 repository package

Considerations:

• JDK 11 and 17 could potentially be dropped from UBI 10 base images if not needed
• Future work: evaluate migrating dependencies to newer Java versions

[Copilot]

Pull request overview

This PR migrates the base deploy image from UBI 9 to UBI 10, updating Java distribution strategies and dependency versions to support the new base image.

Changes:

• Updated base image from ubi9-minimal to ubi10-minimal
• Changed Java strategy to use Temurin binaries for JDK 8, 11, and 17, while using UBI 10 repository packages for JDK 21
• Updated JICMP and JICMP6 versions from 3.0.0-2 to 3.0.5-1

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
Makefile	Updated base image to UBI 10, changed default Java version from 11 to 21, updated JICMP/JICMP6 versions, and modified version tag prefix
Dockerfile.tpl	Replaced UBI repository Java packages with Temurin binary downloads for JDK 8/11/17, updated JAVA_HOME configuration, and modified OpenNMS repository setup for UBI 10

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The architecture detection and URL construction logic is duplicated across JDK 8, 11, and 17 installations. Consider extracting this into a reusable function or parameterized block to reduce code duplication and improve maintainability.

Suggested change

	# if JAVA_MAJOR_VERSION is 11, use this:
	# https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.30_7.tar.gz
	RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ]; then \
	if [ "$(uname -m)" = "x86_64" ]; then \
	curl -L "https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.30_7.tar.gz" --output /tmp/openjdk.tar.gz; \
	elif [ "$(uname -m)" = "aarch64" ] || [ "$(uname -m)" = "arm64" ]; then \
	curl -L "https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_aarch64_linux_hotspot_11.0.30_7.tar.gz" --output /tmp/openjdk.tar.gz; \
	fi && \
	tar -xzf /tmp/openjdk.tar.gz -C /opt && \
	rm -f /tmp/openjdk.tar.gz; \
	fi
	# if JAVA_MAJOR_VERSION is 17, use this:
	# https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_x64_linux_hotspot_17.0.18_8.tar.gz
	RUN if [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
	if [ "$(uname -m)" = "x86_64" ]; then \
	curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_x64_linux_hotspot_17.0.18_8.tar.gz" --output /tmp/openjdk.tar.gz; \
	elif [ "$(uname -m)" = "aarch64" ] || [ "$(uname -m)" = "arm64" ]; then \
	curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_aarch64_linux_hotspot_17.0.18_8.tar.gz" --output /tmp/openjdk.tar.gz; \
	fi && \
	# if JAVA_MAJOR_VERSION is 11 or 17, use the corresponding Adoptium Temurin binary
	# e.g. for 11 (x64):
	# https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.30_7.tar.gz
	# and for 17 (x64):
	# https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_x64_linux_hotspot_17.0.18_8.tar.gz
	RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ] || [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
	ARCH_RAW="$(uname -m)"; \
	if [ "${ARCH_RAW}" = "x86_64" ]; then \
	ARCH="x64"; \
	elif [ "${ARCH_RAW}" = "aarch64" ] || [ "${ARCH_RAW}" = "arm64" ]; then \
	ARCH="aarch64"; \
	else \
	echo "Unsupported architecture: ${ARCH_RAW}"; \
	exit 1; \
	fi; \
	if [ "${JAVA_MAJOR_VERSION}" = "11" ]; then \
	BASE_URL="https://github.com/adoptium/temurin11-binaries/releases/download"; \
	JDK_TAG="jdk-11.0.30%2B7"; \
	JDK_VERSION="11.0.30_7"; \
	elif [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
	BASE_URL="https://github.com/adoptium/temurin17-binaries/releases/download"; \
	JDK_TAG="jdk-17.0.18%2B8"; \
	JDK_VERSION="17.0.18_8"; \
	fi; \
	JDK_URL="${BASE_URL}/${JDK_TAG}/OpenJDK${JAVA_MAJOR_VERSION}U-jdk_${ARCH}_linux_hotspot_${JDK_VERSION}.tar.gz"; \
	curl -L "${JDK_URL}" --output /tmp/openjdk.tar.gz && \

[Copilot]

Disabling GPG signature verification (--nodigest --nosignature --noverify) and package verification (gpgcheck=0) removes critical security checks. This exposes the build to potential package tampering. If this is temporary due to UBI 10 migration issues, consider documenting the reason and tracking removal of these flags once proper GPG keys are available.

Suggested change

	rpm -Uvh --nodigest --nosignature --noverify /tmp/repo.rpm && \
	sed -i 's/gpgcheck=1/gpgcheck=0/g' /etc/yum.repos.d/opennms*.repo && \
	rm -f /tmp/repo.rpm
	rpm -Uvh /tmp/repo.rpm && \
	rm -f /tmp/repo.rpm

[Copilot]

The JDK version paths are hardcoded (jdk-11.0.30+7, jdk-17.0.18+8) but should be derived from the actual extracted directory names to avoid breaking when JDK patch versions are updated. The tar extraction creates versioned directories that should be discovered dynamically.

Suggested change

	RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ]; then \
	ln -sf /opt/jdk-11.0.30+7 /opt/java; \
	elif [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
	ln -sf /opt/jdk-17.0.18+8 /opt/java; \
	RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ] || [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
	JDK_DIR=$(ls -d /opt/jdk-"${JAVA_MAJOR_VERSION}"* 2>/dev/null | head -n 1); \
	if [ -z "${JDK_DIR}" ]; then echo "No JDK directory found for JAVA_MAJOR_VERSION=${JAVA_MAJOR_VERSION}" >&2; exit 1; fi; \
	ln -sf "${JDK_DIR}" /opt/java; \