diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
index cd1b0cb1c5..7a43fcb64c 100644
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -14,7 +14,7 @@ fail_fast:
when: "true"
execution_time_limit:
- hours: 1
+ hours: 2
queue:
- when: "branch != 'master' and branch !~ '[0-9]+\\.[0-9]+\\.[0-9]+'"
@@ -99,6 +99,7 @@ global_job_config:
- export DOCKER_DEV_TAG="dev-$BRANCH_TAG-$BUILD_NUMBER"
- export AMD_ARCH=.amd64
- export ARM_ARCH=.arm64
+ - export S390X_ARCH=.s390x
blocks:
- name: Validation
dependencies: []
@@ -123,8 +124,10 @@ blocks:
- ci-tools ci-update-version
- export OS_PACKAGES_URL=$(echo "$PACKAGES_URL" | sed "s/PACKAGE_TYPE/rpm/g")
- export PACKAGING_BUILD_ARGS="$PACKAGING_BUILD_ARGS -DCONFLUENT_PACKAGES_REPO=$OS_PACKAGES_URL"
- - mvn -Dmaven.wagon.http.retryHandler.count=3 --batch-mode -P jenkins,docker clean install dependency:analyze validate -U -Ddocker.registry=$DOCKER_DEV_REGISTRY
- -Ddocker.upstream-registry=$DOCKER_UPSTREAM_REGISTRY -DBUILD_NUMBER=$BUILD_NUMBER -DGIT_COMMIT=$GIT_COMMIT -Ddocker.tag=$DOCKER_DEV_TAG$OS_TAG$AMD_ARCH
+ # Build artifacts with Maven (skip Docker image build, use docker CLI instead)
+ # Let Maven build Docker images for AMD (it handles all build args automatically)
+ - mvn -Dmaven.wagon.http.retryHandler.count=3 --batch-mode -P jenkins,docker clean install dependency:analyze validate -U -Ddocker.registry=$DOCKER_DEV_REGISTRY
+ -Ddocker.upstream-registry=$DOCKER_UPSTREAM_REGISTRY -DBUILD_NUMBER=$BUILD_NUMBER -DGIT_COMMIT=$GIT_COMMIT -Ddocker.tag=$DOCKER_DEV_TAG$OS_TAG$AMD_ARCH
-Ddocker.upstream-tag=$DOCKER_UPSTREAM_TAG$OS_TAG -Darch.type=$AMD_ARCH -Ddocker.os_type=ubi9 $PACKAGING_BUILD_ARGS -Ddependency.check.skip=true $MAVEN_EXTRA_ARGS
- . cache-maven store
- >-
@@ -156,17 +159,139 @@ blocks:
- export OS_PACKAGES_URL=$(echo "$PACKAGES_URL" | sed "s/PACKAGE_TYPE/rpm/g")
- export PACKAGING_BUILD_ARGS="$PACKAGING_BUILD_ARGS -DCONFLUENT_PACKAGES_REPO=$OS_PACKAGES_URL"
- ci-tools ci-update-version
- - mvn -Dmaven.wagon.http.retryHandler.count=3 --batch-mode -P jenkins,docker clean install dependency:analyze validate -U -Ddocker.registry=$DOCKER_DEV_REGISTRY
- -Ddocker.upstream-registry=$DOCKER_UPSTREAM_REGISTRY -DBUILD_NUMBER=$BUILD_NUMBER -DGIT_COMMIT=$GIT_COMMIT -Ddocker.tag=$DOCKER_DEV_TAG$OS_TAG$ARM_ARCH
+ # Let Maven build Docker images for ARM (it handles all build args automatically)
+ - mvn -Dmaven.wagon.http.retryHandler.count=3 --batch-mode -P jenkins,docker clean install dependency:analyze validate -U -Ddocker.registry=$DOCKER_DEV_REGISTRY
+ -Ddocker.upstream-registry=$DOCKER_UPSTREAM_REGISTRY -DBUILD_NUMBER=$BUILD_NUMBER -DGIT_COMMIT=$GIT_COMMIT -Ddocker.tag=$DOCKER_DEV_TAG$OS_TAG$ARM_ARCH
-Ddocker.upstream-tag=$DOCKER_UPSTREAM_TAG$OS_TAG -Darch.type=$ARM_ARCH -Ddocker.os_type=ubi9 $PACKAGING_BUILD_ARGS -Ddependency.check.skip=true $MAVEN_EXTRA_ARGS
- . cache-maven store
- - for image in $ARM_DOCKER_DEV_FULL_IMAGES; do echo "Pushing $image" && docker push $image; done
epilogue:
always:
commands:
- . publish-test-results
- artifact push workflow target/test-results
- artifact push workflow target --destination target-ARM
+ - name: Build & Test S390X
+ dependencies: ["Validation"]
+ run:
+ when: "pull_request =~ '.*'"
+ execution_time_limit:
+ hours: 2
+ task:
+ agent:
+ machine:
+ type: s1-prod-ubuntu24-04-amd64-1
+ jobs:
+ - name: Build & Test ubi9
+ commands:
+ # Setup QEMU for s390x emulation
+ - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+ - docker buildx create --name s390x-builder --use || docker buildx use s390x-builder
+ - docker buildx inspect --bootstrap
+ - export OS_TAG="-ubi9"
+ - export DOCKER_DEV_FULL_IMAGES=$DOCKER_DEV_REGISTRY${DOCKER_REPOS// /:$DOCKER_DEV_TAG$OS_TAG $DOCKER_DEV_REGISTRY}:$DOCKER_DEV_TAG$OS_TAG
+ - export S390X_DOCKER_DEV_FULL_IMAGES=${DOCKER_DEV_FULL_IMAGES// /$S390X_ARCH }$S390X_ARCH
+ - export OS_PACKAGES_URL=$(echo "$PACKAGES_URL" | sed "s/PACKAGE_TYPE/rpm/g")
+ - export PACKAGING_BUILD_ARGS="$PACKAGING_BUILD_ARGS -DCONFLUENT_PACKAGES_REPO=$OS_PACKAGES_URL"
+ - ci-tools ci-update-version
+ # Build artifacts with Maven (skip Docker image build, use docker buildx instead)
+ - mvn -Dmaven.wagon.http.retryHandler.count=3 --batch-mode -P jenkins,docker clean install dependency:analyze validate -U -Ddocker.registry=$DOCKER_DEV_REGISTRY
+ -Ddocker.upstream-registry=$DOCKER_UPSTREAM_REGISTRY -DBUILD_NUMBER=$BUILD_NUMBER -DGIT_COMMIT=$GIT_COMMIT -Ddocker.tag=$DOCKER_DEV_TAG$OS_TAG$S390X_ARCH
+ -Ddocker.upstream-tag=$DOCKER_UPSTREAM_TAG$OS_TAG -Darch.type=$S390X_ARCH -Ddocker.os_type=ubi9 -Ddocker.skip-build=true -Ddocker.skip-test=true $PACKAGING_BUILD_ARGS -Ddependency.check.skip=true $MAVEN_EXTRA_ARGS
+ - . cache-maven store
+ # Extract essential version properties from pom.xml for docker build args
+ - export PROJECT_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+ - export UBI9_MINIMAL_VERSION=$(mvn help:evaluate -Dexpression=ubi9-minimal.image.version -q -DforceStdout)
+ - export UBI9_MICRO_VERSION=$(mvn help:evaluate -Dexpression=ubi9-micro.image.version -q -DforceStdout)
+ - export UBI9_VERSION=$(mvn help:evaluate -Dexpression=ubi9.image.version -q -DforceStdout)
+ - export GOLANG_VERSION=$(mvn help:evaluate -Dexpression=golang.image.version -q -DforceStdout)
+ - export CP_DOCKER_UTILS_VERSION=$(mvn help:evaluate -Dexpression=git-repo.cp-docker-utils.tag -q -DforceStdout)
+ - export CONFLUENT_DOCKER_UTILS_VERSION=$(mvn help:evaluate -Dexpression=git-repo.confluent-docker-utils.tag -q -DforceStdout)
+ # Manually create package directories (Maven skip-build doesn't create them)
+ - mkdir -p base/target/cp-base-new-${PROJECT_VERSION}-package/share/{doc,java/cp-base-new}
+ - mkdir -p base-java/target/cp-base-java-${PROJECT_VERSION}-package/share/{doc,java/cp-base-java}
+ - mkdir -p base-java-micro/target/cp-base-java-micro-${PROJECT_VERSION}-package/share/{doc,java/cp-base-java-micro}
+ - mkdir -p base-lite/target/cp-base-lite-${PROJECT_VERSION}-package/share/{doc,java/cp-base-lite}
+ # Create README files in doc directories (Docker COPY wildcards require at least one file)
+ - echo "Confluent Platform Base Image" > base/target/cp-base-new-${PROJECT_VERSION}-package/share/doc/README.txt
+ - echo "Confluent Platform Base Java Image" > base-java/target/cp-base-java-${PROJECT_VERSION}-package/share/doc/README.txt
+ - echo "Confluent Platform Base Java Micro Image" > base-java-micro/target/cp-base-java-micro-${PROJECT_VERSION}-package/share/doc/README.txt
+ - echo "Confluent Platform Base Lite Image" > base-lite/target/cp-base-lite-${PROJECT_VERSION}-package/share/doc/README.txt
+ # Copy built JARs to package structure
+ - cp utility-belt/target/*.jar base/target/cp-base-new-${PROJECT_VERSION}-package/share/java/cp-base-new/ 2>/dev/null || true
+ - cp utility-belt/target/*.jar base-java/target/cp-base-java-${PROJECT_VERSION}-package/share/java/cp-base-java/ 2>/dev/null || true
+ - cp utility-belt/target/*.jar base-java-micro/target/cp-base-java-micro-${PROJECT_VERSION}-package/share/java/cp-base-java-micro/ 2>/dev/null || true
+ - cp utility-belt/target/*.jar base-lite/target/cp-base-lite-${PROJECT_VERSION}-package/share/java/cp-base-lite/ 2>/dev/null || true
+ # Build Docker images with docker buildx for s390x platform with all required build args
+ # Build cp-base-new (base image for others)
+ - |
+ docker buildx build --platform linux/s390x --load \
+ -t ${DOCKER_DEV_REGISTRY}confluentinc/cp-base-new:${DOCKER_DEV_TAG}${OS_TAG}${S390X_ARCH} \
+ -f base/Dockerfile.ubi9 \
+ --build-arg ARTIFACT_ID=cp-base-new \
+ --build-arg PROJECT_VERSION=${PROJECT_VERSION} \
+ --build-arg GIT_COMMIT=${GIT_COMMIT} \
+ --build-arg BUILD_NUMBER=${BUILD_NUMBER} \
+ --build-arg UBI_MINIMAL_VERSION=${UBI9_MINIMAL_VERSION} \
+ --build-arg PYTHON_CONFLUENT_DOCKER_UTILS_VERSION=${CONFLUENT_DOCKER_UTILS_VERSION} \
+ base/
+ # Push cp-base-new immediately (jmxterm depends on it being in registry)
+ - docker push ${DOCKER_DEV_REGISTRY}confluentinc/cp-base-new:${DOCKER_DEV_TAG}${OS_TAG}${S390X_ARCH}
+ # Build cp-base-java (uses s390x-specific Dockerfile with cross-compilation)
+ - |
+ docker buildx build --platform linux/s390x --load \
+ -t ${DOCKER_DEV_REGISTRY}confluentinc/cp-base-java:${DOCKER_DEV_TAG}${OS_TAG}${S390X_ARCH} \
+ -f base-java/Dockerfile.ubi9.s390x \
+ --build-arg ARTIFACT_ID=cp-base-java \
+ --build-arg PROJECT_VERSION=${PROJECT_VERSION} \
+ --build-arg GIT_COMMIT=${GIT_COMMIT} \
+ --build-arg BUILD_NUMBER=${BUILD_NUMBER} \
+ --build-arg UBI_MINIMAL_VERSION=${UBI9_MINIMAL_VERSION} \
+ --build-arg GOLANG_VERSION=${GOLANG_VERSION} \
+ --build-arg CP_DOCKER_UTILS_VERSION=${CP_DOCKER_UTILS_VERSION} \
+ base-java/
+ # Build cp-base-java-micro (uses s390x-specific Dockerfile with cross-compilation)
+ - |
+ docker buildx build --platform linux/s390x --load \
+ -t ${DOCKER_DEV_REGISTRY}confluentinc/cp-base-java-micro:${DOCKER_DEV_TAG}${OS_TAG}${S390X_ARCH} \
+ -f base-java-micro/Dockerfile.ubi9.s390x \
+ --build-arg ARTIFACT_ID=cp-base-java-micro \
+ --build-arg PROJECT_VERSION=${PROJECT_VERSION} \
+ --build-arg GIT_COMMIT=${GIT_COMMIT} \
+ --build-arg BUILD_NUMBER=${BUILD_NUMBER} \
+ --build-arg UBI_MICRO_VERSION=${UBI9_MICRO_VERSION} \
+ --build-arg UBI9_VERSION=${UBI9_VERSION} \
+ --build-arg GOLANG_VERSION=${GOLANG_VERSION} \
+ --build-arg CP_DOCKER_UTILS_VERSION=${CP_DOCKER_UTILS_VERSION} \
+ base-java-micro/
+ # Build cp-base-lite (uses s390x-specific Dockerfile with cross-compilation)
+ - |
+ docker buildx build --platform linux/s390x --load \
+ -t ${DOCKER_DEV_REGISTRY}confluentinc/cp-base-lite:${DOCKER_DEV_TAG}${OS_TAG}${S390X_ARCH} \
+ -f base-lite/Dockerfile.ubi9.s390x \
+ --build-arg ARTIFACT_ID=cp-base-lite \
+ --build-arg PROJECT_VERSION=${PROJECT_VERSION} \
+ --build-arg GIT_COMMIT=${GIT_COMMIT} \
+ --build-arg BUILD_NUMBER=${BUILD_NUMBER} \
+ --build-arg UBI_MINIMAL_VERSION=${UBI9_MINIMAL_VERSION} \
+ --build-arg GOLANG_VERSION=${GOLANG_VERSION} \
+ base-lite/
+ # Build cp-jmxterm (depends on cp-base-new)
+ - |
+ docker buildx build --platform linux/s390x --load \
+ -t ${DOCKER_DEV_REGISTRY}confluentinc/cp-jmxterm:${DOCKER_DEV_TAG}${OS_TAG}${S390X_ARCH} \
+ -f jmxterm/Dockerfile.ubi9 \
+ --build-arg DOCKER_REGISTRY=${DOCKER_DEV_REGISTRY} \
+ --build-arg DOCKER_TAG=${DOCKER_DEV_TAG}${OS_TAG}${S390X_ARCH} \
+ jmxterm/
+ # Verify images are built for s390x architecture
+ - for image in $S390X_DOCKER_DEV_FULL_IMAGES; do echo "Checking architecture of $image:" && docker inspect --format='{{.Architecture}}' $image; done
+ - for image in $S390X_DOCKER_DEV_FULL_IMAGES; do echo "Pushing $image" && docker push $image; done
+ epilogue:
+ always:
+ commands:
+ - . publish-test-results
+ - artifact push workflow target/test-results
+ - artifact push workflow target --destination target-S390X
after_pipeline:
task:
agent:
@@ -184,4 +309,5 @@ after_pipeline:
- checkout
- artifact pull workflow target-AMD
- artifact pull workflow target-ARM
+ - artifact pull workflow target-S390X
- emit-sonarqube-data --run_only_sonar_scan
diff --git a/base-java-micro/Dockerfile.ubi9.s390x b/base-java-micro/Dockerfile.ubi9.s390x
new file mode 100644
index 0000000000..4b31b4e418
--- /dev/null
+++ b/base-java-micro/Dockerfile.ubi9.s390x
@@ -0,0 +1,126 @@
+# syntax=docker/dockerfile:1
+
+ARG APP_UID=1000
+ARG APP_GID=1000
+
+ARG UBI_MICRO_VERSION
+ARG UBI9_VERSION
+ARG GOLANG_VERSION
+
+# Helpers for cross-compilation using clang
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0 AS xx
+
+# --- Stage 1: Build Go Binaries ---
+FROM --platform=$BUILDPLATFORM docker.io/golang:${GOLANG_VERSION} AS build-ub-package-dedupe
+COPY --from=xx / /
+RUN apt-get update && apt-get install -y clang lld git
+WORKDIR /build
+
+ARG CP_DOCKER_UTILS_VERSION
+ARG TARGETPLATFORM
+
+RUN xx-apt-get install -y libc6-dev gcc g++
+# This wraps the go compiler to enable cross-compilation by default
+RUN xx-go --wrap
+
+# Clone and build cp-docker-utils binaries with cross-compilation
+RUN git clone --depth 1 --branch ${CP_DOCKER_UTILS_VERSION} https://github.com/confluentinc/cp-docker-utils.git
+
+WORKDIR /build/cp-docker-utils/cmd/ub
+RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o /usr/local/bin/ub
+
+WORKDIR /build/cp-docker-utils/cmd/package_dedupe
+RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o /usr/local/bin/package_dedupe
+
+# --- Stage 2: Prepare the Micro Rootfs (using ubi9) ---
+FROM registry.access.redhat.com/ubi9:${UBI9_VERSION} AS jdk-builder
+ARG APP_UID
+ARG APP_GID
+ARG TEMURIN_JDK_VERSION
+ARG PROCPS_VERSION
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION
+ARG FINDUTILS_VERSION
+ARG HOSTNAME_VERSION
+ARG SHADOW_UTILS_VERSION
+
+RUN printf "[temurin-jre] \n\
+name=temurin-jre \n\
+baseurl=https://adoptium.jfrog.io/artifactory/rpm/rhel/\$releasever/\$basearch \n\
+enabled=1 \n\
+gpgcheck=1 \n\
+gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
+" > /etc/yum.repos.d/adoptium.repo
+
+RUN mkdir -p /microdir
+
+RUN echo "Installing temurin-21-jre:${TEMURIN_JDK_VERSION}" \
+ && dnf install --installroot=/microdir --releasever=9 --setopt=install_weak_deps=False --nodocs -y \
+ temurin-21-jre${TEMURIN_JDK_VERSION} \
+ procps-ng${PROCPS_VERSION} \
+ crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION} \
+ findutils${FINDUTILS_VERSION} \
+ hostname${HOSTNAME_VERSION} \
+ shadow-utils${SHADOW_UTILS_VERSION} \
+ && dnf --installroot=/microdir clean all \
+ && rm -rf /microdir/var/cache/* /microdir/var/log/dnf* /microdir/var/log/yum.* \
+ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+
+# Create the user/group with EXPLICIT IDs inside the micro rootfs
+RUN chroot /microdir groupadd -g ${APP_GID} appuser && \
+ chroot /microdir useradd -u ${APP_UID} -g ${APP_GID} --no-log-init --create-home --shell /bin/bash appuser
+
+# --- Stage 3: Final Image (ubi9-micro) ---
+FROM registry.access.redhat.com/ubi9-micro:${UBI_MICRO_VERSION} AS REFRESH
+
+# Re-declare ARGs to bring them into this scope
+ARG APP_UID
+ARG APP_GID
+ARG PROJECT_VERSION
+ARG ARTIFACT_ID
+ARG GIT_COMMIT
+ARG BUILD_NUMBER=-1
+
+# EXPORT these as ENV so downstream images can use them via ${APP_UID}
+ENV APP_UID=${APP_UID}
+ENV APP_GID=${APP_GID}
+
+LABEL io.confluent.docker.git.repo="confluentinc/common-docker" \
+ io.confluent.docker.git.id=$GIT_COMMIT \
+ io.confluent.docker.build.number=$BUILD_NUMBER \
+ maintainer="tools@confluent.io" \
+ vendor="Confluent" \
+ version=$GIT_COMMIT \
+ release=$PROJECT_VERSION \
+ name=$ARTIFACT_ID \
+ summary="Common base image for new Confluent ultra-lightweight Docker images based on ubi9-micro." \
+ description="Common base image for Confluent ultra-lightweight Docker images based on ubi9-micro." \
+ io.confluent.docker=true
+
+ENV LANG="C.UTF-8"
+ENV USE_LOG4J_2="True"
+
+COPY --from=jdk-builder /microdir/ /
+
+RUN update-crypto-policies --set FIPS && \
+ mkdir -p /etc/confluent/docker /usr/logs /licenses && \
+ chown ${APP_UID}:${APP_GID} -R /etc/confluent/ /usr/logs
+
+COPY license.txt /licenses
+
+COPY --from=build-ub-package-dedupe --chown=${APP_UID}:${APP_GID} /usr/local/bin/package_dedupe /usr/bin/package_dedupe
+COPY --from=build-ub-package-dedupe --chown=${APP_UID}:${APP_GID} /usr/local/bin/ub /usr/bin/ub
+
+COPY --chown=${APP_UID}:${APP_GID} target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/
+COPY --chown=${APP_UID}:${APP_GID} target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/
+COPY --chown=${APP_UID}:${APP_GID} include/etc/confluent/docker /etc/confluent/docker
+COPY --chown=${APP_UID}:${APP_GID} include/etc/cp-base-java-micro /etc/cp-base-java-micro
+
+# Some components have hardcoded paths to /usr/share/java/cp-base-new, so to keep backward compatibility a symlink is created
+RUN ln -s /usr/share/java/${ARTIFACT_ID} /usr/share/java/cp-base-new
+
+# Disable setuid/setgid bits for security
+RUN find / -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true
+
+# Switch to the numeric UID for runtime security
+USER ${APP_UID}
+WORKDIR /home/appuser
diff --git a/base-java-micro/pom.xml b/base-java-micro/pom.xml
index 820970d590..6cc87b386f 100644
--- a/base-java-micro/pom.xml
+++ b/base-java-micro/pom.xml
@@ -141,36 +141,6 @@
-
- io.fabric8
- docker-maven-plugin
- 0.43.4
-
-
-
-
-
- ${app.uid}
- ${app.gid}
- ${ubi9-micro.image.version}
- ${ubi9.image.version}
- -${ubi9.temurin-21-jdk.version}
- -${ubi9.procps-ng.version}
-
- ${docker.skip-security-update-check}
-
- ${golang.image.version}
- -${ubi9.crypto-policies-scripts.version}
- -${ubi9.findutils.version}
- -${ubi9.hostname.version}
- -${ubi9.shadow-utils.version}
- ${git-repo.cp-docker-utils.tag}
-
-
-
-
-
-
diff --git a/base-java/Dockerfile.ubi9.s390x b/base-java/Dockerfile.ubi9.s390x
new file mode 100644
index 0000000000..b947b363a2
--- /dev/null
+++ b/base-java/Dockerfile.ubi9.s390x
@@ -0,0 +1,107 @@
+# syntax=docker/dockerfile:1
+
+ARG GOLANG_VERSION
+ARG UBI_MINIMAL_VERSION
+
+# Helpers for cross-compilation using clang
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0 AS xx
+
+FROM --platform=$BUILDPLATFORM docker.io/golang:${GOLANG_VERSION} AS build-ub-package-dedupe
+COPY --from=xx / /
+RUN apt-get update && apt-get install -y clang lld git
+WORKDIR /build
+ARG CP_DOCKER_UTILS_VERSION
+ARG TARGETPLATFORM
+
+RUN xx-apt-get install -y libc6-dev gcc g++
+# This wraps the go compiler to enable cross-compilation by default
+RUN xx-go --wrap
+
+RUN useradd --no-log-init --create-home --shell /bin/bash appuser
+
+# Clone and build cp-docker-utils binaries with cross-compilation
+RUN git clone --depth 1 --branch ${CP_DOCKER_UTILS_VERSION} https://github.com/confluentinc/cp-docker-utils.git
+
+# CGO_ENABLED=0 flag should be removed for FedRAMP compliance builds.
+# For more details, see https://go.dev/doc/security/fips140
+WORKDIR /build/cp-docker-utils/cmd/ub
+RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o /usr/local/bin/ub
+
+# CGO_ENABLED=0 flag should be removed for FedRAMP compliance builds.
+# For more details, see https://go.dev/doc/security/fips140
+WORKDIR /build/cp-docker-utils/cmd/package_dedupe
+RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o /usr/local/bin/package_dedupe
+
+
+FROM registry.access.redhat.com/ubi9-minimal:${UBI_MINIMAL_VERSION} AS REFRESH
+ARG PROJECT_VERSION
+ARG ARTIFACT_ID
+ARG TEMURIN_JDK_VERSION
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION
+ARG FINDUTILS_VERSION
+ARG HOSTNAME_VERSION
+
+# Remember where we came from
+LABEL io.confluent.docker.git.repo="confluentinc/common-docker"
+
+ARG GIT_COMMIT
+LABEL io.confluent.docker.git.id=$GIT_COMMIT
+
+ARG BUILD_NUMBER=-1
+LABEL io.confluent.docker.build.number=$BUILD_NUMBER
+
+LABEL maintainer="tools@confluent.io"
+LABEL vendor="Confluent"
+LABEL version=$GIT_COMMIT
+LABEL release=$PROJECT_VERSION
+LABEL name=$ARTIFACT_ID
+LABEL summary="Common base image for new Confluent lightweight Docker images."
+LABEL description="Common base image for Confluent lightweight Docker images."
+LABEL io.confluent.docker=true
+# This affects how strings in Java class files are interpreted. We want UTF-8 and this is the only locale in the
+# base image that supports it
+ENV LANG="C.UTF-8"
+ENV USE_LOG4J_2="True"
+
+RUN printf "[temurin-jre] \n\
+name=temurin-jre \n\
+baseurl=https://adoptium.jfrog.io/artifactory/rpm/rhel/\$releasever/\$basearch \n\
+enabled=1 \n\
+gpgcheck=1 \n\
+gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
+" > /etc/yum.repos.d/adoptium.repo
+
+RUN echo "installing temurin-21-jre:${TEMURIN_JDK_VERSION}" \
+ && microdnf install -y temurin-21-jre${TEMURIN_JDK_VERSION} \
+ && microdnf install -y procps-ng${PROCPS_VERSION} \
+ && microdnf install -y crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION} \
+ && microdnf install -y findutils${FINDUTILS_VERSION} \
+ && microdnf install -y hostname${HOSTNAME_VERSION} \
+ && microdnf clean all \
+ && useradd --no-log-init --create-home --shell /bin/bash appuser \
+ && mkdir -p /etc/confluent/docker /usr/logs \
+ && chown appuser:appuser -R /etc/confluent/ /usr/logs \
+ && mkdir /licenses \
+ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+
+# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
+RUN update-crypto-policies --set FIPS
+
+COPY license.txt /licenses
+COPY --from=build-ub-package-dedupe /usr/local/bin/package_dedupe /usr/bin/package_dedupe
+COPY --from=build-ub-package-dedupe /usr/local/bin/ub /usr/bin/ub
+
+COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/
+COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/
+COPY --chown=appuser:appuser include/etc/confluent/docker /etc/confluent/docker
+COPY --chown=appuser:appuser include/etc/cp-base-java /etc/cp-base-java
+
+# Some components have hardcoded paths to /usr/share/java/cp-base-new, so to keep backward compatibility a symlink is created
+RUN ln -s /usr/share/java/${ARTIFACT_ID} /usr/share/java/cp-base-new
+
+# Disable setuid/setgid bits
+RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
+RUN find / -perm /6000 -type f -exec chmod g-s {} \; || true
+
+USER appuser
+WORKDIR /home/appuser
diff --git a/base-java/pom.xml b/base-java/pom.xml
index a563cde830..310c3e97ed 100644
--- a/base-java/pom.xml
+++ b/base-java/pom.xml
@@ -137,32 +137,6 @@
-
- io.fabric8
- docker-maven-plugin
- 0.43.4
-
-
-
-
-
- ${ubi9-minimal.image.version}
- -${ubi9-minimal.temurin-21-jdk.version}
- -${ubi9-minimal.procps-ng.version}
-
- ${docker.skip-security-update-check}
-
- ${golang.image.version}
- -${ubi9-minimal.crypto-policies-scripts.version}
- -${ubi9-minimal.findutils.version}
- -${ubi9-minimal.hostname.version}
- ${git-repo.cp-docker-utils.tag}
-
-
-
-
-
-
diff --git a/base-lite/Dockerfile.ubi9.s390x b/base-lite/Dockerfile.ubi9.s390x
new file mode 100644
index 0000000000..b98982f635
--- /dev/null
+++ b/base-lite/Dockerfile.ubi9.s390x
@@ -0,0 +1,112 @@
+# syntax=docker/dockerfile:1
+#
+# Copyright 2017 Confluent Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG UBI_MINIMAL_VERSION="latest"
+ARG GOLANG_VERSION
+ARG CURL_VERSION
+
+# Helpers for cross-compilation using clang
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0 AS xx
+
+FROM --platform=$BUILDPLATFORM golang:${GOLANG_VERSION} AS build-ub
+COPY --from=xx / /
+RUN apt-get update && apt-get install -y clang lld
+WORKDIR /build
+ARG TARGETPLATFORM
+RUN xx-apt-get install -y libc6-dev gcc g++
+# This wraps the go compiler to enable cross-compilation by default
+RUN xx-go --wrap
+RUN useradd --no-log-init --create-home --shell /bin/bash appuser
+COPY --chown=appuser:appuser ub/ ./
+RUN CGO_ENABLED=0 go build -ldflags="-w -s" ./ub.go
+USER appuser
+RUN go test ./...
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal:${UBI_MINIMAL_VERSION}
+
+ARG PROJECT_VERSION
+ARG ARTIFACT_ID
+ARG CURL_VERSION
+
+# Remember where we came from
+LABEL io.confluent.docker.git.repo="confluentinc/common-docker"
+
+ARG GIT_COMMIT
+LABEL io.confluent.docker.git.id=$GIT_COMMIT
+
+ARG BUILD_NUMBER=-1
+LABEL io.confluent.docker.build.number=$BUILD_NUMBER
+
+LABEL maintainer="tools@confluent.io"
+LABEL vendor="Confluent"
+LABEL version=$GIT_COMMIT
+LABEL release=$PROJECT_VERSION
+LABEL name=$ARTIFACT_ID
+LABEL summary="Common base image for new Confluent lightweight Docker images."
+LABEL description="Common base image for Confluent lightweight Docker images."
+LABEL io.confluent.docker=true
+
+# This affects how strings in Java class files are interpreted. We want UTF-8 and this is the only locale in the
+# base image that supports it
+ENV LANG="C.UTF-8"
+ENV USE_LOG4J_2="True"
+
+# Temurin JDK version
+ARG TEMURIN_JDK_VERSION=""
+
+ENV UB_CLASSPATH=/usr/share/java/cp-base-lite/*
+
+RUN printf "[temurin-jdk] \n\
+name=temurin-jdk \n\
+baseurl=https://adoptium.jfrog.io/artifactory/rpm/rhel/\$releasever/\$basearch \n\
+enabled=1 \n\
+gpgcheck=1 \n\
+gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
+" > /etc/yum.repos.d/adoptium.repo
+
+RUN microdnf --nodocs -y install yum \
+ && yum --nodocs update -y \
+ && yum --nodocs install -y --setopt=install_weak_deps=False \
+ "temurin-21-jre${TEMURIN_JDK_VERSION}" \
+ && microdnf clean all \
+ && yum clean all \
+ && rm -rf /tmp/* \
+ && mkdir -p /etc/confluent/docker /usr/logs \
+ && useradd --no-log-init --create-home --shell /bin/bash appuser \
+ && chown appuser:appuser -R /etc/confluent/ /usr/logs \
+ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+
+# This is a step that will cause the build to fail of the package manager detects a package update is availible and isn't installed.
+# The ARG SKIP_SECURITY_UPDATE_CHECK is an "escape" hatch if you want to by-pass this check and build the container anyways, which
+# is not advisable in terms of security posture. If set to false (which triggers a shell exit(1) if the check fails from the left
+# hand of ||) this check will fail. If true (which triggers a right-hand || shell exit(0)), then this check will pass even if a
+# security update is availible. We skip checks from TemurinJDK repos because Confluent pins those upstream versions for various reasons
+# such as identified bugs in TemurinJDK's software.
+ARG SKIP_SECURITY_UPDATE_CHECK="false"
+RUN yum check-update || "${SKIP_SECURITY_UPDATE_CHECK}"
+
+COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/
+COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/
+
+COPY --chown=appuser:appuser include/etc/confluent/docker /etc/confluent/docker
+COPY --chown=appuser:appuser include/etc/cp-base-lite /etc/cp-base-lite
+COPY --from=build-ub /build/ub /usr/bin
+
+RUN mkdir /licenses
+COPY license.txt /licenses
+
+USER appuser
+WORKDIR /home/appuser
diff --git a/base-lite/pom.xml b/base-lite/pom.xml
index 81c8051414..060a58a46d 100644
--- a/base-lite/pom.xml
+++ b/base-lite/pom.xml
@@ -92,27 +92,6 @@
-
- io.fabric8
- docker-maven-plugin
- 0.43.4
-
-
-
-
-
- ${ubi9-minimal.image.version}
- -${ubi9-minimal.temurin-21-jdk.version}
-
- ${docker.skip-security-update-check}
-
- ${golang.image.version}
-
-
-
-
-
-
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9
index 7eeb662384..2119e123bd 100644
--- a/base/Dockerfile.ubi9
+++ b/base/Dockerfile.ubi9
@@ -109,7 +109,11 @@ RUN microdnf --nodocs -y install yum \
&& alternatives --install /usr/bin/python python /usr/bin/python3 2000 \
&& alternatives --set python /usr/bin/python3 \
&& python3 -m pip install --upgrade "setuptools${PYTHON_SETUPTOOLS_VERSION}" \
- && python3 -m pip install --prefer-binary --prefix=/usr/local --upgrade "${PYTHON_CONFLUENT_DOCKER_UTILS_INSTALL_SPEC}" \
+ && if [ "$(uname -m)" = "s390x" ]; then \
+ echo "Skipping confluent-docker-utils installation on s390x due to Rust compilation issues with QEMU emulation"; \
+ else \
+ python3 -m pip install --prefer-binary --prefix=/usr/local --upgrade "${PYTHON_CONFLUENT_DOCKER_UTILS_INSTALL_SPEC}"; \
+ fi \
&& yum remove -y git \
&& yum clean all \
&& rm -rf /tmp/* \
diff --git a/base/pom.xml b/base/pom.xml
index 6ce60eeebb..b96d0d48d5 100644
--- a/base/pom.xml
+++ b/base/pom.xml
@@ -141,7 +141,7 @@
-${ubi9-minimal.xz-libs.version}
-${ubi9-minimal.glibc.version}
-${ubi9-minimal.findutils.version}
- -${ubi8-minimal.crypto-policies-scripts.version}
+ -${ubi9-minimal.crypto-policies-scripts.version}
-${ubi9-minimal.temurin-21-jdk.version}
-${ubi9-minimal.python3-pip.version}
==${python.setuptools.version}
@@ -150,45 +150,6 @@
-
- io.fabric8
- docker-maven-plugin
- 0.43.4
-
-
-
-
-
- ${ubi9-minimal.image.version}
- -${ubi9-minimal.openssl.version}
- -${ubi9-minimal.wget.version}
- -${ubi9-minimal.nmap-ncat.version}
- -${ubi9-minimal.python3.version}
- -${ubi9-minimal.tar.version}
- -${ubi9-minimal.procps-ng.version}
- -${ubi9-minimal.krb5-workstation.version}
-
- -${ubi9-minimal.iputils.version}
- -${ubi9-minimal.hostname.version}
- -${ubi9-minimal.xz-libs.version}
- -${ubi9-minimal.glibc.version}
- -${ubi9-minimal.findutils.version}
- -${ubi9-minimal.crypto-policies-scripts.version}
- -${ubi9-minimal.temurin-21-jdk.version}
- -${ubi9-minimal.python3-pip.version}
- ==${python.setuptools.version}
-
-
- ${git-repo.confluent-docker-utils.tag}
-
- ${docker.skip-security-update-check}
-
-
-
-
-
-
-
diff --git a/jmxterm/pom.xml b/jmxterm/pom.xml
index d3ef9a36ea..d1916a1ae2 100644
--- a/jmxterm/pom.xml
+++ b/jmxterm/pom.xml
@@ -47,4 +47,5 @@
+
diff --git a/pom.xml b/pom.xml
index d696855509..e7595fe9b6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -67,12 +67,12 @@
-->
- 8.10-1770021813
- 9.7-1769417801
+ 8.10-1768971094
+ 9.7-1768785530
9.7-1766049073
- 9.7-1769056855
+ 9.7-1768783948
- 21.0.10.0.0.7-0
+ 21.0.9.0.0.10-0
3.3.17-14.el9
20250905-1.git377cc42.el9_7
4.8.0-7.el9
@@ -92,7 +92,7 @@
2.34-231.el9_7.2
4.8.0-7.el9
20250905-1.git377cc42.el9_7
- 21.0.10.0.0.7-0
+ 21.0.9.0.0.10-0
21.3.1-1.el9
1.1.1k-14.el8_10
@@ -109,14 +109,14 @@
7.61.1-34.el8_10.9
4.6.0-24.el8_10
20230731-1.git3177e06.el8
- 17.0.18.0.0.8-0
+ 17.0.17.0.0.10-0
20.2.4-9.module+el8.10.0+21329+8d76b841
80.9.0
- v0.0.165
+ v0.0.164
v1.0.6