Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump hadoop version to 3.3.4 #17002

Merged
merged 1 commit into from
Oct 30, 2023
Merged

Bump hadoop version to 3.3.4 #17002

merged 1 commit into from
Oct 30, 2023

Conversation

fengshunli
Copy link
Contributor

@fengshunli fengshunli commented Mar 3, 2023
edited by dbw9580
Loading

What changes are proposed in this pull request?

Bump Hadoop version from 3.3.1 to 3.3.4.

Why are the changes needed?

Fix hadoop CVE-2021-37404.

Does this PR introduce any user facing changes?

Hadoop version bump.

@alluxio-bot alluxio-bot added POM Change API Change Changes covering public API labels Mar 3, 2023
@fengshunli fengshunli mentioned this pull request Mar 3, 2023
Closed
@fengshunli
Fix hadoop CVE-2021-37404
b3dd388 
Signed-off-by: fengshunli <1171313930@qq.com>
@elega
Copy link
Contributor

elega commented Mar 3, 2023

@Xenorith can you take a look?

@elega elega requested a review from Xenorith March 3, 2023 10:21
@elega elega added the dependencies Pull requests that update a dependency file label Mar 3, 2023
@Xenorith
Copy link
Contributor

Xenorith commented Mar 3, 2023

i think this should be okay to bump. @dbw9580 you were the previous committer to bump the hadoop version from 3.3.0 to 3.3.1; wondering if you have any opinions on this?

@elega
Copy link
Contributor

elega commented Mar 6, 2023

cc @dbw9580 can you take a look?

dbw9580
dbw9580 approved these changes Mar 6, 2023
View reviewed changes
Copy link
Contributor

@dbw9580 dbw9580 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dbw9580 dbw9580 changed the title Fix hadoop CVE-2021-37404 Bump hadoop version to 3.3.4 Mar 6, 2023
maobaolong
maobaolong approved these changes Mar 13, 2023
View reviewed changes
Copy link
Contributor

@maobaolong maobaolong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions
Copy link

github-actions bot commented Jun 7, 2023

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale The PR/Issue does not have recent activities and will be closed automatically label Jun 7, 2023
@cosminnicula
Copy link
Contributor

Hey, I see this PR got stale. That's a pity since this fix would have fixed also CVE-2019-175710 (critical log4j vulnerability).

@elega, @Xenorith, @maobaolong, @dbw9580 is there any chance for this PR to be merged soon?

@Xenorith
Copy link
Contributor

CVE-2019-175710

this CVE should have no impact on the codebase as it only affects log4j 1.x. all modules are using log4j 2.x and dependencies that pull in other versions of log4j should have the these log4j versions excluded, therefore the problematic code should not be taking any effect.

on the other hand i have no major issues with this upgrade from a code perspective, but would appreciate to have some real workload testing and validation that uses a tarball published with this change before merging

@dbw9580
Copy link
Contributor

dbw9580 commented Oct 24, 2023

Hadoop releases 3.3.2 through 3.3.4 seem relatively small:

https://hadoop.apache.org/docs/r3.3.2/hadoop-project-dist/hadoop-common/release/3.3.2/RELEASENOTES.3.3.2.html
https://hadoop.apache.org/docs/r3.3.3/hadoop-project-dist/hadoop-common/release/3.3.3/RELEASENOTES.3.3.3.html
https://hadoop.apache.org/docs/r3.3.4/hadoop-project-dist/hadoop-common/release/3.3.4/RELEASENOTES.3.3.4.html

3.3.3 and 3.3.4 are all housekeeping changes.

@Xenorith considering this targeting the master-2.x line, can we do an internal regression test on the impact of this hadoop version bump?

@cosminnicula
Copy link
Contributor

@Xenorith, I can help with the workload testing on an Alluxio cluster, but I need to understand first what scale (e.g. volume of data, requests per second, etc.) we are targeting for these tests.

Additionally, is there any specific output that these tests should yield, other than maybe some screenshots and a report?

@Xenorith
Copy link
Contributor

after some simple testing, i am good to merge this.

@cosminnicula i'm not particularly concerned about testing at scale since the changes listed by @dbw9580 are relatively minor. any functional testing that you could run would be great.

@Xenorith Xenorith removed the stale The PR/Issue does not have recent activities and will be closed automatically label Oct 30, 2023
@Xenorith
Copy link
Contributor

alluxio-bot, merge this please

@alluxio-bot
Copy link
Contributor

merge failed:
Merge refused because pull request does not have label start with type-

@Xenorith Xenorith added the type-debt This issue is about tech debt label Oct 30, 2023
@Xenorith
Copy link
Contributor

alluxio-bot, merge this please

@alluxio-bot alluxio-bot merged commit f00399f into Alluxio:master-2.x Oct 30, 2023
@cosminnicula cosminnicula mentioned this pull request Nov 1, 2023
Open
@jiacheliu3
Copy link
Contributor

@Xenorith do we need this in main? Thanks!

@jiacheliu3 jiacheliu3 mentioned this pull request Nov 8, 2023
Merged
@Xenorith
Copy link
Contributor

Xenorith commented Nov 8, 2023

nice to have but not strictly required

alluxio-bot added a commit that referenced this pull request Nov 8, 2023
@alluxio-bot
Merge master-2.x commits 2023/07/01~2023/11/08 into main
c2f4cd2 
### What changes are proposed in this pull request?
Merge missing commits from master-2.x to main. The commits in 2023/07/01~2023/11/08 from main...master-2.x will be included by this PR.

We do this merge to catch missing fixes from `master-2.x` and catch the train before `main` cuts a release.

#17747 is not cherry picked because tencent cloud EMR doc is removed
#17755 is not cherry picked because DistLoadCliRunner has been removed in 3.x
#17758 is not cherry picked because MonoBlockStore has been removed in 3.x
#17641 is not cherry picked because the PR has already been in main
#17781 is not cherry picked because the PR has already been in main
#17722 is not cherry picked because the alluxio-fuse command has been changed a lot
#17489 is not cherry picked because audit log on master is no longer in 3.x
#17865 is not cherry picked because replication on job service is no longer in 3.x
#17858 is not cherry picked because it is already in main
#18090 is not cherry picked because generate-tarball has been rewritten in 3.x
#18091 is not cherry picked because the change is already in main
#17474 is not cherry picked because reconfiguration feature is not defined in 3.x
#17735 is not cherry picked because MonoBlockStore is no longer in 3.x
#18133 is not cherry picked because the issue is about master metadata and no longer relevant in 3.x
#17910 is not cherry picked because I prefer to do that manually
#17983 is not cherry picked because the web UI has been reworked
#17984 is not cherry picked because Mount/Unmount commands have been reworked in 3.x
#18103 is not cherry picked because worker cache metrics have been reworked in 3.x
#18185 is not cherry picked because the report command has been reworked in 3.x
#18222 is not cherry picked because Mount/Unmount operations have been reworked in 3.x
#18143 is not cherry picked because the change is already in main
#18303 is not cherry picked because the change is already in main
#18208 is not cherry picked because cache metrics have been reworked in 3.x
#17002 is not cherry picked because the owner has been notified separately
#18334 is not cherry picked because the bash scripts have been reworked in 3.x
#18326 is not cherry picked because the owner has been notified separately

			pr-link: #18397
			change-id: cid-dbf8cbb2d9e721a5a0a1e5028a3c9577438a2ac0
maobaolong pushed a commit to maobaolong/alluxio that referenced this pull request Jan 3, 2024
@fengshunli @codings-dan
Bump hadoop version to 3.3.4
3cde2f5 
### What changes are proposed in this pull request?

Bump Hadoop version from `3.3.1` to `3.3.4`.

### Why are the changes needed?

Fix hadoop CVE-2021-37404.

### Does this PR introduce any user facing changes?

Hadoop version bump.

			pr-link: Alluxio#17002
			change-id: cid-fd12eec84b42efd3112c3c71039702dca92ca775
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maobaolong maobaolong maobaolong approved these changes

@dbw9580 dbw9580 dbw9580 approved these changes

@Xenorith Xenorith Xenorith approved these changes

Assignees

@apc999 apc999

Labels
API Change Changes covering public API dependencies Pull requests that update a dependency file POM Change type-debt This issue is about tech debt
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@fengshunli @elega @Xenorith @cosminnicula @dbw9580 @alluxio-bot @jiacheliu3 @maobaolong @apc999