CPBR-2901 fix

base-java/Dockerfile.ubi9

@@ -24,6 +24,10 @@ FROM registry.access.redhat.com/ubi9-minimal:${UBI_MINIMAL_VERSION} AS REFRESH
 ARG OPENSSL_VERSION
 ARG PROJECT_VERSION
 ARG ARTIFACT_ID
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION
+ARG FINDUTILS_VERSION
+ARG HOSTNAME_VERSION
+ARG TEMURIN_JDK_VERSION
 
 # Remember where we came from
 LABEL io.confluent.docker.git.repo="confluentinc/common-docker"
@@ -55,11 +59,6 @@ gpgcheck=1 \n\
 gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
 
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
-
 # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
 # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
 # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
@@ -71,7 +70,7 @@ RUN microdnf --nodocs -y install yum \
     && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
     && cd openssl${OPENSSL_VERSION} \
     && echo "installing FIPS compliant openssl" \
-    && ./Configure enable-fips \
+    && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \
     && make > /dev/null 2>&1 \
     && make install > /dev/null 2>&1 \
     && echo "successfully installed FIPS compliant openssl" \
@@ -94,8 +93,14 @@ RUN microdnf --nodocs -y install yum \
 # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
 RUN update-crypto-policies --set FIPS
 
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /opt/openssl-fips/lib
+# for amd64 required binaries are present in /opt/openssl-fips/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Note: This is set after update-crypto-policies to avoid conflicts with system Python
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:$LD_LIBRARY_PATH
+
 COPY license.txt /licenses
-COPY openssl-fips.cnf  /usr/local/ssl/openssl-fips.cnf
+COPY openssl-fips.cnf  /opt/openssl-fips/ssl/openssl-fips.cnf
 COPY --from=build-ub-package-dedupe /build/package_dedupe/package_dedupe /usr/bin/package_dedupe
 COPY --from=build-ub-package-dedupe /build/ub/ub /usr/bin/ub
 

base/Dockerfile.ubi9

@@ -86,11 +86,6 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
 
 
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
-
 # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
 # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
 # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
@@ -102,7 +97,7 @@ RUN microdnf --nodocs -y install yum \
     && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
     && cd openssl${OPENSSL_VERSION} \
     && echo "installing FIPS compliant openssl" \
-    && ./Configure enable-fips \
+    && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \
     && make > /dev/null 2>&1 \
     && make install > /dev/null 2>&1 \
     && echo "successfully installed FIPS compliant openssl" \
@@ -142,6 +137,12 @@ RUN microdnf --nodocs -y install yum \
 # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
 RUN update-crypto-policies --set FIPS
 
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /opt/openssl-fips/lib
+# for amd64 required binaries are present in /opt/openssl-fips/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Note: This is set after update-crypto-policies to avoid conflicts with system Python
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:$LD_LIBRARY_PATH
+
 # This is a step that will cause the build to fail of the package manager detects a package update is availible and isn't installed.
 # The ARG SKIP_SECURITY_UPDATE_CHECK is an "escape" hatch if you want to by-pass this check and build the container anyways, which
 # is not advisable in terms of security posture. If set to false (which triggers a shell exit(1) if the check fails from the left
@@ -153,7 +154,7 @@ RUN yum check-update || "${SKIP_SECURITY_UPDATE_CHECK}"
 
 COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/
 COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/
-COPY openssl-fips.cnf  /usr/local/ssl/openssl-fips.cnf
+COPY openssl-fips.cnf  /opt/openssl-fips/ssl/openssl-fips.cnf
 
 COPY --chown=appuser:appuser include/etc/confluent/docker /etc/confluent/docker
 COPY --chown=appuser:appuser include/etc/cp-base-new /etc/cp-base-new

pom.xml

@@ -35,27 +35,25 @@
         <docker.tag>${io.confluent.common-docker.version}-${docker.ubi9.os_type}</docker.tag>
         <io.confluent.common-docker.version>8.0.2</io.confluent.common-docker.version>
         <!-- Versions-->
-        <ubi8.image.version>8.10-1755105495</ubi8.image.version>
-        <ubi9.micro.image.version>9.6-1754345610</ubi9.micro.image.version>
-        <ubi9.minimal.image.version>9.6-1760515502</ubi9.minimal.image.version>
+        <ubi8.image.version>8.10-1761032271</ubi8.image.version>
+        <ubi9.micro.image.version>9.7-1762965531</ubi9.micro.image.version>
+        <ubi9.minimal.image.version>9.7-1762956380</ubi9.minimal.image.version>
         <ubi9.openssl.version>1:3.2.2-6.el9_5.1</ubi9.openssl.version>
         <!-- OpenSSL version that is FIPS compliant -->
         <fips.openssl.version>3.1.2</fips.openssl.version>
         <!-- Redhat Package Versions -->
         <ubi9.wget.version>1.21.1-8.el9_4</ubi9.wget.version>
         <ubi9.netcat.version>7.92-3.el9</ubi9.netcat.version>
-        <ubi9.python39.version>3.9.21-2.el9_6.2</ubi9.python39.version>
-        <ubi9.tar.version>1.34-7.el9</ubi9.tar.version>
-        <ubi9.wget.version>1.21.1-8.el9_4</ubi9.wget.version>
-        <ubi9.netcat.version>7.92-3.el9</ubi9.netcat.version>
+        <ubi9.python39.version>3.9.23-2.el9</ubi9.python39.version>
+        <ubi9.tar.version>2:1.34-7.el9</ubi9.tar.version>
         <ubi9.procps.version>3.3.17-14.el9</ubi9.procps.version>
         <ubi9.krb5.workstation.version>1.21.1-8.el9_6</ubi9.krb5.workstation.version>
-        <ubi9.iputils.version>20210202-11.el9_6.3</ubi9.iputils.version>
+        <ubi9.iputils.version>20210202-15.el9_7</ubi9.iputils.version>
         <ubi9.hostname.version>3.23-6.el9</ubi9.hostname.version>
         <ubi9.xzlibs.version>5.2.5-8.el9_0</ubi9.xzlibs.version>
-        <ubi9.glibc.version>2.34-168.el9_6.23</ubi9.glibc.version>
+        <ubi9.glibc.version>2.34-231.el9_7.2</ubi9.glibc.version>
         <ubi9.findutils.version>1:4.8.0-7.el9</ubi9.findutils.version>
-        <ubi9.crypto.policies.scripts.version>20240828-2.git626aa59.el9_5</ubi9.crypto.policies.scripts.version>
+        <ubi9.crypto.policies.scripts.version>20250905-1.git377cc42.el9_7</ubi9.crypto.policies.scripts.version>
         <!-- Python Module Versions -->
         <ubi9.python.pip.version>21.3.1-1.el9</ubi9.python.pip.version>
 
@@ -87,4 +85,4 @@
         `-Ddocker.skip-security-update-check=true` -->
         <docker.skip-security-update-check>true</docker.skip-security-update-check>
     </properties>
-</project>
+</project>