From 2ffdb1efea498cc6e01f936700d3ca7ba0942506 Mon Sep 17 00:00:00 2001 From: Abhishek Krishna Date: Thu, 5 Mar 2026 09:22:04 +0530 Subject: [PATCH 1/9] CPBR-3030 | Upgrade python to 3.14 (#1280) * upgradubg the python version * upgradubg the python version * Fixing the dependency * Fixing the dependency * Fixing the dependency * Fixing the slash * Fixing the confluent-docker-utils * Removing python39 occurences * Removing python39 occurences * Fix Python 3.14 property reference and reorganize Dockerfile layers - Fix build failure: Correct property reference from ${python314.version} to ${python.python314.version} This addresses the reviewer's comment about following the python.*.version naming convention - Reorganize Dockerfile into 4 clean layers with Python installed BEFORE Java: 1. Setup package manager and repositories 2. Install Python 3.14 from source (now before Java/system packages) 3. Install system packages and Java 4. Install Python packages and user setup - Fix pip installation concerns: - Remove unused PYTHON_PIP_VERSION ARG (pip now installed via --with-ensurepip) - Add pip verification steps to ensure pip3 and python3 -m pip work correctly - Add explanatory comment about pip installation method - Remove debug scripts (check-pip-versions.sh, check-python-versions.sh) This addresses all reviewer comments and ensures compatibility with downstream Confluent Platform components (kafka, schema-registry, connect, etc.) Co-Authored-By: Claude Sonnet 4.5 * Fixing tar version issue * Fixing build issue * Fixing build issue * Fixing build issue python alternative * Fixing build issue python alternative * Fixing build issue python alternative * Fixing the dnf issue * Fixing the dnf issue * Fixing the dnf issue * Adding SHA validation and comment fix * updating tox version * reverting tox version * Adding alternative * adding python version in service yml * testing with alternatives * testing with GPG key * Using sigstore * Using sigstore * fixing alternatives * Testing with python3.6 * Testing with python3.6 * Testing with python3.11 * Testing with python3.11 * Testing update-alternatives * Testing update-alternatives * Testing update-alternatives * Testing update-alternatives * Removing which command * claenup stale pip --------- Co-authored-by: Claude Sonnet 4.5 --- .semaphore/cp_dockerfile_build.yml | 2 +- .semaphore/semaphore.yml | 2 +- base/Dockerfile.ubi8 | 60 +++++++++++++++++++++++++++--- base/pom.xml | 6 +-- base/requirements.txt | 2 +- base/tox.ini | 8 ++-- pom.xml | 3 +- service.yml | 4 +- 8 files changed, 67 insertions(+), 20 deletions(-) diff --git a/.semaphore/cp_dockerfile_build.yml b/.semaphore/cp_dockerfile_build.yml index 93859d6601..a40692aa14 100644 --- a/.semaphore/cp_dockerfile_build.yml +++ b/.semaphore/cp_dockerfile_build.yml @@ -25,7 +25,7 @@ global_job_config: commands: - checkout - if [[ $SEMAPHORE_GIT_BRANCH =~ ^7\..* ]]; then sem-version java 8; else sem-version java 17; fi - - sem-version python 3.9 + - sem-version python 3.14 - . vault-setup - . cache-maven restore - pip install tox==3.28.0 diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml index 08a785c442..2454c2490a 100644 --- a/.semaphore/semaphore.yml +++ b/.semaphore/semaphore.yml @@ -25,7 +25,7 @@ global_job_config: commands: - checkout - if [[ $SEMAPHORE_GIT_BRANCH =~ ^7\..* ]]; then sem-version java 8; else sem-version java 17; fi - - sem-version python 3.9 + - sem-version python 3.14 - . vault-setup - . cache-maven restore - pip install tox==3.28.0 diff --git a/base/Dockerfile.ubi8 b/base/Dockerfile.ubi8 index e946cfbd2e..67bf56df8e 100644 --- a/base/Dockerfile.ubi8 +++ b/base/Dockerfile.ubi8 @@ -53,7 +53,7 @@ ENV CUB_CLASSPATH='"/usr/share/java/cp-base-new/*"' ARG OPENSSL_VERSION="" ARG WGET_VERSION="" ARG NETCAT_VERSION="" -ARG PYTHON39_VERSION="" +ARG PYTHON314_VERSION="" ARG TAR_VERSION="" ARG PROCPS_VERSION="" ARG KRB5_WORKSTATION_VERSION="" @@ -67,7 +67,6 @@ ARG CURL_VERSION="" ARG ZULU_OPENJDK_VERSION="" # Python Module Versions -ARG PYTHON_PIP_VERSION="" ARG PYTHON_SETUPTOOLS_VERSION="" # Confluent Docker Utils Version (Namely the tag or branch to grab from git to install) @@ -76,6 +75,60 @@ ARG PYTHON_CONFLUENT_DOCKER_UTILS_VERSION="master" # This can be overriden for an offline/air-gapped builds ARG PYTHON_CONFLUENT_DOCKER_UTILS_INSTALL_SPEC="git+https://github.com/confluentinc/confluent-docker-utils@${PYTHON_CONFLUENT_DOCKER_UTILS_VERSION}" +# Install Python 3.14 from source FIRST +RUN microdnf --nodocs install yum \ + && yum --nodocs install -y --setopt=install_weak_deps=False \ + gcc \ + gcc-c++ \ + make \ + tar \ + curl \ + openssl-devel \ + ca-certificates \ + bzip2-devel \ + libffi-devel \ + zlib-devel \ + sqlite-devel \ + findutils \ + python39 \ + python39-pip \ + && python3.9 -m pip install --upgrade pip \ + && python3.9 -m pip install sigstore \ + && curl -fSLO https://www.python.org/ftp/python/${PYTHON314_VERSION}/Python-${PYTHON314_VERSION}.tgz \ + && curl -fSLO https://www.python.org/ftp/python/${PYTHON314_VERSION}/Python-${PYTHON314_VERSION}.tgz.sigstore \ + && python3.9 -m sigstore verify identity \ + --bundle Python-${PYTHON314_VERSION}.tgz.sigstore \ + --cert-identity hugo@python.org \ + --cert-oidc-issuer https://github.com/login/oauth \ + Python-${PYTHON314_VERSION}.tgz \ + && rm -f Python-${PYTHON314_VERSION}.tgz.sigstore \ + && python3.9 -m pip uninstall -y sigstore \ + && yum remove -y python39 python39-pip \ + && rm -f /usr/local/bin/pip /usr/local/bin/pip3 /usr/local/bin/pip3.9 \ + && tar -xzf Python-${PYTHON314_VERSION}.tgz \ + && cd Python-${PYTHON314_VERSION} \ + && ./configure --enable-optimizations \ + --with-ensurepip=install \ + --with-openssl=/usr \ + --with-openssl-rpath=auto \ + && make -j$(nproc) \ + && make altinstall \ + && cd .. \ + && rm -rf Python-${PYTHON314_VERSION}* \ + && rm -f /var/lib/alternatives/python /var/lib/alternatives/python3 /var/lib/alternatives/pip /var/lib/alternatives/pip3 \ + && update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.14 100 \ + && update-alternatives --install /usr/bin/python python /usr/local/bin/python3.14 100 \ + && update-alternatives --install /usr/bin/pip3 pip3 /usr/local/bin/pip3.14 100 \ + && update-alternatives --install /usr/bin/pip pip /usr/local/bin/pip3.14 100 \ + && python3 -c "import ssl; print('SSL module loaded successfully')" \ + && python --version \ + && python3 --version \ + && pip --version \ + && pip3 --version \ + && yum remove -y gcc gcc-c++ make openssl-devel bzip2-devel libffi-devel zlib-devel sqlite-devel \ + && yum clean all \ + && rm -rf /tmp/* /root/.cache + RUN microdnf --nodocs install yum \ && rpm --import https://www.azul.com/files/0xB1998361219BD9C9.txt \ && yum --nodocs -y install https://cdn.azul.com/zulu/bin/zulu-repo-1.0.0-1.noarch.rpm \ @@ -85,8 +138,6 @@ RUN microdnf --nodocs install yum \ "openssl${OPENSSL_VERSION}" \ "wget${WGET_VERSION}" \ "nmap-ncat${NETCAT_VERSION}" \ - "python39${PYTHON39_VERSION}" \ - "python39-pip${PYTHON_PIP_VERSION}" \ "tar${TAR_VERSION}" \ "procps-ng${PROCPS_VERSION}" \ "krb5-workstation${KRB5_WORKSTATION_VERSION}" \ @@ -99,7 +150,6 @@ RUN microdnf --nodocs install yum \ "curl${CURL_VERSION}" \ "libcurl${CURL_VERSION}" \ "zulu11-ca-jdk-headless${ZULU_OPENJDK_VERSION}" "zulu11-ca-jre-headless${ZULU_OPENJDK_VERSION}" \ - && alternatives --set python /usr/bin/python3 \ && python3 -m pip install --upgrade "setuptools${PYTHON_SETUPTOOLS_VERSION}" \ && python3 -m pip install --prefer-binary --prefix=/usr/local --upgrade "${PYTHON_CONFLUENT_DOCKER_UTILS_INSTALL_SPEC}" \ && yum remove -y git \ diff --git a/base/pom.xml b/base/pom.xml index 890d69d417..b28e89fd59 100644 --- a/base/pom.xml +++ b/base/pom.xml @@ -126,7 +126,7 @@ -${ubi8-minimal.openssl.version} -${ubi8-minimal.wget.version} -${ubi8-minimal.nmap-ncat.version} - -${ubi8-minimal.python39.version} + ${python.python314.version} -${ubi8-minimal.tar.version} -${ubi8-minimal.procps-ng.version} -${ubi8-minimal.krb5-workstation.version} @@ -136,7 +136,6 @@ -${ubi8-minimal.glibc.version} -${ubi8-minimal.curl.version} -${ubi8-minimal.zulu11-ca-jdk-headless.version} - -${ubi8-minimal.python39-pip.version} ==${python.setuptools.version} ${git-repo.confluent-docker-utils.tag} ${docker.skip-security-update-check} @@ -156,7 +155,7 @@ -${ubi8-minimal.openssl.version} -${ubi8-minimal.wget.version} -${ubi8-minimal.nmap-ncat.version} - -${ubi8-minimal.python39.version} + ${python.python314.version} -${ubi8-minimal.tar.version} -${ubi8-minimal.procps-ng.version} -${ubi8-minimal.krb5-workstation.version} @@ -166,7 +165,6 @@ -${ubi8-minimal.glibc.version} -${ubi8-minimal.curl.version} -${ubi8-minimal.zulu11-ca-jdk-headless.version} - -${ubi8-minimal.python39-pip.version} ==${python.setuptools.version} ${git-repo.confluent-docker-utils.tag} ${docker.skip-security-update-check} diff --git a/base/requirements.txt b/base/requirements.txt index 614c4c93e0..ac724d42e5 100644 --- a/base/requirements.txt +++ b/base/requirements.txt @@ -1 +1 @@ -git+https://github.com/confluentinc/confluent-docker-utils@v0.0.162 +git+https://github.com/confluentinc/confluent-docker-utils@v0.0.167 diff --git a/base/tox.ini b/base/tox.ini index af5b6fe10e..91aaca04a9 100644 --- a/base/tox.ini +++ b/base/tox.ini @@ -6,10 +6,10 @@ toxworkdir = /var/tmp deps = -rrequirements.txt flake8 - pytest == 4.6.4 - pytest-xdist == 1.29.0 - pytest-cov == 2.7.1 - sphinx!=1.2b2,<2.0.0 + pytest ~= 8.0.0 + pytest-xdist ~= 3.0.0 + pytest-cov ~= 4.0.0 + sphinx ~= 7.0.0 install_command = pip install -U {packages} recreate = True skipsdist = True diff --git a/pom.xml b/pom.xml index 527b37e33c..75d97853a0 100644 --- a/pom.xml +++ b/pom.xml @@ -70,7 +70,6 @@ 1.1.1k-15.el8_6 1.19.5-12.el8_10 7.92-2.el8_10 - 3.9.25-2.module+el8.10.0+23718+1842ae33 1.30-11.el8_10 3.3.15-14.el8 1.18.2-32.el8_10 @@ -80,9 +79,9 @@ 2.28-251.el8_10.27 7.61.1-34.el8_10.10 11.0.30-3 - 20.2.4-9.module+el8.10.0+21329+8d76b841 + 3.14.3 80.9.0 diff --git a/service.yml b/service.yml index 5ec40c99fa..80c92d80e3 100644 --- a/service.yml +++ b/service.yml @@ -1,6 +1,6 @@ name: common-docker -lang: unknown -lang_version: unknown +lang: python +lang_version: "3.14" git: enable: true semaphore: From 13eb2b618cf3b50d40e205ab6582fa61011cf5a2 Mon Sep 17 00:00:00 2001 From: Abhishek Krishna Date: Thu, 5 Mar 2026 14:47:02 +0530 Subject: [PATCH 2/9] update confluent-docker-utils version --- base/requirements.txt | 2 +- pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/base/requirements.txt b/base/requirements.txt index ac724d42e5..da1f230f18 100644 --- a/base/requirements.txt +++ b/base/requirements.txt @@ -1 +1 @@ -git+https://github.com/confluentinc/confluent-docker-utils@v0.0.167 +git+https://github.com/confluentinc/confluent-docker-utils@v0.0.169 diff --git a/pom.xml b/pom.xml index f154fe1055..e4cc1d975d 100644 --- a/pom.xml +++ b/pom.xml @@ -107,7 +107,7 @@ 80.9.0 - v0.0.168 + v0.0.169 v1.0.8 From b24a0c5108107ad756eccf9eac7311a7a71cf2bf Mon Sep 17 00:00:00 2001 From: Abhishek Krishna Date: Thu, 5 Mar 2026 15:12:52 +0530 Subject: [PATCH 3/9] update confluent-docker-utils version --- base-java/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base-java/requirements.txt b/base-java/requirements.txt index 614c4c93e0..da1f230f18 100644 --- a/base-java/requirements.txt +++ b/base-java/requirements.txt @@ -1 +1 @@ -git+https://github.com/confluentinc/confluent-docker-utils@v0.0.162 +git+https://github.com/confluentinc/confluent-docker-utils@v0.0.169 From 77dcba86886b8eea855fd14e041eea2ca9f38572 Mon Sep 17 00:00:00 2001 From: Abhishek Krishna Date: Thu, 5 Mar 2026 15:25:15 +0530 Subject: [PATCH 4/9] update test versions --- base-java/tox.ini | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/base-java/tox.ini b/base-java/tox.ini index af5b6fe10e..91aaca04a9 100644 --- a/base-java/tox.ini +++ b/base-java/tox.ini @@ -6,10 +6,10 @@ toxworkdir = /var/tmp deps = -rrequirements.txt flake8 - pytest == 4.6.4 - pytest-xdist == 1.29.0 - pytest-cov == 2.7.1 - sphinx!=1.2b2,<2.0.0 + pytest ~= 8.0.0 + pytest-xdist ~= 3.0.0 + pytest-cov ~= 4.0.0 + sphinx ~= 7.0.0 install_command = pip install -U {packages} recreate = True skipsdist = True From f64e280d4720289c5bafe67a9114fa3a3f47c4e1 Mon Sep 17 00:00:00 2001 From: Abhishek Krishna Date: Thu, 5 Mar 2026 15:51:18 +0530 Subject: [PATCH 5/9] update test versions --- base/Dockerfile.ubi9 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9 index 7d2322f90c..3d36c0f9c7 100644 --- a/base/Dockerfile.ubi9 +++ b/base/Dockerfile.ubi9 @@ -79,7 +79,7 @@ ARG PYTHON_CONFLUENT_DOCKER_UTILS_VERSION="master" ARG PYTHON_CONFLUENT_DOCKER_UTILS_INSTALL_SPEC="git+https://github.com/confluentinc/confluent-docker-utils@${PYTHON_CONFLUENT_DOCKER_UTILS_VERSION}" # Install Python 3.14 from source FIRST -RUN microdnf --nodocs install yum \ +RUN microdnf --nodocs -y install yum \ && yum --nodocs install -y --setopt=install_weak_deps=False \ gcc \ gcc-c++ \ From 66677d3293bcd31828007387e42dc1158b863908 Mon Sep 17 00:00:00 2001 From: Abhishek Krishna Date: Thu, 5 Mar 2026 16:16:12 +0530 Subject: [PATCH 6/9] remove curl since ubi9 has curl has already there --- base/Dockerfile.ubi9 | 1 - 1 file changed, 1 deletion(-) diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9 index 3d36c0f9c7..dcbe175fd6 100644 --- a/base/Dockerfile.ubi9 +++ b/base/Dockerfile.ubi9 @@ -85,7 +85,6 @@ RUN microdnf --nodocs -y install yum \ gcc-c++ \ make \ tar \ - curl \ openssl-devel \ ca-certificates \ bzip2-devel \ From f11b454af025fdc3892ebfb9401f10319f3a1705 Mon Sep 17 00:00:00 2001 From: Abhishek Krishna Date: Thu, 5 Mar 2026 16:40:32 +0530 Subject: [PATCH 7/9] remove python3.9 installation and removal since its already present in ubi9 --- base/Dockerfile.ubi9 | 3 --- 1 file changed, 3 deletions(-) diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9 index dcbe175fd6..59973b3709 100644 --- a/base/Dockerfile.ubi9 +++ b/base/Dockerfile.ubi9 @@ -92,8 +92,6 @@ RUN microdnf --nodocs -y install yum \ zlib-devel \ sqlite-devel \ findutils \ - python3 \ - python3-pip \ && python3 -m pip install --upgrade pip \ && python3 -m pip install sigstore \ && curl -fSLO https://www.python.org/ftp/python/${PYTHON314_VERSION}/Python-${PYTHON314_VERSION}.tgz \ @@ -105,7 +103,6 @@ RUN microdnf --nodocs -y install yum \ Python-${PYTHON314_VERSION}.tgz \ && rm -f Python-${PYTHON314_VERSION}.tgz.sigstore \ && python3 -m pip uninstall -y sigstore \ - && yum remove -y python3 python3-pip \ && rm -f /usr/local/bin/pip /usr/local/bin/pip3 /usr/local/bin/pip3.9 \ && tar -xzf Python-${PYTHON314_VERSION}.tgz \ && cd Python-${PYTHON314_VERSION} \ From ccfeadcd1699a24037157ecf72f7b5325b9d3bc6 Mon Sep 17 00:00:00 2001 From: Abhishek Krishna Date: Thu, 5 Mar 2026 17:12:03 +0530 Subject: [PATCH 8/9] Adding pip --- base/Dockerfile.ubi9 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9 index 59973b3709..32fdbbcac3 100644 --- a/base/Dockerfile.ubi9 +++ b/base/Dockerfile.ubi9 @@ -92,6 +92,7 @@ RUN microdnf --nodocs -y install yum \ zlib-devel \ sqlite-devel \ findutils \ + python3-pip \ && python3 -m pip install --upgrade pip \ && python3 -m pip install sigstore \ && curl -fSLO https://www.python.org/ftp/python/${PYTHON314_VERSION}/Python-${PYTHON314_VERSION}.tgz \ @@ -103,6 +104,7 @@ RUN microdnf --nodocs -y install yum \ Python-${PYTHON314_VERSION}.tgz \ && rm -f Python-${PYTHON314_VERSION}.tgz.sigstore \ && python3 -m pip uninstall -y sigstore \ + && yum remove -y python3-pip \ && rm -f /usr/local/bin/pip /usr/local/bin/pip3 /usr/local/bin/pip3.9 \ && tar -xzf Python-${PYTHON314_VERSION}.tgz \ && cd Python-${PYTHON314_VERSION} \ From 0ce1c98b0f924cde728fa9a1bc70bbf12f125e00 Mon Sep 17 00:00:00 2001 From: Abhishek Krishna Date: Thu, 5 Mar 2026 17:43:52 +0530 Subject: [PATCH 9/9] fix crypto version --- base/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/pom.xml b/base/pom.xml index a843a3bc8e..b3445dee76 100644 --- a/base/pom.xml +++ b/base/pom.xml @@ -141,7 +141,7 @@ -${ubi9-minimal.xz-libs.version} -${ubi9-minimal.glibc.version} -${ubi9-minimal.findutils.version} - -${ubi8-minimal.crypto-policies-scripts.version} + -${ubi9-minimal.crypto-policies-scripts.version} -${ubi9-minimal.temurin-21-jdk.version} ==${python.setuptools.version} ${git-repo.confluent-docker-utils.tag}