AMBARI-26487: Bump commons-io:commons-io from 2.4 to 2.14.0 in /ambari-metrics-common

[0lai0]

What changes were proposed in this pull request?

Bump commons-io:commons-io from 2.4 to 2.14.0 in /ambari-metrics-common

How was this patch tested?

cd ambari-metrics-common
mvn test
mvn dependency:tree -DignoreErrors | grep commons-io
mvn dependency:tree -DignoreErrors

[jojochuang]

This change by itself is good. I verified it didn't break anything: https://github.com/apache/ambari-metrics/pull/157/commits

But commons-io is 2.1 in ambari-metrics-hadoop-sink ,
2.4 in ambari-metrics-timelineservice. Can we get them updated as well?

[0lai0]

This change by itself is good. I verified it didn't break anything: https://github.com/apache/ambari-metrics/pull/157/commits

But commons-io is 2.1 in ambari-metrics-hadoop-sink , 2.4 in ambari-metrics-timelineservice. Can we get them updated as well?

Sure, I'd be happy to update the PR.

[JiaLiangC]

@0lai0 When upgrading dependencies in Ambari Metrics, extreme caution must be exercised due to version coupling with Hadoop dependencies. These dependencies are packaged into the Hadoop-sink and embedded into Hadoop as a plugin. If the versions conflict with Hadoop's dependency versions, it can directly cause Hadoop to fail to start.

[JiaLiangC]

Therefore, the best approach is to quickly deploy a test cluster after upgrading the dependencies. However, the one-click Docker cluster deployment project is not yet available, making testing quite challenging. Previously, upgrading to JDK 17 caused the Hadoop Sink to be compiled with JDK 17, and when embedded into Hadoop as a plugin, the JDK version mismatch led to startup failures.

[jojochuang]

I see. Thanks for the heads up.
Commons-io usually doesn't cause trouble when upgrade. Also worth noting that I intend to update Hadoop 3.3 commons-io version to 2.14.0 as well.

Perhaps we should add an integration test module too otherwise these kind of frictions is too much.

[jojochuang]

We should consider shade the jars to avoid version conflicts. I'd like to study that possibility soon.

[jojochuang]

+1 from me but let's wait for more validation.

[0lai0]

Therefore, the best approach is to quickly deploy a test cluster after upgrading the dependencies. However, the one-click Docker cluster deployment project is not yet available, making testing quite challenging. Previously, upgrading to JDK 17 caused the Hadoop Sink to be compiled with JDK 17, and when embedded into Hadoop as a plugin, the JDK version mismatch led to startup failures.

Thank you for your comprehensive explanation, which has greatly clarified the risks and precautions involved in upgrading dependencies for Ambari Metrics.
Given the absence of a one-click Docker deployment tool, setting up a test cluster might be somewhat challenging. Could you kindly recommend any tools or scripts that could streamline the process of building a test cluster? Thank you!