diff --git a/README.md b/README.md index 2486b5d..cd4656b 100644 --- a/README.md +++ b/README.md @@ -78,4 +78,4 @@ and includes the full set of [free features](https://www.elastic.co/subscriptions). View the detailed release notes -[here](https://www.elastic.co/guide/en/elasticsearch/reference/8.17/es-release-notes.html). +[here](https://www.elastic.co/guide/en/elasticsearch/reference/8.18/es-release-notes.html). diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile index 59e5a27..c7be5bf 100644 --- a/elasticsearch/Dockerfile +++ b/elasticsearch/Dockerfile @@ -9,7 +9,7 @@ # Extract Elasticsearch artifact ################################################################################ -FROM ubuntu:20.04 AS builder +FROM ubuntu:24.04 AS builder # Install required packages to extract the Elasticsearch distribution @@ -44,7 +44,7 @@ RUN for iter in 1 2 3 4 5 6 7 8 9 10; do \ RUN mkdir /usr/share/elasticsearch WORKDIR /usr/share/elasticsearch -RUN curl --retry 10 -S -L --output /tmp/elasticsearch.tar.gz https://artifacts-no-kpi.elastic.co/downloads/elasticsearch/elasticsearch-8.17.0-linux-$(arch).tar.gz +RUN curl --retry 10 -S -L --output /tmp/elasticsearch.tar.gz https://artifacts-no-kpi.elastic.co/downloads/elasticsearch/elasticsearch-8.18.8-linux-$(arch).tar.gz RUN tar -zxf /tmp/elasticsearch.tar.gz --strip-components=1 @@ -79,7 +79,7 @@ RUN sed -i -e 's/ES_DISTRIBUTION_TYPE=tar/ES_DISTRIBUTION_TYPE=docker/' bin/elas # Add entrypoint ################################################################################ -FROM ubuntu:20.04 +FROM ubuntu:24.04 # Change default shell to bash, then install required packages with retries. RUN yes no | dpkg-reconfigure dash && \ 
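Review bot: `FROM ubuntu:24.04 AS builder` follows a moving tag, so the base contents can change between builds while the LABEL block later in this file records a fixed build date and revision. Pinning the digest next to the tag makes the base reproducible and auditable, e.g. `FROM ubuntu:24.04@sha256:<DIGEST_PLACEHOLDER> AS builder`. The same applies to the runtime-stage `FROM ubuntu:24.04` in this file and to the `FROM` lines in the Kibana and Logstash Dockerfiles. The Elasticsearch and Kibana runtime stages also run `apt-get upgrade -y`, so a digest pin alone does not freeze package versions.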
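Review bot: The tarball fetched by the `curl` line is unpacked by the following `tar -zxf` with no integrity check, and `curl` runs without `--fail`, so an HTTP error page would be saved as `/tmp/elasticsearch.tar.gz`. Verify a checksum pinned in the Dockerfile before extracting, e.g. `echo "<SHA512_PLACEHOLDER>  /tmp/elasticsearch.tar.gz" | sha512sum -c -`, and add `-f` to the curl flags. A checksum downloaded from the same host would catch corruption but not a tampered artifact, which is why a pinned value is preferable. The Kibana (`curl --retry 8 -s -L`) and Logstash (`curl -Lo - … | tar zxf -`) download steps have the same gap.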
@@ -88,7 +88,7 @@ RUN yes no | dpkg-reconfigure dash && \ apt-get update && \ apt-get upgrade -y && \ apt-get install -y --no-install-recommends \ - ca-certificates curl netcat p11-kit unzip zip && \ + ca-certificates curl netcat-openbsd p11-kit unzip zip && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* && \ exit_code=0 && break || \ @@ -96,9 +96,10 @@ RUN yes no | dpkg-reconfigure dash && \ done; \ exit $exit_code -RUN groupadd -g 1000 elasticsearch && \ - adduser --uid 1000 --gid 1000 --home /usr/share/elasticsearch elasticsearch && \ - adduser elasticsearch root && \ +RUN userdel -r ubuntu && \ + groupadd -g 1000 elasticsearch && \ + useradd --uid 1000 --gid 1000 --home-dir /usr/share/elasticsearch --create-home elasticsearch && \ + usermod -aG root elasticsearch && \ chown -R 0:0 /usr/share/elasticsearch ENV ELASTIC_CONTAINER true 
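Review bot: `userdel -r ubuntu` has no comment explaining why a stock account is deleted before the service account is created. Ubuntu 24.04 base images ship a default `ubuntu` user and group with ID 1000, which would make the following `groupadd -g 1000` fail; a line such as `# ubuntu:24.04 ships a default 'ubuntu' user with UID/GID 1000; remove it so elasticsearch owns that ID` above the RUN would record this. The same uncommented `userdel -r ubuntu` appears in the Kibana and Logstash user-creation hunks.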
@@ -137,25 +138,25 @@ RUN /etc/ca-certificates/update.d/docker-openjdk EXPOSE 9200 9300 -LABEL org.label-schema.build-date="2024-12-11T12:08:05.663969764Z" \ +LABEL org.label-schema.build-date="2025-10-02T22:10:40.225397673Z" \ org.label-schema.license="Elastic-License-2.0" \ org.label-schema.name="Elasticsearch" \ org.label-schema.schema-version="1.0" \ org.label-schema.url="https://www.elastic.co/products/elasticsearch" \ org.label-schema.usage="https://www.elastic.co/guide/en/elasticsearch/reference/index.html" \ - org.label-schema.vcs-ref="2b6a7fed44faa321997703718f07ee0420804b41" \ + org.label-schema.vcs-ref="c1310008a98b8bb63c9fc08e763de1d065b943ce" \ org.label-schema.vcs-url="https://github.com/elastic/elasticsearch" \ org.label-schema.vendor="Elastic" \ - org.label-schema.version="8.17.0" \ - org.opencontainers.image.created="2024-12-11T12:08:05.663969764Z" \ + org.label-schema.version="8.18.8" \ + org.opencontainers.image.created="2025-10-02T22:10:40.225397673Z" \ org.opencontainers.image.documentation="https://www.elastic.co/guide/en/elasticsearch/reference/index.html" \ org.opencontainers.image.licenses="Elastic-License-2.0" \ - org.opencontainers.image.revision="2b6a7fed44faa321997703718f07ee0420804b41" \ + org.opencontainers.image.revision="c1310008a98b8bb63c9fc08e763de1d065b943ce" \ org.opencontainers.image.source="https://github.com/elastic/elasticsearch" \ org.opencontainers.image.title="Elasticsearch" \ org.opencontainers.image.url="https://www.elastic.co/products/elasticsearch" \ org.opencontainers.image.vendor="Elastic" \ - org.opencontainers.image.version="8.17.0" + org.opencontainers.image.version="8.18.8" # Our actual entrypoint is `tini`, a minimal but functional init program. It # calls the entrypoint we provide, while correctly forwarding signals. diff --git a/elasticsearch/config/log4j2.properties b/elasticsearch/config/log4j2.properties index c0d67c8..719eea7 100644 --- a/elasticsearch/config/log4j2.properties 
+++ b/elasticsearch/config/log4j2.properties @@ -70,6 +70,12 @@ logger.org_apache_fontbox.level = off logger.org_apache_xmlbeans.name = org.apache.xmlbeans logger.org_apache_xmlbeans.level = off +logger.entitlements_ingest_attachment.name = org.elasticsearch.entitlement.runtime.policy.PolicyManager.ingest-attachment.ALL-UNNAMED +logger.entitlements_ingest_attachment.level = error + +logger.entitlements_repository_gcs.name = org.elasticsearch.entitlement.runtime.policy.PolicyManager.repository-gcs.ALL-UNNAMED +logger.entitlements_repository_gcs.level = error + logger.com_amazonaws.name = com.amazonaws logger.com_amazonaws.level = warn @@ -85,6 +91,9 @@ logger.com_amazonaws_auth_profile_internal_BasicProfileConfigFileLoader.level = logger.com_amazonaws_services_s3_internal_UseArnRegionResolver.name = com.amazonaws.services.s3.internal.UseArnRegionResolver logger.com_amazonaws_services_s3_internal_UseArnRegionResolver.level = error +logger.entitlements_repository_s3.name = org.elasticsearch.entitlement.runtime.policy.PolicyManager.repository-s3.ALL-UNNAMED +logger.entitlements_repository_s3.level = error + appender.audit_rolling.type = Console appender.audit_rolling.name = audit_rolling appender.audit_rolling.layout.type = PatternLayout @@ -190,4 +199,10 @@ logger.xmlsig.level = error logger.samlxml_decrypt.name = org.opensaml.xmlsec.encryption.support.Decrypter logger.samlxml_decrypt.level = fatal logger.saml2_decrypt.name = org.opensaml.saml.saml2.encryption.Decrypter -logger.saml2_decrypt.level = fatal \ No newline at end of file +logger.saml2_decrypt.level = fatal + +logger.entitlements_xpack_security.name = org.elasticsearch.entitlement.runtime.policy.PolicyManager.x-pack-security.org.elasticsearch.security +logger.entitlements_xpack_security.level = error + +logger.entitlements_inference.name = org.elasticsearch.entitlement.runtime.policy.PolicyManager.x-pack-inference.software.amazon.awssdk.profiles +logger.entitlements_inference.level = error 
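Review bot: The new `logger.entitlements_*` entries carry no comment saying why these loggers are capped at `error`. Each one names a `PolicyManager` logger for a specific plugin or module (`ingest-attachment`, `repository-gcs`, `repository-s3`, `x-pack-security`, `x-pack-inference`), so anything those loggers emit below `error` (presumably entitlement-denial warnings) no longer reaches the console. That output is useful when investigating unexpected plugin behaviour, so a comment above each group such as `# Known-benign entitlement warnings from <LIBRARY_PLACEHOLDER>; tracked in <ISSUE_PLACEHOLDER>` would let operators tell deliberate noise suppression from hidden denials. This applies to all four hunks in this file.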
diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 55b4377..708a6e9 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -9,14 +9,14 @@ # Build stage 0 `builder`: # Extract Kibana artifact ################################################################################ -FROM ubuntu:20.04 AS builder +FROM ubuntu:24.04 AS builder RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y curl RUN cd /tmp && \ curl --retry 8 -s -L \ --output kibana.tar.gz \ - https://artifacts.elastic.co/downloads/kibana/kibana-8.17.0-linux-$(arch).tar.gz && \ + https://artifacts.elastic.co/downloads/kibana/kibana-8.18.8-linux-$(arch).tar.gz && \ cd - RUN mkdir /usr/share/kibana @@ -61,7 +61,7 @@ RUN mkdir -p /usr/share/fonts/local && \ # Copy kibana from stage 0 # Add entrypoint ################################################################################ -FROM ubuntu:20.04 +FROM ubuntu:24.04 EXPOSE 5601 RUN for iter in {1..10}; do \ @@ -69,7 +69,7 @@ RUN for iter in {1..10}; do \ apt-get update && \ apt-get upgrade -y && \ apt-get install -y --no-install-recommends \ - fontconfig libnss3 curl ca-certificates && \ + fontconfig fonts-liberation libnss3 curl ca-certificates && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* && exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && \ sleep 10; \ 
@@ -103,30 +103,30 @@ RUN chmod g+ws /usr/share/kibana && \ RUN find / -xdev -perm -4000 -exec chmod u-s {} + # Provide a non-root user to run the process. -RUN groupadd --gid 1000 kibana && \ +RUN userdel -r ubuntu && groupadd --gid 1000 kibana && \ useradd --uid 1000 --gid 1000 -G 0 \ --home-dir /usr/share/kibana --no-create-home \ kibana -LABEL org.label-schema.build-date="2024-12-11T11:12:31.173Z" \ +LABEL org.label-schema.build-date="2025-10-02T20:20:10.933Z" \ org.label-schema.license="Elastic License" \ org.label-schema.name="Kibana" \ org.label-schema.schema-version="1.0" \ org.label-schema.url="https://www.elastic.co/products/kibana" \ org.label-schema.usage="https://www.elastic.co/guide/en/kibana/reference/index.html" \ - org.label-schema.vcs-ref="86cbc85e621f4f3f701ed230f4e859ac5a80145b" \ + org.label-schema.vcs-ref="08ece643671f3ee61a7297b3e67aa99e79a1aef7" \ org.label-schema.vcs-url="https://github.com/elastic/kibana" \ org.label-schema.vendor="Elastic" \ - org.label-schema.version="8.17.0" \ - org.opencontainers.image.created="2024-12-11T11:12:31.173Z" \ + org.label-schema.version="8.18.8" \ + org.opencontainers.image.created="2025-10-02T20:20:10.933Z" \ org.opencontainers.image.documentation="https://www.elastic.co/guide/en/kibana/reference/index.html" \ org.opencontainers.image.licenses="Elastic License" \ - org.opencontainers.image.revision="86cbc85e621f4f3f701ed230f4e859ac5a80145b" \ + org.opencontainers.image.revision="08ece643671f3ee61a7297b3e67aa99e79a1aef7" \ org.opencontainers.image.source="https://github.com/elastic/kibana" \ org.opencontainers.image.title="Kibana" \ org.opencontainers.image.url="https://www.elastic.co/products/kibana" \ org.opencontainers.image.vendor="Elastic" \ - org.opencontainers.image.version="8.17.0" + org.opencontainers.image.version="8.18.8" ENTRYPOINT ["/bin/tini", "--"] diff --git a/kibana/bin/kibana-docker b/kibana/bin/kibana-docker index f4ae377..1538ebb 100755 --- a/kibana/bin/kibana-docker 
+++ b/kibana/bin/kibana-docker @@ -85,6 +85,7 @@ kibana_vars=( elasticsearch.username enterpriseSearch.accessCheckTimeout enterpriseSearch.accessCheckTimeoutWarning + enterpriseSearch.appsDisabled enterpriseSearch.host externalUrl.policy i18n.locale @@ -165,6 +166,7 @@ kibana_vars=( server.name server.port server.protocol + server.prototypeHardening server.publicBaseUrl server.requestId.allowFromAnyIp server.requestId.ipAllowlist @@ -239,10 +241,11 @@ kibana_vars=( xpack.alerting.rules.run.actions.max xpack.alerting.rules.run.alerts.max xpack.alerting.rules.run.actions.connectorTypeOverrides - xpack.alerting.maxScheduledPerMinute xpack.alerts.healthCheck.interval xpack.alerts.invalidateApiKeysTask.interval xpack.alerts.invalidateApiKeysTask.removalDelay + xpack.alerting.rules.maxScheduledPerMinute + xpack.alerting.disabledRuleTypes xpack.apm.indices.error xpack.apm.indices.metric xpack.apm.indices.onboarding @@ -383,6 +386,7 @@ kibana_vars=( xpack.security.audit.appender.strategy.type xpack.security.audit.appender.type xpack.security.audit.enabled + xpack.security.audit.include_saved_object_names xpack.security.audit.ignore_filters xpack.security.authc.http.autoSchemesEnabled xpack.security.authc.http.enabled @@ -415,6 +419,7 @@ kibana_vars=( xpack.securitySolution.packagerTaskInterval xpack.securitySolution.prebuiltRulesPackageVersion xpack.spaces.maxSpaces + xpack.spaces.defaultSolution xpack.task_manager.capacity xpack.task_manager.claim_strategy xpack.task_manager.auto_calculate_default_ech_capacity diff --git a/logstash/Dockerfile b/logstash/Dockerfile index 8fbacad..c14f980 100644 --- a/logstash/Dockerfile +++ b/logstash/Dockerfile @@ -2,7 +2,7 @@ -FROM ubuntu:20.04 +FROM ubuntu:24.04 RUN for iter in {1..10}; do \ export DEBIAN_FRONTEND=noninteractive && \ 
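Review bot: In the `xpack.alerting` hunk, `xpack.alerting.maxScheduledPerMinute` is dropped and `xpack.alerting.rules.maxScheduledPerMinute` and `xpack.alerting.disabledRuleTypes` are appended after the `xpack.alerts.*` entries, which separates them from the other `xpack.alerting.*` keys in `kibana_vars`. Placing them with the existing `xpack.alerting.rules.*` lines keeps the list easier to audit. If this array is the allowlist of settings accepted from the environment (the code that consumes it is outside the hunk), a deployment still exporting the old key would have it ignored without any message. A changelog line or a one-time warning for the removed name would make that visible.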
@@ -22,13 +22,13 @@ sleep 10; done; \ (exit $exit_code) # Provide a non-root user to run the process. -RUN groupadd --gid 1000 logstash && \ - adduser --uid 1000 --gid 1000 --home /usr/share/logstash --no-create-home logstash +RUN userdel -r ubuntu && groupadd --gid 1000 logstash && \ + useradd --uid 1000 --gid 1000 --home /usr/share/logstash --no-create-home logstash # Add Logstash itself. -RUN curl -Lo - https://artifacts.elastic.co/downloads/logstash/logstash-8.17.0-linux-$(arch).tar.gz | \ +RUN curl -Lo - https://artifacts.elastic.co/downloads/logstash/logstash-8.18.8-linux-$(arch).tar.gz | \ tar zxf - -C /usr/share && \ - mv /usr/share/logstash-8.17.0 /usr/share/logstash && \ + mv /usr/share/logstash-8.18.8 /usr/share/logstash && \ chown --recursive logstash:logstash /usr/share/logstash/ && \ chown -R logstash:root /usr/share/logstash && \ chmod -R g=u /usr/share/logstash && \ @@ -54,7 +54,7 @@ ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 COPY env2yaml/env2yaml-amd64 env2yaml/env2yaml-arm64 env2yaml/ # Copy over the appropriate env2yaml artifact -RUN env2yamlarch="$(dpkg --print-architecture)"; \ +RUN set -eux; env2yamlarch="$(dpkg --print-architecture)"; \ case "${env2yamlarch}" in \ 'x86_64'|'amd64') \ env2yamlarch=amd64; \ 
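Review bot: The new `useradd` call passes `--home /usr/share/logstash`, whereas the Elasticsearch and Kibana hunks spell the option `--home-dir`. `--home` was the `adduser` spelling; with `useradd` it is presumably accepted only as an abbreviation of `--home-dir`, so writing it out avoids depending on option-prefix matching: `useradd --uid 1000 --gid 1000 --home-dir /usr/share/logstash --no-create-home logstash`.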
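Review bot: The `COPY env2yaml/env2yaml-amd64 env2yaml/env2yaml-arm64 env2yaml/` line above this RUN installs prebuilt executables that this same commit replaces as opaque blobs (`Binary files … differ`), with nothing on the page recording where they were built. A comment beside the COPY naming the source revision and expected digests, e.g. `# env2yaml built from <SOURCE_REVISION_PLACEHOLDER>; sha256 amd64=<SHA256_PLACEHOLDER> arm64=<SHA256_PLACEHOLDER>`, would let a reviewer verify them. Building env2yaml in a builder stage would remove the need to trust committed binaries. The RUN that begins in this hunk continues past its last line.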
@@ -82,14 +82,14 @@ LABEL org.label-schema.schema-version="1.0" \ org.opencontainers.image.vendor="Elastic" \ org.label-schema.name="logstash" \ org.opencontainers.image.title="logstash" \ - org.label-schema.version="8.17.0" \ - org.opencontainers.image.version="8.17.0" \ + org.label-schema.version="8.18.8" \ + org.opencontainers.image.version="8.18.8" \ org.label-schema.url="https://www.elastic.co/products/logstash" \ org.label-schema.vcs-url="https://github.com/elastic/logstash" \ org.label-schema.license="Elastic License" \ org.opencontainers.image.licenses="Elastic License" \ org.opencontainers.image.description="Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite 'stash.'" \ - org.label-schema.build-date=2024-12-05T00:55:38+00:00 \ - org.opencontainers.image.created=2024-12-05T00:55:38+00:00 + org.label-schema.build-date=2025-09-30T19:02:11+00:00 \ + org.opencontainers.image.created=2025-09-30T19:02:11+00:00 ENTRYPOINT ["/usr/local/bin/docker-entrypoint"] diff --git a/logstash/env2yaml/env2yaml-amd64 b/logstash/env2yaml/env2yaml-amd64 index b014d39..c0ccf53 100755 Binary files a/logstash/env2yaml/env2yaml-amd64 and b/logstash/env2yaml/env2yaml-amd64 differ diff --git a/logstash/env2yaml/env2yaml-arm64 b/logstash/env2yaml/env2yaml-arm64 index 61bc088..6a73e7d 100755 Binary files a/logstash/env2yaml/env2yaml-arm64 and b/logstash/env2yaml/env2yaml-arm64 differ