Merge branch 'main' into e2etest

CHANGELOG.next.asciidoc

@@ -17,6 +17,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Drop support for Debian 10 and upgrade statically linked glibc from 2.28 to 2.31 {pull}41402[41402]
 - Fix metrics not being ingested, due to "Limit of total fields [10000] has been exceeded while adding new fields [...]". The total fields limit has been increased to 12500. No significant performance impact on Elasticsearch is anticipated. {pull}41640[41640]
 - Set default kafka version to 2.1.0 in kafka output and filebeat. {pull}41662[41662]
+- Replace default Ubuntu-based images with UBI-minimal-based ones {pull}42150[42150]
 - Fix templates and docs to use correct `--` version of command line arguments. {issue}42038[42038] {pull}42060[42060]
 
 *Auditbeat*

dev-tools/packaging/packages.yml

@@ -159,7 +159,7 @@ shared:
   - &docker_spec
     <<: *binary_spec
     extra_vars:
-      from: '--platform=linux/amd64 ubuntu:24.04'
+      from: '--platform=linux/amd64 docker.elastic.co/ubi9/ubi-minimal'
       buildFrom: '--platform=linux/amd64 cgr.dev/chainguard/wolfi-base'
       user: '{{ .BeatName }}'
       linux_capabilities: ''
@@ -172,7 +172,7 @@ shared:
   - &docker_arm_spec
     <<: *docker_spec
     extra_vars:
-      from: '--platform=linux/arm64 ubuntu:24.04'
+      from: '--platform=linux/arm64 docker.elastic.co/ubi9/ubi-minimal'
       buildFrom: '--platform=linux/arm64 cgr.dev/chainguard/wolfi-base'
 
   - &docker_ubi_spec

dev-tools/packaging/templates/docker/Dockerfile.tmpl

@@ -49,25 +49,14 @@ RUN for iter in {1..10}; do \
 {{- if contains .from "ubi-minimal" }}
 RUN for iter in {1..10}; do \
         microdnf -y update && \
-        microdnf -y install findutils shadow-utils && \
+        microdnf -y install findutils shadow-utils ca-certificates \
+        gawk libcap xz tar && \
         microdnf clean all && \
         exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; \
     done; \
     (exit $exit_code)
 {{- end }}
 
-{{- if contains .from "ubuntu" }}
-RUN touch /var/mail/ubuntu && chown ubuntu /var/mail/ubuntu && userdel -r ubuntu
-
-RUN for iter in {1..10}; do \
-        apt-get update -y && \
-        DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes ca-certificates curl gawk libcap2-bin xz-utils && \
-        apt-get clean all && \
-        exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \
-    done; \
-    (exit $exit_code)
-{{- end }}
-
 LABEL \
   org.label-schema.build-date="{{ date }}" \
   org.label-schema.schema-version="1.0" \
@@ -166,7 +155,7 @@ USER {{ .user }}
 RUN (npm i -g --loglevel verbose --production --engine-strict  @elastic/synthetics@stack_release || sh -c 'tail -n +1 ${NPM_CONFIG_PREFIX}/_logs/* && exit 1')
 {{- end }}
 
-{{- if (and (eq .BeatName "heartbeat") (contains .from "ubuntu")) }}
+{{- if (and (eq .BeatName "heartbeat") (contains .from "ubi-minimal")) }}
 USER root
 ENV NODE_PATH={{ $beatHome }}/.node
 RUN echo \
@@ -217,12 +206,23 @@ USER root
 # We don't use npx playwright install-deps because that could pull a newer version
 # Install additional fonts as well
 RUN for iter in {1..10}; do \
-    apt-get update -y && \
-    $NODE_PATH/node/lib/node_modules/@elastic/synthetics/node_modules/.bin/playwright install-deps chromium && \
-    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
-    fonts-noto \
-    fonts-noto-cjk && \
-    exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \
+    microdnf -y update && \
+    microdnf -y install fontconfig freetype cairo glib2 gtk3 pango xorg-x11-fonts-misc xorg-x11-fonts-Type1 \
+    at-spi2-atk atk at-spi2-core alsa-lib cups-libs dbus-libs libdrm mesa-libEGL mesa-libgbm nspr nss libX11 \
+    libX11-xcb libxcb libXcomposite libXdamage libXext libXfixes libXrandr libxkbcommon libxshmfence glib2 \
+    dbus-glib libicu mesa-libGL unzip -y && \
+    mkdir -p /usr/share/fonts/google-noto && \
+    curl -LO https://noto-website-2.storage.googleapis.com/pkgs/NotoSansCJKjp-hinted.zip && \
+    unzip NotoSansCJKjp-hinted.zip -d /usr/share/fonts/google-noto && \
+    rm -f NotoSansCJKjp-hinted.zip && \
+    microdnf -y remove unzip && \
+    curl -LO https://github.com/googlefonts/noto-fonts/raw/main/hinted/ttf/NotoSans/NotoSans-Regular.ttf && \
+    mv NotoSans-Regular.ttf /usr/share/fonts/google-noto && \
+    curl -LO https://github.com/googlefonts/noto-emoji/raw/main/fonts/NotoColorEmoji.ttf && \
+    mv NotoColorEmoji.ttf /usr/share/fonts/google-noto && \
+    fc-cache -fv && \
+    microdnf clean all && \
+    exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; \
 done; \
 (exit $exit_code)
 {{- end }}

libbeat/docs/shared-ssl-config.asciidoc

@@ -66,7 +66,7 @@ heartbeat.monitors:
   ports: [80, 9200, 5044]
   ssl:
     certificate_authorities: ['/etc/ca.crt']
-    supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+    supported_protocols: ["TLSv1.1", "TLSv1.2"]
 -------------------------------------------------------------------------------
 endif::[]
 
@@ -120,10 +120,9 @@ SSL settings are disabled if either `enabled` is set to `false` or the
 List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions
 not configured, the connection will be dropped during or after the handshake. The
 setting is a list of allowed protocol versions:
-`TLSv1` for TLS version 1.0, `TLSv1.0`, `TLSv1.1`, `TLSv1.2`, and
-`TLSv1.3`.
+`TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
 
-The default value is `[TLSv1.1, TLSv1.2, TLSv1.3]`.
+The default value is `[TLSv1.2, TLSv1.3]`.
 
 [float]
 [[cipher-suites]]
@@ -406,7 +405,7 @@ supports SSL.
 [[server-certificate-authorities]]
 ==== `certificate_authorities`
 
-The list of root certificates for client verifications is only required if 
+The list of root certificates for client verifications is only required if
 `client_authentication` is configured. If `certificate_authorities` is empty or not set, and
 `client_authentication` is configured, the system keystore is used.