From d100a8fd69067c59569eaef4d164fb5fe784822e Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Wed, 8 Jan 2025 15:27:18 +0200
Subject: [PATCH 1/2] Switch Docker images to UBI (#42150)

* feat: replace default ubuntu based images with ubi-minimal based ones

* fix: re-introduce -ubi suffixed images
---
 CHANGELOG.next.asciidoc | 1 +
 dev-tools/packaging/packages.yml | 4 +-
 .../templates/docker/Dockerfile.tmpl | 40 +++++++++----------
 3 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b61eb2a9ee2f..8d3046df620d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -17,6 +17,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Drop support for Debian 10 and upgrade statically linked glibc from 2.28 to 2.31 {pull}41402[41402]
 - Fix metrics not being ingested, due to "Limit of total fields [10000] has been exceeded while adding new fields [...]". The total fields limit has been increased to 12500. No significant performance impact on Elasticsearch is anticipated. {pull}41640[41640]
 - Set default kafka version to 2.1.0 in kafka output and filebeat. {pull}41662[41662]
+- Replace default Ubuntu-based images with UBI-minimal-based ones {pull}42150[42150]
 - Fix templates and docs to use correct `--` version of command line arguments. {issue}42038[42038] {pull}42060[42060]
 
 *Auditbeat*
diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
index 1391368cf0bd..0c7acfe07e11 100644
--- a/dev-tools/packaging/packages.yml
+++ b/dev-tools/packaging/packages.yml
@@ -159,7 +159,7 @@ shared:
   - &docker_spec
     <<: *binary_spec
     extra_vars:
-      from: '--platform=linux/amd64 ubuntu:24.04'
+      from: '--platform=linux/amd64 docker.elastic.co/ubi9/ubi-minimal'
       buildFrom: '--platform=linux/amd64 cgr.dev/chainguard/wolfi-base'
       user: '{{ .BeatName }}'
       linux_capabilities: ''
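Review bot: The new base reference in the `from:` line, `docker.elastic.co/ubi9/ubi-minimal`, carries no tag or digest, whereas the value it replaces was pinned to `ubuntu:24.04`; an untagged reference resolves to `latest` at build time, so two builds of the same beats commit can ship different base layers with different CVE exposure and scanner findings cannot be traced to a known base. Pinning the same way the removed line did, e.g. `from: '--platform=linux/amd64 docker.elastic.co/ubi9/ubi-minimal:<tag-placeholder>'` or a `@sha256:<digest-placeholder>` reference, keeps the image build reproducible. The arm64 `from:` line in the following hunk at `@@ -172,7 +172,7 @@` has the same issue. The existing `docker_ubi_spec` entry is visible only by its anchor, so whether the `-ubi` variant's base is pinned cannot be confirmed from this diff.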
@@ -172,7 +172,7 @@ shared:
   - &docker_arm_spec
     <<: *docker_spec
     extra_vars:
-      from: '--platform=linux/arm64 ubuntu:24.04'
+      from: '--platform=linux/arm64 docker.elastic.co/ubi9/ubi-minimal'
       buildFrom: '--platform=linux/arm64 cgr.dev/chainguard/wolfi-base'
 
   - &docker_ubi_spec
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
index 1643e308c9a3..64b6a155e1eb 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
@@ -49,25 +49,14 @@ RUN for iter in {1..10}; do \
 {{- if contains .from "ubi-minimal" }}
 RUN for iter in {1..10}; do \
     microdnf -y update && \
-    microdnf -y install findutils shadow-utils && \
+    microdnf -y install findutils shadow-utils ca-certificates \
+    gawk libcap xz tar && \
     microdnf clean all && \
     exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; \
   done; \
   (exit $exit_code)
 {{- end }}
 
-{{- if contains .from "ubuntu" }}
-RUN touch /var/mail/ubuntu && chown ubuntu /var/mail/ubuntu && userdel -r ubuntu
-
-RUN for iter in {1..10}; do \
-    apt-get update -y && \
-    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes ca-certificates curl gawk libcap2-bin xz-utils && \
-    apt-get clean all && \
-    exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \
-  done; \
-  (exit $exit_code)
-{{- end }}
-
 LABEL \
   org.label-schema.build-date="{{ date }}" \
   org.label-schema.schema-version="1.0" \
@@ -166,7 +155,7 @@ USER {{ .user }}
 RUN (npm i -g --loglevel verbose --production --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 ${NPM_CONFIG_PREFIX}/_logs/* && exit 1')
 {{- end }}
 
-{{- if (and (eq .BeatName "heartbeat") (contains .from "ubuntu")) }}
+{{- if (and (eq .BeatName "heartbeat") (contains .from "ubi-minimal")) }}
 USER root
 ENV NODE_PATH={{ $beatHome }}/.node
 RUN echo \
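Review bot: The removed Ubuntu block installed `curl` explicitly, but the new `microdnf -y install findutils shadow-utils ca-certificates gawk libcap xz tar` list in the `ubi-minimal` block does not, while the heartbeat step later in this file (hunk `@@ -217,12 +206,23 @@`) downloads fonts with `curl -LO`. Whether the `ubi-minimal` base ships a curl binary is not visible from this diff; if the template relies on the base image providing it, a one-line comment such as `# curl is expected from the ubi-minimal base image; ca-certificates supplies its trust store` on the install line, or adding `curl` to the list, would make the dependency explicit. The `ca-certificates` package added here is what gives those later HTTPS downloads a CA bundle to validate against, so the two hunks are coupled and worth documenting together. The `LABEL` statement at the end of this hunk continues outside it.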
@@ -217,12 +206,23 @@ USER root
 # We don't use npx playwright install-deps because that could pull a newer version
 # Install additional fonts as well
 RUN for iter in {1..10}; do \
-    apt-get update -y && \
-    $NODE_PATH/node/lib/node_modules/@elastic/synthetics/node_modules/.bin/playwright install-deps chromium && \
-    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
-      fonts-noto \
-      fonts-noto-cjk && \
-    exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \
+    microdnf -y update && \
+    microdnf -y install fontconfig freetype cairo glib2 gtk3 pango xorg-x11-fonts-misc xorg-x11-fonts-Type1 \
+      at-spi2-atk atk at-spi2-core alsa-lib cups-libs dbus-libs libdrm mesa-libEGL mesa-libgbm nspr nss libX11 \
+      libX11-xcb libxcb libXcomposite libXdamage libXext libXfixes libXrandr libxkbcommon libxshmfence glib2 \
+      dbus-glib libicu mesa-libGL unzip -y && \
+    mkdir -p /usr/share/fonts/google-noto && \
+    curl -LO https://noto-website-2.storage.googleapis.com/pkgs/NotoSansCJKjp-hinted.zip && \
+    unzip NotoSansCJKjp-hinted.zip -d /usr/share/fonts/google-noto && \
+    rm -f NotoSansCJKjp-hinted.zip && \
+    microdnf -y remove unzip && \
+    curl -LO https://github.com/googlefonts/noto-fonts/raw/main/hinted/ttf/NotoSans/NotoSans-Regular.ttf && \
+    mv NotoSans-Regular.ttf /usr/share/fonts/google-noto && \
+    curl -LO https://github.com/googlefonts/noto-emoji/raw/main/fonts/NotoColorEmoji.ttf && \
+    mv NotoColorEmoji.ttf /usr/share/fonts/google-noto && \
+    fc-cache -fv && \
+    microdnf clean all && \
+    exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; \
   done; \
   (exit $exit_code)
 {{- end }}

From 725345c71d57eda366dd363574ca2718dfbce46a Mon Sep 17 00:00:00 2001
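Review bot: The three `curl -LO` downloads in the new heartbeat font step fetch from mutable locations — the two GitHub URLs point at `raw/main/...` rather than a commit — and nothing verifies what was fetched, so a changed or compromised upstream file silently ends up in every published heartbeat image, which undercuts the reproducibility the comment above the `RUN` (avoiding `playwright install-deps` because it "could pull a newer version") is trying to preserve. `curl` is also invoked without `-f`, so an HTTP error body would be saved as the `.ttf` file and the `&&` chain would carry on; only the zip download fails visibly, at `unzip`. Pinning each GitHub URL to a commit SHA and checking every artifact, e.g. `curl -fLO <url> && echo "<sha256-placeholder>  NotoSans-Regular.ttf" | sha256sum -c -`, addresses both, and the same applies to `NotoSansCJKjp-hinted.zip` and `NotoColorEmoji.ttf`. Minor: `glib2` appears twice in the `microdnf -y install` list and `-y` is passed twice on that command.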
From: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>
Date: Wed, 8 Jan 2025 17:50:28 -0300
Subject: [PATCH 2/2] Remove TLSv1.0 from supported protocols (#42267)

---
 libbeat/docs/shared-ssl-config.asciidoc | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc
index 3c456de42060..a4bcd2223b9d 100644
--- a/libbeat/docs/shared-ssl-config.asciidoc
+++ b/libbeat/docs/shared-ssl-config.asciidoc
@@ -66,7 +66,7 @@ heartbeat.monitors:
     ports: [80, 9200, 5044]
     ssl:
       certificate_authorities: ['/etc/ca.crt']
-      supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+      supported_protocols: ["TLSv1.1", "TLSv1.2"]
 -------------------------------------------------------------------------------
 endif::[]
 
@@ -120,10 +120,9 @@ SSL settings are disabled if either `enabled` is set to `false` or the
 List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions
 not configured, the connection will be dropped during or after the handshake. The
 setting is a list of allowed protocol versions:
-`TLSv1` for TLS version 1.0, `TLSv1.0`, `TLSv1.1`, `TLSv1.2`, and
-`TLSv1.3`.
+`TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
 
-The default value is `[TLSv1.1, TLSv1.2, TLSv1.3]`.
+The default value is `[TLSv1.2, TLSv1.3]`.
 
 [float]
 [[cipher-suites]]
@@ -406,7 +405,7 @@ supports SSL.
 [[server-certificate-authorities]]
 ==== `certificate_authorities`
 
-The list of root certificates for client verifications is only required if 
+The list of root certificates for client verifications is only required if
 `client_authentication` is configured. If `certificate_authorities` is empty or
 not set, and `client_authentication` is configured, the system keystore is used.