From b34224bc22c7a7e4ad15339080dc57a296c363ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mateusz=20Ko=C5=82odziejczyk?= Date: Sat, 14 Feb 2026 14:43:11 +0100 Subject: [PATCH 1/7] fix --- .../eck-ror/kind-cluster/ror/base/es.yml | 1 + environments/eck-ror/start.sh | 31 +++++++++++++++++++ environments/elk-ror/images/es/Dockerfile | 16 ++++++++++ 3 files changed, 48 insertions(+) diff --git a/environments/eck-ror/kind-cluster/ror/base/es.yml b/environments/eck-ror/kind-cluster/ror/base/es.yml index af494008..a4333475 100644 --- a/environments/eck-ror/kind-cluster/ror/base/es.yml +++ b/environments/eck-ror/kind-cluster/ror/base/es.yml @@ -12,6 +12,7 @@ spec: spec: containers: - name: elasticsearch + imagePullPolicy: IfNotPresent securityContext: runAsNonRoot: false runAsUser: 0 diff --git a/environments/eck-ror/start.sh b/environments/eck-ror/start.sh index 08753e97..e3d05993 100755 --- a/environments/eck-ror/start.sh +++ b/environments/eck-ror/start.sh 
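Review bot: `imagePullPolicy: IfNotPresent` is added to the elasticsearch container without a comment, and its reason can only be inferred from start.sh in the same patch, which rebuilds the image under the registry tag and loads it into the KinD cluster. Add a comment above it, for example `# IfNotPresent: run the JDK-patched image that start.sh loads into KinD under this tag instead of pulling the registry copy`. The comment should also say that a node without the loaded image will presumably pull the unpatched upstream image with no error, because both share one tag.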
@@ -123,12 +123,43 @@ if [[ -z $ES_VERSION || -z $KBN_VERSION ]]; then show_help fi +# ES 8.0.x and 8.1.x bundle JDK 17.0.2 which has cgroup v2 bug JDK-8287073: +# CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport flag is checked. +# Fixed in JDK 17.0.5+ (backport JDK-8288308). ES 8.2.0+ ships JDK 18+ which doesn't have the bug. +# We build a patched image with Amazon Corretto 17.0.5 and load it into the KinD cluster. +patch_es_image_if_needed() { + local MAJOR MINOR + MAJOR=$(echo "$ES_VERSION" | cut -d '.' -f1) + MINOR=$(echo "$ES_VERSION" | cut -d '.' -f2) + + if [[ "$MAJOR" -eq 8 && "$MINOR" -le 1 ]]; then + local ES_IMAGE="${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION}" + echo "ES $ES_VERSION bundles a JDK with cgroup v2 bug (JDK-8287073). Building patched image..." + docker build --build-arg ES_IMAGE="$ES_IMAGE" -t "$ES_IMAGE" -f - . <<'PATCH_DOCKERFILE' +ARG ES_IMAGE +FROM ${ES_IMAGE} +USER root +RUN ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ + curl -fsSL "https://corretto.aws/downloads/resources/17.0.5.8.1/amazon-corretto-17.0.5.8.1-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ + rm -rf /usr/share/elasticsearch/jdk && \ + mkdir -p /usr/share/elasticsearch/jdk && \ + tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ + rm /tmp/jdk.tar.gz +PATCH_DOCKERFILE + echo "Patched ES image built successfully: $ES_IMAGE" + kind load docker-image "$ES_IMAGE" --name eck-ror || { echo "Failed to load patched ES image into KinD cluster."; exit 1; } + echo "Patched ES image loaded into KinD cluster: $ES_IMAGE" + fi +} + echo "CONFIGURING K8S CLUSTER ..." 
kind create cluster --name eck-ror --config kind-cluster/kind-cluster-config.yml docker exec eck-ror-control-plane /bin/bash -c "sysctl -w vm.max_map_count=262144" docker exec eck-ror-worker /bin/bash -c "sysctl -w vm.max_map_count=262144" docker exec eck-ror-worker2 /bin/bash -c "sysctl -w vm.max_map_count=262144" +patch_es_image_if_needed + echo "CONFIGURING ECK $ECK_VERSION ..." diff --git a/environments/elk-ror/images/es/Dockerfile b/environments/elk-ror/images/es/Dockerfile index 71ff6212..f3c63541 100644 --- a/environments/elk-ror/images/es/Dockerfile +++ b/environments/elk-ror/images/es/Dockerfile @@ -4,6 +4,22 @@ ARG ROR_ES_VERSION="UNDEFINED_ROR_ES_VERSION" FROM ${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION} +# ES 8.0.x and 8.1.x bundle JDK 17.0.2 which has cgroup v2 bug JDK-8287073: +# CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport flag is checked. +# Fixed in JDK 17.0.5+ (backport JDK-8288308). ES 8.2.0+ ships JDK 18+ which doesn't have the bug. +# We replace the bundled JDK with Amazon Corretto 17.0.5 that contains the fix. +ARG ES_VERSION +USER root +RUN if echo "$ES_VERSION" | grep -qE '^8\.[01]\.'; then \ + ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ + echo "Replacing buggy bundled JDK 17.0.2 with Corretto 17.0.5 for ES $ES_VERSION (arch: $ARCH)" && \ + curl -fsSL "https://corretto.aws/downloads/resources/17.0.5.8.1/amazon-corretto-17.0.5.8.1-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ + rm -rf /usr/share/elasticsearch/jdk && \ + mkdir -p /usr/share/elasticsearch/jdk && \ + tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ + rm /tmp/jdk.tar.gz; \ + fi + USER elasticsearch COPY conf/es/readonlyrest.yml /usr/share/elasticsearch/config/readonlyrest.yml From c270d699f9703738fbe6f7f4eb17c5467039ba57 Mon Sep 17 00:00:00 2001 
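Review bot: The Dockerfile generated in `patch_es_image_if_needed` downloads the Corretto tarball and unpacks it over /usr/share/elasticsearch/jdk as root without checking what was downloaded, so TLS to corretto.aws is the only safeguard on the runtime that ends up in the image. Pin a digest per Corretto version and architecture and verify it before `tar`, e.g. add `echo "${CORRETTO_SHA256}  /tmp/jdk.tar.gz" | sha256sum -c - && \` after the `curl` line, with `CORRETTO_SHA256` (placeholder name) passed as a build arg. The `RUN` step added to environments/elk-ror/images/es/Dockerfile in this patch has the same gap. Separately, "Patched ES image built successfully" is printed without checking the `docker build` status, unlike the guarded `kind load` line below it.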
From: =?UTF-8?q?Mateusz=20Ko=C5=82odziejczyk?= Date: Sat, 14 Feb 2026 15:23:02 +0100 Subject: [PATCH 2/7] fix --- environments/eck-ror/start.sh | 20 ++++++++++++++------ environments/elk-ror/images/es/Dockerfile | 16 ++++++++++++---- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/environments/eck-ror/start.sh b/environments/eck-ror/start.sh index e3d05993..76d154c2 100755 --- a/environments/eck-ror/start.sh +++ b/environments/eck-ror/start.sh 
@@ -123,24 +123,32 @@ if [[ -z $ES_VERSION || -z $KBN_VERSION ]]; then show_help fi -# ES 8.0.x and 8.1.x bundle JDK 17.0.2 which has cgroup v2 bug JDK-8287073: +# ES 8.0.x–8.4.x bundle JDK 17.0.2 or JDK 18, both of which have cgroup v2 bug JDK-8287073: # CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport flag is checked. -# Fixed in JDK 17.0.5+ (backport JDK-8288308). ES 8.2.0+ ships JDK 18+ which doesn't have the bug. -# We build a patched image with Amazon Corretto 17.0.5 and load it into the KinD cluster. +# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+. ES 8.5.0+ ships JDK 19+. +# We build a patched image: Corretto 17.0.5 for ES 8.0–8.1, Corretto 19.0.0 for ES 8.2–8.4. patch_es_image_if_needed() { local MAJOR MINOR MAJOR=$(echo "$ES_VERSION" | cut -d '.' -f1) MINOR=$(echo "$ES_VERSION" | cut -d '.' -f2) + local CORRETTO_VERSION="" if [[ "$MAJOR" -eq 8 && "$MINOR" -le 1 ]]; then + CORRETTO_VERSION="17.0.5.8.1" + elif [[ "$MAJOR" -eq 8 && "$MINOR" -le 4 ]]; then + CORRETTO_VERSION="19.0.0.36.1" + fi + + if [[ -n "$CORRETTO_VERSION" ]]; then local ES_IMAGE="${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION}" - echo "ES $ES_VERSION bundles a JDK with cgroup v2 bug (JDK-8287073). Building patched image..." - docker build --build-arg ES_IMAGE="$ES_IMAGE" -t "$ES_IMAGE" -f - . <<'PATCH_DOCKERFILE' + echo "ES $ES_VERSION bundles a JDK with cgroup v2 bug (JDK-8287073). Building patched image with Corretto $CORRETTO_VERSION..." + docker build --build-arg ES_IMAGE="$ES_IMAGE" --build-arg CORRETTO_VERSION="$CORRETTO_VERSION" -t "$ES_IMAGE" -f - . 
<<'PATCH_DOCKERFILE' ARG ES_IMAGE FROM ${ES_IMAGE} USER root +ARG CORRETTO_VERSION RUN ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ - curl -fsSL "https://corretto.aws/downloads/resources/17.0.5.8.1/amazon-corretto-17.0.5.8.1-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ + curl -fsSL "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ rm -rf /usr/share/elasticsearch/jdk && \ mkdir -p /usr/share/elasticsearch/jdk && \ tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ diff --git a/environments/elk-ror/images/es/Dockerfile b/environments/elk-ror/images/es/Dockerfile index f3c63541..b510d295 100644 --- a/environments/elk-ror/images/es/Dockerfile +++ b/environments/elk-ror/images/es/Dockerfile 
@@ -4,20 +4,28 @@ ARG ROR_ES_VERSION="UNDEFINED_ROR_ES_VERSION" FROM ${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION} -# ES 8.0.x and 8.1.x bundle JDK 17.0.2 which has cgroup v2 bug JDK-8287073: +# ES 8.0.x–8.4.x bundle JDK 17.0.2 or JDK 18, both of which have cgroup v2 bug JDK-8287073: # CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport flag is checked. -# Fixed in JDK 17.0.5+ (backport JDK-8288308). ES 8.2.0+ ships JDK 18+ which doesn't have the bug. -# We replace the bundled JDK with Amazon Corretto 17.0.5 that contains the fix. +# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+. ES 8.5.0+ ships JDK 19+. +# We replace the bundled JDK: Corretto 17.0.5 for ES 8.0–8.1, Corretto 19.0.0 for ES 8.2–8.4. ARG ES_VERSION USER root RUN if echo "$ES_VERSION" | grep -qE '^8\.[01]\.'; then \ ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ - echo "Replacing buggy bundled JDK 17.0.2 with Corretto 17.0.5 for ES $ES_VERSION (arch: $ARCH)" && \ + echo "Replacing buggy bundled JDK 17 with Corretto 17.0.5 for ES $ES_VERSION (arch: $ARCH)" && \ curl -fsSL "https://corretto.aws/downloads/resources/17.0.5.8.1/amazon-corretto-17.0.5.8.1-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ rm -rf /usr/share/elasticsearch/jdk && \ mkdir -p /usr/share/elasticsearch/jdk && \ tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ rm /tmp/jdk.tar.gz; \ + elif echo "$ES_VERSION" | grep -qE '^8\.[234]\.'; then \ + ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ + echo "Replacing buggy bundled JDK 18 with Corretto 19.0.0 for ES $ES_VERSION (arch: $ARCH)" && \ + curl -fsSL "https://corretto.aws/downloads/resources/19.0.0.36.1/amazon-corretto-19.0.0.36.1-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ + rm -rf /usr/share/elasticsearch/jdk && \ + mkdir -p /usr/share/elasticsearch/jdk && \ + tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ + rm /tmp/jdk.tar.gz; \ fi USER 
elasticsearch From 5d1f91a49db1bdb98cbc2d404d635f30042730ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mateusz=20Ko=C5=82odziejczyk?= Date: Sat, 14 Feb 2026 16:23:37 +0100 Subject: [PATCH 3/7] fix --- environments/eck-ror/start.sh | 19 ++++++++---- environments/elk-ror/images/es/Dockerfile | 37 ++++++++++++++--------- 2 files changed, 35 insertions(+), 21 deletions(-) diff --git a/environments/eck-ror/start.sh b/environments/eck-ror/start.sh index 76d154c2..e2cf79e3 100755 --- a/environments/eck-ror/start.sh +++ b/environments/eck-ror/start.sh 
@@ -123,17 +123,24 @@ if [[ -z $ES_VERSION || -z $KBN_VERSION ]]; then show_help fi -# ES 8.0.x–8.4.x bundle JDK 17.0.2 or JDK 18, both of which have cgroup v2 bug JDK-8287073: -# CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport flag is checked. -# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+. ES 8.5.0+ ships JDK 19+. -# We build a patched image: Corretto 17.0.5 for ES 8.0–8.1, Corretto 19.0.0 for ES 8.2–8.4. +# ES 7.16.x–7.17.6 and 8.0.x–8.4.x bundle JDK 17.0.1/17.0.2 or JDK 18, which have cgroup v2 +# bug JDK-8287073: CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport is checked. +# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+. +# We build a patched image: Corretto 17.0.5 for JDK-17 builds, Corretto 19.0.0 for JDK-18 builds. patch_es_image_if_needed() { - local MAJOR MINOR + local MAJOR MINOR PATCH MAJOR=$(echo "$ES_VERSION" | cut -d '.' -f1) MINOR=$(echo "$ES_VERSION" | cut -d '.' -f2) + PATCH=$(echo "$ES_VERSION" | cut -d '.' -f3) local CORRETTO_VERSION="" - if [[ "$MAJOR" -eq 8 && "$MINOR" -le 1 ]]; then + if [[ "$MAJOR" -eq 7 && "$MINOR" -eq 16 ]]; then + CORRETTO_VERSION="17.0.5.8.1" + elif [[ "$MAJOR" -eq 7 && "$MINOR" -eq 17 && "$PATCH" -le 2 ]]; then + CORRETTO_VERSION="17.0.5.8.1" + elif [[ "$MAJOR" -eq 7 && "$MINOR" -eq 17 && "$PATCH" -le 6 ]]; then + CORRETTO_VERSION="19.0.0.36.1" + elif [[ "$MAJOR" -eq 8 && "$MINOR" -le 1 ]]; then CORRETTO_VERSION="17.0.5.8.1" elif [[ "$MAJOR" -eq 8 && "$MINOR" -le 4 ]]; then CORRETTO_VERSION="19.0.0.36.1" diff --git a/environments/elk-ror/images/es/Dockerfile b/environments/elk-ror/images/es/Dockerfile index b510d295..1adb4046 100644 --- a/environments/elk-ror/images/es/Dockerfile +++ b/environments/elk-ror/images/es/Dockerfile 
@@ -4,24 +4,31 @@ ARG ROR_ES_VERSION="UNDEFINED_ROR_ES_VERSION" FROM ${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION} -# ES 8.0.x–8.4.x bundle JDK 17.0.2 or JDK 18, both of which have cgroup v2 bug JDK-8287073: -# CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport flag is checked. -# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+. ES 8.5.0+ ships JDK 19+. -# We replace the bundled JDK: Corretto 17.0.5 for ES 8.0–8.1, Corretto 19.0.0 for ES 8.2–8.4. +# ES 7.16.x–7.17.6 and 8.0.x–8.4.x bundle JDK 17.0.1/17.0.2 or JDK 18, which have cgroup v2 +# bug JDK-8287073: CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport is checked. +# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+. +# We replace the bundled JDK: Corretto 17.0.5 for JDK-17 builds, Corretto 19.0.0 for JDK-18 builds. ARG ES_VERSION USER root -RUN if echo "$ES_VERSION" | grep -qE '^8\.[01]\.'; then \ +RUN MAJOR=$(echo "$ES_VERSION" | cut -d. -f1) && \ + MINOR=$(echo "$ES_VERSION" | cut -d. -f2) && \ + PATCH=$(echo "$ES_VERSION" | cut -d. 
-f3) && \ + CORRETTO_VERSION="" && \ + if [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 16 ]; then \ + CORRETTO_VERSION="17.0.5.8.1"; \ + elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 17 ] && [ "$PATCH" -le 2 ]; then \ + CORRETTO_VERSION="17.0.5.8.1"; \ + elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 17 ] && [ "$PATCH" -le 6 ]; then \ + CORRETTO_VERSION="19.0.0.36.1"; \ + elif [ "$MAJOR" -eq 8 ] && [ "$MINOR" -le 1 ]; then \ + CORRETTO_VERSION="17.0.5.8.1"; \ + elif [ "$MAJOR" -eq 8 ] && [ "$MINOR" -le 4 ]; then \ + CORRETTO_VERSION="19.0.0.36.1"; \ + fi && \ + if [ -n "$CORRETTO_VERSION" ]; then \ ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ - echo "Replacing buggy bundled JDK 17 with Corretto 17.0.5 for ES $ES_VERSION (arch: $ARCH)" && \ - curl -fsSL "https://corretto.aws/downloads/resources/17.0.5.8.1/amazon-corretto-17.0.5.8.1-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ - rm -rf /usr/share/elasticsearch/jdk && \ - mkdir -p /usr/share/elasticsearch/jdk && \ - tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ - rm /tmp/jdk.tar.gz; \ - elif echo "$ES_VERSION" | grep -qE '^8\.[234]\.'; then \ - ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ - echo "Replacing buggy bundled JDK 18 with Corretto 19.0.0 for ES $ES_VERSION (arch: $ARCH)" && \ - curl -fsSL "https://corretto.aws/downloads/resources/19.0.0.36.1/amazon-corretto-19.0.0.36.1-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ + echo "Replacing buggy bundled JDK with Corretto $CORRETTO_VERSION for ES $ES_VERSION (arch: $ARCH)" && \ + curl -fsSL "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ rm -rf /usr/share/elasticsearch/jdk && \ mkdir -p /usr/share/elasticsearch/jdk && \ tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ From 9f502643f7e3e17c3a2107d622ae0a3d65d7895f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mateusz=20Ko=C5=82odziejczyk?= Date: Sat, 14 Feb 2026 17:11:48 +0100 Subject: [PATCH 4/7] fix --- environments/eck-ror/start.sh | 2 +- environments/elk-ror/images/es/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/environments/eck-ror/start.sh b/environments/eck-ror/start.sh index e2cf79e3..29bab5e2 100755 --- a/environments/eck-ror/start.sh +++ b/environments/eck-ror/start.sh @@ -155,7 +155,7 @@ FROM ${ES_IMAGE} USER root ARG CORRETTO_VERSION RUN ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ - curl -fsSL "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ + curl -fsSLk "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ rm -rf /usr/share/elasticsearch/jdk && \ mkdir -p /usr/share/elasticsearch/jdk && \ tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ diff --git a/environments/elk-ror/images/es/Dockerfile b/environments/elk-ror/images/es/Dockerfile index 1adb4046..341d9d1a 100644 --- a/environments/elk-ror/images/es/Dockerfile +++ b/environments/elk-ror/images/es/Dockerfile 
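Review bot: Changing `curl -fsSL` to `curl -fsSLk` in the heredoc turns off TLS certificate verification for the Corretto download, and nothing else in the `RUN` step checks the archive before it replaces /usr/share/elasticsearch/jdk as root. The JDK that Elasticsearch runs on is then accepted from whatever endpoint answers, with no authenticity check left. If the trigger was a stale CA bundle in the older base images (an assumption; the commit message only says "fix"), keep `-fsSL` and address that instead, either by refreshing the image's CA certificates or by passing a known bundle with `--cacert`, and verify a pinned SHA-256 of the tarball before `tar`. The same change is made to environments/elk-ror/images/es/Dockerfile in this patch and is carried into patch-es-jdk.sh in PATCH 5/7.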
@@ -28,7 +28,7 @@ RUN MAJOR=$(echo "$ES_VERSION" | cut -d. -f1) && \ if [ -n "$CORRETTO_VERSION" ]; then \ ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ echo "Replacing buggy bundled JDK with Corretto $CORRETTO_VERSION for ES $ES_VERSION (arch: $ARCH)" && \ - curl -fsSL "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ + curl -fsSLk "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ rm -rf /usr/share/elasticsearch/jdk && \ mkdir -p /usr/share/elasticsearch/jdk && \ tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ From b196371316b8da681aa174243a77af402ad11a8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mateusz=20Ko=C5=82odziejczyk?= Date: Sat, 14 Feb 2026 19:48:00 +0100 Subject: [PATCH 5/7] wip --- .../common/images/es-jdk-patch/Dockerfile | 7 +++ .../images/es-jdk-patch/patch-es-jdk.sh | 42 +++++++++++++++++ environments/eck-ror/start.sh | 47 ++++--------------- environments/elk-ror/base.docker-compose.yml | 4 +- environments/elk-ror/images/es/Dockerfile | 39 ++------------- environments/elk-ror/start.sh | 8 ++++ 6 files changed, 71 insertions(+), 76 deletions(-) create mode 100644 environments/common/images/es-jdk-patch/Dockerfile create mode 100755 environments/common/images/es-jdk-patch/patch-es-jdk.sh diff --git a/environments/common/images/es-jdk-patch/Dockerfile b/environments/common/images/es-jdk-patch/Dockerfile new file mode 100644 index 00000000..d96b21d0 --- /dev/null +++ b/environments/common/images/es-jdk-patch/Dockerfile @@ -0,0 +1,7 @@ +ARG BASE_IMAGE +FROM ${BASE_IMAGE} + +ARG ES_VERSION +USER root +COPY patch-es-jdk.sh /tmp/patch-es-jdk.sh +RUN chmod +x /tmp/patch-es-jdk.sh && ES_VERSION=${ES_VERSION} /tmp/patch-es-jdk.sh && rm -f /tmp/patch-es-jdk.sh 
diff --git a/environments/common/images/es-jdk-patch/patch-es-jdk.sh b/environments/common/images/es-jdk-patch/patch-es-jdk.sh new file mode 100755 index 00000000..e2c96418 --- /dev/null +++ b/environments/common/images/es-jdk-patch/patch-es-jdk.sh 
@@ -0,0 +1,42 @@
+#!/bin/sh
+# ES 7.16.x-7.17.6 and 8.0.x-8.4.x bundle JDK 17.0.1/17.0.2 or JDK 18, which have cgroup v2
+# bug JDK-8287073: CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport is checked.
+# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+.
+# We replace the bundled JDK: Corretto 17.0.5 for JDK-17 builds, Corretto 19.0.0 for JDK-18 builds.
+#
+# Usage:
+# ES_VERSION=7.16.0 ./patch-es-jdk.sh # patch the JDK in /usr/share/elasticsearch/jdk
+# ES_VERSION=7.16.0 ./patch-es-jdk.sh --check # exit 0 if patching is needed, 1 otherwise
+set -e
+
+MAJOR=$(echo "$ES_VERSION" | cut -d. -f1)
+MINOR=$(echo "$ES_VERSION" | cut -d. -f2)
+PATCH=$(echo "$ES_VERSION" | cut -d. -f3)
+
+CORRETTO_VERSION=""
+if [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 16 ]; then
+ CORRETTO_VERSION="17.0.5.8.1"
+elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 17 ] && [ "$PATCH" -le 2 ]; then
+ CORRETTO_VERSION="17.0.5.8.1"
+elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 17 ] && [ "$PATCH" -le 6 ]; then
+ CORRETTO_VERSION="19.0.0.36.1"
+elif [ "$MAJOR" -eq 8 ] && [ "$MINOR" -le 1 ]; then
+ CORRETTO_VERSION="17.0.5.8.1"
+elif [ "$MAJOR" -eq 8 ] && [ "$MINOR" -le 4 ]; then
+ CORRETTO_VERSION="19.0.0.36.1"
+fi
+
+if [ "$1" = "--check" ]; then
+ [ -n "$CORRETTO_VERSION" ]
+ exit $?
+fi
+
+if [ -n "$CORRETTO_VERSION" ]; then
+ ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/')
+ echo "Replacing buggy bundled JDK with Corretto $CORRETTO_VERSION for ES $ES_VERSION (arch: $ARCH)"
+ curl -fsSLk "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz
+ rm -rf /usr/share/elasticsearch/jdk
+ mkdir -p /usr/share/elasticsearch/jdk
+ tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1
+ rm /tmp/jdk.tar.gz
+fi
diff --git a/environments/eck-ror/start.sh b/environments/eck-ror/start.sh
index 29bab5e2..606cec6d 100755
--- a/environments/eck-ror/start.sh
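Review bot: A missing or non-numeric ES_VERSION component is silently treated as "no patch needed" by the version tests. With `PATCH` empty (a two-part version) or `3-SNAPSHOT`, `[ "$PATCH" -le 2 ]` errors out, and because the test sits in an `if` condition `set -e` does not stop the script, so every branch is skipped and `--check` exits 1 exactly as it does for an unaffected version. Fail loudly instead: add `: "${ES_VERSION:?ES_VERSION must be set}"` after `set -e`, and `PATCH=${PATCH%%[!0-9]*}` after the `cut` lines so a suffix does not defeat the comparison. If the current behaviour is intended, the Usage comment should say that `--check` also returns 1 for versions it cannot parse.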
+++ b/environments/eck-ror/start.sh 
@@ -123,44 +123,17 @@ if [[ -z $ES_VERSION || -z $KBN_VERSION ]]; then show_help fi -# ES 7.16.x–7.17.6 and 8.0.x–8.4.x bundle JDK 17.0.1/17.0.2 or JDK 18, which have cgroup v2 -# bug JDK-8287073: CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport is checked. -# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+. -# We build a patched image: Corretto 17.0.5 for JDK-17 builds, Corretto 19.0.0 for JDK-18 builds. -patch_es_image_if_needed() { - local MAJOR MINOR PATCH - MAJOR=$(echo "$ES_VERSION" | cut -d '.' -f1) - MINOR=$(echo "$ES_VERSION" | cut -d '.' -f2) - PATCH=$(echo "$ES_VERSION" | cut -d '.' -f3) - - local CORRETTO_VERSION="" - if [[ "$MAJOR" -eq 7 && "$MINOR" -eq 16 ]]; then - CORRETTO_VERSION="17.0.5.8.1" - elif [[ "$MAJOR" -eq 7 && "$MINOR" -eq 17 && "$PATCH" -le 2 ]]; then - CORRETTO_VERSION="17.0.5.8.1" - elif [[ "$MAJOR" -eq 7 && "$MINOR" -eq 17 && "$PATCH" -le 6 ]]; then - CORRETTO_VERSION="19.0.0.36.1" - elif [[ "$MAJOR" -eq 8 && "$MINOR" -le 1 ]]; then - CORRETTO_VERSION="17.0.5.8.1" - elif [[ "$MAJOR" -eq 8 && "$MINOR" -le 4 ]]; then - CORRETTO_VERSION="19.0.0.36.1" - fi +PATCH_SCRIPT_DIR="../common/images/es-jdk-patch" - if [[ -n "$CORRETTO_VERSION" ]]; then - local ES_IMAGE="${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION}" - echo "ES $ES_VERSION bundles a JDK with cgroup v2 bug (JDK-8287073). Building patched image with Corretto $CORRETTO_VERSION..." - docker build --build-arg ES_IMAGE="$ES_IMAGE" --build-arg CORRETTO_VERSION="$CORRETTO_VERSION" -t "$ES_IMAGE" -f - . 
<<'PATCH_DOCKERFILE' -ARG ES_IMAGE -FROM ${ES_IMAGE} -USER root -ARG CORRETTO_VERSION -RUN ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ - curl -fsSLk "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ - rm -rf /usr/share/elasticsearch/jdk && \ - mkdir -p /usr/share/elasticsearch/jdk && \ - tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ - rm /tmp/jdk.tar.gz -PATCH_DOCKERFILE +patch_es_image_if_needed() { + local ES_IMAGE="${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION}" + if ES_VERSION="$ES_VERSION" "$PATCH_SCRIPT_DIR/patch-es-jdk.sh" --check; then + echo "ES $ES_VERSION bundles a JDK with cgroup v2 bug (JDK-8287073). Building patched image..." + docker build \ + --build-arg BASE_IMAGE="$ES_IMAGE" \ + --build-arg ES_VERSION="$ES_VERSION" \ + -t "$ES_IMAGE" \ + "$PATCH_SCRIPT_DIR" echo "Patched ES image built successfully: $ES_IMAGE" kind load docker-image "$ES_IMAGE" --name eck-ror || { echo "Failed to load patched ES image into KinD cluster."; exit 1; } echo "Patched ES image loaded into KinD cluster: $ES_IMAGE" diff --git a/environments/elk-ror/base.docker-compose.yml b/environments/elk-ror/base.docker-compose.yml index 44100111..860a9d48 100644 --- a/environments/elk-ror/base.docker-compose.yml +++ b/environments/elk-ror/base.docker-compose.yml @@ -5,9 +5,7 @@ services: context: . dockerfile: images/es/Dockerfile args: - ROR_ES_REPO: $ROR_ES_REPO - ES_VERSION: $ES_VERSION - ROR_ES_VERSION: $ROR_ES_VERSION + ES_PATCHED_IMAGE: $ES_PATCHED_IMAGE ports: - "9200:9200" - "5005:5005" diff --git a/environments/elk-ror/images/es/Dockerfile b/environments/elk-ror/images/es/Dockerfile index 341d9d1a..17819644 100644 --- a/environments/elk-ror/images/es/Dockerfile +++ b/environments/elk-ror/images/es/Dockerfile 
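Review bot: The new `docker build` in `patch_es_image_if_needed` is followed unconditionally by `echo "Patched ES image built successfully: $ES_IMAGE"`. Unless the script runs under `set -e` (not visible in this hunk), a failed build is reported as success and `kind load` then ships whatever image already carries the `$ES_IMAGE` tag, which would be the unpatched one. Guard it the way the `kind load` line already is, by ending the command with `"$PATCH_SCRIPT_DIR" || { echo "Failed to build patched ES image."; exit 1; }`. The `docker build` added to environments/elk-ror/start.sh in this patch is unchecked in the same way, and there a stale `es-ror-patched:${ES_VERSION}` tag from an earlier run could be picked up by compose. The function's closing lines are outside the hunk.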
@@ -1,39 +1,6 @@ -ARG ES_VERSION="UNDEFINED_ES_VERSION" -ARG ROR_ES_REPO="UNDEFINED_ROR_ES_REPO" -ARG ROR_ES_VERSION="UNDEFINED_ROR_ES_VERSION" +ARG ES_PATCHED_IMAGE -FROM ${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION} - -# ES 7.16.x–7.17.6 and 8.0.x–8.4.x bundle JDK 17.0.1/17.0.2 or JDK 18, which have cgroup v2 -# bug JDK-8287073: CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport is checked. -# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+. -# We replace the bundled JDK: Corretto 17.0.5 for JDK-17 builds, Corretto 19.0.0 for JDK-18 builds. -ARG ES_VERSION -USER root -RUN MAJOR=$(echo "$ES_VERSION" | cut -d. -f1) && \ - MINOR=$(echo "$ES_VERSION" | cut -d. -f2) && \ - PATCH=$(echo "$ES_VERSION" | cut -d. -f3) && \ - CORRETTO_VERSION="" && \ - if [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 16 ]; then \ - CORRETTO_VERSION="17.0.5.8.1"; \ - elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 17 ] && [ "$PATCH" -le 2 ]; then \ - CORRETTO_VERSION="17.0.5.8.1"; \ - elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 17 ] && [ "$PATCH" -le 6 ]; then \ - CORRETTO_VERSION="19.0.0.36.1"; \ - elif [ "$MAJOR" -eq 8 ] && [ "$MINOR" -le 1 ]; then \ - CORRETTO_VERSION="17.0.5.8.1"; \ - elif [ "$MAJOR" -eq 8 ] && [ "$MINOR" -le 4 ]; then \ - CORRETTO_VERSION="19.0.0.36.1"; \ - fi && \ - if [ -n "$CORRETTO_VERSION" ]; then \ - ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/') && \ - echo "Replacing buggy bundled JDK with Corretto $CORRETTO_VERSION for ES $ES_VERSION (arch: $ARCH)" && \ - curl -fsSLk "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz && \ - rm -rf /usr/share/elasticsearch/jdk && \ - mkdir -p /usr/share/elasticsearch/jdk && \ - tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1 && \ - rm /tmp/jdk.tar.gz; \ - fi +FROM ${ES_PATCHED_IMAGE} USER elasticsearch 
@@ -49,4 +16,4 @@ COPY certs/elasticsearch.key /usr/share/elasticsearch/config/elasticsearch.key ENV I_UNDERSTAND_AND_ACCEPT_ES_PATCHING yes # For ROR_ES_VERSION < 1.64.0 ENV I_UNDERSTAND_IMPLICATION_OF_ES_PATCHING yes -USER root \ No newline at end of file +USER root diff --git a/environments/elk-ror/start.sh b/environments/elk-ror/start.sh index 584ba140..967c1878 100755 --- a/environments/elk-ror/start.sh +++ b/environments/elk-ror/start.sh @@ -116,6 +116,14 @@ if [[ -z $ES_VERSION || -z $KBN_VERSION ]]; then show_help fi +echo "Building JDK-patched ES base image ..." +export ES_PATCHED_IMAGE="es-ror-patched:${ES_VERSION}" +docker build \ + --build-arg BASE_IMAGE="${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION}" \ + --build-arg ES_VERSION="$ES_VERSION" \ + -t "$ES_PATCHED_IMAGE" \ + ../common/images/es-jdk-patch/ + echo "Bootstrapping the docker-based environment ..." echo "Cluster type: $CLUSTER_TYPE" From ae54946886f5fb06f33c7b140909c540e1c49851 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mateusz=20Ko=C5=82odziejczyk?= Date: Sat, 14 Feb 2026 23:37:44 +0100 Subject: [PATCH 6/7] fix --- environments/common/images/es-jdk-patch/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/environments/common/images/es-jdk-patch/Dockerfile b/environments/common/images/es-jdk-patch/Dockerfile index d96b21d0..53344970 100644 --- a/environments/common/images/es-jdk-patch/Dockerfile +++ b/environments/common/images/es-jdk-patch/Dockerfile @@ -5,3 +5,4 @@ ARG ES_VERSION USER root COPY patch-es-jdk.sh /tmp/patch-es-jdk.sh RUN chmod +x /tmp/patch-es-jdk.sh && ES_VERSION=${ES_VERSION} /tmp/patch-es-jdk.sh && rm -f /tmp/patch-es-jdk.sh +USER elasticsearch From 1cc55410f9fb78a5561e323e80cefb1be7b270d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mateusz=20Ko=C5=82odziejczyk?= Date: Mon, 16 Feb 2026 08:49:01 +0100 Subject: [PATCH 7/7] fix --- environments/common/images/es-jdk-patch/patch-es-jdk.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/environments/common/images/es-jdk-patch/patch-es-jdk.sh b/environments/common/images/es-jdk-patch/patch-es-jdk.sh index e2c96418..58822abb 100755 --- a/environments/common/images/es-jdk-patch/patch-es-jdk.sh +++ b/environments/common/images/es-jdk-patch/patch-es-jdk.sh @@ -1,5 +1,5 @@ #!/bin/sh -# ES 7.16.x-7.17.6 and 8.0.x-8.4.x bundle JDK 17.0.1/17.0.2 or JDK 18, which have cgroup v2 +# ES 7.15.1-7.17.6 and 8.0.x-8.4.x bundle JDK 17.0.0/17.0.1/17.0.2 or JDK 18, which have cgroup v2 # bug JDK-8287073: CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport is checked. # Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+. # We replace the bundled JDK: Corretto 17.0.5 for JDK-17 builds, Corretto 19.0.0 for JDK-18 builds. @@ -14,7 +14,9 @@ MINOR=$(echo "$ES_VERSION" | cut -d. -f2) PATCH=$(echo "$ES_VERSION" | cut -d. -f3) CORRETTO_VERSION="" -if [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 16 ]; then +if [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 15 ] && [ "$PATCH" -ge 1 ]; then + CORRETTO_VERSION="17.0.5.8.1" +elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 16 ]; then CORRETTO_VERSION="17.0.5.8.1" elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 17 ] && [ "$PATCH" -le 2 ]; then CORRETTO_VERSION="17.0.5.8.1"