beshu-tech · coutoPL · Feb 16, 2026 · Feb 14, 2026 · Feb 14, 2026 · Feb 14, 2026
diff --git a/environments/common/images/es-jdk-patch/Dockerfile b/environments/common/images/es-jdk-patch/Dockerfile
@@ -0,0 +1,8 @@
+ARG BASE_IMAGE
+FROM ${BASE_IMAGE}
+
+ARG ES_VERSION
+USER root
+COPY patch-es-jdk.sh /tmp/patch-es-jdk.sh
+RUN chmod +x /tmp/patch-es-jdk.sh && ES_VERSION=${ES_VERSION} /tmp/patch-es-jdk.sh && rm -f /tmp/patch-es-jdk.sh
+USER elasticsearch
diff --git a/environments/common/images/es-jdk-patch/patch-es-jdk.sh b/environments/common/images/es-jdk-patch/patch-es-jdk.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+# ES 7.15.1-7.17.6 and 8.0.x-8.4.x bundle JDK 17.0.0/17.0.1/17.0.2 or JDK 18, which have cgroup v2
+# bug JDK-8287073: CgroupV2Subsystem.getInstance() NPEs before UseContainerSupport is checked.
+# Fixed in JDK 17.0.5+ (backport JDK-8288308) and JDK 19+.
+# We replace the bundled JDK: Corretto 17.0.5 for JDK-17 builds, Corretto 19.0.0 for JDK-18 builds.
+#
+# Usage:
+#   ES_VERSION=7.16.0 ./patch-es-jdk.sh          # patch the JDK in /usr/share/elasticsearch/jdk
+#   ES_VERSION=7.16.0 ./patch-es-jdk.sh --check   # exit 0 if patching is needed, 1 otherwise
+set -e
+
+MAJOR=$(echo "$ES_VERSION" | cut -d. -f1)
+MINOR=$(echo "$ES_VERSION" | cut -d. -f2)
+PATCH=$(echo "$ES_VERSION" | cut -d. -f3)
+
+CORRETTO_VERSION=""
+if [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 15 ] && [ "$PATCH" -ge 1 ]; then
+  CORRETTO_VERSION="17.0.5.8.1"
+elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 16 ]; then
+  CORRETTO_VERSION="17.0.5.8.1"
+elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 17 ] && [ "$PATCH" -le 2 ]; then
+  CORRETTO_VERSION="17.0.5.8.1"
+elif [ "$MAJOR" -eq 7 ] && [ "$MINOR" -eq 17 ] && [ "$PATCH" -le 6 ]; then
+  CORRETTO_VERSION="19.0.0.36.1"
+elif [ "$MAJOR" -eq 8 ] && [ "$MINOR" -le 1 ]; then
+  CORRETTO_VERSION="17.0.5.8.1"
+elif [ "$MAJOR" -eq 8 ] && [ "$MINOR" -le 4 ]; then
+  CORRETTO_VERSION="19.0.0.36.1"
+fi
+
+if [ "$1" = "--check" ]; then
+  [ -n "$CORRETTO_VERSION" ]
+  exit $?
+fi
+
+if [ -n "$CORRETTO_VERSION" ]; then
+  ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/arm64/aarch64/')
+  echo "Replacing buggy bundled JDK with Corretto $CORRETTO_VERSION for ES $ES_VERSION (arch: $ARCH)"
+  curl -fsSLk "https://corretto.aws/downloads/resources/${CORRETTO_VERSION}/amazon-corretto-${CORRETTO_VERSION}-linux-${ARCH}.tar.gz" -o /tmp/jdk.tar.gz
+  rm -rf /usr/share/elasticsearch/jdk
+  mkdir -p /usr/share/elasticsearch/jdk
+  tar xzf /tmp/jdk.tar.gz -C /usr/share/elasticsearch/jdk --strip-components=1
+  rm /tmp/jdk.tar.gz
+fi
diff --git a/environments/eck-ror/kind-cluster/ror/base/es.yml b/environments/eck-ror/kind-cluster/ror/base/es.yml
@@ -12,6 +12,7 @@ spec:
         spec:
           containers:
             - name: elasticsearch
+              imagePullPolicy: IfNotPresent
               securityContext:
                 runAsNonRoot: false
                 runAsUser: 0

diff --git a/environments/eck-ror/start.sh b/environments/eck-ror/start.sh
@@ -123,12 +123,31 @@ if [[ -z $ES_VERSION || -z $KBN_VERSION ]]; then
   show_help
 fi
 
+PATCH_SCRIPT_DIR="../common/images/es-jdk-patch"
+
+patch_es_image_if_needed() {
+  local ES_IMAGE="${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION}"
+  if ES_VERSION="$ES_VERSION" "$PATCH_SCRIPT_DIR/patch-es-jdk.sh" --check; then
+    echo "ES $ES_VERSION bundles a JDK with cgroup v2 bug (JDK-8287073). Building patched image..."
+    docker build \
+      --build-arg BASE_IMAGE="$ES_IMAGE" \
+      --build-arg ES_VERSION="$ES_VERSION" \
+      -t "$ES_IMAGE" \
+      "$PATCH_SCRIPT_DIR"
+    echo "Patched ES image built successfully: $ES_IMAGE"
+    kind load docker-image "$ES_IMAGE" --name eck-ror || { echo "Failed to load patched ES image into KinD cluster."; exit 1; }
+    echo "Patched ES image loaded into KinD cluster: $ES_IMAGE"
+  fi
+}
+
 echo "CONFIGURING K8S CLUSTER ..."
 kind create cluster --name eck-ror --config kind-cluster/kind-cluster-config.yml
 docker exec eck-ror-control-plane /bin/bash -c "sysctl -w vm.max_map_count=262144"
 docker exec eck-ror-worker        /bin/bash -c "sysctl -w vm.max_map_count=262144"
 docker exec eck-ror-worker2       /bin/bash -c "sysctl -w vm.max_map_count=262144"
 
+patch_es_image_if_needed
+
 
 
 echo "CONFIGURING ECK $ECK_VERSION ..."

diff --git a/environments/elk-ror/base.docker-compose.yml b/environments/elk-ror/base.docker-compose.yml
@@ -5,9 +5,7 @@ services:
       context: .
       dockerfile: images/es/Dockerfile
       args:
-        ROR_ES_REPO: $ROR_ES_REPO
-        ES_VERSION: $ES_VERSION
-        ROR_ES_VERSION: $ROR_ES_VERSION
+        ES_PATCHED_IMAGE: $ES_PATCHED_IMAGE
     ports:
       - "9200:9200"
       - "5005:5005"

diff --git a/environments/elk-ror/images/es/Dockerfile b/environments/elk-ror/images/es/Dockerfile
@@ -1,8 +1,6 @@
-ARG ES_VERSION="UNDEFINED_ES_VERSION"
-ARG ROR_ES_REPO="UNDEFINED_ROR_ES_REPO"
-ARG ROR_ES_VERSION="UNDEFINED_ROR_ES_VERSION"
+ARG ES_PATCHED_IMAGE
 
-FROM ${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION}
+FROM ${ES_PATCHED_IMAGE}
 
 USER elasticsearch
 
@@ -18,4 +16,4 @@ COPY certs/elasticsearch.key /usr/share/elasticsearch/config/elasticsearch.key
 ENV I_UNDERSTAND_AND_ACCEPT_ES_PATCHING yes
 # For ROR_ES_VERSION < 1.64.0
 ENV I_UNDERSTAND_IMPLICATION_OF_ES_PATCHING yes
-USER root
+USER root
diff --git a/environments/elk-ror/start.sh b/environments/elk-ror/start.sh
@@ -116,6 +116,14 @@ if [[ -z $ES_VERSION || -z $KBN_VERSION ]]; then
   show_help
 fi
 
+echo "Building JDK-patched ES base image ..."
+export ES_PATCHED_IMAGE="es-ror-patched:${ES_VERSION}"
+docker build \
+  --build-arg BASE_IMAGE="${ROR_ES_REPO}:${ES_VERSION}-ror-${ROR_ES_VERSION}" \
+  --build-arg ES_VERSION="$ES_VERSION" \
+  -t "$ES_PATCHED_IMAGE" \
+  ../common/images/es-jdk-patch/
+
 echo "Bootstrapping the docker-based environment ..."
 echo "Cluster type: $CLUSTER_TYPE"