From 30cfd036a1bcc447ee61cd1c233109ea7c44bdbf Mon Sep 17 00:00:00 2001
From: Rene Groeschke
Date: Wed, 4 Dec 2024 10:10:38 +0100
Subject: [PATCH] Some cleanup
---
 .../org/elasticsearch/gradle/internal/DockerBase.java | 2 --
 distribution/docker/build.gradle | 10 ++++------
 distribution/docker/src/docker/Dockerfile.fips | 4 ++--
 .../docker/src/docker/config/elasticsearch.yml | 6 ------
 4 files changed, 6 insertions(+), 16 deletions(-)
diff --git a/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java b/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java
index a4555963ded6e..59050d8e3729e 100644
--- a/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java
+++ b/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java
@@ -30,11 +30,9 @@ public enum DockerBase {
 // Based on WOLFI above, with more extras. We don't set a base image because
 // we programmatically extend from the wolfi image.
 CLOUD_ESS(null, "-cloud-ess", "apk"),
-
 // Based on WOLFI above, we programmatically extend from the wolfi image.
 FIPS(null, "-fips", "apk");
-
 private final String image;
 private final String suffix;
 private final String packageManager;
diff --git a/distribution/docker/build.gradle b/distribution/docker/build.gradle
index c10c3367e2441..3c75d2c0600d2 100644
--- a/distribution/docker/build.gradle
+++ b/distribution/docker/build.gradle
@@ -113,8 +113,8 @@ dependencies {
 filebeat_x86_64 "beats:filebeat:${VersionProperties.elasticsearch}:linux-x86_64@tar.gz"
 metricbeat_aarch64 "beats:metricbeat:${VersionProperties.elasticsearch}:linux-arm64@tar.gz"
 metricbeat_x86_64 "beats:metricbeat:${VersionProperties.elasticsearch}:linux-x86_64@tar.gz"
- fips "org.bouncycastle:bctls-fips:1.0.17"
- fips "org.bouncycastle:bc-fips:1.0.2.4"
+ fips "org.bouncycastle:bctls-fips:1.0.19"
+ fips "org.bouncycastle:bc-fips:1.0.2.5"
 }
 ext.expansions = { Architecture architecture, DockerBase base ->
@@ -570,19 +570,17 @@ void addBuildCloudDockerImageTasks(Architecture architecture) {
 }
 // fips
-//String javaSecurityFilename = buildParams.runtimeJavaDetails.get().toLowerCase().contains('oracle') ? 'fips_java_oracle.security' : 'fips_java.security'
-String javaSecurityFilename = 'fips_java.security'
+String javaSecurityFilename = buildParams.runtimeJavaDetails.get().toLowerCase().contains('oracle') ? 'fips_java_oracle.security' : 'fips_java.security'
+//String javaSecurityFilename = 'fips_java.security'
 File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
 File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)
 File fipsPolicy = new File(fipsResourcesDir, 'fips_java.policy')
-//File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
 TaskProvider fipsResourcesTask = tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
 fipsResourcesTask.configure {
 outputDir = fipsResourcesDir
 copy javaSecurityFilename
 copy 'fips_java.policy'
-// copy 'cacerts.bcfks'
 }
 for (final Architecture architecture : Architecture.values()) {
diff --git a/distribution/docker/src/docker/Dockerfile.fips b/distribution/docker/src/docker/Dockerfile.fips
index 13237ff5d1ded..b8fa023e1016e 100644
--- a/distribution/docker/src/docker/Dockerfile.fips
+++ b/distribution/docker/src/docker/Dockerfile.fips
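Review bot: In the `// fips` hunk of `distribution/docker/build.gradle`, `javaSecurityFilename` is now picked by a substring match on `buildParams.runtimeJavaDetails`, which by its name describes the JVM configured for the build, and nothing visible in the hunk ties that value to the JDK that ends up inside the FIPS image. If the two can differ, the image would ship `java.security` overrides written for the other vendor, so the assumption deserves a comment above the assignment such as `// the security properties file must match the JDK shipped in the image; runtimeJavaDetails is assumed to describe it`, or the choice should be derived from the image's JDK instead. The superseded assignment is also kept as a commented-out line (`//String javaSecurityFilename = 'fips_java.security'`); in a cleanup commit it can simply be deleted. Where `fipsSecurity` is consumed lies outside the hunk.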
@@ -27,8 +27,8 @@ RUN cp node1/node1.crt config
 RUN cp node1/node1.key config
 WORKDIR /usr/share/elasticsearch/config
-# Add policies for FIPS
-RUN cat < elasticsearch.yml
+# Add fips specific configuration
+RUN cat <> elasticsearch.yml
 xpack.security.fips_mode.enabled: true
 xpack.security.enabled: true
 xpack.security.http.ssl.enabled: true
diff --git a/distribution/docker/src/docker/config/elasticsearch.yml b/distribution/docker/src/docker/config/elasticsearch.yml
index 3368f4a89a645..50b154702b941 100644
--- a/distribution/docker/src/docker/config/elasticsearch.yml
+++ b/distribution/docker/src/docker/config/elasticsearch.yml
@@ -1,8 +1,2 @@
 cluster.name: "docker-cluster"
 network.host: 0.0.0.0
-#xpack.security.fips_mode.enabled: true
-#xpack.security.autoconfiguration.enabled: false
-## xpack.security.fips_mode.required_providers: ["BCFIPS"]
-#xpack.security.fips_mode.required_providers: ["BCFIPS", "BCJSSE"]
-#xpack.security.authc.password_hashing.algorithm: "pbkdf2_stretch"
-## xpack.security.transport.ssl.enabled: true
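Review bot: In the `Dockerfile.fips` hunk, the context line `RUN cp node1/node1.key config` places a private key in the config directory at build time, so the key that the appended `xpack.security.http.ssl` settings presumably rely on is stored in an image layer and is the same in every container started from the image. If the image is meant for testing only, a comment above the `RUN cp` lines should say so, for example `# test-only certificate and key; do not use in deployed images`; otherwise the key should be supplied at runtime rather than baked in. Separately, the redirect on the new `RUN cat` line appears to append (the heredoc operator is partly lost in this rendering), which means a setting present both in the stock `elasticsearch.yml` and in this block would become a duplicate key that Elasticsearch would likely reject at startup, so the two need to stay disjoint. The heredoc body continues past the end of the hunk.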