From f13df6750fb2c453b81cbcec153db472fcc3e8dd Mon Sep 17 00:00:00 2001 From: Tyler Smalley Date: Thu, 1 Apr 2021 21:45:31 -0700 Subject: [PATCH] Upgrade Kibana to 7.12.0 Signed-off-by: Tyler Smalley --- Dockerfile | 6 +- README.md | 8 +- {scripts => bin}/kibana-docker | 143 ++++++++++++++++++++++----------- hardening_manifest.yaml | 10 +-- 4 files changed, 105 insertions(+), 62 deletions(-) rename {scripts => bin}/kibana-docker (84%) diff --git a/Dockerfile b/Dockerfile index 2e04564..4cfa264 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,8 +14,8 @@ RUN yum update --setopt=tsflags=nodocs -y && \ RUN mkdir /usr/share/kibana WORKDIR /usr/share/kibana -COPY --chown=1000:0 kibana-7.11.2-linux-x86_64.tar.gz . -RUN tar --strip-components=1 -zxf kibana-7.11.2-linux-x86_64.tar.gz +COPY --chown=1000:0 kibana-7.12.0-linux-x86_64.tar.gz . +RUN tar --strip-components=1 -zxf kibana-7.12.0-linux-x86_64.tar.gz # Ensure that group permissions are the same as user permissions. # This will help when relying on GID-0 to run Kibana, rather than UID-1000. @@ -59,7 +59,7 @@ COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml # Add the launcher/wrapper script. It knows how to interpret environment # variables and translate them to Kibana CLI options. -COPY --chown=1000:0 scripts/kibana-docker /usr/local/bin/ +COPY --chown=1000:0 bin/kibana-docker /usr/local/bin/ # Remove the suid bit everywhere to mitigate "Stack Clash" RUN find / -xdev -perm -4000 -exec chmod u-s {} + diff --git a/README.md b/README.md index ca01515..ca08793 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ https://www.elastic.co/products/kibana. ### Installation instructions -Please follow the documentation on [running Kibana on Docker](https://www.elastic.co/guide/en/kibana/7.9/docker.html). +Please follow the documentation on [running Kibana on Docker](https://www.elastic.co/guide/en/kibana/7.12/docker.html). ### Where to file issues and PRs 
@@ -25,17 +25,15 @@ Due to the [NODE-SECURITY-1184](https://www.npmjs.com/advisories/1184) issue, Ki - [Kibana Discuss Forums](https://discuss.elastic.co/c/kibana) - [Kibana Documentation](https://www.elastic.co/guide/en/kibana/current/index.html) - ### Still need help? You can learn more about the Elastic Community and also understand how to get more help visiting [Elastic Community](https://www.elastic.co/community). - This software is governed by the [Elastic -License](https://github.com/elastic/elasticsearch/blob/7.9/licenses/ELASTIC-LICENSE.txt), +License](https://github.com/elastic/elasticsearch/blob/7.12/licenses/ELASTIC-LICENSE.txt), and includes the full set of [free features](https://www.elastic.co/subscriptions). View the detailed release notes -[here](https://www.elastic.co/guide/en/elasticsearch/reference/7.9/es-release-notes.html). +[here](https://www.elastic.co/guide/en/elasticsearch/reference/7.12/es-release-notes.html). diff --git a/scripts/kibana-docker b/bin/kibana-docker similarity index 84% rename from scripts/kibana-docker rename to bin/kibana-docker index 33f994c..12752e0 100755 --- a/scripts/kibana-docker +++ b/bin/kibana-docker @@ -15,11 +15,17 @@ # --elasticsearch.logQueries=true kibana_vars=( + apm_oss.apmAgentConfigurationIndex + apm_oss.errorIndices + apm_oss.indexPattern + apm_oss.metricsIndices + apm_oss.onboardingIndices + apm_oss.sourcemapIndices + apm_oss.spanIndices + apm_oss.transactionIndices console.enabled console.proxyConfig console.proxyFilter - ops.cGroupOverrides.cpuPath - ops.cGroupOverrides.cpuAcctPath cpu.cgroup.path.override cpuacct.cgroup.path.override csp.rules 
@@ -41,10 +47,10 @@ kibana_vars=(
 elasticsearch.ssl.certificateAuthorities
 elasticsearch.ssl.key
 elasticsearch.ssl.keyPassphrase
- elasticsearch.ssl.keystore.path
 elasticsearch.ssl.keystore.password
- elasticsearch.ssl.truststore.path
+ elasticsearch.ssl.keystore.path
 elasticsearch.ssl.truststore.password
+ elasticsearch.ssl.truststore.path
 elasticsearch.ssl.verificationMode
 elasticsearch.username
 enterpriseSearch.accessCheckTimeout
@@ -76,34 +82,42 @@ kibana_vars=(
 map.tilemap.options.minZoom
 map.tilemap.options.subdomains
 map.tilemap.url
+ migrations.batchSize
+ migrations.enableV2
+ migrations.pollInterval
+ migrations.scrollDuration
+ migrations.skip
 monitoring.cluster_alerts.email_notifications.email_address
 monitoring.enabled
 monitoring.kibana.collection.enabled
 monitoring.kibana.collection.interval
 monitoring.ui.container.elasticsearch.enabled
 monitoring.ui.container.logstash.enabled
- monitoring.ui.elasticsearch.password
- monitoring.ui.elasticsearch.pingTimeout
 monitoring.ui.elasticsearch.hosts
- monitoring.ui.elasticsearch.username
 monitoring.ui.elasticsearch.logFetchCount
+ monitoring.ui.elasticsearch.password
+ monitoring.ui.elasticsearch.pingTimeout
 monitoring.ui.elasticsearch.ssl.certificateAuthorities
 monitoring.ui.elasticsearch.ssl.verificationMode
+ monitoring.ui.elasticsearch.username
 monitoring.ui.enabled
 monitoring.ui.max_bucket_size
 monitoring.ui.min_interval_seconds
 newsfeed.enabled
+ ops.cGroupOverrides.cpuAcctPath
+ ops.cGroupOverrides.cpuPath
 ops.interval
 path.data
 pid.file
 regionmap
 security.showInsecureClusterWarning
 server.basePath
- server.customResponseHeaders
 server.compression.enabled
 server.compression.referrerWhitelist
 server.cors
 server.cors.origin
+ server.customResponseHeaders
+ server.customResponseHeaders
 server.defaultRoute
 server.host
 server.keepAliveTimeout
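Review bot: `server.customResponseHeaders` is added twice on consecutive lines in the re-sorted `server.*` block of the `@@ -76,34 +82,42 @@` hunk. The old list already carried the name in two separate places (the second copy is removed in the `@@ -117,20 +131,24 @@` hunk), so the sort has only moved the duplicate next to itself. The loop that consumes `kibana_vars` is outside this hunk, but if it emits one CLI option per entry the header setting would presumably be passed to Kibana twice. Keep a single `server.customResponseHeaders` line.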
@@ -117,20 +131,24 @@ kibana_vars=(
 server.ssl.certificateAuthorities
 server.ssl.cipherSuites
 server.ssl.clientAuthentication
- server.customResponseHeaders
 server.ssl.enabled
 server.ssl.key
 server.ssl.keyPassphrase
- server.ssl.keystore.path
 server.ssl.keystore.password
- server.ssl.truststore.path
- server.ssl.truststore.password
+ server.ssl.keystore.path
 server.ssl.redirectHttpFromPort
 server.ssl.supportedProtocols
+ server.ssl.truststore.password
+ server.ssl.truststore.path
 server.xsrf.disableProtection
 server.xsrf.whitelist
 status.allowAnonymous
 status.v6ApiFormat
+ telemetry.allowChangingOptInStatus
+ telemetry.enabled
+ telemetry.optIn
+ telemetry.optInStatusUrl
+ telemetry.sendUsageFrom
 tilemap.options.attribution
 tilemap.options.maxZoom
 tilemap.options.minZoom
@@ -138,39 +156,45 @@ kibana_vars=(
 tilemap.url
 timelion.enabled
 vega.enableExternalUrls
+ xpack.actions.allowedHosts
+ xpack.actions.enabled
+ xpack.actions.enabledActionTypes
+ xpack.actions.preconfigured
+ xpack.actions.proxyHeaders
+ xpack.actions.proxyRejectUnauthorizedCertificates
 xpack.actions.proxyUrl
+ xpack.actions.rejectUnauthorized
+ xpack.alerts.healthCheck.interval
+ xpack.alerts.invalidateApiKeysTask.interval
+ xpack.alerts.invalidateApiKeysTask.removalDelay
 xpack.apm.enabled
 xpack.apm.serviceMapEnabled
 xpack.apm.ui.enabled
 xpack.apm.ui.maxTraceItems
 xpack.apm.ui.transactionGroupBucketSize
- apm_oss.apmAgentConfigurationIndex
- apm_oss.indexPattern
- apm_oss.errorIndices
- apm_oss.onboardingIndices
- apm_oss.spanIndices
- apm_oss.sourcemapIndices
- apm_oss.transactionIndices
- apm_oss.metricsIndices
 xpack.canvas.enabled
- xpack.code.ui.enabled
 xpack.code.disk.thresholdEnabled
 xpack.code.disk.watermarkLow
- xpack.code.maxWorkspace
 xpack.code.indexRepoFrequencyMs
- xpack.code.updateRepoFrequencyMs
 xpack.code.lsp.verbose
- xpack.code.verbose
+ xpack.code.maxWorkspace
 xpack.code.security.enableGitCertCheck
 xpack.code.security.gitHostWhitelist
 xpack.code.security.gitProtocolWhitelist
+ xpack.code.ui.enabled
+ xpack.code.updateRepoFrequencyMs
+ xpack.code.verbose
 xpack.encryptedSavedObjects.encryptionKey
 xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys
+ xpack.event_log.enabled
+ xpack.event_log.indexEntries
+ xpack.event_log.logEntries
 xpack.fleet.agents.elasticsearch.host
 xpack.fleet.agents.kibana.host
 xpack.fleet.agents.tlsCheckDisabled
- xpack.graph.enabled
+ xpack.fleet.registryUrl
 xpack.graph.canEditDrillDownUrls
+ xpack.graph.enabled
 xpack.graph.savePolicy
 xpack.grokdebugger.enabled
 xpack.infra.enabled
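Review bot: Several names added to `kibana_vars` in this hunk control outbound trust or can hold credentials, and nothing in the list says so. `xpack.actions.rejectUnauthorized` and `xpack.actions.proxyRejectUnauthorizedCertificates` let certificate verification for connector traffic be switched off from the container environment, and `xpack.actions.preconfigured` and `xpack.actions.proxyHeaders` can contain connector secrets or proxy credentials. The Dockerfile comment in this patch says the wrapper translates environment variables into Kibana CLI options, so such values would presumably end up in the process arguments as well as the container environment, where they are easy to read back. I would add a comment above the array such as `# Values set through these variables are passed as command-line options; keep secrets in the Kibana keystore or a mounted kibana.yml.` The array and the translation loop both extend beyond this hunk.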
@@ -194,28 +218,28 @@ kibana_vars=(
 xpack.reporting.capture.browser.chromium.disableSandbox
 xpack.reporting.capture.browser.chromium.inspect
 xpack.reporting.capture.browser.chromium.maxScreenshotDimension
+ xpack.reporting.capture.browser.chromium.proxy.bypass
 xpack.reporting.capture.browser.chromium.proxy.enabled
 xpack.reporting.capture.browser.chromium.proxy.server
- xpack.reporting.capture.browser.chromium.proxy.bypass
 xpack.reporting.capture.browser.type
 xpack.reporting.capture.concurrency
 xpack.reporting.capture.loadDelay
+ xpack.reporting.capture.maxAttempts
 xpack.reporting.capture.settleTime
 xpack.reporting.capture.timeout
+ xpack.reporting.capture.timeouts.openUrl
+ xpack.reporting.capture.timeouts.renderComplete
+ xpack.reporting.capture.timeouts.waitForElements
 xpack.reporting.capture.viewport.height
 xpack.reporting.capture.viewport.width
 xpack.reporting.capture.zoom
 xpack.reporting.csv.checkForFormulas
- xpack.reporting.csv.escapeFormulaValues
 xpack.reporting.csv.enablePanelActionDownload
- xpack.reporting.csv.useByteOrderMarkEncoding
+ xpack.reporting.csv.escapeFormulaValues
 xpack.reporting.csv.maxSizeBytes
 xpack.reporting.csv.scroll.duration
 xpack.reporting.csv.scroll.size
- xpack.reporting.capture.maxAttempts
- xpack.reporting.capture.timeouts.openUrl
- xpack.reporting.capture.timeouts.waitForElements
- xpack.reporting.capture.timeouts.renderComplete
+ xpack.reporting.csv.useByteOrderMarkEncoding
 xpack.reporting.enabled
 xpack.reporting.encryptionKey
 xpack.reporting.index
@@ -234,36 +258,57 @@ kibana_vars=( xpack.reporting.queue.timeout xpack.reporting.roles.allow xpack.rollup.enabled - xpack.security.audit.enabled xpack.searchprofiler.enabled - xpack.security.authProviders - xpack.security.authc.providers + xpack.security.audit.enabled + xpack.security.audit.appender.type + xpack.security.audit.appender.layout.type + xpack.security.audit.appender.layout.highlight + xpack.security.audit.appender.layout.pattern + xpack.security.audit.appender.legacyLoggingConfig + xpack.security.audit.appender.fileName + xpack.security.audit.appender.policy.type + xpack.security.audit.appender.policy.interval + xpack.security.audit.appender.policy.modulate + xpack.security.audit.appender.policy.size + xpack.security.audit.appender.strategy.type + xpack.security.audit.appender.strategy.max + xpack.security.audit.appender.strategy.pattern + xpack.security.audit.ignore_filters xpack.security.authc.oidc.realm - xpack.security.authc.saml.realm + xpack.security.authc.providers xpack.security.authc.saml.maxRedirectURLSize + xpack.security.authc.saml.realm xpack.security.authc.selector.enabled + xpack.security.authProviders xpack.security.cookieName xpack.security.enabled xpack.security.encryptionKey xpack.security.loginAssistanceMessage - xpack.security.sameSiteCookies - xpack.security.secureCookies - xpack.security.sessionTimeout - xpack.security.session.idleTimeout - xpack.security.session.lifespan - xpack.security.session.cleanupInterval xpack.security.loginAssistanceMessage xpack.security.loginHelp - xpack.security.public.protocol xpack.security.public.hostname xpack.security.public.port + xpack.security.public.protocol + xpack.security.sameSiteCookies + xpack.security.secureCookies + xpack.security.session.cleanupInterval + xpack.security.session.idleTimeout + xpack.security.session.lifespan + xpack.security.sessionTimeout xpack.spaces.enabled xpack.spaces.maxSpaces - telemetry.allowChangingOptInStatus - telemetry.enabled - telemetry.optIn - 
telemetry.optInStatusUrl - telemetry.sendUsageFrom + xpack.task_manager.enabled + xpack.task_manager.index + xpack.task_manager.max_attempts + xpack.task_manager.max_poll_inactivity_cycles + xpack.task_manager.max_workers + xpack.task_manager.monitored_aggregated_stats_refresh_rate + xpack.task_manager.monitored_stats_required_freshness + xpack.task_manager.monitored_stats_running_average_window + xpack.task_manager.monitored_task_execution_thresholds + xpack.task_manager.poll_interval + xpack.task_manager.request_capacity + xpack.task_manager.version_conflict_threshold ) longopts='' @@ -296,4 +341,4 @@ umask 0002 # Therefore, we set this value here so that cgroup statistics are # available for the container this process will run in. -exec /usr/share/kibana/bin/kibana --ops.cGroupOverrides.cpuPath=/ --ops.cGroupOverrides.cpuAcctPath=/ ${longopts} "$@" \ No newline at end of file +exec /usr/share/kibana/bin/kibana --ops.cGroupOverrides.cpuPath=/ --ops.cGroupOverrides.cpuAcctPath=/ ${longopts} "$@" diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 6355131..5f5c37c 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "elastic/kibana/kibana" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "7.11.2" +- "7.12.0" - "latest" # Build args passed to Dockerfile ARGs 
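Review bot: In the `@@ -234,36 +258,57 @@` hunk of bin/kibana-docker the new `xpack.security.audit.appender.*` entries do not follow the alphabetical order the rest of this commit establishes. `xpack.security.audit.enabled` precedes the `appender` names, and `fileName`, `layout.*`, `legacyLoggingConfig`, `policy.*` and `strategy.*` appear in an ad hoc sequence. The same hunk also leaves `xpack.security.loginAssistanceMessage` listed twice in a row. Sorting this block and dropping the duplicate would make it easier to audit which security settings the container accepts from its environment.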
@@ -23,18 +23,18 @@ labels: org.opencontainers.image.licenses: "Elastic License" org.opencontainers.image.url: "https://www.elastic.co/products/kibana" org.opencontainers.image.vendor: "Elastic" - org.opencontainers.image.version: "7.11.2" + org.opencontainers.image.version: "7.12.0" # mil.dso.ironbank.image.keywords: "" # mil.dso.ironbank.image.type: "commercial" mil.dso.ironbank.product.name: "Kibana" # List of resources to make available to the offline build context resources: -- filename: kibana-7.11.2-linux-x86_64.tar.gz - url: https://artifacts.elastic.co/downloads/kibana/kibana-7.11.2-linux-x86_64.tar.gz +- filename: kibana-7.12.0-linux-x86_64.tar.gz + url: https://artifacts.elastic.co/downloads/kibana/kibana-7.12.0-linux-x86_64.tar.gz validation: type: sha512 - value: fd757772ec7b1313882e9b89a1542c64254480d108c2d61122e22a842c0b34f4428a597e4320f9a5cea870f0571ce51cb63320848ebbf14f4338fe81e1c3c17b + value: 0b6a9596698c64a65d82cc146dad8e24118eb8991b9ed36e13f309d2e3d7af408c35358a8b39899bf2daf260ddd8d50678d437a3dba32923fe026da99a526006 - filename: tini url: https://github.com/krallin/tini/releases/download/v0.19.0/tini-amd64 validation: -- GitLab