This commit adds a new command line option to the run task to include
plugins. The option takes in a comma separated list of plugins from the
plugins directory. For example:
```
./gradlew run --with-plugins=analysis-icu,analysis-nori
```
* Permanently switch from SecurityManager to Entitlements (#124865)
The JDK team has completely disabled the Java SecurityManager from Java 24. Elasticsearch has always used the Java SecurityManager as an additional protection mechanism; in order to retain this second line of defense, the Elasticsearch Core/Infra team has been working on the Entitlements project.
Similar to SecurityManager, Entitlements only allow calling specific methods in the JDK when the caller has a matching policy attached. In other words, if some code (in the main Elasticsearch codebase, in a plugin/module, or in a script) attempts to perform a "privileged" operation and it is not entitled to do so, a NotEntitledException will be thrown.
This PR includes the minimal set of changes to always use Entitlements, regardless of system properties or Java version.
Relates to ES-10921
* Update changelog
In case when file with `.attach_pid` in name was stored in distribution
and then deleted, the exception could stop copying/linking files
without any sign of issue. The files were then missing in the cluster
used in the test causing them sometimes to fail (depending on which
files haven't been copied).
When using `Files.walk` it is impossible to catch the IOException and
continue walking through files conditionally. It has been replaced with
FileVisitor implementation to be able to continue if the exception is
caused by files left temporarily by JVM but no longer available.
This is required to update to newer version of gradle enterprise and the gradle enterprise plugin.
(cherry picked from commit 9c19538c06)
# Conflicts:
# .ci/init.gradle
* [Gradle] Make rolling upgrade tests configuration cache compatible (#119577)
With this, all rolling upgrade tests that involve a
`nextNodeToNextVersion` update are gradle configuration cache
compatible.
Simplify API around test cluster registry and cc compatible usage of
test cluster in TestClusterAware tasks.
(cherry picked from commit 7b6bdfa323)
# Conflicts:
# qa/ccs-rolling-upgrade-remote-cluster/build.gradle
# x-pack/plugin/sql/qa/jdbc/security/build.gradle
# x-pack/plugin/sql/qa/server/security/build.gradle
* Fix backport merge issue
* Do not try to enable SecurityManager on JDK 24 (#117999)
* cleanup
* [CI] Auto commit changes from spotless
* more
* [CI] Auto commit changes from spotless
---------
Co-authored-by: Lorenzo Dematté <lorenzo.dematte@elastic.co>
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
This updates the gradle wrapper to 8.12
We addressed deprecation warnings due to the update that includes:
- Fix change in TestOutputEvent api
- Fix deprecation in groovy syntax
- Use latest ospackage plugin containing our fix
- Remove project usages at execution time
- Fix deprecated project references in repository-old-versions
(cherry picked from commit ba61f8c7f7)
This adds infrastructure to make the legacy test cluster plugin and
the legacy test cluster based test plugins generally configuration cache compatible.
(cherry picked from commit 8c20ac5884)
# Conflicts:
# qa/mixed-cluster/build.gradle
* [Build] Fix Concurrency issue in buildparams access (#117552)
Also provide caching support for buildparams provider
* Extract BuildParameterExtension public api into interface
* Make tests better readable
* Fix test flakyness
(cherry picked from commit 1b4f5eb36d)
# Conflicts:
# build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/test/rest/compat/compat/AbstractYamlRestCompatTestPlugin.java
* Ignore BuildParameterExtensionSpec for now
* Ignore BuildParameterExtensionSpec for now
replace deprecated gradle api
fix permission api usage in debian and rpm package creation
remove deprecated usage of #ProjectDependency..getDependencyProject()
improves gradle configuration cache reading in our weekly benchmark by almost 30%
* Add initial entitlement policy parsing (#114448)
This change adds entitlement policy parsing with the following design:
* YAML file for readability and re-use of our x-content parsers
* hierarchical structure to group entitlements under a single scope
* no general entitlements without a scope or for the entire project
* Avoid double instrumentation via class annotation (#115398)
* Move entitlement jars to libs (#115883)
The distribution tools are meant to be CLIs. This commit moves the
entitlements jar projects to the libs dir, under a single
libs/entitlement root directory to keep the related jars together.
* Entitlement tools: SecurityManager scanner (#116020)
* Dynamic entitlement agent (#116125)
* Refactor: treat "maybe" JVM options uniformly
* WIP
* Get entitlement running with bridge all the way through, with qualified
exports
* Cosmetic changes to SystemJvmOptions
* Disable entitlements by default
* Bridge module comments
* Fixup forbidden APIs
* spotless
* Rename EntitlementChecker
* Fixup InstrumenterTests
* exclude recursive dep
* Fix some compliance stuff
* Rename asm-provider
* Stop using bridge in InstrumenterTests
* Generalize readme for asm-provider
* InstrumenterTests doesn't need EntitlementCheckerHandle
* Better javadoc
* Call parseBoolean
* Add entitlement to internal module list
* Docs as requested by Lorenzo
* Changes from Jack
* Rename ElasticsearchEntitlementChecker
* Remove logging javadoc
* exportInitializationToAgent should reference EntitlementInitialization, not EntitlementBootstrap.
They're currently in the same module, but if that ever changes, this code would have become wrong.
* Some suggestions from Mark
---------
Co-authored-by: Ryan Ernst <ryan@iernst.net>
* Remove unused EntitlementInternals (#116473)
* Revert "Entitlement tools: SecurityManager scanner (#116020)"
This reverts commit 023fb663de.
---------
Co-authored-by: Jack Conradson <osjdconrad@gmail.com>
Co-authored-by: Lorenzo Dematté <lorenzo.dematte@elastic.co>
Co-authored-by: Ryan Ernst <ryan@iernst.net>
* [TEST] Migrated REST tests extending JsonLogsIntegTestCase (#115188)
REST tests extending JsonLogsIntegTestCase migrated to the new REST
testing framework, using 'elasticsearch.internal-java-rest-test' Gradle
plugin
Explicit handling of test single-cluster config by checking if cluster
is explicitly configured as single-node to avoid an incorrect configuration
which may cause split brain.
Replaced `ElasticsearchJavaPlugin` with `ElasticsearchJavaBasePlugin` in
`RestTestBasePlugin` for better granularity.
Additionally, updated the `DistributionDownloadPlugin` to set configurations as
non-consumable and the `InternalDistributionArchiveSetupPlugin` to mark
certain configurations as consumable. This ensures that configurations
are correctly utilized during build setup and execution phases.
(cherry picked from commit 130cc74d8a)
* Fixed DefaultSettingsProvider to use Java 17 (#116029)
It is needed to be able to backport the change to the 8.x.
Having same code for both versions can help us to avoid some merge
conflicts in the future.
* Use directory name as project name for libs (#115720)
The libs projects are configured to all begin with `elasticsearch-`.
While this is desireable for the artifacts to contain this consistent
prefix, it means the project names don't match up with their
directories. Additionally, it creates complexities for subproject naming
that must be manually adjusted.
This commit adjusts the project names for those under libs to be their
directory names. The resulting artifacts for these libs are kept the
same, all beginning with `elasticsearch-`.
* fixes
The `java.security.manager=allow` system property is required when
running tests on newer Java versions with the security manager
deprecated. As such, it should be set in our
`GradleTestPolicySetupPlugin` so that it's done for external plugin
authors.
* Fallback to bundled jdk for runtime jdk instead of build jvm
* Rework bundled jdk resolution to be lazy
* Use fixed runtime jdk for gradle build integ tests
We do not implicitly rely on all different kind of env variables when leveraging Gradle Configuration Cache
this makes reusing config cache more reliable and improves cache hits
* configure default env variables for logged exec task
* Fix antfixturestop constructor
* Make LoggedExec cc compatible (fix integtests)
* Fix spotless
We throw an error when we detect resource leaks in cluster logs but we
don't provide any indication of which cluster, or which log. This change
logs the path to the log file in question so you can investigate.
Fix incompatibility with 8.8 and our internal api usages
- Update ospackage to a version that contains a fix we provided
- Tweak build logic to avoid deprecation warnings
- Use newer permission api
- Use custom shadowplugin
- Rework ElasticsearchDistribution dependencies resolution
- Update Gradle wrapper to 8.8
We should make sure to find leaks reported by both of these, these days
our `LeakTracker` will likely be more sensitive that Netty's in some
cases since our objects refer to Netty objects and thus get collected
first.
Adding support for MDX files in our :docs project. We parse those *.mdx files
like we do for asciidoc files for code snippets and generate yaml specs from them that
we test as part of our integration tests.
By default:
When searching for doc sources in the docs folder we fail the build if we detect multiple files of
the same name but different extension. E.g. having painless-field-context.mdx
and painless-field-context.asciidoc in the same source folder will fail the build.
Migration Mode:
To allow easier migration from asciidoc to mdx the build supports a kind of migration mode.
When running the build with -Dgradle.docs.migration=true (e.g. ./gradlew buildRestTests -Dgradle.docs.migration=true)
Duplicate doc source files (asciidoc and mdx) are allowed
The Generated yaml rest specs for duplicates will have the extension *.mdx.yml or *asciidoc.yml.
The generated yaml rest specs for duplicates are compared to each other to ensure they produce the same yml output.
This commit makes zstd compression available to Elasticsearch. The
library is pulled in through maven in jar files for each platform, then
bundled in a new platform directory under lib. Access to the zstd
compression/decompression is through NativeAccess.
Sometimes subprojects are created by build tests. There exists a utility
function to define the subproject build file. Yet some tests add the
project to settings and then configure through the subprojects directive
in the root build file. This commit cleans up two such cases to use
explicit subproject build files.
On Serverless it is not possible to configure deprecation indexing (it
is always off). This commit updates the behaviour of
`ElasticsearchCluster` to no longer attempt to configure deprecation
indexing on stateless nodes.
Fixing a couple of file leaks (and cleaning up one missing
try-with-resources). The directory descriptor leaks in particular
were leaking massively on every precommit run, to the point where it
slows down the whole system and/or we're running into descriptor limits.
* Use single-char variant of String.indexOf() where possible
indexOf(char) is more efficient than searching for the same one-character String.
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* Use String.replace() instead of replaceAll() for non-regexp replacements
When arguments do not make use of regexp features replace() is a more efficient option, especially the char-variant.
Prevent invalid and miss-configuration of APM agent using an explicit allow-list of setting keys.
Additionally, configuration defaults of APMAgentSettings are consolidated in APMJvmOptions to keep defaults in a single location.
(ES-6916)
RunTaks is used by both statefull and serverless.
when --with-apm-server is used, `telemetry.metrics.enabled` is always turned to true
and server_url is set to localhost
However when --with-apm-server is NOT used, then we should disable `telemetry.metrics.enabled`
only if that setting was not explicitly used. This explicte use is for instance when
running gradlew run and configuring ES to send to ESS cluster
a follow up from https://github.com/elastic/elasticsearch/pull/101941/files#r1388403805
