elasticsearch: - docker-library/elasticsearch@e86bdc9: Update to 6.8.9 - docker-library/elasticsearch@b8cd81a: Update to 7.7.0 - docker-library/elasticsearch@9aaa5a0: Merge pull request docker-library/elasticsearch#192 from docker-library/github-actions - docker-library/elasticsearch@548b31c: Add initial GitHub Actions CI logstash: - docker-library/logstash@a205d9b: Update to 6.8.9 - docker-library/logstash@2b7e245: Update to 7.7.0 - docker-library/logstash@9f6a924: Merge pull request docker-library/logstash#97 from docker-library/github-actions - docker-library/logstash@53eb248: Add initial GitHub Actions CI kibana: - docker-library/kibana@5e0efc4: Update to 6.8.9 - docker-library/kibana@e3426d2: Update to 7.7.0 - docker-library/kibana@cdaa5f1: Merge pull request docker-library/kibana#92 from docker-library/github-actions - docker-library/kibana@4f3f74e: Add initial GitHub Actions CI
Diff for c5d5fce:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index 4162ea3..6346a4d 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -2,12 +2,12 @@
Maintainers: Tianon Gravi <admwiggin@gmail.com> (@tianon), Joseph Ferguson <yosifkit@gmail.com> (@yosifkit)
GitRepo: https://github.com/docker-library/elasticsearch.git
-Tags: 6.8.8
-GitCommit: 79420fbf8e7f263bc25b4ff7c592240129ecb180
+Tags: 6.8.9
+GitCommit: e86bdc93b04fedbf1e6d0754d1f54324707439ed
Directory: 6
-Tags: 7.6.2
-GitCommit: 323a9028774ff18e1e3b1d0304bdd55edc88ab80
+Tags: 7.7.0
+GitCommit: b8cd81aa48870e31970acbca7ec376953810d522
Directory: 7
@@ -15,12 +15,12 @@ Directory: 7
Maintainers: Tianon Gravi <admwiggin@gmail.com> (@tianon), Joseph Ferguson <yosifkit@gmail.com> (@yosifkit)
GitRepo: https://github.com/docker-library/kibana.git
-Tags: 6.8.8
-GitCommit: 119c1cde627beeb27df8181f313900788399442b
+Tags: 6.8.9
+GitCommit: 5e0efc4e8d90e20f0f7faefa145b9b2aebcb2c5a
Directory: 6
-Tags: 7.6.2
-GitCommit: 8e76f488b77dda7824e531450ddc08b33aae18bc
+Tags: 7.7.0
+GitCommit: e3426d2c1ba645d6e19eb0ac66d7a400fa5f3fdf
Directory: 7
@@ -28,10 +28,10 @@ Directory: 7
Maintainers: Tianon Gravi <admwiggin@gmail.com> (@tianon), Joseph Ferguson <yosifkit@gmail.com> (@yosifkit)
GitRepo: https://github.com/docker-library/logstash.git
-Tags: 6.8.8
-GitCommit: 591ffb5cdd3e61e87e582b374c9b8d72f8ee1dbe
+Tags: 6.8.9
+GitCommit: a205d9b2634606f8fe9a45ed30655acf5d3ac929
Directory: 6
-Tags: 7.6.2
-GitCommit: c75adbe14f4280d172e6e049b677215fdb225e0d
+Tags: 7.7.0
+GitCommit: 2b7e24559f1ec8105ce1f6d906eaa7b0d33775ff
Directory: 7
diff --git a/_bashbrew-list b/_bashbrew-list
index b63a2e5..85c138b 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -1,6 +1,6 @@
-elasticsearch:6.8.8
-elasticsearch:7.6.2
-kibana:6.8.8
-kibana:7.6.2
-logstash:6.8.8
-logstash:7.6.2
+elasticsearch:6.8.9
+elasticsearch:7.7.0
+kibana:6.8.9
+kibana:7.7.0
+logstash:6.8.9
+logstash:7.7.0
diff --git a/elasticsearch_7.6.2/Dockerfile b/elasticsearch_6.8.9/Dockerfile
similarity index 65%
rename from elasticsearch_7.6.2/Dockerfile
rename to elasticsearch_6.8.9/Dockerfile
index 37908fd..614c5e7 100644
--- a/elasticsearch_7.6.2/Dockerfile
+++ b/elasticsearch_6.8.9/Dockerfile
@@ -1,10 +1,10 @@
-# Elasticsearch 7.6.2
+# Elasticsearch 6.8.9
# This image re-bundles the Docker image from the upstream provider, Elastic.
-FROM docker.elastic.co/elasticsearch/elasticsearch:7.6.2@sha256:59342c577e2b7082b819654d119f42514ddf47f0699c8b54dc1f0150250ce7aa
+FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.9@sha256:593b06516f44fddcaa1078cf67fcf128b603905d2c13efe4809e9b56c6d68351
# The upstream image was built by:
-# https://github.com/elastic/dockerfiles/tree/v7.6.2/elasticsearch
+# https://github.com/elastic/dockerfiles/tree/v6.8.9/elasticsearch
# For a full list of supported images and tags visit https://www.docker.elastic.co
diff --git a/elasticsearch_6.8.8/Dockerfile b/elasticsearch_7.7.0/Dockerfile
similarity index 65%
rename from elasticsearch_6.8.8/Dockerfile
rename to elasticsearch_7.7.0/Dockerfile
index 28cda21..677facc 100644
--- a/elasticsearch_6.8.8/Dockerfile
+++ b/elasticsearch_7.7.0/Dockerfile
@@ -1,10 +1,10 @@
-# Elasticsearch 6.8.8
+# Elasticsearch 7.7.0
# This image re-bundles the Docker image from the upstream provider, Elastic.
-FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.8@sha256:0e0fd27c4e133399d8c5419141915cbf04966aa808427f21bd316fb7c5bed61f
+FROM docker.elastic.co/elasticsearch/elasticsearch:7.7.0@sha256:b4ec018c974d23a796b1d17ddec3863e4e6deff76d25f58027c45b7a697089dc
# The upstream image was built by:
-# https://github.com/elastic/dockerfiles/tree/v6.8.8/elasticsearch
+# https://github.com/elastic/dockerfiles/tree/v7.7.0/elasticsearch
# For a full list of supported images and tags visit https://www.docker.elastic.co
diff --git a/kibana_7.6.2/Dockerfile b/kibana_6.8.9/Dockerfile
similarity index 65%
rename from kibana_7.6.2/Dockerfile
rename to kibana_6.8.9/Dockerfile
index 4087bbc..c91aaa0 100644
--- a/kibana_7.6.2/Dockerfile
+++ b/kibana_6.8.9/Dockerfile
@@ -1,10 +1,10 @@
-# Kibana 7.6.2
+# Kibana 6.8.9
# This image re-bundles the Docker image from the upstream provider, Elastic.
-FROM docker.elastic.co/kibana/kibana:7.6.2@sha256:e8f3743e404462709663422056db2d5076a7a6bd6024f64aea1599b3014c63be
+FROM docker.elastic.co/kibana/kibana:6.8.9@sha256:cf376141e7f543e368055308fa0e64ffe169eb7f8097abc84ba33be4b5c904e4
# The upstream image was built by:
-# https://github.com/elastic/dockerfiles/tree/v7.6.2/kibana
+# https://github.com/elastic/dockerfiles/tree/v6.8.9/kibana
# For a full list of supported images and tags visit https://www.docker.elastic.co
diff --git a/kibana_6.8.8/Dockerfile b/kibana_7.7.0/Dockerfile
similarity index 65%
rename from kibana_6.8.8/Dockerfile
rename to kibana_7.7.0/Dockerfile
index 4df4894..d7160e4 100644
--- a/kibana_6.8.8/Dockerfile
+++ b/kibana_7.7.0/Dockerfile
@@ -1,10 +1,10 @@
-# Kibana 6.8.8
+# Kibana 7.7.0
# This image re-bundles the Docker image from the upstream provider, Elastic.
-FROM docker.elastic.co/kibana/kibana:6.8.8@sha256:385ca1bc2ebc618bf06bf94f473104cce33897ac2f1765c669379fb3b76a8faf
+FROM docker.elastic.co/kibana/kibana:7.7.0@sha256:1682e44eb728e1de2027c2cc8787d206388d9f73391928bdbfbbd24d758dd927
# The upstream image was built by:
-# https://github.com/elastic/dockerfiles/tree/v6.8.8/kibana
+# https://github.com/elastic/dockerfiles/tree/v7.7.0/kibana
# For a full list of supported images and tags visit https://www.docker.elastic.co
diff --git a/logstash_6.8.8/Dockerfile b/logstash_6.8.9/Dockerfile
similarity index 65%
rename from logstash_6.8.8/Dockerfile
rename to logstash_6.8.9/Dockerfile
index 5f1ea21..70b6c6e 100644
--- a/logstash_6.8.8/Dockerfile
+++ b/logstash_6.8.9/Dockerfile
@@ -1,10 +1,10 @@
-# Logstash 6.8.8
+# Logstash 6.8.9
# This image re-bundles the Docker image from the upstream provider, Elastic.
-FROM docker.elastic.co/logstash/logstash:6.8.8@sha256:b7746ce8f309e3c23e26e03f887f8f0bde34d353c7b10eaf84cf6ead273df62f
+FROM docker.elastic.co/logstash/logstash:6.8.9@sha256:0ed94c58fd5c706867d19a0b26d769fb9f369ee9a8391b964c39ab388605924d
# The upstream image was built by:
-# https://github.com/elastic/dockerfiles/tree/v6.8.8/logstash
+# https://github.com/elastic/dockerfiles/tree/v6.8.9/logstash
# For a full list of supported images and tags visit https://www.docker.elastic.co
diff --git a/logstash_7.6.2/Dockerfile b/logstash_7.7.0/Dockerfile
similarity index 65%
rename from logstash_7.6.2/Dockerfile
rename to logstash_7.7.0/Dockerfile
index 4472d5e..a8a1dbd 100644
--- a/logstash_7.6.2/Dockerfile
+++ b/logstash_7.7.0/Dockerfile
@@ -1,10 +1,10 @@
-# Logstash 7.6.2
+# Logstash 7.7.0
# This image re-bundles the Docker image from the upstream provider, Elastic.
-FROM docker.elastic.co/logstash/logstash:7.6.2@sha256:baed5f5bf04299994ea41881afb4d4985cb0f33427a2aef39223c75975bab60e
+FROM docker.elastic.co/logstash/logstash:7.7.0@sha256:389ba939d3ca1087929215713f811c9ce7d45e5249e3db1aaa7d8c5590b38d56
# The upstream image was built by:
-# https://github.com/elastic/dockerfiles/tree/v7.6.2/logstash
+# https://github.com/elastic/dockerfiles/tree/v7.7.0/logstash
# For a full list of supported images and tags visit https://www.docker.elastic.co
Not blockers, but a couple thoughts after review: (cc @mgreau @Conky5 @jethr0null) -COPY --chown=1000:0 bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+COPY bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+RUN chmod g=u /etc/passwd && chmod 0775 /usr/local/bin/docker-entrypoint.shInstead of this +# Ensure that there are no files with setuid or setgid, in order to mitigate "stackclash" attacks.
+RUN find / -xdev -perm -4000 -exec chmod ug-s {} +A similar concern applies here -- this creates a copy of every file/folder it touches; do the files changed here come from the base image? This is less of a concern when using $ docker pull centos:7
7: Pulling from library/centos
524b0c1e57f8: Pull complete
Digest: sha256:e9ce0b76f29f942502facd849f3e468232492b259b9d9f076f71b392293f1582
Status: Downloaded newer image for centos:7
docker.io/library/centos:7
$ docker run -it --rm centos:7
[root@aa08be3827ba /]# find / -xdev -perm -4000 -print0 | xargs -0 du -hsc
24K /usr/bin/chfn
32K /usr/bin/su
76K /usr/bin/chage
28K /usr/bin/passwd
24K /usr/bin/chsh
44K /usr/bin/newgrp
32K /usr/bin/umount
80K /usr/bin/gpasswd
44K /usr/bin/mount
60K /usr/libexec/dbus-1/dbus-daemon-launch-helper
36K /usr/sbin/unix_chkpwd
12K /usr/sbin/pam_timestamp_check
492K total(Granted, doesn't look like a terribly large layer after all, but still, that's ~500KiB that users can't ever get back, and seems like a common problem that might be worth discussing upstream. 😅) |
(We should probably also update the |
It also looks like there's some really tiny discrepancies in the published images $ diff -u <(docker run --rm docker.elastic.co/elasticsearch/elasticsearch:6.8.9 find /usr/share/elasticsearch | sort) <(docker run --rm f1d12c18b999 find /usr/share/elasticsearch | sort)
--- /dev/fd/63 2020-05-13 10:29:15.925454104 -0700
+++ /dev/fd/62 2020-05-13 10:29:15.925454104 -0700
@@ -277,6 +277,9 @@
/usr/share/elasticsearch/modules/x-pack-ml/platform/darwin-x86_64
/usr/share/elasticsearch/modules/x-pack-ml/platform/darwin-x86_64/controller.app
/usr/share/elasticsearch/modules/x-pack-ml/platform/darwin-x86_64/controller.app/Contents
+/usr/share/elasticsearch/modules/x-pack-ml/platform/darwin-x86_64/controller.app/Contents/CodeResources
+/usr/share/elasticsearch/modules/x-pack-ml/platform/darwin-x86_64/controller.app/Contents/_CodeSignature
+/usr/share/elasticsearch/modules/x-pack-ml/platform/darwin-x86_64/controller.app/Contents/_CodeSignature/CodeResources
/usr/share/elasticsearch/modules/x-pack-ml/platform/darwin-x86_64/controller.app/Contents/Info.plist
/usr/share/elasticsearch/modules/x-pack-ml/platform/darwin-x86_64/controller.app/Contents/lib
/usr/share/elasticsearch/modules/x-pack-ml/platform/darwin-x86_64/controller.app/Contents/lib/libboost_date_time-clang-darwin42-mt-1_65_1.dylibAdditionally, it looks like this new 6.8.9 image was built against an older CentOS base (from back in October) instead of the fresh update released last month, so you might want to see about adding base image pulling ( $ diff -u <(docker history --no-trunc --format '{{ .CreatedBy }}' docker.elastic.co/elasticsearch/elasticsearch:6.8.9) <(docker history --no-trunc --format '{{ .CreatedBy }}' f1d12c18b999)
...
/bin/sh -c #(nop) ENV ELASTIC_CONTAINER=true
/bin/sh -c #(nop) CMD ["/bin/bash"]
-/bin/sh -c #(nop) LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20191001
-/bin/sh -c #(nop) ADD file:45a381049c52b5664e5e911dead277b25fadbae689c0bb35be3c42dff0f2dffe in /
+/bin/sh -c #(nop) LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20200504 org.opencontainers.image.title=CentOS Base Image org.opencontainers.image.vendor=CentOS org.opencontainers.image.licenses=GPL-2.0-only org.opencontainers.image.created=2020-05-04 00:00:00+01:00
+/bin/sh -c #(nop) ADD file:38e2d2a1a0cd8694bd5086f257fdf7504f0c2481bf4f746c9bd1c8d9f3f6430d in / |
elasticsearch:
logstash:
kibana: