hitachienergy · seriva · Dec 30, 2021 · Dec 20, 2021 · Dec 21, 2021 · Dec 21, 2021
diff --git a/ansible/playbooks/roles/opendistro_for_elasticsearch/defaults/main.yml b/ansible/playbooks/roles/opendistro_for_elasticsearch/defaults/main.yml
@@ -60,3 +60,4 @@ certificates:
 ports:
   http:      9200  # defaults to range but we want static port
   transport: 9300  # defaults to range but we want static port
+log4j_file_name: apache-log4j-2.17.0-bin.tar.gz
diff --git a/ansible/playbooks/roles/opendistro_for_elasticsearch/meta/main.yml b/ansible/playbooks/roles/opendistro_for_elasticsearch/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: preflight_facts
diff --git a/ansible/playbooks/roles/opendistro_for_elasticsearch/tasks/configure-es.yml b/ansible/playbooks/roles/opendistro_for_elasticsearch/tasks/configure-es.yml
@@ -102,20 +102,24 @@
 # For apply mode, demo certificate files are removed based only on their names. For upgrade mode,
 # public key fingerprints are checked to protect against unintentional deletion (what takes additional time).
 
-# Remove demo certificate files
-- include_tasks:
+- name: Remove demo certificate files
+  include_tasks:
     file: "{{ is_upgrade_run | ternary('remove-known-demo-certs.yml', 'remove-demo-certs.yml') }}"
   when: not certificates.files.demo.opendistro_security.allow_unsafe_democertificates
 
+- name: Include log4j patch
+  include_tasks: log4j-patch.yml
+
 - name: Restart elasticsearch service
   systemd:
     name: elasticsearch
     state: restarted
   register: restart_elasticsearch
   when: change_config.changed
-     or change_jvm_config.changed
-     or install_elasticsearch_package.changed
-     or (install_opendistro_packages is defined and install_opendistro_packages.changed)
+    or log4j_patch.changed
+    or change_jvm_config.changed
+    or install_elasticsearch_package.changed
+    or (install_opendistro_packages is defined and install_opendistro_packages.changed)
 
 - name: Enable and start elasticsearch service
   systemd:

diff --git a/ansible/playbooks/roles/opendistro_for_elasticsearch/tasks/log4j-patch.yml b/ansible/playbooks/roles/opendistro_for_elasticsearch/tasks/log4j-patch.yml
@@ -0,0 +1,68 @@
+
+- name: Log4j patch
+  block:
+    - name: "opendistro_for_elasticsearch : Log4j patch - get archive"
+      include_role:
+        name: download
+        tasks_from: download_file
+      vars:
+        file_name: "{{ log4j_file_name }}"
+
+    - name: Log4j patch - extract archive
+      unarchive:
+        dest: /tmp/
+        src: "{{ download_directory }}/{{ log4j_file_name }}"
+        remote_src: true
+        list_files: true
+      register: unarchive_list_files
+
+    - name: Log4j patch - Copy new jars
+      register: log4j_patch
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        owner: elasticsearch
+        group: root
+        mode: u=rw,g=r,o=
+        remote_src: true
+      loop:
+        - { src: "{{ download_directory }}/{{ log4j_api }}",       dest: /usr/share/elasticsearch/lib/ }
+        - { src: "{{ download_directory }}/{{ log4j_api }}",       dest: /usr/share/elasticsearch/performance-analyzer-rca/lib/ }
+        - { src: "{{ download_directory }}/{{ log4j_api }}",       dest: /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/ }
+        - { src: "{{ download_directory }}/{{ log4j_core }}",      dest: /usr/share/elasticsearch/lib/ }
+        - { src: "{{ download_directory }}/{{ log4j_core }}",      dest: /usr/share/elasticsearch/performance-analyzer-rca/lib/ }
+        - { src: "{{ download_directory }}/{{ log4j_core }}",      dest: /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/ }
+        - { src: "{{ download_directory }}/{{ log4j_slfj_impl }}", dest: /usr/share/elasticsearch/plugins/opendistro_security/ }
+      vars:
+        log4j_core: "{{ unarchive_list_files.files | select('contains', 'log4j-api-2.17.0.jar') | first }}"
+        log4j_api: "{{ unarchive_list_files.files | select('contains', 'log4j-core-2.17.0.jar') | first }}"
+        log4j_slfj_impl: "{{ unarchive_list_files.files | select('contains', 'log4j-slf4j-impl-2.17.0.jar') | first }}"
+
+    - name: Log4j patch - cleanup
+      block:
+      - name: Log4j patch - remove old jars
+        file:
+          state: absent
+          path: "{{ item }}"
+        loop:
+          - /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.13.0.jar
+          - /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.13.0.jar
+          - /usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.13.0.jar
+          - /usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.13.0.jar
+          - /usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
+          - /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
+          - /usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.11.1.jar
+
+      - name: Log4j patch - Delete temporary dir
+        file:
+          dest: "{{ download_directory }}/{{ _archive_root_dir }}"
+          state: absent
+        vars:
+          _archive_root_dir: >-
+            {{ unarchive_list_files.files | first | dirname }}
+
+- name: Restart opendistro-performance-analyzer service
+  systemd:
+    name: opendistro-performance-analyzer
+    state: restarted
+  when: log4j_patch.changed
diff --git a/.../playbooks/roles/repository/files/download-requirements/centos-7/requirements.aarch64.txt b/.../playbooks/roles/repository/files/download-requirements/centos-7/requirements.aarch64.txt
@@ -165,6 +165,7 @@ https://archive.apache.org/dist/ignite/2.9.1/apache-ignite-2.9.1-bin.zip
 https://releases.hashicorp.com/vault/1.7.0/vault_1.7.0_linux_arm64.zip
 https://get.helm.sh/helm-v3.2.0-linux-arm64.tar.gz
 https://github.com/hashicorp/vault-helm/archive/v0.11.0.tar.gz
+https://dlcdn.apache.org/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.tar.gz
 # --- Helm charts ---
 https://charts.bitnami.com/bitnami/node-exporter-1.1.2.tgz
 https://helm.elastic.co/helm/filebeat/filebeat-7.9.2.tgz

diff --git a/...e/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt b/...e/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt
@@ -166,6 +166,7 @@ https://archive.apache.org/dist/ignite/2.9.1/apache-ignite-2.9.1-bin.zip
 https://releases.hashicorp.com/vault/1.7.0/vault_1.7.0_linux_amd64.zip
 https://get.helm.sh/helm-v3.2.0-linux-amd64.tar.gz
 https://github.com/hashicorp/vault-helm/archive/v0.11.0.tar.gz
+https://dlcdn.apache.org/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.tar.gz
 # --- Helm charts ---
 https://helm.elastic.co/helm/filebeat/filebeat-7.9.2.tgz
 https://charts.bitnami.com/bitnami/node-exporter-1.1.2.tgz

diff --git a/...e/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt b/...e/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt
@@ -162,6 +162,7 @@ https://archive.apache.org/dist/ignite/2.9.1/apache-ignite-2.9.1-bin.zip
 https://releases.hashicorp.com/vault/1.7.0/vault_1.7.0_linux_amd64.zip
 https://get.helm.sh/helm-v3.2.0-linux-amd64.tar.gz
 https://github.com/hashicorp/vault-helm/archive/v0.11.0.tar.gz
+https://dlcdn.apache.org/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.tar.gz
 # --- Helm charts ---
 https://helm.elastic.co/helm/filebeat/filebeat-7.9.2.tgz
 https://charts.bitnami.com/bitnami/node-exporter-1.1.2.tgz

diff --git a/...aybooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.x86_64.txt b/...aybooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.x86_64.txt
@@ -225,6 +225,7 @@ https://archive.apache.org/dist/ignite/2.9.1/apache-ignite-2.9.1-bin.zip
 https://releases.hashicorp.com/vault/1.7.0/vault_1.7.0_linux_amd64.zip
 https://get.helm.sh/helm-v3.2.0-linux-amd64.tar.gz
 https://github.com/hashicorp/vault-helm/archive/v0.11.0.tar.gz
+https://dlcdn.apache.org/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.tar.gz
 # --- Helm charts ---
 https://charts.bitnami.com/bitnami/node-exporter-1.1.2.tgz
 https://helm.elastic.co/helm/filebeat/filebeat-7.9.2.tgz

diff --git a/ansible/playbooks/roles/upgrade/tasks/opendistro_for_elasticsearch-01.yml b/ansible/playbooks/roles/upgrade/tasks/opendistro_for_elasticsearch-01.yml
@@ -15,6 +15,19 @@
     file: roles/opendistro_for_elasticsearch/defaults/main.yml
     name: odfe_defaults
 
+- name: ODFE | Log4j patch
+  include_role:
+    name: opendistro_for_elasticsearch
+    tasks_from: log4j-patch
+  when: odfe_defaults.log4j_file_name is defined
+
+- name: Restart elasticsearch service
+  systemd:
+    name: elasticsearch
+    state: restarted
+  register: restart_elasticsearch
+  when: odfe_defaults.log4j_file_name is defined and log4j_patch.changed
+
 - name: ODFE | Print elasticsearch-oss versions
   debug:
     msg:

diff --git a/docs/changelogs/CHANGELOG-1.3.md b/docs/changelogs/CHANGELOG-1.3.md
@@ -48,6 +48,8 @@
 - [#2748](https://github.com/epiphany-platform/epiphany/issues/2748) - Upgrade Kafka exporter to the version 1.4.2
 - [#2750](https://github.com/epiphany-platform/epiphany/issues/2750) - Upgrade JMX exporter to the newest version
 - [#2699](https://github.com/epiphany-platform/epiphany/issues/2699) - Upgrade Grafana to 8.3.2
+- [#2788](https://github.com/epiphany-platform/epiphany/issues/2788) - Upgrade Log4j in Open Distro for Elasticsearch
+
 
 ### Removed