From 121147746061c686a7c905fbeeb3ad73c0a4e2a3 Mon Sep 17 00:00:00 2001
From: Rene Groeschke
Date: Wed, 30 Apr 2025 15:56:24 +0200
Subject: [PATCH 1/2] Rename docker fips image to cloud-ess-fips (#127561)
(cherry picked from commit aa309515f8db580bf7c94e85f69875bdaf22a974)
# Conflicts:
# distribution/docker/cloud-ess-fips-docker-aarch64-export/build.gradle
# distribution/docker/fips-docker-aarch64-export/build.gradle
# server/src/main/java/org/elasticsearch/common/util/Countable.java
# settings.gradle
---
.../gradle/internal/DockerBase.java | 15 ++++++------
distribution/docker/build.gradle | 10 ++++----
.../build.gradle | 14 +++++++++++
.../build.gradle | 0
distribution/docker/src/docker/Dockerfile | 24 +++++++++----------
settings.gradle | 3 ++-
6 files changed, 41 insertions(+), 25 deletions(-)
create mode 100644 distribution/docker/cloud-ess-fips-docker-aarch64-export/build.gradle
rename distribution/docker/{fips-docker-export => cloud-ess-fips-docker-export}/build.gradle (100%)
diff --git a/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java b/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java
index 968a705cd3c06..c7666a3a93850 100644
--- a/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java
+++ b/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java
@@ -28,16 +28,17 @@ public enum DockerBase { "apk", "Dockerfile" ), - FIPS( - "docker.elastic.co/wolfi/chainguard-base-fips:sha256-ebfc3f1d7dba992231747a2e05ad1b859843e81b5e676ad342859d7cf9e425a7@sha256:ebfc3f1d7dba992231747a2e05ad1b859843e81b5e676ad342859d7cf9e425a7", - "-fips", - "apk", - "Dockerfile" - ), // spotless:on // Based on WOLFI above, with more extras. We don't set a base image because // we programmatically extend from the wolfi image. - CLOUD_ESS(null, "-cloud-ess", "apk", "Dockerfile.cloud-ess"),; + CLOUD_ESS(null, "-cloud-ess", "apk", "Dockerfile.cloud-ess"), + + CLOUD_ESS_FIPS( + "docker.elastic.co/wolfi/chainguard-base-fips:sha256-ebfc3f1d7dba992231747a2e05ad1b859843e81b5e676ad342859d7cf9e425a7@sha256:ebfc3f1d7dba992231747a2e05ad1b859843e81b5e676ad342859d7cf9e425a7", + "-cloud-ess-fips", + "apk", + "Dockerfile" + ); private final String image; private final String suffix;
diff --git a/distribution/docker/build.gradle b/distribution/docker/build.gradle
index ef08774c4e3d3..b52b72518039d 100644
--- a/distribution/docker/build.gradle
+++ b/distribution/docker/build.gradle
@@ -299,7 +299,7 @@ void addBuildDockerContextTask(Architecture architecture, DockerBase base, Strin filter TransformLog4jConfigFilter } } - if(base == DockerBase.FIPS) { + if(base == DockerBase.CLOUD_ESS_FIPS) { // If we're performing a release build, but `build.id` hasn't been set, we can // infer that we're not at the Docker building stage of the build, and therefore
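Review bot: `CLOUD_ESS_FIPS` is declared after the `// spotless:on` marker, whereas the removed `FIPS` constant sat before it, presumably inside a formatter-off region, so the long digest-pinned image string is now exposed to Spotless and may be rewrapped or rejected; consider moving `// spotless:on` below the new constant. The constant also sits directly under the comment saying CLOUD_ESS sets no base image and extends the wolfi image programmatically, yet it passes its own base image and the plain `Dockerfile` template rather than `Dockerfile.cloud-ess`. A short comment such as `// FIPS variant: built from the generic Dockerfile on a digest-pinned chainguard-base-fips image, not derived from CLOUD_ESS` would stop readers from assuming otherwise. The enum body continues outside the hunk.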
@@ -593,19 +593,19 @@ subprojects { Project subProject -> DockerBase base = DockerBase.DEFAULT if (subProject.name.contains('ironbank-')) { base = DockerBase.IRON_BANK - } else if (subProject.name.contains('cloud-ess-')) { + } else if (subProject.name.contains('cloud-ess-docker')) { base = DockerBase.CLOUD_ESS } else if (subProject.name.contains('wolfi-')) { base = DockerBase.WOLFI - } else if (subProject.name.contains('fips-')) { - base = DockerBase.FIPS + } else if (subProject.name.contains('cloud-ess-fips-docker')) { + base = DockerBase.CLOUD_ESS_FIPS } final String arch = architecture == Architecture.AARCH64 ? '-aarch64' : '' final String extension = (base == DockerBase.IRON_BANK ? 'ironbank.tar' : (base == DockerBase.CLOUD_ESS ? 'cloud-ess.tar' : - (base == DockerBase.FIPS ? 'fips.tar' : + (base == DockerBase.CLOUD_ESS_FIPS ? 'cloud-ess-fips.tar' : (base == DockerBase.WOLFI ? 'wolfi.tar' : 'docker.tar')))) final String artifactName = "elasticsearch${arch}${base.suffix}_test"
diff --git a/distribution/docker/cloud-ess-fips-docker-aarch64-export/build.gradle b/distribution/docker/cloud-ess-fips-docker-aarch64-export/build.gradle
new file mode 100644
index 0000000000000..27ac9cd0c938c
--- /dev/null
+++ b/distribution/docker/cloud-ess-fips-docker-aarch64-export/build.gradle
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.common.util;
+
+public interface Countable {
+ int size();
+}
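Review bot: The base selection in the `subprojects` block still relies on `String.contains` with hand-tuned substrings (`'cloud-ess-docker'`, `'cloud-ess-fips-docker'`), and a project name that matches none of them silently keeps `DockerBase.DEFAULT`. For the FIPS export this means a later rename or typo would yield an artifact built from a non-FIPS base with no build error. Matching on the prefix, for example `} else if (subProject.name.startsWith('cloud-ess-fips-docker')) {`, and testing the FIPS branch before the plain cloud-ess one would make the mapping independent of how the substrings happen to overlap. The block starts and ends outside the hunk.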
diff --git a/distribution/docker/fips-docker-export/build.gradle b/distribution/docker/cloud-ess-fips-docker-export/build.gradle
similarity index 100%
rename from distribution/docker/fips-docker-export/build.gradle
rename to distribution/docker/cloud-ess-fips-docker-export/build.gradle
diff --git a/distribution/docker/src/docker/Dockerfile b/distribution/docker/src/docker/Dockerfile
index bd004ac0c2d48..7c077d5dbc018 100644
--- a/distribution/docker/src/docker/Dockerfile
+++ b/distribution/docker/src/docker/Dockerfile
@@ -41,7 +41,7 @@ RUN chmod 0555 /bin/tini <% } else { %> # Install required packages to extract the Elasticsearch distribution -<% if (docker_base == "wolfi" || docker_base == "fips") { %> +<% if (docker_base == "wolfi" || docker_base == "cloud_ess_fips") { %> RUN <%= retry.loop(package_manager, "export DEBIAN_FRONTEND=noninteractive && ${package_manager} update && ${package_manager} update && ${package_manager} add --no-cache curl") %> <% } else { %> RUN <%= retry.loop(package_manager, "${package_manager} install -y findutils tar gzip") %>
@@ -115,7 +115,7 @@ RUN sed -i -e 's/ES_DISTRIBUTION_TYPE=tar/ES_DISTRIBUTION_TYPE=docker/' bin/elas chmod 0775 bin config config/jvm.options.d data logs plugins && \\ find config -type f -exec chmod 0664 {} + -<% if (docker_base == "fips") { %> +<% if (docker_base == "cloud_ess_fips") { %> # Add plugins infrastructure RUN mkdir -p /opt/plugins/archive
@@ -179,7 +179,7 @@ RUN ${package_manager} update --setopt=tsflags=nodocs -y && \\ nc shadow-utils zip findutils unzip procps-ng && \\ ${package_manager} clean all -<% } else if (docker_base == "wolfi" || docker_base == "fips") { %> +<% } else if (docker_base == "wolfi" || docker_base == "cloud_ess_fips") { %> RUN <%= retry.loop(package_manager, "export DEBIAN_FRONTEND=noninteractive && \n" + " ${package_manager} update && \n" +
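Review bot: The literal `"cloud_ess_fips"` is now repeated in every template condition that concerns the FIPS image (the hunk at -41 and those at -115, -179, -208, -219, -249, -292 and -312), and a mismatch with the value passed in as `docker_base` fails silently: the template takes the `else` branches, using the non-apk package commands and skipping the `/fips/libs` jars. How `docker_base` is derived is not visible here; presumably it follows the enum constant's name, which is what couples this rename to `DockerBase`. Computing the flags once near the top of the template, for example `<% def isFips = docker_base == "cloud_ess_fips"; def isApkBase = docker_base == "wolfi" || isFips %>`, would leave a single place to change. The quoting is also inconsistent, since the conditions at -249 and -312 use single quotes while the others use double quotes.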
@@ -208,7 +208,7 @@ RUN <%= retry.loop( <% } %> -<% if (docker_base == "wolfi" || docker_base == "fips") { %> +<% if (docker_base == "wolfi" || docker_base == "cloud_ess_fips") { %> RUN groupadd -g 1000 elasticsearch && \ adduser -G elasticsearch -u 1000 elasticsearch -D --home /usr/share/elasticsearch elasticsearch && \ adduser elasticsearch root && \
@@ -219,17 +219,17 @@ RUN groupadd -g 1000 elasticsearch && \\ chown -R 0:0 /usr/share/elasticsearch <% } %> -ENV ELASTIC_CONTAINER true +ENV ELASTIC_CONTAINER=true WORKDIR /usr/share/elasticsearch COPY --from=builder --chown=0:0 /usr/share/elasticsearch /usr/share/elasticsearch -<% if (docker_base != "wolfi" && docker_base != "fips") { %> +<% if (docker_base != "wolfi" && docker_base != "cloud_ess_fips") { %> COPY --from=builder --chown=0:0 /bin/tini /bin/tini <% } %> -ENV PATH /usr/share/elasticsearch/bin:\$PATH -ENV SHELL /bin/bash +ENV PATH=/usr/share/elasticsearch/bin:\$PATH +ENV SHELL=/bin/bash COPY ${bin_dir}/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh # 1. Sync the user and group permissions of /etc/passwd
@@ -249,7 +249,7 @@ RUN chmod g=u /etc/passwd && \\ chmod 0775 /usr/share/elasticsearch && \\ chown elasticsearch bin config config/jvm.options.d data logs plugins -<% if (docker_base == 'wolfi' || docker_base == "fips") { %> +<% if (docker_base == 'wolfi' || docker_base == "cloud_ess_fips") { %> RUN ln -sf /etc/ssl/certs/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts <% } else { %> RUN ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts
@@ -292,7 +292,7 @@ RUN mkdir /licenses && ln LICENSE.txt /licenses/LICENSE COPY LICENSE /licenses/LICENSE.addendum <% } %> -<% if (docker_base == "wolfi" || docker_base == "fips") { %> +<% if (docker_base == "wolfi" || docker_base == "cloud_ess_fips") { %> # Our actual entrypoint is `tini`, a minimal but functional init program. It # calls the entrypoint we provide, while correctly forwarding signals. ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
@@ -312,9 +312,9 @@ USER 1000:0 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 http://localhost:9200 || exit 1 <% } %> -<% if (docker_base == 'fips') { %> +<% if (docker_base == 'cloud_ess_fips') { %> COPY --from=builder --chown=0:0 /opt /opt -ENV ES_PLUGIN_ARCHIVE_DIR /opt/plugins/archive +ENV ES_PLUGIN_ARCHIVE_DIR=/opt/plugins/archive WORKDIR /usr/share/elasticsearch COPY --from=builder --chown=0:0 /fips/libs/*.jar /usr/share/elasticsearch/lib/ <% } %>
diff --git a/settings.gradle b/settings.gradle
index 1e7705fea6c9e..4d26960cf932c 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -70,7 +70,8 @@ List projects = [
 'distribution:docker:ironbank-docker-export',
 'distribution:docker:wolfi-docker-aarch64-export',
 'distribution:docker:wolfi-docker-export',
- 'distribution:docker:fips-docker-export',
+ 'distribution:docker:cloud-ess-fips-docker-export',
+ 'distribution:docker:cloud-ess-fips-docker-aarch64-export',
 'distribution:packages:aarch64-deb',
 'distribution:packages:deb',
 'distribution:packages:aarch64-rpm',
From 2128bb2f1acc21cad1a65c0812709620e60926b5 Mon Sep 17 00:00:00 2001
From: Rene Groeschke
Date: Tue, 20 May 2025 10:10:30 +0200
Subject: [PATCH 2/2] Fix backport merge
---
.../cloud-ess-fips-docker-aarch64-export/build.gradle | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
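Review bot: In the FIPS-only block of the hunk at -312, `COPY --from=builder --chown=0:0 /fips/libs/*.jar /usr/share/elasticsearch/lib/` copies whatever jars the builder stage left in `/fips/libs` into the distribution's `lib/` directory, and nothing in the visible hunks says which jars are expected or how they are verified. How the builder stage obtains them is outside this diff, so this may already be handled there. A comment above the COPY that names the expected artifacts and points to the step that checks their checksums would make the FIPS image easier to audit.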
diff --git a/distribution/docker/cloud-ess-fips-docker-aarch64-export/build.gradle b/distribution/docker/cloud-ess-fips-docker-aarch64-export/build.gradle
index 27ac9cd0c938c..44f22809bae50 100644
--- a/distribution/docker/cloud-ess-fips-docker-aarch64-export/build.gradle
+++ b/distribution/docker/cloud-ess-fips-docker-aarch64-export/build.gradle
@@ -5,10 +5,4 @@
 * Public License v 1"; you may not use this file except in compliance with, at
 * your election, the "Elastic License 2.0", the "GNU Affero General Public
 * License v3.0 only", or the "Server Side Public License, v 1".
- */
-
-package org.elasticsearch.common.util;
-
-public interface Countable {
- int size();
-}
+ */
\ No newline at end of file
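Review bot: After this fix the file ends at the license comment's closing `*/` with no trailing newline, as the `\ No newline at end of file` marker shows; ending the file with a newline avoids a spurious diff the next time it is touched. The file is also comment-only now, and the first patch shows the export projects being configured by name from the `subprojects` block in `distribution/docker/build.gradle`. A one-line comment such as `// This file is intentionally blank. All configuration of the export is done in the parent project.` would tell a reader that the empty script is deliberate.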