From f02a0bf92196d061494335fe946fd313125ed1ce Mon Sep 17 00:00:00 2001
From: Phil Budne <phil@regressive.org>
Date: Sat, 22 Feb 2025 17:51:57 -0500
Subject: [PATCH 1/5] change "include: elasticsearch-security-file.yml" to
 "include_tasks:"

---
 tasks/xpack/security/elasticsearch-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml
index 4d32daaa..8591a364 100644
--- a/tasks/xpack/security/elasticsearch-security.yml
+++ b/tasks/xpack/security/elasticsearch-security.yml
@@ -64,7 +64,7 @@
 
 #-----------------------------FILE BASED REALM----------------------------------------
 
-- include: elasticsearch-security-file.yml
+- include_tasks: elasticsearch-security-file.yml
   when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)
 
 #-----------------------------ROLE MAPPING ----------------------------------------
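Review bot: The dynamic `include_tasks` on the file-realm include is only resolved at run time, so tags on tasks inside elasticsearch-security-file.yml are not known when the play is parsed. A run limited with `--tags` would skip this include, and with it file-realm user and role management, unless the include line itself carries a matching tag. Whether the included file relies on tags is not visible in this hunk. If it does, `- import_tasks: elasticsearch-security-file.yml` (the form tasks/main.yml already uses) keeps it static, or add `tags:` to the include.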

From f3a67070b1ae6750f409d998df6431e4e89decf1 Mon Sep 17 00:00:00 2001
From: Phil Budne <phil@regressive.org>
Date: Wed, 4 Jun 2025 22:25:29 -0400
Subject: [PATCH 2/5] update/replace README.md

---
 README.md | 530 +-----------------------------------------------------
 1 file changed, 6 insertions(+), 524 deletions(-)

diff --git a/README.md b/README.md
index 02848f72..a17771ef 100644
--- a/README.md
+++ b/README.md
@@ -1,527 +1,9 @@
-# ansible-elasticsearch
-[![Build Status](https://img.shields.io/jenkins/s/https/devops-ci.elastic.co/job/elastic+ansible-elasticsearch+main.svg)](https://devops-ci.elastic.co/job/elastic+ansible-elasticsearch+main/)
-[![Ansible Galaxy](https://img.shields.io/badge/ansible--galaxy-elastic.elasticsearch-blue.svg)](https://galaxy.ansible.com/elastic/elasticsearch/)
+# NOTE!
 
-⚠️ **This Ansible role is being deprecated and will not be updated to support Elasticsearch 8.0.0 and the following versions.**
+This is a fork (with some Ubuntu fixes) of a fork (with ES 8.x
+support) of the old elastic supplied ansible role.
 
-**THIS ROLE IS FOR 7.x & 6.x**
+It has been kept in its original form in case upstream fixes become
+available, and to avoid any temptation to improve it.
 
-Ansible role for 7.x/6.x Elasticsearch.  Currently this works on Debian and RedHat based linux systems. Tested platforms are:
-
-* Ubuntu 16.04
-* Ubuntu 18.04
-* Ubuntu 20.04
-* Debian 8
-* Debian 9
-* Debian 10
-* CentOS 7
-* Amazon Linux 2
-
-The latest Elasticsearch versions of 7.x & 6.x are actively tested.
-
-## BREAKING CHANGES
-
-### Notice about multi-instance support
-
-* If you use only one instance but want to upgrade from an older ansible-elasticsearch version, follow [upgrade procedure](https://github.com/elastic/ansible-elasticsearch/blob/main/docs/multi-instance.md#upgrade-procedure)
-* If you install more than one instance of Elasticsearch on the same host (with different ports, directory and config files), **do not update to ansible-elasticsearch >= 7.1.1**, please follow this [workaround](https://github.com/elastic/ansible-elasticsearch/blob/main/docs/multi-instance.md#workaround) instead.
-* For multi-instances use cases, we are now recommending Docker containers using our official images (https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html).
-
-### Removing the MAX_THREAD settings
-
-Ansible-elasticsearch 7.5.2 is removing the option to customize the maximum number of threads the process can start in [#637](https://github.com/elastic/ansible-elasticsearch/pull/637/files#diff-04c6e90faac2675aa89e2176d2eec7d8L408).
-We discovered that this option wasn't working anymore since multi-instance support removal in ansible-elasticsearch 7.1.1.
-This option will be added back in a following release if it's still relevant regarding latest Elasticsearch evolutions.
-
-### Changes about configuration files
-
-Ansible-elasticsearch 7.5.2 is updating the configuration files provided by this role in [#637](https://github.com/elastic/ansible-elasticsearch/pull/637) which contained some options deprecated in 6.x and 7.x:
-- `/etc/default/elasticsearch`|`/etc/sysconfig/elasticsearch`: the new template reflect the configuration file provided by Elasticsearch >= 6.x, the parameters we removed were already not used in 6.x and 7.x
-- `/etc/elasticsearch/jvm.options`: the new template reflect the configuration files provided by Elasticsearch >= 6.x
-- `/etc/elasticsearch/log4j2.properties`:
-  - We removed `log4j2.properties.j2` template from this Ansible role as it was a static file not bringing any customization specific to some ansible variable.
-  - Deployment of this Ansible role on new servers will get the default `log4j2.properties` provided by Elasticsearch without any override.
-  - **WARNING**: For upgrade scenarios where this file was already managed by previous versions of ansible-elasticsearch, this file will become unmanaged and won't be updated by default. If you wish to update it to 7.5 version, you can retrieve it [here](https://github.com/elastic/elasticsearch/blob/7.5/distribution/src/config/log4j2.properties) and use this file with `es_config_log4j2` Ansible variable (see below).
-
-### Removing OSS distribution for versions >= 7.11.0
-
-Starting from Elasticsearch 7.11.0, OSS distributions will no longer be provided following the recent Elasticsearch license change.
-
-This Ansible role will fail if `oss_version` is set to `true` and `es_version` is greater than 
-`7.11.0`.
-
-See [Doubling down on open, Part II](https://www.elastic.co/blog/licensing-change)
-blog post for more details.
-
-#### How to override configuration files provided by ansible-elasticsearch?
-
-You can now override the configuration files with your own versions by using the following Ansible variables:
-- `es_config_default: "elasticsearch.j2"`: replace `elasticsearch.j2` by your own template to use a custom `/etc/default/elasticsearch`|`/etc/sysconfig/elasticsearch` configuration file
-- `es_config_jvm: "jvm.options.j2"`: replace `jvm.options.j2` by your own template to use a custom `/etc/elasticsearch/jvm.options` configuration file
-- `es_config_log4j2: ""`: set this variable to the path of your own template to use a custom `/etc/elasticsearch/log4j2.properties` configuration file
-
-## Dependency
-
-This role uses the json_query filter which [requires jmespath](https://github.com/ansible/ansible/issues/24319) on the local machine.
-
-## Usage
-
-Create your Ansible playbook with your own tasks, and include the role elasticsearch. You will have to have this repository accessible within the context of playbook.
-
-```sh
-ansible-galaxy install elastic.elasticsearch,v7.17.0
-```
-
-Then create your playbook yaml adding the role elasticsearch.
-The application of the elasticsearch role results in the installation of a node on a host.
-
-The simplest configuration therefore consists of:
-
-```yaml
-- name: Simple Example
-  hosts: localhost
-  roles:
-    - role: elastic.elasticsearch
-  vars:
-    es_version: 7.17.0
-```
-
-The above installs Elasticsearch 7.17.0 in a single node 'node1' on the hosts 'localhost'.
-
-**Note**:
-Elasticsearch default version is described in [`es_version`](https://github.com/elastic/ansible-elasticsearch/blob/main/defaults/main.yml#L2). You can override this variable in your playbook to install another version.
-While we are testing this role only with one 7.x and one 6.x version (respectively [7.17.0](https://github.com/elastic/ansible-elasticsearch/blob/main/defaults/main.yml#L2) and [6.8.23](https://github.com/elastic/ansible-elasticsearch/blob/main/.kitchen.yml#L22) at the time of writing), this role should work with other versions also in most cases.
-
-This role also uses [Ansible tags](https://docs.ansible.com/ansible/2.9/user_guide/playbooks_tags.html). Run your playbook with the `--list-tasks` flag for more information.
-
-## Testing
-
-This playbook uses [Kitchen](https://kitchen.ci/) for CI and local testing.
-
-### Requirements
-
-* Ruby
-* Bundler
-* Docker
-* Make
-
-### Running the tests
-
-* Ensure you have checked out this repository to `elasticsearch`, not `ansible-elasticsearch`.
-* If you don't have a Gold or Platinum license to test with you can run the trial versions of the `xpack-upgrade` suites by appending `-trial` to the `PATTERN` variable.
-* You may need to explicitly specify `VERSION=7.x` if some suites are failing.
-
-Install the ruby dependencies with bundler
-
-```sh
-make setup
-```
-
-If you want to test X-Pack features with a license you will first need to export the `ES_XPACK_LICENSE_FILE` variable.
-```sh
-export ES_XPACK_LICENSE_FILE="$(pwd)/license.json"
-```
-
-To converge an Ubuntu 16.04 host running X-Pack
-```sh
-$ make converge
-```
-
-To run the tests
-```sh
-$ make verify
-```
-
-To list all of the different test suits
-```sh
-$ make list
-```
-
-The default test suite is Ubuntu 16.04 with X-Pack. If you want to test another suite you can override this with the `PATTERN` variable
-```sh
-$ make converge PATTERN=security-centos-7
-```
-
-The `PATTERN` is a kitchen pattern which can match multiple suites. To run all tests for CentOS
-```sh
-$ make converge PATTERN=centos-7
-```
-
-The default version is 7.x. If you want to test 6.x you can override it with the `VERSION` variable, for example:
-```sh
-$ make converge VERSION=6.x PATTERN=security-centos-7
-```
-
-When you are finished testing you can clean up everything with
-```sh
-$ make destroy-all
-```
-
-### Basic Elasticsearch Configuration
-
-All Elasticsearch configuration parameters are supported.  This is achieved using a configuration map parameter 'es_config' which is serialized into the elasticsearch.yml file.
-The use of a map ensures the Ansible playbook does not need to be updated to reflect new/deprecated/plugin configuration parameters.
-
-In addition to the es_config map, several other parameters are supported for additional functions e.g. script installation.  These can be found in the role's defaults/main.yml file.
-
-The following illustrates applying configuration parameters to an Elasticsearch instance.
-
-```yaml
-- name: Elasticsearch with custom configuration
-  hosts: localhost
-  roles:
-    - role: elastic.elasticsearch
-  vars:
-    es_data_dirs:
-      - "/opt/elasticsearch/data"
-    es_log_dir: "/opt/elasticsearch/logs"
-    es_config:
-      node.name: "node1"
-      cluster.name: "custom-cluster"
-      discovery.seed_hosts: "localhost:9301"
-      http.port: 9201
-      transport.port: 9301
-      node.data: false
-      node.master: true
-      bootstrap.memory_lock: true
-    es_heap_size: 1g
-    es_api_port: 9201
-```
-
-Whilst the role installs Elasticsearch with the default configuration parameters, the following should be configured to ensure a cluster successfully forms:
-
-* ```es_config['http.port']``` - the http port for the node
-* ```es_config['transport.port']``` - the transport port for the node
-* ```es_config['discovery.seed_hosts']``` - the unicast discovery list, in the comma separated format ```"<host>:<port>,<host>:<port>"``` (typically the clusters dedicated masters)
-* ```es_config['cluster.initial_master_nodes']``` - for 7.x and above the list of master-eligible nodes to boostrap the cluster, in the comma separated format ```"<node.name>:<port>,<node.name>:<port>"``` (typically the node names of the clusters dedicated masters)
-* ```es_config['network.host']``` - sets both network.bind_host and network.publish_host to the same host value. The network.bind_host setting allows to control the host different network components will bind on.
-
-The `network.publish_host` setting allows to control the host the node will publish itself within the cluster so other nodes will be able to connect to it.
-
-See https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html for further details on default binding behavior and available options.
-The role makes no attempt to enforce the setting of these are requires users to specify them appropriately.  It is recommended master nodes are listed and thus deployed first where possible.
-
-A more complex example:
-
-```yaml
-- name: Elasticsearch with custom configuration
-  hosts: localhost
-  roles:
-    - role: elastic.elasticsearch
-  vars:
-    es_data_dirs:
-      - "/opt/elasticsearch/data"
-    es_log_dir: "/opt/elasticsearch/logs"
-    es_config:
-      node.name: "node1"
-      cluster.name: "custom-cluster"
-      discovery.seed_hosts: "localhost:9301"
-      http.port: 9201
-      transport.port: 9301
-      node.data: false
-      node.master: true
-      bootstrap.memory_lock: true
-    es_heap_size: 1g
-    es_start_service: false
-    es_api_port: 9201
-    es_plugins:
-      - plugin: ingest-attachment
-```
-
-#### Important Notes
-
-**The role uses es_api_host and es_api_port to communicate with the node for actions only achievable via http e.g. to install templates and to check the NODE IS ACTIVE.  These default to "localhost" and 9200 respectively.
-If the node is deployed to bind on either a different host or port, these must be changed.**
-
-**Only use es_data_dirs and es_log_dir for customizing the data and log dirs respectively. When using together with `es_config['path.data']` and `es_config['path.logs']` it would result in generating duplicate data- and logs-keys in `elasticsearch.yml` and thus let fail to start elasticsearch.**
-
-### Multi Node Server Installations
-
-The application of the elasticsearch role results in the installation of a node on a host. Specifying the role multiple times for a host therefore results in the installation of multiple nodes for the host.
-
-An example of a three server deployment is shown below.  The first server holds the master and is thus declared first.  Whilst not mandatory, this is recommended in any multi node cluster configuration.  The two others servers hosts data nodes.
-
-**Note that we do not support anymore installation of more than one node in the same host**
-
-```yaml
-- hosts: master_node
-  roles:
-    - role: elastic.elasticsearch
-  vars:
-    es_heap_size: "1g"
-    es_config:
-      cluster.name: "test-cluster"
-      cluster.initial_master_nodes: "elastic02"
-      discovery.seed_hosts: "elastic02:9300"
-      http.host: 0.0.0.0
-      http.port: 9200
-      node.data: false
-      node.master: true
-      transport.host: 0.0.0.0
-      transport.port: 9300
-      bootstrap.memory_lock: false
-    es_plugins:
-     - plugin: ingest-attachment
-
-- hosts: data_node_1
-  roles:
-    - role: elastic.elasticsearch
-  vars:
-    es_data_dirs:
-      - "/opt/elasticsearch"
-    es_config:
-      cluster.name: "test-cluster"
-      cluster.initial_master_nodes: "elastic02"
-      discovery.seed_hosts: "elastic02:9300"
-      http.host: 0.0.0.0
-      http.port: 9200
-      node.data: true
-      node.master: false
-      transport.host: 0.0.0.0
-      transport.port: 9300
-      bootstrap.memory_lock: false
-    es_plugins:
-      - plugin: ingest-attachment
-
-- hosts: data_node_2
-  roles:
-    - role: elastic.elasticsearch
-  vars:
-    es_config:
-      cluster.name: "test-cluster"
-      discovery.seed_hosts: "elastic02:9300"
-      http.host: 0.0.0.0
-      http.port: 9200
-      node.data: true
-      node.master: false
-      transport.host: 0.0.0.0
-      transport.port: 9300
-      bootstrap.memory_lock: false
-    es_plugins:
-      - plugin: ingest-attachment
-```
-
-Parameters can additionally be assigned to hosts using the inventory file if desired.
-
-Make sure your hosts are defined in your ```inventory``` file with the appropriate ```ansible_ssh_host```,  ```ansible_ssh_user``` and ```ansible_ssh_private_key_file``` values.
-
-Then run it:
-
-```sh
-ansible-playbook -i hosts ./your-playbook.yml
-```
-
-### Installing X-Pack Features
-
-* ```es_role_mapping``` Role mappings file declared as yml as described [here](https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html)
-
-
-```yaml
-es_role_mapping:
-  power_user:
-    - "cn=admins,dc=example,dc=com"
-  user:
-    - "cn=users,dc=example,dc=com"
-    - "cn=admins,dc=example,dc=com"
-```
-
-* ```es_users``` - Users can be declared here as yml. Two sub keys 'native' and 'file' determine the realm under which the user is created.  Beneath each of these keys users should be declared as yml entries. e.g.
-
-```yaml
-es_users:
-  native:
-    kibana4_server:
-      password: changeMe
-      roles:
-        - kibana4_server
-  file:
-    es_admin:
-      password: changeMe
-      roles:
-        - admin
-    testUser:
-      password: changeMeAlso!
-      roles:
-        - power_user
-        - user
-```
-
-
-* ```es_roles``` - Elasticsearch roles can be declared here as yml. Two sub keys 'native' and 'file' determine how the role is created i.e. either through a file or http(native) call.  Beneath each key list the roles with appropriate permissions, using the file based format described [here](https://www.elastic.co/guide/en/x-pack/current/file-realm.html) e.g.
-
-```yaml
-es_roles:
-  file:
-    admin:
-      cluster:
-        - all
-      indices:
-        - names: '*'
-          privileges:
-            - all
-    power_user:
-      cluster:
-        - monitor
-      indices:
-        - names: '*'
-          privileges:
-            - all
-    user:
-      indices:
-        - names: '*'
-          privileges:
-            - read
-    kibana4_server:
-      cluster:
-          - monitor
-      indices:
-        - names: '.kibana'
-          privileges:
-            - all
-  native:
-    logstash:
-      cluster:
-        - manage_index_templates
-      indices:
-        - names: 'logstash-*'
-          privileges:
-            - write
-            - delete
-            - create_index
-```
-
-* ```es_xpack_license``` - X-Pack license. The license is a json blob. Set the variable directly (possibly protected by Ansible vault) or from a file in the Ansible project on the control machine via a lookup:
-
-```yaml
-es_xpack_license: "{{ lookup('file', playbook_dir + '/files/' + es_cluster_name + '/license.json') }}"
-```
-
-If you don't have a license you can enable the 30-day trial by setting `es_xpack_trial` to `true`.
-
-X-Pack configuration parameters can be added to the elasticsearch.yml file using the normal `es_config` parameter.
-
-For a full example see [here](https://github.com/elastic/ansible-elasticsearch/blob/main/test/integration/xpack-upgrade.yml)
-
-#### Important Note for Native Realm Configuration
-
-In order for native users and roles to be configured, the role calls the Elasticsearch API.  Given security is installed this requires definition of two parameters:
-
-* ```es_api_basic_auth_username``` - admin username
-* ```es_api_basic_auth_password``` - admin password
-
-These can either be set to a user declared in the file based realm, with admin permissions, or the default "elastic" superuser (default password is changeme).
-
-#### X-Pack Security SSL/TLS
-
-* To configure your cluster with SSL/TLS for HTTP and/or transport communications follow the [SSL/TLS setup procedure](https://github.com/elastic/ansible-elasticsearch/blob/main/docs/ssl-tls-setup.md)
-
-
-### Additional Configuration
-
-In addition to es_config, the following parameters allow the customization of the Java and Elasticsearch versions as well as the role behavior. Options include:
-
-* ```oss_version```  Default `false`. Setting this to `true` will install the oss release of Elasticsearch (for version <7.11.0 only).
-* `es_xpack_trial` Default `false`. Setting this to `true` will start the 30-day trail once the cluster starts.
-* ```es_version``` (e.g. "7.17.0").
-* ```es_api_host``` The host name used for actions requiring HTTP e.g. installing templates. Defaults to "localhost".
-* ```es_api_port``` The port used for actions requiring HTTP e.g. installing templates. Defaults to 9200. **CHANGE IF THE HTTP PORT IS NOT 9200**
-* ```es_api_basic_auth_username``` The Elasticsearch username for making admin changing actions. Used if Security is enabled. Ensure this user is admin.
-* ```es_api_basic_auth_password``` The password associated with the user declared in `es_api_basic_auth_username`
-* `es_delete_unmanaged_file` Default `true`. Set to false to keep file realm users that have been added outside of ansible.
-* `es_delete_unmanaged_native` Default `true`. Set to false to keep native realm users that have been added outside of ansible.
-* ```es_start_service``` (true (default) or false)
-* ```es_plugins_reinstall``` (true or false (default) )
-* ```es_plugins``` an array of plugin definitions e.g.:
-
-  ```yaml
-    es_plugins:
-      - plugin: ingest-attachment
-  ```
-
-* ```es_path_repo``` Sets the whitelist for allowing local back-up repositories
-* ```es_action_auto_create_index``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false):
-     es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]'
-* ```es_allow_downgrades``` For development purposes only. (true or false (default) )
-* ```es_java_install``` If set to true, Java will be installed. (false (default for 7.x) or true (default for 6.x))
-* ```update_java``` Updates Java to the latest version. (true or false (default))
-* ```es_max_map_count``` maximum number of VMA (Virtual Memory Areas) a process can own. Defaults to 262144.
-* ```es_max_open_files``` the maximum file descriptor number that can be opened by this process. Defaults to 65536.
-* ```es_debian_startup_timeout``` how long Debian-family SysV init scripts wait for the service to start, in seconds. Defaults to 10 seconds.
-* ```es_use_repository``` Setting this to `false` will stop Ansible from using the official Elastic package from any repository configured on the system.
-* ```es_add_repository``` Setting this to `false` will stop Ansible to add the official Elastic package repositories (if es_use_repository is true) if you want to use a repo already present.
-* ```es_custom_package_url``` the URL to the rpm or deb package for Ansible to install. When using this you will also need to set `es_use_repository: false` and make sure that the `es_version` matches the version being installed from your custom URL. E.g. `es_custom_package_url: https://downloads.example.com/elasticsearch.rpm`
-
-Earlier examples illustrate the installation of plugins using `es_plugins`.  For officially supported plugins no version or source delimiter is required. The plugin script will determine the appropriate plugin version based on the target Elasticsearch version.  For community based plugins include the full url.  This approach should NOT be used for the X-Pack plugin.  See X-Pack below for details here.
-
-If installing Monitoring or Alerting, ensure the license plugin is also specified.  Security configuration currently has limited support, but more support is planned for later versions.
-
-To configure X-pack to send mail, the following configuration can be added to the role. When require_auth is true, you will also need to provide the user and password. If not these can be removed:
-
-```yaml
-    es_mail_config:
-        account: <functional name>
-        profile: standard
-        from: <from address>
-        require_auth: <true or false>
-        host: <mail domain>
-        port: <port number>
-        user: <e-mail address> --optional
-        pass: <password> --optional
-```
-
-* ```es_user``` - defaults to elasticsearch.
-* ```es_group``` - defaults to elasticsearch.
-* ```es_user_id``` - default is undefined.
-* ```es_group_id``` - default is undefined.
-
-Both ```es_user_id``` and ```es_group_id``` must be set for the user and group ids to be set.
-
-* ```es_restart_on_change``` - defaults to true.  If false, changes will not result in Elasticsearch being restarted.
-* ```es_plugins_reinstall``` - defaults to false.  If true, all currently installed plugins will be removed from a node.  Listed plugins will then be re-installed.
-
-To add, update or remove elasticsearch.keystore entries, use the following variable:
-
-```yaml
-# state is optional and defaults to present
-es_keystore_entries:
-- key: someKeyToAdd
-  value: someValue
-  state: present
-
-- key: someKeyToUpdate
-  value: newValue
-  # state: present
-  force: Yes
-
-- key: someKeyToDelete
-  state: absent
-```
-
-
-
-This role ships with sample templates located in the [test/integration/files/templates-7.x](https://github.com/elastic/ansible-elasticsearch/tree/main/test/integration/files/templates-7.x) directory. `es_templates_fileglob` variable is used with the Ansible [with_fileglob](http://docs.ansible.com/ansible/playbooks_loops.html#id4) loop. When setting the globs, be sure to use an absolute path.
-
-### Proxy
-
-To define proxy globally, set the following variables:
-
-* ```es_proxy_host``` - global proxy host
-* ```es_proxy_port``` - global proxy port
-
-## Notes
-
-* The role assumes the user/group exists on the server.  The elasticsearch packages create the default elasticsearch user.  If this needs to be changed, ensure the user exists.
-* The playbook relies on the inventory_name of each host to ensure its directories are unique
-* KitchenCI has been used for testing.  This is used to confirm images reach the correct state after a play is first applied.  We currently test the latest version of 7.x and 6.x on all supported platforms.
-* The role aims to be idempotent.  Running the role multiple times, with no changes, should result in no state change on the server.  If the configuration is changed, these will be applied and Elasticsearch restarted where required.
-* In order to run x-pack tests a license file with security enabled is required. Set the environment variable `ES_XPACK_LICENSE_FILE` to the full path of the license file prior to running tests. A trial license is appropriate and can be used by setting `es_xpack_trial` to `true`
-
-## IMPORTANT NOTES RE PLUGIN MANAGEMENT
-
-* If the ES version is changed, all plugins will be removed.  Those listed in the playbook will be re-installed.  This is behavior is required in ES 6.x.
-* If no plugins are listed in the playbook for a node, all currently installed plugins will be removed.
-* The role supports automatic detection of differences between installed and listed plugins - installing those listed but not installed, and removing those installed but not listed.   Should users wish to re-install plugins they should set es_plugins_reinstall to true.  This will cause all currently installed plugins to be removed and those listed to be installed.
-
-## Questions on Usage
-
-We welcome questions on how to use the role.  However, in order to keep the GitHub issues list focused on "issues" we ask the community to raise questions at https://discuss.elastic.co/c/elasticsearch.  This is monitored by the maintainers.
+It's used by `mediacloud/newsscribe-ansible`

From cf2a65fc2e34eba9dab5d658729f54ac19748785 Mon Sep 17 00:00:00 2001
From: Phil Budne <phil@regressive.org>
Date: Thu, 5 Jun 2025 14:44:05 -0400
Subject: [PATCH 3/5] try adding es_certificates

---
 tasks/main.yml | 1 +
 vars/main.yml  | 1 +
 2 files changed, 2 insertions(+)

diff --git a/tasks/main.yml b/tasks/main.yml
index 0dbe56e6..bf2abc57 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -38,6 +38,7 @@
 
 - name: Generate ssl certificates
   import_tasks: elasticsearch-certificates.yml
+  when: es_certificates
   tags:
       - certificates
 
diff --git a/vars/main.yml b/vars/main.yml
index 91b7b699..c8d4514c 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -2,3 +2,4 @@
 es_package_url: "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch"
 reserved_xpack_users: ["elastic","kibana","logstash_system"]
 sysd_config_file: "/etc/systemd/system/elasticsearch.service.d/override.conf"
+es_certificates: true
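Review bot: `es_certificates: true` is defined in vars/main.yml, where role vars outrank inventory, group_vars/host_vars and play `vars:`. Callers can therefore only turn certificate generation off through extra-vars or role parameters; a user-facing toggle normally belongs in defaults/main.yml. In the tasks/main.yml hunk the condition is a bare variable, so a string such as "false" passed with `-e` may evaluate as true on current Ansible versions; `when: es_certificates | bool` avoids that. A one-line comment next to the variable, such as `# set false only when TLS certificates are provisioned outside this role`, would make the consequence of disabling it explicit.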

From 0bdf5e6e0181700662971b4626319a88c2e97f3d Mon Sep 17 00:00:00 2001
From: Phil Budne <phil@regressive.org>
Date: Sat, 7 Jun 2025 23:06:58 -0400
Subject: [PATCH 4/5] Update for ES 8.17.3

* Update templates/jvm.options.j2 from github 8.17.3 version
* Add templates/elasticsearch.options.j2 for es_heap_size, es_jvm_custom_parameters
* Removed templates/elasticsearch.j2 (pre systemd defaults file)
---
 README.md                          |  10 +-
 defaults/main.yml                  |   4 +-
 tasks/elasticsearch-config.yml     |  28 ++---
 templates/elasticsearch.j2         |  67 -----------
 templates/elasticsearch.options.j2 |  19 ++++
 templates/jvm.options.j2           | 175 ++++++++---------------------
 6 files changed, 93 insertions(+), 210 deletions(-)
 delete mode 100644 templates/elasticsearch.j2
 create mode 100644 templates/elasticsearch.options.j2

diff --git a/README.md b/README.md
index a17771ef..dc04ed20 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,15 @@
 # NOTE!
 
 This is a fork (with some Ubuntu fixes) of a fork (with ES 8.x
-support) of the old elastic supplied ansible role.
+support) of the old (no longer supported) elastic supplied ansible
+role for installing ES 7.x.
 
 It has been kept in its original form in case upstream fixes become
-available, and to avoid any temptation to improve it.
+available, for transparency regarding who changed what and when, and
+to encourage leaving it alone (avoiding temptation to "improve" it).
 
 It's used by `mediacloud/newsscribe-ansible`
+
+NOTE!!!! Installs elasticsearch version 8.17.3, accordingly
+jvm.options.j2 has been updated to the version from that release.
+*BUT* files not used at Media Cloud have NOT been updated!
diff --git a/defaults/main.yml b/defaults/main.yml
index 47c94790..6a2561f0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-es_version: "7.17.0"
+es_version: "8.17.3"
 es_use_snapshot_release: false
 oss_version: false
 es_package_name: "elasticsearch"
@@ -20,9 +20,9 @@ es_templates: false
 es_user: elasticsearch
 es_group: elasticsearch
 es_config: {}
-es_config_default: "elasticsearch.j2"
 es_config_log4j2: ""
 es_config_jvm: "jvm.options.j2"
+es_config_jvm_local: "elasticsearch.options.j2"
 #Need to provide default directories
 es_conf_dir: "/etc/elasticsearch"
 es_pid_dir: "/var/run/elasticsearch"
diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml
index afab202d..5a498467 100644
--- a/tasks/elasticsearch-config.yml
+++ b/tasks/elasticsearch-config.yml
@@ -48,19 +48,6 @@
   register: system_change
   notify: restart elasticsearch
 
-#Copy the default file
-- name: Copy Default File
-  become: yes
-  template:
-    src: "{{ es_config_default }}"
-    dest: "{{ default_file }}"
-    owner: root
-    group: "{{ es_group }}"
-    mode: "660"
-    force: yes
-    backup: yes
-  notify: restart elasticsearch
-
 #Copy the systemd specific file if systemd is installed
 - when: use_system_d and (m_lock_enabled or es_max_open_files is defined)
   become: yes
@@ -83,6 +70,9 @@
        - reload systemd configuration
        - restart elasticsearch
 
+# not supposed to modified locally, but
+# es install makes substitutions for @thing@
+# so this file is version specific!
 - name: Copy jvm.options File
   become: yes
   template:
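Review bot: The comment added above `Copy jvm.options File` says the template is version specific, but nothing in this hunk ties it to `es_version`, which stays an overridable default in defaults/main.yml. A caller pinning another release would still get the 8.17.3 jvm.options. The comment is also hard to read as written ("not supposed to modified"). I would reword it along the lines of `# jvm.options is not meant to be edited locally; the ES install substitutes @placeholders@ in it, so this template must match es_version (8.17.3)`. The task body continues outside the hunk.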
@@ -95,6 +85,18 @@
     backup: yes
   notify: restart elasticsearch
 
+- name: Copy elasticsearch.options File
+  become: yes
+  template:
+    src: "{{ es_config_jvm_local }}"
+    dest: "{{ es_conf_dir }}/jvm.options.d/elasticsearch.options"
+    owner: root
+    group: "{{ es_group }}"
+    mode: "660"
+    force: yes
+    backup: yes
+  notify: restart elasticsearch
+
 - name: Copy log4j2.properties File
   become: yes
   template:
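Review bot: `mode: "660"` on the new `Copy elasticsearch.options File` task leaves a JVM options file group-writable by `es_group`. If the service account is in that group (the usual setup, not shown here), the running Elasticsearch process could rewrite its own JVM flags and have them take effect at the next restart. Elasticsearch only needs to read this file, so `mode: "0640"` is enough. The same mode appears on the removed default-file task, so it looks inherited rather than deliberate. The following `Copy log4j2.properties File` task continues outside the hunk.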
diff --git a/templates/elasticsearch.j2 b/templates/elasticsearch.j2
deleted file mode 100644
index 4e64f388..00000000
--- a/templates/elasticsearch.j2
+++ /dev/null
@@ -1,67 +0,0 @@
-################################
-# Elasticsearch
-################################
-
-# Elasticsearch home directory
-ES_HOME={{es_home}}
-
-# Elasticsearch temp directory
-ES_TMPDIR={{ es_tmp_dir }}
-
-# Elasticsearch Java path
-{% if es_java_home | length > 0 %}
-ES_JAVA_HOME={{ es_java_home }}
-{% else %}
-#ES_JAVA_HOME=
-{% endif %}
-
-# Elasticsearch configuration directory
-ES_PATH_CONF={{ es_conf_dir }}
-
-# Elasticsearch PID directory
-PID_DIR={{ es_pid_dir }}
-
-# Additional Java OPTS
-ES_JAVA_OPTS="{% if es_proxy_host is defined and es_proxy_host != '' %}-Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }}{% endif %}"
-
-# Configure restart on package upgrade (true, every other setting will lead to not restarting)
-#RESTART_ON_UPGRADE=true
-
-################################
-# Elasticsearch service
-################################
-
-# SysV init.d
-#
-# The number of seconds to wait before checking if Elasticsearch started successfully as a daemon process
-ES_STARTUP_SLEEP_TIME=5
-
-################################
-# System properties
-################################
-
-# Specifies the maximum file descriptor number that can be opened by this process
-# When using Systemd, this setting is ignored and the LimitNOFILE defined in
-# /usr/lib/systemd/system/elasticsearch.service takes precedence
-#MAX_OPEN_FILES=65535
-{% if es_max_open_files is defined %}
-MAX_OPEN_FILES={{es_max_open_files}}
-{% endif %}
-
-# The maximum number of bytes of memory that may be locked into RAM
-# Set to "unlimited" if you use the 'bootstrap.memory_lock: true' option
-# in elasticsearch.yml.
-# When using systemd, LimitMEMLOCK must be set in a unit file such as
-# /etc/systemd/system/elasticsearch.service.d/override.conf.
-#MAX_LOCKED_MEMORY=unlimited
-{% if m_lock_enabled %}
-MAX_LOCKED_MEMORY=unlimited
-{% endif %}
-
-# Maximum number of VMA (Virtual Memory Areas) a process can own
-# When using Systemd, this setting is ignored and the 'vm.max_map_count'
-# property is set at boot time in /usr/lib/sysctl.d/elasticsearch.conf
-#MAX_MAP_COUNT=262144
-{% if es_max_map_count is defined %}
-MAX_MAP_COUNT={{es_max_map_count}}
-{% endif %}
diff --git a/templates/elasticsearch.options.j2 b/templates/elasticsearch.options.j2
new file mode 100644
index 00000000..bd455644
--- /dev/null
+++ b/templates/elasticsearch.options.j2
@@ -0,0 +1,19 @@
+# template for local jvm options, extracted from old
+# ansible-elasticsearch jvm.options.j2 dropped into
+# /etc/elasticsearch/jvm.d/
+
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+{% if es_heap_size is defined %}
+-Xms{{ es_heap_size }}
+-Xmx{{ es_heap_size }}
+{% else %}
+-Xms2g
+-Xmx2g
+{% endif %}
+
+{% if es_jvm_custom_parameters !='' %}
+{% for item in es_jvm_custom_parameters %}
+{{ item }}
+{% endfor %}
+{% endif %}
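Review bot: The header comment says the file is dropped into `/etc/elasticsearch/jvm.d/`, but the task added in tasks/elasticsearch-config.yml writes it to `{{ es_conf_dir }}/jvm.options.d/elasticsearch.options`; the last comment line should read `# <es_conf_dir>/jvm.options.d/elasticsearch.options`. The `{% else %}` branch still forces `-Xms2g`/`-Xmx2g` whenever `es_heap_size` is unset, which overrides the automatic heap sizing that the new jvm.options header describes. The `es_jvm_custom_parameters !=''` guard also lets a non-empty string reach the `for` loop, where it would be emitted one character per line. A test such as `es_jvm_custom_parameters is iterable and es_jvm_custom_parameters is not string` is safer.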
diff --git a/templates/jvm.options.j2 b/templates/jvm.options.j2
index 3acf3988..ff833964 100644
--- a/templates/jvm.options.j2
+++ b/templates/jvm.options.j2
@@ -1,130 +1,80 @@
+# Media Cloud NOTE: this is the jvm.options from
+# https://github.com/elastic/elasticsearch v8.17.3 release, with
+# @thing@ replaced
+################################################################
+##
 ## JVM configuration
+##
+################################################################
+##
+## WARNING: DO NOT EDIT THIS FILE. If you want to override the
+## JVM options in this file, or set any additional options, you
+## should create one or more files in the jvm.options.d
+## directory containing your adjustments.
+##
+## See https://www.elastic.co/guide/en/elasticsearch/reference/8.17/advanced-configuration.html#set-jvm-options
+## for more information.
+##
+################################################################
+
+
 
 ################################################################
 ## IMPORTANT: JVM heap size
 ################################################################
 ##
-## You should always set the min and max JVM heap
-## size to the same value. For example, to set
-## the heap to 4 GB, set:
+## The heap size is automatically configured by Elasticsearch
+## based on the available memory in your system and the roles
+## each node is configured to fulfill. If specifying heap is
+## required, it should be done through a file in jvm.options.d,
+## which should be named with .options suffix, and the min and
+## max should be set to the same value. For example, to set the
+## heap to 4 GB, create a new file in the jvm.options.d
+## directory containing these lines:
 ##
 ## -Xms4g
 ## -Xmx4g
 ##
-## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
+## See https://www.elastic.co/guide/en/elasticsearch/reference/8.17/heap-size.html
 ## for more information
 ##
 ################################################################
 
-# Xms represents the initial size of total heap space
-# Xmx represents the maximum size of total heap space
-{% if es_heap_size is defined %}
--Xms{{ es_heap_size }}
--Xmx{{ es_heap_size }}
-{% else %}
--Xms2g
--Xmx2g
-{% endif %}
 
 ################################################################
 ## Expert settings
 ################################################################
 ##
-## All settings below this section are considered
-## expert settings. Don't tamper with them unless
-## you understand what you are doing
+## All settings below here are considered expert settings. Do
+## not adjust them unless you understand what you are doing. Do
+## not edit them in this file; instead, create a new file in the
+## jvm.options.d directory containing your adjustments.
 ##
 ################################################################
 
-## GC configuration
-{% if es_version is version('7.6.0', '<') %}
--XX:+UseConcMarkSweepGC
--XX:CMSInitiatingOccupancyFraction=75
--XX:+UseCMSInitiatingOccupancyOnly
-{% else %}
-8-13:-XX:+UseConcMarkSweepGC
-8-13:-XX:CMSInitiatingOccupancyFraction=75
-8-13:-XX:+UseCMSInitiatingOccupancyOnly
-{% endif %}
-
-## G1GC Configuration
-# NOTE: G1 GC is only supported on JDK version 10 or later
-{% if es_version is version('7.6.0', '<') %}
-# To use G1GC uncomment the lines below.
-# 10-:-XX:-UseConcMarkSweepGC
-# 10-:-XX:-UseCMSInitiatingOccupancyOnly
-# 10-:-XX:+UseG1GC
-{% if es_version is version('7.4.0', '<') %}
-# 10-:-XX:InitiatingHeapOccupancyPercent=75
-{% else %}
-# 10-:-XX:G1ReservePercent=25
-# 10-:-XX:InitiatingHeapOccupancyPercent=30
-{% endif %}
-{% else %}
-# to use G1GC, uncomment the next two lines and update the version on the
-# following three lines to your version of the JDK
-# 10-13:-XX:-UseConcMarkSweepGC
-# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
-14-:-XX:+UseG1GC
-14-:-XX:G1ReservePercent=25
-14-:-XX:InitiatingHeapOccupancyPercent=30
-{% endif %}
-
-{% if es_version is version('7.5.0', '<') %}
-## DNS cache policy
-# cache ttl in seconds for positive DNS lookups noting that this overrides the
-# JDK security property networkaddress.cache.ttl; set to -1 to cache forever
--Des.networkaddress.cache.ttl=60
-# cache ttl in seconds for negative DNS lookups noting that this overrides the
-# JDK security property networkaddress.cache.negative ttl; set to -1 to cache
-# forever
--Des.networkaddress.cache.negative.ttl=10
-
-## optimizations
-
-# pre-touch memory pages used by the JVM during initialization
--XX:+AlwaysPreTouch
-
-## basic
-
-# explicitly set the stack size
--Xss1m
-
-# set to headless, just in case
--Djava.awt.headless=true
-
-# ensure UTF-8 encoding by default (e.g. filenames)
--Dfile.encoding=UTF-8
-
-# use our provided JNA always versus the system one
--Djna.nosys=true
-
-# turn off a JDK optimization that throws away stack traces for common
-# exceptions because stack traces are important for debugging
--XX:-OmitStackTraceInFastThrow
-
-# flags to configure Netty
--Dio.netty.noUnsafe=true
--Dio.netty.noKeySetOptimization=true
--Dio.netty.recycler.maxCapacityPerThread=0
-{% if es_version is version('7.4.0', '>=') %}
--Dio.netty.allocator.numDirectArenas=0
-{% endif %}
-
-# log4j 2
--Dlog4j.shutdownHookEnabled=false
--Dlog4j2.disable.jmx=true
-{% endif %}
+-XX:+UseG1GC
 
 ## JVM temporary directory
 -Djava.io.tmpdir=${ES_TMPDIR}
 
+# Leverages accelerated vector hardware instructions; removing this may
+# result in less optimal vector performance
+20-:--add-modules=jdk.incubator.vector
+
+# Required to workaround performance issue in JDK 23, https://github.com/elastic/elasticsearch/issues/113030
+23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.setAsTypeCache
+23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.asTypeUncached
+
 ## heap dumps
 
-# generate a heap dump when an allocation from the Java heap fails
-# heap dumps are created in the working directory of the JVM
+# generate a heap dump when an allocation from the Java heap fails; heap dumps
+# are created in the working directory of the JVM unless an alternative path is
+# specified
 -XX:+HeapDumpOnOutOfMemoryError
 
+# exit right after heap dump on out of memory error
+-XX:+ExitOnOutOfMemoryError
+
 # specify an alternative path for heap dumps; ensure the directory exists and
 # has sufficient space
 -XX:HeapDumpPath={{ es_heap_dump_path }}
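Review bot: The heap-dump block now pairs `-XX:+HeapDumpOnOutOfMemoryError` with `-XX:+ExitOnOutOfMemoryError`, but its comments still say nothing about how sensitive the file written under `{{ es_heap_dump_path }}` is. A heap image holds whatever the node had in memory, which can include indexed documents and credentials. I would add `# heap dumps contain in-memory data; keep this directory readable by the elasticsearch user only` above the `-XX:HeapDumpPath` line. Whether the role creates that directory with restrictive permissions is not visible in this hunk.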
@@ -132,32 +82,5 @@
 # specify an alternative path for JVM fatal error logs
 -XX:ErrorFile={{ es_log_dir }}/hs_err_pid%p.log
 
-## JDK 8 GC logging
-
-8:-XX:+PrintGCDetails
-8:-XX:+PrintGCDateStamps
-8:-XX:+PrintTenuringDistribution
-8:-XX:+PrintGCApplicationStoppedTime
-8:-Xloggc:{{ es_log_dir }}/gc.log
-8:-XX:+UseGCLogFileRotation
-8:-XX:NumberOfGCLogFiles=32
-8:-XX:GCLogFileSize=64m
-
-# JDK 9+ GC logging
-9-:-Xlog:gc*,gc+age=trace,safepoint:file={{ es_log_dir }}/gc.log:utctime,pid,tags:filecount=32,filesize=64m
-{% if es_version is version('7.5.0', '<') %}
-# due to internationalization enhancements in JDK 9 Elasticsearch need to set the provider to COMPAT otherwise
-# time/date parsing will break in an incompatible way for some date patterns and locals
-9-:-Djava.locale.providers=COMPAT
-
-{% if es_major_version == "6.x" %}
-# temporary workaround for C2 bug with JDK 10 on hardware with AVX-512
-10-:-XX:UseAVX=2
-{% endif %}
-{% endif %}
-
-{% if es_jvm_custom_parameters !='' %}
-{% for item in es_jvm_custom_parameters %}
-{{ item }}
-{% endfor %}
-{% endif %}
+## GC logging
+-Xlog:gc*,gc+age=trace,safepoint:file={{ es_log_dir }}/gc.log:utctime,level,pid,tags:filecount=32,filesize=64m

From e02dcc343af064ec571eda8d5dfe5a3b1a2bc734 Mon Sep 17 00:00:00 2001
From: Phil Budne <phil@regressive.org>
Date: Wed, 11 Jun 2025 12:06:04 -0400
Subject: [PATCH 5/5] move es_certificates from vars/main.yml to
 defaults/main.yml

---
 defaults/main.yml | 1 +
 vars/main.yml     | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 6a2561f0..10cabb11 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -69,3 +69,4 @@ es_ssl_verification_mode: "certificate"
 es_validate_certs: "yes"
 es_delete_unmanaged_file: true
 es_delete_unmanaged_native: true
+es_certificates: true
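Review bot: `es_certificates` becomes a role default in this hunk, so it can now be overridden from inventory or `-e`, but nothing here documents what turning it off does. A one-line comment above it naming the tasks it gates would help. Because command-line overrides arrive as strings, the conditions that read it (outside this diff) should use `es_certificates | bool`. The neighbouring `es_validate_certs: "yes"` is already a quoted string rather than a boolean, which suggests the role mixes both forms.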
diff --git a/vars/main.yml b/vars/main.yml
index c8d4514c..91b7b699 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -2,4 +2,3 @@
 es_package_url: "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch"
 reserved_xpack_users: ["elastic","kibana","logstash_system"]
 sysd_config_file: "/etc/systemd/system/elasticsearch.service.d/override.conf"
-es_certificates: true