change "include: elasticsearch-security-file.yml" to "include_tasks:"

defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-es_version: "7.17.0"
+es_version: "8.17.3"
 es_use_snapshot_release: false
 oss_version: false
 es_package_name: "elasticsearch"
@@ -20,9 +20,9 @@ es_templates: false
 es_user: elasticsearch
 es_group: elasticsearch
 es_config: {}
-es_config_default: "elasticsearch.j2"
 es_config_log4j2: ""
 es_config_jvm: "jvm.options.j2"
+es_config_jvm_local: "elasticsearch.options.j2"
 #Need to provide default directories
 es_conf_dir: "/etc/elasticsearch"
 es_pid_dir: "/var/run/elasticsearch"
@@ -69,3 +69,4 @@ es_ssl_verification_mode: "certificate"
 es_validate_certs: "yes"
 es_delete_unmanaged_file: true
 es_delete_unmanaged_native: true
+es_certificates: true

tasks/elasticsearch-config.yml

@@ -48,19 +48,6 @@
   register: system_change
   notify: restart elasticsearch
 
-#Copy the default file
-- name: Copy Default File
-  become: yes
-  template:
-    src: "{{ es_config_default }}"
-    dest: "{{ default_file }}"
-    owner: root
-    group: "{{ es_group }}"
-    mode: "660"
-    force: yes
-    backup: yes
-  notify: restart elasticsearch
-
 #Copy the systemd specific file if systemd is installed
 - when: use_system_d and (m_lock_enabled or es_max_open_files is defined)
   become: yes
@@ -83,6 +70,9 @@
        - reload systemd configuration
        - restart elasticsearch
 
+# not supposed to modified locally, but
+# es install makes substitutions for @thing@
+# so this file is version specific!
 - name: Copy jvm.options File
   become: yes
   template:
@@ -95,6 +85,18 @@
     backup: yes
   notify: restart elasticsearch
 
+- name: Copy elasticsearch.options File
+  become: yes
+  template:
+    src: "{{ es_config_jvm_local }}"
+    dest: "{{ es_conf_dir }}/jvm.options.d/elasticsearch.options"
+    owner: root
+    group: "{{ es_group }}"
+    mode: "660"
+    force: yes
+    backup: yes
+  notify: restart elasticsearch
+
 - name: Copy log4j2.properties File
   become: yes
   template:

tasks/main.yml

@@ -38,6 +38,7 @@
 
 - name: Generate ssl certificates
   import_tasks: elasticsearch-certificates.yml
+  when: es_certificates
   tags:
       - certificates
 

tasks/xpack/security/elasticsearch-security.yml

@@ -64,7 +64,7 @@
 
 #-----------------------------FILE BASED REALM----------------------------------------
 
-- include: elasticsearch-security-file.yml
+- include_tasks: elasticsearch-security-file.yml
   when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)
 
 #-----------------------------ROLE MAPPING ----------------------------------------

templates/elasticsearch.options.j2

@@ -0,0 +1,19 @@
+# template for local jvm options, extracted from old
+# ansible-elasticsearch jvm.options.j2 dropped into
+# /etc/elasticsearch/jvm.d/
+
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+{% if es_heap_size is defined %}
+-Xms{{ es_heap_size }}
+-Xmx{{ es_heap_size }}
+{% else %}
+-Xms2g
+-Xmx2g
+{% endif %}
+
+{% if es_jvm_custom_parameters !='' %}
+{% for item in es_jvm_custom_parameters %}
+{{ item }}
+{% endfor %}
+{% endif %}

templates/jvm.options.j2

@@ -1,163 +1,86 @@
+# Media Cloud NOTE: this is the jvm.options from
+# https://github.com/elastic/elasticsearch v8.17.3 release, with
+# @thing@ replaced
+################################################################
+##
 ## JVM configuration
+##
+################################################################
+##
+## WARNING: DO NOT EDIT THIS FILE. If you want to override the
+## JVM options in this file, or set any additional options, you
+## should create one or more files in the jvm.options.d
+## directory containing your adjustments.
+##
+## See https://www.elastic.co/guide/en/elasticsearch/reference/8.17/advanced-configuration.html#set-jvm-options
+## for more information.
+##
+################################################################
+
+
 
 ################################################################
 ## IMPORTANT: JVM heap size
 ################################################################
 ##
-## You should always set the min and max JVM heap
-## size to the same value. For example, to set
-## the heap to 4 GB, set:
+## The heap size is automatically configured by Elasticsearch
+## based on the available memory in your system and the roles
+## each node is configured to fulfill. If specifying heap is
+## required, it should be done through a file in jvm.options.d,
+## which should be named with .options suffix, and the min and
+## max should be set to the same value. For example, to set the
+## heap to 4 GB, create a new file in the jvm.options.d
+## directory containing these lines:
 ##
 ## -Xms4g
 ## -Xmx4g
 ##
-## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
+## See https://www.elastic.co/guide/en/elasticsearch/reference/8.17/heap-size.html
 ## for more information
 ##
 ################################################################
 
-# Xms represents the initial size of total heap space
-# Xmx represents the maximum size of total heap space
-{% if es_heap_size is defined %}
--Xms{{ es_heap_size }}
--Xmx{{ es_heap_size }}
-{% else %}
--Xms2g
--Xmx2g
-{% endif %}
 
 ################################################################
 ## Expert settings
 ################################################################
 ##
-## All settings below this section are considered
-## expert settings. Don't tamper with them unless
-## you understand what you are doing
+## All settings below here are considered expert settings. Do
+## not adjust them unless you understand what you are doing. Do
+## not edit them in this file; instead, create a new file in the
+## jvm.options.d directory containing your adjustments.
 ##
 ################################################################
 
-## GC configuration
-{% if es_version is version('7.6.0', '<') %}
--XX:+UseConcMarkSweepGC
--XX:CMSInitiatingOccupancyFraction=75
--XX:+UseCMSInitiatingOccupancyOnly
-{% else %}
-8-13:-XX:+UseConcMarkSweepGC
-8-13:-XX:CMSInitiatingOccupancyFraction=75
-8-13:-XX:+UseCMSInitiatingOccupancyOnly
-{% endif %}
-
-## G1GC Configuration
-# NOTE: G1 GC is only supported on JDK version 10 or later
-{% if es_version is version('7.6.0', '<') %}
-# To use G1GC uncomment the lines below.
-# 10-:-XX:-UseConcMarkSweepGC
-# 10-:-XX:-UseCMSInitiatingOccupancyOnly
-# 10-:-XX:+UseG1GC
-{% if es_version is version('7.4.0', '<') %}
-# 10-:-XX:InitiatingHeapOccupancyPercent=75
-{% else %}
-# 10-:-XX:G1ReservePercent=25
-# 10-:-XX:InitiatingHeapOccupancyPercent=30
-{% endif %}
-{% else %}
-# to use G1GC, uncomment the next two lines and update the version on the
-# following three lines to your version of the JDK
-# 10-13:-XX:-UseConcMarkSweepGC
-# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
-14-:-XX:+UseG1GC
-14-:-XX:G1ReservePercent=25
-14-:-XX:InitiatingHeapOccupancyPercent=30
-{% endif %}
-
-{% if es_version is version('7.5.0', '<') %}
-## DNS cache policy
-# cache ttl in seconds for positive DNS lookups noting that this overrides the
-# JDK security property networkaddress.cache.ttl; set to -1 to cache forever
--Des.networkaddress.cache.ttl=60
-# cache ttl in seconds for negative DNS lookups noting that this overrides the
-# JDK security property networkaddress.cache.negative ttl; set to -1 to cache
-# forever
--Des.networkaddress.cache.negative.ttl=10
-
-## optimizations
-
-# pre-touch memory pages used by the JVM during initialization
--XX:+AlwaysPreTouch
-
-## basic
-
-# explicitly set the stack size
--Xss1m
-
-# set to headless, just in case
--Djava.awt.headless=true
-
-# ensure UTF-8 encoding by default (e.g. filenames)
--Dfile.encoding=UTF-8
-
-# use our provided JNA always versus the system one
--Djna.nosys=true
-
-# turn off a JDK optimization that throws away stack traces for common
-# exceptions because stack traces are important for debugging
--XX:-OmitStackTraceInFastThrow
-
-# flags to configure Netty
--Dio.netty.noUnsafe=true
--Dio.netty.noKeySetOptimization=true
--Dio.netty.recycler.maxCapacityPerThread=0
-{% if es_version is version('7.4.0', '>=') %}
--Dio.netty.allocator.numDirectArenas=0
-{% endif %}
-
-# log4j 2
--Dlog4j.shutdownHookEnabled=false
--Dlog4j2.disable.jmx=true
-{% endif %}
+-XX:+UseG1GC
 
 ## JVM temporary directory
 -Djava.io.tmpdir=${ES_TMPDIR}
 
+# Leverages accelerated vector hardware instructions; removing this may
+# result in less optimal vector performance
+20-:--add-modules=jdk.incubator.vector
+
+# Required to workaround performance issue in JDK 23, https://github.com/elastic/elasticsearch/issues/113030
+23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.setAsTypeCache
+23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.asTypeUncached
+
 ## heap dumps
 
-# generate a heap dump when an allocation from the Java heap fails
-# heap dumps are created in the working directory of the JVM
+# generate a heap dump when an allocation from the Java heap fails; heap dumps
+# are created in the working directory of the JVM unless an alternative path is
+# specified
 -XX:+HeapDumpOnOutOfMemoryError
 
+# exit right after heap dump on out of memory error
+-XX:+ExitOnOutOfMemoryError
+
 # specify an alternative path for heap dumps; ensure the directory exists and
 # has sufficient space
 -XX:HeapDumpPath={{ es_heap_dump_path }}
 
 # specify an alternative path for JVM fatal error logs
 -XX:ErrorFile={{ es_log_dir }}/hs_err_pid%p.log
 
-## JDK 8 GC logging
-
-8:-XX:+PrintGCDetails
-8:-XX:+PrintGCDateStamps
-8:-XX:+PrintTenuringDistribution
-8:-XX:+PrintGCApplicationStoppedTime
-8:-Xloggc:{{ es_log_dir }}/gc.log
-8:-XX:+UseGCLogFileRotation
-8:-XX:NumberOfGCLogFiles=32
-8:-XX:GCLogFileSize=64m
-
-# JDK 9+ GC logging
-9-:-Xlog:gc*,gc+age=trace,safepoint:file={{ es_log_dir }}/gc.log:utctime,pid,tags:filecount=32,filesize=64m
-{% if es_version is version('7.5.0', '<') %}
-# due to internationalization enhancements in JDK 9 Elasticsearch need to set the provider to COMPAT otherwise
-# time/date parsing will break in an incompatible way for some date patterns and locals
-9-:-Djava.locale.providers=COMPAT
-
-{% if es_major_version == "6.x" %}
-# temporary workaround for C2 bug with JDK 10 on hardware with AVX-512
-10-:-XX:UseAVX=2
-{% endif %}
-{% endif %}
-
-{% if es_jvm_custom_parameters !='' %}
-{% for item in es_jvm_custom_parameters %}
-{{ item }}
-{% endfor %}
-{% endif %}
+## GC logging
+-Xlog:gc*,gc+age=trace,safepoint:file={{ es_log_dir }}/gc.log:utctime,level,pid,tags:filecount=32,filesize=64m