Please refer to the release process document for detailed information on how to release the OpenSearch and OpenSearch Dashboards software.
The OpenSearch project releases as versioned distributions of OpenSearch, OpenSearch Dashboards, and the OpenSearch plugins. It follows semantic versioning. Software, such as Data Prepper, clients, and the Logstash output plugin, are versioned independently of the OpenSearch Project. They also may have independent releases from the main project distributions. The OpenSearch Project may also release software under alpha, beta, release candidate, and generally available labels. The definition of when to use these labels is derived from the Wikipedia page on Software release lifecycle. Below is the definition of when to use each label.
-alphaX
where "X" is the number of the alpha version (e.g., "2.0-alpha1").-betaX
where "X" is the number of the beta version (e.g., "2.0.0-beta1").-rcX
where "X" is the number of the release candidate version (e.g., "2.0.0-rc1").Plugin owners can follow the Onboarding Process to onboard their plugins to the release process.
See wiki
See wiki
For all types of signing within OpenSearch project we use opensearch-signer-client
(in progress of being open-sourced) which is a wrapper around internal signing system and is only available for authenticated users. The input requires a path to the build manifest or directory containing all the artifacts or a single artifact.
Usage:
./sign.sh builds/opensearch/manifest.yml
The tool currently supports following platforms for signing.
Anything can be signed using PGP signing eg: tarball, any type of file, etc. A .sig
file will be returned containing the signature. OpenSearch and OpenSearch dashboards distributions, components such as data prepper, etc. as well as maven artifacts are signed using PGP signing. See this page for how to verify signatures.
Windows signing can be used to sign windows executables such as .msi, .msp, .msm, .cab, .dll, .exe, .appx, .appxbundle, .msix, .msixbundle, .sys, .vxd, .ps1, .psm1
, and any PE file that is supported by Signtool.exe. Various windows artifacts such as SQL OBDC, opensearch-cli, etc are signed using this method.
Windows code signing uses EV (Extended Validated) code signing certificates.
Types of signing/Details | Digest | Cipher | Key Size |
---|---|---|---|
PGP | SHA1 | AES-128 | 2048 |
Windows | SHA256 | RSA | |
RPM | SHA512 | RSA | 4096 |
RPM artifacts are signed via a legacy shell script which uses a macros template. See this commit for more information and this issue to add RPM artifact signing functionality to the above signing system. Currently we are only signing OpenSearch and OpenSearch dashboards RPM distributions using this method.
See src/sign_workflow for more information.
The Linux / Windows release is managed by a team at Amazon following this release template (e.g. opensearch-build#2649).
The FreeBSD ports and packages for OpenSearch are managed by a community OpenSearch Team at FreeBSD. When a new release is rolled out, this team will update the port and commit it to the FreeBSD ports tree. Anybody is welcome to help the team by providing patches for upgrading the ports following the FreeBSD Porter's Handbook instructions.
At this moment there's no official macOS distribution. However, this project does support building and assembling OpenSearch for macOS. See opensearch-build#37 and #38 for more details.
The checkout workflow checks out source code for a given manifest for further examination.
./checkout.sh manifests/1.3.0/opensearch-1.3.0.yml
See src/checkout_workflow for more information.
You can perform cross-platform builds. For example, build and assemble a Windows distribution on macOS.
export JAVA_HOME=$(/usr/libexec/java_home) # required by OpenSearch install-plugin during assemble
./build.sh manifests/1.3.0/opensearch-1.3.0.yml --snapshot --platform windows
./assemble.sh builds/opensearch/manifest.yml
This will produce dist/opensearch-1.3.0-SNAPSHOT-windows-x64.zip
on Linux and macOS.
This workflow runs sanity checks on every component present in the bundle, executed as part of the manifests workflow in this repository. It ensures that the component GitHub repositories are correct and versions in those components match the OpenSearch version.
The following example sanity-checks components in the OpenSearch 1.3.0 manifest.
./ci.sh manifests/1.3.0/opensearch-1.3.0.yml --snapshot
See src/ci_workflow for more information.
The manifests workflow reacts to version increments in OpenSearch and its components by extracting Gradle properties from project branches. When a new version is found, a new input manifest is added to manifests, and a pull request is opened (e.g. opensearch-build#491).
Show information about existing manifests.
./manifests.sh list
Check for updates and create any new manifests.
./manifests.sh update
See src/manifests_workflow for more information.
This project uses jenkins as the build infrastructure for building, testing and releasing the artifacts. The infrastructure is deployed using CDK and code can be found in opensearch-ci repository.
See developer guide and how to contribute to this project.
If you find a bug, or have a feature request, please don't hesitate to open an issue in this repository.
For more information, see project website and documentation. If you need help and are unsure where to open an issue, try forums.
This project has adopted the Amazon Open Source Code of Conduct. For more information see the Code of Conduct FAQ, or contact opensource-codeofconduct@amazon.com with any additional questions or comments.
If you discover a potential security issue in this project we ask that you notify OpenSearch Security directly via email to security@opensearch.org. Please do not create a public GitHub issue.
This project is licensed under the Apache v2.0 License.
Copyright OpenSearch Contributors. See NOTICE for details.