elasticsearch

A distributed, RESTful search and analytics engine built on Apache Lucene, used for full-text search, log analytics, APM, and security analytics workloads.


What is Elasticsearch?

The elasticsearch image packages Elasticsearch, a distributed search and analytics engine. Teams use it to power full-text search, log analytics, application performance monitoring, and security analytics, typically as the storage and query layer of an ELK or Elastic Stack deployment. It exposes the REST API on port 9200 and communicates with cluster peers on port 9300; production deployments use StatefulSets with at least three master-eligible nodes.

What is Echo's Elasticsearch image?

Echo's elasticsearch image is a hardened build of the Elasticsearch server bundle. Echo images are designed to be a drop-in replacement: change the FROM line in your Dockerfile and CVEs go to zero without breaking your app. Every image is tested across clouds, image use cases, and deployment targets. Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. The default variant carries the JVM and tooling needed for `elasticsearch-plugin install` workflows; the distroless variant is suitable for fully baked-in deployments where security plugins and certificates are already provisioned.

What is the difference between Echo's Elasticsearch image and the public Elasticsearch image?

Public elasticsearch images include a fairly broad JVM and tooling layer that brings non-trivial CVE counts. Echo's elasticsearch image keeps the JVM aligned with what Elasticsearch actually requires and trims the rest, dropping CVEs to zero on day one. Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown - with vulnerabilities triaged within 24 hours. Echo images are recognized by all major scanners and mirrored to all major registries, so they fit into existing pipelines without changing your registry, scanner, or runtime tooling.

FAQ

Can I replace my elasticsearch image with Echo's elasticsearch image?

Yes. Echo's elasticsearch image is a drop-in replacement. Update the FROM line in your Dockerfile (or the image reference in your manifests) and your application keeps working - the CVEs disappear, the behavior doesn't.

Is Echo's elasticsearch image FIPS-validated?

Yes. Echo's FIPS-validated images use cryptographic modules with an active FIPS 140-3 CMVP certificate, making them fit for federal use - unlike FIPS-compliant images that haven't been validated.

What is Echo's vulnerability management SLA on the elasticsearch image?

Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown - with vulnerabilities triaged within 24 hours. Patches are mirrored automatically into your private registry so you're always running a clean version.

Is Echo's elasticsearch image distroless?

Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells.

How does Echo achieve such a drastic CVE reduction in elasticsearch?

Echo elasticsearch is built from source with only the absolute essentials needed to run the workload, which significantly shrinks the attack surface. Echo also patches aggressively over time, with backports available so you can stay on the version that works for you without forcing a functional change for the sake of security.

Will Echo's elasticsearch image help us achieve FedRAMP?

Yes. The hard parts of FedRAMP - managing vulnerabilities, applying fixes, and using FIPS-validated cryptography - are baked into Echo images, including STIG-hardened configuration and ConMon/POA&M-ready reporting.
