Hello, I’m trying to start an OpenSearch cluster without using the demo security configuration.
I did the following (using image version 1.0.1):
- Generated my own self-signed certificates as per the OpenSearch documentation.
- Added new certs to volume mounts in my docker compose.
- Implemented custom opensearch.yml referencing new certs.
- Set `plugins.security.allow_unsafe_democertificates: false`.
- Added the Docker environment variable `DISABLE_INSTALL_DEMO_CONFIG=true` to docker-compose.yml.
My containers fail to start with the following error:
Likely root cause: java.lang.RuntimeException: Demo certificates found [d14aefe70a592d7a29e14f3ff89c3d0070c99e87d21776aa07d333ee877e758f, 54a70016e0837a2b0c5658d1032d7ca32e432c62c55f01a2bf5adcb69a0a7ba9, bdc141ab2272c779d0f242b79063152c49e1b06a2af05e0fd90d505f2b44d5f5, 3e839e2b059036a99ee4f742814995f2fb0ced7e9d68a47851f43a3c630b5324]
at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:367)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:64)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:481)
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:726)
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:671)
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:492)
at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:181)
at org.opensearch.node.Node.<init>(Node.java:357)
at org.opensearch.node.Node.<init>(Node.java:301)
at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:240)
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:240)
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:406)
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:182)
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:173)
at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:99)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:140)
at org.opensearch.cli.Command.main(Command.java:103)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:139)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:105)
For complete error details, refer to the log at /usr/share/opensearch/logs/opensearch-cluster.log
This is the file I used to generate the certs:
REM Creates the TLS material for the OpenSearch security plugin: one self-signed
REM root CA and three leaf certificates (admin, node, client) signed by it, each
REM valid for 730 days. Leaf keys are written as unencrypted PKCS#8 (-nocrypt),
REM matching an opensearch.yml that sets no key password; the "-v1 PBE-SHA1-3DES"
REM option selects an encryption scheme and therefore has no effect next to -nocrypt.
REM NOTE(review): root-ca-key.pem can sign further node/admin certificates for this
REM cluster; keep it out of the ./certs directory the containers mount, and restrict
REM access to every *-key.pem since none of them is encrypted.
REM NOTE(review): the node certificate carries only a CN and no subjectAltName; with
REM transport hostname verification enabled, peers are checked against the hostname
REM they are reached by -- confirm that matches CN=EIPELASTIC.GOV.PE.CA.
setlocal
set "DN=/C=CA/ST=PRINCE EDWARD ISLAND/L=CHARLOTTETOWN/O=PEIGOV/OU=ITSS"
set "VALID_DAYS=730"

REM --- Root CA: private key and self-signed certificate ---
openssl genrsa -out root-ca-key.pem 2048
openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "%DN%/CN=ROOT" -out root-ca.pem -days %VALID_DAYS%

REM --- Leaf certificates: issue_leaf <file prefix> <CN> ---
call :issue_leaf admin ADMIN
call :issue_leaf node EIPELASTIC.GOV.PE.CA
call :issue_leaf client CLIENT

REM --- Cleanup: drop the temporary PKCS#1 keys and the signing requests ---
del admin-key-temp.pem
del admin.csr
del node-key-temp.pem
del node.csr
del client-key-temp.pem
del client.csr
endlocal
goto :eof

REM issue_leaf <prefix> <cn>: writes <prefix>-key.pem (PKCS#8, unencrypted) and
REM <prefix>.pem signed by root-ca.pem. -CAcreateserial creates root-ca.srl on the
REM first call and reuses it afterwards.
:issue_leaf
openssl genrsa -out %1-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in %1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out %1-key.pem
openssl req -new -key %1-key.pem -subj "%DN%/CN=%2" -out %1.csr
openssl x509 -req -in %1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out %1.pem -days %VALID_DAYS%
goto :eof
This is my opensearch.yml:
# opensearch.yml -- TLS and security-plugin settings shared by both nodes.
# File paths are relative to the config directory; docker-compose.yml bind-mounts
# the matching PEM files there.

# --- Transport layer (node-to-node) TLS ---
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
# NOTE(review): hostname verification checks the peer's hostname against its
# certificate; node.pem is issued to CN=EIPELASTIC.GOV.PE.CA with no subjectAltName,
# while the compose nodes are reached as opensearch-node1/opensearch-node2 --
# confirm the certificate matches before relying on this setting.
plugins.security.ssl.transport.enforce_hostname_verification: true

# --- REST (HTTP) layer TLS ---
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node.pem
plugins.security.ssl.http.pemkey_filepath: node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem

# --- Demo configuration and security index bootstrap ---
# Refuse to start when a well-known demo certificate is found in the config directory
# (the "Demo certificates found [...]" startup error comes from this check).
plugins.security.allow_unsafe_democertificates: false
# Seed the security index from config/opensearch-security/*.yml on first start.
# NOTE(review): make sure that directory holds your own internal_users.yml rather
# than the image's shipped defaults, which carry well-known credentials -- confirm.
plugins.security.allow_default_init_securityindex: true

# --- Certificate-based identities ---
# Subject DN whose certificate (admin.pem) is accepted for securityadmin operations.
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=ITSS,O=PEIGOV,L=CHARLOTTETOWN,ST=PRINCE EDWARD ISLAND,C=CA'
# Subject DNs accepted as cluster nodes on the transport layer; both compose nodes
# mount the same node.pem, so a single entry covers them.
plugins.security.nodes_dn:
  - 'CN=EIPELASTIC.GOV.PE.CA,OU=ITSS,O=PEIGOV,L=CHARLOTTETOWN,ST=PRINCE EDWARD ISLAND,C=CA'

# --- Audit logging and snapshot privileges ---
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true

# --- Security REST API access and protected system indices ---
plugins.security.restapi.roles_enabled:
  - all_access
  - security_rest_api_access
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices:
  - '.opendistro-alerting-config'
  - '.opendistro-alerting-alert*'
  - '.opendistro-anomaly-results*'
  - '.opendistro-anomaly-detector*'
  - '.opendistro-anomaly-checkpoints'
  - '.opendistro-anomaly-detection-state'
  - '.opendistro-reports-*'
  - '.opendistro-notifications-*'
  - '.opendistro-notebooks'
  - '.opendistro-asynchronous-search-response*'
This is my docker-compose.yml:
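# docker-compose.yml -- two OpenSearch nodes plus Dashboards on a private bridge
# network. Custom TLS material from ./certs and a custom opensearch.yml are
# bind-mounted into each node's config directory in place of the demo setup.
version: '3'

services:
  opensearch-node1:
    # Pinned to the release under test (1.0.1) so results are reproducible;
    # ':latest' can move to a different release between pulls.
    image: opensearchproject/opensearch:1.0.1
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node1
      - discovery.seed_hosts=opensearch-node1,opensearch-node2
      - cluster.initial_master_nodes=opensearch-node1,opensearch-node2
      - bootstrap.memory_lock=true  # along with the memlock settings below, disables swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms1G -Xmx1G"  # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
      - network.host=0.0.0.0
      # Tell the image entrypoint not to install the demo security configuration.
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536  # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data
      # NOTE(review): these mounts add the custom PEM files but do not remove demo
      # PEM files that may already be present in the image's config directory; the
      # startup error lists four matching SHA-256 hashes -- inspect
      # /usr/share/opensearch/config inside the container and remove or override them.
      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./certs/node.pem:/usr/share/opensearch/config/node.pem
      - ./certs/node-key.pem:/usr/share/opensearch/config/node-key.pem
      # NOTE(review): admin.pem/admin-key.pem are the securityadmin credential and
      # are only needed where securityadmin.sh is run; mounting the key into every
      # node widens its exposure -- consider mounting it on one node only.
      - ./certs/admin.pem:/usr/share/opensearch/config/admin.pem
      - ./certs/admin-key.pem:/usr/share/opensearch/config/admin-key.pem
      - ./custom-opensearch.yml:/usr/share/opensearch/config/opensearch.yml
    ports:
      # Quoted so the host:container pairs stay strings for every YAML parser.
      - "9200:9200"
      - "9600:9600"  # required for Performance Analyzer
    networks:
      - opensearch-net

  opensearch-node2:
    image: opensearchproject/opensearch:1.0.1
    container_name: opensearch-node2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node2
      - discovery.seed_hosts=opensearch-node1,opensearch-node2
      - cluster.initial_master_nodes=opensearch-node1,opensearch-node2
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1G -Xmx1G"
      - network.host=0.0.0.0
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - opensearch-data2:/usr/share/opensearch/data
      # Same certificate and config mounts as node1 (both nodes present node.pem).
      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./certs/node.pem:/usr/share/opensearch/config/node.pem
      - ./certs/node-key.pem:/usr/share/opensearch/config/node-key.pem
      - ./certs/admin.pem:/usr/share/opensearch/config/admin.pem
      - ./certs/admin-key.pem:/usr/share/opensearch/config/admin-key.pem
      - ./custom-opensearch.yml:/usr/share/opensearch/config/opensearch.yml
    networks:
      - opensearch-net

  opensearch-dashboards:
    # Kept on the same release line as the nodes.
    image: opensearchproject/opensearch-dashboards:1.0.1
    container_name: opensearch-dashboards
    ports:
      - "5601:5601"
    expose:
      - "5601"
    environment:
      # must be a string with no spaces when specified as an environment variable
      OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]'
      # NOTE(review): the nodes now serve certificates from a private CA; Dashboards
      # needs root-ca.pem configured as a trusted CA in its opensearch_dashboards.yml
      # (not shown here) to connect over HTTPS -- confirm.
    networks:
      - opensearch-net

volumes:
  opensearch-data1:
  opensearch-data2:

networks:
  opensearch-net: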
I see this bug report on GitHub and am wondering whether its fix is included in version 1.0.1.
https://github.com/opensearch-project/opensearch-build/issues/254
Thanks,
Robby.