Docker compose and security plugin

Hi team,

I’m trying to deploy a single-node cluster via docker-compose. We have deployed several opendistro hosts with tarball, and this is the first one I’m trying to deploy with docker.

I have volumes for the security yml files, but when I’m trying to deploy the container I have the following error message:

opensearch-node1       | [2022-11-24T08:07:14,487][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-node1] Will not attempt to create index .opendistro_security and default configs if they are absent. Use securityadmin to initialize cluster
opensearch-node1       | [2022-11-24T08:07:14,490][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-node1] 0 OpenSearch Security modules loaded so far: []
opensearch-node1       | [2022-11-24T08:07:14,490][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-node1] Background init thread started. Install default config?: false
opensearch-node1       | [2022-11-24T08:07:14,501][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)

If I execute the securityadmin script the output is correct:

Clusterstate: GREEN                                                                                                                                                                           
Number of nodes: 1                                                                                                                                                                            
Number of data nodes: 1                                                                                                                                                                       
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)                                                                                                    
Populate config from /usr/share/opensearch/plugins/opensearch-security/securityconfig/                                                                                                        
Will update '/config' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml                                                                                        
   SUCC: Configuration for 'config' created or updated                                                                                                                                        
Will update '/roles' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml                                                                                          
   SUCC: Configuration for 'roles' created or updated                                                                                                                                         
Will update '/rolesmapping' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml                                                                           
   SUCC: Configuration for 'rolesmapping' created or updated                                                                                                                                  
Will update '/internalusers' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml                                                                         
   SUCC: Configuration for 'internalusers' created or updated                                                                                                                                 
Will update '/actiongroups' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/action_groups.yml                                                                           
   SUCC: Configuration for 'actiongroups' created or updated                                                                                                                                  
Will update '/tenants' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml                                                                                      
   SUCC: Configuration for 'tenants' created or updated                                                                                                                                       
Will update '/nodesdn' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/nodes_dn.yml                                                                                     
   SUCC: Configuration for 'nodesdn' created or updated                                                                                                                                       
Will update '/whitelist' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/whitelist.yml                                                                                  
   SUCC: Configuration for 'whitelist' created or updated                                                                                                                                     
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success    

And afterwards, if I restart the opensearch container the same error (the first one) is printed again… What am I missing? Does the securityadmin script execute by itself when starting the opensearch container? Or may it be a parametrization error in the configuration?

Thanks in advance!!

@esalas Please share your docker-compose.yml file.
How do you stop and start the docker-compose? Please share exact commands.

Hi @pablo,

Thanks for the response!

Here is the docker-compose.yml file:

version: '3'
services:

  opensearch-node1:
    image: opensearchproject/opensearch:latest
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node1
      - discovery.seed_hosts=opensearch-node1
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms4096m -Xmx4096m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
      - "DISABLE_INSTALL_DEMO_CONFIG=true" # disable demo config see https://opensearch.org/docs/latest/opensearch/install/docker-security/
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - ./data:/usr/share/opensearch/data
      - ./securityconfig/config.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml
      - ./securityconfig/tenants.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml
      - ./securityconfig/whitelist.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/whitelist.yml
      - ./securityconfig/nodes_dn.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/nodes_dn.yml
      - ./securityconfig/action_groups.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/action_groups.yml
      - ./securityconfig/internal_users.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
      - ./securityconfig/roles_mapping.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
      - ./securityconfig/roles.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml
      - ./opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./certs/node1.pem:/usr/share/opensearch/config/node1.pem
      - ./certs/node1-key.pem:/usr/share/opensearch/config/node1-key.pem
      - ./certs/admin.pem:/usr/share/opensearch/config/admin.pem
      - ./certs/admin-key.pem:/usr/share/opensearch/config/admin-key.pem
    ports:
      - 9200:9200
      - 9600:9600 # required for Performance Analyzer
    dns:
      - 8.8.8.8
    networks:
      - opensearch-net
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:latest
    container_name: opensearch-dashboards
    volumes:
      - ./dashboards/config:/usr/share/opensearch-dashboards/config
    ports:
      - 5601:5601
    dns:
      - 8.8.8.8
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["https://X.X.X.X:9200"]' # must be a string with no spaces when specified as an environment variable
    networks:
      - opensearch-net


volumes:
  opensearch-data:

networks:
  opensearch-net:

To start the containers I use docker-compose up, and to stop them docker-compose down or Ctrl+C. I get the same result with both methods.

Regards!

@esalas Is this a test environment?

@esalas Could you share your elasticsearch.yml and config.yml files?

@esalas Can you try to comment out the following line in the docker-compose.yml?

      - discovery.seed_hosts=opensearch-node1

and use this instead

discovery.type=single-node

or
add cluster.initial_cluster_manager_nodes to the existing config

      - discovery.seed_hosts=opensearch-node1
      - cluster.initial_cluster_manager_nodes=opensearch-node1
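
Added example, not part of any post in this thread: a small Python parser for the log lines quoted in the first post. It reports, per node, whether the security index is missing and whether the node was started with default-config installation turned off. The function names and the embedded sample text are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the first post, rejoined where the
# terminal wrapped them, with the docker-compose "service |" prefix kept.
SAMPLE_LOG = """\
opensearch-node1       | [2022-11-24T08:07:14,487][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-node1] Will not attempt to create index .opendistro_security and default configs if they are absent. Use securityadmin to initialize cluster
opensearch-node1       | [2022-11-24T08:07:14,490][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-node1] Background init thread started. Install default config?: false
opensearch-node1       | [2022-11-24T08:07:14,501][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
"""

LINE_RE = re.compile(
    r"^(?:\S+\s+\|\s+)?"           # optional docker-compose service prefix
    r"\[(?P<ts>[^\]]+)\]"          # timestamp
    r"\[(?P<level>[A-Z]+)\s*\]"    # level, padded as in "[INFO ]"
    r"\[(?P<logger>[^\]]+)\]\s+"   # abbreviated logger name
    r"\[(?P<node>[^\]]+)\]\s+"     # node name
    r"(?P<msg>.*)$"
)
MISSING_INDEX_RE = re.compile(
    r"no such index \[(?P<index>[^\]]+)\] retrieving configuration for \[(?P<types>[^\]]*)\]"
)
INSTALL_DEFAULT_RE = re.compile(r"Install default config\?: (true|false)")


def diagnose(log_text):
    """Return {node: findings} for security-config load failures in log_text."""
    report = defaultdict(lambda: {"install_default_config": None, "missing_index": None,
                                  "unloaded_types": [], "first_failure": None})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # stack traces, wrapped fragments, other services' output
        node = report[m["node"]]
        flag = INSTALL_DEFAULT_RE.search(m["msg"])
        if flag:
            node["install_default_config"] = flag.group(1) == "true"
        miss = MISSING_INDEX_RE.search(m["msg"])
        if miss and m["level"] == "ERROR":
            node["missing_index"] = miss["index"]
            node["unloaded_types"] = [t.strip() for t in miss["types"].split(",")]
            node["first_failure"] = node["first_failure"] or m["ts"]
    return dict(report)


def needs_securityadmin(findings):
    """True when the index is missing and the node will not create it itself."""
    return findings["missing_index"] is not None and findings["install_default_config"] is False
```

Pass it the text captured from `docker-compose logs` after each restart; a node for which `needs_securityadmin` is true is serving without any loaded security configuration.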