How to setup security on containerised opensearch?

lost · December 14, 2022, 8:46am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
server opensearchproject/opensearch:2.4.0

Describe the issue:
I’m trying to set up a single-node cluster using the above docker container (although running under podman + systemd on rockylinux). This will ingest from filebeat so I have a custom opensearch.yml mounted in to allow me to define compatibility.override_main_response_version: true. Using the demo security certs that all works fine, opensearch runs filebeat can connect to it.

However, if I stop and restart the container then it fails with:

Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]

which makes sense - the demo certs get created in the container’s config directory and don’t persist, but the paths to them have been automatically added to the opensearch.yml which does persist because it’s mounted in.

How do people deal with that?

I tried creating my own (self-signed) certs following the docs and mounting those in too. It looks like the container is waiting for something to run securityadmin.sh, which seems like it’ll be painful to “orchestrate” with podman/systemd if I have to exec into the container at the right point (I.e. after opensearch is running) to run that. Or can I just specify that as the command to run for the container, e.g.

/usr/bin/podman run ... opensearchproject/opensearch:2.4.0 plugins/opensearch-security/tools/securityadmin.sh

or something?
Thanks for any help, seems like this must be a common problem but I can’t find a solution in the docs.

Configuration:

### This section copies a running container's default config ###
cluster.name: docker-cluster

# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0

# # minimum_master_nodes need to be explicitly set when bound on a public IP
# # set to 1 to allow single node clusters
# discovery.zen.minimum_master_nodes: 1

# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
# discovery.type: single-node

### Custom config section ###

# Fake version for filebeat: https://opensearch.org/docs/2.4/tools/index/#agents-and-ingestion-tools
compatibility.override_main_response_version: true

Relevant Logs or Screenshots:

pablo · December 14, 2022, 12:16pm

@lost Do you use docker-compose? Try the following procedure.

lost · December 14, 2022, 3:56pm

No. This is a single-node cluster with a systemd unit running the container via (rootless) podman.

pablo · February 2, 2024, 3:38pm

@lost Did you resolve your issue?

Topic		Replies	Views
Config Issue Opensearch not running after "Admin password set successfully" OpenSearch	10	285	June 20, 2024
Set simple password Security configure	3	570	July 22, 2022
How to set up certificates for OpenSearch on Kubernetes? Security	7	3541	January 4, 2023
Docker-compose startup failures using v.1.2.4 first-time starts Security configure	12	1359	February 15, 2022
Received fatal alert: certificate_unknown - cluster Security	1	1181	July 6, 2023

How to setup security on containerised opensearch?

Related topics