Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
version: opensearch 2.17.0 (apt installed)
os: Debian bookworm.
Describe the issue:
Unable to start OpenSearch after applying custom CA-files before initial setup.
Steps:
- Installing OpenSearch using apt.
- Applying custom opensearch.yml file to the configuration folder.
- Removing demo certificates in configuration folder.
- Writing custom CA-files from CA-server to configuration folder.
- Starting the service
Arch:
3 index nodes within the cluster. Each will be assigned as master. Negotiation shall be voted internally.
Each node is a dedicated VM inside of a Proxmox node.
Deployment done through Ansible.
Configuration:
Each node will have an identical configuration file except for node-specific values like the filenames of certs/keys and the node name.
cluster.name: ES
node.name: "log1"
cluster.initial_master_nodes: ["log1","log2","log3"]
discovery.seed_hosts: ["log1","log2","log3"]
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 0.0.0.0
plugins.security.disabled: false
plugins.security.ssl_cert_reload_enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.pemcert_filepath: log1.crt
plugins.security.ssl.transport.pemkey_filepath: log1.key
plugins.security.ssl.transport.pemtrustedcas_filepath: root.crt
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: log1.crt
plugins.security.ssl.http.pemkey_filepath: log1.key
plugins.security.ssl.http.pemtrustedcas_filepath: root.crt
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
# RFC2253 format
plugins.security.nodes_dn:
- "CN=log1,O=ES,C=DK"
- "CN=log2,O=ES,C=DK"
- "CN=log3,O=ES,C=DK"
plugins.security.authcz.admin_dn:
- 'CN=ADMIN,O=ES,C=DK'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices:
- .plugins-ml-agent
- .plugins-ml-config
- .plugins-ml-connector
- .plugins-ml-controller
- .plugins-ml-model-group
- .plugins-ml-model
- .plugins-ml-task
- .plugins-ml-conversation-meta
- .plugins-ml-conversation-interactions
- .plugins-ml-memory-meta
- .plugins-ml-memory-message
- .plugins-ml-stop-words
- .opendistro-alerting-config
- .opendistro-alerting-alert*
- .opendistro-anomaly-results*
- .opendistro-anomaly-detector*
- .opendistro-anomaly-checkpoints
- .opendistro-anomaly-detection-state
- .opendistro-reports-*
- .opensearch-notifications-*
- .opensearch-notebooks
- .opensearch-observability
- .ql-datasources
- .opendistro-asynchronous-search-response*
- .replication-metadata-store
- .opensearch-knn-models
- .geospatial-ip2geo-data*
- .plugins-flow-framework-config
- .plugins-flow-framework-templates
- .plugins-flow-framework-state
node.max_local_storage_nodes: 3
Relevant Logs or Screenshots:
Log sample 1 (same output from all nodes):
[WARN ][o.o.c.c.ClusterFormationFailureHelper] [log1] cluster-manager not discovered or elected yet, an election requires at least 2 nodes with ids from...
Wait for cluster to be available....
Questions:
- Do we need to execute securityadmin.sh while installing opensearch from apt?
- Are we required to perform any other actions except for starting the services after proper configuration files have been applied?
- Making log1 master-only will make the node log1 start with a health of GREEN. But the other nodes (log2, log3) won't be able to join as “slaves”. This should verify that the certificate files work as intended?
- tcpdump provides information on communication between nodes at port 9300 (transport). A manual verification of port 9200 (http) with the node certificate using openssl or curl also outputs ok. Are there any other tools provided by OpenSearch for troubleshooting?
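One pre-flight check worth running on each node before the service is started, as an added example that is not from the original post or from the OpenSearch project: it uses only openssl to confirm that the key belongs to the cert, that the cert chains to the configured pemtrustedcas file, and that the subject DN, printed in RFC2253 form, is one of the entries in plugins.security.nodes_dn (a cert that fails the last check is exactly the case where transport TLS succeeds on port 9300 but the node is never accepted into the cluster). The paths and DN list are passed as arguments; the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight check of the security plugin's PEM files (constructed example).
# Usage: check_node_certs CONF_DIR NODE_CERT NODE_KEY CA_CERT NODES_DN...
set -u

# Subject of a PEM certificate in RFC2253 order, which is the form the
# security plugin compares against plugins.security.nodes_dn.
cert_subject_rfc2253() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Returns 0 when key, chain and DN all check out; prints each finding otherwise.
check_node_certs() {
  dir=$1; cert=$2; key=$3; ca=$4; shift 4
  rc=0

  # 1. The private key must belong to the certificate (compare public keys).
  if [ "$(openssl x509 -in "$dir/$cert" -noout -pubkey)" != \
       "$(openssl pkey -in "$dir/$key" -pubout)" ]; then
    echo "FAIL: $key does not match $cert"; rc=1
  fi

  # 2. The certificate must verify against the configured trusted CA file.
  if ! openssl verify -CAfile "$dir/$ca" "$dir/$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; rc=1
  fi

  # 3. The subject DN must appear verbatim in the nodes_dn list.
  subj=$(cert_subject_rfc2253 "$dir/$cert")
  found=0
  for dn in "$@"; do
    [ "$dn" = "$subj" ] && found=1
  done
  if [ "$found" -eq 0 ]; then
    echo "FAIL: subject '$subj' is not listed in plugins.security.nodes_dn"; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $cert / $key / $ca / '$subj'"
  return "$rc"
}

# Run directly with arguments, e.g. on log1 with the config shown above:
#   sh check_certs.sh /etc/opensearch log1.crt log1.key root.crt \
#      "CN=log1,O=ES,C=DK" "CN=log2,O=ES,C=DK" "CN=log3,O=ES,C=DK"
if [ -n "${1:-}" ]; then
  check_node_certs "$@"
fi
```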