OpenSearch Dashboards Port 443

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.16.0

Describe the issue: I’m trying to start OpenSearch Dashboards with HTTPS in Port 443 using the Helm Charts but I get an error: “Error: listen EACCES: permission denied 0.0.0.0:443”
I was able to configure HTTPS with the certificates with the default port 5601 but now I’m trying to change the port and getting the error.

Configuration:
Here is my values.yaml:

opensearchHosts: "https://opensearch-cluster-2-16-0:9200"
replicaCount: 1
 
image:
  repository: "opensearchproject/opensearch-dashboards"
  tag: "2.16.0"
  pullPolicy: "Always"

startupProbe:
  tcpSocket:
    port: 443
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 20
  successThreshold: 1
  initialDelaySeconds: 10

livenessProbe:
  tcpSocket:
    port: 443
  periodSeconds: 20
  timeoutSeconds: 5
  failureThreshold: 10
  successThreshold: 1
  initialDelaySeconds: 10

readinessProbe:
  tcpSocket:
    port: 443
  periodSeconds: 20
  timeoutSeconds: 5
  failureThreshold: 10
  successThreshold: 1
  initialDelaySeconds: 10

ingress:
  enabled: true
  ingressClassName: "azure-application-gateway"
  annotations:
    appgw.ingress.kubernetes.io/health-probe-port: "443"
    appgw.ingress.kubernetes.io/backend-protocol: https
  hosts:
    - host: opensearch.myhost.com
      paths:
        - path: /
          backend:
           serviceName: os-dashboards-2-16-0-opensearch-dashboards
           servicePort : 443
  tls:
    - hosts:
        - opensearch.myhost.com
      secretName: opensearch-dashboards-app-tls

config:
  opensearch_dashboards.yml: |
    opensearch.hosts: [https://opensearch-cluster-2-16-0:9200]
    opensearch.ssl.verificationMode: none
    opensearch.requestHeadersWhitelist: [authorization, securitytenant]

    opensearch_security.multitenancy.enabled: true
    opensearch_security.multitenancy.tenants.preferred: [Private, Global]
    opensearch_security.readonly_mode.roles: [kibana_read_only]
    server.host: '0.0.0.0'

    server.port: 443
    server.ssl.enabled: true
    server.ssl.key: /tmp/opensearch-dashboards.key
    server.ssl.certificate: /tmp/opensearch-dashboards.crt
    opensearch_security.cookie.secure: true

secretMounts: 
 - name: opensearch-dashboards-cert
   secretName: opensearch-dashboards-cert
   path: /tmp/opensearch-dashboards.crt
   subPath: opensearch-dashboards.crt
 - name: opensearch-dashboards-cert-key
   secretName: opensearch-dashboards-cert-key
   path: /tmp/opensearch-dashboards.key
   subPath: opensearch-dashboards.key

Relevant Logs or Screenshots:

{"type":"log","@timestamp":"2024-11-27T05:11:16Z","tags":["info","plugins-service"],"pid":1,"message":"Plugin \"applicationConfig\" is disabled."}
{"type":"log","@timestamp":"2024-11-27T05:11:16Z","tags":["info","plugins-service"],"pid":1,"message":"Plugin \"cspHandler\" is disabled."}
{"type":"log","@timestamp":"2024-11-27T05:11:16Z","tags":["info","plugins-service"],"pid":1,"message":"Plugin \"dataSource\" is disabled."}
{"type":"log","@timestamp":"2024-11-27T05:11:16Z","tags":["info","plugins-service"],"pid":1,"message":"Plugin \"visTypeXy\" is disabled."}
{"type":"log","@timestamp":"2024-11-27T05:11:16Z","tags":["info","plugins-service"],"pid":1,"message":"Plugin \"workspace\" is disabled."}
{"type":"log","@timestamp":"2024-11-27T05:11:16Z","tags":["warning","config","deprecation"],"pid":1,"message":"\"cpu.cgroup.path.override\" is deprecated and h
as been replaced by \"ops.cGroupOverrides.cpuPath\""}
{"type":"log","@timestamp":"2024-11-27T05:11:16Z","tags":["warning","config","deprecation"],"pid":1,"message":"\"cpuacct.cgroup.path.override\" is deprecated a
nd has been replaced by \"ops.cGroupOverrides.cpuAcctPath\""}
{"type":"log","@timestamp":"2024-11-27T05:11:16Z","tags":["warning","config","deprecation"],"pid":1,"message":"\"opensearch.requestHeadersWhitelist\" is deprec
ated and has been replaced by \"opensearch.requestHeadersAllowlist\""}
{"type":"log","@timestamp":"2024-11-27T05:11:16Z","tags":["fatal","root"],"pid":1,"message":"Error: listen EACCES: permission denied 0.0.0.0:443\n    at Server
.setupListenHandle [as _listen2] (node:net:1800:21)\n    at listenInCluster (node:net:1865:12)\n    at doListen (node:net:2014:7)\n    at processTicksAndReject
ions (node:internal/process/task_queues:83:21) {\n  code: 'EACCES',\n  errno: -13,\n  syscall: 'listen',\n  address: '0.0.0.0',\n  port: 443\n}"}

 FATAL  Error: listen EACCES: permission denied 0.0.0.0:443

Have you ever seen this before? Any ideas? Thanks in advance.

Can you share the information of the Service (dashboards) in your namespace?

e.g.

$ kubectl describe svc test-opensearch-cluster-dashboards

Name:              test-opensearch-cluster-dashboards
Namespace:         test-opensearch-cluster
...
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.31.38.89
IPs:               172.31.38.89
Port:              http  5601/TCP
TargetPort:        5601/TCP
Endpoints:         10.251.73.166:5601
Session Affinity:  None
Events:            <none>

It looks like it is still using port 5601 :confused:

Name:                     os-dashboards-2-16-0-opensearch-dashboards
Namespace:                default
Labels:                   app.kubernetes.io/instance=os-dashboards-2-16-0
                          app.kubernetes.io/managed-by=Helm
                          app.kubernetes.io/name=opensearch-dashboards
                          app.kubernetes.io/version=2.18.0
                          helm.sh/chart=opensearch-dashboards-2.25.0
Annotations:              meta.helm.sh/release-name: os-dashboards-2-16-0
                          meta.helm.sh/release-namespace: default
Selector:                 app=opensearch-dashboards,release=os-dashboards-2-16-0
Type:                     ClusterIP
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       172.0.0.69
IPs:                      172.0.0.69
Port:                     http  5601/TCP
TargetPort:               5601/TCP
Endpoints:                10.8.8.79:5601
Port:                     metrics  9601/TCP
TargetPort:               9601/TCP
Endpoints:                10.8.8.79:9601
Session Affinity:         None
Internal Traffic Policy:  Cluster
Events:                   <none>

What am I missing?

I added the following section to my values.yaml:

service:
  type: ClusterIP
  port: 443
  metricsPort: 9601
  loadBalancerIP: ""
  nodePort: ""
  labels: {}
  annotations: {}
  loadBalancerSourceRanges: []
  httpPortName: https
  metricsPortName: metrics

And now I get the correct port numbers when I describe the service, but I keep getting the same error in the pod.

If so, can you try the YAML below for the ingress and share what happens?

hosts:
    - host: opensearch.myhost.com
      paths:
        - path: /
          backend:
           serviceName: os-dashboards-2-16-0-opensearch-dashboards
           servicePort : 5601

It looks like it doesn’t have any effect, in the service or the pod.
If I describe the ingress I see this:

Backend target port 5601 does not have matching endpoint port

Is the error from the ingress still returned after you keep the original port (5601), not overwriting service.port through values.yaml?

443 is a privileged port; depending on your setup, the Dashboards process may not have the necessary permissions to bind to it.
I would recommend starting Dashboards on a non-privileged port, as you will still be able to reach Dashboards on 443 because of your service configuration, if you set the targetPort to your new non-privileged port.
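The remap suggested above, written out as an added example (not a manifest from the thread or from the Helm chart): a hand-written Service that exposes port 443 to the Ingress while the Dashboards pod keeps binding the unprivileged 5601 as a non-root user. The Service name is assumed; the selector labels are taken from the `kubectl describe svc` output earlier in the thread.

```yaml
# Added example. Assumes the pod's own config is switched back to the
# unprivileged port:
#   opensearch_dashboards.yml -> server.port: 5601 (server.ssl.* stays enabled,
#   so TLS still terminates in the pod and the appgw backend-protocol stays https)
#   startupProbe/livenessProbe/readinessProbe -> tcpSocket.port: 5601
#   ingress.hosts[].paths[].backend -> serviceName: os-dashboards-https, servicePort: 443
apiVersion: v1
kind: Service
metadata:
  name: os-dashboards-https        # assumed name; point the Ingress backend at it
  namespace: default
  labels:
    app.kubernetes.io/name: opensearch-dashboards
spec:
  type: ClusterIP
  # Selector copied from the chart-generated Service shown in the thread,
  # so this Service picks the same Dashboards pod.
  selector:
    app: opensearch-dashboards
    release: os-dashboards-2-16-0
  ports:
    - name: https
      protocol: TCP
      port: 443          # what the Ingress / Application Gateway connects to
      targetPort: 5601   # what the Dashboards process actually listens on (no root needed)
```

After applying it, `kubectl describe svc os-dashboards-https` should show `Port: https 443/TCP`, `TargetPort: 5601/TCP` and an Endpoints entry ending in `:5601`; if Endpoints is empty, the selector does not match the pod labels.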

Thanks for your answers.
It looks like the Helm chart doesn’t allow having a service with a different targetPort (it could be a nice improvement), so I created my own service and it works.
However, this doesn’t solve the original question: can the pod run using port 443? If it is possible, how?

In my case, TLS for the cluster is enabled but not for Dashboards.
How about injecting the opensearch.ssl.verificationMode env and setting it to none?
OpenSearch doesn’t require you to conform the TLS setting for Dashboards.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/backend-protocol: HTTPS
  name: test-opensearch-cluster-os
  namespace: test-opensearch-cluster
spec:
  ingressClassName: nginx
  rules:
  - host: test-opensearch-cluster-os.xxx.xxxx.com
    http:
      paths:
      - backend:
          service:
            name: test-opensearch-cluster
            port:
              number: 9200
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - test-opensearch-cluster-os.xxx.xxxx.com
    secretName: test-opensearch-cluster-http-cert
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-opensearch-cluster-osd
  namespace: test-opensearch-cluster
spec:
  ingressClassName: nginx
  rules:
  - host: test-opensearch-cluster-osd.xxx.xxxx.com
    http:
      paths:
      - backend:
          service:
            name: test-opensearch-cluster-dashboards
            port:
              number: 5601
        path: /
        pathType: ImplementationSpecific
---
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: test-opensearch-cluster
  namespace: test-opensearch-cluster
spec:
  dashboards:
    additionalConfig:
      opensearch.ssl.verificationMode: none
    enable: true
    image: harbor.xxxx.com/library/opensearchproject/opensearch-dashboards:v2.17.1
    opensearchCredentialsSecret:
      name: admin-credentials-secret
    replicas: 1
    resources:
      limits:
        cpu: 500m
        memory: 2Gi
      requests:
        cpu: 500m
        memory: 2Gi
    tls: null
    version: 2.3.0
...

You will have to start the pod in privileged mode, i.e. with the root user. That is generally not recommended if it isn’t necessary for some reason. You would do that with the securityContext setting on the pod: Configure a Security Context for a Pod or Container | Kubernetes

I tried using the securityContext to switch to the root user:

securityContext:
  runAsUser: 0

but I got the following error:

Error: container's runAsUser breaks non-root policy 

Well, it seems like your Kubernetes cluster disallows this. Why are you trying to start Dashboards on port 443? You can remap to any port you want with the service and ingress; there is literally no need to do that.


Good question! :blush: If the ingress error is still occurring even after keeping the original port (5601)