Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
In my docker compose I am using this image
opensearchproject/opensearch:latest
Describe the issue:
I followed the instruction on quick start guide to download the docker compose file and run it. I did run and set a custom password in the yaml, but it says unauthorized. I tried setting the password from ENV as well but it didn’t work.
Relevant Logs or Screenshots:
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
rsuhas@ATH-PM27YX9J opensearch_lab %
Detected OpenSearch Security Version: 2.17.1.0
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
services:
opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
image: opensearchproject/opensearch:latest
container_name: opensearch-node1
environment:
- cluster.name=opensearch-cluster # Name the cluster
- node.name=opensearch-node1 # Name the node that will run in this container
- discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
- cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligibile to serve as cluster manager
- bootstrap.memory_lock=true # Disable JVM heap memory swapping
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration (for OpenSearch 2.12 and later)
ulimits:
memlock:
soft: -1 # Set memlock to unlimited (no soft or hard limit)
hard: -1
nofile:
soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
hard: 65536
volumes:
- opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
ports:
- 9200:9200 # REST API
- 9600:9600 # Performance Analyzer
networks:
- opensearch-net # All of the containers will join the same Docker bridge network
opensearch-node2:
image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
container_name: opensearch-node2
environment:
- cluster.name=opensearch-cluster
- node.name=opensearch-node2
- discovery.seed_hosts=opensearch-node1,opensearch-node2
- cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
- bootstrap.memory_lock=true
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=aSupperCompleXpas12!!
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- opensearch-data2:/usr/share/opensearch/data
networks:
- opensearch-net
opensearch-dashboards:
image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
container_name: opensearch-dashboards
ports:
- 5601:5601 # Map host port 5601 to container port 5601
expose:
- "5601" # Expose port 5601 for web access to OpenSearch Dashboards
environment:
OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
networks:
- opensearch-net
volumes:
opensearch-data1:
opensearch-data2:
networks:
opensearch-net:
Yeah, but that didn’t work either… Since I was setting up for learning purpose I tried adding - plugins.security.disabled=true in environment block but that also didn’t help, it still prompted for username and password.
I had the same issue. What helped me, is that I changed the password (hash) in the internal_users.yml. As earlier it was mentioned, you need the /plugins/opensearch-security/tools/hash.sh script to generate a new hashed password, which you will put in the internal_users.yml. To actually change the hash value in it, you can use the sed command line tool, as the container itself doesnt come with nano, vi or anyother text editors(god knows why). Don’t forget to apply the changes with /plugins/opensearch-security/tools/securityadmin.sh. I ran the script from where the the .pem key files were found.
Thank you @Mantas I did the changes which you recommended and happen to see the problem is addressed. But I did find an issue when trying to load the opensearch dashboard. http://localhost:5601/
Error:
{“type”:“log”,“@timestamp”:“2025-03-14T05:04:01Z”,“tags”:[“error”,“opensearch”,“data”],“pid”:1,“message”:“[ConnectionError]: connect ECONNREFUSED 172.18.0.3:9200”}
{“type”:“log”,“@timestamp”:“2025-03-14T05:04:01Z”,“tags”:[“error”,“savedobjects-service”],“pid”:1,“message”:“Unable to retrieve version information from OpenSearch nodes.”}
{“type”:“log”,“@timestamp”:“2025-03-14T05:04:04Z”,“tags”:[“error”,“opensearch”,“data”],“pid”:1,“message”:“[ConnectionError]: connect ECONNREFUSED 172.18.0.3:9200”}
{“type”:“log”,“@timestamp”:“2025-03-14T05:04:06Z”,“tags”:[“error”,“opensearch”,“data”],“pid”:1,“message”:“[ConnectionError]: connect ECONNREFUSED 172.18.0.3:9200”}
I did some reading and got to know I need to use https://127.0.0.1:9200/ when plugins.security.ssl.http.enabled: is set to true. After hitting https://127.0.0.1:9200/ I dont see the dashboard but a Json
{
“name”: “opensearch-node1”,
“cluster_name”: “opensearch-cluster”,
“cluster_uuid”: “WBwi8JAdTM6e6rv5Z19FJg”,
“version”: {
“distribution”: “opensearch”,
“number”: “2.17.1”,
“build_type”: “tar”,
“build_hash”: “1893d20797e30110e5877170e44d42275ce5951e”,
“build_date”: “2024-09-26T21:59:52.691008096Z”,
“build_snapshot”: false,
“lucene_version”: “9.11.1”,
“minimum_wire_compatibility_version”: “7.10.0”,
“minimum_index_compatibility_version”: “7.0.0”
},
“tagline”: “The OpenSearch Project: https://opensearch.org/”
}