Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
My current version is 3.0.0 - it works well.
Just before the upgrade from 2.19.0 to 3.0.0, I had to update the following config files:
sudo nano /etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy
grant {
java.lang.RuntimePermission "accessUserInformation"
};
AND
sudo nano /lib/systemd/system/opensearch.service
SystemCallFilter=seccomp mincore
That’s all.
Describe the issue:
I can’t update from 3.0.0 to 3.1.0 version with apt update.
Running OpenSearch Post-Installation Script
Restarting OpenSearch.service after upgrade
Job for OpenSearch.service failed because the control process exited with an error code.
See "systemctl status opensearch.service" and "journalctl -xeu opensearch.service" for details.
dpkg: error processing package opensearch (--configure):
Installed opensearch package post-installation script subprocess returned error exit status 1
Processing triggers for libc-bin (2.36-9+deb12u10) ...
Errors were encountered while processing:
opensearch
E: Sub-process /usr/bin/dpkg returned an error code (1)
Jul 03 23:01:53 server.net opensearch[875525]: WARNING: Using incubator modules: jdk.incubator.vector
Jul 03 23:01:53 server.net opensearch[875525]: WARNING: Unknown module: org.apache.arrow.memory.core specified to --add-opens
Jul 03 23:02:04 server.net opensearch[875525]: fatal error in thread [main], exiting
Jul 03 23:02:04 server.net opensearch[875525]: java.lang.NoClassDefFoundError: org/bouncycastle/jcajce/provider/BouncyCastleFipsProvider
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.common.ssl.PemTrustConfig.loadCertificates(PemTrustConfig.java:97)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.common.ssl.PemTrustConfig.createTrustManager(PemTrustConfig.java:87)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.common.ssl.SslConfiguration.createSslContext(SslConfiguration.java:150)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.index.reindex.ReindexSslConfig.reload(ReindexSslConfig.java:164)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.index.reindex.ReindexSslConfig.<init>(ReindexSslConfig.java:134)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.index.reindex.ReindexModulePlugin.createComponents(ReindexModulePlugin.java:127)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.node.Node.lambda$new$21(Node.java:1042)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.node.Node.<init>(Node.java:1056)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.node.Node.<init>(Node.java:464)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:249)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:249)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:411)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:168)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:159)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.cli.Command.main(Command.java:101)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:125)
Jul 03 23:02:04 server.net opensearch[875525]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:91)
Jul 03 23:02:04 server.net opensearch[875525]: Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:593)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:872)
Jul 03 23:02:04 server.net opensearch[875525]: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
Jul 03 23:02:04 server.net opensearch[875525]: ... 26 more
Configuration:
opensearch.yml
cluster.name: lab
# Bind to all interfaces because we don't know what IP address Docker will assign to us.
node.name: ${HOSTNAME}
network.host: 0.0.0.0
node.roles: [ cluster_manager, data, ingest ]
###https://opensearch.org/docs/latest/opensearch/cluster/#forced-awareness
#node.attr.temp: hot
#node.attr.zone: zoneA
action.auto_create_index: true
cluster.task.consumers.top_n.size: 100
cluster.task.consumers.top_n.frequency: 60s
bootstrap.memory_lock: true
discovery.seed_hosts: ["server.net"]
discovery.type: single-node
cluster.routing.allocation.disk.threshold_enabled: true
cluster.routing.allocation.disk.watermark.low: 90%
cluster.routing.allocation.disk.watermark.high: 95%
path.data: /data/opensearch/data
path.logs: /data/opensearch/log
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: server.net.crt.pem
plugins.security.ssl.transport.pemkey_filepath: server.net.pk8.key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: server.net.crt.pem
plugins.security.ssl.http.pemkey_filepath: server.net.pk8.key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: ca.pem
plugins.security.ssl.http.enabled_protocols:
- "TLSv1.2"
- "TLSv1.3"
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.nodes_dn:
- 'CN=server.net,OU=DevSecOps,O=server.net,ST=Alaska,C=US'
plugins.security.audit.type: internal_opensearch
plugins.security.audit.config.index: "'security-auditlog-'YYYY.MM"
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro_security", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
# Require explicit names when deleting indices:
action.destructive_requires_name: true
plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{12,}'
plugins.security.restapi.password_validation_error_message: "Password must be minimum 12 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
reindex.remote.allowlist: "srv-remote.server.net.com:9200"
reindex.ssl.certificate_authorities: cas.crt
search.allow_expensive_queries: "true" #Impact: This might slow down search operations and affect the stability of the cluster. By default, this setting is set to true.
indices.query.bool.max_clause_count: 2048
Relevant Logs or Screenshots:
I can downgrade to 3.0.0 version via apt install without issue.
Running OpenSearch Post-Installation Script
Restarting opensearch.service after upgrade
### Breaking change in packaging since 2.13.0
In 2.13.0 and later releases of OpenSearch, we have changed the permissions associated with access to installed files
If you are configuring tools that require read access to the OpenSearch configuration files, we recommend you add the user that runs these tools to the 'opensearch' group
For more information, see https://github.com/opensearch-project/opensearch-build/pull/4043
Processing triggers for libc-bin (2.36-9+deb12u10) ...
It works well on 3.0.0.
Any ideas?