Hello,
I’m using an Ansible playbook to deploy OpenSearch (hereafter OS) on my cluster: 2 master, 2 ingest, 3 data nodes (VPS). I’m not using any config files; everything is set from the playbooks via env.
I’m using tasks with the docker_compose module in Ansible. The deployment runs fine.
My config for the dashboard from docker_compose:
nginx config for nginx docker container:
upstream kibana {
    server kibana:5601;
}
server {
    listen 80;
    server_name oswebportal.site.local;
    ssl off;
    location / {
        proxy_pass http://kibana;
        proxy_next_upstream off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
kibana:
  environment:
    - "SERVER_NAME={{ ansible_fqdn }}"
    - "HOST_IP={{ ansible_facts['default_ipv4']['address'] }}"
    - 'OPENSEARCH_HOSTS=["http://oswebportal-ingest-01.site.local:9200","http://oswebportal-ingest-02.site.local:9200"]'
    - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=false"
    - "opensearch.ssl.verificationMode=none"
    - "server.ssl.enabled=false"
    - 'opensearch.requestHeadersWhitelist: [Authorization, securitytenant]'
    - "opensearch.username=kibanaserver"
    - "opensearch.password=kibanaserver"
    - "opensearch_security.auth.type=basicauth"
    - "opensearch_security.auth.anonymous_auth_enabled=false"
    - "opensearch_security.cookie.secure=true"
os-ingest:
  environment:
    - DISABLE_INSTALL_DEMO_CONFIG=false
    - compatibility.override_main_response_version=false
    - plugins.security.disabled=false
    - plugins.security.allow_default_init_securityindex=true
    - plugins.security.ssl.transport.enforce_hostname_verification=false
    - plugins.security.ssl.transport.pemcert_filepath=esnode.pem
    - plugins.security.ssl.transport.pemkey_filepath=esnode-key.pem
    - plugins.security.ssl.transport.pemtrustedcas_filepath=root-ca.pem
    - plugins.security.ssl.http.enabled=false
    - plugins.security.ssl.http.pemcert_filepath=esnode.pem
    - plugins.security.ssl.http.pemkey_filepath=esnode-key.pem
    - plugins.security.ssl.http.pemtrustedcas_filepath=root-ca.pem
    - plugins.security.allow_unsafe_democertificates=true
    - plugins.security.restapi.roles_enabled=["all_access", "security_rest_api_access"]
    - cluster.name=oswebportal
    - bootstrap.memory_lock=true
    - discovery.zen.ping.unicast.hosts=192.168.168.60,192.168.168.61,192.168.168.62,192.168.168.63,192.168.168.64,192.168.168.65,192.168.168.66,192.168.168.67
    - node.data=false
    - node.master=false
    - node.ingest=true
    - node.name={{ ansible_fqdn }}
    - network.host=0.0.0.0
    - network.publish_host={{ ansible_facts['default_ipv4']['address'] }}
    - "OPENSEARCH_JAVA_OPTS=-Xms12g -Xmx12g -Xlog:disable"
Same in master and docker as ingest.
Same volumes on ingest, master, and data nodes:
volumes:
  - /srv/{{ inventory_hostname }}/opensearch:/usr/share/opensearch/data
  - /srv/{{ inventory_hostname }}/keys/esnode-key.pem:/usr/share/opensearch/config/esnode-key.pem
  - /srv/{{ inventory_hostname }}/keys/esnode.pem:/usr/share/opensearch/config/esnode.pem
  - /srv/{{ inventory_hostname }}/keys/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
When the deployment by the playbooks finishes, I go to the web dashboard and see:
OpenSearch Dashboards server is not ready yet
In the ingest Docker container logs:
[2022-10-13T06:30:38,955][ERROR][o.o.s.a.BackendRegistry ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
[2022-10-13T06:30:40,969][ERROR][o.o.s.a.BackendRegistry ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
[2022-10-13T06:30:40,972][ERROR][o.o.s.a.BackendRegistry ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
[2022-10-13T06:30:41,453][ERROR][o.o.s.a.BackendRegistry ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
[2022-10-13T06:30:41,456][ERROR][o.o.s.a.BackendRegistry ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
In the master Docker containers everything seems fine.
In the data Docker containers everything seems fine.
When I try to run securityadmin manually inside the container, I get an error:
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to localhost:9200 ... done
ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?
Trace:
java.io.IOException: Unrecognized SSL message, plaintext connection?
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:958)
at org.opensearch.client.RestClient.performRequest(RestClient.java:332)
at org.opensearch.client.RestClient.performRequest(RestClient.java:320)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:462)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:159)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:278)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:332)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:547)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
at java.base/java.lang.Thread.run(Thread.java:833)
When I change - DISABLE_INSTALL_DEMO_CONFIG=false to - DISABLE_INSTALL_DEMO_CONFIG=true, I get the same result.
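
Added example, not part of the original post: a small Python lint over the compose environment entries shown above. It flags the settings that leave the REST layer in plaintext or rely on demo defaults, plus entries that are not valid KEY=VALUE pairs. The rule names, messages and the `frontend_tls` parameter are assumptions of this example.

```python
# Added example. Sample entries are copied from the post; rule names are this example's own.
NODE_ENV = [
    "plugins.security.disabled=false",
    "plugins.security.ssl.http.enabled=false",
    "plugins.security.allow_unsafe_democertificates=true",
    "plugins.security.ssl.transport.enforce_hostname_verification=false",
]
DASHBOARDS_ENV = [
    "opensearch.ssl.verificationMode=none",
    "server.ssl.enabled=false",
    "opensearch.requestHeadersWhitelist: [Authorization, securitytenant]",
    "opensearch.username=kibanaserver",
    "opensearch.password=kibanaserver",
    "opensearch_security.cookie.secure=true",
]

def parse_env(entries):
    """Return (settings, malformed); entries without '=' never become settings."""
    settings, malformed = {}, []
    for entry in entries:
        key, sep, value = entry.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
        else:
            malformed.append(entry)
    return settings, malformed

def lint(node_env, dashboards_env, frontend_tls=False):
    """frontend_tls (assumed False, as the posted nginx listens on port 80 only)."""
    node, bad_node = parse_env(node_env)
    dash, bad_dash = parse_env(dashboards_env)
    findings = [("malformed-entry", e) for e in bad_node + bad_dash]
    if node.get("plugins.security.ssl.http.enabled", "false") != "true":
        findings.append(("rest-plaintext", "port 9200 speaks HTTP: basic-auth credentials "
                         "are unencrypted and TLS clients fail with 'plaintext connection?'"))
    if node.get("plugins.security.allow_unsafe_democertificates") == "true":
        findings.append(("demo-certs", "node may start with publicly known demo certificates"))
    if node.get("plugins.security.ssl.transport.enforce_hostname_verification") == "false":
        findings.append(("no-hostname-check", "transport TLS does not verify node hostnames"))
    if dash.get("opensearch.ssl.verificationMode") == "none":
        findings.append(("no-cert-verify", "Dashboards skips certificate verification"))
    if dash.get("opensearch.password") and dash["opensearch.password"] == dash.get("opensearch.username"):
        findings.append(("default-credential", "password equals the username"))
    tls_to_browser = frontend_tls or dash.get("server.ssl.enabled") == "true"
    if dash.get("opensearch_security.cookie.secure") == "true" and not tls_to_browser:
        findings.append(("secure-cookie-over-http", "browsers drop Secure cookies on http://"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{code}: {detail}" for code, detail in lint(NODE_ENV, DASHBOARDS_ENV)))
```
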