You may need to run securityadmin: but when run got error

Hello,

I’m using an Ansible playbook to deploy OpenSearch (hereafter OS) on my cluster: 2 master, 2 ingest, 3 data nodes (VPS). I’m not using any config files, only env settings from the playbooks.

I’m using tasks with the docker_compose module in Ansible. The deployment goes fine.
My config for dashboard from docker_compose:

nginx config for nginx docker container:

```nginx
upstream kibana {
    server kibana:5601;
}
server {
    listen 80;
    server_name oswebportal.site.local;
    ssl off;
    location / {
        proxy_pass http://kibana;
        proxy_next_upstream off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

```yaml
kibana:
  environment:
    - "SERVER_NAME={{ ansible_fqdn }}"
    - "HOST_IP={{ ansible_facts['default_ipv4']['address'] }}"
    - 'OPENSEARCH_HOSTS=["http://oswebportal-ingest-01.site.local:9200","http://oswebportal-ingest-02.site.local:9200"]'
    - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=false"
    - "opensearch.ssl.verificationMode=none"
    - "server.ssl.enabled=false"
    - 'opensearch.requestHeadersWhitelist: [Authorization, securitytenant]'
    - "opensearch.username=kibanaserver"
    - "opensearch.password=kibanaserver"
    - "opensearch_security.auth.type=basicauth"
    - "opensearch_security.auth.anonymous_auth_enabled=false"
    - "opensearch_security.cookie.secure=true"
```

```yaml
os-ingest:
  environment:
    - DISABLE_INSTALL_DEMO_CONFIG=false
    - compatibility.override_main_response_version=false
    - plugins.security.disabled=false
    - plugins.security.allow_default_init_securityindex=true
    - plugins.security.ssl.transport.enforce_hostname_verification=false
    - plugins.security.ssl.transport.pemcert_filepath=esnode.pem
    - plugins.security.ssl.transport.pemkey_filepath=esnode-key.pem
    - plugins.security.ssl.transport.pemtrustedcas_filepath=root-ca.pem
    - plugins.security.ssl.http.enabled=false
    - plugins.security.ssl.http.pemcert_filepath=esnode.pem
    - plugins.security.ssl.http.pemkey_filepath=esnode-key.pem
    - plugins.security.ssl.http.pemtrustedcas_filepath=root-ca.pem
    - plugins.security.allow_unsafe_democertificates=true
    - plugins.security.restapi.roles_enabled=["all_access", "security_rest_api_access"]
    - cluster.name=oswebportal
    - bootstrap.memory_lock=true
    - discovery.zen.ping.unicast.hosts=192.168.168.60,192.168.168.61,192.168.168.62,192.168.168.63,192.168.168.64,192.168.168.65,192.168.168.66,192.168.168.67
    - node.data=false
    - node.master=false
    - node.ingest=true
    - node.name={{ ansible_fqdn }}
    - network.host=0.0.0.0
    - network.publish_host={{ ansible_facts['default_ipv4']['address'] }}
    - "OPENSEARCH_JAVA_OPTS=-Xms12g -Xmx12g -Xlog:disable"
```

Same in master and docker as ingest.

Same volumes on ingest, master and data nodes:

```yaml
volumes:
  - /srv/{{ inventory_hostname }}/opensearch:/usr/share/opensearch/data
  - /srv/{{ inventory_hostname }}/keys/esnode-key.pem:/usr/share/opensearch/config/esnode-key.pem
  - /srv/{{ inventory_hostname }}/keys/esnode.pem:/usr/share/opensearch/config/esnode.pem
  - /srv/{{ inventory_hostname }}/keys/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
```

When the deployment by playbooks ends, I go to the web dashboard and see:

OpenSearch Dashboards server is not ready yet

In the ingest Docker container logs:

```
[2022-10-13T06:30:38,955][ERROR][o.o.s.a.BackendRegistry  ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
[2022-10-13T06:30:40,969][ERROR][o.o.s.a.BackendRegistry  ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
[2022-10-13T06:30:40,972][ERROR][o.o.s.a.BackendRegistry  ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
[2022-10-13T06:30:41,453][ERROR][o.o.s.a.BackendRegistry  ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
[2022-10-13T06:30:41,456][ERROR][o.o.s.a.BackendRegistry  ] [oswebportal-ingest-02.site.local] Not yet initialized (you may need to run securityadmin)
```

In the master Docker containers all seems good.
In the data Docker containers all seems good.

When I try to run securityadmin manually inside the container, I get an error:

```
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to localhost:9200 ... done
ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?
Trace:
java.io.IOException: Unrecognized SSL message, plaintext connection?
	at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:958)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:332)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:320)
	at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:462)
	at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:159)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
	at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
	at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
	at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
	at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:278)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:332)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:547)
	at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
	at java.base/java.lang.Thread.run(Thread.java:833)
```

When I try changing `- DISABLE_INSTALL_DEMO_CONFIG=false` to `- DISABLE_INSTALL_DEMO_CONFIG=true`, I get the same.
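
An added example, not part of the original thread: the `Unrecognized SSL message, plaintext connection?` in the trace above is what the Java TLS engine reports when the first bytes it reads back are not a TLS record, and the posted environment sets `plugins.security.ssl.http.enabled=false`. This Python check sends a real ClientHello to a port and applies the same kind of header test; the local listener and its HTTP 400 reply are constructed stand-ins, and the function names are chosen here.

```python
import socket
import ssl
import threading

def client_hello() -> bytes:
    """Have the ssl module build a real ClientHello without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="localhost")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is queued and the engine waits for a reply
    return outgoing.read()

def classify_reply(first: bytes) -> str:
    """A TLS record starts with a content type (0x14-0x17) and major version 3."""
    if len(first) >= 2 and 0x14 <= first[0] <= 0x17 and first[1] == 0x03:
        return "tls"
    if first.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown" if first else "no-reply"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello to host:port and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello())
            return classify_reply(sock.recv(16))
    except OSError:
        return "error"  # refused, timed out or reset

def start_plaintext_listener() -> int:
    """Constructed stand-in for a REST port served without TLS; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the ClientHello, unreadable to an HTTP parser
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe("127.0.0.1", start_plaintext_listener()))
```

Pointing `probe` at a node's REST port from inside the container shows whether a TLS client such as the one in the trace can expect a handshake there.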

@kam Could you share the full securityadmin.sh command?

@kam Did you get this issue solved?

Yes!

I moved all env from docker-compose to config files and this helped me.