opensearch:os_installation_linux

Differences

This shows you the differences between two versions of the page.

opensearch:os_installation_linux [2023/02/01 00:06] – removed - external edit (Unknown date) 127.0.0.1
opensearch:os_installation_linux [2023/02/25 21:44] (current) – typo: hush.sh - hash.sh olaf
Line 1: Line 1:
 +==== Opensearch 8.x Installation on Linux ====
 +----
 +=== Configure APT and install required tools ===
 +
 +Import PGP key of the repository and create the repository entry
 +<code bash>
 +sudo apt update && sudo upgrade -y
 +sudo apt install sudo vim curl gpg unzip cifs-utils -y
 +
 +wget -qO - https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/opensearch.pgp
 +echo "deb [signed-by=/etc/apt/trusted.gpg.d/opensearch.pgp] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/opensearch-2.x.list
 +
 +sudo apt update
 +</code>
 +
 +=== Install Opensearch ===
 +
 +Update the APT database and install the latest version of Opensearch\\
 +<code bash>sudo apt install opensearch</code>
 +
 +=== Or install a specific Opensearch version ===
 +
 +List available versions\\
 +<code bash>sudo apt list opensearch</code>
 +
 +Install a version from the list returned by "apt list opensearch"\\
 +<code bash>sudo apt install opensearch=2.5.0</code>
 +
 +== Adjust settings in opensearch.yml ==
 +
 +Change /etc/opensearch/opensearch.yml set:\\
 +<code yaml>
 +cluster.name: myopensearch
 +network.host: 0.0.0.0
 +discovery.type: single-node
 +plugins.security.ssl.transport.pemcert_filepath: certs/node-01.pem
 +plugins.security.ssl.transport.pemkey_filepath: certs/node-01-key.pem
 +plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
 +plugins.security.ssl.transport.enforce_hostname_verification: false
 +plugins.security.ssl.http.enabled: true
 +plugins.security.ssl.http.pemcert_filepath: certs/node-01.pem
 +plugins.security.ssl.http.pemkey_filepath: certs/node-01-key.pem
 +plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
 +plugins.security.allow_unsafe_democertificates: true
 +plugins.security.allow_default_init_securityindex: true
 +# The empty line after the parameters for admin_dn is important: without authentication fails 
 +plugins.security.authcz.admin_dn:
 +  - CN=admin,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US
 +
 +# The empty line after the parameters for nodes_dn is important: without authentication fails
 +plugins.security.nodes_dn:
 +  - CN=node-01,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US
 +
 +plugins.security.audit.type: internal_opensearch
 +plugins.security.enable_snapshot_restore_privilege: true
 +plugins.security.check_snapshot_restore_write_privileges: true
 +plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
 +plugins.security.system_indices.enabled: true
 +plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
 +node.max_local_storage_nodes: 1
 +</code>
 +
 +Continue with [[opensearch:Generating certificates]]
 +
 +==== Configure users ====
 +Users can be configured in /etc/opensearch/opensearch-security/internal_users.yml
 +Change to the tool directory and run hash.sh (the tool warns it's depricated - but they did without plans for what's next ...)
 +<code bash>
 +cd /usr/share/opensearch/plugins/opensearch-security/tools
 +export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk
 +./hash.sh
 +</code>
 +Enter the password and save the hash that the tool returns.\\
 +Generate the hash for the password for the admin user and for the kibanaserver account.\\
 +
 +Open internal_users.yml.
 +<code bash>vi /etc/opensearch/opensearch-security/internal_users.yml</code>
 +
 +Remove all demo users except for admin and replace the hash with the output provided by hash.sh in a previous step. The file should look similar to the following example:\\
 +(Use the hashes you generated: you don't know the passwords used to generate them ...)\\
 +<code yaml>
 +---
 +# This is the internal user database
 +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
 +
 +_meta:
 +  type: "internalusers"
 +  config_version: 2
 +
 +# Define your internal users here (use the hashes you generated: you don't know the passwords used to generate them ...)
 +
 +admin:
 +  hash: "$2y$12$EqikRW0NCvAlC2a8r8M6O.w7sQ6k2A8R5C23RBDTP0jJZ7b/4Xlfq"
 +  reserved: true
 +  backend_roles:
 +  - "admin"
 +  description: "Admin user"
 +dashboardsserver:
 +  hash: "$2y$12$2JkFjrXucTPtBJ0O.VAhD.fhtVrhyI3ExY7D0py0TosRCkhjX0ESS"
 +  reserved: true
 +  backend_roles:
 +  description: "Dashboards Server"
 +</code>
 +
 +Now the system contains a basic configuration 
 +
 +=== Enable Opensearch service and start it ===
 +<code bash>
 +systemctl daemon-reload
 +systemctl enable opensearch
 +systemctl start opensearch  
 +
 +systemctl status opensearch  
 +</code>
 +The last command should show:
 +
 +<code>
 +  ●opensearch.service - OpenSearch
 +     Loaded: loaded (/lib/systemd/system/opensearch.service; enabled; vendor preset: enabled)
 +     Active: active (running) since Tue 2023-01-01 00:00:01 CET; 0h 01min ago
 +     ...
 +</code>
 +
 +The log is /var/log/opensearch/myopensearch.log (the log file is <cluster name>.log)
 +<code bash>sudo cat /var/log/opensearch/myopensearch.log</code>
 +
 +=== Inject the users ===
 +==== This will overwrite the security configuration! ====
 +
 +<code bash>
 +./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/certs/root-ca-myopensearch.pem -cert /etc/opensearch/certs/myopensearch-admin.pem -key /etc/opensearch/certs/myopensearch-admin-key.pem -icl -nhnv
 +</code>
 +
 +=== Test the installation ===
 +<code bash>curl https://your.host.address:9200 -u admin:password -k</code>
 +
 +==== Done. Opensearch is installed ====
 +
 +Now you might want to continue with [[opensearch:osd_installation_linux|Dashboards Installation on Linux]]
 +
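Review bot: In the opensearch.yml block, `network.host: 0.0.0.0` sits next to `plugins.security.allow_unsafe_democertificates: true` and `plugins.security.ssl.transport.enforce_hostname_verification: false`, so the node listens on every interface while demo certificates are still allowed and hostname checks are off. The same block already points at the site's own certs/node-01.pem and certs/root-ca-myopensearch.pem, so set allow_unsafe_democertificates to false and bind network.host to the address that actually has to serve clients. The relaxed verification carries through to the later steps: securityadmin.sh is called with -nhnv, and the test command `curl https://your.host.address:9200 -u admin:password -k` skips certificate verification and leaves the password in shell history. Prefer `--cacert /etc/opensearch/certs/root-ca-myopensearch.pem` over -k, and `-u admin` so curl prompts for the password. Smaller points: the first command has `sudo upgrade -y` without `apt`; the title says "Opensearch 8.x" while the repository entry and the pinned version are 2.x; the text asks for a hash for the kibanaserver account but the sample internal_users.yml defines dashboardsserver; and the `./securityadmin.sh` step relies on the working directory still being the tools directory from the hash.sh step, which should be stated or replaced with the full path.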
 +