==== OpenSearch 8.x Installation on Linux ====

----

=== Configure APT and install required tools ===

Import the PGP key of the repository and create the repository entry:

<code bash>
sudo apt update && sudo apt upgrade -y
sudo apt install sudo vim curl gpg unzip cifs-utils -y
wget -qO - https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/opensearch.pgp
echo "deb [signed-by=/etc/apt/trusted.gpg.d/opensearch.pgp] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/opensearch-2.x.list
sudo apt update
</code>

=== Install OpenSearch ===

Update the APT database and install the latest version of OpenSearch:

<code bash>
sudo apt install opensearch
</code>

=== Or install a specific OpenSearch version ===

List the available versions:

<code bash>
sudo apt list -a opensearch
</code>

Install a version from the list returned by "apt list -a opensearch":

<code bash>
sudo apt install opensearch=2.5.0
</code>

== Adjust settings in opensearch.yml ==

In /etc/opensearch/opensearch.yml set:

<code yaml>
cluster.name: myopensearch
network.host: 0.0.0.0
discovery.type: single-node

plugins.security.ssl.transport.pemcert_filepath: certs/node-01.pem
plugins.security.ssl.transport.pemkey_filepath: certs/node-01-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
# Hostname verification on the transport layer is switched off
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/node-01.pem
plugins.security.ssl.http.pemkey_filepath: certs/node-01-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
# Permits startup with the bundled demo certificates
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
# The empty line after the parameters for admin_dn is important: without it, authentication fails
plugins.security.authcz.admin_dn:
  - CN=admin,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US

# The empty line after the parameters for nodes_dn is important: without it, authentication fails
plugins.security.nodes_dn:
  - CN=node-01,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 1
</code>

Continue with [[opensearch:Generating certificates]]

==== Configure users ====

Users can be configured in /etc/opensearch/opensearch-security/internal_users.yml

Change to the tool directory and run hash.sh (the tool warns that it is deprecated, but it was deprecated without a plan for what comes next ...):

<code bash>
cd /usr/share/opensearch/plugins/opensearch-security/tools
export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk
./hash.sh
</code>

Enter the password and save the hash that the tool returns.\\
Generate the hash for the password for the admin user and for the kibanaserver account.\\
Open internal_users.yml:

<code bash>
vi /etc/opensearch/opensearch-security/internal_users.yml
</code>

Remove all demo users except for admin and replace the hash with the output provided by hash.sh in the previous step.

The file should look similar to the following example:\\
(Use the hashes you generated: you do not know the passwords behind the hashes shown here ...)

<code yaml>
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

_meta:
  type: "internalusers"
  config_version: 2

# Define your internal users here
# (use the hashes you generated: you do not know the passwords behind the hashes shown here ...)

admin:
  hash: "$2y$12$EqikRW0NCvAlC2a8r8M6O.w7sQ6k2A8R5C23RBDTP0jJZ7b/4Xlfq"
  reserved: true
  backend_roles:
  - "admin"
  description: "Admin user"

dashboardsserver:
  hash: "$2y$12$2JkFjrXucTPtBJ0O.VAhD.fhtVrhyI3ExY7D0py0TosRCkhjX0ESS"
  reserved: true
  backend_roles:
  description: "Dashboards Server"
</code>

Now the system contains a basic configuration.

=== Enable OpenSearch service and start it ===

<code bash>
systemctl daemon-reload
systemctl enable opensearch
systemctl start opensearch
systemctl status opensearch
</code>

The last command should show:

<code>
● opensearch.service - OpenSearch
     Loaded: loaded (/lib/systemd/system/opensearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-01-01 00:00:01 CET; 0h 01min ago
...
</code>

The log is /var/log/opensearch/myopensearch.log (the log file name is the value of cluster.name followed by .log):

<code bash>
sudo cat /var/log/opensearch/myopensearch.log
</code>

=== Inject the users ===

==== This will overwrite the security configuration! ====

<code bash>
# Run from /usr/share/opensearch/plugins/opensearch-security/tools
./securityadmin.sh -cd /etc/opensearch/opensearch-security/ \
  -cacert /etc/opensearch/certs/root-ca-myopensearch.pem \
  -cert /etc/opensearch/certs/myopensearch-admin.pem \
  -key /etc/opensearch/certs/myopensearch-admin-key.pem \
  -icl -nhnv
</code>

=== Test the installation ===

<code bash>
curl https://your.host.address:9200 -u admin:password -k
</code>

==== Done. OpenSearch is installed ====

Now you might want to continue with [[opensearch:osd_installation_linux|Dashboards Installation on Linux]]
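
The opensearch.yml used in this guide allows the demo certificates, switches off transport hostname verification and binds to 0.0.0.0, and the internal_users.yml example carries sample hashes that must be replaced. The following lint for those two files is an added example, not part of the original guide or of OpenSearch; the function names are illustrative and the parser only handles flat "key: value" lines.

```shell
#!/bin/sh
# Added example, not part of the guide or of OpenSearch: function names are illustrative.
# Assumes the flat "key: value" layout of the opensearch.yml shown in this guide.

# yml_value FILE KEY: print the value of a top-level "KEY: value" line.
yml_value() {
  awk -v key="$2" 'index($0, key ":") == 1 {
      v = substr($0, length(key) + 2)
      sub(/[ \t]+#.*$/, "", v)          # drop a trailing comment
      gsub(/^[ \t]+|[ \t]+$/, "", v)    # drop surrounding blanks
      gsub(/^"|"$/, "", v)              # drop surrounding double quotes
      print v; exit
    }' "$1"
}

# flag_if FILE KEY RISKY_VALUE REASON: print a WARN line and succeed if KEY is set to RISKY_VALUE.
flag_if() {
  [ "$(yml_value "$1" "$2")" = "$3" ] || return 1
  printf 'WARN %s=%s: %s\n' "$2" "$3" "$4"
}

# audit_opensearch_yml FILE: report the relaxed settings; exit status 1 if any is present.
audit_opensearch_yml() {
  aoy_rc=0
  flag_if "$1" plugins.security.allow_unsafe_democertificates true \
    "node may start with the demo certificates" && aoy_rc=1
  flag_if "$1" plugins.security.ssl.transport.enforce_hostname_verification false \
    "transport TLS does not verify peer hostnames" && aoy_rc=1
  flag_if "$1" network.host 0.0.0.0 \
    "node listens on every network interface" && aoy_rc=1
  return "$aoy_rc"
}

# Sample hashes printed in this guide; their passwords are unknown, so they must not be deployed.
GUIDE_HASHES='$2y$12$EqikRW0NCvAlC2a8r8M6O.w7sQ6k2A8R5C23RBDTP0jJZ7b/4Xlfq
$2y$12$2JkFjrXucTPtBJ0O.VAhD.fhtVrhyI3ExY7D0py0TosRCkhjX0ESS'

# audit_internal_users FILE: exit status 1 if FILE still contains one of those sample hashes.
audit_internal_users() {
  aiu_rc=0
  for aiu_hash in $GUIDE_HASHES; do
    if grep -qF -e "$aiu_hash" "$1"; then
      printf 'WARN %s: sample hash from the guide is still present\n' "$1"
      aiu_rc=1
    fi
  done
  return "$aiu_rc"
}
```

After sourcing the file, run audit_opensearch_yml on /etc/opensearch/opensearch.yml and audit_internal_users on /etc/opensearch/opensearch-security/internal_users.yml before starting the service; a non-zero exit status means at least one finding.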