Opensearch 8.x Installation on Linux


Configure APT and install required tools

Import PGP key of the repository and create the repository entry

sudo apt update && sudo apt upgrade -y
sudo apt install sudo vim curl gpg unzip cifs-utils -y
 
wget -qO - https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/opensearch.pgp
echo "deb [signed-by=/etc/apt/trusted.gpg.d/opensearch.pgp] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/opensearch-2.x.list
 
sudo apt update

Install Opensearch

Update the APT database and install the latest version of Opensearch

sudo apt install opensearch

Or install a specific Opensearch version

List available versions

sudo apt list opensearch

Install a version from the list returned by “apt list opensearch”

sudo apt install opensearch=2.5.0

Adjust settings in opensearch.yml

In /etc/opensearch/opensearch.yml, set:

cluster.name: myopensearch
network.host: 0.0.0.0
discovery.type: single-node
plugins.security.ssl.transport.pemcert_filepath: certs/node-01.pem
plugins.security.ssl.transport.pemkey_filepath: certs/node-01-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/node-01.pem
plugins.security.ssl.http.pemkey_filepath: certs/node-01-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
# The empty line after the parameters for admin_dn is important: without it, authentication fails
plugins.security.authcz.admin_dn:
  - CN=admin,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US
 
# The empty line after the parameters for nodes_dn is important: without it, authentication fails
plugins.security.nodes_dn:
  - CN=node-01,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 1
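
The configuration above binds to every interface and leaves demo certificates, automatic security index initialisation and disabled transport hostname verification switched on. The following added example (not part of the original page) lists each of those settings found in an opensearch.yml so they can be reviewed before the node is exposed; the function names and the choice of settings to flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: review an opensearch.yml for the permissive settings
# used in the walkthrough. Prints one setting name per finding.
audit_opensearch_yml() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*-/ { next }  # comments, blanks, list items
        {
            key = $0; sub(/:.*$/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            cfg[key] = val
        }
        END {
            p = "plugins.security."
            if (cfg["network.host"] == "0.0.0.0")                 # listens on every interface
                print "network.host"
            if (cfg[p "allow_unsafe_democertificates"] == "true") # demo certificates accepted
                print p "allow_unsafe_democertificates"
            if (cfg[p "allow_default_init_securityindex"] == "true") # index seeded from files on disk
                print p "allow_default_init_securityindex"
            if (cfg[p "ssl.transport.enforce_hostname_verification"] == "false")
                print p "ssl.transport.enforce_hostname_verification"
            if (cfg[p "ssl.http.enabled"] != "true")              # REST API served without TLS
                print p "ssl.http.enabled"
        }
    ' "$1"
}

# Constructed sample: the security-relevant lines from the walkthrough.
sample_walkthrough_config() {
    cat <<'EOF'
cluster.name: myopensearch
network.host: 0.0.0.0
discovery.type: single-node
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=admin,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US
EOF
}

# Audit the file given as first argument, or the constructed sample if none.
tmp=$(mktemp)
sample_walkthrough_config > "$tmp"
audit_opensearch_yml "${1:-$tmp}"
rm -f "$tmp"
```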

Continue with Generating certificates

Configure users

Users can be configured in /etc/opensearch/opensearch-security/internal_users.yml. Change to the tool directory and run hash.sh (the tool warns that it is deprecated, but it was deprecated without any plan for what comes next …)

cd /usr/share/opensearch/plugins/opensearch-security/tools
export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk
./hash.sh

Enter the password and save the hash that the tool returns.
Generate the hash for the password for the admin user and for the kibanaserver account.

Open internal_users.yml.

vi /etc/opensearch/opensearch-security/internal_users.yml

Remove all demo users except for admin and replace the hash with the output provided by hash.sh in a previous step. The file should look similar to the following example:
(Use the hashes you generated: you don't know the passwords used to generate them …)

---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

_meta:
  type: "internalusers"
  config_version: 2
 
# Define your internal users here (use the hashes you generated: you don't know the passwords used to generate them ...)

admin:
  hash: "$2y$12$EqikRW0NCvAlC2a8r8M6O.w7sQ6k2A8R5C23RBDTP0jJZ7b/4Xlfq"
  reserved: true
  backend_roles:
  - "admin"
  description: "Admin user"
dashboardsserver:
  hash: "$2y$12$2JkFjrXucTPtBJ0O.VAhD.fhtVrhyI3ExY7D0py0TosRCkhjX0ESS"
  reserved: true
  backend_roles:
  description: "Dashboards Server"
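
Before loading the file, it is worth confirming that no demo account is left in it and that every hash field really holds a bcrypt hash. The following added example (not part of the original page) does both; the function names, the allow list passed as arguments and the minimum cost of 12 (the cost visible in the hashes above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: check an internal_users.yml after editing it.
# audit_internal_users FILE ALLOWED_USER...
# Prints "extra-user NAME" for accounts outside the allow list and
# "weak-hash NAME" when the hash is not bcrypt with a cost of at least 12.
audit_internal_users() {
    file=$1; shift
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[A-Za-z0-9_.-]+:[ \t]*$/ {           # top-level key: a user name or _meta
            user = $0; sub(/:.*$/, "", user)
            if (user != "_meta" && !(user in ok)) print "extra-user " user
            next
        }
        /^[ \t]+hash:/ {
            h = $0; sub(/^[ \t]+hash:[ \t]*"?/, "", h); sub(/"?[ \t]*$/, "", h)
            # bcrypt hashes start with $2a$, $2b$ or $2y$ followed by a two-digit cost
            if (h !~ "^[$]2[aby][$][0-9][0-9][$]" || substr(h, 5, 2) + 0 < 12)
                print "weak-hash " user
        }
    ' "$file"
}

# Constructed sample: placeholder hashes, plus one leftover account whose
# hash field holds a plain string instead of a bcrypt hash.
sample_internal_users() {
    cat <<'EOF'
---
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "$2y$12$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH"
  reserved: true
dashboardsserver:
  hash: "$2y$12$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH"
  reserved: true
readall:
  hash: "changeme"
EOF
}

# Audit the constructed sample, allowing only the two accounts kept above.
tmp=$(mktemp)
sample_internal_users > "$tmp"
audit_internal_users "$tmp" admin dashboardsserver
rm -f "$tmp"
```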

Now the system contains a basic configuration.

Enable Opensearch service and start it

systemctl daemon-reload
systemctl enable opensearch
systemctl start opensearch  
 
systemctl status opensearch  

The last command should show:

  ●opensearch.service - OpenSearch
     Loaded: loaded (/lib/systemd/system/opensearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-01-01 00:00:01 CET; 0h 01min ago
     ...

The log is /var/log/opensearch/myopensearch.log (the log file is <cluster name>.log)

sudo cat /var/log/opensearch/myopensearch.log

Inject the users

This will overwrite the security configuration!

./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/certs/root-ca-myopensearch.pem -cert /etc/opensearch/certs/myopensearch-admin.pem -key /etc/opensearch/certs/myopensearch-admin-key.pem -icl -nhnv

Test the installation

curl https://your.host.address:9200 -u admin:password -k

Done. Opensearch is installed.

Now you might want to continue with Dashboards Installation on Linux