Import PGP key of the repository and create the repository entry
sudo apt update && sudo apt upgrade -y
sudo apt install sudo vim curl gpg unzip cifs-utils -y
wget -qO - https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/opensearch.pgp
echo "deb [signed-by=/etc/apt/trusted.gpg.d/opensearch.pgp] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/opensearch-2.x.list
sudo apt update
Update the APT database and install the latest version of OpenSearch
sudo apt install opensearch
List available versions
sudo apt list -a opensearch
Install a version from the list returned by “apt list -a opensearch”
sudo apt install opensearch=2.5.0
Edit /etc/opensearch/opensearch.yml and set:
cluster.name: myopensearch
network.host: 0.0.0.0
discovery.type: single-node
plugins.security.ssl.transport.pemcert_filepath: certs/node-01.pem
plugins.security.ssl.transport.pemkey_filepath: certs/node-01-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/node-01.pem
plugins.security.ssl.http.pemkey_filepath: certs/node-01-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
# The empty line after the parameters for admin_dn is important: without it, authentication fails
plugins.security.authcz.admin_dn:
  - CN=admin,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US

# The empty line after the parameters for nodes_dn is important: without it, authentication fails
plugins.security.nodes_dn:
  - CN=node-01,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 1
Continue with Generating certificates
Users can be configured in /etc/opensearch/opensearch-security/internal_users.yml.
Change to the tool directory and run hash.sh (the tool warns that it is deprecated, but it was deprecated without any plan for what comes next …):
cd /usr/share/opensearch/plugins/opensearch-security/tools
export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk
./hash.sh
Enter the password and save the hash that the tool returns.
Generate the hash for the password for the admin user and for the kibanaserver account.
Open internal_users.yml.
vi /etc/opensearch/opensearch-security/internal_users.yml
Remove all demo users except for admin and replace the hash with the output provided by hash.sh in a previous step. The file should look similar to the following example:
(Use the hashes you generated: you don't know the passwords used to generate them …)
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

_meta:
  type: "internalusers"
  config_version: 2

# Define your internal users here (use the hashes you generated: you don't know the passwords used to generate them ...)

admin:
  hash: "$2y$12$EqikRW0NCvAlC2a8r8M6O.w7sQ6k2A8R5C23RBDTP0jJZ7b/4Xlfq"
  reserved: true
  backend_roles:
  - "admin"
  description: "Admin user"

dashboardsserver:
  hash: "$2y$12$2JkFjrXucTPtBJ0O.VAhD.fhtVrhyI3ExY7D0py0TosRCkhjX0ESS"
  reserved: true
  backend_roles:
  description: "Dashboards Server"
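A pre-start check for the two files edited above, added here as an example and not part of the original page or of the OpenSearch project: it flags the opensearch.yml values from this page that loosen security, any example hash copied from this page, and leftover demo accounts. The function names and the list of accepted account names (admin, kibanaserver, dashboardsserver) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit the two edited files
# before the first start. Function names are hypothetical.

# value_of FILE KEY: print the value of an uncommented "KEY: value" line.
value_of() {
  awk -v k="$2:" '{ sub(/^[ \t]+/, "") }
    index($0, k) == 1 { v = substr($0, length(k) + 1); sub(/[ \t]*#.*$/, "", v)
                        gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v }
    END { print val }' "$1"
}

# audit_opensearch OPENSEARCH_YML INTERNAL_USERS_YML
# Prints one FINDING line per problem; returns 0 only when nothing was found.
audit_opensearch() {
  ao_yml=$1 ao_users=$2 ao_n=0
  # Values from the opensearch.yml above that should be a conscious decision.
  while IFS='|' read -r ao_key ao_bad ao_why; do
    if [ "$(value_of "$ao_yml" "$ao_key")" = "$ao_bad" ]; then
      echo "FINDING: $ao_key: $ao_bad ($ao_why)"; ao_n=$((ao_n + 1))
    fi
  done <<'EOF'
plugins.security.allow_unsafe_democertificates|true|demo certificates are allowed
plugins.security.ssl.transport.enforce_hostname_verification|false|transport TLS skips hostname checks
network.host|0.0.0.0|listens on every interface
EOF
  # The two example hashes printed on this page must never reach a real node.
  for ao_h in '$2y$12$EqikRW0NCvAlC2a8r8M6O.w7sQ6k2A8R5C23RBDTP0jJZ7b/4Xlfq' \
              '$2y$12$2JkFjrXucTPtBJ0O.VAhD.fhtVrhyI3ExY7D0py0TosRCkhjX0ESS'; do
    if grep -qF -- "$ao_h" "$ao_users"; then
      echo "FINDING: example hash from this page is still in $ao_users"; ao_n=$((ao_n + 1))
    fi
  done
  # Any account besides the ones this page keeps is treated as a leftover demo user.
  for ao_u in $(sed -n 's/^\([A-Za-z0-9_.-]\{1,\}\):.*/\1/p' "$ao_users"); do
    case $ao_u in
      _meta|admin|kibanaserver|dashboardsserver) ;;
      *) echo "FINDING: unexpected user '$ao_u' in $ao_users"; ao_n=$((ao_n + 1)) ;;
    esac
  done
  [ "$ao_n" -eq 0 ]
}

# Stand-alone use: pass the paths of opensearch.yml and internal_users.yml.
if [ "$#" -eq 2 ]; then audit_opensearch "$1" "$2"; fi
```

A finding for network.host or hostname verification is not necessarily wrong on an isolated single-node lab, but it should be a decision rather than a copy-paste.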
Now the system contains a basic configuration
systemctl daemon-reload
systemctl enable opensearch
systemctl start opensearch
systemctl status opensearch
The last command should show:
● opensearch.service - OpenSearch
     Loaded: loaded (/lib/systemd/system/opensearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-01-01 00:00:01 CET; 0h 01min ago
...
The log is /var/log/opensearch/myopensearch.log (the log file is <cluster name>.log)
sudo cat /var/log/opensearch/myopensearch.log
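Load the security configuration from /etc/opensearch/opensearch-security/ into the cluster with securityadmin.sh (run from the tools directory used for hash.sh):
./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/certs/root-ca-myopensearch.pem -cert /etc/opensearch/certs/myopensearch-admin.pem -key /etc/opensearch/certs/myopensearch-admin-key.pem -icl -nhnv
Then check that the node answers over HTTPS (-k makes curl skip certificate verification):
curl https://your.host.address:9200 -u admin:password -k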
Now you might want to continue with Dashboards Installation on Linux