OOKB - Olaf's Own Knowledge Base

User Tools

Site Tools

Trace: os_installation_linux

Sidebar

Welcome to my Wiki
Elasticsearch
Linux
Opensearch
Sat receiver Octagon SF 8008
Windows
Android: Disable WhatsApp backup
Arduino and ESP32
OpenSSL
Setup Occulus software for multi-user on PC
EasyMesh
Welcome to your new DokuWiki

opensearch:os_installation_linux

This is an old revision of the document!

Table of Contents

Opensearch 8.x Installation on Linux

Configure APT and install required tools

Import PGP key of the repository and create the repository entry 

sudo apt update && sudo upgrade -y
sudo apt install sudo vim curl gpg unzip cifs-utils -y
 
wget -qO - https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/opensearch.pgp
echo "deb [signed-by=/etc/apt/trusted.gpg.d/opensearch.pgp] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/opensearch-2.x.list
 
sudo apt update

Install Opensearch

Update the APT database and install the latest version of Opensearch

sudo apt install opensearch

Or install a specific Opensearch version

List available versions

sudo apt list opensearch

Install a version from the list returned by “apt list opensearch”

sudo apt install opensearch=2.5.0
Adjust settings in opensearch.yml

Change /etc/opensearch/opensearch.yml set:

cluster.name: myopensearch
network.host: 0.0.0.0
discovery.type: single-node
plugins.security.ssl.transport.pemcert_filepath: certs/node-01.pem
plugins.security.ssl.transport.pemkey_filepath: certs/node-01-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/node-01.pem
plugins.security.ssl.http.pemkey_filepath: certs/node-01-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca-myopensearch.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
# The empty line after the parameters for admin_dn is important: without authentication fails 
plugins.security.authcz.admin_dn:
  - CN=admin,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US
 
# The empty line after the parameters for nodes_dn is important: without authentication fails
plugins.security.nodes_dn:
  - CN=node-01,OU=SheepPR,O=TheBigBadWolf,L=Dallas,C=US

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 1

Continue with Generating certificates

Configure users

Users can be configured in /etc/opensearch/opensearch-security/internal_users.yml Change to the tool directory and run hush.sh (the tool warns it's depricated - but they did without plans for what's next …) 

cd /usr/share/opensearch/plugins/opensearch-security/tools
export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk
./hash.sh

Enter the password and save the hash that the tool returns.
Generate the hash for the password for the admin user and for the kibanaserver account.

Open internal_users.yml. 

vi /etc/opensearch/opensearch-security/internal_users.yml

Remove all demo users except for admin and replace the hash with the output provided by hash.sh in a previous step. The file should look similar to the following example:
(Use the hashes you generated: you don't know the passwords used to generate them …)

---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

_meta:
  type: "internalusers"
  config_version: 2
 
# Define your internal users here (use the hashes you generated: you don't know the passwords used to generate them ...)

admin:
  hash: "$2y$12$EqikRW0NCvAlC2a8r8M6O.w7sQ6k2A8R5C23RBDTP0jJZ7b/4Xlfq"
  reserved: true
  backend_roles:
  - "admin"
  description: "Admin user"
dashboardsserver:
  hash: "$2y$12$2JkFjrXucTPtBJ0O.VAhD.fhtVrhyI3ExY7D0py0TosRCkhjX0ESS"
  reserved: true
  backend_roles:
  description: "Dashboards Server"

Now the system contains a basic configuration

Enable Opensearch service and start it

systemctl daemon-reload
systemctl enable opensearch
systemctl start opensearch  
 
systemctl status opensearch

The last command should show: 

  ●opensearch.service - OpenSearch
     Loaded: loaded (/lib/systemd/system/opensearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-01-01 00:00:01 CET; 0h 01min ago
     ...

The log is /var/log/opensearch/myopensearch.log (the log file is <cluster name>.log) 

sudo cat /var/log/opensearch/myopensearch.log

Inject the users

This will overwrite the security configuration!

./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/certs/root-ca-myopensearch.pem -cert /etc/opensearch/certs/myopensearch-admin.pem -key /etc/opensearch/certs/myopensearch-admin-key.pem -icl -nhnv

Test the installation

curl https://your.host.address:9200 -u admin:Kenny12 -k

Done. Opensearch is installed

Now you might want to continue with Dashboards Installation on Linux

opensearch/os_installation_linux.1675210313.txt.gz · Last modified: 2023/02/01 00:11 by olaf

Page Tools