setting up opensearch

logging | elk | fluentbit

opensearch install setup upgrade

dashboard install setup upgrade

tested on debian12

install

see osearch-install and osearch-install-dashboard

setup

all nodes

# Keep the packaged opensearch.yml as a reference (.dist), derive a comment-free copy
# (.clean, kept untouched for later diffs) and a working copy (.yml) that we then edit.
cfg=/etc/opensearch/opensearch.yml
mv -i "$cfg" "$cfg.dist"
grep -vE '^#|^$' "$cfg.dist" > "$cfg.clean"
grep -vE '^#|^$' "$cfg.dist" > "$cfg"

# The service reads the file as the opensearch user; 640 keeps other local accounts
# from reading cluster settings.
chown opensearch:opensearch "$cfg.clean" "$cfg"
chmod 640 "$cfg.clean" "$cfg"

vi "$cfg"

node0 (coordinator)

# node0: coordinating-only node (no data, ingest or cluster_manager role) that fronts client traffic.
network.host: 0.0.0.0                      # default for bind + publish address; the bind part is narrowed by network.bind_host below
cluster.name: opensearch-cluster           # must be identical on every node or they will not join each other
node.name: opensearch-c1
node.roles: []                             # empty list = coordinating-only
network.bind_host: [_local_, _site_]       # listen on loopback and site-local addresses; 9200/9300 are still reachable from the whole LAN, so firewall them to peers and known clients
discovery.seed_hosts: ["opensearch1", "opensearch2", "opensearch3"]   # the other nodes; these names must resolve from this host
cluster.initial_cluster_manager_nodes: ["10.1.0.33"]   # NOTE(review): the docs list node.name values here (node3 is opensearch-cluster_manager), not an IP — confirm the installed version accepts an address; the docs also say to remove this setting once the cluster has bootstrapped

node1 (data1)

# node1: first data node, also runs ingest pipelines.
network.host: 0.0.0.0                      # default for bind + publish address; the bind part is narrowed by network.bind_host below
cluster.name: opensearch-cluster           # must match the other nodes
node.name: opensearch-d1
node.roles: [ data, ingest ]
network.bind_host: [_local_, _site_]       # loopback + site-local addresses only; still firewall 9200/9300 to peers and known clients
discovery.seed_hosts: ["opensearch2", "opensearch3", "opensearch0"]   # the other nodes; names must resolve from this host
cluster.initial_cluster_manager_nodes: ["10.1.0.33"]   # NOTE(review): docs expect node.name values here (node3's is opensearch-cluster_manager) — confirm an IP is accepted; remove the setting after the cluster has bootstrapped

node2 (data2)

# node2: second data node, also runs ingest pipelines.
network.host: 0.0.0.0                      # default for bind + publish address; the bind part is narrowed by network.bind_host below
cluster.name: opensearch-cluster           # must match the other nodes
node.name: opensearch-d2
node.roles: [ data, ingest ]
network.bind_host: [_local_, _site_]       # loopback + site-local addresses only; still firewall 9200/9300 to peers and known clients
discovery.seed_hosts: ["opensearch1", "opensearch3", "opensearch0"]   # the other nodes; names must resolve from this host
cluster.initial_cluster_manager_nodes: ["10.1.0.33"]   # NOTE(review): docs expect node.name values here (node3's is opensearch-cluster_manager) — confirm an IP is accepted; remove the setting after the cluster has bootstrapped

node3 (manager)

# node3: the only cluster-manager-eligible node. With a single manager there is no quorum to lose,
# but also no failover: if this node is down the cluster cannot elect a manager.
network.host: 0.0.0.0                      # default for bind + publish address; the bind part is narrowed by network.bind_host below
cluster.name: opensearch-cluster           # must match the other nodes
node.name: opensearch-cluster_manager
node.roles: [ cluster_manager ]
network.bind_host: [_local_, _site_]       # loopback + site-local addresses only; still firewall 9200/9300 to peers and known clients
discovery.seed_hosts: ["opensearch1", "opensearch2", "opensearch0"]   # the other nodes; names must resolve from this host
cluster.initial_cluster_manager_nodes: ["10.1.0.33"]   # NOTE(review): this is the node's own IP (see the cluster-formation log below); the docs list node.name values here, i.e. "opensearch-cluster_manager" — confirm an IP is accepted, and remove the setting once the cluster has bootstrapped

## additional tuning

_all nodes_

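    # OpenSearch's bootstrap check requires a large mmap count; persist it and apply it now.
    echo vm.max_map_count=262144 >> /etc/sysctl.conf
    sysctl -p

    # Pin the JVM heap to 512 MiB, below the 1 GiB the JVM failed to commit on this box
    # (see the os::commit_memory warning under "shooting troubles").
    # The value is quoted on purpose: unquoted, a shell that sources /etc/default/opensearch
    # would try to run "-Xmx512m" as a command; systemd's EnvironmentFile accepts both forms.
    echo 'OPENSEARCH_JAVA_OPTS="-Xms512m -Xmx512m"' >> /etc/default/opensearch
    # Alternative: set -Xms/-Xmx in jvm.options instead of the environment.
    #mv -i /etc/opensearch/jvm.options /etc/opensearch/jvm.options.dist
    #vi /etc/opensearch/jvm.options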

## ready to go

enable

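    # Enable and (re)start the service; the first status call is expected to show it inactive.
    systemctl status opensearch.service # not yet
    systemctl enable opensearch.service
    systemctl restart opensearch.service
    systemctl status opensearch

    # Listening sockets. ss is part of iproute2 and present on a stock Debian 12;
    # netstat needs the extra net-tools package.
    ss -lntup

    # 9200 (REST) and 9300 (transport) must be reachable between the nodes. Anything else
    # that can reach them is a potential client of the cluster — restrict with a host firewall.
    for node in opensearch1 opensearch2 opensearch3 opensearch0; do
        nmap -p 9200,9300 "$node"
    done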

## operations

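    # Cluster log file is named after cluster.name.
    tail -F /var/log/opensearch/opensearch-cluster.log

    # "-u admin" without a password makes curl prompt for it, so the admin password stays
    # out of `ps` output and the shell history.
    # -k skips certificate verification: tolerable only while the demo self-signed certs are
    # in place; once the cluster has a real CA, drop -k and pass --cacert instead.
    curl -k -u admin 'https://opensearch0:9200/_cat/nodes?v'
    curl -k -u admin 'https://opensearch0:9200/_cat/plugins?v'
    curl -k -u admin https://opensearch0:9200/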

## admin user account

clean up the demo accounts and create the initial admin user — the demo configuration ships well-known credentials (admin/admin and friends), so this must happen before anything but you can reach port 9200

    cd /usr/share/opensearch/plugins/opensearch-security/tools/

    # provide password you want to hash — hash.sh prompts for it; do not pass the password as
    # an argument, that would leave it in the shell history and in `ps` output.
    # The bundled JDK is pointed at explicitly (presumably no java on PATH on a stock install).
    OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./hash.sh

    hashing the password PASSWORD yields e.g. the following (bcrypt, cost 12; the hash is salted, so every run prints a different value for the same input and any of them is valid):
    $2y$12$86oAYtY1eFIygI2oYv3n.eaqG57IdunD4L.o92LVya6eeTFO.GIHO
    $2y$12$FXb.0ZogdcijTNurYZSNB.BCgUo3ri1ufQOju3cRpBlHdAlNC5/KC

    # Back up the packaged user file (permissions preserved), then replace the demo
    # accounts in the working copy with the admin entry below.
    users=/etc/opensearch/opensearch-security/internal_users.yml
    cp -pi "$users" "$users.dist"
    vi "$users"

    # keep the _meta block the packaged file starts with; only the user entries below it change
    admin:
      hash: "$2y$12$86oAYtY1eFIygI2oYv3n.eaqG57IdunD4L.o92LVya6eeTFO.GIHO"
      reserved: true
      backend_roles:
      - "admin"
      description: "admin user"

apply

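export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk
# Push only internal_users.yml into the security index; -f (single file) is paired with -t,
# which names the file type being uploaded.
# kirk.pem / root-ca.pem are the admin certificate and CA shipped by the demo installer: they
# are public, so anyone holding them is cluster admin. Replace the demo certs with your own CA
# and admin cert before this cluster holds real data.
# securityadmin talks to localhost:9200 unless -h is given, so run this on a node; with the
# demo certs -icl (ignore cluster name) and -nhnv (no hostname verification) may be needed.
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
    -f /etc/opensearch/opensearch-security/internal_users.yml \
    -t internalusers \
    -cacert /etc/opensearch/root-ca.pem \
    -cert /etc/opensearch/kirk.pem \
    -key /etc/opensearch/kirk-key.pem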

shooting troubles

ram requirements

OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000000c0000000, 1073741824, 0) fa>

==> the JVM cannot commit the heap it asks for; disabling the tmem kernel module (Xen transcendent memory, loaded from /etc/modules on this box) fixed it here:

# Comment out the tmem line so the module is no longer loaded at boot, then reboot for it to take effect.
vi /etc/modules

#tmem

reboot

cluster formation

[opensearch-cluster_manager] cluster-manager not discovered yet, this node has not previously joined a bootstrapped cluster, and [cluster.initial_cluster_manager_nodes] is empty on this node: have discovered [{opensearch-cluster_manager}{2mB8wMEnQaqJBc52MH2b1w}{HBTJ4ruqRkmXlYYbSMx4eA}{10.1.0.33}{10.1.0.33:9300}{m}{shard_indexing_pressure_enabled=true}]; discovery will continue using [10.1.0.31:9300, 10.1.0.32:9300, 10.1.0.30:9300] from hosts providers and [{opensearch-cluster_manager}{2mB8wMEnQaqJBc52MH2b1w}{HBTJ4ruqRkmXlYYbSMx4eA}{10.1.0.33}{10.1.0.33:9300}{m}{shard_indexing_pressure_enabled=true}] from last-known cluster state; node term 0, last-accepted version 0 in

term 0

==> reset the node's state and start from scratch (acceptable here because this is a PoC; on a real cluster this destroys all local index data and the security index)

# Wipe this node's data directory: indices AND the security index are gone, the node forgets
# its cluster state and rejoins as a fresh node. Data loss on anything but a PoC.
systemctl stop opensearch
rm -rf /var/lib/opensearch/*
systemctl start opensearch

start from scratch

# Full removal: package, logs (including any audit trail), data, and the config directory
# (which holds the TLS certificates and private keys). Irreversible.
systemctl stop opensearch
apt purge opensearch
rm -rf /var/log/opensearch
rm -rf /var/lib/opensearch
rm -rf /etc/opensearch/

resources

https://opensearch.org/docs/latest/install-and-configure/install-opensearch/debian/

https://opensearch.org/docs/latest/tuning-your-cluster/index/

https://logz.io/learn/opensearch-guide/

