Install and Configure OpenSearch & OpenSearch Dashboard
15 min readOpenSearch is a community-driven, open-source search and analytics suite used by developers to ingest, search, visualize, and analyze data. OpenSearch consists of a data store and search engine (OpenSearch), a visualization and user interface (OpenSearch Dashboards), and a server-side data collector (Data Prepper). Users can extend the functionality of OpenSearch with a selection of plugins that enhance search, analytics, observability, security, machine learning, and more.
Prerequisites
Disable Swap
sed -i '/ swap / s/^(.*)$/#1/g' /etc/fstab
swapoff -a
[root@rocky9 ~]# sed -i '/ swap / s/^(.*)$/#1/g' /etc/fstab
[root@rocky9 ~]# swapoff -a
Increase max_map_count to 262144
echo "vm.max_map_count=262144" >> /etc/sysctl.d/99-vm.conf
sysctl --system
[root@rocky9 ~]# #check previous value
[root@rocky9 ~]# sysctl -a | grep max_map_count
vm.max_map_count = 65530
[root@rocky9 ~]# #Change the value to required value
[root@rocky9 ~]# echo "vm.max_map_count=262144" >> /etc/sysctl.d/99-vm.conf
[root@rocky9 ~]# sysctl --system
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
* Applying /usr/lib/sysctl.d/50-coredump.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
* Applying /usr/lib/sysctl.d/50-libkcapi-optmem_max.conf ...
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
* Applying /usr/lib/sysctl.d/50-redhat.conf ...
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/99-vm.conf ...
* Applying /etc/sysctl.conf ...
kernel.yama.ptrace_scope = 0
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
kernel.core_pipe_limit = 16
fs.suid_dumpable = 2
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.ens160.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.ens160.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.ens160.promote_secondaries = 1
net.ipv4.conf.lo.promote_secondaries = 1
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
net.core.optmem_max = 81920
kernel.pid_max = 4194304
kernel.kptr_restrict = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.ens160.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
vm.max_map_count = 262144
[root@rocky9 ~]# Check the current value
[root@rocky9 ~]# sysctl -a | grep max_map_count
vm.max_map_count = 262144
Install Java
sudo dnf install java-11-openjdk -y
[root@rocky9 ~]# dnf install java-11-openjdk -y
Last metadata expiration check: -1 day, 18:57:29 ago on Wed 25 Sep 2024 05:33:14 PM EDT.
Dependencies resolved.
============================================================================================================================
Package Architecture Version Repository Size
============================================================================================================================
Installing:
java-11-openjdk x86_64 1:11.0.24.0.8-2.el9 appstream 406 k
---
Complete!
[root@rocky9 ~]# #check if java is installed and version
[root@rocky9 ~]# java -version
openjdk version "11.0.24" 2024-07-16 LTS
OpenJDK Runtime Environment (Red_Hat-11.0.24.0.8-2) (build 11.0.24+8-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-11.0.24.0.8-2) (build 11.0.24+8-LTS, mixed mode, sharing)
Change the default hashing algorithm to SHA1
Open Search GPG Key uses SHA1 hashing algorithm.
But, SHA1 has been deprecated in Red Hat Enterprise Linux 9 and RHEL 9 forks in favor of more secure hashing algorithms.
Although, the default policy does not accept SHA1, but you can still workaround this issue by temporarily enabling the SHA1 support and after installing OpenSearch you can revert back to the default hashing algorithm.
update-crypto-policies --set DEFAULT:SHA1
[root@rocky9 ~]# update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@rocky9 ~]#
Disable Firewalld and Selinux
systemctl disable --now firewalld
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
reboot
[root@rocky9 ~]# systemctl disable --now firewalld
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@rocky9 ~]# sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
[root@rocky9 ~]# sestatus
SELinux status: disabled
Reboot the System
[root@rocky9 ~]# init 6
Add Repository for OpenSearch
sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo -o /etc/yum.repos.d/opensearch-2.x.repo
sudo yum clean all
sudo yum repolist
sudo yum list opensearch --showduplicates
[avs@rocky9 ~]$ sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo -o /etc/yum.repos.d/opensearch-2.x.repo
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 242 100 242 0 0 232 0 0:00:01 0:00:01 --:--:-- 232
[avs@rocky9 ~]$ sudo yum clean all
25 files removed
[avs@rocky9 ~]$ sudo yum repolist
repo id repo name
appstream Rocky Linux 9 - AppStream
baseos Rocky Linux 9 - BaseOS
extras Rocky Linux 9 - Extras
opensearch-2.x OpenSearch 2.x
[avs@rocky9 ~]$ sudo yum list opensearch
Last metadata expiration check: 0:00:19 ago on Wed 25 Sep 2024 12:51:16 PM EDT.
Available Packages
opensearch.aarch64 2.17.0-1 opensearch-2.x
opensearch.x86_64 2.17.0-1 opensearch-2.x
Install OpenSearch
For OpenSearch versions 2.12 and later, a custom admin password is required in order to set up a demo security configuration for a new installation.
To set a custom admin password, use the following commands:
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=ke%U:302BiU yum install opensearch
[avs@rocky9 ~]$ sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=ke%U:302BiU dnf install opensearch -y
Last metadata expiration check: 0:04:11 ago on Wed 25 Sep 2024 12:51:16 PM EDT.
Dependencies resolved.
=================================================================================================================================================================================
Package Architecture Version Repository Size
=================================================================================================================================================================================
Installing:
opensearch x86_64 2.17.0-1 opensearch-2.x 822 M
Transaction Summary
=================================================================================================================================================================================
Install 1 Package
Total download size: 822 M
Installed size: 1.1 G
Downloading Packages:
---
Running transaction
Preparing : 1/1
Running scriptlet: opensearch-2.17.0-1.x86_64 1/1
Installing : opensearch-2.17.0-1.x86_64 1/1
Running scriptlet: opensearch-2.17.0-1.x86_64 1/1
/usr/lib/tmpfiles.d/opensearch.conf:1: Line references path below legacy directory /var/run/, updating /var/run/opensearch → /run/opensearch; please update the tmpfiles.d/ drop-in file accordingly.
### NOT starting on installation, please execute the following statements to configure opensearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
### You can start opensearch service by executing
sudo systemctl start opensearch.service
### Create opensearch demo certificates in /etc/opensearch/
See demo certs creation log in /var/log/opensearch/install_demo_configuration.log
### Breaking change in packaging since 2.13.0
In 2.13.0 and later releases of OpenSearch, we have changed the permissions associated with access to installed files
If you are configuring tools that require read access to the OpenSearch configuration files, we recommend you add the user that runs these tools to the 'opensearch' group
For more information, see https://github.com/opensearch-project/opensearch-build/pull/4043
/usr/lib/tmpfiles.d/opensearch.conf:1: Line references path below legacy directory /var/run/, updating /var/run/opensearch → /run/opensearch; please update the tmpfiles.d/ drop-in file accordingly.
Verifying : opensearch-2.17.0-1.x86_64 1/1
Installed:
opensearch-2.17.0-1.x86_64
Start and Configure OpenSearch
Start OpenSearch with Demo Config
sudo systemctl enable --now opensearch
[avs@rocky9 ~]$ sudo systemctl enable --now opensearch
Created symlink /etc/systemd/system/multi-user.target.wants/opensearch.service → /usr/lib/systemd/system/opensearch.service.
Test OpenSearch Connection
curl -X GET https://localhost:9200 -u 'admin:<your_password>' --insecure
[avs@rocky9 ~]$ curl -X GET https://localhost:9200 -u 'admin:ke%U:302BiU' --insecure
{
"name" : "rocky9.linuxvmimages.local",
"cluster_name" : "opensearch",
"cluster_uuid" : "Gb1LEdyLQhOLyPSRFklCfg",
"version" : {
"distribution" : "opensearch",
"number" : "2.17.0",
"build_type" : "rpm",
"build_hash" : "8586481dc99b1740ca3c7c966aee15ad0fc7b412",
"build_date" : "2024-09-13T01:03:56.097566655Z",
"build_snapshot" : false,
"lucene_version" : "9.11.1",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Configure OpenSearch for your environment
- Bind OpenSearch to an IP or network interface on the host.
- Set initial and maximum JVM heap sizes.
- Define an environment variable that points to the bundled JDK.
- Configure your own TLS certificates—no third-party certificate authority (CA) is required.
- Create an admin user with a custom password.
Bind OpenSearch to an IP or network interface on the host.
Change the following parameter as given below, if they don’t exist append in the relevant section or at the bottom of the file
[avs@rocky9 ~]$ sudo vi /etc/opensearch/opensearch.yml
network.host: 0.0.0.0
discovery.type: single-node
plugins.security.disabled: false
Specify initial and maximum JVM heap size
[avs@rocky9 ~]$ sudo vi /etc/opensearch/jvm.options
-Xms4g
-Xmx4g
Configure TLS
I’ve created a bash script to simplify the certificate creation, you can tweak as per your requirements.
create_certs.sh
#!/bin/bash
# Define the directory for certificates
CERT_DIR="/etc/opensearch"
# Navigate to the certificate directory
cd "$CERT_DIR" || { echo "Failed to navigate to $CERT_DIR"; exit 1; }
# Step 1: Delete the demo certificates
echo "Deleting demo certificates..."
sudo rm -f *.pem
# Step 2: Generate a root certificate
echo "Generating root certificate..."
sudo openssl genrsa -out root-ca-key.pem 2048
sudo openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730
# Step 3: Create the admin certificate
echo "Creating admin certificate..."
sudo openssl genrsa -out admin-key-temp.pem 2048
sudo openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
sudo openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr
sudo openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
# Step 4: Create a certificate for the node
echo "Creating node certificate..."
sudo openssl genrsa -out node1-key-temp.pem 2048
sudo openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem
sudo openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record" -out node1.csr
sudo sh -c 'echo subjectAltName=DNS:node1.dns.a-record > node1.ext'
sudo openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext
# Step 5: Remove temporary files
echo "Removing temporary files..."
sudo rm -f *temp.pem *csr *ext
# Step 6: Change ownership of the remaining certificates
echo "Changing ownership of certificates..."
sudo chown opensearch:opensearch admin-key.pem admin.pem node1-key.pem node1.pem root-ca-key.pem root-ca.pem root-ca.srl
echo "Certificate generation completed successfully."
Change the mode of create_certs.sh to executable and then execute it.
[avs@rocky9 ~]$ chmod +x create_certs.sh
[avs@rocky9 ~]$ sudo ./create_certs.sh
Deleting demo certificates...
Generating root certificate...
Creating admin certificate...
Certificate request self-signature ok
subject=C = CA, ST = ONTARIO, L = TORONTO, O = ORG, OU = UNIT, CN = A
Creating node certificate...
Certificate request self-signature ok
subject=C = CA, ST = ONTARIO, L = TORONTO, O = ORG, OU = UNIT, CN = node1.dns.a-record
Removing temporary files...
Changing ownership of certificates...
Certificate generation completed successfully.
Replace the entries in yml file from line: plugins.security.disabled: false
plugins.security.disabled: false
######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node1.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
# HTTP SSL Configuration
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node1.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
# Security settings
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
- 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
# System indices configuration
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [
.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector, .plugins-ml-controller,
.plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
.plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
.plugins-ml-stop-words, .opendistro-alerting-config, .opendistro-alerting-alert*,
.opendistro-anomaly-results*, .opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints,
.opendistro-anomaly-detection-state, .opendistro-reports-*, .opensearch-notifications-*,
.opensearch-notebooks, .opensearch-observability, .ql-datasources,
.opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
.geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
.plugins-flow-framework-state
]
# Other settings
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########
Configure or Create a New User
We started the cluster with a password that should adhere to OpenSearch requirements, which makes it un-memorable, we will change the admin password to our preference now.
Users are defined and authenticated by OpenSearch in a variety of ways. One method that does not require additional backend infrastructure is to manually configure users in internal_users.yml
Let’s generate a hash for our preferable password
cd /usr/share/opensearch/plugins/opensearch-security/tools
[avs@rocky9 ~]$ cd /usr/share/opensearch/plugins/opensearch-security/tools
[avs@rocky9 tools]$ ./hash.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use /usr/bin/java
[Password:]
$2y$12$x4O8/8Y9C/2tXDXNFknR9u/z/pRk5.QXXZq2bcVaxAm2rEcrF6Sqe
Enter the desired password at the prompt and make a note of the output hash.
Change the password in the /etc/opensearch/opensearch-security/internal_users.yml file also delete the demo users, except for admin
---
_meta:
type: "internalusers"
config_version: 2
admin:
hash: "$2y$12$x4O8/8Y9C/2tXDXNFknR9u/z/pRk5.QXXZq2bcVaxAm2rEcrF6Sqe"
reserved: true
backend_roles:
- "admin"
description: "Admin user"
Apply Changes
[avs@rocky9 tools]$ cd /usr/share/opensearch/plugins/opensearch-security/tools
[avs@rocky9 tools]$ sudo OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"
OpenSearch Version: 2.17.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: flink_dev_test
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/opensearch/opensearch-security/
Will update '/config' with /etc/opensearch/opensearch-security/config.yml
SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/opensearch/opensearch-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/opensearch/opensearch-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/opensearch/opensearch-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/opensearch/opensearch-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/opensearch/opensearch-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/opensearch/opensearch-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/opensearch/opensearch-security/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/opensearch/opensearch-security/audit.yml
SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/opensearch/opensearch-security/allowlist.yml
SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"]) due to: null
Done with success
Test Connectivity with New Password
curl -X GET https://localhost:9200 -u 'admin:admin' --insecure
[avs@rocky9 ~]$ curl -X GET https://localhost:9200 -u 'admin:admin' --insecure
{
"name" : "rocky9.linuxvmimages.local",
"cluster_name" : "flink_dev_test",
"cluster_uuid" : "Gb1LEdyLQhOLyPSRFklCfg",
"version" : {
"distribution" : "opensearch",
"number" : "2.17.0",
"build_type" : "rpm",
"build_hash" : "8586481dc99b1740ca3c7c966aee15ad0fc7b412",
"build_date" : "2024-09-13T01:03:56.097566655Z",
"build_snapshot" : false,
"lucene_version" : "9.11.1",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Install OpenSearch Dashboard
OpenSearch Dashboards provides a fully integrated solution for visually exploring, discovering, and querying your observability data. You can install OpenSearch Dashboards with any of the following options:
Create a local repository file for OpenSearch Dashboards:
sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/opensearch-dashboards-2.x.repo -o /etc/yum.repos.d/opensearch-dashboards-2.x.repo
sudo dnf repolist
sudo dnf clean all
sudo dnf list opensearch-dashboards --showduplicates
[avs@rocky9 ~]$ sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/opensearch-dashboards-2.x.repo -o /etc/yum.repos.d/opensearch-dashboards-2.x.repo
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 275 100 275 0 0 851 0 --:--:-- --:--:-- --:--:-- 856
[avs@rocky9 ~]$ sudo dnf repolist
repo id repo name
appstream Rocky Linux 9 - AppStream
baseos Rocky Linux 9 - BaseOS
extras Rocky Linux 9 - Extras
opensearch-2.x OpenSearch 2.x
opensearch-dashboards-2.x OpenSearch Dashboards 2.x
[avs@rocky9 ~]$ sudo dnf clean all
31 files removed
[avs@rocky9 ~]$ sudo dnf list opensearch-dashboards
OpenSearch 2.x 275 kB/s | 395 kB 00:01
OpenSearch Dashboards 2.x 541 B/s | 498 B 00:00
OpenSearch Dashboards 2.x 12 kB/s | 4.2 kB 00:00
Importing GPG key 0x9310D3FC:
Userid : "OpenSearch project <opensearch@amazon.com>"
Fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
From : https://artifacts.opensearch.org/publickeys/opensearch.pgp
Is this ok [y/N]: y
OpenSearch Dashboards 2.x 3.1 MB/s | 23 MB 00:07
Rocky Linux 9 - BaseOS 785 kB/s | 2.3 MB 00:02
Rocky Linux 9 - AppStream 1.7 MB/s | 8.0 MB 00:04
Rocky Linux 9 - Extras 7.6 kB/s | 15 kB 00:01
Available Packages
opensearch-dashboards.aarch64 2.17.0-1 opensearch-dashboards-2.x
opensearch-dashboards.x86_64 2.17.0-1 opensearch-dashboards-2.x
Install OpenSearch Dashboard
[avs@rocky9 ~]$ sudo dnf install opensearch-dashboards -y
Last metadata expiration check: 0:02:48 ago on Wed 25 Sep 2024 02:05:03 PM EDT.
Dependencies resolved.
=================================================================================================================================================================================
Package Architecture Version Repository Size
=================================================================================================================================================================================
Installing:
opensearch-dashboards x86_64 2.17.0-1 opensearch-dashboards-2.x 252 M
Transaction Summary
=================================================================================================================================================================================
Install 1 Package
Total download size: 252 M
Installed size: 1.1 G
Downloading Packages:
opensearch-dashboards-2.17.0-linux-x64.rpm 3.3 MB/s | 252 MB 01:17
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 3.3 MB/s | 252 MB 01:17
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: opensearch-dashboards-2.17.0-1.x86_64 1/1
Installing : opensearch-dashboards-2.17.0-1.x86_64 1/1
Running scriptlet: opensearch-dashboards-2.17.0-1.x86_64 1/1
/usr/lib/tmpfiles.d/opensearch-dashboards.conf:1: Line references path below legacy directory /var/run/, updating /var/run/opensearch-dashboards → /run/opensearch-dashboards; please update the tmpfiles.d/ drop-in file accordingly.
### NOT starting on installation, please execute the following statements to configure opensearch-dashboards service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable opensearch-dashboards.service
### You can start opensearch-dashboards service by executing
sudo systemctl start opensearch-dashboards.service
### Breaking change in packaging since 2.13.0
In 2.13.0 and later releases of OpenSearch Dashboards, we have changed the permissions associated with access to installed files
If you are configuring tools that require read access to the OpenSearch Dashboards configuration files, we recommend you add the user that runs these tools to the 'opensearch-dashboards' group
For more information, see https://github.com/opensearch-project/opensearch-build/pull/4043
/usr/lib/tmpfiles.d/opensearch-dashboards.conf:1: Line references path below legacy directory /var/run/, updating /var/run/opensearch-dashboards → /run/opensearch-dashboards; please update the tmpfiles.d/ drop-in file accordingly.
/usr/lib/tmpfiles.d/opensearch.conf:1: Line references path below legacy directory /var/run/, updating /var/run/opensearch → /run/opensearch; please update the tmpfiles.d/ drop-in file accordingly.
Verifying : opensearch-dashboards-2.17.0-1.x86_64 1/1
Installed:
opensearch-dashboards-2.17.0-1.x86_64
Configure OpenSearch yml file
Append or modify the following parameters in /etc/opensearch-dashboards/opensearch_dashboards.yml
server.host: "0.0.0.0"
opensearch.ssl.verificationMode: none
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: admin
opensearch.password: admin
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
Start OpenSearch Dashboard
[avs@rocky9 ~]$ sudo systemctl enable --now opensearch-dashboards
Created symlink /etc/systemd/system/multi-user.target.wants/opensearch-dashboards.service → /usr/lib/systemd/system/opensearch-dashboards.service.
[avs@rocky9 ~]$ systemctl status opensearch-dashboards
● opensearch-dashboards.service - "OpenSearch Dashboards"
Loaded: loaded (/usr/lib/systemd/system/opensearch-dashboards.service; enabled; preset: disabled)
Active: active (running) since Wed 2024-09-25 14:17:12 EDT; 24s ago
Main PID: 26714 (node)
Tasks: 11 (limit: 48731)
Memory: 266.5M
CPU: 7.664s
CGroup: /system.slice/opensearch-dashboards.service
└─26714 /usr/share/opensearch-dashboards/node/bin/node /usr/share/opensearch-dashboards/src/cli/dist
Sep 25 14:17:18 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:18Z","tags":["info","dynamic-config-service"],"pid":26714,>
Sep 25 14:17:18 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:18Z","tags":["info","dynamic-config-service"],"pid":26714,>
Sep 25 14:17:18 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:18Z","tags":["info","savedobjects-service"],"pid":26714,"m>
Sep 25 14:17:18 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:18Z","tags":["info","savedobjects-service"],"pid":26714,"m>
Sep 25 14:17:18 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:18Z","tags":["warning","cross-compatibility-service"],"pid>
Sep 25 14:17:18 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:18Z","tags":["info","plugins-system"],"pid":26714,"message>
Sep 25 14:17:18 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:18Z","tags":["error","plugins","securityDashboards"],"pid">
Sep 25 14:17:18 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:18Z","tags":["warning","environment"],"pid":26714,"message>
Sep 25 14:17:18 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:18Z","tags":["listening","info"],"pid":26714,"message":"Se>
Sep 25 14:17:19 rocky9.linuxvmimages.local opensearch-dashboards[26714]: {"type":"log","@timestamp":"2024-09-25T18:17:19Z","tags":["info","http","server","OpenSearchDashboards">