Docker security configuration

Before deploying to a production environment, you should replace the demo security certificates and configuration YAML files with your own. With the tarball, you have direct access to the file system, but the Docker image requires modifying the Docker storage volumes to include the replacement files.

Additionally, you can set the Docker environment variable DISABLE_INSTALL_DEMO_CONFIG to true. This change completely disables the demo installer.

Sample Docker Compose file

  1. version: '3'
  2. services:
  3. opensearch-node1:
  4. image: opensearchproject/opensearch:1.1.0
  5. container_name: opensearch-node1
  6. environment:
  7. - cluster.name=opensearch-cluster
  8. - node.name=opensearch-node1
  9. - discovery.seed_hosts=opensearch-node1,opensearch-node2
  10. - cluster.initial_master_nodes=opensearch-node1,opensearch-node2
  11. - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
  12. - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
  13. - network.host=0.0.0.0 # required if not using the demo security configuration
  14. ulimits:
  15. memlock:
  16. soft: -1
  17. hard: -1
  18. nofile:
  19. soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
  20. hard: 65536
  21. volumes:
  22. - opensearch-data1:/usr/share/opensearch/data
  23. - ./root-ca.pem:/usr/share/opensearch/config/root-ca.pem
  24. - ./node.pem:/usr/share/opensearch/config/node.pem
  25. - ./node-key.pem:/usr/share/opensearch/config/node-key.pem
  26. - ./admin.pem:/usr/share/opensearch/config/admin.pem
  27. - ./admin-key.pem:/usr/share/opensearch/config/admin-key.pem
  28. - ./custom-opensearch.yml:/usr/share/opensearch/config/opensearch.yml
  29. - ./internal_users.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
  30. - ./roles_mapping.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
  31. - ./tenants.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml
  32. - ./roles.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml
  33. - ./action_groups.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/action_groups.yml
  34. ports:
  35. - 9200:9200
  36. - 9600:9600 # required for Performance Analyzer
  37. networks:
  38. - opensearch-net
  39. opensearch-node2:
  40. image: opensearchproject/opensearch:1.1.0
  41. container_name: opensearch-node2
  42. environment:
  43. - cluster.name=opensearch-cluster
  44. - node.name=opensearch-node2
  45. - discovery.seed_hosts=opensearch-node1,opensearch-node2
  46. - cluster.initial_master_nodes=opensearch-node1,opensearch-node2
  47. - bootstrap.memory_lock=true
  48. - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
  49. - network.host=0.0.0.0
  50. ulimits:
  51. memlock:
  52. soft: -1
  53. hard: -1
  54. nofile:
  55. soft: 65536
  56. hard: 65536
  57. volumes:
  58. - opensearch-data2:/usr/share/opensearch/data
  59. - ./root-ca.pem:/usr/share/opensearch/config/root-ca.pem
  60. - ./node.pem:/usr/share/opensearch/config/node.pem
  61. - ./node-key.pem:/usr/share/opensearch/config/node-key.pem
  62. - ./admin.pem:/usr/share/opensearch/config/admin.pem
  63. - ./admin-key.pem:/usr/share/opensearch/config/admin-key.pem
  64. - ./custom-opensearch.yml:/usr/share/opensearch/config/opensearch.yml
  65. - ./internal_users.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
  66. - ./roles_mapping.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
  67. - ./tenants.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml
  68. - ./roles.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml
  69. - ./action_groups.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/action_groups.yml
  70. networks:
  71. - opensearch-net
  72. opensearch-dashboards
  73. image: opensearchproject/opensearch-dashboards:1.1.0
  74. container_name: opensearch-dashboards
  75. ports:
  76. - 5601:5601
  77. expose:
  78. - "5601"
  79. environment:
  80. OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]' # must be a string with no spaces when specified as an environment variable
  81. volumes:
  82. - ./custom-opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
  83. networks:
  84. - opensearch-net
  85. volumes:
  86. opensearch-data1:
  87. opensearch-data2:
  88. networks:
  89. opensearch-net:

Then make your changes to opensearch.yml. For a full list of settings, see Security. This example adds (extremely) verbose audit logging:

  1. plugins.security.ssl.transport.pemcert_filepath: node.pem
  2. plugins.security.ssl.transport.pemkey_filepath: node-key.pem
  3. plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
  4. plugins.security.ssl.transport.enforce_hostname_verification: false
  5. plugins.security.ssl.http.enabled: true
  6. plugins.security.ssl.http.pemcert_filepath: node.pem
  7. plugins.security.ssl.http.pemkey_filepath: node-key.pem
  8. plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
  9. plugins.security.allow_default_init_securityindex: true
  10. plugins.security.authcz.admin_dn:
  11. - CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA
  12. plugins.security.nodes_dn:
  13. - 'CN=N,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  14. plugins.security.audit.type: internal_opensearch
  15. plugins.security.enable_snapshot_restore_privilege: true
  16. plugins.security.check_snapshot_restore_write_privileges: true
  17. plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
  18. cluster.routing.allocation.disk.threshold_enabled: false
  19. opendistro_security.audit.config.disabled_rest_categories: NONE
  20. opendistro_security.audit.config.disabled_transport_categories: NONE

Use this same override process to specify new authentication settings in /usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml, as well as new default internal users, roles, mappings, action groups, and tenants.

To start the cluster, run docker-compose up.

If you encounter any File /usr/share/opensearch/config/opensearch.yml has insecure file permissions (should be 0600) messages, you can use chmod to set file permissions before running docker-compose up. Docker Compose passes files to the container as-is.

Finally, you can reach OpenSearch Dashboards at http://localhost:5601, sign in, and use the Security panel to perform other management tasks.

Using certificates with Docker

To use your own certificates in your configuration, add all of the necessary certificates to the volumes section of the Docker Compose file:

  1. volumes:
  2. - ./root-ca.pem:/full/path/to/certificate.pem
  3. - ./admin.pem:/full/path/to/certificate.pem
  4. - ./admin-key.pem:/full/path/to/certificate.pem
  5. #Add other certificates

After replacing the demo certificates with your own, you must also include a custom opensearch.yml in your setup, which you need to specify in the volumes section.

  1. volumes:
  2. #Add certificates here
  3. - ./custom-opensearch.yml: /full/path/to/custom-opensearch.yml

Remember that the certificates you specify in your Docker Compose file must be the same as the certificates listed in your custom opensearch.yml file. At a minimum, you should replace the root, admin, and node certificates with your own. For more information about adding and using certificates, see Configure TLS certificates.

  1. plugins.security.ssl.transport.pemcert_filepath: new-node-cert.pem
  2. plugins.security.ssl.transport.pemkey_filepath: new-node-cert-key.pem
  3. plugins.security.ssl.transport.pemtrustedcas_filepath: new-root-ca.pem
  4. plugins.security.ssl.http.pemcert_filepath: new-node-cert.pem
  5. plugins.security.ssl.http.pemkey_filepath: new-node-cert-key.pem
  6. plugins.security.ssl.http.pemtrustedcas_filepath: new-root-ca.pem
  7. plugins.security.authcz.admin_dn:
  8. - CN=admin,OU=SSL,O=Test,L=Test,C=DE

To start the cluster, run docker-compose up as usual.