Rolling upgrade lab
You can follow these steps on your own compatible host to recreate the same cluster state the OpenSearch Project used for testing rolling upgrades. This exercise is useful if you want to test the upgrade process in a development environment.
The steps used in this lab were validated on an arbitrarily chosen Amazon Elastic Compute Cloud (Amazon EC2) t2.large
instance using Amazon Linux 2 kernel version Linux 5.10.162-141.675.amzn2.x86_64
and Docker version 20.10.17, build 100c701
. The instance was provisioned with an attached 20 GiB gp2 Amazon EBS root volume. These specifications are included for informational purposes and do not represent hardware requirements for OpenSearch or OpenSearch Dashboards.
References in this procedure to the $HOME
path on the host machine in this procedure are represented by the tilde character (“~”) to make the instructions more portable. If you would prefer to specify an absolute path, modify the volume paths defined in upgrade-demo-cluster.sh
and used throughout relevant commands in this document to reflect your environment.
Setting up the environment
As you follow the steps in this document, you will define several Docker resources, including containers, volumes, and a dedicated Docker network, using a script we provide. You can clean up your environment with the following command if you want to restart the process:
docker container stop $(docker container ls -aqf name=os-); \
docker container rm $(docker container ls -aqf name=os-); \
docker volume rm -f $(docker volume ls -q | egrep 'data-0|repo-0'); \
docker network rm opensearch-dev-net
copy
The command removes container names matching the regular expression os-*
, data volumes matching data-0*
and repo-0*
, and the Docker network named opensearch-dev-net
. If you have other Docker resources running on your host, then you should review and modify the command to avoid removing other resources unintentionally. This command does not revert host configuration changes, like memory swapping behavior.
After selecting a host, you can begin the lab:
- Install the appropriate version of Docker Engine for your Linux distribution and system architecture.
Configure important system settings on your host:
Disable memory paging and swapping on the host to improve performance:
sudo swapoff -a
copy
Increase the number of memory maps available to OpenSearch. Open the
sysctl
configuration file for editing. This example command uses the vim text editor, but you can use any available text editor:sudo vim /etc/sysctl.conf
copy
Add the following line to
/etc/sysctl.conf
:vm.max_map_count=262144
copy
Save and quit. If you use the
vi
orvim
text editors, you save and quit by switching to command mode, and entering:wq!
orZZ
.Apply the configuration change:
sudo sysctl -p
copy
Create a new directory called
deploy
in your home directory, then navigate to it. You will use~/deploy
for paths in the deployment script, configuration files, and TLS certificates:mkdir ~/deploy && cd ~/deploy
copy
Download
upgrade-demo-cluster.sh
from the OpenSearch Project documentation-website repository:wget https://raw.githubusercontent.com/opensearch-project/documentation-website/main/assets/examples/upgrade-demo-cluster.sh
copy
Run the script without any modifications in order to deploy four containers running OpenSearch and one container running OpenSearch Dashboards, with custom, self-signed TLS certificates and a pre-defined set of internal users:
sh upgrade-demo-cluster.sh
copy
Confirm that the containers were launched successfully:
docker container ls
copy
Example response
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e5218c8397d opensearchproject/opensearch-dashboards:1.3.7 "./opensearch-dashbo…" 24 seconds ago Up 22 seconds 0.0.0.0:5601->5601/tcp, :::5601->5601/tcp os-dashboards-01
cb5188308b21 opensearchproject/opensearch:1.3.7 "./opensearch-docker…" 25 seconds ago Up 24 seconds 9300/tcp, 9650/tcp, 0.0.0.0:9204->9200/tcp, :::9204->9200/tcp, 0.0.0.0:9604->9600/tcp, :::9604->9600/tcp os-node-04
71b682aa6671 opensearchproject/opensearch:1.3.7 "./opensearch-docker…" 26 seconds ago Up 25 seconds 9300/tcp, 9650/tcp, 0.0.0.0:9203->9200/tcp, :::9203->9200/tcp, 0.0.0.0:9603->9600/tcp, :::9603->9600/tcp os-node-03
f894054a9378 opensearchproject/opensearch:1.3.7 "./opensearch-docker…" 27 seconds ago Up 26 seconds 9300/tcp, 9650/tcp, 0.0.0.0:9202->9200/tcp, :::9202->9200/tcp, 0.0.0.0:9602->9600/tcp, :::9602->9600/tcp os-node-02
2e9c91c959cd opensearchproject/opensearch:1.3.7 "./opensearch-docker…" 28 seconds ago Up 27 seconds 9300/tcp, 9650/tcp, 0.0.0.0:9201->9200/tcp, :::9201->9200/tcp, 0.0.0.0:9601->9600/tcp, :::9601->9600/tcp os-node-01
The amount of time OpenSearch needs to initialize the cluster varies depending on the performance capabilities of the underlying host. You can follow container logs to see what OpenSearch is doing during the bootstrap process:
Enter the following command to display logs for container
os-node-01
in the terminal window:docker logs -f os-node-01
copy
You will see a log entry resembling the following example when the node is ready:
Example
[INFO ][o.o.s.c.ConfigurationRepository] [os-node-01] Node 'os-node-01' initialized
Press
Ctrl+C
to stop following container logs and return to the command prompt.
Use cURL to query the OpenSearch REST API. In the following command,
os-node-01
is queried by sending the request to host port9201
, which is mapped to port9200
on the container:curl -s "https://localhost:9201" -ku admin:<custom-admin-password>
copy
Example response
{
"name" : "os-node-01",
"cluster_name" : "opensearch-dev-cluster",
"cluster_uuid" : "g1MMknuDRuuD9IaaNt56KA",
"version" : {
"distribution" : "opensearch",
"number" : "1.3.7",
"build_type" : "tar",
"build_hash" : "db18a0d5a08b669fb900c00d81462e221f4438ee",
"build_date" : "2022-12-07T22:59:20.186520Z",
"build_snapshot" : false,
"lucene_version" : "8.10.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Tip: Use the -s
option with curl
to hide the progress meter and error messages.
Adding data and configuring OpenSearch Security
Now that the OpenSearch cluster is running, it’s time to add data and configure some OpenSearch Security settings. The data you add and settings you configure will be validated again after the version upgrade is complete.
This section can be broken down into two parts:
Indexing data with the REST API
Download the sample field mappings file:
wget https://raw.githubusercontent.com/opensearch-project/documentation-website/main/assets/examples/ecommerce-field_mappings.json
copy
Next, download the bulk data that you will ingest into this index:
wget https://raw.githubusercontent.com/opensearch-project/documentation-website/main/assets/examples/ecommerce.ndjson
copy
Use the Create index API to create an index using the mappings defined in
ecommerce-field_mappings.json
:curl -H "Content-Type: application/json" \
-X PUT "https://localhost:9201/ecommerce?pretty" \
--data-binary "@ecommerce-field_mappings.json" \
-ku admin:<custom-admin-password>
copy
Example response
{
"acknowledged" : true,
"shards_acknowledged" : true,
"index" : "ecommerce"
}
Use the Bulk API to add data to the new ecommerce index from
ecommerce.ndjson
:curl -H "Content-Type: application/x-ndjson" \
-X PUT "https://localhost:9201/ecommerce/_bulk?pretty" \
--data-binary "@ecommerce.ndjson" \
-ku admin:<custom-admin-password>
copy
Example response (truncated)
{
"took" : 3323,
"errors" : false,
"items" : [
...
"index" : {
"_index" : "ecommerce",
"_type" : "_doc",
"_id" : "4674",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"_seq_no" : 4674,
"_primary_term" : 1,
"status" : 201
}
]
}
A search query can also confirm that the data was indexed successfully. The following query returns the number of documents in which keyword `customer_first_name` equals `Sonya`:
curl -H 'Content-Type: application/json' \
-X GET "https://localhost:9201/ecommerce/_search?pretty=true&filter_path=hits.total" \
-d'{"query":{"match":{"customer_first_name":"Sonya"}}}' \
-ku admin:<custom-admin-password>
copy
Example response
{
"hits" : {
"total" : {
"value" : 106,
"relation" : "eq"
}
}
}
Adding data using OpenSearch Dashboards
- Open a web browser and navigate to port
5601
on your Docker host (for example,https://HOST_ADDRESS:5601
). If OpenSearch Dashboards is running and you have network access to the host from your browser client, then you will be redirected to a login page.- If the web browser throws an error because the TLS certificates are self-signed, then you might need to bypass certificate checks in your browser. Refer to the browser’s documentation for information about bypassing certificate checks. The common name (CN) for each certificate is generated according to the container and node names for intracluster communication, so connecting to the host from a browser will still result in an “invalid CN” warning.
- Enter the default username (
admin
) and password (admin
). - On the OpenSearch Dashboards Home page, select Add sample data.
- Under Sample web logs, select Add data.
- Optional: Select View data to review the [Logs] Web Traffic dashboard.
- Select the Menu button to open the Navigation pane, then go to Security > Internal users.
- Select Create internal user.
- Provide a Username and Password.
- In the Backend role field, enter
admin
. - Select Create.
Backing up important files
Always create backups before making changes to your cluster, especially if the cluster is running in a production environment.
In this section you will be:
Registering a snapshot repository
Register a repository using the volume that was mapped by
upgrade-demo-cluster.sh
:curl -H 'Content-Type: application/json' \
-X PUT "https://localhost:9201/_snapshot/snapshot-repo?pretty" \
-d '{"type":"fs","settings":{"location":"/usr/share/opensearch/snapshots"}}' \
-ku admin:<custom-admin-password>
copy
Example response
{
"acknowledged" : true
}
Optional: Perform an additional check to verify that the repository was created successfully:
curl -H 'Content-Type: application/json' \
-X POST "https://localhost:9201/_snapshot/snapshot-repo/_verify?timeout=0s&master_timeout=50s&pretty" \
-ku admin:<custom-admin-password>
copy
Example response
{
"nodes" : {
"UODBXfAlRnueJ67grDxqgw" : {
"name" : "os-node-03"
},
"14I_OyBQQXio8nmk0xsVcQ" : {
"name" : "os-node-04"
},
"tQp3knPRRUqHvFNKpuD2vQ" : {
"name" : "os-node-02"
},
"rPe8D6ssRgO5twIP00wbCQ" : {
"name" : "os-node-01"
}
}
}
Creating a snapshot
Snapshots are backups of a cluster’s indexes and state. See Snapshots to learn more.
Create a snapshot that includes all indexes and the cluster state:
curl -H 'Content-Type: application/json' \
-X PUT "https://localhost:9201/_snapshot/snapshot-repo/cluster-snapshot-v137?wait_for_completion=true&pretty" \
-ku admin:<custom-admin-password>
copy
Example response
{
"snapshot" : {
"snapshot" : "cluster-snapshot-v137",
"uuid" : "-IYB8QNPShGOTnTtMjBjNg",
"version_id" : 135248527,
"version" : "1.3.7",
"indices" : [
"opensearch_dashboards_sample_data_logs",
".opendistro_security",
"security-auditlog-2023.02.27",
".kibana_1",
".kibana_92668751_admin_1",
"ecommerce",
"security-auditlog-2023.03.06",
"security-auditlog-2023.02.28",
"security-auditlog-2023.03.07"
],
"data_streams" : [ ],
"include_global_state" : true,
"state" : "SUCCESS",
"start_time" : "2023-03-07T18:33:00.656Z",
"start_time_in_millis" : 1678213980656,
"end_time" : "2023-03-07T18:33:01.471Z",
"end_time_in_millis" : 1678213981471,
"duration_in_millis" : 815,
"failures" : [ ],
"shards" : {
"total" : 9,
"failed" : 0,
"successful" : 9
}
}
}
Backing up security settings
Cluster administrators can modify OpenSearch Security settings by using any of the following methods:
- Modifying YAML files and running
securityadmin.sh
- Making REST API requests using the admin certificate
- Making changes with OpenSearch Dashboards
Regardless of the method you choose, OpenSearch Security writes your configuration to a special system index called .opendistro_security
. This system index is preserved through the upgrade process, and it is also saved in the snapshot you created. However, restoring system indexes requires elevated access granted by the admin
certificate. To learn more, see System indexes and Configuring TLS certificates.
You can also export your OpenSearch Security settings as YAML files by running securityadmin.sh
with the -backup
option on any of your OpenSearch nodes. These YAML files can be used to reinitialize the .opendistro_security
index with your existing configuration. The following steps will guide you through generating these backup files and copying them to your host for storage:
Open an interactive pseudo-TTY session with
os-node-01
:docker exec -it os-node-01 bash
copy
Create a directory called
backups
and navigate to it:mkdir /usr/share/opensearch/backups && cd /usr/share/opensearch/backups
copy
Use
securityadmin.sh
to create backups of your OpenSearch Security settings in/usr/share/opensearch/backups/
:/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
-backup /usr/share/opensearch/backups \
-icl \
-nhnv \
-cacert /usr/share/opensearch/config/root-ca.pem \
-cert /usr/share/opensearch/config/admin.pem \
-key /usr/share/opensearch/config/admin-key.pem
copy
Example response
Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=A,OU=DOCS,O=OPENSEARCH,L=PORTLAND,ST=OREGON,C=US
OpenSearch Version: 1.3.7
OpenSearch Security Version: 1.3.7.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch-dev-cluster
Clusterstate: GREEN
Number of nodes: 4
Number of data nodes: 4
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /usr/share/opensearch/backups/config.yml
SUCC: Configuration for 'config' stored in /usr/share/opensearch/backups/config.yml
Will retrieve '/roles' into /usr/share/opensearch/backups/roles.yml
SUCC: Configuration for 'roles' stored in /usr/share/opensearch/backups/roles.yml
Will retrieve '/rolesmapping' into /usr/share/opensearch/backups/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' stored in /usr/share/opensearch/backups/roles_mapping.yml
Will retrieve '/internalusers' into /usr/share/opensearch/backups/internal_users.yml
SUCC: Configuration for 'internalusers' stored in /usr/share/opensearch/backups/internal_users.yml
Will retrieve '/actiongroups' into /usr/share/opensearch/backups/action_groups.yml
SUCC: Configuration for 'actiongroups' stored in /usr/share/opensearch/backups/action_groups.yml
Will retrieve '/tenants' into /usr/share/opensearch/backups/tenants.yml
SUCC: Configuration for 'tenants' stored in /usr/share/opensearch/backups/tenants.yml
Will retrieve '/nodesdn' into /usr/share/opensearch/backups/nodes_dn.yml
SUCC: Configuration for 'nodesdn' stored in /usr/share/opensearch/backups/nodes_dn.yml
Will retrieve '/whitelist' into /usr/share/opensearch/backups/whitelist.yml
SUCC: Configuration for 'whitelist' stored in /usr/share/opensearch/backups/whitelist.yml
Will retrieve '/audit' into /usr/share/opensearch/backups/audit.yml
SUCC: Configuration for 'audit' stored in /usr/share/opensearch/backups/audit.yml
Optional: Create a backup directory for TLS certificates and store copies of the certificates. Repeat this for each node if you use unique TLS certificates:
mkdir /usr/share/opensearch/backups/certs && cp /usr/share/opensearch/config/*pem /usr/share/opensearch/backups/certs/
copy
Terminate the pseudo-TTY session:
exit
copy
Copy the files to your host:
docker cp os-node-01:/usr/share/opensearch/backups ~/deploy/
copy
Performing the upgrade
Now that the cluster is configured and you have made backups of important files and settings, it’s time to begin the version upgrade.
Some steps included in this section, like disabling shard replication and flushing the transaction log, will not impact the performance of your cluster. These steps are included as best practices and can significantly improve cluster performance in situations where clients continue interacting with the OpenSearch cluster throughout the upgrade, such as by querying existing data or indexing documents.
Disable shard replication to stop the movement of Lucene index segments within your cluster:
curl -H 'Content-type: application/json' \
-X PUT "https://localhost:9201/_cluster/settings?pretty" \
-d'{"persistent":{"cluster.routing.allocation.enable":"primaries"}}' \
-ku admin:<custom-admin-password>
copy
Example response
{
"acknowledged" : true,
"persistent" : {
"cluster" : {
"routing" : {
"allocation" : {
"enable" : "primaries"
}
}
}
},
"transient" : { }
}
Perform a flush operation on the cluster to commit transaction log entries to the Lucene index:
curl -X POST "https://localhost:9201/_flush?pretty" -ku admin:<custom-admin-password>
copy
Example response
{
"_shards" : {
"total" : 20,
"successful" : 20,
"failed" : 0
}
}
Select a node to upgrade. You can upgrade nodes in any order because all of the nodes in this demo cluster are eligible cluster managers. The following command will stop and remove container
os-node-01
without removing the mounted data volume:docker stop os-node-01 && docker container rm os-node-01
copy
Start a new container named
os-node-01
with theopensearchproject/opensearch:2.5.0
image and using the same mapped volumes as the original container:docker run -d \
-p 9201:9200 -p 9601:9600 \
-e "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" \
--ulimit nofile=65536:65536 --ulimit memlock=-1:-1 \
-v data-01:/usr/share/opensearch/data \
-v repo-01:/usr/share/opensearch/snapshots \
-v ~/deploy/opensearch-01.yml:/usr/share/opensearch/config/opensearch.yml \
-v ~/deploy/root-ca.pem:/usr/share/opensearch/config/root-ca.pem \
-v ~/deploy/admin.pem:/usr/share/opensearch/config/admin.pem \
-v ~/deploy/admin-key.pem:/usr/share/opensearch/config/admin-key.pem \
-v ~/deploy/os-node-01.pem:/usr/share/opensearch/config/os-node-01.pem \
-v ~/deploy/os-node-01-key.pem:/usr/share/opensearch/config/os-node-01-key.pem \
--network opensearch-dev-net \
--ip 172.20.0.11 \
--name os-node-01 \
opensearchproject/opensearch:2.5.0
copy
Example response
d26d0cb2e1e93e9c01bb00f19307525ef89c3c3e306d75913860e6542f729ea4
Optional: Query the cluster to determine which node is acting as the cluster manager. You can run this command at any time during the process to see when a new cluster manager is elected:
curl -s "https://localhost:9201/_cat/nodes?v&h=name,version,node.role,master" \
-ku admin:<custom-admin-password> | column -t
copy
Example response
name version node.role master
os-node-01 2.5.0 dimr -
os-node-04 1.3.7 dimr *
os-node-02 1.3.7 dimr -
os-node-03 1.3.7 dimr -
Optional: Query the cluster to see how shard allocation changes as nodes are removed and replaced. You can run this command at any time during the process to see how shard statuses change:
curl -s "https://localhost:9201/_cat/shards" \
-ku admin:<custom-admin-password>
copy
Example response
security-auditlog-2023.03.06 0 p STARTED 53 214.5kb 172.20.0.13 os-node-03
security-auditlog-2023.03.06 0 r UNASSIGNED
.kibana_1 0 p STARTED 3 14.5kb 172.20.0.12 os-node-02
.kibana_1 0 r STARTED 3 14.5kb 172.20.0.13 os-node-03
ecommerce 0 p STARTED 4675 3.9mb 172.20.0.12 os-node-02
ecommerce 0 r STARTED 4675 3.9mb 172.20.0.14 os-node-04
security-auditlog-2023.03.07 0 p STARTED 37 175.7kb 172.20.0.14 os-node-04
security-auditlog-2023.03.07 0 r UNASSIGNED
.opendistro_security 0 p STARTED 10 67.9kb 172.20.0.12 os-node-02
.opendistro_security 0 r STARTED 10 67.9kb 172.20.0.13 os-node-03
.opendistro_security 0 r STARTED 10 64.5kb 172.20.0.14 os-node-04
.opendistro_security 0 r UNASSIGNED
security-auditlog-2023.02.27 0 p STARTED 4 80.5kb 172.20.0.12 os-node-02
security-auditlog-2023.02.27 0 r UNASSIGNED
security-auditlog-2023.02.28 0 p STARTED 6 104.1kb 172.20.0.14 os-node-04
security-auditlog-2023.02.28 0 r UNASSIGNED
opensearch_dashboards_sample_data_logs 0 p STARTED 14074 9.1mb 172.20.0.12 os-node-02
opensearch_dashboards_sample_data_logs 0 r STARTED 14074 8.9mb 172.20.0.13 os-node-03
.kibana_92668751_admin_1 0 r STARTED 33 37.3kb 172.20.0.13 os-node-03
.kibana_92668751_admin_1 0 p STARTED 33 37.3kb 172.20.0.14 os-node-04
Stop
os-node-02
:docker stop os-node-02 && docker container rm os-node-02
copy
Start a new container named
os-node-02
with theopensearchproject/opensearch:2.5.0
image and using the same mapped volumes as the original container:docker run -d \
-p 9202:9200 -p 9602:9600 \
-e "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" \
--ulimit nofile=65536:65536 --ulimit memlock=-1:-1 \
-v data-02:/usr/share/opensearch/data \
-v repo-01:/usr/share/opensearch/snapshots \
-v ~/deploy/opensearch-02.yml:/usr/share/opensearch/config/opensearch.yml \
-v ~/deploy/root-ca.pem:/usr/share/opensearch/config/root-ca.pem \
-v ~/deploy/admin.pem:/usr/share/opensearch/config/admin.pem \
-v ~/deploy/admin-key.pem:/usr/share/opensearch/config/admin-key.pem \
-v ~/deploy/os-node-02.pem:/usr/share/opensearch/config/os-node-02.pem \
-v ~/deploy/os-node-02-key.pem:/usr/share/opensearch/config/os-node-02-key.pem \
--network opensearch-dev-net \
--ip 172.20.0.12 \
--name os-node-02 \
opensearchproject/opensearch:2.5.0
copy
Example response
7b802865bd6eb420a106406a54fc388ed8e5e04f6cbd908c2a214ea5ce72ac00
Stop
os-node-03
:docker stop os-node-03 && docker container rm os-node-03
copy
Start a new container named
os-node-03
with theopensearchproject/opensearch:2.5.0
image and using the same mapped volumes as the original container:docker run -d \
-p 9203:9200 -p 9603:9600 \
-e "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" \
--ulimit nofile=65536:65536 --ulimit memlock=-1:-1 \
-v data-03:/usr/share/opensearch/data \
-v repo-01:/usr/share/opensearch/snapshots \
-v ~/deploy/opensearch-03.yml:/usr/share/opensearch/config/opensearch.yml \
-v ~/deploy/root-ca.pem:/usr/share/opensearch/config/root-ca.pem \
-v ~/deploy/admin.pem:/usr/share/opensearch/config/admin.pem \
-v ~/deploy/admin-key.pem:/usr/share/opensearch/config/admin-key.pem \
-v ~/deploy/os-node-03.pem:/usr/share/opensearch/config/os-node-03.pem \
-v ~/deploy/os-node-03-key.pem:/usr/share/opensearch/config/os-node-03-key.pem \
--network opensearch-dev-net \
--ip 172.20.0.13 \
--name os-node-03 \
opensearchproject/opensearch:2.5.0
copy
Example response
d7f11726841a89eb88ff57a8cbecab392399f661a5205f0c81b60a995fc6c99d
Stop
os-node-04
:docker stop os-node-04 && docker container rm os-node-04
copy
Start a new container named
os-node-04
with theopensearchproject/opensearch:2.5.0
image and using the same mapped volumes as the original container:docker run -d \
-p 9204:9200 -p 9604:9600 \
-e "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" \
--ulimit nofile=65536:65536 --ulimit memlock=-1:-1 \
-v data-04:/usr/share/opensearch/data \
-v repo-01:/usr/share/opensearch/snapshots \
-v ~/deploy/opensearch-04.yml:/usr/share/opensearch/config/opensearch.yml \
-v ~/deploy/root-ca.pem:/usr/share/opensearch/config/root-ca.pem \
-v ~/deploy/admin.pem:/usr/share/opensearch/config/admin.pem \
-v ~/deploy/admin-key.pem:/usr/share/opensearch/config/admin-key.pem \
-v ~/deploy/os-node-04.pem:/usr/share/opensearch/config/os-node-04.pem \
-v ~/deploy/os-node-04-key.pem:/usr/share/opensearch/config/os-node-04-key.pem \
--network opensearch-dev-net \
--ip 172.20.0.14 \
--name os-node-04 \
opensearchproject/opensearch:2.5.0
copy
Example response
26f8286ab11e6f8dcdf6a83c95f265172f9557578a1b292af84c6f5ef8738e1d
Confirm that your cluster is running the new version:
curl -s "https://localhost:9201/_cat/nodes?v&h=name,version,node.role,master" \
-ku admin:<custom-admin-password> | column -t
copy
Example response
name version node.role master
os-node-01 2.5.0 dimr *
os-node-02 2.5.0 dimr -
os-node-04 2.5.0 dimr -
os-node-03 2.5.0 dimr -
The last component you should upgrade is the OpenSearch Dashboards node. First, stop and remove the old container:
docker stop os-dashboards-01 && docker rm os-dashboards-01
copy
Create a new container running the target version of OpenSearch Dashboards:
docker run -d \
-p 5601:5601 --expose 5601 \
-v ~/deploy/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml \
-v ~/deploy/root-ca.pem:/usr/share/opensearch-dashboards/config/root-ca.pem \
-v ~/deploy/os-dashboards-01.pem:/usr/share/opensearch-dashboards/config/os-dashboards-01.pem \
-v ~/deploy/os-dashboards-01-key.pem:/usr/share/opensearch-dashboards/config/os-dashboards-01-key.pem \
--network opensearch-dev-net \
--ip 172.20.0.10 \
--name os-dashboards-01 \
opensearchproject/opensearch-dashboards:2.5.0
copy
Example response
310de7a24cf599ca0b39b241db07fa8865592ebe15b6f5fda26ad19d8e1c1e09
Make sure the OpenSearch Dashboards container started properly. A command like the following can be used to confirm that requests to
https://HOST_ADDRESS:5601
are redirected (HTTP status code 302) to/app/login?
:curl https://localhost:5601 -kI
copy
Example response
HTTP/1.1 302 Found
location: /app/login?
osd-name: opensearch-dashboards-dev
cache-control: private, no-cache, no-store, must-revalidate
set-cookie: security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Path=/
content-length: 0
Date: Wed, 08 Mar 2023 15:36:53 GMT
Connection: keep-alive
Keep-Alive: timeout=120
Re-enable allocation of replica shards:
curl -H 'Content-type: application/json' \
-X PUT "https://localhost:9201/_cluster/settings?pretty" \
-d'{"persistent":{"cluster.routing.allocation.enable":"all"}}' \
-ku admin:<custom-admin-password>
copy
Example response
{
"acknowledged" : true,
"persistent" : {
"cluster" : {
"routing" : {
"allocation" : {
"enable" : "all"
}
}
}
},
"transient" : { }
}
Validating the upgrade
You successfully deployed a secure OpenSearch cluster, indexed data, created a dashboard populated with sample data, created a new internal user, backed up your important files, and upgraded the cluster from version 1.3.7 to 2.5.0. Before you continue exploring and experimenting with OpenSearch and OpenSearch Dashboards, you should validate the outcome of the upgrade.
For this cluster, post-upgrade validation steps can include verifying the following:
Verifying the new running version
Verify the current running version of your OpenSearch nodes:
curl -s "https://localhost:9201/_cat/nodes?v&h=name,version,node.role,master" \
-ku admin:<custom-admin-password> | column -t
copy
Example response
name version node.role master
os-node-01 2.5.0 dimr *
os-node-02 2.5.0 dimr -
os-node-04 2.5.0 dimr -
os-node-03 2.5.0 dimr -
Verify the current running version of OpenSearch Dashboards:
- Option 1: Verify the OpenSearch Dashboards version from the web interface.
- Open a web browser and navigate to port
5601
on your Docker host (for example,https://HOST_ADDRESS:5601
). - Log in with the default username (
admin
) and default password (admin
). - Select the Help button in the upper-right corner. The version is displayed in a pop-up window.
- Select the Help button again to close the pop-up window.
- Open a web browser and navigate to port
Option 2: Verify the OpenSearch Dashboards version by inspecting
manifest.yml
.From the command line, open an interactive pseudo-TTY session with the OpenSearch Dashboards container:
docker exec -it os-dashboards-01 bash
copy
Check
manifest.yml
for the version:head -n 5 manifest.yml
copy
Example response
---
schema-version: '1.1'
build:
name: OpenSearch Dashboards
version: 2.5.0
Terminate the pseudo-TTY session:
exit
copy
- Option 1: Verify the OpenSearch Dashboards version from the web interface.
Verifying cluster health and shard allocation
Query the Cluster health API endpoint to see information about the health of your cluster. You should see a status of
green
, which indicates that all primary and replica shards are allocated:curl -s "https://localhost:9201/_cluster/health?pretty" -ku admin:<custom-admin-password>
copy
Example response
{
"cluster_name" : "opensearch-dev-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 4,
"number_of_data_nodes" : 4,
"discovered_master" : true,
"discovered_cluster_manager" : true,
"active_primary_shards" : 16,
"active_shards" : 36,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
Query the CAT shards API endpoint to see how shards are allocated after the cluster is upgrade:
curl -s "https://localhost:9201/_cat/shards" -ku admin:<custom-admin-password>
copy
Example response
security-auditlog-2023.02.27 0 r STARTED 4 80.5kb 172.20.0.13 os-node-03
security-auditlog-2023.02.27 0 p STARTED 4 80.5kb 172.20.0.11 os-node-01
security-auditlog-2023.03.08 0 p STARTED 30 95.2kb 172.20.0.13 os-node-03
security-auditlog-2023.03.08 0 r STARTED 30 123.8kb 172.20.0.11 os-node-01
ecommerce 0 p STARTED 4675 3.9mb 172.20.0.12 os-node-02
ecommerce 0 r STARTED 4675 3.9mb 172.20.0.13 os-node-03
.kibana_1 0 p STARTED 3 5.9kb 172.20.0.12 os-node-02
.kibana_1 0 r STARTED 3 5.9kb 172.20.0.11 os-node-01
.kibana_92668751_admin_1 0 p STARTED 33 37.3kb 172.20.0.13 os-node-03
.kibana_92668751_admin_1 0 r STARTED 33 37.3kb 172.20.0.11 os-node-01
opensearch_dashboards_sample_data_logs 0 p STARTED 14074 9.1mb 172.20.0.12 os-node-02
opensearch_dashboards_sample_data_logs 0 r STARTED 14074 9.1mb 172.20.0.14 os-node-04
security-auditlog-2023.02.28 0 p STARTED 6 26.2kb 172.20.0.11 os-node-01
security-auditlog-2023.02.28 0 r STARTED 6 26.2kb 172.20.0.14 os-node-04
.opendistro-reports-definitions 0 p STARTED 0 208b 172.20.0.12 os-node-02
.opendistro-reports-definitions 0 r STARTED 0 208b 172.20.0.13 os-node-03
.opendistro-reports-definitions 0 r STARTED 0 208b 172.20.0.14 os-node-04
security-auditlog-2023.03.06 0 r STARTED 53 174.6kb 172.20.0.12 os-node-02
security-auditlog-2023.03.06 0 p STARTED 53 174.6kb 172.20.0.14 os-node-04
.kibana_101107607_newuser_1 0 r STARTED 1 5.1kb 172.20.0.13 os-node-03
.kibana_101107607_newuser_1 0 p STARTED 1 5.1kb 172.20.0.11 os-node-01
.opendistro_security 0 r STARTED 10 64.5kb 172.20.0.12 os-node-02
.opendistro_security 0 r STARTED 10 64.5kb 172.20.0.13 os-node-03
.opendistro_security 0 r STARTED 10 64.5kb 172.20.0.11 os-node-01
.opendistro_security 0 p STARTED 10 64.5kb 172.20.0.14 os-node-04
.kibana_-152937574_admintenant_1 0 r STARTED 1 5.1kb 172.20.0.12 os-node-02
.kibana_-152937574_admintenant_1 0 p STARTED 1 5.1kb 172.20.0.14 os-node-04
security-auditlog-2023.03.07 0 r STARTED 37 175.7kb 172.20.0.12 os-node-02
security-auditlog-2023.03.07 0 p STARTED 37 175.7kb 172.20.0.14 os-node-04
.kibana_92668751_admin_2 0 p STARTED 34 38.6kb 172.20.0.13 os-node-03
.kibana_92668751_admin_2 0 r STARTED 34 38.6kb 172.20.0.11 os-node-01
.kibana_2 0 p STARTED 3 6kb 172.20.0.13 os-node-03
.kibana_2 0 r STARTED 3 6kb 172.20.0.14 os-node-04
.opendistro-reports-instances 0 r STARTED 0 208b 172.20.0.12 os-node-02
.opendistro-reports-instances 0 r STARTED 0 208b 172.20.0.11 os-node-01
.opendistro-reports-instances 0 p STARTED 0 208b 172.20.0.14 os-node-04
Verifying data consistency
You need to query the ecommerce index again in order to confirm that the sample data is still present:
Compare the response to this query with the response you received in the last step of Indexing data with the REST API:
curl -H 'Content-Type: application/json' \
-X GET "https://localhost:9201/ecommerce/_search?pretty=true&filter_path=hits.total" \
-d'{"query":{"match":{"customer_first_name":"Sonya"}}}' \
-ku admin:<custom-admin-password>
copy
Example response
{
"hits" : {
"total" : {
"value" : 106,
"relation" : "eq"
}
}
}
Open a web browser and navigate to port
5601
on your Docker host (for example,https://HOST_ADDRESS:5601
).- Enter the default username (
admin
) and password (admin
). - On the OpenSearch Dashboards Home page, select the Menu button in the upper-left corner of the web interface to open the Navigation pane.
- Select Dashboard.
- Choose [Logs] Web Traffic to open the dashboard that was created when you added sample data earlier in the process.
- When you are done reviewing the dashboard, select the Profile button. Choose Log out so you can log in as a different user.
- Enter the username and password you created before upgrading, then select Log in.
Next steps
Review the following resoures to learn more about how OpenSearch works: