OPENSEARCH & OPENSEARCH-DASHBOARDS ANSIBLE INSTALLATION/REMOVAL
Important requirements for installing OpenSearch and OpenSearch-Dashboards:
1. Open the following firewall ports:
   - 5601 OpenSearch Dashboards
   - 9200 OpenSearch REST API
   - 9300 Node communication and transport (internal), cross-cluster search
   - 9600 Performance Analyzer
2. Disable swap
3. Change vm.max_map_count and fs.file-max
4. Set the system time (important for SSL/TLS certificate validation)
5. Install useful/required dependencies
6. Set the hostname
7.1. Opensearch:
   - Installs the Java version compatible with the OS
   - Installs OpenSearch, generates TLS certificates, configures the authentication backend
7.2. Opensearch-Dashboards:
   - Installs the Node.js version compatible with the OS on the OpenSearch-Dashboards VM
   - Installs OpenSearch-Dashboards, generates TLS certificates
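A pre-flight script for host requirements 2 to 6 above, added here as an example and not part of the playbook. The thresholds 262144 for vm.max_map_count and 65536 for fs.file-max are assumptions taken from the OpenSearch documentation; the live checks read /proc/swaps, sysctl, timedatectl show and hostname -f, while the check functions themselves take their input as text so they can be exercised without root or a real host.

```shell
#!/bin/sh
# Added pre-flight verifier for the host requirements listed above; it is not
# part of the playbook. Thresholds are assumptions taken from the OpenSearch
# documentation: vm.max_map_count >= 262144 and fs.file-max >= 65536.
MIN_MAX_MAP_COUNT=262144
MIN_FILE_MAX=65536

# swap_is_disabled "<contents of /proc/swaps>": true when only the header line is left
swap_is_disabled() {
  [ "$(printf '%s\n' "$1" | sed '1d' | grep -c .)" -eq 0 ]
}

# sysctl_at_least <actual> <minimum>: true when actual is an integer >= minimum
sysctl_at_least() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ]
}

# clock_is_synced "<output of timedatectl show>": true when NTP reports the clock in sync
clock_is_synced() {
  printf '%s\n' "$1" | grep -qx 'NTPSynchronized=yes'
}

# hostname_is_fqdn <name>: true for a dotted name without spaces or leading/trailing
# dots, i.e. one that can be used as a TLS subject alternative name (node1.opensearch.local)
hostname_is_fqdn() {
  case "$1" in ''|*' '*|.*|*.) return 1 ;; esac
  case "$1" in *.*) return 0 ;; *) return 1 ;; esac
}

# preflight: run every check against the live host, print one line per failure
# and return non-zero when any check failed
preflight() {
  rc=0
  swap_is_disabled "$(cat /proc/swaps)" || { echo "FAIL swap is still enabled"; rc=1; }
  sysctl_at_least "$(sysctl -n vm.max_map_count)" "$MIN_MAX_MAP_COUNT" \
    || { echo "FAIL vm.max_map_count below $MIN_MAX_MAP_COUNT"; rc=1; }
  sysctl_at_least "$(sysctl -n fs.file-max)" "$MIN_FILE_MAX" \
    || { echo "FAIL fs.file-max below $MIN_FILE_MAX"; rc=1; }
  clock_is_synced "$(timedatectl show 2>/dev/null)" || { echo "FAIL clock not NTP-synchronised"; rc=1; }
  hostname_is_fqdn "$(hostname -f 2>/dev/null)" || { echo "FAIL hostname is not an FQDN"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK host meets the requirements"
  return "$rc"
}

# The live checks run only when the script is invoked as: sh preflight.sh run
case "${1:-}" in run) preflight ;; esac
```

Run it on each node before the setup playbook; a non-zero exit with FAIL lines tells you which requirement the node still misses.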
- Ansible Directory Structure:
.
├── files
├── inventory
│   ├── hosts-multi-node.ini
│   └── hosts-single-node.ini
├── playbooks
│   ├── removal.yml
│   └── setup.yml
├── README.md
├── roles
│   ├── opensearch
│   │   ├── defaults
│   │   │   └── main.yml
│   │   ├── files
│   │   ├── handlers
│   │   │   └── main.yml
│   │   ├── tasks
│   │   │   ├── install.yml
│   │   │   ├── main.yml
│   │   │   ├── preconfig.yml
│   │   │   ├── remove.yml
│   │   │   └── tls.yml
│   │   ├── templates
│   │   │   ├── config.yml.j2
│   │   │   ├── jvm.options.j2
│   │   │   ├── opensearch-multi-node.yml.j2
│   │   │   └── opensearch-single-node.yml.j2
│   │   └── vars
│   │       └── main.yml
│   └── opensearch-dashboards
│       ├── defaults
│       │   └── main.yml
│       ├── files
│       ├── handlers
│       │   └── main.yml
│       ├── tasks
│       │   ├── install.yml
│       │   ├── main.yml
│       │   ├── preconfig.yml
│       │   ├── remove.yml
│       │   └── tls.yml
│       ├── templates
│       │   └── opensearch-dashboards.yml.j2
│       └── vars
│           └── main.yml
├── templates
└── vars
    ├── general-vars.yml
    └── vault.yml
The playbook supports two cluster installation types:
- single-node
- multi-node
Files and values to check/replace before running the playbooks:
- inventory/ (IP addresses, DNS names, ssh-key, user)
- roles/opensearch/vars/main.yml (cluster name, certificate or LDAP details)
- roles/opensearch-dashboards/vars/main.yml (certificate details, URL)
- obtain the vault password
Commands for ansible:
# ping nodes (use the inventory file matching the cluster type):
ansible -i inventory/hosts-multi-node.ini -m ping all
# check syntax:
ansible-playbook -i inventory/hosts-multi-node.ini playbooks/setup.yml --syntax-check
# dry-run:
ansible-playbook -i inventory/hosts-multi-node.ini playbooks/setup.yml --check
# encrypt/decrypt the vault.yml file:
ansible-vault encrypt vars/vault.yml --vault-password-file ~/.ansible_vault.txt
ansible-vault encrypt vars/vault.yml (input required)
ansible-vault decrypt vars/vault.yml --vault-password-file ~/.ansible_vault.txt
ansible-vault decrypt vars/vault.yml (input required)
# installation, single node:
ansible-playbook -i inventory/hosts-single-node.ini playbooks/setup.yml -e cluster_type=single-node --vault-password-file ~/.ansible_vault.txt (preferred)
ansible-playbook -i inventory/hosts-single-node.ini playbooks/setup.yml -e cluster_type=single-node --ask-vault-pass (with vault pass input)
# installation, multi node:
ansible-playbook -i inventory/hosts-multi-node.ini playbooks/setup.yml -e cluster_type=multi-node --vault-password-file ~/.ansible_vault.txt (preferred)
ansible-playbook -i inventory/hosts-multi-node.ini playbooks/setup.yml -e cluster_type=multi-node --ask-vault-pass (with vault pass input)
# removal, single node:
ansible-playbook -i inventory/hosts-single-node.ini playbooks/removal.yml -e cluster_type=single-node
# removal, multi node:
ansible-playbook -i inventory/hosts-multi-node.ini playbooks/removal.yml -e cluster_type=multi-node
Post Installation Steps:
- Update the passwords of the internal users (admin and kibanaserver). Generate the bcrypt hash of each new password with the hash.sh tool, put it into /etc/opensearch/opensearch-security/internal_users.yml and apply that file with securityadmin.sh as shown under the LDAP steps:
export JAVA_HOME=/usr/share/opensearch/jdk/ && /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh
- For LDAP setup, do the following:
update /etc/opensearch/opensearch-security/config.yml with the required configuration
update /etc/opensearch/opensearch-security/internal_users.yml
update /etc/opensearch/opensearch-security/roles_mapping.yml
Run the following commands one by one:
export JAVA_HOME=/usr/share/opensearch/jdk/ && /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -cd /etc/opensearch/opensearch-security -f "/etc/opensearch/opensearch-security/config.yml" -icl -key /etc/opensearch/certs/admin-key.pem -cert /etc/opensearch/certs/admin.pem -cacert /etc/opensearch/certs/root-ca.pem -nhnv
export JAVA_HOME=/usr/share/opensearch/jdk/ && /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -cd /etc/opensearch/opensearch-security -f "/etc/opensearch/opensearch-security/internal_users.yml" -icl -key /etc/opensearch/certs/admin-key.pem -cert /etc/opensearch/certs/admin.pem -cacert /etc/opensearch/certs/root-ca.pem -nhnv
export JAVA_HOME=/usr/share/opensearch/jdk/ && /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -cd /etc/opensearch/opensearch-security -f "/etc/opensearch/opensearch-security/roles_mapping.yml" -icl -key /etc/opensearch/certs/admin-key.pem -cert /etc/opensearch/certs/admin.pem -cacert /etc/opensearch/certs/
Or run a single command to update all files (without -f, securityadmin.sh uploads every file in the -cd directory):
export JAVA_HOME=/usr/share/opensearch/jdk/ && /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -cd /etc/opensearch/opensearch-security -icl -key /etc/opensearch/certs/admin-key.pem -cert /etc/opensearch/certs/admin.pem -cacert /etc/opensearch/certs/root-ca.pem -nhnv
Useful commands:
OPENSEARCH:
Check cluster status:
curl --cert /etc/opensearch/certs/admin.pem \
--key /etc/opensearch/certs/admin-key.pem \
--cacert /etc/opensearch/certs/root-ca.pem \
https://node1.opensearch.local:9200/_cluster/health?pretty
Check nodes status:
curl --cert /etc/opensearch/certs/admin.pem \
--key /etc/opensearch/certs/admin-key.pem \
--cacert /etc/opensearch/certs/root-ca.pem \
https://node1.opensearch.local:9200/_cat/nodes?v
LDAP (example for a testing environment):
test connection (-W prompts for the bind password instead of passing it on the command line with -w):
ldapsearch -x -H ldap://LDAP_IP:389 -D "cn=admin,dc=ldap,dc=local" -w password -s base
check whether a user exists:
ldapsearch -x -H ldap://LDAP_IP:389 -D "cn=admin,dc=ldap,dc=local" -w password -b "ou=users,dc=ldap,dc=local" "(uid=john)"
check user access with curl (-k skips certificate verification; outside a quick test, pass --cacert /etc/opensearch/certs/root-ca.pem as in the commands above):
curl -u john:password -k https://node1.opensearch.local:9200/_cluster/health