- OpenSearch Project Ansible-Playbook
- Version and Branching
- OpenSearch Installation with Dashboards
- Contributing
- Getting Help
- Code of Conduct
- Security
- License
- Copyright
A community repository for Ansible Playbook of OpenSearch Project.
As of now, this ansible-playbook repository maintains 2 branches:
- main (Version is 2.x.x for both
os_version
andos_dashboards_version
ininventories/opensearch/group_vars/all/all.yml
) - 1.x (Version is 1.x.x for both
os_version
andos_dashboards_version
ininventories/opensearch/group_vars/all/all.yml
)
Contributors should choose the corresponding branch(es) when commiting their change(s):
- If you have a change for a specific version, only open PR to specific branch
- If you have a change for all available versions, first open a PR on
main
, then open a backport PR with[backport 1.x]
in the title, with labelbackport 1.x
, etc.
This ansible playbook supports the following,
- Can be deployed on baremetal and VMs(AWS EC2)
- Supports most popular Linux distributions(Centos7, RHEL7, Amazon Linux2, Ubuntu 20.04)
- Install and configure the Apache2.0 opensource OpenSearch
- Configure TLS/SSL for OpenSearch transport layer(Nodes to Nodes communication) and REST API layer
- Generate self-signed certificates to configure TLS/SSL for opensearch
- Configure the Internal Users Database with limited users and user-defined passwords
- Configuration of authentication and authorization via OpenID
- Overriding default settings with your own
- Install and configure the Apache2.0 opensource OpenSearch Dashboards
- Ansible 2.9+
- Java 8
Refer the file inventories/opensearch/group_vars/all/all.yml
to change the default values.
For example if we need to increase the java memory heap size for opensearch,
xms_value: 8
xmx_value: 8
In inventories/opensearch/hosts
file, you can configure the node details.
ansible_host
is used for ansible to connect the nodes to run this playbook.
ip
is used in OpenSearch and Dashboards configuration.
In AWS EC2,
os1 ansible_host=<Elastic/Public IP> address ansible_user=root ip=<Private IP address>
By default, this playbook will install five nodes opensearch cluster with respective roles (3 master, 5 data and 2 ingest nodes).
os1 ansible_host=10.0.1.1 ip=10.0.1.1 roles=data,master
os2 ansible_host=10.0.1.2 ip=10.0.1.2 roles=data,master
os3 ansible_host=10.0.1.3 ip=10.0.1.3 roles=data,master
os4 ansible_host=10.0.1.4 ip=10.0.1.4 roles=data,ingest
os5 ansible_host=10.0.1.5 ip=10.0.1.5 roles=data,ingest
Note: You need to add additional nodes details in inventories/opensearch/hosts
file for creating opensearch cluster with different node sizes.
For example, if you want to create seven nodes cluster with two additional data nodes (os6
and os7
) then you need to include the below entries.
os6 ansible_host=10.0.1.6 ip=10.0.1.6 roles=data
os7 ansible_host=10.0.1.7 ip=10.0.1.5 roles=data
You have to mention the opensearch node roles details in roles
variable.
For single node installation, you need to change the cluster_type
variable in inventory file inventories/opensearch/group_vars/all/all.yml
cluster_type: single-node
# Deploy with ansible playbook - run the playbook as root
ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=myStrongPassword@123! kibanaserver_password=Test@6789 logstash_password=Test@456"
You should set the reserved users(admin
, kibanaserver
, and logstash
) password using admin_password
, kibanaserver_password
, and logstash_password
variables.
Note: Starting OpenSearch 2.12, a strong password is required for admin
user, i.e. myStrongPassword123!
. The cluster will fail to start with a weak password (i.e. admin) or no password.
If you define your own internal users (in addition to the reserved admin
, kibanaserver
, and logstash
) in custom configuration
files, then passwords to them should be set via variables on the principle of <username>_password
It will install and configure the opensearch. Once the deployment completed, you can access the opensearch Dashboards with user admin
and password which you provided for variable admin_password
.
# Deploy with ansible playbook - run the playbook as non-root user which have sudo privileges,
ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=myStrongPassword@123! kibanaserver_password=Test@6789 logstash_password=Test@456" --become
Note: Change the user details in ansible_user
parameter in inventories/opensearch/hosts
inventory file.
To enable authentication via OpenID, you need to change the auth_type
variable in the inventory file
inventories/opensearch/group_vars/all/all.yml
by setting the value oidc
and prescribe the necessary settings
in the oidc:
block.
To override the default settings files, you need to put your settings in the files
directory. The files should be
named exactly the same as the original ones (internal_users.yml, roles.yml, tenants.yml, etc.)
Especially note the file files/internal_users.yml
. If it exists and the copy_custom_security_configs: true
setting is enabled,
then only in this case the task of setting passwords for internal users from variables is started. If the file internal_users.yml
is not located in the files
directory, but, for example, in one of its subdirectories, then playbook will not work correctly
If you want to use the role not only for the initial deployment of the cluster, but also for further management of it,
then set the iac_enable
parameter to true
.
By default, if the /tmp/opensearch-nodecerts directory with certificates exists on the server from which the playbook is launched, it is assumed that the configuration has not changed and some settings are not copied to the target servers.
Conversely, if the /tmp/opensearch-nodecerts directory does not exist on the server from which the playbook is launched, then new certificates and settings are generated and they are copied to the target servers.
If you use this repository not only for the initial deployment of the cluster, but also for its automatic configuration via CI/CD, then new certificates will be generated every time the pipeline is launched, overwriting existing ones, which is not always necessary if the cluster is already in production.
When iac_enable enabling, and all the cluster servers have all the necessary certificates, they will not be copied again. If at least on one server (for example, when adding a new server to the cluster) if there is not at least one certificate from the list, then all certificates on all cluster servers will be updated
Also, if the option is enabled, the settings files will be updated with each execution (previously, the settings were updated only if the /tmp/opensearch-nodecerts directory was missing on the server from which the playbook was launched and new certificates were generated)
See developer guide and how to contribute to this project.
If you find a bug, or have a feature request, please don't hesitate to open an issue in this repository.
For more information, see project website and documentation. If you need help and are unsure where to open an issue, try forums.
This project has adopted the Amazon Open Source Code of Conduct. For more information see the Code of Conduct FAQ, or contact opensource-codeofconduct@amazon.com with any additional questions or comments.
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our vulnerability reporting page. Please do not create a public GitHub issue.
This project is licensed under the Apache v2.0 License.
Copyright OpenSearch Contributors. See NOTICE for details.