Starting OpenSearch Docker containers fails when using a custom config

[gijs007]

I'm attempting to setup OpenSearch and OpenSearch Dashboard, with Docker.
According to the documentation we can use a custom config: https://docs-beta.opensearch.org/docs/opensearch/install/docker/

However when following the steps in the documentation, the containers won't start properly. This happens with a custom config for OpenSearch or with a custom config for the OpenSearch Dashboard.

There are probably several issues here:

1. When running docker-compose for the first time (as per the documentation) two directories are created: custom-opensearch_dashboards.yml and custom-opensearch.yml
   Clearly these should be files, instead of directories.

2. Even when manually creating the above .yml files, before starting Docker compose, the containers fail to start properly.
   Probably due to the fact that the config files created with "touch" are empty. I'm not sure what to fill them with, which brings me to the 3th issue.

3. The documentation is unclear about the required contents of the custom config files.
   I'd be looking for an example, including guidance on required and optional parameters (Ideally this should include a description of the various options, and guidance on recommended settings for production usage).

[abbashus]

Thanks for bringing this issue. Since this docs are still in beta, we do expect some gaps. Let us reproduce this from our end and fix the issue no 1 and more documentation to fix issue 2 and 3. We encourage you to raise a PR for fixing issue 1. Please see our developer guide on how you can contribute.

[abbashus]

I tried reproducing.
OS: Mac Catalina v10.15.7

Case 1: Running the sample docker compose file

The container opensearch-node1 came up, but could not bootstap compelety and exited.

opensearch-node1         | ./opensearch-docker-entrypoint.sh: line 109:    11 Killed                  $OPENSEARCH_HOME/bin/opensearch "${opensearch_opts[@]}"
...
...
opensearch-node1 exited with code 0

Case 2: Tried running with modified docker compose file removing container opensearch-node2

This time both opensearch-node1 and opensearch-dashboards containers were up and I was able to access OpenSearch Dasiboards from browser and OpenSearch from curl

curl -XGET https://localhost:9200/_cluster/health?pretty -u 'admin:admin' --insecure
{
  "cluster_name" : "opensearch-cluster",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 7,
  "active_shards" : 7,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 1,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 87.5
}

I am yet to triage issue 1 with custom config files.

For issue 3, the custom config files are modification of and/or addition of other OpenSearch and plugin settings. In the absence of default settings in opensearch.yml and opensearch-dashboards.yml documented, I agree it presents a barrier for users to tinker with settings. I will post a PR which mentions default config settings in docker and a example setting change like a different cluster name.

[gijs007]

Thanks abbashus!
I'm not much of a coder and still a newbie to Elastic Stack / Open Search, but I'd love to help test this and provide feedback.

For clarification:
OS used: Ubuntu Server 20.04 LTS

What would help is if the custom config files (custom-opensearch_dashboards.yml and custom-opensearch.yml) are automatically created and filled with default settings, but only if they don't exist.

This would fix issue one and two, which I reported earlier.

As for your testing cases; case two works fine since you're not using custom.yml files in your Docker Compose file.
Once you add the following lines for the opensearch dashboard and opensearch node containers respectively, I'd expect you'd be able to reproduce the issues:

    volumes:
      - ./custom-opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml

    volumes:
      - ./custom-opensearch.yml:/usr/share/opensearch/config/opensearch.yml

[robinboening]

Unfortunately, the links in this thread are not working anymore.

I followed this guide https://opensearch.org/docs/latest/opensearch/install/docker-security/ and stumbled into the same issue where the mounts (certificates and config files) are created as folders instead of files.

The errors are a bunch of this kind

ERROR: for opensearch-node2  Cannot start service opensearch-node2: OCI runtime create failed: 
container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: 
rootfs_linux.go:76: mounting "/Users/robin/foobar/config/opensearch/tenants.yml" to rootfs at 
"/usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml" caused:
Recreating opensearch-node1 ... error

The guide does not mention it is required to create the certificates and config files before starting the containers, but I assume not doing that is what causes the issue. On a side note though: the creation of folders vs files is not related to opensearch but to docker itself.

I removed all the certificate and most of the config mounts and only left the custom-config.yml to play around with. I created an empty file for it before starting the container and didn't see the above error again. After starting the container I can see the custom-config.yml gets written with a bunch of settings. Unfortunately I got a new error.

Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
OpenSearch Security Demo Installer
 ** Warning: Do not use on production or public reachable systems **
Basedir: /usr/share/opensearch
OpenSearch install type: rpm/deb on NAME="Amazon Linux"
OpenSearch config dir: /usr/share/opensearch/config
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin
OpenSearch plugins dir: /usr/share/opensearch/plugins
OpenSearch lib dir: /usr/share/opensearch/lib
Detected OpenSearch Version: x-content-1.1.0
Detected OpenSearch Security Version: 1.1.0.0
/usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
Enabling OpenSearch Security Plugin
sed: cannot rename /usr/share/opensearch/config/sedqdMb0d: Device or resource busy
Exception in thread "main" SettingsException[Failed to load settings from [opensearch.yml]]; nested: JsonParseException[Duplicate field 'plugins.security.ssl.transport.pemcert_filepath'
 at [Source: (sun.nio.ch.ChannelInputStream); line: 14, column: 48]];
	at org.opensearch.common.settings.Settings$Builder.loadFromStream(Settings.java:1127)
	at org.opensearch.common.settings.Settings$Builder.loadFromPath(Settings.java:1100)
	at org.opensearch.node.InternalSettingsPreparer.prepareEnvironment(InternalSettingsPreparer.java:96)
	at org.opensearch.cli.EnvironmentAwareCommand.createEnv(EnvironmentAwareCommand.java:113)
	at org.opensearch.cli.EnvironmentAwareCommand.createEnv(EnvironmentAwareCommand.java:104)
	at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:99)
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:140)
	at org.opensearch.cli.MultiCommand.execute(MultiCommand.java:104)
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:140)
	at org.opensearch.cli.Command.main(Command.java:103)
	at org.opensearch.common.settings.KeyStoreCli.main(KeyStoreCli.java:56)

The first thing I notice is that sed can not do its thing. I don't know the effects though.
The second thing is the Duplicate field 'plugins.security.ssl.transport.pemcert_filepath', but I don't understand why as I understand the custom-opensearch.yml is meant to be an overwrite for the default config.

Any idea how to get this solved?

[unhipzippo]

I suspect that the "containers fail to start properly" and "sed cannot do its thing" are the same root cause.

See the following block in opensearch-docker-entrypoint.sh:

    if [ "$DISABLE_SECURITY_PLUGIN" = "true" ]; then
        echo "Disabling OpenSearch Security Plugin"
        sed -i '/plugins.security.disabled/d' $OPENSEARCH_HOME/config/opensearch.yml
        echo "plugins.security.disabled: true" >> $OPENSEARCH_HOME/config/opensearch.yml
    else
        echo "Enabling OpenSearch Security Plugin"
        sed -i '/plugins.security.disabled/d' $OPENSEARCH_HOME/config/opensearch.yml
    fi

The "sed -i" is an attempt to modify the opensearch.yml file "in place" -- But according to the GNU sed documentation (https://www.gnu.org/software/sed/manual/sed.html#Command_002dLine-Options), "in-place" actually "does this by creating a temporary file and sending output to this file rather than to the standard output. ... the temporary file is renamed to the output file’s original name".

I believe this rename would require changing the inode of the original file -- something that Docker volume mounts don't permit.

If this is correct, then to allow Dockerized OpenSearch to support a volume-mounted opensearch.yml, opensearch-docker-entrypoint.sh probably needs to use a method of updating the file which doesn't change the file's inode number, like "cat"ing the contents of the modified file over top of the original.

[manodupont]

Im curious about this issue. I am wondering if this bug was already on some older versions ?!

[unhipzippo]

Haven't checked how this might have been enabled in earlier incarnations of the software (e.g. OpenDistro, Elasticsearch), but if you check the history, this particular block was only added to OpenSearch 2 months ago.

[scratchings]

I believe this is the same as issue #1579

[robinboening]

The "sed -i" is an attempt to modify the opensearch.yml file "in place" -- But according to the GNU sed documentation (https://www.gnu.org/software/sed/manual/sed.html#Command_002dLine-Options), "in-place" actually "does this by creating a temporary file and sending output to this file rather than to the standard output. ... the temporary file is renamed to the output file’s original name".

I believe this rename would require changing the inode of the original file -- something that Docker volume mounts don't permit.

If this is correct, then to allow Dockerized OpenSearch to support a volume-mounted opensearch.yml, opensearch-docker-entrypoint.sh probably needs to use a method of updating the file which doesn't change the file's inode number, like "cat"ing the contents of the modified file over top of the original.

Thanks for the investigation. It makes a lot of sense to me now.

I just jumped the gun and created a PR, avoiding the -i option and using tee instead: opensearch-project/opensearch-build#1130

[gijs007]

It might be worth looking at an application called homeassistant, to see how they handle this. I have a Docker container running homeassistant, which exposes a configuration.yaml file, which can be edited from outside the container.

[peterzhuamazon]

Fixed in opensearch-project/opensearch-build#1130.

[Firdaus1]

Hi @peterzhuamazon ,

Is it possible to update the docker image in docker hub repository ?

[prudhvigodithi]

Saw this issue in 2.11.1 when mounted opensearch.yml throws seems to be already configured for Security. Quit.

Full error log: https://github.com/opensearch-project/helm-charts/actions/runs/7809681228/job/21301876373

Basedir: /usr/share/opensearch
OpenSearch install type: rpm/deb on Amazon Linux release 2023 (Amazon Linux)
OpenSearch config dir: /usr/share/opensearch/config
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin
OpenSearch plugins dir: /usr/share/opensearch/plugins
OpenSearch lib dir: /usr/share/opensearch/lib
Detected OpenSearch Version: x-content-2.11.1
Detected OpenSearch Security Version: 2.11.1.0
/usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
Enabling OpenSearch Security Plugin
Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.11.1.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
[2024-02-07T04:06:05,010][DEPRECATION][o.o.d.c.s.Settings       ] [opensearch-cluster-master-0] [transport.tcp.port] setting was deprecated in OpenSearch and will be removed in a future release! See the breaking changes documentation for the next major version.
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/opensearch/lib/opensearch-2.11.1.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
WARNING: System::setSecurityManager will be removed in a future release
[2024-02-07T04:06:05,210][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] version[2.11.1], pid[37], build[tar/6b1986e964d440be9137eba1413015c31c5a7752/2023-11-29T21:43:10.135035992Z], OS[Linux/6.2.0-1019-azure/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.8/17.0.8+7]
[2024-02-07T04:06:05,211][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] JVM home [/usr/share/opensearch/jdk], using bundled JDK/JRE [true]
[2024-02-07T04:06:05,211][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-163177[279](https://github.com/opensearch-project/helm-charts/actions/runs/7809681228/job/21301876373?pr=516#step:9:280)6848[291](https://github.com/opensearch-project/helm-charts/actions/runs/7809681228/job/21301876373?pr=516#step:9:292)3893, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=/usr/share/opensearch/config/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dopensearch.cgroups.hierarchy.override=/, -Xmx512M, -Xms512M, -XX:MaxDirectMemorySize=268435456, -Dopensearch.path.home=/usr/share/opensearch, -Dopensearch.path.conf=/usr/share/opensearch/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
[2024-02-07T04:06:06,319][INFO ][o.o.s.s.t.SSLConfig      ] [opensearch-cluster-master-0] SSL dual mode is disabled
[2024-02-07T04:06:06,320][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] OpenSearch Config path is /usr/share/opensearch/config
[2024-02-07T04:06:06,550][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] JVM supports TLSv1.3
[2024-02-07T04:06:06,551][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] Config directory is /usr/share/opensearch/config/, from there the key- and truststore files are resolved relatively
Error: 2-07T04:06:06,565][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [opensearch-cluster-master-0] uncaught exception in thread [main]
org.opensearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]

But this passed in next run https://github.com/opensearch-project/helm-charts/actions/runs/7809681228/job/21302994506?pr=516.

Is this flaky ? do we know where is this message in code seems to be already configured for Security. Quit ? I have seen in opendistro-for-elasticsearch, but not in https://github.com/opensearch-project/security

Adding @peterzhuamazon @bbarani @DarshitChanpura @derek-ho

[DarshitChanpura]

@prudhvigodithi This message appears when opensearch.yml already contains at-least 1 setting related to security, i.e. plugins.security.**.**, and the demo config installer is run, essentially telling the demo script to quit because security is already configured. Based on the logs I'm guessing that a stale copy was somehow preserved and during the next run it was picked up, a message was thrown, and then in the subsequent run, this opensearch.yml was reset allowing the demo config tool to setup security from the scratch.

[prudhvigodithi]

Thanks @DarshitChanpura, what If I want to start the cluster (a brand new) with a pre-created opensearch.yml with at-least 1 setting related to security, the demo config installer should still run I assume as its the 1st time installation right ?
In the new commit all the CI checks pass now opensearch-project/helm-charts#516.

[DarshitChanpura]

Since helm charts use docker images which internally uses docker-entrypoint.sh script to start the container, there is way to skip demo config install completely if you want to use your own custom setup. You can do so by setting the env var DISABLE_INSTALL_DEMO_CONFIG to true.

If you try to do both, the demo setup will quit with "already configured" message.