OpenSearch is a community-driven project by Amazon, serving as a fork of Elasticsearch and Kibana. It is an entirely open-source search engine and analytics suite offering a rich array of features and innovative functionality. The main components of the OpenSearch project are OpenSearch (a fork of Elasticsearch) and the OpenSearch Dashboards (a fork of Kibana), providing capabilities such as enterprise security, alerting, machine learning, SQL, and index state management.
OpenSearch is 100% open-source, licensed under Apache 2.0. It allows you to ingest, secure, search, aggregate, view, and analyze data for various use cases including log analytics and application search.
This guide will walk you through deploying OpenSearch on a Debian 11 server, including securing it with SSL/TLS certificates and setting up authentication and authorization. We will also install and configure OpenSearch Dashboards for data analysis and visualization.
Prerequisites
- A Debian 11 server with at least 8GB of RAM (example hostname: node1, IP: 192.168.5.50).
- A non-root user with sudo privileges.
Setup System
Initially, optimize your Debian server for OpenSearch by setting the hostname and FQDN, disabling memory swapping, and increasing the max memory maps value.
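    # Set the hostname and map the FQDN to the server IP
    sudo hostnamectl set-hostname node1
    # The redirect must run as root, so pipe through "sudo tee" instead of using ">>"
    echo "192.168.5.50 node1.hwdomain.lan node1" | sudo tee -a /etc/hosts
    hostname -f

    # Comment out swap entries in /etc/fstab and turn swap off for the running system
    sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
    sudo swapoff -a
    free -m

    # Raise the max memory maps value and reload sysctl settings
    echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p
    cat /proc/sys/vm/max_map_count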
Downloading OpenSearch
Install OpenSearch using the Tarball package. Create a dedicated user and set up the installation directory with proper permissions.
    # Dedicated system user and group for OpenSearch
    sudo adduser --system --shell /bin/bash --uid 10001 --no-create-home opensearch
    sudo groupadd opensearch
    sudo usermod -aG opensearch opensearch
    sudo mkdir -p /home/opensearch
    sudo chown -R opensearch /home/opensearch

    # Download and unpack the tarball, then move it to the installation directory
    wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.4.1/opensearch-2.4.1-linux-x64.tar.gz
    tar xf opensearch-2.4.1-linux-x64.tar.gz
    sudo mv opensearch-2.4.1 /opt/opensearch
    sudo chown -R opensearch /opt/opensearch
Configuring OpenSearch
Configure OpenSearch settings by editing opensearch.yml and jvm.options. Set the appropriate heap memory size and network bindings.
    cd /opt/opensearch
    sudo nano config/opensearch.yml

Settings for config/opensearch.yml:

    # Bind OpenSearch to interface or IP address
    network.host: 192.168.5.50
    # OpenSearch deployment type
    discovery.type: single-node
    # Re-enable security plugins
    plugins.security.disabled: false

    sudo nano config/jvm.options

Heap size settings for config/jvm.options:

    -Xms2g
    -Xmx2g

    export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk
    echo $OPENSEARCH_JAVA_HOME
Generating TLS Certificates
Generate certificates to secure OpenSearch deployment, including root CA, admin, and node certificates.
    # Run these as a user that can write to /opt/opensearch/config
    # (the directory is owned by opensearch after the installation step)
    mkdir -p /opt/opensearch/config/certs; cd /opt/opensearch/config/certs

    # Root CA: private key and self-signed certificate
    openssl genrsa -out root-ca-key.pem 2048
    openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730

    # Admin certificate: key converted to PKCS#8, CSR, then signed by the root CA
    openssl genrsa -out admin-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
    openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr
    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730

    # Node certificate: same steps, plus a subjectAltName for the node FQDN
    openssl genrsa -out node1-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem
    openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.hwdomain.lan" -out node1.csr
    echo 'subjectAltName=DNS:node1.hwdomain.lan' > node1.ext
    openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext

    # Remove temporary keys, CSRs and extension files
    rm *temp.pem *csr *ext

    # Add the root CA to the system trust store
    openssl x509 -outform der -in root-ca.pem -out root-ca.crt
    sudo cp root-ca.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates

    # Restrict ownership and permissions. The file modes are set before the
    # directory is closed to 0700, because the *.pem and *.crt globs are expanded
    # by your own shell and can no longer list the directory afterwards.
    sudo chown -R opensearch /opt/opensearch/config/certs
    sudo chmod 0600 /opt/opensearch/config/certs/*.pem
    sudo chmod 0600 /opt/opensearch/config/certs/*.crt
    sudo chmod 0700 /opt/opensearch/config/certs
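A check worth running before OpenSearch is pointed at these files, as an added example that is not part of the original guide: it confirms that a node certificate chains to the root CA, lists the node FQDN in its subjectAltName, matches its private key, and that the key is not readable beyond its owner. The function names check_node_cert and make_test_pki are illustrative, and the throwaway CA and certificate are constructed test data.

```shell
#!/bin/sh
# Added example, not from the original guide; function names are illustrative.

# check_node_cert CA CERT KEY FQDN: prints each failed check, returns 0 if none.
check_node_cert() {
    ca=$1; cert=$2; key=$3; fqdn=$4; rc=0
    # 1. The certificate must chain to the root CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca"; rc=1; }
    # 2. The SAN must carry the FQDN as an exact DNS entry (the CN is ignored).
    openssl x509 -in "$cert" -noout -text 2>/dev/null | tr ', ' '\n\n' |
        grep -Fxq "DNS:$fqdn" ||
        { echo "FAIL: subjectAltName lacks DNS:$fqdn"; rc=1; }
    # 3. The private key must belong to this certificate (same public key).
    pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: $key does not match $cert"; rc=1; }
    # 4. No group/other access to the key (the guide sets 0600). Uses GNU stat.
    case "$(stat -c %a "$key" 2>/dev/null)" in
        ?00) ;;
        *) echo "FAIL: $key is accessible beyond its owner"; rc=1 ;;
    esac
    return "$rc"
}

# make_test_pki DIR: constructed throwaway CA and node certificate, built with
# the guide's openssl steps (1-day validity) so the checks run offline.
make_test_pki() {
    ( cd "$1" &&
      openssl genrsa -out root-ca-key.pem 2048 &&
      openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/CN=ROOT" \
          -out root-ca.pem -days 1 &&
      openssl genrsa -out node1-key.pem 2048 &&
      openssl req -new -key node1-key.pem -subj "/CN=node1.hwdomain.lan" \
          -out node1.csr &&
      echo 'subjectAltName=DNS:node1.hwdomain.lan' > node1.ext &&
      openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem \
          -CAcreateserial -sha256 -out node1.pem -days 1 -extfile node1.ext &&
      chmod 0600 node1-key.pem ) >/dev/null 2>&1
}

dir=$(mktemp -d)
make_test_pki "$dir" &&
    check_node_cert "$dir/root-ca.pem" "$dir/node1.pem" \
        "$dir/node1-key.pem" node1.hwdomain.lan &&
    echo "node1 certificate passes all checks"
rm -rf "$dir"
```

Against the real files, the call is check_node_cert root-ca.pem node1.pem node1-key.pem node1.hwdomain.lan, run from /opt/opensearch/config/certs as a user that can read the key.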
FAQ
What is OpenSearch?
OpenSearch is an open-source search and analytics engine, a fork of Elasticsearch and Kibana, designed for applications such as log analytics and search functions.
Why disable swap for OpenSearch?
Disabling swap improves performance by ensuring that the data frequently accessed by the OpenSearch application remains in physical RAM.
How do I secure OpenSearch?
Install SSL/TLS certificates as described in the guide, enable security features in the configuration file, and set up user-based authentication and authorization.
Can OpenSearch Dashboards be installed on other distributions?
Yes, OpenSearch Dashboards can be installed on other Linux distributions following similar steps, provided compatible package versions are used.