
Deployment Overview of OpenSearch on Server

Prerequisites and Basic Requirements

The deployment requires a Linux server running Ubuntu with the following specifications:

- Root or sudo privileges to install system packages and manage Docker services.
- Docker Engine installed and running on the host system.
- Docker Compose installed to manage multi-container applications.
- Network access to ports 9200, 9600, and 5601 for OpenSearch and OpenSearch Dashboards.
- Network access to ports 80 and 443 for the Nginx proxy and SSL certificate management.

File and Directory Structure

The application and its configuration files are organized in the following locations on the server:

- /home/<username>/opensearch-project/: The main project directory containing the Docker Compose configuration for OpenSearch.
- /home/<username>/opensearch-project/docker-compose.yml: The configuration file defining the OpenSearch and OpenSearch Dashboards services.
- /home/<username>/opensearch-project/opensearch-data/: The persistent volume directory where OpenSearch stores its data.
- /root/nginx/: The directory containing the Nginx proxy configuration and Docker Compose file.
- /root/nginx/compose.yml: The Docker Compose file for the Nginx and Certbot services.
- /data/nginx/user_conf.d/: The directory containing custom Nginx configuration files for specific host keys.
- /data/nginx/nginx-certbot.env: The environment file containing configuration variables for the Nginx-Certbot container.

Application Installation Process

The OpenSearch stack is deployed using Docker Compose with version 2.17.0 for both the core engine and the dashboards interface. The installation involves creating a project directory and defining the service configuration.

The docker-compose.yml file defines two primary services:

- opensearch-node1: Runs the opensearchproject/opensearch:2.17.0 image. It is configured as a single-node cluster with memory locking enabled and Java heap size set to 512MB.
- opensearch-dashboards: Runs the opensearchproject/opensearch-dashboards:2.17.0 image. It connects to the OpenSearch node via HTTPS on port 9200.

The Nginx proxy is deployed separately using a compose.yml file located in /root/nginx/. This setup utilizes the jonasal/nginx-certbot:latest image to handle SSL termination and reverse proxying.

Access Rights and Security

Security and access control are managed through the following mechanisms:

- Firewall: The host must allow incoming traffic on ports 9200, 9600, 5601, 80, and 443.
- User Permissions: The OpenSearch project directory is owned by the standard user (<username>), while the Nginx configuration directory is owned by root.
- Authentication: The OpenSearch initial admin password is set via the OPENSEARCH_INITIAL_ADMIN_PASSWORD environment variable in the Docker Compose configuration.
- SSL/TLS: SSL certificates are managed automatically by the Nginx-Certbot container, which stores secrets in the nginx_secrets volume.

Docker Containers and Their Deployment

The deployment utilizes Docker Compose to orchestrate the containers.

OpenSearch Stack Deployment: The OpenSearch and Dashboards containers are started using the following command from the project directory:

docker-compose up -d

This command is executed in the /home/<username>/opensearch-project directory. The containers are configured with the following network and volume settings:

- Network: A custom bridge network named opensearch-net connects the OpenSearch node and Dashboards.
- Volumes: The opensearch-data directory on the host is mounted to /usr/share/opensearch/data inside the container to ensure data persistence.
- Ports:
  - 9200: OpenSearch REST API.
  - 9600: OpenSearch Performance Analyzer.
  - 5601: OpenSearch Dashboards web interface.

Nginx Proxy Deployment: The Nginx proxy is deployed using the docker compose up -d command executed in the /root/nginx directory. The configuration includes:

- Image: jonasal/nginx-certbot:latest.
- Restart Policy: unless-stopped.
- Network Mode: host.
- Volumes:
  - nginx_secrets: An external volume mounted at /etc/letsencrypt for certificate storage.
  - /data/nginx/user_conf.d: Mounted at /etc/nginx/user_conf.d for custom site configurations.

Proxy Servers

The Nginx proxy server is configured to handle incoming web traffic and manage SSL certificates via Certbot.

- Domain Configuration: Custom host configurations are stored in /data/nginx/user_conf.d/ with filenames following the pattern <prefix><server_id>.hostkey.in.conf.
- Proxy Pass: The Nginx configuration includes a proxy_pass directive that forwards requests to the local OpenSearch Dashboards instance at http://127.0.0.1:5601.
- Email Configuration: The CERTBOT_EMAIL environment variable is set to [email protected] for certificate renewal notifications.
- Environment File: Additional Nginx settings are loaded from /data/nginx/nginx-certbot.env.
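
Since the proxy reaches Dashboards over http://127.0.0.1:5601, the added example below (not taken from the deployment's own files) lists which host ports a compose file publishes on non-loopback addresses. The function names and the sample compose fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: list host ports that a compose file publishes beyond loopback.
# Handles the short "HOST:CONTAINER" and "IP:HOST:CONTAINER" forms (IPv4 only).

# published_ports FILE -> one "<bind-address> <host-port>" line per mapping.
published_ports() {
    tr -d "\"' " < "$1" | awk '
        { sub(/#.*/, "") }                     # drop YAML comments
        /^$/ { next }                          # ignore blank lines
        /^ports:$/ { in_ports = 1; next }
        in_ports && /^-/ {
            n = split(substr($0, 2), p, ":")
            if (n == 3)      print p[1], p[2]  # explicit bind address
            else if (n == 2) print "0.0.0.0", p[1]
            next
        }
        { in_ports = 0 }'
}

# exposed_ports FILE -> host ports reachable from other machines.
exposed_ports() {
    published_ports "$1" | awk '$1 != "127.0.0.1" { print $2 }'
}

# Constructed sample input, not the actual docker-compose.yml of this deployment.
sample_compose() {
    cat <<'EOF'
services:
  opensearch-node1:
    image: opensearchproject/opensearch:2.17.0
    ports:
      - "9200:9200"   # REST API, published on all interfaces
      - "9600:9600"   # Performance Analyzer, published on all interfaces
    networks:
      - opensearch-net
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:2.17.0
    ports:
      - "127.0.0.1:5601:5601"   # only the local Nginx proxy can connect
EOF
}
```

On the constructed sample, exposed_ports reports 9200 and 9600, while 5601 stays reachable only through the proxy because Nginx runs in host network mode.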

Permission Settings

File and directory permissions are set as follows to ensure proper operation:

- The /home/<username>/opensearch-project directory and its contents are owned by the standard user with read/write permissions.
- The docker-compose.yml file in the OpenSearch project is set to mode 0666.
- The /root/nginx directory is owned by root with mode 0755.
- The compose.yml file in the Nginx directory is owned by root with mode 0644.
- The nginx_secrets volume is managed externally by the Docker engine and the Certbot container.
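
The following check is an added example, not part of the original deployment: it flags files that are world-writable, or world-readable while holding OPENSEARCH_INITIAL_ADMIN_PASSWORD inline. The function names are hypothetical and the paths to audit are passed as arguments.

```shell
#!/bin/sh
# Added example: flag deployment files whose mode exposes them to every local user.
# The file paths are supplied by the caller; none are read from the host here.

# has_perm FILE BITS -> true when all octal BITS are set in FILE's mode.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_mode FILE -> prints "OK FILE" or "FAIL FILE: reasons"; returns 1 on FAIL.
audit_mode() {
    am_findings=""
    # Other-write: any local account can change images, commands or mounts.
    if has_perm "$1" 002; then
        am_findings="world-writable"
    fi
    # Other-read plus an inline admin password: any local account can read it.
    if has_perm "$1" 004 && [ -f "$1" ] &&
       grep -q 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' "$1"; then
        am_findings="${am_findings:+$am_findings,}world-readable-secret"
    fi
    if [ -n "$am_findings" ]; then
        echo "FAIL $1: $am_findings"
        return 1
    fi
    echo "OK $1"
}

# Audit each path given on the command line; exit 1 if anything failed.
status=0
for f in "$@"; do
    audit_mode "$f" || status=1
done
[ "$status" -eq 0 ] || exit 1
```

Against the modes listed above, a 0666 docker-compose.yml that carries the admin password fails on both counts, while the same file at mode 0600 passes.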

Starting, Stopping, and Updating

The services are managed using Docker Compose commands.

OpenSearch Services:

- Start: Execute docker-compose up -d in the /home/<username>/opensearch-project directory.
- Stop: Execute docker-compose down in the same directory.
- Update: To update the software version, modify the image tags in the docker-compose.yml file and re-run docker-compose up -d.

Nginx Proxy Services:

- Start: Execute docker compose up -d in the /root/nginx directory.
- Stop: Execute docker compose down in the same directory.
- Update: To update the Nginx image, modify the image tag in /root/nginx/compose.yml and re-run docker compose up -d.
