Deployment Overview of OpenSearch on Server

Prerequisites and Basic Requirements

The following requirements must be met on the target server before deploying the application:

  • Operating System: Ubuntu.

  • Privileges: Root or sudo access is required to manage Docker services and configure the firewall.

  • Domain: The server must be associated with the hostkey.in zone.

  • Ports:

    • Port 443 for HTTPS access via the reverse proxy.

    • Port 9200 for OpenSearch REST API (internal container networking).

    • Port 5601 for OpenSearch Dashboards (internal container networking).

    • Port 9600 for OpenSearch monitoring (internal container networking).

Access Panel URL

The final application panel is accessible via the following Fully Qualified Domain Name (FQDN) format: <prefix><Server ID>.hostkey.in:443

Here <prefix> is set to opensearch and <Server ID> is the identifier of the specific instance. Access is secured with HTTPS, terminated at the reverse proxy.

File and Directory Structure

The application and its supporting components are organized into the following directories:

  • /home/<user>/opensearch-project/: The main project directory containing the Docker Compose configuration and persistent data volumes for OpenSearch.

  • /root/nginx/: The directory containing the Nginx reverse proxy and Certbot Docker Compose configuration.

  • /data/nginx/user_conf.d/: The directory storing specific Nginx server configuration files for the application.

  • /etc/letsencrypt/: The mount point for SSL/TLS certificates managed by Certbot.

Application Installation Process

The application is deployed using Docker and Docker Compose. The process involves installing the Docker engine, creating the project structure, and defining the service configuration.

  • Docker Engine: Installed via the managed installation role.

  • Docker Compose: Installed via the apt package manager.

  • Image Versions:

    • OpenSearch: opensearchproject/opensearch:2.17.0

    • OpenSearch Dashboards: opensearchproject/opensearch-dashboards:2.17.0

The Docker Compose file is generated at /home/<user>/opensearch-project/docker-compose.yml. It defines two primary services:

  1. opensearch-node1: Configured as a single-node cluster with memory locking enabled and Java heap size set to 512MB.

  2. opensearch-dashboards: Configured to connect to the OpenSearch node via the internal Docker network.

Docker Containers and Their Deployment

The application consists of three containers in two stacks, each deployed via Docker Compose:

OpenSearch Stack

  • Container Name: opensearch-node1

    • Image: opensearchproject/opensearch:2.17.0

    • Environment Variables:

      • discovery.type: single-node

      • bootstrap.memory_lock: true

      • OPENSEARCH_JAVA_OPTS: -Xms512m -Xmx512m

      • OPENSEARCH_INITIAL_ADMIN_PASSWORD: Set during installation to the SSH password, so the OpenSearch admin account and SSH initially share one credential.

    • Volumes: Maps ./opensearch-data to /usr/share/opensearch/data for data persistence.

    • Ports: Exposes 9200 and 9600.

  • Container Name: opensearch-dashboards

    • Image: opensearchproject/opensearch-dashboards:2.17.0

    • Environment Variables:

      • OPENSEARCH_HOSTS: ["https://opensearch-node1:9200"]

    • Ports: Exposes 5601.

  • Network: Both containers utilize a bridge network named opensearch-net.

Reverse Proxy Stack

  • Container Name: nginx (managed via /root/nginx/compose.yml)

    • Image: jonasal/nginx-certbot:latest

    • Network Mode: host

    • Volumes:

      • nginx_secrets mapped to /etc/letsencrypt for SSL certificate storage.

      • /data/nginx/user_conf.d mapped to /etc/nginx/user_conf.d for custom configurations.

    • Restart Policy: unless-stopped

    • Email: Configured for certificate renewal at [email protected].

Proxy Servers

A reverse proxy is implemented using Nginx and Certbot to handle SSL termination and domain routing.

  • Software: Nginx with Certbot integration (jonasal/nginx-certbot).

  • Configuration Location: /data/nginx/user_conf.d/opensearch<Server ID>.hostkey.in.conf.

  • Proxy Settings:

    • The proxy configuration routes all traffic (location /) to http://127.0.0.1:5601.

    • External traffic is received on port 443 and forwarded internally to the OpenSearch Dashboards container on port 5601.

  • SSL/Certificates: Managed automatically by Certbot within the Docker container, with secrets stored in the nginx_secrets volume.

Permission Settings

File and directory permissions are set to ensure proper ownership and access control:

  • /home/<user>/opensearch-project/: Owned by the local user (<user>); the Docker Compose file inside it is set to mode 0666 (readable and writable by all local users).

  • /root/nginx/: Owned by root with mode 0755.

  • /root/nginx/compose.yml: Owned by root with mode 0644.

  • /data/nginx/user_conf.d/: Owned by root (inherited from parent or explicit mount context).
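
An added check, not the provider's own code: mode 0666 leaves the Compose file, which holds OPENSEARCH_INITIAL_ADMIN_PASSWORD, readable and writable by every local account, and the function below reports both conditions. The sample file and the 0600 mode used for the clean case are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not the provider's tooling.
# Audits a Compose file that carries OPENSEARCH_INITIAL_ADMIN_PASSWORD.
# Prints one finding per line; returns 0 when clean, 1 on findings, 2 if missing.
audit_compose_file() {
    f=$1
    findings=0
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # find -perm -0002 matches when the world-writable bit is set
    if [ -n "$(find "$f" -prune -perm -0002)" ]; then
        echo "world-writable: $f"
        findings=$((findings + 1))
    fi
    # A world-readable file exposes the password to every local account
    if grep -q 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' "$f" &&
       [ -n "$(find "$f" -prune -perm -0004)" ]; then
        echo "admin password readable by all users: $f"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed stand-in for /home/<user>/opensearch-project/docker-compose.yml
write_sample_compose() {
    cat > "$1" <<'EOF'
services:
  opensearch-node1:
    image: opensearchproject/opensearch:2.17.0
    environment:
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=constructed-placeholder
EOF
}

demo=$(mktemp -d)
write_sample_compose "$demo/docker-compose.yml"
chmod 0666 "$demo/docker-compose.yml"      # mode stated on the page
audit_compose_file "$demo/docker-compose.yml" || echo "-> findings at 0666"
chmod 0600 "$demo/docker-compose.yml"      # owner-only (assumed for the demo)
audit_compose_file "$demo/docker-compose.yml" && echo "-> clean at 0600"
rm -rf "$demo"
```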

Location of Configuration Files and Data

The following paths contain the critical configuration files and data stores:

| Component | File/Directory Path | Description |
|---|---|---|
| OpenSearch Data | /home/<user>/opensearch-project/opensearch-data | Persistent storage for OpenSearch indexes. |
| OpenSearch Config | /home/<user>/opensearch-project/docker-compose.yml | Docker Compose definition for the search stack. |
| Proxy Config | /data/nginx/user_conf.d/opensearch<Server ID>.hostkey.in.conf | Nginx server block configuration. |
| Proxy Definition | /root/nginx/compose.yml | Docker Compose definition for the proxy stack. |
| SSL Certs | /etc/letsencrypt (mounted volume) | Let's Encrypt certificate storage. |

Available Ports for Connection

The following ports are configured for service communication and external access:

  • Port 443: HTTPS external access to the OpenSearch Dashboards UI via the Nginx reverse proxy.

  • Port 5601: Internal OpenSearch Dashboards interface, which the proxy reaches at 127.0.0.1:5601.

  • Port 9200: Internal OpenSearch REST API endpoint.

  • Port 9600: Internal OpenSearch monitoring endpoint.
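
An added check, not part of the provider's deployment: the function below reads `ss -H -ltn` output and reports any listener on 5601, 9200 or 9600 that is bound to something other than loopback, which is how a Compose ports entry published without a host address appears on the host. The sample socket list is constructed.

```shell
#!/bin/sh
# Added example, not the provider's tooling.
# Reads `ss -H -ltn` output on stdin and prints every listener on an internal
# OpenSearch port whose local address is not loopback. Exit status 1 if any.
INTERNAL_PORTS="5601 9200 9600"   # ports the page lists as internal

find_exposed() {
    awk -v ports="$INTERNAL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                                   # e.g. 0.0.0.0:9200 or [::]:9200
            port = la; sub(/^.*:/, "", port)          # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only is fine
            print addr ":" port
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: Dashboards on loopback, REST API published on all interfaces.
sample_ss() {
    cat <<'EOF'
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5601 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9200   0.0.0.0:*
LISTEN 0 4096 [::]:9200      [::]:*
LISTEN 0 4096 127.0.0.1:9600 0.0.0.0:*
EOF
}

# Demo on the sample; on a live host run: ss -H -ltn | find_exposed
if exposed=$(sample_ss | find_exposed); then
    echo "OK: internal ports are loopback-only"
else
    echo "$exposed" | sed 's/^/EXPOSED: /'
fi
```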

Starting, Stopping, and Updating

Service management is handled via Docker Compose commands executed from their respective directories.

OpenSearch Services

  • Start/Restart: Execute docker-compose up -d from /home/<user>/opensearch-project.

  • Stop: Execute docker-compose down from /home/<user>/opensearch-project.

  • Update: Modify the docker-compose.yml file to change images or configurations, then run docker-compose up -d.

Proxy Services

  • Start/Restart: Execute docker compose up -d from /root/nginx.

  • Stop: Execute docker compose down from /root/nginx.
