From e91d3a770d99444f9ae78d3c3a2fe9bd7e60efd8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maur=C3=ADcio=20Linhares?= Date: Fri, 22 Apr 2022 13:40:31 -0400 Subject: [PATCH] Adding opensearch as an option to 1-clicks This adds a 1 click recipe that installs opensearch and opensearch dashboards on a single droplet with TLS enabled. The apps use a self signed certificate and the passwords for the admin and kibana user are at `/home/opensearch/admin_password.txt` and `/home/opensearch/kibana_password.txt` files. --- .../ansible/opensearch-playbook.yml | 6 ++ .../roles/opensearch/defaults/main.yml | 21 +++++ .../files/internal_users.yml.template | 21 +++++ .../opensearch/files/jvm.options.template | 80 +++++++++++++++++++ .../opensearch/files/opensearch.yml.template | 31 +++++++ .../files/opensearch_dashboards.yml.template | 21 +++++ .../opensearch/files/tlsconfig.yml.template | 45 +++++++++++ .../roles/opensearch/tasks/dashboards.yml | 40 ++++++++++ .../ansible/roles/opensearch/tasks/main.yml | 67 ++++++++++++++++ .../roles/opensearch/tasks/opensearch.yml | 41 ++++++++++ .../roles/opensearch/tasks/security.yml | 38 +++++++++ .../roles/opensearch/templates/001_onboot | 58 ++++++++++++++ .../opensearch/templates/opensearch.service | 51 ++++++++++++ .../templates/opensearch_dashboards.service | 48 +++++++++++ .../files/etc/update-motd.d/99-one-click | 24 ++++++ .../scripts/014-ufw-opensearch.sh | 8 ++ opensearch-20-04/template.json | 79 ++++++++++++++++++ 17 files changed, 679 insertions(+) create mode 100644 opensearch-20-04/ansible/opensearch-playbook.yml create mode 100644 opensearch-20-04/ansible/roles/opensearch/defaults/main.yml create mode 100644 opensearch-20-04/ansible/roles/opensearch/files/internal_users.yml.template create mode 100644 opensearch-20-04/ansible/roles/opensearch/files/jvm.options.template create mode 100644 opensearch-20-04/ansible/roles/opensearch/files/opensearch.yml.template create mode 100644 opensearch-20-04/ansible/roles/opensearch/files/opensearch_dashboards.yml.template create mode 100644 
opensearch-20-04/ansible/roles/opensearch/files/tlsconfig.yml.template create mode 100644 opensearch-20-04/ansible/roles/opensearch/tasks/dashboards.yml create mode 100644 opensearch-20-04/ansible/roles/opensearch/tasks/main.yml create mode 100644 opensearch-20-04/ansible/roles/opensearch/tasks/opensearch.yml create mode 100644 opensearch-20-04/ansible/roles/opensearch/tasks/security.yml create mode 100755 opensearch-20-04/ansible/roles/opensearch/templates/001_onboot create mode 100644 opensearch-20-04/ansible/roles/opensearch/templates/opensearch.service create mode 100644 opensearch-20-04/ansible/roles/opensearch/templates/opensearch_dashboards.service create mode 100755 opensearch-20-04/files/etc/update-motd.d/99-one-click create mode 100644 opensearch-20-04/scripts/014-ufw-opensearch.sh create mode 100644 opensearch-20-04/template.json
diff --git a/opensearch-20-04/ansible/opensearch-playbook.yml b/opensearch-20-04/ansible/opensearch-playbook.yml
new file mode 100644
index 0000000..859cb81
--- /dev/null
+++ b/opensearch-20-04/ansible/opensearch-playbook.yml
@@ -0,0 +1,6 @@
+---
+- hosts: default
+ become: true
+ serial: 1
+ roles:
+ - role: opensearch
diff --git a/opensearch-20-04/ansible/roles/opensearch/defaults/main.yml b/opensearch-20-04/ansible/roles/opensearch/defaults/main.yml
new file mode 100644
index 0000000..c8ddb85
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+opensearch_home: /opt/opensearch
+opensearch_config_home: /opt/opensearch/config
+opensearch_config_file: /opt/opensearch/config/opensearch.yml
+opensearch_url: https://artifacts.opensearch.org/releases/bundle/opensearch/1.3.1/opensearch-1.3.1-linux-x64.tar.gz
+
+opensearch_dashboards_home: /opt/opensearch-dashboards
+opensearch_dashboards_config_home: /opt/opensearch-dashboards/config
+opensearch_dashboards_config_file: /opt/opensearch-dashboards/config/opensearch_dashboards.yml
+opensearch_dashboards_url: https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/1.3.1/opensearch-dashboards-1.3.1-linux-x64.tar.gz
+
+opensearch_user: opensearch
+opensearch_group: opensearch
+
+opensearch_plugin_bin_path: /opt/opensearch/bin/opensearch-plugin
+opensearch_security_plugin_conf_path: /opt/opensearch/plugins/opensearch-security/securityconfig
+opensearch_security_plugin_tools_path: /opt/opensearch/plugins/opensearch-security/tools
+
+systemctl_path: /etc/systemd/system
+
+nodecerts_home: /opt/opensearch-nodecerts
\ No newline at end of file
diff --git a/opensearch-20-04/ansible/roles/opensearch/files/internal_users.yml.template b/opensearch-20-04/ansible/roles/opensearch/files/internal_users.yml.template
new file mode 100644
index 0000000..02e2fc1
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/files/internal_users.yml.template
@@ -0,0 +1,21 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+
+admin:
+ hash: "{{ datasource "admin_password" }}"
+ reserved: true
+ backend_roles:
+ - "admin"
+ description: "admin user"
+
+kibanaserver:
+ hash: "{{ datasource "kibanaserver_password" }}"
+ reserved: true
+ description: "kibanaserver user"
diff --git a/opensearch-20-04/ansible/roles/opensearch/files/jvm.options.template b/opensearch-20-04/ansible/roles/opensearch/files/jvm.options.template
new file mode 100644
index 0000000..b9d702a
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/files/jvm.options.template
@@ -0,0 +1,80 @@
+## JVM configuration
+
+################################################################
+## IMPORTANT: JVM heap size
+################################################################
+##
+## You should always set the min and max JVM heap
+## size to the same value. For example, to set
+## the heap to 4 GB, set:
+##
+## -Xms4g
+## -Xmx4g
+##
+## See https://opensearch.org/docs/opensearch/install/important-settings/
+## for more information
+##
+################################################################
+
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+
+-Xms{{datasource "max_memory" }}m
+-Xmx{{datasource "max_memory" }}m
+
+################################################################
+## Expert settings
+################################################################
+##
+## All settings below this section are considered
+## expert settings. Don't tamper with them unless
+## you understand what you are doing
+##
+################################################################
+
+## GC configuration
+8-13:-XX:+UseConcMarkSweepGC
+8-13:-XX:CMSInitiatingOccupancyFraction=75
+8-13:-XX:+UseCMSInitiatingOccupancyOnly
+
+## G1GC Configuration
+# NOTE: G1 GC is only supported on JDK version 10 or later
+# to use G1GC, uncomment the next two lines and update the version on the
+# following three lines to your version of the JDK
+# 10-13:-XX:-UseConcMarkSweepGC
+# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
+14-:-XX:+UseG1GC
+14-:-XX:G1ReservePercent=25
+14-:-XX:InitiatingHeapOccupancyPercent=30
+
+## JVM temporary directory
+-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}
+
+## heap dumps
+
+# generate a heap dump when an allocation from the Java heap fails
+# heap dumps are created in the working directory of the JVM
+-XX:+HeapDumpOnOutOfMemoryError
+
+# specify an alternative path for heap dumps; ensure the directory exists and
+# has sufficient space
+-XX:HeapDumpPath=data
+
+# specify an alternative path for JVM fatal error logs
+-XX:ErrorFile=logs/hs_err_pid%p.log
+
+## JDK 8 GC logging
+8:-XX:+PrintGCDetails
+8:-XX:+PrintGCDateStamps
+8:-XX:+PrintTenuringDistribution
+8:-XX:+PrintGCApplicationStoppedTime
+8:-Xloggc:logs/gc.log
+8:-XX:+UseGCLogFileRotation
+8:-XX:NumberOfGCLogFiles=32
+8:-XX:GCLogFileSize=64m
+
+# JDK 9+ GC logging
+9-:-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m
+
+# Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380)
+18-:-Djava.security.manager=allow
diff --git a/opensearch-20-04/ansible/roles/opensearch/files/opensearch.yml.template b/opensearch-20-04/ansible/roles/opensearch/files/opensearch.yml.template
new file mode 100644
index 0000000..43b3945
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/files/opensearch.yml.template
@@ -0,0 +1,31 @@
+cluster.name: {{ datasource "droplet_name" }}
+
+node.name: {{ datasource "droplet_name" }}
+
+network.host: {{ datasource "ip_address" }}
+
+http.port: 9200
+
+discovery.type: single-node
+
+bootstrap.memory_lock: true
+
+plugins.security.allow_default_init_securityindex: true
+plugins.security.audit.type: internal_opensearch
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+
+plugins.security.ssl.transport.pemcert_filepath: opensearch.pem
+plugins.security.ssl.transport.pemkey_filepath: opensearch.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.http.pemcert_filepath: opensearch_http.pem
+plugins.security.ssl.http.pemkey_filepath: opensearch_http.key
+plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+plugins.security.nodes_dn:
+- CN=opensearch,OU=Ops,O=opensearch\, Inc.,DC=opensearch
+plugins.security.authcz.admin_dn:
+- CN=admin.opensearch,OU=Ops,O=opensearch\, Inc.,DC=opensearch
diff --git a/opensearch-20-04/ansible/roles/opensearch/files/opensearch_dashboards.yml.template b/opensearch-20-04/ansible/roles/opensearch/files/opensearch_dashboards.yml.template
new file mode 100644
index 0000000..a2bef54
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/files/opensearch_dashboards.yml.template
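Review bot: `network.host` is rendered from the droplet's public IPv4 address, so the REST API on port 9200 listens on the internet-facing interface from first start, and the only controls visible in this file are the generated passwords and a self-signed certificate. Nothing in the template records that this exposure is intended, or that `plugins.security.ssl.transport.enforce_hostname_verification: false` is tolerable only because the node runs as `discovery.type: single-node`. I would add a comment above each, for example `# Binds to the public address; restrict 9200 in the firewall when the client addresses are known` and `# Hostname verification is off: single-node install, there are no peer nodes to verify`. The firewall script listed in the diffstat is outside this hunk, so what it allows could not be checked here.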
@@ -0,0 +1,21 @@
+server.port: 5601
+server.host: "{{ datasource "ip_address" }}"
+opensearch.hosts: ["https://{{ datasource "ip_address" }}:9200"]
+opensearch.ssl.verificationMode: none
+opensearch.username: "kibanaserver"
+opensearch.password: "{{ datasource "kibanaserver_password" }}"
+opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
+
+opensearch_security.multitenancy.enabled: true
+opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+opensearch_security.cookie.secure: true
+
+server.ssl.enabled: true
+server.ssl.certificate: {{ datasource "opensearch_config_home" }}/opensearch_http.pem
+server.ssl.key: {{ datasource "opensearch_config_home" }}/opensearch_http.key
+
+opensearch.ssl.certificateAuthorities: [ "{{ datasource "opensearch_config_home" }}/root-ca.pem" ]
+
+opensearch.ssl.certificate: {{ datasource "opensearch_config_home" }}/opensearch.pem
+opensearch.ssl.key: {{ datasource "opensearch_config_home" }}/opensearch.key
diff --git a/opensearch-20-04/ansible/roles/opensearch/files/tlsconfig.yml.template b/opensearch-20-04/ansible/roles/opensearch/files/tlsconfig.yml.template
new file mode 100644
index 0000000..3eac06c
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/files/tlsconfig.yml.template
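Review bot: `opensearch.ssl.verificationMode: none` switches off certificate validation for the Dashboards-to-OpenSearch connection even though `opensearch.ssl.certificateAuthorities` a few lines below already points at the generated `root-ca.pem`. With the CA configured, `opensearch.ssl.verificationMode: certificate` would validate the chain, and `full` should also work if the HTTP certificate carries the droplet IP as a subject alternative name (tlsconfig.yml.template sets `ip:` for the node, but the issued certificate is not visible here). As written, the `kibanaserver` credentials in `opensearch.password` are presented to any endpoint answering on that address without checking its identity. The rendered file also holds that password in clear text, so a comment stating that it must stay readable by the service account only would help the next maintainer.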
@@ -0,0 +1,45 @@
+ca:
+ root:
+ dn: CN=root.ca.opensearch,OU=CA,O=opensearch\, Inc.,DC=opensearch
+ keysize: 2048
+ validityDays: 3650
+ pkPassword: none
+ file: root-ca.pem
+
+### Default values and global settings
+defaults:
+ validityDays: 3650
+ pkPassword: none
+ # Set this to true in order to generate config and certificates for
+ # the HTTP interface of nodes
+ httpsEnabled: true
+ reuseTransportCertificatesForHttp: false
+ verifyHostnames: false
+ resolveHostnames: false
+
+
+###
+### Nodes
+###
+#
+# Specify the nodes of your ES cluster here
+#
+nodes:
+- name: opensearch
+ dn: CN=opensearch,OU=Ops,O=opensearch\, Inc.,DC=opensearch
+ dns: opensearch
+ ip: {{ datasource "ip_address" }}
+
+###
+### Clients
+###
+#
+# Specify the clients that shall access your ES cluster with certificate authentication here
+#
+# At least one client must be an admin user (i.e., a super-user). Admin users can
+# be specified with the attribute admin: true
+#
+clients:
+ - name: admin
+ dn: CN=admin.opensearch,OU=Ops,O=opensearch\, Inc.,DC=opensearch
+ admin: true
diff --git a/opensearch-20-04/ansible/roles/opensearch/tasks/dashboards.yml b/opensearch-20-04/ansible/roles/opensearch/tasks/dashboards.yml
new file mode 100644
index 0000000..dffda58
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/tasks/dashboards.yml
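Review bot: The root CA is created with `pkPassword: none` and `validityDays: 3650`, and 001_onboot passes `-t {{ opensearch_config_home }}` to the tool, so the unencrypted `root-ca.key` ends up beside the node keys in the running service's config directory for ten years. The node does not appear to need the CA private key once the certificates are issued, so I would move or delete `root-ca.key` after generation, or add a comment here such as `# CA key is kept unencrypted on the droplet so certificates can be reissued locally` if keeping it is deliberate. The same file sets `verifyHostnames: false` although the node entry supplies both `dns:` and `ip:`; a one-line comment explaining why verification is off would prevent it being copied into a multi-node setup unnoticed.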
@@ -0,0 +1,40 @@
+---
+
+- name: Download dashboards
+ get_url:
+ url: "{{ opensearch_dashboards_url }}"
+ dest: "/tmp/dashboards.tar.gz"
+
+- name: Unpack dashboards tarball
+ unarchive:
+ copy: no
+ src: "/tmp/dashboards.tar.gz"
+ dest: "{{ opensearch_dashboards_home }}"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+ extra_opts:
+ - --strip-components=1
+
+- name: Dashboards Install | create systemd service
+ template:
+ src: opensearch_dashboards.service
+ dest: "{{ systemctl_path }}/opensearch_dashboards.service"
+
+- name: Add dashboards jvm options template
+ copy:
+ src: jvm.options.template
+ dest: "{{ opensearch_dashboards_config_home }}/jvm.options.template"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+
+- name: Copy template config file
+ copy:
+ src: "opensearch_dashboards.yml.template"
+ dest: "{{ opensearch_dashboards_config_file }}.template"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+
+- name: Remove dashboards config file
+ file:
+ path: "{{ opensearch_dashboards_config_file }}"
+ state: absent
diff --git a/opensearch-20-04/ansible/roles/opensearch/tasks/main.yml b/opensearch-20-04/ansible/roles/opensearch/tasks/main.yml
new file mode 100644
index 0000000..bc87034
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/tasks/main.yml
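Review bot: The `get_url` task in "Download dashboards" has no `checksum:`, so the image build unpacks and later runs whatever the URL returns at build time. The same gap is present for the gomplate binary written straight to `/usr/bin/gomplate` in tasks/main.yml, the OpenSearch tarball in tasks/opensearch.yml, and the search-guard-tlstool archive in tasks/security.yml, which goes on to generate the CA and node keys. The versions are already pinned in the URLs, so pinning the digest costs one line per task: `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder; take the value from the publisher's release page). Separately, `copy: no` on `unarchive` is the deprecated spelling of `remote_src: yes`.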
@@ -0,0 +1,67 @@
+---
+
+- name: setup group
+ group:
+ name: "{{ opensearch_group }}"
+ system: true
+ state: present
+
+- name: setup user
+ user:
+ name: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+ system: true
+
+- name: Set vm.max_map_count in sysctl.conf
+ sysctl:
+ name: vm.max_map_count
+ value: 262144
+ state: present
+
+- name: Set open files limit in sysctl.conf
+ sysctl:
+ name: fs.file-max
+ value: 65536
+ state: present
+
+- name: create base directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+ mode: 0744
+ loop:
+ - "{{ opensearch_home }}"
+ - "{{ opensearch_dashboards_home }}"
+ - "{{ nodecerts_home }}"
+
+- name: Download gomplate
+ get_url:
+ url: "https://github.com/hairyhenderson/gomplate/releases/download/v3.10.0/gomplate_linux-amd64"
+ dest: "/usr/bin/gomplate"
+ mode: a+x
+
+- name: include opensearch
+ include: opensearch.yml
+
+- name: include dashboards
+ include: dashboards.yml
+
+- name: include security
+ include: security.yml
+
+- name: Add opensearch init script
+ template:
+ src: 001_onboot
+ dest: "/var/lib/cloud/scripts/per-instance/001_onboot"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+ mode: a+x
+
+- name: Run config script on boot
+ cron:
+ name: "configure-opensearch"
+ special_time: "reboot"
+ job: "/bin/bash /var/lib/cloud/scripts/per-instance/001_onboot"
+ user: "{{ opensearch_user }}"
diff --git a/opensearch-20-04/ansible/roles/opensearch/tasks/opensearch.yml b/opensearch-20-04/ansible/roles/opensearch/tasks/opensearch.yml
new file mode 100644
index 0000000..a1a6efe
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/tasks/opensearch.yml
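Review bot: "Add opensearch init script" installs `001_onboot` under `/var/lib/cloud/scripts/per-instance/` with `owner: "{{ opensearch_user }}"` and `mode: a+x`, so the service account owns, and can rewrite, a script that cloud-init is expected to execute with root privileges on first boot. A script run by root should be root-owned and not writable by the account it configures: `owner: root`, `group: root`, `mode: "0755"`. The `cron` task then runs the same script at every reboot as `{{ opensearch_user }}`, but the script calls `chown` and `systemctl enable --now`, which that user presumably cannot do; if the per-instance run is the intended trigger, the cron entry can go. `mode: 0744` on the base directories also leaves group and others without the execute bit, which is unusual for a directory and deserves a comment if it is deliberate.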
@@ -0,0 +1,41 @@
+---
+
+- name: Download opensearch
+ get_url:
+ url: "{{ opensearch_url }}"
+ dest: "/tmp/opensearch.tar.gz"
+
+- name: Unpack opensearch tarball
+ unarchive:
+ copy: no
+ src: "/tmp/opensearch.tar.gz"
+ dest: "{{ opensearch_home }}"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+ mode: 0700
+ extra_opts:
+ - --strip-components=1
+
+- name: Add opensearch config template
+ copy:
+ src: opensearch.yml.template
+ dest: "{{ opensearch_config_file }}.template"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+
+- name: Add opensearch jvm options template
+ copy:
+ src: jvm.options.template
+ dest: "{{ opensearch_config_home }}/jvm.options.template"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+
+- name: Remove opensearch config file
+ file:
+ path: "{{ opensearch_config_file }}"
+ state: absent
+
+- name: OpenSearch Install | create systemd service
+ template:
+ src: opensearch.service
+ dest: "{{ systemctl_path }}/opensearch.service"
diff --git a/opensearch-20-04/ansible/roles/opensearch/tasks/security.yml b/opensearch-20-04/ansible/roles/opensearch/tasks/security.yml
new file mode 100644
index 0000000..712ef9c
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/tasks/security.yml
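Review bot: The `copy` and `template` tasks in this file set `owner` and `group` but no `mode:`, so the permissions of the config templates and of `opensearch.service` depend on the umask in effect during the image build. The copy tasks in tasks/dashboards.yml and tasks/security.yml follow the same pattern. Stating the mode makes the result reproducible and reviewable, e.g. `mode: "0640"` for the templates and `mode: "0644"` for the unit file. Where a mode is given (`mode: 0700` on the unarchive task) it is an unquoted octal literal; quoting it as `"0700"` avoids the number being reinterpreted by a YAML parser.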
@@ -0,0 +1,38 @@
+---
+
+- name: Security Plugin configuration | Create local temporary directory for certificates generation
+ file:
+ path: /tmp/opensearch-nodecerts
+ state: directory
+
+- name: Security Plugin configuration | Download certificates generation tool
+ get_url:
+ url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.tar.gz
+ dest: /tmp/opensearch-nodecerts/search-guard-tlstool.tar.gz
+
+- name: Unpack nodecerts tarball
+ unarchive:
+ copy: no
+ src: "/tmp/opensearch-nodecerts/search-guard-tlstool.tar.gz"
+ dest: "{{ nodecerts_home }}"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+
+- name: Security Plugin configuration | Make the executable file
+ file:
+ path: "{{ nodecerts_home }}/tools/sgtlstool.sh"
+ mode: a+x
+
+- name: Add nodecerts template file
+ copy:
+ src: tlsconfig.yml.template
+ dest: "{{ nodecerts_home }}/tlsconfig.yml.template"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
+
+- name: Add internal users config template
+ copy:
+ src: internal_users.yml.template
+ dest: "{{ opensearch_config_home }}/internal_users.yml.template"
+ owner: "{{ opensearch_user }}"
+ group: "{{ opensearch_group }}"
diff --git a/opensearch-20-04/ansible/roles/opensearch/templates/001_onboot b/opensearch-20-04/ansible/roles/opensearch/templates/001_onboot
new file mode 100755
index 0000000..d0b1223
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/templates/001_onboot
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+set -euo pipefail
+
+export JAVA_HOME="{{ opensearch_home }}/jdk"
+
+export OPENSEARCH_CONFIG_HOME="{{ opensearch_config_home }}"
+
+# Total memory in KB
+totalMemKB=$(awk '/MemTotal:/ { print $2 }' /proc/meminfo)
+
+# heap size in KB
+export OPENSEARCH_MAX_MEMORY=$(($totalMemKB*55/100/1024));
+export DASHBOARDS_MAX_MEMORY=$(($totalMemKB*3/100/1024));
+
+if [ ! -f "{{ opensearch_config_file }}" ]
+then
+ gomplate -d ip_address="http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address" -f {{ nodecerts_home }}/tlsconfig.yml.template -o {{ nodecerts_home }}/tlsconfig.yml
+
+ ./{{ nodecerts_home }}/tools/sgtlstool.sh -c {{ nodecerts_home }}/tlsconfig.yml -ca -crt -t {{ opensearch_config_home }} -v
+
+ chmod 0600 {{ opensearch_config_home }}/root-ca.pem {{ opensearch_config_home }}/root-ca.key {{ opensearch_config_home }}/opensearch.key {{ opensearch_config_home }}/opensearch.pem {{ opensearch_config_home }}/opensearch_http.key {{ opensearch_config_home }}/opensearch_http.pem {{ opensearch_config_home }}/admin.key {{ opensearch_config_home }}/admin.pem
+
+ chown {{ opensearch_user }}:{{ opensearch_group }} {{ opensearch_config_home }}/root-ca.pem {{ opensearch_config_home }}/root-ca.key {{ opensearch_config_home }}/opensearch.key {{ opensearch_config_home }}/opensearch.pem {{ opensearch_config_home }}/opensearch_http.key {{ opensearch_config_home }}/opensearch_http.pem {{ opensearch_config_home }}/admin.key {{ opensearch_config_home }}/admin.pem
+
+ ADMIN_PASSWORD=$(openssl rand -hex 20)
+ echo "$ADMIN_PASSWORD" > /home/{{ opensearch_user }}/admin_password.txt
+ export KIBANA_PASSWORD=$(openssl rand -hex 20)
+ echo "$KIBANA_PASSWORD" > /home/{{ opensearch_user }}/kibana_password.txt
+
+ export ADMIN_PASSWORD_HASH=$({{ opensearch_security_plugin_tools_path }}/hash.sh -p "$ADMIN_PASSWORD" | tail -1)
+ export KIBANA_PASSWORD_HASH=$({{ opensearch_security_plugin_tools_path }}/hash.sh -p "$KIBANA_PASSWORD" | tail -1)
+
+ gomplate -d admin_password="env:ADMIN_PASSWORD_HASH" -d kibanaserver_password="env:KIBANA_PASSWORD_HASH" -f "{{ opensearch_config_home }}/internal_users.yml.template" -o "{{ opensearch_security_plugin_conf_path }}/internal_users.yml"
+
+ gomplate -d droplet_name="http://169.254.169.254/metadata/v1/hostname" -d ip_address="http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address" -f "{{ opensearch_config_file }}.template" -o "{{ opensearch_config_file }}"
+
+ gomplate -d max_memory="env:OPENSEARCH_MAX_MEMORY" -f "$OPENSEARCH_CONFIG_HOME/jvm.options.template" -o "$OPENSEARCH_CONFIG_HOME/jvm.options"
+
+ chown -R {{ opensearch_user }}:{{ opensearch_group }} {{ opensearch_home }}
+
+ systemctl enable --now opensearch.service
+else
+ echo "{{ opensearch_config_file }} exists, not doing anything."
+fi
+
+if [ ! -f "{{ opensearch_dashboards_config_file }}" ]
+then
+ gomplate -d kibanaserver_password="env:KIBANA_PASSWORD" -d ip_address="http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address" -d opensearch_config_home="env:OPENSEARCH_CONFIG_HOME" -f "{{ opensearch_dashboards_config_file }}.template" -o "{{ opensearch_dashboards_config_file }}"
+
+ gomplate -d max_memory="env:DASHBOARDS_MAX_MEMORY" -f "{{ opensearch_dashboards_config_home }}/jvm.options.template" -o "{{ opensearch_dashboards_config_home }}/jvm.options"
+
+ chown -R {{ opensearch_user }}:{{ opensearch_group }} {{ opensearch_dashboards_home }}
+
+ systemctl enable --now opensearch_dashboards.service
+else
+ echo "{{ opensearch_dashboards_config_file }} exists, not doing anything."
+fi
diff --git a/opensearch-20-04/ansible/roles/opensearch/templates/opensearch.service b/opensearch-20-04/ansible/roles/opensearch/templates/opensearch.service
new file mode 100644
index 0000000..f466d64
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/templates/opensearch.service
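Review bot: The admin and Dashboards passwords are written with `echo "$ADMIN_PASSWORD" > /home/{{ opensearch_user }}/admin_password.txt`, which creates the files under the inherited umask, while the key files a few lines above get an explicit `chmod 0600`. Adding `umask 077` near the top of the script, or creating each file with `install -m 0600 /dev/null <file>` before writing to it, keeps the plaintext credentials readable by their owner only. `hash.sh -p "$ADMIN_PASSWORD"` also places the password on a command line, where it is visible in the process list while the tool runs. Separately, `./{{ nodecerts_home }}/tools/sgtlstool.sh` renders to a path relative to the current directory and resolves only when the script is started from `/`; dropping the leading `./` makes it absolute. The second `if` block reads `KIBANA_PASSWORD` from the environment although it is set only inside the first block, so a run where the OpenSearch config exists and the Dashboards config does not has no password to render.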
@@ -0,0 +1,51 @@
+[Unit]
+Description=opensearch
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+RuntimeDirectory=opensearch
+PrivateTmp=true
+
+WorkingDirectory={{ opensearch_home }}
+
+User={{ opensearch_user }}
+Group={{ opensearch_group }}
+
+ExecStart={{ opensearch_home }}/bin/opensearch -p {{ opensearch_home }}/opensearch.pid -q
+
+StandardOutput=journal
+StandardError=inherit
+
+# Specifies the maximum file descriptor number that can be opened by this process
+LimitNOFILE=65536
+
+# Specifies the memory lock settings
+LimitMEMLOCK=infinity
+
+# Specifies the maximum number of processes
+LimitNPROC=4096
+
+# Specifies the maximum size of virtual memory
+LimitAS=infinity
+
+# Specifies the maximum file size
+LimitFSIZE=infinity
+
+# Disable timeout logic and wait until process is stopped
+TimeoutStopSec=0
+
+# SIGTERM signal is used to stop the Java process
+KillSignal=SIGTERM
+
+# Send the signal only to the JVM rather than its control group
+KillMode=process
+
+# Java process is never killed
+SendSIGKILL=no
+
+# When a JVM receives a SIGTERM signal it exits with code 143
+SuccessExitStatus=143
+
+[Install]
+WantedBy=multi-user.target
diff --git a/opensearch-20-04/ansible/roles/opensearch/templates/opensearch_dashboards.service b/opensearch-20-04/ansible/roles/opensearch/templates/opensearch_dashboards.service
new file mode 100644
index 0000000..a5fa411
--- /dev/null
+++ b/opensearch-20-04/ansible/roles/opensearch/templates/opensearch_dashboards.service
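Review bot: The `[Service]` section sets `PrivateTmp=true` but no other sandboxing, although opensearch.yml.template binds the process to the droplet's public address. `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true` look compatible with a service that lives entirely under `{{ opensearch_home }}`, but they need a start-up test before being enabled, since the plugin set is not visible here. `TimeoutStopSec=0` together with `SendSIGKILL=no` also means a hung process is never terminated by systemd; if that is intended to protect index data, a comment saying so would help, as the existing comment only restates the directive.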
@@ -0,0 +1,48 @@
+[Unit]
+Description=opensearch-dashboards
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+RuntimeDirectory=opensearch-dashboards
+PrivateTmp=true
+
+WorkingDirectory={{ opensearch_dashboards_home }}
+
+User={{ opensearch_user }}
+Group={{ opensearch_group }}
+
+ExecStart={{ opensearch_dashboards_home }}/bin/opensearch-dashboards -q
+
+StandardOutput=journal
+StandardError=inherit
+
+# Specifies the maximum file descriptor number that can be opened by this process
+LimitNOFILE=65536
+
+# Specifies the maximum number of processes
+LimitNPROC=4096
+
+# Specifies the maximum size of virtual memory
+LimitAS=infinity
+
+# Specifies the maximum file size
+LimitFSIZE=infinity
+
+# Disable timeout logic and wait until process is stopped
+TimeoutStopSec=0
+
+# SIGTERM signal is used to stop the Java process
+KillSignal=SIGTERM
+
+# Send the signal only to the JVM rather than its control group
+KillMode=process
+
+# Java process is never killed
+SendSIGKILL=no
+
+# When a JVM receives a SIGTERM signal it exits with code 143
+SuccessExitStatus=143
+
+[Install]
+WantedBy=multi-user.target
diff --git a/opensearch-20-04/files/etc/update-motd.d/99-one-click b/opensearch-20-04/files/etc/update-motd.d/99-one-click
new file mode 100755
index 0000000..2116a24
--- /dev/null
+++ b/opensearch-20-04/files/etc/update-motd.d/99-one-click
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Configured as part of the DigitalOcean 1-Click Image build process
+
+. /root/.digitalocean_password
+
+myip=$(hostname -I | awk '{print$1}')
+cat <
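Review bot: The comments in opensearch_dashboards.service were carried over from the OpenSearch unit and describe a JVM (`# SIGTERM signal is used to stop the Java process`, `# When a JVM receives a SIGTERM signal it exits with code 143`), while `ExecStart` launches `bin/opensearch-dashboards`, which to my knowledge is a Node.js application. I would reword them to name the Dashboards process and confirm that `SuccessExitStatus=143` and `SendSIGKILL=no` are still the right choices for it, rather than inherited settings. For the same reason the `jvm.options` file that 001_onboot renders into the Dashboards config directory probably has no effect, so the 3% memory figure computed there is not applied anywhere. This note covers the dashboards unit only; the 99-one-click hunk that follows is cut off in this view.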