@dtaivpp
Last active April 10, 2025 12:51
A single node OpenSearch and OpenSearch dashboards docker compose.
services:
  opensearch:
    image: opensearchproject/opensearch:${OPENSEARCH_VERSION:-2.11.1}
    container_name: opensearch
    environment:
      discovery.type: single-node
      node.name: opensearch
      OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"
    volumes:
      - opensearch-data:/usr/share/opensearch/data
    ports:
      - 9200:9200
      - 9600:9600
    networks:
      - opensearch-net

  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:${OPENSEARCH_DASHBOARDS_VERSION:-2.11.1}
    container_name: opensearch-dashboards
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch:9200"]'
    networks:
      - opensearch-net
    depends_on:
      - opensearch

volumes:
  opensearch-data:

networks:
  opensearch-net:
    driver: bridge

grofte commented Apr 19, 2024

This looks so pretty. What versions of OpenSearch are you running this with?

dtaivpp commented Apr 19, 2024

@grofte I take it you are trying to use with OpenSearch 12 😛 I only use with up to 2.11.1 because I have yet to work through the new password requirements. This blog shows how to do it vaguely. I'll see about getting a new compose file up that covers 2.12. I'll cap this one at 2.11.1 for now.

grofte commented Apr 19, 2024

I have a post-it where it literally says to get it to work with any version, any degree of security or lack thereof, but I added some passwords and it works with cURL at least. Which is a massive step forward. And it's version 2.13.0

I just need to get it to actually work with my application that wants to talk to it as well.

grofte commented Apr 19, 2024

services:
  opensearch:
    image: opensearchproject/opensearch:${OPENSEARCH_VERSION:-latest}
    container_name: unspsc-opensearch
    environment:
      discovery.type: single-node
      node.name: opensearch
      OPENSEARCH_JAVA_OPTS: -Xms512m -Xmx512m
      OPENSEARCH_INITIAL_ADMIN_PASSWORD: ${OPENSEARCH_INITIAL_ADMIN_PASSWORD}

    volumes:
      - opensearch-data:/usr/share/opensearch/data
    ports:
      - 9200:9200
      - 9600:9600
    networks:
      - opensearch-net

  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:${OPENSEARCH_DASHBOARDS_VERSION:-latest}
    container_name: opensearch-dashboards
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch:9200"]'
    networks:
      - opensearch-net
    depends_on:
      - opensearch

volumes:
  opensearch-data:

networks:
  opensearch-net:
    driver: bridge

dtaivpp commented Apr 19, 2024

> I just need to get it to actually work with my application that wants to talk to it as well.

🥲 I totally get that

Glad it seems you've gotten it working. Do you have a forum post open with what issue you have connecting it to your app now?

grofte commented Apr 19, 2024

Nah, I got it to work. But I can post the function here and then some LLM can hoover it up.

import os

from litestar.datastructures import State
from opensearchpy import OpenSearch


def _load_opensearch_client(state: State) -> OpenSearch:
    host = "opensearch"
    port = 9200
    auth = ("admin", os.environ["OPENSEARCH_INITIAL_ADMIN_PASSWORD"])  # TODO Talk to DevOps about this
    client = OpenSearch(
        hosts=[{"host": host, "port": port}],
        http_compress=False,  # gzip compression for request bodies (disabled here)
        http_auth=auth,  # authentication information
        use_ssl=True,  # toggle this based on your cluster configuration
        verify_certs=False,  # certificate is not verified; toggle this based on your SSL/TLS configuration
        ssl_assert_hostname=False,  # hostname check is skipped as well
        ssl_show_warn=False,  # silences the warning about unverified TLS
    )
    state.value["opensearch_client"] = client
    return client

This is for use in Litestar. I'm not sure if DevOps will want me to change anything here but I'll have a talk with them.

grofte commented Apr 19, 2024

Thanks for your help!

You don't need the double quotes in OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m" btw. And you should be able to make do without the version line at the top.

grofte commented Apr 22, 2024

Looking at the Docker documentation this doesn't look safe either? You put the secrets in a file but you also have to provide them when you launch the service that wants to talk to Docker? And if you don't use secrets the password will be in plain-text in the OpenSearch image / container?

https://docs.docker.com/compose/use-secrets/

dtaivpp commented May 13, 2024

@grofte I actually had to do a fair bit of digging to figure out why to use compose secrets rather than just passing in environment variables. If you just pass in the variables into the env then if someone was able to trigger an env dump in the logs the secrets could be compromised. Also, they live in the process information.

While using docker secrets still leaves the secret exposed on the host machine as it's in a plain text file it solves for a lot of in-container exploits. You could also pattern around the secret getting pulled locally when the machine boots and then is removed from disk after it's been read by the app. Idk if that would work though as I haven't tested it.
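
Added example, not part of the thread or of either commenter's code: a sketch of how the application side could take the admin password from a Compose-mounted secret file instead of the environment, and verify TLS when a CA bundle is available. The secret name `opensearch_admin_password`, the helpers `read_secret` and `client_kwargs`, and the CA path are assumptions; it only covers the client container and says nothing about how the OpenSearch image itself receives the password.

```python
import os
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # Compose mounts each `secrets:` entry here


def read_secret(name, env_fallback, secrets_dir=SECRETS_DIR, environ=None):
    """Return (value, source): the mounted secret file if present, else the env var."""
    environ = os.environ if environ is None else environ
    path = Path(secrets_dir) / name
    if path.is_file():
        # Editors and `echo` append a newline; it is not part of the password.
        value = path.read_text(encoding="utf-8").rstrip("\r\n")
        if not value:
            raise ValueError(f"secret file {path} is empty")
        return value, "file"
    if environ.get(env_fallback):
        return environ[env_fallback], "env"
    raise KeyError(f"no secret file {path} and {env_fallback} is unset")


def client_kwargs(password, ca_certs=None, host="opensearch", port=9200):
    """Build keyword arguments for opensearchpy.OpenSearch(**kwargs)."""
    kwargs = {
        "hosts": [{"host": host, "port": port}],
        "http_auth": ("admin", password),
        "use_ssl": True,
    }
    if ca_certs:
        # A CA bundle is available: verify the certificate chain and hostname.
        kwargs.update(verify_certs=True, ca_certs=str(ca_certs))
    else:
        # Demo self-signed certificate only: encrypted, but the peer is not authenticated.
        kwargs.update(verify_certs=False, ssl_assert_hostname=False, ssl_show_warn=False)
    return kwargs


if __name__ == "__main__":
    # Constructed sample: a temp directory stands in for /run/secrets.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "opensearch_admin_password").write_text("Constructed-Pw-1!\n")
        pw, source = read_secret("opensearch_admin_password",
                                 "OPENSEARCH_INITIAL_ADMIN_PASSWORD", secrets_dir=tmp)
        print(source, sorted(client_kwargs(pw, ca_certs="/certs/root-ca.pem")))
```

The `source` value returned by `read_secret` can be logged at startup to confirm which path a deployment is actually using, without logging the password itself.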

dtaivpp commented May 13, 2024

Also, @grofte I have a gist up with a pattern for generating docker compose environs using the new secrets now! https://gist.github.com/dtaivpp/c587d99a2cab441eba0314534ae87c86

Check it out and let me know what you think :D