A single node OpenSearch and OpenSearch dashboards docker compose.

old-opensearch-docker-compose.yml

services:
  opensearch:
    image: opensearchproject/opensearch:${OPENSEARCH_VERSION:-2.11.1}
    container_name: opensearch
    environment:
      discovery.type: single-node
      node.name: opensearch
      OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"
    volumes:
      - opensearch-data:/usr/share/opensearch/data
    ports:
      - 9200:9200
      - 9600:9600
    networks:
      - opensearch-net

  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:${OPENSEARCH_DASHBOARDS_VERSION:-2.11.1}
    container_name: opensearch-dashboards
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch:9200"]'
    networks:
      - opensearch-net
    depends_on:
      - opensearch

volumes:
  opensearch-data:

networks:
  opensearch-net:
    driver: bridge

@grofte I actually had to to a fair bit of digging to figure out why to use compose secrets rather than just passing in environment variables. If you just pass in the variables into the env then if someone was able to trigger an env dump in the logs the secrets could be compromised. Also, they live in the process information.

While using docker secrets still leaves the secret exposed on the host machine as it's in a plain text file it solves for a lot of in-container exploits. You could also pattern around the secret getting pulled locally when the machine boots and then is removed from disk after it's been read by the app. Idk if that would work though as I haven't tested it.

Also, @grofte I have a gist up with a pattern for generating docker compose environs using the new secrets now! https://gist.github.com/dtaivpp/c587d99a2cab441eba0314534ae87c86

Check it out and let me know what you think :D