Building and Customizing OpenSearch with Docker: Complete Guide

Table of Contents#

Introduction#

This guide covers building custom OpenSearch Docker images, creating development environments, and deploying production-ready OpenSearch clusters using Docker and Docker Compose. Whether you need a simple development setup or a complex production deployment, this guide has you covered.

Building Custom OpenSearch Docker Images#

Basic Dockerfile#

1
# Dockerfile for custom OpenSearch image
2
FROM opensearchproject/opensearch:2.11.0
3

4
# Switch to root to install packages
5
USER root
6

7
# Install additional tools
8
RUN yum install -y \
9
    jq \
10
    curl \
11
    wget \
12
    net-tools \
13
    && yum clean all
14

15
# Install custom plugins
16
RUN /usr/share/opensearch/bin/opensearch-plugin install \
17
    --batch \
18
    repository-s3
19

20
RUN /usr/share/opensearch/bin/opensearch-plugin install \
21
    --batch \
22
    repository-gcs
23

24
# Copy custom configuration
25
COPY --chown=opensearch:opensearch config/opensearch.yml /usr/share/opensearch/config/
26
COPY --chown=opensearch:opensearch config/log4j2.properties /usr/share/opensearch/config/
27

28
# Copy custom scripts
29
COPY --chown=opensearch:opensearch scripts/docker-entrypoint.sh /usr/local/bin/
30
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
31

32
# Copy certificates
33
COPY --chown=opensearch:opensearch certs/ /usr/share/opensearch/config/certs/
34

35
# Set environment variables
36
ENV OPENSEARCH_JAVA_OPTS="-Xms1g -Xmx1g"
37
ENV discovery.type=single-node
38
ENV DISABLE_SECURITY_PLUGIN=false
39

40
# Switch back to opensearch user
41
USER opensearch
42

43
# Expose ports
44
EXPOSE 9200 9300 9600
45

46
# Set the entrypoint
47
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

Advanced Multi-Stage Build#

1
# Multi-stage Dockerfile for optimized OpenSearch image
2
# Stage 1: Plugin builder
3
FROM opensearchproject/opensearch:2.11.0 AS plugin-builder
4

5
USER root
6

7
# Install build dependencies
8
RUN yum install -y \
9
    git \
10
    maven \
11
    java-11-openjdk-devel \
12
    && yum clean all
13

14
# Clone and build custom plugin
15
RUN git clone https://github.com/example/custom-plugin.git /tmp/custom-plugin
16
WORKDIR /tmp/custom-plugin
17
RUN mvn clean package
18

19
# Stage 2: Certificate generator
20
FROM alpine:latest AS cert-generator
21

22
RUN apk add --no-cache openssl
23

24
WORKDIR /certs
25

26
# Generate self-signed certificates
27
RUN openssl genrsa -out root-ca-key.pem 2048 && \
28
    openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730 \
29
    -subj "/C=US/ST=State/L=City/O=Org/OU=Unit/CN=root.example.com" && \
30
    openssl genrsa -out node-key-temp.pem 2048 && \
31
    openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem && \
32
    openssl req -new -key node-key.pem -out node.csr \
33
    -subj "/C=US/ST=State/L=City/O=Org/OU=Unit/CN=node.example.com" && \
34
    openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem -days 730 && \
35
    rm node-key-temp.pem node.csr
36

37
# Stage 3: Final image
38
FROM opensearchproject/opensearch:2.11.0
39

40
USER root
41

42
# Install runtime dependencies only
43
RUN yum install -y \
44
    jq \
45
    curl \
46
    && yum clean all && \
47
    rm -rf /var/cache/yum
48

49
# Copy custom plugin from builder
50
COPY --from=plugin-builder /tmp/custom-plugin/target/custom-plugin-*.zip /tmp/
51
RUN /usr/share/opensearch/bin/opensearch-plugin install --batch file:///tmp/custom-plugin-*.zip && \
52
    rm /tmp/custom-plugin-*.zip
53

54
# Copy certificates from generator
55
COPY --from=cert-generator --chown=opensearch:opensearch /certs /usr/share/opensearch/config/certs
56

57
# Copy custom configuration
58
COPY --chown=opensearch:opensearch config/ /usr/share/opensearch/config/
59

60
# Create necessary directories
61
RUN mkdir -p /usr/share/opensearch/data && \
62
    chown -R opensearch:opensearch /usr/share/opensearch/data
63

64
# Switch to opensearch user
65
USER opensearch
66

67
# Health check
68
HEALTHCHECK --interval=5s --timeout=2s --retries=12 \
69
    CMD curl -k -u admin:admin https://localhost:9200/_cluster/health || exit 1
70

71
EXPOSE 9200 9300
72

73
ENTRYPOINT ["/usr/share/opensearch/opensearch-docker-entrypoint.sh"]
74
CMD ["opensearch"]

Custom Entry Point Script#

1
#!/bin/bash
2
# docker-entrypoint.sh - Custom entrypoint for OpenSearch
3

4
set -e
5

6
# Function to wait for OpenSearch to start
7
wait_for_opensearch() {
8
    echo "Waiting for OpenSearch to start..."
9
    until curl -s -k -u admin:admin https://localhost:9200/_cluster/health >/dev/null 2>&1; do
10
        sleep 1
11
    done
12
    echo "OpenSearch is ready!"
13
}
14

15
# Set custom JVM options based on container memory
16
if [ -z "$OPENSEARCH_JAVA_OPTS" ]; then
17
    # Get container memory limit
18
    CONTAINER_MEMORY=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes 2>/dev/null || echo "2147483648")
19
    if [ "$CONTAINER_MEMORY" -gt "0" ] && [ "$CONTAINER_MEMORY" -lt "9223372036854775807" ]; then
20
        # Set heap to 50% of container memory
21
        HEAP_SIZE=$((CONTAINER_MEMORY / 2 / 1024 / 1024))m
22
        export OPENSEARCH_JAVA_OPTS="-Xms${HEAP_SIZE} -Xmx${HEAP_SIZE}"
23
        echo "Setting OPENSEARCH_JAVA_OPTS=$OPENSEARCH_JAVA_OPTS"
24
    fi
25
fi
26

27
# Configure security if enabled
28
if [ "$DISABLE_SECURITY_PLUGIN" != "true" ]; then
29
    # Initialize security index if this is the first node
30
    if [ "$NODE_NAME" = "opensearch-node1" ] || [ "$discovery.type" = "single-node" ]; then
31
        # Start OpenSearch in background
32
        /usr/share/opensearch/opensearch-docker-entrypoint.sh opensearch &
33
        OPENSEARCH_PID=$!
34

35
        # Wait for OpenSearch to be ready
36
        wait_for_opensearch
37

38
        # Initialize security index
39
        /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
40
            -cd /usr/share/opensearch/config/opensearch-security/ \
41
            -icl -nhnv \
42
            -cacert /usr/share/opensearch/config/certs/root-ca.pem \
43
            -cert /usr/share/opensearch/config/certs/admin.pem \
44
            -key /usr/share/opensearch/config/certs/admin-key.pem
45

46
        # Bring OpenSearch back to foreground
47
        wait $OPENSEARCH_PID
48
    else
49
        # Start normally for other nodes
50
        exec /usr/share/opensearch/opensearch-docker-entrypoint.sh opensearch
51
    fi
52
else
53
    # Start without security
54
    exec /usr/share/opensearch/opensearch-docker-entrypoint.sh opensearch
55
fi

Docker Compose Configurations#

Development Environment#

1
# docker-compose.dev.yml - Development environment
2
version: "3.8"
3

4
services:
5
  opensearch:
6
    image: opensearchproject/opensearch:2.11.0
7
    container_name: opensearch-dev
8
    environment:
9
      - discovery.type=single-node
10
      - bootstrap.memory_lock=true
11
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
12
      - "DISABLE_SECURITY_PLUGIN=true"
13
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
14
    ulimits:
15
      memlock:
16
        soft: -1
17
        hard: -1
18
      nofile:
19
        soft: 65536
20
        hard: 65536
21
    volumes:
22
      - opensearch-data:/usr/share/opensearch/data
23
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml:ro
24
    ports:
25
      - 9200:9200
26
      - 9600:9600
27
    networks:
28
      - opensearch-net
29

30
  opensearch-dashboards:
31
    image: opensearchproject/opensearch-dashboards:2.11.0
32
    container_name: opensearch-dashboards-dev
33
    environment:
34
      - 'OPENSEARCH_HOSTS=["http://opensearch:9200"]'
35
      - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=true"
36
    ports:
37
      - 5601:5601
38
    networks:
39
      - opensearch-net
40
    depends_on:
41
      - opensearch
42

43
volumes:
44
  opensearch-data:
45

46
networks:
47
  opensearch-net:

Production Cluster#

1
# docker-compose.prod.yml - Production cluster with 3 nodes
2
version: "3.8"
3

4
services:
5
  opensearch-node1:
6
    build:
7
      context: .
8
      dockerfile: Dockerfile
9
    container_name: opensearch-node1
10
    environment:
11
      - cluster.name=opensearch-cluster
12
      - node.name=opensearch-node1
13
      - discovery.seed_hosts=opensearch-node1,opensearch-node2,opensearch-node3
14
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2,opensearch-node3
15
      - bootstrap.memory_lock=true
16
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
17
      - network.host=0.0.0.0
18
    ulimits:
19
      memlock:
20
        soft: -1
21
        hard: -1
22
      nofile:
23
        soft: 65536
24
        hard: 65536
25
    volumes:
26
      - opensearch-data1:/usr/share/opensearch/data
27
      - ./certs:/usr/share/opensearch/config/certs:ro
28
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml:ro
29
    ports:
30
      - 9200:9200
31
      - 9300:9300
32
    networks:
33
      - opensearch-net
34
    restart: unless-stopped
35
    healthcheck:
36
      test:
37
        [
38
          "CMD-SHELL",
39
          "curl -k -u admin:admin https://localhost:9200/_cluster/health || exit 1",
40
        ]
41
      interval: 30s
42
      timeout: 10s
43
      retries: 5
44

45
  opensearch-node2:
46
    build:
47
      context: .
48
      dockerfile: Dockerfile
49
    container_name: opensearch-node2
50
    environment:
51
      - cluster.name=opensearch-cluster
52
      - node.name=opensearch-node2
53
      - discovery.seed_hosts=opensearch-node1,opensearch-node2,opensearch-node3
54
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2,opensearch-node3
55
      - bootstrap.memory_lock=true
56
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
57
      - network.host=0.0.0.0
58
    ulimits:
59
      memlock:
60
        soft: -1
61
        hard: -1
62
      nofile:
63
        soft: 65536
64
        hard: 65536
65
    volumes:
66
      - opensearch-data2:/usr/share/opensearch/data
67
      - ./certs:/usr/share/opensearch/config/certs:ro
68
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml:ro
69
    networks:
70
      - opensearch-net
71
    restart: unless-stopped
72
    healthcheck:
73
      test:
74
        [
75
          "CMD-SHELL",
76
          "curl -k -u admin:admin https://localhost:9200/_cluster/health || exit 1",
77
        ]
78
      interval: 30s
79
      timeout: 10s
80
      retries: 5
81

82
  opensearch-node3:
83
    build:
84
      context: .
85
      dockerfile: Dockerfile
86
    container_name: opensearch-node3
87
    environment:
88
      - cluster.name=opensearch-cluster
89
      - node.name=opensearch-node3
90
      - discovery.seed_hosts=opensearch-node1,opensearch-node2,opensearch-node3
91
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2,opensearch-node3
92
      - bootstrap.memory_lock=true
93
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
94
      - network.host=0.0.0.0
95
    ulimits:
96
      memlock:
97
        soft: -1
98
        hard: -1
99
      nofile:
100
        soft: 65536
101
        hard: 65536
102
    volumes:
103
      - opensearch-data3:/usr/share/opensearch/data
104
      - ./certs:/usr/share/opensearch/config/certs:ro
105
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml:ro
106
    networks:
107
      - opensearch-net
108
    restart: unless-stopped
109
    healthcheck:
110
      test:
111
        [
112
          "CMD-SHELL",
113
          "curl -k -u admin:admin https://localhost:9200/_cluster/health || exit 1",
114
        ]
115
      interval: 30s
116
      timeout: 10s
117
      retries: 5
118

119
  opensearch-dashboards:
120
    image: opensearchproject/opensearch-dashboards:2.11.0
121
    container_name: opensearch-dashboards
122
    environment:
123
      - 'OPENSEARCH_HOSTS=["https://opensearch-node1:9200","https://opensearch-node2:9200","https://opensearch-node3:9200"]'
124
      - "SERVER_SSL_ENABLED=true"
125
      - "SERVER_SSL_CERTIFICATE=/usr/share/opensearch-dashboards/config/certs/dashboard.pem"
126
      - "SERVER_SSL_KEY=/usr/share/opensearch-dashboards/config/certs/dashboard-key.pem"
127
      - "OPENSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/opensearch-dashboards/config/certs/root-ca.pem"
128
      - "OPENSEARCH_USERNAME=admin"
129
      - "OPENSEARCH_PASSWORD=admin"
130
    volumes:
131
      - ./certs:/usr/share/opensearch-dashboards/config/certs:ro
132
      - ./config/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml:ro
133
    ports:
134
      - 5601:5601
135
    networks:
136
      - opensearch-net
137
    depends_on:
138
      - opensearch-node1
139
      - opensearch-node2
140
      - opensearch-node3
141
    restart: unless-stopped
142

143
  nginx:
144
    image: nginx:alpine
145
    container_name: opensearch-nginx
146
    volumes:
147
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
148
      - ./certs:/etc/nginx/certs:ro
149
    ports:
150
      - 443:443
151
    networks:
152
      - opensearch-net
153
    depends_on:
154
      - opensearch-node1
155
      - opensearch-node2
156
      - opensearch-node3
157
    restart: unless-stopped
158

159
volumes:
160
  opensearch-data1:
161
  opensearch-data2:
162
  opensearch-data3:
163

164
networks:
165
  opensearch-net:
166
    driver: bridge

Load Balancer Configuration#

1
# nginx/nginx.conf - Load balancer for OpenSearch cluster
2
events {
3
    worker_connections 1024;
4
}
5

6
http {
7
    upstream opensearch {
8
        least_conn;
9
        server opensearch-node1:9200 max_fails=3 fail_timeout=30s;
10
        server opensearch-node2:9200 max_fails=3 fail_timeout=30s;
11
        server opensearch-node3:9200 max_fails=3 fail_timeout=30s;
12
    }
13

14
    server {
15
        listen 443 ssl;
16
        server_name opensearch.example.com;
17

18
        ssl_certificate /etc/nginx/certs/nginx.pem;
19
        ssl_certificate_key /etc/nginx/certs/nginx-key.pem;
20
        ssl_protocols TLSv1.2 TLSv1.3;
21
        ssl_ciphers HIGH:!aNULL:!MD5;
22

23
        location / {
24
            proxy_pass https://opensearch;
25
            proxy_http_version 1.1;
26
            proxy_set_header Connection "Keep-Alive";
27
            proxy_set_header Proxy-Connection "Keep-Alive";
28
            proxy_set_header Host $host;
29
            proxy_set_header X-Real-IP $remote_addr;
30
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
31
            proxy_set_header X-Forwarded-Proto $scheme;
32

33
            # Timeouts
34
            proxy_connect_timeout 5s;
35
            proxy_read_timeout 120s;
36
            proxy_send_timeout 120s;
37

38
            # Buffer settings
39
            proxy_buffering off;
40
            proxy_request_buffering off;
41
        }
42

43
        location /_cluster/health {
44
            proxy_pass https://opensearch/_cluster/health;
45
            access_log off;
46
        }
47
    }
48
}

Security Configuration#

Certificate Generation Script#

1
#!/bin/bash
2
# generate-certs.sh - Generate certificates for OpenSearch cluster
3

4
CERT_DIR="./certs"
5
mkdir -p $CERT_DIR
6

7
# Generate Root CA
8
openssl genrsa -out $CERT_DIR/root-ca-key.pem 2048
9
openssl req -new -x509 -sha256 -key $CERT_DIR/root-ca-key.pem -out $CERT_DIR/root-ca.pem -days 730 \
10
    -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=opensearch-ca"
11

12
# Generate Admin certificate
13
openssl genrsa -out $CERT_DIR/admin-key-temp.pem 2048
14
openssl pkcs8 -inform PEM -outform PEM -in $CERT_DIR/admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out $CERT_DIR/admin-key.pem
15
openssl req -new -key $CERT_DIR/admin-key.pem -out $CERT_DIR/admin.csr \
16
    -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=admin"
17
openssl x509 -req -in $CERT_DIR/admin.csr -CA $CERT_DIR/root-ca.pem -CAkey $CERT_DIR/root-ca-key.pem -CAcreateserial -sha256 -out $CERT_DIR/admin.pem -days 730
18
rm $CERT_DIR/admin-key-temp.pem $CERT_DIR/admin.csr
19

20
# Generate node certificates
21
for i in 1 2 3; do
22
    openssl genrsa -out $CERT_DIR/node${i}-key-temp.pem 2048
23
    openssl pkcs8 -inform PEM -outform PEM -in $CERT_DIR/node${i}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out $CERT_DIR/node${i}-key.pem
24
    openssl req -new -key $CERT_DIR/node${i}-key.pem -out $CERT_DIR/node${i}.csr \
25
        -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=opensearch-node${i}"
26

27
    # Create SAN extension file
28
    cat > $CERT_DIR/node${i}.ext <<EOF
29
subjectAltName = DNS:opensearch-node${i},DNS:localhost,IP:127.0.0.1
30
EOF
31

32
    openssl x509 -req -in $CERT_DIR/node${i}.csr -CA $CERT_DIR/root-ca.pem -CAkey $CERT_DIR/root-ca-key.pem \
33
        -CAcreateserial -sha256 -out $CERT_DIR/node${i}.pem -days 730 -extfile $CERT_DIR/node${i}.ext
34

35
    rm $CERT_DIR/node${i}-key-temp.pem $CERT_DIR/node${i}.csr $CERT_DIR/node${i}.ext
36
done
37

38
# Generate Dashboard certificate
39
openssl genrsa -out $CERT_DIR/dashboard-key-temp.pem 2048
40
openssl pkcs8 -inform PEM -outform PEM -in $CERT_DIR/dashboard-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out $CERT_DIR/dashboard-key.pem
41
openssl req -new -key $CERT_DIR/dashboard-key.pem -out $CERT_DIR/dashboard.csr \
42
    -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=opensearch-dashboards"
43
openssl x509 -req -in $CERT_DIR/dashboard.csr -CA $CERT_DIR/root-ca.pem -CAkey $CERT_DIR/root-ca-key.pem -CAcreateserial -sha256 -out $CERT_DIR/dashboard.pem -days 730
44
rm $CERT_DIR/dashboard-key-temp.pem $CERT_DIR/dashboard.csr
45

46
# Set permissions
47
chmod 600 $CERT_DIR/*-key.pem
48
chmod 644 $CERT_DIR/*.pem
49

50
echo "Certificates generated successfully in $CERT_DIR"

Security Configuration Files#

1
_meta:
2
  type: "internalusers"
3
  config_version: 2
4

5
admin:
6
  hash: "$2y$12$88IFVl6IfIwCFh5aQYfOmuXVL9j2hz/GusQb35o.4sdTDAEMTOD.K"
7
  reserved: true
8
  backend_roles:
9
    - "admin"
10
  description: "Admin user"
11

12
kibanaserver:
13
  hash: "$2y$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
14
  reserved: true
15
  description: "Kibana server user"
16

17
readall:
18
  hash: "$2y$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
19
  reserved: false
20
  backend_roles:
21
    - "readall"
22
  attributes:
23
    attribute1: "value1"
24
    attribute2: "value2"
25
  description: "Read-only user"

Monitoring and Management#

Health Check Script#

1
#!/bin/bash
2
# health-check.sh - Monitor OpenSearch cluster health
3

4
OPENSEARCH_URL="https://localhost:9200"
5
USERNAME="admin"
6
PASSWORD="admin"
7

8
# Colors for output
9
RED='\033[0;31m'
10
GREEN='\033[0;32m'
11
YELLOW='\033[1;33m'
12
NC='\033[0m' # No Color
13

14
# Check cluster health
15
echo "Checking cluster health..."
16
HEALTH=$(curl -s -k -u $USERNAME:$PASSWORD "$OPENSEARCH_URL/_cluster/health" | jq -r '.status')
17

18
case $HEALTH in
19
    "green")
20
        echo -e "${GREEN}Cluster health: GREEN${NC}"
21
        ;;
22
    "yellow")
23
        echo -e "${YELLOW}Cluster health: YELLOW${NC}"
24
        ;;
25
    "red")
26
        echo -e "${RED}Cluster health: RED${NC}"
27
        ;;
28
    *)
29
        echo -e "${RED}Unable to determine cluster health${NC}"
30
        exit 1
31
        ;;
32
esac
33

34
# Check node status
35
echo -e "\nNode Status:"
36
curl -s -k -u $USERNAME:$PASSWORD "$OPENSEARCH_URL/_cat/nodes?v"
37

38
# Check indices
39
echo -e "\nIndices:"
40
curl -s -k -u $USERNAME:$PASSWORD "$OPENSEARCH_URL/_cat/indices?v&s=index"
41

42
# Check disk usage
43
echo -e "\nDisk Usage:"
44
curl -s -k -u $USERNAME:$PASSWORD "$OPENSEARCH_URL/_cat/allocation?v"
45

46
# Check pending tasks
47
echo -e "\nPending Tasks:"
48
PENDING=$(curl -s -k -u $USERNAME:$PASSWORD "$OPENSEARCH_URL/_cluster/pending_tasks" | jq '.tasks | length')
49
if [ "$PENDING" -gt 0 ]; then
50
    echo -e "${YELLOW}Warning: $PENDING pending tasks${NC}"
51
else
52
    echo -e "${GREEN}No pending tasks${NC}"
53
fi

Performance Monitoring#

1
# docker-compose.monitoring.yml - Add monitoring stack
2
version: "3.8"
3

4
services:
5
  prometheus:
6
    image: prom/prometheus:latest
7
    container_name: prometheus
8
    volumes:
9
      - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
10
      - prometheus-data:/prometheus
11
    command:
12
      - "--config.file=/etc/prometheus/prometheus.yml"
13
      - "--storage.tsdb.path=/prometheus"
14
      - "--web.console.libraries=/usr/share/prometheus/console_libraries"
15
      - "--web.console.templates=/usr/share/prometheus/consoles"
16
    ports:
17
      - 9090:9090
18
    networks:
19
      - opensearch-net
20

21
  grafana:
22
    image: grafana/grafana:latest
23
    container_name: grafana
24
    environment:
25
      - GF_SECURITY_ADMIN_PASSWORD=admin
26
      - GF_USERS_ALLOW_SIGN_UP=false
27
    volumes:
28
      - grafana-data:/var/lib/grafana
29
      - ./grafana/provisioning:/etc/grafana/provisioning:ro
30
    ports:
31
      - 3000:3000
32
    networks:
33
      - opensearch-net
34
    depends_on:
35
      - prometheus
36

37
  opensearch-exporter:
38
    image: justwatch/elasticsearch_exporter:latest
39
    container_name: opensearch-exporter
40
    command:
41
      - "--es.uri=https://admin:admin@opensearch-node1:9200"
42
      - "--es.ssl-skip-verify"
43
      - "--es.all"
44
    ports:
45
      - 9114:9114
46
    networks:
47
      - opensearch-net
48
    depends_on:
49
      - opensearch-node1
50

51
volumes:
52
  prometheus-data:
53
  grafana-data:

Backup and Restore#

Automated Backup Script#

1
#!/bin/bash
2
# backup-opensearch.sh - Automated backup for OpenSearch
3

4
BACKUP_DIR="/backup/opensearch"
5
REPOSITORY_NAME="backup-repo"
6
OPENSEARCH_URL="https://localhost:9200"
7
USERNAME="admin"
8
PASSWORD="admin"
9
RETENTION_DAYS=7
10

11
# Create backup directory
12
mkdir -p $BACKUP_DIR
13

14
# Register repository if it doesn't exist
15
echo "Registering backup repository..."
16
curl -s -k -u $USERNAME:$PASSWORD -X PUT "$OPENSEARCH_URL/_snapshot/$REPOSITORY_NAME" \
17
    -H 'Content-Type: application/json' \
18
    -d "{
19
        \"type\": \"fs\",
20
        \"settings\": {
21
            \"location\": \"$BACKUP_DIR\",
22
            \"compress\": true
23
        }
24
    }"
25

26
# Create snapshot
27
SNAPSHOT_NAME="snapshot-$(date +%Y%m%d-%H%M%S)"
28
echo "Creating snapshot: $SNAPSHOT_NAME"
29
curl -s -k -u $USERNAME:$PASSWORD -X PUT "$OPENSEARCH_URL/_snapshot/$REPOSITORY_NAME/$SNAPSHOT_NAME?wait_for_completion=true" \
30
    -H 'Content-Type: application/json' \
31
    -d '{
32
        "indices": "*",
33
        "ignore_unavailable": true,
34
        "include_global_state": true
35
    }'
36

37
# Clean up old snapshots
38
echo "Cleaning up old snapshots..."
39
OLD_SNAPSHOTS=$(curl -s -k -u $USERNAME:$PASSWORD "$OPENSEARCH_URL/_snapshot/$REPOSITORY_NAME/_all" | \
40
    jq -r ".snapshots[] | select(.start_time_in_millis < $(date -d "$RETENTION_DAYS days ago" +%s)000) | .snapshot")
41

42
for snapshot in $OLD_SNAPSHOTS; do
43
    echo "Deleting old snapshot: $snapshot"
44
    curl -s -k -u $USERNAME:$PASSWORD -X DELETE "$OPENSEARCH_URL/_snapshot/$REPOSITORY_NAME/$snapshot"
45
done
46

47
echo "Backup completed successfully"

Docker Volume Backup#

1
#!/bin/bash
2
# backup-volumes.sh - Backup Docker volumes
3

4
BACKUP_DIR="/backup/docker-volumes"
5
DATE=$(date +%Y%m%d-%H%M%S)
6

7
# Create backup directory
8
mkdir -p $BACKUP_DIR
9

10
# Backup each OpenSearch volume
11
for i in 1 2 3; do
12
    VOLUME_NAME="opensearch-data${i}"
13
    echo "Backing up volume: $VOLUME_NAME"
14

15
    docker run --rm \
16
        -v ${VOLUME_NAME}:/data \
17
        -v ${BACKUP_DIR}:/backup \
18
        alpine \
19
        tar czf /backup/${VOLUME_NAME}-${DATE}.tar.gz -C /data .
20
done
21

22
# Clean up old backups (keep last 7 days)
23
find $BACKUP_DIR -name "*.tar.gz" -mtime +7 -delete
24

25
echo "Volume backup completed"

Troubleshooting#

Common Issues and Solutions#

1
#!/bin/bash
2
# troubleshoot.sh - Common troubleshooting commands
3

4
echo "=== OpenSearch Troubleshooting ==="
5

6
# Check container status
7
echo "\n1. Container Status:"
8
docker-compose ps
9

10
# Check container logs
11
echo "\n2. Recent logs:"
12
for node in opensearch-node1 opensearch-node2 opensearch-node3; do
13
    echo "\n--- $node ---"
14
    docker logs --tail 20 $node 2>&1 | grep -E "ERROR|WARN|Exception"
15
done
16

17
# Check resource usage
18
echo "\n3. Resource Usage:"
19
docker stats --no-stream
20

21
# Check cluster allocation
22
echo "\n4. Cluster Allocation:"
23
curl -s -k -u admin:admin "https://localhost:9200/_cluster/allocation/explain?pretty"
24

25
# Check unassigned shards
26
echo "\n5. Unassigned Shards:"
27
curl -s -k -u admin:admin "https://localhost:9200/_cat/shards?h=index,shard,prirep,state,unassigned.reason&s=state"
28

29
# Check cluster settings
30
echo "\n6. Cluster Settings:"
31
curl -s -k -u admin:admin "https://localhost:9200/_cluster/settings?pretty"

Debug Mode Docker Compose#

1
# docker-compose.debug.yml - Debug configuration
2
version: "3.8"
3

4
services:
5
  opensearch-debug:
6
    image: opensearchproject/opensearch:2.11.0
7
    container_name: opensearch-debug
8
    environment:
9
      - discovery.type=single-node
10
      - bootstrap.memory_lock=true
11
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"
12
      - "DISABLE_SECURITY_PLUGIN=true"
13
      - "logger.level=DEBUG"
14
    ulimits:
15
      memlock:
16
        soft: -1
17
        hard: -1
18
    volumes:
19
      - ./logs:/usr/share/opensearch/logs
20
    ports:
21
      - 9200:9200
22
      - 5005:5005 # Debug port
23
    stdin_open: true
24
    tty: true
25
    command: ["/bin/bash"]

Performance Optimization#

JVM Tuning#

1
# Dockerfile with JVM optimization
2
FROM opensearchproject/opensearch:2.11.0
3

4
# Copy custom JVM options
5
COPY --chown=opensearch:opensearch jvm.options /usr/share/opensearch/config/jvm.options.d/custom.options
6

7
# jvm.options content:
8
# -Xms4g
9
# -Xmx4g
10
# -XX:+UseG1GC
11
# -XX:G1ReservePercent=25
12
# -XX:InitiatingHeapOccupancyPercent=30
13
# -XX:+HeapDumpOnOutOfMemoryError
14
# -XX:HeapDumpPath=/usr/share/opensearch/logs
15
# -XX:ErrorFile=/usr/share/opensearch/logs/hs_err_pid%p.log
16
# -XX:+ExitOnOutOfMemoryError

Resource Limits#

1
# docker-compose with resource limits
2
services:
3
  opensearch:
4
    image: opensearchproject/opensearch:2.11.0
5
    deploy:
6
      resources:
7
        limits:
8
          cpus: "2.0"
9
          memory: 4G
10
        reservations:
11
          cpus: "1.0"
12
          memory: 2G
13
    environment:
14
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"

Best Practices#

Security
- Always use TLS/SSL in production
- Change default passwords immediately
- Use strong certificates
- Enable audit logging
Performance
- Set heap size to 50% of available RAM (max 32GB)
- Use SSDs for data volumes
- Monitor and tune thread pools
- Implement proper index lifecycle management
High Availability
- Use at least 3 master-eligible nodes
- Distribute nodes across availability zones
- Implement proper backup strategies
- Monitor cluster health continuously
Container Best Practices
- Use specific version tags, not ‘latest’
- Implement health checks
- Use init containers for setup tasks
- Properly handle signals for graceful shutdown

Conclusion#

Docker provides an excellent platform for running OpenSearch, from development environments to production clusters. Key considerations:

Use multi-stage builds for optimized images
Implement proper security from the start
Monitor and tune performance based on workload
Automate backup and maintenance tasks
Use orchestration tools for production deployments

This guide provides a solid foundation for building and deploying OpenSearch with Docker, but remember to adapt configurations to your specific requirements and constraints.