Production Deployment Guide: OpenSearch Dashboards Service
This guide provides step-by-step instructions to deploy OpenSearch Dashboards as a systemd service on a production server. It covers configuration settings, directory permissions, service file configuration, and troubleshooting common issues like UUID file write errors.
Overview
OpenSearch Dashboards is a powerful visualization tool for OpenSearch data. In a production environment, it is critical to run OpenSearch Dashboards as a managed systemd service with the proper permissions and configuration. This guide details how to configure the service, set up SSL (HTTPS on port 443), and resolve common permission issues that may arise during deployment.
Prerequisites
Before proceeding with the deployment, ensure you have:
- A Linux server with OpenSearch Dashboards installed (using Tarball/RPM/Debian/Helm)
- Root access or sudo privileges
- SSL certificates (PEM format) available at the specified paths
- The opensearch-dashboards user is already created
If the opensearch-dashboards user doesn’t exist, create it with:
sudo useradd -r -s /sbin/nologin opensearch-dashboardsYou’ll also need:
- OpenSearch Dashboards installation directory (default:
/usr/share/opensearch-dashboards) - Configuration directory (default:
/etc/opensearch-dashboards)
Directory and File Permissions
Proper permissions are crucial for security and functionality. Follow these steps to set up the necessary permissions:
Set Ownership for Installation and Configuration Directories
sudo chown -R opensearch-dashboards:opensearch-dashboards /usr/share/opensearch-dashboardssudo chown -R opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboardsCreate and Set Permissions for the Data Directory
The UUID file is written in the data directory. Create it and set proper permissions:
sudo mkdir -p /usr/share/opensearch-dashboards/datasudo chown -R opensearch-dashboards:opensearch-dashboards /usr/share/opensearch-dashboards/datasudo chmod -R 755 /usr/share/opensearch-dashboards/dataConfiguration File
Edit the main configuration file located at /etc/opensearch-dashboards/opensearch_dashboards.yml. Below is an example configuration for a production environment:
server.host: "0.0.0.0"server.port: 443server.ssl.enabled: trueserver.ssl.certificate: "/etc/opensearch-dashboards/certs/dashboard.pem"server.ssl.key: "/etc/opensearch-dashboards/certs/dashboard-key.pem"
opensearch.hosts: [ "https://172.17.14.79:9200", "https://172.17.14.89:9200", "https://172.17.14.39:9200", ]opensearch.ssl.verificationMode: certificateopensearch.username: "admin"opensearch.password: "Anubhav@321"opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
opensearch_security.multitenancy.enabled: falseopensearch_security.readonly_mode.roles: ["kibana_read_only"]
uiSettings.overrides.defaultRoute: "/app/invinsense"Important Notes:
- Ensure the certificate files exist and are accessible by the opensearch-dashboards user
- Replace the OpenSearch hosts with your actual OpenSearch cluster nodes
- Update credentials to match your environment’s security configuration
- Consider storing passwords in a secure vault rather than in plaintext for production
Systemd Service File Configuration
Create (or modify) the systemd service file at /etc/systemd/system/opensearch-dashboards.service with the following content:
[Unit]Description=OpenSearch DashboardsDocumentation=https://opensearch.org/docs/Wants=network-online.targetAfter=network-online.target
[Service]Type=simpleUser=opensearch-dashboardsGroup=opensearch-dashboardsEnvironment=NODE_ENV=productionWorkingDirectory=/usr/share/opensearch-dashboardsExecStart=/usr/share/opensearch-dashboards/bin/opensearch-dashboardsRestart=on-failureStandardOutput=journalStandardError=inheritLimitNOFILE=65535
[Install]WantedBy=multi-user.targetKey Configuration Points:
- User and Group: The service runs as the opensearch-dashboards user
- WorkingDirectory: Must be set to the installation directory
- ExecStart: Path to the OpenSearch Dashboards startup script
- Restart: Set to restart on failure for improved reliability
- LimitNOFILE: Increased file descriptor limit for production workloads
After saving the file, reload systemd:
sudo systemctl daemon-reloadThen enable and start the service:
sudo systemctl enable opensearch-dashboards.servicesudo systemctl start opensearch-dashboards.serviceReloading and Restarting the Service
After updating configurations or permissions, always reload the systemd daemon:
sudo systemctl daemon-reloadThen restart the service:
sudo systemctl restart opensearch-dashboards.serviceVerify service status:
sudo systemctl status opensearch-dashboards.serviceTroubleshooting UUID File Write Errors
A common error when starting OpenSearch Dashboards is: