Opendistro Support for Openshift

I was wondering if there is any support for Openshift Container Platform? I tried the docker image but gave me a permission error at the point where it tries chmod to securityadmin.sh.

I appreciate your help

i haven’t tried it with opendistro yet, but for the future fork there’s already a discussion ongoing here about having support for an operator: Kubernetes operator support for the fork
this also contains some links to existing operators, some of which might work already now with opendistro.

we have also once played around a bit with ECK (you’ll have to make sure that the license is ok for your use-case!) where you can also create custom images and use these. however, the operator also wants to configure security things which obviously won’t work if you’re using the security module from opendistro instead of x-pack. and, once the fork has started, this operator will be fully incompatible (initially probably mainly due to the security module, later i could imagine that other things will also change), so investing in this right now doesn’t sound like a good idea.

for now, i have created a custom docker image which downloads the OSS version of ES plus some plugins and installs them. it also sets the permissions so that it’ll work for openshift (since it’s a PoC i’m probably giving too much permissions, i’ll have to re-iterate on this later) and i have set up a simple StatefulSet with a PersistentVolumeClaim (plus, of course, some NetworkPolicys, Services, etc.) to have it up & running. of course this can never compare to a real operator with all its features, thus i’m eagerly waiting for the operator of the fork :slight_smile:

In fact I used Komposer to convert the docker-composer.yml to Openshift YAML resource files. However after trying to run the cluster I got a permission error. In one of the steps it performs chmod that requires elevated privileges! Perhaps a minor modification is required to make it work. Hopefully no other road blockers will show up.

i don’t know the Dockerfile you’re using, but probably something like this helps:

USER root

RUN chown -R whatever:whatever elasticsearch && \
    chmod -R a+rw elasticsearch

USER whatever

obviously replace whatever with your user / group and elasticsearch with the folder which contains your elasticsearch (which you might call elasticsearch :slight_smile:).
also note that this might give too much in terms of permissions, this was just the quick-win lazy approach for a PoC.
and remember that openshift is using a random UID to run things, so that USER whatever statement doesn’t mean that your process will actually run with that user on openshift.

I was using the file provided in opendistro download page. Which is also below.

version: ‘3’
services:
odfe-node1:
image: amazon/opendistro-for-elasticsearch:1.13.1
container_name: odfe-node1
environment:
- cluster.name=odfe-cluster
- node.name=odfe-node1
- discovery.seed_hosts=odfe-node1,odfe-node2
- cluster.initial_master_nodes=odfe-node1,odfe-node2
- bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
- “ES_JAVA_OPTS=-Xms512m -Xmx512m” # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
hard: 65536
volumes:
- odfe-data1:/usr/share/elasticsearch/data
ports:
- 9200:9200
- 9600:9600 # required for Performance Analyzer
networks:
- odfe-net
odfe-node2:
image: amazon/opendistro-for-elasticsearch:1.13.1
container_name: odfe-node2
environment:
- cluster.name=odfe-cluster
- node.name=odfe-node2
- discovery.seed_hosts=odfe-node1,odfe-node2
- cluster.initial_master_nodes=odfe-node1,odfe-node2
- bootstrap.memory_lock=true
- “ES_JAVA_OPTS=-Xms512m -Xmx512m”
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- odfe-data2:/usr/share/elasticsearch/data
networks:
- odfe-net
kibana:
image: amazon/opendistro-for-elasticsearch-kibana:1.13.1
container_name: odfe-kibana
ports:
- 5601:5601
expose:
- “5601”
environment:
ELASTICSEARCH_URL: https://odfe-node1:9200
ELASTICSEARCH_HOSTS: https://odfe-node1:9200
networks:
- odfe-net

volumes:
odfe-data1:
odfe-data2:

networks:
odfe-net:

I tried installing it on Openshift using

There might be certain tweaks required based on how Openshift is set-up but I was able to get through the deployment.

I was trying to install on
CodeReady

Could you share the exact error that you are seeing?

chmod: changing permissions of '/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh': Operation not permitted

I also noticed the same issue reported in the link below.