Merge branch 'opensearch' into 'master'

Migrate from ODFE to OpenSearch See merge request !5

Merge branch 'opensearch' into 'master'
c3a9086e · Temur Maisuradze · 9b5cda32 · d1bd7371 · c3a9086e · c3a9086e
Commit c3a9086e authored 2 years ago by Temur Maisuradze
--- a/roles/odfekibana/defaults/main.yml
+++ b/roles/odfekibana/defaults/main.yml
--- a/roles/odfees/files/.empty
+++ b/roles/odfees/files/.empty
--- a/roles/odfekibana/handlers/main.yml
+++ b/roles/odfekibana/handlers/main.yml
--- a/roles/odfekibana/meta/main.yml
+++ b/roles/odfekibana/meta/main.yml
--- a/roles/odfees/tasks/init.yml
+++ b/roles/odfees/tasks/init.yml
@@ -10,8 +10,8 @@
  remote_user: root
  command: "update-ca-trust"
- name: Copy certificates in odfe conf dir
+- name: Copy certificates in opensearch conf dir
-  remote_user: elasticsearch
+  remote_user: opensearch
  copy:
    src:  "{{ item }}"
    dest: "config/"
@@ -21,75 +21,64 @@
    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
    - "{{playbook_dir}}/secrets/CA/private/{{soctools_users[0].CN}}.p12"
- name: Configure sysconfig
+- name: import soctools ca crt yo java truststore
-  remote_user: elasticsearch
+  remote_user: opensearch
-  template:
+  shell: /opt/opensearch/jdk/bin/keytool -import -noprompt -storepass changeit -trustcacerts -alias soctools -file /etc/pki/ca-trust/source/anchors/ca.crt -keystore /opt/opensearch/jdk/lib/security/cacerts
-    src: sysconfig_elasticsearch.j2
-    dest: sysconfig_elasticsearch
- name: Copy sysconfig to /etc
-  remote_user: elasticsearch
-  command: "cp sysconfig_elasticsearch /etc/sysconfig/elasticsearch"
- name: Configure odfe properties
+- name: Configure opensearch properties
-  remote_user: elasticsearch
+  remote_user: opensearch
  template:
    src: "config/{{item}}.j2"
    dest: "config/{{item}}"
  with_items:
-    - elasticsearch.yml
+    - opensearch.yml
    - jvm.options
    - log4j2.properties
 - name: Change password for admin
-  remote_user: elasticsearch
+  remote_user: opensearch
-  command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/odfees_adminpass')}}"
+  shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass')}} | tail -n 1
  register: adminhash
-  # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
 - set_fact:
    adminhashpwd: "{{ adminhash.stdout }}"
-    #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}"
+  remote_user: opensearch
-  remote_user: elasticsearch
 - name: Change password for cortex
-  remote_user: elasticsearch
+  remote_user: opensearch
-  command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}"
+  shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_opensearch')}} | tail -n 1
  register: cortexhash
-  # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
 - set_fact:
    cortexhashpwd: "{{ cortexhash.stdout }}"
-    #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}"
+  remote_user: opensearch
-  remote_user: elasticsearch
- name: Configure opendistro_security properties
+- name: Configure opensearch_security properties
-  remote_user: elasticsearch
+  remote_user: opensearch
  template:
    src: "securityconfig/{{item}}.j2"
-    dest: "plugins/opendistro_security/securityconfig/{{item}}"
+    dest: "config/opensearch-security/{{item}}"
  with_items:
    - internal_users.yml
    - config.yml
    - roles_mapping.yml
+- name: Start opensearch
- name: Start OpenDistro for Elasticsearch
  remote_user: root
-  command: "supervisorctl start odfe"
+  command: "supervisorctl start opensearch"
- name: Wait for ElasticSearch
+- name: Wait for OpenSearch
  remote_user: root
  wait_for:
-    host: "{{groups['odfeescontainers'][0]}}"
+    host: "{{groups['opensearchescontainers'][0]}}"
    port: 9200
    state: started
    delay: 5
- name: Configure OpenDistro security
+- name: Configure Opensearch security
-  remote_user: elasticsearch
+  remote_user: opensearch
-  command: "bash ./plugins/opendistro_security/tools/securityadmin.sh -h {{groups['odfeescontainers'][0]}} -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -ks '/usr/share/elasticsearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /usr/share/elasticsearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster"
+  shell: "export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash ./plugins/opensearch-security/tools/securityadmin.sh -h {{groups['opensearchescontainers'][0]}} -cd /opt/opensearch/config/opensearch-security/ -ks '/opt/opensearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /opt/opensearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster"
-  when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
+  when: "'{{groups['opensearchescontainers'][0]}}' in inventory_hostname"
 - name: Set Autostart for supervisord's services
  remote_user: root

--- a/roles/odfees/tasks/main.yml
+++ b/roles/odfees/tasks/main.yml
--- a/roles/odfees/tasks/restart.yml
+++ b/roles/odfees/tasks/restart.yml
@@ -2,12 +2,12 @@
 - name: Restart OpenDistro for Elasticsearch
  remote_user: root
-  command: "supervisorctl restart odfe"
+  command: "supervisorctl restart opensearch"
 - name: Wait for ElasticSearch
  remote_user: root
  wait_for:
-    host: "{{groups['odfeescontainers'][0]}}"
+    host: "{{groups['opensearchescontainers'][0]}}"
    port: 9200
    state: started
    delay: 5

--- a/roles/odfees/tasks/start.yml
+++ b/roles/odfees/tasks/start.yml
 ---
- name: Start OpenDistro for Elasticsearch
+- name: Start OpenDistro for Opensearch
  remote_user: root
-  command: "supervisorctl start odfe"
+  command: "supervisorctl start opensearch"
- name: Wait for ElasticSearch
+- name: Wait for OpenSearch
  remote_user: root
  wait_for:
-    host: "{{groups['odfeescontainers'][0]}}"
+    host: "{{groups['opensearchescontainers'][0]}}"
    port: 9200
    state: started
    delay: 5

--- a/roles/opensearches/tasks/stop.yml
+++ b/roles/opensearches/tasks/stop.yml
+---
+- name: Stop OpenDistro for Opensearch
+  remote_user: root
+  command: "supervisorctl stop opensearch"
--- a/roles/odfees/tasks/update-config.yml
+++ b/roles/odfees/tasks/update-config.yml
 ---
- name: Configure sysconfig
+- name: Configure opensearch properties
-  remote_user: elasticsearch
+  remote_user: opensearch
-  template:
-    src: sysconfig_elasticsearch.j2
-    dest: sysconfig_elasticsearch
- name: Copy sysconfig to /etc
-  remote_user: elasticsearch
-  command: "cp sysconfig_elasticsearch /etc/sysconfig/elasticsearch"
- name: Configure odfe properties
-  remote_user: elasticsearch
  template:
    src: "config/{{item}}.j2"
    dest: "config/{{item}}"
  with_items:
-    - elasticsearch.yml
+    - opensearch.yml
    - jvm.options
    - log4j2.properties
- name: Configure opendistro_security properties
+- name: Configure opensearch_security properties
-  remote_user: elasticsearch
+  remote_user: opensearch
  template:
    src: "securityconfig/{{item}}.j2"
-    dest: "plugins/opendistro_security/securityconfig/{{item}}"
+    dest: "config/opensearch-security/{{item}}"
  with_items:
    - internal_users.yml
    - config.yml

--- a/roles/odfees/templates/config/jvm.options.j2
+++ b/roles/odfees/templates/config/jvm.options.j2
@@ -11,7 +11,7 @@
 ## -Xms4g
 ## -Xmx4g
 ##
-## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
+## See https://opensearch.org/docs/opensearch/install/important-settings/
 ## for more information
 ##
 ################################################################
@@ -19,8 +19,8 @@
 # Xms represents the initial size of total heap space
 # Xmx represents the maximum size of total heap space
-Xms{{odfe_javamem}}
+-Xms{{opensearch_javamem}}
-Xmx{{odfe_javamem}}
+-Xmx{{opensearch_javamem}}
 ################################################################
 ## Expert settings
@@ -33,60 +33,22 @@
 ################################################################
 ## GC configuration
-XX:+UseConcMarkSweepGC
+8-10:-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
+8-10:-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
+8-10:-XX:+UseCMSInitiatingOccupancyOnly
 ## G1GC Configuration
-# NOTE: G1GC is only supported on JDK version 10 or later.
+# NOTE: G1 GC is only supported on JDK version 10 or later
-# To use G1GC uncomment the lines below.
+# to use G1GC, uncomment the next two lines and update the version on the
-# 10-:-XX:-UseConcMarkSweepGC
+# following three lines to your version of the JDK
-# 10-:-XX:-UseCMSInitiatingOccupancyOnly
+# 10:-XX:-UseConcMarkSweepGC
-# 10-:-XX:+UseG1GC
+# 10:-XX:-UseCMSInitiatingOccupancyOnly
-# 10-:-XX:InitiatingHeapOccupancyPercent=75
+11-:-XX:+UseG1GC
+11-:-XX:G1ReservePercent=25
-## DNS cache policy
+11-:-XX:InitiatingHeapOccupancyPercent=30
-# cache ttl in seconds for positive DNS lookups noting that this overrides the
-# JDK security property networkaddress.cache.ttl; set to -1 to cache forever
+## JVM temporary directory
-Des.networkaddress.cache.ttl=60
+-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}
-# cache ttl in seconds for negative DNS lookups noting that this overrides the
-# JDK security property networkaddress.cache.negative ttl; set to -1 to cache
-# forever
-Des.networkaddress.cache.negative.ttl=10
-## optimizations
-# pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch
-## basic
-# explicitly set the stack size
-Xss1m
-# set to headless, just in case
-Djava.awt.headless=true
-# ensure UTF-8 encoding by default (e.g. filenames)
-Dfile.encoding=UTF-8
-# use our provided JNA always versus the system one
-Djna.nosys=true
-# turn off a JDK optimization that throws away stack traces for common
-# exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow
-# flags to configure Netty
-Dio.netty.noUnsafe=true
-Dio.netty.noKeySetOptimization=true
-Dio.netty.recycler.maxCapacityPerThread=0
-# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Djava.io.tmpdir=${ES_TMPDIR}
 ## heap dumps
@@ -102,7 +64,6 @@
 -XX:ErrorFile=logs/hs_err_pid%p.log
 ## JDK 8 GC logging
 8:-XX:+PrintGCDetails
 8:-XX:+PrintGCDateStamps
 8:-XX:+PrintTenuringDistribution
@@ -114,6 +75,12 @@
 # JDK 9+ GC logging
 9-:-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m
-# due to internationalization enhancements in JDK 9 Elasticsearch need to set the provider to COMPAT otherwise
-# time/date parsing will break in an incompatible way for some date patterns and locals
+# Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380)
-9-:-Djava.locale.providers=COMPAT
+18-:-Djava.security.manager=allow
+## OpenSearch Performance Analyzer
+-Dclk.tck=100
+-Djdk.attach.allowAttachSelf=true
+-Djava.security.policy=/opt/opensearch-2.3.0/config/opensearch-performance-analyzer/opensearch_security.policy
+--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED
--- a/roles/opensearches/templates/config/log4j2.properties.j2
+++ b/roles/opensearches/templates/config/log4j2.properties.j2
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# The OpenSearch Contributors require contributions made to
+# this file be licensed under the Apache-2.0 license or a
+# compatible open source license.
+#
+# Modifications Copyright OpenSearch Contributors. See
+# GitHub history for details.
+#
+status = error
+appender.console.type = Console
+appender.console.name = console
+appender.console.layout.type = PatternLayout
+appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
+######## Server JSON ############################
+appender.rolling.type = RollingFile
+appender.rolling.name = rolling
+appender.rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_server.json
+appender.rolling.filePermissions = rw-r-----
+appender.rolling.layout.type = OpenSearchJsonLayout
+appender.rolling.layout.type_name = server
+appender.rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz
+appender.rolling.policies.type = Policies
+appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
+appender.rolling.policies.time.interval = 1
+appender.rolling.policies.time.modulate = true
+appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
+appender.rolling.policies.size.size = 128MB
+appender.rolling.strategy.type = DefaultRolloverStrategy
+appender.rolling.strategy.fileIndex = nomax
+appender.rolling.strategy.action.type = Delete
+appender.rolling.strategy.action.basepath = ${sys:opensearch.logs.base_path}
+appender.rolling.strategy.action.condition.type = IfFileName
+appender.rolling.strategy.action.condition.glob = ${sys:opensearch.logs.cluster_name}-*
+appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
+appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB
+################################################
+######## Server -  old style pattern ###########
+appender.rolling_old.type = RollingFile
+appender.rolling_old.name = rolling_old
+appender.rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}.log
+appender.rolling_old.filePermissions = rw-r-----
+appender.rolling_old.layout.type = PatternLayout
+appender.rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
+appender.rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz
+appender.rolling_old.policies.type = Policies
+appender.rolling_old.policies.time.type = TimeBasedTriggeringPolicy
+appender.rolling_old.policies.time.interval = 1
+appender.rolling_old.policies.time.modulate = true
+appender.rolling_old.policies.size.type = SizeBasedTriggeringPolicy
+appender.rolling_old.policies.size.size = 128MB
+appender.rolling_old.strategy.type = DefaultRolloverStrategy
+appender.rolling_old.strategy.fileIndex = nomax
+appender.rolling_old.strategy.action.type = Delete
+appender.rolling_old.strategy.action.basepath = ${sys:opensearch.logs.base_path}
+appender.rolling_old.strategy.action.condition.type = IfFileName
+appender.rolling_old.strategy.action.condition.glob = ${sys:opensearch.logs.cluster_name}-*
+appender.rolling_old.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
+appender.rolling_old.strategy.action.condition.nested_condition.exceeds = 2GB
+################################################
+rootLogger.level = info
+rootLogger.appenderRef.console.ref = console
+rootLogger.appenderRef.rolling.ref = rolling
+rootLogger.appenderRef.rolling_old.ref = rolling_old
+######## Deprecation JSON #######################
+appender.deprecation_rolling.type = RollingFile
+appender.deprecation_rolling.name = deprecation_rolling
+appender.deprecation_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.json
+appender.deprecation_rolling.filePermissions = rw-r-----
+appender.deprecation_rolling.layout.type = OpenSearchJsonLayout
+appender.deprecation_rolling.layout.type_name = deprecation
+appender.deprecation_rolling.layout.opensearchmessagefields=x-opaque-id
+appender.deprecation_rolling.filter.rate_limit.type = RateLimitingFilter
+appender.deprecation_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation-%i.json.gz
+appender.deprecation_rolling.policies.type = Policies
+appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy
+appender.deprecation_rolling.policies.size.size = 1GB
+appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy
+appender.deprecation_rolling.strategy.max = 4
+appender.header_warning.type = HeaderWarningAppender
+appender.header_warning.name = header_warning
+#################################################
+######## Deprecation -  old style pattern #######
+appender.deprecation_rolling_old.type = RollingFile
+appender.deprecation_rolling_old.name = deprecation_rolling_old
+appender.deprecation_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.log
+appender.deprecation_rolling_old.filePermissions = rw-r-----
+appender.deprecation_rolling_old.layout.type = PatternLayout
+appender.deprecation_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
+appender.deprecation_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
+  _deprecation-%i.log.gz
+appender.deprecation_rolling_old.policies.type = Policies
+appender.deprecation_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
+appender.deprecation_rolling_old.policies.size.size = 1GB
+appender.deprecation_rolling_old.strategy.type = DefaultRolloverStrategy
+appender.deprecation_rolling_old.strategy.max = 4
+#################################################
+logger.deprecation.name = org.opensearch.deprecation
+logger.deprecation.level = deprecation
+logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling
+logger.deprecation.appenderRef.deprecation_rolling_old.ref = deprecation_rolling_old
+logger.deprecation.appenderRef.header_warning.ref = header_warning
+logger.deprecation.additivity = false
+######## Search slowlog JSON ####################
+appender.index_search_slowlog_rolling.type = RollingFile
+appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling
+appender.index_search_slowlog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
+  .cluster_name}_index_search_slowlog.json
+appender.index_search_slowlog_rolling.filePermissions = rw-r-----
+appender.index_search_slowlog_rolling.layout.type = OpenSearchJsonLayout
+appender.index_search_slowlog_rolling.layout.type_name = index_search_slowlog
+appender.index_search_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,total_hits,types,stats,search_type,total_shards,source,id
+appender.index_search_slowlog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
+  .cluster_name}_index_search_slowlog-%i.json.gz
+appender.index_search_slowlog_rolling.policies.type = Policies
+appender.index_search_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
+appender.index_search_slowlog_rolling.policies.size.size = 1GB
+appender.index_search_slowlog_rolling.strategy.type = DefaultRolloverStrategy
+appender.index_search_slowlog_rolling.strategy.max = 4
+#################################################
+######## Search slowlog -  old style pattern ####
+appender.index_search_slowlog_rolling_old.type = RollingFile
+appender.index_search_slowlog_rolling_old.name = index_search_slowlog_rolling_old
+appender.index_search_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
+  _index_search_slowlog.log
+appender.index_search_slowlog_rolling_old.filePermissions = rw-r-----
+appender.index_search_slowlog_rolling_old.layout.type = PatternLayout
+appender.index_search_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
+appender.index_search_slowlog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
+  _index_search_slowlog-%i.log.gz
+appender.index_search_slowlog_rolling_old.policies.type = Policies
+appender.index_search_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
+appender.index_search_slowlog_rolling_old.policies.size.size = 1GB
+appender.index_search_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy
+appender.index_search_slowlog_rolling_old.strategy.max = 4
+#################################################
+logger.index_search_slowlog_rolling.name = index.search.slowlog
+logger.index_search_slowlog_rolling.level = trace
+logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling
+logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling_old.ref = index_search_slowlog_rolling_old
+logger.index_search_slowlog_rolling.additivity = false
+######## Indexing slowlog JSON ##################
+appender.index_indexing_slowlog_rolling.type = RollingFile
+appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling
+appender.index_indexing_slowlog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
+  _index_indexing_slowlog.json
+appender.index_indexing_slowlog_rolling.filePermissions = rw-r-----
+appender.index_indexing_slowlog_rolling.layout.type = OpenSearchJsonLayout
+appender.index_indexing_slowlog_rolling.layout.type_name = index_indexing_slowlog
+appender.index_indexing_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,doc_type,id,routing,source
+appender.index_indexing_slowlog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
+  _index_indexing_slowlog-%i.json.gz
+appender.index_indexing_slowlog_rolling.policies.type = Policies
+appender.index_indexing_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
+appender.index_indexing_slowlog_rolling.policies.size.size = 1GB
+appender.index_indexing_slowlog_rolling.strategy.type = DefaultRolloverStrategy
+appender.index_indexing_slowlog_rolling.strategy.max = 4
+#################################################
+######## Indexing slowlog -  old style pattern ##
+appender.index_indexing_slowlog_rolling_old.type = RollingFile
+appender.index_indexing_slowlog_rolling_old.name = index_indexing_slowlog_rolling_old
+appender.index_indexing_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
+  _index_indexing_slowlog.log
+appender.index_indexing_slowlog_rolling_old.filePermissions = rw-r-----
+appender.index_indexing_slowlog_rolling_old.layout.type = PatternLayout
+appender.index_indexing_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
+appender.index_indexing_slowlog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
+  _index_indexing_slowlog-%i.log.gz
+appender.index_indexing_slowlog_rolling_old.policies.type = Policies
+appender.index_indexing_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
+appender.index_indexing_slowlog_rolling_old.policies.size.size = 1GB
+appender.index_indexing_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy
+appender.index_indexing_slowlog_rolling_old.strategy.max = 4
+#################################################
+logger.index_indexing_slowlog.name = index.indexing.slowlog.index
+logger.index_indexing_slowlog.level = trace
+logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling
+logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling_old.ref = index_indexing_slowlog_rolling_old
+logger.index_indexing_slowlog.additivity = false
+######## Task details log JSON ####################
+appender.task_detailslog_rolling.type = RollingFile
+appender.task_detailslog_rolling.name = task_detailslog_rolling
+appender.task_detailslog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog.json
+appender.task_detailslog_rolling.filePermissions = rw-r-----
+appender.task_detailslog_rolling.layout.type = OpenSearchJsonLayout
+appender.task_detailslog_rolling.layout.type_name = task_detailslog
+appender.task_detailslog_rolling.layout.opensearchmessagefields=taskId,type,action,description,start_time_millis,resource_stats,metadata
+appender.task_detailslog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog-%i.json.gz
+appender.task_detailslog_rolling.policies.type = Policies
+appender.task_detailslog_rolling.policies.size.type = SizeBasedTriggeringPolicy
+appender.task_detailslog_rolling.policies.size.size = 1GB
+appender.task_detailslog_rolling.strategy.type = DefaultRolloverStrategy
+appender.task_detailslog_rolling.strategy.max = 4
+#################################################
+######## Task details log -  old style pattern ####
+appender.task_detailslog_rolling_old.type = RollingFile
+appender.task_detailslog_rolling_old.name = task_detailslog_rolling_old
+appender.task_detailslog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog.log
+appender.task_detailslog_rolling_old.filePermissions = rw-r-----
+appender.task_detailslog_rolling_old.layout.type = PatternLayout
+appender.task_detailslog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
+appender.task_detailslog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog-%i.log.gz
+appender.task_detailslog_rolling_old.policies.type = Policies
+appender.task_detailslog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
+appender.task_detailslog_rolling_old.policies.size.size = 1GB
+appender.task_detailslog_rolling_old.strategy.type = DefaultRolloverStrategy
+appender.task_detailslog_rolling_old.strategy.max = 4
+#################################################
+logger.task_detailslog_rolling.name = task.detailslog
+logger.task_detailslog_rolling.level = trace
+logger.task_detailslog_rolling.appenderRef.task_detailslog_rolling.ref = task_detailslog_rolling
+logger.task_detailslog_rolling.appenderRef.task_detailslog_rolling_old.ref = task_detailslog_rolling_old
+logger.task_detailslog_rolling.additivity = false
--- a/roles/opensearches/templates/config/opensearch.yml.j2
+++ b/roles/opensearches/templates/config/opensearch.yml.j2
+cluster.name: "soctools-cluster"
+path.logs: /opt/opensearch/logs
+network.host: {{ inventory_hostname }}
+http.port: 9200
+transport.port: 9300
+discovery.seed_hosts:
+{% for opensearches in groups['opensearchescontainers'] %}
+  - {{ opensearches }}
+{% endfor %}
+cluster.initial_master_nodes:
+{% for opensearches in groups['opensearchescontainers'] %}
+  - {{ opensearches }}
+{% endfor %}
+cluster.initial_cluster_manager_nodes:
+{% for opensearches in groups['opensearchescontainers'] %}
+  - {{ opensearches }}
+{% endfor %}
+plugins.security.ssl.transport.keystore_type: pkcs12
+plugins.security.ssl.transport.keystore_filepath: {{ inventory_hostname }}.p12
+plugins.security.ssl.transport.keystore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}"
+plugins.security.ssl.transport.truststore_type: jks
+plugins.security.ssl.transport.truststore_filepath: cacerts.jks
+plugins.security.ssl.transport.truststore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.http.keystore_type: pkcs12
+plugins.security.ssl.http.keystore_filepath: {{ inventory_hostname }}.p12
+plugins.security.ssl.http.keystore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}"
+plugins.security.ssl.http.truststore_type: jks
+plugins.security.ssl.http.truststore_filepath: cacerts.jks
+plugins.security.ssl.http.truststore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
+plugins.security.allow_unsafe_democertificates: true
+plugins.security.allow_default_init_securityindex: true
+plugins.security.authcz.admin_dn:
+  - "{{soctools_users[0].DN}}"
+plugins.security.nodes_dn:
+{% for opensearches in groups['opensearchescontainers'] %}
+  - "CN={{ opensearches }}"
+{% endfor %}
+plugins.security.audit.type: internal_opensearch
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+node.max_local_storage_nodes: 3
--- a/roles/odfees/templates/securityconfig/action_groups.yml
+++ b/roles/odfees/templates/securityconfig/action_groups.yml
--- a/roles/odfees/templates/securityconfig/config.yml.j2
+++ b/roles/odfees/templates/securityconfig/config.yml.j2
 ---
-# This is the main Open Distro Security configuration file where authentication
+# This is the main OpenSearch Security configuration file where authentication
 # and authorization is defined.
 #
 # You need to configure at least one authentication domain in the authc of this file.
@@ -114,12 +114,12 @@ config:
          type: openid
          challenge: false
          config:
-            subject_key: {{openid_subjkey}} 
+            subject_key: {{openid_subjkey}}
            roles_key: roles
            openid_connect_url: https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration
            enable_ssl: true
            verify_hostnames: false
-            pemtrustedcas_filepath: "/usr/share/elasticsearch/config/{{ca_cn}}.crt"
+            pemtrustedcas_filepath: "/opt/opensearch/config/{{ca_cn}}.crt"
        authentication_backend:
          type: noop
      proxy_auth_domain:

--- a/roles/odfees/templates/securityconfig/elasticsearch.yml.example
+++ b/roles/odfees/templates/securityconfig/elasticsearch.yml.example
--- a/roles/odfees/templates/securityconfig/internal_users.yml.j2
+++ b/roles/odfees/templates/securityconfig/internal_users.yml.j2
@@ -23,13 +23,20 @@ cortex:
  backend_roles:
  - "admin"
 #  - "own_index"
-#  - "readall"
+#  #  - "readall"
-  description: "Cortex user"
+#    description: "Cortex user"
+anomalyadmin:
+  hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
+  reserved: false
+  opendistro_security_roles:
+  - "anomaly_full_access"
+  description: "Demo anomaly admin user, using internal role"
 kibanaserver:
  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
  reserved: true
-  description: "Demo kibanaserver user"
+  description: "Demo OpenSearch Dashboards user"
 kibanaro:
  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
@@ -41,25 +48,25 @@ kibanaro:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
-  description: "Demo kibanaro user"
+  description: "Demo OpenSearch Dashboards read only user, using external role mapping"
 logstash:
  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
  reserved: false
  backend_roles:
  - "logstash"
-  description: "Demo logstash user"
+  description: "Demo logstash user, using external role mapping"
 readall:
  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
  reserved: false
  backend_roles:
  - "readall"
-  description: "Demo readall user"
+  description: "Demo readall user, using external role mapping"
 snapshotrestore:
  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
  reserved: false
  backend_roles:
  - "snapshotrestore"
-  description: "Demo snapshotrestore user"
+  description: "Demo snapshotrestore user, using external role mapping"
--- a/roles/odfees/templates/securityconfig/roles.yml
+++ b/roles/odfees/templates/securityconfig/roles.yml
--- a/roles/odfees/templates/securityconfig/roles_mapping.yml.j2
+++ b/roles/odfees/templates/securityconfig/roles_mapping.yml.j2
 ---
-# In this file users, backendroles and hosts can be mapped to Open Distro Security roles.
+# In this file users, backendroles and hosts can be mapped to Security roles.
-# Permissions for Opendistro roles are configured in roles.yml
+# Permissions for OpenSearch roles are configured in roles.yml
 _meta:
  type: "rolesmapping"

--- a/roles/odfees/templates/securityconfig/tenants.yml
+++ b/roles/odfees/templates/securityconfig/tenants.yml