{"id":22651,"date":"2025-04-19T06:13:08","date_gmt":"2025-04-18T22:13:08","guid":{"rendered":"https:\/\/www.wsisp.com\/helps\/22651.html"},"modified":"2025-04-19T06:13:08","modified_gmt":"2025-04-18T22:13:08","slug":"opensearch%e9%9b%86%e7%be%a4%e9%83%a8%e7%bd%b2%e3%80%90docker%e3%80%81%e6%9c%8d%e5%8a%a1%e5%99%a8%e3%80%81helm%e5%a4%9a%e7%a7%8d%e9%83%a8%e7%bd%b2%e6%96%b9%e5%bc%8f%e3%80%91","status":"publish","type":"post","link":"https:\/\/www.wsisp.com\/helps\/22651.html","title":{"rendered":"Opensearch\u96c6\u7fa4\u90e8\u7f72\u3010docker\u3001\u670d\u52a1\u5668\u3001Helm\u591a\u79cd\u90e8\u7f72\u65b9\u5f0f\u3011"},"content":{"rendered":"

\u64cd\u4f5c\u7cfb\u7edf\u517c\u5bb9\u6027<\/h2>\n

\u6211\u4eec\u5efa\u8bae\u5728 Red Hat Enterprise Linux (RHEL) \u6216\u4f7f\u7528systemd\u7684\u57fa\u4e8e Debian \u7684 Linux \u53d1\u884c\u7248\u4e0a\u5b89\u88c5 OpenSearch ,\u4f8b\u5982 CentOS\u3001Amazon Linux 2 \u548c Ubuntu Long-Term Support (LTS)\u3002OpenSearch \u5e94\u8be5\u9002\u7528\u4e8e\u5927\u591a\u6570 Linux \u53d1\u884c\u7248,\u4f46\u6211\u4eec\u53ea\u6d4b\u8bd5\u4e86\u5c11\u6570\u51e0\u4e2a\u3002\u5bf9\u4e8e\u4efb\u4f55\u7248\u672c\u7684 OpenSearch,\u6211\u4eec\u5efa\u8bae\u4f7f\u7528 RHEL 7 \u6216 8\u3001CentOS 7 \u6216 8\u3001Amazon Linux 2\u3001Ubuntu 16.04\u300118.04 \u6216 20.04\u3002<\/p>\n

Java \u517c\u5bb9\u6027<\/h2>\n

\u9002\u7528\u4e8e Linux \u7684 OpenSearch \u53d1\u884c\u7248\u5728\u76ee\u5f55\u4e2d\u9644\u5e26\u4e86\u517c\u5bb9\u7684Adoptium JDK\u7248\u672c\u7684 Java \u3002jdk\u8981\u67e5\u627e JDK \u7248\u672c,\u8bf7\u8fd0\u884c.\/jdk\/bin\/java -version. \u4f8b\u5982,OpenSearch 1.0.0 tarball \u968f\u9644 Java 15.0.1+9(\u975e LTS),OpenSearch 1.3.0 \u968f\u9644 Java 11.0.14.1+1 (LTS),OpenSearch 2.0.0 \u968f\u9644 Java 17.0.2 +8 (LTS)\u3002OpenSearch \u4f7f\u7528\u6240\u6709\u517c\u5bb9\u7684 Java \u7248\u672c\u8fdb\u884c\u4e86\u6d4b\u8bd5\u3002<\/p>\n\nOpenSearch\u7248\u672c\u517c\u5bb9\u7684 Java \u7248\u672c\u9700\u8981 Java \u7248\u672c<\/tr>\n\n\n\n\n
1.0 – 1.2.x<\/td>\n11, 15<\/td>\n15.0.1+9<\/td>\n<\/tr>\n
1.3.x<\/td>\n8, 11, 14<\/td>\n11.0.14.1+1<\/td>\n<\/tr>\n
2.0.0<\/td>\n11, 17<\/td>\n17.0.2+8<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

docker\u5b89\u88c5<\/h2>\n

\u521b\u5efadocker-compose.yml<\/h3>\n

version: '3'<\/span>
\nservices:
\n opensearch-node1:
\n image: opensearchproject\/opensearch:2.2.0
\n container_name: opensearch-node1
\n environment:
\n – cluster.name=<\/span>opensearch-cluster
\n – node.name=<\/span>opensearch-node1
\n – discovery.seed_hosts=<\/span>opensearch-node1,opensearch-node2
\n – cluster.initial_master_nodes=<\/span>opensearch-node1,opensearch-node2
\n – bootstrap.memory_lock=<\/span>true # along with the memlock settings below, disables swapping<\/span>
\n – "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"<\/span> # minimum and maximum Java heap size, recommend setting both to 50% of system RAM<\/span>
\n ulimits:
\n memlock:
\n soft: -1
\n hard: -1
\n nofile:
\n soft: 65536<\/span> # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems<\/span>
\n hard: 65536<\/span>
\n volumes:
\n – opensearch-data1:\/usr\/share\/opensearch\/data
\n ports:
\n – 9200<\/span>:9200
\n – 9600<\/span>:9600 # required for Performance Analyzer<\/span>
\n networks:
\n – opensearch-net
\n opensearch-node2:
\n image: opensearchproject\/opensearch:2.2.0
\n container_name: opensearch-node2
\n environment:
\n – cluster.name=<\/span>opensearch-cluster
\n – node.name=<\/span>opensearch-node2
\n – discovery.seed_hosts=<\/span>opensearch-node1,opensearch-node2
\n – cluster.initial_master_nodes=<\/span>opensearch-node1,opensearch-node2
\n – bootstrap.memory_lock=<\/span>true
\n – "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"<\/span>
\n ulimits:
\n memlock:
\n soft: -1
\n hard: -1
\n nofile:
\n soft: 65536<\/span>
\n hard: 65536<\/span>
\n volumes:
\n – opensearch-data2:\/usr\/share\/opensearch\/data
\n networks:
\n – opensearch-net
\n opensearch-dashboards:
\n image: opensearchproject\/opensearch-dashboards:2.2.0
\n container_name: opensearch-dashboards
\n ports:
\n – 5601<\/span>:5601
\n expose:
\n – "5601"<\/span>
\n environment:
\n OPENSEARCH_HOSTS: '["https:\/\/opensearch-node1:9200","https:\/\/opensearch-node2:9200"]'<\/span> # must be a string with no spaces when specified as an environment variable<\/span>
\n networks:
\n – opensearch-net<\/p>\n

volumes:
\n opensearch-data1:
\n opensearch-data2:<\/p>\n

networks:
\n opensearch-net:<\/p>\n

\u542f\u52a8\u96c6\u7fa4<\/h3>\n

docker-compose up<\/p>\n

\u542f\u52a8\u65e5\u5fd7 \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u770b\u5230\u4ee5\u4e0b\u4fe1\u606f\u5e76\u4e14\u65e5\u5fd7\u6ca1\u660e\u663eerror\u8bf4\u660e\u542f\u52a8\u6210\u529f \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u67e5\u770b\u96c6\u7fa4\u8282\u70b9 \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u901a\u8fc7opensearch-dashboard\u67e5\u770b \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u8bbf\u95ee\u670d\u52a1\u5668\u76845601\u7aef\u53e3 \u7528\u6237\u540d\u5bc6\u7801\u4e3aadmin admin \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u8fdb\u5165opensearch-dashboard\u9875\u9762 \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u505c\u6b62\u96c6\u7fa4<\/p>\n

docker-compose down<\/p>\n

\u505c\u6b62\u96c6\u7fa4\u5e76\u5220\u9664\u6240\u6709\u6570\u636e\u4fe1\u606f<\/p>\n

docker-compose down -v<\/p>\n

\u88f8\u670d\u52a1\u5668\u5b89\u88c5<\/h2>\n

\u8bbe\u8ba1\u96c6\u7fa4\u7684\u65b9\u6cd5\u6709\u5f88\u591a\u79cd\u7ec4\u5408\u3002 \u4e0b\u56fe\u663e\u793a\u4e86\u4e00\u4e2a\u57fa\u672c\u67b6\u6784,\u5176\u4e2d\u5305\u62ec\u4e00\u4e2a\u56db\u8282\u70b9\u96c6\u7fa4,\u8be5\u96c6\u7fa4\u5177\u6709\u4e00\u4e2a\u96c6\u7fa4\u7ba1\u7406\u5668\u8282\u70b9\u3001\u4e00\u4e2a\u534f\u8c03\u8282\u70b9\u548c\u4e24\u4e2a\u6570\u636e\u8282\u70b9\u3002 \u66f4\u591a\u8282\u70b9\u4fe1\u606f\u8bf7\u53c2\u7167\u914d\u7f6e\u8be6\u89e3\u3002<\/p>\n

\u96c6\u7fa4\u67b6\u6784<\/h3>\n

\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

\u670d\u52a1\u5668\u89c4\u5212<\/h3>\n\nIP\u5730\u5740\u914d\u7f6e\u8282\u70b9<\/tr>\n\n\n\n\n
172.21.84.119<\/td>\n2C 4G 100G SATA<\/td>\nCluster manager data ingest<\/td>\n<\/tr>\n
172.21.84.120<\/td>\n2C 4G 100G SATA<\/td>\nCluster manager data ingest<\/td>\n<\/tr>\n
172.21.84.121<\/td>\n2C 4G 100G SATA<\/td>\nCluster manager data ingest<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u8fdb\u7fa4\u4e4b\u95f4\u8bf7\u786e\u4fdd\u4ee5\u4e0b\u7aef\u53e3\u662f\u8fde\u901a\u7684\u3002 \u9700\u8981\u4e3a OpenSearch \u7ec4\u4ef6\u6253\u5f00\u4ee5\u4e0b\u7aef\u53e3\u3002<\/p>\n\n\u7aef\u53e3\u53f7\u5f00\u653e\u641c\u7d22\u7ec4\u4ef6<\/tr>\n\n\n\n\n\n\n\n
443<\/td>\nAWS OpenSearch Service \u4e2d\u7684 OpenSearch \u4eea\u8868\u677f,\u5177\u6709\u4f20\u8f93\u4e2d\u52a0\u5bc6 (TLS)<\/td>\n<\/tr>\n
5601<\/td>\n\u5f00\u653e\u641c\u7d22\u4eea\u8868\u677f<\/td>\n<\/tr>\n
9200<\/td>\n\u5f00\u653e\u641c\u7d22 REST API<\/td>\n<\/tr>\n
9250<\/td>\n\u8de8\u96c6\u7fa4\u641c\u7d22<\/td>\n<\/tr>\n
9300<\/td>\n\u8282\u70b9\u901a\u4fe1\u548c\u4f20\u8f93<\/td>\n<\/tr>\n
9600<\/td>\n\u6027\u80fd\u5206\u6790\u5668<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u5b89\u88c5\u6b65\u9aa4<\/h3>\n
  • \u8bf7\u5728\u6240\u6709\u8282\u70b9\u5b89\u88c5\u5355\u673a\u7248opensearch\u5e76\u6d4b\u8bd5\u542f\u52a8\u6210\u529f(\u5b89\u88c5\u6b65\u9aa4\u8bf7\u53c2\u9605\u2013\u5355\u673a\u7248\u5b89\u88c5)<\/li>\n
  • \u5220\u9664\u5bf9\u5e94\u5355\u673a\u542f\u52a8opensearch\u7684\u65e5\u5fd7\u548c\u6570\u636e\u6587\u4ef6\u76ee\u5f55 data logs<\/li>\n
  • \u4fee\u6539\u914d\u7f6e\u6587\u4ef6<\/li>\n

    172.21.84.119 \u914d\u7f6e\u6587\u4ef6<\/h4>\n

    cluster.name: bigdata
    \nnode.name: master01
    \nnode.roles: [<\/span>cluster_manager ,data, ingest]<\/span>
    \npath.data: \/data\/opensearch\/opensearch-2.2.0\/data
    \npath.logs: \/data\/opensearch\/opensearch-2.2.0\/logs
    \nnetwork.host: 172.21<\/span>.84.119
    \nhttp.port: 9200<\/span>
    \ndiscovery.seed_hosts: [<\/span>"master01"<\/span>, "node01"<\/span>, "node02"<\/span>]<\/span>
    \ncluster.initial_cluster_manager_nodes: [<\/span>"master01"<\/span>, "node01"<\/span>, "node02"<\/span>]<\/span>
    \nplugins.security.ssl.transport.pemcert_filepath: esnode.pem
    \nplugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
    \nplugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    \nplugins.security.ssl.transport.enforce_hostname_verification: false<\/span>
    \nplugins.security.ssl.http.enabled: true<\/span>
    \nplugins.security.ssl.http.pemcert_filepath: esnode.pem
    \nplugins.security.ssl.http.pemkey_filepath: esnode-key.pem
    \nplugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    \nplugins.security.allow_unsafe_democertificates: true<\/span>
    \nplugins.security.allow_default_init_securityindex: true<\/span>
    \nplugins.security.authcz.admin_dn:
    \nCN<\/span>=<\/span>kirk,OU=<\/span>client,O=<\/span>client,L=<\/span>test, C<\/span>=<\/span>de
    \nplugins.security.audit.type: internal_opensearch
    \nplugins.security.enable_snapshot_restore_privilege: true<\/span>
    \nplugins.security.check_snapshot_restore_write_privileges: true<\/span>
    \nplugins.security.restapi.roles_enabled: [<\/span>"all_access"<\/span>, "security_rest_api_access"<\/span>]<\/span>
    \nplugins.security.system_indices.enabled: true<\/span>
    \nplugins.security.system_indices.indices: [<\/span>".plugins-ml-model"<\/span>, ".plugins-ml-task"<\/span>, ".opendistro-alerting-config"<\/span>, ".opendistro-alerting-alert*"<\/span>, ".opendistro-anomaly-results*"<\/span>, ".opendistro-anomaly-detector*"<\/span>, ".opendistro-anomaly-checkpoints"<\/span>, ".opendistro-anomaly-detection-state"<\/span>, ".opendistro-reports-"<\/span>, ".opensearch-notifications-"<\/span>, ".opensearch-notebooks"<\/span>, ".opensearch-observability"<\/span>, ".opendistro-asynchronous-search-response*"<\/span>, ".replication-metadata-store"<\/span>]<\/span>
    \nnode.max_local_storage_nodes: 3<\/span><\/p>\n

    172.21.84.120 \u914d\u7f6e\u6587\u4ef6<\/h4>\n

    \u6ce8: \u76f8\u540c\u914d\u7f6e\u4e0d\u518d\u5c55\u793a<\/p>\n

    cluster.name: bigdata
    \nnode.name: master01
    \nnode.roles: [<\/span>cluster_manager ,data, ingest]<\/span>
    \npath.data: \/data\/opensearch\/opensearch-2.2.0\/data
    \npath.logs: \/data\/opensearch\/opensearch-2.2.0\/logs
    \nnetwork.host: 172.21<\/span>.84.120<\/p>\n

    172.21.84.121 \u914d\u7f6e\u6587\u4ef6<\/h4>\n

    cluster.name: bigdata
    \nnode.name: master01
    \nnode.roles: [<\/span>cluster_manager ,data, ingest]<\/span>
    \npath.data: \/data\/opensearch\/opensearch-2.2.0\/data
    \npath.logs: \/data\/opensearch\/opensearch-2.2.0\/logs
    \nnetwork.host: 172.21<\/span>.84.121<\/p>\n

    \u4f9d\u6b21\u542f\u52a8\u4e09\u53f0openserach<\/h4>\n

    su<\/span> – opensearch -c "\/data\/opensearch\/opensearch-2.2.0\/bin\/opensearch"<\/span><\/p>\n

    \u770b\u5230\u5982\u4e0b\u4fe1\u606f,\u96c6\u7fa4\u521b\u5efa\u6210\u529f \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

    \u67e5\u770b\u96c6\u7fa4<\/h4>\n

    \u67e5\u770b\u8282\u70b9\u4fe1\u606f \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u67e5\u770b\u96c6\u7fa4\u5065\u5eb7\u72b6\u6001 \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u81f3\u6b64\u88f8\u91d1\u5c5e\u7248\u90e8\u7f72\u5b8c\u6210<\/p>\n

    Helm\u5b89\u88c5<\/h2>\n

    \u5b98\u65b9\u5b89\u88c5<\/h3>\n

    \u8bf7\u786e\u4fddk8s\u96c6\u7fa4\u5b89\u88c5\u4e86helm\u547d\u4ee4,\u4e14\u53ef\u4ee5\u94fe\u63a5\u5916\u7f51\u3002\u9ed8\u8ba4 Helm \u90e8\u7f72\u4e00\u4e2a\u4e09\u8282\u70b9\u96c6\u7fa4\u3002\u6211\u4eec\u5efa\u8bae\u60a8\u4e3a\u6b64\u90e8\u7f72\u81f3\u5c11\u6709 8 GiB \u7684\u53ef\u7528\u5185\u5b58\u3002 \u4f8b\u5982,\u5982\u679c\u53ef\u7528\u5185\u5b58\u5c11\u4e8e 4 GiB,\u53ef\u80fd\u4f1a\u90e8\u7f72\u4f1a\u5931\u8d25\u3002 \u7248\u672c\u8981\u6c42<\/p>\n

      \n
    • Kubernetes >= 1.14<\/li>\n
    • Helm >= 2.17.0<\/li>\n<\/ul>\n

      Kubernetes \u4e2d\u90e8\u7f72 NFS-Subdir-External-Provisioner \u4e3a NFS \u63d0\u4f9b\u52a8\u6001\u5206\u914d\u5377 \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u5e76\u4e14\u81ea\u52a8\u7ed1\u5b9apv,pvc,\u82e5\u7ed1\u5b9a\u5931\u8d25\u9700\u6267\u884c<\/p>\n

      kubectl patch storageclass nfs-storage -p '{"metadata": {"annotations":{"storageclass.kubernetes.io\/is-default-class":"true"}}}'<\/span><\/p>\n

      \u5b89\u88c5\u6b65\u9aa4<\/h4>\n
    • \u5c06opensearch helm-charts \u5b58\u50a8\u5e93\u6dfb\u52a0\u5230 Helm: helm repo add opensearch https:\/\/opensearch-project.github.io\/helm-charts\/ \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/li>\n
    • \u4ece\u56fe\u8868\u5b58\u50a8\u5e93\u672c\u5730\u66f4\u65b0\u53ef\u7528\u6e90:<\/li>\n

      helm repo update<\/p>\n

      \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

    • \u8981\u641c\u7d22\u4e0e OpenSearch \u76f8\u5173\u7684 Helm \u56fe\u8868<\/li>\n

      helm search repo opensearch<\/p>\n

      \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

    • \u90e8\u7f72 OpenSearch<\/li>\n

      helm install<\/span> my-deployment opensearch\/opensearch<\/p>\n

      \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u67e5\u770b\u90e8\u7f72\u7684pod \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u786e\u8ba4\u8282\u70b9\u8fd0\u884c\u72b6\u6001 \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u5378\u8f7dopensearch \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u8fd0\u884c helm delete my-deployment<\/p>\n

      \u81ea\u5b9a\u4e49\u5b89\u88c5<\/h3>\n

      \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \u5176\u4e2ddata\u8282\u70b9\u4e5f\u53ef\u62c6\u5206\u51fa\u6765\u672c\u6587\u4e0d\u505a\u5c55\u793a\u3002<\/p>\n

      openserach-master.yaml<\/p>\n


      \nclusterName: "opensearch-cluster"<\/span>
      \nnodeGroup: "master"<\/span><\/p>\n

      # If discovery.type in the opensearch configuration is set to "single-node",<\/span>
      \n# this should be set to "true"<\/span>
      \n# If "true", replicas will be forced to 1<\/span>
      \nsingleNode: false<\/span><\/p>\n

      # The service that non master groups will try to connect to when joining the cluster<\/span>
      \n# This should be set to clusterName + "-" + nodeGroup for your master group<\/span>
      \nmasterService: "opensearch-cluster-master"<\/span><\/p>\n

      # OpenSearch roles that will be applied to this nodeGroup<\/span>
      \n# These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client<\/span>
      \nroles:
      \n – master
      \n – ingest
      \n – data<\/p>\n

      replicas: 3<\/span><\/p>\n

      # if not set, falls back to parsing .Values.imageTag, then .Chart.appVersion.<\/span>
      \nmajorVersion: ""<\/span><\/p>\n

      global:
      \n # Set if you want to change the default docker registry, e.g. a private one.<\/span>
      \n dockerRegistry: ""<\/span><\/p>\n

      # Allows you to add any config files in {{ .Values.opensearchHome }}\/config<\/span>
      \nopensearchHome: \/usr\/share\/opensearch
      \n# such as opensearch.yml and log4j2.properties<\/span>
      \nconfig:
      \n # Values must be YAML literal style scalar \/ YAML multiline string.<\/span>
      \n # <filename>: |<\/span>
      \n # <formatted-value(s)><\/span>
      \n # log4j2.properties: |<\/span>
      \n # status = error<\/span>
      \n #<\/span>
      \n # appender.console.type = Console<\/span>
      \n # appender.console.name = console<\/span>
      \n # appender.console.layout.type = PatternLayout<\/span>
      \n # appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n<\/span>
      \n #<\/span>
      \n # rootLogger.level = info<\/span>
      \n # rootLogger.appenderRef.console.ref = console<\/span>
      \n opensearch.yml: |<\/span>
      \n cluster.name: opensearch-cluster
      \n # Bind to all interfaces because we don't know what IP address Docker will assign to us.<\/span>
      \n network.host: 0.0<\/span>.0.0
      \n # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.<\/span>
      \n # Implicitly done if ".singleNode" is set to "true".<\/span>
      \n # discovery.type: single-node<\/span>
      \n # Start OpenSearch Security Demo Configuration<\/span>
      \n # WARNING: revise all the lines below before you go into production<\/span>
      \n plugins:
      \n security:
      \n ssl:
      \n transport:
      \n pemcert_filepath: esnode.pem
      \n pemkey_filepath: esnode-key.pem
      \n pemtrustedcas_filepath: root-ca.pem
      \n enforce_hostname_verification: false<\/span>
      \n http:
      \n enabled: true<\/span>
      \n pemcert_filepath: esnode.pem
      \n pemkey_filepath: esnode-key.pem
      \n pemtrustedcas_filepath: root-ca.pem
      \n allow_unsafe_democertificates: true<\/span>
      \n allow_default_init_securityindex: true<\/span>
      \n authcz:
      \n admin_dn:
      \n – CN<\/span>=<\/span>kirk,OU=<\/span>client,O=<\/span>client,L=<\/span>test,C=<\/span>de
      \n audit.type: internal_opensearch
      \n enable_snapshot_restore_privilege: true<\/span>
      \n check_snapshot_restore_write_privileges: true<\/span>
      \n restapi:
      \n roles_enabled: [<\/span>"all_access"<\/span>, "security_rest_api_access"<\/span>]<\/span>
      \n system_indices:
      \n enabled: true<\/span>
      \n indices:
      \n [<\/span>
      \n ".opendistro-alerting-config"<\/span>,
      \n ".opendistro-alerting-alert*"<\/span>,
      \n ".opendistro-anomaly-results*"<\/span>,
      \n ".opendistro-anomaly-detector*"<\/span>,
      \n ".opendistro-anomaly-checkpoints"<\/span>,
      \n ".opendistro-anomaly-detection-state"<\/span>,
      \n ".opendistro-reports-*"<\/span>,
      \n ".opendistro-notifications-*"<\/span>,
      \n ".opendistro-notebooks"<\/span>,
      \n ".opendistro-asynchronous-search-response*"<\/span>,
      \n ]<\/span>
      \n ######## End OpenSearch Security Demo Configuration ########<\/span>
      \n # log4j2.properties:<\/span><\/p>\n

      # Extra environment variables to append to this nodeGroup<\/span>
      \n# This will be appended to the current 'env:' key. You can use any of the kubernetes env<\/span>
      \n# syntax here<\/span>
      \nextraEnvs: [<\/span>]<\/span>
      \n# – name: MY_ENVIRONMENT_VAR<\/span>
      \n# value: the_value_goes_here<\/span><\/p>\n

      # Allows you to load environment variables from kubernetes secret or config map<\/span>
      \nenvFrom: [<\/span>]<\/span>
      \n# – secretRef:<\/span>
      \n# name: env-secret<\/span>
      \n# – configMapRef:<\/span>
      \n# name: config-map<\/span><\/p>\n

      # A list of secrets and their paths to mount inside the pod<\/span>
      \n# This is useful for mounting certificates for security and for mounting<\/span>
      \n# the X-Pack license<\/span>
      \nsecretMounts: [<\/span>]<\/span><\/p>\n

      hostAliases: [<\/span>]<\/span>
      \n# – ip: "127.0.0.1"<\/span>
      \n# hostnames:<\/span>
      \n# – "foo.local"<\/span>
      \n# – "bar.local"<\/span><\/p>\n

      image:
      \n repository: "opensearchproject\/opensearch"<\/span>
      \n # override image tag, which is .Chart.AppVersion by default<\/span>
      \n tag: ""<\/span>
      \n pullPolicy: "IfNotPresent"<\/span><\/p>\n

      podAnnotations: {<\/span>}<\/span>
      \n # iam.amazonaws.com\/role: es-cluster<\/span><\/p>\n

      # additionals labels<\/span>
      \nlabels: {<\/span>}<\/span><\/p>\n

      opensearchJavaOpts: "-Xmx512M -Xms512M"<\/span><\/p>\n

      resources:
      \n requests:
      \n cpu: "500m"<\/span>
      \n memory: "100Mi"<\/span><\/p>\n

      initResources: {<\/span>}<\/span>
      \n# limits:<\/span>
      \n# cpu: "25m"<\/span>
      \n# memory: "128Mi"<\/span>
      \n# requests:<\/span>
      \n# cpu: "25m"<\/span>
      \n# memory: "128Mi"<\/span><\/p>\n

      sidecarResources: {<\/span>}<\/span>
      \n# limits:<\/span>
      \n# cpu: "25m"<\/span>
      \n# memory: "128Mi"<\/span>
      \n# requests:<\/span>
      \n# cpu: "25m"<\/span>
      \n# memory: "128Mi"<\/span><\/p>\n

      networkHost: "0.0.0.0"<\/span><\/p>\n

      rbac:
      \n create: false<\/span>
      \n serviceAccountAnnotations: {<\/span>}<\/span>
      \n serviceAccountName: ""<\/span><\/p>\n

      podSecurityPolicy:
      \n create: false<\/span>
      \n name: ""<\/span>
      \n spec:
      \n privileged: true<\/span>
      \n fsGroup:
      \n rule: RunAsAny
      \n runAsUser:
      \n rule: RunAsAny
      \n seLinux:
      \n rule: RunAsAny
      \n supplementalGroups:
      \n rule: RunAsAny
      \n volumes:
      \n – secret
      \n – configMap
      \n – persistentVolumeClaim
      \n – emptyDir<\/p>\n

      persistence:
      \n enabled: true<\/span>
      \n # Set to false to disable the `fsgroup-volume` initContainer that will update permissions on the persistent disk.<\/span>
      \n enableInitChown: true<\/span>
      \n # override image, which is busybox by default<\/span>
      \n # image: busybox<\/span>
      \n # override image tag, which is latest by default<\/span>
      \n # imageTag:<\/span>
      \n labels:
      \n # Add default labels for the volumeClaimTemplate of the StatefulSet<\/span>
      \n enabled: false<\/span>
      \n # OpenSearch Persistent Volume Storage Class<\/span>
      \n # If defined, storageClassName: <storageClass><\/span>
      \n # If set to "-", storageClassName: "", which disables dynamic provisioning<\/span>
      \n # If undefined (the default) or set to null, no storageClassName spec is<\/span>
      \n # set, choosing the default provisioner. (gp2 on AWS, standard on<\/span>
      \n # GKE, AWS & OpenStack)<\/span>
      \n #<\/span>
      \n # storageClass: "-"<\/span>
      \n accessModes:
      \n – ReadWriteOnce
      \n size: 5Gi
      \n annotations: {<\/span>}<\/span><\/p>\n

      extraVolumes: [<\/span>]<\/span>
      \n # – name: extras<\/span>
      \n # emptyDir: {}<\/span><\/p>\n

      extraVolumeMounts: [<\/span>]<\/span>
      \n # – name: extras<\/span>
      \n # mountPath: \/usr\/share\/extras<\/span>
      \n # readOnly: true<\/span><\/p>\n

      extraContainers: [<\/span>]<\/span>
      \n # – name: do-something<\/span>
      \n # image: busybox<\/span>
      \n # command: ['do', 'something']<\/span><\/p>\n

      extraInitContainers: [<\/span>]<\/span>
      \n # – name: do-somethings<\/span>
      \n # image: busybox<\/span>
      \n # command: ['do', 'something']<\/span><\/p>\n

      # This is the PriorityClass settings as defined in<\/span>
      \n# https:\/\/kubernetes.io\/docs\/concepts\/configuration\/pod-priority-preemption\/#priorityclass<\/span>
      \npriorityClassName: ""<\/span><\/p>\n

      # By default this will make sure two pods don't end up on the same node<\/span>
      \n# Changing this to a region would allow you to spread pods across regions<\/span>
      \nantiAffinityTopologyKey: "kubernetes.io\/hostname"<\/span><\/p>\n

      # Hard means that by default pods will only be scheduled if there are enough nodes for them<\/span>
      \n# and that they will never end up on the same node. Setting this to soft will do this "best effort"<\/span>
      \nantiAffinity: "soft"<\/span><\/p>\n

      # This is the node affinity settings as defined in<\/span>
      \n# https:\/\/kubernetes.io\/docs\/concepts\/configuration\/assign-pod-node\/#node-affinity-beta-feature<\/span>
      \nnodeAffinity: {<\/span>}<\/span><\/p>\n

      # This is the pod topology spread constraints<\/span>
      \n# https:\/\/kubernetes.io\/docs\/concepts\/workloads\/pods\/pod-topology-spread-constraints\/<\/span>
      \ntopologySpreadConstraints: [<\/span>]<\/span><\/p>\n

      # The default is to deploy all pods serially. By setting this to parallel all pods are started at<\/span>
      \n# the same time when bootstrapping the cluster<\/span>
      \npodManagementPolicy: "Parallel"<\/span><\/p>\n

      # The environment variables injected by service links are not used, but can lead to slow OpenSearch boot times when<\/span>
      \n# there are many services in the current namespace.<\/span>
      \n# If you experience slow pod startups you probably want to set this to `false`.<\/span>
      \nenableServiceLinks: true<\/span><\/p>\n

      protocol: https
      \nhttpPort: 9200<\/span>
      \ntransportPort: 9300<\/span><\/p>\n

      service:
      \n labels: {<\/span>}<\/span>
      \n labelsHeadless: {<\/span>}<\/span>
      \n headless:
      \n annotations: {<\/span>}<\/span>
      \n type: ClusterIP
      \n nodePort: ""<\/span>
      \n annotations: {<\/span>}<\/span>
      \n httpPortName: http
      \n transportPortName: transport
      \n loadBalancerIP: ""<\/span>
      \n loadBalancerSourceRanges: [<\/span>]<\/span>
      \n externalTrafficPolicy: ""<\/span><\/p>\n

      updateStrategy: RollingUpdate<\/p>\n

      # This is the max unavailable setting for the pod disruption budget<\/span>
      \n# The default value of 1 will make sure that kubernetes won't allow more than 1<\/span>
      \n# of your pods to be unavailable during maintenance<\/span>
      \nmaxUnavailable: 1<\/span><\/p>\n

      podSecurityContext:
      \n fsGroup: 1000<\/span>
      \n runAsUser: 1000<\/span><\/p>\n

      securityContext:
      \n capabilities:
      \n drop:
      \n – ALL
      \n # readOnlyRootFilesystem: true<\/span>
      \n runAsNonRoot: true<\/span>
      \n runAsUser: 1000<\/span><\/p>\n

      securityConfig:
      \n enabled: true<\/span>
      \n path: "\/usr\/share\/opensearch\/plugins\/opensearch-security\/securityconfig"<\/span>
      \n actionGroupsSecret:
      \n configSecret:
      \n internalUsersSecret:
      \n rolesSecret:
      \n rolesMappingSecret:
      \n tenantsSecret:
      \n # The following option simplifies securityConfig by using a single secret and<\/span>
      \n # specifying the config files as keys in the secret instead of creating<\/span>
      \n # different secrets for for each config file.<\/span>
      \n # Note that this is an alternative to the individual secret configuration<\/span>
      \n # above and shouldn't be used if the above secrets are used.<\/span>
      \n config:
      \n # There are multiple ways to define the configuration here:<\/span>
      \n # * If you define anything under data, the chart will automatically create<\/span>
      \n # a secret and mount it.<\/span>
      \n # * If you define securityConfigSecret, the chart will assume this secret is<\/span>
      \n # created externally and mount it.<\/span>
      \n # * It is an error to define both data and securityConfigSecret.<\/span>
      \n securityConfigSecret: ""<\/span>
      \n dataComplete: true<\/span>
      \n data: {<\/span>}<\/span>
      \n # config.yml: |-<\/span>
      \n # internal_users.yml: |-<\/span>
      \n # roles.yml: |-<\/span>
      \n # roles_mapping.yml: |-<\/span>
      \n # action_groups.yml: |-<\/span>
      \n # tenants.yml: |-<\/span><\/p>\n

      # How long to wait for opensearch to stop gracefully<\/span>
      \nterminationGracePeriod: 120<\/span><\/p>\n

      sysctlVmMaxMapCount: 262144<\/span><\/p>\n

      startupProbe:
      \n tcpSocket:
      \n port: 9200<\/span>
      \n initialDelaySeconds: 5<\/span>
      \n periodSeconds: 10<\/span>
      \n timeoutSeconds: 3<\/span>
      \n failureThreshold: 30<\/span>
      \nreadinessProbe:
      \n tcpSocket:
      \n port: 9200<\/span>
      \n periodSeconds: 5<\/span>
      \n timeoutSeconds: 3<\/span>
      \n failureThreshold: 3<\/span><\/p>\n

      ## Use an alternate scheduler.<\/span>
      \n## ref: https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/configure-multiple-schedulers\/<\/span>
      \n##<\/span>
      \nschedulerName: ""<\/span><\/p>\n

      imagePullSecrets: [<\/span>]<\/span>
      \nnodeSelector: {<\/span>}<\/span>
      \ntolerations: [<\/span>]<\/span><\/p>\n

      # Enabling this will publically expose your OpenSearch instance.<\/span>
      \n# Only enable this if you have security enabled on your cluster<\/span>
      \ningress:
      \n enabled: false<\/span>
      \n # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName<\/span>
      \n # See https:\/\/kubernetes.io\/blog\/2020\/04\/02\/improvements-to-the-ingress-api-in-kubernetes-1.18\/#specifying-the-class-of-an-ingress<\/span>
      \n # ingressClassName: nginx<\/span><\/p>\n

      annotations: {<\/span>}<\/span>
      \n # kubernetes.io\/ingress.class: nginx<\/span>
      \n # kubernetes.io\/tls-acme: "true"<\/span>
      \n path: \/
      \n hosts:
      \n – chart-example.local
      \n tls: [<\/span>]<\/span>
      \n # – secretName: chart-example-tls<\/span>
      \n # hosts:<\/span>
      \n # – chart-example.local<\/span><\/p>\n

      nameOverride: ""<\/span>
      \nfullnameOverride: ""<\/span><\/p>\n

      masterTerminationFix: false<\/span><\/p>\n

      lifecycle: {<\/span>}<\/span>
      \n # preStop:<\/span>
      \n # exec:<\/span>
      \n # command: ["\/bin\/sh", "-c", "echo Hello from the postStart handler > \/usr\/share\/message"]<\/span>
      \n # postStart:<\/span>
      \n # exec:<\/span>
      \n # command:<\/span>
      \n # – bash<\/span>
      \n # – -c<\/span>
      \n # – |<\/span>
      \n # #!\/bin\/bash<\/span>
      \n # # Add a template to adjust number of shards\/replicas1<\/span>
      \n # TEMPLATE_NAME=my_template<\/span>
      \n # INDEX_PATTERN="logstash-*"<\/span>
      \n # SHARD_COUNT=8<\/span>
      \n # REPLICA_COUNT=1<\/span>
      \n # ES_URL=http:\/\/localhost:9200<\/span>
      \n # while [[ "$(curl -s -o \/dev\/null -w '%{http_code}\\\\n' $ES_URL)" != "200" ]]; do sleep 1; done<\/span>
      \n # curl -XPUT "$ES_URL\/_template\/$TEMPLATE_NAME" -H 'Content-Type: application\/json' -d'{"index_patterns":['\\\\""$INDEX_PATTERN"\\\\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}'<\/span><\/p>\n

      keystore: [<\/span>]<\/span>
      \n# To add secrets to the keystore:<\/span>
      \n# – secretName: opensearch-encryption-key<\/span><\/p>\n

      networkPolicy:
      \n create: false<\/span>
      \n ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.<\/span>
      \n ## In order for a Pod to access OpenSearch, it needs to have the following label:<\/span>
      \n ## {{ template "uname" . }}-client: "true"<\/span>
      \n ## Example for default configuration to access HTTP port:<\/span>
      \n ## opensearch-master-http-client: "true"<\/span>
      \n ## Example for default configuration to access transport port:<\/span>
      \n ## opensearch-master-transport-client: "true"<\/span><\/p>\n

      http:
      \n enabled: false<\/span><\/p>\n

      # Deprecated<\/span>
      \n# please use the above podSecurityContext.fsGroup instead<\/span>
      \nfsGroup: ""<\/span><\/p>\n

      ## Set optimal sysctl's. This requires privilege. Can be disabled if<\/span>
      \n## the system has already been preconfigured. (Ex: https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/vm-max-map-count.html)<\/span>
      \n## Also see: https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/sysctl-cluster\/<\/span>
      \nsysctl:
      \n enabled: false<\/span><\/p>\n

      ## Enable to add 3rd Party \/ Custom plugins not offered in the default OpenSearch image.<\/span>
      \nplugins:
      \n enabled: false<\/span>
      \n installList: [<\/span>]<\/span>
      \n # – example-fake-plugin<\/span><\/p>\n

      # — Array of extra K8s manifests to deploy<\/span>
      \nextraObjects: [<\/span>]<\/span>
      \n # – apiVersion: secrets-store.csi.x-k8s.io\/v1<\/span>
      \n # kind: SecretProviderClass<\/span>
      \n # metadata:<\/span>
      \n # name: argocd-secrets-store<\/span>
      \n # spec:<\/span>
      \n # provider: aws<\/span>
      \n # parameters:<\/span>
      \n # objects: |<\/span>
      \n # – objectName: "argocd"<\/span>
      \n # objectType: "secretsmanager"<\/span>
      \n # jmesPath:<\/span>
      \n # – path: "client_id"<\/span>
      \n # objectAlias: "client_id"<\/span>
      \n # – path: "client_secret"<\/span>
      \n # objectAlias: "client_secret"<\/span>
      \n # secretObjects:<\/span>
      \n # – data:<\/span>
      \n # – key: client_id<\/span>
      \n # objectName: client_id<\/span>
      \n # – key: client_secret<\/span>
      \n # objectName: client_secret<\/span>
      \n # secretName: argocd-secrets-store<\/span>
      \n # type: Opaque<\/span>
      \n # labels:<\/span>
      \n # app.kubernetes.io\/part-of: argocd<\/span><\/p>\n

      \u5b89\u88c5\u547d\u4ee4 \u6ce8:version\u5e76\u975eopensearch\u7248\u672c,\u800c\u662fCHART VERSION \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

      helm install<\/span> opensearch-master -f openserach-master.yaml –version 2.5<\/span>.1 opensearch\/opensearch
      \nopensearch-client.yaml<\/p>\n


      \nclusterName: "opensearch-cluster"<\/span>
      \nnodeGroup: "client"<\/span><\/p>\n

      # If discovery.type in the opensearch configuration is set to "single-node",<\/span>
      \n# this should be set to "true"<\/span>
      \n# If "true", replicas will be forced to 1<\/span>
      \nsingleNode: false<\/span><\/p>\n

      # The service that non master groups will try to connect to when joining the cluster<\/span>
      \n# This should be set to clusterName + "-" + nodeGroup for your master group<\/span>
      \nmasterService: "opensearch-cluster-master"<\/span><\/p>\n

      # OpenSearch roles that will be applied to this nodeGroup<\/span>
      \n# These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client<\/span>
      \nroles:
      \n – remote_cluster_client<\/p>\n

      replicas: 2<\/span><\/p>\n

      # if not set, falls back to parsing .Values.imageTag, then .Chart.appVersion.<\/span>
      \nmajorVersion: ""<\/span><\/p>\n

      global:
      \n # Set if you want to change the default docker registry, e.g. a private one.<\/span>
      \n dockerRegistry: ""<\/span><\/p>\n

      # Allows you to add any config files in {{ .Values.opensearchHome }}\/config<\/span>
      \nopensearchHome: \/usr\/share\/opensearch
      \n# such as opensearch.yml and log4j2.properties<\/span>
      \nconfig:
      \n # Values must be YAML literal style scalar \/ YAML multiline string.<\/span>
      \n # <filename>: |<\/span>
      \n # <formatted-value(s)><\/span>
      \n # log4j2.properties: |<\/span>
      \n # status = error<\/span>
      \n #<\/span>
      \n # appender.console.type = Console<\/span>
      \n # appender.console.name = console<\/span>
      \n # appender.console.layout.type = PatternLayout<\/span>
      \n # appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n<\/span>
      \n #<\/span>
      \n # rootLogger.level = info<\/span>
      \n # rootLogger.appenderRef.console.ref = console<\/span>
      \n opensearch.yml: |<\/span>
      \n cluster.name: opensearch-cluster
      \n # Bind to all interfaces because we don't know what IP address Docker will assign to us.<\/span>
      \n network.host: 0.0<\/span>.0.0
      \n # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.<\/span>
      \n # Implicitly done if ".singleNode" is set to "true".<\/span>
      \n # discovery.type: single-node<\/span>
      \n # Start OpenSearch Security Demo Configuration<\/span>
      \n # WARNING: revise all the lines below before you go into production<\/span>
      \n plugins:
      \n security:
      \n ssl:
      \n transport:
      \n pemcert_filepath: esnode.pem
      \n pemkey_filepath: esnode-key.pem
      \n pemtrustedcas_filepath: root-ca.pem
      \n enforce_hostname_verification: false<\/span>
      \n http:
      \n enabled: true<\/span>
      \n pemcert_filepath: esnode.pem
      \n pemkey_filepath: esnode-key.pem
      \n pemtrustedcas_filepath: root-ca.pem
      \n allow_unsafe_democertificates: true<\/span>
      \n allow_default_init_securityindex: true<\/span>
      \n authcz:
      \n admin_dn:
      \n – CN<\/span>=<\/span>kirk,OU=<\/span>client,O=<\/span>client,L=<\/span>test,C=<\/span>de
      \n audit.type: internal_opensearch
      \n enable_snapshot_restore_privilege: true<\/span>
      \n check_snapshot_restore_write_privileges: true<\/span>
      \n restapi:
      \n roles_enabled: [<\/span>"all_access"<\/span>, "security_rest_api_access"<\/span>]<\/span>
      \n system_indices:
      \n enabled: true<\/span>
      \n indices:
      \n [<\/span>
      \n ".opendistro-alerting-config"<\/span>,
      \n ".opendistro-alerting-alert*"<\/span>,
      \n ".opendistro-anomaly-results*"<\/span>,
      \n ".opendistro-anomaly-detector*"<\/span>,
      \n ".opendistro-anomaly-checkpoints"<\/span>,
      \n ".opendistro-anomaly-detection-state"<\/span>,
      \n ".opendistro-reports-*"<\/span>,
      \n ".opendistro-notifications-*"<\/span>,
      \n ".opendistro-notebooks"<\/span>,
      \n ".opendistro-asynchronous-search-response*"<\/span>,
      \n ]<\/span>
      \n ######## End OpenSearch Security Demo Configuration ########<\/span>
      \n # log4j2.properties:<\/span><\/p>\n

      # Extra environment variables to append to this nodeGroup<\/span>
      \n# This will be appended to the current 'env:' key. You can use any of the kubernetes env<\/span>
      \n# syntax here<\/span>
      \nextraEnvs: [<\/span>]<\/span>
      \n# – name: MY_ENVIRONMENT_VAR<\/span>
      \n# value: the_value_goes_here<\/span><\/p>\n

      # Allows you to load environment variables from kubernetes secret or config map<\/span>
      \nenvFrom: [<\/span>]<\/span>
      \n# – secretRef:<\/span>
      \n# name: env-secret<\/span>
      \n# – configMapRef:<\/span>
      \n# name: config-map<\/span><\/p>\n

      # A list of secrets and their paths to mount inside the pod<\/span>
      \n# This is useful for mounting certificates for security and for mounting<\/span>
      \n# the X-Pack license<\/span>
      \nsecretMounts: [<\/span>]<\/span><\/p>\n

      hostAliases: [<\/span>]<\/span>
      \n# – ip: "127.0.0.1"<\/span>
      \n# hostnames:<\/span>
      \n# – "foo.local"<\/span>
      \n# – "bar.local"<\/span><\/p>\n

      image:
      \n repository: "opensearchproject\/opensearch"<\/span>
      \n # override image tag, which is .Chart.AppVersion by default<\/span>
      \n tag: ""<\/span>
      \n pullPolicy: "IfNotPresent"<\/span><\/p>\n

      podAnnotations: {<\/span>}<\/span>
      \n # iam.amazonaws.com\/role: es-cluster<\/span><\/p>\n

      # additionals labels<\/span>
      \nlabels: {<\/span>}<\/span><\/p>\n

      opensearchJavaOpts: "-Xmx512M -Xms512M"<\/span><\/p>\n

      resources:
      \n requests:
      \n cpu: "500m"<\/span>
      \n memory: "100Mi"<\/span><\/p>\n

      initResources: {<\/span>}<\/span>
      \n# limits:<\/span>
      \n# cpu: "25m"<\/span>
      \n# memory: "128Mi"<\/span>
      \n# requests:<\/span>
      \n# cpu: "25m"<\/span>
      \n# memory: "128Mi"<\/span><\/p>\n

      sidecarResources: {<\/span>}<\/span>
      \n# limits:<\/span>
      \n# cpu: "25m"<\/span>
      \n# memory: "128Mi"<\/span>
      \n# requests:<\/span>
      \n# cpu: "25m"<\/span>
      \n# memory: "128Mi"<\/span><\/p>\n

      networkHost: "0.0.0.0"<\/span><\/p>\n

      rbac:
      \n create: false<\/span>
      \n serviceAccountAnnotations: {<\/span>}<\/span>
      \n serviceAccountName: ""<\/span><\/p>\n

      podSecurityPolicy:
      \n create: false<\/span>
      \n name: ""<\/span>
      \n spec:
      \n privileged: true<\/span>
      \n fsGroup:
      \n rule: RunAsAny
      \n runAsUser:
      \n rule: RunAsAny
      \n seLinux:
      \n rule: RunAsAny
      \n supplementalGroups:
      \n rule: RunAsAny
      \n volumes:
      \n – secret
      \n – configMap
      \n – persistentVolumeClaim
      \n – emptyDir<\/p>\n

      persistence:
      \n enabled: false<\/span>
      \n # Set to false to disable the `fsgroup-volume` initContainer that will update permissions on the persistent disk.<\/span>
      \n enableInitChown: false<\/span>
      \n # override image, which is busybox by default<\/span>
      \n # image: busybox<\/span>
      \n # override image tag, which is latest by default<\/span>
      \n # imageTag:<\/span>
      \n labels:
      \n # Add default labels for the volumeClaimTemplate of the StatefulSet<\/span>
      \n enabled: false<\/span>
      \n # OpenSearch Persistent Volume Storage Class<\/span>
      \n # If defined, storageClassName: <storageClass><\/span>
      \n # If set to "-", storageClassName: "", which disables dynamic provisioning<\/span>
      \n # If undefined (the default) or set to null, no storageClassName spec is<\/span>
      \n # set, choosing the default provisioner. (gp2 on AWS, standard on<\/span>
      \n # GKE, AWS & OpenStack)<\/span>
      \n #<\/span>
      \n # storageClass: "-"<\/span>
      \n accessModes:
      \n – ReadWriteOnce
      \n size: 1Gi
      \n annotations: {<\/span>}<\/span><\/p>\n

      extraVolumes: [<\/span>]<\/span>
      \n # – name: extras<\/span>
      \n # emptyDir: {}<\/span><\/p>\n

      extraVolumeMounts: [<\/span>]<\/span>
      \n # – name: extras<\/span>
      \n # mountPath: \/usr\/share\/extras<\/span>
      \n # readOnly: true<\/span><\/p>\n

      extraContainers: [<\/span>]<\/span>
      \n # – name: do-something<\/span>
      \n # image: busybox<\/span>
      \n # command: ['do', 'something']<\/span><\/p>\n

      extraInitContainers: [<\/span>]<\/span>
      \n # – name: do-somethings<\/span>
      \n # image: busybox<\/span>
      \n # command: ['do', 'something']<\/span><\/p>\n

      # This is the PriorityClass settings as defined in<\/span>
      \n# https:\/\/kubernetes.io\/docs\/concepts\/configuration\/pod-priority-preemption\/#priorityclass<\/span>
      \npriorityClassName: ""<\/span><\/p>\n

      # By default this will make sure two pods don't end up on the same node<\/span>
      \n# Changing this to a region would allow you to spread pods across regions<\/span>
      \nantiAffinityTopologyKey: "kubernetes.io\/hostname"<\/span><\/p>\n

      # Hard means that by default pods will only be scheduled if there are enough nodes for them<\/span>
      \n# and that they will never end up on the same node. Setting this to soft will do this "best effort"<\/span>
      \nantiAffinity: "soft"<\/span><\/p>\n

      # This is the node affinity settings as defined in<\/span>
      \n# https:\/\/kubernetes.io\/docs\/concepts\/configuration\/assign-pod-node\/#node-affinity-beta-feature<\/span>
      \nnodeAffinity: {<\/span>}<\/span><\/p>\n

      # This is the pod topology spread constraints<\/span>
      \n# https:\/\/kubernetes.io\/docs\/concepts\/workloads\/pods\/pod-topology-spread-constraints\/<\/span>
      \ntopologySpreadConstraints: [<\/span>]<\/span><\/p>\n

      # The default is to deploy all pods serially. By setting this to parallel all pods are started at<\/span>
      \n# the same time when bootstrapping the cluster<\/span>
      \npodManagementPolicy: "Parallel"<\/span><\/p>\n

      # The environment variables injected by service links are not used, but can lead to slow OpenSearch boot times when<\/span>
      \n# there are many services in the current namespace.<\/span>
      \n# If you experience slow pod startups you probably want to set this to `false`.<\/span>
      \nenableServiceLinks: true<\/span><\/p>\n

      protocol: https
      \nhttpPort: 9200<\/span>
      \ntransportPort: 9300<\/span><\/p>\n

      service:
      \n type: NodePort
      \n nodePort: "30601"<\/span><\/p>\n

      updateStrategy: RollingUpdate<\/p>\n

      # This is the max unavailable setting for the pod disruption budget<\/span>
      \n# The default value of 1 will make sure that kubernetes won't allow more than 1<\/span>
      \n# of your pods to be unavailable during maintenance<\/span>
      \nmaxUnavailable: 1<\/span><\/p>\n

      podSecurityContext:
      \n fsGroup: 1000<\/span>
      \n runAsUser: 1000<\/span><\/p>\n

      securityContext:
      \n capabilities:
      \n drop:
      \n – ALL
      \n # readOnlyRootFilesystem: true<\/span>
      \n runAsNonRoot: true<\/span>
      \n runAsUser: 1000<\/span><\/p>\n

      securityConfig:
      \n enabled: true<\/span>
      \n path: "\/usr\/share\/opensearch\/plugins\/opensearch-security\/securityconfig"<\/span>
      \n actionGroupsSecret:
      \n configSecret:
      \n internalUsersSecret:
      \n rolesSecret:
      \n rolesMappingSecret:
      \n tenantsSecret:
      \n # The following option simplifies securityConfig by using a single secret and<\/span>
      \n # specifying the config files as keys in the secret instead of creating<\/span>
      \n # different secrets for for each config file.<\/span>
      \n # Note that this is an alternative to the individual secret configuration<\/span>
      \n # above and shouldn't be used if the above secrets are used.<\/span>
      \n config:
      \n # There are multiple ways to define the configuration here:<\/span>
      \n # * If you define anything under data, the chart will automatically create<\/span>
      \n # a secret and mount it.<\/span>
      \n # * If you define securityConfigSecret, the chart will assume this secret is<\/span>
      \n # created externally and mount it.<\/span>
      \n # * It is an error to define both data and securityConfigSecret.<\/span>
      \n securityConfigSecret: ""<\/span>
      \n dataComplete: true<\/span>
      \n data: {<\/span>}<\/span>
      \n # config.yml: |-<\/span>
      \n # internal_users.yml: |-<\/span>
      \n # roles.yml: |-<\/span>
      \n # roles_mapping.yml: |-<\/span>
      \n # action_groups.yml: |-<\/span>
      \n # tenants.yml: |-<\/span><\/p>\n

      # How long to wait for opensearch to stop gracefully<\/span>
      \nterminationGracePeriod: 120<\/span><\/p>\n

      sysctlVmMaxMapCount: 262144<\/span><\/p>\n

      startupProbe:
      \n tcpSocket:
      \n port: 9200<\/span>
      \n initialDelaySeconds: 5<\/span>
      \n periodSeconds: 10<\/span>
      \n timeoutSeconds: 3<\/span>
      \n failureThreshold: 30<\/span>
      \nreadinessProbe:
      \n tcpSocket:
      \n port: 9200<\/span>
      \n periodSeconds: 5<\/span>
      \n timeoutSeconds: 3<\/span>
      \n failureThreshold: 3<\/span><\/p>\n

      ## Use an alternate scheduler.<\/span>
      \n## ref: https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/configure-multiple-schedulers\/<\/span>
      \n##<\/span>
      \nschedulerName: ""<\/span><\/p>\n

      imagePullSecrets: [<\/span>]<\/span>
      \nnodeSelector: {<\/span>}<\/span>
      \ntolerations: [<\/span>]<\/span><\/p>\n

      # Enabling this will publically expose your OpenSearch instance.<\/span>
      \n# Only enable this if you have security enabled on your cluster<\/span>
      \ningress:
      \n enabled: false<\/span>
      \n # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName<\/span>
      \n # See https:\/\/kubernetes.io\/blog\/2020\/04\/02\/improvements-to-the-ingress-api-in-kubernetes-1.18\/#specifying-the-class-of-an-ingress<\/span>
      \n # ingressClassName: nginx<\/span><\/p>\n

      annotations: {<\/span>}<\/span>
      \n # kubernetes.io\/ingress.class: nginx<\/span>
      \n # kubernetes.io\/tls-acme: "true"<\/span>
      \n path: \/
      \n hosts:
      \n – chart-example.local
      \n tls: [<\/span>]<\/span>
      \n # – secretName: chart-example-tls<\/span>
      \n # hosts:<\/span>
      \n # – chart-example.local<\/span><\/p>\n

      nameOverride: ""<\/span>
      \nfullnameOverride: ""<\/span><\/p>\n

      masterTerminationFix: false<\/span><\/p>\n

      lifecycle: {<\/span>}<\/span>
      \n # preStop:<\/span>
      \n # exec:<\/span>
      \n # command: ["\/bin\/sh", "-c", "echo Hello from the postStart handler > \/usr\/share\/message"]<\/span>
      \n # postStart:<\/span>
      \n # exec:<\/span>
      \n # command:<\/span>
      \n # – bash<\/span>
      \n # – -c<\/span>
      \n # – |<\/span>
      \n # #!\/bin\/bash<\/span>
      \n # # Add a template to adjust number of shards\/replicas1<\/span>
      \n # TEMPLATE_NAME=my_template<\/span>
      \n # INDEX_PATTERN="logstash-*"<\/span>
      \n # SHARD_COUNT=8<\/span>
      \n # REPLICA_COUNT=1<\/span>
      \n # ES_URL=http:\/\/localhost:9200<\/span>
      \n # while [[ "$(curl -s -o \/dev\/null -w '%{http_code}\\\\n' $ES_URL)" != "200" ]]; do sleep 1; done<\/span>
      \n # curl -XPUT "$ES_URL\/_template\/$TEMPLATE_NAME" -H 'Content-Type: application\/json' -d'{"index_patterns":['\\\\""$INDEX_PATTERN"\\\\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}'<\/span><\/p>\n

      keystore: [<\/span>]<\/span>
      \n# To add secrets to the keystore:<\/span>
      \n# – secretName: opensearch-encryption-key<\/span><\/p>\n

      networkPolicy:
      \n create: false<\/span>
      \n ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.<\/span>
      \n ## In order for a Pod to access OpenSearch, it needs to have the following label:<\/span>
      \n ## {{ template "uname" . }}-client: "true"<\/span>
      \n ## Example for default configuration to access HTTP port:<\/span>
      \n ## opensearch-master-http-client: "true"<\/span>
      \n ## Example for default configuration to access transport port:<\/span>
      \n ## opensearch-master-transport-client: "true"<\/span><\/p>\n

      http:
      \n enabled: false<\/span><\/p>\n

      # Deprecated<\/span>
      \n# please use the above podSecurityContext.fsGroup instead<\/span>
      \nfsGroup: ""<\/span><\/p>\n

      ## Set optimal sysctl's. This requires privilege. Can be disabled if<\/span>
      \n## the system has already been preconfigured. (Ex: https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/vm-max-map-count.html)<\/span>
      \n## Also see: https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/sysctl-cluster\/<\/span>
      \nsysctl:
      \n enabled: false<\/span><\/p>\n

      ## Enable to add 3rd Party \/ Custom plugins not offered in the default OpenSearch image.<\/span>
      \nplugins:
      \n enabled: false<\/span>
      \n installList: [<\/span>]<\/span>
      \n # – example-fake-plugin<\/span><\/p>\n

      # — Array of extra K8s manifests to deploy<\/span>
      \nextraObjects: [<\/span>]<\/span>
      \n # – apiVersion: secrets-store.csi.x-k8s.io\/v1<\/span>
      \n # kind: SecretProviderClass<\/span>
      \n # metadata:<\/span>
      \n # name: argocd-secrets-store<\/span>
      \n # spec:<\/span>
      \n # provider: aws<\/span>
      \n # parameters:<\/span>
      \n # objects: |<\/span>
      \n # – objectName: "argocd"<\/span>
      \n # objectType: "secretsmanager"<\/span>
      \n # jmesPath:<\/span>
      \n # – path: "client_id"<\/span>
      \n # objectAlias: "client_id"<\/span>
      \n # – path: "client_secret"<\/span>
      \n # objectAlias: "client_secret"<\/span>
      \n # secretObjects:<\/span>
      \n # – data:<\/span>
      \n # – key: client_id<\/span>
      \n # objectName: client_id<\/span>
      \n # – key: client_secret<\/span>
      \n # objectName: client_secret<\/span>
      \n # secretName: argocd-secrets-store<\/span>
      \n # type: Opaque<\/span>
      \n # labels:<\/span>
      \n # app.kubernetes.io\/part-of: argocd<\/span><\/p>\n

      helm install<\/span> opensearch-client -f openserach-client.yaml –version 2.5<\/span>.1 opensearch\/opensearch<\/p>\n

      \u8bbf\u95ee\u6d4b\u8bd5 \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

      yaml\u6587\u4ef6\u90e8\u7f72opensearch\u4e09\u8282\u70b9<\/h4>\n

      \u90e8\u7f72\u6587\u4ef6\u5982\u4e0b: os_cm.yml\u3001os_headless.yml\u3001os_statefulset_hostpath.yml\u3001os_svc.yml<\/p>\n

      \u9700\u8981\u6ce8\u610f\u955c\u50cf\u5730\u5740\u53ef\u4ee5\u62c9\u53d6\u5230,\u6b64\u65b9\u6848\u91c7\u7528\u7684\u662fhostpath\u65b9\u5f0f\u9700\u8981\u6bcf\u4e2apod\u8282\u70b9\u521b\u5efa\u76ee\u5f55,\u4e5f\u53ef\u91c7\u7528nfs\u5171\u4eab\u76ee\u5f55\u65b9\u5f0f\u505a\u6570\u636e\u6301\u4e45\u5316\u3002 \u6267\u884c<\/p>\n

      kubectl apply -f os_cm.yml
      \nkubectl apply -f os_headless.yml
      \nkubectl apply -f os_statefulset_hostpath.yml
      \nkubectl apply -f os_svc.yml <\/p>\n

      \u67e5\u770b\u6587\u4ef6\u5185\u5bb9<\/p>\n

      [<\/span>root@master01 openserach_install]<\/span># cat os_cm.yml<\/span><\/p>\n

      apiVersion: v1
      \ndata:
      \n opensearch.yml: |<\/span>
      \n cluster.name: opensearch-cluster<\/p>\n

      # Bind to all interfaces because we don't know what IP address Docker will assign to us.<\/span>
      \n network.host: 0.0<\/span>.0.0<\/p>\n

      # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.<\/span>
      \n # Implicitly done if ".singleNode" is set to "true".<\/span>
      \n # discovery.type: single-node<\/span><\/p>\n

      # Start OpenSearch Security Demo Configuration<\/span>
      \n # WARNING: revise all the lines below before you go into production<\/span>
      \n plugins:
      \n security:
      \n ssl:
      \n transport:
      \n pemcert_filepath: esnode.pem
      \n pemkey_filepath: esnode-key.pem
      \n pemtrustedcas_filepath: root-ca.pem
      \n enforce_hostname_verification: false<\/span>
      \n http:
      \n enabled: true<\/span>
      \n pemcert_filepath: esnode.pem
      \n pemkey_filepath: esnode-key.pem
      \n pemtrustedcas_filepath: root-ca.pem
      \n allow_unsafe_democertificates: true<\/span>
      \n allow_default_init_securityindex: true<\/span>
      \n authcz:
      \n admin_dn:
      \n – CN<\/span>=<\/span>kirk,OU=<\/span>client,O=<\/span>client,L=<\/span>test,C=<\/span>de
      \n audit.type: internal_opensearch
      \n enable_snapshot_restore_privilege: true<\/span>
      \n check_snapshot_restore_write_privileges: true<\/span>
      \n restapi:
      \n roles_enabled: [<\/span>"all_access"<\/span>, "security_rest_api_access"<\/span>]<\/span>
      \n system_indices:
      \n enabled: true<\/span>
      \n indices:
      \n [<\/span>
      \n ".opendistro-alerting-config"<\/span>,
      \n ".opendistro-alerting-alert*"<\/span>,
      \n ".opendistro-anomaly-results*"<\/span>,
      \n ".opendistro-anomaly-detector*"<\/span>,
      \n ".opendistro-anomaly-checkpoints"<\/span>,
      \n ".opendistro-anomaly-detection-state"<\/span>,
      \n ".opendistro-reports-*"<\/span>,
      \n ".opendistro-notifications-*"<\/span>,
      \n ".opendistro-notebooks"<\/span>,
      \n ".opendistro-asynchronous-search-response*"<\/span>,
      \n ]<\/span>
      \n ######## End OpenSearch Security Demo Configuration ########<\/span>
      \nkind: ConfigMap
      \nmetadata:
      \n labels:
      \n app.kubernetes.io\/component: opensearch-cluster-master
      \n app.kubernetes.io\/instance: opensearch-server
      \n app.kubernetes.io\/name: opensearch
      \n name: opensearch-cluster-master-config
      \n namespace: default
      \n[<\/span>root@master01 openserach_install]<\/span># cat os_headless.yml<\/span>
      \napiVersion: v1
      \nkind: Service
      \nmetadata:
      \n annotations:
      \n service.alpha.kubernetes.io\/tolerate-unready-endpoints: "true"<\/span>
      \n labels:
      \n app.kubernetes.io\/component: opensearch-cluster-master
      \n app.kubernetes.io\/instance: opensearch-server
      \n app.kubernetes.io\/name: opensearch
      \n name: opensearch-cluster-master-headless
      \n namespace: default
      \nspec:
      \n clusterIP: None
      \n clusterIPs:
      \n – None
      \n internalTrafficPolicy: Cluster
      \n ipFamilies:
      \n – IPv4
      \n ipFamilyPolicy: SingleStack
      \n ports:
      \n – name: http
      \n port: 9200<\/span>
      \n protocol: TCP
      \n targetPort: 9200<\/span>
      \n – name: transport
      \n port: 9300<\/span>
      \n protocol: TCP
      \n targetPort: 9300<\/span>
      \n publishNotReadyAddresses: true<\/span>
      \n selector:
      \n app.kubernetes.io\/instance: opensearch-server
      \n app.kubernetes.io\/name: opensearch
      \n sessionAffinity: None<\/p>\n

      cat<\/span> os_statefulset_hostpath.yml <\/p>\n

      apiVersion: v1
      \nitems:
      \n– apiVersion: apps\/v1
      \n kind: StatefulSet
      \n metadata:
      \n annotations:
      \n majorVersion: "2"<\/span>
      \n generation: 1<\/span>
      \n labels:
      \n app.kubernetes.io\/component: opensearch-cluster-master
      \n app.kubernetes.io\/instance: opensearch-server
      \n app.kubernetes.io\/name: opensearch
      \n name: opensearch-cluster-master
      \n namespace: default
      \n spec:
      \n podManagementPolicy: Parallel
      \n replicas: 3<\/span>
      \n revisionHistoryLimit: 10<\/span>
      \n selector:
      \n matchLabels:
      \n app.kubernetes.io\/instance: opensearch-server
      \n app.kubernetes.io\/name: opensearch
      \n serviceName: opensearch-cluster-master-headless
      \n template:
      \n metadata:
      \n creationTimestamp: null
      \n labels:
      \n app.kubernetes.io\/component: opensearch-cluster-master
      \n app.kubernetes.io\/instance: opensearch-server
      \n app.kubernetes.io\/name: opensearch
      \n name: opensearch-cluster-master
      \n spec:
      \n affinity:
      \n podAntiAffinity:
      \n preferredDuringSchedulingIgnoredDuringExecution:
      \n – podAffinityTerm:
      \n labelSelector:
      \n matchExpressions:
      \n – key: app.kubernetes.io\/instance
      \n operator: In
      \n values:
      \n – opensearch-server
      \n – key: app.kubernetes.io\/name
      \n operator: In
      \n values:
      \n – opensearch
      \n topologyKey: kubernetes.io\/hostname
      \n weight: 1<\/span>
      \n containers:
      \n – env:
      \n – name: node.name
      \n valueFrom:
      \n fieldRef:
      \n apiVersion: v1
      \n fieldPath: metadata.name
      \n – name: cluster.initial_master_nodes
      \n value: opensearch-cluster-master-0,opensearch-cluster-master-1,opensearch-cluster-master-2,
      \n – name: discovery.seed_hosts
      \n value: opensearch-cluster-master-headless
      \n – name: cluster.name
      \n value: opensearch-cluster
      \n – name: network.host
      \n value: 0.0<\/span>.0.0
      \n – name: OPENSEARCH_JAVA_OPTS
      \n value: -Xmx512M -Xms512M
      \n – name: node.roles
      \n value: master,ingest,data,remote_cluster_client,
      \n image: opensearchproject\/opensearch:2.0.0
      \n imagePullPolicy: IfNotPresent
      \n name: opensearch
      \n ports:
      \n – containerPort: 9200<\/span>
      \n name: http
      \n protocol: TCP
      \n – containerPort: 9300<\/span>
      \n name: transport
      \n protocol: TCP
      \n readinessProbe:
      \n failureThreshold: 3<\/span>
      \n periodSeconds: 5<\/span>
      \n successThreshold: 1<\/span>
      \n tcpSocket:
      \n port: 9200<\/span>
      \n timeoutSeconds: 3<\/span>
      \n resources:
      \n requests:
      \n cpu: "1"<\/span>
      \n memory: 100Mi
      \n securityContext:
      \n capabilities:
      \n drop:
      \n – ALL
      \n runAsNonRoot: true<\/span>
      \n runAsUser: 1000<\/span>
      \n startupProbe:
      \n failureThreshold: 30<\/span>
      \n initialDelaySeconds: 5<\/span>
      \n periodSeconds: 10<\/span>
      \n successThreshold: 1<\/span>
      \n tcpSocket:
      \n port: 9200<\/span>
      \n timeoutSeconds: 3<\/span>
      \n terminationMessagePath: \/dev\/termination-log
      \n terminationMessagePolicy: File
      \n volumeMounts:
      \n – mountPath: \/usr\/share\/opensearch\/data
      \n name: opensearch-cluster-master
      \n – mountPath: \/usr\/share\/opensearch\/config\/opensearch.yml
      \n name: config
      \n subPath: opensearch.yml
      \n dnsPolicy: ClusterFirst
      \n enableServiceLinks: true<\/span>
      \n initContainers:
      \n – args:
      \n – chown<\/span> -R 1000<\/span>:1000 \/usr\/share\/opensearch\/data
      \n command:
      \n – sh<\/span>
      \n – -c
      \n image: busybox:latest
      \n imagePullPolicy: Always
      \n name: fsgroup-volume
      \n resources: {<\/span>}<\/span>
      \n securityContext:
      \n runAsUser: 0<\/span>
      \n terminationMessagePath: \/dev\/termination-log
      \n terminationMessagePolicy: File
      \n volumeMounts:
      \n – mountPath: \/usr\/share\/opensearch\/data
      \n name: opensearch-cluster-master
      \n restartPolicy: Always
      \n schedulerName: default-scheduler
      \n securityContext:
      \n fsGroup: 1000<\/span>
      \n runAsUser: 1000<\/span>
      \n terminationGracePeriodSeconds: 120<\/span>
      \n volumes:
      \n – configMap:
      \n defaultMode: 420<\/span>
      \n name: opensearch-cluster-master-config
      \n name: config
      \n – hostPath:
      \n path: \/tmp\/osdata
      \n name: opensearch-cluster-master
      \n updateStrategy:
      \n type: RollingUpdate
      \nkind: List<\/p>\n

      cat<\/span> os_svc.yml<\/p>\n

      apiVersion: v1
      \nkind: Service
      \nmetadata:
      \n labels:
      \n app.kubernetes.io\/component: opensearch-cluster-master
      \n app.kubernetes.io\/instance: opensearch-server
      \n app.kubernetes.io\/name: opensearch
      \n name: opensearch-cluster-master
      \n namespace: default
      \nspec:
      \n internalTrafficPolicy: Cluster
      \n ipFamilies:
      \n – IPv4
      \n ipFamilyPolicy: SingleStack
      \n ports:
      \n – name: http
      \n port: 9200<\/span>
      \n nodePort: 32001<\/span>
      \n protocol: TCP
      \n targetPort: 9200<\/span>
      \n – name: transport
      \n port: 9300<\/span>
      \n protocol: TCP
      \n targetPort: 9300<\/span>
      \n selector:
      \n app.kubernetes.io\/instance: opensearch-server
      \n app.kubernetes.io\/name: opensearch
      \n sessionAffinity: None
      \n type: NodePort<\/p>\n","protected":false},"excerpt":{"rendered":"

      \u6587\u7ae0\u6d4f\u89c8\u9605\u8bfb2.5k\u6b21\uff0c\u70b9\u8d5e30\u6b21\uff0c\u6536\u85cf23\u6b21\u3002\u5176\u4e2ddata\u8282\u70b9\u4e5f\u53ef\u62c6\u5206\u51fa\u6765\u672c\u6587\u4e0d\u505a\u5c55\u793a\u3002do sleep 1;\u5b89\u88c5\u547d\u4ee4\u3002_opensearch\u90e8\u7f72<\/p>\n","protected":false},"author":2,"featured_media":22631,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[27,1745,1744],"topic":[],"class_list":["post-22651","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-server","tag-docker","tag-helm","tag-opensearch"],"yoast_head":"\nOpensearch\u96c6\u7fa4\u90e8\u7f72\u3010docker\u3001\u670d\u52a1\u5668\u3001Helm\u591a\u79cd\u90e8\u7f72\u65b9\u5f0f\u3011 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.wsisp.com\/helps\/22651.html\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Opensearch\u96c6\u7fa4\u90e8\u7f72\u3010docker\u3001\u670d\u52a1\u5668\u3001Helm\u591a\u79cd\u90e8\u7f72\u65b9\u5f0f\u3011 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta property=\"og:description\" content=\"\u6587\u7ae0\u6d4f\u89c8\u9605\u8bfb2.5k\u6b21\uff0c\u70b9\u8d5e30\u6b21\uff0c\u6536\u85cf23\u6b21\u3002\u5176\u4e2ddata\u8282\u70b9\u4e5f\u53ef\u62c6\u5206\u51fa\u6765\u672c\u6587\u4e0d\u505a\u5c55\u793a\u3002do sleep 1;\u5b89\u88c5\u547d\u4ee4\u3002_opensearch\u90e8\u7f72\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.wsisp.com\/helps\/22651.html\" \/>\n<meta property=\"og:site_name\" content=\"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-18T22:13:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/04\/20250418221304-6802ce70c9b79.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"22 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/22651.html\",\"url\":\"https:\/\/www.wsisp.com\/helps\/22651.html\",\"name\":\"Opensearch\u96c6\u7fa4\u90e8\u7f72\u3010docker\u3001\u670d\u52a1\u5668\u3001Helm\u591a\u79cd\u90e8\u7f72\u65b9\u5f0f\u3011 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"isPartOf\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\"},\"datePublished\":\"2025-04-18T22:13:08+00:00\",\"dateModified\":\"2025-04-18T22:13:08+00:00\",\"author\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/22651.html#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.wsisp.com\/helps\/22651.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/22651.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.wsisp.com\/helps\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Opensearch\u96c6\u7fa4\u90e8\u7f72\u3010docker\u3001\u670d\u52a1\u5668\u3001Helm\u591a\u79cd\u90e8\u7f72\u65b9\u5f0f\u3011\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\",\"url\":\"https:\/\/www.wsisp.com\/helps\/\",\"name\":\"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"description\":\"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"contentUrl\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"caption\":\"admin\"},\"sameAs\":[\"http:\/\/wp.wsisp.com\"],\"url\":\"https:\/\/www.wsisp.com\/helps\/author\/admin\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Opensearch\u96c6\u7fa4\u90e8\u7f72\u3010docker\u3001\u670d\u52a1\u5668\u3001Helm\u591a\u79cd\u90e8\u7f72\u65b9\u5f0f\u3011 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.wsisp.com\/helps\/22651.html","og_locale":"zh_CN","og_type":"article","og_title":"Opensearch\u96c6\u7fa4\u90e8\u7f72\u3010docker\u3001\u670d\u52a1\u5668\u3001Helm\u591a\u79cd\u90e8\u7f72\u65b9\u5f0f\u3011 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","og_description":"\u6587\u7ae0\u6d4f\u89c8\u9605\u8bfb2.5k\u6b21\uff0c\u70b9\u8d5e30\u6b21\uff0c\u6536\u85cf23\u6b21\u3002\u5176\u4e2ddata\u8282\u70b9\u4e5f\u53ef\u62c6\u5206\u51fa\u6765\u672c\u6587\u4e0d\u505a\u5c55\u793a\u3002do sleep 1;\u5b89\u88c5\u547d\u4ee4\u3002_opensearch\u90e8\u7f72","og_url":"https:\/\/www.wsisp.com\/helps\/22651.html","og_site_name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","article_published_time":"2025-04-18T22:13:08+00:00","og_image":[{"url":"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/04\/20250418221304-6802ce70c9b79.png"}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"admin","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"22 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.wsisp.com\/helps\/22651.html","url":"https:\/\/www.wsisp.com\/helps\/22651.html","name":"Opensearch\u96c6\u7fa4\u90e8\u7f72\u3010docker\u3001\u670d\u52a1\u5668\u3001Helm\u591a\u79cd\u90e8\u7f72\u65b9\u5f0f\u3011 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","isPartOf":{"@id":"https:\/\/www.wsisp.com\/helps\/#website"},"datePublished":"2025-04-18T22:13:08+00:00","dateModified":"2025-04-18T22:13:08+00:00","author":{"@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41"},"breadcrumb":{"@id":"https:\/\/www.wsisp.com\/helps\/22651.html#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.wsisp.com\/helps\/22651.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.wsisp.com\/helps\/22651.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.wsisp.com\/helps"},{"@type":"ListItem","position":2,"name":"Opensearch\u96c6\u7fa4\u90e8\u7f72\u3010docker\u3001\u670d\u52a1\u5668\u3001Helm\u591a\u79cd\u90e8\u7f72\u65b9\u5f0f\u3011"}]},{"@type":"WebSite","@id":"https:\/\/www.wsisp.com\/helps\/#website","url":"https:\/\/www.wsisp.com\/helps\/","name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","description":"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"Person","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41","name":"admin","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/","url":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","contentUrl":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","caption":"admin"},"sameAs":["http:\/\/wp.wsisp.com"],"url":"https:\/\/www.wsisp.com\/helps\/author\/admin"}]}},"_links":{"self":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/22651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/comments?post=22651"}],"version-history":[{"count":0,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/22651\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/media\/22631"}],"wp:attachment":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/media?parent=22651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/categories?post=22651"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/tags?post=22651"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/topic?post=22651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}