WAITING FOR OS TO START #17

Open
deanfourie1 opened this issue Mar 20, 2024 · 5 comments

@deanfourie1

Hi there,

When attempting to run this container, I am receiving multiple "WAITING FOR OS TO START" messages.

I have confirmed that OpenSearch is running and accessible via web at http://ip:5601

Any ideas?

Thanks

@mammo0
Owner

mammo0 commented Mar 20, 2024

Hi,

I assume you are running OpenSearch (OS) in a separate environment? Because port 5601 belongs to the dashboard image of OS and this is not part of the Docker compose file of this repo.

Then your error message means that the Arkime container can't reach port 9200 (default for OS REST API) of your OS node (not the dashboard). Can you ping the OS node container from the Arkime container?

It would be easier for me if you describe your setup in more detail.

@deanfourie1
Author

Sure, sorry.

I have installed OpenSearch using docker-compose from the OpenSearch documentation directly.

This, when run, has created the following containers:

root@arkime:/home/opensearch# docker container ls -a
CONTAINER ID   IMAGE                                            COMMAND                  CREATED          STATUS                        PORTS                                                                                                      NAMES
ae0a203db722   mammo0/docker-arkime:latest                      "/data/startarkime.sh"   42 minutes ago   Exited (137) 41 minutes ago                                                                                                              sweet_roentgen
5c018ec144f3   mammo0/docker-arkime:latest                      "/data/startarkime.sh"   44 minutes ago   Exited (137) 42 minutes ago                                                                                                              hungry_mclean
7c6aaf66f0cc   opensearchproject/opensearch:latest              "./opensearch-docker…"   46 hours ago     Up 48 seconds                 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp, 9300/tcp, 0.0.0.0:9600->9600/tcp, :::9600->9600/tcp, 9650/tcp   opensearch-node1
a098c3349b43   opensearchproject/opensearch-dashboards:latest   "./opensearch-dashbo…"   46 hours ago     Up 48 seconds                 0.0.0.0:5601->5601/tcp, :::5601->5601/tcp                                                                  opensearch-dashboards
e7b736bd76ed   opensearchproject/opensearch:latest              "./opensearch-docker…"   46 hours ago     Up 48 seconds                 9200/tcp, 9300/tcp, 9600/tcp, 9650/tcp                                                                     opensearch-node2

It appears there is an active node listening for connections on 9200.
I have also set a password in the .env environment file for OpenSearch.

I am attempting to run the container with the following docker command:

docker run -e OS_HOST=127.0.0.1 -e OS_PORT=9200 -v /home/arkime/config:/data/config -v /home/arkime/data:/data/pcap -v /home/arkime/log:/data/logs mammo0/docker-arkime:latest

Thanks

@mammo0
Owner

mammo0 commented Mar 20, 2024

Can you ping the opensearch-node1 container from the Arkime container?

You are using the compose file from here, right? Then Docker compose creates a separate network for OS.
According to your docker run command the Arkime container uses the default bridge network. I guess that the Arkime container cannot reach the port 9200 on your local machine from the bridged network.

One possibility to solve that is to add the Arkime container to the OS network.

@ajtrevi2

ajtrevi2 commented Mar 22, 2024

Fixed some problems with the script in /data/startarkime.sh, but Arkime did not open a port on 8005. I checked using "cat /etc/services"; no port for 8005 is active. I installed systemctl to verify Arkime loaded. Arkime isn't loaded.

changed http to https
to verify OpenSearch status you need to put the username and password in curl
since no SSL is being used, the --insecure option must be active


#!/bin/bash

echo "Giving OS time to start..."
# quote the credentials and the URL so the shell does not interpret '<', '>' or '?'
until curl -u "<USERNAME>:<PASSWORD>" --insecure -sS "https://<IP>:<PORT>/_cluster/health?wait_for_status=yellow" > /dev/null 2>&1
do
    echo "Waiting for OS to start"
    sleep 1
done
echo
echo "OS started..."

# set runtime environment variables
export ARKIME_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w32 | head -n1)  # random password
export ARKIME_LOCALELASTICSEARCH=no
export ARKIME_ELASTICSEARCH=https://IP:PORT
export ARKIME_INET=no

if [ ! -f $ARKIMEDIR/etc/.initialized ]; then
    echo -e "$ARKIME_LOCALELASTICSEARCH\n$ARKIME_INET" | $ARKIMEDIR/bin/Configure
    echo INIT | $ARKIMEDIR/db/db.pl https://IP:PORT init
    $ARKIMEDIR/bin/arkime_add_user.sh admin "Admin User" $ARKIME_ADMIN_PASSWORD --admin
    echo $ARKIME_VERSION > $ARKIMEDIR/etc/.initialized
else
    # possible update
    read old_ver < $ARKIMEDIR/etc/.initialized
    # detect the newer version
    newer_ver=`echo -e "$old_ver\n$ARKIME_VERSION" | sort -rV | head -n 1`
    # the old version should not be the same as the newer version
    # otherwise -> upgrade
    if [ "$old_ver" != "$newer_ver" ]; then
        echo "Upgrading OS database..."
        echo -e "$ARKIME_LOCALELASTICSEARCH\n$ARKIME_INET" | $ARKIMEDIR/bin/Configure
        $ARKIMEDIR/db/db.pl https://$OS_HOST:$OS_PORT upgradenoprompt
        echo $ARKIME_VERSION > $ARKIMEDIR/etc/.initialized
    fi
fi

# start cron daemon for logrotate
service cron start


echo "Look at log files for errors"
if [ "$CAPTURE" = "on" ]; then
    echo "  /data/logs/capture.log"
fi
if [ "$VIEWER" = "on" ]; then
    echo "  /data/logs/viewer.log"
fi


# check if the capture process should be started
if [ "$CAPTURE" = "on" ]; then
    # ensure /data/pcap directory is writable for user 'nobody' (used by the capture process)
    chmod 757 /data/pcap

    echo "Launch capture..."
    if [ "$VIEWER" = "on" ]; then
        # Background execution
        exec $ARKIMEDIR/bin/capture --config $ARKIMEDIR/etc/config.ini --host $ARKIME_HOSTNAME >> $ARKIMEDIR/logs/capture.log 2>&1 &
    else
        # If only capture, foreground execution
        exec $ARKIMEDIR/bin/capture --config $ARKIMEDIR/etc/config.ini --host $ARKIME_HOSTNAME >> $ARKIMEDIR/logs/capture.log 2>&1
    fi
fi

# check if the viewer should be started
if [ "$VIEWER" = "on" ]; then
    echo "Launch viewer..."
    echo "Visit http://127.0.0.1:8005 with your favorite browser."
    echo "  user: admin"
    echo "  password: $ARKIME_ADMIN_PASSWORD"

    pushd $ARKIMEDIR/viewer
    exec $ARKIMEDIR/bin/node viewer.js -c $ARKIMEDIR/etc/config.ini --host $ARKIME_HOSTNAME >> $ARKIMEDIR/logs/viewer.log 2>&1
    popd
fi

Also tried to run arkime-parse-pcap-folder.sh.
Since Arkime isn't loaded, it couldn't find the config.ini.

@mammo0
Owner

mammo0 commented Mar 22, 2024

Hello @ajtrevi2,

> changed http to https

To use Arkime with an SSL-enabled OS, changes in the config.ini must be made. Mainly the elasticsearch= must be correctly set. This can be done through the startarkime.sh script. There the ARKIME_ELASTICSEARCH must be changed.
But currently it is not intended to use this Docker image with an OS node in SSL mode. I will update the README file. Edit: Updated README file

@deanfourie1
Your issue can be a consequence of the SSL problem, because in the default Docker compose file of OS an admin password is set via the env variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
This is currently also not supported.

Please try to set the following environment variables for your OS nodes:

  • DISABLE_SECURITY_PLUGIN=true
  • DISABLE_INSTALL_DEMO_CONFIG=true

And do not set OPENSEARCH_INITIAL_ADMIN_PASSWORD.
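
Added example (not part of the thread or of the docker-arkime image): the wait loop discards curl's output, so the causes raised in the comments above (Arkime on a different Docker network than OS, an OS node in SSL mode, an admin password being set) all look like the same endless wait. This sketch maps curl's exit status and the HTTP status code to the likely cause; `OS_SCHEME`, `OS_USER` and `OS_PASS` are hypothetical variable names, and the hint texts are this example's own wording.

```shell
#!/bin/bash
# Added example, not from the docker-arkime repository.
# OS_HOST/OS_PORT appear in the thread; OS_SCHEME, OS_USER and OS_PASS
# are hypothetical variables introduced for this sketch.

# Map curl's exit status and the HTTP status code to a likely cause.
classify_probe() {
    local rc=$1 http=$2 host=$3
    case "$rc" in
        6)  echo "dns: '$host' does not resolve; is Arkime on the OS network?"; return ;;
        7)  case "$host" in
                127.*|localhost)
                    echo "loopback: '$host' is the Arkime container itself" ;;
                *)  echo "refused: nothing listening on that host and port" ;;
            esac
            return ;;
        28) echo "timeout: no answer from '$host' on this network"; return ;;
        35|60) echo "tls: handshake or certificate verification failed"; return ;;
        52|56) echo "no-http-reply: connection closed early; http vs https?"; return ;;
    esac
    case "$http" in
        200)     echo "ok" ;;
        401|403) echo "auth: the node requires credentials" ;;
        *)       echo "unknown: curl exit $rc, HTTP $http" ;;
    esac
}

# One probe of the health endpoint the wait loop polls, keeping the error.
probe_os() {
    local url http rc=0
    url="${OS_SCHEME:-http}://${OS_HOST}:${OS_PORT:-9200}/_cluster/health"
    http=$(curl -sS -m 5 -o /dev/null -w '%{http_code}' \
        ${OS_USER:+-u "$OS_USER:$OS_PASS"} "$url" 2>/dev/null) || rc=$?
    classify_probe "$rc" "$http" "$OS_HOST"
}

# Run only when a target is configured, e.g. inside the Arkime container.
if [ -n "${OS_HOST:-}" ]; then
    probe_os
fi
```

With `OS_HOST=127.0.0.1`, as in the `docker run` command earlier in the thread, a refused connection is reported as `loopback` rather than as a generic wait.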


3 participants