Properly separate 1.x/2.x/default opensearch docker entrypoint like in opensearch-dashboards (#4452)

Signed-off-by: Peter Zhu <zhujiaxi@amazon.com>

Author: peterzhuamazon

docker/release/README.md

@@ -103,11 +103,11 @@ Here are three example scenarios of using above variables:
 #### Scenario 2: No demo certs/configs + disable security on both OpenSearch and OpenSearch-Dashboards:
   * OpenSearch:
      ```
-     docker run -it -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "DISABLE_INSTALL_DEMO_CONFIG=true" -e "DISABLE_SECURITY_PLUGIN=true" opensearchproject/opensearch:1.1.0
+     $ docker run -it -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "DISABLE_INSTALL_DEMO_CONFIG=true" -e "DISABLE_SECURITY_PLUGIN=true" opensearchproject/opensearch:1.1.0
      ```
-    Note: For OpenSearch > 2.11.1 and > 1.3.14, `DISABLE_SECURITY_PLUGIN` when set to true will automatically disable the security demo configuration setup and will no longer require `DISABLE_INSTALL_DEMO_CONFIG` to be explicitly set.
+    Note: For OpenSearch 2.12 and later, `DISABLE_SECURITY_PLUGIN` when set to true will automatically disable the security demo configuration setup and will no longer require `DISABLE_INSTALL_DEMO_CONFIG` to be explicitly set.
      ```
-     docker run -it -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "DISABLE_SECURITY_PLUGIN=true" opensearchproject/opensearch:2.12.0
+     $ docker run -it -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "DISABLE_SECURITY_PLUGIN=true" opensearchproject/opensearch:2.12.0
      ```
   * OpenSearch-Dashboards:
      ```

docker/release/config/opensearch/opensearch-docker-entrypoint-1.x.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This script specify the entrypoint startup actions for opensearch
+# It will start both opensearch and performance analyzer plugin cli
+# If either process failed, the entire docker container will be removed
+# in favor of a newly started container
+
+# Export OpenSearch Home
+export OPENSEARCH_HOME=/usr/share/opensearch
+export OPENSEARCH_PATH_CONF=$OPENSEARCH_HOME/config
+
+# The virtual file /proc/self/cgroup should list the current cgroup
+# membership. For each hierarchy, you can follow the cgroup path from
+# this file to the cgroup filesystem (usually /sys/fs/cgroup/) and
+# introspect the statistics for the cgroup for the given
+# hierarchy. Alas, Docker breaks this by mounting the container
+# statistics at the root while leaving the cgroup paths as the actual
+# paths. Therefore, OpenSearch provides a mechanism to override
+# reading the cgroup path from /proc/self/cgroup and instead uses the
+# cgroup path defined the JVM system property
+# opensearch.cgroups.hierarchy.override. Therefore, we set this value here so
+# that cgroup statistics are available for the container this process
+# will run in.
+export OPENSEARCH_JAVA_OPTS="-Dopensearch.cgroups.hierarchy.override=/ $OPENSEARCH_JAVA_OPTS"
+
+# Security Plugin
+function setupSecurityPlugin {
+    SECURITY_PLUGIN="opensearch-security"
+
+    if [ -d "$OPENSEARCH_HOME/plugins/$SECURITY_PLUGIN" ]; then
+        if [ "$DISABLE_INSTALL_DEMO_CONFIG" = "true" ]; then
+            echo "Disabling execution of install_demo_configuration.sh for OpenSearch Security Plugin"
+        else
+            echo "Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin"
+            bash $OPENSEARCH_HOME/plugins/$SECURITY_PLUGIN/tools/install_demo_configuration.sh -y -i -s
+        fi
+
+        if [ "$DISABLE_SECURITY_PLUGIN" = "true" ]; then
+            echo "Disabling OpenSearch Security Plugin"
+            opensearch_opt="-Eplugins.security.disabled=true"
+            opensearch_opts+=("${opensearch_opt}")
+        else
+            echo "Enabling OpenSearch Security Plugin"
+        fi
+    else
+        echo "OpenSearch Security Plugin does not exist, disable by default"
+    fi
+}
+
+# Performance Analyzer Plugin
+function setupPerformanceAnalyzerPlugin {
+    PERFORMANCE_ANALYZER_PLUGIN="opensearch-performance-analyzer"
+    if [ -d "$OPENSEARCH_HOME/plugins/$PERFORMANCE_ANALYZER_PLUGIN" ]; then
+        if [ "$DISABLE_PERFORMANCE_ANALYZER_AGENT_CLI" = "true" ]; then
+            echo "Disabling execution of $OPENSEARCH_HOME/bin/$PERFORMANCE_ANALYZER_PLUGIN/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin"
+        else
+            echo "Enabling execution of OPENSEARCH_HOME/bin/$PERFORMANCE_ANALYZER_PLUGIN/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin"
+            $OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli > $OPENSEARCH_HOME/logs/PerformanceAnalyzer.log 2>&1 & disown
+        fi
+    else
+        echo "OpenSearch Performance Analyzer Plugin does not exist, disable by default"
+    fi
+}
+
+# Start up the opensearch and performance analyzer agent processes.
+# When either of them halts, this script exits, or we receive a SIGTERM or SIGINT signal then we want to kill both these processes.
+function runOpensearch {
+    # Files created by OpenSearch should always be group writable too
+    umask 0002
+
+    if [[ "$(id -u)" == "0" ]]; then
+        echo "OpenSearch cannot run as root. Please start your container as another user."
+        exit 1
+    fi
+
+    # Parse Docker env vars to customize OpenSearch
+    #
+    # e.g. Setting the env var cluster.name=testcluster
+    # will cause OpenSearch to be invoked with -Ecluster.name=testcluster
+    opensearch_opts=()
+    while IFS='=' read -r envvar_key envvar_value
+    do
+        # OpenSearch settings need to have at least two dot separated lowercase
+        # words, e.g. `cluster.name`, except for `processors` which we handle
+        # specially
+        if [[ "$envvar_key" =~ ^[a-z0-9_]+\.[a-z0-9_]+ || "$envvar_key" == "processors" ]]; then
+            if [[ ! -z $envvar_value ]]; then
+            opensearch_opt="-E${envvar_key}=${envvar_value}"
+            opensearch_opts+=("${opensearch_opt}")
+            fi
+        fi
+    done < <(env)
+
+    setupSecurityPlugin
+    setupPerformanceAnalyzerPlugin
+
+    # Start opensearch
+    "$@" "${opensearch_opts[@]}"
+
+}
+
+# Prepend "opensearch" command if no argument was provided or if the first
+# argument looks like a flag (i.e. starts with a dash).
+if [ $# -eq 0 ] || [ "${1:0:1}" = '-' ]; then
+    set -- opensearch "$@"
+fi
+
+if [ "$1" = "opensearch" ]; then
+    # If the first argument is opensearch, then run the setup script.
+    runOpensearch "$@"
+else
+    # Otherwise, just exec the command.
+    exec "$@"
+fi

docker/release/config/opensearch/opensearch-docker-entrypoint.sh docker/release/config/opensearch/opensearch-docker-entrypoint-2.x.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This script specify the entrypoint startup actions for opensearch
+# It will start both opensearch and performance analyzer plugin cli
+# If either process failed, the entire docker container will be removed
+# in favor of a newly started container
+
+# Export OpenSearch Home
+export OPENSEARCH_HOME=/usr/share/opensearch
+export OPENSEARCH_PATH_CONF=$OPENSEARCH_HOME/config
+
+# The virtual file /proc/self/cgroup should list the current cgroup
+# membership. For each hierarchy, you can follow the cgroup path from
+# this file to the cgroup filesystem (usually /sys/fs/cgroup/) and
+# introspect the statistics for the cgroup for the given
+# hierarchy. Alas, Docker breaks this by mounting the container
+# statistics at the root while leaving the cgroup paths as the actual
+# paths. Therefore, OpenSearch provides a mechanism to override
+# reading the cgroup path from /proc/self/cgroup and instead uses the
+# cgroup path defined the JVM system property
+# opensearch.cgroups.hierarchy.override. Therefore, we set this value here so
+# that cgroup statistics are available for the container this process
+# will run in.
+export OPENSEARCH_JAVA_OPTS="-Dopensearch.cgroups.hierarchy.override=/ $OPENSEARCH_JAVA_OPTS"
+
+# Security Plugin
+function setupSecurityPlugin {
+    SECURITY_PLUGIN="opensearch-security"
+
+    if [ -d "$OPENSEARCH_HOME/plugins/$SECURITY_PLUGIN" ]; then
+        if [ "$DISABLE_SECURITY_PLUGIN" = "true" ]; then
+            echo "Disabling OpenSearch Security Plugin"
+            opensearch_opt="-Eplugins.security.disabled=true"
+            opensearch_opts+=("${opensearch_opt}")
+        else
+            echo "Enabling OpenSearch Security Plugin"
+            if [ "$DISABLE_INSTALL_DEMO_CONFIG" = "true" ]; then
+                echo "Disabling execution of install_demo_configuration.sh for OpenSearch Security Plugin"
+            else
+                echo -e "Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin \nOpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user. \nPlease define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string. \nIf a password is not provided, the setup will quit. \n For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/"
+                bash $OPENSEARCH_HOME/plugins/$SECURITY_PLUGIN/tools/install_demo_configuration.sh -y -i -s || exit 1
+            fi
+        fi
+    else
+        echo "OpenSearch Security Plugin does not exist, disable by default"
+    fi
+}
+
+# Performance Analyzer Plugin
+function setupPerformanceAnalyzerPlugin {
+    PERFORMANCE_ANALYZER_PLUGIN="opensearch-performance-analyzer"
+    if [ -d "$OPENSEARCH_HOME/plugins/$PERFORMANCE_ANALYZER_PLUGIN" ]; then
+        if [ "$DISABLE_PERFORMANCE_ANALYZER_AGENT_CLI" = "true" ]; then
+            echo "Disabling execution of $OPENSEARCH_HOME/bin/$PERFORMANCE_ANALYZER_PLUGIN/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin"
+        else
+            echo "Enabling execution of OPENSEARCH_HOME/bin/$PERFORMANCE_ANALYZER_PLUGIN/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin"
+            $OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli > $OPENSEARCH_HOME/logs/PerformanceAnalyzer.log 2>&1 & disown
+        fi
+    else
+        echo "OpenSearch Performance Analyzer Plugin does not exist, disable by default"
+    fi
+}
+
+# Start up the opensearch and performance analyzer agent processes.
+# When either of them halts, this script exits, or we receive a SIGTERM or SIGINT signal then we want to kill both these processes.
+function runOpensearch {
+    # Files created by OpenSearch should always be group writable too
+    umask 0002
+
+    if [[ "$(id -u)" == "0" ]]; then
+        echo "OpenSearch cannot run as root. Please start your container as another user."
+        exit 1
+    fi
+
+    # Parse Docker env vars to customize OpenSearch
+    #
+    # e.g. Setting the env var cluster.name=testcluster
+    # will cause OpenSearch to be invoked with -Ecluster.name=testcluster
+    opensearch_opts=()
+    while IFS='=' read -r envvar_key envvar_value
+    do
+        # OpenSearch settings need to have at least two dot separated lowercase
+        # words, e.g. `cluster.name`, except for `processors` which we handle
+        # specially
+        if [[ "$envvar_key" =~ ^[a-z0-9_]+\.[a-z0-9_]+ || "$envvar_key" == "processors" ]]; then
+            if [[ ! -z $envvar_value ]]; then
+            opensearch_opt="-E${envvar_key}=${envvar_value}"
+            opensearch_opts+=("${opensearch_opt}")
+            fi
+        fi
+    done < <(env)
+
+    setupSecurityPlugin
+    setupPerformanceAnalyzerPlugin
+
+    # Start opensearch
+    "$@" "${opensearch_opts[@]}"
+
+}
+
+# Prepend "opensearch" command if no argument was provided or if the first
+# argument looks like a flag (i.e. starts with a dash).
+if [ $# -eq 0 ] || [ "${1:0:1}" = '-' ]; then
+    set -- opensearch "$@"
+fi
+
+if [ "$1" = "opensearch" ]; then
+    # If the first argument is opensearch, then run the setup script.
+    runOpensearch "$@"
+else
+    # Otherwise, just exec the command.
+    exec "$@"
+fi

docker/release/config/opensearch/opensearch-docker-entrypoint-default.x.sh

@@ -36,6 +36,7 @@ COPY * $TEMP_DIR/
 RUN tar -xzpf $TEMP_DIR/opensearch-dashboards-`uname -p`.tgz -C $OPENSEARCH_DASHBOARDS_HOME --strip-components=1 && \
     MAJOR_VERSION_ENTRYPOINT=`echo $VERSION | cut -d. -f1` && \
     MAJOR_VERSION_YML=`echo $VERSION | cut -d. -f1` && \
+    echo $MAJOR_VERSION_ENTRYPOINT && echo $MAJOR_VERSION_YML && \
     if ! (ls $TEMP_DIR | grep -E "opensearch-dashboards-docker-entrypoint-.*.x.sh" | grep $MAJOR_VERSION_ENTRYPOINT); then MAJOR_VERSION_ENTRYPOINT="default"; fi && \
     if ! (ls $TEMP_DIR | grep -E "opensearch_dashboards-.*.x.yml" | grep $MAJOR_VERSION_YML); then MAJOR_VERSION_YML="default"; fi && \
     cp -v $TEMP_DIR/opensearch-dashboards-docker-entrypoint-$MAJOR_VERSION_ENTRYPOINT.x.sh $OPENSEARCH_DASHBOARDS_HOME/opensearch-dashboards-docker-entrypoint.sh && \

docker/release/dockerfiles/opensearch-dashboards.al2.dockerfile

@@ -18,6 +18,7 @@ FROM public.ecr.aws/amazonlinux/amazonlinux:2 AS linux_stage_0
 
 ARG UID=1000
 ARG GID=1000
+ARG VERSION
 ARG TEMP_DIR=/tmp/opensearch
 ARG OPENSEARCH_HOME=/usr/share/opensearch
 ARG OPENSEARCH_PATH_CONF=$OPENSEARCH_HOME/config
@@ -39,10 +40,14 @@ RUN groupadd -g $GID opensearch && \
 COPY * $TEMP_DIR/
 RUN ls -l $TEMP_DIR && \
     tar -xzpf /tmp/opensearch/opensearch-`uname -p`.tgz -C $OPENSEARCH_HOME --strip-components=1 && \
+    MAJOR_VERSION_ENTRYPOINT=`echo $VERSION | cut -d. -f1` && \
+    echo $MAJOR_VERSION_ENTRYPOINT && \
+    if ! (ls $TEMP_DIR | grep -E "opensearch-docker-entrypoint-.*.x.sh" | grep $MAJOR_VERSION_ENTRYPOINT); then MAJOR_VERSION_ENTRYPOINT="default"; fi && \
     mkdir -p $OPENSEARCH_HOME/data && chown -Rv $UID:$GID $OPENSEARCH_HOME/data && \
     if [[ -d $SECURITY_PLUGIN_DIR ]] ; then chmod -v 750 $SECURITY_PLUGIN_DIR/tools/* ; fi && \
     if [[ -d $PERFORMANCE_ANALYZER_PLUGIN_CONFIG_DIR ]] ; then cp -v $TEMP_DIR/performance-analyzer.properties $PERFORMANCE_ANALYZER_PLUGIN_CONFIG_DIR; fi && \
-    cp -v $TEMP_DIR/opensearch-docker-entrypoint.sh $TEMP_DIR/opensearch-onetime-setup.sh $OPENSEARCH_HOME/ && \
+    cp -v $TEMP_DIR/opensearch-docker-entrypoint-$MAJOR_VERSION_ENTRYPOINT.x.sh $OPENSEARCH_HOME/opensearch-docker-entrypoint.sh && \
+    cp -v $TEMP_DIR/opensearch-onetime-setup.sh $OPENSEARCH_HOME/ && \
     cp -v $TEMP_DIR/log4j2.properties $TEMP_DIR/opensearch.yml $OPENSEARCH_PATH_CONF/ && \
     ls -l $OPENSEARCH_HOME && \
     rm -rf $TEMP_DIR

docker/release/dockerfiles/opensearch.al2.dockerfile

@@ -18,6 +18,7 @@ FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS linux_stage_0
 
 ARG UID=1000
 ARG GID=1000
+ARG VERSION
 ARG TEMP_DIR=/tmp/opensearch
 ARG OPENSEARCH_HOME=/usr/share/opensearch
 ARG OPENSEARCH_PATH_CONF=$OPENSEARCH_HOME/config
@@ -39,10 +40,14 @@ RUN groupadd -g $GID opensearch && \
 COPY * $TEMP_DIR/
 RUN ls -l $TEMP_DIR && \
     tar -xzpf /tmp/opensearch/opensearch-`uname -p`.tgz -C $OPENSEARCH_HOME --strip-components=1 && \
+    MAJOR_VERSION_ENTRYPOINT=`echo $VERSION | cut -d. -f1` && \
+    echo $MAJOR_VERSION_ENTRYPOINT && \
+    if ! (ls $TEMP_DIR | grep -E "opensearch-docker-entrypoint-.*.x.sh" | grep $MAJOR_VERSION_ENTRYPOINT); then MAJOR_VERSION_ENTRYPOINT="default"; fi && \
     mkdir -p $OPENSEARCH_HOME/data && chown -Rv $UID:$GID $OPENSEARCH_HOME/data && \
     if [[ -d $SECURITY_PLUGIN_DIR ]] ; then chmod -v 750 $SECURITY_PLUGIN_DIR/tools/* ; fi && \
     if [[ -d $PERFORMANCE_ANALYZER_PLUGIN_CONFIG_DIR ]] ; then cp -v $TEMP_DIR/performance-analyzer.properties $PERFORMANCE_ANALYZER_PLUGIN_CONFIG_DIR; fi && \
-    cp -v $TEMP_DIR/opensearch-docker-entrypoint.sh $TEMP_DIR/opensearch-onetime-setup.sh $OPENSEARCH_HOME/ && \
+    cp -v $TEMP_DIR/opensearch-docker-entrypoint-$MAJOR_VERSION_ENTRYPOINT.x.sh $OPENSEARCH_HOME/opensearch-docker-entrypoint.sh && \
+    cp -v $TEMP_DIR/opensearch-onetime-setup.sh $OPENSEARCH_HOME/ && \
     cp -v $TEMP_DIR/log4j2.properties $TEMP_DIR/opensearch.yml $OPENSEARCH_PATH_CONF/ && \
     ls -l $OPENSEARCH_HOME && \
     rm -rf $TEMP_DIR