OpenSearch "OpenSearch Security not initialized" in CI
OpenSearch returns "OpenSearch Security not initialized" (or HTTP 503) while the security plugin is still loading its config index, or rejects plain HTTP because the demo configuration enables TLS. For CI, either wait for it to initialize or disable the security plugin.
What this error means
Requests fail with "OpenSearch Security not initialized (SG11)" and a 503, or the client cannot complete a TLS handshake against the demo certificates.
{"error":"OpenSearch Security not initialized (SG11) for OpenSearch.","status":503}Common causes
The security config index is not yet populated
On startup the security plugin must initialize its internal index. Until that completes, requests get a 503 "not initialized".
The demo security configuration enables TLS
The default OpenSearch image enables the security plugin with demo certs, so plain HTTP clients fail and credentials are required.
How to fix it
Disable the security plugin for tests
Set DISABLE_SECURITY_PLUGIN=true so the node serves plain HTTP with no auth, which is fine for a throwaway CI instance.
- name: Start OpenSearch (test mode)
run: |
docker run -d --name os -p 9200:9200 \
-e discovery.type=single-node \
-e DISABLE_SECURITY_PLUGIN=true \
opensearchproject/opensearch:2.13.0Or wait for security to initialize
If you keep security on, poll the health endpoint with the demo credentials until it stops returning 503.
until curl -sk -u admin:admin https://localhost:9200/_cluster/health \
| grep -q '"status"'; do
echo "waiting for opensearch security"; sleep 3
doneHow to prevent it
- For CI, disable the security plugin on a throwaway OpenSearch node.
- If keeping security, wait past the "not initialized" 503 before testing.
- Match the client scheme and credentials to the demo configuration.