Skip to content
Latchkey

OpenSearch "OpenSearch Security not initialized" in CI

OpenSearch ships with the Security plugin enabled by default. Until the plugin loads its configuration index, requests are refused with "OpenSearch Security not initialized". In CI you either wait for initialization and authenticate, or disable the plugin for a throwaway test cluster.

What this error means

Requests return HTTP 503 with "OpenSearch Security not initialized (SG11)" shortly after the container starts, or persist if the security config never gets applied.

opensearch
OpenSearch Security not initialized (SG11) : Open Distro not initialized

Common causes

The security plugin has not finished loading config

On startup the plugin needs its configuration index before it can serve requests; until then it returns SG11.

Requests hit the cluster during initialization

A test that connects immediately races the security bootstrap and sees "not initialized".

How to fix it

Disable the security plugin for CI

  1. Set DISABLE_SECURITY_PLUGIN=true (or plugins.security.disabled=true) on the container.
  2. The cluster then serves plain HTTP with no auth for tests.
  3. Use this only for ephemeral CI clusters.
.github/workflows/ci.yml
services:
  opensearch:
    image: opensearchproject/opensearch:2.13.0
    env:
      discovery.type: single-node
      DISABLE_SECURITY_PLUGIN: "true"

Or wait for security and authenticate

Keep the plugin on, wait for the cluster to be ready, and authenticate with the admin credentials over HTTPS.

Terminal
until curl -sk -u admin:admin "https://localhost:9200/_cluster/health?wait_for_status=yellow&timeout=5s"; do
  sleep 2
done

How to prevent it

  • Disable the security plugin for throwaway CI clusters, or wait for it and authenticate.
  • Poll cluster health before the first request.
  • Do not connect during the security bootstrap window.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →