OpenSearch "OpenSearch Security not initialized" in CI
OpenSearch ships with the Security plugin enabled by default. Until the plugin loads its configuration index, requests are refused with "OpenSearch Security not initialized". In CI you either wait for initialization and authenticate, or disable the plugin for a throwaway test cluster.
What this error means
Requests return HTTP 503 with "OpenSearch Security not initialized (SG11)" shortly after the container starts, or persist if the security config never gets applied.
OpenSearch Security not initialized (SG11) : Open Distro not initializedCommon causes
The security plugin has not finished loading config
On startup the plugin needs its configuration index before it can serve requests; until then it returns SG11.
Requests hit the cluster during initialization
A test that connects immediately races the security bootstrap and sees "not initialized".
How to fix it
Disable the security plugin for CI
- Set
DISABLE_SECURITY_PLUGIN=true(orplugins.security.disabled=true) on the container. - The cluster then serves plain HTTP with no auth for tests.
- Use this only for ephemeral CI clusters.
services:
opensearch:
image: opensearchproject/opensearch:2.13.0
env:
discovery.type: single-node
DISABLE_SECURITY_PLUGIN: "true"Or wait for security and authenticate
Keep the plugin on, wait for the cluster to be ready, and authenticate with the admin credentials over HTTPS.
until curl -sk -u admin:admin "https://localhost:9200/_cluster/health?wait_for_status=yellow&timeout=5s"; do
sleep 2
doneHow to prevent it
- Disable the security plugin for throwaway CI clusters, or wait for it and authenticate.
- Poll cluster health before the first request.
- Do not connect during the security bootstrap window.