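Setting up an Elasticsearch cluster with Docker and enabling password authentication
Since version 6.8, Elasticsearch has allowed free users to use X-Pack's security features, so an ES instance that used to run completely unprotected now gets basic security authentication.
We build this environment with docker-compose.
First pick a directory to hold docker-compose.yaml as well as the ES data, log and other files.
I keep mine under ~/DockerFile/es.
Create the docker-compose file and the data files
mkdir work # data and logs all go here
mkdir work/data # holds the data
mkdir work/logs # holds the logs
touch work/elasticsearch.yml # ES configuration
touch work/kibana.yml # Kibana configuration
The contents of elasticsearch.yml are as follows: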
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true
The contents of kibana.yml are as follows:
#
# ** THIS IS AN AUTO-GENERATED FILE **
#
# Default Kibana configuration for docker target
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "http://es01:9200" ]  # es01 is the Elasticsearch service name in docker-compose.yaml
elasticsearch.username: "elastic"
elasticsearch.password: ""
Next, create docker-compose.yaml
vim docker-compose.yaml
The contents of docker-compose.yaml are as follows:
version: '2.2'
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - cluster.initial_master_nodes=es01
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./work/data:/usr/share/elasticsearch/data
      - ./work/logs:/usr/share/elasticsearch/logs
      - ./work/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9200:9200
    networks:
      - elastic
  kib01:
    image: docker.elastic.co/kibana/kibana:7.12.1
    container_name: kib01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: '["http://es01:9200"]'
    volumes:
      - ./work/kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic
networks:
  elastic:
    driver: bridge
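This is a single-node configuration: once the service starts there is only one node. If you need multiple nodes, create a separate data and log directory for each node under the work directory.
Multi-node configuration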
mkdir -p work/es01/data
mkdir -p work/es01/logs
mkdir -p work/es02/data
mkdir -p work/es02/logs
mkdir -p work/es03/data
mkdir -p work/es03/logs
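Next, add the corresponding es02 and es03 node definitions under services in docker-compose.yaml, then change cluster.initial_master_nodes in each node's environment to es01,es02,es03, and add a discovery.seed_hosts entry to each node's environment whose value is the names of the other two nodes. For example, discovery.seed_hosts for es01 is es02,es03.
The complete configuration is as follows: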
version: '2.2'
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./work/es01/data:/usr/share/elasticsearch/data
      - ./work/es01/logs:/usr/share/elasticsearch/logs
      - ./work/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9200:9200
    networks:
      - elastic
  es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./work/es02/data:/usr/share/elasticsearch/data
      - ./work/es02/logs:/usr/share/elasticsearch/logs
      - ./work/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9201:9200
    networks:
      - elastic
  es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./work/es03/data:/usr/share/elasticsearch/data
      - ./work/es03/logs:/usr/share/elasticsearch/logs
      - ./work/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9202:9200
    networks:
      - elastic
  kib01:
    image: docker.elastic.co/kibana/kibana:7.12.1
    container_name: kib01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: '["http://es01:9200"]'
    volumes:
      - ./work/kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic
networks:
  elastic:
    driver: bridge
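
The discovery.seed_hosts and cluster.initial_master_nodes rule described above, generalized to any list of node names, as an added example that is not part of the original post. NODES and the function names are assumptions; the stanza fields are taken from the configuration above.

```shell
# Added example: NODES and the function names are assumptions for illustration.
NODES="es01 es02 es03"

# discovery.seed_hosts for one node: every other node, comma-separated.
seed_hosts() {
  self=$1; out=""
  for n in $NODES; do
    [ "$n" = "$self" ] || out="${out:+$out,}$n"
  done
  printf '%s\n' "$out"
}

# cluster.initial_master_nodes: the same full list on every node.
initial_masters() { printf '%s\n' "$NODES" | tr ' ' ','; }

# Print one service stanza; $2 is the host side of the 9200 port mapping.
es_service() {
  name=$1; host_port=$2
  cat <<EOF
  $name:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
    container_name: $name
    environment:
      - node.name=$name
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=$(seed_hosts "$name")
      - cluster.initial_master_nodes=$(initial_masters)
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits: {memlock: {soft: -1, hard: -1}}
    volumes:
      - ./work/$name/data:/usr/share/elasticsearch/data
      - ./work/$name/logs:/usr/share/elasticsearch/logs
      - ./work/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports: ["$host_port:9200"]
    networks: [elastic]
EOF
}

# Emit every stanza, mapping host ports 9200, 9201, ... in list order.
all_services() {
  port=9200
  for node in $NODES; do
    es_service "$node" "$port"
    port=$((port + 1))
  done
}
all_services
```

The output is pasted under services: in docker-compose.yaml, next to the kib01 service and the top-level networks section.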
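Creating elastic-certificates.p12
First start a container:
docker run -dit --name=es docker.elastic.co/elasticsearch/elasticsearch:7.12.1 /bin/bash
Then enter it:
docker exec -it es /bin/bash
Run the certificate generation commands:
./bin/elasticsearch-certutil ca # accept the defaults; setting a password is optional
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Press Ctrl+D to leave the container, then copy the certificate out into work/, the path docker-compose.yaml mounts it from:
docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 ./work/
# stop and remove this container
docker kill es
docker rm es
Start the containers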
docker-compose up -d
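Generating passwords
Enter the es01 container (with multiple nodes, any one of them will do):
docker exec -it es01 /bin/bash
Use -h to see the help:
./bin/elasticsearch-setup-passwords -h
We use auto to generate the passwords automatically:
./bin/elasticsearch-setup-passwords auto
Updating the Kibana configuration file
Edit ./work/kibana.yml and replace the elasticsearch.password entry with the password generated for elastic in the previous step.
Then restart Kibana:
docker-compose restart kib01
And that's it, done.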
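
The last two steps (capturing the generated elastic password and writing it into ./work/kibana.yml) scripted, as an added example that is not part of the original post. The function names and work/passwords.txt are assumptions, and the sample output inside demo is constructed.

```shell
# Added example, not from the original post; function names and file paths
# are assumptions.

# Print user $1's password from saved `elasticsearch-setup-passwords auto`
# output in file $2 (lines of the form "PASSWORD <user> = <password>").
extract_password() {
  awk -v u="$1" '$1 == "PASSWORD" && $2 == u && $3 == "=" { print $4; found = 1 }
                 END { exit !found }' "$2"
}

# Set elasticsearch.password in kibana.yml ($1) to $2. The file is rewritten
# in place (same inode) so a single-file bind mount keeps pointing at it.
set_kibana_password() {
  yml=$1; tmp="$yml.tmp.$$"
  grep -q '^elasticsearch\.password:' "$yml" || return 1
  PW="$2" awk '/^elasticsearch\.password:/ {
      print "elasticsearch.password: \"" ENVIRON["PW"] "\""; next }
    { print }' "$yml" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$yml"; rm -f "$tmp"
}

# Offline demonstration on constructed sample data (not real credentials).
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'Changed password for user kibana_system' \
    'PASSWORD kibana_system = ConstructedKibana01' \
    'Changed password for user elastic' \
    'PASSWORD elastic = ConstructedElastic02' > "$d/passwords.txt"
  printf '%s\n' 'elasticsearch.username: "elastic"' \
    'elasticsearch.password: ""' > "$d/kibana.yml"
  set_kibana_password "$d/kibana.yml" "$(extract_password elastic "$d/passwords.txt")"
  cat "$d/kibana.yml"; rm -rf "$d"
}
demo

# Against the real cluster, run on the host from the compose directory:
#   umask 077   # keep the captured passwords readable by the owner only
#   docker exec es01 ./bin/elasticsearch-setup-passwords auto --batch > work/passwords.txt
#   set_kibana_password work/kibana.yml "$(extract_password elastic work/passwords.txt)"
#   docker-compose restart kib01
```

The capture file holds every built-in user's password in clear text, so move it into a secrets store or delete it once kibana.yml is updated.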