Starting with 6.8, Elasticsearch lets free (basic-license) users turn on X-Pack's security features, so an ES instance that would otherwise be exposed without any authentication can at least get basic access control.

We build this environment with docker-compose.

First pick a directory to hold docker-compose.yaml together with the ES data, logs and config files.

I keep mine in ~/DockerFile/es

Create the data directories and the config files

mkdir work # data and logs both live here
mkdir work/data # data
mkdir work/logs # logs
touch work/elasticsearch.yml # ES configuration
touch work/kibana.yml  # Kibana configuration

elasticsearch.yml contains the following:

network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12

xpack.security.audit.enabled: true

kibana.yml contains the following:

#
# ** THIS IS AN AUTO-GENERATED FILE **
#

# Default Kibana configuration for docker target
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "http://elasticsearch:9200" ]
elasticsearch.username: "elastic"
elasticsearch.password: ""

Next create docker-compose.yaml

vim docker-compose.yaml

docker-compose.yaml contains the following:

version: '2.2'
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - cluster.initial_master_nodes=es01
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./work/data:/usr/share/elasticsearch/data
      - ./work/logs:/usr/share/elasticsearch/logs
      - ./work/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9200:9200
    networks:
      - elastic
  kib01:
    image: docker.elastic.co/kibana/kibana:7.12.1
    container_name: kib01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: '["http://es01:9200"]'
    volumes:
      - ./work/kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic

networks:
  elastic:
    driver: bridge

This is a single-node configuration: only one node comes up after the services start. For a multi-node cluster, create a separate data and log directory for each node under work.

Multi-node configuration

mkdir -p work/es01/data
mkdir -p work/es01/logs
mkdir -p work/es02/data
mkdir -p work/es02/logs
mkdir -p work/es03/data
mkdir -p work/es03/logs

Then add matching es02 and es03 entries under services in docker-compose.yaml, change cluster.initial_master_nodes in each node's environment to es01,es02,es03, and add a discovery.seed_hosts entry to each node's environment whose value is the names of the other two nodes; for es01, for example, discovery.seed_hosts is es02,es03.

The complete configuration:

version: '2.2'
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./work/es01/data:/usr/share/elasticsearch/data
      - ./work/es01/logs:/usr/share/elasticsearch/logs
      - ./work/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9200:9200
    networks:
      - elastic
  es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./work/es02/data:/usr/share/elasticsearch/data
      - ./work/es02/logs:/usr/share/elasticsearch/logs
      - ./work/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9201:9200
    networks:
      - elastic
  es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./work/es03/data:/usr/share/elasticsearch/data
      - ./work/es03/logs:/usr/share/elasticsearch/logs
      - ./work/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9202:9200
    networks:
      - elastic
  kib01:
    image: docker.elastic.co/kibana/kibana:7.12.1
    container_name: kib01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: '["http://es01:9200"]'
    volumes:
      - ./work/kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic

networks:
  elastic:
    driver: bridge

Create elastic-certificates.p12

First start a temporary container

docker run -dit --name=es docker.elastic.co/elasticsearch/elasticsearch:7.12.1 /bin/bash

Then enter the container

docker exec -it es /bin/bash

Run the certificate generation commands

./bin/elasticsearch-certutil ca # accept the defaults; the password can be left empty

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Press ctrl+d to leave the container, then copy the certificate out

docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 .
# stop and remove the temporary container
docker kill es
docker rm es

Start the containers

docker-compose up -d

Generate the passwords

Enter the es01 container (in a multi-node cluster any node will do)

docker exec -it es01 /bin/bash

Use -h to see the available options

./bin/elasticsearch-setup-passwords -h

We use auto to have the passwords generated automatically

./bin/elasticsearch-setup-passwords auto

Update the Kibana configuration

Edit ./work/kibana.yml

Replace the elasticsearch.password value with the password generated for the elastic user in the previous step

Then restart Kibana

docker-compose restart kib01

And that's it!
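The last two steps above (copy the generated elastic password into kibana.yml, then restart) are done by hand in the post. The script below is an added example, not part of the original post, that automates that copy and checks the result; the file paths, the kibana.yml/elasticsearch.yml fragments and the setup-passwords output it works on are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: pull one user's password out of
# the "elasticsearch-setup-passwords auto" output, write it into kibana.yml, and
# sanity-check the two settings that actually enforce authentication.
# All file paths and the sample output below are constructed for this demo.

# Print the password of user $2 from setup-passwords output file $1.
# The tool prints one line per user in the form "PASSWORD <user> = <password>".
extract_password() {
    sed -n "s/^PASSWORD $2 = //p" "$1" | head -n 1
}

# Rewrite the elasticsearch.password line of kibana.yml ($1) with password $2.
set_kibana_password() {
    esc=$(printf '%s' "$2" | sed 's/[&|\\]/\\&/g')   # escape sed metacharacters
    sed -i.bak "s|^elasticsearch.password:.*|elasticsearch.password: \"$esc\"|" "$1" \
        && rm -f "$1.bak"
}

# Return 0 when elasticsearch.yml ($1) has security enabled and kibana.yml ($2)
# carries a non-empty password; return 1 (with a reason) otherwise.
check_security_config() {
    grep -q '^xpack.security.enabled: true' "$1" \
        || { echo "xpack.security.enabled is not true in $1"; return 1; }
    grep -q '^elasticsearch.password: "[^"]\{1,\}"' "$2" \
        || { echo "elasticsearch.password is empty or missing in $2"; return 1; }
    return 0
}

# --- constructed sample input, mirroring the files used in the post ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwords.txt" <<'EOF'
Changed password for user kibana_system
PASSWORD kibana_system = 7yDemoKibanaSys
Changed password for user elastic
PASSWORD elastic = 9zDemoElasticPw
EOF
printf 'elasticsearch.username: "elastic"\nelasticsearch.password: ""\n' > "$demo_dir/kibana.yml"
printf 'network.host: 0.0.0.0\nxpack.security.enabled: true\n' > "$demo_dir/elasticsearch.yml"

# Before the update the empty password must be rejected ...
if check_security_config "$demo_dir/elasticsearch.yml" "$demo_dir/kibana.yml"; then
    echo "unexpected: empty password accepted"
fi
# ... and after it the check passes.
set_kibana_password "$demo_dir/kibana.yml" "$(extract_password "$demo_dir/passwords.txt" elastic)"
check_security_config "$demo_dir/elasticsearch.yml" "$demo_dir/kibana.yml" && echo "kibana.yml updated"
```

The same functions work unchanged with kibana_system, the built-in user intended for Kibana, if you would rather not hand Kibana the elastic superuser credentials.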

Tags: docker, elasticsearch, docker-compose
