ES部署文档(开启安全验证)超详细

一、在物理机上分别创建要挂载的目录

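# Host directories that are bind-mounted into the three Elasticsearch containers:
# config/ holds each node's elasticsearch.yml, data/ the index data, plugins/ik the IK analyzer.
for node in es01 es02 es03; do
    mkdir -p "/usr/elasticsearch/${node}/config" \
             "/usr/elasticsearch/${node}/data" \
             "/usr/elasticsearch/${node}/plugins/ik"
done

# Grant access to the container user only instead of making the tree world-writable.
# The official Elasticsearch image runs as uid:gid 1000:0, so that identity owns the
# directories. "other" gets no access because data/ later also holds the node
# certificate (elastic-certificates.p12). This replaces the original `chmod -R 777`.
chown -R 1000:0 /usr/elasticsearch/*
chmod -R u=rwX,g=rwX,o= /usr/elasticsearch/*

# Directory for kibana.yml
mkdir -p /usr/kibana/config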

二、拷贝elasticsearch.yml到3个config目录下,修改对应的端口

cd /usr/elasticsearch
vi es01/config/elasticsearch.yml

# Bind and publish on every interface (sets both bind_host and publish_host).
# NOTE(review): until xpack.security is enabled (step 7 of this guide), anything that
# can reach this host can read and write the cluster. Consider adding the security
# settings before the first start, or restricting access with a firewall.
network.host: 0.0.0.0

# REST (HTTP) port used by clients
http.port: 8201
# Port used for node-to-node (transport) traffic
transport.tcp.port: 8400

# Roles: master-eligible, data, and ingest (ingest pre-processes documents through
# pipelines before they are indexed, like a filter).
node.master: true
node.data: true
node.ingest: true
node.max_local_storage_nodes: 1

# CORS
# NOTE(review): "*" allows any web origin to call the REST API from a browser;
# list only the origins that actually need access.
http.cors.enabled: true
http.cors.allow-origin: "*"

ingest.geoip.downloader.enabled: false

vi es02/config/elasticsearch.yml

# Bind and publish on every interface (sets both bind_host and publish_host).
# NOTE(review): the node is reachable without credentials until xpack.security is
# enabled (step 7 of this guide); restrict network access in the meantime.
network.host: 0.0.0.0

# REST (HTTP) port used by clients
http.port: 8202
# Port used for node-to-node (transport) traffic
transport.tcp.port: 8500

# Roles: master-eligible, data, and ingest (ingest pre-processes documents through
# pipelines before they are indexed, like a filter).
node.master: true
node.data: true
node.ingest: true
node.max_local_storage_nodes: 1

# CORS
# NOTE(review): "*" allows any web origin to call the REST API from a browser;
# list only the origins that actually need access.
http.cors.enabled: true
http.cors.allow-origin: "*"

ingest.geoip.downloader.enabled: false

vi es03/config/elasticsearch.yml

# Bind and publish on every interface (sets both bind_host and publish_host).
# NOTE(review): the node is reachable without credentials until xpack.security is
# enabled (step 7 of this guide); restrict network access in the meantime.
network.host: 0.0.0.0

# REST (HTTP) port used by clients
http.port: 8203
# Port used for node-to-node (transport) traffic
transport.tcp.port: 8600

# Roles: master-eligible, data, and ingest (ingest pre-processes documents through
# pipelines before they are indexed, like a filter).
node.master: true
node.data: true
node.ingest: true
node.max_local_storage_nodes: 1

# CORS
# NOTE(review): "*" allows any web origin to call the REST API from a browser;
# list only the origins that actually need access.
http.cors.enabled: true
http.cors.allow-origin: "*"

ingest.geoip.downloader.enabled: false

vi /usr/kibana/config/kibana.yml

# Port the Kibana web UI listens on
server.port: 8601
# Listen on every interface
# NOTE(review): before security is enabled, Kibana gives unauthenticated access to
# the cluster to anyone who can reach this port.
server.host: "0.0.0.0"
# UI language
i18n.locale: "zh-CN"

# Credentials Kibana uses for its own connection to Elasticsearch. Left commented out
# here and filled in after passwords exist (step 9 of this guide).
# NOTE(review): do not publish or reuse a literal password; the built-in kibana_system
# account is a narrower choice for this connection than the elastic superuser.
#elasticsearch.username: "elastic"
#elasticsearch.password: "<password set in step 8>"

三、安装docker、docker-compose,上传es、kibana、ik


# Unpack the offline Docker 20.10.9 binaries and install them system-wide.
# NOTE(review): these files are copied into /usr/local/bin and later run as root.
# Before installing, compare `sha256sum docker-20.10.9.tgz` with the checksum
# published by the source the archive was downloaded from.
tar -zxvf docker-20.10.9.tgz
cp docker-20.10.9/* /usr/local/bin
# Confirm the client binary runs
docker -v

# The docker-compose binary was uploaded with a .txt suffix: restore its name, mark it
# executable and install it. The same integrity check applies to this file.
mv docker-compose.txt docker-compose
chmod +x docker-compose
cp docker-compose /usr/local/bin
# Confirm docker-compose runs
docker-compose -v

# Import the Elasticsearch image from the offline tarball.
# NOTE(review): only load image tarballs whose origin you trust; the image runs with
# access to the bind-mounted data and config directories.
docker load -i elasticsearch.tar 
# [imageId] is a placeholder: substitute the image ID shown by `docker images`.
docker tag  [imageId] elasticsearch:7.16.3

kibana包太大没法上传知识库,可以先在本地拉取镜像,再上传tar包
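# On a machine with registry access: pull the official image and export it.
# The repository name is "kibana" (the original "kibnan" is a typo and does not match
# the image referenced in docker-compose.yml). Saving by name:tag rather than by image
# ID keeps the tag inside the tarball.
docker pull kibana:7.16.3
docker save -o kibana.tar kibana:7.16.3

# On the target host: import the tarball. The kibana:7.16.3 tag is restored by the
# load, so no manual `docker tag` is needed.
docker load -i kibana.tar
# Compare the full image ID with the one on the source machine to confirm the tarball
# was not altered in transit.
docker images --no-trunc kibana:7.16.3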

cd /usr/elasticsearch/es01/plugins/ik/
上传并解压ik压缩包(ik插件版本须与ES版本7.16.3一致;es02、es03的plugins/ik目录下也需要放置同样的内容)

四、 编写docker-compose.yml并拷贝至/usr/elasticsearch下

version: '3'

# Three-node Elasticsearch 7.16.3 cluster plus Kibana, all on one bridge network.
# NOTE(review): every `ports` entry below publishes on all host interfaces. Together
# with network.host: 0.0.0.0 in each elasticsearch.yml, the REST API and Kibana are
# reachable by anything that can reach the host, and they require no credentials until
# xpack.security is enabled later in this guide.
services:
  # Elasticsearch node 1
  es01:
    image: elasticsearch:7.16.3
    container_name: es01
    restart: always
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      # Transport addresses of the other two nodes
      - discovery.seed_hosts=es02:8500,es03:8600
      - cluster.initial_master_nodes=es01,es02,es03
      # Lock the JVM heap in RAM; needs the unlimited memlock ulimit below
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - "/usr/elasticsearch/es01/data:/usr/share/elasticsearch/data"
      - "/usr/elasticsearch/es01/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml"
      - "/usr/elasticsearch/es01/plugins:/usr/share/elasticsearch/plugins"
    ports:
      - "8201:8201"
    networks:
      - es

  # Elasticsearch node 2
  es02:
    image: elasticsearch:7.16.3
    container_name: es02
    restart: always
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      # Transport addresses of the other two nodes
      - discovery.seed_hosts=es01:8400,es03:8600
      - cluster.initial_master_nodes=es01,es02,es03
      # Lock the JVM heap in RAM; needs the unlimited memlock ulimit below
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - "/usr/elasticsearch/es02/data:/usr/share/elasticsearch/data"
      - "/usr/elasticsearch/es02/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml"
      - "/usr/elasticsearch/es02/plugins:/usr/share/elasticsearch/plugins"
    ports:
      - "8202:8202"
    networks:
      - es

  # Elasticsearch node 3
  es03:
    image: elasticsearch:7.16.3
    container_name: es03
    restart: always
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      # Transport addresses of the other two nodes
      - discovery.seed_hosts=es01:8400,es02:8500
      - cluster.initial_master_nodes=es01,es02,es03
      # Lock the JVM heap in RAM; needs the unlimited memlock ulimit below
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - "/usr/elasticsearch/es03/data:/usr/share/elasticsearch/data"
      - "/usr/elasticsearch/es03/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml"
      - "/usr/elasticsearch/es03/plugins:/usr/share/elasticsearch/plugins"
    ports:
      - "8203:8203"
    networks:
      - es

  # Kibana, pointed at es01 over plain HTTP inside the compose network
  kibana:
    image: kibana:7.16.3
    container_name: kibana
    restart: always
    depends_on:
      - es01
    environment:
      ELASTICSEARCH_URL: http://es01:8201
      ELASTICSEARCH_HOSTS: http://es01:8201
    volumes:
      - "/usr/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml"
    networks:
      - es
    ports:
      - "8601:8601"

networks:
  es:
    driver: bridge

五、修改物理机参数

vi /etc/sysctl.conf

vm.max_map_count=655360

vim /etc/security/limits.conf

# Per-user resource limits: open files (nofile), locked memory (memlock), processes (nproc).
# NOTE(review): "*" raises these limits for every non-root account on the host, not only
# the one that runs the containers. The compose file already sets memlock through its
# `ulimits` block; confirm whether host-wide values are needed, and if so scope them to
# a specific user.
* soft nofile 100001
* hard nofile 100002
* soft memlock unlimited
* hard memlock unlimited
* soft nproc 65535
* hard nproc 65535

sysctl -p

docker network create --subnet=10.153.108.17/16 elasticsearch_es
docker-compose up -d

六、查看集群状态

查看集群状态:http://10.153.108.17:8201/_cluster/health?pretty
查看主节点:http://10.153.108.17:8201/_cat/master
查看所有节点:http://10.153.108.17:8201/_cat/nodes

kibana:http://10.153.108.17:8601/
es01: http://10.153.108.17:8201/
es02: http://10.153.108.17:8202/
es03: http://10.153.108.17:8203/

七、开启身份认证

# Open a shell inside the running es01 container.
docker exec -it es01 bash
# Create a certificate authority. The output used below is elastic-stack-ca.p12, which
# contains the CA private key.
bin/elasticsearch-certutil ca
# Issue a node certificate signed by that CA (copied out later as elastic-certificates.p12).
# NOTE(review): elastic-stack-ca.p12 stays inside the container and is never copied out
# in this guide, so it disappears when the container is removed. Keep a protected copy
# if more node certificates will be needed, and treat both .p12 files as secrets: with
# verification_mode "certificate", holding a certificate signed by this CA is what lets
# a node join the cluster.
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
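期间会提示输入密码,一直按Enter即可(这样密码为空,.p12文件没有口令保护,其中的私钥只能依靠文件权限来保护;如果设置了密码,还需要用bin/elasticsearch-keystore把口令写入每个节点的xpack.security.transport.ssl.keystore.secure_password和xpack.security.transport.ssl.truststore.secure_password)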
exit
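# Copy the node certificate out of the es01 container to a staging location on the
# host, and make the staging copy readable by root only (it holds a private key).
docker cp es01:/usr/share/elasticsearch/elastic-certificates.p12 /usr/elasticsearch/
chmod 600 /usr/elasticsearch/elastic-certificates.p12

# Place the certificate where every container will see it. elasticsearch.yml refers to
# /usr/share/elasticsearch/data/cert/ *inside* the container; on the host that path is
# each node's bind-mounted data directory (/usr/elasticsearch/esNN/data). Creating
# /usr/share/elasticsearch/data/cert on the host itself, as the original step did,
# would leave the file invisible to the containers.
for node in es01 es02 es03; do
    mkdir -p "/usr/elasticsearch/${node}/data/cert"
    cp /usr/elasticsearch/elastic-certificates.p12 "/usr/elasticsearch/${node}/data/cert/"
    # Readable by the container user (uid:gid 1000:0 in the official image) only.
    chown -R 1000:0 "/usr/elasticsearch/${node}/data/cert"
    chmod 750 "/usr/elasticsearch/${node}/data/cert"
    chmod 640 "/usr/elasticsearch/${node}/data/cert/elastic-certificates.p12"
done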

在每个elasticsearch.yml后加上

# Security settings appended to every node's elasticsearch.yml.

# Turn on X-Pack authentication
xpack.security.enabled: true

# Encrypt node-to-node (transport) traffic with TLS
xpack.security.transport.ssl.enabled: true
# Certificate verification mode: the peer certificate must be signed by a trusted CA;
# host names are not checked in this mode
xpack.security.transport.ssl.verification_mode: certificate
# Certificate paths: the same PKCS#12 file serves as key store and trust store
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/data/cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/data/cert/elastic-certificates.p12

# NOTE(review): only the transport layer is encrypted here. The REST ports still speak
# plain HTTP, so user names and passwords sent by browsers, clients and Kibana cross
# the network unencrypted. xpack.security.http.ssl.enabled and the related
# xpack.security.http.ssl.* settings cover that layer.
docker-compose down
docker network create --subnet=10.153.108.17/16 elasticsearch_es
docker-compose up -d

八、设置密码

docker exec -it es01 bash
bin/elasticsearch-setup-passwords interactive

输入密码

九、修改kibana

vi /usr/kibana/config/kibana.yml 

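# Account Kibana uses for its own connection to Elasticsearch.
# kibana_system is the built-in account intended for this purpose; its password is one
# of those set by `elasticsearch-setup-passwords interactive` in the previous step.
# The elastic superuser is still what you use to log in to the Kibana UI, but it should
# not be stored in this file.
elasticsearch.username: "kibana_system"
# Placeholder: substitute the kibana_system password chosen in the previous step.
# kibana.yml now contains a secret, so keep it readable only by the account that runs
# Kibana and out of version control.
elasticsearch.password: "<kibana_system-password>"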

docker-compose down
docker network create --subnet=10.153.108.17/16 elasticsearch_es
docker-compose up -d

十、查看集群状态

查看的时候会弹窗输入密码(注意:上面只为节点间通信开启了TLS,HTTP层仍是明文,输入的用户名和密码会以未加密的方式在网络上传输)

查看集群状态:http://10.153.108.17:8201/_cluster/health?pretty
查看主节点:http://10.153.108.17:8201/_cat/master
查看所有节点:http://10.153.108.17:8201/_cat/nodes

kibana:http://10.153.108.17:8601/
es01: http://10.153.108.17:8201/
es02: http://10.153.108.17:8202/
es03: http://10.153.108.17:8203/
