References:
https://www.elastic.co/guide/en/elasticsearch/reference/7.10/get-started-built-in-users.html
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.10/how-security-works.html
https://blog.51cto.com/poseidon/2414399
https://www.codenong.com/cs106417903/
https://blog.csdn.net/chajing8141/article/details/100959727
Many posts online run into the following error. It happens because the self-generated certificate is not accepted as valid, so CA verification has to be ignored:
client did not trust this server's certificate
Fix:
vi elasticsearch.yml
...
xpack.security.transport.ssl.verification_mode: none #disable certificate verification on the encrypted transport layer
xpack.security.http.ssl.client_authentication: none #disable client certificate verification
xpack.http.ssl.verification_mode: none #disable verification; many documents differ here, probably due to version changes, and this method proved most effective in my tests.
#images used in this article
docker.elastic.co/elasticsearch/elasticsearch:7.10.0
docker.elastic.co/kibana/kibana:7.10.0
docker.elastic.co/logstash/logstash:7.10.0
#all hosts (134/135/136)
Deploy a 3-node ES cluster and one Kibana
cat << EOF >> /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc 32000
* hard nproc 32000
* hard memlock unlimited
* soft memlock unlimited
EOF
cat << EOF >> /etc/systemd/system.conf
DefaultLimitNOFILE=65536
DefaultLimitNPROC=32000
DefaultLimitMEMLOCK=infinity
EOF
mkdir -p /data/es_new_data/data
chmod -R 777 /data/es_new_data/
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -p
sysctl -w vm.max_map_count=262144
grep vm.max_map_count /etc/sysctl.conf
cat << EOF > /data/es_new_data/elasticsearch.yml
cluster.name: "es-cluster" #cluster name
network.host: 0.0.0.0 #listen address
http.cors.enabled: true #let the head plugin reach ES
http.cors.allow-origin: "*" #work around cross-origin restrictions
xpack.security.enabled: true #enable authenticated access
xpack.security.transport.ssl.enabled: true #enable SSL on the transport layer
xpack.security.transport.ssl.verification_mode: none #disable certificate verification on the encrypted transport layer
#this keystore must be generated inside the container beforehand
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/data/elastic-certificates.p12 #keystore
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/data/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: none #disable client certificate verification
xpack.http.ssl.verification_mode: none #disable verification; many documents differ here, probably due to version changes, and this method proved most effective in my tests.
EOF
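The elasticsearch.yml above, like the verification_mode workaround at the top of the post, keeps transport encryption but gives up peer authentication. As an added example that is not part of the original post, this POSIX sh script audits an elasticsearch.yml for those keys and shows the hardened values beside the weak ones; the head-plugin origin in the hardened sample is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an elasticsearch.yml for the
# security keys this post sets and report the values that weaken the cluster.
# Usage: sh audit.sh /data/es_new_data/elasticsearch.yml  (exit status = number of findings)

# Value of a top-level YAML key in file $1: strips the trailing "# comment" and quotes.
yaml_get() {
  grep "^[[:space:]]*$2:" "$1" | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

audit_es_yml() {
  f="$1"; n=0
  [ "$(yaml_get "$f" xpack.security.enabled)" = true ] \
    || { echo "xpack.security.enabled is not true: port 9200 answers anonymous requests"; n=$((n+1)); }
  [ "$(yaml_get "$f" xpack.security.transport.ssl.enabled)" = true ] \
    || { echo "transport SSL is off: node-to-node traffic on 9300 is cleartext"; n=$((n+1)); }
  case "$(yaml_get "$f" xpack.security.transport.ssl.verification_mode)" in
    none)
      # elastic-certificates.p12 from certutil also holds the CA, so with it as the
      # truststore every node can validate its peers: 'certificate' keeps encryption
      # and adds peer authentication, which 'none' gives up.
      echo "transport verification_mode=none: any peer certificate is accepted; use certificate (or full)"
      n=$((n+1)) ;;
  esac
  [ "$(yaml_get "$f" http.cors.allow-origin)" = '*' ] \
    && { echo "http.cors.allow-origin=*: restrict it to the head plugin's own origin"; n=$((n+1)); }
  return "$n"
}

# Constructed samples: the post's settings, then a hardened variant of the same keys.
weak_sample() {
  printf '%s\n' 'xpack.security.enabled: true #enable security' \
    'xpack.security.transport.ssl.enabled: true' \
    'xpack.security.transport.ssl.verification_mode: none #verification off' \
    'http.cors.allow-origin: "*"'
}
hardened_sample() {
  printf '%s\n' 'xpack.security.enabled: true' \
    'xpack.security.transport.ssl.enabled: true' \
    'xpack.security.transport.ssl.verification_mode: certificate' \
    'http.cors.allow-origin: "http://head.example.internal"'
}

if [ -n "${1:-}" ]; then audit_es_yml "$1"; fi
```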
#enter a throw-away container to generate the CA and node certificate (the data
#directory is mounted so the copied p12 survives the container's exit)
docker run --rm --name es_test -it \
-v /data/es_new_data/data:/usr/share/elasticsearch/data \
docker.elastic.co/elasticsearch/elasticsearch:7.10.0 bash
elasticsearch-certutil ca #generate the CA (elastic-stack-ca.p12)
elasticsearch-certutil cert --ca elastic-stack-ca.p12 #generate the node certificate and key (elastic-certificates.p12)
cp elastic-certificates.p12 /usr/share/elasticsearch/data/elastic-certificates.p12
#on the host:
chmod 666 /usr/share/elasticsearch/data/elastic-*
Copy elastic-certificates.p12 into /data/es_new_data/data on every host and mind the permissions:
the process inside the ES container runs as user elasticsearch, so either give the file mode 666 on the host, or run this inside the container:
chown elasticsearch:elasticsearch elastic-certificates.p12
134
#node.name: this node's name; network.publish_host: this host's own address;
#discovery.seed_hosts: the other hosts; cluster.initial_master_nodes: all hosts;
#cluster.name: must be identical on every node;
#bootstrap.memory_lock=false: memory lock, the node errors out if it is left on.
#(a "#" comment after a trailing "\" breaks the line continuation, so the notes are kept here)
docker run -d --name es_new --hostname es_new \
-p 9200:9200 -p 9300:9300 \
-e node.name=master04 \
-e network.publish_host=172.31.64.134 \
-e discovery.seed_hosts=172.31.64.135,172.31.64.136 \
-e cluster.initial_master_nodes=172.31.64.134,172.31.64.135,172.31.64.136 \
-e cluster.name=es-cluster \
-e bootstrap.memory_lock=false \
-v /etc/localtime:/etc/localtime \
-v /data/es_new_data/data:/usr/share/elasticsearch/data \
-v /data/es_new_data/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
172.31.64.130:443/project/elasticsearch:7.10.0
135
docker run -d --name es_new --hostname es_new \
-p 9200:9200 -p 9300:9300 \
-e node.name=master05 \
-e network.publish_host=172.31.64.135 \
-e discovery.seed_hosts=172.31.64.134,172.31.64.136 \
-e cluster.initial_master_nodes=172.31.64.134,172.31.64.135,172.31.64.136 \
-e cluster.name=es-cluster \
-e bootstrap.memory_lock=false \
-v /etc/localtime:/etc/localtime \
-v /data/es_new_data/data:/usr/share/elasticsearch/data \
-v /data/es_new_data/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
172.31.64.130:443/project/elasticsearch:7.10.0
136
docker run -d --name es_new --hostname es_new \
-p 9200:9200 -p 9300:9300 \
-e node.name=master06 \
-e network.publish_host=172.31.64.136 \
-e discovery.seed_hosts=172.31.64.134,172.31.64.135 \
-e cluster.initial_master_nodes=172.31.64.134,172.31.64.135,172.31.64.136 \
-e cluster.name=es-cluster \
-e bootstrap.memory_lock=false \
-v /etc/localtime:/etc/localtime \
-v /data/es_new_data/data:/usr/share/elasticsearch/data \
-v /data/es_new_data/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
172.31.64.130:443/project/elasticsearch:7.10.0
#generate passwords for the built-in users
docker exec -it es_new elasticsearch-setup-passwords auto
Changed password for user apm_system
PASSWORD apm_system = fnwxpvFcE0
Changed password for user kibana_system
PASSWORD kibana_system = 7y5vKf5
Changed password for user kibana
PASSWORD kibana = 7y5vKf5M5h
Changed password for user logstash_system
PASSWORD logstash_system = bBiW
Changed password for user beats_system
PASSWORD beats_system = JpA7zpRp
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = GgmY
Changed password for user elastic
PASSWORD elastic = LxUwwJW4sK3
136
#kibana settings
mkdir -p /data/kibana_new_data/data
chmod -R 777 /data/kibana_new_data
cat <<EOF >>/data/kibana_new_data/kibana.yml
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "http://172.31.64.134:9200","http://172.31.64.135:9200","http://172.31.64.136:9200" ]
elasticsearch.username: "kibana"
elasticsearch.password: "7y5vKf5M5hsXN8wQEiWL"
xpack.monitoring.ui.container.elasticsearch.enabled: true
i18n.locale: "zh-CN"
EOF
#start kibana
docker run -p 5601:5601 --name kibana_new \
-v /etc/localtime:/etc/localtime \
-v /data/kibana_new_data/data:/usr/share/kibana/data \
-v /data/kibana_new_data/kibana.yml:/usr/share/kibana/config/kibana.yml \
-d 172.31.64.130:443/project/kibana:7.10.0
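Once the three nodes and Kibana are up, a short smoke test confirms that the security settings actually took effect: anonymous requests are rejected, the elastic user can read cluster health from every node, and port 9300 speaks TLS. Added example, not from the original post; it assumes the post's host addresses and that ES_PASS is set to the elastic password printed by elasticsearch-setup-passwords (a placeholder below).

```shell
#!/bin/sh
# Added example, not part of the original post: smoke-test the cluster once the
# three nodes are running. Assumes the post's host addresses; ES_PASS must be the
# "elastic" password printed by elasticsearch-setup-passwords (placeholder below).
ES_HOSTS="${ES_HOSTS:-172.31.64.134 172.31.64.135 172.31.64.136}"
ES_PASS="${ES_PASS:-CHANGE_ME}"

# HTTP status of a GET on $1, with basic auth when $2 (user:pass) is given.
http_code() {
  if [ -n "${2:-}" ]; then curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
  else curl -s -o /dev/null -w '%{http_code}' "$1"; fi
}

# number_of_nodes from a _cluster/health JSON document passed as $1 (empty if absent).
health_nodes() {
  printf '%s' "$1" | sed -n 's/.*"number_of_nodes":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Does port 9300 offer a certificate in a TLS handshake? Only proves transport SSL
# is on; it does not validate the chain (verification_mode is the node's job).
transport_is_tls() {
  printf '' | openssl s_client -connect "$1:9300" 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

verify_cluster() {
  rc=0
  for h in $ES_HOSTS; do
    # 1. authentication is enforced: an anonymous request must get 401
    c="$(http_code "http://$h:9200/")"
    [ "$c" = 401 ] || { echo "$h: anonymous GET returned $c, expected 401"; rc=1; }
    # 2. the elastic credentials work and this node sees all three nodes
    j="$(curl -s -u "elastic:$ES_PASS" "http://$h:9200/_cluster/health")"
    n="$(health_nodes "$j")"
    [ "$n" = 3 ] || { echo "$h: number_of_nodes=${n:-?}, expected 3"; rc=1; }
    # 3. node-to-node traffic is encrypted
    transport_is_tls "$h" || { echo "$h: no TLS certificate offered on 9300"; rc=1; }
  done
  return "$rc"
}

if [ "${1:-}" = run ]; then verify_cluster; fi
```

Run it as `ES_PASS='<elastic password>' sh verify.sh run`; a non-zero exit status means at least one node failed a check.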