Installing an Elasticsearch 7.14.0 Cluster with Docker and Setting Passwords

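Starting with 6.8, Elasticsearch lets free users use the X-Pack security features; before that, ES was typically installed with no protection at all. The following records how to configure security authentication.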

  1. Environment: CentOS 8.5

  2. Elasticsearch version: 7.14.0

  3. User: root

    Everything here is run as root; if you are using a regular user, remember to prefix the commands with sudo.

I. Basic Configuration

  1. Modify the Linux vm.max_map_count parameter.

    Set vm.max_map_count=262144

    vim /etc/sysctl.conf
    vm.max_map_count=262144
    
    • Command to apply the setting immediately, without rebooting:

      sysctl -w vm.max_map_count=262144
      
  2. Install 3 Elasticsearch nodes as a cluster: pick a suitable location and create the directories for the configuration, log, and data files

    mkdir -p elasticsearch01/data elasticsearch01/logs
    mkdir -p elasticsearch02/data elasticsearch02/logs
    mkdir -p elasticsearch03/data elasticsearch03/logs
    mkdir config && touch config/elasticsearch.yml
    mkdir plugins
    

  3. Create the user and get the user's id

    # Create the elasticsearch user
    useradd elasticsearch
    # Set a password for the elasticsearch user
    passwd elasticsearch
    # Add elasticsearch to the docker group (create the docker group first if it does not exist)
    usermod -G docker elasticsearch
    # Restart docker
    systemctl restart docker
    
  4. Give the elasticsearch user ownership of the directories just created

    # Go back up one level and change the ownership
    chown -R elasticsearch elasticsearch
    

  5. Get the id of the elasticsearch user

    cat /etc/passwd | grep elasticsearch
    # The id obtained here is 1001
    

II. Pull the Image and Write the Compose File

  1. Pull the image

    docker pull elasticsearch:7.14.0
    
  2. Create docker-compose.yml

    version: '3.8'
    services:
      elasticsearch01:
        image: elasticsearch:7.14.0
        container_name: elasticsearch01
        environment:
          - node.name=elasticsearch01
          - cluster.name=elasticsearch-docker-cluster
          - discovery.seed_hosts=elasticsearch02,elasticsearch03
          - cluster.initial_master_nodes=elasticsearch01,elasticsearch02,elasticsearch03
          - bootstrap.memory_lock=true
          - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
        user: "1001"
        ulimits:
          memlock:
            soft: -1
            hard: -1
        volumes:
          - ./elasticsearch01/data:/usr/share/elasticsearch/data
          - ./elasticsearch01/logs:/usr/share/elasticsearch/logs
          - ./plugins:/usr/share/elasticsearch/plugins
          - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
          - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
        ports:
          - 9200:9200
        networks:
          mynet:
            ipv4_address: 172.88.0.5
    
      elasticsearch02:
        image: elasticsearch:7.14.0
        container_name: elasticsearch02
        environment:
          - node.name=elasticsearch02
          - cluster.name=elasticsearch-docker-cluster
          - discovery.seed_hosts=elasticsearch01,elasticsearch03
          - cluster.initial_master_nodes=elasticsearch01,elasticsearch02,elasticsearch03
          - bootstrap.memory_lock=true
          - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
        user: "1001"
        ulimits:
          memlock:
            soft: -1
            hard: -1
        volumes:
          - ./elasticsearch02/data:/usr/share/elasticsearch/data
          - ./elasticsearch02/logs:/usr/share/elasticsearch/logs
          - ./plugins:/usr/share/elasticsearch/plugins
          - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
          - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
        networks:
          mynet:
            ipv4_address: 172.88.0.6
    
      elasticsearch03:
        image: elasticsearch:7.14.0
        container_name: elasticsearch03
        environment:
          - node.name=elasticsearch03
          - cluster.name=elasticsearch-docker-cluster
          - discovery.seed_hosts=elasticsearch01,elasticsearch02
          - cluster.initial_master_nodes=elasticsearch01,elasticsearch02,elasticsearch03
          - bootstrap.memory_lock=true
          - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
        user: "1001"
        ulimits:
          memlock:
            soft: -1
            hard: -1
        volumes:
          - ./elasticsearch03/data:/usr/share/elasticsearch/data
          - ./elasticsearch03/logs:/usr/share/elasticsearch/logs
          - ./plugins:/usr/share/elasticsearch/plugins
          - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
          - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
        networks:
          mynet:
            ipv4_address: 172.88.0.7
    
    networks:
      mynet:
        external: true
    
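    1. version: look up the value that matches your installed Docker on the official Docker site

    2. user: fill in the id of the user added earlier

  3. Write the configuration file elasticsearch.yml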

    vim config/elasticsearch.yml
    

    Contents:

    network.host: 0.0.0.0
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.keystore.type: PKCS12
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
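    xpack.security.transport.ssl.keystore.password: <password set when generating elastic-certificates.p12 below; omit this line if no password was set>
    xpack.security.transport.ssl.truststore.password: <password set when generating elastic-certificates.p12 below; omit this line if no password was set>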
    xpack.security.transport.ssl.truststore.type: PKCS12
    xpack.security.audit.enabled: true
    
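    • network.host allows access from other IPs by removing the IP binding
    • xpack.security holds the security settings; the SSL certificate they refer to has to be generated manually
  4. Generate the certificate elastic-certificates.p12

    ES provides a certificate tool, elasticsearch-certutil. We can generate the certificate inside a Docker instance, copy it out, and use the same file on every node.

    First start an ES instance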

    docker run -d --name=elasticsearch -e "discovery.type=single-node" elasticsearch:7.14.0
    

    Enter the instance

    docker exec -it elasticsearch bash
    
  5. Generate the CA: elastic-stack-ca.p12

    ./bin/elasticsearch-certutil ca
    

  6. Then generate the cert: elastic-certificates.p12

    ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    

    This produces elastic-certificates.p12, which is copied into the config directory in the next step

  7. Exit the container (shortcut: Ctrl + D) and copy the certificate out

    # Run the following command for each config directory:
    docker cp elasticsearch:/usr/share/elasticsearch/elastic-certificates.p12 ./config
    

  8. Delete that container

    docker rm -f elasticsearch
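
A check for the elasticsearch.yml written in step 3, added here as an example and not part of the original post: it flags disabled authentication or transport TLS, keystore passwords left in plaintext in the yml, and an HTTP layer without TLS. The yaml_get and audit_es_config helpers and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a flat elasticsearch.yml.

# yaml_get FILE KEY: print the value of a top-level "key: value" line, if present.
yaml_get() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    { i = index($0, ":"); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) found = val }
    END { print found }' "$1"
}

# audit_es_config FILE: print one FAIL or WARN line per problem found.
audit_es_config() {
  f=$1; x=xpack.security; t=$x.transport.ssl
  [ "$(yaml_get "$f" "$x.enabled")" = true ] ||
    echo "FAIL $x.enabled is not true: requests are not authenticated"
  [ "$(yaml_get "$f" "$t.enabled")" = true ] ||
    echo "FAIL $t.enabled is not true: node-to-node traffic is unencrypted"
  [ "$(yaml_get "$f" "$t.verification_mode")" != none ] ||
    echo "FAIL $t.verification_mode is none: peer certificates are not checked"
  for s in keystore truststore; do
    [ -z "$(yaml_get "$f" "$t.$s.password")" ] ||
      echo "WARN $t.$s.password is plaintext in the yml: store $t.$s.secure_password in elasticsearch-keystore instead"
  done
  [ "$(yaml_get "$f" "$x.http.ssl.enabled")" = true ] ||
    echo "WARN $x.http.ssl.enabled is not true: passwords cross port 9200 over plain HTTP"
  return 0
}

# Constructed sample mirroring the elasticsearch.yml above (password is a placeholder).
sample=$(mktemp)
cat > "$sample" <<'EOF'
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: PLACEHOLDER
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF
audit_es_config "$sample"
rm -f "$sample"
```

For the sample, which follows the configuration above, the audit prints two WARN lines: the plaintext keystore password and the missing HTTP-layer TLS.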
    

III. Installing from the Image

  1. Switch to the elasticsearch user created earlier

    su elasticsearch
    
  2. From the directory one level above the ES cluster directories, run docker-compose to install the cluster

    docker-compose up
    

  3. Enter one of the nodes to generate the passwords

    docker exec -it elasticsearch01 bash
    

IV. Generating Passwords

  1. Use auto to generate the passwords, or interactive to set them yourself

    [root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords -h
    Sets the passwords for reserved users

    Commands
    --------
    auto - Uses randomly generated passwords
    interactive - Uses passwords entered by a user

    Non-option arguments:
    command

    Option             Description
    ------             -----------
    -E <KeyValuePair>  Configure a setting
    -h, --help         Show help
    -s, --silent       Show minimal output
    -v, --verbose      Show verbose output

    [root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords auto
    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
    The passwords will be randomly generated and printed to the console.
    Please confirm that you would like to continue [y/N]y


    Changed password for user apm_system
    PASSWORD apm_system = YxVzeT9B2jEDUjYp66Ws

    Changed password for user kibana
    PASSWORD kibana = 8NnThbj0N02iDaTGhidU

    Changed password for user logstash_system
    PASSWORD logstash_system = 9nIDGe7KSV8SQidSk8Dj

    Changed password for user beats_system
    PASSWORD beats_system = qeuVaf1VEALpJHfEUOjJ

    Changed password for user remote_monitoring_user
    PASSWORD remote_monitoring_user = DtZCrCkVTZsinRn3tW3D

    Changed password for user elastic
    PASSWORD elastic = q5f2qNfUJQyvZPIz57MZ
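
Because auto prints the passwords to the console exactly once, the following added example (not part of the original post) parses that output format into a file readable only by its owner and reports any announced reserved user that got no PASSWORD line. The save_passwords helper, the file names, and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: keep generated passwords out of
# the terminal scrollback by writing them to a file only the owner can read.

# save_passwords OUTFILE: read the output of `elasticsearch-setup-passwords auto`
# on stdin, write "user=password" lines to OUTFILE (mode 600), and print any
# reserved user that was announced but never received a PASSWORD line.
save_passwords() {
  out=$1
  ( umask 077; : > "$out" ) || return 1
  chmod 600 "$out" || return 1
  awk -v out="$out" '
    /^Initiating the setup of passwords for reserved users / {
      list = $NF; sub(/\.$/, "", list); n = split(list, announced, ",")
    }
    /^PASSWORD [^ ]+ = / { seen[$2] = 1; print $2 "=" $4 >> out }
    END { for (i = 1; i <= n; i++) if (!(announced[i] in seen)) print announced[i] }'
}

# Constructed sample in the tool's output format (values are placeholders).
sample='Initiating the setup of passwords for reserved users elastic,apm_system,kibana.

Changed password for user apm_system
PASSWORD apm_system = EXAMPLE-ONLY-0001

Changed password for user elastic
PASSWORD elastic = EXAMPLE-ONLY-0002'

dir=$(mktemp -d)
missing=$(printf '%s\n' "$sample" | save_passwords "$dir/es-passwords")
echo "stored for: $(cut -d= -f1 "$dir/es-passwords" | tr '\n' ' ')"
echo "no password seen for: $missing"
rm -rf "$dir"

# Real use, run on the Docker host (--batch skips the confirmation prompt):
#   docker exec -i elasticsearch01 ./bin/elasticsearch-setup-passwords auto --batch \
#     | save_passwords ./es-passwords
```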

V. Testing

Opening localhost:9200/9201/9202 in a browser now requires credentials

Enter elastic and the corresponding password

Open localhost:5601 in a browser

VI. Forgotten Password

If you forget the passwords after generating them, you can go into the machine and change them.

Enter the ES machine

    sudo docker exec -it es01 /bin/bash

Create a temporary superuser, RyanMiao

    ./bin/elasticsearch-users useradd ryan -r superuser
    Enter new password: 
    ERROR: Invalid password...passwords must be at least [6] characters long
    [root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-users useradd ryan -r superuser
    Enter new password: 
    Retype new password: 

Use this user to change the password of elastic:

    curl -XPUT -u ryan:ryan123 http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d '
    {
      "password": "q5f2qNfUJQyvZPIz57MZ"
    }'