一、在本地Linux服务器创建目录,并授权
# 数据目录指定三台es服务
mkdir -p /es/es01/data1
mkdir -p /es/es01/data2
mkdir -p /es/es01/data3
# 配置文件目录
mkdir -p /es/es01/plugins
mkdir -p /es/es01/plugins
mkdir -p /es/es01/plugins
# 为文件授权
chmod 777 es* -R
二、创建docker-compose.yml 文件并上传至/es文件内
docker-compose.yml
version: '2.2'
services:
es01:
image: elasticsearch:7.16.2
container_name: es01
environment:
- node.name=es01
- cluster.name=es-docker-cluster
- discovery.seed_hosts=es02,es03
- cluster.initial_master_nodes=es01,es02,es03
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
volumes:
- /es/es01/elasticsearch.yml:/usr/share/elasticsearch/elasticsearch.yml
- /es/es01/data:/usr/share/elasticsearch/data
- /es/es01/plugins:/usr/share/elasticsearch/plugins
ports:
- 9200:9200
networks:
- elastic
es02:
image: elasticsearch:7.16.2
container_name: es02
environment:
- node.name=es02
- cluster.name=es-docker-cluster
- discovery.seed_hosts=es01,es03
- cluster.initial_master_nodes=es01,es02,es03
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
volumes:
- /es/es02/elasticsearch.yml:/usr/share/elasticsearch/elasticsearch.yml
- /es/es02/data:/usr/share/elasticsearch/data
- /es/es02/plugins:/usr/share/elasticsearch/plugins
ports:
ports:
- 9201:9200
networks:
- elastic
es03:
image: elasticsearch:7.16.2
container_name: es03
environment:
- node.name=es03
- cluster.name=es-docker-cluster
- discovery.seed_hosts=es01,es02
- cluster.initial_master_nodes=es01,es02,es03
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
volumes:
- /es/es03/elasticsearch.yml:/usr/share/elasticsearch/elasticsearch.yml
- /es/es03/data:/usr/share/elasticsearch/data
- /es/es03/plugins:/usr/share/elasticsearch/plugins
networks:
- elastic
ports:
- 9202:9200
networks:
elastic:
driver: bridge
三、先使用docker命令启动单节点es,获取 elastic-certificates.p12证书,为后面集群复制证书做准备
# 启动es容器
sudo docker run -dit --name=es elasticsearch:7.16.2 /bin/bash
# 进入实例内部 获取证书
sudo docker exec -it es /bin/bash
# 生成ca: elastic-stack-ca.p12
root@8553527d3dfb:/usr/share/elasticsearch# ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
# 再生成cert: elastic-certificates.p12
root@8553527d3dfb:/usr/share/elasticsearch# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
四、可以输入 ls查看证书,此时生成的证书为 elastic-certificates.p12
退出实例,快捷方式 Ctrl+d
# 将刚生成的证书复制到第一步创建的es文件中 最后一位参数表示宿主机文件存放位置 docker cp es01:/usr/share/elasticsearch/elastic-certificates.p12 /es # 关闭此容器 docker kill es # 删除容器 docker删除容器前先停止 docker rm es
此时,获取了证书 要授权 否则无法使用
chmod 777 elastic-certificates.p12
五、进入/es/es01/ 目录创建elasticsearch.yml文件
创建elasticsearch.yml
touch elasticsearch.yml
编辑此文件
elasticsearch.yml
network.host: 0.0.0.0 xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.keystore.type: PKCS12 xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12 xpack.security.transport.ssl.truststore.type: PKCS12 xpack.security.audit.enabled: true
依次进入es02、es03文件内重复创建此文件 并填充内容
六、进入docker-compose所在目录 启动集群
docker-compose up -d
此时,es集群创建完毕,查看集群
docker ps -a
此时浏览器输入 ip:9200 开始访问es集群 未设置密码状态
也可使用 cerebro工具查看es集群状态
七、复制文件
将创建的elasticsearch.yml文件依次复制到容器内部
docker cp /es/es01/elasticsearch.yml es01:/usr/share/elasticsearch/config/elasticsearch.yml
实例 es02、es03一样复制过去
之后 将之前生成的证书复制到三个es实例内
docker cp /es/elastic-certificates.p12 es01:/usr/share/elasticsearch/config/
实例 2 3 同样需要证书 执行相同操作
docker cp /es/elastic-certificates.p12 es02:/usr/share/elasticsearch/config/
docker cp /es/elastic-certificates.p12 es03:/usr/share/elasticsearch/config/
八、进入任意容器内部,设置账号密码
首先进入容器内部
docker exec -it es01 /bin/bash
自动生成密码用auto, 自己设置用
interactive
root@8553527d3dfb:/usr/share/elasticsearch# ./bin/elasticsearch-setup-passwords -h Sets the passwords for reserved users Commands -------- auto - Uses randomly generated passwords interactive - Uses passwords entered by a user Non-option arguments: command Option Description ------ ----------- -E <KeyValuePair> Configure a setting -h, --help Show help -s, --silent Show minimal output -v, --verbose Show verbose output root@8553527d3dfb:/usr/share/elasticsearch# ./bin/elasticsearch-setup-passwords auto Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user. The passwords will be randomly generated and printed to the console. Please confirm that you would like to continue [y/N]y Changed password for user apm_system PASSWORD apm_system = YxVzeT9B2jEDUjYp66Ws Changed password for user kibana PASSWORD kibana = 8NnThbj0N02iDaTGhidU Changed password for user logstash_system PASSWORD logstash_system = 9nIDGe7KSV8SQidSk8Dj Changed password for user beats_system PASSWORD beats_system = qeuVaf1VEALpJHfEUOjJ Changed password for user remote_monitoring_user PASSWORD remote_monitoring_user = DtZCrCkVTZsinRn3tW3D Changed password for user elastic PASSWORD elastic = q5f2qNfUJQyvZPIz57MZ
此时,浏览器访问 ip:9200 输入账号密码即可
九、设置密码问题
在进入容器内部设置密码时,如果提示错误可以浏览器直接访问 ip:9200 此时集群默认会存在账号密码 由于密码未知,需要修改
在容器内创建临时用户
./bin/elasticsearch-users useradd yang -r superuser Enter new password: ERROR: Invalid password...passwords must be at least [6] characters long root@8553527d3dfb:/usr/share/elasticsearch# ./bin/elasticsearch-users useradd yang -r superuser Enter new password: Retype new password:
输入临时用户的密码 即可创建临时用户,用临时用户的身份修改密码即可
curl -XPUT -u yang:123456 http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d ' { "password": "123456" }'
参数 -u后跟刚才创建的临时用户名和密码
JSON括号内设置es修改的密码
此时 浏览器输入 ip:9200 即可提示输入账号密码访问
因为集群端口设定 9200、9201、9202 所以访问任意端口即可
输入刚才设置的密码 用户名默认 elastic
输入完成即可成功登录es
此时 表示登录成功!