Reference: official documentation
Install Elasticsearch with Docker | Elasticsearch Guide [7.14] | Elastic
Running the Elastic Stack on Docker | Getting Started [7.14] | Elastic
Configure security for the Elastic Stack | Elasticsearch Guide [7.14] | Elastic
I. Single-node configuration
1. Install Elasticsearch
1.1 Pull the image
docker pull docker.elastic.co/elasticsearch/elasticsearch:7.11.0
1.2 Create the container and run it
docker run --name es -d -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.11.0
Alternatively, use a docker-compose file directly; once the containers are running you can copy the configuration files out, edit them, and then mount them back in.
1.2.1 docker-compose
version: '3.1'
services:
  es01:
    container_name: es01
    image: docker.elastic.co/elasticsearch/elasticsearch:7.11.0
    ports:
      - "9200:9200"
      - "9300:9300"
    volumes:
      - /root/docker/d-elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - /root/docker/d-elasticsearch/data:/usr/share/elasticsearch/data
      - /root/docker/d-elasticsearch/logs:/usr/share/elasticsearch/logs
    environment:
      - TZ=Asia/Shanghai
      # - "ES_JAVA_OPTS=-Xms1024m -Xmx2048m"
      - "discovery.type=single-node"
    restart: always
    networks:
      - elastic
  kib01:
    depends_on:
      - es01
    image: docker.elastic.co/kibana/kibana:7.11.0
    container_name: kib01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: http://es01:9200
    volumes:
      - /root/docker/d-elasticsearch/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic
networks:
  elastic:
    driver: bridge
1.3 Modify the configuration
1.3.1 Enter the container and open the file
docker exec -it es bash
cd config
vi elasticsearch.yml
1.3.2 Edit the file and add these properties
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
Then restart the container.
1.3.3 Set passwords
cd bin
elasticsearch-setup-passwords interactive
// output
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]Y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
1.3.4 Exit and restart
exit
docker restart es
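Before restarting, it is worth checking that the settings from 1.3.2 actually landed and what they imply. The script below is an added example, not part of the original post: it lints the flat `key: value` lines of an elasticsearch.yml, confirms that authentication and transport TLS are on, and flags the wildcard CORS origin (which permits cross-origin requests from any web page); the sample files and the `kibana.example.internal` origin are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): lint the security-relevant flat
# "key: value" lines of an elasticsearch.yml. grep/sed/tr only, so it handles
# the flat keys used on this page, not nested YAML.

# get_setting FILE KEY: print KEY's value with quotes stripped; empty if absent
get_setting() {
  grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | head -n 1 \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+$//' | tr -d "\"'"
}

# lint_es_config FILE: report findings on stderr, print the count on stdout
lint_es_config() {
  n=0
  if [ "$(get_setting "$1" xpack.security.enabled)" != true ]; then
    echo "FINDING: xpack.security.enabled is not true; 9200 answers without credentials" >&2
    n=$((n + 1))
  fi
  if [ "$(get_setting "$1" xpack.security.transport.ssl.enabled)" != true ]; then
    echo "FINDING: transport TLS off; node-to-node traffic is neither encrypted nor authenticated" >&2
    n=$((n + 1))
  fi
  if [ "$(get_setting "$1" http.cors.enabled)" = true ] &&
     [ "$(get_setting "$1" http.cors.allow-origin)" = '*' ]; then
    echo "FINDING: CORS allows every origin; pin http.cors.allow-origin to the UI origin" >&2
    n=$((n + 1))
  fi
  echo "$n"
}

# Constructed sample: exactly the settings shown in 1.3.2 (wildcard origin)
AS_POSTED=$(mktemp)
cat > "$AS_POSTED" <<'EOF'
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
EOF

# Constructed sample: same file with the origin pinned to a hypothetical UI host
PINNED=$(mktemp)
sed 's|^http.cors.allow-origin:.*|http.cors.allow-origin: "https://kibana.example.internal"|' \
  "$AS_POSTED" > "$PINNED"

echo "as posted: $(lint_es_config "$AS_POSTED") finding(s)"
echo "pinned:    $(lint_es_config "$PINNED") finding(s)"
```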
2. Install Kibana
2.1 Pull the image
docker pull docker.elastic.co/kibana/kibana:7.11.0
2.2 Create the container and run it
docker run --name kibana -d --link YOUR_ELASTICSEARCH_CONTAINER_NAME_OR_ID:elasticsearch -p 5601:5601 docker.elastic.co/kibana/kibana:7.11.0
2.3 Modify the configuration
2.3.1 Enter the container and open the file
docker exec -it kibana bash
cd config
vi kibana.yml
2.3.2 Edit the file
IpAddress: run docker inspect es to look up the internal IP address of the ES container, or simply use the ES container name.
server.name: kibana
server.host: "0.0.0.0"
elasticsearch.hosts: [ "http://{IpAddress}:9200" ]
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.username: "elastic"
elasticsearch.password: "password"
i18n.locale: "zh-CN"
2.3.3 Exit and restart
exit
docker restart kibana
II. Multi-node cluster configuration
Cluster encryption relies on SSL certificates: between the cluster nodes (to keep unauthorized nodes out of the cluster), and for clients and Kibana when they connect to ES.
1. Create the required files
1.1 instances.yml: lists the instances for which certificates will be created
instances:
  - name: es01
    dns:
      - es01
      - localhost
    ip:
      - 127.0.0.1
  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1
  - name: es03
    dns:
      - es03
      - localhost
    ip:
      - 127.0.0.1
  - name: 'kib01'
    dns:
      - kib01
      - localhost
1.2 .env: sets the environment variables for ES
COMPOSE_PROJECT_NAME=es
CERTS_DIR=/usr/share/elasticsearch/config/certificates
VERSION=7.11.0
1.3 create-certs.yml: runs a container that generates the certificates for Elasticsearch and Kibana
version: '3.1'
services:
  create_certs:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: create_certs
    command: >
      bash -c '
        yum install -y -q -e 0 unzip;
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs;
        fi;
        chown -R 1000:0 /certs
      '
    working_dir: /usr/share/elasticsearch
    volumes:
      - certs:/certs
      - .:/usr/share/elasticsearch/config/certificates
    networks:
      - elastic
volumes:
  certs:
    driver: local
networks:
  elastic:
    driver: bridge
1.4 elastic-docker-tls.yml: creates the SSL-enabled Elasticsearch cluster and Kibana
In this file:
The xpack.security.http.ssl settings encrypt client access to ES.
When ES is only reached from machines on the internal network, SSL verification of client access can be left out: remove the xpack.security.http.ssl settings from elastic-docker-tls.yml.
The xpack.security.transport settings encrypt traffic between the nodes.
version: '3.1'
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data01:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
    ports:
      - 9200:9200
    networks:
      - elastic
    healthcheck:
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5
  es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data02:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
    networks:
      - elastic
  es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es03/es03.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es03/es03.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es03/es03.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es03/es03.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data03:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
    networks:
      - elastic
  kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    #depends_on: {"es01": {"condition": "service_healthy"}}
    depends_on:
      - es01
    ports:
      - 5601:5601
    environment:
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://es01:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      ELASTICSEARCH_USERNAME: kibana_system
      ELASTICSEARCH_PASSWORD: CHANGEME
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
      SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
    volumes:
      - certs:$CERTS_DIR
    networks:
      - elastic
volumes:
  data01:
    driver: local
  data02:
    driver: local
  data03:
    driver: local
  certs:
    driver: local
networks:
  elastic:
    driver: bridge
2. Startup commands
The steps cover: generating the SSL certificates; encrypting traffic between the nodes; encrypting client access.
(Make sure Docker has 4 GB of memory available.)
2.1 Use a container to create the ES certificates
docker-compose -f create-certs.yml run --rm create_certs
2.2 Start the ES cluster and Kibana
docker-compose -f elastic-docker-tls.yml up -d
3. Set passwords
3.1 Obtain the ES passwords
Use bin/elasticsearch-setup-passwords. With interactive you choose the passwords yourself; with auto they are generated for you.
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
auto --batch --url https://es01:9200"
3.2 Update the Kibana password configuration
  kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    depends_on:
      - es01
    ports:
      - 5601:5601
    environment:
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://es01:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      ELASTICSEARCH_USERNAME: kibana_system
      ELASTICSEARCH_PASSWORD: CHANGEME
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
      SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
    volumes:
      - certs:$CERTS_DIR
    networks:
      - elastic
3.3 Restart the ES cluster and Kibana
docker-compose stop
docker-compose -f elastic-docker-tls.yml up -d
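Steps 3.1 and 3.2 hand a generated password from the auto output to the Kibana service. The script below is an added example, not part of the original post or of the Elastic docs: it parses the `PASSWORD <user> = <value>` lines that `elasticsearch-setup-passwords auto` prints, stores the kibana_system password in the .env file from 1.2 (owner-readable only) and replaces CHANGEME with a `${KIBANA_PASSWORD}` reference, the same mechanism the compose file already uses for `$CERTS_DIR`. The setup output, the .env and the compose fragment are constructed stand-ins; the password values are made up.

```shell
#!/bin/sh
# Added example (not from the original post): move the generated kibana_system
# password into .env instead of pasting it over CHANGEME in the compose file.

# Constructed sample in the tool's output format; the values are made up
SETUP_OUTPUT='Changed password for user apm_system
PASSWORD apm_system = 6ZBmQxWe2SXiFJwCqzAB
Changed password for user kibana_system
PASSWORD kibana_system = Qf6Hz0PW7JW0y3HvtLqk
Changed password for user elastic
PASSWORD elastic = NCbr0R1nrQ7pPJkwSF8L'

# extract_password OUTPUT USER: print the password the tool printed for USER
extract_password() {
  printf '%s\n' "$1" | awk -v u="$2" '$1 == "PASSWORD" && $2 == u { print $4 }'
}

# store_env_secret ENVFILE NAME VALUE: append NAME=VALUE, keep the file mode 600
store_env_secret() {
  touch "$1" && chmod 600 "$1" || return 1
  printf '%s=%s\n' "$2" "$3" >> "$1"
}

# patch_compose FILE: point ELASTICSEARCH_PASSWORD at the .env variable
patch_compose() {
  sed -i.bak 's/ELASTICSEARCH_PASSWORD: CHANGEME/ELASTICSEARCH_PASSWORD: ${KIBANA_PASSWORD}/' "$1" \
    && rm -f "$1.bak"
}

# env_mode FILE: the permission string, expected "-rw-------"
env_mode() { ls -l "$1" | cut -c1-10; }

# Constructed stand-ins for the page's .env and the kib01 block of elastic-docker-tls.yml
WORK=$(mktemp -d)
printf 'COMPOSE_PROJECT_NAME=es\nCERTS_DIR=/usr/share/elasticsearch/config/certificates\nVERSION=7.11.0\n' > "$WORK/.env"
printf '      ELASTICSEARCH_USERNAME: kibana_system\n      ELASTICSEARCH_PASSWORD: CHANGEME\n' > "$WORK/elastic-docker-tls.yml"

KIBANA_PW=$(extract_password "$SETUP_OUTPUT" kibana_system)
store_env_secret "$WORK/.env" KIBANA_PASSWORD "$KIBANA_PW"
patch_compose "$WORK/elastic-docker-tls.yml"

echo ".env mode: $(env_mode "$WORK/.env")"
grep ELASTICSEARCH_PASSWORD "$WORK/elastic-docker-tls.yml"
```

docker-compose reads .env from the directory it is run in, so keep the file beside elastic-docker-tls.yml and out of version control.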
4. Test
With the configuration above, both external access and Kibana's access to ES go over HTTPS.
curl -k -u elastic:pwd https://localhost:9200
5. Mount external configuration files
The configuration can also be supplied by mounting external files. For example:
# es01 service
    volumes:
      - data01:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
      - ./es01.yml:/usr/share/elasticsearch/config/elasticsearch.yml
# kib01 service
    volumes:
      - certs:$CERTS_DIR
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml