Installing Elasticsearch + Kibana with Docker, with password configuration

Reference: official documentation

Install Elasticsearch with Docker | Elasticsearch Guide [7.14] | Elastic

Running the Elastic Stack on Docker | Getting Started [7.14] | Elastic

Configure security for the Elastic Stack | Elasticsearch Guide [7.14] | Elastic

I. Single-node configuration

1. Install Elasticsearch

1.1 Pull the image

docker pull docker.elastic.co/elasticsearch/elasticsearch:7.11.0

1.2 Create and run the container

docker run --name es -d -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.11.0

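Alternatively, use a docker-compose file directly. Once the container has run, you can copy the configuration files out of it, edit them, and mount them back in.

1.2.1 docker-compose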

version: '3.1'
services:
  es01:
    container_name: es01
    image: docker.elastic.co/elasticsearch/elasticsearch:7.11.0
    ports:
      - "9200:9200"
      - "9300:9300"
    volumes:
      - /root/docker/d-elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - /root/docker/d-elasticsearch/data:/usr/share/elasticsearch/data
      - /root/docker/d-elasticsearch/logs:/usr/share/elasticsearch/logs
    environment:
      - TZ=Asia/Shanghai
    #  - "ES_JAVA_OPTS=-Xms1024m -Xmx2048m"
      - "discovery.type=single-node"
    restart: always
    networks:
      - elastic
 
 
  b01:
    depends_on: 
      - es01
    image: docker.elastic.co/kibana/kibana:7.11.0
    container_name: kib01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: http://es01:9200
    volumes:
      - /root/docker/d-elasticsearch/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic
networks:
  elastic:
    driver: bridge

1.3 Modify the configuration

1.3.1 Enter the container and open the file

docker exec -it es bash
cd config
vi elasticsearch.yml

1.3.2 Edit the file and add these settings

http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

Then restart the container.
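
A small check for the settings added in step 1.3.2, as an added example that is not from the original post: it reads a flat elasticsearch.yml and flags security disabled, transport SSL disabled, and a wildcard CORS origin. The function names and the origin https://kibana.example.test are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: lint the elasticsearch.yml settings edited in step 1.3.2.

# Print the last value of a flat "key: value" setting, comments and quotes stripped.
yml_get() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)
      i = index(line, ":")
      if (i == 0) next
      k = substr(line, 1, i - 1); v = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t"'\'']+|[ \t"'\'']+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# Print findings for FILE; return 0 only when nothing is flagged.
audit_es_config() {
  local f="$1" rc=0 origin
  if [ "$(yml_get "$f" xpack.security.enabled)" != "true" ]; then
    echo "FAIL xpack.security.enabled is not true: the REST API needs no credentials"; rc=1
  fi
  if [ "$(yml_get "$f" xpack.security.transport.ssl.enabled)" != "true" ]; then
    echo "WARN transport SSL is off: node-to-node traffic is plaintext"; rc=1
  fi
  origin="$(yml_get "$f" http.cors.allow-origin)"
  if [ "$(yml_get "$f" http.cors.enabled)" = "true" ] && [ "$origin" = "*" ]; then
    echo "WARN http.cors.allow-origin=*: any website's scripts may read API responses"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK"; fi
  return "$rc"
}

# Constructed sample: the five settings from step 1.3.2, with $1 as the allowed origin.
write_sample() {
  local out; out="$(mktemp)"
  printf '%s\n' 'http.cors.enabled: true' "http.cors.allow-origin: \"$1\"" \
    'http.cors.allow-headers: Authorization' 'xpack.security.enabled: true' \
    'xpack.security.transport.ssl.enabled: true' > "$out"
  echo "$out"
}

audit_es_config "$(write_sample '*')" || true                    # settings as on this page
audit_es_config "$(write_sample 'https://kibana.example.test')"  # one named origin
```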

1.3.3 Set passwords

cd bin

elasticsearch-setup-passwords interactive

// Output
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]Y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

1.3.4 Exit and restart

exit
docker restart es

2. Install Kibana

2.1 Pull the image

docker pull docker.elastic.co/kibana/kibana:7.11.0

2.2 Create and run the container

docker run --name kibana -d --link YOUR_ELASTICSEARCH_CONTAINER_NAME_OR_ID:elasticsearch -p 5601:5601 docker.elastic.co/kibana/kibana:7.11.0

2.3 Modify the configuration

2.3.1 Enter the container and open the file

docker exec -it kibana bash
cd config
vi kibana.yml

2.3.2 Edit the file

IpAddress: run docker inspect es to find the internal IP address of the es container, or simply use the es container's name instead.

server.name: kibana
server.host: "0.0.0.0"
elasticsearch.hosts: [ "http://{IpAddress}:9200" ]
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.username: "elastic"
elasticsearch.password: "password"
i18n.locale: "zh-CN"

2.3.3 Exit and restart

exit
docker restart kibana

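II. Multi-node cluster configuration

Encrypting the cluster requires SSL certificates. They cover traffic between cluster nodes (which keeps unauthorized nodes out) as well as certificate-based encryption when clients such as Kibana access Elasticsearch.

1. Create the required files

1.1 instances.yml: the file that specifies which certificates to create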

instances:
  - name: es01
    dns:
      - es01
      - localhost
    ip:
      - 127.0.0.1
  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1
  - name: es03
    dns:
      - es03
      - localhost
    ip:
      - 127.0.0.1
  - name: 'kib01'
    dns:
      - kib01
      - localhost

1.2 .env: sets the environment variables for Elasticsearch

COMPOSE_PROJECT_NAME=es
CERTS_DIR=/usr/share/elasticsearch/config/certificates
VERSION=7.11.0

1.3 create-certs.yml: creates a container that generates the certificates for Elasticsearch and Kibana

version: '3.1'
services:
  create_certs:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: create_certs
    command: >
      bash -c '
        yum install -y -q -e 0 unzip;
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs;
        fi;
        chown -R 1000:0 /certs
      '
    working_dir: /usr/share/elasticsearch
    volumes:
      - certs:/certs
      - .:/usr/share/elasticsearch/config/certificates
    networks:
      - elastic
volumes:
  certs:
    driver: local
networks:
  elastic:
    driver: bridge

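1.4 elastic-docker-tls.yml: creates the Elasticsearch cluster and Kibana with SSL authentication

In this file:

The xpack.security.http.ssl settings encrypt client access.

When access comes only from machines on an internal network, SSL verification for client access to Elasticsearch can be skipped. To do so, remove the xpack.security.http.ssl settings from elastic-docker-tls.yml.

The xpack.security.transport settings encrypt traffic between nodes.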

version: '3.1'  
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial 
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true 
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.enabled=true 
      - xpack.security.transport.ssl.verification_mode=certificate 
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data01:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
    ports:
      - 9200:9200
    networks:
      - elastic
 
 
    healthcheck:
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5
 
 
  es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data02:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
    networks:
      - elastic
 
 
  es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es03/es03.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es03/es03.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es03/es03.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es03/es03.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data03:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
    networks:
      - elastic
  kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    #depends_on: {"es01": {"condition": "service_healthy"}}
    depends_on: 
      - es01
    ports:
      - 5601:5601
    environment:
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://es01:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      ELASTICSEARCH_USERNAME: kibana_system
      ELASTICSEARCH_PASSWORD: CHANGEME
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
      SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
    volumes:
      - certs:$CERTS_DIR
    networks:
      - elastic
volumes:
  data01:
    driver: local
  data02:
    driver: local
  data03:
    driver: local
  certs:
    driver: local
 
 
networks:
  elastic:
    driver: bridge

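2. Startup commands

The main steps are: generate the SSL certificates; encrypt traffic between nodes; encrypt client access.

(Make sure Docker has 4 GB of memory.)

2.1 Use a container to create the Elasticsearch certificates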

docker-compose -f create-certs.yml run --rm create_certs

2.2 Start the Elasticsearch cluster and Kibana

docker-compose -f elastic-docker-tls.yml up -d

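3. Set passwords

3.1 Obtain the Elasticsearch passwords

Use bin/elasticsearch-setup-passwords. The interactive argument lets you choose the passwords yourself; auto generates them automatically.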

docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
auto --batch --url https://es01:9200"

3.2 Update the Kibana password configuration

  kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    depends_on: 
      - es01
    ports:
      - 5601:5601
    environment:
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://es01:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      ELASTICSEARCH_USERNAME: kibana_system
      ELASTICSEARCH_PASSWORD: CHANGEME
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
      SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
    volumes:
      - certs:$CERTS_DIR
    networks:
      - elastic

3.3 Restart the Elasticsearch cluster and Kibana

docker-compose -f elastic-docker-tls.yml stop
docker-compose -f elastic-docker-tls.yml up -d
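
One way to carry the password generated in step 3.1 into the Kibana service of step 3.2 through the existing .env file, as an added example that is not part of the original post. It assumes auto mode prints one "PASSWORD <user> = <value>" line per user with alphanumeric values; the variable name KIBANA_PASSWORD, the file name passwords.txt and the sample passwords are constructed.

```shell
#!/usr/bin/env bash
# Added example: move the kibana_system password from step 3.1 into .env for step 3.2.
# Real run, with the cluster from step 2.2 up:
#   docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
#     auto --batch --url https://es01:9200" > passwords.txt
#   set_env_var .env KIBANA_PASSWORD "$(extract_password kibana_system < passwords.txt)"
# and in elastic-docker-tls.yml:  ELASTICSEARCH_PASSWORD: ${KIBANA_PASSWORD}

# Read the tool's output on stdin and print USER's password; non-zero exit if absent.
# Assumed line format: "PASSWORD <user> = <value>".
extract_password() {
  awk -v user="$1" '
    $1 == "PASSWORD" && $2 == user && $3 == "=" { print $4; found = 1 }
    END { exit !found }'
}

# Set KEY=VALUE in an env file, replacing any earlier KEY line; result is owner-only.
set_env_var() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  if [ -f "$file" ]; then grep -v "^${key}=" "$file" > "$tmp" || true; fi
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"
}

# Constructed sample of the auto-mode output (placeholder passwords).
sample_output() {
  printf '%s\n' 'Changed password for user apm_system' \
    'PASSWORD apm_system = CONSTRUCTED0apm' '' \
    'Changed password for user kibana_system' \
    'PASSWORD kibana_system = CONSTRUCTED0kibana' '' \
    'Changed password for user elastic' \
    'PASSWORD elastic = CONSTRUCTED0elastic'
}

# Offline demo against a copy of the .env values from section 1.2.
demo_env="$(mktemp)"
printf 'COMPOSE_PROJECT_NAME=es\nVERSION=7.11.0\n' > "$demo_env"
set_env_var "$demo_env" KIBANA_PASSWORD "$(sample_output | extract_password kibana_system)"
cat "$demo_env"
```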

4. Test

With the configuration above, both external access and Kibana access use HTTPS.

https://localhost:5601.

curl -k -u elastic:pwd https://localhost:9200

5. Mounting external configuration files

External configuration files can also be mounted. For example:

    volumes:
      - data01:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
      - ./es01.yml:/usr/share/elasticsearch/config/elasticsearch.yml
 
 
    volumes:
      - certs:$CERTS_DIR
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
  


                