centos7.7环境下使用docker-compose部署elasticsearch7.4集群并设置密码


Elasticsearch从6.8开始,允许免费用户使用X-Pack的安全功能,设置密码了会让系统安全很多

因为es是有状态的系统,生产环境中最好直接部署在宿主机中,此次部署是测试开发环境,直接使用docker进行部署,方便快速创建集群


环境:centos7.7_x86_64

宿主机IP:http://10.10.17.64/

安装环境和卷均挂载到 /data/elasticsearch 目录中

1.es需要修改linux宿主机的一些参数

设置vm.max_map_count=262144

sudo vim /etc/sysctl.conf
vm.max_map_count=262144

不重启, 直接生效当前的命令
sysctl -w vm.max_map_count=262144

2.创建对应的数据存储文件

mkdir /data/elasticsearch
cd /data/elasticsearch
mkdir -p elastic01/data
mkdir -p elastic01/logs
mkdir -p elastic02/data
mkdir -p elastic02/logs
mkdir -p elastic03/data
mkdir -p elastic03/logs


## 为简单起见,这里暂且授权给所有人好了
sudo chmod 777 elastic* -R

3.获取基础镜像

# docker pull docker.elastic.co/elasticsearch/elasticsearch:7.4.0


4.创建docker-compose.yml

# elasticsearch集群暴露在宿主机中使用的端口分别9201/9202/9203(将集群内部elasticsearch的9200端口分布映射出来)

# cat /data/elasticsearch/docker-compose.yml

version: '2.2'
services:
  elastic01:
    image: elasticsearch:7.4.0
    container_name: elastic01
    environment:
      - node.name=elastic01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=elastic02,elastic03
      - cluster.initial_master_nodes=elastic01,elastic02,elastic03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elastic01/data:/usr/share/elasticsearch/data
      - ./elastic01/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9201:9200
    networks:
      - elastic
  elastic02:
    image: elasticsearch:7.4.0
    container_name: elastic02
    environment:
      - node.name=elastic02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=elastic01,elastic03
      - cluster.initial_master_nodes=elastic01,elastic02,elastic03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elastic02/data:/usr/share/elasticsearch/data
      - ./elastic02/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9202:9200
    networks:
      - elastic
  elastic03:
    image: elasticsearch:7.4.0
    container_name: elastic03
    environment:
      - node.name=elastic03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=elastic01,elastic02
      - cluster.initial_master_nodes=elastic01,elastic02,elastic03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elastic03/data:/usr/share/elasticsearch/data
      - ./elastic03/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9203:9200
    networks:
      - elastic
  kib01:
    depends_on: 
      - elastic01
    image: kibana:7.4.0
    container_name: kib01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_URL: http://elastic01:9200
      ELASTICSEARCH_HOSTS: http://elastic01:9200
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic
networks:
  elastic:
    driver: bridge

5.配置elasticsearch

# cat /data/elasticsearch/elasticsearch.yml

network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12

network.host 设置允许其他ip访问,解除ip绑定
xpack.security 则是安全相关配置,其中ssl的证书需要自己生成

6.生成证书elastic-certificates.p12

# 临时运行一个容器,在其中生成证书

docker run -dit --name=es elasticsearch:7.4.0 /bin/bash

es提供了生成证书的工具elasticsearch-certutil,我们可以在docker实例中生成它,然后拷贝出来,然后给集群使用

首先运行一个叫做 es 的docker实例

docker run -dit --name=es elasticsearch:7.4.0 /bin/bash

进入实例内部,生成证书

docker exec -it es /bin/bash

生成ca: elastic-stack-ca.p12

[root@36g848ff62 elasticsearch]# ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 : 
再生成cert: elastic-certificates.p12
[root@36g848ff62 elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.

这个生成elastic-certificates.p12 就是我们需要使用的。

复制出证书, ctrl+d退出容器内部

docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 /data/elasticsearch/

至此,生成证书完毕


7.生成密码

我们首先要启动es集群,去里面生成密码。

在启动容器前需要配置kibana.yml,否则启动会失败,记得后面密码生成完成后需要修改密码部分

# cat /data/elasticsearch/kibana.yml 
server.host: "0.0.0.0"
elasticsearch.username: "kibana"
elasticsearch.password: "pass"
docker-compose up

然后进入其中一台

docker exec -it elastic01 /bin/bash

生成密码用auto, 自己设置用 interactive

[root@5760a2da8831 elasticsearch]# ./bin/elasticsearch-setup-passwords -h
Sets the passwords for reserved users
Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user
Non-option arguments:
command              
Option         Description        
------         -----------        
-h, --help     show help          
-s, --silent   show minimal output
-v, --verbose  show verbose output
# 自动生成密码
[root@5760a2da8831 elasticsearch]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = O49pTKFDnKLohMZniEod
Changed password for user kibana
PASSWORD kibana = bsrRfRjpmFi8YEKZ9VKa
Changed password for user logstash_system
PASSWORD logstash_system = bLdyzqjFtVVcCH0nj9vu
Changed password for user beats_system
PASSWORD beats_system = O9J9C0JeO9spv9mWCdIH
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = jEZc6IPOyWXE9I7Qj9F7
Changed password for user elastic
PASSWORD elastic = B6NoHgkYRdQiuwTP8r32

8.验证集群状态

# 进入集群内部测试验证集群的状态

[root@sz_cxzx_n004dev03_17_64 elasticsearch]# docker exec -it elastic03 bash
[root@bf67589ab0f3 elasticsearch]# curl -u elastic:B6NoHgkYRdQiuwTP8r32 elastic01:9200/_cluster/health?pretty
  "cluster_name" : "es-docker-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 1,
  "active_shards" : 2,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
[root@bf67589ab0f3 elasticsearch]# curl -u elastic:B6NoHgkYRdQiuwTP8r32 elastic02:9200/_cluster/health?pretty
  "cluster_name" : "es-docker-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 1,
  "active_shards" : 2,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
[root@bf67589ab0f3 elasticsearch]# curl -u elastic:B6NoHgkYRdQiuwTP8r32 elastic03:9200/_cluster/health?pretty
  "cluster_name" : "es-docker-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 1,
  "active_shards" : 2,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0

通过浏览器访问

kibana配置

# 如果中途 docker-compose.yml 有变更

需要先清理环境
docker-compose stop
docker-compose rm

更新文件后重新启动集群
docker-compose up -d

重新启动后的集群,密码信息还继续保留

忘记密码

如果生成后忘记密码了可以进入机器去修改

进入es的机器

docker exec -it elastic03 /bin/bash

创建一个临时的超级用户 jack

./bin/elasticsearch-users useradd jack -r superuser
Enter new password:
ERROR: Invalid password...passwords must be at least [6] characters long

./bin/elasticsearch-users useradd jack -r superuser
Enter new password:
Retype new password:

用这个用户去修改elastic的密码:

curl -XPUT -u jack:jack123 http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d '
{
  "password": "B6NoHgkYRdQiuwTP8r32"
}'