centos7.7环境下使用docker-compose部署elasticsearch7.4集群并设置密码
Elasticsearch从6.8开始,允许免费用户使用X-Pack的安全功能,设置密码了会让系统安全很多
因为es是有状态的系统,生产环境中最好直接部署在宿主机中,此次部署是测试开发环境,直接使用docker进行部署,方便快速创建集群
环境:centos7.7_x86_64
宿主机IP:http://10.10.17.64/
安装环境和卷均挂载到 /data/elasticsearch 目录中
1.es需要修改linux宿主机的一些参数
设置vm.max_map_count=262144
sudo vim /etc/sysctl.conf
vm.max_map_count=262144
不重启, 直接生效当前的命令
sysctl -w vm.max_map_count=262144
2.创建对应的数据存储文件
mkdir /data/elasticsearch
cd /data/elasticsearch
mkdir -p elastic01/data
mkdir -p elastic01/logs
mkdir -p elastic02/data
mkdir -p elastic02/logs
mkdir -p elastic03/data
mkdir -p elastic03/logs
## 为简单起见,这里暂且授权给所有人好了
sudo chmod 777 elastic* -R
3.获取基础镜像
# docker pull docker.elastic.co/elasticsearch/elasticsearch:7.4.0
4.创建docker-compose.yml
# elasticsearch集群暴露在宿主机中使用的端口分别9201/9202/9203(将集群内部elasticsearch的9200端口分布映射出来)
# cat /data/elasticsearch/docker-compose.yml
version: '2.2'
services:
elastic01:
image: elasticsearch:7.4.0
container_name: elastic01
environment:
- node.name=elastic01
- cluster.name=es-docker-cluster
- discovery.seed_hosts=elastic02,elastic03
- cluster.initial_master_nodes=elastic01,elastic02,elastic03
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- ./elastic01/data:/usr/share/elasticsearch/data
- ./elastic01/logs:/usr/share/elasticsearch/logs
- ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
ports:
- 9201:9200
networks:
- elastic
elastic02:
image: elasticsearch:7.4.0
container_name: elastic02
environment:
- node.name=elastic02
- cluster.name=es-docker-cluster
- discovery.seed_hosts=elastic01,elastic03
- cluster.initial_master_nodes=elastic01,elastic02,elastic03
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- ./elastic02/data:/usr/share/elasticsearch/data
- ./elastic02/logs:/usr/share/elasticsearch/logs
- ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
ports:
- 9202:9200
networks:
- elastic
elastic03:
image: elasticsearch:7.4.0
container_name: elastic03
environment:
- node.name=elastic03
- cluster.name=es-docker-cluster
- discovery.seed_hosts=elastic01,elastic02
- cluster.initial_master_nodes=elastic01,elastic02,elastic03
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- ./elastic03/data:/usr/share/elasticsearch/data
- ./elastic03/logs:/usr/share/elasticsearch/logs
- ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
ports:
- 9203:9200
networks:
- elastic
kib01:
depends_on:
- elastic01
image: kibana:7.4.0
container_name: kib01
ports:
- 5601:5601
environment:
ELASTICSEARCH_URL: http://elastic01:9200
ELASTICSEARCH_HOSTS: http://elastic01:9200
volumes:
- ./kibana.yml:/usr/share/kibana/config/kibana.yml
networks:
- elastic
networks:
elastic:
driver: bridge
5.配置elasticsearch
# cat /data/elasticsearch/elasticsearch.yml
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
network.host 设置允许其他ip访问,解除ip绑定
xpack.security 则是安全相关配置,其中ssl的证书需要自己生成
6.生成证书elastic-certificates.p12
# 临时运行一个容器,在其中生成证书
docker run -dit --name=es elasticsearch:7.4.0 /bin/bash
es提供了生成证书的工具elasticsearch-certutil,我们可以在docker实例中生成它,然后拷贝出来,然后给集群使用
首先运行一个叫做 es 的docker实例
docker run -dit --name=es elasticsearch:7.4.0 /bin/bash
进入实例内部,生成证书
docker exec -it es /bin/bash
生成ca: elastic-stack-ca.p12
[root@36g848ff62 elasticsearch]# ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
再生成cert: elastic-certificates.p12
[root@36g848ff62 elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
这个生成elastic-certificates.p12 就是我们需要使用的。
复制出证书, ctrl+d退出容器内部
docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 /data/elasticsearch/
至此,生成证书完毕
7.生成密码
我们首先要启动es集群,去里面生成密码。
在启动容器前需要配置kibana.yml,否则启动会失败,记得后面密码生成完成后需要修改密码部分
# cat /data/elasticsearch/kibana.yml
server.host: "0.0.0.0"
elasticsearch.username: "kibana"
elasticsearch.password: "pass"
docker-compose up
然后进入其中一台
docker exec -it elastic01 /bin/bash
生成密码用auto, 自己设置用 interactive
[root@5760a2da8831 elasticsearch]# ./bin/elasticsearch-setup-passwords -h
Sets the passwords for reserved users
Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user
Non-option arguments:
command
Option Description
------ -----------
-h, --help show help
-s, --silent show minimal output
-v, --verbose show verbose output
# 自动生成密码
[root@5760a2da8831 elasticsearch]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = O49pTKFDnKLohMZniEod
Changed password for user kibana
PASSWORD kibana = bsrRfRjpmFi8YEKZ9VKa
Changed password for user logstash_system
PASSWORD logstash_system = bLdyzqjFtVVcCH0nj9vu
Changed password for user beats_system
PASSWORD beats_system = O9J9C0JeO9spv9mWCdIH
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = jEZc6IPOyWXE9I7Qj9F7
Changed password for user elastic
PASSWORD elastic = B6NoHgkYRdQiuwTP8r32
8.验证集群状态
# 进入集群内部测试验证集群的状态
[root@sz_cxzx_n004dev03_17_64 elasticsearch]# docker exec -it elastic03 bash
[root@bf67589ab0f3 elasticsearch]# curl -u elastic:B6NoHgkYRdQiuwTP8r32 elastic01:9200/_cluster/health?pretty
"cluster_name" : "es-docker-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 1,
"active_shards" : 2,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
[root@bf67589ab0f3 elasticsearch]# curl -u elastic:B6NoHgkYRdQiuwTP8r32 elastic02:9200/_cluster/health?pretty
"cluster_name" : "es-docker-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 1,
"active_shards" : 2,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
[root@bf67589ab0f3 elasticsearch]# curl -u elastic:B6NoHgkYRdQiuwTP8r32 elastic03:9200/_cluster/health?pretty
"cluster_name" : "es-docker-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 1,
"active_shards" : 2,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
通过浏览器访问
kibana配置
# 如果中途 docker-compose.yml 有变更
需要先清理环境
docker-compose stop
docker-compose rm
更新文件后重新启动集群
docker-compose up -d
重新启动后的集群,密码信息还继续保留
忘记密码
如果生成后忘记密码了可以进入机器去修改
进入es的机器
docker exec -it elastic03 /bin/bash
创建一个临时的超级用户 jack
./bin/elasticsearch-users useradd jack -r superuser
Enter new password:
ERROR: Invalid password...passwords must be at least [6] characters long
./bin/elasticsearch-users useradd jack -r superuser
Enter new password:
Retype new password:
用这个用户去修改elastic的密码:
curl -XPUT -u jack:jack123 http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d '
{
"password": "B6NoHgkYRdQiuwTP8r32"
}'