docker安裝Elasticsearch7.6集群並設置密碼

docker安裝Elasticsearch7.6集群並設置密碼

Elasticsearch從6.8開始, 允許免費用戶使用X-Pack的安全功能, 以前安裝es都是裸奔。接下來記錄配置安全認證的方法。

為了簡化物理安裝過程,我們將使用docker安裝我們的服務。

一些基礎配置

es需要修改linux的一些參數。

設置vm.max_map_count=262144

sudo vim /etc/sysctl.conf  vm.max_map_count=262144  

不重啟, 直接生效當前的命令

sysctl -w vm.max_map_count=262144  

es的data和logs目錄需要給1000的用戶授權, 我們假設安裝3個實力的es集群,先創建對應的數據存儲文件

mkdir -p es01/data  mkdir -p es01/logs  mkdir -p es02/data  mkdir -p es02/logs  mkdir -p es03/data  mkdir -p es03/logs    ## es的用戶id為1000,這裡暫且授權給所有人好了  sudo chmod 777 es* -R    

關於版本和docker鏡像

Elasticsearch分幾種licenses,其中Open Source和Basic是免費的, 而在6.8之後安全功能才開始集成在es的Basic授權上。

Basic對應docker鏡像為

docker pull docker.elastic.co/elasticsearch/elasticsearch:7.6.2  

同時dockerhub同步為elasticsearch. 我們直接拉取elasticsearch:7.6.2就好。

開始

安裝文件均放在GitHub: https://github.com/Ryan-Miao/docker-china-source/tree/master/docker-elasticsearch

首先,創建docker-compose.yml

version: '2.2'  services:    es01:      image: elasticsearch:7.6.2      container_name: es01      environment:        - node.name=es01        - cluster.name=es-docker-cluster        - discovery.seed_hosts=es02,es03        - cluster.initial_master_nodes=es01,es02,es03        - bootstrap.memory_lock=true        - "ES_JAVA_OPTS=-Xms512m -Xmx512m"      ulimits:        memlock:          soft: -1          hard: -1      volumes:        - ./es01/data:/usr/share/elasticsearch/data        - ./es01/logs:/usr/share/elasticsearch/logs        - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml        - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12      ports:        - 9200:9200      networks:        - elastic      es02:      image: elasticsearch:7.6.2      container_name: es02      environment:        - node.name=es02        - cluster.name=es-docker-cluster        - discovery.seed_hosts=es01,es03        - cluster.initial_master_nodes=es01,es02,es03        - bootstrap.memory_lock=true        - "ES_JAVA_OPTS=-Xms512m -Xmx512m"      ulimits:        memlock:          soft: -1          hard: -1      volumes:        - ./es02/data:/usr/share/elasticsearch/data        - ./es02/logs:/usr/share/elasticsearch/logs        - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml        - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12      ports:        - 9201:9200      networks:        - elastic      es03:      image: elasticsearch:7.6.2      container_name: es03      environment:        - node.name=es03        - cluster.name=es-docker-cluster        - discovery.seed_hosts=es01,es02        - cluster.initial_master_nodes=es01,es02,es03        - bootstrap.memory_lock=true        - "ES_JAVA_OPTS=-Xms512m -Xmx512m"      ulimits:        memlock:          soft: -1          hard: -1      volumes:        - ./es03/data:/usr/share/elasticsearch/data        - ./es03/logs:/usr/share/elasticsearch/logs        - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml        - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12      ports:        - 9202:9200      networks:        - elastic      kib01:      depends_on:        - es01      image: kibana:7.6.2      container_name: kib01      ports:        - 5601:5601      environment:        ELASTICSEARCH_URL: http://es01:9200        ELASTICSEARCH_HOSTS: http://es01:9200      volumes:        - ./kibana.yml:/usr/share/kibana/config/kibana.yml      networks:        - elastic    networks:    elastic:      driver: bridge  

關於elasticsearch.yml

內容如下

network.host: 0.0.0.0  xpack.security.enabled: true  xpack.security.transport.ssl.enabled: true  xpack.security.transport.ssl.keystore.type: PKCS12  xpack.security.transport.ssl.verification_mode: certificate  xpack.security.transport.ssl.keystore.path: elastic-certificates.p12  xpack.security.transport.ssl.truststore.path: elastic-certificates.p12  xpack.security.transport.ssl.truststore.type: PKCS12    xpack.security.audit.enabled: true  
  • network.host 設置允許其他ip訪問,解除ip綁定
  • xpack.security 則是安全相關配置,其中ssl的證書需要自己生成

關於證書elastic-certificates.p12

es提供了生成證書的工具elasticsearch-certutil,我們可以在docker實例中生成它,然後複製出來,後面統一使用。

首先運行es實例

sudo docker run -dit --name=es elasticsearch:7.6.2 /bin/bash  

進入實例內部

sudo docker exec -it es /bin/bash  

生成ca: elastic-stack-ca.p12

[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil ca  This tool assists you in the generation of X.509 certificates and certificate  signing requests for use with SSL/TLS in the Elastic stack.    The 'ca' mode generates a new 'certificate authority'  This will create a new X.509 certificate and private key that can be used  to sign certificate when running in 'cert' mode.    Use the 'ca-dn' option if you wish to configure the 'distinguished name'  of the certificate authority    By default the 'ca' mode produces a single PKCS#12 output file which holds:      * The CA certificate      * The CA's private key    If you elect to generate PEM format certificates (the -pem option), then the output will  be a zip file containing individual files for the CA certificate and private key    Please enter the desired output file [elastic-stack-ca.p12]:  Enter password for elastic-stack-ca.p12 :  

再生成cert: elastic-certificates.p12

[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12  This tool assists you in the generation of X.509 certificates and certificate  signing requests for use with SSL/TLS in the Elastic stack.    The 'cert' mode generates X.509 certificate and private keys.    

這個生成elastic-certificates.p12 就是我們需要使用的。

複製出證書, ctrl+d退出容器內部

sudo docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 .  # 關閉這個容器  sudo docker kill es  sudo docker rm es  

如此獲取了證書。

生成密碼

我們首先要啟動es集群,去裡面生成密碼。

sudo docker-compose up  

然後進入其中一台

sudo docker exec -it es01 /bin/bash  

生成密碼用auto, 自己設置用 interactive

[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords -h  Sets the passwords for reserved users    Commands  --------  auto - Uses randomly generated passwords  interactive - Uses passwords entered by a user    Non-option arguments:  command    Option             Description  ------             -----------  -E <KeyValuePair>  Configure a setting  -h, --help         Show help  -s, --silent       Show minimal output  -v, --verbose      Show verbose output        [root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords auto  Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.  The passwords will be randomly generated and printed to the console.  Please confirm that you would like to continue [y/N]y      Changed password for user apm_system  PASSWORD apm_system = YxVzeT9B2jEDUjYp66Ws    Changed password for user kibana  PASSWORD kibana = 8NnThbj0N02iDaTGhidU    Changed password for user logstash_system  PASSWORD logstash_system = 9nIDGe7KSV8SQidSk8Dj    Changed password for user beats_system  PASSWORD beats_system = qeuVaf1VEALpJHfEUOjJ    Changed password for user remote_monitoring_user  PASSWORD remote_monitoring_user = DtZCrCkVTZsinRn3tW3D    Changed password for user elastic  PASSWORD elastic = q5f2qNfUJQyvZPIz57MZ  

使用密碼

瀏覽器訪問localhost:9200/9201/9202 需要輸入帳號

輸入對應的elastic/password就好

瀏覽器訪問localhost:5601

忘記密碼

如果生成後忘記密碼了怎麼辦, 可以進入機器去修改。

進入es的機器

sudo docker exec -it es01 /bin/bash  

創建一個臨時的超級用戶RyanMiao

./bin/elasticsearch-users useradd ryan -r superuser  Enter new password:  ERROR: Invalid password...passwords must be at least [6] characters long  [root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-users useradd ryan -r superuser  Enter new password:  Retype new password:  

用這個用戶去修改elastic的密碼:

curl -XPUT -u ryan:ryan123 http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d '  {    "password": "q5f2qNfUJQyvZPIz57MZ"  }'  

參考