注意:Elasticsearch 从 6.8 开始允许免费用户使用 X-Pack 的安全功能;在此之前,免费版安装后没有任何认证,相当于裸奔。下面记录配置安全认证的方法。
获取镜像
# List the Elasticsearch repositories available on the registry.
sudo docker search elasticsearch
# Pull the three images used below, all pinned to the same 7.6.2 tag.
for image in elasticsearch kibana elastic/metricbeat; do
  sudo docker pull "${image}:7.6.2"
done
# Confirm the Elasticsearch image is now present locally.
sudo docker image ls | grep elasticsearch
基本配置
修改内核参数 vm.max_map_count(进程可拥有的内存映射区域数量上限,并非文件句柄数)
方案1(临时):
sudo sysctl -w vm.max_map_count=262144
方案2(永久):
sudo vi /etc/sysctl.conf
添加配置:
vm.max_map_count=262144
修改完成后执行:
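# Reload /etc/sysctl.conf so the new vm.max_map_count takes effect; writing
# kernel parameters needs root, like the other sysctl call in this section.
sudo sysctl -p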
创建es数据和日志存储目录
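# Create a data directory and a log directory for each of the three nodes.
for node in es01 es02 es03; do
  mkdir -p "/share/es/${node}/data" "/share/es/${node}/logs"
done
# Elasticsearch runs in the official image as uid 1000 with gid 0, so hand the
# directories to that identity instead of opening them to every local account:
# mode 777 would let any user on the host read or alter the index data and logs.
cd /share/es
sudo chown -R 1000:0 es01 es02 es03
sudo chmod -R u=rwX,g=rX,o= es01 es02 es03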
ES配置
sudo rm -rf /share/es/es762.yml
sudo vi /share/es/es762.yml
配置如下:
# Bind to every interface so other hosts can reach the node (lifts the
# default binding).
network.host: 0.0.0.0
# Turn on the X-Pack security features (authentication and authorization).
xpack.security.enabled: true
# Encrypt node-to-node (transport layer) traffic with TLS.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
# "certificate" accepts any peer certificate signed by a trusted CA; it does
# not additionally check the host name in the certificate.
xpack.security.transport.ssl.verification_mode: certificate
# One PKCS#12 file is used as both keystore and truststore.
# NOTE(review): no keystore/truststore password is configured in this file, so
# presumably the .p12 was generated with an empty password; a password-protected
# file would also need xpack.security.transport.ssl.keystore.secure_password and
# xpack.security.transport.ssl.truststore.secure_password added with
# elasticsearch-keystore.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
# NOTE(review): audit logging is, as far as I know, not part of the free Basic
# licence tier; confirm that this setting actually produces audit output.
xpack.security.audit.enabled: true
# NOTE(review): only the transport layer gets TLS here. No
# xpack.security.http.ssl.* settings are present, so the REST API on port 9200
# stays plain HTTP and user names and passwords sent to it are not encrypted.
kibana配置
sudo rm -rf /share/es/kibana.yml
sudo vi /share/es/kibana.yml
内容如下(其中 elasticsearch.password 是示例值,在后面“生成密码”一步得到 kibana 用户的密码后需要替换):
# Name of this Kibana instance.
server.name: kibana
# NOTE(review): "0" presumably makes Kibana listen on all interfaces inside the
# container; confirm.
server.host: "0"
# Left commented out; the compose file of this write-up passes
# ELASTICSEARCH_HOSTS through the container environment instead.
# elasticsearch.hosts: [ "http://elasticsearch:9200" ]
# Built-in account that the Kibana service itself uses to connect to
# Elasticsearch (not the account a person logs in to the UI with).
elasticsearch.username: kibana
# Sample value from this write-up; replace it with the password generated for
# the kibana user on your own cluster.
# NOTE(review): the secret sits in plain text in a bind-mounted file. Storing it
# with `bin/kibana-keystore add elasticsearch.password` keeps it out of
# kibana.yml.
elasticsearch.password: iUqpe8FDfwdKaI0MnmFW
SSL证书制作
es提供了生成证书的工具elasticsearch-certutil,可以在docker实例中生成,然后复制出来统一使用。
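# Start a throwaway container from the same image, only to borrow its
# elasticsearch-certutil tool, and open a shell in it.
sudo docker run -dit --name=es762 elasticsearch:7.6.2 /bin/bash
sudo docker exec -it es762 /bin/bash
# --- inside the container ---
# Create the CA: elastic-stack-ca.p12. certutil prompts for an output file name
# and a password. The elasticsearch.yml of this write-up configures no keystore
# password, so it only works unchanged when the password prompts are left empty.
./bin/elasticsearch-certutil ca
# Issue the node certificate signed by that CA: elastic-certificates.p12.
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# Leave the container shell.
exit
# --- back on the host ---
# Copy the node keystore next to docker-compose.yml, which bind-mounts
# ./elastic-certificates.p12 into every node; an explicit destination avoids
# depending on the current directory.
sudo docker cp es762:/usr/share/elasticsearch/elastic-certificates.p12 /share/es/elastic-certificates.p12
# The file contains the nodes' private key: make it readable by the
# Elasticsearch identity (uid 1000, gid 0) and by nobody else on the host.
sudo chown 1000:0 /share/es/elastic-certificates.p12
sudo chmod 640 /share/es/elastic-certificates.p12
# NOTE(review): elastic-stack-ca.p12 (the CA private key) exists only inside
# es762 and is destroyed with it. Copy it out and store it offline first if
# further node certificates will have to be issued from the same CA.
# Stop and remove the throwaway container.
sudo docker kill es762
sudo docker rm es762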
服务编排
mkdir -p /share/es && cd /share/es
rm -rf /share/es/docker-compose.yml
vi /share/es/docker-compose.yml
服务编排内容如下:
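# Three-node Elasticsearch cluster plus Kibana on one bridge network.
# Nesting restored: as a flat list of lines this is not a parseable compose file.
version: '2.2'
services:
  es01:
    image: elasticsearch:7.6.2
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es01/data:/usr/share/elasticsearch/data
      - ./es01/logs:/usr/share/elasticsearch/logs
      # Shared security configuration and node keystore, same file for every node.
      - ./es762.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      # Published on every host interface. es762.yml enables TLS on the
      # transport layer only, so logins on this port cross the network as
      # plain HTTP; keep it on a trusted network or add
      # xpack.security.http.ssl.* before exposing it further.
      - 9200:9200
    networks:
      - elastic
  es02:
    image: elasticsearch:7.6.2
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es02/data:/usr/share/elasticsearch/data
      - ./es02/logs:/usr/share/elasticsearch/logs
      - ./es762.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9201:9200
    networks:
      - elastic
  es03:
    image: elasticsearch:7.6.2
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es03/data:/usr/share/elasticsearch/data
      - ./es03/logs:/usr/share/elasticsearch/logs
      - ./es762.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9202:9200
    networks:
      - elastic
  kib01:
    depends_on:
      - es01
    image: kibana:7.6.2
    container_name: kib01
    ports:
      # The Kibana UI is likewise published on every host interface over plain HTTP.
      - 5601:5601
    environment:
      # NOTE(review): ELASTICSEARCH_URL looks like the pre-7.0 name of this
      # setting; confirm whether 7.6.2 still reads it before relying on it.
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: http://es01:9200
    volumes:
      # Holds the kibana user's password in plain text; keep the host file
      # readable only by the accounts that need it.
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic

networks:
  elastic:
    driver: bridge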
生成密码
# Start the stack attached to this terminal; run the following commands from a
# second terminal while it keeps running.
sudo docker-compose up
# Open a shell inside the es01 container.
sudo docker exec -it es01 /bin/bash
# Set the passwords of the built-in users (-h: show help, auto: generate the
# passwords automatically, interactive: type your own).
./bin/elasticsearch-setup-passwords -h
./bin/elasticsearch-setup-passwords auto
密码信息如下(示例输出;auto 模式每次生成的密码都不同,请保存好自己的输出,不要沿用本文已公开的这些密码):
Changed password for user apm_system
PASSWORD apm_system = qlqQxSJucy3lZJ2aQLk4
Changed password for user kibana
PASSWORD kibana = iUqpe8FDfwdKaI0MnmFW
Changed password for user logstash_system
PASSWORD logstash_system = bT6bXMTrLcCLGwN7sK9B
Changed password for user beats_system
PASSWORD beats_system = ueSJAjziK46LPu77LPMy
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = JGiYfZJCVTmdTuxRLSo7
Changed password for user elastic
PASSWORD elastic = kaVX704IdocCaMaohPEZ
重启(先把 kibana.yml 里的 elasticsearch.password 更新为上面生成的 kibana 用户密码):
sudo docker-compose stop
sudo docker-compose up
服务构建
# Reference list of compose commands; pick the one needed, they are not meant
# to be run top to bottom.
# NOTE(review): every service in the compose file of this write-up uses a
# prebuilt image: and has no build: section, so the build steps have nothing
# to build here.
cd /share/es
sudo docker-compose -f docker-compose.yml build --no-cache # build without cache (creates images only, starts no containers)
sudo docker-compose -f docker-compose.yml up -d # run after building
sudo docker-compose -f docker-compose.yml up --build # build and follow the output, useful for debugging
sudo docker-compose -f docker-compose.yml stop # stop
sudo docker-compose -f docker-compose.yml down # remove
验证
# Open a shell in the es01 container.
sudo docker exec -it es01 /bin/bash
# Show the container logs; the second form follows them with timestamps,
# starting from the last 50 lines.
sudo docker logs es01
sudo docker logs -f -t --tail=50 es01
# Inspect the Docker networks and the container's settings.
sudo docker network ls
sudo docker inspect es01
ES Web UI:http://192.168.0.99:9200、http://192.168.0.99:9201、http://192.168.0.99:9202
Kibana Web UI:http://192.168.0.99:5601
注意:**登录 Kibana 页面时输入 elastic 用户和它对应的密码,而不是 kibana 用户的密码。** kibana 用户只供 Kibana 服务自身连接 Elasticsearch 使用。
安装metricbeat
1. 加载metricbeat自带的dashboard模板
# One-off Metricbeat container that runs `setup` to load the bundled dashboards
# into Kibana. es_elastic is the compose network: the "elastic" network prefixed
# with the project name, which presumably defaults to the directory name "es".
# NOTE(review): the password of the elastic superuser is passed as a
# command-line argument, so it ends up in the shell history, in the process
# list and in `docker inspect mb762`. Substitute the password of your own
# cluster and prefer a dedicated user that has only the privileges the setup
# step needs.
sudo docker run --name mb762 \
--network=es_elastic \
elastic/metricbeat:7.6.2 \
setup -E setup.kibana.host=kib01:5601 \
-E output.elasticsearch.hosts=["es01:9200"] \
-E output.elasticsearch.username=elastic \
-E output.elasticsearch.password=kaVX704IdocCaMaohPEZ
# Lifecycle commands for that container, listed for reference rather than to be
# run in sequence. Removing it also removes the stored command line with the
# password.
sudo docker start mb762
sudo docker restart mb762
sudo docker stop mb762
sudo docker rm mb762
2. 自定义dashboard模板
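# The config file must be owned by root, the user Metricbeat runs as in the
# container below, and must not be writable by group or others; Metricbeat
# rejects a config file with looser ownership or permissions.
# NOTE(review): /tmp is world-writable. A file that configures a privileged
# root container is better kept in a root-owned directory; the path is left
# unchanged here because the docker run command further down mounts it from
# this location.
sudo rm -rf /tmp/metricbeat.docker.yml
sudo vi /tmp/metricbeat.docker.yml
# chown needs root as well, so it gets sudo like the two commands above.
sudo chown root:root /tmp/metricbeat.docker.yml
sudo chmod go-w /tmp/metricbeat.docker.yml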
内容如下:
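# Metricbeat configuration for monitoring the Docker host.
# Nesting restored: as a flat list of lines this does not parse as intended.
metricbeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

# Discover containers through the Docker provider, with hints enabled.
metricbeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true

metricbeat.modules:
  - module: docker
    metricsets:
      - "container"
      - "cpu"
      - "diskio"
      - "healthcheck"
      - "info"
      - "memory"
      - "network"
    # Metrics are read from the Docker daemon through its Unix socket, which
    # therefore has to be mounted into the Metricbeat container.
    hosts: ["unix:///var/run/docker.sock"]
    period: 10s
    enabled: true

processors:
  - add_cloud_metadata: ~

# Connection settings are taken from variables supplied when the container is
# started, so no credential is written into this file; the text after the
# colon is the default value.
output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
  username: '${ELASTICSEARCH_USERNAME:}'
  password: '${ELASTICSEARCH_PASSWORD:}'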
收集宿主机运行的docker实例信息:
# Long-running Metricbeat container that collects metrics about the containers
# on this host. The three -E overrides supply the values that
# metricbeat.docker.yml references as ${ELASTICSEARCH_HOSTS},
# ${ELASTICSEARCH_USERNAME} and ${ELASTICSEARCH_PASSWORD}.
# NOTE(review): this container is highly privileged. --privileged plus
# --user=root removes most of the isolation between it and the host, the whole
# host filesystem is mounted at /hostfs, and the ":ro" on docker.sock only
# protects the socket file: a process that can connect to the socket can still
# send any request to the Docker daemon. Check whether the metricsets you need
# work without --privileged before keeping it.
# NOTE(review): the elastic superuser password is passed on the command line
# (shell history, process list, `docker inspect metricbeat`). Substitute your
# own cluster's password and prefer a dedicated user limited to what Metricbeat
# needs to write its data.
sudo docker run -d -it \
--network=es_elastic \
--name=metricbeat \
--privileged \
--user=root \
--volume="/tmp/metricbeat.docker.yml:/usr/share/metricbeat/metricbeat.yml" \
--volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
--volume="/sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro" \
--volume="/proc:/hostfs/proc:ro" \
--volume="/:/hostfs:ro" \
elastic/metricbeat:7.6.2 metricbeat \
-E ELASTICSEARCH_HOSTS=es01:9200 \
-E ELASTICSEARCH_USERNAME=elastic \
-E ELASTICSEARCH_PASSWORD=kaVX704IdocCaMaohPEZ
# Lifecycle commands for that container, listed for reference rather than to be
# run in sequence.
sudo docker start metricbeat
sudo docker restart metricbeat
sudo docker stop metricbeat
sudo docker rm metricbeat
3. 查看dashboard
搜索“[Metricbeat Docker] Overview ECS”。
忘记密码
如果生成后忘记密码了怎么办, 可以进入容器去修改。创建一个临时的超级用户,然后用这个用户去修改elastic的密码。
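# Open a shell in a node container.
sudo docker exec -it es01 /bin/bash
# --- inside the container ---
# Create a temporary superuser; the tool prompts for its password. Choose a
# strong throwaway value, since the account has full control of the cluster
# for as long as it exists.
./bin/elasticsearch-users useradd ryan -r superuser
# Set a new password for the built-in elastic user. With only the user name
# after -u, curl prompts for the password, which keeps it out of the shell
# history and the process list. _security is the 7.x path of the endpoint that
# older releases served under _xpack/security. The password in the body is the
# sample value from this write-up; substitute your own.
curl -XPUT -u ryan http://localhost:9200/_security/user/elastic/_password -H "Content-Type: application/json" -d '
{
"password": "q5f2qNfUJQyvZPIz57MZ"
}'
# Delete the temporary superuser once the reset has succeeded, so no extra
# full-privilege account is left behind on the node.
./bin/elasticsearch-users userdel ryan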
参考
博文:docker安装Elasticsearch7.6集群并设置密码
https://www.cnblogs.com/woshimrf/p/docker-es7.html