docker-compose

version: "2"
services:
  es-node01:
    container_name: es-node01
    image: docker.elastic.co/elasticsearch/elasticsearch:8.1.0
    restart: always
    mem_limit: 32g
    ports:
      - 9200:9200
      - 9300:9300
    environment:
      - TAKE_FILE_OWNERSHIP=true
      - ES_JAVA_OPTS=-Xms16g -Xmx16g
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
    volumes:
      - ./data/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./data/logs:/usr/share/elasticsearch/logs
      - ./data/plugins:/usr/share/elasticsearch/plugins
      - ./data/certs:/usr/share/elasticsearch/config/certs
      - /mnt/disk1/es-data1:/mnt/data1
      - /mnt/disk2/es-data2:/mnt/data2
      - /mnt/disk3/es-data3:/mnt/data3
      - /mnt/disk4/es-data4:/mnt/data4

.env

ELASTIC_PASSWORD=password

data/config/elasticsearch.yml

cluster.name: test-es-cluster
node.name: es-node01
node.roles:
  - master
  - data
network.host: 0.0.0.0
network.publish_host: 192.168.20.21
http.port: 9200
transport.port: 9300
path.data:
  - /mnt/data1
  - /mnt/data2
  - /mnt/data3
  - /mnt/data4
discovery.seed_hosts:
  - 192.168.20.22:9300
  - 192.168.20.23:9300
cluster.initial_master_nodes:
  - es-node01
  - es-node02
  - es-node03
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/es-node02.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node02.crt
xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
xpack.security.http.ssl.verification_mode: certificate
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/es-node02.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node02.crt
xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
xpack.security.transport.ssl.verification_mode: certificate
xpack.license.self_generated.type: basic

生成证书

version: "2.2"
services:
  setup:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.1.0
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
    user: "0"
    command: >
      bash -c '
        if [ ! -f certs/ca.zip ]; then
          echo "Creating CA";
          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
          unzip config/certs/ca.zip -d config/certs;
        fi;
        if [ ! -f certs/certs.zip ]; then
          echo "Creating certs";
          echo -ne \
          "instances:\n"\
          "  - name: es-node01\n"\
          "    dns:\n"\
          "      - es-node01\n"\
          "    ip:\n"\
          "      - 192.168.20.21\n"\
          "  - name: es-node02\n"\
          "    dns:\n"\
          "      - es-node02\n"\
          "    ip:\n"\
          "      - 192.168.20.22\n"\
          "  - name: es-node03\n"\
          "    dns:\n"\
          "      - es-node03\n"\
          "    ip:\n"\
          "      - 192.168.20.23\n"\
          > config/certs/instances.yml;
          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
          unzip config/certs/certs.zip -d config/certs;
        fi;
      '

注意事项

1、echo “vm.max_map_count=262144” > /etc/sysctl.conf ; sysctl -p
2、在容器中，程序是以elasticsearch用户启动的，其uid:gid为1000:1000
如果要绑定挂载本地目录或文件，则elasticsearch用户必须可以读取它。此外，该用户必须具有对配置、数据和日志目录的写入权限。所以要修改本地数据目录uid为1000。

部署参考：
https://www.elastic.co/guide/en/elasticsearch/reference/8.1/docker.html