Deploying an Elasticsearch cluster with Docker and enabling security
Posted by 悟能的师兄
Part 1: Prerequisites
- CentOS hosts with Docker installed
- two or three servers on which to deploy Elasticsearch
- their addresses: ip1, ip2
Part 2: Installing Docker and Elasticsearch
1.1 Install Docker
[root@ecs-b3bf-0225795 ~]# yum install docker
[root@ecs-b3bf-0225795 ~]# systemctl start docker
1.2 Kernel setting Elasticsearch requires
[root@ecs-b3bf-0225795 ~]# vi /etc/sysctl.conf
# add this line
vm.max_map_count = 655350
[root@ecs-b3bf-0225795 ~]# sysctl -p
1.3 Install Elasticsearch
[root@ecs-b3bf-0225795 ~]# mkdir -p /home/docker/elasticsearch
[root@ecs-b3bf-0225795 ~]# cd /home/docker/elasticsearch/
[root@ecs-b3bf-0225795 elasticsearch]# docker pull docker.io/library/elasticsearch:7.6.2
Once the image is pulled, do not start it yet.
First create all the directories we will use later for data, plugins, logs and configuration:
[root@ecs-b3bf-0225795 elasticsearch]# mkdir data
[root@ecs-b3bf-0225795 elasticsearch]# mkdir logs
[root@ecs-b3bf-0225795 elasticsearch]# mkdir -p plugins/ik
[root@ecs-b3bf-0225795 elasticsearch]# mkdir config
[root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 data
[root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 logs
[root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 plugins
[root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 config
Install the IK analyzer plugin
[root@ecs-b3bf-0225795 elasticsearch]# cd plugins/ik
[root@ecs-b3bf-0225795 ik]# wget https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v7.6.2/elasticsearch-analysis-ik-7.6.2.zip
[root@ecs-b3bf-0225795 ik]# unzip elasticsearch-analysis-ik-7.6.2.zip
Copy the default configuration out of the image into the mount path. Start a throw-away container without a config mount, copy its config directory to the host, then remove the container:
[root@ecs-b3bf-0225795 elasticsearch]# cd /home/docker/elasticsearch/
[root@ecs-b3bf-0225795 elasticsearch]# docker run -p 9200:9200 -p 9300:9300 \
--privileged=true --name es7 \
-e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
-v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
-v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
-v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
-d elasticsearch:7.6.2
[root@ecs-b3bf-0225795 elasticsearch]# docker cp -a es7:/usr/share/elasticsearch/config/ /home/docker/elasticsearch/
[root@ecs-b3bf-0225795 elasticsearch]# docker kill es7
[root@ecs-b3bf-0225795 elasticsearch]# docker rm es7
The configuration files from inside the container are now in the mounted host path. Edit elasticsearch.yml there:
elasticsearch.yml
# cluster name
cluster.name: material-es
# name of this node
node.name: node-1
# whether this node is eligible to be elected master
node.master: true
# whether this node stores data
node.data: true
# maximum number of nodes allowed to share this data path on one host
node.max_local_storage_nodes: 3
# custom attribute for this node (optional)
#node.attr.rack: r1
# data directory
path.data: /usr/share/elasticsearch/data
# log directory; must match the directory mounted with -v, otherwise the logs stay inside the container
path.logs: /usr/share/elasticsearch/logs
# lock the JVM heap in memory at startup (off by default; commented out here)
#bootstrap.memory_lock: true
# bind address (network.host). This one cost me a lot of time: I originally put the host's real IP here,
# and startup kept failing with an invalid IP address error and port 9300 could not be bound. Just use 0.0.0.0.
network.host: 0.0.0.0
# address other nodes use to reach this node. If unset it is auto-detected, but it must be a real IP;
# set it to the physical host's address, because inside Docker the auto-detected IP would be the
# container's address rather than the host's.
network.publish_host: 175.6.3.132
# HTTP port (the one mapped by docker)
http.port: 9200
# port for node-to-node communication
transport.tcp.port: 9300
# discovery defaults to 127.0.0.1:9300; to form a cluster across hosts, list them here.
# New in ES 7.x: the addresses of the master-eligible nodes. After startup any of them can be
# elected master, so list every node.
discovery.seed_hosts: ["175.6.3.132:9300","175.6.3.133:9300","175.6.3.134:9300"]
# the nodes that take part in the very first master election when the cluster is bootstrapped.
# If unset Elasticsearch picks by itself; here we list all three nodes.
cluster.initial_master_nodes: ["node-1","node-2","node-3"]
# after a full cluster restart, block recovery until N nodes have joined.
# In other words, the cluster only becomes usable once at least this many nodes are back.
gateway.recover_after_nodes: 2
# require the index name to be given explicitly when deleting an index (default: true)
#action.destructive_requires_name: true
# enable CORS (default: false)
http.cors.enabled: true
# allowed origins when CORS is enabled; the default * accepts every domain. To allow only certain sites,
# use a regular expression, e.g. local addresses only: /https?:\/\/localhost(:[0-9]+)?/
http.cors.allow-origin: "*"
Put the new configuration file in place.
Start command; run the same command on every machine. (Elasticsearch does not need --privileged=true, which gives the container the full capabilities of the host; the vm.max_map_count setting from 1.2 is what it actually depends on.)
[root@ecs-b3bf-0225795 elasticsearch]# docker run -p 9200:9200 -p 9300:9300 \
--privileged=true --name es7 \
-e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
-v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
-v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
-v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
-v /home/docker/elasticsearch/config:/usr/share/elasticsearch/config \
-d elasticsearch:7.6.2
Part 3: Security settings
Security: with the containers from above already running, the following is executed on the host.
Generate the p12 file, then enable security.
3.1 Generate the p12 file
[root@ecs-b3bf-0225795 elasticsearch]# cd /
# start a throw-away container in which to generate the certificates
[root@ecs-b3bf-0225795 ~]# docker run -dit --name=es elasticsearch:7.6.2 /bin/bash
f87b0e87cbe6cc5a1c53e6e343914072369641cef216815ca0d4f18e50a9da5e
# enter the temporary es container and run the commands there
[root@ecs-b3bf-0225795 ~]# docker exec -it es /bin/bash
[root@f87b0e87cbe6 elasticsearch]# bin/elasticsearch-certutil ca
# press Enter at every prompt (accept the defaults)
[root@f87b0e87cbe6 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# press Enter at every prompt (accept the defaults)
# when generation has finished:
[root@f87b0e87cbe6 elasticsearch]# ls
-rw------- 1 root root 3451 Mar 1 17:42 elastic-certificates.p12
...
# leave the container
[root@f87b0e87cbe6 elasticsearch]# exit
exit
# copy the generated p12 to the host path
[root@ecs-b3bf-0225795 ~]# docker cp -a es:/usr/share/elasticsearch/elastic-certificates.p12 /home/docker/elasticsearch/config/
[root@ecs-b3bf-0225795 ~]# docker kill es
es
[root@ecs-b3bf-0225795 ~]# docker rm es
es
# stop every node of the es cluster
[root@ecs-b3bf-0225795 ~]# docker kill es7
[root@ecs-b3bf-0225795 ~]# docker rm es7
elasticsearch.yml: enable security
# enable security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true
Push the new configuration files, elasticsearch.yml and elastic-certificates.p12, to the same directory on every node:
/home/docker/elasticsearch/config
and make the keystore readable by all users (Elasticsearch runs inside the container as its own unprivileged user, which must be able to read the file):
[root@ecs-b3bf-0225795 ~]# chmod +r /home/docker/elasticsearch/config/elastic-certificates.p12
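Before the combined elasticsearch.yml (the Part 2 settings plus the security block above) is pushed to every node, it is worth linting it. The following is an added example, not part of the original post: a small Python checker of my own that parses the flat key: value subset used here and flags the settings a reviewer would want to catch, such as a path.logs value that does not match the directory mounted with -v, or a * CORS origin. The sample configuration is constructed (the path.logs value is deliberately wrong to exercise the check).

```python
# Lint a flat elasticsearch.yml before it is pushed to every node. Added example,
# not from the post; it handles only the flat `key: value` / `key: ["a","b"]` subset.
import re

# Constructed sample mirroring the post's settings; path.logs is deliberately
# set to a directory that is not the one mounted with -v.
SAMPLE_YML = """\
path.logs: /usr/share/elasticsearch/log
network.publish_host: 175.6.3.132
discovery.seed_hosts: ["175.6.3.132:9300","175.6.3.133:9300","175.6.3.134:9300"]
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""

def parse_flat_yml(text):
    """Return {key: value}; values are str, bool or list[str]. Comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, raw = line.partition(":")
        raw = raw.strip()
        if raw.startswith("["):                      # ["a","b"] style list
            cfg[key.strip()] = re.findall(r'"([^"]*)"', raw)
        elif raw in ("true", "false"):
            cfg[key.strip()] = raw == "true"
        else:
            cfg[key.strip()] = raw.strip('"')
    return cfg

def lint(cfg, mounted_logs="/usr/share/elasticsearch/logs"):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    if cfg.get("xpack.security.enabled") is not True:
        out.append("xpack.security.enabled is not true: the HTTP API needs no login")
    elif cfg.get("xpack.security.transport.ssl.enabled") is not True:
        out.append("security is on but transport TLS is off: node traffic is cleartext")
    if cfg.get("http.cors.enabled") and cfg.get("http.cors.allow-origin") == "*":
        out.append("CORS allows any origin: restrict http.cors.allow-origin")
    seeds = [h.rsplit(":", 1)[0] for h in cfg.get("discovery.seed_hosts", [])]
    if cfg.get("network.publish_host") not in seeds:
        out.append("network.publish_host is not among discovery.seed_hosts")
    if cfg.get("path.logs") != mounted_logs:
        out.append(f"path.logs is not the mounted {mounted_logs}: logs stay in the container")
    return out
```

Run lint(parse_flat_yml(open("elasticsearch.yml").read())) on each node's file; the publish_host check catches the Docker auto-detection pitfall the post describes.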
3.2 Generate the Elasticsearch passwords
Important: ports 9200 and 9300 must be reachable between all three cluster nodes, so open both ports. The passwords are generated automatically and must be written down.
# start the cluster
[root@ecs-b3bf-0225795 ~]# docker run -p 9200:9200 -p 9300:9300 \
--privileged=true --name es7 \
-e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
-v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
-v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
-v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
-v /home/docker/elasticsearch/config:/usr/share/elasticsearch/config \
-v /home/docker/elasticsearch/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 \
-d elasticsearch:7.6.2
# enter the running es7 container on this node
[root@ecs-b3bf-0225795 ~]# docker exec -it es7 /bin/bash
[root@ac0fa780b8db elasticsearch]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = I5kYgua12jyhTWgGE6DoR
Changed password for user kibana
PASSWORD kibana = QehLVOFFTmoVSlK2121n4hU
Changed password for user logstash_system
PASSWORD logstash_system = e0woYM550en2121kSmfCph0
......
Changed password for user elastic
PASSWORD elastic = qRJvpTYcvslk1WhfvRfHE
The account we need is the elastic user.
Note: the generated accounts and passwords are propagated to the other nodes, so this step is not repeated on them.
Useful reference:
"CentOS ES7.6 cluster setup: Elasticsearch security policy, enabling username/password access" (《CentOS ES7.6集群搭建Elasticsearch安全策略-开启密码账号访问CentOS ES7.6集群搭建》)
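The console output above is the only copy of the generated passwords, so it should be captured somewhere better than a terminal scrollback. As an added example that is not from the post, this Python helper of mine parses the output format of elasticsearch-setup-passwords and stores it in a file created with mode 0600 that refuses to overwrite an existing one; the sample output and its placeholder values are constructed.

```python
# Capture `elasticsearch-setup-passwords auto` output into a 0600 file instead of
# leaving it only on the console (added example, not from the post).
import os
import re
import tempfile

# Constructed sample in the tool's output format; the values are placeholders.
SAMPLE_OUTPUT = """\
Initiating the setup of passwords for reserved users elastic,apm_system,kibana.
Changed password for user apm_system
PASSWORD apm_system = PLACEHOLDER_apm
Changed password for user kibana
PASSWORD kibana = PLACEHOLDER_kibana
Changed password for user elastic
PASSWORD elastic = PLACEHOLDER_elastic
"""

PASSWORD_LINE = re.compile(r"^PASSWORD\s+(\S+)\s*=\s*(\S+)$")

def parse_setup_passwords(output):
    """Return {user: password} parsed from the tool's console output."""
    creds = {}
    for line in output.splitlines():
        m = PASSWORD_LINE.match(line.strip())
        if m:
            creds[m.group(1)] = m.group(2)
    return creds

def save_credentials(creds, path):
    """Write user:password lines to `path`, created 0600; fails if it already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        for user, password in sorted(creds.items()):
            fh.write(f"{user}:{password}\n")
    return os.stat(path).st_mode & 0o777

def demo():
    """Parse the sample, store it in a temporary directory, return (creds, file mode)."""
    creds = parse_setup_passwords(SAMPLE_OUTPUT)
    with tempfile.TemporaryDirectory() as d:
        mode = save_credentials(creds, os.path.join(d, "es-passwords"))
    return creds, mode
```

In practice pipe the tool's real output into parse_setup_passwords via stdin and point save_credentials at a path outside the container, then clear the terminal and shell history.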