• centos7.7环境下使用docker-compose部署elasticsearch7.4集群并设置密码


    centos7.7环境下使用docker-compose部署elasticsearch7.4集群并设置密码


    Elasticsearch从6.8开始,允许免费用户使用X-Pack的安全功能,设置密码后会让系统安全很多

    因为es是有状态的系统,生产环境中最好直接部署在宿主机上;此次部署的是测试开发环境,直接使用docker进行部署,方便快速创建集群


    环境:centos7.7_x86_64

    宿主机IP:10.10.17.64

    安装环境和卷均挂载到 /data/elasticsearch 目录中

    1.es需要修改linux宿主机的一些参数

    设置vm.max_map_count=262144

    sudo vim /etc/sysctl.conf
    vm.max_map_count=262144

    不重启,执行以下命令使其立即生效
    # Takes effect immediately without a reboot; the /etc/sysctl.conf entry above
    # is what keeps the value across reboots.
    sysctl -w vm.max_map_count=262144

    2.创建对应的数据存储文件

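    mkdir -p /data/elasticsearch
    cd /data/elasticsearch || exit 1

    # One data and one logs directory per node; docker-compose.yml bind-mounts them.
    mkdir -p elastic0{1,2,3}/{data,logs}

    # The elasticsearch:7.4.0 image runs as uid 1000 / gid 0, so it only needs
    # group-0 write access to these directories. Grant exactly that rather than
    # making the whole data and log tree world-writable (chmod 777), which lets
    # any local user read indices or tamper with logs.
    sudo chgrp -R 0 elastic0{1,2,3}
    sudo chmod -R g+rwx elastic0{1,2,3}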

    3.获取基础镜像

    # docker pull docker.elastic.co/elasticsearch/elasticsearch:7.4.0


    4.创建docker-compose.yml

    # elasticsearch集群暴露在宿主机上使用的端口分别为9201/9202/9203(将集群内部各个elasticsearch节点的9200端口分别映射出来)

    # cat /data/elasticsearch/docker-compose.yml

    # Three-node Elasticsearch 7.4.0 cluster plus Kibana for a test/dev host.
    # Host ports 9201/9202/9203 map to each node's HTTP port 9200; Kibana is on 5601.
    # Expected in this directory before `docker-compose up`: the elastic0N/{data,logs}
    # directories (step 2), elasticsearch.yml (step 5), elastic-certificates.p12
    # (step 6) and kibana.yml (step 7); vm.max_map_count must be raised on the host (step 1).
    version: '2.2'
    services:
      elastic01:
        # NOTE(review): step 3 pulls docker.elastic.co/elasticsearch/elasticsearch:7.4.0,
        # whereas this is the Docker Hub tag — confirm both resolve to the same image
        # or pull this tag as well.
        image: elasticsearch:7.4.0
        container_name: elastic01
        environment:
          - node.name=elastic01
          - cluster.name=es-docker-cluster
          # The other two nodes, reachable by Compose service name on the 'elastic' network.
          - discovery.seed_hosts=elastic02,elastic03
          - cluster.initial_master_nodes=elastic01,elastic02,elastic03
          # Memory locking goes together with the unlimited memlock ulimit below.
          - bootstrap.memory_lock=true
          - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
        ulimits:
          memlock:
            soft: -1
            hard: -1
        volumes:
          - ./elastic01/data:/usr/share/elasticsearch/data
          - ./elastic01/logs:/usr/share/elasticsearch/logs
          # Shared by all three nodes: the node config and the PKCS#12 that holds the
          # node certificate together with its private key — keep the host copy
          # readable only by root and the container user.
          - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
          - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
        ports:
          # Plain HTTP on the host: elasticsearch.yml enables TLS on the transport
          # layer only, so basic-auth credentials sent to 9201-9203 are not
          # encrypted. Keep these host ports off untrusted networks.
          - 9201:9200
        networks:
          - elastic
    
      elastic02:
        # Same as elastic01 apart from node name, seed hosts, bind mounts and host port.
        image: elasticsearch:7.4.0
        container_name: elastic02
        environment:
          - node.name=elastic02
          - cluster.name=es-docker-cluster
          - discovery.seed_hosts=elastic01,elastic03
          - cluster.initial_master_nodes=elastic01,elastic02,elastic03
          - bootstrap.memory_lock=true
          - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
        ulimits:
          memlock:
            soft: -1
            hard: -1
        volumes:
          - ./elastic02/data:/usr/share/elasticsearch/data
          - ./elastic02/logs:/usr/share/elasticsearch/logs
          - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
          - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
        ports:
          # Plain HTTP, see elastic01.
          - 9202:9200
        networks:
          - elastic
    
      elastic03:
        # Same as elastic01 apart from node name, seed hosts, bind mounts and host port.
        image: elasticsearch:7.4.0
        container_name: elastic03
        environment:
          - node.name=elastic03
          - cluster.name=es-docker-cluster
          - discovery.seed_hosts=elastic01,elastic02
          - cluster.initial_master_nodes=elastic01,elastic02,elastic03
          - bootstrap.memory_lock=true
          - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
        ulimits:
          memlock:
            soft: -1
            hard: -1
        volumes:
          - ./elastic03/data:/usr/share/elasticsearch/data
          - ./elastic03/logs:/usr/share/elasticsearch/logs
          - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
          - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
        ports:
          # Plain HTTP, see elastic01.
          - 9203:9200
        networks:
          - elastic
    
      kib01:
        # depends_on only orders container start-up; it does not wait for
        # Elasticsearch to be ready. Kibana presumably just retries its
        # connection until the cluster answers — TODO confirm for kibana:7.4.0.
        depends_on: 
          - elastic01
        image: kibana:7.4.0
        container_name: kib01
        ports:
          # Kibana UI. kibana.yml sets no server.ssl.* options, so logins to
          # 5601 (including the kibana/elastic passwords) travel over plain HTTP.
          - 5601:5601
        environment:
          # Kibana -> Elasticsearch over plain HTTP inside the bridge network.
          # ELASTICSEARCH_HOSTS is the 7.x setting; ELASTICSEARCH_URL looks like
          # it is kept for compatibility — verify kibana:7.4.0 still honours it.
          ELASTICSEARCH_URL: http://elastic01:9200
          ELASTICSEARCH_HOSTS: http://elastic01:9200
        volumes:
          # Holds the kibana user's password in clear text (see step 7).
          - ./kibana.yml:/usr/share/kibana/config/kibana.yml
        networks:
          - elastic
    
    networks:
      elastic:
        driver: bridge

    5.配置elasticsearch

    # cat /data/elasticsearch/elasticsearch.yml

    # Node settings shared by all three containers (bind-mounted from
    # /data/elasticsearch/elasticsearch.yml by docker-compose.yml).

    # Listen on every container interface so the other nodes and Kibana can reach it.
    network.host: 0.0.0.0
    # Turn on X-Pack security (authentication); step 7 sets the built-in user passwords.
    xpack.security.enabled: true
    # TLS on the node-to-node transport layer only. No xpack.security.http.ssl.*
    # settings are present, so the HTTP API on 9200 (published as 9201-9203 on the
    # host) stays plain HTTP and basic-auth credentials sent with curl or by
    # Kibana are not encrypted — restrict who can reach those ports or enable HTTP TLS.
    xpack.security.transport.ssl.enabled: true
    # 'certificate' checks the peer certificate against the truststore but, per the
    # Elasticsearch docs, performs no hostname verification; that is what lets one
    # shared certificate work for all three node names.
    xpack.security.transport.ssl.verification_mode: certificate
    # The same PKCS#12 file (from `elasticsearch-certutil cert --ca ...` in step 6)
    # serves as keystore (node certificate + private key) and truststore (the CA
    # that signed it). No ...keystore.secure_password is configured here, which
    # appears consistent with the empty password prompts in step 6 — confirm; a
    # .p12 created with a password needs it added to the elasticsearch keystore.
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12

    network.host 设置为0.0.0.0,允许其他ip访问,解除ip绑定
    xpack.security.* 是安全相关配置,其中ssl所需的证书需要自己生成(见下一步)

    6.生成证书elastic-certificates.p12

    # 临时运行一个容器,在其中生成证书

    docker run -dit --name=es elasticsearch:7.4.0 /bin/bash

    es提供了生成证书的工具elasticsearch-certutil,我们可以在docker实例中生成证书,然后拷贝出来给集群使用

    首先运行一个叫做 es 的docker实例

    docker run -dit --name=es elasticsearch:7.4.0 /bin/bash

    进入实例内部,生成证书

    docker exec -it es /bin/bash

    生成ca: elastic-stack-ca.p12

    [root@36g848ff62 elasticsearch]# ./bin/elasticsearch-certutil ca
    This tool assists you in the generation of X.509 certificates and certificate
    signing requests for use with SSL/TLS in the Elastic stack.
    
    The 'ca' mode generates a new 'certificate authority'
    This will create a new X.509 certificate and private key that can be used
    to sign certificate when running in 'cert' mode.
    
    Use the 'ca-dn' option if you wish to configure the 'distinguished name'
    of the certificate authority
    
    By default the 'ca' mode produces a single PKCS#12 output file which holds:
        * The CA certificate
        * The CA's private key
    
    If you elect to generate PEM format certificates (the -pem option), then the output will
    be a zip file containing individual files for the CA certificate and private key
    
    Please enter the desired output file [elastic-stack-ca.p12]: 
    Enter password for elastic-stack-ca.p12 : 
    
    
    再生成cert: elastic-certificates.p12
    
    [root@36g848ff62 elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    This tool assists you in the generation of X.509 certificates and certificate
    signing requests for use with SSL/TLS in the Elastic stack.
    
    The 'cert' mode generates X.509 certificate and private keys.

    这里生成的 elastic-certificates.p12 就是集群需要使用的证书。

    按ctrl+d退出容器,然后在宿主机上把证书复制出来

    # The .p12 holds the node certificate *and its private key*; once copied out it
    # is bind-mounted into all three nodes. Restrict it on the host so that only
    # root and the container user can read it — the earlier chmod 777 only covered
    # the elastic0N directories, not this file.
    # The CA (elastic-stack-ca.p12, containing the CA private key) stays inside the
    # temporary 'es' container: copy it somewhere safe if more node certificates
    # will be needed later, then remove the container (docker rm -f es).
    docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 /data/elasticsearch/

    至此,生成证书完毕


    7.生成密码

    我们首先要启动es集群,去里面生成密码。

    在启动容器前需要先配置kibana.yml,否则Kibana会启动失败;注意后面密码生成完成后,需要把这里的密码改成生成的kibana用户密码

    # cat /data/elasticsearch/kibana.yml 
    # Kibana settings (bind-mounted from /data/elasticsearch/kibana.yml).
    # Listen on all container interfaces; docker-compose.yml publishes 5601 on the host.
    server.host: "0.0.0.0"
    # Built-in user Kibana authenticates to Elasticsearch with.
    elasticsearch.username: "kibana"
    # Placeholder so the container starts; replace it with the kibana password
    # printed by elasticsearch-setup-passwords in step 7 and restart Kibana.
    # This is a clear-text credential on the host — keep the file readable only
    # by the user running docker-compose.
    elasticsearch.password: "pass"

    启动集群

    docker-compose up

    然后进入其中一台

    docker exec -it elastic01 /bin/bash

    自动生成密码用 auto,自己设置密码用 interactive

    [root@5760a2da8831 elasticsearch]# ./bin/elasticsearch-setup-passwords -h
    Sets the passwords for reserved users
    
    Commands
    --------
    auto - Uses randomly generated passwords
    interactive - Uses passwords entered by a user
    
    Non-option arguments:
    command              
    
    Option         Description        
    ------         -----------        
    -h, --help     show help          
    -s, --silent   show minimal output
    -v, --verbose  show verbose output
    
    # 自动生成密码
    
    [root@5760a2da8831 elasticsearch]# ./bin/elasticsearch-setup-passwords auto
    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
    The passwords will be randomly generated and printed to the console.
    Please confirm that you would like to continue [y/N]y
    
    
    Changed password for user apm_system
    PASSWORD apm_system = O49pTKFDnKLohMZniEod
    
    Changed password for user kibana
    PASSWORD kibana = bsrRfRjpmFi8YEKZ9VKa
    
    Changed password for user logstash_system
    PASSWORD logstash_system = bLdyzqjFtVVcCH0nj9vu
    
    Changed password for user beats_system
    PASSWORD beats_system = O9J9C0JeO9spv9mWCdIH
    
    Changed password for user remote_monitoring_user
    PASSWORD remote_monitoring_user = jEZc6IPOyWXE9I7Qj9F7
    
    Changed password for user elastic
    PASSWORD elastic = B6NoHgkYRdQiuwTP8r32

    8.验证集群状态

    # 进入集群内部测试验证集群的状态

    [root@sz_cxzx_n004dev03_17_64 elasticsearch]# docker exec -it elastic03 bash
    [root@bf67589ab0f3 elasticsearch]# curl -u elastic:B6NoHgkYRdQiuwTP8r32 elastic01:9200/_cluster/health?pretty
    {
      "cluster_name" : "es-docker-cluster",
      "status" : "green",
      "timed_out" : false,
      "number_of_nodes" : 3,
      "number_of_data_nodes" : 3,
      "active_primary_shards" : 1,
      "active_shards" : 2,
      "relocating_shards" : 0,
      "initializing_shards" : 0,
      "unassigned_shards" : 0,
      "delayed_unassigned_shards" : 0,
      "number_of_pending_tasks" : 0,
      "number_of_in_flight_fetch" : 0,
      "task_max_waiting_in_queue_millis" : 0,
      "active_shards_percent_as_number" : 100.0
    }
    [root@bf67589ab0f3 elasticsearch]# curl -u elastic:B6NoHgkYRdQiuwTP8r32 elastic02:9200/_cluster/health?pretty
    {
      "cluster_name" : "es-docker-cluster",
      "status" : "green",
      "timed_out" : false,
      "number_of_nodes" : 3,
      "number_of_data_nodes" : 3,
      "active_primary_shards" : 1,
      "active_shards" : 2,
      "relocating_shards" : 0,
      "initializing_shards" : 0,
      "unassigned_shards" : 0,
      "delayed_unassigned_shards" : 0,
      "number_of_pending_tasks" : 0,
      "number_of_in_flight_fetch" : 0,
      "task_max_waiting_in_queue_millis" : 0,
      "active_shards_percent_as_number" : 100.0
    }
    [root@bf67589ab0f3 elasticsearch]# curl -u elastic:B6NoHgkYRdQiuwTP8r32 elastic03:9200/_cluster/health?pretty
    {
      "cluster_name" : "es-docker-cluster",
      "status" : "green",
      "timed_out" : false,
      "number_of_nodes" : 3,
      "number_of_data_nodes" : 3,
      "active_primary_shards" : 1,
      "active_shards" : 2,
      "relocating_shards" : 0,
      "initializing_shards" : 0,
      "unassigned_shards" : 0,
      "delayed_unassigned_shards" : 0,
      "number_of_pending_tasks" : 0,
      "number_of_in_flight_fetch" : 0,
      "task_max_waiting_in_queue_millis" : 0,
      "active_shards_percent_as_number" : 100.0
    }

    通过浏览器访问

    kibana配置

    # 如果中途 docker-compose.yml 有变更

    需要先清理环境
    docker-compose stop
    docker-compose rm

    更新文件后重新启动集群
    docker-compose up -d

    重新启动后的集群,密码信息仍然保留(它们保存在挂载到宿主机的data目录中)

    忘记密码

    如果忘记了生成的密码,可以进入容器重置

    进入es的容器

    docker exec -it elastic03 /bin/bash

    创建一个临时的超级用户 jack

    ./bin/elasticsearch-users useradd jack -r superuser
    Enter new password:
    ERROR: Invalid password...passwords must be at least [6] characters long

    ./bin/elasticsearch-users useradd jack -r superuser
    Enter new password:
    Retype new password:

    用这个用户去修改elastic的密码:

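    # Reset the elastic user's password with the temporary superuser jack.
    # Give only the user name to -u so curl prompts for jack's password instead
    # of it landing in `ps` output and the shell history as jack:jack123. The new
    # elastic password in the JSON body is still on the command line; keep the
    # body in a file and pass -d @file (or clear the history afterwards) if that
    # matters on this host.
    # /_security/... is the 7.x endpoint; /_xpack/security/... is its deprecated alias.
    curl -X PUT -u jack 'http://localhost:9200/_security/user/elastic/_password' \
      -H 'Content-Type: application/json' \
      -d '{ "password": "B6NoHgkYRdQiuwTP8r32" }'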

  • 原文地址:https://www.cnblogs.com/reblue520/p/13962797.html