Elasticsearch從6.8開始， 允許免費用戶使用X-Pack的安全功能， 以前安裝es都是裸奔。接下來記錄配置安全認證的方法。

為了簡化物理安裝過程，我們將使用docker安裝我們的服務。

一些基礎配置

es需要修改linux的一些參數。

設置vm.max_map_count=262144

sudo vim /etc/sysctl.confvm.max_map_count=262144

不重啟， 直接生效當前的命令

sysctl -w vm.max_map_count=262144

es的data和logs目錄需要給1000的用戶授權， 我們假設安裝3個實力的es集群，先創建對應的數據存儲文件

mkdir -p es01/datamkdir -p es01/logsmkdir -p es02/datamkdir -p es02/logsmkdir -p es03/datamkdir -p es03/logs## es的用戶id為1000，這里暫且授權給所有人好了sudo chmod 777 es* -R

關于版本和docker鏡像

Elasticsearch分幾種licenses，其中Open Source和Basic是免費的， 而在6.8之后安全功能才開始集成在es的Basic授權上。

Basic對應docker鏡像為

docker pull docker.elastic.co/elasticsearch/elasticsearch:7.6.2

同時dockerhub同步為elasticsearch. 我們直接拉取elasticsearch:7.6.2就好。

開始

安裝文件均放在GitHub： https://github.com/Ryan-Miao/docker-china-source/tree/master/docker-elasticsearch

首先，創建docker-compose.yml

version: ’2.2’services: es01: image: elasticsearch:7.6.2 container_name: es01 environment: - node.name=es01 - cluster.name=es-docker-cluster - discovery.seed_hosts=es02,es03 - cluster.initial_master_nodes=es01,es02,es03 - bootstrap.memory_lock=true - 'ES_JAVA_OPTS=-Xms512m -Xmx512m' ulimits: memlock: soft: -1 hard: -1 volumes: - ./es01/data:/usr/share/elasticsearch/data - ./es01/logs:/usr/share/elasticsearch/logs - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 ports: - 9200:9200 networks: - elastic es02: image: elasticsearch:7.6.2 container_name: es02 environment: - node.name=es02 - cluster.name=es-docker-cluster - discovery.seed_hosts=es01,es03 - cluster.initial_master_nodes=es01,es02,es03 - bootstrap.memory_lock=true - 'ES_JAVA_OPTS=-Xms512m -Xmx512m' ulimits: memlock: soft: -1 hard: -1 volumes: - ./es02/data:/usr/share/elasticsearch/data - ./es02/logs:/usr/share/elasticsearch/logs - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 ports: - 9201:9200 networks: - elastic es03: image: elasticsearch:7.6.2 container_name: es03 environment: - node.name=es03 - cluster.name=es-docker-cluster - discovery.seed_hosts=es01,es02 - cluster.initial_master_nodes=es01,es02,es03 - bootstrap.memory_lock=true - 'ES_JAVA_OPTS=-Xms512m -Xmx512m' ulimits: memlock: soft: -1 hard: -1 volumes: - ./es03/data:/usr/share/elasticsearch/data - ./es03/logs:/usr/share/elasticsearch/logs - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 ports: - 9202:9200 networks: - elastic kib01: depends_on: - es01 image: kibana:7.6.2 container_name: kib01 ports: - 5601:5601 environment: ELASTICSEARCH_URL: http://es01:9200 ELASTICSEARCH_HOSTS: http://es01:9200 volumes: - ./kibana.yml:/usr/share/kibana/config/kibana.yml networks: - elasticnetworks: elastic: driver: bridge

關于elasticsearch.yml

內容如下

network.host: 0.0.0.0xpack.security.enabled: truexpack.security.transport.ssl.enabled: truexpack.security.transport.ssl.keystore.type: PKCS12xpack.security.transport.ssl.verification_mode: certificatexpack.security.transport.ssl.keystore.path: elastic-certificates.p12xpack.security.transport.ssl.truststore.path: elastic-certificates.p12xpack.security.transport.ssl.truststore.type: PKCS12xpack.security.audit.enabled: true network.host 設置允許其他ip訪問，解除ip綁定 xpack.security 則是安全相關配置，其中ssl的證書需要自己生成

關于證書elastic-certificates.p12

es提供了生成證書的工具elasticsearch-certutil，我們可以在docker實例中生成它，然后復制出來，后面統一使用。

首先運行es實例

sudo docker run -dit --name=es elasticsearch:7.6.2 /bin/bash

進入實例內部

sudo docker exec -it es /bin/bash

生成ca: elastic-stack-ca.p12

[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil caThis tool assists you in the generation of X.509 certificates and certificatesigning requests for use with SSL/TLS in the Elastic stack.The ’ca’ mode generates a new ’certificate authority’This will create a new X.509 certificate and private key that can be usedto sign certificate when running in ’cert’ mode.Use the ’ca-dn’ option if you wish to configure the ’distinguished name’of the certificate authorityBy default the ’ca’ mode produces a single PKCS#12 output file which holds: * The CA certificate * The CA’s private keyIf you elect to generate PEM format certificates (the -pem option), then the output willbe a zip file containing individual files for the CA certificate and private keyPlease enter the desired output file [elastic-stack-ca.p12]: Enter password for elastic-stack-ca.p12 :

再生成cert: elastic-certificates.p12

[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12This tool assists you in the generation of X.509 certificates and certificatesigning requests for use with SSL/TLS in the Elastic stack.The ’cert’ mode generates X.509 certificate and private keys.

這個生成elastic-certificates.p12 就是我們需要使用的。

復制出證書, ctrl+d退出容器內部

sudo docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 .# 關閉這個容器sudo docker kill essudo docker rm es

如此獲取了證書。

生成密碼

我們首先要啟動es集群，去里面生成密碼。

sudo docker-compose up

然后進入其中一臺

sudo docker exec -it es01 /bin/bash

生成密碼用auto， 自己設置用 interactive

[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords -hSets the passwords for reserved usersCommands--------auto - Uses randomly generated passwordsinteractive - Uses passwords entered by a userNon-option arguments:command Option Description ------ ----------- -E <KeyValuePair> Configure a setting-h, --help Show help -s, --silent Show minimal output-v, --verbose Show verbose output[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords autoInitiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.The passwords will be randomly generated and printed to the console.Please confirm that you would like to continue [y/N]yChanged password for user apm_systemPASSWORD apm_system = YxVzeT9B2jEDUjYp66WsChanged password for user kibanaPASSWORD kibana = 8NnThbj0N02iDaTGhidUChanged password for user logstash_systemPASSWORD logstash_system = 9nIDGe7KSV8SQidSk8DjChanged password for user beats_systemPASSWORD beats_system = qeuVaf1VEALpJHfEUOjJChanged password for user remote_monitoring_userPASSWORD remote_monitoring_user = DtZCrCkVTZsinRn3tW3DChanged password for user elasticPASSWORD elastic = q5f2qNfUJQyvZPIz57MZ

使用密碼

瀏覽器訪問localhost:9200/9201/9202 需要輸入賬號

輸入對應的elastic/password就好

瀏覽器訪問localhost:5601

忘記密碼

如果生成后忘記密碼了怎么辦， 可以進入機器去修改。

進入es的機器

sudo docker exec -it es01 /bin/bash

創建一個臨時的超級用戶RyanMiao

./bin/elasticsearch-users useradd ryan -r superuserEnter new password: ERROR: Invalid password...passwords must be at least [6] characters long[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-users useradd ryan -r superuserEnter new password: Retype new password:

用這個用戶去修改elastic的密碼：

curl -XPUT -u ryan:ryan123 http://localhost:9200/_xpack/security/user/elastic/_password -H 'Content-Type: application/json' -d ’{ 'password': 'q5f2qNfUJQyvZPIz57MZ'}’

參考

http://codingfundas.com/setting-up-elasticsearch-6-8-with-kibana-and-x-pack-security-enabled/index.html

到此這篇關于docker安裝Elasticsearch7.6集群并設置密碼的文章就介紹到這了,更多相關docker安裝Elasticsearch集群內容請搜索好吧啦網以前的文章或繼續瀏覽下面的相關文章希望大家以后多多支持好吧啦網！