Elasticsearch | Deploying an Elasticsearch cluster with Docker and enabling security settings

1: Prerequisites

  • CentOS with Docker deployed
  • Two or three servers on which to deploy Elasticsearch
  • ip1, ip2
2: Installing Docker and Elasticsearch

1.1 Install Docker
    [root@ecs-b3bf-0225795 ~]# yum install docker
    [root@ecs-b3bf-0225795 ~]# systemctl start docker

1.2 Kernel setting that Elasticsearch requires (vm.max_map_count)
    [root@ecs-b3bf-0225795 ~]# vi /etc/sysctl.conf
    # add this line
    vm.max_map_count = 655350
    [root@ecs-b3bf-0225795 ~]# sysctl -p

1.3 Install Elasticsearch
    [root@ecs-b3bf-0225795 ~]# mkdir -p /home/docker/elasticsearch
    [root@ecs-b3bf-0225795 ~]# cd /home/docker/elasticsearch/
    [root@ecs-b3bf-0225795 elasticsearch]# docker pull docker.io/library/elasticsearch:7.6.2
Once the pull completes, do not start the container yet.

Create all the directories we will need later for data storage, plugins, logs and configuration:
    [root@ecs-b3bf-0225795 elasticsearch]# mkdir data
    [root@ecs-b3bf-0225795 elasticsearch]# mkdir logs
    [root@ecs-b3bf-0225795 elasticsearch]# mkdir -p plugins/ik
    [root@ecs-b3bf-0225795 elasticsearch]# mkdir config
    [root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 data
    [root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 logs
    [root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 plugins
    [root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 config

Install the ik analyzer
    [root@ecs-b3bf-0225795 plugins]# cd plugins/ik
    [root@ecs-b3bf-0225795 ik]# wget https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v7.6.2/elasticsearch-analysis-ik-7.6.2.zip
    [root@ecs-b3bf-0225795 ik]# unzip elasticsearch-analysis-ik-7.6.2.zip

Copy the configuration files out of the container and place them on the mount path
    [root@ecs-b3bf-0225795 elasticsearch]# cd /home/docker/elasticsearch/
    [root@ecs-b3bf-0225795 elasticsearch]# docker run -p 9200:9200 -p 9300:9300 \
        --privileged=true --name es7 \
        -e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
        -v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
        -v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
        -v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
        -d elasticsearch:7.6.2
    [root@ecs-b3bf-0225795 elasticsearch]# docker cp -a es7:/usr/share/elasticsearch/config/ /home/docker/elasticsearch/
    [root@ecs-b3bf-0225795 elasticsearch]# docker kill es7
    [root@ecs-b3bf-0225795 elasticsearch]# docker rm es7
This copies the configuration files from inside the started ES container to the host path we mount.

elasticsearch.yml
    # Cluster name
    cluster.name: material-es
    # Name of this node
    node.name: node-1
    # Whether this node is eligible to be elected master
    node.master: true
    # Whether this node stores data
    node.data: true
    # Maximum number of nodes that may share this data path
    node.max_local_storage_nodes: 3
    # Custom attribute for this node (optional)
    #node.attr.rack: r1
    # Data storage location
    path.data: /usr/share/elasticsearch/data
    # Log storage location (matches the logs volume mounted into the container)
    path.logs: /usr/share/elasticsearch/logs
    # Whether to lock memory at startup
    #bootstrap.memory_lock: true
    # Bind address. This one cost me a lot of time: I originally filled in the host's real physical IP here,
    # and then startup kept reporting an invalid IP address and could not bind port 9300. Here you only need 0.0.0.0
    network.host: 0.0.0.0
    # The IP address other nodes use to talk to this node. If unset it is detected automatically; the value must be a real IP address, so set the physical host's address.
    # For a node installed in Docker, the node's IP will then be the configured IP rather than the Docker bridge IP
    network.publish_host: 175.6.3.132
    # Published (mapped) HTTP port
    http.port: 9200
    # Port for internal node-to-node communication
    transport.tcp.port: 9300
    # Cluster discovery defaults to 127.0.0.1:9300; to form a cluster with nodes on other hosts, this must be filled in.
    # New in ES 7.x: the addresses of master-eligible candidate nodes, which can be elected master once the service is up, i.e. list every node here
    discovery.seed_hosts: ["175.6.3.132:9300","175.6.3.133:9300","175.6.3.134:9300"]
    # When bootstrapping the cluster, the set of qualified master-eligible nodes. Some explanations of this are too official;
    # in plain terms: pick a few good nodes, and when your node starts, one of these is chosen as the leader.
    # If you leave it unset, Elasticsearch elects on its own; here we list all three nodes
    cluster.initial_master_nodes: ["node-1","node-2","node-3"]
    # After a full cluster restart, block initial recovery until N nodes have started.
    # Put simply: after the cluster starts, at least this many nodes must be back before the service can be used
    gateway.recover_after_nodes: 2
    # Whether deleting an index requires its name to be given explicitly (default: required)
    #action.destructive_requires_name: true
    # Whether cross-origin requests are allowed (default false)
    http.cors.enabled: true
    # When CORS is enabled the default is *, meaning every origin is allowed. To allow only certain sites, use a regular expression, e.g. only localhost: /https?:\/\/localhost(:[0-9]+)?/
    http.cors.allow-origin: "*"

Put the new configuration file in place.
Start command; run the same command on every machine:
    [root@ecs-b3bf-0225795 elasticsearch]# docker run -p 9200:9200 -p 9300:9300 \
        --privileged=true --name es7 \
        -e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
        -v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
        -v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
        -v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
        -v /home/docker/elasticsearch/config:/usr/share/elasticsearch/config \
        -d elasticsearch:7.6.2
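Each node needs its own node.name and network.publish_host while the rest of the file stays identical, so here is an added helper (not from the original post) that renders the elasticsearch.yml above for node N. It assumes the post's three node IPs, in order, and the container mount paths from section 2.

```shell
# Added example, not part of the original post: render the per-node
# elasticsearch.yml for the three-node cluster above. The shared settings
# are the post's; only node.name and network.publish_host differ per node.
# Assumes the post's node IPs (in order) and the section 2 mount paths.
set -eu

NODE_IPS="175.6.3.132 175.6.3.133 175.6.3.134"

# ip_for_node N -> prints the Nth IP (1-based), empty if out of range
ip_for_node() {
    echo "$NODE_IPS" | tr ' ' '\n' | sed -n "${1}p"
}

# render_node_yml N -> prints elasticsearch.yml for node-N on stdout
render_node_yml() {
    n="$1"
    ip="$(ip_for_node "$n")"
    [ -n "$ip" ] || { echo "no IP configured for node $n" >&2; return 1; }
    # build the seed and initial-master lists from the same IP list
    seeds=""; masters=""; i=1
    for h in $NODE_IPS; do
        seeds="${seeds:+$seeds,}\"$h:9300\""
        masters="${masters:+$masters,}\"node-$i\""
        i=$((i + 1))
    done
    cat <<EOF
cluster.name: material-es
node.name: node-$n
node.master: true
node.data: true
node.max_local_storage_nodes: 3
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
# bind on all container interfaces, advertise the host IP to peers
network.host: 0.0.0.0
network.publish_host: $ip
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: [$seeds]
cluster.initial_master_nodes: [$masters]
gateway.recover_after_nodes: 2
EOF
}

# usage on node 2: render_node_yml 2 > /home/docker/elasticsearch/config/elasticsearch.yml
```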

3: Security settings
Security handling: on top of the containers already running above, just run the following on the host.
Obtain the p12 file, then enable the security settings.
3.1 Generate the p12 file
    [root@ecs-b3bf-0225795 elasticsearch]# cd /
    [root@ecs-b3bf-0225795 ~]# docker run -dit --name=es elasticsearch:7.6.2 /bin/bash
    f87b0e87cbe6cc5a1c53e6e343914072369641cef216815ca0d4f18e50a9da5e
    # enter our temporary es container and run the following inside it
    [root@ecs-b3bf-0225795 elasticsearch]# bin/elasticsearch-certutil ca
    # press Enter through every prompt
    [root@ecs-b3bf-0225795 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    # press Enter through every prompt
    # after generation finishes:
    [root@ecs-b3bf-0225795 elasticsearch]# ls
    -rw------- 1 root root 3451 Mar  1 17:42 elastic-certificates.p12
    ...
    # exit the current container
    [root@ecs-b3bf-0225795 elasticsearch]# exit; exit
    # copy the generated p12 to the host path
    [root@ecs-b3bf-0225795 ~]# docker cp -a es:/usr/share/elasticsearch/elastic-certificates.p12 /home/docker/elasticsearch/config/
    [root@ecs-b3bf-0225795 ~]# docker kill es
    es
    [root@ecs-b3bf-0225795 ~]# docker rm es
    es
    # stop every node of the es cluster
    [root@ecs-b3bf-0225795 ~]# docker kill es7
    [root@ecs-b3bf-0225795 ~]# docker rm es7

Enable security in elasticsearch.yml
    # enable security
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.keystore.type: PKCS12
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.type: PKCS12
    xpack.security.audit.enabled: true

Push the new configuration files, elasticsearch.yml and elastic-certificates.p12, to this directory on every node:
/home/docker/elasticsearch/config
and make them readable by all users:
    # make readable by all users
    [root@ecs-b3bf-0225795 ~]# chmod +r /home/docker/elasticsearch/config/elastic-certificates.p12

3.2 Generate the Elasticsearch access passwords
Remember: ports 9200 and 9300 must be mutually reachable between all three cluster nodes. The passwords are generated automatically and must be written down; ports 9200 and 9300 need to be open.
    # start our cluster
    [root@ecs-b3bf-0225795 ~]# docker run -p 9200:9200 -p 9300:9300 \
        --privileged=true --name es7 \
        -e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
        -v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
        -v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
        -v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
        -v /home/docker/elasticsearch/config:/usr/share/elasticsearch/config \
        -v /home/docker/elasticsearch/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 \
        -d elasticsearch:7.6.2
    # enter the container of the node we just started, es7
    [root@ecs-b3bf-0225795 ~]# docker exec -it es7 /bin/bash
    [root@ac0fa780b8db elasticsearch]# ./bin/elasticsearch-setup-passwords auto
    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
    The passwords will be randomly generated and printed to the console.
    Please confirm that you would like to continue [y/N]y
    Changed password for user apm_system
    PASSWORD apm_system = I5kYgua12jyhTWgGE6DoR
    Changed password for user kibana
    PASSWORD kibana = QehLVOFFTmoVSlK2121n4hU
    Changed password for user logstash_system
    PASSWORD logstash_system = e0woYM550en2121kSmfCph0
    ......
    Changed password for user elastic
    PASSWORD elastic = qRJvpTYcvslk1WhfvRfHE

The user we need is: elastic
Note: the generated accounts and passwords are propagated to the other nodes; the other nodes do not need to run this step.
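As an added example (not from the original post), a few offline checks a defender can run against each node's config directory before bringing the secured cluster back up: the security block from 3.1 must be present and uncommented, and the p12 (which carries the node's private key) should not be readable by everyone. The function names are this example's own, and the file-mode check assumes the tighter alternative to the post's chmod +r, i.e. ownership by the container's elasticsearch user (uid 1000 in the official image) with no permissions for others.

```shell
# Added example, not part of the original post: offline checks for the
# security settings above, run against a node's config directory.
#  check_security_yml FILE  the core xpack settings the post enables must be
#                           present, uncommented, in elasticsearch.yml
#  cors_wide_open FILE      succeeds if http.cors.allow-origin is "*"
#  check_keystore_mode FILE the p12 holds the node's private key, so the
#                           "other" permission bits must all be clear
# Assumption: settings are written one per line with no indentation.

REQUIRED_SETTINGS='xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.audit.enabled: true'

check_security_yml() {
    file="$1"; rc=0
    # read from a here-document rather than a pipe so rc survives the loop
    while IFS= read -r want; do
        if ! grep -qxF -- "$want" "$file"; then
            echo "MISSING: $want"; rc=1
        fi
    done <<EOF
$REQUIRED_SETTINGS
EOF
    return $rc
}

cors_wide_open() {
    grep -qxF -- 'http.cors.allow-origin: "*"' "$1"
}

check_keystore_mode() {
    # columns 8-10 of "ls -l" are the permission bits for "other"
    others="$(ls -l -- "$1" | cut -c8-10)"
    if [ "$others" != "---" ]; then
        echo "FAIL: $1 is accessible by other users (other=$others)"
        return 1
    fi
}

# Demo on a constructed file: the section 2 config alone fails; it passes once the section 3 block is appended
cfg="$(mktemp)"
printf '%s\n' 'cluster.name: material-es' 'http.cors.allow-origin: "*"' > "$cfg"
check_security_yml "$cfg" || echo "security block missing (expected before section 3)"
printf '%s\n' "$REQUIRED_SETTINGS" >> "$cfg"
check_security_yml "$cfg" && echo "security settings present"
cors_wide_open "$cfg" && echo "note: CORS allows every origin"
rm -f -- "$cfg"
```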
