docker-compose + elasticsearch 7.6 (with passwords and certificates) + kibana 7.6 + elasticsearch-head: building a cluster

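Contents

    • Description
    • Building a custom elasticsearch 7.6 image
    • Building a custom elasticsearch-head image
    • elasticsearch.yml configuration
    • kibana.yml configuration
    • docker-compose.yml configuration
    • Starting the containers
    • Configuring passwords
    • Logging in to kibana and elasticsearch-head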

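Description

I recently looked into deploying elasticsearch 7.6 with docker-compose. There are some tutorials online, but when I followed them, either nothing would run at all, or, with a three-node cluster, only one node stayed alive after passwords were configured and the other nodes could not communicate with it. I hit quite a few pitfalls and in the end learned from the official documentation.

Official ES Docker configuration documentation

Official ES certificate configuration documentation

If you only want to experiment and do not need certificates or passwords, following the official ES Docker configuration documentation is enough.

Building a custom elasticsearch 7.6 image

The ES_Dockerfile configuration, which includes the ik analyzer and certificate generation.

ik analyzer download address

The ik download is a zip package; it must be unzipped and then repacked in tar.gz format.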

# Official image
FROM elasticsearch:7.6.2

USER root
# Add the ik analyzer
ADD elasticsearch-analysis-ik-7.6.2.tar.gz /usr/share/elasticsearch/plugins/
RUN mv /usr/share/elasticsearch/plugins/elasticsearch-analysis-ik-7.6.2 /usr/share/elasticsearch/plugins/ik
RUN chmod 777 /usr/share/elasticsearch/plugins/ik -R

# Generate the CA; you can set your own password
RUN bin/elasticsearch-certutil ca --out config/elastic-stack-ca.p12 --pass 123456

# Generate the node certificate signed by that CA; you can set your own password
RUN bin/elasticsearch-certutil cert --ca config/elastic-stack-ca.p12 --ca-pass 123456 --out config/elastic-certificates.p12 --pass 123456

# Create the keystore
RUN bin/elasticsearch-keystore create

# Add the certificate password to the keystore
RUN sh -c '/bin/echo -e "123456" | sh bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password'
RUN sh -c '/bin/echo -e "123456" | sh bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password'

# Set file permissions
RUN chmod 777 /usr/share/elasticsearch/config/elastic-certificates.p12
RUN chmod 777 /usr/share/elasticsearch/config/elastic-stack-ca.p12
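
Every RUN command above is recorded in the image's build history, and the CA file itself is stored in an image layer, so anyone who can pull the image can read the passwords and the CA. The following check is an added example, not part of the original post; the rule names are hypothetical and the sample input is the RUN lines from the Dockerfile above.

```python
import re

# Constructed sample: the secret-handling lines of the ES_Dockerfile above.
DOCKERFILE = """\
FROM elasticsearch:7.6.2
USER root
RUN bin/elasticsearch-certutil ca --out config/elastic-stack-ca.p12 --pass 123456
RUN bin/elasticsearch-certutil cert --ca config/elastic-stack-ca.p12 --ca-pass 123456 --out config/elastic-certificates.p12 --pass 123456
RUN bin/elasticsearch-keystore create
RUN sh -c '/bin/echo -e "123456" | sh bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password'
RUN chmod 777 /usr/share/elasticsearch/config/elastic-certificates.p12
RUN chmod 777 /usr/share/elasticsearch/config/elastic-stack-ca.p12
"""

# (hypothetical rule id, pattern, why it matters)
RULES = [
    # A literal after --pass/--ca-pass; shell expansions such as $(cat ...) are not literals.
    ("literal-pass", re.compile(r"--(?:ca-)?pass\s+(?!\$)\S+"),
     "PKCS#12 password is a literal in the build command and stays in image history"),
    ("piped-secret", re.compile(r"echo\b[^|]*\|[^|]*elasticsearch-keystore\s+add"),
     "keystore secret is echoed from a literal in the build command"),
    # Any mode whose last digit grants write to 'other' (2, 3, 6, 7) on a .p12 file.
    ("world-writable-key", re.compile(r"chmod\s+(?:-R\s+)?\d*[2367]\s+\S+\.p12"),
     "private-key container can be read and replaced by every user in the container"),
]


def scan(dockerfile_text):
    """Return (line number, rule id, reason) for every RUN line that matches a rule."""
    findings = []
    for number, line in enumerate(dockerfile_text.splitlines(), start=1):
        if not line.lstrip().upper().startswith("RUN "):
            continue
        for rule_id, pattern, reason in RULES:
            if pattern.search(line):
                findings.append((number, rule_id, reason))
    return findings


if __name__ == "__main__":
    for number, rule_id, reason in scan(DOCKERFILE):
        print(f"line {number}: [{rule_id}] {reason}")
```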
           

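Build the image

Note: centos7docker:443 is a Harbor image registry that I set up myself. If you do not have a registry, you can use Alibaba Cloud's container registry service instead. If you are only testing locally, you can do without a registry.

The resulting images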

[[email protected] elasticsearch]# docker images | grep '7.6.2'
centos7docker:443/aliang-xyl/elasticsearch        7.6.2                            66d1054960ee        46 minutes ago      820MB
kibana                                            7.6.2                            f70986bc5191        5 months ago        1.01GB
elasticsearch                                     7.6.2                            f29a1ee41030        5 months ago        791MB

           

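Push to the image registry

Building a custom elasticsearch-head image

The stock elasticsearch-head image does not work here and fails with the following error:

This error occurs because the Content-Type is not supported; the supported format is application/json;charset=UTF-8

Start an elasticsearch-head container, copy /usr/src/app/_site/vendor.js out of the container, then replace application/x-www-form-urlencoded in vendor.js with application/json;charset=UTF-8.

ES_Head_DockerFile configuration: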

# Stock image
FROM mobz/elasticsearch-head:5

USER root
# Delete the original vendor.js
RUN rm -f /usr/src/app/_site/vendor.js
# Add the modified vendor.js
ADD vendor.js /usr/src/app/_site/
RUN chmod 777 /usr/src/app/_site/vendor.js
           

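Build the image

Push the image

elasticsearch.yml configuration

Note that the certificate settings must match the certificate information in the custom image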

network.host: 0.0.0.0
# master node es01
cluster.initial_master_nodes: ["es01"]
discovery.seed_hosts: ["es01","es02","es03"]
cluster.name: "es-docker-cluster"
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
# Enable monitoring collection for kibana; if it is not enabled here, it can also be turned on from the kibana monitoring page
xpack.monitoring.collection.enabled: true
# Enable the security and authentication settings
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.audit.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
# The file name must match the name used in the custom image
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
           

kibana.yml configuration

Here I defined the account's password in advance

server.name: kibana
server.host: "0"
kibana.index: ".kibana"
elasticsearch.hosts: [ "http://192.168.147.129:9200" ]
xpack.monitoring.ui.container.elasticsearch.enabled: true
i18n.locale: zh-CN
elasticsearch.username: 'kibana'
elasticsearch.password: 'Es123456'
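
The two files above encrypt node-to-node transport traffic only: the REST API on port 9200 and the kibana connection stay on plain HTTP, so the passwords set later cross the network unencrypted. The following audit is an added example, not part of the original post; the finding names are hypothetical and the inputs are the relevant lines of the two files above.

```python
# Constructed samples: the security-relevant lines of the two files above.
ES_YML = """\
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
"""
KIBANA_YML = """\
elasticsearch.hosts: [ "http://192.168.147.129:9200" ]
elasticsearch.username: 'kibana'
elasticsearch.password: 'Es123456'
"""


def parse_flat_yaml(text):
    """Parse the flat `key: value` style used by elasticsearch.yml and kibana.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(es, kibana):
    """Return the (hypothetical) finding ids that apply to the parsed settings."""
    findings = []
    if es.get("http.cors.enabled") == "true" and es.get("http.cors.allow-origin") == "*":
        findings.append("cors-any-origin")            # any web origin may call the REST API
    if (es.get("xpack.security.enabled") == "true"
            and es.get("xpack.security.http.ssl.enabled") != "true"):
        findings.append("http-no-tls")                # passwords cross port 9200 unencrypted
    if es.get("xpack.security.transport.ssl.verification_mode") == "certificate":
        findings.append("transport-ca-only")          # any cert signed by the CA may join
    if "http://" in kibana.get("elasticsearch.hosts", ""):
        findings.append("kibana-es-cleartext")        # kibana sends its password over HTTP
    if "elasticsearch.password" in kibana:
        findings.append("kibana-plaintext-password")  # bin/kibana-keystore can hold it instead
    return findings


if __name__ == "__main__":
    for finding in audit(parse_flat_yaml(ES_YML), parse_flat_yaml(KIBANA_YML)):
        print(finding)
```

Because `transport-ca-only` means any certificate issued by the CA is trusted, the CA file and its password built into the custom image are what protect cluster membership.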
           

docker-compose.yml configuration

version: '2.2'
services:
  es01:
    image: centos7docker:443/aliang-xyl/elasticsearch:7.6.2
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - TZ=Asia/Shanghai
      - node.master=true
      - node.data=true
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - http.cors.allow-headers=Authorization,X-Requested-With,Content-Length,Content-Type
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.audit.enabled=true
      - xpack.license.self_generated.type=basic
      - xpack.monitoring.collection.enabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es01/data:/usr/share/elasticsearch/data
      - ./es01/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    ports:
      - 9200:9200
    networks:
      - elastic

  es02:
    image: centos7docker:443/aliang-xyl/elasticsearch:7.6.2
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - TZ=Asia/Shanghai
      - node.master=true
      - node.data=true
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - http.cors.allow-headers=Authorization,X-Requested-With,Content-Length,Content-Type
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.audit.enabled=true
      - xpack.license.self_generated.type=basic
      - xpack.monitoring.collection.enabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es02/data:/usr/share/elasticsearch/data
      - ./es02/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    ports:
      - 9202:9200
    networks:
      - elastic

  es03:
    image: centos7docker:443/aliang-xyl/elasticsearch:7.6.2
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - TZ=Asia/Shanghai
      - node.master=true
      - node.data=true
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - http.cors.allow-headers=Authorization,X-Requested-With,Content-Length,Content-Type
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.audit.enabled=true
      - xpack.license.self_generated.type=basic
      - xpack.monitoring.collection.enabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es03/data:/usr/share/elasticsearch/data
      - ./es03/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    ports:
      - 9203:9200
    networks:
      - elastic

  kibana:
    depends_on: 
      - es01
    image: kibana:7.6.2
    container_name: kibana
    ports:
      - 5601:5601
    environment:
      - elasticsearch.url=http://es01:9200
      - elasticsearch.hosts=http://es01:9200
      - i18n.locale=zh-CN   
      - TZ=Asia/Shanghai
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
      - /etc/localtime:/etc/localtime
    networks:
      - elastic

  eshead:    
    image: centos7docker:443/aliang-xyl/elasticsearch-head:5
    container_name: eshead
    networks:
      - elastic
    ports:
      - 9100:9100

networks:
  elastic:
    driver: bridge

           

Starting the containers

Create the directories and set their permissions:

# mkdir -p es01/logs es01/data es02/logs es02/data es03/logs es03/data
# chmod 777 es0* -R
           

Files in the current directory at this point:

[[email protected] elasticsearch]# ll
總用量 4636
-rw-r--r--. 1 root root    4063 9月   2 10:40 docker-compose.yml
-rw-r--r--. 1 root root 4261000 8月  23 16:36 elasticsearch-analysis-ik-7.6.2.tar.gz
-rwxrwxrwx. 1 root root     770 9月   1 21:03 elasticsearch.yml
drwxrwxrwx. 4 root root      30 9月   1 14:47 es01
drwxrwxrwx. 4 root root      30 9月   1 14:47 es02
drwxrwxrwx. 4 root root      30 9月   1 14:47 es03
-rw-r--r--. 1 root root     925 9月   1 22:24 ES_DockerFile
-rw-r--r--. 1 root root     162 8月  23 17:43 ES_Head_DockerFile
-rwxrwxrwx. 1 root root     261 9月   1 15:21 kibana.yml
-rw-r--r--. 1 root root  459899 8月  23 17:41 vendor.js
           

Start

# docker-compose -f docker-compose.yml up -d
Creating es01 ... done
Creating kibana ... done
Creating eshead ... 
Creating es03 ... 
Creating es01 ... 
Creating kibana ... 
[[email protected] elasticsearch]# docker-compose ps
 Name               Command               State                Ports              
----------------------------------------------------------------------------------
es01     /usr/local/bin/docker-entr ...   Up      0.0.0.0:9200->9200/tcp, 9300/tcp
es02     /usr/local/bin/docker-entr ...   Up      0.0.0.0:9202->9200/tcp, 9300/tcp
es03     /usr/local/bin/docker-entr ...   Up      0.0.0.0:9203->9200/tcp, 9300/tcp
eshead   /bin/sh -c grunt server          Up      0.0.0.0:9100->9100/tcp          
kibana   /usr/local/bin/dumb-init - ...   Up      0.0.0.0:5601->5601/tcp
           

Configuring passwords

Enter the master node's container and configure the passwords

[[email protected] elasticsearch]# docker exec -it es01 /bin/bash
[[email protected] elasticsearch]# ./bin/elasticsearch-setup-passwords interactive --verbose
Running with configuration path: /usr/share/elasticsearch/config

Testing if bootstrap password is valid for http://172.20.0.3:9200/_security/_authenticate?pretty
{
  "username" : "elastic",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "_reserved" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "lookup_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  }
}


Checking cluster health: http://172.20.0.3:9200/_cluster/health?pretty
{
  "cluster_name" : "es-docker-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 1,
  "active_shards" : 2,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 

Trying user password change call http://172.20.0.3:9200/_security/user/apm_system/_password?pretty
{ }

Changed password for user [apm_system]

Trying user password change call http://172.20.0.3:9200/_security/user/kibana/_password?pretty
{ }

Changed password for user [kibana]

Trying user password change call http://172.20.0.3:9200/_security/user/logstash_system/_password?pretty
{ }

Changed password for user [logstash_system]

Trying user password change call http://172.20.0.3:9200/_security/user/beats_system/_password?pretty
{ }

Changed password for user [beats_system]

Trying user password change call http://172.20.0.3:9200/_security/user/remote_monitoring_user/_password?pretty
{ }

Changed password for user [remote_monitoring_user]

Trying user password change call http://172.20.0.3:9200/_security/user/elastic/_password?pretty
{ }

Changed password for user [elastic]
           

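Logging in to kibana and elasticsearch-head

Open in a browser: http://centos7docker:5601/

When I accessed it with Google Chrome, the login succeeded but the page never redirected to the home page and stayed on the login page.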

Chrome could not log in to kibana; I did not look into the specific cause and simply used Firefox instead.

After logging in, open the monitoring page:

elasticsearch-head interface

Visit http://centos7docker:9100/?auth_user=elastic&auth_password=Es123456

Replace centos7docker:9100 here with your own IP and port number
