docker安裝Elasticsearch6.8集群並設置密碼

參考：

• https://cloud.tencent.com/developer/article/1612794

Elasticsearch從6.8開始， 允許免費用戶使用X-Pack的安全功能， 以前安裝es都是裸奔。接下來記錄配置安全認證的方法。

為了簡化物理安裝過程，我們將使用docker安裝我們的服務。

一些基礎配置
es需要修改linux的一些參數。

永久修改
設置 vm.max_map_count=262144

vim /etc/sysctl.conf

vm.max_map_count=262144

臨時修改

# 不重啟， 直接生效當前的命令

sysctl -w vm.max_map_count=262144

我們假設安裝3個實力的es集群，先創建對應的數據存儲文件

mkdir -p es1/data
mkdir -p es1/logs
mkdir -p es2/data
mkdir -p es2/logs
mkdir -p es3/data
mkdir -p es3/logs

關於版本和docker鏡像
Elasticsearch分幾種licenses，其中Open Source和Basic是免費的， 而在6.8之后安全功能才開始集成在es的Basic授權上。

Basic對應docker鏡像為

docker pull elasticsearch:6.8.18
docker pull kibana:6.8.18

同時dockerhub同步為elasticsearch. 我們直接拉取elasticsearch:6.8.18 就好

首先，創建docker-compose.yml，此版本只測試單es版本

version: '2.2'
services:
  es1:
    image: elasticsearch:6.8.18
    container_name: es1
    environment:
      - node.name=es1
      #- cluster.name=es-docker-cluster
      #- discovery.seed_hosts=es2,es3
      #- cluster.initial_master_nodes=es1,es2,es3
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms256m -Xmx256m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es1/data:/usr/share/elasticsearch/data
      - ./es1/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yaml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 # 運行前需要創建證書，下文會詳細展開
    ports:
      - 9400:9200 # 因本機9200已經占用，映射主機9400給容器9200
    networks:
      - elastic
    command: elasticsearch

#  es2:
#    image: elasticsearch:6.8.18
#    container_name: es2
#    environment:
#      - node.name=es2
#      - cluster.name=es-docker-cluster
#      - discovery.seed_hosts=es1,es3
#      - cluster.initial_master_nodes=es1,es2,es3
#      - bootstrap.memory_lock=true
#      - "ES_JAVA_OPTS=-Xms256m -Xmx256m"
#    ulimits:
#      memlock:
#        soft: -1
#        hard: -1
#    volumes:
#      - ./es2/data:/usr/share/elasticsearch/data
#      - ./es2/logs:/usr/share/elasticsearch/logs
#      - ./elasticsearch.yaml:/usr/share/elasticsearch/config/elasticsearch.yml
#      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
#    ports:
#      - 9401:9200
#    networks:
#      - elastic

#  es3:
#    image: elasticsearch:6.8.18
#    container_name: es3
#    environment:
#      - node.name=es3
#      - cluster.name=es-docker-cluster
#      - discovery.seed_hosts=es1,es2
#      - cluster.initial_master_nodes=es1,es2,es3
#      - bootstrap.memory_lock=true
#      - "ES_JAVA_OPTS=-Xms256m -Xmx256m"
#    ulimits:
#      memlock:
#        soft: -1
#        hard: -1
#    volumes:
#      - ./es3/data:/usr/share/elasticsearch/data
#      - ./es3/logs:/usr/share/elasticsearch/logs
#      - ./elasticsearch.yaml:/usr/share/elasticsearch/config/elasticsearch.yml
#      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 # 實測時，發現證書需要設置權限，我的是644
#    ports:
#      - 9402:9200
#    networks:
#      - elastic

  kib01:
    depends_on: 
      - es1
    image: kibana:6.8.18
    container_name: kib01
    ports:
      - 5701:5601 
    environment:
      ELASTICSEARCH_URL: http://es1:9200 #由於同一網段，可以dns出es1
      ELASTICSEARCH_HOSTS: http://es1:9200
    volumes:
      - ./kibana.yaml:/usr/share/kibana/config/kibana.yml # 后文會詳細展開
    networks:
      - elastic

networks:
  elastic:
    driver: bridge

關於elasticsearch.yml

network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12

xpack.security.audit.enabled: true

• network.host 設置允許其他ip訪問，解除ip綁定
• xpack.security 則是安全相關配置，其中ssl的證書需要自己生成

關於kibana.yaml

server.name: kibana
server.host: 0.0.0.0
elasticsearch.hosts: "http://172.17.0.2:9200" # es1的ip為172.17.0.2
elasticsearch.username: admin #同后設置的超級用戶
elasticsearch.password: 123456 #超級用戶對應的密碼

生成證書elastic-certificates.p12
es提供了生成證書的工具elasticsearch-certutil，我們可以在docker實例中生成它，然后復制出來，后面統一使用。

首先運行es實例

sudo docker run -dit --name=es elasticsearch:7.6.2 /bin/bash

進入實例內部

sudo docker exec -it es /bin/bash

生成ca: elastic-stack-ca.p12

[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 : 

再生成cert: elastic-certificates.p12

[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.

這個生成elastic-certificates.p12 就是我們需要使用的。

復制出證書, ctrl+d退出容器內部

sudo docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 .
# 關閉這個容器
sudo docker kill es
sudo docker rm es

如此獲取了證書。

生成密碼
我們首先要啟動es集群，去里面生成密碼。

sudo docker-compose up

然后進入其中一台

sudo docker exec -it es01 /bin/bash

# 自行創建超級用戶
./bin/elasticsearch-users useradd admin -r superuser
Enter new password: 
Retype new password: 

docker-compose啟動服務

# cd到docker-compose.yaml目錄
docker-compose up -d

# 查看服務 
docker-compose ps

# 如果有不是up狀態的容器
docker-compose logs -f 容器名

測試是否開啟了認證

# 測試不輸入密碼下get
curl localhost:9400 #主機映射的端口是9400

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

# 測試輸入密碼時
curl -u admin:123456  localhost:9400
{
  "name" : "hoGlED6",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "9o_94RdASQyvRNzIBagRfg",
  "version" : {
    "number" : "6.8.18",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "aca2329",
    "build_date" : "2021-07-28T16:06:05.232873Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.3",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

# 測試kibana是否需要密碼登錄
地址欄輸入：localhost:5701

待正確輸入密碼后可登錄查看。