参考
Install Elasticsearch with Docker
Images
环境
docker
shell
# docker version
Client: Docker Engine - Community
Version: 24.0.7
API version: 1.43
Go version: go1.20.10
Git commit: afdd53b
Built: Thu Oct 26 09:08:01 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.7
API version: 1.43 (minimum version 1.12)
Go version: go1.20.10
Git commit: 311b9ff
Built: Thu Oct 26 09:08:01 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.26
GitCommit: 3dd1e886e55dd695541fdcd67420c2888645a495
runc:
Version: 1.1.10
GitCommit: v1.1.10-0-g18a0cb0
docker-init:
Version: 0.19.0
GitCommit: de40ad0
# docker compose version
Docker Compose version v2.21.0
images
image | tag |
---|---|
docker.elastic.co/kibana/kibana | 8.11.2-amd64 |
docker.elastic.co/elasticsearch/elasticsearch | 8.11.2-amd64 |
环境
node | role | MountPoint |
---|---|---|
172.22.175.110 | es01 kibana | /opt/data/es01 /opt/data/kibana |
172.22.175.111 | es02 | /opt/data/es02 |
172.22.175.112 | es03 | /opt/data/es03 |
- /etc/hosts
text
127.0.0.1 localhost
172.22.175.110 es01
172.22.175.111 es02
172.22.175.112 es03
- sysctl
# Raise vm.max_map_count to the value Elasticsearch expects: persist it in
# /etc/sysctl.conf and apply it right away (sysctl -p re-reads that file).
# NOTE: >> appends, so running this twice leaves a duplicate line in the file.
printf 'vm.max_map_count=262144\n' >> /etc/sysctl.conf
sysctl -p
部署
es01
- 挂载目录准备
shell
# mkdir -p /opt/data/{es01,kibana}
### container 中的 es 和 kibana 以非 root 用户运行,它们的账户 id 是 1000
# chown -R 1000:1000 /opt/data/{es01,kibana}
- .env
shell
# Compose .env for this Elastic stack. It is copied as-is to es02/es03 together
# with ./certs (see the scp step). It holds credentials: keep it out of version
# control and restrict its file permissions.
# Password for the 'elastic' user (at least 6 characters)
ELASTIC_PASSWORD=1qazXSW@
# Password for the 'kibana_system' user (at least 6 characters)
KIBANA_PASSWORD=1qazXSW@
# Version of Elastic products (used as the image tag of every service)
STACK_VERSION=8.11.2-amd64
# Set the cluster name
CLUSTER_NAME=bj-es-docker
# Set to 'basic' or 'trial' to automatically start the 30-day trial
LICENSE=basic
#LICENSE=trial
# Port to expose Elasticsearch HTTP API to the host
# NOTE: not applied by the compose files on this page: they use
# network_mode: host and declare no `ports:` mapping, so 9200 is bound on the
# host interfaces directly and the 127.0.0.1-only variant below has no effect.
ES_PORT=9200
#ES_PORT=127.0.0.1:9200
# Port to expose Kibana to the host
# NOTE: likewise not applied with network_mode: host; Kibana binds 5601 directly.
KIBANA_PORT=5601
#KIBANA_PORT=80
# Increase or decrease based on the available host memory (in bytes)
# Only takes effect for services that declare `mem_limit: ${MEM_LIMIT}`.
MEM_LIMIT=17179869184
# Project namespace (defaults to the current folder name if not set)
#COMPOSE_PROJECT_NAME=myproject
- docker-compose.yaml
yaml
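# docker-compose.yaml for node es01. Runs the one-shot certificate/password
# "setup" job, the Elasticsearch node es01 and Kibana. ${...} values are
# interpolated by Compose from the .env file in the same directory.
#
# The long-running services use network_mode: host, so they bind directly to
# the host interfaces (9200/9300 for Elasticsearch, 5601 for Kibana); the
# ES_PORT / KIBANA_PORT values in .env are not consulted (no `ports:` here).
version: "3"  # ignored by Compose v2; kept for compatibility with older tooling
services:
  # One-shot job: creates the CA and the per-node certificates under ./certs
  # (skipped when ca.zip / certs.zip already exist), waits until es01 answers
  # over TLS, then sets the kibana_system password.
  setup:
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
    user: "0"  # root: needed to chown/chmod the generated certificate files
    # Folded scalar: the more-indented script lines keep their line breaks, so
    # the text between the quotes reaches `bash -c` as a real multi-line script.
    # ${ELASTIC_PASSWORD} / ${KIBANA_PASSWORD} are substituted by Compose before
    # the container starts, so they become part of the container's command line.
    # NOTE(review): setup has no network_mode, so "es01" must be resolvable from
    # inside this container for the wait loop to finish — confirm; until it
    # does, the kibana_system password is never set.
    command: >
      bash -c '
        if [ x${ELASTIC_PASSWORD} == x ]; then
          echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
          exit 1;
        elif [ x${KIBANA_PASSWORD} == x ]; then
          echo "Set the KIBANA_PASSWORD environment variable in the .env file";
          exit 1;
        fi;
        if [ ! -f config/certs/ca.zip ]; then
          echo "Creating CA";
          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
          unzip config/certs/ca.zip -d config/certs;
        fi;
        if [ ! -f config/certs/certs.zip ]; then
          echo "Creating certs";
          echo -ne \
          "instances:\n"\
          "  - name: es01\n"\
          "    dns:\n"\
          "      - es01\n"\
          "    ip:\n"\
          "      - 172.22.175.110\n"\
          "  - name: es02\n"\
          "    dns:\n"\
          "      - es02\n"\
          "    ip:\n"\
          "      - 172.22.175.111\n"\
          "  - name: es03\n"\
          "    dns:\n"\
          "      - es03\n"\
          "    ip:\n"\
          "      - 172.22.175.112\n"\
          > config/certs/instances.yml;
          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
          unzip config/certs/certs.zip -d config/certs;
        fi;
        echo "Setting file permissions";
        chown -R root:root config/certs;
        find . -type d -exec chmod 750 \{\} \;;
        find . -type f -exec chmod 640 \{\} \;;
        echo "Waiting for Elasticsearch availability";
        until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
        echo "Setting kibana_system password";
        until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
        echo "All done!";
      '
    # Healthy as soon as es01's certificate exists; es01 waits on this.
    healthcheck:
      test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"]
      interval: 1s
      timeout: 5s
      retries: 120

  es01:
    depends_on:
      setup:
        condition: service_healthy
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
      - /opt/data/es01:/usr/share/elasticsearch/data  # host dir must be owned by uid 1000
    environment:
      - node.name=es01
      - cluster.name=${CLUSTER_NAME}
      # Only consulted when the cluster is bootstrapped for the first time.
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es02,es03
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # HTTP (9200) and transport (9300) TLS with the certificates setup generated.
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es01/es01.key
      - xpack.security.http.ssl.certificate=certs/es01/es01.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/es01/es01.key
      - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      # "certificate" checks the chain against the CA, not the peer's hostname/IP.
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}  # container memory cap; value comes from .env
    restart: always
    network_mode: host
    ulimits:
      memlock:
        soft: -1
        hard: -1
    # Probe the node over TLS through its own name (the certificate's SAN lists
    # es01 and 172.22.175.110, not localhost) so the CA check is really enforced
    # instead of being disabled with -k. An unauthenticated request is expected
    # to be refused with "missing authentication credentials".
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120

  kibana:
    depends_on:
      es01:
        condition: service_healthy
    image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
    volumes:
      - ./certs:/usr/share/kibana/config/certs
      - /opt/data/kibana:/usr/share/kibana/data  # host dir must be owned by uid 1000
    environment:
      - SERVERNAME=kibana
      # Kibana talks to es01 over TLS and verifies it against the generated CA.
      - ELASTICSEARCH_HOSTS=https://es01:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
    mem_limit: ${MEM_LIMIT}  # container memory cap; value comes from .env
    restart: always
    network_mode: host
    # Kibana itself is served over plain HTTP on 5601; a 302 means the UI is up.
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120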
- 启动
shell
# docker compose up -d
[+] Running 4/4
✔ Network es_default Created 0.2s
✔ Container es-setup-1 Healthy 0.4s
✔ Container es-es01-1 Healthy 0.1s
✔ Container es-kibana-1 Started 0.1s
- 同步 certs 和 .env 到其他节点
shell
# scp -r certs/ .env es02:/opt/compose/es/
ca.crt 100% 1200 899.3KB/s 00:00
ca.key 100% 1675 1.4MB/s 00:00
certs.zip 100% 7615 6.8MB/s 00:00
ca.zip 100% 2515 2.5MB/s 00:00
es03.crt 100% 1176 1.3MB/s 00:00
es03.key 100% 1675 1.8MB/s 00:00
instances.yml 100% 230 228.9KB/s 00:00
es01.crt 100% 1176 1.2MB/s 00:00
es01.key 100% 1675 1.7MB/s 00:00
es02.key 100% 1675 1.2MB/s 00:00
es02.crt 100% 1172 1.1MB/s 00:00
.env
# scp -r certs/ .env es03:/opt/compose/es/
ca.crt 100% 1200 197.9KB/s 00:00
ca.key 100% 1675 849.8KB/s 00:00
certs.zip 100% 7615 3.3MB/s 00:00
ca.zip 100% 2515 1.5MB/s 00:00
es03.crt 100% 1176 604.2KB/s 00:00
es03.key 100% 1675 932.1KB/s 00:00
instances.yml 100% 230 140.3KB/s 00:00
es01.crt 100% 1176 652.2KB/s 00:00
es01.key 100% 1675 1.2MB/s 00:00
es02.key 100% 1675 672.5KB/s 00:00
es02.crt 100% 1172 844.9KB/s 00:00
.env
es02
- 挂载目录准备
shell
# mkdir -p /opt/data/es02
# chown -R 1000:1000 /opt/data/es02
- .env
同 es01
- docker-compose.yaml
yaml
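# docker-compose.yaml for node es02. ./certs and .env are copied from es01
# (see the scp step); no setup or kibana service runs on this node.
# network_mode: host — the node binds 9200/9300 on the host directly; ES_PORT
# in .env is not consulted (no `ports:` mapping).
version: '3'  # ignored by Compose v2; kept for compatibility with older tooling
services:
  es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
      - /opt/data/es02/:/usr/share/elasticsearch/data  # host dir must be owned by uid 1000
    environment:
      - node.name=es02
      - cluster.name=${CLUSTER_NAME}
      # Only consulted when the cluster is bootstrapped for the first time.
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es01,es03
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # HTTP (9200) and transport (9300) TLS with the per-node certificate generated on es01.
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es02/es02.key
      - xpack.security.http.ssl.certificate=certs/es02/es02.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/es02/es02.key
      - xpack.security.transport.ssl.certificate=certs/es02/es02.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      # "certificate" checks the chain against the CA, not the peer's hostname/IP.
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}  # container memory cap; value comes from .env
    restart: always
    network_mode: host
    ulimits:
      memlock:
        soft: -1
        hard: -1
    # Probe the node over TLS through its own name (the certificate's SAN lists
    # es02 and 172.22.175.111, not localhost) so the CA check is really enforced
    # instead of being disabled with -k. An unauthenticated request is expected
    # to be refused with "missing authentication credentials".
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert config/certs/ca/ca.crt https://es02:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120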
- 启动
shell
# docker compose up -d
[+] Running 1/1
✔ Container es-es02-1 Started
### 等一会儿,等 health 变成 healthy
# docker compose ps
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
es-es02-1 docker.elastic.co/elasticsearch/elasticsearch:8.11.2-amd64 "/bin/tini -- /usr/local/bin/docker-entrypoint.sh eswrapper" es02 12 seconds ago Up 10 seconds (health: starting)
。。。
# docker compose ps
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
es-es02-1 docker.elastic.co/elasticsearch/elasticsearch:8.11.2-amd64 "/bin/tini -- /usr/local/bin/docker-entrypoint.sh eswrapper" es02 3 minutes ago Up 3 minutes (healthy)
es03
- 挂载目录准备
shell
# mkdir -p /opt/data/es03
# chown -R 1000:1000 /opt/data/es03
- .env
同 es01
- docker-compose.yaml
yaml
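# docker-compose.yaml for node es03. ./certs and .env are copied from es01
# (see the scp step); no setup or kibana service runs on this node.
# network_mode: host — the node binds 9200/9300 on the host directly; ES_PORT
# in .env is not consulted (no `ports:` mapping).
version: '3'  # ignored by Compose v2; kept for compatibility with older tooling
services:
  es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
      - /opt/data/es03:/usr/share/elasticsearch/data  # host dir must be owned by uid 1000
    environment:
      - node.name=es03
      - cluster.name=${CLUSTER_NAME}
      # Only consulted when the cluster is bootstrapped for the first time.
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es01,es02
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # HTTP (9200) and transport (9300) TLS with the per-node certificate generated on es01.
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es03/es03.key
      - xpack.security.http.ssl.certificate=certs/es03/es03.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/es03/es03.key
      - xpack.security.transport.ssl.certificate=certs/es03/es03.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      # "certificate" checks the chain against the CA, not the peer's hostname/IP.
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}  # container memory cap; value comes from .env
    restart: always
    network_mode: host
    ulimits:
      memlock:
        soft: -1
        hard: -1
    # Probe the node over TLS through its own name (the certificate's SAN lists
    # es03 and 172.22.175.112, not localhost) so the CA check is really enforced
    # instead of being disabled with -k. An unauthenticated request is expected
    # to be refused with "missing authentication credentials".
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert config/certs/ca/ca.crt https://es03:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120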
- 启动
shell
# docker compose up -d
[+] Running 1/1
✔ Container es-es03-1 Started
### 等一会儿,等 health 变成 healthy
# docker compose ps
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
es-es03-1 docker.elastic.co/elasticsearch/elasticsearch:8.11.2-amd64 "/bin/tini -- /usr/local/bin/docker-entrypoint.sh eswrapper" es03 12 seconds ago Up 11 seconds (health: starting)
。。。
# docker compose ps
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
es-es03-1 docker.elastic.co/elasticsearch/elasticsearch:8.11.2-amd64 "/bin/tini -- /usr/local/bin/docker-entrypoint.sh eswrapper" es03 About a minute ago Up About a minute (healthy)
验证
shell
# curl --user "elastic:1qazXSW@" -k https://172.22.175.110:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
172.22.175.111 6 67 1 0.31 0.83 0.54 cdfhilmrstw * es02
172.22.175.112 10 65 2 1.58 0.80 0.31 cdfhilmrstw - es03
172.22.175.110 12 90 2 0.67 0.82 0.88 cdfhilmrstw - es01
# curl --user "elastic:1qazXSW@" -k https://172.22.175.110:9200/_cat/health?v
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1705029621 03:20:21 bj-es-docker green 3 3 61 30 0 0 0 0 - 100.0%
### PS: kibana 也能通过浏览器访问和使用
总结
官网的例子是在 1 个节点上通过 docker-compose 跑起来的 3 个实例,不符合需求,故将官方的 docker-compose.yml 进行拆分并做适当调整来满足需求;因犯懒癌,所以将网络都设置为 host 模式,避免花半天时间 troubleshooting 网络问题,结果运气不错,一次性搞定。