docker安装的es配置密码认证

docker安装的es配置密码认证

前言

​ 今天客户提出来，说es的端口是暴露出来的，可以直接取出来数据，按照要求，必须对9200进行密码配置。准备好几种方案，nginx的反向代理加上认证配置（但是是一个单体的服务，只在一台机器，所以没办法采用）。防火墙的配置（但是因为客户服务器的防火墙是关闭的，不能轻易打开防火墙）等

测试环境安装es

采用docker-compose安装

version: "3"
services:
  es-master:
    container_name: es-master
    image: elasticsearch:7.9.3
    hostname: es-master
    restart: always
    user: root
    ports:
      - 9200:9200
      - 9300:9300
    volumes:
      - ./elasticsearch/master/config:/usr/share/elasticsearch/config
      - ./elasticsearch/master/data:/usr/share/elasticsearch/data
      - ./elasticsearch/master/logs:/usr/share/elasticsearch/logs
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - "TZ=Asia/Shanghai"

启动后会报错，因此先不要挂载目录，先运行起来将容器的目录先copy出来

docker run -itd --name es -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" elasticsearch:7.9.3

docker cp es:/usr/share/elasticsearch/config   /root/retec/elasticsearch/master/
Successfully copied 18.9kB to /root/retec/elasticsearch/master/

设置虚拟缓存

#修改文件
sudo vim /etc/sysctl.conf
 
#添加参数
...
vm.max_map_count = 262144

加载配置

sysctl -p

添加权限

chmod -R 777 ./elasticsearch/

配置文件

cluster.name: es-cluster
# 节点名称
node.name: es-master
# 是否可以成为master节点
node.master: true
# 是否允许该节点存储数据,默认开启
node.data: true
# 网络绑定
network.host: 0.0.0.0
# 设置对外服务的http端口
http.port: 9200
# 设置节点间交互的tcp端口
transport.port: 9300
# 集群发现
discovery.seed_hosts:
  - es-master
# 手动指定可以成为 mater 的所有节点的 name 或者 ip，这些配置将会在第一次选举中进行计算
cluster.initial_master_nodes:
  - es-master
# 支持跨域访问
http.cors.enabled: true
http.cors.allow-origin: "*"
# 安全认证
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

删除测试容器启动docker-compose

[root@bogon ~]# docker rm -f es
es
[root@bogon ~]# cd retec/
[root@bogon xxx]# ls
docker-compose.yml  elasticsearch
[root@bogon xxx]# docker-compose up -d

配置认证

• 进入容器

  [root@bogon ~]# docker exec -it es-master bash
  [root@es-master elasticsearch]# 

• 生成证书1

  [root@es-master elasticsearch]# ./bin/elasticsearch-certutil ca       一直回车

• 生成证书2

  [root@es-master elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

  一直回车即可

• 将证书移动到config

  [root@es-master elasticsearch]# mv elastic-certificates.p12 ./config

  [root@es-master elasticsearch]# mv elastic-certificates.p12 ./config
  [root@es-master elasticsearch]# ll config/
  total 32
  -rw------- 1 root root 3451 May 11 11:39 elastic-certificates.p12
  -rwxrwxrwx 1 root root  199 May 11 11:23 elasticsearch.keystore
  -rwxrwxrwx 1 root root  537 May 11 11:35 elasticsearch.yml
  -rwxrwxrwx 1 root root 2301 Oct 16  2020 jvm.options
  drwxrwxrwx 2 root root    6 Oct 16  2020 jvm.options.d
  -rwxrwxrwx 1 root root 7734 Oct 16  2020 log4j2.properties
  -rwxrwxrwx 1 root root  473 Oct 16  2020 role_mapping.yml
  -rwxrwxrwx 1 root root  197 Oct 16  2020 roles.yml
  -rwxrwxrwx 1 root root    0 Oct 16  2020 users
  -rwxrwxrwx 1 root root    0 Oct 16  2020 users_roles
  [root@es-master elasticsearch]# 

• 生成密码

  [root@es-master elasticsearch]# ./bin/elasticsearch-setup-passwords auto
  Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
  The passwords will be randomly generated and printed to the console.
  Please confirm that you would like to continue [y/N]y
  
  
  Changed password for user apm_system
  PASSWORD apm_system = vIB9alCzx09vLZY1jnrZ
  
  Changed password for user kibana_system
  PASSWORD kibana_system = 7Kr2v8XV180M2IJf79ic
  
  Changed password for user kibana
  PASSWORD kibana = 7Kr2v8XV180M2IJf79ic
  
  Changed password for user logstash_system
  PASSWORD logstash_system = GMKQlmsRSkp0nWkjDlqi
  
  Changed password for user beats_system
  PASSWORD beats_system = oi5YAtZAesAeuZ3ThxTi
  
  Changed password for user remote_monitoring_user
  PASSWORD remote_monitoring_user = jZZqmOkFLvXDnOzAs53p
  
  Changed password for user elastic
  PASSWORD elastic = n7U0AvcGdfg8QsUXzeOx

  一路回车，回车完后会打印生成的密码 打印出来6个用户和密码

• 退出容器，增加配置并保存

  cluster.name: es-cluster
  # 节点名称
  node.name: es-master
  # 是否可以成为master节点
  node.master: true
  # 是否允许该节点存储数据,默认开启
  node.data: true
  # 网络绑定
  network.host: 0.0.0.0
  # 设置对外服务的http端口
  http.port: 9200
  # 设置节点间交互的tcp端口
  transport.port: 9300
  # 集群发现
  discovery.seed_hosts:
    - es-master
  # 手动指定可以成为 mater 的所有节点的 name 或者 ip，这些配置将会在第一次选举中进行计算
  cluster.initial_master_nodes:
    - es-master
  # 支持跨域访问
  http.cors.enabled: true
  http.cors.allow-origin: "*"
  # 安全认证
  xpack.security.enabled: true
  xpack.security.transport.ssl.enabled: true
  xpack.security.transport.ssl.keystore.type: PKCS12
  xpack.security.transport.ssl.verification_mode: certificate
  xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
  xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
  xpack.security.transport.ssl.truststore.type: PKCS12
  xpack.security.audit.enabled: true

• 增加文件可访问权限

  chmod -R 777 ./elasticsearch/

• 重启镜像

  docker restart es-master

修改密码的规则

curl -u elastic:your_password -X POST http://localhost:9200/_security/user/elastic/_password -H 'Content-Type: application/json' -d '{"password" : "new_password"}'

elastic:your_password 现有的用户名和现在的密码

将其中的new_password替换为你想要设置的新密码