Configuring password authentication for Elasticsearch installed with Docker
Preface
Today a customer pointed out that the Elasticsearch port is exposed and data can be pulled out of it directly; per their requirement, port 9200 must be protected with a password. I had several options ready: an nginx reverse proxy with authentication in front of it (but this is a single-instance service running on one machine, so that could not be used), firewall rules (but the firewall on the customer's server is switched off and cannot be turned on lightly), and so on.
Installing Elasticsearch in the test environment
Installed with docker-compose
```yaml
version: "3"
services:
  es-master:
    container_name: es-master
    image: elasticsearch:7.9.3
    hostname: es-master
    restart: always
    user: root
    ports:
      - 9200:9200
      - 9300:9300
    volumes:
      - ./elasticsearch/master/config:/usr/share/elasticsearch/config
      - ./elasticsearch/master/data:/usr/share/elasticsearch/data
      - ./elasticsearch/master/logs:/usr/share/elasticsearch/logs
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - "TZ=Asia/Shanghai"
```
Started like this the container errors out, so do not mount the directories yet: first run a plain container and copy its config directory out.

```shell
docker run -itd --name es -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" elasticsearch:7.9.3
```

```shell
docker cp es:/usr/share/elasticsearch/config /root/retec/elasticsearch/master/
Successfully copied 18.9kB to /root/retec/elasticsearch/master/
```
Set the virtual memory parameter

```shell
# edit the file
sudo vim /etc/sysctl.conf
# add the parameter
...
vm.max_map_count = 262144
```

Load the configuration

```shell
sysctl -p
```

Add permissions

```shell
chmod -R 777 ./elasticsearch/
```

Configuration file (elasticsearch.yml)
```yaml
cluster.name: es-cluster
# node name
node.name: es-master
# whether this node may become master
node.master: true
# whether this node may store data (enabled by default)
node.data: true
# network binding
network.host: 0.0.0.0
# HTTP port for external access
http.port: 9200
# TCP port for inter-node transport
transport.port: 9300
# cluster discovery
discovery.seed_hosts:
  - es-master
# explicitly list the names or IPs of all master-eligible nodes; used in the first election
cluster.initial_master_nodes:
  - es-master
# allow cross-origin access
http.cors.enabled: true
http.cors.allow-origin: "*"
# security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```
Remove the test container and start docker-compose

```shell
[root@bogon ~]# docker rm -f es
es
[root@bogon ~]# cd retec/
[root@bogon xxx]# ls
docker-compose.yml  elasticsearch
[root@bogon xxx]# docker-compose up -d
```
Configuring authentication

- Enter the container

  ```shell
  [root@bogon ~]# docker exec -it es-master bash
  [root@es-master elasticsearch]#
  ```

- Generate certificate 1 (the CA)

  ```shell
  [root@es-master elasticsearch]# ./bin/elasticsearch-certutil ca
  ```

  Keep pressing Enter at every prompt.

- Generate certificate 2 (the node certificate signed by that CA)

  ```shell
  [root@es-master elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
  ```

  Keep pressing Enter at every prompt.

- Move the certificate into config

  ```shell
  [root@es-master elasticsearch]# mv elastic-certificates.p12 ./config
  [root@es-master elasticsearch]# ll config/
  total 32
  -rw------- 1 root root 3451 May 11 11:39 elastic-certificates.p12
  -rwxrwxrwx 1 root root  199 May 11 11:23 elasticsearch.keystore
  -rwxrwxrwx 1 root root  537 May 11 11:35 elasticsearch.yml
  -rwxrwxrwx 1 root root 2301 Oct 16  2020 jvm.options
  drwxrwxrwx 2 root root    6 Oct 16  2020 jvm.options.d
  -rwxrwxrwx 1 root root 7734 Oct 16  2020 log4j2.properties
  -rwxrwxrwx 1 root root  473 Oct 16  2020 role_mapping.yml
  -rwxrwxrwx 1 root root  197 Oct 16  2020 roles.yml
  -rwxrwxrwx 1 root root    0 Oct 16  2020 users
  -rwxrwxrwx 1 root root    0 Oct 16  2020 users_roles
  [root@es-master elasticsearch]#
  ```

- Generate passwords

  ```shell
  [root@es-master elasticsearch]# ./bin/elasticsearch-setup-passwords auto
  Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
  The passwords will be randomly generated and printed to the console.
  Please confirm that you would like to continue [y/N]y
  Changed password for user apm_system
  PASSWORD apm_system = vIB9alCzx09vLZY1jnrZ

  Changed password for user kibana_system
  PASSWORD kibana_system = 7Kr2v8XV180M2IJf79ic

  Changed password for user kibana
  PASSWORD kibana = 7Kr2v8XV180M2IJf79ic

  Changed password for user logstash_system
  PASSWORD logstash_system = GMKQlmsRSkp0nWkjDlqi

  Changed password for user beats_system
  PASSWORD beats_system = oi5YAtZAesAeuZ3ThxTi

  Changed password for user remote_monitoring_user
  PASSWORD remote_monitoring_user = jZZqmOkFLvXDnOzAs53p

  Changed password for user elastic
  PASSWORD elastic = n7U0AvcGdfg8QsUXzeOx
  ```

  Press Enter through the prompts; when it finishes, the generated passwords are printed: 6 users with their passwords.

- Exit the container, add the following configuration and save

  ```yaml
  cluster.name: es-cluster
  # node name
  node.name: es-master
  # whether this node may become master
  node.master: true
  # whether this node may store data (enabled by default)
  node.data: true
  # network binding
  network.host: 0.0.0.0
  # HTTP port for external access
  http.port: 9200
  # TCP port for inter-node transport
  transport.port: 9300
  # cluster discovery
  discovery.seed_hosts:
    - es-master
  # explicitly list the names or IPs of all master-eligible nodes; used in the first election
  cluster.initial_master_nodes:
    - es-master
  # allow cross-origin access
  http.cors.enabled: true
  http.cors.allow-origin: "*"
  # security
  xpack.security.enabled: true
  xpack.security.transport.ssl.enabled: true
  xpack.security.transport.ssl.keystore.type: PKCS12
  xpack.security.transport.ssl.verification_mode: certificate
  xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
  xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
  xpack.security.transport.ssl.truststore.type: PKCS12
  xpack.security.audit.enabled: true
  ```

- Add file access permissions

  ```shell
  chmod -R 777 ./elasticsearch/
  ```

- Restart the container

  ```shell
  docker restart es-master
  ```
How to change a password

```shell
curl -u elastic:your_password -X POST http://localhost:9200/_security/user/elastic/_password -H 'Content-Type: application/json' -d '{"password" : "new_password"}'
```

elastic:your_password is the existing username and its current password.
Replace new_password with the new password you want to set.
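Two things are worth confirming after the restart step above and after rotating a password with the curl call just shown: that port 9200 now rejects anonymous requests (the customer's original complaint), and that the new credential is actually accepted before the old one is thrown away. The script below is an added example written for this post, not code from the post or from Elastic. The host `http://localhost:9200`, the user `elastic` and the password strings are placeholders, and the `FakeNode` class is a constructed stand-in for a secured node so the script can be exercised offline; the endpoints it calls (`GET /`, `GET /_security/_authenticate`, `POST /_security/user/<user>/_password`) are the real Elasticsearch APIs.

```python
"""Post-hardening check for a Dockerised Elasticsearch node: confirm that port
9200 rejects anonymous requests, and rotate a password through the _security
API only if the new credential is then accepted.
Added example; host, user and password values below are placeholders."""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport is "(method, url, headers, body) -> (status, response body)", so
# the HTTP layer can be replaced by FakeNode below for an offline run.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport; returns the status code for 4xx/5xx instead of raising."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def basic_auth(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def verify_auth_enforced(base_url: str, user: str, password: str,
                         transport: Transport = urllib_transport) -> Dict[str, object]:
    """Anonymous GET / must be 401; GET /_security/_authenticate with the
    credential must be 200 and report the expected username."""
    anon_status, _ = transport("GET", f"{base_url}/", {}, None)
    auth_status, auth_body = transport(
        "GET", f"{base_url}/_security/_authenticate", basic_auth(user, password), None)
    whoami = json.loads(auth_body).get("username") if auth_status == 200 else None
    return {
        "anonymous_rejected": anon_status == 401,
        "credentials_accepted": auth_status == 200 and whoami == user,
        "anonymous_status": anon_status,
        "authenticated_status": auth_status,
    }


def validate_new_password(new_password: str, old_password: str) -> None:
    """Elasticsearch itself rejects passwords under 6 characters; the other two
    rules are a local policy chosen for this example, not an Elastic rule."""
    if len(new_password) < 6:
        raise ValueError("Elasticsearch requires at least 6 characters")
    if len(new_password) < 12:
        raise ValueError("local policy: use at least 12 characters")
    if new_password == old_password:
        raise ValueError("new password must differ from the current one")


def change_password(base_url: str, user: str, old_password: str, new_password: str,
                    transport: Transport = urllib_transport) -> bool:
    """POST /_security/user/<user>/_password, then prove the new credential
    works before the caller discards the old one."""
    validate_new_password(new_password, old_password)
    headers = {**basic_auth(user, old_password), "Content-Type": "application/json"}
    body = json.dumps({"password": new_password}).encode()
    status, _ = transport("POST", f"{base_url}/_security/user/{user}/_password", headers, body)
    if status != 200:
        return False
    return bool(verify_auth_enforced(base_url, user, new_password, transport)["credentials_accepted"])


class FakeNode:
    """Constructed stand-in for a node running with xpack.security.enabled: true,
    so the functions above can be exercised without a cluster."""

    def __init__(self, user: str, password: str) -> None:
        self.passwords = {user: password}

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[bytes]) -> Tuple[int, bytes]:
        auth = headers.get("Authorization", "")
        user = None
        if auth.startswith("Basic "):
            name, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            if self.passwords.get(name) == secret:
                user = name
        if user is None:  # security enabled: every request needs a valid credential
            return 401, b'{"error":{"type":"security_exception"}}'
        if method == "GET" and url.endswith("/_security/_authenticate"):
            return 200, json.dumps({"username": user}).encode()
        if method == "POST" and url.endswith(f"/_security/user/{user}/_password"):
            self.passwords[user] = json.loads(body or b"{}")["password"]
            return 200, b"{}"
        return 200, b'{"tagline":"You Know, for Search"}'


if __name__ == "__main__":
    # Offline demonstration against FakeNode; drop the last argument to use the
    # default urllib_transport against a real node at http://localhost:9200.
    node = FakeNode("elastic", "OLD-PLACEHOLDER-password")
    print(verify_auth_enforced("http://localhost:9200", "elastic", "OLD-PLACEHOLDER-password", node))
    print(change_password("http://localhost:9200", "elastic",
                          "OLD-PLACEHOLDER-password", "NEW-PLACEHOLDER-password-2", node))
```

Run against a real node by omitting the `node` argument; a report with `anonymous_rejected` false means the restart did not pick up `xpack.security.enabled: true` and the port is still open to anyone who can reach it. Rotating through `change_password` rather than the bare curl call keeps the old credential usable until the new one has been seen to work, which matters when the only login you have is `elastic`.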