1、启动好es
2、进入es容器
docker exec -it es /bin/bash
3、生成ca证书
./bin/elasticsearch-certutil ca
注:两个红方框位置直接回车
4、生成cert证书
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
注:前两个红框直接回车,第三个红框可以直接回车,也可以输入证书密码
5、查看证书
ls
6、拷贝es容器的证书
-
进入es的config文件夹
-
拷贝容器证书
-
docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 ./
-
授权证书
-
chmod 777 elastic-certificates.p12
7、添加配置文档
vi elasticsearch.yml
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true8、修改docker-compose.yml文件
services:
es:
image: harbor-operation.maas.com.cn/library/elasticsearch:8.6.0
container_name: es
environment:
- bootstrap.memory_lock=true
- xpack.security.enabled=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./data:/usr/share/elasticsearch/data
- ./log:/usr/share/elasticsearch/log
- ./plugins:/usr/share/elasticsearch/plugins
- /home/clouduser/cxb/efk/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
- /home/clouduser/cxb/efk/config/elastic-stack-ca.p12:/usr/share/elasticsearch/config/elastic-stack-ca.p12
ports:
- "9200:9200"
- "9300:9300"
networks:
- docker-common-net
networks:
docker-common-net:
external: true9、重启es容器
docker-compose关闭es容器
docker-compose down
docker-compose开启es容器
docker-compose up -d
10、设置账号密码
进入es容器
docker exec -it es /bin/bash
设置密码(账号默认为 elastic)
./bin/elasticsearch-setup-passwords interactive
11、创建新用户
因为es 不允许使用elastic用户登录kibana,所以这里需要创建一个自定义用户。
进入es容器,docker exec -it es bash,执行bin/elasticsearch-users useradd test
添加了用户,并需要给这个用户添加角色不然会报错
角色授权
bin/elasticsearch-users roles -a superuser test
bin/elasticsearch-users roles -a kibana_system test
12、ip+9200 验证
使用默认账户elastic登录或者使用自定义的账号登录
13、遇到的问题
ERROR: Elasticsearch did not exit normally - check the logs at /usr/share/elasticsearch/logs/docker-cluster.log
max virtual memory areas vm.max_map_count 65530 is too low, increase to at least 262144
es | bootstrap check failure 2 of 2: the default discovery settings are unsuitable for production use; at least one of discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes must be configured
上面的问题解决方案就是14,配置对应的yml解决
14、配套能启动es的yml
elasticsearch.yml
http.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true证书
15、kibana
services:
kibana:
image: harbor-operation.maas.com.cn/library/kibana:8.6.0
restart: always
container_name: kibana
environment:
- TZ=Asia/Shanghai
volumes:
- ./kibana.yml:/usr/share/kibana/config/kibana.yml
ports:
- "5601:5601"
networks:
- docker-common-net
networks:
docker-common-net:
external: truekibana.yml
i18n.locale: zh-CN
server.host: "0.0.0.0"
server.shutdownTimeout: "5s"
elasticsearch.hosts: [ "http://es:9200" ]
elasticsearch.username: "root"
elasticsearch.password: "123456"验证,输入上面的账号密码,登录成功。
