Docker部署单节点Elasticsearch

1.Docker部署单节点ES

1.前置条件

配置内核参数

echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144

• 准备密码

• 本文所有涉及密码的配置，均使用通用密码 Zzwl@2024。

  生产环境，请用密码生成器生成20位以上 不带特殊符号只包含大小写字母和数字混合组成的密码。

创建数据目录

mkdir -p /data/containers/elasticsearch/{data,plugins,logs}
chown 1000:0 /data/containers/elasticsearch/{data,logs}
mkdir -p /data/containers/elasticsearch/config/certs

1.2 创建 ElasticSearch 自定义配置文件

实现 ElasticSearch 服务自定义配置有两种方案:

• Docker-compose 中设置环境变量
• 编写 elasticsearch.yml 配置文件，挂载到容器配置文件目录

本文选择第二种，编辑 elasticsearch.yml 配置文件，挂载到容器 /usr/share/elasticsearch/config 目录的方案。

# 基本配置
cluster.name: es-cluster
discovery.type: single-node
network.host: 0.0.0.0
http.port: 9200

# 启用 xpack 及 TLS
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

# 证书配置
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
#xpack.security.transport.ssl.keystore.password: PleaseChangeMe
#xpack.security.transport.ssl.truststore.password: PleaseChangeMe

# 其他配置
# 禁用 geoip
ingest.geoip.downloader.enabled: false

# 启用审计
xpack.security.audit.enabled: true

创建配置文件，vi /data/containers/elasticsearch/config/elasticsearch.yml

name: 'elasticsearch'
services:
  elasticsearch:
    restart: always
    image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3
    container_name: es-single
    ulimits:
      nproc: 65535
      memlock:
        soft: -1
        hard: -1
    environment:
      - TZ=Asia/Shanghai
      - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
      - KEYSTORE_PASSWORD=Zzwl@2024
    volumes:
      - ./data:/usr/share/elasticsearch/data
      - ./plugins:/usr/share/elasticsearch/plugins
      - ./logs:/usr/share/elasticsearch/logs
      - ./config/certs/:/usr/share/elasticsearch/config/certs
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./config/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore
    networks:
      - app-tier
    ports:
      - 9200:9200
      - 9300:9300
networks:
  app-tier:
    name: app-tier
    driver: bridge
    #external: true
    #ipam:
    #  config:
    #    - subnet: 172.22.1.0/24

2.创建CA文件

1.生成CA文件

cd /data/containers/elasticsearch

docker run -it --rm \
-v ./config/certs:/usr/share/elasticsearch/config/certs \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12 --pass "Zzwl@2024"

正确输出如下图所示:

[root@worker1 elasticsearch]# docker run -it --rm \
> -v ./config/certs:/usr/share/elasticsearch/config/certs \
> swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
> bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12 --pass "Zzwl@2024"
Unable to find image 'swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3' locally
7.17.3: Pulling from ddn-k8s/docker.io/library/elasticsearch
e0b25ef51634: Pull complete
0ed156f90b4d: Pull complete
0b3c161c8ebd: Pull complete
157de9ee3c7a: Pull complete
eea187b8272b: Pull complete
a04594f99bf2: Pull complete
c88cab9df767: Pull complete
b95579404185: Pull complete
3da4afe05b7a: Pull complete
Digest: sha256:7167ec15528cca7e968736c73290506082305ee72e5ecb54ec0af2700326a34e
Status: Downloaded newer image for swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

3.创建 elastic-certificates.p12 证书

docker run -it --rm \
-v ./config/certs:/usr/share/elasticsearch/config/certs \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-certutil cert --silent --ca config/certs/elastic-stack-ca.p12 --out config/certs/elastic-certificates.p12 --ca-pass "Zzwl@2024" --pass "Zzwl@2024"

说明：

• --ca-pass CA 证书的密码
• --pass p12 证书的密码

正确执行后，输出结果如下：

[root@worker1 elasticsearch]# ls config/certs/
elastic-certificates.p12  elastic-stack-ca.p12

2.配置证书文件权限

chown -R 1000.0 config/certs/

4.生成加密的keysrore

默认情况下，Elasticsearch 自动生成用于安全设置的密钥存储库文件elasticsearch.keystore。

该文件的用途是存储需要加密的 key/value 配置数据。但是该文件默认只是被简单的模糊（obfuscated）处理，并没有加密。用命令 elasticsearch-keystore list 可以轻松读取到文件内容。生产环境建议做加密处理。

1.执行下面命令创建elasticsearch.keystore 文件

docker run -it --rm \
-v ./config:/usr/share/elasticsearch/config \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-keystore create -p

注 :命令执行过程中，需按提示输入两次密码

2.添加 p12 证书的密码配置添加到 keystore 文件

# keystore.secure_password
docker run -it --rm \
-v ./config:/usr/share/elasticsearch/config \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

# truststore.secure_password
docker run -it --rm \
-v ./config:/usr/share/elasticsearch/config \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

• 命令执行过程中，请按提示输入两次密码
• 第一次密码是 elasticsearch.keystore 文件的密码，第二次密码是 secure_password 的密码

3.验证 elasticsearch.keystore 是否加密

docker run -it --rm \
-v ./config/:/usr/share/elasticsearch/config \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-keystore list

正确执行后，输出结果如下：

[root@worker1 elasticsearch]# docker run -it --rm \
> -v ./config:/usr/share/elasticsearch/config \
> swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
> bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter password for the elasticsearch keystore :
Enter value for xpack.security.transport.ssl.truststore.secure_password:
[root@worker1 elasticsearch]# docker run -it --rm \
> -v ./config/:/usr/share/elasticsearch/config \
> swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
> bin/elasticsearch-keystore list
Enter password for the elasticsearch keystore :
keystore.seed
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password

5.密码设置

docker exec -it es-single bin/elasticsearch-setup-passwords auto

正确执行后，输出结果如下：

[root@worker1 elasticsearch]# docker exec -it es-single bin/elasticsearch-setup-passwords auto
Enter password for the elasticsearch keystore :
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = EWQtj06iSDTpNxWdM2Cl

Changed password for user kibana_system
PASSWORD kibana_system = hYPm7AlnEHeu2LSDVRTy

Changed password for user kibana
PASSWORD kibana = hYPm7AlnEHeu2LSDVRTy

Changed password for user logstash_system
PASSWORD logstash_system = ri7euSsZIULH830wvbbw

Changed password for user beats_system
PASSWORD beats_system = piLisfgUM74vAgL1bhLo

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = bCuVrHD4RHKqfZRjKeHo

Changed password for user elastic
PASSWORD elastic = YvogvFIHOvzoK0U4CzF8

说明：

• 命令执行时需要输入 elasticsearch keystore 文件的密码
• 请记录并妥善保存自动生成的密码

4.2 创建自定义管理员用户

创建一个自定义的管理员用户用于日常管理。

执行下面的命令：

docker exec -it es-single bin/elasticsearch-users useradd elasticadmin -p Zzwl@2024 -r superuser

正确执行后，输出结果如下：

[root@docker-node-1 elasticsearch]# curl -X GET -u elasticadmin "localhost:9200/_cat/nodes?v=true&pretty"
Enter host password for user 'elasticadmin':
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
172.20.0.2           16          45   0    0.04    0.14     0.34 cdfhilmrstw *      5e53c312d114

说明： 按提示输入用户 elasticadmin 的密码。

6.python链接使用

1.新增数据

pip install elasticsearch

"""
@Time    : 2024/11/16 11:39
@Author  : white.tie
@File    : demo.py
@Desc    : 测试连接
"""
from elasticsearch import Elasticsearch
from elasticsearch.exceptions import AuthenticationException
if __name__ == '__main__':
    es_index = "news"
    # Elasticsearch集群的URL（替换为你的远程集群URL）
    es_url = "http://192.168.100.202:9200"
    # 用户名和密码（替换为你的凭据）
    username = "elasticadmin"
    password = "Zzwl@2024"
    es = Elasticsearch([es_url], basic_auth=(username, password))
    # 验证连接是否成功（例如，获取集群的健康状态）
    # try:
    #     print(es.cluster.health())
    # except Exception as e:
    #     print(f"Error connecting to Elasticsearch: {e}")
    # es.indices.create(index="news",ignore=None)

2.新增数据

"""
@Time    : 2024/11/16 11:39
@Author  : white.tie
@File    : demo.py
@Desc    : 
"""
from elasticsearch import Elasticsearch
from elasticsearch.exceptions import AuthenticationException
if __name__ == '__main__':
    es_index = "news"
    # Elasticsearch集群的URL（替换为你的远程集群URL）
    es_url = "http://192.168.100.202:9200"
    # 用户名和密码（替换为你的凭据）
    username = "elasticadmin"
    password = "Zzwl@2024"
    es = Elasticsearch([es_url], basic_auth=(username, password))
    data = {
        "title": "好好学习zzwl",
        "url": "http://www.tieyongjie.cn"
    }
    # 插入数据
    # 向 Elasticsearch 写入数据
    try:
        response = es.index(index=es_index, body=data,id=123)
        print("文档写入成功:", response['result'])
    except Exception as e:
        print(f"写入文档失败: {e}")

3.查询数据

"""
@Time    : 2024/11/16 11:39
@Author  : white.tie
@File    : search_dmeo.py
@Desc    : 
"""
from elasticsearch import Elasticsearch
from elasticsearch.exceptions import AuthenticationException
if __name__ == '__main__':
    es_index = "news"
    # Elasticsearch集群的URL（替换为你的远程集群URL）
    es_url = "http://192.168.100.202:9200"
    # 用户名和密码（替换为你的凭据）
    username = "elasticadmin"
    password = "Zzwl@2024"
    es = Elasticsearch([es_url], basic_auth=(username, password))   
   # 构建查询请求
    query = {
        "query": {
            "match": {
                "title": "好好学习"  # 查询字段为 title，查询内容为 'Sample'
            }
        }
    }
    # 查询 Elasticsearch 索引
    try:
        response = es.search(index=es_index, body=query)
        print("查询结果:")
        print(response.body)
        # 处理查询结果
        if response['hits']['total']['value'] > 0:
            for hit in response['hits']['hits']:
                print(f"ID: {hit['_id']}")
                print(f"Source: {hit['_source']}")
                print("-" * 50)
        else:
            print("未找到匹配的文档")
    except Exception as e:
        print(f"查询失败: {e}")