Target system: CentOS 7
Dependencies: Docker ≥ 20.10, docker-compose ≥ v2.0
1 Pre-deployment checks
| Check | Command / path | Expected result |
|---|---|---|
| Docker installed | docker -v | version ≥ 20.10 |
| docker-compose installed | docker compose version | version ≥ v2.0 |
| Kernel parameter | sysctl vm.max_map_count | ≥ 262144 |
| Firewall | firewall-cmd --state | if enabled, allow 9200/9300/5601/80 |
If vm.max_map_count is too low, run:
```bash
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
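The checks in the table above, as an added preflight script (not part of the original guide). Each check is a function that takes its input as an argument, so the comparison logic can be exercised on constructed values; `run_preflight` reads the live values from the host. The commands it assumes are `docker -v`, `docker compose version --short`, `sysctl -n` and `firewall-cmd --state` / `--query-port`.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: preflight checks for the ES nodes.

# version_ge ACTUAL MINIMUM -> 0 if ACTUAL >= MINIMUM. Accepts raw tool output such as
# "Docker version 24.0.7, build afdd53b" or "v2.24.5": the non-digit prefix and anything
# after the dotted number are stripped before comparing component by component.
version_ge() {
  local a b x y
  a=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
  b=$(printf '%s' "$2" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}                                  # current component of each
    if [ "$a" = "${a#*.}" ]; then a=""; else a=${a#*.}; fi  # drop it (no dot left = last one)
    if [ "$b" = "${b#*.}" ]; then b=""; else b=${b#*.}; fi
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0                                                  # all components equal
}

# check_max_map_count VALUE -> 0 if VALUE >= 262144 (the minimum Elasticsearch requires)
check_max_map_count() { [ "${1:-0}" -ge 262144 ]; }

# ports_to_open FIREWALL_STATE -> prints the ports that must be allowed when firewalld
# reports "running"; prints nothing for "not running"
ports_to_open() {
  case "$1" in
    running) printf '%s\n' 9200/tcp 9300/tcp 5601/tcp 80/tcp ;;
  esac
}

# report LABEL CMD... -> prints PASS/FAIL for one check and records any failure in rc
rc=0
report() {
  local label=$1; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; rc=1; fi
}

# run_preflight -> runs every check against the live host; returns 1 if any failed
run_preflight() {
  local docker_ver compose_ver mmc fw p
  docker_ver=$(docker -v 2>/dev/null)
  compose_ver=$(docker compose version --short 2>/dev/null)
  mmc=$(sysctl -n vm.max_map_count 2>/dev/null)
  fw=$(firewall-cmd --state 2>/dev/null || echo "not running")
  rc=0
  report "Docker >= 20.10 (found: ${docker_ver:-none})"        version_ge "$docker_ver" 20.10
  report "docker compose >= 2.0 (found: ${compose_ver:-none})" version_ge "$compose_ver" 2.0
  report "vm.max_map_count >= 262144 (found: ${mmc:-none})"    check_max_map_count "$mmc"
  echo "firewalld: $fw"
  for p in $(ports_to_open "$fw"); do
    report "firewall allows $p" firewall-cmd --query-port="$p"
  done
  return $rc
}

# Run the live checks only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then run_preflight; exit $?; fi
```

Run it as `bash preflight.sh --run` on each ES node before `docker compose up`; a FAIL line names the check from the table that still needs attention.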
2 Node plan
| Node | Hostname | IP | Role |
|---|---|---|---|
| ES-1 | es-node-1 | 10.32.0.32 | master & data |
| ES-2 | es-node-2 | 10.32.0.33 | master & data |
| ES-3 | es-node-3 | 10.32.0.34 | master & data |
| LB+Kibana | ------ | 10.32.0.35 | Nginx + Kibana |
3 Generate TLS certificates (only once)
```bash
# Run on any one ES node
cd /opt/elasticsearch
mkdir -p tmp config
chown -R 1000:1000 tmp   # the container runs Elasticsearch as uid 1000
# Generate the CA. docker run has no TTY here, so an empty --pass keeps certutil non-interactive
docker run --rm -v "$PWD/tmp":/tmp/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.12.0 \
  bash -c "elasticsearch-certutil ca --silent --pass '' --out /tmp/certs/elastic-stack-ca.p12"
# Issue the node certificate (one file shared by all nodes; verification_mode is
# 'certificate', so no per-host SANs are needed)
docker run --rm -v "$PWD/tmp":/tmp/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.12.0 \
  bash -c "elasticsearch-certutil cert --silent --ca /tmp/certs/elastic-stack-ca.p12 --ca-pass '' --pass '' --out /tmp/certs/elastic-certificates.p12"
mv tmp/elastic-certificates.p12 config/
# Copy config/elastic-certificates.p12 to the same path on the other two ES nodes
```
4 Node directory layout (identical on all ES nodes)
```
/opt/elasticsearch/
├── config/
│   ├── elasticsearch.yml
│   └── elastic-certificates.p12
├── data/
├── logs/
└── docker-compose.yml
```
data/ and logs/ must be writable by the container's elasticsearch user (uid 1000): `chown -R 1000:1000 data/ logs/` (see the FAQ).
5 Configure elasticsearch.yml (example: es-node-2)
```yaml
cluster.name: my-es-cluster
node.name: es-node-2
network.host: 0.0.0.0
network.publish_host: 10.32.0.33   # <- this node's actual IP
# TLS on the inter-node transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
# Paths
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
```
6 docker-compose.yml (all ES nodes)
To reuse it on another node, only node.name and container_name need changing.
```yaml
version: '3.7'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.0
    container_name: es-node-2
    environment:
      - node.name=es-node-2   # must match node.name in elasticsearch.yml
      - cluster.name=my-es-cluster
      - discovery.seed_hosts=10.32.0.32,10.32.0.33,10.32.0.34
      - cluster.initial_master_nodes=es-node-1,es-node-2,es-node-3
      - ES_JAVA_OPTS=-Xms8g -Xmx8g
      - xpack.security.enabled=true
    volumes:
      - ./data:/usr/share/elasticsearch/data
      - ./logs:/usr/share/elasticsearch/logs
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
      - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/certs/elastic-certificates.p12:ro
    ports:
      - "9200:9200"
      - "9300:9300"
    restart: unless-stopped
```
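Sections 5 and 6 are the same two files with a node name and an IP swapped in per node, which is easy to get wrong by hand (the FAQ's "duplicate node.name" row is exactly that mistake). The following added script, not part of the original guide, renders elasticsearch.yml and docker-compose.yml for every node in the plan table from one NODES list; the file contents mirror the two sections above, while the NODES variable, the output directory layout and the function names are this script's own conventions. The obsolete `version:` key is left out because compose v2 ignores it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: render per-node config from the node plan.

NODES="es-node-1=10.32.0.32 es-node-2=10.32.0.33 es-node-3=10.32.0.34"   # name=ip, from the plan table
CLUSTER=my-es-cluster
IMAGE=docker.elastic.co/elasticsearch/elasticsearch:8.12.0

# node_names / node_ips -> comma-separated lists for initial_master_nodes / seed_hosts
node_names() { for n in $NODES; do printf '%s' "${n%%=*},"; done | sed 's/,$//'; }
node_ips()   { for n in $NODES; do printf '%s' "${n#*=},"; done | sed 's/,$//'; }

# render_es_yml NAME IP -> elasticsearch.yml (section 5) on stdout
render_es_yml() {
  cat <<EOF
cluster.name: $CLUSTER
node.name: $1
network.host: 0.0.0.0
network.publish_host: $2
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
EOF
}

# render_compose NAME -> docker-compose.yml (section 6) on stdout
render_compose() {
  cat <<EOF
services:
  elasticsearch:
    image: $IMAGE
    container_name: $1
    environment:
      - node.name=$1
      - cluster.name=$CLUSTER
      - discovery.seed_hosts=$(node_ips)
      - cluster.initial_master_nodes=$(node_names)
      - ES_JAVA_OPTS=-Xms8g -Xmx8g
      - xpack.security.enabled=true
    volumes:
      - ./data:/usr/share/elasticsearch/data
      - ./logs:/usr/share/elasticsearch/logs
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
      - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/certs/elastic-certificates.p12:ro
    ports:
      - "9200:9200"
      - "9300:9300"
    restart: unless-stopped
EOF
}

# render_all OUTDIR -> OUTDIR/<node>/{config/elasticsearch.yml,docker-compose.yml,data/,logs/}
# i.e. the section 4 layout for each node, ready to copy to /opt/elasticsearch on that host
render_all() {
  local out=$1 n name ip
  for n in $NODES; do
    name=${n%%=*}; ip=${n#*=}
    mkdir -p "$out/$name/config" "$out/$name/data" "$out/$name/logs"
    render_es_yml "$name" "$ip" > "$out/$name/config/elasticsearch.yml"
    render_compose "$name"      > "$out/$name/docker-compose.yml"
  done
}

# Usage: bash render-es.sh ./out   (then copy out/<node>/ to /opt/elasticsearch on each host,
# add config/elastic-certificates.p12 from section 3 and chown -R 1000:1000 data/ logs/)
if [ -n "${1:-}" ]; then render_all "$1"; fi
```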
7 Start the cluster & set the password
```bash
# Run on each of the 3 nodes in turn
cd /opt/elasticsearch
docker compose up -d
# On any one node, reset the elastic user's password (use that node's container_name)
docker exec -it es-node-1 elasticsearch-reset-password -u elastic -i
```
8 Verify the cluster
```bash
curl -u elastic:<password> http://10.32.0.32:9200/_cat/nodes?v
```
The output should list 3 nodes, and the master column should contain exactly one `*`.
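The two conditions just stated (three nodes, exactly one elected master) can be checked by a script instead of by eye. The following is an added example, not part of the original guide: `check_cat_nodes` parses `_cat/nodes?v` output from stdin, and `fetch_and_check` runs the curl call above and feeds it in. The sample outputs are constructed for the test and use the column layout `_cat/nodes?v` prints.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: validate the _cat/nodes?v output.

# check_cat_nodes EXPECTED  (reads the _cat/nodes?v text on stdin)
# -> 0 when exactly EXPECTED nodes are listed and exactly one has '*' in the master column
check_cat_nodes() {
  local expected=$1 counts nodes masters
  # awk: locate the 'master' column from the header line, then count rows and '*' marks
  counts=$(awk '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "master") col = i; next }
    NF > 0  { n++; if ($col == "*") m++ }
    END     { printf "%d %d\n", n + 0, m + 0 }')
  nodes=${counts%% *}; masters=${counts#* }
  if [ "$nodes" -ne "$expected" ]; then
    echo "expected $expected nodes, got $nodes (check discovery.seed_hosts / network.publish_host)" >&2
    return 1
  fi
  if [ "$masters" -ne 1 ]; then
    echo "expected exactly one elected master, got $masters" >&2
    return 1
  fi
  echo "cluster OK: $nodes nodes, master elected"
}

# fetch_and_check HOST PASSWORD [EXPECTED] -> queries the live cluster (default: 3 nodes)
fetch_and_check() {
  curl -s -u "elastic:$2" "http://$1:9200/_cat/nodes?v" | check_cat_nodes "${3:-3}"
}

# Constructed sample outputs (not captured from a real cluster), used by the test:
SAMPLE_OK='ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
10.32.0.32           34          71   3    0.20    0.25     0.30 cdfhilmrstw *      es-node-1
10.32.0.33           41          70   2    0.10    0.15     0.20 cdfhilmrstw -      es-node-2
10.32.0.34           29          69   4    0.30    0.28     0.25 cdfhilmrstw -      es-node-3'

SAMPLE_NO_MASTER='ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
10.32.0.32           34          71   3    0.20    0.25     0.30 cdfhilmrstw -      es-node-1
10.32.0.33           41          70   2    0.10    0.15     0.20 cdfhilmrstw -      es-node-2
10.32.0.34           29          69   4    0.30    0.28     0.25 cdfhilmrstw -      es-node-3'

# Usage: bash check-cluster.sh 10.32.0.32 '<password>'
if [ $# -ge 2 ]; then fetch_and_check "$1" "$2" "${3:-3}"; fi
```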
9 Deploy Nginx (10.32.0.35)
9.1 Build and install Nginx from source (if the latest version is needed)
```bash
# Install build dependencies
sudo yum groupinstall -y "Development Tools"
sudo yum install -y pcre-devel zlib-devel openssl-devel
# Download & build
cd /usr/local/src
wget http://nginx.org/download/nginx-1.28.0.tar.gz
tar -xzf nginx-1.28.0.tar.gz && cd nginx-1.28.0
./configure \
  --prefix=/usr/local/nginx \
  --pid-path=/var/run/nginx.pid \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-stream
make && sudo make install
# systemd service. --pid-path above must match PIDFile below; without it a --prefix
# build writes /usr/local/nginx/logs/nginx.pid and systemd never sees the daemon start.
sudo tee /etc/systemd/system/nginx.service > /dev/null <<'EOF'
[Unit]
Description=NGINX
After=network.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now nginx
```
9.2 Configure load balancing
Create /usr/local/nginx/conf/conf.d/es.conf. A source build has no conf.d directory, so create it and add `include conf.d/*.conf;` inside the `http {}` block of /usr/local/nginx/conf/nginx.conf; the default `server {}` block in that file also listens on port 80, so comment it out to avoid two servers on the same port.
```nginx
upstream es {
    ip_hash;   # session persistence
    server 10.32.0.32:9200 max_fails=3 fail_timeout=5s;
    server 10.32.0.33:9200 max_fails=3 fail_timeout=5s;
    server 10.32.0.34:9200 max_fails=3 fail_timeout=5s;
}
server {
    listen 80;
    server_name 10.32.0.35;
    location / {
        proxy_pass http://es;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
Test the config and reload (the source build is not on PATH, so use the full path):
```bash
sudo /usr/local/nginx/sbin/nginx -t && sudo systemctl reload nginx
```
10 Deploy Kibana (10.32.0.35)
10.1 Install
```bash
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.12.0-linux-x86_64.tar.gz
tar -xzf kibana-8.12.0-linux-x86_64.tar.gz
sudo mv kibana-8.12.0 /opt/kibana
# The kibana system user and directory ownership are set up in step 10.4
```
10.2 Reset the kibana_system password
```bash
# Run inside an ES container, on any one node (same as the elastic reset in section 7)
docker exec -it es-node-1 elasticsearch-reset-password -u kibana_system -i
```
10.3 Configure /opt/kibana/config/kibana.yml
```yaml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts:
  - http://10.32.0.32:9200
  - http://10.32.0.33:9200
  - http://10.32.0.34:9200
elasticsearch.username: "kibana_system"
elasticsearch.password: "<password from the previous step>"
```
10.4 Create the system user
```bash
# Create a system user with no login shell
sudo useradd -r -s /bin/false kibana
# Grant ownership of the install directory
sudo chown -R kibana:kibana /opt/kibana
```
10.5 systemd service
```bash
sudo tee /etc/systemd/system/kibana.service > /dev/null <<'EOF'
[Unit]
Description=Kibana
After=network.target
[Service]
Type=simple
User=kibana
Group=kibana
ExecStart=/opt/kibana/bin/kibana
Restart=always
WorkingDirectory=/opt/kibana
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now kibana
```
10.6 Verify
Open http://10.32.0.35:5601 in a browser and log in as the elastic user.
11 FAQ
| Symptom | Root cause | Quick fix |
|---|---|---|
| vm.max_map_count too low | kernel parameter below the minimum | see "Pre-deployment checks" |
| Nodes cannot discover each other | network.publish_host not set, or duplicate node.name | check elasticsearch.yml and docker-compose.yml, clear data/ and restart the container |
| AccessDeniedException | wrong directory ownership | chown -R 1000:1000 data/ logs/ |
| Kibana cannot connect to ES | wrong password / ES TLS not enabled | confirm the kibana_system password is correct and port 9200 on ES is reachable |
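The first three rows of the table are local misconfigurations that can be detected on the node before the container is even started. The following added diagnostic script (not part of the original guide) runs against a node directory laid out as in section 4: it checks that data/ and logs/ are owned by uid 1000 (the AccessDeniedException row), that the certificate from section 3 is in place, that network.publish_host is set, and that node.name agrees between elasticsearch.yml and docker-compose.yml (the discovery row). ES_UID, the function names and the output format are this script's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: local checks for the FAQ rows.
ES_UID=1000   # the elasticsearch image runs as uid 1000

# owned_by PATH UID -> 0 if PATH exists and is owned by UID (GNU/busybox stat -c)
owned_by() { [ -e "$1" ] && [ "$(stat -c '%u' "$1" 2>/dev/null)" = "$2" ]; }

# publish_host_of ES_YML -> prints the network.publish_host value, empty if unset
publish_host_of() {
  sed -n 's/^network\.publish_host:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# node_name_of FILE -> prints node.name from elasticsearch.yml ("node.name: x")
# or from docker-compose.yml ("- node.name=x")
node_name_of() {
  sed -n 's/^[[:space:]-]*node\.name[:=][[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n1
}

# diagnose DIR -> one line per finding; returns 1 if any check failed
diagnose() {
  local dir=$1 rc=0 d yml="$1/config/elasticsearch.yml" compose="$1/docker-compose.yml"
  for d in data logs; do
    if owned_by "$dir/$d" "$ES_UID"; then
      echo "ok:   $d/ owned by uid $ES_UID"
    else
      echo "FAIL: $d/ missing or not owned by uid $ES_UID -> chown -R $ES_UID:$ES_UID $d/"; rc=1
    fi
  done
  if [ -r "$dir/config/elastic-certificates.p12" ]; then
    echo "ok:   config/elastic-certificates.p12 present"
  else
    echo "FAIL: config/elastic-certificates.p12 missing (generate and copy it, section 3)"; rc=1
  fi
  if [ -n "$(publish_host_of "$yml")" ]; then
    echo "ok:   network.publish_host set to $(publish_host_of "$yml")"
  else
    echo "FAIL: network.publish_host not set in elasticsearch.yml"; rc=1
  fi
  if [ -n "$(node_name_of "$yml")" ] && [ "$(node_name_of "$yml")" = "$(node_name_of "$compose")" ]; then
    echo "ok:   node.name $(node_name_of "$yml") matches in both files"
  else
    echo "FAIL: node.name differs between elasticsearch.yml and docker-compose.yml"; rc=1
  fi
  return $rc
}

# Usage: bash es-diagnose.sh /opt/elasticsearch
if [ -n "${1:-}" ]; then diagnose "$1"; exit $?; fi
```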
Next article: migrating data from Alibaba Cloud Elasticsearch to a self-hosted ES cluster