Deploying Elasticsearch on Docker in single-node production mode

1. Prerequisites

The host runs Linux and needs one kernel parameter raised (the first command makes it persistent across reboots, the second applies it immediately); for other operating systems look up the equivalent yourself.

echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144

Prepare the passwords. The passwords used in this post are randomly generated, 20 characters long and free of special symbols; change them as you see fit.

2. Prepare the supporting files

    2.1 Create the data directories

    mkdir -p /data/containers/elasticsearch/{data,plugins,logs}
    # uid 1000 / gid 0 is the elasticsearch user inside the official image
    chown 1000:0 /data/containers/elasticsearch/{data,logs}
    mkdir -p /data/containers/elasticsearch/config/certs
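    The following preflight script is an added example, not part of the original post. It checks the kernel parameter from step 1 and the directory ownership from step 2.1, and generates the three 20-character passwords the later steps need (CA, p12, keystore). The uid 1000:gid 0 owner and the /data/containers/elasticsearch path come from the post; the ES_BASE variable, the es-passwords.txt file name and the function names are assumptions. It relies on GNU stat and /dev/urandom, so it is Linux-only.

```shell
#!/bin/sh
# Added preflight script (not part of the original post): host checks for
# steps 1 and 2.1 plus password generation for the later steps.
# Assumptions: ES_BASE layout from the post, GNU stat, /dev/urandom present.

ES_BASE="${ES_BASE:-/data/containers/elasticsearch}"
MIN_MAP_COUNT=262144

# check_max_map_count [VALUE] -> 0 if VALUE (default: the live sysctl) is high enough
check_max_map_count() {
    value="${1:-$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)}"
    [ "$value" -ge "$MIN_MAP_COUNT" ]
}

# gen_password -> 20 characters drawn from [A-Za-z0-9], as the post specifies
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20
    echo
}

# password_ok PASSWORD -> 0 if it is exactly 20 chars of [A-Za-z0-9]
password_ok() {
    [ "${#1}" -eq 20 ] || return 1
    case "$1" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# owner_ok DIR EXPECTED -> 0 if DIR is owned by EXPECTED, written as "uid:gid" (GNU stat)
owner_ok() {
    [ "$(stat -c '%u:%g' "$1" 2>/dev/null)" = "$2" ]
}

# write_passwords FILE -> FILE (mode 0600) with fresh CA, p12 and keystore passwords
write_passwords() {
    (
        umask 077
        {
            echo "CA_PASS=$(gen_password)"
            echo "P12_PASS=$(gen_password)"
            echo "KEYSTORE_PASS=$(gen_password)"
        } > "$1"
    )
}

# preflight -> one line per check, exit status 0 only if everything passes
preflight() {
    rc=0
    if check_max_map_count; then
        echo "ok   vm.max_map_count >= $MIN_MAP_COUNT"
    else
        echo "FAIL vm.max_map_count too low; run: sysctl -w vm.max_map_count=$MIN_MAP_COUNT"
        rc=1
    fi
    for d in data logs; do
        if owner_ok "$ES_BASE/$d" "1000:0"; then
            echo "ok   $ES_BASE/$d owned by 1000:0"
        else
            echo "FAIL $ES_BASE/$d must be owned by uid 1000, gid 0 (chown 1000:0)"
            rc=1
        fi
    done
    return "$rc"
}

if [ "${1:-}" = "run" ]; then   # usage: sh preflight.sh run
    preflight
    write_passwords "$ES_BASE/es-passwords.txt" && echo "passwords written to $ES_BASE/es-passwords.txt"
fi
```

    Run it as sh preflight.sh run after creating the directories; the generated es-passwords.txt is the source for the --pass, --ca-pass and keystore values in the following steps, so keep it readable by root only.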

    2.2 Create the custom Elasticsearch configuration file

    There are two ways to supply the configuration:

    • set environment variables in docker-compose.yml
    • write an elasticsearch.yml file and mount it into the container's config directory.

    This installation uses the second option: write an elasticsearch.yml and mount it into the container's /usr/share/elasticsearch/config directory.

    Create the file /data/containers/elasticsearch/config/elasticsearch.yml with the following content:

    # Basic settings
    cluster.name: es-cluster
    discovery.type: single-node
    network.host: 0.0.0.0
    http.port: 9200
    
    # Enable xpack security and TLS on the transport layer
    # (HTTP TLS is not enabled here, so the REST port 9200 stays plaintext)
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    
    # Certificate settings: one PKCS#12 file serves as keystore and truststore.
    # verification_mode "certificate" checks the chain but not the hostname,
    # which matches a node certificate generated without --dns/--ip names.
    xpack.security.transport.ssl.keystore.type: PKCS12
    xpack.security.transport.ssl.truststore.type: PKCS12
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
    # Do not put the p12 passwords here in clear text; they go into the
    # password-protected elasticsearch.keystore as *.secure_password instead.
    #xpack.security.transport.ssl.keystore.password: PleaseChangeMe
    #xpack.security.transport.ssl.truststore.password: PleaseChangeMe
    
    # Other settings
    # Disable the GeoIP database downloader
    ingest.geoip.downloader.enabled: false
    
    # Enable the security audit log
    xpack.security.audit.enabled: true

    2.3 Create the CA file

    Run the following command to create the CA file:

    cd /data/containers/elasticsearch
    docker run -it --rm \
    -v ./config/certs:/usr/share/elasticsearch/config/certs \
    elasticsearch:9.0.1 \
    bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12 --pass "3vswhRUumkP145zQGRDT"

    Replace the value after --pass with your own password. If your Docker CLI rejects the relative host path in -v, use the absolute path ($PWD/config/certs) instead; older CLI versions only accept absolute bind-mount sources.

    When the command runs correctly the output looks like the capture below (this capture comes from an earlier run with a different image tag and CA password):

    [root@docker-node-1 elasticsearch]# docker run -it --rm \
    > -v ./config/certs:/usr/share/elasticsearch/config/certs \
    > elasticsearch:7.17.20 \
    > bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12 --pass "PleaseChangeMe"
    This tool assists you in the generation of X.509 certificates and certificate
    signing requests for use with SSL/TLS in the Elastic stack.
    
    The 'ca' mode generates a new 'certificate authority'
    This will create a new X.509 certificate and private key that can be used
    to sign certificate when running in 'cert' mode.
    
    Use the 'ca-dn' option if you wish to configure the 'distinguished name'
    of the certificate authority
    
    By default the 'ca' mode produces a single PKCS#12 output file which holds:
        * The CA certificate
        * The CA's private key
    
    If you elect to generate PEM format certificates (the -pem option), then the output will
    be a zip file containing individual files for the CA certificate and private key

    Check that the certificate file was generated:

    [root@docker-node-1 elasticsearch]# ls config/certs/
    elastic-stack-ca.p12

    2.4 Create the elastic-certificates.p12 certificate

    The command is:

    docker run -it --rm \
    -v ./config/certs:/usr/share/elasticsearch/config/certs \
    elasticsearch:9.0.1 \
    bin/elasticsearch-certutil cert --silent --ca config/certs/elastic-stack-ca.p12 --out config/certs/elastic-certificates.p12 --ca-pass "3vswhRUumkP145zQGRDT" --pass "DMssAZ2zov5Fdp0mD4G5"
    

    --ca-pass is the password of the CA file, i.e. the one set in step 2.3.

    --pass is the password of the new p12 file; generate a fresh random one for it.

    No --dns or --ip values are given, so the node certificate carries no subject alternative names. That is acceptable here because elasticsearch.yml uses xpack.security.transport.ssl.verification_mode: certificate, which validates the chain but not the hostname; do not switch that setting to full with this certificate.

    When the command succeeds, check that the certificate file exists:

    [root@docker-node-1 elasticsearch]# ls config/certs/
    elastic-certificates.p12  elastic-stack-ca.p12

    Set the ownership of the certificate files so the elasticsearch user inside the container (uid 1000, gid 0) can read them:

    chown -R 1000:0 config/certs/
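    The only check on the two bundles so far is an ls. The script below is an added example (not part of the original post and not an Elasticsearch tool) that inspects the PKCS#12 files with openssl alone: it confirms that each --pass value opens its bundle, that elastic-certificates.p12 was really issued by the CA in elastic-stack-ca.p12, and that the node certificate is not close to expiry. make_test_bundles builds a throwaway CA and node certificate so the checks can be exercised without certutil; that is constructed test data, not a substitute for steps 2.3 and 2.4. Apart from the two p12 file names, all names here are assumptions. It needs OpenSSL 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added verification helpers (not part of the original post): inspect the
# certutil output of steps 2.3/2.4 with openssl only, no Docker or ES needed.

# p12_password_ok FILE PASSWORD -> 0 if PASSWORD opens FILE (the MAC verifies)
p12_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# p12_leaf_cert FILE PASSWORD -> the certificate that has a private key (node cert), PEM
p12_leaf_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509
}

# p12_ca_certs FILE PASSWORD -> every certificate in FILE as PEM
# (for the CA bundle from step 2.3 that is the CA certificate itself)
p12_ca_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# p12_leaf_issuer FILE PASSWORD -> issuer DN of the node certificate
p12_leaf_issuer() {
    p12_leaf_cert "$1" "$2" | openssl x509 -noout -issuer
}

# p12_valid_for_days FILE PASSWORD DAYS -> 0 if the node cert does not expire within DAYS
p12_valid_for_days() {
    p12_leaf_cert "$1" "$2" | openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null
}

# p12_chain_ok NODE_P12 NODE_PW CA_P12 CA_PW -> 0 if the node cert chains to the CA bundle
p12_chain_ok() {
    d=$(mktemp -d) || return 1
    p12_ca_certs "$3" "$4" > "$d/ca.pem"
    p12_leaf_cert "$1" "$2" > "$d/node.pem"
    if openssl verify -CAfile "$d/ca.pem" "$d/node.pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

# verify_es_bundles NODE_P12 NODE_PW CA_P12 CA_PW -> one line per check, 0 if all pass
verify_es_bundles() {
    rc=0
    p12_password_ok "$3" "$4"   && echo "ok   CA bundle opens with its --pass"     || { echo "FAIL CA password"; rc=1; }
    p12_password_ok "$1" "$2"   && echo "ok   node bundle opens with its --pass"   || { echo "FAIL node password"; rc=1; }
    p12_chain_ok "$1" "$2" "$3" "$4" && echo "ok   node cert issued by the CA"    || { echo "FAIL node cert not issued by this CA"; rc=1; }
    p12_valid_for_days "$1" "$2" 30  && echo "ok   node cert valid for 30+ days"  || { echo "FAIL node cert expires within 30 days"; rc=1; }
    return "$rc"
}

# make_test_bundles DIR NODE_PW CA_PW -> constructed fixture: a throwaway CA and a node
# cert signed by it, exported in the same two-file layout certutil produces. Test data only.
make_test_bundles() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -set_serial 1 -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=es-single" \
        -keyout "$dir/node.key" -out "$dir/node.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 2 -days 365 -out "$dir/node.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/ca.key" -in "$dir/ca.crt" \
        -passout "pass:$3" -out "$dir/elastic-stack-ca.p12" || return 1
    openssl pkcs12 -export -inkey "$dir/node.key" -in "$dir/node.crt" -certfile "$dir/ca.crt" \
        -passout "pass:$2" -out "$dir/elastic-certificates.p12" || return 1
}

if [ "${1:-}" = "check" ]; then   # usage: sh verify-certs.sh check config/certs NODE_PW CA_PW
    verify_es_bundles "$2/elastic-certificates.p12" "$3" "$2/elastic-stack-ca.p12" "$4"
fi
```

    Run it from /data/containers/elasticsearch as sh verify-certs.sh check config/certs NODE_PW CA_PW with the two --pass values. If OpenSSL 3 reports an unsupported algorithm on an older bundle, add -legacy to the openssl pkcs12 calls.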

    2.5 Generate a password-protected keystore file

    By default Elasticsearch creates the keystore file elasticsearch.keystore automatically for secure settings.

    The file holds key/value settings that must not appear in elasticsearch.yml. Without a password it is only obfuscated, not encrypted: anyone who can read the file can list its setting names with elasticsearch-keystore list and print any value with elasticsearch-keystore show. For production, protect it with a password.

    Run the following command to create the keystore file:

    docker run -it --rm \
    -v ./config:/usr/share/elasticsearch/config \
    elasticsearch:9.0.1 \
    bin/elasticsearch-keystore create -p

    When it runs correctly the output is similar to:

    docker run -it --rm \
    -v ./config:/usr/share/elasticsearch/config \
    elasticsearch:9.0.1 \
    bin/elasticsearch-keystore create -p
    Enter new password for the elasticsearch keystore (empty for no password):
    Enter same password again:
    Created elasticsearch keystore in /usr/share/elasticsearch/config/elasticsearch.keystore
    [root@docker-node-1 elasticsearch]# ls config/
    certs  elasticsearch.keystore  elasticsearch.yml

    Note: the command prompts for the password twice. This is the password of elasticsearch.keystore itself.

    Add the p12 certificate password to the keystore:

    docker run -it --rm \
    -v ./config:/usr/share/elasticsearch/config \
    elasticsearch:9.0.1 \
    bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    
    # truststore.secure_password
    docker run -it --rm \
    -v ./config:/usr/share/elasticsearch/config \
    elasticsearch:9.0.1 \
    bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

    Note: each of these commands also asks for two inputs. The first is the elasticsearch.keystore password; the second is the password chosen for the p12 certificate in step 2.4 (the same p12 file serves as keystore and truststore, so both settings receive the same value).

    Verify that elasticsearch.keystore is password-protected:

    docker run -it --rm \
    -v ./config/:/usr/share/elasticsearch/config \
    elasticsearch:9.0.1  \
    bin/elasticsearch-keystore list

    When it runs correctly the output is similar to:

    docker run -it --rm \
    -v ./config/:/usr/share/elasticsearch/config \
    elasticsearch:9.0.1  \
    bin/elasticsearch-keystore list
    Enter password for the elasticsearch keystore :
    keystore.seed
    xpack.security.transport.ssl.keystore.secure_password
    xpack.security.transport.ssl.truststore.secure_password

    Note: the prompt Enter password for the elasticsearch keystore :, followed by the setting list only after the correct password is entered, shows that the file is password-protected. In a script, elasticsearch-keystore has-passwd --silent exits with 0 for a protected keystore; this is the check the official image's entrypoint itself uses.
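    The keystore commands above are interactive. The script below is an added example, not part of the original post: it performs the same steps non-interactively by feeding the keystore password and the setting value to elasticsearch-keystore on stdin in the order the prompts appear, which is the technique the official image's entrypoint uses to add bootstrap.password. The image tag and config path follow this post; KEYSTORE_CMD is a hypothetical override so the stdin sequence can be checked without Docker.

```shell
#!/bin/sh
# Added automation helper (not part of the original post) for step 2.5.
# Assumptions: ES_IMAGE/ES_CONFIG_DIR from the post; KEYSTORE_CMD is a test hook.

ES_IMAGE="${ES_IMAGE:-elasticsearch:9.0.1}"
ES_CONFIG_DIR="${ES_CONFIG_DIR:-/data/containers/elasticsearch/config}"

# keystore_cmd ARGS... -> bin/elasticsearch-keystore ARGS in a throwaway container.
# -i but no -t: with a pseudo-TTY the piped stdin below would not be delivered.
keystore_cmd() {
    if [ -n "${KEYSTORE_CMD:-}" ]; then
        $KEYSTORE_CMD "$@"        # test double, e.g. KEYSTORE_CMD="sh -c cat"
    else
        docker run -i --rm -v "$ES_CONFIG_DIR:/usr/share/elasticsearch/config" \
            "$ES_IMAGE" bin/elasticsearch-keystore "$@"
    fi
}

# keystore_stdin KEYSTORE_PW [VALUE] -> the byte stream the tool expects: the first
# line answers "Enter password for the elasticsearch keystore", the second line
# (only for "add -x") is the setting value.
keystore_stdin() {
    if [ $# -ge 2 ]; then
        printf '%s\n%s\n' "$1" "$2"
    else
        printf '%s\n' "$1"
    fi
}

# keystore_add_secret KEYSTORE_PW SETTING VALUE -> adds or overwrites SETTING
keystore_add_secret() {
    keystore_stdin "$1" "$3" | keystore_cmd add -x --force "$2"
}

# keystore_add_tls_passwords KEYSTORE_PW P12_PW -> both secure_password settings
# referenced by the elasticsearch.yml above (same p12 as keystore and truststore)
keystore_add_tls_passwords() {
    keystore_add_secret "$1" xpack.security.transport.ssl.keystore.secure_password "$2" &&
    keystore_add_secret "$1" xpack.security.transport.ssl.truststore.secure_password "$2"
}

# keystore_list KEYSTORE_PW -> setting names; the password prompt proves the file is protected
keystore_list() {
    keystore_stdin "$1" | keystore_cmd list
}

if [ "${1:-}" = "add" ]; then   # usage: sh keystore-add.sh add KEYSTORE_PW P12_PW
    keystore_add_tls_passwords "$2" "$3" && keystore_list "$2"
fi
```

    Pass the passwords as arguments from a file with restricted permissions rather than typing them on a shared shell, since command lines end up in shell history.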

    3. Install and deploy Elasticsearch

    3.1 Create the docker-compose.yml file

    Create the file /data/containers/elasticsearch/docker-compose.yml:

    name: 'elasticsearch'
    services:
      elasticsearch:
        restart: always
        image: elasticsearch:9.0.1
        container_name: es-single
        ulimits:
          nproc: 65535
          memlock:
            soft: -1
            hard: -1
        environment:
          - TZ=Asia/Shanghai
          - ES_JAVA_OPTS=-Xms4096m -Xmx4096m
          - KEYSTORE_PASSWORD=ovpNMD2XkcDzNKpx8ZUx
        volumes:
          - ./data:/usr/share/elasticsearch/data
          - ./plugins:/usr/share/elasticsearch/plugins
          - ./logs:/usr/share/elasticsearch/logs
          - ./config/certs/:/usr/share/elasticsearch/config/certs
          - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
          - ./config/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore
        networks:
          - app-tier
        ports:
          - 9200:9200
          - 9300:9300
    networks:
      app-tier:
        name: app-tier
        driver: bridge
        #external: true
        #ipam:
        #  config:
        #    - subnet: 172.22.1.0/24

    Notes:

    • Adjust ES_JAVA_OPTS to the server's memory, and keep -Xms and -Xmx equal: Elasticsearch's heap-size bootstrap check expects that. Because discovery.type: single-node does not enforce the bootstrap checks, a mismatch only appears as a warning in the log instead of stopping the node, which is easy to miss. The memlock ulimit only has an effect if bootstrap.memory_lock: true is set in elasticsearch.yml, which the configuration above does not do.
    • KEYSTORE_PASSWORD must match the password used when creating the protected elasticsearch.keystore; otherwise Elasticsearch fails to start. An environment variable in docker-compose.yml is readable by anyone who can run docker inspect on the container; the image's entrypoint also accepts KEYSTORE_PASSWORD_FILE pointing at a file (for example a Docker secret), which keeps the value out of the Compose file and the inspect output.
    • network.host: 0.0.0.0 together with the ports mapping publishes both 9200 and 9300 on every host interface. A single node never receives transport connections from peers, so the 9300 mapping can be dropped. HTTP TLS (xpack.security.http.ssl.enabled) is not enabled in this configuration, so the elastic password travels in clear text over 9200; bind it to a trusted interface (for example 127.0.0.1:9200:9200) or terminate TLS in front of it.
    • ipam sets the address range of the app-tier network. It is commented out here; plan it properly for production.
    • external: true: if another service on the same server has already created the app-tier network, creating the elasticsearch service fails; enable this option in that case.

    3.2 Create and start the Elasticsearch service

    cd /data/containers/elasticsearch
    docker-compose up -d

    When it runs correctly the output is:

    [root@docker-node-1 elasticsearch]# docker-compose up -d
    [+] Running 1/2
     ⠸ Network app-tier     Created                                                                                                                                 0.4s
     ✔ Container es-single  Started 

    4. Password configuration

    4.1 Generate initial passwords for the built-in users automatically

    docker exec -it es-single bin/elasticsearch-setup-passwords auto

    elasticsearch-setup-passwords has been deprecated since 8.0; if your image no longer ships it, use bin/elasticsearch-reset-password -u elastic (add -b -s to print only the new password) for each user instead. Because the keystore is password-protected, the tool asks for the keystore password first; it then talks to the node over http://localhost:9200, which is plaintext in this setup.

    The output looks roughly like this; save the passwords:

    [root@docker-node-1 elasticsearch]# docker exec -it es-single bin/elasticsearch-setup-passwords auto
    Enter password for the elasticsearch keystore :
    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
    The passwords will be randomly generated and printed to the console.
    Please confirm that you would like to continue [y/N]y
    
    
    Changed password for user apm_system
    PASSWORD apm_system = dFeUZ5kSgq3Gh4GNVZSJ
    
    Changed password for user kibana_system
    PASSWORD kibana_system = YUuHRRQ9NX7ZbdGj40hY
    
    Changed password for user kibana
    PASSWORD kibana = YUuHRRQ9NX7ZbdGj40hY
    
    Changed password for user logstash_system
    PASSWORD logstash_system = oCqLt1l1ZWCB9eWkKoMS
    
    Changed password for user beats_system
    PASSWORD beats_system = iMGY5hLUJBCBHPUrBm2k
    
    Changed password for user remote_monitoring_user
    PASSWORD remote_monitoring_user = 7YJ8pTA1fIiTJEGKcHIT
    
    Changed password for user elastic
    PASSWORD elastic = Uhfiv3zGRvGsNN58shT0
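    The script below is an added example (not from the original post): it turns the PASSWORD user = value lines printed above into a credentials file readable only by its owner, and then checks that the node on 9200 really rejects anonymous requests and accepts the elastic password. sample_setup_output contains constructed lines in the same format, not real credentials; ES_URL, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added helper (not from the original post): store the setup-passwords output
# safely and probe that authentication is enforced on the REST port.
# Assumptions: ES_URL, file names; input format is "PASSWORD user = value".

ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# save_passwords IN_FILE OUT_FILE -> writes "user=password" lines with mode 0600,
# prints how many were saved
save_passwords() {
    (
        umask 077
        awk '$1 == "PASSWORD" && $3 == "=" { print $2 "=" $4 }' "$1" > "$2"
    )
    grep -c '=' "$2"
}

# lookup_password CRED_FILE USER -> the saved password for USER (empty if unknown)
lookup_password() {
    awk -F= -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# http_code URL [USER:PASS] -> HTTP status code, "000" if the connection fails
http_code() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# auth_verdict ANON_CODE AUTH_CODE -> "ok" only if anonymous access is refused (401)
# and the elastic credentials are accepted (200); otherwise the reason
auth_verdict() {
    if [ "$1" != "401" ]; then
        echo "anonymous request got $1, expected 401: security is not enforced"
    elif [ "$2" != "200" ]; then
        echo "elastic credentials got $2, expected 200: wrong password or node not ready"
    else
        echo "ok"
    fi
}

# check_auth CRED_FILE -> runs both probes against ES_URL and prints the verdict
check_auth() {
    pw=$(lookup_password "$1" elastic)
    auth_verdict "$(http_code "$ES_URL/")" "$(http_code "$ES_URL/" "elastic:$pw")"
}

# sample_setup_output -> constructed lines in setup-passwords format (not real credentials)
sample_setup_output() {
    cat <<'EOF'
Changed password for user kibana_system
PASSWORD kibana_system = SampleKibanaPw000001

Changed password for user elastic
PASSWORD elastic = SampleElasticPw00001
EOF
}

if [ "${1:-}" = "save" ]; then    # usage: sh es-creds.sh save setup-output.txt creds.txt
    n=$(save_passwords "$2" "$3"); echo "saved $n passwords to $3"
elif [ "${1:-}" = "check" ]; then # usage: sh es-creds.sh check creds.txt
    check_auth "$2"
fi
```

    Paste the tool's output into a file, run sh es-creds.sh save setup-output.txt creds.txt, delete the pasted file, and then sh es-creds.sh check creds.txt; anything other than ok means either the password is wrong or security is not actually enforced on the port.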