How to deploy security authentication for Docker ElasticSearch 7.13.2?
- By : Will
- Category : Docker, Elastic Stack
1 Preface
One question, one article, one story.
This chapter enables security authentication on Docker ElasticSearch 7.13.2.
2 Best Practice
2.1 Test environment
2.2 Preparation before configuring the cluster
On hd01,
2.2.1 Enter the container
docker exec -it $(docker container ls | grep es-cluster_es | awk '{print $1}') /bin/bash
2.2.2 Create the CA certificate
docker exec -it $(docker container ls | grep es-cluster_es | awk '{print $1}') /bin/bash
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
The wizard prompts are as follows,
#...
By default the 'ca' mode produces a single PKCS#12 output file which holds:
#...
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
Note that the password is left empty in this example.
2.2.3 Create the SSL certificate
docker exec -it $(docker container ls | grep es-cluster_es | awk '{print $1}') /bin/bash
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
The wizard prompts are as follows,
#...
By default the 'cert' mode produces a single PKCS#12 output file which holds:
#...
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
Certificates written to /usr/share/elasticsearch/elastic-certificates.p12
#...
Note that the password is left empty in this example.
2.2.4 Exit the container
exit
2.2.5 Copy the certificates created in the container to the host
docker container cp $(docker container ls | grep es-cluster_es | awk '{print $1}'):/usr/share/elasticsearch/elastic-stack-ca.p12 /data/docker/certs/
docker container cp $(docker container ls | grep es-cluster_es | awk '{print $1}'):/usr/share/elasticsearch/elastic-certificates.p12 /data/docker/certs/
2.2.6 Deploy the certificates
# the target directory must match the certs/ path mounted in the stack files below
ssh hd01 mkdir -p /data/docker/container-data/elasticsearch/certs
ssh hd02 mkdir -p /data/docker/container-data/elasticsearch/certs
ssh hd03 mkdir -p /data/docker/container-data/elasticsearch/certs
scp /data/docker/certs/elastic-certificates.p12 hd01:/data/docker/container-data/elasticsearch/certs/
scp /data/docker/certs/elastic-certificates.p12 hd02:/data/docker/container-data/elasticsearch/certs/
scp /data/docker/certs/elastic-certificates.p12 hd03:/data/docker/container-data/elasticsearch/certs/
ssh hd01 chmod 660 /data/docker/container-data/elasticsearch/certs/elastic-certificates.p12
ssh hd02 chmod 660 /data/docker/container-data/elasticsearch/certs/elastic-certificates.p12
ssh hd03 chmod 660 /data/docker/container-data/elasticsearch/certs/elastic-certificates.p12
2.2.7 Clear the node data (optional; proceed with caution)
docker stack rm es-cluster
ssh hd01 rm -rf /data/docker/container-data/elasticsearch/data/*
ssh hd02 rm -rf /data/docker/container-data/elasticsearch/data/*
ssh hd03 rm -rf /data/docker/container-data/elasticsearch/data/*
Note that this method is only suitable for a cluster that holds no data.
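The deployment step in 2.2.6, written as one loop with a verification pass, as an added example that is not part of the original post. It takes the hosts, paths and mode 660 from the post; `deploy_all`, `key_perms_ok` and the other function names are my own. The PKCS#12 file contains the node's private key, so the check rejects any mode that grants "other" any access; the official Elasticsearch image runs as uid 1000 with gid 0, which is why a root-owned file with mode 660 is still readable inside the container. Only the local self-check at the end runs without the hosts.

```shell
#!/bin/sh
# Added example, not code from the original post: deploy the PKCS#12 node
# certificate to every Swarm host in one loop and verify what landed, instead
# of repeating ssh/scp/chmod per host. Hosts, paths and mode are the post's.

HOSTS="hd01 hd02 hd03"
SRC=/data/docker/certs/elastic-certificates.p12
DEST_DIR=/data/docker/container-data/elasticsearch/certs   # must match the stack file's volume mount
MODE=660

# other_bits FILE -> the "other" permission triple from ls -l, e.g. "---" or "r--"
other_bits() { ls -ld "$1" | cut -c8-10; }

# key_perms_ok FILE -> 0 if FILE exists and grants "other" no access at all
key_perms_ok() { [ -f "$1" ] && [ "$(other_bits "$1")" = "---" ]; }

# deploy_cert HOST -> create the directory, copy the file, set its mode
deploy_cert() {
    ssh "$1" "mkdir -p '$DEST_DIR'" &&
    scp "$SRC" "$1:$DEST_DIR/" &&
    ssh "$1" "chmod $MODE '$DEST_DIR/${SRC##*/}'"
}

# remote_perms_ok HOST -> the same "other" check, run on the remote copy
remote_perms_ok() {
    [ "$(ssh "$1" "ls -ld '$DEST_DIR/${SRC##*/}' | cut -c8-10")" = "---" ]
}

# deploy_all -> deploy and verify on every host; stop at the first failure
deploy_all() {
    for h in $HOSTS; do
        if deploy_cert "$h" && remote_perms_ok "$h"; then
            echo "$h: certificate in place, permissions ok"
        else
            echo "$h: deployment or permission check FAILED" >&2
            return 1
        fi
    done
}

# Local self-check on a temporary file (the only part that runs without the hosts)
t=$(mktemp)
chmod 660 "$t"; key_perms_ok "$t" && echo "660: accepted"
chmod 664 "$t"; key_perms_ok "$t" || echo "664: rejected (key readable by everyone)"
rm -f "$t"
# Live use: deploy_all
```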
2.3 Configure the cluster
2.3.1 Modify the configuration
On hd01,
vim /data/docker/yml/es7132-01-stack.yml
The modified configuration is as follows,
version: '3.8'
services:
  es01:
    image: hd01.sae.com.hk:5000/elasticsearch:7.13.2
    environment:
      - node.name=es01
      - cluster.name=es-cluster
      - discovery.seed_hosts=es01,es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - "ES_JAVA_OPTS=-Xms8G -Xmx8G"
      - TZ=Asia/Shanghai
      - node.ingest=true
      - network.host=0.0.0.0
      - network.publish_host=_eth0:ipv4_
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
      - xpack.monitoring.collection.enabled=true
    volumes:
      - /data/docker/container-data/elasticsearch/data:/usr/share/elasticsearch/data
      - /data/docker/container-data/elasticsearch/certs/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    networks:
      - elknet
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "10"
    deploy:
      replicas: 1
      endpoint_mode: dnsrr
      placement:
        constraints: [node.labels.es01 == true]
networks:
  elknet:
    external: true
    name: elknet
On hd02,
vim /data/docker/yml/es7132-02-stack.yml
The modified configuration is as follows,
version: '3.8'
services:
  es02:
    image: hd01.sae.com.hk:5000/elasticsearch:7.13.2
    environment:
      - node.name=es02
      - cluster.name=es-cluster
      - discovery.seed_hosts=es01,es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - "ES_JAVA_OPTS=-Xms8G -Xmx8G"
      - TZ=Asia/Shanghai
      - node.ingest=true
      - network.host=0.0.0.0
      - network.publish_host=_eth0:ipv4_
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
      - xpack.monitoring.collection.enabled=true
    volumes:
      - /data/docker/container-data/elasticsearch/data:/usr/share/elasticsearch/data
      - /data/docker/container-data/elasticsearch/certs/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    networks:
      - elknet
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "10"
    deploy:
      replicas: 1
      endpoint_mode: dnsrr
      placement:
        constraints: [node.labels.es02 == true]
networks:
  elknet:
    external: true
    name: elknet
On hd03,
vim /data/docker/yml/es7132-03-stack.yml
The modified configuration is as follows,
version: '3.8'
services:
  es03:
    image: hd01.sae.com.hk:5000/elasticsearch:7.13.2
    environment:
      - node.name=es03
      - cluster.name=es-cluster
      - discovery.seed_hosts=es01,es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - "ES_JAVA_OPTS=-Xms8G -Xmx8G"
      - TZ=Asia/Shanghai
      - node.ingest=true
      - network.host=0.0.0.0
      - network.publish_host=_eth0:ipv4_
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
      - xpack.monitoring.collection.enabled=true
    volumes:
      - /data/docker/container-data/elasticsearch/data:/usr/share/elasticsearch/data
      - /data/docker/container-data/elasticsearch/certs/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    networks:
      - elknet
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "10"
    deploy:
      replicas: 1
      endpoint_mode: dnsrr
      placement:
        constraints: [node.labels.es03 == true]
networks:
  elknet:
    external: true
    name: elknet
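An audit of stack files like the three above, as an added example that is not code from the original post. It reads the `- key=value` environment items of a file such as es7132-01-stack.yml and fails when security or transport TLS is off, when `verification_mode` is `none`, or when a keystore or truststore path is missing. It also warns when HTTP TLS is not enabled: the stack files above enable TLS on the transport (node-to-node) layer only, so the Basic-auth credentials sent to port 9200 later in this post travel in clear text. The function names and the two constructed sample files are mine; the weakened sample is a variant I made up to show what a failing audit looks like.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a Swarm stack file's
# Elasticsearch environment items for the X-Pack security settings the post
# enables. Assumes settings are written as "- key=value" items, as in the
# post's es7132-0N-stack.yml files. Function names are my own.

# escape_key KEY -> KEY with its dots escaped for use in an ERE
escape_key() { printf '%s' "$1" | sed 's/\./\\./g'; }

# has_setting FILE KEY VALUE -> 0 if an item "KEY=VALUE" (optionally quoted) is present
has_setting() {
    key=$(escape_key "$2")
    grep -Eq "^[[:space:]]*-[[:space:]]*\"?$key=$3\"?[[:space:]]*$" "$1"
}

# setting_value FILE KEY -> prints the value of the first "KEY=..." item, or nothing
setting_value() {
    key=$(escape_key "$2")
    sed -n -E "s/^[[:space:]]*-[[:space:]]*\"?$key=([^\"]*)\"?[[:space:]]*$/\1/p" "$1" | head -n 1
}

# audit_es_security FILE -> 0 when every required setting is present and sane,
# 1 otherwise; each finding goes to stderr
audit_es_security() {
    f=$1; rc=0
    if ! has_setting "$f" xpack.security.enabled true; then
        echo "FAIL: xpack.security.enabled is not true (no authentication at all)" >&2; rc=1
    fi
    if ! has_setting "$f" xpack.security.transport.ssl.enabled true; then
        echo "FAIL: transport TLS is off; node-to-node traffic is unencrypted" >&2; rc=1
    fi
    vm=$(setting_value "$f" xpack.security.transport.ssl.verification_mode)
    case "$vm" in
        certificate|full) ;;
        none) echo "FAIL: verification_mode=none accepts any peer certificate" >&2; rc=1 ;;
        *)    echo "FAIL: verification_mode missing or unknown: '$vm'" >&2; rc=1 ;;
    esac
    for store in keystore truststore; do
        if [ -z "$(setting_value "$f" "xpack.security.transport.ssl.$store.path")" ]; then
            echo "FAIL: xpack.security.transport.ssl.$store.path is not set" >&2; rc=1
        fi
    done
    if ! has_setting "$f" xpack.security.http.ssl.enabled true; then
        echo "WARN: HTTP TLS not enabled; Basic-auth credentials to port 9200 travel in clear text" >&2
    fi
    return $rc
}

# Constructed sample 1: the security items from the post's stack files
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
services:
  es01:
    environment:
      - node.name=es01
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
EOF

# Constructed sample 2: a weakened variant (peer certificates unchecked, no truststore)
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
services:
  es01:
    environment:
      - node.name=es01
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=none
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
EOF

for f in "$HARDENED" "$WEAK"; do
    if audit_es_security "$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
done
```

Run it against the real files with `audit_es_security /data/docker/yml/es7132-01-stack.yml` (and the other two); a non-zero exit means at least one FAIL line was printed.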
2.3.2 Start the services
docker stack deploy -c /data/docker/yml/es7132-01-stack.yml es-cluster
docker stack deploy -c /data/docker/yml/es7132-02-stack.yml es-cluster
docker stack deploy -c /data/docker/yml/es7132-03-stack.yml es-cluster
2.3.3 Initialize the cluster passwords
On hd01,
docker exec -it $(docker container ls | grep es-cluster_es | awk '{print $1}') /bin/bash
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive -u 'http://es01:9200'
The wizard prompts are as follows,
#...
Do you want to continue with the password setup process [y/N]y
#...
Please confirm that you would like to continue [y/N]y
#...
Enter password for [elastic]: elasticpwd
Reenter password for [elastic]: elasticpwd
Enter password for [apm_system]: apmpwd
Reenter password for [apm_system]: apmpwd
Enter password for [kibana_system]: kibanapwd
Reenter password for [kibana_system]: kibanapwd
Enter password for [logstash_system]: logstashpwd
Reenter password for [logstash_system]: logstashpwd
Enter password for [beats_system]: beatspwd
Reenter password for [beats_system]: beatspwd
Enter password for [remote_monitoring_user]: remote_monitoringpwd
Reenter password for [remote_monitoring_user]: remote_monitoringpwd
#...
2.4 Check the cluster
2.4.1 Test the cluster connection
On hd01,
curl -u elastic:elasticpwd http://es01:9200 http://es02:9200 http://es03:9200
The output is as follows,
{
  "name" : "es01",
  "cluster_name" : "es-cluster",
  "cluster_uuid" : "qTI-rl-eS4GWqhPbs7AtFA",
  "version" : {
    "number" : "7.13.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "4d960a0733be83dd2543ca018aa4ddc42e956800",
    "build_date" : "2021-06-10T21:01:55.251515791Z",
    "build_snapshot" : false,
    "lucene_version" : "8.8.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
{
  "name" : "es02",
  "cluster_name" : "es-cluster",
  "cluster_uuid" : "qTI-rl-eS4GWqhPbs7AtFA",
  "version" : {
    "number" : "7.13.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "4d960a0733be83dd2543ca018aa4ddc42e956800",
    "build_date" : "2021-06-10T21:01:55.251515791Z",
    "build_snapshot" : false,
    "lucene_version" : "8.8.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
{
  "name" : "es03",
  "cluster_name" : "es-cluster",
  "cluster_uuid" : "qTI-rl-eS4GWqhPbs7AtFA",
  "version" : {
    "number" : "7.13.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "4d960a0733be83dd2543ca018aa4ddc42e956800",
    "build_date" : "2021-06-10T21:01:55.251515791Z",
    "build_snapshot" : false,
    "lucene_version" : "8.8.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
2.4.2 Check the cluster health
On hd01,
curl -u elastic:elasticpwd -X GET "es01:9200/_cluster/health?pretty" "es02:9200/_cluster/health?pretty" "es03:9200/_cluster/health?pretty"
The output is as follows,
{
  "cluster_name" : "es-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 2,
  "active_shards" : 4,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
{
  "cluster_name" : "es-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 2,
  "active_shards" : 4,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
{
  "cluster_name" : "es-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 2,
  "active_shards" : 4,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
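The health check from 2.4.2 turned into something a deploy script or cron job can act on, as an added example that is not part of the original post. Two things differ from the one-liner above: the password is handed to curl through a config read from stdin (`-K -`) instead of `-u elastic:elasticpwd` on the command line, where it would show up in the process list and in shell history; and the JSON `status` field is mapped to an exit code (0 green, 1 yellow, 2 red, 3 unknown or unreachable). Node names and port are the post's; `ES_USER` and `ES_PASS` are hypothetical variables you export before calling `check_cluster`, the function names are mine, and the two sample documents are constructed in the shape of the output above so the parsing part runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: check cluster health per
# node without exposing the password in argv, and turn "status" into an exit
# code. ES_USER / ES_PASS are assumed environment variables.

# health_status: read a _cluster/health JSON document on stdin, print its status
health_status() {
    sed -n -E 's/.*"status"[[:space:]]*:[[:space:]]*"([a-z]+)".*/\1/p' | head -n 1
}

# health_rc: read the same JSON on stdin; exit 0 green, 1 yellow, 2 red, 3 unknown
health_rc() {
    case "$(health_status)" in
        green)  return 0 ;;
        yellow) return 1 ;;
        red)    return 2 ;;
        *)      return 3 ;;
    esac
}

# fetch_health NODE: query one node. Credentials reach curl through a config
# read from stdin, so they never appear on the command line. Plain http://
# matches the post, whose stack files enable transport TLS but not HTTP TLS.
fetch_health() {
    printf 'user = "%s:%s"\n' "$ES_USER" "$ES_PASS" |
        curl -sS -K - "http://$1:9200/_cluster/health?pretty"
}

# check_cluster NODE...: report each node, return the worst code seen
check_cluster() {
    worst=0
    for node in "$@"; do
        if ! body=$(fetch_health "$node"); then
            echo "$node: unreachable" >&2; worst=3; continue
        fi
        rc=0; printf '%s\n' "$body" | health_rc || rc=$?
        echo "$node: $(printf '%s\n' "$body" | health_status) (rc=$rc)"
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

# Constructed samples shaped like the post's _cluster/health output (trimmed)
SAMPLE_GREEN='{
  "cluster_name" : "es-cluster",
  "status" : "green",
  "number_of_nodes" : 3,
  "unassigned_shards" : 0
}'
SAMPLE_YELLOW='{
  "cluster_name" : "es-cluster",
  "status" : "yellow",
  "number_of_nodes" : 1,
  "unassigned_shards" : 2
}'

# Offline demonstration on the constructed samples
for s in "$SAMPLE_GREEN" "$SAMPLE_YELLOW"; do
    rc=0; printf '%s\n' "$s" | health_rc || rc=$?
    echo "status=$(printf '%s\n' "$s" | health_status) rc=$rc"
done
# Live use (assumed variables): ES_USER=elastic ES_PASS=... check_cluster es01 es02 es03
```

Because `check_cluster` returns the worst status it saw, `check_cluster es01 es02 es03 || alert` is enough to page on anything other than green across all three nodes.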