Shulou(Shulou.com)06/02 Report--

What the editor wants to share with you this time is how docker installs the Elasticsearch7.6 cluster and sets the password. The article is rich in content, and interested friends can learn about it. I hope you can get something after reading this article.

Elasticsearch, which allows free users to use the security features of X-Pack from 6.8, used to install es streaking. Next, record the method of configuring security authentication.

To simplify the physical installation process, we will install our service using docker.

Some basic configurations

Es needs to modify some parameters of linux.

Set up vm.max_map_count=262144

Sudo vim / etc/sysctl.confvm.max_map_count=262144

Do not restart, directly take effect of the current command

Sysctl-w vm.max_map_count=262144

The data and logs directories of es need to authorize 1000 users. We assume that three powerful es clusters are installed, and the corresponding data storage files are created first.

The user id of mkdir-p es01/datamkdir-p es01/logsmkdir-p es02/datamkdir-p es02/logsmkdir-p es03/datamkdir-p es03/logs## es is 1000. Here, sudo chmod 777 es*-R is granted to all.

About versions and docker images

There are several types of licenses for Elasticsearch, of which Open Source and Basic are free, but security features are not integrated into es's Basic license until after 6.8.

The corresponding docker image of Basic is

Docker pull docker.elastic.co/elasticsearch/elasticsearch:7.6.2

At the same time, dockerhub synchronization is elasticsearch. Let's just pull the elasticsearch:7.6.2.

Start

The installation files are all placed in GitHub: https://github.com/Ryan-Miao/docker-china-source/tree/master/docker-elasticsearch

First, create a docker-compose.yml

Version: '2.2'services: es01: image: elasticsearch:7.6.2 container_name: es01 environment:-node.name=es01-cluster.name=es-docker-cluster-discovery.seed_hosts=es02,es03-cluster.initial_master_nodes=es01,es02 Es03-bootstrap.memory_lock=true-"ES_JAVA_OPTS=-Xms512m-Xmx512m" ulimits: memlock: soft:-1 hard:-1 volumes: -. / es01/data:/usr/share/elasticsearch/data -. / es01/logs:/usr/share/elasticsearch/logs -. / elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -. / elastic-certificates.p12:/usr/share/elasticsearch/config/elastic -certificates.p12 ports:-9200 certificates.p12 ports 9200 networks:-elastic es02: image: elasticsearch:7.6.2 container_name: es02 environment:-node.name=es02-cluster.name=es-docker-cluster-discovery.seed_hosts=es01 Es03-cluster.initial_master_nodes=es01,es02 Es03-bootstrap.memory_lock=true-"ES_JAVA_OPTS=-Xms512m-Xmx512m" ulimits: memlock: soft:-1 hard:-1 volumes: -. / es02/data:/usr/share/elasticsearch/data -. / es02/logs:/usr/share/elasticsearch/logs -. / elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -. / elastic-certificates.p12:/usr/share/elasticsearch/config/elastic -certificates.p12 ports:-9201 image 9200 networks:-elastic es03: image: elasticsearch:7.6.2 container_name: es03 environment:-node.name=es03-cluster.name=es-docker-cluster-discovery.seed_hosts=es01 Es02-cluster.initial_master_nodes=es01,es02 Es03-bootstrap.memory_lock=true-"ES_JAVA_OPTS=-Xms512m-Xmx512m" ulimits: memlock: soft:-1 hard:-1 volumes: -. / es03/data:/usr/share/elasticsearch/data -. / es03/logs:/usr/share/elasticsearch/logs -. / elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -. / elastic-certificates.p12:/usr/share/elasticsearch/config/elastic -certificates.p12 ports:-9202 networks 9200 networks:-elastic kib01: depends_on:-es01 image: kibana:7.6.2 container_name: kib01 ports:-5601 networks: ELASTICSEARCH_URL: http://es01:9200 ELASTICSEARCH_HOSTS: http://es01:9200 volumes: -. / kibana.yml:/usr/share/kibana/config/kibana.yml networks:-elasticnetworks: elastic: driver: bridge

About elasticsearch.yml

The contents are as follows

Network.host: 0.0.0.0xpack.security.enabled: truexpack.security.transport.ssl.enabled: truexpack.security.transport.ssl.keystore.type: PKCS12xpack.security.transport.ssl.verification_mode: certificatexpack.security.transport.ssl.keystore.path: elastic-certificates.p12xpack.security.transport.ssl.truststore.path: elastic-certificates.p12xpack.security.transport.ssl.truststore.type: PKCS12xpack.security.audit.enabled: truenetwork.host setting allows other ip access. Unbinding xpack.security from ip is a security-related configuration. The certificate of ssl needs to be generated by yourself.

About Certificate elastic-certificates.p12

Es provides a tool for generating certificates, elasticsearch-certutil, which we can generate in an docker instance, then copy it, and then use it uniformly later.

First run the es instance

Sudo docker run-dit-- name=es elasticsearch:7.6.2 / bin/bash

Enter inside the instance

Sudo docker exec-it es / bin/bash

Generate ca: elastic-stack-ca.p12

[root@25dee1848942 elasticsearch] #. / bin/elasticsearch-certutil caThis tool assists you in the generation of X.509 certificates and certificatesigning requests for use with SSL/TLS in the Elastic stack.The 'ca' mode generates a new' certificate authority'This will create a new X.509 certificate and private key that can be usedto sign certificate when running in 'cert' mode.Use the' ca-dn' option if you wish to configure the 'distinguished name'of the certificate authorityBy default the' ca' mode produces a single PKCS#12 output file which holds: * The CA certificate * The CA's private keyIf you elect to generate PEM format certificates (the-pem option) Then the output willbe a zip file containing individual files for the CA certificate and private keyPlease enter the desired output file [elastic-stack-ca.p12]: Enter password for elastic-stack-ca.p12:

Regenerated into cert: elastic-certificates.p12

[root@25dee1848942 elasticsearch] #. / bin/elasticsearch-certutil cert-- ca elastic-stack-ca.p12This tool assists you in the generation of X.509 certificates and certificatesigning requests for use with SSL/TLS in the Elastic stack.The 'cert' mode generates X.509 certificate and private keys.

This generation elastic-certificates.p12 is exactly what we need to use.

Copy out the certificate, and ctrl+d exits inside the container

Sudo docker cp es:/usr/share/elasticsearch/elastic-certificates.p12. # close this container sudo docker kill essudo docker rm es

In this way, the certificate was obtained.

Generate password

First of all, we need to start the es cluster and go inside to generate the password.

Sudo docker-compose up

And then enter one of them.

Sudo docker exec-it es01 / bin/bash

Generate the password with auto, and set it with interactive by yourself.

[root@cfeeab4bb0eb elasticsearch] #. / bin/elasticsearch-setup-passwords-hSets the passwords for reserved usersCommands-auto-Uses randomly generated passwordsinteractive-Uses passwords entered by a userNon-option arguments:command Option Description-E Configure a setting-h,-- help Show help-s,-- silent Show minimal output-v -- verbose Show verbose output [root@cfeeab4bb0eb elasticsearch] #. / bin/elasticsearch-setup-passwords autoInitiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system Remote_monitoring_user.The passwords will be randomly generated and printed to the console.Please confirm that you would like to continue [DtZCrCkVTZsinRn3tW3DChanged password for user elasticPASSWORD elastic N] yChanged password for user apm_systemPASSWORD apm_system = YxVzeT9B2jEDUjYp66WsChanged password for user kibanaPASSWORD kibana = 8NnThbj0N02iDaTGhidUChanged password for user logstash_systemPASSWORD logstash_system = 9nIDGe7KSV8SQidSk8DjChanged password for user beats_systemPASSWORD beats_system = qeuVaf1VEALpJHfEUOjJChanged password for user remote_monitoring_userPASSWORD remote_monitoring_user = DtZCrCkVTZsinRn3tW3DChanged password for user elasticPASSWORD elastic = q5f2qNfUJQyvZPIz57MZ

Use password

The browser needs to enter an account number to access localhost:9200/9201/9202

Just enter the corresponding elastic/password

Browsers access localhost:5601

Forget the password.

If you forget your password after generation, you can go to the machine to modify it.

Access to the es machine

Sudo docker exec-it es01 / bin/bash

Create a temporary superuser RyanMiao

. / bin/elasticsearch-users useradd ryan-r superuserEnter new password: ERROR: Invalid password...passwords must be at least [6] characters long [root@cfeeab4bb0eb elasticsearch] #. / bin/elasticsearch-users useradd ryan-r superuserEnter new password: Retype new password:

Use this user to change the elastic password:

Curl-XPUT-u ryan:ryan123 http://localhost:9200/_xpack/security/user/elastic/_password-H "Content-Type: application/json"-d'{"password": "q5f2qNfUJQyvZPIz57MZ"} 'after reading this article on how docker installs Elasticsearch7.6 clusters and setting passwords, if you think the article is well written, you can share it with more people.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.