Starting with 6.8, Elasticsearch makes the X-Pack security features available to free users; before that, ES installs ran wide open. What follows records how to configure security authentication.

Environment: CentOS 8.5
Elasticsearch version: 7.14.0
User: root

Every command in this post is run as root; if you use a regular user, prefix the commands with sudo.
1. Basic configuration

Modify the Linux vm.max_map_count parameter: set vm.max_map_count=262144.

vim /etc/sysctl.conf
# add the line:
vm.max_map_count=262144

To apply it to the running system without a reboot:

sysctl -w vm.max_map_count=262144

Install 3 Elasticsearch nodes as a cluster. Pick a suitable location and create the directories for the configuration, logs and data:

mkdir -p elasticsearch01/data elasticsearch01/logs
mkdir -p elasticsearch02/data elasticsearch02/logs
mkdir -p elasticsearch03/data elasticsearch03/logs
mkdir config && touch config/elasticsearch.yml
mkdir plugins

Create the user and get its id:

# create the elasticsearch user
useradd elasticsearch
# set a password for the elasticsearch user
passwd elasticsearch
# add elasticsearch to the docker group (create the docker group first if it does not exist);
# -aG appends instead of replacing the user's supplementary groups. Note that membership
# of the docker group is equivalent to root on the host, so keep this account locked down.
usermod -G docker elasticsearch
# restart docker
systemctl restart docker

Give the elasticsearch user ownership of the directories just created:

# go back up one level and change ownership
chown -R elasticsearch elasticsearch

Get the id of the elasticsearch user:

cat /etc/passwd | grep elasticsearch
# the id obtained here is 1001 (id -u elasticsearch prints just the number)

2. Pulling the image and writing the compose file

Pull the image:
docker pull elasticsearch:7.14.0

Create docker-compose.yml:

version: '3.8'
services:
  elasticsearch01:
    image: elasticsearch:7.14.0
    container_name: elasticsearch01
    environment:
      - node.name=elasticsearch01
      - cluster.name=elasticsearch-docker-cluster
      - discovery.seed_hosts=elasticsearch02,elasticsearch03
      - cluster.initial_master_nodes=elasticsearch01,elasticsearch02,elasticsearch03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    user: "1001"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elasticsearch01/data:/usr/share/elasticsearch/data
      - ./elasticsearch01/logs:/usr/share/elasticsearch/logs
      - ./plugins:/usr/share/elasticsearch/plugins
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9200:9200
    networks:
      mynet:
        ipv4_address: 172.88.0.5
  elasticsearch02:
    image: elasticsearch:7.14.0
    container_name: elasticsearch02
    environment:
      - node.name=elasticsearch02
      - cluster.name=elasticsearch-docker-cluster
      - discovery.seed_hosts=elasticsearch01,elasticsearch03
      - cluster.initial_master_nodes=elasticsearch01,elasticsearch02,elasticsearch03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    user: "1001"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elasticsearch02/data:/usr/share/elasticsearch/data
      - ./elasticsearch02/logs:/usr/share/elasticsearch/logs
      - ./plugins:/usr/share/elasticsearch/plugins
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    networks:
      mynet:
        ipv4_address: 172.88.0.6
  elasticsearch03:
    image: elasticsearch:7.14.0
    container_name: elasticsearch03
    environment:
      - node.name=elasticsearch03
      - cluster.name=elasticsearch-docker-cluster
      - discovery.seed_hosts=elasticsearch01,elasticsearch02
      - cluster.initial_master_nodes=elasticsearch01,elasticsearch02,elasticsearch03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    user: "1001"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elasticsearch03/data:/usr/share/elasticsearch/data
      - ./elasticsearch03/logs:/usr/share/elasticsearch/logs
      - ./plugins:/usr/share/elasticsearch/plugins
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    networks:
      mynet:
        ipv4_address: 172.88.0.7
networks:
  mynet:
    external: true

version: use a compose file version supported by your Docker installation (check the Docker website).
user: fill in the id of the user added above.
networks.mynet is declared external: true, so the network must already exist before docker-compose up; create it beforehand with docker network create, using a subnet that contains the 172.88.0.x addresses assigned above.
Write the configuration file elasticsearch.yml:

vim config/elasticsearch.yml

with the following content:

network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: <the password chosen when generating elastic-certificates.p12 below; drop this setting if no password was set>
xpack.security.transport.ssl.truststore.password: <the same password; drop this setting if no password was set>
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true

network.host allows connections from other IPs, removing the IP binding. The xpack.security settings are the security configuration; the SSL certificate they reference has to be generated by hand.

Generating the certificate elastic-certificates.p12
ES ships elasticsearch-certutil, a tool for generating certificates; we can generate the certificate inside a Docker instance, copy it out and use the same file for all nodes.

First run an ES instance:

docker run -d --name=elasticsearch -e "discovery.type=single-node" elasticsearch:7.14.0

Enter the instance:

docker exec -it elasticsearch bash

Generate the CA, elastic-stack-ca.p12:

./bin/elasticsearch-certutil ca

Then generate the cert, elastic-certificates.p12:

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

This produces elastic-certificates.p12, which is copied out and placed in the config directory in a moment (elastic-stack-ca.p12 is the CA key that signs node certificates; keep it private).

Exit the container (shortcut: Ctrl + D) and copy the certificate out:

# run the following in each config directory:
docker cp elasticsearch:/usr/share/elasticsearch/elastic-certificates.p12 ./config

Delete the container:

docker rm -f elasticsearch

3. Installing the image

Switch to the user elasticsearch created earlier:

su elasticsearch

From the directory one level above the ES cluster directory, run docker-compose to bring up the cluster:

docker-compose up

Enter one of the nodes to generate the passwords:
docker exec -it elasticsearch01 bash

4. Generating passwords

Use auto to have the passwords generated, or interactive to set them yourself:

[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords -h
Sets the passwords for reserved users

Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user

Non-option arguments:
command

Option             Description
------             -----------
-E <KeyValuePair>  Configure a setting
-h, --help         Show help
-s, --silent       Show minimal output
-v, --verbose      Show verbose output

[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y

Changed password for user apm_system
PASSWORD apm_system = YxVzeT9B2jEDUjYp66Ws

Changed password for user kibana
PASSWORD kibana = 8NnThbj0N02iDaTGhidU

Changed password for user logstash_system
PASSWORD logstash_system = 9nIDGe7KSV8SQidSk8Dj

Changed password for user beats_system
PASSWORD beats_system = qeuVaf1VEALpJHfEUOjJ

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = DtZCrCkVTZsinRn3tW3D

Changed password for user elastic
PASSWORD elastic = q5f2qNfUJQyvZPIz57MZ

5. Testing

Open localhost:9200/9201/9202 in the browser; it asks for credentials (the compose file above publishes only port 9200, on elasticsearch01).
Enter elastic and the matching password.
Open localhost:5601 in the browser.
6. Forgotten password

What if you forget the password after generating it? You can go into the node and change it.

Enter the ES container:

sudo docker exec -it elasticsearch01 /bin/bash   # container name as in the compose file above

Create a temporary superuser, ryan:

./bin/elasticsearch-users useradd ryan -r superuser
Enter new password:
ERROR: Invalid password...passwords must be at least [6] characters long
[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-users useradd ryan -r superuser
Enter new password:
Retype new password:

Use this user to change elastic's password:

# the _xpack/security/... path still works in 7.x but is deprecated;
# the current form is /_security/user/elastic/_password
curl -XPUT -u ryan:ryan123 http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d '
{
  "password": "q5f2qNfUJQyvZPIz57MZ"
}'
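Sections 5 and 6 check the result by hand and pass the temporary superuser's credentials on the curl command line, where they land in shell history and are visible in ps output while the request runs. The script below is an added example covering both sections, not code from the original post: it checks that an anonymous request to the cluster is rejected with 401, reads the temporary user's password from the terminal without echo, hands it to curl through a mode-0600 netrc file, calls the 7.x /_security endpoint, and shows the userdel step that removes the temporary file-realm user afterwards. The function names (password_json, check_auth_code, verify_auth_required, reset_elastic_password) and the ES_URL default are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify that authentication is
# enforced, then reset the elastic password without exposing credentials on the
# command line. Function names and the default host are this example's own.

ES_URL=${ES_URL:-http://localhost:9200}

# password_json PASSWORD: build the JSON body for the change-password API,
# escaping backslashes and double quotes so the password arrives intact.
password_json() {
    esc=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"password":"%s"}' "$esc"
}

# check_auth_code CODE: decide whether the status of an anonymous probe is the
# expected rejection. With xpack.security.enabled an unauthenticated request must
# get 401; 200 means security is off, 000 means the node was unreachable.
check_auth_code() {
    case $1 in
        401) return 0 ;;
        200) echo "security is not enforced: anonymous request got 200" >&2; return 1 ;;
        *)   echo "unexpected status $1 from $ES_URL" >&2; return 1 ;;
    esac
}

# verify_auth_required: probe the cluster root without credentials.
verify_auth_required() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$ES_URL/")
    check_auth_code "$code"
}

# reset_elastic_password TEMP_USER NEW_PASSWORD: authenticate as the temporary
# superuser created with bin/elasticsearch-users and set elastic's password.
# The temporary user's password is read from the terminal, never from argv.
reset_elastic_password() {
    user=$1
    newpw=$2
    [ "${#newpw}" -ge 6 ] || { echo "password must be at least 6 characters" >&2; return 1; }
    printf 'Password for %s: ' "$user" >&2
    stty -echo; read -r temppw; stty echo; echo >&2
    host=${ES_URL#*://}; host=${host%%[:/]*}
    # curl reads the credentials from a private netrc file instead of -u user:pass,
    # so they never appear in ps output or shell history (netrc cannot hold
    # passwords containing whitespace).
    old_umask=$(umask); umask 077
    netrc=$(mktemp)
    umask "$old_umask"
    printf 'machine %s login %s password %s\n' "$host" "$user" "$temppw" > "$netrc"
    # /_security/... is the 7.x endpoint; /_xpack/security/... is deprecated.
    password_json "$newpw" | curl -s --fail --netrc-file "$netrc" \
        -X PUT "$ES_URL/_security/user/elastic/_password" \
        -H 'Content-Type: application/json' -d @-
    rc=$?
    rm -f "$netrc"
    return "$rc"
}

# Usage (inside the container):  ./reset_elastic.sh ryan 'new-elastic-password'
# Afterwards remove the temporary superuser:  ./bin/elasticsearch-users userdel ryan
if [ "$#" -eq 2 ]; then
    verify_auth_required && reset_elastic_password "$1" "$2"
fi
```

The 401 probe doubles as the test for section 5: if the root URL answers 200 without credentials, xpack.security.enabled did not take effect and the password reset is moot. Note that without xpack.security.http.ssl.enabled the new password itself still crosses the wire in clear, which is why running this only from inside the node, against localhost, is the sensible default.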