ELK: setting an X-Pack username and password on Elasticsearch 7 in Docker
I wrote an earlier post on this ("ELK elasticsearch7: setting up accounts and permissions") that did not feel quite right, so I am redoing the configuration here.
Prerequisites: the elasticsearch 7.1.1 and kibana 7.1.1 images.
A cluster already running successfully under Docker. Note that every ELK component that talks to ES must be the same version, and the ES plugin versions must match as well.
[ config]# docker images | grep 7.1.1
115.28.136.252/third/logstash        7.1.1   b0cb1543380d   12 months ago   847MB
115.28.136.252/third/kibana          7.1.1   67f17df6ca3e   12 months ago   746MB
115.28.136.252/third/elasticsearch   7.1.1   b0e9f9f047e6   12 months ago   894MB
115.28.136.252/third/filebeat        7.1.1   0bd69a03e199   12 months ago   288MB
My cluster consists of two servers.
Create the directories:
mkdir -p /home/soft/elasticsearch/config
mkdir -p /home/soft/elasticsearch/data/data00
mkdir -p /home/soft/elasticsearch/data/data01
mkdir -p /home/soft/elasticsearch/logs/logs00
mkdir -p /home/soft/elasticsearch/logs/logs01
Configuration files:
es00.yml==============
cluster.name: mses-cluster
node.name: es00
node.master: true
node.data: true
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
network.host: 172.20.0.10
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.seed_hosts: ["172.20.0.10:9300","172.20.0.11:9300"]
cluster.initial_master_nodes: ["es00","es01"]
discovery.zen.minimum_master_nodes: 2
http.cors.allow-headers: Authorization
es01.yml==============
cluster.name: mses-cluster
node.name: es01
node.master: true
node.data: true
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
network.host: 172.20.0.11
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.seed_hosts: ["172.20.0.10:9300","172.20.0.11:9300"]
cluster.initial_master_nodes: ["es00","es01"]
discovery.zen.minimum_master_nodes: 2
http.cors.allow-headers: Authorization
Startup commands. esnetwork is the dedicated Docker network I created for ES; the 172.20.0.xxx addresses used below are allocated from that network.
List the networks: docker network ls
Inspect the network and the containers attached to it: docker network inspect esnetwork
docker run --restart=always -m 1000m -e ES_JAVA_OPTS="-Xms512m -Xmx512m" -d \
  --net esnetwork --ip 172.20.0.10 -p 9200:9200 -p 9300:9300 \
  -v /home/soft/ES/config/es00.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
  -v /home/soft/ES/data/data00:/usr/share/elasticsearch/data \
  -v /home/soft/ES/logs/logs00:/usr/share/elasticsearch/logs \
  --name es00 elasticsearch:7.1.1

# es01 listens on 9200/9300 inside its container (see es01.yml), so the
# host ports 9201/9301 have to be mapped onto those container ports.
docker run --restart=always -m 1000m -e ES_JAVA_OPTS="-Xms512m -Xmx512m" -d \
  --net esnetwork --ip 172.20.0.11 -p 9201:9200 -p 9301:9300 \
  -v /home/soft/ES/config/es01.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
  -v /home/soft/ES/data/data01:/usr/share/elasticsearch/data \
  -v /home/soft/ES/logs/logs01:/usr/share/elasticsearch/logs \
  --name es01 elasticsearch:7.1.1
Once started, IP:PORT shows the status of that single node:
{
"name" : "es00",
"cluster_name" : "mses-cluster",
"cluster_uuid" : "_na_",
"version" : {
"number" : "7.1.1",
"build_flavor" : "default",
"build_type" : "docker",
"build_hash" : "7a013de",
"build_date" : "2019-05-23T14:04:00.380842Z",
"build_snapshot" : false,
"lucene_version" : "8.0.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
IP:PORT/_cat/nodes?pretty shows the current state of the cluster:
172.20.0.10 29 83 11 1.40 1.47 1.01 mdi - es00
172.20.0.11 28 83 11 1.40 1.47 1.01 mdi * es01
This confirms that the cluster is reachable.
Now the main part ============ configuring X-Pack: the ES username and password
Stop the services.
docker stop es00 es01
Delete the data directories
rm -rf data/data0*/*
Edit es00.yml and restart.
Append xpack.security.enabled: true at the end.
[ elasticsearch]# vi config/es00.yml
cluster.name: mses-cluster
node.name: es00
node.master: true
node.data: true
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
network.host: 172.20.0.10
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.seed_hosts: ["172.20.0.10:9300","172.20.0.11:9300"]
cluster.initial_master_nodes: ["es00","es01"]
discovery.zen.minimum_master_nodes: 2
http.cors.allow-headers: Authorization
xpack.security.enabled: true
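Before restarting with the edited file, it is worth checking the security-relevant settings in one pass. The following POSIX shell audit is an added example, not part of the original post; es_get and audit_es_yml are hypothetical helper names, and the Kibana origin and keystore path in the hardened sample are placeholders. It goes beyond the one key appended above and also flags the wildcard CORS origin, the disabled syscall filter, and the missing transport TLS that a two-node cluster needs once security is on.

```shell
# Added example (not from the original post): audit an elasticsearch.yml for
# the security-relevant settings touched here before restarting the node.
# es_get and audit_es_yml are hypothetical helper names.

# Print the value of a top-level key with quotes stripped; empty if absent.
es_get() {
  awk -v k="$2" 'index($0, k ":") == 1 { sub(/^[^:]*: */, ""); gsub(/"/, ""); print; exit }' "$1"
}
# Audit one file: print each finding, return the number of findings.
audit_es_yml() {
  f=$1; n=0
  [ "$(es_get "$f" xpack.security.enabled)" = "true" ] ||
    { echo "$f: xpack.security.enabled is not true (no authentication)"; n=$((n+1)); }
  [ "$(es_get "$f" http.cors.allow-origin)" != "*" ] ||
    { echo "$f: http.cors.allow-origin is \"*\"; restrict it to the Kibana origin"; n=$((n+1)); }
  [ "$(es_get "$f" bootstrap.system_call_filter)" != "false" ] ||
    { echo "$f: bootstrap.system_call_filter is false (seccomp filter disabled)"; n=$((n+1)); }
  # Two or more seed hosts with security enabled require TLS on the transport
  # layer, which is what elasticsearch-certutil prepares in the next steps.
  seeds=$(es_get "$f" discovery.seed_hosts | tr ',' '\n' | awk 'NF { c++ } END { print c + 0 }')
  if [ "$seeds" -gt 1 ] && [ "$(es_get "$f" xpack.security.enabled)" = "true" ] &&
     [ "$(es_get "$f" xpack.security.transport.ssl.enabled)" != "true" ]; then
    echo "$f: $seeds seed hosts but xpack.security.transport.ssl.enabled is not true"; n=$((n+1))
  fi
  return $n
}
# Constructed samples: WEAK mirrors es00.yml after xpack.security.enabled is
# appended; HARDENED tightens the same file (origin and keystore path are placeholders).
TMP=$(mktemp -d); WEAK=$TMP/es00.yml; HARDENED=$TMP/es00-hardened.yml
cat >"$WEAK" <<'EOF'
cluster.name: mses-cluster
node.name: es00
bootstrap.system_call_filter: false
network.host: 172.20.0.10
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.seed_hosts: ["172.20.0.10:9300","172.20.0.11:9300"]
xpack.security.enabled: true
EOF
sed -e 's/^bootstrap.system_call_filter: false/bootstrap.system_call_filter: true/' \
    -e 's|^http.cors.allow-origin: "\*"|http.cors.allow-origin: "https://kibana.example.internal:5601"|' \
    "$WEAK" >"$HARDENED"
cat >>"$HARDENED" <<'EOF'
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
EOF
audit_es_yml "$WEAK" || echo "findings in $WEAK: $?"
audit_es_yml "$HARDENED" && echo "no findings in $HARDENED"
```

Run it against the real es00.yml and es01.yml on each server before the restart; a non-zero exit status means at least one of the listed settings still needs attention.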
Restart
docker restart es00
Follow the startup log
docker logs -f --tail=10 es00
Once the log shows that startup has completed, opening ip:port in a browser brings up a login dialog.
Enter the container:
docker exec -it es00 /bin/bash
Generate the CA certificate. You can set a password here or just press Enter to leave it empty; I left it empty.
bin/elasticsearch-certutil ca
The certificate is written to the current directory under the name elastic-stack-ca.p12.
You can also pass --out to choose a different output path.
[ elasticsearch]# bin/elasticsearch-certutil ca
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.drbg.DRBG (file:/usr/share/elasticsearch/lib/tools/security-cli/bcprov-jdk15on-1.61.jar) to constructor sun.security.provider.Sun()
WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.drbg.DRBG
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
[ elasticsearch]# ls
123456 LICENSE.txt NOTICE.txt README.textile bin config data elastic-stack-ca.p12 jdk lib logs modules plugins
Generate the node certificate and private key
Copy the certificate to the host
Copy the certificate to every ES node that is to join the cluster
Edit the configuration on every cluster node
Restart all nodes
Test and check the result