国产精品1,在线一级片,日韩高清一区二区

elasticsearch從6.8開始，允許免費用戶使用x-pack的安全功能，以前安裝es都是裸奔。接下來記錄配置安全認證的方法。

為了簡化物理安裝過程，我們將使用docker安裝我們的服務。

一些基礎配置

es需要修改linux的一些參數。

設置vm.max_map_count=262144

1 2	`sudo` `vim` `/etc/sysctl.conf` `vm.max_map_count=262144`

不重啟，直接生效當前的命令

1	`sysctl -w vm.max_map_count=262144`

es的data和logs目錄需要給1000的用戶授權，我們假設安裝3個實力的es集群，先創建對應的數據存儲文件

									mkdir -p es01/data

									mkdir -p es01/logs

									mkdir -p es02/data

									mkdir -p es02/logs

									mkdir -p es03/data

									mkdir -p es03/logs

									## es的用戶id為1000，這里暫且授權給所有人好了

									sudo chmod 777 es* -r

關于版本和docker鏡像

elasticsearch分幾種licenses，其中open source和basic是免費的，而在6.8之后安全功能才開始集成在es的basic授權上。

docker安裝Elasticsearch7.6集群并設置密碼

basic對應docker鏡像為

1	`docker pull docker.elastic.co/elasticsearch/elasticsearch:7.6.2`

同時dockerhub同步為elasticsearch. 我們直接拉取elasticsearch:7.6.2就好。

開始

安裝文件均放在github： https://github.com/ryan-miao/docker-china-source/tree/master/docker-elasticsearch

首先，創建docker-compose.yml

				?

									version: '2.2'

									services:

									 es01:

									  image: elasticsearch:7.6.2

									  container_name: es01

									  environment:

									   - node.name=es01

									   - cluster.name=es-docker-cluster

									   - discovery.seed_hosts=es02,es03

									   - cluster.initial_master_nodes=es01,es02,es03

									   - bootstrap.memory_lock=true

									   - "es_java_opts=-xms512m -xmx512m"

									  ulimits:

									   memlock:

									    soft: -1

									    hard: -1

									  volumes:

									   - ./es01/data:/usr/share/elasticsearch/data

									   - ./es01/logs:/usr/share/elasticsearch/logs

									   - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml

									   - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12

									  ports:

									   - 9200:9200

									  networks:

									   - elastic

									 es02:

									  image: elasticsearch:7.6.2

									  container_name: es02

									  environment:

									   - node.name=es02

									   - cluster.name=es-docker-cluster

									   - discovery.seed_hosts=es01,es03

									   - cluster.initial_master_nodes=es01,es02,es03

									   - bootstrap.memory_lock=true

									   - "es_java_opts=-xms512m -xmx512m"

									  ulimits:

									   memlock:

									    soft: -1

									    hard: -1

									  volumes:

									   - ./es02/data:/usr/share/elasticsearch/data

									   - ./es02/logs:/usr/share/elasticsearch/logs

									   - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml

									   - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12

									  ports:

									   - 9201:9200

									  networks:

									   - elastic

									 es03:

									  image: elasticsearch:7.6.2

									  container_name: es03

									  environment:

									   - node.name=es03

									   - cluster.name=es-docker-cluster

									   - discovery.seed_hosts=es01,es02

									   - cluster.initial_master_nodes=es01,es02,es03

									   - bootstrap.memory_lock=true

									   - "es_java_opts=-xms512m -xmx512m"

									  ulimits:

									   memlock:

									    soft: -1

									    hard: -1

									  volumes:

									   - ./es03/data:/usr/share/elasticsearch/data

									   - ./es03/logs:/usr/share/elasticsearch/logs

									   - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml

									   - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12

									  ports:

									   - 9202:9200

									  networks:

									   - elastic

									 kib01:

									  depends_on: 

									   - es01

									  image: kibana:7.6.2

									  container_name: kib01

									  ports:

									   - 5601:5601

									  environment:

									   elasticsearch_url: http://es01:9200

									   elasticsearch_hosts: http://es01:9200

									  volumes:

									   - ./kibana.yml:/usr/share/kibana/config/kibana.yml

									  networks:

									   - elastic

									networks:

									 elastic:

									  driver: bridge

關于elasticsearch.yml

內容如下

				?

									network.host: 0.0.0.0

									xpack.security.enabled: true

									xpack.security.transport.ssl.enabled: true

									xpack.security.transport.ssl.keystore.type: pkcs12

									xpack.security.transport.ssl.verification_mode: certificate

									xpack.security.transport.ssl.keystore.path: elastic-certificates.p12

									xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

									xpack.security.transport.ssl.truststore.type: pkcs12

									xpack.security.audit.enabled: true

network.host 設置允許其他ip訪問，解除ip綁定
xpack.security 則是安全相關配置，其中ssl的證書需要自己生成

關于證書elastic-certificates.p12

es提供了生成證書的工具elasticsearch-certutil，我們可以在docker實例中生成它，然后復制出來，后面統一使用。

首先運行es實例

				?

									sudo docker run -dit --name=es elasticsearch:7.6.2 /bin/bash

進入實例內部

				?

									sudo docker exec -it es /bin/bash

生成ca: elastic-stack-ca.p12

				?

									[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil ca

									this tool assists you in the generation of x.509 certificates and certificate

									signing requests for use with ssl/tls in the elastic stack.

									the 'ca' mode generates a new 'certificate authority'

									this will create a new x.509 certificate and private key that can be used

									to sign certificate when running in 'cert' mode.

									use the 'ca-dn' option if you wish to configure the 'distinguished name'

									of the certificate authority

									by default the 'ca' mode produces a single pkcs#12 output file which holds:

									  * the ca certificate

									  * the ca's private key

									if you elect to generate pem format certificates (the -pem option), then the output will

									be a zip file containing individual files for the ca certificate and private key

									please enter the desired output file [elastic-stack-ca.p12]: 

									enter password for elastic-stack-ca.p12 :

再生成cert: elastic-certificates.p12

				?

									[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

									this tool assists you in the generation of x.509 certificates and certificate

									signing requests for use with ssl/tls in the elastic stack.

									the 'cert' mode generates x.509 certificate and private keys.

這個生成elastic-certificates.p12 就是我們需要使用的。

復制出證書, ctrl+d退出容器內部

				?

									sudo docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 .

									# 關閉這個容器

									sudo docker kill es

									sudo docker rm es

如此獲取了證書。

生成密碼

我們首先要啟動es集群，去里面生成密碼。

				?

									sudo docker-compose up

然后進入其中一臺

				?

									sudo docker exec -it es01 /bin/bash

生成密碼用auto，自己設置用 interactive

				?

									[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords -h

									sets the passwords for reserved users

									commands

									--------

									auto - uses randomly generated passwords

									interactive - uses passwords entered by a user

									non-option arguments:

									command       

									option       description    

									------       -----------    

									-e <keyvaluepair> configure a setting

									-h, --help     show help     

									-s, --silent    show minimal output

									-v, --verbose   show verbose output

									[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords auto

									initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.

									the passwords will be randomly generated and printed to the console.

									please confirm that you would like to continue [y/n]y

									changed password for user apm_system

									password apm_system = yxvzet9b2jedujyp66ws

									changed password for user kibana

									password kibana = 8nnthbj0n02idatghidu

									changed password for user logstash_system

									password logstash_system = 9nidge7ksv8sqidsk8dj

									changed password for user beats_system

									password beats_system = qeuvaf1vealpjhfeuojj

									changed password for user remote_monitoring_user

									password remote_monitoring_user = dtzcrckvtzsinrn3tw3d

									changed password for user elastic

									password elastic = q5f2qnfujqyvzpiz57mz

使用密碼

瀏覽器訪問localhost:9200/9201/9202 需要輸入賬號

輸入對應的elastic/password就好

瀏覽器訪問localhost:5601

docker安裝Elasticsearch7.6集群并設置密碼

忘記密碼

如果生成后忘記密碼了怎么辦，可以進入機器去修改。

進入es的機器

				?

									sudo docker exec -it es01 /bin/bash

創建一個臨時的超級用戶ryanmiao

				?

									./bin/elasticsearch-users useradd ryan -r superuser

									enter new password: 

									error: invalid password...passwords must be at least [6] characters long

									[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-users useradd ryan -r superuser

									enter new password: 

									retype new password:

用這個用戶去修改elastic的密碼：

				?

									curl -xput -u ryan:ryan123 http://localhost:9200/_xpack/security/user/elastic/_password -h "content-type: application/json" -d '

									{

									 "password": "q5f2qnfujqyvzpiz57mz"

									}'