Part 1: Prerequisites
- A CentOS host with Docker deployed
- Two or three servers on which to deploy Elasticsearch
- ip1, ip2
Part 2: Installing Docker and Elasticsearch
1.1 Install Docker
[root@ecs-b3bf-0225795 ~]# yum install docker
[root@ecs-b3bf-0225795 ~]# systemctl start docker
1.2 Raise the kernel vm.max_map_count limit that ES requires
[root@ecs-b3bf-0225795 ~]# vi /etc/sysctl.conf
#add this line
vm.max_map_count = 655350
[root@ecs-b3bf-0225795 ~]# sysctl -p
1.3 Install Elasticsearch
[root@ecs-b3bf-0225795 ~]# mkdir -p /home/docker/elasticsearch
[root@ecs-b3bf-0225795 ~]# cd /home/docker/elasticsearch/
[root@ecs-b3bf-0225795 elasticsearch]# docker pull docker.io/library/elasticsearch:7.6.2
After the image has been pulled, do not start it yet.
First create all the directories that will later hold the data, plugins, logs and configuration:
[root@ecs-b3bf-0225795 elasticsearch]# mkdir data
[root@ecs-b3bf-0225795 elasticsearch]# mkdir logs
[root@ecs-b3bf-0225795 elasticsearch]# mkdir -p plugins/ik
[root@ecs-b3bf-0225795 elasticsearch]# mkdir config
[root@ecs-b3bf-0225795 elasticsearch]#
[root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 data
[root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 logs
[root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 plugins
[root@ecs-b3bf-0225795 elasticsearch]# chmod -R 775 config
Install the ik analyzer plugin
[root@ecs-b3bf-0225795 plugins]# cd plugins/ik
[root@ecs-b3bf-0225795 ik]# wget https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v7.6.2/elasticsearch-analysis-ik-7.6.2.zip
[root@ecs-b3bf-0225795 ik]# unzip elasticsearch-analysis-ik-7.6.2.zip
[root@ecs-b3bf-0225795 ik]#
[root@ecs-b3bf-0225795 ik]#
Copy the configuration files out of the image into the mount path: start a throwaway container once, copy its config directory out, then remove it.
[root@ecs-b3bf-0225795 elasticsearch]# cd /home/docker/elasticsearch/
[root@ecs-b3bf-0225795 elasticsearch]#
[root@ecs-b3bf-0225795 elasticsearch]# docker run -p 9200:9200 -p 9300:9300 \
--privileged=true --name es7 \
-e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
-v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
-v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
-v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
-d elasticsearch:7.6.2
[root@ecs-b3bf-0225795 elasticsearch]#
[root@ecs-b3bf-0225795 elasticsearch]#
[root@ecs-b3bf-0225795 elasticsearch]# docker cp -a es7:/usr/share/elasticsearch/config/ /home/docker/elasticsearch/
[root@ecs-b3bf-0225795 elasticsearch]# docker kill es7
[root@ecs-b3bf-0225795 elasticsearch]# docker rm es7
This copies the configuration files from inside the started ES container to the physical path that we will mount.
elasticsearch.yml (cluster configuration):
#cluster name
cluster.name: material-es
#name of this node
node.name: node-1
#whether this node is eligible to be elected master
node.master: true
#whether this node stores data
node.data: true
#maximum number of nodes that may share this data path
node.max_local_storage_nodes: 3
#custom attribute for this node (optional)
#node.attr.rack: r1
#data directory
path.data: /usr/share/elasticsearch/data
#log directory (must match the logs volume mounted into the container)
path.logs: /usr/share/elasticsearch/logs
#lock memory at startup (default is yes)
#bootstrap.memory_lock: true
#bind address. I got burned by this one: I originally entered my actual physical IP address here,
#and startup kept reporting an invalid IP address and could not bind port 9300. Just enter 0.0.0.0 here.
network.host: 0.0.0.0
#the IP address other nodes use to reach this node. If unset it is auto-detected; it must be a real IP address, so set the current physical host's address.
#For a node installed with Docker this must be the configured host IP, not the Docker bridge IP
network.publish_host: 175.6.3.132
#mapped HTTP port
http.port: 9200
#port used for transport between nodes
transport.tcp.port: 9300
#cluster discovery defaults to 127.0.0.1:9300; to form a cluster with nodes on other hosts this must be filled in
#new since es7.x: list the addresses of the master-eligible nodes, which can be elected master once the service is up; in other words, list every node here
discovery.seed_hosts: ["175.6.3.132:9300","175.6.3.133:9300","175.6.3.134:9300"]
#when building a cluster this selects the set of qualified nodes; some explanations of it are too official,
#in plain terms you pick a few good nodes, and when your node starts one of them is chosen as leader,
#if you do not set it elasticsearch holds its own election; here we list all three nodes
cluster.initial_master_nodes: ["node-1","node-2","node-3"]
#after a full cluster restart, block initial recovery until N nodes have started
#simply put, after the cluster starts at least this many nodes must be back before the service can be used, otherwise it cannot be used
gateway.recover_after_nodes: 2
#whether deleting an index requires its name to be given explicitly (the author notes the default as required)
#action.destructive_requires_name: true
# whether cross-origin requests are allowed, default false
http.cors.enabled: true
# when cross-origin is allowed the default is *, meaning every origin; to allow only certain sites use a regular expression, e.g. local addresses only: /https?:\/\/localhost(:[0-9]+)?/
http.cors.allow-origin: "*"
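As an added example that is not part of the original post, the shell function below renders the per-node elasticsearch.yml from a node number and the list of node IPs, so the identical start command can be run on every machine while node.name, network.publish_host, discovery.seed_hosts and cluster.initial_master_nodes differ correctly per node. It assumes the cluster name and the three IPs used above and leaves out the optional CORS lines.

```shell
#!/bin/sh
# Added example (not from the original post): render elasticsearch.yml for
# node N of the cluster described above. Assumptions: cluster name
# material-es, the node IPs passed as arguments, the same container paths
# as the docker volume mounts, ports 9200/9300, and master-eligible nodes
# named node-1, node-2, ... in the order the IPs are given.
gen_es_yml() {
  idx="$1"            # 1-based node number: node-1, node-2, node-3
  shift
  hosts="$*"          # space-separated list of node IPs, in node order
  # this node's own IP becomes network.publish_host
  self=$(echo "$hosts" | tr ' ' '\n' | sed -n "${idx}p")
  # every node becomes a seed host on the transport port
  seeds=$(echo "$hosts" | tr ' ' '\n' | sed 's/.*/"&:9300"/' | paste -s -d ',' -)
  # every node is listed as an initial master candidate
  masters=""
  n=1
  for h in $hosts; do
    masters="${masters}${masters:+,}\"node-${n}\""
    n=$((n + 1))
  done
  cat <<EOF
cluster.name: material-es
node.name: node-${idx}
node.master: true
node.data: true
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
network.host: 0.0.0.0
network.publish_host: ${self}
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: [${seeds}]
cluster.initial_master_nodes: [${masters}]
gateway.recover_after_nodes: 2
EOF
}

# usage on the second node: write its config into the mounted directory
# gen_es_yml 2 175.6.3.132 175.6.3.133 175.6.3.134 > /home/docker/elasticsearch/config/elasticsearch.yml
```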
Replace the copied configuration file with the new one.
Start command: run the same command on every machine
[root@ecs-b3bf-0225795 elasticsearch]# docker run -p 9200:9200 -p 9300:9300 \
--privileged=true --name es7 \
-e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
-v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
-v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
-v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
-v /home/docker/elasticsearch/config:/usr/share/elasticsearch/config \
-d elasticsearch:7.6.2
三:安全設(shè)置
安全性處理:基于上述已經(jīng)在運(yùn)行的容器之上,在主機(jī)上執(zhí)行此運(yùn)行方式即可
獲取p12文件 打開安全設(shè)置
3.1生成 p12文件
[root@ecs-b3bf-0225795 elasticsearch]# cd /
[root@ecs-b3bf-0225795 ~]# docker run -dit --name=es elasticsearch:7.6.2 /bin/bash
f87b0e87cbe6cc5a1c53e6e343914072369641cef216815ca0d4f18e50a9da5e
[root@ecs-b3bf-0225795 ~]# docker exec -it es /bin/bash
[root@ecs-b3bf-0225795 elasticsearch]# enter the temporary es container and run the commands there
[root@ecs-b3bf-0225795 elasticsearch]# bin/elasticsearch-certutil ca
[root@ecs-b3bf-0225795 elasticsearch]# press Enter through all the prompts
[root@ecs-b3bf-0225795 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
[root@ecs-b3bf-0225795 elasticsearch]# press Enter through all the prompts
[root@ecs-b3bf-0225795 elasticsearch]# once generation is complete
[root@ecs-b3bf-0225795 elasticsearch]#
[root@ecs-b3bf-0225795 elasticsearch]# ls
-rw------- 1 root root 3451 Mar 1 17:42 elastic-certificates.p12
...
[root@ecs-b3bf-0225795 elasticsearch]# exit the container
[root@ecs-b3bf-0225795 elasticsearch]# exit;
exit
[root@ecs-b3bf-0225795 ~]# copy the generated p12 to the physical path
[root@ecs-b3bf-0225795 ~]# docker cp -a es:/usr/share/elasticsearch/elastic-certificates.p12 /home/docker/elasticsearch/config/
[root@ecs-b3bf-0225795 ~]#
[root@ecs-b3bf-0225795 ~]# docker kill es
es
[root@ecs-b3bf-0225795 ~]# docker rm es
es
[root@ecs-b3bf-0225795 ~]# stop every node of the es cluster
[root@ecs-b3bf-0225795 ~]# docker kill es7
[root@ecs-b3bf-0225795 ~]# docker rm es7
elasticsearch.yml: enable the security settings
# enable security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true
Push the new configuration files, elasticsearch.yml and elastic-certificates.p12, to the config directory on every node:
/home/docker/elasticsearch/config
and make the certificate file readable by all users
[root@ecs-b3bf-0225795 ~]# make readable by all users
[root@ecs-b3bf-0225795 ~]# chmod +r /home/docker/elasticsearch/config/elastic-certificates.p12
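Added example, not part of the original post: before restarting each node, check that the mounted config directory really carries the x-pack settings listed above and the PKCS12 file they point to, since a missing or unreadable keystore is the usual reason a secured node fails to start. It assumes the host directory /home/docker/elasticsearch/config and the file names used above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check one node's mounted
# config directory before starting the secured container.
# Assumption: CONF is the host path mounted at /usr/share/elasticsearch/config.
# The official image runs Elasticsearch as uid 1000, which is why the p12
# created as root with mode 600 needs the chmod shown above.
check_es_security() {
  CONF="$1"
  yml="$CONF/elasticsearch.yml"
  [ -f "$yml" ] || { echo "missing $yml"; return 1; }
  rc=0
  # settings that must be present, as written in the post's elasticsearch.yml
  for kv in 'xpack.security.enabled: true' \
            'xpack.security.transport.ssl.enabled: true' \
            'xpack.security.transport.ssl.verification_mode: certificate' \
            'xpack.security.transport.ssl.keystore.path:' \
            'xpack.security.transport.ssl.truststore.path:'
  do
    grep -q -- "^${kv}" "$yml" || { echo "missing setting: $kv"; rc=1; }
  done
  # keystore/truststore paths are relative to the config directory;
  # each referenced file must exist, be non-empty and be readable
  for key in keystore truststore; do
    p12=$(sed -n "s/^xpack.security.transport.ssl.${key}.path:[[:space:]]*//p" "$yml")
    [ -n "$p12" ] || continue
    if [ ! -s "$CONF/$p12" ]; then
      echo "$key file $CONF/$p12 missing or empty"; rc=1
    elif [ ! -r "$CONF/$p12" ]; then
      echo "$key file $CONF/$p12 not readable (see chmod above)"; rc=1
    fi
  done
  return $rc
}

# usage on each node before docker run:
# check_es_security /home/docker/elasticsearch/config && echo "config ok"
```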
3.2 Generate the ES access passwords
Important: ports 9200 and 9300 must be mutually reachable between all three cluster nodes, so open both ports. The passwords are generated automatically and must be written down.
[root@ecs-b3bf-0225795 ~]# start our cluster
[root@ecs-b3bf-0225795 ~]# docker run -p 9200:9200 -p 9300:9300 \
--privileged=true --name es7 \
-e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
-v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
-v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
-v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
-v /home/docker/elasticsearch/config:/usr/share/elasticsearch/config \
-v /home/docker/elasticsearch/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 \
-d elasticsearch:7.6.2
[root@ecs-b3bf-0225795 ~]#
[root@ecs-b3bf-0225795 ~]# enter the container of the node es7 we just started
[root@ecs-b3bf-0225795 ~]# docker exec -it es7 /bin/bash
[root@ac0fa780b8db elasticsearch]#
[root@ac0fa780b8db elasticsearch]#
[root@ac0fa780b8db elasticsearch]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = I5kYgua12jyhTWgGE6DoR
Changed password for user kibana
PASSWORD kibana = QehLVOFFTmoVSlK2121n4hU
Changed password for user logstash_system
PASSWORD logstash_system = e0woYM550en2121kSmfCph0
......
Changed password for user elastic
PASSWORD elastic = qRJvpTYcvslk1WhfvRfHE
如果你是單機(jī)啟動(dòng),配置文件內(nèi)只需要有這些就夠了
[root@iZ8vb3lp570ckrtrhp6f42Z config]# cat elasticsearch.yml
cluster.name: "material-es"
network.host: 0.0.0.0
#當(dāng)前該節(jié)點(diǎn)的名稱
node.name: "node-1"
# 打開安全設(shè)置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true
啟動(dòng)時(shí)需要加個(gè)參數(shù),告知非集群啟動(dòng)
[root@ecs-b3bf-0225795 ~]# docker run -p 9200:9200 -p 9300:9300 \
--privileged=true --name es7 \
-e "discovery.type=single-node" \
-e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" \
-v /home/docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
-v /home/docker/elasticsearch/data:/usr/share/elasticsearch/data \
-v /home/docker/elasticsearch/logs:/usr/share/elasticsearch/logs \
-v /home/docker/elasticsearch/config:/usr/share/elasticsearch/config \
-v /home/docker/elasticsearch/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 \
-d elasticsearch:7.6.2
The user we need is: elastic
Note: the generated accounts and passwords are propagated to the other nodes; the other nodes do not need to run this step