Standing up Elasticsearch 8.0 in production as a single node alongside Kibana turns out to be harder than it looks: the new versions require TLS.
As of today, 2 September 2025, the latest Elasticsearch release is 9.0; two versions back is 8.18.6.
So that is the version we'll use. Following the official documentation will only get you confused.
The correct procedure is as follows:
1. Create self-signed certificates
You could use an ACME certificate, but nobody is going to restart the ES container every three months to renew it!
So the only option is to build your own CA and sign a certificate yourself.
Because there are two pods, es and kibana, two certificates have to be signed. Any ES version will do for signing them:
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.4.1-linux-x86_64.tar.gz

tar -zxf elasticsearch-8.4.1-linux-x86_64.tar.gz

cd elasticsearch-8.4.1/
./bin/elasticsearch-certutil ca --pem

# Produces the CA certificate and key, unpacked into the ca/ subdirectory of the current directory
unzip elastic-stack-ca.zip

# Generate the signing configuration file (one entry per pod; the SANs must cover every name clients will dial)
cat << EOF >instances.yml
instances:
  - name: es01
    dns:
      - es01
      - localhost
    ip:
      - 127.0.0.1
  - name: kibana
    dns:
      - kibana
      - localhost
    ip:
      - 127.0.0.1
EOF

# Sign the certificates for the 2 pods with our CA
./bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem --in instances.yml

# Produces 2 certificates and keys
unzip certificate-bundle.zip
# Creates two directories, es01 and kibana

# Prepare the certificate directory
mkdir -p /data/elasticsearch/certs
mv ca es01 kibana /data/elasticsearch/certs

# Prepare the persistent volumes
mkdir -p /data/elasticsearch/kibanadata
mkdir -p /data/elasticsearch/esdata01
2. Configure docker-compose.yaml
The docker-compose.yaml for version 8.18.6, located at /data/elasticsearch/docker-compose.yaml:
# docker-compose.yaml
services:
  es01:
    container_name: es
    # The Docker image to use for this service
    image: docker.elastic.co/elasticsearch/elasticsearch:8.18.6
    # The volumes to mount into this service
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
      - ./esdata01:/usr/share/elasticsearch/data
    # The ports to expose from this service
    ports:
      - 9200:9200
    # The environment variables to set inside the container
    environment:
      - node.name=es01
      - cluster.name=lancode-cluster
      - discovery.type=single-node
      - ELASTIC_PASSWORD=aaaaaaaaaaaa
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms10g -Xmx10g"
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es01/es01.key
      - xpack.security.http.ssl.certificate=certs/es01/es01.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/es01/es01.key
      - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=basic
    # The memory limit for this service 12g = 1024*1024*1024*12
    mem_limit: 12884901888
    # The ulimits to set for this service
    ulimits:
      memlock:
        soft: -1
        hard: -1
    # The healthcheck to determine the health of this service
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
  # The kibana service represents a Kibana instance
  kibana:
    # This service depends on the es01 service
    depends_on:
      es01:
        condition: service_healthy
    container_name: kibana
    # The Docker image to use for this service
    image: docker.elastic.co/kibana/kibana:8.18.6
    # The volumes to mount into this service
    volumes:
      - ./certs:/usr/share/kibana/config/certs
      - ./kibanadata:/usr/share/kibana/data
    # The ports to expose from this service
    ports:
      - 5601:5601
    # The environment variables to set inside the container
    environment:
      - SERVERNAME=kibana
      - ELASTICSEARCH_HOSTS=https://es01:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=bbbbbbbbbbbbbbb
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
      - xpack.security.audit.enabled=true
      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=cccccccccccccccccccccc
    # The memory limit for this service 2g = 1024*1024*1024*2
    mem_limit: 2147483648
    # The healthcheck to determine the health of this service
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
Note the arithmetic above:
- Memory: the host has 16G; 2G is held back for the system, 2G goes to Kibana, 12G to ES, and the Java heap flags get 10g
- ELASTIC_PASSWORD=aaaaaaaaaaaa: this password belongs to elastic, ES's own administrative user
- ELASTICSEARCH_PASSWORD=bbbbbbbbbbbbbb: this password belongs to kibana_system, a separate ES user that has to be set up just for Kibana
The password you finally log in to Kibana with is the elastic user's password, aaaaaaaaa
This nearly had me going round in circles: after the ES upgrade HTTPS has to be enabled, and more users were added on top. Kibana connects to ES with its own user, kibana_system, while ES has a separate user, elastic, for administration. Logging in to Kibana is actually done with the elastic user. Faint!!!
3. Start it up
docker compose up -d

# Startup is bound to fail at first: only the elastic password has been set, kibana_system does not have one yet
# Enter the container
docker exec -it es /bin/bash

# Set the kibana_system password
curl -X POST --cacert config/certs/ca/ca.crt -u "elastic:aaaaaaaa" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d '{"password": "bbbbbbbb"}'

# Or this works too, from the host (compose exec takes the service name es01, not the container name es)
docker-compose exec -T es01 bin/elasticsearch-reset-password --batch --user kibana_system
Password for the [kibana_system] user successfully reset.
New value: bbbbbbbb
Then it's OK. When logging in, use the elastic password, not kibana_system's!
4. Aside
The most bizarre part is Kibana: the two settings configured there, ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD, plus ELASTICSEARCH_HOSTS, are actually environment variables.
The kibana.yaml you see inside the container has an elasticsearch.hosts line, second from the bottom, that is simply wrong and misleads everyone: the environment variables take precedence here, and the settings in kibana.yaml are not used at all!!! Be sure to keep this in mind.
5. Postscript
Speechless, truly speechless. After all that work on self-signed certificates, a colleague reported certificate errors when connecting.
Fine, here is a docker-compose.yaml that does without certificates
services:
  es01:
    container_name: es
    # The Docker image to use for this service
    image: docker.elastic.co/elasticsearch/elasticsearch:8.18.6
    # The volumes to mount into this service
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
      - ./esdata01:/usr/share/elasticsearch/data
    # The ports to expose from this service
    ports:
      - 9200:9200
    # The environment variables to set inside the container
    environment:
      - node.name=es01
      - cluster.name=lancode-cluster
      - discovery.type=single-node
      - ELASTIC_PASSWORD=aaaaaaaaaaaa
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms10g -Xmx10g"
      - xpack.security.enabled=false
      - xpack.license.self_generated.type=basic
    # The memory limit for this service 12g = 1024*1024*1024*12
    mem_limit: 12884901888
    # The ulimits to set for this service
    ulimits:
      memlock:
        soft: -1
        hard: -1
    # The healthcheck to determine the health of this service
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s -I http://localhost:9200 | grep -q 'HTTP/1.1 200 OK'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
  # The kibana service represents a Kibana instance
  kibana:
    # This service depends on the es01 service
    depends_on:
      es01:
        condition: service_healthy
    container_name: kibana
    # The Docker image to use for this service
    image: docker.elastic.co/kibana/kibana:8.18.6
    # The volumes to mount into this service
    volumes:
      - ./certs:/usr/share/kibana/config/certs
      - ./kibanadata:/usr/share/kibana/data
    # The ports to expose from this service
    ports:
      - 5601:5601
    # The environment variables to set inside the container
    environment:
      - SERVERNAME=kibana
      - ELASTICSEARCH_HOSTS=http://es01:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=bbbbbbbbbbbbbbb
      - xpack.security.enabled=false
      - xpack.security.audit.enabled=true
      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=cccccccccccccccccccccc
    # The memory limit for this service 2g = 1024*1024*1024*2
    mem_limit: 2147483648
    # The healthcheck to determine the health of this service
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
The differences are xpack.security.enabled=false, which switches off TLS and authentication together (ports 9200 and 5601 then answer anyone who can reach them, so keep them behind a firewall), and the healthchecks, which now probe over plain HTTP.