docker swarm 搭建ES集群(TLS版)

ES集群如果想要开启密码访问,则需要开启集群的TLS功能
所以在docker swarm 搭建ES集群的基础上增加TLS版的ES集群

docker-compose文件准备

  • docker-compose-es-cluster-tls.yml
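---
# Three-node Elasticsearch 7.10.1 cluster on Docker Swarm with password auth
# (xpack.security) and TLS on the transport layer. HTTP TLS is left disabled
# (the http.ssl lines stay commented), so Kibana reaches es01 over http://.
#
# The `elastic` password is read from the shell that runs `docker stack deploy`
# (export ELASTIC_PASSWORD=... first) instead of being written into this file,
# so the file can be shared or committed without leaking the credential.
version: '3.3'
services:
  # One-shot job: creates a CA and one instance certificate in the shared
  # `certs` volume, then exits. Each step is skipped if its archive exists.
  setup:
    image: elasticsearch:7.10.1
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
    command: >
      bash -c '
        if [ ! -f config/certs/ca.zip ]; then
          echo "Creating CA";
          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
          unzip config/certs/ca.zip -d config/certs;
        fi;
        if [ ! -f config/certs/certs.zip ]; then
          echo "Creating certs";
          bin/elasticsearch-certutil cert --silent --pem --name elasticsearch -out config/certs/certs.zip --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
          unzip config/certs/certs.zip -d config/certs;
          echo "Setting file permissions";
          chown -R root:root config/certs;
          find config/certs -type d -exec chmod 750 \{\} \;;
          find config/certs -type f -exec chmod 640 \{\} \;;
        fi;
      '
    networks:
      - elastic
    deploy:
      # mode: global
      # The job exits once the certs exist; with Swarm's default restart
      # condition (any) it would otherwise be relaunched every few seconds.
      restart_policy:
        condition: none
      placement:
        constraints:
          - node.labels.es.replica==1  # placement node

  kibana:
    image: kibana:7.10.1
    environment:
      # HTTP TLS is off on the ES nodes, hence http:// and the single-node URL.
      - ELASTICSEARCH_URL=http://es01:9200
      - ELASTICSEARCH_HOSTS=http://es01:9200
      - ELASTICSEARCH_USERNAME=elastic
      - "ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD:?export ELASTIC_PASSWORD before docker stack deploy}"
    ports:
      - "5601:5601"
    networks:
      - elastic
    deploy:
      mode: replicated
      replicas: 1
      resources:
        limits:
          memory: 800M
      placement:
        constraints:
          - node.labels.es.replica==1  # placement node

  es01:
    image: elasticsearch:7.10.1
    hostname: es01
    environment:
      - network.publish_host=es01
      - network.host=0.0.0.0
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - path.repo=/usr/share/elasticsearch/backups
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
      # Bootstraps the `elastic` user password; same variable Kibana uses.
      - "ELASTIC_PASSWORD=${ELASTIC_PASSWORD:?export ELASTIC_PASSWORD before docker stack deploy}"
      - xpack.security.enabled=true
      # HTTP TLS is disabled, so the REST API (and the password Kibana sends)
      # travels in plaintext on 9200. Enable these once Kibana is pointed at
      # https://; the paths match the `--name elasticsearch` certificate that
      # the setup job writes into certs.zip.
      # - xpack.security.http.ssl.enabled=true
      # - xpack.security.http.ssl.key=certs/elasticsearch/elasticsearch.key
      # - xpack.security.http.ssl.certificate=certs/elasticsearch/elasticsearch.crt
      # - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      # - xpack.security.http.ssl.verification_mode=certificate
      # NOTE(review): the CA's own key pair is used as every node's transport
      # identity, so ca.key ends up in each node's certs volume. The
      # per-instance pair in certs.zip (certs/elasticsearch/elasticsearch.key
      # and .crt) is the stronger choice when the whole certs directory can be
      # distributed to all nodes.
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/ca/ca.key
      - xpack.security.transport.ssl.certificate=certs/ca/ca.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=basic
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
      - es01_data:/usr/share/elasticsearch/data
      - es01_logs:/usr/share/elasticsearch/logs
    ports:
      # Published on the Swarm ingress, i.e. reachable on every node's
      # interfaces over plaintext HTTP; firewall it or drop it if only Kibana
      # (on the overlay network) needs the API.
      - "9200:9200"
    networks:
      - elastic
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.labels.es.replica==1  # placement node

  es02:
    image: elasticsearch:7.10.1
    hostname: es02
    environment:
      - network.publish_host=es02
      - network.host=0.0.0.0
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - path.repo=/usr/share/elasticsearch/backups
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
      # Security/TLS settings mirror es01; see the comments there.
      - xpack.security.enabled=true
      # - xpack.security.http.ssl.enabled=true
      # - xpack.security.http.ssl.key=certs/elasticsearch/elasticsearch.key
      # - xpack.security.http.ssl.certificate=certs/elasticsearch/elasticsearch.crt
      # - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      # - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/ca/ca.key
      - xpack.security.transport.ssl.certificate=certs/ca/ca.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=basic
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
      - es02_data:/usr/share/elasticsearch/data
      - es02_logs:/usr/share/elasticsearch/logs
    networks:
      - elastic
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.labels.es.replica==2  # placement node

  es03:
    image: elasticsearch:7.10.1
    hostname: es03
    environment:
      - network.publish_host=es03
      - network.host=0.0.0.0
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - path.repo=/usr/share/elasticsearch/backups
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
      # Security/TLS settings mirror es01; see the comments there.
      - xpack.security.enabled=true
      # - xpack.security.http.ssl.enabled=true
      # - xpack.security.http.ssl.key=certs/elasticsearch/elasticsearch.key
      # - xpack.security.http.ssl.certificate=certs/elasticsearch/elasticsearch.crt
      # - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      # - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/ca/ca.key
      - xpack.security.transport.ssl.certificate=certs/ca/ca.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=basic
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
      - es03_data:/usr/share/elasticsearch/data
      - es03_logs:/usr/share/elasticsearch/logs
    networks:
      - elastic
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.labels.es.replica==3  # placement node

# Local volumes: each node keeps its own data/logs; `certs` is per host too,
# which is why the CA material has to be copied to every node by hand.
volumes:
  certs:
    driver: local
  es01_data:
    driver: local
  es01_logs:
    driver: local
  es02_data:
    driver: local
  es02_logs:
    driver: local
  es03_data:
    driver: local
  es03_logs:
    driver: local

networks:
  elastic:
    external: true  # use the pre-created network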

针对ES集群,如果需要使用密码,则需要开启tls功能,以下内容详细说明了如何在docker-swarm集群中创建tls版的ES集群

1. 创建ca证书

使用docker-compose-es-cluster-tls.yml文件部署es集群

docker stack deploy -c docker-compose-es-cluster-tls.yml es

此时,只有es01有证书,需要将es01的证书拷贝到其他机器

# 可以在es01机器上用python起一个文件服务器,在其他节点下载解压到certs volume目录即可(该目录包含ca.key私钥,文件服务器只应在受信任的内网临时开启,拷贝完成后立即关闭)
# es01执行
cd /alidata1/docker/volumes/es_certs/_data && python -m SimpleHTTPServer
# 如果是python3,则执行:python -m http.server

# 在其他节点执行
wget http://172.25.173.133:8000/ca.zip && unzip ca.zip -d /alidata1/docker/volumes/es_certs/_data
# 重新启动es即可
  • 例如:scp -r ca 172.25.114.14:/alidata1/docker/volumes/es_certs/_data

2. 查看每个es服务的启动日志

  • 每个节点都显示如下日志,则ES集群启动成功
{"type": "server", "timestamp": "2023-03-17T07:52:21,844Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "es-docker-cluster", "node.name": "es03", "message": "started", "cluster.uuid": "06ycAo0wQJeiWsF8keBiFg", "node.id": "_TPFdso3Ss6_A-lqdx3e5Q"  }
  • 如果有节点没有起来,则可以再执行一遍部署命令,然后再观察
docker stack deploy -c docker-compose-es-cluster-tls.yml es

3. 访问kibana验证服务

  • 在kibana的Dev Tools中访问:GET /_cat/nodes,显示如下结果:
10.0.5.31  60 97 6 0.50 0.44 0.30 cdhilmrstw * es01
10.0.5.108 24 95 3 0.02 0.37 0.44 cdhilmrstw - es02
10.0.5.149 44 96 5 0.14 0.60 0.68 cdhilmrstw - es03

以上信息表示集群启动成功

至此,tls版的ES集群启动成功,可以实现密码访问控制
