ES加密集群部署

一、ELK架构说明

  • elasticsearch:日志存储与检索服务,提供RESTful接口;
  • logstash:数据采集和过滤分析,主要是做数据过滤;
  • kibana:负责页面的展示,包含日志展示、ES操作等;

二、ES单节点部署

2.1 准备工作
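# Create the host directories that the compose file bind-mounts into the container.
mkdir -p /data/application/es1/{data,logs,conf}
# Elastic's Docker documentation states the image runs Elasticsearch as uid 1000 with
# gid 0. Give the writable directories to that identity rather than using mode 777,
# which lets every local account on the host read and modify index data and anything
# else stored under data/.
chown -R 1000:0 /data/application/es1/{data,logs}
chmod 770 /data/application/es1/{data,logs}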
2.2 定义配置
vim /data/application/es1/conf/elasticsearch.yml
#
# Paths are the in-container locations; the compose file bind-mounts ./data and ./logs here.
path:
  data: /usr/share/elasticsearch/data
  logs: /usr/share/elasticsearch/logs
xpack:
  security:
    # Turns on authentication for the node. No xpack.security.http.ssl.* keys are set,
    # so the REST port still speaks plain HTTP and credentials are sent unencrypted.
    enabled: true
2.3 编排服务
vim /data/application/es1/docker-compose.yml
# Single-node Elasticsearch service, run from /data/application/es1.
version: '3'
services:
  es:
    image: docker.io/library/elasticsearch:7.9.3
    hostname: es1
    restart: always
    environment:
      # JVM heap pinned to 1 GiB (min == max).
      - 'ES_JAVA_OPTS=-Xms1g -Xmx1g'
      - 'node.name=es1'
      # Single-node discovery: the node does not look for peers.
      - 'discovery.type=single-node'
      # Needs the unlimited memlock ulimit declared below.
      - 'bootstrap.memory_lock=true'
      # Bind the REST API to every interface inside the container.
      - 'network.host=0.0.0.0'
      - 'http.port=9200'
      # NOTE(review): CORS is enabled with a wildcard origin, so any web page may issue
      # cross-origin requests to this API. Drop both lines if no browser client needs
      # them, or replace '*' with the exact origin of that client.
      - 'http.cors.enabled=true'
      - 'http.cors.allow-origin=*'
    ports:
      # NOTE(review): published on all host interfaces and served over plain HTTP.
      # Restrict reachability with a host firewall or a host-IP prefix on this mapping.
      - '9200:9200'
    volumes:
      - ./conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./data:/usr/share/elasticsearch/data
      - ./logs:/usr/share/elasticsearch/logs
    ulimits:
      # -1 means unlimited locked memory, which bootstrap.memory_lock relies on.
      memlock:
        hard: -1
        soft: -1
      # Raised open-file limit for the Elasticsearch process.
      nofile:
        hard: 655360
        soft: 655360
# Run from /data/application/es1, next to docker-compose.yml; starts the service in the background.
docker-compose up --detach
2.4 创建账号
# Open an interactive shell in the Elasticsearch container (f706 is the example container ID).
docker exec --interactive --tty f706 bash
# Then run ONE of the two commands below; they are alternatives, not a sequence.
# Option 1 (the author's recommendation): generate random passwords for the built-in
# users. They are printed to the terminal, so record them somewhere safe straight away.
elasticsearch-setup-passwords auto
# Option 2: type a password for each built-in user by hand.
elasticsearch-setup-passwords interactive


2.5 访问验证
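# Pass only the user name so that curl prompts for the password. A password written
# after "-u user:" is kept in shell history and is visible in the process list.
# NOTE(review): the URL is plain HTTP, so the credentials cross the network
# unencrypted unless TLS is also enabled on the HTTP layer.
curl -u elastic http://10.0.0.21:9200/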

三、ES加密集群

3.1 集群特点
  • 索引的分片会将数据分配到不同节点上;
  • 每个分片可设置多个副本,提高查询效率并提供备份;
  • 集群中任意节点查询结果一致;
  • 集群节点之间使用证书加密交互(下文配置只加密节点间的transport通信,9200端口的HTTP接口仍为明文),用户访问需要账号密码;
3.2 证书创建
# Open a shell in the Elasticsearch container (f706 is the example container ID).
docker exec -it f706 bash
# Create a certificate authority in PKCS#12 form with an empty password. The relative
# path puts the file in the container's data directory, which is the bind-mounted
# ./data directory on the host.
# NOTE(review): "ca" mode writes a CA keystore, which holds the CA private key, and
# section 3.4 loads this same file as every node's keystore and truststore. The more
# usual flow issues a separate node certificate from the CA
# (elasticsearch-certutil cert --ca ...) and protects both files with a password.
elasticsearch-certutil ca -out data/elastic-certificates.p12 -pass ""
3.3 证书拷贝
# Leave the container, then copy the certificate from the bind-mounted data directory
# to every other ES node (mind the permissions on the certificate file).
# NOTE(review): this puts the file in root's home directory on 10.0.0.22. It presumably
# still has to be moved into that node's ./data directory so the keystore path in
# elasticsearch.yml resolves. Keep it readable only by the account the container runs as.
scp ./data/elastic-certificates.p12 root@10.0.0.22:~
3.4 修改配置
vim /data/application/es1/conf/elasticsearch.yml
#
# Paths are the in-container locations; the compose file bind-mounts ./data and ./logs here.
path:
  data: /usr/share/elasticsearch/data
  logs: /usr/share/elasticsearch/logs
xpack:
  security:
    # Authentication on. No xpack.security.http.ssl.* keys are set, so the REST
    # port still speaks plain HTTP.
    enabled: true
    transport:
      ssl:
        # TLS for node-to-node (transport) traffic only.
        enabled: true
        # "certificate" checks that the peer certificate is signed by a trusted CA
        # but skips hostname verification.
        verification_mode: certificate
        # NOTE(review): keystore and truststore are the same PKCS#12 file, stored
        # in the data directory. No keystore password is configured, which matches
        # the empty password used when the file was generated.
        keystore:
          path: /usr/share/elasticsearch/data/elastic-certificates.p12
        truststore:
          path: /usr/share/elasticsearch/data/elastic-certificates.p12
3.5 定义编排
# es-master-node (es1, 10.0.0.21)
version: '3'
services:
  es:
    image: docker.io/library/elasticsearch:7.9.3
    hostname: es
    restart: always
    # NOTE(review): with host networking there is no port mapping. Ports 9200 and
    # 9300 are opened directly on the host, and network.host=0.0.0.0 binds them
    # on every interface. Use a host firewall to limit 9300 to the cluster peers
    # and 9200 to the intended clients.
    network_mode: 'host'
    # Name resolution for the peer names used in the discovery host list.
    extra_hosts:
      - 'es1:10.0.0.21'
      - 'es2:10.0.0.22'
    environment:
      # JVM heap pinned to 1 GiB (min == max).
      - 'ES_JAVA_OPTS=-Xms1g -Xmx1g'
      - 'cluster.name=docker-es-cluster'
      - 'node.name=es1'
      # Roles held by this node.
      - 'node.master=true'
      - 'node.data=true'
      - 'node.ingest=true'
      # Needs the unlimited memlock ulimit declared below.
      - 'bootstrap.memory_lock=true'
      - 'network.host=0.0.0.0'
      - 'http.port=9200'
      - 'transport.tcp.port=9300'
      # Cluster bootstrap and peer discovery.
      # NOTE(review): the discovery.zen.* and transport.tcp.port names look like
      # the pre-7.x spellings; check the 7.9 deprecation log.
      - 'cluster.initial_master_nodes=es1'
      - 'discovery.zen.ping.unicast.hosts=es1:9300,es2:9300'
      - 'discovery.zen.minimum_master_nodes=1'
      # NOTE(review): CORS is enabled with a wildcard origin, so any web page may
      # issue cross-origin requests to this API. Drop both lines if no browser
      # client needs them, or replace '*' with the exact origin of that client.
      - 'http.cors.enabled=true'
      - 'http.cors.allow-origin=*'
    volumes:
      - ./conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./data:/usr/share/elasticsearch/data
      - ./logs:/usr/share/elasticsearch/logs
    ulimits:
      # -1 means unlimited locked memory, which bootstrap.memory_lock relies on.
      memlock:
        hard: -1
        soft: -1
      nofile:
        hard: 655360
        soft: 655360
# es-data-node (es2, 10.0.0.22)
version: '3'
services:
  es:
    image: docker.io/library/elasticsearch:7.9.3
    hostname: es
    restart: always
    # NOTE(review): with host networking there is no port mapping. Ports 9200 and
    # 9300 are opened directly on the host, and network.host=0.0.0.0 binds them
    # on every interface. Use a host firewall to limit 9300 to the cluster peers
    # and 9200 to the intended clients.
    network_mode: 'host'
    # Name resolution for the peer names used in the discovery host list.
    extra_hosts:
      - 'es1:10.0.0.21'
      - 'es2:10.0.0.22'
    environment:
      # JVM heap pinned to 1 GiB (min == max).
      - 'ES_JAVA_OPTS=-Xms1g -Xmx1g'
      - 'cluster.name=docker-es-cluster'
      - 'node.name=es2'
      # NOTE(review): node.master is not set here, so the 7.x default (true)
      # applies and this node is master-eligible despite the "data node" label.
      # Add node.master=false if a data-only node is intended.
      - 'node.data=true'
      - 'node.ingest=true'
      # Needs the unlimited memlock ulimit declared below.
      - 'bootstrap.memory_lock=true'
      - 'network.host=0.0.0.0'
      - 'http.port=9200'
      - 'transport.tcp.port=9300'
      # Cluster bootstrap and peer discovery, same values as on es1.
      - 'cluster.initial_master_nodes=es1'
      - 'discovery.zen.ping.unicast.hosts=es1:9300,es2:9300'
      - 'discovery.zen.minimum_master_nodes=1'
      # NOTE(review): CORS is enabled with a wildcard origin, so any web page may
      # issue cross-origin requests to this API. Drop both lines if no browser
      # client needs them, or replace '*' with the exact origin of that client.
      - 'http.cors.enabled=true'
      - 'http.cors.allow-origin=*'
    volumes:
      - ./conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./data:/usr/share/elasticsearch/data
      - ./logs:/usr/share/elasticsearch/logs
    ulimits:
      # -1 means unlimited locked memory, which bootstrap.memory_lock relies on.
      memlock:
        hard: -1
        soft: -1
      nofile:
        hard: 655360
        soft: 655360
# Presumably run on each node, in the directory holding that node's compose file;
# starts the service in the background.
docker-compose up --detach
3.6 设置账号
# Open an interactive shell in an Elasticsearch container of the cluster
# (138c is the example container ID).
docker exec --interactive --tty 138c bash
# Generate random passwords for the built-in users. They are printed to the terminal,
# so record them somewhere safe straight away.
elasticsearch-setup-passwords auto
3.7 访问验证