docker安装的es配置密码认证

前言

今天客户提出来，说es的端口是暴露出来的，可以直接取出来数据，按照要求，必须对9200进行密码配置。准备好几种方案，nginx的反向代理加上认证配置（但是是一个单体的服务，只在一台机器，所以没办法采用）。防火墙的配置（但是因为客户服务器的防火墙是关闭的，不能轻易打开防火墙）等

测试环境安装es

采用docker-compose安装

version: "3"
services:es-master:container_name: es-masterimage: elasticsearch:7.9.3hostname: es-masterrestart: alwaysuser: rootports:- 9200:9200- 9300:9300volumes:- ./elasticsearch/master/config:/usr/share/elasticsearch/config- ./elasticsearch/master/data:/usr/share/elasticsearch/data- ./elasticsearch/master/logs:/usr/share/elasticsearch/logsenvironment:- "ES_JAVA_OPTS=-Xms512m -Xmx512m"- "TZ=Asia/Shanghai"

启动后会报错，因此先不要挂载目录，先运行起来将容器的目录先copy出来

docker run -itd --name es -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" elasticsearch:7.9.3

docker cp es:/usr/share/elasticsearch/config   /root/retec/elasticsearch/master/
Successfully copied 18.9kB to /root/retec/elasticsearch/master/

设置虚拟缓存

#修改文件
sudo vim /etc/sysctl.conf#添加参数
...
vm.max_map_count = 262144

加载配置

sysctl -p

添加权限

chmod -R 777 ./elasticsearch/

配置文件

cluster.name: es-cluster
# 节点名称
node.name: es-master
# 是否可以成为master节点
node.master: true
# 是否允许该节点存储数据,默认开启
node.data: true
# 网络绑定
network.host: 0.0.0.0
# 设置对外服务的http端口
http.port: 9200
# 设置节点间交互的tcp端口
transport.port: 9300
# 集群发现
discovery.seed_hosts:- es-master
# 手动指定可以成为 mater 的所有节点的 name 或者 ip，这些配置将会在第一次选举中进行计算
cluster.initial_master_nodes:- es-master
# 支持跨域访问
http.cors.enabled: true
http.cors.allow-origin: "*"
# 安全认证
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

删除测试容器启动docker-compose

[root@bogon ~]# docker rm -f es
es
[root@bogon ~]# cd retec/
[root@bogon xxx]# ls
docker-compose.yml  elasticsearch
[root@bogon xxx]# docker-compose up -d

配置认证

进入容器

[root@bogon ~]# docker exec -it es-master bash
[root@es-master elasticsearch]#

生成证书1

[root@es-master elasticsearch]# ./bin/elasticsearch-certutil ca       一直回车

生成证书2

[root@es-master elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

一直回车即可

将证书移动到config

[root@es-master elasticsearch]# mv elastic-certificates.p12 ./config

[root@es-master elasticsearch]# mv elastic-certificates.p12 ./config
[root@es-master elasticsearch]# ll config/
total 32
-rw------- 1 root root 3451 May 11 11:39 elastic-certificates.p12
-rwxrwxrwx 1 root root  199 May 11 11:23 elasticsearch.keystore
-rwxrwxrwx 1 root root  537 May 11 11:35 elasticsearch.yml
-rwxrwxrwx 1 root root 2301 Oct 16  2020 jvm.options
drwxrwxrwx 2 root root    6 Oct 16  2020 jvm.options.d
-rwxrwxrwx 1 root root 7734 Oct 16  2020 log4j2.properties
-rwxrwxrwx 1 root root  473 Oct 16  2020 role_mapping.yml
-rwxrwxrwx 1 root root  197 Oct 16  2020 roles.yml
-rwxrwxrwx 1 root root    0 Oct 16  2020 users
-rwxrwxrwx 1 root root    0 Oct 16  2020 users_roles
[root@es-master elasticsearch]#

生成密码

[root@es-master elasticsearch]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]yChanged password for user apm_system
PASSWORD apm_system = vIB9alCzx09vLZY1jnrZChanged password for user kibana_system
PASSWORD kibana_system = 7Kr2v8XV180M2IJf79icChanged password for user kibana
PASSWORD kibana = 7Kr2v8XV180M2IJf79icChanged password for user logstash_system
PASSWORD logstash_system = GMKQlmsRSkp0nWkjDlqiChanged password for user beats_system
PASSWORD beats_system = oi5YAtZAesAeuZ3ThxTiChanged password for user remote_monitoring_user
PASSWORD remote_monitoring_user = jZZqmOkFLvXDnOzAs53pChanged password for user elastic
PASSWORD elastic = n7U0AvcGdfg8QsUXzeOx

一路回车，回车完后会打印生成的密码打印出来6个用户和密码

退出容器，增加配置并保存

cluster.name: es-cluster
# 节点名称
node.name: es-master
# 是否可以成为master节点
node.master: true
# 是否允许该节点存储数据,默认开启
node.data: true
# 网络绑定
network.host: 0.0.0.0
# 设置对外服务的http端口
http.port: 9200
# 设置节点间交互的tcp端口
transport.port: 9300
# 集群发现
discovery.seed_hosts:- es-master
# 手动指定可以成为 mater 的所有节点的 name 或者 ip，这些配置将会在第一次选举中进行计算
cluster.initial_master_nodes:- es-master
# 支持跨域访问
http.cors.enabled: true
http.cors.allow-origin: "*"
# 安全认证
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true

增加文件可访问权限
```
chmod -R 777 ./elasticsearch/
```
重启镜像
```
docker restart es-master
```

修改密码的规则

curl -u elastic:your_password -X POST http://localhost:9200/_security/user/elastic/_password -H 'Content-Type: application/json' -d '{"password" : "new_password"}'

elastic:your_password 现有的用户名和现在的密码

将其中的new_password替换为你想要设置的新密码

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.mzph.cn/diannao/10608.shtml

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈email:809451989@qq.com，一经查实，立即删除！