How to install Elasticsearch7.6 cluster in docker and set password

Some basic configuration
About versions and docker images
start
About elasticsearch.yml
About the certificate elastic-certificates.p12
Generate Password
Use password
forget the password

Starting from Elasticsearch 6.8, free users are allowed to use the security features of X-Pack. Previously, installing es was a naked process. Next, we will record how to configure security authentication.

To simplify the physical installation process, we will use docker to install our service.

Some basic configuration

es needs to modify some parameters of linux.

Set vm.max_map_count=262144

sudo vim /etc/sysctl.conf
vm.max_map_count=262144

Do not restart, directly take effect of the current command

sysctl -w vm.max_map_count=262144

The data and logs directories of es need to be authorized to 1000 users. We assume that three es clusters are installed and create the corresponding data storage files first.

mkdir -p es01/data
mkdir -p es01/logs
mkdir -p es02/data
mkdir -p es02/logs
mkdir -p es03/data
mkdir -p es03/logs

## es's user ID is 1000, so let's temporarily authorize it to everyone sudo chmod 777 es* -R

About versions and docker images

Elasticsearch has several licenses, of which Open Source and Basic are free. Security features were only integrated into the Basic license after version 6.8.

The corresponding docker image of Basic is

docker pull docker.elastic.co/elasticsearch/elasticsearch:7.6.2

At the same time, Dockerhub is synchronized to elasticsearch. We can directly pull elasticsearch:7.6.2 .

start

First, create docker-compose.yml

version: '2.2'
services:
  es01:
    image: elasticsearch:7.6.2
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es01/data:/usr/share/elasticsearch/data
      - ./es01/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9200:9200
    networks:
      - elastic

  es02:
    image: elasticsearch:7.6.2
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es02/data:/usr/share/elasticsearch/data
      - ./es02/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9201:9200
    networks:
      - elastic

  es03:
    image: elasticsearch:7.6.2
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./es03/data:/usr/share/elasticsearch/data
      - ./es03/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9202:9200
    networks:
      - elastic

  kib01:
    depends_on: 
      -es01
    image: kibana:7.6.2
    container_name: kib01
    ports:
      -5601:5601
    environment:
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: http://es01:9200
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic

networks:
  elastic:
    driver: bridge

About elasticsearch.yml

The content is as follows

network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12

xpack.security.audit.enabled: true

network.host setting allows other IPs to access and releases IP binding
xpack.security is a security-related configuration, in which the SSL certificate needs to be generated by yourself

About the certificate elastic-certificates.p12

es provides a tool for generating certificates elasticsearch-certutil , which we can generate in the docker instance, copy out, and use uniformly later.

First run the es instance

sudo docker run -dit --name=es elasticsearch:7.6.2 /bin/bash

Enter the instance

sudo docker exec -it es /bin/bash

Generate ca: elastic-stack-ca.p12

[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 :

Regenerate cert: elastic-certificates.p12

[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.

The elastic-certificates.p12 generated is what we need to use.

Copy the certificate and press ctrl+d to exit the container.

sudo docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 .
# Close this container sudo docker kill es
sudo docker rm es

The certificate is thus obtained.

Generate Password

We first need to start the es cluster and generate a password in it.

sudo docker-compose up

Then enter one of

sudo docker exec -it es01 /bin/bash

Use auto to generate passwords and interactive to set them yourself

[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords -h
Sets the passwords for reserved users

Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user

Non-option arguments:
command              

Option Description        
------ -----------        
-E <KeyValuePair> Configure a setting
-h, --help Show help          
-s, --silent Show minimal output
-v, --verbose Show verbose output



[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = YxVzeT9B2jEDUjYp66Ws

Changed password for user kibana
PASSWORD kibana = 8NnThbj0N02iDaTGhidU

Changed password for user logstash_system
PASSWORD logstash_system = 9nIDGe7KSV8SQidSk8Dj

Changed password for user beats_system
PASSWORD beats_system = qeuVaf1VEALpJHfEUOjJ

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = DtZCrCkVTZsinRn3tW3D

Changed password for user elastic
PASSWORD elastic = q5f2qNfUJQyvZPIz57MZ

Use password

The browser accesses localhost:9200/9201/9202 and needs to enter the account

Just enter the corresponding elastic/password

Browse to localhost:5601

forget the password

What if you forget the password after generating it? You can log into the machine to modify it.

Enter the es machine

sudo docker exec -it es01 /bin/bash

Create a temporary superuser RyanMiao

./bin/elasticsearch-users useradd ryan -r superuser
Enter new password: 
ERROR: Invalid password...passwords must be at least [6] characters long
[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-users useradd ryan -r superuser
Enter new password: 
Retype new password:

Use this user to change the password of elastic:

curl -XPUT -u ryan:ryan123 http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d '
{
  "password": "q5f2qNfUJQyvZPIz57MZ"
}'

Reference http://codingfundas.com/setting-up-elasticsearch-6-8-with-kibana-and-x-pack-security-enabled/index.html

This is the end of this article about how to install Elasticsearch 7.6 cluster with docker and set passwords. For more information about installing Elasticsearch 7.6 cluster with docker, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in: