Docker and Docker Compose are prerequisites. For installation, see the standard documentation or the earlier related articles.
instances.yml
```yaml
instances:
  - name: es01
    dns: ["es01", "localhost"]
    ip: ["127.0.0.1"]
  - name: kib01
    dns: ["kib01", "localhost"]
```
.env
```
COMPOSE_PROJECT_NAME=es
CERTS_DIR=/usr/share/elasticsearch/config/certificates
VERSION=7.8.0
```
create-certs.yml
```yaml
version: '2.2'

services:
  create_certs:
    image: elasticsearch:${VERSION}
    container_name: create_certs
    # Generate the PEM bundle once, unpack it, and hand it to uid 1000
    # (the elasticsearch user inside the image).
    command: >
      bash -c '
        yum install -y -q -e 0 unzip;
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs;
        fi;
        chown -R 1000:0 /certs
      '
    working_dir: /usr/share/elasticsearch
    volumes:
      - certs:/certs
      - .:/usr/share/elasticsearch/config/certificates
    networks:
      - elastic

volumes:
  certs:

# The service references this network, so it has to be declared.
networks:
  elastic:
    driver: bridge
```
elastic-docker-tls.yml
```yaml
version: '2.2'

services:
  es01:
    image: elasticsearch:${VERSION}
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      # TLS on the HTTP (REST) layer
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      # TLS on the transport (node-to-node) layer
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data01:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
    ports:
      - 9200:9200
    networks:
      - elastic
    healthcheck:
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200
      interval: 30s
      timeout: 10s
      retries: 5

  kib01:
    image: kibana:${VERSION}
    container_name: kib01
    depends_on: {"es01": {"condition": "service_healthy"}}
    ports:
      - 5601:5601
    environment:
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://es01:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      ELASTICSEARCH_USERNAME: kibana_system
      ELASTICSEARCH_PASSWORD: CHANGEME
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
      SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
    volumes:
      - certs:$CERTS_DIR
    networks:
      - elastic

volumes:
  data01:
  certs:

# The services reference this network, so it has to be declared.
networks:
  elastic:
    driver: bridge
```
docker-compose -f create-certs.yml run --rm create_certs
At this point the certificate files should have been generated under /var/lib/docker/volumes/es_certs/_data, such as bundle.zip, ca, es01 and kib01.
docker-compose -f elastic-docker-tls.yml up -d
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords auto --batch --url https://es01:9200"
Record the generated passwords for later use.
Update the Kibana password in elastic-docker-tls.yml. In the Kibana section, set the following:
ELASTICSEARCH_PASSWORD: your_kibana_password
Make sure to replace the password with a secure, strong one.
docker-compose -f elastic-docker-tls.yml stop
docker-compose -f elastic-docker-tls.yml up -d
Open https://<hostname>:5601 to reach the Kibana interface.
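A preflight check that can be run against elastic-docker-tls.yml before the restart step, to catch a password that is still a placeholder or TLS settings that were weakened while editing. This is an added example, not part of the original article; the function name `lint_compose_tls` and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: line-based preflight lint for elastic-docker-tls.yml.
# Assumes this page's layout: "- key=value" entries for es01 and
# "KEY: value" entries for kib01. It does not parse YAML.
lint_compose_tls() {
  file=$1; problems=0
  fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

  # Authentication and both TLS layers (HTTP, transport) must be enabled.
  for key in xpack.security.enabled xpack.security.http.ssl.enabled \
             xpack.security.transport.ssl.enabled; do
    grep -Fq -- "- ${key}=true" "$file" || fail "$key is not set to true"
  done
  # verification_mode=none would accept any peer certificate.
  if grep -Fq 'ssl.verification_mode=none' "$file"; then
    fail "an ssl.verification_mode is set to none"
  fi
  # The placeholder must be replaced once setup-passwords has run.
  if grep -Eq 'ELASTICSEARCH_PASSWORD:[[:space:]]*"?(CHANGEME|your_kibana_password)"?[[:space:]]*$' "$file"; then
    fail "ELASTICSEARCH_PASSWORD is still a placeholder"
  fi
  # Kibana must reach Elasticsearch over HTTPS.
  if grep -Eq 'ELASTICSEARCH_(URL|HOSTS):[[:space:]]*"?http://' "$file"; then
    fail "Kibana connects to Elasticsearch over plain HTTP"
  fi
  # A curl healthcheck must validate the certificate (no -k / --insecure).
  if grep -E 'test:.*curl' "$file" |
     grep -Eq '[[:space:]](-[a-zA-Z]*k[a-zA-Z]*|--insecure)([[:space:]]|$)'; then
    fail "healthcheck runs curl with certificate validation disabled"
  fi
  [ "$problems" -eq 0 ]
}

# Constructed sample: trimmed lines from this page's file, password not yet set.
sample=$(mktemp)
cat > "$sample" <<'EOF'
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      ELASTICSEARCH_PASSWORD: CHANGEME
EOF
lint_compose_tls "$sample" || echo "Fix the findings above before running up -d."
rm -f "$sample"
```

The function returns non-zero when any check fails, so it can gate the `up -d` command in a deployment script.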
Filebeat can be installed in several ways. Here it is installed from the tar package and then configured so that it communicates over SSL.
```yaml
# Output to Elasticsearch
output.elasticsearch:
  hosts: ["https://127.0.0.1:9200"]
  protocol: "https"
  username: elastic
  password: rMesfHfEETESJEliJSIv
  ssl.certificate_authorities: ["/root/filebeat/ca.crt"]
  ssl.certificate: /root/filebeat/es01.crt
  ssl.key: /root/filebeat/es01.key
  index: "tiktok-%{+yyyy.MM.dd}"
```
The configuration above gives Filebeat the SSL information it needs to communicate with Elasticsearch. Once it is in place, Filebeat can collect logs and write them to Elasticsearch over HTTPS.
Reposted from: http://oheyk.baihongyu.com/