项目中间件升级以及安全加固,这里记录一下,有需要的同学可以参考下
需要升级内容:elasticsearch、kibana、ik分词器
准备工作:下载 ik 分词器 6.8.4 版本（需与 elasticsearch 版本一致），放入 elasticsearch 插件目录
elasticsearch 配置目录
[root@localhost elasticsearch]# ls /docker/elasticsearch
config data logs plugins
docker 配置 dir
[root@localhost elastic]# ls /opt/elastic/
elastic.yml
1. 进入 elasticsearch 插件目录
cd /docker/elasticsearch/plugins/ik
2. 修改插件对应版本号
vim plugin-descriptor.properties
elasticsearch.version=6.8.4
3. 修改midleware.yml
vim midleware.yml
elasticsearch:
image: elasticsearch:6.8.4   # 原镜像版本 6.6.0（YAML 注释用 #，写成 // 会被当作镜像名的一部分）
environment:
TZ: Asia/Shanghai
volumes:
- /docker/elasticsearch/data:/usr/share/elasticsearch/data
- /docker/elasticsearch/config:/usr/share/elasticsearch/config
- /docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins
- /etc/localtime:/etc/localtime
container_name: elasticsearch
network_mode: host
restart: always
关闭容器：docker-compose -f /opt/midleware/midleware.yml down  或  docker stop elasticsearch
启动容器：docker-compose -f /opt/midleware/midleware.yml up -d  或  docker start elasticsearch
elasticsearch升级ok
kibana配置 dir
[root@localhost opt]# ls /docker/kibana/
config data
docker配置 dir
[root@localhost kibana]# ls /opt/kibana/
kibana.yml
修改kibana.yml
vim kibana.yml
kibana:
image: kibana:6.8.4   # 原版本 6.6.0（YAML 注释用 #，写成 // 会被当作镜像名的一部分）
environment:
TZ: Asia/Shanghai
volumes:
- /docker/kibana/data:/usr/share/kibana/data
- /docker/kibana/config:/usr/share/kibana/config
- /etc/localtime:/etc/localtime
container_name: kibana
network_mode: "host"
restart: always
关闭容器：docker-compose -f /opt/kibana/kibana.yml down  或  docker stop kibana
启动容器：docker-compose -f /opt/kibana/kibana.yml up -d  或  docker start kibana
kibana升级ok
添加x-pack验证
vim /docker/elasticsearch/config/elasticsearch.yml
cluster.name: "elasticsearch"
http.port: 9201
transport.tcp.port: 9301
network.host: 0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"   # 允许任意来源跨域访问；配合 network.host: 0.0.0.0 时建议改为具体来源
# add x-pack验证
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true   # 还需配置 transport 证书（如 xpack.security.transport.ssl.keystore.path），否则节点可能无法启动
重启容器
docker restart elasticsearch
进入容器
docker exec -it elasticsearch bash
容器内部elastic
[root@localhost elasticsearch]# ls
LICENSE.txt README.textile config lib modules
NOTICE.txt bin data logs plugins
bin/elasticsearch-setup-passwords指令 help
[root@localhost elasticsearch]# bin/elasticsearch-setup-passwords --help
Sets the passwords for reserved users
Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user
Non-option arguments:
command
Option Description
------ -----------
-h, --help show help
-s, --silent show minimal output
-v, --verbose show verbose output
bin/elasticsearch-setup-passwords interactive   # 交互式设置各内置用户密码
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
测试连接（密码直接写在命令行会留在 shell 历史和 ps 输出中，可只写 -u elastic 让 curl 交互式提示输入）
curl --user elastic:passwd localhost:9201
配置文件中添加连接elastic的用户密码
vim /docker/kibana/config/kibana.yml
[root@localhost opt]# cat /docker/kibana/config/kibana.yml
---
# Default Kibana configuration from kibana-docker.
server.name: kibana
server.host: "0"
elasticsearch.url: http://localhost:9201
xpack.monitoring.ui.container.elasticsearch.enabled: false
# add elastic用户密码
elasticsearch.username: "elastic"
elasticsearch.password: "passwd"   # 明文密码，注意限制该配置文件的读取权限
重启容器：docker restart kibana
访问 localhost:5601 登录，用户名 kibana，密码为上面设置的 passwd
注:
1. 索引状态为red时设置密码失败率极大
2. 进入容器后检查 config 目录下 elasticsearch.keystore 这个文件是否存在,如果有则直接设置密码,如果没有可以先执行下面命令创建
[root@localhost elasticsearch]# bin/elasticsearch-keystore create
bin/elasticsearch-keystore指令 help
[root@localhost elasticsearch]# bin/elasticsearch-keystore --help
A tool for managing settings stored in the elasticsearch keystore
Commands
--------
create - Creates a new elasticsearch keystore
list - List entries in the keystore
add - Add a string setting to the keystore
add-file - Add a file setting to the keystore
remove - Remove a setting from the keystore
upgrade - Upgrade the keystore format
Non-option arguments:
command
Option Description
------ -----------
-h, --help show help
-s, --silent show minimal output
-v, --verbose show verbose output
3. 如果已经创建过密码,想要重新创建,执行
bin/elasticsearch-setup-passwords interactive   # 重新设置密码
可能会出现如下内容:
Possible causes include:
* The password for the 'elastic' user has already been changed on this cluster
* Your elasticsearch node is running against a different keystore
* This tool used the keystore at /usr/share/elasticsearch/config/elasticsearch.keystore
这要如何解决呢
删除创建密码时生成的密码索引就可以了（注意：该索引同时保存 native realm 中的用户、角色等安全数据，删除会一并清空）
curl -XDELETE -u user:passwd http://localhost:9201/.security-6
然后就可以愉快的重新创建了
4. 如果密码忘了的话可以先把 x-pack 验证关掉（关闭期间 es 没有任何认证保护，需确保此时只有本机或受信网络能访问 9201 端口）
# close x-pack验证
#xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true
重启es,查到密码索引删除即可,然后就可以重新设置新密码了
curl -XGET http://localhost/_cat/indices
.security-6这个即是密码索引(可能其他版本是其他的,不过应该都是 .security-*类似这样的名称)
1. 在 docker 配置目录中添加 users 、users_roles 两个文件（file realm 使用的用户和角色文件）
[root@localhost opt]# echo > /docker/elastic/users
[root@localhost opt]# echo > /docker/elastic/users_roles
2. 启动进入容器
[root@localhost opt]# docker start elasticsearch
[root@localhost opt]# docker exec -it elasticsearch bash
3. 查看自定义用户相关命令
[root@localhost elasticsearch]# bin/elasticsearch-users -h
Manages elasticsearch file users
Commands
--------
useradd - Adds a file user
userdel - Deletes a file based user
passwd - Changes the password of an existing file based user
roles - Edit roles of an existing user
list - List existing file based users and their corresponding roles
Non-option arguments:
command
Option Description
------ -----------
-h, --help show help
-s, --silent show minimal output
-v, --verbose show verbose output
4. 查看elastic用户角色名称
[root@localhost elasticsearch]# bin/elasticsearch-setup-passwords interactive -v
Running with configuration path: /usr/share/elasticsearch/configs interactive -v
Testing if bootstrap password is valid for http://192.168.2.211:19200/_xpack/security/_authenticate?pretty
{
"username" : "elastic",
"roles" : [
"superuser"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true,
"authentication_realm" : {
"name" : "reserved",
"type" : "reserved"
},
"lookup_realm" : {
"name" : "reserved",
"type" : "reserved"
}
}
Checking cluster health: http://192.168.2.211:19200/_cluster/health?pretty
{
"cluster_name" : "qgs-elasticsearch",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 3,
"active_shards" : 3,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]
5. 创建用户
[root@localhost elasticsearch]# bin/elasticsearch-users useradd admin   # 创建用户,会提示输入密码
[root@localhost elasticsearch]# bin/elasticsearch-users roles admin -a superuser   # 添加角色（-a 与角色名之间要有空格）
curl -u admin:admin localhost:9201/_cat/indices?v   # 测试访问；admin:admin 仅为示例,superuser 账号应使用强密码
6. 密码修改
[root@localhost elasticsearch]# bin/elasticsearch-users passwd admin   # 修改 admin 用户密码
ok~.~