elasticsearch6.8.4-docker部署升级方式以及安全加密

docker部署升级方式

项目中间件升级以及安全加固,这里记录一下,有需要的同学可以参考下
需要升级内容:elasticsearch、kibana、ik分词器
准备工作:下载ik分词器6.8.4版本放入elasticearch插件dir

  • elasticsearch升级
elasticserach 配置 dir
[root@localhost elasticsearch]# ls /docker/elasticsearch
config  data  logs  plugins
docker 配置 dir
[root@localhost elastic]# ls /opt/elastic/
elastic.yml

1. 进入elasticearch插件 dir
cd /docker/elasticsearch/plugins/ik

2. 修改插件对应版本号
vim plugin-descriptor.properties
elasticsearch.version=6.8.4

3. 修改midleware.yml
vim midleware.yml
elasticsearch:
    image: elasticsearch:6.8.4 //原镜像版本6.6.0
    environment:
      TZ: Asia/Shanghai    
    volumes:
      - /docker/elasticsearch/data:/usr/share/elasticsearch/data
      - /docker/elasticsearch/config:/usr/share/elasticsearch/config
      - /docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins
      - /etc/localtime:/etc/localtime
    container_name: elasticsearch
    network_mode: host
    restart: always

docker-compose -f /opt/midleware/midleware.yml down \ docker stop elasticsearch 关闭容器
docker-compose -f /opt/midleware/midleware.yml up -d \ docker start elasticsearch 启动容器
elasticsearch升级ok
  • kibana升级
kibana配置 dir
[root@localhost opt]# ls /docker/kibana/
config  data
docker配置 dir
[root@localhost kibana]# ls /opt/kibana/
kibana.yml

修改kibana.yml
vim kibana.yml
kibana:
    image: kibana:6.8.4 //原版本6.6.0
    environment:
      TZ: Asia/Shanghai
    volumes:
      - /docker/kibana/data:/usr/share/kibana/data
      - /docker/kibana/config:/usr/share/kibana/config
      - /etc/localtime:/etc/localtime      
    container_name: kibana
    network_mode: "host"
    restart: always
docker-compose -f /opt/kibana/kibana.yml down \ docker stop kibana 关闭容器
docker-compose -f /opt/kibana/kibana.yml up -d \ docker start kibana 启动容器
kibana升级ok
  • elasticsearch 添加安全验证
添加x-pack验证
vim /docker/elasticsearch/config/elasticsearch.yml
cluster.name: "elasticsearch"
http.port: 9201
transport.tcp.port: 9301 
network.host: 0.0.0.0 
http.cors.enabled: true
http.cors.allow-origin: "*"
# add x-pack验证
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

重启容器
docker restart elasticsearch
进入容器
docker exec -it elasticsearch bash
容器内部elastic
[root@localhost elasticsearch]# ls
LICENSE.txt  README.textile  config  lib   modules
NOTICE.txt   bin             data    logs  plugins

bin/elasticsearch-setup-passwords指令 help
[root@localhost elasticsearch]# bin/elasticsearch-setup-passwords --help
Sets the passwords for reserved users

Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user

Non-option arguments:
command              

Option         Description        
------         -----------        
-h, --help     show help          
-s, --silent   show minimal output
-v, --verbose  show verbose output

bin/elasticsearch-setup-passwords interactive --设置密码

Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

测试连接
curl --user elastic:passwd localhost:9201
  • kibana添加安全验证
配置文件中添加连接elastic的用户密码
vim /docker/kibana/config/kibana.yml
[root@localhost opt]# cat /docker/kibana/config/kibana.yml 
---
# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: "0"
elasticsearch.url: http://localhost:9201
xpack.monitoring.ui.container.elasticsearch.enabled: false
# add elastic用户密码
elasticsearch.username: "elastic"
elasticsearch.password: "passwd"

docker restart kibana 重启容器
访问:localhost:5601  user --kibana passwd --passwd


注:


1. 索引状态为red时设置密码失败率极大
2. 进入容器后检查esticsearch-keystore这个文件是否存在,如果有直接设置密码,如果没有可以调用
[root@localhost elasticsearch]# bin/elasticsearch-keystore create
bin/elasticsearch-keystore指令 help
[root@localhost elasticsearch]# bin/elasticsearch-keystore --help
A tool for managing settings stored in the elasticsearch keystore

Commands
--------
create - Creates a new elasticsearch keystore
list - List entries in the keystore
add - Add a string setting to the keystore
add-file - Add a file setting to the keystore
remove - Remove a setting from the keystore
upgrade - Upgrade the keystore format

Non-option arguments:
command              

Option         Description        
------         -----------        
-h, --help     show help          
-s, --silent   show minimal output
-v, --verbose  show verbose output
3. 如果要已经创建过密码了,想要重新创建,执行
bin/elasticsearch-setup-passwords interactive --设置密码
可能会出现如下内容:
Possible causes include:
 * The password for the 'elastic' user has already been changed on this cluster
 * Your elasticsearch node is running against a different keystore
 * This tool used the keystore at /usr/share/elasticsearch/config/elasticsearch.keystore
这要如何解决呢
删除创建密码时生成的密码索引就ok了
curl -XDELETE -u user:passwd http://localhsot:9201/.security-6
然后就可以愉快的重新创建了
4. 如果密码忘了的话可以把x-pack验证关掉
# close x-pack验证
#xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true
重启es,查到密码索引删除即可,然后就可以重新设置新密码了
curl -XGET http://localhost/_cat/indices
.security-6这个即是密码索引(可能其他版本是其他的,不过应该都是 .security-*类似这样的名称)
  • elasticsearch 自定义添加用户方式:
1. 在docker 配置 dir中添加 users 、user_roles俩目录
[root@localhost opt]# echo > /docker/elastic/users
[root@localhost opt]# echo > /docker/elastic/users_roles
2. 启动进入容器
[root@localhost opt]# docker start elsaticsearch
[root@localhost opt]# docker exec -it elsaticsearch bash
3. 查看自定义用户相关命令
[root@localhost elasticsearch]# bin/elasticsearch-users -h
Manages elasticsearch file users

Commands
--------
useradd - Adds a file user
userdel - Deletes a file based user
passwd - Changes the password of an existing file based user
roles - Edit roles of an existing user
list - List existing file based users and their corresponding roles

Non-option arguments:
command              

Option         Description        
------         -----------        
-h, --help     show help          
-s, --silent   show minimal output
-v, --verbose  show verbose output
4. 查看elastic用户角色名称
[root@localhost elasticsearch]# bin/elasticsearch-setup-passwords interactive -v
Running with configuration path: /usr/share/elasticsearch/configs interactive -v 

Testing if bootstrap password is valid for http://192.168.2.211:19200/_xpack/security/_authenticate?pretty
{
  "username" : "elastic",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "_reserved" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "lookup_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  }
}


Checking cluster health: http://192.168.2.211:19200/_cluster/health?pretty
{
  "cluster_name" : "qgs-elasticsearch",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 3,
  "active_shards" : 3,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]
4. 创建用户
[root@localhost elasticsearch]# bin/elasticsearch-users useradd admin --创建用户
[root@localhost elasticsearch]# bin/elasticsearch-users roles admin -a superuser--添加角色
curl -u admin:admin localhost:9201/_cat/indices?v --测试访问
5. 密码修改
[root@localhost elasticsearch]# bin/elasticsearch-users passwd admin --修改admin用户密码

ok~.~

你可能感兴趣的:(Docker,elasticsearch,kibana)