- 1. Create the configuration files
- 1.1 Configuration variable definition file
- 1.2 Cluster-internal mutual-trust certificates
- 1.2.1 Instance definition file
- 1.2.2 Certificate service configuration file
- 1.3 Cluster configuration files
- 1.3.1 Cluster image build configuration file
- 1.3.2 Node configuration file
This guide builds on the official Elasticsearch installation documentation; the steps were run repeatedly on real machines and are recorded here for reference.
1. Create the configuration files
1.1 Configuration variable definition file
All of the configuration files below are adapted from the official configuration; if you run into problems in production, consult the originals.
Original configuration files: https://github.com/elastic/stack-docs/tree/main/docs/en/getting-started/docker
parameter.properties
```properties
# Elasticsearch version to install
VERSION=7.15.2
# replace username with your user name
WORKING_DIR=/home/${username}/es
```
docker-compose only loads a file named .env on its own, so pass this file explicitly (docker-compose --env-file parameter.properties -f create-cert.yml up) or copy it to .env; otherwise ${VERSION} and ${WORKING_DIR} in the compose files below stay empty.
1.2 Cluster-internal mutual-trust certificates
1.2.1 Instance definition file
(The username in parameter.properties above is the operating-system user name.)
instances.yml
```yaml
instances:
  - name: es01
    dns:
      - es01
      - localhost
    ip:
      - 127.0.0.1
  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1
  - name: es03
    dns:
      - es03
      - localhost
    ip:
      - 127.0.0.1
```
Each entry becomes one certificate whose subject alternative names are the listed dns and ip values; name must match the compose service name (es01, es02, es03), because that is how the nodes address each other and how the bundle's directories are named. Put this file in /data/es/certificates on the host, the directory create-cert.yml mounts at config/certificates (or point that mount at a directory under ${WORKING_DIR}).
1.2.2 Certificate service configuration file
create-cert.yml
```yaml
version: '2.2'
services:
  create_certs:
    container_name: create_certs
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    command: >
      bash -c '
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert
            --silent --pem --in config/certificates/instances.yml
            -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs;
        fi;
        chown -R 1000:0 /certs
      '
    user: "0"
    working_dir: /usr/share/elasticsearch
    volumes: ['${WORKING_DIR}/certs:/certs', '/data/es/certificates:/usr/share/elasticsearch/config/certificates']
```
Because no --ca is given, elasticsearch-certutil generates a new CA and ships it in the bundle, so after unzip ${WORKING_DIR}/certs holds ca/ca.crt and, per instance, es01/es01.crt and es01/es01.key (likewise for es02 and es03); the chown to 1000:0 hands them to the elasticsearch user of the image. The keys are unencrypted PEM, so keep ${WORKING_DIR}/certs readable only by that user, and if the bundle also contains ca/ca.key (the signing key), keep it out of the node mounts: the nodes only need ca/ca.crt, but cluster-compose.yml mounts the whole ca/ directory.
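Before the cluster is started, the unpacked bundle is worth checking offline. The script below is an added example written for this guide, not part of the original page or of Elastic's tooling; it assumes the layout elasticsearch-certutil produces in --pem mode without --ca (ca/ca.crt plus <node>/<node>.crt and <node>/<node>.key per instance) and needs the openssl CLI on the host. It checks that each node certificate chains to the bundle's CA, that the private key belongs to the certificate, that the DNS SAN carries the compose service name, and it warns when a key is readable beyond its owner.

```shell
#!/bin/sh
# Added example, not part of the original guide: check the certificate bundle
# that create-cert.yml unpacks into ${WORKING_DIR}/certs before starting the cluster.
# Assumed layout (what elasticsearch-certutil --pem produces without --ca):
#   DIR/ca/ca.crt   DIR/<node>/<node>.crt   DIR/<node>/<node>.key
# Needs the openssl CLI. Usage: . ./verify-certs.sh; verify_bundle "$HOME/es/certs" es01 es02 es03

# cert_has_dns_san CRT NAME: 0 when the certificate carries a DNS SAN equal to NAME.
# In `openssl x509 -text` output the SAN list is the line after the "Subject Alternative Name" header.
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:$2(,|\$)"
}

# key_is_private FILE: 0 when group and other have no permission bits at all
# (the certutil keys are unencrypted PEM, so the file mode is their only protection).
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# verify_node_cert DIR NODE: chain, key/certificate match and SAN checks for one node.
verify_node_cert() {
  local dir="$1" node="$2"
  local ca="$dir/ca/ca.crt" crt="$dir/$node/$node.crt" key="$dir/$node/$node.key"
  local f pub_crt pub_key

  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "$node: missing or unreadable: $f" >&2; return 1; }
  done

  # 1. the node certificate must chain to the CA that every node mounts as ca/ca.crt
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "$node: $crt does not verify against $ca" >&2; return 1; }

  # 2. the private key must belong to that certificate (compare the SubjectPublicKeyInfo)
  pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ] \
    || { echo "$node: $key does not match $crt" >&2; return 1; }

  # 3. the SANs must contain the compose service name, which is what peers dial on 9300
  cert_has_dns_san "$crt" "$node" \
    || { echo "$node: no DNS SAN for $node in $crt" >&2; return 1; }

  # 4. warn (do not fail) when the key is readable by anyone but its owner
  key_is_private "$key" || echo "$node: warning: $key is readable by group/other" >&2
  return 0
}

# verify_bundle DIR NODE...: run the checks for every node; non-zero if any node fails.
verify_bundle() {
  local dir="$1" rc=0 node
  shift
  for node in "$@"; do
    if verify_node_cert "$dir" "$node"; then echo "$node: OK"; else rc=1; fi
  done
  return "$rc"
}
```

Generate the bundle first (docker-compose --env-file parameter.properties -f create-cert.yml up), then source the script and run verify_bundle "$WORKING_DIR/certs" es01 es02 es03. The SAN check only becomes load-bearing if xpack.security.transport.ssl.verification_mode is raised from certificate to full; with certificate, Elasticsearch checks the chain and nothing else.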
The create-cert.yml above is a docker-compose file used only to generate the cluster-internal mutual-trust certificates. Once they exist it can be stopped; start it again only when the certificates must be reset or new ones added. Note the guard if [[ ! -f /certs/bundle.zip ]]: a re-run with the old bundle still present is a no-op, so delete the old bundle first when regenerating.
1.3 Cluster configuration files
1.3.1 Cluster image build configuration file
cluster-compose.yml
```yaml
version: '2.2'
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es01
    restart: always   # added for consistency with es02/es03, which already restart automatically
    environment:
      - TAKE_FILE_OWNERSHIP=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ${WORKING_DIR}/nodes/1/data:/usr/share/elasticsearch/data:rw
      - ${WORKING_DIR}/nodes/1/logs:/usr/share/elasticsearch/logs:rw
      - ${WORKING_DIR}/nodes/1/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ${WORKING_DIR}/plugins/ik:/usr/share/elasticsearch/plugins/ik
      - ${WORKING_DIR}/certs/es01:/usr/share/elasticsearch/config/certs
      - ${WORKING_DIR}/certs/ca:/usr/share/elasticsearch/config/ca
    ports:
      - "9061:9200"
    networks:
      - elastic
  es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es02
    restart: always
    environment:
      - TAKE_FILE_OWNERSHIP=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ${WORKING_DIR}/nodes/2/data:/usr/share/elasticsearch/data:rw
      - ${WORKING_DIR}/nodes/2/logs:/usr/share/elasticsearch/logs:rw
      - ${WORKING_DIR}/nodes/2/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ${WORKING_DIR}/plugins/ik:/usr/share/elasticsearch/plugins/ik
      - ${WORKING_DIR}/certs/es02:/usr/share/elasticsearch/config/certs
      - ${WORKING_DIR}/certs/ca:/usr/share/elasticsearch/config/ca
    depends_on:
      - es01
    networks:
      - elastic
  es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es03
    restart: always
    environment:
      - TAKE_FILE_OWNERSHIP=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ${WORKING_DIR}/nodes/3/data:/usr/share/elasticsearch/data:rw
      - ${WORKING_DIR}/nodes/3/logs:/usr/share/elasticsearch/logs:rw
      - ${WORKING_DIR}/nodes/3/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ${WORKING_DIR}/plugins/ik:/usr/share/elasticsearch/plugins/ik
      - ${WORKING_DIR}/certs/es03:/usr/share/elasticsearch/config/certs
      - ${WORKING_DIR}/certs/ca:/usr/share/elasticsearch/config/ca
    depends_on:
      - es01
    networks:
      - elastic
networks:
  elastic:
    driver: bridge
```
Each node mounts its own certificate directory from the bundle at config/certs and the CA at config/ca, which is why the node configuration below can refer to certs/<node>.key and ca/ca.crt with paths relative to the config directory. Only es01 publishes the HTTP port (9061 on the host); es02 and es03 are reachable only on the elastic bridge network. The plugins/ik mount assumes the IK analysis plugin has been unpacked there; drop that line if you do not use it. TAKE_FILE_OWNERSHIP=true makes the image's entrypoint chown the mounted data and log directories to the elasticsearch user, and the unlimited memlock ulimit is what bootstrap.memory_lock: true requires.
The cluster-compose.yml above is the docker-compose file for the cluster itself.
1.3.2 Node configuration file
elasticsearch.yml
```yaml
cluster.name: laza-es-cluster
node.name: es02
node.master: true
node.data: true
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300          # deprecated name in 7.x; transport.port is the current spelling
discovery.zen.ping.unicast.hosts: ["es01:9300", "es02:9300", "es03:9300"]   # deprecated in 7.x; discovery.seed_hosts is the current name
cluster.initial_master_nodes: ["es01"]
# allow cross-origin access
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type,Content-Length,Authorization
http.cors.allow-credentials: true
# TLS for cluster-internal (transport) communication
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/es02.key
xpack.security.transport.ssl.certificate: certs/es02.crt
xpack.security.transport.ssl.certificate_authorities: ca/ca.crt
xpack.monitoring.collection.enabled: true
# remote (HTTP) access
xpack.security.http.ssl.enabled: false
```
- One separate configuration file per node; the above is for reference. In this case there should be three configuration files.
- This node configuration file does not configure SSL-encrypted remote access; because I have not verified it myself yet it is not added, and will be supplemented later.

Two points to watch in this file:
- http.cors.allow-origin: "*" together with http.cors.allow-credentials: true lets any page a user's browser opens issue credentialed cross-origin requests to the cluster. Set allow-origin to the exact origin of the one browser UI that needs it.
- With xpack.security.enabled: true the built-in users have no passwords until you set them, for example with docker exec -it es01 bin/elasticsearch-setup-passwords auto once es01 is up. Because xpack.security.http.ssl.enabled is false, those credentials cross port 9061 in cleartext, so keep that port off untrusted networks until HTTP TLS is in place. verification_mode: certificate checks only that a peer certificate chains to ca/ca.crt, which is the right choice here: nodes connect to each other's published container IPs, and those are not among the SANs in instances.yml.
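Since every node needs its own elasticsearch.yml, the three files can be rendered from one template. The script below is an added example written for this guide, not the author's configuration; beyond filling in node.name and the certs/<node>.* paths per node, it differs from the reference file above in three places: node.roles replaces the node.master/node.data pair (deprecated since 7.9), discovery.seed_hosts and transport.port replace the deprecated discovery.zen.ping.unicast.hosts and transport.tcp.port, and it refuses http.cors.allow-origin: "*" so that CORS with credentials is granted to exactly one origin (the http://localhost:9100 in the usage line is an assumed placeholder for whatever browser UI you use). It also switches on HTTPS for 9200 with the same per-node certificate, which the author has not validated; clients must then trust ca/ca.crt and use https URLs. The cluster name laza-es-cluster and the file layout come from the page.

```shell
#!/bin/sh
# Added example, not part of the original guide: render one elasticsearch.yml per
# node into OUTDIR/nodes/<n>/config/, the paths cluster-compose.yml bind-mounts.
# Assumed certificate layout inside the container: config/certs/<node>.crt,
# config/certs/<node>.key and config/ca/ca.crt (what the bundle mounts give you).
# Usage: . ./render-configs.sh; render_cluster "$HOME/es" "http://localhost:9100" es01 es02 es03

# config_allows_any_origin FILE: 0 when FILE combines allow-origin "*" with allow-credentials true,
# the combination that lets any web page the operator visits make credentialed requests.
config_allows_any_origin() {
  grep -Eq '^http\.cors\.allow-origin:[[:space:]]*"?\*"?[[:space:]]*$' "$1" &&
    grep -Eq '^http\.cors\.allow-credentials:[[:space:]]*true' "$1"
}

# render_node_config NODE INDEX OUTDIR ORIGIN SEEDS FIRST_MASTER: writes OUTDIR/nodes/INDEX/config/elasticsearch.yml
render_node_config() {
  local node="$1" idx="$2" out="$3" origin="$4" seeds="$5" first="$6" dir
  if [ "$origin" = "*" ]; then
    echo "refusing http.cors.allow-origin \"*\" together with allow-credentials" >&2
    return 2
  fi
  dir="$out/nodes/$idx/config"
  mkdir -p "$dir" || return 1
  cat > "$dir/elasticsearch.yml" <<EOF
cluster.name: laza-es-cluster
node.name: $node
node.roles: [ master, data ]
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
discovery.seed_hosts: [$seeds]
cluster.initial_master_nodes: ["$first"]
# cross-origin access only for the one browser UI that needs it
http.cors.enabled: true
http.cors.allow-origin: "$origin"
http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type,Content-Length,Authorization
http.cors.allow-credentials: true
# transport TLS; "certificate" rather than "full" because peers dial published container IPs that are not in the SANs
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/$node.key
xpack.security.transport.ssl.certificate: certs/$node.crt
xpack.security.transport.ssl.certificate_authorities: ca/ca.crt
xpack.monitoring.collection.enabled: true
# HTTPS on 9200 with the same per-node certificate; clients must trust ca/ca.crt
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/$node.key
xpack.security.http.ssl.certificate: certs/$node.crt
EOF
}

# render_cluster OUTDIR ORIGIN NODE...: numbers the nodes 1..N like the nodes/<n>/ mounts in cluster-compose.yml;
# every node lists all nodes as seed hosts and the first node bootstraps the cluster.
render_cluster() {
  local out="$1" origin="$2" seeds="" i=0 n
  shift 2
  for n in "$@"; do seeds="$seeds${seeds:+, }\"$n:9300\""; done
  for n in "$@"; do
    i=$((i + 1))
    render_node_config "$n" "$i" "$out" "$origin" "$seeds" "$1" || return $?
  done
}
```

config_allows_any_origin can also be pointed at an existing elasticsearch.yml, such as the reference file above, to flag the wildcard-plus-credentials combination before a node starts.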



