1. Start an Elasticsearch (ES) container;
2. Enter the container with docker exec -it xxxx /bin/bash;
3. Run the following commands
bin/elasticsearch-certutil ca # set a password of your choice
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 # enter the password set above
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password # run this command, then enter the password set above
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password # run this command, then enter the password set above
4. Put the generated files into the config directory
mv elastic-certificates.p12 config
mv elastic-stack-ca.p12 config
5. Copy the following files from the container's config directory to the host directory (the directory mounted for configuration files; when running several nodes, copy them into every node's config directory), using sudo docker cp:
elastic-certificates.p12, elastic-stack-ca.p12, elasticsearch.keystore
# Format
# docker cp CONTAINER_ID:<container directory> <local directory>
# Example
docker ps -a # look up the local container ID
sudo docker cp 52ea915e6527:/usr/share/elasticsearch/config /home/config1
Grant permissions on the files. Mandatory! Mandatory! Mandatory! (777 is more than the container needs: the files only have to be readable by the user Elasticsearch runs as inside the container.)
chmod 777 *
6. Use the following configuration file:
# Cluster name; the default is elasticsearch
cluster.name: my-application
# Node name
node.name: node-1
# By default the first machine in the cluster becomes master; if it goes down a new master is elected
node.master: true
node.data: true
network.bind_host: 0.0.0.0
network.publish_host: 192.168.3.18
# HTTP port exposed to clients
http.port: 9201
# TCP port for inter-node communication; must not be the same as the HTTP port
transport.tcp.port: 9301
http.cors.enabled: true
http.cors.allow-origin: "*"
# Initial list of master nodes in the cluster; new nodes joining the cluster are discovered through these
discovery.zen.ping.unicast.hosts: ["192.168.3.18:9301","192.168.3.18:9302","192.168.3.18:9303"]
discovery.zen.ping_timeout: 3s
# Set this so that every node knows about the other N master-eligible nodes
discovery.zen.minimum_master_nodes: 2
cluster.initial_master_nodes: node-1
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
#xpack.security.authc.accept_default_password: false
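Before starting a node with this file, it is worth a quick pre-flight check: a node whose xpack.security.enabled or transport TLS line was accidentally left commented out comes up without complaint and simply runs unprotected. The POSIX shell script below is an added example, not part of the original article; it assumes the setting names from step 6, a constructed sample config written next to an empty stand-in for elastic-certificates.p12, and standard grep, sed and tail.

```shell
# Added pre-flight check (not from the original page): lint an elasticsearch.yml
# for the security settings of step 6; commented-out lines are ignored on purpose.
REQUIRED_SETTINGS="
xpack.security.enabled=true
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.verification_mode=certificate
xpack.security.transport.ssl.client_authentication=required
"
# setting_value FILE KEY: print the active (uncommented) value of KEY, or nothing
setting_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*#.*$//; s/^"(.*)"$/\1/' | tail -n 1 || true
}

# check_es_security FILE: 0 if every required setting is set and the keystore/truststore exist
check_es_security() {
    file=$1; dir=$(dirname "$file"); rc=0
    for pair in $REQUIRED_SETTINGS; do
        key=${pair%%=*}; want=${pair#*=}; got=$(setting_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    for key in xpack.security.transport.ssl.keystore.path \
               xpack.security.transport.ssl.truststore.path; do
        p=$(setting_value "$file" "$key")   # paths are relative to the config directory
        if [ -z "$p" ] || [ ! -r "$dir/$p" ]; then
            echo "FAIL: $key is '${p:-unset}' and must name a readable file in $dir"; rc=1
        fi
    done
    [ "$(setting_value "$file" http.cors.allow-origin)" = "*" ] && echo "WARN: http.cors.allow-origin is '*'"
    return $rc
}

# write_sample DIR SSL_ENABLED: constructed subset of the step 6 config plus an empty .p12 stand-in
write_sample() {
    mkdir -p "$1"; : > "$1/elastic-certificates.p12"
    cat > "$1/elasticsearch.yml" <<EOF
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: $2
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
#xpack.security.transport.ssl.enabled: true
EOF
}
```

Run it as `write_sample /tmp/es-check true; check_es_security /tmp/es-check/elasticsearch.yml` to see a passing config, or point check_es_security at the real config1/elasticsearch.yml from step 5.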
7. Remove the old container, then create and start a new one (for several nodes, run this once per config file and change the details below: name, ports, directories), mounting the certificate-related files:
docker run -d -e ES_JAVA_OPTS="-Xms512m -Xmx512m" --name=elasticsearch-1 --net=host \
  -p 9201:9201 -p 9301:9301 --privileged=true \
  -v /opt/elasticsearch/config1/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
  -v /opt/elasticsearch/config1/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 \
  -v /opt/elasticsearch/config1/elastic-stack-ca.p12:/usr/share/elasticsearch/config/elastic-stack-ca.p12 \
  -v /opt/elasticsearch/config1/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore \
  -v /opt/elasticsearch/data1:/usr/share/elasticsearch/data \
  -v /opt/elasticsearch/logs1:/usr/share/elasticsearch/logs \
  elasticsearch:7.11.1
8. Once the cluster is up, enter the master node's container:
docker exec -it f28a7675197b /bin/bash
9. Run the following command and set a password for each built-in user as prompted (this only needs to be run on one node, not on all of them):
./bin/elasticsearch-setup-passwords interactive
10. Open the master node's ES address to verify: http://192.168.3.18:9201/_cat/nodes?pretty
A username/password prompt is shown, which confirms that security is enabled; enter the user name elastic and the password you set to pass authentication.