基础路径

/usr/share/elasticsearch

bin  config  data  lib  logs  modules  plugins

/usr/share/elasticsearch/config

elasticsearch.keystore  ingest-geoip  log4j2.properties  roles.yml  users_roles
elasticsearch.yml       jvm.options   role_mapping.yml   users

系统设置

进程中内存映射区域的最大数量

# Applies to the running kernel only; the value is lost at reboot unless it is
# also set in /etc/sysctl.conf.
sysctl -w vm.max_map_count=262144

查看生效情况

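# sysctl -w does not edit /etc/sysctl.conf, so read the live kernel value back
# to confirm the change took effect:
sysctl vm.max_map_count
# This grep only matches if the setting was also added to /etc/sysctl.conf so
# that it survives a reboot.
grep vm.max_map_count /etc/sysctl.conf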

文件

instances.yml:

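---
# Input for elasticsearch-certutil: one certificate is issued per entry, and
# the dns/ip values become that certificate's subject alternative names.
instances:
  - name: es01
    dns:
      - es01
      - localhost
      - elasticsearch.xgnote.com
    ip:
      - 127.0.0.1

  - name: es02
    dns:
      - es02
      - localhost
      - elasticsearch.xgnote.com
    ip:
      - 127.0.0.1

  # fluentd side
  # NOTE(review): 0.0.0.0 is the unspecified address, not an address a peer is
  # ever reached at, so it gives this certificate no usable IP identity. List
  # the client's real hostname or IP here if its name is going to be verified.
  - name: rancher
    ip:
      - 0.0.0.0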

create-certs.yml:

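---
# One-off job: generates a CA plus one PEM certificate/key pair per entry of
# instances.yml and unpacks them into ./certs on the host (the current
# directory is bind-mounted at config/certificates).
version: '2.2'

services:
  create_certs:
    container_name: create_certs
    # Official Elastic registry image, matching the es01/es02 nodes. The CA and
    # every private key are generated inside this container, so pull it from a
    # source you trust; if a mirror has to be used, pin it by digest.
    image: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
    # The existence check uses the same path certutil writes to. /local/certs
    # is not mounted in this container, so a check there never matches and
    # every run would attempt to generate the CA and keys again.
    command: >
      bash -c '
        if [[ ! -d config/certificates/certs ]]; then
          mkdir -p config/certificates/certs;
        fi;
        if [[ ! -f config/certificates/certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --pem --silent --in config/certificates/instances.yml --out config/certificates/certs/bundle.zip;
          unzip config/certificates/certs/bundle.zip -d config/certificates/certs;
        fi;
        chgrp -R 0 config/certificates/certs
      '
    working_dir: /usr/share/elasticsearch
    # The generated *.key files land in ./certs on the host: restrict access to
    # that directory and keep it out of version control.
    volumes:
      - '.:/usr/share/elasticsearch/config/certificates'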

.env

# Read by docker-compose for variable substitution in docker-compose.yml.
ELASTIC_CERTS_DIR=/usr/share/elasticsearch/config/certificates
KIBANA_CERTS_DIR=/usr/share/kibana/config/certificates
# NOTE(review): "nidemima" reads as a placeholder ("your password"); replace it
# with a strong value before the first start, restrict this file's permissions
# and keep it out of version control.
ELASTIC_PASSWORD=nidemima
KIBANA_PASSWORD=nidemima

docker-compose.yml

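---
# Two-node Elasticsearch 6.5.4 cluster plus Kibana, with X-Pack security and
# TLS on the HTTP and transport layers. $ELASTIC_PASSWORD, $KIBANA_PASSWORD,
# $ELASTIC_CERTS_DIR and $KIBANA_CERTS_DIR are substituted by docker-compose
# from the .env file next to this file.
version: '2.2'

services:
  es01:
    container_name: es01
    image: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
    environment:
      - node.name=es01
      - discovery.zen.minimum_master_nodes=2
      # Bootstrap password of the built-in elastic superuser, taken from .env.
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      # Starts a self-generated trial license; plan for its expiry if the
      # cluster is meant to stay up.
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.transport.ssl.enabled=true
      # "certificate" checks that the peer certificate chains to the CA but
      # skips hostname verification; "full" also checks the certificate names.
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.ssl.certificate_authorities=$ELASTIC_CERTS_DIR/ca/ca.crt
      - xpack.ssl.certificate=$ELASTIC_CERTS_DIR/es01/es01.crt
      - xpack.ssl.key=$ELASTIC_CERTS_DIR/es01/es01.key
    volumes:
      - 'esdata_01:/usr/share/elasticsearch/data'
      # Only the CA certificate and this node's own key pair, read-only, so the
      # other instances' private keys under ./certs stay out of this container.
      - './certs/ca:$ELASTIC_CERTS_DIR/ca:ro'
      - './certs/es01:$ELASTIC_CERTS_DIR/es01:ro'
    networks:
      - esnet
    ports:
      # Published on every host interface; use '127.0.0.1:9200:9200' when only
      # local access is needed.
      - '9200:9200'
    healthcheck:
      # Docker uses the exit status of this command. curl exits 0 once the TLS
      # handshake verifies against the CA and any HTTP reply arrives (an
      # unauthenticated 401 counts), and non-zero while the node is
      # unreachable. Ending the command with `echo` would make the status
      # always 0, so the container would always be reported healthy.
      test: 'curl --cacert $ELASTIC_CERTS_DIR/ca/ca.crt -s -o /dev/null https://localhost:9200'
      interval: 30s
      timeout: 10s
      retries: 5

  es02:
    container_name: es02
    image: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
    environment:
      - node.name=es02
      - discovery.zen.minimum_master_nodes=2
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
      - discovery.zen.ping.unicast.hosts=es01
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.transport.ssl.enabled=true
      # Same trade-off as on es01: chain validation without hostname checks.
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.ssl.certificate_authorities=$ELASTIC_CERTS_DIR/ca/ca.crt
      - xpack.ssl.certificate=$ELASTIC_CERTS_DIR/es02/es02.crt
      - xpack.ssl.key=$ELASTIC_CERTS_DIR/es02/es02.key
    volumes:
      - 'esdata_02:/usr/share/elasticsearch/data'
      # CA certificate and this node's own key pair only, read-only.
      - './certs/ca:$ELASTIC_CERTS_DIR/ca:ro'
      - './certs/es02:$ELASTIC_CERTS_DIR/es02:ro'
    networks:
      - esnet

  kibana:
    # Official Elastic registry image, the same source as the Elasticsearch
    # nodes. This container holds the kibana user's password, so pull it from
    # a source you trust; if a mirror has to be used, pin it by digest.
    image: docker.elastic.co/kibana/kibana:6.5.4
    container_name: kibana
    environment:
      # In list form the double quotes are part of the value; they are kept
      # exactly as the author wrote them.
      - SERVER_HOST="0"
      - SERVER_NAME=kibana
      - ELASTICSEARCH_URL="https://es01:9200"
      - ELASTICSEARCH_USERNAME=kibana
      # Must match the kibana user's password once elasticsearch-setup-passwords
      # has been run.
      - ELASTICSEARCH_PASSWORD=$KIBANA_PASSWORD
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=$KIBANA_CERTS_DIR/ca/ca.crt
    volumes:
      # Kibana only references the CA certificate, so no private key is mounted.
      - './certs/ca:$KIBANA_CERTS_DIR/ca:ro'
    # Waits for es01's healthcheck to pass before Kibana is started.
    depends_on:
      es01:
        condition: service_healthy
    ports:
      # Published on every host interface. No server.ssl settings are
      # configured here, so browsers reach Kibana over plain HTTP; put TLS in
      # front of it before exposing it beyond localhost.
      - '5601:5601'
    ulimits:
      nproc: 65535
      memlock:
        soft: -1
        hard: -1
    networks:
      - esnet

volumes:
  esdata_01:
    driver: local
  esdata_02:
    driver: local

networks:
  esnet:
    name: esnet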

生成cert文件然后创建并启动集群

# One-off: run the create_certs job, which writes the CA certificate and the
# per-instance key pairs into ./certs on the host.
docker-compose -f create-certs.yml up
# Start es01, es02 and kibana in the background.
docker-compose up -d

验证是否正常

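# Giving -u only the user name makes curl prompt for the password, which keeps
# it out of the shell history and the process list.
curl --cacert certs/ca/ca.crt -u elastic https://localhost:9200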

生成用户随机密码

# Sets random passwords for the built-in users (auto) without asking for
# confirmation (--batch) and prints each one to stdout a single time. Record
# the output in a password manager or secret store; it also ends up in the
# terminal scrollback and in any log that captures this command's output.
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
auto --batch \
-Expack.ssl.certificate=certificates/es01/es01.crt \
-Expack.ssl.certificate_authorities=certificates/ca/ca.crt \
-Expack.ssl.key=certificates/es01/es01.key \
--url https://localhost:9200"
Changed password for user apm_system
PASSWORD apm_system = egDeUVVwDjGtid0eFj8Z

Changed password for user kibana
PASSWORD kibana = 9WwjVsakO7kBRotvsTfG

Changed password for user logstash_system
PASSWORD logstash_system = Jj9j5ih8ulLG8Jb8FZhn

Changed password for user beats_system
PASSWORD beats_system = dfVNqp8RNx6Nv3a7802I

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = BISoMwqgplzWsuKJardq

Changed password for user elastic
PASSWORD elastic = lOs49RzwAYtnoP8sLwnA

将上面生成的 elastic 和 kibana 用户密码(以你自己运行得到的输出为准)分别填入 .env 文件中的 ELASTIC_PASSWORD 和 KIBANA_PASSWORD,然后重新编排

# Re-run so the containers are recreated with the values edited in .env.
docker-compose up -d