1.Docker部署單節點ES
1.前置條件
配置內核參數
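# Elasticsearch's bootstrap checks require vm.max_map_count >= 262144.
# Persist the value as a sysctl.d drop-in (safe to re-run: no duplicate lines
# accumulate in /etc/sysctl.conf) and apply it to the running kernel. Needs root.
printf 'vm.max_map_count=262144\n' > /etc/sysctl.d/99-elasticsearch.conf
sysctl -w vm.max_map_count=262144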
-
準備密碼
-
本文所有涉及密碼的配置,均使用演示密碼 Zzwl@2024,僅用於演示。
生產環境,請用密碼生成器為 CA、證書、keystore、管理員賬號分別生成不同的密碼(20 位以上,大小寫字母和數字混合;不用特殊符號主要是為了避免 shell 和 YAML 的轉義問題),並且不要把密碼直接寫在命令行參數或配置文件裡——它們會留在 shell 歷史、`ps` 輸出和 `docker inspect` 中。
創建數據目錄
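# Data, plugin, log and config directories for the bind mounts in docker-compose.yml.
mkdir -p /data/containers/elasticsearch/{data,plugins,logs}
mkdir -p /data/containers/elasticsearch/config/certs
# The container runs as uid 1000 / gid 0 (the official image's default — confirm
# with `docker inspect` if you use another image). config/ is included because the
# certutil and keystore steps below write into config/certs and config/ from inside
# the container.
chown -R 1000:0 /data/containers/elasticsearch/{data,plugins,logs,config}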
1.2 創建 ElasticSearch 自定義配置文件
實現 ElasticSearch 服務自定義配置有兩種方案:
- Docker-compose 中設置環境變量
- 編寫 elasticsearch.yml 配置文件,掛載到容器配置文件目錄
本文選擇第二種,編輯 elasticsearch.yml
配置文件,掛載到容器 /usr/share/elasticsearch/config
目錄的方案。
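# ---- Basic settings ----
cluster.name: es-cluster
discovery.type: single-node
# Listen on all container interfaces; what is reachable from outside is decided by
# the `ports:` mapping in docker-compose.yml (restrict there, e.g. 127.0.0.1:9200:9200).
network.host: 0.0.0.0
# NB: a comment must be separated from the value by whitespace; `9200# ...` on one
# line makes YAML read the port as a string and Elasticsearch fails to start.
http.port: 9200

# ---- X-Pack security and transport (node-to-node) TLS ----
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
# Keystore and truststore are the same PKCS#12 file (cert + key + CA).
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# Do NOT put the PKCS#12 passwords here in clear text; they are stored in
# elasticsearch.keystore as *.secure_password (see the keystore section).
#xpack.security.transport.ssl.keystore.password: PleaseChangeMe
#xpack.security.transport.ssl.truststore.password: PleaseChangeMe

# NOTE(review): HTTP TLS is not enabled, so the basic-auth credentials sent to
# port 9200 travel in clear text. For anything beyond a lab, enable it, e.g.:
#xpack.security.http.ssl.enabled: true
#xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
# (add xpack.security.http.ssl.keystore.secure_password to the keystore; client
# URLs then become https:// and clients must trust the CA)

# ---- Other settings ----
# Disable the GeoIP database auto-download (no outbound internet access needed).
ingest.geoip.downloader.enabled: false
# Enable security audit logging.
xpack.security.audit.enabled: true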
將上面的內容寫入配置文件:vi /data/containers/elasticsearch/config/elasticsearch.yml。然後在 /data/containers/elasticsearch 目錄下創建 docker-compose.yml,內容如下:
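name: 'elasticsearch'
services:
  elasticsearch:
    restart: always
    image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3
    container_name: es-single
    ulimits:
      nproc: 65535
      memlock:
        soft: -1
        hard: -1
    environment:
      - TZ=Asia/Shanghai
      - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
      # Password that unlocks the password-protected elasticsearch.keystore at
      # startup. It is read from the .env file next to this compose file (or the
      # shell environment) instead of being written here, so the compose file can
      # be shared without leaking it. `docker inspect` still shows it to anyone
      # with Docker access.
      - KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD:?put KEYSTORE_PASSWORD in .env}
    volumes:
      - ./data:/usr/share/elasticsearch/data
      - ./plugins:/usr/share/elasticsearch/plugins
      - ./logs:/usr/share/elasticsearch/logs
      # The certificates and the static config are not written by the server:
      # mount them read-only.
      - ./config/certs/:/usr/share/elasticsearch/config/certs:ro
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
      - ./config/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore
      # NOTE(review): users created with `elasticsearch-users` live in config/users
      # and config/users_roles inside the container; those files are not mounted
      # here, so confirm they survive `docker compose down` before relying on them.
    networks:
      - app-tier
    ports:
      # REST API. Bind to a specific interface (e.g. 127.0.0.1:9200:9200) if only
      # local clients need it; the Python clients in this guide connect remotely.
      - 9200:9200
      # Transport port (node-to-node). Not needed outside the container for a
      # single-node deployment (discovery.type: single-node), so not published.
      #- 9300:9300
networks:
  app-tier:
    name: app-tier
    driver: bridge
    #external: true
    #ipam:
    #  config:
    #    - subnet: 172.22.1.0/24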
2.創建CA文件
1.生成CA文件
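cd /data/containers/elasticsearch || exit 1

# Generate the CA (certificate + private key) as a PKCS#12 file in config/certs.
# No --pass on the command line: certutil prompts for the CA password, so it does
# not end up in shell history or in `ps`/`docker inspect` output.
# An absolute host path is used for -v; older Docker CLIs reject "./config/...".
docker run -it --rm \
  -v "$PWD/config/certs:/usr/share/elasticsearch/config/certs" \
  swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
  bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12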
正確輸出如下圖所示:
[root@worker1 elasticsearch]# docker run -it --rm \
> -v ./config/certs:/usr/share/elasticsearch/config/certs \
> swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
> bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12 --pass "Zzwl@2024"
Unable to find image 'swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3' locally
7.17.3: Pulling from ddn-k8s/docker.io/library/elasticsearch
e0b25ef51634: Pull complete
0ed156f90b4d: Pull complete
0b3c161c8ebd: Pull complete
157de9ee3c7a: Pull complete
eea187b8272b: Pull complete
a04594f99bf2: Pull complete
c88cab9df767: Pull complete
b95579404185: Pull complete
3da4afe05b7a: Pull complete
Digest: sha256:7167ec15528cca7e968736c73290506082305ee72e5ecb54ec0af2700326a34e
Status: Downloaded newer image for swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
3.創建 elastic-certificates.p12 證書
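# Issue the node certificate, signed by the CA created above, as a PKCS#12 file
# that holds the certificate, its private key and the CA (used as both keystore
# and truststore in elasticsearch.yml). Run from /data/containers/elasticsearch.
# --ca-pass / --pass are deliberately omitted: certutil prompts for the CA
# password and for the new file's password, keeping both out of shell history
# and `ps`. The second one is the value to store in the keystore later.
docker run -it --rm \
  -v "$PWD/config/certs:/usr/share/elasticsearch/config/certs" \
  swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
  bin/elasticsearch-certutil cert --ca config/certs/elastic-stack-ca.p12 --out config/certs/elastic-certificates.p12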
說明:
- `--ca-pass`:CA 文件 elastic-stack-ca.p12 的密碼(即上一步 ca 命令設置的密碼)
- `--pass`:生成的 elastic-certificates.p12 的密碼;後面寫入 keystore 的 secure_password 就是這個值
正確執行后,輸出結果如下:
[root@worker1 elasticsearch]# ls config/certs/
elastic-certificates.p12 elastic-stack-ca.p12
2.配置證書文件權限
chown -R 1000.0 config/certs/
4.生成加密的 keystore
默認情況下,Elasticsearch 會自動生成用於保存安全設置的密鑰庫文件 elasticsearch.keystore,用來存放需要保密的 key/value 配置(例如證書密碼)。
但該文件默認沒有密碼保護,內容只是做了簡單混淆(obfuscated)而非加密:任何能讀到該文件的人都可以用 elasticsearch-keystore 命令取回其中的設置。生產環境建議為 keystore 設置密碼;設置密碼後,Elasticsearch 啟動時必須提供該密碼,這正是 docker-compose.yml 中 KEYSTORE_PASSWORD 環境變量的用途。
1.執行下面命令創建elasticsearch.keystore
文件
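# Create a password-protected keystore (-p prompts for the password twice).
# The whole config/ directory is mounted so the file lands in
# ./config/elasticsearch.keystore on the host, which docker-compose.yml mounts.
# Run from /data/containers/elasticsearch; absolute -v path for older Docker CLIs.
docker run -it --rm \
  -v "$PWD/config:/usr/share/elasticsearch/config" \
  swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
  bin/elasticsearch-keystore create -p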
注:命令執行過程中,需按提示輸入兩次密碼
2.將 p12 證書的密碼添加到 keystore 文件
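# Store the PKCS#12 password (the one given to `certutil cert`) in the keystore
# instead of in elasticsearch.yml. Each command prompts twice: first for the
# keystore password, then for the value. Run from /data/containers/elasticsearch.

# keystore.secure_password
docker run -it --rm \
  -v "$PWD/config:/usr/share/elasticsearch/config" \
  swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
  bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

# truststore.secure_password — same value: elasticsearch.yml points keystore and
# truststore at the same elastic-certificates.p12 file.
docker run -it --rm \
  -v "$PWD/config:/usr/share/elasticsearch/config" \
  swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
  bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password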
- 命令執行過程中,請按提示輸入兩次密碼
- 第一次密碼是
elasticsearch.keystore
文件的密碼,第二次密碼是secure_password
的密碼
3.驗證 elasticsearch.keystore 是否加密
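# Check that the keystore is password-protected: `list` must ask for the keystore
# password before it prints the setting names (keystore.seed plus the two
# *.secure_password entries added above). Run from /data/containers/elasticsearch.
docker run -it --rm \
  -v "$PWD/config:/usr/share/elasticsearch/config" \
  swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
  bin/elasticsearch-keystore list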
正確執行后,輸出結果如下:
[root@worker1 elasticsearch]# docker run -it --rm \
> -v ./config:/usr/share/elasticsearch/config \
> swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
> bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter password for the elasticsearch keystore :
Enter value for xpack.security.transport.ssl.truststore.secure_password:
[root@worker1 elasticsearch]# docker run -it --rm \
> -v ./config/:/usr/share/elasticsearch/config \
> swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
> bin/elasticsearch-keystore list
Enter password for the elasticsearch keystore :
keystore.seed
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
5.密碼設置
此步需要容器已在運行:先在 /data/containers/elasticsearch 目錄執行 `docker compose up -d`,等 Elasticsearch 啟動完成後再執行下面的命令。
docker exec -it es-single bin/elasticsearch-setup-passwords auto
正確執行后,輸出結果如下:
[root@worker1 elasticsearch]# docker exec -it es-single bin/elasticsearch-setup-passwords auto
Enter password for the elasticsearch keystore :
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = EWQtj06iSDTpNxWdM2Cl
Changed password for user kibana_system
PASSWORD kibana_system = hYPm7AlnEHeu2LSDVRTy
Changed password for user kibana
PASSWORD kibana = hYPm7AlnEHeu2LSDVRTy
Changed password for user logstash_system
PASSWORD logstash_system = ri7euSsZIULH830wvbbw
Changed password for user beats_system
PASSWORD beats_system = piLisfgUM74vAgL1bhLo
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = bCuVrHD4RHKqfZRjKeHo
Changed password for user elastic
PASSWORD elastic = YvogvFIHOvzoK0U4CzF8
說明:
- 命令執行時需要輸入
elasticsearch keystore
文件的密碼 - 請記錄并妥善保存自動生成的密碼
4.2 創建自定義管理員用戶
創建一個自定義的管理員用戶用於日常管理。注意:superuser 角色的權限與內置 elastic 賬號相同;日常操作建議改用權限更小的內置角色或自定義角色,僅在必要時使用 superuser。
執行下面的命令:
docker exec -it es-single bin/elasticsearch-users useradd elasticadmin -p Zzwl@2024 -r superuser
創建完成後,用該賬號查詢節點信息,驗證能否登錄:
[root@docker-node-1 elasticsearch]# curl -X GET -u elasticadmin "localhost:9200/_cat/nodes?v=true&pretty"
Enter host password for user 'elasticadmin':
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
172.20.0.2 16 45 0 0.04 0.14 0.34 cdfhilmrstw * 5e53c312d114
說明: 按提示輸入用戶
elasticadmin
的密碼。
6.python鏈接使用
1.連接測試
pip install elasticsearch
"""
@Time : 2024/11/16 11:39
@Author : white.tie
@File : demo.py
@Desc : 測試連接
"""
from elasticsearch import Elasticsearch
from elasticsearch.exceptions import AuthenticationException
if __name__ == '__main__':es_index = "news"# Elasticsearch集群的URL(替換為你的遠程集群URL)es_url = "http://192.168.100.202:9200"# 用戶名和密碼(替換為你的憑據)username = "elasticadmin"password = "Zzwl@2024"es = Elasticsearch([es_url], basic_auth=(username, password))# 驗證連接是否成功(例如,獲取集群的健康狀態)# try:# print(es.cluster.health())# except Exception as e:# print(f"Error connecting to Elasticsearch: {e}")# es.indices.create(index="news",ignore=None)
2.新增數據
"""
@Time : 2024/11/16 11:39
@Author : white.tie
@File : demo.py
@Desc :
"""
from elasticsearch import Elasticsearch
from elasticsearch.exceptions import AuthenticationException
if __name__ == '__main__':es_index = "news"# Elasticsearch集群的URL(替換為你的遠程集群URL)es_url = "http://192.168.100.202:9200"# 用戶名和密碼(替換為你的憑據)username = "elasticadmin"password = "Zzwl@2024"es = Elasticsearch([es_url], basic_auth=(username, password))data = {"title": "好好學習zzwl","url": "http://www.tieyongjie.cn"}# 插入數據# 向 Elasticsearch 寫入數據try:response = es.index(index=es_index, body=data,id=123)print("文檔寫入成功:", response['result'])except Exception as e:print(f"寫入文檔失敗: {e}")
3.查詢數據
"""
@Time : 2024/11/16 11:39
@Author : white.tie
@File : search_demo.py
@Desc :
"""
from elasticsearch import Elasticsearch
from elasticsearch.exceptions import AuthenticationException
if __name__ == '__main__':es_index = "news"# Elasticsearch集群的URL(替換為你的遠程集群URL)es_url = "http://192.168.100.202:9200"# 用戶名和密碼(替換為你的憑據)username = "elasticadmin"password = "Zzwl@2024"es = Elasticsearch([es_url], basic_auth=(username, password)) # 構建查詢請求query = {"query": {"match": {"title": "好好學習" # 查詢字段為 title,查詢內容為 'Sample'}}}# 查詢 Elasticsearch 索引try:response = es.search(index=es_index, body=query)print("查詢結果:")print(response.body)# 處理查詢結果if response['hits']['total']['value'] > 0:for hit in response['hits']['hits']:print(f"ID: {hit['_id']}")print(f"Source: {hit['_source']}")print("-" * 50)else:print("未找到匹配的文檔")except Exception as e:print(f"查詢失敗: {e}")