Docker部署单节点Elasticsearch

1.Docker部署单节点ES

1.前置条件

配置内核参数

echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144

准备密码
本文所有涉及密码的配置，均使用通用密码 Zzwl@2024。

生产环境，请用密码生成器生成20位以上不带特殊符号只包含大小写字母和数字混合组成的密码。

创建数据目录

mkdir -p /data/containers/elasticsearch/{data,plugins,logs}
chown 1000:0 /data/containers/elasticsearch/{data,logs}
mkdir -p /data/containers/elasticsearch/config/certs

1.2 创建 ElasticSearch 自定义配置文件

实现 ElasticSearch 服务自定义配置有两种方案:

Docker-compose 中设置环境变量
编写 elasticsearch.yml 配置文件，挂载到容器配置文件目录

本文选择第二种，编辑 elasticsearch.yml 配置文件，挂载到容器 /usr/share/elasticsearch/config 目录的方案。

# 基本配置
cluster.name: es-cluster
discovery.type: single-node
network.host: 0.0.0.0
http.port: 9200# 启用 xpack 及 TLS
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true# 证书配置
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
#xpack.security.transport.ssl.keystore.password: PleaseChangeMe
#xpack.security.transport.ssl.truststore.password: PleaseChangeMe# 其他配置
# 禁用 geoip
ingest.geoip.downloader.enabled: false# 启用审计
xpack.security.audit.enabled: true

创建配置文件，vi /data/containers/elasticsearch/config/elasticsearch.yml

name: 'elasticsearch'
services:elasticsearch:restart: alwaysimage: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3container_name: es-singleulimits:nproc: 65535memlock:soft: -1hard: -1environment:- TZ=Asia/Shanghai- ES_JAVA_OPTS=-Xms2048m -Xmx2048m- KEYSTORE_PASSWORD=Zzwl@2024volumes:- ./data:/usr/share/elasticsearch/data- ./plugins:/usr/share/elasticsearch/plugins- ./logs:/usr/share/elasticsearch/logs- ./config/certs/:/usr/share/elasticsearch/config/certs- ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml- ./config/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystorenetworks:- app-tierports:- 9200:9200- 9300:9300
networks:app-tier:name: app-tierdriver: bridge#external: true#ipam:#  config:#    - subnet: 172.22.1.0/24

2.创建CA文件

1.生成CA文件

cd /data/containers/elasticsearchdocker run -it --rm \
-v ./config/certs:/usr/share/elasticsearch/config/certs \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12 --pass "Zzwl@2024"

正确输出如下图所示:

[root@worker1 elasticsearch]# docker run -it --rm \
> -v ./config/certs:/usr/share/elasticsearch/config/certs \
> swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
> bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12 --pass "Zzwl@2024"
Unable to find image 'swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3' locally
7.17.3: Pulling from ddn-k8s/docker.io/library/elasticsearch
e0b25ef51634: Pull complete
0ed156f90b4d: Pull complete
0b3c161c8ebd: Pull complete
157de9ee3c7a: Pull complete
eea187b8272b: Pull complete
a04594f99bf2: Pull complete
c88cab9df767: Pull complete
b95579404185: Pull complete
3da4afe05b7a: Pull complete
Digest: sha256:7167ec15528cca7e968736c73290506082305ee72e5ecb54ec0af2700326a34e
Status: Downloaded newer image for swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authorityBy default the 'ca' mode produces a single PKCS#12 output file which holds:* The CA certificate* The CA's private keyIf you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

3.创建 elastic-certificates.p12 证书

docker run -it --rm \
-v ./config/certs:/usr/share/elasticsearch/config/certs \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-certutil cert --silent --ca config/certs/elastic-stack-ca.p12 --out config/certs/elastic-certificates.p12 --ca-pass "Zzwl@2024" --pass "Zzwl@2024"

说明：

–ca-pass CA 证书的密码
–pass p12 证书的密码

正确执行后，输出结果如下：

[root@worker1 elasticsearch]# ls config/certs/
elastic-certificates.p12  elastic-stack-ca.p12

2.配置证书文件权限

chown -R 1000.0 config/certs/

4.生成加密的keysrore

默认情况下，Elasticsearch 自动生成用于安全设置的密钥存储库文件elasticsearch.keystore。

该文件的用途是存储需要加密的 key/value 配置数据。但是该文件默认只是被简单的模糊（obfuscated）处理，并没有加密。用命令 elasticsearch-keystore list 可以轻松读取到文件内容。生产环境建议做加密处理。

1.执行下面命令创建elasticsearch.keystore 文件

docker run -it --rm \
-v ./config:/usr/share/elasticsearch/config \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-keystore create -p

注:命令执行过程中，需按提示输入两次密码

2.添加 p12 证书的密码配置添加到 keystore 文件

# keystore.secure_password
docker run -it --rm \
-v ./config:/usr/share/elasticsearch/config \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password# truststore.secure_password
docker run -it --rm \
-v ./config:/usr/share/elasticsearch/config \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

命令执行过程中，请按提示输入两次密码
第一次密码是 elasticsearch.keystore 文件的密码，第二次密码是 secure_password 的密码

3.验证 elasticsearch.keystore 是否加密

docker run -it --rm \
-v ./config/:/usr/share/elasticsearch/config \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
bin/elasticsearch-keystore list

正确执行后，输出结果如下：

[root@worker1 elasticsearch]# docker run -it --rm \
> -v ./config:/usr/share/elasticsearch/config \
> swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
> bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter password for the elasticsearch keystore :
Enter value for xpack.security.transport.ssl.truststore.secure_password:
[root@worker1 elasticsearch]# docker run -it --rm \
> -v ./config/:/usr/share/elasticsearch/config \
> swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/elasticsearch:7.17.3 \
> bin/elasticsearch-keystore list
Enter password for the elasticsearch keystore :
keystore.seed
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password

5.密码设置

docker exec -it es-single bin/elasticsearch-setup-passwords auto

正确执行后，输出结果如下：

[root@worker1 elasticsearch]# docker exec -it es-single bin/elasticsearch-setup-passwords auto
Enter password for the elasticsearch keystore :
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]yChanged password for user apm_system
PASSWORD apm_system = EWQtj06iSDTpNxWdM2ClChanged password for user kibana_system
PASSWORD kibana_system = hYPm7AlnEHeu2LSDVRTyChanged password for user kibana
PASSWORD kibana = hYPm7AlnEHeu2LSDVRTyChanged password for user logstash_system
PASSWORD logstash_system = ri7euSsZIULH830wvbbwChanged password for user beats_system
PASSWORD beats_system = piLisfgUM74vAgL1bhLoChanged password for user remote_monitoring_user
PASSWORD remote_monitoring_user = bCuVrHD4RHKqfZRjKeHoChanged password for user elastic
PASSWORD elastic = YvogvFIHOvzoK0U4CzF8

说明：

命令执行时需要输入 elasticsearch keystore 文件的密码
请记录并妥善保存自动生成的密码

4.2 创建自定义管理员用户

创建一个自定义的管理员用户用于日常管理。

执行下面的命令：

docker exec -it es-single bin/elasticsearch-users useradd elasticadmin -p Zzwl@2024 -r superuser

正确执行后，输出结果如下：

[root@docker-node-1 elasticsearch]# curl -X GET -u elasticadmin "localhost:9200/_cat/nodes?v=true&pretty"
Enter host password for user 'elasticadmin':
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
172.20.0.2           16          45   0    0.04    0.14     0.34 cdfhilmrstw *      5e53c312d114

说明： 按提示输入用户 elasticadmin 的密码。

6.python链接使用

1.新增数据

pip install elasticsearch

"""
@Time    : 2024/11/16 11:39
@Author  : white.tie
@File    : demo.py
@Desc    : 测试连接
"""
from elasticsearch import Elasticsearch
from elasticsearch.exceptions import AuthenticationException
if __name__ == '__main__':es_index = "news"# Elasticsearch集群的URL（替换为你的远程集群URL）es_url = "http://192.168.100.202:9200"# 用户名和密码（替换为你的凭据）username = "elasticadmin"password = "Zzwl@2024"es = Elasticsearch([es_url], basic_auth=(username, password))# 验证连接是否成功（例如，获取集群的健康状态）# try:#     print(es.cluster.health())# except Exception as e:#     print(f"Error connecting to Elasticsearch: {e}")# es.indices.create(index="news",ignore=None)

2.新增数据

"""
@Time    : 2024/11/16 11:39
@Author  : white.tie
@File    : demo.py
@Desc    : 
"""
from elasticsearch import Elasticsearch
from elasticsearch.exceptions import AuthenticationException
if __name__ == '__main__':es_index = "news"# Elasticsearch集群的URL（替换为你的远程集群URL）es_url = "http://192.168.100.202:9200"# 用户名和密码（替换为你的凭据）username = "elasticadmin"password = "Zzwl@2024"es = Elasticsearch([es_url], basic_auth=(username, password))data = {"title": "好好学习zzwl","url": "http://www.tieyongjie.cn"}# 插入数据# 向 Elasticsearch 写入数据try:response = es.index(index=es_index, body=data,id=123)print("文档写入成功:", response['result'])except Exception as e:print(f"写入文档失败: {e}")

3.查询数据

"""
@Time    : 2024/11/16 11:39
@Author  : white.tie
@File    : search_dmeo.py
@Desc    : 
"""
from elasticsearch import Elasticsearch
from elasticsearch.exceptions import AuthenticationException
if __name__ == '__main__':es_index = "news"# Elasticsearch集群的URL（替换为你的远程集群URL）es_url = "http://192.168.100.202:9200"# 用户名和密码（替换为你的凭据）username = "elasticadmin"password = "Zzwl@2024"es = Elasticsearch([es_url], basic_auth=(username, password))   # 构建查询请求query = {"query": {"match": {"title": "好好学习"  # 查询字段为 title，查询内容为 'Sample'}}}# 查询 Elasticsearch 索引try:response = es.search(index=es_index, body=query)print("查询结果:")print(response.body)# 处理查询结果if response['hits']['total']['value'] > 0:for hit in response['hits']['hits']:print(f"ID: {hit['_id']}")print(f"Source: {hit['_source']}")print("-" * 50)else:print("未找到匹配的文档")except Exception as e:print(f"查询失败: {e}")