相关的docker-file 文件目录结构,可参考: 使用 docker 创建 php 8.3 的开发环境
elk 官方网站: 点击跳转
elasticsearch使用docker搭建的相关文档地址: 点击跳转
1. 首先需要下载 通过 docker compose 搭建 es 所需要的环境变量通用文件 .env, 文件示例地址: 点击跳转
# Password for the 'elastic' user (at least 6 characters)
ELASTIC_PASSWORD=123456# Password for the 'kibana_system' user (at least 6 characters)KIBANA_PASSWORD=123456# Version of Elastic productsSTACK_VERSION={version}# Set the cluster nameCLUSTER_NAME=docker-cluster# Set to 'basic' or 'trial' to automatically start the 30-day trialLICENSE=basic#LICENSE=trial# Port to expose Elasticsearch HTTP API to the hostES_PORT=9200#ES_PORT=127.0.0.1:9200# Port to expose Kibana to the hostKIBANA_PORT=5601#KIBANA_PORT=80# Increase or decrease based on the available host memory (in bytes)MEM_LIMIT=1073741824# Project namespace (defaults to the current folder name if not set)#COMPOSE_PROJECT_NAME=myproject
2. docker-compose.yml 参考示例,官方文档地址: 点击跳转
version: "2.2"* 如果直接使用,可能会出现安全验证错误的问题,因此需要做一些调整
services:
setup:
image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
volumes:
- certs:/usr/share/elasticsearch/config/certs
user: "0"
command: >
bash -c '
if [ x${ELASTIC_PASSWORD} == x ]; then
echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
exit 1;
elif [ x${KIBANA_PASSWORD} == x ]; then
echo "Set the KIBANA_PASSWORD environment variable in the .env file";
exit 1;
fi;
if [ ! -f config/certs/ca.zip ]; then
echo "Creating CA";
bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
unzip config/certs/ca.zip -d config/certs;
fi;
if [ ! -f config/certs/certs.zip ]; then
echo "Creating certs";
echo -ne \
"instances:\n"\
" - name: es01\n"\
" dns:\n"\
" - es01\n"\
" - localhost\n"\
" ip:\n"\
" - 127.0.0.1\n"\
" - name: es02\n"\
" dns:\n"\
" - es02\n"\
" - localhost\n"\
" ip:\n"\
" - 127.0.0.1\n"\
" - name: es03\n"\
" dns:\n"\
" - es03\n"\
" - localhost\n"\
" ip:\n"\
" - 127.0.0.1\n"\
> config/certs/instances.yml;
bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
unzip config/certs/certs.zip -d config/certs;
fi;
echo "Setting file permissions"
chown -R root:root config/certs;
find . -type d -exec chmod 750 \{\} \;;
find . -type f -exec chmod 640 \{\} \;;
echo "Waiting for Elasticsearch availability";
until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
echo "Setting kibana_system password";
until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
echo "All done!";
'
healthcheck:
test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"]
interval: 1s
timeout: 5s
retries: 120
es01:
depends_on:
setup:
condition: service_healthy
image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
volumes:
- certs:/usr/share/elasticsearch/config/certs
- esdata01:/usr/share/elasticsearch/data
ports:
- ${ES_PORT}:9200
environment:
- node.name=es01
- cluster.name=${CLUSTER_NAME}
- cluster.initial_master_nodes=es01,es02,es03
- discovery.seed_hosts=es02,es03
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
- bootstrap.memory_lock=true
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=certs/es01/es01.key
- xpack.security.http.ssl.certificate=certs/es01/es01.crt
- xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.key=certs/es01/es01.key
- xpack.security.transport.ssl.certificate=certs/es01/es01.crt
- xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.license.self_generated.type=${LICENSE}
- xpack.ml.use_auto_machine_memory_percent=true
mem_limit: ${MEM_LIMIT}
ulimits:
memlock:
soft: -1
hard: -1
healthcheck:
test:
[
"CMD-SHELL",
"curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
]
interval: 10s
timeout: 10s
retries: 120
es02:
depends_on:
- es01
image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
volumes:
- certs:/usr/share/elasticsearch/config/certs
- esdata02:/usr/share/elasticsearch/data
environment:
- node.name=es02
- cluster.name=${CLUSTER_NAME}
- cluster.initial_master_nodes=es01,es02,es03
- discovery.seed_hosts=es01,es03
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
- bootstrap.memory_lock=true
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=certs/es02/es02.key
- xpack.security.http.ssl.certificate=certs/es02/es02.crt
- xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.key=certs/es02/es02.key
- xpack.security.transport.ssl.certificate=certs/es02/es02.crt
- xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.license.self_generated.type=${LICENSE}
- xpack.ml.use_auto_machine_memory_percent=true
mem_limit: ${MEM_LIMIT}
ulimits:
memlock:
soft: -1
hard: -1
healthcheck:
test:
[
"CMD-SHELL",
"curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
]
interval: 10s
timeout: 10s
retries: 120
es03:
depends_on:
- es02
image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
volumes:
- certs:/usr/share/elasticsearch/config/certs
- esdata03:/usr/share/elasticsearch/data
environment:
- node.name=es03
- cluster.name=${CLUSTER_NAME}
- cluster.initial_master_nodes=es01,es02,es03
- discovery.seed_hosts=es01,es02
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
- bootstrap.memory_lock=true
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=certs/es03/es03.key
- xpack.security.http.ssl.certificate=certs/es03/es03.crt
- xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.key=certs/es03/es03.key
- xpack.security.transport.ssl.certificate=certs/es03/es03.crt
- xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.license.self_generated.type=${LICENSE}
- xpack.ml.use_auto_machine_memory_percent=true
mem_limit: ${MEM_LIMIT}
ulimits:
memlock:
soft: -1
hard: -1
healthcheck:
test:
[
"CMD-SHELL",
"curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
]
interval: 10s
timeout: 10s
retries: 120
kibana:
depends_on:
es01:
condition: service_healthy
es02:
condition: service_healthy
es03:
condition: service_healthy
image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
volumes:
- certs:/usr/share/kibana/config/certs
- kibanadata:/usr/share/kibana/data
ports:
- ${KIBANA_PORT}:5601
environment:
- SERVERNAME=kibana
- ELASTICSEARCH_HOSTS=https://es01:9200
- ELASTICSEARCH_USERNAME=kibana_system
- ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
- ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
mem_limit: ${MEM_LIMIT}
healthcheck:
test:
[
"CMD-SHELL",
"curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
]
interval: 10s
timeout: 10s
retries: 120
volumes:
certs:
driver: local
esdata01:
driver: local
esdata02:
driver: local
esdata03:
driver: local
kibanadata:
driver: local
* 首先,上面的配置中,通过 setup 这个容器来创建证书,因为现在es和kibana之间通信是需要通过自签的ca证书来进行安全验证的,证书会创建在 certs 目录下, 并将此目录做为了共享磁盘配置,分别给 es01,es02,es03,kibana 容器做了文件映射
* 为了使用方便,我会只保留 es01 这个节点,并且会将 setup 的启动脚本命令放到一个 start.sh 目录下
* 另外,会将 es01,kibana,logstash 的配置文件映射到宿主机,方便后续修改
* 题外话,如果不知道 es01,kibana,logstash 容器中有哪些配置文件,可以单独先跑一个容器,然后进到容器中, 一般进去后的工作目录下就有一个 config 目录,可以看看里面有哪些配置文件,然后将配置文件拷本一份到宿主机上,再做为后续要映射的文件, 因此会使用到 以下命令
docker cp <container_id>:<container_path> <host_path>* 拷贝 es01 配置文件
docker cp 6c473446388f:/usr/share/elasticsearch/config/elasticsearch.yml docker-file/elasticsearch/es01/config/* 拷贝 kibana 配置文件
docker cp f9332cf6e185:/usr/share/kibana/config/kibana.yml docker-file/kibana/config/* 拷贝 logstash 配置文件
docker cp f1234ab7d873:/usr/share/logstash/config/logstash.yml docker-file/logstash/config/
docker cp f1234ab7d873:/usr/share/logstash/config/pipelines.yml docker-file/logstash/config/
docker cp f1234ab7d873:/usr/share/logstash/pipeline/logstash.conf docker-file/logstash/pipeline/
3. 因此,修改后的目录结构为
- docker-compose.yml
- .env
- elasticsearch
- config
- certs
- es01
- config
- elasticsearch.yml
- Dockerfile
- start.sh
- kibana
- config
- kibana.yml
- Dockerfile
- logstash
- config
- logstash.yml
- pipelines.yml
- pipeline
- logstash.conf
- Dockerfile
5. 另外, 在 elasticsearch 目录下,会有一个 start.sh 文件,就是将上面官方的setup容器的启动命令,放到这个shell脚本中,做了少部分修改,内容如下:
#!/bin/bash# source /etc/profileif [ x${ELASTIC_PASSWORD} == x ]; thenecho "Set the ELASTIC_PASSWORD environment variable in the .env file";exit 1;elif [ x${KIBANA_PASSWORD} == x ]; thenecho "Set the KIBANA_PASSWORD environment variable in the .env file";exit 1;fi;if [ ! -f config/certs/ca.zip ]; thenecho "Creating CA";bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;unzip config/certs/ca.zip -d config/certs;fi;if [ ! -f config/certs/certs.zip ]; thenecho "Creating certs";echo -ne \"instances:\n"\" - name: es01\n"\" dns:\n"\" - es01\n"\" - localhost\n"\" - name: es02\n"\" dns:\n"\" - es02\n"\" - localhost\n"\" - name: es03\n"\" dns:\n"\" - es03\n"\" - localhost\n"\> config/certs/instances.yml;bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;unzip config/certs/certs.zip -d config/certs;fi;echo "Setting file permissions"chown -R root:root config/certs;find . -type d -exec chmod 750 \{\} \;;find . -type f -exec chmod 640 \{\} \;;echo "Waiting for Elasticsearch availability";until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;echo "Setting kibana_system password";until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;echo "Setting kibana_user";until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_user -d "{\"password\":\"${KIBANA_PASSWORD}\",\"roles\": [\"kibana_admin\"],\"enabled\": true}" | grep -q "{"; do sleep 10; done;echo "All done!";
7. 调整之后的 docker-compose.yml 文件示例,大概如下:
services:
...
# elk: es-setup,es01,logstash,kibana
es-setup:
# image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
# 必须将 .env 文件和 docker-compose.yml 文件放在同一个目录下,才能正确自动加载环境变量
# 或者在启动命令中添加env文件路径,如: docker-compose --env-file ./path/to/.env up -d
build: ./elasticsearch
# 显示指定 env 路径,保证启动的脚本能正确加载环境变量
env_file:
- .env
volumes:
- ./elasticsearch/setup/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:rw
- certs:/usr/share/elasticsearch/config/certs:rw
- ../../data/data/es/es-setup:/usr/share/elasticsearch/data:rw
#获取root权限
privileged: true
user: root
# command: bash -c "sh /start.sh"
# 在某些情况下,使用 entrypoint 可以确保容器启动时加载环境变量,特别是当需要通过脚本启动服务时。
entrypoint: bash -c "cd /usr/share/elasticsearch && source ./start.sh"
healthcheck:
test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"]
interval: 1s
timeout: 5s
retries: 120
es01:
depends_on:
- es-setup
# image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
build: ./elasticsearch
volumes:
# 不能添加整个config目录的映射,否则会出现文件权限的问题 ERROR: Missing logging config file at /usr/share/elasticsearch/config/log4j2.properties, with exit code 78
- ./elasticsearch/es01/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:rw
- certs:/usr/share/elasticsearch/config/certs
- ../../data/data/es/es01:/usr/share/elasticsearch/data
ports:
- ${ES_PORT}:9200
environment:
# 单节点使用
# - discovery.type=single-node
- node.name=es01
- cluster.name=${CLUSTER_NAME}
- cluster.initial_master_nodes=es01
# - discovery.seed_hosts=es02,es03
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
- bootstrap.memory_lock=true
# 如果禁用安全功能,则密码设置会失效,但可以关闭https证书认证
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=certs/es01/es01.key
- xpack.security.http.ssl.certificate=certs/es01/es01.crt
- xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
# 如果 xpack.security.enabled=true 则必须启用,用于节点间通信
- xpack.security.transport.ssl.enabled=true
# 如果 xpack.security.transport.ssl.enabled=true 则以下的验证配置必须设置
- xpack.security.transport.ssl.key=certs/es01/es01.key
- xpack.security.transport.ssl.certificate=certs/es01/es01.crt
- xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.license.self_generated.type=${LICENSE}
- xpack.ml.use_auto_machine_memory_percent=true
mem_limit: ${MEM_LIMIT}
ulimits:
memlock:
soft: -1
hard: -1
healthcheck:
test:
[
"CMD-SHELL",
"curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
]
interval: 10s
timeout: 10s
retries: 120
logstash:
depends_on:
- es01
# image: docker.elastic.co/logstash/logstash:8.10.0
build: ./logstash
ports:
# 用于接收来自 Beats(如 Filebeat、Metricbeat)发送的数据
- "5044:5044"
# 用于接收 TCP 或 UDP 数据
- "5000:5000"
# Logstash 的 HTTP API 端口
- "9600:9600"
volumes:
- certs:/usr/share/logstash/config/certs
- ./logstash/pipeline:/usr/share/logstash/pipeline:rw
- ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:rw
- ./logstash/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:rw
environment:
- xpack.monitoring.enabled=true
- xpack.monitoring.elasticsearch.hosts=http://es01:9200
- xpack.monitoring.elasticsearch.username=elastic
- xpack.monitoring.elasticsearch.password=${ELASTIC_PASSWORD}
- xpack.monitoring.elasticsearch.ssl.certificate_authority=config/certs/ca/ca.crt
- LOGSTASH_JAVA_OPTS=-Xms256m -Xmx256m
- ELASTICSEARCH_HOST=https://es01:9200
- ELASTICSEARCH_USER=elastic
- ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD}
- ELASTICSEARCH_CACERT=config/certs/ca/ca.crt
kibana:
depends_on:
- es01
# image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
build: ./kibana
volumes:
- ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:rw
- certs:/usr/share/kibana/config/certs
- ../../data/data/kibana:/usr/share/kibana/data
ports:
- ${KIBANA_PORT}:5601
environment:
- SERVERNAME=kibana
- ELASTICSEARCH_HOSTS=https://es01:9200
- ELASTICSEARCH_USERNAME=kibana_system
- ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
# 如果不设置下面的属性,则会禁用安全功能,密码设置会无效
- ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
mem_limit: ${MEM_LIMIT}
healthcheck:
test:
[
"CMD-SHELL",
"curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
]
interval: 10s
timeout: 10s
retries: 120
volumes:
certs:
driver: local
driver_opts:
o: bind
type: none
device: ./elasticsearch/config/certs
8. 注意和 services 同级的 volumes 配置
9. 等待 es-setup 完成,查看 es-setup 的日志,如果输出 All done! 则说明ok了,同时应该会在 /elasticsearch/config/certs 目录下生成 ca 相关的证书
10. 浏览器访问 https://localhost:9200/ ,输入 用户名:elastic, 密码:123456, 应该会有输出
11. 浏览器访问 http://localhost:5601/, 输入用户名: kibana_user, 密码:123456, 应该就能登录到kibana控制台了
