docker-compose快速部署elasticsearch-8.x集群+kibana

技术分享 3年前 (2023-08-23) 0 999+

关注

欢迎访问我的GitHub

这里分类和汇总了欣宸的全部原创(含配套源码)：https://github.com/zq2599/blog_demos

本篇概览

前文《Docker下elasticsearch8部署、扩容、基本操作实战(含kibana)》介绍了用docker快速部署es和kibana的过程，然而整个过程人工操作步骤还是多了点，能不能更简单些呢？毕竟很多时候大家关注的是使用，不愿在部署上费太多时间
借助docker-compose，可以将es集群+kibana的安装过程可以进一步简化，精简后的步骤如下图，已经省的不能再省了...
本文会按照上述流程进行实战，一共实战两次：第一次部署带证书账号密码的安全版本，第二次部署没有任何安全检查的版本，装好直接访问使用
请注意docker部署ElasticSearch的适用场景：我这边只在开发过程中使用，此种方式在生产环境是否适合是有待商榷的，用于生产环境时请您慎重考虑
本篇由以下内容构成

介绍我这边实战的环境供您参考
Linxu用户需要额外注意的地方
编写配置文件
启动
验证

环境信息

以下是本次实战的环境信息，可以作为参考

操作系统：macOS Monterey（M1 Pro芯片的MacBook Pro，16G内存）
Docker：Docker Desktop 4.7.1 (77678)
ElasticSearch：8.2.2
Kibana：8.2.2

Linux用户请注意

如果您的环境是Linux，注意要做以下操作，否则es可能会启动失败

用编辑工具打开文件/etc/sysctl.conf
在尾部添加一行配置vm.max_map_count = 262144，如果已存在就修改，数值不能低于262144
修改保存，然后执行命令sudo sysctl -p使其立即生效

编写配置文件

再次确认接下来工作的目标：用docker-compose快速部署es集群+kibana，这个集群是带安全检查的（自签证书+账号密码）
找个干净目录，新建名为.env的文件，内容如下，这是给docker-compose用到的配置文件每个配置项都有详细注释说明

# elastic账号的密码 (至少六个字符) ELASTIC_PASSWORD=123456  # kibana_system账号的密码 (至少六个字符)，该账号仅用于一些kibana的内部设置，不能用来查询es KIBANA_PASSWORD=abcdef  # es和kibana的版本 STACK_VERSION=8.2.2  # 集群名字 CLUSTER_NAME=docker-cluster  # x-pack安全设置，这里选择basic，基础设置，如果选择了trail，则会在30天后到期 LICENSE=basic #LICENSE=trial  # es映射到宿主机的的端口 ES_PORT=9200  # kibana映射到宿主机的的端口 KIBANA_PORT=5601  # es容器的内存大小，请根据自己硬件情况调整 MEM_LIMIT=1073741824  # 命名空间，会体现在容器名的前缀上 COMPOSE_PROJECT_NAME=demo

然后是docker-compose.yaml文件，这里面会用到刚才创建的.env文件，一共创建了五个容器：启动操作、三个es组成集群，一个kibana（多说一句：官方脚本，放心用）

version: "2.2"  services:   setup:     image: elasticsearch:${STACK_VERSION}     volumes:       - certs:/usr/share/elasticsearch/config/certs     user: "0"     command: >       bash -c '         if [ x${ELASTIC_PASSWORD} == x ]; then           echo "Set the ELASTIC_PASSWORD environment variable in the .env file";           exit 1;         elif [ x${KIBANA_PASSWORD} == x ]; then           echo "Set the KIBANA_PASSWORD environment variable in the .env file";           exit 1;         fi;         if [ ! -f config/certs/ca.zip ]; then           echo "Creating CA";           bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;           unzip config/certs/ca.zip -d config/certs;         fi;         if [ ! -f config/certs/certs.zip ]; then           echo "Creating certs";           echo -ne            "instances:n"           "  - name: es01n"           "    dns:n"           "      - es01n"           "      - localhostn"           "    ip:n"           "      - 127.0.0.1n"           "  - name: es02n"           "    dns:n"           "      - es02n"           "      - localhostn"           "    ip:n"           "      - 127.0.0.1n"           "  - name: es03n"           "    dns:n"           "      - es03n"           "      - localhostn"           "    ip:n"           "      - 127.0.0.1n"           > config/certs/instances.yml;           bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;           unzip config/certs/certs.zip -d config/certs;         fi;         echo "Setting file permissions"         chown -R root:root config/certs;         find . -type d -exec chmod 750 {} ;;         find . -type f -exec chmod 640 {} ;;         echo "Waiting for Elasticsearch availability";         until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;         echo "Setting kibana_system password";         until curl -s -X POST --cacert config/certs/ca/ca.crt -u elastic:${ELASTIC_PASSWORD} -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{"password":"${KIBANA_PASSWORD}"}" | grep -q "^{}"; do sleep 10; done;         echo "All done!";       '     healthcheck:       test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"]       interval: 1s       timeout: 5s       retries: 120    es01:     depends_on:       setup:         condition: service_healthy     image: elasticsearch:${STACK_VERSION}     volumes:       - certs:/usr/share/elasticsearch/config/certs       - esdata01:/usr/share/elasticsearch/data     ports:       - ${ES_PORT}:9200     environment:       - node.name=es01       - cluster.name=${CLUSTER_NAME}       - cluster.initial_master_nodes=es01,es02,es03       - discovery.seed_hosts=es02,es03       - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}       - bootstrap.memory_lock=true       - xpack.security.enabled=true       - xpack.security.http.ssl.enabled=true       - xpack.security.http.ssl.key=certs/es01/es01.key       - xpack.security.http.ssl.certificate=certs/es01/es01.crt       - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt       - xpack.security.http.ssl.verification_mode=certificate       - xpack.security.transport.ssl.enabled=true       - xpack.security.transport.ssl.key=certs/es01/es01.key       - xpack.security.transport.ssl.certificate=certs/es01/es01.crt       - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt       - xpack.security.transport.ssl.verification_mode=certificate       - xpack.license.self_generated.type=${LICENSE}     mem_limit: ${MEM_LIMIT}     ulimits:       memlock:         soft: -1         hard: -1     healthcheck:       test:         [           "CMD-SHELL",           "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",         ]       interval: 10s       timeout: 10s       retries: 120    es02:     depends_on:       - es01     image: elasticsearch:${STACK_VERSION}     volumes:       - certs:/usr/share/elasticsearch/config/certs       - esdata02:/usr/share/elasticsearch/data     environment:       - node.name=es02       - cluster.name=${CLUSTER_NAME}       - cluster.initial_master_nodes=es01,es02,es03       - discovery.seed_hosts=es01,es03       - bootstrap.memory_lock=true       - xpack.security.enabled=true       - xpack.security.http.ssl.enabled=true       - xpack.security.http.ssl.key=certs/es02/es02.key       - xpack.security.http.ssl.certificate=certs/es02/es02.crt       - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt       - xpack.security.http.ssl.verification_mode=certificate       - xpack.security.transport.ssl.enabled=true       - xpack.security.transport.ssl.key=certs/es02/es02.key       - xpack.security.transport.ssl.certificate=certs/es02/es02.crt       - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt       - xpack.security.transport.ssl.verification_mode=certificate       - xpack.license.self_generated.type=${LICENSE}     mem_limit: ${MEM_LIMIT}     ulimits:       memlock:         soft: -1         hard: -1     healthcheck:       test:         [           "CMD-SHELL",           "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",         ]       interval: 10s       timeout: 10s       retries: 120    es03:     depends_on:       - es02     image: elasticsearch:${STACK_VERSION}     volumes:       - certs:/usr/share/elasticsearch/config/certs       - esdata03:/usr/share/elasticsearch/data     environment:       - node.name=es03       - cluster.name=${CLUSTER_NAME}       - cluster.initial_master_nodes=es01,es02,es03       - discovery.seed_hosts=es01,es02       - bootstrap.memory_lock=true       - xpack.security.enabled=true       - xpack.security.http.ssl.enabled=true       - xpack.security.http.ssl.key=certs/es03/es03.key       - xpack.security.http.ssl.certificate=certs/es03/es03.crt       - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt       - xpack.security.http.ssl.verification_mode=certificate       - xpack.security.transport.ssl.enabled=true       - xpack.security.transport.ssl.key=certs/es03/es03.key       - xpack.security.transport.ssl.certificate=certs/es03/es03.crt       - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt       - xpack.security.transport.ssl.verification_mode=certificate       - xpack.license.self_generated.type=${LICENSE}     mem_limit: ${MEM_LIMIT}     ulimits:       memlock:         soft: -1         hard: -1     healthcheck:       test:         [           "CMD-SHELL",           "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",         ]       interval: 10s       timeout: 10s       retries: 120    kibana:     depends_on:       es01:         condition: service_healthy       es02:         condition: service_healthy       es03:         condition: service_healthy     image: kibana:${STACK_VERSION}     volumes:       - certs:/usr/share/kibana/config/certs       - kibanadata:/usr/share/kibana/data     ports:       - ${KIBANA_PORT}:5601     environment:       - SERVERNAME=kibana       - ELASTICSEARCH_HOSTS=https://es01:9200       - ELASTICSEARCH_USERNAME=kibana_system       - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}       - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt     mem_limit: ${MEM_LIMIT}     healthcheck:       test:         [           "CMD-SHELL",           "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",         ]       interval: 10s       timeout: 10s       retries: 120  volumes:   certs:     driver: local   esdata01:     driver: local   esdata02:     driver: local   esdata03:     driver: local   kibanadata:     driver: local

注意：.env和docker-compose.yaml两个文件在同一目录下

启动应用

在docker-compose.yaml文件所在目录，执行命令docker-compose up -d启动所有容器

❯ docker-compose up -d Creating network "demo_default" with the default driver Pulling setup (elasticsearch:8.2.2)... 8.2.2: Pulling from library/elasticsearch Digest: sha256:8c666cb1e76650306655b67644a01663f9c7a5422b2c51dd570524267f11ce3d Status: Downloaded newer image for elasticsearch:8.2.2 Pulling kibana (kibana:8.2.2)... 8.2.2: Pulling from library/kibana Digest: sha256:cf34801f36a2e79c834b3cdeb0a3463ff34b8d8588c3ccdd47212c4e0753f8a5 Status: Downloaded newer image for kibana:8.2.2 Creating demo_setup_1 ... done Creating demo_es01_1  ... done Creating demo_es02_1  ... done Creating demo_es03_1  ... done Creating demo_kibana_1 ... done

查看容器状态，负责启动的demo_setup_1已退出，其他的正常运行

❯ docker ps -a CONTAINER ID   IMAGE                 COMMAND                  CREATED          STATUS                      PORTS                              NAMES c8ce010cddfc   kibana:8.2.2          "/bin/tini -- /usr/l…"   20 minutes ago   Up 20 minutes (healthy)     0.0.0.0:5601->5601/tcp             demo_kibana_1 78662d44ae31   elasticsearch:8.2.2   "/bin/tini -- /usr/l…"   21 minutes ago   Up 21 minutes (healthy)     9200/tcp, 9300/tcp                 demo_es03_1 7e96273872cb   elasticsearch:8.2.2   "/bin/tini -- /usr/l…"   21 minutes ago   Up 21 minutes (healthy)     9200/tcp, 9300/tcp                 demo_es02_1 8b8be1d645ba   elasticsearch:8.2.2   "/bin/tini -- /usr/l…"   21 minutes ago   Up 21 minutes (healthy)     0.0.0.0:9200->9200/tcp, 9300/tcp   demo_es01_1 c48ffb724ca2   elasticsearch:8.2.2   "/bin/tini -- /usr/l…"   21 minutes ago   Exited (0) 20 minutes ago                                      demo_setup_1

看看demo_setup_1的日志，提示启动顺利

❯ docker logs demo_setup_1 Setting file permissions Waiting for Elasticsearch availability Setting kibana_system password All done!

如果要使用curl命令向ES发请求，需要提前将crt文件从容器中复制出来

docker cp demo_es01_1:/usr/share/elasticsearch/config/certs/es01/es01.crt .

验证

现在来验证es集群和kibana能不能正常工作
浏览器访问https://localhost:9200/，注意是https，会看到以下警告页面
此时直接键入thisisunsafe再回车，会提示输入账号密码，根据之前的配置账号elastic，密码123456

浏览器显示如下，证明es成功响应了
如果chrome上安装了eshead插件，此时就能查看es集群情况了(注意内部的地址栏中，要用https，而非http)，如下图，一共三个节点，es02前面有五角星标志，表示其主节点的身份
目前看来es集群部署和运行都已经正常，再看kibana是否可用
访问http://localhost:5601/，账号elastic，密码123456
点击下图红框位置，进入输入命令的页面
如下图，左侧输入创建索引的命令，再点击红框中的按钮，右侧会显示执行结果
批量写入两条记录
最后是查询操作

清理

如果要删除es，执行docker-compose down就会删除容器，但是，此命令不会删除数据，下次执行docker-compose up -d后，新的es集群中会出现刚才创建的test001索引，并且数据也在
这是因为docker-compose.yaml中使用了数据卷volume存储es集群的关键数据，这些输入被保存在宿主机的磁盘上

❯ docker volume ls DRIVER    VOLUME NAME local     demo_certs local     demo_esdata01 local     demo_esdata02 local     demo_esdata03 local     demo_kibanadata

执行docker volume rm demo_certs demo_esdata01 demo_esdata02 demo_esdata03即可将它们彻底清除
以上就是快速部署es集群+kibana的整个过程了，是不是很简单呢？

不带密码的集群

有时候咱们部署es不需要安全认证，例如开发环境，或者有防火墙禁止外部访问的环境，那么刚才的部署就不够用了，咱们需要一个更简单的、部署完了立刻能用的集群，接下来动手试试吧
找个干净目录，新建名为.env的文件，内容如下，和安全版相比去掉了一些不需要的内容

# kibana_system账号的密码 (至少六个字符)，该账号仅用于一些kibana的内部设置，不能用来查询es KIBANA_PASSWORD=abcdef  # es和kibana的版本 STACK_VERSION=8.2.2  # 集群名字 CLUSTER_NAME=docker-cluster  # es映射到宿主机的的端口 ES_PORT=9200  # kibana映射到宿主机的的端口 KIBANA_PORT=5601  # es容器的内存大小，请根据自己硬件情况调整 MEM_LIMIT=1073741824  # 命名空间，会体现在容器名的前缀上 COMPOSE_PROJECT_NAME=demo

然后是docker-compose.yaml文件，这里面会用到刚才创建的.env文件，和安全版相比去掉了启动容器，和安全相关的配置和脚本也删除了

version: "2.2"  services:   es01:     image: elasticsearch:${STACK_VERSION}     volumes:       - esdata01:/usr/share/elasticsearch/data     ports:       - ${ES_PORT}:9200     environment:       - node.name=es01       - cluster.name=${CLUSTER_NAME}       - cluster.initial_master_nodes=es01,es02,es03       - discovery.seed_hosts=es02,es03       - bootstrap.memory_lock=true       - xpack.security.enabled=false       - xpack.security.http.ssl.enabled=false       - xpack.security.transport.ssl.enabled=false     mem_limit: ${MEM_LIMIT}     ulimits:       memlock:         soft: -1         hard: -1    es02:     depends_on:       - es01     image: elasticsearch:${STACK_VERSION}     volumes:       - esdata02:/usr/share/elasticsearch/data     environment:       - node.name=es02       - cluster.name=${CLUSTER_NAME}       - cluster.initial_master_nodes=es01,es02,es03       - discovery.seed_hosts=es01,es03       - bootstrap.memory_lock=true       - xpack.security.enabled=false       - xpack.security.http.ssl.enabled=false       - xpack.security.transport.ssl.enabled=false     mem_limit: ${MEM_LIMIT}     ulimits:       memlock:         soft: -1         hard: -1    es03:     depends_on:       - es02     image: elasticsearch:${STACK_VERSION}     volumes:       - esdata03:/usr/share/elasticsearch/data     environment:       - node.name=es03       - cluster.name=${CLUSTER_NAME}       - cluster.initial_master_nodes=es01,es02,es03       - discovery.seed_hosts=es01,es02       - bootstrap.memory_lock=true       - xpack.security.enabled=false       - xpack.security.http.ssl.enabled=false       - xpack.security.transport.ssl.enabled=false     mem_limit: ${MEM_LIMIT}     ulimits:       memlock:         soft: -1         hard: -1   kibana:     image: kibana:${STACK_VERSION}     volumes:       - kibanadata:/usr/share/kibana/data     ports:       - ${KIBANA_PORT}:5601     environment:       - SERVERNAME=kibana       - ELASTICSEARCH_HOSTS=http://es01:9200       - ELASTICSEARCH_USERNAME=kibana_system       - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}     mem_limit: ${MEM_LIMIT}  volumes:   esdata01:     driver: local   esdata02:     driver: local   esdata03:     driver: local   kibanadata:     driver: local

注意：.env和docker-compose.yaml两个文件在同一目录下

启动和验证

启动前，请先停止和清理掉刚才部署的安全版
在docker-compose.yaml文件所在目录，执行命令docker-compose up -d启动所有容器，稍等片刻，可见所有容器已经就绪

❯ docker ps -a CONTAINER ID   IMAGE                 COMMAND                  CREATED         STATUS         PORTS                              NAMES 11663375288d   elasticsearch:8.2.2   "/bin/tini -- /usr/l…"   4 minutes ago   Up 4 minutes   9200/tcp, 9300/tcp                 demo_es03_1 ad6f0390b9cf   elasticsearch:8.2.2   "/bin/tini -- /usr/l…"   4 minutes ago   Up 4 minutes   9200/tcp, 9300/tcp                 demo_es02_1 5080709e5358   kibana:8.2.2          "/bin/tini -- /usr/l…"   4 minutes ago   Up 4 minutes   0.0.0.0:5601->5601/tcp             demo_kibana_1 4b1e576fbfd3   elasticsearch:8.2.2   "/bin/tini -- /usr/l…"   4 minutes ago   Up 4 minutes   0.0.0.0:9200->9200/tcp, 9300/tcp   demo_es01_1