{"id":2107,"date":"2024-07-27T09:02:40","date_gmt":"2024-07-27T07:02:40","guid":{"rendered":"https:\/\/blog.mhasin.eu\/?p=2107"},"modified":"2024-07-27T09:03:05","modified_gmt":"2024-07-27T07:03:05","slug":"elasticsearch-docker-ssl","status":"publish","type":"post","link":"https:\/\/blog.mhasin.eu\/?p=2107","title":{"rendered":"Elasticsearch docker ssl"},"content":{"rendered":"\n

env file:<\/p>\n\n\n\n

# Password for the 'elastic' user (at least 6 characters)\nELASTIC_PASSWORD=\n\n# Password for the 'kibana_system' user (at least 6 characters)\nKIBANA_PASSWORD=\n\n# Version of Elastic products\nSTACK_VERSION=8.1.1\n\n# Set the cluster name\nCLUSTER_NAME=docker-cluster\n\n# Set to 'basic' or 'trial' to automatically start the 30-day trial\nLICENSE=basic\n#LICENSE=trial\n\n# Port to expose Elasticsearch HTTP API to the host\nES_PORT=9200\n#ES_PORT=127.0.0.1:9200\n\n# Port to expose Kibana to the host\nKIBANA_PORT=5601\n#KIBANA_PORT=80\n\n# Increase or decrease based on the available host memory (in bytes)\nMEM_LIMIT=1073741824\n\n# Project namespace (defaults to the current folder name if not set)\n#COMPOSE_PROJECT_NAME=myproject<\/code><\/pre>\n\n\n\n
DOcker compose:<\/p>\n\n\n\n
version: \"2.2\"\n\nservices:\n  setup:\n    image: docker.elastic.co\/elasticsearch\/elasticsearch:${STACK_VERSION}\n    volumes:\n      - certs:\/usr\/share\/elasticsearch\/config\/certs\n    user: \"0\"\n    command: >\n      bash -c '\n        if [ x${ELASTIC_PASSWORD} == x ]; then\n          echo \"Set the ELASTIC_PASSWORD environment variable in the .env file\";\n          exit 1;\n        elif [ x${KIBANA_PASSWORD} == x ]; then\n          echo \"Set the KIBANA_PASSWORD environment variable in the .env file\";\n          exit 1;\n        fi;\n        if [ ! -f certs\/ca.zip ]; then\n          echo \"Creating CA\";\n          bin\/elasticsearch-certutil ca --silent --pem -out config\/certs\/ca.zip;\n          unzip config\/certs\/ca.zip -d config\/certs;\n        fi;\n        if [ ! -f certs\/certs.zip ]; then\n          echo \"Creating certs\";\n          echo -ne \\\n          \"instances:\\n\"\\\n          \"  - name: es01\\n\"\\\n          \"    dns:\\n\"\\\n          \"      - es01\\n\"\\\n          \"      - localhost\\n\"\\\n          \"    ip:\\n\"\\\n          \"      - 127.0.0.1\\n\"\\\n          \"  - name: es02\\n\"\\\n          \"    dns:\\n\"\\\n          \"      - es02\\n\"\\\n          \"      - localhost\\n\"\\\n          \"    ip:\\n\"\\\n          \"      - 127.0.0.1\\n\"\\\n          \"  - name: es03\\n\"\\\n          \"    dns:\\n\"\\\n          \"      - es03\\n\"\\\n          \"      - localhost\\n\"\\\n          \"    ip:\\n\"\\\n          \"      - 127.0.0.1\\n\"\\\n          > config\/certs\/instances.yml;\n          bin\/elasticsearch-certutil cert --silent --pem -out config\/certs\/certs.zip --in config\/certs\/instances.yml --ca-cert config\/certs\/ca\/ca.crt --ca-key config\/certs\/ca\/ca.key;\n          unzip config\/certs\/certs.zip -d config\/certs;\n        fi;\n        echo \"Setting file permissions\"\n        chown -R root:root config\/certs;\n        find . -type d -exec chmod 750 \\{\\} \\;;\n        find . -type f -exec chmod 640 \\{\\} \\;;\n        echo \"Waiting for Elasticsearch availability\";\n        until curl -s --cacert config\/certs\/ca\/ca.crt https:\/\/es01:9200 | grep -q \"missing authentication credentials\"; do sleep 30; done;\n        echo \"Setting kibana_system password\";\n        until curl -s -X POST --cacert config\/certs\/ca\/ca.crt -u elastic:${ELASTIC_PASSWORD} -H \"Content-Type: application\/json\" https:\/\/es01:9200\/_security\/user\/kibana_system\/_password -d \"{\\\"password\\\":\\\"${KIBANA_PASSWORD}\\\"}\" | grep -q \"^{}\"; do sleep 10; done;\n        echo \"All done!\";\n      '\n    healthcheck:\n      test: [\"CMD-SHELL\", \"[ -f config\/certs\/es01\/es01.crt ]\"]\n      interval: 1s\n      timeout: 5s\n      retries: 120\n\n  es01:\n    depends_on:\n      setup:\n        condition: service_healthy\n    image: docker.elastic.co\/elasticsearch\/elasticsearch:${STACK_VERSION}\n    volumes:\n      - certs:\/usr\/share\/elasticsearch\/config\/certs\n      - esdata01:\/usr\/share\/elasticsearch\/data\n    ports:\n      - ${ES_PORT}:9200\n    environment:\n      - node.name=es01\n      - cluster.name=${CLUSTER_NAME}\n      - cluster.initial_master_nodes=es01,es02,es03\n      - discovery.seed_hosts=es02,es03\n      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}\n      - bootstrap.memory_lock=true\n      - xpack.security.enabled=true\n      - xpack.security.http.ssl.enabled=true\n      - xpack.security.http.ssl.key=certs\/es01\/es01.key\n      - xpack.security.http.ssl.certificate=certs\/es01\/es01.crt\n      - xpack.security.http.ssl.certificate_authorities=certs\/ca\/ca.crt\n      - xpack.security.http.ssl.verification_mode=certificate\n      - xpack.security.transport.ssl.enabled=true\n      - xpack.security.transport.ssl.key=certs\/es01\/es01.key\n      - xpack.security.transport.ssl.certificate=certs\/es01\/es01.crt\n      - xpack.security.transport.ssl.certificate_authorities=certs\/ca\/ca.crt\n      - xpack.security.transport.ssl.verification_mode=certificate\n      - xpack.license.self_generated.type=${LICENSE}\n    mem_limit: ${MEM_LIMIT}\n    ulimits:\n      memlock:\n        soft: -1\n        hard: -1\n    healthcheck:\n      test:\n        [\n          \"CMD-SHELL\",\n          \"curl -s --cacert config\/certs\/ca\/ca.crt https:\/\/localhost:9200 | grep -q 'missing authentication credentials'\",\n        ]\n      interval: 10s\n      timeout: 10s\n      retries: 120\n\n  es02:\n    depends_on:\n      - es01\n    image: docker.elastic.co\/elasticsearch\/elasticsearch:${STACK_VERSION}\n    volumes:\n      - certs:\/usr\/share\/elasticsearch\/config\/certs\n      - esdata02:\/usr\/share\/elasticsearch\/data\n    environment:\n      - node.name=es02\n      - cluster.name=${CLUSTER_NAME}\n      - cluster.initial_master_nodes=es01,es02,es03\n      - discovery.seed_hosts=es01,es03\n      - bootstrap.memory_lock=true\n      - xpack.security.enabled=true\n      - xpack.security.http.ssl.enabled=true\n      - xpack.security.http.ssl.key=certs\/es02\/es02.key\n      - xpack.security.http.ssl.certificate=certs\/es02\/es02.crt\n      - xpack.security.http.ssl.certificate_authorities=certs\/ca\/ca.crt\n      - xpack.security.http.ssl.verification_mode=certificate\n      - xpack.security.transport.ssl.enabled=true\n      - xpack.security.transport.ssl.key=certs\/es02\/es02.key\n      - xpack.security.transport.ssl.certificate=certs\/es02\/es02.crt\n      - xpack.security.transport.ssl.certificate_authorities=certs\/ca\/ca.crt\n      - xpack.security.transport.ssl.verification_mode=certificate\n      - xpack.license.self_generated.type=${LICENSE}\n    mem_limit: ${MEM_LIMIT}\n    ulimits:\n      memlock:\n        soft: -1\n        hard: -1\n    healthcheck:\n      test:\n        [\n          \"CMD-SHELL\",\n          \"curl -s --cacert config\/certs\/ca\/ca.crt https:\/\/localhost:9200 | grep -q 'missing authentication credentials'\",\n        ]\n      interval: 10s\n      timeout: 10s\n      retries: 120\n\n  es03:\n    depends_on:\n      - es02\n    image: docker.elastic.co\/elasticsearch\/elasticsearch:${STACK_VERSION}\n    volumes:\n      - certs:\/usr\/share\/elasticsearch\/config\/certs\n      - esdata03:\/usr\/share\/elasticsearch\/data\n    environment:\n      - node.name=es03\n      - cluster.name=${CLUSTER_NAME}\n      - cluster.initial_master_nodes=es01,es02,es03\n      - discovery.seed_hosts=es01,es02\n      - bootstrap.memory_lock=true\n      - xpack.security.enabled=true\n      - xpack.security.http.ssl.enabled=true\n      - xpack.security.http.ssl.key=certs\/es03\/es03.key\n      - xpack.security.http.ssl.certificate=certs\/es03\/es03.crt\n      - xpack.security.http.ssl.certificate_authorities=certs\/ca\/ca.crt\n      - xpack.security.http.ssl.verification_mode=certificate\n      - xpack.security.transport.ssl.enabled=true\n      - xpack.security.transport.ssl.key=certs\/es03\/es03.key\n      - xpack.security.transport.ssl.certificate=certs\/es03\/es03.crt\n      - xpack.security.transport.ssl.certificate_authorities=certs\/ca\/ca.crt\n      - xpack.security.transport.ssl.verification_mode=certificate\n      - xpack.license.self_generated.type=${LICENSE}\n    mem_limit: ${MEM_LIMIT}\n    ulimits:\n      memlock:\n        soft: -1\n        hard: -1\n    healthcheck:\n      test:\n        [\n          \"CMD-SHELL\",\n          \"curl -s --cacert config\/certs\/ca\/ca.crt https:\/\/localhost:9200 | grep -q 'missing authentication credentials'\",\n        ]\n      interval: 10s\n      timeout: 10s\n      retries: 120\n\n  kibana:\n    depends_on:\n      es01:\n        condition: service_healthy\n      es02:\n        condition: service_healthy\n      es03:\n        condition: service_healthy\n    image: docker.elastic.co\/kibana\/kibana:${STACK_VERSION}\n    volumes:\n      - certs:\/usr\/share\/kibana\/config\/certs\n      - kibanadata:\/usr\/share\/kibana\/data\n    ports:\n      - ${KIBANA_PORT}:5601\n    environment:\n      - SERVERNAME=kibana\n      - ELASTICSEARCH_HOSTS=https:\/\/es01:9200\n      - ELASTICSEARCH_USERNAME=kibana_system\n      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}\n      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config\/certs\/ca\/ca.crt\n    mem_limit: ${MEM_LIMIT}\n    healthcheck:\n      test:\n        [\n          \"CMD-SHELL\",\n          \"curl -s -I http:\/\/localhost:5601 | grep -q 'HTTP\/1.1 302 Found'\",\n        ]\n      interval: 10s\n      timeout: 10s\n      retries: 120\n\nvolumes:\n  certs:\n    driver: local\n  esdata01:\n    driver: local\n  esdata02:\n    driver: local\n  esdata03:\n    driver: local\n  kibanadata:\n    driver: local<\/code><\/pre>\n\n\n\n
Viac info:<\/p>\n\n\n\n
\nhttps:\/\/www.elastic.org.cn\/docs\/8.1\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/docker.html\n<\/div><\/figure>\n
 \t
 \t\t \t\t\"\"<\/a> \t\t\u00a0\u00a0<\/span> \t\tSend article as PDF<\/span> \t\t\u00a0\u00a0<\/span> \t\t \t\t \t<\/form> <\/div>","protected":false},"excerpt":{"rendered":"env file: DOcker compose: Viac info: \u00a0\u00a0 Send article as PDF \u00a0\u00a0\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"arc_restricted_post":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2107","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/2107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2107"}],"version-history":[{"count":1,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/2107\/revisions"}],"predecessor-version":[{"id":2108,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/2107\/revisions\/2108"}],"wp:attachment":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}