
Deploying an Elasticsearch 8.x cluster with docker-compose


Environment preparation

Host requirements

  • At least 3 hosts (an odd number of nodes is recommended so a master election always has a majority)

  • Docker and Docker Compose installed

  • Network connectivity between the hosts (ports 9200 and 9300)

  • At least 4 GB of memory per host

Example host information

  • Host 1: 192.168.1.10 (es-node-1)

  • Host 2: 192.168.1.11 (es-node-2)

  • Host 3: 192.168.1.12 (es-node-3)

Step 1: Preparation

1. Create the directory structure on every host

mkdir -p /opt/elasticsearch/{data,logs,config,certs}
# World-writable so the container's uid 1000 can write to them; chown -R 1000:1000
# on these two directories (as is done for certs later) is the tighter alternative
chmod 777 /opt/elasticsearch/data
chmod 777 /opt/elasticsearch/logs

2. Set the kernel and limit parameters

# Virtual memory: Elasticsearch refuses to start below this mmap count
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
sysctl -p
# File descriptor limits
echo '* soft nofile 65536' >> /etc/security/limits.conf
echo '* hard nofile 65536' >> /etc/security/limits.conf

3. Create the Docker network (on every host)

docker network create elasticsearch-net

Step 2: Generate the SSL certificates

Generate the certificates on the first host

# First set the correct ownership on the certificate directory
sudo chown -R 1000:1000 /opt/elasticsearch/certs
sudo chmod 755 /opt/elasticsearch/certs

# Method 1: generate the certificates with a temporary container (recommended)
# 1. Generate the CA certificate
docker run --rm --user 1000:1000 \
  -v /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.19.3 \
  elasticsearch-certutil ca --out /usr/share/elasticsearch/config/certs/elastic-stack-ca.p12 --pass ''

# 2. Generate a certificate for each node (the DNS and IP SANs must match the node's name and address)
docker run --rm --user 1000:1000 \
  -v /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.19.3 \
  elasticsearch-certutil cert \
  --name es-node-1 \
  --dns es-node-1,localhost \
  --ip 192.168.1.10,127.0.0.1 \
  --ca /usr/share/elasticsearch/config/certs/elastic-stack-ca.p12 \
  --ca-pass '' \
  --out /usr/share/elasticsearch/config/certs/es-node-1.p12 \
  --pass ''

docker run --rm --user 1000:1000 \
  -v /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.19.3 \
  elasticsearch-certutil cert \
  --name es-node-2 \
  --dns es-node-2,localhost \
  --ip 192.168.1.11,127.0.0.1 \
  --ca /usr/share/elasticsearch/config/certs/elastic-stack-ca.p12 \
  --ca-pass '' \
  --out /usr/share/elasticsearch/config/certs/es-node-2.p12 \
  --pass ''

docker run --rm --user 1000:1000 \
  -v /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.19.3 \
  elasticsearch-certutil cert \
  --name es-node-3 \
  --dns es-node-3,localhost \
  --ip 192.168.1.12,127.0.0.1 \
  --ca /usr/share/elasticsearch/config/certs/elastic-stack-ca.p12 \
  --ca-pass '' \
  --out /usr/share/elasticsearch/config/certs/es-node-3.p12 \
  --pass ''

# 3. Verify that the certificates were generated
ls -la /opt/elasticsearch/certs/

# Method 2: if method 1 gives trouble, use an instances file (the CA certificate must already exist)
# Make sure the CA certificate has been generated before running the following:
cat > /opt/elasticsearch/certs/instances.yml << EOF
instances:
  - name: es-node-1
    dns:
      - es-node-1
      - localhost
    ip:
      - 192.168.1.10
      - 127.0.0.1
  - name: es-node-2
    dns:
      - es-node-2
      - localhost
    ip:
      - 192.168.1.11
      - 127.0.0.1
  - name: es-node-3
    dns:
      - es-node-3
      - localhost
    ip:
      - 192.168.1.12
      - 127.0.0.1
EOF

# Generate the node certificates from the instances file and the CA certificate
docker run --rm --user 1000:1000 \
  -v /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.19.3 \
  elasticsearch-certutil cert \
  --silent \
  --ca /usr/share/elasticsearch/config/certs/elastic-stack-ca.p12 \
  --ca-pass '' \
  --in /usr/share/elasticsearch/config/certs/instances.yml \
  --out /usr/share/elasticsearch/config/certs/bundle.zip \
  --pass ''

# Unpack the certificate bundle
cd /opt/elasticsearch/certs
unzip bundle.zip
# certutil places each node's file in its own directory (es-node-1/es-node-1.p12);
# move them up so the keystore paths used in docker-compose.yml resolve
for n in es-node-1 es-node-2 es-node-3; do mv "$n/$n.p12" . && rmdir "$n"; done

# Method 3: the simplest self-signed option (if both methods above fail)
# Note: each node gets its own self-signed certificate with no shared CA, so the nodes
# will only accept each other with xpack.security.transport.ssl.verification_mode=none
# Generate a self-signed certificate for each node
docker run --rm --user 1000:1000 \
  -v /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.19.3 \
  elasticsearch-certutil cert \
  --self-signed \
  --name es-node-1 \
  --dns es-node-1,localhost \
  --ip 192.168.1.10,127.0.0.1 \
  --out /usr/share/elasticsearch/config/certs/es-node-1.p12 \
  --pass ''

docker run --rm --user 1000:1000 \
  -v /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.19.3 \
  elasticsearch-certutil cert \
  --self-signed \
  --name es-node-2 \
  --dns es-node-2,localhost \
  --ip 192.168.1.11,127.0.0.1 \
  --out /usr/share/elasticsearch/config/certs/es-node-2.p12 \
  --pass ''

docker run --rm --user 1000:1000 \
  -v /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs \
  docker.elastic.co/elasticsearch/elasticsearch:8.19.3 \
  elasticsearch-certutil cert \
  --self-signed \
  --name es-node-3 \
  --dns es-node-3,localhost \
  --ip 192.168.1.12,127.0.0.1 \
  --out /usr/share/elasticsearch/config/certs/es-node-3.p12 \
  --pass ''

Copy the certificates to the other hosts

# Copy the certificates from host 1 to host 2 and host 3
scp -r /opt/elasticsearch/certs root@192.168.1.11:/opt/elasticsearch/
scp -r /opt/elasticsearch/certs root@192.168.1.12:/opt/elasticsearch/

Go to the other machines and change the owner of the certificates, otherwise the node will not start!

chown -R 1000:1000 /opt/elasticsearch/certs
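Method 2 and the layout that `unzip bundle.zip` leaves behind are easy to get wrong across three nodes. The script below is an added example, not part of the original post: it builds instances.yml from a single list of name:ip pairs and moves each node's .p12 out of the per-node directory certutil creates, failing if any node is left without a certificate. NODES, CERT_DIR, write_instances_yml, flatten_bundle and count_instances are names chosen here; the certificate directory defaults to the one used in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the instances.yml that
# elasticsearch-certutil reads with --in, and normalises the unpacked bundle so
# that /opt/elasticsearch/certs/<node>.p12 exists for every node.
# Assumption: NODES holds "name:ip" pairs; CERT_DIR is the post's certs directory.

NODES="es-node-1:192.168.1.10 es-node-2:192.168.1.11 es-node-3:192.168.1.12"
CERT_DIR="${CERT_DIR:-/opt/elasticsearch/certs}"

# write_instances_yml <name:ip>...  -> prints the YAML certutil expects on stdout
# (each node gets its own name and IP plus localhost/127.0.0.1 as SANs)
write_instances_yml() {
  echo "instances:"
  for pair in "$@"; do
    name=${pair%%:*}
    ip=${pair#*:}
    printf '  - name: %s\n    dns:\n      - %s\n      - localhost\n    ip:\n      - %s\n      - 127.0.0.1\n' \
      "$name" "$name" "$ip"
  done
}

# count_instances <file> -> number of "- name:" entries, to cross-check against NODES
count_instances() {
  grep -c '^  - name: ' "$1"
}

# flatten_bundle <dir> <name>...  -> moves <dir>/<name>/<name>.p12 to <dir>/<name>.p12
# and removes the emptied directory; returns 1 and names the first node that has
# no non-empty certificate file afterwards
flatten_bundle() {
  dir="$1"; shift
  for name in "$@"; do
    if [ -f "$dir/$name/$name.p12" ]; then
      mv "$dir/$name/$name.p12" "$dir/$name.p12"
      rmdir "$dir/$name" 2>/dev/null || true
    fi
    if [ ! -s "$dir/$name.p12" ]; then
      echo "missing certificate for $name: $dir/$name.p12" >&2
      return 1
    fi
  done
  return 0
}

# Usage on host 1 after generating the CA (the certutil call itself is the one
# from the post): sh this_script.sh --run, then run certutil with --in, unzip,
# and sh this_script.sh --flatten
if [ "${1:-}" = "--run" ]; then
  write_instances_yml $NODES > "$CERT_DIR/instances.yml"
  echo "wrote $(count_instances "$CERT_DIR/instances.yml") instances to $CERT_DIR/instances.yml"
elif [ "${1:-}" = "--flatten" ]; then
  names=""
  for pair in $NODES; do names="$names ${pair%%:*}"; done
  flatten_bundle "$CERT_DIR" $names && echo "all node certificates present in $CERT_DIR"
fi
```

The flatten step is the one most often skipped: compose points at certs/es-node-N.p12, while the bundle unpacks into certs/es-node-N/es-node-N.p12, and the node then fails at startup with a keystore-not-found error.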

Step 3: Create the configuration files

Host 1 (192.168.1.10)

/opt/elasticsearch/docker-compose.yml

services:
  es-node-1:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.19.3
    container_name: es-node-1
    environment:
      - node.name=es-node-1
      - cluster.name=my-es-cluster
      # The three host addresses from the example above; every node lists all three
      - discovery.seed_hosts=192.168.1.10:9300,192.168.1.11:9300,192.168.1.12:9300
      - cluster.initial_master_nodes=es-node-1,es-node-2,es-node-3
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
      - network.host=0.0.0.0
      # This host's own address, the one the other nodes connect to
      - network.publish_host=192.168.1.10
      - transport.host=0.0.0.0
      - http.host=0.0.0.0
      - transport.port=9300
      - transport.publish_host=192.168.1.10
      - http.port=9200
      # X-Pack security settings
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-1.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/certs/es-node-1.p12
      # none encrypts the transport but skips certificate validation; with the CA-signed
      # certificates from method 1 or 2 (SANs matching the names/IPs above) use certificate
      # or full. The self-signed method 3 certificates only work with none.
      - xpack.security.transport.ssl.verification_mode=none
      # The HTTP API on 9200 is plain text; set this to true to serve HTTPS with the keystore below
      - xpack.security.http.ssl.enabled=false
      - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-1.p12
      - xpack.license.self_generated.type=basic
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /opt/elasticsearch/data:/usr/share/elasticsearch/data
      - /opt/elasticsearch/logs:/usr/share/elasticsearch/logs
      - /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs
    ports:
      - "9200:9200"
      - "9300:9300"
    networks:
      - elasticsearch-net
    restart: unless-stopped

networks:
  elasticsearch-net:
    external: true

Host 2 (192.168.1.11)

/opt/elasticsearch/docker-compose.yml

services:
  es-node-2:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.19.3
    container_name: es-node-2
    environment:
      - node.name=es-node-2
      - cluster.name=my-es-cluster
      # The three host addresses from the example above; every node lists all three
      - discovery.seed_hosts=192.168.1.10:9300,192.168.1.11:9300,192.168.1.12:9300
      - cluster.initial_master_nodes=es-node-1,es-node-2,es-node-3
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
      - network.host=0.0.0.0
      # This host's own address, the one the other nodes connect to
      - network.publish_host=192.168.1.11
      - transport.host=0.0.0.0
      - http.host=0.0.0.0
      - transport.port=9300
      - transport.publish_host=192.168.1.11
      - http.port=9200
      # X-Pack security settings
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-2.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/certs/es-node-2.p12
      # none encrypts the transport but skips certificate validation; with the CA-signed
      # certificates from method 1 or 2 (SANs matching the names/IPs above) use certificate
      # or full. The self-signed method 3 certificates only work with none.
      - xpack.security.transport.ssl.verification_mode=none
      # The HTTP API on 9200 is plain text; set this to true to serve HTTPS with the keystore below
      - xpack.security.http.ssl.enabled=false
      - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-2.p12
      - xpack.license.self_generated.type=basic
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /opt/elasticsearch/data:/usr/share/elasticsearch/data
      - /opt/elasticsearch/logs:/usr/share/elasticsearch/logs
      - /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs
    ports:
      - "9200:9200"
      - "9300:9300"
    networks:
      - elasticsearch-net
    restart: unless-stopped

networks:
  elasticsearch-net:
    external: true

Host 3 (192.168.1.12)

/opt/elasticsearch/docker-compose.yml

services:
  es-node-3:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.19.3
    container_name: es-node-3
    environment:
      - node.name=es-node-3
      - cluster.name=my-es-cluster
      # The three host addresses from the example above; every node lists all three
      - discovery.seed_hosts=192.168.1.10:9300,192.168.1.11:9300,192.168.1.12:9300
      - cluster.initial_master_nodes=es-node-1,es-node-2,es-node-3
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
      - network.host=0.0.0.0
      # This host's own address, the one the other nodes connect to
      - network.publish_host=192.168.1.12
      - transport.host=0.0.0.0
      - http.host=0.0.0.0
      - transport.port=9300
      - transport.publish_host=192.168.1.12
      - http.port=9200
      # X-Pack security settings
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-3.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/certs/es-node-3.p12
      # none encrypts the transport but skips certificate validation; with the CA-signed
      # certificates from method 1 or 2 (SANs matching the names/IPs above) use certificate
      # or full. The self-signed method 3 certificates only work with none.
      - xpack.security.transport.ssl.verification_mode=none
      # The HTTP API on 9200 is plain text; set this to true to serve HTTPS with the keystore below
      - xpack.security.http.ssl.enabled=false
      - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-3.p12
      - xpack.license.self_generated.type=basic
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /opt/elasticsearch/data:/usr/share/elasticsearch/data
      - /opt/elasticsearch/logs:/usr/share/elasticsearch/logs
      - /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs
    ports:
      - "9200:9200"
      - "9300:9300"
    networks:
      - elasticsearch-net
    restart: unless-stopped

networks:
  elasticsearch-net:
    external: true
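Three nearly identical compose files invite copy-paste slips: the wrong node's keystore, a publish address that is not in the seed list, or two publish settings that disagree. The lint below is an added example, not part of the original post. It reads the environment keys used above (node.name, network.publish_host, transport.publish_host, discovery.seed_hosts, xpack.security.transport.ssl.keystore.path and ...verification_mode) out of one docker-compose.yml and reports those mismatches; it also warns when the transport verification mode is none. sample_compose writes a constructed minimal file for testing; env_value, check_compose and sample_compose are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): lint one node's docker-compose.yml
# for the per-node values that must agree before the cluster can form.
# Assumes the "- key=value" environment list style used in the post.

# env_value <sed-escaped key> <file> -> value of "- key=value" in the environment list
env_value() {
  sed -n "s/^ *- $1=\(.*\)$/\1/p" "$2" | head -n 1
}

# check_compose <file> -> prints each problem, returns the number of hard errors (0 = ok)
check_compose() {
  f="$1"; errors=0
  node=$(env_value 'node\.name' "$f")
  pub=$(env_value 'network\.publish_host' "$f")
  tpub=$(env_value 'transport\.publish_host' "$f")
  seeds=$(env_value 'discovery\.seed_hosts' "$f")
  keystore=$(env_value 'xpack\.security\.transport\.ssl\.keystore\.path' "$f")
  mode=$(env_value 'xpack\.security\.transport\.ssl\.verification_mode' "$f")

  # 1. the keystore must be this node's own certificate (es-node-2.p12 on es-node-2);
  #    otherwise the SANs never match and the node presents another node's identity
  base=$(basename "$keystore" .p12)
  if [ "$base" != "$node" ]; then
    echo "ERROR: node.name=$node but the transport keystore is $keystore"
    errors=$((errors + 1))
  fi
  # 2. both publish addresses must agree, and this host must appear in seed_hosts
  if [ "$pub" != "$tpub" ]; then
    echo "ERROR: network.publish_host=$pub differs from transport.publish_host=$tpub"
    errors=$((errors + 1))
  fi
  case ",$seeds," in
    *",$pub:9300,"*) ;;
    *) echo "ERROR: publish_host $pub is not listed in discovery.seed_hosts=$seeds"
       errors=$((errors + 1)) ;;
  esac
  # 3. verification_mode=none accepts any certificate on the transport port: warn only,
  #    because the post's self-signed method 3 certificates cannot use anything else
  if [ "$mode" = "none" ]; then
    echo "WARN: $node: transport verification_mode=none; use certificate or full with CA-signed certs"
  fi
  return $errors
}

# sample_compose <node> <publish_ip> <keystore_node> -> constructed minimal compose file
# on stdout, with the same environment keys as the post's files (used for the test run)
sample_compose() {
  cat <<EOF
services:
  $1:
    environment:
      - node.name=$1
      - discovery.seed_hosts=192.168.1.10:9300,192.168.1.11:9300,192.168.1.12:9300
      - network.publish_host=$2
      - transport.publish_host=$2
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/certs/$3.p12
      - xpack.security.transport.ssl.verification_mode=certificate
EOF
}

# Usage on each host: sh this_script.sh /opt/elasticsearch/docker-compose.yml
if [ -n "${1:-}" ]; then
  check_compose "$1" && echo "OK: $1"
fi
```

Run it on every host before `docker-compose up`; a non-zero exit means the node would either fail to join or join with another node's certificate.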

Step 4: Start the cluster

1. Start the nodes one at a time

# Start on host 1
cd /opt/elasticsearch
docker-compose up -d

# Wait 30 seconds, then start on host 2
cd /opt/elasticsearch
docker-compose up -d

# Wait 30 seconds, then start on host 3
cd /opt/elasticsearch
docker-compose up -d

2. Watch the startup log

docker logs -f es-node-1

Step 5: Set the passwords

Run on any one of the hosts

# Set the built-in user passwords
# (deprecated but still shipped in 8.x; elasticsearch-reset-password is the current tool)
docker exec -it es-node-1 /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

Set passwords for the following users when prompted:

  • elastic (superuser)
  • kibana_system
  • logstash_system
  • beats_system
  • apm_system
  • remote_monitoring_user

Step 6: Verify the cluster state

1. Check the cluster health

# The compose files above leave HTTP TLS off, so the API is served over plain http://;
# switch to https:// (adding -k only for self-signed certificates) once you set
# xpack.security.http.ssl.enabled=true
curl -u elastic:your_password "http://192.168.1.10:9200/_cluster/health?pretty"

2. List the cluster nodes

curl -u elastic:your_password "http://192.168.1.10:9200/_cat/nodes?v"

3. View the cluster statistics

curl -u elastic:your_password "http://192.168.1.10:9200/_cluster/stats?pretty"
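A green health response alone does not prove the cluster formed as intended: a node that never joined, or a second elected master after a partition, only shows up in the node count and in _cat/nodes. The script below is an added example, not part of the original post. It parses constructed sample responses shaped like _cluster/health?pretty and _cat/nodes?v&h=name,master,node.role and passes only when the node count matches the expected value, exactly one master is elected and the status is not red. With --live it queries the cluster over the plain-http endpoint of the compose files above; ES_URL, ES_PASSWORD, json_field, elected_masters, master_eligible and check_cluster are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): decide from _cluster/health and
# _cat/nodes whether the 3-node cluster formed correctly.
# The two samples below are constructed to look like a healthy cluster's responses.

SAMPLE_HEALTH='{
  "cluster_name" : "my-es-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 1,
  "active_shards" : 2,
  "unassigned_shards" : 0
}'

SAMPLE_NODES='name      master node.role
es-node-1 *      cdfhilmrstw
es-node-2 -      cdfhilmrstw
es-node-3 -      cdfhilmrstw'

# json_field <key> <json> -> scalar value of a top-level key in pretty-printed JSON
# (string quotes are stripped; enough for the flat health response, not a JSON parser)
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\" *: *\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# elected_masters <cat_nodes_output> -> number of rows whose master column is "*"
elected_masters() {
  printf '%s\n' "$1" | awk 'NR > 1 && $2 == "*" { n++ } END { print n + 0 }'
}

# master_eligible <cat_nodes_output> -> number of rows whose node.role contains "m"
master_eligible() {
  printf '%s\n' "$1" | awk 'NR > 1 && index($3, "m") > 0 { n++ } END { print n + 0 }'
}

# check_cluster <expected_nodes> <health_json> <cat_nodes_output> -> 0 when the cluster is usable
check_cluster() {
  expected="$1"
  status=$(json_field status "$2")
  nodes=$(json_field number_of_nodes "$2")
  unassigned=$(json_field unassigned_shards "$2")
  masters=$(elected_masters "$3")
  eligible=$(master_eligible "$3")
  if [ -z "$status" ] || [ "$status" = "red" ]; then
    echo "FAIL: cluster status is '${status:-unknown}'"; return 1
  fi
  if [ "$nodes" != "$expected" ]; then
    echo "FAIL: expected $expected nodes, health reports $nodes (a node did not join, or a partition formed)"
    return 1
  fi
  if [ "$masters" != "1" ]; then
    echo "FAIL: $masters elected masters in _cat/nodes, expected exactly 1"; return 1
  fi
  [ "$unassigned" = "0" ] || echo "WARN: $unassigned unassigned shards (status $status)"
  [ "$eligible" -ge 3 ] || echo "WARN: only $eligible master-eligible nodes; losing one breaks the voting majority"
  echo "OK: status=$status nodes=$nodes elected_master=1 master_eligible=$eligible"
  return 0
}

# Live use against the cluster from the post (http because its HTTP TLS is disabled):
#   ES_PASSWORD=... sh this_script.sh --live [expected_nodes]
if [ "${1:-}" = "--live" ]; then
  ES="${ES_URL:-http://192.168.1.10:9200}"
  health=$(curl -s -u "elastic:${ES_PASSWORD:?set ES_PASSWORD}" "$ES/_cluster/health?pretty")
  cat_nodes=$(curl -s -u "elastic:$ES_PASSWORD" "$ES/_cat/nodes?v&h=name,master,node.role")
  check_cluster "${2:-3}" "$health" "$cat_nodes"
fi
```

Run it after all three `docker-compose up -d` calls have settled; the node-count and single-master checks are what catch a node that quietly started its own one-node cluster because of a mismatched cluster.name or seed list.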