From ebac9576e44d0691fd14e9cf2222db923af3a946 Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Mon, 6 Dec 2021 16:12:18 -0500 Subject: [PATCH 01/11] [DOCS] Update Docker Compose setup --- docs/en/getting-started/docker/.env | 28 +- .../getting-started/docker/create-certs.yml | 29 --- .../getting-started/docker/docker-compose.yml | 246 ++++++++++++++---- .../docker/elastic-docker-tls.yml | 136 ---------- docs/en/getting-started/docker/instances.yml | 26 -- .../get-started-docker.asciidoc | 189 +++++--------- docs/en/getting-started/index.asciidoc | 1 + 7 files changed, 289 insertions(+), 366 deletions(-) delete mode 100644 docs/en/getting-started/docker/create-certs.yml delete mode 100644 docs/en/getting-started/docker/elastic-docker-tls.yml delete mode 100644 docs/en/getting-started/docker/instances.yml diff --git a/docs/en/getting-started/docker/.env b/docs/en/getting-started/docker/.env index 2d2edc9db..6f9295d41 100644 --- a/docs/en/getting-started/docker/.env +++ b/docs/en/getting-started/docker/.env @@ -1,3 +1,25 @@ -COMPOSE_PROJECT_NAME=es -CERTS_DIR=/usr/share/elasticsearch/config/certificates -VERSION={version} +# Password for the 'elastic' user (at least 6 characters) +ELASTIC_PASSWORD= + +# Password for the 'kibana_system' user (at least 6 characters) +KIBANA_PASSWORD= + +# Version of Elastic products +STACK_VERSION={version} + +# Set to 'basic' or 'trial' to automatically start the 30-day trial +LICENSE=basic +#LICENSE=trial + +# Port to expose Elasticsearch HTTP API to the host +ES_PORT=9200 + +# Port to expose Kibana to the host +KIBANA_PORT=5601 +#KIBANA_PORT=80 + +# Increase or decrease based on the available host memory (in bytes) +MEM_LIMIT=1073741824 + +# Project namespace (defaults to the current folder name if not set) +#COMPOSE_PROJECT_NAME=myproject \ No newline at end of file diff --git a/docs/en/getting-started/docker/create-certs.yml b/docs/en/getting-started/docker/create-certs.yml deleted file mode 100644 index 36c1573aa..000000000 
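Review bot: `ES_PORT=9200` is interpolated into `${ES_PORT}:9200` in the compose file, which publishes the Elasticsearch HTTP port on every host interface, and nothing in `.env` tells the reader the variable may also carry a bind address; the asciidoc hunk later in this patch still sends readers to edit `docker-compose.yml` and write `127.0.0.1:9200:9200`, which the new variable makes unnecessary. Suggest `# Port to expose Elasticsearch HTTP API to the host (use 127.0.0.1:9200 to bind only to the loopback interface)` and the same wording on `KIBANA_PORT`, where the commented `#KIBANA_PORT=80` alternative makes the exposure wider still. The `ELASTIC_PASSWORD`/`KIBANA_PASSWORD` comments could also state that the values are substituted verbatim into the compose file, so characters such as `'`, `"` and `\` are not supported by the setup script as written. The file also ends without a trailing newline (`\ No newline at end of file`); harmless for a comment line, but easy to fix here.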
--- a/docs/en/getting-started/docker/create-certs.yml +++ /dev/null @@ -1,29 +0,0 @@ -version: '2.2' - -services: - create_certs: - image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION} - container_name: create_certs - command: > - bash -c ' - yum install -y -q -e 0 unzip; - if [[ ! -f /certs/bundle.zip ]]; then - bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip; - unzip /certs/bundle.zip -d /certs; - fi; - chown -R 1000:0 /certs - ' - working_dir: /usr/share/elasticsearch - volumes: - - certs:/certs - - .:/usr/share/elasticsearch/config/certificates - networks: - - elastic - -volumes: - certs: - driver: local - -networks: - elastic: - driver: bridge diff --git a/docs/en/getting-started/docker/docker-compose.yml b/docs/en/getting-started/docker/docker-compose.yml index ab6ba579c..f61942132 100644 --- a/docs/en/getting-started/docker/docker-compose.yml +++ b/docs/en/getting-started/docker/docker-compose.yml 
@@ -1,83 +1,231 @@ version: "2.2" + services: - es-node01: + setup: + image: docker.elastic.co/elasticsearch/elasticsearch:{version} + volumes: + - certs:/usr/share/elasticsearch/config/certs + user: "0" + command: > + bash -c ' + if [ x${ELASTIC_PASSWORD} == x ]; then + echo "Set the ELASTIC_PASSWORD environment variable in the .env file"; + exit 1; + elif [ x${KIBANA_PASSWORD} == x ]; then + echo "Set the KIBANA_PASSWORD environment variable in the .env file"; + exit 1; + fi; + if [ ! -f certs/ca.zip ]; then + echo "Creating CA"; + bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip; + unzip config/certs/ca.zip -d config/certs; + fi; + if [ ! -f certs/certs.zip ]; then + echo "Creating certs"; + echo -ne \ + "instances:\n"\ + " - name: es01\n"\ + " dns:\n"\ + " - es01\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + " - name: es02\n"\ + " dns:\n"\ + " - es02\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + " - name: es03\n"\ + " dns:\n"\ + " - es03\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + > config/certs/instances.yml; + bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key; + unzip config/certs/certs.zip -d config/certs; + fi; + echo "Setting file permissions" + chown -R root:root config/certs; + find . -type d -exec chmod 750 \{\} \;; + find . 
-type f -exec chmod 640 \{\} \;; + echo "Waiting for Elasticsearch availability"; + until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done; + echo "Setting kibana_system password"; + until curl -s -X POST --cacert config/certs/ca/ca.crt -u elastic:${ELASTIC_PASSWORD} -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done; + echo "All done!"; + ' + healthcheck: + test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] + interval: 1s + timeout: 5s + retries: 120 + + es01: + depends_on: + setup: + condition: service_healthy image: docker.elastic.co/elasticsearch/elasticsearch:{version} - container_name: es-node01 + volumes: + - certs:/usr/share/elasticsearch/config/certs + - esdata01:/usr/share/elasticsearch/data + ports: + - ${ES_PORT}:9200 environment: - - node.name=es-node01 - - cluster.name=es-docker-cluster - - discovery.seed_hosts=es-node02,es-node03 - - cluster.initial_master_nodes=es-node01,es-node02,es-node03 + - node.name=es01 + - cluster.name=docker-cluster + - cluster.initial_master_nodes=es01,es02,es03 + - discovery.seed_hosts=es02,es03 + - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=certs/es01/es01.key + - xpack.security.http.ssl.certificate=certs/es01/es01.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.http.ssl.verification_mode=certificate + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.key=certs/es01/es01.key + - xpack.security.transport.ssl.certificate=certs/es01/es01.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - 
xpack.license.self_generated.type=${LICENSE} + mem_limit: ${MEM_LIMIT} ulimits: memlock: soft: -1 hard: -1 - volumes: - - data01:/usr/share/elasticsearch/data - ports: - - 9200:9200 - networks: - - elastic + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", + ] + interval: 10s + timeout: 10s + retries: 120 - es-node02: + es02: + depends_on: + - es01 image: docker.elastic.co/elasticsearch/elasticsearch:{version} - container_name: es-node02 + volumes: + - certs:/usr/share/elasticsearch/config/certs + - esdata02:/usr/share/elasticsearch/data environment: - - node.name=es-node02 - - cluster.name=es-docker-cluster - - discovery.seed_hosts=es-node01,es-node03 - - cluster.initial_master_nodes=es-node01,es-node02,es-node03 + - node.name=es02 + - cluster.name=docker-cluster + - cluster.initial_master_nodes=es01,es02,es03 + - discovery.seed_hosts=es01,es03 - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=certs/es02/es02.key + - xpack.security.http.ssl.certificate=certs/es02/es02.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.http.ssl.verification_mode=certificate + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.key=certs/es02/es02.key + - xpack.security.transport.ssl.certificate=certs/es02/es02.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.license.self_generated.type=${LICENSE} + mem_limit: ${MEM_LIMIT} ulimits: memlock: soft: -1 hard: -1 - volumes: - - data02:/usr/share/elasticsearch/data - networks: - - elastic + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", + ] + 
interval: 10s + timeout: 10s + retries: 120 - es-node03: + es03: + depends_on: + - es02 image: docker.elastic.co/elasticsearch/elasticsearch:{version} - container_name: es-node03 + volumes: + - certs:/usr/share/elasticsearch/config/certs + - esdata03:/usr/share/elasticsearch/data environment: - - node.name=es-node03 - - cluster.name=es-docker-cluster - - discovery.seed_hosts=es-node01,es-node02 - - cluster.initial_master_nodes=es-node01,es-node02,es-node03 + - node.name=es03 + - cluster.name=docker-cluster + - cluster.initial_master_nodes=es01,es02,es03 + - discovery.seed_hosts=es01,es02 - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=certs/es03/es03.key + - xpack.security.http.ssl.certificate=certs/es03/es03.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.http.ssl.verification_mode=certificate + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.key=certs/es03/es03.key + - xpack.security.transport.ssl.certificate=certs/es03/es03.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.license.self_generated.type=${LICENSE} + mem_limit: ${MEM_LIMIT} ulimits: memlock: soft: -1 hard: -1 - volumes: - - data03:/usr/share/elasticsearch/data - networks: - - elastic + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", + ] + interval: 10s + timeout: 10s + retries: 120 - kib01: + kibana: + depends_on: + es01: + condition: service_healthy + es02: + condition: service_healthy + es03: + condition: service_healthy image: docker.elastic.co/kibana/kibana:{version} - container_name: kib01 + volumes: + - certs:/usr/share/kibana/config/certs + - kibanadata:/usr/share/kibana/data ports: - - 5601:5601 + 
- ${KIBANA_PORT}:5601 environment: - ELASTICSEARCH_URL: http://es-node01:9200 - ELASTICSEARCH_HOSTS: '["http://es-node01:9200","http://es-node02:9200","http://es-node03:9200"]' - networks: - - elastic + - SERVERNAME=kibana + - ELASTICSEARCH_URL=https://es01:9200 + - ELASTICSEARCH_HOSTS=https://es01:9200 + - ELASTICSEARCH_USERNAME=kibana_system + - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD} + - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt + mem_limit: ${MEM_LIMIT} + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'", + ] + interval: 10s + timeout: 10s + retries: 120 volumes: - data01: + certs: driver: local - data02: + esdata01: driver: local - data03: + esdata02: + driver: local + esdata03: + driver: local + kibanadata: driver: local - -networks: - elastic: - driver: bridge diff --git a/docs/en/getting-started/docker/elastic-docker-tls.yml b/docs/en/getting-started/docker/elastic-docker-tls.yml deleted file mode 100644 index 8ea9c68bd..000000000 --- a/docs/en/getting-started/docker/elastic-docker-tls.yml +++ /dev/null 
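Review bot: In the `setup` service's `command:`, `${ELASTIC_PASSWORD}` and `${KIBANA_PASSWORD}` are interpolated by Compose into the shell text itself, so both secrets are stored in the container's command (visible through `docker inspect` and the process list), and a value containing `'`, whitespace or `"` breaks the single-quoted `bash -c` script, the unquoted `[ x${ELASTIC_PASSWORD} == x ]` test, or the hand-built JSON body of the `_password` request. Pass both values through the service's `environment:` and reference them as `$$ELASTIC_PASSWORD` / `$$KIBANA_PASSWORD` (Compose's escape for a literal `$`) inside double quotes so the shell expands them at run time; the JSON body then still assumes a value free of `"` and `\`, which should be stated in `.env`. Separately, the deleted `elastic-docker-tls.yml` served Kibana over TLS (`SERVER_SSL_*`), while the new `kibana` service listens on plain HTTP on `${KIBANA_PORT}` bound to all interfaces; acceptable for a local dev cluster, but worth a comment on that `ports:` entry since `.env` suggests port 80 as an alternative. A smaller point: `find . -type d -exec chmod 750` and the matching `-type f` call walk the whole `/usr/share/elasticsearch` tree of the setup container rather than `config/certs`.
```yaml
  setup:
    image: docker.elastic.co/elasticsearch/elasticsearch:{version}
    environment:
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
      - KIBANA_PASSWORD=${KIBANA_PASSWORD}
    # … unchanged: volumes, user …
    command: >
      bash -c '
        if [ -z "$$ELASTIC_PASSWORD" ]; then
          echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
          exit 1;
        elif [ -z "$$KIBANA_PASSWORD" ]; then
          echo "Set the KIBANA_PASSWORD environment variable in the .env file";
          exit 1;
        fi;
        # … unchanged: CA and certificate generation, permission fix-up, availability wait …
        until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:$$ELASTIC_PASSWORD" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"$$KIBANA_PASSWORD\"}" | grep -q "^{}"; do sleep 10; done;
        echo "All done!";
      '
```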
@@ -1,136 +0,0 @@ -version: "2.2" - -services: - es-node01: - image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION} - container_name: es-node01 - environment: - - node.name=es-node01 - - cluster.name=es-docker-cluster - - discovery.seed_hosts=es-node02,es-node03 - - cluster.initial_master_nodes=es-node01,es-node02,es-node03 - - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - - xpack.license.self_generated.type=trial # <1> - - xpack.security.enabled=true - - xpack.security.http.ssl.enabled=true # <2> - - xpack.security.http.ssl.key=$CERTS_DIR/es-node01/es-node01.key - - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.security.http.ssl.certificate=$CERTS_DIR/es-node01/es-node01.crt - - xpack.security.transport.ssl.enabled=true # <3> - - xpack.security.transport.ssl.verification_mode=certificate # <4> - - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.security.transport.ssl.certificate=$CERTS_DIR/es-node01/es-node01.crt - - xpack.security.transport.ssl.key=$CERTS_DIR/es-node01/es-node01.key - ulimits: - memlock: - soft: -1 - hard: -1 - volumes: - - data01:/usr/share/elasticsearch/data - - certs:$CERTS_DIR - ports: - - 9200:9200 - networks: - - elastic - - healthcheck: - test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? 
== 52 ]]; then echo 0; else echo 1; fi - interval: 30s - timeout: 10s - retries: 5 - - es-node02: - image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION} - container_name: es-node02 - environment: - - node.name=es-node02 - - cluster.name=es-docker-cluster - - discovery.seed_hosts=es-node01,es-node03 - - cluster.initial_master_nodes=es-node01,es-node02,es-node03 - - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - - xpack.license.self_generated.type=trial - - xpack.security.enabled=true - - xpack.security.http.ssl.enabled=true - - xpack.security.http.ssl.key=$CERTS_DIR/es-node02/es-node02.key - - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.security.http.ssl.certificate=$CERTS_DIR/es-node02/es-node02.crt - - xpack.security.transport.ssl.enabled=true - - xpack.security.transport.ssl.verification_mode=certificate - - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.security.transport.ssl.certificate=$CERTS_DIR/es-node02/es-node02.crt - - xpack.security.transport.ssl.key=$CERTS_DIR/es-node02/es-node02.key - ulimits: - memlock: - soft: -1 - hard: -1 - volumes: - - data02:/usr/share/elasticsearch/data - - certs:$CERTS_DIR - networks: - - elastic - - es-node03: - image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION} - container_name: es-node03 - environment: - - node.name=es-node03 - - cluster.name=es-docker-cluster - - discovery.seed_hosts=es-node01,es-node02 - - cluster.initial_master_nodes=es-node01,es-node02,es-node03 - - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - - xpack.license.self_generated.type=trial - - xpack.security.enabled=true - - xpack.security.http.ssl.enabled=true - - xpack.security.http.ssl.key=$CERTS_DIR/es-node03/es-node03.key - - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.security.http.ssl.certificate=$CERTS_DIR/es-node03/es-node03.crt - - xpack.security.transport.ssl.enabled=true - - 
xpack.security.transport.ssl.verification_mode=certificate - - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.security.transport.ssl.certificate=$CERTS_DIR/es-node03/es-node03.crt - - xpack.security.transport.ssl.key=$CERTS_DIR/es-node03/es-node03.key - ulimits: - memlock: - soft: -1 - hard: -1 - volumes: - - data03:/usr/share/elasticsearch/data - - certs:$CERTS_DIR - networks: - - elastic - kib01: - image: docker.elastic.co/kibana/kibana:${VERSION} - container_name: kib01 - depends_on: { "es-node01": { "condition": "service_healthy" } } - ports: - - 5601:5601 - environment: - SERVERNAME: localhost - ELASTICSEARCH_URL: https://es-node01:9200 - ELASTICSEARCH_HOSTS: https://es-node01:9200 - ELASTICSEARCH_USERNAME: kibana_system - ELASTICSEARCH_PASSWORD: CHANGEME - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key - SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt - volumes: - - certs:$CERTS_DIR - networks: - - elastic -volumes: - data01: - driver: local - data02: - driver: local - data03: - driver: local - certs: - driver: local - -networks: - elastic: - driver: bridge diff --git a/docs/en/getting-started/docker/instances.yml b/docs/en/getting-started/docker/instances.yml deleted file mode 100644 index c60e5f4a0..000000000 --- a/docs/en/getting-started/docker/instances.yml +++ /dev/null @@ -1,26 +0,0 @@ -instances: - - name: es-node01 - dns: - - es-node01 - - localhost - ip: - - 127.0.0.1 - - - name: es-node02 - dns: - - es-node02 - - localhost - ip: - - 127.0.0.1 - - - name: es-node03 - dns: - - es-node03 - - localhost - ip: - - 127.0.0.1 - - - name: "kib01" - dns: - - kib01 - - localhost diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index f0f81aea0..9d4e8a352 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc 
+++ b/docs/en/getting-started/get-started-docker.asciidoc @@ -13,8 +13,7 @@ and configured by default. This option is great for quickly getting started with You can also <> to create a secured, multi-node cluster with a connected {kib} instance. This -option requires more manual steps, but results in a more resilient cluster with -greater capacity and reliability. +option results in a more resilient cluster with greater capacity and reliability. [[run-docker-secure]] [discrete] @@ -272,6 +271,10 @@ docker rm kib01 To get a multi-node {es} cluster and {kib} up and running in Docker with security enabled, you can use Docker Compose. +This configuration provides a simple method of starting a secured cluster that +you can use for development before building a distributed deployment with +multiple hosts. + [discrete] ==== Prerequisites 
@@ -288,173 +291,112 @@ Settings (Windows). [discrete] ==== Prepare the environment -Create the following Docker Compose and configuration files. These files are also -available from the +Create the following configuration files in a new, empty directory. These files +are also available from the https://github.com/elastic/stack-docs/blob/master/docs/en/getting-started/docker/[elastic/stack-docs] repository on GitHub. -- ifeval::["{release-state}"=="unreleased"] NOTE: Version {version} of {es} has not been released, -so the sample compose and configuration files are not yet available for this version. -See the {stack-gs-current}/get-started-docker.html[current version] for the latest sample files. +so the sample Docker Compose and configuration files are not yet available for +this version. See the {stack-gs-current}/get-started-docker.html[current version] +for the latest sample files. endif::[] +-- -* `instances.yml` identifies the instances you need to create certificates for. -* `.env` sets environment variables to specify the {es} version and -the location where the {es} certificates will be created. -* `create-certs.yml` is a Docker Compose file that launches a container to generate the certificates -for {es} and {kib}. -* `elastic-docker-tls.yml` is a Docker Compose file that brings up a three-node {es} cluster -and a {kib} instance with TLS enabled so you can see how things work. -This all-in-one configuration is a handy way to bring up your first dev cluster before -you build a distributed deployment with multiple hosts. +* <> +* <> +-- ifeval::["{release-state}"!="unreleased"] -[discrete] -===== `instances.yml` -["source","yaml"] ----- -include::docker/instances.yml[] ----- [discrete] +[[docker-env]] ===== `.env` + +The `.env` file sets environment variables that are used when you run the +`docker-compose.yml` configuration file. 
Ensure that you specify a strong +password for the `elastic` and `kibana_system` users with the +`ELASTIC_PASSWORD` and `KIBANA_PASSWORD` variables. These variable are +referenced by the `docker-compose.yml` file. + ["source","txt",subs="attributes"] ---- include::docker/.env[] ---- [discrete] -===== `create-certs.yml` -["source","txt"] ----- -include::docker/create-certs.yml[] ----- +[[docker-compose]] +===== `docker-compose.yml` -[discrete] -===== `elastic-docker-tls.yml` -["source","txt"] +The `docker-compose.yml` file is a Docker Compose file that defines generates +node security certificates for {es}, configures a three-node {es} cluster with +TLS enabled for client and internode communications, and securely enrolls a {kib} +instance with the cluster. + +.Exposing ports on Linux +**** +This configuration exposes port `9200` on all network interfaces. Given how +Docker manipulates `iptables` on Linux, this means that your {es} cluster is +publicly accessible, potentially ignoring any firewall settings. If you don't +want to expose port `9200` and instead use a reverse proxy, replace `9200:9200` +with `127.0.0.1:9200:9200` in the `docker-compose.yml` file. {es} will then only +be accessible from the host machine itself. +**** + +[source,yaml,subs="attributes"] ---- -include::docker/elastic-docker-tls.yml[] +include::docker/docker-compose.yml[] ---- -<1> Generate and apply a trial license that supports Transport Layer Security. -<2> Enable Transport Layer Security to encrypt client communications. -<3> Enable Transport Layer Security to encrypt internode communications. -<4> Allow the use of self-signed certificates by not requiring hostname verification. endif::[] -- [discrete] ==== Start your cluster with security enabled and configured -. Generate certificates for {es} by bringing up the `create-certs` container: -+ --- -["source","sh"] ----- -docker-compose -f create-certs.yml run --rm create_certs ----- - --- +. 
Modify the `.env` file and enter a password value for the `ELASTIC_PASSWORD` +and `KIBANA_PASSWORD` variables. -. Bring up the three-node {es} cluster: +. Create and start the three-node {es} cluster: + --- ["source","sh"] ---- -docker-compose -f elastic-docker-tls.yml up -d +docker-compose -f docker-compose.yml up -d ---- -IMPORTANT: At this point, {kib} cannot connect to the {es} cluster. -You must generate a password for the built-in `kibana_system` user, update the `ELASTICSEARCH_PASSWORD` -in the compose file, and restart to enable {kib} to communicate with the secured cluster. - --- +. Open a browser and navigate to http://localhost:5601[http://localhost:5601] to +access {kib}, where you can load sample data and interact with your cluster. -. Run the `elasticsearch-setup-passwords` tool to generate passwords for all built-in users, -including the `kibana_system` user. If you don't use PowerShell on Windows, remove the trailing `\`characters -and join the lines before running this command. -+ --- -["source","sh"] ----- -docker exec es-node01 /bin/bash -c "bin/elasticsearch-setup-passwords \ -auto --batch --url https://es-node01:9200" ----- - -IMPORTANT: Make a note of the generated passwords. -You must configure the `kibana_system` user password in the compose file to enable {kib} to connect to {es}, -and you'll need the password for the `elastic` superuser to -log in to {kib} and submit requests to {es}. --- +When you're done experimenting, you can tear down the containers, network, and +volumes by running `docker-compose -f elastic-docker-tls.yml down -v`. -. Set `ELASTICSEARCH_PASSWORD` in the `elastic-docker-tls.yml` compose file to the password -generated for the `kibana_system` user. -+ --- -ifeval::["{release-state}"=="unreleased"] -NOTE: Version {version} of {es} has not been released, -so the sample compose file is not yet available for this version. -See the {stack-gs-current}/get-started-docker.html[current version] for the latest sample files. 
-endif::[] +[[docker-compose-remove-containers]] +[discrete] +==== Remove Docker Compose containers -ifeval::["{release-state}"!="unreleased"] -["source","yaml",subs=+quotes] ----- - kib01: - image: docker.elastic.co/kibana/kibana:${VERSION} - container_name: kib01 - depends_on: {"es-node01": {"condition": "service_healthy"}} - ports: - - 5601:5601 - environment: - SERVERNAME: localhost - ELASTICSEARCH_URL: https://es-node01:9200 - ELASTICSEARCH_HOSTS: https://es-node01:9200 - ELASTICSEARCH_USERNAME: kibana_system - **ELASTICSEARCH_PASSWORD: CHANGEME** - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key - SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt - volumes: - - certs:$CERTS_DIR - networks: - - elastic ----- -endif::[] --- +To remove the containers and their network, run: -. Use `docker-compose` to restart the cluster and {kib}: -+ --- -["source","sh"] +[source,sh] ---- -docker-compose stop -docker-compose -f elastic-docker-tls.yml up -d +docker network rm _default +docker rm ---- --- - -. Open {kib} to load sample data and interact with the cluster: -https://localhost:5601. -+ -NOTE: Because SSL is also enabled for communications between {kib} and client browsers, -you must access {kib} via the HTTPS protocol. -When you're done experimenting, you can tear down the containers, network, and -volumes by running `docker-compose -f elastic-docker-tls.yml down -v`. +`directory-name`:: Name of the directory that you created for the `.env` and +`docker-compose.yml` files. [discrete] [[load-settings-file]] -==== Loading settings from a file +==== Load settings from a file -Specifying settings for {es} and {{kib}} directly in the compose file is a convenient way to get started, -but loading settings from a file is preferable once you get past the experimental stage. 
+Specifying settings for {es} and {kib} directly in the Docker Compose file is a +convenient way to get started, but loading settings from a file is preferable +after you get past the experimental stage. -For example, to use `es-node01.yml` as the configuration file for the `es-node01` {es} node, -you can create a bind mount in the volumes section. +For example, to use `es-node01.yml` as the configuration file for the `es-node01` +{es} node, you can create a bind mount in the volumes section. ["source","yaml"] ---- @@ -464,7 +406,8 @@ you can create a bind mount in the volumes section. - ./es-node01.yml:/usr/share/elasticsearch/config/elasticsearch.yml ---- -Similarly, to load {kib} settings from a file, you overwrite `/usr/share/kibana/config/kibana.yml`: +Similarly, to load {kib} settings from a file, you overwrite +`/usr/share/kibana/config/kibana.yml`: ["source","yaml"] ---- diff --git a/docs/en/getting-started/index.asciidoc b/docs/en/getting-started/index.asciidoc index 623a77cad..790e3b74a 100644 --- a/docs/en/getting-started/index.asciidoc +++ b/docs/en/getting-started/index.asciidoc @@ -13,6 +13,7 @@ :kib-repo-dir: {kibana-root}/docs :xes-repo-dir: {elasticsearch-root}/x-pack/docs/en +:es-repo-dir: {elasticsearch-root}/docs/reference include::{docs-root}/shared/versions/stack/{source_branch}.asciidoc[] include::{docs-root}/shared/attributes.asciidoc[] From fde41e6a102bd91020bc14a92ad5a9379d222f06 Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Tue, 7 Dec 2021 08:25:48 -0500 Subject: [PATCH 02/11] Update remove instructions and rename section ids --- .../getting-started/get-started-docker.asciidoc | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index 9d4e8a352..d18c17e94 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc +++ b/docs/en/getting-started/get-started-docker.asciidoc 
@@ -305,14 +305,14 @@ for the latest sample files. endif::[] -- -* <> -* <> +* <> +* <> -- ifeval::["{release-state}"!="unreleased"] [discrete] -[[docker-env]] +[[docker-env-file]] ===== `.env` The `.env` file sets environment variables that are used when you run the @@ -327,7 +327,7 @@ include::docker/.env[] ---- [discrete] -[[docker-compose]] +[[docker-compose-file]] ===== `docker-compose.yml` The `docker-compose.yml` file is a Docker Compose file that defines generates @@ -369,19 +369,17 @@ docker-compose -f docker-compose.yml up -d . Open a browser and navigate to http://localhost:5601[http://localhost:5601] to access {kib}, where you can load sample data and interact with your cluster. -When you're done experimenting, you can tear down the containers, network, and -volumes by running `docker-compose -f elastic-docker-tls.yml down -v`. - [[docker-compose-remove-containers]] [discrete] ==== Remove Docker Compose containers -To remove the containers and their network, run: +When you're done experimenting, you can remove the network, containers, and +volumes: [source,sh] ---- docker network rm _default -docker rm +docker-compose -f docker-compose.yml down --volumes ---- `directory-name`:: Name of the directory that you created for the `.env` and From a3c2da4d58dbb13df516f441be5751722e0671b4 Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Tue, 7 Dec 2021 08:42:19 -0500 Subject: [PATCH 03/11] Remove cross-links, which won't display and cause errors for unreleased versions --- docs/en/getting-started/get-started-docker.asciidoc | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index d18c17e94..ffda18dd7 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc +++ b/docs/en/getting-started/get-started-docker.asciidoc @@ -305,9 +305,6 @@ for the latest sample files. endif::[] -- -* <> -* <> - -- ifeval::["{release-state}"!="unreleased"] 
From c5a20475e269176c8cb479877faeeb839f7fc49c Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Thu, 9 Dec 2021 11:16:32 -0500 Subject: [PATCH 04/11] Incorporate feedback from Fabio Co-authored-by: Fabio Busatto <52658645+bytebilly@users.noreply.github.com> --- .../get-started-docker.asciidoc | 26 ++++++++----------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index ffda18dd7..180ecaa2d 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc +++ b/docs/en/getting-started/get-started-docker.asciidoc @@ -327,10 +327,7 @@ include::docker/.env[] [[docker-compose-file]] ===== `docker-compose.yml` -The `docker-compose.yml` file is a Docker Compose file that defines generates -node security certificates for {es}, configures a three-node {es} cluster with -TLS enabled for client and internode communications, and securely enrolls a {kib} -instance with the cluster. +This `docker-compose.yml` file creates a three-node secure {es} cluster with authentication and network encryption enabled, and a {kib} instance securely connected to it. .Exposing ports on Linux **** @@ -338,7 +335,7 @@ This configuration exposes port `9200` on all network interfaces. Given how Docker manipulates `iptables` on Linux, this means that your {es} cluster is publicly accessible, potentially ignoring any firewall settings. If you don't want to expose port `9200` and instead use a reverse proxy, replace `9200:9200` -with `127.0.0.1:9200:9200` in the `docker-compose.yml` file. {es} will then only +with `localhost:9200:9200` in the `docker-compose.yml` file. {es} will then only be accessible from the host machine itself. **** 
@@ -356,14 +353,14 @@ endif::[] . Modify the `.env` file and enter a password value for the `ELASTIC_PASSWORD` and `KIBANA_PASSWORD` variables. -. Create and start the three-node {es} cluster: +. Create and start the three-node {es} cluster and {kib} instance: + ["source","sh"] ---- -docker-compose -f docker-compose.yml up -d +docker-compose up -d ---- -. Open a browser and navigate to http://localhost:5601[http://localhost:5601] to +. When the deployment has started, open a browser and navigate to http://localhost:5601[http://localhost:5601] to access {kib}, where you can load sample data and interact with your cluster. [[docker-compose-remove-containers]] @@ -375,8 +372,7 @@ volumes: [source,sh] ---- -docker network rm _default -docker-compose -f docker-compose.yml down --volumes +docker-compose down -v ---- `directory-name`:: Name of the directory that you created for the `.env` and 
@@ -390,22 +386,22 @@ Specifying settings for {es} and {kib} directly in the Docker Compose file is a convenient way to get started, but loading settings from a file is preferable after you get past the experimental stage. -For example, to use `es-node01.yml` as the configuration file for the `es-node01` -{es} node, you can create a bind mount in the volumes section. +For example, to use a custom `es01.yml` as the configuration file for the `es01` +{es} node, you can create a bind mount in the **volumes** section for the **es01** service. ["source","yaml"] ---- volumes: - data01:/usr/share/elasticsearch/data - certs:$CERTS_DIR - - ./es-node01.yml:/usr/share/elasticsearch/config/elasticsearch.yml + - ./es01.yml:/usr/share/elasticsearch/config/elasticsearch.yml ---- -Similarly, to load {kib} settings from a file, you overwrite -`/usr/share/kibana/config/kibana.yml`: +Similarly, to load {kib} settings from a file, you can add the following mount in the **volumes** section for the **kibana** service. ["source","yaml"] ---- + - ./kibana.yml:/usr/share/kibana/config/kibana.yml volumes: - certs:$CERTS_DIR - ./kibana.yml:/usr/share/kibana/config/kibana.yml From 43f22bce009ea4eaab68ff275d48fd19c029f53e Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Thu, 9 Dec 2021 12:33:10 -0500 Subject: [PATCH 05/11] Clarifications and adding Docker Compose link --- .../getting-started/get-started-docker.asciidoc | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index 180ecaa2d..02c059572 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc +++ b/docs/en/getting-started/get-started-docker.asciidoc 
@@ -43,6 +43,8 @@ security settings from your {es} cluster, authenticates to {es} with the . Install the appropriate https://docs.docker.com/get-docker/[Docker application] for your operating system. +. If you're running on Linux, install https://docs.docker.com/compose/install/[Docker Compose]. + . Pull the {es} Docker image. + -- @@ -350,8 +352,12 @@ endif::[] [discrete] ==== Start your cluster with security enabled and configured -. Modify the `.env` file and enter a password value for the `ELASTIC_PASSWORD` -and `KIBANA_PASSWORD` variables. +. Modify the `.env` file and enter a strong password values for both the +`ELASTIC_PASSWORD` and `KIBANA_PASSWORD` variables. ++ +NOTE: You must use the `ELASTIC_PASSWORD` value for further interactions with +the cluster. The `KIBANA_PASSWORD` value is only used internally when +configuring {kib}. . Create and start the three-node {es} cluster and {kib} instance: + @@ -387,7 +393,8 @@ convenient way to get started, but loading settings from a file is preferable after you get past the experimental stage. For example, to use a custom `es01.yml` as the configuration file for the `es01` -{es} node, you can create a bind mount in the **volumes** section for the **es01** service. +{es} node, you can create a bind mount in the `volumes` section for the `es01` +service. ["source","yaml"] ---- @@ -397,11 +404,11 @@ For example, to use a custom `es01.yml` as the configuration file for the `es01` - ./es01.yml:/usr/share/elasticsearch/config/elasticsearch.yml ---- -Similarly, to load {kib} settings from a file, you can add the following mount in the **volumes** section for the **kibana** service. +Similarly, to load {kib} settings from a file, you can add the following mount +in the `volumes` section for the `kibana` service. ["source","yaml"] ---- - - ./kibana.yml:/usr/share/kibana/config/kibana.yml volumes: - certs:$CERTS_DIR - ./kibana.yml:/usr/share/kibana/config/kibana.yml 
From 7fee466b6f427305165a411ba4ab746f761dc152 Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Mon, 13 Dec 2021 06:56:36 -0500 Subject: [PATCH 06/11] Remove directory name --- docs/en/getting-started/get-started-docker.asciidoc | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index 02c059572..82e7ad43e 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc +++ b/docs/en/getting-started/get-started-docker.asciidoc @@ -381,9 +381,6 @@ volumes: docker-compose down -v ---- -`directory-name`:: Name of the directory that you created for the `.env` and -`docker-compose.yml` files. - [discrete] [[load-settings-file]] ==== Load settings from a file From a3d1ffb81660fc4f218b097c63438c9b4ddb0f73 Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Mon, 13 Dec 2021 10:41:38 -0500 Subject: [PATCH 07/11] Update container names and config file snippets --- .../get-started-docker.asciidoc | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index 82e7ad43e..be0a7ba8b 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc +++ b/docs/en/getting-started/get-started-docker.asciidoc @@ -43,8 +43,6 @@ security settings from your {es} cluster, authenticates to {es} with the . Install the appropriate https://docs.docker.com/get-docker/[Docker application] for your operating system. -. If you're running on Linux, install https://docs.docker.com/compose/install/[Docker Compose]. - . Pull the {es} Docker image. + -- 
@@ -114,7 +112,7 @@ endif::[] ifeval::["{release-state}"!="unreleased"] [source,sh,subs="attributes"] ---- -docker run --name es-node01 --net elastic -p 9200:9200 -it docker.elastic.co/elasticsearch/elasticsearch:{version} +docker run --name es01 --net elastic -p 9200:9200 -it docker.elastic.co/elasticsearch/elasticsearch:{version} ---- endif::[] @@ -131,7 +129,7 @@ to the `http_ca.crt` certificate, which you'll use in the next step. + [source,sh] ---- -docker exec -it es-node01 /bin/bash -c "find /usr/share/elasticsearch -name http_ca.crt" +docker exec -it es01 /bin/bash -c "find /usr/share/elasticsearch -name http_ca.crt" ---- . Copy the `http_ca.crt` security certificate from your Docker container to @@ -139,7 +137,7 @@ your local machine. + [source,sh] ---- -docker cp es-node01:/usr/share/elasticsearch/config/tls_auto_config_/http_ca.crt . +docker cp es01:/usr/share/elasticsearch/config/tls_auto_config_/http_ca.crt . ---- ``:: The timestamp of when the auto-configuration process created the security files directory in your Docker container. @@ -211,7 +209,7 @@ endif::[] ifeval::["{release-state}"!="unreleased"] [source,sh,subs="attributes"] ---- -docker run --name kib01 --net elastic -p 5601:5601 docker.elastic.co/kibana/kibana:{version} +docker run --name kibana --net elastic -p 5601:5601 docker.elastic.co/kibana/kibana:{version} ---- When you start {kib}, a unique link is output to your terminal. @@ -238,7 +236,7 @@ For example, to reset the password for the `elastic` user: [source,sh] ---- -docker exec -it es-node01 /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic +docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic ---- If you need to generate new enrollment tokens for {kib} or {es} nodes, run the 
@@ -249,7 +247,7 @@ For example, to generate a new enrollment token for {kib}: [source,sh] ---- -docker exec -it es-node01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana +docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana ---- @@ -262,8 +260,8 @@ To remove the containers and their network, run: [source,sh] ---- docker network rm elastic -docker rm es-node01 -docker rm kib01 +docker rm es01 +docker rm kibana ---- [discrete] @@ -283,6 +281,8 @@ multiple hosts. Install the appropriate https://docs.docker.com/get-docker/[Docker application] for your operating system. +If you're running on Linux, install https://docs.docker.com/compose/install/[Docker Compose]. + [NOTE] ==== Make sure that Docker is allotted at least 4GB of memory. In Docker Desktop, @@ -396,9 +396,8 @@ service. ["source","yaml"] ---- volumes: - - data01:/usr/share/elasticsearch/data - - certs:$CERTS_DIR - ./es01.yml:/usr/share/elasticsearch/config/elasticsearch.yml + - ... ---- Similarly, to load {kib} settings from a file, you can add the following mount @@ -407,8 +406,8 @@ in the `volumes` section for the `kibana` service. ["source","yaml"] ---- volumes: - - certs:$CERTS_DIR - ./kibana.yml:/usr/share/kibana/config/kibana.yml + - ... ---- [discrete] From d0ed267638671e9fa010fa86aa81de63bacde002 Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Tue, 14 Dec 2021 14:40:28 -0500 Subject: [PATCH 08/11] Fix typo --- docs/en/getting-started/get-started-docker.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index be0a7ba8b..2de79e884 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc +++ b/docs/en/getting-started/get-started-docker.asciidoc 
@@ -352,7 +352,7 @@ endif::[] [discrete] ==== Start your cluster with security enabled and configured -. Modify the `.env` file and enter a strong password values for both the +. Modify the `.env` file and enter strong password values for both the `ELASTIC_PASSWORD` and `KIBANA_PASSWORD` variables. + NOTE: You must use the `ELASTIC_PASSWORD` value for further interactions with From 2a234077c6f1f5e54b4f4abac4966586c6ce1122 Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Thu, 16 Dec 2021 08:54:02 -0500 Subject: [PATCH 09/11] Incorporating final changes --- docs/en/getting-started/get-started-docker.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index 2de79e884..8a242faa4 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc +++ b/docs/en/getting-started/get-started-docker.asciidoc @@ -336,8 +336,8 @@ This `docker-compose.yml` file creates a three-node secure {es} cluster with aut This configuration exposes port `9200` on all network interfaces. Given how Docker manipulates `iptables` on Linux, this means that your {es} cluster is publicly accessible, potentially ignoring any firewall settings. If you don't -want to expose port `9200` and instead use a reverse proxy, replace `9200:9200` -with `localhost:9200:9200` in the `docker-compose.yml` file. {es} will then only +want to expose port `9200` to external hosts, set the value for `ES_PORT` in +the `.env` file to something like `127.0.0.1:9200`. {es} will then only be accessible from the host machine itself. **** @@ -371,7 +371,7 @@ access {kib}, where you can load sample data and interact with your cluster. [[docker-compose-remove-containers]] [discrete] -==== Remove Docker Compose containers +==== Stop and remove the deployment When you're done experimenting, you can remove the network, containers, and volumes: 
From 4a16b841ccb0fbbc51c2f49d6e612dfd5b38cbff Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Thu, 16 Dec 2021 10:33:53 -0500 Subject: [PATCH 10/11] Update note on exposing ports --- .../en/getting-started/get-started-docker.asciidoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/en/getting-started/get-started-docker.asciidoc b/docs/en/getting-started/get-started-docker.asciidoc index 8a242faa4..a281682de 100644 --- a/docs/en/getting-started/get-started-docker.asciidoc +++ b/docs/en/getting-started/get-started-docker.asciidoc @@ -331,14 +331,14 @@ include::docker/.env[] This `docker-compose.yml` file creates a three-node secure {es} cluster with authentication and network encryption enabled, and a {kib} instance securely connected to it. -.Exposing ports on Linux +.Exposing ports **** -This configuration exposes port `9200` on all network interfaces. Given how -Docker manipulates `iptables` on Linux, this means that your {es} cluster is -publicly accessible, potentially ignoring any firewall settings. If you don't -want to expose port `9200` to external hosts, set the value for `ES_PORT` in -the `.env` file to something like `127.0.0.1:9200`. {es} will then only -be accessible from the host machine itself. +This configuration exposes port `9200` on all network interfaces. Because +of how Docker handles ports, a port that isn't bound to `localhost` leaves your +{es} cluster publicly accessible, potentially ignoring any firewall settings. +If you don't want to expose port `9200` to external hosts, set the value for +`ES_PORT` in the `.env` file to something like `127.0.0.1:9200`. {es} will +then only be accessible from the host machine itself. **** [source,yaml,subs="attributes"] From db40742643d787bf0b960bdaac4e25cc8a092445 Mon Sep 17 00:00:00 2001 
From: Adam Locke Date: Thu, 16 Dec 2021 12:29:03 -0500 Subject: [PATCH 11/11] Updating .env and docker-compose.yml files --- docs/en/getting-started/docker/.env | 4 + .../getting-started/docker/docker-compose.yml | 461 +++++++++--------- 2 files changed, 234 insertions(+), 231 deletions(-) diff --git a/docs/en/getting-started/docker/.env b/docs/en/getting-started/docker/.env index 6f9295d41..1ab47e8d5 100644 --- a/docs/en/getting-started/docker/.env +++ b/docs/en/getting-started/docker/.env @@ -7,12 +7,16 @@ KIBANA_PASSWORD= # Version of Elastic products STACK_VERSION={version} +# Set the cluster name +CLUSTER_NAME=docker-cluster + # Set to 'basic' or 'trial' to automatically start the 30-day trial LICENSE=basic #LICENSE=trial # Port to expose Elasticsearch HTTP API to the host ES_PORT=9200 +#ES_PORT=127.0.0.1:9200 # Port to expose Kibana to the host KIBANA_PORT=5601 diff --git a/docs/en/getting-started/docker/docker-compose.yml b/docs/en/getting-started/docker/docker-compose.yml index f61942132..c783d4975 100644 --- a/docs/en/getting-started/docker/docker-compose.yml +++ b/docs/en/getting-started/docker/docker-compose.yml 
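Review bot: The new `#ES_PORT=127.0.0.1:9200` line leaves the all-interfaces `ES_PORT=9200` as the active default, so a user who only fills in the two passwords publishes the Elasticsearch HTTP port on every host interface, which the guide itself warns can bypass host firewall rules under Docker. For a getting-started sample the safer default is the inverse: `ES_PORT=127.0.0.1:9200` active and `#ES_PORT=9200` commented, with the comment above it saying that the host-only form is the default and the bare port is for deliberate external access. The same consideration applies to `KIBANA_PORT=5601`, which this hunk leaves unchanged.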
@@ -1,231 +1,230 @@ -version: "2.2" - -services: - setup: - image: docker.elastic.co/elasticsearch/elasticsearch:{version} - volumes: - - certs:/usr/share/elasticsearch/config/certs - user: "0" - command: > - bash -c ' - if [ x${ELASTIC_PASSWORD} == x ]; then - echo "Set the ELASTIC_PASSWORD environment variable in the .env file"; - exit 1; - elif [ x${KIBANA_PASSWORD} == x ]; then - echo "Set the KIBANA_PASSWORD environment variable in the .env file"; - exit 1; - fi; - if [ ! -f certs/ca.zip ]; then - echo "Creating CA"; - bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip; - unzip config/certs/ca.zip -d config/certs; - fi; - if [ ! -f certs/certs.zip ]; then - echo "Creating certs"; - echo -ne \ - "instances:\n"\ - " - name: es01\n"\ - " dns:\n"\ - " - es01\n"\ - " - localhost\n"\ - " ip:\n"\ - " - 127.0.0.1\n"\ - " - name: es02\n"\ - " dns:\n"\ - " - es02\n"\ - " - localhost\n"\ - " ip:\n"\ - " - 127.0.0.1\n"\ - " - name: es03\n"\ - " dns:\n"\ - " - es03\n"\ - " - localhost\n"\ - " ip:\n"\ - " - 127.0.0.1\n"\ - > config/certs/instances.yml; - bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key; - unzip config/certs/certs.zip -d config/certs; - fi; - echo "Setting file permissions" - chown -R root:root config/certs; - find . -type d -exec chmod 750 \{\} \;; - find . 
-type f -exec chmod 640 \{\} \;; - echo "Waiting for Elasticsearch availability"; - until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done; - echo "Setting kibana_system password"; - until curl -s -X POST --cacert config/certs/ca/ca.crt -u elastic:${ELASTIC_PASSWORD} -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done; - echo "All done!"; - ' - healthcheck: - test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] - interval: 1s - timeout: 5s - retries: 120 - - es01: - depends_on: - setup: - condition: service_healthy - image: docker.elastic.co/elasticsearch/elasticsearch:{version} - volumes: - - certs:/usr/share/elasticsearch/config/certs - - esdata01:/usr/share/elasticsearch/data - ports: - - ${ES_PORT}:9200 - environment: - - node.name=es01 - - cluster.name=docker-cluster - - cluster.initial_master_nodes=es01,es02,es03 - - discovery.seed_hosts=es02,es03 - - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} - - bootstrap.memory_lock=true - - xpack.security.enabled=true - - xpack.security.http.ssl.enabled=true - - xpack.security.http.ssl.key=certs/es01/es01.key - - xpack.security.http.ssl.certificate=certs/es01/es01.crt - - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.http.ssl.verification_mode=certificate - - xpack.security.transport.ssl.enabled=true - - xpack.security.transport.ssl.key=certs/es01/es01.key - - xpack.security.transport.ssl.certificate=certs/es01/es01.crt - - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.transport.ssl.verification_mode=certificate - - xpack.license.self_generated.type=${LICENSE} - mem_limit: ${MEM_LIMIT} - ulimits: - memlock: - soft: -1 - hard: -1 - healthcheck: - test: - [ - "CMD-SHELL", - "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing 
authentication credentials'", - ] - interval: 10s - timeout: 10s - retries: 120 - - es02: - depends_on: - - es01 - image: docker.elastic.co/elasticsearch/elasticsearch:{version} - volumes: - - certs:/usr/share/elasticsearch/config/certs - - esdata02:/usr/share/elasticsearch/data - environment: - - node.name=es02 - - cluster.name=docker-cluster - - cluster.initial_master_nodes=es01,es02,es03 - - discovery.seed_hosts=es01,es03 - - bootstrap.memory_lock=true - - xpack.security.enabled=true - - xpack.security.http.ssl.enabled=true - - xpack.security.http.ssl.key=certs/es02/es02.key - - xpack.security.http.ssl.certificate=certs/es02/es02.crt - - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.http.ssl.verification_mode=certificate - - xpack.security.transport.ssl.enabled=true - - xpack.security.transport.ssl.key=certs/es02/es02.key - - xpack.security.transport.ssl.certificate=certs/es02/es02.crt - - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.transport.ssl.verification_mode=certificate - - xpack.license.self_generated.type=${LICENSE} - mem_limit: ${MEM_LIMIT} - ulimits: - memlock: - soft: -1 - hard: -1 - healthcheck: - test: - [ - "CMD-SHELL", - "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", - ] - interval: 10s - timeout: 10s - retries: 120 - - es03: - depends_on: - - es02 - image: docker.elastic.co/elasticsearch/elasticsearch:{version} - volumes: - - certs:/usr/share/elasticsearch/config/certs - - esdata03:/usr/share/elasticsearch/data - environment: - - node.name=es03 - - cluster.name=docker-cluster - - cluster.initial_master_nodes=es01,es02,es03 - - discovery.seed_hosts=es01,es02 - - bootstrap.memory_lock=true - - xpack.security.enabled=true - - xpack.security.http.ssl.enabled=true - - xpack.security.http.ssl.key=certs/es03/es03.key - - xpack.security.http.ssl.certificate=certs/es03/es03.crt - - 
xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.http.ssl.verification_mode=certificate - - xpack.security.transport.ssl.enabled=true - - xpack.security.transport.ssl.key=certs/es03/es03.key - - xpack.security.transport.ssl.certificate=certs/es03/es03.crt - - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.transport.ssl.verification_mode=certificate - - xpack.license.self_generated.type=${LICENSE} - mem_limit: ${MEM_LIMIT} - ulimits: - memlock: - soft: -1 - hard: -1 - healthcheck: - test: - [ - "CMD-SHELL", - "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", - ] - interval: 10s - timeout: 10s - retries: 120 - - kibana: - depends_on: - es01: - condition: service_healthy - es02: - condition: service_healthy - es03: - condition: service_healthy - image: docker.elastic.co/kibana/kibana:{version} - volumes: - - certs:/usr/share/kibana/config/certs - - kibanadata:/usr/share/kibana/data - ports: - - ${KIBANA_PORT}:5601 - environment: - - SERVERNAME=kibana - - ELASTICSEARCH_URL=https://es01:9200 - - ELASTICSEARCH_HOSTS=https://es01:9200 - - ELASTICSEARCH_USERNAME=kibana_system - - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD} - - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt - mem_limit: ${MEM_LIMIT} - healthcheck: - test: - [ - "CMD-SHELL", - "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'", - ] - interval: 10s - timeout: 10s - retries: 120 - -volumes: - certs: - driver: local - esdata01: - driver: local - esdata02: - driver: local - esdata03: - driver: local - kibanadata: - driver: local +version: "2.2" + +services: + setup: + image: docker.elastic.co/elasticsearch/elasticsearch:{version} + volumes: + - certs:/usr/share/elasticsearch/config/certs + user: "0" + command: > + bash -c ' + if [ x${ELASTIC_PASSWORD} == x ]; then + echo "Set the ELASTIC_PASSWORD environment variable in the .env file"; + exit 1; + 
elif [ x${KIBANA_PASSWORD} == x ]; then + echo "Set the KIBANA_PASSWORD environment variable in the .env file"; + exit 1; + fi; + if [ ! -f certs/ca.zip ]; then + echo "Creating CA"; + bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip; + unzip config/certs/ca.zip -d config/certs; + fi; + if [ ! -f certs/certs.zip ]; then + echo "Creating certs"; + echo -ne \ + "instances:\n"\ + " - name: es01\n"\ + " dns:\n"\ + " - es01\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + " - name: es02\n"\ + " dns:\n"\ + " - es02\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + " - name: es03\n"\ + " dns:\n"\ + " - es03\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + > config/certs/instances.yml; + bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key; + unzip config/certs/certs.zip -d config/certs; + fi; + echo "Setting file permissions" + chown -R root:root config/certs; + find . -type d -exec chmod 750 \{\} \;; + find . 
-type f -exec chmod 640 \{\} \;; + echo "Waiting for Elasticsearch availability"; + until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done; + echo "Setting kibana_system password"; + until curl -s -X POST --cacert config/certs/ca/ca.crt -u elastic:${ELASTIC_PASSWORD} -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done; + echo "All done!"; + ' + healthcheck: + test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] + interval: 1s + timeout: 5s + retries: 120 + + es01: + depends_on: + setup: + condition: service_healthy + image: docker.elastic.co/elasticsearch/elasticsearch:{version} + volumes: + - certs:/usr/share/elasticsearch/config/certs + - esdata01:/usr/share/elasticsearch/data + ports: + - ${ES_PORT}:9200 + environment: + - node.name=es01 + - cluster.name=${CLUSTER_NAME} + - cluster.initial_master_nodes=es01,es02,es03 + - discovery.seed_hosts=es02,es03 + - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} + - bootstrap.memory_lock=true + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=certs/es01/es01.key + - xpack.security.http.ssl.certificate=certs/es01/es01.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.http.ssl.verification_mode=certificate + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.key=certs/es01/es01.key + - xpack.security.transport.ssl.certificate=certs/es01/es01.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.license.self_generated.type=${LICENSE} + mem_limit: ${MEM_LIMIT} + ulimits: + memlock: + soft: -1 + hard: -1 + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing 
authentication credentials'", + ] + interval: 10s + timeout: 10s + retries: 120 + + es02: + depends_on: + - es01 + image: docker.elastic.co/elasticsearch/elasticsearch:{version} + volumes: + - certs:/usr/share/elasticsearch/config/certs + - esdata02:/usr/share/elasticsearch/data + environment: + - node.name=es02 + - cluster.name=${CLUSTER_NAME} + - cluster.initial_master_nodes=es01,es02,es03 + - discovery.seed_hosts=es01,es03 + - bootstrap.memory_lock=true + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=certs/es02/es02.key + - xpack.security.http.ssl.certificate=certs/es02/es02.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.http.ssl.verification_mode=certificate + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.key=certs/es02/es02.key + - xpack.security.transport.ssl.certificate=certs/es02/es02.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.license.self_generated.type=${LICENSE} + mem_limit: ${MEM_LIMIT} + ulimits: + memlock: + soft: -1 + hard: -1 + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", + ] + interval: 10s + timeout: 10s + retries: 120 + + es03: + depends_on: + - es02 + image: docker.elastic.co/elasticsearch/elasticsearch:{version} + volumes: + - certs:/usr/share/elasticsearch/config/certs + - esdata03:/usr/share/elasticsearch/data + environment: + - node.name=es03 + - cluster.name=${CLUSTER_NAME} + - cluster.initial_master_nodes=es01,es02,es03 + - discovery.seed_hosts=es01,es02 + - bootstrap.memory_lock=true + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=certs/es03/es03.key + - xpack.security.http.ssl.certificate=certs/es03/es03.crt + - 
xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.http.ssl.verification_mode=certificate + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.key=certs/es03/es03.key + - xpack.security.transport.ssl.certificate=certs/es03/es03.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.license.self_generated.type=${LICENSE} + mem_limit: ${MEM_LIMIT} + ulimits: + memlock: + soft: -1 + hard: -1 + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", + ] + interval: 10s + timeout: 10s + retries: 120 + + kibana: + depends_on: + es01: + condition: service_healthy + es02: + condition: service_healthy + es03: + condition: service_healthy + image: docker.elastic.co/kibana/kibana:{version} + volumes: + - certs:/usr/share/kibana/config/certs + - kibanadata:/usr/share/kibana/data + ports: + - ${KIBANA_PORT}:5601 + environment: + - SERVERNAME=kibana + - ELASTICSEARCH_HOSTS=https://es01:9200 + - ELASTICSEARCH_USERNAME=kibana_system + - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD} + - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt + mem_limit: ${MEM_LIMIT} + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'", + ] + interval: 10s + timeout: 10s + retries: 120 + +volumes: + certs: + driver: local + esdata01: + driver: local + esdata02: + driver: local + esdata03: + driver: local + kibanadata: + driver: local
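Review bot: `cluster.name=${CLUSTER_NAME}` in the es01, es02 and es03 environment blocks has no fallback, so a `.env` that predates this commit, or one where the new variable is left blank, renders as `cluster.name=` and the setup script's existing checks (which only validate the two passwords) will not catch it; the compose default syntax, `- cluster.name=${CLUSTER_NAME:-docker-cluster}`, keeps the previous behaviour for older `.env` files. Separately, the setup command splices `${KIBANA_PASSWORD}` unescaped into the `-d "{\"password\":\"...\"}"` JSON body and passes `${ELASTIC_PASSWORD}` on curl's command line, so a password containing `"` or `\` produces a request Elasticsearch rejects, and the `until ... grep -q "^{}"` loop then retries forever without surfacing the cause. Bounding that loop with a retry counter that exits non-zero with a message, and stating in the `.env` comments which characters the passwords may contain, would make the failure visible instead of a silent hang.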