Эхлэл Бүгдийг харах Тусламж
Бүртгүүлэх Нэвтрэх
lqb
/
elasticsearch
-ын хуулбар https://gitee.com/mirrors/elasticsearch.git
1
0
Салаа 0
Файлууд Асуудлууд 0 Мэдлэгийн сан
Мод: 1a23417aeb
Салаанууд Тагууд
elasticsearch
/
docs
/
reference
/
security
/
securing-communications
/
configuring-tls-docker.asciidoc

configuring-tls-docker.asciidoc 6.1 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207 
  1. [role="xpack"]
    2. 

  2. [[configuring-tls-docker]]
    3. 

  3. === Encrypting communications in an {es} Docker Container
    4. 

  4. 

  5. Starting with version 6.0.0, {stack} {security-features}
    6. 

  6. (Gold, Platinum or Enterprise subscriptions)
    7. 

  7. https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html[require SSL/TLS]
    8. 

  8. encryption for the transport networking layer.
    9. 

  9. 

  10. This section demonstrates an easy path to get started with SSL/TLS for both
    11. 

  11. HTTPS and transport using the {es} Docker image. The example uses
    12. 

  12. Docker Compose to manage the containers.
    13. 

  13. 

  14. For further details, please refer to
    15. 

  15. {stack-ov}/encrypting-communications.html[Encrypting communications] and
    16. 

  16. https://www.elastic.co/subscriptions[available subscriptions].
    17. 

  17. 

  18. [float]
    19. 

  19. ==== Prepare the environment
    20. 

  20. 

  21. <<docker,Install {es} with Docker>>.
    22. 

  22. 

  23. Inside a new, empty directory, create the following four files:
    24. 

  24. 

  25. `instances.yml`:
    26. 

  26. ["source","yaml"]
    27. 

  27. ----
    28. 

  28. instances:
    29. 

  29.   - name: es01
    30. 

  30.     dns:
    31. 

  31.       - es01 <1>
    32. 

  32.       - localhost
    33. 

  33.     ip:
    34. 

  34.       - 127.0.0.1
    35. 

  35. 

  36.   - name: es02
    37. 

  37.     dns:
    38. 

  38.       - es02
    39. 

  39.       - localhost
    40. 

  40.     ip:
    41. 

  41.       - 127.0.0.1
    42. 

  42. ----
    43. 

  43. <1> Allow use of embedded Docker DNS server names.
    44. 

  44. 

  45. `.env`:
    46. 

  46. [source,yaml]
    47. 

  47. ----
    48. 

  48. CERTS_DIR=/usr/share/elasticsearch/config/certificates <1>
    49. 

  49. ELASTIC_PASSWORD=PleaseChangeMe <2>
    50. 

  50. ----
    51. 

  51. <1> The path, inside the Docker image, where certificates are expected to be found.
    52. 

  52. <2> Initial password for the `elastic` user.
    53. 

  53. 

  54. [[getting-starter-tls-create-certs-composefile]]
    55. 

  55. `create-certs.yml`:
    56. 

  56. ifeval::["{release-state}"=="unreleased"]
    57. 

  57. 

  58. WARNING: Version {version} of {es} has not yet been released, so a
    59. 

  59. `create-certs.yml` is not available for this version.
    60. 

  60. 

  61. endif::[]
    62. 

  62. 

  63. ifeval::["{release-state}"!="unreleased"]
    64. 

  64. ["source","yaml",subs="attributes"]
    65. 

  65. ----
    66. 

  66. version: '2.2'
    67. 

  67. 

  68. services:
    69. 

  69.   create_certs:
    70. 

  70.     container_name: create_certs
    71. 

  71.     image: {docker-image}
    72. 

  72.     command: >
    73. 

  73.       bash -c '
    74. 

  74.         if [[ ! -d config/certificates/certs ]]; then
    75. 

  75.           mkdir config/certificates/certs;
    76. 

  76.         fi;
    77. 

  77.         if [[ ! -f /local/certs/bundle.zip ]]; then
    78. 

  78.           bin/elasticsearch-certgen --silent --in config/certificates/instances.yml --out config/certificates/certs/bundle.zip;
    79. 

  79.           unzip config/certificates/certs/bundle.zip -d config/certificates/certs; <1>
    80. 

  80.         fi;
    81. 

  81.         chgrp -R 0 config/certificates/certs
    82. 

  82.       '
    83. 

  83.     user: $\{UID:-1000\}
    84. 

  84.     working_dir: /usr/share/elasticsearch
    85. 

  85.     volumes: ['.:/usr/share/elasticsearch/config/certificates']
    86. 

  86. ----
    87. 

  87. 

  88. <1> The new node certificates and CA certificate+key are placed under the local directory `certs`.
    89. 

  89. endif::[]
    90. 

  90. 

  91. [[getting-starter-tls-create-docker-compose]]
    92. 

  92. `docker-compose.yml`:
    93. 

  93. ifeval::["{release-state}"=="unreleased"]
    94. 

  94. 

  95. WARNING: Version {version} of {es} has not yet been released, so a
    96. 

  96. `docker-compose.yml` is not available for this version.
    97. 

  97. 

  98. endif::[]
    99. 

  99. 

  100. ifeval::["{release-state}"!="unreleased"]
    101. 

  101. ["source","yaml",subs="attributes"]
    102. 

  102. ----
    103. 

  103. version: '2.2'
    104. 

  104. 

  105. services:
    106. 

  106.   es01:
    107. 

  107.     container_name: es01
    108. 

  108.     image: {docker-image}
    109. 

  109.     environment:
    110. 

  110.       - node.name=es01
    111. 

  111.       - cluster.initial_master_nodes=es01,es02
    112. 

  112.       - ELASTIC_PASSWORD=$ELASTIC_PASSWORD <1>
    113. 

  113.       - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    114. 

  114.       - xpack.license.self_generated.type=trial <2>
    115. 

  115.       - xpack.security.enabled=true
    116. 

  116.       - xpack.security.http.ssl.enabled=true
    117. 

  117.       - xpack.security.transport.ssl.enabled=true
    118. 

  118.       - xpack.security.transport.ssl.verification_mode=certificate <3>
    119. 

  119.       - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
    120. 

  120.       - xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt
    121. 

  121.       - xpack.ssl.key=$CERTS_DIR/es01/es01.key
    122. 

  122.     volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
    123. 

  123.     ports:
    124. 

  124.       - 9200:9200
    125. 

  125.     healthcheck:
    126. 

  126.       test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
    127. 

  127.       interval: 30s
    128. 

  128.       timeout: 10s
    129. 

  129.       retries: 5
    130. 

  130. 

  131.   es02:
    132. 

  132.     container_name: es02
    133. 

  133.     image: {docker-image}
    134. 

  134.     environment:
    135. 

  135.       - node.name=es02
    136. 

  136.       - discovery.zen.ping.unicast.hosts=es01
    137. 

  137.       - cluster.initial_master_nodes=es01,es02
    138. 

  138.       - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
    139. 

  139.       - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    140. 

  140.       - xpack.license.self_generated.type=trial
    141. 

  141.       - xpack.security.enabled=true
    142. 

  142.       - xpack.security.http.ssl.enabled=true
    143. 

  143.       - xpack.security.transport.ssl.enabled=true
    144. 

  144.       - xpack.security.transport.ssl.verification_mode=certificate
    145. 

  145.       - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
    146. 

  146.       - xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt
    147. 

  147.       - xpack.ssl.key=$CERTS_DIR/es02/es02.key
    148. 

  148.     volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
    149. 

  149. 

  150.   wait_until_ready:
    151. 

  151.     image: {docker-image}
    152. 

  152.     command: /usr/bin/true
    153. 

  153.     depends_on: {"es01": {"condition": "service_healthy"}}
    154. 

  154. 

  155. volumes: {"esdata_01": {"driver": "local"}, "esdata_02": {"driver": "local"}}
    156. 

  156. ----
    157. 

  157. 

  158. <1> Bootstrap `elastic` with the password defined in `.env`. See
    159. 

  159. {stack-ov}/built-in-users.html#bootstrap-elastic-passwords[the Elastic Bootstrap Password].
    160. 

  160. <2> Automatically generate and apply a trial subscription, in order to enable
    161. 

  161. {security-features}.
    162. 

  162. <3> Disable verification of authenticity for inter-node communication. Allows
    163. 

  163. creating self-signed certificates without having to pin specific internal IP addresses.
    164. 

  164. endif::[]
    165. 

  165. 

  166. [float]
    167. 

  167. ==== Run the example
    168. 

  168. . Generate the certificates (only needed once):
    169. 

  169. +
    170. 

  170. --
    171. 

  171. ["source","sh"]
    172. 

  172. ----
    173. 

  173. docker-compose -f create-certs.yml up
    174. 

  174. ----
    175. 

  175. --
    176. 

  176. . Start two {es} nodes configured for SSL/TLS:
    177. 

  177. +
    178. 

  178. --
    179. 

  179. ["source","sh"]
    180. 

  180. ----
    181. 

  181. docker-compose up -d
    182. 

  182. ----
    183. 

  183. --
    184. 

  184. . Access the {es} API over SSL/TLS using the bootstrapped password:
    185. 

  185. +
    186. 

  186. --
    187. 

  187. ["source","sh"]
    188. 

  188. ----
    189. 

  189. curl --cacert certs/ca/ca.crt -u elastic:PleaseChangeMe https://localhost:9200
    190. 

  190. ----
    191. 

  191. // NOTCONSOLE
    192. 

  192. --
    193. 

  193. . The `elasticsearch-setup-passwords` tool can also be used to generate random
    194. 

  194. passwords for all users:
    195. 

  195. +
    196. 

  196. --
    197. 

  197. WARNING: Windows users not running PowerShell will need to remove `\` and join lines in the snippet below.
    198. 

  198. ["source","sh"]
    199. 

  199. ----
    200. 

  200. docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
    201. 

  201. auto --batch \
    202. 

  202. -Expack.ssl.certificate=certificates/es01/es01.crt \
    203. 

  203. -Expack.ssl.certificate_authorities=certificates/ca/ca.crt \
    204. 

  204. -Expack.ssl.key=certificates/es01/es01.key \
    205. 

  205. --url https://localhost:9200"
    206. 

  206. ----
    207. 

  207. --
    208.