Elasticsearch 6.8.4: upgrading a Docker deployment and adding security authentication

Upgrading a Docker deployment

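These are notes on upgrading and hardening our project's middleware, recorded here for anyone who needs them.
Components to upgrade: elasticsearch, kibana and the ik analyzer plugin.
Preparation: download version 6.8.4 of the ik analyzer and place it in the elasticsearch plugin directory.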

  • Upgrading elasticsearch
elasticsearch configuration directory
[root@localhost elasticsearch]# ls /docker/elasticsearch
config  data  logs  plugins
docker configuration directory
[root@localhost elastic]# ls /opt/elastic/
elastic.yml

1. Change to the elasticsearch plugin directory
cd /docker/elasticsearch/plugins/ik

2. Update the version number the plugin declares
vim plugin-descriptor.properties
elasticsearch.version=6.8.4

3. Edit midleware.yml
vim midleware.yml
elasticsearch:
    image: elasticsearch:6.8.4 # previous image version: 6.6.0
    environment:
      TZ: Asia/Shanghai    
    volumes:
      - /docker/elasticsearch/data:/usr/share/elasticsearch/data
      - /docker/elasticsearch/config:/usr/share/elasticsearch/config
      - /docker/elasticsearch/plugins:/usr/share/elasticsearch/plugins
      - /etc/localtime:/etc/localtime
    container_name: elasticsearch
    network_mode: host
    restart: always

docker-compose -f /opt/midleware/midleware.yml down    # stop the container (or: docker stop elasticsearch)
docker-compose -f /opt/midleware/midleware.yml up -d   # start the container (or: docker start elasticsearch)
The elasticsearch upgrade is done.
  • Upgrading kibana
kibana configuration directory
[root@localhost opt]# ls /docker/kibana/
config  data
docker configuration directory
[root@localhost kibana]# ls /opt/kibana/
kibana.yml

Edit kibana.yml
vim kibana.yml
kibana:
    image: kibana:6.8.4 # previous version: 6.6.0
    environment:
      TZ: Asia/Shanghai
    volumes:
      - /docker/kibana/data:/usr/share/kibana/data
      - /docker/kibana/config:/usr/share/kibana/config
      - /etc/localtime:/etc/localtime      
    container_name: kibana
    network_mode: "host"
    restart: always
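docker-compose -f /opt/kibana/kibana.yml down    # stop the container (or: docker stop kibana)
docker-compose -f /opt/kibana/kibana.yml up -d   # start the container (or: docker start kibana)
The kibana upgrade is done.
  • Adding security authentication to elasticsearch
Enable x-pack authentication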
vim /docker/elasticsearch/config/elasticsearch.yml
cluster.name: "elasticsearch"
http.port: 9201
transport.tcp.port: 9301 
network.host: 0.0.0.0 
http.cors.enabled: true
http.cors.allow-origin: "*"
# enable x-pack authentication
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

Restart the container
docker restart elasticsearch
Enter the container
docker exec -it elasticsearch bash
The elasticsearch directory inside the container
[root@localhost elasticsearch]# ls
LICENSE.txt  README.textile  config  lib   modules
NOTICE.txt   bin             data    logs  plugins

Help for the bin/elasticsearch-setup-passwords command
[root@localhost elasticsearch]# bin/elasticsearch-setup-passwords --help
Sets the passwords for reserved users

Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user

Non-option arguments:
command              

Option         Description        
------         -----------        
-h, --help     show help          
-s, --silent   show minimal output
-v, --verbose  show verbose output

bin/elasticsearch-setup-passwords interactive   # set the passwords

Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Test the connection
curl --user elastic:passwd localhost:9201
  • Adding security authentication to kibana
Add the username and password used to connect to elasticsearch to the configuration file
vim /docker/kibana/config/kibana.yml
[root@localhost opt]# cat /docker/kibana/config/kibana.yml 
---
# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: "0"
elasticsearch.url: http://localhost:9201
xpack.monitoring.ui.container.elasticsearch.enabled: false
# add the elastic user's username and password
elasticsearch.username: "elastic"
elasticsearch.password: "passwd"

docker restart kibana   # restart the container
Access: localhost:5601, user: kibana, password: passwd
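The settings shown in the two configuration files above can be checked mechanically before the containers are restarted. The script below is an added example, not part of the original post; the function names and finding codes are made up for illustration, and the sample files are constructed from the values on this page.

```shell
#!/bin/sh
# Added example: static audit of the two config files edited on this page.
# Finding codes and function names are made up for this example.

# yaml_value FILE KEY: value of the last uncommented top-level "KEY: value" line.
yaml_value() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^${k}:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]#.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' | tail -n 1
}

audit_es_yml() {
    # A commented-out line (the password-reset note does this) counts as disabled.
    [ "$(yaml_value "$1" xpack.security.enabled)" = "true" ] || echo ES_AUTH_DISABLED
    # Without HTTP TLS, basic-auth credentials travel in cleartext.
    [ "$(yaml_value "$1" xpack.security.http.ssl.enabled)" = "true" ] || echo ES_HTTP_CLEARTEXT
    if [ "$(yaml_value "$1" http.cors.enabled)" = "true" ] &&
       [ "$(yaml_value "$1" http.cors.allow-origin)" = "*" ]; then
        echo ES_CORS_ANY_ORIGIN
    fi
    [ "$(yaml_value "$1" network.host)" != "0.0.0.0" ] || echo ES_BIND_ALL_INTERFACES
}

audit_kibana_yml() {
    # The reserved "kibana" user exists for this connection; "elastic" is a superuser.
    [ "$(yaml_value "$1" elasticsearch.username)" != "elastic" ] || echo KIBANA_USES_SUPERUSER
    # bin/kibana-keystore can hold elasticsearch.password instead of kibana.yml.
    [ -z "$(yaml_value "$1" elasticsearch.password)" ] || echo KIBANA_PLAINTEXT_PASSWORD
    [ "$(yaml_value "$1" server.ssl.enabled)" = "true" ] || echo KIBANA_HTTP_CLEARTEXT
}

# Constructed sample input: the settings shown on this page.
tmp=$(mktemp -d)
cat > "$tmp/elasticsearch.yml" <<'EOF'
http.port: 9201
network.host: 0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
EOF
cat > "$tmp/kibana.yml" <<'EOF'
server.host: "0"
elasticsearch.url: http://localhost:9201
elasticsearch.username: "elastic"
elasticsearch.password: "passwd"
EOF
audit_es_yml "$tmp/elasticsearch.yml"
audit_kibana_yml "$tmp/kibana.yml"
```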


Notes:


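1. Setting the passwords is very likely to fail while the index status is red.
2. After entering the container, check whether the elasticsearch-keystore file exists. If it does, set the passwords directly; if it does not, create it with: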
[root@localhost elasticsearch]# bin/elasticsearch-keystore create
Help for the bin/elasticsearch-keystore command
[root@localhost elasticsearch]# bin/elasticsearch-keystore --help
A tool for managing settings stored in the elasticsearch keystore

Commands
--------
create - Creates a new elasticsearch keystore
list - List entries in the keystore
add - Add a string setting to the keystore
add-file - Add a file setting to the keystore
remove - Remove a setting from the keystore
upgrade - Upgrade the keystore format

Non-option arguments:
command              

Option         Description        
------         -----------        
-h, --help     show help          
-s, --silent   show minimal output
-v, --verbose  show verbose output
3. If passwords have already been created and you want to create them again, running
bin/elasticsearch-setup-passwords interactive   # set the passwords
may produce the following output:
Possible causes include:
 * The password for the 'elastic' user has already been changed on this cluster
 * Your elasticsearch node is running against a different keystore
 * This tool used the keystore at /usr/share/elasticsearch/config/elasticsearch.keystore
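How can this be resolved?
Deleting the password index that was generated when the passwords were created fixes it:
curl -XDELETE -u user:passwd http://localhost:9201/.security-6
After that the passwords can be created again.
4. If the password has been forgotten, x-pack authentication can be turned off:
# disable x-pack authentication
#xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true
Restart es, look up the password index and delete it; new passwords can then be set.
curl -XGET http://localhost:9201/_cat/indices
.security-6 is the password index (other versions may name it differently, but it should always be something like .security-*).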
  • Adding custom users to elasticsearch:
1. Create the two files users and users_roles in the docker configuration directory
[root@localhost opt]# echo > /docker/elastic/users
[root@localhost opt]# echo > /docker/elastic/users_roles
2. Start the container and enter it
[root@localhost opt]# docker start elasticsearch
[root@localhost opt]# docker exec -it elasticsearch bash
3. List the commands for managing custom users
[root@localhost elasticsearch]# bin/elasticsearch-users -h
Manages elasticsearch file users

Commands
--------
useradd - Adds a file user
userdel - Deletes a file based user
passwd - Changes the password of an existing file based user
roles - Edit roles of an existing user
list - List existing file based users and their corresponding roles

Non-option arguments:
command              

Option         Description        
------         -----------        
-h, --help     show help          
-s, --silent   show minimal output
-v, --verbose  show verbose output
4. Check the role name of the elastic user
[root@localhost elasticsearch]# bin/elasticsearch-setup-passwords interactive -v
Running with configuration path: /usr/share/elasticsearch/configs interactive -v 

Testing if bootstrap password is valid for http://192.168.2.211:19200/_xpack/security/_authenticate?pretty
{
  "username" : "elastic",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "_reserved" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "lookup_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  }
}


Checking cluster health: http://192.168.2.211:19200/_cluster/health?pretty
{
  "cluster_name" : "qgs-elasticsearch",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 3,
  "active_shards" : 3,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]
5. Create the user
[root@localhost elasticsearch]# bin/elasticsearch-users useradd admin   # create the user
[root@localhost elasticsearch]# bin/elasticsearch-users roles admin -a superuser   # add the role
curl -u admin:admin 'localhost:9201/_cat/indices?v'   # test access
6. Change the password
[root@localhost elasticsearch]# bin/elasticsearch-users passwd admin   # change the admin user's password
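The users file holds password hashes and users_roles decides who is a superuser, so both are worth auditing after the steps above. The script below is an added example, not part of the original post; the function names and finding labels are made up, the sample files are constructed, and the 0644 mode assumes the files were created by root with the default umask 022.

```shell
#!/bin/sh
# Added example: audit the file-realm files created in step 1.
#   users       -> username:password_hash   (one account per line)
#   users_roles -> role:user1,user2,...     (one role per line)
# Function names and finding labels are made up for this example.

# members_of ROLE USERS_ROLES: print the accounts mapped to ROLE, one per line.
members_of() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' | sort -u
}

# world_readable FILE: succeeds if "other" can read FILE (exposes the hashes).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# audit_file_realm USERS USERS_ROLES: one finding per line.
audit_file_realm() {
    for u in $(members_of superuser "$2"); do
        if grep -q "^$u:" "$1"; then
            echo "SUPERUSER $u"
        else
            echo "STALE_GRANT $u"   # role granted to a name with no password entry
        fi
    done
    for f in "$1" "$2"; do
        if world_readable "$f"; then echo "WORLD_READABLE $(basename "$f")"; fi
    done
}

# Constructed sample input; the hash is a placeholder, not a real bcrypt value.
# The leading blank line mirrors what "echo > file" writes.
dir=$(mktemp -d)
cat > "$dir/users" <<'EOF'

admin:$2a$10$CONSTRUCTEDPLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
EOF
cat > "$dir/users_roles" <<'EOF'

superuser:admin,olduser
kibana_user:viewer
EOF
chmod 644 "$dir/users" "$dir/users_roles"   # assumed mode: root with umask 022
audit_file_realm "$dir/users" "$dir/users_roles"
```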

ok~.~
