docker - Elasticsearch 密码工具总是返回“设置已设置”错误
问题描述
我正在按照此处的官方 ES 文档使用 docker compose 配置具有 TLS 的基本 dev 3 节点集群,但我停留在第 5 步 - 使用该elasticsearch-setup-passwords
工具创建用户密码。
到目前为止,我已经能够让 3 节点集群在没有 TLS 的情况下工作。正如文档所说,我还拆除了它并重新启动,创建了证书并启用了 TLS,并看到各种容器输出看起来不错。任何尝试运行
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords auto --batch -Expack.security.http.ssl.certificate=certificates/es01/es01.crt -Expack.security.http.ssl.certificate_authorities=certificates/ca/ca.crt -Expack.security.http.ssl.key=certificates/es01/es01.key --url https://es01:9200"
如文档中所述,总是返回
Sets the passwords for reserved users
Non-option arguments:
command
Option Description
------ -----------
-E <KeyValuePair> Configure a setting
-h, --help Show help
-s, --silent Show minimal output
-v, --verbose Show verbose output
ERROR: setting [xpack.security.http.ssl.certificate_authorities] already set, saw [certificates/ca/ca.crt] and [/usr/share/elasticsearch/config/certificates/ca/ca.crt]
上述命令中指定的任何一项设置都会抛出此“已设置”错误,但它已在官方文档中列出。如果我只是运行命令
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords auto --batch --url https://es01:9200"
它将按预期生成密码。
如果我没有指定 xpack 安全设置,是否会使用正确的证书?容器中存在一些我不想使用的其他默认证书,有没有办法可以验证是否使用了正确的集合?有没有办法覆盖“已经设置”的设置?
官方文档没有清楚地解释这一点,我无法在 SO 或网络上找到任何专门针对此的内容。
我正在为 MacOS Catalina 版本 10.15.4 使用 Docker Desktop 版本 2.2.0.5,Docker Compose 版本 1.25.4 和 ES 版本 7.7.0
我的 docker compose 文件如下所示:
version: '2.2'
services:
es01:
image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
container_name: es01
environment:
- node.name=es01
- cluster.name=es-docker-cluster
- discovery.seed_hosts=es02,es03
- cluster.initial_master_nodes=es01,es02,es03
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- xpack.license.self_generated.type=basic
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
- xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- data01:/usr/share/elasticsearch/data
- certs:$CERTS_DIR
ports:
- 9200:9200
networks:
- elastic
healthcheck:
test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
interval: 30s
timeout: 10s
retries: 5
es02:
image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
container_name: es02
environment:
- node.name=es02
- cluster.name=es-docker-cluster
- discovery.seed_hosts=es01,es03
- cluster.initial_master_nodes=es01,es02,es03
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- xpack.license.self_generated.type=basic
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- data02:/usr/share/elasticsearch/data
- certs:$CERTS_DIR
networks:
- elastic
es03:
image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
container_name: es03
environment:
- node.name=es03
- cluster.name=es-docker-cluster
- discovery.seed_hosts=es01,es02
- cluster.initial_master_nodes=es01,es02,es03
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- xpack.license.self_generated.type=basic
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=$CERTS_DIR/es03/es03.key
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.transport.ssl.certificate=$CERTS_DIR/es03/es03.crt
- xpack.security.transport.ssl.key=$CERTS_DIR/es03/es03.key
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- data03:/usr/share/elasticsearch/data
- certs:$CERTS_DIR
networks:
- elastic
kib01:
image: docker.elastic.co/kibana/kibana:${VERSION}
container_name: kib01
depends_on: {"es01": {"condition": "service_healthy"}}
ports:
- 5601:5601
environment:
SERVERNAME: localhost
ELASTICSEARCH_URL: https://es01:9200
ELASTICSEARCH_HOSTS: https://es01:9200
ELASTICSEARCH_USERNAME: kibana
ELASTICSEARCH_PASSWORD: CHANGEME
ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
SERVER_SSL_ENABLED: "true"
SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
volumes:
- certs:$CERTS_DIR
networks:
- elastic
volumes:
data01:
driver: local
name: data01
data02:
driver: local
name: data02
data03:
driver: local
name: data03
certs:
driver: local
name: certs
networks:
elastic:
driver: bridge
name: elastic
解决方案
您的方法没有问题,只需按给定顺序键入以下命令;
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \ auto --batch \ --url https://localhost:9200 "
码头工人-撰写下来
- docker-compose -f 弹性docker-tls.yml up -d
重新启动浏览器并等待重新加载。
推荐阅读
- c++ - c++ 对象输出错误信息
- c# - Xamarin 标签绑定
- visual-studio-code - vscode中自定义片段的键绑定?
- r - 根据符号拆分 data.frame 中的行
- php - PHP html mysql在where条件下更新多个复选框
- php - php json插入mysql数据并插入控制限制
- python - Openpyxl:需要在 Excel 中有数据的列中的最大行数
- asp.net - 将站点从 IIS 7.5 移动到 IIS 10 并且 json 字符串有问题
- plsql - 将参数传递给 Oracle 应用程序中的 PL/SQL 函数并在过程中调用它
- php - 如何将年龄字段添加到 woocommerce 编辑帐户