diff --git a/elasticsearch/.example.env b/elasticsearch/.example.env
index 5c27ef5..7ba1a35 100644
--- a/elasticsearch/.example.env
+++ b/elasticsearch/.example.env
@@ -1,17 +1,17 @@
 discovery.type=single-node
 bootstrap.memory_lock=true
-ES_JAVA_OPTS=-Xms512m -Xmx512m
+ES_JAVA_OPTS=-Xms1g -Xmx1g
 node.name=elasticsearch
 cluster.name=es-cluster
 ELASTIC_PASSWORD=secret
 xpack.security.enabled=true
 xpack.security.http.ssl.enabled=true
-xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch/elasticsearch.key
-xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certificates/ca/ca.crt
-xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch/elasticsearch.crt
+xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/elasticsearch/elasticsearch.key
+xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
+xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/elasticsearch/elasticsearch.crt
 xpack.security.http.ssl.client_authentication=optional
 xpack.security.transport.ssl.enabled=true
 xpack.security.transport.ssl.verification_mode=certificate
-xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certificates/ca/ca.crt
-xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch/elasticsearch.crt
-xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch/elasticsearch.key
+xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
+xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/elasticsearch/elasticsearch.crt
+xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/elasticsearch/elasticsearch.key
diff --git a/elasticsearch/certs/.gitignore b/elasticsearch/certs/.gitignore
new file mode 100644
index 0000000..d6b7ef3
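Review bot: `ES_JAVA_OPTS=-Xms1g -Xmx1g` makes the JVM heap as large as the whole container, because the compose hunk in this commit adds `limits: memory: 1GB`. Elasticsearch also needs memory outside the heap (direct buffers, metaspace, thread stacks), and with `bootstrap.memory_lock=true` the heap is pinned in RAM, so the node is likely to be OOM-killed once it is under load. Keep the heap at roughly half the limit: either stay on `-Xms512m -Xmx512m` with the 1GB limit, or raise the limit to `memory: 2GB` alongside this change.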
--- /dev/null
+++ b/elasticsearch/certs/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/elasticsearch/compose.elasticsearch.example.yaml b/elasticsearch/compose.elasticsearch.example.yaml
index b07df42..4cc471c 100644
--- a/elasticsearch/compose.elasticsearch.example.yaml
+++ b/elasticsearch/compose.elasticsearch.example.yaml
@@ -1,8 +1,6 @@
 volumes:
 elasticsearch-data:
 driver: local
- elasticsearch-logs:
- driver: local
 services:
 elasticsearch:
@@ -15,9 +13,11 @@ services:
 - common-elasticsearch
 volumes:
 - elasticsearch-data:/usr/share/elasticsearch/data/
- - elasticsearch-logs:/usr/share/elasticsearch/logs/
- - ../.commons/certs/elasticsearch:/usr/share/elasticsearch/config/certificates/elasticsearch
- - ../.commons/certs/ca:/usr/share/elasticsearch/config/certificates/ca
+ - ./certs:/usr/share/elasticsearch/config/certs
+ deploy:
+ resources:
+ limits:
+ memory: 1GB
 ulimits:
 nofile:
 soft: 65536
@@ -25,8 +25,3 @@ services:
 memlock:
 soft: -1
 hard: -1
- healthcheck:
- test: curl --cacert /usr/share/elasticsearch/config/certificates/ca/ca.crt -s https://localhost:9200 > /dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
- interval: 30s
- timeout: 10s
- retries: 5
diff --git a/elasticsearch/readme.md b/elasticsearch/readme.md
new file mode 100644
index 0000000..4fc0707
--- /dev/null
+++ b/elasticsearch/readme.md
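Review bot: The new bind mount `./certs:/usr/share/elasticsearch/config/certs` in the second hunk is writable and exposes the whole directory, which after setup.sh from this commit has run also holds the CA private key at `ca/ca.key`. With `xpack.security.transport.ssl.verification_mode=certificate` in .example.env, a certificate signed by that CA is accepted on the transport layer, so the key should not be readable from the long-running node. For the service, mount only what it reads and mount it read-only, e.g. `- ./certs/ca/ca.crt:/usr/share/elasticsearch/config/certs/ca/ca.crt:ro` and `- ./certs/elasticsearch:/usr/share/elasticsearch/config/certs/elasticsearch:ro`. setup.sh would then need to pass its own writable mount on `docker compose run` (`-v`) for the certutil steps, or move `ca.key` off the host path once signing is done.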
@@ -0,0 +1,37 @@
+# ElasticSearch
+
+Elasticsearch is commonly used for log analytics, full-text search, security intelligence, business analytics, and operational intelligence use cases.
+
+## Usage
+
+*P.S.* Usage approach may change in different version. Do check updated process here: [Install Elastic with Docker](https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html)
+
+1. When starting the elasticsearch container for first time, view the log to get the elastic password that it auto generates. We store this password in the env `ELASTIC_PASSWORD`. If need to regenerate, run: `docker compose exec elasticsearch /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic`
+1. For kibana, run: `docker compose exec elasticsearch /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic`
+
+
+
+
+
+
+
+bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
+unzip config/certs/ca.zip -d config/certs;
+
+
+echo -ne \
+"instances:\n"\
+" - name: elasticsearch\n"\
+" dns:\n"\
+" - elasticsearch\n"\
+" - common-elasticsearch\n"\
+" - localhost\n"\
+" ip:\n"\
+" - 127.0.0.1\n"\
+> config/certs/instances.yml;
+
+bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
+unzip config/certs/certs.zip -d config/certs;
+
+
+
diff --git a/elasticsearch/setup.sh b/elasticsearch/setup.sh
new file mode 100755
index 0000000..4780abe
--- /dev/null
+++ b/elasticsearch/setup.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -e
+
+cp --update=none .example.env .env
+cp --update=none compose.elasticsearch.example.yaml compose.elasticsearch.yaml
+
+COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-common}
+
+if [ ! -f certs/instances.yml ]; then
+ echo -ne \
+ "instances:\n"\
+ " - name: elasticsearch\n"\
+ " dns:\n"\
+ " - elasticsearch\n"\
+ " - common-elasticsearch\n"\
+ " - localhost\n"\
+ " ip:\n"\
+ " - 127.0.0.1\n"\
+ > certs/instances.yml
+fi
+
+if [ ! -f certs/ca.zip ]; then
+ docker compose -f compose.elasticsearch.yaml -f ../compose.networks.yaml run --rm elasticsearch bash -c 'bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip && unzip -q config/certs/ca.zip -d config/certs'
+ echo 'ElasticSearch: CA Files Created!'
+fi
+
+if [ ! -f certs/certs.zip ]; then
+ docker compose -f compose.elasticsearch.yaml -f ../compose.networks.yaml run --rm elasticsearch bash -c 'bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key && unzip -q config/certs/certs.zip -d config/certs'
+ echo 'ElasticSearch: Cert Files Created!'
+fi
+
+echo 'ElasticSearch: Ready to start!!!'
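Review bot: `cp --update=none .example.env .env` copies `ELASTIC_PASSWORD=secret` from the example file verbatim, so a host set up with this script runs with the password published in the repository unless someone edits `.env` by hand (assuming the service reads `.env`; that wiring is outside the hunks). The script should generate a random value on first run and restrict the file's mode, as sketched below. Separately, `COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-common}` is assigned without `export`, so the `docker compose` calls see the default only when the variable was already in the environment.

```shell
cp --update=none .example.env .env
# Replace the example password before the first start so the stack never
# comes up with the value published in .example.env.
if grep -q '^ELASTIC_PASSWORD=secret$' .env; then
  elastic_password=$(openssl rand -hex 24)
  sed -i "s/^ELASTIC_PASSWORD=.*/ELASTIC_PASSWORD=${elastic_password}/" .env
  chmod 600 .env
fi
# … unchanged: compose file copy …
export COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-common}
# … unchanged: instances.yml and certutil steps …
```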