Install Elasticsearch with Docker – cài đặt docker trên windows

Install Elasticsearch with Dockeredit

Elasticsearch is also available as Docker images. Α danh sách of all published Docker
images and tags is available at
www.docker.elastic.co. The source files are
in
Github.

This package contains both free and subscription features.
Start α 30-day trial to try out all of the features.

Starting in Elasticsearch 8.0, security is enabled by default. With security enabled,
Elastic Stack security features require TLS encryption for the transport networking
layer, or your cluster will fail to start.

Install Docker Desktop or Docker Engineedit

Install the appropriate Docker application
for your operating system.

Make sure that Docker is allotted at least 4GiB of memory. In Docker
Desktop, you configure resource usage on the Advanced tab in Preference (macOS)
or Settings (Windows).

Pull the Elasticsearch Docker imageedit

Obtaining Elasticsearch for Docker is as simple as issuing α docker pull command
against the Elastic Docker registry.

docker pull docker.elastic.co/elasticsearch/elasticsearch:8.0.1

Now that you have the Elasticsearch Docker image, you can start α
single-node or multi-node
cluster.

Start α single-node cluster with Dockeredit

If you’re starting α single-node Elasticsearch cluster in α Docker container, security
will be automatically enabled and configured for you. When you start Elasticsearch for
the first time, the following security configuration occurs automatically:

• Certificates and keys are generated
  for the transport and HTTP layers.
• The Transport Layer Security (TLS) configuration settings are written to
  elasticsearch.yml.
• Α password is generated for the elastic user.
• An enrollment token is generated for Kibana.

You can then start Kibana and enter the enrollment
token, which is valid for 30 minutes. This token automatically applies the
security settings from your Elasticsearch cluster, authenticates to Elasticsearch with the
kibana_system user, and writes the security configuration to kibana.yml.

The following command starts α single-node Elasticsearch cluster for development or
testing.

1. Start Elasticsearch in Docker. Α password is generated for the elastic user and
   output to the terminal, plus an enrollment token for enrolling Kibana.

   docker run --name es01 --net elastic -p 9200:9200 -p 9300:9300 -it docker.elastic.co/elasticsearch/elasticsearch:8.0.1

   You might need to scroll back α bit in the terminal to lượt xem the password
   and enrollment token.

2. Sao chép the generated password and enrollment token and save them in α secure
   location. These values are shown only when you start Elasticsearch for the first time.

   If you need to reset the password for the elastic user or other
   built-in users, run the elasticsearch-reset-password tool.
   This tool is available in the Elasticsearch /bin directory of the Docker container.
   For example:

   docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-reset-password

3. Sao chép the http_ca.crt security certificate from your Docker container to
   your local machine.

   docker cp es01:/usr/share/elasticsearch/config/certs/http_ca.crt .

4. Open α new terminal and verify that you can kết nối to your Elasticsearch cluster by
   making an authenticated call, using the http_ca.crt file that you copied from
   your Docker container. Enter the password for the elastic user when prompted.

   curl --cacert http_ca.crt -u elastic https://localhost:9200

Enroll additional nodesedit

When you start Elasticsearch for the first time, the installation process configures α single-node cluster by default. This process also generates an enrollment token
and prints it to your terminal. If you want α node to join an existing cluster,
start the new node with the generated enrollment token.

Generating enrollment tokens

The enrollment token is valid for 30 minutes. If you need to generate α
new enrollment token, run the
elasticsearch-create-enrollment-token tool on your
existing node. This tool is available in the Elasticsearch bin directory of the Docker
container.

For example, run the following command on the existing es01 node to
generate an enrollment token for new Elasticsearch nodes:

docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node

1. In the terminal where you started your first node, sao chép the generated
   enrollment token for adding new Elasticsearch nodes.

2. On your new node, start Elasticsearch and include the generated enrollment token.

   docker run -e ENROLLMENT_TOKEN="<token>" --name es02 --net elastic -it docker.elastic.co/elasticsearch/elasticsearch:8.0.1

   Elasticsearch is now configured to join the existing cluster.

Setting JVM heap sizeedit

If you experience issues where the container where your first node is running
exits when your second node starts, explicitly set values for the JVM heap size.
To manually configure the heap size, include the
ES_JAVA_OPTS variable and set values for -Xms and -Xmx when starting each
node. For example, the following command starts node es02 and sets the
minimum and maximum JVM heap size to 1 GB:

docker run -e ES_JAVA_OPTS="-Xms1g -Xmx1g" -e ENROLLMENT_TOKEN="<token>" --name es02 -p 9201:9200 --net elastic -it docker.elastic.co/elasticsearch/elasticsearch:docker.elastic.co/elasticsearch/elasticsearch:8.0.1

Next stepsedit

You now have α check Elasticsearch environment set up. Before you start
serious development or go into production with Elasticsearch, review the
requirements and recommendations to apply when running Elasticsearch in Docker in production.

Security certificates and keysedit

When you start Elasticsearch for the first time, the following certificates and keys are
generated in the
/usr/share/elasticsearch/config/certs
directory in the Docker container, and allow you to kết nối α Kibana instance
to your secured Elasticsearch cluster and encrypt internode communication. The files are
listed here for reference.

http_ca.crt

The CA certificate that is used to sign the certificates for the HTTP layer of
this Elasticsearch cluster.

http.p12

Keystore that contains the key and certificate for the HTTP layer for this node.

transport.p12

Keystore that contains the key and certificate for the transport layer for all
the nodes in your cluster.

Start α multi-node cluster with Docker Composeedit

To get α multi-node Elasticsearch cluster and Kibana up and running in Docker with
security enabled, you can use Docker Compose.

This configuration provides α simple method of starting α secured cluster that
you can use for development before building α distributed deployment with
multiple hosts.

Prerequisitesedit

Install the appropriate Docker application
for your operating system.

If you’re running on Linux, install Docker Compose.

Make sure that Docker is allotted at least 4GB of memory. In Docker Desktop,
you configure resource usage on the Advanced tab in Preferences (macOS) or
Settings (Windows).

Prepare the environmentedit

Create the following configuration files in α new, empty directory. These files
are also available from the
elasticsearch
repository on GitHub.

.envedit

The .env file sets environment variables that are used when you run the
docker-compose.yml configuration file. Ensure that you specify α strong
password for the elastic and kibana_system users with the
ELASTIC_PASSWORD and KIBANA_PASSWORD variables. These variable are
referenced by the docker-compose.yml file.

# Password for the 'elastic' user (at least 6 characters)
ELASTIC_PASSWORD=

# Password for the 'kibana_system' user (at least 6 characters)
KIBANA_PASSWORD=

# Version of Elastic products
STACK_VERSION=8.0.1

# Set the cluster name
CLUSTER_NAME=docker-cluster

# Set to 'basic' or 'trial' to automatically start the 30-day trial
LICENSE=basic
#LICENSE=trial

# Port to expose Elasticsearch HTTP API to the hosting
ES_PORT=9200
#ES_PORT=127.0.0.1:9200

# Port to expose Kibana to the hosting
KIBANA_PORT=5601
#KIBANA_PORT=80

# Increase or decrease based on the available hosting memory (in bytes)
MEM_LIMIT=1073741824

# Project namespace (defaults to the current folder name if not set)
#COMPOSE_PROJECT_NAME=myproject

docker-compose.ymledit

This docker-compose.yml file creates α three-node secure Elasticsearch cluster with authentication and network encryption enabled, and α Kibana instance securely connected to it.

Exposing ports

This configuration exposes port 9200 on all network interfaces. Because
of how Docker handles ports, α port that isn’t bound to localhost leaves your
Elasticsearch cluster publicly accessible, potentially ignoring any firewall settings.
If you don’t want to expose port 9200 to external hosts, set the value for
ES_PORT in the .env file to something like 127.0.0.1:9200. Elasticsearch will
then only be accessible from the hosting machine itself.

version: "2.2"

services:
  cài đặt:
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
    user: "0"
    command: >
      bash -c '
        if [ x${ELASTIC_PASSWORD} == x ]; then
          echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
          exit 1;
        elif [ x${KIBANA_PASSWORD} == x ]; then
          echo "Set the KIBANA_PASSWORD environment variable in the .env file";
          exit 1;
        fi;
        if [ ! -f certs/ca.zip ]; then
          echo "Creating CA";
          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
          unzip config/certs/ca.zip -d config/certs;
        fi;
        if [ ! -f certs/certs.zip ]; then
          echo "Creating certs";
          echo -ne 
          "instances:n"
          "  - name: es01n"
          "    dns:n"
          "      - es01n"
          "      - localhostn"
          "    ip:n"
          "      - 127.0.0.1n"
          "  - name: es02n"
          "    dns:n"
          "      - es02n"
          "      - localhostn"
          "    ip:n"
          "      - 127.0.0.1n"
          "  - name: es03n"
          "    dns:n"
          "      - es03n"
          "      - localhostn"
          "    ip:n"
          "      - 127.0.0.1n"
          > config/certs/instances.yml;
          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
          unzip config/certs/certs.zip -d config/certs;
        fi;
        echo "Setting file permissions"
        chown -Ŕ root:root config/certs;
        find . -type {d} -exec chmod 750 {} ;;
        find . -type ƒ -exec chmod 640 {} ;;
        echo "Waiting for Elasticsearch availability";
        until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
        echo "Setting kibana_system password";
        until curl -s -Ҳ POST --cacert config/certs/ca/ca.crt -u elastic:${ELASTIC_PASSWORD} -Н "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{"password":"${KIBANA_PASSWORD}"}" | grep -q "^{}"; do sleep 10; done;
        echo "All done!";
      '
    healthcheck:
      check: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"]
      interval: 1s
      timeout: 5s
      retries: 120

  es01:
    depends_on:
      cài đặt:
        condition: service_healthy
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
      - esdata01:/usr/share/elasticsearch/data
    ports:
      - ${ES_PORT}:9200
    environment:
      - node.name=es01
      - cluster.name=${CLUSTER_NAME}
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es02,es03
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es01/es01.key
      - xpack.security.http.ssl.certificate=certs/es01/es01.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/es01/es01.key
      - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      check:
        [
          "CMD-SHELL",
          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120

  es02:
    depends_on:
      - es01
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
      - esdata02:/usr/share/elasticsearch/data
    environment:
      - node.name=es02
      - cluster.name=${CLUSTER_NAME}
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es01,es03
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es02/es02.key
      - xpack.security.http.ssl.certificate=certs/es02/es02.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/es02/es02.key
      - xpack.security.transport.ssl.certificate=certs/es02/es02.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      check:
        [
          "CMD-SHELL",
          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120

  es03:
    depends_on:
      - es02
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
      - esdata03:/usr/share/elasticsearch/data
    environment:
      - node.name=es03
      - cluster.name=${CLUSTER_NAME}
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es01,es02
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es03/es03.key
      - xpack.security.http.ssl.certificate=certs/es03/es03.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/es03/es03.key
      - xpack.security.transport.ssl.certificate=certs/es03/es03.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      check:
        [
          "CMD-SHELL",
          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120

  kibana:
    depends_on:
      es01:
        condition: service_healthy
      es02:
        condition: service_healthy
      es03:
        condition: service_healthy
    image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
    volumes:
      - certs:/usr/share/kibana/config/certs
      - kibanadata:/usr/share/kibana/data
    ports:
      - ${KIBANA_PORT}:5601
    environment:
      - SERVERNAME=kibana
      - ELASTICSEARCH_HOSTS=https://es01:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
    mem_limit: ${MEM_LIMIT}
    healthcheck:
      check:
        [
          "CMD-SHELL",
          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120

volumes:
  certs:
    driver: local
  esdata01:
    driver: local
  esdata02:
    driver: local
  esdata03:
    driver: local
  kibanadata:
    driver: local

Start your cluster with security enabled and configurededit

1. Modify the .env file and enter strong password values for both the
   ELASTIC_PASSWORD and KIBANA_PASSWORD variables.

   You must use the ELASTIC_PASSWORD value for further interactions with
   the cluster. The KIBANA_PASSWORD value is only used internally when
   configuring Kibana.

2. Create and start the three-node Elasticsearch cluster and Kibana instance:

   docker-compose up -d

3. When the deployment has started, open α browser and navigate to http://localhost:5601 to
   access Kibana, where you can load sample data and interact with your cluster.

Stop and remove the deploymentedit

To stop the cluster, run docker-compose down. The data in the Docker volumes
is preserved and loaded when you restart the cluster with docker-compose up.

docker-compose down

To delete the network, containers, and volumes when you stop the cluster,
specify the -v option:

docker-compose down -v

Next stepsedit

You now have α check Elasticsearch environment set up. Before you start
serious development or go into production with Elasticsearch, review the
requirements and recommendations to apply when running Elasticsearch in Docker in production.

Configuring Elasticsearch with Dockeredit

When you run in Docker, the Elasticsearch configuration files are loaded from
/usr/share/elasticsearch/config/.

To use custom configuration files, you bind-mount the files
over the configuration files in the image.

You can set individual Elasticsearch configuration parameters using Docker environment variables.
The sample compose file and the
single-node example use this method. You can
use the setting name directly as the environment variable name. If
you cannot do this, for example because your orchestration platform forbids
periods in environment variable names, then you can use an alternative
style by converting the setting name as follows.

1. Change the setting name to uppercase
2. Prefix it with ES_SETTING_
3. Escape any underscores (_) by duplicating them
4. Convert all periods (.) to underscores (_)

For example, -e bootstrap.memory_lock=true becomes
-e ES_SETTING_BOOTSTRAP_MEMORY__LOCK=true.

You can use the contents of α file to set the value of the
ELASTIC_PASSWORD or KEYSTORE_PASSWORD environment variables, by
suffixing the environment variable name with _FILE. This is useful for
passing secrets such as passwords to Elasticsearch without specifying them directly.

For example, to set the Elasticsearch bootstrap password from α file, you can bind mount the
file and set the ELASTIC_PASSWORD_FILE environment variable to the mount location.
If you mount the password file to /run/secrets/bootstrapPassword.txt, specify:

-e ELASTIC_PASSWORD_FILE=/run/secrets/bootstrapPassword.txt

You can override the default command for the image to pass Elasticsearch configuration
parameters as command line options. For example:

docker run <various parametersvàgt; bin/elasticsearch -Ecluster.name=mynewclustername

While bind-mounting your configuration files is usually the preferred method in production,
you can also create α custom Docker image
that contains your configuration.

Mounting Elasticsearch configuration filesedit

Create custom config files and bind-mount them over the corresponding files in the Docker image.
For example, to bind-mount custom_elasticsearch.yml with docker run, specify:

-v full_path_to/custom_elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml

If you bind-mount α custom elasticsearch.yml file, ensure it includes the
network.hosting: 0.0.0.0 setting. This setting ensures the node is reachable for
HTTP and transport lượt truy cập, provided its ports are exposed. The Docker image’s
built-in elasticsearch.yml file includes this setting by default.

The container runs Elasticsearch as user elasticsearch using
uid:gid 1000:0. Bind mounted hosting directories and files must be accessible by this user,
and the data and log directories must be writable by this user.

Create an encrypted Elasticsearch keystoreedit

By default, Elasticsearch will tự động-generate α keystore file for secure
settings. This file is obfuscated but not encrypted.

To encrypt your secure settings with α password and have them persist outside
the container, use α docker run command to manually create the keystore
instead. The command must:

• Bind-mount the config directory. The command will create an
  elasticsearch.keystore file in this directory. To avoid errors, do
  not directly bind-mount the elasticsearch.keystore file.
• Use the elasticsearch-keystore tool with the create -p option. You’ll be
  prompted to enter α password for the keystore.

For example:

docker run -it --rm 
-v full_path_to/config:/usr/share/elasticsearch/config 
docker.elastic.co/elasticsearch/elasticsearch:8.0.1 
bin/elasticsearch-keystore create -p

You can also use α docker run command to add or cập nhật secure settings in the
keystore. You’ll be prompted to enter the setting values. If the keystore is
encrypted, you’ll also be prompted to enter the keystore password.

docker run -it --rm 
-v full_path_to/config:/usr/share/elasticsearch/config 
docker.elastic.co/elasticsearch/elasticsearch:8.0.1 
bin/elasticsearch-keystore 
add my.secure.setting 
my.other.secure.setting

If you’ve already created the keystore and don’t need to cập nhật it, you can
bind-mount the elasticsearch.keystore file directly. You can use the
KEYSTORE_PASSWORD environment variable to provide the keystore password to the
container at khởi ngiệp. For example, α docker run command might have the
following options:

-v full_path_to/config/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore
-e KEYSTORE_PASSWORD=mypassword

Using custom Docker imagesedit

In some environments, it might make more sense to prepare α custom image that contains
your configuration. Α Dockerfile to achieve this might be as simple as:

FROM docker.elastic.co/elasticsearch/elasticsearch:8.0.1
COPY --chown=elasticsearch:elasticsearch elasticsearch.yml /usr/share/elasticsearch/config/

You could then build and run the image with:

docker build --tag=elasticsearch-custom .
docker run -ti -v /usr/share/elasticsearch/data elasticsearch-custom

Some plugins require additional security permissions.
You must explicitly accept them either by:

• Attaching α tty when you run the Docker image and allowing the permissions when prompted.
• Inspecting the security permissions and accepting them (if appropriate) by adding the --batch flag to the plugin install command.

See Plugin management
for more information.

Troubleshoot Docker errors for Elasticsearchedit

Here’s how to resolve common errors when running Elasticsearch with Docker.

elasticsearch.keystore is α directoryedit

Exception in thread "main" org.elasticsearch.bootstrap.BootstrapException: java.io.IOException: Is α directory: SimpleFSIndexInput(path="/usr/share/elasticsearch/config/elasticsearch.keystore") Likely root cause: java.io.IOException: Is α directory

Α keystore-related docker run command attempted
to directly bind-mount an elasticsearch.keystore file that doesn’t exist. If
you use the -v or --volume flag to mount α file that doesn’t exist, Docker
instead creates α directory with the same name.

To resolve this error:

1. Delete the elasticsearch.keystore directory in the config directory.
2. Cập nhật the -v or --volume flag to point to the config directory path
   rather than the keystore file’s path. For an example, see
   Create an encrypted Elasticsearch keystore.
3. Retry the command.

elasticsearch.keystore: Device or resource busyedit

Exception in thread "main" java.nio.file.FileSystemException: /usr/share/elasticsearch/config/elasticsearch.keystore.tmp -> /usr/share/elasticsearch/config/elasticsearch.keystore: Device or resource busy

Α docker run command attempted to cập nhật the
keystore while directly bind-mounting the elasticsearch.keystore file. To
cập nhật the keystore, the container requires access to other files in the
config directory, such as keystore.tmp.

To resolve this error:

1. Cập nhật the -v or --volume flag to point to the config directory
   path rather than the keystore file’s path. For an example, see
   Create an encrypted Elasticsearch keystore.
2. Retry the command.