Hello Experts
I'm working on setting up ELK stack on docker swarm. I'm trying to configure the official elastic search image with the ssl certs. The containers are failing with no logs. Can someone suggest what is wrong here?
Dockerfile:
FROM docker.elastic.co/elasticsearch/elasticsearch:6.4.2
# General environment values
ENV VAULT_VERSION=0.9.0 \
CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates
# Install vault
RUN curl -L "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" -o /tmp/vault.zip && \
unzip /tmp/vault.zip -d /usr/local/bin && \
rm -f /tmp/vault.zip
# Create directory for ssl certs
COPY ./entrypoint.sh /opt/entrypoint.sh
RUN chmod 775 /opt/entrypoint.sh
USER elasticsearch
RUN mkdir -p /usr/share/elasticsearch/config/x-pack \
mkdir -p /usr/share/elasticsearch/config/x-pack/certificates \
mkdir -p $CERTS_DIR/ca \
mkdir -p $CERTS_DIR/master \
mkdir -p $CERTS_DIR/data \
mkdir -p $CERTS_DIR/coordinator
RUN touch $CERTS_DIR/ca/ca.crt \
touch $CERTS_DIR/master/master1.crt \
touch $CERTS_DIR/master/master1.key \
touch $CERTS_DIR/data/data1.key \
touch $CERTS_DIR/data/data1.crt
USER root
RUN chmod 600 $CERTS_DIR/ca/*
RUN chmod 600 $CERTS_DIR/master/*
RUN chmod 600 $CERTS_DIR/data/*
RUN chown -R elasticsearch:root $CERTS_DIR/*
USER elasticsearch
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
CMD ["/opt/entrypoint.sh"]
entrypoint.sh
#!/bin/sh
if [ -s $TOKEN_PATH ]; then
TOKEN=$( cat $TOKEN_PATH )
if [ -n "${TOKEN}" ]; then
vault auth -method=github token=$TOKEN
vault read -field=ca.crt $VAULT_APPLICATION_PATH > $CERTS_DIR/ca/ca.crt
vault read -field=data1.crt $VAULT_APPLICATION_PATH > $CERTS_DIR/data/data1.crt
vault read -field=data1.key $VAULT_APPLICATION_PATH > $CERTS_DIR/data/data1.key
vault read -field=master1.key $VAULT_APPLICATION_PATH > $CERTS_DIR/master/master1.key
vault read -field=master1.crt $VAULT_APPLICATION_PATH > $CERTS_DIR/master/master1.crt
fi
fi
docker-compose.yml
version: '3.3'
services:
master1:
image: <Image:tag>
environment:
- cluster.name=elastic-cluster
- ELASTIC_PASSWORD=$ELASTIC_PASSWORD
- CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates
- "ES_JAVA_OPTS=-Xms1000m -Xmx1000m"
- node.name=master-1-node
- discovery.zen.minimum_master_nodes=1
- xpack.license.self_generated.type=trial
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.ssl.certificate_authorities=/usr/share/elasticsearch/config/x-pack/certificates/ca/ca.crt
- xpack.ssl.certificate=/usr/share/elasticsearch/config/x-pack/certificates/master/master1.crt
- xpack.ssl.key=/usr/share/elasticsearch/config/x-pack/certificates/master/master1.key
- VAULT_AUTH_DEFAULT=GITHUB
- VAULT_ADDR=$Vault_addr
- VAULT_APPLICATION_PATH=$Vault_app_path
- TOKEN_PATH=$Token_Path
- VAULT_SKIP_VERIFY=1
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- esmaster1:/usr/share/elasticsearch/master1
secrets:
- source: vault-token
target: token
uid: '1000'
mode: 0400
ports:
- 9200:9200
- 9300:9300
networks:
- docker_net
data1:
image: <Image:tag>
environment:
- cluster.name=elastic-cluster
- ELASTIC_PASSWORD=$ELASTIC_PASSWORD
- CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates
- "ES_JAVA_OPTS=-Xms1000m -Xmx1000m"
- node.name=data-1-node
- discovery.zen.minimum_master_nodes=1
- xpack.license.self_generated.type=trial
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.ssl.certificate_authorities=/usr/share/elasticsearch/config/x-pack/certificates/ca/ca.crt
- xpack.ssl.certificate=/usr/share/elasticsearch/config/x-pack/certificates/data/data1.crt
- xpack.ssl.key=/usr/share/elasticsearch/config/x-pack/certificates/data/data1.key
- VAULT_AUTH_DEFAULT=GITHUB
- VAULT_ADDR=$Vault_addr
- VAULT_APPLICATION_PATH=$Vault_app_path
- TOKEN_PATH=$Token_Path
- VAULT_SKIP_VERIFY=1
volumes:
- esdata1:/usr/share/elasticsearch/data1
secrets:
- source: vault-token
target: token
uid: '1000'
mode: 0400
ports:
- 9211:9200
- 9311:9300
networks:
- docker_net
volumes:
esmaster1:
driver: local
esdata1:
driver: local
networks:
docker_net:
driver: overlay
secrets:
vault-token:
external: true
Thanks!