Elasticsearch container exists with no logs


#1

Hello Experts

I'm working on setting up ELK stack on docker swarm. I'm trying to configure the official elastic search image with the ssl certs. The containers are failing with no logs. Can someone suggest what is wrong here?

Dockerfile:

FROM docker.elastic.co/elasticsearch/elasticsearch:6.4.2

# General environment values
ENV VAULT_VERSION=0.9.0 \
    CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates     


# Install vault

RUN curl -L "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" -o /tmp/vault.zip && \
    unzip /tmp/vault.zip -d /usr/local/bin && \
    rm -f /tmp/vault.zip

# Create directory for ssl certs

COPY ./entrypoint.sh /opt/entrypoint.sh 

RUN chmod 775 /opt/entrypoint.sh

USER elasticsearch

RUN mkdir -p /usr/share/elasticsearch/config/x-pack \
    mkdir -p /usr/share/elasticsearch/config/x-pack/certificates \
    mkdir -p $CERTS_DIR/ca \
    mkdir -p $CERTS_DIR/master \
    mkdir -p $CERTS_DIR/data \
    mkdir -p $CERTS_DIR/coordinator
    
RUN touch $CERTS_DIR/ca/ca.crt \
    touch $CERTS_DIR/master/master1.crt \
    touch $CERTS_DIR/master/master1.key \
    touch $CERTS_DIR/data/data1.key \
    touch $CERTS_DIR/data/data1.crt
    
    
USER root 

RUN chmod 600 $CERTS_DIR/ca/*
    
RUN chmod 600 $CERTS_DIR/master/*

RUN chmod 600 $CERTS_DIR/data/*

RUN chown -R elasticsearch:root $CERTS_DIR/*
        
USER elasticsearch

ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

CMD ["/opt/entrypoint.sh"]

entrypoint.sh

#!/bin/sh

if [ -s $TOKEN_PATH ]; then
   TOKEN=$( cat $TOKEN_PATH )
   
   if [ -n "${TOKEN}" ]; then
     vault auth -method=github token=$TOKEN   
     vault read -field=ca.crt $VAULT_APPLICATION_PATH > $CERTS_DIR/ca/ca.crt
     vault read -field=data1.crt $VAULT_APPLICATION_PATH > $CERTS_DIR/data/data1.crt
     vault read -field=data1.key $VAULT_APPLICATION_PATH > $CERTS_DIR/data/data1.key
     vault read -field=master1.key $VAULT_APPLICATION_PATH > $CERTS_DIR/master/master1.key
     vault read -field=master1.crt $VAULT_APPLICATION_PATH > $CERTS_DIR/master/master1.crt
   fi
   
fi

docker-compose.yml

version: '3.3'

services:
  master1:
image: <Image:tag>
environment:
  - cluster.name=elastic-cluster
  - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
  - CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates
  - "ES_JAVA_OPTS=-Xms1000m -Xmx1000m"
  - node.name=master-1-node
  - discovery.zen.minimum_master_nodes=1
  - xpack.license.self_generated.type=trial
  - xpack.security.enabled=true
  - xpack.security.http.ssl.enabled=true
  - xpack.security.transport.ssl.enabled=true
  - xpack.security.transport.ssl.verification_mode=certificate
  - xpack.ssl.certificate_authorities=/usr/share/elasticsearch/config/x-pack/certificates/ca/ca.crt
  - xpack.ssl.certificate=/usr/share/elasticsearch/config/x-pack/certificates/master/master1.crt
  - xpack.ssl.key=/usr/share/elasticsearch/config/x-pack/certificates/master/master1.key
  - VAULT_AUTH_DEFAULT=GITHUB           
  - VAULT_ADDR=$Vault_addr
  - VAULT_APPLICATION_PATH=$Vault_app_path
  - TOKEN_PATH=$Token_Path
  - VAULT_SKIP_VERIFY=1
ulimits:
  memlock:
    soft: -1
    hard: -1
  nofile:
    soft: 65536
    hard: 65536
volumes:
  - esmaster1:/usr/share/elasticsearch/master1
secrets:
  - source: vault-token
    target: token
    uid: '1000'
    mode: 0400    
ports:
  - 9200:9200
  - 9300:9300
networks:
  - docker_net

  data1:
image: <Image:tag>
environment:
  - cluster.name=elastic-cluster
  - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
  - CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates
  - "ES_JAVA_OPTS=-Xms1000m -Xmx1000m"
  - node.name=data-1-node
  - discovery.zen.minimum_master_nodes=1
  - xpack.license.self_generated.type=trial
  - xpack.security.enabled=true
  - xpack.security.http.ssl.enabled=true
  - xpack.security.transport.ssl.enabled=true
  - xpack.security.transport.ssl.verification_mode=certificate
  - xpack.ssl.certificate_authorities=/usr/share/elasticsearch/config/x-pack/certificates/ca/ca.crt
  - xpack.ssl.certificate=/usr/share/elasticsearch/config/x-pack/certificates/data/data1.crt
  - xpack.ssl.key=/usr/share/elasticsearch/config/x-pack/certificates/data/data1.key
  - VAULT_AUTH_DEFAULT=GITHUB           
  - VAULT_ADDR=$Vault_addr
  - VAULT_APPLICATION_PATH=$Vault_app_path
  - TOKEN_PATH=$Token_Path
  - VAULT_SKIP_VERIFY=1
volumes:
  - esdata1:/usr/share/elasticsearch/data1
secrets:
  - source: vault-token
    target: token
    uid: '1000'
    mode: 0400     
ports:
  - 9211:9200
  - 9311:9300
networks:
  - docker_net 
  
volumes:
  esmaster1:
driver: local
  esdata1:
driver: local

networks:
  docker_net:
driver: overlay

secrets:
  vault-token:
external: true

Thanks!


(Toby McLaughlin) #2

Is there really no output at all? Even from Compose?

Did your docker-compose.yml get pasted correctly in the forum? Some of the indentation looks wrong:

volumes:
  esmaster1:
driver: local
  esdata1:
driver: local

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.