Elasticsearch container exists with no logs

aysala · October 17, 2018, 1:53am

Hello Experts

I'm working on setting up ELK stack on docker swarm. I'm trying to configure the official elastic search image with the ssl certs. The containers are failing with no logs. Can someone suggest what is wrong here?

Dockerfile:

FROM docker.elastic.co/elasticsearch/elasticsearch:6.4.2

# General environment values
ENV VAULT_VERSION=0.9.0 \
    CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates     


# Install vault

RUN curl -L "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" -o /tmp/vault.zip && \
    unzip /tmp/vault.zip -d /usr/local/bin && \
    rm -f /tmp/vault.zip

# Create directory for ssl certs

COPY ./entrypoint.sh /opt/entrypoint.sh 

RUN chmod 775 /opt/entrypoint.sh

USER elasticsearch

RUN mkdir -p /usr/share/elasticsearch/config/x-pack \
    mkdir -p /usr/share/elasticsearch/config/x-pack/certificates \
    mkdir -p $CERTS_DIR/ca \
    mkdir -p $CERTS_DIR/master \
    mkdir -p $CERTS_DIR/data \
    mkdir -p $CERTS_DIR/coordinator
    
RUN touch $CERTS_DIR/ca/ca.crt \
    touch $CERTS_DIR/master/master1.crt \
    touch $CERTS_DIR/master/master1.key \
    touch $CERTS_DIR/data/data1.key \
    touch $CERTS_DIR/data/data1.crt
    
    
USER root 

RUN chmod 600 $CERTS_DIR/ca/*
    
RUN chmod 600 $CERTS_DIR/master/*

RUN chmod 600 $CERTS_DIR/data/*

RUN chown -R elasticsearch:root $CERTS_DIR/*
        
USER elasticsearch

ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

CMD ["/opt/entrypoint.sh"]

entrypoint.sh

#!/bin/sh

if [ -s $TOKEN_PATH ]; then
   TOKEN=$( cat $TOKEN_PATH )
   
   if [ -n "${TOKEN}" ]; then
     vault auth -method=github token=$TOKEN   
     vault read -field=ca.crt $VAULT_APPLICATION_PATH > $CERTS_DIR/ca/ca.crt
     vault read -field=data1.crt $VAULT_APPLICATION_PATH > $CERTS_DIR/data/data1.crt
     vault read -field=data1.key $VAULT_APPLICATION_PATH > $CERTS_DIR/data/data1.key
     vault read -field=master1.key $VAULT_APPLICATION_PATH > $CERTS_DIR/master/master1.key
     vault read -field=master1.crt $VAULT_APPLICATION_PATH > $CERTS_DIR/master/master1.crt
   fi
   
fi

docker-compose.yml

version: '3.3'

services:
  master1:
image: <Image:tag>
environment:
  - cluster.name=elastic-cluster
  - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
  - CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates
  - "ES_JAVA_OPTS=-Xms1000m -Xmx1000m"
  - node.name=master-1-node
  - discovery.zen.minimum_master_nodes=1
  - xpack.license.self_generated.type=trial
  - xpack.security.enabled=true
  - xpack.security.http.ssl.enabled=true
  - xpack.security.transport.ssl.enabled=true
  - xpack.security.transport.ssl.verification_mode=certificate
  - xpack.ssl.certificate_authorities=/usr/share/elasticsearch/config/x-pack/certificates/ca/ca.crt
  - xpack.ssl.certificate=/usr/share/elasticsearch/config/x-pack/certificates/master/master1.crt
  - xpack.ssl.key=/usr/share/elasticsearch/config/x-pack/certificates/master/master1.key
  - VAULT_AUTH_DEFAULT=GITHUB           
  - VAULT_ADDR=$Vault_addr
  - VAULT_APPLICATION_PATH=$Vault_app_path
  - TOKEN_PATH=$Token_Path
  - VAULT_SKIP_VERIFY=1
ulimits:
  memlock:
    soft: -1
    hard: -1
  nofile:
    soft: 65536
    hard: 65536
volumes:
  - esmaster1:/usr/share/elasticsearch/master1
secrets:
  - source: vault-token
    target: token
    uid: '1000'
    mode: 0400    
ports:
  - 9200:9200
  - 9300:9300
networks:
  - docker_net

  data1:
image: <Image:tag>
environment:
  - cluster.name=elastic-cluster
  - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
  - CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates
  - "ES_JAVA_OPTS=-Xms1000m -Xmx1000m"
  - node.name=data-1-node
  - discovery.zen.minimum_master_nodes=1
  - xpack.license.self_generated.type=trial
  - xpack.security.enabled=true
  - xpack.security.http.ssl.enabled=true
  - xpack.security.transport.ssl.enabled=true
  - xpack.security.transport.ssl.verification_mode=certificate
  - xpack.ssl.certificate_authorities=/usr/share/elasticsearch/config/x-pack/certificates/ca/ca.crt
  - xpack.ssl.certificate=/usr/share/elasticsearch/config/x-pack/certificates/data/data1.crt
  - xpack.ssl.key=/usr/share/elasticsearch/config/x-pack/certificates/data/data1.key
  - VAULT_AUTH_DEFAULT=GITHUB           
  - VAULT_ADDR=$Vault_addr
  - VAULT_APPLICATION_PATH=$Vault_app_path
  - TOKEN_PATH=$Token_Path
  - VAULT_SKIP_VERIFY=1
volumes:
  - esdata1:/usr/share/elasticsearch/data1
secrets:
  - source: vault-token
    target: token
    uid: '1000'
    mode: 0400     
ports:
  - 9211:9200
  - 9311:9300
networks:
  - docker_net 
  
volumes:
  esmaster1:
driver: local
  esdata1:
driver: local

networks:
  docker_net:
driver: overlay

secrets:
  vault-token:
external: true

Thanks!

jarpy · October 18, 2018, 1:58am

Is there really no output at all? Even from Compose?

Did your docker-compose.yml get pasted correctly in the forum? Some of the indentation looks wrong:

volumes:
  esmaster1:
driver: local
  esdata1:
driver: local

system · November 15, 2018, 2:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
I can't find logs on elasticsearch Elasticsearch	9	315	September 28, 2022
Elastic Kibana TLS/SSL fails on Docker Swarm Elasticsearch elastic-stack-security , docker	5	1204	June 26, 2020
Trying to deploy elk as a docker service with certificate Elasticsearch docker	1	641	January 24, 2022
Kibana TLS/SSL fails on Docker Swarm Elasticsearch	1	526	June 19, 2020
SSL error in docker container Elasticsearch elastic-stack-security , docker	1	750	December 18, 2023

Elasticsearch container exists with no logs

Related topics