Kibana 6.3.2 Docker-Compose SSL


(gatekeeper) #1

Hi there,
I am just trying to set up an ELK stack for our application, to centralize the logs produced by the services involved. I first tried to set up the ELK stack in our internal network to get familiar with it, and it worked fine. Now I am trying to set up the elasticsearch service and the kibana service on an external server. I know that it's not recommended to run these services on the same server, but I am not at the stage to set up a cluster. To delegate the services to other machines (webnodes) we will use Kubernetes or some similar tool later on. So to prepare for that, I am trying to delegate my services with a docker-compose.yml file. To connect to kibana I will have to use https, and I am trying to set up SSL for kibana via the docker-compose.yml.

My compose-file looks like this:
//
version: '3.6'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.3.2
    container_name: elasticsearch
    environment:
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - esdata1:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
    networks:
      - esnet
  elasticsearch2:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.3.2
    container_name: elasticsearch2
    environment:
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - esdata2:/usr/share/elasticsearch/data
    networks:
      - esnet
  kibana:
    image: docker.elastic.co/kibana/kibana:6.3.2
    container_name: kibana
    secrets:
      - source: my.crt
        target: /usr/share/kibana/config/kibana.crt
      - source: my.key
        target: /usr/share/kibana/config/certs/kibana.key
      - source: kibana.yml
        target: /usr/share/kibana/config/kibana.yml
    ports: ['5601:5601']
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - esnet
    depends_on:
      - elasticsearch
      - elasticsearch2

volumes:
  esdata1:
    driver: local
  esdata2:
    driver: local

networks:
  esnet:

secrets:
  kibana.yml:
    file: /home/myuser/elkstack_compose/kibana.yml
  my.crt:
    file: /home/myuser/elkstack_compose/my.crt
  my.key:
    file: /home/myuser/elkstack_compose/my.key
//

My kibana.yml looks like this:

//
# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: "0"
elasticsearch.url: http://elasticsearch:9200
xpack.monitoring.ui.container.elasticsearch.enabled: true

server.ssl.enabled: true
server.ssl.key: "/usr/share/kibana/config/kibana.key"
server.ssl.certificate: "/usr/share/kibana/config/kibana.crt"
//

When I start up my docker stack I get the following error message:

//
ide=/, -Xms512m, -Xmx512m, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/usr/share/elasticsearch/config, -Des.distribution.flavor=default, -Des.distribution.type=tar]
kibana | FATAL { Error: ENOENT: no such file or directory, open '/usr/share/kibana/config/kibana.key'
kibana | at Object.fs.openSync (fs.js:646:18)
kibana | at fs.readFileSync (fs.js:551:33)
kibana | at setupConnection (/usr/share/kibana/src/server/http/setup_connection.js:56:33)
kibana | at KbnServer.exports.default (/usr/share/kibana/src/server/http/index.js:54:41)
kibana | at KbnServer.mixin (/usr/share/kibana/src/server/kbn_server.js:136:16)
kibana | at
kibana | at process._tickCallback (internal/process/next_tick.js:188:7)
kibana | at Function.Module.runMain (module.js:695:11)
kibana | at startup (bootstrap_node.js:191:16)
kibana | at bootstrap_node.js:612:3
kibana | errno: -2,
kibana | code: 'ENOENT',
kibana | syscall: 'open',
kibana | path: '/usr/share/kibana/config/kibana.key' }
kibana exited with code 1
//

Does anybody have an idea what I am doing wrong? Any help would be welcome :)


(Bhavya R M) #2

@jbudz/@jarpy can one of you please get this question?

Thanks,
Bhavya


(Jon Budzenski) #3

I haven't had a chance to use docker secrets yet, so I'm somewhat eyeballing the config here.

The kibana error is either saying we can't find the file or don't have permissions for the file. The kibana image runs as uid 1000, gid 0, username kibana. I'd try and hop in the container and make sure this file is there with the proper permissions/owner.
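
Added example, not written by any poster in this thread: a small Python check that compares the `server.ssl.*` paths in kibana.yml against the secret `target` paths in the compose file, the "file not there" half of the diagnosis above. The function names are hypothetical, and the two sample strings are constructed from the relevant lines of the files posted in #1.

```python
import re

# Constructed sample: the kibana service's secrets from the posted compose file.
COMPOSE_KIBANA_SECRETS = """\
    secrets:
      - source: my.crt
        target: /usr/share/kibana/config/kibana.crt
      - source: my.key
        target: /usr/share/kibana/config/certs/kibana.key
      - source: kibana.yml
        target: /usr/share/kibana/config/kibana.yml
"""

# Constructed sample: the SSL settings from the posted kibana.yml.
KIBANA_YML = """\
server.ssl.enabled: true
server.ssl.key: "/usr/share/kibana/config/kibana.key"
server.ssl.certificate: "/usr/share/kibana/config/kibana.crt"
"""

def secret_targets(compose_text):
    """Return {source: target} for long-syntax secret entries."""
    return dict(re.findall(r"source:\s*(\S+)\s+target:\s*(\S+)", compose_text))

def ssl_paths(kibana_yml_text):
    """Return {setting: path} for server.ssl.key and server.ssl.certificate."""
    pattern = r"^(server\.ssl\.(?:key|certificate)):\s*[\"']?([^\"'\s#]+)"
    return dict(re.findall(pattern, kibana_yml_text, re.M))

def unmounted_ssl_paths(compose_text, kibana_yml_text):
    """List (setting, configured_path, hint) for paths no secret is mounted at.

    hint is a secret target with the same file name in another directory,
    or None when nothing similar is mounted.
    """
    targets = sorted(set(secret_targets(compose_text).values()))
    problems = []
    for setting, path in sorted(ssl_paths(kibana_yml_text).items()):
        if path in targets:
            continue
        name = path.rsplit("/", 1)[-1]
        hint = next((t for t in targets if t.rsplit("/", 1)[-1] == name), None)
        problems.append((setting, path, hint))
    return problems

if __name__ == "__main__":
    for setting, path, hint in unmounted_ssl_paths(COMPOSE_KIBANA_SECRETS, KIBANA_YML):
        print(f"{setting} -> {path} is not a secret target; mounted at: {hint}")
```

This only compares paths; whether uid 1000 / gid 0 can read the mounted key still has to be checked inside the container, as suggested in #3.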

