Loading deploy/.env +30 −5 Original line number Diff line number Diff line ES_CLUSTER_INITIAL_MASTER_NODES=es-node1,es-node2,es-node3 ES_DISCOVERY_SEED_HOSTS=elasticsearch # common IMAGE_NAME=docker.elastic.co/elasticsearch/elasticsearch IMAGE_TAG=latest HOSTNAME_PREFIX=es ELASTIC_PASSWORD=changeme # paths ES_PATH_DATA=/usr/share/elasticsearch/data ES_CONFIG_PATH=/usr/share/elasticsearch/config ES_CERT_PATH=/usr/share/elasticsearch/cert # clustering ES_CLUSTER_INITIAL_MASTER_NODES=es-node1,es-node2,es-node3 ES_DISCOVERY_SEED_HOSTS=elasticsearch ES_BOOTSTRAP_MEMORY_LOCK=true # security ES_XPACK_SECURITY_ENABLED=true ES_XPACK_SECURITY_HTTP_SSL_ENABLED=true ES_XPACK_SECURITY_HTTP_SSL_CLIENT_AUTHENTICATION=optional ES_XPACK_SECURITY_HTTP_SSL_VERIFICATION_MODE=full ES_XPACK_SECURITY_TRANSPORT_SSL_ENABLED=true ES_XPACK_SECURITY_TRANSPORT_SSL_CLIENT_AUTHENTICATION=required ES_XPACK_SECURITY_TRANSPORT_SSL_VERIFICATION_MODE=full HOSTNAME_PREFIX=es ELASTIC_PASSWORD=changeme # machine-learning ES_XPACK_ML_USE_AUTO_MACHINE_MEMORY_PERCENT=true # certs SSL_KEY_FILENAME=node.key SSL_CERT_FILENAME=node.crt SSL_CA_KEY_FILEPATH=ca/ca.key SSL_CA_CERT_FILEPATH=ca/ca.crt # volumes DATA_VOL_NAME=elasticsearch-data-vol CONF_VOL_NAME=elasticsearch-conf-vol CERT_VOL_NAME=elasticsearch-cert-vol DEV_VOL_DRIVER=local PRO_VOL_DRIVER=cloudstor:aws deploy/compose.dev.yaml +8 −0 Original line number Diff line number Diff line Loading @@ -20,3 +20,11 @@ volumes: conf-vol: name: ${CONF_VOL_NAME}-{{.Node.Hostname}} driver: ${DEV_VOL_DRIVER} cert-vol: name: ${CERT_VOL_NAME} driver: ${DEV_VOL_DRIVER} driver_opts: type: ${VOL_TYPE:-nfs} o: addr=${VOL_ADDR:-127.0.0.1},vers=${VOL_VERS:-4.2},${VOL_OPTS:-nolock,noacl,noatime,nodiratime} device: :${VOL_DEVICE_PREFIX}${CERT_VOL_DEVICE:-/elasticsearch-cert-vol/} deploy/compose.prod.yaml +6 −0 Original line number Diff line number Diff line Loading 
@@ -31,3 +31,9 @@ volumes: driver_opts: backing: shared perfmode: maxio cert-vol: name: ${CERT_VOL_NAME} driver: ${PRO_VOL_DRIVER} driver_opts: backing: shared deploy/compose.tmpl.yaml +77 −4 Original line number Diff line number Diff line services: elasticsearch: image: ${IMAGE_NAME:-docker.elastic.co/elasticsearch/elasticsearch}:${IMAGE_TAG:-latest} image: ${IMAGE_NAME}:${IMAGE_TAG} hostname: ${HOSTNAME_PREFIX}-{{.Node.Hostname}} environment: node.name: ${HOSTNAME_PREFIX}-{{.Node.Hostname}} path.data: ${ES_PATH_DATA} bootstrap.memory_lock: ${ES_BOOTSTRAP_MEMORY_LOCK} xpack.security.enabled: ${ES_XPACK_SECURITY_ENABLED} node.name: ${HOSTNAME_PREFIX}-{{.Node.Hostname}} cluster.initial_master_nodes: ${ES_CLUSTER_INITIAL_MASTER_NODES} discovery.seed_hosts: ${ES_DISCOVERY_SEED_HOSTS} ELASTIC_PASSWORD: bootstrap.memory_lock: ${ES_BOOTSTRAP_MEMORY_LOCK} xpack.security.enabled: ${ES_XPACK_SECURITY_ENABLED} xpack.security.http.ssl.enabled: ${ES_XPACK_SECURITY_HTTP_SSL_ENABLED} xpack.security.http.ssl.client_authentication: ${ES_XPACK_SECURITY_HTTP_SSL_CLIENT_AUTHENTICATION} xpack.security.http.ssl.verification_mode: ${ES_XPACK_SECURITY_HTTP_SSL_VERIFICATION_MODE} xpack.security.http.ssl.key: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_KEY_FILENAME} xpack.security.http.ssl.certificate: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_CERT_FILENAME} xpack.security.http.ssl.certificate_authorities: ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH} xpack.security.transport.ssl.enabled: ${ES_XPACK_SECURITY_TRANSPORT_SSL_ENABLED} xpack.security.transport.ssl.client_authentication: ${ES_XPACK_SECURITY_TRANSPORT_SSL_CLIENT_AUTHENTICATION} xpack.security.transport.ssl.verification_mode: ${ES_XPACK_SECURITY_TRANSPORT_SSL_VERIFICATION_MODE} xpack.security.transport.ssl.key: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_KEY_FILENAME} xpack.security.transport.ssl.certificate: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_CERT_FILENAME} 
xpack.security.transport.ssl.certificate_authorities: ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH} xpack.ml.use_auto_machine_memory_percent: ${ES_XPACK_ML_USE_AUTO_MACHINE_MEMORY_PERCENT} S3_ACCESS_KEY: S3_SECRET_KEY: networks: Loading @@ -18,6 +31,7 @@ services: volumes: - data-vol:${ES_PATH_DATA} - conf-vol:${ES_CONFIG_PATH} - cert-vol:${ES_CERT_PATH} ulimits: memlock: soft: -1 Loading 
@@ -39,6 +53,65 @@ services: update_config: delay: ${UPDATE_DELAY:-5m} es-cert-setup: image: ${IMAGE_NAME}:${IMAGE_TAG} user: "0" command: > bash -c ' if [ ! -f ${ES_CERT_PATH}/ca.zip ] then echo "Creating CA"; bin/elasticsearch-certutil ca --silent --pem -out ${ES_CERT_PATH}/ca.zip; unzip ${ES_CERT_PATH}/ca.zip -d ${ES_CERT_PATH}; else echo "Found previous CA, omitting creation"; fi; if [ ! -f ${ES_CERT_PATH}/certs.zip ] then echo "Creating certs"; echo -ne "instances:\n" > ${ES_CERT_PATH}/instances.yml; for nodeName in $$(echo "${ES_CLUSTER_NODES:-${ES_CLUSTER_INITIAL_MASTER_NODES}}" | sed "s/,/ /g") do echo " $${nodeName}"; echo -ne \ " - name: $${nodeName}\n"\ " dns:\n"\ " - $${nodeName}\n"\ " - localhost\n"\ " ip:\n"\ " - 127.0.0.1\n"\ >> ${ES_CERT_PATH}/instances.yml; done; bin/elasticsearch-certutil cert --silent --pem --name node \ --out ${ES_CERT_PATH}/certs.zip --in ${ES_CERT_PATH}/instances.yml \ --ca-cert ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH} --ca-key ${ES_CERT_PATH}/${SSL_CA_KEY_FILEPATH}; unzip ${ES_CERT_PATH}/certs.zip -d ${ES_CERT_PATH}; else echo "Found previous certs, omitting creation"; fi; echo "Setting file permissions" chown -R root:root ${ES_CERT_PATH}; find ${ES_CERT_PATH} -type d -exec chmod 750 \{\} \;; find ${ES_CERT_PATH} -type f -exec chmod 640 \{\} \;; echo "All done!"; ' networks: elastic-net: volumes: - cert-vol:${ES_CERT_PATH} deploy: mode: replicated replicas: 1 restart_policy: condition: on-failure resources: limits: cpus: '0.5' memory: 16M reservations: cpus: '0.001' memory: 8M networks: elastic-net: name: ${ELASTIC_NET_NAME:-elastic-net} Loading Loading
deploy/.env +30 −5 Original line number Diff line number Diff line ES_CLUSTER_INITIAL_MASTER_NODES=es-node1,es-node2,es-node3 ES_DISCOVERY_SEED_HOSTS=elasticsearch # common IMAGE_NAME=docker.elastic.co/elasticsearch/elasticsearch IMAGE_TAG=latest HOSTNAME_PREFIX=es ELASTIC_PASSWORD=changeme # paths ES_PATH_DATA=/usr/share/elasticsearch/data ES_CONFIG_PATH=/usr/share/elasticsearch/config ES_CERT_PATH=/usr/share/elasticsearch/cert # clustering ES_CLUSTER_INITIAL_MASTER_NODES=es-node1,es-node2,es-node3 ES_DISCOVERY_SEED_HOSTS=elasticsearch ES_BOOTSTRAP_MEMORY_LOCK=true # security ES_XPACK_SECURITY_ENABLED=true ES_XPACK_SECURITY_HTTP_SSL_ENABLED=true ES_XPACK_SECURITY_HTTP_SSL_CLIENT_AUTHENTICATION=optional ES_XPACK_SECURITY_HTTP_SSL_VERIFICATION_MODE=full ES_XPACK_SECURITY_TRANSPORT_SSL_ENABLED=true ES_XPACK_SECURITY_TRANSPORT_SSL_CLIENT_AUTHENTICATION=required ES_XPACK_SECURITY_TRANSPORT_SSL_VERIFICATION_MODE=full HOSTNAME_PREFIX=es ELASTIC_PASSWORD=changeme # machine-learning ES_XPACK_ML_USE_AUTO_MACHINE_MEMORY_PERCENT=true # certs SSL_KEY_FILENAME=node.key SSL_CERT_FILENAME=node.crt SSL_CA_KEY_FILEPATH=ca/ca.key SSL_CA_CERT_FILEPATH=ca/ca.crt # volumes DATA_VOL_NAME=elasticsearch-data-vol CONF_VOL_NAME=elasticsearch-conf-vol CERT_VOL_NAME=elasticsearch-cert-vol DEV_VOL_DRIVER=local PRO_VOL_DRIVER=cloudstor:aws
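Review bot: The new `# common` block still commits `ELASTIC_PASSWORD=changeme`, and with `ES_XPACK_SECURITY_HTTP_SSL_CLIENT_AUTHENTICATION=optional` the HTTP API is still gated by that password alone once TLS is on. Anyone who can read the repository knows the superuser credential of a stack deployed from this file unchanged. I would leave the value empty here, with a comment such as `# ELASTIC_PASSWORD: supply at deploy time, never commit a real value`, and let the bare `ELASTIC_PASSWORD:` entry in compose.tmpl.yaml pick it up from the deploy environment. Separately, `IMAGE_TAG=latest` is now the only source of the tag because the template dropped its `:-` fallbacks, so pinning a specific version here would keep the root-run cert job and the nodes on a known image.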
deploy/compose.dev.yaml +8 −0 @@ -20,3 +20,11 @@ volumes: conf-vol: name: ${CONF_VOL_NAME}-{{.Node.Hostname}} driver: ${DEV_VOL_DRIVER} cert-vol: name: ${CERT_VOL_NAME} driver: ${DEV_VOL_DRIVER} driver_opts: type: ${VOL_TYPE:-nfs} o: addr=${VOL_ADDR:-127.0.0.1},vers=${VOL_VERS:-4.2},${VOL_OPTS:-nolock,noacl,noatime,nodiratime} device: :${VOL_DEVICE_PREFIX}${CERT_VOL_DEVICE:-/elasticsearch-cert-vol/}
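Review bot: The new `cert-vol` puts the CA private key and every node key on an NFS mount whose default options (`nolock,noacl,noatime,nodiratime`) set no `sec=` flavour. That normally means AUTH_SYS: traffic is unencrypted and access rests on the export's host list and client-asserted UIDs. With the default `addr=127.0.0.1` this stays on the host, but as soon as `VOL_ADDR` is overridden the key material crosses the network in the clear. I would add a comment above the entry, for example `# cert-vol holds ca.key and node keys: keep VOL_ADDR local or add sec=krb5p to VOL_OPTS`, and restrict the export to the swarm nodes. `VOL_DEVICE_PREFIX` also has no `:-` default, unlike the other variables on that line, so an unset value silently yields `:/elasticsearch-cert-vol/`. The `volumes:` block starts outside the hunk.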
deploy/compose.prod.yaml +6 −0 @@ -31,3 +31,9 @@ volumes: driver_opts: backing: shared perfmode: maxio cert-vol: name: ${CERT_VOL_NAME} driver: ${PRO_VOL_DRIVER} driver_opts: backing: shared
deploy/compose.tmpl.yaml +77 −4 Original line number Diff line number Diff line services: elasticsearch: image: ${IMAGE_NAME:-docker.elastic.co/elasticsearch/elasticsearch}:${IMAGE_TAG:-latest} image: ${IMAGE_NAME}:${IMAGE_TAG} hostname: ${HOSTNAME_PREFIX}-{{.Node.Hostname}} environment: node.name: ${HOSTNAME_PREFIX}-{{.Node.Hostname}} path.data: ${ES_PATH_DATA} bootstrap.memory_lock: ${ES_BOOTSTRAP_MEMORY_LOCK} xpack.security.enabled: ${ES_XPACK_SECURITY_ENABLED} node.name: ${HOSTNAME_PREFIX}-{{.Node.Hostname}} cluster.initial_master_nodes: ${ES_CLUSTER_INITIAL_MASTER_NODES} discovery.seed_hosts: ${ES_DISCOVERY_SEED_HOSTS} ELASTIC_PASSWORD: bootstrap.memory_lock: ${ES_BOOTSTRAP_MEMORY_LOCK} xpack.security.enabled: ${ES_XPACK_SECURITY_ENABLED} xpack.security.http.ssl.enabled: ${ES_XPACK_SECURITY_HTTP_SSL_ENABLED} xpack.security.http.ssl.client_authentication: ${ES_XPACK_SECURITY_HTTP_SSL_CLIENT_AUTHENTICATION} xpack.security.http.ssl.verification_mode: ${ES_XPACK_SECURITY_HTTP_SSL_VERIFICATION_MODE} xpack.security.http.ssl.key: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_KEY_FILENAME} xpack.security.http.ssl.certificate: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_CERT_FILENAME} xpack.security.http.ssl.certificate_authorities: ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH} xpack.security.transport.ssl.enabled: ${ES_XPACK_SECURITY_TRANSPORT_SSL_ENABLED} xpack.security.transport.ssl.client_authentication: ${ES_XPACK_SECURITY_TRANSPORT_SSL_CLIENT_AUTHENTICATION} xpack.security.transport.ssl.verification_mode: ${ES_XPACK_SECURITY_TRANSPORT_SSL_VERIFICATION_MODE} xpack.security.transport.ssl.key: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_KEY_FILENAME} xpack.security.transport.ssl.certificate: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_CERT_FILENAME} xpack.security.transport.ssl.certificate_authorities: ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH} xpack.ml.use_auto_machine_memory_percent: 
${ES_XPACK_ML_USE_AUTO_MACHINE_MEMORY_PERCENT} S3_ACCESS_KEY: S3_SECRET_KEY: networks: Loading @@ -18,6 +31,7 @@ services: volumes: - data-vol:${ES_PATH_DATA} - conf-vol:${ES_CONFIG_PATH} - cert-vol:${ES_CERT_PATH} ulimits: memlock: soft: -1 Loading @@ -39,6 +53,65 @@ services: update_config: delay: ${UPDATE_DELAY:-5m} es-cert-setup: image: ${IMAGE_NAME}:${IMAGE_TAG} user: "0" command: > bash -c ' if [ ! -f ${ES_CERT_PATH}/ca.zip ] then echo "Creating CA"; bin/elasticsearch-certutil ca --silent --pem -out ${ES_CERT_PATH}/ca.zip; unzip ${ES_CERT_PATH}/ca.zip -d ${ES_CERT_PATH}; else echo "Found previous CA, omitting creation"; fi; if [ ! -f ${ES_CERT_PATH}/certs.zip ] then echo "Creating certs"; echo -ne "instances:\n" > ${ES_CERT_PATH}/instances.yml; for nodeName in $$(echo "${ES_CLUSTER_NODES:-${ES_CLUSTER_INITIAL_MASTER_NODES}}" | sed "s/,/ /g") do echo " $${nodeName}"; echo -ne \ " - name: $${nodeName}\n"\ " dns:\n"\ " - $${nodeName}\n"\ " - localhost\n"\ " ip:\n"\ " - 127.0.0.1\n"\ >> ${ES_CERT_PATH}/instances.yml; done; bin/elasticsearch-certutil cert --silent --pem --name node \ --out ${ES_CERT_PATH}/certs.zip --in ${ES_CERT_PATH}/instances.yml \ --ca-cert ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH} --ca-key ${ES_CERT_PATH}/${SSL_CA_KEY_FILEPATH}; unzip ${ES_CERT_PATH}/certs.zip -d ${ES_CERT_PATH}; else echo "Found previous certs, omitting creation"; fi; echo "Setting file permissions" chown -R root:root ${ES_CERT_PATH}; find ${ES_CERT_PATH} -type d -exec chmod 750 \{\} \;; find ${ES_CERT_PATH} -type f -exec chmod 640 \{\} \;; echo "All done!"; ' networks: elastic-net: volumes: - cert-vol:${ES_CERT_PATH} deploy: mode: replicated replicas: 1 restart_policy: condition: on-failure resources: limits: cpus: '0.5' memory: 16M reservations: cpus: '0.001' memory: 8M networks: elastic-net: name: ${ELASTIC_NET_NAME:-elastic-net} Loading
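Review bot: `es-cert-setup` unpacks the CA into `${ES_CERT_PATH}` on `cert-vol`, and the `elasticsearch` service mounts that same volume read-write, so every node can read `ca/ca.key` and every other node's private key; the final `chmod 640` pass treats keys the same as certificates. A node only needs `ca/ca.crt` plus its own key and certificate, so a single compromised container can currently mint certificates the whole cluster will trust. I would keep the CA key on a volume that only `es-cert-setup` mounts, copying just `ca.crt` across, and mount the node side read-only with `- cert-vol:${ES_CERT_PATH}:ro`. The script also has no `set -e`, so a failed `elasticsearch-certutil` run still ends with `echo "All done!"` and exit status 0, and `restart_policy: condition: on-failure` never fires. Separately, the `memory: 16M` limit looks too low for a JVM-based tool and is worth checking.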