Docker 部署 Elasticsearch 8.12 + Kibana + Nginx 负载均衡
适用系统:CentOS 7
依赖:Docker ≥ 20.10、docker-compose ≥ v2.0
1 部署前检查
| 检查项 | 命令/路径 | 期望结果 |
|---|---|---|
| Docker 已安装 | docker -v | 版本 ≥ 20.10 |
| docker-compose 已安装 | docker compose version | 版本 ≥ v2.0 |
| 内核参数 | sysctl vm.max_map_count | ≥ 262144 |
| 防火墙 | firewall-cmd --state | 如开启需放行 9200/9300/5601/80 |
若
vm.max_map_count不足,请执行
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
2 节点规划
| 节点 | 主机名 | IP | 角色 |
|---|---|---|---|
| ES-1 | es-node-1 | 10.32.0.32 | master & data |
| ES-2 | es-node-2 | 10.32.0.33 | master & data |
| ES-3 | es-node-3 | 10.32.0.34 | master & data |
| LB+Kibana | —— | 10.32.0.35 | Nginx + Kibana |
3 生成 TLS 证书(仅需一次)
# 在任一 ES 节点执行
cd /opt/elasticsearch
mkdir tmp
chown -R 1000:1000 tmp# 生成 CA
docker run --rm -v $PWD/tmp:/tmp/certs \docker.elastic.co/elasticsearch/elasticsearch:8.12.0 \bash -c "elasticsearch-certutil ca --silent --out /tmp/certs/elastic-stack-ca.p12"# 签发节点证书
docker run --rm -v $PWD/tmp:/tmp/certs \docker.elastic.co/elasticsearch/elasticsearch:8.12.0 \bash -c "elasticsearch-certutil cert --ca /tmp/certs/elastic-stack-ca.p12 --out /tmp/certs/elastic-certificates.p12"mv tmp/elastic-certificates.p12 config
4 节点目录结构(所有 ES 节点保持一致)
/opt/elasticsearch/
├── config/
│ ├── elasticsearch.yml
│ └── elastic-certificates.p12
├── data/
├── logs/
└── docker-compose.yml
5 配置 elasticsearch.yml(示例:es-node-2)
cluster.name: my-es-cluster
node.name: es-node-2
network.host: 0.0.0.0
network.publish_host: 10.32.0.33 # ← 本机实际 IP# TLS
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12# 路径
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
6 docker-compose.yml(所有 ES 节点)
仅需修改
node.name与container_name即可复用
version: '3.7'
services:elasticsearch:image: docker.elastic.co/elasticsearch/elasticsearch:8.12.0container_name: es-node-2environment:- node.name=es-node-2- cluster.name=my-es-cluster- discovery.seed_hosts=10.32.0.32,10.32.0.33,10.32.0.34- cluster.initial_master_nodes=es-node-1,es-node-2,es-node-3- ES_JAVA_OPTS=-Xms8g -Xmx8g- xpack.security.enabled=truevolumes:- ./data:/usr/share/elasticsearch/data- ./logs:/usr/share/elasticsearch/logs- ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro- ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/certs/elastic-certificates.p12:roports:- "9200:9200"- "9300:9300"restart: unless-stopped
7 启动集群 & 设置密码
# 依次在 3 台节点执行
cd /opt/elasticsearch
docker compose up -d# 任选一台节点重置 elastic 用户密码
docker exec -it es-node-1 elasticsearch-reset-password -u elastic -i
8 验证集群
curl -u elastic:<密码> http://10.32.0.32:9200/_cat/nodes?v
预期输出包含 3 个节点,master 列有且仅有一个 *。
9 部署 Nginx(10.32.0.35)
9.1 编译安装 Nginx(如需最新版)
# 安装依赖
sudo yum groupinstall -y "Development Tools"
sudo yum install -y pcre-devel zlib-devel openssl-devel# 下载 & 编译
cd /usr/local/src
wget http://nginx.org/download/nginx-1.28.0.tar.gz
tar -xzf nginx-1.28.0.tar.gz && cd nginx-1.28.0./configure \--prefix=/usr/local/nginx \--with-http_ssl_module \--with-http_v2_module \--with-streammake && sudo make install# systemd 服务
sudo tee /etc/systemd/system/nginx.service > /dev/null <<'EOF'
[Unit]
Description=NGINX
After=network.target[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
Restart=on-failure[Install]
WantedBy=multi-user.target
EOFsudo systemctl daemon-reload
sudo systemctl enable --now nginx
9.2 配置负载均衡
新建 /usr/local/nginx/conf/conf.d/es.conf:
upstream es {ip_hash; # 会话保持server 10.32.0.32:9200 max_fails=3 fail_timeout=5s;server 10.32.0.33:9200 max_fails=3 fail_timeout=5s;server 10.32.0.34:9200 max_fails=3 fail_timeout=5s;
}server {listen 80;server_name 10.32.0.35;location / {proxy_pass http://es;proxy_http_version 1.1;proxy_set_header Connection "";proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;}
}
重载:
nginx -t && systemctl reload nginx
10 部署 Kibana(10.32.0.35)
10.1 安装
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.12.0-linux-x86_64.tar.gz
tar -xzf kibana-8.12.0-linux-x86_64.tar.gz
mv kibana-8.12.0 /opt/kibana
useradd -r -s /bin/false kibana
chown -R kibana:kibana /opt/kibana
10.2 重置 kibana_system 密码
# 在 ES 容器内执行
elasticsearch-reset-password -u kibana_system -i
10.3 配置 /opt/kibana/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts:- http://10.32.0.32:9200- http://10.32.0.33:9200- http://10.32.0.34:9200
elasticsearch.username: "kibana_system"
elasticsearch.password: "<上一步密码>"
10.4 创建系统用户
# 创建系统用户,禁止登录
sudo useradd -r -s /bin/false kibana# 赋权
sudo chown -R kibana:kibana /opt/kibana
10.5 systemd 服务
sudo tee /etc/systemd/system/kibana.service > /dev/null <<'EOF'
[Unit]
Description=Kibana
After=network.target[Service]
Type=simple
User=kibana
Group=kibana
ExecStart=/opt/kibana/bin/kibana
Restart=always
WorkingDirectory=/opt/kibana[Install]
WantedBy=multi-user.target
EOFsudo systemctl daemon-reload
sudo systemctl enable --now kibana
10.6 验证
浏览器访问 http://10.32.0.35:5601,使用 elastic 用户登录即可。
11 常见问题 FAQ
| 现象 | 根因 | 快速修复 |
|---|---|---|
vm.max_map_count too low | 内核参数不足 | 见“部署前检查” |
| 节点无法发现对方 | network.publish_host 未配或 node.name 重复 | 检查 elasticsearch.yml 与 docker-compose.yml,清理 data/ 后重启容器 |
AccessDeniedException | 目录权限错误 | chown -R 1000:1000 data/ logs/ |
| Kibana 无法连接 ES | 密码错误 / ES 未开启 TLS | 确认 kibana_system 密码正确,且 ES 对外 9200 可达 |
下一篇:阿里云 ES 产品数据迁移至自建 ES 集群