To improve security, an account name and password must now be entered to access the Kibana web page.
Signed-off-by: Wu Zhende wuzhende666@163.com
---
container/defconfig.sh | 19 +++++++++++++++++++
container/es/Dockerfile | 7 +++++++
container/es/build | 9 ++++++++-
container/es/start | 2 +-
4 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/container/defconfig.sh b/container/defconfig.sh
index 50446d8..64a434f 100755
--- a/container/defconfig.sh
+++ b/container/defconfig.sh
@@ -20,6 +20,12 @@ load_cci_defaults() done }
+load_service_authentication()
+{
+ shopt -s nullglob
+ create_yaml_variables '/etc/compass-ci/passwd.yaml'
+}
+
docker_rm() { container=$1
@@ -28,6 +34,19 @@ docker_rm() docker rm -f $container }
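Review bot: `shopt -s nullglob` in load_service_authentication (container/defconfig.sh) is set in the calling shell and never restored, so every script that sources this file and calls the function keeps nullglob enabled for the rest of its run. If the option is only needed while create_yaml_variables runs (its body is outside this hunk), save and restore the previous setting around that call. The function also has no header comment; I would add `# Load service credentials (presumably ES_USER and ES_PASSWORD) from /etc/compass-ci/passwd.yaml; keep that file readable only by the account that runs the containers.`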
+check_auth_es_ready()
+{
+ local port=$1
+ load_service_authentication
+ local i
+ for i in {1..30}
+ do
+
+ curl -s localhost:$port -u $ES_USER:$ES_PASSWORD> /dev/null && return
+ sleep 2
+ done
+}
+
check_service_ready() { local port=$1
diff --git a/container/es/Dockerfile b/container/es/Dockerfile
index 44d87ee..f29e677 100644
--- a/container/es/Dockerfile
+++ b/container/es/Dockerfile
@@ -4,11 +4,16 @@ FROM elasticsearch:7.11.1@sha256:d52cda1e73d1b1915ba2d76ca1e426620c7b5d6942d9d2f432259503974ba786
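Review bot: In check_auth_es_ready (container/defconfig.sh) the probe `curl -s localhost:$port -u $ES_USER:$ES_PASSWORD` exits 0 on any HTTP response, including a 401, so the loop reports "ready" even when the credentials are rejected; add `-f` so an authentication failure counts as not ready. The expansions are unquoted, so a password containing whitespace or glob characters is split or expanded before curl sees it; the line should read `curl -sf "localhost:$port" -u "$ES_USER:$ES_PASSWORD" > /dev/null && return`. Passing the password with `-u` also puts it in the process argument list, where other local users can read it; supplying it through a curl config file with `-K` avoids that. After 30 failed attempts the function falls through with the status of the last `sleep`, so callers cannot tell that Elasticsearch never came up; add `return 1` after `done`.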
ARG MEMORY
+ARG USER
+ARG PASSWORD
RUN sed -i 's:#network.host: _site_:network.host: 0.0.0.0:' /usr/share/elasticsearch/config/elasticsearch.yml && \
sed -i '$a path.data: /srv/es' /usr/share/elasticsearch/config/elasticsearch.yml && \
sed -i '$a node.name: node-1' /usr/share/elasticsearch/config/elasticsearch.yml && \
sed -i '$a cluster.initial_master_nodes: ["node-1"]' /usr/share/elasticsearch/config/elasticsearch.yml && \
+ sed -i '$a xpack.security.enabled: true' /usr/share/elasticsearch/config/elasticsearch.yml && \
+ sed -i '$a xpack.license.self_generated.type: basic' /usr/share/elasticsearch/config/elasticsearch.yml && \
+ sed -i '$a xpack.security.transport.ssl.enabled: true' /usr/share/elasticsearch/config/elasticsearch.yml && \
sed -i "s/-Xms256m/-Xms${MEMORY}m/g" /usr/share/elasticsearch/config/jvm.options && \
sed -i "s/-Xmx256m/-Xmx${MEMORY}m/g" /usr/share/elasticsearch/config/jvm.options
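Review bot: `ARG PASSWORD` passes the Elasticsearch password into the build as a build argument, and build-argument values consumed by a RUN step are recorded in the image metadata, where `docker history` shows them to anyone who can pull the image; the `RUN ./bin/elasticsearch-users useradd ... -p ${PASSWORD}` step in the next hunk also bakes the account into an image layer. Prefer creating the user when the container starts, from a secret supplied at run time, or pass the value through a BuildKit secret mount (`RUN --mount=type=secret,id=<secret-id> ...`) so it stays out of the history. Separately, `xpack.security.transport.ssl.enabled: true` is appended with no keystore or certificate settings visible in this hunk; confirm the node starts and actually encrypts transport traffic with that setting alone, or add the matching certificate configuration.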
@@ -17,6 +22,8 @@ RUN mkdir /usr/share/elasticsearch/tmp && \
WORKDIR /usr/share/elasticsearch
+RUN ./bin/elasticsearch-users useradd ${USER} -p ${PASSWORD} -r superuser
+
ENV PATH /usr/share/elasticsearch/bin:$PATH ENV ES_TMPDIR /usr/share/elasticsearch/tmp
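Review bot: `${USER}` and `${PASSWORD}` are expanded unquoted in the shell-form RUN, so a value containing whitespace or glob characters is split or expanded by the build shell, and an empty build argument leaves `-p` without a value so that `-r` is taken in its place. Quote both: `RUN ./bin/elasticsearch-users useradd "${USER}" -p "${PASSWORD}" -r superuser`. The account is created with the `superuser` role; if it is only used by services that read and write indices, a narrower role would limit what a leaked password exposes.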
diff --git a/container/es/build b/container/es/build
index db5145f..e023227 100755
--- a/container/es/build
+++ b/container/es/build
@@ -3,10 +3,17 @@ # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved. # frozen_string_literal: true
+require 'set'
require_relative '../defconfig.rb'
+names = Set.new %w[
+ ES_USER
+ ES_PASSWORD
+]
+
+defaults = relevant_service_authentication(names)
docker_skip_rebuild "es:7.11.1"
available_memory = get_available_memory
-system "docker build -t es:7.11.1 --build-arg MEMORY=#{available_memory} --network=host ."
+system "docker build -t es:7.11.1 --build-arg MEMORY=#{available_memory} --build-arg USER=#{defaults['ES_USER']} --build-arg PASSWORD=#{defaults['ES_PASSWORD']} --network=host ."
diff --git a/container/es/start b/container/es/start
index 3aa9525..cff44ea 100755
--- a/container/es/start
+++ b/container/es/start
@@ -21,5 +21,5 @@ cmd=( "${cmd[@]}"
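Review bot: The new `system "docker build ..."` call in container/es/build interpolates `defaults['ES_PASSWORD']` into one command string, which Ruby hands to the shell when it contains metacharacters, so a password with quotes, spaces, `$` or `;` is re-parsed and can break or alter the command. Use the argument-list form, which bypasses the shell: `system('docker', 'build', '-t', 'es:7.11.1', '--build-arg', "MEMORY=#{available_memory}", '--build-arg', "USER=#{defaults['ES_USER']}", '--build-arg', "PASSWORD=#{defaults['ES_PASSWORD']}", '--network=host', '.')`. If passwd.yaml lacks either key the interpolation produces an empty string and the image is built with an empty user name or password, so check both values before building; what relevant_service_authentication returns in that case is not visible in this hunk.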
# set index
-check_service_ready 9200
+check_auth_es_ready 9200
find $CCI_SRC/sbin/ -name "es-*-mapping.sh" -exec sh {} ;