From 6b9c2447b43394b4ed1f9f0bcc8f63d545ac6ed2 Mon Sep 17 00:00:00 2001
From: Nick Lang
Date: Fri, 25 Jan 2019 11:14:28 -0700
Subject: [PATCH 01/11] Better handling of configs/volumes/secrets

There've been some issues relating to how stack-docker starts up stuff using the docker-compose image.

* changing project names
* volume mounts not working
* some other issues regarding containers not starting.

I've moved everything around and made more use of docker volumes:

* created certs volume, for storing the certs. Now all containers can mount that volume and have access to the certs.
* created a config volume for each service
  * this mounts the config.yml for each service and also stores the keystore.

These changes help process a lot of the permissions issues that were happening. This makes it a lot easier to clean up using a 'docker-compose down -v' and restart.

known issues:

* the setup script doesn't work as cleanly as I'd like and when trying to execute it via a 'docker-compose -f setup/setup.yml run setup' the script exits early.
---
 .env                                   |   4 +-
 README.md                              |   9 +-
 config/apm-server/apm-server.yml       |   6 +-
 config/elasticsearch/elasticsearch.p12 | Bin 3517 -> 0 bytes
 config/elasticsearch/elasticsearch.yml |  12 +-
 config/filebeat/filebeat.yml           |   6 +-
 config/heartbeat/heartbeat.yml         |  10 +-
 config/{ssl => }/instances.yml         |   0
 config/kibana/kibana.p12               | Bin 3471 -> 0 bytes
 config/kibana/kibana.yml               |   6 +-
 config/logstash/logstash.p12           | Bin 3483 -> 0 bytes
 config/logstash/logstash.yml           |   3 +-
 config/logstash/pipeline/logstash.conf |   2 +-
 config/logstash/pipelines.yml          |   2 +
 config/metricbeat/metricbeat.yml       |   6 +-
 config/packetbeat/packetbeat.yml       |  10 +-
 docker-compose.setup.yml               | 128 --------------
 docker-compose.yml                     | 227 +++++++++----------------
 scripts/setup-beat.sh                  |  30 ++--
 scripts/setup-elasticsearch.sh         |  46 ++---
 scripts/setup-kibana.sh                |   3 +-
 scripts/setup-logstash.sh              |   9 +-
 scripts/setup-users.sh                 |  13 +-
 scripts/setup.sh                       |  39 +++--
 setup/Dockerfile                       |   2 +
 setup.yml => setup/setup.yml           |   5 +-
 26 files changed, 197 insertions(+), 381 deletions(-)
 delete
mode 100644 config/elasticsearch/elasticsearch.p12 rename config/{ssl => }/instances.yml (100%) delete mode 100644 config/kibana/kibana.p12 delete mode 100644 config/logstash/logstash.p12 create mode 100644 config/logstash/pipelines.yml delete mode 100644 docker-compose.setup.yml create mode 100644 setup/Dockerfile rename setup.yml => setup/setup.yml (75%) diff --git a/.env b/.env index ed7b944..b5c1aef 100644 --- a/.env +++ b/.env @@ -1,2 +1,2 @@ -TAG=6.5.2 -ELASTIC_VERSION=6.5.2 +TAG=6.5.4 +ELASTIC_VERSION=6.5.4 diff --git a/README.md b/README.md index 8247d79..3cdb8cd 100644 --- a/README.md +++ b/README.md @@ -43,13 +43,16 @@ By default, the amount of Virtual Memory [is not enough](https://www.elastic.co/ First we need to: 1. set default password -2. create keystores to store passwords -3. install dashboards, index patterns, etc.. for beats and apm +2. Create SSL certs +3. create keystores to store passwords +4. install dashboards, index patterns, etc.. for beats and apm This is accomplished using the setup.yml file: ``` -docker-compose -f setup.yml up +docker-compose -f setup.yml run --rm setup bash +bash ./scripts/setup.sh ``` +When the setup has finished you can type `exit` to quit the setup process Please take note after the setup completes it will output the password that is used for the `elastic` login. diff --git a/config/apm-server/apm-server.yml b/config/apm-server/apm-server.yml index faba2ef..8fba2ee 100644 --- a/config/apm-server/apm-server.yml +++ b/config/apm-server/apm-server.yml @@ -1,3 +1,5 @@ +keystore.path: "/usr/share/apm-server/config/apm-server.keystore" + apm-server.frontend.enabled: true apm-server.host: "0.0.0.0:8200" @@ -7,7 +9,7 @@ output.elasticsearch: username: elastic # Read PW from apm-server.keystore password: "${ELASTIC_PASSWORD}" - ssl.certificate_authorities: ["/usr/share/apm-server/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] setup.kibana: host: "http://kibana:5601" 
@@ -15,4 +17,4 @@ setup.kibana: password: "${ELASTIC_PASSWORD}" protocol: "http" ssl.enabled: false - ssl.certificate_authorities: ["/usr/share/apm-server/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] 
diff --git a/config/elasticsearch/elasticsearch.p12 b/config/elasticsearch/elasticsearch.p12 deleted file mode 100644 index 7ee72bbf7e4306be6f03a26091ef7cf0177b8a07..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3517
diff --git a/config/elasticsearch/elasticsearch.yml b/config/elasticsearch/elasticsearch.yml index 0f77d84..6cab4f7 100644 --- a/config/elasticsearch/elasticsearch.yml +++ b/config/elasticsearch/elasticsearch.yml
@@ -10,11 +10,11 @@ xpack.license.self_generated.type: trial xpack.security.enabled: true xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode: certificate -xpack.security.http.ssl.key: certs/elasticsearch/elasticsearch.key -xpack.security.http.ssl.certificate: certs/elasticsearch/elasticsearch.crt -xpack.security.http.ssl.certificate_authorities: [ "certs/ca/ca.crt" ] +xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/ssl/docker-cluster/elasticsearch/elasticsearch.key +xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/ssl/docker-cluster/elasticsearch/elasticsearch.crt +xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/ssl/ca/ca.crt" ] xpack.security.transport.ssl.enabled: true -xpack.security.transport.ssl.key: certs/elasticsearch/elasticsearch.key -xpack.security.transport.ssl.certificate: certs/elasticsearch/elasticsearch.crt -xpack.security.transport.ssl.certificate_authorities: [ "certs/ca/ca.crt" ] +xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/ssl/docker-cluster/elasticsearch/elasticsearch.key +xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/ssl/docker-cluster/elasticsearch/elasticsearch.crt +xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/ssl/ca/ca.crt" ] diff --git a/config/filebeat/filebeat.yml b/config/filebeat/filebeat.yml index 78ccd0a..f6755b4 100644 --- a/config/filebeat/filebeat.yml +++ b/config/filebeat/filebeat.yml @@ -1,3 +1,5 @@ +keystore.path: "/usr/share/filebeat/config/filebeat.keystore" + filebeat.config: prospectors: path: ${path.config}/prospectors.d/*.yml 
@@ -15,7 +17,7 @@ output.elasticsearch: username: elastic # Read PW from filebeat.keystore password: "${ELASTIC_PASSWORD}" - ssl.certificate_authorities: ["/usr/share/filebeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] setup.kibana: host: "http://kibana:5601" @@ -23,6 +25,6 @@ setup.kibana: password: "${ELASTIC_PASSWORD}" protocol: "http" ssl.enabled: false - ssl.certificate_authorities: ["/usr/share/filebeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] xpack.monitoring.enabled: true diff --git a/config/heartbeat/heartbeat.yml b/config/heartbeat/heartbeat.yml index bbdba46..77e82f3 100644 --- a/config/heartbeat/heartbeat.yml +++ b/config/heartbeat/heartbeat.yml @@ -1,3 +1,5 @@ +keystore.path: "/usr/share/heartbeat/config/heartbeat.keystore" + heartbeat.monitors: - type: http schedule: '@every 5s' @@ -5,7 +7,9 @@ heartbeat.monitors: - https://elasticsearch:9200 - http://kibana:5601 ssl: - certificate_authorities: ["/usr/share/heartbeat/certs/ca/ca.crt"] + certificate_authorities: ["/certs/ssl/ca/ca.crt"] + username: elastic + password: "${ELASTIC_PASSWORD}" - type: icmp schedule: '@every 5s' @@ -22,7 +26,7 @@ output.elasticsearch: username: elastic # Read PW from heartbeat.keystore password: "${ELASTIC_PASSWORD}" - ssl.certificate_authorities: ["/usr/share/heartbeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] setup.kibana: host: "http://kibana:5601" @@ -30,6 +34,6 @@ setup.kibana: password: "${ELASTIC_PASSWORD}" protocol: "http" ssl.enabled: false - ssl.certificate_authorities: ["/usr/share/heartbeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] xpack.monitoring.enabled: true diff --git a/config/ssl/instances.yml b/config/instances.yml similarity index 100% rename from config/ssl/instances.yml rename to config/instances.yml 
diff --git a/config/kibana/kibana.p12 b/config/kibana/kibana.p12 deleted file mode 100644 index 04f9219d9d70d6dfc412a9f66145c21d687ed216..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3471
diff --git a/config/logstash/logstash.yml b/config/logstash/logstash.yml index b53754f..943951c 100644 --- a/config/logstash/logstash.yml +++ b/config/logstash/logstash.yml @@ -3,5 +3,4 @@ http.host: 0.0.0.0 xpack.monitoring.elasticsearch.password: ${ELASTIC_PASSWORD} xpack.monitoring.elasticsearch.url: https://elasticsearch:9200 xpack.monitoring.elasticsearch.username: logstash_system -xpack.monitoring.elasticsearch.ssl.ca: /usr/share/logstash/config/certs/ca/ca.crt - +xpack.monitoring.elasticsearch.ssl.ca: /certs/ca/ca.crt diff --git a/config/logstash/pipeline/logstash.conf b/config/logstash/pipeline/logstash.conf index 596ec9a..f9da078 100644 --- a/config/logstash/pipeline/logstash.conf +++ b/config/logstash/pipeline/logstash.conf @@ -11,6 +11,6 @@ output { user => 'elastic' password => "${ELASTIC_PASSWORD}" # read password from logstash.keystore ssl => true - cacert => '/usr/share/logstash/config/certs/ca/ca.crt' + cacert => '/certs/ssl/ca/ca.crt' } } diff --git a/config/logstash/pipelines.yml b/config/logstash/pipelines.yml new file mode 100644 index 0000000..3cbebe2 --- /dev/null +++ b/config/logstash/pipelines.yml @@ -0,0 +1,2 @@ +- pipeline.id: pipeline_1 + path.config: '/usr/share/logstash/pipeline/logstash.conf' diff --git a/config/metricbeat/metricbeat.yml b/config/metricbeat/metricbeat.yml index bfc3a2e..ba4b054 100644 --- a/config/metricbeat/metricbeat.yml +++ b/config/metricbeat/metricbeat.yml @@ -1,3 +1,5 @@ +keystore.path: "/usr/share/metricbeat/config/metricbeat.keystore" + metricbeat.config.modules: path: ${path.config}/modules.d/*.yml reload.enabled: false @@ -11,7 +13,7 @@ output.elasticsearch: username: elastic # Read PW from metricbeat.keystore password: "${ELASTIC_PASSWORD}" - ssl.certificate_authorities: ["/usr/share/metricbeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] setup.kibana: host: "http://kibana:5601" 
@@ -19,6 +21,6 @@ setup.kibana: password: "${ELASTIC_PASSWORD}" protocol: "http" ssl.enabled: false - ssl.certificate_authorities: ["/usr/share/metricbeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] xpack.monitoring.enabled: true diff --git a/config/packetbeat/packetbeat.yml b/config/packetbeat/packetbeat.yml index 48c2248..abae754 100644 --- a/config/packetbeat/packetbeat.yml +++ b/config/packetbeat/packetbeat.yml @@ -1,3 +1,5 @@ +keystore.path: "/usr/share/packetbeat/config/packetbeat.keystore" + packetbeat.interfaces.device: any packetbeat.flows: @@ -38,19 +40,19 @@ processors: - add_cloud_metadata: output.elasticsearch: - hosts: ['elasticsearch:9200'] + hosts: ['localhost:9200'] # locahost cause we are using network mode = host protocol: "https" username: elastic # Read PW from packetbeat.keystore password: "${ELASTIC_PASSWORD}" - ssl.certificate_authorities: ["/usr/share/packetbeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] setup.kibana: - host: "http://kibana:5601" + host: "http://localhost:5601" # locahost cause we are using network mode = host username: elastic password: "${ELASTIC_PASSWORD}" protocol: "http" ssl.enabled: false - ssl.certificate_authorities: ["/usr/share/packetbeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] xpack.monitoring.enabled: true diff --git a/docker-compose.setup.yml b/docker-compose.setup.yml deleted file mode 100644 index 50acaea..0000000 --- a/docker-compose.setup.yml +++ /dev/null 
@@ -1,128 +0,0 @@ ---- -version: '3.6' -services: - # Setup Elasticsearch - # * keystore - # * SSL - setup_elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:${TAG} - container_name: setup_elasticsearch - command: ['/bin/bash', '-c', 'cat /usr/local/bin/setup-elasticsearch.sh | tr -d "\r" | bash'] - environment: ['ELASTIC_PASSWORD=${ELASTIC_PASSWORD}'] - working_dir: '/config' - volumes: - - './config:/config' - - './scripts/setup-elasticsearch.sh:/usr/local/bin/setup-elasticsearch.sh:ro' - - setup_kibana: - image: docker.elastic.co/kibana/kibana:${TAG} - container_name: setup_kibana - command: ['/bin/bash', '-c', 'cat /usr/local/bin/setup-kibana.sh | tr -d "\r" | bash'] - environment: ['ELASTIC_PASSWORD=${ELASTIC_PASSWORD}'] - working_dir: '/config' - volumes: - - './config:/config' - - './scripts/setup-kibana.sh:/usr/local/bin/setup-kibana.sh:ro' - - './config/ssl/ca/ca.crt:/usr/share/kibana/config/ca/ca.crt' - depends_on: ['elasticsearch'] - networks: ['stack'] - - setup_logstash: - image: docker.elastic.co/logstash/logstash:${TAG} - container_name: setup_logstash - command: ['/bin/bash', '-c', 'cat /usr/local/bin/setup-logstash.sh | tr -d "\r" | bash'] - environment: ['ELASTIC_PASSWORD=${ELASTIC_PASSWORD}'] - working_dir: '/config' - volumes: - - './config:/config' - - './scripts/setup-logstash.sh:/usr/local/bin/setup-logstash.sh:ro' - - './config/ssl/ca/ca.crt:/usr/share/logstash/config/ca/ca.crt' - depends_on: ['elasticsearch'] - networks: ['stack'] - - setup_auditbeat: - image: docker.elastic.co/beats/auditbeat:${TAG} - container_name: setup_auditbeat - user: root - pid: host - cap_add: ['AUDIT_CONTROL', 'AUDIT_READ'] - volumes: - - './config:/config' - - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' - - './config/auditbeat/auditbeat.yml:/usr/share/auditbeat/auditbeat.yml' - - './config/ssl/ca/ca.crt:/usr/share/auditbeat/certs/ca/ca.crt' - command: ['/bin/bash', '-c', 'cat /usr/local/bin/setup-beat.sh | tr -d "\r" | bash -s 
auditbeat'] - environment: ['ELASTIC_PASSWORD=${ELASTIC_PASSWORD}'] - networks: ['stack'] - depends_on: ['kibana'] - - setup_filebeat: - image: docker.elastic.co/beats/filebeat:${TAG} - container_name: setup_filebeat - user: root - volumes: - - './config:/config' - - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' - - './config/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml' - - './config/ssl/ca/ca.crt:/usr/share/filebeat/certs/ca/ca.crt' - command: ['/bin/bash', '-c', 'cat /usr/local/bin/setup-beat.sh | tr -d "\r" | bash -s filebeat'] - environment: ['ELASTIC_PASSWORD=${ELASTIC_PASSWORD}'] - networks: ['stack'] - depends_on: ['kibana'] - - setup_heartbeat: - image: docker.elastic.co/beats/heartbeat:${TAG} - container_name: setup_heartbeat - user: root - volumes: - - './config:/config' - - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' - - './config/heartbeat/heartbeat.yml:/usr/share/heartbeat/heartbeat.yml' - - './config/ssl/ca/ca.crt:/usr/share/heartbeat/certs/ca/ca.crt' - command: ['/bin/bash', '-c', 'cat /usr/local/bin/setup-beat.sh | tr -d "\r" | bash -s heartbeat'] - environment: ['ELASTIC_PASSWORD=${ELASTIC_PASSWORD}'] - networks: ['stack'] - depends_on: ['kibana'] - - setup_metricbeat: - image: docker.elastic.co/beats/metricbeat:${TAG} - container_name: setup_metricbeat - user: root - volumes: - - './config:/config' - - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' - - './config/metricbeat/metricbeat.yml:/usr/share/metricbeat/metricbeat.yml' - - './config/ssl/ca/ca.crt:/usr/share/metricbeat/certs/ca/ca.crt' - command: ['/bin/bash', '-c', 'cat /usr/local/bin/setup-beat.sh | tr -d "\r" | bash -s metricbeat'] - environment: ['ELASTIC_PASSWORD=${ELASTIC_PASSWORD}'] - networks: ['stack'] - depends_on: ['kibana'] - - setup_packetbeat: - image: docker.elastic.co/beats/packetbeat:${TAG} - container_name: setup_packetbeat - user: root - cap_add: ['NET_RAW', 'NET_ADMIN'] - command: ['/bin/bash', '-c', 'cat 
/usr/local/bin/setup-beat.sh | tr -d "\r" | bash -s packetbeat'] - volumes: - - './config:/config' - - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' - - './config/packetbeat/packetbeat.yml:/usr/share/packetbeat/packetbeat.yml' - - './config/ssl/ca/ca.crt:/usr/share/packetbeat/certs/ca/ca.crt' - environment: ['ELASTIC_PASSWORD=${ELASTIC_PASSWORD}'] - networks: ['stack'] - depends_on: ['kibana'] - - setup_apm_server: - image: docker.elastic.co/apm/apm-server:${TAG} - container_name: setup_apm_server - user: root - command: ['/bin/bash', '-c', 'cat /usr/local/bin/setup-beat.sh | tr -d "\r" | bash -s apm-server'] - volumes: - - './config:/config' - - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' - - './config/apm-server/apm-server.yml:/usr/share/apm-server/apm-server.yml' - - './config/ssl/ca/ca.crt:/usr/share/apm-server/certs/ca/ca.crt' - environment: ['ELASTIC_PASSWORD=${ELASTIC_PASSWORD}'] - networks: ['stack'] - depends_on: ['kibana'] diff --git a/docker-compose.yml b/docker-compose.yml index 346dd61..5ef12f5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -20,22 +20,18 @@ services: elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:${TAG} container_name: elasticsearch - secrets: - - source: ca.crt - target: /usr/share/elasticsearch/config/certs/ca/ca.crt - - source: elasticsearch.yml - target: /usr/share/elasticsearch/config/elasticsearch.yml - - source: elasticsearch.keystore - target: /usr/share/elasticsearch/config/elasticsearch.keystore - - source: elasticsearch.key - target: /usr/share/elasticsearch/config/certs/elasticsearch/elasticsearch.key - - source: elasticsearch.crt - target: /usr/share/elasticsearch/config/certs/elasticsearch/elasticsearch.crt ports: ['9200:9200'] networks: ['stack'] volumes: + - 'es_config:/usr/share/elasticsearch/config/' + - 'certs:/usr/share/elasticsearch/config/certs' + - 'ls_config:/logstash' + - 'kb_config:/kibana' - 'es_data:/usr/share/elasticsearch/data' - './scripts/setup-users.sh:/usr/local/bin/setup-users.sh:ro' + - './scripts/setup-elasticsearch.sh:/usr/local/bin/setup-elasticsearch.sh:ro' + - './config/instances.yml:/usr/share/elasticsearch/config/certs/ssl/instances.yml' + - './config/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml' healthcheck: test: curl --cacert /usr/share/elasticsearch/config/certs/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi interval: 30s 
@@ -45,19 +41,14 @@ services: kibana: image: docker.elastic.co/kibana/kibana:${TAG} container_name: kibana - secrets: - - source: kibana.yml - target: /usr/share/kibana/config/kibana.yml - - source: kibana.keystore - target: /usr/share/kibana/data/kibana.keystore - - source: ca.crt - target: /usr/share/kibana/config/certs/ca/ca.crt - - source: kibana.key - target: /usr/share/kibana/config/certs/kibana/kibana.key - - source: kibana.crt - target: /usr/share/kibana/config/certs/kibana/kibana.crt ports: ['5601:5601'] networks: ['stack'] + volumes: + - 'kb_config:/usr/share/kibana/config' + - 'kb_data:/usr/share/kibana/data/' + - 'certs:/certs' + - './config/kibana/kibana.yml:/usr/share/kibana/config/kibana.yml' + - './scripts/setup-kibana.sh:/usr/local/bin/setup-kibana.sh:ro' depends_on: ['elasticsearch'] healthcheck: test: curl --cacert /usr/share/elasticsearch/config/certs/ca/ca.crt -s https://localhost:5601 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi @@ -68,16 +59,14 @@ services: logstash: image: docker.elastic.co/logstash/logstash:${TAG} container_name: logstash - secrets: - - source: logstash.conf - target: /usr/share/logstash/pipeline/logstash.conf - - source: logstash.yml - target: /usr/share/logstash/config/logstash.yml - - source: logstash.keystore - target: /usr/share/logstash/config/logstash.keystore - - source: ca.crt - target: /usr/share/logstash/config/certs/ca/ca.crt networks: ['stack'] + volumes: + - 'ls_config:/usr/share/logstash/config' + - 'certs:/certs' + - './config/logstash/logstash.yml:/usr/share/logstash/config/logstash.yml' + - './config/logstash/pipelines.yml:/usr/share/logstash/config/pipelines.yml' + - './config/logstash/pipeline/logstash.conf:/usr/share/logstash/pipeline/logstash.conf' + - './scripts/setup-logstash.sh:/usr/local/bin/setup-logstash.sh:ro' depends_on: ['elasticsearch'] healthcheck: test: bin/logstash -t 
@@ -85,46 +74,43 @@ services: timeout: 50s retries: 5 - auditbeat: - image: docker.elastic.co/beats/auditbeat:${TAG} - container_name: auditbeat - command: -e --strict.perms=false # -e flag to log to stderr and disable syslog/file output - cap_add: ['AUDIT_CONTROL', 'AUDIT_READ'] - secrets: - - source: auditbeat.yml - target: /usr/share/auditbeat/auditbeat.yml - - source: auditbeat.keystore - target: /usr/share/auditbeat/auditbeat.keystore - - source: ca.crt - target: /usr/share/auditbeat/certs/ca/ca.crt - # Auditbeat must run in the main process namespace. - pid: host - volumes: - - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' - networks: ['stack'] - depends_on: ['elasticsearch', 'kibana'] - healthcheck: - test: auditbeat --strict.perms=false test config - interval: 30s - timeout: 15s - retries: 5 + # auditbeat: + # image: docker.elastic.co/beats/auditbeat:${TAG} + # container_name: auditbeat + # command: -e --strict.perms=false # -e flag to log to stderr and disable syslog/file output + # cap_add: ['AUDIT_CONTROL', 'AUDIT_READ'] + # secrets: + # - source: auditbeat.yml + # target: /usr/share/auditbeat/auditbeat.yml + # - source: auditbeat.keystore + # target: /usr/share/auditbeat/auditbeat.keystore + # - source: ca.crt + # target: /usr/share/auditbeat/certs/ca/ca.crt + # # Auditbeat must run in the main process namespace. 
+ # pid: host + # volumes: + # - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' + # networks: ['stack'] + # depends_on: ['elasticsearch', 'kibana'] + # healthcheck: + # test: auditbeat --strict.perms=false test config + # interval: 30s + # timeout: 15s + # retries: 5 filebeat: image: docker.elastic.co/beats/filebeat:${TAG} container_name: filebeat - command: --strict.perms=false -e # -e flag to log to stderr and disable syslog/file output + hostname: filebeat + command: -e -c=config/filebeat.yml # -e flag to log to stderr and disable syslog/file output # If the host system has logs at "/var/log", mount them at "/mnt/log" # inside the container, where Filebeat can find them. # volumes: ['/var/log:/mnt/log:ro'] - secrets: - - source: filebeat.yml - target: /usr/share/filebeat/filebeat.yml - - source: filebeat.keystore - target: /usr/share/filebeat/filebeat.keystore - - source: ca.crt - target: /usr/share/filebeat/certs/ca/ca.crt volumes: + - 'fb_config:/usr/share/filebeat/config' + - 'certs:/certs' - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' + - './config/filebeat/filebeat.yml:/usr/share/filebeat/config/filebeat.yml' networks: ['stack'] depends_on: ['elasticsearch', 'kibana'] healthcheck: 
@@ -136,16 +122,13 @@ services: heartbeat: image: docker.elastic.co/beats/heartbeat:${TAG} container_name: heartbeat - command: --strict.perms=false -e # -e flag to log to stderr and disable syslog/file output - secrets: - - source: heartbeat.yml - target: /usr/share/heartbeat/heartbeat.yml - - source: heartbeat.keystore - target: /usr/share/heartbeat/heartbeat.keystore - - source: ca.crt - target: /usr/share/heartbeat/certs/ca/ca.crt + hostname: heartbeat + command: -e -c=config/heartbeat.yml # -e flag to log to stderr and disable syslog/file output volumes: + - 'hb_config:/usr/share/heartbeat/config' + - 'certs:/certs' - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' + - './config/heartbeat/heartbeat.yml:/usr/share/heartbeat/config/heartbeat.yml' networks: ['stack'] depends_on: ['elasticsearch', 'kibana'] healthcheck: @@ -157,6 +140,7 @@ services: metricbeat: image: docker.elastic.co/beats/metricbeat:${TAG} container_name: metricbeat + hostname: metricbeat # The commented sections below enable Metricbeat to monitor the Docker host, # rather than the Metricbeat container. It's problematic with Docker for # Windows, however, since "/proc", "/sys" etc. don't exist on Windows. 
@@ -165,16 +149,12 @@ services: # - /proc:/hostfs/proc:ro # - /sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro # - /:/hostfs:ro - command: --strict.perms=false -e # -e flag to log to stderr and disable syslog/file output - secrets: - - source: metricbeat.yml - target: /usr/share/metricbeat/metricbeat.yml - - source: metricbeat.keystore - target: /usr/share/metricbeat/metricbeat.keystore - - source: ca.crt - target: /usr/share/metricbeat/certs/ca/ca.crt + command: -e -c=config/metricbeat.yml # -e flag to log to stderr and disable syslog/file output volumes: + - 'mb_config:/usr/share/metricbeat/config' + - 'certs:/certs' - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' + - './config/metricbeat/metricbeat.yml:/usr/share/metricbeat/config/metricbeat.yml' networks: ['stack'] depends_on: ['elasticsearch', 'kibana'] healthcheck: @@ -186,6 +166,7 @@ services: packetbeat: image: docker.elastic.co/beats/packetbeat:${TAG} container_name: packetbeat + hostname: packetbeat # Packetbeat needs some elevated privileges to capture network traffic. # We'll grant them with POSIX capabilities. cap_add: ['NET_RAW', 'NET_ADMIN'] 
@@ -197,18 +178,13 @@ services: # that the other containers are connected to, and thus can't resolve the # hostname "elasticsearch". Instead, we'll tell it to find Elasticsearch # on "localhost", which is the Docker host machine in this context. - command: -e -E 'output.elasticsearch.hosts=["localhost:9200"]' depends_on: ['elasticsearch'] - command: --strict.perms=false -e -E output.elasticsearch.hosts="https://localhost:9200" # -e flag to log to stderr and disable syslog/file output - secrets: - - source: packetbeat.yml - target: /usr/share/packetbeat/packetbeat.yml - - source: packetbeat.keystore - target: /usr/share/packetbeat/packetbeat.keystore - - source: ca.crt - target: /usr/share/packetbeat/certs/ca/ca.crt + command: --strict.perms=false -e -c=/usr/share/packetbeat/config/packetbeat.yml # -e flag to log to stderr and disable syslog/file output volumes: + - 'pb_config:/usr/share/packetbeat/config' + - 'certs:/certs' - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' + - './config/packetbeat/packetbeat.yml:/usr/share/packetbeat/config/packetbeat.yml' depends_on: ['elasticsearch', 'kibana'] healthcheck: test: packetbeat test config 
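Review bot: the `-E output.elasticsearch.hosts="https://localhost:9200"` override is removed, but the comment kept above the hunk still says packetbeat cannot resolve the hostname `elasticsearch` and must be pointed at `localhost`; either packetbeat.yml now carries the localhost host (not visible in this patch) or the comment is stale, and the commit should say which. Separately, the service still has two `depends_on:` keys (`depends_on: ['elasticsearch']` and `depends_on: ['elasticsearch', 'kibana']`); duplicate mapping keys are last-wins in PyYAML and an error in strict loaders, so drop the first one while touching this block.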
@@ -219,21 +195,18 @@ services: apm-server: image: docker.elastic.co/apm/apm-server:${TAG} container_name: apm_server + hostname: apm-server ports: ['8200:8200'] networks: ['stack'] - command: --strict.perms=false -e # -e flag to log to stderr and disable syslog/file output - secrets: - - source: apm-server.yml - target: /usr/share/apm-server/apm-server.yml - - source: apm-server.keystore - target: /usr/share/apm-server/apm-server.keystore - - source: ca.crt - target: /usr/share/apm-server/certs/ca/ca.crt + command: --strict.perms=false -e -c=/usr/share/apm-server/config/apm-server.yml # -e flag to log to stderr and disable syslog/file output volumes: + - 'apm_config:/usr/share/apm-server/config' + - 'certs:/certs' - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' + - './config/apm-server/apm-server.yml:/usr/share/apm-server/config/apm-server.yml' depends_on: ['elasticsearch', 'kibana'] healthcheck: - test: curl --cacert /usr/share/elasticsearch/config/certs/ca/ca.crt -s https://localhost:8200/healthcheck >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi + test: curl --cacert /usr/share/apm-server/config/ca/ca.crt -s https://localhost:8200/healthcheck >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi interval: 30s timeout: 10s retries: 5 
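Review bot: the healthcheck's CA path `/usr/share/apm-server/config/ca/ca.crt` does not exist under any mount in this service (the certs volume is at `/certs`, and the other configs in this series use `/certs/ssl/ca/ca.crt`), so curl will fail with a CA error rather than exit code 52. Worse, `if [[ $$? == 52 ]]; then echo 0; else echo 1; fi` always exits 0 because the last command run is `echo`, so the container reports healthy no matter what; use `exit 0` / `exit 1` (or simply `curl --cacert /certs/ssl/ca/ca.crt -sf https://localhost:8200/healthcheck`).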
@@ -241,56 +214,14 @@ services: networks: {stack: {}} # use docker volume to persist ES data outside of a container. volumes: + certs: es_data: - -secrets: - ca.crt: - file: ./config/ssl/ca/ca.crt - logstash.yml: - file: ./config/logstash/logstash.yml - logstash.keystore: - file: ./config/logstash/logstash.keystore - logstash.conf: - file: ./config/logstash/pipeline/logstash.conf - elasticsearch.yml: - file: ./config/elasticsearch/elasticsearch.yml - elasticsearch.keystore: - file: ./config/elasticsearch/elasticsearch.keystore - elasticsearch.key: - file: ./config/elasticsearch/elasticsearch.key - elasticsearch.crt: - file: ./config/elasticsearch/elasticsearch.crt - elasticsearch.p12: - file: ./config/elasticsearch/elasticsearch.p12 - kibana.yml: - file: ./config/kibana/kibana.yml - kibana.keystore: - file: ./config/kibana/kibana.keystore - kibana.key: - file: ./config/kibana/kibana.key - kibana.crt: - file: ./config/kibana/kibana.crt - auditbeat.yml: - file: ./config/auditbeat/auditbeat.yml - auditbeat.keystore: - file: ./config/auditbeat/auditbeat.keystore - filebeat.yml: - file: ./config/filebeat/filebeat.yml - filebeat.keystore: - file: ./config/filebeat/filebeat.keystore - heartbeat.yml: - file: ./config/heartbeat/heartbeat.yml - heartbeat.keystore: - file: ./config/heartbeat/heartbeat.keystore - metricbeat.yml: - file: ./config/metricbeat/metricbeat.yml - metricbeat.keystore: - file: ./config/metricbeat/metricbeat.keystore - packetbeat.yml: - file: ./config/packetbeat/packetbeat.yml - packetbeat.keystore: - file: ./config/packetbeat/packetbeat.keystore - apm-server.yml: - file: ./config/apm-server/apm-server.yml - apm-server.keystore: - file: ./config/apm-server/apm-server.keystore + es_config: + kb_config: + kb_data: + ls_config: + fb_config: + hb_config: + mb_config: + pb_config: + apm_config: diff --git a/scripts/setup-beat.sh b/scripts/setup-beat.sh index 57d6458..13a9e7c 100755 --- a/scripts/setup-beat.sh +++ b/scripts/setup-beat.sh 
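Review bot: the shared `certs:` volume is mounted read-write at `/certs` into every beat and apm-server, yet setup-elasticsearch.sh generates `ca.key` and the per-instance private keys into the same tree; the beats only need `ca.crt`. Mount it as `certs:/certs:ro` in the consumers, and preferably keep the CA key out of the shared volume altogether (a separate volume only the Elasticsearch setup step mounts). Also worth a README line: because the keystores now live in these named volumes, `docker-compose down -v` discards every keystore and `es_data`, so setup must be re-run afterwards.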
@@ -1,32 +1,30 @@ #!/bin/bash -set -euo pipefail +beat=$(hostname) +command="$beat --c=/usr/share/$beat/config/$beat.yml --strict.perms=false" +echo "Running setup for $beat" -beat=$1 +if [[ $beat == "packetbeat" ]]; then + kibana_domain="localhost" +else + kibana_domain="kibana" +fi -until curl -s "http://kibana:5601/login" | grep "Loading Kibana" > /dev/null; do +until curl -s "http://${kibana_domain}:5601/login" | grep "Loading Kibana" > /dev/null; do echo "Waiting for kibana..." sleep 1 done -chmod go-w /usr/share/$beat/$beat.yml - - echo "Creating keystore..." # create beat keystore -${beat} --strict.perms=false keystore create --force -chown 1000 /usr/share/$beat/$beat.keystore -chmod go-w /usr/share/$beat/$beat.yml +eval "$command keystore create --force" echo "adding ES_PASSWORD to keystore..." -echo "$ELASTIC_PASSWORD" | ${beat} --strict.perms=false keystore add ELASTIC_PASSWORD --stdin -${beat} --strict.perms=false keystore list +echo "$ELASTIC_PASSWORD" | ${command} keystore add ELASTIC_PASSWORD --stdin +eval "$command keystore list" echo "Setting up dashboards..." # Load the sample dashboards for the Beat. # REF: https://www.elastic.co/guide/en/beats/metricbeat/master/metricbeat-sample-dashboards.html -${beat} --strict.perms=false setup -v - -echo "Copy keystore to ./config dir" -cp /usr/share/$beat/$beat.keystore /config/$beat/$beat.keystore -chown 1000:1000 /config/$beat/$beat.keystore +eval "$command setup -v" +chown -R 1000:1000 config diff --git a/scripts/setup-elasticsearch.sh b/scripts/setup-elasticsearch.sh index 13830e8..585b17b 100755 --- a/scripts/setup-elasticsearch.sh +++ b/scripts/setup-elasticsearch.sh 
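Review bot: removing `set -euo pipefail` masks failures instead of fixing the early exit the commit message mentions: a failed `keystore create` no longer stops the script, and an unset `ELASTIC_PASSWORD` is stored as an empty string by `echo "$ELASTIC_PASSWORD" | ${command} keystore add ELASTIC_PASSWORD --stdin`. Keep the `set` line and replace the `eval "$command ..."` string assembly with an array, e.g. `cmd=("$beat" "-c=/usr/share/$beat/config/$beat.yml" "--strict.perms=false")` followed by `"${cmd[@]}" keystore create --force`. Two smaller points: the old `chmod go-w` on the config is gone, so the config is no longer hardened after setup, and `chown -R 1000:1000 config` relies on the image's working directory being `/usr/share/$beat`; spell the path out.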
@@ -1,10 +1,5 @@ #!/bin/bash - -if [ -f /config/elasticsearch/elasticsearch.keystore ]; then - echo "Keystore already exists, exiting. If you want to re-run please delete config/elasticsearch/elasticsearch.keystore" - exit 0 -fi - +configdir=/usr/share/elasticsearch/config # Determine if x-pack is enabled echo "Determining if x-pack is installed..." if [[ -d /usr/share/elasticsearch/bin/x-pack ]]; then 
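Review bot: the "keystore already exists, exiting" guard is removed, so every re-run of setup regenerates the Elasticsearch keystore and (in the following hunk) the CA, invalidating all previously issued certificates. If that is intended, say so in the commit message and in the README; otherwise keep an idempotency check against `$configdir/elasticsearch.keystore`.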
@@ -12,53 +7,48 @@ if [[ -d /usr/share/elasticsearch/bin/x-pack ]]; then echo "=== CREATE Keystore ===" echo "Elastic password is: $ELASTIC_PASSWORD" - if [ -f /config/elasticsearch/elasticsearch.keystore ]; then + if [ -f $configdir/elasticsearch.keystore ]; then echo "Remove old elasticsearch.keystore" - rm /config/elasticsearch/elasticsearch.keystore + rm $configdir/elasticsearch.keystore fi - [[ -f /usr/share/elasticsearch/config/elasticsearch.keystore ]] || (/usr/share/elasticsearch/bin/elasticsearch-keystore create) + [[ -f $configdir/elasticsearch.keystore ]] || (/usr/share/elasticsearch/bin/elasticsearch-keystore create) echo "Setting bootstrap.password..." (echo "$ELASTIC_PASSWORD" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -x 'bootstrap.password') - mv /usr/share/elasticsearch/config/elasticsearch.keystore /config/elasticsearch/elasticsearch.keystore # Create SSL Certs echo "=== CREATE SSL CERTS ===" # check if old docker-cluster-ca.zip exists, if it does remove and create a new one. - if [ -f /config/ssl/docker-cluster-ca.zip ]; then + if [ -f $configdir/certs/ssl/docker-cluster-ca.zip ]; then echo "Remove old ca zip..." - rm /config/ssl/docker-cluster-ca.zip + rm $configdir/certs/ssl/docker-cluster-ca.zip fi echo "Creating docker-cluster-ca.zip..." - /usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem --silent --out /config/ssl/docker-cluster-ca.zip + /usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem --silent --out $configdir/certs/ssl/docker-cluster-ca.zip # check if ca directory exists, if does, remove then unzip new files - if [ -d /config/ssl/ca ]; then + if [ -d $configdir/certs/ssl/ca ]; then echo "CA directory exists, removing..." - rm -rf /config/ssl/ca + rm -rf $configdir/certs/ssl/ca fi echo "Unzip ca files..." - unzip /config/ssl/docker-cluster-ca.zip -d /config/ssl + unzip $configdir/certs/ssl/docker-cluster-ca.zip -d $configdir/certs/ssl # check if certs zip exist. If it does remove and create a new one. 
- if [ -f /config/ssl/docker-cluster.zip ]; then + if [ -f $configdir/certs/ssl/docker-cluster.zip ]; then echo "Remove old docker-cluster.zip zip..." - rm /config/ssl/docker-cluster.zip + rm $configdir/certs/ssl/docker-cluster.zip fi echo "Create cluster certs zipfile..." - /usr/share/elasticsearch/bin/elasticsearch-certutil cert --silent --pem --in /config/ssl/instances.yml --out /config/ssl/docker-cluster.zip --ca-cert /config/ssl/ca/ca.crt --ca-key /config/ssl/ca/ca.key + /usr/share/elasticsearch/bin/elasticsearch-certutil cert --silent --pem --in $configdir/certs/ssl/instances.yml --out $configdir/certs/ssl/docker-cluster.zip --ca-cert $configdir/certs/ssl/ca/ca.crt --ca-key $configdir/certs/ssl/ca/ca.key - if [ -d /config/ssl/docker-cluster ]; then - rm -rf /config/ssl/docker-cluster + if [ -d $configdir/certs/ssl/docker-cluster ]; then + rm -rf $configdir/certs/ssl/docker-cluster fi echo "Unzipping cluster certs zipfile..." - unzip /config/ssl/docker-cluster.zip -d /config/ssl/docker-cluster + unzip $configdir/certs/ssl/docker-cluster.zip -d $configdir/certs/ssl/docker-cluster - echo "Move logstash certs to logstash config dir..." - mv /config/ssl/docker-cluster/logstash/* /config/logstash/ - echo "Move kibana certs to kibana config dir..." - mv /config/ssl/docker-cluster/kibana/* /config/kibana/ - echo "Move elasticsearch certs to elasticsearch config dir..." - mv /config/ssl/docker-cluster/elasticsearch/* /config/elasticsearch/ + chown 1000:1000 -R $configdir/certs + echo "setup-elasticsearch.sh.... done" fi fi diff --git a/scripts/setup-kibana.sh b/scripts/setup-kibana.sh index e7b1851..2c308d0 100755 --- a/scripts/setup-kibana.sh +++ b/scripts/setup-kibana.sh @@ -2,7 +2,7 @@ set -euo pipefail -cacert=/usr/share/kibana/config/ca/ca.crt +cacert=/certs/ssl/ca/ca.crt # Wait for ca file to exist before we continue. If the ca file doesn't exist # then something went wrong. while [ ! -f $cacert ] 
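Review bot: in the setup-elasticsearch.sh hunk above, `chown 1000:1000 -R $configdir/certs` leaves `ca.key` and the instance `.key` files produced by `elasticsearch-certutil` and `unzip` at whatever mode unzip assigned, in a volume every container mounts; add a `find "$configdir/certs" -name '*.key' -exec chmod 600 {} \;` after the chown. Since the `mv` of the kibana and logstash certs into their own config directories is also removed, those files now stay under `certs/ssl/docker-cluster/<name>/`, which only works if kibana.yml and logstash.yml were updated to those paths (not visible in this hunk); please confirm.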
@@ -39,4 +39,3 @@ fi echo "Setting elasticsearch.password: $ELASTIC_PASSWORD" echo "$ELASTIC_PASSWORD" | /usr/share/kibana/bin/kibana-keystore add 'elasticsearch.password' -x -mv /usr/share/kibana/data/kibana.keystore /config/kibana/kibana.keystore diff --git a/scripts/setup-logstash.sh b/scripts/setup-logstash.sh index 84a7896..d9569f8 100755 --- a/scripts/setup-logstash.sh +++ b/scripts/setup-logstash.sh @@ -2,7 +2,7 @@ set -euo pipefail -cacert=/usr/share/logstash/config/ca/ca.crt +cacert=/certs/ssl/ca/ca.crt # Wait for ca file to exist before we continue. If the ca file doesn't exist # then something went wrong. while [ ! -f $cacert ] @@ -13,15 +13,15 @@ ls -l $cacert es_url=https://elasticsearch:9200 # Wait for Elasticsearch to start up before doing anything. -while [[ "$(curl -u "elastic:${ELASTIC_PASSWORD}" --cacert $cacert -s -o /dev/null -w '%{http_code}' $es_url)" != "200" ]]; do - sleep 5 +while [[ $(curl -u "elastic:${ELASTIC_PASSWORD}" --cacert $cacert -s -o /dev/null -w '%{http_code}' $es_url) != "200" ]]; do + sleep 5 done # Set the password for the logstash user. # REF: https://www.elastic.co/guide/en/x-pack/6.0/setting-up-authentication.html#set-built-in-user-passwords until curl -u "elastic:${ELASTIC_PASSWORD}" --cacert $cacert -s -H 'Content-Type:application/json' \ -XPUT $es_url/_xpack/security/user/logstash_system/_password \ - -d "{\"password\": \"${ELASTIC_PASSWORD}\"}" + -d '{"password": "${ELASTIC_PASSWORD}"}' do sleep 2 echo Retrying... @@ -36,4 +36,3 @@ fi echo "y" | /usr/share/logstash/bin/logstash-keystore create echo "Setting ELASTIC_PASSWORD..." echo "$ELASTIC_PASSWORD" | /usr/share/logstash/bin/logstash-keystore add 'ELASTIC_PASSWORD' -x -mv /usr/share/logstash/config/logstash.keystore /config/logstash/logstash.keystore diff --git a/scripts/setup-users.sh b/scripts/setup-users.sh index 32c62e9..f002f02 100755 --- a/scripts/setup-users.sh +++ b/scripts/setup-users.sh 
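Review bot: in the setup-logstash.sh hunk, switching the request body to single quotes is a functional bug: bash does not expand inside single quotes, so `-d '{"password": "${ELASTIC_PASSWORD}"}'` sets the logstash_system password to the literal string `${ELASTIC_PASSWORD}`. Revert to the double-quoted form `-d "{\"password\": \"${ELASTIC_PASSWORD}\"}"` as setup-users.sh still uses, or build the body with printf.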
@@ -1,20 +1,21 @@ #!/bin/bash set -euo pipefail - -cacert=/config/elasticsearch/ca/ca.crt +cacert=/usr/share/elasticsearch/config/certs/ssl/ca/ca.crt # Wait for ca file to exist before we continue. If the ca file doesn't exist # then something went wrong. while [ ! -f $cacert ] do - sleep 2 + echo "No cert found at $cacert" + exit 1 done ls -l $cacert es_url=https://elastic:${ELASTIC_PASSWORD}@elasticsearch:9200 # Wait for Elasticsearch to start up before doing anything. until curl -s --cacert $cacert $es_url -o /dev/null; do - sleep 1 + sleep 3 + echo "Waiting for Elasticsearch..." done # Set the password for the kibana user. @@ -24,7 +25,7 @@ until curl --cacert $cacert -s -H 'Content-Type:application/json' \ -d "{\"password\": \"${ELASTIC_PASSWORD}\"}" do sleep 2 - echo Retrying... + echo Failed to set kibana password, retrying... done until curl --cacert $cacert -s -H 'Content-Type:application/json' \ @@ -32,5 +33,5 @@ until curl --cacert $cacert -s -H 'Content-Type:application/json' \ -d "{\"password\": \"${ELASTIC_PASSWORD}\"}" do sleep 2 - echo Retrying... + echo Failed to set logstash_system password, retrying... done diff --git a/scripts/setup.sh b/scripts/setup.sh index daccbf3..46b9c77 100755 --- a/scripts/setup.sh +++ b/scripts/setup.sh 
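Review bot: `while [ ! -f $cacert ]` now contains an unconditional `exit 1`, so it is a loop that runs at most once; write it as `if [ ! -f "$cacert" ]; then echo "No cert found at $cacert"; exit 1; fi`. While here, `es_url=https://elastic:${ELASTIC_PASSWORD}@elasticsearch:9200` embeds the password in the URL, which shows up in process listings; the later calls in this file already use `-u`, so do the same for the wait loop.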
@@ -1,24 +1,31 @@ -#/bin/ash -confdir="${PWD}/config" -chown 1000 -R "$confdir" -find "$confdir" -type f -name "*.keystore" -exec chmod go-wrx {} \; -find "$confdir" -type f -name "*.yml" -exec chmod go-wrx {} \; - -if [ -f "$confdir/elasticsearch/elasticsearch.keystore" ]; then - rm "$confdir/elasticsearch/elasticsearch.keystore" -fi +#/bin/bash PW=$(openssl rand -base64 16;) ELASTIC_PASSWORD="${ELASTIC_PASSWORD:-$PW}" export ELASTIC_PASSWORD -docker-compose -f docker-compose.yml -f docker-compose.setup.yml up setup_elasticsearch +echo "Running 'setup-elasticsearch.sh'\n" +docker-compose run --rm -e ELASTIC_PASSWORD=$ELASTIC_PASSWORD elasticsearch /usr/local/bin/setup-elasticsearch.sh +echo "Starting Elasticsearch...." + +docker-compose up -d elasticsearch +printf "Running 'setup-users.sh'\n" +docker exec -i -e ELASTIC_PASSWORD=$ELASTIC_PASSWORD elasticsearch /usr/local/bin/setup-users.sh + +## setup kibana +printf "Running 'setup-kibana.sh'\n" +docker-compose run --rm -e ELASTIC_PASSWORD=$ELASTIC_PASSWORD kibana /usr/local/bin/setup-kibana.sh +docker-compose up -d kibana +## setup logstash +printf "Running 'setup-logstash.sh'\n" +docker-compose run --rm -u root -e ELASTIC_PASSWORD=$ELASTIC_PASSWORD logstash /usr/local/bin/setup-logstash.sh -# setup kibana and logstash (and system passwords) -docker-compose -f docker-compose.yml -f docker-compose.setup.yml up setup_kibana setup_logstash -# setup beats and apm server -docker-compose -f docker-compose.yml -f docker-compose.setup.yml up setup_auditbeat setup_filebeat setup_heartbeat setup_metricbeat setup_packetbeat setup_apm_server +## setup filebeat +for service in filebeat heartbeat packetbeat metricbeat apm-server +do + setup_command="docker-compose run --rm -u root -e ELASTIC_PASSWORD=$ELASTIC_PASSWORD $service /usr/local/bin/setup-beat.sh" + eval $setup_command +done +printf "\n\n****************************\n\n" printf "Setup completed successfully. 
To start the stack please run:\n\t docker-compose up -d\n" -printf "\nIf you wish to remove the setup containers please run:\n\tdocker-compose -f docker-compose.yml -f docker-compose.setup.yml down --remove-orphans\n" -printf "\nYou will have to re-start the stack after removing setup containers.\n" printf "\nYour 'elastic' user password is: $ELASTIC_PASSWORD\n" diff --git a/setup/Dockerfile b/setup/Dockerfile new file mode 100644 index 0000000..27fd448 --- /dev/null +++ b/setup/Dockerfile @@ -0,0 +1,2 @@ +FROM docker/compose:1.21.2 +RUN apk update && apk add bash make diff --git a/setup.yml b/setup/setup.yml similarity index 75% rename from setup.yml rename to setup/setup.yml index 2419a4f..47e211a 100644 --- a/setup.yml +++ b/setup/setup.yml @@ -1,7 +1,7 @@ version: "3.6" services: setup: - image: docker/compose:1.21.2 + build: . working_dir: "${PWD}" cap_add: ['SYS_ADMIN'] environment: @@ -9,10 +9,11 @@ services: - "ELASTIC_PASSWORD" - "ELASTIC_VERSION" - "TAG" + - "COMPOSE_PROJECT_NAME=stackdocker" volumes: - "/var/run/docker.sock:/var/run/docker.sock" - "${PWD}:${PWD}" entrypoint: ["/bin/ash", "-c"] - command: ['cat ./scripts/setup.sh | tr -d "\r" | ash'] + command: ['cat ./scripts/setup.sh | tr -d "\r" | bash'] # command: ["./scripts/setup.sh"] From fa0d90bc164a2a643f82053be1aad34f3ce1496f Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Fri, 25 Jan 2019 11:20:57 -0700 Subject: [PATCH 02/11] clean up clean target --- Makefile | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 2113cec..a94f61a 100644 --- a/Makefile +++ b/Makefile 
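Review bot: in the setup.sh hunk, the shebang `#/bin/bash` is missing the `!` (the old `#/bin/ash` had the same defect), so the file is not directly executable and only runs when fed to a shell. Also, `echo "Running 'setup-elasticsearch.sh'\n"` prints a literal `\n` where the other lines use printf, and `setup_command="docker-compose run ... -e ELASTIC_PASSWORD=$ELASTIC_PASSWORD ..."` followed by `eval $setup_command` is unnecessary: invoke docker-compose directly with `-e ELASTIC_PASSWORD="$ELASTIC_PASSWORD"` quoted, which removes the eval and the word-splitting hazard.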
@@ -27,8 +27,5 @@ $(TARGETS:%=%-checkout): (cd stack/$(@:%-checkout=%) && git fetch && git reset --hard && git checkout origin/$(GIT_BRANCH)) $(TARGETS:%=%-clean): - rm -rf stack/$(@:%-clean=%) && find . -name "*.keystore" -exec rm -f {} \; && \ - docker-compose -f docker-compose.setup.yml -f docker-compose.yml down --remove-orphans && \ - docker-compose -f setup.yml down --remove-orphans && \ - docker volume rm stack-docker_es_data + docker-compose down --remove-orphans -v From 4ad1613a94497e2731a05156ff4885fb5bd37fc7 Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Fri, 25 Jan 2019 11:21:10 -0700 Subject: [PATCH 03/11] fix up missing ssl cert stuff --- config/auditbeat/auditbeat.yml | 6 ++++-- config/logstash/logstash.yml | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/config/auditbeat/auditbeat.yml b/config/auditbeat/auditbeat.yml index 98f1613..62993a9 100644 --- a/config/auditbeat/auditbeat.yml +++ b/config/auditbeat/auditbeat.yml @@ -1,3 +1,5 @@ +keystore.path: "/usr/share/auditbeat/config/auditbeat.keystore" + auditbeat.modules: - module: auditd @@ -19,7 +21,7 @@ output.elasticsearch: username: elastic # Read PW from auditbeat.keystore password: "${ELASTIC_PASSWORD}" - ssl.certificate_authorities: ["/usr/share/auditbeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] setup.kibana: host: "http://kibana:5601" @@ -27,6 +29,6 @@ setup.kibana: password: "${ELASTIC_PASSWORD}" protocol: "http" ssl.enabled: false - ssl.certificate_authorities: ["/usr/share/auditbeat/certs/ca/ca.crt"] + ssl.certificate_authorities: ["/certs/ssl/ca/ca.crt"] xpack.monitoring.enabled: true diff --git a/config/logstash/logstash.yml b/config/logstash/logstash.yml index 943951c..3856890 100644 --- a/config/logstash/logstash.yml +++ b/config/logstash/logstash.yml 
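Review bot: `$(TARGETS:%=%-clean)` is a pattern over per-component targets, but the new recipe ignores the target and runs `docker-compose down --remove-orphans -v` for all of them, so any `<component>-clean` removes every volume including `es_data` and all keystores. Either collapse this into a single `clean` target or keep the per-target `rm -rf stack/$(@:%-clean=%)`, and state in the README that `-v` deletes indexed data.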
@@ -3,4 +3,4 @@ http.host: 0.0.0.0 xpack.monitoring.elasticsearch.password: ${ELASTIC_PASSWORD} xpack.monitoring.elasticsearch.url: https://elasticsearch:9200 xpack.monitoring.elasticsearch.username: logstash_system -xpack.monitoring.elasticsearch.ssl.ca: /certs/ca/ca.crt +xpack.monitoring.elasticsearch.ssl.ca: /certs/ssl/ca/ca.crt From 297ec4ddb4eddcdb2324fba4cfe170ddbfa80d29 Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Fri, 25 Jan 2019 11:21:20 -0700 Subject: [PATCH 04/11] uncomment auditbeat --- docker-compose.yml | 45 ++++++++++++++++++++++----------------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 5ef12f5..3e9416a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -74,29 +74,28 @@ services: timeout: 50s retries: 5 - # auditbeat: - # image: docker.elastic.co/beats/auditbeat:${TAG} - # container_name: auditbeat - # command: -e --strict.perms=false # -e flag to log to stderr and disable syslog/file output - # cap_add: ['AUDIT_CONTROL', 'AUDIT_READ'] - # secrets: - # - source: auditbeat.yml - # target: /usr/share/auditbeat/auditbeat.yml - # - source: auditbeat.keystore - # target: /usr/share/auditbeat/auditbeat.keystore - # - source: ca.crt - # target: /usr/share/auditbeat/certs/ca/ca.crt - # # Auditbeat must run in the main process namespace. - # pid: host - # volumes: - # - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' - # networks: ['stack'] - # depends_on: ['elasticsearch', 'kibana'] - # healthcheck: - # test: auditbeat --strict.perms=false test config - # interval: 30s - # timeout: 15s - # retries: 5 + auditbeat: + image: docker.elastic.co/beats/auditbeat:${TAG} + container_name: auditbeat + hostname: auditbeat + command: -e -c=config/auditbeat.yml # -e flag to log to stderr and disable syslog/file output + cap_add: ['AUDIT_CONTROL', 'AUDIT_READ'] + # Auditbeat must run in the main process namespace. + pid: host + volumes: + - 'ab_config:/usr/share/auditbeat/config' + - 'certs:/certs' + - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' + - './config/auditbeat/auditbeat.yml:/usr/share/auditbeat/config/auditbeat.yml' + volumes: + - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' + networks: ['stack'] + depends_on: ['elasticsearch', 'kibana'] + healthcheck: + test: auditbeat --strict.perms=false test config + interval: 30s + timeout: 15s + retries: 5 filebeat: image: docker.elastic.co/beats/filebeat:${TAG} From 9178b489be2a0321bf5dd06beb7ebfcc1d184509 Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Fri, 25 Jan 2019 12:44:14 -0700 Subject: [PATCH 05/11] adding gitattrs --- .gitattributes | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .gitattributes 
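Review bot: the uncommented auditbeat service has two `volumes:` keys; PyYAML keeps the last one, so the `ab_config` and `certs` mounts are silently dropped in this commit, and `ab_config` is not declared under the top-level `volumes:` either (both are fixed in patch 07, which should be squashed into this one). As with the other beats, `command: -e -c=config/auditbeat.yml` drops `--strict.perms=false` while the healthcheck keeps it.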
diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..efdba87 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +* text=auto +*.sh text eol=lf From f728298bcde1a83a7ea3dfc361d357ce81618cc4 Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Fri, 25 Jan 2019 12:52:31 -0700 Subject: [PATCH 06/11] Update the readme for some windows bits and update the setup command to be correct. --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3cdb8cd..d64e5f1 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,12 @@ with Docker for Windows/Mac. pip install docker-compose ``` +### Windows +Please note that this repo has scripting that's written in `bash`. What this means is the containers that are linux based +are expecting linux style line endings. If you clone this repo and you have windows style line endings, then please +read [The case of Windows line-ending in bash-script](https://techblog.dorogin.com/case-of-windows-line-ending-in-bash-script-7236f056abe). We've included the `.gitattributes` file in this project to help alliviate any issues. But you might need to make +git global config settings. + * Windows Users must set the following 2 ENV vars: * `COMPOSE_CONVERT_WINDOWS_PATHS=1` * `PWD=/path/to/checkout/for/stack-docker` @@ -49,7 +55,7 @@ First we need to: This is accomplished using the setup.yml file: ``` -docker-compose -f setup.yml run --rm setup bash +docker-compose -f setup/setup.yml run --rm setup bash bash ./scripts/setup.sh ``` When the setup has finished you can type `exit` to quit the setup process From 484c9f93411b2d940013d17b238ab91cfed82baa Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Fri, 25 Jan 2019 13:24:16 -0700 Subject: [PATCH 07/11] fixes --- docker-compose.yml | 3 +-- scripts/setup.sh | 2 +- setup/Dockerfile | 4 ++-- setup/setup.yml | 8 +++----- 4 files changed, 7 insertions(+), 10 deletions(-) 
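Review bot: in the README hunk, "alliviate" should be "alleviate", and "you might need to make git global config settings" would read better as "you may still need to set `core.autocrlf` in your global git config". The `.gitattributes` rules themselves look right for the `*.sh` files the containers execute.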
diff --git a/docker-compose.yml b/docker-compose.yml index 3e9416a..e85dcba 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -87,8 +87,6 @@ services: - 'certs:/certs' - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' - './config/auditbeat/auditbeat.yml:/usr/share/auditbeat/config/auditbeat.yml' - volumes: - - './scripts/setup-beat.sh:/usr/local/bin/setup-beat.sh:ro' networks: ['stack'] depends_on: ['elasticsearch', 'kibana'] healthcheck: @@ -219,6 +217,7 @@ volumes: kb_config: kb_data: ls_config: + ab_config: fb_config: hb_config: mb_config: diff --git a/scripts/setup.sh b/scripts/setup.sh index 46b9c77..45777cf 100755 --- a/scripts/setup.sh +++ b/scripts/setup.sh @@ -20,7 +20,7 @@ printf "Running 'setup-logstash.sh'\n" docker-compose run --rm -u root -e ELASTIC_PASSWORD=$ELASTIC_PASSWORD logstash /usr/local/bin/setup-logstash.sh ## setup filebeat -for service in filebeat heartbeat packetbeat metricbeat apm-server +for service in auditbeat filebeat heartbeat packetbeat metricbeat apm-server do setup_command="docker-compose run --rm -u root -e ELASTIC_PASSWORD=$ELASTIC_PASSWORD $service /usr/local/bin/setup-beat.sh" eval $setup_command diff --git a/setup/Dockerfile b/setup/Dockerfile index 27fd448..bff493b 100644 --- a/setup/Dockerfile +++ b/setup/Dockerfile @@ -1,2 +1,2 @@ -FROM docker/compose:1.21.2 -RUN apk update && apk add bash make +FROM docker/compose:1.23.2 +RUN apk update && apk add bash \ No newline at end of file diff --git a/setup/setup.yml b/setup/setup.yml index 47e211a..f6ee415 100644 --- a/setup/setup.yml +++ b/setup/setup.yml 
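Review bot: the Dockerfile now ends without a trailing newline (`\ No newline at end of file`), and `apk update && apk add bash` leaves the package index in the image; `RUN apk add --no-cache bash` is the usual form. In the setup.sh hunk the comment `## setup filebeat` still sits above a loop that now covers auditbeat through apm-server; rename it.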
@@ -9,11 +9,9 @@ services: - "ELASTIC_PASSWORD" - "ELASTIC_VERSION" - "TAG" - - "COMPOSE_PROJECT_NAME=stackdocker" + - "COMPOSE_PROJECT_NAME=stack-docker" volumes: - "/var/run/docker.sock:/var/run/docker.sock" - "${PWD}:${PWD}" - entrypoint: ["/bin/ash", "-c"] - command: ['cat ./scripts/setup.sh | tr -d "\r" | bash'] - - # command: ["./scripts/setup.sh"] + entrypoint: ["/bin/bash", "-c"] + command: ["./scripts/setup.sh"] \ No newline at end of file From fc05c25a7bb64590813493e91c79a0bc4079fd48 Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Fri, 25 Jan 2019 13:25:06 -0700 Subject: [PATCH 08/11] update read me --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index d64e5f1..b00ef9e 100644 --- a/README.md +++ b/README.md @@ -55,10 +55,8 @@ First we need to: This is accomplished using the setup.yml file: ``` -docker-compose -f setup/setup.yml run --rm setup bash -bash ./scripts/setup.sh +docker-compose -f setup/setup.yml run --rm setup ``` -When the setup has finished you can type `exit` to quit the setup process Please take note after the setup completes it will output the password that is used for the `elastic` login. From b13f5c19665a855f16f942d1fd8071d97847bb37 Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Fri, 25 Jan 2019 15:31:35 -0700 Subject: [PATCH 09/11] update docs for readme --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b00ef9e..f402613 100644 --- a/README.md +++ b/README.md 
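Review bot: `entrypoint: ["/bin/bash", "-c"]` with `command: ["./scripts/setup.sh"]` executes the script through its shebang, which patch 01 left as `#/bin/bash` without the `!`; it only works because bash re-runs an ENOEXEC file as a shell script. Fix the shebang rather than rely on that fallback. Dropping the `tr -d "\r"` pipeline also means a CRLF checkout now fails outright, which is what the new `.gitattributes` is for; the README should say that the repo must be cloned after that file is in place (or the working tree re-normalized).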
@@ -7,16 +7,19 @@ Elastic Stack, all running on a single machine under Docker. * Windows and Mac users get Compose installed automatically with Docker for Windows/Mac. + * Ensure that docker-compose version >= 1.21.0, + * Compose introduced a bug wrt project names stripping out hyphens and underscores that was fixed in 1.21.0 + * Linux users can read the [install instructions](https://docs.docker.com/compose/install/#install-compose) or can install via pip: ``` pip install docker-compose ``` -### Windows +### Windows Please note that this repo has scripting that's written in `bash`. What this means is the containers that are linux based -are expecting linux style line endings. If you clone this repo and you have windows style line endings, then please +are expecting linux style line endings. If you clone this repo and you have windows style line endings, then please read [The case of Windows line-ending in bash-script](https://techblog.dorogin.com/case-of-windows-line-ending-in-bash-script-7236f056abe). We've included the `.gitattributes` file in this project to help alliviate any issues. But you might need to make -git global config settings. +git global config settings. * Windows Users must set the following 2 ENV vars: * `COMPOSE_CONVERT_WINDOWS_PATHS=1` From d932b94c2786624795209e8f010e8f55bdec80e4 Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Fri, 25 Jan 2019 15:45:11 -0700 Subject: [PATCH 10/11] Add command how to get the ca.crt --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index f402613..e921ff2 100644 --- a/README.md +++ b/README.md 
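Review bot: the `-`/`+` pairs in this hunk differ only in trailing whitespace; the one substantive addition, the `docker-compose >= 1.21.0` bullet, would read better as "Compose introduced a bug with respect to project names (hyphens and underscores were stripped) that was fixed in 1.21.0" instead of "wrt".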
@@ -70,6 +70,10 @@ and Heartbeat. Point a browser at [`http://localhost:5601`](http://localhost:5601) to see the results. > *NOTE*: Elasticsearch is now setup with self-signed certs. +> This means anytime you want to interact with elasticsearch by using other tools/clients you must use +> https, and if you want to get the `ca.crt` you can get it by running +> `docker exec -it elasticsearch cat /usr/share/elasticsearch/config/certs/ssl/ca/ca.crt` + Log in with `elastic` and what ever your auto generated elastic password is from the setup. From 69b32c7f7b31d877ac83526d1305e883e1a72758 Mon Sep 17 00:00:00 2001 From: Nick Lang Date: Tue, 29 Jan 2019 08:21:36 -0700 Subject: [PATCH 11/11] More documentation about how to use docker-compose --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index e921ff2..29749da 100644 --- a/README.md +++ b/README.md @@ -64,6 +64,16 @@ docker-compose -f setup/setup.yml run --rm setup Please take note after the setup completes it will output the password that is used for the `elastic` login. +*Please note* that this repository makes the assumption that you will be cloneing the repository into a directory +named `stack-docker`. If you choose to name the directory something else upon cloneing or after, you will have +to specify the `-p stack-docker` flag when running `docker-compose` commands (aside from the setup command). + +From the docker-compose help: +``` +-p, --project-name NAME Specify an alternate project name + (default: directory name) +``` + Now we can launch the stack with `docker-compose up -d` to create a demonstration Elastic Stack with Elasticsearch, Kibana, Logstash, Auditbeat, Metricbeat, Filebeat, Packetbeat, and Heartbeat.
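Review bot: "cloneing" appears twice in the project-name note; "cloning". In the preceding NOTE, the `docker exec -it elasticsearch cat .../certs/ssl/ca/ca.crt` tip is fine, but since setup-elasticsearch.sh writes `ca.key` into that same directory, add a sentence that the CA private key lives beside it and must not be copied out or distributed with the certificate.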