Skip to content

Commit

Permalink
Merge branch 'main' into edit-mode
Browse files Browse the repository at this point in the history
  • Loading branch information
angorayc authored Sep 8, 2023
2 parents 1fb58e5 + 5773a1b commit ea44fc5
Show file tree
Hide file tree
Showing 93 changed files with 1,134 additions and 1,381 deletions.
1 change: 1 addition & 0 deletions config/serverless.oblt.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
## Disable plugins
enterpriseSearch.enabled: false
xpack.cloudSecurityPosture.enabled: false
xpack.infra.enabled: false
xpack.securitySolution.enabled: false
xpack.uptime.enabled: false
xpack.legacy_uptime.enabled: false
Expand Down
1 change: 1 addition & 0 deletions config/serverless.security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
## Disable plugins
enterpriseSearch.enabled: false
xpack.apm.enabled: false
xpack.infra.enabled: false
xpack.observability.enabled: false
xpack.uptime.enabled: false
xpack.legacy_uptime.enabled: false
Expand Down
189 changes: 88 additions & 101 deletions docs/setup/docker.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,10 @@
<titleabbrev>Install with Docker</titleabbrev>
++++

:docker-repo: docker.elastic.co/kibana/kibana
:docker-image: {docker-repo}:{version}
:es-docker-repo: docker.elastic.co/elasticsearch/elasticsearch
:es-docker-image: {es-docker-repo}:{version}
:kib-docker-repo: docker.elastic.co/kibana/kibana
:kib-docker-image: {kib-docker-repo}:{version}
:es-docker-repo: docker.elastic.co/elasticsearch/elasticsearch
:es-docker-image: {es-docker-repo}:{version}

Docker images for {kib} are available from the Elastic Docker registry. The
base image is https://hub.docker.com/_/ubuntu[ubuntu:20.04].
Expand All @@ -21,166 +21,153 @@ These images contain both free and subscription features.

[discrete]
[[run-kibana-on-docker-for-dev]]
=== Run {kib} on Docker for development
=== Run {kib} in Docker for development

. Start an {es} container for development or testing:
+
--
ifeval::["{release-state}"=="unreleased"]

NOTE: No Docker images are currently available for {kib} {version}.
Use Docker commands to run {kib} on a single-node {es} cluster for development or
testing.

endif::[]
TIP: This setup doesn't run multiple {es} nodes by default. To create a
multi-node cluster with {kib}, use Docker Compose instead. Refer to
{ref}/docker.html#docker-compose-file[Start a multi-node cluster with Docker
Compose] in the {es} documentation.

ifeval::["{release-state}"!="unreleased"]
. Install Docker. Visit https://docs.docker.com/get-docker/[Get Docker] to
install Docker for your environment.
+
IMPORTANT: If using Docker Desktop, make sure to allocate at least 4GB of
memory. You can adjust memory usage in Docker Desktop by going to **Settings >
Resources**.

.. Create a new Docker network for {es} and {kib}:
. Create a new Docker network for {es} and {kib}.
+
[source,sh,subs="attributes"]
----
docker network create elastic
----

.. Pull the {es} Docker image:
. Pull the {es} Docker image.
+
--
ifeval::["{release-state}"=="unreleased"]
WARNING: Version {version} has not yet been released.
No Docker image is currently available for {es} {version}.
endif::[]

[source,sh,subs="attributes"]
----
docker pull {es-docker-image}
----
--

.. Optional: Verify the {es} Docker image signature::
. Optional: Install
https://docs.sigstore.dev/system_config/installation/[Cosign] for your
environment. Then use Cosign to verify the {es} image's signature.
+
[source,sh,subs="attributes"]
----
wget https://artifacts.elastic.co/cosign.pub
cosign verify --key cosign.pub {docker-repo}:{version}
cosign verify --key cosign.pub {es-docker-image}
----
+
For details about this step, refer to {ref}/docker.html#docker-verify-signature[Verify the {es} Docker image signature] in the {es} documentation.
The `cosign` command prints the check results and the signature payload in JSON format:
+
[source,sh,subs="attributes"]
--------------------------------------------
Verification for {es-docker-image} --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
--------------------------------------------

.. Start {es} in Docker:
. Start an {es} container.
+
[source,sh,subs="attributes"]
----
docker run --name es-node01 --net elastic -p 9200:9200 -p 9300:9300 -t {es-docker-image}
docker run --name es01 --net elastic -p 9200:9200 -it -m 1GB {es-docker-image}
----



endif::[]

--
+
When you start {es} for the first time, the following security configuration
occurs automatically:
+
* {ref}/configuring-stack-security.html#stack-security-certificates[Certificates and keys]
are generated for the transport and HTTP layers.
* The Transport Layer Security (TLS) configuration settings are written to
`elasticsearch.yml`.
* A password is generated for the `elastic` user.
* An enrollment token is generated for {kib}.
TIP: Use the `-m` flag to set a memory limit for the container. This removes the
need to {ref}/docker.html#docker-set-heap-size[manually set the JVM size].
+
NOTE: You might need to scroll back a bit in the terminal to view the password
and enrollment token.
The command prints the `elastic` user password and an enrollment token for {kib}.

. Copy the generated password and enrollment token and save them in a secure
location. These values are shown only when you start {es} for the first time.
You'll use these to enroll {kib} with your {es} cluster and log in.

. In a new terminal session, start {kib} and connect it to your {es} container:
. Copy the generated `elastic` password and enrollment token. These credentials
are only shown when you start {es} for the first time. You can regenerate the
credentials using the following commands.
+
--
ifeval::["{release-state}"=="unreleased"]

NOTE: No Docker images are currently available for {kib} {version}.

endif::[]

ifeval::["{release-state}"!="unreleased"]

[source,sh,subs="attributes"]
----
docker pull {docker-image}
docker run --name kib-01 --net elastic -p 5601:5601 {docker-image}
docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
----

.. Pull the {kib} Docker image:
. Pull the {kib} Docker image.
+
--
ifeval::["{release-state}"=="unreleased"]
WARNING: Version {version} has not yet been released.
No Docker image is currently available for {kib} {version}.
endif::[]

[source,sh,subs="attributes"]
----
docker pull {docker-image}
docker pull {kib-docker-image}
----
--

.. Optional: Verify the {kib} Docker image signature::
. Optional: Verify the {kib} image's signature.
+
[source,sh,subs="attributes"]
----
wget https://artifacts.elastic.co/cosign.pub
cosign verify --key cosign.pub {docker-repo}:{version}
cosign verify --key cosign.pub {kib-docker-image}
----
+
For details about this step, refer to {ref}/docker.html#docker-verify-signature[Verify the {es} Docker image signature] in the {es} documentation.

.. Start {kib} in Docker:
. Start a {kib} container.
+
[source,sh,subs="attributes"]
----
docker run --name kib-01 --net elastic -p 5601:5601 {docker-image}
docker run --name kib01 --net elastic -p 5601:5601 {kib-docker-image}
----

. When {kib} starts, it outputs a unique generated link to the terminal. To
access {kib}, open this link in a web browser.




endif::[]
--
. In your browser, enter the enrollment token that was generated when you started {es}.
+
To regenerate the token, run:
+
When you start {kib}, a unique link is output to your terminal.

. To access {kib}, click the generated link in your terminal.

.. In your browser, paste the enrollment token that you copied when starting
{es} and click the button to connect your {kib} instance with {es}.

.. Log in to {kib} as the `elastic` user with the password that was generated
when you started {es}.

[[docker-generate]]
[discrete]
=== Generate passwords and enrollment tokens
If you need to reset the password for the `elastic` user or other
built-in users, run the {ref}/reset-password.html[`elasticsearch-reset-password`]
tool. This tool is available in the {es} `bin` directory of the Docker container.

For example, to reset the password for the `elastic` user:

[source,sh]
----
docker exec -it es-node01 /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
----

If you need to generate new enrollment tokens for {kib} or {es} nodes, run the
{ref}/create-enrollment-token.html[`elasticsearch-create-enrollment-token`] tool.
This tool is available in the {es} `bin` directory of the Docker container.

For example, to generate a new enrollment token for {kib}:

. Log in to {kib} as the `elastic` user with the password that was generated
when you started {es}.
+
To regenerate the password, run:
+
[source,sh]
----
docker exec -it es-node01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
----

[discrete]
=== Remove Docker containers
==== Remove Docker containers

To remove the containers and their network, run:

[source,sh]
[source,sh,subs="attributes"]
----
# Remove the Elastic network
docker network rm elastic
docker rm es-node01
docker rm kib-01
# Remove the {es} container
docker rm es01
# Remove the {kib} container
docker rm kib01
----

[discrete]
Expand All @@ -204,7 +191,7 @@ With `docker-compose`, the bind-mount can be specified like this:
version: '2'
services:
kibana:
image: {docker-image}
image: {kib-docker-image}
volumes:
- ./kibana.yml:/usr/share/kibana/config/kibana.yml
--------------------------------------------
Expand All @@ -215,8 +202,8 @@ By default, {kib} auto-generates a keystore file for secure settings at startup.

["source","sh",subs="attributes"]
----
docker run -it --rm -v full_path_to/config:/usr/share/kibana/config -v full_path_to/data:/usr/share/kibana/data {docker-image} bin/kibana-keystore create
docker run -it --rm -v full_path_to/config:/usr/share/kibana/config -v full_path_to/data:/usr/share/kibana/data {docker-image} bin/kibana-keystore add test_keystore_setting
docker run -it --rm -v full_path_to/config:/usr/share/kibana/config -v full_path_to/data:/usr/share/kibana/data {kib-docker-image} bin/kibana-keystore create
docker run -it --rm -v full_path_to/config:/usr/share/kibana/config -v full_path_to/data:/usr/share/kibana/data {kib-docker-image} bin/kibana-keystore add test_keystore_setting
----

[discrete]
Expand Down Expand Up @@ -254,7 +241,7 @@ These variables can be set with +docker-compose+ like this:
version: '2'
services:
kibana:
image: {docker-image}
image: {kib-docker-image}
environment:
SERVER_NAME: kibana.example.org
ELASTICSEARCH_HOSTS: '["http://es01:9200","http://es02:9200","http://es03:9200"]'
Expand Down
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file modified docs/user/security/api-keys/images/api-keys.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading

0 comments on commit ea44fc5

Please sign in to comment.