forked from deviantony/docker-elk
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdocker-compose.yml
246 lines (236 loc) · 9.04 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
version: '3.7'
services:
# The 'tls' service runs a one-off script which initializes TLS certificates and
# private keys for all components of the stack inside the local tls/ directory.
#
# This task only needs to be performed once, *before* the first stack startup.
#
# By default, it is excluded from the services started by 'docker compose up'
# due to the non-default profile it belongs to. To run it, either provide the
# '--profile=setup' CLI flag to Compose commands, or "up" the service by name
# such as 'docker compose up tls'.
tls:
profiles:
- setup
build:
context: tls/
args:
ELASTIC_VERSION: ${ELASTIC_VERSION}
user: root # ensures we can write to the local tls/ directory.
init: true
volumes:
- ./tls/entrypoint.sh:/entrypoint.sh:ro,Z
- ./tls/instances.yml:/usr/share/elasticsearch/tls/instances.yml:ro,Z
- ${METRICS_CRTS_DIR}:/usr/share/elasticsearch/tls/certs:z
# The 'setup' service runs a one-off script which initializes users inside
# Elasticsearch — such as 'logstash_internal' and 'kibana_system' — with the
# values of the passwords defined in the '.env' file. It also creates the
# roles required by some of these users.
#
# This task only needs to be performed once, during the *initial* startup of
# the stack. Any subsequent run will reset the passwords of existing users to
# the values defined inside the '.env' file, and the built-in roles to their
# default permissions.
#
# By default, it is excluded from the services started by 'docker compose up'
# due to the non-default profile it belongs to. To run it, either provide the
# '--profile=setup' CLI flag to Compose commands, or "up" the service by name
# such as 'docker compose up setup'.
setup:
profiles:
- setup
build:
context: setup/
args:
ELASTIC_VERSION: ${ELASTIC_VERSION}
init: true
volumes:
- ./setup/entrypoint.sh:/entrypoint.sh:ro,Z
- ./setup/lib.sh:/lib.sh:ro,Z
- ./setup/roles:/roles:ro,Z
# (!) CA certificate. Generate using the 'tls' service.
- ${METRICS_CRTS_DIR}/ca/ca.crt:/ca.crt:ro,z
environment:
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
METRICBEAT_INTERNAL_PASSWORD: ${METRICBEAT_INTERNAL_PASSWORD:-}
FILEBEAT_INTERNAL_PASSWORD: ${FILEBEAT_INTERNAL_PASSWORD:-}
HEARTBEAT_INTERNAL_PASSWORD: ${HEARTBEAT_INTERNAL_PASSWORD:-}
MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
networks:
- elk
depends_on:
- elasticsearch
elasticsearch:
build:
context: elasticsearch/
args:
ELASTIC_VERSION: ${ELASTIC_VERSION}
volumes:
- ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro,Z
- elasticsearch:/usr/share/elasticsearch/data:Z
# (!) TLS certificates. Generate using the 'tls' service.
- ${METRICS_CRTS_DIR}/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro,z
- ${METRICS_CRTS_DIR}/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro,z
- ${METRICS_CRTS_DIR}/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro,z
# ports:
# - 9200:9200
# - 9300:9300
environment:
node.name: elasticsearch
ES_JAVA_OPTS: -Xms3g -Xmx3g
# Bootstrap password.
# Used to initialize the keystore during the initial startup of
# Elasticsearch. Ignored on subsequent runs.
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
# Use single node discovery in order to disable production mode and avoid bootstrap checks.
# see: https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
discovery.type: single-node
networks:
- elk
healthcheck:
test: curl -k -u "elastic:${ELASTIC_PASSWORD}" https://elasticsearch:9200
interval: 1s
timeout: 5s
retries: 1000
restart: unless-stopped
logstash:
user: root
build:
context: logstash/
args:
ELASTIC_VERSION: ${ELASTIC_VERSION}
volumes:
- ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro,z
- ./logstash/pipeline:/usr/share/logstash/pipeline:ro,z
- ./logstash/config/zero-replica-template.json:/etc/logstash/zero-replica-template.json:ro,Z
# (!) CA certificate. Generate using the 'tls' service.
- ${METRICS_CRTS_DIR}/ca/ca.crt:/usr/share/logstash/config/ca.crt:ro,z
# Easy viewing of logs on host for debug
# - ./logs/logstash:${METRICS_LOGS_DIR}/logstash/
# ports:
# - 5044:5044
# - 50000:50000/tcp
# - 50000:50000/udp
# - 9600:9600
environment:
# https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html#heap-size-settings
LS_JAVA_OPTS: -Xms1g -Xmx1g
LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
# TODO: admin elastic user is needed to create the indexes
# https://github.com/deviantony/docker-elk/issues/687
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
networks:
- elk
depends_on:
- elasticsearch
restart: unless-stopped
kibana:
build:
context: kibana/
args:
ELASTIC_VERSION: ${ELASTIC_VERSION}
volumes:
- ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro,Z
# (!) TLS certificates. Generate using the 'tls' service.
- ${METRICS_CRTS_DIR}/ca/ca.crt:/usr/share/kibana/config/ca.crt:ro,z
- ${METRICS_CRTS_DIR}/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt:ro,Z
- ${METRICS_CRTS_DIR}/kibana/kibana.key:/usr/share/kibana/config/kibana.key:ro,Z
# ports:
# - 5601:5601
environment:
KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
encryptedSavedObjects_encryptionKey: ${kibana_encryptedSavedObjects_encryptionKey}
reporting_encryptionKey: ${kibana_reporting_encryptionKey}
security_encryptionKey: ${kibana_security_encryptionKey}
SERVER_BASEPATH: '/kibana'
SERVER_REWRITEBASEPATH: 'true'
KIBANA_PUBLIC_BASE_URL: ${KIBANA_PUBLIC_BASE_URL}
networks:
- elk
depends_on:
- elasticsearch
healthcheck:
test: curl -k http://kibana:5601 >/dev/null || exit 1
interval: 1s
timeout: 5s
retries: 1000
restart: unless-stopped
nginx:
build:
context: nginx/
restart: unless-stopped
ports:
- "${KIBANA_PROXY_PORT}:${KIBANA_PROXY_PORT}"
- "${CADDY_PROXY_PORT}:${CADDY_PROXY_PORT}"
# Uncomment and add files in nginx/conf.d_templates if you want to access elastic and logstash by publishing ports
- "${ELASTIC_PROXY_PORT}:${ELASTIC_PROXY_PORT}"
# - "${LOGSTASH_PROXY_PORT}:${LOGSTASH_PROXY_PORT}"
volumes:
- ./nginx/conf.d_templates:/etc/nginx/templates
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro,Z
- ${METRICS_CRTS_DIR}:/etc/nginx/certs
- ./nginx/ssl-params.conf:/etc/nginx/ssl/ssl-params.conf:ro,Z
networks:
- elk
- caddy
environment:
NGINX_ENVSUBST_TEMPLATE_DIR: /etc/nginx/templates
NGINX_ENVSUBST_TEMPLATE_SUFFIX: ".conf"
METRICS_HOSTNAME: ${METRICS_HOSTNAME}
OUTER_PROXY_IP: ${OUTER_PROXY_IP}
OUTER_PROXY_HOSTNAME: ${OUTER_PROXY_HOSTNAME}
CADDY_PROXY_PORT: ${CADDY_PROXY_PORT}
KIBANA_PROXY_PORT: ${KIBANA_PROXY_PORT}
ELASTIC_PROXY_PORT: ${ELASTIC_PROXY_PORT}
# LOGSTASH_PROXY_PORT: ${LOGSTASH_PROXY_PORT}
caddy:
build:
context: caddy/
restart: unless-stopped
# ports:
# - "80:80"
# - "443:443"
# - "443:443/udp"
volumes:
- ./caddy/Caddyfile:/etc/caddy/Caddyfile
- ${CADDY_PUBLIC_DIR}:/usr/share/caddy/
networks:
- caddy
filebeat:
depends_on:
- logstash
image: docker.elastic.co/beats/filebeat:${ELASTIC_VERSION}
restart: unless-stopped
user: root
command:
# Log to stderr.
- -e
# Disable config file permissions checks. Allows mounting
# 'config/filebeat.yml' even if it's not owned by root.
# see: https://www.elastic.co/guide/en/beats/libbeat/current/config-file-permissions.html
- --strict.perms=false
volumes:
- ${METRICS_LOGS_DIR}:${METRICS_LOGS_DIR}
- ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro,Z
- ${FILEBEAT_REGISTRY_DIR}:/usr/share/filebeat/data:rw
environment:
METRICS_LOGS_DIR: ${METRICS_LOGS_DIR:-}
METRICS_LOGFILE_MATCH: ${METRICS_LOGFILE_MATCH-}
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
METRICBEAT_INTERNAL_PASSWORD: ${METRICBEAT_INTERNAL_PASSWORD:-}
FILEBEAT_INTERNAL_PASSWORD: ${FILEBEAT_INTERNAL_PASSWORD:-}
HEARTBEAT_INTERNAL_PASSWORD: ${HEARTBEAT_INTERNAL_PASSWORD:-}
BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
networks:
- elk
networks:
elk:
driver: bridge
caddy:
driver: bridge
volumes:
elasticsearch: