elasticsearchdockerdocker-composeelasticsearch-x-pack

How to set up default 'elastic' user password while running official Elasticsearch docker image?


I want to use official Elasticsearch docker image via docker-compose.yml as official documentation suggests:

My simplified docker-compose.yml looks like the following:

version: '2'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:5.5.2
    environment:
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ports:
      - 9200:9200

By default after running docker-compose up I have user elasticbeing created with default password changeme. As documentation suggests I may change user password by calling:

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{
  "password" : "elasticpassword"
}'

But this would require additional step while running Docker image.

Is there a way to configure default elastic user password during docker-compose up command? Maybe through environment variables somehow or via elasticsearch.yml configuration file?

I could create my own image as a wrapper on top of docker.elastic.co/elasticsearch/elasticsearch:5.5.2 image and RUN curl ... command as a part of related Dockerfile but it seems like overhead to me to create my own version of Elasticsearch image just to configure elastic user password...


Solution

  • The solution that worked for me was to put nginx proxy container with basic authentication in front of elasticsearch container. Nginx config may look something like:

    upstream elasticsearch {
        server elasticsearch:9200;
    }
    
    server {
        listen 80;
        server_name server.name.com;
    
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
    
        location / {
            proxy_pass http://elasticsearch;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
        }
    }
    

    Where .htpasswd contains user name and encrypted user password (you may use even online services to generate it like http://www.htaccesstools.com/htpasswd-generator/).

    Other than that you may just buy a license for X-pack/Shield and use it instead if you wish.