I am unable to set up a development Elasticsearch/Kibana instance from Docker images. I cannot get my Kibana service to connect to my Elasticsearch service.
I have the following docker-compose.yml file.
services:
  elasticsearch:
    container_name: elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch:8.4.0
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=true
    ports:
      - "9200:9200"
  kibana:
    container_name: kibana
    image: docker.elastic.co/kibana/kibana:8.4.0
    environment:
      - ELASTICSEARCH_URL=http://elasticsearch:9200
      - xpack.security.enabled=true
    ports:
      - "5601:5601"
I start with no containers created and run docker compose up. From the instructions in Start the Elastic Stack with security enabled automatically, I was expecting to see the following:
A password is generated for the elastic user and output to the terminal, plus an enrollment token for enrolling Kibana.
No password is generated. When I look through the logs I see the following from the Kibana container.
[ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]
2022-08-27T03:18:39.927296590Z
When I try to connect to Kibana via http://localhost:5601 I see a "Kibana server is not ready yet." message that never goes away.
There are no errors in the Elasticsearch logs. That service appears to have started without a problem.
On the Elasticsearch GitHub, Issue #85047: Elastic User Password Not Generated on New Container, also describes the password not automatically being generated. The solution in that case was to run docker compose up without a -d switch, which is what I am already doing.
There is a similar error reported on the Elastic discussion boards, but that was resolved with "The error was that my kibana.yml wasn’t in the config-directory." This isn’t the case with me.
As far as I can tell, I am doing the same thing as what works in this blog post.
I have tried various modifications to my docker-compose.yml file (e.g. replace ELASTICSEARCH_URL with ELASTICSEARCH_HOST or ELASTICSEARCH_HOSTS, add elasticsearch.username=kibana_system to the Kibana environment variables, or specify an ELASTIC_PASSWORD). I always get the same error. (Though if I set an ELASTIC_PASSWORD=password environment variable in the Elasticsearch container I can connect via http://localhost:9200 and verify that the Elasticsearch service is running.)
After this failed to work I tried to manually configure minimal security by following the instructions in Set up minimal security for Elasticsearch, but hit the same problem.
If I use elasticsearch-reset-password as described in the manual minimum security setup instructions to set the password for kibana_system to password, the following curl command from my host shell
curl --user kibana_system -X GET "http://localhost:9200/?pretty"
returns a valid response from Elasticsearch. I can also retrieve
curl --user kibana_system -X GET "http://localhost:9200/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip"
the URL mentioned in the Kibana logs error.
So apparently the kibana_system user is being created with the right password, but it’s not getting used properly during Kibana startup.
The following docker-compose.yml file, copied from this blog post, works.
services:
  elasticsearch:
    image: elasticsearch:2.4
    ports:
      - "9200:9200"
    environment:
      - discovery.type=single-node
  kibana:
    image: kibana:4.6
    ports:
      - "5601:5601"
    environment:
      - ELASTICSEARCH_URL=http://elasticsearch:9200
I can immediately log in to Kibana at http://localhost:5601.
Presumably versions 2.4/4.6 are old enough that the security features that are causing problems were not implemented yet.
Version 8.4.0 if I copy the files from the Install Elasticsearch with Docker instructions.
2 Answers
The solution for what I was trying to do is to run without security enabled.
A complete answer is detailed in this thread on the Elastic discussion board.
The summary is that starting with version 8.0, Elastic turns on security by default. In the simplest case, Elastic also sets up the security configuration for you as described in Install Elasticsearch with Docker. However, this automatic setup procedure does not work if you use a Docker compose file instead of running the docker run commands directly. The reasons are complicated and discussed in the thread linked above. If you want to use Docker compose you can either manually set up security yourself or turn off security.
In my case I am writing one-off proofs of concept so having no security is fine. I'll figure out how to set up security manually if I ever need to put something into production.
If I had known to phrase the question as "How do I turn off the automatic security configuration in Elastic versions 8.0 and greater?" the answer would have been straightforward, but I had to figure out the answer in order to realize that was the question to ask.
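One way to take the "manually set up security yourself" route named in the answer above with a Compose file, as an added example (not from the original post or from Elastic's documentation). The `setup` service, the `.env` variable `KIBANA_PASSWORD`, the healthcheck and the loopback-only port bindings are assumptions of this example; it keeps the question's plain-HTTP, single-node layout and configures no TLS.

```yaml
# Added example. Create a .env file beside this one with (placeholder values):
#   ELASTIC_PASSWORD=<choose-a-password>
#   KIBANA_PASSWORD=<choose-another-password>
services:
  elasticsearch:
    container_name: elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch:8.4.0
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=true
      # Bootstrap password for the built-in elastic superuser.
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
    ports:
      # Plain HTTP, so publish on loopback only.
      - "127.0.0.1:9200:9200"
    healthcheck:
      # -f makes curl fail on 401, so "healthy" means authentication works.
      test: ["CMD-SHELL", "curl -sf -u elastic:$${ELASTIC_PASSWORD} http://localhost:9200 >/dev/null"]
      interval: 10s
      retries: 30
  setup:
    # One-shot job: give kibana_system a known password, then exit.
    image: docker.elastic.co/elasticsearch/elasticsearch:8.4.0
    depends_on:
      elasticsearch:
        condition: service_healthy
    environment:
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
      - KIBANA_PASSWORD=${KIBANA_PASSWORD}
    command: >
      bash -c 'curl -sf -X POST -u "elastic:$${ELASTIC_PASSWORD}"
      -H "Content-Type: application/json"
      http://elasticsearch:9200/_security/user/kibana_system/_password
      -d "{\"password\":\"$${KIBANA_PASSWORD}\"}"'
  kibana:
    container_name: kibana
    image: docker.elastic.co/kibana/kibana:8.4.0
    depends_on:
      setup:
        condition: service_completed_successfully
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
    ports:
      - "127.0.0.1:5601:5601"
```

Kibana starts only after the `setup` job exits successfully, so it never races the password change; log in to Kibana as `elastic` with the value of `ELASTIC_PASSWORD`.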
Did you try the "docker-compose.yml" section from the documentation "Install Elasticsearch with Docker"? Here a three node cluster is created. Remember to first provide the .env file. TLS is configured through the setup on-off service. I just tried it, and it works as expected without errors.