This project creates a full Elastic stack in docker using docker compose.
It is based heavily on the work done by elkninja and adds local copies of the Elastic Package Registry (EPR) and Elastic Artifact Registry (EAR) containers for air-gapped environments.
WARNING: The Elastic Package Registry image is ~15G and the Elastic Artifact Registry is ~4G in size.
The EPR and EAR are integrated into the project, but not required for the Elastic stack to function.
The project creates certs and stands up a 3-node Elasticsearch cluster, with Kibana and Fleet-Server already preconfigured. It also stands up Logstash, Metricbeat, Filebeat, and a webapp APM example container using docker profiles.
Elasticsearch and Kibana are preconfigured and instrumented with APM.
This project is broken into multiple docker compose files that build on each other, enabling multiple final configurations when the stack is brought up.
The docker-compose.yml file is the base configuration of the stack. It generates the required certs and brings online the Elasticsearch nodes, Kibana, and the Fleet/APM server. Therefore, it will always be used when issuing the docker compose up command.
The air-gapped.yml file adds to the base configuration provided by docker-compose.yml and provides the configuration changes and containers necessary to run the Elastic stack in an air-gapped environment.
The examples.yml file adds different functionality to the base configuration by bringing online different containers using docker's profiles feature (see below). This file is included at the top of docker-compose.yml.
Containers:
- es01, es02, es03: the three Elasticsearch cluster nodes
- kibana: accessible through https://localhost:5601/
- fleet-server: provides Fleet and APM server functions
- epr: provides a local copy of the required Elastic packages
- ear: provides a local copy of the Elastic binaries for agent install
- ml01: provides a dedicated machine learning node to the cluster (default size is 8GB RAM to allow for install of the ELSER model)
- metricbeat01: provides stack monitoring in Kibana for Elasticsearch, Kibana, Logstash and Docker
- filebeat01: provides the ability to ingest .log files into the cluster through the /filebeat_ingest_data/ folder
- logstash01: provides the ability to test Logstash and ingest data into the cluster through the /logstash_ingest_data/ folder
- webapp: demo web application that allows triggering of errors visible in the APM section of Kibana
- container-agent: demo Elastic Agent container to test integrations. It provides the ability to ingest files into the cluster through the /agent_ingest_data/ folder, as well as through UDP port 9003 and TCP port 9004.

Requirements: docker compose 2.20.3 or greater. Initially, internet access is required to build and pull the images. The images are built or pulled automatically when docker compose executes.
Make a copy of the env.template file and name it .env. Use the .env file to change settings. You must set the DOCKER_HOST_IP variable to the correct host IP for the stack deployment to work.
The stack can be deployed in many configurations including air-gapped. The various configurations can be enabled using the profiles feature of docker compose.
To bring up the basic stack (Elasticsearch, Kibana and Fleet/APM Server):
docker compose up -d
To enable the included examples, see the profiles section below. For example, to bring up the stack with Metricbeat enabled for cluster monitoring, use the following command:
docker compose --profile monitoring up -d
Multiple profiles can also be chained together. The following command enables Metricbeat, Logstash and an APM example.
docker compose --profile monitoring --profile logstash --profile apm up -d
NOTE: You can view the configuration that docker compose will apply prior to starting the project by using the config parameter instead of up -d.
Examples:
docker compose config
or
docker compose --profile monitoring config
The air-gapped.yml file configures the stack to utilize local Elastic Package Registry (EPR) and Elastic Artifact Registry (EAR) services. These services are required in an air-gapped environment to install the integrations and binaries required by the stack.
Using the air-gapped configuration requires chaining multiple docker compose files, because changes need to be made to the base configuration. This is done using the -f <filename> flag when executing the docker compose command.
To bring up the basic air-gapped stack (Elasticsearch, Kibana, Fleet/APM Server, EAR, and EPR):
docker compose -f docker-compose.yml -f air-gapped.yml up -d
Profiles may also be used with the air-gapped configuration. Using the same Metricbeat example as above, the command would be:
docker compose -f docker-compose.yml -f air-gapped.yml --profile monitoring up -d
To bring down the stack without purging the data volumes, execute the same command (including the -f <filename> and --profile flags) but replace up -d with down:
docker compose down
or
docker compose --profile monitoring down
or
docker compose -f docker-compose.yml -f air-gapped.yml --profile monitoring down
To bring down the stack and remove the data volumes, add -v to your command:
docker compose down -v
or
docker compose --profile monitoring down -v
or
docker compose -f docker-compose.yml -f air-gapped.yml --profile monitoring down -v
Profiles are enabled to configure different services for demo/example purposes.
To use a profile, add --profile <name> to the docker compose command. Each enabled profile must have its own --profile <name> flag; you cannot use a comma separated list of profile names.
Usage Examples:
docker compose --profile monitoring --profile apm up -d
docker compose -f docker-compose.yml -f air-gapped.yml --profile monitoring --profile apm up -d
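As an added example (not the project's own code), a small POSIX sh wrapper that enforces the rules above before calling docker compose: it chains the two compose files for air-gapped runs, splits a comma-separated profile list into separate --profile flags, and refuses to start when .env does not set DOCKER_HOST_IP. The script name stack.sh and the --air-gapped/--profiles options are assumptions, not part of the project.

```shell
#!/bin/sh
# Added wrapper (not part of the project) for the docker compose calls in this
# README: air-gapped runs chain both compose files, every profile gets its own
# --profile flag (comma lists are split), and .env must set DOCKER_HOST_IP.
# Usage: ./stack.sh [--air-gapped] [--profiles monitoring,apm] up|down|down-v|config
# Expand "monitoring,apm" into "--profile monitoring --profile apm".
profile_flags() {
  flags=""
  for p in $(printf '%s' "$1" | tr ',' ' '); do flags="$flags --profile $p"; done
  printf '%s' "${flags# }"
}
# $1 = "yes" for air-gapped, $2 = comma-separated profiles (may be empty),
# $3 = action. Prints the argument list; returns 1 on an unknown action.
compose_args() {
  args=""
  [ "$1" = "yes" ] && args="-f docker-compose.yml -f air-gapped.yml"
  pf=$(profile_flags "$2")
  [ -n "$pf" ] && args="${args:+$args }$pf"
  case "$3" in
    up)     args="${args:+$args }up -d" ;;
    down)   args="${args:+$args }down" ;;
    down-v) args="${args:+$args }down -v" ;;
    config) args="${args:+$args }config" ;;
    *)      return 1 ;;
  esac
  printf '%s' "$args"
}

# True when the env file exists and DOCKER_HOST_IP has a non-empty value.
env_ok() {
  [ -f "$1" ] && [ -n "$(sed -n 's/^DOCKER_HOST_IP=//p' "$1" | tail -n 1)" ]
}

main() {
  airgap=no; profiles=""
  while [ $# -gt 1 ]; do
    case "$1" in
      --air-gapped) airgap=yes; shift ;;
      --profiles)   profiles="$2"; shift 2 ;;
      *) echo "unknown option: $1" >&2; return 1 ;;
    esac
  done
  env_ok .env || { echo "copy env.template to .env and set DOCKER_HOST_IP" >&2; return 1; }
  args=$(compose_args "$airgap" "$profiles" "$1") || { echo "unknown action: $1" >&2; return 1; }
  docker compose $args   # word splitting of $args is intended
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run ./stack.sh --profiles monitoring,apm config first to review the merged configuration before starting anything.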
Machine Learning
- The memory limit of the ML node is set with the ML_MEM_LIMIT variable in the .env file
- Add --profile ml to your docker compose startup command to enable

Monitoring
- Add --profile monitoring to your docker compose startup command to enable

Filebeat
- Drop .log files into the filebeat_ingest_data folder to ingest them
- Add --profile filebeat to your docker compose startup command to enable

Logstash
- Drop files into the logstash_ingest_data folder to ingest them
- Edit the logstash.conf file to try out different ingest pipelines
- Add --profile logstash to your docker compose startup command to enable

APM
- Add --profile apm to your docker compose startup command to enable

Agent
- Add --profile agent to your docker compose startup command to enable
- Drop files into the agent_ingest_data folder to ingest logs using the Custom Logs integration. The log lines land in the messages field of the logs-generic-* index. Modify the logs-generic-* pipeline to extract and format the data.
- UDP: the port is set in the .env file (default: 9003). Data is written to logs-udp.generic-*. Modify its ingest pipeline for additional formatting, or the settings of the integration.
- TCP: the port is set in the .env file (default: 9004). Data is written to logs-TCP.generic-*. Modify its ingest pipeline for additional formatting, or the settings of the integration.

Reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html#docker-compose-file