- Elasticsearch Guide: other versions:
- What is Elasticsearch?
- What’s new in 7.14
- Quick start
- Set up Elasticsearch
- Installing Elasticsearch
- Configuring Elasticsearch
- Important Elasticsearch configuration
- Secure settings
- Auditing settings
- Circuit breaker settings
- Cluster-level shard allocation and routing settings
- Cross-cluster replication settings
- Discovery and cluster formation settings
- Field data cache settings
- Index lifecycle management settings
- Index management settings
- Index recovery settings
- Indexing buffer settings
- License settings
- Local gateway settings
- Logging
- Machine learning settings
- Monitoring settings
- Node
- Networking
- Node query cache settings
- Search settings
- Security settings
- Shard request cache settings
- Snapshot lifecycle management settings
- Transforms settings
- Thread pools
- Watcher settings
- Advanced configuration
- Important System Configuration
- Bootstrap Checks
- Heap size check
- File descriptor check
- Memory lock check
- Maximum number of threads check
- Max file size check
- Maximum size virtual memory check
- Maximum map count check
- Client JVM check
- Use serial collector check
- System call filter check
- OnError and OnOutOfMemoryError checks
- Early-access check
- G1GC check
- All permission check
- Discovery configuration check
- Bootstrap Checks for X-Pack
- Starting Elasticsearch
- Stopping Elasticsearch
- Discovery and cluster formation
- Add and remove nodes in your cluster
- Full-cluster restart and rolling restart
- Remote clusters
- Set up X-Pack
- Configuring X-Pack Java Clients
- Plugins
- Upgrade Elasticsearch
- Index modules
- Mapping
- Text analysis
- Overview
- Concepts
- Configure text analysis
- Built-in analyzer reference
- Tokenizer reference
- Token filter reference
- Apostrophe
- ASCII folding
- CJK bigram
- CJK width
- Classic
- Common grams
- Conditional
- Decimal digit
- Delimited payload
- Dictionary decompounder
- Edge n-gram
- Elision
- Fingerprint
- Flatten graph
- Hunspell
- Hyphenation decompounder
- Keep types
- Keep words
- Keyword marker
- Keyword repeat
- KStem
- Length
- Limit token count
- Lowercase
- MinHash
- Multiplexer
- N-gram
- Normalization
- Pattern capture
- Pattern replace
- Phonetic
- Porter stem
- Predicate script
- Remove duplicates
- Reverse
- Shingle
- Snowball
- Stemmer
- Stemmer override
- Stop
- Synonym
- Synonym graph
- Trim
- Truncate
- Unique
- Uppercase
- Word delimiter
- Word delimiter graph
- Character filters reference
- Normalizers
- Index templates
- Data streams
- Ingest pipelines
- Example: Parse logs
- Enrich your data
- Processor reference
- Append
- Bytes
- Circle
- Community ID
- Convert
- CSV
- Date
- Date index name
- Dissect
- Dot expander
- Drop
- Enrich
- Fail
- Fingerprint
- Foreach
- GeoIP
- Grok
- Gsub
- HTML strip
- Inference
- Join
- JSON
- KV
- Lowercase
- Network direction
- Pipeline
- Registered domain
- Remove
- Rename
- Script
- Set
- Set security user
- Sort
- Split
- Trim
- Uppercase
- URL decode
- URI parts
- User agent
- Aliases
- Search your data
- Query DSL
- Aggregations
- Bucket aggregations
- Adjacency matrix
- Auto-interval date histogram
- Children
- Composite
- Date histogram
- Date range
- Diversified sampler
- Filter
- Filters
- Geo-distance
- Geohash grid
- Geotile grid
- Global
- Histogram
- IP range
- Missing
- Multi Terms
- Nested
- Parent
- Range
- Rare terms
- Reverse nested
- Sampler
- Significant terms
- Significant text
- Terms
- Variable width histogram
- Subtleties of bucketing range fields
- Metrics aggregations
- Pipeline aggregations
- Average bucket
- Bucket script
- Bucket count K-S test
- Bucket correlation
- Bucket selector
- Bucket sort
- Cumulative cardinality
- Cumulative sum
- Derivative
- Extended stats bucket
- Inference bucket
- Max bucket
- Min bucket
- Moving average
- Moving function
- Moving percentiles
- Normalize
- Percentiles bucket
- Serial differencing
- Stats bucket
- Sum bucket
- Bucket aggregations
- EQL
- SQL
- Overview
- Getting Started with SQL
- Conventions and Terminology
- Security
- SQL REST API
- SQL Translate API
- SQL CLI
- SQL JDBC
- SQL ODBC
- SQL Client Applications
- SQL Language
- Functions and Operators
- Comparison Operators
- Logical Operators
- Math Operators
- Cast Operators
- LIKE and RLIKE Operators
- Aggregate Functions
- Grouping Functions
- Date/Time and Interval Functions and Operators
- Full-Text Search Functions
- Mathematical Functions
- String Functions
- Type Conversion Functions
- Geo Functions
- Conditional Functions And Expressions
- System Functions
- Reserved keywords
- SQL Limitations
- Scripting
- Data management
- ILM: Manage the index lifecycle
- Overview
- Concepts
- Automate rollover
- Customize built-in ILM policies
- Index lifecycle actions
- Configure a lifecycle policy
- Migrate index allocation filters to node roles
- Troubleshooting index lifecycle management errors
- Start and stop index lifecycle management
- Manage existing indices
- Skip rollover
- Restore a managed data stream or index
- Autoscaling
- Monitor a cluster
- Roll up or transform your data
- Set up a cluster for high availability
- Snapshot and restore
- Secure the Elastic Stack
- Elasticsearch security principles
- Configuring security
- Updating node security certificates
- User authentication
- Built-in users
- Service accounts
- Internal users
- Token-based authentication services
- Realms
- Realm chains
- Active Directory user authentication
- File-based user authentication
- LDAP user authentication
- Native user authentication
- OpenID Connect authentication
- PKI user authentication
- SAML authentication
- Kerberos authentication
- Integrating with other authentication systems
- Enabling anonymous access
- Controlling the user cache
- Configuring SAML single-sign-on on the Elastic Stack
- Configuring single sign-on to the Elastic Stack using OpenID Connect
- User authorization
- Built-in roles
- Defining roles
- Granting access to Stack Management features
- Security privileges
- Document level security
- Field level security
- Granting privileges for data streams and aliases
- Mapping users and groups to roles
- Setting up field and document level security
- Submitting requests on behalf of other users
- Configuring authorization delegation
- Customizing roles and authorization
- Enable audit logging
- Restricting connections with IP filtering
- Cross cluster search, clients, and integrations
- Operator privileges
- Troubleshooting
- Some settings are not returned via the nodes settings API
- Authorization exceptions
- Users command fails due to extra arguments
- Users are frequently locked out of Active Directory
- Certificate verification fails for curl on Mac
- SSLHandshakeException causes connections to fail
- Common SSL/TLS exceptions
- Common Kerberos exceptions
- Common SAML issues
- Internal Server Error in Kibana
- Setup-passwords command fails due to connection failure
- Failures due to relocation of the configuration files
- Limitations
- Watcher
- Command line tools
- How to
- REST APIs
- API conventions
- Autoscaling APIs
- Compact and aligned text (CAT) APIs
- cat aliases
- cat allocation
- cat anomaly detectors
- cat count
- cat data frame analytics
- cat datafeeds
- cat fielddata
- cat health
- cat indices
- cat master
- cat nodeattrs
- cat nodes
- cat pending tasks
- cat plugins
- cat recovery
- cat repositories
- cat segments
- cat shards
- cat snapshots
- cat task management
- cat templates
- cat thread pool
- cat trained model
- cat transforms
- Cluster APIs
- Cluster allocation explain
- Cluster get settings
- Cluster health
- Cluster reroute
- Cluster state
- Cluster stats
- Cluster update settings
- Nodes feature usage
- Nodes hot threads
- Nodes info
- Nodes reload secure settings
- Nodes stats
- Pending cluster tasks
- Remote cluster info
- Task management
- Voting configuration exclusions
- Cross-cluster replication APIs
- Data stream APIs
- Document APIs
- Enrich APIs
- EQL APIs
- Features APIs
- Fleet APIs
- Find structure API
- Graph explore API
- Index APIs
- Alias exists
- Aliases
- Analyze
- Clear cache
- Clone index
- Close index
- Create index
- Create or update alias
- Create or update component template
- Create or update index template
- Create or update index template (legacy)
- Delete component template
- Delete dangling index
- Delete alias
- Delete index
- Delete index template
- Delete index template (legacy)
- Exists
- Flush
- Force merge
- Freeze index
- Get alias
- Get component template
- Get field mapping
- Get index
- Get index settings
- Get index template
- Get index template (legacy)
- Get mapping
- Import dangling index
- Index recovery
- Index segments
- Index shard stores
- Index stats
- Index template exists (legacy)
- List dangling indices
- Open index
- Refresh
- Resolve index
- Rollover
- Shrink index
- Simulate index
- Simulate template
- Split index
- Synced flush
- Type exists
- Unfreeze index
- Update index settings
- Update mapping
- Index lifecycle management APIs
- Ingest APIs
- Info API
- Licensing APIs
- Logstash APIs
- Machine learning anomaly detection APIs
- Add events to calendar
- Add jobs to calendar
- Close jobs
- Create jobs
- Create calendars
- Create datafeeds
- Create filters
- Delete calendars
- Delete datafeeds
- Delete events from calendar
- Delete filters
- Delete forecasts
- Delete jobs
- Delete jobs from calendar
- Delete model snapshots
- Delete expired data
- Estimate model memory
- Find file structure
- Flush jobs
- Forecast jobs
- Get buckets
- Get calendars
- Get categories
- Get datafeeds
- Get datafeed statistics
- Get influencers
- Get jobs
- Get job statistics
- Get machine learning info
- Get model snapshots
- Get overall buckets
- Get scheduled events
- Get filters
- Get records
- Open jobs
- Post data to jobs
- Preview datafeeds
- Reset jobs
- Revert model snapshots
- Set upgrade mode
- Start datafeeds
- Stop datafeeds
- Update datafeeds
- Update filters
- Update jobs
- Update model snapshots
- Upgrade model snapshots
- Machine learning data frame analytics APIs
- Create data frame analytics jobs
- Create or update trained model aliases
- Create trained models
- Update data frame analytics jobs
- Delete data frame analytics jobs
- Delete trained models
- Delete trained model aliases
- Evaluate data frame analytics
- Explain data frame analytics
- Get data frame analytics jobs
- Get data frame analytics jobs stats
- Get trained models
- Get trained models stats
- Preview data frame analytics
- Start data frame analytics jobs
- Stop data frame analytics jobs
- Migration APIs
- Reload search analyzers API
- Repositories metering APIs
- Rollup APIs
- Script APIs
- Search APIs
- Searchable snapshots APIs
- Security APIs
- Authenticate
- Change passwords
- Clear cache
- Clear roles cache
- Clear privileges cache
- Clear API key cache
- Clear service account token caches
- Create API keys
- Create or update application privileges
- Create or update role mappings
- Create or update roles
- Create or update users
- Create service account tokens
- Delegate PKI authentication
- Delete application privileges
- Delete role mappings
- Delete roles
- Delete service account token
- Delete users
- Disable users
- Enable users
- Get API key information
- Get application privileges
- Get builtin privileges
- Get role mappings
- Get roles
- Get service accounts
- Get service account credentials
- Get token
- Get user privileges
- Get users
- Grant API keys
- Has privileges
- Invalidate API key
- Invalidate token
- OpenID Connect prepare authentication
- OpenID Connect authenticate
- OpenID Connect logout
- SAML prepare authentication
- SAML authenticate
- SAML logout
- SAML invalidate
- SAML complete logout
- SAML service provider metadata
- SSL certificate
- Snapshot and restore APIs
- Snapshot lifecycle management APIs
- SQL APIs
- Transform APIs
- Usage API
- Watcher APIs
- Definitions
- Migration guide
- Release notes
- Elasticsearch version 7.14.2
- Elasticsearch version 7.14.1
- Elasticsearch version 7.14.0
- Elasticsearch version 7.13.4
- Elasticsearch version 7.13.3
- Elasticsearch version 7.13.2
- Elasticsearch version 7.13.1
- Elasticsearch version 7.13.0
- Elasticsearch version 7.12.1
- Elasticsearch version 7.12.0
- Elasticsearch version 7.11.2
- Elasticsearch version 7.11.1
- Elasticsearch version 7.11.0
- Elasticsearch version 7.10.2
- Elasticsearch version 7.10.1
- Elasticsearch version 7.10.0
- Elasticsearch version 7.9.3
- Elasticsearch version 7.9.2
- Elasticsearch version 7.9.1
- Elasticsearch version 7.9.0
- Elasticsearch version 7.8.1
- Elasticsearch version 7.8.0
- Elasticsearch version 7.7.1
- Elasticsearch version 7.7.0
- Elasticsearch version 7.6.2
- Elasticsearch version 7.6.1
- Elasticsearch version 7.6.0
- Elasticsearch version 7.5.2
- Elasticsearch version 7.5.1
- Elasticsearch version 7.5.0
- Elasticsearch version 7.4.2
- Elasticsearch version 7.4.1
- Elasticsearch version 7.4.0
- Elasticsearch version 7.3.2
- Elasticsearch version 7.3.1
- Elasticsearch version 7.3.0
- Elasticsearch version 7.2.1
- Elasticsearch version 7.2.0
- Elasticsearch version 7.1.1
- Elasticsearch version 7.1.0
- Elasticsearch version 7.0.0
- Elasticsearch version 7.0.0-rc2
- Elasticsearch version 7.0.0-rc1
- Elasticsearch version 7.0.0-beta1
- Elasticsearch version 7.0.0-alpha2
- Elasticsearch version 7.0.0-alpha1
- Dependencies and versions
Install Elasticsearch with Docker
editInstall Elasticsearch with Docker
editElasticsearch is also available as Docker images. The images use centos:8 as the base image.
A list of all published Docker images and tags is available at www.docker.elastic.co. The source files are in Github.
This package contains both free and subscription features. Start a 30-day trial to try out all of the features.
Pulling the image
editObtaining Elasticsearch for Docker is as simple as issuing a docker pull
command
against the Elastic Docker registry.
docker pull docker.elastic.co/elasticsearch/elasticsearch:7.14.2
Starting a single node cluster with Docker
editTo start a single-node Elasticsearch cluster for development or testing, specify single-node discovery to bypass the bootstrap checks:
docker run -p 127.0.0.1:9200:9200 -p 127.0.0.1:9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.14.2
Starting a multi-node cluster with Docker Compose
editTo get a three-node Elasticsearch cluster up and running in Docker, you can use Docker Compose:
-
Create a
docker-compose.yml
file:
version: '2.2' services: es01: image: docker.elastic.co/elasticsearch/elasticsearch:7.14.2 container_name: es01 environment: - node.name=es01 - cluster.name=es-docker-cluster - discovery.seed_hosts=es02,es03 - cluster.initial_master_nodes=es01,es02,es03 - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms512m -Xmx512m" ulimits: memlock: soft: -1 hard: -1 volumes: - data01:/usr/share/elasticsearch/data ports: - 9200:9200 networks: - elastic es02: image: docker.elastic.co/elasticsearch/elasticsearch:7.14.2 container_name: es02 environment: - node.name=es02 - cluster.name=es-docker-cluster - discovery.seed_hosts=es01,es03 - cluster.initial_master_nodes=es01,es02,es03 - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms512m -Xmx512m" ulimits: memlock: soft: -1 hard: -1 volumes: - data02:/usr/share/elasticsearch/data networks: - elastic es03: image: docker.elastic.co/elasticsearch/elasticsearch:7.14.2 container_name: es03 environment: - node.name=es03 - cluster.name=es-docker-cluster - discovery.seed_hosts=es01,es02 - cluster.initial_master_nodes=es01,es02,es03 - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms512m -Xmx512m" ulimits: memlock: soft: -1 hard: -1 volumes: - data03:/usr/share/elasticsearch/data networks: - elastic volumes: data01: driver: local data02: driver: local data03: driver: local networks: elastic: driver: bridge
This sample docker-compose.yml
file uses the ES_JAVA_OPTS
environment variable to manually set the heap size to 512MB. We do not recommend
using ES_JAVA_OPTS
in production. See Manually set the heap size.
This sample Docker Compose file brings up a three-node Elasticsearch cluster.
Node es01
listens on localhost:9200
and es02
and es03
talk to es01
over a Docker network.
Please note that this configuration exposes port 9200 on all network interfaces, and given how
Docker manipulates iptables
on Linux, this means that your Elasticsearch cluster is publically accessible,
potentially ignoring any firewall settings. If you don’t want to expose port 9200 and instead use
a reverse proxy, replace 9200:9200
with 127.0.0.1:9200:9200
in the docker-compose.yml file.
Elasticsearch will then only be accessible from the host machine itself.
The Docker named volumes
data01
, data02
, and data03
store the node data directories so the data persists across restarts.
If they don’t already exist, docker-compose
creates them when you bring up the cluster.
-
Make sure Docker Engine is allotted at least 4GiB of memory. In Docker Desktop, you configure resource usage on the Advanced tab in Preference (macOS) or Settings (Windows).
Docker Compose is not pre-installed with Docker on Linux. See docs.docker.com for installation instructions: Install Compose on Linux
-
Run
docker-compose
to bring up the cluster:docker-compose up
-
Submit a
_cat/nodes
request to see that the nodes are up and running:curl -X GET "localhost:9200/_cat/nodes?v=true&pretty"
Log messages go to the console and are handled by the configured Docker logging driver.
By default you can access logs with docker logs
. If you would prefer the Elasticsearch
container to write logs to disk, set the ES_LOG_STYLE
environment variable to file
.
This causes Elasticsearch to use the same logging configuration as other Elasticsearch distribution formats.
To stop the cluster, run docker-compose down
.
The data in the Docker volumes is preserved and loaded
when you restart the cluster with docker-compose up
.
To delete the data volumes when you bring down the cluster,
specify the -v
option: docker-compose down -v
.
Start a multi-node cluster with TLS enabled
editSee Encrypting communications in an Elasticsearch Docker Container and Run the Elastic Stack in Docker with TLS enabled.
Using the Docker images in production
editThe following requirements and recommendations apply when running Elasticsearch in Docker in production.
Set vm.max_map_count
to at least 262144
editThe vm.max_map_count
kernel setting must be set to at least 262144
for production use.
How you set vm.max_map_count
depends on your platform:
-
Linux
The
vm.max_map_count
setting should be set permanently in/etc/sysctl.conf
:grep vm.max_map_count /etc/sysctl.conf vm.max_map_count=262144
To apply the setting on a live system, run:
sysctl -w vm.max_map_count=262144
-
macOS with Docker for Mac
The
vm.max_map_count
setting must be set within the xhyve virtual machine:-
From the command line, run:
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty
-
Press enter and use`sysctl` to configure
vm.max_map_count
:sysctl -w vm.max_map_count=262144
-
To exit the
screen
session, typeCtrl a d
.
-
-
Windows and macOS with Docker Desktop
The
vm.max_map_count
setting must be set via docker-machine:docker-machine ssh sudo sysctl -w vm.max_map_count=262144
-
Windows with Docker Desktop WSL 2 backend
The
vm.max_map_count
setting must be set in the docker-desktop container:wsl -d docker-desktop sysctl -w vm.max_map_count=262144
Configuration files must be readable by the elasticsearch
user
editBy default, Elasticsearch runs inside the container as user elasticsearch
using
uid:gid 1000:0
.
One exception is Openshift,
which runs containers using an arbitrarily assigned user ID.
Openshift presents persistent volumes with the gid set to 0
, which works without any adjustments.
If you are bind-mounting a local directory or file, it must be readable by the elasticsearch
user.
In addition, this user must have write access to the config, data and log dirs
(Elasticsearch needs write access to the config
directory so that it can generate a keystore).
A good strategy is to grant group access to gid 0
for the local directory.
For example, to prepare a local directory for storing data through a bind-mount:
mkdir esdatadir chmod g+rwx esdatadir chgrp 0 esdatadir
You can also run an Elasticsearch container using both a custom UID and GID. Unless you
bind-mount each of the config
, data` and logs
directories, you must pass
the command line option --group-add 0
to docker run
. This ensures that the user
under which Elasticsearch is running is also a member of the root
(GID 0) group inside the
container.
As a last resort, you can force the container to mutate the ownership of
any bind-mounts used for the data and log dirs through the
environment variable TAKE_FILE_OWNERSHIP
. When you do this, they will be owned by
uid:gid 1000:0
, which provides the required read/write access to the Elasticsearch process.
Increase ulimits for nofile and nproc
editIncreased ulimits for nofile and nproc must be available for the Elasticsearch containers. Verify the init system for the Docker daemon sets them to acceptable values.
To check the Docker daemon defaults for ulimits, run:
docker run --rm centos:8 /bin/bash -c 'ulimit -Hn && ulimit -Sn && ulimit -Hu && ulimit -Su'
If needed, adjust them in the Daemon or override them per container.
For example, when using docker run
, set:
--ulimit nofile=65535:65535
Disable swapping
editSwapping needs to be disabled for performance and node stability. For information about ways to do this, see Disable swapping.
If you opt for the bootstrap.memory_lock: true
approach,
you also need to define the memlock: true
ulimit in the
Docker Daemon,
or explicitly set for the container as shown in the sample compose file.
When using docker run
, you can specify:
-e "bootstrap.memory_lock=true" --ulimit memlock=-1:-1
Randomize published ports
editThe image exposes
TCP ports 9200 and 9300. For production clusters, randomizing the
published ports with --publish-all
is recommended,
unless you are pinning one container per host.
Manually set the heap size
editBy default, Elasticsearch automatically sizes JVM heap based on a nodes’s roles and the total memory available to the node’s container. We recommend this default sizing for most production environments. If needed, you can override default sizing by manually setting JVM heap size.
To manually set the heap size in production, bind mount a JVM
options file under /usr/share/elasticsearch/config/jvm.options.d
that
includes your desired heap size settings.
For testing, you can also manually set the heap size using the ES_JAVA_OPTS
environment variable. For example, to use 16GB, specify -e
ES_JAVA_OPTS="-Xms16g -Xmx16g"
with docker run
. The ES_JAVA_OPTS
variable
overrides all other JVM options. The ES_JAVA_OPTS
variable overrides all other
JVM options. We do not recommend using ES_JAVA_OPTS
in production. The
docker-compose.yml
file above sets the heap size to 512MB.
Pin deployments to a specific image version
editPin your deployments to a specific version of the Elasticsearch Docker image. For
example docker.elastic.co/elasticsearch/elasticsearch:7.14.2
.
Always bind data volumes
editYou should use a volume bound on /usr/share/elasticsearch/data
for the following reasons:
- The data of your Elasticsearch node won’t be lost if the container is killed
- Elasticsearch is I/O sensitive and the Docker storage driver is not ideal for fast I/O
- It allows the use of advanced Docker volume plugins
Avoid using loop-lvm
mode
editIf you are using the devicemapper storage driver, do not use the default loop-lvm
mode.
Configure docker-engine to use
direct-lvm.
Centralize your logs
editConsider centralizing your logs by using a different logging driver. Also note that the default json-file logging driver is not ideally suited for production use.
Configuring Elasticsearch with Docker
editWhen you run in Docker, the Elasticsearch configuration files are loaded from
/usr/share/elasticsearch/config/
.
To use custom configuration files, you bind-mount the files over the configuration files in the image.
You can set individual Elasticsearch configuration parameters using Docker environment variables. The sample compose file and the single-node example use this method.
To use the contents of a file to set an environment variable, suffix the environment
variable name with _FILE
. This is useful for passing secrets such as passwords to Elasticsearch
without specifying them directly.
For example, to set the Elasticsearch bootstrap password from a file, you can bind mount the
file and set the ELASTIC_PASSWORD_FILE
environment variable to the mount location.
If you mount the password file to /run/secrets/bootstrapPassword.txt
, specify:
-e ELASTIC_PASSWORD_FILE=/run/secrets/bootstrapPassword.txt
You can also override the default command for the image to pass Elasticsearch configuration parameters as command line options. For example:
docker run <various parameters> bin/elasticsearch -Ecluster.name=mynewclustername
While bind-mounting your configuration files is usually the preferred method in production, you can also create a custom Docker image that contains your configuration.
Mounting Elasticsearch configuration files
editCreate custom config files and bind-mount them over the corresponding files in the Docker image.
For example, to bind-mount custom_elasticsearch.yml
with docker run
, specify:
-v full_path_to/custom_elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
The container runs Elasticsearch as user elasticsearch
using
uid:gid 1000:0
. Bind mounted host directories and files must be accessible by this user,
and the data and log directories must be writable by this user.
Create an encrypted Elasticsearch keystore
editBy default, Elasticsearch will auto-generate a keystore file for secure settings. This file is obfuscated but not encrypted.
To encrypt your secure settings with a password and have them persist outside
the container, use a docker run
command to manually create the keystore
instead. The command must:
-
Bind-mount the
config
directory. The command will create anelasticsearch.keystore
file in this directory. To avoid errors, do not directly bind-mount theelasticsearch.keystore
file. -
Use the
elasticsearch-keystore
tool with thecreate -p
option. You’ll be prompted to enter a password for the keystore.
For example:
docker run -it --rm \ -v full_path_to/config:/usr/share/elasticsearch/config \ docker.elastic.co/elasticsearch/elasticsearch:7.14.2 \ bin/elasticsearch-keystore create -p
You can also use a docker run
command to add or update secure settings in the
keystore. You’ll be prompted to enter the setting values. If the keystore is
encrypted, you’ll also be prompted to enter the keystore password.
docker run -it --rm \ -v full_path_to/config:/usr/share/elasticsearch/config \ docker.elastic.co/elasticsearch/elasticsearch:7.14.2 \ bin/elasticsearch-keystore \ add my.secure.setting \ my.other.secure.setting
If you’ve already created the keystore and don’t need to update it, you can
bind-mount the elasticsearch.keystore
file directly. You can use the
KEYSTORE_PASSWORD
environment variable to provide the keystore password to the
container at startup. For example, a docker run
command might have the
following options:
-v full_path_to/config/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore -e KEYSTORE_PASSWORD=mypassword
Using custom Docker images
editIn some environments, it might make more sense to prepare a custom image that contains
your configuration. A Dockerfile
to achieve this might be as simple as:
FROM docker.elastic.co/elasticsearch/elasticsearch:7.14.2 COPY --chown=elasticsearch:elasticsearch elasticsearch.yml /usr/share/elasticsearch/config/
You could then build and run the image with:
docker build --tag=elasticsearch-custom . docker run -ti -v /usr/share/elasticsearch/data elasticsearch-custom
Some plugins require additional security permissions. You must explicitly accept them either by:
-
Attaching a
tty
when you run the Docker image and allowing the permissions when prompted. -
Inspecting the security permissions and accepting them (if appropriate) by adding the
--batch
flag to the plugin install command.
See Plugin management for more information.
Troubleshoot Docker errors for Elasticsearch
editHere’s how to resolve common errors when running Elasticsearch with Docker.
elasticsearch.keystore is a directory
editException in thread "main" org.elasticsearch.bootstrap.BootstrapException: java.io.IOException: Is a directory: SimpleFSIndexInput(path="/usr/share/elasticsearch/config/elasticsearch.keystore") Likely root cause: java.io.IOException: Is a directory
A keystore-related docker run
command attempted
to directly bind-mount an elasticsearch.keystore
file that doesn’t exist. If
you use the -v
or --volume
flag to mount a file that doesn’t exist, Docker
instead creates a directory with the same name.
To resolve this error:
-
Delete the
elasticsearch.keystore
directory in theconfig
directory. -
Update the
-v
or--volume
flag to point to theconfig
directory path rather than the keystore file’s path. For an example, see Create an encrypted Elasticsearch keystore. - Retry the command.
elasticsearch.keystore: Device or resource busy
editException in thread "main" java.nio.file.FileSystemException: /usr/share/elasticsearch/config/elasticsearch.keystore.tmp -> /usr/share/elasticsearch/config/elasticsearch.keystore: Device or resource busy
A docker run
command attempted to update the
keystore while directly bind-mounting the elasticsearch.keystore
file. To
update the keystore, the container requires access to other files in the
config
directory, such as keystore.tmp
.
To resolve this error:
-
Update the
-v
or--volume
flag to point to theconfig
directory path rather than the keystore file’s path. For an example, see Create an encrypted Elasticsearch keystore. - Retry the command.
Next steps
editYou now have a test Elasticsearch environment set up. Before you start serious development or go into production with Elasticsearch, you must do some additional setup:
- Learn how to configure Elasticsearch.
- Configure important Elasticsearch settings.
- Configure important system settings.
On this page
- Pulling the image
- Starting a single node cluster with Docker
- Starting a multi-node cluster with Docker Compose
- Start a multi-node cluster with TLS enabled
- Using the Docker images in production
- Set
vm.max_map_count
to at least262144
- Configuration files must be readable by the
elasticsearch
user - Increase ulimits for nofile and nproc
- Disable swapping
- Randomize published ports
- Manually set the heap size
- Pin deployments to a specific image version
- Always bind data volumes
- Avoid using
loop-lvm
mode - Centralize your logs
- Configuring Elasticsearch with Docker
- Mounting Elasticsearch configuration files
- Create an encrypted Elasticsearch keystore
- Using custom Docker images
- Troubleshoot Docker errors for Elasticsearch
- elasticsearch.keystore is a directory
- elasticsearch.keystore: Device or resource busy
- Next steps