Docker cleaning

Stop and delete containers

docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)

Delete images

docker rmi $(docker images -q)


docker system prune --force

Beats – quick settings

Before the first run of any Beat it is good to set the number of replicas and shards according to your environment (e.g. the number of nodes).

settings: {
  index.number_of_replicas: 0,
}


Elasticsearch cluster security

Access control

Never ever run elasticsearch as root!


script.inline: false  
script.stored: false  
script.file:   true

script.inline enables running scripts provided inline in an API request. script.stored enables running scripts that were stored via the API. script.file allows running scripts stored in the filesystem (/etc/elasticsearch/scripts for the rpm or deb package, config/scripts for the zip or tar archive).

Read more about scripting in Elasticsearch, e.g. the Java security policy.



rest.action.multi.allow_explicit_index: false

With this setting Elasticsearch rejects multi-search, multi-get and bulk requests that name an explicit index in the request body, so a request cannot target indices other than the one in the URL (which matters when a proxy restricts access by URL).
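A small audit of these settings, as an added example that is not part of the original notes: get_setting and check_es_hardening are hypothetical helper names, and the expected values are the ones given above (script.inline and script.stored off, rest.action.multi.allow_explicit_index off). It also flags security.manager.enabled: false, the setting the Search Guard section below puts into elasticsearch.yml, so that it is only kept where that plugin needs it.

```shell
#!/bin/sh
# Audit an elasticsearch.yml for the hardening settings discussed above.
# Added example; get_setting and check_es_hardening are hypothetical helpers,
# not Elasticsearch tooling. Values are compared with the ones these notes recommend.

# get_setting FILE KEY: print the value of the first "KEY: value" line
# (trailing comment and whitespace stripped), or nothing when the key is absent.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_es_hardening FILE: print one WARN line per deviation; the return code is
# the number of deviations, so 0 means the file matches the recommended values.
check_es_hardening() {
    _file=$1
    _findings=0
    # key=expected pairs from the notes: no inline or stored scripts,
    # no explicit index inside multi-search / multi-get / bulk bodies
    for _pair in script.inline=false script.stored=false \
                 rest.action.multi.allow_explicit_index=false; do
        _key=${_pair%%=*}
        _want=${_pair#*=}
        _got=$(get_setting "$_file" "$_key")
        if [ "$_got" != "$_want" ]; then
            echo "WARN: $_key is '${_got:-unset}', expected '$_want'"
            _findings=$((_findings + 1))
        fi
    done
    # security.manager.enabled: false turns off the Java security manager sandbox;
    # flag it so it is only kept where a plugin (Search Guard in these notes) needs it.
    if [ "$(get_setting "$_file" security.manager.enabled)" = "false" ]; then
        echo "WARN: security.manager.enabled is 'false' (Java security manager disabled)"
        _findings=$((_findings + 1))
    fi
    return $_findings
}

# Usage: check_es_hardening /etc/elasticsearch/elasticsearch.yml
```

Run it against the node's elasticsearch.yml after every configuration change; a non-zero exit makes it easy to wire into a deployment check.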

Filtered alias

To restrict which documents a consumer can see, and for a better user experience, it is possible to use a filtered alias.

POST /_aliases
{
    "actions" : [
        { "add" : { "indices" : ["test1", "test2"], "alias" : "alias1" } }
    ]
}

Service stability:




Securing Elasticsearch with Search Guard


Elasticsearch scripts

cd /opt/elasticsearch
sudo bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.3.0-11
vim /etc/elasticsearch/elasticsearch.yml

Searchguard settings in elasticsearch.yml

security.manager.enabled: false

root@e58127d1d54e:/opt/elasticsearch# plugins/search-guard-5/tools/ -cd plugins/search-guard-5/sgconfig/ -ks /etc/elasticsearch/node-1-keystore.jks -kspass 95ba06bb222fd7640283 -ts /etc/elasticsearch/truststore.jks -tspass 25cb9058f1b53dd61c69 -nhnv
 Search Guard Admin v5
 Will connect to localhost:9300 ... done
 Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
 Clustername: elasticsearch
 Clusterstate: YELLOW
 Number of nodes: 1
 Number of data nodes: 1
 searchguard index does not exists, attempt to create it ... done (auto expand replicas is on)
 Populate config from /opt/elasticsearch/plugins/search-guard-5/sgconfig
 Will update 'config' with plugins/search-guard-5/sgconfig/sg_config.yml
 SUCC: Configuration for 'config' created or updated
 Will update 'roles' with plugins/search-guard-5/sgconfig/sg_roles.yml
 SUCC: Configuration for 'roles' created or updated
 Will update 'rolesmapping' with plugins/search-guard-5/sgconfig/sg_roles_mapping.yml
 SUCC: Configuration for 'rolesmapping' created or updated
 Will update 'internalusers' with plugins/search-guard-5/sgconfig/sg_internal_users.yml
 SUCC: Configuration for 'internalusers' created or updated
 Will update 'actiongroups' with plugins/search-guard-5/sgconfig/sg_action_groups.yml
 SUCC: Configuration for 'actiongroups' created or updated
 Done with success

SearchGuard + Kibana + security

Logstash 5.4.0 – offline filter plugins

The exported plugin zip contains these added plugins:

  • logstash-filter-aggregate
  • logstash-filter-de_dot
  • logstash-filter-json_encode
  • logstash-input-jmx

The plugins can be installed with this command:

bin/logstash-plugin install file:///<path_to_zip>/



boot2docker – Elasticsearch and max_map_count

If you use boot2docker, you will certainly hit an error like this when starting the Elasticsearch service:

Exception in thread "main" java.lang.RuntimeException: bootstrap checks failed
 initial heap size [268435456] not equal to maximum heap size [1073741824]; this can cause resize pauses and prevents mlockall from locking the entire heap
 max virtual memory areas vm.max_map_count [65530] likely too low, increase to at least [262144]
 at org.elasticsearch.bootstrap.BootstrapCheck.check(
 at org.elasticsearch.bootstrap.BootstrapCheck.check(
 at org.elasticsearch.bootstrap.Bootstrap$5.validateNodeBeforeAcceptingRequests(
 at org.elasticsearch.node.Node.start(
 at org.elasticsearch.bootstrap.Bootstrap.start(
 at org.elasticsearch.bootstrap.Bootstrap.init(
 at org.elasticsearch.bootstrap.Elasticsearch.init(
 at org.elasticsearch.bootstrap.Elasticsearch.execute(
 at org.elasticsearch.cli.Command.mainWithoutErrorHandling(
 at org.elasticsearch.cli.Command.main(
 at org.elasticsearch.bootstrap.Elasticsearch.main(
 at org.elasticsearch.bootstrap.Elasticsearch.main(
 Refer to the log for complete error details.

It is enough to edit /var/lib/boot2docker/profile by adding this line at the end of the file and then reboot.

 # Update the vm.max_map_count setting
 sysctl -w vm.max_map_count=262144

Elasticsearch docker container on Ubuntu 16.04

If you use the sebp/elk image, you may run into the error

[2017-04-05T20:57:53,130][ERROR][o.e.b.Bootstrap          ] [IMZwJd9] node validation exception
bootstrap checks failed
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]


sudo sysctl -w vm.max_map_count=262144


echo 262144 | sudo tee /proc/sys/vm/max_map_count

Permanent setting:

Add the parameter to /etc/sysctl.conf


Then it is necessary to restart the server or run

sysctl -p
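The check-and-persist routine for the Ubuntu host case described above (the boot2docker variant adds the sysctl -w line to its profile instead), as an added example that is not part of the original notes: check_max_map_count and ensure_sysctl_conf are hypothetical helper names, and the 262144 minimum is the value quoted in the bootstrap check error.

```shell
#!/bin/sh
# Check and persist vm.max_map_count for Elasticsearch. Added example, not from the
# original notes; check_max_map_count and ensure_sysctl_conf are hypothetical helpers.
# The 262144 minimum is the value from the bootstrap check error quoted above.

MIN_MAP_COUNT=262144

# check_max_map_count [FILE]: read the current value (default /proc/sys/vm/max_map_count)
# and return 0 when it is at least the minimum, 1 otherwise (with a hint how to fix it now).
check_max_map_count() {
    _src=${1:-/proc/sys/vm/max_map_count}
    _cur=$(tr -dc '0-9' < "$_src")
    if [ -z "$_cur" ] || [ "$_cur" -lt "$MIN_MAP_COUNT" ]; then
        echo "vm.max_map_count is ${_cur:-unknown}, need at least $MIN_MAP_COUNT" \
             "(fix now: sudo sysctl -w vm.max_map_count=$MIN_MAP_COUNT)"
        return 1
    fi
    return 0
}

# ensure_sysctl_conf FILE: make the setting permanent by appending
# "vm.max_map_count = 262144" to FILE (e.g. /etc/sysctl.conf) unless a
# vm.max_map_count line is already present, so repeated runs do not duplicate it.
# Returns 0 when the line was appended, 2 when it was already there.
ensure_sysctl_conf() {
    _conf=$1
    if grep -q '^[[:space:]]*vm\.max_map_count[[:space:]]*=' "$_conf" 2>/dev/null; then
        return 2
    fi
    printf 'vm.max_map_count = %s\n' "$MIN_MAP_COUNT" >> "$_conf"
    return 0
}

# Usage (needs root for the real paths):
#   check_max_map_count || { ensure_sysctl_conf /etc/sysctl.conf; sysctl -p; }
```

Running the check before starting the container turns the Java stack trace into a one-line message with the fix, and the idempotent append keeps /etc/sysctl.conf clean when the script is run from provisioning more than once.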



Docker on Ubuntu 16.04

To get Docker running on Ubuntu, you can follow the official documentation without any problems.

For my needs I did not go into testing the trial version of Docker EE, but stayed with Docker CE right away.

After a successful installation I then also set up the Ubuntu environment to run Docker as a non-root user. Again I followed the official documentation.

And don't forget to restart the machine!