GKman's questions

我有一个带有 xpack 基本许可证的 elasticsearch 集群，并且启用了本机用户身份验证（当然是 ssl）。我正在尝试在 docker 容器上设置 kibana，但在浏览器中访问 kibana 时不断出现错误：
{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred."}
在 kibana 日志中我有消息：（
"missing authentication credentials for REST request"下面的完整日志）

我的 kibana.yml 文件是：

server.name: kibana
server.host: "0.0.0.0"
elasticsearch.hosts:
 - https://server:9200
server.ssl.certificate: "cert.crt"
server.ssl.key: "vert.key"
server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: ["root-ca.crt"]
elasticsearch.username: "kibana"
elasticsearch.password: "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"

手动请求（使用浏览器或邮递员获取\发布请求）工作正常。任何以(eg )
开头的配置设置都将失败，并出现一些关于无法识别密钥的错误。 使用的容器版本：docker.elastic.co/kibana/kibana-oss:7.7.0xpack.*xpack.security.enabled

可能是在kibana docker容器中默认没有安装xpack吗？
我做错了什么？

-------- 完整的 kibana 日志 ---------

{"type":"log","@timestamp":"2020-05-25T10:06:03Z","tags":["warning","plugins-discovery"],"pid":6,"message":"Expect plugin \"id\" in camelCase, but found: apm_oss"}
{"type":"log","@timestamp":"2020-05-25T10:06:03Z","tags":["info","plugins-system"],"pid":6,"message":"Setting up [32] plugins: [visTypeVega,usageCollection,metrics,telemetryCollectionManager,telemetry,timelion,kibanaLegacy,devTools,apm_oss,uiActions,savedObjects,share,statusPage,newsfeed,kibanaReact,inspector,embeddable,kibanaUtils,discover,esUiShared,bfetch,expressions,visualizations,data,home,console,management,advancedSettings,telemetryManagementSection,navigation,dashboard,charts]"}
{"type":"log","@timestamp":"2020-05-25T10:06:04Z","tags":["info","savedobjects-service"],"pid":6,"message":"Waiting until all Elasticsearch nodes are compatible with Kibana before starting saved objects migrations..."}
{"type":"log","@timestamp":"2020-05-25T10:06:04Z","tags":["info","savedobjects-service"],"pid":6,"message":"Starting saved objects migrations"}
{"type":"log","@timestamp":"2020-05-25T10:06:04Z","tags":["info","plugins-system"],"pid":6,"message":"Starting [15] plugins: [visTypeVega,usageCollection,metrics,telemetryCollectionManager,telemetry,timelion,kibanaLegacy,apm_oss,share,bfetch,expressions,visualizations,data,home,console]"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["status","plugin:[email protected]","info"],"pid":6,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["listening","info"],"pid":6,"message":"Server running at https://0.0.0.0:5601"}
{"type":"log","@timestamp":"2020-05-25T10:06:05Z","tags":["info","http","server","Kibana"],"pid":6,"message":"http server running at https://0.0.0.0:5601"}
{"type":"log","@timestamp":"2020-05-25T10:06:15Z","tags":["error","http"],"pid":6,"message":"{ [security_exception] missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } } :: {\"path\":\"/.kibana/_doc/config%3A7.7.0\",\"query\":{},\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"ApiKey\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"ApiKey\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Bearer realm=\\\"security\\\", ApiKey, Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}\n    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n    at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4929:19)\n    at IncomingMessage.emit (events.js:203:15)\n    at endReadableNT (_stream_readable.js:1145:12)\n    at process._tickCallback (internal/process/next_tick.js:63:19)\n  status: 401,\n  displayName: 'AuthenticationException',\n  message:\n   '[security_exception] missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\\\"security\\\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\\\"security\\\\\" charset=\\\\\"UTF-8\\\\\"\" } } }',\n  path: '/.kibana/_doc/config%3A7.7.0',\n  query: {},\n  body:\n   { error:\n      { root_cause: [Array],\n        type: 'security_exception',\n        reason:\n         'missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]',\n        header: [Object] },\n     status: 401 },\n  statusCode: 401,\n  response:\n   '{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]\",\"header\":{\"WWW-Authenticate\":[\"Bearer realm=\\\\\"security\\\\\"\",\"ApiKey\",\"Basic realm=\\\\\"security\\\\\" charset=\\\\\"UTF-8\\\\\"\"]}}],\"type\":\"security_exception\",\"reason\":\"missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]\",\"header\":{\"WWW-Authenticate\":[\"Bearer realm=\\\\\"security\\\\\"\",\"ApiKey\",\"Basic realm=\\\\\"security\\\\\" charset=\\\\\"UTF-8\\\\\"\"]}},\"status\":401}',\n  wwwAuthenticateDirective:\n   'Bearer realm=\"security\", ApiKey, Basic realm=\"security\" charset=\"UTF-8\"',\n  toString: [Function],\n  toJSON: [Function],\n  isBoom: true,\n  isServer: false,\n  data: null,\n  output:\n   { statusCode: 401,\n     payload:\n      { statusCode: 401,\n        error: 'Unauthorized',\n        message:\n         '[security_exception] missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\\\"security\\\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\\\"security\\\\\" charset=\\\\\"UTF-8\\\\\"\" } } }' },\n     headers: { 'WWW-Authenticate': [Array] } },\n  reformat: [Function],\n  [Symbol(ElasticsearchError)]: 'Elasticsearch/notAuthorized',\n  [Symbol(SavedObjectsClientErrorCode)]: 'SavedObjectsClient/notAuthorized' }"}
{"type":"error","@timestamp":"2020-05-25T10:06:15Z","tags":[],"pid":6,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toInternalError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:67:19)\n    at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:165:34)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":null,"query":{},"pathname":"/","path":"/","href":"/"},"message":"Internal Server Error"}
{"type":"response","@timestamp":"2020-05-25T10:06:15Z","tags":[],"pid":6,"method":"get","statusCode":500,"req":{"url":"/","method":"get","headers":{"host":"KIBANA-SERVER:5601","connection":"keep-alive","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"XXX.XXX.11.5","userAgent":"XXX.XXX.11.5"},"res":{"statusCode":500,"responseTime":44,"contentLength":9},"message":"GET / 500 44ms - 9.0B"}

======================
更新
======================

尝试使用具有相同配置的 kibana 版本 6.8（docker image docker.elastic.co/kibana/kibana-oss:6.8.0）（一切都相同 - 只是以前的图像）并且它可以工作，虽然我没有得到kibana 登录屏幕，而是由浏览器提示输入凭据。

我有一个具有根 CA 和从属 CA 的环境。我的环境是混合的。我有 Windows 和 Linux（Ubuntu 18）服务器。

在 Windows 机器上，将根 CA 添加到受信任的根证书存储区就足够了，并且从那里开始，由-从属-CA 颁发的所有证书都受到计算机的信任。

在 Ubuntu 机器上，我也将根 CA 安装到了受信任的根 CA 的存储中，但我发现当使用docker pull从属 CA 颁发的证书从私有注册表运行时，我得到了错误：Error response from daemon: Get https://<server>:5000/v2/: x509: certificate signed by unknown authority 只有在花了几个小时后，我意识到我需要安装从属 CA 以及根 CA。

这是为什么？如果从属根 CA 受信任，则不应信任从属签名证书吗？

我对 Elasticsearch 相当陌生，并且正在观看一些有些过时的教程。

在教程中，他们说如果有专用的数据节点，建议禁用对它们的客户端访问，这样它们就不会提供查询服务，而是专注于索引数据。他们使用该设置node.client: false禁用客户端访问，但我了解到该设置已被弃用和删除。

删除该node.client设置的原因是它是多余的，并且通过将node.masterand设置node.data为 false，该节点成为一个专用的客户端节点。如果它们都没有设置为 false，这意味着什么？客户端角色是否始终处于启用状态？可以关闭吗？

是否可以仅在特定的 mongodb 数据库上要求身份验证（让其他数据库可以免费访问而无需身份验证要求）？

在阅读和玩了一会儿 docker 之后，我正在考虑在我的生产环境中使用它。但是，我仍在尝试了解挂载绑定和卷之间的区别。

根据 Dockers 关于挂载绑定的文档（https://docs.docker.com/storage/bind-mounts/）：

绑定挂载从 Docker 早期就已经存在。与卷相比，绑定挂载的功能有限。当您使用绑定挂载时，主机上的文件或目录会挂载到容器中。文件或目录由其在主机上的完整路径或相对路径引用。相比之下，当您使用卷时，会在主机上 Docker 的存储目录中创建一个新目录，并且 Docker 管理该目录的内容。

从这个（以及从玩弄）在我看来，安装绑定和卷是同一件事，唯一的区别是数据的位置。（卷存储在 docker 的“私有”存储区域，而挂载绑定可以存储在任何地方）。是的，安装绑定必须在启动 docker 容器之前存在，而卷可以在容器启动时由 docker 引擎创建 - 但这种差异是不敬的性能或维护明智的。

我无法理解文档（https://docs.docker.com/storage/volumes/）中所述的卷的所谓好处，因为它们似乎都同样适用于挂载绑定。

谁能解释一下volumes和mount-binds（性能和维护方面）之间的主要区别，最重要的是它们的用例？

谢谢您的帮助。