前言提要

昨天的文章中，提供了較為簡單的 docker-compose.yaml。
今天來看看 graylog 提供的設定檔並解析其細節。

正式配置

資料夾架構

|-.
|-docker-compose.yml
|-.env

配置檔內容

• docker-compose.yaml：

  services:
    # MongoDB: https://hub.docker.com/_/mongo/
    mongodb:
      image: "mongo:7.0"
      restart: "on-failure"
      networks:
        - graylog
      volumes:
        - "mongodb_data:/data/db"
        - "mongodb_config:/data/configdb"  
  
    # For DataNode setup, graylog starts with a preflight UI, this is a change from just using OpenSearch/Elasticsearch.
    # Please take a look at the README at the top of this repo or the regular docs for more info.
    # Graylog Data Node: https://hub.docker.com/r/graylog/graylog-datanode
  
    # ⚠️ Make sure this is set on the host before starting:
    # echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
    # sudo sysctl -p
    datanode:
      image: "${DATANODE_IMAGE:-graylog/graylog-datanode:6.3}"
      hostname: "datanode"
      environment:
        GRAYLOG_DATANODE_NODE_ID_FILE: "/var/lib/graylog-datanode/node-id"
        # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
        GRAYLOG_DATANODE_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}"
        GRAYLOG_DATANODE_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      ulimits:
        memlock:
          hard: -1
          soft: -1
        nofile:
          soft: 65536
          hard: 65536
      ports:
        - "8999:8999/tcp"   # DataNode API
        - "9200:9200/tcp"
        - "9300:9300/tcp"
      networks:
        - graylog  
      volumes:
        - "graylog-datanode:/var/lib/graylog-datanode"
      restart: "on-failure"
  
    # Graylog: https://hub.docker.com/r/graylog/graylog-enterprise
    graylog:
      hostname: "server"
      image: "${GRAYLOG_IMAGE:-graylog/graylog:6.3}"
      depends_on:
        mongodb:
          condition: "service_started"
        datanode:
          condition: "service_started"
      entrypoint: "/usr/bin/tini --  /docker-entrypoint.sh"
      environment:
        GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/data/node-id"
        # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
        GRAYLOG_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}"
        GRAYLOG_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2:?Please configure GRAYLOG_ROOT_PASSWORD_SHA2 in the .env file}"
        GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
        GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
        GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      ports:
      - "5044:5044/tcp"   # Beats
      - "5140:5140/udp"   # Syslog
      - "5140:5140/tcp"   # Syslog
      - "5555:5555/tcp"   # RAW TCP
      - "5555:5555/udp"   # RAW UDP
      - "9000:9000/tcp"   # Server API
      - "12201:12201/tcp" # GELF TCP
      - "12201:12201/udp" # GELF UDP
      #- "10000:10000/tcp" # Custom TCP port
      #- "10000:10000/udp" # Custom UDP port
      - "13301:13301/tcp" # Forwarder data
      - "13302:13302/tcp" # Forwarder config
      networks:
        - graylog
      volumes:
        - "graylog_data:/usr/share/graylog/data/data"
      restart: "on-failure"
  
  networks:
    graylog:
      driver: "bridge"
  
  volumes:
    mongodb_data:
    mongodb_config:
    graylog-datanode:
    graylog_data:
  

• .env：

  # You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
  # Generate one by using for example: pwgen -N 1 -s 96
  # ATTENTION: This value must be the same on all Graylog nodes in the cluster.
  # Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)
  GRAYLOG_PASSWORD_SECRET=""
  
  # You MUST specify a hash password for the root user (which you only need to initially set up the
  # system and in case you lose connectivity to your authentication backend)
  # This password cannot be changed using the API or via the web interface. If you need to change it,
  # modify it in this file.
  # Create one by using for example: echo -n yourpassword | shasum -a 256
  # and put the resulting hash value into the following line
  # CHANGE THIS!
  GRAYLOG_ROOT_PASSWORD_SHA2=""
  

解析

核心服務與持久化 Volume

• MongoDB：官方配置獨立的資料卷 mongodb_data 與 mongodb_config，將資料與配置數據分開持久化，避免資料損壞與災難時一併影響兩者。
• OpenSearch DataNode：專用 opensearch_data 卷，保證索引資料安全。
• Graylog：資料與日誌存儲於 graylog_data，增強容器重建時資料保留。

透過明確的卷掛載，提升資料隔離與恢復能力，符合生產環境持續營運需求。

服務啟動依賴與重啟策略

使用 depends_on 並包含 condition: service_started，確保 MongoDB 和 OpenSearch 完全啟動後，Graylog 才會啟動，避免因依賴服務未就緒造成錯誤。

所有服務設定 restart: unless-stopped，確保容器異常退出後自動重啟，提高系統可用性。

環境變數：安全密鑰與參數管理
GRAYLOG_PASSWORD_SECRET 與 GRAYLOG_ROOT_PASSWORD_SHA2 是 Graylog 的身份與管理密鑰，務必使用強隨機值生成，保持資訊安全。

OpenSearch 採用 OPENSEARCH_PASSWORD 作為管理密碼，搭配 plugins.security.disabled=true 禁用複雜安全設定，方便開發或測試使用，如需生產環境請進行更嚴密設置。

明確指定 Graylog 連接 MongoDB 和 OpenSearch 的 URI，確保容器間通訊正常。

資源限制與系統參數優化

配置 ulimits（如 memlock、nofile）提升系統文件打開數與鎖定記憶體能力，避免 OpenSearch 因系統限制導致異常。

使用 tini 作為 init 進程，優化容器信號處理與退出流程，減少潛在死鎖風險。

網路與埠口設計

所有服務共用 graylog 自訂 docker network，便利服務間溝通與未來拓展。

Graylog 容器開放多個 UDP/TCP 埠口（12201、1514、5044 等），支持多種日誌輸入協定（GELF、Syslog、Beats、RawTCP），便於快速擴充日誌收集來源。