|
|
8 {% r1 k3 g+ L8 A- E+ U; B
5 m* f; G$ R! w0 Z1 c4 h3 Q2 V% M
elasticsearch8版本安装详细步骤
# t2 Y+ _( M1 [# F, K( B1 T- L3 a, b. q, Q' E* S% s
1、设置虚拟内存
sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
: p* z) k& t% E& T% \) h! v, d X% \
2 t* A# ~0 q$ Z+ S5 c
. `0 R, y# t& q/ v
7 Y# q" I7 Y. O- f6 ~6 }: q
加入:vm.max_map_count=262144
使配置生效:sysctl -p
* J" a/ U$ m x, h
2、设置文件打开数:
cat >>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
% |8 J* N! {4 c; o
* A* h# L3 X7 R* K2 q# k8 N$ ]! ~
- c* i' m# X1 [- N3 z; m- ~
( d& ?! A% [9 B
设置pam配置:
echo "session required pam_limits.so" >> /etc/pam.d/login
0 i X/ o: X1 S% F9 j
( S4 ^% k* e& w. ~/ B7 k* b- d
/ h$ r5 o& h6 ^! `4 J- r4 J+ T% Z2 l! g0 U
3、禁用swap交换分区
swapoff -a #临时禁用
vi /etc/fstab #永久禁用
找到swap这一行,在前面加上#符号将其禁用掉
2 f$ |# g" W$ B# L- Q: J& C
# d6 Q; M4 E# A/ q7 A8 R! Q+ {1 _. P+ B. Y; d+ i& `+ A
4、设置TCP重传超时
sysctl -w net.ipv4.tcp_retries2=5
编辑配置文件:echo "net.ipv4.tcp_retries2 = 5" >> /etc/sysctl.conf
9 V5 T' F, j3 w- c2 r. T$ I1 }2 r* f! H2 z& @) J
5、创建一个用户
useradd es
+ G& R! b# b& ~" z6 j7 N2 q8 Z0 u
$ b) Q# [3 @# b' D
6、创建安装目录
mkdir /data/elasticsearch/
mkdir /data/elasticsearch/elastic-cluster1
, J9 x8 g% V2 U7 u
2 v- f% E5 B; b
mkdir /data/elasticsearch/elastic-cluster2
# S: n5 X( r& y0 i: o* j' `! H2 W3 r* n
4 {, x' ?; D8 y. g t" @6 P( L/ C9 @' \9 _
" @' t& j s- o; Q1 @6 Y0 T$ x& E4 ?- n+ z7 S: L9 B! B
[root@it-elassearch ~]# ls -p /data/elasticsearch
elastic-cluster1/ elastic-cluster2/
+ N1 V" c | W+ X! y7 M$ o+ b$ b
. Y {& n. r* ~# | k& \
1 [( b4 X! m5 _/ _9 |
: I; ^, g% [# Y F6 u+ v2 N5 b; Z; k" `
8 b9 R# ^4 z: M4 h3 p$ Z7 `% q& D5 m1 S0 |* {+ i
7、下载官网安装包
官网下载地址,选择对应版本的elasticsearch和kibana:https://www.elastic.co/cn/downloads/past-releases#elasticsearch
https://www.elastic.co/cn/downloads/past-releases#elasticsearch
0 r' o; x# l7 y+ R j6 j& V ?* z
I- \/ h5 J! V! h* p4 w% e) C: X' l4 C- y5 ~- L
[root@it-elassearch-2 ~]# chown es:es elasticsearch-8.15.0-linux-x86_64.tar.gz
[root@it-elassearch-2 ~]# mv elasticsearch-8.15.0-linux-x86_64.tar.gz /data/elasticsearch/
; z! r! |* Y5 A# W
+ Y7 R2 I; ]; G% T+ w* r, f Z
切换到es账号:
) N( Q' U0 S& T9 j" O# f
7.1 解压:安装包已放到安装目录下,解压到 /data/elasticsearch/elastic-cluster1/ 目录下
6 K1 A& v) e0 `
/ S( o" P+ ]4 q: A
cd /data/elasticsearch/elastic-cluster1
[es@it-elassearch elastic-cluster1]$ ls
i% j2 s( R& S& N
elasticsearch-8.15.0-linux-x86_64.tar.gz
& a! _1 A$ |" ~0 I" q( ]% a
- o) p% G" z1 V* C
cd /data/elasticsearch/elastic-cluster2
[es@it-elassearch-2 elastic-cluster2]$ ls
elasticsearch-8.15.0-linux-x86_64.tar.gz
- f+ }, t. A; \! K! I! E% ~8 @7 M
解压:
' b1 }2 ]2 y5 {$ K+ _& l) I$ U
[es@it-elassearch elastic-cluster1]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz
9 A9 k3 e& q$ _2 }) D
* ^% f; g0 C1 Z' b9 d
& R9 w* a! _: V, y3 G% G0 m# ~/ i2 [2 ~5 F
[es@it-elassearch-2 elastic-cluster2]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz
( }: R: c0 Y: F/ P% o
进入对应目录下:cd /data/elasticsearch/elastic-cluster1
3 p+ q7 M) {: B$ U$ Z P: A
' L, }; h* ]2 s" ^
配置es参数文件:
- c% h# \4 w8 q
节点一配置:
#vim elasticsearch-8.15.0/config/elasticsearch.yml

cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false

注:xpack.security.enabled: false 加上 network.host: 0.0.0.0 意味着 9200/9300 端口对所有能访问到本机的主机开放且无需认证,这种配置只适合隔离的测试环境,线上请使用下面的鉴权配置。
4 d' a/ O0 K2 t- O+ |( a3 u! K' R" R" \
' I5 M. l5 \8 x y4 }" G
下面是加鉴权的配置:
cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12

注:http.cors.allow-origin: "*" 允许任意来源的网页跨域访问集群,只在需要浏览器端工具时开启,并尽量改为具体的来源地址;verification_mode: certificate 只校验证书是否由受信 CA 签发、不校验主机名,这与下面生成证书时不填写 IP/DNS 相对应。
0 a+ d7 I0 w9 b1 j( A( c
: S4 o; S- L! _$ p/ u( v x% d: ~2 I7 A" ~, l# A2 y* X- M2 k- ^
节点二配置
#vim elasticsearch-8.15.0/config/elasticsearch.yml

cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false
# j+ `) v& V7 N, L
9 i, a$ E {4 B& T) O! h' O v. [- K2 W/ P
下面是鉴权的配置:
cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
+ g. A4 ]( x3 s7 I( a0 F
. G; \" i s8 v/ x% o+ ?
* I1 m. X1 P( H0 i0 \0 `
0 n$ g2 T, p( _6 G, n
JVM堆内存大小设置
设置内存大小:
( E5 E7 ?; z- d1 y% N2 J( g4 w$ s8 ?. x; ]: }% x
$ L% |- m, j4 u" B1 v* _/ N9 B5 L/ C& W8 `8 ?
: @# _8 a! Y6 u# S+ f
vim elasticsearch-8.15.0/config/jvm.options
3 o, b% I) y. q
5 F7 E3 Z! h& `3 E6 Q& G- L
$ `. k& C, Q; {8 v+ t; ], Y# Y! _0 r$ S% s. M
-Xms4g
-Xmx4g
" ~" k& q9 }! O2 N( a3 E. x' y. m) |
2 [/ ?$ [4 l" L/ ^
' T7 o# {! V8 O+ x5 d
实际业务线上环境,建议所有Elasticsearch节点都是独立节点,不要部署其他程序、其他后台进程,以提高性能。如果内存足够大,比如:128GB、256GB,单节点是浪费,建议通过虚拟化方式切分开。
2 n7 ?+ E4 s" Q8 b. v. @9 V+ j) Z5 M! Z- Q2 a' }
0 A# q1 `8 N% @/ h3 M$ o, S
|/ ^& Z1 K9 N! j% h" [& V* z
' c) Y/ |1 `# u, V
, G% g/ S0 K0 K; ^! \4 K9 F, b# [& J" b, u4 r
解释:
* q! a/ @" E$ @4 O5 Y
8 z6 \9 W4 c/ S: ]: ^
目录结构
Type Description Default Location Setting
home Elasticsearch 主目录或 $ES_HOME Directory created by unpacking the archive
bin 二进制脚本,包括用于启动节点的 elasticsearch 和用于安装插件的 elasticsearch-plugin $ES_HOME/bin
conf 配置文件,包括但不限于elasticsearch.yml $ES_HOME/config ES_PATH_CONF
conf 为传输层和 HTTP 层生成 TLS 密钥和证书 $ES_HOME/config/certs
data 节点上分配的每个索引/分片的数据文件的位置 $ES_HOME/data path.data
logs 日志文件位置 $ES_HOME/logs path.logs
plugins 插件文件位置。每个插件将包含在一个子目录中 $ES_HOME/plugins
repo 共享文件系统存储库位置。可以容纳多个位置。文件系统存储库可以放置在此处指定的任何目录的任何子目录中 Not configured path.repo
7 W }* ?2 [3 ~9 e8 S, P7 S3 I: j6 g R( @3 _( w5 F- f6 b
集群名称设置:cluster.name:
节点名称:node.name:
网络主机设置:network.host:
发现形成集群:discovery.seed_hosts:
选举主节点master资格的节点:cluster.initial_master_nodes:
设置集群间通信端口:transport.port:
设置数据存放位置:path.data:
设置日志存放位置:path.logs:
$ K$ O$ z; Q/ _' J+ U
cluster.name: CollectorDBCluster
path.data: /data/elasticsearch/data
path.logs: /data/cusc-logs
network.host: 10.153.61.71
http.port: 9200
node.name: node-1
cluster.initial_master_nodes: ["node-1"]
各配置项含义:
cluster.name 集群名称,各节点配成相同的集群名称。
node.name 节点名称,各节点配置不同。
node.master 指示某个节点是否符合成为主节点的条件。
node.data 指示节点是否为数据节点。数据节点包含并管理索引的一部分。
path.data 数据存储目录。
path.logs 日志存储目录。
bootstrap.memory_lock 内存锁定,是否禁用交换。
bootstrap.system_call_filter 系统调用过滤器。
network.host 绑定节点IP。
http.port 端口。
启动集群:
Z$ R% C1 f1 k! q
& @0 T5 E9 Z+ h- P4 s( r& h# ^* m
# k8 @1 L$ }+ b1 c- T% F0 N8 p- `
配置文件属组权限,并启动
[root@it-elassearch elasticsearch]# chown -R es:es elastic-cluster1/
[root@it-elassearch-2 elasticsearch]# chown -R es:es elastic-cluster2/
3 }+ ^% Q3 a2 f+ i" G3 Z6 u9 l5 G Q" p/ Q6 W4 ^# _
如果直接用es账号配置的,可以不做上面的操作。
; F; v" [, c) I4 }
; D% L: n, j4 I$ P
3 c) m; b$ {0 M0 c3 w/ m% ?1 R) U
如果添加鉴权配置请按照此处配置,不配置即可略过:
* i; s1 X( t4 {& r; P
6 r, G9 E, q' f8 A2 O2 S& ]* w
es开启认证详细步骤:
Q# |, J) ]) }& I8 J: b/ Z( p) H _% T4 G0 S/ z1 I9 H
1、生成证书:
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.


The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 【直接回车】
Enter password for elastic-stack-ca.p12 : 【输入密码】
! `4 `$ T; Z$ l" M/ ~9 s* E" o3 |% A4 d" O& y
完成后会生成elastic-stack-ca.p12 文件(其中包含 CA 私钥)
. f9 S P) s" p! r" i9 E. f/ X& |: ]- A. U- Y1 }) K8 f$ Q, }. S: o
8 Y X4 X0 A4 A6 v& {! q
2、生成密钥:
! s" Y5 S5 `- Z' }9 H# `6 |
; I1 \- B; _, [3 y6 D: T6 |
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
      on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
      instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
      the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Enter password for CA (elastic-stack-ca.p12) : 【输入密码】
Please enter the desired output file [elastic-certificates.p12]: 【直接回车】
Enter password for elastic-certificates.p12 : 【输入密码】
Certificates written to /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/elastic-certificates.p12
7 p+ i- G" m3 q, T
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

此操作中间需要输入刚才设置的密码,直接输入即可;需要输入路径的地方可以不输入,直接回车就会在当前目录下生成一个文件:
elastic-certificates.p12
! p# g, l- f A e% x6 X
* \$ n$ ^1 l2 s! f$ p \. t0 K8 y, A$ g0 V
3、将凭证移至相应的目录即可:
/ I. Y% Y* I3 Z$ o1 Z
" {* {2 v% ?3 F' j+ h! ?
##将凭证迁移到指定的目录:
创建目录:
mkdir -p ./config/certificates/
移动凭证到指定目录下:

[es@it-elassearch elasticsearch-8.15.0]$ mv elastic-certificates.p12 elastic-stack-ca.p12 ./config/certificates/
: C; C' y' K% A' H/ f0 j& v. ~$ o# n6 h$ {, n
6 S" p* m6 d$ h V
4、复制凭证到每个节点上:(使用scp或者rsync方式即可)
注:节点配置只引用了 elastic-certificates.p12;elastic-stack-ca.p12 含有 CA 私钥,并不需要同步到其他节点,建议单独妥善保管。
[es@it-elassearch elasticsearch-8.15.0]$ rsync -azvP -e 'ssh -p 60028' config/certificates/ es@172.24.110.126:/data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/
es@172.24.110.126's password:
sending incremental file list
./
elastic-certificates.p12
          3,596 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=1/3)
elastic-stack-ca.p12
          2,672 100%    2.55MB/s    0:00:00 (xfr#2, to-chk=0/3)


sent 6,314 bytes received 57 bytes 1,415.78 bytes/sec
total size is 6,268 speedup is 0.98
N7 c4 O; f1 c
! j3 v+ V @$ h% t% Y8 b- T" q
5、修改配置文件:
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
. O" P0 P9 c; N) e
鉴权一样需要切换到es账号:
/ K+ M- ?7 B1 Q. R/ H, R, Y" c* H; I, a2 I
+ A3 e6 W3 a) O# k" L
在各个节点上添加密码:
, w2 D7 a- m% M
& B& m9 ^" j" f! v. @
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
Enter value for xpack.security.transport.ssl.keystore.secure_password:
0 G F4 I9 t" L- k6 z4 Y5 h
0 ~, V N6 K8 Q5 O" z) o
输入密码:输入上面为 elastic-certificates.p12 设置的密码
# u- ^. _! W) U. f( @! ^
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password:
% m. ^ m g+ P. f
输入密码:再次输入上面的密码(truststore 与 keystore 指向的是同一个 .p12 文件)
接下来和没有做鉴权的一样,逐个启动集群:
+ i7 Z, H, O' ]( D
2 w; f2 s& S0 J6 m4 l0 o! }; `, f, A$ p
切换到其它用户,root用户不能启动ES:su es
0 Y1 P& e, y- A8 d+ h: ]
[es@it-elassearch elasticsearch-8.15.0]$ bin/elasticsearch -d
.......
Oct 24, 2024 5:33:34 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
[2024-10-24T17:33:40,246][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using native vector library; to disable start with -Dorg.elasticsearch.nativeaccess.enableVectorLibrary=false
[2024-10-24T17:33:40,727][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using [jdk] native provider and native methods for [Linux]
[2024-10-24T17:33:41,119][INFO ][o.a.l.i.v.PanamaVectorizationProvider] [it-elassearch] Java vector incubator API enabled; uses preferredBitSize=128; floating-point vectors only
[2024-10-24T17:33:42,185][INFO ][o.e.n.Node ] [it-elassearch] version[8.15.0], pid[8520], build[tar/1a77947f34deddb41af25e6f0ddb8e830159c179/2024-08-05T10:05:34.233336849Z], OS[Linux/3.10.0-1160.24.1.el7.x86_64/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/22.0.1/22.0.1+8-16]
.......
[2024-10-24T17:34:27,594][WARN ][o.e.c.c.ClusterFormationFailureHelper] [it-elassearch] master not discovered yet, this node has not previously joined a bootstrapped cluster, and this node must discover master-eligible nodes [it-elassearch, it-elassearch-2] to bootstrap a cluster: have discovered [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}]; discovery will continue using [172.24.110.126:9300] from hosts providers and [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}] from last-known cluster state; node term 0, last-accepted version 0 in term 0; for troubleshooting guidance, see https://www.elastic.co/guide/en/ ... roubleshooting.html
[2024-10-24T17:34:27,609][INFO ][o.e.h.AbstractHttpServerTransport] [it-elassearch] publish_address {172.24.110.125:9200}, bound_addresses {[::]:9200}
[2024-10-24T17:34:27,637][INFO ][o.e.n.Node ] [it-elassearch] started {it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}{ml.max_jvm_size=4294967296, ml.config_version=12.0.0, xpack.installed=true, transform.config_version=10.0.0, ml.machine_memory=8200949760, ml.allocated_processors=4, ml.allocated_processors_double=4.0}
' ?: E1 L4 I/ u# t% t
, W% ?- i: X: j( x# ?- r# @5 \* q) }4 \ ?/ N
0 A/ D4 ?, g" V
5 A7 s! J' Z7 o# K
+ C' w0 U* Q( S" ~+ Q- r3 Z6 q% {. _* Y
[es@it-elassearch elasticsearch-8.15.0]$ netstat -ntlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:60028 0.0.0.0:* LISTEN -
tcp6 0 0 :::9300 :::* LISTEN 8520/java
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::60028 :::* LISTEN -
tcp6 0 0 :::9200 :::* LISTEN 8520/java
% D0 E+ j! |2 D& J6 \, P' ]6 B, D" n L/ [* j, L" B" L
' f% m8 L0 k* S5 @" B; g6 r# r0 Z" h G
( i$ \4 i) l! @) a) A' B; ^
[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana
ERROR: [xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token, with exit code 78

在elasticsearch-8.15.0/config/elasticsearch.yml 添加配置:
7 |* U, \ H. M2 {9 s! B# @* Q
[es@it-elassearch-1 elastic-cluster1]$ vim elasticsearch-8.15.0/config/elasticsearch.yml
; u3 G0 r# o* b! {1 [6 s
xpack.security.enrollment.enabled: true
2 a: }) B }5 L; U- w* f2 N( S7 T# T: A- x5 t- Q1 I5 p
* J) Y" d8 Y4 i3 Z# `
保存再次执行:
6 s0 F) v: Y4 E' U4 @" J( ^& i, e+ D: l0 B- A- m
u# M* z& o, G: U' _0 j- D
4 G2 j6 a/ {5 I3 r+ [- b! R9 G) Y
* N/ J2 C0 b5 P4 |- J1 j' |- O8 N2 l" i
[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana
Unable to create enrollment token for scope [kibana]
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore, with exit code 73
上面的报错说明 enrollment token 依赖 HTTP 层的 TLS(xpack.security.http.ssl.*),而本文只配置了传输层 TLS,需要先为 HTTP 层配置证书才能生成 token。如果你的kibana不在同一台主机上,就需要加上http或https的访问地址来生成,用""括起来。
1 q# l: |- \- ?! a8 I8 |$ w. Y% o
6 [' @ V9 l4 g4 u! _! G
- [! i& s. c$ h$ q! h) S9 H
% ?0 k: n' o7 @& x/ u" C
1 V5 ^# D& x+ _
4 H' \1 q# o0 \2 Z- M
|
|