|
|
" V1 g# L3 Z# y4 L# r+ E/ I; V
, }! X. R. }0 d( H7 ]# l; B
elasticsearch8版本安装详细步骤
2 x" h5 Y& y6 b3 J# f5 r, G7 B. B* w" T3 a( z
6 [4 m Y: h- R$ Q
1、设置虚拟内存
sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
(以上两种写法等价,二选一即可,不要重复追加)
& s9 i# V2 r: v0 j) R2 } a* R$ X2 G7 q+ d, F) n
; w, F+ ]& n) y- I; E4 R9 Q) g. E6 j1 r/ Z6 l
, d7 Y# x0 F* w2 M% U$ O6 F: |4 Z
加入:vm.max_map_count=262144
使配置生效:sysctl -p
. e8 c* K& r% ?; E0 R% c) G8 L
" G- l' e# z$ D) K2 `% t2 m- ^. M+ d
2、设置文件打开数:
cat >>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
% _3 ~) [. [. t5 D
" W/ \9 o+ O, Q! G# M6 @7 T6 Y
6 [7 w8 Q4 p( A3 c
设置pam配置:
echo "session required pam_limits.so" >> /etc/pam.d/login
(pam_limits 按 PAM 服务生效,若通过 ssh 登录启动 ES,请确认 sshd 对应的 PAM 配置也加载了 pam_limits.so;可在切换到 es 账号后用 ulimit -n 核对)
" f* Q) k+ i2 D8 G4 f% R' X
7 e* B9 n) E K( L- w4 e5 F. l/ F! ]! a
) y4 E# b+ @# M. {/ }; j l
3、禁用swap交换分区
swapoff -a #临时禁用
vi /etc/fstab #永久禁用
找到swap这一行,在前面加上#符号注释掉
! x, S4 l6 f: c
$ }/ I6 l, N% M" T* w# {, ]$ U) j6 t! e, x& `# p
4、设置TCP重传超时
sysctl -w net.ipv4.tcp_retries2=5
编辑配置文件:echo "net.ipv4.tcp_retries2 = 5" >> /etc/sysctl.conf
" v) ^' v4 t$ i$ p) ^ \7 y9 }
* c1 U2 Z* j, ^5 F8 C4 P6 c+ O1 C, B6 i( o
5、创建一个用户
useradd es
; X$ o+ I9 {; x# M
& R* _- P5 Y2 L8 T
6、创建安装目录
mkdir /data/elasticsearch/
mkdir /data/elasticsearch/elastic-cluster1
mkdir /data/elasticsearch/elastic-cluster2
) C, n: L4 p. a3 S2 p
0 c3 {% Y; b3 d2 Q' d+ E2 H8 H& i5 f9 @- l
) C* [- h4 U4 S) ]. o
% w4 `. b0 ?; G6 G% u6 X
4 w. L) {- R# K; h9 l% F& ^) ~4 p9 I r n1 H* z
[root@it-elassearch ~]# ls -p /data/elasticsearch
elastic-cluster1/ elastic-cluster2/
& i# M% ^. t; d9 v! ^. @
. {& z2 K$ }3 y1 V7 k7 O: k: {8 d
4 q, A+ r+ z" H- P
+ d( g! q; O$ [/ I5 {+ p4 s8 E+ q w
$ o$ s2 j5 h5 C2 G3 s6 i
! Y+ Q4 F& m; d% i# j* x
7、下载官网安装包
官网下载地址,选择对应版本的elasticsearch和kibana:https://www.elastic.co/cn/downloads/past-releases#elasticsearch
(下载后建议先核对官网同页面提供的 sha512 校验值再解压,确认安装包未被篡改)
2 b# Q. b9 c1 \" c* u: m! j
[root@it-elassearch-2 ~]# chown es:es elasticsearch-8.15.0-linux-x86_64.tar.gz
[root@it-elassearch-2 ~]# mv elasticsearch-8.15.0-linux-x86_64.tar.gz /data/elasticsearch/
# ~$ v1 i1 T' h7 E% A
切换到es账号(su es):
( e& Z/ [+ o% j+ ^- [2 j/ U q9 e3 p, C( z
& Y! W" n G6 S
7.1 解压:我的安装包已放到对应目录下,节点一解压到/data/elasticsearch/elastic-cluster1/目录下(节点二对应/data/elasticsearch/elastic-cluster2/)
4 A- k2 U$ m: g7 b! a
% a2 d1 V, p0 r, _, f* m: o8 }: w
cd /data/elasticsearch/elastic-cluster1
[es@it-elassearch elastic-cluster1]$ ls
elasticsearch-8.15.0-linux-x86_64.tar.gz

cd /data/elasticsearch/elastic-cluster2
[es@it-elassearch-2 elastic-cluster2]$ ls
elasticsearch-8.15.0-linux-x86_64.tar.gz
. X( J5 L4 L# L6 c5 C0 E
: C* V- q7 T4 e. i) L
解压:
, z6 k6 ], n0 @4 ? \7 |2 o' X f8 q7 A9 p" V6 d* a# U1 H! @' I/ X
[es@it-elassearch elastic-cluster1]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz
& F, [- o( G, q! E2 f
" A- [2 r& s" N) W9 f( @9 @ b
8 F* N" B, u. n) x4 l: X1 o$ T, P ?; C6 W0 K
[es@it-elassearch-2 elastic-cluster2]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz
0 l# O7 Y3 g Z- _* E; O
8 V3 t* n7 h9 c( a
进入对应目录下:cd /data/elasticsearch/elastic-cluster1
3 i- q- u0 S+ r [
0 _1 D* ?0 k* D9 B
配置es参数文件:
+ i; W3 ~' i- h1 R$ z) z+ i0 T6 `. v) Q& X3 n5 a* O
+ h1 s: z* C2 o: }$ d
节点一配置:
#vim elasticsearch-8.15.0/config/elasticsearch.yml
cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true
xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false
说明:这份配置关闭了安全功能且监听 0.0.0.0,9200/9300 端口对所有可达网络无认证开放,只适合隔离的测试环境,生产环境请使用下面带鉴权的配置。path.data/path.logs 写成相对路径时,实际落盘位置取决于启动方式,建议改为绝对路径。
; K) a) X7 B, W5 U% W4 ?$ w* W) n6 A3 u
下面是加鉴权的配置:
cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
说明:http.cors.allow-origin: "*" 允许任意来源的浏览器页面跨域访问,建议收紧为 Kibana 等前端的实际来源;verification_mode: certificate 只校验证书链、不校验主机名,若证书签发时填写了节点 IP/DNS,可改为 full;这份配置只开启了 transport 层 TLS,未配置 HTTP 层 TLS(xpack.security.http.ssl.*),9200 上的认证凭据仍为明文传输,后文生成 enrollment token 报错也是这个原因。
% ]' t+ R2 e) _
! P% e( `& c. [7 V8 K5 B2 R% j0 \; @% k0 A2 U/ F
节点二配置
#vim elasticsearch-8.15.0/config/elasticsearch.yml
cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true
xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false
& n# o( ^1 X) g @
" q- h2 W0 G% j+ v+ Z
下面是鉴权的配置:
cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
. B3 f, S% P: @: v/ N, W
8 x5 K+ X; t7 d) F) b% i; X# O9 B/ N; {4 h8 o u B9 m
0 S- ~- l; Z4 P! e! [# Y8 `
JVM堆内存大小设置
设置内存大小:
) e1 n/ u) E9 O A/ ~/ L4 C; M, n0 B6 t- T) K, B" M
3 d/ b# @3 t0 i( t! P; m1 x+ \
, \" R' S5 Q& X+ j8 e$ g0 _( r/ m7 w' }
2 x: U3 e# ^( U! Y
vim elasticsearch-8.15.0/config/jvm.options
% B* Q! d: Z( A" ]! L3 O* R! J, O. \) D& ?+ V: H
( t) u! @/ {8 y* L8 Y( g
5 ?( Z! P7 [9 m; R
3 y( b* O# E% Q9 h
-Xms4g
-Xmx4g
0 [' d: P' d3 |0 P; v$ z) y1 K. X# i8 b1 L
" U {1 V' c" D/ Q0 N8 A! |9 O- r( {1 w% B0 x0 z0 S, V( E" l5 _
实际业务线上环境,建议所有Elasticsearch节点都是独立节点,不要部署其他程序、其他后台进程,以提高性能。堆内存(-Xms/-Xmx)一般设为相同值且不超过物理内存的一半,也不要超过约31GB(超过后JVM无法使用压缩指针),其余内存留给文件系统缓存。因此如果内存足够大,比如:128GB、256GB,单节点是浪费,建议通过虚拟化方式切分开。
9 l" t% x" i0 O3 ]8 N4 c" Z% R- G
) N4 G! a9 ^ }( `2 C0 `
, Z1 I7 n% X4 B% I1 U5 A+ H9 u, R5 n( e7 T, w6 B- s* h2 Z- E
( [: O- o" P+ M- b+ V9 H& ^, z% r# a
* q# D- E+ Z3 w: L; B( ?) [
解释:
目录结构
Type Description Default Location Setting
home Elasticsearch 主目录或 $ES_HOME Directory created by unpacking the archive
bin 二进制脚本,包括用于启动节点的 elasticsearch 和用于安装插件的 elasticsearch-plugin $ES_HOME/bin
conf 配置文件,包括但不限于elasticsearch.yml $ES_HOME/config ES_PATH_CONF
certs 为传输层和 HTTP 层生成的 TLS 密钥和证书 $ES_HOME/config/certs
data 节点上分配的每个索引/分片的数据文件的位置 $ES_HOME/data path.data
logs 日志文件位置 $ES_HOME/logs path.logs
plugins 插件文件位置。每个插件将包含在一个子目录中 $ES_HOME/plugins
repo 共享文件系统存储库位置。可以容纳多个位置。文件系统存储库可以放置在此处指定的任何目录的任何子目录中 Not configured path.repo
. t0 q l$ L# U" x, W* F! h8 Q5 j) E* D9 C7 Z& R- k8 n! s
集群名称设置:cluster.name:
节点名称:node.name:
网络主机设置:network.host:
发现并形成集群:discovery.seed_hosts:
有资格参与选举主节点master的节点:cluster.initial_master_nodes:
设置集群间通信端口:transport.port:
设置数据存放位置:path.data:
设置日志存放位置:path.logs:
1 f1 ]- v7 u$ `) S V2 Z+ q5 ?
cluster.name: CollectorDBCluster
path.data: /data/elasticsearch/data
path.logs: /data/cusc-logs
network.host: 10.153.61.71
http.port: 9200
node.name: node-1
cluster.initial_master_nodes: ["node-1"]
各配置项含义:
cluster.name 集群名称,各节点配成相同的集群名称。
node.name 节点名称,各节点配置不同。
node.master 指示某个节点是否符合成为主节点的条件。
node.data 指示节点是否为数据节点。数据节点包含并管理索引的一部分。
(node.master/node.data 是 7.x 的旧参数,8.x 中已由 node.roles 取代,配置文件里应保持注释或删除)
path.data 数据存储目录。
path.logs 日志存储目录。
bootstrap.memory_lock 内存锁定,是否禁止进程内存被交换到swap。
bootstrap.system_call_filter 系统调用过滤器(8.x 中该项已移除,过滤始终开启)。
network.host 绑定节点IP。
http.port 端口。
" V. o( U, ?$ H4 J& I6 d' X( ?) o/ H: ~$ {' {1 Y6 x7 Z
启动集群:
% z: D0 o6 N/ b6 g
& G9 H# U, A2 ] k5 p( C) a1 Z, }7 B; T1 ^9 R- U8 o- q7 D
# \' I& z% K8 Q
% f1 Y8 S# ^; @+ i' X
配置文件属组权限,并启动
[root@it-elassearch elasticsearch]# chown -R es:es elastic-cluster1/
[root@it-elassearch-2 elasticsearch]# chown -R es:es elastic-cluster2/
# U; c$ |6 z2 F/ T
- w" ^; U- x! a/ |3 A {
如果前面就是直接用es账号配置的,可以不做上面的操作:
1 }- f" F. M) w; k, @$ G7 @& S2 b7 T( c& d. k% L9 ~
$ {, ^- K+ U4 a1 g( R: F: }
+ Y% r$ X, G0 b& U! e0 z' v# l9 O
如果要添加鉴权配置请按照此处配置,不配置即可略过:
/ q- m% A1 i3 s% y' T/ ^2 j! e7 d: s- g1 n' i/ x& E1 O
es开启认证详细步骤:
5 j! M) q3 Y# P; b T7 \5 G- Z$ u( z. g" E5 ^3 J* t' c9 g: v
1、生成证书:
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 【直接回车】
Enter password for elastic-stack-ca.p12 : 【输入密码】
+ X B7 e8 |' }5 d) f0 f6 |
完成后会生成elastic-stack-ca.p12 文件(其中包含CA私钥,请妥善保管,不要随意分发)
2 x+ N# F3 M- |# V4 f$ k2 N4 Z& Z" U) T9 b8 B' V9 }
% S& k7 r- j2 m! W! {2 \1 w( S
2、生成密钥:
) i7 H( h& V/ n9 Z; U7 W1 m
; I- T* d5 D `8 L- T0 q( B2 T
! F+ Z" L$ ~; p0 C! ?" ]0 I[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
$ h( m" \/ i& i5 g* a7 f, P$ tThis tool assists you in the generation of X.509 certificates and certificate
. ~) q# g W. i" D% z. [% |# msigning requests for use with SSL/TLS in the Elastic stack.3 x2 B, l/ P% j* K& Q
' ^' c; k$ g5 ~# m' pThe 'cert' mode generates X.509 certificate and private keys.: L; w( j% x6 L1 s9 |
* By default, this generates a single certificate and key for use5 L5 a. F, m3 Z8 E3 H* f
on a single instance.. v( ?5 Z: b/ u3 X' D. n B
* The '-multiple' option will prompt you to enter details for multiple( I0 M7 f8 q2 \" W4 u: r) p
instances and will generate a certificate and key for each one
9 s8 d; u+ K( K/ `; h * The '-in' option allows for the certificate generation to be automated by describing3 X" s! x9 a6 r. @/ J/ [
the details of each instance in a YAML file7 g( X- N% A' z% f B; K
9 e. ]& Z6 `7 O2 [# u- B# `: u
* An instance is any piece of the Elastic Stack that requires an SSL certificate.5 N. Q I2 w1 X
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats3 l& `* r u( ^0 m0 W5 ]# K! U
may all require a certificate and private key.
& i- k' f# _. N/ t" x# e: q * The minimum required value for each instance is a name. This can simply be the
. ~; z* ^( l( w! n: b hostname, which will be used as the Common Name of the certificate. A full& u% o5 f9 `6 x) `
distinguished name may also be used.2 t7 G9 k. d4 U2 x; j' s
* A filename value may be required for each instance. This is necessary when the+ K$ y: @* @% W! i
name would result in an invalid file or directory name. The name provided here
! ?! h% f0 c2 z) v) ^8 c1 J is used as the directory name (within the zip) and the prefix for the key and+ G) f! Z6 G: M6 `
certificate files. The filename is required if you are prompted and the name
4 i, w" J4 c L% A+ ~ is not displayed in the prompt.
0 t1 w( K- g* {% A' P" R6 ~- R' G * IP addresses and DNS names are optional. Multiple values can be specified as a e5 }, Z) Z ]9 r) k- m9 i- _
comma separated string. If no IP addresses or DNS names are provided, you may
7 D& z! b% ^3 Y0 N disable hostname verification in your SSL configuration.% e5 T5 C" s- K( ]
8 m9 _' S! J: J' g: d3 [ u+ n+ m- ~. T& h8 w% ]
* All certificates generated by this tool will be signed by a certificate authority (CA)
( H$ O0 X$ E+ B& G- N/ M unless the --self-signed command line option is specified.2 \4 F; d1 E) K; y$ c) o
The tool can automatically generate a new CA for you, or you can provide your own with
, F( ~% X6 Y) b! y5 [ the --ca or --ca-cert command line options.) K1 l& C( ?4 ?2 _
9 y4 j! O2 a% F" a0 G
7 J2 K9 v Y5 q; _+ aBy default the 'cert' mode produces a single PKCS#12 output file which holds:
3 j* Z+ X& n5 e- u4 l * The instance certificate' d6 P/ f P6 Z1 m7 q
* The private key for the instance certificate' D! ]! i h8 x- g8 X3 H
* The CA certificate* U1 H, f6 H: h% P
0 {6 X4 U* I2 J
If you specify any of the following options:
7 F4 r1 [. d' A * -pem (PEM formatted output) W, L9 D: t% ~, F( v* l6 F7 ? {
* -multiple (generate multiple certificates)5 f0 Y: F$ H6 w3 o! Y
* -in (generate certificates from an input file)
& Q1 w7 q4 b% G+ G" n3 A' S$ Lthen the output will be be a zip file containing individual certificate/key files
. @+ @0 X5 |! B. h' z2 r1 T
, `+ q- c" }* p C: g8 M: Z; t( F3 SEnter password for CA (elastic-stack-ca.p12) : 【输入密码】
" m- v. e# n+ s6 c7 H2 M n( OPlease enter the desired output file [elastic-certificates.p12]: 【直接回车】
$ m7 m4 q" D5 {' W* A" rEnter password for elastic-certificates.p12 : 【输入密码】( x, B u: h, i4 }3 \
1 n: q) i B. K* g8 R4 _Certificates written to /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/elastic-certificates.p12- S; R" T; {7 K- d* K {; I8 _
* {% F( z; v9 B) h2 |( pThis file should be properly secured as it contains the private key for
4 P1 @2 [7 k3 _+ y- M* myour instance.0 \" n+ t/ a# W& |6 L+ z9 _
This file is a self contained file and can be copied and used 'as is'5 d2 b; y! V+ D. C* m' V
For each Elastic product that you wish to configure, you should copy
. a% c" F+ L1 G1 zthis '.p12' file to the relevant configuration directory
& D9 _8 x3 {/ F) sand then follow the SSL configuration instructions in the product guide.
- z# F4 R5 {# | ^: @- h6 F. M% a
1 Z R6 ]2 ~1 X4 m% l( VFor client applications, you may only need to copy the CA certificate and0 i, v \; o! I- u/ \
configure the client to trust this certificate.
. ^9 y6 l1 r7 s# }$ Q7 [) t( w5 p# j: E- x
1 W, c( T% b5 l0 x/ x: a
此操作中间需要输入刚才设置的密码,直接输入即可;需要输入路径的地方可以不输入,直接回车就会在当前目录下生成一个文件:
elastic-certificates.p12
(按上面的方式生成时没有指定 --dns/--ip,证书里不含节点的主机名或IP,所以配置里的 verification_mode 只能用 certificate;若希望用 full 校验主机名,需在 cert 步骤加上 --dns 或 --ip 重新签发)
* N4 y" y& S' d8 e5 Y% c Q+ k
% s7 V V0 E: n/ Z2 k5 G* i; A/ Z* r. U8 _! f6 J: r, \
3、将凭证移至相应的目录即可:
##将凭证迁移到指定的目录:
创建目录:
mkdir -p ./config/certificates/
移动凭证到指定目录下:
[es@it-elassearch elasticsearch-8.15.0]$ mv elastic-certificates.p12 elastic-stack-ca.p12 ./config/certificates/
(节点运行只需要 elastic-certificates.p12;elastic-stack-ca.p12 含 CA 私钥,建议单独保存在节点之外,并对两个 .p12 文件执行 chmod 600 限制只有 es 账号可读)
" _" T5 F* h6 ]! a% L5 @
" v! n$ l2 W+ i3 Q9 F4、复制凭证到每个节点上:(使用scp或者rsync方式即可). Q, t( o: ]0 a: L
[es@it-elassearch elasticsearch-8.15.0]$ rsync -azvP -e 'ssh -p 60028' config/certificates/ es@172.24.110.126:/data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/# j, }' c, W4 j; m N! O% {" Q
es@172.24.110.126's password:
+ [. W; z7 d+ o3 w! Wsending incremental file list# d6 M. B+ J" Z* I9 H/ R; {
./
# N% j/ L% z1 O8 X% Relastic-certificates.p12
) U( z; n3 g: [, c+ U 3,596 100% 0.00kB/s 0:00:00 (xfr#1, to-chk=1/3)9 _5 y8 g1 x' u2 p9 Y
elastic-stack-ca.p12
5 X* r$ K( k) V( A2 f 2,672 100% 2.55MB/s 0:00:00 (xfr#2, to-chk=0/3)
# B X _6 Z5 o8 a, @8 C! P X
& Q% ^% l1 n; h J" [$ {6 E4 H
2 K9 ]! Z! R Rsent 6,314 bytes received 57 bytes 1,415.78 bytes/sec" x. I% u& M# H& Y$ b O) Y, b
total size is 6,268 speedup is 0.986 }0 H+ ?6 j( x& A' t" O2 [! U
1 w3 ], S/ z3 N/ S: o+ h* `& ^1 Q9 b( \) ]4 ^0 D- T* d t |
5、修改配置文件:
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
(注意:上面路径里的 elastic-cluster 要换成各节点的实际目录,节点一为 elastic-cluster1,节点二为 elastic-cluster2,与前文配置保持一致,否则节点启动时找不到证书)
0 z3 _% x+ u/ v4 z* H7 e! Y ?5 j/ t) x X j$ K
鉴权一样需要切换到es账号:
0 e Z1 _; F: M( F: n
" u3 I$ ]& G! [9 d: x' O在各个节点上添加密码:
1 u1 B6 y; x' m- S1 {8 D' q
5 X% O, R1 I3 f# U; f
/ D9 q" T% a8 T- [& X8 k2 ~2 `$ _
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
Enter value for xpack.security.transport.ssl.keystore.secure_password:
% X. Q- N) O* y2 [6 I3 ], O9 {3 h% C
) E" |2 J9 H- E- t/ ]1 h- ?8 i; J1 v/ H- W. o" T4 Q
输入密码:输入上面生成 elastic-certificates.p12 时设置的密码
+ }9 Y5 n( T: e8 Q1 @0 n3 E, e
$ J o1 C% R N# @% I
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password:

输入密码:再次输入同一个密码(keystore 和 truststore 指向的是同一个 elastic-certificates.p12 文件)
! M9 |& q. W. G% R; E" S# U
接下来和没有做鉴权的一样,逐个启动集群:
- I1 N+ d+ i5 O- `' Y6 f# i" b! } E/ Y) E4 U
切换到其它用户,root用户不能启动ES:su es
' z# A; |: s {1 F5 [6 M7 @/ A1 J% x5 @( d' [
# {9 S* \& ]7 x, u
[es@it-elassearch elasticsearch-8.15.0]$ bin/elasticsearch -d
.......
Oct 24, 2024 5:33:34 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
[2024-10-24T17:33:40,246][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using native vector library; to disable start with -Dorg.elasticsearch.nativeaccess.enableVectorLibrary=false
[2024-10-24T17:33:40,727][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using [jdk] native provider and native methods for [Linux]
[2024-10-24T17:33:41,119][INFO ][o.a.l.i.v.PanamaVectorizationProvider] [it-elassearch] Java vector incubator API enabled; uses preferredBitSize=128; floating-point vectors only
[2024-10-24T17:33:42,185][INFO ][o.e.n.Node ] [it-elassearch] version[8.15.0], pid[8520], build[tar/1a77947f34deddb41af25e6f0ddb8e830159c179/2024-08-05T10:05:34.233336849Z], OS[Linux/3.10.0-1160.24.1.el7.x86_64/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/22.0.1/22.0.1+8-16]
.......
[2024-10-24T17:34:27,594][WARN ][o.e.c.c.ClusterFormationFailureHelper] [it-elassearch] master not discovered yet, this node has not previously joined a bootstrapped cluster, and this node must discover master-eligible nodes [it-elassearch, it-elassearch-2] to bootstrap a cluster: have discovered [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}]; discovery will continue using [172.24.110.126:9300] from hosts providers and [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}] from last-known cluster state; node term 0, last-accepted version 0 in term 0; for troubleshooting guidance, see https://www.elastic.co/guide/en/ ... roubleshooting.html
[2024-10-24T17:34:27,609][INFO ][o.e.h.AbstractHttpServerTransport] [it-elassearch] publish_address {172.24.110.125:9200}, bound_addresses {[::]:9200}
[2024-10-24T17:34:27,637][INFO ][o.e.n.Node ] [it-elassearch] started {it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}{ml.max_jvm_size=4294967296, ml.config_version=12.0.0, xpack.installed=true, transform.config_version=10.0.0, ml.machine_memory=8200949760, ml.allocated_processors=4, ml.allocated_processors_double=4.0}
(上面的 WARN 是第一个节点启动、第二个节点尚未启动时的正常现象,第二个节点起来后集群会自动完成 bootstrap)
) E4 V/ _0 C+ H8 q0 p: X+ P
. }1 y5 v* [5 Z4 I
4 o" E, m) i6 X0 P& O7 I5 r5 u( P8 G ~5 B7 l9 U
f9 [0 n1 x, q" }
[es@it-elassearch elasticsearch-8.15.0]$ netstat -ntlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:60028           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::9300                 :::*                    LISTEN      8520/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 :::60028                :::*                    LISTEN      -
tcp6       0      0 :::9200                 :::*                    LISTEN      8520/java
(9200(HTTP)和 9300(transport)都绑定在所有接口上,请确认防火墙/安全组只对集群节点和 Kibana 所在主机放行这两个端口)
( Q0 S) n4 @: A. v+ r% u4 t3 l( |* T9 I P2 _ L0 F
' ^) Z4 b8 Y. p1 a: }: |* S
$ ~9 K' U) U4 a- J* `" D
; p2 q. B8 E3 W& f+ [7 W4 K% y
[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana

ERROR: [xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token, with exit code 78
6 ?, t4 C' V1 G" V: m6 C+ z) g4 u _! I1 X+ n; `+ Z
在elasticsearch-8.15.0/config/elasticsearch.yml 中添加配置:
[es@it-elassearch-1 elastic-cluster1]$ vim elasticsearch-8.15.0/config/elasticsearch.yml
xpack.security.enrollment.enabled: true
! b+ |9 }/ R, R+ I4 ], k
8 F) m8 v) _4 I3 E0 M! T/ A
保存再次执行:
4 D) y( ]# d" K, I% l5 [" w6 O q& M2 G7 y6 G1 H8 s1 D% \( g
. L7 v J% [8 Y2 r0 M1 p
: M4 O5 n7 C2 j1 m1 H7 Z2 ^
9 _! C0 P! G! _& w4 P0 I! o
7 |! V: q+ k7 z& A; @
[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana
Unable to create enrollment token for scope [kibana]

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore, with exit code 73
(这个报错是因为前面只配置了 transport 层 TLS,没有配置 HTTP 层 TLS;enrollment token 依赖 HTTP 层证书,需要先补上 xpack.security.http.ssl.enabled 及其 keystore 配置再执行)
. P! u' X! F6 O+ p; G$ _
如果你的kibana不在同一台主机上,就需要通过 --url 参数加上 ES 的 http 或 https 访问地址来生成,地址用""括起来
2 L/ _4 C% W! r9 k5 h
/ O. l# R! ]5 e$ o3 |% c
: n1 `, `% _, o* {3 o, o& Z
# L+ ^! H0 x5 D$ E6 V0 c( v6 P% o1 I# ?) X+ f( N
6 R* t: Z. i# f# {% h# D8 n2 a* g |
|