Detailed installation steps for Elasticsearch 8
1. Set virtual memory (vm.max_map_count)

sysctl -w vm.max_map_count=262144
echo "vm.max_map_count = 262144" >> /etc/sysctl.conf

This adds the line vm.max_map_count=262144 to /etc/sysctl.conf.
Apply the setting: sysctl -p
2. Set the open file and process limits:

cat >>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF

Configure PAM so the limits are applied at login:
echo "session required pam_limits.so" >> /etc/pam.d/login
3. Disable the swap partition

swapoff -a    # disable temporarily
vi /etc/fstab # disable permanently
Find the swap line and comment it out with a leading # character.
4. Set the TCP retransmission timeout

sysctl -w net.ipv4.tcp_retries2=5
Edit the configuration file: echo "net.ipv4.tcp_retries2 = 5" >> /etc/sysctl.conf
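Steps 1, 2 and 4 append to /etc/sysctl.conf and /etc/security/limits.conf with echo >> and a heredoc, which leaves duplicate lines whenever the steps are re-run (the post itself shows vm.max_map_count appended twice). As an added example that is not part of the original post, the POSIX shell functions below write each key exactly once, replacing an existing value in place, and take the file path as a parameter so they can be tried on a scratch file first; apply_post_settings writes the post's values to the real files and has to run as root. The file names and the apply_post_settings wrapper are this example's own, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent writer for the sysctl
# and limits settings of steps 1, 2 and 4. File paths are parameters so the
# functions can be exercised on a scratch file before touching /etc.

# ensure_kv FILE KEY VALUE -> "KEY = VALUE" appears exactly once in FILE.
# An existing line for KEY is rewritten in place; extra copies are dropped.
ensure_kv() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp="${file}.tmp.$$"
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[ \t]*" k "[ \t]*=") { if (!done) { print k " = " v; done = 1 }; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_kv FILE KEY -> print the configured value (empty when KEY is absent).
get_kv() {
    awk -v k="$2" '
        $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# ensure_limit FILE DOMAIN TYPE ITEM VALUE -> one "<domain> <type> <item> <value>"
# line in a limits.conf-style file, replacing any existing line for that triple.
ensure_limit() {
    file=$1; domain=$2; type=$3; item=$4; value=$5
    [ -f "$file" ] || : > "$file"
    tmp="${file}.tmp.$$"
    awk -v d="$domain" -v t="$type" -v i="$item" -v v="$value" '
        $1 == d && $2 == t && $3 == i { if (!done) { print d, t, i, v; done = 1 }; next }
        { print }
        END { if (!done) print d, t, i, v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# apply_post_settings -> the values from steps 1, 2 and 4 of the post, written
# to the real system files. Run as root; sysctl -p then loads the kernel keys.
apply_post_settings() {
    ensure_kv /etc/sysctl.conf vm.max_map_count 262144
    ensure_kv /etc/sysctl.conf net.ipv4.tcp_retries2 5
    for t in soft hard; do
        ensure_limit /etc/security/limits.conf '*' "$t" nofile 65535
        ensure_limit /etc/security/limits.conf '*' "$t" nproc 65535
    done
    sysctl -p
}

# Usage: sh es_host_prep.sh apply   (only the "apply" argument touches /etc)
case "${1:-}" in
    apply) apply_post_settings ;;
esac
```

Running the script with no argument only defines the functions, so it can be sourced and pointed at a copy of the files to see the resulting lines before applying them for real.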
5. Create a user

useradd es
6. Create the installation directories

mkdir /data/elasticsearch/
mkdir /data/elasticsearch/elastic-cluster1
mkdir /data/elasticsearch/elastic-cluster2

[root@it-elassearch ~]# ls -p /data/elasticsearch
elastic-cluster1/ elastic-cluster2/
7. Download the official package

Download from the official site, choosing matching versions of Elasticsearch and Kibana: https://www.elastic.co/cn/downloads/past-releases#elasticsearch

[root@it-elassearch-2 ~]# chown es:es elasticsearch-8.15.0-linux-x86_64.tar.gz
[root@it-elassearch-2 ~]# mv elasticsearch-8.15.0-linux-x86_64.tar.gz /data/elasticsearch/
Switch to the es account:

7.1 Extract: my package was downloaded into the directory above and is extracted under /elasticsearch/elastic-cluster1/

cd /data/elasticsearch/elastic-cluster1
[es@it-elassearch elastic-cluster1]$ ls
elasticsearch-8.15.0-linux-x86_64.tar.gz

/data/elasticsearch/elastic-cluster2
[es@it-elassearch-2 elastic-cluster2]$ ls
elasticsearch-8.15.0-linux-x86_64.tar.gz

Extract:

[es@it-elassearch elastic-cluster1]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz
[es@it-elassearch-2 elastic-cluster2]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz

Enter the corresponding directory: cd /elasticsearch/elastic-cluster1

Configure the ES parameter file:
Node one configuration:
#vim elasticsearch-8.15.0/config/elasticsearch.yml

cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false
Below is the configuration with authentication enabled:
cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
Node two configuration
#vim elasticsearch-8.15.0/config/elasticsearch.yml

cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false
Below is the configuration with authentication enabled:
cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
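The two variants above differ in one security-relevant way: the unauthenticated configuration binds network.host: 0.0.0.0 with xpack.security.enabled: false, so every index is readable and writable by anyone who can reach port 9200 and the node-to-node traffic on 9300 is neither encrypted nor authenticated; the authenticated configuration fixes both but keeps http.cors.allow-origin: "*", which lets any web page a user visits issue requests to the HTTP API from their browser. As an added example that is not part of the original post, the POSIX shell audit below reads an elasticsearch.yml and reports exactly those combinations, ignoring commented-out lines such as the #xpack.security.authc.accept_default_password entry. The function names are this example's own; the file contents in the usage are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an elasticsearch.yml for the
# risky setting combinations that appear in the node configurations above.

# es_setting FILE KEY -> value of a top-level "KEY: value" line. Commented-out
# lines are ignored; trailing comments and surrounding quotes are stripped.
# Prints nothing when the key is not set.
es_setting() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)
            sub(/^[ \t]+/, "", v)
            sub(/[ \t]+#.*$/, "", v)
            sub(/[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            print v
            exit
        }' "$1"
}

# audit_es_yml FILE -> one finding per line on stdout; the return value is the
# number of findings, so 0 means nothing was flagged.
audit_es_yml() {
    f=$1
    n=0
    sec=$(es_setting "$f" xpack.security.enabled)
    host=$(es_setting "$f" network.host)
    tssl=$(es_setting "$f" xpack.security.transport.ssl.enabled)
    cors=$(es_setting "$f" http.cors.enabled)
    origin=$(es_setting "$f" http.cors.allow-origin)
    defpw=$(es_setting "$f" xpack.security.authc.accept_default_password)

    # Security off while listening on a non-loopback address: anyone who can
    # reach port 9200 can read, modify or delete every index.
    if [ "$sec" = false ] && [ -n "$host" ] && [ "$host" != 127.0.0.1 ] && [ "$host" != localhost ]; then
        echo "xpack.security.enabled=false with network.host=$host: HTTP API reachable without authentication"
        n=$((n + 1))
    fi
    # Transport TLS off: node-to-node traffic on 9300 is neither encrypted nor
    # node-authenticated (with TLS, verification_mode: certificate does that).
    if [ "$tssl" = false ]; then
        echo "xpack.security.transport.ssl.enabled=false: transport traffic on port 9300 is unencrypted and unauthenticated"
        n=$((n + 1))
    fi
    # Wildcard CORS origin: any web page can send browser requests to the API;
    # restrict it to the Kibana or front-end origin that actually needs it.
    if [ "$cors" = true ] && [ "$origin" = '*' ]; then
        echo "http.cors.allow-origin=* with http.cors.enabled=true: restrict to the front-end origin"
        n=$((n + 1))
    fi
    if [ "$defpw" = true ]; then
        echo "xpack.security.authc.accept_default_password=true: default passwords are accepted"
        n=$((n + 1))
    fi
    return $n
}

# Usage: sh audit_es_yml.sh /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/elasticsearch.yml
if [ -n "${1:-}" ]; then
    audit_es_yml "$1"
fi
```

Run against the unauthenticated configuration above it reports three findings (security off on 0.0.0.0, transport TLS off, wildcard CORS); against the authenticated one it still reports the wildcard CORS origin, which is the one item that configuration leaves open.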
JVM heap size setting
Set the heap size:

vim elasticsearch-8.15.0/config/jvm.options

-Xms4g
-Xmx4g
In a real production environment it is recommended that every Elasticsearch node is a dedicated node, with no other programs or background processes deployed on it, to improve performance. If the machine has a lot of memory, e.g. 128GB or 256GB, running a single node on it is a waste; it is recommended to split it up through virtualization.
Explanation:

Directory structure

Type    | Description                                                                                   | Default Location                           | Setting
home    | Elasticsearch home directory, or $ES_HOME                                                     | Directory created by unpacking the archive |
bin     | Binary scripts, including elasticsearch to start a node and elasticsearch-plugin to install plugins | $ES_HOME/bin                        |
conf    | Configuration files, including but not limited to elasticsearch.yml                           | $ES_HOME/config                            | ES_PATH_CONF
conf    | Generated TLS keys and certificates for the transport and HTTP layers                         | $ES_HOME/config/certs                      |
data    | Location of the data files of each index/shard allocated on the node                          | $ES_HOME/data                              | path.data
logs    | Log file location                                                                             | $ES_HOME/logs                              | path.logs
plugins | Plugin file location. Each plugin is contained in a subdirectory                              | $ES_HOME/plugins                           |
repo    | Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in any subdirectory of any directory specified here | Not configured | path.repo
Cluster name: cluster.name:
Node name: node.name:
Network host: network.host:
Discovery for forming the cluster: discovery.seed_hosts:
Nodes eligible to be elected master: cluster.initial_master_nodes:
Inter-node (transport) communication port: transport.port:
Data location: path.data:
Log location: path.logs:
cluster.name: CollectorDBCluster
path.data: /data/elasticsearch/data
path.logs: /data/cusc-logs
network.host: 10.153.61.71
http.port: 9200
node.name: node-1
cluster.initial_master_nodes: ["node-1"]
Meaning of each setting:
cluster.name: cluster name; every node is configured with the same cluster name.
node.name: node name; different on each node.
node.master: whether the node is eligible to become the master node.
node.data: whether the node is a data node. Data nodes hold and manage a portion of the index data.
path.data: data storage directory.
path.logs: log storage directory.
bootstrap.memory_lock: memory locking; whether swapping is disabled.
bootstrap.system_call_filter: system call filter.
network.host: the node IP to bind.
http.port: the HTTP port.
Start the cluster:

Set the owner and group of the installation files, then start:
[root@it-elassearch elasticsearch]# chown -R es:es elastic-cluster1/
[root@it-elassearch-2 elasticsearch]# chown -R es:es elastic-cluster2/

If the configuration was done directly as the es account, the step above can be skipped.
If you are adding authentication, follow the configuration here; if not, skip it:

Detailed steps to enable authentication in ES:

1. Generate the CA certificate:
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: [press Enter]
Enter password for elastic-stack-ca.p12 : [enter a password]

When this completes, the file elastic-stack-ca.p12 has been generated.
2. Generate the node certificate and key:

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : [enter the CA password]
Please enter the desired output file [elastic-certificates.p12]: [press Enter]
Enter password for elastic-certificates.p12 : [enter a password]

Certificates written to /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

During this step, enter the password you just set whenever it is requested; where a path is requested you can leave it empty and press Enter, and the file is generated in the current directory:
elastic-certificates.p12
3. Move the certificates to the appropriate directory:

## Move the certificates into the designated directory:
Create the directory:
mkdir -p ./config/certificates/
Move the certificates into it:
[es@it-elassearch elasticsearch-8.15.0]$ mv elastic-certificates.p12 elastic-stack-ca.p12 ./config/certificates/
4. Copy the certificates to every node (scp or rsync both work):
[es@it-elassearch elasticsearch-8.15.0]$ rsync -azvP -e 'ssh -p 60028' config/certificates/ es@172.24.110.126:/data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/
es@172.24.110.126's password:
sending incremental file list
./
elastic-certificates.p12
          3,596 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=1/3)
elastic-stack-ca.p12
          2,672 100%    2.55MB/s    0:00:00 (xfr#2, to-chk=0/3)

sent 6,314 bytes  received 57 bytes  1,415.78 bytes/sec
total size is 6,268  speedup is 0.98
5. Modify the configuration file:
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
For the authentication setup you likewise need to switch to the es account:

Add the keystore passwords on each node:

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
Enter value for xpack.security.transport.ssl.keystore.secure_password:

Enter the password: the first time, enter the password configured above.

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password:

Enter the password: the second time, enter the same password as above.
Next, just as without authentication, start the cluster nodes one by one:

Switch to a non-root user; the root user cannot start ES: su es

[es@it-elassearch elasticsearch-8.15.0]$ bin/elasticsearch -d
.......
Oct 24, 2024 5:33:34 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
[2024-10-24T17:33:40,246][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using native vector library; to disable start with -Dorg.elasticsearch.nativeaccess.enableVectorLibrary=false
[2024-10-24T17:33:40,727][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using [jdk] native provider and native methods for [Linux]
[2024-10-24T17:33:41,119][INFO ][o.a.l.i.v.PanamaVectorizationProvider] [it-elassearch] Java vector incubator API enabled; uses preferredBitSize=128; floating-point vectors only
[2024-10-24T17:33:42,185][INFO ][o.e.n.Node ] [it-elassearch] version[8.15.0], pid[8520], build[tar/1a77947f34deddb41af25e6f0ddb8e830159c179/2024-08-05T10:05:34.233336849Z], OS[Linux/3.10.0-1160.24.1.el7.x86_64/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/22.0.1/22.0.1+8-16]
.......
[2024-10-24T17:34:27,594][WARN ][o.e.c.c.ClusterFormationFailureHelper] [it-elassearch] master not discovered yet, this node has not previously joined a bootstrapped cluster, and this node must discover master-eligible nodes [it-elassearch, it-elassearch-2] to bootstrap a cluster: have discovered [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}]; discovery will continue using [172.24.110.126:9300] from hosts providers and [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}] from last-known cluster state; node term 0, last-accepted version 0 in term 0; for troubleshooting guidance, see https://www.elastic.co/guide/en/ ... roubleshooting.html
[2024-10-24T17:34:27,609][INFO ][o.e.h.AbstractHttpServerTransport] [it-elassearch] publish_address {172.24.110.125:9200}, bound_addresses {[::]:9200}
[2024-10-24T17:34:27,637][INFO ][o.e.n.Node ] [it-elassearch] started {it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}{ml.max_jvm_size=4294967296, ml.config_version=12.0.0, xpack.installed=true, transform.config_version=10.0.0, ml.machine_memory=8200949760, ml.allocated_processors=4, ml.allocated_processors_double=4.0}
[es@it-elassearch elasticsearch-8.15.0]$ netstat -ntlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:60028           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::9300                 :::*                    LISTEN      8520/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 :::60028                :::*                    LISTEN      -
tcp6       0      0 :::9200                 :::*                    LISTEN      8520/java
[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana

ERROR: [xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token, with exit code 78

Add the following setting to elasticsearch-8.15.0/config/elasticsearch.yml:

[es@it-elassearch-1 elastic-cluster1]$ vim elasticsearch-8.15.0/config/elasticsearch.yml

xpack.security.enrollment.enabled: true

Save and run it again:

[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana
Unable to create enrollment token for scope [kibana]

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore, with exit code 73

If your Kibana is not on the same host, generate the token with the http or https access URL of the node added, wrapped in "".
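The two errors above are the two prerequisites the tool checks, in that order: xpack.security.enrollment.enabled must be true (exit code 78), and the HTTP layer must be configured with a TLS keystore (exit code 73). The transport keystore configured earlier does not satisfy the second one, which is why enabling enrollment alone still fails. As an added example that is not part of the original post, the POSIX shell check below reads those settings from elasticsearch.yml before the tool is run, resolving a relative keystore path against the config directory as Elasticsearch does, and prints the command line to run; for a Kibana on another host it adds the tool's --url option, which is the documented way to supply the http/https address the post mentions. The function names, the scratch paths and the example host are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: check the two prerequisites behind
# the enrollment-token errors shown above before running the tool.

# enrollment_ready YML -> 0 when both prerequisites are met; otherwise prints
# the missing one and returns the exit code the tool reports for it (78, 73).
# Only the PKCS#12 keystore form of the HTTP TLS settings is checked, which is
# the form the tool asked for in the error above.
enrollment_ready() {
    yml=$1
    confdir=$(dirname "$yml")
    if ! grep -Eq '^xpack\.security\.enrollment\.enabled:[[:space:]]*true' "$yml"; then
        echo "xpack.security.enrollment.enabled is not true (tool exits 78)"
        return 78
    fi
    if ! grep -Eq '^xpack\.security\.http\.ssl\.enabled:[[:space:]]*true' "$yml"; then
        echo "xpack.security.http.ssl.enabled is not true (tool exits 73)"
        return 73
    fi
    ks=$(sed -n 's/^xpack\.security\.http\.ssl\.keystore\.path:[[:space:]]*//p' "$yml" | head -n 1 | tr -d '"')
    if [ -z "$ks" ]; then
        echo "xpack.security.http.ssl.keystore.path is not set (tool exits 73)"
        return 73
    fi
    # Relative paths are resolved against the config directory, as Elasticsearch does.
    case $ks in
        /*) ;;
        *) ks="$confdir/$ks" ;;
    esac
    if [ ! -f "$ks" ]; then
        echo "HTTP keystore $ks does not exist"
        return 73
    fi
    echo "enrollment prerequisites satisfied (HTTP keystore: $ks)"
    return 0
}

# enrollment_token_cmd ES_HOME [URL] -> print the command to run. Give URL
# (scheme, host and HTTP port of this node) when Kibana runs on another host.
enrollment_token_cmd() {
    cmd="$1/bin/elasticsearch-create-enrollment-token -s kibana"
    if [ -n "${2:-}" ]; then
        cmd="$cmd --url \"$2\""
    fi
    printf '%s\n' "$cmd"
}

# Usage: sh enroll_check.sh /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0 [https://host:9200]
if [ -n "${1:-}" ]; then
    if enrollment_ready "$1/config/elasticsearch.yml"; then
        enrollment_token_cmd "$1" "${2:-}"
    fi
fi
```

The check reports the first unmet prerequisite with the same exit code the tool would use, so it can stand in for the two failed runs above; only when it returns 0 does it print the command, with the --url argument quoted as the post advises.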