Detailed steps for installing Elasticsearch 8
1. Set virtual memory

sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf

This adds the line vm.max_map_count=262144 to /etc/sysctl.conf. Make the configuration take effect: sysctl -p

2. Set the open file limits:

cat >>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF

Set the PAM configuration:
echo "session required pam_limits.so" >> /etc/pam.d/login

3. Disable the swap partition

swapoff -a      # temporary
vi /etc/fstab   # permanent
Find the swap line and comment it out with a leading # character.

4. Set the TCP retransmission timeout

sysctl -w net.ipv4.tcp_retries2=5
Edit the configuration file: echo "net.ipv4.tcp_retries2 = 5" >> /etc/sysctl.conf

5. Create a user

useradd es
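As an added check that is not part of the original post, the following Python script reads the live values behind steps 1 to 4 (vm.max_map_count, the nofile and nproc soft limits, swap, net.ipv4.tcp_retries2) and reports which ones do not yet meet the values above. It assumes a Linux host with /proc mounted and changes nothing; run it as the es user created in step 5 so the limits it sees are the ones the Elasticsearch process will inherit.

```python
import resource
from pathlib import Path
from typing import Dict, List, Optional

# Target values taken from steps 1-4 above.
TARGETS = {
    "vm.max_map_count": 262144,   # minimum; Elasticsearch's bootstrap check requires it
    "nofile": 65535,              # minimum open files for the es user
    "nproc": 65535,               # minimum processes/threads for the es user
    "net.ipv4.tcp_retries2": 5,   # maximum; the post lowers it from the kernel default of 15
}


def read_sysctl(key: str) -> Optional[int]:
    """Read a kernel parameter through /proc/sys so the sysctl binary is not needed."""
    path = Path("/proc/sys") / key.replace(".", "/")
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None


def swap_active() -> Optional[bool]:
    """True when /proc/swaps lists at least one enabled swap area (its first line is a header)."""
    try:
        return len(Path("/proc/swaps").read_text().splitlines()) > 1
    except OSError:
        return None


def collect() -> Dict[str, object]:
    """Gather the live values for the current user; None marks a value that could not be read."""
    return {
        "vm.max_map_count": read_sysctl("vm.max_map_count"),
        "net.ipv4.tcp_retries2": read_sysctl("net.ipv4.tcp_retries2"),
        "nofile": resource.getrlimit(resource.RLIMIT_NOFILE)[0],  # soft limit
        "nproc": resource.getrlimit(resource.RLIMIT_NPROC)[0],    # soft limit
        "swap_active": swap_active(),
    }


def evaluate(observed: Dict[str, object]) -> List[str]:
    """Return one message per unmet target; an empty list means the host matches steps 1-4."""
    problems: List[str] = []

    v = observed.get("vm.max_map_count")
    if v is None or v < TARGETS["vm.max_map_count"]:
        problems.append(f"vm.max_map_count is {v}, need >= {TARGETS['vm.max_map_count']} (step 1)")

    for name in ("nofile", "nproc"):
        v = observed.get(name)
        unlimited = v == resource.RLIM_INFINITY  # an unlimited soft limit satisfies the target
        if v is None or (not unlimited and v < TARGETS[name]):
            problems.append(f"ulimit {name} is {v}, need >= {TARGETS[name]} "
                            "(step 2; log in again after editing limits.conf)")

    if observed.get("swap_active") is not False:
        problems.append("swap is still active or /proc/swaps is unreadable; "
                        "expected swapoff -a and the fstab line commented out (step 3)")

    v = observed.get("net.ipv4.tcp_retries2")
    if v is None or v > TARGETS["net.ipv4.tcp_retries2"]:
        problems.append(f"net.ipv4.tcp_retries2 is {v}, need <= {TARGETS['net.ipv4.tcp_retries2']} (step 4)")

    return problems


if __name__ == "__main__":
    issues = evaluate(collect())
    for line in issues:
        print("FAIL:", line)
    print("host ready" if not issues else f"{len(issues)} setting(s) still need attention")
```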

6. Create the installation directories

mkdir /data/elasticsearch/
mkdir /data/elasticsearch/elastic-cluster1
mkdir /data/elasticsearch/elastic-cluster2

[root@it-elassearch ~]# ls -p /data/elasticsearch
elastic-cluster1/ elastic-cluster2/

7. Download the installation package from the official site

Official download page; choose the matching versions of elasticsearch and kibana: https://www.elastic.co/cn/downloads/past-releases#elasticsearch

[root@it-elassearch-2 ~]# chown es:es elasticsearch-8.15.0-linux-x86_64.tar.gz
[root@it-elassearch-2 ~]# mv elasticsearch-8.15.0-linux-x86_64.tar.gz /data/elasticsearch/

Switch to the es account:

7.1 Extract: my installation package was downloaded into the directory, and it is extracted under /elasticsearch/elastic-cluster1/

cd /data/elasticsearch/elastic-cluster1
[es@it-elassearch elastic-cluster1]$ ls
elasticsearch-8.15.0-linux-x86_64.tar.gz

/data/elasticsearch/elastic-cluster2
[es@it-elassearch-2 elastic-cluster2]$ ls
elasticsearch-8.15.0-linux-x86_64.tar.gz

Extract:

[es@it-elassearch elastic-cluster1]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz

[es@it-elassearch-2 elastic-cluster2]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz

Enter the corresponding directory: cd /elasticsearch/elastic-cluster1

Configure the ES parameter file:

Node one configuration:
#vim elasticsearch-8.15.0/config/elasticsearch.yml

cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false

Below is the configuration with authentication enabled:
cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12

Node two configuration
#vim elasticsearch-8.15.0/config/elasticsearch.yml

cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false

Below is the configuration with authentication enabled:
cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12

JVM heap size setting
Set the memory size:

vim elasticsearch-8.15.0/config/jvm.options

-Xms4g
-Xmx4g

For a real production environment it is recommended that every Elasticsearch node be a dedicated machine, with no other programs or background processes deployed on it, to improve performance. If a machine has a very large amount of memory, such as 128GB or 256GB, running a single node on it is a waste; it is recommended to split the machine up through virtualization.

Explanation:

Directory structure (type, description, default location, setting):
home: Elasticsearch home directory, or $ES_HOME. Default location: the directory created by unpacking the archive.
bin: binary scripts, including elasticsearch (starts a node) and elasticsearch-plugin (installs plugins). Default location: $ES_HOME/bin.
conf: configuration files, including but not limited to elasticsearch.yml. Default location: $ES_HOME/config. Setting: ES_PATH_CONF.
conf: TLS keys and certificates generated for the transport and HTTP layers. Default location: $ES_HOME/config/certs.
data: data files of every index/shard allocated on the node. Default location: $ES_HOME/data. Setting: path.data.
logs: log files. Default location: $ES_HOME/logs. Setting: path.logs.
plugins: plugin files; each plugin lives in its own subdirectory. Default location: $ES_HOME/plugins.
repo: shared file system repository locations; several locations can be given, and a file system repository can be placed in any subdirectory of any directory listed here. Default: not configured. Setting: path.repo.

Cluster name: cluster.name:
Node name: node.name:
Network host: network.host:
Discovery for forming the cluster: discovery.seed_hosts:
Nodes eligible to be elected master: cluster.initial_master_nodes:
Inter-node communication port: transport.port:
Data location: path.data:
Log location: path.logs:

cluster.name: CollectorDBCluster
path.data: /data/elasticsearch/data
path.logs: /data/cusc-logs
network.host: 10.153.61.71
http.port: 9200
node.name: node-1
cluster.initial_master_nodes: ["node-1"]

Meaning of each setting:
cluster.name: cluster name; every node is configured with the same cluster name.
node.name: node name; each node is configured with a different one.
node.master: indicates whether the node is eligible to become the master node.
node.data: indicates whether the node is a data node. Data nodes hold and manage part of the index.
path.data: data storage directory.
path.logs: log storage directory.
bootstrap.memory_lock: memory locking; whether swapping is disabled.
bootstrap.system_call_filter: system call filter.
network.host: IP address the node binds to.
http.port: port.

Start the cluster:

Set the owner and group of the configuration files, then start:
[root@it-elassearch elasticsearch]# chown -R es:es elastic-cluster1/
[root@it-elassearch-2 elasticsearch]# chown -R es:es elastic-cluster2/

If the configuration was done directly with the es account, the step above is unnecessary.

If you want to add the authentication configuration, configure it as described here; if not, skip it:

Detailed steps to enable authentication in ES:

1. Generate the CA certificate:
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: [press Enter]
Enter password for elastic-stack-ca.p12 : [enter a password]

When this finishes, the file elastic-stack-ca.p12 is generated.

2. Generate the key and certificate:

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : [enter the password]
Please enter the desired output file [elastic-certificates.p12]: [press Enter]
Enter password for elastic-certificates.p12 : [enter a password]

Certificates written to /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

During this step, when prompted for the password set earlier, just type it; where a path is requested you can leave it empty and press Enter, and the file is generated in the current directory:
elastic-certificates.p12

3. Move the certificates to the appropriate directory:

## Move the certificates to the specified directory:
Create the directory:
mkdir -p ./config/certificates/
Move the certificates into that directory:

[es@it-elassearch elasticsearch-8.15.0]$ mv elastic-certificates.p12 elastic-stack-ca.p12 ./config/certificates/

4. Copy the certificates to every node (scp or rsync both work):
[es@it-elassearch elasticsearch-8.15.0]$ rsync -azvP -e 'ssh -p 60028' config/certificates/ es@172.24.110.126:/data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/
es@172.24.110.126's password:
sending incremental file list
./
elastic-certificates.p12
          3,596 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=1/3)
elastic-stack-ca.p12
          2,672 100%    2.55MB/s    0:00:00 (xfr#2, to-chk=0/3)

sent 6,314 bytes  received 57 bytes  1,415.78 bytes/sec
total size is 6,268  speedup is 0.98

5. Modify the configuration file:
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12

Enabling authentication likewise requires switching to the es account:

Add the passwords on each node:

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
Enter value for xpack.security.transport.ssl.keystore.secure_password:

Enter the password: the first time, enter the password configured above.

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password:

Enter the password: the second time, enter the same password as above.

Next, exactly as without authentication, start the cluster node by node:

Switch to another user, since ES cannot be started as root: su es

[es@it-elassearch elasticsearch-8.15.0]$ bin/elasticsearch -d
.......
Oct 24, 2024 5:33:34 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
[2024-10-24T17:33:40,246][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using native vector library; to disable start with -Dorg.elasticsearch.nativeaccess.enableVectorLibrary=false
[2024-10-24T17:33:40,727][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using [jdk] native provider and native methods for [Linux]
[2024-10-24T17:33:41,119][INFO ][o.a.l.i.v.PanamaVectorizationProvider] [it-elassearch] Java vector incubator API enabled; uses preferredBitSize=128; floating-point vectors only
[2024-10-24T17:33:42,185][INFO ][o.e.n.Node ] [it-elassearch] version[8.15.0], pid[8520], build[tar/1a77947f34deddb41af25e6f0ddb8e830159c179/2024-08-05T10:05:34.233336849Z], OS[Linux/3.10.0-1160.24.1.el7.x86_64/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/22.0.1/22.0.1+8-16]
.......
[2024-10-24T17:34:27,594][WARN ][o.e.c.c.ClusterFormationFailureHelper] [it-elassearch] master not discovered yet, this node has not previously joined a bootstrapped cluster, and this node must discover master-eligible nodes [it-elassearch, it-elassearch-2] to bootstrap a cluster: have discovered [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}]; discovery will continue using [172.24.110.126:9300] from hosts providers and [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}] from last-known cluster state; node term 0, last-accepted version 0 in term 0; for troubleshooting guidance, see https://www.elastic.co/guide/en/ ... roubleshooting.html
[2024-10-24T17:34:27,609][INFO ][o.e.h.AbstractHttpServerTransport] [it-elassearch] publish_address {172.24.110.125:9200}, bound_addresses {[::]:9200}
[2024-10-24T17:34:27,637][INFO ][o.e.n.Node ] [it-elassearch] started {it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}{ml.max_jvm_size=4294967296, ml.config_version=12.0.0, xpack.installed=true, transform.config_version=10.0.0, ml.machine_memory=8200949760, ml.allocated_processors=4, ml.allocated_processors_double=4.0}

[es@it-elassearch elasticsearch-8.15.0]$ netstat -ntlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:60028           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::9300                 :::*                    LISTEN      8520/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 :::60028                :::*                    LISTEN      -
tcp6       0      0 :::9200                 :::*                    LISTEN      8520/java

[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana

ERROR: [xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token, with exit code 78

Add the following setting to elasticsearch-8.15.0/config/elasticsearch.yml:

[es@it-elassearch-1 elastic-cluster1]$ vim elasticsearch-8.15.0/config/elasticsearch.yml
xpack.security.enrollment.enabled: true

Save and run it again:

[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana
Unable to create enrollment token for scope [kibana]
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore, with exit code 73

If your Kibana is not on the same host, you need to generate the token with the http or https access URL added, enclosed in "".
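As an added example that is not part of the original post, the following Python script audits the flat key: value style elasticsearch.yml shown above (the node configurations with and without authentication, and the enrollment setting just added). It parses only that flat format, not full YAML, and reports the settings that decide how exposed the node is: security disabled while bound to 0.0.0.0, transport TLS state, the verification_mode: certificate choice, the "*" CORS origin, and the HTTP-layer TLS keystore that the enrollment-token error above asks for. The settings xpack.security.http.ssl.enabled and xpack.security.http.ssl.keystore.path are standard Elasticsearch settings the post itself does not show; the two sample configurations embedded below are constructed from the node one configurations above.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (stable code, explanation)
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines of this post's elasticsearch.yml (no nested YAML).

    Blank and comment lines are skipped, quotes around scalars are stripped and
    list values such as ["a", "b"] are kept as raw text.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def flag(settings: Dict[str, str], key: str, default: str) -> bool:
    return settings.get(key, default).lower() == "true"


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Report the exposure-relevant settings the post toggles; defaults are Elasticsearch 8's."""
    out: List[Finding] = []
    host = settings.get("network.host", "_local_")  # unset means loopback only
    exposed = host not in LOOPBACK                  # non-loopback binding = production mode
    security = flag(settings, "xpack.security.enabled", "true")
    transport_tls = flag(settings, "xpack.security.transport.ssl.enabled", "false")
    port = settings.get("http.port", "9200")

    if not security and exposed:
        out.append(("NO_AUTH_EXPOSED", f"xpack.security.enabled=false with network.host={host}: port {port} answers any request without credentials, so keep this form for initial bring-up only"))
    if security and not transport_tls and exposed:
        out.append(("TRANSPORT_TLS_REQUIRED", "xpack.security.enabled=true without xpack.security.transport.ssl.enabled=true fails the bootstrap checks enforced in production mode"))
    if transport_tls:
        for key in ("xpack.security.transport.ssl.keystore.path", "xpack.security.transport.ssl.truststore.path"):
            if key not in settings:
                out.append(("MISSING_" + key.split(".")[-2].upper(), f"{key} is not set"))
        mode = settings.get("xpack.security.transport.ssl.verification_mode", "full")
        if mode != "full":
            out.append(("NO_HOSTNAME_CHECK", f"verification_mode={mode}: the peer chain is validated but not its hostname/IP; 'full' needs certificates that carry each node's DNS name or IP"))
    if flag(settings, "http.cors.enabled", "false") and settings.get("http.cors.allow-origin") == "*":
        out.append(("CORS_ANY_ORIGIN", "http.cors.allow-origin=* lets a page from any web origin call the HTTP API from a browser; restrict it to the UI's origin"))
    if flag(settings, "xpack.security.enrollment.enabled", "false") and (
            not flag(settings, "xpack.security.http.ssl.enabled", "false")
            or "xpack.security.http.ssl.keystore.path" not in settings):
        out.append(("ENROLLMENT_NEEDS_HTTP_TLS", "enrollment tokens need HTTP-layer TLS with a keystore; this is the 'HTTP layer SSL configuration is not configured with a keystore' error"))
    return out


# Constructed samples, taken from the node one configurations in the post.
NODE1_NO_AUTH = """\
cluster.name: essearch
network.host: 0.0.0.0
http.port: 9200
#node.master: true
xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false
"""

NODE1_AUTH = """\
cluster.name: essearch
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.enrollment.enabled: true
"""

if __name__ == "__main__":
    for label, text in (("no auth", NODE1_NO_AUTH), ("with auth", NODE1_AUTH)):
        print(f"== {label}")
        for code, msg in audit(parse_flat_yml(text)):
            print(f"{code}: {msg}")
```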