elasticsearch8版本安装详细步骤
5 C& v/ r4 `3 e/ |
# |5 g' p6 |2 B; q7 h8 \
1、设置虚拟内存

sysctl -w vm.max_map_count=262144

持久化到 /etc/sysctl.conf(写入一次即可;原文连续两次 echo >> 会产生重复条目,下面的写法先检查再追加):
grep -q '^vm.max_map_count' /etc/sysctl.conf || echo "vm.max_map_count = 262144" >> /etc/sysctl.conf

使配置生效:sysctl -p
9 `' ?' _. ~( m% y$ I, w! T
2、设置文件打开数:
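# Raise the open-file and process limits that the Elasticsearch service
# account needs (ES's bootstrap check expects at least 65535 open files).
# The original appended unconditionally, so every re-run of the guide added
# another copy of these four lines; guard on the first entry instead.
# The '*' wildcard applies to every account on the box; replacing it with
# 'es' keeps the change scoped to the service account.
if ! grep -qE '^\*[[:space:]]+soft[[:space:]]+nofile' /etc/security/limits.conf; then
  cat >>/etc/security/limits.conf <<'EOF'
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
fi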
: J6 D+ H8 R9 A; [3 S$ B- W6 R0 {0 i, ?/ f
& z. p; a$ T* [7 N0 u/ O* z7 x9 ?1 e- X) K# e$ g) l/ ?
设置pam配置(让 limits.conf 对登录会话生效):
echo "session required pam_limits.so" >> /etc/pam.d/login

注意:/etc/pam.d/login 只作用于本地控制台登录。本文后面是通过 ssh 登录再 su es 来启动 ES 的,需要确认 sshd 和 su 对应的 PAM 栈(通常经由 system-auth)同样加载了 pam_limits.so,否则限制不会生效。切换到 es 账号后用 ulimit -n 核对结果是否为 65535。
& |$ ?8 A2 X6 X% U0 y1 ~+ `" f$ v, D8 z3 w
* {4 F! h) L; V
, ^6 b: V5 \" ]: C' }4 ~
3、禁用swap交换分区
swapoff -a #临时禁用
vi /etc/fstab #永久禁用
找到swap这一行,在前面加上#号注释掉。(也可以不关 swap,改为在 elasticsearch.yml 中配置 bootstrap.memory_lock: true 锁定 JVM 内存,但需要同时放开 es 账号的 memlock 限制。)
* V: n( P% E$ b$ z
4、设置TCP重传超时
sysctl -w net.ipv4.tcp_retries2=5
编辑配置文件:echo "net.ipv4.tcp_retries2 = 5" >> /etc/sysctl.conf
. k$ A# e2 j9 ^& \, ^
" B1 Z' y2 b4 m$ L" S/ \! ?5、创建一个用户
useradd es    # 专用服务账号:不要给它设置密码、不要加入 sudoers;ES 拒绝以 root 运行
& B0 {1 X" U7 j% B
6、创建安装目录
mkdir -p /data/elasticsearch/
mkdir -p /data/elasticsearch/elastic-cluster1
mkdir -p /data/elasticsearch/elastic-cluster2
9 K d* J, q0 I0 d
7 U7 K" L% M) G+ k, l9 w; V+ C9 M* C2 h5 r
, f. e$ `; Q. D# k. g
7 Q' P2 M/ C$ T; @; P8 {$ O* i( g" K
) ]5 a8 k! c3 r, [+ \
[root@it-elassearch ~]# ls -p /data/elasticsearch
5 V R7 k5 e% Lelastic-cluster1/ elastic-cluster2/
$ I0 P' L4 u* Y8 D+ l- y' \1 P; ~$ Q) a/ |3 L
1 J8 M! ?6 I( x1 ?0 d; p
) u7 M, S9 _5 y
2 i4 ^, D4 f6 m& R' g0 e' M1 z, X
7、下载官网安装包
官网下载地址,选择对应版本的elasticsearch和kibana:https://www.elastic.co/cn/downloads/past-releases#elasticsearch

下载后先校验完整性再使用(官网下载页为每个安装包提供 sha512 校验值,逐字比对;不一致的包不要解压):
sha512sum elasticsearch-8.15.0-linux-x86_64.tar.gz

[root@it-elassearch-2 ~]# chown es:es elasticsearch-8.15.0-linux-x86_64.tar.gz
[root@it-elassearch-2 ~]# mv elasticsearch-8.15.0-linux-x86_64.tar.gz /data/elasticsearch/
: y/ {* g! n. D3 k+ d
* u& J. Z6 w2 y* T1 t* F
切换到es账号:" w( U5 b6 V+ y3 d
0 G# t3 k6 M( d/ ?) S/ L9 H/ i3 A
$ m W6 I$ L5 l" P( b7.1 解压:我的安装包下载到了目录下,解压到/elasticsearch/elastic-cluster1/目录下 b8 ? A3 N; `; _1 P
$ _% L! `& p) i# V! H1 Q) t
9 S. M: @: f7 ?( Ecd /data/elasticsearch/elastic-cluster1+ z, [# |+ ?4 h6 V
[es@it-elassearch elastic-cluster1]$ ls% }# [4 r; J$ h# a' T
8 n8 V' {4 q. t# R- ~0 lelasticsearch-8.15.0-linux-x86_64.tar.gz3 u# \- p4 [& q
0 R1 s5 Y# m5 {# Y5 e0 U
' `) i Z% U9 e$ u& E
/data/elasticsearch/elastic-cluster28 U( G1 D4 Y8 B
[es@it-elassearch-2 elastic-cluster2]$ ls
! ~0 t8 h$ B+ o2 Yelasticsearch-8.15.0-linux-x86_64.tar.gz% D1 P( T3 H# Z8 D# _. Y
; Q3 S9 r, f; w% G
_; u/ H* x; v1 X1 X* Z1 s! P解压:$ C# H5 `/ b# r/ x f$ q0 n
6 r' Q' I1 |4 ?1 w, w. H
[es@it-elassearch elastic-cluster1]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz w& s+ S3 u* N6 A* F' Q1 ]
* h1 X7 D' c$ V- L* k# T3 t* P9 A: J3 u. {! ]
- j! ]& F" Q- |. Y0 M/ A4 P, p8 q6 D) n, _3 g2 v! b
[es@it-elassearch-2 elastic-cluster2]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz
N% E/ j* j$ r; l6 O6 v' k* W
4 {" S9 r3 Y) q
8 `, B+ g- X* ?$ S$ O, U* s进入对应目录下:cd /elasticsearch/elastic-cluster1 w( n! _7 v6 S8 }9 a9 f3 D7 o5 s
% L: Y4 m3 L# t4 x7 q" v1 y5 \0 p4 y* H1 }! M3 x
配置es参数文件:
( S" M# P& a' H, C) U% _, b6 v; P6 K! g+ D; w
8 ]3 W5 a% E( u k
节点一配置:
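# vim elasticsearch-8.15.0/config/elasticsearch.yml
# Node 1 -- variant WITHOUT authentication.
# WARNING: xpack.security.enabled: false means no authentication, no
# authorization and no TLS. Anyone who can reach TCP/9200 can read, modify or
# delete every index, and any host that knows the cluster name can join on
# TCP/9300. Use this only on an isolated lab network; otherwise use the
# "with authentication" variant below.
cluster.name: essearch
node.name: it-elassearch
# Absolute paths: the original used ./elasticsearch-8.15.0/data, whose
# resolution depends on how ES treats "./" rather than the shell's cwd.
path.data: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/data
path.logs: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/logs
# 0.0.0.0 binds every interface; bind this node's own address instead
# (the startup log shows publish_address 172.24.110.125 for this node).
# Note that curl to 127.0.0.1 will then no longer work; use the node IP.
network.host: 172.24.110.125
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
# node.master / node.data were removed in 8.x; roles are set via node.roles.
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false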
8 y$ l# H( P. I: d/ g
下面是加鉴权的配置:
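# Node 1 -- variant WITH authentication and transport-layer TLS.
cluster.name: essearch
node.name: it-elassearch
# Absolute paths instead of ./elasticsearch-8.15.0/... (see note in the
# no-auth variant).
path.data: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/data
path.logs: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/logs
# Bind this node's own address rather than every interface
# (startup log: publish_address 172.24.110.125).
network.host: 172.24.110.125
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
# CORS: "*" lets any web page a user visits send requests to this cluster
# from their browser. Authentication still applies, but restrict the origin
# to the host that actually needs browser access (e.g. an es-head/Kibana
# front end), and never combine "*" with http.cors.allow-credentials: true.
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
# Legacy 6.x setting; leave it commented out.
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
# "certificate" validates the chain only, not the host name (the node cert
# was generated without --dns/--ip). Every certificate signed by
# elastic-stack-ca.p12 is therefore accepted on the transport layer, so the
# CA private key must stay off the nodes and out of this directory.
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
# NOT configured here: TLS on the HTTP layer. Until it is, the elastic/kibana
# passwords and all REST traffic cross the network in cleartext, and
# elasticsearch-create-enrollment-token fails with "HTTP layer SSL
# configuration is not configured with a keystore" (see the end of this
# guide). Generate an HTTP certificate with bin/elasticsearch-certutil http,
# then enable:
#xpack.security.http.ssl.enabled: true
#xpack.security.http.ssl.keystore.path: certs/http.p12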
Q) _' d* Y7 n {7 K5 t* T. f m% f0 i- T. Z
: O! H* {1 b; B4 f! q. h: K, j
* ~+ a: O$ x. _" o" o" U/ {6 p9 W6 _% b
9 U1 K5 {( ?2 d# e# x5 E
节点二配置
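# vim elasticsearch-8.15.0/config/elasticsearch.yml
# Node 2 -- variant WITHOUT authentication.
# WARNING: xpack.security.enabled: false means no authentication, no
# authorization and no TLS. Anyone who can reach TCP/9200 can read, modify or
# delete every index, and any host that knows the cluster name can join on
# TCP/9300. Use this only on an isolated lab network; otherwise use the
# "with authentication" variant below.
cluster.name: essearch
node.name: it-elassearch-2
# Absolute paths: the original used ./elasticsearch-8.15.0/data, whose
# resolution depends on how ES treats "./" rather than the shell's cwd.
path.data: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/data
path.logs: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/logs
# 0.0.0.0 binds every interface; bind this node's own address instead
# (172.24.110.126 is the address the certificates are rsynced to below).
network.host: 172.24.110.126
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
# node.master / node.data were removed in 8.x; roles are set via node.roles.
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false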
1 H/ s0 t8 f. N' V1 S, y% a" W5 y: Z9 e& R4 P( @
7 S# M+ @9 q* c5 m. Y
下面是鉴权的配置:
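# Node 2 -- variant WITH authentication and transport-layer TLS.
cluster.name: essearch
node.name: it-elassearch-2
# Absolute paths instead of ./elasticsearch-8.15.0/... (see note in the
# no-auth variant).
path.data: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/data
path.logs: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/logs
# Bind this node's own address rather than every interface.
network.host: 172.24.110.126
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
# CORS: "*" lets any web page a user visits send requests to this cluster
# from their browser. Authentication still applies, but restrict the origin
# to the host that actually needs browser access, and never combine "*"
# with http.cors.allow-credentials: true.
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
# Legacy 6.x setting; leave it commented out.
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
# "certificate" validates the chain only, not the host name (the node cert
# was generated without --dns/--ip). Every certificate signed by
# elastic-stack-ca.p12 is therefore accepted on the transport layer, so the
# CA private key must stay off the nodes and out of this directory.
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
# NOT configured here: TLS on the HTTP layer. Until it is, the elastic/kibana
# passwords and all REST traffic cross the network in cleartext, and
# elasticsearch-create-enrollment-token cannot be used. Generate an HTTP
# certificate with bin/elasticsearch-certutil http, then enable:
#xpack.security.http.ssl.enabled: true
#xpack.security.http.ssl.keystore.path: certs/http.p12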
$ g7 ?6 z) {% y, } M6 f( h4 `- Y* B" s) m" b
6 B' a! J9 B* W, [, r. t4 A* R1 ]$ J& r1 Y) u- Y0 I3 H
JVM堆内存大小设置
$ b0 \$ S/ g& V7 p设置内存大小:' `% x a, A% S2 i. ~( M
@2 s- v3 s6 }( C
4 z5 j' |# Q8 M$ @
0 C7 f6 _% t' B" X! I
; N8 s5 \7 Y- x4 |4 i% A U( s* j% Z- ^# u) {
vim elasticsearch-8.15.0/config/jvm.options

-Xms4g
-Xmx4g

(Xms 与 Xmx 必须相等;一般不超过物理内存的一半,且不超过约 30GB 以免失去压缩指针。8.x 建议不要直接改 jvm.options,而是把这两行放到 config/jvm.options.d/ 下的自定义 .options 文件中,升级时不会被覆盖。启动日志中的 ml.max_jvm_size=4294967296 可用于核对 4g 是否生效。)
3 V/ N$ D- i5 U' Z3 s! Q9 u9 `4 d
! _& N" }4 ~( j! N' o) k/ i T h7 q9 ^1 |6 [9 l
0 J5 l! g: o: F' Z8 I+ X
实际业务线上环境,建议所有Elasticsearch节点都是独立节点,不要部署其他程序、其他后台进程,以提高性能。如果内存足够大,比如:128GB、256GB,单节点是浪费,建议通过虚拟化方式切分开。
- ^7 D! n' d' ]6 {2 }; L0 y! Y( D6 O! |" H3 ]3 J+ F' N* Z* O
, B" E' I |& y" [) Z$ J: \/ G0 |6 l4 ?( x: ?6 o9 Z) \, Y
. [/ b. [# @$ Q1 n) d( l
" A3 E! |: L7 r8 G, _2 q
' y8 {) F: c4 Y( d$ |解释:
# U+ i' `' a7 m0 l) b# B. z; I- L1 z
. m0 L& v; @$ {/ ^目录结构
0 ~$ m. }$ I, d2 g' o$ HType Description Default Location Setting7 a+ {3 p& a3 J0 v
home Elasticsearch 主目录或 $ES_HOME Directory created by unpacking the archive
/ E+ n3 h! X w( C$ O' }bin 二进制脚本,包括用于启动节点的 elasticsearch 和用于安装插件的 elasticsearch-plugin $ES_HOME/bin
7 s; z3 w/ _ V+ z/ qconf 配置文件,包括但不限于elasticsearch.yml $ES_HOME/config ES_PATH_CONF+ o2 W6 T: W2 a. B$ r
conf 为传输层和 HTTP 层生成 TLS 密钥和证书 $ES_HOME/config/certs
# P# {$ d5 x; F7 Adata 节点上分配的每个索引/分片的数据文件的位置 $ES_HOME/data path.data
4 s8 R+ [; {. v# \/ F. K% Flogs 日志文件位置 $ES_HOME/logs path.logs/ J% j( h/ V* x$ Y. a* Z I6 p
plugins 插件文件位置。每个插件将包含在一个子目录中 $ES_HOME/plugins . M4 B! ?4 \- R# c9 i
repo 共享文件系统存储库位置。可以容纳多个位置。文件系统存储库可以放置在此处指定的任何目录的任何子目录中 Not configured path.repo
+ y9 h( D( h/ E6 @% \. `" G+ X/ t g, o5 R- [4 _% a# Z
集群名称设置:cluster.name:1 q8 P- r2 H8 J2 x) b( i
节点名称:node.name:
! n/ z4 C5 i- S% H. y9 Z9 k网络主机设置:network.host:
6 P3 K! H( W# V; G. p. H4 L发现形成集群:discovery.seed_hosts:
! z* S6 E9 g N+ o! ]3 v, u选举主节点master资格的节点:cluster.initial_master_nodes:
% l7 O2 c6 X0 m6 ]6 r# |: T7 Y W" E设置集群间通信端口:transport.port:
6 O" `* N' t/ R( l2 T: \/ F# E2 ]/ o设置数据存放位置:path.data:
& J# D! i: p; c# x设置日志存放位置:path.logs:. v& D# ?5 x1 e* m! x
5 p* I8 |; a7 v' I0 L# P! z- R8 X
cluster.name: CollectorDBCluster
path.data: /data/elasticsearch/data
path.logs: /data/cusc-logs
network.host: 10.153.61.71
http.port: 9200
node.name: node-1
cluster.initial_master_nodes: ["node-1"]
各配置项含义:
cluster.name 集群名称,各节点配成相同的集群名称。
node.name 节点名称,各节点配置不同。
node.master / node.data 指示节点是否可成为主节点 / 是否为数据节点。注意:这两个设置在 8.x 已移除,改用 node.roles(如 node.roles: [master, data]);不配置时节点默认拥有全部角色(启动日志中的 {cdfhilmrstw} 即全部角色)。
path.data 数据存储目录。
path.logs 日志存储目录。
bootstrap.memory_lock 内存锁定,防止 JVM 堆被交换到 swap;需要同时放开 es 账号的 memlock 限制。
bootstrap.system_call_filter 系统调用过滤器(seccomp);8.x 中该设置已移除,过滤始终启用。
network.host 绑定节点IP。0.0.0.0 表示在所有网卡上监听,生产环境建议绑定具体地址,并用防火墙限制 9200/9300 只允许集群节点和 Kibana 访问。
http.port HTTP 端口(默认 9200);节点间通信使用 transport.port(默认 9300)。
/ T9 Q) F. J' b* M5 @9 Y Q
. C9 A$ q9 b2 m2 N启动集群:
& ~. T0 K4 I( U$ Q* H, c9 T& z& `1 U- ]
9 O4 C; i, ?7 I7 A. x
0 X" \% }4 I D0 ], X. z4 L2 k. W. ]! h- p
配置文件属组权限,并启动
[root@it-elassearch elasticsearch]# chown -R es:es elastic-cluster1/
[root@it-elassearch-2 elasticsearch]# chown -R es:es elastic-cluster2/

建议同时收紧权限,避免本机其他账号读取 config/ 下的 elasticsearch.yml、elasticsearch.keystore 和证书文件:
[root@it-elassearch elasticsearch]# chmod -R o-rwx elastic-cluster1/
[root@it-elassearch-2 elasticsearch]# chmod -R o-rwx elastic-cluster2/

如果直接用es账号配置的,可以不做上面的 chown 操作:
- D" E( c) u/ L9 [! q& t. C2 s a6 B; x) ^$ q
7 A$ D, O$ a5 J8 [) S
1 }* W* R3 v& I
0 G! o- }: G" \7 _2 y. k" u1 j如果添加鉴权配置请按照此处配置,不配置即可略过:
) t. I7 o+ }3 \' W/ t+ F) W. W7 [+ E4 R$ }8 x- M& T, _
; h" j% _# _) S* H1 G- B
es开启认证详细步骤:9 a9 u ]3 [* l( _
4 H9 F+ P9 f9 q' H# a1 x. N5 R0 W# B Q
1、生成证书:3 g$ l2 ^1 \- |: C% [& s! x. M
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil ca
5 B1 b& c. v! f( CThis tool assists you in the generation of X.509 certificates and certificate! B7 o% g# D, f7 @
signing requests for use with SSL/TLS in the Elastic stack.
/ K: f3 y7 @! s+ i! m( N$ }* h2 [2 x; j$ Q7 d- i
. B6 Y3 n; a/ {4 l
The 'ca' mode generates a new 'certificate authority'/ J8 |3 U2 X# B% n; e' K
This will create a new X.509 certificate and private key that can be used4 j6 I% i* \5 z' \4 L
to sign certificate when running in 'cert' mode.
) n% b9 r9 k7 j$ z; q. M& N& l3 x8 O! ]( Z) p e, k+ w
h, \% h" Q4 `* _
Use the 'ca-dn' option if you wish to configure the 'distinguished name'6 C: [# T u4 a' Y: o) G7 E( y
of the certificate authority0 }2 U/ U, @5 ^, t
. [! k- X2 N7 o; S$ {3 o$ |( [% B9 N( O
" Y. o0 I; W: h- M; N% BBy default the 'ca' mode produces a single PKCS#12 output file which holds:, _5 Y9 T9 o& c
* The CA certificate; P' i8 |# e3 ]
* The CA's private key
, Z4 U) ]& y6 ^/ r, ]2 b3 h0 m6 M2 j u4 o
# J3 A, Y' B, w2 F! a6 bIf you elect to generate PEM format certificates (the -pem option), then the output will* \6 j m" t7 Q( U2 o" u
be a zip file containing individual files for the CA certificate and private key
. A$ ]1 E6 q, ?
( `7 g# Q4 T0 S9 D; f
+ o9 r9 s; ?" D1 ?, |" o6 \Please enter the desired output file [elastic-stack-ca.p12]: 【直接回车】3 G" G2 ~7 Y3 R3 M* D/ Q
Enter password for elastic-stack-ca.p12 : 【输入密码】
$ l; R" @" [8 x, H
2 m6 u o1 m, k- N+ O- D" Q' @/ q9 o `% x) Q4 f5 R
完成后会生成elastic-stack-ca.p12 文件* v6 J- _2 T9 G! O `
6 w0 P8 T# l# q1 O% m+ s6 X
, k2 E9 H$ u! [; `) h8 F, U/ X1 Z+ ~
& }4 a) @9 M% m1 B) Z2、生成密匙:
: ~7 H9 k. i7 L' i8 j) y
/ P, J/ E/ o4 l; ?2 v/ q8 P; z m! w3 G
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 & {/ Q/ Q& f6 t3 g" t% [$ [$ @
This tool assists you in the generation of X.509 certificates and certificate
/ N4 Y! `8 R0 i) F% C& Lsigning requests for use with SSL/TLS in the Elastic stack.
/ L' n5 M1 ]6 q; B# r
/ W0 [( G" Q# l2 O, aThe 'cert' mode generates X.509 certificate and private keys.
; x- S* S+ h0 n8 q; Y * By default, this generates a single certificate and key for use
$ B% ?- O6 i3 Z; B5 v on a single instance.
% Q/ i+ l% D$ Y5 _% `6 X * The '-multiple' option will prompt you to enter details for multiple% Z7 B7 \0 w+ l# l4 \5 f
instances and will generate a certificate and key for each one
7 P" i: _; I" V; b * The '-in' option allows for the certificate generation to be automated by describing: x0 Q: {# {- u0 X2 J" U3 K9 f3 u' y
the details of each instance in a YAML file
. E" ]: M& x; x p* u9 k4 P) Z9 d# q7 G+ `/ G
* An instance is any piece of the Elastic Stack that requires an SSL certificate.$ ?0 r( h+ Q' X Y4 k
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
& z( r$ ^9 D5 @2 H% H3 f may all require a certificate and private key.
/ h; g, K5 Z1 t1 l * The minimum required value for each instance is a name. This can simply be the9 Z( e, I( _: Q& N7 K3 d& B
hostname, which will be used as the Common Name of the certificate. A full
1 x! p" P! L" g. [, W1 o! W _ distinguished name may also be used.
2 t, N4 }; y+ U% l' }0 o( |/ \- H' D * A filename value may be required for each instance. This is necessary when the
+ {- ]& l3 g8 F2 p3 u! t. W7 n name would result in an invalid file or directory name. The name provided here( A- r% x9 R6 v
is used as the directory name (within the zip) and the prefix for the key and% j2 G, r L+ d$ \
certificate files. The filename is required if you are prompted and the name- J( W5 e8 N/ X0 t" }
is not displayed in the prompt.- J' K' s6 V E0 l5 {1 o
* IP addresses and DNS names are optional. Multiple values can be specified as a
# [9 n) Z% p2 v8 x! [& b0 B1 T0 c* ~ comma separated string. If no IP addresses or DNS names are provided, you may& N8 u; k& O5 `% p
disable hostname verification in your SSL configuration.
! }, ^; M+ [" W6 z7 b" \, e; o. d
) ]% L4 M% v& f }
* All certificates generated by this tool will be signed by a certificate authority (CA)9 w. [9 T$ |9 B, ~
unless the --self-signed command line option is specified.
+ _* y8 C3 ^* [) O) s5 J: o The tool can automatically generate a new CA for you, or you can provide your own with
$ F9 c+ ?! L; w1 T the --ca or --ca-cert command line options.
( P9 w: g. x* B/ {( Y8 M6 l! V
5 A& u) _/ Q& v3 A7 i/ LBy default the 'cert' mode produces a single PKCS#12 output file which holds:0 `. u9 G' C, x! A9 s/ u. K
* The instance certificate6 N( \# L3 G! ~- E* e6 e$ x, ?# }
* The private key for the instance certificate/ V" A$ U1 w, b. u; @
* The CA certificate0 `- S, N" T, w" A
/ h& j8 |' n. }( tIf you specify any of the following options:
! H% ^* \7 O) u! o# B * -pem (PEM formatted output)
# d" S( a5 O3 }$ U2 x+ L1 H * -multiple (generate multiple certificates)4 Q5 }! p/ T( f, ~/ n/ }9 c
* -in (generate certificates from an input file)
; f: a' L, j- e. f% a3 hthen the output will be be a zip file containing individual certificate/key files7 H! I. j- S* N1 x$ D4 M
. r( S) n6 w* ^( l9 O0 d) L @6 aEnter password for CA (elastic-stack-ca.p12) : 【输入密码】
$ _) Q6 E& r1 a3 |% UPlease enter the desired output file [elastic-certificates.p12]: 【直接回车】* ~* M/ b1 _+ \
Enter password for elastic-certificates.p12 : 【输入密码】& J8 |2 b7 n0 }4 D( g6 Z! W# n! S7 L- i1 g
6 v7 e* ~; Z4 D
Certificates written to /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/elastic-certificates.p12
8 d" S& _! p/ {6 S7 \+ u$ Z
# g5 B4 s I8 FThis file should be properly secured as it contains the private key for
$ b/ k/ y( l3 r9 I) F1 M8 l: S8 hyour instance.
" B r; v' J. l/ iThis file is a self contained file and can be copied and used 'as is'
+ ~1 Q* J5 w! TFor each Elastic product that you wish to configure, you should copy+ F+ a1 w$ Y: G( j; k
this '.p12' file to the relevant configuration directory% L$ } _8 }/ u: x. Z5 j
and then follow the SSL configuration instructions in the product guide.0 C1 t5 Z. h6 H0 k5 n3 {$ K
% B3 w. M9 J$ L" f
For client applications, you may only need to copy the CA certificate and
, |3 p9 x$ _* v8 econfigure the client to trust this certificate.5 [3 F _7 h+ X6 I, C! M) _/ W
. S5 R7 ]+ N L6 Z7 w' N
此操作中间需要输入刚才设置的密码,直接输入即可;需要输入路径的地方可以不输入,直接回车就会在当前目录下生成一个文件:
elastic-certificates.p12

3、将节点凭证移至相应的目录:

创建目录:
mkdir -p ./config/certificates/
chmod 700 ./config/certificates/

移动节点凭证到指定目录。注意:只需要移动 elastic-certificates.p12。elastic-stack-ca.p12 里含有 CA 私钥,节点运行时并不需要它,不要放进 config 目录,更不要复制到各节点——在 verification_mode: certificate 下,任何拿到 CA 私钥的人都能签发通过校验的节点证书并接入或冒充集群。把 CA 文件移到离线的安全位置保存,只在以后签发新证书时使用:
[es@it-elassearch elasticsearch-8.15.0]$ mv elastic-certificates.p12 ./config/certificates/
[es@it-elassearch elasticsearch-8.15.0]$ chmod 600 ./config/certificates/elastic-certificates.p12
[es@it-elassearch elasticsearch-8.15.0]$ mv elastic-stack-ca.p12 <离线安全存储位置>

4、复制节点凭证到每个节点上:(使用scp或者rsync方式即可,只同步 elastic-certificates.p12)
[es@it-elassearch elasticsearch-8.15.0]$ rsync -azvP -e 'ssh -p 60028' config/certificates/elastic-certificates.p12 es@172.24.110.126:/data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/
(以下是原作者同步整个目录时的输出,可以看到 CA 文件 elastic-stack-ca.p12 也被传到了节点二;按上面只同步节点凭证的做法,列表中只应出现 elastic-certificates.p12。如果已经传过去,请在各节点上删除 config/certificates/elastic-stack-ca.p12。)
es@172.24.110.126's password:
sending incremental file list# g! ]) f' J; p. m
./9 Q: c& z. P. t
elastic-certificates.p12
: @- O! y' G9 H/ G9 i1 h" Q: J; ` 3,596 100% 0.00kB/s 0:00:00 (xfr#1, to-chk=1/3)
7 z2 A1 J* ?! d5 ^$ N( _) w. E! Aelastic-stack-ca.p12
, a- |. Y$ J, L 2,672 100% 2.55MB/s 0:00:00 (xfr#2, to-chk=0/3)6 o5 b7 r$ E2 ]; H% o( ~+ ^- ?
$ }" h2 L9 S5 D# M# E x J6 v: f$ J" y' J ?
sent 6,314 bytes received 57 bytes 1,415.78 bytes/sec" x1 w1 T) u4 t! u$ s
total size is 6,268 speedup is 0.98) s) X0 L. _0 L' j& r6 L2 C" d
' x( S! q. m1 c) E6 e( N+ Q/ Q1 z% B: }3 h7 W
5、修改配置文件(两个节点都要追加以下内容):
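# Appended to each node's elasticsearch.yml.
# CORS: "*" admits requests from any web page a user visits. Restrict the
# origin to the host that needs browser access and never combine "*" with
# http.cors.allow-credentials: true.
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
# Legacy 6.x setting; leave it commented out.
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
# Chain validation only, no host-name check (the node certificate carries no
# DNS/IP names): every certificate signed by elastic-stack-ca.p12 is accepted,
# so the CA private key must not be kept on the nodes.
xpack.security.transport.ssl.verification_mode: certificate
# Relative paths are resolved against the config directory, so these two
# lines are identical on both nodes. (The original used the absolute path
# /data/elasticsearch/elastic-cluster/..., which matches neither
# elastic-cluster1 nor elastic-cluster2; ES would fail to start because the
# keystore file does not exist at that path.)
xpack.security.transport.ssl.keystore.path: certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certificates/elastic-certificates.p12
# Still missing: TLS on the HTTP layer (xpack.security.http.ssl.*). Without it
# the elastic password and all REST traffic are sent in cleartext, and
# elasticsearch-create-enrollment-token fails (see the error at the end of
# this guide).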
4 D$ o; S* Z, q, L- X5 B$ ?) \. n' k2 s2 Z3 ^, ~+ _
加鉴权同样需要切换到es账号操作:

在各个节点上把证书密码写入 Elasticsearch keystore(不要把密码明文写进 elasticsearch.yml):

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
Enter value for xpack.security.transport.ssl.keystore.secure_password:

输入密码:生成 elastic-certificates.p12 时设置的密码

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password:

输入密码:同上(keystore 和 truststore 指向同一个 .p12 文件,密码相同)

注意:config/elasticsearch.keystore 默认没有口令保护,里面的值只是混淆而非加密,等同于明文保存;确保它属于 es 账号且权限为 600(chmod 600 config/elasticsearch.keystore)。可用 ./bin/elasticsearch-keystore passwd 为其设置口令,但之后每次启动都需要提供该口令。
5 H* G% X+ J, I* }8 n) n
接下来和没有做鉴权的一样,逐个启动集群:

切换到其它用户,root用户不能启动ES:su es

[es@it-elassearch elasticsearch-8.15.0]$ bin/elasticsearch -d

注意:本文的步骤里没有为内置 elastic 用户设置密码。在 elasticsearch.yml 中显式配置了 xpack.security.* 后,8.x 不会再在首次启动时自动生成 elastic 的密码;集群起来后在任一节点执行 ./bin/elasticsearch-reset-password -u elastic 生成(或重置)密码,再用它访问 9200。
; q6 h8 C7 K( F$ R" E, k7 {/ P/ @.......
1 z* M9 y5 `$ M3 sOct 24, 2024 5:33:34 PM sun.util.locale.provider.LocaleProviderAdapter <clinit> Q) ^) I1 ^3 X% c6 ^6 F! s
[2024-10-24T17:33:40,246][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using native vector library; to disable start with -Dorg.elasticsearch.nativeaccess.enableVectorLibrary=false) V$ R6 V$ F& [4 E
[2024-10-24T17:33:40,727][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using [jdk] native provider and native methods for [Linux]
, |) u4 E$ ^" H( Y" c% \0 U8 {4 w[2024-10-24T17:33:41,119][INFO ][o.a.l.i.v.PanamaVectorizationProvider] [it-elassearch] Java vector incubator API enabled; uses preferredBitSize=128; floating-point vectors only# A3 O) S0 {0 \
[2024-10-24T17:33:42,185][INFO ][o.e.n.Node ] [it-elassearch] version[8.15.0], pid[8520], build[tar/1a77947f34deddb41af25e6f0ddb8e830159c179/2024-08-05T10:05:34.233336849Z], OS[Linux/3.10.0-1160.24.1.el7.x86_64/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/22.0.1/22.0.1+8-16]) o! w% T: P3 N" ~' z8 p
.......7 n( O; [1 j8 W- U$ i' U" D) m! F; T2 U
[2024-10-24T17:34:27,594][WARN ][o.e.c.c.ClusterFormationFailureHelper] [it-elassearch] master not discovered yet, this node has not previously joined a bootstrapped cluster, and this node must discover master-eligible nodes [it-elassearch, it-elassearch-2] to bootstrap a cluster: have discovered [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}]; discovery will continue using [172.24.110.126:9300] from hosts providers and [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}] from last-known cluster state; node term 0, last-accepted version 0 in term 0; for troubleshooting guidance, see https://www.elastic.co/guide/en/ ... roubleshooting.html
0 I( \9 o7 @: e Z7 s[2024-10-24T17:34:27,609][INFO ][o.e.h.AbstractHttpServerTransport] [it-elassearch] publish_address {172.24.110.125:9200}, bound_addresses {[::]:9200}
/ u8 D6 t* T: S- S& R( n[2024-10-24T17:34:27,637][INFO ][o.e.n.Node ] [it-elassearch] started {it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}{ml.max_jvm_size=4294967296, ml.config_version=12.0.0, xpack.installed=true, transform.config_version=10.0.0, ml.machine_memory=8200949760, ml.allocated_processors=4, ml.allocated_processors_double=4.0}, c. ~/ F" X4 l! Z4 Y ?
( p5 M7 v2 C- Y- E5 ]9 N
7 F8 f0 c. u: ~9 P( N+ `3 X# y2 Z7 ^6 }6 _& c1 a7 D
, s; M3 G9 l) I8 _
; u+ A* p q4 w( M5 p9 X# M1 K
; ~+ D, u# j7 X U[es@it-elassearch elasticsearch-8.15.0]$ netstat -ntlp
) D5 a; D/ t; W( Y \(Not all processes could be identified, non-owned process info5 c& `3 _3 [) S- u+ w1 o! w
will not be shown, you would have to be root to see it all.)
8 b7 ]" O. z9 s/ V7 DActive Internet connections (only servers)0 H8 {& W0 j& U+ e# W" k, z
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name c# _, Q0 P4 P J$ J, c, C
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
9 o8 Y) T+ u9 |/ Y9 Atcp 0 0 0.0.0.0:60028 0.0.0.0:* LISTEN - ) g m) d/ I5 L n- j6 r' w
tcp6 0 0 :::9300 :::* LISTEN 8520/java
% n( q( ^4 a9 F1 |" ]& }. Utcp6 0 0 ::1:25 :::* LISTEN - : }8 ]3 F! b) b, Q
tcp6 0 0 :::60028 :::* LISTEN - / i1 }& o5 J. [5 [
tcp6 0 0 :::9200 :::* LISTEN 8520/java

(:::9200 与 :::9300 和启动日志中的 bound_addresses {[::]:9200} 一致,说明 9200/9300 在所有网卡上监听,这是 network.host: 0.0.0.0 的结果。在未启用鉴权的情况下,这两个端口必须用防火墙限制只允许集群节点和 Kibana 主机访问。)
6 ~0 @" ]% N2 v0 s1 L, w$ i
, x7 A' D4 S* i* R% @( P7 N5 L
( l. Z2 a2 w' n8 V( ` P7 [# D8 T2 o, }, }" b L
2 V! Z* p; }7 ? x7 n# ^& o' ?
1 D# P1 R% k5 P9 l[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana
, f) Z! P5 l2 K+ Z
0 n, v2 Q. |$ x" W. b( TERROR: [xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token, with exit code 78
5 }3 @9 l$ G" M. V# p
0 C" X3 `" F4 x6 {+ A0 Y
6 i3 }5 t, X4 u5 Y. y) U在elasticsearch-8.15.0/config/elasticsearch.yml 添加 配置:
! ]1 J) @! _+ ?# r8 ^# G/ m/ {+ k( R4 K8 x
[es@it-elassearch-1 elastic-cluster1]$ vim elasticsearch-8.15.0/config/elasticsearch.yml
+ v5 J: B: W d, H& u5 [ x6 ^4 ~ ]( Z. n, \$ U
xpack.security.enrollment.enabled: true9 P6 s# `/ [1 `4 t- s
4 [0 g& R s, }7 m+ ?8 I0 ~% f$ k7 V/ [
保存再次执行:1 M" B) q! H5 x! W
Q" ?7 i+ O! U5 ~+ E
& \# W n6 k7 C* K* w0 y) F$ l: H
8 j: G( C' b4 U5 D; o
' L4 a+ F, ]9 @+ ?0 {6 ~[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana3 N- }5 V) N8 J. y4 p1 b. v
Unable to create enrollment token for scope [kibana]6 @; @1 x3 p. A; @' G7 K0 L
% D' ^. T( n% ]! Y/ @4 T& DERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore, with exit code 73
3 L0 U$ h7 L2 v# Z4 o9 M' a' w0 R
第二个报错说明 HTTP 层没有配置 TLS:enrollment token 中包含 HTTP 证书的 CA 指纹,没有 xpack.security.http.ssl 配置就无法生成。先用 ./bin/elasticsearch-certutil http 生成 HTTP 证书,在 elasticsearch.yml 中配置 xpack.security.http.ssl.enabled: true 和 xpack.security.http.ssl.keystore.path,重启节点后再生成 token。
如果你的 kibana 不在同一台主机上,就需要用 --url 指定 Kibana 能访问到的 https 地址,用引号括起来,例如:./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana --url "https://172.24.110.125:9200"
9 ?! {. D2 ~, t1 N# I) y0 V: R+ D0 Y# P) J* q
7 m' S$ U6 R/ Z9 {$ W* S2 S/ n
Z7 _( O1 F/ L! M' r- ^) m' J- o. a2 L1 p
: c% s" c$ b) D2 b3 f
) w6 j7 w. {$ V' c& T