elasticsearch8版本安装详细步骤

1、设置虚拟内存
sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
(也可以写成 echo "vm.max_map_count = 262144" >> /etc/sysctl.conf,两种写法等价,二选一即可)

加入:vm.max_map_count=262144
使配置生效:sysctl -p

2、设置文件打开数:
cat >>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF

设置pam配置:
echo "session required pam_limits.so" >> /etc/pam.d/login

3、禁用swap交换分区
swapoff -a #临时禁用
vi /etc/fstab #永久禁用
找到swap这一行,在行首加上#符号注释掉

4、设置TCP重传超时
sysctl -w net.ipv4.tcp_retries2=5
编辑配置文件:echo "net.ipv4.tcp_retries2 = 5" >> /etc/sysctl.conf

5、创建一个用户
useradd es

6、创建安装目录
mkdir /data/elasticsearch/
mkdir /data/elasticsearch/elastic-cluster1/
mkdir /data/elasticsearch/elastic-cluster2

[root@it-elassearch ~]# ls -p /data/elasticsearch
elastic-cluster1/ elastic-cluster2/

7、下载官网安装包
官网下载地址,选择对应版本的elasticsearch和kibana:
https://www.elastic.co/cn/downloads/past-releases#elasticsearch
下载后先核对官网给出的 sha512 校验值,确认安装包完整无误再交给 es 用户解压。

[root@it-elassearch-2 ~]# chown es:es elasticsearch-8.15.0-linux-x86_64.tar.gz
[root@it-elassearch-2 ~]# mv elasticsearch-8.15.0-linux-x86_64.tar.gz /data/elasticsearch/

切换到es账号:

7.1 解压:我的安装包已经下载到了安装目录下,分别解压到 /data/elasticsearch/elastic-cluster1/ 和 /data/elasticsearch/elastic-cluster2/ 目录下

cd /data/elasticsearch/elastic-cluster1
[es@it-elassearch elastic-cluster1]$ ls
elasticsearch-8.15.0-linux-x86_64.tar.gz

cd /data/elasticsearch/elastic-cluster2
[es@it-elassearch-2 elastic-cluster2]$ ls
elasticsearch-8.15.0-linux-x86_64.tar.gz

解压:
[es@it-elassearch elastic-cluster1]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz
[es@it-elassearch-2 elastic-cluster2]$ tar -zxvf elasticsearch-8.15.0-linux-x86_64.tar.gz

进入对应目录下:cd /data/elasticsearch/elastic-cluster1

配置es参数文件:

节点一配置:
#vim elasticsearch-8.15.0/config/elasticsearch.yml

cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false

注意:xpack.security.enabled: false 表示不做任何认证,任何能连到 9200 端口的人都可以读写、删除数据,只适合隔离的测试环境;network.host: 0.0.0.0 会监听主机上所有网卡,生产环境应改为内网地址,或用防火墙限制能访问 9200/9300 的来源。

下面是加鉴权的配置:
cluster.name: essearch
node.name: it-elassearch
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12

注意:http.cors.allow-origin: "*" 允许任意网站的浏览器脚本跨域访问 ES,再配合放行 Authorization 头,会扩大攻击面;生产环境应把它改成具体的 Kibana/前端域名,不需要浏览器直连 ES 时干脆不要开启 CORS。

节点二配置
#vim elasticsearch-8.15.0/config/elasticsearch.yml

cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
#node.master: true
#node.data: true

xpack.security.transport.ssl.enabled: false
xpack.security.enabled: false

下面是加鉴权的配置(与节点一的区别只有 node.name 和证书路径中的目录名):
cluster.name: essearch
node.name: it-elassearch-2
path.data: ./elasticsearch-8.15.0/data
path.logs: ./elasticsearch-8.15.0/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.24.110.125", "172.24.110.126"]
cluster.initial_master_nodes: ["it-elassearch", "it-elassearch-2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12

JVM堆内存大小设置
设置内存大小:

vim elasticsearch-8.15.0/config/jvm.options

-Xms4g
-Xmx4g

实际业务线上环境,建议所有Elasticsearch节点都是独立节点,不要部署其他程序、其他后台进程,以提高性能。如果内存足够大,比如:128GB、256GB,单节点是浪费,建议通过虚拟化方式切分开。

解释:

目录结构
Type Description Default Location Setting
home Elasticsearch 主目录或 $ES_HOME Directory created by unpacking the archive
bin 二进制脚本,包括用于启动节点的 elasticsearch 和用于安装插件的 elasticsearch-plugin $ES_HOME/bin
conf 配置文件,包括但不限于elasticsearch.yml $ES_HOME/config ES_PATH_CONF
conf 为传输层和 HTTP 层生成的 TLS 密钥和证书 $ES_HOME/config/certs
data 节点上分配的每个索引/分片的数据文件的位置 $ES_HOME/data path.data
logs 日志文件位置 $ES_HOME/logs path.logs
plugins 插件文件位置。每个插件将包含在一个子目录中 $ES_HOME/plugins
repo 共享文件系统存储库位置。可以容纳多个位置。文件系统存储库可以放置在此处指定的任何目录的任何子目录中 Not configured path.repo

集群名称设置:cluster.name:
节点名称:node.name:
网络主机设置:network.host:
发现形成集群:discovery.seed_hosts:
选举主节点master资格的节点:cluster.initial_master_nodes:
设置集群间通信端口:transport.port:
设置数据存放位置:path.data:
设置日志存放位置:path.logs:

cluster.name: CollectorDBCluster
path.data: /data/elasticsearch/data
path.logs: /data/cusc-logs
network.host: 10.153.61.71
http.port: 9200
node.name: node-1
cluster.initial_master_nodes: ["node-1"]

各配置项含义:
cluster.name 集群名称,各节点配成相同的集群名称。
node.name 节点名称,各节点配置不同。
node.master 指示某个节点是否符合成为主节点的条件。
node.data 指示节点是否为数据节点。数据节点包含并管理索引的一部分。
path.data 数据存储目录。
path.logs 日志存储目录。
bootstrap.memory_lock 内存锁定,是否禁用交换。
bootstrap.system_call_filter 系统调用过滤器。
network.host 绑定节点IP。
http.port 端口。

启动集群:

配置文件属组权限,并启动
[root@it-elassearch elasticsearch]# chown -R es:es elastic-cluster1/
[root@it-elassearch-2 elasticsearch]# chown -R es:es elastic-cluster2/

如果直接用es账号配置的,可以不做上面的操作。

如果要添加鉴权配置请按照下面的步骤配置,不配置即可略过:

es开启认证详细步骤:

1、生成证书:
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 【直接回车】
Enter password for elastic-stack-ca.p12 : 【输入密码】

完成后会生成elastic-stack-ca.p12 文件。这个文件里包含 CA 的私钥,拿到它就能签发出集群信任的节点证书,要单独妥善保管,节点运行本身并不需要它。

2、生成密钥:

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
      on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
      instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
      the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate
If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : 【输入密码】
Please enter the desired output file [elastic-certificates.p12]: 【直接回车】
Enter password for elastic-certificates.p12 : 【输入密码】
Certificates written to /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

此操作中间需要输入刚才设置的密码,直接输入即可;需要输入路径的地方可以不输入,直接回车就会在当前目录下生成一个文件:
elastic-certificates.p12
说明:这里生成证书时没有指定节点的 IP/DNS,所以上面的配置用的是 verification_mode: certificate(只校验证书链,不校验主机名)。如果希望节点之间也校验主机名,生成时应通过 --ip/--dns 写入各节点地址,并把 verification_mode 改为 full。

3、将凭证移至相应的目录即可:

##将凭证迁移到指定的目录:
创建目录:
mkdir -p ./config/certificates/
移动凭证到指定目录下:

[es@it-elassearch elasticsearch-8.15.0]$ mv elastic-certificates.p12 elastic-stack-ca.p12 ./config/certificates/

4、复制凭证到每个节点上:(使用scp或者rsync方式即可)
[es@it-elassearch elasticsearch-8.15.0]$ rsync -azvP -e 'ssh -p 60028' config/certificates/ es@172.24.110.126:/data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/
es@172.24.110.126's password:
sending incremental file list
./
elastic-certificates.p12
          3,596 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=1/3)
elastic-stack-ca.p12
          2,672 100%    2.55MB/s    0:00:00 (xfr#2, to-chk=0/3)

sent 6,314 bytes  received 57 bytes  1,415.78 bytes/sec
total size is 6,268  speedup is 0.98

注意:上面同步的是整个 certificates/ 目录,所以连 CA 私钥文件 elastic-stack-ca.p12 也一起复制到了第二个节点;节点运行只需要 elastic-certificates.p12,CA 私钥不必分发到每个节点,建议单独保管。同步完成后确认两个 .p12 文件只有 es 用户可读(例如 chmod 600)。

5、修改配置文件:
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
#xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/elasticsearch/elastic-cluster/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
(keystore/truststore 的路径按各节点实际目录填写,即前面的 elastic-cluster1 或 elastic-cluster2。)

加鉴权一样需要切换到es账号:

在各个节点上添加密码:

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
Enter value for xpack.security.transport.ssl.keystore.secure_password:

输入密码:第一次输入的是前面生成 elastic-certificates.p12 时设置的密码

[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password:

输入密码:第二次输入同一个密码(keystore 和 truststore 指向的是同一个 .p12 文件)

接下来和没有做鉴权的一样,逐个启动集群:

切换到其它用户,root用户不能启动ES:su es

[es@it-elassearch elasticsearch-8.15.0]$ bin/elasticsearch -d
.......
Oct 24, 2024 5:33:34 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
[2024-10-24T17:33:40,246][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using native vector library; to disable start with -Dorg.elasticsearch.nativeaccess.enableVectorLibrary=false
[2024-10-24T17:33:40,727][INFO ][o.e.n.NativeAccess ] [it-elassearch] Using [jdk] native provider and native methods for [Linux]
[2024-10-24T17:33:41,119][INFO ][o.a.l.i.v.PanamaVectorizationProvider] [it-elassearch] Java vector incubator API enabled; uses preferredBitSize=128; floating-point vectors only
[2024-10-24T17:33:42,185][INFO ][o.e.n.Node ] [it-elassearch] version[8.15.0], pid[8520], build[tar/1a77947f34deddb41af25e6f0ddb8e830159c179/2024-08-05T10:05:34.233336849Z], OS[Linux/3.10.0-1160.24.1.el7.x86_64/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/22.0.1/22.0.1+8-16]
.......
[2024-10-24T17:34:27,594][WARN ][o.e.c.c.ClusterFormationFailureHelper] [it-elassearch] master not discovered yet, this node has not previously joined a bootstrapped cluster, and this node must discover master-eligible nodes [it-elassearch, it-elassearch-2] to bootstrap a cluster: have discovered [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}]; discovery will continue using [172.24.110.126:9300] from hosts providers and [{it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}] from last-known cluster state; node term 0, last-accepted version 0 in term 0; for troubleshooting guidance, see https://www.elastic.co/guide/en/ ... roubleshooting.html
[2024-10-24T17:34:27,609][INFO ][o.e.h.AbstractHttpServerTransport] [it-elassearch] publish_address {172.24.110.125:9200}, bound_addresses {[::]:9200}
[2024-10-24T17:34:27,637][INFO ][o.e.n.Node ] [it-elassearch] started {it-elassearch}{1TZ7_AjMQBm4NUw73Dr9eQ}{wrEeokvZTM-NfqrlNd_FSQ}{it-elassearch}{172.24.110.125}{172.24.110.125:9300}{cdfhilmrstw}{8.15.0}{7000099-8512000}{ml.max_jvm_size=4294967296, ml.config_version=12.0.0, xpack.installed=true, transform.config_version=10.0.0, ml.machine_memory=8200949760, ml.allocated_processors=4, ml.allocated_processors_double=4.0}

(上面那条 "master not discovered yet" 的 WARN,是第一个节点启动、第二个节点还没起来时的正常提示;它会一直尝试连接 172.24.110.126:9300,等第二个节点也启动后应当消失。)

[es@it-elassearch elasticsearch-8.15.0]$ netstat -ntlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:60028           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::9300                 :::*                    LISTEN      8520/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 :::60028                :::*                    LISTEN      -
tcp6       0      0 :::9200                 :::*                    LISTEN      8520/java

可以看到 9200(HTTP)和 9300(节点间通信)都监听在所有地址(:::),这是 network.host: 0.0.0.0 的效果;如果主机能被不受信任的网络访问到,要用防火墙把这两个端口限制为只允许集群节点和 Kibana 所在主机访问。

[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana

ERROR: [xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token, with exit code 78

在elasticsearch-8.15.0/config/elasticsearch.yml 添加配置:
[es@it-elassearch-1 elastic-cluster1]$ vim elasticsearch-8.15.0/config/elasticsearch.yml
xpack.security.enrollment.enabled: true

保存再次执行:

[es@it-elassearch-1 elastic-cluster1]$ ./elasticsearch-8.15.0/bin/elasticsearch-create-enrollment-token -s kibana
Unable to create enrollment token for scope [kibana]

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore, with exit code 73

这个错误是因为前面只给传输层(9300)配置了 TLS,HTTP 层(9200)仍然是明文;enrollment token 要求 HTTP 层也启用 TLS 并配置 keystore(xpack.security.http.ssl.enabled 和 xpack.security.http.ssl.keystore.path),配置后再生成即可。

如果你的kibana不在同一台主机上,生成 token 时需要通过 --url 参数加上 ES 的 http 或 https 访问地址,用""括起来。
