Elasticsearch 8.15 cluster deployment (TLS authentication)
Environment:
192.168.1.102
192.168.1.103
192.168.1.105
--------------------------------------------Basic installation-----------------------------------
System configuration
Run on every machine
1. System parameter configuration
Edit the limits.conf file
vi /etc/security/limits.conf
As root, add the following two entries, then log out and log back in as the elasticsearch user for them to take effect
* hard nofile 65536
* soft nofile 65536
2. Edit the sysctl.conf file
vi /etc/sysctl.conf
vm.max_map_count=262144
Then run the following command:
[root@localhost ~]# sysctl -p
3. Disable the firewall
systemctl status firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service
4. Install Java (no longer needed: since ES 7 the bundled JDK is used)
Installation link: https://www.cnblogs.com/hxlasky/p/14775706.html
Make sure the Java version is 1.8 or later
[root@rac01 soft]# java -version
java version "1.8.0_291"
Java(TM) SE Runtime Environment (build 1.8.0_291-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.291-b10, mixed mode)
5. Download the required version
I downloaded elasticsearch-8.15.1-linux-x86_64.tar.gz
Download address:
https://www.elastic.co/cn/downloads/past-releases#elasticsearch
6. Create the middleware installation directory and the data and log directories
Run on every machine
[root@es soft]# mkdir -p /usr/local/services
[root@es soft]# mkdir -p /home/middle/elasticsearch/data
[root@es soft]# mkdir -p /home/middle/elasticsearch/logs
7. Create the user and group
Run on every machine
groupadd -g 1500 elasticsearch
useradd -u 1500 -g elasticsearch elasticsearch
passwd elasticsearch
8. Upload to the servers
Run on every machine
Extract the archive and create the data directory
[root@rac01 soft]# cd /soft
[root@rac01 soft]# tar -xvf elasticsearch-8.15.1-linux-x86_64.tar.gz
[root@rac01 soft]# mv elasticsearch-8.15.1 /usr/local/services/elasticsearch
9. Change the ownership of the elasticsearch directory to the elasticsearch user
Run on every machine
[root@es config]# cd /usr/local/services
[root@es services]# chown -R elasticsearch.elasticsearch ./elasticsearch
Also change the ownership of the data and log directories to elasticsearch
[root@es services]# cd /home/middle
[root@es middle]# chown -R elasticsearch.elasticsearch ./elasticsearch
10. Create the backup directory
Run on every machine
[root@rac01 home]# mkdir -p /home/middle/esbak
[root@rac01 home]# cd /home/middle
[root@rac01 home]# chown -R elasticsearch.elasticsearch ./esbak
11. Edit the configuration file
Run on every machine
[root@rac01 middle]# su - elasticsearch
[elasticsearch@rac01 ~]$ cd /usr/local/services/elasticsearch/config
[elasticsearch@es config]$ vi elasticsearch.yml
cluster.name: escluster_ysd
node.name: node01
path.data: /home/middle/elasticsearch/data
path.logs: /home/middle/elasticsearch/logs
network.host: 192.168.1.102
http.port: 19200
##discovery.zen.minimum_master_nodes: 2 ## remove this parameter; it no longer exists in ES 8
discovery.seed_hosts: ["192.168.1.102", "192.168.1.103","192.168.1.105"]
cluster.initial_master_nodes: ["node01", "node02","node03"]
path.repo: /home/middle/esbak
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: false ## security is disabled for now and enabled later
Configuration files for the other machines:
scp the configuration file to the other machines, then adjust the following items accordingly
node.name: change to node02 and node03 respectively
network.host: change to the IP address of the corresponding machine
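Rendering and checking the three node configuration files, as an added example that is not from the original post: given node01's elasticsearch.yml, it rewrites node.name and network.host for node02 and node03 and then checks the three files against each other for the mismatches that most often keep nodes from forming one cluster (a different cluster.name, a duplicate node.name, a network.host missing from discovery.seed_hosts, a node.name missing from cluster.initial_master_nodes). The function names, the temporary directory and the file names are assumptions.

```shell
# Added example, not part of the original post. Renders node02/node03 config
# files from node01's and checks the set for consistency. Paths are assumptions.

config_value() {
    # Print the value of key $1 in file $2 (first occurrence at line start).
    sed -n "s/^$1: *//p" "$2" | head -n 1
}

render_node_config() {
    # $1 = node01's elasticsearch.yml, $2 = new node.name, $3 = new network.host
    sed -e "s/^node\.name:.*/node.name: $2/" \
        -e "s/^network\.host:.*/network.host: $3/" "$1"
}

check_cluster_configs() {
    # Return 0 if the files given as arguments describe one consistent cluster.
    first_cluster="" ; seen_names=""
    for f in "$@"; do
        cname="$(config_value cluster.name "$f")"
        nname="$(config_value node.name "$f")"
        host="$(config_value network.host "$f")"
        seeds="$(config_value discovery.seed_hosts "$f")"
        masters="$(config_value cluster.initial_master_nodes "$f")"
        if [ -z "$first_cluster" ]; then first_cluster="$cname"; fi
        if [ "$cname" != "$first_cluster" ]; then
            echo "$f: cluster.name '$cname' differs from '$first_cluster'"; return 1
        fi
        case " $seen_names " in
            *" $nname "*) echo "$f: duplicate node.name '$nname'"; return 1 ;;
        esac
        seen_names="$seen_names $nname"
        case "$seeds" in
            *"\"$host\""*) ;;
            *) echo "$f: network.host $host is not in discovery.seed_hosts"; return 1 ;;
        esac
        case "$masters" in
            *"\"$nname\""*) ;;
            *) echo "$f: node.name $nname is not in cluster.initial_master_nodes"; return 1 ;;
        esac
    done
    echo "configs consistent:$seen_names"
}

# Constructed copy of the node01 configuration from the page (assumed location).
ES_CFG_TMP="$(mktemp -d)"
cat > "$ES_CFG_TMP/node01.yml" <<'EOF'
cluster.name: escluster_ysd
node.name: node01
path.data: /home/middle/elasticsearch/data
path.logs: /home/middle/elasticsearch/logs
network.host: 192.168.1.102
http.port: 19200
discovery.seed_hosts: ["192.168.1.102", "192.168.1.103","192.168.1.105"]
cluster.initial_master_nodes: ["node01", "node02","node03"]
path.repo: /home/middle/esbak
xpack.security.enabled: false
EOF

render_node_config "$ES_CFG_TMP/node01.yml" node02 192.168.1.103 > "$ES_CFG_TMP/node02.yml"
render_node_config "$ES_CFG_TMP/node01.yml" node03 192.168.1.105 > "$ES_CFG_TMP/node03.yml"
check_cluster_configs "$ES_CFG_TMP"/node0[123].yml
# Afterwards copy each rendered file into place, e.g.
#   scp "$ES_CFG_TMP/node02.yml" 192.168.1.103:/usr/local/services/elasticsearch/config/elasticsearch.yml
```

Run the check again after any later edit to the seed or initial-master lists: a node whose network.host is not in discovery.seed_hosts on the other nodes can start cleanly and still never be discovered.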
12. Modify the JVM parameters ( /usr/local/services/elasticsearch/config/jvm.options )
Run on every machine
[root@master ~]# more /usr/local/services/elasticsearch/config/jvm.options
################################################################
##
## JVM configuration
##
################################################################
##
## WARNING: DO NOT EDIT THIS FILE. If you want to override the
## JVM options in this file, or set any additional options, you
## should create one or more files in the jvm.options.d
## directory containing your adjustments.
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/8.15/jvm-options.html
## for more information.
##
################################################################
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## The heap size is automatically configured by Elasticsearch
## based on the available memory in your system and the roles
## each node is configured to fulfill. If specifying heap is
## required, it should be done through a file in jvm.options.d,
## which should be named with .options suffix, and the min and
## max should be set to the same value. For example, to set the
## heap to 4 GB, create a new file in the jvm.options.d
## directory containing these lines:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/8.15/heap-size.html
## for more information
##
################################################################
-Xms3g
-Xmx3g
################################################################
## Expert settings
################################################################
##
## All settings below here are considered expert settings. Do
## not adjust them unless you understand what you are doing. Do
## not edit them in this file; instead, create a new file in the
## jvm.options.d directory containing your adjustments.
##
################################################################
-XX:+UseG1GC
## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}
# Leverages accelerated vector hardware instructions; removing this may
# result in less optimal vector performance
20-:--add-modules=jdk.incubator.vector
## heap dumps
# generate a heap dump when an allocation from the Java heap fails; heap dumps
# are created in the working directory of the JVM unless an alternative path is
# specified
-XX:+HeapDumpOnOutOfMemoryError
# exit right after heap dump on out of memory error
-XX:+ExitOnOutOfMemoryError
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=data
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=logs/hs_err_pid%p.log
## GC logging
-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,level,pid,tags:filecount=32,filesize=64m
13. Start
Run on every node and make sure every machine starts
[root@rac01 middle]# su - elasticsearch
[elasticsearch@es ~]$ cd /usr/local/services/elasticsearch/bin
./elasticsearch -d
14. Now check the cluster status
No password authentication is configured at this point
[elasticsearch@master bin]$ curl http://192.168.1.102:19200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.1.102 14 97 12 0.51 0.88 0.84 cdfhilmrstw - node01
192.168.1.103 15 96 22 0.97 1.00 0.48 cdfhilmrstw * node02
192.168.1.105 10 97 13 2.67 1.68 0.77 cdfhilmrstw - node03
[elasticsearch@master bin]$ curl -X GET "192.168.1.102:19200/_cat/indices?v"
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size dataset.size
[elasticsearch@master bin]$ curl http://192.168.1.102:19200/?pretty
{
"name" : "node01",
"cluster_name" : "escluster_hxl",
"cluster_uuid" : "Z9owd8vWT0qa_w9Gx8JPKA",
"version" : {
"number" : "8.15.1",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "253e8544a65ad44581194068936f2a5d57c2c051",
"build_date" : "2024-09-02T22:04:47.310170297Z",
"build_snapshot" : false,
"lucene_version" : "9.11.1",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
----------------------------Configure security authentication--------------------------------
1. Generate certificates
1. Run the command to create the CA:
su - elasticsearch
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@master bin]$ ./elasticsearch-certutil ca
warning: ignoring JAVA_HOME=/usr/local/java/jdk1.8.0_351; using bundled JDK
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: ## just press Enter
Enter password for elastic-stack-ca.p12 : ## just press Enter
This generates the elastic-stack-ca.p12 file
[elasticsearch@master elasticsearch]$ pwd
/usr/local/services/elasticsearch
[elasticsearch@master elasticsearch]$ ls -1
bin
config
elastic-stack-ca.p12
jdk
lib
LICENSE.txt
logs
modules
NOTICE.txt
plugins
README.asciidoc
At the prompt "Please enter the desired output file [elastic-stack-ca.p12]" the default file name is elastic-stack-ca.p12; type a name and press Enter, or press Enter to accept the default.
Next comes the prompt "Enter password for elastic-stack-ca.p12 :"; the password may be empty, so just press Enter. The CA is now created, and the file is written to the root of the installation directory.
2. Generate elastic-certificates.p12 from elastic-stack-ca.p12
The command is: elasticsearch-certutil cert --ca elastic-stack-ca.p12
Just press Enter at every prompt
[elasticsearch@rac01 bin]$./elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
The prompt "Enter password for CA (elastic-stack-ca.p12) :" asks for the password of the CA file created above; if it has none, just press Enter.
The prompt "Please enter the desired output file [elastic-certificates.p12]:" names the file being generated; the default is elastic-certificates.p12.
The prompt "Enter password for elastic-certificates.p12 :" sets a password for this file; press Enter when done.
We now have the two files elastic-stack-ca.p12 and elastic-certificates.p12
Move both files into the config directory
[elasticsearch@rac01 elasticsearch7]$ cd /usr/local/services/elasticsearch
[elasticsearch@rac01 elasticsearch7]$ mv elastic-certificates.p12 ./config/
[elasticsearch@rac01 elasticsearch7]$ mv elastic-stack-ca.p12 ./config/
3. Copy the two files from node 1 to the other nodes
[elasticsearch@rac01 elasticsearch7]$ cd /usr/local/services/elasticsearch/config
[elasticsearch@rac01 elasticsearch7]$ scp elastic-certificates.p12 192.168.1.103:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 elasticsearch7]$ scp elastic-stack-ca.p12 192.168.1.103:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 elasticsearch7]$ scp elastic-certificates.p12 192.168.1.105:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 elasticsearch7]$ scp elastic-stack-ca.p12 192.168.1.105:/usr/local/services/elasticsearch/config/
4. Edit the configuration file
Append the following to the configuration file on every machine:
[root@rac01 middle]# su - elasticsearch
vi /usr/local/services/elasticsearch/config/elasticsearch.yml
Add the following settings
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
The original entry below can be removed:
xpack.security.enabled: false
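A pre-restart check of one node's config directory, as an added example that is not from the original post: it verifies that the settings from step 4 are present and uncommented, that the old xpack.security.enabled: false line is gone, and that the keystore and truststore named in the file exist in the config directory and are not readable by other users, since elastic-certificates.p12 holds the node's private key. The check_security_config function, the temporary directory and the empty placeholder keystore file are assumptions.

```shell
# Added example, not part of the original post. Validates the step 4 settings
# and the keystore file on one node before the restart. Layout is assumed.

check_security_config() {
    cfg_dir="$1"
    yml="$cfg_dir/elasticsearch.yml"
    # Every required setting must appear at the start of a line (not commented out).
    for setting in "xpack.security.enabled: true" \
                   "xpack.security.transport.ssl.enabled: true" \
                   "xpack.security.transport.ssl.verification_mode: certificate" \
                   "xpack.security.transport.ssl.keystore.path:" \
                   "xpack.security.transport.ssl.truststore.path:"; do
        grep -q "^$setting" "$yml" || { echo "missing: $setting"; return 1; }
    done
    # The old 'false' line must not survive next to the new 'true' line.
    if grep -q "^xpack.security.enabled: false" "$yml"; then
        echo "conflicting 'xpack.security.enabled: false' still present"; return 1
    fi
    for key in keystore truststore; do
        store="$(sed -n "s/^xpack.security.transport.ssl.$key.path: *//p" "$yml")"
        store_path="$cfg_dir/$store"   # relative paths resolve against the config dir
        [ -f "$store_path" ] || { echo "$key $store not found in $cfg_dir"; return 1; }
        # Column 8 of 'ls -l' is the 'other' read bit; the keystore holds a private key.
        if [ "$(ls -ld "$store_path" | cut -c8)" = "r" ]; then
            echo "$store_path is world-readable; run: chmod 600 $store_path"; return 1
        fi
    done
    echo "$cfg_dir: security configuration looks complete"
}

# Constructed config directory mirroring the result of step 4 (assumed content).
ES_SEC_TMP="$(mktemp -d)"
cat > "$ES_SEC_TMP/elasticsearch.yml" <<'EOF'
cluster.name: escluster_ysd
node.name: node01
network.host: 192.168.1.102
http.port: 19200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF
: > "$ES_SEC_TMP/elastic-certificates.p12"   # empty placeholder, not a real keystore
chmod 600 "$ES_SEC_TMP/elastic-certificates.p12"
check_security_config "$ES_SEC_TMP"
# On a real node: check_security_config /usr/local/services/elasticsearch/config
```

None of the settings above reference elastic-stack-ca.p12; that file holds the CA private key and is only needed where new node certificates are signed, so it does not have to live on the nodes. verification_mode: certificate checks the certificate chain but not the host name, which matches certificates generated, as here, without --dns or --ip.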
5. Restart
Kill the old process and start it again
kill <pid>
[root@rac01 middle]# su - elasticsearch
[elasticsearch@es ~]$ cd /usr/local/services/elasticsearch/bin
./elasticsearch -d
Access now requires a password
curl 'http://192.168.1.102:19200/_cat/nodes?pretty'
6. Set passwords
Run on one of the machines; I ran it on 192.168.1.102 and set every password to elastic
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@rac01 bin]$ ./elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
7. Verify
curl -u elastic:elastic 'http://192.168.1.102:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.1.102:19200/_cat/health?v'
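A post-restart check, as an added example that is not from the original post: it reads the _cat/nodes?v output and confirms that all three nodes rejoined and exactly one master was elected. A node that did not receive the keystore cannot open TLS connections on the transport layer and is simply absent from this list, which is the failure this check is meant to catch. The count_nodes and check_cluster_formed functions are assumptions, and the sample output is constructed from the one shown in step 14.

```shell
# Added example, not part of the original post. Checks `_cat/nodes?v` output
# for the expected node count and a single elected master.

count_nodes() {
    # stdin: `_cat/nodes?v` output; prints "<nodes> <masters> <master name>".
    # Column 9 is the master marker ('*' for the elected master), column 10 the name.
    awk 'NR > 1 && NF >= 10 { n++; if ($9 == "*") { m++; master = $10 } }
         END { printf "%d %d %s\n", n + 0, m + 0, master }'
}

check_cluster_formed() {
    # $1 = expected node count; stdin as for count_nodes. Returns 0 when healthy.
    expected="$1"
    set -- $(count_nodes)
    n="$1"; m="$2"; master="$3"
    if [ "$n" -ne "$expected" ]; then
        echo "expected $expected nodes, found $n (did a node fail to join?)"; return 1
    fi
    if [ "$m" -ne 1 ]; then
        echo "expected exactly one elected master, found $m"; return 1
    fi
    echo "cluster formed: $n nodes, master=$master"
}

# Constructed sample, taken from the step 14 output on this page.
SAMPLE_NODES='ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.1.102 14 97 12 0.51 0.88 0.84 cdfhilmrstw - node01
192.168.1.103 15 96 22 0.97 1.00 0.48 cdfhilmrstw * node02
192.168.1.105 10 97 13 2.67 1.68 0.77 cdfhilmrstw - node03'

printf '%s\n' "$SAMPLE_NODES" | check_cluster_formed 3
# Against the live cluster (curl prompts for the password when it is omitted):
#   curl -s -u elastic 'http://192.168.1.102:19200/_cat/nodes?v' | check_cluster_formed 3
```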
8. Data verification
List indices:
curl -u elastic:elastic -X GET 'http://192.168.1.102:19200/_cat/indices?v'
Create an index and write data on node 1
Since ES 7 there is no longer a type concept; every type is represented as _doc
curl -u elastic:elastic -XPUT 'http://192.168.1.102:19200/db_customer'
curl -u elastic:elastic -H "Content-Type: application/json" -XPUT 'http://192.168.1.102:19200/db_customer/_doc/1' -d '{"name": "huangxueliang"}'
View the data
curl -u elastic:elastic -XGET 'http://192.168.1.102:19200/db_customer/_doc/1?pretty'
View the same document from the other nodes
curl -u elastic:elastic -XGET 'http://192.168.1.103:19200/db_customer/_doc/1?pretty'
curl -u elastic:elastic -XGET 'http://192.168.1.105:19200/db_customer/_doc/1?pretty'
######################Deploy Kibana#################################
Reference link:
https://www.cnblogs.com/hxlasky/p/16541304.html
Install it on only one of the nodes; I installed it on node 1