安装elasticsearch集群开启认证
## 节点:
172.30.1.101
172.30.1.131
172.30.1.102
## 下载rpm
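## Download the rpm together with its published .sha512 and verify it before installing;
## a failed check means the package is not the one Elastic published — do not continue.
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.12.0-x86_64.rpm
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.12.0-x86_64.rpm.sha512
sha512sum -c elasticsearch-7.12.0-x86_64.rpm.sha512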
# 安装elasticsearch
## 设置环境
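## Install the package and prepare the host (run on every node)
rpm -ivh elasticsearch-7.12.0-x86_64.rpm
## Disable swap now and keep it disabled across reboots
swapoff -a
sed -ri 's/.*swap.*/##&/' /etc/fstab
## File-descriptor / process limits for the elasticsearch user.
## NOTE(review): pam_limits applies to login sessions; the systemd unit shipped with the rpm carries
## its own LimitNOFILE/LimitNPROC — confirm with `systemctl show elasticsearch -p LimitNOFILE` after start.
cat > /etc/security/limits.d/elasticsearch.conf <<EOF
elasticsearch - nofile 65535
elasticsearch - nproc 4096
EOF
## TCP retry / keepalive tuning for the inter-node connections
echo "net.ipv4.tcp_retries2=5" >> /etc/sysctl.conf
echo "net.ipv4.tcp_keepalive_time = 600" >> /etc/sysctl.conf
echo "net.ipv4.tcp_keepalive_intvl = 60" >> /etc/sysctl.conf
echo "net.ipv4.tcp_keepalive_probes = 20" >> /etc/sysctl.conf
## Apply the sysctl changes now — appending to /etc/sysctl.conf alone only takes effect at the next boot
sysctl -p
## Data directory
mkdir -p /data/elasticsearch/es-data
## Log directory
mkdir -p /data/elasticsearch/logs
## JVM heap-dump directory
mkdir -p /data/elasticsearch/jvm
## Hand the tree to the service user and close it to other local users
## (heap dumps and logs can contain document contents).
chown -R elasticsearch:elasticsearch /data/elasticsearch
chmod 750 /data/elasticsearch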
# 分别配置3个节点配置信息
## 修改/etc/elasticsearch/jvm.options
vim /etc/elasticsearch/jvm.options
## 根据自己的服务器资源配置修改jvm内存(Xms与Xmx保持一致,一般不超过物理内存的一半)
-Xms8g
-Xmx8g
## 修改jvm数据路径
-XX:HeapDumpPath=/data/elasticsearch/jvm
## 修改jvm错误日志(ErrorFile)路径及JDK 8的GC日志路径
-XX:ErrorFile=/data/elasticsearch/logs/hs_err_pid%p.log
8:-Xloggc:/data/elasticsearch/logs/elasticsearch/gc.log
## 修改JDK 9+的GC日志路径(注意:上一行JDK 8的gc.log路径多了一层 elasticsearch/ 子目录,前面并未创建该目录,两处路径应保持一致)
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/data/elasticsearch/logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m
# 以下配置只需在172.30.1.101节点上执行
## 安全认证配置
cd /usr/share/elasticsearch
## 生成证书:
pass参数当前不设置密码(CA和节点证书均为空密码,私钥仅靠文件权限保护)。如设置密码,那么需要在每个节点上执行 bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password 导入密码;由于同一个p12文件也被用作truststore,还需同样导入 xpack.security.transport.ssl.truststore.secure_password。
## Create the CA (on 172.30.1.101 only). The .p12 holds the CA private key; with -pass "" it is
## protected by file permissions alone, so keep it owned by elasticsearch with mode 640 and do not
## spread it beyond the host that signs certificates.
## --days 36000 (~98 years) means the CA never needs renewal, but a leaked key stays valid just as long.
/usr/share/elasticsearch/bin/elasticsearch-certutil ca -out /etc/elasticsearch/elastic-ca.p12 --days 36000 -pass ""
## Issue the node certificate: one .p12 used as both keystore and truststore on all three nodes.
## No --dns/--ip SANs are given, so transport verification_mode must stay "certificate" (not "full").
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/elastic-ca.p12 -out /etc/elasticsearch/elastic-certificates.p12 --days 36000 -pass ""
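## Copy the certificates to the other two nodes' /etc/elasticsearch/ (run on 172.30.1.101).
## elastic-ca.p12 contains the CA *private key*. In this runbook only 172.30.1.101 signs certificates
## and the other nodes' elasticsearch.yml references elastic-certificates.p12 alone, so the two CA
## copies are optional — skip them unless those nodes will sign certificates themselves.
scp /etc/elasticsearch/elastic-ca.p12 root@172.30.1.131:/etc/elasticsearch/
scp /etc/elasticsearch/elastic-ca.p12 root@172.30.1.102:/etc/elasticsearch/
scp /etc/elasticsearch/elastic-certificates.p12 root@172.30.1.131:/etc/elasticsearch/
scp /etc/elasticsearch/elastic-certificates.p12 root@172.30.1.102:/etc/elasticsearch/
## Ownership and mode, on every node. Both files contain private keys: readable by the elasticsearch
## service user only (640), never 777 — and do not rely on the mode bits scp carried across.
for node in 172.30.1.131 172.30.1.102; do
  ssh root@${node} 'chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-ca.p12 /etc/elasticsearch/elastic-certificates.p12 && chmod 640 /etc/elasticsearch/elastic-ca.p12 /etc/elasticsearch/elastic-certificates.p12'
done
chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-ca.p12 /etc/elasticsearch/elastic-certificates.p12
chmod 640 /etc/elasticsearch/elastic-ca.p12 /etc/elasticsearch/elastic-certificates.p12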
##--------------------------------------------------------------------------
## Generate the HTTP-layer certificate with the certutil http wizard, run from the Elasticsearch
## install directory on 172.30.1.101.
cd /usr/share/elasticsearch/
## Interactive mode — the answers given are recorded in the walkthrough that follows.
./bin/elasticsearch-certutil http
## NOTE(review): --pem/--ca/--dns/--ip are options of the `cert`/`csr` modes; whether `http` mode
## accepts them is not shown here — if this non-interactive form is rejected, use the interactive
## command above. Also, --dns is for DNS names; IP addresses belong in --ip (already listed there).
bin/elasticsearch-certutil http --pem -ca /etc/elasticsearch/elastic-ca.p12 --dns 172.30.1.101,172.30.1.102,172.30.1.131 --ip 172.30.1.101,172.30.1.102,172.30.1.131
该命令生成一个.zip文件,其中包含要与Elasticsearch和Kibana一起使用的证书和密钥。每个文件夹都包含有关README.txt 如何使用这些文件的说明。
当询问您是否要生成CSR时,输入n。 N
当系统询问您是否要使用现有的CA时,请输入y。Y
输入您的CA的路径。这是elastic-stack-ca.p12为群集生成的文件的绝对路径。 /etc/elasticsearch/elastic-ca.p12
输入您的CA的密码。
输入证书的过期值。您可以输入年,月或日的有效期。例如,输入90D90天。 99y
当询问您是否要为每个节点生成一个证书时,输入y。 N 输入N跳过下一条
每个证书将具有其自己的私钥,并将针对特定的主机名或IP地址颁发。 ····
出现提示时,输入集群中第一个节点的名称。使用与生成节点证书时使用的节点名称相同的名称。 k8s-master01
输入用于连接到第一个节点的所有主机名。这些主机名将作为DNS名称添加到证书的"使用者备用名称(SAN)"字段中。 172.30.1.131
列出用于通过HTTPS连接到群集的每个主机名和变体。172.30.1.131
输入客户端可用于连接到您的节点的IP地址。 172.30.1.131 (注意:上面选择了不为每个节点单独生成证书,即三个节点共用一张证书,因此这里应把 172.30.1.101、172.30.1.131、172.30.1.102 全部填入,否则做主机名校验的客户端连接其他两个节点时会失败)
对集群中的每个其他节点重复这些步骤。
## 生成的elasticsearch-ssl-http.zip 解压后包含 /elasticsearch 与 /kibana 两个目录(http.p12 在前者中):
/elasticsearch
|_ README.txt
|_ http.p12
|_ sample-elasticsearch.yml
/kibana
|_ README.txt
|_ elasticsearch-ca.pem
|_ sample-kibana.yml
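## Unpack elasticsearch-ssl-http.zip (written by the certutil http wizard into /usr/share/elasticsearch)
unzip /usr/share/elasticsearch/elasticsearch-ssl-http.zip
## http.p12 (HTTP-layer private key + certificate) goes next to the transport keystore in /etc/elasticsearch
mv /usr/share/elasticsearch/elasticsearch/http.p12 /etc/elasticsearch/http.p12
## One certificate was generated for all nodes and every node enables HTTP TLS, so each node needs
## its own copy. The file holds a private key: service user only, never world-readable.
for node in 172.30.1.131 172.30.1.102; do
  scp /etc/elasticsearch/http.p12 root@${node}:/etc/elasticsearch/
  ssh root@${node} 'chown elasticsearch:elasticsearch /etc/elasticsearch/http.p12 && chmod 640 /etc/elasticsearch/http.p12'
done
chown elasticsearch:elasticsearch /etc/elasticsearch/http.p12
chmod 640 /etc/elasticsearch/http.p12
## elasticsearch-ca.pem is the CA *certificate* only (no key): ship it to every Kibana / Metricbeat host
## under /etc/metricbeat so those clients can verify the cluster's HTTP certificate.
mv /usr/share/elasticsearch/kibana/elasticsearch-ca.pem /etc/metricbeat
#scp /etc/metricbeat/elasticsearch-ca.pem root@{hostname}:/root/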
# 修改三个节点/etc/elasticsearch/elasticsearch.yml
vim /etc/elasticsearch/elasticsearch.yml
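# Cluster name: every node of one cluster uses the same value; it also keeps clusters on a shared
# network segment apart.
cluster.name: nc-es-cluster
# Node name: unique per node (master01 / master02 / master03, matching cluster.initial_master_nodes)
node.name: master01
# Master-eligible
node.master: true
# Holds data
node.data: true
# Max nodes allowed to share this host's data path — not the cluster size; deprecated in 7.x
node.max_local_storage_nodes: 3
# Data directory
path.data: /data/elasticsearch/es-data
# Log directory
path.logs: /data/elasticsearch/logs
# Bind/publish address of this node (differs per node). 0.0.0.0 would bind every interface;
# a single address keeps the listeners off interfaces that do not need them.
network.host: 172.30.1.101
# HTTP (REST) port — the Elasticsearch default is 9200; 10092 is this cluster's custom port
http.port: 10092
# Transport (node-to-node) port
transport.tcp.port: 10093
# Seed hosts for discovery
discovery.seed_hosts: ["172.30.1.101:10093", "172.30.1.131:10093", "172.30.1.102:10093"]
# Bootstrap the first master election when the cluster forms for the first time
cluster.initial_master_nodes: ["master01", "master02", "master03"]
# CORS for the head browser plugin. "*" accepts requests from any origin; narrow it to the origin
# that actually serves the head UI once that is known. allow-headers replaces the default list
# rather than extending it — add Content-Type here if the UI's POST preflight fails.
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
# Security + transport TLS. verification_mode "certificate" is the right choice here because the
# node certificate was issued without DNS/IP SANs, so "full" hostname checks could not pass.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
# HTTP TLS. http.p12 was unpacked from elasticsearch-ssl-http.zip into /etc/elasticsearch — not
# /etc/metricbeat, which only exists on hosts running Metricbeat; every node needs its own copy.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/http.p12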
#如有设置证书密码则需要添加到Elasticsearch中的安全设置中。
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
##---------------------------------------------------------
## Start Elasticsearch on every node (101, 131, 102)
systemctl start elasticsearch
systemctl enable elasticsearch
cd /usr/share/elasticsearch
## Set the built-in user passwords — run ONCE, on one node, after all three nodes have joined
## (the tool writes to the .security index). It can only be run once per cluster; later changes go
## through the security API or Kibana. The tool reads elasticsearch.yml for the HTTPS endpoint;
## if it cannot connect, pass --url https://172.30.1.101:10092 explicitly.
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
密码:YunLi@2021
项目el密码:YunLizh!77el@2021
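## Check cluster membership. Pass only the user name: curl prompts for the password, so it is not
## written to shell history or visible in `ps`. --cacert verifies the node against the cluster CA
## (the PEM placed under /etc/metricbeat on this host) instead of -k or the system trust store;
## hostname verification requires 172.30.1.101 among the http certificate's SANs.
curl -u elastic --cacert /etc/metricbeat/elasticsearch-ca.pem 'https://172.30.1.101:10092/_cat/nodes?v'
## Check cluster health
curl -u elastic --cacert /etc/metricbeat/elasticsearch-ca.pem 'https://172.30.1.101:10092/_cluster/health?pretty'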
https://es.yunlizhihui.com:10092
# 安装kibana
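## Import Elastic's package-signing key and verify the rpm's signature before installing
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
rpm -K kibana-7.12.0-x86_64.rpm
yum install kibana-7.12.0-x86_64.rpm
## Start and enable the service. kibana.yml, the server certificate and the keystore are configured
## further below, so run `systemctl restart kibana` once that is done (or defer the start until then).
systemctl start kibana
systemctl enable kibana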
## kibana和浏览器的https设置
##为Kibana生成服务器证书和私钥
./bin/elasticsearch-certutil csr -name kibana-server -dns 域名
### 生成csr-bundle.zip
### 解压缩csr-bundle.zip文件以获得kibana-server.csr未签名的安全证书和kibana-server.key未加密的私钥。
### 将kibana-server.csr证书签名请求发送到您的内部CA或受信任的CA进行签名以获得签名的证书。签名文件可以在不同的格式,比如.crt像文件kibana-server.crt。
### 打开kibana.yml并添加以下行,以配置Kibana访问服务器证书和未加密的私钥
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana-server.crt
server.ssl.key: /etc/kibana/kibana-server.key
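## Sign a Kibana server certificate with the local CA (run on 172.30.1.101).
## --ip adds the address browsers connect to (https://172.30.1.101:10056) as a SAN — browsers reject a
## certificate whose SANs do not cover the address used; add --dns <kibana-hostname> too if Kibana is
## reached by name. --pem writes a zip bundle, which must be unpacked before the files can be moved.
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/elastic-ca.p12 -name kibana-server --days 36000 --pem --ip 172.30.1.101 --out /usr/share/elasticsearch/kibana-server.zip
unzip -o /usr/share/elasticsearch/kibana-server.zip -d /usr/share/elasticsearch
## Move the certificate and the (unencrypted) private key into /etc/kibana; the key is readable by
## the kibana service user only.
mv /usr/share/elasticsearch/kibana-server/kibana-server.crt /etc/kibana/
mv /usr/share/elasticsearch/kibana-server/kibana-server.key /etc/kibana/
chown kibana:kibana /etc/kibana/kibana-server.crt /etc/kibana/kibana-server.key
chmod 644 /etc/kibana/kibana-server.crt
chmod 600 /etc/kibana/kibana-server.key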
## 修改配置
vi /etc/kibana/kibana.yml
# Kibana's own TLS endpoint: https://172.30.1.101:10056
server.port: 10056
server.host: "172.30.1.101"
# Cluster endpoints are HTTPS and are verified against the cluster CA configured below
elasticsearch.hosts: ["https://172.30.1.101:10092", "https://172.30.1.131:10092", "https://172.30.1.102:10092"]
# Browser-facing TLS: certificate signed by the local CA, so browsers warn unless they trust that CA
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana-server.crt
server.ssl.key: /etc/kibana/kibana-server.key
# CA that signed the cluster's http.p12 (the PEM unpacked from elasticsearch-ssl-http.zip).
# verificationMode "certificate" checks the chain but not host names; "full" would also require
# every node address among the http certificate's SANs.
elasticsearch.ssl.certificateAuthorities: [ "/etc/metricbeat/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate
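## Store the Kibana -> Elasticsearch credentials in the Kibana keystore rather than in kibana.yml,
## so the password is not kept in a plain-text config file. Values to enter at the prompts:
##   elasticsearch.username -> kibana_system
##   elasticsearch.password -> the kibana_system password chosen in elasticsearch-setup-passwords
## Do not also set elasticsearch.username / elasticsearch.password in kibana.yml.
/usr/share/kibana/bin/kibana-keystore add elasticsearch.username
/usr/share/kibana/bin/kibana-keystore add elasticsearch.password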
## 访问地址
https://172.30.1.101:10056
账号:elastic
密码:YunLi@2021
# 安装监控metricbeat
## Enable the mysql module (run on each Metricbeat host)
metricbeat modules enable mysql
## Export the index template for reference.
## NOTE(review): /etc/elasticsearch is the Elasticsearch config dir; Metricbeat's config lives in
## /etc/metricbeat — the cd target looks like a slip, though the export itself works from anywhere.
cd /etc/elasticsearch/
/usr/share/metricbeat/bin/metricbeat export template > ./metricbeat.template.json
## Credentials
## Create the Metricbeat keystore so the Elasticsearch password does not sit in metricbeat.yml
metricbeat keystore create
## Add the password under the key name "elastic" — metricbeat.yml references it as ${elastic};
## the value entered at the prompt is the password of the user set in output.elasticsearch.
metricbeat keystore add elastic
## metricbeat keystore add kibana
## List the stored keys
metricbeat keystore list
## 配置metricbeat
## 修改/etc/elasticsearch/metricbeat.yml文件以下内容(rpm安装的metricbeat配置文件默认在 /etc/metricbeat/metricbeat.yml,此处路径疑为笔误)
##--------------------------------------------------------------------------------------------------------------
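# Kibana endpoint used for dashboard setup; verified against the cluster CA
setup.kibana:
  host: "https://172.30.1.101:10056"
  ssl:
    certificate_authorities: ["/etc/metricbeat/elasticsearch-ca.pem"]
    verification_mode: "certificate"

# Metricbeat's own stats endpoint (binds to localhost unless http.host is set)
http.enabled: true
http.port: 10057

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.30.1.131:10092", "172.30.1.101:10092", "172.30.1.102:10092"]
  # A custom index name needs setup.template.name/pattern (Metricbeat refuses to start without them)
  # and is ignored while ILM is enabled — hence the setup.* keys at the end of this file.
  index: "ali-dev-%{+yyyy.MM.dd}"
  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  # Authentication credentials - either API key or username/password.
  # The password is read from the Metricbeat keystore (key "elastic"), not stored in this file.
  # NOTE(review): "elastic" is the superuser; a dedicated user limited to writing ali-dev-* would
  # bound the damage if this host or its keystore were compromised.
  username: "elastic"
  password: "${elastic}"
  ssl:
    certificate_authorities: ["/etc/metricbeat/elasticsearch-ca.pem"]
    verification_mode: "certificate"

# Required companions of output.elasticsearch.index (values derived from the ali-dev- prefix above)
setup.template.name: "ali-dev"
setup.template.pattern: "ali-dev-*"
setup.ilm.enabled: false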
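## Validate the config and the TLS/auth path to the cluster before starting the service
metricbeat test config
metricbeat test output
## Start and enable the service
systemctl start metricbeat
systemctl enable metricbeat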
grafana
yunli@123gr
setup.dashboards.index
logstash创建秘钥
## Create the Logstash keystore; --path.settings points at the rpm's config dir so the keystore is
## created alongside logstash.yml, where the service looks for it.
cd /etc/logstash
/usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create