CentOS 7 Elasticsearch 7.8 cluster: X-Pack authentication and TLS-encrypted transport inside the cluster
Introduction
In a default Elasticsearch deployment neither the traffic between cluster nodes nor client access to the cluster requires any authentication: anyone who can reach the HTTP port can read the cluster's data directly.
That offers essentially no security guarantee, so this deployment sets up X-Pack security authentication.
It is not only the client-facing port 9200 that needs authentication; the node-to-node traffic on the cluster port 9300 needs protection as well. Here a self-signed PKCS#12 certificate is used to encrypt transport communication inside the cluster.
Note: X-Pack is a commercial component, but the basic security features (TLS, file and native realm authentication, role-based access control) are included in the free Basic license since 6.8 / 7.1, so there is no licensing concern in using them.
Caveat: this guide enables TLS on the transport layer (9300) only. The HTTP layer (9200) stays plaintext, so the basic-auth credentials used at the end travel unencrypted; enable xpack.security.http.ssl too (or put a TLS-terminating proxy in front) before exposing 9200 beyond a trusted network.
Environment
OS version | Hostname | IP | ES version | ES client port (HTTP) | ES cluster port (transport) |
---|---|---|---|---|---|
CentOS 7.5 | node02 | 10.0.20.22 | 7.8 | 9200 | 9300 |
CentOS 7.5 | node03 | 10.0.20.23 | 7.8 | 9200 | 9300 |
CentOS 7.5 | node04 | 10.0.20.24 | 7.8 | 9200 | 9300 |
Installation
Current Elasticsearch tarballs bundle a JDK, so unlike older versions there is no need to install a JDK separately, which makes things much easier.
Official download: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz
Raise the file descriptor and process limits (the Elasticsearch bootstrap checks require at least 65535 open files and vm.max_map_count of at least 262144):
cat >> /etc/security/limits.conf <<EOF
* hard nofile 65536
* soft nofile 65536
* hard nproc 5000
* soft nproc 5000
EOF
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
sysctl -p
Configure hostname resolution
Configure /etc/hosts on all nodes:
cat >> /etc/hosts <<EOF
10.0.20.22 node02
10.0.20.23 node03
10.0.20.24 node04
EOF
Install
useradd -s /sbin/nologin -M elasticsearch
cd /opt/
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz
tar xf elasticsearch-7.8.0-linux-x86_64.tar.gz
ln -s /opt/elasticsearch-7.8.0 /opt/elasticsearch
ll /opt/
# total 0
# lrwxrwxrwx 1 root root 24 Jul 7 23:52 elasticsearch -> /opt/elasticsearch-7.8.0
# drwxr-xr-x 9 root root 155 Jun 15 03:38 elasticsearch-7.8.0
Create the data and log directories. The systemd unit below runs Elasticsearch as the elasticsearch user, so the whole /opt/elasticsearch-7.8.0 tree (these directories, config/, and the certs and keystore placed there later) must be owned by that user; the listing above shows it is still owned by root after extraction.
mkdir /opt/elasticsearch/{data,logs} -p
systemd unit (the original does not say where it is written; /etc/systemd/system/elasticsearch.service followed by systemctl daemon-reload is assumed here):
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
RuntimeDirectory=elasticsearch
Environment=ES_HOME=/opt/elasticsearch
# The original carried the unexpanded packaging placeholder ${path.conf} here; EnvironmentFile below overrides it anyway
Environment=ES_PATH_CONF=/opt/elasticsearch/config
Environment=PID_DIR=/opt/elasticsearch
EnvironmentFile=-/opt/elasticsearch/config/elasticsearch
WorkingDirectory=/opt/elasticsearch
User=elasticsearch
Group=elasticsearch
ExecStart=/opt/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# the elasticsearch logging system is initialized. Elasticsearch
# writes its own logs to path.logs (/opt/elasticsearch/logs here)
# and does not use journalctl by default. If you also want journalctl
# logging, remove the "--quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
Generating the PKCS#12 certificates
Certificates only need to be issued on node02.
The official documentation describes two ways to create cluster certificates:
- run elasticsearch-certutil once per instance and create each certificate individually
- use the silent mode of elasticsearch-certutil, which reads an instances file and creates all certificates in one run
The simpler silent mode is used here.
Change into the ES directory:
cd /opt/elasticsearch
Create the instances.yml file the tool needs (see the official cluster-certificate documentation for the full format):
cat >instances.yml<<EOF
instances:
  - name: "node02"
    ip:
      - "10.0.20.22"
  - name: "node03"
    ip:
      - "10.0.20.23"
  - name: "node04"
    ip:
      - "10.0.20.24"
EOF
Note: name is the instance name; it becomes the directory and file name inside the output archive and the CN of that node's certificate. Only IP SANs are listed, so the nodes must address each other by these IPs (which the discovery settings below do); add a dns: list with the hostnames if peers are ever referenced by name, because the default transport verification_mode (full) checks the peer address against the certificate's SANs.
Then run
bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword
Note: the value after --pass is the password protecting the PKCS#12 file; it is needed in the cluster configuration later, so keep it. Omitting --pass makes the tool prompt for the password instead of leaving it in the shell history. Because no --ca is given, certutil creates a fresh CA for this run, signs all three node certificates with it and does not keep the CA private key; pass --keep-ca-key, or create the CA first with elasticsearch-certutil ca and hand it to cert with --ca, if more nodes will need certificates from the same CA later.
After the command finishes, a test1.zip archive is created in /opt/elasticsearch/; unzipping it yields:
[root@node02 elasticsearch]# ls test1.zip
test1.zip
[root@node02 elasticsearch]# unzip test1.zip
Archive: test1.zip
creating: node02/
inflating: node02/node02.p12
creating: node03/
inflating: node03/node03.p12
creating: node04/
inflating: node04/node04.p12
Then copy each directory to the matching server. The configuration below references the keystore as certs/<node>.p12 relative to the config directory, so each file must end up directly at /opt/elasticsearch/config/certs/<node>.p12. On node02 the mv below does exactly that (config/certs does not exist yet, so the node02 directory is renamed to certs). The rsync calls, however, copy the directory itself: the transfer listing shows the file landing at config/certs/node03/node03.p12 (and node04/node04.p12), one level too deep for the config, so on node03 and node04 move the .p12 up into config/certs/ afterwards, or put a trailing slash on the rsync source (node03/) to copy the contents rather than the directory. Finally make the certs directory and the .p12 owned by the elasticsearch user and readable by it only, since the file contains the node's private key:
mv node02 config/certs
[root@node02 elasticsearch]# rsync -avz node03 10.0.20.23:/opt/elasticsearch/config/certs
root@10.0.20.23's password:
sending incremental file list
created directory /opt/elasticsearch/config/certs
node03/
node03/node03.p12
sent 3,556 bytes received 93 bytes 1,459.60 bytes/sec
total size is 3,455 speedup is 0.95
[root@node02 elasticsearch]# rsync -avz node04 10.0.20.24:/opt/elasticsearch/config/certs
root@10.0.20.24's password:
sending incremental file list
created directory /opt/elasticsearch/config/certs
node04/
node04/node04.p12
sent 3,565 bytes received 93 bytes 1,463.20 bytes/sec
total size is 3,455 speedup is 0.94
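The same issuance and distribution, as an added example script that is not part of the original post: it keeps one CA (es-ca.p12, an assumed file name) so nodes added later can be signed by it, gives every instance both an IP and a DNS SAN, and copies each .p12 to config/certs/<node>.p12 with owner-only permissions. It assumes ES_HOME=/opt/elasticsearch on every node, root ssh access to the node IPs from the table, and the CA_PASS / P12_PASS environment variables; invoke it as ./issue-certs.sh run (without the argument it only defines the functions).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): issue per-node PKCS#12 keystores
# from one reusable CA and place each at config/certs/<node>.p12 on its node.
# Assumptions: ES_HOME=/opt/elasticsearch on every node, root ssh to each IP,
# CA_PASS and P12_PASS exported by the operator.
set -eu

ES_HOME=${ES_HOME:-/opt/elasticsearch}
CA_FILE=${CA_FILE:-$ES_HOME/es-ca.p12}      # assumed name for the kept CA
# Constructed node list ("name ip" per line), matching the environment table.
NODES="node02 10.0.20.22
node03 10.0.20.23
node04 10.0.20.24"

# Render instances.yml from "name ip" lines on stdin. Each instance gets an IP
# and a DNS SAN, so verification_mode: full (the default) succeeds whether
# peers are addressed by IP or by hostname.
render_instances() {
    printf 'instances:\n'
    while read -r name ip; do
        [ -n "$name" ] || continue
        printf '  - name: "%s"\n    ip:\n      - "%s"\n    dns:\n      - "%s"\n' "$name" "$ip" "$name"
    done
}

# Absolute path the keystore must have on its node for the setting
# "xpack.security.transport.ssl.keystore.path: certs/<name>.p12".
keystore_dest() {
    printf '%s/config/certs/%s.p12\n' "$ES_HOME" "$1"
}

issue_certs() {
    # Create the CA once and keep it, instead of letting "cert" generate and
    # discard a throw-away CA on every run.
    [ -f "$CA_FILE" ] || "$ES_HOME/bin/elasticsearch-certutil" ca --silent --out "$CA_FILE" --pass "$CA_PASS"
    printf '%s\n' "$NODES" | render_instances > "$ES_HOME/instances.yml"
    "$ES_HOME/bin/elasticsearch-certutil" cert --silent \
        --in "$ES_HOME/instances.yml" --out "$ES_HOME/certs.zip" \
        --ca "$CA_FILE" --ca-pass "$CA_PASS" --pass "$P12_PASS"
    rm -rf "$ES_HOME/certs-out"
    mkdir "$ES_HOME/certs-out"
    unzip -q "$ES_HOME/certs.zip" -d "$ES_HOME/certs-out"   # yields <name>/<name>.p12
}

distribute() {
    printf '%s\n' "$NODES" | while read -r name ip; do
        [ -n "$name" ] || continue
        dest=$(keystore_dest "$name")
        dir=$(dirname "$dest")
        ssh "root@$ip" "mkdir -p $dir"
        # Copy the file itself, not its directory, so it lands at certs/<name>.p12.
        rsync -az "$ES_HOME/certs-out/$name/$name.p12" "root@$ip:$dest"
        # The .p12 holds the node's private key: service user only.
        ssh "root@$ip" "chown -R elasticsearch:elasticsearch $dir && chmod 700 $dir && chmod 600 $dest"
    done
}

if [ "${1:-}" = run ]; then
    : "${CA_PASS:?set CA_PASS}" "${P12_PASS:?set P12_PASS}"
    issue_certs
    distribute
fi
```

Keep es-ca.p12 off the nodes (only node02, or better an offline location) and back it up: whoever holds it can mint a certificate that any node will accept as a cluster peer.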
Configuration
Notes that apply to all three node configs below: the heredoc must be written with <<EOF (a single <EOF would try to read a file named EOF); transport.tcp.port and transport.tcp.compress are the pre-7.0 names, replaced by transport.port and transport.compress (7.8 still accepts the old names with a deprecation warning); discovery.zen.minimum_master_nodes has no effect in 7.x, where the cluster manages its own voting configuration after cluster.initial_master_nodes bootstraps the first master election, so it is dropped (the original set it to 2 on node02 and 1 on the others). cluster.initial_master_nodes also accepts node names (node02, node03, node04), which the 7.x documentation recommends over addresses. Keystore and truststore point at the same .p12, which holds the node key, its certificate and the CA certificate, so each node trusts exactly the CA that issued the cluster's certificates; the certificates carry only IP SANs, and with the default verification_mode: full the peer address must match a SAN, which works because seed_hosts and publish_host use the same IPs. Each .p12 must sit at config/certs/<node>.p12.
node02 configuration:
cat > /opt/elasticsearch/config/elasticsearch.yml <<EOF
cluster.name: es-cluster
node.name: node02
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
# bond0 is the interface name in the author's environment; use your own interface or the node IP
network.host: _bond0_
transport.host: _bond0_
network.publish_host: 10.0.20.22
http.port: 9200
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
cluster.initial_master_nodes: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
# X-Pack security: authentication on, TLS on the transport layer
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/node02.p12
xpack.security.transport.ssl.truststore.path: certs/node02.p12
EOF
echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch
node03 configuration:
cat > /opt/elasticsearch/config/elasticsearch.yml <<EOF
cluster.name: es-cluster
node.name: node03
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
# bond0 is the interface name in the author's environment; use your own interface or the node IP
network.host: _bond0_
transport.host: _bond0_
network.publish_host: 10.0.20.23
http.port: 9200
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
cluster.initial_master_nodes: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
# X-Pack security: authentication on, TLS on the transport layer
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/node03.p12
xpack.security.transport.ssl.truststore.path: certs/node03.p12
EOF
echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch
node04 configuration:
cat > /opt/elasticsearch/config/elasticsearch.yml <<EOF
cluster.name: es-cluster
node.name: node04
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
# bond0 is the interface name in the author's environment; use your own interface or the node IP
network.host: _bond0_
transport.host: _bond0_
network.publish_host: 10.0.20.24
http.port: 9200
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
cluster.initial_master_nodes: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
# X-Pack security: authentication on, TLS on the transport layer
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/node04.p12
xpack.security.transport.ssl.truststore.path: certs/node04.p12
EOF
echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch
Differences on ARM
Note: on an ARM Kylin v4 system two extra settings are required:
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
bootstrap.system_call_filter: false turns off the seccomp system-call filter that Elasticsearch installs at startup to stop the JVM from forking or executing other programs. The bootstrap check fails on platforms where the filter cannot be installed, which is why it is disabled there, but doing so removes a defense-in-depth layer, so only set it on nodes that actually fail that check.
Store the PKCS#12 password in the keystore on all nodes
Every node must run the commands below.
Create the keystore file
./bin/elasticsearch-keystore create
Both of the following commands prompt for the password that was given (--pass) when the PKCS#12 file was generated:
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Run them as the elasticsearch user, or chown config/elasticsearch.keystore to that user afterwards: the service must be able to read the file, and because it holds the password to the node's private key it must not be readable by anyone else.
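A pre-start check, added here and not part of the original post, that reads a node's elasticsearch.yml and confirms that the keystore and truststore it names exist at the path Elasticsearch will resolve (catching the one-directory-too-deep rsync result from the certificate step), are owned by the service account and are not readable by others, and, when the elasticsearch-keystore binary is present next to the config directory, that both secure_password entries exist. It assumes the layout above (config under ES_HOME, service user elasticsearch); run it as ./check-tls.sh /opt/elasticsearch/config on each node before systemctl start.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-start validation of the TLS
# material referenced by elasticsearch.yml. Assumes the config directory lives
# under ES_HOME (so ../bin/elasticsearch-keystore is the keystore tool) and
# that the service runs as "elasticsearch" unless another user is given.
set -eu

# Value of a top-level "key: value" setting in an elasticsearch.yml.
yml_get() { # yml_get <file> <key>
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Resolve keystore/truststore paths the way Elasticsearch does: relative
# paths are relative to the config directory.
resolve_path() { # resolve_path <config_dir> <path>
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Check one config directory. Prints one line per finding and returns 0 only
# when every check passes.
check_tls_config() { # check_tls_config <config_dir> [service_user]
    cfg=$1; user=${2:-elasticsearch}; rc=0
    yml=$cfg/elasticsearch.yml
    [ "$(yml_get "$yml" xpack.security.enabled)" = true ] || { echo "FAIL: xpack.security.enabled is not true"; rc=1; }
    [ "$(yml_get "$yml" xpack.security.transport.ssl.enabled)" = true ] || { echo "FAIL: transport TLS is not enabled"; rc=1; }
    for key in xpack.security.transport.ssl.keystore.path xpack.security.transport.ssl.truststore.path; do
        rel=$(yml_get "$yml" "$key")
        if [ -z "$rel" ]; then echo "FAIL: $key is not set"; rc=1; continue; fi
        f=$(resolve_path "$cfg" "$rel")
        if [ ! -f "$f" ]; then
            echo "FAIL: $key -> $f does not exist (is the .p12 one directory too deep?)"; rc=1; continue
        fi
        owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$owner" = "$user" ] || { echo "FAIL: $f is owned by $owner but the service runs as $user"; rc=1; }
        case $mode in
            600|400) ;;
            *) echo "FAIL: $f has mode $mode, expected 600 (it contains the private key)"; rc=1 ;;
        esac
    done
    # Only consult the keystore when the tool is actually installed here.
    if [ -x "$cfg/../bin/elasticsearch-keystore" ]; then
        for key in xpack.security.transport.ssl.keystore.secure_password xpack.security.transport.ssl.truststore.secure_password; do
            "$cfg/../bin/elasticsearch-keystore" list | grep -qx "$key" \
                || { echo "FAIL: $key is missing from elasticsearch.keystore"; rc=1; }
        done
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    check_tls_config "$@"
fi
```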
Create the same user with the same password on every ES node
Command: ./bin/elasticsearch-users useradd username -p password -r superuser
-r assigns the role; superuser is the built-in role with full access. elasticsearch-users manages the file realm, whose users and role mappings are kept per node in config/users and config/users_roles, which is why the identical command has to be run on every node (the native realm, managed through the security API once the cluster is up, is stored in the cluster and does not need this). Leaving out -p makes the tool prompt for the password instead of recording it in shell history, and for day-to-day clients a role limited to the needed index privileges is preferable to superuser.
./bin/elasticsearch-users useradd test -p password123 -r superuser
Start and check
Start elasticsearch on all nodes:
systemctl start elasticsearch
Check (the same request without -u should now be rejected with HTTP 401):
[root@node03 elasticsearch]# curl -utest:password123 10.0.20.23:9200
{
"name" : "node03",
"cluster_name" : "es-cluster",
"cluster_uuid" : "e6TnuPWdQ8Wct5HMH-GAsg",
"version" : {
"number" : "7.8.0",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
"build_date" : "2020-06-14T19:35:50.234439Z",
"build_snapshot" : false,
"lucene_version" : "8.5.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
[root@node02 elasticsearch]# curl -utest:password123 10.0.20.22:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.20.22 42 92 1 0.00 0.04 0.12 dilmrt * node02
10.0.20.23 63 89 1 0.10 0.16 0.19 dilmrt - node03
10.0.20.24 39 89 20 0.52 0.61 0.28 dilmrt - node04
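An added verification script (not from the original post) that checks what the manual curl above does not: that an unauthenticated request is rejected with 401, that the file-realm credentials yield 200, that the transport port presents a certificate whose SAN matches the node IP (openssl s_client, which prints the chain the server offered), and that _cat/nodes shows every node under a single elected master. It assumes the test / password123 user and the IPs from the table, and curl plus OpenSSL 1.1.1 or newer on the checking host; run it as ./verify-es.sh 10.0.20.22 10.0.20.23 10.0.20.24.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): external checks that security
# is really enforced on running nodes. Assumes the "test" user created above
# (override with CRED=user:pass) and plaintext HTTP on 9200 as configured.
set -eu

# HTTP status code for a request; curl prints "000" when the connection fails.
http_code() { # http_code <url> [user:pass]
    if [ $# -ge 2 ]; then
        curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# Summarize _cat/nodes?v output from stdin as "<node count> <master name>",
# so a caller can assert all nodes joined and exactly one master was elected.
summarize_cat_nodes() {
    awk 'NR > 1 && NF >= 9 { n++; if ($(NF-1) == "*") m = $NF } END { printf "%d %s\n", n, m }'
}

# Print the subjectAltName extension of the certificate served on the
# transport port. openssl x509 reads the first certificate of the chain.
transport_sans() { # transport_sans <ip> [port]
    openssl s_client -connect "$1:${2:-9300}" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName
}

verify_node() { # verify_node <ip> <user:pass>
    ip=$1; cred=$2; rc=0
    anon=$(http_code "http://$ip:9200/")
    auth=$(http_code "http://$ip:9200/" "$cred")
    [ "$anon" = 401 ] || { echo "FAIL $ip: unauthenticated request got $anon, expected 401"; rc=1; }
    [ "$auth" = 200 ] || { echo "FAIL $ip: authenticated request got $auth, expected 200"; rc=1; }
    transport_sans "$ip" | grep -qF "IP Address:$ip" \
        || { echo "FAIL $ip: transport certificate has no SAN for $ip"; rc=1; }
    [ "$rc" = 0 ] && echo "OK   $ip: 401 anonymous, 200 authenticated, SAN matches"
    return $rc
}

if [ $# -ge 1 ]; then
    cred=${CRED:-test:password123}
    status=0
    for ip in "$@"; do verify_node "$ip" "$cred" || status=1; done
    # Expect "<number of IPs given> <master>" from the first node's view.
    curl -s -u "$cred" "http://$1:9200/_cat/nodes?v" | summarize_cat_nodes
    exit $status
fi
```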