centos8.2 elasticsearch7.11.1 kibana安装 失败
1. 下载elasticsearch
curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.11.1-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.11.1-linux-x86_64.tar.gz cd elasticsearch-7.11.1 ./bin/elasticsearch
2.启动elasticsearch
2.1 创建专用用户组和用户,root无法启动
groupadd es useradd esuser -g es passwd esuser
2.2更改文件夹及内部文件的所属用户及组
chown -R esuser:es /usr/local/elasticsearch-7.11.1
2.3 切换用户 到esuser
su esuser
2.4 elasticsearch 配置
vim /usr/local/elasticsearch-7.11.1/config/elasticsearch.yml
添加两行,注意:冒号后面要带一个空格
network.host: 0.0.0.0
cluster.initial_master_nodes: ["node-1"]
2.5 设置elasticsearch用户拥有的内存权限,至少需要262144
su root
vim /etc/sysctl.conf
末尾添加一行:
vm.max_map_count=262144
/sbin/sysctl -p
2.6 jvm内存调小一些
vim /usr/local/elasticsearch-7.11.1/config/jvm.options
新增两行,将内存调整至512m
-Xms512m
-Xmx512m
2.7 自定义管理脚本
vim /etc/init.d/elasticsearch在其中输入下方的脚本代码
#chkconfig: 2345 80 90
#description:elasticsearch
export ES_HOME=/usr/local/elasticsearch-7.11.1
case $1 in
start)
su esuser<<!
cd $ES_HOME
./bin/elasticsearch -d -p pid
exit
!
echo "elasticsearch is started"
;;
stop)
pid=`cat $ES_HOME/pid`
kill -9 $pid
echo "elasticsearch is stopped"
;;
restart)
pid=`cat $ES_HOME/pid`
kill -9 $pid
echo "elasticsearch is stopped"
sleep 1
su esuser<<!
cd $ES_HOME
./bin/elasticsearch -d -p pid
exit
!
echo "elasticsearch is started"
;;
*)
echo "start|stop|restart"
;;
esac
exit 0
#在命令行执行下面命令,赋予脚本执行权限
chmod +x elasticsearch
命令:
#启动 /etc/init.d/elasticsearch start #停止 /etc/init.d/elasticsearch stop #重启 /etc/init.d/elasticsearch restart
启动后,命令行输入curl -XGET http://localhost:9200,得到以下响应说明启动成功
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
{ "name" : "localhost.localdomain", "cluster_name" : "elasticsearch", "cluster_uuid" : "_na_", "version" : { "number" : "7.11.1", "build_flavor" : "default", "build_type" : "tar", "build_hash" : "ff17057114c2199c9c1bbecc727003a907c0db7a", "build_date" : "2021-02-15T13:44:09.394032Z", "build_snapshot" : false, "lucene_version" : "8.7.0", "minimum_wire_compatibility_version" : "6.8.0", "minimum_index_compatibility_version" : "6.0.0-beta1" }, "tagline" : "You Know, for Search"} |
4、kibana安装
curl -L -O https://artifacts.elastic.co/downloads/kibana/kibana-7.11.1-linux-x86_64.tar.gz tar xzvf kibana-7.11.1-linux-x86_64.tar.gz cd kibana-7.11.1-linux-x86_64/ ./bin/kibana
都是开箱即用,建议手动移动目录到/usr/local/下
启动kibana
4.1 创建专用用户组和用户,root无法启动
Kibana should not be run as root. Use --allow-root to continue.
useradd kibana -g es passwd kibana
4.2更改文件夹及内部文件的所属用户及组
chown -R esuser:es /usr/local/kibana-7.11.1-linux-x86_64
仿照搞一个kibana的启动脚本
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | #!/bin/bash#chkconfig: 2345 80 90#description:kibanaexport KB_HOME=/usr/local/kibana-7.11.1-linux-x86_64case $1 in start) su kibana<<! cd $KB_HOME nohup ./bin/kibana & exit! echo "kibana is started" ;; stop) pid=`cat $KB_HOME/pid` kill -9 $pid echo "kibana is stopped" ;; restart) pid=`cat $KB_HOME/pid` kill -9 $pid echo "kibana is stopped" sleep 1 su kibana<<! cd $KB_HOME nohup ./bin/kibana & exit! echo "kibana is started" ;; *) echo "start|stop|restart" ;;esacexit 0 |
赋予权限:
#在命令行执行下面命令,赋予脚本执行权限
chmod +x elasticsearch
脚本启动命令
#启动
/etc/init.d/kibana start
#停止
/etc/init.d/kibana stop
#重启
/etc/init.d/kibana restart
此处停止、重启命令都不好使,需要使用查找进程、杀死进程的方法,不然运行停止、重启命令不好使还找不到哪里的问题!!
至此,本可以通过/etc/init.d/kibana运行,但是报错,所以修改上面脚本中的启动命令为:
1 | nohup ./bin/kibana & |
至此,可以启动kibana了 ,然后需要开放5601端口
1 2 3 4 5 6 7 | 在浏览器中输入ip:5601显示无法打开,应该是端口没开放的原因,查看端口状态命令:firewall-cmd --query-port=5601/tcp开启端口命令:firewall-cmd --zone=public --add-port=5601/tcp --permanent重新加载防火墙:firewall-cmd --reload再输入地址端口号,可以正确显示页面 |
5
Setting built-in user passwords
You must set the passwords for all built-in users.
The elasticsearch-setup-passwords tool is the simplest method to set the built-in users' passwords for the first time. It uses the elastic user’s bootstrap password to run user management API requests. For example, you can run the command in an "interactive" mode, which prompts you to enter new passwords for the elastic, kibana_system, logstash_system, beats_system, apm_system, and remote_monitoring_user users:
elasticsearch-setup-passwords tool 命令只能输入一次,设置过密码再次输入会报错,Alternatively, you can set the initial passwords for the built-in users by using the Management > Users page in Kibana or the Change Password API. These methods are more complex. You must supply the elastic user and its bootstrap password to log into Kibana or run the API. This requirement means that you cannot use the default bootstrap password that is derived from the keystore.seed setting. Instead, you must explicitly set a bootstrap.password setting in the keystore before you start Elasticsearch. For example, the following command prompts you to enter a new bootstrap password:
我们刚刚部署的Kibana是不需要密码就可以登录的,这样谁都可以kibana访问并且更改索引数据,在生产环境中为了保证数据的安全,我们必须得给kibana加上密码,保证用户登录后可进行操作。
主要是利用elasticsearch自带的xpack作为权限验证功能。操作步骤如下:
5.1. 修改ES配置开启 X-PACK
修改ElasticSearch的配置文件,/app/elasticsearch/elasticsearch-7.13.4/config/elasticsearch.yml,开启x-pack
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
5.2. 重启ElasticSearch
./bin/elasticsearch -d
5.3. 初始化用户密码
cd /app/elasticsearch/elasticsearch-7.13.4/bin
./elasticsearch-setup-passwords interactive
执行后会出现下面的内容,让你设置对应的密码,输入 y 继续
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
...
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
5.4. 设置证书
启用x-pack后ElasticSearch的启动日志会报Caused by: javax.net.ssl.SSLHandshakeException: No available authentication scheme的异常,原因是因为缺少CA证书,所以我们需要给其生成一个。
./bin/elasticsearch-certutil ca
看到提示后直接回车即可,不用设置密码
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: # 直接回车
Enter password for elastic-stack-ca.p12 : # 直接回车
之后我们在ElasticSearch的安装目录下会看到这个证书文件elastic-stack-ca.p12
elastic-stack-ca.p12
现在我们借助生成的这个证书文件生成p12秘钥
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
看到提示后还是直接回车,不设置密码
Enter password for CA (elastic-stack-ca.p12) : # 直接回车
Please enter the desired output file [elastic-certificates.p12]: # 回车
Enter password for elastic-certificates.p12 : # 回车
# 文件路径
Certificates written to /app/elasticserach/elasticsearch-7.13.4/elastic-certificates.p12
此时文件如下:在config目录下创建certs目录,并将生成的秘钥文件拷贝进去
mkdir certs
cp ../elastic-certificates.p12 certs/elastic-certificates.p12
再次修改ElasticSearch的配置文件elasticsearch.yml中xpack相关配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
接着再次重启ElasticSearch,报错
1 2 3 | uncaught exception in thread [main]ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager<br> - not permitted to read truststore file [/usr/local/elasticsearch-7.11.1/config/certs/elastic-certificates.p12]]; nested: AccessDeniedException<br>[/usr/local/elasticsearch-7.11.1/config/certs/elastic-certificates.p12];Likely root cause: java.nio.file.AccessDeniedException: /usr/local/elasticsearch-7.11.1/config/certs/elastic-certificates.p12 |
给该文件授权 chmod 777 /usr/local/elasticsearch-7.11.1/config/certs/elastic-certificates.p12
再次重启elasticsearch,不再报错。
但是登陆时候登不上,报错,登陆命令curl -u esuser http://localhost:9200/
报错信息:
Enter host password for user 'esuser':
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [esuser] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"unable to authenticate user [esuser] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}[root@localhost bin]# curl -u esuser http://localhost:9200/
查看日志报错信息如下:】
[2022-02-25T08:14:11,003][WARN ][o.e.t.TcpTransport ] [localhost.localdomain] exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/0:0:0:0:0:0:0:1:43658}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No available authentication scheme
搞不定了,去官网再看看
Getting started with the Elastic Stack | Getting Started [7.11] | Elastic
Security overview | Elasticsearch Guide [7.11] | Elastic
文档讲有默认内置用户,elastic就是,那就用elastic用户来登陆试试,这个地方的密码就是上面interactive命令设置的密码,居然成功了,说明自己添加的esuser用户没有权限啊,看看怎么扩大权限。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | curl -u elastic localhost:9200Enter host password for user 'elastic':{ "name" : "node-1", "cluster_name" : "elk-application", "cluster_uuid" : "xsAt7B-HQC29uS4bgcSw8Q", "version" : { "number" : "7.11.1", "build_flavor" : "default", "build_type" : "tar", "build_hash" : "ff17057114c2199c9c1bbecc727003a907c0db7a", "build_date" : "2021-02-15T13:44:09.394032Z", "build_snapshot" : false, "lucene_version" : "8.7.0", "minimum_wire_compatibility_version" : "6.8.0", "minimum_index_compatibility_version" : "6.0.0-beta1" }, "tagline" : "You Know, for Search"} |
重新来一遍吧!!!!!!!!!!!
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 全程不用写代码,我用AI程序员写了一个飞机大战
· DeepSeek 开源周回顾「GitHub 热点速览」
· 记一次.NET内存居高不下排查解决与启示
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
2016-03-15 leach-matlab
2016-03-15 leach协议matlab仿真代码