Elasticsearch Cluster Installation

1 Prerequisites

1.1 JDK

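Elasticsearch is built with Java and ships with a bundled JDK; the official recommendation is to run Elasticsearch with the bundled JDK. If no JDK is installed, there is no need to install one separately, because the bundled JDK is used automatically at startup. If a JDK is already installed and you want to run Elasticsearch with it, delete the bundled JDK directory and then set the JAVA_HOME environment variable.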

1.2 Download

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.1-linux-x86_64.tar.gz
tar -xzvf elasticsearch-7.9.1-linux-x86_64.tar.gz

After extraction, the directory structure is as follows:

  • bin
  • config
  • lib
  • modules
  • plugins
  • jdk

1.3 vm.max_map_count configuration

sudo sysctl -w vm.max_map_count=262144

1.4 Elasticsearch Head installation

Search for the elasticsearch-head extension in the Chrome Web Store and click install.

1.5 Create a user

Because Elasticsearch can only be started as a non-root user, you should create a dedicated user and user group for it.

2 CA and CE certificates

This step sets up encrypted communication between the nodes of the Elasticsearch cluster. First, make sure that xpack.security.enabled=true.

2.1 CA certificate

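A CA (Certificate Authority) is the body that issues certificates; it holds a private key that is used to sign CE certificates. For Elasticsearch to act as a certificate authority, it needs a CA certificate of its own.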

./bin/elasticsearch-certutil ca

After you then enter the private key, a CA certificate file, elastic-stack-ca.p12, is generated in the config directory.

2.2 CE certificate

CE (Certificate): the CE certificate also has a private key, and every node keeps a copy of the CE certificate.

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

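Next, enter the CA certificate's private key, then the CE certificate's private key; the CE certificate elastic-certificates.p12 is then generated in the config directory (the CA certificate key and the CE certificate key may be the same).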

2.3 CA and CE certificate configuration

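First, create a certs directory under the config directory and move the CA and CE certificates into it, then add the following settings to the elasticsearch.yml configuration file: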

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 

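You may have noticed that the CE certificate was generated without binding it to a specific host IP. In other words, the CE certificate elastic-certificates.p12 is generic across the Elasticsearch cluster, so we only need to copy this one certificate to the designated directory on every node. As for the CA certificate and the CA signing key, back them up and then delete them.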

3 Elasticsearch configuration

3.1 jvm.options

# Xms represents the initial size of total heap space
-Xms4g
# Xmx represents the maximum size of total heap space
-Xmx4g

3.2 elasticsearch.yml

# Node a.b.c.d
# ---------------------------------- Cluster -----------------------------------
cluster.name: elaticsearch-cluster
# ------------------------------------ Node ------------------------------------
node.name: node-1
node.roles: [ "data", "master" ]
# ----------------------------------- Paths ------------------------------------
path.data: /apps/elk/elasticsearch-7.9.1/data
path.logs: /apps/elk/elasticsearch-7.9.1/logs
# ---------------------------------- Network -----------------------------------
network.host: 0.0.0.0
http.port: 9200
# --------------------------------- Discovery ----------------------------------
discovery.seed_hosts: ["a.b.c.d", "a.b.c.e", "a.b.c.f"]
cluster.initial_master_nodes: ["node-1"]
# ---------------------------------- X-Pack -----------------------------------
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# Node a.b.c.e
# ---------------------------------- Cluster -----------------------------------
cluster.name: elaticsearch-cluster
# ------------------------------------ Node ------------------------------------
node.name: node-2
node.roles: [ "data", "master" ]
# ----------------------------------- Paths ------------------------------------
path.data: /apps/elk/elasticsearch-7.9.1/data
path.logs: /apps/elk/elasticsearch-7.9.1/logs
# ---------------------------------- Network -----------------------------------
network.host: 0.0.0.0
http.port: 9200
# --------------------------------- Discovery ----------------------------------
discovery.seed_hosts: ["a.b.c.d", "a.b.c.e", "a.b.c.f"]
cluster.initial_master_nodes: ["node-1"]
# ---------------------------------- X-Pack -----------------------------------
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# Node a.b.c.f
# ---------------------------------- Cluster -----------------------------------
cluster.name: elaticsearch-cluster
# ------------------------------------ Node ------------------------------------
node.name: node-3
node.roles: [ "data", "master" ]
# ----------------------------------- Paths ------------------------------------
path.data: /apps/elk/elasticsearch-7.9.1/data
path.logs: /apps/elk/elasticsearch-7.9.1/logs
# ---------------------------------- Network -----------------------------------
network.host: 0.0.0.0
http.port: 9200
# --------------------------------- Discovery ----------------------------------
discovery.seed_hosts: ["a.b.c.d", "a.b.c.e", "a.b.c.f"]
cluster.initial_master_nodes: ["node-1"]
# ---------------------------------- X-Pack -----------------------------------
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
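
An added example, not part of the original article: a small Python check that reads the flat `key: value` settings used in the elasticsearch.yml files above and reports the security-relevant ones a reviewer would flag. The helper names (`parse_flat_yaml`, `audit`) and the finding labels are made up for this illustration, and the sample input is constructed from the node-1 configuration.

```python
import re

# Constructed sample: network and X-Pack lines taken from the node-1 config above.
SAMPLE_YML = """\
network.host: 0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
"""

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines; returns (settings, malformed_lines)."""
    settings, malformed = {}, []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+):\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
        else:
            malformed.append(raw)                 # e.g. a key missing its colon
    return settings, malformed

def audit(text):
    """Return a sorted list of (hypothetical) finding labels for a config text."""
    s, malformed = parse_flat_yaml(text)
    truthy = lambda k: s.get(k, "false").lower() == "true"
    findings = set()
    if malformed:
        findings.add("MALFORMED_LINE")
    if not truthy("xpack.security.enabled"):
        findings.add("SECURITY_DISABLED")
    if not truthy("xpack.security.transport.ssl.enabled"):
        findings.add("TRANSPORT_TLS_OFF")
    elif s.get("xpack.security.transport.ssl.verification_mode", "full") != "full":
        findings.add("NO_HOSTNAME_VERIFICATION")  # 'certificate' skips the host check
    if not truthy("xpack.security.http.ssl.enabled"):
        findings.add("HTTP_PLAINTEXT")            # REST credentials sent unencrypted
    if truthy("http.cors.enabled") and s.get("http.cors.allow-origin") == "*":
        findings.add("CORS_ANY_ORIGIN")
    if s.get("network.host") == "0.0.0.0":
        findings.add("BINDS_ALL_INTERFACES")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_YML))
```

On the configuration above it reports that port 9200 is served without TLS (`xpack.security.http.ssl.enabled` is not set), that `verification_mode: certificate` does not check hostnames, and that CORS and the bind address accept any origin and any interface.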

4 Reset passwords

./bin/elasticsearch-setup-passwords interactive

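Then enter a password for each account; using the same password for all accounts is recommended. After the passwords are reset, a new index named .security-7 appears in the ES cluster, with the following contents: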

_index       _type  _id                                   password  type           enabled
.security-7  _doc   reserved-user-logstash_system         pwd       reserved-user  true
.security-7  _doc   reserved-user-remote_monitoring_user  pwd       reserved-user  true
.security-7  _doc   reserved-user-kibana_system           pwd       reserved-user  true
.security-7  _doc   reserved-user-beats_system            pwd       reserved-user  true
.security-7  _doc   reserved-user-elastic                 pwd       reserved-user  true
.security-7  _doc   reserved-user-apm_system              pwd       reserved-user  true
.security-7  _doc   reserved-user-kibana                  pwd       reserved-user  true

5 Start

nohup ./bin/elasticsearch>/dev/null 2>&1 &

Originally published on the WeChat official account 程序猿杜小头: Elasticsearch Cluster Installation

Article compiled by 极客之音; link to this article: https://www.bmabk.com/index.php/post/222371.html