Elasticsearch 集群部署
- 1.集群部署
-
- [1.1 新增用户](#1.1 新增用户)
- [1.2 优化操作系统](#1.2 优化操作系统)
- [1.3 JDK](#1.3 JDK)
- [1.4 elasticsearch](#1.4 elasticsearch)
- [1.5 开机自启动](#1.5 开机自启动)
- 2.安全认证功能
-
- [2.1 生成CA证书](#2.1 生成CA证书)
- [2.2 生成密钥](#2.2 生成密钥)
- [2.3 上传至其他节点](#2.3 上传至其他节点)
- [2.4 修改属主、属组](#2.4 修改属主、属组)
- [2.5 配置文件添加参数](#2.5 配置文件添加参数)
- [2.6 各节点添加密钥库密码](#2.6 各节点添加密钥库密码)
- [2.7 设置用户密码](#2.7 设置用户密码)
1.集群部署
1.1 新增用户
shell
复制代码
useradd es -m -s /bin/bash
1.2 优化操作系统
shell
复制代码
cat /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
cat /etc/sysctl.conf
vm.max_map_count=262144
sysctl -p
1.3 JDK
shell
复制代码
tar xf jdk-8u441-linux-x64.tar.gz -C /usr/local/
ln -s /usr/local/jdk1.8.0_441 /usr/local/jdk1.8.0
su - es
echo -e 'export JAVA_HOME=/usr/local/jdk1.8.0\nexport CLASSPATH=.:$JAVA_HOME/lib:$JAVA_HOME/jre/lib\nexport PATH=$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$PATH' >> ~/.bashrc
1.4 elasticsearch
shell
复制代码
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.1-linux-x86_64.tar.gz
tar xvf elasticsearch-7.6.1-linux-x86_64.tar.gz -C /usr/local/
ln -s /usr/local/elasticsearch-7.6.1 /usr/local/elasticsearch
chown -R es.es /usr/local/elasticsearch
chown -R es.es /usr/local/elasticsearch-7.6.1/
cat > /usr/local/elasticsearch/config/elasticsearch.yml <<EOF
cluster.name: es-cluster
node.name: es-node1
node.master: true
node.data: true
path.data: /home/elasticsearch/data
path.logs: /home/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: ["172.16.2.8", "172.16.2.9","172.16.2.10"]
cluster.initial_master_nodes: ["172.16.2.8", "172.16.2.9","172.16.2.10"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
EOF
mkdir -p /home/elasticsearch/{data,logs}
chown -R es:es /home/elasticsearch
1.5 开机自启动
shell
复制代码
cat > /usr/lib/systemd/system/elasticsearch.service <<EOF
[Unit]
Description=Elasticsearch
Documentation=https://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
User=es
Group=es
ExecStart=/usr/local/elasticsearch/bin/elasticsearch
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
2.安全认证功能
2.1 生成CA证书
shell
复制代码
su - es
./bin/elasticsearch-certutil ca --pass "elastic" --out ./
2.2 生成密钥
shell
复制代码
mkdir ./config/certificates
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --pass "elastic" --out ./config/certificates/
2.3 上传至其他节点
shell
复制代码
scp -i id_rsa config/certificaties/elastic-certificates.p12 [email protected]:/usr/local/elasticsearch/config/certificaties
scp -i id_rsa config/certificaties/elastic-certificates.p12 [email protected]:/usr/local/elasticsearch/config/certificaties
2.4 修改属主、属组
shell
复制代码
chown -R es:es certificaties/
2.5 配置文件添加参数
复制代码
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/local/elasticsearch/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/local/elasticsearch/config/certificates/elastic-certificates.p12
2.6 各节点添加密钥库密码
shell
复制代码
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
#输入生成密钥时的密码,例:elastic;如果生成密钥没有设置密码,则不需执行。
systemctl restart elasticsearch
2.7 设置用户密码
shell
复制代码
./bin/elasticsearch-setup-passwords interactive
systemctl restart elasticsearch