Elasticsearch 生产集群部署终极方案

Elasticsearch 集群部署

• 1.集群部署
• • [1.1 新增用户](#1.1 新增用户)
  • [1.2 优化操作系统](#1.2 优化操作系统)
  • [1.3 JDK](#1.3 JDK)
  • [1.4 elasticsearch](#1.4 elasticsearch)
  • [1.5 开机自启动](#1.5 开机自启动)
• 2.安全认证功能
• • [2.1 生成CA证书](#2.1 生成CA证书)
  • [2.2 生成密钥](#2.2 生成密钥)
  • [2.3 上传至其他节点](#2.3 上传至其他节点)
  • [2.4 修改属主、属组](#2.4 修改属主、属组)
  • [2.5 配置文件添加参数](#2.5 配置文件添加参数)
  • [2.6 各节点添加密钥库密码](#2.6 各节点添加密钥库密码)
  • [2.7 设置用户密码](#2.7 设置用户密码)

1.集群部署

1.1 新增用户

useradd es  -m  -s  /bin/bash

1.2 优化操作系统

cat /etc/security/limits.conf
*               soft    nofile          65536
*               hard    nofile          65536

cat /etc/sysctl.conf
vm.max_map_count=262144

sysctl -p

1.3 JDK

tar xf jdk-8u441-linux-x64.tar.gz -C  /usr/local/
ln -s /usr/local/jdk1.8.0_441    /usr/local/jdk1.8.0
su - es
echo -e 'export JAVA_HOME=/usr/local/jdk1.8.0\nexport CLASSPATH=.:$JAVA_HOME/lib:$JAVA_HOME/jre/lib\nexport PATH=$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$PATH' >>  ~/.bashrc

1.4 elasticsearch

wget  https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.1-linux-x86_64.tar.gz
tar xvf elasticsearch-7.6.1-linux-x86_64.tar.gz -C /usr/local/
ln -s /usr/local/elasticsearch-7.6.1   /usr/local/elasticsearch
chown -R  es.es  /usr/local/elasticsearch
chown -R  es.es  /usr/local/elasticsearch-7.6.1/
cat > /usr/local/elasticsearch/config/elasticsearch.yml <<EOF
cluster.name: es-cluster
node.name: es-node1
node.master: true
node.data: true
path.data: /home/elasticsearch/data
path.logs: /home/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: ["172.16.2.8", "172.16.2.9","172.16.2.10"]
cluster.initial_master_nodes: ["172.16.2.8", "172.16.2.9","172.16.2.10"]
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
EOF
mkdir -p /home/elasticsearch/{data,logs}
chown -R es:es /home/elasticsearch 

1.5 开机自启动

cat > /usr/lib/systemd/system/elasticsearch.service <<EOF
[Unit]
Description=Elasticsearch
Documentation=https://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
User=es
Group=es
ExecStart=/usr/local/elasticsearch/bin/elasticsearch

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service

2.安全认证功能

2.1 生成CA证书

su - es
./bin/elasticsearch-certutil ca --pass "elastic"  --out ./

2.2 生成密钥

mkdir ./config/certificates
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --pass "elastic" --out ./config/certificates/

2.3 上传至其他节点

scp -i id_rsa config/certificaties/elastic-certificates.p12 root@172.16.2.9:/usr/local/elasticsearch/config/certificaties
scp -i id_rsa config/certificaties/elastic-certificates.p12 root@172.16.2.10:/usr/local/elasticsearch/config/certificaties

2.4 修改属主、属组

chown -R es:es certificaties/

2.5 配置文件添加参数

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/local/elasticsearch/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/local/elasticsearch/config/certificates/elastic-certificates.p12

2.6 各节点添加密钥库密码

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
#输入生成密钥时的密码，例：elastic；如果生成密钥没有设置密码，则不需执行。
systemctl restart elasticsearch

2.7 设置用户密码

./bin/elasticsearch-setup-passwords  interactive

systemctl restart elasticsearch