Elasticsearch 9.2.0 Three-Node Cluster Configuration

This post records two ways of deploying an Elasticsearch 9.x cluster.

1. Overview

Elasticsearch 9.x is built on Lucene 10.1.0, and this upgrade of the underlying architecture is significant.

Lucene 10.1.0 has a smarter indexing mechanism that dynamically adjusts its indexing strategy to the characteristics and access patterns of the data, improving retrieval efficiency.

Elasticsearch 9.2.0 is the latest release of the Elasticsearch platform, officially released on 25 October 2025.

It mainly adds Agent Builder, DiskBBQ, Streams and Significant Events, and further improves semantic search and vector processing.

Core new features

Agent Builder: an AI-driven tool that lets developers interact directly with Elasticsearch data, simplifying the development of custom AI agents and improving accuracy and efficiency.

DiskBBQ: a vector storage method that searches compact clusters from disk partitions, reducing memory usage (benchmarks show latency below 20 ms with 100 MB of memory).

Streams: an AI-driven Observability feature that automatically parses unstructured data such as logs and extracts insights to speed up problem resolution.

Semantic search improvements

1. semantic_text field type: handles text vectorization automatically and can be combined with traditional BM25 queries.

2. Extended query types: adds semantic, knn and sparse_vector queries, compatible with the match query.

3. Performance: based on Lucene 10, introduces BBQ binary quantization (5x faster than OpenSearch), hardware acceleration (30% faster vector computation) and other optimizations.

Other improvements

1. Distributed features: automatic shard allocation, load balancing and failover, with seamless scaling.

2. Serverless: some features are already integrated into Elastic Cloud Serverless, with no version management required.

The official documentation (the "Production cluster setup" section for Elastic 9.x / 8.x) states explicitly:

For production, use your own CA (via elasticsearch-certutil) to issue a separate certificate for each node.

The enrollment token mechanism is intended for development or test environments and is not recommended for production.

1.1 Cluster plan

Host            IP              Name    Roles
ops-test-024    192.168.2.24    es-1    master,data
ops-test-025    192.168.2.25    es-2    master,data
ops-test-026    192.168.2.26    es-3    master,data

1.2 System environment

OS: Ubuntu 24.04.3 LTS

JDK: jdk-17.0.12

1.3 System tuning script

Run this on all three ES servers (as root).

01_sys_tuning.sh
#!/bin/bash
# 01_sys_tuning.sh: ulimits for the elasticsearch user and kernel parameters required by ES
set -e
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

echo ">>> Setting OS kernel parameters"

# Per-user limits for the elasticsearch account: memory locking (needed if
# bootstrap.memory_lock is enabled), open file descriptors and processes
cat >> /etc/security/limits.conf <<EOF
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
elasticsearch soft nofile 65536
elasticsearch hard nofile 65536
elasticsearch soft nproc 65536
elasticsearch hard nproc 65536
EOF

# mmap areas required by Lucene (ES refuses to start below 262144), minimal
# swapping, and a higher system-wide file handle cap
cat >> /etc/sysctl.conf <<EOF
vm.max_map_count=262144
vm.swappiness=1
fs.file-max=6553560
EOF

sysctl -p

echo ">>> System tuning completed."

Run:

chmod +x 01_sys_tuning.sh
./01_sys_tuning.sh

1.4 Download

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-9.2.0-linux-x86_64.tar.gz

2. Create a dedicated user and group

groupadd elasticsearch
useradd elasticsearch -g elasticsearch -s /bin/bash -d /home/elasticsearch

Change the ownership of the installation directory (the downloaded archive is assumed to have been extracted to /apps/elasticsearch-9.2.0; Elasticsearch refuses to run as root, so it must be started as this user):

chown -R elasticsearch:elasticsearch /apps/elasticsearch-9.2.0

Option 1: manual certificates + discovery.seed_hosts (recommended for production)

3. Create the CA certificate

Step 1: generate the CA on the first node

cd /apps/elasticsearch-9.2.0
./bin/elasticsearch-certutil ca
# output: elastic-stack-ca.p12
# set a password for the CA when prompted

Step 2: generate a certificate for each node (with SANs)

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --multiple

Then enter, in turn:

Name for this node: ops-test-024
IP Addresses: 192.168.2.24
DNS names: ops-test-024

Name for this node: ops-test-025
IP Addresses: 192.168.2.25
DNS names: ops-test-025

Name for this node: ops-test-026
IP Addresses: 192.168.2.26
DNS names: ops-test-026

Execution transcript:

elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --multiple
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.


    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.


By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : 
Enter instance name: ops-test-024
Enter name for directories and files of ops-test-024 [ops-test-024]: 
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.2.24
Enter DNS names for instance (comma-separated if more than one) []: ops-test-024
Would you like to specify another instance? Press 'y' to continue entering instance information: y
Enter instance name: ops-test-025
Enter name for directories and files of ops-test-025 [ops-test-025]: 
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.2.25
Enter DNS names for instance (comma-separated if more than one) []: ops-test-025
Would you like to specify another instance? Press 'y' to continue entering instance information: y
Enter instance name: ops-test-026
Enter name for directories and files of ops-test-026 [ops-test-026]: 
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.2.26
Enter DNS names for instance (comma-separated if more than one) []: ops-test-026
Would you like to specify another instance? Press 'y' to continue entering instance information: 
Please enter the desired output file [certificate-bundle.zip]: 
Enter password for ops-test-026/ops-test-026.p12 : 
Enter password for ops-test-025/ops-test-025.p12 : 
Enter password for ops-test-024/ops-test-024.p12 : 

Certificates written to /apps/elasticsearch-9.2.0/certificate-bundle.zip

This file should be properly secured as it contains the private keys for 
all instances
After unzipping the file, there will be a directory for each instance.
Each instance has a single PKCS#12 (.p12) file containing the instance
certificate, instance private key and the CA certificate
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0$ ls
LICENSE.txt  NOTICE.txt  README.asciidoc  bin  certificate-bundle.zip  config  data  elastic-stack-ca.p12  jdk  lib  logs  modules  plugins
elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0$ 

certificate-bundle.zip is produced; unzip it:

elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0$ unzip certificate-bundle.zip
Archive:  certificate-bundle.zip
   creating: ops-test-026/
  inflating: ops-test-026/ops-test-026.p12  
   creating: ops-test-025/
  inflating: ops-test-025/ops-test-025.p12  
   creating: ops-test-024/
  inflating: ops-test-024/ops-test-024.p12  

Step 3: distribute the certificates

Copy each node's file into that node's config/ directory:

Node 024 gets ops-test-024.p12

Node 025 gets ops-test-025.p12

Node 026 gets ops-test-026.p12

In addition, every node gets the same elastic-stack-ca.p12. Note that this file holds the CA private key (each node's own .p12 already embeds the CA certificate, which is what the truststore settings below rely on), so keep it readable only by the elasticsearch user wherever it is copied.

Step 4: configuration file template (all nodes)

Using the first node, ops-test-024, as the example:

cluster.name: elasticsearch-nierdayede
node.name: ops-test-024

path.data: /apps/elasticsearch-9.2.0/data
path.logs: /apps/elasticsearch-9.2.0/logs

network.host: 192.168.2.24
http.port: 9200

discovery.seed_hosts: ["192.168.2.24", "192.168.2.25", "192.168.2.26"]
cluster.initial_master_nodes: ["ops-test-024"]

xpack.security.enabled: true

# TLS on the transport layer is mandatory
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ops-test-024.p12
xpack.security.transport.ssl.truststore.path: ops-test-024.p12

# TLS on the HTTP layer is optional (recommended for production)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ops-test-024.p12
xpack.security.http.ssl.truststore.path: ops-test-024.p12

# Optional: disk watermarks
cluster.routing.allocation.disk.watermark.low: "75%"
cluster.routing.allocation.disk.watermark.high: "85%"
cluster.routing.allocation.disk.watermark.flood_stage: "95%"

# May be left unset for the first start; can be removed once the node is up
xpack.security.enrollment.enabled: false

The other nodes, ops-test-025 and ops-test-026, only need node.name, network.host and the keystore file name changed. Two caveats: any hostnames listed in discovery.seed_hosts must resolve on every node (via DNS or /etc/hosts), and cluster.initial_master_nodes is only for bootstrapping the very first master, which is why the 025/026 configurations below omit it and why it should be removed from ops-test-024 once the cluster has formed.
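To avoid copy-paste mistakes across the three nodes, here is an added example (not from the original post) that renders each node's elasticsearch.yml from the template above and emits cluster.initial_master_nodes only for the bootstrap node; it assumes the cluster name, install path, node IPs and <node>.p12 certificate naming used on this page.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: render elasticsearch.yml for one
# node from the Step 4 template. Assumes this page's cluster name, install path,
# node IPs and <node>.p12 certificate naming.

# render_node_config NODE_NAME IP [bootstrap]
# cluster.initial_master_nodes is emitted only when the third argument is
# "bootstrap" (the first node); nodes joining an existing cluster must not set it.
render_node_config() {
    local node="$1" ip="$2" role="${3:-}"
    cat <<EOF
cluster.name: elasticsearch-nierdayede
node.name: ${node}

path.data: /apps/elasticsearch-9.2.0/data
path.logs: /apps/elasticsearch-9.2.0/logs

network.host: ${ip}
http.port: 9200

discovery.seed_hosts: ["192.168.2.24", "192.168.2.25", "192.168.2.26"]
EOF
    if [ "$role" = "bootstrap" ]; then
        echo "cluster.initial_master_nodes: [\"${node}\"]"
    fi
    cat <<EOF

xpack.security.enabled: true
xpack.security.enrollment.enabled: false

# Transport TLS is mandatory; the node .p12 also carries the CA cert, so it doubles as truststore
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ${node}.p12
xpack.security.transport.ssl.truststore.path: ${node}.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ${node}.p12
xpack.security.http.ssl.truststore.path: ${node}.p12

cluster.routing.allocation.disk.watermark.low: "75%"
cluster.routing.allocation.disk.watermark.high: "85%"
cluster.routing.allocation.disk.watermark.flood_stage: "95%"
EOF
}

# Write all three configs under ./out/<node>/ for copying to each node's config/
render_all() {
    for spec in "ops-test-024 192.168.2.24 bootstrap" "ops-test-025 192.168.2.25" "ops-test-026 192.168.2.26"; do
        set -- $spec
        mkdir -p "out/$1"
        render_node_config "$@" > "out/$1/elasticsearch.yml"
    done
}
```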

Step 5: start the cluster

Start the master node (ops-test-024) first.

Master node configuration:

root@ops-test-024:/apps/elasticsearch-9.2.0/config# grep -v '^#' elasticsearch.yml
cluster.name: elasticsearch-nierdayede
node.name: ops-test-024
path.data: /apps/elasticsearch-9.2.0/data
path.logs: /apps/elasticsearch-9.2.0/logs
network.host: 192.168.2.24
http.port: 9200
discovery.seed_hosts: ["ops-test-024", "ops-test-025","ops-test-026"]
cluster.initial_master_nodes: ["ops-test-024"]
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ops-test-024.p12
xpack.security.transport.ssl.truststore.path: ops-test-024.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ops-test-024.p12
xpack.security.http.ssl.truststore.path: ops-test-024.p12

cluster.routing.allocation.disk.watermark.low: "75%"
cluster.routing.allocation.disk.watermark.high: "85%"
cluster.routing.allocation.disk.watermark.flood_stage: "95%"

xpack.security.enrollment.enabled: false

Switch to the elasticsearch user:

sudo su - elasticsearch

Start (the -d flag runs it as a daemon):

/apps/elasticsearch-9.2.0/bin/elasticsearch -d

After the first node has fully started, start nodes 025 and 026.

Start the second node (ops-test-025)

Second node configuration:

root@ops-test-025:/apps/elasticsearch-9.2.0/config# grep -v '^#' elasticsearch.yml
cluster.name: elasticsearch-nierdayede
node.name: ops-test-025
path.data: /apps/elasticsearch-9.2.0/data
path.logs: /apps/elasticsearch-9.2.0/logs
network.host: 192.168.2.25
http.port: 9200
discovery.seed_hosts: ["ops-test-024", "ops-test-025","ops-test-026"]
xpack.security.enabled: true


xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ops-test-025.p12
xpack.security.transport.ssl.truststore.path: ops-test-025.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ops-test-025.p12
xpack.security.http.ssl.truststore.path: ops-test-025.p12

cluster.routing.allocation.disk.watermark.low: "75%"
cluster.routing.allocation.disk.watermark.high: "85%"
cluster.routing.allocation.disk.watermark.flood_stage: "95%"

xpack.security.enrollment.enabled: false

Switch to the elasticsearch user:

sudo su - elasticsearch

Start:

/apps/elasticsearch-9.2.0/bin/elasticsearch -d

Start the third node (ops-test-026)

Third node configuration:

root@ops-test-026:/apps/elasticsearch-9.2.0/config# grep -v '^#' elasticsearch.yml
cluster.name: elasticsearch-nierdayede
node.name: ops-test-026
path.data: /apps/elasticsearch-9.2.0/data
path.logs: /apps/elasticsearch-9.2.0/logs
network.host: 192.168.2.26
http.port: 9200
discovery.seed_hosts: ["ops-test-024", "ops-test-025","ops-test-026"]
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ops-test-026.p12
xpack.security.transport.ssl.truststore.path: ops-test-026.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ops-test-026.p12
xpack.security.http.ssl.truststore.path: ops-test-026.p12

cluster.routing.allocation.disk.watermark.low: "75%"
cluster.routing.allocation.disk.watermark.high: "85%"
cluster.routing.allocation.disk.watermark.flood_stage: "95%"

xpack.security.enrollment.enabled: false

Switch to the elasticsearch user:

sudo su - elasticsearch

Start:

/apps/elasticsearch-9.2.0/bin/elasticsearch -d

Check the log on the first node for lines such as:

elected-as-master

node-join: ops-test-025

node-join: ops-test-026

which indicate that the nodes joined the cluster normally.

elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0/logs$ grep "elected-as-master" elasticsearch-nierdayede.log
[2025-11-06T11:10:56,255][INFO ][o.e.c.s.MasterService    ] [ops-test-024] elected-as-master ([1] nodes joined in term 1)[_FINISH_ELECTION_, {ops-test-024}{uS3Cngc6S1ay0wW4c_XwXQ}{s3ZMf_PBQraEM_3WeFR9hA}{ops-test-024}{192.168.2.24}{192.168.2.24:9300}{cdfhilmrstw}{9.2.0}{8000099-9039001} completing election], term: 1, version: 1, delta: master node changed {previous [], current [{ops-test-024}{uS3Cngc6S1ay0wW4c_XwXQ}{s3ZMf_PBQraEM_3WeFR9hA}{ops-test-024}{192.168.2.24}{192.168.2.24:9300}{cdfhilmrstw}{9.2.0}{8000099-9039001}]}
elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0/logs$ grep "node-join" elasticsearch-nierdayede.log
[2025-11-06T11:10:56,378][INFO ][o.e.c.c.NodeJoinExecutor ] [ops-test-024] node-join: [{ops-test-024}{uS3Cngc6S1ay0wW4c_XwXQ}{s3ZMf_PBQraEM_3WeFR9hA}{ops-test-024}{192.168.2.24}{192.168.2.24:9300}{cdfhilmrstw}{9.2.0}{8000099-9039001}] with reason [completing election]
[2025-11-06T11:16:52,899][INFO ][o.e.c.s.MasterService    ] [ops-test-024] node-join[{ops-test-025}{8eszi29SSw2ZqO8mLaiS8w}{XOcL-TIUT5ip3r0vdU9Efg}{ops-test-025}{192.168.2.25}{192.168.2.25:9300}{cdfhilmrstw}{9.2.0}{8000099-9039001} joining], term: 1, version: 34, delta: added {{ops-test-025}{8eszi29SSw2ZqO8mLaiS8w}{XOcL-TIUT5ip3r0vdU9Efg}{ops-test-025}{192.168.2.25}{192.168.2.25:9300}{cdfhilmrstw}{9.2.0}{8000099-9039001}}
[2025-11-06T11:16:53,687][INFO ][o.e.c.c.NodeJoinExecutor ] [ops-test-024] node-join: [{ops-test-025}{8eszi29SSw2ZqO8mLaiS8w}{XOcL-TIUT5ip3r0vdU9Efg}{ops-test-025}{192.168.2.25}{192.168.2.25:9300}{cdfhilmrstw}{9.2.0}{8000099-9039001}] with reason [joining]
[2025-11-06T13:56:42,500][INFO ][o.e.c.s.MasterService    ] [ops-test-024] node-join[{ops-test-026}{PHdTQhfkT9yIWgReBgubYg}{1_TabHWiRfusJzO8Xd6N0g}{ops-test-026}{192.168.2.26}{192.168.2.26:9300}{cdfhilmrstw}{9.2.0}{8000099-9039001} joining], term: 1, version: 83, delta: added {{ops-test-026}{PHdTQhfkT9yIWgReBgubYg}{1_TabHWiRfusJzO8Xd6N0g}{ops-test-026}{192.168.2.26}{192.168.2.26:9300}{cdfhilmrstw}{9.2.0}{8000099-9039001}}
[2025-11-06T13:56:43,862][INFO ][o.e.c.c.NodeJoinExecutor ] [ops-test-024] node-join: [{ops-test-026}{PHdTQhfkT9yIWgReBgubYg}{1_TabHWiRfusJzO8Xd6N0g}{ops-test-026}{192.168.2.26}{192.168.2.26:9300}{cdfhilmrstw}{9.2.0}{8000099-9039001}] with reason [joining]
elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0/logs$ 

Step 6: set the elastic user's password

Run on the first node:

./bin/elasticsearch-reset-password -u elastic

elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0$ ./bin/elasticsearch-reset-password -u elastic
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y


Password for the [elastic] user successfully reset.
New value: bYQcVSS2klw1PzUkEp=I
elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0$ 

Note down the generated password.

Step 7: check cluster status

curl -u elastic:<password> --cacert config/elastic-stack-ca.p12 https://192.168.2.24:9200/_cluster/health?pretty

(Putting the password on the command line leaves it in the shell history and visible in the process list; running curl -u elastic without the password makes curl prompt for it instead.)

curl -u elastic:bYQcVSS2klw1PzUkEp=I --cacert config/elastic-stack-ca.p12 https://192.168.2.24:9200/_cluster/health?pretty

This fails with an error:

elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0$ curl -u elastic:bYQcVSS2klw1PzUkEp=I --cacert /apps/elasticsearch-9.2.0/config/elastic-stack-ca.p12 https://192.168.2.24:9200/_cluster/health?pretty
curl: (77) error setting certificate file: /apps/elasticsearch-9.2.0/config/elastic-stack-ca.p12

Fix

Cause: elastic-stack-ca.p12 is in PKCS#12 format (it contains the private key and the certificate), whereas curl --cacert accepts only a PEM-formatted CA root certificate.

Solution: extract the CA certificate from the PKCS#12 as PEM:

# extract only the CA certificate (-nokeys keeps the CA private key out of the PEM); you will be prompted for the CA password
openssl pkcs12 -in elastic-stack-ca.p12 -nokeys -out elastic-stack-ca.pem

Check the cluster status again:

elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0$ curl -u elastic:bYQcVSS2klw1PzUkEp=I --cacert elastic-stack-ca.pem \
https://192.168.2.24:9200/_cluster/health?pretty
{
  "cluster_name" : "elasticsearch-nierdayede",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 3,
  "active_shards" : 6,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "unassigned_primary_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
elasticsearch@ops-test-024:/apps/elasticsearch-9.2.0$ 
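The Step 5 log check and the Step 7 health call turned into a script, as an added example that is not part of the original post: check_node_joins confirms that every expected node has a node-join entry in the cluster log, and check_cluster_health accepts nothing but a green cluster with the expected node count. The node names, log path and the RUN_LIVE / ES_PASSWORD environment variables are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: post-start checks for the
# three-node cluster above. Assumes this page's node names, log file name and
# the _cluster/health output format shown in Step 7.

# check_node_joins LOG_FILE NODE... : succeed only if every NODE has a
# NodeJoinExecutor "node-join:" line in LOG_FILE, e.g.
#   [...][o.e.c.c.NodeJoinExecutor ] [ops-test-024] node-join: [{ops-test-025}{...}] with reason [joining]
check_node_joins() {
    local log_file="$1" node missing=""
    shift
    for node in "$@"; do
        if ! grep -q "node-join: \[{${node}}" "$log_file"; then
            missing="$missing $node"
        fi
    done
    if [ -n "$missing" ]; then
        echo "nodes without a node-join entry:$missing" >&2
        return 1
    fi
}

# check_cluster_health HEALTH_JSON EXPECTED_NODES : succeed only if the health
# document reports status green and exactly EXPECTED_NODES nodes (a yellow or
# red status, or a node that silently failed to join, is flagged here).
check_cluster_health() {
    local health_json="$1" expected="$2" status nodes
    status=$(printf '%s\n' "$health_json" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p')
    nodes=$(printf '%s\n' "$health_json" | sed -n 's/.*"number_of_nodes" *: *\([0-9]*\).*/\1/p')
    if [ "$status" != "green" ]; then
        echo "cluster status is '${status:-unknown}', expected green" >&2
        return 1
    fi
    if [ "$nodes" != "$expected" ]; then
        echo "cluster reports ${nodes:-?} nodes, expected $expected" >&2
        return 1
    fi
}

# Live run against the first node (only when RUN_LIVE=1); needs the PEM CA from
# Step 7 and the elastic password in ES_PASSWORD rather than on the command line.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    health=$(curl -s --cacert elastic-stack-ca.pem -u "elastic:${ES_PASSWORD}" \
        "https://192.168.2.24:9200/_cluster/health?pretty")
    check_node_joins logs/elasticsearch-nierdayede.log ops-test-024 ops-test-025 ops-test-026 \
        && check_cluster_health "$health" 3 && echo "cluster OK"
fi
```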

This completes the configuration for Option 1.

Option 2: enrollment token (quick setup / test environments)

Characteristics:

Certificates are generated automatically

Nodes trust each other automatically

Suitable for temporary tests or a PoC; not recommended for production

Step 1: configure and start the first node

cluster.name: elasticsearch-nierdayede
node.name: ops-test-024
network.host: 192.168.2.24

xpack.security.enabled: true
xpack.security.enrollment.enabled: true

Note: do not configure discovery.seed_hosts or cluster.initial_master_nodes; ES generates them automatically.

Switch to the elasticsearch user:

sudo su - elasticsearch

Start:

/apps/elasticsearch-9.2.0/bin/elasticsearch -d

Step 2: generate a node enrollment token

./bin/elasticsearch-create-enrollment-token -s node

Record the token that is printed. Enrollment tokens are short-lived (they expire after 30 minutes), so generate a new one if the join step below is delayed.

Step 3: run on the second node

./bin/elasticsearch --enrollment-token <paste the token from above>

Repeat for the third node.

Step 4: after the cluster has formed (optional)

Disable automatic enrollment:

xpack.security.enrollment.enabled: false

Step 5: set the password

./bin/elasticsearch-reset-password -u elastic

(End)
