CentOS 7: Elasticsearch 7.8 cluster with X-Pack security authentication and intra-cluster TLS encrypted transport


Introduction

In a standard Elasticsearch cluster deployment, neither the traffic between cluster nodes nor client access to the cluster requires any authentication: anyone who can reach the exposed HTTP port can read the data held in ES directly.

That gives no real security, so this post deploys a cluster that uses X-Pack security for authentication.

It is not only the client-facing port 9200 that needs authentication; the inter-node transport port 9300 also needs protection. Here a self-signed PKCS#12 certificate is used to encrypt communication inside the cluster.

Note: X-Pack as a whole is a paid component, but the basic security features (authentication and TLS) are included in the free Basic license, so there is no licensing concern for this setup.

Environment preparation

OS version    Hostname   IP            ES version   ES client port   ES transport port
CentOS 7.5    node02     10.0.20.22    7.8          9200             9300
CentOS 7.5    node03     10.0.20.23    7.8          9200             9300
CentOS 7.5    node04     10.0.20.24    7.8          9200             9300

Installation

The current Elasticsearch tarball bundles a JDK, so unlike older versions there is no need to install a JDK separately, which makes things much easier.

Official download: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz

Raise the file-descriptor and process limits

cat >> /etc/security/limits.conf <<EOF
*   hard    nofile  65536
*   soft    nofile  65536
*   hard    nproc   5000
*   soft    nproc   5000
EOF

echo 'vm.max_map_count=262144' >>  /etc/sysctl.conf
sysctl -p

Configure hostname resolution

Configure hostname resolution on all nodes

cat >> /etc/hosts <<EOF

10.0.20.22 node02
10.0.20.23 node03
10.0.20.24 node04
EOF

Install

useradd -s /sbin/nologin -M elasticsearch
cd /opt/
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz
tar xf elasticsearch-7.8.0-linux-x86_64.tar.gz
ln -s /opt/elasticsearch-7.8.0 /opt/elasticsearch
ll /opt/

# total 0
# lrwxrwxrwx 1 root root  24 Jul  7 23:52 elasticsearch -> /opt/elasticsearch-7.8.0
# drwxr-xr-x 9 root root 155 Jun 15 03:38 elasticsearch-7.8.0

Create the data and log directories and hand the whole tree to the service account. The systemd unit below runs as User=elasticsearch, and the node will not start if it cannot write path.data and path.logs or read its configuration.

mkdir /opt/elasticsearch/{data,logs} -p
chown -R elasticsearch:elasticsearch /opt/elasticsearch-7.8.0

systemd unit

Save the following as /etc/systemd/system/elasticsearch.service and run systemctl daemon-reload afterwards. It is the unit shipped with the official packages, adapted to the /opt layout used here; the upstream build-template placeholders (${path.conf}, ${project.name}) have been replaced with real values.

[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
RuntimeDirectory=elasticsearch
Environment=ES_HOME=/opt/elasticsearch
Environment=ES_PATH_CONF=/opt/elasticsearch/config
Environment=PID_DIR=/opt/elasticsearch
# optional overrides; settings in this file take precedence over Environment= above
EnvironmentFile=-/opt/elasticsearch/config/elasticsearch

WorkingDirectory=/opt/elasticsearch

User=elasticsearch
Group=elasticsearch

ExecStart=/opt/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet

# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# writes its own logs under path.logs (/opt/elasticsearch/logs here)
# and does not use journalctl by default. If you also want journalctl
# logging, remove the "--quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Specifies the maximum number of processes
LimitNPROC=4096

# Specifies the maximum size of virtual memory
LimitAS=infinity

# Specifies the maximum file size
LimitFSIZE=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0

# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM

# Send the signal only to the JVM rather than its control group
KillMode=process

# Java process is never killed
SendSIGKILL=no

# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target

Generate the PKCS#12 certificates

Certificate generation only needs to be done on node02.

According to the official documentation there are two ways to create the cluster certificates:

  1. create each certificate one by one with the elasticsearch-certutil command
  2. use elasticsearch-certutil in silent mode, driven by an instances file

The simpler silent mode is used here.

Change into the ES directory:

cd /opt/elasticsearch

Create the instances.yml file the tool needs; see the official cluster-certificate documentation for the full format.

cat >instances.yml<<EOF
instances:
  - name: "node02" 
    ip: 
      - "10.0.20.22"
  - name: "node03"
    ip:
      - "10.0.20.23"
  - name: "node04"
    ip:
      - "10.0.20.24"
EOF

Note: name becomes the certificate's CN and the name of the generated file; the ip entries go into the certificate's subject alternative names, which is what the transport layer checks the peer's address against (verification_mode defaults to full), so the list must contain exactly the addresses the nodes publish.

Then run

bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword

Note: the value after --pass is the password protecting the PKCS#12 files; it is needed again when configuring the cluster, so keep it. Because no --ca is given, certutil creates a new CA on the fly and signs every instance certificate with it; each .p12 contains the node's private key, its certificate and the CA certificate, which is why the same file can serve as both keystore and truststore below. The password is also visible in the shell history and in the process list while the command runs, so treat that history accordingly.

When the command finishes, a test1.zip archive is created in /opt/elasticsearch/; unpacked it looks like this:

[root@node02 elasticsearch]# ls test1.zip 
test1.zip
[root@node02 elasticsearch]# unzip test1.zip 
Archive:  test1.zip
   creating: node02/
  inflating: node02/node02.p12       
   creating: node03/
  inflating: node03/node03.p12       
   creating: node04/
  inflating: node04/node04.p12
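Before copying the files out, it is worth checking what certutil produced, because two properties of each .p12 matter for the configuration used later: the node certificate must carry the node's IP as a subject alternative name (the transport layer's default verification_mode is full, which checks the peer's address against the certificate), and the file must also contain the CA certificate, because the same file is configured as the truststore. The following script is an added example, not part of the original post. The demo_p12 helper builds a throwaway CA-signed bundle with openssl purely so the check can be exercised without certutil; the IP and password it uses are the ones from this post, and the files it writes are constructed here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check a node's PKCS#12 file
# before it is copied to the node.
#  (1) the leaf certificate must carry the node IP as a SAN (verification_mode full)
#  (2) the bundle must also hold the CA certificate (it doubles as the truststore)
set -eu

# check_node_p12 FILE PASSWORD EXPECTED_IP  -> 0 only if both conditions hold
check_node_p12() {
  local p12="$1" pass="$2" ip="$3" leaf ncerts
  # -clcerts: only the certificate that belongs to the private key (the node cert)
  leaf="$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
          | openssl x509 -noout -text)"
  printf '%s\n' "$leaf" | grep -Eq "IP Address:${ip}( |,|$)" || {
    echo "$p12: SAN does not contain IP ${ip}" >&2; return 1; }
  # -nokeys alone dumps every certificate in the bundle: node cert + CA cert
  ncerts="$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null \
            | grep -c 'BEGIN CERTIFICATE')"
  [ "$ncerts" -ge 2 ] || {
    echo "$p12: no CA certificate inside, unusable as truststore" >&2; return 1; }
}

# demo_p12 DIR NAME IP PASSWORD: constructed stand-in for certutil's output
# (a fresh CA, a node key/cert with an IP SAN, all packed into NAME.p12)
demo_p12() {
  local dir="$1" name="$2" ip="$3" pass="$4"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/$name.ext"
  openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  openssl pkcs12 -export -name "$name" -in "$dir/$name.crt" -inkey "$dir/$name.key" \
      -certfile "$dir/ca.crt" -passout "pass:$pass" -out "$dir/$name.p12"
}
```

Point check_node_p12 at the real file, for example check_node_p12 node02/node02.p12 testpassword 10.0.20.22. Files written by certutil's bundled JDK use older PKCS#12 encryption, so on hosts with OpenSSL 3 the openssl pkcs12 calls may need the -legacy option; alternatively inspect them with the bundled keytool (/opt/elasticsearch/jdk/bin/keytool -list -v -storetype PKCS12 -keystore node02.p12), which always understands them.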

Then copy each directory to the matching server. On node02 the directory is simply moved into place:

mv node02 config/certs
[root@node02 elasticsearch]# rsync -avz node03 10.0.20.23:/opt/elasticsearch/config/certs
root@10.0.20.23's password: 
sending incremental file list
created directory /opt/elasticsearch/config/certs
node03/
node03/node03.p12

sent 3,556 bytes  received 93 bytes  1,459.60 bytes/sec
total size is 3,455  speedup is 0.95
[root@node02 elasticsearch]# rsync -avz node04 10.0.20.24:/opt/elasticsearch/config/certs
root@10.0.20.24's password: 
sending incremental file list
created directory /opt/elasticsearch/config/certs
node04/
node04/node04.p12

sent 3,565 bytes  received 93 bytes  1,463.20 bytes/sec
total size is 3,455  speedup is 0.94

Mind where the files end up. On node02, config/certs did not exist yet, so the mv renamed the node02 directory to certs and the file is at config/certs/node02.p12. On node03 and node04 the rsync output shows the directory itself being created inside certs, so there the file is at config/certs/node03/node03.p12 and config/certs/node04/node04.p12. The configuration below references certs/<node>.p12, so on those two nodes move the file up one level (mv /opt/elasticsearch/config/certs/node03/node03.p12 /opt/elasticsearch/config/certs/, and likewise for node04). Finally, on every node make the file readable only by the service account (chown elasticsearch:elasticsearch and chmod 600): the .p12 contains the node's private key.

Configuration

A few settings differ from what 6.x-era guides show. transport.tcp.port and transport.tcp.compress are deprecated aliases in 7.x; the current names are transport.port and transport.compress. discovery.zen.minimum_master_nodes is ignored by 7.x (the cluster coordination layer manages the quorum itself), so it is left out. cluster.initial_master_nodes lists node.name values, as the 7.x documentation specifies; 7.x also accepts the transport address as a fallback, which is why the IP form works, but 8.x does not. network.host: _bond0_ binds to the interface named bond0; replace it with your interface name or the node IP.

node02 configuration:

cat > /opt/elasticsearch/config/elasticsearch.yml <EOF
cluster.name: es-cluster
node.name: node02
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
network.host: _bond0_
transport.host: _bond0_
network.publish_host: 10.0.20.22
http.port: 9200
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
cluster.initial_master_nodes: ["node02", "node03", "node04"]

# X-Pack security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/node02.p12
xpack.security.transport.ssl.truststore.path: certs/node02.p12
EOF

echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch

node03 configuration:

cat > /opt/elasticsearch/config/elasticsearch.yml <EOF
cluster.name: es-cluster
node.name: node03
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
network.host: _bond0_
transport.host: _bond0_
network.publish_host: 10.0.20.23
http.port: 9200
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
cluster.initial_master_nodes: ["node02", "node03", "node04"]

# X-Pack security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/node03.p12
xpack.security.transport.ssl.truststore.path: certs/node03.p12
EOF

echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch

node04 configuration:

cat > /opt/elasticsearch/config/elasticsearch.yml <EOF
cluster.name: es-cluster
node.name: node04
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
network.host: _bond0_
transport.host: _bond0_
network.publish_host: 10.0.20.24
http.port: 9200
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
cluster.initial_master_nodes: ["node02", "node03", "node04"]

# X-Pack security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/node04.p12
xpack.security.transport.ssl.truststore.path: certs/node04.p12
EOF

echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch
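The three files above differ only in node.name, the published address and the certificate file name, and the HTTP port 9200 is left unencrypted, so the basic-auth credentials used in the curl checks later travel in clear text. The script below is an added example, not part of the original post: it renders the configuration for a given node of the cluster above, using the 7.x setting names, node names in cluster.initial_master_nodes, and TLS on the HTTP layer with the same PKCS#12 file; a small lint rejects the deprecated or ignored keys. Paths and IPs are those of this post; the choice to bind network.host to the IP rather than the interface name is mine. Enabling HTTP TLS additionally requires xpack.security.http.ssl.keystore.secure_password in the keystore (same password as the transport entries), and the later curl checks become https://... with --cacert pointing at the CA certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render one elasticsearch.yml per node
# for the 3-node cluster in the post, with deprecated 7.x keys replaced and TLS on
# both the transport (9300) and the HTTP (9200) layer.
set -eu

# Node name -> IP, from the post's environment table.
node_ip() {
  case "$1" in
    node02) echo 10.0.20.22 ;;
    node03) echo 10.0.20.23 ;;
    node04) echo 10.0.20.24 ;;
    *) echo "unknown node: $1" >&2; return 1 ;;
  esac
}

# render_config NODE OUTFILE
render_config() {
  local node="$1" out="$2" ip
  ip="$(node_ip "$node")"
  cat > "$out" <<EOF
cluster.name: es-cluster
node.name: ${node}
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
# bind to the address from the table rather than the interface name, so the file
# does not depend on the NIC being called bond0
network.host: ${ip}
http.port: 9200
# 7.x names; transport.tcp.port / transport.tcp.compress are deprecated aliases
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
# node names, as the 7.x documentation specifies
cluster.initial_master_nodes: ["node02", "node03", "node04"]

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.keystore.path: certs/${node}.p12
xpack.security.transport.ssl.truststore.path: certs/${node}.p12
# encrypt 9200 as well, otherwise the basic-auth credentials cross the wire in clear text
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/${node}.p12
EOF
}

# lint_config FILE: fail if a deprecated/ignored 7.x key is present or TLS is off
lint_config() {
  local f="$1"
  ! grep -Eq '^(discovery\.zen\.minimum_master_nodes|transport\.tcp\.)' "$f" || return 1
  grep -q '^xpack.security.transport.ssl.enabled: true' "$f" || return 1
  grep -q '^xpack.security.http.ssl.enabled: true' "$f" || return 1
}
```

Usage on a node: render_config node03 /opt/elasticsearch/config/elasticsearch.yml && lint_config /opt/elasticsearch/config/elasticsearch.yml. The lint is deliberately strict about the HTTP layer so a node that silently falls back to plain HTTP is caught before it is started.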

Differences for the ARM build

Note: on ARM Kylin V4 systems two extra settings are needed:

bootstrap.memory_lock: false
bootstrap.system_call_filter: false

Be aware of what the second one does: it disables the seccomp system-call filter that Elasticsearch installs at bootstrap to stop the JVM from spawning processes, a mitigation against code execution through a plugin or script. Set it only where the kernel genuinely lacks seccomp support and the node refuses to start otherwise.

Store the PKCS#12 password on all nodes

The following commands must be run on every node. The systemd unit runs Elasticsearch as the elasticsearch user, so either run them as that user or chown config/elasticsearch.keystore to it afterwards; the node will not start if it cannot read the keystore.

Create the keystore file

./bin/elasticsearch-keystore create

Both of the following commands prompt for the password that was given to certutil with --pass when the PKCS#12 files were generated. The same file serves as keystore and truststore, so enter the same password for both entries.

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
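The two add commands above prompt interactively, which does not script well across three nodes, and the keystore they write belongs to whoever ran them. The following script is an added example, not part of the original post: it reads the certutil password from a root-only file and feeds it to elasticsearch-keystore add --stdin (a documented flag, as is --force) so the value never appears on a command line or in shell history, then hands the keystore to the service account. ES_HOME, the password file and the owner are parameters; the post's values are /opt/elasticsearch and elasticsearch.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): store the PKCS#12 password in the
# Elasticsearch keystore on one node without typing it or exposing it in argv.
set -eu

# keystore_add_p12_password ES_HOME PASS_FILE OWNER
#   PASS_FILE: a file holding the password given to certutil --pass, mode 600
#   OWNER:     the account the service runs as (elasticsearch in the post)
keystore_add_p12_password() {
  local es_home="$1" pass_file="$2" owner="$3"
  local ks="$es_home/bin/elasticsearch-keystore"
  local setting

  # refuse a password file that other users can read
  [ "$(stat -c %a "$pass_file")" = "600" ] || {
    echo "$pass_file must be mode 600" >&2; return 1; }

  [ -f "$es_home/config/elasticsearch.keystore" ] || "$ks" create

  for setting in xpack.security.transport.ssl.keystore.secure_password \
                 xpack.security.transport.ssl.truststore.secure_password; do
    # --stdin reads the value from standard input, so it is never part of argv;
    # --force overwrites an existing entry without prompting
    "$ks" add --stdin --force "$setting" < "$pass_file"
  done

  # the keystore was written by the invoking user; the service account must read it
  chown "$owner" "$es_home/config/elasticsearch.keystore"
  chmod 600 "$es_home/config/elasticsearch.keystore"
}

# keystore_has_p12_password ES_HOME: 0 if both secure settings are present
keystore_has_p12_password() {
  local out
  out="$("$1/bin/elasticsearch-keystore" list)"
  printf '%s\n' "$out" | grep -q '^xpack.security.transport.ssl.keystore.secure_password$' &&
  printf '%s\n' "$out" | grep -q '^xpack.security.transport.ssl.truststore.secure_password$'
}
```

On a node: keystore_add_p12_password /opt/elasticsearch /root/es-p12.pass elasticsearch, then keystore_has_p12_password /opt/elasticsearch to confirm both entries exist (elasticsearch-keystore list prints setting names only, never values). Delete the password file once all nodes are done.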

Create the same user on every ES node

Command: ./bin/elasticsearch-users useradd username -p password -r superuser

-r sets the role; superuser is the built-in administrator role. This tool writes to the file realm (config/users and config/users_roles), which is local to each node and not replicated, so the command must be run with identical values on every node. The password given with -p ends up in the shell history and process list; omit -p and the tool prompts for it instead. superuser is convenient for this test, but applications should get a dedicated role with only the indices and privileges they need.

./bin/elasticsearch-users useradd test -p password123 -r superuser

Start and verify

Start elasticsearch on all nodes:

systemctl start elasticsearch

Check

What to look for: a request to 9200 without credentials is now rejected with HTTP 401, a request with the user created above succeeds, and _cat/nodes lists all three nodes with the elected master marked *. On 9300, a TLS handshake (for example with openssl s_client) should complete and present the node certificate. Note that HTTP TLS is not enabled in this setup, so the basic-auth credentials in the curl commands below are sent in clear text; run them only from a trusted network, or enable xpack.security.http.ssl as well.

[root@node03 elasticsearch]# curl -utest:password123 10.0.20.23:9200
{
  "name" : "node03",
  "cluster_name" : "es-cluster",
  "cluster_uuid" : "e6TnuPWdQ8Wct5HMH-GAsg",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
    "build_date" : "2020-06-14T19:35:50.234439Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[root@node02 elasticsearch]# curl -utest:password123 10.0.20.22:9200/_cat/nodes?v
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.20.22           42          92   1    0.00    0.04     0.12 dilmrt    *      node02
10.0.20.23           63          89   1    0.10    0.16     0.19 dilmrt    -      node03
10.0.20.24           39          89  20    0.52    0.61     0.28 dilmrt    -      node04

