ES 6.8.5 cluster deployment (using X-Pack SSL)


Installation steps (6.8.5 using X-Pack SSL)

1.1 Environment

Database deployment

Node      IP               Role
Host01    192.168.1.134
Host02    192.168.1.135
Host03    192.168.1.85

1.2 Install Java

Install Java and make sure the version is 1.8 or later

[root@localhost ~]# java -version

java version "1.8.0_151"

Java(TM) SE Runtime Environment (build 1.8.0_151-b12)

Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)

The installation steps are omitted here.

Java must be installed on every machine.

 

1.3 Create a non-root user

Because ES cannot be started as the root user, a non-root user has to be created; here I create the crate user

# useradd yeemiao

 

 

1.4 Configure environment variables for the non-root user (yeemiao)

 

[crate@localhost ~]$ more .bash_profile

# .bash_profile

 

# Get the aliases and functions

if [ -f ~/.bashrc ]; then

        . ~/.bashrc

fi

 

# User specific environment and startup programs

JAVA_HOME=/usr/local/jdk1.8.0_151

PATH=$JAVA_HOME/bin:$PATH:$HOME/bin

 

export PATH

[crate@local

 

 

1.5 Modify /etc/security/limits.conf and sysctl

Add the following two entries at the end of that file, then log out and log back in

*        hard    nofile           65536

*        soft    nofile           65536

 

 

[root@localhost /]# sysctl -w vm.max_map_count=262144

 

1.6 Download the installation media

Download URL: https://www.elastic.co/downloads/elasticsearch; here I downloaded elasticsearch-6.8.5.tar.gz

 

 

1.7 Extract and install

Install on every machine

[root@localhost soft]# tar -xvf elasticsearch-6.8.5.tar.gz

[root@localhost soft]# mv elasticsearch-6.8.5 /home/yeemiao/elasticsearch685_jq

[root@localhost soft]# cd /home/yeemiao

[root@localhost yeemiao]# chown -R yeemiao.yeemiao ./elasticsearch685_jq

 

1.8 Create the required directories

Run this on every machine

[root@localhost yeemiao]# su - yeemiao

[yeemiao@localhost ~]$ cd elasticsearch685_jq

[yeemiao@localhost elasticsearch685_jq]$ mkdir data

 

This directory is used to store the data files

 

 

1.9 Edit the configuration file

vi /home/yeemiao/elasticsearch685_jq/config/elasticsearch.yml

 

cluster.name: jq685

node.name: node-135

path.data: /home/yeemiao/elasticsearch685_jq/data

path.logs: /home/yeemiao/elasticsearch685_jq/logs

network.host: 192.168.1.135

http.port: 29200

discovery.zen.ping.unicast.hosts: ["192.168.1.134", "192.168.1.135","192.168.1.85"]

discovery.zen.minimum_master_nodes: 2

 

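scp the configuration file to the other machines, then change the parts marked in red accordingly

Change node.name to node-134 and node-85 respectively

Change network.host to the IP address of the corresponding machine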

 

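1.10 JVM configuration

Set this on every machine

Because Elasticsearch is written in Java, JVM settings can be made in the /etc/elasticsearch/jvm.options configuration file (with the tar.gz layout used here, the file is config/jvm.options under the installation directory). Unless you have special requirements, the defaults are fine.

The two most important settings there are -Xmx1g and -Xms1g, the maximum and minimum JVM heap size. If the heap is too small, Elasticsearch stops right after starting; if it is too large, it slows down the system itself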

 

 

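1.11 Set the memory size

Set this on every machine

vi /home/yeemiao/elasticsearch/bin/elasticsearch

# ES_HEAP_SIZE is not read by Elasticsearch 5.0 and later; pass the heap size through ES_JAVA_OPTS
export ES_JAVA_OPTS="-Xms4g -Xmx4g"

Also add the following item to the configuration file elasticsearch.yml:

# bootstrap.mlockall was renamed to bootstrap.memory_lock in 5.0; it also needs an unlimited memlock limit for this user
bootstrap.memory_lock: true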

 

 

 

 

 

1.12 Start

Start Elasticsearch on every machine

[root@localhost opt]# su - yeemiao

[yeemiao@localhost bin]$ cd /home/yeemiao/elasticsearch685_jq/bin

[yeemiao@localhost bin]$ ./elasticsearch -d

 

 

1.13 Use X-Pack to secure access to Elasticsearch

Starting with ES 6.8, X-Pack can be used for free, so it works without cracking

1.13.1  Run elasticsearch-certgen on any one machine

Here I run it on 192.168.1.134

[yeemiao@localhost bin]$ ./elasticsearch-certgen

Please enter the desired output file [certificate-bundle.zip]: cert.zip

Enter instance name: jq685

Enter name for directories and files [jq685]: elasticsearch

Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.1.134,192.168.1.135,192.168.1.85

Enter DNS names for instance (comma-separated if more than one) []: node-134,node-135,node-85

Would you like to specify another instance? Press 'y' to continue entering instance information:

Certificates written to /home/yeemiao/elasticsearch685_jq/bin/cert.zip

 

This file should be properly secured as it contains the private keys for all

instances and the certificate authority.

 

After unzipping the file, there will be a directory for each instance containing

the certificate and private key. Copy the certificate, key, and CA certificate

to the configuration directory of the Elastic product that they will be used for

and follow the SSL configuration instructions in the product guide.

 

For client applications, you may only need to copy the CA certificate and

configure the client to trust this certificate.

 

 

 

Enter instance name: jq685 ## the instance name here can be chosen freely

Enter name for directories and files [jq685]: elasticsearch ## the directory for the SSL files; it can be chosen freely

Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.1.134,192.168.1.135,192.168.1.85  ## the IP of each node

Enter DNS names for instance (comma-separated if more than one) []: node-134,node-135,node-85 ## the node names, i.e. the node.name values defined in the configuration file

 

 

 

 

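1.13.2  Copy the archive cert.zip to the three machines

Copy the archive cert.zip to the /home/yeemiao/elasticsearch685_jq folder on each of the three machines and extract it, which produces the ca and elasticsearch directories, then modify the configuration file elasticsearch.yml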

 

 

 

 

[yeemiao@localhost config]$ scp cert.zip yeemiao@192.168.1.135:/home/yeemiao/elasticsearch685_jq/config/

[yeemiao@localhost config]$ scp cert.zip yeemiao@192.168.1.85:/home/yeemiao/elasticsearch685_jq/config/

Extract

bash-4.2$ cd /home/yeemiao/elasticsearch685_jq/config/

bash-4.2$ unzip cert.zip
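
An added example, not part of the original post: the certgen output above warns that the bundle holds the private keys, and this script tightens permissions on the unzipped files and reports what should not remain on a node. The function names and status codes are assumptions made for the example, and it assumes the ca/ and elasticsearch/ layout from 1.13.1.

```shell
# Added example, not from the original post. Assumes the layout described in
# 1.13.1: ca/ and elasticsearch/ unzipped under the config directory.

# Tightens permissions and prints one LEFTOVER line per file that should not
# stay on a node. Status: 0 clean, 1 leftovers found, 2 required file missing.
harden_cert_dir() {
    conf_dir=$1
    # A node needs only the CA certificate, its certificate and its private key.
    for f in ca/ca.crt elasticsearch/elasticsearch.crt elasticsearch/elasticsearch.key; do
        if [ ! -f "$conf_dir/$f" ]; then
            echo "MISSING $f"
            return 2
        fi
    done
    chmod 700 "$conf_dir/ca" "$conf_dir/elasticsearch"
    chmod 600 "$conf_dir/elasticsearch/elasticsearch.key"
    chmod 644 "$conf_dir/ca/ca.crt" "$conf_dir/elasticsearch/elasticsearch.crt"

    leftovers=0
    # ca/ca.key (if the bundle shipped one) can sign certificates for new nodes;
    # cert.zip holds every private key, as the certgen output warns.
    for f in ca/ca.key cert.zip; do
        if [ -f "$conf_dir/$f" ]; then
            chmod 600 "$conf_dir/$f"
            echo "LEFTOVER $f: move it to protected storage off this node"
            leftovers=$((leftovers + 1))
        fi
    done
    [ "$leftovers" -eq 0 ]
}

# Constructed demo tree standing in for one node's config directory.
demo_cert_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/ca" "$d/elasticsearch"
    for f in ca/ca.crt ca/ca.key elasticsearch/elasticsearch.crt \
             elasticsearch/elasticsearch.key cert.zip; do
        echo "placeholder" > "$d/$f"
        chmod 644 "$d/$f"
    done
    echo "$d"
}

[ $# -eq 0 ] || harden_cert_dir "$1"   # usage: sh harden.sh /path/to/config
```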

 

1.13.3  Edit the configuration file

On every machine, append the following to the end of the configuration file:

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.ssl.key: elasticsearch/elasticsearch.key

xpack.ssl.certificate: elasticsearch/elasticsearch.crt

xpack.ssl.certificate_authorities: ca/ca.crt

 

 

1.13.4  Restart

 

 

1.13.5  Set the passwords

Run this on one of the machines; here I run it on 192.168.1.134, and I set all the passwords to elastic

[yeemiao@localhost bin]$ ./elasticsearch-setup-passwords interactive

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.

You will be prompted to enter passwords as the process progresses.

Please confirm that you would like to continue [y/N]y

 

 

Enter password for [elastic]:

Reenter password for [elastic]:

Enter password for [apm_system]:

Reenter password for [apm_system]:

Enter password for [kibana]:

Reenter password for [kibana]:

Enter password for [logstash_system]:

Reenter password for [logstash_system]:

Enter password for [beats_system]:

Reenter password for [beats_system]:

Enter password for [remote_monitoring_user]:

Reenter password for [remote_monitoring_user]:

Changed password for user [apm_system]

Changed password for user [kibana]

Changed password for user [logstash_system]

Changed password for user [beats_system]

Changed password for user [remote_monitoring_user]

Changed password for user [elastic]

 

 

 

1.14 Verification

curl -u elastic:elastic 'http://192.168.1.134:29200/_cat/nodes?v'

curl -u elastic:elastic 'http://192.168.1.135:29200/_cat/nodes?v'

curl -u elastic:elastic 'http://192.168.1.85:29200/_cat/nodes?v'

curl -u elastic:elastic 'http://192.168.1.134:29200/_cat/health?v'
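
An added example, not part of the original post: the settings in 1.13.3 enable TLS only between nodes, so the curl checks above send the elastic password over plain HTTP. This script audits an elasticsearch.yml for that and related settings; the function names and the sample file are constructed for the example.

```shell
# Added example, not from the original post: audit the X-Pack settings of 1.13.3.
# Value of a flat "key: value" setting; empty if absent or commented out.
yml_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^$key_re:[[:space:]]*\([^[:space:]#]*\).*\$/\1/p" "$1" | tail -n 1
}

# Prints one FINDING line per problem; the exit status is the number of findings.
audit_es_security() {
    yml=$1
    findings=0
    for key in xpack.security.enabled xpack.security.transport.ssl.enabled; do
        if [ "$(yml_get "$yml" "$key")" != "true" ]; then
            echo "FINDING $key is not true"
            findings=$((findings + 1))
        fi
    done
    # verification_mode none switches off certificate checks between nodes.
    if [ "$(yml_get "$yml" xpack.security.transport.ssl.verification_mode)" = "none" ]; then
        echo "FINDING transport certificates are not verified"
        findings=$((findings + 1))
    fi
    # Without HTTP-layer TLS, basic-auth headers (curl -u in 1.14) travel in clear text.
    host=$(yml_get "$yml" network.host)
    if [ "$(yml_get "$yml" xpack.security.http.ssl.enabled)" != "true" ]; then
        case "$host" in
            ""|localhost|127.*|_local_) ;;   # loopback only
            *) echo "FINDING xpack.security.http.ssl.enabled is not true: $host takes passwords over plain HTTP"
               findings=$((findings + 1)) ;;
        esac
    fi
    return "$findings"
}

# Constructed sample: the settings shown on this page, written to a temp file.
sample_page_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
network.host: 192.168.1.135
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt
EOF
    echo "$f"
}

[ $# -eq 0 ] || audit_es_security "$1"   # usage: sh audit.sh elasticsearch.yml
```

With xpack.security.http.ssl.enabled: true set, the checks in 1.14 would use https:// and curl's --cacert option pointing at ca/ca.crt.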

