Link: https://cloud.tencent.com/developer/article/1612794
es.yml
cluster.name: es-cluster
node.name: es-node
network.bind_host: 0.0.0.0
network.host: 172.18.8.118
network.publish_host: 172.18.8.118
http.port: 9201
transport.tcp.port: 9301
transport.port: 9301
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
discovery.zen.ping.unicast.hosts: ["172.18.8.118:9300","172.18.8.118:9301"]
discovery.zen.minimum_master_nodes: 2
cluster.initial_master_nodes: master
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true
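The configuration above turns on authentication and transport TLS but leaves several related options at weaker values. The following audit is an added example, not part of the original article; SAMPLE_YML is a subset of the es.yml above, and the choice of checks is an assumption of this example.

```python
# Added example (not from the original page): audit a flat elasticsearch.yml.
# SAMPLE_YML is a subset of the es.yml above; the check list is an assumption.
SAMPLE_YML = """\
network.bind_host: 0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.audit.enabled: true
"""


def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines, which is all this file format uses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings):
    """Return (setting, finding) pairs for options that weaken the cluster."""
    def enabled(key):
        return settings.get(key, "false").lower() == "true"

    findings = []
    if not enabled("xpack.security.enabled"):
        findings.append(("xpack.security.enabled", "authentication is disabled"))
    if not enabled("xpack.security.transport.ssl.enabled"):
        findings.append(("xpack.security.transport.ssl.enabled",
                         "node-to-node traffic is not encrypted"))
    if not enabled("xpack.security.http.ssl.enabled"):
        findings.append(("xpack.security.http.ssl.enabled",
                         "REST API is plain HTTP, so passwords travel in clear text"))
    mode = settings.get("xpack.security.transport.ssl.verification_mode", "full")
    if mode != "full":
        findings.append(("xpack.security.transport.ssl.verification_mode",
                         f"'{mode}' does not check the peer's hostname"))
    if enabled("http.cors.enabled") and settings.get("http.cors.allow-origin") == "*":
        findings.append(("http.cors.allow-origin",
                         "any web origin may call the REST API from a browser"))
    if settings.get("network.bind_host") == "0.0.0.0":
        findings.append(("network.bind_host", "listens on every interface"))
    return findings
```

Calling `audit(parse_flat_yaml(SAMPLE_YML))` reports four settings: HTTP TLS, the verification mode, the CORS origin and the bind address.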
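About the certificate elastic-certificates.p12
Elasticsearch provides a tool for generating certificates, elasticsearch-certutil. We can generate the certificate inside a Docker instance, copy it out, and then use the same file everywhere. First, start an ES instance: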
sudo docker run -dit --name=es elasticsearch:7.6.2 /bin/bash
Enter the instance:
sudo docker exec -it es /bin/bash
Generate the CA: elastic-stack-ca.p12
[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
Then generate the cert: elastic-certificates.p12
[root@25dee1848942 elasticsearch]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
The generated elastic-certificates.p12 is the file we need.
Copy the certificate out; press Ctrl+D to leave the container:
sudo docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 .
# Stop and remove this container
sudo docker kill es
sudo docker rm es
We now have the certificate.
Remember: elastic-certificates.p12 must be granted permissions with sudo chmod 777 elastic-certificates.p12
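elastic-certificates.p12 holds the node's private key, and mode 777 lets every local account on the Docker host read and replace it. The check below is an added example, not part of the original article; it assumes the container process runs as uid 1000 (the default in the official Elasticsearch image), in which case owner 1000 with mode 640 is enough for the bind-mounted file to be readable.

```python
# Added example (not from the original page): check who can read or modify a
# keystore file. ES_UID = 1000 is an assumption taken from the official image.
import os
import stat
import tempfile

ES_UID = 1000  # uid of the elasticsearch user inside the official image


def audit_keystore(path, expected_uid=ES_UID):
    """Return findings for a file that holds a private key."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can replace the key material")
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local user can copy the private key")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable bits set on a data file")
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} is not {expected_uid}")
    return findings


def demo():
    """Compare mode 777 with mode 640 on a constructed stand-in file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "elastic-certificates.p12")
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real PKCS#12 file")
        uid = os.getuid()  # stand-in owner so the demo runs without chown
        os.chmod(path, 0o777)
        loose = audit_keystore(path, expected_uid=uid)
        os.chmod(path, 0o640)
        tight = audit_keystore(path, expected_uid=uid)
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    print("777:", loose)
    print("640:", tight)
```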
Startup script start.sh
mkdir data1
mkdir data2
# Grant 777 permissions
chmod 777 data1 data2
VOLUME1='-v /var/nlp/ES/config/es1.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /var/nlp/ES/data1:/usr/share/elasticsearch/data -v /var/nlp/ES/plugins:/usr/share/elasticsearch/plugins -v /var/nlp/ES/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12'
VOLUME2='-v /var/nlp/ES/config/es2.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /var/nlp/ES/data2:/usr/share/elasticsearch/data -v /var/nlp/ES/plugins:/usr/share/elasticsearch/plugins -v /var/nlp/ES/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12'
docker run -e ES_JAVA_OPTS="-Xms1g -Xmx1g" -d -p 9200:9200 -p 9300:9300 $VOLUME1 --name ES_0 elasticsearch:7.8.1
docker run -e ES_JAVA_OPTS="-Xms1g -Xmx1g" -d -p 9201:9201 -p 9301:9301 $VOLUME2 --name ES_1 elasticsearch:7.8.1
Generating passwords
First start the ES cluster, then generate the passwords from inside it.
sudo docker-compose up
Then enter one of the nodes:
sudo docker exec -it es01 /bin/bash
Use auto to generate the passwords, or interactive to set them yourself.
[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords -h
Sets the passwords for reserved users
Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user
Non-option arguments:
command
Option             Description
------             -----------
-E <KeyValuePair>  Configure a setting
-h, --help         Show help
-s, --silent       Show minimal output
-v, --verbose      Show verbose output
[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = YxVzeT9B2jEDUjYp66Ws
Changed password for user kibana
PASSWORD kibana = 8NnThbj0N02iDaTGhidU
Changed password for user logstash_system
PASSWORD logstash_system = 9nIDGe7KSV8SQidSk8Dj
Changed password for user beats_system
PASSWORD beats_system = qeuVaf1VEALpJHfEUOjJ
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = DtZCrCkVTZsinRn3tW3D
Changed password for user elastic
PASSWORD elastic = q5f2qNfUJQyvZPIz57MZ
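Using the passwords
Opening localhost:9200/9201/9202 in a browser now prompts for an account.
Enter elastic and its corresponding password.
Open localhost:5601 in a browser.
Connecting from Python
A "missing authentication token" error means that you must authenticate before talking to this Elasticsearch instance. Put the username and password in the URL: http://user:password@hostname:port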
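# ESUtility and index are not defined on this page.
host = ["http://elastic:r9tjP4A9wOhBmOmCQFVX@172.18.8.8:9200", "http://elastic:r9tjP4A9wOhBmOmCQFVX@172.18.8.8:9201"]
# host is already a list, so it is passed directly instead of through eval().
ESUtility(hosts=host, index=index)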
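A password embedded in the host URL ends up in source control, tracebacks and logs. The following is an added example, not part of the original article: it separates the credentials from the URLs, takes the password from the environment, and produces a log-safe form of each URL. ES_PASSWORD is a hypothetical variable name and the sample URL is constructed; the returned dictionary matches the `hosts` and `http_auth` arguments of the elasticsearch-py 7.x `Elasticsearch` client.

```python
# Added example (not from the original page): keep the password out of host URLs.
# ES_PASSWORD is a hypothetical environment variable name.
import os
from urllib.parse import urlsplit, urlunsplit


def split_credentials(url):
    """Return (url_without_userinfo, (user, password) or None)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    auth = (parts.username, parts.password or "") if parts.username else None
    return clean, auth


def redact(url):
    """Form of the URL that is safe to log: user kept, password masked."""
    clean, auth = split_credentials(url)
    if auth is None:
        return clean
    scheme, rest = clean.split("://", 1)
    return f"{scheme}://{auth[0]}:***@{rest}"


def client_kwargs(urls, env=os.environ):
    """Build kwargs for elasticsearch-py 7.x: Elasticsearch(**client_kwargs(urls))."""
    hosts, user = [], "elastic"
    for url in urls:
        clean, auth = split_credentials(url)
        hosts.append(clean)
        if auth:
            user = auth[0]  # keep the user name, discard the URL password
    return {"hosts": hosts, "http_auth": (user, env["ES_PASSWORD"])}


if __name__ == "__main__":
    sample = "http://elastic:CONSTRUCTED-secret@172.18.8.8:9200"  # constructed
    print(redact(sample))
```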