1. ElasticSearch Series: Cluster Deployment and Authentication

I. Cluster deployment

Step 1: Install the JDK

JDK 1.8+ is required, but installing it is optional since ES ships with its own JDK.

Step 2: System configuration

2.1 Disable swap

    sudo swapoff -a

2.2 Raise the open-file limit

    Edit /etc/security/limits.conf and set nofile to 65536,
    or run:
    echo "* soft nofile 65536" >> /etc/security/limits.conf
    echo "* hard nofile 65536" >> /etc/security/limits.conf
    echo "elasticsearch soft memlock unlimited" >> /etc/security/limits.conf
    echo "elasticsearch hard memlock unlimited" >> /etc/security/limits.conf

2.3 Virtual memory

    Takes effect immediately: sysctl -w vm.max_map_count=262144
    Persistent: edit /etc/sysctl.conf and set vm.max_map_count=262144
    Verify: sysctl vm.max_map_count

2.4 Thread count

    As root, run: ulimit -u 4096
    or
    edit /etc/security/limits.conf and set nproc to 4096:
    echo "* soft nproc 4096" >> /etc/security/limits.conf
    echo "* hard nproc 4096" >> /etc/security/limits.conf
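The limits.conf commands above append with `>>`, so running them a second time leaves duplicate lines. The helpers below are an added example, not from the original post: each limit is written only when no line for that domain/type/item already exists, the file path is a parameter so the script can be tried on a scratch copy before touching /etc/security/limits.conf, and the running vm.max_map_count value is checked against the 262144 minimum. Function names are my own.

```shell
# ensure_limit FILE DOMAIN TYPE ITEM VALUE
# Appends "<domain> <type> <item> <value>" to FILE unless a non-comment line
# with the same domain/type/item is already present (idempotent).
ensure_limit() {
    file=$1; domain=$2; type=$3; item=$4; value=$5
    # Field-based match, so extra spacing or tabs in existing lines do not matter.
    if awk -v d="$domain" -v t="$type" -v i="$item" \
           '!/^[[:space:]]*#/ && $1==d && $2==t && $3==i { found=1 } END { exit !found }' \
           "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s %s %s %s\n' "$domain" "$type" "$item" "$value" >> "$file"
}

# count_limit FILE DOMAIN TYPE ITEM : number of non-comment lines for that key
count_limit() {
    awk -v d="$2" -v t="$3" -v i="$4" \
        '!/^[[:space:]]*#/ && $1==d && $2==t && $3==i { n++ } END { print n+0 }' "$1"
}

# apply_es_limits FILE : the nofile, memlock and nproc settings from steps 2.2 and 2.4
apply_es_limits() {
    ensure_limit "$1" '*' soft nofile 65536
    ensure_limit "$1" '*' hard nofile 65536
    ensure_limit "$1" elasticsearch soft memlock unlimited
    ensure_limit "$1" elasticsearch hard memlock unlimited
    ensure_limit "$1" '*' soft nproc 4096
    ensure_limit "$1" '*' hard nproc 4096
}

# max_map_count_ok : returns 0 when the kernel's current value is at least 262144
max_map_count_ok() {
    cur=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)
    [ "$cur" -ge 262144 ]
}

# Usage on a real host (as root):
#   apply_es_limits /etc/security/limits.conf
#   max_map_count_ok || sysctl -w vm.max_map_count=262144
```

Limits from limits.conf apply to new login sessions only, so log in again as the elasticsearch user (or reboot) before checking with `ulimit -n` and `ulimit -l`.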

Step 3: Create the user and set its password

    useradd elasticsearch
    passwd elasticsearch

Step 4: Installation directories

4.1 Create the package directory

mkdir -p /home/software

4.2 Upload the archives and extract them

tar zxvf <ES-package>.tar.gz
tar xf elasticsearch-7.6.2-linux-x86_64.tar.gz -C /usr/local
tar xf kibana-7.6.2-linux-x86_64.tar.gz -C /usr/local

4.3 Data and log locations

  • ES install directory: /usr/local
  • ES_HOME: /usr/local/elasticsearch-7.6.2
  • Data directory: /home/elasticsearch/data
  • Log directory: /home/elasticsearch/logs
  • Config directory: /home/elasticsearch/config

mkdir -p /home/elasticsearch/data /home/elasticsearch/logs /home/elasticsearch/config

4.4 Copy the config directory

cp /usr/local/elasticsearch-7.6.2/config/* /home/elasticsearch/config

Step 5: Basic ES configuration

5.1 Open elasticsearch.yml

# Edit the copy under /home/elasticsearch/config: the start script sets ES_PATH_CONF to that
# directory, so the original under /usr/local/elasticsearch-7.6.2/config is never read.
vi /home/elasticsearch/config/elasticsearch.yml

5.2 Edit elasticsearch.yml

# cluster name
cluster.name: shenjian
# data directory
path.data: /home/elasticsearch/data
# log directory
path.logs: /home/elasticsearch/logs
# lock the heap in memory at startup (requires the memlock limits from step 2.2)
bootstrap.memory_lock: true
# hosts contacted at startup to join the cluster; all nodes may be listed
discovery.seed_hosts: ["192.168.0.6", "192.168.0.7", "192.168.0.8"]
# nodes eligible to become master during the initial cluster bootstrap
cluster.initial_master_nodes: ["192.168.0.6", "192.168.0.7", "192.168.0.8"]

5.3 Edit jvm.options (in the same config directory)

-Xms20g
-Xmx20g

# GC log path: the Java 8 line (prefix 8:) and the file= part of the Java 9+ line (prefix 9-:)
8:-Xloggc:/home/elasticsearch/logs/gc.log
file=/home/elasticsearch/logs/gc.log

Step 6: Create the start script

start_elasticsearch.sh (saved as /home/elasticsearch/start_elasticsearch.sh, see step 7)

#!/bin/bash
### ES install directory
ES_HOME="/usr/local/elasticsearch-7.6.2"
### ES config directory
export ES_PATH_CONF="/home/elasticsearch/config"
# stop a node that is already running; skip the kill when none is found
pid=$(ps ax | grep elasticsearch | grep java | head -1 | awk '{print $1}')
if [ -n "$pid" ]; then
    kill -9 "$pid"
    echo "kill -9 $pid success"
fi
ulimit -u 4096
#IP=$(ifconfig | grep "inet addr:" | grep 192.168.0 | sed '/127/d' | awk '{print $2}' | awk -F : '{print $2}')
#echo $IP
IP=192.168.0.6
# -d runs ES as a daemon; node name and bind address are derived from this host's IP
"$ES_HOME"/bin/elasticsearch -d -Enode.name="HOST${IP}" -Enetwork.host="${IP}"

Step 7: Set ownership and start

chown -R elasticsearch:elasticsearch /home/elasticsearch
chmod +x /home/elasticsearch/start_elasticsearch.sh
# run as the elasticsearch user: ES refuses to start as root
./start_elasticsearch.sh

Step 8: Verify that the cluster is up

curl http://192.168.0.8:9200/_cat/nodes?pretty

The output lists the three nodes (the * marks the elected master):
192.168.0.7 10 78  0 0.11 0.05 0.06 dilm * HOST192.168.0.7
192.168.0.8 17 79  1 0.02 0.02 0.05 dilm - HOST192.168.0.8
192.168.0.6 16 87 29 0.77 0.38 0.18 dilm - HOST192.168.0.6
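As an added example that is not part of the original post, the shell functions below check `_cat/nodes` output the way one would after bootstrapping: the expected number of nodes answered and exactly one of them carries the `*` master marker (column 9 of the default output, after the node.role column). The sample text is constructed from the post's three-node output; function names are my own.

```shell
# Constructed sample, matching the post's three-node cluster output.
NODES_SAMPLE='192.168.0.7 10 78  0 0.11 0.05 0.06 dilm * HOST192.168.0.7
192.168.0.8 17 79  1 0.02 0.02 0.05 dilm - HOST192.168.0.8
192.168.0.6 16 87 29 0.77 0.38 0.18 dilm - HOST192.168.0.6'

# node_count : number of non-empty lines on stdin (one per node)
node_count() {
    awk 'NF { n++ } END { print n+0 }'
}

# master_count : lines whose master column (field 9) is "*"
master_count() {
    awk 'NF && $9 == "*" { n++ } END { print n+0 }'
}

# master_node : node name (field 10) of the elected master, empty if none
master_node() {
    awk 'NF && $9 == "*" { print $10; exit }'
}

# check_cluster EXPECTED : reads `_cat/nodes` text on stdin; returns 0 when the
# expected number of nodes answered and exactly one of them is the elected master.
# Fewer nodes means a node failed to join; zero masters means the cluster never
# bootstrapped (check cluster.initial_master_nodes and the firewall).
check_cluster() {
    expected=$1
    input=$(cat)
    nodes=$(printf '%s\n' "$input" | node_count)
    masters=$(printf '%s\n' "$input" | master_count)
    [ "$nodes" -eq "$expected" ] && [ "$masters" -eq 1 ]
}

# fetch_nodes HOST : live query; add -u elastic once authentication is enabled (part II)
fetch_nodes() {
    curl -s "http://$1:9200/_cat/nodes"
}

# Usage against a live cluster:
#   fetch_nodes 192.168.0.8 | check_cluster 3 && echo "cluster healthy"
```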

Problems encountered

Warning thrown on older CentOS versions

java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
	at org.elasticsearch.bootstrap.SystemCallFilter.linuxImpl(SystemCallFilter.java:341) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.SystemCallFilter.init(SystemCallFilter.java:616) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.JNANatives.tryInstallSystemCallFilter(JNANatives.java:258) [elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.Natives.tryInstallSystemCallFilter(Natives.java:113) [elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:110) [elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:172) [elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) [elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.2.4.jar:6.2.4]
	at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.2.4.jar:6.2.4]
	
Solution:

Add the following to elasticsearch.yml (the second line skips installing the seccomp filter the warning refers to, so the node runs without that system-call sandbox):
    bootstrap.memory_lock: false
    bootstrap.system_call_filter: false

java.io.IOException: No route to host

Caused by: java.io.IOException: No route to host
at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) ~[?:?]
	at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:715) ~[?:?]
	at io.netty.channel.socket.nio.NioSocketChannel.doFinishConnect(NioSocketChannel.java:330) ~[netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:334) ~[netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:688) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:600) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:554) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:514) ~[?:?]
	at io.netty.util.concurrent.SingleThreadEventExecutor$6.run(SingleThreadEventExecutor.java:1050) ~[?:?]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_281]
	
This occurred on 192.168.0.6; checking the firewall showed it was configured differently from the other two machines
    firewall-cmd --state # check firewall status
    systemctl stop firewalld.service # stop the firewall
    systemctl disable firewalld.service # do not start it at boot
    OK, solved

II. Authentication

1. Create the keystore on the master node

export ES_PATH_CONF="/home/elasticsearch/config" && /usr/local/elasticsearch-7.6.2/bin/elasticsearch-keystore create

2. Enable TLS on all nodes

2.1 Generate the CA: elastic-stack-ca.p12

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-certutil ca --days 36500

## At the prompt "Please enter the desired output file [elastic-stack-ca.p12]:", enter the full path
/home/elasticsearch/config/certs/elastic-stack-ca.p12

2.2 Generate the node certificate: elastic-certificates.p12

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-certutil cert --days 36500 --ca /home/elasticsearch/config/certs/elastic-stack-ca.p12

## At the prompt "Enter password for CA (/home/elasticsearch/config/certs/elastic-stack-ca.p12) :", enter the CA password set in 2.1;
## then at "Please enter the desired output file [elastic-certificates.p12]:", enter the full path
/home/elasticsearch/config/certs/elastic-certificates.p12

2.3 Add the certificate password to elasticsearch-keystore

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

2.4 Copy the two certificates and the keystore (which holds the passwords) to the other cluster nodes

scp -r /home/elasticsearch/config/certs elasticsearch@192.168.0.8:/home/elasticsearch/config/
scp /home/elasticsearch/config/elasticsearch.keystore elasticsearch@192.168.0.8:/home/elasticsearch/config/
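The files copied in this step carry the CA private key, the node key and the keystore passwords, so they should be readable by the elasticsearch user only, both before the scp and after they land on each node. The check below is an added example, not from the original post; it assumes GNU stat (as on the CentOS hosts here) and the layout used in this post (elasticsearch.keystore plus certs/*.p12 under the config directory). Function names are my own.

```shell
# file_mode FILE : octal permission bits as printed by GNU stat, e.g. 600
file_mode() {
    stat -c '%a' "$1"
}

# secret_perms_ok FILE : returns 0 when neither group nor others have any access
secret_perms_ok() {
    mode=$(file_mode "$1") || return 1
    # keep the last three digits (drops a leading setuid/setgid/sticky digit)
    mode=${mode#"${mode%???}"}
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    [ "$group" = "0" ] && [ "$other" = "0" ]
}

# check_es_secrets CONFDIR : report every secret-bearing file under CONFDIR;
# returns non-zero if any of them is group- or world-accessible
check_es_secrets() {
    rc=0
    for f in "$1/elasticsearch.keystore" "$1"/certs/*.p12; do
        [ -e "$f" ] || continue
        if secret_perms_ok "$f"; then
            echo "ok   $f ($(file_mode "$f"))"
        else
            echo "WEAK $f ($(file_mode "$f")) - fix with: chmod 600 $f"
            rc=1
        fi
    done
    return $rc
}

# Usage, on the master before copying and on every node afterwards:
#   check_es_secrets /home/elasticsearch/config
```

Run it on the destination node as well, since the ownership set in step 7 (`chown -R elasticsearch:elasticsearch`) does not by itself tighten the mode bits.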

2.5 Add the following to elasticsearch.yml on all nodes

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

3. Set passwords on the master node

export ES_PATH_CONF="/home/elasticsearch/config" && IP="192.168.0.7" && name="HOST192.168.0.7" && /usr/local/elasticsearch-7.6.2/bin/elasticsearch-setup-passwords interactive -Enode.name="$name" -Enetwork.host="$IP"

Note:
1. This sets login passwords for elasticsearch, logstash and kibana in turn (the default usernames are elastic for ES, logstash_system for Logstash and kibana for Kibana).

2. These built-in users are stored in .security, a special index managed by X-Pack security. If a password is changed or a user is disabled, the change is automatically reflected on every node in the cluster. This also means that if your .security index is deleted or restored from a snapshot, any changes you made are lost.

4. Verify authentication

4.1 Without credentials

Request: curl http://192.168.0.8:9200/_cat/nodes?pretty
Response:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication credentials for REST request [/_cat/nodes?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication credentials for REST request [/_cat/nodes?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

4.2 With username and password

curl -u elastic http://192.168.0.8:9200/_cat/nodes?pretty
Enter host password for user 'elastic':
192.168.0.7 10 78 6 0.02 0.13 0.13 dilm * HOST192.168.0.7
192.168.0.8  9 77 4 0.00 0.08 0.10 dilm - HOST192.168.0.8

4.3 Check certificate validity

curl -u elastic http://IP:9200/_ssl/certificates?pretty
(Screenshot of the response omitted; it lists each certificate with its expiry date.)

OK, authentication is now configured.

Follow the WeChat public account 算法小生 or Shen Jian's tech blog at shenjian.online.
