OpenSearch2.17集群部署

fanchael_kui

已于 2024-12-13 09:03:19 修改

阅读量1.3k

点赞数 23

文章标签： linux 运维服务器大数据 opensearch

于 2024-11-20 17:52:29 首次发布

本文链接：https://blog.csdn.net/fanshukui/article/details/143916873

版权

一、下载并解压 OpenSearch 的压缩包

1、下载 OpenSearch

wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.17.1/opensearch-2.17.1-linux-x64.tar.gz

2、解压压缩包

tar -zxvf opensearch-2.17.1-linux-x64.tar.gz

3、进入 OpenSearch 目录

cd opensearch-2.17.1

二、OpenSearch环境配置

1、配置jdk环境变量（可忽略）

系统未配置环境变量的话，默认使用opensearch-2.17.1下自带的jdk，版本为21.0.4

OpenSearch已经在所有兼容的Java版本上进行了测试，2.17最小版本为11：

参考官方：Installing OpenSearch - OpenSearch Documentation

OpenSearch Version	Compatible Java Versions	Bundled Java Version
1.0–1.2.x	11, 15	15.0.1+9
1.3.x	8, 11, 14	11.0.24+8
2.0.0–2.11.x	11, 17	17.0.2+8
2.12.0+	11, 17, 21	21.0.4+7

echo 'export JAVA_HOME=/data/opensearch/opensearch-2.17.1/jdk' | sudo tee -a /etc/profile
echo 'export PATH=$PATH:$JAVA_HOME/bin' | sudo tee -a /etc/profile
echo 'export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar' | sudo tee -a /etc/profile
#生效环境变量
source /etc/profile

也可只设置OPENSEARCH_JAVA_HOME：

export OPENSEARCH_JAVA_HOME=/path/to/opensearch-2.18.0/jdk

2、新增opensearch用户

使用root用户，是不允许启动服务的，java.lang.RuntimeException: can not run opensearch as root，所以需要新增一个用户

adduser opensearch

3、安装openssl

OpenSearch是自带opensearch-security插件，需要配置TLS certificates证书，生成证书需要用到openssl。

sudo yum install openssl

windows下安装，请参考：Windows下载及安装OpenSSL_openssl下载windows版-CSDN博客

三、修改OpenSearch配置文件

配置文件位于 config/ 目录下

1、修改jvm.options配置

修改此文件主要是调整-Xms和-Xmx的大小，默认为1g，建议设置为机器内存大小的一半，不要超过32g。

2、通过openssl生成TLS证书

证书在config/目录下生成，方便后续配置使用。

参考官方文档：Generating self-signed certificates - OpenSearch Documentation

#!/bin/sh
# Root CA
openssl genrsa -out root-ca-key.pem 2048
openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=root.dns.a-record" -out root-ca.pem -days 730
# Admin cert（在初始化securityadmin时用到）
openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
# Node cert 1（配置到opensearch.yml文件中）
openssl genrsa -out node1-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem
openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record" -out node1.csr
echo 'subjectAltName=DNS:node1.dns.a-record' > node1.ext
openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext

# Cleanup
rm admin-key-temp.pem
rm admin.csr
rm node1-key-temp.pem
rm node1.csr
rm node1.ext

根据部署的node节点个数，生成对应个数的证书，如node1.pem。需要注意的是，多个node节点的证书要使用同一个Root CA的相关文件。

3、修改opensearch.yml配置文件

# Use a descriptive name for your cluster:
cluster.name: YonSearch-Test
# Use a descriptive name for the node:
node.name: node01
#node.roles: [cluster_manager ,data, ingest]
# Path to directory where to store the data (separate multiple locations by comma):
path.data: /data/opensearch/data
# Path to log files:
path.logs: /data/opensearch/logs
# Set the bind address to a specific IP (IPv4 or IPv6):
network.host: 172.20.37.242
# Set a custom port for HTTP:
#http.port: 9200
# Set a custom port for transport:
transport.port: 9300
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
discovery.seed_hosts: ["172.20.37.86:9300", "172.20.37.242:9300", "172.20.36.14:9300"]
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
cluster.initial_cluster_manager_nodes: ["node03", "node01", "node02"]
# Configuring TLS certificates
# Transport layer TLS
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
# REST layer TLS
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem

#  You need an admin certificate to change the Security plugin configuration using plugins/opensearch-security/tools/securityadmin.sh or the REST 
#  API. Super admin certificates are configured in opensearch.yml by stating their DN(s):
plugins.security.authcz.admin_dn:
  - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

# OpenSearch Security needs to identify requests between the nodes in the cluster.
# All DNs must be included in opensearch.yml on all nodes
plugins.security.nodes_dn_dynamic_config_enabled: false
plugins.security.nodes_dn:
  - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node3.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

# internal_opensearch, external_opensearch, debug, webhook
plugins.security.audit.type: debug 
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

依次修改每个节点的opensearch.yml文件。

注：

plugins.security.authcz.admin_dn和plugins.security.nodes_dn需要配置正确，可通过opensearch-security-2.17.1.jar中的方法获取证书的dn，java代码示例：

import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class TestMain {
    public static void main(String[] args) throws Exception {
        String cert = "D:\\opensearch\\certFiles\\admin.pem";
        FileInputStream fileInputStream = new FileInputStream(cert);
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(fileInputStream);
        PrincipalExtractor principalExtractor = new DefaultPrincipalExtractor();
        String s = principalExtractor.extractPrincipal(certificate, PrincipalExtractor.Type.TRANSPORT);
        System.out.println(s);
    }
}

四、启动服务

# 临时启动服务
./bin/opensearch
# nohup启动服务
nohup ./bin/opensearch 1>/dev/null 2>&1 &

五、初始化OpenSearch Security

每个节点启动成功后，此时OpenSearch集群服务还不能正常连接，会报下面错误信息：

 Not yet initialized (you may need to run securityadmin),

这个是安全配置未初始化，进入opensearch-2.17.1/plugins/opensearch-security/tools 目录，执行以下命令：

sh securityadmin.sh -cd ../../../config/opensearch-security/ -icl -nhnv \
   -cacert ../../../config/root-ca.pem \
   -cert ../../../config/admin.pem \
   -key ../../../config/admin-key.pem

注意：需要保证opensearch.yml文件中配置了plugins.security.ssl.http.enabled: true

到此，集群就可以正常使用了！！！如果不需要https访问，在初始化OpenSearch Security后，可以将配置文件中的plugins.security.ssl.http.enabled: false置为false，然后重启服务。默认账号密码admin/admin。

六、扩展功能

1、修改账号密码

账号密码的配置，在opensearch-2.17.1/config/opensearch-security/目录下的internal_users.yml文件中，如下图：

修改admin账号的密码，只需修改admin.hash的值。

获取新密码的hash值：进入opensearch-2.17.1/plugins/opensearch-security/tools 目录，通过hash.sh进行获取。将老hash值替换为新生成的hash值。

[opensearch@private-172-20-36-154 tools]$ sh hash.sh 
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
[Password:]
$2y$12$oWe.0JNVtIAoes49jPiXYu940eMcSL3Xs0idhkhIpBwGqjcpSNQQ.

hash: "$2y$12$sbRJPkNTBkr7aXsm3XuiIuxto/dlKprfDaDAulv9NunK4VONMKeeK"

替换为：

hash: "$2y$12$oWe.0JNVtIAoes49jPiXYu940eMcSL3Xs0idhkhIpBwGqjcpSNQQ."

密码修改完成后，需要重新执行securityadmin.sh命令使新密码生效。

sh securityadmin.sh -f ../../../config/opensearch-security/internal_users.yml \
  -t internalusers \
  -icl \
  -nhnv \
  -cacert ../../../config/root-ca.pem \
  -cert ../../../config/admin.pem \
  -key ../../../config/admin-key.pem

2、安装分词插件

安装analysis-ik和analysis-pinyin，可从这里下载打包的插件：Index of:

下载完成后，可通过下面的命令安装插件

./bin/opensearch-plugin install file:///data/opensearch/plugins-zip/opensearch-analysis-ik-2.17.1.zip
./bin/opensearch-plugin install file:///data/opensearch/plugins-zip/opensearch-analysis-pinyin-2.17.1.zip