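Elasticsearch + Kibana deployment

Elasticsearch cluster deployment

System parameter tuning

Run every step below on each of the three machines 209.123, 209.124 and 209.125:

Edit with vi /etc/sysctl.conf and add the following: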

vm.max_map_count=262144

$ sysctl -p

Edit with vi /etc/security/limits.d/20-nproc.conf

rms       soft    nproc     65536
rms       hard    nproc     65536
rms       soft    nofile    655360
rms       hard    nofile    655360

Add the hostnames

vi /etc/hosts

209.123  es-node-01

209.124  es-node-02

209.125  es-node-03

Extract the installation package

$ tar zxvf elasticsearch-8.1.0-x.tar.gz

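Obtain the cluster communication keys

Run this only on the first server of the cluster, es-node-01.

Issue the CA certificate (ENTER means press the Enter key)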

bin/elasticsearch-certutil ca
【ENTER】
【ENTER】

Use the CA certificate to issue the node certificate

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
【ENTER】
【ENTER】
【ENTER】

Move the certificates into the certs directory

mkdir -p config/certs
mv elastic-certificates.p12 elastic-stack-ca.p12 config/certs

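Obtain the HTTPS certificate

Issue the HTTPS certificate

bin/elasticsearch-certutil http

Follow the prompts below; the text inside 【】 is the input used in this document.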

1. When asked if you want to generate a CSR.
	Generate a CSR? Enter `【n】`
2. When asked if you want to use an existing CA.
	Use an existing CA certificate? Enter `【y】`
3. Enter the path to your CA. This is the absolute path to the elastic-stack-ca.p12 file that you generated for your cluster.
	Enter the path of the elastic-stack-ca.p12 CA certificate generated earlier: `【certs/elastic-stack-ca.p12】`
4. Enter the password for your CA.
	No password is used: `【ENTER】`
5. Enter an expiration value for your certificate. You can enter the validity period in years, months, or days. For example, enter 90D for 90 days.
	Enter the certificate validity period, here 10 years: `【10y】`
6. When asked if you want to generate one certificate per node.
	Generate a separate certificate for each node? Enter `【n】`
   Each certificate will have its own private key, and will be issued for a specific hostname or IP address.

7. Enter all hostnames used to connect to your first node. These hostnames will be added as DNS names in the Subject Alternative Name (SAN) field in your certificate.
	Hostnames entered:
	`【es-node-01】`
	`【es-node-02】`
	`【es-node-03】`
	`【ENTER】`
   List every hostname and variant used to connect to your cluster over HTTPS.
	The hostnames are listed for confirmation: `【y】`
8. Enter the IP addresses that clients can use to connect to your node.
	IP addresses entered:
	`【209.123】`
	`【209.124】`
	`【209.125】`
	`【ENTER】`
	The IP addresses are listed for confirmation: `【y】`
	
9. Do you wish to change any of these options? [y/N]
	Change any certificate options? Enter `【n】`
10. Provide a password for the "http.p12" file
	Leave the certificate without a password: `【ENTER】`
11. What filename should be used for the output zip file?
	Keep the default output filename: `【ENTER】`

Unzip the generated zip archive

unzip elasticsearch-ssl-http.zip

Contents of the zip archive after extraction

/elasticsearch
|_ README.txt
|_ http.p12
|_ sample-elasticsearch.yml

/kibana
|_ README.txt
|_ elasticsearch-ca.pem
|_ sample-kibana.yml

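Move the certificate files into the certs directory. The certificate in the kibana directory is the one Kibana uses to communicate with Elasticsearch; see the README.txt in that directory for the configuration details.

mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem config/certs

Edit the configuration file

Edit the configuration file config/elasticsearch.yml: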

network.host: 0.0.0.0
cluster.name: apm
http.port: 27000
http.cors.enabled: true
http.cors.allow-origin: "*"
node.name: es-node-01
node.roles: [ master, data,ingest ]
path.data:  /aio/rms/elasticsearch-8.1.0/data
ingest.geoip.downloader.enabled: false
transport.port: 27002

discovery.seed_hosts:
  - 209.123
  - 209.124
  - 209.125
cluster.initial_master_nodes:
  - es-node-01
  - es-node-02
  - es-node-03

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: /aio/rms/elasticsearch-8.1.0/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /aio/rms/elasticsearch-8.1.0/config/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path:  /aio/rms/elasticsearch-8.1.0/config/certs/http.p12
xpack.security.http.ssl.truststore.path: /aio/rms/elasticsearch-8.1.0/config/certs/http.p12
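
The configuration above enables TLS on both the transport and HTTP layers, but it also sets `xpack.security.transport.ssl.verification_mode: none` and a wildcard `http.cors.allow-origin`, which undo part of that protection. The following check is an added example, not part of the original post; the function names and the sample file are constructed, and it assumes the flat dotted `key: value` style used on this page.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: flag settings in an
# elasticsearch.yml that weaken the TLS setup built in the steps above.
# Assumes flat dotted "key: value" lines, the style this page uses.

# Print the value of one setting (last occurrence wins, quotes stripped).
es_setting() {  # usage: es_setting <file> <key>
  local key
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal in the key
  sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print one line per weak setting found; print nothing for a clean file.
audit_es_config() {  # usage: audit_es_config <file>
  local f="$1"
  if [ "$(es_setting "$f" xpack.security.transport.ssl.verification_mode)" = "none" ]; then
    echo "transport-verify-none: node certificates are not validated; use 'certificate' or 'full'"
  fi
  if [ "$(es_setting "$f" http.cors.enabled)" = "true" ] &&
     [ "$(es_setting "$f" http.cors.allow-origin)" = "*" ]; then
    echo "cors-wildcard: any web origin may send cross-origin requests; list the allowed origins"
  fi
  if [ "$(es_setting "$f" xpack.security.enabled)" = "false" ]; then
    echo "security-disabled: authentication is not enforced"
  fi
  if [ "$(es_setting "$f" xpack.security.http.ssl.enabled)" != "true" ]; then
    echo "http-plaintext: REST traffic, including passwords, is not encrypted"
  fi
}

# Constructed sample: the security-relevant lines of the config above.
sample_config() {
  cat <<'EOF'
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.http.ssl.enabled: true
EOF
}

# Run with --demo to audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); sample_config > "$tmp"; audit_es_config "$tmp"; rm -f "$tmp"
fi
```

The node certificate generated earlier with `bin/elasticsearch-certutil cert --ca` carries no hostnames, so `certificate` is the mode that validates the CA signature without requiring a hostname match.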

Start

Run the commands

$ export ES_JAVA_HOME=./jdk
 
$ nohup bin/elasticsearch >std.log 2>&1 &

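On startup the certificate configuration and token are generated automatically; check std.log.

Configure the remaining nodes

Copy the entire elasticsearch folder to the other nodes using: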

scp -r elasticsearch-8.1.0/  rms@209.124:/aio/rms/ 

scp -r elasticsearch-8.1.0/  rms@209.125:/aio/rms/

Then change two settings in elasticsearch.yml on each node:

On es-node-02:

network.host: 209.124
node.name: es-node-02

On es-node-03:

network.host: 209.125
node.name: es-node-03

Then simply start each node.

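Change the password

bin/elasticsearch-reset-password -i -u elastic

This changes the password used to log in to Elasticsearch; it only needs to be run on one machine.

Verification

Open https://209.123:27000 in a browser and enter the password set above to reach the console.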

If the response appears, the deployment succeeded.

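Kibana deployment

Extract

Extract: tar -zxvf kibana-8.1.0-linux-x86_64.tar.gz

Generate the Kibana certificate

Go to the ES installation directory and generate the certificate on the ES server (note: not in Kibana):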

cd /aio/rms/elasticsearch-8.1.0

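The certificate name is kibana:

bin/elasticsearch-certutil csr -name kibana

This produces the archive csr-bundle.zip.

Unzip it: unzip csr-bundle.zip

Move the extracted files:

mv kibana.csr kibana.key config/

Go to the Kibana installation directory and generate the crt certificate: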

cd /aio/rms/kibana-8.1.0/config

openssl x509 -req -in kibana.csr -signkey kibana.key -out kibana.crt
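
The `openssl x509 -req` command above passes no `-days`, so OpenSSL applies its default lifetime of 30 days and the Kibana certificate lapses a month after deployment. The following is an added example, not part of the original post: it self-signs a constructed stand-in CSR with and without an explicit lifetime and checks the remaining validity with `-checkend`; `make_test_csr` and the file names are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: show the lifetime of a
# certificate self-signed as in the step above, and a check for it.

# Constructed stand-in for the kibana.csr/kibana.key pair that
# elasticsearch-certutil produced (hypothetical helper for the demo).
make_test_csr() {  # usage: make_test_csr <dir>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kibana" \
    -keyout "$1/kibana.key" -out "$1/kibana.csr" 2>/dev/null
}

# Self-sign a CSR. Without a 4th argument this is the page's command,
# so OpenSSL's default lifetime of 30 days applies.
self_sign() {  # usage: self_sign <csr> <key> <out.crt> [days]
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1" -signkey "$2" -out "$3" -days "$4" 2>/dev/null
  else
    openssl x509 -req -in "$1" -signkey "$2" -out "$3" 2>/dev/null
  fi
}

# Exit 0 if the certificate is still valid <days> days from now.
valid_in_days() {  # usage: valid_in_days <crt> <days>
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run with --demo to compare the default lifetime with an explicit one.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  make_test_csr "$dir"
  self_sign "$dir/kibana.csr" "$dir/kibana.key" "$dir/default.crt"
  self_sign "$dir/kibana.csr" "$dir/kibana.key" "$dir/one-year.crt" 365
  for crt in default one-year; do
    if valid_in_days "$dir/$crt.crt" 31; then
      echo "$crt.crt: still valid in 31 days"
    else
      echo "$crt.crt: expires within 31 days"
    fi
  done
  rm -rf "$dir"
fi
```

`valid_in_days` can be run on a schedule against the deployed kibana.crt to warn before the HTTPS endpoint starts failing.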

Edit the configuration file

vi /var/elk/package/kibana-8.1.0/config/kibana.yml

server.port: 27007
server.host: 0.0.0.0
server.publicBaseUrl: "https://209.123"
elasticsearch.hosts: ["https://209.123:27000","https://209.124:27000","https://209.125:27000"]
elasticsearch.username: "kibana"
elasticsearch.password: "mS+ld5-+wJ37XVEjzg1e"
elasticsearch.ssl.certificateAuthorities: ["/aio/rms/elasticsearch-8.1.0/config/certs/elasticsearch-ca.pem"]
server.ssl.enabled: true
server.ssl.certificate: /aio/rms/kibana-8.1.0/config/kibana.crt
server.ssl.key: /aio/rms/kibana-8.1.0/config/kibana.key

Start Kibana

vi startup.sh, with the following contents:

#!/bin/bash

ES_JAVA_HOME=./jdk
nohup bin/kibana >std.log 2>&1 &
