elasticsearch 8.11.0 install

最新推荐文章于 2024-05-31 11:08:21 发布

m0_61584203

最新推荐文章于 2024-05-31 11:08:21 发布

阅读量381

点赞数 3

文章标签： elasticsearch jenkins 大数据搜索引擎全文检索

本文链接：https://blog.csdn.net/m0_61584203/article/details/137278048

版权

本文详细介绍了如何从官网下载并安装ES和Kibana，配置JDK环境，设置ES分析器，安装步骤包括解压、环境变量设置、证书生成与管理，以及Elasticsearch和Kibana的配置，确保了HTTPS安全连接。

摘要由CSDN通过智能技术生成

1.到官网下载ES和kibana

官网

ES下载地址

Kibana下载地址

2.分词器

ik分词器下载地址

注意：下载的ES、Kibana、ik这个版本需要一致

3.配置ES JDK环境变量新增ES_JAVA_HOME

JDK使用17或以上版本均可。

4.ES安装

#将软件放置到目录/usr/local
#elasticsearch-8.11.0-linux-x86_64.tar.gz
#elasticsearch-analysis-ik-8.11.0.zip
#kibana-8.11.0-linux-x86_64.tar.gz

#解压ES
tar -vxzf elasticsearch-8.11.0-linux-x86_64.tar.gz
#解压Kibana
tar -vxzf kibana-8.11.0-linux-x86_64.tar.gz

#创建分词器存放文件夹
mkdir /usr/local/elasticsearch-8.11.0/plugins/elasticsearch-analysis-ik-8.11.0
#将分词器解压到目录
uznip elasticsearch-analysis-ik-8.11.0.zip -d /usr/local/elasticsearch-8.11.0/plugins/elasticsearch-analysis-ik-8.11.0

#创建ES数据目录
mkdir /data/es_data

#创建ES用户
useradd es

#修改文件拥有者
chown -R es:es /usr/local/elasticsearch-8.11.0
chown -R es:es /usr/local/kibana-8.11.0
chown -R es:es /data/es_data

#切换es用户
su es

#签发ca证书,过程中需按两次回车键
cd /usr/local/elasticsearch-8.11.0
./bin/elasticsearch-certutil ca

# 用 ca证书签发节点证书，过程中需按三次回车键
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

# 将生成的证书文件移动到 /usr/local/elasticsearch-8.11.0/config/certs目录中
mkdir /usr/local/elasticsearch-8.11.0/config/certs
mv elastic-stack-ca.p12 elastic-certificates.p12 config/certs

# 签发 Https证书
./bin/elasticsearch-certutil http

## Do you wish to generate a Certificate Signing Request (CSR)?

A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you do not have
access to the keys for that CA). 

If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.

If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

#输入
Generate a CSR? [y/N]N 

## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

#输入
Use an existing CA? [y/N]y 

## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /usr/local/elasticsearch9201/elastic-stack-ca.p12 
Reading a PKCS12 keystore requires a password.
It is possible for the keystore is password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12: 
#输入
/usr/local/elasticsearch-8.11.0/config/certs/elastic-stack-ca.p12


## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

#有效时间
For how long should your certificate be valid? [5y] 20Y 


#是否针对特定的主机名或 IP 地址颁发选择否
## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]n


## What is the name of node #1?

This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.

You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.

#输入主机名称
VM-128-16


## Which hostnames will be used to connect to node-1?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

node-1.es.example.com 

You entered the following hostnames.

 - node-1.es.example.com      

Is this correct [Y/n]Y 



## Which IP addresses will be used to connect to node-1?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

#输入IP地址
127.0.0.1 


You entered the following IP addresses.

 - 127.0.0.1

Is this correct [Y/n]Y


#密码为空直接回车
## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none] 


#
## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/usr/local/elasticsearch-8.11.0/elasticsearch-ssl-http.zip]   

Zip file written to /usr/local/elasticsearch-8.11.0/elasticsearch-ssl-http.zip




# 解压文件
unzip elasticsearch-ssl-http.zip

#将解压后的证书文件移动到 config/certs 目录中
mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem config/certs





#修改ES配置文件

# 设置 ES集群名称
cluster.name: es-cluster
# 设置集群中当前节点名称
node.name: es-node-1
# 设置数据，日志文件路径
path.data: /data/es_data
path.logs: /usr/local/elasticsearch-8.11.0/log
# 设置网络访问节点
network.host: VM-128-16
# 设置网络访问端口
http.port: 9200
# 初始节点
discovery.seed_hosts: ["VM-128-16"]
# 安全认证
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
    enabled: true
    keystore.path: /usr/local/elasticsearch-8.11.0/config/certs/http.p12
    truststore.path: /usr/local/elasticsearch-8.11.0/config/certs/http.p12
xpack.security.transport.ssl:
    enabled: true
    verification_mode: certificate
    keystore.path: /usr/local/elasticsearch-8.11.0/config/certs/elastic-certificates.p12
    truststore.path: /usr/local/elasticsearch-8.11.0/config/certs/elastic-certificates.p12
# 此处需注意，es-node-1为上面配置的节点名称
cluster.initial_master_nodes: ["es-node-1"]
http.host: [_local_, _site_]
ingest.geoip.downloader.enabled: false
xpack.security.http.ssl.client_authentication: none



# 启动 ES软件
bin/elasticsearch


#记录下下面elastic账号密码

✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.

ℹ️  Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
  gN5rmptI=Rd_Q-FdiS1L



❌ Unable to generate an enrollment token for Kibana instances, try invoking `bin/elasticsearch-create-enrollment-token -s kibana`.

ℹ️  Configure other nodes to join this cluster:
• On this node:
  ⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
  ⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.
  ⁃ Restart Elasticsearch.
• On other nodes:
  ⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
  
  
 #接下来就可以访问ES
 https://ip:9200
 
 输入账号和密码就可以了
elastic
gN5rmptI=Rd_Q-FdiS1L


#后台启动
/usr/local/elasticsearch-8.11.0/bin/elasticsearch -d 

#配置Kibana
#生成证书，输入回车即可
./bin/elasticsearch-certutil csr -name kibana -dns VM-128-16


# 解压文件
unzip csr-bundle.zip
# 将解压后的文件移动到 kibana的 config目录中
mv kibana.csr kibana.key /usr/local/kibana-8.1.0/config/
# 生成 crt文件
cd /usr/local/kibana-8.1.0/config/
openssl x509 -req -in kibana.csr -signkey kibana.key -out kibana.crt


#生成kibana账号密码
cd /usr/local/elasticsearch-8.11.0
./bin/elasticsearch-reset-password -u kibana

#将生成的密码写入Kibana配置文件
#cW296RLMfb

#修改Kibana配置文件
cd /usr/local/kibana-8.1.0/config
vim kibana.yml

xpack.reporting.roles.enabled: false
# 服务端口
server.port: 5601
# 服务主机名
server.host: "0.0.0.0"
# 国际化 - 中文
i18n.locale: "zh-CN"
# ES服务主机地址
elasticsearch.hosts: ["https://VM-128-16:9200"]
# 访问 ES服务的账号密码
elasticsearch.username: kibana
elasticsearch.password: cW296RLMfb
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: [ "/usr/local/elasticsearch-8.11.0/config/certs/elasticsearch-ca.pem" ]
server.ssl.enabled: true
server.ssl.certificate: /usr/local/kibana-8.11.0/config/kibana.crt
server.ssl.key: /usr/local/kibana-8.11.0/config/kibana.key
# 注意：参数值至少32位，否则启动会报错提示
xpack.encryptedSavedObjects.encryptionKey: encryptedSavedObjects12345678909876543210
xpack.security.encryptionKey: encryptionKeysecurity12345678909876543210
xpack.reporting.encryptionKey: encryptionKeyreporting12345678909876543210

xpack.screenshotting.browser.chromium.disableSandbox: true


#后台启动kibana
nohup /usr/local/kibana-8.11.0/bin/kibana > kibana.log 2>&1 &