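This article describes how to install and configure an Elasticsearch 7.14.0 cluster on CentOS and how to enable the X-Pack security features, including certificate and password setup.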
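1. Create an unprivileged Elasticsearch user
To avoid startup errors caused by user permission problems, create an unprivileged user, elsearch, and perform all Elasticsearch operations as that user.
# Create the user
useradd elsearch
# Change to the /home/elsearch directory
cd /home/elsearch/
# Extract the Elasticsearch archive
tar -zxvf elasticsearch-7.14.0-linux-x86_64.tar.gz
# Set the owner of /home/elsearch to elsearch (after extracting, so the extracted files are included)
chown -R elsearch:elsearch /home/elsearch/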
2. Edit the core configuration file elasticsearch.yml
Configure the elasticsearch.yml file separately for each node in the cluster.
Node 1 (192.168.10.200)
cluster.name: application
node.name: es-1
path.data: /home/elsearch/elasticsearch-7.14.0/data
path.logs: /home/elsearch/elasticsearch-7.14.0/logs
network.host: 192.168.10.200
http.port: 9200
discovery.seed_hosts: ["192.168.10.200:9300", "192.168.10.201:9300", "192.168.10.202:9300"]
cluster.initial_master_nodes: ["es-1"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
Node 2 (192.168.10.201)
cluster.name: application
node.name: es-2
path.data: /home/elsearch/elasticsearch-7.14.0/data
path.logs: /home/elsearch/elasticsearch-7.14.0/logs
network.host: 192.168.10.201
http.port: 9200
discovery.seed_hosts: ["192.168.10.200:9300", "192.168.10.201:9300", "192.168.10.202:9300"]
cluster.initial_master_nodes: ["es-1"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
Node 3 (192.168.10.202)
cluster.name: application
node.name: es-3
path.data: /home/elsearch/elasticsearch-7.14.0/data
path.logs: /home/elsearch/elasticsearch-7.14.0/logs
network.host: 192.168.10.202
http.port: 9200
discovery.seed_hosts: ["192.168.10.200:9300", "192.168.10.201:9300", "192.168.10.202:9300"]
cluster.initial_master_nodes: ["es-1"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
3. Open ports 9200 and 9300
# Open the required ports
firewall-cmd --zone=public --add-port=9200/tcp --permanent
firewall-cmd --zone=public --add-port=9300/tcp --permanent
# Reload the firewall rules
firewall-cmd --reload
# Restart the firewall
systemctl restart firewalld.service
4. Start the service
# Switch to the elsearch user
su - elsearch
# Change to the Elasticsearch bin directory
cd /home/elsearch/elasticsearch-7.14.0/bin/
# Start Elasticsearch as a daemon
./elasticsearch -d
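5. Set passwords and generate the certificate
Generate the certificate
# Enable X-Pack security (a setting in config/elasticsearch.yml, not a shell command)
xpack.security.enabled: true
# Change to the Elasticsearch installation directory
cd /home/elsearch/elasticsearch-7.14.0
# Generate the certificate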
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
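# Path of the generated certificate:
# /home/elsearch/elasticsearch-7.14.0/config/elastic-certificates.p12
Copy the generated elastic-certificates.p12 file to the config directory on the other nodes, then edit elasticsearch.yml on those nodes and add the following settings: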
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
Restart the Elasticsearch service
# Restart Elasticsearch on each node (from the bin directory, after stopping any running instance)
./elasticsearch -d
Set the passwords
# Set the passwords for the built-in users interactively
sh /home/elsearch/elasticsearch-7.14.0/bin/elasticsearch-setup-passwords interactive
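A check for the result of the steps above, as an added example that is not part of the original article: it audits one node's config directory for the transport TLS settings from step 2 and for the certificate file copied in step 5. The helper names yml_value and check_node_config are made up for this example, and it assumes flat key: value lines and a keystore path relative to the config directory, as in this guide.

```sh
#!/bin/sh
# Added example: audit one node's config directory against the settings in this guide.
# yml_value and check_node_config are hypothetical helper names, not Elasticsearch tools.

# Print the value of flat "key: value" setting $2 in file $1 (last occurrence wins).
yml_value() {
  awk -v k="$2" 'index($0, k ":") == 1 {
      v = substr($0, length(k) + 2)
      gsub(/^[ \t]+|[ \t\r]+$/, "", v); out = v }
    END { print out }' "$1"
}

# Usage: check_node_config /home/elsearch/elasticsearch-7.14.0/config
# Returns the number of problems found (0 means the node matches the guide).
check_node_config() {
  conf_dir=$1; yml="$conf_dir/elasticsearch.yml"; problems=0
  [ -f "$yml" ] || { echo "missing $yml"; return 1; }

  # Settings every node must carry, as "key=expected value".
  for pair in \
    "xpack.security.enabled=true" \
    "xpack.security.transport.ssl.enabled=true" \
    "xpack.security.transport.ssl.verification_mode=certificate"
  do
    key=${pair%%=*}; want=${pair#*=}; got=$(yml_value "$yml" "$key")
    if [ "$got" != "$want" ]; then
      echo "$key: expected '$want', found '${got:-<unset>}'"
      problems=$((problems + 1))
    fi
  done

  # Assumption: store paths are relative to the config directory, as in this guide.
  for key in xpack.security.transport.ssl.keystore.path \
             xpack.security.transport.ssl.truststore.path
  do
    rel=$(yml_value "$yml" "$key"); store="$conf_dir/$rel"
    if [ -z "$rel" ] || [ ! -f "$store" ]; then
      echo "$key: file not found (${rel:-<unset>})"; problems=$((problems + 1))
    # The .p12 was created with an empty password, so file permissions are
    # the only protection for the private key: no group/other access bits.
    elif [ "$(ls -ld "$store" | cut -c5-10)" != "------" ]; then
      echo "$store: accessible beyond its owner, run chmod 600"
      problems=$((problems + 1))
    fi
  done
  return "$problems"
}
```

Run it on each node as the elsearch user; a non-zero return value is the number of findings printed.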
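Summary
Following the steps in this article, we installed and configured an Elasticsearch 7.14.0 cluster on CentOS, enabled the X-Pack security features, and set up the certificate and passwords. With this in place, transport traffic between the nodes is encrypted with TLS and clients must authenticate with a password.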