centos7使用rpm安装Elasticsearch集群部署并开启基础认证

未标记(集群内任意一台机器执行)的步骤则是集群内所有机器执行

1. 开启防火墙端口或关闭防火墙

# Show the current firewall state
firewall-cmd --state

# Start the firewall
systemctl start firewalld.service

# Disable the firewall
# NOTE(review): `disable` only keeps firewalld from starting at the next boot;
# an instance that is already running keeps filtering until it is stopped.
# With no firewall, and network.host set to 0.0.0.0 in step 5, ports 9200 and
# 9300 are reachable from every network this host is attached to. Prefer
# keeping firewalld on and opening only the ports below.
systemctl disable firewalld.service

# Open the firewall ports (only while firewalld is running)
# NOTE(review): this opens 9200 (http.port in step 5) and 9300 to every source
# in the public zone. 9300 is the default transport port and only needs to be
# reachable from the other cluster nodes; 9200 only from the clients that query
# the cluster. Consider source-restricted rich rules instead of a blanket
# --add-port.
firewall-cmd --zone=public --add-port=9200/tcp --add-port=9300/tcp --permanent
firewall-cmd --reload

# Remove a firewall port (only while firewalld is running); ???? is a
# placeholder for the port number
firewall-cmd --zone=public --remove-port=????/tcp --permanent
firewall-cmd --reload

# List every open port (only while firewalld is running)
firewall-cmd --zone=public --list-ports

2. 修改OS参数

  • 修改OS:/etc/sysctl.conf参数
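# Raise vm.max_map_count to 262144. The line is appended only when it is not
# already present, so re-running this step does not stack duplicate entries in
# /etc/sysctl.conf.
grep -qxF 'vm.max_map_count=262144' /etc/sysctl.conf ||
  printf '%s\n' 'vm.max_map_count=262144' >> /etc/sysctl.conf

# Load the settings from /etc/sysctl.conf into the running kernel
sysctl -p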
  • 修改OS:/etc/security/limits.conf参数
# Append higher open-file, process and locked-memory limits to limits.conf.
# NOTE(review): the "*" domain applies these limits to every account on the
# host, not only to the account that runs Elasticsearch. Naming the
# elasticsearch user in the first column would keep unlimited memlock and the
# raised nproc away from unrelated accounts.
# NOTE(review): limits.conf is applied by PAM to login sessions. The service
# in step 11 is started through systemctl, so it presumably takes its limits
# from the unit file rather than from here -- confirm with
# `systemctl show elasticsearch -p LimitNOFILE -p LimitMEMLOCK`.
# bootstrap.memory_lock is left commented out in step 5, so the memlock
# entries are not exercised by this setup.
cat >> /etc/security/limits.conf << EOF
* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536
* soft memlock unlimited
* hard memlock unlimited
EOF

# Reboot so the new limits take effect (the host goes down immediately)
shutdown -r now

# After the reboot, check that the limits changed; the default is 1024
# (-n: maximum number of open file descriptors, -u: maximum number of
# processes available to the user). These show the limits of the current
# login shell, not those of the running service.
ulimit -n
ulimit -u

3. 下载rpm & 安装rpm

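# Download the package and its published SHA-512 checksum file.
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.10-x86_64.rpm
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.10-x86_64.rpm.sha512

# Import Elastic's package signing key so rpm can check the signature.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

# Install only when both checks pass. The checksum comes from the same server
# as the package, so on its own it only catches a corrupted or truncated
# download; the signature check (rpm -K) is what ties the package to the
# publisher's key.
sha512sum -c elasticsearch-7.17.10-x86_64.rpm.sha512 &&
  rpm -K elasticsearch-7.17.10-x86_64.rpm &&
  rpm -ivh elasticsearch-7.17.10-x86_64.rpm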

4. 根据自己服务器创建ES相关目录

# Create the Elasticsearch data directory and log directory in one call;
# -p also creates the missing parent /data/elasticsearch.
mkdir -p /data/elasticsearch/data /data/elasticsearch/logs

5. 修改ES配置文件

# Write the node configuration; `cat >` replaces the whole existing file.
# Sample values to replace per deployment: cluster.name (identical on every
# node), node.name (unique per node), discovery.seed_hosts and
# cluster.initial_master_nodes.
# NOTE(review): network.host 0.0.0.0 listens on every interface of the host.
#   Where a node has more than one network, bind to the cluster-facing address
#   and keep the step 1 firewall rules in place.
# NOTE(review): only xpack.security.transport.ssl.* is configured below and no
#   xpack.security.http.ssl.* setting is present, so port 9200 serves plain
#   HTTP. The passwords created in step 12 are then sent unencrypted by every
#   client; enable TLS on the HTTP layer before using the cluster across an
#   untrusted network.
# NOTE(review): verification_mode "certificate" checks that a peer certificate
#   is signed by the trusted CA but does not check the hostname, so any
#   certificate issued by this CA is accepted as a cluster node.
# The keystore/truststore paths are relative; step 9 places the file in the
# configuration directory (/etc/elasticsearch by default).
cat > /etc/elasticsearch/elasticsearch.yml << EOF
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
# 每个节点一致(集群名称)
cluster.name: clusterName
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
# 每个节点不同(节点名称)
node.name: nodeName
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
# 自定义数据目录(此目录也需要给elasticsearch用户授权)
path.data: /data/elasticsearch/data
#
# Path to log files:
# 自定义日志目录(此目录也需要给elasticsearch用户授权)
path.logs: /data/elasticsearch/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 0.0.0.0
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["192.168.1.1", "192.168.1.2", "192.168.1.3"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["nodeName1", "nodeName2", "nodeName3"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# ---------------------------------- Security ----------------------------------
#
#                                 *** WARNING ***
#
# Elasticsearch security features are not enabled by default.
# These features are free, but require configuration changes to enable them.
# This means that users don’t have to provide credentials and can get full access
# to the cluster. Network connections are also not encrypted.
# 
# To protect your data, we strongly encourage you to enable the Elasticsearch security features. 
# Refer to the following documentation for instructions.
#
# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html
# 安全配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF

6. 配置JVM参数

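# Write the JVM options file; `cat >` replaces the whole existing file.
# The heredoc delimiter is quoted so the shell copies the body literally. With
# an unquoted delimiter the shell running this command expands ${ES_TMPDIR}
# itself; the variable is normally unset there, which leaves an empty
# "-Djava.io.tmpdir=" in the written file instead of the placeholder that
# Elasticsearch is meant to fill in at start-up.
# NOTE(review): the body sets -Xms32g/-Xmx32g on every node. Size it to the
# host (the inline note recommends half of the server's memory), and check the
# linked heap-size guidance about staying below the compressed-oops threshold,
# which 32g may exceed. The template header itself asks for overrides to be
# placed in jvm.options.d rather than in this file.
cat > /etc/elasticsearch/jvm.options << 'EOF'
################################################################
##
## JVM configuration
##
################################################################
##
## WARNING: DO NOT EDIT THIS FILE. If you want to override the
## JVM options in this file, or set any additional options, you
## should create one or more files in the jvm.options.d
## directory containing your adjustments.
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/jvm-options.html
## for more information.
##
################################################################

################################################################
## IMPORTANT: JVM heap size
################################################################
##
## The heap size is automatically configured by Elasticsearch
## based on the available memory in your system and the roles
## each node is configured to fulfill. If specifying heap is
## required, it should be done through a file in jvm.options.d,
## and the min and max should be set to the same value. For
## example, to set the heap to 4 GB, create a new file in the
## jvm.options.d directory containing these lines:
## Xmx,Xms推荐设置为服务器内存的一半
-Xms32g
-Xmx32g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/heap-size.html
## for more information
##
################################################################

################################################################
## Expert settings
################################################################
##
## All settings below here are considered expert settings. Do
## not adjust them unless you understand what you are doing. Do
## not edit them in this file; instead, create a new file in the
## jvm.options.d directory containing your adjustments.
##
################################################################

## GC configuration
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly

## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC

## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}

## heap dumps

# generate a heap dump when an allocation from the Java heap fails; heap dumps
# are created in the working directory of the JVM unless an alternative path is
# specified
-XX:+HeapDumpOnOutOfMemoryError

# exit right after heap dump on out of memory error. Recommended to also use
# on java 8 for supported versions (8u92+).
9-:-XX:+ExitOnOutOfMemoryError

# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=/var/lib/elasticsearch

# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log

## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:/var/log/elasticsearch/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m

# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
EOF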

7. 生成CA证书(集群内任意一台机器执行)

# Generate a CA for the cluster with the elasticsearch-certutil tool.
# 1. At the first prompt accept the default file name, elastic-stack-ca.p12.
#    This file holds the CA's public certificate and the private key used to
#    sign the certificate of every node.
# 2. At the second prompt enter a password for the CA. The password may be
#    left empty when the cluster is not a production deployment.
# NOTE(review): because the file contains the CA private key, whoever can read
# it can issue certificates that the cluster accepts as nodes. Set a password,
# and once the node certificates are issued move the file off the cluster
# hosts; only elastic-certificates.p12 has to be distributed in step 9.
/usr/share/elasticsearch/bin/elasticsearch-certutil ca

8. 生成证书和私钥(集群内任意一台机器执行)

# Generate the certificate and private key for the cluster nodes, signed with
# the elastic-stack-ca.p12 file produced in the previous step.
# The generated file is placed in the "/usr/share/elasticsearch" directory.
# 1. At the first prompt enter the CA password, or press Enter if no password
#    was set in the previous step.
# 2. At the second prompt accept the default file name, elastic-certificates.p12.
#    This keystore holds the node certificate, the node key and the CA
#    certificate.
# 3. At the third prompt just press Enter; otherwise an error is reported at
#    start-up (the author did not investigate the cause).
# NOTE(review): the start-up error presumably occurs because a password
# entered here protects the keystore while the configuration in step 5 gives
# Elasticsearch no password for it. The password would have to be stored with
# `elasticsearch-keystore add` under
# xpack.security.transport.ssl.keystore.secure_password and
# xpack.security.transport.ssl.truststore.secure_password -- confirm against
# the Elastic documentation for this version.
# With an empty password the file permissions are the only protection of the
# node key, and the same key is shared by every node of the cluster.
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

9. 复制证书到集群所有机器

# 证书生成后在“/usr/share/elasticsearch” 目录
# 复制 elastic-certificates.p12 到集群所有机器$ES_PATH_CONF,默认(/etc/elasticsearch) 目录

10. 为ES启动用户授予相关文件夹权限

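# Hand only the custom data and log directories from step 4 to the service
# account.
chown -R elasticsearch:elasticsearch /data/elasticsearch

# Let the service account read the keystore copied in step 9 without being
# able to replace it.
chown root:elasticsearch /etc/elasticsearch/elastic-certificates.p12
chmod 640 /etc/elasticsearch/elastic-certificates.p12

# /usr/share/elasticsearch, /etc/rc.d/init.d/elasticsearch,
# /etc/sysconfig/elasticsearch and the rest of /etc/elasticsearch are left
# with the ownership the rpm installed. Giving the account the service runs as
# ownership of its own program files and start-up scripts would let a
# compromised Elasticsearch process change what is executed at the next start,
# and would also hand it the CA file that step 7 leaves in
# /usr/share/elasticsearch.
# Assumes the package's ownership on those paths has not been changed since
# installation; the `cat >` writes in steps 5 and 6 keep the existing owner.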

11. ES服务相关命令

# Start the service now and enable it at boot
systemctl enable --now elasticsearch

# Start the service
systemctl start elasticsearch

# Restart the service
systemctl restart elasticsearch

# Stop the service
systemctl stop elasticsearch

# Show the service status
systemctl status elasticsearch

# Follow the service log in real time
journalctl  -f -u elasticsearch.service

12. 为内置用户编辑创建随机密码(集群内任意一台机器执行)

# Run this only after the Elasticsearch service has finished starting.
# NOTE(review): `auto` generates random passwords for the reserved users and
# prints them to the console. Record them in a secrets store straight away and
# keep them out of saved terminal logs or shared screens; the elastic user in
# particular is the superuser of the cluster.
cd /usr/share/elasticsearch/bin
./elasticsearch-setup-passwords auto

# 出现如下提示时输入y,回车确认
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]

# 回车确认后会把相关账户密码输出到console