docker部署ES集群

docker部署ES集群

1、测试环境说明

操作系统:CentOS7,服务节点:10.10.14.16,该服务器会启动三个节点,分别是es-001、es-002、es-003,elasticsearch版本为7.8.0,docker环境需要自己安装一下。

2、将生产环境包拉到本地

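# Export the image to a tar archive. `docker save` takes the output file via
# -o/--output; without it every positional argument (including "es.tar.gz")
# is treated as an image name and the archive is written to stdout.
# The result is a plain, uncompressed tar; the .gz name is kept only because
# step 3 loads a file called es.tar.gz.
docker save -o es.tar.gz elasticsearch:7.8.0
# Record the digest so the uploaded copy can be compared before it is loaded.
sha256sum es.tar.gz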

3、从本地上传到测试环境

# After the upload, import the archive into the local image store.
docker load --input es.tar.gz

4、创建容器

根据自己的实际情况进行创建

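# Start the three Elasticsearch 7.8.0 containers es-001, es-002 and es-003 on
# this host. Node N publishes HTTP on host port 920N and transport on 930N,
# and keeps its data and plugins under /home/elasticsearch-10N.
#
# The host timezone file is mounted read-only (:ro) so the container can read
# it but cannot overwrite the host's /etc/localtime.
#
# NOTE(review): --privileged gives the container nearly all host capabilities
# and device access. Nothing in this walkthrough shows Elasticsearch needing
# it; confirm why it was added and drop it if possible. If it is only there to
# get past SELinux denials on the bind mounts, a :Z volume label is the
# narrower fix.
# NOTE(review): -p without a host address publishes on every host interface
# (the `docker ps` output below shows 0.0.0.0 and :::), and security is not
# enabled until step 9. Keep 920N/930N firewalled to trusted hosts until then.
for n in 1 2 3; do
  docker run -d \
    --name "es-00${n}" \
    -e "http.host=0.0.0.0" \
    -e "ES_JAVA_OPTS=-Xms4g -Xmx4g" \
    --privileged \
    -v /etc/localtime:/etc/localtime:ro \
    -v "/home/elasticsearch-10${n}/data:/usr/share/elasticsearch/data" \
    -v "/home/elasticsearch-10${n}/plugins:/usr/share/elasticsearch/plugins" \
    -p "920${n}:9200" \
    -p "930${n}:9300" \
    elasticsearch:7.8.0
done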

# 查看容器状态
[root@localhost ~]# docker ps
CONTAINER ID   IMAGE                 COMMAND                  CREATED        STATUS          PORTS
c5741dde1bd4   elasticsearch:7.8.0   "/tini -- /usr/local…"   17 hours ago   Up 23 minutes   0.0.0.0:9203->9200/tcp, :::9203->9200/tcp, 0.0.0.0:9303->9300/tcp, :::9303-
972407660fa6   elasticsearch:7.8.0   "/tini -- /usr/local…"   17 hours ago   Up 23 minutes   0.0.0.0:9202->9200/tcp, :::9202->9200/tcp, 0.0.0.0:9302->9300/tcp, :::9302-
544ce000ae3e   elasticsearch:7.8.0   "/tini -- /usr/local…"   17 hours ago   Up 24 minutes   0.0.0.0:9201->9200/tcp, :::9201->9200/tcp, 0.0.0.0:9301->9300/tcp, :::9301

5、生成证书

#证书生成在master(es-001)节点容器内执行,进入容器
[root@localhost ~]# docker exec -it es-001 /bin/bash
# 执行bin/elasticsearch-certutil ca生成elastic-stack-ca.p12,一路回车,不输入密码(该文件包含CA私钥,空密码只适合测试环境;签发完节点证书后不要把它留在容器里)
[root@544ce000ae3e elasticsearch]# bin/elasticsearch-certutil ca
# 生成
elastic-stack-ca.p12

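# 执行 bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12生成elastic-certificates.p12,一路回车,不输入密码(测试环境可以这样做;如果设置了密码,需要在每个节点用bin/elasticsearch-keystore add把密码写入xpack.security.transport.ssl.keystore.secure_password和xpack.security.transport.ssl.truststore.secure_password)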
[root@544ce000ae3e elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# 生成
elastic-certificates.p12

[root@544ce000ae3e elasticsearch]# ll
total 592
-rw-r--r--  1 elasticsearch root           13675 Jun 15  2020 LICENSE.txt
-rw-r--r--  1 elasticsearch root          544318 Jun 15  2020 NOTICE.txt
-rw-r--r--  1 elasticsearch root            8165 Jun 15  2020 README.asciidoc
drwxr-xr-x  2 elasticsearch root            4096 Jun 15  2020 bin
drwxrwxr-x  1 elasticsearch root            4096 Jul 26 09:49 config
drwxrwxrwx  3 elasticsearch elasticsearch   4096 Jul 23 17:39 data
-rw------- 1 elasticsearch elasticsearch 3451 Jul 26 09:19 elastic-certificates.p12
-rw-------  1 root          root            2527 Jul 26 09:17 elastic-stack-ca.p12
drwxr-xr-x  1 elasticsearch root            4096 Jun 15  2020 jdk
drwxr-xr-x  3 elasticsearch root            4096 Jun 15  2020 lib
drwxrwxr-x  1 elasticsearch root            4096 Jul 26 09:30 logs
drwxr-xr-x 47 elasticsearch root            4096 Jun 15  2020 modules
drwxrwxrwx  2 elasticsearch elasticsearch   4096 Jul 19 17:03 plugins

6、修改证书权限,使用chown改属主

# 上述证书是在容器内生成的,需要先把证书拷贝到宿主机上,修改权限,然后再传输到各节点(注意:上面ll的输出显示证书位于/usr/share/elasticsearch/下,如果没有先移动到config/目录,下面docker cp的源路径需要相应调整)
[root@localhost ~]# pwd
/root
[root@localhost ~]# docker cp es-001:/usr/share/elasticsearch/config/elastic-certificates.p12 ./

# 修改属主为elasticsearch
[root@localhost ~]# chown elasticsearch:elasticsearch elastic-certificates.p12

7、传输到各个节点

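# 传输到各容器节点(下面只演示了es-001,es-002、es-003也要执行同样的拷贝;docker cp不加-a时拷入的文件属主是容器内的root,拷贝后请在容器内确认elasticsearch用户可以读取该文件)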
[root@localhost ~]# docker cp elastic-certificates.p12 es-001:/usr/share/elasticsearch/config

8、重启各个服务器

[root@localhost ~]# docker restart es-001
[root@localhost ~]# docker restart es-002
[root@localhost ~]# docker restart es-003

9、配置文件开启xpack

# 进入容器
[root@localhost ~]# docker exec -it es-001 /bin/bash
[root@544ce000ae3e elasticsearch]# pwd
/usr/share/elasticsearch
[root@544ce000ae3e elasticsearch]# cd config

# 添加最后一段(xpack)
[root@544ce000ae3e config]# vi elasticsearch.yml
# elasticsearch.yml for node es-001 as shown in the walkthrough. Step 10
# restarts all three containers, so es-002 and es-003 presumably need the same
# file with their own node.name - the page only shows es-001.
cluster.name: "my-cluster-001"
# NOTE(review): binds to every interface inside the container; together with
# the published host ports this makes the node reachable from every network
# the host is attached to.
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
# NOTE(review): CORS is enabled for every origin ("*"), so any web page a
# user's browser visits may issue cross-origin requests to this cluster.
# Restrict allow-origin to the front ends that need it, or turn CORS off.
http.cors.enabled: true
http.cors.allow-origin: "*"
node.name: es-001
node.master: true
node.data: true

# Use the NIO file-system store and disallow memory-mapped index files.
index.store.type: niofs
node.store.allow_mmap: false

# Cache sizes and circuit-breaker limits, as percentages of the JVM heap.
indices.queries.cache.size: 5%
indices.fielddata.cache.size: 5%
indices.breaker.fielddata.limit: 70%
indices.breaker.request.limit: 60%
indices.breaker.total.limit: 90%
#indices.breaker.total.use_real_memory: true
#bootstrap.memory_lock: true

# Largest HTTP request body the node accepts.
http.max_content_length: 200m

# NOTE(review): the discovery.zen.* names are the pre-7.0 discovery settings.
# Elasticsearch 7.x documents discovery.seed_hosts instead and ignores
# discovery.zen.minimum_master_nodes - confirm against the 7.8 reference.
discovery.zen.ping_timeout: 10s
discovery.zen.fd.ping_timeout: 10000s
discovery.zen.fd.ping_retries: 10
discovery.zen.minimum_master_nodes: 3

# Seed hosts are the transport ports published on the Docker host (9301-9303).
discovery.zen.ping.unicast.hosts: ["10.10.14.16:9301","10.10.14.16:9302","10.10.14.16:9303"]
cluster.initial_master_nodes: ["es-001"]

# Add the xpack certificate configuration.
# Enables security and mutual TLS on the transport (node-to-node) layer; the
# keystore and truststore both point at the PKCS#12 file copied in step 7.
# verification_mode "certificate" checks that the peer certificate chains to a
# trusted CA but does not verify hostnames.
# NOTE(review): no xpack.security.http.ssl.* settings are present, so the REST
# API on 9200 stays plain HTTP and the passwords set in step 11 cross the
# network unencrypted. Enable HTTP TLS before exposing 9200 beyond the host.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

10、重启各个节点

[root@localhost ~]# docker restart es-001
[root@localhost ~]# docker restart es-002
[root@localhost ~]# docker restart es-003

11、在master上为各组件设置密码

[root@localhost ~]# docker exec -it es-001  /bin/bash
[root@544ce000ae3e elasticsearch]# bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

12、查看各节点状态

# master节点对应宿主机的9201端口;green表示集群状态正常,yellow表示有副本分片未分配,red表示有主分片未分配。注意:-u后直接写密码会留在shell历史和进程列表里,只写用户名(-u elastic)时curl会提示输入密码;另外这里走的是未加密的HTTP,口令是明文传输的。
[root@localhost ~]# curl -u elastic:1qaz@WSX -X GET "http://10.10.14.16:9201/_cluster/health?pretty"
{
  "cluster_name" : "my-cluster-001",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 1,
  "active_shards" : 2,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

13、检查每个节点状态

# master列带*的为master节点
[root@localhost ~]# curl -u elastic:1qaz@WSX -X GET "http://10.10.14.16:9201/_cat/nodes?v"
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
172.17.0.4           44          25   0    0.00    0.02     0.05 dilrt     -      es-003
172.17.0.3           54          25   0    0.00    0.02     0.05 dilrt     -      es-002
172.17.0.2           65          25   0    0.00    0.02     0.05 dilmrt    *      es-001

14、添加静态路由

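如果es集群节点分布在多台服务器上,并且节点之间无法互相加入集群,那么需要在两台服务器上分别新增静态路由。这里15节点(10.10.14.15)的docker网段是172.15.0.0/24,16节点(10.10.14.16)的docker网段是172.17.0.0/24。注意172.15.0.0/24不在RFC 1918私有地址范围(172.16.0.0/12)内,用作docker网段可能与公网地址冲突。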

15节点添加静态路由:

# 15-->16
ip route add 172.17.0.0/24 via 10.10.14.16 dev eth0

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.0.0      10.10.14.16     255.255.255.0   UG    0      0        0 eth0

16节点添加静态路由:

ip route add 172.15.0.0/24 via 10.10.14.15 dev eth0

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.15.0.0      10.10.14.15     255.255.255.0   UG    0      0        0 eth0

15、生产环境案例

[root@d3497a20a092 config]# cat elasticsearch.yml
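# Production example: elasticsearch.yml of data node es-node-101.
cluster.name: "gy-cluster" # Cluster name; every node must use the same name to join the same cluster.
network.host: 0.0.0.0  # Interface Elasticsearch binds to; 0.0.0.0 means all interfaces.
http.port: 9200 # Port the HTTP (REST) service listens on.
transport.tcp.port: 9300 # Port used for node-to-node communication.
# NOTE(review): CORS is enabled for every origin ("*"), so any web page a
# user's browser visits may issue cross-origin requests to this cluster.
# Restrict allow-origin to the front ends that need it, or turn CORS off.
http.cors.enabled: true # Enable cross-origin resource sharing (CORS).
http.cors.allow-origin: "*" # Allowed CORS origins; "*" allows every origin.
node.name: es-node-101 # Node name, used to identify this node in the cluster.
node.master: false # Whether the node is master-eligible; false means it can never be elected master.
node.data: true # Whether the node stores index data.

index.store.type: niofs # Index store type; niofs keeps shard files on the file system using NIO.
node.store.allow_mmap: false # Disallow memory-mapped index files (possibly because of hardware or OS limits).

# The next five settings size the caches and circuit breakers, to tune query
# performance and guard against running out of memory.
indices.queries.cache.size: 5%
indices.fielddata.cache.size: 5%
indices.breaker.fielddata.limit: 70%
indices.breaker.request.limit: 60%
indices.breaker.total.limit: 90%
#indices.breaker.total.use_real_memory: true
#bootstrap.memory_lock: true

http.max_content_length: 200mb # Largest HTTP request body the node accepts.

# discovery.zen.*: Zen Discovery behaviour - ping timeouts, retry count and the
# minimum number of master nodes.
# NOTE(review): these are the pre-7.0 setting names; if this cluster runs 7.x,
# discovery.zen.minimum_master_nodes is ignored and discovery.seed_hosts is
# the documented name for the host list - confirm against the running version.
discovery.zen.ping_timeout: 10s
discovery.zen.fd.ping_timeout: 10000s
discovery.zen.fd.ping_retries: 10
discovery.zen.minimum_master_nodes: 3
# Unicast host list used to discover the other nodes of the cluster.
# (A space is required after the colon; without it YAML does not parse the
# line as a key/value pair.)
discovery.zen.ping.unicast.hosts: ["10.10.14.36:9300","10.10.14.36:9301","10.10.14.36:9302","10.10.14.36:9303","10.10.14.49:9300","10.10.14.49:9301","10.10.14.49:9302"]
cluster.initial_master_nodes: ["es-node-106"]

# xpack.security.*: enable and configure the Elastic Stack security features.
# xpack.security.transport.ssl.*: TLS for node-to-node traffic - keystore and
# truststore paths and the client-authentication requirement.
# verification_mode "certificate" checks that the peer certificate chains to a
# trusted CA but does not verify hostnames.
# NOTE(review): no xpack.security.http.ssl.* settings are present, so the REST
# API on 9200 stays plain HTTP and user passwords cross the network
# unencrypted. Enable HTTP TLS before exposing 9200 beyond trusted hosts.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12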