elasticsearch集群搭建

elasticsearch.yml

1 先把无安全集群搭建出来

1.1

其中一个节点配置为

cluster.name: technical-support-sit
node.name: sit-node-128-75
path.data: /data/elastic/es/data
path.logs: /data/elastic/es/log
network.host: 10.201.128.75 # 本机IP
discovery.seed_hosts: ["sit-201-128-10-12-20-03", "sit-201-128-10-12-20-04", "sit-201-128-10-12-20-05"] # hostname
cluster.initial_master_nodes: ["node129-6","node129-5"] #  Bootstrap the cluster using an initial set of master-eligible nodes. node名字

1.2 kibana 配置

server.host: "10.201.128.75"
# The Kibana server's name.  This is used for display purposes.
server.name: "sit-128-75"
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["http://sit-201-128-10-12-20-03:9200"]

分别启动后,访问http://10.201.128.75:5601/,右下角点

了解完,需要先配置最低安全配置,最后再一层一层累加.
这里注意到

集群模式一定要先配置TLS再做如下操作.

配置完启动集群,执行

 ./bin/elasticsearch-setup-passwords auto

配置kibana

elasticsearch.username: "kibana_system"

执行

./bin/kibana-keystore create
./bin/kibana-keystore add elasticsearch.password
./bin/kibana

此时日志会一直INFO打印

...
[2021-12-29T20:16:24,494][INFO ][o.e.x.s.a.RealmsAuthenticator] [sit-node-128-77] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2021-12-29T20:16:34,503][INFO ][o.e.x.s.a.RealmsAuthenticator] [sit-node-128-77] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2021-12-29T20:16:44,471][INFO ][o.e.x.s.a.RealmsAuthenticator] [sit-node-128-77] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2021-12-29T20:16:54,518][INFO ][o.e.x.s.a.RealmsAuthenticator] [sit-node-128-77] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
...

Set up basic security for the Elastic Stack plus secured HTTPS trafficedit

配置完之后INFO会一直打印

...
[2021-12-29T20:45:14,479][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [sit-node-128-77] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.201.128.77:9200, remoteAddress=/10.201.128.77:47767}
[2021-12-29T20:45:18,142][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [sit-node-128-77] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.201.128.77:9200, remoteAddress=/10.201.128.75:22507}
[2021-12-29T20:45:18,367][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [sit-node-128-77] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.201.128.77:9200, remoteAddress=/10.201.128.76:49091}
...

7.16.2版本ES对证书支持正则,在生成证书时也说也可以用正则,而Kibana组件所有的证书不支持,
在执行

./bin/elasticsearch-certutil http

This command generates a .zip file that contains certificates and keys to use with Elasticsearch and Kibana. Each folder contains a README.txt explaining how to use these files.

1. When asked if you want to generate a CSR, enter n.

2. When asked if you want to use an existing CA, enter y.

3. Enter the path to your CA. This is the absolute path to the elastic-stack-ca.p12 file that you generated for your cluster.

4. Enter the password for your CA.

5. Enter an expiration value for your certificate. You can enter the validity period in years, months, or days. For example, enter 90D for 90 days.

6. When asked if you want to generate one certificate per node, enter y.

    Each certificate will have its own private key, and will be issued for a specific hostname or IP address.
   

7. When prompted, enter the name of the first node in your cluster. Use the same node name that you used when generating node certificates.

8. Enter all hostnames used to connect to your first node. These hostnames will be added as DNS names in the Subject Alternative Name (SAN) field in your certificate.

    List every hostname and variant used to connect to your cluster over HTTPS.
   

9. Enter the IP addresses that clients can use to connect to your node.

10. Repeat these steps for each additional node in your cluster.

也就是在6 中,不要看命令提示说可以输入通配符,这里一定不要输入,ES中是可以通过通配符访问,但到kibana中认证时就不支持了

elastic@SIT-201-128-10-12-20-03 es]$ ./bin/elasticsearch-certutil http

## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right
set of files for your needs.

## Do you wish to generate a Certificate Signing Request (CSR)?

A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA). 

If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.

If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR? [y/N]N

## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]y

## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /opt/elastic/es/es/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:

## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y] 10Y

## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]y

## What is the name of node #1?

This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.

You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.

node #1 name: sit-node-128-75

## Which hostnames will be used to connect to sit-node-128-75?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

sit-201-128-10-12-20-03
sit-201-128-10-12-20-04
sit-201-128-10-12-20-05

You entered the following hostnames.

 - sit-201-128-10-12-20-03
 - sit-201-128-10-12-20-04
 - sit-201-128-10-12-20-05

Is this correct [Y/n]Y

## Which IP addresses will be used to connect to sit-node-128-75?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.


You did not enter any IP addresses.

Is this correct [Y/n]Y

## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: sit-node-128-75
Subject DN: CN=sit-node-128-75
Key Size: 2048

Do you wish to change any of these options? [y/N]N
Generate additional certificates? [Y/n]Y

## What is the name of node #2?

This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.

You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.

node #2 name: sit-node-128-76

## Which hostnames will be used to connect to sit-node-128-76?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

sit-201-128-10-12-20-03
sit-201-128-10-12-20-04
sit-201-128-10-12-20-05

You entered the following hostnames.

 - sit-201-128-10-12-20-03
 - sit-201-128-10-12-20-04
 - sit-201-128-10-12-20-05

Is this correct [Y/n]Y

## Which IP addresses will be used to connect to sit-node-128-76?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.


You did not enter any IP addresses.

Is this correct [Y/n]Y

## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: sit-node-128-76
Subject DN: CN=sit-node-128-76
Key Size: 2048

Do you wish to change any of these options? [y/N]N
Generate additional certificates? [Y/n]Y

## What is the name of node #3?

This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.

You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.

node #3 name: sit-node-128-77

## Which hostnames will be used to connect to sit-node-128-77?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

sit-201-128-10-12-20-03
sit-201-128-10-12-20-04
sit-201-128-10-12-20-05

You entered the following hostnames.

 - sit-201-128-10-12-20-03
 - sit-201-128-10-12-20-04
 - sit-201-128-10-12-20-05

Is this correct [Y/n]Y

## Which IP addresses will be used to connect to sit-node-128-77?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.


You did not enter any IP addresses.

Is this correct [Y/n]Y

## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: sit-node-128-77
Subject DN: CN=sit-node-128-77
Key Size: 2048

Do you wish to change any of these options? [y/N]N
Generate additional certificates? [Y/n]N

## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]
Repeat password to confirm: 

## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/opt/elastic/es/elasticsearch-7.16.2/elasticsearch-ssl-http.zip] 

Zip file written to /opt/elastic/es/elasticsearch-7.16.2/elasticsearch-ssl-http.zip

这样操作完之后,日志仍会不断输出INFO

...
[2021-12-30T15:26:26,823][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [sit-node-128-75] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.201.128.75:9200, remoteAddress=/10.201.128.77:42414}
[2021-12-30T15:26:35,077][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [sit-node-128-75] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.201.128.75:9200, remoteAddress=/10.201.128.75:33978}
[2021-12-30T15:27:06,154][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [sit-node-128-75] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.201.128.75:9200, remoteAddress=/10.201.128.76:64747}
[2021-12-30T15:27:06,955][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [sit-node-128-75] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.201.128.75:9200, remoteAddress=/10.201.128.75:33984}
...

# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
# discovery.seed_hosts: ["host1", "host2"]
discovery.seed_hosts: ["10.201.128.75","10.201.128.76","10.201.128.77"] # 需要IP

#
 Bootstrap the cluster using an initial set of master-eligible nodes:
cluster.initial_master_nodes:
        - 10.201.128.75
#        - 10.201.128.76
#        - 10.201.128.77
# 注意:只在初启动群集时有用,如果配置3个node,那么初始化时一定要都启动.

discovery.seed_hosts 也可通过如下做配置

# discovery.seed_hosts: ["10.201.128.75","10.201.128.76","10.201.128.77"]
discovery.seed_providers: file

然后在创建文件 $ES_PATH_CONF/unicast_hosts.txt. 只要unicast_hosts.txt改变,就会传到ES.
unicast_hosts.txt

10.10.10.5
10.10.10.6:9305
10.10.10.5:10005
# an IPv6 address
[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:9301

这时host name是可以代替IP,被 DNS解析. 这时列出所有可以选举master表节点,但要注意如何三个节点,项链宕2个master,则第三个可能不能转换为master.