Elasticsearch 8.2.2 Cluster Installation

1 Cluster environment

Name       IP address
node-01    192.168.85.136
node-02    192.168.85.137
node-03    192.168.85.138

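2 Environment preparation

2.1 Prepare the installation package

  • Download the archive and its SHA-512 checksum file, then verify the download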

    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.2.2-linux-x86_64.tar.gz
    
    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.2.2-linux-x86_64.tar.gz.sha512
    
    shasum -a 512 -c elasticsearch-8.2.2-linux-x86_64.tar.gz.sha512 
    

2.2 Create the admin user

  • Command

    # For security reasons, Elasticsearch cannot be started as root by default
    useradd admin
    

2.3 Grant the admin user administrator privileges

  • Note: run these commands as root

    $ su root
    $ chmod +w /etc/sudoers
    $ vi /etc/sudoers
    
    # Append the following line to the end of the file:
    admin  ALL=(ALL) ALL
    
    $ chmod -w /etc/sudoers
    

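2.4 Change the server's process limits

  • Add user-level file-handle and process limits

    $ sudo vi /etc/security/limits.conf
    *   soft nproc    65535
    *   hard nproc    65535
    *   soft nofile   1000000
    *   hard nofile   1000000
    
    Notes:
    *       applies to all users
    nproc   maximum number of processes
    nofile  maximum number of open files
    
    System-level file handles
    sysctl -w fs.file-max=65536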
    
    
    

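2.5 Set the maximum number of processes per user

  • Set the maximum number of processes for each Linux user; the following sets a Linux user's maximum to 10000

    $ vi /etc/profile
    ulimit -u 10000  # add this line
    
    # Apply the change without rebooting
    $ source  /etc/profile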
    
    

2.6 Adjust the maximum number of virtual memory areas per process

  • Command

    echo "vm.max_map_count=262144" >> /etc/sysctl.conf
    
    sysctl -p
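
The limits from sections 2.4 to 2.6 can be checked before a node is started. The following is an added example, not part of the original post: it parses limits.conf and sysctl.conf style text and compares it with the minimums the Elasticsearch bootstrap checks require (65535 file descriptors, 4096 threads, vm.max_map_count of 262144). The function names and the sample input are constructed for illustration.

```python
import re

# Minimums enforced by the Elasticsearch bootstrap checks on Linux.
REQUIRED = {"nofile": 65535, "nproc": 4096}
MIN_MAX_MAP_COUNT = 262144
# Item names that pam_limits accepts in limits.conf.
VALID_ITEMS = set("core data fsize memlock nofile rss stack cpu nproc as maxlogins "
                  "maxsyslogins priority locks sigpending msgqueue nice rtprio".split())
# Constructed sample input: a misspelled item name and a smart-quoted sysctl line.
SAMPLE_LIMITS = """\
*   soft noproc   65535
*   hard noproc   65535
*   soft nofile   1000000
*   hard nofile   1000000
"""
SAMPLE_SYSCTL = "\u201cvm.max_map_count=262144\u201d\n"

def check_limits(text, user="admin"):
    """Return problems in limits.conf-style text for the given user."""
    problems, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            if fields:
                problems.append(f"line {n}: expected 4 fields")
            continue
        domain, kind, item, value = fields
        if item not in VALID_ITEMS:
            problems.append(f"line {n}: unknown item '{item}'")
        elif domain in ("*", user) and item in REQUIRED:
            for k in (("soft", "hard") if kind == "-" else (kind,)):
                seen[(item, k)] = value
    for item, minimum in REQUIRED.items():
        for kind in ("soft", "hard"):
            value = seen.get((item, kind))
            if value is None:
                problems.append(f"{item}: no {kind} limit set")
            elif value.isdigit() and int(value) < minimum:
                problems.append(f"{item}: {kind} limit {value} < {minimum}")
    return problems

def check_sysctl(text):
    """Return problems with vm.max_map_count in sysctl.conf-style text."""
    m = re.search(r"^\s*vm\.max_map_count\s*=\s*(\d+)\s*$", text, re.M)
    if m is None:
        return ["vm.max_map_count: no parsable assignment"]
    if int(m.group(1)) < MIN_MAX_MAP_COUNT:
        return [f"vm.max_map_count: {m.group(1)} < {MIN_MAX_MAP_COUNT}"]
    return []
```

On a real host, pass the contents of /etc/security/limits.conf and /etc/sysctl.conf to the two functions; an empty list means the file satisfies the minimums.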
    

2.7 Disable the firewall

  • Disable the firewall

3.1 Edit the YAML configuration file

  • node-01

    # Cluster name
    cluster.name: Hadoop
    
    # Node name
    node.name: node-1
    
    # Data path
    path.data: /usr/local/elasticsearch-8.2.2/data
    
    # Logs path
    path.logs: /usr/local/elasticsearch-8.2.2/logs
    
    # Network host
    network.host: 0.0.0.0
    
    # Port
    http.port: 9200
    
    # Discovery
    discovery.seed_hosts: ["192.168.85.136", "192.168.85.137", "192.168.85.138"]
    # Encrypt inter-node communication with TLS
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate  
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12   
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    
  • node-02

    cluster.name: Hadoop
    node.name: node-2
    path.data: /usr/local/elasticsearch-8.2.2/data
    path.logs: /usr/local/elasticsearch-8.2.2/logs
    network.host: 0.0.0.0
    http.port: 9200
    discovery.seed_hosts: ["192.168.85.136", "192.168.85.137", "192.168.85.138"]
    cluster.initial_master_nodes: ["node-1", "node-2", "node-3"]
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate  
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12   
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    
  • node-03

    cluster.name: Hadoop
    node.name: node-3
    path.data: /usr/local/elasticsearch-8.2.2/data
    path.logs: /usr/local/elasticsearch-8.2.2/logs
    network.host: 0.0.0.0
    http.port: 9200
    discovery.seed_hosts: ["192.168.85.136", "192.168.85.137", "192.168.85.138"]
    cluster.initial_master_nodes: ["node-1", "node-2", "node-3"]
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate  
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12   
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
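
The settings above bind each node to every interface and enable TLS only on the transport layer. The following is an added example, not from the original post: it reads flat elasticsearch.yml text and lists the exposure-related choices a reviewer would check. The function names and the sample text are constructed, and the defaults applied to missing keys are those of Elasticsearch 8.x.

```python
# Constructed sample mirroring the flat "key: value" settings shown for the nodes.
SAMPLE_YML = """\
cluster.name: Hadoop
node.name: node-2
network.host: 0.0.0.0
http.port: 9200
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""

def parse_flat_yml(text):
    """Parse flat 'dotted.key: value' lines; nested YAML is out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(settings):
    """Return (setting, finding) pairs; defaults are those of Elasticsearch 8.x."""
    def get(key, default):
        return settings.get(key, default).lower()

    findings = []
    if get("xpack.security.enabled", "true") != "true":
        findings.append(("xpack.security.enabled", "authentication is off"))
    if get("network.host", "_local_") in ("0.0.0.0", "::"):
        findings.append(("network.host", "listens on every interface; "
                         "restrict ports 9200/9300 with a host firewall"))
    if get("xpack.security.transport.ssl.enabled", "false") != "true":
        findings.append(("xpack.security.transport.ssl.enabled",
                         "node-to-node traffic is not encrypted"))
    mode = get("xpack.security.transport.ssl.verification_mode", "full")
    if mode != "full":
        findings.append(("xpack.security.transport.ssl.verification_mode",
                         f"'{mode}' skips hostname verification of the peer"))
    if get("xpack.security.http.ssl.enabled", "false") != "true":
        findings.append(("xpack.security.http.ssl.enabled",
                         "REST API on http.port is plain HTTP"))
    return findings
```

For the sample, `audit(parse_flat_yml(SAMPLE_YML))` reports three settings: `network.host`, the transport `verification_mode`, and the missing `xpack.security.http.ssl.enabled`.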
    

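4.1 Basic security configuration

4.1.1 TLS configuration

  • Generate a certificate authority (CA); this only needs to be done on node1

    ./bin/elasticsearch-certutil ca
    
    a. When prompted, accept the default file name, elastic-stack-ca.p12. This file contains the CA's public certificate and the private key used to sign each node's certificate.
    Enter a password for the CA.
    b. If you are not deploying to production, you can choose to leave the password blank.
    
  • Generate a certificate and private key for the nodes in the cluster; this only needs to be run on node1

    ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    
  • On every node in the cluster, copy the generated node certificate file into the config directory

  • If you entered a password when creating the node certificate, run the following commands to store the password in the Elasticsearch keystore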

    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
    

4.2 Start Elasticsearch

  • Start all three nodes

    # Start in the background
    ./bin/elasticsearch -d
    

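4.3 Change the built-in users' passwords

  • Note: you must set a password for every built-in user, and the cluster must be up and running normally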

    [admin@hadoop01 bin]$ ./elasticsearch-setup-passwords interactive
    ******************************************************************************
    Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This       command will be removed in a future release.
    ******************************************************************************
    
    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
    You will be prompted to enter passwords as the process progresses.
    Please confirm that you would like to continue [y/N]y
    
    
    Enter password for [elastic]: 
    passwords must be at least [6] characters long
    Try again.
    Enter password for [elastic]: 
    Reenter password for [elastic]: 
    Passwords do not match.
    Try again.
    Enter password for [elastic]: 
    Reenter password for [elastic]: 
    Enter password for [apm_system]: 
    Reenter password for [apm_system]: 
    Enter password for [kibana_system]: 
    Reenter password for [kibana_system]: 
    Enter password for [logstash_system]: 
    Reenter password for [logstash_system]: 
    Enter password for [beats_system]: 
    Reenter password for [beats_system]: 
    Enter password for [remote_monitoring_user]: 
    Reenter password for [remote_monitoring_user]: 
    Changed password for user [apm_system]
    Changed password for user [kibana_system]
    Changed password for user [kibana]
    Changed password for user [logstash_system]
    Changed password for user [beats_system]
    Changed password for user [remote_monitoring_user]
    Changed password for user [elastic]
    
  • Restart every node in the cluster

5 Access ES with ES-head

  • Open the address

  • Enter your username and password

    Default username: elastic
    Password: the password you set
    
  • Login succeeded
