Elasticsearch cluster setup in practice and pitfall guide (Elasticsearch installation, enabling authentication, enabling SSL connections, cluster communication configuration)

  • Product: Elasticsearch
  • Version: 7.14.0
  • Environment: CentOS 7

Preparation

Version selection

  • Elasticsearch v7.14.0

Host planning

Hostname    Host IP          Role     Deployment path
esmaster1   100.253.1.49     master   /xswork
esnode1     100.253.232.24   data     /xswork

Download the package

# enter the working directory
cd /work
# fetch the package
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.14.0-linux-x86_64.tar.gz

Server configuration

  • /etc/hosts

Note: with these entries you can use hostnames instead of IP addresses, which makes later configuration and maintenance easier

# append at the end of the file
100.253.1.49 esmaster1
100.253.232.24 esnode1

  • /etc/security/limits.conf

Note:
1. Elasticsearch needs a nofile limit of at least 65536 to start
2. If memlock is too small, Elasticsearch fails to lock memory and will not start

# raise the maximum number of open files
* soft nofile 65536
* hard nofile 65536

# raise the maximum locked memory address space
* soft memlock unlimited
* hard memlock unlimited

  • /etc/sysctl.conf

Note: the default maximum number of virtual memory areas is 65530; Elasticsearch needs 262144 to start

vm.max_map_count=786432
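Before unpacking Elasticsearch it is worth verifying that the limits above actually took effect; they are the same three values behind errors [1] to [3] in Appendix A. The script below is an added example, not from the original post: it parses limits.conf and sysctl-style text with the post's thresholds and, when run directly, checks the live host.

```python
"""Pre-flight check for the limits Elasticsearch's bootstrap checks enforce. Added
example, not from the original post: thresholds and file paths are the post's
(nofile >= 65536, vm.max_map_count >= 262144, memlock unlimited), the checker is mine."""
import resource

NOFILE_MIN = 65536           # error [1] in Appendix A; limits.conf default is 1024
MAX_MAP_COUNT_MIN = 262144   # error [3] in Appendix A; kernel default is 65530

def parse_limits_conf(text):
    """Map (domain, type, item) -> value for every effective line of limits.conf."""
    limits = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(parts) == 4:
            domain, ltype, item, value = parts
            limits[(domain, ltype, item)] = value
    return limits

def check_limits(limits, domain="*"):
    """Findings for the domain (user name or *) that will run Elasticsearch."""
    findings = []
    for ltype in ("soft", "hard"):
        nofile = limits.get((domain, ltype, "nofile"), "1024")
        if nofile != "unlimited" and int(nofile) < NOFILE_MIN:
            findings.append(f"{ltype} nofile {nofile} < {NOFILE_MIN}")
        if limits.get((domain, ltype, "memlock")) != "unlimited":
            findings.append(f"{ltype} memlock not unlimited: memory locking would fail")
    return findings

def check_max_map_count(text):
    """Findings from sysctl.conf text or `sysctl vm.max_map_count` output."""
    value = 65530
    for line in text.splitlines():
        key, sep, raw = line.split("#", 1)[0].replace(" ", "").partition("=")
        if sep and key == "vm.max_map_count":
            value = int(raw)
    return [f"vm.max_map_count {value} < {MAX_MAP_COUNT_MIN}"] if value < MAX_MAP_COUNT_MIN else []

def live_findings():
    """Check this host: the rlimit this process really got plus the live sysctl value."""
    findings = []
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft < NOFILE_MIN:
        findings.append(f"effective nofile {soft} < {NOFILE_MIN}")
    with open("/proc/sys/vm/max_map_count") as f:
        findings += check_max_map_count("vm.max_map_count=" + f.read())
    return findings

if __name__ == "__main__":
    print("\n".join(live_findings()) or "bootstrap limits satisfied")
```

Run it as the user that will start Elasticsearch, after logging in again, because limits.conf only applies to new sessions.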

Configuration and startup

Unpack

# enter the working directory
cd /work
# unpack
tar -zxvf elasticsearch-7.14.0-linux-x86_64.tar.gz

Generate the Elastic security certificates

Run the following on the master node to generate the CA

cd elasticsearch-7.14.0
./bin/elasticsearch-certutil ca

This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:  # just press Enter
Enter password for elastic-stack-ca.p12 :                     # just press Enter

Above we accepted the default file name and entered a password of our own (in my case I left it empty). In the Elasticsearch installation directory we can now see the generated certificate file: elastic-stack-ca.p12

drwxr-xr-x.  2 elk elk   4096 730 04:52 bin
drwxr-xr-x.  3 elk elk    260 831 17:36 config
drwxrwxr-x.  4 elk elk     30 825 18:51 data
-rw-------.  1 elk elk   2672 91 14:21 elastic-stack-ca.p12
drwxr-xr-x.  9 elk elk    107 730 04:52 jdk
drwxr-xr-x.  3 elk elk   4096 730 04:52 lib
-rw-r--r--.  1 elk elk   3860 730 04:47 LICENSE.txt
drwxr-xr-x.  2 elk elk   4096 831 19:09 logs
drwxr-xr-x. 59 elk elk   4096 730 04:53 modules
-rw-rw-r--.  1 elk elk   1414 826 09:33 newfile.crt.pem
-rw-r--r--.  1 elk elk 615722 730 04:51 NOTICE.txt
drwxr-xr-x.  2 elk elk      6 730 04:51 plugins
-rw-r--r--.  1 elk elk   2710 730 04:47 README.asciidoc

Next we run the following command to generate a node certificate:

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Enter password for CA (elastic-stack-ca.p12) :                    # just press Enter
Please enter the desired output file [elastic-certificates.p12]:  # just press Enter
Enter password for elastic-certificates.p12 :                     # use the password set when generating elastic-stack-ca.p12

The command above uses our CA to issue a certificate: elastic-certificates.p12

drwxr-xr-x.  2 elk elk   4096 730 04:52 bin
drwxr-xr-x.  3 elk elk    260 831 17:36 config
drwxrwxr-x.  4 elk elk     30 825 18:51 data
-rw-------.  1 elk elk   3596 91 14:25 elastic-certificates.p12
-rw-------.  1 elk elk   2672 91 14:21 elastic-stack-ca.p12
drwxr-xr-x.  9 elk elk    107 730 04:52 jdk
drwxr-xr-x.  3 elk elk   4096 730 04:52 lib
-rw-r--r--.  1 elk elk   3860 730 04:47 LICENSE.txt
drwxr-xr-x.  2 elk elk   4096 831 19:09 logs
drwxr-xr-x. 59 elk elk   4096 730 04:53 modules
-rw-rw-r--.  1 elk elk   1414 826 09:33 newfile.crt.pem
-rw-r--r--.  1 elk elk 615722 730 04:51 NOTICE.txt
drwxr-xr-x.  2 elk elk      6 730 04:51 plugins
-rw-r--r--.  1 elk elk   2710 730 04:47 README.asciidoc

Copy elastic-certificates.p12 into the config subdirectory of the Elasticsearch installation on both the master node and the data node.

Export the CA certificate as .pem (no private key) for Kibana and Beats to use

openssl pkcs12 -in elastic-stack-ca.p12 -out newfile.crt.pem -clcerts -nokeys

Create users

Edit the master node configuration file

vi ./config/elasticsearch.yml
#esmaster
cluster.name: ITcls
node.name: esmaster1

network.host: 0.0.0.0

discovery.seed_hosts: ["esmaster1", "esnode1"]
cluster.initial_master_nodes: ["esmaster1"]

path.data: /xswork/elasticsearch-7.14.0/data/data
path.logs: /xswork/elasticsearch-7.14.0/data/logs

node.master: true
node.data: true
node.ingest: true
node.ml: true
cluster.remote.connect: false

http.port: 29210
transport.tcp.port: 29310

http.cors.enabled: true
http.cors.allow-origin: "*" 

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# enable when using elastic-agent
# xpack.security.authc.api_key.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Start the master node temporarily

# create the data directory
mkdir data
./bin/elasticsearch

Before the built-in users can be used, their passwords must be set. In the Elasticsearch directory on the master node run the following command and set each built-in user's password at the prompts, choosing whatever passwords you like:

./bin/elasticsearch-setup-passwords interactive

If you prefer random passwords, you can have them generated for you:

./bin/elasticsearch-setup-passwords auto

Once the passwords are set you can log in to Elasticsearch with the built-in users, which are:

elastic: A built-in superuser. See Built-in roles.
kibana: The user Kibana uses to connect and communicate with Elasticsearch.
logstash_system: The user Logstash uses when storing monitoring information in Elasticsearch.
beats_system: The user the Beats use when storing monitoring information in Elasticsearch.
apm_system: The user the APM server uses when storing monitoring information in Elasticsearch.
remote_monitoring_user: The user Metricbeat uses when collecting and storing monitoring information in Elasticsearch. It has the remote_monitoring_agent and remote_monitoring_collector built-in roles.

After the users are created and a test login succeeds, shut down the master node and move on to the next step.

Edit the configuration files

Master node

vi ./config/elasticsearch.yml
#esmaster
cluster.name: ITcls
node.name: esmaster1

network.host: 0.0.0.0

discovery.seed_hosts: ["esmaster1", "esnode1"]
cluster.initial_master_nodes: ["esmaster1"]

path.data: /xswork/elasticsearch-7.14.0/data/data
path.logs: /xswork/elasticsearch-7.14.0/data/logs

node.master: true
node.data: true
node.ingest: true
node.ml: true
cluster.remote.connect: false

http.port: 29210
transport.tcp.port: 29310

http.cors.enabled: true
http.cors.allow-origin: "*" 

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# enable when using elastic-agent
# xpack.security.authc.api_key.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.authc.api_key.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Data node

cluster.name: ITcls
node.name: esnode1

network.host: 0.0.0.0

discovery.seed_hosts: ["esmaster1", "esnode1"]
cluster.initial_master_nodes: ["esmaster1"]

path.data: /xswork/elasticsearch-7.14.0/data/data
path.logs: /xswork/elasticsearch-7.14.0/data/logs

node.master: false
node.data: true
node.ingest: true
node.ml: true
cluster.remote.connect: false

http.port: 29210
transport.tcp.port: 29310

http.cors.enabled: true
http.cors.allow-origin: "*" 

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.authc.api_key.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
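The same keys appear in three variants above: the temporary start without HTTP TLS, then the final master and data node files. The script below is an added example, not from the original post, that parses a flat elasticsearch.yml like these and reports what a config reviewer would flag; the constructed samples mirror the temporary and the final master configuration.

```python
"""Audit the security-relevant keys of an elasticsearch.yml like the ones above. Added
example, not from the original post: the keys are real 7.x settings, the findings and
their severities are mine. Handles only the flat `key: value` style used in the post."""
import sys

def parse_flat_yaml(text):
    """Flat `key: value` lines -> dict; comments dropped, surrounding quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(settings):
    """Return (severity, message) pairs; an empty list means nothing to fix."""
    get = lambda key, default="false": settings.get(key, default).lower()
    findings = []
    if get("xpack.security.enabled") != "true":
        findings.append(("HIGH", "xpack.security.enabled is not true: REST and transport APIs need no login"))
    if get("xpack.security.transport.ssl.enabled") != "true":
        findings.append(("HIGH", "transport TLS off: node-to-node traffic, replicated documents included, is cleartext"))
    host = get("network.host", "_local_")
    if host not in ("_local_", "127.0.0.1", "localhost") and get("xpack.security.http.ssl.enabled") != "true":
        findings.append(("HIGH", f"network.host {host} with HTTP TLS off: basic-auth passwords cross the wire in cleartext"))
    mode = get("xpack.security.transport.ssl.verification_mode", "full")
    if mode == "none":
        findings.append(("HIGH", "verification_mode none: any certificate is accepted on the transport layer"))
    elif mode == "certificate":
        findings.append(("INFO", "verification_mode certificate: CA checked but not the hostname (needed for certs without SANs)"))
    if get("http.cors.enabled") == "true" and settings.get("http.cors.allow-origin") == "*":
        findings.append(("MEDIUM", "http.cors.allow-origin '*': limit it to the origins that need it, e.g. the cerebro host"))
    return findings

# Constructed samples: the keys the temporary start uses, then the final master config with HTTP TLS.
TEMP_START = """\
network.host: 0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
"""
FINAL = TEMP_START + "xpack.security.http.ssl.enabled: true\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FINAL   # audit a real file or the sample
    for severity, message in audit(parse_flat_yaml(text)):
        print(f"[{severity}] {message}")
```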

Start the master node

./bin/elasticsearch -d

HTTPS mode is now configured in the configuration file, so https must be used when accessing it, for example https://100.253.1.49:29210.

Start the data node

# create the data directory
mkdir data
./bin/elasticsearch -d

Check the cluster status

curl --user youruser:yourpasswd -XGET 'https://100.253.1.49:29210/_cluster/health?pretty' -k

{
  "cluster_name" : "ITcls",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "active_primary_shards" : 31,
  "active_shards" : 61,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
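The -k in the curl above turns certificate verification off entirely. The following added script (mine, not the post's) uses the newfile.crt.pem exported earlier to validate the chain and then reports whether the node certificate actually names the host; a certificate issued by elasticsearch-certutil cert without --dns or --ip, as above, carries no subject alternative names, which is why clients reject it and -k was needed.

```python
"""Why the curl above needs -k: connect to the HTTPS port, validate the chain against
the CA exported earlier (newfile.crt.pem) and report whether the leaf certificate
names the host. Added example, not from the original post; the host, port and file
names are the post's, the checker is mine."""
import socket, ssl, sys

def cert_names(cert):
    """DNS and IP names from a certificate dict as returned by SSLSocket.getpeercert()."""
    return {value for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")}

def hostname_matches(cert, host):
    """curl and browsers match SANs only (the CN is ignored); wildcard on the left-most label."""
    for name in cert_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def inspect_server(host, port, ca_file):
    """Validate the chain with ca_file but report, not fail, a hostname mismatch."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False            # we decide below whether the name matches
    ctx.verify_mode = ssl.CERT_REQUIRED   # the chain must still validate against the CA
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # handshake fails on a bad chain
            cert = tls.getpeercert()
    return {"names": sorted(cert_names(cert)), "hostname_ok": hostname_matches(cert, host)}

if __name__ == "__main__":
    host, port, ca_file = sys.argv[1], int(sys.argv[2]), sys.argv[3]   # e.g. esmaster1 29210 newfile.crt.pem
    try:
        result = inspect_server(host, port, ca_file)
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"chain does not validate against {ca_file}: {exc}")
    print(result)
    if not result["hostname_ok"]:
        print(f"no SAN for {host}: reissue with elasticsearch-certutil cert --dns/--ip "
              "so clients can verify it and -k can be dropped")
```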

Installing the cerebro GUI

Fetch the archive

wget https://github.com/lmenezes/cerebro/releases/download/v0.9.2/cerebro-0.9.2.tgz

Unpack

tar -zxvf cerebro-0.9.2.tgz

Edit the configuration

# change the port to a custom one
vi cerebro-0.9.4/conf/application.conf
play {
  # Cerebro port, by default it's 9000 (play's default)
  server.http.port = 29220
}

Start

nohup ./cerebro &

Open http://<ip address>:<port> in a browser to test, for example http://100.253.1.49:29220

Appendix A: startup failure troubleshooting

# Summary of errors and their fixes; in production, set the parameters according to your actual situation
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
Fix: raise the file descriptor limit
Append the following to /etc/security/limits.conf (esuser is the user name; * can be used instead)
# maximum number of file descriptors any user may open; the default is 1024, and this value also limits TCP connections
# soft is a warning threshold, hard is the real limit and exceeding it raises an error
# the soft limit may not be higher than the hard limit
* soft nofile 65536
* hard nofile 65536

[2]: memory locking requested for elasticsearch process but memory is not locked
Fix: memory locking failed
Append the following to /etc/security/limits.conf (* means all users on the system)
# maximum locked memory address space, in KB
* soft memlock unlimited
* hard memlock unlimited

[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
Fix: maximum virtual memory too small
Add to /etc/sysctl.conf
vm.max_map_count=888888
Then run sysctl -p

[4]: max ERROR: bootstrap checks failed
Edit the elasticsearch.yml configuration file to allow access from outside the host.
vim config/elasticsearch.yml
add network.host: 0.0.0.0

[5]: other: Elasticsearch must not be started as root, and the firewall between the cluster nodes must be turned off
How to turn off the firewall:
systemctl stop firewalld.service #stop firewalld
systemctl disable firewalld.service #keep firewalld from starting at boot
firewall-cmd --state #show the firewall status (shows "not running" after stopping, "running" when enabled)
