Elasticsearch 8.3 Cluster Setup and Troubleshooting Notes

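1. Introduction

In the previous post we covered installing a single Elasticsearch node, which is what we usually need during development, learning and testing. In production, however, we deploy a cluster to ensure high availability and reliability. This post describes how to build a cluster with Security enabled.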

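2. Cluster plan

| Server node name | ES node name | Node IP | Path | Cluster name |
|---|---|---|---|---|
| node-1 | es-node-1 | 192.168.0.88 | /opt/elasticsearch-8.3.3 | my-es |
| node-2 | es-node-2 | 192.168.0.89 | /opt/elasticsearch-8.3.3 | my-es |
| node-3 | es-node-3 | 192.168.0.90 | /opt/elasticsearch-8.3.3 | my-es |

Configure the initial environment of every machine in the cluster as described in the troubleshooting notes of the earlier post: "Elasticsearch single-node deployment tutorial and pitfalls" (CSDN blog).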

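3. Issue certificates
3.1 Issue the CA certificate
# 1. Issue the CA certificate (press Enter twice; elastic-stack-ca.p12 is generated in the current directory)
bin/elasticsearch-certutil ca
# 2. Use the CA certificate to issue the node certificate (press Enter three times; elastic-certificates.p12 is generated in the current directory)
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# 3. Move the two generated files into config/certs
mkdir -p config/certs
mv elastic-stack-ca.p12 elastic-certificates.p12 config/certs/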
3.2 Set up the multi-node cluster HTTP certificate on the first server node, es-node-1
# 1. Generate the HTTP certificate
bin/elasticsearch-certutil http
# Answer the prompts in order as follows:
# 1) Generate a CSR? [y/N] n
# 2) Use an existing CA? [y/N] y
# 3) CA Path: certs/elastic-stack-ca.p12    # Note: the path has to be typed in
# 4) Password for elastic-stack-ca.p12:     # press Enter
# 5) For how long should your certificate be valid? [5y] 100y # validity period; the default is 5 years, set to 100 years here
# 6) Generate a certificate per node? [y/N] n
# 7) Enter the cluster hostnames: Enter all the hostnames that you need, one per line. When you are done, press <ENTER> once more to move on to the next step.
node-1
node-2
node-3
# 8) Enter the cluster IPs: Enter all the IP addresses that you need, one per line. When you are done, press <ENTER> once more to move on to the next step.
192.168.0.88
192.168.0.89
192.168.0.90
# 9) Leave the certificate options unchanged: Do you wish to change any of these options? [y/N] n
# 10) If you wish to use a blank password, simply press <enter> at the prompt below. Provide a password for the "http.p12" file:  [<ENTER> for none]  # press Enter
# 11) Keep the default output file name: What filename should be used for the output zip file? [/opt/elasticsearch-8.3.3/elasticsearch-ssl-http.zip] # press Enter
# 2. Unpack the generated archive (elasticsearch-ssl-http.zip)
unzip elasticsearch-ssl-http.zip
# 3. Move the HTTP certificate into the config/certs directory
mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem config/certs
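3.3 Sync the generated certificates to the other nodes
# Copy the certificates with a remote copy command
scp config/certs/* node-2:/opt/elasticsearch-8.3.3/config/certs/  # same for node-3
4. Configuration files
4.1 Node 1 configuration file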
# ---------------------------------- Cluster -----------------------------------
# Use a descriptive name for your cluster:
cluster.name: my-es
# ------------------------------------ Node ------------------------------------
# Use a descriptive name for the node:
node.name: es-node-1
# Add custom attributes to the node:
#node.attr.rack: r1
# ----------------------------------- Paths ------------------------------------
# Path to directory where to store the data (separate multiple locations by comma):
#path.data: /path/to/data
# Path to log files:
#path.logs: /path/to/logs
# ----------------------------------- Memory -----------------------------------
# Lock the memory on startup:
#bootstrap.memory_lock: true
# ---------------------------------- Network -----------------------------------
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
network.host: node-1
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
http.port: 9200
# For more information, consult the network module documentation.
# --------------------------------- Discovery ----------------------------------
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
discovery.seed_hosts: ["node-1","node-2","node-3"]
# Bootstrap the cluster using an initial set of master-eligible nodes:
#cluster.initial_master_nodes: ["node-1", "node-2"]
# For more information, consult the discovery and cluster formation module documentation.
# --------------------------------- Readiness ----------------------------------
# Enable an unauthenticated TCP readiness endpoint on localhost
#readiness.port: 9399
# ---------------------------------- Various -----------------------------------
# Allow wildcard deletion of indices:
#action.destructive_requires_name: false
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
## Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
## Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12    # the HTTP certificate generated in 3.2
  truststore.path: certs/http.p12
  client_authentication: none
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12    # the node certificate issued by the CA in 3.1
  truststore.path: certs/elastic-certificates.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["es-node-1"]
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0
ingest.geoip.downloader.enabled: false
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
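
The security settings in this file can be checked mechanically before the nodes are started. The following Python sketch is an added example, not part of the original post: it flattens the settings into dotted keys and reports the ones that need attention. The sample text is a constructed excerpt of the configuration above, and the function names flatten and audit are hypothetical.

```python
import re

# Constructed excerpt of the node-1 elasticsearch.yml above (assumption: same values).
SAMPLE = """\
xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12    # node certificate
cluster.initial_master_nodes: ["es-node-1"]
#transport.host: 0.0.0.0
"""

def flatten(text):
    """Flatten the one-level nesting used in elasticsearch.yml into dotted keys."""
    settings, prefix = {}, ""
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()    # drop trailing comments
        if not line or line.startswith("#"):           # blank or comment-only line
            continue
        key, _, value = line.strip().partition(":")
        if line[0].isspace():                          # child of the last block header
            settings[prefix + key] = value.strip()
        elif value.strip():                            # top-level "key: value"
            settings[key], prefix = value.strip(), ""
        else:                                          # block header such as "a.b.ssl:"
            prefix = key + "."
    return settings

def audit(text):
    """Return (setting, finding) pairs for the security settings that need attention."""
    s, sec, out = flatten(text), "xpack.security.", []
    if s.get(sec + "enabled", "true") != "true":       # security is on by default in 8.x
        out.append((sec + "enabled", "authentication and authorization are disabled"))
    for layer in ("http", "transport"):                # TLS is off unless enabled
        if s.get(f"{sec}{layer}.ssl.enabled") != "true":
            out.append((f"{sec}{layer}.ssl.enabled", f"{layer} traffic is not encrypted"))
    if s.get(sec + "transport.ssl.verification_mode", "full") != "full":
        out.append((sec + "transport.ssl.verification_mode",
                    "peer hostname/IP is not checked against the certificate"))
    if "cluster.initial_master_nodes" in s:
        out.append(("cluster.initial_master_nodes",
                    "remove after the cluster has formed for the first time"))
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

For this configuration it reports two settings: `verification_mode: certificate` verifies the certificate chain but not the peer's hostname (`full` needs node certificates that carry each node's DNS name or IP), and `cluster.initial_master_nodes` is only needed for the first bootstrap.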
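4.2 Node 2 configuration file

Only the following two settings need to change; everything else stays the same.

# 1. Node name
node.name: es-node-2
# 2. Node host name
network.host: node-2
4.3 Node 3 configuration file

Only the following two settings need to change; everything else stays the same.

# 1. Node name
node.name: es-node-3
# 2. Node host name
network.host: node-3
5. Startup
# 1. Start in order (run on each of the three nodes in turn)
bin/elasticsearch -d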

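Cluster verification (with two nodes started as an example)

6. Troubleshooting notes
6.1 A node cannot join the cluster

Cause: the files on the other nodes were all copied from the first node, including the data directory.

Fix: clear the data directory on the new node, then start it again.

7. Summary

This post walked through building an Elasticsearch cluster in detail. The configuration is somewhat more involved than for a single node, but following the steps above is enough to get the cluster up and running.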
