  • ES 6.8.5 cluster deployment (using X-Pack SSL)

    Installation steps (6.8.5 using X-Pack SSL)

    1.1 Environment deployment

    Database deployment

    Node      IP               Role
    Host01    192.168.1.134
    Host02    192.168.1.135
    Host03    192.168.1.85

    1.2 Install Java

    Install Java and make sure the version is 1.8 or later.

    [root@localhost ~]# java -version

    java version "1.8.0_151"

    Java(TM) SE Runtime Environment (build 1.8.0_151-b12)

    Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)

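    The installation itself is omitted here.

    Java must be installed on every machine.

    1.3 Create a non-root user

    Because ES cannot be started as root, a non-root user has to be created. Here I create the crate user.

    # useradd yeemiao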

     

     

    1.4 Configure environment variables for the non-root user (yeemiao)

     

    [crate@localhost ~]$ more .bash_profile

    # .bash_profile

     

    # Get the aliases and functions

    if [ -f ~/.bashrc ]; then

            . ~/.bashrc

    fi

     

    # User specific environment and startup programs

    JAVA_HOME=/usr/local/jdk1.8.0_151

    PATH=$JAVA_HOME/bin:$PATH:$HOME/bin

     

    export PATH

    [crate@local

     

     

    1.5 Modify /etc/security/limits.conf and sysctl

    Append the following two entries to the end of that file, then log out and log back in.

    *        hard    nofile           65536

    *        soft    nofile           65536

     

     

    [root@localhost /]# sysctl -w vm.max_map_count=262144

     

    1.6 Download the installation media

    Download from https://www.elastic.co/downloads/elasticsearch; here I downloaded elasticsearch-6.8.5.tar.gz.

    1.7 Extract and install

    Install on every machine.

    [root@localhost soft]# tar -xvf elasticsearch-6.8.5.tar.gz

    [root@localhost soft]# mv elasticsearch-6.8.5 /home/yeemiao/elasticsearch685_jq

    [root@localhost soft]# cd /home/yeemiao

    [root@localhost yeemiao]# chown -R yeemiao.yeemiao ./elasticsearch685_jq

     

    1.8 Create the required directories

    Run this on every machine.

    [root@localhost yeemiao]# su - yeemiao

    [yeemiao@localhost ~]$ cd elasticsearch685_jq

    [yeemiao@localhost elasticsearch685_jq]$ mkdir data

     

    This directory stores the data files.

     

     

    1.9 Edit the configuration file

    vi /home/yeemiao/elasticsearch685_jq/config/elasticsearch.yml

     

    cluster.name: jq685

    node.name: node-135

    path.data: /home/yeemiao/elasticsearch685_jq/data

    path.logs: /home/yeemiao/elasticsearch685_jq/logs

    network.host: 192.168.1.135

    http.port: 29200

    discovery.zen.ping.unicast.hosts: ["192.168.1.134", "192.168.1.135","192.168.1.85"]

    discovery.zen.minimum_master_nodes: 2

     

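    scp the configuration file to the other machines, then change the node-specific values (marked in red in the original post):

    Change node.name to node-134 and node-85 respectively.

    Change network.host to the IP address of the corresponding machine.

    1.10 JVM configuration

    Set this on every machine.

    Because Elasticsearch is written in Java, JVM settings can be configured through the /etc/elasticsearch/jvm.options file. Unless you have special requirements, the defaults are fine.

    The two most important options, however, are -Xmx1g and -Xms1g, the JVM's maximum and minimum memory. If the value is too small, Elasticsearch stops right after it starts; if it is too large, it slows down the system itself.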

     

     

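    1.11 Set the memory size

    Set this on every machine.

    vi /home/yeemiao/elasticsearch/bin/elasticsearch

    # ES_HEAP_SIZE is no longer supported since Elasticsearch 5.0; set the heap through ES_JAVA_OPTS (or -Xms/-Xmx in jvm.options)
    export ES_JAVA_OPTS="-Xms4g -Xmx4g"

    Also add the following entry to the configuration file elasticsearch.yml:

    # named bootstrap.mlockall before Elasticsearch 5.0; needs an unlimited memlock limit for the yeemiao user
    bootstrap.memory_lock: true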

    1.12 Start

    Start it on every machine.

    [root@localhost opt]# su - yeemiao

    [yeemiao@localhost bin]$ cd /home/yeemiao/elasticsearch685_jq/bin

    [yeemiao@localhost bin]$ ./elasticsearch -d

     

     

    1.13 Secure access to Elasticsearch with X-Pack

    Starting with ES 6.8, X-Pack can be used for free, so no cracking is needed to use it.

    1.13.1  Run elasticsearch-certgen on any one machine

    Here I run it on 192.168.1.134.

    [yeemiao@localhost bin]$ ./elasticsearch-certgen

    Please enter the desired output file [certificate-bundle.zip]: cert.zip

    Enter instance name: jq685

    Enter name for directories and files [jq685]: elasticsearch

    Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.1.134,192.168.1.135,192.168.1.85

    Enter DNS names for instance (comma-separated if more than one) []: node-134,node-135,node-85

    Would you like to specify another instance? Press 'y' to continue entering instance information:

    Certificates written to /home/yeemiao/elasticsearch685_jq/bin/cert.zip

     

    This file should be properly secured as it contains the private keys for all

    instances and the certificate authority.

     

    After unzipping the file, there will be a directory for each instance containing

    the certificate and private key. Copy the certificate, key, and CA certificate

    to the configuration directory of the Elastic product that they will be used for

    and follow the SSL configuration instructions in the product guide.

     

    For client applications, you may only need to copy the CA certificate and

    configure the client to trust this certificate.

     

     

    Enter instance name: jq685 ## the instance name can be chosen freely

    Enter name for directories and files [jq685]: elasticsearch ## the directory for the SSL files; can be chosen freely

    Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.1.134,192.168.1.135,192.168.1.85  ## the IP of every node

    Enter DNS names for instance (comma-separated if more than one) []: node-134,node-135,node-85 ## the node names, i.e. the node.name values defined in the configuration file

    1.13.2  Copy cert.zip to each of the three machines

    Copy cert.zip to the /home/yeemiao/elasticsearch685_jq folder on each of the three machines and unzip it, which produces the ca and elasticsearch directories; then edit the configuration file elasticsearch.yml.

    [yeemiao@localhost config]$ scp cert.zip yeemiao@192.168.1.135:/home/yeemiao/elasticsearch685_jq/config/

    [yeemiao@localhost config]$ scp cert.zip yeemiao@192.168.1.85:/home/yeemiao/elasticsearch685_jq/config/

    Unzip:

    bash-4.2$ cd /home/yeemiao/elasticsearch685_jq/config/

    bash-4.2$ unzip cert.zip

     

    1.13.3  Edit the configuration file

    Append the following to the end of the configuration file on every machine:

    xpack.security.enabled: true

    xpack.security.transport.ssl.enabled: true

    xpack.ssl.key: elasticsearch/elasticsearch.key

    xpack.ssl.certificate: elasticsearch/elasticsearch.crt

    xpack.ssl.certificate_authorities: ca/ca.crt
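
    The script below is an added example, not part of the original post: a POSIX shell audit of a node's config directory after steps 1.13.2 and 1.13.3. It flags what this procedure leaves open: TLS is enabled for the transport layer only, so the REST port (29200 here) still speaks plain HTTP, and the unzipped cert.zip carries the CA private key that certgen's own warning mentions. The function names and finding codes are hypothetical, and it assumes the flat key: value layout of elasticsearch.yml shown above.

```shell
#!/bin/sh
# Added example: audit an Elasticsearch 6.8 config directory against the
# X-Pack settings from this page. Finding codes are this script's own.

# Print the value of a flat "key: value" line in elasticsearch.yml.
yml_get() {  # $1 = file, $2 = setting name
  awk -v k="$2" '
    { sub(/[ \t\r]+$/, "") }
    index($0, k ":") == 1 { v = substr($0, length(k) + 2); sub(/^[ \t]+/, "", v) }
    END { print v }' "$1"
}

audit_es_config() {  # $1 = config directory; prints findings, returns 1 if any
  es_dir=$1; es_yml=$1/elasticsearch.yml; es_rc=0
  [ "$(yml_get "$es_yml" xpack.security.enabled)" = true ] ||
    { echo "SECURITY_DISABLED: xpack.security.enabled is not true"; es_rc=1; }
  [ "$(yml_get "$es_yml" xpack.security.transport.ssl.enabled)" = true ] ||
    { echo "TRANSPORT_PLAINTEXT: node-to-node traffic is unencrypted"; es_rc=1; }
  # Transport TLS does not cover the REST port: without this setting,
  # basic-auth passwords cross the network over plain HTTP.
  [ "$(yml_get "$es_yml" xpack.security.http.ssl.enabled)" = true ] ||
    { echo "HTTP_PLAINTEXT: REST credentials are sent in cleartext"; es_rc=1; }
  # Relative key paths are resolved against the config directory.
  es_key=$(yml_get "$es_yml" xpack.ssl.key)
  if [ -n "$es_key" ] && [ -f "$es_dir/$es_key" ]; then
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld "$es_dir/$es_key" | cut -c5-10)" = "------" ] ||
      { echo "KEY_PERMS: $es_key is accessible beyond its owner"; es_rc=1; }
  else
    echo "KEY_MISSING: xpack.ssl.key unset or file not found"; es_rc=1
  fi
  # cert.zip carries the CA private key too; nodes only need ca/ca.crt.
  [ ! -e "$es_dir/ca/ca.key" ] ||
    { echo "CA_KEY_ON_NODE: keep ca/ca.key off the nodes"; es_rc=1; }
  [ ! -e "$es_dir/cert.zip" ] ||
    { echo "BUNDLE_LEFT: cert.zip still holds every private key"; es_rc=1; }
  return $es_rc
}

# Constructed sample: the settings from section 1.13.3 in a scratch directory.
demo=$(mktemp -d); mkdir -p "$demo/elasticsearch" "$demo/ca"
printf '%s\n' 'xpack.security.enabled: true' \
  'xpack.security.transport.ssl.enabled: true' \
  'xpack.ssl.key: elasticsearch/elasticsearch.key' > "$demo/elasticsearch.yml"
: > "$demo/elasticsearch/elasticsearch.key"; : > "$demo/ca/ca.key"
chmod 644 "$demo/elasticsearch/elasticsearch.key"
audit_es_config "$demo" || echo "findings above need fixing"
rm -rf "$demo"
```

    On a real node, pass the config directory, for example /home/yeemiao/elasticsearch685_jq/config.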

     

     

    1.13.4  Restart

    1.13.5  Set passwords

    Run this on one of the machines; here I run it on 192.168.1.134, and I set every password to elastic.

    [yeemiao@localhost bin]$ ./elasticsearch-setup-passwords interactive

    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.

    You will be prompted to enter passwords as the process progresses.

    Please confirm that you would like to continue [y/N]y

     

     

    Enter password for [elastic]:

    Reenter password for [elastic]:

    Enter password for [apm_system]:

    Reenter password for [apm_system]:

    Enter password for [kibana]:

    Reenter password for [kibana]:

    Enter password for [logstash_system]:

    Reenter password for [logstash_system]:

    Enter password for [beats_system]:

    Reenter password for [beats_system]:

    Enter password for [remote_monitoring_user]:

    Reenter password for [remote_monitoring_user]:

    Changed password for user [apm_system]

    Changed password for user [kibana]

    Changed password for user [logstash_system]

    Changed password for user [beats_system]

    Changed password for user [remote_monitoring_user]

    Changed password for user [elastic]

     

     

     

    1.14 Verification

    curl -u elastic:elastic 'http://192.168.1.134:29200/_cat/nodes?v'

    curl -u elastic:elastic 'http://192.168.1.135:29200/_cat/nodes?v'

    curl -u elastic:elastic 'http://192.168.1.85:29200/_cat/nodes?v'

    curl -u elastic:elastic 'http://192.168.1.134:29200/_cat/health?v'

  • Original article: https://www.cnblogs.com/hxlasky/p/13393408.html