es6.8.5集群部署(tsl认证)

环境:
OS:Centos 7
es:6.8.5

节点1:192.168.1.101
节点2:192.168.1.104
节点3:192.168.1.105

######################################每个节点安装es#####################
1.创建中间件安装目录和数据文件、日志文件目录
[root@es soft]# mkdir -p /usr/local/services
[root@es soft]# mkdir -p /home/middle/elasticsearch/data
[root@es soft]# mkdir -p /home/middle/elasticsearch/logs

2.创建用户和用户组
groupadd -g 1500 elasticsearch
useradd -u 1500 -g elasticsearch elasticsearch
passwd elasticsearch

3.上传安装包到服务器并解压安装
解压缩并创建数据目录
[root@rac01 soft]# cd /soft
[root@rac01 soft]# tar -xvf elasticsearch-6.8.5.tar.gz
[root@rac01 soft]# mv elasticsearch-6.8.5 /usr/local/services/elasticsearch

4.将elasticsearch目录权限修改为elasticsearch
[root@es config]# cd /usr/local/services
[root@es services]# chown -R elasticsearch.elasticsearch ./elasticsearch

同时修改数据文件和日志文件目录给到elasticsearch
[root@es services]# cd /home/middle
[root@es middle]#chown -R elasticsearch.elasticsearch ./elasticsearch

5.创建备份目录
[root@rac01 home]#mkdir -p /home/middle/esbak
[root@rac01 home]#cd /home/middle
[root@rac01 home]#chown -R elasticsearch.elasticsearch ./esbak

6.修改配置文件
[root@rac01 middle]# su - elasticsearch
[elasticsearch@rac01 ~]$ cd /usr/local/services/elasticsearch/config
[elasticsearch@es config]$ vi elasticsearch.yml

cluster.name: escluster_hxl
node.name: node-101
path.data: /home/middle/elasticsearch/data
path.logs: /home/middle/elasticsearch/logs
network.host: 192.168.1.101
http.port: 19200
discovery.zen.ping.unicast.hosts: ["192.168.1.101", "192.168.1.104","192.168.1.105"]
discovery.zen.minimum_master_nodes: 2
path.repo: /home/middle/esbak
http.cors.enabled: true
http.cors.allow-origin: "*"

另外2个节点的配置文件只需要修改node.name和network.host
节点2:
node.name: node-104
network.host: 192.168.1.104

节点3:
node.name: node-105
network.host: 192.168.1.105

7.修改jvm参数(/usr/local/services/elasticsearch/config/jvm.options)
-Xms8g
-Xmx8g

9.修改/usr/local/services/elasticsearch/bin/elasticsearch
# ES_JAVA_OPTS="-Xms8g -Xmx8g" ./bin/elasticsearch
export ES_HEAP_SIZE=8g

10.系统参数设置
每个节点上都要执行,这里确保每台机器都能启动
[root@rac01 middle]# su - elasticsearch
[elasticsearch@rac01 ~]$ ulimit -Hn
65536

检查是否是65536,不是的话修改修改
/etc/security/limits.conf,该文件最后加入

* soft nofile 65536
* hard nofile 65536

报错的话:
[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
在 /etc/sysctl.conf 文件最后添加一行
[root@localhost ~]#vm.max_map_count=262144
[root@localhost ~]#sysctl -p

11.关闭防火墙
systemctl status firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service

12.安装java 1.8,否则启动的时候报错误
参考连接:
https://www.cnblogs.com/hxlasky/p/14775706.html

13.启动
3个节点都配置完成后再启动
每个节点上都要执行,这里确保每台机器都能启动
[root@rac01 middle]# su - elasticsearch
[elasticsearch@es ~]$ cd /usr/local/services/elasticsearch/bin
./elasticsearch -d

14.检查启动情况
curl 'http://192.168.1.101:19200/_cat/nodes?v'
curl http://192.168.1.104:19200/?pretty
curl http://192.168.1.105:19200/?pretty
curl -X GET 'http://192.168.1.101:19200/_cat/indices?v'

#####################################生成证书###############################

在其中一个节点上操作,我这里上在节点1上操作
1.执行命令创建ca 执行:

su - elasticsearch
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@rac01 bin]$ ./elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: ##直接回车
Enter password for elastic-stack-ca.p12 : ##直接回车

su - elasticsearch
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@rac01 bin]$ ./elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: ##直接回车
Enter password for elastic-stack-ca.p12 : ##直接回车

2.根据elastic-stack-ca.p12文件 生成elastic-certificates.p12
执行命令为:elasticsearch-certutil cert --ca elastic-stack-ca.p12

[elasticsearch@rac01 bin]$./elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) : ##直接回车
Please enter the desired output file [elastic-certificates.p12]: ##直接回车
Enter password for elastic-certificates.p12 : ##直接回车

将这两个文件拷贝到config目录下面
[elasticsearch@rac01 bin]$ mv elastic-stack-ca.p12 ../config/
[elasticsearch@rac01 bin]$ mv elastic-certificates.p12 ../config/

3.将节点1上的两个文件拷贝到另外的节点
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/config
[elasticsearch@rac01 config]$ scp elastic-certificates.p12 192.168.1.104:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 config]$ scp elastic-stack-ca.p12 192.168.1.104:/usr/local/services/elasticsearch/config/

[elasticsearch@rac01 config]$ scp elastic-certificates.p12 192.168.1.105:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 config]$ scp elastic-stack-ca.p12 192.168.1.105:/usr/local/services/elasticsearch/config/

4.修改配置文件
每台机器上的配置文件在最后面添加如下内容:

[root@rac01 middle]# su - elasticsearch
vi /usr/local/services/elasticsearch/config/elasticsearch.yml
添加如下配置项
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

5.杀掉每个节点的es进程
kill -9 进程id

6.重新启动每个节点
su - elasticsearch
/usr/local/services/elasticsearch/bin/elasticsearch -d

这个时候使用就需要密码访问了

[elasticsearch@localhost config]$ curl 'http://192.168.1.101:19200/_cat/nodes?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication token for REST request [/_cat/nodes?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication token for REST request [/_cat/nodes?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

7.设置密码

在其中一台机器上执行,我这里在节点1上执行 这台机器上执行,我这里密码全部设置为 elastic
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@rac01 bin]$ ./elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

7.验证
curl -u elastic:elastic 'http://192.168.1.101:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.1.104:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.1.105:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.1.101:19200/_cat/health?v'

8.数据验证
查看索引:
curl -u elastic:elastic -X GET 'http://192.168.1.101:19200/_cat/indices?v'

在节点1上创建索引和写入数据
curl -u elastic:elastic -XPUT 'http://192.168.1.101:19200/db_customer'
curl -u elastic:elastic -H "Content-Type: application/json" -XPUT 'http://192.168.1.101:19200/db_customer/tb_test/1' -d '{"name": "huangxueliang"}'

查看数据
curl -u elastic:elastic -XGET 'http://192.168.1.101:19200/db_customer/tb_test/1?pretty'

在其他的节点上查看该数据
curl -u elastic:elastic -XGET 'http://10.7.81.131:19200/db_customer/tb_test/1?pretty'
curl -u elastic:elastic -XGET 'http://10.7.81.132:19200/db_customer/tb_test/1?pretty'

删除索引
curl -u elastic:elastic -XDELETE 'http://10.7.81.131:19200/db_customer?pretty'

################################角色验证###########################

1.没有特殊指定,如下两个参数默认都是true
node.master: true
node.data: true

2.验证
节点1
node.master: true
node.data: false

重启该节点
kill 进程号
/usr/local/services/elasticsearch/bin/elasticsearch -d

尝试写入数据(发现是可以写入数据的):
curl -u elastic:elastic -XPUT 'http://192.168.1.101:19200/db_customer'
curl -u elastic:elastic -H "Content-Type: application/json" -XPUT 'http://192.168.1.101:19200/db_customer/tb_test/1' -d '{"name": "huangxueliang"}'

查看index
curl -u elastic:elastic -X GET 'http://192.168.1.101:19200/_cat/indices?v'
curl -u elastic:elastic -X GET 'http://192.168.1.104:19200/_cat/indices?v'
curl -u elastic:elastic -X GET 'http://192.168.1.105:19200/_cat/indices?v'

结论:该节点还是会接收数据增删改查的请求,但是不存储实际的数据.
netstat -an |grep 'ESTABLISHED' |grep -i '19200' |wc -l
curl -u elastic:elastic -X GET "http://192.168.1.101:19200/_tasks?pretty"
curl -u elastic:elastic -X GET "http://192.168.1.104:19200/_tasks?pretty"
curl -u elastic:elastic -X GET "http://192.168.1.105:19200/_tasks?pretty"

curl -u elastic:elastic -X GET "192.168.1.101:19200/_tasks/6m66YCRmTheTzR8CFyHVvg:9475?pretty"

########################配置备份####################################
--------服务端安装----------------
1.在做备份的机器上安装nfs 服务端
[root@rac01 ios]# yum install -y nfs-utils

2.配置输出
$ more /etc/exports
/home/middle/esbak 10.7.81.131(insecure,rw,no_root_squash,sync,anonuid=1500,anongid=1500)
/home/middle/esbak 10.7.81.132(insecure,rw,no_root_squash,sync,anonuid=1500,anongid=1500)

3.启动服务
先为rpcbind和nfs做开机启动：(必须先启动rpcbind服务)
[root@rac01 ios]# systemctl enable rpcbind.service
[root@rac01 ios]# systemctl enable nfs-server.service
然后分别启动rpcbind和nfs服务：
systemctl start rpcbind.service
systemctl start nfs-server.service

systemctl restart rpcbind.service
systemctl restart nfs-server.service

4.检查是否生效
配置生效
exportfs -r
exportfs

---------客户端安装---------
首先是安裝nfs，同上，然后启动rpcbind服务
[root@rac02 ios]# yum install -y nfs-utils

先为rpcbind做开机启动：
[root@rac02 ios]# systemctl enable rpcbind.service

然后启动rpcbind服务：
[root@rac02 ios]# systemctl start rpcbind.service
注意:客户端不需要启动nfs服务

检查 NFS 服务器端是否有目录共享：showmount -e nfs服务器的IP
showmount -e 192.168.1.101
Export list for 192.168.56.111:
/home/middle/esbak 192.168.56.113,192.168.56.112

mount到指定的目录
另外的2个节点执行如下命令:
mount -t nfs -o proto=tcp -o nolock 192.168.1.101:/home/middle/esbak /home/middle/esbak

使用 elasticsearch 用户看是否可以写入数据
[root@rac02 ios]# su - elasticsearch
[elasticsearch@rac02 esbak]$ cd /home/middle/esbak
[elasticsearch@rac02 esbak]$ echo "112">aa.txt

另外一台客户端
[elasticsearch@rac02 esbak]$ echo "113">bb.txt

这个时候在任何一个节点都会看到上面创建的两个文件,同时也可以进行编辑

开始备份,备份其中一个节点(在nfs服务那台机器上)执行即可

[root@rac01 ios]# su - elasticsearch

curl -u elastic:elastic -H "Content-Type: application/json" -XPUT http://192.168.1.101:19200/_snapshot/esbackup -d'{
"type": "fs",
"settings": {
"location": "/home/middle/esbak"
}
}'

##备份
curl -u elastic:elastic -H "Content-Type: application/json" -XPUT http://192.168.1.101:19200/_snapshot/esbackup/snapshot_20210520

查看备份设置
curl -u elastic:elastic -X GET "192.168.1.101:19200/_snapshot/esbackup?pretty"
查看所有的备份
curl -u elastic:elastic -X GET "192.168.1.101:19200/_snapshot/esbackup/_all?pretty"
curl -u elastic:elastic -X GET "192.168.1.101:19200/_snapshot/esbackup/_all?pretty"

删除快照
curl -u elastic:elastic -X DELETE "192.168.1.101:19200/_snapshot/esbackup/snapshot_20210520"

备份脚本
[yeemiao@yeemiao-elasticsearch-c099aef-prd ~]$ more /home/yeemiao/script/es_backup.sh
#!/bin/sh
now_date=`date "+%Y%m%d"`
delete_date=`date +%Y%m%d -d "1 days ago"`

##删除之前的备份
curl -H "Content-Type: application/json" -XDELETE "http://192.168.1.101:19200/_snapshot/esbackup/snapshot_$delete_date"

##创建备份仓库目录
curl -H "Content-Type: application/json" -XPUT http://192.168.1.101:19200/_snapshot/esbackup -d'{
"type": "fs",
"settings": {
"location": "/home/middle/esbak"
}
}'

##备份
curl -H "Content-Type: application/json" -XPUT http://192.168.1.101:19200/_snapshot/esbackup/snapshot_$now_date

[root@dbslave-010007081120 script]# more es_backup_tar.sh
#!/bin/bash
now_date=`date "+%Y%m%d"`
delete_date=`date +%Y%m%d -d "3 days ago"`

tar_file=/home/middle/esbak_tar/esbak_${now_date}.tar.gz
cd /home/middle

tar -czvf ${tar_file} ./esbak

##删除本地备份文件
delete_tar_file=/home/middle/esbak_tar/esbak_${delete_date}.tar.gz

##删除本地文件
if [ -f "${delete_tar_file}" ];then
rm ${delete_tar_file}
fi