Environment:
192.168.1.102
192.168.1.103
192.168.1.105
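--------------------------------------------Basic installation-----------------------------------
System configuration
Run on every machine
1. System parameter configuration
Edit the limits.conf configuration file
vi /etc/security/limits.conf
As root, add the following two entries, then log out and log in as the elasticsearch user for them to take effect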
* hard nofile 65536
* soft nofile 65536
2. Edit the sysctl.conf file
vi /etc/sysctl.conf
vm.max_map_count=262144
Then run the following command:
[root@localhost ~]# sysctl -p
3. Turn off the firewall
systemctl status firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service
4. Install Java (no longer needed; es7 and later automatically use their own Java)
Installation guide: https://www.cnblogs.com/hxlasky/p/14775706.html
Make sure the Java version is 1.8 or later
[root@rac01 soft]# java -version
java version "1.8.0_291"
Java(TM) SE Runtime Environment (build 1.8.0_291-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.291-b10, mixed mode)
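5. Download the required version
Here I downloaded elasticsearch-8.15.1-linux-x86_64.tar.gz
Download URL:
https://www.elastic.co/cn/downloads/past-releases#elasticsearch
6. Create the middleware installation directory and the data and log directories
Run on every machine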
[root@es soft]# mkdir -p /usr/local/services
[root@es soft]# mkdir -p /home/middle/elasticsearch/data
[root@es soft]# mkdir -p /home/middle/elasticsearch/logs
7. Create the user and group
Run on every machine
groupadd -g 1500 elasticsearch
useradd -u 1500 -g elasticsearch elasticsearch
passwd elasticsearch
8. Upload to the server
Run on every machine
Unpack the archive and create the data directory
[root@rac01 soft]# cd /soft
[root@rac01 soft]# tar -xvf elasticsearch-8.15.1-linux-x86_64.tar.gz
[root@rac01 soft]# mv elasticsearch-8.15.1 /usr/local/services/elasticsearch
9. Change ownership of the elasticsearch directory to elasticsearch
Run on every machine
[root@es config]# cd /usr/local/services
[root@es services]# chown -R elasticsearch:elasticsearch ./elasticsearch
Also give ownership of the data and log directories to elasticsearch
[root@es services]# cd /home/middle
[root@es middle]# chown -R elasticsearch:elasticsearch ./elasticsearch
10. Create the backup directory
Run on every machine
[root@rac01 home]# mkdir -p /home/middle/esbak
[root@rac01 home]# cd /home/middle
[root@rac01 home]# chown -R elasticsearch:elasticsearch ./esbak
11. Edit the configuration file
Run on every machine
[root@rac01 middle]# su - elasticsearch
[elasticsearch@rac01 ~]$ cd /usr/local/services/elasticsearch/config
[elasticsearch@es config]$ vi elasticsearch.yml
cluster.name: escluster_ysd
node.name: node01
path.data: /home/middle/elasticsearch/data
path.logs: /home/middle/elasticsearch/logs
network.host: 192.168.1.102
http.port: 19200
##discovery.zen.minimum_master_nodes: 2 ## remove this parameter; it no longer exists in es8
discovery.seed_hosts: ["192.168.1.102", "192.168.1.103","192.168.1.105"]
cluster.initial_master_nodes: ["node01", "node02","node03"]
path.repo: /home/middle/esbak
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: false ## security authentication is disabled for now and enabled later
Configuration files on the other machines:
scp the configuration file to the other machines, then adjust the parts highlighted in red accordingly
Change node.name to node02 and node03 respectively
Change network.host to the IP address of the corresponding machine
12. Edit the JVM parameters (/usr/local/services/elasticsearch/config/jvm.options)
Run on every machine
[root@master ~]# more /usr/local/services/elasticsearch/config/jvm.options
################################################################
##
## JVM configuration
##
################################################################
##
## WARNING: DO NOT EDIT THIS FILE. If you want to override the
## JVM options in this file, or set any additional options, you
## should create one or more files in the jvm.options.d
## directory containing your adjustments.
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/8.15/jvm-options.html
## for more information.
##
################################################################
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## The heap size is automatically configured by Elasticsearch
## based on the available memory in your system and the roles
## each node is configured to fulfill. If specifying heap is
## required, it should be done through a file in jvm.options.d,
## which should be named with .options suffix, and the min and
## max should be set to the same value. For example, to set the
## heap to 4 GB, create a new file in the jvm.options.d
## directory containing these lines:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/8.15/heap-size.html
## for more information
##
################################################################
-Xms3g
-Xmx3g
################################################################
## Expert settings
################################################################
##
## All settings below here are considered expert settings. Do
## not adjust them unless you understand what you are doing. Do
## not edit them in this file; instead, create a new file in the
## jvm.options.d directory containing your adjustments.
##
################################################################
-XX:+UseG1GC
## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}
# Leverages accelerated vector hardware instructions; removing this may
# result in less optimal vector performance
20-:--add-modules=jdk.incubator.vector
## heap dumps
# generate a heap dump when an allocation from the Java heap fails; heap dumps
# are created in the working directory of the JVM unless an alternative path is
# specified
-XX:+HeapDumpOnOutOfMemoryError
# exit right after heap dump on out of memory error
-XX:+ExitOnOutOfMemoryError
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=data
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=logs/hs_err_pid%p.log
## GC logging
-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,level,pid,tags:filecount=32,filesize=64m
13. Start
Run on every node; make sure every machine starts successfully
[root@rac01 middle]# su - elasticsearch
[elasticsearch@es ~]$ cd /usr/local/services/elasticsearch/bin
./elasticsearch -d
14. Check the cluster status at this point
Password authentication is not configured yet at this point
[elasticsearch@master bin]$ curl http://192.168.1.102:19200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.1.102 14 97 12 0.51 0.88 0.84 cdfhilmrstw - node01
192.168.1.103 15 96 22 0.97 1.00 0.48 cdfhilmrstw * node02
192.168.1.105 10 97 13 2.67 1.68 0.77 cdfhilmrstw - node03
[elasticsearch@master bin]$ curl -X GET "192.168.1.102:19200/_cat/indices?v"
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size dataset.size
[elasticsearch@master bin]$ curl http://192.168.1.102:19200/?pretty
{
  "name" : "node01",
  "cluster_name" : "escluster_hxl",
  "cluster_uuid" : "Z9owd8vWT0qa_w9Gx8JPKA",
  "version" : {
    "number" : "8.15.1",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "253e8544a65ad44581194068936f2a5d57c2c051",
    "build_date" : "2024-09-02T22:04:47.310170297Z",
    "build_snapshot" : false,
    "lucene_version" : "9.11.1",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
----------------------------Configure security authentication--------------------------------
1. Generate certificates
1. Run the command to create the CA:
su - elasticsearch
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@master bin]$ ./elasticsearch-certutil ca
warning: ignoring JAVA_HOME=/usr/local/java/jdk1.8.0_351; using bundled JDK
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: ## just press Enter
Enter password for elastic-stack-ca.p12 : ## just press Enter
This generates the file elastic-stack-ca.p12
[elasticsearch@master elasticsearch]$ pwd
/usr/local/services/elasticsearch
[elasticsearch@master elasticsearch]$ ls -1
bin
config
elastic-stack-ca.p12
jdk
lib
LICENSE.txt
logs
modules
NOTICE.txt
plugins
README.asciidoc
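Then follow the prompts. At "Please enter the desired output file [elastic-stack-ca.p12]" you are asked for a file name, which defaults to elastic-stack-ca.p12; type a name and press Enter, or just press Enter to accept the default.
Next you are prompted with "Enter password for elastic-stack-ca.p12 :". The password may be empty; just press Enter. The CA is now created, and the file is in the root of the Elasticsearch directory.
2. Generate elastic-certificates.p12 from the elastic-stack-ca.p12 file
The command is: elasticsearch-certutil cert --ca elastic-stack-ca.p12
Just press Enter at every prompt
[elasticsearch@rac01 bin]$ ./elasticsearch-certutil cert --ca elastic-stack-ca.p12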
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
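Next you are prompted with "Enter password for CA (elastic-stack-ca.p12) :", which is the password of the CA file from the previous step; if it has none, just press Enter.
Next you are prompted with "Please enter the desired output file [elastic-certificates.p12]:" to name the file being generated; the default is elastic-certificates.p12.
Next you are prompted to set a password for this file with "Enter password for elastic-certificates.p12 :"; press Enter once it is set.
We now have two files: elastic-stack-ca.p12 and elastic-certificates.p12
Copy these two files into the config directory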
[elasticsearch@rac01 elasticsearch7]$ cd /usr/local/services/elasticsearch
[elasticsearch@rac01 elasticsearch7]$ mv elastic-certificates.p12 ./config/
[elasticsearch@rac01 elasticsearch7]$ mv elastic-stack-ca.p12 ./config/
3. Copy the two files from node 1 to the other nodes
[elasticsearch@rac01 elasticsearch7]$ cd /usr/local/services/elasticsearch/config
[elasticsearch@rac01 elasticsearch7]$ scp elastic-certificates.p12 192.168.1.103:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 elasticsearch7]$ scp elastic-stack-ca.p12 192.168.1.103:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 elasticsearch7]$ scp elastic-certificates.p12 192.168.1.105:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 elasticsearch7]$ scp elastic-stack-ca.p12 192.168.1.105:/usr/local/services/elasticsearch/config/
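A check for the keystore files generated and copied in steps 1 to 3, added here as an example and not part of the original post. The function name check_keystores is hypothetical and GNU stat is assumed; it lists .p12 files that group or other users can access and flags elastic-stack-ca.p12, which per the certutil output above holds the CA's private key.

```shell
#!/bin/sh
# Added example (not from the original post); check_keystores is a
# hypothetical name. File names are the ones generated in steps 1 and 2.

# List PKCS#12 files under a config directory that group/other can access,
# and flag elastic-stack-ca.p12, the file that holds the CA private key.
check_keystores() {   # $1 = Elasticsearch config directory
    rc=0
    for p in "$1"/*.p12; do
        [ -e "$p" ] || continue                      # glob matched nothing
        name=$(basename "$p")
        mode=$(printf '%03d' "$(stat -c '%a' "$p")") # GNU stat, e.g. 644
        case $mode in
            *00) ;;                                  # owner-only access
            *)   echo "WARN $name: mode $mode lets group/other access it"; rc=1 ;;
        esac
        if [ "$name" = elastic-stack-ca.p12 ]; then
            echo "WARN $name: CA private key is stored on this node"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: empty placeholder files stand in for the real keystores.
demo=$(mktemp -d)
touch "$demo/elastic-certificates.p12" "$demo/elastic-stack-ca.p12"
chmod 644 "$demo/elastic-certificates.p12"
chmod 600 "$demo/elastic-stack-ca.p12"
check_keystores "$demo" || echo "review the findings above"
rm -rf "$demo"
```

Run it as check_keystores /usr/local/services/elasticsearch/config on each node; it returns 1 when it reports anything.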
4. Edit the configuration file
On every machine, append the following to the end of the configuration file:
[root@rac01 middle]# su - elasticsearch
vi /usr/local/services/elasticsearch/config/elasticsearch.yml
Add the following settings
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
The following existing entry can be removed:
xpack.security.enabled: false
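An audit of elasticsearch.yml for the settings this walkthrough touches, added here as an example and not part of the original post. es_setting and audit_es_yml are hypothetical names, the sample file is constructed, and xpack.security.http.ssl.enabled is an Elasticsearch setting that the post does not configure.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the effective value of a flat "key: value" setting. Comment lines,
# trailing "#..." comments and surrounding double quotes are dropped.
es_setting() {   # $1 = file, $2 = setting name
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/[ \t]+#.*$/, "", line)
            i = index(line, ":"); if (i == 0) next
            k = substr(line, 1, i - 1); v = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one finding per weak setting; return 1 if anything was found.
audit_es_yml() {   # $1 = path to elasticsearch.yml
    f=$1; rc=0
    [ "$(es_setting "$f" xpack.security.enabled)" = true ] ||
        { echo "FAIL xpack.security.enabled: authentication is off"; rc=1; }
    [ "$(es_setting "$f" xpack.security.transport.ssl.enabled)" = true ] ||
        { echo "FAIL transport.ssl.enabled: node-to-node traffic is cleartext"; rc=1; }
    [ "$(es_setting "$f" xpack.security.transport.ssl.verification_mode)" != none ] ||
        { echo "FAIL verification_mode: peer certificates are not checked"; rc=1; }
    [ "$(es_setting "$f" xpack.security.http.ssl.enabled)" = true ] ||
        { echo "WARN http.ssl.enabled: REST logins cross the network as plain HTTP"; rc=1; }
    if [ "$(es_setting "$f" http.cors.enabled)" = true ] &&
       [ "$(es_setting "$f" http.cors.allow-origin)" = "*" ]; then
        echo "WARN http.cors.allow-origin: any web origin may call the REST API"; rc=1
    fi
    return $rc
}

# Constructed sample: the security-relevant lines of the file after step 4.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
EOF
audit_es_yml "$sample" || echo "review the findings above"
rm -f "$sample"
```

Against the step 4 configuration it prints the two WARN lines: the REST port still speaks plain HTTP, and the CORS wildcard from step 11 is still in place.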
5. Restart
Kill the existing process, then start again
kill <process ID>
[root@rac01 middle]# su - elasticsearch
[elasticsearch@es ~]$ cd /usr/local/services/elasticsearch/bin
./elasticsearch -d
From now on a password is required for access
curl 'http://192.168.1.102:19200/_cat/nodes?pretty'
6. Set passwords
Run this on one of the machines; here I run it on 192.168.1.102, and I set every password to elastic
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@rac01 bin]$ ./elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
7. Verify
curl -u elastic:elastic 'http://192.168.1.102:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.1.102:19200/_cat/health?v'
8. Data verification
List the indices:
curl -u elastic:elastic -X GET 'http://192.168.1.102:19200/_cat/indices?v'
Create an index and write data on node 1
Since es7 the concept of type no longer exists; every type is represented as _doc.
curl -u elastic:elastic -XPUT 'http://192.168.1.102:19200/db_customer'
curl -u elastic:elastic -H "Content-Type: application/json" -XPUT 'http://192.168.1.102:19200/db_customer/_doc/1' -d '{"name": "huangxueliang"}'
View the data
curl -u elastic:elastic -XGET 'http://192.168.1.102:19200/db_customer/_doc/1?pretty'
View the same data on the other nodes
curl -u elastic:elastic -XGET 'http://192.168.1.103:19200/db_customer/_doc/1?pretty'
curl -u elastic:elastic -XGET 'http://192.168.1.105:19200/db_customer/_doc/1?pretty'
######################Deploy Kibana#################################
Reference link:
https://www.cnblogs.com/hxlasky/p/16541304.html
Installing it on one of the nodes is enough; here I install it on node 1
From: https://www.cnblogs.com/hxlasky/p/18413885