System configuration
ulimit settings
echo "* soft nofile 65535" >> /etc/security/limits.conf
echo "* hard nofile 65535" >> /etc/security/limits.conf
Ubuntu systems
vim /etc/pam.d/su
session required pam_limits.so
elasticsearch.service
sed -i -e '/ExecStart/a LimitMEMLOCK=infinity' /lib/systemd/system/elasticsearch.service
sysctl
echo "vm.max_map_count=655360" >> /etc/sysctl.conf
echo "net.ipv4.tcp_retries2=5" >> /etc/sysctl.conf
echo "vm.swappiness=1" >> /etc/sysctl.conf
sysctl -p
Cluster plan
Node | hostname |
192.168.174.100 | es-01 |
192.168.174.101 | es-02 |
192.168.174.102 | es-03 |
Install elasticsearch
export ELASTIC_PASSWORD="py7Ki=JiW=WCxnDrKV4-"
yum -y install elasticsearch
Dependencies resolved.
=======================================================================================================================================================================
Package Architecture Version Repository Size
=======================================================================================================================================================================
Installing:
elasticsearch x86_64 8.17.0-1 elasticsearch-8.x 607 M
Transaction Summary
=======================================================================================================================================================================
Install 1 Package
Total download size: 607 M
Installed size: 1.1 G
Downloading Packages:
elasticsearch-8.17.0-x86_64.rpm 55 MB/s | 607 MB 00:10
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 55 MB/s | 607 MB 00:10
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: elasticsearch-8.17.0-1.x86_64 1/1
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Installing : elasticsearch-8.17.0-1.x86_64 1/1
Running scriptlet: elasticsearch-8.17.0-1.x86_64 1/1
--------------------------- Security autoconfiguration information ------------------------------
Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.
The generated password for the elastic built-in superuser is : py7Ki=JiW=WCxnDrKV4-
If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.
You can complete the following actions at any time:
Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.
Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.
Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.
-------------------------------------------------------------------------------------------------
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
Verifying : elasticsearch-8.17.0-1.x86_64 1/1
Installed:
elasticsearch-8.17.0-1.x86_64
Complete!
Generate the cluster certificates
Certificate path
/usr/share/elasticsearch
instances.yml
# create the directory if it does not exist yet
mkdir -p /usr/share/elasticsearch/config/certs
# cat (not echo) is what reads the here-document
cat > /usr/share/elasticsearch/config/certs/instances.yml <<EOF
instances:
  - name: "es-01"
    ip:
      - "192.168.174.100"
      - "172.16.174.100"
      - "127.0.0.1"
    dns:
      - "es-01"
      - "localhost"
  - name: "es-02"
    ip:
      - "192.168.174.101"
      - "172.16.174.101"
      - "127.0.0.1"
    dns:
      - "es-02"
      - "localhost"
  - name: "es-03"
    ip:
      - "192.168.174.102"
      - "172.16.174.102"
      - "127.0.0.1"
    dns:
      - "es-03"
      - "localhost"
EOF
Generate the CA
cd /usr/share/elasticsearch
bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip
unzip config/certs/ca.zip -d config/certs
Generate the certificates
cd /usr/share/elasticsearch
bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key
unzip config/certs/certs.zip -d config/certs
View the certificate files
tree config/certs
config/certs
├── ca
│   ├── ca.crt
│   └── ca.key
├── ca.zip
├── certs.zip
├── instances.yml
├── es-01
│   ├── es-01.crt
│   └── es-01.key
├── es-02
│   ├── es-02.crt
│   └── es-02.key
└── es-03
    ├── es-03.crt
    └── es-03.key
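Copy the certificates to each node
# -r is needed because ca/ and es-0N/ are directories.
# This glob also copies ca/ca.key and every node's private key to each host.
scp -r /usr/share/elasticsearch/config/certs/* 192.168.174.100:/etc/elasticsearch/certs
scp -r /usr/share/elasticsearch/config/certs/* 192.168.174.101:/etc/elasticsearch/certs
scp -r /usr/share/elasticsearch/config/certs/* 192.168.174.102:/etc/elasticsearch/certs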
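Each node's elasticsearch.yml only references ca/ca.crt and that node's own certificate and key, so a per-node bundle can be staged before copying. This is an added example, not part of the original post: `stage_node_bundle` and the `/root/es-bundles` path are hypothetical, and the directory layout is the one shown by `tree config/certs`.

```bash
# Added example, not from the original post. stage_node_bundle is a hypothetical helper.
# It builds <out_dir>/<node>/ holding only what that node's elasticsearch.yml
# references: ca/ca.crt, <node>/<node>.crt and <node>/<node>.key.
# ca/ca.key and the other nodes' keys stay on the machine that ran certutil.
stage_node_bundle() (
  certs_dir=$1; node=$2; out_dir=$3
  # Refuse to build a partial bundle.
  for f in "ca/ca.crt" "$node/$node.crt" "$node/$node.key"; do
    [ -f "$certs_dir/$f" ] || { echo "missing: $certs_dir/$f" >&2; exit 1; }
  done
  umask 027                                   # nothing world-readable while staging
  mkdir -p "$out_dir/$node/ca" "$out_dir/$node/$node" || exit 1
  cp "$certs_dir/ca/ca.crt"       "$out_dir/$node/ca/"    || exit 1
  cp "$certs_dir/$node/$node.crt" "$out_dir/$node/$node/" || exit 1
  cp "$certs_dir/$node/$node.key" "$out_dir/$node/$node/" || exit 1
  chmod 644 "$out_dir/$node/ca/ca.crt" "$out_dir/$node/$node/$node.crt" || exit 1
  chmod 640 "$out_dir/$node/$node/$node.key"  # key: owner and group only
)

# Usage on the host that generated the certificates (IP from the cluster plan,
# /root/es-bundles is an assumed staging path):
#   cd /usr/share/elasticsearch/config/certs
#   stage_node_bundle . es-01 /root/es-bundles
#   scp -rp /root/es-bundles/es-01/* 192.168.174.100:/etc/elasticsearch/certs/
# then on the node:
#   chown -R root:elasticsearch /etc/elasticsearch/certs
```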
Configure elasticsearch
Edit the configuration file
# Run on each node; set node.name to that node's hostname (es-03 in this command)
sed -i \
  -e 's@#cluster.name: my-application@cluster.name: es-cluster@' \
  -e 's@#node.name: node-1@node.name: es-03@' \
  -e 's@#http.port: 9200@http.port: 19200@' \
  -e '/#discovery.seed_hosts/a discovery.seed_hosts: ["es-01", "es-02", "es-03"]' \
  -e '/#cluster.initial_master_nodes/a cluster.initial_master_nodes: ["es-01", "es-02", "es-03"]' \
  -e 's@#transport.host: 0.0.0.0@transport.host: 0.0.0.0@' \
  /etc/elasticsearch/elasticsearch.yml
View the configuration file
egrep -v '^$|^#' /etc/elasticsearch/elasticsearch.yml
cluster.name: es-cluster
node.name: es-01
path.data: /data/disk1/elasticsearch/data
path.logs: /data/disk1/elasticsearch/logs
http.port: 19200
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
discovery.seed_hosts: ["es-01", "es-02", "es-03"]
cluster.initial_master_nodes: ["es-01", "es-02", "es-03"]
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: certs/es-01/es-01.key
  certificate: certs/es-01/es-01.crt
  certificate_authorities: certs/ca/ca.crt
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: certs/es-01/es-01.key
  certificate: certs/es-01/es-01.crt
  certificate_authorities: certs/ca/ca.crt
http.host: 0.0.0.0
transport.host: 0.0.0.0
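A check over the configuration printed above, as an added example that is not part of the original post: `audit_es_tls` and `sample_config` are hypothetical names, and the sample is constructed from the es-01 listing. It flattens the nested `xpack.security.*.ssl` blocks into dotted keys and reports the TLS posture, including that `verification_mode: certificate` validates the CA chain but not the host name or IP in the certificate.

```bash
# Added example, not from the original post; function names are hypothetical.
# Constructed sample: the TLS-related part of the es-01 listing above.
sample_config() {
  cat <<'EOF'
xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: certs/es-01/es-01.key
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
http.host: 0.0.0.0
EOF
}

# Reads elasticsearch.yml from the file in $1 (or stdin), prints one finding
# per line and returns 1 if any FAIL was reported. An unset key counts as FAIL
# so that the file states the posture explicitly.
audit_es_tls() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
    /^[^ \t].*:[ \t]*$/ { sect = $0; sub(/:[ \t]*$/, "", sect); next }  # block header
    {
      line = $0; nested = (line ~ /^[ \t]/)
      sub(/^[ \t]+/, "", line)
      i = index(line, ":"); if (i == 0) next
      key = substr(line, 1, i - 1); val = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (nested) key = sect "." key                  # e.g. xpack.security.http.ssl.enabled
      conf[key] = val
    }
    END {
      n = split("enabled http.ssl.enabled transport.ssl.enabled", req, " ")
      for (k = 1; k <= n; k++) {
        name = "xpack.security." req[k]
        if (conf[name] != "true") { print "FAIL " name " is not set to true"; bad = 1 }
      }
      vm = conf["xpack.security.transport.ssl.verification_mode"]
      if (vm == "none") { print "FAIL transport verification_mode is none"; bad = 1 }
      if (vm == "certificate")
        print "NOTE transport verification_mode=certificate: CA chain is checked, host name/IP is not"
      exit bad + 0
    }' "$@"
}

sample_config | audit_es_tls   # prints the NOTE line and returns 0
```

On a node, run it as `audit_es_tls /etc/elasticsearch/elasticsearch.yml`.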
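Run elasticsearch
systemctl daemon-reload   # pick up the LimitMEMLOCK line added to the unit file
systemctl enable --now elasticsearch
Reset the built-in superuser password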
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i
This tool will reset the password of the [elastic] user.
You will be prompted to enter the password.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]: # enter the password
Re-enter password for [elastic]: # confirm the password
Password for the [elastic] user successfully reset.
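Verify the cluster status
# ca.crt sits under certs/ca/, as in the tree listing and in elasticsearch.yml; the URL is quoted because of the "?"
curl --cacert /etc/elasticsearch/certs/ca/ca.crt -u elastic 'https://192.168.174.100:19200/_cluster/health?pretty'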
{
  "cluster_name" : "es-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 3,
  "active_shards" : 6,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "unassigned_primary_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
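cluster_name: the name of the cluster, here "es-cluster".
status: the cluster status, here "green", meaning the cluster is healthy and all primary indices have been allocated.
timed_out: whether the request timed out. true means a timeout occurred while fetching the cluster status. false here means no timeout.
number_of_nodes: the total number of nodes in the cluster, here 3.
number_of_data_nodes: the number of data nodes in the cluster, here 3. In Elasticsearch, data nodes store index data and take part in the cluster's search and query operations.
active_primary_shards: the number of active primary shards, here 3. A shard is either a primary shard or a replica shard; primary shards are the shards that store document data.
active_shards: the total number of active shards. Because each primary shard usually has one or more replica shards, this number is usually about twice the number of primary shards (leaving aside failover and similar cases). Here it is 6.
relocating_shards: the number of shards being relocated. When a node fails or other changes occur, shards may move from one node to another. 0 here means no shards are being relocated.
initializing_shards: the number of shards being initialized. Newly added shards may need initialization. 0 here means no shards are initializing.
unassigned_shards: the number of unassigned shards. A shard that cannot be allocated to any node is in the unassigned state. 0 here means all shards are allocated.
unassigned_primary_shards: the number of unassigned primary shards. 0 here means all primary shards are allocated.
delayed_unassigned_shards: the number of shards whose allocation has been delayed. 0 here means there are none.
number_of_pending_tasks: the number of pending tasks. These tasks usually relate to shard allocation or movement. 0 here means no tasks are pending.
number_of_in_flight_fetch: the number of fetch operations in progress, usually related to shard movement. 0 here means none are in progress.
task_max_waiting_in_queue_millis: the longest time a task has waited in the queue, in milliseconds. 0 here means no task is waiting in the queue.
active_shards_percent_as_number: the percentage of active shards, as a number. Because all shards are active (as the fields above show), it is 100.0% here.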
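The fields above can be turned into a pass/fail gate. This is an added example, not part of the original post: `cluster_health_ok` and `sample_single_node` are hypothetical names, the sample body is constructed, and the parser assumes the `?pretty` layout shown above. It checks the node count as well as the status, because a node that formed a cluster on its own can still report green.

```bash
# Added example, not from the original post; function names are hypothetical.
# Constructed sample: a node that bootstrapped alone instead of joining the others.
sample_single_node() {
  cat <<'EOF'
{
  "cluster_name" : "es-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "unassigned_shards" : 0
}
EOF
}

# Reads the pretty-printed body of GET _cluster/health?pretty on stdin.
# $1 = number of nodes the cluster plan expects.
# Prints each failed check and returns 0 only if all of them pass.
cluster_health_ok() {
  awk -v want="$1" '
    { gsub(/[",]/, "") }                    # "status" : "green",  ->  status : green
    $2 == ":" { h[$1] = $3 }                # collect key/value pairs
    END {
      if (h["status"] != "green")      { print "status is \"" h["status"] "\""; bad = 1 }
      if (h["timed_out"] != "false")   { print "health request timed out or body was empty"; bad = 1 }
      if (h["number_of_nodes"] + 0 != want + 0) {
        print "nodes: " h["number_of_nodes"] + 0 ", expected " want; bad = 1
      }
      if (h["unassigned_shards"] + 0 != 0) {
        print "unassigned shards: " h["unassigned_shards"]; bad = 1
      }
      exit bad + 0
    }'
}

# Against a live node (same request as the verification command above):
#   curl -s --cacert /etc/elasticsearch/certs/ca/ca.crt -u elastic \
#     'https://192.168.174.100:19200/_cluster/health?pretty' | cluster_health_ok 3
sample_single_node | cluster_health_ok 3 || echo "gate failed"
```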
References
https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html
From: https://www.cnblogs.com/wangguishe/p/18683507