我们这里做一个三台服务器的集群,配置这样一个场景:
- JVM内存配置为2G
- 禁用批量删除索引
- 配置SSL和开启账号密码
- 集群配置
- 动态添加集群节点
安装Elasticsearch
首先,从官网下载Elasticsearch安装包,然后将安装包 elasticsearch-7.5.1-x86_64.rpm 上传服务器。
然后,在各个服务器分别执行
[admin@iZbp150aqw850jwlm06qhcZ mnt]$ sudo yum install -y elasticsearch-7.5.1-x86_64.rpm
修改基础配置
- 配置ES的JVM内存
[admin@iZbp13d7te8727w5phtisjZ ~]$ sudo sed -i /-Xms1g/c-Xms2g /etc/elasticsearch/jvm.options
[admin@iZbp13d7te8727w5phtisjZ ~]$ sudo sed -i /-Xmx1g/c-Xmx2g /etc/elasticsearch/jvm.options
优化建议:
预留足够的内存空间给page cache。假设一台32GB内存的机器,配置16GB内存给ES进程使用,另外16GB给page cache,而不是将 xmx 设置成32GB。
禁用内存交换(/proc/sys/vm/swappiness)
[admin@iZbp150aqw850jwlm06qhcZ ~]$ echo 0 > /proc/sys/vm/swappiness
[admin@iZbp150aqw850jwlm06qhcZ ~]$ cat /etc/sysctl.conf
vm.swappiness = 0
- 配置JVM参数:-XX:+AlwaysPreTouch 减少新生代晋升到老年代时停顿。在启动时就把参数里说好了的内存全部都分配了,会使得启动慢上一点,但后面访问时会更流畅,比如页面会连续分配,比如不会在晋升新生代到老生代时才去访问页面,导致GC停顿时间加长
- 禁用批量删除索引
[admin@iZbp150aqw850jwlm06qhcZ ~]$ sudo sed 's/#action.destructive_requires_name/action.destructive_requires_name/' /etc/elasticsearch/elasticsearch.yml
- 集群相关修改
[admin@iZbp150aqw850jwlm06qhcZ elasticsearch]$ sudo cat /etc/elasticsearch/elasticserach.yml
# 略过...
cluster.name: elasticsearch
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["node-1"]
# 略过...
- 启动elasticsearch服务
[admin@iZbp150aqw850jwlm06qhcZ elasticsearch]$ sudo systemctl start elasticsearch
动态添加集群节点
- 集群至少需要3个节点组成
修改配置,并将配置复制到其他2台机器。启动集群。
[admin@iZbp150aqw850jwlm06qhcZ elasticsearch]$ cat /etc/elasticsearch/elasticsearch.yml | egrep "discovery.seed_hosts|cluster.initial_master_nodes"
discovery.seed_hosts: ["172.16.9.51","172.16.9.52","172.16.8.51"]
cluster.initial_master_nodes: ["node-1","node-2","node-3"]
[admin@iZbp150aqw850jwlm06qhcZ elasticsearch]$ sudo systemctl start elasticsearch
[admin@iZbp150aqw850jwlm06qhcZ elasticsearch]$ curl http://localhost:9200/_nodes/process?pretty
{
"_nodes" : {
"total" : 3,
"successful" : 3,
"failed" : 0
},
...
- 动态添加节点,只需将配置复制到第4台机器,启动即可加入集群。
ES安全加固
- 配置TLS
生成ca证书和密钥
[admin@iZbp150aqw850jwlm06qhcZ bin]$ sudo /usr/share/elasticsearch/bin/elasticsearch-certutil ca
[admin@iZbp150aqw850jwlm06qhcZ bin]$ sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
[admin@iZbp150aqw850jwlm06qhcZ bin]$ cp /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch
[admin@iZbp150aqw850jwlm06qhcZ bin]$ cd /etc/elasticsearch
[admin@iZbp150aqw850jwlm06qhcZ bin]$ sudo chmod 666 elastic-certificates.p12
配置SSL认证
[admin@iZbp13d7te8727w5phtisjZ elasticsearch]$ sudo cat elasticsearch.yml | grep xpack
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate # 证书认证级别
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
- 开启账号密码
[admin@iZbp13d7te8727w5phtisjZ elasticsearch]$ sudo cat elasticsearch.yml | grep security
xpack.security.transport.ssl.enabled: true
xpack.security.enabled: true
- 重启es
[admin@iZbp13d7te8727w5phtisjZ etc]$ sudo systemctl restart elasticsearch
- 设置密码
[admin@iZbp150aqw850jwlm06qhcZ elasticsearch]$ sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
- 查看效果
[admin@iZbp150aqw850jwlm06qhcZ elasticsearch]$ curl -u elastic http://localhost:9200
Enter host password for user 'elastic':
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "DibbE_FdSgC4641FOfRq6A",
"version" : {
"number" : "7.5.1",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "3ae9ac9a93c95bd0cdc054951cf95d88e1e18d96",
"build_date" : "2019-12-16T22:57:37.835892Z",
"build_snapshot" : false,
"lucene_version" : "8.3.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
- 将 elastic-certificates.p12 复制到另外两台服务器,然后重复从配置SSL认证开始的步骤,即可搭建一个安全的集群环境。
The End !
参考文章:
Elasticsearch 安全加固
Install Elasticsearch with RPM
elasticsearch-.yml(中文配置详解)
配置节点证书