1 es 8
groupadd:无法打开 /etc/group
chattr: 没有那个文件或目录 当尝试对group进行stat调用时
chattr -i /etc/group
chattr -i /etc/passwd
chattr -i /etc/shadow
chattr -i /etc/gshadow
groupadd es
useradd -g es es
passwd es
chattr +i /etc/group
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/gshadow
chown -R es:es elasticsearch
chown -R es:es elasticsearch-8.0.0
# 关闭所有交换分区
swapoff -a
# vim /etc/security/limits.conf
添加以下内容:
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
在以下配置文件中添加参数:
# vim /etc/sysctl.conf
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
vm.max_map_count=655360
# 开启宿主机的ipv4转发功能
net.ipv4.ip_forward=1
# sysctl -p
调整文件打开数限制:
# ulimit -HSn 65535
mkdir -p /appdata/es/data
mkdir -p /appdata/es/logs
chown -R es:es /appdata/es
# 配置内存
cd /appdata/elasticsearch/config
cp jvm.options jvm.options.bak
vi jvm.options
-Xms16g
-Xmx16g
ElasticSearch8集群的安装部署
配置ca证书
cd /appdata/elasticsearch/bin
# 签发ca证书
# ./elasticsearch-certutil ca
`【ENTER】` 什么也不用输入直接回车
`【ENTER】` 什么也不用输入直接回车
# 用ca证书签发节点证书
# ./elasticsearch-certutil cert --ca elastic-stack-ca.p12
`【ENTER】` 什么也不用输入直接回车
`【ENTER】` 什么也不用输入直接回车
`【ENTER】` 什么也不用输入直接回车
# 将证书放到certs目录(手动创建)
mkdir -p /appdata/elasticsearch/config/certs
cd /appdata/elasticsearch
mv elastic-certificates.p12 elastic-stack-ca.p12 config/certs
# 修改hosts
vi hosts
192.168.0.105 bs105.testcom.cn bs105
192.168.0.8 bs8.testcom.cn bs8
192.168.0.6 bs6.testcom.cn bs6
# 让hosts生效
service network restart
配置elasticsearch.yml
# 注意冒号后面要有空格,要符合yml格式规范
cluster.name: testcom8
node.name: bs8.testcom.cn
node.roles: [master,data]
path.data: /appdata/es/data
path.logs: /appdata/es/logs
network.host: 0.0.0.0
# 如果是docker环境,即是es不是通过容器化安装的,network.publish_host这个配置也不能少,否则就会报错无法找到节点ip,这个节点ip
# 配置内容为当前宿主机ip
network.publish_host: 192.168.0.8
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
cluster.initial_master_nodes: ["bs8.testcom.cn", "bs6.testcom.cn", "bs105.testcom.cn"]
# 禁止使用通配符或_all删除索引
action.destructive_requires_name: true
discovery.seed_hosts: ["192.168.0.8:9300", "192.168.0.6:9300", "192.168.0.105:9300"]
reindex.remote.whitelist: ["192.168.0.180:9200","192.168.0.181:9200","192.168.0.182:9200"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: /appdata/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /appdata/elasticsearch/config/certs/elastic-certificates.p12
ingest.geoip.downloader.enabled: false
安装ik分词,analysis-ik,根据es的版本进行匹配
安装pinyin分词,analysis-pinyin,根据es的版本进行匹配
# 将文件复制过去
cd /appdata/elasticsearch/plugins
unzip -d analysis-ik/ elasticsearch-analysis-ik-8.0.0.zip
unzip -d analysis-pinyin/ elasticsearch-analysis-pinyin-8.0.0.zip
rm -f elasticsearch-analysis-ik-8.0.0.zip
rm -f elasticsearch-analysis-pinyin-8.0.0.zip
cd /appdata/elasticsearch/bin
./elasticsearch -d
# 防火墙
firewall-cmd --state
firewall-cmd --zone=public --add-port=9200/tcp --permanent
firewall-cmd --zone=public --add-port=9300/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-ports
curl -k --user elastic:Bs@#654123 -XGET http://192.168.0.8:9200/_cat/nodes?v
# 在es集群中任意节点中执行即可
cd /appdata/elasticsearch/bin
# 设置密码
./elasticsearch-setup-passwords interactive
./elasticsearch-reset-password -u elastic
./elasticsearch-setup-passwords interactive
Failed to determine the health of the cluster running at http://172.17.0.1:9200
Unexpected response code [503] from calling GET http://172.17.0.1:9200/_cluster/health?pretty
Cause: master_not_discovered_exception
http://192.168.0.8:9200/_cat/nodes?pretty
cd /etc/init.d
vi elasticsearch
#!/bin/sh
# chkconfig: - 85 15
#description: elasticsearch
export ES_HOME=/appdata/elasticsearch
case "$1" in
start)
su es<
# 安装kibana
elasticsearch.username: "kibana"
elasticsearch.password: "xxx"
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.0.8:9200","http://192.168.0.6:9200","http://192.168.0.105:9200"]
elasticsearch.requestTimeout: 30000
cd /appdata/kibana/bin
nohup /appdata/kibana/bin/kibana > kibana.out 2>&1 &
firewall-cmd --zone=public --add-port=5601/tcp --permanent
firewall-cmd --reload
配置证书,参考Elasticsearch - Elasticsearch 8.X;Elasticsearch 8.X集群(十)
bin/elasticsearch-certutil http
## Elasticsearch HTTP Certificate Utility
The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.
This tool will ask you a number of questions in order to generate the right
set of files for your needs.
## Do you wish to generate a Certificate Signing Request (CSR)?
A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).
If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.
If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.
Generate a CSR? [y/N]n
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?
If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.
If you do not have an existing CA, one will be generated for you.
Use an existing CA? [y/N]y
## What is the path to your CA?
Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /appdata/elasticsearch/config/certs/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press at the prompt
Password for elastic-stack-ca.p12:
## How long should your certificates be valid?
Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.
Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.
You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
For how long should your certificate be valid? [5y]
## Do you wish to generate one certificate per node?
If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.
Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.
If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.
However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.
Generate a certificate per node? [y/N]n
## Which hostnames will be used to connect to your nodes?
These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.
You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.
If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.
Enter all the hostnames that you need, one per line.
When you are done, press once more to move on to the next step.
bs8.testcom.cn
bs6.testcom.cn
bs105.testcom.cn
You entered the following hostnames.
- bs8.testcom.cn
- bs6.testcom.cn
- bs105.testcom.cn
Is this correct [Y/n]y
## Which IP addresses will be used to connect to your nodes?
If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.
If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press to skip this step.
Enter all the IP addresses that you need, one per line.
When you are done, press once more to move on to the next step.
192.168.0.8
192.168.0.6
192.168.0.105
You entered the following IP addresses.
- 192.168.0.8
- 192.168.0.6
- 192.168.0.105
Is this correct [Y/n]y
## Other certificate options
The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.
Key Name: bs8.testcom.cn
Subject DN: CN=bs8, DC=testcom, DC=cn
Key Size: 2048
Do you wish to change any of these options? [y/N]n
## What password do you want for your private key(s)?
Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.
If you wish to use a blank password, simply press at the prompt below.
Provide a password for the "http.p12" file: [ for none]
## Where should we save the generated files?
A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.
These files will be included in a single zip archive.
What filename should be used for the output zip file? [/appdata/elasticsearch-8.0.0/elasticsearch-ssl-http.zip]
Zip file written to /appdata/elasticsearch-8.0.0/elasticsearch-ssl-http.zip
# 将elasticsearch-ssl-http.zip解压后的两个文件复制到certs目录
mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem /appdata/elasticsearch/config/certs/
# 其他的机器也复制一份
scp -r elastic-certificates.p12 http.p12 [email protected]:/appdata/elasticsearch/config/certs/
进入到elasticsearch.yml
中,添加如下配置,然后重启elasticsearch即可
xpack.security.enrollment.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /appdata/elasticsearch/config/certs/http.p12
xpack.security.http.ssl.truststore.path: /appdata/elasticsearch/config/certs/http.p12
http.host: [_local_, _site_]
xpack.security.http.ssl.client_authentication: none
但这时kibana就无法访问了,因此需要更改配置
2 es7.4.2
windows下运行elasticsearch7.4.2出现了一些问题,修改elasticsearch-env.bat
,elasticsearch7.x依赖jdk11,我们现在主流
使用的还是jdk1.8
future versions of Elasticsearch will require Java 11; your Java version from [D:\Program Files\Java\jdk1.8.0_51\jre] does not meet this requirement
最终的方案如下:
set JAVA_HOME=D:\Program Files\Java\jdk1.8.0_51
if defined JAVA_HOME (
@REM set JAVA="%JAVA_HOME%\bin\java.exe"
set JAVA="D:\elasticsearch-7.4.2\jdk\bin\java.exe"
) else (
@REM set JAVA="%ES_HOME%\jdk\bin\java.exe"
@REM set JAVA_HOME="%ES_HOME%\jdk"
set JAVA="D:\elasticsearch-7.4.2\jdk\bin\java.exe"
set JAVA_HOME="D:\elasticsearch-7.4.2\jdk"
)
elasticsearch证书的问题
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No available authentication scheme
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:475) ~[netty-codec-4.1.38.Final.jar:4.1.38.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283) ~[netty-codec-4.1.38.Final.jar:4.1.38.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) [netty-transport-4.1.38.Final.jar:4.1.38.Final]
解决方案
# 中间过程需要设置密码,本地开发可以不设,但是生产环境就需要设置了
.\elasticsearch-certutil ca
# 中间过程输入的密码,就是elasticsearch-certutil ca中的密码,这个密码如果为空,则这里可以不用输入
.\elasticsearch-certutil cert --ca elastic-stack-ca.p12
# 生成了两个文件elastic-certificates.p12和elastic-stack-ca.p12在elasticsearch目录下
# 在config中创建文件夹certs,将elastic-certificates.p12和elastic-stack-ca.p12复制过来
# 修改config目录下的elasticsearch.yml,增加下面的内容
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# 重启es,运行成功
.\elasticsearch
.\elasticsearch-setup-passwords interactive
修改密码的时候,提示了这个错误
Cluster state has not been recovered yet, cannot write to the [null] index
因为是单机的,还是得定义一下主节点,在elasticsearch.yml
中做下面的设置后,再执行.\elasticsearch-setup-passwords interactive
node.name: node-1
cluster.initial_master_nodes: ["node-1"]
从启动日志可以看到elasticsearch中包含9200和9300两个端口,9200是es节点与外部通讯使用的端口,
9300是es节点之间通讯使用的端口
接下来是windows下对应的kibana7.4.2,执行命令.\kibana
即可
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
xpack.security.enabled: true
安装分词插件
cd D:\elasticsearch-7.4.2\bin
.\elasticsearch-plugin install "file:///D://es-plugins//elasticsearch-analysis-pinyin-7.4.2.zip"
.\elasticsearch-plugin install "file:///D://es-plugins//elasticsearch-analysis-ik-7.4.2.zip"