ElasticSearch(以下简称 ES) 作为一个搜索引擎,能存储海量数据并且可以在非常短的时间内查询到应用系统想要的信息,且组件开源,因而使用比较广泛。
| 主机名 | IP地址 | 角色 |
| node-1 | 192.168.2.3 | 主节点 |
| node-2 | 192.168.2.4 | 从节点 |
| node-3 | 192.168.2.5 | 从节点 |
ES集群部署
修改/etc/security/limits.conf
vi /etc/security/limits.conf?添加如下几行
| * soft nofile 65536 * hard nofile 131072 * soft nproc 2048 * hard nproc 4096 * hard memlock unlimited * soft memlock unlimited |
vi /etc/sysctl.conf 添加一行
| vm.max_map_count=262145 |
修改完后执行sysctl -p命令
修改/etc/security/limits.d/20-nproc.conf??
添加如下2行?
| * ?????????soft ???nproc ????4096 root ??????soft ???nproc ????unlimited |
es软件包可在官方网站下载:Download Elasticsearch | Elastic
最新版本为elasticsearch-7.10.0-linux-x86_64.tar.gz,因为最新版本集成了jdk11,java环境就不用单独安装了。
在三台主机上分别执行:
将es软件包上传到/home/forp1/es目录下并解压
tar -zxvf?elasticsearch-7.10.0-linux-x86_64.tar.gz
因为es不能使用root用户启动,创建用户,将es目录权限转移给新建用户
| useradd forp1 chown -R forp1:forp1?elasticsearch-7.10.0 |
切换到forp1用户
su - forp1
vim /home/forp1/elasticsearch-7.10.0/config/elasticsearch.yml
| cluster.name: my-es node.name: node-1 path.data: /home/forp1/elasticsearch-7.10.0/data path.logs: /home/forp1/elasticsearch-7.10.0/logs bootstrap.memory_lock: true network.host: 0.0.0.0 http.port: 9200 discovery.seed_hosts: ["192.168.2.3", "192.168.2.4", "192.168.2.5"] cluster.initial_master_nodes: ["node-1", "node-2", "node-3"] gateway.recover_after_nodes: 3 |
使用ES自带的JDK服务
系统上安装的JDK与elasticsearch-7.10.0版本不匹配,需要使用elasticsearch-7.10.0自带的JDK服务,修改elasticsearch-7.10.0脚本即可。
vi /home/forp1/elasticsearch-7.10.0/bin/ elasticsearch
| export JAVA_HOME=/forp/elasticsearch-7.10.0/jdk export PATH=$PATH:$JAVA_HOME/bin |
启动ES?集群
注:若生产环境没有关闭防火墙,则需要放行9200和9300端口,9200为对外访问端口,9300为集群内部通信端口。
在三个节点上分别执行:
cd ?/home/forp/es/elasticsearch-7.10.0
bin/elasticsearch -d ??????????在后台启动
在命令行输入:curl localhost:9200 可以看到如下信息,表示节点启动成功
| { ??"name" : "node-1", ??"cluster_name" : "my-es", ??"cluster_uuid" : "60tiVLitSTarvpUCRnwBaA", ??"version" : { ????"number" : "7.10.0", ????"build_flavor" : "default", ????"build_type" : "tar", ????"build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96", ????"build_date" : "2020-11-09T21:30:33.964949Z", ????"build_snapshot" : false, ????"lucene_version" : "8.7.0", ????"minimum_wire_compatibility_version" : "6.8.0", ????"minimum_index_compatibility_version" : "6.0.0-beta1" ??}, ??"tagline" : "You Know, for Search" } |
也可以在浏览器输入IP:9200进行测试,显示和命令行相同的信息。
集群健康检查
?curl ?localhost:9200/_cat/nodes?pretty
| 192.168.2.5 93 93 3 0.42 0.65 0.34 cdhilmrstw - node-3 192.168.2.3 87 94 5 0.51 0.60 0.37 cdhilmrstw - node-1 192.168.2.4 85 93 6 0.69 0.45 0.25 cdhilmrstw * node-2 |
可以看到三个节点 ?*代表主节点
http://192.168.100.37:9200/_cluster/health?pretty
| { ??"cluster_name" : "my-es", ??"status" : "green", ??"timed_out" : false, ??"number_of_nodes" : 3, ??"number_of_data_nodes" : 3, ??"active_primary_shards" : 18, ??"active_shards" : 36, ??"relocating_shards" : 0, ??"initializing_shards" : 0, ??"unassigned_shards" : 0, ??"delayed_unassigned_shards" : 0, ??"number_of_pending_tasks" : 0, ??"number_of_in_flight_fetch" : 0, ??"task_max_waiting_in_queue_millis" : 0, ??"active_shards_percent_as_number" : 100.0 } |
切换到 elasticsearch 安装文件目录 bin 下,使用elasticsearch-certutil命令生成证书:
?./elasticsearch-certutil ca --out config/elastic-certificates.p12?
| This tool assists you in the generation of X.509 certificates and certificate signing requests for use with SSL/TLS in the Elastic stack. The 'ca' mode generates a new 'certificate authority' This will create a new X.509 certificate and private key that can be used to sign certificate when running in 'cert' mode. Use the 'ca-dn' option if you wish to configure the 'distinguished name' of the certificate authority By default the 'ca' mode produces a single PKCS#12 output file which holds: ????* The CA certificate ????* The CA's private key If you elect to generate PEM format certificates (the -pem option), then the output will be a zip file containing individual files for the CA certificate and private key Enter password for elastic-certificates.p12? : |
需要创建文件使用的密码
生成后的证书保存在安装目录的config目录下
|
|
需要将生成的证书拷贝给集群中的其它两个节点的config目录下
每个集群节点都需要设置
vi /forp/elasticsearch-7.14.1/config/elasticsearch.yml
| xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: /forp/elasticsearch-7.14.1/config/elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: /forp/elasticsearch-7.14.1/config/elastic-certificates.p12 |
重启生效,需要启动所有集群节点,再统一设置密码
设置密码只需要在主节点执行即可。
切换到 elasticsearch 安装文件目录 bin 下,执行设置用户名和密码的命令,内置了部分用户。
./elasticsearch-setup-passwords?interactive
|
|
分别为多个用户设置密码例如:elastic, kibana, logstash_system,beats_system
再次无密码访问 elasticsearch,发现提示安全认证错误。
|
|
需要输入账号密码才能访问
| [forp1@cluster elasticsearch-7.10.0]$ curl --user elastic:12345678 http://192.168.100.35:9200 { ??"name" : "node-1", ??"cluster_name" : "my-es", ??"cluster_uuid" : "n75jDm9oRKqoBIhxtlVt-A", ??"version" : { ????"number" : "7.10.0", ????"build_flavor" : "default", ????"build_type" : "tar", ????"build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96", ????"build_date" : "2020-11-09T21:30:33.964949Z", ????"build_snapshot" : false, ????"lucene_version" : "8.7.0", ????"minimum_wire_compatibility_version" : "6.8.0", ????"minimum_index_compatibility_version" : "6.0.0-beta1" ??}, ??"tagline" : "You Know, for Search" |
上述访问方式为明文密码输入,不推荐,可以改为如下方式访问
| [forp1@cluster elasticsearch-7.10.0]$ curl --user elastic http://192.168.100.35:9200 Enter host password for user 'elastic': { ??"name" : "node-1", ??"cluster_name" : "my-es", ??"cluster_uuid" : "n75jDm9oRKqoBIhxtlVt-A", ??"version" : { ????"number" : "7.10.0", ????"build_flavor" : "default", ????"build_type" : "tar", ????"build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96", ????"build_date" : "2020-11-09T21:30:33.964949Z", ????"build_snapshot" : false, ????"lucene_version" : "8.7.0", ????"minimum_wire_compatibility_version" : "6.8.0", ????"minimum_index_compatibility_version" : "6.0.0-beta1" ??}, ??"tagline" : "You Know, for Search" } |
