Elasticsearch 麒麟V10下单机部署Elasticsearch8及Kibana

忿惺噱 · 前天 10:00

实践环境

elasticsearch-8.16.4-linux-x86_64.tar.gz
https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.16.4-linux-x86_64.tar.gz
kibana-8.16.4-linux-x86_64.tar.gz
https://artifacts.elastic.co/downloads/kibana/kibana-8.16.4-linux-x86_64.tar.gz
麒麟V10
新建运行用户

# groupadd -g 505 elastic
# useradd -u 505 -g 505 elastic

复制代码

修改系统参数配置

# vi /etc/sysctl.conf
vm.overcommit_memory=1
vm.max_map_count=262144
# sysctl -p
# 查看语言配置
# locale
LANG=zh_CN.UTF-8
LC_CTYPE="zh_CN.UTF-8"
...
# swapoff -a
# vi /etc/security/limits.conf
# End of file
elastic soft memlock unlimited
elastic hard memlock unlimited
# ulimit -l unlimited

复制代码

说明：如果locale命令输出和上述不一样，修改locale.conf配置，设置LANG=zh_CN.UTF-8

# vi /etc/locale.conf
...
LANG=zh_CN.UTF-8

复制代码

bootstrap.memory_lock相关配置
禁用swap

# swapoff -a

复制代码

永久配置

# vi /etc/fstab

复制代码

去掉swap所在行

#
# /etc/fstab
# Created by anaconda on Wed Jul 5 22:21:55 2023
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/klas-root / xfs defaults 0 0
UUID=59b10633-de57-4a13-83c5-49ea947edefc /boot xfs defaults 0 0
/dev/mapper/klas-opt_data /opt/data xfs defaults 0 0
/dev/mapper/klas-opt_log /opt/log xfs defaults 0 0
#/dev/mapper/klas-swap swap swap defaults 0 0

复制代码

# vi /etc/security/limits.conf

复制代码

添加以下配置：

# End of file
elastic soft memlock unlimited
elastic hard memlock unlimited

复制代码

# ulimit -l unlimited

复制代码

注意：如果不执行上述这行命令，启动时会报错：

bootstrap check failure [1] of [2]: memory locking requested for elasticsearch process but memory is not locked;

复制代码

参考连接：
https://www.elastic.co/guide/en/elasticsearch/reference/8.16/setup-configuration-memory.html#bootstrap-memory_lock
停止防火墙

# systemctl disable firewalld
# systemctl stop firewalld

复制代码

elasticsearch

提前创建elasticsearch.yml、jvm.options配置相关目录，否则运行ES时会报错

# mkdir /opt/data/esdata
# mkdir -p /opt/data/eslogs/jvm/logs
# mkdir -p /opt/data/eslogs/jvm/tmpdir
# mkdir -p /opt/data/eslogs/jvm/data

复制代码

解压压缩包

# cd /opt/data/
# tar -xvf elasticsearch-8.16.4-linux-x86_64.tar.gz

复制代码

修改elasticsearch.yml

修改配置

# vi /opt/data/elasticsearch-8.16.4/config/elasticsearch.yml

复制代码

关键配置项如下

# 集群名称
cluster.name: es001db
# 节点名称
node.name: node1
# 监听IP地址(本机地址)
network.host: 192.168.34.51
# 监听端口地址
http.port: 19200
# 增加内部通讯端口
transport.port: 19300
# 节点发现过程中的种子，默认为 ["127.0.0.1", "[::1]"]
# 这里因为是单机，所以保持配置不变
#discovery.seed_hosts: ["host1", "host2"]
# 初始有master资格的节点列表，只在集群第一次启动有效
cluster.initial_master_nodes: ["node1"]
#数据存储目录路径
path.data: /opt/data/esdata
# 日志存储目录路径
path.logs: /opt/data/eslogs
# 在数据库层面金庸swap,同时设置会场参数memlock值为unlimited
bootstrap.memory_lock: true

复制代码

修改jvm.options

修改配置

# vi /opt/data/elasticsearch-8.16.4/config/jvm.options

复制代码

关键配置项如下

# 编码设置
-Dfile.encoding=zh_CU.UTF-8
# JVM内存配置
-Xms16g
-Xmx16g
## JVM 临时目录
-Djava.io.tmpdir=/opt/data/eslogs/jvm/tmpdir
# dump日志路径
-XX:HeapDumpPath=/opt/data/eslogs/jvm/data
# fatal日志配路径
# 注意：/opt/data/eslogs/jvm/logs目录必须提前创建，如果不存在的话
-XX:ErrorFile=/opt/data/eslogs/jvm/logs/hs_err_pid%p.log
# gc 日志
-Xlog:gc*,gc+age=trace,safepoint:file=/opt/data/eslogs/jvm/logs/gc.log:utctime,level,pid,tags:filecount=32,filesize=64m

复制代码

修改log4j2.properties(可选)

# vi /opt/data/elasticsearch-8.16.4/config/log4j2.properties

复制代码

关键配置默认如下，无须修改

logger.index_indexing_slowlog.level = trace

复制代码

基础安全设置

首次启动Elasticsearch时，会为elastic用户生成密码，并自动配置TLS。如果在启动Elasticsearch节点之前手动配置了安全性，则自动配置过程将遵循自定义安全配置。可以随时调整TLS配置，例如更新节点证书。
如果集群有多个节点，那么必须在节点之间配置TLS。如果不启用TLS，生产模式集群将无法启动。
传输层依赖于双向TLS来对节点进行加密和身份验证。正确应用TLS可确保恶意节点无法加入集群并与其他节点交换数据。虽然在HTTP层实现用户名和密码身份验证对于保护本地集群很有用，但节点之间的通信安全需要使用TLS。
在节点之间配置TLS是基本的安全设置，可防止未经授权的节点访问集群。

理解传输上下文
传输层安全（TLS）是一项行业标准协议的名称，用于对网络通信实施安全控制（如加密）。TLS是过去称为安全套接字层（SSL）的现代名称。Elasticsearch文档中可互换使用TLS和SSL这两个术语。
传输协议是Elasticsearch节点之间用于通信的协议名称。此名称特定于Elasticsearch，用于区分传输端口（默认9300）和HTTP端口（默认9200）。节点之间使用传输端口进行通信，而REST客户端则使用HTTP端口与Elasticsearch进行通信。
尽管“transport”一词在两种情境下都有出现，但它们的含义却不同。可以将TLS应用于Elasticsearch的传输端口和HTTP端口。这些重叠的术语可能会造成混淆，因此为了澄清，在此场景下我们将TLS应用于Elasticsearch的传输端口。在下一场景中，我们将把TLS应用于Elasticsearch的HTTP端口。

生成证书颁发机构(certificate authority)

在集群中，可以根据需要添加任意数量的节点，但这些节点必须能够相互通信。集群中节点之间的通信由传输模块处理。为了保护集群，必须确保节点间的通信是加密且经过验证的，这可以通过双向TLS来实现。
在安全的集群中，Elasticsearch节点在与其他节点通信时使用证书来标识自己。
集群必须验证这些证书的真实性。推荐的做法是信任特定的证书颁发机构（certificate authority，CA）。当向集群中添加节点时，这些节点必须使用由同一CA签发的证书。
对于传输层，建议使用一个单独的专用证书颁发机构（CA），而不是现有的、可能为共享的CA，以便严格控制节点成员资格。使用elasticsearch-certutil工具为集群生成一个CA。

在启动Elasticsearch之前，在任何单个节点上使用elasticsearch-certutil工具为您的集群生成一个证书颁发机构（CA）。
1. # cd /opt/data/elasticsearch-8.16.4
2. # ./bin/elasticsearch-certutil ca
3. This tool assists you in the generation of X.509 certificates and certificate
4. signing requests for use with SSL/TLS in the Elastic stack.
6. The 'ca' mode generates a new 'certificate authority'
7. This will create a new X.509 certificate and private key that can be used
8. to sign certificate when running in 'cert' mode.
10. Use the 'ca-dn' option if you wish to configure the 'distinguished name'
11. of the certificate authority
13. By default the 'ca' mode produces a single PKCS#12 output file which holds:
14. * The CA certificate
15. * The CA's private key
17. If you elect to generate PEM format certificates (the -pem option), then the output will
18. be a zip file containing individual files for the CA certificate and private key
20. Please enter the desired output file [elastic-stack-ca.p12]:#说明：此处直接回车(使用默认文件名称elastic-stack-ca.p12)
21. Enter password for elastic-stack-ca.p12 :#说明：此处直接回车,即不设置密码
复制代码
- elastic-stack-ca.p12文件包含此文件包含的证书颁发机构（CA）的公钥证书以及用于为每个节点签署证书的私钥。
- 如果计划部署到生产环境，需要为CA输入一个密码，否则可以选择将密码留空。
在任一单个节点上，为集群中的节点生成证书和私钥。需要包含在上一步中生成的elastic-stack-ca.p12输出文件。
1. # ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
2. This tool assists you in the generation of X.509 certificates and certificate
3. signing requests for use with SSL/TLS in the Elastic stack.
5. The 'cert' mode generates X.509 certificate and private keys.
6. * By default, this generates a single certificate and key for use
7. on a single instance.
8. * The '-multiple' option will prompt you to enter details for multiple
9. instances and will generate a certificate and key for each one
10. * The '-in' option allows for the certificate generation to be automated by describing
11. the details of each instance in a YAML file
13. * An instance is any piece of the Elastic Stack that requires an SSL certificate.
14. Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
15. may all require a certificate and private key.
16. * The minimum required value for each instance is a name. This can simply be the
17. hostname, which will be used as the Common Name of the certificate. A full
18. distinguished name may also be used.
19. * A filename value may be required for each instance. This is necessary when the
20. name would result in an invalid file or directory name. The name provided here
21. is used as the directory name (within the zip) and the prefix for the key and
22. certificate files. The filename is required if you are prompted and the name
23. is not displayed in the prompt.
24. * IP addresses and DNS names are optional. Multiple values can be specified as a
25. comma separated string. If no IP addresses or DNS names are provided, you may
26. disable hostname verification in your SSL configuration.
29. * All certificates generated by this tool will be signed by a certificate authority (CA)
30. unless the --self-signed command line option is specified.
31. The tool can automatically generate a new CA for you, or you can provide your own with
32. the --ca or --ca-cert command line options.
35. By default the 'cert' mode produces a single PKCS#12 output file which holds:
36. * The instance certificate
37. * The private key for the instance certificate
38. * The CA certificate
40. If you specify any of the following options:
41. * -pem (PEM formatted output)
42. * -multiple (generate multiple certificates)
43. * -in (generate certificates from an input file)
44. then the output will be be a zip file containing individual certificate/key files
46. Enter password for CA (elastic-stack-ca.p12) : #说明：此处直接回车
47. Please enter the desired output file [elastic-certificates.p12]:#说明：此处直接回车（使用默认名称）
48. Enter password for elastic-certificates.p12 :#说明：此处输入密码后回车，密码设置：elastic*123
50. Certificates written to /opt/data/elasticsearch-8.16.4/elastic-certificates.p12
52. This file should be properly secured as it contains the private key for
53. your instance.
54. This file is a self contained file and can be copied and used 'as is'
55. For each Elastic product that you wish to configure, you should copy
56. this '.p12' file to the relevant configuration directory
57. and then follow the SSL configuration instructions in the product guide.
59. For client applications, you may only need to copy the CA certificate and
60. configure the client to trust this certificate.
复制代码
- --ca
  用于签署证书的CA文件的名称。来自elasticsearch-certutil工具的默认文件名为elastic-stack-ca.p12。
  - Enter password for CA (elastic-stack-ca.p12) : : 次处等待输入CA密码，如果在上一步中未配置密码，可直接按回车键。
  - Please enter the desired output file [elastic-certificates.p12]: 使用默认输出文件 -- 一个名为elastic-certificates.p12的密钥库。此文件包含节点证书、节点密钥和CA证书。
  - Enter password for elastic-certificates.p12 : 为证书创建一个密码。
集群中的每个节点上，拷贝 elastic-certificates.p12 文件到集群中每个节点上 $ES_PATH_CONF 目录下（本文中为）。
1. # pwd
2. /opt/data/elasticsearch-8.16.4/config
3. # ls
4. bin config elastic-certificates.p12 elastic-stack-ca.p12 jdk lib LICENSE.txt logs modules NOTICE.txt plugins README.asciidoc
5. # cp elastic-certificates.p12 config/
复制代码

使用TLS加密节点间通信

传输网络层用于集群中节点间的内部通信。启用安全功能后，必须使用TLS来确保节点间的通信是加密的。
Elasticsearch会监控所有配置为TLS相关节点设置值的文件，如证书、密钥、密钥库或信任库。如果更新了这些文件中的任何一个，例如当您的主机名更改或证书即将过期时，Elasticsearch会重新加载它们。Elasticsearch会以全局Elasticsearch resource.reload.interval.high设置确定的频率轮询这些文件是否有更改，该设置默认为5秒。
为集群中的每个节点完成以下步骤。若要加入同一集群，所有节点必须共享相同的cluster.name值。

打开 $ES_PATH_CONF/elasticsearch.yml（例中为vi /opt/data/elasticsearch-8.16.4/config/elasticsearch.yml）文件，并进行以下修改：
- 添加 cluster.name 配置并为集群设置一个名字，例如:
  1. cluster.name: es001db
  复制代码
- 添加node.name 配置并设置节点名称（节点名称默认为机器的主机名）
  1. node.name: node1
  复制代码
- 添加以下设置以启用节点间通信，并提供对节点证书的访问。
  由于集群中的每个节点上使用相同的elastic-certificates.p12文件，所以将验证模式设置为证书.
  1. xpack.security.transport.ssl.enabled: true
  2. xpack.security.transport.ssl.verification_mode: certificate
  3. xpack.security.transport.ssl.client_authentication: required
  4. xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
  5. xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
  复制代码
  如果想使用主机名验证，请将验证模式设置为完全验证。应为每个与DNS或IP地址匹配的主机生成不同的证书。请参阅TLS 设置中的xpack.security.transport.ssl.verification_mode参数。
如果在创建节点证书时输入了密码，请运行以下命令以将密码存储在Elasticsearch密钥库中:
1. # cd /opt/data/elasticsearch-8.16.4
2. # ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
3. The elasticsearch keystore does not exist. Do you want to create it? [y/N]y #说明：此处输入y后回车
4. Enter value for xpack.security.transport.ssl.keystore.secure_password:#说明：此处输入密码后回车，密码设置：elastic*123
5. # ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
6. Enter value for xpack.security.transport.ssl.truststore.secure_password:#说明：此处输入密码后回车，密码：elastic*123
复制代码
为集群中的其它节点完成以上步骤。
在集群中的每个节点上，启动Elasticsearch。启动和停止Elasticsearch的方法因安装方式而异。
例如，如果你使用归档分发版（tar.gz或.zip）安装了Elasticsearch，可以在命令行中输入Ctrl+C来停止Elasticsearch。

必须执行完整的集群重启。配置为使用TLS进行传输的节点无法与使用未加密传输连接的节点进行通信（反之亦然）
1. # cd /opt/data/
2. # chown -R elastic:elastic esdata
3. # chown -R elastic:elastic eslogs
4. # chown -R elastic:elastic elasticsearch-8.16.4
5. # cd elasticsearch-8.16.4
6. # su elastic
7. $ ./bin/elasticsearch
复制代码
备注：如果希望es以后台服务的方式运行，可以这样
1. $ ./bin/elasticsearch -d -p pid
复制代码

参考连接

https://www.elastic.co/guide/en/elasticsearch/reference/8.16/security-basic-setup.html
https://www.elastic.co/docs/deploy-manage/maintenance/start-stop-services/start-stop-elasticsearch
修改内置用户密码

另外新开一个窗口，修改内置elastic， kibana_system用户

# su elastic
$ cd /opt/data/elasticsearch-8.16.4/
$ ./bin/elasticsearch-reset-password -i -u elastic
This tool will reset the password of the [elastic] user.
You will be prompted to enter the password.
Please confirm that you would like to continue [y/N]y # 说明：此处输入y后回车
Enter password for [elastic]:# 说明：此处输入密码后回车，密码：elastic*123
Re-enter password for [elastic]:# 说明：此处输入密码后回车，密码：elastic*123
Password for the [elastic] user successfully reset.
$ ./bin/elasticsearch-reset-password -i -u kibana_system
This tool will reset the password of the [kibana_system] user.
You will be prompted to enter the password.
Please confirm that you would like to continue [y/N]y # 说明：此处输入y后回车
Enter password for [kibana_system]:# 说明：此处输入密码后回车，密码：kibana*123
Re-enter password for [kibana_system]:# 说明：此处输入密码后回车，密码：kibana*123
Password for the [kibana_system] user successfully reset.

复制代码

用户访问验证

# curl -I http://192.168.34.51:19200
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="security", charset="UTF-8"
WWW-Authenticate: ApiKey
content-type: application/json
content-length: 405
# curl -u elastic:elastic*123 -X GET "http://192.168.34.51:19200/_cat/health?v"
epoch timestamp cluster status node.total node.data shards pri relo init unassign unassign.pri pending_tasks max_task_wait_time active_shards_percent
1761727114 08:38:34 es001db green 1 1 33 33 0 0 0 0 0 - 100.0%

复制代码

参考链接

https://www.elastic.co/guide/en/elasticsearch/reference/8.16/security-minimal-setup.html
https://www.elastic.co/guide/en/elasticsearch/reference/8.16/built-in-users.html
kibana(可选)

解压安装包

# tar -xvf kibana-8.16.4-linux-x86_64.tar.gz
# cd kibana-8.16.4/
# ls
bin config data LICENSE.txt logs node node_modules NOTICE.txt package.json packages plugins README.txt src x-pack
# cd cd config/
# ls
kibana.yml node.options

复制代码

修改kibana.yal配置文件

# vi kibana.yml

复制代码

关键配置项如下：

# 设置访问es的账户和密码
elasticsearch.username: "kibana_system"
elasticsearch.password: "kibana*123"
# 设置es访问地址
elasticsearch.hosts: ["http://192.168.34.51:19200"]
# 设置kibana自身服务监听端口和IP地址
server.port: 5601
server.host: "192.168.34.51"

复制代码

Kibana密码连接ES其它相关配置

# cd /opt/data/kibana-8.16.4/
# ./bin/kibana-keystore create
Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.16/production.html#openssl-legacy-provider
Created Kibana keystore in /opt/data/kibana-8.16.4/config/kibana.keystore
# ./bin/kibana-keystore add elasticsearch.password
Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.16/production.html#openssl-legacy-provider
Enter value for elasticsearch.password: **********# 说明，这里输入上述为kibana_system用户设置的密码(kibana*123)后回传

复制代码

运行kibana

# ./bin/kibana --allow-root

复制代码

或者

# cd /opt/data
# chown -R elastic:elastic kibana-8.16.4
# su elastic
$ cd kibana-8.16.4/
$ ./bin/kibana

复制代码

访问Kibana

说明：此处输入上文es内置用户elastic及密码(本文中为elastic*123)后点击 Log in
ES 访问验证：点击左侧三线按钮，展开抽屉栏中点击 Management -> Dev Tools

参考链接

https://www.elastic.co/guide/en/elasticsearch/reference/8.16/security-minimal-setup.html
https://www.elastic.co/guide/en/kibana/8.16/targz.html

来源：程序园用户自行投稿发布，如果侵权，请联系站长删除
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

账号		自动登录	找回密码
密码			立即注册

Elasticsearch 麒麟V10下单机部署Elasticsearch8及Kibana

相关帖子

签约作者

Elasticsearch 麒麟V10下单机部署Elasticsearch8及Kibana

相关帖子

相关推荐

签约作者