当前环境:
docker-compose安装的分机多节点 elasticsearch 7.15.0
node1 | 192.168.1.194 |
node2 | 192.168.1.195 |
node3 | 192.168.1.198 |
因业务需要,需要升级到8.10.4
8.X 高版本的安全加固已成必须,想不做安全都变得很困难。
8.X 是在 7.X 基础上的升级版本,低版本的已知 bug 都已修复,理论上性能也更优。
8.X 的新特性、新 feature,只有升级才能使用。其中包括矢量搜索、近似最近邻 (ANN) 搜索、现代 NLP 和简化的 Stack 安全性等诸多亮点
流程
两步骤策略如下:
第一步:7.15.0 版本升级到 7.17.0 版本。
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/rolling-upgrades.html
第二步:7.17.5 版本升级到 8.1.0 版本。(本文实际操作的版本为 7.17.0 → 8.10.4,以下文拉取的镜像版本为准。)
https://www.elastic.co/guide/en/elastic-stack/8.1/upgrading-elastic-stack.html#prepare-to-upgrade
1、8.0版本的elastic和7.0版本的elastic在参数配置写法有一些不同
2、8.0版本的elastic弃用掉了一些7.0版本的插件
3、elasticsearch不支持版本回滚,升级前请先对数据做快照备份
4、elasticsearch 8.0 开始,默认不允许 Kibana 使用 elastic 超级用户账号连接 Elasticsearch(即 kibana.yml 中的 elasticsearch.username 不能填 elastic)
https://www.elastic.co/guide/en/elasticsearch/reference/8.10/modules-discovery-settings.html
步骤:
1、拉取镜像
# Pre-pull the target (8.10.4) and intermediate (7.17.0) Elasticsearch and
# Kibana images from the official Elastic registry.
# Tags are mutable: record the pulled digests (`docker images --digests`) if
# you need to confirm that every node runs the same build.
docker pull docker.elastic.co/elasticsearch/elasticsearch:8.10.4
docker pull docker.elastic.co/kibana/kibana:8.10.4
docker pull docker.elastic.co/elasticsearch/elasticsearch:7.17.0
docker pull docker.elastic.co/kibana/kibana:7.17.0
2、docker方式安装的elasticsearch无法滚动升级,只能先停止所有节点上的容器,再统一升级
3、7.17版本yml文件
node1
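# Compose file for node1 (192.168.1.194): Elasticsearch 7.17.0 + Kibana 7.17.0.
# Intermediate step of the 7.15.0 -> 7.17.0 -> 8.10.4 upgrade.
version: '3.4'
services:
  elasticsearch_node1:
    # Host networking: Elasticsearch binds 9200/9300 directly on the host
    # interfaces. A `ports:` mapping does not apply in this mode and was
    # removed; limit who can reach 9200/9300 with the host firewall instead.
    network_mode: host
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0
    container_name: elasticsearch_node1
    restart: always
    # `privileged: true` was dropped: nothing in this file needs full host
    # privileges (memory locking is covered by the memlock ulimit below), and
    # a privileged container on the host network removes most isolation.
    environment:
      # List-form entries must be KEY=VALUE. An entry written as `key:value`
      # has no `=`, so Compose treats the whole string as a variable name and
      # the setting is never applied.
      - cluster.name=elasticsearch-cluster
      - node.name=node1
      - node.master=true
      - node.data=true
      - http.port=9200
      - transport.tcp.port=9300
      - TZ=Asia/Shanghai
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # Transport (node-to-node) TLS. `certificate` validates the certificate
      # chain but not the host name; `full` also checks the host name and is
      # preferable when the certificates carry the node IPs/names.
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
      # NOTE(security): xpack.security.http.ssl.enabled is not set, so the
      # REST API on 9200 is plain HTTP and passwords cross the network in
      # clear text.
      - xpack.security.audit.enabled=true
      # Far above the default; a single aggregation may allocate this many
      # buckets, so heavy queries can exhaust the heap.
      - search.max_buckets=100000000
      # NOTE(security): CORS is open to every origin. Restrict allow-origin
      # to the actual front-end origin, or disable CORS if no browser talks
      # to Elasticsearch directly.
      - http.cors.enabled=true
      - "http.cors.allow-origin=*"
      # Only consulted when a brand-new cluster bootstraps; Elastic recommends
      # removing it once the cluster has formed.
      - cluster.initial_master_nodes=node1
      - "ES_JAVA_OPTS=-Xms8192m -Xmx8192m"
      # Single-host variant (all nodes on one server):
      # - "discovery.zen.ping.unicast.hosts=elasticsearch_n0,elasticsearch_n1,elasticsearch_n2"
      # Legacy discovery.zen.* names: still accepted on 7.17, but they must be
      # gone before moving to 8.x.
      - discovery.zen.ping.unicast.hosts=192.168.1.194,192.168.1.195,192.168.1.198
      - "discovery.zen.minimum_master_nodes=2"
      - discovery.zen.ping_timeout=120s
      - client.transport.ping_timeout=60s
      # Required when the nodes run on separate hosts: the IP address other
      # nodes use to reach this node.
      - network.publish_host=192.168.1.194
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /data/elasticsearch/data/node1:/usr/share/elasticsearch/data
      - /data/elasticsearch/logs/node1:/usr/share/elasticsearch/logs
      # The keystore holds the node's private key: mount it read-only and keep
      # the host file readable only by the account Elasticsearch runs as.
      - /data/elasticsearch/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:ro
  kibana:
    # Host networking: Kibana listens on 5601 on the host directly, so the
    # former `ports:` mapping was removed here as well.
    network_mode: host
    image: docker.elastic.co/kibana/kibana:7.17.0
    container_name: kibana
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # kibana.yml contains the Elasticsearch password; keep restrictive file
      # permissions on the host copy. Consider `:ro` if Kibana never needs to
      # write to it.
      - /opt/kibana.yml:/usr/share/kibana/config/kibana.yml:rw
    depends_on:
      - elasticsearch_node1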
node2
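# Compose file for node2 (192.168.1.195): Elasticsearch 7.17.0.
# Intermediate step of the 7.15.0 -> 7.17.0 -> 8.10.4 upgrade.
version: '3.4'
services:
  elasticsearch_node2:
    # Host networking: 9200/9300 are bound directly on the host, so the
    # `ports:` mapping had no effect and was removed. Restrict access to
    # these ports with the host firewall.
    network_mode: host
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0
    container_name: elasticsearch_node2
    restart: always
    # `privileged: true` was dropped: nothing in this file needs full host
    # privileges (memory locking is covered by the memlock ulimit below).
    environment:
      # List-form entries must be KEY=VALUE; an entry written `key:value` is
      # read as a bare variable name and the setting is never applied.
      - cluster.name=elasticsearch-cluster
      - node.name=node2
      - node.master=true
      - node.data=true
      - http.port=9200
      - transport.tcp.port=9300
      - TZ=Asia/Shanghai
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # Transport TLS; `certificate` checks the chain but not the host name.
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
      # NOTE(security): HTTP-layer TLS (xpack.security.http.ssl.enabled) is
      # not configured, so REST traffic on 9200 is unencrypted.
      - xpack.security.audit.enabled=true
      # Far above the default; large aggregations can exhaust the heap.
      - search.max_buckets=100000000
      # NOTE(security): CORS is open to every origin; restrict allow-origin
      # or disable CORS if no browser talks to Elasticsearch directly.
      - http.cors.enabled=true
      - "http.cors.allow-origin=*"
      # Only consulted when a brand-new cluster bootstraps.
      - cluster.initial_master_nodes=node1
      - "ES_JAVA_OPTS=-Xms8192m -Xmx8192m"
      # Single-host variant (all nodes on one server):
      # - "discovery.zen.ping.unicast.hosts=elasticsearch_n0,elasticsearch_n1,elasticsearch_n2"
      # Legacy discovery.zen.* names: accepted on 7.17, must go before 8.x.
      - discovery.zen.ping.unicast.hosts=192.168.1.194,192.168.1.195,192.168.1.198
      - "discovery.zen.minimum_master_nodes=2"
      - discovery.zen.ping_timeout=120s
      - client.transport.ping_timeout=60s
      # Required when the nodes run on separate hosts: the IP address other
      # nodes use to reach this node.
      - network.publish_host=192.168.1.195
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      # The host directories are named "node1" on this host too; kept as
      # written because the existing data presumably lives there.
      - /data/elasticsearch/data/node1:/usr/share/elasticsearch/data
      - /data/elasticsearch/logs/node1:/usr/share/elasticsearch/logs
      # Keystore with the node's private key: mounted read-only.
      - /data/elasticsearch/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:ro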
node3
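# Compose file for node3 (192.168.1.198): Elasticsearch 7.17.0.
# Intermediate step of the 7.15.0 -> 7.17.0 -> 8.10.4 upgrade.
version: '3.4'
services:
  elasticsearch_node3:
    # Host networking: 9200/9300 are bound directly on the host, so the
    # `ports:` mapping had no effect and was removed. Restrict access to
    # these ports with the host firewall.
    network_mode: host
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0
    container_name: elasticsearch_node3
    restart: always
    # `privileged: true` was dropped: nothing in this file needs full host
    # privileges (memory locking is covered by the memlock ulimit below).
    environment:
      # List-form entries must be KEY=VALUE; an entry written `key:value` is
      # read as a bare variable name and the setting is never applied.
      - cluster.name=elasticsearch-cluster
      - node.name=node3
      - node.master=true
      - node.data=true
      - http.port=9200
      - transport.tcp.port=9300
      - TZ=Asia/Shanghai
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # Transport TLS; `certificate` checks the chain but not the host name.
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
      # NOTE(security): HTTP-layer TLS (xpack.security.http.ssl.enabled) is
      # not configured, so REST traffic on 9200 is unencrypted.
      - xpack.security.audit.enabled=true
      # Far above the default; large aggregations can exhaust the heap.
      - search.max_buckets=100000000
      # NOTE(security): CORS is open to every origin; restrict allow-origin
      # or disable CORS if no browser talks to Elasticsearch directly.
      - http.cors.enabled=true
      - "http.cors.allow-origin=*"
      # Only consulted when a brand-new cluster bootstraps.
      - cluster.initial_master_nodes=node1
      - "ES_JAVA_OPTS=-Xms8192m -Xmx8192m"
      # Single-host variant (all nodes on one server):
      # - "discovery.zen.ping.unicast.hosts=elasticsearch_n0,elasticsearch_n1,elasticsearch_n2"
      # Legacy discovery.zen.* names: accepted on 7.17, must go before 8.x.
      - discovery.zen.ping.unicast.hosts=192.168.1.194,192.168.1.195,192.168.1.198
      - "discovery.zen.minimum_master_nodes=2"
      - discovery.zen.ping_timeout=120s
      - client.transport.ping_timeout=60s
      # Required when the nodes run on separate hosts: the IP address other
      # nodes use to reach this node.
      - network.publish_host=192.168.1.198
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      # The host directories are named "node1" on this host too; kept as
      # written because the existing data presumably lives there.
      - /data/elasticsearch/data/node1:/usr/share/elasticsearch/data
      - /data/elasticsearch/logs/node1:/usr/share/elasticsearch/logs
      # Keystore with the node's private key: mounted read-only.
      - /data/elasticsearch/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:ro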
kibana.yml不变
先停止所有节点容器,再更新到7.17.0
4、8.10.4配置yml文件
node1
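# Compose file for node1 (192.168.1.194): Elasticsearch 8.10.4 + Kibana 8.10.4.
version: '3.4'
services:
  elasticsearch_node1:
    # Host networking: Elasticsearch binds 9200/9300 directly on the host
    # interfaces. A `ports:` mapping does not apply in this mode and was
    # removed; limit who can reach 9200/9300 with the host firewall instead.
    network_mode: host
    image: docker.elastic.co/elasticsearch/elasticsearch:8.10.4
    container_name: elasticsearch_node1
    restart: always
    # `privileged: true` was dropped: nothing in this file needs full host
    # privileges (memory locking is covered by the memlock ulimit below), and
    # a privileged container on the host network removes most isolation.
    environment:
      # List-form entries must be KEY=VALUE. An entry written as `key:value`
      # has no `=`, so Compose treats the whole string as a variable name and
      # the setting is never applied.
      - cluster.name=elasticsearch-cluster
      - node.name=node1
      # node.master / node.data were replaced by node.roles:
      # - node.master=true
      # - node.data=true
      # The original entry `node.roles:[master, data]` lacked `=` and was
      # never applied, so the node ran with the default role set. It stays
      # disabled to keep that behaviour; if roles must be restricted, use a
      # comma-separated value and include every role the cluster relies on:
      # - node.roles=master,data,ingest
      - http.port=9200
      # 8.x name of the former transport.tcp.port setting.
      - transport.port=9300
      - TZ=Asia/Shanghai
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # Transport (node-to-node) TLS. `certificate` validates the certificate
      # chain but not the host name; `full` also checks the host name and is
      # preferable when the certificates carry the node IPs/names.
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
      # NOTE(security): xpack.security.http.ssl.enabled is not set, so the
      # REST API on 9200 is plain HTTP and passwords cross the network in
      # clear text.
      - xpack.security.audit.enabled=true
      # Far above the default; a single aggregation may allocate this many
      # buckets, so heavy queries can exhaust the heap.
      - search.max_buckets=100000000
      # The original `http.cors.allow-origin= "*"` passed the space and the
      # quote characters as part of the value; the whole entry is quoted here.
      # NOTE(security): this opens CORS to every origin. Restrict it to the
      # actual front-end origin, or disable CORS if no browser talks to
      # Elasticsearch directly.
      - http.cors.enabled=true
      - "http.cors.allow-origin=*"
      # Only consulted when a brand-new cluster bootstraps; Elastic recommends
      # removing it once the cluster has formed.
      - cluster.initial_master_nodes=node1,node2,node3
      - "ES_JAVA_OPTS=-Xms8192m -Xmx8192m"
      # Single-host variant (all nodes on one server):
      # - "discovery.seed_hosts=elasticsearch_n0,elasticsearch_n1,elasticsearch_n2"
      - discovery.seed_hosts=192.168.1.194,192.168.1.195,192.168.1.198
      # The legacy discovery.zen.* settings no longer exist in 8.x. The
      # original entries (`discovery.zen.minimum_master_nodes:2`,
      # `discovery.zen.ping_timeout:120s`) only "worked" because the missing
      # `=` kept them from being passed; they are dropped rather than fixed.
      # The master quorum is managed by Elasticsearch itself.
      # - client.transport.ping_timeout=60s
      # Required when the nodes run on separate hosts: the IP address other
      # nodes use to reach this node.
      - network.publish_host=192.168.1.194
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /data/elasticsearch/data/node1:/usr/share/elasticsearch/data
      - /data/elasticsearch/logs/node1:/usr/share/elasticsearch/logs
      # The keystore holds the node's private key: mount it read-only and keep
      # the host file readable only by the account Elasticsearch runs as.
      - /data/elasticsearch/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:ro
  kibana:
    # Host networking: Kibana listens on 5601 on the host directly, so the
    # former `ports:` mapping was removed here as well.
    network_mode: host
    image: docker.elastic.co/kibana/kibana:8.10.4
    container_name: kibana
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # kibana.yml contains the Elasticsearch password; keep restrictive file
      # permissions on the host copy. Consider `:ro` if Kibana never needs to
      # write to it.
      - /opt/kibana_8.10.4.yml:/usr/share/kibana/config/kibana.yml:rw
    depends_on:
      - elasticsearch_node1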
node2
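# Compose file for node2 (192.168.1.195): Elasticsearch 8.10.4.
version: '3.4'
services:
  elasticsearch_node2:
    # Host networking: 9200/9300 are bound directly on the host, so the
    # `ports:` mapping had no effect and was removed. Restrict access to
    # these ports with the host firewall.
    network_mode: host
    image: docker.elastic.co/elasticsearch/elasticsearch:8.10.4
    container_name: elasticsearch_node2
    restart: always
    # `privileged: true` was dropped: nothing in this file needs full host
    # privileges (memory locking is covered by the memlock ulimit below).
    environment:
      # List-form entries must be KEY=VALUE; an entry written `key:value` is
      # read as a bare variable name and the setting is never applied.
      - cluster.name=elasticsearch-cluster
      - node.name=node2
      # node.master / node.data were replaced by node.roles:
      # - node.master=true
      # - node.data=true
      # The original `node.roles:[master, data]` lacked `=` and was never
      # applied, so the node ran with the default roles. Kept disabled to
      # preserve that; the working syntax is a comma-separated value:
      # - node.roles=master,data,ingest
      - http.port=9200
      # 8.x name of the former transport.tcp.port setting.
      - transport.port=9300
      - TZ=Asia/Shanghai
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # Transport TLS; `certificate` checks the chain but not the host name.
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
      # NOTE(security): HTTP-layer TLS (xpack.security.http.ssl.enabled) is
      # not configured, so REST traffic on 9200 is unencrypted.
      - xpack.security.audit.enabled=true
      # Far above the default; large aggregations can exhaust the heap.
      - search.max_buckets=100000000
      # The original `http.cors.allow-origin= "*"` passed the space and the
      # quotes as part of the value; the whole entry is quoted here.
      # NOTE(security): CORS is open to every origin; restrict allow-origin
      # or disable CORS if no browser talks to Elasticsearch directly.
      - http.cors.enabled=true
      - "http.cors.allow-origin=*"
      # Only consulted when a brand-new cluster bootstraps.
      - cluster.initial_master_nodes=node1,node2,node3
      - "ES_JAVA_OPTS=-Xms8192m -Xmx8192m"
      # Single-host variant (all nodes on one server):
      # - "discovery.seed_hosts=elasticsearch_n0,elasticsearch_n1,elasticsearch_n2"
      - discovery.seed_hosts=192.168.1.194,192.168.1.195,192.168.1.198
      # The legacy discovery.zen.* settings no longer exist in 8.x; the
      # original `discovery.zen.minimum_master_nodes:2` and
      # `discovery.zen.ping_timeout:120s` entries were never passed (no `=`)
      # and are dropped rather than fixed.
      # - client.transport.ping_timeout=60s
      # Required when the nodes run on separate hosts: the IP address other
      # nodes use to reach this node.
      - network.publish_host=192.168.1.195
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      # The host directories are named "node1" on this host too; kept as
      # written because the existing data presumably lives there.
      - /data/elasticsearch/data/node1:/usr/share/elasticsearch/data
      - /data/elasticsearch/logs/node1:/usr/share/elasticsearch/logs
      # Keystore with the node's private key: mounted read-only.
      - /data/elasticsearch/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:ro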
node3
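# Compose file for node3 (192.168.1.198): Elasticsearch 8.10.4.
version: '3.4'
services:
  elasticsearch_node3:
    # Host networking: 9200/9300 are bound directly on the host, so the
    # `ports:` mapping had no effect and was removed. Restrict access to
    # these ports with the host firewall.
    network_mode: host
    image: docker.elastic.co/elasticsearch/elasticsearch:8.10.4
    container_name: elasticsearch_node3
    restart: always
    # `privileged: true` was dropped: nothing in this file needs full host
    # privileges (memory locking is covered by the memlock ulimit below).
    environment:
      # List-form entries must be KEY=VALUE; an entry written `key:value` is
      # read as a bare variable name and the setting is never applied.
      - cluster.name=elasticsearch-cluster
      - node.name=node3
      # node.master / node.data were replaced by node.roles:
      # - node.master=true
      # - node.data=true
      # The original `node.roles:[master, data]` lacked `=` and was never
      # applied, so the node ran with the default roles. Kept disabled to
      # preserve that; the working syntax is a comma-separated value:
      # - node.roles=master,data,ingest
      - http.port=9200
      # 8.x name of the former transport.tcp.port setting.
      - transport.port=9300
      - TZ=Asia/Shanghai
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # Transport TLS; `certificate` checks the chain but not the host name.
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
      # NOTE(security): HTTP-layer TLS (xpack.security.http.ssl.enabled) is
      # not configured, so REST traffic on 9200 is unencrypted.
      - xpack.security.audit.enabled=true
      # Far above the default; large aggregations can exhaust the heap.
      - search.max_buckets=100000000
      # The original `http.cors.allow-origin= "*"` passed the space and the
      # quotes as part of the value; the whole entry is quoted here.
      # NOTE(security): CORS is open to every origin; restrict allow-origin
      # or disable CORS if no browser talks to Elasticsearch directly.
      - http.cors.enabled=true
      - "http.cors.allow-origin=*"
      # Only consulted when a brand-new cluster bootstraps.
      - cluster.initial_master_nodes=node1,node2,node3
      - "ES_JAVA_OPTS=-Xms8192m -Xmx8192m"
      # Single-host variant (all nodes on one server):
      # - "discovery.seed_hosts=elasticsearch_n0,elasticsearch_n1,elasticsearch_n2"
      - discovery.seed_hosts=192.168.1.194,192.168.1.195,192.168.1.198
      # The legacy discovery.zen.* settings no longer exist in 8.x; the
      # original `discovery.zen.minimum_master_nodes:2` and
      # `discovery.zen.ping_timeout:120s` entries were never passed (no `=`)
      # and are dropped rather than fixed.
      # - client.transport.ping_timeout=60s
      # Required when the nodes run on separate hosts: the IP address other
      # nodes use to reach this node.
      - network.publish_host=192.168.1.198
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      # The host directories are named "node1" on this host too; kept as
      # written because the existing data presumably lives there.
      - /data/elasticsearch/data/node1:/usr/share/elasticsearch/data
      - /data/elasticsearch/logs/node1:/usr/share/elasticsearch/logs
      # Keystore with the node's private key: mounted read-only.
      - /data/elasticsearch/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:ro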
kibana.yml
# Kibana configuration mounted into the Kibana container.
# Derived from the auto-generated default configuration for the Docker target.
server.name: kibana
# Listens on every host interface; with host networking, port 5601 is then
# reachable from any network the host is attached to.
server.host: "0.0.0.0"
# Address of the first Elasticsearch node.
# NOTE(security): the scheme is http://, so the credentials below are sent to
# Elasticsearch without transport encryption.
elasticsearch.hosts:
  - "http://192.168.1.194:9200"
xpack.monitoring.ui.container.elasticsearch.enabled: false
# NOTE(review): this key is believed to have been removed from Kibana 8.x;
# if Kibana rejects it during config validation, delete the line. Confirm
# against the Kibana release notes.
xpack.security.enabled: true
# Built-in Kibana service user. NOTE(review): `kibana` is the legacy name of
# this account (newer releases call it kibana_system); confirm which one the
# cluster expects.
elasticsearch.username: "kibana"
# Redacted in the article. A plaintext password in a bind-mounted file is
# readable by anyone who can read that file; the Kibana keystore or a service
# account token (elasticsearch.serviceAccountToken) avoids storing it here.
elasticsearch.password: "xxxxxxfeN"
i18n.locale: "zh-CN"
5、启动所有节点上的容器
至少需要成功启动两个节点,集群才能选出主节点并正常工作
http://192.168.1.194:9200/_cat/nodes?v
elasticsearch修改用户密码
# Reset the passwords of built-in users. `-u` selects the user and `-i`
# prompts for the new password interactively instead of generating one.
# The relative path presumably refers to the Elasticsearch home directory
# inside the container — confirm before running.
# NOTE(review): `kibana` is the legacy name of the built-in Kibana service
# user (newer releases call it kibana_system); confirm which account
# kibana.yml should use.
./bin/elasticsearch-reset-password -u kibana -i
./bin/elasticsearch-reset-password -u elastic -i
常见报错:
value of "elastic" is forbidden. This is a superuser account that cannot write to system indices that Kibana needs to function. Use a service account token instead. Learn more: https://www.elastic.co/guide/en/elasticsearch/reference/8.0/service-accounts.html
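elasticsearch 8.0 开始,默认不允许 Kibana 使用 elastic 超级用户账号连接 Elasticsearch
将 kibana.yml 中的 elasticsearch.username 和 elasticsearch.password 改为 kibana 账户及其密码(报错信息中推荐的做法是改用 service account token)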
remove discovery.zen.ping.unicast.hosts setting on esMajorVersion > 7
8 版本开始,部分旧配置项(如 discovery.zen.*)已被移除,需按下面的文档改用新的 discovery 配置(如 discovery.seed_hosts)
https://www.elastic.co/guide/en/elasticsearch/reference/8.10/modules-discovery-settings.html
{"@timestamp":"2023-11-01T09:53:10.400Z", "log.level": "INFO", "message":"Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[node1][transp
ort_worker][T#4]","log.logger":"org.elasticsearch.xpack.security.authc.RealmsAuthenticator","elasticsearch.node.name":"node1","elasticsearch.cluster.name":"elasticsearch-cluster"}{"@timestamp":"2023-11-01T09:53:10.400Z", "log.level": "INFO", "message":"Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[node1][generi
c][T#1]","log.logger":"org.elasticsearch.xpack.security.authc.RealmsAuthenticator","elasticsearch.node.name":"node1","elasticsearch.cluster.name":"elasticsearch-cluster"}{"type":"audit", "timestamp":"2023-11-01T17:53:10,400+0800", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"192.168.1.61:49012", "url.path":"/nc-tag/_update_by_query", "url.query":"slices=1&requests_per_second=-1&ignore_unavailable=false&
expand_wildcards=open&allow_no_indices=true&ignore_throttled=true&timeout=1m", "request.method":"POST", "request.id":"9yPU54kIS-GBv8Nz2B3d7g", "x_forwarded_for":"122.226.100.204"}{"type":"audit", "timestamp":"2023-11-01T17:53:10,401+0800", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"61.164.52.202:64821", "url.path":"/", "request.method":"GET", "request.id":"ljHLHc9PRa2CurO7eZmPLg"}
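集群没有正式启动,根据配置文件,整个集群至少需要2个节点活跃。
另外,上面审计日志中的 origin.address / x_forwarded_for 并不是 192.168.1.x 内网地址,说明 9200 端口可能可以从外部网络访问;建议确认这些来源是否为预期的业务客户端,并用防火墙限制可访问 9200/9300 的来源地址。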
参考:
https://www.elastic.co/guide/en/elastic-stack/8.10/upgrading-elastic-stack.html#prepare-to-upgrade
https://www.elastic.co/guide/en/elastic-stack/8.1/upgrading-elastic-stack.html