Elasticsearch cluster setup + Kibana configuration
- 1. Elasticsearch cluster setup
- 1.1 Download and unpack Elasticsearch
- 1.2 Build the ES cluster
- 1.2.1 Open firewall ports 9200 and 9300
- 1.2.2 Set the certificate passwords on every node
- 1.2.3 Configure the Elasticsearch login passwords
- 1.2.4 Configure TLS/SSL encryption for the HTTP layer
- 1.3 Install Kibana
1. Elasticsearch cluster setup
1.1 Download and unpack Elasticsearch
Choose a suitable Elasticsearch version to download; here we use Elasticsearch 7.10.2. Download link: Elasticsearch download page
1.2 Build the ES cluster
vi elasticsearch/config/elasticsearch.yml
Configure it as follows; security authentication is enabled here:
cluster.name: arkham-cluster
node.name: node-192.168.3.252
cluster.initial_master_nodes: node-192.168.3.252
network.host: 192.168.3.252
http.port: 9200
path.data: /home/arkham/elk/elasticsearch/data
path.logs: /home/arkham/elk/elasticsearch/logs
discovery.zen.ping.unicast.hosts: ["192.168.3.252:9300", "192.168.3.253:9300", "192.168.3.3:9300"]
discovery.zen.minimum_master_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
bootstrap.system_call_filter: false
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
1.2.1 Open firewall ports 9200 and 9300
sudo firewall-cmd --zone=public --add-port=9200/tcp --permanent   # 9200: change to the port your deployment actually uses
sudo firewall-cmd --zone=public --add-port=9300/tcp --permanent   # 9300: change to the port your deployment actually uses
sudo firewall-cmd --reload   # reload the firewall rules
Starting the node at this point fails with the following error:
Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
TLS/SSL encryption must therefore be configured for the transport layer; the transport protocol is what Elasticsearch nodes use to talk to each other.
The bin directory of the unpacked Elasticsearch already contains a program named elasticsearch-certutil, which can be used directly to generate self-signed certificates for encrypting communication inside the Elasticsearch cluster. The steps are as follows:
./bin/elasticsearch-certutil ca
Press Enter (to accept the default output file name), then enter a password
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns 192.168.3.252,192.168.3.12 --ip 192.168.3.252,192.168.3.12
Enter the password you chose above
When creating the ES certificate you must pass both --dns and --ip, otherwise inter-node communication will fail later.
Two files are produced: elastic-stack-ca.p12 and elastic-certificates.p12. Create a certs directory under config, copy both files into it, and update elasticsearch.yml:
cluster.name: arkham-cluster
node.name: node-192.168.3.252
cluster.initial_master_nodes: node-192.168.3.252
network.host: 192.168.3.252
http.port: 9200
path.data: /home/arkham/elk/elasticsearch/data
path.logs: /home/arkham/elk/elasticsearch/logs
discovery.zen.ping.unicast.hosts: ["192.168.3.252:9300", "192.168.3.253:9300", "192.168.3.3:9300"]
discovery.zen.minimum_master_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
bootstrap.system_call_filter: false
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
Copy the whole configured Elasticsearch directory to the other two machines and change node.name and network.host to each machine's own IP address.
Copy elastic-stack-ca.p12 to es2 and es3 and, on each of them in turn, regenerate elastic-certificates.p12 with that node's own --dns and --ip values.
1.2.2 Set the certificate passwords on every node
# password of the keystore referenced by xpack.security.transport.ssl.keystore.path
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
# password of the truststore referenced by xpack.security.transport.ssl.truststore.path
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
1.2.3 Configure the Elasticsearch login passwords
bin/elasticsearch-setup-passwords interactive
# to have the passwords generated automatically, use this command instead
bin/elasticsearch-setup-passwords auto
Once this is done, accessing Elasticsearch requires logging in.
1.2.4 Configure TLS/SSL encryption for the HTTP layer
We keep using PKCS#12 certificates. For HTTP-layer communication an Elasticsearch node acts only as a server, so a plain server certificate is enough: the TLS/SSL certificate does not need client authentication enabled. The certificate used to encrypt HTTP traffic may differ from the transport certificate. Run elasticsearch-certutil as above to generate two files, which we rename here to http-client.p12 and http.p12, and add the following to elasticsearch.yml:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.http.ssl.truststore.path: certs/http.p12
Set the certificate passwords:
# password of the keystore referenced by xpack.security.http.ssl.keystore.path
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
# password of the truststore referenced by xpack.security.http.ssl.truststore.path
bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
You can now connect to Elasticsearch with the elasticsearch-head extension for Chrome (see the extension's own instructions for installing it).
1.3 Install Kibana
Elasticsearch already uses a self-signed CA, so we must also use the earlier elastic-stack-ca.p12 CA to sign the HTTP client certificate, that is, the http.p12 file, which contains everything needed for PKI authentication against our Elasticsearch cluster. Here we need to split it into its private key, public certificate and CA certificate:
# Private key
openssl pkcs12 -in http.p12 -nocerts -nodes > client.key
# Public certificate
openssl pkcs12 -in http.p12 -clcerts -nokeys > client.cer
# CA certificate that signed the public certificate
openssl pkcs12 -in http.p12 -cacerts -nokeys -chain > client-ca.cer
Create a config/certs directory under the Kibana root, copy the client certificate files generated above into it, and configure kibana.yml:
server.port: 5601
elasticsearch.username: "kibana_system"
elasticsearch.password: ""
kibana.index: ".kibana"
elasticsearch.ssl.certificate: config/certs/client.cer
elasticsearch.ssl.key: config/certs/client.key
elasticsearch.ssl.certificateAuthorities: [ "config/certs/client-ca.cer" ]
elasticsearch.ssl.verificationMode: certificate
xpack.security.enabled: true
server.ssl.enabled: true
server.ssl.certificate: config/certs/client
xpack.security.encryptionKey: "something_at_least_32_characters"
xpack.reporting.encryptionKey: "a_random_string"
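As an added example (not part of the original post), a small Python pre-flight check for the two configuration files above: it reproduces the startup condition from section 1.2 (security on without transport SSL), checks that network.host is among the --dns/--ip names passed to elasticsearch-certutil, flags the wide-open CORS origin, and checks the Kibana password and encryption-key lengths. The flat-YAML parser, the check functions and the trimmed sample configs are all constructed here.

```python
"""Constructed pre-flight lint for flat 'key: value' elasticsearch.yml / kibana.yml files (no PyYAML)."""

def parse_flat_yaml(text):
    """Top-level 'key: value' lines -> dict; '[a, b]' values become lists."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            value = value.strip("\"'")
        settings[key] = value
    return settings

def check_elasticsearch(settings, cert_sans):   # cert_sans: names given to certutil --dns/--ip
    findings = []
    if settings.get("xpack.security.enabled") == "true":
        if settings.get("xpack.security.transport.ssl.enabled") != "true":   # the error from section 1.2
            findings.append("transport SSL off: node refuses to start with security on a basic license")
    host = settings.get("network.host")
    if host and host not in cert_sans:   # otherwise nodes reject each other's certificates
        findings.append(f"network.host {host} absent from certificate --dns/--ip")
    if settings.get("http.cors.allow-origin") == "*":
        findings.append("http.cors.allow-origin '*' lets any web page query the cluster")
    return findings

def check_kibana(settings):
    findings = []
    if not settings.get("elasticsearch.password"):   # must hold the kibana_system password
        findings.append("elasticsearch.password empty: paste the kibana_system password")
    for key in ("xpack.security.encryptionKey", "xpack.reporting.encryptionKey"):
        if len(settings.get(key, "")) < 32:   # Kibana requires at least 32 characters
            findings.append(f"{key} shorter than 32 characters")
    if settings.get("server.ssl.enabled") == "true" and "server.ssl.key" not in settings:
        findings.append("server.ssl.enabled without server.ssl.key")
    return findings

# Constructed samples: the first elasticsearch.yml and the kibana.yml above, trimmed to the keys checked.
ES_YML = """network.host: 192.168.3.252
http.cors.allow-origin: "*"
xpack.security.enabled: true
"""
KIBANA_YML = """elasticsearch.password: ""
server.ssl.enabled: true
xpack.security.encryptionKey: "something_at_least_32_characters"
xpack.reporting.encryptionKey: "a_random_string"
"""
```

Run `check_elasticsearch(parse_flat_yaml(ES_YML), ["192.168.3.252", "192.168.3.12"])` and `check_kibana(parse_flat_yaml(KIBANA_YML))` against your own files before starting the services.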
If these encryption keys are not configured, Kibana reports an error at startup.
Remember to open port 5601 in the firewall:
sudo firewall-cmd --zone=public --add-port=5601/tcp --permanent   # 5601: change to the port your deployment actually uses
sudo firewall-cmd --reload   # reload the firewall rules
You can now open https://192.168.3.252:5601/ to view the node status.