Elasticsearch Cluster Verification (4): Clustering Elasticsearch 8.x (with HTTPS)

[Elasticsearch verification series: Clustering Elasticsearch 8.x (without HTTPS)]

Introduction

Last time I built a 3-node Elasticsearch cluster without HTTPS support.
This time I will build a 3-node Elasticsearch cluster with HTTPS support from scratch.

    • node1: AlmaLinux8-1
    • node2: AlmaLinux8-2
    • node3: AlmaLinux8-3

Perform the following on node1 (as administrator)

Firewall settings

    Allow access to ports 9200 and 9300 so that the nodes can communicate with each other
# firewall-cmd --add-port={9200,9300}/tcp --zone=public --permanent
# firewall-cmd --reload
# firewall-cmd --list-port
9200/tcp 9300/tcp

Add the IP addresses of the three nodes to /etc/hosts.

172.21.192.11 node1
172.21.192.12 node2
172.21.192.13 node3

Remove Elasticsearch

To install Elasticsearch from scratch, first stop and then remove the existing Elasticsearch.

# systemctl stop elasticsearch
# dnf remove elasticsearch --enablerepo=elasticsearch -y
# rm -rf /var/lib/elasticsearch
# rm -rf /etc/elasticsearch
# rm -rf /usr/share/elasticsearch

Install Elasticsearch

    Import the GPG key of the Elasticsearch repository
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    Register the rpm repository
[elasticsearch]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
    Install the RPM package
# dnf check-update --enablerepo=elasticsearch
# dnf install elasticsearch --enablerepo=elasticsearch -y

Enable Elasticsearch as a service

# systemctl enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.

Edit the Elasticsearch configuration file.

Set the following items in /etc/elasticsearch/elasticsearch.yml and save the file.

    • Cluster name

cluster.name: mycluster

    • Nodes participating in the cluster

discovery.seed_hosts: ["node1", "node2", "node3"]

    • Make the Elasticsearch service accessible from other nodes

network.host: 0.0.0.0

    • Add the automatic index creation setting as the last line

action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*

Start Elasticsearch and reset the password of the elastic user.

    Start Elasticsearch
# systemctl start elasticsearch
    Reset the password of the elastic user
# /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i
This tool will reset the password of the [elastic] user.
You will be prompted to enter the password.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Re-enter password for [elastic]:
Password for the [elastic] user successfully reset.
    Access Elasticsearch over https and check the status
# curl -k -u elastic https://localhost:9200
Enter host password for user 'elastic':
{
  "name" : "node1",
  "cluster_name" : "mycluster",
  "cluster_uuid" : "FyfnAcg5TI-OGB6VWfUysg",
  "version" : {
    "number" : "8.3.3",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "801fed82df74dbe537f89b71b098ccaff88d2c56",
    "build_date" : "2022-07-23T19:30:09.227964828Z",
    "build_snapshot" : false,
    "lucene_version" : "9.2.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Create a token for enrolling the other nodes into the cluster, which at this point contains only node1.

# /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
eyJ2ZXI...(omitted)...cifQ==

Keep the generated enrollment token.
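What that token carries, as an added Python example (not from the original article or from Elastic): the visible prefix eyJ2ZXI is base64 for {"ver, and an 8.x enrollment token is base64-encoded JSON with the fields ver, adr, fgr (SHA-256 fingerprint of the HTTP CA certificate) and key (an API key). The token and CA bytes below are constructed, and the helper names are hypothetical.

```python
import base64
import hashlib
import json

# Constructed stand-in for the DER bytes of node1's HTTP CA certificate.
SAMPLE_CA_DER = b"constructed-ca-certificate-bytes"

def build_sample_token() -> str:
    """Build a constructed token in the ver/adr/fgr/key layout (no real secret)."""
    fields = {
        "ver": "8.3.3",
        "adr": ["172.21.192.11:9200"],
        "fgr": hashlib.sha256(SAMPLE_CA_DER).hexdigest(),
        "key": "constructed-id:constructed-secret",
    }
    return base64.b64encode(json.dumps(fields).encode()).decode()

def decode_enrollment_token(token: str) -> dict:
    """Decode the base64 JSON and insist on the four expected fields."""
    fields = json.loads(base64.b64decode(token, validate=True))
    missing = {"ver", "adr", "fgr", "key"} - fields.keys()
    if missing:
        raise ValueError(f"not an enrollment token, missing {sorted(missing)}")
    return fields

def ca_matches_token(ca_der: bytes, fields: dict) -> bool:
    """True if the SHA-256 of the presented CA certificate equals the pinned fgr."""
    return hashlib.sha256(ca_der).hexdigest() == fields["fgr"].lower()

def redact(fields: dict) -> dict:
    """Return a copy that is safe to log: the API key is replaced."""
    return {**fields, "key": "<redacted>"}

if __name__ == "__main__":
    fields = decode_enrollment_token(build_sample_token())
    print(redact(fields))
    print("CA pinned by token:", ca_matches_token(SAMPLE_CA_DER, fields))
    print("other CA accepted:", ca_matches_token(b"some-other-ca", fields))
```

Because key is a working credential and fgr is what the joining node uses to pin node1's CA, pass the token to node2 and node3 over a trusted channel and keep it out of logs. The token is valid for 30 minutes, so generate it just before enrolling.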

Perform the following on node2 (as administrator).

Firewall settings

    Allow access to ports 9200 and 9300 so that the nodes can communicate with each other
# firewall-cmd --add-port={9200,9300}/tcp --zone=public --permanent
# firewall-cmd --reload
# firewall-cmd --list-port
9200/tcp 9300/tcp

Add the IP addresses of the three nodes to /etc/hosts.

172.21.192.11 node1
172.21.192.12 node2
172.21.192.13 node3

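Remove Elasticsearch

To install Elasticsearch from scratch, first stop and remove the current Elasticsearch.

Note: a node that has already been started cannot be enrolled in the cluster. Enrollment fails with the following error.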

ERROR: Skipping security auto configuration because it appears that the node is not starting up for the first time. The node might already be part of a cluster and this auto setup utility is designed to configure Security for new clusters only.
# systemctl stop elasticsearch
# dnf remove elasticsearch --enablerepo=elasticsearch -y
# rm -rf /var/lib/elasticsearch
# rm -rf /etc/elasticsearch
# rm -rf /usr/share/elasticsearch

Install Elasticsearch

    Import the GPG key of the Elasticsearch repository
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    Register the rpm repository
[elasticsearch]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
    Install the RPM package
# dnf check-update --enablerepo=elasticsearch
# dnf install elasticsearch --enablerepo=elasticsearch -y

Enable Elasticsearch as a service

# systemctl enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.

Enroll node2 into the cluster using the enrollment token created on node1.

# /usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token eyJ2ZXI...(omitted)...cifQ==

This node will be reconfigured to join an existing cluster, using the enrollment token that you provided.
This operation will overwrite the existing configuration. Specifically:
  - Security auto configuration will be removed from elasticsearch.yml
  - The [certs] config directory will be removed
  - Security auto configuration related secure settings will be removed from the elasticsearch.keystore
Do you want to continue with the reconfiguration process [y/N]y

Edit the Elasticsearch configuration file.

Set the following items in /etc/elasticsearch/elasticsearch.yml and save the file.

    • Cluster name

cluster.name: mycluster

    • Make the Elasticsearch service accessible from other nodes

network.host: 0.0.0.0

    • Add the automatic index creation setting as the last line

action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*

Start Elasticsearch

# systemctl start elasticsearch
    Access Elasticsearch over https and check the status
# curl -k -u elastic https://localhost:9200
Enter host password for user 'elastic':
{
  "name" : "node2",
  "cluster_name" : "mycluster",
  "cluster_uuid" : "FyfnAcg5TI-OGB6VWfUysg",
  "version" : {
    "number" : "8.3.3",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "801fed82df74dbe537f89b71b098ccaff88d2c56",
    "build_date" : "2022-07-23T19:30:09.227964828Z",
    "build_snapshot" : false,
    "lucene_version" : "9.2.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

On node3, perform the same steps as on node2 (as administrator).

(omitted)

On any one of the nodes, check the status of the cluster.


# curl -k -u elastic https://localhost:9200/_cat/nodes?v
Enter host password for user 'elastic':
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
172.21.192.12           19          95   0    0.15    0.09     0.07 cdfhilmrstw -      node2
172.21.192.13           40          95   1    0.37    0.19     0.07 cdfhilmrstw -      node3
172.21.192.11           44          91   1    0.00    0.00     0.00 cdfhilmrstw *      node1

The cluster contains three nodes, and node1 has become the master node.
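The same check with certificate verification left on, as an added Python example (not from the original article): curl -k skips TLS verification, so fetch_cat_nodes verifies the server against the CA file that the 8.x security auto-configuration writes, and check_cluster asserts the membership and single master seen above. The CA path, the expected node set and the helper names are assumptions for a default RPM install of this three-node setup.

```python
import base64
import ssl
import urllib.request

# Assumption: CA file written by the 8.x security auto-configuration (RPM layout).
CA_FILE = "/etc/elasticsearch/certs/http_ca.crt"
EXPECTED_NODES = {"node1", "node2", "node3"}

# The _cat/nodes?v output shown above, embedded so the checks run offline.
SAMPLE = """\
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
172.21.192.12           19          95   0    0.15    0.09     0.07 cdfhilmrstw -      node2
172.21.192.13           40          95   1    0.37    0.19     0.07 cdfhilmrstw -      node3
172.21.192.11           44          91   1    0.00    0.00     0.00 cdfhilmrstw *      node1
"""

def fetch_cat_nodes(password: str, host: str = "localhost") -> str:
    """GET _cat/nodes?v over TLS, verifying the server against CA_FILE."""
    ctx = ssl.create_default_context(cafile=CA_FILE)  # chain + hostname checks on
    req = urllib.request.Request(f"https://{host}:9200/_cat/nodes?v")
    cred = base64.b64encode(f"elastic:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()

def parse_cat_nodes(text: str) -> list:
    """Turn the whitespace-aligned table into one dict per node."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]

def check_cluster(text: str, expected=EXPECTED_NODES) -> list:
    """Return a list of problems; an empty list means the cluster looks as intended."""
    rows = parse_cat_nodes(text)
    names = {row["name"] for row in rows}
    masters = [row["name"] for row in rows if row["master"] == "*"]
    problems = []
    if names != expected:
        problems.append(f"unexpected membership: {sorted(names)}")
    if len(masters) != 1:
        problems.append(f"expected one elected master, found {masters}")
    return problems

if __name__ == "__main__":
    print(check_cluster(SAMPLE) or "3 nodes, 1 master")
```

With curl, the equivalent is to pass --cacert /etc/elasticsearch/certs/http_ca.crt in place of -k.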

Conclusion

I have built a 3-node Elasticsearch cluster with HTTPS support. Stay tuned for the next article.

[Next] Elasticsearch Cluster Verification (5): Basics of Elasticsearch system configuration