Installing OpenSearch on CentOS
- Download and install OpenSearch
  - Download the OpenSearch RPM package
  - Import the public GNU Privacy Guard (GPG) key. This key verifies that your OpenSearch instance is signed
  - Install the RPM package
  - Enable OpenSearch to start at boot after installation
  - Start OpenSearch
  - Verify that OpenSearch started correctly
- Test OpenSearch
  - Send requests to the server to verify that OpenSearch is running
    - Send a request to port 9200
    - Query the plugins endpoint
- Make OpenSearch reachable remotely
  - Bind OpenSearch to an IP address or network interface on the host
    - Open opensearch.yml
    - Add the following lines
    - Save the changes and close the file
  - Set the initial and maximum JVM heap size
  - Configure TLS
    - Navigate to the directory where the certificates will be stored
    - Remove the demo certificates
    - Generate a root certificate, which will be used to sign the other certificates
    - Create the admin certificate, which is used to obtain elevated permissions for administrative tasks related to the Security plugin
    - Create a certificate for the node being configured
    - Remove temporary files that are no longer needed
    - Make sure the remaining certificates are owned by the opensearch user
    - Add these certificates to opensearch.yml as described in Generate certificates; using a script is the recommended way to do this
      - Create a new shell script file append-setting.sh
      - Run append-setting.sh
    - Add trust for the self-signed root certificate (optional)
  - Configure users
    - Navigate to the Security plugin tools directory
    - Run hash.sh to generate a new password
    - Open internal_users.yml
    - Remove all demo users except admin and replace the hash with the output that hash.sh produced in the previous step.
  - Apply the changes
    - OpenSearch must be running for securityadmin.sh to apply the changes; if you changed opensearch.yml, restart OpenSearch
    - Open a separate terminal session to the host and navigate to the directory containing securityadmin.sh
    - Invoke the securityadmin.sh script
    - Verify that the service is running
- Summary
Download and install OpenSearch
Download the OpenSearch RPM package
x64 systems
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-x64.rpm
ARM64 systems
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-arm64.rpm
Import the public GNU Privacy Guard (GPG) key. This key verifies that your OpenSearch instance is signed
sudo rpm --import https://artifacts.opensearch.org/publickeys/opensearch.pgp
Install the RPM package
## Install the x64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-2.16.0-linux-x64.rpm
## Install the arm64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-2.16.0-linux-arm64.rpm
Enable OpenSearch to start at boot after installation
sudo systemctl enable opensearch
Start OpenSearch
sudo systemctl start opensearch
Verify that OpenSearch started correctly
sudo systemctl status opensearch
Test OpenSearch
Send requests to the server to verify that OpenSearch is running
Send a request to port 9200
curl -X GET https://localhost:9200 -u 'admin:<custom-admin-password>' --insecure
Response:
{
  "name":"hostname",
  "cluster_name":"opensearch",
  "cluster_uuid":"QqgpHCbnSRKcPAizqjvoOw",
  "version":{
    "distribution":"opensearch",
    "number":<version>,
    "build_type":<build-type>,
    "build_hash":<build-hash>,
    "build_date":<build-date>,
    "build_snapshot":false,
    "lucene_version":<lucene-version>,
    "minimum_wire_compatibility_version":"7.10.0",
    "minimum_index_compatibility_version":"7.0.0"
  },
  "tagline":"The OpenSearch Project: https://opensearch.org/"
}
Query the plugins endpoint
curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:<custom-admin-password>' --insecure
Response:
name component version
hostname opensearch-alerting 2.15.0
hostname opensearch-anomaly-detection 2.15.0
hostname opensearch-asynchronous-search 2.15.0
hostname opensearch-cross-cluster-replication 2.15.0
hostname opensearch-geospatial 2.15.0
hostname opensearch-index-management 2.15.0
hostname opensearch-job-scheduler 2.15.0
hostname opensearch-knn 2.15.0
hostname opensearch-ml 2.15.0
hostname opensearch-neural-search 2.15.0
hostname opensearch-notifications 2.15.0
hostname opensearch-notifications-core 2.15.0
hostname opensearch-observability 2.15.0
hostname opensearch-performance-analyzer 2.15.0
hostname opensearch-reports-scheduler 2.15.0
hostname opensearch-security 2.15.0
hostname opensearch-security-analytics 2.15.0
hostname opensearch-sql 2.15.0
Make OpenSearch reachable remotely
By default, OpenSearch is not bound to a network interface and cannot be reached by external hosts. In addition, the security settings are populated with a default username and password. The following recommendations let you bind OpenSearch to a network interface, create and sign TLS certificates, and configure basic authentication.
Bind OpenSearch to an IP address or network interface on the host
Open opensearch.yml
sudo vi /etc/opensearch/opensearch.yml
Add the following lines
# Bind OpenSearch to the correct network interface. Use 0.0.0.0
# to include all available interfaces or specify an IP address
# assigned to a specific interface.
network.host: 0.0.0.0
# Unless you have already configured a cluster, you should set
# discovery.type to single-node, or the bootstrap checks will
# fail when you try to start the service.
discovery.type: single-node
# If you previously disabled the Security plugin in opensearch.yml,
# be sure to re-enable it. Otherwise you can skip this setting.
plugins.security.disabled: false
Save the changes and close the file
:wq
Set the initial and maximum JVM heap size
sudo vi /etc/opensearch/jvm.options
Modify the initial heap size and maximum heap size values. As a starting point, set them to half of the available system memory. On a dedicated host, you can raise this value to suit your workload requirements.
For example, if the host has 8 GB of memory, you might set both the initial and maximum heap size to 4 GB:
-Xms4g
-Xmx4g
Configure TLS
Navigate to the directory where the certificates will be stored
cd /etc/opensearch
Remove the demo certificates
sudo rm -f *pem
Generate a root certificate, which will be used to sign the other certificates
# Create a private key for the root certificate
sudo openssl genrsa -out root-ca-key.pem 2048
# Use the private key to create a self-signed root certificate. Be sure to
# replace the arguments passed to -subj so they reflect your specific host.
sudo openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730
Create the admin certificate, which is used to obtain elevated permissions for administrative tasks related to the Security plugin
# Create a private key for the admin certificate.
sudo openssl genrsa -out admin-key-temp.pem 2048
# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
# Create the certificate signing request (CSR). A common name (CN) of "A" is acceptable because this certificate is
# used for authenticating elevated access and is not tied to a host.
sudo openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr
# Sign the admin certificate with the root certificate and private key you created earlier.
sudo openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
Create a certificate for the node being configured
# Create a private key for the node certificate.
sudo openssl genrsa -out node1-key-temp.pem 2048
# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem
# Create the CSR and replace the arguments passed to -subj so they reflect your specific host.
# The CN should match a DNS A record for the host; do not use the hostname.
sudo openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record" -out node1.csr
# Create an extension file that defines a SAN DNS name for the host. This
# should match the DNS A record of the host.
sudo sh -c 'echo subjectAltName=DNS:node1.dns.a-record > node1.ext'
# Sign the node certificate with the root certificate and private key that you created earlier.
sudo openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext
Remove temporary files that are no longer needed
sudo rm -f *temp.pem *csr *ext
Make sure the remaining certificates are owned by the opensearch user
sudo chown opensearch:opensearch admin-key.pem admin.pem node1-key.pem node1.pem root-ca-key.pem root-ca.pem root-ca.srl
Add these certificates to opensearch.yml as described in Generate certificates; using a script is the recommended way to do this
Create a new shell script file append-setting.sh
vi append-setting.sh
#! /bin/bash
# Before running this script, make sure to replace the CN in the
# node's distinguished name with a real DNS A record.
echo "plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node1.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node1-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.enabled: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node1.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node1-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.allow_default_init_securityindex: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.authcz.admin_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo " - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.nodes_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo " - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.audit.type: internal_opensearch" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.enable_snapshot_restore_privilege: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.check_snapshot_restore_write_privileges: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.restapi.roles_enabled: [\"all_access\", \"security_rest_api_access\"]" | sudo tee -a /etc/opensearch/opensearch.yml
Run append-setting.sh
sh append-setting.sh
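The DN strings that append-setting.sh writes into nodes_dn and admin_dn must match the certificate subjects character for character, and the openssl -subj form lists the RDNs in the opposite order, so retyping them is a common source of "node not in nodes_dn" failures. The following helper is added here (it is not part of the original post or of OpenSearch): it derives both DNs from the same placeholder -subj values used above and checks that the SAN written to node1.ext names the same DNS name as the node certificate's CN.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSearch itself.
# All names (node1.dns.a-record, the -subj values) are the page's placeholders.

# openssl -subj lists RDNs root-first ("/C=CA/.../CN=x"); the Security plugin
# expects the reverse, comma-separated form ("CN=x,...,C=CA").
subj_to_dn() {
    printf '%s\n' "$1" | awk -F/ '{
        s = ""
        for (i = NF; i >= 2; i--) s = s (s == "" ? "" : ",") $i
        print s
    }'
}

# Extract the CN value from an openssl -subj string.
subj_cn() {
    printf '%s\n' "$1" | sed -n 's#.*/CN=\([^/]*\).*#\1#p'
}

# Succeeds only when the SAN line written to node1.ext names the same DNS
# name as the node certificate's CN (both must match the host's A record).
san_matches_cn() {
    san="${1#subjectAltName=DNS:}"
    [ "$san" = "$(subj_cn "$2")" ]
}

# Render the two DN-dependent settings that append-setting.sh hardcodes,
# taking the node -subj as $1 and the admin -subj as $2.
render_dn_settings() {
    printf "plugins.security.authcz.admin_dn:\n  - '%s'\n" "$(subj_to_dn "$2")"
    printf "plugins.security.nodes_dn:\n  - '%s'\n" "$(subj_to_dn "$1")"
}

NODE_SUBJ="/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record"
ADMIN_SUBJ="/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A"
EXT_LINE="subjectAltName=DNS:node1.dns.a-record"

if san_matches_cn "$EXT_LINE" "$NODE_SUBJ"; then
    render_dn_settings "$NODE_SUBJ" "$ADMIN_SUBJ"
else
    echo "node SAN does not match the certificate CN; fix node1.ext" >&2
fi
```

Pipe the rendered lines through `sudo tee -a /etc/opensearch/opensearch.yml` in place of the two hardcoded DN entries in append-setting.sh.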
Add trust for the self-signed root certificate (optional)
# Copy the root certificate to the correct directory
sudo cp /etc/opensearch/root-ca.pem /etc/pki/ca-trust/source/anchors/
# Add trust
sudo update-ca-trust
Configure users
Navigate to the Security plugin tools directory
cd /usr/share/opensearch/plugins/opensearch-security/tools
Run hash.sh to generate a new password
The hash.sh script fails if the path to a JDK is not defined.
# Example output if a JDK isn't found...
$ ./hash.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
which: no java in (/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/user/.local/bin:/home/user/bin)
WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use
./hash.sh: line 35: java: command not found
Declare the environment variable when invoking the script to avoid the problem
OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./hash.sh
Enter the desired password at the prompt and note the output hash.
Open internal_users.yml
sudo vi /etc/opensearch/opensearch-security/internal_users.yml
Remove all demo users except admin and replace the hash with the output that hash.sh produced in the previous step.
The file should look similar to the following example:
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
  type: "internalusers"
  config_version: 2
# Define your internal users here
admin:
  hash: "$2y$1EXAMPLEQqwS8TUcoEXAMPLEeZ3lEHvkEXAMPLERqjyh1icEXAMPLE."
  reserved: true
  backend_roles:
  - "admin"
  description: "Admin user"
Apply the changes
Now that the TLS certificates are installed and the demo users have been removed or given new passwords, the last step is to apply the configuration changes. This final step requires invoking securityadmin.sh while OpenSearch is running on the host.
OpenSearch must be running for securityadmin.sh to apply the changes. If you changed opensearch.yml, restart OpenSearch first
sudo systemctl restart opensearch
Open a separate terminal session to the host and navigate to the directory containing securityadmin.sh
# Change to the correct directory
cd /usr/share/opensearch/plugins/opensearch-security/tools
Invoke the securityadmin.sh script
# You can omit the environment variable if you declared this in your $PATH.
OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv
Verify that the service is running
$ curl https://your.host.address:9200 -u admin:yournewpassword -k
{
  "name" : "hostname-here",
  "cluster_name" : "opensearch",
  "cluster_uuid" : "efC0ANNMQlGQ5TbhNflVPg",
  "version" : {
    "distribution" : "opensearch",
    "number" : <version>,
    "build_type" : <build-type>,
    "build_hash" : <build-hash>,
    "build_date" : <build-date>,
    "build_snapshot" : false,
    "lucene_version" : <lucene-version>,
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Summary
OpenSearch is now installed and configured to accept remote connections.
To install OpenSearch on Ubuntu, see Installing OpenSearch on Ubuntu.