es8.8 集群安装笔记

- 配置集群
- - 第一步修改配置文件

本次安装使用centos8
3节点安装：
192.168.182.142
192.168.182.143
192.168.182.144

官网可以查看详细的安装，安装步骤比较简单
https://www.elastic.co/guide/en/elasticsearch/reference/8.8/rpm.html#rpm-repo

直接安装，需要配置仓库
 cd  /etc/yum.repos.d/
 vielasticsearch.repo

[elasticsearch]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md

sudo yum install --enablerepo=elasticsearch elasticsearch  -y

开机启动
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
启动/停止
sudo systemctl start elasticsearch.service
sudo systemctl stop elasticsearch.service
查看状态
sudo systemctl status elasticsearch.service

journalctl --unit elasticsearch

修改系统最大文件句柄数（修改后需要重启系统才能生效）
# vi /etc/security/limits.conf
*       soft    nproc   65535
*       hard    nproc   65535
*       soft    nofile  65535
*       hard    nofile  65535

reboot

修改最大虚拟内存
 vi /etc/sysctl.conf
vm.max_map_count=655360

访问需要用https https://127.0.0.1:9200/
默认用户 elastic
密码就是安装的时候打印到屏幕上的密码

配置集群

8.8 使用创建token 这一招，没有奏效，于是乎在官网各种爬。

第一步修改配置文件

node1

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: es
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 192.168.182.143
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["192.168.182.142", "192.168.182.143","192.168.182.144"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["node1", "node2", "node3"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically      
# generated to configure Elasticsearch security features on 01-07-2023 14:38:29
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.autoconfiguration.enabled : true
xpack.security.enabled: true


xpack.security.enrollment.enabled: true
xpack.security.transport.ssl.verification_mode: none

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
#cluster.initial_master_nodes: ["localhost.localdomain"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
transport.host: 0.0.0.0
transport.port: 9300

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
node.roles: [master,data]

主要修改点：
····
cluster.name: es
node.name: node1
network.host: 192.168.182.143
添加如下两个节点启动之后不会自动创建集群
discovery.seed_hosts: [“192.168.182.142”, “192.168.182.143”,“192.168.182.144”]
cluster.initial_master_nodes: [“node1”, “node2”, “node3”]
transport.host: 0.0.0.0
transport.port: 9300
node.roles: [master,data]

····

配置文件修改完成之后，启动节点。报错如下：

[2023-07-08T00:24:27,553][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node2] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=/192.168.182.143:9300, remoteAddress=/192.168.182.144:36500, profile=default}
[2023-07-08T00:24:28,420][WARN ][o.e.d.PeerFinder         ] [node2] address [192.168.182.142:9300], node [null], requesting [false] discovery result: [][192.168.182.142:9300] connect_exception: Failed execution:

原因是因为没有配置通信证书。

找到一篇安全配置的文章
es安全配置

生成证书：
生成集群节点证书：

生成ca证书
./bin/elasticsearch-certutil ca
使用ca证书生成集群通信证书
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

把证书复制到其他节点/etc/elasticsearch/certs 目录中

把证书密钥添加至本地密钥库

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password


./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

节点更新完成之后重启各个节点，查看节点状态，集群创建成功。
在这里插入图片描述
状态查询
curl -XGET"http://localhost:9200/_cluster/health?pretty=true"
查询Elasticsearch运行状态
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
查询集群节点信息
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/_cluster/health?pretty=true

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/_cat/nodes

142 qvKpUo1_T1yqgkpn_KMk

生成token
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node

/usr/share/elasticsearch/bin/elasticsearch-certutil cert

/usr/share/elasticsearch/bin/elasticsearch --enrollment-token eyJ2ZXIiOiI4LjguMiIsImFkciI6WyIxOTIuMTY4LjE4Mi4xNDI6OTIwMCJdLCJmZ3IiOiIxNDdjOWE5NGMwZDUwNTk2NWMwYWE0MmEyNDg3YzVkMjUyMWYzNjc5Y2QxZmMxOTBmYTg5ZDUxOTJlOTM1NjE4Iiwia2V5IjoibTkzMUZJa0JtRy1SVjJfNjZfYzk6M0hZN0Mxam5Uak9LWEVJQTJpN3BjUSJ9

常见问题汇总：

1.ERROR: Skipping security auto configuration because it appears that the node is not starting up for the first time. The node might already be part of a cluster and this auto setup utility is designed to configure Security for new clusters only

这个是因为安装好之后启动过一次，之后注册节点没成功。

2.Skipping security auto configuration because this node is configured to bootstrap or to join a multi-node cluster, which is not supported

不能删除安全项配置，

xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

ERROR: Skipping security auto configuration because it appears that security is already configured

安装好之后配置了集群但是注册失败，具体原因还得继续排除
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

这种问题是开启了安全模式，各个节点没有配置证书的原因导致