节点规划
端口要求:9200 为外部访问端口,9300 为节点间通信端口
主机名解析
es集群部署到master节点 etcd也是部署到了3个master节点
172.31.7.101 master01 k8s-master1.magedu.net es-node1 kibna01
172.31.7.102 master02 k8s-master2.magedu.net es-node2
172.31.7.103 master03 k8s-master3.magedu.net es-node3
部署文件准备好 上传到/apps中
内核参数优化:
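# Persist the mmap-count limit; the exact-line check avoids appending a duplicate on re-runs.
grep -qxF 'vm.max_map_count=262144' /etc/sysctl.conf || echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
# Load the value into the running kernel now; appending to the file alone changes nothing until reboot.
sysctl -p
# Show the persisted entry.
grep max_map_count /etc/sysctl.conf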
## vm.max_map_count=262144
资源limit优化
vim /etc/security/limits.conf
root soft core unlimited
root hard core unlimited
root soft nproc 1000000
root hard nproc 1000000
root soft nofile 1000000
root hard nofile 1000000
root soft memlock 32000
root hard memlock 32000
root soft msgqueue 8192000
root hard msgqueue 8192000
* soft core unlimited
* hard core unlimited
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
* soft memlock 32000
创建普通用户运行环境
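## Create a dedicated group and system account with a fixed GID/UID of 2888
groupadd -g 2888 elasticsearch
useradd -u 2888 -g 2888 -r -m -s /bin/bash elasticsearch
## Set the account password (interactive prompt, so it never appears on the command line)
passwd elasticsearch
## Create the data, log and install directories
mkdir -pv /data/esdata /data/eslogs /apps
# Use the user:group separator; the older user.group form is deprecated and
# ambiguous when an account name itself contains a dot.
chown -R elasticsearch:elasticsearch /data /apps/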
部署elasticsearch集群
cd /apps/elkinstall;
tar xvf elasticsearch-8.5.1-linux-x86_64.tar.gz
ln -sv /apps/elasticsearch-8.5.1 /apps/elasticsearch
# reboot
xpack认证签发环境
su - elasticsearch
cd /apps/elasticsearch
自定义 /apps/elasticsearch/instances.yml
vim /apps/elasticsearch/instances.yml
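# Input for `elasticsearch-certutil cert --in`: one entry per node, giving the
# certificate name and the IP address recorded in that node's certificate.
# The nesting matters: each `ip` list belongs to the `name` entry above it.
instances:
  - name: "k8s-master1.magedu.net"
    ip:
      - "172.31.7.101"
  - name: "k8s-master2.magedu.net"
    ip:
      - "172.31.7.102"
  - name: "k8s-master3.magedu.net"
    ip:
      - "172.31.7.103"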
生成CA私钥,默认名字为elastic-stack-ca.p12(PKCS#12 文件,内含 CA 证书和私钥)
cd /apps/elasticsearch; bin/elasticsearch-certutil ca
生成CA公钥,默认名称为elastic-certificates.p12(由上一步的 CA 签发的证书文件)
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
签发elasticsearch集群主机证书
bin/elasticsearch-certutil cert --silent --in instances.yml --out certs.zip --pass rootroot --ca elastic-stack-ca.p12
# 指定证书密码为 rootroot(示例弱口令;写在命令行中的密码会留在 shell 历史和进程列表里,实际环境请换用强密码)
# CA私钥如果没有密码就直接按回车确认
证书分发:在本机(master01节点)把证书分发到另外两个节点(master02、master03)
三台节点都创建目录
su elasticsearch;
mkdir /apps/elasticsearch/config/certs -p
master01节点操作
cd /apps/elasticsearch;
unzip certs.zip
cp -rp k8s-master1.magedu.net /apps/elasticsearch/config/certs/
## master02节点的证书
scp -r /apps/elasticsearch/k8s-master2.magedu.net elasticsearch@k8s-master2.magedu.net:/apps/elasticsearch/config/certs/
## master03节点的证书
scp -r /apps/elasticsearch/k8s-master3.magedu.net elasticsearch@k8s-master3.magedu.net:/apps/elasticsearch/config/certs/
node2证书:
elasticsearch@es2:/apps/elasticsearch$ mkdir config/certs
elasticsearch@es1:/apps/elasticsearch$ scp -rp es2.example.com
172.31.2.102:/apps/elasticsearch/config/certs/
node3证书:
elasticsearch@es3:/apps/elasticsearch$ mkdir config/certs
elasticsearch@es1:/apps/elasticsearch$ scp -rp es3.example.com
172.31.2.103:/apps/elasticsearch/config/certs/
master01节点操作:生成 keystore 文件(keystore 是保存证书密码 rootroot 的认证文件)。注意:keystore 是各节点本地的文件,master02、master03 节点上的 Elasticsearch 同样需要这两项密码才能打开各自的 .p12 证书。
# 创建keystore⽂件
cd /apps/elasticsearch; ./bin/elasticsearch-keystore create
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
cp /apps/elasticsearch/config/certs/k8s-master1.magedu.net/k8s-master1.magedu.net.p12 /apps/elasticsearch/config/certs/
scp -rp k8s-master2.magedu.net/k8s-master2.magedu.net.p12 k8s-master2.magedu.net:/apps/elasticsearch/config/certs/
scp -rp k8s-master3.magedu.net/k8s-master3.magedu.net.p12 k8s-master3.magedu.net:/apps/elasticsearch/config/certs/
编辑配置文件
master01节点 vim /apps/elasticsearch/config/elasticsearch.yml
# elasticsearch.yml for master01: security enabled, TLS on the transport layer,
# with this node's own PKCS#12 file used as both keystore and truststore.
cluster.name: magedu-es-cluster
node.name: master01
path.data: /data/esdata
path.logs: /data/eslogs
# Binds to every interface, so HTTP (9200 below) and the transport port are
# reachable on all of the host's networks unless a firewall restricts them.
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["master01", "master02", "master03"]
cluster.initial_master_nodes: ["master01", "master02", "master03"]
# Destructive requests must name the index explicitly (no wildcard deletes).
action.destructive_requires_name: true
xpack.security.enabled: true
# NOTE(review): only the transport layer gets TLS here; no
# xpack.security.http.ssl.* setting appears in this file, so port 9200 stays
# plain HTTP and Basic-auth credentials cross the network unencrypted.
# Confirm that is intended.
xpack.security.transport.ssl.enabled: true
# The password for this .p12 is read from the Elasticsearch keystore entries
# xpack.security.transport.ssl.keystore.secure_password and
# xpack.security.transport.ssl.truststore.secure_password.
xpack.security.transport.ssl.keystore.path: /apps/elasticsearch/config/certs/k8s-master1.magedu.net.p12
xpack.security.transport.ssl.truststore.path: /apps/elasticsearch/config/certs/k8s-master1.magedu.net.p12
master02节点 vim /apps/elasticsearch/config/elasticsearch.yml
# elasticsearch.yml for master02: same layout as the other nodes, differing in
# node.name and in the per-node PKCS#12 path.
cluster.name: magedu-es-cluster
node.name: master02
path.data: /data/esdata
path.logs: /data/eslogs
# Binds to every interface; restrict with a firewall where the host has
# networks that should not reach Elasticsearch.
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["master01", "master02", "master03"]
cluster.initial_master_nodes: ["master01", "master02", "master03"]
action.destructive_requires_name: true
xpack.security.enabled: true
# NOTE(review): TLS covers the transport layer only; HTTP on 9200 is not
# configured for TLS in this file. Confirm that is intended.
xpack.security.transport.ssl.enabled: true
# This node needs the .p12 password in its own Elasticsearch keystore
# (the two ...secure_password entries) to open the file below.
xpack.security.transport.ssl.keystore.path: /apps/elasticsearch/config/certs/k8s-master2.magedu.net.p12
xpack.security.transport.ssl.truststore.path: /apps/elasticsearch/config/certs/k8s-master2.magedu.net.p12
master03节点 vim /apps/elasticsearch/config/elasticsearch.yml
# elasticsearch.yml for master03: same layout as the other nodes, differing in
# node.name and in the per-node PKCS#12 path.
cluster.name: magedu-es-cluster
node.name: master03
path.data: /data/esdata
path.logs: /data/eslogs
# Binds to every interface; restrict with a firewall where the host has
# networks that should not reach Elasticsearch.
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["master01", "master02", "master03"]
cluster.initial_master_nodes: ["master01", "master02", "master03"]
action.destructive_requires_name: true
xpack.security.enabled: true
# NOTE(review): TLS covers the transport layer only; HTTP on 9200 is not
# configured for TLS in this file. Confirm that is intended.
xpack.security.transport.ssl.enabled: true
# This node needs the .p12 password in its own Elasticsearch keystore
# (the two ...secure_password entries) to open the file below.
xpack.security.transport.ssl.keystore.path: /apps/elasticsearch/config/certs/k8s-master3.magedu.net.p12
xpack.security.transport.ssl.truststore.path: /apps/elasticsearch/config/certs/k8s-master3.magedu.net.p12
或者 不启用证书认证 vim /apps/elasticsearch/config/elasticsearch.yml
# Alternative elasticsearch.yml with security switched off.
# NOTE(review): authentication and TLS are both disabled while the node still
# binds to 0.0.0.0, so every client that can reach port 9200 gets
# unauthenticated read/write/delete access. Keep this variant on an isolated
# lab network, or bind network.host to a private address.
cluster.name: magedu-es-cluster
node.name: master01
path.data: /data/esdata
path.logs: /data/eslogs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.31.7.101", "172.31.7.102", "172.31.7.103"]
cluster.initial_master_nodes: ["172.31.7.101", "172.31.7.102", "172.31.7.103"]
# With security off this is the only guard left against wildcard deletes.
action.destructive_requires_name: true
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: false
配置 /lib/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
RuntimeDirectory=elasticsearch
Environment=ES_HOME=/apps/elasticsearch
Environment=ES_PATH_CONF=/apps/elasticsearch/config
Environment=PID_DIR=/apps/elasticsearch
WorkingDirectory=/apps/elasticsearch
User=elasticsearch
Group=elasticsearch
ExecStart=/apps/elasticsearch/bin/elasticsearch --quiet
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
scp /lib/systemd/system/elasticsearch.service master02:/lib/systemd/system/
scp /lib/systemd/system/elasticsearch.service master03:/lib/systemd/system/
systemctl daemon-reload
systemctl start elasticsearch.service
systemctl enable elasticsearch.service
systemctl status elasticsearch.service
用户管理
批量修改默认账户密码(配置了X-Pack security才可以用)
cd /apps/elasticsearch; bin/elasticsearch-setup-passwords interactive
创建超级管理员账户
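# Create the account "magedu" and give it the built-in superuser role.
# Without -p the tool prompts for the password, which keeps it out of shell
# history and the process list.
# NOTE(review): elasticsearch-users writes to this node's local config files;
# presumably the other nodes need the same step. Verify.
./bin/elasticsearch-users useradd magedu -r superuser
# Authenticate as the account just created: "superuser" is the role, not a
# user name. With only a user name after -u, curl prompts for the password.
# NOTE(review): this request is plain HTTP, so the credentials are not
# encrypted in transit.
curl -u magedu http://172.31.7.101:9200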
装elasticsearch head插件
kibana
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.5.1-amd64.deb
dpkg -i kibana-8.5.1-amd64.deb
vim /etc/kibana/kibana.yml
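server.port: 5601
# Listens on every interface over plain HTTP; restrict with a firewall or bind
# to a private address if the host has networks that should not reach Kibana.
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://172.31.7.101:9200"]
# Kibana's backend connection uses the built-in kibana_system account.
# "superuser" is a role name, not a user, and this connection does not need
# administrative rights; people log in to the Kibana UI with their own accounts.
elasticsearch.username: "kibana_system"
# Placeholder: the kibana_system password chosen during
# `elasticsearch-setup-passwords interactive`. It can be kept out of this file
# with `kibana-keystore add elasticsearch.password`.
elasticsearch.password: "<KIBANA_SYSTEM_PASSWORD>"
i18n.locale: "zh-CN"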
systemctl start kibana.service
systemctl enable kibana.service
访问http://172.31.7.101:5601/app/home#/