Installation and Configuration

予早 2025-10-07 00:24:38

https://www.elastic.co/downloads/elasticsearch

https://www.elastic.co/downloads/past-releases/elasticsearch-8-19-3

https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.19.3-linux-x86_64.tar.gz

Type    | Description                                                                                                      | Default location    | Setting
home    | Elasticsearch installation home directory                                                                        |                     | path.home
bin     | Binary scripts, including elasticsearch, which starts a node                                                     | {path.home}/bin     |
conf    | Configuration files, including elasticsearch.yml                                                                 | {path.home}/config  | path.conf
data    | Data files of every index/shard allocated on the node; can hold multiple locations                               | {path.home}/data    | path.data
logs    | Log files                                                                                                        | {path.home}/logs    | path.logs
plugins | Plugin files; each plugin lives in its own subdirectory                                                          | {path.home}/plugins | path.plugins
repo    | Shared file system repository locations; can hold multiple locations. A repository may be placed in any subdirectory of any directory listed here | Not configured | path.repo
script  | Script files                                                                                                     | {path.conf}/scripts | path.scripts
sudo mkdir /usr/local/elasticsearch-cluster
cd /usr/local/elasticsearch-cluster
sudo wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.19.3-linux-x86_64.tar.gz
sudo tar -zxvf elasticsearch-8.19.3-linux-x86_64.tar.gz
sudo mv elasticsearch-8.19.3 elasticsearch
sudo chown -R ubuntu:ubuntu /usr/local/elasticsearch-cluster
cd elasticsearch
./bin/elasticsearch --version

ElasticSearch Singleton

Single-node certificate generation

Generate the cluster CA

./bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Directory /usr/local/elasticsearch-cluster/elasticsearch/config/certs does not exist. Do you want to create it? [Y/n]
Enter password for elastic-stack-ca.p12 :

Generate the transport certificate, used for communication between cluster nodes

./bin/elasticsearch-certutil cert --ca config/certs/elastic-stack-ca.p12 --dns localhost --ip 127.0.0.1 --out config/certs/transport.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.


    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.


By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (config/certs/elastic-stack-ca.p12) : 
Enter password for transport.p12 : 

Certificates written to /usr/local/elasticsearch-cluster/elasticsearch/config/certs/transport.p12

This file should be properly secured as it contains the private key for 
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

Generate the HTTP certificate, used for communication between clients and the server

./bin/elasticsearch-certutil http
## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right
set of files for your needs.

## Do you wish to generate a Certificate Signing Request (CSR)?

A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).

If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.

If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR? [y/N]
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]y
## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: certs/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:
## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y]
## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]
## Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

ECS-HN-3121563685
localhost

You entered the following hostnames.

 - ECS-HN-3121563685
 - localhost

Is this correct [Y/n]
## Which IP addresses will be used to connect to your nodes?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

110.42.60.147
127.0.0.1

You entered the following IP addresses.

 - 110.42.60.147
 - 127.0.0.1

Is this correct [Y/n]
## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: ECS-HN-3121563685
Subject DN: CN=ECS-HN-3121563685
Key Size: 2048
Key Usage: digitalSignature,keyEncipherment

Do you wish to change any of these options? [y/N]
## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]
## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/usr/local/elasticsearch-cluster/elasticsearch/elasticsearch-ssl-http.zip] /usr/local/elasticsearch-cluster/elasticsearch/config/certs/elasticsearch-ssl-http.zip
unzip ./config/certs/elasticsearch-ssl-http.zip -d ./config/certs/http

Configuration files

Edit elasticsearch.yml

cluster.name: dev-es
node.name: elasticsearch
path.data: /usr/local/elasticsearch-cluster/elasticsearch/data
path.logs: /usr/local/elasticsearch-cluster/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
cluster.initial_master_nodes: ["elasticsearch"]

# Enable the security features; authentication is required once enabled
xpack.security.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http/elasticsearch/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

Edit jvm.options

vi /usr/local/elasticsearch-cluster/elasticsearch/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

Reset the elastic password (the tool talks to the running node over --url, so run it after the node is up)

/usr/local/elasticsearch-cluster/elasticsearch/bin/elasticsearch-reset-password -i -u elastic --url https://localhost:9200

Start

# Old style, not accepted by 8.x (the path.conf setting was removed in 6.0):
#   bin/elasticsearch -Des.path.conf=config/instance1 -d -p /tmp/elasticsearch_1.pid
# 8.x selects the config directory with the ES_PATH_CONF environment variable:
ES_PATH_CONF=/path/to/my/config ./bin/elasticsearch -d -p /tmp/elasticsearch_1.pid

# ==========================================
#  Elasticsearch 8.19.3 systemd unit file
#  Path: /etc/systemd/system/elasticsearch.service
#  After installing, run:  systemctl daemon-reload
#                          systemctl enable --now elasticsearch
# ==========================================
[Unit]
# Human-readable description, shown by systemctl status
Description=Elasticsearch 8.19.3
# Soft dependency on the network; this service is not failed if the network is not ready
Wants=network-online.target
# Wait until the network is online before starting ES, so binding the listen address does not fail
After=network-online.target

[Service]
# notify type: once started, ES calls sd_notify() to tell systemd "initialisation complete"
Type=notify

# User/group to run as
User=ubuntu
Group=ubuntu

# Start command; assumes ES was extracted to /opt/es
ExecStart=/opt/es/bin/elasticsearch

# reload command: send HUP to the main process so ES re-reads the hot-reloadable settings
ExecReload=/bin/kill -HUP $MAINPID

# Kill strategy: the main process first, then any remaining child processes
KillMode=mixed
# A polite SIGTERM first, SIGKILL after the timeout
KillSignal=SIGTERM

# Restart automatically only on abnormal exit (non-zero status or unexpected signal)
Restart=on-failure
# Delay between restarts, prevents tight restart loops
RestartSec=10s

# File handle / process limits (raise further in production)
LimitNOFILE=65536
LimitNPROC=4096

# No interactive input; suitable for unattended operation
StandardInput=null
# Output goes straight to the journal; view it with journalctl -u elasticsearch
StandardOutput=journal
StandardError=journal

[Install]
# Hook into multi-user.target; systemctl enable creates the symlink so ES starts at boot
WantedBy=multi-user.target

Status

Green - everything is good (cluster is fully functional), i.e. the optimal state

Yellow - all data is available but some replicas are not yet allocated (cluster is fully functional), i.e. data and cluster are usable, but some replica shards are unallocated

Red - some data is not available for whatever reason (cluster is partially functional), i.e. part of the data, and hence the cluster, is not fully usable

ElasticSearch Cluster

Cluster certificate generation

CA (Certificate Authority)
Essentially a "trusted private key" plus the matching public key certificate.
Its certificate is shipped by default in the trust store (truststore) of the operating system / browser / JDK.
Role: use its own private key to "stamp" other people's certificates, attesting that "this public key really belongs to this domain / this organisation".
CA signature
The stamping step: hash the applicant's public key, domain name, validity period and other fields, then sign that hash with the CA's private key; the result is the "signature".
The signature is written into the signature field of the final certificate.
Anyone can verify the signature with the CA's public key and compare the hash; if it matches, the certificate has not been tampered with and was indeed issued by that CA, which establishes the chain of trust.
How the chain of trust reaches the endpoint
The browser / ES receives the server certificate → verifies the signature with the CA public key from the local truststore → verification passes → the TLS handshake continues.
If no CA in the truststore can verify it → "unknown certificate authority" / "PKIX path building failed".

CA chain

Public key certificate

(Certificate / CRT / CERT): contains the public key + holder information + CA signature; can be published

Container | Common extensions   | Contents                                         | Contains private key? | Characteristics                                          | Usable by ES?
PEM       | .pem .crt .key .cer | Base64 text, starts with -----BEGIN xxx-----     | Optional (.key)       | Human-readable; several certificates can be concatenated | ✅ natively supported in 8.4+
PKCS#7    | .p7b .p7c           | Certificates/chain only                          | No                    | Windows likes to distribute chains this way              | ❌ needs conversion
PKCS#8    | .pk8                | Private key only (text or binary)                | Yes                   | Standard private key format, usually paired with PEM     | ✅ as private key input
PKCS#12   | .p12 .pfx           | Certificate + private key + chain, all in one    | Yes                   | Single file, can be password-protected                   | ✅ all versions
JKS       | .jks                | Java-specific keystore: certs/private keys/chain | Yes                   | Read directly by JDK tools                               | ✅ all versions
DER       | .der .cer           | Binary form of PEM                               | Optional              | Smaller, not human-readable                              | ❌ needs conversion

Cluster certificates

Generate the cluster root CA certificate

./bin/elasticsearch-certutil ca --silent --pem --out ./config/certs/ca.zip
# the zip contains ca/ca.crt and ca/ca.key
unzip ./config/certs/ca.zip -d ./config/certs

Prepare the cluster instance information

cat > ./config/certs/instances.yml <<EOF
instances:
  - name: node1
    dns: ["i-2ze5i06i17ae02j36zqh.cn-beijing.ecs.internal", "localhost"]
    ip:  ["10.0.1.113","127.0.0.1"]
  - name: node2
    dns: ["i-2ze5i06i17ae02j36zqh.cn-beijing.ecs.internal", "localhost"]
    ip:  ["10.0.1.113","127.0.0.1"]
  - name: node3
    dns: ["i-2ze5i06i17ae02j36zqh.cn-beijing.ecs.internal", "localhost"]
    ip:  ["10.0.1.113","127.0.0.1"]
EOF

Generate the transport certificates

./bin/elasticsearch-certutil cert --silent --pem --in ./config/certs/instances.yml --out ./config/certs/transport.zip --ca-cert ./config/certs/ca/ca.crt --ca-key ./config/certs/ca/ca.key
unzip ./config/certs/transport.zip -d ./config/certs/transport
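As an added example that is not part of the original post, the following script checks a PEM transport certificate the way the trust-chain description above says a client does: the CA's public key must validate the signature, and the SAN entries must cover the names listed in instances.yml. It needs the openssl CLI; make_demo_pki builds a throwaway CA and node certificate (constructed demo data, not the real cluster CA) so the check can be tried without touching config/certs.

```shell
#!/bin/sh
# Added example (not from the original post): check a PEM transport certificate
# produced by elasticsearch-certutil before a node is started. Requires the
# openssl CLI. Directory layout follows the post (certs/ca/ca.crt,
# certs/transport/<node>/<node>.crt).

# verify_node_cert CA_CRT NODE_CRT EXPECTED_DNS EXPECTED_IP
# Returns 0 only when NODE_CRT is signed by CA_CRT and its SAN lists both names.
verify_node_cert() {
  ca_crt=$1; node_crt=$2; want_dns=$3; want_ip=$4

  # 1. Chain of trust: the CA public key must validate the signature. This is the
  #    check behind "PKIX path building failed" when a node presents a certificate
  #    from a CA that is not listed in certificate_authorities.
  if ! openssl verify -CAfile "$ca_crt" "$node_crt" >/dev/null 2>&1; then
    echo "FAIL: $node_crt is not signed by $ca_crt" >&2
    return 1
  fi

  # 2. Subject Alternative Names: verification_mode: full compares the peer's
  #    hostname/IP against these; verification_mode: certificate (the post's
  #    transport setting) checks only the chain, so a bad SAN passes there but
  #    breaks HTTP clients. Normalise to ",DNS:a,IPAddress:b," for exact matching.
  san=$(openssl x509 -in "$node_crt" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ' || true)
  san=",$san,"
  case $san in
    *",DNS:$want_dns,"*) ;;
    *) echo "FAIL: $node_crt lacks DNS SAN $want_dns (has: $san)" >&2; return 1 ;;
  esac
  case $san in
    *",IPAddress:$want_ip,"*) ;;
    *) echo "FAIL: $node_crt lacks IP SAN $want_ip (has: $san)" >&2; return 1 ;;
  esac

  # 3. Expiry: once the certificate expires every TLS connection to the node
  #    fails, so warn while there is still time to re-issue (30 days here).
  if ! openssl x509 -in "$node_crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1; then
    echo "WARN: $node_crt expires within 30 days" >&2
  fi
  echo "OK: $node_crt chains to $ca_crt, SAN covers DNS:$want_dns IP:$want_ip"
  return 0
}

# make_demo_pki DIR DNS IP: constructed demo data, not the real cluster CA.
# Builds a throwaway CA and one node certificate in the post's layout, plus an
# unrelated CA so a trust-chain failure can be demonstrated.
make_demo_pki() {
  dir=$1; dns=$2; ip=$3
  mkdir -p "$dir/ca" "$dir/transport/node1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-cluster-ca" \
    -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=unrelated-ca" \
    -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node1" \
    -keyout "$dir/transport/node1/node1.key" -out "$dir/node1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$dns" "$ip" > "$dir/san.ext"
  openssl x509 -req -days 365 -in "$dir/node1.csr" -CA "$dir/ca/ca.crt" \
    -CAkey "$dir/ca/ca.key" -CAcreateserial -extfile "$dir/san.ext" \
    -out "$dir/transport/node1/node1.crt" 2>/dev/null
}

# demo: one passing check, then the two failure modes (wrong CA, name not in SAN).
demo() {
  d=$(mktemp -d)
  make_demo_pki "$d" localhost 127.0.0.1
  verify_node_cert "$d/ca/ca.crt" "$d/transport/node1/node1.crt" localhost 127.0.0.1
  verify_node_cert "$d/other-ca.crt" "$d/transport/node1/node1.crt" localhost 127.0.0.1
  verify_node_cert "$d/ca/ca.crt" "$d/transport/node1/node1.crt" es.example.com 127.0.0.1
  rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Saved as a script, `sh script.sh demo` runs the three demo checks; for the real files call verify_node_cert with config/certs/ca/ca.crt, config/certs/transport/nodeN/nodeN.crt and the dns/ip values from instances.yml.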

Generate the HTTP certificate

./bin/elasticsearch-certutil http
## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right
set of files for your needs.

## Do you wish to generate a Certificate Signing Request (CSR)?

A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).

If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.

If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR? [y/N]
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]y
## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: certs/ca/ca.crt

## What is the path to your CA key?

/usr/local/elasticsearch-cluster/elasticsearch/config/certs/ca/ca.crt appears to be a PEM formatted certificate file.
In order to use it for signing we also need access to the private key
that corresponds to that certificate.

CA Key: certs/ca/ca.key
## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y]
## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]
## Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

i-2ze5i06i17ae02j36zqh.cn-beijing.ecs.internal
localhost

You entered the following hostnames.

 - i-2ze5i06i17ae02j36zqh.cn-beijing.ecs.internal
 - localhost

Is this correct [Y/n]
## Which IP addresses will be used to connect to your nodes?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

10.0.1.113
127.0.0.1

You entered the following IP addresses.

 - 10.0.1.113
 - 127.0.0.1

Is this correct [Y/n]
## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: i-2ze5i06i17ae02j36zqh.cn-beijing.ecs.internal
Subject DN: CN=i-2ze5i06i17ae02j36zqh, DC=cn-beijing, DC=ecs, DC=internal
Key Size: 2048
Key Usage: digitalSignature,keyEncipherment

Do you wish to change any of these options? [y/N]
## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]
## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/usr/local/elasticsearch-cluster/elasticsearch/elasticsearch-ssl-http.zip] /usr/local/elasticsearch-cluster/elasticsearch/config/certs/elasticsearch-ssl-http.zip
unzip ./config/certs/elasticsearch-ssl-http.zip -d ./config/certs/http

Single host, multiple instances sharing one bin directory

Create the directories

mkdir -p /usr/local/elasticsearch-cluster/node1/config
mkdir -p /usr/local/elasticsearch-cluster/node1/data
mkdir -p /usr/local/elasticsearch-cluster/node1/logs

mkdir -p /usr/local/elasticsearch-cluster/node2/config
mkdir -p /usr/local/elasticsearch-cluster/node2/data
mkdir -p /usr/local/elasticsearch-cluster/node2/logs

mkdir -p /usr/local/elasticsearch-cluster/node3/config
mkdir -p /usr/local/elasticsearch-cluster/node3/data
mkdir -p /usr/local/elasticsearch-cluster/node3/logs

Configuration files

https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/

https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/security-settings#http-tls-ssl-settings

node1

Copy the original config directory
cp -rf /usr/local/elasticsearch-cluster/elasticsearch/config/* /usr/local/elasticsearch-cluster/node1/config
Edit elasticsearch.yml
cluster.name: dev-es
node.name: node1
path.data: /usr/local/elasticsearch-cluster/node1/data
path.logs: /usr/local/elasticsearch-cluster/node1/logs
network.host: 0.0.0.0
http.port: 9201
transport.port: 9301
discovery.seed_hosts: ["127.0.0.1:9301", "127.0.0.1:9302", "127.0.0.1:9303"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]

xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  # PKCS#12 files
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  # PEM encoded files
  key: certs/transport/node1/node1.key
  certificate: certs/transport/node1/node1.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
Edit jvm.options
vi /usr/local/elasticsearch-cluster/node1/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

node2

Copy the original config directory
cp -rf /usr/local/elasticsearch-cluster/elasticsearch/config/* /usr/local/elasticsearch-cluster/node2/config
Edit elasticsearch.yml
cluster.name: dev-es
node.name: node2
path.data: /usr/local/elasticsearch-cluster/node2/data
path.logs: /usr/local/elasticsearch-cluster/node2/logs
network.host: 0.0.0.0
http.port: 9202
transport.port: 9302
discovery.seed_hosts: ["127.0.0.1:9301", "127.0.0.1:9302", "127.0.0.1:9303"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]

xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  # PKCS#12 files
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  # PEM encoded files
  key: certs/transport/node2/node2.key
  certificate: certs/transport/node2/node2.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
Edit jvm.options (node2's own copy, not node1's)
vi /usr/local/elasticsearch-cluster/node2/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

node3

Copy the original config directory
cp -rf /usr/local/elasticsearch-cluster/elasticsearch/config/* /usr/local/elasticsearch-cluster/node3/config
Edit elasticsearch.yml
cluster.name: dev-es
node.name: node3
path.data: /usr/local/elasticsearch-cluster/node3/data
path.logs: /usr/local/elasticsearch-cluster/node3/logs
network.host: 0.0.0.0
http.port: 9203
transport.port: 9303
discovery.seed_hosts: ["127.0.0.1:9301", "127.0.0.1:9302", "127.0.0.1:9303"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]

xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  # PKCS#12 files
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  # PEM encoded files
  key: certs/transport/node3/node3.key
  certificate: certs/transport/node3/node3.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
Edit jvm.options (node3's own copy, not node1's)
vi /usr/local/elasticsearch-cluster/node3/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

Start each node

ES_PATH_CONF=/usr/local/elasticsearch-cluster/node1/config /usr/local/elasticsearch-cluster/elasticsearch/bin/elasticsearch -d -p /usr/local/elasticsearch-cluster/node1/node1.pid

ES_PATH_CONF=/usr/local/elasticsearch-cluster/node2/config /usr/local/elasticsearch-cluster/elasticsearch/bin/elasticsearch -d -p /usr/local/elasticsearch-cluster/node2/node2.pid

ES_PATH_CONF=/usr/local/elasticsearch-cluster/node3/config /usr/local/elasticsearch-cluster/elasticsearch/bin/elasticsearch -d -p /usr/local/elasticsearch-cluster/node3/node3.pid

Reset the password

ES_PATH_CONF=/usr/local/elasticsearch-cluster/node1/config /usr/local/elasticsearch-cluster/elasticsearch/bin/elasticsearch-reset-password -i -u elastic --url https://localhost:9201

Single host, multiple instances each with its own bin directory

Create the directories

mkdir -p /usr/local/elasticsearch-cluster/node1/config
mkdir -p /usr/local/elasticsearch-cluster/node1/data
mkdir -p /usr/local/elasticsearch-cluster/node1/logs

mkdir -p /usr/local/elasticsearch-cluster/node2/config
mkdir -p /usr/local/elasticsearch-cluster/node2/data
mkdir -p /usr/local/elasticsearch-cluster/node2/logs

mkdir -p /usr/local/elasticsearch-cluster/node3/config
mkdir -p /usr/local/elasticsearch-cluster/node3/data
mkdir -p /usr/local/elasticsearch-cluster/node3/logs

Configuration files

https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/

https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/security-settings#http-tls-ssl-settings

node1

Copy the entire original directory
cp -rf /usr/local/elasticsearch-cluster/elasticsearch/* /usr/local/elasticsearch-cluster/node1
Edit elasticsearch.yml
cluster.name: dev-es
node.name: node1
path.data: /usr/local/elasticsearch-cluster/node1/data
path.logs: /usr/local/elasticsearch-cluster/node1/logs
network.host: 0.0.0.0
http.port: 9201
# explicit transport port so the node matches its entry in discovery.seed_hosts
transport.port: 9301
discovery.seed_hosts: ["127.0.0.1:9301", "127.0.0.1:9302", "127.0.0.1:9303"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]

xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  # PKCS#12 files
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  # PEM encoded files
  key: certs/transport/node1/node1.key
  certificate: certs/transport/node1/node1.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
Edit jvm.options
vi /usr/local/elasticsearch-cluster/node1/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

node2

Copy the entire original directory
cp -rf /usr/local/elasticsearch-cluster/elasticsearch/* /usr/local/elasticsearch-cluster/node2
Edit elasticsearch.yml
cluster.name: dev-es
node.name: node2
path.data: /usr/local/elasticsearch-cluster/node2/data
path.logs: /usr/local/elasticsearch-cluster/node2/logs
network.host: 0.0.0.0
http.port: 9202
# explicit transport port so the node matches its entry in discovery.seed_hosts
transport.port: 9302
discovery.seed_hosts: ["127.0.0.1:9301", "127.0.0.1:9302", "127.0.0.1:9303"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]

xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  # PKCS#12 files
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  # PEM encoded files
  key: certs/transport/node2/node2.key
  certificate: certs/transport/node2/node2.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
Edit jvm.options (node2's own copy, not node1's)
vi /usr/local/elasticsearch-cluster/node2/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

node3

Copy the entire original directory
cp -rf /usr/local/elasticsearch-cluster/elasticsearch/* /usr/local/elasticsearch-cluster/node3
Edit elasticsearch.yml
cluster.name: dev-es
node.name: node3
path.data: /usr/local/elasticsearch-cluster/node3/data
path.logs: /usr/local/elasticsearch-cluster/node3/logs
network.host: 0.0.0.0
http.port: 9203
# explicit transport port so the node matches its entry in discovery.seed_hosts
transport.port: 9303
discovery.seed_hosts: ["127.0.0.1:9301", "127.0.0.1:9302", "127.0.0.1:9303"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]

xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  # PKCS#12 files
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  # PEM encoded files
  key: certs/transport/node3/node3.key
  certificate: certs/transport/node3/node3.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
Edit jvm.options (node3's own copy; the shared elasticsearch/config copy is not read by this node)
vi /usr/local/elasticsearch-cluster/node3/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

Start each node

# ES_PATH_CONF must be on the same line as the command; on a line of its own it is not exported to the process
ES_PATH_CONF=/usr/local/elasticsearch-cluster/node1/config /usr/local/elasticsearch-cluster/node1/bin/elasticsearch -d -p /usr/local/elasticsearch-cluster/node1/node1.pid

ES_PATH_CONF=/usr/local/elasticsearch-cluster/node2/config /usr/local/elasticsearch-cluster/node2/bin/elasticsearch -d -p /usr/local/elasticsearch-cluster/node2/node2.pid

ES_PATH_CONF=/usr/local/elasticsearch-cluster/node3/config /usr/local/elasticsearch-cluster/node3/bin/elasticsearch -d -p /usr/local/elasticsearch-cluster/node3/node3.pid

Reset the password

ES_PATH_CONF=/usr/local/elasticsearch-cluster/node1/config /usr/local/elasticsearch-cluster/node1/bin/elasticsearch-reset-password -i -u elastic --url https://localhost:9201
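The three per-node elasticsearch.yml files in both single-host layouts above differ only in node name, ports and key paths, which is exactly where copy-paste slips creep in (a node left pointing at another node's key, a missing transport.port). As an added example, not from the original post, this script renders the node configs from one template and lints a directory of node*/config/elasticsearch.yml for those mistakes; the layout and certificate paths follow the post, and the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): render the per-node
# elasticsearch.yml of a single-host cluster from one template and lint the
# result for copy-paste slips. Layout and certificate paths follow the post;
# the sample configs written here are constructed.

# render_node_config NAME HTTP_PORT TRANSPORT_PORT BASE_DIR: print one node's config.
render_node_config() {
  name=$1; http_port=$2; transport_port=$3; base=$4
  cat <<EOF
cluster.name: dev-es
node.name: $name
path.data: $base/$name/data
path.logs: $base/$name/logs
network.host: 0.0.0.0
http.port: $http_port
transport.port: $transport_port
discovery.seed_hosts: ["127.0.0.1:9301", "127.0.0.1:9302", "127.0.0.1:9303"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]
xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: certs/transport/$name/$name.key
  certificate: certs/transport/$name/$name.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
EOF
}

# write_sample_configs BASE_DIR: node1..node3 on 9201-9203 / 9301-9303, as in the post.
write_sample_configs() {
  base=$1; i=1
  while [ "$i" -le 3 ]; do
    mkdir -p "$base/node$i/config"
    render_node_config "node$i" "920$i" "930$i" "$base" > "$base/node$i/config/elasticsearch.yml"
    i=$((i + 1))
  done
}

# lint_node_configs BASE_DIR: checks every BASE_DIR/node*/config/elasticsearch.yml,
# prints one line per problem and returns 0 only when nothing was found.
lint_node_configs() {
  base=$1; problems=0; ports=""
  for cfg in "$base"/node*/config/elasticsearch.yml; do
    name=$(sed -n 's/^node\.name:[[:space:]]*//p' "$cfg")
    http_port=$(sed -n 's/^http\.port:[[:space:]]*//p' "$cfg")
    transport_port=$(sed -n 's/^transport\.port:[[:space:]]*//p' "$cfg")
    seeds=$(sed -n 's/^discovery\.seed_hosts:[[:space:]]*//p' "$cfg")
    key=$(sed -n 's/^[[:space:]]*key:[[:space:]]*//p' "$cfg")
    ports="$ports $http_port $transport_port"

    # Several instances on one host need an explicit transport.port; otherwise each
    # grabs the next free port in 9300-9399 in start order and seed_hosts drifts.
    if [ -z "$transport_port" ]; then
      echo "$cfg: transport.port is not set"; problems=$((problems + 1))
    else
      case $seeds in
        *":$transport_port"*) ;;
        *) echo "$cfg: transport.port $transport_port missing from discovery.seed_hosts"; problems=$((problems + 1)) ;;
      esac
    fi

    # A node must present its own transport key, not a copy of node1's.
    case $key in
      *"/$name/"*) ;;
      *) echo "$cfg: transport key '$key' does not belong to $name"; problems=$((problems + 1)) ;;
    esac

    # TLS must stay on for both HTTP and transport, with verification enabled.
    enabled=$(grep -c '^[[:space:]]*enabled: true' "$cfg" || true)
    if [ "$enabled" -lt 2 ]; then
      echo "$cfg: TLS is not enabled on both http and transport"; problems=$((problems + 1))
    fi
    if grep -q 'verification_mode:[[:space:]]*none' "$cfg"; then
      echo "$cfg: verification_mode none disables certificate checks"; problems=$((problems + 1))
    fi
  done

  # Ports must be unique across the instances sharing this host.
  dups=$(printf '%s\n' $ports | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "port(s) used by more than one node: $(echo $dups)"; problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

case "${1:-}" in
  demo) d=$(mktemp -d); write_sample_configs "$d"; lint_node_configs "$d" && echo "all node configs consistent"; rm -rf "$d" ;;
esac
```

For the real cluster, point lint_node_configs at /usr/local/elasticsearch-cluster; it reads the files in place and changes nothing.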

Distributed instances (one node per host)

Create the directories

Generate the certificates on one node, then scp the whole directory to the other nodes; that also creates the basic directory layout there.

Configuration files

https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/

https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/security-settings#http-tls-ssl-settings

node1

Edit elasticsearch.yml
cluster.name: dev-es
node.name: node1
path.data: /usr/local/elasticsearch-cluster/elasticsearch/data
path.logs: /usr/local/elasticsearch-cluster/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.0.1.112:9300", "10.0.1.113:9300", "10.0.1.114:9300"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]

xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  # PKCS#12 files
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  # PEM encoded files
  key: certs/transport/node1/node1.key
  certificate: certs/transport/node1/node1.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
Edit jvm.options
vi /usr/local/elasticsearch-cluster/elasticsearch/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

node2

Edit elasticsearch.yml
cluster.name: dev-es
node.name: node2
path.data: /usr/local/elasticsearch-cluster/elasticsearch/data
path.logs: /usr/local/elasticsearch-cluster/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.0.1.112:9300", "10.0.1.113:9300", "10.0.1.114:9300"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]

xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  # PKCS#12 files
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  # PEM encoded files
  key: certs/transport/node2/node2.key
  certificate: certs/transport/node2/node2.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
Edit jvm.options
vi /usr/local/elasticsearch-cluster/elasticsearch/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

node3

Edit elasticsearch.yml
cluster.name: dev-es
node.name: node3
path.data: /usr/local/elasticsearch-cluster/elasticsearch/data
path.logs: /usr/local/elasticsearch-cluster/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.0.1.112:9300", "10.0.1.113:9300", "10.0.1.114:9300"]
cluster.initial_master_nodes: ["node1", "node2", "node3"]

xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  # PKCS#12 files
  keystore.path: certs/http/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  # PEM encoded files
  key: certs/transport/node3/node3.key
  certificate: certs/transport/node3/node3.crt
  certificate_authorities: [ "certs/ca/ca.crt" ]
Edit jvm.options
vi /usr/local/elasticsearch-cluster/elasticsearch/config/jvm.options.d/default.options
-Xms1g
-Xmx1g

Start each node

# Run the same command on each host (node1, node2, node3); ES_PATH_CONF must be on the same line as the command so it is exported to the process
ES_PATH_CONF=/usr/local/elasticsearch-cluster/elasticsearch/config /usr/local/elasticsearch-cluster/elasticsearch/bin/elasticsearch -d -p /usr/local/elasticsearch-cluster/elasticsearch/elasticsearch.pid

Reset the password

ES_PATH_CONF=/usr/local/elasticsearch-cluster/elasticsearch/config /usr/local/elasticsearch-cluster/elasticsearch/bin/elasticsearch-reset-password -i -u elastic --url https://localhost:9200