Elasticsearch Cluster Deployment


ES cluster deployment

This deployment is done with Docker.

★ Preparation ★

Image version used: elasticsearch:7.17.24
1. Install the Docker environment
2. Pull the required image

docker pull elasticsearch:7.17.24

Deploying the ES cluster

1. Write the docker compose file

services:
  es-1:
    image: elasticsearch:7.17.24
    container_name: elasticsearch-1
    restart: unless-stopped
    privileged: true
    environment:
      - node.name=es-1
      - cluster.name=es-cluster
      - discovery.seed_hosts=es-2,es-3
      - cluster.initial_master_nodes=es-1,es-2,es-3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - xpack.security.enabled=false
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      - TZ=Asia/Shanghai
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - "9200:9200"
    volumes:
      - ./data/es-1:/usr/share/elasticsearch/data

  es-2:
    image: elasticsearch:7.17.24
    container_name: elasticsearch-2
    restart: unless-stopped
    privileged: true
    environment:
      - node.name=es-2
      - cluster.name=es-cluster
      - discovery.seed_hosts=es-1,es-3
      - cluster.initial_master_nodes=es-1,es-2,es-3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - xpack.security.enabled=false
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      - TZ=Asia/Shanghai
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - "9201:9200"
    volumes:
      - ./data/es-2:/usr/share/elasticsearch/data

  es-3:
    image: elasticsearch:7.17.24
    container_name: elasticsearch-3
    restart: unless-stopped
    privileged: true
    environment:
      - node.name=es-3
      - cluster.name=es-cluster
      - discovery.seed_hosts=es-1,es-2
      - cluster.initial_master_nodes=es-1,es-2,es-3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - xpack.security.enabled=false
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      - TZ=Asia/Shanghai
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - "9202:9200"
    volumes:
      - ./data/es-3:/usr/share/elasticsearch/data

  kibana:
    image: kibana:7.17.24
    container_name: kibana
    ports:
      - 5601:5601
    environment:
      - ELASTICSEARCH_HOSTS=http://es-1:9200
      - I18N_LOCALE=zh-CN

networks:
  default:
    name: es
    external: true

2. Create the es network

docker network create -d bridge es

3. Start the services and grant the data directory the right ownership

docker compose up -d
chown -R 1000:1000 data/*

Testing

We can open the host's IP address on port 5601 and inspect the deployed cluster through Kibana (as shown below).
Cluster status information: (screenshot)
Node status information: (screenshot)
Our ES cluster is now up and running!

Enabling user authentication on the ES cluster

To enable user authentication on the ES cluster, the certificate module must be configured first: without SSL on the transport layer between the ES nodes, the cluster reports an error.

Clients communicate over HTTP

Generating certificates

First we create an instances.yml file describing the DNS names and IP addresses each certificate must cover; the certificate tool reads this file directly.

instances:
  - name: es-1
    dns: [ "es-1", "es.mydomain.com" ]
    ip: [ "172.16.10.15" ]
  - name: es-2
    dns: [ "es-2", "es.mydomain.com" ]
    ip: [ "172.16.10.15" ]
  - name: es-3
    dns: [ "es-3", "es.mydomain.com" ]
    ip: [ "172.16.10.15" ]

We generate them with elasticsearch-certutil, the tool bundled with Elasticsearch.

# Generate the CA certificate
docker run --rm -v $(pwd):/certs -w /certs elasticsearch:7.17.24 \
  elasticsearch-certutil ca --pem --out /certs/ca.zip
unzip ca.zip
# Generate the node certificates from the instances file
docker run --rm -v $(pwd):/certs -w /certs elasticsearch:7.17.24 \
  elasticsearch-certutil cert --ca-cert /certs/ca/ca.crt --ca-key /certs/ca/ca.key --pem --in /certs/instances.yml --out /certs/certs.zip
unzip certs.zip
mv ca certs/
rm -rf ca.zip certs.zip

The generated certificate files are as follows:

elasticsearch@root# tree certs
certs
├── ca
│   ├── ca.crt
│   └── ca.key
├── es-1
│   ├── es-1.crt
│   └── es-1.key
├── es-2
│   ├── es-2.crt
│   └── es-2.key
└── es-3
    ├── es-3.crt
    └── es-3.key

Deploying the cluster with the certificates

We need to enable the security setting together with the certificate and username/password options, but without yet forcing clients to reach the cluster over HTTPS.
Taking es-1 as an example:

environment:
  ......
  - xpack.security.enabled=true
  - xpack.security.http.ssl.enabled=false
  - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/es-1/es-1.key
  - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/es-1/es-1.crt
  - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
  - xpack.security.transport.ssl.enabled=true
  - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/es-1/es-1.key
  - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/es-1/es-1.crt
  - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
  - xpack.security.transport.ssl.verification_mode=certificate
  - ELASTIC_USERNAME=elastic
  - ELASTIC_PASSWORD=elastic123456
  ......

The complete docker-compose file is as follows:

services:
  es-1:
    image: elasticsearch:7.17.24
    container_name: elasticsearch-1
    restart: unless-stopped
    privileged: true
    environment:
      - node.name=es-1
      - cluster.name=es-cluster
      - discovery.seed_hosts=es-2,es-3
      - cluster.initial_master_nodes=es-1,es-2,es-3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=false
      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/es-1/es-1.key
      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/es-1/es-1.crt
      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/es-1/es-1.key
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/es-1/es-1.crt
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - ELASTIC_USERNAME=elastic
      - ELASTIC_PASSWORD=elastic123456
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      - TZ=Asia/Shanghai
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - 19200:9200
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
      - ./data/es-1:/usr/share/elasticsearch/data

  es-2:
    image: elasticsearch:7.17.24
    container_name: elasticsearch-2
    restart: unless-stopped
    privileged: true
    environment:
      - node.name=es-2
      - cluster.name=es-cluster
      - discovery.seed_hosts=es-1,es-3
      - cluster.initial_master_nodes=es-1,es-2,es-3
      - ELASTIC_USERNAME=elastic
      - ELASTIC_PASSWORD=elastic123456
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=false
      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/es-2/es-2.key
      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/es-2/es-2.crt
      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/es-2/es-2.key
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/es-2/es-2.crt
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      - TZ=Asia/Shanghai
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - 19201:9200
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
      - ./data/es-2:/usr/share/elasticsearch/data

  es-3:
    image: elasticsearch:7.17.24
    container_name: elasticsearch-3
    restart: unless-stopped
    privileged: true
    environment:
      - node.name=es-3
      - cluster.name=es-cluster
      - discovery.seed_hosts=es-1,es-2
      - cluster.initial_master_nodes=es-1,es-2,es-3
      - ELASTIC_USERNAME=elastic
      - ELASTIC_PASSWORD=elastic123456
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=false
      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/es-3/es-3.key
      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/es-3/es-3.crt
      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/es-3/es-3.key
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/es-3/es-3.crt
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      - TZ=Asia/Shanghai
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - 19202:9200
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
      - ./data/es-3:/usr/share/elasticsearch/data

  kibana:
    image: kibana:7.17.24
    container_name: kibana
    ports:
      - 5601:5601
    environment:
      - ELASTICSEARCH_HOSTS=http://es-1:9200
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=elastic123456
      - I18N_LOCALE=zh-CN

networks:
  default:
    name: es
    external: true
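As an added example (not part of the original post), a small Python audit script that reads the environment entries of compose files written in the page's style and flags the settings a reviewer would question: security or transport TLS off, HTTP TLS off (as in both compose files so far), http.cors.allow-origin=*, a password embedded in the file, privileged: true, and a Kibana ELASTICSEARCH_HOSTS URL whose scheme no longer matches the ES nodes once HTTP TLS is turned on. The embedded compose excerpt is a constructed abbreviation of the file above, and the line-based parser assumes that file's two-space indentation and `- KEY=VALUE` environment style rather than being a full YAML parser.

```python
import re
# Constructed excerpt shaped like the page's compose files (not the full file).
SAMPLE_COMPOSE = """\
services:
  es-1:
    privileged: true
    environment:
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=false
      - xpack.security.transport.ssl.enabled=true
      - http.cors.allow-origin=*
      - ELASTIC_PASSWORD=elastic123456
  kibana:
    environment:
      - ELASTICSEARCH_HOSTS=http://es-1:9200
"""

def parse_services(text):
    """Line-based parse of `services:` into {name: {"env": {key: value}, "privileged": bool}}."""
    services, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^  ([\w.\-]+):\s*$", line)  # service names sit at indent 2
        if head:
            cur = services.setdefault(head.group(1), {"env": {}, "privileged": False})
        elif cur is not None and re.match(r"^\s+privileged:\s*true\b", line):
            cur["privileged"] = True
        elif cur is not None and (env := re.match(r"^\s+-\s*([\w.\-]+)=(.*)$", line)):
            cur["env"][env.group(1)] = env.group(2).strip()
    return services

def audit(services):
    """Return a list of findings; an empty list means every check passed."""
    out, http_tls = [], set()
    for name, svc in ((n, s) for n, s in services.items() if n.startswith("es-")):
        env = svc["env"]
        http_tls.add(env.get("xpack.security.http.ssl.enabled") == "true")
        checks = [
            (env.get("xpack.security.enabled") != "true", "xpack.security.enabled is not true (no authentication)"),
            (env.get("xpack.security.transport.ssl.enabled") != "true", "transport TLS is off (required once security is on)"),
            (env.get("xpack.security.http.ssl.enabled") != "true", "HTTP TLS is off: Basic-auth credentials cross the network in clear text"),
            (env.get("http.cors.allow-origin") == "*", "CORS allows any origin"),
            ("ELASTIC_PASSWORD" in env, "ELASTIC_PASSWORD is hard-coded in the compose file"),
            (svc["privileged"], "privileged is set; the memlock ulimits already cover bootstrap.memory_lock"),
        ]
        out += [f"{name}: {msg}" for bad, msg in checks if bad]
    # Kibana must use the scheme the ES nodes enforce (and needs the CA file once that is https).
    kibana_url = services.get("kibana", {}).get("env", {}).get("ELASTICSEARCH_HOSTS", "")
    if http_tls == {True} and kibana_url.startswith("http://"):
        out.append("kibana: ELASTICSEARCH_HOSTS uses http:// but the ES nodes only accept HTTPS")
    return out
```

Run it as `print("\n".join(audit(parse_services(open("docker-compose.yml").read()))))` against the real file; a clean run prints nothing.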

Testing

We query ES to view the node information:

# Access without a username and password
curl -l http://172.16.10.15:19200/_cat/nodes
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
# Access with a username and password
curl -u "elastic:elastic123456" -l http://172.16.10.15:19200/_cat/nodes
172.18.0.23 64 98 0 0.54 0.53 0.69 cdfhilmrstw - es-3
172.18.0.22 70 98 0 0.54 0.53 0.69 cdfhilmrstw * es-1
172.18.0.44 39 98 0 0.54 0.53 0.69 cdfhilmrstw - es-2

This shows that user authentication is configured successfully and the cluster can be reached over HTTP.

Clients must communicate over HTTPS

Setting xpack.security.http.ssl.enabled=true is enough to force clients to talk to ES over HTTPS.
Change in the docker-compose file:

environment:
  ......
  - xpack.security.http.ssl.enabled=true
  ......

Configuration file:

xpack.security.http.ssl.enabled: true

Testing

With this configured, we first try HTTP access and find that it fails with an error:

curl -u "elastic:elastic123456" -l http://172.16.10.15:19200/_cat/nodes
curl: (52) Empty reply from server

Next we access it over HTTPS; remember to point at the CA certificate here, because the CA was generated ourselves with the tool and is otherwise not trusted.

curl -u "elastic:elastic123456" --cacert certs/ca/ca.crt -l https://172.16.10.15:19200/_cat/nodes
172.18.0.44 65 98 0 0.53 0.88 0.81 cdfhilmrstw - es-3
172.18.0.23 41 98 0 0.53 0.88 0.81 cdfhilmrstw * es-2
172.18.0.22 76 98 0 0.53 0.88 0.81 cdfhilmrstw - es-1

This confirms that after the change only HTTPS access works.
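As an added example covering both test runs above (HTTP with credentials, then HTTPS with the self-generated CA), and not code from the original post: a Python script that fetches _cat/nodes with Basic auth, trusting ca.crt for https URLs, and checks that the cluster has exactly the expected members and exactly one elected master. The sample output embedded below is copied from the page's own curl output; the host and CA path in the commented live call are placeholders.

```python
import base64
import ssl
import urllib.request

# Sample `_cat/nodes` response, copied from the page's own curl output.
SAMPLE_NODES = """\
172.18.0.44 65 98 0 0.53 0.88 0.81 cdfhilmrstw - es-3
172.18.0.23 41 98 0 0.53 0.88 0.81 cdfhilmrstw * es-2
172.18.0.22 76 98 0 0.53 0.88 0.81 cdfhilmrstw - es-1
"""

def parse_cat_nodes(text):
    """Parse the default 7.x `_cat/nodes` columns into dicts. Column order:
    ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name."""
    nodes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 10:
            continue  # skip blank or unexpected lines
        nodes.append({"ip": cols[0], "heap": int(cols[1]), "roles": cols[7],
                      "master": cols[8] == "*", "name": cols[9]})
    return nodes

def check_cluster(nodes, expected_names):
    """Return problems found: wrong membership, or not exactly one elected master."""
    problems = []
    names = {n["name"] for n in nodes}
    if names != set(expected_names):
        problems.append(f"membership mismatch: got {sorted(names)}, want {sorted(expected_names)}")
    masters = [n["name"] for n in nodes if n["master"]]
    if len(masters) != 1:
        problems.append(f"expected exactly one elected master, got {masters}")
    return problems

def fetch_cat_nodes(base_url, user, password, cafile=None):
    """GET /_cat/nodes with HTTP Basic auth. For https URLs `cafile` is the
    self-generated ca.crt, so the node certificate is actually verified (not exercised offline)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_cat/nodes")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile) if base_url.startswith("https://") else None
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Live call mirroring the page's HTTPS test (placeholder host and CA path):
    # text = fetch_cat_nodes("https://172.16.10.15:19200", "elastic", "elastic123456", "certs/ca/ca.crt")
    print(check_cluster(parse_cat_nodes(SAMPLE_NODES), ["es-1", "es-2", "es-3"]) or "cluster OK")
```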