Enabling username + password authentication on an Elasticsearch cluster

Posted 衣舞晨风


Current directory: /home/es/elasticsearch-7.13.4

docker-compose.yml

---
version: '2.2'
services:
  elasticsearch:
    restart: always
    image: elasticsearch:7.13.4
    container_name: es-node1
    network_mode: host
    volumes:
      - /data/es/data:/usr/share/elasticsearch/data
      - /home/es/elasticsearch-7.13.4/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - /home/es/elasticsearch-7.13.4/config/jvm.options:/usr/share/elasticsearch/config/jvm.options
      - /home/es/elasticsearch-7.13.4/config/es.pem:/usr/share/elasticsearch/config/es.pem 
      - /home/es/elasticsearch-7.13.4/config/es-key.pem:/usr/share/elasticsearch/config/es-key.pem
    environment:
      bootstrap.memory_lock: "true"
    ulimits:
      memlock:
        soft: -1
        hard: -1

elasticsearch.yml

cluster.name: jiankunking-log
node.name: 10.163.16.188
http.port: 9200
transport.tcp.port: 8100
discovery.seed_hosts: ["10.163.16.188","10.163.16.190","10.163.16.191"]
cluster.initial_master_nodes: ["10.163.16.188","10.163.16.190","10.163.16.191"]
network.bind_host: 10.163.16.188
network.publish_host: 10.163.16.188
path:
  data:
  - /usr/share/elasticsearch/data
xpack.monitoring.collection.enabled: true

xpack.security.enabled: true

xpack.security.http.ssl.enabled: false
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/es-key.pem
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/es.pem
xpack.security.http.ssl.certificate_authorities: ["/usr/share/elasticsearch/config/es.pem"]

xpack.security.transport.ssl.enabled: true
# This can also be set to certificate; none skips verification of the peer's certificate
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/es-key.pem
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/es.pem
xpack.security.transport.ssl.certificate_authorities: ["/usr/share/elasticsearch/config/es.pem"]
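
The configuration above turns on authentication but leaves HTTP TLS off and transport certificate verification at none. The following check is an added example, not part of the original post or of Elasticsearch itself: it reads a flat elasticsearch.yml and reports those two settings. The function names, finding ids and sample text are constructed for illustration, and a missing xpack.security.enabled is assumed to mean "off", as in 7.x.

```python
import re

# Constructed sample mirroring the security-relevant lines of the config above.
SAMPLE = """\
xpack.security.enabled: true
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: true
# certificate is also possible here
xpack.security.transport.ssl.verification_mode: none
path:
  data:
  - /usr/share/elasticsearch/data
"""

_LINE = re.compile(r"^([A-Za-z_][\w.]*):\s*(\S.*)$")

def parse_flat_settings(text):
    """Collect top-level 'dotted.key: value' lines; comments and nested blocks are skipped."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.split(" #", 1)[0].rstrip())
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def audit(text):
    """Return (id, message) findings for weak authentication/TLS settings."""
    s = parse_flat_settings(text)
    get = lambda key, default: s.get("xpack.security." + key, default).lower()
    if get("enabled", "false") != "true":  # assumption: 7.x default is off
        return [("security-disabled", "no authentication is enforced")]
    findings = []
    if get("http.ssl.enabled", "false") != "true":
        findings.append(("http-cleartext",
                         "Basic-auth passwords cross the HTTP port unencrypted"))
    if get("transport.ssl.enabled", "false") != "true":
        findings.append(("transport-cleartext",
                         "node-to-node traffic is unencrypted"))
    elif get("transport.ssl.verification_mode", "full") == "none":
        findings.append(("transport-unverified",
                         "peer certificates are not checked, so TLS does not authenticate nodes"))
    return findings

if __name__ == "__main__":
    for finding_id, message in audit(SAMPLE):
        print(f"{finding_id}: {message}")
```

With the sample it reports http-cleartext and transport-unverified; setting xpack.security.http.ssl.enabled to true and verification_mode to certificate clears both.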

jvm.options

################################################################
##
## JVM configuration
##
################################################################
##
## WARNING: DO NOT EDIT THIS FILE. If you want to override the
## JVM options in this file, or set any additional options, you
## should create one or more files in the jvm.options.d
## directory containing your adjustments.
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/jvm-options.html
## for more information.
##
################################################################



################################################################
## IMPORTANT: JVM heap size
################################################################
##
## The heap size is automatically configured by Elasticsearch
## based on the available memory in your system and the roles
## each node is configured to fulfill. If specifying heap is
## required, it should be done through a file in jvm.options.d,
## and the min and max should be set to the same value. For
## example, to set the heap to 4 GB, create a new file in the
## jvm.options.d directory containing these lines:

-Xms31g
-Xmx31g

## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################


################################################################
## Expert settings
################################################################
##
## All settings below here are considered expert settings. Do
## not adjust them unless you understand what you are doing. Do
## not edit them in this file; instead, create a new file in the
## jvm.options.d directory containing your adjustments.
##
################################################################

## GC configuration
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly

## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC

## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}

## heap dumps

# generate a heap dump when an allocation from the Java heap fails; heap dumps
# are created in the working directory of the JVM unless an alternative path is
# specified
-XX:+HeapDumpOnOutOfMemoryError

# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=data

# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=logs/hs_err_pid%p.log

## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:logs/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m

# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m

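Certificates

es-key.pem: the private key of the self-signed certificate
es.pem: the self-signed certificate

Make the certificate validity period as long as practical.
If this cluster will later be connected to a remote cluster, the certificates must be signed by the same CA.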

Restart

Disable automatic shard allocation for the cluster

PUT /_cluster/settings
{
  "transient": {
    "cluster.routing.allocation.enable": "none"
  }
}

Change the configuration and restart all nodes

docker-compose stop
docker-compose up -d --build

After the last node has come up, enter the container and run

./bin/elasticsearch-setup-passwords interactive

Set a password for each account name when prompted.

Re-enable automatic shard allocation for the cluster

PUT /_cluster/settings
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}
