Elasticsearch single-node deployment
(1) Perform these steps as the root user, or use sudo
tar -xzf elasticsearch-8.5.0-linux-x86_64.tar.gz
cd elasticsearch-8.5.0/
groupadd elastic
useradd -g elastic elastic
# Set the password to elastic
passwd elastic
chown -R elastic:elastic elasticsearch-8.5.0
chmod -R 777 elasticsearch-8.5.0
# cd is a shell builtin and cannot be run through sudo
cd elasticsearch-8.5.0
visudo
Add: elastic ALL=(ALL) ALL
Go to the config/jvm.options.d directory, create a jvm.options file, and add the following content
-Xms2g
-Xmx2g
Upload the ik archive to the elasticsearch directory and extract it into the /plugins/ik folder
cd /elasticsearch-8.5.0/plugins/
mkdir ik
cd ik
cp /tmp/elasticsearch-analysis-ik-8.5.0.zip .
unzip elasticsearch-analysis-ik-8.5.0.zip
Edit the /etc/security/limits.conf configuration file, add the following content and save.
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
Edit the /etc/sysctl.conf configuration file, add the following content and save,
vm.max_map_count=655360
then run sysctl -p to apply the change.
sysctl -p
Adjust the open-file limit
ulimit -HSn 65535
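Run the following commands (when prompted for a file name, press Enter to skip and use the default file name; when prompted for a password, enter elastic or another string as the password)
# Issue the CA certificate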
cd /elasticsearch-8.5.0/bin
./elasticsearch-certutil ca
# Issue the node certificate with the CA certificate
cd /elasticsearch-8.5.0/bin
./elasticsearch-certutil cert --ca elastic-stack-ca.p12
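# By default the certificates are generated in the elasticsearch-8.5.0 directory; move them into the certs directory (create the certs directory manually under config)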
cd /elasticsearch-8.5.0
mv elastic-certificates.p12 elastic-stack-ca.p12 config/certs
Go to the config directory, edit the elasticsearch.yml file, and change or add the following content
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
# Cluster name
cluster.name: ES
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
# Name of this node
node.name: node1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
# Node IP address (the host's IP address)
network.host: xxx.xx.xx.xx
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# Configure cross-origin requests (CORS)
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#
# For more information, consult the discovery and cluster formation module documentation.
#
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 12-12-2023 00:39:26
#
# --------------------------------------------------------------------------------
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/elastic-stack-ca.p12
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
# IP address of the node; delete or comment out this setting after the first startup completes
cluster.initial_master_nodes: ["xxx.xx.xx.xx"]
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
transport.host: 0.0.0.0
ingest.geoip.downloader.enabled: false
chown -R elastic:elastic elasticsearch-8.5.0
chmod -R 777 elasticsearch-8.5.0
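Before starting the node, the configuration above can be checked for three settings that widen its exposure: the wildcard CORS origin, a keystore.path that names the CA bundle rather than a node certificate, and world-writable files left by chmod -R 777. This is an added example, not part of the original article; the function names audit_es_config and make_sample are hypothetical and the sample file is constructed from the settings shown above.

```shell
#!/bin/sh
# Added example, not part of the original article.
# audit_es_config FILE: print one finding per line for settings from this
# walkthrough that widen exposure of the node.
audit_es_config() {
    yml=$1
    dir=$(dirname "$yml")
    # CORS enabled together with a wildcard origin: any web origin may call the API.
    if grep -Eq '^[[:space:]]*http\.cors\.enabled:[[:space:]]*true' "$yml" &&
       grep -Eq '^[[:space:]]*http\.cors\.allow-origin:[[:space:]]*"?\*"?[[:space:]]*$' "$yml"; then
        echo "cors: http.cors.allow-origin is a wildcard"
    fi
    # A listener keystore that is the CA bundle itself: the listener's identity
    # becomes the CA key pair instead of a node certificate signed by the CA.
    if grep -Eq '^[^#]*keystore\.path:.*elastic-stack-ca\.p12' "$yml"; then
        echo "tls: keystore.path points at the CA bundle elastic-stack-ca.p12"
    fi
    # World-writable files or directories under the config directory
    # (the result of chmod -R 777) let any local user alter config or certs.
    if [ -n "$(find "$dir" ! -type l -perm -0002 -print 2>/dev/null)" ]; then
        echo "perms: world-writable entries under $dir"
    fi
}

# Constructed sample reproducing the settings shown above.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/elasticsearch.yml" <<'EOF'
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/elastic-stack-ca.p12
xpack.security.transport.ssl:
  enabled: true
  keystore.path: certs/elastic-certificates.p12
EOF
    chmod -R 777 "$d"
    echo "$d"
}

sample=$(make_sample)
audit_es_config "$sample/elasticsearch.yml"   # prints three findings
rm -rf "$sample"
```

An empty result means none of the three conditions is present; the check reads files only and changes nothing.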
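(2) Run as the new user
Run the following commands; when prompted for a password, enter elastic, that is, the password set when the security certificates were generated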
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
# Switch to the new user
su elastic
cd elasticsearch-8.5.0/bin
./elasticsearch
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
*_LNlFhqK5ULjbCyEYee
ℹ️ HTTP CA certificate SHA-256 fingerprint:
6aea402bdf44d4f64d77b9c01ac87904264c07943a4087af0492e84247f9ab86
ℹ️ Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjUuMCIsImFkciI6WyIxMC40MC4wLjA6OTIwMCJdLCJmZ3IiOiI2YWVhNDAyYmRmNDRkNGY2NGQ3N2I5YzAxYWM4NzkwNDI2NGMwNzk0M2E0MDg3YWYwNDkyZTg0MjQ3ZjlhYjg2Iiwia2V5IjoiOE5RU1hJd0JkcGJWLTFXV3ZKdVY6VkRPYTJIOWdTNjIxdGVWbkFjTFRDQSJ9
ℹ️ Configure other nodes to join this cluster:
• Copy the following enrollment token and start new Elasticsearch nodes with `bin/elasticsearch --enrollment-token <token>` (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjUuMCIsImFkciI6WyIxMC40MC4wLjA6OTIwMCJdLCJmZ3IiOiI2YWVhNDAyYmRmNDRkNGY2NGQ3N2I5YzAxYWM4NzkwNDI2NGMwNzk0M2E0MDg3YWYwNDkyZTg0MjQ3ZjlhYjg2Iiwia2V5IjoiOHRRU1hJd0JkcGJWLTFXV3ZKdXU6SXJObjMtVUxSanlSek4wdzRPOGtoUSJ9
Command to generate the token for connecting Kibana
./bin/elasticsearch-create-enrollment-token -f --scope kibana -E xpack.security.http.ssl.verification_mode=certificate
Command to generate the token for adding a new node
./bin/elasticsearch-create-enrollment-token -f --scope node -E xpack.security.http.ssl.verification_mode=certificate
# If it was not started as a daemon, Ctrl+C stops the program directly
# If it was started as a daemon, look up the process PID and kill the process to stop it
ps -ef | grep elasticsearch
kill -9 <process PID>
su root
cd /lib/systemd/system/ ### directory for service unit files
vim /lib/systemd/system/elasticsearch.service ### write the following content
[Unit]
Description=elasticsearch
After=network.target
[Service]
Type=simple
User=elastic
# Elasticsearch installation directory
ExecStart=/opt/elasticsearch-8.5.0/bin/elasticsearch
PrivateTmp=true
# Maximum number of files this process may open
LimitNOFILE=65535
# Maximum number of processes this process may start
LimitNPROC=65535
# Maximum virtual memory
LimitAS=infinity
# Maximum file size
LimitFSIZE=infinity
Restart=on-failure
[Install]
WantedBy=multi-user.target
# Reload the systemd configuration
systemctl daemon-reload
# Enable the service
systemctl enable elasticsearch
# Start the service
systemctl start elasticsearch
# Check the service status
systemctl status elasticsearch
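Open https://xxx.xx.xx.xxx:9200/ to check whether the node started successfully
Original-content statement: this article is published in the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.
In case of infringement, contact cloudcommunity@tencent.com for removal.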