ES 6.8 cluster deployment (SSL authentication) + NFS backup (production)

ES cluster deployment
Environment:
192.168.56.111
192.168.56.112
192.168.56.113

--------------------------------------------Basic installation-----------------------------------
1. Install Java
Installation guide: https://www.cnblogs.com/hxlasky/p/14775706.html
Make sure the Java version is 1.8 or later
[root@rac01 soft]# java -version
java version "1.8.0_291"
Java(TM) SE Runtime Environment (build 1.8.0_291-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.291-b10, mixed mode)


2. Download the required release
I downloaded 6.8.5: elasticsearch-6.8.5.tar.gz
Download address:
https://www.elastic.co/cn/downloads/past-releases#elasticsearch

 

3. Create the middleware install directory and the data and log directories
[root@es soft]# mkdir -p /usr/local/services
[root@es soft]# mkdir -p /home/middle/elasticsearch/data
[root@es soft]# mkdir -p /home/middle/elasticsearch/logs

 

3. Create the user and group
groupadd -g 1500 elasticsearch
useradd -u 1500 -g elasticsearch elasticsearch

passwd elasticsearch

 

4. Upload to the server
Unpack the archive and move it into the install directory
[root@rac01 soft]# cd /soft
[root@rac01 soft]# tar -xvf elasticsearch-6.8.5.tar.gz
[root@rac01 soft]# mv elasticsearch-6.8.5 /usr/local/services/elasticsearch

 

5. Change the owner of the elasticsearch directory to the elasticsearch user
[root@es config]# cd /usr/local/services
[root@es services]# chown -R elasticsearch.elasticsearch ./elasticsearch

Also hand the data and log directories over to the elasticsearch user
[root@es services]# cd /home/middle
[root@es middle]# chown -R elasticsearch.elasticsearch ./elasticsearch

 

6. Create the backup directory
[root@rac01 home]# mkdir -p /home/middle/esbak
[root@rac01 home]# cd /home/middle
[root@rac01 home]# chown -R elasticsearch.elasticsearch ./esbak

 

7. Edit the configuration file
[root@rac01 middle]# su - elasticsearch
[elasticsearch@rac01 ~]$ cd /usr/local/services/elasticsearch/config
[elasticsearch@es config]$ vi elasticsearch.yml

cluster.name: escluster_ysd
node.name: node-111
path.data: /home/middle/elasticsearch/data
path.logs: /home/middle/elasticsearch/logs
network.host: 192.168.56.111
http.port: 19200
discovery.zen.ping.unicast.hosts: ["192.168.56.111", "192.168.56.112","192.168.56.113"]
discovery.zen.minimum_master_nodes: 2
path.repo: /home/middle/esbak

http.cors.enabled: true
http.cors.allow-origin: "*"

Configuration on the other machines:
scp this configuration file to the other machines, then change the values marked in red in the original post:
node.name becomes node-112 and node-113 respectively
network.host becomes the IP address of the respective machine
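Rather than copying the file by hand and editing two values on each host, the per-node elasticsearch.yml can be rendered from one template, which also makes it easy to check that network.host really is one of the discovery hosts (a node bound to an address on another subnet never joins the cluster). This is an added example, not part of the original post; cluster name, paths, port and addresses are the ones used above, and the render_es_config / check_network_host / render_all function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: render elasticsearch.yml for each node
# from one template so only node.name and network.host differ between hosts, and
# check that network.host is one of the discovery hosts.

DISCOVERY_HOSTS="192.168.56.111 192.168.56.112 192.168.56.113"

# render_es_config <last-octet>   prints the elasticsearch.yml for node-<octet>
render_es_config() {
    octet="$1"
    cat <<EOF
cluster.name: escluster_ysd
node.name: node-$octet
path.data: /home/middle/elasticsearch/data
path.logs: /home/middle/elasticsearch/logs
network.host: 192.168.56.$octet
http.port: 19200
discovery.zen.ping.unicast.hosts: ["192.168.56.111", "192.168.56.112", "192.168.56.113"]
discovery.zen.minimum_master_nodes: 2
path.repo: /home/middle/esbak

# CORS is only needed when a browser-based tool talks to the REST port directly;
# "*" lets any web page the operator visits send requests, so narrow it to that
# tool's origin instead of "*" if you enable it at all.
http.cors.enabled: true
http.cors.allow-origin: "*"
EOF
}

# check_network_host <yml>   returns 0 if network.host is in DISCOVERY_HOSTS, else 1
check_network_host() {
    host=$(sed -n 's/^network\.host:[[:space:]]*//p' "$1")
    for h in $DISCOVERY_HOSTS; do
        [ "$h" = "$host" ] && return 0
    done
    echo "$1: network.host '$host' is not one of: $DISCOVERY_HOSTS" >&2
    return 1
}

# render_all <outdir>   writes elasticsearch-<octet>.yml for every node and checks each one
render_all() {
    mkdir -p "$1"
    for n in 111 112 113; do
        render_es_config "$n" > "$1/elasticsearch-$n.yml"
        check_network_host "$1/elasticsearch-$n.yml" || return 1
    done
}
```

Run `render_all ./out` and scp each `out/elasticsearch-<octet>.yml` to the matching host as `/usr/local/services/elasticsearch/config/elasticsearch.yml`; the check would have caught a network.host such as 192.168.1.111 on a node whose peers all live in 192.168.56.0/24.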

 

8. Change the JVM parameters (/usr/local/services/elasticsearch/config/jvm.options)

## JVM configuration

################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms4g
-Xmx4g


9. Edit /usr/local/services/elasticsearch/bin/elasticsearch
# ES_JAVA_OPTS="-Xms8g -Xmx8g" ./bin/elasticsearch
export ES_HEAP_SIZE=4g


10. Start
Run this on every node and make sure each machine starts
[root@rac01 middle]# su - elasticsearch
[elasticsearch@es ~]$ cd /usr/local/services/elasticsearch/bin
./elasticsearch -d

curl 'http://192.168.56.111:19200/_cat/nodes?v'
curl http://192.168.56.111:19200/?pretty
curl http://192.168.56.112:19200/?pretty
curl -X GET 'http://192.168.56.111:19200/_cat/indices?v'

 

----------------------------Configure intra-cluster communication--------------------------------

 

TLS-based authentication is recommended; see: https://www.cnblogs.com/hxlasky/p/14784423.html

The elasticsearch-certgen approach will be removed in a later version


11. Set up secure access to Elasticsearch with X-Pack
From ES 6.8 X-Pack can be used free of charge, so it no longer needs to be cracked

12. Run elasticsearch-certgen on any one machine
I ran it on 192.168.56.111
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@rac01 bin]$ ./elasticsearch-certgen
******************************************************************************
Note: The 'elasticsearch-certgen' tool has been deprecated in favour of the
'elasticsearch-certutil' tool. This command will be removed in a future
release.
******************************************************************************

This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL in the Elastic stack. Depending on the command
line option specified, you may be prompted for the following:

* The path to the output file
* The output file is a zip file containing the signed certificates and
private keys for each instance. If a Certificate Authority was generated,
the certificate and private key will also be included in the output file.
* Information about each instance
* An instance is any piece of the Elastic Stack that requires an SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* Certificate Authority private key password
* The password may be left empty if desired.

Let's get started...

Please enter the desired output file [certificate-bundle.zip]: cert.zip
Enter instance name: escluster_ysd
Enter name for directories and files [escluster_ysd]: elasticsearch
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.56.111,192.168.56.112,192.168.56.113
Enter DNS names for instance (comma-separated if more than one) []: node-111,node-112,node-113
Would you like to specify another instance? Press 'y' to continue entering instance information: ## just press Enter here
Certificates written to /usr/local/services/elasticsearch/bin/cert.zip

This file should be properly secured as it contains the private keys for all
instances and the certificate authority.

After unzipping the file, there will be a directory for each instance containing
the certificate and private key. Copy the certificate, key, and CA certificate
to the configuration directory of the Elastic product that they will be used for
and follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

Enter instance name: escluster_ysd ## the instance name can be anything you choose
Enter name for directories and files [escluster_ysd]: elasticsearch ## directory that will hold the SSL files; can be anything you choose
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.56.111,192.168.56.112,192.168.56.113 ## the IP of every node
Enter DNS names for instance (comma-separated if more than one) []: node-111,node-112,node-113 ## the node names, i.e. the node.name values from the configuration file


13. Copy cert.zip to all three machines
Copy cert.zip into /usr/local/services/elasticsearch/config on each of the three machines and unzip it, which creates the ca and elasticsearch directories; then edit elasticsearch.yml

Current node:
[root@rac01 middle]# su - elasticsearch
[elasticsearch@rac01 ~]$ cd /usr/local/services/elasticsearch/bin/
[elasticsearch@rac01 bin]$ cp cert.zip /usr/local/services/elasticsearch/config/
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/config/
[elasticsearch@rac01 config]$ unzip cert.zip
Archive: cert.zip
creating: ca/
inflating: ca/ca.crt
inflating: ca/ca.key
creating: elasticsearch/
inflating: elasticsearch/elasticsearch.crt
inflating: elasticsearch/elasticsearch.key

Copy cert.zip to the other machines and do the same there

[yeemiao@localhost config]$ scp cert.zip elasticsearch@192.168.56.112:/usr/local/services/elasticsearch/config/
[yeemiao@localhost config]$ scp cert.zip elasticsearch@192.168.56.113:/usr/local/services/elasticsearch/config/
Unzip
[root@rac02 middle]# su - elasticsearch
[elasticsearch@rac02 ~]$ cd /usr/local/services/elasticsearch/config/
[elasticsearch@rac02 config]$ unzip cert.zip

 

14. Edit the configuration file
Append the following to the end of the configuration file on every machine:

[root@rac01 middle]# su - elasticsearch
vi /usr/local/services/elasticsearch/config/elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt
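Before restarting the nodes it is worth checking the files these settings point at: that the private key belongs to the certificate, that ca/ca.crt really issued it, that the SAN lists every node IP and DNS name entered at the certgen prompts (otherwise hostname verification between nodes fails), and that the key is not group/world readable. The following checker is an added example, not part of the original post or of Elasticsearch; it assumes openssl is installed, uses the paths and addresses from the post, and the check_es_tls / make_test_pki function names are my own. make_test_pki builds a throwaway CA and node certificate with the same layout cert.zip unpacks to, so the checker can be exercised without touching the real keys.

```sh
#!/bin/sh
# Added example, not from the original post: validate the key, certificate and CA
# referenced by xpack.ssl.* in elasticsearch.yml before restarting the cluster.

EXPECTED_IPS="192.168.56.111 192.168.56.112 192.168.56.113"
EXPECTED_DNS="node-111 node-112 node-113"

# check_es_tls <config-dir>   (directory containing ca/ and elasticsearch/)
# returns 0 if every check passes, 1 otherwise; reasons are printed to stderr
check_es_tls() {
    cert="$1/elasticsearch/elasticsearch.crt"
    key="$1/elasticsearch/elasticsearch.key"
    ca="$1/ca/ca.crt"
    ok=0
    # 1. the key and the certificate carry the same public key
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "$key does not match $cert" >&2; ok=1
    fi
    # 2. the cluster CA issued the certificate
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert is not signed by $ca" >&2; ok=1
    fi
    # 3. every node address and name is in the Subject Alternative Name extension
    san="$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1),"
    for ip in $EXPECTED_IPS; do
        case "$san" in *"IP Address:$ip,"*) ;; *) echo "SAN is missing IP $ip" >&2; ok=1 ;; esac
    done
    for name in $EXPECTED_DNS; do
        case "$san" in *"DNS:$name,"*) ;; *) echo "SAN is missing DNS name $name" >&2; ok=1 ;; esac
    done
    # 4. the private key must be readable by the elasticsearch user only
    case "$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")" in
        600|400) ;;
        *) echo "$key is readable by other users; chmod 600 it" >&2; ok=1 ;;
    esac
    return $ok
}

# make_test_pki <dir>   throwaway CA + node cert in the same layout as cert.zip (test data only)
make_test_pki() {
    mkdir -p "$1/ca" "$1/elasticsearch"
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = escluster_ysd test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca/ca.key" -out "$1/ca/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=escluster_ysd" \
        -keyout "$1/elasticsearch/elasticsearch.key" -out "$1/node.csr" 2>/dev/null
    # the same IPs and DNS names that were entered at the certgen prompts
    printf 'subjectAltName=IP:192.168.56.111,IP:192.168.56.112,IP:192.168.56.113,DNS:node-111,DNS:node-112,DNS:node-113\n' > "$1/san.ext"
    openssl x509 -req -in "$1/node.csr" -CA "$1/ca/ca.crt" -CAkey "$1/ca/ca.key" -CAcreateserial \
        -days 1 -extfile "$1/san.ext" -out "$1/elasticsearch/elasticsearch.crt" 2>/dev/null
    chmod 600 "$1/ca/ca.key" "$1/elasticsearch/elasticsearch.key"
}
```

On a real node run `check_es_tls /usr/local/services/elasticsearch/config` as the elasticsearch user; the certgen bundle contains ca/ca.key as well, which only needs to exist where new certificates are issued, so it can be removed from the node config directories once the bundle has been unpacked.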

 

15. Restart
Kill the old process, then start again
kill -9 <pid>

[root@rac01 middle]# su - elasticsearch
[elasticsearch@es ~]$ cd /usr/local/services/elasticsearch/bin
./elasticsearch -d

From now on a password is required for access
curl 'http://192.168.56.111:19200/_cat/nodes?pretty'

[elasticsearch@rac01 bin]$ curl 'http://192.168.56.111:19200/_cat/nodes?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication token for REST request [/_cat/nodes?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication token for REST request [/_cat/nodes?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

Next, set the passwords

 

16. Set the passwords
Run this on one machine only; I ran it on 192.168.56.111 and set every password to elastic
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@rac01 bin]$ ./elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
[elasticsearch@rac01 bin]$

 

 

17. Verify
curl -u elastic:elastic 'http://192.168.56.111:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.56.112:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.56.113:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.56.111:19200/_cat/health?v'

 

18. Data verification
List the indices:
curl -u elastic:elastic -X GET 'http://192.168.56.111:19200/_cat/indices?v'

Create an index and a document on node 1:
curl -u elastic:elastic -XPUT 'http://192.168.56.111:19200/db_customer'
curl -u elastic:elastic -H "Content-Type: application/json" -XPUT 'http://192.168.56.111:19200/db_customer/tb_test/1' -d '{"name": "huangxueliang"}'
Read the data back
curl -u elastic:elastic -XGET 'http://192.168.56.111:19200/db_customer/tb_test/1?pretty'

Read the same document from the other nodes
curl -u elastic:elastic -XGET 'http://192.168.56.112:19200/db_customer/tb_test/1?pretty'
curl -u elastic:elastic -XGET 'http://192.168.56.113:19200/db_customer/tb_test/1?pretty'

 

------------------------Configure backups-------------------------------------------------------
--------Server installation----------------
1. Install the NFS server on the machine that holds the backups
[root@rac01 ios]# yum install -y nfs-utils

 

2. Configure the exports
$ more /etc/exports
/home/middle/esbak 192.168.56.112(insecure,rw,no_root_squash,sync,anonuid=1500,anongid=1500)
/home/middle/esbak 192.168.56.113(insecure,rw,no_root_squash,sync,anonuid=1500,anongid=1500)

 

3. Start the services
First enable rpcbind and nfs at boot (rpcbind must be started first):
[root@rac01 ios]# systemctl enable rpcbind.service
[root@rac01 ios]# systemctl enable nfs-server.service
Then start rpcbind and nfs:
systemctl start rpcbind.service
systemctl start nfs-server.service

systemctl restart rpcbind.service
systemctl restart nfs-server.service

 

4. Check that it took effect
Apply the export configuration
exportfs -r
exportfs
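The export options in step 2 deserve a second look before `exportfs -r`. Snapshot files are written as uid/gid 1500 on every node, so the default root_squash together with anonuid/anongid=1500 already maps a client's root to the elasticsearch user; no_root_squash instead lets root on any client act as root on the NFS server, `insecure` accepts requests from unprivileged source ports, and a missing or wildcard host (including the classic "/path (rw)" typo with a space before the parenthesis) exports the share to every host that can reach it. The audit below is an added example, not part of the original post; the audit_exports / exports_ok function names are my own and the exports files in the usage are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: flag risky options in an exports file
# before applying it with `exportfs -r`.

# audit_exports <exports-file>   prints one finding per line
audit_exports() {
    # skip comments and blank lines; each line: <path> <host>(<opts>) [<host>(<opts>) ...]
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while read -r path clients; do
        for spec in $clients; do
            host=${spec%%(*}
            case "$spec" in
                *'('*) opts=${spec#*(}; opts=${opts%)} ;;
                *)     opts="" ;;
            esac
            # a space before "(" leaves the host empty, which exports to the world
            case "$host" in
                ''|'*'|*'*'*) echo "$path: host '$host' exports to any client" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path $host: no_root_squash (client root = server root)" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "$path $host: insecure accepts unprivileged source ports" ;;
            esac
            case ",$opts," in
                *,rw,*) case ",$opts," in
                            *,sync,*) ;;
                            *) echo "$path $host: rw without sync; snapshot writes may be lost if the server crashes" ;;
                        esac ;;
            esac
        done
    done
}

# exports_ok <exports-file>   returns 0 when the audit found nothing, 1 otherwise
exports_ok() {
    [ "$(audit_exports "$1" | grep -c .)" -eq 0 ]
}
```

Running `audit_exports /etc/exports` against the two lines from step 2 reports no_root_squash and insecure for each client; an entry such as `/home/middle/esbak 192.168.56.112(rw,sync,root_squash,anonuid=1500,anongid=1500)` passes, and the elasticsearch user on the client still writes as uid 1500 because only root is squashed.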

---------Client installation---------
First install nfs-utils as above, then start rpcbind
[root@rac02 ios]# yum install -y nfs-utils

First enable rpcbind at boot:
[root@rac02 ios]# systemctl enable rpcbind.service

Then start rpcbind:
[root@rac02 ios]# systemctl start rpcbind.service
Note: the client does not need to start the nfs service

Check whether the NFS server exports the directory: showmount -e <NFS server IP>
showmount -e 192.168.56.111
Export list for 192.168.56.111:
/home/middle/esbak 192.168.56.113,192.168.56.112

Mount it on the target directory
Run the following on the other two nodes:
mount -t nfs -o proto=tcp -o nolock 192.168.56.111:/home/middle/esbak /home/middle/esbak

Check as the elasticsearch user that data can be written
[root@rac02 ios]# su - elasticsearch
[elasticsearch@rac02 esbak]$ cd /home/middle/esbak
[elasticsearch@rac02 esbak]$ echo "112">aa.txt

On the other client
[elasticsearch@rac02 esbak]$ echo "113">bb.txt

Both files are now visible on every node and can be edited from any of them


Start the backup; it only needs to be run on one node (the machine running the NFS server)

[root@rac01 ios]# su - elasticsearch

curl -u elastic:elastic -H "Content-Type: application/json" -XPUT http://192.168.56.111:19200/_snapshot/esbackup -d '{
  "type": "fs",
  "settings": {
    "location": "/home/middle/esbak"
  }
}'

## take a snapshot
curl -u elastic:elastic -H "Content-Type: application/json" -XPUT http://192.168.56.111:19200/_snapshot/esbackup/snapshot_20210517


Show the repository settings
curl -u elastic:elastic -X GET "192.168.56.111:19200/_snapshot/esbackup?pretty"
List all snapshots
curl -u elastic:elastic -X GET "192.168.56.111:19200/_snapshot/esbackup/_all?pretty"
curl -u elastic:elastic -X GET "192.168.56.112:19200/_snapshot/esbackup/_all?pretty"

Delete a snapshot
curl -u elastic:elastic -X DELETE "192.168.56.111:19200/_snapshot/esbackup/snapshot_20210517"
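For a scheduled backup the one-off curl calls above need three additions: the credentials should not be passed as `-u elastic:elastic` on the command line (the password is then visible in `ps` output and in shell history), the repository should be verified with the `_verify` API so that every node proves it can write to the NFS share, and the snapshot request should wait for completion and check the reported state instead of returning immediately. The script below is an added example, not part of the original post; ES_URL, NETRC and the es / snapshot_name / snapshot_state / run_backup function names are my own, while the repository name and location are the post's.

```sh
#!/bin/sh
# Added example, not from the original post: take a verified, completed snapshot
# into the esbackup repository using credentials from a netrc file.

ES_URL="${ES_URL:-http://192.168.56.111:19200}"
# expected netrc line:  machine 192.168.56.111 login elastic password <secret>
NETRC="${NETRC:-$HOME/.es_netrc}"

# es <METHOD> <path> [json-body]   authenticated request; --fail makes HTTP errors non-zero
es() {
    if [ -n "${3:-}" ]; then
        curl -sS --fail --netrc-file "$NETRC" -H 'Content-Type: application/json' -X "$1" "$ES_URL$2" -d "$3"
    else
        curl -sS --fail --netrc-file "$NETRC" -X "$1" "$ES_URL$2"
    fi
}

# snapshot_name   date-stamped name, e.g. snapshot_20210517_153000
snapshot_name() {
    echo "snapshot_$(date +%Y%m%d_%H%M%S)"
}

# snapshot_state <json-response>   prints the "state" field (SUCCESS, PARTIAL, FAILED ...)
snapshot_state() {
    printf '%s' "$1" | tr -d ' \n\t' | sed -n 's/.*"state":"\([A-Z_]*\)".*/\1/p'
}

# run_backup   register the repository (idempotent), verify it, snapshot, check the result
run_backup() {
    es PUT /_snapshot/esbackup \
        '{"type":"fs","settings":{"location":"/home/middle/esbak","compress":true}}' >/dev/null \
        || { echo "could not register repository esbackup" >&2; return 1; }
    es POST /_snapshot/esbackup/_verify >/dev/null \
        || { echo "repository verification failed: a node cannot write to the share" >&2; return 1; }
    name=$(snapshot_name)
    state=$(snapshot_state "$(es PUT "/_snapshot/esbackup/$name?wait_for_completion=true")")
    [ "$state" = "SUCCESS" ] || { echo "snapshot $name ended in state '${state:-unknown}'" >&2; return 1; }
    echo "snapshot $name: SUCCESS"
}
```

Create the netrc file as the elasticsearch user with mode 600, then call `run_backup` from cron on the NFS server node; a PARTIAL or FAILED state, or a node that fails `_verify`, makes the function return non-zero so the job is reported as failed rather than silently leaving an incomplete snapshot.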

 

 

5. Mount the NFS share automatically at boot

vi /etc/fstab

 

192.168.56.111:/home/middle/esbak /home/middle/esbak nfs defaults,_rnetdev 1 1
With _rnetdev added it does not mount automatically; after removing it, it mounts, but if the server cannot start, the client cannot boot either

 

Original post: https://www.cnblogs.com/hxlasky/p/14777385.html