elastic学习-elasticsearch8.5单机集群安装步骤

[toc]

1. win10命令行乱码

1.1 elasticsearch命令行中文乱码

win10命令行启动elasticsearch时,命令行字符乱码,需要修改编码格式:
有两种, 一种是临时, 一种是永久修改注册表:

1.2 临时修改

输入【win+r】->chcp 65001->确定

1.3 修改注册表

1. 打开注册表: 输入【win+r】，regedit 确定;
2. 路径【HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor】
3. 【新建->字符串值】名称=autorun, 值=chcp 65001

2. es生成证书

2.1 签发CA证书

./bin/elasticsearch-certutil ca

一路回车, 目录下生成: elastic-stack-ca.p12

2.2 用CA证书生成节点证书

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

一路回车不要密码, 会生成: elastic-certificates.p12

2.3 将CA证书和节点证书mv到config/certs下

mv *.p12 config/certs/

2.4 签发HTTP证书

交互过程如下: (centos7)

./bin/elasticsearch-certutil http
# 不需要csr, 输入n
Generate a CSR? [y/N]n
# 使用生成的CA整肃, 输入y
Use an existing CA? [y/N]y
# 输入CA路径: 从certs开始
CA Path: certs/elastic-stack-ca.p12
# 没有CA密码,直接回车
Password for elastic-stack-ca.p12:
# 设置5年,默认,输入:5y
For how long should your certificate be valid? [5y] 5y
# 是否需要每个节点都生成证书:输入n
Generate a certificate per node? [y/N]n
# 输入node名称: hostname, 输入后y确认
ZB-PF2P9LED
# 输入ip: , 输入后y确认
192.168.0.102
# 刚才这些配置还需要修改吗? 输入n
Do you wish to change any of these options? [y/N]n
# 不用密码, 回车
Provide a password for the "http.p12" file:  [<ENTER> for none]
# 问要不要给http证书改名, 直接回车
What filename should be used for the output zip file? [D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip]
#最后:
Zip file written to D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip

2.5 证书放到certs目录下

unzip elasticsearch-ssl-http.zip elasticsearch-ssl-http/
mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem config/certs/
# 其余的文件删掉即可

3. 配置elasticsearch.yml

cluster.name: es-cluster
node.name: es-node-1
path.data: D:/devs/elastic-safe/es8.5.2/data
path.logs: D:/devs/elastic-safe/es8.5.2/logs
# 设置网络访问节点
network.host: ZB-PF2P9LED
# 设置网络访问端口
http.port: 9200
# 初始种子节点
#discovery.seed_hosts: ["ZB-PF2P9LED"]
# 安全认证
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# http的认证
xpack.security.http.ssl: 
  enabled: true
  keystore.path: D:/devs/elastic-safe/es8.5.2/config/certs/http.p12
  truststore.path: D:/devs/elastic-safe/es8.5.2/config/certs/http.p12
# 传输认证
xpack.security.transport.ssl: 
  enabled: true
  verification_mode: certificate
  keystore.path: D:/devs/elastic-safe/es8.5.2/config/certs/elastic-certificates.p12
  truststore.path: D:/devs/elastic-safe/es8.5.2/config/certs/elastic-certificates.p12
# 此处注意, es-node-1是上面配置的节点名称
cluster.initial_master_nodes: ["es-node-1"]
http.host: [_local_, _site_]
ingest.geoip.downloader.enabled: false
xpack.security.http.ssl.client_authentication: none

然后启动, 即可!

3.2 额外配置(阿里云)

max_map_count文件包含限制一个进程可以拥有的VMA(虚拟内存区域)的数量 
 处理办法:    #切换到root用户修改
vim /etc/sysctl.conf    # 在最后面追加下面内容
vm.max_map_count=655360
执行  sysctl -p

4. kibana证书

4.1 kibana证书安装

# 1. 直接回车,生成: csr-bundle.zip 
./bin/elasticsearch-certutil csr -name kibana -dns niewj
# 2. 解压缩 kibana.csr kibana.key mv到kibana/config下
# 3. cd到kibana/config下生成crt文件
openssl x509 -req -in kibana.csr -signkey kibana.key -out kibana.crt 

4.2 kibana核心配置

server.port: 5601
server.host: "niewj"
i18n.locale: "zh-CN"
# es主服务器地址
elasticsearch.hosts: ["https://niewj:9200"]
# es访问账密
elasticsearch.username: "kibana"
elasticsearch.password: "xxxxxx"

elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/xxx/es-8.5.2/config/certs/elasticsearch-ca.pem"]
server.ssl.enabled: true
server.ssl.certificate: /xxx/kibana-8.5.2/config/kibana.crt
server.ssl.key: /xxx/kibana-8.5.2/config/kibana.key