Does enabling a username/password on ES require enabling HTTPS?

I set up a self-hosted ELK stack as a logging system.

Because Kibana has to be exposed to the public internet and Kibana itself cannot be given a username/password, the only option was to set a username and password on Elasticsearch.

It had been running for over a month after the password was set, but in the last few days it suddenly stopped working. (It is deployed in k8s; the symptom is that the node cannot start and keeps restarting.) I looked at the logs; the key lines are:

ERROR: [1] bootstrap checks failed. You must address the points described in the following [1] lines before starting Elasticsearch.
bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
ERROR: Elasticsearch did not exit normally - check the logs at /usr/share/elasticsearch/logs/k8s-logs.log

Full log:

{"type": "server", "timestamp": "2022-09-13T06:21:57,000Z", "level": "INFO", "component": "o.e.x.s.a.s.FileRolesStore", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "parsed [0] roles from file [/usr/share/elasticsearch/config/roles.yml]" }
{"type": "server", "timestamp": "2022-09-13T06:21:59,520Z", "level": "INFO", "component": "o.e.i.g.ConfigDatabases", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "initialized default databases [[GeoLite2-Country.mmdb, GeoLite2-City.mmdb, GeoLite2-ASN.mmdb]], config databases [[]] and watching [/usr/share/elasticsearch/config/ingest-geoip] for changes" }
{"type": "server", "timestamp": "2022-09-13T06:21:59,524Z", "level": "INFO", "component": "o.e.i.g.DatabaseNodeService", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "initialized database registry, using geoip-databases directory [/tmp/elasticsearch-13072611735141131709/geoip-databases/Ot2R90xBSfqxqRIOMZw2OA]" }
{"type": "server", "timestamp": "2022-09-13T06:22:01,820Z", "level": "INFO", "component": "o.e.t.NettyAllocator", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "creating NettyAllocator with the following configs: [name=unpooled, suggested_max_allocation_size=1mb, factors={es.unsafe.use_unpooled_allocator=null, g1gc_enabled=true, g1gc_region_size=4mb, heap_size=512mb}]" }
{"type": "server", "timestamp": "2022-09-13T06:22:01,973Z", "level": "INFO", "component": "o.e.i.r.RecoverySettings", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "using rate limit [40mb] with [default=40mb, read=0b, write=0b, max=0b]" }
{"type": "server", "timestamp": "2022-09-13T06:22:02,110Z", "level": "INFO", "component": "o.e.d.DiscoveryModule", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "using discovery type [zen] and seed hosts providers [settings]" }
{"type": "server", "timestamp": "2022-09-13T06:22:04,183Z", "level": "INFO", "component": "o.e.g.DanglingIndicesState", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually" }
{"type": "server", "timestamp": "2022-09-13T06:22:06,385Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "initialized" }
{"type": "server", "timestamp": "2022-09-13T06:22:06,387Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "starting ..." }
{"type": "server", "timestamp": "2022-09-13T06:22:06,435Z", "level": "INFO", "component": "o.e.x.s.c.f.PersistentCache", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "persistent cache index loaded" }
{"type": "server", "timestamp": "2022-09-13T06:22:06,436Z", "level": "INFO", "component": "o.e.x.d.l.DeprecationIndexingComponent", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "deprecation component started" }
{"type": "server", "timestamp": "2022-09-13T06:22:06,768Z", "level": "INFO", "component": "o.e.t.TransportService", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "publish_address {10.8.91.69:9300}, bound_addresses {0.0.0.0:9300}" }
{"type": "server", "timestamp": "2022-09-13T06:22:11,632Z", "level": "INFO", "component": "o.e.b.BootstrapChecks", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "bound or publishing to a non-loopback address, enforcing bootstrap checks" }

ERROR: [1] bootstrap checks failed. You must address the points described in the following [1] lines before starting Elasticsearch.
bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
ERROR: Elasticsearch did not exit normally - check the logs at /usr/share/elasticsearch/logs/k8s-logs.log
{"type": "server", "timestamp": "2022-09-13T06:22:11,711Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "stopping ..." }
{"type": "server", "timestamp": "2022-09-13T06:22:11,787Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "stopped" }
{"type": "server", "timestamp": "2022-09-13T06:22:11,788Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "closing ..." }
{"type": "server", "timestamp": "2022-09-13T06:22:11,826Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "closed" }
{"type": "server", "timestamp": "2022-09-13T06:22:11,829Z", "level": "INFO", "component": "o.e.x.m.p.NativeController", "cluster.name": "k8s-logs", "node.name": "es-cluster-0", "message": "Native controller process has stopped - no new native processes can be started" }

What I want is for Elasticsearch to have a username and password without SSL (I don't want HTTPS, just HTTP).

I don't want HTTPS because I would also have to deal with SSL certificates and so on.

What should I do?

The ES version in use is 7.17.5.

Before the breakage, the only change I had made was to the license, following this tutorial: 记录一个 es license 过期的解决方案.

I started with a trial license; it is now basic.

4.4k views
3 answers
Transport SSL must be enabled if security is enabled on a [basic] license

It looks like the basic license requires SSL, i.e. HTTPS.

Reference:

First, look at the ELK pods:

─➤  kbp logging                                                   
NAME                      READY   STATUS             RESTARTS   AGE
es-cluster-0              1/1     Running            0          95m
es-cluster-1              1/1     Running            0          94m
es-cluster-2              1/1     Running            0          94m
kibana-5865776c69-hmc9q   0/1     CrashLoopBackOff   7          38m

Log in to any one of the nodes:

kubectl exec -n logging -it es-cluster-0 -- bash 

root@es-cluster-0:/usr/share/elasticsearch# pwd
/usr/share/elasticsearch
root@es-cluster-0:/usr/share/elasticsearch# ls -alh
total 700K
drwxrwxr-x  1 root          root          4.0K Sep 13 07:18 .
drwxr-xr-x  1 root          root          4.0K Jun 24 02:04 ..
-rw-r--r--  1 root          root           220 Jun 24 02:04 .bash_logout
-rw-r--r--  1 root          root          3.7K Jun 24 02:04 .bashrc
drwxrwxr-x  3 elasticsearch root          4.0K Sep 13 07:18 .cache
-rw-r--r--  1 root          root           807 Jun 24 02:04 .profile
-r--r--r--  1 root          root          3.8K Jun 23 21:55 LICENSE.txt
-r--r--r--  1 root          root          626K Jun 23 21:59 NOTICE.txt
-r--r--r--  1 root          root          2.7K Jun 23 21:55 README.asciidoc
drwxrwxr-x  1 elasticsearch root          4.0K Jun 24 02:03 bin
drwxrwxr-x  1 elasticsearch root          4.0K Sep 13 07:18 config
drwxr-xr-x  4 elasticsearch elasticsearch 4.0K Jul 22 01:00 data
dr-xr-xr-x  1 root          root          4.0K Jun 23 22:02 jdk
dr-xr-xr-x  3 root          root          4.0K Jun 23 22:02 lib
drwxrwxr-x  1 elasticsearch root          4.0K Sep 13 07:18 logs
dr-xr-xr-x 61 root          root          4.0K Jun 23 22:03 modules
drwxrwxr-x  1 elasticsearch root          4.0K Jun 23 21:59 plugins

Generate the CA certificate:

bin/elasticsearch-certutil ca

Now there is a new file, elastic-stack-ca.p12:

root@es-cluster-0:/usr/share/elasticsearch# ls -alh
total 704K
drwxrwxr-x  1 root          root          4.0K Sep 13 09:55 .
drwxr-xr-x  1 root          root          4.0K Jun 24 02:04 ..
-rw-r--r--  1 root          root           220 Jun 24 02:04 .bash_logout
-rw-r--r--  1 root          root          3.7K Jun 24 02:04 .bashrc
drwxrwxr-x  3 elasticsearch root          4.0K Sep 13 07:18 .cache
-rw-r--r--  1 root          root           807 Jun 24 02:04 .profile
-r--r--r--  1 root          root          3.8K Jun 23 21:55 LICENSE.txt
-r--r--r--  1 root          root          626K Jun 23 21:59 NOTICE.txt
-r--r--r--  1 root          root          2.7K Jun 23 21:55 README.asciidoc
drwxrwxr-x  1 elasticsearch root          4.0K Jun 24 02:03 bin
drwxrwxr-x  1 elasticsearch root          4.0K Sep 13 07:18 config
drwxr-xr-x  4 elasticsearch elasticsearch 4.0K Jul 22 01:00 data
-rw-------  1 root          root          2.7K Sep 13 09:55 elastic-stack-ca.p12
dr-xr-xr-x  1 root          root          4.0K Jun 23 22:02 jdk
dr-xr-xr-x  3 root          root          4.0K Jun 23 22:02 lib
drwxrwxr-x  1 elasticsearch root          4.0K Sep 13 07:18 logs
dr-xr-xr-x 61 root          root          4.0K Jun 23 22:03 modules
drwxrwxr-x  1 elasticsearch root          4.0K Jun 23 21:59 plugins

Generate the p12 key:

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Now there is a new file, elastic-certificates.p12:

root@es-cluster-0:/usr/share/elasticsearch# ls -alh
total 708K
drwxrwxr-x  1 root          root          4.0K Sep 13 09:58 .
drwxr-xr-x  1 root          root          4.0K Jun 24 02:04 ..
-rw-r--r--  1 root          root           220 Jun 24 02:04 .bash_logout
-rw-r--r--  1 root          root          3.7K Jun 24 02:04 .bashrc
drwxrwxr-x  3 elasticsearch root          4.0K Sep 13 07:18 .cache
-rw-r--r--  1 root          root           807 Jun 24 02:04 .profile
-r--r--r--  1 root          root          3.8K Jun 23 21:55 LICENSE.txt
-r--r--r--  1 root          root          626K Jun 23 21:59 NOTICE.txt
-r--r--r--  1 root          root          2.7K Jun 23 21:55 README.asciidoc
drwxrwxr-x  1 elasticsearch root          4.0K Jun 24 02:03 bin
drwxrwxr-x  1 elasticsearch root          4.0K Sep 13 07:18 config
drwxr-xr-x  4 elasticsearch elasticsearch 4.0K Jul 22 01:00 data
-rw-------  1 root          root          3.6K Sep 13 09:58 elastic-certificates.p12
-rw-------  1 root          root          2.7K Sep 13 09:55 elastic-stack-ca.p12
dr-xr-xr-x  1 root          root          4.0K Jun 23 22:02 jdk
dr-xr-xr-x  3 root          root          4.0K Jun 23 22:02 lib
drwxrwxr-x  1 elasticsearch root          4.0K Sep 13 07:18 logs
dr-xr-xr-x 61 root          root          4.0K Jun 23 22:03 modules
drwxrwxr-x  1 elasticsearch root          4.0K Jun 23 21:59 plugins

OK, we now have the elastic-certificates.p12 file; this is what we need (and the only thing we need).

So where does it go?

For the docker ES image, the "current path" is /usr/share/elasticsearch/. We need to create a certs folder under the config folder of /usr/share/elasticsearch/ and put elastic-certificates.p12 into /usr/share/elasticsearch/config/certs.

A wrong path gives an error:

ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager - access to read truststore file [/usr/share/elasticsearch/certs/elastic-certificates.p12] is blocked; SSL resources should be placed in the [/usr/share/elasticsearch/config] directory]; nested: AccessControlException[access denied ("java.io.FilePermission" "/usr/share/elasticsearch/certs/elastic-certificates.p12" "read")]

One more thing: the access permissions on this file also need to be changed.
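As an added example (not code from the answer above), the placement and permission step just described, plus the minimal elasticsearch.yml settings that satisfy the bootstrap check from the question while leaving the REST port on plain HTTP. It assumes the docker layout shown above (ES_HOME=/usr/share/elasticsearch, file name elastic-certificates.p12) and that no password was given to certutil.

```shell
#!/bin/sh
# Added example, not part of the original answer: put the PKCS#12 file generated by
# elasticsearch-certutil where ES is allowed to read it, and enable transport-only TLS
# on a basic license while leaving the REST port on plain HTTP.
set -eu

# Assumption: the docker image layout from the answer; override for other installs.
ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"

# Copy the .p12 under config/ (SSL resources outside config/ are blocked, see the
# AccessControlException quoted above) and restrict it to the user ES runs as.
install_transport_cert() {
  p12="$1"
  certs_dir="$ES_HOME/config/certs"
  mkdir -p "$certs_dir"
  cp "$p12" "$certs_dir/"
  target="$certs_dir/$(basename "$p12")"
  # certutil run as root leaves the file root-owned 0600; ES runs as 'elasticsearch'
  if [ "$(id -u)" = 0 ] && id elasticsearch >/dev/null 2>&1; then
    chown elasticsearch:root "$target"
  fi
  chmod 640 "$target"
}

# Append the settings that satisfy the bootstrap check in the question.
append_transport_tls_settings() {
  cat >>"$ES_HOME/config/elasticsearch.yml" <<'EOF'
xpack.security.enabled: true
# inter-node (port 9300) TLS is what the basic license requires
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# the REST port (9200) stays plain HTTP; HTTPS is optional on this license
xpack.security.http.ssl.enabled: false
EOF
  # If certutil was given a password, store it in the ES keystore instead of the yml:
  #   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
  #   bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
}

# Read back one key from elasticsearch.yml (used to verify the result).
setting_value() {
  grep "^$1:" "$ES_HOME/config/elasticsearch.yml" | awk '{print $2}'
}
```

In the k8s deployment from the question, the same .p12 is normally delivered as a Secret mounted at /usr/share/elasticsearch/config/certs on every node rather than copied into a running pod, since a restarted pod loses the copy.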

That's wrong: it is TLS that must be enabled, not HTTPS. HTTPS applies to access via HTTP REST clients and is not required. But TLS between the cluster nodes must be enabled, which is why certificates have to be generated.
