Question about the incorrect IP address in the ES cluster enrollment token?

Part of the ES configuration file is as follows:

# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 0.0.0.0
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------


#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically      
# generated to configure Elasticsearch security features on 08-06-2023 05:49:38
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["dev01"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
transport.host: 0.0.0.0

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

Generate the token with the official command:

/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node

Install on the new node and, following the prompts, join using the generated token:

[root@dev02 ~]# /usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token eyJ2ZXIiOiI4LjguMCIsImFkciI6WyIxNzIuMTcuMC4xOjkyMDAiXSwiZmdyIjoiMWNhYTZhZDFlNDRiNTc1NjQwZjBkZGQzMTA3MjY4ZDNmN2NkMWU4M2ZiZWI3MzNlZDg1Zjk1ZjRlYWJlY2RiMyIsImtleSI6IjF3bFFtb2dCZ0o1TldtVkNjSG5HOjJ5cXl5RUt5UVl1R2JKZXZ6SnV2MWcifQ==
warning: ignoring JAVA_HOME=/root/env/zulu8.70.0.23; using bundled JDK

This node will be reconfigured to join an existing cluster, using the enrollment token that you provided.
This operation will overwrite the existing configuration. Specifically: 
  - Security auto configuration will be removed from elasticsearch.yml
  - The [certs] config directory will be removed
  - Security auto configuration related secure settings will be removed from the elasticsearch.keystore
Do you want to continue with the reconfiguration process [y/N]y
Unable to communicate with the node on https://172.17.0.1:9200/_security/enroll/node. Error was Connection refused
ERROR: Aborting enrolling to cluster. Could not communicate with the node on any of the addresses from the enrollment token. All of [172.17.0.1:9200] were attempted.
[root@dev02 ~]# 

The address here, 172.17.0.1:9200, is wrong. Below is the IP address information of the first node:

[root@dev01 elasticsearch]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:68ff:fed3:2864  prefixlen 64  scopeid 0x20<link>
        ether 02:42:68:d3:28:64  txqueuelen 0  (Ethernet)
        RX packets 42898  bytes 32258634 (30.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 61595  bytes 9578680 (9.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.220  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::20c:29ff:fef1:ce7c  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:f1:ce:7c  txqueuelen 1000  (Ethernet)
        RX packets 10941141  bytes 5562339556 (5.1 GiB)
        RX errors 0  dropped 294  overruns 0  frame 0
        TX packets 2141017  bytes 223001264 (212.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 11693530  bytes 1546289852 (1.4 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11693530  bytes 1546289852 (1.4 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I don't know why the generated token uses the docker0 address rather than my ens192 address.

I tried changing transport.host and network.host in the configuration file, but neither changes the address in the token.

Thanks in advance for any answers.

2 answers

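1. Temporarily disable the Docker network interface, then generate the enrollment token:

```
sudo ip link set docker0 down
```

Then generate the enrollment token. When finished, re-enable the Docker network interface:

```
sudo ip link set docker0 up
```

In the Elasticsearch configuration file:

```
network.host: 192.168.0.220
transport.host: 192.168.0.220
```

Then restart Elasticsearch and generate the enrollment token again.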

Try base64-decoding the token:

{"ver":"8.8.0","adr":["172.17.0.1:9200"],"fgr":"1caa6ad1e44b575640f0ddd3107268d3f7cd1e83fbeb733ed85f95f4eabecdb3","key":"1wlQmogBgJ5NWmVCcHnG:2yqyyEKyQYuGbJevzJuv1g"}

Then change the IP here to the node's IP, base64-encode it again, and finally use the new base64 result as the token to join.
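
The decode, edit and re-encode steps from the answer above, as an added Python example that is not part of the original answers. The function names and the `192.168.0.0/24` network check are assumptions made for illustration, and the sample token is constructed: its `adr` is the value from the question, while `fgr` and `key` are placeholders.

```python
import base64
import ipaddress
import json

def decode_token(token):
    """Enrollment token -> dict with the ver/adr/fgr/key fields seen above."""
    return json.loads(base64.b64decode(token))

def encode_token(fields):
    """Dict -> token: compact JSON, standard base64 (the token above ends in '==')."""
    raw = json.dumps(fields, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()

def addrs_outside(fields, cluster_net):
    """Return the adr entries whose host is not inside cluster_net."""
    net = ipaddress.ip_network(cluster_net)
    outside = []
    for addr in fields["adr"]:
        host = addr.rsplit(":", 1)[0].strip("[]")  # drop port and IPv6 brackets
        if ipaddress.ip_address(host) not in net:
            outside.append(addr)
    return outside

def readdress(token, new_addrs):
    """Replace only adr; ver, fgr and key are carried over unchanged."""
    fields = decode_token(token)
    fields["adr"] = list(new_addrs)
    return encode_token(fields)

# Constructed sample: adr is the value from the question, fgr and key are placeholders.
SAMPLE = encode_token({
    "ver": "8.8.0",
    "adr": ["172.17.0.1:9200"],
    "fgr": "0" * 64,
    "key": "PLACEHOLDER_ID:PLACEHOLDER_SECRET",
})

if __name__ == "__main__":
    # The docker0 address is flagged as outside the ens192 network.
    print(addrs_outside(decode_token(SAMPLE), "192.168.0.0/24"))
    fixed = readdress(SAMPLE, ["192.168.0.220:9200"])
    print(decode_token(fixed)["adr"])
    print(fixed)  # pass this to elasticsearch-reconfigure-node --enrollment-token
```

The `key` field of a real token is a credential for the enrollment API, so keep decoded tokens out of shell history and logs.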
