I. Configure mutual trust between the environments:
1. Environment variables:
useradd es
sudo su - es
export ES_JAVA_HOME=/data/es8/cluster1/node1/jdk
PATH=$ES_JAVA_HOME/bin:$PATH:$HOME/.local/bin:$HOME/bin
unset CLASSPATH
2. Set the cluster name in the configuration file (elasticsearch.yml):
cluster.name: leader-cluster
3. Start the node
./bin/elasticsearch
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
8EeBYsu*c2 mgBy CG*D
ℹ️ HTTP CA certificate SHA-256 fingerprint:
832e6c80679f78688840d340bd88b475aab7363f052df8c70bfed13f27a647d9
ℹ️ Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTAuODMuMTQ0LjM2OjkyMDAiXSwiZmdyIjoiODMyZTZjODA2NzlmNzg2ODg4NDBkMzQwYmQ4OGI0NzVhYWI3MzYzZjA1MmRmOGM3MGJmZWQxM2YyN2E2NDdkOSIsImtleSI6InpRZlFWNUFCOERrYVF6NnBpXzNsOkxEeTVzekRIUTNhRnR0R08zLXlQOVEifQ==
ℹ️ Configure other nodes to join this cluster:
• On this node:
⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.
⁃ Restart Elasticsearch.
• On other nodes:
⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. View the password that protects the certificate keystore
[es@test-erp-dba01 node1]$ ./bin/elasticsearch-keystore list
warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
[es@test-erp-dba01 node1]$ ./bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME
JKVda7jhTOqYOqoGfy6KjQ
5. Confirm that the certificate contents can be listed
[es@test-erp-dba01 certs]$ keytool -list -keystore transport.p12 -storepass JKVda7jhTOqYOqoGfy6KjQ
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
transport, Jun 27, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 9A:12:D2:BF:6C:59:59:E4:8C:6C:CB:5F:E6:8A:18:E6:4F:E9:96:5E:9D:5D:72:8C:A6:99:83:B2:76:6B:8A:FF
transport_ca, Jun 27, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): E4:74:79:D2:BD:2D:23:0A:47:31:41:4F:E0:59:2B:51:76:5E:6B:91:A0:8B:2F:FA:15:31:CA:EF:6F:B1:CF:69
6. Export the node certificate (not the CA certificate)
[es@test-erp-dba01 certs]$ openssl pkcs12 -clcerts -nokeys -in transport.p12 -out leader.crt
Enter Import Password:
MAC verified OK
[es@test-erp-dba01 certs]$ ll
total 28
-rw-rw---- 1 es es 1915 Jun 27 11:49 http_ca.crt
-rw-rw---- 1 es es 10013 Jun 27 11:49 http.p12
-rw-rw-r-- 1 es es 2048 Jun 27 14:26 leader.crt
-rw-rw---- 1 es es 5822 Jun 27 11:49 transport.p12
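7. Start Kibana and import the certificate
The enrollment token expires after 30 minutes by default. If the following error appears while regenerating the enrollment token, Elasticsearch is not running: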
[es@test-erp-dba01 node1]$ ./bin/elasticsearch-create-enrollment-token -s kibana
warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME
ERROR: Failed to determine the health of the cluster. , with exit code 69
Start Elasticsearch:
[es@test-erp-dba01 node1]$ ./bin/elasticsearch -d
Then try again:
[es@test-erp-dba01 node1]$ ./bin/elasticsearch-create-enrollment-token -s kibana
warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME
eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTAuODMuMTQ0LjM2OjkyMDAiXSwiZmdyIjoiODMyZTZjODA2NzlmNzg2ODg4NDBkMzQwYmQ4OGI0NzVhYWI3MzYzZjA1MmRmOGM3MGJmZWQxM2YyN2E2NDdkOSIsImtleSI6ImUzWnJXSkFCOGhDX2JKay1KcUsyOldvTFFTSDRTUVlpallFNzZ4Y1BiSFEifQ==
II. On the second node
1. Confirm the environment variables:
[es@test-erp-dba02 config]$ echo $ES_JAVA_HOME
/data/es8/cluster1/node1/jdk
[es@test-erp-dba02 config]$ which java
/data/es8/cluster1/node1/jdk/bin/java
[es@test-erp-dba02 config]$ which keytool
/data/es8/cluster1/node1/jdk/bin/keytool
unset CLASSPATH
[es@test-erp-dba02 config]$ cat elasticsearch.yml |grep -v '#'
cluster.name: follower-cluster
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
ki IGlsa4rx5w wt=8qY
ℹ️ HTTP CA certificate SHA-256 fingerprint:
d47556c46cefe3920802b310390cc07de4bd3eb85031ce198959ebabfd0e6aed
ℹ️ Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTAuODMuMTQ0LjM3OjkyMDAiXSwiZmdyIjoiZDQ3NTU2YzQ2Y2VmZTM5MjA4MDJiMzEwMzkwY2MwN2RlNGJkM2ViODUwMzFjZTE5ODk1OWViYWJmZDBlNmFlZCIsImtleSI6IkxsWm1XSkFCLXhUNXJyQ0RTQWdXOnN2dHQ1aWZEUWtLeHFBUTRYUXp0cWcifQ==
ℹ️ Configure other nodes to join this cluster:
• On this node:
⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.
⁃ Restart Elasticsearch.
• On other nodes:
⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[es@test-erp-dba02 node1]$ ./bin/elasticsearch
2. Start Kibana
3. Export the node certificate
[es@test-erp-dba02 node1]$ ./bin/elasticsearch-keystore list
warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
[es@test-erp-dba02 node1]$ ./bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME
J8cA3CA5SHOlCTIpGsiGmg
[es@test-erp-dba02 certs]$ openssl pkcs12 -in transport.p12 -clcerts -nokeys -out follower.crt
Enter Import Password:
MAC verified OK
[es@test-erp-dba02 certs]$ ll
total 28
-rw-rw-r-- 1 es es 2064 Jun 27 14:47 follower.crt
-rw-rw---- 1 es es 1915 Jun 27 14:33 http_ca.crt
-rw-rw---- 1 es es 10013 Jun 27 14:33 http.p12
-rw-rw---- 1 es es 5822 Jun 27 14:33 transport.p12
III. Import each cluster's certificate into the other
1. Copy the certificates with scp
On the leader node:
[es@test-erp-dba01 certs]$ scp leader.crt ip_follower:/data/es8/cluster1/node1/config/certs/
leader.crt
On the follower node:
[es@test-erp-dba02 certs]$ scp follower.crt ip_leader:/data/es8/cluster1/node1/config/certs/
follower.crt
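Before a copied certificate is imported into transport.p12, its SHA-256 fingerprint can be compared with the value keytool printed for the "transport" entry on the node it came from (step I.5). The script below is an added example, not part of the original procedure; the function names norm_fp, fp_match and verify_cert are assumptions chosen here, and the script accepts the keytool, openssl and bare-hex notations that appear on this page.

```shell
#!/bin/sh
# Added example: check a copied certificate against a fingerprint obtained
# on the source node before trusting it. Function names are hypothetical.

# Reduce a fingerprint in any of these notations to 64 lowercase hex digits:
#   keytool : "Certificate fingerprint (SHA-256): 9A:12:..."
#   openssl : "sha256 Fingerprint=9A:12:..."
#   ES log  : "832e6c80..." (already bare hex)
norm_fp() {
    fp=$(printf '%s' "$1" \
        | sed -e 's/[[:space:]]*$//' -e 's/^.*[ =]//' \
        | tr -d ':' | tr 'A-F' 'a-f')
    case "$fp" in
        ''|*[!0-9a-f]*) return 1 ;;   # empty or non-hex characters
    esac
    [ "${#fp}" -eq 64 ] || return 1   # SHA-256 is 32 bytes
    printf '%s\n' "$fp"
}

# Succeed only if both arguments are valid and denote the same fingerprint.
fp_match() {
    a=$(norm_fp "$1") && b=$(norm_fp "$2") && [ "$a" = "$b" ]
}

# verify_cert EXPECTED_FINGERPRINT CERT_FILE
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be parsed.
# openssl skips the "Bag Attributes" lines that pkcs12 export puts before
# the PEM block, so leader.crt / follower.crt can be passed as-is.
verify_cert() {
    out=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 2
    if fp_match "$1" "$out"; then
        echo "OK: $2 matches expected fingerprint"
    else
        echo "MISMATCH: $2 reports: $out" >&2
        return 1
    fi
}

# Usage on the follower, with the line keytool printed on the leader:
#   sh verify_fp.sh 'Certificate fingerprint (SHA-256): 9A:12:...' leader.crt
# Run the keytool -importcert step only if this exits 0.
if [ "$#" -eq 2 ]; then
    verify_cert "$1" "$2"
fi
```
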
2. Import the certificates
On the leader node:
[es@test-erp-dba01 certs]$ keytool -importcert -trustcacerts -noprompt -alias "follower-cert" -keystore transport.p12 -storepass JKVda7jhTOqYOqoGfy6KjQ -file follower.crt
Certificate was added to keystore
On the follower node:
[es@test-erp-dba02 certs]$ keytool -importcert -trustcacerts -noprompt -keystore transport.p12 -storepass J8cA3CA5SHOlCTIpGsiGmg -alias "leader-cert" -file ./leader.crt
Certificate was added to keystore
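IV. Configuration file changes
1. Be sure to set transport.host: 0.0.0.0 in elasticsearch.yml, then restart.
2. Configure the remote cluster under Stack Management ---> Remote Clusters
V. Configure CCS
Create an index on the follower node: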
PUT /twiter/_doc/1
{
  "msg": "hello world"
}
Query the data from the leader node:
GET /_remote/info
PUT /_cluster/settings
{
  "persistent": {
    "cluster.remote": {
      "remote_cluster": {
        "seeds": [
          "10.83.144.37:9300"
        ]
      }
    }
  }
}
GET remote_cluster:twiter/_search
GET _cat/indices
PUT myindex-ccr
PUT myindex-ccr/_settings
{
  "number_of_replicas": 0
}
POST myindex-ccr/_doc/1
{
  "msg": "hello myindex-ccr"
}
Configure the replication object under Stack Management ---> Cross-Cluster Replication