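# Kernel tuning for Elasticsearch.
# vm.swappiness=1 keeps the JVM heap from being swapped out (ES recommends
# disabling or minimising swap); vm.max_map_count=262144 is the minimum the
# Elasticsearch bootstrap check requires for mmapfs.
# Each value is applied to the running kernel first and then persisted once;
# the grep guard stops a second run of this snippet from appending duplicate
# lines to /etc/sysctl.conf (the original appended unconditionally and ran
# `sysctl -p` twice).
sysctl -w vm.swappiness=1
grep -q '^vm.swappiness' /etc/sysctl.conf \
  || echo "vm.swappiness=1" >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144
grep -q '^vm.max_map_count' /etc/sysctl.conf \
  || echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
# Reload the persisted file once so a typo in it shows up now, not after reboot.
sysctl -p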
# Per-user resource limits for the account that will run Elasticsearch.
vim /etc/security/limits.conf
# memlock unlimited: needed for bootstrap.memory_lock: true in
# elasticsearch.yml — if the heap cannot be locked the memory-lock bootstrap
# check fails.
# nofile 65536: satisfies the ES "max file descriptors" bootstrap check
# (minimum 65535).
# NOTE(review): limits.conf is applied by PAM at login. If Elasticsearch is
# later run from a systemd unit, set LimitMEMLOCK=infinity and
# LimitNOFILE=65536 in the unit instead — confirm how the service is started.
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
elasticsearch soft nofile 65536
elasticsearch hard nofile 65536
elasticsearch soft nproc 65536
elasticsearch hard nproc 65536
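# Put the JDK's java on the default PATH. $(...) replaces the backticks of
# the original; command -v is the portable equivalent of which.
ln -s "$(command -v java)" /usr/local/bin/java

# NFS client/server — presumably for the shared snapshot repository that
# path.repo (/backup/elasticsearch) points at later; confirm against the
# backup design. On CentOS 7 nfs.service is an alias of nfs-server.service,
# so the same unit name is used for start and enable.
yum install -y nfs-utils rpcbind
systemctl start rpcbind
systemctl start nfs-server
systemctl enable rpcbind
systemctl enable nfs-server

# The guide disables the host firewall and SELinux outright, which leaves
# 9200 (HTTP API, basic auth over plain http) and 9300 reachable from any
# network the host sits on. Preferable: keep firewalld and open only the ES
# ports towards the cluster/management network, e.g.
#   firewall-cmd --permanent --add-port=9200/tcp --add-port=9300/tcp
#   firewall-cmd --reload
# The original commands are kept because the rest of the guide assumes them.
systemctl stop firewalld.service
systemctl disable firewalld.service
# Permissive until reboot only; /etc/selinux/config (next step) persists it.
setenforce 0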
vi /etc/selinux/config
SELINUX=disabled
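# Dedicated unprivileged account for Elasticsearch (it refuses to start as root).
# The original line was `group -g 1004 elastcisearch`: `group` is not a
# command and the name was misspelled, so no group was created and the
# numeric -g 1004 below referred to a gid that did not exist.
groupadd -g 1004 elasticsearch
# No login shell — the account only owns files and runs the daemon.
useradd -u 1004 -g 1004 -s /sbin/nologin elasticsearch
# Data, logs and the snapshot repository live outside the install tree so a
# later upgrade (swapping /usr/local/elasticsearch-<version>) does not touch them.
mkdir -p /appdata/elasticsearch /applog/elasticsearch /backup/elasticsearch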
官网下载地址:
https://www.elastic.co/cn/downloads/past-releases/elasticsearch-6-8-5
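cd /usr/local/ || exit 1
# Fetch the tarball together with the SHA-512 file Elastic publishes next to
# it and verify before unpacking, so a tampered or truncated download is
# caught here rather than at first start.
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.8.5.tar.gz
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.8.5.tar.gz.sha512
sha512sum -c elasticsearch-6.8.5.tar.gz.sha512 || exit 1
tar -xzf elasticsearch-6.8.5.tar.gz
# Version-independent path used throughout the rest of the guide.
ln -s /usr/local/elasticsearch-6.8.5 /usr/local/elasticsearch
# Everything ES reads or writes belongs to the service account created above.
chown -R elasticsearch:elasticsearch /appdata/elasticsearch /applog/elasticsearch /backup/elasticsearch /usr/local/elasticsearch-6.8.5 /usr/local/elasticsearch
vim /usr/local/elasticsearch/config/elasticsearch.yml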
参考配置文件(6.8.5)
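# Reference elasticsearch.yml (6.8.5). ${sysname} and ${HOSTNAME} are taken
# from the environment of the elasticsearch process.
cluster.name: ${sysname}_es
node.name: ${HOSTNAME}
# Up to 5 nodes: no master/data separation.
node.master: true
node.data: true
# master-eligible nodes / 2 + 1 — 2 for the three hosts listed below.
discovery.zen.minimum_master_nodes: 2
path.data: /appdata/elasticsearch
path.logs: /applog/elasticsearch
# Binds every interface. Security below covers the transport layer only, so
# the HTTP API is basic auth over plain http: bind to the cluster/management
# interface, or put TLS in front, before exposing it.
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
# Seed hosts for node discovery and master election.
discovery.zen.ping.unicast.hosts: ["192.168.0.1:9300","192.168.0.2:9300","192.168.0.3:9300"]
http.cors.enabled: true
bootstrap.system_call_filter: true
gateway.recover_after_nodes: 1
action.auto_create_index: true
# Refuse index deletion by wildcard or _all.
action.destructive_requires_name: true
# Keep copies of the same shard off the same host.
# The original had `host:true` with no space after the colon; a YAML parser
# reads that as one scalar, not a key/value pair, so the setting was never
# applied (and the file likely fails to load).
cluster.routing.allocation.same_shard.host: true
# Any origin may call the API from a browser (needed for the Head UI).
# Narrow this to the Head/cerebro origin once it has a fixed address.
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,Content-Type
path.repo: ["/backup/elasticsearch"]
# Requires memlock unlimited for the elasticsearch user (limits.conf).
bootstrap.memory_lock: true
indices.memory.index_buffer_size: 30%
thread_pool.search.queue_size: 1000
thread_pool.bulk.queue_size: 1000
thread_pool.index.queue_size: 1000
#thread_pool.index.size: 56
# NOTE(review): the source was collapsed onto one line; thread_pool.search.size
# may also have been commented out originally — confirm before applying.
thread_pool.search.size: 56
# X-Pack: authentication on, TLS between nodes (required once security is on).
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# "certificate" validates the chain but not the peer's hostname; "full" also
# checks the name in the certificate.
xpack.security.transport.ssl.verification_mode: certificate
# Paths are relative to the config directory.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12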
jvm设置(原则上小于32G,最好设置为30G)
vim /usr/local/elasticsearch/config/jvm.options
# Heap: Xms equal to Xmx so the JVM never resizes the heap at runtime.
# 30g follows the guide's rule of staying below 32g (the usual reason being
# compressed object pointers). ES guidance is also to keep the heap at or
# below ~50% of RAM so the filesystem cache gets the rest — scale down on
# smaller hosts.
-Xms30g
-Xmx30g
ES插件主要包括:安全加密工具x-pack的配置,辅助工具cerebro以及Head的安装
Elasticsearch的x-pack功能在6.8和7.1默认提供安全认证功能。在介绍安全认证功能前,我们先看看完整的官方插件有哪些功能。官方的 X-Pack 提供安全保护比较全面,包括:
本文就不再详细解答以上原理,具体可以查看官网
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/configuring-security.html
x-pack安装主要包括以下三步
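# Generate a CA and a node certificate for transport-layer TLS.
# --out pins where the PKCS#12 files land (the original wrote them into
# whatever the current directory happened to be) and places the node cert
# directly in the config directory the keystore.path settings refer to.
# Both commands prompt for a password. If one is set on the node keystore it
# must also be stored on every node with
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
# (and the matching truststore.secure_password).
/usr/local/elasticsearch-6.8.5/bin/elasticsearch-certutil ca --out /usr/local/elasticsearch-6.8.5/config/elastic-stack-ca.p12
/usr/local/elasticsearch-6.8.5/bin/elasticsearch-certutil cert --ca /usr/local/elasticsearch-6.8.5/config/elastic-stack-ca.p12 --out /usr/local/elasticsearch-6.8.5/config/elastic-certificates.p12
# Both files contain private keys: readable by the service account only.
# Copy elastic-certificates.p12 to the other nodes' config directories; the
# CA file can sign further certificates, so keep it off the nodes once issued.
chown elasticsearch:elasticsearch /usr/local/elasticsearch-6.8.5/config/elastic-stack-ca.p12 /usr/local/elasticsearch-6.8.5/config/elastic-certificates.p12
chmod 600 /usr/local/elasticsearch-6.8.5/config/elastic-stack-ca.p12 /usr/local/elasticsearch-6.8.5/config/elastic-certificates.p12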
# X-Pack security for the transport (node-to-node) layer. Keystore and
# truststore are the same PKCS#12 file written by elasticsearch-certutil, so
# the file doubles as the trust anchor for the CA that signed it.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# "certificate": validate the chain but not the peer hostname; use "full"
# when the certificates carry the node names/IPs.
xpack.security.transport.ssl.verification_mode: certificate
# Absolute paths here vs. the config-relative form in the reference file
# above — both work; keep one style across nodes.
xpack.security.transport.ssl.keystore.path: /usr/local/elasticsearch-6.8.5/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/local/elasticsearch-6.8.5/config/elastic-certificates.p12
/usr/local/elasticsearch-6.8.5/bin/elasticsearch-setup-passwords interactive/auto
interactive: 为给用户手动输入密码
auto: 为给用户随机生成密码
该功能主要包括:
[root@elasticsearch-zxb1 config]# curl -XGET -uelastic:"paic1234A" http://192.168.248.231:9201/_xpack?pretty { "build" : { "hash" : "78990e9", "date" : "2019-11-13T20:04:24.100411Z" }, "license" : { "uid" : "7145fe99-a050-4671-ad2c-5c1f1aa850db", "type" : "basic", "mode" : "basic", "status" : "active" }, "features" : { "ccr" : { "description" : "Cross Cluster Replication", "available" : false, "enabled" : true }, "graph" : { "description" : "Graph Data Exploration for the Elastic Stack", "available" : false, "enabled" : true }, "ilm" : { "description" : "Index lifecycle management for the Elastic Stack", "available" : true, "enabled" : true }, "logstash" : { "description" : "Logstash management component for X-Pack", "available" : false, "enabled" : true }, "ml" : { "description" : "Machine Learning for the Elastic Stack", "available" : false, "enabled" : true, "native_code_info" : { "version" : "6.8.5", "build_hash" : "b07c2d9433ee6d" } }, "monitoring" : { "description" : "Monitoring for the Elastic Stack", "available" : true, "enabled" : true }, "rollup" : { "description" : "Time series pre-aggregation and rollup", "available" : true, "enabled" : true }, "security" : { "description" : "Security for the Elastic Stack", "available" : true, "enabled" : true }, "sql" : { "description" : "SQL access to Elasticsearch", "available" : true, "enabled" : true }, "watcher" : { "description" : "Alerting, Notification and Automation for the Elastic Stack", "available" : false, "enabled" : true } }, "tagline" : "You know, for X" }
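# Check the bootstrap passwords work, then replace them.
# -u is given the user name only: curl prompts for the password, so it does
# not land in shell history or in `ps` output the way `-u user:pass` does.
# These calls use plain http, so the password crosses the network in clear;
# run them from the host itself or enable HTTP TLS (xpack.security.http.ssl.*)
# first.
ES_URL=http://192.168.248.231:9201
curl -u apm_system "$ES_URL/_xpack/security/_authenticate?pretty"
curl -u elastic "$ES_URL/_xpack/security/_authenticate?pretty"
# The new password travels in the request body, read from stdin rather than
# argv. "paic1234A" is the guide's example value; use a distinct, strong
# password per account.
curl -u elastic -H "Content-Type: application/json" -X POST \
  "$ES_URL/_xpack/security/user/apm_system/_password" --data @- <<'EOF'
{"password" : "paic1234A"}
EOF
curl -u elastic -H "Content-Type: application/json" -X POST \
  "$ES_URL/_xpack/security/user/elastic/_password" --data @- <<'EOF'
{"password" : "paic1234A"}
EOF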
主要语法:
POST /_xpack/security/role_mapping/
PUT /_xpack/security/role_mapping/
描述:
role mappings定义了每个用户对应哪种角色,每一个mapping有对应的规则来辨别用户和授予用户的一系列角色
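# Role mappings: which roles a user receives, by rule. The bodies are the ES
# documentation examples. Each call now carries -u elastic (curl prompts for
# the password): with xpack.security.enabled the security API rejects the
# unauthenticated calls of the original with 401.
# mapping1 matches username "*", i.e. every user of every realm gets "user".
curl -u elastic -X POST "localhost:9200/_xpack/security/role_mapping/mapping1?pretty" -H 'Content-Type: application/json' -d'
{
"roles": [ "user"],
"enabled": true,
"rules": {
"field" : { "username" : "*" }
},
"metadata" : {
"version" : 1
}
}'
# mapping2: two named accounts additionally get "admin".
curl -u elastic -X POST "localhost:9200/_xpack/security/role_mapping/mapping2?pretty" -H 'Content-Type: application/json' -d'
{
"roles": [ "user", "admin" ],
"enabled": true,
"rules": {
"field" : { "username" : [ "esadmin01", "esadmin02" ] }
}
}'
# mapping3 grants superuser to one account and to everyone in the LDAP
# "admins" group: membership of that group becomes full control of the
# cluster, so keep it small and audited.
curl -u elastic -X POST "localhost:9200/_xpack/security/role_mapping/mapping3?pretty" -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "any": [
      { "field": { "username": "esadmin" } },
      { "field": { "groups": "cn=admins,dc=example,dc=com" } }
    ]
  }
}'
# mapping4 keys on the realm: everyone authenticated through "ldap1".
curl -u elastic -X POST "localhost:9200/_xpack/security/role_mapping/mapping4?pretty" -H 'Content-Type: application/json' -d'
{
"roles": [ "ldap-user" ],
"enabled": true,
"rules": {
"field" : { "realm.name" : "ldap1" }
}
}'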
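# List existing roles. -u carries the user name only so curl prompts for the
# password; the original embedded it on the command line, where it is kept
# in shell history and shown by `ps`.
curl -u elastic -XGET http://localhost:9201/_xpack/security/role?pretty
# Create a role. cluster: all together with run_as makes this effectively an
# administrator role — assign it sparingly. The `// optional` markers are
# copied from the ES docs' example body; drop them if the server rejects the
# body as malformed JSON.
curl -u elastic -X POST "localhost:9201/_xpack/security/role/my_admin_role?pretty" -H 'Content-Type: application/json' -d'
{
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "bank", "logstash*" ],
      "privileges": ["all"]
    }
  ],
  "applications": [
    {
      "application": "myapp",
      "privileges": [ "admin", "read" ],
      "resources": [ "*" ]
    }
  ],
  "run_as": [ "other_user" ], // optional
  "metadata" : { // optional
    "version" : 1
  }
}'
# Expected response:
# { "role" : { "created" : true } }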
白金版支持:
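# Platinum-licence variant of the role above: field_security restricts which
# fields the role may read and "query" restricts which documents. As with the
# other examples, -u elastic is added (curl prompts) because the API requires
# authentication; the `// optional` markers come from the ES docs.
curl -u elastic -X POST "localhost:9200/_xpack/security/role/my_admin_role?pretty" -H 'Content-Type: application/json' -d'
{
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "index1", "index2" ],
      "privileges": ["all"],
      "field_security" : { // optional
        "grant" : [ "title", "body" ]
      },
      "query": "{\"match\": {\"title\": \"foo\"}}" // optional
    }
  ],
  "applications": [
    {
      "application": "myapp",
      "privileges": [ "admin", "read" ],
      "resources": [ "*" ]
    }
  ],
  "run_as": [ "other_user" ], // optional
  "metadata" : { // optional
    "version" : 1
  }
}'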
DELETE /_xpack/security/role/my_admin_role
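# List users (curl prompts for the elastic password instead of taking it from
# argv as in the original).
curl -u elastic -XGET http://localhost:9201/_xpack/security/user?pretty
# Create user zxb. The example password is the one also given to the built-in
# accounts above; reusing it means one leaked credential opens every account,
# so pick a distinct one here.
# NOTE(review): "admin" is not one of the built-in ES roles — confirm it was
# created through the role API, otherwise that entry grants nothing.
curl -u elastic -X POST "localhost:9201/_xpack/security/user/zxb?pretty" -H 'Content-Type: application/json' -d'
{
"password" : "paic1234A",
"roles" : [ "admin", "my_admin_role" ],
"full_name" : "Jack Nicholson",
"email" : "jacknich@example.com",
"metadata" : {
"intelligence" : 7
}
}'
# Remove or disable the user. These two were unauthenticated in the original
# and would be refused with 401 once security is enabled.
curl -u elastic -X DELETE "localhost:9200/_xpack/security/user/zxb?pretty"
curl -u elastic -X PUT "localhost:9200/_xpack/security/user/zxb/_disable?pretty"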
cerebro是一个使用Scala,Play Framework,AngularJS和Bootstrap构建的开源(MIT许可)elasticsearch web管理工具
安装环境需求
需要Java 1.8或更高版本才能运行。
下载解压
https://github.com/lmenezes/cerebro/releases
# Unpack the cerebro release under /usr/local and expose it through a
# version-free symlink.
cd /usr/local
wget https://github.com/lmenezes/cerebro/releases/download/v0.8.1/cerebro-0.8.1.tgz
tar --extract --gzip --file=cerebro-0.8.1.tgz
ln --symbolic /usr/local/cerebro-0.8.1 /usr/local/cerebro
指定端口启动
# Quick manual start on port 8080. Backgrounded with `&` only — no nohup or
# systemd — so it ends with the login session; it runs with the shipped
# default application.conf (no login configured) and presumably listens on
# all interfaces. Use the service unit below for anything beyond a local test.
/usr/local/cerebro/bin/cerebro -Dhttp.port=8080 &
可以指定登录用户名密码以及集群名字
# hosts section of conf/application.conf: the clusters cerebro can open.
hosts = [
#{
# host = "http://192.168.248.231:9200"
#name = "es_zxb"
#},
# Example of host with authentication
{
host = "http://192.168.248.231:9200"
name = "es_zxb"
# Credentials cerebro presents to Elasticsearch. They are stored in clear
# text: keep application.conf mode 0600 and owned by the cerebro user, and
# use a dedicated ES account with only the privileges cerebro needs rather
# than the elastic superuser.
auth = {
username = "admin"
password = "admin"
}
}
]
创建用户
# Service account for cerebro; no interactive shell.
useradd --shell /sbin/nologin cerebro
解压安装文件
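# Fetch and unpack cerebro, then hand the tree to the service account.
# The original ended in `chown -R cerebro. /usr/local/{cerebro-0.8.1, cerebro}`:
# the space inside the braces splits the argument into two words, so no brace
# expansion happens and chown is given two paths that do not exist.
cd /tmp/ || exit 1
wget https://github.com/lmenezes/cerebro/releases/download/v0.8.1/cerebro-0.8.1.tgz
tar xf /tmp/cerebro-0.8.1.tgz -C /usr/local/
ln -s /usr/local/cerebro-0.8.1 /usr/local/cerebro
chown -R cerebro:cerebro /usr/local/cerebro-0.8.1 /usr/local/cerebro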
更改配置
auth.settings:访问Cerebro的用户名及密码
hosts:要监控的Elasticsearch集群,host:节点访问地址,name:标识,一般用ES的cluster_name
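# Write conf/application.conf. Differences from the original one-liner:
#  * secret (the Play session/crypto key) is generated on this host instead
#    of the fixed string printed in the guide, which every reader would share;
#  * the file is made readable by the cerebro user only, as it holds the
#    cerebro login password in clear text.
# Replace the Admin_2018 example password before exposing port 8080.
# data.path must exist and be writable by cerebro
# (mkdir -p /appdata/cerebro/data && chown -R cerebro:cerebro /appdata/cerebro).
secret=$(od -An -tx1 -N 32 /dev/urandom | tr -d ' \n')
tee /usr/local/cerebro/conf/application.conf << EOF
secret="${secret}"
basePath="/"
pidfile.path="/usr/local/cerebro/cerebro.pid"
data.path="/appdata/cerebro/data/cerebro.db"
es={
  gzip=true
}
auth={
  type: basic
  settings: {
    username="admin"
    password="Admin_2018"
  }
}
hosts=[
  {
    host="http://192.168.1.141:9200"
    name="es_log"
  }
]
EOF
chown cerebro:cerebro /usr/local/cerebro/conf/application.conf
chmod 600 /usr/local/cerebro/conf/application.conf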
创建服务
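# systemd unit for cerebro. The original had `Type=folking`, which systemd
# does not know (it logs a parse error and falls back to the default). The
# cerebro launcher script runs java in the foreground rather than
# daemonising, so Type=simple is the matching value and PIDFile= (only
# meaningful for forking services) is dropped. If the launcher is found to
# daemonise on this host, use Type=forking with
# PIDFile=/usr/local/cerebro/cerebro.pid instead.
tee /etc/systemd/system/cerebro.service << 'EOF'
[Unit]
Description=Cerebro
After=network.target

[Service]
Type=simple
User=cerebro
Group=cerebro
LimitNOFILE=65535
ExecStart=/usr/local/cerebro/bin/cerebro -Dconfig.file=/usr/local/cerebro/conf/application.conf -Dhttp.port=8080
Restart=on-failure
WorkingDirectory=/usr/local/cerebro

[Install]
WantedBy=multi-user.target
EOF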
启动
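# The cerebro launcher needs java on PATH. Keep an existing /usr/bin/java
# instead of failing on the ln when the link is already there.
[ -e /usr/bin/java ] || ln -s /usr/local/jdk/jdk1.8.0_211/bin/java /usr/bin/java
systemctl daemon-reload
# Enable at boot and start now — the section is titled "start" but the
# original stopped at daemon-reload.
systemctl enable cerebro
systemctl start cerebro
systemctl is-active --quiet cerebro || systemctl status cerebro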
一键式安装脚本
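#!/bin/bash
# author zxb
# version 1.0
# date 2020/04/06
#
# One-shot cerebro 0.8.1 installer (CentOS / systemd).
# Usage: bash cerebro_install.sh <login_user> <login_password> <es_name> <es_ip> <es_port>
#   login_user / login_password  credentials for the cerebro web login
#   es_name                      display name of the cluster inside cerebro
#   es_ip / es_port              HTTP endpoint of the Elasticsearch cluster
#
# Fixes relative to the original one-liner:
#  * `if [ !-d /appdata/cerebro ]` — "!-d" is a single word, which test(1)
#    rejects, so the directory branch never ran.
#  * `chown -R cerebro. /usr/local/{cerebro-0.8.1, cerebro}` — the space
#    inside the braces defeats brace expansion; chown got two paths that do
#    not exist.
#  * The application.conf here-doc used a quoted delimiter ('EOF'), so
#    ${user}, ${pwd}, ${es_ip}... were written literally and the command-line
#    arguments never reached the config. The delimiter is now unquoted.
#    Values expanded in a here-doc are not re-parsed by the shell, so a
#    password containing $ or backticks cannot inject commands; hocon_quote
#    escapes " and \ so the HOCON string stays well-formed.
#  * `secret` is generated per install instead of the fixed string from the
#    guide; application.conf is 0600 because it holds the login password.
#  * `Type=folking` in the unit was a typo. The cerebro launcher runs java in
#    the foreground, so Type=simple is used (PIDFile= applies to forking
#    services only); switch back to forking if it is found to daemonise here.
#
# The login password is passed on argv: it is visible in `ps` while the
# script runs and is kept in the caller's shell history.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Escape a value for use inside a double-quoted HOCON string.
hocon_quote() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

[ "$#" -eq 5 ] || die "Usage: ${0##*/} <login_user> <login_password> <es_name> <es_ip> <es_port>"
login_user=$1
login_pwd=$2
es_name=$3
es_ip=$4
es_port=$5

# --- install tree -----------------------------------------------------------
echo "Start to create directory"
id cerebro >/dev/null 2>&1 || useradd -s /sbin/nologin cerebro
cd /tmp/ || die "Create dir Failed!"
wget https://github.com/lmenezes/cerebro/releases/download/v0.8.1/cerebro-0.8.1.tgz \
  || die "Create dir Failed!"
tar xf /tmp/cerebro-0.8.1.tgz -C /usr/local/ || die "Create dir Failed!"
[ -e /usr/local/cerebro ] || ln -s /usr/local/cerebro-0.8.1 /usr/local/cerebro
chown -R cerebro:cerebro /usr/local/cerebro-0.8.1 /usr/local/cerebro
if [ ! -d /appdata/cerebro ]; then
  mkdir -p /appdata/cerebro/data
  chown -R cerebro:cerebro /appdata/cerebro
fi
echo "Create dir Success!"

# --- application.conf -------------------------------------------------------
echo "Start to configure application.conf"
secret=$(od -An -tx1 -N 32 /dev/urandom | tr -d ' \n')   # 64 hex characters
q_user=$(hocon_quote "$login_user")
q_pwd=$(hocon_quote "$login_pwd")
q_es_name=$(hocon_quote "$es_name")
cat > /usr/local/cerebro/conf/application.conf << EOF
secret="${secret}"
basePath="/"
pidfile.path="/usr/local/cerebro/cerebro.pid"
data.path="/appdata/cerebro/data/cerebro.db"
es={
  gzip=true
}
auth={
  type: basic
  settings: {
    username="${q_user}"
    password="${q_pwd}"
  }
}
hosts=[
  {
    host="http://${es_ip}:${es_port}"
    name="${q_es_name}"
  }
]
EOF
chown cerebro:cerebro /usr/local/cerebro/conf/application.conf
chmod 600 /usr/local/cerebro/conf/application.conf
echo "configure application.conf Success!"

# --- systemd unit -----------------------------------------------------------
echo "Start to create cerebro.service!"
cat > /etc/systemd/system/cerebro.service << 'EOF'
[Unit]
Description=Cerebro
After=network.target

[Service]
Type=simple
User=cerebro
Group=cerebro
LimitNOFILE=65535
ExecStart=/usr/local/cerebro/bin/cerebro -Dconfig.file=/usr/local/cerebro/conf/application.conf -Dhttp.port=8080
Restart=on-failure
WorkingDirectory=/usr/local/cerebro

[Install]
WantedBy=multi-user.target
EOF
echo "Create cerebro.service Success!"

# --- start ------------------------------------------------------------------
echo "Begin to start the service"
# The launcher needs java on PATH; keep an existing /usr/bin/java.
[ -e /usr/bin/java ] || ln -s /usr/local/jdk/jdk1.8.0_211/bin/java /usr/bin/java
systemctl daemon-reload
systemctl enable cerebro
systemctl start cerebro || die "Start cerebro.service Failed!"
systemctl is-active --quiet cerebro || die "Start cerebro.service Failed!"
echo "Start cerebro.service Success!"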
使用方法
sh cerebro_install.sh admin "admin" es_zxb 192.168.248.231 9200
节点信息
接口信息
其他功能
参考:https://github.com/mobz/elasticsearch-head
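# Head is served straight from a git checkout. https:// replaces git://,
# which is neither authenticated nor encrypted, so the checkout cannot be
# altered in transit.
git clone https://github.com/mobz/elasticsearch-head.git
cd elasticsearch-head || exit 1
# Install node.js. The NodeSource setup script is saved to a file first so
# it can be read before it runs; the original piped it straight into bash
# as root.
curl --silent --location --fail -o /tmp/setup_10.x https://rpm.nodesource.com/setup_10.x
bash /tmp/setup_10.x
yum install -y nodejs
# npm install executes the packages' install hooks with the caller's rights;
# run it as an unprivileged user rather than root.
npm install
npm run start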
vim /usr/local/elasticsearch/config/elasticsearch.yml
# Let the Head UI — a browser app served from another origin on port 9100 —
# call the API. "*" admits every origin; once Head has a fixed address list
# that instead, e.g. "http://<head-host>:9100".
http.cors.enabled: true
http.cors.allow-origin: "*"
访问地址:http://192.168.248.231:9100/?auth_user=elastic&auth_password=xxxx(密码作为URL参数会留在浏览器历史和代理/服务端日志中,仅在受信任的网络内使用)
参考文献
Elasticsearch
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/configuring-security.html
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/xpack-api.html
cerebro
https://cerebroapp.com
https://github.com/KELiON/cerebro
Head
https://github.com/mobz/elasticsearch-head