背景:

    生产环境大量使用 elasticsearch 集群,不同的业务使用不同版本的elasticsearch

    es经常曝出一些大的漏洞,需要进行版本升级,并且使用x-pack的基本验证功能,避免用户数据泄露

x-pack免费版本特征:

基本的TLS 功能,可对通信进行加密

文件和原生 Realm,可用于创建和管理用户

基于角色的访问控制,可用于控制用户对集群 API 和索引的访问权限;

通过针对 Kibana Spaces 的安全功能,还可允许在 Kibana 中实现多租户。

升级的两种策略:

.滚动性升级,即不中断业务服务,一台一台进行升级

.全新部署新版本,然后将数据迁移到新版本的es集群中

这两种方式都需要将数据恢复到新版本的es集群中,可以先进行快照备份

.升级前先备份低版本的elasticserch的数据:快照方式

原理:即将老版本的es数据打个快照备份出来写入到 /opt/esback 目录中并进行nfs挂载到某台服务器中(作为nfs服务端的机器要有足够量的磁盘空间,最好磁盘性能比较好),新、旧两个es集群的配置文件中都引用配置 path.repo: ["/opt/esback/"],

这样新的集群也能对这个目录进行操作了,等待新集群搭建好后,直接把 /opt/esback 目录中的文件恢复到新集群的 索引 index 中即可

使用Mount nfs进行挂载共享(所有的es集群节点都可以访问):

目标:将本地es备份出来的数据目录/opt/esback 目录挂载到nfs的共享目录 /opt/es_snapshot,这样恢复的时候就都可以访问这个共享目录进行恢复了

// 在10.10.18.92上创建共享目录

创建共享目录,即作为nfs的共享目录

mkdir /opt/es_snapshot

创建本地备份出来的目录

/opt/esback

# 在集群所有节点中创建 /opt/esback 目录,即将es数据备份出来的目标目录

# 将其中一台es客户端作为nfs服务端

#nfs服务端的操作

# vim /etc/exports

# 注意此处的anonuid和gid要和运行es程序的用户保持一致

# 添加指定 uid 和 gid 的用户

groupadd -g  elastic

useradd -u  -g elastic elastic

# 修改 gid和 uid为500 命令示例:

usermod -u  es

groupmod -g  es

/opt/es_snapshot *(insecure,rw,no_root_squash,sync,anonuid=,anongid=)

// 查看共享文件夹

yum install -y exportfs

exportfs -rv

// nfs服务端修改nfs配置

 vim /etc/sysconfig/nfs

修改如下:

RPCNFSDARGS="-N 2 -N 3"

        ----->启用

# Turn off v4 protocol support

RPCNFSDARGS="-N 4"     ---->启用

重启生效

systemctl restart nfs

// 客户端操作

yum install -y nfs-utils

// 重启启动新集群机器的NFS服务

systemctl restart nfs

//每一台es节点服务器上进行Mount挂载

mount -t nfs 10.10.18.90:/opt/es_snapshot /opt/esback -o proto=tcp -o nolock

列出nfs服务端共享的目录:

[root@sz_kp_wanghong_dev02_18_93:/home/wanxing]# showmount -e 10.10.18.90

Export list for 10.10.18.92:

/opt/es_snapshot *

// 在旧机器上将共享目录的权限付给ES的运行用户

chown elastic:elastic -R /opt/esback

.创建ES仓库my_backup

修改配置文件:

vim elasticsearch.yml

# 添加如下配置(需要在旧集群的每个节点上添加),重新启动集群

path.repo: ["/opt/esback"]

创建快照仓库 my_backup 命令:

curl -H "Content-Type: application/json" -v -XPUT http://10.10.18.90:9200/_snapshot/my_backup -d '

{

    "type": "fs",

    "settings": {

        "location": "/opt/esback",

    "compress": true

    }

}

'

# 返回值

{"acknowledged":true}

# 报错的处理

'RemoteTransportException[[ictr_node1][10.10.18.93:9300][internal:admin/repository/verify]]

# 权限不够

chown -R es.es /opt/es_snapshot/

chown -R es.es /opt/esback_20191104/

# 创建所有索引的备份

# curl -H "Content-Type: application/json" -v -XPUT http://10.10.18.90:9200/_snapshot/my_backup/snapshot20191107

{"accepted":true}

查看备份

[elastic@szyyelk01t slave02]$ curl -XGET http://10.10.18.90:9200/_snapshot/my_backup/snapshot20191107?pretty

{

  "snapshots" : [

    {

      "snapshot" : "snapshot20191107",

      "uuid" : "0_4SOntVS1GH-7irHjKBMQ",

      "version_id" : ,

      "version" : "6.3.2",

      "indices" : [

        "support_faq_categorys",

        "ticket_list",

        "templates_search",

        "site_page_search",

        "support",

        "templates_page_search",

        "support_new_articles",

        "article_version",

        "blocks_version",

        "search",

        "version",

        "article_search",

        "templates",

        "learn",

        "templates_version",

        "blocks_search",

        "templates_page_version"

      ],

      "include_global_state" : true,

      "state" : "SUCCESS",

      "start_time" : "2019-11-07T01:35:00.811Z",

      "start_time_in_millis" : ,

      "end_time" : "2019-11-07T01:35:03.702Z",

      "end_time_in_millis" : ,

      "duration_in_millis" : ,

      "failures" : [ ],

      "shards" : {

        "total" : ,

        "failed" : ,

        "successful" :

      }

    }

  ]

}

升级方式1:滚动升级 elasticsearch5.6.16 --> elasticsearch6.8.4

.备份数据,避免出现问题后回滚

.先升级到新版本,然后安装x-pack,此时再要求开发同事修改代码适配

a.先下载新版本的6.8.4

①关闭自动分片

curl -v -XPUT http://10.10.18.92:9200/_cluster/settings -d '{

  "persistent": {

    "cluster.routing.allocation.enable": "none"

  }

}'

[root@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8.]# curl -v -XPUT http://10.10.18.92:9200/_cluster/settings -d '{

>   "persistent": {

>     "cluster.routing.allocation.enable": "none"

>   }

> }'

* Hostname was NOT found in DNS cache

*   Trying 10.10.18.92...

* Connected to 10.10.18.92 (10.10.18.92) port  (#)

> PUT /_cluster/settings HTTP/1.1

> User-Agent: curl/7.36.

> Host: 10.10.18.92:

> Accept: */*

> Content-Length: 73

> Content-Type: application/x-www-form-urlencoded

>

* upload completely sent off: 73 out of 73 bytes

< HTTP/1.1 200 OK

< Warning: 299 Elasticsearch-5.6.15-fe7575a "Content type detection for rest requests is deprecated. Specify the content type using the [Content-Type] header." "Tue, 05 Nov 2019 08:14:44 GMT"

< content-type: application/json; charset=UTF-8

< content-length: 106

<

* Connection #0 to host 10.10.18.92 left intact

{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"none"}}}},"transient":{}}

②暂时禁用非必要的索引并执行同步刷新

curl -XPOST http://10.10.18.92:9200/_flush/synced

[root@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8.4]# curl -XPOST http://10.10.18.92:9200/_flush/synced

{"_shards":{"total":28,"successful":28,"failed":0},"channel_rel":{"total":4,"successful":4,"failed":0},".kibana":{"total":2,"successful":2,"failed":0},"channel":{"total":6,"successful":6,"failed":0},"video":{"total":4,"successful":4,"failed":0},"channel_list":{"total":6,"successful":6,"failed":0},"influecer":{"total":6,"successful":6,"failed":0}}

注意: 如果是从6.3之前的版本升级上来的,需要注意提前要移除X-Pack插件,然后再去升级版本。执行bin/elasticsearch-plugin remove x-pack

a. 备份原来的elasticsearch目录,然后解压新版的elasticsearch。

b. 如果使用外部的配置路径,配置ES_PATH_CONF环境变量到那个位置。如果没有的话,拷贝老的配置目录过来新的elasticsearch目录就可以了。

c. 检查path.data是否指向正确的数据目录

d. 检查path.log是否指向正确的日志目录

新集群的配置文件

[es@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8.4]$ more config/elasticsearch.yml

cluster.name: kp-dev-application

node.name: ictr_node2

node.master: true

node.attr.rack: r1

node.max_local_storage_nodes: 3

network.host: 10.10.18.92

http.port: 9200

transport.tcp.port: 9300

path.repo: ["/opt/esback_20191104"]

discovery.zen.minimum_master_nodes: 1

http.cors.enabled: true

http.cors.allow-origin: "*"

# 新集群的数据还是指向老版本 es5.6.15 的数据存储目录

path.data: /opt/es-node/elasticsearch-5.6.15/data

path.logs: /opt/es-node/elasticsearch-5.6.15/logs

# 启用安全认证

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

③关闭节点

④重新启动节点,注意要切换到es用户,不能使用root用户

chown -R es.es elasticsearch-6.8.4

[es@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8.4]$ bin/elasticsearch -d

在其他节点重复以上过程

启动升级后的节点,并通过查看日志和使用下面命令来检查节点是否正确加入到集群

[root@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-5.6.15]# curl http://10.10.18.92:9200/_cat/nodes

10.10.18.93 16 98 56 1.22 0.50 0.29 di  - ictr_node1

10.10.18.92 16 88  8 0.08 0.26 0.31 mdi * ictr_node2

[root@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-5.6.15]# curl http://10.10.18.92:9200/_cat/indices

yellow open channel      vRFQoIhmT8WmSbDCfph0ag 3 1   53374      0  44.2mb  44.2mb

yellow open channel_rel  ZeeBbkogT5KtxzziUYtu_Q 2 1  459528      0 168.8mb 168.8mb

yellow open channel_list 1dk8uH8bTeikez0lFR2mJg 3 1 5509390  78630     7gb     7gb

yellow open video        HNhyt9ioSEayAotGVXRCVg 2 1  798369 228155   1.6gb   1.6gb

yellow open .kibana      lY82G_-XSniyd_bnMOLuQg 1 1      15      1 146.3kb 146.3kb

yellow open influecer    RQtQWXKIRE2UYyZlCvv7bA 3 1  148526  48641 272.8mb 272.8mb

节点加入集群后,删除cluster.routing.allocation.enable设置以启用分片分配并开始使用节点:

curl -H "Content-Type: application/json" -v -XPUT http://10.10.18.92:9200/_cluster/settings -d '{

  "persistent": {

    "cluster.routing.allocation.enable": "all"

  }

}'

重新打开分片报错:

[root@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-5.6.15]# curl -v -XPUT http://10.10.18.92:9200/_cluster/settings -d '{

>   "persistent": {

>     "cluster.routing.allocation.enable": "true"

>   }

> }'

* Hostname was NOT found in DNS cache

*   Trying 10.10.18.92...

* Connected to 10.10.18.92 (10.10.18.92) port 9200 (#0)

> PUT /_cluster/settings HTTP/1.1

> User-Agent: curl/7.36.0

> Host: 10.10.18.92:9200

> Accept: */*

> Content-Length:

> Content-Type: application/x-www-form-urlencoded

>

* upload completely sent off:  out of  bytes

< HTTP/1.1  Not Acceptable

< content-type: application/json; charset=UTF-

< content-length:

<

* Connection # to host 10.10.18.92 left intact

{"error":"Content-Type header [application/x-www-form-urlencoded] is not supported","status":}

[root@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-5.6.]# curl http://10.10.18.92:9200/_cluster/health?pretty

{

  "cluster_name" : "kp-dev-application",

  "status" : "green",

  "timed_out" : false,

  "number_of_nodes" : ,

  "number_of_data_nodes" : ,

  "active_primary_shards" : ,

  "active_shards" : ,

  "relocating_shards" : ,

  "initializing_shards" : ,

  "unassigned_shards" : ,

  "delayed_unassigned_shards" : ,

  "number_of_pending_tasks" : ,

  "number_of_in_flight_fetch" : ,

  "task_max_waiting_in_queue_millis" : ,

  "active_shards_percent_as_number" : 100.0

}

安装新版本中文分词插件

https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v6.8.4/elasticsearch-analysis-ik-6.8.4.zip

# 解压在plugin目录重新启动elasticsearch即可

cd /opt/es-node/elasticsearch-6.8./plugins

unzip -d elasticsearch-analysis-ik elasticsearch-analysis-ik-6.8..zip

ot@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8./plugins]# curl http://10.10.18.92:9200/_xpack?pretty

{

  "build" : {

    "hash" : "bca0c8d",

    "date" : "2019-10-16T06:19:49.319352Z"

  },

  "license" : {

    "uid" : "4de9d1c1-59f6-4dfd-8d48-baefd0a583d0",

    "type" : "basic",

    "mode" : "basic",

    "status" : "active"

  },

  "features" : {

    "ccr" : {

      "description" : "Cross Cluster Replication",

      "available" : false,

      "enabled" : true

    },

    "graph" : {

      "description" : "Graph Data Exploration for the Elastic Stack",

      "available" : false,

      "enabled" : true

    },

    "ilm" : {

      "description" : "Index lifecycle management for the Elastic Stack",

      "available" : true,

      "enabled" : true

    },

    "logstash" : {

      "description" : "Logstash management component for X-Pack",

      "available" : false,

      "enabled" : true

    },

    "ml" : {

      "description" : "Machine Learning for the Elastic Stack",

      "available" : false,

      "enabled" : true,

      "native_code_info" : {

        "version" : "6.8.4",

        "build_hash" : "93ad89b02ff490"

      }

    },

    "monitoring" : {

      "description" : "Monitoring for the Elastic Stack",

      "available" : true,

      "enabled" : true

    },

    "rollup" : {

      "description" : "Time series pre-aggregation and rollup",

      "available" : true,

      "enabled" : true

    },

    "security" : {

      "description" : "Security for the Elastic Stack",

      "available" : true,

      "enabled" : false

    },

    "sql" : {

      "description" : "SQL access to Elasticsearch",

      "available" : true,

      "enabled" : true

    },

    "watcher" : {

      "description" : "Alerting, Notification and Automation for the Elastic Stack",

      "available" : false,

      "enabled" : true

    }

  },

  "tagline" : "You know, for X"

}

.启用x-pack的密码验证

# 生成证书

[root@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8.]# bin/elasticsearch-certutil ca

This tool assists you in the generation of X. certificates and certificate

signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'

This will create a new X. certificate and private key that can be used

to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'

of the certificate authority

By default the 'ca' mode produces a single PKCS# output file which holds:

    * The CA certificate

    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will

be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:

Enter password for elastic-stack-ca.p12 :

[root@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8.]# ls

bin  config  elastic-stack-ca.p12  lib  LICENSE.txt  logs  modules  NOTICE.txt  plugins  README.textile

[root@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8.]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

This tool assists you in the generation of X. certificates and certificate

signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X. certificate and private keys.

    * By default, this generates a single certificate and key for use

       on a single instance.

    * The '-multiple' option will prompt you to enter details for multiple

       instances and will generate a certificate and key for each one

    * The '-in' option allows for the certificate generation to be automated by describing

       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.

      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats

      may all require a certificate and private key.

    * The minimum required value for each instance is a name. This can simply be the

      hostname, which will be used as the Common Name of the certificate. A full

      distinguished name may also be used.

    * A filename value may be required for each instance. This is necessary when the

      name would result in an invalid file or directory name. The name provided here

      is used as the directory name (within the zip) and the prefix for the key and

      certificate files. The filename is required if you are prompted and the name

      is not displayed in the prompt.

    * IP addresses and DNS names are optional. Multiple values can be specified as a

      comma separated string. If no IP addresses or DNS names are provided, you may

      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).

    * The tool can automatically generate a new CA for you, or you can provide your own with the

         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS# output file which holds:

    * The instance certificate

    * The private key for the instance certificate

    * The CA certificate

If you specify any of the following options:

    * -pem (PEM formatted output)

    * -keep-ca-key (retain generated CA key)

    * -multiple (generate multiple certificates)

    * -in (generate certificates from an input file)

then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) :

Please enter the desired output file [elastic-certificates.p12]:

Enter password for elastic-certificates.p12 : 

Certificates written to /opt/es-node/elasticsearch-6.8./elastic-certificates.p12

This file should be properly secured as it contains the private key for

your instance.

This file is a self contained file and can be copied and used 'as is'

For each Elastic product that you wish to configure, you should copy

this '.p12' file to the relevant configuration directory

and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and

configure the client to trust this certificate.

# 修改config/elasticsearch.yml配置

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: /usr/local/elasticsearch/config/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: /usr/local/elasticsearch/config/elastic-certificates.p12

# 配置密码

[es@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8.]$ bin/elasticsearch-setup-passwords interactive

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.

You will be prompted to enter passwords as the process progresses.

Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:

Reenter password for [elastic]:

Enter password for [apm_system]:

Reenter password for [apm_system]:

Enter password for [kibana]:

Reenter password for [kibana]:

Enter password for [logstash_system]:

Reenter password for [logstash_system]:

Enter password for [beats_system]:

Reenter password for [beats_system]:

Enter password for [remote_monitoring_user]:

Reenter password for [remote_monitoring_user]:

Changed password for user [apm_system]

Changed password for user [kibana]

Changed password for user [logstash_system]

Changed password for user [beats_system]

Changed password for user [remote_monitoring_user]

Changed password for user [elastic]

密码:espass

[es@sz_kp_wanghong_dev01_18_92:/opt/es-node/elasticsearch-6.8.]$ curl --user elastic:espass -XGET 'http://10.10.18.92:9200/_cat/indices'

green open channel_rel  ZeeBbkogT5KtxzziUYtu_Q           .7mb .8mb

green open .security-  iQHndFBqRe2Ss2o7KMxyFg                 .3kb  .1kb

green open .kibana      lY82G_-XSniyd_bnMOLuQg               .6kb .3kb

green open influecer    RQtQWXKIRE2UYyZlCvv7bA       .6mb .8mb

green open channel      vRFQoIhmT8WmSbDCfph0ag             .4mb  .2mb

green open channel_list 1dk8uH8bTeikez0lFR2mJg         14gb     7gb

green open video        HNhyt9ioSEayAotGVXRCVg        .3gb   .6gb

升级方式2:完全重启集群升级

即配置好全新的elasticsearch7..2集群,然后把数据恢复到新集群中

下载地址:wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-linux-x86_64.tar.gz

老版本的配置

# cms elasticsearch

[root@szyyelk01t opt]# egrep -v '^#|^$' elk-master/config/elasticsearch.yml

cluster.name: cms-uat-elastic

node.name: master

path.data: /opt/elk-master/data/data01,/opt/elk-master/data/data02

path.logs: /opt/elk-master/logs

bootstrap.memory_lock: false

bootstrap.system_call_filter: false

network.host: 10.10.18.90

http.port:

http.cors.enabled: true

http.cors.allow-origin: "*"

[root@szyyelk01t elk-slave]# egrep -v '^$|^#' slave01/config/elasticsearch.yml

cluster.name: cms-uat-elastic

node.name: slave01

path.data: /opt/elk-slave/slave01/data/data01,/opt/elk-slave/slave01/data/data02

path.logs: /opt/elk-slave/slave01/logs

bootstrap.memory_lock: false

bootstrap.system_call_filter: false

network.host: 10.10.18.90

http.port:

discovery.zen.ping.unicast.hosts: ["10.10.18.90"]

http.cors.enabled: true

http.cors.allow-origin: "*"

[root@szyyelk01t elk-slave]# egrep -v '^$|^#' slave02/config/elasticsearch.yml

cluster.name: cms-uat-elastic

node.name: slave02

path.data: /opt/elk-slave/slave02/data/data01,/opt/elk-slave/slave02/data/data02

path.logs: /opt/elk-slave/slave02/logs

bootstrap.memory_lock: false

bootstrap.system_call_filter: false

network.host: 10.10.18.90

http.port:

discovery.zen.ping.unicast.hosts: ["10.10.18.90"]

http.cors.enabled: true

http.cors.allow-origin: "*"

# 已经升级的线上配置参考:

[root@eus_filmora_db01:/usr/local/elasticsearch-7.4.]# egrep -v '^$|^#' config/elasticsearch.yml

cluster.name: UOS_CLUSTER_ES

node.name: uos_node_1

path.data: /data/elasticsearch_data/data

path.logs: /data/elasticsearch_data/logs

bootstrap.memory_lock: true

network.host: 172.20.103.199

http.port:

transport.tcp.port:

node.master: true

node.data: true

discovery.seed_hosts: ["172.20.103.199:9300", "172.20.73.200:9300", "172.20.73.212:9300"]

cluster.initial_master_nodes: ["172.20.103.199", "172.20.73.200", "172.20.73.212"]

gateway.recover_after_nodes:

transport.tcp.compress: true

path.repo: ["/data/bak_es"]

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: /usr/local/elasticsearch/config/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: /usr/local/elasticsearch/config/elastic-certificates.p12

############## cms 系统的 elasticsearch 6升级7.4.2

整体策略:

.升级cms测试环境的es到7.4.2,然后做适配性的开发,再次升级内网的生产环境 --> cms海外环境(找海外业务不繁忙的时候操作,先和开发协商好)

测试环境其他人依赖进行测试,所以升级需要两套并存,新版本的es7..2使用自带的openjdk13.

.配置新版本的elasticsearch使用指定的jdk环境

# vim bin/elasticsear

export JAVA_HOME=/opt/elk7_onenode/elasticsearch-7.4./jdk

export PATH=$JAVA_HOME/bin:$PATH

mkdir /opt/elk7_onenode/elasticsearch-7.4./data

# 主节点配置

[elastic@szyyelk01t elasticsearch-7.4.]$ more config/elasticsearch.yml

cluster.name: cms-uat-elastic7

node.name: cms_node01

node.master: true

node.data: true

discovery.seed_hosts: ["10.10.18.90:19300", "10.10.18.117:19300"]

cluster.initial_master_nodes: ["10.10.18.90"]

path.data: /opt/cms_elk7/elasticsearch-7.4./data

path.logs: /opt/cms_elk7/elasticsearch-7.4./logs

discovery.zen.minimum_master_nodes:

bootstrap.memory_lock: false

bootstrap.system_call_filter: false

network.host: 10.10.18.90

http.cors.enabled: true

http.cors.allow-origin: "*"

transport.tcp.compress: true

path.repo: ["/opt/esback/"]

gateway.recover_after_nodes: 

# 增加新的参数head插件可以访问es

http.port:

transport.tcp.port: 

gateway.recover_after_time: 8m

# 以下配置可以减少当es节点短时间宕机或重启时shards重新分布带来的磁盘io读写浪费

discovery.zen.fd.ping_timeout: 300s

discovery.zen.fd.ping_retries:

discovery.zen.fd.ping_interval: 30s

discovery.zen.ping_timeout: 180s

# 启用安全认证

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# 第二个节点配置

[elastic@cms-test:/opt/cms_elk7/elasticsearch-7.4.]$ more config/elasticsearch.yml

cluster.name: cms-uat-elastic7

node.name: cms_node02

node.master: false

node.data: true

discovery.seed_hosts: ["10.10.18.90:19300", "10.10.18.117:19300"]

cluster.initial_master_nodes: ["10.10.18.90"]

path.data: /opt/cms_elk7/elasticsearch-7.4./data

path.logs: /opt/cms_elk7/elasticsearch-7.4./logs

bootstrap.memory_lock: false

bootstrap.system_call_filter: false

network.host: 10.10.18.117

http.cors.enabled: true

http.cors.allow-origin: "*"

transport.tcp.compress: true

path.repo: ["/opt/esback/"]

gateway.recover_after_nodes: 

# 增加新的参数head插件可以访问es

http.port:

transport.tcp.port: 

gateway.recover_after_time: 8m

# 以下配置可以减少当es节点短时间宕机或重启时shards重新分布带来的磁盘io读写浪费

discovery.zen.fd.ping_timeout: 300s

discovery.zen.fd.ping_retries:

discovery.zen.fd.ping_interval: 30s

discovery.zen.ping_timeout: 180s

# 启用安全认证

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# 设置密码

# 启用安全认证,只添加这个选项

xpack.security.enabled: true

#xpack.security.transport.ssl.enabled: true

#xpack.security.transport.ssl.verification_mode: certificate

#xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12

#xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

elastic密码:

espass

在集群上配置TLS:

如果你在操作单节点ES则可以跳过本内容。

.生成CA证书 :

bin/elasticsearch-certutil ca

将产生新文件 elastic-stack-ca.p12。该 elasticsearch-certutil 命令还会提示你输入密码以保护文件和密钥,请保留该文件的副本并记住其密码,此处我们设置为空

.为集群中的每个节点生成证书和私钥

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

将产生新文件 elastic-certificates.p12。系统还会提示你输入密码,你可以输入证书和密钥的密码,也可以按Enter键将密码留空。默认情况下 elasticsearch-certutil 生成没有主机名信息的证书,这意味着你可以将证书用于集群中的每个节点,另外要关闭主机名验证。

将 elastic-certificates.p12 文件复制到每个节点上Elasticsearch配置目录中

无需将 elastic-stack-ca.p12 文件复制到此目录。

mkdir config/certs

mv elastic-certificates.p12 config/certs/

配置集群中的每个节点以使用其签名证书标识自身并在传输层上启用TLS

启用TLS并指定访问节点证书所需的信息,将以下信息添加到每个节点的 elasticsearch.yml 文件中:

xpack.security.enabled: true

.设置密码

# 报错

[elastic@szyyelk01t elasticsearch-7.4.]$ bin/elasticsearch-setup-passwords interactive

Failed to determine the health of the cluster running at http://10.10.18.90:19200

Unexpected response code [] from calling GET http://10.10.18.90:19200/_cluster/health?pretty

Cause: master_not_discovered_exception

It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.

It is very likely that the password changes will fail when run against an unhealthy cluster.

Do you want to continue with the password setup process [y/N]y

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.

You will be prompted to enter passwords as the process progresses.

Please confirm that you would like to continue [y/N]y               

Enter password for [elastic]:

Reenter password for [elastic]:

Enter password for [apm_system]:

Reenter password for [apm_system]:

Enter password for [kibana]:

Reenter password for [kibana]:

Enter password for [logstash_system]:

Reenter password for [logstash_system]:

Enter password for [beats_system]:

Reenter password for [beats_system]:

Enter password for [remote_monitoring_user]:

Reenter password for [remote_monitoring_user]: 

Unexpected response code [] from calling PUT http://10.10.18.90:19200/_security/user/apm_system/_password?pretty

Cause: Cluster state has not been recovered yet, cannot write to the [null] index

Possible next steps:

* Try running this tool again.

* Try running with the --verbose parameter for additional messages.

* Check the elasticsearch logs for additional error details.

* Use the change password API manually. 

ERROR: Failed to set password for user [apm_system].

[elastic@szyyelk01t elasticsearch-7.4.]$  bin/elasticsearch-setup-passwords interactive

Connection failure to: http://10.10.18.90:19200/_security/_authenticate?pretty failed: Connection refused

ERROR: Failed to connect to elasticsearch at http://10.10.18.90:19200/_security/_authenticate?pretty. Is the URL correct and elasticsearch running?

[elastic@szyyelk01t elasticsearch-7.4.]$  bin/elasticsearch-setup-passwords interactive

Failed to determine the health of the cluster running at http://10.10.18.90:19200

Unexpected response code [] from calling GET http://10.10.18.90:19200/_cluster/health?pretty

Cause: master_not_discovered_exception

It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.

It is very likely that the password changes will fail when run against an unhealthy cluster.

Do you want to continue with the password setup process [y/N]^C[elastic@szyyelk01t elasticsearch-7.4.]$  bin/elasticsearch-setup-passwords interactive

Failed to determine the health of the cluster running at http://10.10.18.90:19200

Unexpected response code [] from calling GET http://10.10.18.90:19200/_cluster/health?pretty

Cause: master_not_discovered_exception

It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.

It is very likely that the password changes will fail when run against an unhealthy cluster.

Do you want to continue with the password setup process [y/N]

解决办法:只配置一个主节点:cluster.initial_master_nodes: ["10.10.18.90"]

# 错误2处理

[--07T16::,][INFO ][o.e.c.c.JoinHelper       ] [cms_node02] failed to join {cms_node01}{765pAegcS8S0Y3OrE9taMA}{Up16Gw9pQlyXg3n1wCHE8g}{10.10.18.90}{10.10.18.90:}{dilm}{ml.machine_memory=, ml.max_open_jobs=, xpack.installed=true} with JoinRequest{sourceNode={cms_node02}{765pAegcS8S0Y3OrE9taMA}{ki1VVW27TnakEEFagCoDlg}{10.10.18.117}{10.10.18.117:}{dil}{ml.machine_memory=, xpack.installed=true, ml.max_open_jobs=}, optionalJoin=Optional[Join{term=, lastAcceptedTerm=, lastAcceptedVersion=, sourceNode={cms_node02}{765pAegcS8S0Y3OrE9taMA}{ki1VVW27TnakEEFagCoDlg}{10.10.18.117}{10.10.18.117:}{dil}{ml.machine_memory=, xpack.installed=true, ml.max_open_jobs=}, targetNode={cms_node01}{765pAegcS8S0Y3OrE9taMA}{Up16Gw9pQlyXg3n1wCHE8g}{10.10.18.90}{10.10.18.90:}{dilm}{ml.machine_memory=, ml.max_open_jobs=, xpack.installed=true}}]}

org.elasticsearch.transport.RemoteTransportException: [cms_node01][10.10.18.90:][internal:cluster/coordination/join]

Caused by: java.lang.IllegalArgumentException: can't add node {cms_node02}{765pAegcS8S0Y3OrE9taMA}{ki1VVW27TnakEEFagCoDlg}{10.10.18.117}{10.10.18.117:19300}{dil}{ml.machine_memory=16853446656, ml.max_open_jobs=20, xpack.installed=true}, found existing node {cms_node01}{765pAegcS8S0Y3OrE9taMA}{Up16Gw9pQlyXg3n1wCHE8g}{10.10.18.90}{10.10.18.90:19300}{dilm}{ml.machine_memory=8362151936, xpack.installed=true, ml.max_open_jobs=20} with the same id but is a different node instance

    at org.elasticsearch.cluster.node.DiscoveryNodes$Builder.add(DiscoveryNodes.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.cluster.coordination.JoinTaskExecutor.execute(JoinTaskExecutor.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.cluster.coordination.JoinHelper$.execute(JoinHelper.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.cluster.service.MasterService.executeTasks(MasterService.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.cluster.service.MasterService.calculateTaskOutputs(MasterService.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.cluster.service.MasterService.runTasks(MasterService.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.cluster.service.MasterService.access$(MasterService.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.cluster.service.MasterService$Batcher.run(MasterService.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:) ~[elasticsearch-7.4..jar:7.4.]

    at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:) ~[elasticsearch-7.4..jar:7.4.]

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:) ~[?:?]

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:) ~[?:?]

# 拷贝连着目录 都拷贝,删除 data 下面的所有文件重启即可

# 最终密码配置成功

[elastic@szyyelk01t elasticsearch-7.4.]$ bin/elasticsearch-setup-passwords interactive

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.

You will be prompted to enter passwords as the process progresses.

Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:

Reenter password for [elastic]:

Enter password for [apm_system]:

Reenter password for [apm_system]:

Enter password for [kibana]:

Reenter password for [kibana]:

Enter password for [logstash_system]:

Reenter password for [logstash_system]:

Enter password for [beats_system]:

Reenter password for [beats_system]:

Enter password for [remote_monitoring_user]:

Reenter password for [remote_monitoring_user]:

Changed password for user [apm_system]

Changed password for user [kibana]

Changed password for user [logstash_system]

Changed password for user [beats_system]

Changed password for user [remote_monitoring_user]

Changed password for user [elastic]

# 查看集群状态

[elastic@szyyelk01t elasticsearch-7.4.]$ curl -H "Content-Type: application/json" -u elastic:espass http://10.10.18.90:19200/_cluster/health?pretty

{

  "cluster_name" : "cms-uat-elastic7",

  "status" : "green",

  "timed_out" : false,

  "number_of_nodes" : ,

  "number_of_data_nodes" : ,

  "active_primary_shards" : ,

  "active_shards" : ,

  "relocating_shards" : ,

  "initializing_shards" : ,

  "unassigned_shards" : ,

  "delayed_unassigned_shards" : ,

  "number_of_pending_tasks" : ,

  "number_of_in_flight_fetch" : ,

  "task_max_waiting_in_queue_millis" : ,

  "active_shards_percent_as_number" : 100.0

}

# 查看刚才创建所有索引的备份

# curl -H "Content-Type: application/json" -v -XPUT http://10.10.18.90:9200/_snapshot/my_backup/snapshot20191107

{"accepted":true}

# 恢复全索引快照

#保证elasticsearch用户拥有快照目录的权限

chown -R elastic.elastic /opt/esback

#创建仓库

curl -H "Content-Type: application/json" -XPUT -u elastic:espass http://10.10.18.90:19200/_snapshot/backup -d '

{

"type":"fs",

"settings":{"location":"/opt/esback"}

}'

#查询全索引快照备份

$ curl -XGET -u elastic:espass "http://10.10.18.90:19200/_snapshot/backup/_all" | python -m json.tool

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

                    160k       --:--:-- --:--:-- --:--:--  170k

{

    "snapshots": [

        {

            "duration_in_millis": ,

            "end_time": "2019-11-07T01:35:03.702Z",

            "end_time_in_millis": ,

            "failures": [],

            "include_global_state": true,

            "indices": [

                "support_faq_categorys",

                "ticket_list",

                "templates_search",

                "site_page_search",

                "support",

                "templates_page_search",

                "support_new_articles",

                "article_version",

                "blocks_version",

                "search",

                "version",

                "article_search",

                "templates",

                "learn",

                "templates_version",

                "blocks_search",

                "templates_page_version"

            ],

            "shards": {

                "failed": ,

                "successful": ,

                "total":

            },

            "snapshot": "snapshot20191107",

            "start_time": "2019-11-07T01:35:00.811Z",

            "start_time_in_millis": ,

            "state": "SUCCESS",

            "uuid": "0_4SOntVS1GH-7irHjKBMQ",

            "version": "6.3.2",

            "version_id":

        }

    ]

}

#恢复全索引快照

[elastic@szyyelk01t elasticsearch-7.4.]$ curl -XPOST -u elastic:espass 'http://10.10.18.90:19200/_snapshot/backup/snapshot20191107/_restore'?wait_for_completion=true

{"snapshot":{"snapshot":"snapshot20191107","indices":["templates_page_search","article_search","blocks_version","learn","templates_page_version","templates","version","site_page_search","support_new_articles","support_faq_categorys","search","templates_search","blocks_search","ticket_list","article_version","support","templates_version"],"shards":{"total":,"failed":,"successful":}}}

# 查看已经恢复成功

[elastic@szyyelk01t elasticsearch-7.4.]$ curl -H "Content-Type: application/json" -u elastic:espass http://10.10.18.90:19200/_cat/indices

green open templates_page_search  tUKh1vaHRla6QamphIByLQ       .3kb .6kb

green open article_search         _LE5n_-KRSGVH6Z3I1YLNQ           .5mb .8kb

green open blocks_version         VRmv8fyESY6iclBYkhKJ_w          .5kb  .7kb

green open learn                  W4RyJnkrStaRJwQgS4MAug         .6kb .8kb

green open templates_page_version _hHckKOfRuCPEojviySxVw          .5mb   777kb

green open templates              7iJqDoBwTbOEHcyEzPLHbA            2mb     1mb

green open version                mLbfHoA7SAu4RWHSHM3vtw           .9kb  .9kb

green open support_new_articles   HvGe-CklRU-iua-_T1pLNA        12mb     6mb

green open site_page_search       xxk8IetTSr2HF2tEe2Vc1w          .5mb .2kb

green open .security-            xdRnCeykQGGPcqM3-_WFCw           .5kb  .8kb

green open search                 fOteaZd0QfaU_2fKBaWPdA            .5kb    783b

green open support_faq_categorys  h61nZp5bSQqV1UGVyHL7WA            .5kb    783b

green open templates_search       ru8oFeQDTtKovOmkjP6A0w          .5mb .8kb

green open blocks_search          8vMOY6ebTs-4iJIwM2VG0Q            .5kb   .2kb

green open article_version        qcF3Nft6QMezKqtPHyYLlA            5mb   .5mb

green open ticket_list            xpvXuhlqRFq5Y_zugq0qKw          .1mb     1mb

green open support                LypmJq0pRDy428-TKOy6Yg            .5kb    783b

green open templates_version      gI28sYWJT3GVgfBeyJhSLg          .2mb   .1mb

centos7.5系统elasticsearch使用滚动和全新安装升级到最新的elasticsearch7.4.2版本的更多相关文章

  1. discuz全新安装升级,导入旧数据过程,顺便gbk转utf8

    由于discuz官方已经不更新了,现在又只有现成的utf8版本,没有gbk版本.我们原来使用的是gbk编码的,最近想改版,顺便升级一下,就索性把gbk也换成utf8吧,这样以后也方便,国际化嘛! 第一 ...

  2. linux系统下,安装centos7.0系统,配置网卡出现的问题(与centos5.x、centos6.x版本,有差异)

    1.新建虚拟机时,自己下载的是centos64系统,选择系统时,默认选择centos,而未选择centos64位,导致犯了一个低级错误,导致后面网卡安装一直有问题 2.查看ip命令与centos5.x ...

  3. kickstart 实现批量安装centos7.x系统

    1.1 安装系统的方法 l  光盘(ISO文件,光盘的镜像文件)===>>每一台物理机都得给一个光驱,如果用外置光驱的话,是不是每台机器都需要插一下 l  U盘:ISO镜像刻录到U盘==& ...

  4. kickstart模式实现批量安装centos7.x系统

    1.1 安装系统的方法 l  光盘(ISO文件,光盘的镜像文件)===>>每一台物理机都得给一个光驱,如果用外置光驱的话,是不是每台机器都需要插一下 l  U盘:ISO镜像刻录到U盘==& ...

  5. 29张截图-全新安装CentOS7.5-超详细!

    目录 全新安装CentOS7.5 配置虚拟机 调整网卡名称 配置时区,分区,关闭安全工具 配置网络参数 配置root账户密码 参考链接 全新安装CentOS7.5 可以到这里下载镜像https://m ...

  6. 005-(已测试成功的方案)kickstart模式实现批量安装centos7.x系统

    1.1 安装系统的方法 l  光盘(ISO文件,光盘的镜像文件)===>>每一台物理机都得给一个光驱,如果用外置光驱的话,是不是每台机器都需要插一下 l  U盘:ISO镜像刻录到U盘==& ...

  7. 在Linux(Centos7)系统上对进行Hadoop分布式配置以及运行Hadoop伪分布式实例

    在Linux(Centos7)系统上对进行Hadoop分布式配置以及运行Hadoop伪分布式实例                                                     ...

  8. Centos7.5系统 SSH升级到7.9

    SSH7.9安装 #!/bin/bash#删除旧版ssh包 危险操作,不删除也可以安装,建议跳过此操作.#rpm -e `rpm -qa | grep openssh` #安装zlib依赖包wget ...

  9. centos7修改系统语言为简体中文

    centos7修改系统语言为简体中文 说明 自己装系统时一般都可以自定义选择系统语言.可是云端服务器一般都是安装好的镜像,默认系统语言为英文,对于初学者可能还会有搞不懂的计算机词汇.这里简单说一下ce ...

随机推荐

  1. 【爬虫】随机获取UA

    使用模块  fake-useragent https://github.com/hellysmile/fake-useragent 1.安装模块 2.配置 # settings.py '''下载器中间 ...

  2. linux常见依赖

    1. 搭建LNMP环境用到的依赖包 yum -y install gcc gcc-c++ libxml2 libxml2-devel openssl openssl-devel curl libcur ...

  3. manjaro手动安装Redis

    以前都是用的Windows系统,最近有被win10搞得有点烦,就入了manjaro的坑,windows下部分软件在manjaro安装记录,留个记录. 我的系统信息 下面开始正式干活. 一.准备步骤 下 ...

  4. reset.css文件下载及剖析

    @charset "utf-8"; /* http://meyerweb.com/eric/tools/css/reset/ v2.0-modified | 20110126 Li ...

  5. 云打印 对 追光的人 的Beta产品测试报告

    云打印 对追光的人的Beta产品测试报告 课程名称:软件工程1916|W(福州大学) 团队名称: 云打印 作业要求: 项目Beta冲刺(团队) 作业目标:作业集合 团队队员 队员学号 队员姓名 个人博 ...

  6. appuploader 使用

    mac 使用 Jar Lanucher.app 打开 解压后的 appuploader.jar 文件,即可启动 appuploader. 内容 网址 官方网站 http://www.appupload ...

  7. 教你如何解决WIN 10系统睡眠无法唤醒

    1.右击“开始菜单”,选择“电源选项”.   2.选择“更改计算机睡眠时间”. 3.选择“更改高级电源设置”.   4.选择“还原计划默认值”.   5.在弹出的对话框中选择“是 ”.   6.最后选 ...

  8. Redux的图文模型

    Also these are really nice (from http://slides.com/jenyaterpil/redux-from-twitter-hype-to-production ...

  9. python--面向对象编程之学生选课系统练习

    1.系统目录结构 文件夹注解: bin--系统管理员和学生的主程序代码 config--系统的配置文件 db--系统的数据文件 admin--管理员的数据文件 student--学生的数据文件 lib ...

  10. C和C++的不同点

    一.返回值 C中:如果函数未指定返回值类型,则默认为int c++中:如果一个函数没有返回值,返回值类型必须指定为void 二.参数列表 C中:如果函数没有指定参数列表,则默认可以接受任意多个参数 C ...