# Building an Elasticsearch 7.5 cluster (latest release)

## Environment

| Server | Spec | Role | OS | ES version |
|---|---|---|---|---|
| 10.100.12.144 | 16G RAM, 8 cores, 500G disk | node.master/node.data | CentOS 7.4 | es7.5 |
| 10.100.12.145 | 16G RAM, 8 cores, 500G disk | node.master/node.data | CentOS 7.4 | es7.5 |
| 10.100.12.146 | 16G RAM, 8 cores, 500G disk | node.master/node.data | CentOS 7.4 | es7.5 |
| 10.100.12.147 | 16G RAM, 8 cores, 500G disk | node.data | CentOS 7.4 | es7.5 |
| 10.100.12.148 | 16G RAM, 8 cores, 500G disk | node.data | CentOS 7.4 | es7.5 |

## Basic server tuning

### File handles

On Linux each process may open at most 1000 file handles by default, which is far too small for a server process. Raise the limits in /etc/security/limits.conf and /etc/security/limits.d/20-nproc.conf:

```
$ vi /etc/security/limits.conf
* soft nproc 1024000
* hard nproc 1024000
# nproc limits processes/threads; the open-file-handle limit the text refers to is nofile,
# and Elasticsearch's bootstrap check requires nofile >= 65535 for the service user
* soft nofile 1024000
* hard nofile 1024000
$ vi /etc/security/limits.d/20-nproc.conf
* soft nproc 65535
```

### Kernel tuning

```
$ cat /etc/sysctl.conf
# CTCDN system tuning parameters
# disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# how long before stale neighbour (ARP) entries are checked
net.ipv4.neigh.default.gc_stale_time=120
# use arp_announce / arp_ignore to fix ARP mapping problems
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
# avoid amplification attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# protect against bogus ICMP error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# enable reverse-path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# disable SysRq
kernel.sysrq = 0
# append the pid to core file names
kernel.core_uses_pid = 1
# enable SYN-flood protection (SYN cookies)
net.ipv4.tcp_syncookies = 1
# message queue sizes
kernel.msgmnb = 65536
kernel.msgmax = 65536
# max shared memory segment size (bytes)
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# number of TIME_WAIT sockets, default 180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# max packets queued per interface when packets arrive faster than the kernel processes them
net.core.netdev_max_backlog = 262144
# this limit exists only to guard against simple DoS attacks
net.ipv4.tcp_max_orphans = 3276800
# max connection requests still waiting for the client's ACK
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
# SYN-ACK retransmits before the kernel gives up on a connection
net.ipv4.tcp_synack_retries = 1
# SYN retransmits before the kernel gives up on a connection
net.ipv4.tcp_syn_retries = 1
# fast recycling of TIME_WAIT sockets
net.ipv4.tcp_tw_recycle = 1
# allow TIME_WAIT sockets to be reused for new TCP connections
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
# interval between TCP keepalive messages when keepalive is on; default is 2 hours
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
# local port range the system may use
net.ipv4.ip_local_port_range = 1024 65000
# conntrack table size, default 65536
net.netfilter.nf_conntrack_max=655350
net.netfilter.nf_conntrack_tcp_timeout_established=1200
# make sure nobody can alter the routing table through ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
fs.nr_open = 10000000
fs.file-max = 11000000
```

Note that `tcp_tw_recycle` depends on TCP timestamps, which this file disables, and it drops connections from clients behind NAT; the kernel removed the option in 4.12, so it is best left at 0.

## Installing ES

### Download the packages

```
$ cd /usr/local/src
$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.5.0-x86_64.rpm
$ wget https://artifacts.elastic.co/downloads/kibana/kibana-7.5.0-x86_64.rpm
## JDK 13 is recommended; download jdk-13.0.1_linux-x64_bin.rpm from
## https://www.oracle.com/technetwork/java/javase/downloads/jdk13-downloads-5672538.html
```

### Distribute the packages to the other machines

```
$ for i in 10.100.12.145 10.100.12.146 10.100.12.147 10.100.12.148 ;do scp /usr/local/src/jdk-13.0.1_linux-x64_bin.rpm $i:/usr/local/src/ ;done
$ for i in 10.100.12.145 10.100.12.146 10.100.12.147 10.100.12.148 ;do scp /usr/local/src/elasticsearch-7.5.0-x86_64.rpm $i:/usr/local/src/ ;done
```

### Install the JDK and ES on every node

```
$ yum localinstall -y /usr/local/src/jdk-13.0.1_linux-x64_bin.rpm
$ yum localinstall -y /usr/local/src/elasticsearch-7.5.0-x86_64.rpm
```

### Verify the JDK

```
$ java -version
java version "13.0.1" 2019-10-15
Java(TM) SE Runtime Environment (build 13.0.1+9)
Java HotSpot(TM) 64-Bit Server VM (build 13.0.1+9, mixed mode, sharing)
```

## Configuring ES (with SSL)

### Generate the certificates on the master node

The certutil tool lives under the Elasticsearch home directory, so it is run from there and told where to write its output:

```
$ mkdir -p /usr/share/elasticsearch/certs/
$ cd /usr/share/elasticsearch
$ ./bin/elasticsearch-certutil ca --out certs/elastic-stack-ca.p12
## note the path of elastic-stack-ca.p12 and enter a password (123456)
$ ./bin/elasticsearch-certutil cert --ca certs/elastic-stack-ca.p12 --out certs/elastic-certificates.p12
## note the path of elastic-certificates.p12 and enter a password (123456)
```

Copy elastic-certificates.p12 to /etc/elasticsearch/ on every node (it must sit somewhere below this directory; the node that generated it needs a copy there as well):

```
$ cp /usr/share/elasticsearch/certs/elastic-certificates.p12 /etc/elasticsearch/
$ for i in 10.100.12.145 10.100.12.146 10.100.12.147 10.100.12.148 ;do scp /usr/share/elasticsearch/certs/elastic-certificates.p12 $i:/etc/elasticsearch/;done
```

### Set the user passwords

```
$ ./bin/elasticsearch-setup-passwords interactive
```

This command talks to a running node over HTTP, so it only succeeds once a node with the security settings below is up.

### Add the settings to elasticsearch.yml

```
$ egrep -v '^#' /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
```

On every Elasticsearch node, add the certificate password (123456) to the elasticsearch-keystore:

```
$ bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
$ bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
```

The final configuration of the 3 master nodes is as follows (the only difference between them is node.name):

```
cluster.name: cluster-7.5.0
node.name: node-1
node.master: true
node.data: true
path.data: /home/work/elasticsearch/data
path.logs: /home/work/elasticsearch/logs
http.port: 9200
network.host: 0.0.0.0
discovery.seed_hosts: ["10.100.12.144", "10.100.12.145", "10.100.12.146"]
cluster.initial_master_nodes: ["10.100.12.144"]
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping_timeout: 60s # heartbeat timeout
discovery.zen.fd.ping_interval: 120s # node check interval
discovery.zen.fd.ping_timeout: 120s # ping timeout
discovery.zen.fd.ping_retries: 3 # heartbeat retries
gateway.recover_after_nodes: 4
gateway.recover_after_time: 10m
gateway.expected_nodes: 5
bootstrap.system_call_filter: false
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
```

`http.cors.allow-origin: "*"` lets any web origin send requests to port 9200 and `network.host: 0.0.0.0` binds every interface; in production, restrict the allowed origin to the Kibana host and firewall 9200/9300 to the cluster and Kibana machines.

The 2 data nodes do not take part in master election, so node.master is set to false for them (leaving the line out is not enough, because node.master defaults to true); remember to change node.name:

```
$ egrep -v '^#' /etc/elasticsearch/elasticsearch.yml
cluster.name: cluster-7.5.0
node.name: node-4 ## change this per node
node.master: false ## data-only node; the default is true, so the line must be present
node.data: true
path.data: /home/work/elasticsearch/data
path.logs: /home/work/elasticsearch/logs
http.port: 9200
network.host: 0.0.0.0
discovery.seed_hosts: ["10.100.12.144", "10.100.12.145", "10.100.12.146"]
cluster.initial_master_nodes: ["10.100.12.144"]
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping_timeout: 60s # heartbeat timeout
discovery.zen.fd.ping_interval: 120s # node check interval
discovery.zen.fd.ping_timeout: 120s # ping timeout
discovery.zen.fd.ping_retries: 3 # heartbeat retries
gateway.recover_after_nodes: 4
gateway.recover_after_time: 10m
gateway.expected_nodes: 5
bootstrap.system_call_filter: false
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true ## enable x-pack
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
```

ES must not be started as root, so a regular user is required. The package already created the elasticsearch group and user, but that account is nologin, so a regular user is created by hand as well.

```
## create the data directories
# mkdir -p /home/work/elasticsearch/{data,logs}
## create a regular account
# useradd elastic -G elasticsearch
# echo elastic | passwd elastic --stdin
## ownership
# chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/
# chown -R elasticsearch:elasticsearch /etc/elasticsearch/
# chown -R elasticsearch:elasticsearch /home/work/elasticsearch/
```

The RPM ships /etc/elasticsearch as root:elasticsearch; giving the service account ownership of its own config and keystore lets a compromised process rewrite them, so keeping the stock ownership is the safer choice.

### Start ES on all nodes

```
$ systemctl enable elasticsearch.service
$ systemctl start elasticsearch.service
```

After a short wait a master has been elected:

```
$ curl --user elastic:xx 'localhost:9200/_cat/master?v'
id                     host          ip            node
pMpl1On4TAmRlxUjm6IKcA 10.100.12.145 10.100.12.145 node-2
$ curl --user elastic:xx 'localhost:9200/_cat/nodes?v'
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.100.12.147           49          98  14    1.39    1.53     1.31 dilm      -      node-4
10.100.12.144           66          98  20    3.26    2.19     1.69 dilm      -      node-1
10.100.12.146           38          98  11    2.83    2.06     1.71 dilm      -      node-3
10.100.12.148           29          98  18    1.27    1.23     1.23 dilm      -      node-5
10.100.12.145           68          98  23    2.11    2.22     2.06 dilm      *      node-2
```

All five nodes report the `m` (master-eligible) role here, which is what happens when node.master is left at its default on the data nodes; with `node.master: false` on node-4 and node-5 their role column reads `dil`.

With the steps above the ES cluster installation is complete. ES 7 ships with x-pack, so nothing extra needs to be installed: it is turned on with `xpack.security.enabled: true`, and Kibana is used to display the x-pack security components. The next chapter installs Kibana.
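To check the transport-TLS and exposure settings of the elasticsearch.yml files above before a node is started, here is an added Python audit (example code, not from the original post). It parses only the flat `key: value` lines this page uses, the sample config is a constructed copy of the master-node file above, and the severities and the extra `xpack.security.http.ssl.enabled` check are my own choices.

```python
"""Audit the security-relevant keys of an elasticsearch.yml such as the one on this page.
Added example, not from the original post; SAMPLE_YML is a constructed copy of the page's
master-node config trimmed to the keys read, and only flat `key: value` lines are parsed."""
import json

SAMPLE_YML = """
network.host: 0.0.0.0
discovery.seed_hosts: ["10.100.12.144", "10.100.12.145", "10.100.12.146"]
discovery.zen.ping_timeout: 60s  # heartbeat timeout
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
"""

def parse_flat_yml(text):
    """Return {key: value}; '#' comments and blank lines are skipped, [...] lists decoded."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        value = value.strip('"')  # "*" -> *
        settings[key] = json.loads(value) if value.startswith("[") else value
    return settings

def audit(settings):
    """Return (severity, message) findings; an empty list means every check passed."""
    def on(key):  # a missing key counts as false, which is the ES default for these booleans
        return str(settings.get(key, "false")).lower() == "true"
    findings = []
    if not on("xpack.security.enabled"):
        findings.append(("HIGH", "xpack.security.enabled is not true: the cluster has no authentication"))
    if not on("xpack.security.transport.ssl.enabled"):
        findings.append(("HIGH", "transport TLS is off: node-to-node traffic is cleartext"))
    for store in ("keystore", "truststore"):
        path = settings.get(f"xpack.security.transport.ssl.{store}.path", "")
        if not path.startswith("/etc/elasticsearch/"):  # ES only loads these from the config dir
            findings.append(("HIGH", f"{store}.path must be under /etc/elasticsearch/, got {path!r}"))
    if not on("xpack.security.http.ssl.enabled"):
        findings.append(("MEDIUM", "HTTP TLS is off: basic-auth credentials sent to port 9200 travel in the clear"))
    if on("http.cors.enabled") and settings.get("http.cors.allow-origin") == "*":
        findings.append(("MEDIUM", "CORS allows every origin; restrict allow-origin to the Kibana host"))
    if settings.get("network.host") == "0.0.0.0":
        findings.append(("LOW", "network.host binds all interfaces; firewall 9200/9300 to cluster and Kibana hosts"))
    return findings
```

Run `audit(parse_flat_yml(open("/etc/elasticsearch/elasticsearch.yml").read()))` on a node to get the findings for its real config; the page's own master config yields two MEDIUM and one LOW finding.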