Elasticsearch 8.9
Add the package repository as described on the official site
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
apt update && apt install elasticsearch -y
SSL/TLS configuration
TLS for transport (node-to-node) connections
# Create the CA; by default it is written to elastic-stack-ca.p12
./bin/elasticsearch-certutil ca
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
Certificates written to /usr/share/elasticsearch/elastic-certificates.p12
# Copy elastic-certificates.p12 into /etc/elasticsearch (paths in elasticsearch.yml resolve relative to the config directory) and store its password in the keystore: enter the password you set above, or, if none, answer y and press Enter to store an empty one. Run the commands from /usr/share/elasticsearch.
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
vi /etc/elasticsearch/elasticsearch.yml
....
xpack.security.transport.ssl.enabled: true
# certificate: validate the chain to the CA only. full additionally requires the peer's hostname/IP to appear in the certificate's SAN, which the certificate generated above does not carry (see Error handling)
xpack.security.transport.ssl.verification_mode: certificate
# every node must present a CA-signed certificate to join the cluster
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
TLS for the HTTP (REST) interface
./bin/elasticsearch-certutil http
## Elasticsearch HTTP Certificate Utility
# Generate a CSR? n (we sign with our own CA rather than a corporate one)
Generate a CSR? [y/N] n
# Use the existing CA? y
Use an existing CA? [y/N]y
# Path to the CA, absolute or relative
CA Path: /etc/elasticsearch/certs/elastic-stack-ca.p12
# CA password; press Enter if none was set
Password for elastic-stack-ca.p12:
You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
# Validity period; 99 years is used here so the lab certificate never needs renewing. The tool's own advice is 90-120 days with automated renewal, or 3-5 years with a manual rotation; choose one of those for anything that outlives a lab, since a 99-year certificate means the key is never rotated.
For how long should your certificate be valid? [5y] 99y
# One certificate per node? y for a cluster, N for a single node
Generate a certificate per node? [y/N]
## Which hostnames will be used to connect to your nodes?
These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.
You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.
If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.
Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
# Hostname(s) bound into the certificate as DNS SANs; clients that check the name (verification_mode full, browsers, curl) only accept connections made via one of these
172-25-0-52
You entered the following hostnames.
- 172-25-0-52
# Confirm
Is this correct [Y/n]y
## Which IP addresses will be used to connect to your nodes?
If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.
If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.
Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
# If clients connect by IP instead of a DNS name, enter the IP here so it becomes an IP SAN
172.25.0.52
You entered the following IP addresses.
- 172.25.0.52
# Confirm
Is this correct [Y/n]y
## Other certificate options
Key Name: 172.25.0.52
Subject DN: CN=172, DC=25, DC=0, DC=52
Key Size: 2048
# Change any of these options? n
Do you wish to change any of these options? [y/N]n
## What password do you want for your private key(s)?
Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.
If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file: [<ENTER> for none] # leaving it empty is fine; the file then relies on filesystem permissions alone, so keep it readable only by the elasticsearch user
## Where should we save the generated files?
A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.
These files will be included in a single zip archive.
What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]
# Output archive path
Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip
# Enter the http.p12 password if you set one; otherwise answer y and press Enter to store an empty password
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
The http.p12 in the elasticsearch/ directory of the zip is the certificate for the HTTP layer. Copy it to /etc/elasticsearch/certs (readable by the elasticsearch user only, like the other keystores) and reference it in elasticsearch.yml:
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: /etc/elasticsearch/certs/http.p12
Start Elasticsearch
systemctl start elasticsearch
Managing the elastic user password
cd /usr/share/elasticsearch
./bin/elasticsearch-reset-password -u elastic
./bin/elasticsearch-reset-password -u kibana_system
The elasticsearch-ca.pem in the kibana/ directory of the zip is the CA certificate Kibana uses to verify its connection to Elasticsearch; copy it to /etc/kibana and reference it from kibana.yml. The kibana_system password can be kept in the Kibana keystore (bin/kibana-keystore add elasticsearch.password) instead of in clear text in kibana.yml; the value below is the author's lab example.
vi /etc/kibana/kibana.yml
server.port: 5601
server.host: "172.25.0.52"
# Kibana itself is served over plain HTTP here (server.ssl.enabled: false); only the Kibana -> Elasticsearch hop is TLS
server.publicBaseUrl: "http://172.25.0.52:5601"
server.ssl.enabled: false
elasticsearch.hosts: ["https://172.25.0.52:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "+J6E_*B"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid
i18n.locale: "zh-CN"
# Each key must be at least 32 characters; generate three distinct random values
# (bin/kibana-encryption-keys generate) rather than reusing one key or leaving the placeholder below in place
xpack.security.encryptionKey: "ddc36056634195bd634c756b4afc576e"
xpack.encryptedSavedObjects.encryptionKey: "ddc36056634195bd634c756b4afc576e"
xpack.reporting.encryptionKey: "your_secret_encryption_key_here"
Filebeat
Collect logs by attaching a Filebeat sidecar container to each service. The example below ships the nginx logs of the jp-ad-web pod. Note that the sidecar authenticates as the elastic superuser with the password as a literal env value in the Deployment; for anything beyond a lab, create a user with only the index privileges Filebeat needs and inject the password from a Kubernetes Secret via valueFrom.secretKeyRef.
Example
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.inputs:
      - type: filestream
        # each filestream input needs a unique id, otherwise Filebeat may re-read and duplicate data
        id: jp-ad-web-nginx
        paths:
          - /usr/local/nginx/logs/*
        # maximum size of a single log message; bytes beyond this are discarded (10 MB)
        message_max_bytes: 10485760
        # skip rotated archives
        exclude_files: ['\.gz$']
        # filestream takes multiline settings under parsers; the log input's top-level multiline.* keys are not honoured here
        parsers:
          - multiline:
              type: pattern
              pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
              # negate false: lines that match the pattern are continuation lines of the previous event;
              # negate true: lines that do NOT match are the continuation lines. Default false.
              negate: false
              # whether continuation lines are appended after (or prepended before) the event line
              match: after
        # processors:
        #   - add_kubernetes_metadata:
        #       host: ${NODE_NAME}
        #       matchers:
        #         - logs_path:
        #             logs_path: "/var/log/containers/"
        # For Java logs, use this multiline parser instead so stack traces are not split:
        #   parsers:
        #     - multiline:
        #         type: pattern
        #         pattern: '^[[:space:]]+'
        #         negate: false
        #         match: after
        #         max_lines: 500
    setup.template.name: "jp-ad-web"
    setup.template.pattern: "jp-ad-web-*"
    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      index: "jp-ad-web-%{+yyyy.MM}"
      username: ${ELASTICSEARCH_USERNAME}
      password: ${ELASTICSEARCH_PASSWORD}
      protocol: ${ELASTICSEARCH_PROTOCOL}
      ssl.certificate_authorities: ["/etc/es_ca.pem"]
  es_ca.pem: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jp-ad-web
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: jp-ad-web
  replicas: 3
  template:
    metadata:
      labels:
        app: jp-ad-web
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - topologyKey: kubernetes.io/hostname
              labelSelector:
                matchLabels:
                  app: jp-ad-web
      containers:
        - name: jp-ad-web
          image: 172.25.0.50/k8s/nginxfpm_bj_php8m
          readinessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            failureThreshold: 3
            periodSeconds: 20
            timeoutSeconds: 20
          livenessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            failureThreshold: 3
            periodSeconds: 10
            timeoutSeconds: 5
          resources:
            requests:
              memory: "512Mi"
              cpu: "100m"
            limits:
              memory: "1024Mi"
              cpu: "500m"
          volumeMounts:
            - name: nginxlog
              mountPath: /var/log/nginx
            - name: nginxweb
              mountPath: /jpdata/www
            - name: nginxconf
              mountPath: /etc/nginx/conf.d
          ports:
            - containerPort: 80
        - name: jp-ad-web-filebeat
          image: 172.25.0.50/k8s/filebeat:8.9.0
          args: [
            "-c", "/etc/filebeat.yml",
            "-e",
          ]
          resources:
            limits:
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 100Mi
          env:
            - name: ELASTICSEARCH_HOST
              value: 172.25.0.52
            - name: ELASTICSEARCH_PORT
              value: "9200"
            # superuser and literal password are the author's lab values; a least-privilege
            # user and valueFrom.secretKeyRef are the production shape
            - name: ELASTICSEARCH_USERNAME
              value: "elastic"
            - name: ELASTICSEARCH_PASSWORD
              value: "MOvrq7uV1Thv3yLz1gQO"
            - name: ELASTICSEARCH_PROTOCOL
              value: "https"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: config
              mountPath: /etc/filebeat.yml
              readOnly: true
              subPath: filebeat.yml
            - name: config
              mountPath: /etc/es_ca.pem
              subPath: es_ca.pem
            - name: nginxlog
              mountPath: /usr/local/nginx/logs
              readOnly: true
      volumes:
        - name: nginxlog
          nfs:
            server: 172.25.0.51
            path: "/jpdata/kubernetes/logs/unl/jp-ad-web/logs"
        - name: nginxweb
          nfs:
            server: 172.25.0.51
            path: "/jpdata/kubernetes/unl/jp-ad-web/nginx/www"
        - name: nginxconf
          nfs:
            server: 172.25.0.51
            path: "/jpdata/kubernetes/unl/jp-ad-web/nginx/conf.d"
        - name: config
          configMap:
            defaultMode: 0640
            name: filebeat-config
---
apiVersion: v1
kind: Service
metadata:
  name: jp-ad-web
  namespace: kube-system
  labels:
    app: jp-ad-web
spec:
  clusterIP: 172.24.11.73
  ports:
    - name: web-1
      port: 80
      targetPort: 80
    - name: web-2
      port: 81
      targetPort: 81
  selector:
    app: jp-ad-web
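The Filebeat manifest above and the fluent-bit configuration further down share the same three weak points: the shipper logs in as the elastic superuser, the password sits in the manifest as a literal env value (or as http_passwd), and, in the fluent-bit case, tls.verify Off switches certificate checking off. The script below is an added example, not part of the original notes: a small awk-based audit that flags those patterns in a manifest or shipper config before it is applied, so they do not reach the cluster. The sample file it writes is constructed for the demonstration and is not this page's manifest; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original notes): flag plain-text credentials, superuser
# log-shipper accounts and disabled TLS verification in a manifest or shipper config.
# Assumes only POSIX sh and awk; the sample file below is constructed for the demo.

# Prints one "file:line: message" per finding, then the finding count on the last line.
audit_log_shipper_config() {
  awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; findings++ }
    # env entry "name: ELASTICSEARCH_PASSWORD" followed directly by an inline "value:"
    /name:[ \t]*ELASTICSEARCH_PASSWORD/ { pw_line = NR; next }
    pw_line && NR == pw_line + 1 && /^[ \t]*value:/ {
      report("ELASTICSEARCH_PASSWORD is an inline literal; move it to a Secret and use valueFrom.secretKeyRef")
    }
    # fluent-bit http_passwd / kibana.yml elasticsearch.password written in clear
    /^[ \t]*(http_passwd|elasticsearch\.password:)[ \t]/ {
      report("plain-text password in config; use the keystore or a mounted Secret")
    }
    # shipping as the elastic superuser (env value or fluent-bit http_user)
    /^[ \t]*http_user[ \t]+elastic[ \t]*$/ || /^[ \t]*value:[ \t]*"?elastic"?[ \t]*$/ {
      report("authenticates as the elastic superuser; create a least-privilege writer user")
    }
    # certificate verification switched off
    /tls\.verify[ \t]+[Oo][Ff][Ff]/ || /verification_mode:[ \t]*none/ {
      report("TLS certificate verification disabled; set tls.verify On with tls.ca_file (or ssl.certificate_authorities)")
    }
    END { print findings + 0 }
  ' "$1"
}

# Finding count only (last line of the audit output).
count_findings() { audit_log_shipper_config "$1" | tail -n 1; }

# Constructed sample: a sidecar env block plus a fluent-bit [OUTPUT] section, with
# one correctly wired Secret reference so the audit can be seen to skip it.
write_sample_config() {
  cat > "$1" <<'EOF'
      env:
        - name: ELASTICSEARCH_USERNAME
          value: "elastic"
        - name: ELASTICSEARCH_PASSWORD
          value: "not-a-real-password"
        - name: ELASTICSEARCH_PASSWORD
          valueFrom:
            secretKeyRef:
              name: es-writer-credentials
              key: password
    [OUTPUT]
        Name        es
        http_user   elastic
        http_passwd not-a-real-password
        tls         On
        tls.verify  Off
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_log_shipper_config "$sample"   # 5 findings on the sample above
rm -f "$sample"
```

Run it against the rendered manifest (kubectl get deployment -o yaml, or the file before kubectl apply) and the fluent-bit.conf; a non-zero last line is the signal to wire the password through a Secret and turn verification back on.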
Java version
fluent-bit
fluent-bit.conf example, connecting to Elasticsearch over TLS. Two caveats on this config: tls.verify Off makes fluent-bit accept any certificate on port 9200, which undoes the CA work above (set tls.verify On and point tls.ca_file at the elasticsearch-ca.pem from the http zip), and http_user elastic is the superuser where a dedicated writer user would do. http_listen 0.0.0.0 also exposes the fluent-bit metrics API on every interface.
[SERVICE]
    flush              1
    daemon             Off
    log_file           /var/log/fluent-bit.log
    log_level          info
    parsers_file       parsers.conf
    plugins_file       plugins.conf
    http_server        on
    http_listen        0.0.0.0
    http_port          2020
    storage.metrics    on
[INPUT]
    Name               tail
    Path               /var/log/*
    Tag                test.*
    Mem_Buf_Limit      5MB
[OUTPUT]
    Name               es
    Match              test.*
    Host               172.25.0.52
    Port               9200
    http_user          elastic
    http_passwd        MOvrq7u
    Index              fluentbit-%Y.%m
    Type               flb_type
    Suppress_Type_Name On
    tls                on
    tls.verify         Off
fluent-bit Kubernetes YAML example
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config
  namespace: kube-system
  labels:
    k8s-app: fluent-bit
data:
  fluent-bit.conf: |
    [SERVICE]
        flush              1
        daemon             Off
        log_file           /var/log/fluent-bit.log
        log_level          info
        parsers_file       parsers.conf
        plugins_file       plugins.conf
        http_server        on
        http_listen        0.0.0.0
        http_port          2020
        storage.metrics    on
    [INPUT]
        Name               tail
        Path               /usr/local/nginx/logs/*
        Tag                test.*
        Mem_Buf_Limit      5MB
    [OUTPUT]
        Name               es
        Match              test.*
        Host               172.25.0.52
        Port               9200
        http_user          elastic
        http_passwd        MOvrq7uV1Thv3yLz1gQO
        Index              fluentbit-ad-web-%Y.%m
        Type               flb_type
        Suppress_Type_Name On
        tls                on
        tls.verify         Off
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jp-ad-web
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: jp-ad-web
  replicas: 3
  template:
    metadata:
      labels:
        app: jp-ad-web
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - topologyKey: kubernetes.io/hostname
              labelSelector:
                matchLabels:
                  app: jp-ad-web
      containers:
        - name: jp-ad-web
          image: 172.25.0.50/k8s/nginxfpm_bj_php8m
          readinessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            failureThreshold: 3
            periodSeconds: 20
            timeoutSeconds: 20
          livenessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            failureThreshold: 3
            periodSeconds: 10
            timeoutSeconds: 5
          resources:
            requests:
              memory: "512Mi"
              cpu: "100m"
            limits:
              memory: "1024Mi"
              cpu: "500m"
          volumeMounts:
            - name: nginxlog
              mountPath: /var/log/nginx
            - name: nginxweb
              mountPath: /jpdata/www
            - name: nginxconf
              mountPath: /etc/nginx/conf.d
          ports:
            - containerPort: 80
        - name: jp-ad-web-fluent-bit
          image: 172.25.0.50/k8s/fluent-bit:2.1.8-amd64
          args: [
            "-c", "/fluent-bit/etc/fluent-bit.conf"
          ]
          resources:
            limits:
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 100Mi
          # these env vars are not referenced by the fluent-bit.conf above, which hardcodes host and credentials
          env:
            - name: ELASTICSEARCH_HOST
              value: 172.25.0.52
            - name: ELASTICSEARCH_PORT
              value: "9200"
            - name: ELASTICSEARCH_USERNAME
              value: "elastic"
            - name: ELASTICSEARCH_PASSWORD
              value: "MOvrq7uV1Thv3yLz1gQO"
            - name: ELASTICSEARCH_PROTOCOL
              value: "https"
          volumeMounts:
            - name: config
              mountPath: /fluent-bit/etc/fluent-bit.conf
              readOnly: true
              subPath: fluent-bit.conf
            - name: nginxlog
              mountPath: /usr/local/nginx/logs
              readOnly: true
      volumes:
        - name: nginxlog
          nfs:
            server: 172.25.0.51
            path: "/jpdata/kubernetes/logs/unl/jp-ad-web/ngin-xfpm"
        - name: nginxweb
          nfs:
            server: 172.25.0.51
            path: "/jpdata/kubernetes/unl/jp-ad-web/nginx/www"
        - name: nginxconf
          nfs:
            server: 172.25.0.51
            path: "/jpdata/kubernetes/unl/jp-ad-web/nginx/conf.d"
        - name: config
          configMap:
            defaultMode: 0640
            name: fluent-bit-config
---
apiVersion: v1
kind: Service
metadata:
  name: jp-ad-web
  namespace: kube-system
  labels:
    app: jp-ad-web
spec:
  clusterIP: 172.24.11.73
  ports:
    - name: web-1
      port: 80
      targetPort: 80
    - name: web-2
      port: 81
      targetPort: 81
  selector:
    app: jp-ad-web
Kibana
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
apt update && apt install kibana -y
Error handling
Cluster mode: the certificate password was not stored in the keystore beforehand, which produces the following error
[2023-09-22T06:56:07,484][ERROR][o.e.b.Elasticsearch ] [test-es-02] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/certs/elastic-certificates.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:618) ~[?:?]
at java.util.HashMap.forEach(HashMap.java:1429) ~[?:?]
at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:614) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:159) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:502) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:342) ~[?:?]
at org.elasticsearch.node.Node.lambda$new$16(Node.java:738) ~[elasticsearch-8.10.2.jar:?]
at org.elasticsearch.plugins.PluginsService.lambda$flatMap$1(PluginsService.java:261) ~[elasticsearch-8.10.2.jar:?]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) ~[?:?]
at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[?:?]
at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[?:?]
at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[?:?]
at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[?:?]
at org.elasticsearch.node.Node.<init>(Node.java:754) ~[elasticsearch-8.10.2.jar:?]
at org.elasticsearch.node.Node.<init>(Node.java:338) ~[elasticsearch-8.10.2.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:234) ~[elasticsearch-8.10.2.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:234) ~[elasticsearch-8.10.2.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:72) ~[elasticsearch-8.10.2.jar:?]
Caused by: org.elasticsearch.common.ssl.SslConfigException: cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/certs/elastic-certificates.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
at org.elasticsearch.common.ssl.SslFileUtil.ioException(SslFileUtil.java:56) ~[?:?]
at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:98) ~[?:?]
at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:477) ~[?:?]
at java.util.HashMap.computeIfAbsent(HashMap.java:1228) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:616) ~[?:?]
... 23 more
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1500) ~[?:?]
at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:477) ~[?:?]
at java.util.HashMap.computeIfAbsent(HashMap.java:1228) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:616) ~[?:?]
... 23 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.io.IOException: Not the correct tag
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1500) ~[?:?]
at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:477) ~[?:?]
at java.util.HashMap.computeIfAbsent(HashMap.java:1228) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:616) ~[?:?]
... 23 more
If you set a password when generating the certificates, enter it at the prompts below; otherwise answer y and then press Enter to store an empty password
cd /usr/share/elasticsearch
# password of the transport (node-to-node) certificate, which serves as both keystore and truststore
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
# password of the HTTP certificate
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
Setting xpack.security.transport.ssl.verification_mode to full in elasticsearch.yml produced the following error. The transport certificate generated above with certutil cert --ca ... carries no Subject Alternative Names, so the peer's IP (172.23.100.52 here) cannot be matched against it
[2023-09-22T17:12:44,947][WARN ][o.e.t.TcpTransport ] [test-es-01] exception caught on transport layer [Netty4TcpChannel{localAddress=/172.23.100.51:58696, remoteAddress=/172.23.100.52:9300, profile=default}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No subject alternative names present
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:689) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:652) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[?:?]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
at java.lang.Thread.run(Thread.java:1623) ~[?:?]
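To see concretely what the two verification modes check, the script below is an added example, not part of the original notes and not Elasticsearch tooling. It builds a throwaway CA and two node certificates with openssl: one with no Subject Alternative Name, which is what elasticsearch-certutil cert --ca ... produces when run without --dns/--ip, and one carrying the DNS and IP SANs entered in the multi-node transcript further down (test-es-01 / 172.23.100.51). verify_chain is the check verification_mode: certificate performs; verify_full_ip and verify_full_dns add the peer-address match that full performs, and the no-SAN certificate fails exactly that step. Node names and IPs are the ones on this page; the CA name lab-ca, the temporary directory and the one-day validity are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes, not Elasticsearch tooling): reproduce
# with openssl what verification_mode "certificate" versus "full" checks.
# Assumes openssl 1.1.1+ on PATH; node names and IPs are the ones used on this page.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for elastic-stack-ca.p12 (the CN "lab-ca" is an assumption).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Node certificate signed by the CA. $1 = node name (becomes the CN),
# $2 = SAN list such as "DNS:test-es-01,IP:172.23.100.51", or "" for no SAN
# (which is what certutil cert --ca ... produces without --dns/--ip).
make_node_cert() {
  name=$1; san=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# verification_mode: certificate -> only the chain to the trusted CA is checked.
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# verification_mode: full -> chain plus the address the peer was reached at must be in the SAN.
# $1 = cert name, $2 = IP the other node connects to (IP checks never fall back to the CN).
verify_full_ip() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$2" "$WORK/$1.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# $1 = cert name, $2 = hostname the other node connects to.
verify_full_dns() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$WORK/$1.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

setup_lab() {
  make_ca
  make_node_cert test-es-02 ""                                   # no SAN at all
  make_node_cert test-es-01 "DNS:test-es-01,IP:172.23.100.51"    # SANs as entered in the http transcript
}

setup_lab
echo "certificate mode, cert without SAN        : $(verify_chain test-es-02)"                  # ok
echo "full mode, cert without SAN, peer by IP   : $(verify_full_ip test-es-02 172.23.100.52)"  # fail: the 'No subject alternative names present' case
echo "full mode, cert with SAN, peer by IP      : $(verify_full_ip test-es-01 172.23.100.51)"  # ok
echo "full mode, cert with SAN, peer by hostname: $(verify_full_dns test-es-01 test-es-01)"    # ok
```

The same checks can be run against a real node certificate by extracting it from the PKCS#12 file (openssl pkcs12 -in elastic-certificates.p12 -nokeys) and verifying it against the CA with -verify_ip set to the address the other nodes use; if that fails, full will fail in Elasticsearch too.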
Change verification_mode to certificate in elasticsearch.yml. certificate still validates the chain to the CA and, together with client_authentication: required, still limits the transport port to holders of a CA-issued certificate; it only drops the hostname/IP match. To keep full instead, regenerate the transport certificates with the node names and IPs as SANs (certutil cert with --dns/--ip, or one certificate per node as in the multi-node transcript below).
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
Elasticsearch hprof files taking up disk space
Under /var/lib/elasticsearch/ you may find many files with an .hprof suffix, such as java_pid12589.hprof.
These are JVM heap dumps: a snapshot of the JVM's memory at a point in time, used to diagnose memory leaks, inspect object allocation and analyse how objects are distributed in the heap.
File name: java_pid12589 means the dump was written by the Java process with PID 12589. Cause: the JVM writes one automatically on OutOfMemoryError (the package's jvm.options enables -XX:+HeapDumpOnOutOfMemoryError with -XX:HeapDumpPath=/var/lib/elasticsearch), or one was created by hand with jmap -dump. Use: open the file in VisualVM, Eclipse MAT, JProfiler or a similar tool to find leaks and bottlenecks. If you do not need the analysis and the files are large, delete them. Two caveats: a steady stream of dumps means the node keeps hitting OOM, so the heap size or query load needs attention and not just the disk; and a heap dump contains whatever was in memory, credentials and document contents included, so treat it as sensitive and do not copy it off the host casually.
Multi-node
Full elasticsearch-certutil http transcript for a three-node cluster, generating one certificate per node (test-es-01/02/03 with their IPs as SANs); the resulting zip contains one http.p12 per node under elasticsearch/<node name>/.
root@jp:/usr/share/elasticsearch# ./bin/elasticsearch-certutil http
## Elasticsearch HTTP Certificate Utility
The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.
This tool will ask you a number of questions in order to generate the right
set of files for your needs.
## Do you wish to generate a Certificate Signing Request (CSR)?
A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).
If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.
If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.
Generate a CSR? [y/N]
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?
If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.
If you do not have an existing CA, one will be generated for you.
Use an existing CA? [y/N]y
## What is the path to your CA?
Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /usr/share/elasticsearch/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:
## How long should your certificates be valid?
Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.
Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.
You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
For how long should your certificate be valid? [5y] 99y
## Do you wish to generate one certificate per node?
If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.
Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.
If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.
However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.
Generate a certificate per node? [y/N]y
## What is the name of node #1?
This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.
You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.
node #1 name: test-es-01
## Which hostnames will be used to connect to test-es-01?
These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.
You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.
If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.
Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
test-es-01
You entered the following hostnames.
- test-es-01
Is this correct [Y/n]
## Which IP addresses will be used to connect to test-es-01?
If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.
If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.
Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
172.23.100.51
You entered the following IP addresses.
- 172.23.100.51
Is this correct [Y/n]
## Other certificate options
The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.
Key Name: test-es-01
Subject DN: CN=test-es-01
Key Size: 2048
Do you wish to change any of these options? [y/N]
Generate additional certificates? [Y/n]
## What is the name of node #2?
This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.
You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.
node #2 name: test-es-02
## Which hostnames will be used to connect to test-es-02?
These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.
You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.
If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.
Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
test-es-02
You entered the following hostnames.
- test-es-02
Is this correct [Y/n]
## Which IP addresses will be used to connect to test-es-02?
If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.
If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.
Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
172.23.100.52
You entered the following IP addresses.
- 172.23.100.52
Is this correct [Y/n]
## Other certificate options
The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.
Key Name: test-es-02
Subject DN: CN=test-es-02
Key Size: 2048
Do you wish to change any of these options? [y/N]
Generate additional certificates? [Y/n]
## What is the name of node #3?
This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.
You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.
node #3 name: test-es-03
## Which hostnames will be used to connect to test-es-03?
These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.
You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.
If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.
Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
test-es-03
You entered the following hostnames.
- test-es-03
Is this correct [Y/n]
## Which IP addresses will be used to connect to test-es-03?
If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.
If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.
Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
172.23.100.53
You entered the following IP addresses.
- 172.23.100.53
Is this correct [Y/n]
## Other certificate options
The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.
Key Name: test-es-03
Subject DN: CN=test-es-03
Key Size: 2048
Do you wish to change any of these options? [y/N]
Generate additional certificates? [Y/n]n
## What password do you want for your private key(s)?
Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.
If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file: [<ENTER> for none]
## Where should we save the generated files?
A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.
These files will be included in a single zip archive.
What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]
Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip