ElasticSearch + SearchGuard cluster setup
Contents
Background
  Solution
  Preparation
ElasticSearch cluster
  System tuning
  Install Java
  Install ElasticSearch
  Install the Search Guard plugin
  Generate certificates
  Configuration
  Users, roles and passwords
  Add the service management script
  Change file ownership
  Start the service
  Initialize Search Guard
  View cluster status
Kibana deployment
  Dockerfile
  Build on the base image from the internal registry
  Build the image and create the container
  Log in to Kibana
  Initial settings
Certificate replacement
  Newly generated certificate files
Reprinted from: https://juejin.im/post/5d4d37e8e51d453b7779d504
Background
The business's original ES cluster needs its certificates replaced because they have expired. Renewing the certificates requires restarting the whole cluster, and since the business is highly sensitive, taking the entire cluster's external service down is not acceptable.
Solution
1. OP deploys a new ES cluster whose version and configuration match the original cluster.
2. RD develops a program that imports the historical data into the new cluster.
3. The business service is adapted to work against both clusters.
4. Once the data in the two clusters is consistent, OP and RD cooperate to switch the business traffic over.
Finally, OP prepares the certificate update of the existing cluster.
Preparation
ES version: 5.5.1
JAVA version: jdk 1.8.0_161
Cluster layout:
3 Master Nodes (56 cores / 128G / 3.7T):
10.90.104.133
10.90.105.133
10.90.106.133
5 Data Nodes (56 cores / 128G / 3.7T):
10.90.107.132
10.90.108.132
10.90.109.133
10.90.110.133
10.90.111.133
Ports: 9201 (http) / 9301 (transport)
System tuning
$ sudo sysctl -w vm.max_map_count=262144
$ grep vm.max_map_count /etc/sysctl.conf
$ echo vm.max_map_count=262144 >> /etc/sysctl.conf
or
$ vi /etc/sysctl.conf
vm.max_map_count=262144
Install Java
jdk1.8.0_161 (the Oracle download link below may now return 404)
$ wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u161-b12/2f38c3b165be4555a1fa6e98c45e0808/jdk-8u161-linux-x64.tar.gz
Create the install directory and unpack the archive:
$ mkdir -p /usr/local/java/jdk1.8.0_161/
$ cp jdk-8u161-linux-x64.tar.gz /usr/local/java/jdk1.8.0_161/
$ cd /usr/local/java/jdk1.8.0_161/
$ tar zxf jdk-8u161-linux-x64.tar.gz && rm -rf jdk-8u161-linux-x64.tar.gz
Register java with alternatives (use --install first, then --config to select it):
$ alternatives --install /usr/bin/java java /usr/local/java/jdk1.8.0_161/bin/java 2
$ alternatives --config java
There are 4 programs which provide 'java'.
Selection Command
-----------------------------------------------
1 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.91-2.6.2.3.el7.x86_64/jre/bin/java
*+ 2 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64/jre/bin/java
3 /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
4 /usr/local/java/jdk1.8.0_161/bin/java
Enter to keep the current selection[+], or type selection number: 4
Likewise register jar and javac:
alternatives --install /usr/bin/jar jar /usr/local/java/jdk1.8.0_161/bin/jar 2
alternatives --install /usr/bin/javac javac /usr/local/java/jdk1.8.0_161/bin/javac 2
alternatives --set jar /usr/local/java/jdk1.8.0_161/bin/jar
alternatives --set javac /usr/local/java/jdk1.8.0_161/bin/javac
$ vim /etc/bashrc
export JAVA_HOME=/usr/local/java/jdk1.8.0_161
export JRE_HOME=/usr/local/java/jdk1.8.0_161/jre
export PATH=/root/perl5/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/usr/local/java/jdk1.8.0_161/bin:/usr/local/java/jdk1.8.0_161/jre/bin
Verify the java version:
$ java -version
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
Install ElasticSearch
$ adduser -U -s /sbin/nologin elasticsearch
$ mkdir -p /usr/local/elasticsearch
$ mkdir -p /data/elasticsearch/my-project
$ mkdir -p /data/logs/elasticsearch/my-project/{log,pid}
Download ES 5.5.1:
$ cd /usr/local/elasticsearch
$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.5.1.tar.gz
$ tar zxf elasticsearch-5.5.1.tar.gz && rm -rf elasticsearch-5.5.1.tar.gz
$ mv elasticsearch-5.5.1 my-project
Install the Search Guard plugin
$ cd {PROJECT_NAME}
$ wget http://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-5/5.5.1-15/search-guard-5-5.5.1-15.zip
$ bin/elasticsearch-plugin install search-guard-5-5.5.1-15.zip
Generate certificates
Use the example PKI scripts from the search-guard-ssl repository:
$ git clone https://github.com/floragunncom/search-guard-ssl.git
$ cd search-guard-ssl/example-pki-scripts/
$ ./clean.sh
$ ./gen_root_ca.sh kubernetes- kubernetes- # COMMAND
$ ./gen_node_cert.sh k8s-es-node kubernetes- kubernetes- # COMMAND
$ ./gen_client_node_cert.sh sgadmin kubernetes- kubernetes- # COMMAND
Copy the generated keystores into the config directory:
$ cp *jks /usr/local/elasticsearch/my-project/config/
Configure ElasticSearch
$ cd /usr/local/elasticsearch/my-project/config/
$ mv elasticsearch.yml{,.bak}
Master nodes (3 dedicated masters):
Note: master-only nodes, http disabled
$ vim elasticsearch.yml
cluster.name: my-project-es
node.name: 10.90.104.133
node.master: true
node.data: false
node.ingest: false
path:
  data:
    - /data/elasticsearch/my-project
  logs: /data/logs/elasticsearch/my-project/log
thread_pool.index.queue_size: 1000
thread_pool.bulk.queue_size: 1000
bootstrap.memory_lock: true
network.host: 10.90.104.133
http.port: 9201
transport.tcp.port: 9301
http:
  enabled: false
  compression: true
  cors:
    enabled: true
    allow-origin: "*"
    allow-headers: Authorization
discovery.zen.ping.unicast.hosts: [10.90.104.133:9301,10.90.105.133:9301,10.90.106.133:9301]
discovery.zen.minimum_master_nodes: 2
searchguard.ssl.transport.keystore_filepath: node-k8s-es-node-keystore.jks
searchguard.ssl.transport.keystore_password: kubernetes-
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: kubernetes-
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn:
  - CN=sgadmin,OU=client,O=client,L=test,C=DE
JVM heap:
$ vim jvm.options
...
-Xms20g
-Xmx20g
...
Data nodes (5 nodes):
Note: http enabled
$ vim elasticsearch.yml
cluster.name: my-project-es
node.name: 10.90.107.132
node.master: false
node.data: true
node.ingest: true
path:
  data:
    - /data/elasticsearch/my-project
  logs: /data/logs/elasticsearch/my-project/log
thread_pool.index.queue_size: 1000
thread_pool.bulk.queue_size: 1000
bootstrap.memory_lock: true
network.host: 10.90.107.132
http.port: 9201
transport.tcp.port: 9301
http:
  enabled: true
  compression: true
  cors:
    enabled: true
    allow-origin: "*"
    allow-headers: Authorization
discovery.zen.ping.unicast.hosts: [10.90.104.133:9301,10.90.105.133:9301,10.90.106.133:9301]
discovery.zen.minimum_master_nodes: 2
searchguard.ssl.transport.keystore_filepath: node-k8s-es-node-keystore.jks
searchguard.ssl.transport.keystore_password: kubernetes-
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: kubernetes-
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn:
  - CN=sgadmin,OU=client,O=client,L=test,C=DE
JVM heap:
$ vim jvm.options
...
-Xms63g
-Xmx63g
...
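The node settings above are worth auditing before the cluster goes live, so here is an added example (written for this page, not code from the original post or from Search Guard) that flattens the nested YAML keys of elasticsearch.yml into the dotted form Elasticsearch itself accepts and flags the three points a reviewer would raise: transport hostname verification switched off, a CORS wildcard origin, and no searchguard.ssl.http.enabled, which is why Kibana and curl later in the post talk plain http with basic-auth credentials. The parser is a minimal one for the YAML subset the post uses, and SAMPLE_CONFIG is a constructed excerpt of the data-node file.

```python
from typing import Dict, List, Tuple
# Constructed excerpt of the data-node elasticsearch.yml shown in the post.
SAMPLE_CONFIG = """\
cluster.name: my-project-es
http.port: 9201
http:
  enabled: true
  cors:
    enabled: true
    allow-origin: "*"
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn:
  - CN=sgadmin,OU=client,O=client,L=test,C=DE
"""

def flatten_yaml(text: str) -> Dict[str, object]:
    """Flatten the YAML subset of elasticsearch.yml (nested maps, '- item' lists) into dotted keys."""
    out: Dict[str, object] = {}
    stack: List[Tuple[int, str]] = []              # (indent, key) of the mappings still open
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and indent <= stack[-1][0]:    # outdented: close those mappings
            stack.pop()
        prefix = ".".join(k for _, k in stack)
        line = raw.strip()
        if line.startswith("- "):                  # list item belongs to the enclosing key
            out.setdefault(prefix, []).append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"')
        if value == "":                            # the key opens a nested mapping or list
            stack.append((indent, key))
        else:
            out[f"{prefix}.{key}" if prefix else key] = {"true": True, "false": False}.get(value, value)
    return out

def audit(settings: Dict[str, object]) -> List[str]:
    """Findings a reviewer would raise against the flattened node settings."""
    findings: List[str] = []
    if settings.get("searchguard.ssl.transport.enforce_hostname_verification") is False:
        findings.append("transport TLS accepts any peer hostname")
    if settings.get("http.enabled", True) is not False:           # node serves the REST API
        if settings.get("searchguard.ssl.http.enabled") is not True:
            findings.append("REST API is plain HTTP: basic-auth credentials travel in clear")
        if settings.get("http.cors.enabled") is True and settings.get("http.cors.allow-origin") == "*":
            findings.append("CORS allows any origin")
    return findings
```

Run `audit(flatten_yaml(open("elasticsearch.yml").read()))` on each node's file; the master-only nodes pass the HTTP checks because http.enabled is false there.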
Users, roles and passwords
$ cd /usr/local/elasticsearch/my-project/plugins/search-guard-5
$ sh tools/hash.sh -p ICdsy1B3j68Tr4w2
$2a$12$BrsaHcr6q0SawxbJtjN46ORVcYsdLH1hQSwVTW4vbUAOwUckpWCbe
Edit the internal user database and add a myuser entry:
$ vim sgconfig/sg_internal_users.yml
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
admin:
  hash: $2a$12$BrsaHcr6q0SawxbJtjN46ORVcYsdLH1hQSwVTW4vbUAOwUckpWCbe
  #password is: ICdsy1B3j68Tr4w2
logstash:
  hash: $2a$12$BrsaHcr6q0SawxbJtjN46ORVcYsdLH1hQSwVTW4vbUAOwUckpWCbe
  #password is: ICdsy1B3j68Tr4w2
kibanaserver:
  hash: $2a$12$BrsaHcr6q0SawxbJtjN46ORVcYsdLH1hQSwVTW4vbUAOwUckpWCbe
  #password is: ICdsy1B3j68Tr4w2
kibanaro:
  hash: $2a$12$BrsaHcr6q0SawxbJtjN46ORVcYsdLH1hQSwVTW4vbUAOwUckpWCbe
  #password is: ICdsy1B3j68Tr4w2
  roles:
    - kibanarole
readall:
  hash: $2a$12$BrsaHcr6q0SawxbJtjN46ORVcYsdLH1hQSwVTW4vbUAOwUckpWCbe
  #password is: ICdsy1B3j68Tr4w2
myuser:
  hash: $2a$12$BrsaHcr6q0SawxbJtjN46ORVcYsdLH1hQSwVTW4vbUAOwUckpWCbe
  # password is: ICdsy1B3j68Tr4w2
Map myuser to the sg_all_access role (the same role admin has):
$ vim sgconfig/sg_roles_mapping.yml
...
# grants full access
sg_all_access:
  users:
    - admin
    - myuser
...
Add the service management script
$ vim /usr/lib/systemd/system/es-my-project.service
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
Environment=ES_HOME=/usr/local/elasticsearch/my-project
Environment=CONF_DIR=/usr/local/elasticsearch/my-project/config
Environment=PID_DIR=/data/logs/elasticsearch/my-project/pid
WorkingDirectory=/usr/local/elasticsearch/my-project
User=elasticsearch
Group=elasticsearch
ExecStartPre=/usr/local/elasticsearch/my-project/bin/elasticsearch-systemd-pre-exec
ExecStart=/usr/local/elasticsearch/my-project/bin/elasticsearch \
  -p ${PID_DIR}/elasticsearch.pid \
  -Edefault.path.conf=${CONF_DIR}
StandardOutput=journal
StandardError=inherit
LimitNOFILE=65536
LimitNPROC=2048
LimitMEMLOCK=infinity
TimeoutStopSec=0
KillSignal=SIGTERM
KillMode=process
SendSIGKILL=no
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target
Change file ownership
chown -R elasticsearch:elasticsearch /usr/local/elasticsearch
chown -R elasticsearch:elasticsearch /data/logs/elasticsearch
chown -R elasticsearch:elasticsearch /data/elasticsearch
chown -R elasticsearch:elasticsearch /usr/lib/systemd/system/es-my-project.service
Start the service
sudo systemctl daemon-reload
sudo systemctl enable es-my-project.service
sudo systemctl start es-my-project
Initialize Search Guard
Run sgadmin on one node (a master here) to load the sgconfig directory into the ES cluster:
$ cd /usr/local/elasticsearch/my-project/plugins/search-guard-5/tools
$ ./sgadmin.sh --hostname 10.90.104.133 --port 9301 \
  -cd ../sgconfig/ \
  -ks /usr/local/elasticsearch/my-project/config/sgadmin-keystore.jks \
  -kspass kubernetes- \
  -ts /usr/local/elasticsearch/my-project/config/truststore.jks \
  -tspass kubernetes- \
  -nhnv --diagnose -cn my-project-es
View cluster status
$ curl -u myuser:ICdsy1B3j68Tr4w2 -XGET http://10.90.107.132:9201/_cluster/health?pretty
{
  "cluster_name" : "my-project-es",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 4,
  "active_shards" : 9,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
Kibana deployment
Dockerfile:
FROM docker.xxx.com/library/kibana-searchguard:5.5.1
ENV CLUSTER_NAME=my-project-es \
SERVER_BASEPATH= \
ELASTICSEARCH_URL="http://10.90.107.132:9201" \
XPACK_SECURITY_ENABLED=false \
XPACK_GRAPH_ENABLED=false \
XPACK_ML_ENABLED=false \
ELASTICSEARCH_USERNAME=kibanaserver \
ELASTICSEARCH_PASSWORD=ICdsy1B3j68Tr4w2
# port is 5601
Build on the base image from the internal registry
Build the image and create the container:
$ docker build -t my-project-kibana .
$ docker run -d my-project-kibana
Log in to Kibana
Initial settings
Certificate replacement
Copy the newly generated certificate files (*.jks) into the config directory of the original cluster, then restart the ES cluster and Search Guard.
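Expired node certificates are what forced this whole migration, so a defender wants the keystores' expiry checked well before it happens. The following added example (not from the original post) parses the `Valid from: ... until: ...` lines printed by `keytool -list -v -keystore node-k8s-es-node-keystore.jks` and lists the aliases whose chain expires within a warning window; SAMPLE_KEYTOOL_OUTPUT is a constructed excerpt, and the date format assumes keytool's default English locale.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed excerpt of `keytool -list -v` output for a Search Guard node keystore.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Your keystore contains 2 entries

Alias name: k8s-es-node
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=k8s-es-node, OU=SSL, O=Test, L=Test, C=DE
Valid from: Tue Aug 06 10:00:00 UTC 2019 until: Wed Aug 05 10:00:00 UTC 2020
Certificate[2]:
Owner: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Valid from: Tue Aug 06 10:00:00 UTC 2019 until: Fri Aug 03 10:00:00 UTC 2029

Alias name: root-ca-chain
Entry type: trustedCertEntry
Owner: CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Valid from: Tue Aug 06 10:00:00 UTC 2019 until: Fri Aug 03 10:00:00 UTC 2029
"""

DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"          # keytool's default English-locale date format
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")

def parse_keytool_expiry(output: str) -> Dict[str, datetime]:
    """Map each alias to the earliest 'until' date in its chain (leaf and CA certs alike)."""
    expiry: Dict[str, datetime] = {}
    alias = None
    for line in output.splitlines():
        if line.startswith("Alias name: "):
            alias = line[len("Alias name: "):].strip()
            continue
        m = VALID_RE.match(line)
        if m and alias:
            until = datetime.strptime(m.group(2).strip(), DATE_FMT)
            expiry[alias] = min(expiry.get(alias, until), until)
    return expiry

def expiring_aliases(output: str, as_of: str, warn_days: int = 30) -> List[str]:
    """Aliases whose chain expires, or has already expired, within warn_days of as_of (ISO date)."""
    limit = datetime.fromisoformat(as_of) + timedelta(days=warn_days)
    return sorted(a for a, until in parse_keytool_expiry(output).items() if until <= limit)
```

Feed it the real output (`keytool -list -v -keystore <file> -storepass <pass>`) from a cron job on each node and alert on a non-empty result, so the replacement described above can be scheduled instead of forced.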