环境准备
主机要求
- 至少3台主机(推荐奇数个节点)
- Docker和Docker Compose已安装
- 主机间网络互通
- 每台主机至少4GB内存
主机信息示例
- 主机1: 192.168.1.10 (es-node-1)
- 主机2: 192.168.1.11 (es-node-2)
- 主机3: 192.168.1.12 (es-node-3)
第一步:准备工作
1. 在每台主机上创建目录结构
|
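# Create the directory layout that docker-compose.yml bind-mounts into the container.
mkdir -p /opt/elasticsearch/{data,logs,config,certs}
# Elasticsearch inside the image runs as uid/gid 1000 (the same id used for --user
# and chown later on this page). Give that user ownership instead of opening the
# data and log directories to every local account with mode 777.
chown -R 1000:1000 /opt/elasticsearch/data /opt/elasticsearch/logs
chmod 750 /opt/elasticsearch/data /opt/elasticsearch/logs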
|
2. 设置系统参数
|
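# Kernel mmap limit required by Elasticsearch. Append only when the line is not
# already present, so re-running this step does not pile up duplicates.
grep -qxF 'vm.max_map_count=262144' /etc/sysctl.conf \
  || echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
sysctl -p
# Raise the open-file limit for all users; same idempotence guard as above.
for limit in '* soft nofile 65536' '* hard nofile 65536'; do
  grep -qxF "$limit" /etc/security/limits.conf \
    || echo "$limit" >> /etc/security/limits.conf
done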
|
3. 创建Docker网络(每台主机)
|
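# Create the user-defined network that docker-compose.yml declares as external.
# Skip creation when it already exists so this step is safe to run again.
docker network inspect elasticsearch-net >/dev/null 2>&1 \
  || docker network create elasticsearch-net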
|
第二步:生成SSL证书
在第一台主机上生成证书
|
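# The throw-away containers below run as uid 1000 (--user), so that user must
# own the bind-mounted certificate directory before anything is written there.
sudo chown -R 1000:1000 /opt/elasticsearch/certs
sudo chmod 755 /opt/elasticsearch/certs

ES_IMAGE=docker.elastic.co/elasticsearch/elasticsearch:8.19.3
CERTS_HOST=/opt/elasticsearch/certs
CERTS_CTR=/usr/share/elasticsearch/config/certs
# name:ip pairs - keep in sync with the host list at the top of this page and
# with node.name / publish_host in each docker-compose.yml.
NODES="es-node-1:192.168.1.10 es-node-2:192.168.1.11 es-node-3:192.168.1.12"

# Run elasticsearch-certutil in a temporary container with the certificate
# directory mounted; every argument is passed through to certutil.
run_certutil() {
  docker run --rm --user 1000:1000 \
    -v "$CERTS_HOST:$CERTS_CTR" \
    "$ES_IMAGE" \
    elasticsearch-certutil "$@"
}

# Method 1 (recommended): one private CA plus one CA-signed certificate per node.
# --pass '' stores every PKCS#12 file without a password, so file ownership and
# mode are the only protection for the private keys; a real password can be
# handed to the nodes through the Elasticsearch keystore
# (xpack.security.transport.ssl.keystore.secure_password) instead of the command line.
method1_ca_signed() {
  # 1. Generate the CA.
  run_certutil ca --out "$CERTS_CTR/elastic-stack-ca.p12" --pass ''
  # 2. One certificate per node; the SANs cover only that node's own name and
  #    IP plus localhost.
  for node in $NODES; do
    name=${node%%:*}
    ip=${node##*:}
    run_certutil cert \
      --name "$name" \
      --dns "$name,localhost" \
      --ip "$ip,127.0.0.1" \
      --ca "$CERTS_CTR/elastic-stack-ca.p12" \
      --ca-pass '' \
      --out "$CERTS_CTR/$name.p12" \
      --pass ''
  done
  # 3. Keep the unprotected keystores readable by uid 1000 only, then verify.
  chmod 600 "$CERTS_HOST"/*.p12
  ls -la "$CERTS_HOST/"
}

# Method 2 (fallback if method 1 misbehaves): describe all instances in a YAML
# file and let certutil emit one bundle. Needs the CA from method 1, step 1.
method2_from_instances_yml() {
  cat > "$CERTS_HOST/instances.yml" << 'EOF'
instances:
  - name: es-node-1
    dns:
      - es-node-1
      - localhost
    ip:
      - 192.168.1.10
      - 127.0.0.1
  - name: es-node-2
    dns:
      - es-node-2
      - localhost
    ip:
      - 192.168.1.11
      - 127.0.0.1
  - name: es-node-3
    dns:
      - es-node-3
      - localhost
    ip:
      - 192.168.1.12
      - 127.0.0.1
EOF
  run_certutil cert \
    --silent \
    --ca "$CERTS_CTR/elastic-stack-ca.p12" \
    --ca-pass '' \
    --in "$CERTS_CTR/instances.yml" \
    --out "$CERTS_CTR/bundle.zip" \
    --pass ''
  # certutil nests each instance's keystore in a sub-directory inside the zip
  # (confirm with `unzip -l bundle.zip`); -j flattens them so the keystore
  # paths in docker-compose.yml resolve.
  (cd "$CERTS_HOST" && unzip -j bundle.zip)
  # The extracted files belong to whoever ran unzip; hand them back to uid 1000.
  sudo chown -R 1000:1000 "$CERTS_HOST"
}

# Method 3 (last resort): independent self-signed certificates. The nodes share
# no CA, so they cannot validate each other's certificate; this only works with
# xpack.security.transport.ssl.verification_mode=none, which encrypts the
# transport but does not authenticate peers.
method3_self_signed() {
  for node in $NODES; do
    name=${node%%:*}
    ip=${node##*:}
    run_certutil cert \
      --self-signed \
      --name "$name" \
      --dns "$name,localhost" \
      --ip "$ip,127.0.0.1" \
      --out "$CERTS_CTR/$name.p12" \
      --pass ''
  done
}

# Run exactly one method; each of them overwrites the *.p12 files of the others.
method1_ca_signed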
|
将证书复制到其他主机
|
# Push the certificate directory from host 1 to hosts 2 and 3 (same path on each).
for target in 192.168.1.11 192.168.1.12; do
  scp -r /opt/elasticsearch/certs "root@${target}:/opt/elasticsearch/"
done
|
去其他机器修改证书属主,不然起不来!
|
# scp left the copied files owned by root; Elasticsearch in the container runs as
# uid 1000 and must be able to read its keystore.
chown -R 1000:1000 -- /opt/elasticsearch/certs
|
第三步:创建配置文件
主机1 (192.168.1.10)
/opt/elasticsearch/docker-compose.yml
|
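services:
  es-node-1:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.19.3
    container_name: es-node-1
    environment:
      - node.name=es-node-1
      - cluster.name=my-es-cluster
      # Seed and publish addresses use the host IPs from the host list on this
      # page; they also have to match the --ip SANs the certificates were
      # generated with, otherwise peer verification fails.
      - discovery.seed_hosts=192.168.1.10:9300,192.168.1.11:9300,192.168.1.12:9300
      - cluster.initial_master_nodes=es-node-1,es-node-2,es-node-3
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
      - network.host=0.0.0.0
      - network.publish_host=192.168.1.10
      - transport.host=0.0.0.0
      - http.host=0.0.0.0
      - transport.port=9300
      - transport.publish_host=192.168.1.10
      - http.port=9200
      # X-Pack security settings
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-1.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/certs/es-node-1.p12
      # "certificate" requires peer certificates to chain to the CA in the
      # truststore, which the CA-signed certificates from method 1/2 satisfy.
      # "none" only encrypts the transport and accepts any certificate; it is
      # needed solely for the self-signed fallback (method 3), which has no CA.
      - xpack.security.transport.ssl.verification_mode=certificate
      # With HTTP TLS off, the elastic user's basic-auth credentials cross the
      # network in clear text. The keystore below is already wired up, so
      # setting this to true is enough for HTTPS; the curl examples later on
      # this page use https:// and assume it is enabled.
      - xpack.security.http.ssl.enabled=false
      - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-1.p12
      - xpack.license.self_generated.type=basic
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /opt/elasticsearch/data:/usr/share/elasticsearch/data
      - /opt/elasticsearch/logs:/usr/share/elasticsearch/logs
      - /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs
    ports:
      # Published on every host interface; restrict with a host firewall if the
      # host is reachable from untrusted networks.
      - "9200:9200"
      - "9300:9300"
    networks:
      - elasticsearch-net
    restart: unless-stopped
networks:
  elasticsearch-net:
    # Created beforehand with `docker network create elasticsearch-net`.
    external: true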
|
主机2 (192.168.1.11)
/opt/elasticsearch/docker-compose.yml
|
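services:
  es-node-2:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.19.3
    container_name: es-node-2
    environment:
      - node.name=es-node-2
      - cluster.name=my-es-cluster
      # Seed and publish addresses use the host IPs from the host list on this
      # page; they also have to match the --ip SANs the certificates were
      # generated with, otherwise peer verification fails.
      - discovery.seed_hosts=192.168.1.10:9300,192.168.1.11:9300,192.168.1.12:9300
      - cluster.initial_master_nodes=es-node-1,es-node-2,es-node-3
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
      - network.host=0.0.0.0
      - network.publish_host=192.168.1.11
      - transport.host=0.0.0.0
      - http.host=0.0.0.0
      - transport.port=9300
      - transport.publish_host=192.168.1.11
      - http.port=9200
      # X-Pack security settings
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-2.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/certs/es-node-2.p12
      # "certificate" requires peer certificates to chain to the CA in the
      # truststore, which the CA-signed certificates from method 1/2 satisfy.
      # "none" only encrypts the transport and accepts any certificate; it is
      # needed solely for the self-signed fallback (method 3), which has no CA.
      - xpack.security.transport.ssl.verification_mode=certificate
      # With HTTP TLS off, the elastic user's basic-auth credentials cross the
      # network in clear text. The keystore below is already wired up, so
      # setting this to true is enough for HTTPS; the curl examples later on
      # this page use https:// and assume it is enabled.
      - xpack.security.http.ssl.enabled=false
      - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-2.p12
      - xpack.license.self_generated.type=basic
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /opt/elasticsearch/data:/usr/share/elasticsearch/data
      - /opt/elasticsearch/logs:/usr/share/elasticsearch/logs
      - /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs
    ports:
      # Published on every host interface; restrict with a host firewall if the
      # host is reachable from untrusted networks.
      - "9200:9200"
      - "9300:9300"
    networks:
      - elasticsearch-net
    restart: unless-stopped
networks:
  elasticsearch-net:
    # Created beforehand with `docker network create elasticsearch-net`.
    external: true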
|
主机3 (192.168.1.12)
/opt/elasticsearch/docker-compose.yml
|
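services:
  es-node-3:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.19.3
    container_name: es-node-3
    environment:
      - node.name=es-node-3
      - cluster.name=my-es-cluster
      # Seed and publish addresses use the host IPs from the host list on this
      # page; they also have to match the --ip SANs the certificates were
      # generated with, otherwise peer verification fails.
      - discovery.seed_hosts=192.168.1.10:9300,192.168.1.11:9300,192.168.1.12:9300
      - cluster.initial_master_nodes=es-node-1,es-node-2,es-node-3
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
      - network.host=0.0.0.0
      - network.publish_host=192.168.1.12
      - transport.host=0.0.0.0
      - http.host=0.0.0.0
      - transport.port=9300
      - transport.publish_host=192.168.1.12
      - http.port=9200
      # X-Pack security settings
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-3.p12
      - xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/certs/es-node-3.p12
      # "certificate" requires peer certificates to chain to the CA in the
      # truststore, which the CA-signed certificates from method 1/2 satisfy.
      # "none" only encrypts the transport and accepts any certificate; it is
      # needed solely for the self-signed fallback (method 3), which has no CA.
      - xpack.security.transport.ssl.verification_mode=certificate
      # With HTTP TLS off, the elastic user's basic-auth credentials cross the
      # network in clear text. The keystore below is already wired up, so
      # setting this to true is enough for HTTPS; the curl examples later on
      # this page use https:// and assume it is enabled.
      - xpack.security.http.ssl.enabled=false
      - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/certs/es-node-3.p12
      - xpack.license.self_generated.type=basic
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /opt/elasticsearch/data:/usr/share/elasticsearch/data
      - /opt/elasticsearch/logs:/usr/share/elasticsearch/logs
      - /opt/elasticsearch/certs:/usr/share/elasticsearch/config/certs
    ports:
      # Published on every host interface; restrict with a host firewall if the
      # host is reachable from untrusted networks.
      - "9200:9200"
      - "9300:9300"
    networks:
      - elasticsearch-net
    restart: unless-stopped
networks:
  elasticsearch-net:
    # Created beforehand with `docker network create elasticsearch-net`.
    external: true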
|
第四步:启动集群
1. 依次启动节点
|
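# Start on host 1. Chain with && so compose is not run from the wrong directory
# (and against the wrong compose file) when the cd fails.
cd /opt/elasticsearch && docker-compose up -d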
|
|
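# Wait about 30 seconds, then start on host 2. Chain with && so compose is not
# run from the wrong directory when the cd fails.
cd /opt/elasticsearch && docker-compose up -d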
|
|
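# Wait about 30 seconds, then start on host 3. Chain with && so compose is not
# run from the wrong directory when the cd fails.
cd /opt/elasticsearch && docker-compose up -d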
|
2. 查看启动日志
|
# Stream the first node's log until interrupted; watch for the cluster forming.
docker logs --follow es-node-1
|
第五步:设置密码
在任意一台主机上执行
|
# Set the built-in users' passwords interactively inside the running node.
# This tool is deprecated in the 8.x line in favour of
# bin/elasticsearch-reset-password -u <user> (one user per invocation); check the
# command reference for the deployed version if this command is missing.
docker exec -it es-node-1 /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
|
按提示设置以下用户的密码:
- elastic (超级管理员)
- kibana_system
- logstash_system
- beats_system
- apm_system
- remote_monitoring_user
第六步:验证集群状态
1. 检查集群健康状态
|
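# -u with only the user name makes curl prompt for the password, keeping it out
# of shell history and process listings. -k skips server-certificate validation.
# The scheme must match xpack.security.http.ssl.enabled in docker-compose.yml:
# https:// only works once that setting is true.
curl -k -u elastic "https://192.168.1.10:9200/_cluster/health?pretty"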
|
2. 查看集群节点
|
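# Prompted password (no secret on the command line); -k skips certificate
# validation; use https:// only if xpack.security.http.ssl.enabled is true.
curl -k -u elastic "https://192.168.1.10:9200/_cat/nodes?v"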
|
3. 查看集群信息
|
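# Prompted password (no secret on the command line); -k skips certificate
# validation; use https:// only if xpack.security.http.ssl.enabled is true.
curl -k -u elastic "https://192.168.1.10:9200/_cluster/stats?pretty"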
|