目录
一、背景:
二、部署elasticsearch集群:
1、部署elasticsearch集群:
2、验证elasticsearch集群是否正常:
三、部署elasticsearch集群并设置用户密码
1、生产elastic集群所需的证书:
2、重新建构elasticsearch镜像:
3、部署elasticsearch集群:
4、设置elasticsearch集群的密码:
5、测试验证elasticsearch集群的认证:
总结:
一、背景:
在paas云平台运维维护过程中有遇见项目需要部署一套elasticsearch集群,用于业务系统的使用。根据业务需求,在k8s集群环境中部署一套elasticsearch集群,操作记录参考改文章!!!
二、部署elasticsearch集群:
默认的elasticsearch集群是没有密码的。
1、部署elasticsearch集群:
apiVersion: v1
kind: Service
metadata:name: elasticsearchnamespace: sit
spec:selector:app: elasticsearchtype: ClusterIPports:- port: 9200name: es-9200targetPort: 9200- port: 9300name: es-9300targetPort: 9300
---
apiVersion: apps/v1
kind: StatefulSet
metadata:name: es7-clusternamespace: sit
spec:serviceName: elasticsearchreplicas: 3selector:matchLabels:app: elasticsearchtemplate:metadata:labels:app: elasticsearchspec:containers:- name: elasticsearchimage: dockerhub.jiang.com/jiang-public/elasticsearch:7.9.3resources:limits:cpu: 1000mrequests:cpu: 100mports:- containerPort: 9200name: restprotocol: TCP- containerPort: 9300name: inter-nodeprotocol: TCPvolumeMounts:- name: datamountPath: /usr/share/elasticsearch/dataenv:- name: cluster.namevalue: k8s-logs- name: node.namevalueFrom:fieldRef:fieldPath: metadata.name- name: discovery.zen.minimum_master_nodesvalue: "2"- name: discovery.seed_hostsvalue: "es7-cluster-0.elasticsearch,es7-cluster-1.elasticsearch,es7-cluster-2.elasticsearch"- name: cluster.initial_master_nodesvalue: "es7-cluster-0,es7-cluster-1,es7-cluster-2"- name: ES_JAVA_OPTSvalue: "-Xms1g -Xmx1g"initContainers:- name: fix-permissionsimage: dockerhub.jiang.com/system_containers/busybox:latestcommand: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]securityContext:privileged: truevolumeMounts:- name: datamountPath: /usr/share/elasticsearch/data- name: increase-vm-max-mapimage: dockerhub.jiang.com/system_containers/busybox:latestcommand: ["sysctl", "-w", "vm.max_map_count=262144"]securityContext:privileged: true- name: increase-fd-ulimitimage: dockerhub.jiang.com/system_containers/busybox:latestcommand: ["sh", "-c", "ulimit -n 65536"]volumeClaimTemplates:- metadata:name: dataspec:accessModes: [ "ReadWriteOnce" ]storageClassName: "huawei-san" #根据实际情况而定resources:requests:storage: 1Gi
执行yaml文件:
[root@master-01 xhj]# kubectl apply -f elasticsearch.yaml
service/elasticsearch created
statefulset.apps/es7-cluster created
验证结果:
[root@master-01 xhj]# k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elasticsearch ClusterIP 172.44.255.234 <none> 9200/TCP,9300/TCP 43s
mysql ClusterIP None <none> 3306/TCP,9125/TCP 48d
[root@master-01 xhj]# k get sts
NAME READY AGE
es7-cluster 1/3 47s
[root@master-01 xhj]# k get sts
NAME READY AGE
es7-cluster 3/3 2m12s
2、验证elasticsearch集群是否正常:
[root@master-01 xhj]# curl http://172.44.255.234:9200/
{"name" : "es7-cluster-2","cluster_name" : "k8s-logs","cluster_uuid" : "VeyRUKdwTHu5lySgV3XJVw","version" : {"number" : "7.9.3","build_flavor" : "default","build_type" : "docker","build_hash" : "c4138e51121ef06a6404866cddc601906fe5c868","build_date" : "2020-10-16T10:36:16.141335Z","build_snapshot" : false,"lucene_version" : "8.6.2","minimum_wire_compatibility_version" : "6.8.0","minimum_index_compatibility_version" : "6.0.0-beta1"},"tagline" : "You Know, for Search"
}
到此就部署好了一个elasticsearch集群服务!!!!
三、部署elasticsearch集群并设置用户密码
1、生产elastic集群所需的证书:
使用docker 运行elasticsearch容器
[root@master-01 ~]# docker run -it -d --name es-tls dockerhub.jiang.com/jxstjh-public/elasticsearch:7.9.3 /bin/bash
3dff79f1de6f7e3ba83db4b1af2d079e20589d57b028156473cba1b3346f6bbb
进入容器内生成证书
[root@master-01 ~]# docker exec -it es-tls /bin/bash
[root@3dff79f1de6f elasticsearch]# pwd
/usr/share/elasticsearch
[root@3dff79f1de6f elasticsearch]# ./bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""执行结果显示如下:
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.The 'cert' mode generates X.509 certificate and private keys.* By default, this generates a single certificate and key for useon a single instance.* The '-multiple' option will prompt you to enter details for multipleinstances and will generate a certificate and key for each one* The '-in' option allows for the certificate generation to be automated by describingthe details of each instance in a YAML file* An instance is any piece of the Elastic Stack that requires an SSL certificate.Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beatsmay all require a certificate and private key.* The minimum required value for each instance is a name. This can simply be thehostname, which will be used as the Common Name of the certificate. A fulldistinguished name may also be used.* A filename value may be required for each instance. This is necessary when thename would result in an invalid file or directory name. The name provided hereis used as the directory name (within the zip) and the prefix for the key andcertificate files. The filename is required if you are prompted and the nameis not displayed in the prompt.* IP addresses and DNS names are optional. Multiple values can be specified as acomma separated string. If no IP addresses or DNS names are provided, you maydisable hostname verification in your SSL configuration.* All certificates generated by this tool will be signed by a certificate authority (CA).* The tool can automatically generate a new CA for you, or you can provide your own with the-ca or -ca-cert command line options.By default the 'cert' mode produces a single PKCS#12 output file which holds:* The instance certificate* The private key for the instance certificate* The CA certificateIf you specify any of the following options:* -pem (PEM formatted output)* -keep-ca-key (retain generated CA key)* -multiple (generate multiple certificates)* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key filesCertificates written to /usr/share/elasticsearch/config/elastic-certificates.p12This file should be properly secured as it contains the private key for
your instance.This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.将证书文件复制到本地:
[root@master-01 ~]# docker cp es-tls:/usr/share/elasticsearch/config/elastic-certificates.p12 /xhj/elastic-certificates.p122、重新建构elasticsearch镜像:
使用证书通过
Dockerfile重新封装镜像
FROM dockerhub.jiang.com/jxstjh-public/elasticsearch:7.9.3
MAINTAINER jiang
LABEL maintainer="jiang"
COPY elastic-certificates.p12 /usr/share/elasticsearch/config/
RUN chown 1000:0 /usr/share/elasticsearch/config/elastic-certificates.p12
EXPOSE 9200 9300
CMD ["eswrapper"]编译镜像
[root@master-01 xhj]# docker build -t dockerhub.jiang.com/jxstjh-public/elasticsearch:7.9.3-p12 .
Sending build context to Docker daemon 127.5MB
Step 1/7 : FROM dockerhub.jiang.com/jiang-public/elasticsearch:7.9.3---> 1ab13f928dc8
Step 2/7 : MAINTAINER jiang---> Running in beba0ca606a4
Removing intermediate container beba0ca606a4---> 4a4003bf74c9
Step 3/7 : LABEL maintainer="jiang"---> Running in b1e0c1168982
Removing intermediate container b1e0c1168982---> c5eba7158904
Step 4/7 : COPY elastic-certificates.p12 /usr/share/elasticsearch/config/---> 7b4dab67c080
Step 5/7 : RUN chown 1000:0 /usr/share/elasticsearch/config/elastic-certificates.p12---> Running in cb8f9383fa70
Removing intermediate container cb8f9383fa70---> 071eb2ce173e
Step 6/7 : EXPOSE 9200 9300---> Running in 5ca429e2b39e
Removing intermediate container 5ca429e2b39e---> cfc9b0b05386
Step 7/7 : CMD ["eswrapper"]---> Running in abbf96c90588
Removing intermediate container abbf96c90588---> 9b6304124b9b
Successfully built 9b6304124b9b
Successfully tagged dockerhub.jiang.com/jiang-public/elasticsearch:7.9.3-p123、部署elasticsearch集群:
在k8s上部署elasticsearch集群,使用了statefulset控制器部署的。yaml文件参考如下:
apiVersion: v1
kind: Service
metadata:name: elastic-svc #这里根据名称而定namespace: sit #根据所在命名空间labels:app: elastic-cluster
spec:selector:app: elastic-clustertype: ClusterIPports:- name: rest-apiport: 9200protocol: TCPtargetPort: 9200- name: inter-nodeport: 9300protocol: TCPtargetPort: 9300
---
apiVersion: apps/v1
kind: StatefulSet
metadata:name: elastic-cluster #根据实际情况调整namespace: sit #根据所在命名空间labels:app: elastic-cluster
spec:serviceName: elastic-svc #要跟上吗的service的名称对齐replicas: 3selector:matchLabels:app: elastic-clusterkubernetes.io/cluster-service: "true"template:metadata:labels:app: elastic-clusterkubernetes.io/cluster-service: "true"spec:initContainers:- name: fix-permissionsimage: dockerhub.jiang.com/system_containers/busybox:latest #根据镜像所在位置进行调整imagePullPolicy: IfNotPresentcommand: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]securityContext:privileged: truevolumeMounts:- name: datamountPath: /usr/share/elasticsearch/data- name: localtimereadOnly: truemountPath: /etc/localtime- name: increase-vm-max-mapimage: dockerhub.jiang.com/system_containers/busybox:latest #根据镜像所在位置进行调整imagePullPolicy: IfNotPresentcommand: ["sysctl", "-w", "vm.max_map_count=262144"]securityContext:privileged: true- name: increase-fd-ulimitimage: dockerhub.jiang.com/system_containers/busybox:latest #根据镜像所在位置进行调整imagePullPolicy: IfNotPresentcommand: ["sh", "-c", "ulimit -n 65536"]volumes:- name: localtimehostPath:path: /etc/localtimetype: ''containers:- name: elasticsearchimage: dockerhub.jiang.com/jiang-public/elasticsearch:7.9.3-p12 #根据镜像所在位置进行调整imagePullPolicy: IfNotPresentports:- containerPort: 9200name: rest-apiprotocol: TCP- containerPort: 9300name: inter-nodeprotocol: TCPvolumeMounts:- name: datamountPath: /usr/share/elasticsearch/data- name: localtimereadOnly: truemountPath: /etc/localtimeenv:- name: node.namevalueFrom:fieldRef:apiVersion: v1fieldPath: metadata.name- name: discovery.zen.minimum_master_nodesvalue: "2"- name: discovery.seed_hostsvalue: "elastic-svc" #要跟上吗的service名称对齐- name: cluster.initial_master_nodesvalue: "elastic-cluster-0,elastic-cluster-1,elastic-cluster-2" #根据集群名称进行调整- name: ES_JAVA_OPTSvalue: "-Xms1024m -Xmx1024m" #这里根据业务需求而定,要求是要一样的配置大小- name: xpack.security.enabledvalue: "true"- name: xpack.security.transport.ssl.enabledvalue: "true"- name: xpack.security.transport.ssl.verification_modevalue: "certificate"- name: xpack.security.transport.ssl.keystore.pathvalue: "elastic-certificates.p12"- name: xpack.security.transport.ssl.truststore.pathvalue: "elastic-certificates.p12"volumeClaimTemplates: - metadata:name: dataspec:accessModes: [ "ReadWriteOnce" ]storageClassName: "huawei-san" #根据实际情况调整resources:requests:storage: 2Gi
部署Elasticsearch集群
[root@master-01 xhj]# kubectl apply -f elasticsearch-p12.yaml service/elastic-svc created statefulset.apps/elastic-cluster created
验证elasticsearch集群运行情况:
[root@master-01 xhj]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE elastic-svc ClusterIP 172.41.9.197 <none> 9200/TCP,9300/TCP 36s mysql ClusterIP None <none> 3306/TCP,9125/TCP 48d
[root@master-01 xhj]# kubectl get sts NAME READY AGE elastic-cluster 3/3 4m6s
4、设置elasticsearch集群的密码:
进入到任意pod容器操作如下:
# kubectl exec -it -n sit pods/elastic-cluster-0 -- /bin/bash执行如下的命令
./bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user. You will be prompted to enter passwords as the process progresses. Please confirm that you would like to continue [y/N]y #输入yesEnter password for [elastic]: #输入密码,这里选择的elasticsearch Reenter password for [elastic]: #再次输入密码,这里选择的elasticsearch Enter password for [apm_system]: #输入密码,这里选择的elasticsearch Reenter password for [apm_system]: #再次输入密码,这里选择的elasticsearch Enter password for [kibana_system]: #输入密码,这里选择的elasticsearch Reenter password for [kibana_system]: #再次输入密码,这里选择的elasticsearch Enter password for [logstash_system]: #输入密码,这里选择的elasticsearch Reenter password for [logstash_system]: #再次输入密码,这里选择的elasticsearch Enter password for [beats_system]: #输入密码,这里选择的elasticsearch Reenter password for [beats_system]: #再次输入密码,这里选择的elasticsearch Enter password for [remote_monitoring_user]: #输入密码,这里选择的elasticsearch Reenter password for [remote_monitoring_user]: #再次输入密码,这里选择的elasticsearch Changed password for user [apm_system] Changed password for user [kibana_system] Changed password for user [kibana] Changed password for user [logstash_system] Changed password for user [beats_system] Changed password for user [remote_monitoring_user] Changed password for user [elastic]
5、测试验证elasticsearch集群的认证:
[root@master-01 ~]# k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elastic-svc ClusterIP 172.34.44.86 <none> 9200/TCP,9300/TCP 16m
mysql ClusterIP None <none> 3306/TCP,9125/TCP 48d
[root@master-01 ~]# curl http://172.34.44.86:9200/
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}[root@stcs-master-01 ~]#发现通过无密码的方式访问提示报错,需要进行密码认证。
[root@master-01 ~]# curl --user elastic http://172.34.44.86:9200/
Enter host password for user 'elastic':
{"name" : "elastic-cluster-1","cluster_name" : "docker-cluster","cluster_uuid" : "O-M9L7gfQBagxQxIBMjXIQ","version" : {"number" : "7.9.3","build_flavor" : "default","build_type" : "docker","build_hash" : "c4138e51121ef06a6404866cddc601906fe5c868","build_date" : "2020-10-16T10:36:16.141335Z","build_snapshot" : false,"lucene_version" : "8.6.2","minimum_wire_compatibility_version" : "6.8.0","minimum_index_compatibility_version" : "6.0.0-beta1"},"tagline" : "You Know, for Search"
}
通过密码认证的方式,就可以正常访问elasticsearch集群。
总结:
在paas云平台的运维维护中,需要经常自定义部署elasticsearch集群的,要求不高的,基本以无密码的elasticsearch集群为准,要求高的,都是以密码认证的elasticsearch集群为准的。希望可以帮助到大家!!!
)
