CentOS 7 / Elasticsearch 7.8 cluster: X-Pack authentication and TLS for intra-cluster (transport) traffic


    Introduction

    In a conventional Elasticsearch deployment neither the traffic between cluster nodes nor client access to the cluster is authenticated: anyone who can reach the exposed HTTP port can read the data inside ES directly.

    That offers no security guarantee, so this article sets up authentication based on the X-Pack security features.

    It is not only the client-facing port 9200 that needs authentication: the node-to-node traffic on transport port 9300 needs protection as well. Here a self-signed PKCS#12 certificate bundle, generated with elasticsearch-certutil, is used to encrypt the intra-cluster traffic.

    Note: X-Pack as a whole is a paid feature set, but since 6.8/7.1 the basic security features used here (TLS, file/native realms, role-based access control) are part of the free Basic license, so there is no commercial problem. Also note the scope: this article enables TLS on the transport layer only. The 9200 HTTP API stays plain HTTP, so Basic-auth credentials and query results still cross the network unencrypted unless you also enable xpack.security.http.ssl or terminate TLS in front of the nodes.

    Environment

    OS          Hostname  IP          ES version  ES client port  ES transport port
    CentOS 7.5  node02    10.0.20.22  7.8         9200            9300
    CentOS 7.5  node03    10.0.20.23  7.8         9200            9300
    CentOS 7.5  node04    10.0.20.24  7.8         9200            9300

    Installation

    The elasticsearch tarball now bundles a JDK, so unlike older versions there is no need to install a separate JDK first.

    Official download: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz

    Raise the resource limits

    # file descriptor and process limits for login sessions
    # (the systemd unit below sets its own LimitNOFILE/LimitNPROC for the service)
    cat >> /etc/security/limits.conf <<EOF
    *   hard    nofile  65536
    *   soft    nofile  65536
    *   hard    nproc   5000
    *   soft    nproc   5000
    EOF
    
    # bootstrap check: Elasticsearch refuses to start with vm.max_map_count below 262144
    echo 'vm.max_map_count=262144' >>  /etc/sysctl.conf
    sysctl -p
    

    Configure hostname resolution

    Configure hostname resolution on all nodes:

    cat >> /etc/hosts <<EOF
    
    10.0.20.22 node02
    10.0.20.23 node03
    10.0.20.24 node04
    EOF
    

    Install

    # service account without a login shell or home directory; the systemd unit runs as this user
    useradd -s /sbin/nologin -M elasticsearch
    cd /opt/
    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz
    tar xf elasticsearch-7.8.0-linux-x86_64.tar.gz
    ln -s /opt/elasticsearch-7.8.0 /opt/elasticsearch
    ll /opt/
    
    # total 0
    # lrwxrwxrwx 1 root root  24 Jul  7 23:52 elasticsearch -> /opt/elasticsearch-7.8.0
    # drwxr-xr-x 9 root root 155 Jun 15 03:38 elasticsearch-7.8.0
    

    Create the data and log directories

    mkdir /opt/elasticsearch/{data,logs} -p
    

    systemd unit

    Save the following as /etc/systemd/system/elasticsearch.service (run systemctl daemon-reload afterwards). It is adapted from the unit shipped in the Elastic packages; the packaging placeholders have been replaced with the paths used here.

    [Unit]
    Description=Elasticsearch
    Documentation=https://www.elastic.co
    Wants=network-online.target
    After=network-online.target
    
    [Service]
    RuntimeDirectory=elasticsearch
    Environment=ES_HOME=/opt/elasticsearch
    Environment=ES_PATH_CONF=/opt/elasticsearch/config
    Environment=PID_DIR=/opt/elasticsearch
    # optional overrides; the configuration section below also writes ES_PATH_CONF here
    EnvironmentFile=-/opt/elasticsearch/config/elasticsearch
    
    WorkingDirectory=/opt/elasticsearch
    
    # never run Elasticsearch as root; the install, data and log directories must be owned by this account
    User=elasticsearch
    Group=elasticsearch
    
    ExecStart=/opt/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet
    
    # StandardOutput is redirected to journalctl since some error messages may be
    # logged on standard output before the Elasticsearch logging system is
    # initialized. Elasticsearch writes its own logs to path.logs
    # (/opt/elasticsearch/logs here) and does not use journalctl by default.
    # To also log to journalctl, remove the "--quiet" option from ExecStart.
    StandardOutput=journal
    StandardError=inherit
    
    # Specifies the maximum file descriptor number that can be opened by this process
    LimitNOFILE=65536
    
    # Specifies the maximum number of processes
    LimitNPROC=4096
    
    # Specifies the maximum size of virtual memory
    LimitAS=infinity
    
    # Specifies the maximum file size
    LimitFSIZE=infinity
    
    # Disable timeout logic and wait until process is stopped
    TimeoutStopSec=0
    
    # SIGTERM signal is used to stop the Java process
    KillSignal=SIGTERM
    
    # Send the signal only to the JVM rather than its control group
    KillMode=process
    
    # Java process is never killed
    SendSIGKILL=no
    
    # When a JVM receives a SIGTERM signal it exits with code 143
    SuccessExitStatus=143
    
    [Install]
    WantedBy=multi-user.target
    

    Generate the PKCS#12 certificates

    Issue the certificates on node02 only.

    The official documentation describes two ways of creating the cluster certificates:

    1. Create them one by one with elasticsearch-certutil
    2. Use elasticsearch-certutil in silent mode (--silent --in instances.yml)

    Silent mode is the more compact one and is used here.

    Change into the ES directory:

    cd /opt/elasticsearch
    

    Create the instances.yml file the tool needs; see the official documentation on cluster certificates for the full format.

    cat >instances.yml<<EOF
    instances:
      - name: "node02" 
        ip: 
          - "10.0.20.22"
      - name: "node03"
        ip:
          - "10.0.20.23"
      - name: "node04"
        ip:
          - "10.0.20.24"
    EOF
    

    Note: name is the instance name (it becomes the certificate's CN and the file name); the ip entries become IP subject alternative names. By default the transport layer verifies the peer's address against these SANs (xpack.security.transport.ssl.verification_mode: full), so list exactly the address each node will use as network.publish_host. Hostnames can be added with a dns list.

    Then run

    bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword
    

    Note: --pass sets the password of the generated PKCS#12 files; it is needed again when configuring the cluster, so keep it. Because no --ca is given, certutil creates a new CA, signs each instance certificate with it and bundles the CA certificate in every .p12; that is what allows the same file to serve as truststore below. A password passed on the command line ends up in the shell history and is visible in ps while the command runs; omit --pass to be prompted instead, and use something stronger than testpassword in production.

    The command creates test1.zip in /opt/elasticsearch/; unpacked it looks like this:

    [root@node02 elasticsearch]# ls test1.zip 
    test1.zip
    [root@node02 elasticsearch]# unzip test1.zip 
    Archive:  test1.zip
       creating: node02/
      inflating: node02/node02.p12       
       creating: node03/
      inflating: node03/node03.p12       
       creating: node04/
      inflating: node04/node04.p12
    

    Copy each bundle to its node. Note the trailing slashes on the rsync source and destination: without them rsync copies the directory itself and the bundle lands at config/certs/node03/node03.p12, which does not match the certs/node03.p12 path referenced in elasticsearch.yml below.

    # node02: move its own bundle into place
    mkdir -p config/certs
    mv node02/node02.p12 config/certs/
    
    # node03 and node04: copy the contents of the directory, not the directory
    rsync -avz node03/ 10.0.20.23:/opt/elasticsearch/config/certs/
    rsync -avz node04/ 10.0.20.24:/opt/elasticsearch/config/certs/
    

    Each .p12 contains a node's private key: on every node it should be owned by the elasticsearch service account and readable only by it (chmod 600). Delete test1.zip and the unpacked node03/ and node04/ directories from node02 afterwards, as they hold the other nodes' private keys.
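Before installing a bundle, it is worth confirming that it will satisfy the settings used in this article: the same .p12 acts as keystore and truststore, and the transport layer checks the peer IP against the certificate's SANs. The following shell functions are an added example, not part of the original post or of Elastic's tooling; they assume openssl is installed and use the file name, password and IP from this article.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: sanity-check a node's .p12 bundle
# before (or after) copying it into config/certs. Assumes openssl is installed;
# the file name, password and IP used below are the ones from this article.
set -eu

# Print the node's own certificate (the entry that has a private key) as PEM.
# Fails if the file cannot be opened, e.g. because of a wrong password.
p12_node_cert() {            # p12_node_cert FILE PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# Succeed only if the node certificate carries "IP:<ip>" as a subject alternative
# name. The transport layer's default verification_mode=full compares the peer's
# publish address with its SANs, so the IP from instances.yml must be the one
# configured as network.publish_host.
p12_san_has_ip() {           # p12_san_has_ip FILE PASSWORD IP
    local text re
    text=$(p12_node_cert "$1" "$2" | openssl x509 -noout -text) || return 1
    re=$(printf '%s' "$3" | sed 's/\./\\./g')   # escape dots for grep -E
    printf '%s' "$text" | tr -d '\n' | grep -Eq "IP Address:${re}([, ]|\$)"
}

# Number of CA certificates bundled alongside the node certificate. The same file
# is configured as truststore, so it must contain the CA that signed all node
# certificates (certutil adds it when it generates the CA itself).
p12_ca_count() {             # p12_ca_count FILE PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# The bundle contains a private key: owner-only permissions (0600 or 0400).
p12_perms_ok() {             # p12_perms_ok FILE
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run every check for one node; prints a verdict and returns non-zero on the first failure.
check_node_bundle() {        # check_node_bundle FILE PASSWORD PUBLISH_IP
    local f=$1 pw=$2 ip=$3
    p12_node_cert "$f" "$pw" >/dev/null \
        || { echo "FAIL: cannot open $f (wrong password?)"; return 1; }
    p12_san_has_ip "$f" "$pw" "$ip" \
        || { echo "FAIL: $f has no IP SAN for $ip; transport TLS verification will reject it"; return 1; }
    [ "$(p12_ca_count "$f" "$pw")" -ge 1 ] \
        || { echo "FAIL: $f bundles no CA certificate, so it cannot act as truststore"; return 1; }
    p12_perms_ok "$f" \
        || { echo "FAIL: $f is readable by others; chmod 600 it and chown it to the elasticsearch user"; return 1; }
    echo "OK: $f is usable as keystore and truststore for $ip"
}

# Usage on node02 after unzipping test1.zip:
#   chmod 600 node02/node02.p12
#   check_node_bundle node02/node02.p12 testpassword 10.0.20.22
```

The SAN check is the one that catches the common mistake of listing a hostname in instances.yml while binding the node to an IP (or the reverse): the cluster then fails to form with a certificate verification error rather than an obvious "wrong password" message.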
    

    Configuration

    The transport.tcp.* settings and discovery.zen.minimum_master_nodes from earlier versions are deprecated or ignored in 7.x; the configurations below use the 7.x names and rely on cluster.initial_master_nodes for bootstrapping. _bond0_ binds to the interface named bond0; use the name of your own NIC (or the IP address).

    node02:

    cat > /opt/elasticsearch/config/elasticsearch.yml <<EOF
    cluster.name: es-cluster
    node.name: node02
    path.data: /opt/elasticsearch/data
    path.logs: /opt/elasticsearch/logs
    node.master: true
    network.host: _bond0_
    transport.host: _bond0_
    network.publish_host: 10.0.20.22
    http.port: 9200
    transport.port: 9300
    transport.compress: true
    discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
    # only read on the very first start of a brand-new cluster (the documented form is the node.name
    # values; addresses worked here). Remove it once the cluster has formed.
    cluster.initial_master_nodes: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
    
    # X-Pack security: authentication on 9200, TLS between nodes on 9300
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    # the same bundle is keystore and truststore: it holds this node's key and certificate
    # plus the CA certificate that signed every node certificate
    xpack.security.transport.ssl.keystore.path: certs/node02.p12
    xpack.security.transport.ssl.truststore.path: certs/node02.p12
    EOF
    
    # read by the systemd unit via EnvironmentFile
    echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch
    

    node03:

    cat > /opt/elasticsearch/config/elasticsearch.yml <<EOF
    cluster.name: es-cluster
    node.name: node03
    path.data: /opt/elasticsearch/data
    path.logs: /opt/elasticsearch/logs
    node.master: true
    network.host: _bond0_
    transport.host: _bond0_
    network.publish_host: 10.0.20.23
    http.port: 9200
    transport.port: 9300
    transport.compress: true
    discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
    # first-start bootstrap list; remove once the cluster has formed
    cluster.initial_master_nodes: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
    
    # X-Pack security
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.keystore.path: certs/node03.p12
    xpack.security.transport.ssl.truststore.path: certs/node03.p12
    EOF
    
    echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch
    

    node04:

    cat > /opt/elasticsearch/config/elasticsearch.yml <<EOF
    cluster.name: es-cluster
    node.name: node04
    path.data: /opt/elasticsearch/data
    path.logs: /opt/elasticsearch/logs
    node.master: true
    network.host: _bond0_
    transport.host: _bond0_
    network.publish_host: 10.0.20.24
    http.port: 9200
    transport.port: 9300
    transport.compress: true
    discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
    # first-start bootstrap list; remove once the cluster has formed
    cluster.initial_master_nodes: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
    
    # X-Pack security
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.keystore.path: certs/node04.p12
    xpack.security.transport.ssl.truststore.path: certs/node04.p12
    EOF
    
    echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch
    

    Differences on ARM

    Note: on an ARM Kylin v4 system two additional settings are needed:

    bootstrap.memory_lock: false
    bootstrap.system_call_filter: false
    
    bootstrap.memory_lock is already false by default. bootstrap.system_call_filter: false disables the seccomp system-call filter that Elasticsearch installs at start-up (together with the bootstrap check that fails when the filter cannot be installed). That is a security relaxation: use it only on kernels or platforms where the filter is genuinely unavailable, as on that Kylin build, and not as a general workaround.
    

    Store the PKCS#12 password in the keystore on every node

    Run the following commands on every node.

    Create the keystore file (config/elasticsearch.keystore):

    ./bin/elasticsearch-keystore create
    

    Both commands below prompt for the password chosen when generating the PKCS#12 files (--pass above); it is entered twice because the same .p12 serves as keystore and truststore:

    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
    
    Storing the password here, rather than as xpack.security.transport.ssl.*.password in elasticsearch.yml, keeps it out of the plaintext configuration file. When run as root, these commands create config/elasticsearch.keystore owned by root; the elasticsearch service account must be able to read it, so chown it before starting the service.
    

    Create the same user and password on every ES node

    Command: ./bin/elasticsearch-users useradd username -p password -r superuser

    -r assigns the role; superuser is the built-in role with full privileges.

    ./bin/elasticsearch-users useradd test -p password123 -r superuser
    
    This tool writes to the file realm (config/users and config/users_roles). The file realm is local to each node and is not replicated, which is why the identical command has to be run on every node. Omit -p to be prompted so the password does not end up in the shell history, and treat this superuser account as a bootstrap/admin account only: applications should get users with narrower roles.
    

    Start and check

    Start elasticsearch on every node. The unit runs as the elasticsearch account, so everything under the install directory (including the keystore, certificate bundle and users files created as root above) must belong to that account first, and systemd has to pick up the new unit:

    chown -R elasticsearch:elasticsearch /opt/elasticsearch-7.8.0
    systemctl daemon-reload
    systemctl start elasticsearch
    

    Check

    A request with the file-realm credentials is answered by the node; _cat/nodes shows all three nodes joined, with node02 elected master:

    [root@node03 elasticsearch]# curl -utest:password123 10.0.20.23:9200
    {
      "name" : "node03",
      "cluster_name" : "es-cluster",
      "cluster_uuid" : "e6TnuPWdQ8Wct5HMH-GAsg",
      "version" : {
        "number" : "7.8.0",
        "build_flavor" : "default",
        "build_type" : "tar",
        "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
        "build_date" : "2020-06-14T19:35:50.234439Z",
        "build_snapshot" : false,
        "lucene_version" : "8.5.1",
        "minimum_wire_compatibility_version" : "6.8.0",
        "minimum_index_compatibility_version" : "6.0.0-beta1"
      },
      "tagline" : "You Know, for Search"
    }
    [root@node02 elasticsearch]# curl -utest:password123 10.0.20.22:9200/_cat/nodes?v
    ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
    10.0.20.22           42          92   1    0.00    0.04     0.12 dilmrt    *      node02
    10.0.20.23           63          89   1    0.10    0.16     0.19 dilmrt    -      node03
    10.0.20.24           39          89  20    0.52    0.61     0.28 dilmrt    -      node04
    
Original article: https://www.cnblogs.com/winstom/p/13304559.html