CentOS7 Elasticsearch 7.8 集群 x-spack 安全验证 及 集群内部TLS加密传输

目录

• 简介
• 环境准备
• 安装
  • 配置 hostname 解析
  • 安装
  • systemd 脚本
• 生成PKCS#12证书
• 配置
  • ARM 架构配置区别
• 所有节点存入 PKCS#12 秘钥的密码
• 给所有 ES 配置相同的用户密码
• 启动查看

简介

常规部署 Elasticsearch 集群时，不管是集群之间的数据传输，或者是 Client 访问Elasticsearch 集群时 均不需要相关验证，可通过对外提供的http接口，直接访问到ES的内部数据

这情况下，相对来说安全度没有保障，那么本次部署一套 基于 x-spack 安全验证的安全认证

其实不光是 对外提供服务的 9200 端口需要验证，集群内服务端口 9300 之间数据通信，也需要安全机制，本次使用自签PKCS#12 证书，用于集群内部加密通信

说明： x-spack 组件是收费的，但好的是基础安全验证是其中的免费的，不用担心商用问题；

环境准备

系统版本	主机名	IP	ES 版本	ES 用户端口	ES 集群端口
CentOS 7.5	node02	10.0.20.22	7.8	9200	9300
CentOS 7.5	node03	10.0.20.23	7.8	9200	9300
CentOS 7.5	node04	10.0.20.24	7.8	9200	9300

安装

现在下载的 elasticsearch 安装包中，自带 jdk ，无需像以前老版本一样，还要需要安装jdk环境，方便很多。

官方下载地址：https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz

需要优化文件描述符

cat >> /etc/security/limits.conf <<EOF
*   hard    nofile  65536
*   soft    nofile  65536
*   hard    nproc   5000
*   soft    nproc   5000
EOF

echo 'vm.max_map_count=262144' >>  /etc/sysctl.conf
sysctl -p

配置 hostname 解析

所有节点配置好 hostname 解析

cat >> /etc/hosts <<EOF

10.0.20.22 node02
10.0.20.23 node03
10.0.20.24 node04
EOF

安装

useradd -s /sbin/nologin -M elasticsearch
cd /opt/
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz
tar xf elasticsearch-7.8.0-linux-x86_64.tar.gz
ln -s /opt/elasticsearch-7.8.0 /opt/elasticsearch
ll /opt/

# total 0
# lrwxrwxrwx 1 root root  24 Jul  7 23:52 elasticsearch -> /opt/elasticsearch-7.8.0
# drwxr-xr-x 9 root root 155 Jun 15 03:38 elasticsearch-7.8.0

创建数据目录 和 日志目录

mkdir /opt/elasticsearch/{data,logs} -p

systemd 脚本

[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
RuntimeDirectory=elasticsearch
Environment=ES_HOME=/opt/elasticsearch
Environment=ES_PATH_CONF=${path.conf}
Environment=PID_DIR=/opt/elasticsearch
EnvironmentFile=-/opt/elasticsearch/config/elasticsearch

WorkingDirectory=/opt/elasticsearch

User=elasticsearch
Group=elasticsearch

ExecStart=/opt/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet

# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Specifies the maximum number of processes
LimitNPROC=4096

# Specifies the maximum size of virtual memory
LimitAS=infinity

# Specifies the maximum file size
LimitFSIZE=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0

# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM

# Send the signal only to the JVM rather than its control group
KillMode=process

# Java process is never killed
SendSIGKILL=no

# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target

# Built for ${project.name}-${project.version} (${project.name})

生成PKCS#12证书

证书签发在node02上操作即可

通过查看官网集群证书的创建方式分为两种：

1. 通过 elasticsearch-certutil 命令逐一创建证书
2. 使用 elasticsearch-certutil 的 Silent Mode 创建

这里使用简约的 Silent Mode 创建；

进入到 ES 的目录：

cd /opt/elasticsearch

创建证书所需的 instances.yml 文件，具体格式请查看官网：官网集群证书

cat >instances.yml<<EOF
instances:
  - name: "node02" 
    ip: 
      - "10.0.20.22"
  - name: "node03"
    ip:
      - "10.0.20.23"
  - name: "node04"
    ip:
      - "10.0.20.24"
EOF

注解: name 为实例名

然后执行

bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword

注意: --pass 后面跟的为PKCS#12证书的密码，之后在集群配置需要用到，请牢记；

上面的命令执行完成后，会在 /opt/elasticsearch/ 目录下生成一个 test1.zip 的压缩包，解压后如下：

[root@node02 elasticsearch]# ls test1.zip 
test1.zip
[root@node02 elasticsearch]# unzip test1.zip 
Archive:  test1.zip
   creating: node02/
  inflating: node02/node02.p12       
   creating: node03/
  inflating: node03/node03.p12       
   creating: node04/
  inflating: node04/node04.p12

然后把对应的 目录 拷贝到对应的服务器，并做如下操作：

mv node02 config/certs

[root@node02 elasticsearch]# rsync -avz node03 10.0.20.23:/opt/elasticsearch/config/certs
root@10.0.20.23's password: 
sending incremental file list
created directory /opt/elasticsearch/config/certs
node03/
node03/node03.p12

sent 3,556 bytes  received 93 bytes  1,459.60 bytes/sec
total size is 3,455  speedup is 0.95
[root@node02 elasticsearch]# rsync -avz node04 10.0.20.24:/opt/elasticsearch/config/certs
root@10.0.20.24's password: 
sending incremental file list
created directory /opt/elasticsearch/config/certs
node04/
node04/node04.p12

sent 3,565 bytes  received 93 bytes  1,463.20 bytes/sec
total size is 3,455  speedup is 0.94

配置

node02 配置:

cat > /opt/elasticsearch/config/elasticsearch.yml <EOF
cluster.name: es-cluster
node.name: node02
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
network.host: _bond0_
transport.host: _bond0_
network.publish_host: 10.0.20.22
http.port: 9200
transport.tcp.port: 9300
transport.tcp.compress: true
#discovery.seed_hosts: ["10.0.20.22"]
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
cluster.initial_master_nodes: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
discovery.zen.minimum_master_nodes: 2

# 配置X-Pack
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/node02.p12
xpack.security.transport.ssl.truststore.path: certs/node02.p12
EOF

echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch

node03 配置：

cat > /opt/elasticsearch/config/elasticsearch.yml <EOF
cluster.name: es-cluster
node.name: node03
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
network.host: _bond0_
transport.host: _bond0_
network.publish_host: 10.0.20.23
http.port: 9200
transport.tcp.port: 9300
transport.tcp.compress: true
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
cluster.initial_master_nodes: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
discovery.zen.minimum_master_nodes: 1

## 配置X-Pack
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/node03.p12
xpack.security.transport.ssl.truststore.path: certs/node03.p12
EOF

echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch

node04 配置：

cat > /opt/elasticsearch/config/elasticsearch.yml <EOF
cluster.name: es-cluster
node.name: node04
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
node.master: true
network.host: _bond0_
transport.host: _bond0_
network.publish_host: 10.0.20.24
http.port: 9200
transport.tcp.port: 9300
transport.tcp.compress: true
discovery.seed_hosts: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
cluster.initial_master_nodes: ["10.0.20.22", "10.0.20.23", "10.0.20.24"]
discovery.zen.minimum_master_nodes: 1

# 配置X-Pack
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/node04.p12
xpack.security.transport.ssl.truststore.path: certs/node04.p12
EOF

echo 'ES_PATH_CONF=/opt/elasticsearch/config/' > /opt/elasticsearch/config/elasticsearch

ARM 架构配置区别

注意: 如果是环境为 ARM kylin v4系统，则需要增加两项配置:

bootstrap.memory_lock: false
bootstrap.system_call_filter: false

所有节点存入 PKCS#12 秘钥的密码

所有节点都需要运行下面的命令，

生成 keystore 文件

./bin/elasticsearch-keystore create

下面两个命令，均需要 输入 在 生成 PKCS#12 秘钥 时的密码

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

给所有 ES 配置相同的用户密码

使用命令: ./bin/elasticsearch-users useradd username -p password -r superuser

-r 表示角色，superuser 是超级用户

./bin/elasticsearch-users useradd test -p password123 -r superuser

启动查看

启动所有节点的 elasticsearch ；

systemctl start elasticsearch

查看

[root@node03 elasticsearch]# curl -utest:password123 10.0.20.23:9200
{
  "name" : "node03",
  "cluster_name" : "es-cluster",
  "cluster_uuid" : "e6TnuPWdQ8Wct5HMH-GAsg",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
    "build_date" : "2020-06-14T19:35:50.234439Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[root@node02 elasticsearch]# curl -utest:password123 10.0.20.22:9200/_cat/nodes?v
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.20.22           42          92   1    0.00    0.04     0.12 dilmrt    *      node02
10.0.20.23           63          89   1    0.10    0.16     0.19 dilmrt    -      node03
10.0.20.24           39          89  20    0.52    0.61     0.28 dilmrt    -      node04