
Elasticsearch CCR and CCS mutual trust configuration

周银辉
Published 2024-06-27 15:57:44

I. Configure mutual trust between the environments:

1. Environment variables:

useradd es

sudo su - es

export ES_JAVA_HOME=/data/es8/cluster1/node1/jdk

PATH=$ES_JAVA_HOME/bin:$PATH:$HOME/.local/bin:$HOME/bin

unset CLASSPATH

2. Change the cluster name in the configuration file:

cluster.name: leader-cluster

3. Start the node

./bin/elasticsearch

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

✅ Elasticsearch security features have been automatically configured!

✅ Authentication is enabled and cluster connections are encrypted.

ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):

8EeBYsu*c2+mgBy+CG*D

ℹ️ HTTP CA certificate SHA-256 fingerprint:

832e6c80679f78688840d340bd88b475aab7363f052df8c70bfed13f27a647d9

ℹ️ Configure Kibana to use this cluster:

• Run Kibana and click the configuration link in the terminal when Kibana starts.

• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):

eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTAuODMuMTQ0LjM2OjkyMDAiXSwiZmdyIjoiODMyZTZjODA2NzlmNzg2ODg4NDBkMzQwYmQ4OGI0NzVhYWI3MzYzZjA1MmRmOGM3MGJmZWQxM2YyN2E2NDdkOSIsImtleSI6InpRZlFWNUFCOERrYVF6NnBpXzNsOkxEeTVzekRIUTNhRnR0R08zLXlQOVEifQ==

ℹ️ Configure other nodes to join this cluster:

• On this node:

⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.

⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.

⁃ Restart Elasticsearch.

• On other nodes:

⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

4. View the password that protects the certificate store

[es@test-erp-dba01 node1]$ ./bin/elasticsearch-keystore list

warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME

keystore.seed

xpack.security.http.ssl.keystore.secure_password

xpack.security.transport.ssl.keystore.secure_password

xpack.security.transport.ssl.truststore.secure_password

[es@test-erp-dba01 node1]$ ./bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password

warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME

JKVda7jhTOqYOqoGfy6KjQ

5. Confirm that the certificate contents can be listed

[es@test-erp-dba01 certs]$ keytool -list -keystore transport.p12 -storepass JKVda7jhTOqYOqoGfy6KjQ

Keystore type: PKCS12

Keystore provider: SUN

Your keystore contains 2 entries

transport, Jun 27, 2024, PrivateKeyEntry,

Certificate fingerprint (SHA-256): 9A:12:D2:BF:6C:59:59:E4:8C:6C:CB:5F:E6:8A:18:E6:4F:E9:96:5E:9D:5D:72:8C:A6:99:83:B2:76:6B:8A:FF

transport_ca, Jun 27, 2024, trustedCertEntry,

Certificate fingerprint (SHA-256): E4:74:79:D2:BD:2D:23:0A:47:31:41:4F:E0:59:2B:51:76:5E:6B:91:A0:8B:2F:FA:15:31:CA:EF:6F:B1:CF:69

6. Export the node certificate (not the CA certificate)

[es@test-erp-dba01 certs]$ openssl pkcs12 -clcerts -nokeys -in transport.p12 -out leader.crt

Enter Import Password:

MAC verified OK

[es@test-erp-dba01 certs]$ ll

total 28

-rw-rw---- 1 es es 1915 Jun 27 11:49 http_ca.crt

-rw-rw---- 1 es es 10013 Jun 27 11:49 http.p12

-rw-rw-r-- 1 es es 2048 Jun 27 14:26 leader.crt

-rw-rw---- 1 es es 5822 Jun 27 11:49 transport.p12

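7. Start Kibana and import the certificate

If the enrollment token has expired (it is valid for 30 minutes by default) and the following error appears while regenerating it, Elasticsearch is not running: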

[es@test-erp-dba01 node1]$ ./bin/elasticsearch-create-enrollment-token -s kibana

warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME

ERROR: Failed to determine the health of the cluster. , with exit code 69

Start Elasticsearch:

[es@test-erp-dba01 node1]$ ./bin/elasticsearch -d

Try again:

[es@test-erp-dba01 node1]$ ./bin/elasticsearch-create-enrollment-token -s kibana

warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME

eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTAuODMuMTQ0LjM2OjkyMDAiXSwiZmdyIjoiODMyZTZjODA2NzlmNzg2ODg4NDBkMzQwYmQ4OGI0NzVhYWI3MzYzZjA1MmRmOGM3MGJmZWQxM2YyN2E2NDdkOSIsImtleSI6ImUzWnJXSkFCOGhDX2JKay1KcUsyOldvTFFTSDRTUVlpallFNzZ4Y1BiSFEifQ==

II. Operations on the second node

1. Confirm the environment variables:

[es@test-erp-dba02 config]$ echo $ES_JAVA_HOME

/data/es8/cluster1/node1/jdk

[es@test-erp-dba02 config]$ which java

/data/es8/cluster1/node1/jdk/bin/java

[es@test-erp-dba02 config]$ which keytool

/data/es8/cluster1/node1/jdk/bin/keytool

unset CLASSPATH

[es@test-erp-dba02 config]$ cat elasticsearch.yml |grep -v '#'

cluster.name: follower-cluster

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

✅ Elasticsearch security features have been automatically configured!

✅ Authentication is enabled and cluster connections are encrypted.

ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):

ki+IGlsa4rx5w+wt=8qY

ℹ️ HTTP CA certificate SHA-256 fingerprint:

d47556c46cefe3920802b310390cc07de4bd3eb85031ce198959ebabfd0e6aed

ℹ️ Configure Kibana to use this cluster:

• Run Kibana and click the configuration link in the terminal when Kibana starts.

• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):

eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTAuODMuMTQ0LjM3OjkyMDAiXSwiZmdyIjoiZDQ3NTU2YzQ2Y2VmZTM5MjA4MDJiMzEwMzkwY2MwN2RlNGJkM2ViODUwMzFjZTE5ODk1OWViYWJmZDBlNmFlZCIsImtleSI6IkxsWm1XSkFCLXhUNXJyQ0RTQWdXOnN2dHQ1aWZEUWtLeHFBUTRYUXp0cWcifQ==

ℹ️ Configure other nodes to join this cluster:

• On this node:

⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.

⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.

⁃ Restart Elasticsearch.

• On other nodes:

⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[es@test-erp-dba02 node1]$ ./bin/elasticsearch

2. Start Kibana

3. Export the node certificate

[es@test-erp-dba02 node1]$ ./bin/elasticsearch-keystore list

warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME

keystore.seed

xpack.security.http.ssl.keystore.secure_password

xpack.security.transport.ssl.keystore.secure_password

xpack.security.transport.ssl.truststore.secure_password

[es@test-erp-dba02 node1]$ ./bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password

warning: ignoring JAVA_HOME=/usr/java/jdk; using ES_JAVA_HOME

J8cA3CA5SHOlCTIpGsiGmg

[es@test-erp-dba02 certs]$ openssl pkcs12 -in transport.p12 -clcerts -nokeys -out follower.crt

Enter Import Password:

MAC verified OK

[es@test-erp-dba02 certs]$ ll

total 28

-rw-rw-r-- 1 es es 2064 Jun 27 14:47 follower.crt

-rw-rw---- 1 es es 1915 Jun 27 14:33 http_ca.crt

-rw-rw---- 1 es es 10013 Jun 27 14:33 http.p12

-rw-rw---- 1 es es 5822 Jun 27 14:33 transport.p12

III. Import each cluster's certificate into the other

1. Copy the certificates with scp

On the leader node:

[es@test-erp-dba01 certs]$ scp leader.crt ip_follower:/data/es8/cluster1/node1/config/certs/

leader.crt

On the follower node:

[es@test-erp-dba02 certs]$ scp follower.crt ip_leader:/data/es8/cluster1/node1/config/certs/

follower.crt
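
An added example (not part of the original article): before the import step, confirm that the file received over scp is the certificate the source keystore lists, by comparing its SHA-256 fingerprint with the `keytool -list` output from the source node. The function names and the sample data are constructed for illustration; the sample "certificate" bytes are arbitrary stand-ins, not real X.509.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# keytool -list prints "<alias>, <date>, <entry type>," and then a fingerprint line.
ENTRY_RE = re.compile(r"^(?P<alias>[^,\n]+), [^\n]*?(?P<type>\w+),\s+"
                      r"Certificate fingerprint \(SHA-256\): (?P<fp>[0-9A-Fa-f:]+)", re.M)

def pem_fingerprints(pem_text):
    """SHA-256 over each certificate's DER bytes, formatted like keytool (AA:BB:...)."""
    fps = []
    for body in PEM_RE.findall(pem_text):  # text outside the markers (Bag Attributes) is skipped
        digest = hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest().upper()
        fps.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return fps

def keytool_entries(listing):
    """Map alias -> (entry type, fingerprint) parsed from `keytool -list` output."""
    return {m["alias"].strip(): (m["type"], m["fp"].upper()) for m in ENTRY_RE.finditer(listing)}

def safe_to_import(pem_text, source_listing, alias="transport"):
    """True only if the file holds exactly one certificate and it is the one the
    source keystore lists under `alias`."""
    fps = pem_fingerprints(pem_text)
    entry = keytool_entries(source_listing).get(alias)
    return len(fps) == 1 and entry is not None and fps[0] == entry[1]

def wrap_pem(der):
    """Build text shaped like `openssl pkcs12 -clcerts -nokeys` output (constructed)."""
    return ("Bag Attributes\n    friendlyName: transport\n-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n")

# Constructed sample data: the byte strings are arbitrary stand-ins, not real X.509.
SAMPLE_PEM = wrap_pem(bytes(range(256)))
SAMPLE_LISTING = (
    "Keystore type: PKCS12\nYour keystore contains 2 entries\n\n"
    f"transport, Jun 27, 2024, PrivateKeyEntry, \n"
    f"Certificate fingerprint (SHA-256): {pem_fingerprints(SAMPLE_PEM)[0]}\n"
    f"transport_ca, Jun 27, 2024, trustedCertEntry, \n"
    f"Certificate fingerprint (SHA-256): {pem_fingerprints(wrap_pem(b'ca' * 64))[0]}\n")

if __name__ == "__main__":
    print("copied cert matches source:", safe_to_import(SAMPLE_PEM, SAMPLE_LISTING))
    print("swapped cert matches source:", safe_to_import(wrap_pem(b"other"), SAMPLE_LISTING))
```
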

2. Import the certificates

On the leader node:

[es@test-erp-dba01 certs]$ keytool -importcert -trustcacerts -noprompt -alias "follower-cert" -keystore transport.p12 -storepass JKVda7jhTOqYOqoGfy6KjQ -file follower.crt

Certificate was added to keystore

On the follower node:

[es@test-erp-dba02 certs]$ keytool -importcert -trustcacerts -noprompt -keystore transport.p12 -storepass J8cA3CA5SHOlCTIpGsiGmg -alias "leader-cert" -file ./leader.crt

Certificate was added to keystore

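IV. Configuration file changes

1. You must set transport.host: 0.0.0.0 in elasticsearch.yml and then restart.

2. Configure the remote cluster under Stack Management ---> Remote Clusters

V. Configure CCS

Create an index on the follower node:

PUT /twiter/_doc/1
{
  "msg": "hello world"
}

Query the data from the leader node: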

GET /_remote/info

PUT /_cluster/settings
{
  "persistent": {
    "cluster.remote": {
      "remote_cluster": {
        "seeds": [
          "10.83.144.37:9300"
        ]
      }
    }
  }
}

GET remote_cluster:twiter/_search

GET _cat/indices

PUT myindex-ccr

PUT myindex-ccr/_settings
{
  "number_of_replicas": 0
}

POST myindex-ccr/_doc/1
{
  "msg": "hello myindex-ccr"
}

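Configure the replication under Stack Management ---> Cross-Cluster Replication

Original-content statement: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

In case of infringement, contact cloudcommunity@tencent.com to have it removed.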
