#elasticsearch #elastic-stack
Question:
I'm trying to enable the security feature on my Elasticsearch nodes, but whenever I enable "xpack.security.enabled: true", my Elasticsearch doesn't start at all. How can I solve this?
Here is my configuration on both Elasticsearch nodes:
Node 1:
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: "elastic-a"
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: "elastic-master"
node.master: true
node.data: true
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 192.168.143.30
#http.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["192.168.143.30", "192.168.143.23"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["elastic-master","elastic-slave"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
xpack.security.enabled: true
Node 2:
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: "elastic-a"
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: "elastic-slave"
node.master: true
node.data: true
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 192.168.143.23
#http.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["192.168.143.30", "192.168.143.23"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["elastic-master","elastic-slave"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
xpack.security.enabled: true
I can enable the security feature without the node configuration (single node), but it doesn't work after configuring the nodes.
Logs from sudo journalctl -f:
Oct 21 12:24:51 elastic-master systemd[1]: Starting Elasticsearch...
Oct 21 12:24:52 elastic-master elasticsearch[18296]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Oct 21 12:24:53 elastic-master kibana[781]: {"type":"log","@timestamp":"2020-10-21T08:54:53Z","tags":["warning","elasticsearch","admin"],"pid":781,"message":"Unable to revive connection: http://192.168.143.30:9200/"}
Oct 21 12:24:53 elastic-master kibana[781]: {"type":"log","@timestamp":"2020-10-21T08:54:53Z","tags":["warning","elasticsearch","admin"],"pid":781,"message":"No living connections"}
Oct 21 12:24:53 elastic-master kibana[781]: {"type":"log","@timestamp":"2020-10-21T08:54:53Z","tags":["warning","elasticsearch","admin"],"pid":781,"message":"Unable to revive connection: http://192.168.143.30:9200/"}
Oct 21 12:24:53 elastic-master kibana[781]: {"type":"log","@timestamp":"2020-10-21T08:54:53Z","tags":["warning","elasticsearch","admin"],"pid":781,"message":"No living connections"}
Oct 21 12:24:53 elastic-master kibana[781]: {"type":"log","@timestamp":"2020-10-21T08:54:53Z","tags":["warning","elasticsearch","data"],"pid":781,"message":"Unable to revive connection: http://192.168.143.30:9200/"}
Oct 21 12:24:53 elastic-master kibana[781]: {"type":"log","@timestamp":"2020-10-21T08:54:53Z","tags":["warning","elasticsearch","data"],"pid":781,"message":"No living connections"}
Oct 21 12:24:53 elastic-master kibana[781]: {"type":"log","@timestamp":"2020-10-21T08:54:53Z","tags":["warning","plugins","licensing"],"pid":781,"message":"License information could not be obtained from Elasticsearch for the [data] cluster. Error: No Living connections"}
Oct 21 12:24:54 elastic-master elasticsearch[18296]: [2020-10-21T12:24:54,557][INFO ][o.e.e.NodeEnvironment ] [elastic-master] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [32.3gb], net total_space [43.9gb], types [rootfs]
Oct 21 12:24:54 elastic-master elasticsearch[18296]: [2020-10-21T12:24:54,561][INFO ][o.e.e.NodeEnvironment ] [elastic-master] heap size [989.8mb], compressed ordinary object pointers [true]
Oct 21 12:24:54 elastic-master elasticsearch[18296]: [2020-10-21T12:24:54,612][INFO ][o.e.n.Node ] [elastic-master] node name [elastic-master], node ID [1lAXp_eJRL--r0o2Uq4P1Q], cluster name [elastic-a]
Oct 21 12:24:54 elastic-master elasticsearch[18296]: [2020-10-21T12:24:54,613][INFO ][o.e.n.Node ] [elastic-master] version[7.5.0], pid[18296], build[default/rpm/e9ccaed468e2fac2275a3761849cbee64b39519f/2019-11-26T01:06:52.518245Z], OS[Linux/3.10.0-1127.19.1.el7.x86_64/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/13.0.1/13.0.1+9]
Oct 21 12:24:54 elastic-master elasticsearch[18296]: [2020-10-21T12:24:54,613][INFO ][o.e.n.Node ] [elastic-master] JVM home [/usr/share/elasticsearch/jdk]
Oct 21 12:24:54 elastic-master elasticsearch[18296]: [2020-10-21T12:24:54,613][INFO ][o.e.n.Node ] [elastic-master] JVM arguments [-Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=COMPAT, -Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Djava.io.tmpdir=/tmp/elasticsearch-1946051170077590643, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -XX:MaxDirectMemorySize=536870912, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/etc/elasticsearch, -Des.distribution.flavor=default, -Des.distribution.type=rpm, -Des.bundled_jdk=true]
elastic-master elasticsearch[18296]: [2020-10-21T12:24:55,042][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [elastic-master] uncaught exception in thread [main]
elastic-master elasticsearch[18296]: org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125) ~[elasticsearch-cli-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: Caused by: java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:614) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:253) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: ... 6 more
elastic-master elasticsearch[18296]: Caused by: java.lang.reflect.InvocationTargetException
elastic-master elasticsearch[18296]: at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
elastic-master elasticsearch[18296]: at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
elastic-master elasticsearch[18296]: at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:253) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: ... 6 more
elastic-master elasticsearch[18296]: Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:449) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:430) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:121) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:142) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
elastic-master elasticsearch[18296]: at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
elastic-master elasticsearch[18296]: at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:253) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: ... 6 more
elastic-master elasticsearch[18296]: Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/certs/elastic-certificates.p12]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.TrustConfig.unreadableTrustConfigFile(TrustConfig.java:121) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:70) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:384) ~[?:?]
elastic-master elasticsearch[18296]: at java.util.HashMap.computeIfAbsent(HashMap.java:1138) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:446) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:430) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:121) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:142) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
elastic-master elasticsearch[18296]: at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
elastic-master elasticsearch[18296]: at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:253) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: ... 6 more
elastic-master elasticsearch[18296]: Caused by: java.nio.file.AccessDeniedException: /etc/elasticsearch/certs/elastic-certificates.p12
elastic-master elasticsearch[18296]: at sun.nio.fs.UnixException.translateToIOException(UnixException.java:90) ~[?:?]
elastic-master elasticsearch[18296]: at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
elastic-master elasticsearch[18296]: at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116) ~[?:?]
elastic-master elasticsearch[18296]: at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219) ~[?:?]
elastic-master elasticsearch[18296]: at java.nio.file.Files.newByteChannel(Files.java:374) ~[?:?]
elastic-master elasticsearch[18296]: at java.nio.file.Files.newByteChannel(Files.java:425) ~[?:?]
elastic-master elasticsearch[18296]: at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]
elastic-master elasticsearch[18296]: at java.nio.file.Files.newInputStream(Files.java:159) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:95) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:65) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:384) ~[?:?]
elastic-master elasticsearch[18296]: at java.util.HashMap.computeIfAbsent(HashMap.java:1138) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:446) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:430) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:121) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:142) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
elastic-master elasticsearch[18296]: at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
elastic-master elasticsearch[18296]: at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
elastic-master elasticsearch[18296]: at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.node.Node.<init>(Node.java:253) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.5.0.jar:7.5.0]
elastic-master elasticsearch[18296]: ... 6 more
elastic-master systemd[1]: elasticsearch.service: main process exited, code=exited, status=1/FAILURE
elastic-master systemd[1]: Failed to start Elasticsearch.
elastic-master systemd[1]: Unit elasticsearch.service entered failed state.
elastic-master systemd[1]: elasticsearch.service failed.
elastic-master polkitd[814]: Unregistered Authentication Agent for unix-process:18290:7813320 (system bus name :1.429, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Answer #1:
If you enable security, it is mandatory for the nodes to communicate with each other over SSL, i.e. you need to configure your nodes to encrypt the communication between them. So there are a few steps you need to take:
Step 1. Create a node certificate
There are two options for this step:
A. If you don't have any root CA to sign your certificate, you can create one using bin/elasticsearch-certutil ca (follow the instructions described here). You will get a PKCS#12-encoded certificate that contains the root CA certificate, the node certificate and the private key.
B. If your organization has a root CA (Digicert, etc.), you can create a CSR (certificate signing request) to send to your root CA. You usually get back a PKCS#7-encoded certificate. PS: Let us know if you go this route, because a few more steps are needed to convert it to PKCS#12.
Note that for testing purposes you can definitely use the same certificate on both nodes, i.e. you don't need to generate one certificate per node.
Step 2. Change the configuration
Once you have a node certificate (via option A or B), you can change the configuration on both nodes by adding the following to your elasticsearch.yml files:
# enable security
xpack.security.enabled: true
# make sure the nodes talk in SSL to each other
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/mynode.p12
xpack.security.transport.ssl.truststore.path: certs/mynode.p12
After that, you can restart your cluster, since the nodes can now communicate with each other over SSL.
Comments:
1. What version of ES are you using? The oss one or basic? In the former case, it doesn't have the security plugin.
2. Can you also share what's in the log (sudo journalctl -f)? See here how to set it up: elastic.co/guide/en/elasticsearch/reference/7.5/…
3. What I would like is the log content when ES starts, because right now we just see Kibana complaining that it cannot find ES.
4. OK, so that's exactly the problem I mentioned: AccessDeniedException: /etc/elasticsearch/elastic-certificates.p12. Are you sure the file is there and has the proper permissions? Note that you need to store it here instead: /etc/elasticsearch/config/certs/elastic-certificates.p12, i.e. create a certs folder in the same folder as your elasticsearch.yml file.
5. Yes, root won't cut it, you need to set it to elasticsearch.
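The permission check that comments 4 and 5 point to, as an added shell example that is not part of the original thread: it walks from the config directory down to a keystore given as a relative path (as `certs/mynode.p12` is in the answer) and reports where a service account is blocked, plus whether the keystore is open to other users. The helper names `effective_triplet` and `audit_keystore` are hypothetical, and the check assumes plain mode bits only (no ACLs or SELinux labels).

```shell
#!/bin/sh
# Added example: audit whether a service account can open a keystore that
# elasticsearch.yml references relative to the config directory.
# Decisions use mode bits and numeric owner/group only (assumption: no ACLs,
# no SELinux denials), so the result is the same whoever runs the script.

# Print the rwx triplet of path $1 that applies to numeric uid $2 with the
# space-separated numeric group ids in $3. Always call it inside $(...).
effective_triplet() {
    meta=$(ls -ldnL -- "$1" 2>/dev/null) || return 1
    mode=$(printf '%s\n' "$meta" | awk '{print $1}')
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    group=$(printf '%s\n' "$meta" | awk '{print $4}')
    # Owner bits win over group bits, group bits win over "other".
    if [ "$owner" = "$2" ]; then
        printf '%s\n' "$mode" | cut -c2-4; return 0
    fi
    for g in $3; do
        if [ "$g" = "$group" ]; then
            printf '%s\n' "$mode" | cut -c5-7; return 0
        fi
    done
    printf '%s\n' "$mode" | cut -c8-10
}

# audit_keystore CONF_DIR REL_PATH UID "GIDS"
# Prints one finding per line; returns 1 if the account cannot open the file.
audit_keystore() {
    ak_cur=$1 ak_rest=$2 ak_uid=$3 ak_gids=$4 ak_rc=0
    while :; do
        # Every directory on the way must be searchable: x, or s/t (x plus
        # setuid/setgid/sticky).
        ak_trip=$(effective_triplet "$ak_cur" "$ak_uid" "$ak_gids") || {
            echo "FAIL missing $ak_cur"; return 1; }
        case $ak_trip in
            ??[xst]) echo "OK   traverse $ak_cur" ;;
            *) echo "FAIL traverse $ak_cur ($ak_trip)"; ak_rc=1 ;;
        esac
        case $ak_rest in
            */*) ak_cur=$ak_cur/${ak_rest%%/*}; ak_rest=${ak_rest#*/} ;;
            *) break ;;
        esac
    done
    ak_file=$ak_cur/$ak_rest
    ak_trip=$(effective_triplet "$ak_file" "$ak_uid" "$ak_gids") || {
        echo "FAIL missing $ak_file"; return 1; }
    case $ak_trip in
        r??) echo "OK   read $ak_file" ;;
        *) echo "FAIL read $ak_file ($ak_trip)"; ak_rc=1 ;;
    esac
    # The keystore holds the node's private key: flag any access for "other".
    ak_other=$(effective_triplet "$ak_file" -1 "")
    [ "$ak_other" = "---" ] || echo "WARN world-accessible $ak_file ($ak_other)"
    return $ak_rc
}

# Usage with the paths from the log above (account name as in comment 5):
#   audit_keystore /etc/elasticsearch certs/elastic-certificates.p12 \
#       "$(id -u elasticsearch)" "$(id -G elasticsearch)"
```

A `FAIL` line names the first directory or file whose owner, group or mode has to change; ownership by the `elasticsearch` account or group with mode 640 on the file and 750 on `certs` clears both the failure and the warning.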