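The cluster has 3 master nodes and 5 data nodes.

Prerequisite: the ES cluster is running normally (at this point there is no password, so opening the address below returns the node information directly).

When starting without passwords, set cluster.initial_master_nodes on every node; otherwise startup reports: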

{ "error" : { "root_cause" : [ { "type" : "master_not_discovered_exception", "reason" : null } ], "type" : "master_not_discovered_exception", "reason" : null }, "status" : 503 }

After a normal startup, http://xxx:9200/_cat/nodes returns:

10.0.4.170  3 60 8 0.20 0.23 0.14 di - es-data-2
10.0.3.175  2 61 1 0.25 0.12 0.08 di - es-data-1
10.0.4.45   5 60 2 0.31 0.25 0.17 di - es-data-4
10.0.5.49   2 60 0 0.09 0.13 0.09 di - es-data-3
10.0.2.218 11 65 1 0.02 0.08 0.07 m  - es-master-1
10.0.2.123 14 43 2 0.18 0.18 0.16 m  * es-master-0
10.0.3.103 12 68 1 0.07 0.16 0.16 m  - es-master-2
10.0.5.170  4 60 2 0.15 0.14 0.13 di - es-data-0

Step 1: generate the elastic-certificates.p12 file (skip this step if elastic-certificates.p12 has already been generated)

Log in to the k8s host, enter a master node, and run the following command

bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""

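This produces elastic-certificates.p12 in the config directory. Copy the file out; you can also copy out elasticsearch.keystore (this file should exist once ES has been started).

Step 2: after copying the files, stop all nodes

Pick one master node, copy the elastic-certificates.p12 and elasticsearch.keystore files you just copied out into its config folder, modify elasticsearch.yml as follows, and restart that node.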

# Security authentication
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

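Step 3: copy elasticsearch.yml to all nodes, then start all nodes again

---- After starting the master node (the one mentioned above)

Running the command "bin/elasticsearch-setup-passwords interactive" then fails with the following error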

Connection failure to: http://10.0.2.123:9200/_security/_authenticate?pretty failed: Connection refused (Connection refused)

ERROR: Failed to connect to elasticsearch at http://10.0.2.123:9200/_security/_authenticate?pretty. Is the URL correct and elasticsearch running?

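At this point nothing can be reached on port 9200, so all nodes have to be started.

---- Start all nodes (3 master, 5 data). Before starting them, copy the elastic-certificates.p12 and elasticsearch.keystore files you copied out earlier into each node's config folder and modify elasticsearch.yml (make sure security authentication is enabled in the configuration).

While the other nodes are still starting, running "bin/elasticsearch-setup-passwords interactive" (on the master node you are working on) produces the following warning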

Your cluster health is currently RED.
This means that some cluster data is unavailable and your cluster is not fully functional.

It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.

Do you want to continue with the password setup process [y/N]

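Choose "N" here and do not proceed; first make sure all nodes are up and running normally. In the meantime you can keep re-running "bin/elasticsearch-setup-passwords interactive" until the warning no longer appears.

The passwords can then be set successfully.

Note: the data does not need to be cleared during this process; in a production environment, existing data is not affected.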
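
A pre-restart check for one node's config directory, as an added example that is not part of the original post: it verifies the five settings from step 2, the two copied files, and that the passwordless .p12 is not accessible to other users. The function names and the permission check are assumptions of this example, and it only understands flat dotted keys as written in the post.

```shell
# Added example (not from the original post): pre-restart check of one node's config directory.
# Assumes elasticsearch.yml uses flat dotted keys, as in the fragment from step 2.
REQUIRED_SETTINGS='xpack.security.enabled=true
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.verification_mode=certificate
xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
xpack.security.transport.ssl.truststore.path=elastic-certificates.p12'

# yml_value FILE KEY: print the last value set for KEY, ignoring comments and quotes.
yml_value() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)
      i = index(line, ":")
      if (i == 0) next
      k = substr(line, 1, i - 1); v = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t"]+|[ \t"]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# check_es_security_config DIR: return 0 only if DIR is ready for a secured restart.
check_es_security_config() {
  conf_dir=$1; rc=0
  yml="$conf_dir/elasticsearch.yml"
  [ -f "$yml" ] || { echo "MISSING $yml"; return 1; }
  while IFS='=' read -r key want; do
    got=$(yml_value "$yml" "$key")
    if [ "$got" != "$want" ]; then
      echo "BAD $key: expected '$want', found '${got:-<unset>}'"; rc=1
    fi
  done <<EOF
$REQUIRED_SETTINGS
EOF
  for f in elastic-certificates.p12 elasticsearch.keystore; do
    [ -s "$conf_dir/$f" ] || { echo "MISSING $conf_dir/$f"; rc=1; }
  done
  # The .p12 was created with -pass "", so its private key is protected only by file permissions.
  p12="$conf_dir/elastic-certificates.p12"
  if [ -f "$p12" ] && [ "$(ls -ld "$p12" | cut -c8-10)" != "---" ]; then
    echo "WEAK permissions: $p12 is accessible to other users"; rc=1
  fi
  return $rc
}
```

Run `check_es_security_config config` on each of the 8 nodes before starting it; a non-zero status means that node would either fail to join over TLS or expose the certificate file.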

        
