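1. Garbled text in the Windows 10 command line
1.1 Garbled Chinese characters in the Elasticsearch console output
When Elasticsearch is started from the Windows 10 command line, the console characters are garbled, so the code page has to be changed:
There are two ways: a temporary change, or a permanent change through the registry:
1.2 Temporary change
Press [Win+R] -> chcp 65001 -> OK
1.3 Registry change
1. Open the registry: press [Win+R], enter regedit, OK;
2. Path [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
3. [New -> String Value] name = autorun, value = chcp 65001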
2. Generating certificates for ES
2.1 Issue the CA certificate
./bin/elasticsearch-certutil ca
Press Enter at every prompt; this generates elastic-stack-ca.p12 in the directory
2.2 Generate the node certificate with the CA certificate
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Press Enter at every prompt without setting a password; this generates elastic-certificates.p12
2.3 mv the CA certificate and the node certificate to config/certs
mv *.p12 config/certs/
2.4 Issue the HTTP certificate
The interactive session is as follows: (CentOS 7)
./bin/elasticsearch-certutil http
# No CSR needed, enter n
Generate a CSR? [y/N]n
# Use the CA certificate generated earlier, enter y
Use an existing CA? [y/N]y
# Enter the CA path, starting from certs
CA Path: certs/elastic-stack-ca.p12
# The CA has no password, just press Enter
Password for elastic-stack-ca.p12:
# Set to 5 years, the default; enter: 5y
For how long should your certificate be valid? [5y] 5y
# Whether a certificate should be generated for every node: enter n
Generate a certificate per node? [y/N]n
# Enter the node name (the hostname), then confirm with y
ZB-PF2P9LED
# Enter the IP, then confirm with y
192.168.0.102
# Do any of these settings still need changing? Enter n
Do you wish to change any of these options? [y/N]n
# No password, press Enter
Provide a password for the "http.p12" file: [<ENTER> for none]
# Asks whether to rename the HTTP certificate zip file, just press Enter
What filename should be used for the output zip file? [D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip]
# Finally:
Zip file written to D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip
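2.5 Put the certificates in the certs directory
# Extract the whole archive; it unpacks into elasticsearch/ and kibana/
unzip elasticsearch-ssl-http.zip
mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem config/certs/
# The remaining files can simply be deleted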
3. Configure elasticsearch.yml
cluster.name: es-cluster
node.name: es-node-1
path.data: D:/devs/elastic-safe/es8.5.2/data
path.logs: D:/devs/elastic-safe/es8.5.2/logs
# Host used for network access
network.host: ZB-PF2P9LED
# Port used for network access
http.port: 9200
# Initial seed nodes
#discovery.seed_hosts: ["ZB-PF2P9LED"]
# Security authentication
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# TLS for the HTTP layer
xpack.security.http.ssl:
  enabled: true
  keystore.path: D:/devs/elastic-safe/es8.5.2/config/certs/http.p12
  truststore.path: D:/devs/elastic-safe/es8.5.2/config/certs/http.p12
# TLS for the transport layer
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: D:/devs/elastic-safe/es8.5.2/config/certs/elastic-certificates.p12
  truststore.path: D:/devs/elastic-safe/es8.5.2/config/certs/elastic-certificates.p12
# Note: es-node-1 is the node name configured above
cluster.initial_master_nodes: ["es-node-1"]
http.host: [_local_, _site_]
ingest.geoip.downloader.enabled: false
xpack.security.http.ssl.client_authentication: none
Then start it, and that's it!
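3.2 Additional configuration (Alibaba Cloud)
The max_map_count file contains the limit on the number of VMAs (virtual memory areas) a process may own
Fix: # switch to the root user to make the change
vim /etc/sysctl.conf # append the following at the end
vm.max_map_count=655360
Run sysctl -p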
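4. Kibana certificate
4.1 Installing the Kibana certificate
# 1. Just press Enter; this generates csr-bundle.zip
./bin/elasticsearch-certutil csr -name kibana -dns niewj
# 2. Unzip it and mv kibana.csr and kibana.key to kibana/config
# 3. cd to kibana/config and generate the crt file (-signkey self-signs it with kibana.key)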
openssl x509 -req -in kibana.csr -signkey kibana.key -out kibana.crt
4.2 Core Kibana configuration
server.port: 5601
server.host: "niewj"
i18n.locale: "zh-CN"
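# Address of the main ES server
elasticsearch.hosts: ["https://niewj:9200"]
# ES account and password
elasticsearch.username: "kibana"
elasticsearch.password: "xxxxxx"
# none turns off verification of the ES server certificate, so the CA listed below is not enforced
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/xxx/es-8.5.2/config/certs/elasticsearch-ca.pem"]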
server.ssl.enabled: true
server.ssl.certificate: /xxx/kibana-8.5.2/config/kibana.crt
server.ssl.key: /xxx/kibana-8.5.2/config/kibana.key
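
A small check for the Kibana settings in section 4.2, as an added example that is not part of the original post: it flattens the flat and nested "key: value" YAML subset used on this page into dotted keys and reports the settings that weaken the Kibana-to-Elasticsearch connection. The sample text is constructed from section 4.2 with the CA path shortened, and the function names are hypothetical.

```python
# Constructed sample: the kibana.yml settings from section 4.2 (CA path shortened).
KIBANA_YML = """\
server.host: "niewj"
elasticsearch.hosts: ["https://niewj:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "xxxxxx"
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/xxx/certs/elasticsearch-ca.pem"]
server.ssl:
  enabled: true
"""

def flatten(text):
    """Turn flat or indented 'key: value' lines into a {dotted.key: value} dict."""
    out, stack = {}, []  # stack holds (indent, key) for each open parent mapping
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # split at the first colon only
        while stack and stack[-1][0] >= indent:      # leave mappings we have dedented out of
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            out[dotted] = value.strip().strip('"')
        else:
            stack.append((indent, key.strip()))      # a parent such as 'server.ssl:'
    return out

def audit_kibana(text):
    """Return findings for the Kibana -> Elasticsearch connection settings."""
    cfg, findings = flatten(text), []
    mode = cfg.get("elasticsearch.ssl.verificationMode", "full")  # Kibana defaults to full
    if mode == "none":
        findings.append("verificationMode none: the ES server certificate is not "
                        "validated, so certificateAuthorities is not enforced")
    hosts = cfg.get("elasticsearch.hosts", "").split(",")
    if any(h.strip(' []"').startswith("http://") for h in hosts):
        findings.append("elasticsearch.hosts uses plain http")
    if "elasticsearch.password" in cfg:
        findings.append("elasticsearch.password is stored in clear text in kibana.yml")
    return findings

if __name__ == "__main__":
    for finding in audit_kibana(KIBANA_YML):
        print("-", finding)
```

With verificationMode set to certificate the configured CA is checked; full additionally checks that the host name in elasticsearch.hosts matches a name in the HTTP certificate. The password finding goes away once the value is moved out of kibana.yml, for example with bin/kibana-keystore add elasticsearch.password.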