Es6.4升级7.6

# 切换到envuser用户

su - envuser

cd /home/envuser

# 下载Es6.8.8安装包

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.8.8.zip

# 下载Es7.6.2安装包

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.2-linux-x86_64.tar.gz

curl -XPUT "http://ES_ADDRESS:9200/_cluster/settings" -H 'Content-Type: application/json' -d'

{

  "persistent": {

    "cluster.routing.allocation.enable": "primaries"

  }

}'

# 切换到envuser用户

su - envuser

cd /home/envuser

# 下载安装包

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.8.8.zip

# 解压安装包

unzip elasticsearch-6.8.8.zip

# 将原目录下的配置文件copy至新版本

cp elasticsearch-6.4.2/config/elasticsearch.yml elasticsearch-6.8.8/config/

cp elasticsearch-6.4.2/config/jvm.options elasticsearch-6.8.8/config/

# 创建软连接

ln -sfn elasticsearch-6.8.8 elasticsearch-release

# 启动Es服务

cd elasticsearch-release/

./bin/elasticsearch -d

curl -XGET "http://ES_ADDRESS:9200/_cat/nodes?h=ip,name,version&v"

curl -XPUT "http://ES_ADDRESS:9200/_cluster/settings" -H 'Content-Type: application/json' -d'

{

  "persistent": {

    "cluster.routing.allocation.enable": null

  }

}'

curl -XGET "http://ES_ADDRESS:9200/_cluster/allocation/explain?pretty"

# 如下API显示所有节点的版本均为6.8.8表示集群升级到6.8.8成功

curl -XGET "http://ES_ADDRESS:9200/_cat/nodes?h=ip,name,version&v"

curl -XPUT "http://ES_ADDRESS:9200/_cluster/settings" -H 'Content-Type: application/json' -d'

{

  "persistent": {

    "cluster.routing.allocation.enable": "primaries"

  }

}'

# 切换到envuser用户

su - envuser

cd /home/envuser

# 下载安装包

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.2-linux-x86_64.tar.gz

# 解压安装包

tar -xzf elasticsearch-7.6.2-linux-x86_64.tar.gz

# 创建软连接

ln -sfn elasticsearch-7.6.2 elasticsearch-release

# cluster.name node.name network.host discovery.seed_hosts cluster.initial_master_nodes需根据每个环境具体情况填写

cluster.name: es-cluster

node.name: elk8001

node.master: true

node.data: true

path.data: /data1/elasticsearch/data

path.logs: /data1/elasticsearch/logs

bootstrap.memory_lock: true

network.host: 10.27.22.223

discovery.seed_hosts: ["10.27.22.223"]

cluster.initial_master_nodes: ["10.27.22.223"]

action.destructive_requires_name: true

xpack.security.enabled: true

xpack.security.http.ssl.enabled: true

xpack.security.http.ssl.keystore.path: http.p12

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# 设置为VM总内存大小的一半

-Xms16g

-Xmx16g

-XX:+UseG1GC

-XX:G1ReservePercent=25

-XX:InitiatingHeapOccupancyPercent=30

-Djava.io.tmpdir=${ES_TMPDIR}

-XX:+HeapDumpOnOutOfMemoryError

-XX:HeapDumpPath=/data1/elasticsearch/data

-XX:ErrorFile=/data1/elasticsearch/logs/hs_err_pid%p.log

cd elasticsearch-release

./bin/elasticsearch-plugin install https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v7.6.2/elasticsearch-analysis-ik-7.6.2.zip

# 出现如下提示代表安装成功

-> Installed analysis-ik

# # # # # # # # # 1.进入Es目录 # # # # # # # # #

cd elasticsearch-release

# # # # # # # 2.为集群创建认证机构 # # # # # # # #

# 依次输入回车（文件使用默认名），密码，并记住该密码

bin/elasticsearch-certutil ca

# # # # # # # # 3.为节点颁发证书 # # # # # # # # #

# 遇提示依次输入步骤2的密码/回车/步骤2的密码

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

# 输入第一步输入的密码

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

# 输入第一步输入的密码

bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

# # # # # # # # 4.http加密设置 # # # # # # # # #

# 执行加密指令

bin/elasticsearch-certutil http

# 后续操作请参考如下

## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates

for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right

set of files for your needs.

## Do you wish to generate a Certificate Signing Request (CSR)?

A CSR is used when you want your certificate to be created by an existing

Certificate Authority (CA) that you do not control (that is, you don't have

access to the keys for that CA).

If you are in a corporate environment with a central security team, then you

may have an existing Corporate CA that can generate your certificate for you.

Infrastructure within your organisation may already be configured to trust this

CA, so it may be easier for clients to connect to Elasticsearch if you use a

CSR and send that request to the team that controls your CA.

If you choose not to generate a CSR, this tool will generate a new certificate

for you. That certificate will be signed by a CA under your control. This is a

quick and easy way to secure your cluster with TLS, but you will need to

configure all your clients to trust that custom CA.

# pkcs模式，这里选择N

Generate a CSR? [y/N]N

## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to

sign your new http certificate. This allows you to use the same CA across

multiple Elasticsearch clusters which can make it easier to configure clients,

and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

# 选择y

Use an existing CA? [y/N]y

## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to

use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS

(.jks) or PEM (.crt, .key, .pem) format.

# 输入步骤3产生的证书路径

CA Path: /home/envuser/elasticsearch-release/elastic-stack-ca.p12

Reading a PKCS12 keystore requires a password.

It is possible for the keystore's password to be blank,

in which case you can simply press <ENTER> at the prompt

# 输入步骤2使用的密码

Password for elastic-stack-ca.p12:

## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients

will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:

(a) set this to a short duration (90 - 120 days) and have automatic processes

to generate a new certificate before the old one expires, or

(b) set it to a longer duration (3 - 5 years) and then perform a manual update

a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

# 回车，默认5年有效期

For how long should your certificate be valid? [5y]

## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a

separate certificate for each of these nodes. Each certificate will have its

own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid

across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain

(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it

simpler to generate one certificate with a wildcard hostname (*.es.example.com)

and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add

additional nodes to your cluster in the future, then you should generate a

certificate per node so that you can more easily generate new certificates when

you provision new nodes.

# 选择N

Generate a certificate per node? [y/N]N

## Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"

(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to

your cluster over http.

Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you

can enter that here.

Enter all the hostnames that you need, one per line.

When you are done, press <ENTER> once more to move on to the next step.

# 依次输入节点的hostName，每个hostName占一行，输出完成后输入回车结束输入

elk-data6001

elk-data6002

elk-data6003

You entered the following hostnames.

# 依次输入节点的ip，每个ip占一行，输出完成后输入回车结束输入

 - elk-data6001

 - elk-data6002

 - elk-data6003

# 输入Y

Is this correct [Y/n]Y

## Which IP addresses will be used to connect to your nodes?

If your clients will ever connect to your nodes by numeric IP address, then you

can list these as valid IP "Subject Alternative Name" (SAN) fields in your

certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access

to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.

When you are done, press <ENTER> once more to move on to the next step.

10.27.20.245

10.27.20.246

10.27.21.137

You entered the following IP addresses.

 - 10.27.20.245

 - 10.27.20.246

 - 10.27.21.137

# 输入Y

Is this correct [Y/n]Y

## Other certificate options

The generated certificate will have the following additional configuration

values. These values have been selected based on a combination of the

information you have provided above and secure defaults. You should not need to

change these values unless you have specific requirements.

Key Name: elk-data6001

Subject DN: CN=elk-data6001

Key Size: 2048

# 输入N

Do you wish to change any of these options? [y/N]N

## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".

This type of keystore is always password protected, but it is possible to use a

blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.

Provide a password for the "http.p12" file:  [<ENTER> for none]

# 输入回车

## Where should we save the generated files?

A number of files will be generated including your private key(s),

public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

# 输入回车

What filename should be used for the output zip file? [/home/envuser/elasticsearch-7.6.2/elasticsearch-ssl-http.zip]

Zip file written to /home/envuser/elasticsearch-7.6.2/elasticsearch-ssl-http.zip

# # # # # # # # 5.多节点配置 # # # # # # # # #

# 解压证书

unzip elasticsearch-ssl-http.zip -d ssl

# 为证书添加访问权限

chmod 644 elastic-certificates.p12

chmod 644 elastic-stack-ca.p12

# 将证书移动到config目录

mv ssl/elasticsearch/http.p12 config

mv elastic-certificates.p12 config

mv elastic-stack-ca.p12 config

# 将证书和keystore文件scp到其他节点的Es config目录下

scp ssl/elasticsearch/http.p12 config/elastic-certificates.p12 config/elastic-stack-ca.p12 config/elasticsearch.keystore envuser@IP:/home/envuser/elasticsearch-7.6.2/config

cd elasticsearch-release

./bin/elasticsearch -d

# 进入Es目录

cd elasticsearch-release

# 设置访问密码（密码设置见下表）

./bin/elasticsearch-setup-passwords interactive

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.

You will be prompted to enter passwords as the process progresses.

# 输入y

Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:

Reenter password for [elastic]:

Enter password for [apm_system]:

Reenter password for [apm_system]:

Enter password for [kibana]:

Reenter password for [kibana]:

Enter password for [logstash_system]:

Reenter password for [logstash_system]:

Enter password for [beats_system]:

Reenter password for [beats_system]:

Enter password for [remote_monitoring_user]:

Reenter password for [remote_monitoring_user]:

# 出现如下提示代表设置成功

Changed password for user [apm_system]

Changed password for user [kibana]

Changed password for user [logstash_system]

Changed password for user [beats_system]

Changed password for user [remote_monitoring_user]

Changed password for user [elastic]

elastic

elastic@WSX

apm_system

apm@WSX

kibana

kibana@WSX

logstash_system

logstash@WSX

beats_system

beats@WSX

remote_monitoring_user

remote@WSX

# user后的账号密码替换为该集群对应的账号密码

curl --insecure --user elastic:elastic@WSX -XPUT "https://ES_ADDRESS:9200/_cluster/settings" -H 'Content-Type: application/json' -d'

{

  "persistent": {

    "cluster.routing.allocation.enable": null

  }

}'

######## 1.安装Kibana ########

# 进入用户目录

cd /home/envuser

# 下载安装包并解压

curl -O https://artifacts.elastic.co/downloads/kibana/kibana-7.6.2-linux-x86_64.tar.gz

tar -xzf kibana-7.6.2-linux-x86_64.tar.gz

# 创建软链

ln -sfn kibana-7.6.2-linux-x86_64 kibana-release

# 进入Kibana目录

cd kibana-release/

######## 2.配置Kibana访问密码 ########

# 创建keystore

./bin/kibana-keystore create

# 设置kibana访问Es的用户名（用户名输入kibana）

./bin/kibana-keystore add elasticsearch.username

# 设置kibana访问Es的密码（输入kibana对应的密码，见前文的密码表）

./bin/kibana-keystore add elasticsearch.password

server.port: 5601

server.host: "10.27.22.223"

server.name: "elk8001"

elasticsearch.hosts: ["https://10.27.22.223:9200"]

i18n.locale: "en"

xpack.security.encryptionKey: "Hz*9yFFaPejHvCkhT*ddNx%WsBgxVSCQ"

elasticsearch.ssl.certificateAuthorities: ["/home/envuser/elasticsearch-release/ssl/kibana/elasticsearch-ca.pem"]

cd kibana-release/

nohup ./bin/kibana >> /dev/null &