Centos安装OpenSearch
Centos安装OpenSearch
- 下载并安装OpenSearch
- 下载OpenSearch RPM包
- 导入公共GNU Privacy Guard(GPG)密钥。此密钥验证您的OpenSearch实例是否已签名
- 安装RPM包
- 安装完设置开机自启动OpenSearch
- 启动OpenSearch
- 验证OpenSearch是否正确启动
- 测试OpenSearch
- 向服务器发送请求以验证OpenSearch是否正在运行
- 向端口9200发送请求
- 查询插件端点
- 设置OpenSearch可远程连接
- 将OpenSearch绑定到主机上的IP或网络接口
- 打开opensearch.yml
- 添加以下行
- 保存更改并关闭文件
- 设置初始和最大JVM堆大小
- 配置TLS
- 导航到将存储证书的目录
- 删除演示证书
- 生成根证书,这将用于签署其他证书
- 创建管理员证书,此证书用于获得执行与安全插件相关的管理任务的提升权限
- 为正在配置的节点创建证书
- 删除不再需要的临时文件
- 确保其余证书归opensearch用户所有
- 按照生成证书中的说明将这些证书添加到opensearch.yml,推荐选择使用脚本进行设置
- 新建shell脚本文件 append-setting.sh
- 执行append-setting.sh
- 为自签名根证书添加信任(可选)
下载并安装OpenSearch
下载OpenSearch RPM包
X64系统
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-x64.rpm
ARM64系统
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-arm64.rpm
导入公共GNU Privacy Guard(GPG)密钥。此密钥验证您的OpenSearch实例是否已签名
sudo rpm --import https://artifacts.opensearch.org/publickeys/opensearch.pgp
安装RPM包
## Install the x64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-2.16.0-linux-x64.rpm
## Install the arm64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-2.16.0-linux-arm64.rpm
安装完设置开机自启动OpenSearch
sudo systemctl enable opensearch
启动OpenSearch
sudo systemctl start opensearch
验证OpenSearch是否正确启动
sudo systemctl status opensearch
测试OpenSearch
向服务器发送请求以验证OpenSearch是否正在运行
向端口9200发送请求
curl -X GET https://localhost:9200 -u 'admin:<custom-admin-password>' --insecure
响应:
{"name":"hostname","cluster_name":"opensearch","cluster_uuid":"QqgpHCbnSRKcPAizqjvoOw","version":{"distribution":"opensearch","number":<version>,"build_type":<build-type>,"build_hash":<build-hash>,"build_date":<build-date>,"build_snapshot":false,"lucene_version":<lucene-version>,"minimum_wire_compatibility_version":"7.10.0","minimum_index_compatibility_version":"7.0.0"},"tagline":"The OpenSearch Project: https://opensearch.org/"}
查询插件端点
curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:<custom-admin-password>' --insecure
响应:
name component versionhostname opensearch-alerting 2.15.0hostname opensearch-anomaly-detection 2.15.0hostname opensearch-asynchronous-search 2.15.0hostname opensearch-cross-cluster-replication 2.15.0hostname opensearch-geospatial 2.15.0hostname opensearch-index-management 2.15.0hostname opensearch-job-scheduler 2.15.0hostname opensearch-knn 2.15.0hostname opensearch-ml 2.15.0hostname opensearch-neural-search 2.15.0hostname opensearch-notifications 2.15.0hostname opensearch-notifications-core 2.15.0hostname opensearch-observability 2.15.0hostname opensearch-performance-analyzer 2.15.0hostname opensearch-reports-scheduler 2.15.0hostname opensearch-security 2.15.0hostname opensearch-security-analytics 2.15.0hostname opensearch-sql 2.15.0
设置OpenSearch可远程连接
默认情况下,OpenSearch不绑定到网络接口,外部主机无法访问。此外,安全设置由默认用户名和密码填充。以下建议将使用户能够将OpenSearch绑定到网络接口,创建和签署TLS证书,以及配置基本身份验证
将OpenSearch绑定到主机上的IP或网络接口
打开opensearch.yml
sudo vi /etc/opensearch/opensearch.yml
添加以下行
# Bind OpenSearch to the correct network interface. Use 0.0.0.0
# to include all available interfaces or specify an IP address
# assigned to a specific interface.
network.host: 0.0.0.0# Unless you have already configured a cluster, you should set
# discovery.type to single-node, or the bootstrap checks will
# fail when you try to start the service.
discovery.type: single-node# If you previously disabled the Security plugin in opensearch.yml,
# be sure to re-enable it. Otherwise you can skip this setting.
plugins.security.disabled: false
保存更改并关闭文件
:wq
设置初始和最大JVM堆大小
vi /etc/opensearch/jvm.options
修改初始堆大小和最大堆大小的值。作为起点,您应该将这些值设置为可用系统内存的一半。对于专用主机,可以根据您的工作流程要求增加此值。
例如,如果主机有8GB的内存,那么您可能希望将初始堆大小和最大堆大小设置为4GB:
-Xms4g
-Xmx4g
配置TLS
导航到将存储证书的目录
cd /etc/opensearch
删除演示证书
sudo rm -f *pem
生成根证书,这将用于签署其他证书
# Create a private key for the root certificate
sudo openssl genrsa -out root-ca-key.pem 2048# Use the private key to create a self-signed root certificate. Be sure to
# replace the arguments passed to -subj so they reflect your specific host.
sudo openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730
创建管理员证书,此证书用于获得执行与安全插件相关的管理任务的提升权限
# Create a private key for the admin certificate.
sudo openssl genrsa -out admin-key-temp.pem 2048# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem# Create the certficiate signing request (CSR). A common name (CN) of "A" is acceptable because this certificate is
# used for authenticating elevated access and is not tied to a host.
sudo openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr# Sign the admin certificate with the root certificate and private key you created earlier.
sudo openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
为正在配置的节点创建证书
# Create a private key for the node certificate.
sudo openssl genrsa -out node1-key-temp.pem 2048# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem# Create the CSR and replace the arguments passed to -subj so they reflect your specific host.
# The CN should match a DNS A record for the host-do not use the hostname.
sudo openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record" -out node1.csr# Create an extension file that defines a SAN DNS name for the host. This
# should match the DNS A record of the host.
sudo sh -c 'echo subjectAltName=DNS:node1.dns.a-record > node1.ext'# Sign the node certificate with the root certificate and private key that you created earlier.
sudo openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext
删除不再需要的临时文件
sudo rm -f *temp.pem *csr *ext
确保其余证书归opensearch用户所有
sudo chown opensearch:opensearch admin-key.pem admin.pem node1-key.pem node1.pem root-ca-key.pem root-ca.pem root-ca.srl
按照生成证书中的说明将这些证书添加到opensearch.yml,推荐选择使用脚本进行设置
新建shell脚本文件 append-setting.sh
vi aplpend-seeting.sh#! /bin/bash# Before running this script, make sure to replace the CN in the
# node's distinguished name with a real DNS A record.echo "plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node1.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node1-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.enabled: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node1.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node1-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.allow_default_init_securityindex: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.authcz.admin_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo " - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.nodes_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo " - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.audit.type: internal_opensearch" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.enable_snapshot_restore_privilege: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.check_snapshot_restore_write_privileges: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.restapi.roles_enabled: [\"all_access\", \"security_rest_api_access\"]" | sudo tee -a /etc/opensearch/opensearch.yml
执行append-setting.sh
sh append-setting.sh
为自签名根证书添加信任(可选)
# Copy the root certificate to the correct directory
sudo cp /etc/opensearch/root-ca.pem /etc/pki/ca-trust/source/anchors/# Add trust
sudo update-ca-trust