场景介绍,及docker 镜像拉取
## 主机列表
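# Map the three node names to their addresses on each host so that names used
# below (instances.yml, discovery.seed_hosts, extra_hosts) resolve on the host
# side as well. The target is /etc/hosts; the original "/etch/hosts" was a typo
# that would silently create an unrelated file instead of updating the resolver.
cat >> /etc/hosts << "EOF"
192.168.60.35 es-node1
192.168.60.36 es-node2
192.168.60.37 es-node3
EOF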
## 拉取镜像
# Fetch the image once per host; the same tag is reused by the certutil runs
# and by ES_VERSION in .env, so keep them in sync when upgrading.
docker image pull elasticsearch:9.1.0
## 官方部署文档
https://www.elastic.co/docs/deploy-manage/deploy/self-managed/install-elasticsearch-docker-compose
# 官方docker-compose.yml示例
https://github.com/elastic/elasticsearch/blob/main/docs/reference/setup/install/docker/docker-compose.yml
生成证书
# 准备目录,及文件
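# Create the bind-mount directories and describe the cluster members for
# elasticsearch-certutil. Hostnames belong under "dns:" and addresses under
# "ip:" so each node certificate carries both DNS and IP SANs; an address
# listed under "dns:" becomes a DNS SAN, which clients that connect by IP
# (curl, other nodes using the address) will not match.
mkdir -p /opt/devops/elasticsearch/{certs,data}
cat > /opt/devops/elasticsearch/certs/instances.yml << "EOF"
instances:
  - name: es-node1
    dns: [ "es-node1", "es-node1.local" ]
    ip: [ "192.168.60.35" ]
  - name: es-node2
    dns: [ "es-node2", "es-node2.local" ]
    ip: [ "192.168.60.36" ]
  - name: es-node3
    dns: [ "es-node3", "es-node3.local" ]
    ip: [ "192.168.60.37" ]
EOF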
# 生成 PEM 格式的无密码 CA(只需执行一次,注意 docker 使用了root权限 -u 0)
# Create a passphrase-less PEM CA (run once). The container runs as root
# (--user 0) so it can write into the bind-mounted certs directory; file
# ownership is handed back to uid 1000 later with chown.
cd /opt/devops/elasticsearch
docker run --rm --user 0 \
  --volume /opt/devops/elasticsearch/certs:/certs \
  elasticsearch:9.1.0 \
  bash -c 'bin/elasticsearch-certutil ca --silent --pem --out /certs/ca.zip &&
    unzip /certs/ca.zip -d /certs/ &&
    rm -f /certs/ca.zip'
# 用该 CA 来签发集群证书
# Sign one certificate per node listed in instances.yml with the CA created
# above. Output lands in /certs/<node-name>/<node-name>.{crt,key}; the zip is
# removed after extraction.
docker run --rm --user 0 \
  --volume /opt/devops/elasticsearch/certs:/certs \
  elasticsearch:9.1.0 \
  bash -c 'bin/elasticsearch-certutil cert --silent --pem \
      --in /certs/instances.yml \
      --ca-cert /certs/ca/ca.crt \
      --ca-key /certs/ca/ca.key \
      --out /certs/certs.zip &&
    unzip /certs/certs.zip -d /certs &&
    rm -f /certs/certs.zip'
## 或者一步到位
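# Alternative: create the CA and all node certificates in a single container
# run. The mount target is the image's config/certs directory, so the relative
# paths below resolve against the container's working directory. The cert step
# used "-out"; it is "--out" everywhere else on this page, and certutil's
# documented long option is "--out", so it is made consistent here.
docker run --rm -u 0 \
  -v /opt/devops/elasticsearch/certs:/usr/share/elasticsearch/config/certs \
  elasticsearch:9.1.0 \
  bash -c "bin/elasticsearch-certutil ca --silent --pem --out config/certs/ca.zip && \
    unzip config/certs/ca.zip -d config/certs/ && \
    rm -f config/certs/ca.zip && \
    bin/elasticsearch-certutil cert --silent --pem --out config/certs/certs.zip \
      --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt \
      --ca-key config/certs/ca/ca.key && \
    unzip config/certs/certs.zip -d config/certs/ && \
    rm -f config/certs/certs.zip"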
# 得到结果
[root@es-node1 elasticsearch]# pwd
/opt/devops/elasticsearch
[root@es-node1 elasticsearch]# tree
├── certs
│ ├── ca
│ │ ├── ca.crt
│ │ └── ca.key
│ ├── es-node1
│ │ ├── es-node1.crt
│ │ └── es-node1.key
│ ├── es-node2
│ │ ├── es-node2.crt
│ │ └── es-node2.key
│ ├── es-node3
│ │ ├── es-node3.crt
│ │ └── es-node3.key
│ └── instances.yml
└── data
开始部署es
## 准备环境变量
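# Variables substituted by docker compose into docker-compose.yml.
# - NODE_NAME differs per host (es-node1/2/3); everything else is shared.
# - LICENSE is referenced as ${LICENSE} in the compose file; when it is not
#   defined, compose substitutes an empty string and Elasticsearch receives
#   xpack.license.self_generated.type= with no value. "basic" is the free tier.
# - ELASTIC_PASSWORD is the bootstrap password for the elastic superuser; the
#   value below is an example and must be replaced. The file is restricted to
#   the owner because it holds that secret (the default umask would leave it
#   world-readable).
cat > /opt/devops/elasticsearch/.env << "EOOF"
ES_VERSION=9.1.0
NODE_NAME=es-node1
CLUSTER_NAME=es-cluster
LICENSE=basic
ELASTIC_PASSWORD=abcd@1234
EOOF
chmod 600 /opt/devops/elasticsearch/.env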
## 准备docker compose
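# One Elasticsearch node per host; the same file is deployed to all three hosts
# and differs only through NODE_NAME in .env. The heredoc delimiter is quoted so
# ${...} is left for docker compose to substitute, not expanded by the shell.
# The file is YAML: indentation is structural.
cat > /opt/devops/elasticsearch/docker-compose.yml << "EOOF"
services:
  elasticsearch:
    #image: docker.elastic.co/elasticsearch/elasticsearch:9.1.0
    image: elasticsearch:${ES_VERSION}
    container_name: ${NODE_NAME}
    volumes:
      - ./certs:/usr/share/elasticsearch/config/certs
      - ./data:/usr/share/elasticsearch/data
    environment:
      # Cluster and node identity. node.master=true was dropped: that setting
      # was removed in Elasticsearch 8.0 (replaced by node.roles) and makes a
      # 9.x node refuse to start; the default roles already include master.
      - cluster.name=${CLUSTER_NAME}
      - node.name=${NODE_NAME}
      # Bind on all interfaces; HTTP API and inter-node transport ports.
      - network.host=0.0.0.0
      - http.port=9200
      - transport.port=9300
      # Seed hosts for discovery and the one-time bootstrap list of masters.
      - discovery.seed_hosts=es-node1,es-node2,es-node3
      - cluster.initial_master_nodes=es-node1,es-node2,es-node3
      # CORS only matters for browser-based clients talking to the API
      # directly; a wildcard origin lets any web page's script reach the API,
      # so remove both lines if no such client is used. Note the quotes around
      # * are part of the value as written here (heredoc and list item both
      # keep them) — verify the effective setting if wildcard CORS is intended.
      - http.cors.enabled=true
      - http.cors.allow-origin="*"
      # Permits wildcard/_all index deletion (the default is true, i.e. names
      # required). Deliberate relaxation for a lab; keep the default in production.
      - action.destructive_requires_name=false
      # Pin the JVM heap in RAM so the OS cannot swap it out; needs the
      # unlimited memlock ulimit declared below.
      - bootstrap.memory_lock=true
      - ES_JAVA_OPTS=-Xms2g -Xmx2g
      # Bootstrap password and TLS on both the HTTP and transport layers,
      # using the per-node certificates signed by the CA generated above.
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/${NODE_NAME}/${NODE_NAME}.key
      - xpack.security.http.ssl.certificate=certs/${NODE_NAME}/${NODE_NAME}.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/${NODE_NAME}/${NODE_NAME}.key
      - xpack.security.transport.ssl.certificate=certs/${NODE_NAME}/${NODE_NAME}.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      # "certificate" validates the chain to ca.crt but not the peer hostname;
      # "full" would additionally check the SANs issued from instances.yml.
      - xpack.security.transport.ssl.verification_mode=certificate
      # Fall back to the free basic license if LICENSE is missing from .env,
      # instead of passing an empty value.
      - xpack.license.self_generated.type=${LICENSE:-basic}
      - xpack.ml.use_auto_machine_memory_percent=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - "9200:9200"
      - "9300:9300"
    healthcheck:
      # Unauthenticated probe, as in the official compose example: a 401 body
      # containing "missing authentication credentials" proves TLS and the
      # security layer are up. Passing -u elastic:... here would return the
      # cluster banner instead, so the grep would never match and the container
      # would stay unhealthy; it would also copy the password into the
      # container's config.
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 30
    extra_hosts:
      - "es-node1:192.168.60.35"
      - "es-node2:192.168.60.36"
      - "es-node3:192.168.60.37"
EOOF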
## 启动
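# Hand the bind-mounted certs and data trees (written as root by the certutil
# runs) to the image's elasticsearch user, uid/gid 1000. Options come before the
# operands for portability and "--" ends option parsing. Private keys are made
# owner-only; ca.key is needed only for signing and does not have to be copied
# to the other two hosts at all.
chown -R 1000:1000 -- /opt/devops/elasticsearch/*
chmod 600 -- /opt/devops/elasticsearch/certs/*/*.key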