Elasticsearch 9.2 Single-Node Deployment

Background

As everyone knows, ES is a vulnerability hot spot: every high-risk vulnerability list the security department hands down has it on there. You could say it is "twelve scrolls of army rosters, and father's name on every one". I am taking this opportunity to record the detailed deployment steps for the current latest ES version.


I. Preparation

Create the es user, and configure the system tuning parameters and the es user's file-descriptor limit.

1. Create a dedicated runtime user
# Create the group and the user
groupadd elastic
useradd -g elastic -m -d /home/elastic elastic
# Set a password (choose your own and remember it)
passwd elastic
xxxxxx

2. Disable the firewall and SELinux
# Stop the firewall and disable it at boot
systemctl stop firewalld && systemctl disable firewalld
# Disable SELinux for the current boot
setenforce 0
# Disable SELinux permanently (takes effect after a reboot)
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

3. Configure kernel parameters (required by ES)
vi /etc/sysctl.conf

# ES kernel parameters
vm.max_map_count=262144
fs.file-max=6553560
net.ipv4.ip_local_port_range=1024 65535
net.core.somaxconn=32768

# Apply the settings
sysctl -p

4. Configure user resource limits (required by ES)
vi /etc/security/limits.conf

# Resource limits for the elastic user; append at the end of the file
elastic soft nofile 65535
elastic hard nofile 65535
elastic soft nproc 4096
elastic hard nproc 4096
elastic soft memlock unlimited
elastic hard memlock unlimited

Log in again for the limits to take effect
su - elastic
exit

5. Create the deployment directories
# Create the root directory and hand it to the elastic user
mkdir -p /data/elastic/{elasticsearch,kibana,data,logs}
chown -R elastic:elastic /data/elastic
chmod -R 755 /data/elastic
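Before starting ES it is worth confirming that steps 3 to 5 actually took effect for the user the service will run as, since a wrong `vm.max_map_count` or `nofile` value only shows up as a bootstrap-check failure at startup. The script below is an added example, not part of the original post: it compares the live kernel values, the current shell's ulimits and the ownership of the deployment directories against the values this page sets. The thresholds and the `/data/elastic` layout are taken from the steps above; run it as `elastic` after logging in again.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the kernel
# parameters, user limits and directory ownership configured in steps 3-5.
# Usage, as the elastic user after a fresh login:  sh es-preflight.sh run

# check_min <name> <actual> <required>: pass when actual >= required.
# "unlimited" (as ulimit prints it) always passes.
check_min() {
  if [ "$2" = unlimited ] || [ "$2" -ge "$3" ] 2>/dev/null; then
    echo "OK   $1=$2"
  else
    echo "FAIL $1=$2 (need >= $3)"
    return 1
  fi
}

# check_owner <path> <user>: pass when the path exists and is owned by <user>.
check_owner() {
  owner="$(ls -ld "$1" 2>/dev/null | awk '{print $3}')"
  if [ -z "$owner" ]; then
    echo "FAIL $1 missing"
    return 1
  elif [ "$owner" = "$2" ]; then
    echo "OK   $1 owned by $owner"
  else
    echo "FAIL $1 owned by $owner (need $2)"
    return 1
  fi
}

# preflight: run every check, print one line per check, return 1 if any failed.
preflight() {
  rc=0
  # kernel parameters from /etc/sysctl.conf (read the live values, not the file)
  check_min vm.max_map_count "$(cat /proc/sys/vm/max_map_count)" 262144 || rc=1
  check_min fs.file-max "$(cat /proc/sys/fs/file-max)" 6553560 || rc=1
  # limits from /etc/security/limits.conf, as seen by this login shell
  check_min nofile "$(ulimit -n)" 65535 || rc=1
  check_min nproc "$(ulimit -u)" 4096 || rc=1
  check_min memlock "$(ulimit -l)" unlimited || rc=1
  # deployment directories from step 5 must belong to the elastic user
  for d in /data/elastic /data/elastic/elasticsearch /data/elastic/kibana \
           /data/elastic/data /data/elastic/logs; do
    check_owner "$d" elastic || rc=1
  done
  return $rc
}

case "${1:-}" in
  run) preflight ;;
esac
```

The limits are read through `ulimit` rather than by parsing `limits.conf` on purpose: PAM only applies that file to new login sessions, so a shell that was already open when the file was edited still reports the old values, which is exactly the case the `su - elastic` / `exit` step above exists to avoid.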

II. Installing and Configuring Elasticsearch 9.2.4

1. Upload and extract the binary package
# Switch to a temporary directory
cd /tmp
curl -o elasticsearch-9.2.4-linux-x86_64.tar.gz https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-9.2.4-linux-x86_64.tar.gz
# Extract into the ES program directory (this creates an elasticsearch-9.2.4 subdirectory)
tar -zxvf elasticsearch-9.2.4-linux-x86_64.tar.gz -C /data/elastic/elasticsearch
# Create a symlink (makes later upgrades easier: configured paths need no change)
ln -s /data/elastic/elasticsearch/elasticsearch-9.2.4 /data/elastic/elasticsearch/current
# Give the directory to the elastic user
chown -R elastic:elastic /data/elastic/elasticsearch

2. Edit the core configuration file
# Switch to the elastic user
su - elastic
# Change to the installation directory
cd /data/elastic/elasticsearch/current

Generate a self-signed certificate

# Use the certificate tool bundled with Elasticsearch
[elastic@elk-server current]$ ./bin/elasticsearch-certutil http

## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right
set of files for your needs.

## Do you wish to generate a Certificate Signing Request (CSR)?

A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).

If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.

If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR? [y/N]N

## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]n

A new Certificate Authority will be generated for you

## CA Generation Options

The generated certificate authority will have the following configuration values.
These values have been selected based on secure defaults.
You should not need to change these values unless you have specific requirements.

Subject DN: CN=Elasticsearch HTTP CA
Validity: 5y
Key Size: 2048
Key Usage: keyCertSign,cRLSign

Do you wish to change any of these options? [y/N]y

## What should your CA be named?

Every client that connects to your Elasticsearch cluster will need to trust this custom Certificate Authority.
It is helpful to have a meaningful name for this CA

CA Name [CN=Elasticsearch HTTP CA]

## How long should your CA be valid?

Every certificate has an expiry date. When the expiry date is reached, clients will stop trusting your Certificate Authority and TLS connections will fail.

We recommend that you set this to a long duration (3 - 5 years) and then perform a manual update a few months before it expires.
You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

CA Validity [5y]

## What key size should your CA have?

The RSA private key for your Certificate Authority has a fixed 'key size' (in bits).
Larger key sizes are generally more secure, but are also slower.

We recommend that you use one of 2048, 3072 or 4096 bits for your key.

Key Size [2048]

## What key usage should your CA have?

The key usage extension defines the purpose of the key contained in the certificate.
The usage restriction might be employed when a key, that could be used for more than one operation, is to be restricted.

You may enter the key usage as a comma-delimited list of following values:
 - cRLSign
 - dataEncipherment
 - decipherOnly
 - digitalSignature
 - encipherOnly
 - keyAgreement
 - keyCertSign
 - keyEncipherment
 - nonRepudiation

Key Usage [keyCertSign,cRLSign]

Subject DN: CN=Elasticsearch HTTP CA
Validity: 5y
Key Size: 2048
Key Usage: keyCertSign,cRLSign

Do you wish to change any of these options? [y/N]n

## CA password

We recommend that you protect your CA private key with a strong password.
If your key does not have a password (or the password can be easily guessed)
then anyone who gets a copy of the key file will be able to generate new certificates
and impersonate your Elasticsearch cluster.

IT IS IMPORTANT THAT YOU REMEMBER THIS PASSWORD AND KEEP IT SECURE

CA password: [<ENTER> for none]

## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y]

## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]y

## What is the name of node #1?

This name will be used as part of the certificate file name, and as a
descriptive name within the certificate.

You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.

node #1 name: es001

## Which hostnames will be used to connect to es001?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

abc.es.com

You entered the following hostnames.

 - abc.es.com

Is this correct [Y/n]y

## Which IP addresses will be used to connect to es001?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

192.168.0.45

You entered the following IP addresses.

 - 192.168.0.45

Is this correct [Y/n]Y

## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: es001
Subject DN: CN=es001
Key Size: 2048
Key Usage: digitalSignature,keyEncipherment

Do you wish to change any of these options? [y/N]n

Generate additional certificates? [Y/n]n

## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file: [<ENTER> for none]

## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/data/elastic/elasticsearch/elasticsearch-9.2.4/elasticsearch-ssl-http.zip] /data/elastic/elasticsearch/current/certs/elasticsearch-ssl-http.zip

Zip file written to /data/elastic/elasticsearch/current/certs/elasticsearch-ssl-http.zip

Extract the certificate archive

[root@elk-server current]# cd certs/
[root@elk-server certs]# ls
elasticsearch-ssl-http.zip
[root@elk-server certs]# unzip elasticsearch-ssl-http.zip 
Archive:  elasticsearch-ssl-http.zip
   creating: elasticsearch/
  inflating: elasticsearch/README.txt  
  inflating: elasticsearch/http.p12     # this is the certificate file we need
  inflating: elasticsearch/sample-elasticsearch.yml  
   creating: ca/
  inflating: ca/README.txt           
  inflating: ca/ca.p12               
   creating: kibana/
  inflating: kibana/README.txt       
  inflating: kibana/elasticsearch-ca.pem  
  inflating: kibana/sample-kibana.yml  
[root@elk-server certs]# 

Back up the default configuration file and edit it

[root@elk-server certs]# cd ../config/
[root@elk-server config]# cp elasticsearch.yml elasticsearch_bak.yml 
[root@elk-server config]# vim elasticsearch.yml
# ======================== Basic settings =========================
# 1. Node name (required; must match initial_master_nodes below)
node.name: es01

# 2. Cluster name (defaults to elasticsearch; change it so nothing joins by accident)
cluster.name: my-es-cluster

# ======================== Network =========================
# 3. Allow external access
network.host: 192.168.0.45
http.port: 9200

# ======================== Cluster discovery (the key to the startup error) ===========
# 4. In single-node mode, put the node.name configured above here
# Meaning: at startup this node is the boss and does not wait for anyone else
cluster.initial_master_nodes: ["es01"]

# 5. Seed hosts; loopback is enough on a single node and keeps it from probing the LAN
discovery.seed_hosts: ["127.0.0.1"]

# ======================== Security =================
# 6. Enable the security features
xpack.security.enabled: true

# 7. Machine learning, which showed up in the earlier error; disable it for now
xpack.ml.enabled: false

# ---------------- HTTP SSL (encrypts browser/client access to ES) ----------------
xpack.security.http.ssl:
  enabled: true
  keystore.path: /data/elastic/elasticsearch/current/certs/http.p12
  # If you set no password when generating the certificate, this line is not needed
  # keystore.password: "your certificate password"

# ---------------- Transport SSL (node-to-node encryption; mandatory in production mode) ----
# Note: even on a single node, ES 9.x requires this as soon as you bind to a non-localhost IP
# To keep things simple, reuse the http.p12 certificate here (fine for a single node)
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/http.p12
  truststore.path: certs/http.p12

Configure ES as a system service

# Switch to the root user
vim /usr/lib/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=https://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
# Service type
Type=simple

# The user and group you created
User=elastic
Group=elastic

# [Important] change this to your actual installation path
WorkingDirectory=/data/elastic/elasticsearch/current
Environment=ES_HOME=/data/elastic/elasticsearch/current
Environment=ES_PATH_CONF=/data/elastic/elasticsearch/current/config

# Start command (do not add -d; systemd needs the process in the foreground)
ExecStart=/data/elastic/elasticsearch/current/bin/elasticsearch

# Resource limits required by ES. systemd ignores /etc/security/limits.conf, so they must be set here
# Maximum open file handles
LimitNOFILE=65535
# Maximum processes/threads
LimitNPROC=4096

# Maximum virtual memory
LimitAS=infinity
# Maximum file size
LimitFSIZE=infinity

# Start/stop timeout settings
TimeoutStopSec=0
KillSignal=SIGTERM
SendSIGKILL=no
SuccessExitStatus=143

# Restart automatically if the service dies
Restart=on-failure

[Install]
WantedBy=multi-user.target

Reload systemd and start ES

systemctl daemon-reload
systemctl start elasticsearch

Check the status

[root@elk-server config]# systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2026-01-29 16:21:38 CST; 21h ago
     Docs: https://www.elastic.co
 Main PID: 37821 (java)
    Tasks: 116
   Memory: 8.4G
   CGroup: /system.slice/elasticsearch.service
           ├─37821 /data/elastic/elasticsearch/current/jdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -Dcli.name=server -Dcli....
           └─37910 /data/elastic/elasticsearch/elasticsearch-9.2.4/jdk/bin/java -Des.networkaddress.cache.ttl=60 -Des.networ...

Jan 30 13:26:08 elk-server elasticsearch[37821]: [2026-01-30T13:26:08,921][WARN ][o.e.h.n.Netty4HttpServerTransport] [e...4314}
Jan 30 13:26:27 elk-server elasticsearch[37821]: [2026-01-30T13:26:27,248][WARN ][o.e.c.c.Coordinator      ] [es01] Thi...ng. F
Jan 30 13:26:31 elk-server elasticsearch[37821]: [2026-01-30T13:26:31,295][WARN ][o.e.h.n.Netty4HttpServerTransport] [e...1817}
Jan 30 13:26:34 elk-server elasticsearch[37821]: [2026-01-30T13:26:34,342][WARN ][o.e.h.n.Netty4HttpServerTransport] [e...2006}
Jan 30 13:26:41 elk-server elasticsearch[37821]: [2026-01-30T13:26:41,265][WARN ][o.e.h.n.Netty4HttpServerTransport] [e...1210}
Jan 30 13:26:43 elk-server elasticsearch[37821]: [2026-01-30T13:26:43,464][WARN ][o.e.h.n.Netty4HttpServerTransport] [e...6746}
Jan 30 13:26:47 elk-server elasticsearch[37821]: [2026-01-30T13:26:47,049][WARN ][o.e.h.n.Netty4HttpServerTransport] [e...9683}
Jan 30 13:26:57 elk-server elasticsearch[37821]: [2026-01-30T13:26:57,248][WARN ][o.e.c.c.Coordinator      ] [es01] Thi...ng. F
Jan 30 13:27:01 elk-server elasticsearch[37821]: [2026-01-30T13:27:01,670][WARN ][o.e.h.n.Netty4HttpServerTransport] [e...2956}
Jan 30 13:27:02 elk-server elasticsearch[37821]: [2026-01-30T13:27:02,700][WARN ][o.e.h.n.Netty4HttpServerTransport] [e...4781}
Hint: Some lines were ellipsized, use -l to show in full.

Reset the elastic user's password

[root@elk-server current]# ./bin/elasticsearch-reset-password  elastic
# It asks whether to reset the password, then prints the new one to the terminal

Use the password we just obtained to verify the state of the ES cluster

[root@elk-server current]# curl -u elastic:sesxxxxxjpW_a2AFcslC -k https://192.168.0.46:9200
{
  "name" : "es01",
  "cluster_name" : "my-es-cluster",
  "cluster_uuid" : "VFEn9cEGRfq3sEn83JkANw",
  "version" : {
    "number" : "9.2.4",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "dfc5c38614c29a598e132c035b66160d3d350894",
    "build_date" : "2026-01-08T22:07:25.170027027Z",
    "build_snapshot" : false,
    "lucene_version" : "10.3.2",
    "minimum_wire_compatibility_version" : "8.19.0",
    "minimum_index_compatibility_version" : "8.0.0"
  },
  "tagline" : "You Know, for Search"
}
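The `curl -k` above disables certificate verification, so it only proves that something answers on port 9200, not that it is the node whose certificate was just generated. The script below is an added example, not part of the original post. It extracts the leaf certificate from `http.p12` with openssl (empty keystore password, as chosen in the certutil session), checks that the SAN list covers the address clients will connect to (the same requirement Kibana's `elasticsearch.hosts` entry has to satisfy), checks that the certificate is not about to expire, and then queries cluster health with the CA pinned through `--cacert` instead of `-k`. Paths follow this page's layout; `ES_AUTH` (`user:password`) is an assumed environment variable, not something the page defines.

```shell
#!/bin/sh
# Added example (not from the original post): verify the node's TLS identity
# instead of skipping verification with curl -k.
# Assumes the page's layout: http.p12 with an empty password under certs/, and the
# CA PEM that certutil wrote under certs/kibana/. ES_AUTH="user:password" is assumed.
# Usage:  ES_AUTH='elastic:...' sh es-verify-tls.sh verify 192.168.0.45
ES_HOME="${ES_HOME:-/data/elastic/elasticsearch/current}"
P12="$ES_HOME/certs/http.p12"
CA_PEM="$ES_HOME/certs/kibana/elasticsearch-ca.pem"

# san_line: print the value line that follows the SAN header in `openssl x509 -text` output.
san_line() {
  awk '/Subject Alternative Name/ {getline; gsub(/^[ \t]+/, ""); print; exit}'
}

# san_has <x509-text> <name>: 0 when <name> appears exactly as a DNS or IP SAN entry.
san_has() {
  printf '%s\n' "$1" | san_line | tr ',' '\n' | sed 's/^[ ]*//' \
    | grep -qx -e "DNS:$2" -e "IP Address:$2"
}

# leaf_pem: the server certificate from the PKCS#12 keystore, as PEM.
leaf_pem() {
  openssl pkcs12 -in "$P12" -nokeys -passin pass: 2>/dev/null
}

# verify <host-or-ip>: SAN coverage, expiry window, then an authenticated call with the CA pinned.
verify() {
  host="$1"
  txt="$(leaf_pem | openssl x509 -noout -text)" || { echo "FAIL cannot read $P12"; return 1; }
  if san_has "$txt" "$host"; then
    echo "OK   SAN covers $host"
  else
    echo "FAIL SAN does not cover $host (clients will refuse the connection)"
    return 1
  fi
  # -checkend fails if the certificate expires within the next 30 days (2592000 s)
  if leaf_pem | openssl x509 -noout -checkend 2592000 >/dev/null; then
    echo "OK   certificate valid for more than 30 days"
  else
    echo "FAIL certificate expires within 30 days"
    return 1
  fi
  # pinned CA instead of -k: a wrong or self-issued certificate now fails loudly
  curl -sS --cacert "$CA_PEM" ${ES_AUTH:+-u "$ES_AUTH"} "https://$host:9200/_cluster/health?pretty"
}

case "${1:-}" in
  verify) verify "${2:-192.168.0.45}" ;;
esac
```

The SAN check is the one that bites in practice: the certutil session above put only `abc.es.com` and `192.168.0.45` into the certificate, so any other hostname or address, even one that routes to the same box, fails verification the moment `-k` is dropped.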

III. Installing and Configuring Kibana 9.2.4

With ES installed, let's install the matching Kibana as well.

# Download the archive
curl -o kibana-9.2.4-linux-x86_64.tar.gz https://artifacts.elastic.co/downloads/kibana/kibana-9.2.4-linux-x86_64.tar.gz
# Extract into the target directory
tar xf kibana-9.2.4-linux-x86_64.tar.gz -C /data/elastic/kibana
# Create a symlink (makes later upgrades easier: configured paths need no change)
ln -s /data/elastic/kibana/kibana-9.2.4 /data/elastic/kibana/current

# Give the directory to the elastic user
chown -R elastic:elastic /data/elastic/kibana

Next we need three preparatory steps before we can start editing the Kibana configuration file.

Step 1: prepare the certificate file
This file was already generated on the Elasticsearch side and can be used as is.
cp /data/elastic/elasticsearch/current/certs/kibana/elasticsearch-ca.pem /data/elastic/kibana/current/config

Step 2: prepare the dedicated Kibana account
Kibana must not run under the elastic superuser account; it has a dedicated built-in account named kibana_system. We need to set a password for it.
# Reset the password automatically and show it on the terminal
cd /data/elastic/elasticsearch/current
./bin/elasticsearch-reset-password -u kibana_system

Step 3: generate the encryption keys (required in 9.x)
Since 8.x, Kibana requires encryption keys to be configured (they encrypt saved objects, reports, and so on); otherwise startup warns or even fails.
cd /data/elastic/kibana/current
./bin/kibana-encryption-keys generate
It outputs a YAML snippet (three settings, including xpack.encryptedSavedObjects.encryptionKey). Copy it; we will paste it into the configuration file shortly.

With all three pieces in hand, let's configure Kibana.

cd /data/elastic/kibana/current/config
cp kibana.yml kibana_bak.yml
vim kibana.yml
# =================== Basic settings ===================
server.port: 5601
# Allow access from external browsers
server.host: "0.0.0.0"

# =================== Connecting to Elasticsearch ===================
# Point 1: must be HTTPS
# Point 2: the IP must be the one bound in your ES certificate (the 192.168.0.45 you entered earlier)
elasticsearch.hosts: ["https://192.168.0.45:9200"]

# Point 3: account settings (use the password generated in step 2)
elasticsearch.username: "kibana_system"
elasticsearch.password: "PASSWORD_KIBANA"

# =================== Certificate trust ===================
# Point 4: path to the CA certificate copied in just now
elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]

# =================== Chinese UI (optional) ===================
i18n.locale: "zh-CN"

# =================== Encryption keys (required) ===================
# Paste the three key lines generated in step 3, in this format:
xpack.encryptedSavedObjects.encryptionKey: "random string..."
xpack.reporting.encryptionKey: "random string..."
xpack.security.encryptionKey: "random string..."

Configure the systemd service (the kibana.service unit, alongside the Elasticsearch one)

[Unit]
Description=Kibana
Documentation=https://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=elastic
Group=elastic

# Environment variables (if needed)
# Environment=NODE_OPTIONS="--max-old-space-size=2048"

# Working directory
WorkingDirectory=/data/elastic/kibana/current
ExecStart=/data/elastic/kibana/current/bin/kibana

# Restart policy
Restart=on-failure
RestartSec=3

# Resource limits (the standard limits are enough for Kibana)
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target

Reload systemd and start Kibana

sudo systemctl daemon-reload
sudo systemctl enable kibana
sudo systemctl start kibana


Posted 2026-01-30 11:17 by 高佳丰