做一个好的网站需要什么,网站商城模板,徐州百姓网招聘信息网,自适应网站建设都找全网天下Centos安装OpenSearch 下载并安装OpenSearch下载OpenSearch RPM包导入公共GNU Privacy Guard#xff08;GPG#xff09;密钥。此密钥验证您的OpenSearch实例是否已签名安装RPM包安装完设置开机自启动OpenSearch启动OpenSearch验证OpenSearch是否正确启动 测试OpenSearch向服务… Centos安装OpenSearch 下载并安装OpenSearch下载OpenSearch RPM包导入公共GNU Privacy GuardGPG密钥。此密钥验证您的OpenSearch实例是否已签名安装RPM包安装完设置开机自启动OpenSearch启动OpenSearch验证OpenSearch是否正确启动 测试OpenSearch向服务器发送请求以验证OpenSearch是否正在运行向端口9200发送请求查询插件端点 设置OpenSearch可远程连接将OpenSearch绑定到主机上的IP或网络接口打开opensearch.yml添加以下行保存更改并关闭文件 设置初始和最大JVM堆大小配置TLS导航到将存储证书的目录删除演示证书生成根证书这将用于签署其他证书创建管理员证书此证书用于获得执行与安全插件相关的管理任务的提升权限为正在配置的节点创建证书删除不再需要的临时文件确保其余证书归opensearch用户所有按照生成证书中的说明将这些证书添加到opensearch.yml推荐选择使用脚本进行设置新建shell脚本文件 append-setting.sh执行append-setting.sh 为自签名根证书添加信任(可选) 下载并安装OpenSearch
下载OpenSearch RPM包
X64系统
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-x64.rpmARM64系统
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-arm64.rpm导入公共GNU Privacy GuardGPG密钥。此密钥验证您的OpenSearch实例是否已签名
sudo rpm --import https://artifacts.opensearch.org/publickeys/opensearch.pgp安装RPM包
## Install the x64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORDcustom-admin-password rpm -ivh opensearch-2.16.0-linux-x64.rpm
## Install the arm64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORDcustom-admin-password rpm -ivh opensearch-2.16.0-linux-arm64.rpm安装完设置开机自启动OpenSearch
sudo systemctl enable opensearch启动OpenSearch
sudo systemctl start opensearch验证OpenSearch是否正确启动
sudo systemctl status opensearch测试OpenSearch
向服务器发送请求以验证OpenSearch是否正在运行
向端口9200发送请求
curl -X GET https://localhost:9200 -u admin:custom-admin-password --insecure响应
{name:hostname,cluster_name:opensearch,cluster_uuid:QqgpHCbnSRKcPAizqjvoOw,version:{distribution:opensearch,number:version,build_type:build-type,build_hash:build-hash,build_date:build-date,build_snapshot:false,lucene_version:lucene-version,minimum_wire_compatibility_version:7.10.0,minimum_index_compatibility_version:7.0.0},tagline:The OpenSearch Project: https://opensearch.org/}查询插件端点
curl -X GET https://localhost:9200/_cat/plugins?v -u admin:custom-admin-password --insecure响应
name component versionhostname opensearch-alerting 2.15.0hostname opensearch-anomaly-detection 2.15.0hostname opensearch-asynchronous-search 2.15.0hostname opensearch-cross-cluster-replication 2.15.0hostname opensearch-geospatial 2.15.0hostname opensearch-index-management 2.15.0hostname opensearch-job-scheduler 2.15.0hostname opensearch-knn 2.15.0hostname opensearch-ml 2.15.0hostname opensearch-neural-search 2.15.0hostname opensearch-notifications 2.15.0hostname opensearch-notifications-core 2.15.0hostname opensearch-observability 2.15.0hostname opensearch-performance-analyzer 2.15.0hostname opensearch-reports-scheduler 2.15.0hostname opensearch-security 2.15.0hostname opensearch-security-analytics 2.15.0hostname opensearch-sql 2.15.0设置OpenSearch可远程连接
默认情况下OpenSearch不绑定到网络接口外部主机无法访问。此外安全设置由默认用户名和密码填充。以下建议将使用户能够将OpenSearch绑定到网络接口创建和签署TLS证书以及配置基本身份验证
将OpenSearch绑定到主机上的IP或网络接口
打开opensearch.yml
sudo vi /etc/opensearch/opensearch.yml添加以下行
# Bind OpenSearch to the correct network interface. Use 0.0.0.0
# to include all available interfaces or specify an IP address
# assigned to a specific interface.
network.host: 0.0.0.0# Unless you have already configured a cluster, you should set
# discovery.type to single-node, or the bootstrap checks will
# fail when you try to start the service.
discovery.type: single-node# If you previously disabled the Security plugin in opensearch.yml,
# be sure to re-enable it. Otherwise you can skip this setting.
plugins.security.disabled: false保存更改并关闭文件
:wq设置初始和最大JVM堆大小
vi /etc/opensearch/jvm.options修改初始堆大小和最大堆大小的值。作为起点您应该将这些值设置为可用系统内存的一半。对于专用主机可以根据您的工作流程要求增加此值。 例如如果主机有8GB的内存那么您可能希望将初始堆大小和最大堆大小设置为4GB
-Xms4g
-Xmx4g配置TLS
导航到将存储证书的目录
cd /etc/opensearch删除演示证书
sudo rm -f *pem生成根证书这将用于签署其他证书
# Create a private key for the root certificate
sudo openssl genrsa -out root-ca-key.pem 2048# Use the private key to create a self-signed root certificate. Be sure to
# replace the arguments passed to -subj so they reflect your specific host.
sudo openssl req -new -x509 -sha256 -key root-ca-key.pem -subj /CCA/STONTARIO/LTORONTO/OORG/OUUNIT/CNROOT -out root-ca.pem -days 730创建管理员证书此证书用于获得执行与安全插件相关的管理任务的提升权限
# Create a private key for the admin certificate.
sudo openssl genrsa -out admin-key-temp.pem 2048# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem# Create the certficiate signing request (CSR). A common name (CN) of A is acceptable because this certificate is
# used for authenticating elevated access and is not tied to a host.
sudo openssl req -new -key admin-key.pem -subj /CCA/STONTARIO/LTORONTO/OORG/OUUNIT/CNA -out admin.csr# Sign the admin certificate with the root certificate and private key you created earlier.
sudo openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730为正在配置的节点创建证书
# Create a private key for the node certificate.
sudo openssl genrsa -out node1-key-temp.pem 2048# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem# Create the CSR and replace the arguments passed to -subj so they reflect your specific host.
# The CN should match a DNS A record for the host-do not use the hostname.
sudo openssl req -new -key node1-key.pem -subj /CCA/STONTARIO/LTORONTO/OORG/OUUNIT/CNnode1.dns.a-record -out node1.csr# Create an extension file that defines a SAN DNS name for the host. This
# should match the DNS A record of the host.
sudo sh -c echo subjectAltNameDNS:node1.dns.a-record node1.ext# Sign the node certificate with the root certificate and private key that you created earlier.
sudo openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext删除不再需要的临时文件
sudo rm -f *temp.pem *csr *ext确保其余证书归opensearch用户所有
sudo chown opensearch:opensearch admin-key.pem admin.pem node1-key.pem node1.pem root-ca-key.pem root-ca.pem root-ca.srl按照生成证书中的说明将这些证书添加到opensearch.yml推荐选择使用脚本进行设置
新建shell脚本文件 append-setting.sh
vi aplpend-seeting.sh#! /bin/bash# Before running this script, make sure to replace the CN in the
# nodes distinguished name with a real DNS A record.echo plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node1.pem | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node1-key.pem | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.ssl.http.enabled: true | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node1.pem | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node1-key.pem | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.allow_default_init_securityindex: true | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.authcz.admin_dn: | sudo tee -a /etc/opensearch/opensearch.yml
echo - CNA,OUUNIT,OORG,LTORONTO,STONTARIO,CCA | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.nodes_dn: | sudo tee -a /etc/opensearch/opensearch.yml
echo - CNnode1.dns.a-record,OUUNIT,OORG,LTORONTO,STONTARIO,CCA | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.audit.type: internal_opensearch | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.enable_snapshot_restore_privilege: true | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.check_snapshot_restore_write_privileges: true | sudo tee -a /etc/opensearch/opensearch.yml
echo plugins.security.restapi.roles_enabled: [\all_access\, \security_rest_api_access\] | sudo tee -a /etc/opensearch/opensearch.yml执行append-setting.sh
sh append-setting.sh为自签名根证书添加信任(可选)
# Copy the root certificate to the correct directory
sudo cp /etc/opensearch/root-ca.pem /etc/pki/ca-trust/source/anchors/# Add trust
sudo update-ca-trust
