es版本升级
考虑到 es 7.10.1 的安全漏洞越来越多,为了避免升级 8.x 版本而带来的兼容性风险,这里将其升级到 7.17.22
[TOC]
准备工作
- 在root用户下,创建用于安装es应用的普通用户(es不可用root账户启动),比如
app
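# Create the unprivileged account that owns and runs Elasticsearch. Run as root.
mkdir -p /data
# getent matches the exact name; the former grep "app:" also matched any other
# entry ending in "app:" (e.g. "webapp:") and then skipped the creation.
getent group app > /dev/null || groupadd app
getent passwd app > /dev/null || useradd app -g app -d /data/app -s /bin/bash

# Take the login password from a prompt rather than from a literal in the
# command, so it reaches neither the shell history nor copies of this page.
# Run the read line on its own: text pasted after it is consumed as the password.
read -r -s -p 'Password for app: ' app_password && echo
printf '%s\n' "${app_password}" | passwd app --stdin
unset app_password

# The installation steps call sudo as app. NOPASSWD:ALL makes the account
# root-equivalent, so the grant lives in its own drop-in, is syntax-checked
# before it becomes active, and should be deleted (rm /etc/sudoers.d/app) once
# the installation is finished. The ".new" name is ignored by sudo until renamed.
# NOTE(review): assumes /etc/sudoers still includes /etc/sudoers.d — confirm.
if ! grep -Eqs '^app[[:space:]]+ALL' /etc/sudoers /etc/sudoers.d/*; then
  echo 'app ALL=NOPASSWD:ALL' > /etc/sudoers.d/app.new \
    && chmod 0440 /etc/sudoers.d/app.new \
    && visudo -cf /etc/sudoers.d/app.new \
    && mv /etc/sudoers.d/app.new /etc/sudoers.d/app
fi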
- 在root用户下,根据实际情况修改安装过程要用到的环境参数(示例
192.168.31.101
)
# Write the installation parameters to a file that every later step sources.
# Values are fixed at write time: arch is whatever `arch` prints on this host,
# es1 is this node's address (the example value from the text above).
{
  printf 'user=%s\n' app
  printf 'group=%s\n' app
  printf 'workdir=%s\n' /data/app
  printf 'arch=%s\n' "$(arch)"
  printf 'es1=%s\n' 192.168.31.101
} > /opt/.es.config
- 在root用户下,下载文件到
/opt/es
目录下
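# Fetch the installation media into /opt/es. Run as root.
mkdir -p /opt/es
mirror=http://iso.sqlfans.cn/linux
for artifact in \
  elasticsearch-7.10.1-linux-x86_64.tar.gz \
  elasticsearch-7.10.1-linux-aarch64.tar.gz \
  log4j-api-2.18.0.jar \
  log4j-core-2.18.0.jar \
  owasp-java-html-sanitizer-20211018.2.jar
do
  # -f makes an HTTP error fail the download. Without it curl stores the
  # server's error page under the artifact name and later steps unpack or
  # install that page. A failed download is removed so it cannot be used.
  if ! curl -fsSL "${mirror}/${artifact}" -o "/opt/es/${artifact}"; then
    echo "download failed: ${artifact}" >&2
    rm -f -- "/opt/es/${artifact}"
  fi
done
# The mirror is plain HTTP, so nothing authenticates these files in transit,
# and they become the binaries and classpath of a network service. Compare
# every digest with the one the upstream project publishes before going on
# (use the matching tool if a project publishes a different algorithm).
sha512sum /opt/es/*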
- 在root用户下,将配置文件授予应用用户
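# Hand the parameter file to the application account, which sources it in the
# later steps. Run as root.
source /opt/.es.config
# user:group is the documented separator; the dotted form is deprecated and is
# ambiguous for account names that contain a dot. -R is dropped because the
# target is a single file. ${var:?} stops the command if the file did not
# define the variable.
chown -- "${user:?}:${group:?}" /opt/.es.config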
安装 elasticsearch 7.10.1
- 先执行
su - $user
切换到应用账号,再安装 es 7.10.1,注意 es 区分arm或x86架构、部分脚本需要逐行执行
#.1. System settings: max_map_count must be set above 65530, otherwise the
#    node fails to start.
# NOTE(review): 65530 appears to be the kernel default that has to be exceeded;
# the value actually written below is 655360 — confirm the required minimum
# against the Elasticsearch documentation.
# Raise the open-file limit inside a root shell, then replace that shell with a
# new one for the current login name ($LOGNAME is expanded by the calling
# shell). Everything typed afterwards runs in that nested shell.
sudo bash -c "ulimit -n 65536 && exec su $LOGNAME"
# Append the same limit to rc.local unless a matching line is already there.
sudo cat /etc/rc.d/rc.local | grep ulimit | grep 65536 || sudo bash -c "echo 'ulimit -n 65536' >> /etc/rc.d/rc.local"
# Append vm.max_map_count unless some max_map_count line already exists
# (NOTE(review): a commented-out line also counts as "exists" for this grep).
sudo cat /etc/sysctl.conf | grep max_map_count || sudo bash -c "echo 'vm.max_map_count=655360' >> /etc/sysctl.conf"
# Reload /etc/sysctl.conf and show the max_map_count value it applied.
sudo sysctl -p | grep max_map_count
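#.2. Load the installation parameters.
source /opt/.es.config
es_home="${workdir:?}/elasticsearch_9200"
es_yml="${es_home}/config/elasticsearch.yml"

#.3. Unpack the tarball that matches this CPU architecture (aarch64 or x86_64)
#    and install the configuration.
cd /opt/es/
# elasticsearch-standalone.yml is not among the files downloaded earlier; it
# has to be placed in /opt/es by hand. It is checked first because the previous
# sequence deleted the stock elasticsearch.yml and, with the template missing,
# left an empty configuration behind.
if [[ ! -s elasticsearch-standalone.yml ]]; then
  echo "missing /opt/es/elasticsearch-standalone.yml; nothing unpacked" >&2
else
  tar -xf "elasticsearch-7.10.1-linux-${arch:?}.tar.gz" -C "${workdir}" \
    && mv "${workdir}/elasticsearch-7.10.1" "${es_home}" \
    && mkdir -p "${es_home}"/{config/certs,data,snapshot} \
    && cp elasticsearch-standalone.yml "${es_yml}" \
    && sed -i \
      -e "s?path.data: mypathdata?path.data: ${es_home}/data?g" \
      -e "s?path.logs: mypathlogs?path.logs: ${es_home}/logs?g" \
      -e "s/192\.168\.100\.101/${es1:?}/g" \
      -e "s/mynodename/sam-node-1/g" \
      -e "s/127\.0\.0\.1/${es1}/g" \
      "${es_yml}"
  # Notes on the sed call above: "?" is the delimiter for the two path
  # substitutions because the replacement contains slashes, and the dots of the
  # placeholder addresses are escaped so they match literally instead of "any
  # character". The placeholders are those the template is expected to carry;
  # the template itself is not shown on this page.
  cat "${es_yml}"
fi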
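#.4. Generate the start and stop helpers.
es_home="${workdir:?}/elasticsearch_9200"
echo "./bin/elasticsearch -d" > "${es_home}/start.sh"
# stop.sh is written through a here-document with its runtime variables
# escaped. The previous echo used double quotes, so the shell expanded $2 to an
# empty string while writing the file; awk then printed whole ps lines and kill
# received every field of them instead of the PID column. The broad match on
# "elasticsearch" also hit unrelated processes, including the script itself
# when it was called by its full path.
# The match is narrowed to the JVM started from this directory.
# NOTE(review): assumes the launcher puts -Des.path.home=<install dir> on the
# JVM command line — confirm with `pgrep -af java` on a running node.
cat > "${es_home}/stop.sh" <<EOF
#!/bin/sh
# Stops the Elasticsearch JVM that was launched from ${es_home}.
pattern='Des.path.home=${es_home}'
if ! pkill -TERM -f "\$pattern"; then
  echo "elasticsearch is not running" >&2
  exit 0
fi
# Allow up to 30 s for a clean shutdown before forcing the process down.
n=0
while pgrep -f "\$pattern" > /dev/null && [ "\$n" -lt 30 ]; do
  sleep 1
  n=\$((n + 1))
done
if pgrep -f "\$pattern" > /dev/null; then
  pkill -KILL -f "\$pattern"
fi
exit 0
EOF
chmod +x "${es_home}/start.sh" "${es_home}/stop.sh"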
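#.5. Start Elasticsearch and confirm that ports 9200 and 9300 are listening.
es_home="${workdir:?}/elasticsearch_9200"
cd "${es_home}" && ./bin/elasticsearch -d
sleep 30
# pgrep never lists itself. "ps aux | grep elasticsearch_9200" always printed
# at least the grep process, so it looked fine even when the node had died.
pgrep -af elasticsearch_9200 || echo "elasticsearch is not running; see ${es_home}/logs" >&2
# The step asks for a port check, which the process listing did not provide.
ss -lnt | grep -E ':(9200|9300)[[:space:]]' || echo "9200/9300 not listening yet" >&2

#.6. Set the JVM heap (4g is enough for a test host; 16G is suggested for
#    production). The running node keeps its old heap until the next restart.
sed -i -e 's/^-Xms.*$/-Xms4g/g' -e 's/^-Xmx.*$/-Xmx4g/g' "${es_home}/config/jvm.options"
# Patterns are quoted: unquoted, ^[^#] was subject to filename expansion.
grep -n '^[^#]' "${es_home}/config/jvm.options" | grep -E -- '-Xms|-Xmx'

#.7. Start at boot through rc.local (line appended only once).
# NOTE(review): on systemd-based releases rc.local is only executed when the
# file is executable — confirm on the target host.
grep -q elasticsearch_9200 /etc/rc.d/rc.local \
  || sudo bash -c "echo 'su ${user} -c \"cd ${workdir}/elasticsearch_9200 && sh start.sh\"' >> /etc/rc.d/rc.local"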
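#.8. Generate a CA and a node certificate. Run these one line at a time.
cd "${workdir:?}/elasticsearch_9200"
./bin/elasticsearch-certutil ca -s                               # press Enter at every prompt; no password is set
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 -s   # press Enter at every prompt; no password is set
mv ./elastic*.p12 ./config/certs/
# Both bundles were created without a password, so file permissions are the
# only protection of the private keys inside them. 0600 keeps them readable by
# the owning account alone; the previous 0777 let every local user read and
# overwrite them.
# elastic-stack-ca.p12 holds the CA private key and is needed only to issue
# further certificates. Anyone who can read it can issue certificates the
# cluster will accept, so move it off the node once issuing is done.
chmod 600 ./config/certs/elastic*.p12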
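#.9. Turn on X-Pack security: password authentication plus TLS on the
#    transport layer. The HTTP layer stays plaintext as long as the three
#    http.ssl lines at the end remain commented out, so until then the
#    credentials sent by the curl calls on this page travel unencrypted.
#    (The earlier wording "password but no ssl" only described the HTTP layer.)
es_yml="${workdir:?}/elasticsearch_9200/config/elasticsearch.yml"
# Drop any existing xpack.* lines so repeated runs do not pile up duplicates.
sed -i '/^xpack/d' "${es_yml}"
# One quoted here-document instead of a series of echo appends: nothing in the
# settings is expanded by the shell and the block is written in one go.
# verification_mode "certificate" checks that the peer certificate is signed by
# the trusted CA but does not check the host name in it.
cat >> "${es_yml}" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
EOF
# echo 'xpack.security.http.ssl.enabled: true' >> $workdir/elasticsearch_9200/config/elasticsearch.yml
# echo 'xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12' >> $workdir/elasticsearch_9200/config/elasticsearch.yml
# echo 'xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12' >> $workdir/elasticsearch_9200/config/elasticsearch.yml
grep xpack "${es_yml}"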
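#.10. Restart Elasticsearch so the X-Pack settings take effect.
cd "${workdir:?}/elasticsearch_9200" && sh stop.sh && sh start.sh
sleep 30
# pgrep does not list itself, so an empty result really means the node is
# down; "ps aux | grep" always showed its own grep process.
pgrep -af elasticsearch_9200 \
  || echo "elasticsearch is not running; see ${workdir}/elasticsearch_9200/logs" >&2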
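#.11. Set the password of the built-in elastic superuser. Run this step one
#     line at a time.
cd "${workdir:?}/elasticsearch_9200"
# The password is prompted for instead of being written into the commands: a
# literal on this page would be a published credential for a superuser, and a
# literal in a URL also ends up in the shell history. It is embedded in a JSON
# body below, hence the restriction on " and \.
# Run the prompt on its own: text pasted after it is consumed as the password.
es_password=
until [[ -n "${es_password}" && "${es_password}" != *[\"\\]* ]]; do
  read -r -s -p 'New password for elastic (no " or \): ' es_password || break
  echo
done
# Answer "y" to the confirmation. This prints generated passwords for all
# built-in users; only elastic is reset below, the others keep what is printed.
echo "y" | ./bin/elasticsearch-setup-passwords auto
# A short-lived superuser with a random throwaway password, used only to call
# the password API, then deleted again.
temp_password=$(head -c 18 /dev/urandom | base64 | tr '+/' '-_')
./bin/elasticsearch-users useradd temp -p "${temp_password}" -r superuser
# The new password goes in through stdin, not through the argument list.
curl -H "Content-Type:application/json" -XPOST -u "temp:${temp_password}" \
  'http://127.0.0.1:9200/_xpack/security/user/elastic/_password' \
  --data-binary @- <<EOF
{ "password" : "${es_password}" }
EOF
./bin/elasticsearch-users userdel temp
unset temp_password

# In the calls below curl receives the password as an argument, which other
# local accounts can see in the process list while the command runs; on a
# shared host put the credentials in a curl config file (-K) readable only by
# this account. URLs are quoted so "?" is not treated as a glob character.
#.12. Show node status and cluster health.
curl -u "elastic:${es_password}" -X GET 'http://localhost:9200/_cat/nodes?pretty'
curl -u "elastic:${es_password}" -i -XGET 'http://localhost:9200/_cluster/health?pretty'
#.13. Create a test index and list all indices.
curl -u "elastic:${es_password}" -X PUT "http://localhost:9200/test_index_2024"
curl -u "elastic:${es_password}" 'http://localhost:9200/_cat/indices?v'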
- 修复log4j2漏洞
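# Replace the bundled log4j 2.11.1 jars with 2.18.0 and restart the node.
# The jars came from a plain-HTTP mirror and become part of the service's
# classpath: compare their digests with the upstream ones before this step.
# NOTE(review): swapping library jars by hand is a stopgap; the 7.17.22 upgrade
# later on this page replaces the whole installation tree.
es_home="${workdir:?}/elasticsearch_9200"
es_proc="Des.path.home=${es_home}"   # NOTE(review): assumes the launcher passes -Des.path.home — confirm with pgrep -af java
cd /opt/es/
# Nothing is touched unless both replacements are present and non-empty;
# otherwise the old jars would be deleted and the node left unable to start.
if [[ -s log4j-api-2.18.0.jar && -s log4j-core-2.18.0.jar ]]; then
  # Stop this instance only: TERM first, KILL after 30 s. The former
  # "ps | grep elasticsearch | kill -9" hit every process with that word in
  # its command line and gave the node no chance to shut down cleanly.
  pkill -TERM -f "${es_proc}"
  for _ in {1..30}; do
    pgrep -f "${es_proc}" > /dev/null || break
    sleep 1
  done
  pkill -KILL -f "${es_proc}"
  rm -f "${es_home}"/lib/{log4j-api-2.11.1.jar,log4j-core-2.11.1.jar}
  cp log4j-api-2.18.0.jar log4j-core-2.18.0.jar "${es_home}/lib/"
  "${es_home}/bin/elasticsearch" -d
  sleep 20
  pgrep -af elasticsearch_9200 || echo "elasticsearch did not start; see ${es_home}/logs" >&2
else
  echo "log4j 2.18.0 jars missing or empty in /opt/es; nothing changed" >&2
fi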
- 修复Sanitize输入验证错误漏洞
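# Replace the OWASP HTML sanitizer jar shipped with the Watcher module
# (20191001.1 -> 20211018.2) and restart the node.
# The jar came from a plain-HTTP mirror and is loaded by the service: compare
# its digest with the upstream one before this step.
es_home="${workdir:?}/elasticsearch_9200"
es_proc="Des.path.home=${es_home}"   # NOTE(review): assumes the launcher passes -Des.path.home — confirm with pgrep -af java
new_jar=owasp-java-html-sanitizer-20211018.2.jar
cd /opt/es/
# Nothing is touched unless the replacement is present and non-empty;
# otherwise the module would be left without its sanitizer library.
if [[ -s "${new_jar}" ]]; then
  # Stop this instance only: TERM first, KILL after 30 s, instead of kill -9 on
  # every process whose command line contains "elasticsearch".
  pkill -TERM -f "${es_proc}"
  for _ in {1..30}; do
    pgrep -f "${es_proc}" > /dev/null || break
    sleep 1
  done
  pkill -KILL -f "${es_proc}"
  rm -f "${es_home}/modules/x-pack-watcher/owasp-java-html-sanitizer-20191001.1.jar"
  cp "${new_jar}" "${es_home}/modules/x-pack-watcher/"
  "${es_home}/bin/elasticsearch" -d
  sleep 20
  pgrep -af elasticsearch_9200 || echo "elasticsearch did not start; see ${es_home}/logs" >&2
else
  echo "${new_jar} missing or empty in /opt/es; nothing changed" >&2
fi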
升级到 elasticsearch 7.17.22
- 在root用户下,下载文件到
/opt/es
目录下
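# Fetch the 7.17.22 tarball for this host's architecture into /opt/es.
# Run as root. `arch` prints x86_64 or aarch64, which are the two suffixes the
# mirror offers, so the aarch64 download no longer has to be uncommented by hand.
mkdir -p /opt/es
pkg="elasticsearch-7.17.22-linux-$(arch).tar.gz"
# -f makes an HTTP error fail the download instead of saving the server's
# error page under the tarball's name; a failed download is removed.
if ! curl -fsSL "http://iso.sqlfans.cn/linux/${pkg}" -o "/opt/es/${pkg}"; then
  echo "download failed: ${pkg}" >&2
  rm -f -- "/opt/es/${pkg}"
fi
# Plain HTTP gives no integrity guarantee: compare this digest with the one
# the upstream project publishes for the release before unpacking.
sha512sum "/opt/es/${pkg}"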
- 先执行
su - $user
切换到应用账号,再升级到 es 7.17.22,注意 es 区分arm或x86架构、部分脚本需要逐行执行
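#.1. Load the installation parameters.
source /opt/.es.config
#.2. Restrict shard allocation to primaries for the duration of the upgrade.
# The password is prompted for once and reused, instead of being written into
# the URL where it lands in the shell history. Run the prompt on its own: text
# pasted after it is consumed as the password.
[[ -n "${es_password:-}" ]] || { read -r -s -p 'Password for elastic: ' es_password && echo; }
# The body is passed inline. The former detour through /tmp/disable.json used a
# predictable name in a world-writable directory: if another local account
# owned that file first, its content was sent with superuser credentials.
curl -u "elastic:${es_password}" -XPUT "http://localhost:9200/_cluster/settings" \
  -H 'Content-Type: application/json' \
  -d '{"persistent":{"cluster.routing.allocation.enable":"primaries"}}'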
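#.3. Stop the node and keep the old installation as a backup.
es_home="${workdir:?}/elasticsearch_9200"
es_old="${workdir}/elasticsearch_old"
# stop.sh is called from inside its directory so that a stop script matching on
# the word "elasticsearch" does not find its own path in the process list.
( cd "${es_home}" && sh stop.sh )
sleep 2
# NOTE(review): the running-check assumes the launcher passes -Des.path.home on
# the JVM command line — confirm with pgrep -af java.
if pgrep -f "Des.path.home=${es_home}" > /dev/null; then
  # Moving the data directory from under a live node risks corrupting it.
  echo "elasticsearch is still running; upgrade not started" >&2
elif [[ -e "${es_old}" ]]; then
  # mv into an existing directory would nest the tree inside it, and the copy
  # steps below would then pick up the stale data of an earlier backup.
  echo "${es_old} already exists; move it away first" >&2
else
  mv "${es_home}" "${es_old}"
  #.4. Unpack the new version under the old directory name.
  cd /opt/es/
  tar -xf "elasticsearch-7.17.22-linux-${arch:?}.tar.gz" -C "${workdir}" \
    && mv "${workdir}/elasticsearch-7.17.22" "${es_home}"
  #.5. Carry over data, helper scripts and configuration. -a keeps ownership,
  #    modes and timestamps of the data files.
  # NOTE(review): config/elasticsearch.keystore is not carried over; copy it as
  # well if secure settings were added to it.
  cp -a "${es_old}/data" "${es_home}/"
  cp "${es_old}/start.sh" "${es_old}/stop.sh" "${es_home}/"
  cp "${es_old}/config/elasticsearch.yml" "${es_old}/config/jvm.options" "${es_home}/config/"
  #.6. Carry over the certificate bundles. They hold private keys and were
  #    created without a password, so they stay readable by the owner only
  #    (the previous 0777 let every local user read and overwrite them).
  mkdir -p "${es_home}/config/certs"
  cp "${es_old}"/config/certs/elastic*.p12 "${es_home}/config/certs/"
  chmod 600 "${es_home}"/config/certs/elastic*.p12
  #.7. On a master node of a cluster, initial_master_nodes has to be removed
  #    from the configuration.
  sed -i '/initial_master_nodes/d' "${es_home}/config/elasticsearch.yml"
fi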
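# The password is prompted for once and reused, instead of being written into
# every URL where it lands in the shell history. Run the prompt on its own:
# text pasted after it is consumed as the password.
# curl still receives it as an argument, visible to other local accounts in the
# process list while the command runs; on a shared host use a curl config file
# (-K) readable only by this account.
[[ -n "${es_password:-}" ]] || { read -r -s -p 'Password for elastic: ' es_password && echo; }
es_url=http://localhost:9200

#.8. Start the upgraded node and list the nodes.
cd "${workdir:?}/elasticsearch_9200" && sh start.sh
sleep 15 && curl -u "elastic:${es_password}" -X GET "${es_url}/_cat/nodes?pretty"

#.9. Re-enable shard allocation (null resets the setting to its default).
# The body is passed inline; the former /tmp/enable.json was a predictable
# file name in a world-writable directory whose content another local account
# could have supplied.
curl -u "elastic:${es_password}" -XPUT "${es_url}/_cluster/settings" \
  -H 'Content-Type: application/json' \
  -d '{"persistent":{"cluster.routing.allocation.enable":null}}'

#.10. Confirm that all indices are still there. The URL is quoted so "?" is
#     not treated as a glob character.
sleep 10
curl -u "elastic:${es_password}" "${es_url}/_cat/indices?v"

#.11. The upgrade is complete once status is green.
sleep 10
curl -u "elastic:${es_password}" -X GET "${es_url}/_cat/health?v=true&pretty"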
- 注:如果是es集群,可重复以上步骤来升级其他节点,注意需要在主节点的配置文件中添上
initial_master_nodes
(附:也有可能不需要,待测...),然后重启所有节点的es进程