
自動生成和配置ES的安全證書

系統工具安裝

1.下載離線的rpm包

yum -y install yum-utils
yumdownloader expect   # 把 rpm 包下載到本地
yumdownloader tcl

2.下載原始碼包需要先編譯安裝，如果沒有 gcc 就會編譯失敗；如果下載的是 rpm 包則不會出現這類依賴問題

3.rpm包自動包含了軟體包所有的依賴的其它包

啟動ES設定讀取證書檔案許可權

使用不同的jdk需要設定到對應的策略檔案

自動建立證書

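#######################################
# Generate the CA and instance certificate with elasticsearch-certutil
# (non-interactively, driven by expect), unpack the bundle into
# ES_INSTALL_DIR and hand the files to the service account.
# Globals:   ES_INSTALL_DIR, IP, ES_USER (read)
# Outputs:   progress messages on stdout
# Returns:   0 on success; 1 if expect/unzip are missing or certutil fails
#######################################
function create_certs()
{
  : "${ES_INSTALL_DIR:?ES_INSTALL_DIR must be set}"
  : "${IP:?IP must be set}"
  : "${ES_USER:?ES_USER must be set}"
  command -v expect >/dev/null || { echo "expect is not installed" >&2; return 1; }
  command -v unzip >/dev/null || { echo "unzip is not installed" >&2; return 1; }

  local bundle="${ES_INSTALL_DIR}/certificate-bundle.zip"
  # A bundle left behind by an earlier run must not be unpacked again if
  # certutil fails this time.
  rm -f -- "${bundle}"

  # Quoted heredoc delimiter: bash passes the Tcl source verbatim. Paths go
  # through the environment and are substituted by Tcl, not parsed, so a
  # directory with spaces or Tcl metacharacters cannot break the script.
  export ES_INSTALL_DIR IP
  expect <<'EOF'
  spawn $env(ES_INSTALL_DIR)/bin/elasticsearch-certutil cert --ip $env(IP) --pem
  # Full prompt: "Please enter the desired output file [certificate-bundle.zip]"
  expect {
    "Please enter the desired output file" { send -- "\n" }
    timeout { puts stderr "timed out waiting for the certutil prompt"; exit 1 }
  }
  expect eof
  # Propagate the exit status of the spawned certutil process.
  exit [lindex [wait] 3]
EOF
  local rc=$?
  if (( rc != 0 )); then
    echo "elasticsearch-certutil failed (exit ${rc})" >&2
    return 1
  fi
  echo "證書生成完畢${bundle}"

  # Replace, never merge with, certificates from an earlier run.
  rm -rf -- "${ES_INSTALL_DIR:?}/ca" "${ES_INSTALL_DIR:?}/instance"
  unzip -q "${bundle}" -d "${ES_INSTALL_DIR}" || return 1
  chown -R "${ES_USER}:${ES_USER}" "${ES_INSTALL_DIR}"
  # The instance key is a private key: owner-only access is enough for the
  # ES process, which runs as ES_USER.
  if [[ -f "${ES_INSTALL_DIR}/instance/instance.key" ]]; then
    chmod 600 "${ES_INSTALL_DIR}/instance/instance.key"
  fi
}

# Add a java.io.FilePermission grant for $2 to the java.policy file $1,
# inserted after the java.vm.name PropertyPermission line, once only
# (re-running the installer must not pile up duplicate grants).
_grant_file_permission() {
  local policy=$1 target=$2
  local anchor='/permission java.util.PropertyPermission "java.vm.name", "read";/'
  # NOTE(review): "read" alone is probably sufficient for the JVM to load
  # these files; kept as read,write to match the original — confirm before
  # tightening.
  local grant="permission java.io.FilePermission  \"${target}\", \"read,write\";"
  if ! grep -qF -- "${grant}" "${policy}"; then
    sed -i "${anchor}a ${grant}" "${policy}"
  fi
}

#######################################
# Render elasticsearch.yml from the template, grant the JVM access to the
# certificate files in both java.policy locations (bundled JDK layout under
# jdk/conf and the older jdk/jre/lib layout), and raise the open-file limit
# and vm.max_map_count.
# Globals:   ES_INSTALL_DIR, INSTALL_DIR, IP (read)
# Returns:   0 on success, 1 if the yml template cannot be copied
#######################################
function modify_elastichyml()
{
  : "${ES_INSTALL_DIR:?ES_INSTALL_DIR must be set}"
  : "${INSTALL_DIR:?INSTALL_DIR must be set}"
  : "${IP:?IP must be set}"

  local ymlpath="${ES_INSTALL_DIR}/config"
  cp -- ../../etc/elasticsearch/elasticsearch.yml "${ymlpath}/" || return 1
  sed -i "s#__ip__#${IP}#g" "${ymlpath}/elasticsearch.yml"
  sed -i "s#__es_install_dir__#${ES_INSTALL_DIR}#g" "${ymlpath}/elasticsearch.yml"

  local javafile="${ES_INSTALL_DIR}/jdk/conf/security/java.policy"
  local javafile2="${INSTALL_DIR}/jdk/jre/lib/security/java.policy"
  local policy path
  for policy in "${javafile}" "${javafile2}"; do
    if [[ ! -f "${policy}" ]]; then
      echo "policy file not found, skipped: ${policy}" >&2
      continue
    fi
    for path in ca/ca.crt ca instance/instance.key instance/instance.crt instance; do
      _grant_file_permission "${policy}" "${ES_INSTALL_DIR}/${path}"
    done
  done

  # Insert each limit once; repeated runs must not duplicate the entries.
  local limit
  for limit in "* soft nofile 65536" "* hard nofile 65536"; do
    grep -qF -- "${limit}" /etc/security/limits.conf \
      || sed -i "/# End of file/i ${limit}" /etc/security/limits.conf
  done
  # Takes effect immediately but does not survive a reboot; persist it in
  # sysctl.conf / sysctl.d separately.
  sysctl -w vm.max_map_count=262144
}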
建立證書

自動建立密碼

建立密碼時必須等待 ES 服務正常啟動後才能執行，不能在安裝後立即執行。

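# Set the built-in user passwords non-interactively. The password is taken
# from ES_PASSWD instead of being written into the script: a literal ends up
# in every copy of the file and in shell history.
: "${ES_PASSWD:?ES_PASSWD must be set (password for the built-in ES users)}"
export ES_PASSWD
# Quoted heredoc delimiter: bash passes the Tcl source verbatim. The password
# reaches Tcl through $env and is substituted, not parsed, so characters such
# as '$', '[' or '\' in it are sent literally.
expect <<'EOF'
  set passwd $env(ES_PASSWD)
  spawn /app/chuangfa/taishi/elasticsearch/bin/elasticsearch-setup-passwords interactive --batch --url https://192.168.19.135:9200
  # setup-passwords asks for each password twice; the patterns are plain
  # substrings, so one entry per user with exp_continue answers both prompts.
  expect {
    "elastic" { send -- "$passwd\n"; exp_continue }
    "apm_system" { send -- "$passwd\n"; exp_continue }
    "kibana_system" { send -- "$passwd\n"; exp_continue }
    "logstash_system" { send -- "$passwd\n"; exp_continue }
    "beats_system" { send -- "$passwd\n"; exp_continue }
    "remote_monitoring_user" { send -- "$passwd\n"; exp_continue }
    timeout { puts stderr "timed out waiting for a password prompt"; exit 1 }
    eof {}
  }
  # Propagate the exit status of the spawned setup-passwords process.
  exit [lindex [wait] 3]
EOF
echo "密碼生成完畢"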
建立密碼
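#######################################
# Install the supervisord program definition for ES and fix ownership of
# the ES tree. Template placeholders (__es_install_dir__, __install_dir__,
# __program__, __user__) are substituted with sed.
# Globals:   INSTALL_DIR, ES_INSTALL_DIR, ES_USER, MODE_DIR, USER (read)
# Returns:   0 on success, 1 if the template cannot be copied
#######################################
function modify_conf()
{
    : "${INSTALL_DIR:?INSTALL_DIR must be set}"
    : "${ES_INSTALL_DIR:?ES_INSTALL_DIR must be set}"

    # USER may be unset (e.g. under `su -`); fall back to the effective user
    # so the root / non-root branches below keep working.
    local run_user=${USER:-$(id -un)}
    local owner="${run_user}"
    if [[ "${run_user}" == "root" ]]; then
        owner="${ES_USER:?ES_USER must be set when running as root}"
    fi

    # ES supervisord program definition
    mkdir -p "${INSTALL_DIR}/etc/supervisord"
    local elasticsearch_ini="${INSTALL_DIR}/etc/supervisord/elasticsearch.ini"
    local elasticsearch_program="elasticsearch"

    cp -- ../../etc/supervisord/elasticsearch.ini "${elasticsearch_ini}" || return 1
    sed -i "s#__es_install_dir__#${ES_INSTALL_DIR}#g" "${elasticsearch_ini}"
    sed -i "s#__install_dir__#${INSTALL_DIR}#g" "${elasticsearch_ini}"
    sed -i "s#__program__#${elasticsearch_program}#g" "${elasticsearch_ini}"
    sed -i "s#__user__#${owner}#g" "${elasticsearch_ini}"
    chown "${owner}:${owner}" "${elasticsearch_ini}"

    # ES configuration: the yml is rendered from the template by
    # modify_elastichyml; only make sure the copy shipped in the tarball does
    # not linger.
    mkdir -p "${INSTALL_DIR}/etc"
    rm -f -- "${ES_INSTALL_DIR}/config/elasticsearch.yml"

    # Only root hands the tree to the service account; as a non-root user
    # there is nothing to do (the original spelled this out with `:`).
    if [[ "${run_user}" == "root" ]]; then
        # MODE_DIR is not set by every caller; an empty value would make
        # chown fail noisily, so guard it.
        if [[ -n "${MODE_DIR:-}" && -d "${MODE_DIR}" ]]; then
            chown -R "${ES_USER}:${ES_USER}" "${MODE_DIR}"
        fi
        # Changing the owner of the directory tree covers every file below
        # it (config/elasticsearch.yml, jvm.options, log4j2.properties ...).
        chown -R "${ES_USER}:${ES_USER}" "${ES_INSTALL_DIR}"
    fi
}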

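#######################################
# Locate the elasticsearch-<version> tarball under ../../src, extract it
# into ../../tmp and move the extracted tree to ES_INSTALL_DIR.
# Globals:   ES_INSTALL_DIR (read)
# Outputs:   progress messages on stdout
# Returns:   0 on success; 1 if no unique package or extracted directory is
#            found, or tar fails
#######################################
function Install()
{
    : "${ES_INSTALL_DIR:?ES_INSTALL_DIR must be set}"
    local pkg_path="" candidate

    # Glob instead of parsing `ls -l`: a filename with spaces or an unusual
    # column layout would otherwise produce a garbled package name.
    for candidate in ../../src/elasticsearch-[0-9]*; do
        [[ -e "${candidate}" ]] || continue   # unmatched glob stays literal
        if [[ -n "${pkg_path}" ]]; then
            echo "More than one elasticsearch package in ../../src; keep only one" >&2
            return 1
        fi
        pkg_path=${candidate}
    done
    if [[ -z "${pkg_path}" ]]; then
        echo "No elasticsearch package found in ../../src" >&2
        return 1
    fi
    local getPackage=${pkg_path##*/}
    echo "Obtain elasticsearch installation package ${getPackage}"

    # Extract into the staging directory without the -v listing; stderr
    # stays visible so a corrupt archive is reported.
    mkdir -p ../../tmp
    if ! tar -xzf "${pkg_path}" -C ../../tmp/; then
        echo "Failed to extract ${getPackage}" >&2
        return 1
    fi

    local dir_path=""
    for candidate in ../../tmp/elasticsearch*/; do
        [[ -d "${candidate}" ]] || continue
        if [[ -n "${dir_path}" ]]; then
            echo "More than one elasticsearch directory in ../../tmp; clean it first" >&2
            return 1
        fi
        dir_path=${candidate%/}
    done
    if [[ -z "${dir_path}" ]]; then
        echo "No elasticsearch directory found in ../../tmp" >&2
        return 1
    fi
    local getName=${dir_path##*/}
    echo "Get directory ${getName}"
    echo "${ES_INSTALL_DIR}"
    mv -- "${dir_path}" "${ES_INSTALL_DIR}"
}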


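#######################################
# Entry point: derive the ES version from the package name in ../../src,
# then run the installation steps in order.
# Globals:   es_version (written); ES_INSTALL_DIR, INSTALL_DIR, IP,
#            ES_USER, ES_PASSWD (read by the steps)
#######################################
function main()
{
    local pkg
    # Default ES version: the x.y.z right after "elasticsearch-" in the
    # package name. A regex capture replaces the old `%?` trick, which only
    # gave the right answer when the name continued with a dot.
    es_version=""
    for pkg in ../../src/elasticsearch-[0-9]*; do
        [[ -e "${pkg}" ]] || continue   # unmatched glob stays literal
        if [[ "${pkg##*/}" =~ ^elasticsearch-([0-9]+(\.[0-9]+)*) ]]; then
            es_version=${BASH_REMATCH[1]}
            break
        fi
    done
    echo "es version ${es_version}"

    Install
    modify_conf
    create_certs
    modify_elastichyml
    create_passwd
}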

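#######################################
# Generate the CA and instance certificate with elasticsearch-certutil
# (non-interactively, driven by expect), unpack the bundle into
# ES_INSTALL_DIR and hand the files to the service account.
# Globals:   ES_INSTALL_DIR, IP, ES_USER (read)
# Outputs:   progress messages on stdout
# Returns:   0 on success; 1 if expect/unzip are missing or certutil fails
#######################################
function create_certs()
{
  : "${ES_INSTALL_DIR:?ES_INSTALL_DIR must be set}"
  : "${IP:?IP must be set}"
  : "${ES_USER:?ES_USER must be set}"
  command -v expect >/dev/null || { echo "expect is not installed" >&2; return 1; }
  command -v unzip >/dev/null || { echo "unzip is not installed" >&2; return 1; }

  local bundle="${ES_INSTALL_DIR}/certificate-bundle.zip"
  # A bundle left behind by an earlier run must not be unpacked again if
  # certutil fails this time.
  rm -f -- "${bundle}"

  # Quoted heredoc delimiter: bash passes the Tcl source verbatim. Paths go
  # through the environment and are substituted by Tcl, not parsed, so a
  # directory with spaces or Tcl metacharacters cannot break the script.
  export ES_INSTALL_DIR IP
  expect <<'EOF'
  spawn $env(ES_INSTALL_DIR)/bin/elasticsearch-certutil cert --ip $env(IP) --pem
  # Full prompt: "Please enter the desired output file [certificate-bundle.zip]"
  expect {
    "Please enter the desired output file" { send -- "\n" }
    timeout { puts stderr "timed out waiting for the certutil prompt"; exit 1 }
  }
  expect eof
  # Propagate the exit status of the spawned certutil process.
  exit [lindex [wait] 3]
EOF
  local rc=$?
  if (( rc != 0 )); then
    echo "elasticsearch-certutil failed (exit ${rc})" >&2
    return 1
  fi
  echo "證書生成完畢${bundle}"

  # Replace, never merge with, certificates from an earlier run.
  rm -rf -- "${ES_INSTALL_DIR:?}/ca" "${ES_INSTALL_DIR:?}/instance"
  unzip -q "${bundle}" -d "${ES_INSTALL_DIR}" || return 1
  chown -R "${ES_USER}:${ES_USER}" "${ES_INSTALL_DIR}"
  # The instance key is a private key: owner-only access is enough for the
  # ES process, which runs as ES_USER.
  if [[ -f "${ES_INSTALL_DIR}/instance/instance.key" ]]; then
    chmod 600 "${ES_INSTALL_DIR}/instance/instance.key"
  fi
}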


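# Add a java.io.FilePermission grant for $2 to the java.policy file $1,
# inserted after the java.vm.name PropertyPermission line, once only
# (re-running the installer must not pile up duplicate grants).
_grant_file_permission() {
  local policy=$1 target=$2
  local anchor='/permission java.util.PropertyPermission "java.vm.name", "read";/'
  # NOTE(review): "read" alone is probably sufficient for the JVM to load
  # these files; kept as read,write to match the original — confirm before
  # tightening.
  local grant="permission java.io.FilePermission  \"${target}\", \"read,write\";"
  if ! grep -qF -- "${grant}" "${policy}"; then
    sed -i "${anchor}a ${grant}" "${policy}"
  fi
}

#######################################
# Render elasticsearch.yml from the template, grant the JVM access to the
# certificate files in both java.policy locations (bundled JDK layout under
# jdk/conf and the older jdk/jre/lib layout), and raise the open-file limit
# and vm.max_map_count.
# Globals:   ES_INSTALL_DIR, INSTALL_DIR, IP (read)
# Returns:   0 on success, 1 if the yml template cannot be copied
#######################################
function modify_elastichyml()
{
  : "${ES_INSTALL_DIR:?ES_INSTALL_DIR must be set}"
  : "${INSTALL_DIR:?INSTALL_DIR must be set}"
  : "${IP:?IP must be set}"

  local ymlpath="${ES_INSTALL_DIR}/config"
  cp -- ../../etc/elasticsearch/elasticsearch.yml "${ymlpath}/" || return 1
  sed -i "s#__ip__#${IP}#g" "${ymlpath}/elasticsearch.yml"
  sed -i "s#__es_install_dir__#${ES_INSTALL_DIR}#g" "${ymlpath}/elasticsearch.yml"

  local javafile="${ES_INSTALL_DIR}/jdk/conf/security/java.policy"
  local javafile2="${INSTALL_DIR}/jdk/jre/lib/security/java.policy"
  local policy path
  for policy in "${javafile}" "${javafile2}"; do
    if [[ ! -f "${policy}" ]]; then
      echo "policy file not found, skipped: ${policy}" >&2
      continue
    fi
    for path in ca/ca.crt ca instance/instance.key instance/instance.crt instance; do
      _grant_file_permission "${policy}" "${ES_INSTALL_DIR}/${path}"
    done
  done

  # Insert each limit once; repeated runs must not duplicate the entries.
  local limit
  for limit in "* soft nofile 65536" "* hard nofile 65536"; do
    grep -qF -- "${limit}" /etc/security/limits.conf \
      || sed -i "/# End of file/i ${limit}" /etc/security/limits.conf
  done
  # Takes effect immediately but does not survive a reboot; persist it in
  # sysctl.conf / sysctl.d separately.
  sysctl -w vm.max_map_count=262144
}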

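#######################################
# Drive elasticsearch-setup-passwords through expect, giving every built-in
# user the password from ES_PASSWD.
# Globals:   ES_INSTALL_DIR, IP, ES_PASSWD (read)
# Returns:   the exit status of elasticsearch-setup-passwords; 1 on a
#            prompt timeout or if expect is not installed
#######################################
function setpasswd()
{
  : "${ES_INSTALL_DIR:?ES_INSTALL_DIR must be set}"
  : "${IP:?IP must be set}"
  : "${ES_PASSWD:?ES_PASSWD must be set}"
  command -v expect >/dev/null || { echo "expect is not installed" >&2; return 1; }

  # Quoted heredoc delimiter: bash passes the Tcl source verbatim. Paths and
  # the password travel through the environment (never argv) and are
  # substituted by Tcl, not parsed, so a password containing '$', '[' or
  # '\' is sent literally.
  export ES_INSTALL_DIR IP ES_PASSWD
  expect <<'EOF'
  set passwd $env(ES_PASSWD)
  spawn $env(ES_INSTALL_DIR)/bin/elasticsearch-setup-passwords interactive --batch --url https://$env(IP):9200
  # setup-passwords asks for each password twice; the patterns are plain
  # substrings, so one entry per user with exp_continue answers both prompts.
  expect {
    "elastic" { send -- "$passwd\n"; exp_continue }
    "apm_system" { send -- "$passwd\n"; exp_continue }
    "kibana_system" { send -- "$passwd\n"; exp_continue }
    "logstash_system" { send -- "$passwd\n"; exp_continue }
    "beats_system" { send -- "$passwd\n"; exp_continue }
    "remote_monitoring_user" { send -- "$passwd\n"; exp_continue }
    timeout { puts stderr "timed out waiting for a password prompt"; exit 1 }
    eof {}
  }
  # Propagate the exit status of the spawned setup-passwords process.
  exit [lindex [wait] 3]
EOF
}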

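# True when something is listening on the ES HTTP port (9200); prefers ss,
# falls back to netstat on hosts that lack it.
_es_port_open() {
    if command -v ss >/dev/null; then
        ss -ltn 2>/dev/null | grep -qE '[:.]9200[[:space:]]'
    else
        netstat -ltn 2>/dev/null | grep -qE '[:.]9200[[:space:]]'
    fi
}

#######################################
# Start ES as the service account in the background, wait for port 9200 to
# be listening (ES_START_TRIES polls of 5 s; default 60 = 5 minutes, which
# is what the failure message has always claimed), then set the built-in
# passwords via setpasswd.
# Globals:   ES_USER, ES_INSTALL_DIR (read); ES_START_TRIES (optional)
# Returns:   0 if the passwords were set, 1 if ES did not come up in time
#######################################
function create_passwd()
{
    : "${ES_USER:?ES_USER must be set}"
    : "${ES_INSTALL_DIR:?ES_INSTALL_DIR must be set}"
    # `&` must come last: in `... & > /dev/null 2>&1` the redirection applied
    # to an empty command, not to su. ES_INSTALL_DIR must not contain
    # whitespace, as it is re-parsed by the login shell.
    su - "${ES_USER}" -c "${ES_INSTALL_DIR}/bin/elasticsearch" >/dev/null 2>&1 &

    local max_tries=${ES_START_TRIES:-60}
    local tries=0 started=0
    while (( tries < max_tries )); do
        sleep 5
        tries=$(( tries + 1 ))
        if _es_port_open; then
            started=1
            break
        fi
    done

    if (( started )); then
        echo "ES success to start. set user passwd"
        setpasswd
    else
        echo "ES failed to start in $(( max_tries * 5 / 60 )) minutes." >&2
        return 1
    fi
    sleep 3
}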




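# Two modes: with no argument, read the deployment settings from the INI
# file and run directly; with an argument, hand it to the plugin hooks and
# tee the run into the enterprise log.
if (( $# == 0 )); then
    __ReadINI ../../conf/.config.ini
    main
else
    __Plugin_Deployment_Before "$1"
    main 2>&1 | tee -a ../../log/enterprise.log
    __Plugin_Deployment_After
fi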
完整流程

登入ES

shell執行幾點區別

su - user -c program
其中user為使用者名稱 program為要執行的程式, 如su - isoa -c /usr/isoa/bin/gtimer.sh

如果第一行指定了解譯器，啟動時需要使用 ./start-cluster.sh 的方式執行；使用 sh start-cluster.sh 的方式可能會執行失敗。

linux ./a.sh 命令與sh a.sh的區別為:可執行屬性不同、執行方式不同、相容性不同。
一、可執行屬性不同
1、 ./a.sh 命令: ./a.sh 命令的檔案必須具有可執行屬性
2、 sh a.sh命令:sh a.sh命令的檔案不必具有可執行屬性
二、執行方式不同
1、 ./a.sh 命令:./a.sh 命令使用指令碼中第一行所指定的命令來解釋和執行檔案
2、 sh a.sh命令:sh a.sh命令使用shell工具的SH指令碼直接解釋和執行檔案