Centos安装OpenSearch

下载并安装OpenSearch

下载OpenSearch RPM包

X64系统

wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-x64.rpm

ARM64系统

wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-arm64.rpm

导入公共GNU Privacy Guard（GPG）密钥。此密钥验证您的OpenSearch实例是否已签名

sudo rpm --import https://artifacts.opensearch.org/publickeys/opensearch.pgp

安装RPM包

## Install the x64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-2.16.0-linux-x64.rpm
## Install the arm64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-2.16.0-linux-arm64.rpm

安装完设置开机自启动OpenSearch

sudo systemctl enable opensearch

启动OpenSearch

sudo systemctl start opensearch

验证OpenSearch是否正确启动

sudo systemctl status opensearch

测试OpenSearch

向服务器发送请求以验证OpenSearch是否正在运行

向端口9200发送请求

curl -X GET https://localhost:9200 -u 'admin:<custom-admin-password>' --insecure

响应：

{"name":"hostname","cluster_name":"opensearch","cluster_uuid":"QqgpHCbnSRKcPAizqjvoOw","version":{"distribution":"opensearch","number":<version>,"build_type":<build-type>,"build_hash":<build-hash>,"build_date":<build-date>,"build_snapshot":false,"lucene_version":<lucene-version>,"minimum_wire_compatibility_version":"7.10.0","minimum_index_compatibility_version":"7.0.0"},"tagline":"The OpenSearch Project: https://opensearch.org/"}

查询插件端点

curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:<custom-admin-password>' --insecure

响应：

name          component                            versionhostname      opensearch-alerting                  2.15.0hostname      opensearch-anomaly-detection         2.15.0hostname      opensearch-asynchronous-search       2.15.0hostname      opensearch-cross-cluster-replication 2.15.0hostname      opensearch-geospatial                2.15.0hostname      opensearch-index-management          2.15.0hostname      opensearch-job-scheduler             2.15.0hostname      opensearch-knn                       2.15.0hostname      opensearch-ml                        2.15.0hostname      opensearch-neural-search             2.15.0hostname      opensearch-notifications             2.15.0hostname      opensearch-notifications-core        2.15.0hostname      opensearch-observability             2.15.0hostname      opensearch-performance-analyzer      2.15.0hostname      opensearch-reports-scheduler         2.15.0hostname      opensearch-security                  2.15.0hostname      opensearch-security-analytics        2.15.0hostname      opensearch-sql                       2.15.0

设置OpenSearch可远程连接

默认情况下，OpenSearch不绑定到网络接口，外部主机无法访问。此外，安全设置由默认用户名和密码填充。以下建议将使用户能够将OpenSearch绑定到网络接口，创建和签署TLS证书，以及配置基本身份验证

将OpenSearch绑定到主机上的IP或网络接口

打开opensearch.yml

sudo vi /etc/opensearch/opensearch.yml

添加以下行

# Bind OpenSearch to the correct network interface. Use 0.0.0.0
# to include all available interfaces or specify an IP address
# assigned to a specific interface.
network.host: 0.0.0.0# Unless you have already configured a cluster, you should set
# discovery.type to single-node, or the bootstrap checks will
# fail when you try to start the service.
discovery.type: single-node# If you previously disabled the Security plugin in opensearch.yml,
# be sure to re-enable it. Otherwise you can skip this setting.
plugins.security.disabled: false

保存更改并关闭文件

:wq

设置初始和最大JVM堆大小

vi /etc/opensearch/jvm.options

修改初始堆大小和最大堆大小的值。作为起点，您应该将这些值设置为可用系统内存的一半。对于专用主机，可以根据您的工作流程要求增加此值。
例如，如果主机有8GB的内存，那么您可能希望将初始堆大小和最大堆大小设置为4GB：

-Xms4g
-Xmx4g

配置TLS

导航到将存储证书的目录

cd /etc/opensearch

删除演示证书

sudo rm -f *pem

生成根证书，这将用于签署其他证书

# Create a private key for the root certificate
sudo openssl genrsa -out root-ca-key.pem 2048# Use the private key to create a self-signed root certificate. Be sure to
# replace the arguments passed to -subj so they reflect your specific host.
sudo openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730

创建管理员证书，此证书用于获得执行与安全插件相关的管理任务的提升权限

# Create a private key for the admin certificate.
sudo openssl genrsa -out admin-key-temp.pem 2048# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem# Create the certficiate signing request (CSR). A common name (CN) of "A" is acceptable because this certificate is
# used for authenticating elevated access and is not tied to a host.
sudo openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr# Sign the admin certificate with the root certificate and private key you created earlier.
sudo openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730

为正在配置的节点创建证书

# Create a private key for the node certificate.
sudo openssl genrsa -out node1-key-temp.pem 2048# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem# Create the CSR and replace the arguments passed to -subj so they reflect your specific host.
# The CN should match a DNS A record for the host-do not use the hostname.
sudo openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record" -out node1.csr# Create an extension file that defines a SAN DNS name for the host. This
# should match the DNS A record of the host.
sudo sh -c 'echo subjectAltName=DNS:node1.dns.a-record > node1.ext'# Sign the node certificate with the root certificate and private key that you created earlier.
sudo openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext

删除不再需要的临时文件

sudo rm -f *temp.pem *csr *ext

确保其余证书归opensearch用户所有

sudo chown opensearch:opensearch admin-key.pem admin.pem node1-key.pem node1.pem root-ca-key.pem root-ca.pem root-ca.srl

按照生成证书中的说明将这些证书添加到opensearch.yml，推荐选择使用脚本进行设置

新建shell脚本文件 append-setting.sh

vi aplpend-seeting.sh#! /bin/bash# Before running this script, make sure to replace the CN in the 
# node's distinguished name with a real DNS A record.echo "plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node1.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node1-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.enabled: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node1.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node1-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.allow_default_init_securityindex: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.authcz.admin_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo "  - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.nodes_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo "  - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.audit.type: internal_opensearch" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.enable_snapshot_restore_privilege: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.check_snapshot_restore_write_privileges: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.restapi.roles_enabled: [\"all_access\", \"security_rest_api_access\"]" | sudo tee -a /etc/opensearch/opensearch.yml

执行append-setting.sh

sh append-setting.sh

为自签名根证书添加信任(可选)

# Copy the root certificate to the correct directory
sudo cp /etc/opensearch/root-ca.pem /etc/pki/ca-trust/source/anchors/# Add trust
sudo update-ca-trust