当前位置：首页 > news >正文

Centos安装OpenSearch

news 2026/2/9 13:28:42

Centos安装OpenSearch

下载并安装OpenSearch
- 下载OpenSearch RPM包
- 导入公共GNU Privacy Guard（GPG）密钥。此密钥验证您的OpenSearch实例是否已签名
- 安装RPM包
- 安装完设置开机自启动OpenSearch
- 启动OpenSearch
- 验证OpenSearch是否正确启动
测试OpenSearch
- 向服务器发送请求以验证OpenSearch是否正在运行
- - 向端口9200发送请求
  - 查询插件端点
设置OpenSearch可远程连接
- 将OpenSearch绑定到主机上的IP或网络接口
- - 打开opensearch.yml
  - 添加以下行
  - 保存更改并关闭文件
- 设置初始和最大JVM堆大小
- 配置TLS
- - 导航到将存储证书的目录
  - 删除演示证书
  - 生成根证书，这将用于签署其他证书
  - 创建管理员证书，此证书用于获得执行与安全插件相关的管理任务的提升权限
  - 为正在配置的节点创建证书
  - 删除不再需要的临时文件
  - 确保其余证书归opensearch用户所有
  - 按照生成证书中的说明将这些证书添加到opensearch.yml，推荐选择使用脚本进行设置
  - - 新建shell脚本文件 append-setting.sh
    - 执行append-setting.sh
  - 为自签名根证书添加信任(可选)

下载并安装OpenSearch

下载OpenSearch RPM包

X64系统

wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-x64.rpm

ARM64系统

wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.16.0/opensearch-2.16.0-linux-arm64.rpm

导入公共GNU Privacy Guard（GPG）密钥。此密钥验证您的OpenSearch实例是否已签名

sudo rpm --import https://artifacts.opensearch.org/publickeys/opensearch.pgp

安装RPM包

## Install the x64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-2.16.0-linux-x64.rpm
## Install the arm64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-2.16.0-linux-arm64.rpm

安装完设置开机自启动OpenSearch

sudo systemctl enable opensearch

启动OpenSearch

sudo systemctl start opensearch

验证OpenSearch是否正确启动

sudo systemctl status opensearch

测试OpenSearch

向服务器发送请求以验证OpenSearch是否正在运行

向端口9200发送请求

curl -X GET https://localhost:9200 -u 'admin:<custom-admin-password>' --insecure

响应：

{"name":"hostname","cluster_name":"opensearch","cluster_uuid":"QqgpHCbnSRKcPAizqjvoOw","version":{"distribution":"opensearch","number":<version>,"build_type":<build-type>,"build_hash":<build-hash>,"build_date":<build-date>,"build_snapshot":false,"lucene_version":<lucene-version>,"minimum_wire_compatibility_version":"7.10.0","minimum_index_compatibility_version":"7.0.0"},"tagline":"The OpenSearch Project: https://opensearch.org/"}

查询插件端点

curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:<custom-admin-password>' --insecure

响应：

name          component                            versionhostname      opensearch-alerting                  2.15.0hostname      opensearch-anomaly-detection         2.15.0hostname      opensearch-asynchronous-search       2.15.0hostname      opensearch-cross-cluster-replication 2.15.0hostname      opensearch-geospatial                2.15.0hostname      opensearch-index-management          2.15.0hostname      opensearch-job-scheduler             2.15.0hostname      opensearch-knn                       2.15.0hostname      opensearch-ml                        2.15.0hostname      opensearch-neural-search             2.15.0hostname      opensearch-notifications             2.15.0hostname      opensearch-notifications-core        2.15.0hostname      opensearch-observability             2.15.0hostname      opensearch-performance-analyzer      2.15.0hostname      opensearch-reports-scheduler         2.15.0hostname      opensearch-security                  2.15.0hostname      opensearch-security-analytics        2.15.0hostname      opensearch-sql                       2.15.0

设置OpenSearch可远程连接

默认情况下，OpenSearch不绑定到网络接口，外部主机无法访问。此外，安全设置由默认用户名和密码填充。以下建议将使用户能够将OpenSearch绑定到网络接口，创建和签署TLS证书，以及配置基本身份验证

将OpenSearch绑定到主机上的IP或网络接口

打开opensearch.yml

sudo vi /etc/opensearch/opensearch.yml

添加以下行

# Bind OpenSearch to the correct network interface. Use 0.0.0.0
# to include all available interfaces or specify an IP address
# assigned to a specific interface.
network.host: 0.0.0.0# Unless you have already configured a cluster, you should set
# discovery.type to single-node, or the bootstrap checks will
# fail when you try to start the service.
discovery.type: single-node# If you previously disabled the Security plugin in opensearch.yml,
# be sure to re-enable it. Otherwise you can skip this setting.
plugins.security.disabled: false

保存更改并关闭文件

:wq

设置初始和最大JVM堆大小

vi /etc/opensearch/jvm.options

修改初始堆大小和最大堆大小的值。作为起点，您应该将这些值设置为可用系统内存的一半。对于专用主机，可以根据您的工作流程要求增加此值。
例如，如果主机有8GB的内存，那么您可能希望将初始堆大小和最大堆大小设置为4GB：

-Xms4g
-Xmx4g

配置TLS

导航到将存储证书的目录

cd /etc/opensearch

删除演示证书

sudo rm -f *pem

生成根证书，这将用于签署其他证书

# Create a private key for the root certificate
sudo openssl genrsa -out root-ca-key.pem 2048# Use the private key to create a self-signed root certificate. Be sure to
# replace the arguments passed to -subj so they reflect your specific host.
sudo openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730

创建管理员证书，此证书用于获得执行与安全插件相关的管理任务的提升权限

# Create a private key for the admin certificate.
sudo openssl genrsa -out admin-key-temp.pem 2048# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem# Create the certficiate signing request (CSR). A common name (CN) of "A" is acceptable because this certificate is
# used for authenticating elevated access and is not tied to a host.
sudo openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr# Sign the admin certificate with the root certificate and private key you created earlier.
sudo openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730

为正在配置的节点创建证书

# Create a private key for the node certificate.
sudo openssl genrsa -out node1-key-temp.pem 2048# Convert the private key to PKCS#8.
sudo openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem# Create the CSR and replace the arguments passed to -subj so they reflect your specific host.
# The CN should match a DNS A record for the host-do not use the hostname.
sudo openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record" -out node1.csr# Create an extension file that defines a SAN DNS name for the host. This
# should match the DNS A record of the host.
sudo sh -c 'echo subjectAltName=DNS:node1.dns.a-record > node1.ext'# Sign the node certificate with the root certificate and private key that you created earlier.
sudo openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext

删除不再需要的临时文件

sudo rm -f *temp.pem *csr *ext

确保其余证书归opensearch用户所有

sudo chown opensearch:opensearch admin-key.pem admin.pem node1-key.pem node1.pem root-ca-key.pem root-ca.pem root-ca.srl

按照生成证书中的说明将这些证书添加到opensearch.yml，推荐选择使用脚本进行设置

新建shell脚本文件 append-setting.sh

vi aplpend-seeting.sh#! /bin/bash# Before running this script, make sure to replace the CN in the 
# node's distinguished name with a real DNS A record.echo "plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node1.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node1-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.enabled: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node1.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node1-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.allow_default_init_securityindex: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.authcz.admin_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo "  - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.nodes_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo "  - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.audit.type: internal_opensearch" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.enable_snapshot_restore_privilege: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.check_snapshot_restore_write_privileges: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.restapi.roles_enabled: [\"all_access\", \"security_rest_api_access\"]" | sudo tee -a /etc/opensearch/opensearch.yml

执行append-setting.sh

sh append-setting.sh

为自签名根证书添加信任(可选)

# Copy the root certificate to the correct directory
sudo cp /etc/opensearch/root-ca.pem /etc/pki/ca-trust/source/anchors/# Add trust
sudo update-ca-trust

Centos安装OpenSearch

下载并安装OpenSearch

下载OpenSearch RPM包

导入公共GNU Privacy Guard（GPG）密钥。此密钥验证您的OpenSearch实例是否已签名

安装RPM包

安装完设置开机自启动OpenSearch

启动OpenSearch

验证OpenSearch是否正确启动

测试OpenSearch

向服务器发送请求以验证OpenSearch是否正在运行

向端口9200发送请求

查询插件端点

设置OpenSearch可远程连接

将OpenSearch绑定到主机上的IP或网络接口

打开opensearch.yml

添加以下行

保存更改并关闭文件

设置初始和最大JVM堆大小

配置TLS

导航到将存储证书的目录

删除演示证书

生成根证书，这将用于签署其他证书

创建管理员证书，此证书用于获得执行与安全插件相关的管理任务的提升权限

为正在配置的节点创建证书

删除不再需要的临时文件

确保其余证书归opensearch用户所有

按照生成证书中的说明将这些证书添加到opensearch.yml，推荐选择使用脚本进行设置

新建shell脚本文件 append-setting.sh

执行append-setting.sh

为自签名根证书添加信任(可选)

相关文章：