Elasticsearch 8 on Ubuntu 20.04

Install Prerequisites

apt install apt-transport-https

Install public key

curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Add repo

echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list

Install Packages

apt update
apt install elasticsearch
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.       
Statusinformationen werden eingelesen.... Fertig
Die folgenden NEUEN Pakete werden installiert:
  elasticsearch
0 aktualisiert, 1 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen 526 MB an Archiven heruntergeladen werden.
Nach dieser Operation werden 1.109 MB Plattenplatz zusätzlich benutzt.
Holen:1 https://artifacts.elastic.co/packages/8.x/apt stable/main amd64 elasticsearch amd64 8.2.2 [526 MB]
Es wurden 469 MB in 26 s geholt (17,8 MB/s).                                                                                  
Vormals nicht ausgewähltes Paket elasticsearch wird gewählt.
(Lese Datenbank ... 426682 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../elasticsearch_8.2.2_amd64.deb ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Entpacken von elasticsearch (8.2.2) ...
elasticsearch (8.2.2) wird eingerichtet ...

--------------------------- Security autoconfiguration information ------------------------------
Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : XXXXXXXXXXXXXXXXXXXX

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with 
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with 
 '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with 
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

-------------------------------------------------------------------------------------------------
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service

Add path to environment

echo 'export PATH=/usr/share/elasticsearch/bin/:$PATH' >> /root/.bashrc

Configure daemon

vi /etc/elasticsearch/elasticsearch.yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

network.host: 127.0.0.1
http.port: 9200

# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["elastics.ear.ch"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
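
In the file above, http.host overrides network.host for the HTTP layer, so port 9200 listens on every interface while transport port 9300 stays on loopback. The following check is an added example, not part of the original guide: it reads an elasticsearch.yml and reports the exposure-relevant settings. The function names are made up for illustration, and the parser only handles the scalar "key: value" and one-level nested layout used above.

```shell
# Added example: audit the exposure-relevant settings of an elasticsearch.yml.

# Flatten flat or one-level-nested "key: value" YAML into dotted.key=value.
es_flatten() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
    { line = $0; sub(/[ \t]+#.*$/, "", line) }        # trailing comments
    line ~ /^[^ \t].*:[ \t]*$/ {                      # "parent:" opens a block
      parent = line; sub(/:[ \t]*$/, "", parent); next }
    { nested = (line ~ /^[ \t]/); sub(/^[ \t]+/, "", line)
      key = line; sub(/:.*$/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      if (!nested) parent = ""
      if (parent != "") key = parent "." key
      print key "=" val }' "$1"
}

es_get() {  # es_get FILE KEY -> value, empty if unset
  es_flatten "$1" | awk -v k="$2=" \
    'index($0, k) == 1 { v = substr($0, length(k) + 1) } END { print v }'
}

es_audit() {  # one finding per line; returns 1 if any FAIL
  rc=0; bind=$(es_get "$1" http.host)
  [ -n "$bind" ] || bind=$(es_get "$1" network.host)  # http.host defaults to it
  case ${bind:-_local_} in
    0.0.0.0|::) wide=1; echo "WARN http API listens on all interfaces ($bind)" ;;
    *)          wide=0; echo "OK http API bound to ${bind:-_local_}" ;;
  esac
  for key in xpack.security.enabled xpack.security.http.ssl.enabled; do
    if [ "$(es_get "$1" "$key")" = true ]; then echo "OK $key=true"
    elif [ "$wide" = 1 ]; then rc=1; echo "FAIL $key is not true on an exposed node"
    else echo "WARN $key is not true"; fi
  done
  mode=$(es_get "$1" xpack.security.transport.ssl.verification_mode)
  case ${mode:-full} in
    full)        echo "OK transport verification_mode=full" ;;
    certificate) echo "NOTE transport verification_mode=certificate (no hostname check)" ;;
    *)           rc=1; echo "FAIL transport verification_mode=$mode" ;;
  esac
  return $rc
}

es_sample() {  # constructed sample mirroring the settings shown above
  printf '%s\n' 'network.host: 127.0.0.1' 'xpack.security.enabled: true' \
    'xpack.security.http.ssl:' '  enabled: true' '  keystore.path: certs/http.p12' \
    'xpack.security.transport.ssl:' '  enabled: true' \
    '  verification_mode: certificate' '# reachable from anywhere' 'http.host: 0.0.0.0'
}
tmp=$(mktemp) && es_sample > "$tmp" && es_audit "$tmp"; rm -f "$tmp"
```

On a real node, run es_audit /etc/elasticsearch/elasticsearch.yml as root; a non-zero exit status means the HTTP API is exposed without authentication or TLS, or transport certificate verification is switched off.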

Enable Elasticsearch daemon during startup

systemctl daemon-reload
systemctl enable elasticsearch.service
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.

Start Elasticsearch

service elasticsearch start

Check running ports

netstat -tulpn | grep java
tcp6       0      0 :::9200                 :::*                    LISTEN      108291/java         
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      108291/java

Check status

service elasticsearch status
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-06-01 20:25:44 CEST; 5min ago
       Docs: https://www.elastic.co
   Main PID: 108291 (java)
      Tasks: 72 (limit: 38283)
     Memory: 16.6G
     CGroup: /system.slice/elasticsearch.service
             ├─108291 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -Djava.security.manager=allow -XX:+AlwaysPreTouch -Xss1m -Djava.awt.>
             └─108586 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Jun 01 20:25:28 elastics.ear.ch systemd[1]: Starting Elasticsearch...
Jun 01 20:25:44 elastics.ear.ch systemd[1]: Started Elasticsearch.

Check Java version

java -version
openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)

Send HTTPS request to the Elasticsearch node

PASSWORD is the bootstrap password which was generated during installation.

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic:PASSWORD https://localhost:9200
{
  "name" : "elastics.ear.ch",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "ietEhUU1QTKSdJVoYaYugw",
  "version" : {
    "number" : "8.2.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "93769a8ef3c7d5186b44fd3bd4483e0149d2f2420",
    "build_date" : "2022-05-25T15:47:06.259735307Z",
    "build_snapshot" : false,
    "lucene_version" : "9.1.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Add Elasticsearch root CA certificate to trust store

cp /etc/elasticsearch/certs/http_ca.crt \
   /usr/local/share/ca-certificates/elasticsearch_http_ca.crt
update-ca-certificates && updatedb && locate elasticsearch_http_ca
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.
/etc/ssl/certs/elasticsearch_http_ca.pem
/usr/local/share/ca-certificates/elasticsearch_http_ca.crt

curl now works without the --cacert option

curl -u elastic:PASSWORD https://localhost:9200 --head -v
*   Trying 127.0.0.1:9200...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=elastics.ear.ch
*  start date: Jun  2 21:35:45 2022 GMT
*  expire date: Jun  1 21:35:45 2024 GMT
*  subjectAltName: host "localhost" matched cert's "localhost"
*  issuer: CN=Elasticsearch security auto-configuration HTTP CA
*  SSL certificate verify ok.
* Server auth using Basic with user 'elastic'
> HEAD / HTTP/1.1
> Host: localhost:9200
> Authorization: Basic <redacted>
> User-Agent: curl/7.68.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
X-elastic-product: Elasticsearch
< content-type: application/json
content-type: application/json
< content-length: 530
content-length: 530

< 
* Connection #0 to host localhost left intact

Query node information

curl 'https://localhost:9200/_nodes?pretty' -u elastic:PASSWORD
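
The curl calls above pass the password with -u on the command line, where it lands in shell history and the process list, and the -v trace prints it again as a base64 Authorization header. The following is an added example, not part of the original guide: it feeds the credentials to curl on stdin and masks the header in a trace. The function names and the ES_PASSWORD variable are assumptions made for illustration.

```shell
# Added example: keep the elastic password out of argv and shell history,
# and scrub it from `curl -v` traces before they are shared.

# Print a curl config line for --user. Backslash and double quote are
# escaped because curl interprets both inside a quoted config value.
curl_user_config() {  # curl_user_config USER PASSWORD
  printf '%s:%s\n' "$1" "$2" |
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/^/user = "/' -e 's/$/"/'
}

# Query the local node. The password comes from $ES_PASSWORD (assumed name)
# or a prompt and reaches curl on stdin (-K -), never as an argument.
es_curl() {  # es_curl PATH [extra curl options]
  path=$1; shift
  if [ -z "${ES_PASSWORD:-}" ]; then
    printf 'Password for elastic: ' >&2
    stty -echo; read -r ES_PASSWORD; stty echo; echo >&2
  fi
  curl_user_config elastic "$ES_PASSWORD" |
    curl -sS -K - --cacert /etc/elasticsearch/certs/http_ca.crt "$@" \
      "https://localhost:9200$path"
}

# Mask the credential part of Authorization headers in a verbose trace.
redact_trace() {
  sed -E 's/^(> *(Proxy-)?Authorization: *[A-Za-z]+) .*/\1 [REDACTED]/'
}

# Constructed trace lines (the value is base64 of "elastic:PASSWORD").
printf '%s\n' '> Host: localhost:9200' \
  '> Authorization: Basic ZWxhc3RpYzpQQVNTV09SRA==' | redact_trace
```

With ES_PASSWORD set, a verbose request can be captured safely with es_curl / --head -v 2>&1 | redact_trace, since curl writes the trace to stderr.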

Add bootstrap password

elasticsearch-keystore add "bootstrap.password"
Enter value for bootstrap.password: MY_SECRET_PASSWORD

Install ingest attachment plugin

elasticsearch-plugin install ingest-attachment
-> Installing ingest-attachment
-> Downloading ingest-attachment from elastic
[=================================================] 100%   
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessClassInPackage.sun.java2d.cmm.kcms
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission getClassLoader
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.security.SecurityPermission createAccessControlContext
See https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]y
-> Installed ingest-attachment
-> Please restart Elasticsearch to activate any plugins installed

Restart Elasticsearch

service elasticsearch restart