Why can't I bind to 3X.XXX.XX:[9300-9400] while securing my cluster with SSL/TLS

Problem description

I am following this blog to encrypt the communication of my Elasticsearch cluster.

When I try to start Elasticsearch with the following command, I get the error below:

sudo systemctl start elasticsearch

I am using a GCP server with ports (9215) and (5601) exposed.

[2020-10-13T02:18:40,800][WARN ][o.e.g.DanglingIndicesState] [myNode1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2020-10-13T02:18:41,272][INFO ][o.e.n.Node               ] [myNode1] initialized
[2020-10-13T02:18:41,273][INFO ][o.e.n.Node               ] [myNode1] starting ...
[2020-10-13T02:18:41,505][ERROR][o.e.b.Bootstrap          ] [myNode1] Exception
org.elasticsearch.transport.BindTransportException: Failed to bind to 3X.XXX.X.X:[9300-9400]
        at org.elasticsearch.transport.TcpTransport.bindToPort(TcpTransport.java:408) ~[elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.transport.TcpTransport.bindServer(TcpTransport.java:372) ~[elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.transport.netty4.Netty4Transport.doStart(Netty4Transport.java:130) ~[?:?]
        at org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport.doStart(SecurityNetty4Transport.java:84) ~[?:?]
        at org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4ServerTransport.doStart(SecurityNetty4ServerTransport.java:46) ~[?:?]
        at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:59) ~[elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.transport.TransportService.doStart(TransportService.java:233) ~[elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:59) ~[elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.node.Node.start(Node.java:778) ~[elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:317) ~[elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:402) [elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) [elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) [elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) [elasticsearch-cli-7.9.2.jar:7.9.2]
        at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.9.2.jar:7.9.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) [elasticsearch-7.9.2.jar:7.9.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.9.2.jar:7.9.2]
Caused by: java.net.BindException: Cannot assign requested address
        at sun.nio.ch.Net.bind0(Native Method) ~[?:?]
        at sun.nio.ch.Net.bind(Net.java:550) ~[?:?]
        at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:249) ~[?:?]
        at io.netty.channel.socket.nio.NioServerSocketChannel.doBind(NioServerSocketChannel.java:134) ~[?:?]
        at io.netty.channel.AbstractChannel$AbstractUnsafe.bind(AbstractChannel.java:550) ~[?:?]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.bind(DefaultChannelPipeline.java:1334) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeBind(AbstractChannelHandlerContext.java:506) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.bind(AbstractChannelHandlerContext.java:491) ~[?:?]
        at io.netty.channel.DefaultChannelPipeline.bind(DefaultChannelPipeline.java:973) ~[?:?]
        at io.netty.channel.AbstractChannel.bind(AbstractChannel.java:248) ~[?:?]
        at io.netty.bootstrap.AbstractBootstrap$2.run(AbstractBootstrap.java:356) ~[?:?]
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) ~[?:?]
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:500) ~[?:?]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[?:?]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
 

It seems Elasticsearch is trying to bind to ports in the [9300-9400] range, but since those ports are not exposed, it fails with an error.

Here is my /etc/elasticsearch/elasticsearch.yml file:

# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: myCluster1
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: myNode1
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true
#

# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: myNode1.elastic.test.com
#
# Set a custom port for HTTP:
#
http.port: 9215
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["myNode1.elastic.test.com"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["myNode1"]


# ------------------------------Enabling Security ------------------------------
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/myNode1.key
xpack.security.http.ssl.certificate: certs/myNode1.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.key: certs/myNode1.key
xpack.security.transport.ssl.certificate: certs/myNode1.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt

Tags: elasticsearch, https

Solution


The 9300-9400 range is used for TCP transport communication, which is how the nodes talk to each other. Clients communicate over HTTP, which uses the range 9200-9299, or in your case 9215.

Since you set network.host to 0.0.0.0, Elasticsearch will try to bind both the HTTP and the TCP transport endpoints to every IP address on your instance, and it seems it cannot bind the transport endpoint to a port in the 9300-9400 range.

It looks like you only have one node, so you can remove the xpack.security.transport.* lines from your configuration file. You will need to remove network.host from your configuration and use http.host instead; this makes Elasticsearch bind only the HTTP endpoint to your 3X.*.*.* IP address, while transport binds to the loopback address. You will also need discovery.type: single-node.

Your elasticsearch.yml should look like this:

cluster.name: myCluster1
node.name: myNode1
bootstrap.memory_lock: true
http.host: myNode1.elastic.test.com
http.port: 9215
discovery.type: single-node
# cluster.initial_master_nodes must not be set together with discovery.type: single-node
# (Elasticsearch 7.x refuses to start with both), so that line is dropped here
# security
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/myNode1.key
xpack.security.http.ssl.certificate: certs/myNode1.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt

If you have multiple nodes, or plan to add more nodes in the future, you will need to allow another port for inter-node communication.
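To check a node's file for the two pitfalls this answer covers (a transport endpoint bound off loopback because network.host is set, and a single-node cluster that still has cluster.initial_master_nodes, which Elasticsearch 7.x rejects), here is an added audit script that is not part of the original thread. It assumes the flat `key: value` layout shown above and the Elasticsearch 7.x defaults (http.port 9200-9300, transport.port 9300-9400, loopback when no host is set); the sample config at the bottom is constructed.

```python
# Added audit (not from the thread): flags the bind/TLS pitfalls discussed above.
# Assumes ES 7.x defaults: http.port 9200-9300, transport.port 9300-9400, loopback when unset.
from typing import Dict, List, Tuple

LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1", "[::1]"}

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse top-level 'key: value' lines; comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def effective_binds(s: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """http.host / transport.host override network.host, which overrides loopback."""
    net = s.get("network.host", "_local_")
    return {"http": (s.get("http.host", net), s.get("http.port", "9200-9300")),
            "transport": (s.get("transport.host", net), s.get("transport.port", "9300-9400"))}

def audit(text: str) -> List[str]:
    """Return findings as strings; an empty list means no pitfall was detected."""
    s = parse_flat_yaml(text)
    binds = effective_binds(s)
    findings: List[str] = []
    for name, (host, port) in binds.items():  # any endpoint off loopback must have TLS
        if host not in LOOPBACK and s.get(f"xpack.security.{name}.ssl.enabled") != "true":
            findings.append(f"{name} bound to {host}:{port} without TLS")
    if s.get("discovery.type") == "single-node":
        t_host, t_port = binds["transport"]
        if t_host not in LOOPBACK:  # the answer's point: use http.host, not network.host
            findings.append(f"single-node cluster exposes transport on {t_host}:{t_port}; "
                            "use http.host instead of network.host")
        if "cluster.initial_master_nodes" in s:  # ES 7.x refuses this combination
            findings.append("cluster.initial_master_nodes is rejected with discovery.type: single-node")
    return findings

# Constructed sample: the answer's layout, but keeping network.host instead of http.host
WEAK_SINGLE_NODE = """network.host: myNode1.elastic.test.com
http.port: 9215
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
```

Running `audit(WEAK_SINGLE_NODE)` reports the transport endpoint bound to the public hostname without TLS and the single-node exposure, while the question's own file (network.host plus TLS on both endpoints) produces no findings.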
