instructions for es multinode + kib external access #1022
Merged
d7db52a
instructions for es multinode
shainaraskas b957221
more
shainaraskas 6fca658
Merge branch 'main' into multi-node-context
shainaraskas 792c2ed
bad merge cleanup
shainaraskas ef3bc6d
ports
shainaraskas a86f118
errors
shainaraskas 87f1136
bad links
shainaraskas 900a593
fix links
shainaraskas 483a785
Update deploy-manage/deploy/self-managed/_snippets/ports.md
shainaraskas 89ce36d
some edits"
shainaraskas 05b7daa
t pMerge branch 'multi-node-context' of github.com:elastic/docs-conte…
shainaraskas ca31683
more edits
shainaraskas be294e9
simplify auto security setup
shainaraskas fb91328
link fixes
shainaraskas 86c8f52
0.0.0.0
shainaraskas f1b91f8
Update deploy-manage/deploy/self-managed/_snippets/join-existing-clus…
shainaraskas cd0d861
note
shainaraskas b8ae130
Merge branch 'multi-node-context' of github.com:elastic/docs-content …
shainaraskas affbfa8
edu feedback
shainaraskas 47bb22c
fix link
shainaraskas 1d7738b
new notes
shainaraskas 7adedf1
check connectivity step
shainaraskas 15cfe23
edu feedback
shainaraskas 519b3be
Merge branch 'main' into multi-node-context
shainaraskas
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,14 @@ | ||
If you're deploying the {{stack}} in a self-managed cluster, then install the {{stack}} products you want to use in the following order: | ||
|
||
* {{es}} | ||
* {{kib}} | ||
* [{{es}}](/deploy-manage/deploy/self-managed/installing-elasticsearch.md) | ||
* [{{kib}}](/deploy-manage/deploy/self-managed/install-kibana.md) | ||
* [Logstash](logstash://reference/index.md) | ||
* [{{agent}}](/reference/fleet/index.md) or [Beats](beats://reference/index.md) | ||
* [APM](/solutions/observability/apps/application-performance-monitoring-apm.md) | ||
* [Elasticsearch Hadoop](elasticsearch-hadoop://reference/index.md) | ||
|
||
Installing in this order ensures that the components each product depends on are in place. | ||
Installing in this order ensures that the components each product depends on are in place. | ||
|
||
:::{tip} | ||
If you're deploying a production environment and you plan to use [trusted CA-signed certificates](/deploy-manage/security/self-setup.md#manual-configuration) for {{es}}, then you should do so before you deploy {{fleet}} and {{agent}}. If new security certificates are configured, any {{agent}}s need to be reinstalled, so we recommend that you set up {{fleet}} and {{agent}} with the appropriate certificates in place. | ||
::: |
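Review bot: The install-order list mixes substitution variables with literal product names: `{{es}}`, `{{kib}}` and `{{agent}}` are variables, while `Logstash`, `Beats`, `APM` and `Elasticsearch Hadoop` are typed out. The ports snippet in this same PR uses `{{ls}}`, so the Logstash entry could read `[{{ls}}](logstash://reference/index.md)` for consistency. The tip also asks for CA-signed certificates to be in place before {{fleet}} and {{agent}} are deployed, but the list gives no hint of that checkpoint; a short parenthetical on the `{{agent}}` bullet would tie the two together.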
11 changes: 11 additions & 0 deletions
11
deploy-manage/deploy/self-managed/_snippets/auto-security-config-rpm-deb.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
When you start {{es}} for the first time, it automatically performs the following security setup: | ||
|
||
* Generates [TLS certificates](#stack-security-certificates) for the [transport and HTTP layers](/deploy-manage/security/secure-cluster-communications.md#communication-channels) | ||
* Applies TLS configuration settings to `elasticsearch.yml` | ||
* Creates an enrollment token to securely connect {{kib}} to {{es}} | ||
|
||
You can then start {{kib}} and enter the enrollment token, which is valid for 30 minutes. This token automatically applies the security settings from your {{es}} cluster, authenticates to {{es}} with the built-in `kibana` service account, and writes the security configuration to `kibana.yml`. | ||
|
||
::::{note} | ||
There are [some cases](/deploy-manage/security/self-auto-setup.md#stack-skip-auto-configuration) where security can’t be configured automatically because the node startup process detects that the node is already part of a cluster, or that security is already configured or explicitly disabled. | ||
:::: |
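Review bot: The paragraph after the list says the enrollment token is valid for 30 minutes but not what to do once it has expired. Suggest adding a sentence that points to `elasticsearch-create-enrollment-token -s kibana` for generating a new one. Separately, `[TLS certificates](#stack-security-certificates)` is a bare anchor inside a reusable snippet, so it only resolves if every page that includes this snippet defines that anchor.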
9 changes: 9 additions & 0 deletions
9
deploy-manage/deploy/self-managed/_snippets/clean-up-multinode.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
Perform the following steps on each node in the cluster: | ||
|
||
1. Open `elasticsearch.yml` in a text editor. | ||
2. Comment out or remove the `cluster.initial_master_nodes` setting. | ||
3. Update the `discovery.seed_hosts` value so it contains the IP address and port of each of the master-eligible {{es}} nodes in the cluster. | ||
|
||
|
||
If you don't perform these steps, then one or more nodes will fail the [discovery configuration bootstrap check](/deploy-manage/deploy/self-managed/bootstrap-checks.md#bootstrap-checks-discovery-configuration) when they are restarted. | ||
|
||
|
||
For more information, refer to [](/deploy-manage/distributed-architecture/discovery-cluster-formation.md). |
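Review bot: Step 3 asks for "the IP address and port of each of the master-eligible {{es}} nodes" but, unlike the other snippets in this PR, gives no YAML example of the resulting `discovery.seed_hosts` value. An example with two or three `host:port` entries would remove the guesswork about the list format. The step could also say that the port meant is the transport port, since the ports snippet lists separate HTTP and transport ranges.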
7 changes: 7 additions & 0 deletions
7
deploy-manage/deploy/self-managed/_snippets/cluster-formation-brief.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
When {{es}} starts for the first time, the security auto-configuration process binds the HTTP layer to `0.0.0.0`, but only binds the transport layer to `localhost`. This intended behavior ensures that you can start a single-node cluster with security enabled by default without any additional configuration. | ||
|
||
Before enrolling a new node, additional actions such as binding to an address other than `localhost` or satisfying bootstrap checks are typically necessary in production clusters. During that time, an auto-generated enrollment token could expire, which is why enrollment tokens aren’t generated automatically. | ||
|
||
Only nodes on the same host can join the cluster without additional configuration. If you want nodes from another host to join your cluster, you need make your instance reachable. | ||
|
||
For more information about the cluster formation process, refer to [](/deploy-manage/distributed-architecture/discovery-cluster-formation.md). | ||
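Review bot: In the third paragraph, "you need make your instance reachable" is missing "to". The same three paragraphs appear verbatim in `node-connectivity.md` in this PR, typo included, so consider having one snippet include the other to keep them from drifting apart.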
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
Update the {{es}} configuration on this first node so that other hosts are able to connect to it by editing the settings in [`elasticsearch.yml`](/deploy-manage/deploy/self-managed/configure-elasticsearch.md): | ||
|
||
1. Open `elasticsearch.yml` in a text editor. | ||
|
||
2. In a multi-node {{es}} cluster, all of the {{es}} instances need to have the same name. | ||
|
||
In the configuration file, uncomment the line `#cluster.name: my-application` and give the {{es}} instance any name that you’d like: | ||
|
||
```yaml | ||
cluster.name: elasticsearch-demo | ||
``` | ||
|
||
3. By default, {{es}} runs on `localhost`. For {{es}} instances on other nodes to be able to join the cluster, you need to set up {{es}} to run on a routable, external IP address. | ||
|
||
Uncomment the line `#network.host: 192.168.0.1` and replace the default address with `0.0.0.0`. The `0.0.0.0` setting enables {{es}} to listen for connections on all available network interfaces. In a production environment, you might want to [use a different value](elasticsearch:///reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings). | ||
|
||
```yaml | ||
network.host: 0.0.0.0 | ||
``` | ||
|
||
4. {{es}} needs to be enabled to listen for connections from other, external hosts. | ||
|
||
Uncomment the line `#transport.host: 0.0.0.0`. The `0.0.0.0` setting enables {{es}} to listen for connections on all available network interfaces. In a production environment you might want to restrict this by setting this value to match the value set for `network.host`. | ||
|
||
```yaml | ||
transport.host: 0.0.0.0 | ||
``` | ||
|
||
::::{tip} | ||
You can find details about the `network.host` and `transport.host` settings in the {{es}} [networking settings reference](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md). | ||
:::: | ||
|
||
5. Save your changes and close the editor. |
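Review bot: Step 2 says "all of the {{es}} instances need to have the same name" and then "give the {{es}} instance any name that you'd like", which reads as if a per-node name were being set. The setting shown is `cluster.name`, so suggest "all nodes need to have the same cluster name" and "give the cluster any name". In steps 3 and 4, both examples show `0.0.0.0` while the advice to bind a narrower address in production is only in prose; step 4's caveat could link to the networking settings reference the way step 3's does.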
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
The default host and port settings configure Kibana to run on localhost:5601. To change this behavior and allow remote users to connect, you need to set up {{kib}} to run on a routable, external IP address. You can do this by editing the settings in [`kibana.yml`](/deploy-manage/deploy/self-managed/configure-kibana.md): | ||
|
||
1. Retrieve the external IP address of your host. You’ll need this value later. | ||
2. Open `kibana.yml` in a text editor. | ||
|
||
3. Uncomment the line `#server.host: localhost` and replace the default address with the value that you retrieved in step one. For example: | ||
|
||
```yaml | ||
server.host: 10.128.0.28 | ||
``` | ||
|
||
4. Save your changes and close the editor. |
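Review bot: This snippet makes {{kib}} reachable by remote users but says nothing about encrypting the browser-to-{{kib}} connection. Suggest linking to the page on enabling TLS for {{kib}} HTTP traffic next to step 3, so that remote access isn't set up before that decision is made. Minor: the first sentence uses literal "Kibana" and an unformatted `localhost:5601` where the rest of the snippet uses `{{kib}}` and code formatting, and "step one" could be "step 1" to match the list.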
15 changes: 15 additions & 0 deletions
15
deploy-manage/deploy/self-managed/_snippets/node-connectivity.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
% RPM and Debian only | ||
|
||
When {{es}} starts for the first time, the security auto-configuration process binds the HTTP layer to `0.0.0.0`, but only binds the transport layer to `localhost`. This intended behavior ensures that you can start a single-node cluster with security enabled by default without any additional configuration. | ||
|
||
Before enrolling a new node, additional actions such as binding to an address other than `localhost` or satisfying bootstrap checks are typically necessary in production clusters. During that time, an auto-generated enrollment token could expire, which is why enrollment tokens aren’t generated automatically. | ||
|
||
Only nodes on the same host can join the cluster without additional configuration. If you want nodes from another host to join your cluster, you need make your instance reachable. | ||
|
||
* If you're installing the first node in a multi-node cluster across multiple hosts, then you need to [configure the node so that other hosts are able to connect to it](#first-node). | ||
|
||
* If you're installing additional nodes for a cluster, then you need to [generate an enrollment token and then reconfigure the new node to join an existing cluster](#existing-cluster). | ||
|
||
If you're running a single-node cluster, then skip to the next step. | ||
|
||
For more information about the cluster formation process, refer to [](/deploy-manage/distributed-architecture/discovery-cluster-formation.md). |
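Review bot: The two bullet links, `#first-node` and `#existing-cluster`, are bare anchors in a shared snippet. The leading comment says the snippet serves both RPM and Debian, so each including page must define both anchors or the links break; worth a comment next to `% RPM and Debian only` stating that requirement. In the third paragraph, "you need make your instance reachable" is missing "to".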
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
This table shows the ports that must be accessible in order to operate an {{es}} cluster. The {{es}} REST and {{kib}} interfaces must be open to external users in order for the cluster to be usable. The transport API must be accessible between {{es}} nodes in the cluster, and to any external clients using the transport API. | ||
|
||
These settings can be overridden in the relevant configuration file. | ||
|
||
| Port | Access type | Purpose | Setting | | ||
| --- | --- | --- | --- | | ||
| 9200-9300 | HTTP (REST) | REST API for Elasticsearch. This is the primary interface used for access to the cluster from external sources, including {{kib}} and {{ls}}. | Elasticsearch [`http.port`](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings) | | ||
| 9300-9400 | TCP | Transport API. Used for intra-cluster communications and client access via the transport API (Java client). | Elasticsearch [`transport.port`](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings) | | ||
| 5601 | HTTP | {{kib}} default access port. | Kibana [`server.port`](kibana://reference/configuration-reference/general-settings.md#server-port) | | ||
|
||
|
||
Additional ports might be required for [optional {{stack}} components](/get-started/the-stack.md). Refer to the installation guide for the component that you want to install. |
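Review bot: The Port column lists `9200-9300` and `9300-9400`, while the intro calls these "ports that must be accessible". These are the ranges a node picks its bind port from, so a reader writing firewall rules from this table may open the whole range; suggest stating that a node binds to the first available port in the range and that rules only need to cover the ports actually in use. The intro's "must be open to external users" could also be narrowed to the clients that need the REST API and {{kib}}, with the transport range limited to cluster nodes.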
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,6 @@ | ||
Before you install {{es}}, do the following: | ||
|
||
* Review the [supported operating systems](https://www.elastic.co/support/matrix). {{es}} is tested on the listed platforms, but it is possible that it will work on other platforms too. | ||
* Review the [supported operating systems](https://www.elastic.co/support/matrix) and prepare virtual or physical hosts where you can install {{es}}. | ||
|
||
{{es}} is tested on the listed platforms, but it is possible that it will work on other platforms too. | ||
* Configure your operating system using the [](/deploy-manage/deploy/self-managed/important-system-configuration.md) guidelines. |
5 changes: 5 additions & 0 deletions
5
deploy-manage/deploy/self-managed/_snippets/reset-superuser-rpm-deb.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
Because {{es}} runs with `systemd` and not in a terminal, the `elastic` superuser password is not output when {{es}} starts for the first time. Use the [`elasticsearch-reset-password`](elasticsearch://reference/elasticsearch/command-line-tools/reset-password.md) tool tool to set the password for the user: | ||
|
||
```shell | ||
bin/elasticsearch-reset-password -u elastic | ||
``` |
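Review bot: The sentence before the code block has a duplicated word, "tool tool". The command is given as `bin/elasticsearch-reset-password`, a path relative to the {{es}} home directory; this snippet is for RPM and Debian installs (per the file name), so say which directory to run it from or give the full path. "Set the password" could also be "reset the password", since the command as shown takes no password argument.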