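#!/usr/bin/env bash
#
# Provisions one Elasticsearch 7.6.2 node on a Debian/Ubuntu host: package
# install, RAID-0 data volume, node TLS certificates, elasticsearch.yml /
# jvm.options settings, bootstrap password, service start.
#
# Environment read later in the script: ES_NODE_NAME, PRIVATE_IP_ES_NODE,
# ES_NODE_PRIVATE_IPS, ES_OTHER_NODE_IPS.

set -eo pipefail

# Keep debconf from ever blocking the run on an interactive prompt.
echo "debconf debconf/frontend select Noninteractive" | sudo debconf-set-selections

# Store Elastic's signing key in its own keyring and bind it to the Elastic
# source entry with signed-by. `apt-key add` is deprecated and places the key
# in the global trusted set, where it would vouch for every configured
# repository rather than only this one.
# NOTE(review): the key is trusted on first download; compare its fingerprint
# against an out-of-band value before relying on it.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch \
  | sudo gpg --batch --yes --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

# -y: without it apt-get aborts in an unattended run as soon as it has to ask
# for confirmation.
sudo apt-get install -y apt-transport-https

# Overwrite instead of append so a re-run does not leave duplicate entries.
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

sudo apt-get update
sudo apt-get install -y unzip
# Version is pinned so every node of the cluster runs the same release.
sudo apt-get install -y elasticsearch=7.6.2
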
# Build the Elasticsearch data volume: two disks striped as RAID-0, formatted
# ext4 and mounted over the package's data directory.
# NOTE(review): /dev/sdb and /dev/sdc are hard-coded, and both mdadm --create
# and mkfs.ext4 overwrite whatever is on them. Confirm the device names on the
# target instance type before running. RAID-0 has no redundancy, so data
# durability depends entirely on Elasticsearch replicas and snapshots.
array_dev=/dev/md0
array_label=md0
data_mount=/var/lib/elasticsearch

sudo mdadm --create "$array_dev" --name "$array_label" --level=0 --raid-devices=2 /dev/sdb /dev/sdc
sudo mkfs.ext4 -L "$array_label" "$array_dev"
sudo mount "$array_dev" "$data_mount"

# Mount by filesystem label so the entry does not depend on the md device
# number; nofail keeps the boot going if the array is missing.
printf '%s\n' "LABEL=${array_label} ${data_mount} ext4 defaults,nofail 0 1" \
  | sudo tee -a /etc/fstab >/dev/null

# The fresh filesystem root is owned by root; hand it to the service account.
sudo chown -R elasticsearch:elasticsearch "$data_mount"

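# Scratch location for the CA material and the certutil instance list.
# Declared and exported in two steps so a failing pwd is not masked by export.
CWD="$(pwd)"
export CWD

# Quoted so a working directory containing spaces or glob characters is handled.
# The directory is about to hold a CA private key, so close it to other local
# accounts; root (which runs certutil further down) can still read it.
mkdir -p -- "$CWD/certificates"
chmod 700 -- "$CWD/certificates"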
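# CA certificate used to sign this node's certificate. The same CA must be
# used for every node, since each node trusts whatever this CA has signed.
# The target path is quoted (an unquoted $CWD with spaces makes the redirect
# fail) and the delimiter is quoted so the PEM body is never shell-expanded.
# NOTE(review): this CA is static and shipped in the script together with its
# private key; see the note on ca.key before using it outside a lab.
cat >"$CWD/certificates/ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIUDG8qaJy82FTuJEiL5a7EnYhITHMwDQYJKoZIhvcNAQEL
BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
cmF0ZWQgQ0EwIBcNMTcwNDIxMDgzNzE2WhgPMjI5MTAyMDMwODM3MTZaMDQxMjAw
BgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2VuZXJhdGVkIENB
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxLYZs3QX/fZ4ikxAZhBe
Q1QayqsHfU8A3P9Q2BoEOtP3goPDu9r9Lpaj1yoq2KEy59VW9jYFgbi8mlrL+tWP
3ChdM+skhHxoFku3cIs2+U5qtzBFa717EAvbQcWvSKQyHIkmckTo0InlLk0QS49Z
dyhU6sw7L5jxZTH5t4Ix8STwi9K3x4D2pfrcW3jI4yAd09d9jpf+szR3MimwyX+Q
qHSWdqbSPNFxrd7wEzAj/hcoouqL7tPKq2aLfwL1qSWMfCFHFp+H/X8PxNVjzyHX
9WI0u6nQekPgocCxU/JO/Q0AhHKhz4m0a9InpIop/c2GssS4FEfWvSbbvfrtz47D
2wIDAQABo4GkMIGhMB0GA1UdDgQWBBQEvbcIhMaWXp2HgipoIWFjUrHj5zBvBgNV
HSMEaDBmgBQEvbcIhMaWXp2HgipoIWFjUrHj56E4pDYwNDEyMDAGA1UEAxMpRWxh
c3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0GCFAxvKmicvNhU
7iRIi+WuxJ2ISExzMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AAYwh6vNb0ata3HPY2iRmJqLu61p5L7wa/XaEE+pBGLoi/0FWhKYFbL0BhlaTp2O
xJn5irAAA7bVK2aNykhCVKbparJpSb+lSMtkPNSzvSODv7uUGwmU8+KU0pTZDki2
LVm6zNbrRROAjJcPllghqfKcGLjFEaX1D87XmQJJfzJymaIeHtT/xQMfM7Roi6TE
hB4gXLZTs1pY1fWhcsS6wvrNdTlGTaipABMUPFtf3K/GQnnT87YOS+Ce+dfGN+SI
hVw2jukDZwZxmL3GtddVkPP4fS/OEkUC8l3/QvgL2NEKMAZV3QISnEAbXNHzrLxQ
5yoUeq1gOEyquAzlasQD1/U=
-----END CERTIFICATE-----
EOF
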
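# CA private key used to sign this node's certificate.
#
# NOTE(review): a CA key embedded in a script is known to everyone who can
# read the script. Whoever holds it can issue certificates that every node
# configured from this script accepts, so TLS here authenticates nothing
# beyond "has seen this file". For anything but a throwaway lab, generate a
# CA per deployment, fetch the key from a secret store at provisioning time,
# and rotate any cluster that was built with the key below.
#
# The file is created under umask 077 and then forced to 0600 (covers the
# case where it already existed with wider permissions); the original
# redirect left it readable by every local account. It also stays on disk
# after signing; remove it once the node certificate has been generated.
(
  umask 077
  cat >"$CWD/certificates/ca.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxLYZs3QX/fZ4ikxAZhBeQ1QayqsHfU8A3P9Q2BoEOtP3goPD
u9r9Lpaj1yoq2KEy59VW9jYFgbi8mlrL+tWP3ChdM+skhHxoFku3cIs2+U5qtzBF
a717EAvbQcWvSKQyHIkmckTo0InlLk0QS49ZdyhU6sw7L5jxZTH5t4Ix8STwi9K3
x4D2pfrcW3jI4yAd09d9jpf+szR3MimwyX+QqHSWdqbSPNFxrd7wEzAj/hcoouqL
7tPKq2aLfwL1qSWMfCFHFp+H/X8PxNVjzyHX9WI0u6nQekPgocCxU/JO/Q0AhHKh
z4m0a9InpIop/c2GssS4FEfWvSbbvfrtz47D2wIDAQABAoIBADlIwnFE9Jurg+za
ScKvL5Qx0N+GMNcoA5tX6qYT5XlwMtraHkz9d89yZOIK0JFnWBi1Qu7OSoo9Twcw
O8ifGpbFVmcBKhA+3lznzdLDZ83wLRmNwBmhA05n9YDQ3busvT8cHYsXUCkyjwAN
xxoJ88bEgv4hXXb99gY/KHZtPrf3Q4nSUn2k+aIZDRrkpg9UcxPTXIsNTrHXbDeT
v9GHOYWo1i2O3xAaowN2P57QV4JsCH23Ub5l2EZDxhh4+NT4bsfD/BiZe8UNceUJ
BMLtCPwDQjjyzCBtoIG4c4Dt6jQjFZSV28TAr7ZcK8OeUfDdlCr3bCTow82LVe4M
y7sa8BECgYEA+GF4JyiCtZBb0z8yZTrG6R5nKZIY7KnuXuf6ukl46MZGo9OvOQlZ
9ovB1NgCm7ENhRs0R9fdOanDisvQ6dIJkkmqqRMenKxG01qyJDIYs6MLG5s84otC
xmz/S2suKT24/ptjVw/oHA6PeKgkYKIlEBZhMqoFYMoppiSuNhzF9uMCgYEAyr7f
MfYRihSo4OWhhb32568I2ZuZFT13ABdtMnEtLd/QWW8HXVYNG+UT9Qc2utjJlvOS
6i5/CqPf3oFWARVRgFFbsqZFUToon4kEYufR1qfjrwj91hufGllVymLPxnuV0ZlI
YDc1QpVN7CskpGoOsEFsNjPveWRwqv16CCsYmKkCgYEAk6nOtuj8nFiQXsxpd4k0
DA+JIUu8CacVEdM0Wl+nxCtsf6UvvOb0VwDLYXByTIE8GnAL6tJIsSleGTwGnZvD
GPc2wIGfZ2F8UdbPpXkq+lDqH6Vw0vYb4r+WHw4/SUFqo+NZcb8BLPzzCrZbuh9r
jV7gtjAiNmK51A5mi8EbaCUCgYA8nbiJbXJtACRFqSITpGoPdsuEk/q+2POdOWPS
cvf5ATN/qaxgAXxF3MWMuq1oS6xpz0Ubcu9UtQ4Xrj+Sb1dAsBJkZUXQNT00BXkk
QP8B2IxAJsYNn5CABjmaGtTYGNcAJX34Fkl8MLttYrC/312o4MaDph9xAdCVrtcv
XgMqkQKBgF+BpjaU/DqKje3GGuLDv/6uCHxmKYfq4rnQ5YQYPEFbQpPVbKlINY99
hC8f/Y2qLKPlc9ikotAlvxgfXy+v1dlyrpnRWXtSeMAPxDtNiCsoGByQY5/zrfH7
upaN3ad/n/X4xGPyx6Ri2D+mbLYzWOXIrDLuPuJVhMxSi1feb9M/
-----END RSA PRIVATE KEY-----
EOF
)
chmod 600 -- "$CWD/certificates/ca.key"
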
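# Instance list for elasticsearch-certutil: one entry, this node.
# Both values end up in the issued certificate, so stop with a clear message
# if either is missing instead of generating a certificate for an empty name.
: "${ES_NODE_NAME:?ES_NODE_NAME must be set}"
: "${PRIVATE_IP_ES_NODE:?PRIVATE_IP_ES_NODE must be set}"

# The delimiter is deliberately unquoted: the two variables are expanded here.
# `ip` is nested under the list item so it belongs to the instance entry.
cat >"$CWD/certificates/instances.yml" <<EOF
---
instances:
  - name: ${ES_NODE_NAME}
    ip: ${PRIVATE_IP_ES_NODE}
EOF
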
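# Issue this node's certificate from the CA files and instance list written
# to $CWD/certificates. The result is a zip in /etc/elasticsearch.
# `su` with no user name runs the command as root; CWD is handed through sudo
# explicitly because the single-quoted command is expanded by the inner shell.
# Every $CWD use is quoted so a path with spaces is not split into extra
# arguments.
# NOTE(review): --pass "" produces a PKCS#12 bundle with an empty password.
# The node's private key is then protected only by file ownership and mode
# under /etc/elasticsearch, so those must exclude other local accounts.
sudo CWD="$CWD" su -s /bin/bash -c '/usr/share/elasticsearch/bin/elasticsearch-certutil \
  cert \
  --silent \
  --ca-cert "$CWD/certificates/ca.crt" \
  --ca-key "$CWD/certificates/ca.key" \
  --in "$CWD/certificates/instances.yml" \
  --out /etc/elasticsearch/node-certs.zip \
  --pass ""'
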
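# Unpack the certificate bundle into the Elasticsearch config directory.
# set -e inside the root shell: with plain `;` separators a failed cd or unzip
# was ignored and the zip was deleted anyway, hiding the error from the
# caller.
: "${ES_NODE_NAME:?ES_NODE_NAME must be set}"
sudo su -s /bin/bash -c 'set -e; cd /etc/elasticsearch; unzip /etc/elasticsearch/node-certs.zip; rm /etc/elasticsearch/node-certs.zip'

# The bundle unpacks into a directory named after the certutil instance, i.e.
# ES_NODE_NAME, which is also the path elasticsearch.yml refers to. Using
# $(hostname) here only worked when the two happened to be identical.
sudo chown -R root:elasticsearch "/etc/elasticsearch/${ES_NODE_NAME}"

# The PKCS#12 file has an empty password, so its mode is the only protection
# for the node's private key: owner root read/write, group elasticsearch
# read-only, nothing for anyone else.
sudo chmod -R u=rwX,g=rX,o= "/etc/elasticsearch/${ES_NODE_NAME}"
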
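# Append node identity, discovery and security settings to elasticsearch.yml.
#
# The values are expanded once, by this shell, and written through `sudo tee`.
# The earlier form pasted them into a double-quoted `bash -c` script whose
# here-document was expanded a second time by a root shell, so a `$`, backtick
# or backslash inside any value would have been interpreted as root.
#
# ES_NODE_PRIVATE_IPS and ES_OTHER_NODE_IPS are written exactly as given; an
# unset value yields an empty setting.
: "${ES_NODE_NAME:?ES_NODE_NAME must be set}"
: "${PRIVATE_IP_ES_NODE:?PRIVATE_IP_ES_NODE must be set}"

sudo tee -a /etc/elasticsearch/elasticsearch.yml >/dev/null <<EOF
node.name: ${ES_NODE_NAME}
network.host: $PRIVATE_IP_ES_NODE
cluster.initial_master_nodes: $ES_NODE_PRIVATE_IPS
discovery.seed_hosts: $ES_OTHER_NODE_IPS
xpack.ml.enabled: false
xpack.monitoring.enabled: false
xpack.security.enabled: true
xpack.watcher.enabled: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.keystore.path: ${ES_NODE_NAME}/${ES_NODE_NAME}.p12
xpack.security.transport.ssl.truststore.path: ${ES_NODE_NAME}/${ES_NODE_NAME}.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ${ES_NODE_NAME}/${ES_NODE_NAME}.p12
xpack.security.authc.accept_default_password: false
xpack.security.authc.token.enabled: false
EOF

# Fixed 16 GiB heap, appended after the packaged defaults.
# NOTE(review): the size is hard-coded; confirm it suits the instance's RAM.
sudo tee -a /etc/elasticsearch/jvm.options >/dev/null <<'EOF'
-Xms16g
-Xmx16g
EOF
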
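# Seed bootstrap.password in the Elasticsearch keystore.
#
# The password is taken from ES_BOOTSTRAP_PASSWORD. If that is unset, the
# script's historical literal is still used so existing callers keep working,
# but a warning is printed: the literal is public and must not protect a real
# cluster.
# The value reaches elasticsearch-keystore on stdin only, so it never appears
# in a process argument list (it was previously embedded in the `bash -c`
# command string).
bootstrap_password="${ES_BOOTSTRAP_PASSWORD:-some-secret-password}"
if [[ -z "${ES_BOOTSTRAP_PASSWORD:-}" ]]; then
  echo "warning: ES_BOOTSTRAP_PASSWORD is not set; falling back to the built-in placeholder password" >&2
fi

# set -e in the root shell so a failed cd or keystore creation is reported
# instead of being ignored. `create` gets /dev/null as stdin so that it cannot
# consume the password meant for `add -x`.
printf '%s\n' "$bootstrap_password" | sudo su -s /bin/bash -c '
  set -e
  cd /usr/share/elasticsearch
  if [[ ! -f /etc/elasticsearch/elasticsearch.keystore ]]; then
    bin/elasticsearch-keystore create </dev/null
  fi
  bin/elasticsearch-keystore add -x bootstrap.password
'
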
# Register the service for start at boot, then bring it up now.
for unit_action in enable start; do
  sudo systemctl "$unit_action" elasticsearch.service
done