Elasticsearch clustering behind UFW firewall


Problem description



I have an Elasticsearch cluster running on two different Digital Ocean droplets. They are both set up for private networking, and I have a Mongo DB replica set running just fine with UFW rules set up to only accept connections on the relevant ports from the droplets' specific (private) IP addresses.

However I am not able to get a green Elasticsearch cluster health using the same method, only yellow. This means that the nodes are not able to connect to each other.

In elasticsearch.yml (on both machines) I have disabled multicast and am using unicast to connect to the droplets' internal IP addresses. When I set up the firewall to accept all connections on port 9300 (ufw allow 9300) this works just fine, and the cluster health is reported as green. However, when I restrict the rule to allow only from the actual IP addresses, just as with the Mongo DB replica set, it doesn't work. I have tried with both the public and private addresses, and with IPv4 and IPv6.

What am I missing here?

Solution

IPv6 is preferred by default. You can change this behavior by setting the java.net.preferIPv4Stack system property to true.
Also note that, by default, ES binds to anyLocalAddress (typically 0.0.0.0 or ::0). You can change this by setting network.bind_host to the correct IP address.

Reference [1.3] » Modules » Network Settings


Update:

First, I recommend you disable IPv6 in your OS; you can do this by following these steps:

In /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

To disable in the running system:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6

or

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

After that, you must change the value of network.bind_host in elasticsearch.yml on both nodes to their respective IPs:

# Elasticsearch, by default, binds itself to the 0.0.0.0 address, and listens
# on port [9200-9300] for HTTP traffic and on port [9300-9400] for node-to-node
# communication. (the range means that if the port is busy, it will automatically
# try the next port).
# Set the bind address specifically (IPv4 or IPv6):
#
network.bind_host: 10.0.0.1
# Set the address other nodes will use to communicate with this node. If not
# set, it is automatically derived. It must point to an actual IP address.
#
network.publish_host: 10.0.0.1

Or set

# Set both 'bind_host' and 'publish_host':
#
network.host: 10.0.0.1

Finally, you must validate the configuration of your network adapters; both must be correctly configured with the IPs you used above.

Hope this helps
