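Note: Since Elastic Stack 6.4.2, Elastic has bundled the X-Pack tooling into elasticsearch, so the X-Pack 7.6.0 crack described below corresponds to Elastic Stack 7.6.0. Because X-Pack ships inside the elasticsearch package, all of the following operations are performed on the elasticsearch 7.6.0 package.
What is X-Pack
X-Pack is an extension pack for elasticsearch that bundles security, alerting, monitoring, graph and reporting features into one easy-to-install package. Although X-Pack is designed to work seamlessly as a whole, you can easily enable or disable individual features.
I am using macOS. The Luyten decompiler is needed here for decompiling; it is available for both Windows and Mac.
Download: https://github.com/deathmarine/Luyten/releases
elasticsearch download
https://www.elastic.co/cn/downloads/past-releases#elasticsearch
Download the package `elasticsearch-7.6.0-linux-x86_64.tar.gz` and unpack it with `tar -xf elasticsearch-7.6.0-linux-x86_64.tar.gz`. Locate `modules/x-pack-core/x-pack-core-7.6.0.jar`, open it with Luyten, extract the two source files `org.elasticsearch.license.LicenseVerifier` and `org.elasticsearch.xpack.core.XPackBuild`, and edit them.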
File LicenseVerifier.java: remove the verification logic and return success.

```java
package org.elasticsearch.license;

import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;

public class LicenseVerifier {
    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
        return true;
    }

    public static boolean verifyLicense(final License license) {
        return true;
    }
}
```

File XPackBuild.java: remove the check.

```java
package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0109: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
```
Compile the source files into class files

```
# Compile LicenseVerifier.java
$ /usr/share/elasticsearch/jdk/bin/javac -cp "/usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/modules/x-pack-core/*" /opt/LicenseVerifier.java
# Compile XPackBuild.java
$ /usr/share/elasticsearch/jdk/bin/javac -cp "/usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/modules/x-pack-core/*" /opt/XPackBuild.java
# List the compiled files
$ ls /data/x-pack | grep .class
LicenseVerifier.class
XPackBuild.class
```
Replace LicenseVerifier.class and XPackBuild.class and build a new jar

```
$ cp /usr/share/elasticsearch/modules/x-pack-core/x-pack-core-7.6.0.jar /opt/
$ cd /usr/share/elasticsearch/modules/x-pack/core
# Unpack x-pack-core-7.6.0.jar
$ /usr/share/elasticsearch/jdk/bin/jar -xvf x-pack-core-7.6.0.jar
# Replace the .class files
$ cp /opt/XPackBuild.class /opt/x-pack/org/elasticsearch/xpack/core/
$ cp /opt/LicenseVerifier.class /opt/x-pack/org/elasticsearch/license/
# Repack into a jar
$ cd /opt/x-pack/
$ /usr/share/elasticsearch/jdk/bin/jar -cvf x-pack-core-7.6.0.jar .
# Replace the installed jar with the generated one
$ cp /opt/x-pack/x-pack-core-7.6.0.jar /usr/share/elasticsearch/modules/x-pack-core/x-pack-core-7.6.0.jar
```
Apply for a license
Apply for a license on the Elastic website: [License application page](https://license.elastic.co/registration). Once the application is complete, the downloaded license is in JSON format. Change the license's `type`, `expiry_date_in_millis` and `max_nodes` to `platinum`, `4544447920099` and `9999` respectively, as follows:

```json
{"license":
  {
    "uid":"537c5c48-c1dd-43ea-ab69-68d209d80c32",
    "type":"platinum",
    "issue_date_in_millis":1558051200000,
    "expiry_date_in_millis":4544447920099,
    "max_nodes":9999,
    "issued_to":"work",
    "issuer":"Web Form",
    "signature":"…",
    "start_date_in_millis":1558051200000
  }
}
```
Configure the elasticsearch security protocol
After completing all of the steps above and before starting elasticsearch, we need to configure SSL/TLS for elasticsearch. Without that configuration, security has to be disabled before the license can be loaded. Once the license has been loaded, we re-enable security and turn on SSL/TLS.

```
# Edit the startup unit
$ vi /usr/lib/systemd/system/elasticsearch.service
[Unit]
Description=elasticsearch
After=network.target

[Service]
Type=simple
User=elk
Group=elk
LimitNOFILE=100000
LimitNPROC=100000
Restart=no
ExecStart=/usr/share/elasticsearch/bin/elasticsearch
PrivateTmp=true

[Install]
WantedBy=multi-user.target

# Steps before loading the license into elasticsearch
$ echo "xpack.security.enabled: false" >> /usr/share/elasticsearch/config/elasticsearch.yml
$ echo "node.name: node-1" >> /usr/share/elasticsearch/config/elasticsearch.yml
$ echo 'cluster.initial_master_nodes: ["node-1"]' >> /usr/share/elasticsearch/config/elasticsearch.yml
# Binds to all interfaces while security is still disabled
$ echo "network.host: 0.0.0.0" >> /usr/share/elasticsearch/config/elasticsearch.yml
# Kernel tuning
$ echo "vm.max_map_count = 262144" >> /etc/sysctl.conf && sysctl -p
$ systemctl restart elasticsearch
```

Load the license into elasticsearch

```
$ curl -XPUT -u elastic 'http://127.0.0.1:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
Enter host password for user 'elastic':          # Prompt for the elastic user's password; there is none yet, so just press Enter
{"acknowledged":true,"license_status":"valid"}   # License written successfully

# Steps after loading the license into elasticsearch
$ echo "xpack.security.transport.ssl.enabled: true" >> /data/elasticsearch-7.6.0/config/elasticsearch.yml
$ sed -i 's/xpack.security.enabled: false/xpack.security.enabled: true/g' /data/elasticsearch-7.6.0/config/elasticsearch.yml
$ systemctl restart elasticsearch                # Restart elasticsearch
```
View the license

```
$ curl -XGET -u elastic:tWbWZc7NE3wYqS6DvSu4 http://127.0.0.1:9200/_license
{"license":
  {
    "uid":"537c5c48-c1dd-43ea-ab69-68d209d80c32",
    "type":"platinum",
    "issue_date_in_millis":1558051200000,
    "expiry_date_in_millis":4544447920099,
    "max_nodes":9999,
    "issued_to":"work",
    "issuer":"Web Form",
    "start_date_in_millis":1558051200000
  }
}
```
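Tuning tips

- First, confirm that the cluster's JVM load has not stayed above 75% for long periods (monitoring will show this).
- For log-like workloads, if you use the ES default configuration (5 shards) and have Logstash create one index per day, then after 6 months the number of shards will reach 890. Much more than that and the ES cluster will struggle to work, so never use the default settings for logging.
- For logging, keep shard size at about 30G per shard, and make the number of shards equal to the number of cluster nodes or a multiple of it. Worked example: assume the ES cluster has 5 nodes, the index currently holds 150GB, and it is expected to grow 50% over the next half year. With a 30GB shard size, roughly 150GB * (1 + 50%) / 30 ≈ 7 shards are needed. With 5 nodes, the extra 7-5=2 shards land on any two of the 5 nodes, which then carry more load, creating data hotspots and uneven pressure between nodes. The shard count should therefore be a multiple of the node count, so set it to 10 here to even things out.
- The formula, in summary: total current index data size * (1 + expected growth rate) / 30G (the controlled size of a single shard; this is fixed, and 30G is optimal).
- For logging, also create indices per week or per month (per-day and per-hour indices easily lead to too many indices).
- If the log data is not important, replicas can be left unset or set to 1 (`number_of_replicas` of 1).
- If the budget allows and the data volume will keep growing, it is strongly recommended to scale out horizontally by adding nodes to the existing cluster (this greatly improves performance).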