How to set up 3 dedicate master + 4 data nodes also master elegible

hlcxpl · July 20, 2023, 1:44pm

i need to set up 3 master node dedicate and 4 data node and master elegibles
this is my yml configuration

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true

cluster.name: Cluster-Lab
node.name: master1
node.roles: [ master ]
network.host: ['192.168.100.84']
http.port: 9200

cluster.initial_master_nodes: ['192.168.100.84', '192.168.100.82', '192.168.100.81']
discovery.seed_hosts: ['192.168.100.84', '192.168.100.82', '192.168.100.81']

# security settings
xpack.security.enabled: true
xpack.security.autoconfiguration.enabled: false
# transport ssl
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/master1/master1.key
xpack.security.transport.ssl.certificate: certs/master1/master1.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca/ca.crt
## http ssl
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/master1/master1.key
xpack.security.http.ssl.certificate: certs/master1/master1.crt
xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt

rugenl · July 20, 2023, 2:30pm

I'm not sure if there is a way to force one of your dedicated masters to be the active master instead of one of the four data/master eligible nodes.

Try it, tell us what happens.

leandrojmp · July 20, 2023, 3:15pm

Any reason to set the data node as master elegibles? If you have 3 dedicated master nodes I see no reason to also have the master nodes as master elegibles.

You can not choose the master, Elastic will elect one of the master elegibles as the master nodes and the only way to change it is if the node is restarted.

hlcxpl · July 20, 2023, 3:35pm

i have seem this scheme before i just want to replicate into elastic 8.8.2 the reason is, if the 3 dedicates master for no reason shut down one of the 4 data nodes still being the master the continuation of the process will have never shut down in my case.

hlcxpl · July 20, 2023, 3:37pm

also i need help to configure the 3 dedicate master i mean not to receive data to configure only for master

leandrojmp · July 20, 2023, 4:01pm

The elasticsearch.yml you shared is already correct for creating a dedicate master, what issue you are having? What error do you have in the logs? You need to share it.

But in this scenario it makes no sense to have dedicated master nodes.

From the documentation you have this:

It is important for the health of the cluster that the elected master node has the resources it needs to fulfill its responsibilities. If the elected master node is overloaded with other tasks then the cluster will not operate well. The most reliable way to avoid overloading the master with other tasks is to configure all the master-eligible nodes to be dedicated master-eligible nodes which only have the master role, allowing them to focus on managing the cluster.

If you are going to use data nodes as master eligible you may have some cases where the data node acting as master is overload and you may have issues in your cluster.

hlcxpl · July 20, 2023, 6:09pm

Interesting i share this information to my lab team, thanks again for the knowledge, and pretty insterested in know more about elastic 8.8.2

leandrojmp · July 20, 2023, 7:12pm

This didn't change in version 8, it is the same recommendation for the past versions.

Not sure from where you got the configuration to mix up dedicated and non-dedicated master nodes, but I would not recommend it if you can have dedicated master nodes.

hlcxpl · July 20, 2023, 8:57pm

nice i start the cluster with the right implementation

hlcxpl · July 21, 2023, 7:47pm

Hi, is me again if i'm configuring logstash, i have to create a certificate for logstash intance.yml in tmp and the thing is if i have to asigne a password or phrase but i was searching for keystore in logstash but there is not keystore file there how could i, secure configure logstash with the same private phrasse structure ? or i have to generate a single pem certificate for logstash self-signed? or configured one without --pass flag.

leandrojmp · July 21, 2023, 8:37pm

I didn't tested with Logstash and I'm not sure Logstash supports PEM keys with passphrase.

What I use is the CRT file for the CA.

use cacert => "/path/to/the/ca.crt"

If this do not work you will probably need to regenerate all the certificates for your cluster withtout the --pass parameter.

hlcxpl · July 21, 2023, 8:44pm

if i generate all the certificate again that will shutdown my cluster and we are ingesting the cluster with data already. could it be a way todo it in a secure way? also i tried without the --pass flag and gave me an error, if i have to generate all the certificates only will be the ca.crt but i think i will have to create also the pem .crt and .key for the nodes too if i change the main certificatte ca.crt
?

leandrojmp · July 21, 2023, 8:55pm

Yes, if you want to regenerate and change certificates you need a full cluster restart.

But I don't think you need it, you can just use the CRT file of the Certificate Authority you created and used to create the node certificates. Have you tried it?

When you created the CA you have a .key file and .crt file, copy the .crt file to the logstash server and configure the cacert option in the Elasticsearch output, it should work, this is what I use in production.

hlcxpl · July 21, 2023, 9:03pm

but i create a password for that how could i pass the password to logstash?

hlcxpl · July 21, 2023, 9:04pm

i will try like that

hlcxpl · July 25, 2023, 7:05pm

it works with the ca certificate and write the ingest line the node.roles: [ingets] section o one of my data nodes thank and i also have a permision problem with one of my file. the elastic data ingesting works succesfully.

system · August 22, 2023, 7:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.