Install Debian with basic function, only add SSH server.
Login as root
Modify /etc/network/interfaces:
auto enp8s0
iface enp8s0 inet static
    address 10.0.0.12
    netmask 255.255.0.0
    gateway 10.0.0.1
    dns-nameservers 10.0.0.1
Set the name of the machine in /etc/hostname and its IP address in /etc/hosts.
Register the name with your DNS server or add it to /etc/hosts on the host system; the ssh command below relies on the name resolving.
Update the system:
apt update && apt upgrade -y
apt autoremove -y
Create another, unprivileged user with a home directory and a login shell, and set its password (this is the account you will log in with; root stays SSH-only through su):
useradd -m -s /bin/bash kenny
passwd kenny
Reboot
reboot now
Login through ssh
ssh kenny@deb11-elk-01
Become root
su -
Install vim, gpg (to import the Elastic signing key), apt-transport-https (HTTPS downloads for apt) and cifs-utils (to mount SMB/CIFS shares). Then fetch the Elastic signing key, store it de-armored in the keyring directory and add the 8.x repository, pinned to that key with signed-by:
apt install -y vim gpg apt-transport-https cifs-utils
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list
Now is a good time to shut down and clone the VM for the other two nodes.
Remember that the clones inherit the name, the IP address and the SSH host keys of the first node. Therefore start them one at a time, adjust /etc/network/interfaces, /etc/hostname and /etc/hosts, regenerate the SSH host keys (delete /etc/ssh/ssh_host_* and run dpkg-reconfigure openssh-server) so the three machines do not share one identity, and shut each clone down again. Whatever addresses you choose, use the same ones later for network.host and discovery.seed_hosts.
Start the first node again, log in with ssh, change to root and install elasticsearch:
apt update && apt upgrade -y
apt install elasticsearch -y
root@deb11-elk-01:~# apt install elasticsearch -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  elasticsearch
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 582 MB of archives.
After this operation, 1,195 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/8.x/apt stable/main amd64 elasticsearch amd64 8.6.2 [582 MB]
Fetched 582 MB in 53s (11.0 MB/s)
Selecting previously unselected package elasticsearch.
(Reading database ... 35064 files and directories currently installed.)
Preparing to unpack .../elasticsearch_8.6.2_amd64.deb ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Unpacking elasticsearch (8.6.2) ...
Setting up elasticsearch (8.6.2) ...
--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : vOzEV_QT*vV-mOuRa-9q

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

-------------------------------------------------------------------------------------------------
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
DO NOT START IT YET!!
Save the generated password of the elastic superuser somewhere safe (a password manager): it is printed only once, it is the only credential the cluster has so far, and it can be reset later with /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic.
Modify /etc/elasticsearch/elasticsearch.yml (network.host is this node's own address; cluster.initial_master_nodes names the node that bootstraps the cluster, and node.name defaults to the host name):
cluster.name: elastickenny
network.host: 10.68.100.12
cluster.initial_master_nodes: ["deb11-elk-01"]
transport.host: 0.0.0.0
On the first node (deb11-elk-01) reload systemd, enable the service so it starts at boot, and start it:
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
Check if the start was successful with:
systemctl status elasticsearch.service
or check the cluster log, /var/log/elasticsearch/elastickenny.log (the file is named after cluster.name).
Congratulations: the first node is running.
Let's add the backup (snapshot) repository. If the share is already mounted on the Linux host, for example over NFS, you only have to whitelist its location with path.repo in /etc/elasticsearch/elasticsearch.yml (see below); the repository itself is registered afterwards through the snapshot API, and every node of the cluster must have the same path mounted.
But I am using a Windows share. Windows shares use the SMB (Server Message Block) protocol. CIFS (Common Internet File System) is Microsoft's name for an old SMB dialect (SMB 1); the Linux tooling kept that name, so the package is called cifs-utils and the filesystem type in fstab is cifs, even though the vers=3.0 option used below selects SMB 3.
I assume the Windows machine has the IP address 10.0.1.10 and the share name is ES.
Create a file containing the credentials for the share in the root user's home directory. It holds the share password in clear text, so restrict it to root (chmod 600 /root/backup.crd):
cat > /root/backup.crd
username=kenny
password=kennyspassword
<ctrl-d>
To mount the share for the snapshot repository with the correct permissions for the elasticsearch user, we need to know the user id (uid) of the elasticsearch user:
id -u elasticsearch
106
Create the mount directory
mkdir /mnt/backup
Add the share used for the repository to /etc/fstab. mount.cifs also accepts the user name (uid=elasticsearch, and gid=elasticsearch for the group), which does not break if the numeric id differs on another node:
//10.0.1.10/ES /mnt/backup cifs vers=3.0,credentials=/root/backup.crd,uid=106 0 0
Mount the share by its mount point, so the entry from /etc/fstab is used:
mount /mnt/backup
In /etc/elasticsearch/elasticsearch.yml add the directory to the locations a snapshot repository is allowed to use:
path.repo: /mnt/backup/ElasticBackup
Restart ES:
systemctl restart elasticsearch
Note: if the share is not mounted when Elasticsearch starts, the node will not start. Give the fstab entry the nofail option if the machine must be able to boot without the share, and make the service wait for the mount with a drop-in (systemctl edit elasticsearch.service) that sets RequiresMountsFor=/mnt/backup in its [Unit] section.
The other two nodes already have almost all the configuration they need.
On the first node generate a node enrollment token. Treat it like a password: it contains an API key that authorises the join, and it is only valid for 30 minutes.
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
eyJ2ZXIiOiI4LjYuMiIsImFkciI6WyIxMC42OC4xMDAuMTI6OTIwMCJdLCJmZ3IiOiI0MzBhMWRiYWFhZGFmMjEzMjBiYzEyZTI5ZWM5NjhlOTNmZWQzMDA4YzgxMGMwYTY3NjMzOGYyZDY5NjE3OTAxIiwia2V5Ijoibm85cnc0WUIwdkRBWFhaMWpZTnA6MnZLbGs3VElTR09RZDRlS1FQV1NGQSJ9
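Before pasting the token on the new node it is worth checking what it actually says. The following script is an added example, not part of the original tutorial and not an Elastic tool: an enrollment token is base64-encoded JSON with the fields "ver" (the Elasticsearch version of the cluster), "adr" (HTTP addresses of the cluster), "fgr" (the SHA-256 fingerprint of the cluster's HTTP CA certificate, which is how the new node can trust the first node on first contact) and "key" (the short-lived API key). The script decodes the token from above, redacts the key for printing, and checks that the address and, optionally, the CA fingerprint match the node you meant to join. The fingerprint argument accepts the output of openssl x509 -noout -fingerprint -sha256 -in /etc/elasticsearch/certs/http_ca.crt run on the first node.

```python
"""Decode and sanity-check an Elasticsearch 8.x node enrollment token.

Added example, not part of the original tutorial. The token is a credential
(it carries an API key): never paste it into tickets or chat logs, and expect
it to expire 30 minutes after it was generated.
"""
import base64
import json
from typing import List, Optional

# The token generated on deb11-elk-01 in the text above.
TOKEN = (
    "eyJ2ZXIiOiI4LjYuMiIsImFkciI6WyIxMC42OC4xMDAuMTI6OTIwMCJdLCJmZ3IiOiI0MzBhMWRiYWFhZGFm"
    "MjEzMjBiYzEyZTI5ZWM5NjhlOTNmZWQzMDA4YzgxMGMwYTY3NjMzOGYyZDY5NjE3OTAxIiwia2V5Ijoibm85"
    "cnc0WUIwdkRBWFhaMWpZTnA6MnZLbGs3VElTR09RZDRlS1FQV1NGQSJ9"
)


def decode_enrollment_token(token: str) -> dict:
    """Return the token's JSON payload; raises ValueError if it is not a token."""
    token = token.strip()
    padded = token + "=" * (-len(token) % 4)        # tokens are printed without padding
    data = json.loads(base64.urlsafe_b64decode(padded))
    missing = [f for f in ("ver", "adr", "fgr", "key") if f not in data]
    if missing:
        raise ValueError(f"not an enrollment token, missing {missing}")
    return data


def redact(data: dict) -> dict:
    """Copy that is safe to log: keep the API key id, drop the secret part."""
    key_id = data["key"].split(":", 1)[0]
    return {**data, "key": key_id + ":<redacted>"}


def _norm_fingerprint(fpr: str) -> str:
    """Accept bare hex or the 'sha256 Fingerprint=43:0A:...' form openssl prints."""
    return fpr.split("=")[-1].replace(":", "").strip().lower()


def check_enrollment_token(token: str, expected_addr: str,
                           expected_fpr: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the token looks right.

    expected_addr is host:port (HTTP, 9200) of the node that created the token;
    expected_fpr is the SHA-256 fingerprint of that node's http_ca.crt."""
    problems = []
    data = decode_enrollment_token(token)
    if expected_addr not in data["adr"]:
        problems.append(f"token is for {data['adr']}, not {expected_addr}")
    fpr = _norm_fingerprint(data["fgr"])
    if len(fpr) != 64 or any(c not in "0123456789abcdef" for c in fpr):
        problems.append("fgr is not a SHA-256 fingerprint")
    elif expected_fpr is not None and fpr != _norm_fingerprint(expected_fpr):
        problems.append("fgr does not match the HTTP CA of the cluster you meant to join")
    return problems


if __name__ == "__main__":
    print(json.dumps(redact(decode_enrollment_token(TOKEN)), indent=2))
    print(check_enrollment_token(TOKEN, "10.68.100.12:9200") or "token OK")
```

Run it on the machine where you are about to use the token; if the address in "adr" is not the first node's, you copied the wrong token, and if the fingerprint differs from the CA on the first node, you would be enrolling into a different cluster than the one you think.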
Start the second VM (deb11-elk-02), log in with SSH and change to root.
Add the mount to /etc/fstab, create the mount point and the credentials file and mount the share, exactly like on the first node.
Install elasticsearch:
apt update && apt upgrade -y
apt install elasticsearch -y
The security auto-configuration that the package generated for a stand-alone cluster (its own certificates and keystore) has to be removed, otherwise the node cannot be enrolled into the existing cluster:
rm -rf /etc/elasticsearch/certs
rm /etc/elasticsearch/elasticsearch.keystore
Replace /etc/elasticsearch/elasticsearch.yml with the following (network.host is this node's own address):
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: elastickenny
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# Path to snapshot repository
#
path.repo: /mnt/backup/ElasticBackup
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 10.0.0.13
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# --------------------------------- Readiness ----------------------------------
#
# Enable an unauthenticated TCP readiness endpoint on localhost
#
#readiness.port: 9399
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false
#
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
transport.host: 0.0.0.0
Configure the second node. The package's post-install message names the supported tool for this step, elasticsearch-reconfigure-node --enrollment-token <token>, to be run as root before the node is started for the first time. The route taken here instead was to start Elasticsearch itself with the token:
/usr/share/elasticsearch/bin/elasticsearch --enrollment-token eyJ2ZXIiOiI4LjYuMiIsImFkciI6WyIxMC42OC4xMDAuMTI6OTIwMCJdLCJmZ3IiOiI0MzBhMWRiYWFhZGFmMjEzMjBiYzEyZTI5ZWM5NjhlOTNmZWQzMDA4YzgxMGMwYTY3NjMzOGYyZDY5NjE3OTAxIiwia2V5Ijoibm85cnc0WUIwdkRBWFhaMWpZTnA6MnZLbGs3VElTR09RZDRlS1FQV1NGQSJ9
Elasticsearch refuses to run as root, therefore it won't start. It does, however, complete the security configuration (certificates, keystore and the settings in elasticsearch.yml) before it complains about being started as root. Because the process ran as root, a couple of files end up with the wrong owner; fix them before the service starts as the elasticsearch user:
chown -R elasticsearch:elasticsearch /var/log/elasticsearch
chown -R root:elasticsearch /etc/elasticsearch/
Reload systemd, enable the service and start it:
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
The installation of the third node works like the second; just change the IP address for network.host in elasticsearch.yml, and generate a fresh enrollment token on the first node if the earlier one has expired (they are valid for 30 minutes).
Once the cluster has formed (all three nodes show up in the same cluster), set discovery.seed_hosts in each node's elasticsearch.yml to the transport addresses (port 9300) of the other two nodes. These must be the addresses configured as network.host on those nodes:
deb11-elk-01:
discovery.seed_hosts: ["10.68.100.13:9300", "10.68.100.14:9300"]
deb11-elk-02:
discovery.seed_hosts: ["10.68.100.12:9300", "10.68.100.14:9300"]
deb11-elk-03:
discovery.seed_hosts: ["10.68.100.12:9300", "10.68.100.13:9300"]
and on deb11-elk-01 comment out the bootstrap setting. It is only meant for the very first start of a brand-new cluster and must not stay in place once the cluster exists, because a later restart with it present can bootstrap a second, separate cluster:
#cluster.initial_master_nodes: ["deb11-elk-01"]
The file is only read at start-up, so restart the nodes one at a time (systemctl restart elasticsearch) and check that each one has rejoined before restarting the next.
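Two things in the procedure above are worth verifying from the API rather than assuming: that all three nodes really formed one cluster with a single elected master, and that the snapshot repository works from every node (path.repo only whitelists the directory; the repository still has to be registered with PUT /_snapshot/<name>, and the cluster itself can confirm with POST /_snapshot/<name>/_verify that every node can write to the share). The script below is an added example, not part of the original tutorial and not an Elastic tool. It talks to one node's HTTP API over TLS, trusting only the auto-generated HTTP CA (/etc/elasticsearch/certs/http_ca.crt) and authenticating as the built-in elastic user. The node names are those of this tutorial; the repository name "backup", the environment variables ES_URL and ES_PASSWORD, and the sample responses it uses when ES_PASSWORD is unset are assumptions made for the example.

```python
"""Check that the three-node cluster formed and register the fs snapshot repository.

Added example, not part of the original tutorial. Without ES_PASSWORD in the
environment it runs the checks on constructed sample responses instead of
talking to a cluster.
"""
import base64
import json
import os
import ssl
import urllib.request

EXPECTED_NODES = {"deb11-elk-01", "deb11-elk-02", "deb11-elk-03"}
REPO_NAME = "backup"                         # assumed repository name
REPO_LOCATION = "/mnt/backup/ElasticBackup"  # must lie under path.repo on every node
CA_CERT = "/etc/elasticsearch/certs/http_ca.crt"


def es_request(base_url, path, user, password, method="GET", body=None, ca_cert=CA_CERT):
    """One authenticated JSON request; TLS is verified against the cluster CA only."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def cluster_formed(cat_nodes, expected):
    """cat_nodes: decoded GET /_cat/nodes?format=json&h=name,ip,master,node.role.

    Returns (all expected nodes present, name of the elected master). A healthy
    cluster has exactly one master, marked '*' in the master column."""
    masters = [n["name"] for n in cat_nodes if n.get("master") == "*"]
    if len(masters) != 1:
        return False, None
    present = {n["name"] for n in cat_nodes}
    return expected <= present, masters[0]


def repo_definition(location):
    """Body for PUT /_snapshot/<name>: a shared-filesystem repository."""
    return {"type": "fs", "settings": {"location": location, "compress": True}}


def repo_verified(verify_response, expected):
    """POST /_snapshot/<name>/_verify lists the nodes that could write to the
    location; every node must be able to, or snapshots will fail later."""
    writers = {n["name"] for n in verify_response.get("nodes", {}).values()}
    return expected <= writers


# Constructed sample responses in the shape of the two API calls above (not
# captured from a real cluster).
SAMPLE_CAT_NODES = [
    {"name": "deb11-elk-01", "ip": "10.68.100.12", "master": "*", "node.role": "cdfhilmrstw"},
    {"name": "deb11-elk-02", "ip": "10.68.100.13", "master": "-", "node.role": "cdfhilmrstw"},
    {"name": "deb11-elk-03", "ip": "10.68.100.14", "master": "-", "node.role": "cdfhilmrstw"},
]
SAMPLE_VERIFY = {"nodes": {"n1": {"name": "deb11-elk-01"},
                           "n2": {"name": "deb11-elk-02"},
                           "n3": {"name": "deb11-elk-03"}}}


def main():
    password = os.environ.get("ES_PASSWORD")
    if password is None:                                   # offline demonstration
        nodes, verify = SAMPLE_CAT_NODES, SAMPLE_VERIFY
    else:
        base = os.environ.get("ES_URL", "https://deb11-elk-01:9200")
        nodes = es_request(base, "/_cat/nodes?format=json&h=name,ip,master,node.role",
                           "elastic", password)
        es_request(base, f"/_snapshot/{REPO_NAME}", "elastic", password,
                   method="PUT", body=repo_definition(REPO_LOCATION))
        verify = es_request(base, f"/_snapshot/{REPO_NAME}/_verify", "elastic", password,
                            method="POST")
    formed, master = cluster_formed(nodes, EXPECTED_NODES)
    print("cluster formed:", formed, "elected master:", master)
    print("repository writable from every node:", repo_verified(verify, EXPECTED_NODES))


if __name__ == "__main__":
    main()
```

Run it as ES_PASSWORD='...' python3 check_cluster.py from a machine that has a copy of http_ca.crt; a "cluster formed: False" with a master named means a node has not joined yet, and a False from the repository check means the share is missing or not writable on at least one node, which is exactly the case the fstab and uid settings above are meant to prevent.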
Next: Installation on Linux