Master Elasticsearch Snapshots and Security: Step‑by‑Step NFS Backup Guide

This guide walks you through configuring Elasticsearch snapshot backups using NFS, installing and using elasticdump for data export, securing the cluster with SSL certificates, setting up user authentication, and managing Kibana access, providing complete commands, configuration snippets, and visual diagrams for each step.

Raymond Ops

1. Official Snapshot Backup and Restore

Configure Elasticsearch nodes to share a common NFS directory for snapshot storage.

Environment Requirements

All Elasticsearch nodes must mount the same shared NFS directory.

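# On the NFS server (10.0.0.122)
yum install nfs-utils -y
# create elasticsearch user and group
groupadd elasticsearch -g 996
useradd elasticsearch -g 996 -u 998 -M -s /sbin/nologin

# create the export directory, owned by the account that squashed clients map to
mkdir -p /es-nfs-data
chown elasticsearch:elasticsearch /es-nfs-data

# all_squash maps every client user to anonuid/anongid (the elasticsearch account above)
cat > /etc/exports <<'EOF'
/es-nfs-data 10.0.0.0/24(rw,sync,all_squash,anonuid=998,anongid=996)
EOF
systemctl restart nfs
showmount -e 10.0.0.122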

Install NFS Client on ES Nodes

cat > nfs-client.sh <<'EOF'
yum install nfs-utils -y
mkdir -p /es-client-data
mount -t nfs 10.0.0.122:/es-nfs-data /es-client-data
EOF
sh nfs-client.sh
# verify mount
df -h | grep es-client-data

Enable Snapshot on ES Nodes

# add to each node's elasticsearch.yml
path.repo: /es-client-data/
cluster.name: yuchao_es
node.name: es-node3
path.data: /var/lib/elasticsearch/
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: true
network.host: 127.0.0.1,10.0.0.20
http.port: 9200
discovery.seed_hosts: ["10.0.0.18","10.0.0.19","10.0.0.20"]
cluster.initial_master_nodes: ["10.0.0.18"]

Verify Restart

Restart the Elasticsearch service and ensure it starts without errors.

Register Snapshot Repository

PUT /_snapshot/my_backup
{
  "type": "fs",
  "settings": {"location": "/es-client-data/my_backup_location", "compress": true}
}
GET /_snapshot/my_backup

Create Snapshots

# Full snapshot
PUT /_snapshot/my_backup/snapshot_1?wait_for_completion=true

# Snapshot of specific indices
PUT /_snapshot/my_backup/snapshot_2?wait_for_completion=true
{
  "indices": "t1,t2",
  "ignore_unavailable": true,
  "include_global_state": false
}

View Snapshot Information

GET /_snapshot
GET /_snapshot/my_backup/
GET /_snapshot/my_backup/snapshot_1
GET /_snapshot/my_backup/snapshot_2
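
Before an index is deleted and restored from a snapshot, it is worth confirming that the snapshot completed cleanly. The script below is an added example, not part of the original article: it reads the plain-text output of the `_cat/snapshots` API and reports snapshots that should not be used for a restore. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a snapshot is safe to restore from.
# Input on stdin is the output of (host and repository as used on this page):
#   curl -s 'http://10.0.0.18:9200/_cat/snapshots/my_backup?h=id,status,failed_shards'
# which prints one line per snapshot: <id> <status> <failed_shards>

# Print "<id> <reason>" for each snapshot that is not a clean SUCCESS.
# Returns 1 if any such snapshot exists, 0 otherwise.
unusable_snapshots() {
  awk '
    NF < 3          { next }
    $2 != "SUCCESS" { print $1, "status=" $2; bad = 1; next }
    $3 + 0 > 0      { print $1, "failed_shards=" $3; bad = 1 }
    END             { exit (bad + 0) }'
}

# Succeed only if the named snapshot exists, is SUCCESS and has no failed shards.
snapshot_is_restorable() {  # usage: ... | snapshot_is_restorable <snapshot-id>
  awk -v id="$1" '
    $1 == id && $2 == "SUCCESS" && $3 + 0 == 0 { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# Constructed sample output (not captured from a real cluster).
SAMPLE_CAT_OUTPUT='snapshot_1 SUCCESS     0
snapshot_2 PARTIAL     2
snapshot_3 IN_PROGRESS 0'
```

In a backup job, pipe the `curl` output into `snapshot_is_restorable snapshot_2` and only proceed with the index deletion when it succeeds.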

Restore Data

# Delete index t2 then restore it
POST /_snapshot/my_backup/snapshot_2/_restore
{
  "indices": "t2",
  "ignore_unavailable": true,
  "include_global_state": false,
  "rename_pattern": "t(.+)",
  "rename_replacement": "restored_index_$1",
  "include_aliases": false
}

Snapshot Naming with Dates (Not Recommended)

# Date math must be percent-encoded in the request path: <snapshot-{now/d}>
PUT /_snapshot/my_backup/%3Csnapshot-%7Bnow%2Fd%7D%3E

2. Third‑Party Backup Tools (elasticdump)

Install Node.js

cd /opt
wget https://nodejs.org/dist/v10.16.3/node-v10.16.3-linux-x64.tar.xz
tar -xf node-v10.16.3-linux-x64.tar.xz
ln -s node-v10.16.3-linux-x64/ node
export PATH=/opt/node/bin:$PATH
npm install elasticdump -g
elasticdump --version

Backup Commands

# Export index t1 to JSON
elasticdump \
  --input=http://10.0.0.18:9200/t1 \
  --output=/es-nfs-data/t1.json \
  --type=data

# Export and compress
elasticdump \
  --input=http://10.0.0.18:9200/t2 \
  --output=- | gzip > /es-nfs-data/t2.json.gz

Restore Commands

# Import JSON back into Elasticsearch
elasticdump \
  --input=/es-nfs-data/t2.json \
  --output=http://10.0.0.18:9200/t2 \
  --type=data

Batch Backup Script

#!/bin/bash
# list index names, skipping system indices whose names start with "."
indexes=$(curl -s 10.0.0.18:9200/_cat/indices | awk '{print $3}' | grep -v '^\.')
for i in $indexes; do
  elasticdump \
    --input="http://10.0.0.18:9200/$i" \
    --output="/es-nfs-data/$i.json" \
    --type=data
done

Password‑Protected Elasticsearch

# PASSWORD and ES_HOST are placeholders; substitute your own values
elasticdump \
  --input=http://user:PASSWORD@ES_HOST:9200/t2 \
  --output=/es-nfs-data/t2.json \
  --type=data

3. Elasticsearch Security Configuration

Create Certificates

# Generate a CA (default output file: elastic-stack-ca.p12)
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
# Generate node certificates using the CA (default output file: elastic-certificates.p12)
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Distribute Certificates

# USER, OTHER_NODE_1 and OTHER_NODE_2 are placeholders for the login and the remaining ES nodes
scp -r /etc/elasticsearch/certs USER@OTHER_NODE_1:/etc/elasticsearch/
scp -r /etc/elasticsearch/certs USER@OTHER_NODE_2:/etc/elasticsearch/

Enable Security in elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
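# use the node certificate file; keep elastic-stack-ca.p12, which holds the CA private key, out of the node keystore
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12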
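
A quick way to check a node's `elasticsearch.yml` against the settings in this section, as an added example that is not from the original article. It flags disabled security, unencrypted or unverified transport, a node keystore that points at the CA file (which also contains the CA private key), and a REST layer without TLS. It assumes flat dotted keys as written on this page; `yml_get`, `audit_es_security`, `audit_string` and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit flat "key: value" security settings in elasticsearch.yml.

# Print the value of a dotted key (last occurrence wins); empty if absent.
yml_get() {  # usage: yml_get <file> <key>
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    { i = index($0, ":"); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      sub(/[ \t]+#.*$/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
      gsub(/^"|"$/, "", val)
      if (key == k) v = val }
    END { print v }' "$1"
}

# Print one finding per line; return 1 if anything was found.
audit_es_security() {
  cfg=$1; rc=0; p=xpack.security
  [ "$(yml_get "$cfg" $p.enabled)" = true ] ||
    { echo "security-disabled: $p.enabled is not true"; rc=1; }
  [ "$(yml_get "$cfg" $p.transport.ssl.enabled)" = true ] ||
    { echo "transport-plaintext: node-to-node traffic is not encrypted"; rc=1; }
  [ "$(yml_get "$cfg" $p.transport.ssl.verification_mode)" != none ] ||
    { echo "transport-noverify: peer certificates are not checked"; rc=1; }
  case "$(yml_get "$cfg" $p.transport.ssl.keystore.path)" in
    *elastic-stack-ca.p12)
      echo "ca-key-on-node: keystore is the CA file (holds the CA private key)"; rc=1 ;;
  esac
  [ "$(yml_get "$cfg" $p.http.ssl.enabled)" = true ] ||
    { echo "http-plaintext: REST API on port 9200 is not TLS-protected"; rc=1; }
  return $rc
}

# Constructed sample configs (not taken from a real cluster).
WEAK_CFG='xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-stack-ca.p12'
HARDENED_CFG='xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true'

# Audit a config passed as a string; same output and exit status as above.
audit_string() {
  tmp=$(mktemp); printf '%s\n' "$1" > "$tmp"
  audit_es_security "$tmp"; st=$?; rm -f "$tmp"; return $st
}
```

Run `audit_es_security /etc/elasticsearch/elasticsearch.yml` on each node; the `http-plaintext` finding matters here because the elasticdump commands on this page send basic-auth credentials over `http://`.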

Set Built‑in User Passwords

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

Configure Kibana to Use the New User

elasticsearch.username: "kibana_system"
elasticsearch.password: "123123"

Create Kibana Space and Role for Limited Access

Define a space (e.g., "dev") and a role that only allows read access to index t2, then assign the role to a new user.

# Create role
PUT /_security/role/dev_role
{
  "indices": [{"names": ["t2"], "privileges": ["read"]}]
}
# Create user and assign role
POST /_security/user/dev_user
{
  "password": "devpass",
  "roles": ["dev_role"]
}

Result

The user can log into Kibana, see only the designated space, and access only the allowed index.
