Master Elasticsearch Snapshots: NFS Backup, Restore, and Security Setup
This guide walks you through configuring shared NFS storage for Elasticsearch snapshot backups, creating and restoring snapshots, using elasticdump for data export, and securing the cluster with X‑Pack security, password management, and Kibana role‑based access.
1. Official Elasticsearch Snapshot Backup and Restore
Environment Requirements
All Elasticsearch nodes must mount the same shared directory, e.g., via NFS.
# Verify Elasticsearch user
id elasticsearch
Set Up NFS Server
yum install nfs-utils -y
# Create a dedicated user for the mount
groupadd elasticsearch -g 996
useradd elasticsearch -g 996 -u 998 -M -s /sbin/nologin
cat > /etc/exports <<'EOF'
/es-nfs-data 10.0.0.0/24(rw,sync,all_squash,anonuid=998,anongid=996)
EOF
mkdir -p /es-nfs-data
chown -R elasticsearch:elasticsearch /es-nfs-data
systemctl restart nfs
showmount -e 10.0.0.122
Install NFS Client on ES Nodes
cat > nfs-client.sh <<'EOF'
yum install nfs-utils -y
mkdir -p /es-client-data
mount -t nfs 10.0.0.122:/es-nfs-data /es-client-data
EOF
sh nfs-client.sh
# Verify mount
df -h | grep es-client-data
Configure Elasticsearch Nodes for Snapshots
# Add to each node's elasticsearch.yml
path.repo: /es-client-data/
# Example configuration snippet
cluster.name: yuchao_es
node.name: es-node3
path.data: /var/lib/elasticsearch/
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: true
network.host: 127.0.0.1,10.0.0.20
http.port: 9200
discovery.seed_hosts: ["10.0.0.18","10.0.0.19","10.0.0.20"]
cluster.initial_master_nodes: ["10.0.0.18"]
path.repo: /es-client-data/
# Restart service
systemctl restart elasticsearch.service
Verify Restart
1. Register Snapshot Repository
PUT /_snapshot/my_backup
{
"type": "fs",
"settings": {
"location": "/es-client-data/my_backup_location",
"compress": true
}
}
# Verify repository
GET /_snapshot/my_backup
2. Create a Snapshot
PUT /_snapshot/my_backup/snapshot_1?wait_for_completion=true
Check Snapshot
Snapshot Diagram (NFS)
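One way to check a snapshot before relying on it, as an added example that is not part of the original article. It reads the JSON returned by the create call (with `wait_for_completion=true`) or by `GET /_snapshot/my_backup/<name>` and reports a non-SUCCESS state, failed shards, and indices that were silently skipped, which `"ignore_unavailable": true` (used for snapshot_2 on this page) allows. The function name and the sample responses are constructed for illustration.

```python
import json

def snapshot_problems(response_text, expected_indices=()):
    """Return the reasons a snapshot response should not be trusted (empty list = OK)."""
    body = json.loads(response_text)
    # PUT ...?wait_for_completion=true answers {"snapshot": {...}};
    # GET /_snapshot/<repo>/<name> answers {"snapshots": [{...}]}.
    snaps = [body["snapshot"]] if "snapshot" in body else body.get("snapshots", [])
    if not snaps:
        return ["response contains no snapshot"]
    problems = []
    for snap in snaps:
        name = snap.get("snapshot", "<unnamed>")
        state = snap.get("state")
        if state != "SUCCESS":
            problems.append(f"{name}: state is {state}, not SUCCESS")
        failed = snap.get("shards", {}).get("failed", 0)
        if failed:
            problems.append(f"{name}: {failed} shard(s) failed")
        # With ignore_unavailable=true a missing index is skipped without an error,
        # so compare the indices actually captured with the ones we meant to back up.
        missing = sorted(set(expected_indices) - set(snap.get("indices", [])))
        if missing:
            problems.append(f"{name}: missing indices {', '.join(missing)}")
    return problems

# Constructed sample responses (not captured from a real cluster).
GOOD = json.dumps({"snapshot": {
    "snapshot": "snapshot_2", "state": "SUCCESS", "indices": ["t1", "t2"],
    "shards": {"total": 2, "failed": 0, "successful": 2}}})
SKIPPED = json.dumps({"snapshots": [{
    "snapshot": "snapshot_2", "state": "SUCCESS", "indices": ["t1"],
    "shards": {"total": 1, "failed": 0, "successful": 1}}]})
PARTIAL = json.dumps({"snapshots": [{
    "snapshot": "snapshot_2", "state": "PARTIAL", "indices": ["t1"],
    "shards": {"total": 2, "failed": 1, "successful": 1}}]})

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("skipped", SKIPPED), ("partial", PARTIAL)):
        print(label, snapshot_problems(text, expected_indices=["t1", "t2"]))
```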
3. Snapshot Specific Indexes
# Create a second snapshot for indexes t1 and t2
PUT /_snapshot/my_backup/snapshot_2?wait_for_completion=true
{
"indices": "t1,t2",
"ignore_unavailable": true,
"include_global_state": false
}
4. View Snapshot Information
GET /_snapshot
GET /_snapshot/my_backup/
GET /_snapshot/my_backup/snapshot_1
GET /_snapshot/my_backup/snapshot_2
5. View Running Snapshots
GET /_snapshot/my_backup/_current
{
"snapshots": []
}
6. Restore an Index (Practice)
# Delete index t2
# Restore from snapshot_2
POST /_snapshot/my_backup/snapshot_2/_restore
# Restore only index t2 with rename
POST /_snapshot/my_backup/snapshot_2/_restore
{
"indices": "t2",
"ignore_unavailable": true,
"include_global_state": false,
"rename_pattern": "t(.+)",
"rename_replacement": "restored_index_$1",
"include_aliases": false
}
7. Date‑Based Snapshot Names (Not Recommended)
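# Date-math snapshot name as written
PUT /_snapshot/my_backup/<snapshot-{now/d}>
# The same request with the name URL-encoded, which is the form to send
PUT /_snapshot/my_backup/%3Csnapshot-%7Bnow%2Fd%7D%3E
2. Third‑Party Backup Tools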
2.1 Install Node.js (required for elasticdump)
# Work in /opt so that the PATH entry below (/opt/node/bin) resolves
cd /opt
wget https://nodejs.org/dist/v10.16.3/node-v10.16.3-linux-x64.tar.xz
tar -xf node-v10.16.3-linux-x64.tar.xz
ln -s node-v10.16.3-linux-x64/ node
export PATH=/opt/node/bin:$PATH
npm config set registry https://registry.npm.taobao.org
npm install elasticdump -g
elasticdump --version
2.2 Backup Commands (elasticdump)
Export data to readable JSON
elasticdump \
--input=http://10.0.0.18:9200/t1 \
--output=/es-nfs-data/t1.json \
--type=data
Compress backup
# elasticdump writes to stdout when the output is "$"
elasticdump \
--input=http://10.0.0.18:9200/t2 \
--output=$ | gzip > /es-nfs-data/t2.json.gz
# Decompress before restoring
gzip -d /es-nfs-data/t2.json.gz
2.3 Restore Data
# Reverse input and output
elasticdump \
--input=/es-nfs-data/t2.json \
--output=http://10.0.0.18:9200/t2
2.4 Bulk Backup Script
#!/bin/bash
# List index names (third column of _cat/indices), skipping system indices that start with "."
indexs=$(curl -s 10.0.0.18:9200/_cat/indices | awk '{print $3}' | grep -v '^\.')
for i in $indexs; do
  elasticdump \
    --input="http://10.0.0.18:9200/${i}" \
    --output="/es-nfs-data/${i}.json" \
    --type=data
done
2.5 Password‑Protected Backup
elasticdump \
--input=http://user:[email protected]:9200/t2 \
--output=/es-nfs-data/t2.json \
--type=data
2.6 Recommended Usage
1. Use elasticdump to export JSON for analysis.
2. Use the official Elasticsearch snapshot tool for pure backups.
3. Restoring data will overwrite existing documents if IDs clash.
3. Elasticsearch Security Authentication
Generate Certificates
# Create a CA
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
# Create node certificates using the CA
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# Verify files
file /usr/share/elasticsearch/elastic-stack-ca.p12
Distribute Certificates to All Nodes
scp -r /etc/elasticsearch/certs [email protected]:/etc/elasticsearch/
scp -r /etc/elasticsearch/certs [email protected]:/etc/elasticsearch/
Enable X‑Pack Security in elasticsearch.yml
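xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# Use the node certificate bundle written by "elasticsearch-certutil cert" (default name elastic-certificates.p12),
# not elastic-stack-ca.p12, which contains the CA private key
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
Set File Permissions and Restart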
chown -R elasticsearch:elasticsearch /etc/elasticsearch/
systemctl restart elasticsearch.service
Configure Built‑in Users and Passwords
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Set passwords for users such as elastic, kibana_system, logstash_system, etc.
Configure Kibana to Use the New Credentials
# /etc/kibana/kibana.yml
elasticsearch.username: "kibana_system"
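# Sample value; use the password set for kibana_system in the previous step.
# It can be kept out of this file with: kibana-keystore add elasticsearch.password
elasticsearch.password: "123123"
# Restart Kibana
systemctl restart kibana
Create Role‑Based Access for Developers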
# In Kibana Management → Security → Roles, create a role (e.g., dev) that only has read access to index t2 and the Discover feature.
# Create a user and assign the dev role:
POST /_security/user/yu
{
"password" : "yu123123",
"roles" : [ "dev" ]
}
When the developer logs into Kibana, they can only view the t2 index and the allowed features.
Additional screenshots illustrate differences between roles and index access.
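An added example (not from the original article) that audits the X‑Pack transport settings from the "Enable X‑Pack Security" step in an elasticsearch.yml text. It flags security or transport TLS not being switched on, `verification_mode: none`, and a keystore that points at the CA bundle `elastic-stack-ca.p12`, which holds the CA private key. The function names and sample configs are constructed, and the parser assumes the flat `key: value` style used on this page.

```python
CA_BUNDLE = "elastic-stack-ca.p12"   # CA file name from the certutil step on this page
SSL = "xpack.security.transport.ssl."

def parse_flat_yaml(text):
    """Parse flat 'key: value' lines as used in elasticsearch.yml (no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_transport_security(text):
    """Return findings for the X-Pack transport settings in a config text."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not set to true")
    if s.get(SSL + "enabled", "").lower() != "true":
        findings.append("transport TLS is not set to enabled")
    if s.get(SSL + "verification_mode", "").lower() == "none":
        findings.append("verification_mode none skips peer certificate checks")
    keystore = s.get(SSL + "keystore.path", "")
    if not keystore:
        findings.append("no transport keystore.path configured")
    elif keystore.rsplit("/", 1)[-1] == CA_BUNDLE:
        findings.append("keystore.path is the CA bundle, which holds the CA private key")
    return findings

# Constructed sample configs (not taken from a real cluster).
CA_AS_KEYSTORE = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-stack-ca.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-stack-ca.p12
"""
NODE_CERT = CA_AS_KEYSTORE.replace("elastic-stack-ca.p12", "elastic-certificates.p12")
WEAK = """
cluster.name: yuchao_es   # security keys absent
xpack.security.transport.ssl.verification_mode: none
"""

if __name__ == "__main__":
    for name in ("CA_AS_KEYSTORE", "NODE_CERT", "WEAK"):
        print(name, audit_transport_security(globals()[name]))
```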
Original source: https://www.cnblogs.com/sxy-blog/p/18128248 (copyright belongs to the author)
