Monitoring Platform: SkyWalking Deployment





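I. Environment Preparation

First download the SkyWalking package. Note that SkyWalking 10.X and later use nacos-client 2.X, so there is a compatibility problem if the installed Nacos version is 1.X. Because my Spring Boot project is on 2.7.X, the installed Nacos can only be a 1.X version, and I chose the latest, 1.4.8; therefore the only option is SkyWalking 9.7.0, whose nacos-client version is 1.4.2.
1. Download and Install

    wget https://archive.apache.org/dist/skywalking/9.7.0/apache-skywalking-apm-9.7.0.tar.gz
    tar -zxvf apache-skywalking-apm-9.7.0.tar.gz
    cd apache-skywalking-apm-bin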
2. Configure the Cluster Mode

Change the cluster mode in SkyWalking's configuration file config/application.yml:

    cluster:
      selector: ${SW_CLUSTER:nacos}
      nacos:
        serviceName: ${SW_SERVICE_NAME:"SkyWalking_OAP_Cluster"}
        hostPort: ${SW_CLUSTER_NACOS_HOST_PORT:10.60.1.63:8848}
        namespace: ${SW_CLUSTER_NACOS_NAMESPACE:"public"}  # replace with your Namespace ID; the default namespace is used here
        username: ${SW_CLUSTER_NACOS_USERNAME:"nacos"}  # Nacos username
        password: ${SW_CLUSTER_NACOS_PASSWORD:"nacos"}  # Nacos login password
        # Advanced settings (optional)
        clusterName: ${SW_CLUSTER_NACOS_CLUSTER_NAME:"DEFAULT"}
        healthCheckInterval: ${SW_CLUSTER_NACOS_HEALTH_CHECK_INTERVAL:5}
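3. Configure Elasticsearch 8 Storage

Configuring ES8 storage caused many problems and took me several hours to get working, mainly because of security certificate issues. The problems encountered and their solutions are described in detail here.
The first step is to copy oap-libs/storage-elasticsearch-plugin-9.7.0.jar from oap-libs into the plugins folder with the following commands.

    # Enter the SkyWalking installation directory
    cd /home/app/apache-skywalking-apm-bin
    # Create the plugins folder
    mkdir plugins
    # Copy storage-elasticsearch-plugin-9.7.0.jar into the plugins folder
    cp oap-libs/storage-elasticsearch-plugin-9.7.0.jar plugins/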
The self-signed CA certificate http_ca.crt that Elasticsearch generates automatically is in PEM format, but SkyWalking 9.7.0 by default expects a keystore in JKS or PKCS12 format. Without conversion, the following error is reported:

    2025-03-30 07:06:12,544 - org.apache.skywalking.oap.server.starter.OAPServerBootstrap - 64 [main] ERROR [] - Invalid keystore format
    org.apache.skywalking.oap.server.library.module.ModuleStartException: Invalid keystore format
            at org.apache.skywalking.oap.server.storage.plugin.elasticsearch.StorageModuleElasticsearchProvider.start(StorageModuleElasticsearchProvider.java:281) ~[storage-elasticsearch-plugin-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.library.module.BootstrapFlow.start(BootstrapFlow.java:46) ~[library-module-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.library.module.ModuleManager.init(ModuleManager.java:75) ~[library-module-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.starter.OAPServerBootstrap.start(OAPServerBootstrap.java:52) [server-starter-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.starter.OAPServerStartUp.main(OAPServerStartUp.java:23) [server-starter-9.7.0.jar:9.7.0]
    Caused by: java.io.IOException: Invalid keystore format
            at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:688) ~[?:?]
            at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221) ~[?:?]
            at java.security.KeyStore.load(KeyStore.java:1473) ~[?:?]
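So the PEM certificate needs to be converted to PKCS12 format (recommended):

    # Enter the certificate directory of the Elasticsearch installation
    cd /home/app/elasticsearch-8.17.4/config/certs
    # Convert the certificate (no password)
    openssl pkcs12 -export -nokeys -in http_ca.crt -out http_ca.p12 -passout pass:
    # Set permissions
    chmod 644 http_ca.p12

Next, run the following command to verify that the certificate is valid:

    # Check that the PKCS12 file is valid
    keytool -list -v -keystore /home/app/elasticsearch-8.17.4/config/certs/http_ca.p12 -storepass ""

The verification result is as follows: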

The storage module in SkyWalking's application.yml can now be configured as follows:

    storage:
      selector: ${SW_STORAGE:elasticsearch}
      elasticsearch:
        nameSpace: ${SW_NAMESPACE:""}
        clusterNodes: ${SW_STORAGE_ES_CLUSTER_NODES:10.60.1.63:9200}  # changed to the single-node address
        protocol: ${SW_STORAGE_ES_HTTP_PROTOCOL:"https"}
        trustStorePath: ${SW_STORAGE_ES_SSL_JKS_PATH:"/home/app/elasticsearch-8.17.4/config/certs/http_ca.p12"}  # use the CA certificate
        trustStorePass: ${SW_STORAGE_ES_SSL_JKS_PASS:""}  # fill in if the certificate has a password
        user: ${SW_ES_USER:"elastic"}
        password: ${SW_ES_PASSWORD:"HAIyi123*"}
        indexShardsNumber: ${SW_STORAGE_ES_INDEX_SHARDS_NUMBER:1}    # 1 is recommended for a single node
        indexReplicasNumber: ${SW_STORAGE_ES_INDEX_REPLICAS_NUMBER:0} # must be 0 for a single node
        secretsManagementFile: ${SW_ES_SECRETS_MANAGEMENT_FILE:"/home/app/elasticsearch-8.17.4/config/certs/credentials.json"}  # optional secrets file
Because trustStorePass is empty, starting SkyWalking reports the following error:

    2025-03-30 07:02:56,422 - org.apache.skywalking.oap.server.starter.OAPServerBootstrap - 64 [main] ERROR [] - Cannot invoke "String.toCharArray()" because "this.trustStorePass" is null
    org.apache.skywalking.oap.server.library.module.ModuleStartException: Cannot invoke "String.toCharArray()" because "this.trustStorePass" is null
            at org.apache.skywalking.oap.server.storage.plugin.elasticsearch.StorageModuleElasticsearchProvider.start(StorageModuleElasticsearchProvider.java:281) ~[storage-elasticsearch-plugin-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.library.module.BootstrapFlow.start(BootstrapFlow.java:46) ~[library-module-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.library.module.ModuleManager.init(ModuleManager.java:75) ~[library-module-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.starter.OAPServerBootstrap.start(OAPServerBootstrap.java:52) [server-starter-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.starter.OAPServerStartUp.main(OAPServerStartUp.java:23) [server-starter-9.7.0.jar:9.7.0]
    Caused by: java.lang.NullPointerException: Cannot invoke "String.toCharArray()" because "this.trustStorePass" is null
            at org.apache.skywalking.library.elasticsearch.ElasticSearchBuilder.build(ElasticSearchBuilder.java:167) ~[library-elasticsearch-client-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.library.client.elasticsearch.ElasticSearchClient.connect(ElasticSearchClient.java:152) ~[library-client-9.7.0.jar:9.7.0]
            at org.apache.skywalking.oap.server.storage.plugin.elasticsearch.StorageModuleElasticsearchProvider.start(StorageModuleElasticsearchProvider.java:268) ~[storage-elasticsearch-plugin-9.7.0.jar:9.7.0]
            ... 4 more
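You can also set a password when running the certificate conversion above, as follows:

    openssl pkcs12 -export -nokeys -in http_ca.crt -out http_ca.p12 -passout 'pass:HAIyi123*'  # set the certificate password
    keytool -list -v -keystore /home/app/elasticsearch-8.17.4/config/certs/http_ca.p12 -storepass 'HAIyi123*'  # list the keystore with that password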
Then specify trustStorePass; starting SkyWalking again reports the following error:

    Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
            at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[?:?]
            at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) ~[?:?]
            at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) ~[?:?]
            at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:98) ~[?:?]
            at sun.security.validator.Validator.getInstance(Validator.java:181) ~[?:?]
            at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:309) ~[?:?]
            at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:183) ~[?:?]
            at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:255) ~[?:?]
            at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
            at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkServerTrusted(EnhancingX509ExtendedTrustManager.java:69) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:235) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:790) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.internal.tcnative.CertificateVerifierTask.runTask(CertificateVerifierTask.java:36) ~[netty-tcnative-classes-2.0.61.Final.jar:2.0.61.Final]
            at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:48) ~[netty-tcnative-classes-2.0.61.Final.jar:2.0.61.Final]
            at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:42) ~[netty-tcnative-classes-2.0.61.Final.jar:2.0.61.Final]
            at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.runAndResetNeedTask(ReferenceCountedOpenSslEngine.java:1534) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.access$700(ReferenceCountedOpenSslEngine.java:96) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$TaskDecorator.run(ReferenceCountedOpenSslEngine.java:1509) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1647) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1493) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1345) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1385) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.handler.flush.FlushConsolidationHandler.channelRead(FlushConsolidationHandler.java:152) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:800) ~[netty-transport-classes-epoll-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:509) ~[netty-transport-classes-epoll-4.1.100.Final.jar:4.1.100.Final]
            at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:407) ~[netty-transport-classes-epoll-4.1.100.Final.jar:4.1.100.Final]
This indicates that the Java security library cannot extract a trusted CA certificate chain from your certificate file. The complete solution is as follows:
Step 1: Verify certificate integrity

    # Inspect the certificate contents
    openssl x509 -in /home/app/elasticsearch-8.17.4/config/certs/http_ca.crt -noout -text
    # Check the certificate chain (should show the complete CA chain)
    openssl crl2pkcs7 -nocrl -certfile /home/app/elasticsearch-8.17.4/config/certs/http_ca.crt | openssl pkcs7 -print_certs -noout

Step 2: Rebuild the certificate chain

If the certificate chain is incomplete, build the complete chain manually:

    # Take the CA certificate generated by Elasticsearch
    cat /home/app/elasticsearch-8.17.4/config/certs/http_ca.crt > full_chain.crt
    # Append the system CA certificates (optional)
    cat /etc/ssl/certs/ca-certificates.crt >> full_chain.crt
    # Convert to PKCS12 format (required)
    openssl pkcs12 -export -nokeys -in full_chain.crt -out full_chain.p12 -passout pass:
    # Set permissions
    chmod 644 full_chain.p12
    chown skywalking:skywalking full_chain.p12
Step 3: Add the self-signed certificate to the Java trust store (recommended)

    # 1. Enter the certificate directory
    cd /home/app/elasticsearch-8.17.4/config/certs
    # 2. Import the CA certificate into the default Java trust store
    sudo keytool -importcert \
        -alias elasticsearch-ca \
        -file http_ca.crt \
        -keystore "$JAVA_HOME/lib/security/cacerts" \
        -storepass changeit \
        -noprompt

    # 3. Modify the SkyWalking configuration in application.yml (the trustStore no longer needs to be specified)
    storage:
      elasticsearch:
        protocol: "HTTPS"
        # Comment out the trustStore settings
        # trustStorePath: ""
        # trustStorePass: ""
        user: "elastic"
        password: "HAIyi123*"
Step 4: Verify the Java trust store

    keytool -list -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit | grep elasticsearch

It should show:

    elasticsearch-ca, Mar 30, 2025, trustedCertEntry

Test the HTTPS connection

    curl --cacert /home/app/elasticsearch-8.17.4/config/certs/http_ca.crt \
         -u 'elastic:HAIyi123*' \
         https://10.60.1.63:9200/_cluster/health

It should show:

    [root@localhost certs]# curl --cacert /home/app/elasticsearch-8.17.4/config/certs/http_ca.crt -u elastic:HAIyi123* https://10.60.1.63:9200/_cluster/health
    {"cluster_name":"my-es-cluster","status":"green","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":3,"active_shards":3,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"unassigned_primary_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}[root@localhost certs]#
    [root@localhost certs]#
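An alternative to Step 3, as an added example that is not part of the original post: a PKCS12 file produced by `openssl pkcs12 -export -nokeys` holds no entry that Java treats as a trust anchor, which is what produces `the trustAnchors parameter must be non-empty`, whereas `keytool -importcert` into a dedicated truststore creates a `trustedCertEntry` and leaves the JVM-wide `cacerts` untouched. The function names, the password-file argument and the two sample `keytool -list` outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the password-file argument are hypothetical;
# the alias elasticsearch-ca and the file http_ca.crt come from the post.

# Count trustedCertEntry lines in `keytool -list` output read from stdin.
trusted_entry_count() {
    grep -c 'trustedCertEntry' || true
}

# Build a dedicated PKCS12 truststore; keytool stores the CA as a trustedCertEntry.
# usage: build_truststore <ca.pem> <out.p12> <password-file>
build_truststore() {
    rm -f "$2"
    keytool -importcert -noprompt -alias elasticsearch-ca \
        -file "$1" -keystore "$2" -storetype PKCS12 \
        -storepass:file "$3" || return 1
    chmod 640 "$2"
}

# Gate before starting the OAP server: fail if the store holds no trust anchor.
# usage: verify_truststore <store.p12> <password-file>
verify_truststore() {
    n=$(keytool -list -keystore "$1" -storetype PKCS12 \
        -storepass:file "$2" | trusted_entry_count)
    [ "$n" -ge 1 ]
}

# Constructed `keytool -list` output for a store made with `openssl pkcs12 -export -nokeys`.
SAMPLE_OPENSSL_NOKEYS='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 0 entries'

# Constructed `keytool -list` output for a store made with build_truststore.
SAMPLE_KEYTOOL_IMPORT='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

elasticsearch-ca, Mar 30, 2025, trustedCertEntry,'

printf 'openssl -nokeys store: %s trust anchors\n' \
    "$(printf '%s\n' "$SAMPLE_OPENSSL_NOKEYS" | trusted_entry_count)"
printf 'keytool -importcert store: %s trust anchors\n' \
    "$(printf '%s\n' "$SAMPLE_KEYTOOL_IMPORT" | trusted_entry_count)"
```

Point `trustStorePath` at the resulting file and supply the password through the `SW_STORAGE_ES_SSL_JKS_PASS` environment variable rather than writing it into application.yml.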
II. Starting the Services


  • Start the OAP service:

      cd /home/app/apache-skywalking-apm-bin/bin
      ./oapService.sh

  • Deploy the Web UI:

      cd /home/app/apache-skywalking-apm-bin/bin
      ./webappService.sh

    After startup, you can open the SkyWalking page directly in a browser at http://10.60.1.63:8080/:


