|
|
@@ -1,5 +1,30 @@
|
|
|
[role="exclude"]
|
|
|
|
|
|
+When {es} starts for the first time, the security auto-configuration process
|
|
|
+binds the HTTP layer to both `_site_` and `_local_`, but only binds the
|
|
|
+transport layer to `_local_`. This intended behavior ensures that you can start
|
|
|
+a single-node cluster with security enabled by default without any additional
|
|
|
+configuration.
|
|
|
+
|
|
|
+Before enrolling a new node, additional actions such as binding to an address
|
|
|
+other than `localhost` or satisfying bootstrap checks are typically necessary
|
|
|
+in production clusters. During that time, an auto-generated enrollment token
|
|
|
+could expire, which is why enrollment tokens aren't generated automatically.
|
|
|
+
|
|
|
+Additionally, only nodes on the same host can join the cluster without
|
|
|
+additional configuration. If you want nodes from another host to join your
|
|
|
+cluster, you need to set `transport.host` to a
|
|
|
+{ref}/modules-network.html#network-interface-values[supported value] other than
|
|
|
+`_local_` (such as `_site_`), or an IP address that's bound to an interface
|
|
|
+where other hosts can reach it. Refer to
|
|
|
+{ref}/modules-network.html#transport-settings[transport settings] for more
|
|
|
+information.
|
|
|
+
|
|
|
+To enroll new nodes in your cluster, create an enrollment token with the
|
|
|
+`elasticsearch-create-enrollment-token` tool on any existing node in your
|
|
|
+cluster. You can then start a new node with the `--enrollment-token` parameter
|
|
|
+so that it joins an existing cluster.
|
|
|
+
|
|
|
. In a separate terminal from where {es} is running, navigate to the directory
|
|
|
where you installed {es} and run the
|
|
|
<<create-enrollment-token,`elasticsearch-create-enrollment-token`>> tool
|
Adam Locke