1. 下载etcd 安装包
etcd地址:https://github.com/etcd-io/etcd/
2. etcd签发证书
采用cfssl签发证书,具体有:
[root@y ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
[root@y ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssl-json
[root@y ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
[root@y ~]# chmod u+x /usr/local/bin/cfssl*
[root@y ~]# mkdir /opt/certs/ ; cd /opt/certs/
# 根证书配置:
# CN 一般写域名,浏览器会校验
# names 为地区和公司信息
# expiry 为过期时间
[root@y certs]# vim /opt/certs/ca-csr.json
{
"CN": "ALIYUN",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "Ali",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
[root@y certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
[root@y certs]# ls -l ca*
-rw-r--r-- 1 root root 993 Jan 5 10:42 ca.csr
-rw-r--r-- 1 root root 328 Jan 5 10:39 ca-csr.json
-rw------- 1 root root 1675 Jan 5 10:42 ca-key.pem
-rw-r--r-- 1 root root 1346 Jan 5 10:42 ca.pem
2.1 签发etcd的证书
创建ca的json配置: /opt/certs/ca-config.json
- server 表示服务端连接客户端时携带的证书,用于客户端验证服务端身份
- client 表示客户端连接服务端时携带的证书,用于服务端验证客户端身份
- peer 表示相互之间连接时使用的证书,如etcd节点之间验证
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "server": {
        "expiry": "175200h",
        "usages": [ "signing", "key encipherment", "server auth" ]
      },
      "client": {
        "expiry": "175200h",
        "usages": [ "signing", "key encipherment", "client auth" ]
      },
      "peer": {
        "expiry": "175200h",
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ]
      }
    }
  }
}
创建etcd证书配置:/opt/certs/etcd-peer-csr.json
重点在hosts上,将所有可能的etcd服务器添加到host列表,不能使用网段,新增etcd服务器需要重新签发证书
{
  "CN": "k8s-etcd",
  "hosts": [ "172.17.0.4" ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "beijing", "L": "beijing", "O": "Ali", "OU": "ops" }
  ]
}
签发证书:
[root@y certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
[root@y certs]# ll etcd-peer*
3. 安装etcd
- 创建用户,建立软链接
[root@y ~]# useradd -s /sbin/nologin -M etcd
[root@y src]# tar -xf etcd-v3.1.20-linux-amd64.tar.gz
[root@y src]# mv etcd-v3.1.20-linux-amd64 /opt/release/etcd-v3.1.20
[root@y src]# ln -s /opt/release/etcd-v3.1.20 /opt/apps/etcd
# 创建证书、数据和日志文件路径
[root@hdss7-12 src]# mkdir -p /opt/apps/etcd/certs /data/etcd /data/logs/etcd-server
- 下发证书到各个etcd上
将ca.pem、etcd-peer.pem、etcd-peer-key.pem拷贝到etcd的certs目录下/opt/apps/etcd/certs。只下发这三个文件,根证书私钥ca-key.pem保留在签发机上,不要分发到etcd节点。
- 创建启动脚本(部分参数每台机器不同)
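[root@y ~]# vim /opt/apps/etcd/etcd-server-startup.sh
#!/bin/sh
# etcd single-member startup script, launched by supervisord as user etcd.
# Relative paths below (./certs/...) are resolved from this script's own
# directory, so the script works regardless of the caller's cwd.
#
# listen-peer-urls             this member listens here for other members
# listen-client-urls           this member listens here for etcd clients
# quota-backend-bytes          backend storage quota
# initial-advertise-peer-urls  address other members use to reach this member
# advertise-client-urls        address etcd clients use to reach this member
# initial-cluster              cluster membership configuration
#
# Per-machine values: --name, the 172.17.0.4 addresses and --initial-cluster.

# Fail explicitly (non-zero) if the directory cannot be resolved or entered;
# the original `a && cd || exit` form could exit 0 on a failed cd.
WORK_DIR=$(dirname "$(readlink -f "$0")") || exit 1
cd "$WORK_DIR" || exit 1

# exec replaces this shell with etcd, so supervisord's stopsignal is
# delivered to etcd itself rather than to the wrapper shell.
# NOTE: the plain http://127.0.0.1:2379 listener is not covered by
# --client-cert-auth; any local process can use it without a client cert.
# Keep it only if local unauthenticated etcdctl access is intended.
# --ca-file / --peer-ca-file are the older spellings of --trusted-ca-file /
# --peer-trusted-ca-file; both are kept here as in the original.
exec /opt/apps/etcd/etcd --name etcd-server-174 \
  --data-dir /data/etcd/etcd-server \
  --listen-peer-urls https://172.17.0.4:2380 \
  --listen-client-urls https://172.17.0.4:2379,http://127.0.0.1:2379 \
  --quota-backend-bytes 8000000000 \
  --initial-advertise-peer-urls https://172.17.0.4:2380 \
  --advertise-client-urls https://172.17.0.4:2379,http://127.0.0.1:2379 \
  --initial-cluster etcd-server-174=https://172.17.0.4:2380 \
  --ca-file ./certs/ca.pem \
  --cert-file ./certs/etcd-peer.pem \
  --key-file ./certs/etcd-peer-key.pem \
  --client-cert-auth \
  --trusted-ca-file ./certs/ca.pem \
  --peer-ca-file ./certs/ca.pem \
  --peer-cert-file ./certs/etcd-peer.pem \
  --peer-key-file ./certs/etcd-peer-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file ./certs/ca.pem \
  --log-output stdout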
- 添加执行权限
[root@y ~]# chmod u+x /opt/apps/etcd/etcd-server-startup.sh
[root@y ~]# chown -R etcd.etcd /opt/apps/etcd/ /data/etcd /data/logs/etcd-server
- 利用supervisor监控启动
[root@y ~]# yum install -y supervisor
[root@y ~]# systemctl start supervisord ; systemctl enable supervisord
[root@y ~]# vim /etc/supervisord.d/etcd-server.ini
[program:etcd-server-174]
command=/opt/apps/etcd/etcd-server-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/apps/etcd ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; restart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=5 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@y ~]# supervisorctl update
[root@y ~]# supervisorctl status
- etcd 进程查询
[root@y ~]# supervisorctl status # supervisorctl 状态
[root@y ~]# netstat -lntp|grep etcd
[root@y ~]# /opt/apps/etcd/etcdctl member list # 随着etcd重启,leader会变化
[root@y ~]# /opt/apps/etcd/etcdctl cluster-health
- etcd 重启
[root@y ~]# supervisorctl start etcd-server-174
[root@y ~]# supervisorctl stop etcd-server-174
[root@y ~]# supervisorctl restart etcd-server-174
[root@y ~]# supervisorctl status etcd-server-174