1.基本环境配置
关闭防火墙
# Stop firewalld now and keep it off across reboots. Without a host firewall,
# 2379/2380 are reachable from the whole network; the client/peer certificate
# authentication configured in etcd.conf later is then the only access control.
systemctl stop firewalld \
  && systemctl disable firewalld
关闭selinux
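# Straight quotes (the curly ones in the original are a copy/paste artefact and
# break the command) and an anchored pattern, so only the SELINUX= setting is
# rewritten and not the explanatory comment lines in the file.
# The change takes effect at the next boot.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config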
关闭swap
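# Disable swap now, and comment out every fstab line mentioning swap so it
# stays off across reboots. The pattern is `.*swap.*` (the asterisks and the
# straight quotes were lost in the original; `.swap.` would insert the `#`
# mid-line instead of at the start).
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab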
设置host名称,此处m1为节点名称,请自行进行定义[73: m1, 75:n1, 76:n2]
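# Node name; use n1 / n2 on the other two nodes. Straight quotes (curly quotes
# would become part of the hostname).
hostnamectl set-hostname 'm1'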
设置hosts
192.168.2.73 m1
192.168.2.75 n1
192.168.2.76 n2
同步时间
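# Time sync: the nodes validate each other's TLS certificates, which carry
# notBefore/notAfter timestamps, so clocks must agree.
yum -y install chrony
# Straight quotes (curly quotes would be written into the config file).
echo 'server ntp.aliyun.com iburst' >> /etc/chrony.conf
systemctl restart chronyd
systemctl enable chronyd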
2.制作etcd自签证书
下载cfssl并解压到/opt
https://github.com/cloudflare/cfssl/archive/refs/tags/v1.6.2.tar.gz
然后编译
# Build cfssl and cfssljson from source; the binaries land in bin/.
# Verify the downloaded archive against the checksum published upstream before
# building. The GitHub tag tarball typically unpacks into a versioned directory,
# so this assumes it was renamed to cfssl.
cd cfssl && make
编译后的结果会生成在bin目录中
开始制作自签证书
# Work next to the freshly built binaries: the Makefile below refers to them
# as ../cfssl and ../cfssljson.
cd bin && mkdir etcd && cd etcd
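# The delimiter is quoted: with a bare `<< EOF` the shell treats $(CFSSL) and
# $(JSON) as command substitutions while writing the file, and the Makefile
# ends up with empty strings where the tool names should be.
cat > Makefile << 'EOF'
# Issue the etcd CA and the client/server/peer certificates with cfssl.
MAKEFLAGS += --no-builtin-rules
.DELETE_ON_ERROR:

CFSSL := ../cfssl
JSON  := ../cfssljson

# cfssljson writes <name>.pem, <name>-key.pem and <name>.csr in one run;
# the .pem stands for the whole set as the make target.
CA    := certs/ca.pem
CERTS := certs/client.pem certs/server.pem certs/peer.pem

# Common signing flags. certs/ca-key.pem is the CA private key: it is needed
# only here, on the signing host, never on the etcd nodes.
SIGN := $(CFSSL) gencert -ca $(CA) -ca-key certs/ca-key.pem -config config/ca-config.json

.PHONY: all ca req clean

all: ca req

# `ca` and `req` remain as aliases; the real targets are files, so a repeated
# `make` does not silently re-issue the CA key and invalidate certificates
# already copied to the nodes. Use `make clean` to start over.
ca: $(CA)
req: $(CERTS)

$(CA): config/ca-csr.json | certs
	$(CFSSL) gencert -initca $< | $(JSON) -bare $(basename $@)

# Leaf certificates list the CA as a prerequisite so `make -j` cannot sign
# before it exists. server and peer are both issued from config/etcd.json;
# config/server-csr.json is not used by this file.
certs/client.pem: config/client.json config/ca-config.json $(CA) | certs
	$(SIGN) -profile client $< | $(JSON) -bare $(basename $@)

certs/server.pem: config/etcd.json config/ca-config.json $(CA) | certs
	$(SIGN) -profile server $< | $(JSON) -bare $(basename $@)

certs/peer.pem: config/etcd.json config/ca-config.json $(CA) | certs
	$(SIGN) -profile peer $< | $(JSON) -bare $(basename $@)

# Output directory as an order-only prerequisite (its mtime must not trigger rebuilds).
certs:
	mkdir -p $@

clean:
	rm -rf certs
EOF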
# config/ holds the CSR and signing-policy JSON files the Makefile reads.
mkdir config && cd config
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"server": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
}
}
EOF
cat > client.json << EOF
{
"CN": "client",
"key": {
"algo": "ecdsa",
"size": 256
}
}
EOF
cat > etcd.json << EOF
{
"CN": "etcd",
"hosts": [
"192.168.2.73",
"192.168.2.75",
"192.168.2.76"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "CN",
"L": "BJ",
"ST": "BJ"
}
]
}
EOF
cat > server-csr.json << EOF
{
"CN": "ca",
"hosts": [
"localhost",
"127.0.0.1",
"192.168.2.73",
"192.168.2.75",
"192.168.2.76"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "test",
"OU": "etcd"
}
]
}
EOF
# Back in bin/etcd; run the Makefile's default target (CA first, then the leaf certs).
cd .. && make
然后会在 bin/etcd/certs 中生成证书
certs
├── ca.csr
├── ca-key.pem
├── ca.pem
├── client.csr
├── client-key.pem
├── client.pem
├── peer.csr
├── peer-key.pem
├── peer.pem
├── server.csr
├── server-key.pem
└── server.pem
3.配置ETCD集群
下载etcd并解压到/opt目录中
https://github.com/etcd-io/etcd/releases/download/v3.4.20/etcd-v3.4.20-linux-arm64.tar.gz
拷贝证书
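# Copy only what the etcd nodes need. certs/* would also carry ca-key.pem,
# the CA private key, onto every node; it belongs on the signing host only.
# The -key.pem files are private keys: keep their restrictive mode when
# moving them around.
cd /opt/etcd && mkdir -p ssl
cp /opt/cfssl/bin/etcd/certs/{ca,server,server-key,peer,peer-key,client,client-key}.pem ssl/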
编写配置文件
# cfg/ holds etcd.conf, referenced by EnvironmentFile= in the unit below.
mkdir cfg && cd cfg
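# Delimiter quoted: an unquoted heredoc would have expanded ${ETCD_HOME} (unset
# in this shell) to an empty string while writing the file, and systemd's
# EnvironmentFile= performs no variable expansion afterwards either, so the
# data directory is written as an absolute path.
cat > etcd.conf << 'EOF'
# arm64 is not an officially supported etcd platform; matches the linux-arm64 tarball.
ETCD_UNSUPPORTED_ARCH="arm64"
#[Member]
ETCD_NAME="etcd1"
# Holds this member's identity; it must never be copied to another node.
ETCD_DATA_DIR="/opt/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.2.73:2380"
# The plaintext 127.0.0.1 listener is not covered by ETCD_CLIENT_CERT_AUTH:
# any local process can reach the store through it.
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.73:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.73:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.73:2379"
# Member names here must match ETCD_NAME on each node (etcd2 -> .75, etcd3 -> .76).
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.2.73:2380,etcd2=https://192.168.2.75:2380,etcd3=https://192.168.2.76:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
# The v2 API is deprecated; keep this only if a v2 client depends on it.
ETCD_ENABLE_V2="true"
#[Security]
ETCD_CERT_FILE="/opt/etcd/ssl/server.pem"
ETCD_KEY_FILE="/opt/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/opt/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
# Peer traffic uses the certificate issued with the "peer" profile by the
# Makefile, instead of reusing the server key pair.
ETCD_PEER_CERT_FILE="/opt/etcd/ssl/peer.pem"
ETCD_PEER_KEY_FILE="/opt/etcd/ssl/peer-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/opt/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF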
编写service文件并设置为开机自启
# Back to /opt/etcd. Note that service/ is created but not entered: the unit
# file below is written to the current directory and copied from there.
cd .. && mkdir service
# NOTE(review): no User= is set, so etcd runs as root. EnvironmentFile= values
# are read literally (no ${VAR} expansion). ExecStart assumes the etcd binary
# from the tarball was placed under /opt/etcd/bin -- confirm. With Type=notify
# and a three-member initial cluster, `systemctl start` on the first node is
# expected to wait until the other members are reachable.
cat > etcd.service << EOF
[Unit]
Description=Etcd Server
Documentation=https://github.com/etcd-io/etcd
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
# Install the unit, reload systemd, then start etcd and enable it at boot.
# On this first node the start blocks until the other members come up
# (Restart=on-failure retries if it times out first).
cp etcd.service /usr/lib/systemd/system/
systemctl daemon-reload
systemctl enable --now etcd.service
将etcd整个发送到其他两个节点上并在俩节点上重复1中的所有操作
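# Copy the installation, not the data directory: /opt/etcd/default.etcd is
# created when etcd1 starts and holds its member identity, and `/opt/etcd/*`
# would carry it to the other nodes, which then start as a duplicate of etcd1.
# The target directory must exist for scp -r with several sources. The ssl/
# directory contains private keys; treat the transfer accordingly.
for node in 192.168.2.75 192.168.2.76; do
  ssh "root@${node}" 'mkdir -p /opt/etcd' \
    && scp -r /opt/etcd/bin /opt/etcd/cfg /opt/etcd/ssl /opt/etcd/etcd.service "root@${node}:/opt/etcd/"
done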
然后更改75节点配置
# Only these lines change in /opt/etcd/cfg/etcd.conf on 192.168.2.75; the
# ETCD_INITIAL_CLUSTER entry, token and TLS paths stay as copied from etcd1.
# etcd2 is the name ETCD_INITIAL_CLUSTER maps to this address.
ETCD_NAME="etcd2"
ETCD_LISTEN_PEER_URLS="https://192.168.2.75:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.75:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.75:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.75:2379"
重复service操作
# Same unit installation as on the first node.
cp etcd.service /usr/lib/systemd/system/
systemctl daemon-reload
systemctl enable --now etcd.service
然后更改76节点配置
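# Only these lines change in /opt/etcd/cfg/etcd.conf on 192.168.2.76.
# The name must be etcd3: ETCD_INITIAL_CLUSTER maps etcd3 to this address,
# and etcd2 is already taken by the .75 node -- a second "etcd2" advertising
# a different peer URL cannot join the cluster.
ETCD_NAME="etcd3"
ETCD_LISTEN_PEER_URLS="https://192.168.2.76:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.76:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.76:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.76:2379"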
重复service操作
# Same unit installation as on the first node.
cp etcd.service /usr/lib/systemd/system/
systemctl daemon-reload
systemctl enable --now etcd.service