本次使用环境為:
CentOs 7.3
Etcd v3.2.9
IP | 组件 |
---|---|
192.168.2.11 | etcd1 |
192.168.2.12 | etcd1 |
192.168.2.13 | etcd1 |
192.168.2.1 | 宿主机 |
每个虚拟机已经提前安装好了etcd
脚步在宿主机上运行,宿主机需要无密ssh各服务器。宿主机需要安装cfssl
kubernetes 1.8 安装脚本一共有3个脚本,每个脚本需要放在对应名字的文件夹下。3个文件夹需要在同一父目录之下,因为后面的脚本需要使用前面脚本生成的*.pem
wget https://raw.githubusercontent.com/bravem/bravem.github.com/master/k8sinstall/etcd/etcd.sh
#!/bin/bash #******************************************************************** #Author: bravewang #QQ: 6142553 #blog http://brave666.blog.51cto.com/ #Date: 2017-11-14 #******************************************************************** export host1=192.168.2.11 export host2=192.168.2.12 export host3=192.168.2.13 export zhuji="$host1 $host2 $host3" cat << EOF > etcd-csr.json { "key": { "algo": "rsa", "size": 2048 }, "names": [ { "O": "etcd", "OU": "etcd Security", "L": "Beijing", "ST": "Beijing", "C": "CN" } ], "CN": "etcd", "hosts": [ "127.0.0.1", "localhost", "$host1", "$host2", "$host3", "$host4", "$host5" ] } EOF cat << EOF > etcd-gencert.json { "signing": { "default": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "87600h" } } } EOF cat << EOF > etcd-root-ca-csr.json { "key": { "algo": "rsa", "size": 4096 }, "names": [ { "O": "etcd", "OU": "etcd Security", "L": "Beijing", "ST": "Beijing", "C": "CN" } ], "CN": "etcd-root-ca" } EOF cfssl gencert --initca=true etcd-root-ca-csr.json | cfssljson --bare etcd-root-ca cfssl gencert --ca etcd-root-ca.pem --ca-key etcd-root-ca-key.pem --config etcd-gencert.json etcd-csr.json | cfssljson --bare etcd #for IP in $zhuji ; do # scp etcd-3.2.7-1.fc28.x86_64.rpm root@$IP:~ # ssh root@$IP rpm -ivh etcd-3.2.7-1.fc28.x86_64.rpm #done for IP in $zhuji ;do ssh root@$IP mkdir /etc/etcd/ssl -p scp *.pem root@$IP:/etc/etcd/ssl ssh root@$IP chown -R etcd:etcd /etc/etcd/ssl ssh root@$IP chmod -R 644 /etc/etcd/ssl/* ssh root@$IP chmod 755 /etc/etcd/ssl ssh root@$IP chown -R etcd:etcd /var/lib/etcd done conf() { cat << EOF > etcd${IP##*.}.conf # [member] ETCD_NAME=etcd${IP: -1} ETCD_DATA_DIR="/var/lib/etcd/etcd.etcd" ETCD_WAL_DIR="/var/lib/etcd/wal" ETCD_SNAPSHOT_COUNT="100" ETCD_HEARTBEAT_INTERVAL="100" ETCD_ELECTION_TIMEOUT="1000" ETCD_LISTEN_PEER_URLS="https://$IP:2380" ETCD_LISTEN_CLIENT_URLS="https://$IP:2379,http://127.0.0.1:2379" ETCD_MAX_SNAPSHOTS="5" ETCD_MAX_WALS="5" #ETCD_CORS="" # [cluster] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$IP:2380" # if you use different ETCD_NAME (e.g. test), set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..." ETCD_INITIAL_CLUSTER="etcd1=https://$host1:2380,etcd2=https://$host2:2380,etcd3=https://$host3:2380" ETCD_INITIAL_CLUSTER_STATE="new" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_ADVERTISE_CLIENT_URLS="https://$IP:2379" #ETCD_DISCOVERY="" #ETCD_DISCOVERY_SRV="" #ETCD_DISCOVERY_FALLBACK="proxy" #ETCD_DISCOVERY_PROXY="" #ETCD_STRICT_RECONFIG_CHECK="false" #ETCD_AUTO_COMPACTION_RETENTION="0" # [proxy] #ETCD_PROXY="off" #ETCD_PROXY_FAILURE_WAIT="5000" #ETCD_PROXY_REFRESH_INTERVAL="30000" #ETCD_PROXY_DIAL_TIMEOUT="1000" #ETCD_PROXY_WRITE_TIMEOUT="5000" #ETCD_PROXY_READ_TIMEOUT="0" # [security] ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem" ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem" ETCD_CLIENT_CERT_AUTH="true" ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-root-ca.pem" ETCD_AUTO_TLS="true" ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem" ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem" ETCD_PEER_CLIENT_CERT_AUTH="true" ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-root-ca.pem" ETCD_PEER_AUTO_TLS="true" # [logging] #ETCD_DEBUG="false" # examples for -log-package-levels etcdserver=WARNING,security=DEBUG #ETCD_LOG_PACKAGE_LEVELS="" EOF } for IP in $zhuji; do ssh root@$IP hostnamectl set-hostname docker${IP##*.} conf scp etcd${IP##*.}.conf root@$IP:/etc/etcd/etcd.conf ssh root@$IP systemctl daemon-reload sleep 1 ssh root@$IP systemctl restart etcd sleep 2 ssh root@$IP systemctl enable etcd done
测试
export ETCDCTL_API=3 etcdctl --cacert=/etc/etcd/ssl/etcd-root-ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.2.11:2379,https://192.168.2.12:2379,https://192.168.2.13:2379 endpoint health
[root@localhost ~]# export ETCDCTL_API=3 [root@localhost ~]# etcdctl --cacert=/etc/etcd/ssl/etcd-root-ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.2.11:2379,https://192.168.2.12:2379,https://192.168.2.13:2379 endpoint health https://192.168.2.13:2379 is healthy: successfully committed proposal: took = 7.411904ms https://192.168.2.11:2379 is healthy: successfully committed proposal: took = 2.796868ms https://192.168.2.12:2379 is healthy: successfully committed proposal: took = 2.456265ms
转载于:https://blog.51cto.com/brave666/1950051