etcd离线安装

smile~成长

已于 2022-03-17 11:50:16 修改

阅读量616

点赞数

分类专栏： k8s 文章标签： etcd linux 服务器 kubernetes

于 2022-03-17 11:45:39 首次发布

本文链接：https://blog.csdn.net/weixin_34735604/article/details/123546377

版权

k8s 专栏收录该内容

1 篇文章 0 订阅

订阅专栏

1、关闭linux防火墙

systemctl stop firewalld

systemctl disable firewalld

2、关闭linux安全机制

view /etc/selinux/config

更改为SELINUX=disabled

命令行输入setenforce 0设置生效

查询 getenforce 是否已经是disabled，如果没有生效reboot服务器

3、使用cfssl来生成自签证书，先下载cfssl工具

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64

mv cfssl_linux-amd64 /usr/local/bin/cfssl

mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

4、创建证书

4.1、创建以下三个文件：

# cat ca-config.json

{

"signing": {

"default": {

"expiry": "87600h"

},

"profiles": {

"www": {

"expiry": "87600h",

"usages": [

"signing",

"key encipherment",

"server auth",

"client auth"

]

}}

}

}

# cat ca-csr.json

{

"CN": "etcd CA",

"key": {

"algo": "rsa",

"size": 2048

},

"names": [

{

"C": "CN",

"L": "Beijing",

"ST": "Beijing"

}

]

}

# cat server-csr.json

{

"CN": "etcd",

"hosts": [

"192.168.31.63",

"192.168.31.65",

"192.168.31.66"

],

"key": {

"algo": "rsa",

"size": 2048

},

"names": [

{

"C": "CN",

"L": "BeiJing",

"ST": "BeiJing"

}

]

}

5、生成证书：

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-

csr.json | cfssljson -bare server

# ls *pem

ca-key.pem ca.pem server-key.pem server.pem

证书这块知道怎么生成、怎么用即可，建议暂时不必过多研究。

6、部署etcd

二进制包下载地址：https://github.com/coreos/etcd/releases/tag/v3.2.12

以下部署步骤在规划的三个etcd节点操作一样，唯一不同的是etcd配置文件中的服务器IP要写当前的：解压二进制包：

1、创建etcd配置文件：

# cat /opt/etcd/cfg/etcd

#[Member]

ETCD_NAME="etcd01"

ETCD_DATA_DIR="/var/lib/etcd/default.etcd"

ETCD_LISTEN_PEER_URLS="https://192.168.31.63:2380"

ETCD_LISTEN_CLIENT_URLS="https://192.168.31.63:2379"

#[Clustering]

ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.63:2380"

ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.63:2379"

ETCD_INITIAL_CLUSTER="etcd01=https://192.168.31.63:2380,etcd02=https://192.168.31.65:23

80,etcd03=https://192.168.31.66:2380"

ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

ETCD_INITIAL_CLUSTER_STATE="new"

ETCD_NAME 节点名称

ETCD_DATA_DIR 数据目录

ETCD_LISTEN_PEER_URLS 集群通信监听地址

ETCD_LISTEN_CLIENT_URLS 客户端访问监听地址

ETCD_INITIAL_ADVERTISE_PEER_URLS 集群通告地址

ETCD_ADVERTISE_CLIENT_URLS 客户端通告地址

ETCD_INITIAL_CLUSTER 集群节点地址

ETCD_INITIAL_CLUSTER_TOKEN 集群Token

ETCD_INITIAL_CLUSTER_STATE 加入集群的当前状态，new是新集群，existing表示加入已有集群

2、systemd管理etcd：

# mkdir /opt/etcd/{bin,cfg,ssl} -p

# tar zxvf etcd-v3.2.12-linux-amd64.tar.gz

# mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

# cat /opt/etcd/cfg/etcd

#[Member]

ETCD_NAME="etcd01"

ETCD_DATA_DIR="/var/lib/etcd/default.etcd"

ETCD_LISTEN_PEER_URLS="https://192.168.31.63:2380"

ETCD_LISTEN_CLIENT_URLS="https://192.168.31.63:2379"

#[Clustering]

ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.63:2380"

ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.63:2379"

ETCD_INITIAL_CLUSTER="etcd01=https://192.168.31.63:2380,etcd02=https://192.168.31.65:23

80,etcd03=https://192.168.31.66:2380"

ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

ETCD_INITIAL_CLUSTER_STATE="new"

# cat /usr/lib/systemd/system/etcd.service

[Unit]

Description=Etcd Server

After=network.target

After=network-online.target

Wants=network-online.target

[Service]

Type=notify

EnvironmentFile=/opt/etcd/cfg/etcd

ExecStart=/opt/etcd/bin/etcd \

--name=${ETCD_NAME} \

--data-dir=${ETCD_DATA_DIR} \

--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \

--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \

--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \

--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \

--initial-cluster=${ETCD_INITIAL_CLUSTER} \

--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \

--initial-cluster-state=new \

--cert-file=/opt/etcd/ssl/server.pem \

--key-file=/opt/etcd/ssl/server-key.pem \

--peer-cert-file=/opt/etcd/ssl/server.pem \

--peer-key-file=/opt/etcd/ssl/server-key.pem \

--trusted-ca-file=/opt/etcd/ssl/ca.pem \

--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem

Restart=on-failure

LimitNOFILE=65536

[Install]

WantedBy=multi-user.target

3、把刚才生成的证书拷贝到配置文件中的位置：

# cp ca*pem server*pem /opt/etcd/ssl

4、启动并设置开启启动：

# systemctl start etcd

# systemctl enable etcd

5、都部署完成后，检查etcd集群状态：

# /opt/etcd/bin/etcdctl \

--ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem \

--

endpoints="https://192.168.31.63:2379,https://192.168.31.65:2379,https://192.168.31.66:

2379" \

cluster-health

member 18218cfabd4e0dea is healthy: got healthy result from https://192.168.31.63:2379

member 541c1c40994c939b is healthy: got healthy result from https://192.168.31.65:2379

member a342ea2798d20705 is healthy: got healthy result from https://192.168.31.66:2379

cluster is healthy

如果输出上面信息，就说明集群部署成功。如果有问题第一步先看日志：/var/log/message 或 journalctl -u etcd

在其他节点启动etcd时只需要将master上安装过的scp过去就可以了

scp -r /opt/etcd root@192.168.0.124:/opt/

scp /usr/lib/systemd/system/etcd.service root@192.168.0.123:/usr/lib/systemd/system

拷贝过后修改ip，集群里面的ip不用修改。

修改过后启动etcd ，查看主节点日志/var/log/message 看是否还有没有链接成功的提示。