ip | IS LEADER |
---|---|
10.240.13.187 | true |
10.240.13.137 | false |
10.240.13.66 | false |
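# Fetch the cfssl 1.5.0 toolchain (cfssl, cfssljson, cfssl-certinfo) used below to
# build the etcd CA and server certificate, and install it into /usr/local/bin.
# curl: -f fails on an HTTP error instead of saving the error page as the "binary",
#       -L follows the GitHub release redirect, -sS is quiet except for errors.
cfssl_version=1.5.0
cfssl_release="https://github.com/cloudflare/cfssl/releases/download/v${cfssl_version}"
for tool in cfssl cfssljson cfssl-certinfo; do
  curl -fsSL "${cfssl_release}/${tool}_${cfssl_version}_linux_amd64" -o "$tool" || exit 1
done
# Supply-chain check: these binaries will generate and sign the cluster's CA key.
# Compare their digests with the values published for the release before installing:
#   sha256sum cfssl cfssljson cfssl-certinfo   # expected: <sha256 values from the release page>
chmod +x cfssl-certinfo cfssl cfssljson
mv -- cfssl-certinfo cfssl cfssljson /usr/local/bin
# Working directory for the CA material; -p tolerates a pre-existing directory.
mkdir -p /usr/local/src/ssl
cd /usr/local/src/ssl || exit 1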
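# CA signing policy for cfssl. The "etcd" profile issues certificates usable for
# both server and client authentication, which is what the single server.pem
# generated below relies on for its client-listener, peer and etcdctl roles.
# Caveat: 876000h is roughly 100 years. Certificates that long-lived are never
# rotated in practice, so ca-key.pem must stay 0600 on this host only and a
# reissue procedure is the only remedy if server-key.pem is ever exposed.
# Quoted delimiter: the JSON is written literally, no shell expansion.
cat <<'EOF' | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "etcd": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF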
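# CSR for the self-signed etcd CA. Only the subject and key parameters live here;
# the key itself is generated by the "cfssl gencert -initca" step that follows.
# RSA 2048 is acceptable today; for a CA that ca-config.json keeps valid for
# ~100 years a larger RSA key or ECDSA is worth considering.
# Quoted delimiter: the JSON is written literally, no shell expansion.
cat <<'EOF' | tee ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "etcd",
      "OU": "etcd Security",
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF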
# Generate the self-signed CA. "cfssljson -bare ca" writes ca.pem, ca-key.pem and
# ca.csr next to the CSR (see the directory listing further down). ca-key.pem is
# the cluster's root of trust: it never leaves this host and stays 0600.
cfssl gencert -initca ca-csr.json \
  | cfssljson -bare ca
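# CSR for the one certificate every member uses for its client listener, its peer
# listener and (via etcdctl --cert) as a client certificate. "hosts" becomes the
# SAN list, so every address a peer or client will verify must be listed here:
# a member added later on another address (the etcd04 step below uses
# 10.240.13.67) needs this certificate reissued with that address, or its own.
# Hardening note: one shared key for server, peer and client roles means any
# holder of server-key.pem can impersonate any member or any client; separate
# per-member and per-client certificates from the same CA limit that exposure.
# Quoted delimiter: the JSON is written literally, no shell expansion.
cat <<'EOF' | tee server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "10.240.13.187",
    "10.240.13.66",
    "10.240.13.137"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "etcd",
      "OU": "etcd Security",
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF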
# Issue the member certificate under the "etcd" profile of ca-config.json.
# "cfssljson -bare server" writes server.pem, server-key.pem and server.csr
# (see the directory listing that follows); the key is created 0600.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=etcd \
  server-csr.json \
  | cfssljson -bare server
总用量 36
-rw-r----- 1 etcd etcd 290 6月 30 09:48 ca-config.json
-rw-r----- 1 etcd etcd 1009 6月 30 09:48 ca.csr
-rw-r----- 1 etcd etcd 269 6月 30 09:48 ca-csr.json
-rw------- 1 etcd etcd 1679 6月 30 09:48 ca-key.pem
-rw-r----- 1 etcd etcd 1371 6月 30 09:48 ca.pem
-rw-r----- 1 etcd etcd 1074 6月 30 09:48 server.csr
-rw-r----- 1 etcd etcd 358 6月 30 09:48 server-csr.json
-rw------- 1 etcd etcd 1679 6月 30 09:48 server-key.pem
-rw-r----- 1 etcd etcd 1456 6月 30 09:48 server.pem
https://github.com/etcd-io/etcd/releases/
- 上传etcd-v3.5.4-linux-amd64.tar.gz到/usr/local/src下
- 解压安装包
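# Unpack the etcd release uploaded to /usr/local/src and lay out /usr/local/etcd
# with the binaries at its root and the TLS material from the CA step in ssl/.
cd /usr/local/src || exit 1
# Supply-chain check: verify the tarball against the SHA256SUMS file published
# with the release (https://github.com/etcd-io/etcd/releases/) before unpacking:
#   sha256sum -c --ignore-missing SHA256SUMS
tar -zxvf etcd-v3.5.4-linux-amd64.tar.gz || exit 1
mv -- etcd-v3.5.4-linux-amd64 /usr/local/etcd
mv -- /usr/local/src/ssl /usr/local/etcd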
[root@10-240-13-187 etcd]
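# /usr/local/etcd/conf.yml for etcd01 (10.240.13.187).
# The keys under client-transport-security / peer-transport-security must be
# indented beneath them; at top level they would not configure TLS.
name: etcd01
data-dir: /usr/local/etcd/data
initial-advertise-peer-urls: https://10.240.13.187:2380
listen-peer-urls: https://10.240.13.187:2380
listen-client-urls: https://10.240.13.187:2379,https://127.0.0.1:2379
advertise-client-urls: https://10.240.13.187:2379
initial-cluster-token: shiajun-etcd-cluster
initial-cluster: etcd01=https://10.240.13.187:2380,etcd02=https://10.240.13.137:2380,etcd03=https://10.240.13.66:2380
# initial-cluster-state is left unset here (etcd defaults it to "new"), while
# etcd02's file says "new" and etcd03's says "existing". Members bootstrapped
# together must all use "new" — confirm the intended bootstrap order.
client-transport-security:
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  # Mutual TLS: every client, etcdctl included, must present a certificate
  # signed by ca.pem. This setup reuses server.pem for that; a dedicated
  # client certificate per consumer is the least-privilege option.
  client-cert-auth: true
  auto-tls: false
peer-transport-security:
  # The same certificate serves the peer listener; its SAN list must contain
  # this member's peer address (server-csr.json lists 10.240.13.187).
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  client-cert-auth: true
  auto-tls: false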
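# /usr/local/etcd/conf.yml for etcd02 (10.240.13.137).
# The keys under client-transport-security / peer-transport-security must be
# indented beneath them; at top level they would not configure TLS.
name: etcd02
data-dir: /usr/local/etcd/data
initial-advertise-peer-urls: https://10.240.13.137:2380
listen-peer-urls: https://10.240.13.137:2380
listen-client-urls: https://10.240.13.137:2379,https://127.0.0.1:2379
advertise-client-urls: https://10.240.13.137:2379
initial-cluster-token: shiajun-etcd-cluster
initial-cluster: etcd01=https://10.240.13.187:2380,etcd02=https://10.240.13.137:2380,etcd03=https://10.240.13.66:2380
# "new" bootstraps a fresh cluster together with the members in initial-cluster.
# etcd01's file leaves the key unset (same default) but etcd03's says
# "existing" — all three must agree for a joint bootstrap.
initial-cluster-state: new
client-transport-security:
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  # Mutual TLS: every client, etcdctl included, must present a certificate
  # signed by ca.pem (this setup reuses server.pem for that).
  client-cert-auth: true
  auto-tls: false
peer-transport-security:
  # server.pem's SAN list must contain this member's peer address
  # (server-csr.json lists 10.240.13.137).
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  client-cert-auth: true
  auto-tls: false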
[root@10-240-13-66 etcd]
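# /usr/local/etcd/conf.yml for etcd03 (10.240.13.66).
# The keys under client-transport-security / peer-transport-security must be
# indented beneath them; at top level they would not configure TLS.
name: etcd03
data-dir: /usr/local/etcd/data
initial-advertise-peer-urls: https://10.240.13.66:2380
listen-peer-urls: https://10.240.13.66:2380
listen-client-urls: https://10.240.13.66:2379,https://127.0.0.1:2379
advertise-client-urls: https://10.240.13.66:2379
initial-cluster-token: shiajun-etcd-cluster
initial-cluster: etcd01=https://10.240.13.187:2380,etcd02=https://10.240.13.137:2380,etcd03=https://10.240.13.66:2380
# "existing" means "join a cluster that is already running", which requires a
# prior "etcdctl member add etcd03 ..." on a live member (the page only shows
# that step for etcd04). If the three members are started together as a new
# cluster, this must be "new" like etcd02 — confirm the intended sequence.
initial-cluster-state: existing
client-transport-security:
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  # Mutual TLS: every client, etcdctl included, must present a certificate
  # signed by ca.pem (this setup reuses server.pem for that).
  client-cert-auth: true
  auto-tls: false
peer-transport-security:
  # server.pem's SAN list must contain this member's peer address
  # (server-csr.json lists 10.240.13.66).
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  client-cert-auth: true
  auto-tls: false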
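# systemd unit for etcd (the page does not name the unit file path; it is
# conventionally /etc/systemd/system/etcd.service).
[Unit]
Description=etcd
# etcd binds https://<node-ip>:2379 and :2380 at start, so wait until the
# network is actually configured rather than only for network.target.
Wants=network-online.target
After=network.target network-online.target

[Service]
# etcd sends sd_notify readiness, so "systemctl start" returns once it serves.
Type=notify
# Run as the dedicated etcd account created alongside this unit
# (groupadd/useradd etcd below) instead of root. The ssl/ files are already
# etcd-owned with the keys at 0600; /usr/local/etcd/data must be writable by
# this account as well (chown -R etcd:etcd /usr/local/etcd).
User=etcd
Group=etcd
WorkingDirectory=/usr/local/etcd/
# conf.yml is YAML, not KEY=VALUE lines, so it is not an EnvironmentFile
# (systemd would log invalid-assignment warnings for every line); it is
# passed to etcd with --config-file instead.
ExecStart=/usr/local/etcd/etcd --config-file=/usr/local/etcd/conf.yml
Restart=on-failure
LimitNOFILE=65536
# Low-risk sandboxing: the service cannot gain privileges and gets its own /tmp.
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target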
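# Service account for etcd: -r creates a system account, -M does not create the
# home directory (it is the install tree laid out above), the nologin shell
# rules out interactive use of the account.
groupadd -r etcd
useradd -r -M -g etcd -d /usr/local/etcd -s /sbin/nologin etcd
# Hand the install tree (binaries, ssl/, data/) to the service account; the
# directory listing above shows ssl/ owned etcd:etcd with the keys at 0600.
chown -R etcd:etcd /usr/local/etcd
# daemon-reload picks up the unit file written above; "enable --now" persists
# the unit and starts it in one step; --no-pager keeps status from blocking in
# a pager when run interactively.
systemctl daemon-reload
systemctl enable --now etcd
systemctl status etcd --no-pager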
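# Run from /usr/local/etcd: etcdctl and ssl/ are addressed relatively.
# The client API is port 2379 over https with mutual TLS (client-cert-auth: true
# in conf.yml), so plain http://…:2380 (the peer port) cannot answer etcdctl and
# every call needs the CA plus a client certificate. etcdctl v3 expects the
# double-dash form (--cacert); the single-dash -cacert is not the same flag.
# server.pem doubles as the client certificate here (see server-csr.json notes).
tls_flags=(
  --cacert=./ssl/ca.pem
  --cert=./ssl/server.pem
  --key=./ssl/server-key.pem
)
endpoints=https://10.240.13.187:2379,https://10.240.13.137:2379,https://10.240.13.66:2379
# Leader and raft state of every member (--cluster walks the member list itself).
./etcdctl -w table "${tls_flags[@]}" --endpoints="$endpoints" endpoint status --cluster
./etcdctl -w table "${tls_flags[@]}" --endpoints="$endpoints" member list
./etcdctl -w table "${tls_flags[@]}" --endpoints="$endpoints" endpoint health
# Snapshot taken from the local member (snapshot save talks to a single endpoint;
# 127.0.0.1:2379 is in listen-client-urls and in server.pem's SAN list).
# The snapshot holds every key in the store: protect and transfer it with the
# same care as server-key.pem.
./etcdctl "${tls_flags[@]}" --endpoints=https://127.0.0.1:2379 \
  snapshot save "./etcd-snapshot-$(date +%Y%m%d).db"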
恢复etcd01数据
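# Restore member etcd01 from the snapshot. Run on 10.240.13.187 with the etcd
# service stopped; --data-dir must not exist yet (move the old one aside), and
# every member is restored from the same snapshot file with an identical
# --initial-cluster. The third member is etcd03 (it was labelled etcd02 twice,
# which does not match conf.yml). etcd 3.5 ships etcdutl for restores; etcdctl
# still accepts this command but reports it as deprecated.
./etcdctl snapshot restore etcd-snapshot-20220629.db \
  --name=etcd01 \
  --initial-cluster=etcd01=https://10.240.13.187:2380,etcd02=https://10.240.13.137:2380,etcd03=https://10.240.13.66:2380 \
  --initial-cluster-token=shiajun-etcd-cluster \
  --initial-advertise-peer-urls=https://10.240.13.187:2380 \
  --data-dir=/usr/local/etcd/data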
恢复etcd02数据
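# Restore member etcd02 from the same snapshot. Run on 10.240.13.137 with the
# etcd service stopped; --data-dir must not exist yet, and --initial-cluster
# must be identical on every member. The third member is etcd03 (it was
# labelled etcd02 twice, which does not match conf.yml). etcd 3.5 ships
# etcdutl for restores; etcdctl still accepts this command but reports it as
# deprecated.
./etcdctl snapshot restore etcd-snapshot-20220629.db \
  --name=etcd02 \
  --initial-cluster=etcd01=https://10.240.13.187:2380,etcd02=https://10.240.13.137:2380,etcd03=https://10.240.13.66:2380 \
  --initial-cluster-token=shiajun-etcd-cluster \
  --initial-advertise-peer-urls=https://10.240.13.137:2380 \
  --data-dir=/usr/local/etcd/data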
恢复etcd03数据
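# Restore member etcd03 from the same snapshot. Run on 10.240.13.66 with the
# etcd service stopped; --data-dir must not exist yet, and --initial-cluster
# must be identical on every member. This member is etcd03 (the entry was
# labelled etcd02, a duplicate name that does not match conf.yml). etcd 3.5
# ships etcdutl for restores; etcdctl still accepts this command but reports
# it as deprecated.
./etcdctl snapshot restore etcd-snapshot-20220629.db \
  --name=etcd03 \
  --initial-cluster=etcd01=https://10.240.13.187:2380,etcd02=https://10.240.13.137:2380,etcd03=https://10.240.13.66:2380 \
  --initial-cluster-token=shiajun-etcd-cluster \
  --initial-advertise-peer-urls=https://10.240.13.66:2380 \
  --data-dir=/usr/local/etcd/data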
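# Register etcd04 on a running member before starting it (its conf.yml uses
# initial-cluster-state: existing). Run from /usr/local/etcd on an existing
# member; etcdctl v3 expects the double-dash --cacert form.
# Before etcd04 is started: server-csr.json lists only 127.0.0.1, .187, .66
# and .137 in "hosts", so the shared server.pem does not cover 10.240.13.67.
# Reissue server.pem with that address added (or give etcd04 its own
# certificate from the same CA) or peers and clients will reject it.
./etcdctl --cacert=./ssl/ca.pem --cert=./ssl/server.pem --key=./ssl/server-key.pem \
  --endpoints=https://127.0.0.1:2379 \
  member add etcd04 --peer-urls="https://10.240.13.67:2380"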
name: etcd04
[root@10-240-13-67 etcd]
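# /usr/local/etcd/conf.yml for etcd04 (10.240.13.67), the member added after the
# initial three. The keys under client-transport-security /
# peer-transport-security must be indented beneath them; at top level they
# would not configure TLS.
name: etcd04
data-dir: /usr/local/etcd/data
initial-advertise-peer-urls: https://10.240.13.67:2380
listen-peer-urls: https://10.240.13.67:2380
listen-client-urls: https://10.240.13.67:2379,https://127.0.0.1:2379
advertise-client-urls: https://10.240.13.67:2379
initial-cluster-token: shiajun-etcd-cluster
# initial-cluster lists the three running members plus this one.
initial-cluster: etcd01=https://10.240.13.187:2380,etcd02=https://10.240.13.137:2380,etcd03=https://10.240.13.66:2380,etcd04=https://10.240.13.67:2380
# "existing": join the running cluster; "etcdctl member add etcd04 ..." must
# have been run on a live member first.
initial-cluster-state: existing
client-transport-security:
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  # The server.pem issued from server-csr.json only covers 127.0.0.1, .187,
  # .66 and .137 — not 10.240.13.67. Reissue it with this address (or issue
  # etcd04 its own certificate) before starting, otherwise peers and clients
  # verifying the certificate will reject this member.
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  # Mutual TLS: every client must present a certificate signed by ca.pem.
  client-cert-auth: true
  auto-tls: false
peer-transport-security:
  # Same certificate and same SAN requirement as above.
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  client-cert-auth: true
  auto-tls: false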
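# Bring up the new member on 10.240.13.67: daemon-reload picks up the unit file
# if it was just installed on this node, "enable --now" persists the unit and
# starts it in one step, --no-pager keeps status from blocking in a pager.
systemctl daemon-reload
systemctl enable --now etcd
systemctl status etcd --no-pager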
# Updated initial-cluster value including etcd04 for the conf.yml of the
# members that already exist (etcd01–etcd03); presumably applied on each of
# those nodes — confirm. Note: a member whose data-dir already exists ignores
# initial-cluster on start, so this keeps the files consistent for a future
# re-bootstrap rather than changing the running cluster.
initial-cluster: etcd01=https://10.240.13.187:2380,etcd02=https://10.240.13.137:2380,etcd03=https://10.240.13.66:2380,etcd04=https://10.240.13.67:2380
# Restart the existing members after editing conf.yml. Restart one member at a
# time and wait for "endpoint health" to pass before the next: the four-member
# cluster needs three members up to keep quorum, so only one may be down.
systemctl restart etcd