`工作原理`
ETCD使用Raft协议来维护集群内各个节点状态的一致性。简单说,ETCD集群是一个分布式系统,由多个节点相互通信构成整体对外服务,每个节点都存储了完整的数据,并且通过Raft协议保证每个节点维护的数据是一致的。
1、启动容器
[root@iZuf612i9bshiuw3zzlfe9Z etcd]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cbcba4dd6c44 etcd "/usr/sbin/init" 4 seconds ago Up 2 seconds 0.0.0.0:2379->2379/tcp etcd_etcd-master_1
b8dba884f38c etcd "/usr/sbin/init" 4 seconds ago Up 2 seconds 0.0.0.0:2377->2379/tcp etcd_etcd-slave2_1
2af6e886f4f0 etcd "/usr/sbin/init" 4 seconds ago Up 2 seconds 0.0.0.0:2378->2379/tcp etcd_etcd-slave1_1
2、新建目录,存放证书、配置文件等
mkdir -p /opt/etcd/{bin,cfg,ssl}
3、生成证书文件
(1)下载工具
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
(2)生成ca证书
ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing","key encipherment",
"server auth",
"client auth"
]
}
}
}
}
ca-csr.json
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}]
}
root@etcd-master:/opt/etcd/ssl# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
root@etcd-master:/opt/etcd/ssl# ls ca*
ca-config.json ca-csr.json ca-key.pem ca.csr ca.pem
(3)使用自签 CA 签发 Etcd HTTPS 证书
server-csr.json
{
"CN": "etcd",
"hosts": [
"172.18.62.37",
"172.18.62.38",
"172.18.62.39"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}]
}
root@etcd-master:/opt/etcd/ssl# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
root@etcd-master:/opt/etcd/ssl# ls server*
server-csr.json server-key.pem server.csr server.pem
4、部署etcd
wget https://github.com/coreos/etcd/releases/download/v3.1.5/etcd-v3.1.5-linux-amd64.tar.gz
tar xvf etcd-v3.1.5-linux-amd64.tar.gz
mv etcd-v3.1.5-linux-amd64/etcd /opt/etcd/bin/
mv etcd-v3.1.5-linux-amd64/etcdctl /opt/etcd/bin/
5、修改配置文件
etcd.conf
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.18.62.37:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.18.62.37:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.18.62.37:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.18.62.37:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://172.18.62.37:2380,etcd-2=https://172.18.62.38:2380,etcd-3=https://172.18.62.39:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
6、将所有配置拷贝从节点,修改etcd.conf
scp -r /opt/etcd root@etcd-slave1:/opt
scp -r /usr/lib/systemd/system/etcd.service root@etcd-slave1:/usr/lib/systemd/system
scp -r /opt/etcd root@etcd-slave2:/opt
scp -r /usr/lib/systemd/system/etcd.service root@etcd-slave2:/usr/lib/systemd/system
7、启动服务
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
8、验证集群状态
ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://172.18.62.37:2379,https://172.18.62.38:2379,https://172.18.62.39:2379" endpoint health