etcd cluster installation

etcd is a distributed, consistent key-value store that can be used for service registration/discovery and shared configuration. Its advantages:
1. Simple: instead of the hard-to-understand Paxos algorithm, etcd achieves consistency with the relatively simple and easy-to-implement Raft algorithm, and exposes its API over gRPC
2. Secure: supports TLS communication, and read/write access to keys can be controlled per user
3. High performance: 10,000 writes per second

Open the ports:

firewall-cmd --zone=public --add-port=2379/tcp --permanent
firewall-cmd --zone=public --add-port=2380/tcp --permanent
firewall-cmd --zone=public --add-port=4001/tcp --permanent
firewall-cmd --reload


Set up hosts (add to /etc/hosts):

172.16.150.25 etcd1
172.16.150.26 etcd2
172.16.150.27 etcd3


Create the user

mkdir -p /opt/platform/etcd
useradd etcd -d /opt/platform/etcd -c "Etcd user" -r -s /sbin/nologin


Install cfssl

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson


Create the CA certificate config and generate the CA certificate and private key. This only needs to be done on one machine.

First use cfssl to generate config.json and csr.json files containing the default settings:

mkdir /opt/ssl
cd /opt/ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json


Then edit the two files to the following contents.

vim /opt/ssl/config.json

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}


config.json: several profiles can be defined, each with its own expiry, usage scenario and other parameters; one of these profiles is selected later when signing a certificate;
signing: the certificate may be used to sign other certificates; the generated ca.pem has CA=TRUE;
server auth: a client can use this CA to verify the certificate presented by a server;
client auth: a server can use this CA to verify the certificate presented by a client;

    vim /opt/ssl/csr.json
    
    {
      "CN": "kubernetes",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "Wuhan",
          "L": "Hubei",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    

CN: Common Name; kube-apiserver extracts this field from the certificate as the user name (UserName) of the request; browsers use this field to verify whether a site is legitimate;
O: Organization; kube-apiserver extracts this field from the certificate as the group (Group) the requesting user belongs to

Generate the CA certificate and private key

cd /opt/ssl
cfssl gencert -initca csr.json | cfssljson -bare ca


The CA-related certificate files are now:

[root@k8s-console ssl]# tree
.
├── ca.csr
├── ca-key.pem
├── ca.pem
├── config.json
└── csr.json


Create the etcd certificate config and generate the etcd certificate and private key

Under /opt/ssl add a file etcd-csr.json with the following content (the hosts list becomes the certificate's SANs, so every address etcd listens on or advertises must appear here):

{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "172.16.150.25",
    "172.16.150.26",
    "172.16.150.27"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "Etcd Security"
    }
  ]
}


Generate the etcd certificate and key

cd /opt/ssl
cfssl gencert -ca=/opt/ssl/ca.pem \
  -ca-key=/opt/ssl/ca-key.pem \
  -config=/opt/ssl/config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd


Give the certificates read permission

# 644 makes every file under /opt/ssl world-readable, including the private keys ca-key.pem and etcd-key.pem
chmod 644 /opt/ssl/*


The etcd-related certificate files are now:

etcd.csr
etcd-csr.json
etcd-key.pem
etcd.pem


That completes the CA and certificates. Copy everything under /opt/ssl on this machine to /opt/ssl on the other two machines.

Install etcd

Install etcd on all three machines

yum install etcd -y


Add the etcd release binaries

wget https://github.com/coreos/etcd/releases/download/v3.3.7/etcd-v3.3.7-linux-amd64.tar.gz
tar -xvf etcd-v3.3.7-linux-amd64.tar.gz
cd etcd-v3.3.7-linux-amd64
cp -a etcd* /opt/platform/etcd/


Add etcd as a system service
vim /usr/lib/systemd/system/etcd.service

etcd1

[Unit]
Description=etcd server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
User=etcd
WorkingDirectory=/opt/platform/etcd
EnvironmentFile=-/opt/platform/etcd/etcd.conf
ExecStart=/opt/platform/etcd/etcd \
  --name etcd1 \
  --cert-file=/opt/ssl/etcd.pem \
  --key-file=/opt/ssl/etcd-key.pem \
  --trusted-ca-file=/opt/ssl/ca.pem \
  --peer-cert-file=/opt/ssl/etcd.pem \
  --peer-key-file=/opt/ssl/etcd-key.pem \
  --peer-trusted-ca-file=/opt/ssl/ca.pem \
  --initial-advertise-peer-urls https://172.16.150.25:2380 \
  --listen-peer-urls https://172.16.150.25:2380 \
  --listen-client-urls https://172.16.150.25:2379,https://127.0.0.1:2379 \
  --advertise-client-urls https://172.16.150.25:2379 \
  --initial-cluster-token consul_etcd \
  --initial-cluster etcd1=https://172.16.150.25:2380,etcd2=https://172.16.150.26:2380,etcd3=https://172.16.150.27:2380 \
  --initial-cluster-state new \
  --data-dir=/opt/platform/etcd/data
Restart=on-failure
RestartSec=5


etcd2

[Unit]
Description=etcd server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
User=etcd
WorkingDirectory=/opt/platform/etcd
EnvironmentFile=-/opt/platform/etcd/etcd.conf
ExecStart=/opt/platform/etcd/etcd \
  --name etcd2 \
  --cert-file=/opt/ssl/etcd.pem \
  --key-file=/opt/ssl/etcd-key.pem \
  --trusted-ca-file=/opt/ssl/ca.pem \
  --peer-cert-file=/opt/ssl/etcd.pem \
  --peer-key-file=/opt/ssl/etcd-key.pem \
  --peer-trusted-ca-file=/opt/ssl/ca.pem \
  --initial-advertise-peer-urls https://172.16.150.26:2380 \
  --listen-peer-urls https://172.16.150.26:2380 \
  --listen-client-urls https://172.16.150.26:2379,https://127.0.0.1:2379 \
  --advertise-client-urls https://172.16.150.26:2379 \
  --initial-cluster-token consul_etcd \
  --initial-cluster etcd1=https://172.16.150.25:2380,etcd2=https://172.16.150.26:2380,etcd3=https://172.16.150.27:2380 \
  --initial-cluster-state new \
  --data-dir=/opt/platform/etcd/data
Restart=on-failure
RestartSec=5


etcd3

[Unit]
Description=etcd server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
User=etcd
WorkingDirectory=/opt/platform/etcd
EnvironmentFile=-/opt/platform/etcd/etcd.conf
ExecStart=/opt/platform/etcd/etcd \
  --name etcd3 \
  --cert-file=/opt/ssl/etcd.pem \
  --key-file=/opt/ssl/etcd-key.pem \
  --trusted-ca-file=/opt/ssl/ca.pem \
  --peer-cert-file=/opt/ssl/etcd.pem \
  --peer-key-file=/opt/ssl/etcd-key.pem \
  --peer-trusted-ca-file=/opt/ssl/ca.pem \
  --initial-advertise-peer-urls https://172.16.150.27:2380 \
  --listen-peer-urls https://172.16.150.27:2380 \
  --listen-client-urls https://172.16.150.27:2379,https://127.0.0.1:2379 \
  --advertise-client-urls https://172.16.150.27:2379 \
  --initial-cluster-token consul_etcd \
  --initial-cluster etcd1=https://172.16.150.25:2380,etcd2=https://172.16.150.26:2380,etcd3=https://172.16.150.27:2380 \
  --initial-cluster-state new \
  --data-dir=/opt/platform/etcd/data
Restart=on-failure
RestartSec=5

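An added consistency check (my own example, not code from the original post) that cross-checks the etcd-csr.json hosts and the config.json profile against the flags of the etcd1 ExecStart line above: every host in the listen/advertise/initial-cluster URLs must be in the certificate's hosts (SAN) list or TLS verification between members and clients fails, the profile must carry the usages the same certificate needs in both roles, and it reports whether --client-cert-auth / --peer-client-cert-auth are set, because --trusted-ca-file and --peer-trusted-ca-file only name the CA used once those flags require a certificate from the other side. The inputs are constructed copies of the page's own values.

```python
import re
from urllib.parse import urlparse

# Constructed inputs mirroring the page's etcd-csr.json hosts, config.json profile and etcd1 ExecStart flags.
ETCD_CSR = {"CN": "etcd", "hosts": ["127.0.0.1", "172.16.150.25", "172.16.150.26", "172.16.150.27"]}
CFSSL_CONFIG = {"signing": {"profiles": {"kubernetes": {
    "usages": ["signing", "key encipherment", "server auth", "client auth"], "expiry": "87600h"}}}}
ETCD1_ARGS = (
    "--name etcd1 --cert-file=/opt/ssl/etcd.pem --key-file=/opt/ssl/etcd-key.pem --trusted-ca-file=/opt/ssl/ca.pem "
    "--peer-cert-file=/opt/ssl/etcd.pem --peer-key-file=/opt/ssl/etcd-key.pem --peer-trusted-ca-file=/opt/ssl/ca.pem "
    "--initial-advertise-peer-urls https://172.16.150.25:2380 --listen-peer-urls https://172.16.150.25:2380 "
    "--listen-client-urls https://172.16.150.25:2379,https://127.0.0.1:2379 --advertise-client-urls https://172.16.150.25:2379 "
    "--initial-cluster-token consul_etcd --initial-cluster etcd1=https://172.16.150.25:2380,"
    "etcd2=https://172.16.150.26:2380,etcd3=https://172.16.150.27:2380 --initial-cluster-state new --data-dir=/opt/platform/etcd/data"
)
URL_FLAGS = ("--initial-advertise-peer-urls", "--listen-peer-urls",
             "--listen-client-urls", "--advertise-client-urls", "--initial-cluster")


def parse_args(argstr):
    """Map each --flag to its value ('--k=v' or '--k v'); bare flags map to True."""
    pairs = re.findall(r"(--[\w-]+)(?:[= ](?!--)(\S+))?", argstr)
    return {k: (v or True) for k, v in pairs}


def url_hosts(args):
    """Hosts named in every URL-bearing flag (initial-cluster entries are name=url)."""
    hosts = set()
    for flag in URL_FLAGS:
        for item in str(args.get(flag, "")).split(","):
            url = item.split("=", 1)[-1] if flag == "--initial-cluster" else item
            if url:
                hosts.add(urlparse(url).hostname)
    return hosts


def check(args, csr, config, profile="kubernetes"):
    """Return findings; an empty list means hosts, profile usages and auth flags are consistent."""
    findings = [f"host {h} missing from certificate hosts (SAN) list"
                for h in sorted(url_hosts(args) - set(csr["hosts"]))]
    usages = set(config["signing"]["profiles"][profile]["usages"])
    if "server auth" not in usages:
        findings.append("profile lacks 'server auth': clients cannot verify the server certificate")
    if "client auth" not in usages:
        findings.append("profile lacks 'client auth': the same cert is presented to peers as a client")
    # The CA files only verify a presented certificate; these flags are what require one.
    for flag in ("--client-cert-auth", "--peer-client-cert-auth"):
        if flag not in args:
            findings.append(f"{flag} not set: the CA file is not used to require a client certificate")
    return findings
```

Run check(parse_args(ETCD1_ARGS), ETCD_CSR, CFSSL_CONFIG) to see the findings for the page's configuration; an empty list means everything lines up.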

Start etcd:

mkdir -p /opt/platform/etcd/data && chown etcd:etcd -R /opt/platform/etcd
systemctl daemon-reload && systemctl enable etcd.service && systemctl start etcd.service


Add an alias (etcdctl v2 API flags, matching the cluster-health/set/get commands below):

vim /etc/profile.d/alias_bash.sh
alias etcdctl='etcdctl --endpoints=https://172.16.150.25:2379,https://172.16.150.26:2379,https://172.16.150.27:2379 --cert-file=/opt/ssl/etcd.pem --ca-file=/opt/ssl/ca.pem --key-file=/opt/ssl/etcd-key.pem'
source /etc/profile.d/alias_bash.sh


Verify the etcd cluster health

etcdctl cluster-health


List the etcd cluster members

etcdctl member list

Test and verify:

etcdctl set test/testkey0 0
etcdctl get test/testkey0


Original article: https://www.cnblogs.com/cjsblogs/p/8716976.html