etcd安装
etcd 是基于 Raft 的分布式 key-value 存储系统,由 CoreOS 开发,常用于服务发现、共享配置以及并发控制(如 leader 选举、分布式锁等)。kubernetes 使用 etcd 存储所有运行数据。
本文档介绍部署一个三节点高可用 etcd 集群的步骤:
- 下载和分发 etcd 二进制文件;
- 创建 etcd 集群各节点的 x509 证书,用于加密客户端(如 etcdctl) 与 etcd 集群、etcd 集群之间的数据流;
- 创建 etcd 的 systemd unit 文件,配置服务参数;
- 检查集群工作状态;
etcd 集群各节点的名称和 IP 如下:
- 192.168.110.100 k8s-master
- 192,168.110.101 k8s-node01
- 192.168.110.102 k8s-node02
关闭防火墙以及SELinux
systemctl stop iptables systemctl stop firewalld systemctl disable iptables systemctl disable firewalld vi /etc/selinux/config SELINUX=disable
设置hosts
vim /etc/hosts 192.168.110.100 k8s-master 192,168.110.101 k8s-node01 192.168.110.102 k8s-node02
创建用户
useradd etcd -d /data/home -c "Etcd user" -r -s /sbin/nologin
下载和分发 etcd 二进制文件
在每个节点下载etcd二进制文件
wget https://github.com/coreos/etcd/releases/download/v3.3.7/etcd-v3.3.7-linux-amd64.tar.gz tar -xvf etcd-v3.3.7-linux-amd64.tar.gz
cfssl安装
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
创建 CA 证书配置,生成 CA 证书和私钥
mkdir /opt/ssl cd /opt/ssl cfssl print-defaults config > config.json cfssl print-defaults csr > csr.json
然后分别修改这两个文件为如下内容
config.json
cat > config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "87600h" } } } } EOF
ca-config.json:
可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;
signing:
表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE;
server auth:
表示 Client 可以用该 CA 对 Server 提供的证书进行验证;
client auth:
表示 Server 可以用该 CA 对 Client 提供的证书进行验证;
csr.json
cat > csr.json <<EOF { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF
CN:
Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名(User Name);浏览器使用该字段验证网站是否合法;
O:
Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组(Group);
生成 CA 证书和私钥
cd /opt/ssl
cfssl gencert -initca csr.json | cfssljson -bare ca
CA 有关证书列表如下:
[root@k8s-master ssl]# tree . ├── ca.csr ├── ca-key.pem ├── ca.pem ├── config.json └── csr.json
创建 etcd 证书配置,生成 etcd 证书和私钥
在 /opt/ssl 下添加文件 etcd-csr.json,内容如下
{ "CN": "etcd", "hosts": [ "127.0.0.1", "192.168.110.100", "192.168.110.101", "192.168.110.102" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "etcd", "OU": "Etcd Security" } ] }
生成 etcd 证书和密钥
cd /opt/ssl cfssl gencert -ca=/opt/ssl/ca.pem -ca-key=/opt/ssl/ca-key.pem -config=/opt/ssl/config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
etcd 有关证书证书列表如下
ls etcd*
etcd.csr etcd-csr.json etcd-key.pem etcd.pem
将证书分别传到各个节点并设置权限
chmod 644 /opt/ssl/*
在三台上都安装 etcd
tar -xvf etcd-v3.3.4-linux-amd64.tar.gz cd etcd-v3.3.4-linux-amd64 cp mv etcd* /opt/platform/etcd/
分别添加 etcd 配置
vim /opt/platform/etcd/etcd.conf # [member] ETCD_NAME="etcd1" #不同机器需要做修改 与下面集群配置相对应 ETCD_DATA_DIR="/data/etcd" ETCD_LISTEN_PEER_URLS="https://192.168.110.100:2380" ETCD_LISTEN_CLIENT_URLS="https://192.168.110.100:2379,http://127.0.0.1:2379" # [cluster] ETCD_ADVERTISE_CLIENT_URLS="https://192.168.110.100:2379" ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.110.100:2380" ETCD_INITIAL_CLUSTER="etcd1=https://192.168.110.100:2380,etcd2=https://192.168.110.101:2380,etcd3=https://192.168.110.102:2380" ETCD_INITIAL_CLUSTER_STATE=new ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster ETCD_ENABLE_V2="true"
配置说明
ETCD_NAME:
etcd 集群中的节点名,这里可以随意,可区分且不重复就行。
ETCD_LISTEN_PEER_URLS:
监听的用于节点之间通信的 URL,可监听多个,集群内部将通过这些 URL 进行数据交互(如选举、数据同步等)。
ETCD_LISTEN_CLIENT_URLS:
监听的用于客户端通信的 URL,同样可以监听多个。
ETCD_ADVERTISE_CLIENT_URLS:
建议使用的客户端通信 URL,该值用于 etcd 代理或 etcd 成员与 etcd 节点通信。
ETCD_INITIAL_ADVERTISE_PEER_URLS:
建议用于节点之间通信的 URL,节点间将以该值进行通信。
ETCD_INITIAL_CLUSTER:
也就是集群中所有的 initial--advertise-peer-urls 的合集。
ETCD_INITIAL_CLUSTER_STATE:
新建集群的标志。
ETCD_INITIAL_CLUSTER_TOKEN:
节点的 token 值,设置该值后集群将生成唯一 ID,并为每个节点也生成唯一 ID,当使用相同配置文件再启动一个集群时,只要该 token 值不一样,etcd 集群就不会相互影响。
flannel操作etcd使用的是v2的API,而kubernetes操作etcd使用的v3的API,为了兼容flannel,将默认开启v2版本,故配置文件中设置 ETCD_ENABLE_V2="true"
添加系统服务
vim /usr/lib/systemd/system/etcd.service [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify EnvironmentFile=/opt/platform/etcd/etcd.conf ExecStart=/usr/bin/etcd --cert-file=/opt/ssl/etcd.pem --key-file=/opt/ssl/etcd-key.pem --peer-cert-file=/opt/ssl/etcd.pem --peer-key-file=/opt/ssl/etcd-key.pem --trusted-ca-file=/opt/ssl/ca.pem --peer-trusted-ca-file=/opt/ssl/ca.pem Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target
创建 data 目录,然后启动 etcd 服务
mkdir -p /opt/platform/etcd/data && chown etcd:etcd -R /opt/platform/etcd && chmod 755 /opt/platform/etcd/data systemctl enable etcd.service && systemctl start etcd.service
etcd 3.4注意事项
ETCD3.4版本ETCDCTL_API=3 etcdctl 和 etcd --enable-v2=false 成为了默认配置,如要使用v2版本,执行etcdctl时候需要设置ETCDCTL_API环境变量,例如:ETCDCTL_API=2 etcdctl ETCD3.4版本会自动读取环境变量的参数,所以EnvironmentFile文件中有的参数,不需要再次在ExecStart启动参数中添加,二选一,如同时配置,会触发以下类似报错“etcd: conflicting environment variable "ETCD_NAME" is shadowed by corresponding command-line flag (either unset environment variable or disable flag)” flannel操作etcd使用的是v2的API,而kubernetes操作etcd使用的v3的API
验证 etcd 集群状态
[root@localhost data]# etcdctl --endpoints=https://192.168.110.100:2379 --cacert="/opt/ssl/ca.pem" --cert="/opt/ssl/etcd.pem" --key="/opt/ssl/etcd-key.pem" endpoint health https://192.168.110.100:2379 is healthy: successfully committed proposal: took = 16.533873ms [root@localhost data]# etcdctl --endpoints=https://192.168.110.101:2379 --cacert="/opt/ssl/ca.pem" --cert="/opt/ssl/etcd.pem" --key="/opt/ssl/etcd-key.pem" endpoint health https://192.168.110.101:2379 is healthy: successfully committed proposal: took = 24.19221ms [root@localhost data]# etcdctl --endpoints=https://192.168.110.102:2379 --cacert="/opt/ssl/ca.pem" --cert="/opt/ssl/etcd.pem" --key="/opt/ssl/etcd-key.pem" endpoint health https://192.168.110.102:2379 is healthy: successfully committed proposal: took = 20.12311ms
查看 etcd 集群成员
etcdctl --endpoints=https://192.168.110.100:2379 --cacert="/opt/ssl/ca.pem" --cert="/opt/ssl/etcd.pem" --key="/opt/ssl/etcd-key.pem" member list 3e49d4614347212d, started, etcd1, https://192.168.110.100:2380, https://192.168.110.100:2379, false 8d2730b8d7d6bbb3, started, etcd3, https://192.168.110.102:2380, https://192.168.110.102:2379, false f7edfa2ae51ff5e8, started, etcd2, https://192.168.110.101:2380, https://192.168.110.101:2379, false
添加etcd节点
ETCDCTL_API=3 etcdctl member add node-3-172.17.166.219 https://172.17.166.219:2379 --endpoints=https://127.0.0.1:2379 --cacert=/etc/etcd/ca.pem --cert=/etc/etcd/kubernetes.pem --key=/etc/etcd/kubernetes-key.pem
更新etcd节点
ETCDCTL_API=3 etcdctl member update node-6-172.17.27.248 https://172.17.166.219:2380 --endpoints=https://127.0.0.1:2379 --cacert=/etc/etcd/ca.pem --cert=/etc/etcd/kubernetes.pem --key=/etc/etcd/kubernetes-key.pem
删除etcd节点
ETCDCTL_API=3 etcdctl member remove 420ac0182fbc116e --endpoints=https://127.0.0.1:2379 --cacert=/etc/etcd/ca.pem --cert=/etc/etcd/kubernetes.pem --key=/etc/etcd/kubernetes-key.pem
etcd数据备份
ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/etcd/ca.pem --cert=/etc/etcd/kubernetes.pem --key=/etc/etcd/kubernetes-key.pem snapshot save /home/etcd_snapshot.db
etcd节点数据恢复
ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/etcd/ca.pem --cert=/etc/etcd/kubernetes.pem --key=/etc/etcd/kubernetes-key.pem snapshot restore /home/etcd_snapshot.db
注(以上需要修改配置文件重新下发etcd证书并更新apiserver配置)
查看etcd metrics信息
curl --cert /etc/etcd/kubernetes.pem --key /etc/etcd/kubernetes-key.pem https://127.0.0.1:2379/metrics -k