部署 etcd(在master节点上执行)
-
下载安装etcd
cd /opt/k8s/work wget https://github.com/etcd-io/etcd/releases/download/v3.3.18/etcd-v3.3.18-linux-amd64.tar.gz tar -xvf etcd-v3.3.18-linux-amd64.tar.gz -
安装etcd
cd /opt/k8s/work cp etcd-v3.3.18-linux-amd64/etcd* /opt/k8s/bin/ chmod +x /opt/k8s/bin/* -
创建 etcd 证书和私钥
-
创建证书签名请求文件
cd /opt/k8s/work cat > etcd-csr.json <<EOF { "CN": "etcd", "hosts": [ "127.0.0.1", "192.168.0.107" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "NanJing", "L": "NanJing", "O": "k8s", "OU": "system" } ] } EOF- 指定授权使用该证书的 etcd 节点 IP 列表
-
生成证书和私钥
cd /opt/k8s/work cfssl gencert -ca=/opt/k8s/work/ca.pem -ca-key=/opt/k8s/work/ca-key.pem -config=/opt/k8s/work/ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd ls etcd*pem -
安装证书
cd /opt/k8s/work cp etcd*.pem /etc/etcd/cert/
-
-
创建etcd启动文件
cat> /etc/systemd/system/etcd.service<< EOF [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target Documentation=https://github.com/coreos [Service] Type=notify WorkingDirectory=/data/k8s/etcd/data ExecStart=/opt/k8s/bin/etcd \ --data-dir=/etc/etcd/cfg/etcd \ --name=etcd-chengf \ --cert-file=/etc/etcd/cert/etcd.pem \ --key-file=/etc/etcd/cert/etcd-key.pem \ --trusted-ca-file=/etc/kubernetes/cert/ca.pem \ --peer-cert-file=/etc/etcd/cert/etcd.pem \ --peer-key-file=/etc/etcd/cert/etcd-key.pem \ --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem \ --peer-client-cert-auth \ --client-cert-auth \ --listen-peer-urls=https://192.168.0.107:2380 \ --initial-advertise-peer-urls=https://192.168.0.107:2380 \ --listen-client-urls=https://192.168.0.107:2379,http://127.0.0.1:2379 \ --advertise-client-urls=https://192.168.0.107:2379 \ --initial-cluster-token=etcd-cluster-0\ --initial-cluster=etcd-chengf=https://192.168.0.107:2380 \ --initial-cluster-state=new \ --auto-compaction-mode=periodic \ --auto-compaction-retention=1 \ --max-request-bytes=33554432 \ --quota-backend-bytes=6442450944 \ --heartbeat-interval=250 \ --election-timeout=2000 Restart=on-failure RestartSec=5 LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF- WorkingDirectory、--data-dir:指定工作目录和数据目录,需在启动服务前创建这个目录;
- --name:指定节点名称,当 --initial-cluster-state 值为 new 时,--name 的参数值必须位于 --initial-cluster 列表中;
- --cert-file、--key-file:etcd server 与 client 通信时使用的证书和私钥;
- --trusted-ca-file:签名 client 证书的 CA 证书,用于验证 client 证书;
- --peer-cert-file、--peer-key-file:etcd 与 peer 通信使用的证书和私钥;
- --peer-trusted-ca-file:签名 peer 证书的 CA 证书,用于验证 peer 证书;
-
创建etcd数据目录
mkdir -p /data/k8s/etcd/data -
启动 etcd 服务
systemctl enable etcd && systemctl start etcd -
检查启动结果
systemctl status etcd|grep Active-
确保状态为 active (running),否则查看日志,确认原因
-
如果出现异常,通过如下命令查看
journalctl -u etcd
-
-
验证服务状态
export ETCD_ENDPOINTS=https://192.168.0.107:2379 etcdctl --endpoints=${ETCD_ENDPOINTS} --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pem cluster-healthetcdctl --endpoints=${ETCD_ENDPOINTS} --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pem member list输出结果
root@master:/opt/k8s/work# etcdctl --endpoints=${ETCD_ENDPOINTS} --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pem cluster-health
member c0d3b56a9878e38f is healthy: got healthy result from https://192.168.0.107:2379
cluster is healthy
root@master:/opt/k8s/work# etcdctl --endpoints=${ETCD_ENDPOINTS} --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pemmember list
c0d3b56a9878e38f: name=etcd-chengf peerURLs=https://192.168.0.107:2380 clientURLs=https://192.168.0.107:2379 isLeader=true
```