这里的etcd集群复用我们测试的3个节点,3个node都要安装并启动,注意修改配置文件
1、TLS认证文件分发:etcd集群认证用,除了本机有,分发到其他node节点
scp ca.pem kubernetes-key.pem kubernetes.pem root@10.10.90.106:/etc/kubernetes/ssl scp ca.pem kubernetes-key.pem kubernetes.pem root@10.10.90.107:/etc/kubernetes/ssl
2、安装Etcd,这里使用的yum安装方式
#查询版本是否合适,我这里是3.2.9版本 yum info etcd #安装 yum install etcd
若使用yum安装,默认etcd命令将在/usr/bin目录下,注意修改下面的etcd.service文件中的启动命令地址为/usr/bin/etcd
3、创建etcd的systemd unit文件(既centos7下的服务定义文件)
文件位置:/usr/lib/systemd/system/etcd.service ,默认该文件存在,删除重建即可。
[Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target Documentation=https://github.com/coreos [Service] Type=notify WorkingDirectory=/var/lib/etcd/ EnvironmentFile=-/etc/etcd/etcd.conf ExecStart=/usr/bin/etcd --name etcd-host0 --cert-file=/etc/kubernetes/ssl/kubernetes.pem --key-file=/etc/kubernetes/ssl/kubernetes-key.pem --peer-cert-file=/etc/kubernetes/ssl/kubernetes.pem --peer-key-file=/etc/kubernetes/ssl/kubernetes-key.pem --trusted-ca-file=/etc/kubernetes/ssl/ca.pem --peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem --initial-advertise-peer-urls https://10.10.90.105:2380 --listen-peer-urls https://10.10.90.105:2380 --listen-client-urls https://10.10.90.105:2379,http://127.0.0.1:2379 --advertise-client-urls https://10.10.90.105:2379 --initial-cluster-token etcd-cluster-0 --initial-cluster etcd-host0=https://10.10.90.105:2380,etcd-host1=https://10.10.90.106:2380,etcd-host2=https://10.10.90.107:2380 --initial-cluster-state new --data-dir=/var/lib/etcd Restart=on-failure RestartSec=5 LimitNOFILE=65536 [Install] WantedBy=multi-user.target
配置注意事项:所有节点都必须配置此文件,并且注意下面4个注意事项。
1、IP地址除了initial-cluster 配置项是配置集群内3个地址的ip外,其他IP均为本机的IP。
2、配置下--name必须与--initial-cluster配置项里的的对应,比如图上配置就是我master的配置,name是etcd-host0,下面的IP对应的名称也是这个。
3、通过不同方式安装的软件Execstart配置项下的程序启动命令路径注意修改
4、WorkingDirectory工作目录需要实现创建,否则启动会报错。
4、创建etcd环境变量文件
文件位置:/etc/etcd/etcd.conf,yum安装完之后该文件会存在,删除重建即可。
# [member] ETCD_NAME=infra1 ETCD_DATA_DIR="/var/lib/etcd" ETCD_LISTEN_PEER_URLS="https://10.10.90.105:2380" ETCD_LISTEN_CLIENT_URLS="https://10.10.90.105:2379" #[cluster] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.10.90.105:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_ADVERTISE_CLIENT_URLS="https://10.10.90.105:2379"
注意事项:
1、再次提醒ETCD_DATA_DIR一定要存在,其他的IP地址替换为本机的即可,maser及node节点都需要配置
2、ETCD_NAME按照etcd系统服务里面的配置一一对应,分别是infra1,infra2,infra3
5、设置开机启动及启动etcd
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd
6、检测集群工作情况
在任意一个节点,master或者node都可以,执行以下命令
etcdctl --ca-file=/etc/kubernetes/ssl/ca.pem --cert-file=/etc/kubernetes/ssl/kubernetes.pem --key-file=/etc/kubernetes/ssl/kubernetes-key.pem cluster-health
如果输出类似如下如的情况,代表成功:
结果最后一行为 cluster is healthy 时表示集群服务正常
注意事项:
1、建议所有节点都运行一次进行检测,我在maser检点进行检测的时候发现master本身的几点都链接上,报unhealthy错误,查看报错后发现是使用了代理上网设置
当初为了在线软件设置的上网代理,需要关闭代理,取消配置参数,重启了服务器才检测成功。
2、防火墙务必关闭,否则会有链接不到etcd的问题。。
3、以后使用etcd查询数据都需要使用认证文件,查询格式:
etcdctl --ca-file=/etc/kubernetes/ssl/ca.pem --cert-file=/etc/kubernetes/ssl/kubernetes.pem --key-file=/etc/kubernetes/ssl/kubernetes-key.pem cluster-health
否则出错,例如:
[root@kube_master ssl]# etcdctl cluster-health failed to check the health of member 2f590aa6fa719c4b on https://10.10.90.105:2379: Get https://10.10.90.105:2379/health: x509: certificate signed by unknown authority member 2f590aa6fa719c4b is unreachable: [https://10.10.90.105:2379] are all unreachable failed to check the health of member 43ea47a48fb7ffce on https://10.10.90.106:2379: Get https://10.10.90.106:2379/health: x509: certificate signed by unknown authority member 43ea47a48fb7ffce is unreachable: [https://10.10.90.106:2379] are all unreachable failed to check the health of member d965bb336acbfc6c on https://10.10.90.107:2379: Get https://10.10.90.107:2379/health: x509: certificate signed by unknown authority member d965bb336acbfc6c is unreachable: [https://10.10.90.107:2379] are all unreachable cluster is unhealthy