安装etcd服务
1 2 3 4 5
| wget https://github.com/etcd-io/etcd/releases/download/ \ v3.3.17/etcd-v3.3.18-linux-arm64.tar.gz tar xf etcd-v3.3.17-linux-amd64.tar.gz cd etcd-v3.3.17-linux-amd64 mv etcd* /usr/bin/
|
单节点部署
配置文件
1 2 3 4 5 6 7 8 9
| # etho是网卡名称 node_ip=$(ifconfig etho | grep inet | grep -v inet6 | awk '{print $2}') cat << EOF | tee /etc/etcd/etcd.conf ETCD_NAME="etcd01" ETCD_DATA_DIR="/var/lib/etcd" ETCD_LISTEN_PEER_URLS="http://${node_ip}:2380" ETCD_LISTEN_CLIENT_URLS="http://${node_ip}:2379" ETCD_ADVERTISE_CLIENT_URLS="http://${node_ip}:2379" EOF
|
systemctl service文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
| cat << \EOF | tee /lib/systemd/system/etcd.service [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify EnvironmentFile=/etc/etcd/etcd.conf ExecStart=/usr/bin/etcd \ --name=${ETCD_NAME} \ --data-dir=${ETCD_DATA_DIR} \ --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \ --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \ --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF
|
etcd集群
配置文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
| # master结点的IP地址 master_ip="10.0.2.15" # etho是网卡名称, node_ip是etcd结点的IP地址 node_ip=$(ifconfig etho | grep inet | grep -v inet6 | awk '{print $2}')
cat << EOF | tee /etc/etcd/etcd.conf ETCD_NAME="etcd01" # {etcd01, etcd02, etcd03}, 结点名称 ETCD_DATA_DIR="/var/lib/etcd" ETCD_LISTEN_PEER_URLS="http://${node_ip}:2380" ETCD_LISTEN_CLIENT_URLS="http://${node_ip}:2379" ETCD_ADVERTISE_CLIENT_URLS="http://${node_ip}:2379" ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${node_ip}:2380" # node{num}_ip是每个结点的IP地址 ETCD_INITIAL_CLUSTER="etcd01=https://${master_ip}:2380,\ etcd02=https://${node1_ip}:2380,etcd03=https://${node2_ip}:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new"
|
systemctl service文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
| cat << \EOF | tee /lib/systemd/system/etcd.service [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify EnvironmentFile=/etc/etcd/etcd.conf ExecStart=/usr/bin/etcd \ --name=${ETCD_NAME} \ --data-dir=${ETCD_DATA_DIR} \ --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \ --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \ --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \ --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \ --initial-cluster=${ETCD_INITIAL_CLUSTER} \ --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \ --initial-cluster-state=new Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF
|
etcd之HTTPS
购买证书或者自制私有证书,使etcd支持https方式访问
安装配置CFSSL
创建证书工具,用于提供https服务, 只需要在master结点上安装
1 2 3 4 5 6 7
| wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
|
创建证书
生成根证书
只需在master结点上生成ca证书,然后同步至node结点中
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
| cat << EOF | tee ca-config.json { "signing": { "default": { "expiry": "87600h" }, "profiles": { "www": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
| # etcd ca配置文件 cat << EOF | tee ca-csr.json { "CN": "etcd CA", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Shanghai", "ST": "Shanghai" } ] } EOF
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
| # etcd server证书 # hosts是etcd结点ip列表 cat << EOF | tee server-csr.json { "CN": "etcd", "hosts": [ "10.0.2.15", "10.0.2.4", "10.0.2.5" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Shanghai", "ST": "Shanghai" } ] } EOF
|
1 2 3 4
| cfssl gencert -initca ca-csr.json | cfssljson -bare ca - cfssl gencert -ca=ca.pem \ -ca-key=ca-key.pem -config=ca-config.json \ -profile=www server-csr.json | cfssljson -bare server
|
配置证书
更新完master结点的service文件之后,同步到node结点
编辑文件,vim /lib/systemd/system/etcd.service
,在ExecStart指令后面添加如下启动参数
1 2 3 4 5 6
| --cert-file=/etc/etcd/ssl/server.pem \ --key-file=/etc/etcd/ssl/server-key.pem \ --peer-cert-file=/etc/etcd/ssl/server.pem \ --peer-key-file=/etc/etcd/ssl/server-key.pem \ --trusted-ca-file=/etc/etcd/ssl/ca.pem \ --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem
|
编辑文件,vim /etc/etcd/etcd.conf
, 更新协议, http -> https
服务健康检测
默认检测的endpoint是http://0.0.0.0:2379