The nodes used in this deployment:

```
kubermaster1 192.168.4.11
kubermaster2 192.168.4.12
kubermaster3 192.163.4.13
```

```
[root@kubermaster1 etcd-v3.2.11-linux-amd64]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
```

The etcd cluster deployed here uses TLS certificates to encrypt traffic between members and clients, and enables mutual (two-way) certificate authentication with certificates signed by the CA root certificate.
Install Go:

```sh
cd /usr/local/src
wget http://redirector.gvt1.com/edgedl/go/go1.9.2.linux-amd64.tar.gz
tar -xvf go1.9.2.linux-amd64.tar.gz -C /usr/local
```

Add Go to the environment. The heredoc delimiter is quoted so that `$GOROOT` and `$PATH` are written into /etc/profile literally instead of being expanded (to an empty GOROOT) by the shell that appends the file:

```sh
cat >> /etc/profile << 'EOF'
# Go installation path
export GOROOT=/usr/local/go
# Path for tools installed by Go
export GOPATH=/apps/local/go
export PATH=$GOROOT/bin:$PATH
EOF
source /etc/profile
```

GOPATH and GOROOT must not be the same directory.

Check that the configuration took effect:

```
[root@kubermaster2 bin]# go version
go version go1.9.2 linux/amd64
```
cfssl will be used to generate the required private keys and certificates:

```sh
go get -u github.com/cloudflare/cfssl/cmd/...
```

This installs cfssl, cfssljson, mkbundle and other tools under $GOPATH/bin.
Create the CA configuration file ca-config.json:

```json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "aspire": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
```

Multiple profiles can be defined in ca-config.json, each with its own expiry, usages and other parameters. The ca-config.json above defines a profile named aspire: its expiry of 87600h is 10 years, and its usages (signing, key encipherment, server auth, client auth) allow a certificate issued under it to sign, to perform key exchange, and to be presented both as a server certificate and as a client certificate. The single etcd certificate generated below is used in all of those roles: as the member's client-facing server certificate, as its peer certificate, and as etcdctl's client certificate.
Create the CA certificate signing request ca-csr.json:

```json
{
  "CN": "aspire",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "aspire",
      "OU": "cloudnative"
    }
  ]
}
```

Generate the CA certificate and private key:

```sh
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
```
Create the etcd certificate signing request configuration etcd-csr.json:

```json
{
  "CN": "aspire.etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.4.11",
    "192.168.4.12",
    "192.168.4.13",
    "kubermaster1",
    "kubermaster2",
    "kubermaster3"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "aspire.etcd",
      "OU": "Operation and maintenance center"
    }
  ]
}
```

The hosts field is the list of names (host names and IP addresses) for which this certificate is valid. CN: kube-apiserver extracts this field from the certificate as the user name (User Name) of the request; browsers use this field to check whether a website is legitimate.

The names value is actually a list of name objects. Each name object should contain at least one of C, L, O, OU or ST (or any combination of these), the standard X.509 subject fields: country, locality, organization, organizational unit, and state or province.

Next, generate the etcd certificate and private key:

```sh
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=aspire etcd-csr.json | cfssljson -bare etcd
```

The generated certificate can be inspected with cfssl or openssl:

```
$ cfssl-certinfo -cert etcd.pem
{
  "subject": {
    ...
      "cloudnative",
      "aspire"
    ]
  },
  "serial_number": "555738010691550377350124675225187029254417657480",
  "sans": [
    "kubermaster1",
    "kubermaster2",
    "kubermaster3",
    "127.0.0.1",
    "192.168.4.11",
    "192.168.4.12",
    "192.168.4.13"
  ],
  "not_before": "2017-12-18T06:57:00Z",
  "not_after": "2027-12-16T06:57:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "DB:5D:58:25:31:D5:2A:D8:DB:C1:EF:C4:68:B4:B0:13:FA:6B:42:C3",
  "subject_key_id": "6D:9B:6E:6A:F8:40:4D:4C:03:A4:0F:05:58:E1:9A:72:2E:8E:AB:58",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIETjCCAzagAwIBAgIUYVgnfkNJEfm75Tye3fynwTrvrogwDQYJKoZIhvcNAQEL\nBQAwaTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDA... "
}
```
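To make concrete what the profile's usages and the request's hosts list mean for the checks that an etcd member or etcdctl actually performs, here is an added example (not code from the original post and not cfssl's own code). It builds a throwaway CA and an etcd-style leaf certificate in memory with Go's standard crypto/x509 package, using the same CN, hosts, key usages and 87600h expiry as the page's ca-csr.json, etcd-csr.json and aspire profile, and then runs the verification a TLS peer performs. The type and function names (LeafSpec, EtcdSpec, NewCA, Issue, VerifyFor) are this example's own; cfssl writes the equivalent certificates to disk.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// LeafSpec mirrors the parts of etcd-csr.json and the aspire profile that
// matter for verification: the CN, the hosts (SAN list) and the usages.
type LeafSpec struct {
	CN     string
	Hosts  []string
	Usages []x509.ExtKeyUsage
}

// EtcdSpec is a constructed copy of the values in the page's etcd-csr.json
// combined with the "server auth" and "client auth" usages of the profile.
func EtcdSpec() LeafSpec {
	return LeafSpec{
		CN: "aspire.etcd",
		Hosts: []string{"127.0.0.1", "192.168.4.11", "192.168.4.12", "192.168.4.13",
			"kubermaster1", "kubermaster2", "kubermaster3"},
		Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

// NewCA creates a self-signed CA in memory, the equivalent of
// "cfssl gencert -initca ca-csr.json" (hypothetical helper, not cfssl code).
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // "algo": "rsa", "size": 2048
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "aspire", Organization: []string{"aspire"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(87600 * time.Hour), // the profile's 10-year expiry
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue signs a leaf certificate under ca, splitting the hosts list into IP
// and DNS SANs the way cfssl does for the "hosts" field of the CSR file.
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, spec LeafSpec) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: spec.CN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(87600 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // "signing", "key encipherment"
		ExtKeyUsage:  spec.Usages,                                                  // "server auth", "client auth"
	}
	for _, h := range spec.Hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyFor performs the check a TLS peer performs: leaf must chain to ca,
// must be permitted for usage, and, if name is non-empty, name must match a
// SAN. An empty name skips the host check, as a server does for a client cert.
func VerifyFor(ca, leaf *x509.Certificate, name string, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   name,
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	leaf, err := Issue(ca, caKey, EtcdSpec())
	if err != nil {
		panic(err)
	}
	fmt.Println("server auth for 192.168.4.11:", VerifyFor(ca, leaf, "192.168.4.11", x509.ExtKeyUsageServerAuth))
	fmt.Println("client auth:", VerifyFor(ca, leaf, "", x509.ExtKeyUsageClientAuth))
	fmt.Println("server auth for 192.168.4.99:", VerifyFor(ca, leaf, "192.168.4.99", x509.ExtKeyUsageServerAuth))
}
```

The first two checks pass and the third fails, because 192.168.4.99 is not in hosts; that is the error an etcd member or etcdctl sees when a certificate does not cover the address it was dialed at. A profile without "client auth" would likewise fail the second check, which would break both etcdctl and peer-to-peer authentication, since the page uses one certificate for every role.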
Copy the generated CA certificate ca.pem, the etcd private key etcd-key.pem and the etcd certificate etcd.pem into the /etc/etcd/ssl directory on each node.

Visit https://github.com/coreos/etcd/releases on GitHub, find the latest release package and download it:

```sh
cd /usr/local/src
wget https://github.com/coreos/etcd/releases/download/v3.2.11/etcd-v3.2.11-linux-amd64.tar.gz
```

Extract etcd-v3.2.11-linux-amd64.tar.gz and copy the two executables it contains, etcd and etcdctl, into /usr/bin on each node.

Create the etcd data directory on each node:

```sh
mkdir -p /var/lib/etcd
```

Create the etcd systemd unit file /usr/lib/systemd/system/etcd.service on each node, taking care to replace the values of the ETCD_NAME and INTERNAL_IP variables:
```sh
export ETCD_NAME=kubermaster3
export INTERNAL_IP=192.168.4.13
# --name must be one of the keys in --initial-cluster, otherwise etcd refuses
# to start ("couldn't find local name in the initial cluster configuration").
cat > /usr/lib/systemd/system/etcd.service <<EOF
[Unit]
Description=etcd server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd \
  --name ${ETCD_NAME} \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \
  --listen-peer-urls https://${INTERNAL_IP}:2380 \
  --listen-client-urls https://${INTERNAL_IP}:2379,https://127.0.0.1:2379 \
  --advertise-client-urls https://${INTERNAL_IP}:2379 \
  --initial-cluster-token etcd-cluster-1 \
  --initial-cluster kubermaster1=https://192.168.4.11:2380,kubermaster2=https://192.168.4.12:2380,kubermaster3=https://192.168.4.13:2380 \
  --initial-cluster-state new \
  --data-dir=/var/lib/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

The startup parameters above set etcd's working directory and data directory to /var/lib/etcd. Because --trusted-ca-file and --peer-trusted-ca-file are given, etcd requires clients and peers to present a certificate signed by ca.pem, which is the mutual authentication described at the start.

Start etcd on each node:

```sh
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd
```

Check the cluster's health from any node. The endpoints use the node names that are in the certificate's hosts list; etcdctl presents etcd.pem as its client certificate:

```
etcdctl \
  --ca-file=/etc/etcd/ssl/ca.pem \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  --endpoints=https://kubermaster1:2379,https://kubermaster2:2379,https://kubermaster3:2379 \
  cluster-health
2017-04-24 19:53:40.545148 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
2017-04-24 19:53:40.546127 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
member 4f2f99d70000fc19 is healthy: got healthy result from https://192.168.61.12:2379
member 99a756f799eb4163 is healthy: got healthy result from https://192.168.61.11:2379
member a9aff19397de2e4e is healthy: got healthy result from https://192.168.61.13:2379
cluster is healthy
```