原文地址:https://blog.csdn.net/wenwst/article/details/79851235
ETCD安裝
服務器準備
ETCD集群我們這里使用三臺獨立服務器安裝。如果是生產環境，服務器足夠的話，最好用獨立服務器，當然，也可以和別的服務安裝在一起。但是我們在這里使用獨立服務器。這樣也更好理解原理，配置也更為清晰。
首先，我們要對服務器做一些初始化的配置。比如服務名配置，IP配置，系統更新等。
0001…..服務器初始配置
yds-dev-svc01-etcd01 主機名配置
[root@localhost ~]# hostnamectl
Static hostname: yds-dev-svc01-etcd01
Icon name: computer-vm
Chassis: vm
Machine ID: 86551c512ea14b06a9eaf8ad100e7973
Boot ID: 5b698ae318804cbfb578302d563bee36
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-693.el7.x86_64
Architecture: x86-64
配置完成后，重新登錄一下
yds-dev-svc01-etcd01 IP地址配置
修改網絡配置文件
[root@yds-dev-svc01-etcd01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=7d6fb2ed-364c-415f-9b02-0e54436ff1ec
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.3.50
NETMASK=255.255.255.0
GATEWAY=192.168.3.1
DNS1=192.168.3.10
DNS2=114.114.114.114
查看網絡配置信息。
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:7c:79:54 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.50/24 brd 192.168.3.255 scope global ens32
valid_lft forever preferred_lft forever
inet6 fe80::9cd:60a3:99e2:48ff/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::fbd2:5239:fe68:ea3d/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::2a36:8b76:9a1d:7d50/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
yds-dev-svc01-etcd02 主機名配置
[root@localhost ~]# hostnamectl set-hostname yds-dev-svc01-etcd02
[root@localhost ~]# hostnamectl
Static hostname: yds-dev-svc01-etcd02
Icon name: computer-vm
Chassis: vm
Machine ID: 86551c512ea14b06a9eaf8ad100e7973
Boot ID: 80402b905e324612812f2e03dc6d6949
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-693.el7.x86_64
Architecture: x86-64
配置完成后,重新登錄一下
yds-dev-svc01-etcd02 IP地址配置
修改網絡配置文件
[root@yds-dev-svc01-etcd02 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=7d6fb2ed-364c-415f-9b02-0e54436ff1ec
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.3.51
NETMASK=255.255.255.0
GATEWAY=192.168.3.1
DNS1=192.168.3.10
DNS2=114.114.114.114
查看網絡配置信息。
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:42:a8:9d brd ff:ff:ff:ff:ff:ff
inet 192.168.3.51/24 brd 192.168.3.255 scope global ens32
valid_lft forever preferred_lft forever
inet6 fe80::9cd:60a3:99e2:48ff/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::fbd2:5239:fe68:ea3d/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::2a36:8b76:9a1d:7d50/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
yds-dev-svc01-etcd03 主機名配置
[root@localhost ~]# hostnamectl set-hostname yds-dev-svc01-etcd03
[root@localhost ~]# hostnamectl
Static hostname: yds-dev-svc01-etcd03
Icon name: computer-vm
Chassis: vm
Machine ID: 86551c512ea14b06a9eaf8ad100e7973
Boot ID: 509a0b69f26c41d2bc4e3ba18dba4c39
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-693.el7.x86_64
Architecture: x86-64
配置完成后，重新登錄一下
修改網絡配置文件
[root@yds-dev-svc01-etcd03 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32
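# ifcfg-ens32 for yds-dev-svc01-etcd03: static IPv4 address, same layout as the
# files shown for the other two nodes.
# NOTE(review): the UUID below is the same value shown for etcd01 and etcd02 on
# this page, and all three hosts list identical fe80:: addresses in "dadfailed"
# state, which suggests cloned VMs — confirm, and regenerate per-host
# identifiers if so.
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=7d6fb2ed-364c-415f-9b02-0e54436ff1ec
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.3.52
NETMASK=255.255.255.0
GATEWAY=192.168.3.1
DNS1=192.168.3.10
# Second resolver. The original listing repeated the DNS1 key here, which
# leaves only one DNS1 value in effect instead of adding a fallback resolver.
DNS2=114.114.114.114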
查看網絡配置信息。
[root@yds-dev-svc01-etcd03 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ae:06:3e brd ff:ff:ff:ff:ff:ff
inet 192.168.3.52/24 brd 192.168.3.255 scope global ens32
valid_lft forever preferred_lft forever
inet6 fe80::9cd:60a3:99e2:48ff/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::fbd2:5239:fe68:ea3d/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::2a36:8b76:9a1d:7d50/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
yds-dev-svc01-etcd01 系統更新
執行以下命令
[root@yds-dev-svc01-etcd01 ~]# yum install -y epel-release; yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sohu.com
* epel: mirrors.sohu.com
* extras: mirrors.sohu.com
* updates: mirrors.cn99.com
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sohu.com
* epel: mirrors.sohu.com
* extras: mirrors.sohu.com
* updates: mirrors.cn99.com
No packages marked for update
yds-dev-svc01-etcd02 系統更新
執行以下命令
[root@yds-dev-svc01-etcd02 ~]# yum install -y epel-release; yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sohu.com
* epel: mirror01.idc.hinet.net
* extras: mirrors.sohu.com
* updates: mirrors.aliyun.com
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sohu.com
* epel: mirror01.idc.hinet.net
* extras: mirrors.sohu.com
* updates: mirrors.aliyun.com
No packages marked for update
yds-dev-svc01-etcd03 系統更新
執行以下命令
[root@yds-dev-svc01-etcd03 ~]# yum install -y epel-release ; yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: mirror01.idc.hinet.net
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: mirror01.idc.hinet.net
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
No packages marked for update
yds-dev-svc01-etcd01 關閉selinux
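# Switch the running system to permissive mode, then persist SELINUX=disabled
# for the next boot (the state this guide chooses).
# NOTE(review): disabling SELinux removes mandatory access control from a host
# that will hold the etcd private keys and the cluster data. SELINUX=permissive
# keeps denials logged if the goal is only to stop enforcement — confirm that
# full disablement is really needed before using this in production.
setenforce 0
# Edit only /etc/selinux/config. On CentOS 7 /etc/sysconfig/selinux is a
# symlink to it, and "sed -i" on the symlink replaces the link with a regular
# file, leaving two copies that can drift apart.
sed -ri 's/^SELINUX=(enforcing|permissive)/SELINUX=disabled/' /etc/selinux/config
grep '^SELINUX=' /etc/selinux/config
getenforce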
yds-dev-svc01-etcd02 關閉selinux
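# Switch the running system to permissive mode, then persist SELINUX=disabled
# for the next boot (the state this guide chooses).
# NOTE(review): disabling SELinux removes mandatory access control from a host
# that will hold the etcd private keys and the cluster data. SELINUX=permissive
# keeps denials logged if the goal is only to stop enforcement — confirm that
# full disablement is really needed before using this in production.
setenforce 0
# Edit only /etc/selinux/config. On CentOS 7 /etc/sysconfig/selinux is a
# symlink to it, and "sed -i" on the symlink replaces the link with a regular
# file, leaving two copies that can drift apart.
sed -ri 's/^SELINUX=(enforcing|permissive)/SELINUX=disabled/' /etc/selinux/config
grep '^SELINUX=' /etc/selinux/config
getenforce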
yds-dev-svc01-etcd03 關閉selinux
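# Switch the running system to permissive mode, then persist SELINUX=disabled
# for the next boot (the state this guide chooses).
# NOTE(review): disabling SELinux removes mandatory access control from a host
# that will hold the etcd private keys and the cluster data. SELINUX=permissive
# keeps denials logged if the goal is only to stop enforcement — confirm that
# full disablement is really needed before using this in production.
setenforce 0
# Edit only /etc/selinux/config. On CentOS 7 /etc/sysconfig/selinux is a
# symlink to it, and "sed -i" on the symlink replaces the link with a regular
# file, leaving two copies that can drift apart.
sed -ri 's/^SELINUX=(enforcing|permissive)/SELINUX=disabled/' /etc/selinux/config
grep '^SELINUX=' /etc/selinux/config
getenforce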
yds-dev-svc01-etcd01 關閉交換分區swap
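# Turn swap off now and keep it off after a reboot.
swapoff -a
# Comment out only active swap entries (a whitespace-delimited "swap" field).
# Lines that are already commented are skipped, so re-running does not stack
# extra "#" characters. The previous file is kept as /etc/fstab.bak.
sed -ri.bak '/^[[:space:]]*#/!s/^(.*[[:space:]]swap[[:space:]].*)$/#\1/' /etc/fstab
cat /etc/fstab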
yds-dev-svc01-etcd02 關閉交換分區swap
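# Turn swap off now and keep it off after a reboot.
swapoff -a
# Comment out only active swap entries (a whitespace-delimited "swap" field).
# Lines that are already commented are skipped, so re-running does not stack
# extra "#" characters. The previous file is kept as /etc/fstab.bak.
sed -ri.bak '/^[[:space:]]*#/!s/^(.*[[:space:]]swap[[:space:]].*)$/#\1/' /etc/fstab
cat /etc/fstab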
yds-dev-svc01-etcd03 關閉交換分區swap
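# Turn swap off now and keep it off after a reboot.
swapoff -a
# Comment out only active swap entries (a whitespace-delimited "swap" field).
# Lines that are already commented are skipped, so re-running does not stack
# extra "#" characters. The previous file is kept as /etc/fstab.bak.
sed -ri.bak '/^[[:space:]]*#/!s/^(.*[[:space:]]swap[[:space:]].*)$/#\1/' /etc/fstab
cat /etc/fstab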
yds-dev-svc01-etcd01 設置內核
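# On CentOS 7 the net.bridge.* keys are provided by the br_netfilter module,
# so load it before applying the settings.
modprobe br_netfilter
cat <<'EOF' > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
# Apply the file that was just written. "sysctl -p /etc/sysctl.conf" reads a
# different file and would not apply these two settings.
sysctl -p /etc/sysctl.d/k8s.conf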
執行效果
[root@yds-dev-svc01-etcd01 ~]# cat <<EOF > /etc/sysctl.d/k8s.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@yds-dev-svc01-etcd01 ~]# sysctl -p /etc/sysctl.conf
[root@yds-dev-svc01-etcd01 ~]#
yds-dev-svc01-etcd02 設置內核
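# On CentOS 7 the net.bridge.* keys are provided by the br_netfilter module,
# so load it before applying the settings.
modprobe br_netfilter
cat <<'EOF' > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
# Apply the file that was just written. "sysctl -p /etc/sysctl.conf" reads a
# different file and would not apply these two settings.
sysctl -p /etc/sysctl.d/k8s.conf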
執行效果
[root@yds-dev-svc01-etcd02 ~]# cat <<EOF > /etc/sysctl.d/k8s.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@yds-dev-svc01-etcd02 ~]# sysctl -p /etc/sysctl.conf
[root@yds-dev-svc01-etcd02 ~]#
yds-dev-svc01-etcd03 設置內核
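# On CentOS 7 the net.bridge.* keys are provided by the br_netfilter module,
# so load it before applying the settings.
modprobe br_netfilter
cat <<'EOF' > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
# Apply the file that was just written. "sysctl -p /etc/sysctl.conf" reads a
# different file and would not apply these two settings.
sysctl -p /etc/sysctl.d/k8s.conf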
執行效果
[root@yds-dev-svc01-etcd03 ~]# cat <<EOF > /etc/sysctl.d/k8s.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@yds-dev-svc01-etcd03 ~]# sysctl -p /etc/sysctl.conf
[root@yds-dev-svc01-etcd03 ~]# sysctl -p
[root@yds-dev-svc01-etcd03 ~]#
0002…..ETCD環境配置
yds-dev-svc01-etcd01 設置ETCD環境
複製執行以下命令:
# Register the three etcd members in /etc/hosts and persist this node's
# identity and the cluster member list in root's login profile.
tee -a /etc/hosts >/dev/null <<'EOF'
192.168.3.50 yds-dev-svc01-etcd01
192.168.3.51 yds-dev-svc01-etcd02
192.168.3.52 yds-dev-svc01-etcd03
EOF
tee -a ~/.bash_profile >/dev/null <<'EOF'
export NODE_NAME=yds-dev-svc01-etcd01
export NODE_IP=192.168.3.50
export NODE_IPS="192.168.3.50 192.168.3.51 192.168.3.52"
export ETCD_NODES=yds-dev-svc01-etcd01=https://192.168.3.50:2380,yds-dev-svc01-etcd02=https://192.168.3.51:2380,yds-dev-svc01-etcd03=https://192.168.3.52:2380
EOF
. ~/.bash_profile
# Print each value back as a quick visual check.
for value in "$NODE_NAME" "$NODE_IP" "$NODE_IPS" "$ETCD_NODES"; do
  echo "$value"
done
yds-dev-svc01-etcd02 設置ETCD環境
複製執行以下命令:
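# Register the three etcd members in /etc/hosts and persist this node's
# identity and the cluster member list in root's login profile.
# /etc/hosts entries are "<address> <name>"; the original listing for this
# node had the two columns swapped, so the names would not resolve.
cat <<'EOF' >> /etc/hosts
192.168.3.50 yds-dev-svc01-etcd01
192.168.3.51 yds-dev-svc01-etcd02
192.168.3.52 yds-dev-svc01-etcd03
EOF
cat <<'EOF' >> ~/.bash_profile
export NODE_NAME=yds-dev-svc01-etcd02
export NODE_IP=192.168.3.51
export NODE_IPS="192.168.3.50 192.168.3.51 192.168.3.52"
export ETCD_NODES=yds-dev-svc01-etcd01=https://192.168.3.50:2380,yds-dev-svc01-etcd02=https://192.168.3.51:2380,yds-dev-svc01-etcd03=https://192.168.3.52:2380
EOF
source ~/.bash_profile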
yds-dev-svc01-etcd03 設置ETCD環境
複製執行以下命令:
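# Register the three etcd members in /etc/hosts and persist this node's
# identity and the cluster member list in root's login profile.
# /etc/hosts entries are "<address> <name>"; the original listing for this
# node had the two columns swapped, so the names would not resolve.
cat <<'EOF' >> /etc/hosts
192.168.3.50 yds-dev-svc01-etcd01
192.168.3.51 yds-dev-svc01-etcd02
192.168.3.52 yds-dev-svc01-etcd03
EOF
cat <<'EOF' >> ~/.bash_profile
export NODE_NAME=yds-dev-svc01-etcd03
export NODE_IP=192.168.3.52
export NODE_IPS="192.168.3.50 192.168.3.51 192.168.3.52"
export ETCD_NODES=yds-dev-svc01-etcd01=https://192.168.3.50:2380,yds-dev-svc01-etcd02=https://192.168.3.51:2380,yds-dev-svc01-etcd03=https://192.168.3.52:2380
EOF
source ~/.bash_profile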
0003…..ETCD證書配置
此部分可以在自己的電腦上面執行，也可以只在yds-dev-svc01-etcd01中執行。在這里，我們在yds-dev-svc01-etcd01中執行。
- 安裝證書生成工具 *
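# Install the cfssl tool set (cfssl, cfssljson, cfssl-certinfo) and move into a
# private working directory; the steps that follow write the CA and etcd
# private keys into the current directory.
yum install -y wget
# mktemp -d creates a root-only directory with an unpredictable name, instead
# of a fixed, guessable path under world-writable /tmp.
workdir=$(mktemp -d /tmp/key.XXXXXX)
cd "$workdir"
echo "working directory: $workdir"
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64"
  # NOTE(review): nothing on this page verifies the download. Before
  # installing, compare `sha256sum "${tool}_linux-amd64"` with the digest
  # published by the project for this release.
  install -m 0755 "${tool}_linux-amd64" "/usr/local/bin/${tool}"
  rm -f "${tool}_linux-amd64"
done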
- 創建 CA 配置文件 *
創建CA文件:
signing: 表示該證書可用于簽名其它證書；生成的 ca.pem 證書中 CA=TRUE;
server auth: 表示 client 可以用該 CA 對 server 提供的證書進行驗證;
client auth: 表示 server 可以用該 CA 對 client 提供的證書進行驗證;
# Signing policy cfssl uses when issuing certificates from this CA.
# The "kubernetes" profile allows both "server auth" and "client auth", and
# both the default and the profile expiry are 87600h.
# NOTE(review): 87600h is about ten years and no rotation procedure appears on
# this page — plan how these certificates will be replaced or revoked.
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
這里可以根據你的需要修改CN和O。
“CN”:Common Name，kube-apiserver 從證書中提取該字段作為請求的用戶名 (User Name)；瀏覽器使用該字段驗證網站是否合法；
“O”:Organization，kube-apiserver 從證書中提取該字段作為請求用戶所屬的組 (Group)；
# Certificate signing request for the CA itself: CN "kubernetes", a 2048-bit
# RSA key, and the subject fields listed under "names".
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "chengdu",
"L": "chengdu",
"O": "k8s",
"OU": "System"
}
]
}
EOF
- 生成 CA 證書和私鑰 *
# Create the CA from ca-csr.json; cfssljson writes the results with the "ca"
# prefix (ca.pem and ca-key.pem are used by the signing step later on).
# ca-key.pem is the CA private key: whoever holds it can issue certificates
# this cluster will trust, so keep it out of shared or temporary locations.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls ca*
- 創建 etcd 證書簽名請求 *
hosts 字段指定授權使用該證書的 etcd 節點 IP;
每個節點IP 都要在里面 或者 每個機器申請一個對應IP的證書
# Certificate signing request for etcd. "hosts" lists 127.0.0.1 and the three
# member addresses, so one certificate and one private key serve every node.
# NOTE(review): with a shared key, a compromise of any one member exposes the
# key used by all of them; a certificate per member limits that.
cat > etcd-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.3.50",
"192.168.3.51",
"192.168.3.52"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "chengdu",
"L": "chengdu",
"O": "k8s",
"OU": "System"
}
]
}
EOF
生成 etcd 證書和私鑰
# Sign the etcd request with the CA using the "kubernetes" profile from
# ca-config.json; cfssljson writes the results with the "etcd" prefix
# (etcd.pem and etcd-key.pem are copied to the nodes in a later step).
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes etcd-csr.json | cfssljson -bare etcd
ls etcd*
以上證書生產完成。為了安全起見，需要將生成的證書及配置文件進行備份。
在yds-dev-svc01-etcd01，yds-dev-svc01-etcd02，yds-dev-svc01-etcd03中創建/etc/etcd/ssl目錄
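# Directory for the etcd certificate, private key and CA certificate.
# The unit file on this page sets no User=, so etcd runs as root and a
# root-only directory is sufficient.
mkdir -p /etc/etcd/ssl && chmod 0700 /etc/etcd/ssl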
將生成etcd證書複製到各個etcd安裝目錄中
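# Install the certificate material locally with explicit modes, then copy the
# same three files to the other members. The private key is set to 0600, and
# only the named files are copied rather than everything matching a glob.
install -m 0644 etcd.pem ca.pem /etc/etcd/ssl/
install -m 0600 etcd-key.pem /etc/etcd/ssl/
for peer in yds-dev-svc01-etcd02 yds-dev-svc01-etcd03; do
  # -p preserves the file modes set above on the receiving side.
  scp -p /etc/etcd/ssl/ca.pem /etc/etcd/ssl/etcd.pem /etc/etcd/ssl/etcd-key.pem \
    "root@${peer}:/etc/etcd/ssl/"
done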
下載ETCD安裝文件
我們在這里使用的ETCD版本為3.2.18,如果你在安裝的時候，也可以使用這個版本，當然，也可以使用更高的版本或其他版本。
在yds-dev-svc01-etcd01中下載ETCD，下載完成后，複製安裝文件到yds-dev-svc01-etcd02和yds-dev-svc01-etcd03中。
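# Download etcd v3.2.18 into a private scratch directory, check the archive,
# then install etcd and etcdctl locally and on the other two members.
scratch=$(mktemp -d /tmp/etcd-download.XXXXXX)
cd "$scratch"
wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz
# The archive ends up running as root on every node, so verify it before
# unpacking. The value below is a placeholder, not a real digest: replace it
# with the SHA-256 published for this exact release.
expected_sha256='REPLACE_WITH_PUBLISHED_SHA256'
if echo "${expected_sha256}  etcd-v3.2.18-linux-amd64.tar.gz" | sha256sum -c -; then
  tar -xzf etcd-v3.2.18-linux-amd64.tar.gz
  cd etcd-v3.2.18-linux-amd64
  install -m 0755 etcd etcdctl /usr/local/bin/
  for peer in yds-dev-svc01-etcd02 yds-dev-svc01-etcd03; do
    scp -p etcd etcdctl "root@${peer}:/usr/local/bin/"
  done
else
  echo "checksum mismatch for etcd-v3.2.18-linux-amd64.tar.gz; nothing installed" >&2
fi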
創建 etcd 的 systemd unit 文件
先創建ETCD工作目錄
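# etcd data directory (also the unit's WorkingDirectory). It holds the whole
# keyspace, so restrict it to the account etcd runs as (root on this page).
mkdir -p /var/lib/etcd && chmod 0700 /var/lib/etcd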
如果沒有配置這個目錄，會出現Failed at step CHDIR spawning /usr/local/bin/etcd: No such file or directory的錯誤信息。
在各個服務器執行以下命令創建systemd unit文件。
因為在命令中包含變量，這些變量我們在前面已經創建了，為了保險，我們再檢查一下:
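# Check the variables the configuration step depends on. An empty value would
# be written into the etcd configuration silently (for example "--name=" or
# "https://:2380"), so report it instead of printing a blank line.
for var in NODE_NAME NODE_IP ETCD_NODES; do
  if [ -n "${!var:-}" ]; then
    printf '%s=%s\n' "$var" "${!var}"
  else
    printf 'ERROR: %s is empty or unset; run "source ~/.bash_profile" first\n' "$var" >&2
  fi
done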
生成ETCD配置文件
這里生成的配置文件有: /etc/etcd/etcd-key.conf, /etc/etcd/etcd.conf
網上大部分是把這兩個配置文件和systemd unit文件存放在一起, 也可以參考這樣的方法，看個人習慣。
/etc/etcd/etcd-key.conf:存放我們證書的配置信息。
/etc/etcd/etcd.conf:存放ETCD集群的配置信息。
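# TLS flags shared by the client (2379) and peer (2380) listeners.
# --client-cert-auth and --peer-client-cert-auth make etcd require a
# certificate signed by the trusted CA. Without them the CA files are
# configured but connections that present no certificate are still accepted,
# so TLS would encrypt traffic without authenticating the caller.
cat > /etc/etcd/etcd-key.conf <<EOF
ETCD_KEY='--cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem --peer-cert-file=/etc/etcd/ssl/etcd.pem --peer-key-file=/etc/etcd/ssl/etcd-key.pem --trusted-ca-file=/etc/etcd/ssl/ca.pem --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem --client-cert-auth --peer-client-cert-auth'
EOF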
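# Write the per-node cluster settings. ${NODE_NAME}, ${NODE_IP} and
# ${ETCD_NODES} are expanded now, while the file is written, so refuse to
# write it if any of them is empty.
# The loopback client listener uses https as well: the plain-HTTP listener in
# the original would let any local process read and write the keyspace without
# TLS or a certificate. The certificate already lists 127.0.0.1 in its hosts.
if [ -z "${NODE_NAME}" ] || [ -z "${NODE_IP}" ] || [ -z "${ETCD_NODES}" ]; then
  echo "NODE_NAME, NODE_IP and ETCD_NODES must be set; /etc/etcd/etcd.conf not written" >&2
else
  cat > /etc/etcd/etcd.conf <<EOF
ETCD_NAME='--name=${NODE_NAME}'
DATA_DIR='--data-dir=/var/lib/etcd'
INITIAL_CLUSTER_STATE='--initial-cluster-state=new'
INITIAL_CLUSTER_TOKEN='--initial-cluster-token=etcd-cluster-0'
INITIAL_ADVERTISE_PEER_URLS='--initial-advertise-peer-urls=https://${NODE_IP}:2380'
LISTEN_PEER_URLS='--listen-peer-urls=https://${NODE_IP}:2380'
LISTEN_CLIENT_URLS='--listen-client-urls=https://${NODE_IP}:2379,https://127.0.0.1:2379'
ADVERTISE_CLIENT_URLS='--advertise-client-urls=https://${NODE_IP}:2379'
INITIAL_CLUSTER='--initial-cluster=${ETCD_NODES}'
EOF
fi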
創建/etc/systemd/system/etcd.service
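# systemd unit for the etcd member on this host. Every etcd flag comes from the
# two environment files; the unbraced $VAR form lets systemd split each value
# into separate arguments.
# NOTE(review): no User= is set, so etcd runs as root. Running it under a
# dedicated account would also need matching ownership on /var/lib/etcd and
# /etc/etcd/ssl.
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
# No "-" prefix on the paths: if either file is missing the unit fails to start
# instead of launching etcd with its built-in defaults and none of the TLS flags.
EnvironmentFile=/etc/etcd/etcd.conf
EnvironmentFile=/etc/etcd/etcd-key.conf
ExecStart=/usr/local/bin/etcd \
$ETCD_NAME \
$DATA_DIR \
$INITIAL_CLUSTER_STATE \
$INITIAL_CLUSTER_TOKEN \
$INITIAL_ADVERTISE_PEER_URLS \
$LISTEN_PEER_URLS \
$LISTEN_CLIENT_URLS \
$ADVERTISE_CLIENT_URLS \
$INITIAL_CLUSTER \
$ETCD_KEY
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target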
參數說明:
WorkingDirectory: ETCD工作目錄
開放2379和2380端口
如果沒有開啟，ETCD可能無法啟動。
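# Open the etcd client port (2379) and peer port (2380). The original listing
# added 2379 twice and never opened 2380, which the members use to reach each
# other.
# NOTE(review): --add-port admits every source in the active zone. Port 2380
# only needs to be reachable from the other two members and 2379 from the
# clients of this cluster; consider rules limited to those addresses.
firewall-cmd --permanent --add-port=2379/tcp
firewall-cmd --permanent --add-port=2380/tcp
firewall-cmd --reload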
啟動 etcd 服務
# Reload unit definitions, then enable, start and report on the etcd service.
systemctl daemon-reload
for verb in enable start status; do
  systemctl "$verb" etcd
done
驗證ETCD服務
# Cluster health check over TLS against this node's client URL, presenting the
# etcd certificate and key and trusting the cluster CA.
etcdctl --endpoints="https://${NODE_IP}:2379" \
  --ca-file=/etc/etcd/ssl/ca.pem \
  --cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem \
  cluster-health
返回如下信息就表示我們配置的ETCD集群正常:
member 4f0deb6feb86262a is healthy: got healthy result from https://192.168.3.51:2379
member 88ccd3107db11e1e is healthy: got healthy result from https://192.168.3.50:2379
member a7363df6be39715b is healthy: got healthy result from https://192.168.3.52:2379
cluster is healthy
以上，我們完成了ETCD的配置工作，但是，如果我們要將ETCD在生產環境中使用，還需要對ETCD做備份。
ETCD備份
數據備份的重要性這里不詳說了。只能說，非常重要。
要了解etcd的備份，我們可以先看下以下連接.
https://github.com/coreos/etcd/blob/master/Documentation/v2/admin_guide.md#disaster-recovery
備份ETCD集群有兩種方式: ETCD內置的snapshot和volume snapshot。
ETCD內置的快照(snapshot)備份非常簡單。可以使用命令“etcdctl snapshot save”或者直接保存member/snap/db。
API3備份
我們剛創建的ETCD集群生成快照命令如下，執行下面的命令，會在當前目錄生成一個snapshotdb文件。
# Save a v3 snapshot to ./snapshotdb, then print its status as a table.
# The snapshot is a copy of the cluster's data, so store and transfer it with
# the same care as the etcd data directory.
# Runs in a subshell so the helper variables do not leak into the session.
(
  export ETCDCTL_API=3
  conn=(
    --endpoints="https://${NODE_IP}:2379"
    --cacert=/etc/etcd/ssl/ca.pem
    --cert=/etc/etcd/ssl/etcd.pem
    --key=/etc/etcd/ssl/etcd-key.pem
  )
  etcdctl "${conn[@]}" snapshot save snapshotdb
  etcdctl "${conn[@]}" --write-out=table snapshot status snapshotdb
)
API3備份恢復
yds-dev-svc01-etcd01 中執行:
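# Rebuild the data directory for yds-dev-svc01-etcd01 from the snapshot, with
# etcd stopped on that node.
# - "snapshot restore" works on local files, so it takes no TLS options. The
#   etcd server flags from the original command (--cert-file, --peer-cert-file,
#   --trusted-ca-file, ...) are not restore options and are dropped.
# - snapshotdb is the file name written by the "snapshot save" step.
# - The advertised peer URL must be the https:// URL listed for this member in
#   ETCD_NODES; the original used http://, which does not match.
# - --data-dir is the directory the systemd unit uses. Restore expects it not
#   to exist yet, so move the old directory aside first.
ETCDCTL_API=3 etcdctl snapshot restore snapshotdb \
  --name yds-dev-svc01-etcd01 \
  --initial-cluster "${ETCD_NODES}" \
  --initial-cluster-token etcd-cluster-0 \
  --initial-advertise-peer-urls https://192.168.3.50:2380 \
  --data-dir /var/lib/etcd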
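# Rebuild the data directory for yds-dev-svc01-etcd02 from the snapshot, with
# etcd stopped on that node.
# - "snapshot restore" works on local files, so it takes no TLS options. The
#   etcd server flags from the original command (--cert-file, --peer-cert-file,
#   --trusted-ca-file, ...) are not restore options and are dropped.
# - snapshotdb is the file name written by the "snapshot save" step.
# - The advertised peer URL must be the https:// URL listed for this member in
#   ETCD_NODES; the original used http://, which does not match.
# - --data-dir is the directory the systemd unit uses. Restore expects it not
#   to exist yet, so move the old directory aside first.
ETCDCTL_API=3 etcdctl snapshot restore snapshotdb \
  --name yds-dev-svc01-etcd02 \
  --initial-cluster "${ETCD_NODES}" \
  --initial-cluster-token etcd-cluster-0 \
  --initial-advertise-peer-urls https://192.168.3.51:2380 \
  --data-dir /var/lib/etcd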
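# Rebuild the data directory for yds-dev-svc01-etcd03 from the snapshot, with
# etcd stopped on that node.
# - "snapshot restore" works on local files, so it takes no TLS options. The
#   etcd server flags from the original command (--cert-file, --peer-cert-file,
#   --trusted-ca-file, ...) are not restore options and are dropped.
# - snapshotdb is the file name written by the "snapshot save" step.
# - The advertised peer URL must be the https:// URL listed for this member in
#   ETCD_NODES; the original used http://, which does not match.
# - --data-dir is the directory the systemd unit uses. Restore expects it not
#   to exist yet, so move the old directory aside first.
ETCDCTL_API=3 etcdctl snapshot restore snapshotdb \
  --name yds-dev-svc01-etcd03 \
  --initial-cluster "${ETCD_NODES}" \
  --initial-cluster-token etcd-cluster-0 \
  --initial-advertise-peer-urls https://192.168.3.52:2380 \
  --data-dir /var/lib/etcd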
API2備份
備份命令:
# v2-style backup of /var/lib/etcd into /tmp/etcd_backup.
# NOTE(review): the backup holds the cluster's data, and /tmp is a shared
# location that may be cleaned periodically — presumably a dedicated root-only
# backup path is safer; confirm before relying on this in production.
etcdctl backup --data-dir /var/lib/etcd --backup-dir /tmp/etcd_backup
備份恢復:
# Start a new single-member cluster from the v2 backup directory.
# NOTE(review): no TLS or listen-URL flags are passed on this line, so this
# instance does not use the certificates configured for the cluster earlier on
# this page — confirm how it is secured before it serves real clients.
etcd -data-dir=/tmp/etcd_backup -force-new-cluster
未完成的部分: ETCD監控和ETCD調優。這兩部分會在整篇文章寫完后再寫。
以上配置有什么問題，請留言，會即時更改。感謝各位老鐵。
文檔組成(會根據編寫時調整):
- 1. ETCD集群安裝 – 完成
- 2. apiserver高可用安裝 — 完成
- 3. node中docker安裝及配置
- 4. Docker倉庫安裝
- 5. Kubernetes安裝
- 6. Kubernetes中Jenkins安裝
- 7. Kubernetes中日志收集Graylog2安裝
- 8. Kubernetes中日志收集flume安裝
- 9. Kubernetes監(jiān)控prometheus安裝
- 10. Kubernetes監(jiān)控grafana安裝
版權聲明:本文為博主原創文章,未經博主允許不得轉載。 https://blog.csdn.net/wenwst/article/details/79851235