Deploying an etcd cluster
1 Cluster plan
Hostname              Role          IP
CFZX55-12.host.com    etcd lead     10.211.55.12
CFZX55-21.host.com    etcd follow   10.211.55.21
CFZX55-22.host.com    etcd follow   10.211.55.22
The following is performed on the operations host 200.
2 Create the self-signed certificate signing request (CSR) file
Create the etcd certificate; client access and node-to-node (peer) access use the same certificate.
/opt/certs/etcd-csr.json
{
  "CN": "k8s-etcd",
  "hosts": [
    "127.0.0.1",
    "10.211.55.11",
    "10.211.55.12",
    "10.211.55.21",
    "10.211.55.22"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "beijing",
      "L": "beijing",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
- CN: the CN here can be chosen freely.
- hosts: the IP addresses of the hosts where etcd is installed. They must be IP addresses, not subnets; list every host that may run etcd. The hosts listed here are tied to the --advertise-client-urls setting. If a new host is added that is not in this list, the certificate must be re-issued.
- names:
  - C: country
  - ST: state/province
  - L: city
  - O: organization; for a binary deployment it can be chosen freely, but kubeadm requires the value system:masters
  - OU: department
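As an added example that is not part of the original tutorial, the following shell script checks the condition the hosts note describes: every IP address that will appear in the node's etcd URL flags must be listed under hosts in the CSR, otherwise the certificate issued from it is not valid for that node and has to be re-issued. The CSR file path, the deliberate omission of 10.211.55.22 and the sample URL lists are constructed for the example; the cluster IPs are the tutorial's.

```shell
#!/bin/sh
# Added example, not from the original tutorial: confirm that every IP used in
# the etcd URL flags is covered by the "hosts" list of the CSR, because a
# certificate issued from a CSR that lacks a node's IP fails TLS verification
# on that node and the certificate has to be re-issued.

# Constructed CSR for the example, formatted like /opt/certs/etcd-csr.json but
# with 10.211.55.22 deliberately left out so the check has something to find.
CSR_FILE="${TMPDIR:-/tmp}/etcd-csr-example.json"
cat > "$CSR_FILE" <<'EOF'
{
  "CN": "k8s-etcd",
  "hosts": [
    "127.0.0.1",
    "10.211.55.11",
    "10.211.55.12",
    "10.211.55.21"
  ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "beijing", "L": "beijing", "O": "k8s", "OU": "system" } ]
}
EOF

# csr_hosts FILE: print each entry of the CSR's "hosts" array on its own line.
# Uses only awk so it works on a minimal host without a JSON tool; it expects
# the multi-line layout of the tutorial's file.
csr_hosts() {
  awk '
    /"hosts"/ { in_hosts = 1 }
    in_hosts {
      while (match($0, /"[^"]*"/)) {
        s = substr($0, RSTART + 1, RLENGTH - 2)
        $0 = substr($0, RSTART + RLENGTH)
        if (s != "hosts") print s
      }
      if (index($0, "]")) exit
    }' "$1"
}

# urls_to_ips URL...: extract the unique IPv4 addresses from one or more
# comma-separated etcd URL lists (--initial-cluster, --advertise-client-urls, ...).
urls_to_ips() {
  printf '%s\n' "$@" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# check_csr_hosts CSR_FILE URL...: return 0 when every IP in the URLs is in the
# CSR hosts list; otherwise list the missing IPs on stderr and return 1.
check_csr_hosts() {
  csr=$1
  shift
  hosts=$(csr_hosts "$csr")
  missing=""
  for ip in $(urls_to_ips "$@"); do
    if ! printf '%s\n' "$hosts" | grep -qxF "$ip"; then
      missing="$missing $ip"
    fi
  done
  if [ -n "$missing" ]; then
    echo "CSR hosts missing:$missing (re-issue the certificate before deploying there)" >&2
    return 1
  fi
  return 0
}

# Demo: the URL lists from the tutorial's startup script on host 12.
check_csr_hosts "$CSR_FILE" \
  "etcd-server-55-12=https://10.211.55.12:2380,etcd-server-55-21=https://10.211.55.21:2380,etcd-server-55-22=https://10.211.55.22:2380" \
  "https://10.211.55.12:2379,http://127.0.0.1:2379" \
  || echo "check failed as expected for the constructed CSR"
```

Run it against the real file with `check_csr_hosts /opt/certs/etcd-csr.json "<--initial-cluster value>" "<--advertise-client-urls value>"` before `cfssl gencert`; a non-zero exit means the hosts list must be extended and the certificate issued again.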
[root@cfzx55-200 certs]# cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
etcd-csr.json | cfssl-json -bare etcd
2022/03/12 19:07:37 [INFO] generate received request
2022/03/12 19:07:37 [INFO] received CSR
2022/03/12 19:07:37 [INFO] generating key: rsa-2048
2022/03/12 19:07:37 [INFO] encoded CSR
2022/03/12 19:07:37 [INFO] signed certificate with serial number 248382666391640353028509397700472746492757329729
4 Check the generated certificate and private key
[root@cfzx55-200 certs]# ll etcd*
-rw-r--r-- 1 root root 400 Mar 12 19:06 etcd-csr.json
-rw------- 1 root root 1675 Mar 12 19:07 etcd-key.pem
-rw-r--r-- 1 root root 1078 Mar 12 19:07 etcd.csr
-rw-r--r-- 1 root root 1448 Mar 12 19:07 etcd.pem
[root@cfzx55-200 certs]#
5 Create the etcd user
The etcd program runs as the etcd user, so that user must be created.
Performed on host 12.
[root@cfzx55-12 ~]# useradd -s /sbin/nologin -M etcd
[root@cfzx55-12 ~]# id etcd
uid=1000(etcd) gid=1000(etcd) groups=1000(etcd)
[root@cfzx55-12 ~]#
6 Download the software, unpack it and create the symlink
etcd version: 3.5.2, downloaded in advance and uploaded to /opt/src on host 12.
Performed on host 12.
[root@cfzx55-12 src]# tar xf etcd-v3.5.2-linux-amd64.tar.gz -C /opt/
[root@cfzx55-12 src]# cd ..
[root@cfzx55-12 opt]# mv etcd-v3.5.2-linux-amd64/ etcd-v3.5.2
[root@cfzx55-12 opt]# ln -s /opt/etcd-v3.5.2/ /opt/etcd
[root@cfzx55-12 etcd]# vim /etc/profile
export PATH=$PATH:/opt/etcd
[root@cfzx55-12 etcd]# source /etc/profile
[root@cfzx55-12 etcd]# etcd --version
etcd Version: 3.5.2
Git SHA: 99018a77b
Go Version: go1.16.3
Go OS/Arch: linux/amd64
[root@cfzx55-12 etcd]#
7 Create the directories and copy the certificate and private key
Performed on host 12.
Create the directories:
/opt/etcd/certs holds the certificate and private key used for etcd cluster communication.
/data/etcd holds the etcd database.
/data/logs/etcd-server holds the etcd log files.
[root@cfzx55-12 etcd]# mkdir -pv /opt/etcd/certs /data/etcd /data/logs/etcd-server
[root@cfzx55-12 etcd]# mkdir -pv /data/etcd/etcd-server
Copy the certificate and private key: copy the following three files, the root CA certificate, the etcd certificate and the etcd private key, from host 200.
[root@cfzx55-12 certs]# ll
total 12
-rw-r--r-- 1 root root 1310 Mar 12 19:30 ca.pem
-rw------- 1 root root 1675 Mar 12 19:29 etcd-key.pem
-rw-r--r-- 1 root root 1448 Mar 12 19:29 etcd.pem
[root@cfzx55-12 certs]#
Note: the private key's permissions: 400.
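As an added example that is not part of the original tutorial, the following shell script is a pre-flight check for the files just copied: it verifies that ca.pem, etcd.pem and etcd-key.pem are present, that the private key carries no group or other permission bits (what chmod 400 or 600 leaves behind) and that the files belong to the uid etcd will run as. The scratch directory, its placeholder files and the owner passed in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: pre-flight check of the files
# copied into /opt/etcd/certs. Verifies that ca.pem, etcd.pem and etcd-key.pem
# exist, that the private key is readable by its owner only (mode 400 or 600)
# and that all three are owned by the given uid.
# The directory, owner and placeholder files below are constructed.

# file_mode FILE: print the 10-character permission string, e.g. -rw-------.
file_mode() {
  ls -ld "$1" | cut -c1-10
}

# file_owner FILE: print the numeric uid of the owner (ls -n, so the check does
# not depend on the uid having a name in /etc/passwd).
file_owner() {
  ls -ldn "$1" | awk '{ print $3 }'
}

# key_is_private FILE: return 0 when group and other have no permission bits
# at all, which is what chmod 400 / chmod 600 produce.
key_is_private() {
  case "$(file_mode "$1")" in
    ????------) return 0 ;;
    *)          return 1 ;;
  esac
}

# check_etcd_certs DIR OWNER_UID: return 0 only if all three files are present,
# owned by OWNER_UID and the key is private; report every problem on stderr.
check_etcd_certs() {
  dir=$1
  owner=$2
  rc=0
  for f in ca.pem etcd.pem etcd-key.pem; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f" >&2
      rc=1
      continue
    fi
    if [ "$(file_owner "$dir/$f")" != "$owner" ]; then
      echo "wrong owner on $dir/$f: uid $(file_owner "$dir/$f"), expected uid $owner" >&2
      rc=1
    fi
  done
  if [ -f "$dir/etcd-key.pem" ] && ! key_is_private "$dir/etcd-key.pem"; then
    echo "private key $dir/etcd-key.pem is readable by group/other: $(file_mode "$dir/etcd-key.pem")" >&2
    rc=1
  fi
  return $rc
}

# Demo with constructed files (placeholder contents, not real keys).
DEMO_DIR="${TMPDIR:-/tmp}/etcd-certs-example"
mkdir -p "$DEMO_DIR"
for f in ca.pem etcd.pem etcd-key.pem; do
  printf 'placeholder\n' > "$DEMO_DIR/$f"
done
chmod 644 "$DEMO_DIR/ca.pem" "$DEMO_DIR/etcd.pem"
chmod 644 "$DEMO_DIR/etcd-key.pem"   # too open on purpose: the check must flag it
check_etcd_certs "$DEMO_DIR" "$(id -u)" || echo "fix with: chmod 400 $DEMO_DIR/etcd-key.pem"
chmod 400 "$DEMO_DIR/etcd-key.pem"
check_etcd_certs "$DEMO_DIR" "$(id -u)" && echo "files in $DEMO_DIR look fine"
```

On a real node, run `check_etcd_certs /opt/etcd/certs "$(id -u etcd)"` after step 9 (the chown) and before starting the service; a non-zero exit tells you which file to fix.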
8 Create the etcd startup script
Performed on host 12.
/opt/etcd/etcd-server-startup.sh
#!/bin/bash
./etcd \
--name etcd-server-55-12 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.211.55.12:2380 \
--listen-client-urls https://10.211.55.12:2379,http://127.0.0.1:2379 \
--initial-advertise-peer-urls https://10.211.55.12:2380 \
--initial-cluster etcd-server-55-12=https://10.211.55.12:2380,etcd-server-55-21=https://10.211.55.21:2380,etcd-server-55-22=https://10.211.55.22:2380 \
--initial-cluster-token etcd-cluster-k8s \
--initial-cluster-state new \
--advertise-client-urls https://10.211.55.12:2379,http://127.0.0.1:2379 \
--client-cert-auth=true \
--trusted-ca-file=./certs/ca.pem \
--cert-file=./certs/etcd.pem \
--key-file=./certs/etcd-key.pem \
--peer-client-cert-auth=true \
--peer-trusted-ca-file=./certs/ca.pem \
--peer-cert-file=./certs/etcd.pem \
--peer-key-file=./certs/etcd-key.pem \
--log-outputs stdout \
--listen-metrics-urls=https://10.211.55.12:2381 \
--enable-pprof=false
etcd members communicate with each other on port 2380.
External access to etcd uses port 2379.
Parameter description
name: the etcd member name; must be unique within an etcd cluster; the hostname or machine-id can be used.
data-dir: the directory where etcd stores its data.
listen-peer-urls: the address used to communicate with the other member nodes; different on every node; must be an IP address, a domain name does not work.
listen-client-urls: the address on which the node serves clients; 127.0.0.1 allows non-secure (plain HTTP) access; a domain name does not work.
initial-advertise-peer-urls: the node's listen address as advertised to the cluster; the other members use it to reach this node, and it is announced to the rest of the cluster.
initial-cluster: information about every node in the cluster, in the form node name plus the local port it listens on, multiple nodes separated by commas, i.e. name=https://initial-advertise-peer-urls
initial-cluster-state: the state in which the node joins; new for a new cluster, existing to join an existing cluster.
initial-cluster-token: the token used while bootstrapping the cluster.
advertise-client-urls: the list of client URLs for this member, announcing to the outside the address on which this node listens for clients; a domain name may be used.
client-cert-auth: whether clients must present a certificate when accessing this node.
trusted-ca-file: the CA certificate used by this node's port 2379.
cert-file: the certificate used by this node's port 2379.
key-file: the private key used by this node's port 2379.
peer-client-cert-auth: whether cluster members must present a certificate when accessing this node.
peer-trusted-ca-file: the CA certificate used by this node's port 2380.
peer-cert-file: the certificate used by this node's port 2380.
peer-key-file: the private key used by this node's port 2380.
log-outputs: where the logs are written.
listen-metrics-urls: the address from which metrics data is fetched.
enable-pprof: exposes the runtime profiling state at `url/debug/pprof/`; disabling it is recommended.
9 Adjust permissions
[root@cfzx55-12 etcd]# chmod +x etcd-server-startup.sh
[root@cfzx55-12 etcd]# chown -R etcd.etcd /opt/etcd-v3.5.2/ /data/etcd /data/logs/etcd-server/
[root@cfzx55-12 etcd]# chown -R etcd.etcd /opt/etcd
10 Install supervisor
[root@cfzx55-12 etcd]# yum install supervisor -y
[root@cfzx55-12 etcd]# systemctl enable supervisord
[root@cfzx55-12 etcd]# systemctl start supervisord
[root@cfzx55-12 etcd]# systemctl status supervisord
● supervisord.service - Process Monitoring and Control Daemon
Loaded: loaded (/usr/lib/systemd/system/supervisord.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2022-03-12 19:46:46 CST; 8min ago
Process: 12253 ExecStart=/usr/bin/supervisord -c /etc/supervisord.conf (code=exited, status=0/SUCCESS)
Main PID: 12256 (supervisord)
CGroup: /system.slice/supervisord.service
└─12256 /usr/bin/python /usr/bin/supervisord -c /etc/supervisord.conf
Mar 12 19:46:45 cfzx55-12.host.com systemd[1]: Starting Process Monitoring and Control Daemon...
Mar 12 19:46:46 cfzx55-12.host.com systemd[1]: Started Process Monitoring and Control Daemon.
[root@cfzx55-12 etcd]#
11 Create the etcd-server supervisor program configuration file
/etc/supervisord.d/etcd-server.ini
[program:etcd-server-55-12]
command=/opt/etcd/etcd-server-startup.sh
numprocs=1
directory=/opt/etcd
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=etcd
redirect_stderr=true
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
On the remaining nodes, change the program name after [program:] accordingly.
12 Start the etcd service and check it
[root@cfzx55-12 etcd]# supervisorctl update
etcd-server-55-12: added process group
[root@cfzx55-12 etcd]# supervisorctl status
etcd-server-55-12 RUNNING pid 12270, uptime 0:00:48
[root@cfzx55-12 etcd]# netstat -luntp | grep etcd
tcp 0 0 10.211.55.12:2379 0.0.0.0:* LISTEN 12271/./etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 12271/./etcd
tcp 0 0 10.211.55.12:2380 0.0.0.0:* LISTEN 12271/./etcd
tcp 0 0 10.211.55.12:2381 0.0.0.0:* LISTEN 12271/./etcd
[root@cfzx55-12 etcd]#
Make sure all three ports, 2379, 2380 and 2381, are listening.
13 Install and deploy the remaining cluster hosts
Install host 21.
# Copy the etcd installation already set up on node 12 to node 21
[root@cfzx55-12 ~]# scp -r /opt/etcd root@cfzx55-21:/opt
# Change the IP addresses in /opt/etcd/etcd-server-startup.sh
# Create the directories
[root@cfzx55-21 ~]# mkdir -pv /data/etcd/etcd-server /data/logs/etcd-server
# Create the etcd user
[root@cfzx55-21 ~]# useradd -s /sbin/nologin -M etcd
[root@cfzx55-21 ~]# id etcd
uid=1000(etcd) gid=1000(etcd) groups=1000(etcd)
# Adjust user and group ownership
[root@cfzx55-21 ~]# chown -R etcd.etcd /opt/etcd/ /data/etcd /data/logs/etcd-server/
# Install and start supervisor
[root@cfzx55-21 ~]# yum install -y supervisor
[root@cfzx55-21 ~]# systemctl enable supervisord
[root@cfzx55-21 ~]# systemctl start supervisord
[root@cfzx55-21 ~]# systemctl status supervisord
# Create the etcd supervisor program file
[root@cfzx55-21 ~]# vim /etc/supervisord.d/etcd-server.ini
[root@cfzx55-21 ~]# supervisorctl update
[root@cfzx55-21 ~]# supervisorctl status
etcd-server-55-21 RUNNING pid 12486, uptime 0:00:39
[root@cfzx55-21 ~]# netstat -luntp | grep etcd
tcp 0 0 10.211.55.21:2379 0.0.0.0:* LISTEN 12487/./etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 12487/./etcd
tcp 0 0 10.211.55.21:2380 0.0.0.0:* LISTEN 12487/./etcd
tcp 0 0 10.211.55.21:2381 0.0.0.0:* LISTEN 12487/./etcd
[root@cfzx55-21 ~]#
Install host 22.
# Copy the etcd installation already set up on node 12 to node 22
[root@cfzx55-12 ~]# scp -r /opt/etcd root@cfzx55-22:/opt
# Change the IP addresses in /opt/etcd/etcd-server-startup.sh
# Create the directories
[root@cfzx55-22 ~]# mkdir -pv /data/etcd/etcd-server /data/logs/etcd-server
# Create the etcd user
[root@cfzx55-22 ~]# useradd -s /sbin/nologin -M etcd
[root@cfzx55-22 ~]# id etcd
uid=1000(etcd) gid=1000(etcd) groups=1000(etcd)
# Adjust user and group ownership
[root@cfzx55-22 ~]# chown -R etcd.etcd /opt/etcd/ /data/etcd /data/logs/etcd-server/
# Install and start supervisor
[root@cfzx55-22 ~]# yum install -y supervisor
[root@cfzx55-22 ~]# systemctl enable supervisord
[root@cfzx55-22 ~]# systemctl start supervisord
[root@cfzx55-22 ~]# systemctl status supervisord
# Create the etcd supervisor program file
[root@cfzx55-22 ~]# vim /etc/supervisord.d/etcd-server.ini
[root@cfzx55-22 ~]# supervisorctl update
[root@cfzx55-22 ~]# supervisorctl status
etcd-server-55-22 RUNNING pid 12438, uptime 0:00:34
[root@cfzx55-22 ~]# netstat -luntp | grep etcd
tcp 0 0 10.211.55.22:2379 0.0.0.0:* LISTEN 12439/./etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 12439/./etcd
tcp 0 0 10.211.55.22:2380 0.0.0.0:* LISTEN 12439/./etcd
tcp 0 0 10.211.55.22:2381 0.0.0.0:* LISTEN 12439/./etcd
[root@cfzx55-22 ~]#
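As an added example that is not part of the original tutorial, the following shell script serves step 8 (the startup-script parameters) and step 13 (copying the node 12 files and editing the IP addresses by hand on hosts 21 and 22): it renders each node's etcd-server-startup.sh and supervisor .ini from one template, so every node gets the same TLS flags (client-cert-auth and peer-client-cert-auth on, CA/cert/key paths identical) and only --name and the IP vary. Before writing anything it checks that the node's own name=https://IP:2380 entry is present in --initial-cluster, which etcd requires at bootstrap. The member names and IPs are the tutorial's; the output directory is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: render each node's
# etcd-server-startup.sh and supervisor .ini from one template, replacing the
# manual "edit the IP addresses" step on hosts 21 and 22. Before rendering it
# verifies that the node's own name=https://IP:2380 entry exists in
# --initial-cluster, which etcd checks when bootstrapping a new cluster.

INITIAL_CLUSTER="etcd-server-55-12=https://10.211.55.12:2380,etcd-server-55-21=https://10.211.55.21:2380,etcd-server-55-22=https://10.211.55.22:2380"

# member_in_cluster NAME IP: succeed only if NAME=https://IP:2380 is one of
# the comma-separated --initial-cluster entries.
member_in_cluster() {
  printf '%s\n' "$INITIAL_CLUSTER" | tr ',' '\n' | grep -qxF "$1=https://$2:2380"
}

# render_node NAME IP OUTDIR: write OUTDIR/etcd-server-startup.sh and
# OUTDIR/etcd-server.ini for one node. Returns 1 without writing anything
# when the node is not part of INITIAL_CLUSTER.
render_node() {
  name=$1
  ip=$2
  out=$3
  if ! member_in_cluster "$name" "$ip"; then
    echo "$name ($ip) is not in --initial-cluster; fix INITIAL_CLUSTER first" >&2
    return 1
  fi
  mkdir -p "$out"
  # Quoted heredoc keeps the backslashes; sed fills in the placeholders.
  sed -e "s/@NAME@/$name/g" -e "s/@IP@/$ip/g" -e "s#@CLUSTER@#$INITIAL_CLUSTER#g" \
    > "$out/etcd-server-startup.sh" <<'EOF'
#!/bin/bash
./etcd \
  --name @NAME@ \
  --data-dir /data/etcd/etcd-server \
  --listen-peer-urls https://@IP@:2380 \
  --listen-client-urls https://@IP@:2379,http://127.0.0.1:2379 \
  --initial-advertise-peer-urls https://@IP@:2380 \
  --initial-cluster @CLUSTER@ \
  --initial-cluster-token etcd-cluster-k8s \
  --initial-cluster-state new \
  --advertise-client-urls https://@IP@:2379,http://127.0.0.1:2379 \
  --client-cert-auth=true \
  --trusted-ca-file=./certs/ca.pem \
  --cert-file=./certs/etcd.pem \
  --key-file=./certs/etcd-key.pem \
  --peer-client-cert-auth=true \
  --peer-trusted-ca-file=./certs/ca.pem \
  --peer-cert-file=./certs/etcd.pem \
  --peer-key-file=./certs/etcd-key.pem \
  --log-outputs stdout \
  --listen-metrics-urls=https://@IP@:2381 \
  --enable-pprof=false
EOF
  chmod 755 "$out/etcd-server-startup.sh"
  sed -e "s/@NAME@/$name/g" > "$out/etcd-server.ini" <<'EOF'
[program:@NAME@]
command=/opt/etcd/etcd-server-startup.sh
numprocs=1
directory=/opt/etcd
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=etcd
redirect_stderr=true
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
EOF
}

# Demo: render all three nodes into a scratch directory.
RENDER_ROOT="${TMPDIR:-/tmp}/etcd-render-example"
for node in "etcd-server-55-12 10.211.55.12" "etcd-server-55-21 10.211.55.21" "etcd-server-55-22 10.211.55.22"; do
  set -- $node
  render_node "$1" "$2" "$RENDER_ROOT/$1" && echo "rendered $RENDER_ROOT/$1"
done
```

Run it on host 200 (or on 12), then scp each node's directory to that node's /opt/etcd and /etc/supervisord.d instead of editing the copied script by hand; the member check fails loudly if a name or IP in the cluster plan and INITIAL_CLUSTER drift apart.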
14 Check the cluster status
# List the cluster members
[root@cfzx55-12 ~]# etcdctl --cacert=/opt/etcd/certs/ca.pem --cert=/opt/etcd/certs/etcd.pem --key=/opt/etcd/certs/etcd-key.pem --endpoints="https://10.211.55.12:2379,https://10.211.55.21:2379,https://10.211.55.22:2379" member list -w table
[root@cfzx55-12 ~]# etcdctl --cacert=/opt/etcd/certs/ca.pem --cert=/opt/etcd/certs/etcd.pem --key=/opt/etcd/certs/etcd-key.pem --endpoints="https://10.211.55.12:2379,https://10.211.55.21:2379,https://10.211.55.22:2379" endpoint status -w table
[root@cfzx55-12 ~]# etcdctl --cacert=/opt/etcd/certs/ca.pem --cert=/opt/etcd/certs/etcd.pem --key=/opt/etcd/certs/etcd-key.pem --endpoints="https://10.211.55.12:2379,https://10.211.55.21:2379,https://10.211.55.22:2379" endpoint health -w table
At this point the etcd cluster deployment is complete.