這里的etcd集群復用我們測試的3個節點,3個node都要安裝並啟動,注意修改配置文件
1、TLS認證文件分發:etcd集群認證用,除了本機有,分發到其他node節點
scp ca.pem kubernetes-key.pem kubernetes.pem root@10.10.90.106:/etc/kubernetes/ssl scp ca.pem kubernetes-key.pem kubernetes.pem root@10.10.90.107:/etc/kubernetes/ssl
2、安裝Etcd,這里使用的yum安裝方式
#查詢版本是否合適,我這里是3.2.9版本 yum info etcd #安裝 yum install etcd
若使用yum安裝,默認etcd命令將在/usr/bin目錄下,注意修改下面的etcd.service文件中的啟動命令地址為/usr/bin/etcd
3、創建etcd的systemd unit文件(既centos7下的服務定義文件)
文件位置:/usr/lib/systemd/system/etcd.service ,默認該文件存在,刪除重建即可。
[Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target Documentation=https://github.com/coreos [Service] Type=notify WorkingDirectory=/var/lib/etcd/ EnvironmentFile=-/etc/etcd/etcd.conf ExecStart=/usr/bin/etcd \ --name etcd-host0 \ --cert-file=/etc/kubernetes/ssl/kubernetes.pem \ --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \ --peer-cert-file=/etc/kubernetes/ssl/kubernetes.pem \ --peer-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \ --trusted-ca-file=/etc/kubernetes/ssl/ca.pem \ --peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem \ --initial-advertise-peer-urls https://10.10.90.105:2380 \ --listen-peer-urls https://10.10.90.105:2380 \ --listen-client-urls https://10.10.90.105:2379,http://127.0.0.1:2379 \ --advertise-client-urls https://10.10.90.105:2379 \ --initial-cluster-token etcd-cluster-0 \ --initial-cluster etcd-host0=https://10.10.90.105:2380,etcd-host1=https://10.10.90.106:2380,etcd-host2=https://10.10.90.107:2380 \ --initial-cluster-state new \ --data-dir=/var/lib/etcd Restart=on-failure RestartSec=5 LimitNOFILE=65536 [Install] WantedBy=multi-user.target
配置注意事項:所有節點都必須配置此文件,並且注意下面4個注意事項。
1、IP地址除了initial-cluster 配置項是配置集群內3個地址的ip外,其他IP均為本機的IP。
2、配置下--name必須與--initial-cluster配置項里的的對應,比如圖上配置就是我master的配置,name是etcd-host0,下面的IP對應的名稱也是這個。
3、通過不同方式安裝的軟件Execstart配置項下的程序啟動命令路徑注意修改
4、WorkingDirectory工作目錄需要實現創建,否則啟動會報錯。
4、創建etcd環境變量文件
文件位置:/etc/etcd/etcd.conf,yum安裝完之后該文件會存在,刪除重建即可。
# [member] ETCD_NAME=infra1 ETCD_DATA_DIR="/var/lib/etcd" ETCD_LISTEN_PEER_URLS="https://10.10.90.105:2380" ETCD_LISTEN_CLIENT_URLS="https://10.10.90.105:2379" #[cluster] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.10.90.105:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_ADVERTISE_CLIENT_URLS="https://10.10.90.105:2379"
注意事項:
1、再次提醒ETCD_DATA_DIR一定要存在,其他的IP地址替換為本機的即可,maser及node節點都需要配置
2、ETCD_NAME按照etcd系統服務里面的配置一一對應,分別是infra1,infra2,infra3
5、設置開機啟動及啟動etcd
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd
6、檢測集群工作情況
在任意一個節點,master或者node都可以,執行以下命令
etcdctl \ --ca-file=/etc/kubernetes/ssl/ca.pem \ --cert-file=/etc/kubernetes/ssl/kubernetes.pem \ --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \ cluster-health
如果輸出類似如下如的情況,代表成功:
結果最后一行為 cluster is healthy 時表示集群服務正常
注意事項:
1、建議所有節點都運行一次進行檢測,我在maser檢點進行檢測的時候發現master本身的幾點都鏈接上,報unhealthy錯誤,查看報錯后發現是使用了代理上網設置
當初為了在線軟件設置的上網代理,需要關閉代理,取消配置參數,重啟了服務器才檢測成功。
2、防火牆務必關閉,否則會有鏈接不到etcd的問題。。
3、以后使用etcd查詢數據都需要使用認證文件,查詢格式:
etcdctl \ --ca-file=/etc/kubernetes/ssl/ca.pem \ --cert-file=/etc/kubernetes/ssl/kubernetes.pem \ --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \ cluster-health
否則出錯,例如:
[root@kube_master ssl]# etcdctl cluster-health failed to check the health of member 2f590aa6fa719c4b on https://10.10.90.105:2379: Get https://10.10.90.105:2379/health: x509: certificate signed by unknown authority member 2f590aa6fa719c4b is unreachable: [https://10.10.90.105:2379] are all unreachable failed to check the health of member 43ea47a48fb7ffce on https://10.10.90.106:2379: Get https://10.10.90.106:2379/health: x509: certificate signed by unknown authority member 43ea47a48fb7ffce is unreachable: [https://10.10.90.106:2379] are all unreachable failed to check the health of member d965bb336acbfc6c on https://10.10.90.107:2379: Get https://10.10.90.107:2379/health: x509: certificate signed by unknown authority member d965bb336acbfc6c is unreachable: [https://10.10.90.107:2379] are all unreachable cluster is unhealthy