K8S From Getting Started to Giving Up, Part 3: Deploying an etcd Cluster


Summary: etcd is the most important component of a k8s cluster; it stores all of the cluster's service state. If etcd goes down, the cluster goes down with it. Here we deploy etcd on the three master nodes for high availability. An etcd cluster uses the Raft algorithm to elect a leader, and because Raft needs a majority of nodes to vote on every decision, an etcd cluster is normally built from an odd number of nodes: 3, 5 or 7 members are the recommended sizes.

1) Download the etcd binaries

The etcd command is simply the downloaded binary; unpack the archive and copy the binaries to the target directory.
[root@k8s-master01 ~]# cd k8s/
[root@k8s-master01 k8s]# wget https://github.com/etcd-io/etcd/releases/download/v3.3.12/etcd-v3.3.12-linux-amd64.tar.gz
[root@k8s-master01 k8s]# tar -xf etcd-v3.3.12-linux-amd64.tar.gz
[root@k8s-master01 k8s]# cd etcd-v3.3.12-linux-amd64  ##two binaries are included; etcdctl is the command used to operate etcd
##copy the etcd binaries to the three master nodes
[root@k8s-master01 ~]# ansible k8s-master -m copy -a 'src=/root/k8s/etcd-v3.3.12-linux-amd64/etcd dest=/usr/local/bin/ mode=0755'
[root@k8s-master01 ~]# ansible k8s-master -m copy -a 'src=/root/k8s/etcd-v3.3.12-linux-amd64/etcdctl dest=/usr/local/bin/ mode=0755'
Note: if you are not using ansible, you can scp the two files directly into /usr/local/bin/ on the three master nodes.

2) Create the etcd certificate signing request template

[root@k8s-master01 ~]# vim /opt/k8s/certs/etcd-csr.json  ##certificate signing request file
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "10.10.0.18",
    "10.10.0.19",
    "10.10.0.20"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
Note: the IPs in hosts are the IPs of every etcd node plus the local 127 address; the etcd certificate must have all node IPs signed into it. In production it is best to reserve a few spare IPs in the hosts list, so that adding nodes later or migrating after a failure does not require regenerating the certificate. (My production environment runs on an Alibaba Cloud VPC network, so I reserve IPs from a designated range.)

3) Generate the certificate and private key

Pay attention to the actual locations of the certificate files used in the command.
[root@k8s-master01 ~]# cd /opt/k8s/certs/
[root@k8s-master01 certs]# cfssl gencert -ca=/opt/k8s/certs/ca.pem \
     -ca-key=/opt/k8s/certs/ca-key.pem \
     -config=/opt/k8s/certs/ca-config.json \
     -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
2019/04/22 17:17:51 [INFO] generate received request
2019/04/22 17:17:51 [INFO] received CSR
2019/04/22 17:17:51 [INFO] generating key: rsa-2048
2019/04/22 17:17:51 [INFO] encoded CSR
2019/04/22 17:17:51 [INFO] signed certificate with serial number 335217685822754469090490767964903486042452749906
2019/04/22 17:17:51 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

4) Inspect the certificates

etcd.csr is an intermediate file used during signing. If you do not intend to sign the certificate yourself but want a third-party CA to sign it, etcd.csr is the only file you need to submit to the CA.
[root@k8s-master01 certs]# ll etcd*
-rw-r--r--. 1 root root 1066 Apr 22 17:17 etcd.csr
-rw-r--r--. 1 root root  293 Apr 22 17:10 etcd-csr.json
-rw-------. 1 root root 1679 Apr 22 17:17 etcd-key.pem
-rw-r--r--. 1 root root 1444 Apr 22 17:17 etcd.pem

5) Distribute the certificates

Copy the generated etcd certificate into the certificate directory created earlier and onto the other two etcd nodes.
Normally only these three files need to be copied: ca.pem (already present), etcd-key.pem and etcd.pem.
[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/etcd.pem dest=/etc/kubernetes/ssl/'
[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/etcd-key.pem dest=/etc/kubernetes/ssl/'

6) Modify etcd configuration parameters

For security, I start etcd here as a dedicated unprivileged user.
##create the etcd user and group
[root@k8s-master01 ~]# ansible k8s-master -m group -a 'name=etcd'
[root@k8s-master01 ~]# ansible k8s-master -m user -a 'name=etcd group=etcd comment="etcd user" shell=/sbin/nologin home=/var/lib/etcd createhome=no'
##create the etcd data directory and hand ownership to the etcd user
[root@k8s-master01 ~]# ansible k8s-master -m file -a 'path=/var/lib/etcd state=directory owner=etcd group=etcd'
Note:
If the steps above feel cumbersome, you can instead run the following commands directly on each of the three master hosts.
mkdir /etc/kubernetes/config
groupadd -r etcd
useradd -r -g etcd -d /var/lib/etcd -s /sbin/nologin -c "etcd user" etcd
mkdir /var/lib/etcd/
chown -R etcd:etcd /var/lib/etcd/

7) Write the etcd configuration file
Contents of the etcd.conf configuration file. The file references certificates, and the etcd user must be able to read them, otherwise etcd fails with an error that it cannot load the certificate; mode 644 is sufficient for that.
[root@k8s-master01 ~]# vim /opt/k8s/cfg/etcd.conf
#[member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd"
#ETCD_SNAPSHOT_COUNTER="10000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://10.10.0.18:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.10.0.18:2379,https://127.0.0.1:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
#ETCD_CORS=""
ETCD_AUTO_COMPACTION_RETENTION="1"
ETCD_QUOTA_BACKEND_BYTES="8589934592"
ETCD_MAX_REQUEST_BYTES="5242880"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.10.0.18:2380"
# if you use different ETCD_NAME (e.g. test),
# set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
ETCD_INITIAL_CLUSTER="etcd01=https://10.10.0.18:2380,etcd02=https://10.10.0.19:2380,etcd03=https://10.10.0.20:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://10.10.0.18:2379"
#[security]
# etcd only reads environment variables carrying the ETCD_ prefix, so the
# client/peer cert-auth switches must be spelled ETCD_CLIENT_CERT_AUTH and
# ETCD_PEER_CLIENT_CERT_AUTH to take effect
ETCD_CLIENT_CERT_AUTH="true"
ETCD_CA_FILE="/etc/kubernetes/ssl/ca.pem"
ETCD_CERT_FILE="/etc/kubernetes/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/kubernetes/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CA_FILE="/etc/kubernetes/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/etc/kubernetes/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/kubernetes/ssl/etcd-key.pem"
Parameter explanation:
  1. ETCD_NAME: the etcd member name; it must be unique within the cluster. The hostname or machine-id can be used.
  2. ETCD_LISTEN_PEER_URLS: the address used for communication with the other members; it differs on every node and must be an IP, domain names do not work.
  3. ETCD_LISTEN_CLIENT_URLS: the address on which clients are served, normally the local node; domain names do not work.
  4. ETCD_INITIAL_ADVERTISE_PEER_URLS: the node's peer listen address, advertised to the other nodes in the cluster.
  5. ETCD_INITIAL_CLUSTER: information on every node in the cluster, in the form node name plus its peer URL, i.e. ETCD_NAME=ETCD_INITIAL_ADVERTISE_PEER_URLS.
  6. ETCD_ADVERTISE_CLIENT_URLS: the member's list of client URLs, advertised as this node's client address; a domain name may be used here.
  7. ETCD_AUTO_COMPACTION_RETENTION: auto-compaction retention for the mvcc key-value store, in hours. 0 disables auto compaction.
  8. ETCD_QUOTA_BACKEND_BYTES: size of the etcd db backend; default 2G, 8G recommended.
  9. ETCD_MAX_REQUEST_BYTES: the maximum size of operations allowed in a transaction; default 1.5M, officially recommended 10M. I set 5M here; size it according to your actual workload.
       Because ours is a three-node etcd cluster, the etcd.conf file must be copied to the other two nodes, and the node-specific parameters listed above (ETCD_NAME and every URL containing the host IP) changed to the values of the corresponding host.
 Distribute the etcd.conf configuration file. Of course, if you do not use ansible, you can scp the file to the matching location on the three machines and then edit the IP, ETCD_NAME and other parameters on each one.
[root@k8s-master01 config]# ansible k8s-master -m copy -a 'src=/opt/k8s/cfg/etcd.conf dest=/etc/kubernetes/config/etcd.conf'
##log in to each host and change the IPs in the configuration file to that host's local IP
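The per-host editing described above can be scripted. The following is an added example and not code from the original post: it renders the etcd.conf from this article for each member from a name=IP list, audits every rendered file for the TLS properties the article relies on (https-only URLs, client and peer certificate authentication), and checks that a key file is not world-readable. The output directory argument and the helper names are my own assumptions.

```shell
# Added example, not code from the original post: render one etcd.conf per member
# from a name=IP list, audit each for the TLS settings the post relies on, check key perms.
NODES="etcd01=10.10.0.18 etcd02=10.10.0.19 etcd03=10.10.0.20"   # members from the post
initial_cluster() {
  # yields etcd01=https://10.10.0.18:2380,etcd02=https://10.10.0.19:2380,...
  out=""
  for m in $NODES; do
    out="${out:+$out,}${m%%=*}=https://${m#*=}:2380"
  done
  printf '%s' "$out"
}
render_conf() {
  # $1 = member name, $2 = member IP, $3 = output file
  cat > "$3" <<EOF
ETCD_NAME="$1"
ETCD_DATA_DIR="/var/lib/etcd"
ETCD_LISTEN_PEER_URLS="https://$2:2380"
ETCD_LISTEN_CLIENT_URLS="https://$2:2379,https://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$2:2380"
ETCD_INITIAL_CLUSTER="$(initial_cluster)"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://$2:2379"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_CA_FILE="/etc/kubernetes/ssl/ca.pem"
ETCD_CERT_FILE="/etc/kubernetes/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/kubernetes/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CA_FILE="/etc/kubernetes/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/etc/kubernetes/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/kubernetes/ssl/etcd-key.pem"
EOF
}
audit_conf() {
  # reject any plain-http URL and require client and peer certificate auth
  ! grep -Eq '_URLS="[^"]*http://' "$1" &&
    grep -q '^ETCD_CLIENT_CERT_AUTH="true"' "$1" &&
    grep -q '^ETCD_PEER_CLIENT_CERT_AUTH="true"' "$1"
}
key_not_world_readable() {
  # 8th character of the ls -l mode string is the "others" read bit
  [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}
render_all() {
  # $1 = output dir; writes etcd.conf.<name> for every member and audits it
  for n in $NODES; do
    render_conf "${n%%=*}" "${n#*=}" "$1/etcd.conf.${n%%=*}" &&
      audit_conf "$1/etcd.conf.${n%%=*}" || return 1
  done
}
```

Run `render_all /some/dir` and ship each etcd.conf.<name> to its host as /etc/kubernetes/config/etcd.conf; `audit_conf` also works on a hand-edited file before starting the service.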

Edit the etcd.service unit file

[root@k8s-master01 ~]# vim /opt/k8s/unit/etcd.service

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/kubernetes/config/etcd.conf
User=etcd
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/local/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

[root@k8s-master01 ~]# ansible k8s-master -m copy -a 'src=/opt/k8s/unit/etcd.service dest=/usr/lib/systemd/system/etcd.service'
[root@k8s-master01 ~]# ansible k8s-master -m shell -a 'systemctl daemon-reload'
[root@k8s-master01 ~]# ansible k8s-master -m shell -a 'systemctl enable etcd'
[root@k8s-master01 ~]# ansible k8s-master -m shell -a 'systemctl start etcd'

Note:

The three etcd services have to be started together: run the start command on all three machines at the same time. If you start only one, the service blocks until every etcd node in the cluster is up. Because I ran the command remotely through ansible, I did not hit this problem.

8) Verify the cluster
With etcd v3, the certificate locations must be passed explicitly when querying cluster status.
[root@k8s-master01 ~]# etcdctl --endpoints=https://10.10.0.18:2379,https://10.10.0.19:2379,https://10.10.0.20:2379 \
           --cert-file=/etc/kubernetes/ssl/etcd.pem \
           --ca-file=/etc/kubernetes/ssl/ca.pem \
           --key-file=/etc/kubernetes/ssl/etcd-key.pem \
           cluster-health
member 804ed05b4beec304 is healthy: got healthy result from https://10.10.0.20:2379
member 8a5b84381bee52dd is healthy: got healthy result from https://10.10.0.19:2379
member caba783185460428 is healthy: got healthy result from https://10.10.0.18:2379
cluster is healthy
[root@k8s-master01 ~]# etcdctl --endpoints=https://10.10.0.18:2379,https://10.10.0.19:2379,https://10.10.0.20:2379 \
           --cert-file=/etc/kubernetes/ssl/etcd.pem \
           --ca-file=/etc/kubernetes/ssl/ca.pem \
           --key-file=/etc/kubernetes/ssl/etcd-key.pem \
           member list
804ed05b4beec304: name=etcd03 peerURLs=https://10.10.0.20:2380 clientURLs=https://10.10.0.20:2379 isLeader=false
8a5b84381bee52dd: name=etcd02 peerURLs=https://10.10.0.19:2380 clientURLs=https://10.10.0.19:2379 isLeader=true
caba783185460428: name=etcd01 peerURLs=https://10.10.0.18:2380 clientURLs=https://10.10.0.18:2379 isLeader=false
## the cluster reports healthy, and isLeader=true shows which node currently holds the leader role
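The two etcdctl outputs above can be turned into a go/no-go gate for automation. This is an added example, not code from the original post: the sample output is copied from the listings above and embedded as constructed literals, and the function checks member count, a single leader, per-member health and https-only URLs. The function name and argument order are my own.

```shell
# Added example, not from the original post: gate on the etcdctl output shown above.
# Constructed sample output copied from the post's listings; a real check would
# capture the two etcdctl command outputs instead of using these literals.
MEMBERS='804ed05b4beec304: name=etcd03 peerURLs=https://10.10.0.20:2380 clientURLs=https://10.10.0.20:2379 isLeader=false
8a5b84381bee52dd: name=etcd02 peerURLs=https://10.10.0.19:2380 clientURLs=https://10.10.0.19:2379 isLeader=true
caba783185460428: name=etcd01 peerURLs=https://10.10.0.18:2380 clientURLs=https://10.10.0.18:2379 isLeader=false'
HEALTH='member 804ed05b4beec304 is healthy: got healthy result from https://10.10.0.20:2379
member 8a5b84381bee52dd is healthy: got healthy result from https://10.10.0.19:2379
member caba783185460428 is healthy: got healthy result from https://10.10.0.18:2379
cluster is healthy'

# check_quorum EXPECTED MEMBER_LIST_OUTPUT CLUSTER_HEALTH_OUTPUT
# returns 0 only when: exactly EXPECTED members are listed, exactly one is leader,
# no member advertises a plain-http URL, every listed member id is reported
# healthy, and the final "cluster is healthy" line is present.
check_quorum() {
  expected=$1; members=$2; health=$3
  n=$(printf '%s\n' "$members" | grep -c '^[0-9a-f]*: name=')
  [ "$n" -eq "$expected" ] || { echo "want $expected members, got $n"; return 1; }
  leaders=$(printf '%s\n' "$members" | grep -c 'isLeader=true')
  [ "$leaders" -eq 1 ] || { echo "expected one leader, got $leaders"; return 1; }
  if printf '%s\n' "$members" | grep -q 'URLs=http://'; then
    echo "a member advertises a plain-http URL"; return 1
  fi
  for id in $(printf '%s\n' "$members" | cut -d: -f1); do
    printf '%s\n' "$health" | grep -q "^member $id is healthy" ||
      { echo "member $id not healthy"; return 1; }
  done
  printf '%s\n' "$health" | grep -qx 'cluster is healthy'
}
```

In a deployment script, replace the two literals with the output of the `member list` and `cluster-health` commands shown above and abort the rollout when `check_quorum 3 ...` fails.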
