單機配置
安裝etcd
1、安裝
yum install etcd -y
2、啟動
systemctl start etcd
3、設置開機啟動
systemctl enable etcd
4、開放遠程
vi /etc/etcd/etcd.conf
配置如下(監聽任意的ip,這樣才能在外部訪問,后續會啟用安全方面的相關設置)
#[Member]
#ETCD_CORS=""
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_WAL_DIR=""
#ETCD_LISTEN_PEER_URLS="http://localhost:2380"
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
ETCD_NAME="default"
#ETCD_SNAPSHOT_COUNT="100000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
#ETCD_QUOTA_BACKEND_BYTES="0"
#ETCD_MAX_REQUEST_BYTES="1572864"
#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"
#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"
#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
#
#[Clustering]
#ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.2.155:2379"
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_DISCOVERY_SRV=""
#ETCD_INITIAL_CLUSTER="default=http://localhost:2380"
#ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="new"
#ETCD_STRICT_RECONFIG_CHECK="true"
#ETCD_ENABLE_V2="true"
#
#[Proxy]
#ETCD_PROXY="off"
#ETCD_PROXY_FAILURE_WAIT="5000"
#ETCD_PROXY_REFRESH_INTERVAL="30000"
#ETCD_PROXY_DIAL_TIMEOUT="1000"
#ETCD_PROXY_WRITE_TIMEOUT="5000"
#ETCD_PROXY_READ_TIMEOUT="0"
#
#[Security]
ETCD_CERT_FILE="/ssl/server.pem"
ETCD_KEY_FILE="/ssl/server-key.pem"
#ETCD_CLIENT_CERT_AUTH="false"
#ETCD_TRUSTED_CA_FILE=""
#ETCD_AUTO_TLS="false"
#ETCD_PEER_CERT_FILE=""
#ETCD_PEER_KEY_FILE=""
#ETCD_PEER_CLIENT_CERT_AUTH="false"
#ETCD_PEER_TRUSTED_CA_FILE=""
#ETCD_PEER_AUTO_TLS="false"
#
#[Logging]
#ETCD_DEBUG="false"
#ETCD_LOG_PACKAGE_LEVELS=""
#ETCD_LOG_OUTPUT="default"
#
#[Unsafe]
#ETCD_FORCE_NEW_CLUSTER="false"
#
#[Version]
#ETCD_VERSION="false"
#ETCD_AUTO_COMPACTION_RETENTION="0"
#
#[Profiling]
#ETCD_ENABLE_PPROF="false"
#ETCD_METRICS="basic"
#
#[Auth]
#ETCD_AUTH_TOKEN="simple"
5、設置環境變量
( coredns只能使用etcd v3版本api添加的數據,etcdctl命令默認使用v2版本api,設置v3 api方法)
vim /etc/profile 或者(vim ~/.bash_profile) 在文件最后添加:
export ETCDCTL_API=3
6、使環境變量生效
source /etc/profile
7、編輯etcd啟動文件
(/usr/lib/systemd/system/etcd.service)
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
User=etcd
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" --cert-file=\"${ETCD_CERT_FILE}\" --key-file=\"${ETCD_KEY_FILE}\" --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\""
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
8、賦值/ssl/ca.pem文件到其他服務器
(沒有scp命令的自行安裝)
(在其他服務器:192.168.2.134上執行) mkdir /ssl
scp /ssl/ca.pem root@192.168.2.134:/ssl
9、驗證
curl --cacert /ssl/ca.pem https://192.168.2.155:2379/v3/keys/foo -XPUT -d value=bar -v
安裝coredns
1、下載並解壓源碼,該項目是開源項目,可以到github上自行下載源碼。
tar zxvf coredns_1.6.4_linux_amd64.tgz
mv coredns /usr/bin
mkdir /etc/coredns
2、添加主配置文件 vi /etc/coredns/Corefile,內容如下:
.:53 {
health # 監聽tcp和udp的53端口
etcd { # 配置啟用etcd插件,后面可以指定域名,例如 etcd test.com {
stubzones # 啟用存根區域功能。 stubzone僅在位於指定的第一個區域下方的etcd樹中完成
path /coredns # etcd里面的路徑 默認為/skydns,以后所有的dns記錄就是存儲在該存根路徑底下
endpoint http://localhost:2379 # etcd訪問地址,多個空格分開
# upstream設置要使用的上游解析程序解決指向外部域名的在etcd(認為CNAME)中找到的外部域名。
upstream 114.114.114.114:53 8.8.8.8:53 /etc/resolv.conf
fallthrough # 如果區域匹配但不能生成記錄,則將請求傳遞給下一個插件
# tls CERT KEY CACERT # 可選參數,etcd認證證書設置
tls /ssl/server.pem /ssl/server-key.pem /ssl/ca.pem
# 指定訪問etcd用戶名和密碼(根據實際情況使用)
credentials USERNAME PASSWORD
}
prometheus # 監控插件
cache 160 # 緩存時間
loop #
reload 6s # 自動加載時間間隔
loadbalance # 負載均衡,開啟DNS記錄輪詢策略
forward . /etc/resolv.conf # 上面etcd未查詢到的請求轉發給設置的DNS服務器解析
log # 打印日志
errors # 輸出錯誤
}
3、啟動(常規命令行啟動--非后台運行):
/usr/bin/coredns -conf /etc/coredns/Corefile
4、添加運行用戶:
useradd coredns -s /sbin/nologin
5、將coredns做成系統服務:
vi /usr/lib/systemd/system/coredns.service
配置如下:
[Unit]
Description=CoreDNS DNS server
Documentation=https://coredns.io
After=network.target
[Service]
PermissionsStartOnly=true
LimitNOFILE=1048576
LimitNPROC=512
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
User=coredns
WorkingDirectory=~
ExecStart=/usr/bin/coredns -conf=/etc/coredns/Corefile
ExecReload=/bin/kill -SIGUSR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
6、啟動(需要切換到coredns用戶):
systemctl daemon-reload
systemctl enable coredns
systemctl start coredns
systemctl status coredns
7、設置域名解析:
A記錄
% etcdctl put /coredns/com/leffss/www '{"host":"1.1.1.1","ttl":10}'
OK
* etcd的目錄結構和域名是相反的,即上面表示域名:www.leffss.com
* ttl值設置60s后,coredns每60s才會到etcd讀取這個域名的記錄一次
查詢結果:
% dig @localhost +short www.leffss.com
1.1.1.1
如果想添加多條記錄,讓coredns輪詢,方法如下:
% etcdctl put /coredns/com/leffss/www/x1 '{"host":"1.1.1.2","ttl":10}'
OK
% etcdctl put /coredns/com/leffss/www/x2 '{"host":"1.1.1.3","ttl":10}'
OK
* x1和x2可以自定義,比如a、b、c等
* 設置多個AAAA、CNAME等方法類似
* 添加/coredns/com/leffss/www/x1、x2后,請求www.leffss.com就不會再讀取/coredns/com/leffss/www,可以使用etcdctl del /coredns/com/leffss/www刪除值
查詢結果:
% dig @localhost +short www.leffss.com
1.1.1.21.1.1.3
**注意:**如果想讓取消設置的輪詢值,需要刪除/coredns/com/leffss/www/x1與/coredns/com/leffss/www/x2
AAAA記錄
% etcdctl put /coredns/com/leffss/www '{"host":"1002::4:2","ttl":10}'
OK
查詢結果:
% dig -t AAAA @localhost +short www.leffss.com
1002::4:2
CNAME記錄
% etcdctl put /coredns/com/leffss/www '{"host":"www.baidu.com","ttl":10}'
OK
查詢結果:
% dig -t CNAME @localhost +short www.leffss.com
www.baidu.com.
* 這里cname設置成外部百度域名,按理說coredns應該也把這個cname記錄繼續解析成www.baidu.cm的IP地址,但是經過測試發現請求www.leffss.com只能解析到CNAME:www.baidu.com,無法繼續解析,原因未知,以后研究
SRV記錄
% etcdctl put /coredns/com/leffss/www '{"host":"www.baidu.com","port":80,"ttl":10}'
OK
* SRV記錄和CNAME記錄類似,只是多了port,它們的添加方法其實可以通用
查詢結果:
% dig -t SRV @localhost +short www.leffss.com
10 100 80 www.baidu.com.
TXT記錄
% etcdctl put /coredns/com/leffss/www '{"text":"This is text!","ttl":10}'
OK
查詢結果:
% dig -t TXT @localhost +short www.leffss.com
"This is text!"
8、修改服務器名(可選操作):
hostnamectl set-hostname coredns
9、通過java代碼想etcd添加解析記錄(etcd-api使用版本3,因此客戶端使用0.3.0):
public static void main(String[] args) throws Exception {
// create client
Client client = Client.builder().endpoints("http://192.168.2.155:2379").build();
KV kvClient = client.getKVClient();
ByteSequence key = ByteSequence.from(formatKey("www.leffss.com"), Charset.forName("UTF-8"));
ByteSequence value = ByteSequence.from(formatValue("192.168.2.133", 53), Charset.forName("UTF-8"));
// put the key-value
kvClient.put(key, value).get();
// get the CompletableFuture
CompletableFuture<GetResponse> getFuture = kvClient.get(key);
// get the value from CompletableFuture
GetResponse response = getFuture.get();
List<KeyValue> keyValues = response.getKvs();
for (KeyValue kv : keyValues) {
System.out.println("key :" + kv.getKey().toString(Charset.forName("UTF-8")) + " val :" + kv.getValue().toString(Charset.forName("UTF-8")));
}
10、需要在pom中引入的依賴:
<dependency>
<groupId>dnsjava</groupId>
<artifactId>dnsjava</artifactId>
<version>2.1.8</version>
</dependency>
<dependency>
<groupId>io.etcd</groupId>
<artifactId>jetcd-core</artifactId>
<version>0.3.0</version>
</dependency>
11、下載證書生成工具:
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
12、創建目錄:
mkdir /ssl
cd /ssl
vi etcd-cert.sh
13、生成tls證書腳本代碼:
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "hunan",
"ST": "changsha"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.2.155",
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "hunan",
"ST": "changsha"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
// 單機模式tls
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"server": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"client": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "hunan",
"O": "thyc",
"ST": "changsha"
}
]
}
EOF
# 使用定義好的簽名生成證書
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# 生成服務器證書
# -----------------------
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.2.155",
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "hunan",
"O": "thyc",
"ST": "changsha"
}
]
}
EOF
# 生成服務器證書
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server-csr.json | cfssljson -bare server
注意:
本博文中涉及到的ip請根據自己部署的服務器ip進行調整。
如啟用tls后,你需要用java去連接etcd做域名解析記錄的添加修改等,你需要引入ca.pem到你的java項目目錄中。
ETCD 集群TLS(各節點需要保持時間同步,關閉防火牆(或開放指定端口),關閉selinux)
時間同步(如果沒有ntpdate命令則自行安裝):
ntpdate time1.aliyun.com