部署etcd集群


1、集群規划

服務器名稱 服務地址 角色
YN101-22.host.com 192.168.101.22 etcd leader
YN101-31.host.com 192.168.101.31 etcd follow
YN101-32.host.com 192.168.101.32 etcd follow

2、創建基於根證書的config配置文件(在YN101-100.host.com主機上操作)

cd /opt/certs/
vi ca-config.json
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "server": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "peer": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      }
    }
  }
}
vi etcd-peer-csr.json
{
  "CN": "k8s-etcd",
  "hosts": [
    "192.168.101.21",
    "192.168.101.22",
    "192.168.101.31",
    "192.168.101.32"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "YN",
      "L": "KM",
      "O": "kevin",
      "OU": "edu"
    }
  ]
}

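#生成etcd證書和私鑰(使用peer這個profile)。注意:上面ca-config.json中client和peer兩個profile的usages都只有"server auth";啟動腳本開啟了--peer-client-cert-auth,節點之間要互相校驗客戶端證書,peer一般應同時包含"server auth"和"client auth",client應為"client auth",否則節點間的TLS握手可能失敗。ca-key.pem只保留在簽發主機上,不要分發到etcd節點。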
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer
#生成證書如下
[root@yn101-100 certs]# ll
total 36
-rw-r--r-- 1 root root  610 Feb 17 22:54 ca-config.json
-rw-r--r-- 1 root root  985 Feb 16 12:53 ca.csr
-rw-r--r-- 1 root root  189 Feb 16 12:53 ca-csr.json
-rw------- 1 root root 1679 Feb 16 12:53 ca-key.pem
-rw-r--r-- 1 root root 1322 Feb 16 12:53 ca.pem
-rw-r--r-- 1 root root 1054 Feb 17 22:56 etcd-peer.csr
-rw-r--r-- 1 root root  300 Feb 17 22:37 etcd-peer-csr.json
-rw------- 1 root root 1679 Feb 17 22:56 etcd-peer-key.pem
-rw-r--r-- 1 root root 1395 Feb 17 22:56 etcd-peer.pem

3、YN101-22.host.com主機操作

給etcd創建一個用戶

useradd -s /sbin/nologin -M etcd
[root@yn101-22 src]# id etcd
uid=1000(etcd) gid=1000(etcd) groups=1000(etcd)
#etcd下載地址,本機安裝3.1.20版本(安裝包需先下載到/opt/src;解壓前建議核對安裝包的校驗值,確認文件來自官方發布頁且未被篡改)
https://github.com/etcd-io/etcd/releases/tag/v3.1.20
#解壓(-C /opt/ 表示解壓到/opt下,所以后面的mv和ln要在/opt目錄執行)
cd /opt/src
tar xfv etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
#軟連接
[root@yn101-22 opt]# ln -s /opt/etcd-v3.1.20/ /opt/etcd
[root@yn101-22 opt]# ll
total 0
lrwxrwxrwx 1 root   root   18 Feb 17 23:05 etcd -> /opt/etcd-v3.1.20/
drwxr-xr-x 3 478493 89939 123 Oct 11  2018 etcd-v3.1.20
drwxr-xr-x 2 root   root   45 Feb 17 22:19 src
#創建目錄,拷貝證書和私鑰(scp的目標是當前目錄,需先cd /opt/etcd/certs再執行;私鑰etcd-peer-key.pem應保持600權限,只允許etcd用戶讀取)
mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
scp yn101-100:/opt/certs/ca.pem .
scp yn101-100:/opt/certs/etcd-peer.pem .
scp yn101-100:/opt/certs/etcd-peer-key.pem .

創建etcd的啟動腳本 vi /opt/etcd/etcd-server-startup.sh

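#!/bin/sh
# Start the etcd member etcd-server-101-22 in the foreground (run by supervisor).
#
# The binary and the certificate paths below are relative, so change to the
# directory this script lives in instead of trusting the caller's cwd.
#
# `exec` replaces this shell with etcd. Without it the supervised process is
# the wrapper shell, and the stop signal sent by supervisor reaches the shell
# rather than etcd, which can leave an orphaned etcd holding ports 2379/2380.
#
# Security notes:
#   - http://127.0.0.1:2379 is a plaintext client listener. --client-cert-auth
#     only applies to the https URL, so any local process on this host can
#     read and write etcd through loopback without a certificate. Remove the
#     loopback URL from both --listen-client-urls and --advertise-client-urls
#     if local tools can use the https endpoint with a client certificate.
#   - --ca-file and --peer-ca-file are the deprecated spellings of
#     --trusted-ca-file / --peer-trusted-ca-file (combined with the
#     *-client-cert-auth switches); they are kept here to preserve behavior.
#   - --peer-client-cert-auth makes each member verify the other members'
#     certificates as client certificates, so ./certs/etcd-peer.pem has to be
#     issued with usages that allow both server and client authentication.
#   - ./certs/etcd-peer-key.pem should be readable by the etcd user only.
cd -- "$(dirname -- "$0")" || exit 1

exec ./etcd --name etcd-server-101-22 \
  --data-dir /data/etcd/etcd-server \
  --listen-peer-urls https://192.168.101.22:2380 \
  --listen-client-urls https://192.168.101.22:2379,http://127.0.0.1:2379 \
  --quota-backend-bytes 8000000000 \
  --initial-advertise-peer-urls https://192.168.101.22:2380 \
  --advertise-client-urls https://192.168.101.22:2379,http://127.0.0.1:2379 \
  --initial-cluster etcd-server-101-22=https://192.168.101.22:2380,etcd-server-101-31=https://192.168.101.31:2380,etcd-server-101-32=https://192.168.101.32:2380 \
  --ca-file ./certs/ca.pem \
  --cert-file ./certs/etcd-peer.pem \
  --key-file ./certs/etcd-peer-key.pem \
  --client-cert-auth \
  --trusted-ca-file ./certs/ca.pem \
  --peer-ca-file ./certs/ca.pem \
  --peer-cert-file ./certs/etcd-peer.pem \
  --peer-key-file ./certs/etcd-peer-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file ./certs/ca.pem \
  --log-output stdout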
chmod +x etcd-server-startup.sh
chown -R etcd.etcd /opt/etcd-v3.1.20/
#更改后輸出如下,文件為etcd用戶
[root@yn101-22 etcd]# ll
total 30072
drwxr-xr-x  2 etcd etcd       66 Feb 17 23:12 certs
drwxr-xr-x 11 etcd etcd     4096 Oct 11  2018 Documentation
-rwxr-xr-x  1 etcd etcd 16406432 Oct 11  2018 etcd
-rwxr-xr-x  1 etcd etcd 14327712 Oct 11  2018 etcdctl
-rwxr-xr-x  1 etcd etcd      876 Feb 17 23:30 etcd-server-startup.sh
-rw-r--r--  1 etcd etcd    32632 Oct 11  2018 README-etcdctl.md
-rw-r--r--  1 etcd etcd     5878 Oct 11  2018 README.md
-rw-r--r--  1 etcd etcd     7892 Oct 11  2018 READMEv2-etcdctl.md
[root@yn101-22 etcd]# chown -R etcd.etcd /data/etcd/
[root@yn101-22 etcd]# chown -R etcd.etcd /data/logs/etcd-server/
#安裝管理后台進程軟件,etcd后台啟動如果進程掉了會自動啟動
yum install supervisor -y
[root@yn101-22 etcd]# systemctl start supervisord
[root@yn101-22 etcd]# systemctl enable supervisord
Created symlink from /etc/systemd/system/multi-user.target.wants/supervisord.service to /usr/lib/systemd/system/supervisord.service.
#創建supervisor的啟動文件
vi /etc/supervisord.d/etcd-server.ini
#內容如下
[program:etcd-server-101-22]
; supervisor runs this wrapper script and tracks the process it started. The
; stop signal below is delivered to that process, so the signal only reaches
; etcd itself if the wrapper replaces itself with etcd (exec).
command=/opt/etcd/etcd-server-startup.sh
numprocs=1
; The wrapper refers to ./etcd and ./certs, which resolve against this directory.
directory=/opt/etcd
autostart=true
autorestart=true
; The process must stay up this many seconds before it counts as started.
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
; Run etcd as the unprivileged etcd account rather than root; the data, log and
; certificate directories have to be owned by this user.
user=etcd
; stderr is merged into the stdout log file configured below.
redirect_stderr=true
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
[root@yn101-22 etcd]# supervisorctl update
etcd-server-101-22: added process group
#查看啟動狀態
[root@yn101-22 etcd]# supervisorctl status
etcd-server-101-22               RUNNING   pid 11849, uptime 0:01:31
#查看啟動日志
tail -fn 200 /data/logs/etcd-server/etcd.stdout.log
#為running狀態,監聽2379和2380端口才算啟動成功
[root@yn101-22 etcd]# netstat -luntp | grep etcd
tcp        0      0 192.168.101.22:2379     0.0.0.0:*               LISTEN      11850/./etcd        
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      11850/./etcd        
tcp        0      0 192.168.101.22:2380     0.0.0.0:*               LISTEN      11850/./etcd 

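4、YN101-31.host.com安裝etcd(注意:下方啟動腳本和supervisor配置示例里的名稱與IP是101-32節點的,命令提示符和輸出沿用了101-22的;在101-31上操作時請替換為etcd-server-101-31和192.168.101.31,101-32節點按同樣步驟安裝)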

cd /opt/src
tar xfv etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
#軟連接
ln -s /opt/etcd-v3.1.20/ /opt/etcd
#創建一個etcd的用戶
useradd -s /sbin/nologin -M etcd
#創建目錄,拷貝證書和私鑰(scp的目標是當前目錄,需先cd /opt/etcd/certs再執行;私鑰etcd-peer-key.pem應保持600權限,只允許etcd用戶讀取)
mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
scp yn101-100:/opt/certs/ca.pem .
scp yn101-100:/opt/certs/etcd-peer.pem .
scp yn101-100:/opt/certs/etcd-peer-key.pem .

創建etcd的啟動腳本 vi /opt/etcd/etcd-server-startup.sh

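#!/bin/sh
# Start the etcd member etcd-server-101-32 in the foreground (run by supervisor).
#
# NOTE(review): --name and the 192.168.101.32 addresses identify node 101-32.
# They must match the host this file is installed on and one of the entries in
# --initial-cluster; on another node substitute that node's name and IP.
#
# The binary and the certificate paths below are relative, so change to the
# directory this script lives in instead of trusting the caller's cwd.
#
# `exec` replaces this shell with etcd. Without it the supervised process is
# the wrapper shell, and the stop signal sent by supervisor reaches the shell
# rather than etcd, which can leave an orphaned etcd holding ports 2379/2380.
#
# Security notes:
#   - http://127.0.0.1:2379 is a plaintext client listener. --client-cert-auth
#     only applies to the https URL, so any local process on this host can
#     read and write etcd through loopback without a certificate. Remove the
#     loopback URL from both --listen-client-urls and --advertise-client-urls
#     if local tools can use the https endpoint with a client certificate.
#   - --ca-file and --peer-ca-file are the deprecated spellings of
#     --trusted-ca-file / --peer-trusted-ca-file (combined with the
#     *-client-cert-auth switches); they are kept here to preserve behavior.
#   - --peer-client-cert-auth makes each member verify the other members'
#     certificates as client certificates, so ./certs/etcd-peer.pem has to be
#     issued with usages that allow both server and client authentication.
#   - ./certs/etcd-peer-key.pem should be readable by the etcd user only.
cd -- "$(dirname -- "$0")" || exit 1

exec ./etcd --name etcd-server-101-32 \
  --data-dir /data/etcd/etcd-server \
  --listen-peer-urls https://192.168.101.32:2380 \
  --listen-client-urls https://192.168.101.32:2379,http://127.0.0.1:2379 \
  --quota-backend-bytes 8000000000 \
  --initial-advertise-peer-urls https://192.168.101.32:2380 \
  --advertise-client-urls https://192.168.101.32:2379,http://127.0.0.1:2379 \
  --initial-cluster etcd-server-101-22=https://192.168.101.22:2380,etcd-server-101-31=https://192.168.101.31:2380,etcd-server-101-32=https://192.168.101.32:2380 \
  --ca-file ./certs/ca.pem \
  --cert-file ./certs/etcd-peer.pem \
  --key-file ./certs/etcd-peer-key.pem \
  --client-cert-auth \
  --trusted-ca-file ./certs/ca.pem \
  --peer-ca-file ./certs/ca.pem \
  --peer-cert-file ./certs/etcd-peer.pem \
  --peer-key-file ./certs/etcd-peer-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file ./certs/ca.pem \
  --log-output stdout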
chmod +x etcd-server-startup.sh
#更改文件為etcd用戶權限
chown -R etcd.etcd /opt/etcd-v3.1.20/
chown -R etcd.etcd /data/etcd/
chown -R etcd.etcd /data/logs/etcd-server/
#安裝管理后台進程軟件,etcd后台啟動如果進程掉了會自動啟動
yum install supervisor -y
[root@yn101-22 etcd]# systemctl start supervisord
[root@yn101-22 etcd]# systemctl enable supervisord
Created symlink from /etc/systemd/system/multi-user.target.wants/supervisord.service to /usr/lib/systemd/system/supervisord.service.
#創建supervisor的啟動文件
vi /etc/supervisord.d/etcd-server.ini
#內容如下
[program:etcd-server-101-32]
; supervisor runs this wrapper script and tracks the process it started. The
; stop signal below is delivered to that process, so the signal only reaches
; etcd itself if the wrapper replaces itself with etcd (exec).
command=/opt/etcd/etcd-server-startup.sh
numprocs=1
; The wrapper refers to ./etcd and ./certs, which resolve against this directory.
directory=/opt/etcd
autostart=true
autorestart=true
; The process must stay up this many seconds before it counts as started.
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
; Run etcd as the unprivileged etcd account rather than root; the data, log and
; certificate directories have to be owned by this user.
user=etcd
; stderr is merged into the stdout log file configured below.
redirect_stderr=true
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
[root@yn101-22 etcd]# supervisorctl update
etcd-server-101-22: added process group
#查看啟動狀態
[root@yn101-22 etcd]# supervisorctl status
etcd-server-101-22               RUNNING   pid 11849, uptime 0:01:31
#查看啟動日志
tail -fn 200 /data/logs/etcd-server/etcd.stdout.log
#為running狀態,監聽2379和2380端口才算啟動成功
[root@yn101-22 etcd]# netstat -luntp | grep etcd
tcp        0      0 192.168.101.22:2379     0.0.0.0:*               LISTEN      11850/./etcd        
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      11850/./etcd        
tcp        0      0 192.168.101.22:2380     0.0.0.0:*               LISTEN      11850/./etcd 
#全部狀態為running時,可在任意節點查看etcd健康狀態
[root@yn101-22 etcd]# supervisorctl status
etcd-server-101-22               RUNNING   pid 11849, uptime 0:01:31
#健康狀態監測
cd /opt/etcd
./etcdctl cluster-health

