1 System setup
1.1 System time synchronization
~# apt -y install chrony
~# systemctl start chrony
~# systemctl enable chrony
1.2 Server plan
Hostname | IP | Role |
---|---|---|
consul-01 | 192.168.174.103 | consul server |
consul-02 | 192.168.174.104 | consul client |
consul-03 | 192.168.174.105 | consul client |
1.3 Software list
consul: 1.10.4
1.4 Recommended deployment architecture
Official documentation:
https://www.consul.io/docs/install#precompiled-binaries
https://learn.hashicorp.com/tutorials/consul/deployment-guide?in=consul/production-deploy#configure-consul-agents
https://github.com/hashicorp/consul
1.5 Server sizing
Size | CPU | Memory | Disk Capacity | Disk IO | Disk Throughput |
---|---|---|---|---|---|
Large | 8-16 core | 32-64 GB RAM | 200+ GB | 7500+ IOPS | 250+ MB/s |
2 Install Consul
2.1 Download the Consul package
https://www.consul.io/downloads
~# wget https://releases.hashicorp.com/consul/1.10.4/consul_1.10.4_linux_amd64.zip
2.2 Install Consul
root@consul-01:~# unzip consul_1.10.4_linux_amd64.zip -d /usr/local/bin
root@consul-02:~# unzip consul_1.10.4_linux_amd64.zip -d /usr/local/bin
root@consul-03:~# unzip consul_1.10.4_linux_amd64.zip -d /usr/local/bin
2.3 Set the owner and group
root@consul-01:~# chown root.root /usr/local/bin/consul
2.4 Consul command completion
root@consul-01:~# consul -autocomplete-install # completion works after logging in again
root@consul-01:~# complete -C /usr/local/bin/consul consul
2.5 Create the consul system user
root@consul-01:~# useradd --system --home /etc/consul.d --shell /bin/false consul
root@consul-02:~# useradd --system --home /etc/consul.d --shell /bin/false consul
root@consul-03:~# useradd --system --home /etc/consul.d --shell /bin/false consul
2.6 Create the data directory
root@consul-01:~# mkdir --parents /opt/consul
root@consul-02:~# mkdir --parents /opt/consul
root@consul-03:~# mkdir --parents /opt/consul
2.7 Set the data directory permissions
root@consul-01:~# chown --recursive consul:consul /opt/consul
root@consul-02:~# chown --recursive consul:consul /opt/consul
root@consul-03:~# chown --recursive consul:consul /opt/consul
2.8 Verify the version
root@consul-01:~# consul version
Consul v1.10.4
Revision 7bbad6fe
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)
3 Prepare the security credentials
3.1 Generate the gossip encryption key
Gossip is encrypted with a symmetric key, because gossip between nodes runs over UDP. All agents must share the same encryption key.
root@consul-01:~# consul keygen
VTd56Fa6qg0HVJ1+UqLeub7rGLYn7EncFbyMnSaKZ9o=
3.2 Generate TLS certificates for RPC encryption
3.2.1 Create the certificate authority
Start by creating the CA on your admin instance, using the Consul CLI.
root@consul-01:~# consul tls ca create -domain wgs
==> Saved wgs-agent-ca.pem
==> Saved wgs-agent-ca-key.pem
3.2.2 Create the certificates
Next, create a set of certificates, one per Consul agent. At this point you need to choose a name for your primary datacenter and the domain of your Consul datacenter, so that the certificates are named correctly.
root@consul-01:~# consul tls cert create -server -dc <dc_name> -domain <domain> # command format
root@consul-01:~# consul tls cert create -server -dc wgs -domain wgs
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
that are not server nodes. Store them as securely as CA keys.
==> Using wgs-agent-ca.pem and wgs-agent-ca-key.pem
==> Saved wgs-server-wgs-0.pem
==> Saved wgs-server-wgs-0-key.pem
3.3 Distribute the certificates to the agents
root@consul-01:~# scp wgs-agent-ca.pem wgs-server-wgs-0.pem wgs-server-wgs-0-key.pem root@192.168.174.103:/etc/consul.d/certs
root@consul-01:~# scp wgs-agent-ca.pem wgs-server-wgs-0.pem wgs-server-wgs-0-key.pem root@192.168.174.104:/etc/consul.d/certs
root@consul-01:~# scp wgs-agent-ca.pem wgs-server-wgs-0.pem wgs-server-wgs-0-key.pem root@192.168.174.105:/etc/consul.d/certs
Note: the warning printed by consul tls cert create above applies here as well: the client nodes (192.168.174.104 and 192.168.174.105) only need wgs-agent-ca.pem, since their configs below use auto_encrypt and reference only ca_file, so the server certificate and key should stay on the server node.
3.4 Set certificate permissions
chown -R consul.consul /etc/consul.d/
4 Configuration files
4.1 Create the configuration file
touch /etc/consul.d/consul.hcl
chown --recursive consul:consul /etc/consul.d
chmod 640 /etc/consul.d/consul.hcl
4.2 consul-01 configuration
root@ceph-node01:~# cat /etc/consul.d/consul.hcl
datacenter = "wgs01"
data_dir = "/opt/consul"
encrypt = "XSsXcaGKyxfa00zAw7Lw0zvlQJ6PcTFlCl+40J9quyw="
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "/etc/consul.d/certs/consul-agent-ca.pem"
cert_file = "/etc/consul.d/certs/wgs01-server-consul-0.pem"
key_file = "/etc/consul.d/certs/wgs01-server-consul-0-key.pem"
auto_encrypt {
allow_tls = true
}
performance {
raft_multiplier = 1
}
server = true
bind_addr = "192.168.174.103"
client_addr = "0.0.0.0"
ui_config {
enabled = true
}
node_name = "consul-01"
bootstrap_expect = 1
connect {
enabled = true
}
addresses {
grpc = "127.0.0.1"
}
ports {
grpc = 8502
}
4.3 consul-02 configuration
root@ceph-node02:~# cat /etc/consul.d/consul.hcl
datacenter = "wgs01"
data_dir = "/opt/consul"
encrypt = "XSsXcaGKyxfa00zAw7Lw0zvlQJ6PcTFlCl+40J9quyw="
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "/etc/consul.d/certs/consul-agent-ca.pem"
auto_encrypt = {
tls = true
}
retry_join = ["192.168.174.103"]
performance {
raft_multiplier = 1
}
bind_addr = "192.168.174.104"
client_addr = "0.0.0.0"
node_name = "consul-02"
connect {
enabled = true
}
addresses {
grpc = "127.0.0.1"
}
ports {
grpc = 8502
}
4.4 consul-03 configuration
root@ceph-node03:~# cat /etc/consul.d/consul.hcl
datacenter = "wgs01"
data_dir = "/opt/consul"
encrypt = "XSsXcaGKyxfa00zAw7Lw0zvlQJ6PcTFlCl+40J9quyw="
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "/etc/consul.d/certs/consul-agent-ca.pem"
auto_encrypt = {
tls = true
}
retry_join = ["192.168.174.103"]
performance {
raft_multiplier = 1
}
bind_addr = "192.168.174.105"
client_addr = "0.0.0.0"
node_name = "consul-03"
connect {
enabled = true
}
addresses {
grpc = "127.0.0.1"
}
ports {
grpc = 8502
}
5 Configuration reference
datacenter
- The datacenter in which the agent runs.
data_dir
- The data directory in which the agent stores its state.
encrypt
- The gossip encryption key used for Consul network traffic.
verify_incoming
- If set to true, Consul requires all incoming connections to use TLS.
verify_outgoing
- If set to true, Consul requires all outgoing connections from this agent to use TLS.
verify_server_hostname
- If set to true, for every outgoing TLS connection Consul verifies that the certificate presented by the server matches the hostname server.<datacenter>.<domain>.
ca_file
- Path to the CA's public certificate file.
cert_file
- Path to the agent's public certificate file.
key_file
- Path to the private key file for the agent's certificate.
auto_encrypt
- Lets the servers issue certificates to clients automatically.
raft_multiplier
- An integer multiplier used by Consul servers to scale key Raft timing parameters. Setting it to 1 configures Raft for its highest-performance mode, equivalent to the default timing before Consul 0.7, and is recommended for production Consul servers.
server
- Controls whether the agent runs in server mode or client mode.
bootstrap_expect
- The number of servers expected in the datacenter. Either omit this value or set it to the same value on every server in the datacenter.
ui (ui_config.enabled in the configs above)
- Enables the built-in web UI.
connect.enabled
- Controls whether Connect is enabled on this agent. It should be enabled on all servers in the cluster for Connect to work properly.
addresses.grpc
- The address Consul binds the gRPC API to. Defaults to client_addr, but for security reasons it may be sensitive to open it up beyond localhost/127.0.0.1.
ports.grpc
- The gRPC API port. By convention use 8502 for grpc, since some tooling works with it automatically. Currently gRPC is used only to expose the Envoy xDS API to Envoy proxies.
Note: by default the Consul Connect service mesh uses an embedded CA to generate and sign certificates for services. Consul can be configured to use a different CA.
6 Validate the configuration file
~# consul validate /etc/consul.d/
Configuration is valid!
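consul validate only confirms that the file parses and the option names are known; it does not judge whether the settings are safe, and it will not notice that the certificate files named in a config were issued for a different datacenter or domain than the one verify_server_hostname will check (server.<datacenter>.<domain>). The script below is an added example, not part of this guide or of Consul. It parses the flat HCL subset used in the configs above (key = value, key { ... }, key = { ... }, flat lists), records duplicate keys, and then audits the security-relevant settings: the three verify_* flags, the decoded length of the gossip key, the presence of the CA, certificate and key files, whether the certificate file name matches the agent's datacenter and domain, whether the HTTP API is exposed on a non-loopback client_addr without ports.https, and whether ACLs are enabled with a default-deny policy. The sample config is constructed from the consul-01 settings above but deliberately points at the certificates created in section 3 with -dc wgs -domain wgs while keeping datacenter = "wgs01", and keeps a duplicated bootstrap_expect key, so those checks fire; harden() returns a corrected copy. The certificate-name check is only a heuristic based on the <dc>-server-<domain>-<n>.pem naming that consul tls cert create uses; the authoritative check is the certificate's SAN.

```python
"""Audit a Consul agent config (this guide's flat HCL subset); added example."""
import base64
import os
import re

# Constructed sample: the guide's consul-01 settings, but pointing at the certs
# made in section 3 (-dc wgs -domain wgs) and keeping the duplicated key.
SAMPLE_CONFIG = '''
datacenter = "wgs01"
encrypt = "XSsXcaGKyxfa00zAw7Lw0zvlQJ6PcTFlCl+40J9quyw="
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "/etc/consul.d/certs/wgs-agent-ca.pem"
cert_file = "/etc/consul.d/certs/wgs-server-wgs-0.pem"
key_file = "/etc/consul.d/certs/wgs-server-wgs-0-key.pem"
server = true
bootstrap_expect = 3
client_addr = "0.0.0.0"
bootstrap_expect = 1
'''


def parse_value(text):
    # Bool, int, quoted string or flat list: all that these configs use.
    if text in ("true", "false"):
        return text == "true"
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if text[:1] == "[" and text[-1:] == "]":
        return [parse_value(p.strip()) for p in text[1:-1].split(",") if p.strip()]
    if len(text) > 1 and text[0] == text[-1] == '"':
        return text[1:-1]
    raise ValueError(f"unsupported value: {text!r}")


def parse_hcl(text):
    """Parse `k = v`, `k { ... }`, `k = { ... }` into nested dicts; returns (config, duplicate_keys)."""
    root = cur = {}
    stack, dups = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments (values here contain no '#')
        if not line:
            continue
        if line == "}":
            cur = stack.pop()  # IndexError on a stray '}'
            continue
        m = re.fullmatch(r"([A-Za-z_]\w*)\s*(=)?\s*(.*)", line)
        if not m or (m[3] != "{" and not m[2]):
            raise ValueError(f"cannot parse: {line!r}")
        key, rest = m[1], m[3]
        if key in cur:
            dups.append(key)  # the last value wins here, which is why it is reported
        if rest == "{":
            stack.append(cur)
            cur[key] = child = {}
            cur = child
        else:
            cur[key] = parse_value(rest)
    if stack:
        raise ValueError("unterminated block")
    return root, dups


def audit(cfg, dups):
    """Return a list of findings; an empty list means nothing was detected."""
    f = [f"duplicate key {d!r}: effective value is ambiguous, keep one" for d in dups]
    f += [f"{k} is not true: RPC is not fully TLS-protected" for k in
          ("verify_incoming", "verify_outgoing", "verify_server_hostname")
          if cfg.get(k) is not True]
    try:  # consul keygen emits 32 bytes; 16/24/32-byte AES keys are accepted
        n = len(base64.b64decode(cfg.get("encrypt", ""), validate=True))
    except ValueError:  # binascii.Error is a ValueError
        n = -1
    if n not in (16, 24, 32):
        f.append("encrypt missing or not a 16/24/32-byte base64 key: gossip unprotected")
    need = ("ca_file", "cert_file", "key_file") if cfg.get("server") else ("ca_file",)
    f += [f"{k} missing" for k in need if not cfg.get(k)]
    # Naming heuristic: `consul tls cert create -server -dc DC -domain DOMAIN` writes
    # DC-server-DOMAIN-N.pem, and verify_server_hostname checks server.DC.DOMAIN.
    dc, dom = cfg.get("datacenter"), cfg.get("domain", "consul")
    m = re.fullmatch(r"(.+)-server-(.+)-\d+\.pem", os.path.basename(cfg.get("cert_file", "")))
    if m and m.groups() != (dc, dom):
        f.append(f"cert_file named for dc={m[1]} domain={m[2]}, but "
                 f"verify_server_hostname expects server.{dc}.{dom}")
    ports = cfg.get("ports", {})
    if cfg.get("client_addr", "127.0.0.1") not in ("127.0.0.1", "localhost", "::1") \
            and ports.get("https", -1) == -1:
        f.append("plaintext HTTP API exposed on a non-loopback client_addr (no ports.https)")
    acl = cfg.get("acl", {})
    if acl.get("enabled") is not True or acl.get("default_policy") != "deny":
        f.append("acl not enabled with default_policy = deny: API and UI lack authorization")
    return f


def harden(cfg):
    """Corrected copy: certs named for the agent's own dc/domain, HTTPS only, default-deny ACLs."""
    dc, dom = cfg["datacenter"], cfg.get("domain", "consul")
    out = dict(cfg, ca_file=f"/etc/consul.d/certs/{dom}-agent-ca.pem",
               cert_file=f"/etc/consul.d/certs/{dc}-server-{dom}-0.pem",
               key_file=f"/etc/consul.d/certs/{dc}-server-{dom}-0-key.pem")
    out["ports"] = dict(cfg.get("ports", {}), http=-1, https=8501)
    out["acl"] = {"enabled": True, "default_policy": "deny"}
    return out
```

To run it against a real file, call audit(*parse_hcl(open("/etc/consul.d/consul.hcl").read())). The parser covers only the flat syntax used in this guide, so a config with nested lists, maps inside lists or heredocs raises ValueError rather than silently passing, and the client configs above (retry_join list, auto_encrypt = { tls = true }) parse without error.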
7 Node start-up test
7.1 consul-01 node
root@consul-01:~/consul# /usr/local/bin/consul agent -config-dir=/etc/consul.d/
==> Starting Consul agent...
Version: '1.10.4'
Node ID: 'c63043d5-f525-10c6-c244-49bd16e7d261'
Node name: 'consul-01'
Datacenter: 'wgs01' (Segment: '<all>')
Server: true (Bootstrap: true)
Client Addr: [0.0.0.0] (HTTP: 8500, HTTPS: -1, gRPC: 8502, DNS: 8600)
Cluster Addr: 192.168.174.103 (LAN: 8301, WAN: 8302)
Encrypt: Gossip: true, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: true
==> Log data will now stream in as it occurs:
7.2 consul-02 node
root@consul-02:/etc/consul.d# /usr/local/bin/consul agent -config-dir=/etc/consul.d/
==> Starting Consul agent...
Version: '1.10.4'
Node ID: '1bd3df65-f957-4ad3-3074-0dbffb9815be'
Node name: 'consul-02'
Datacenter: 'wgs01' (Segment: '')
Server: false (Bootstrap: false)
Client Addr: [0.0.0.0] (HTTP: 8500, HTTPS: -1, gRPC: 8502, DNS: 8600)
Cluster Addr: 192.168.174.104 (LAN: 8301, WAN: 8302)
Encrypt: Gossip: true, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: true
==> Log data will now stream in as it occurs:
7.3 consul-03 node
root@consul-03:/etc/consul.d# /usr/local/bin/consul agent -config-dir=/etc/consul.d/
==> Starting Consul agent...
Version: '1.10.4'
Node ID: 'c3ac7a90-c9ec-a7b4-228c-66d5245fb8ae'
Node name: 'consul-03'
Datacenter: 'wgs01' (Segment: '')
Server: false (Bootstrap: false)
Client Addr: [0.0.0.0] (HTTP: 8500, HTTPS: -1, gRPC: 8502, DNS: 8600)
Cluster Addr: 192.168.174.105 (LAN: 8301, WAN: 8302)
Encrypt: Gossip: true, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: true
==> Log data will now stream in as it occurs:
8 Add the consul.service unit file
root@consul-01:~# cat /lib/systemd/system/consul.service
[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/consul.d/consul.hcl
[Service]
EnvironmentFile=-/etc/consul.d/consul.env
User=consul
Group=consul
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/ -log-file=/opt/consul/consul.log
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
9 Enable Consul at boot
root@consul-01:~# systemctl enable consul
Created symlink /etc/systemd/system/multi-user.target.wants/consul.service → /lib/systemd/system/consul.service.
root@consul-01:~# systemctl start consul
root@consul-01:~# systemctl status consul
● consul.service - "HashiCorp Consul - A service mesh solution"
Loaded: loaded (/lib/systemd/system/consul.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-11-25 13:43:20 CST; 12s ago
Docs: https://www.consul.io/
Main PID: 11179 (consul)
Tasks: 11 (limit: 2245)
Memory: 20.3M
CGroup: /system.slice/consul.service
└─11179 /usr/local/bin/consul agent -config-dir=/etc/consul.d/ -log-file=/opt/consul/consul.log
Nov 25 13:43:20 consul-01 consul[11179]: 2021-11-25T13:43:20.994+0800 [INFO] agent: Retry join is supported for the following discovery methods: cluster=LAN discovery_methods="aliyun aws azure digitalocean g>
Nov 25 13:43:20 consul-01 consul[11179]: 2021-11-25T13:43:20.994+0800 [INFO] agent: Joining cluster...: cluster=LAN
Nov 25 13:43:20 consul-01 consul[11179]: 2021-11-25T13:43:20.994+0800 [INFO] agent: (LAN) joining: lan_addresses=[192.168.174.103]
Nov 25 13:43:20 consul-01 consul[11179]: 2021-11-25T13:43:20.994+0800 [INFO] agent: started state syncer
Nov 25 13:43:20 consul-01 consul[11179]: 2021-11-25T13:43:20.994+0800 [INFO] agent: Consul agent running!
Nov 25 13:43:20 consul-01 consul[11179]: 2021-11-25T13:43:20.994+0800 [WARN] agent: grpc: addrConn.createTransport failed to connect to {dc1-192.168.174.103:8300 0 consul-01.dc1 <nil>}. Err :connection error>
Nov 25 13:43:20 consul-01 consul[11179]: 2021-11-25T13:43:20.995+0800 [INFO] agent: (LAN) joined: number_of_nodes=1
Nov 25 13:43:20 consul-01 consul[11179]: 2021-11-25T13:43:20.995+0800 [INFO] agent: Join cluster completed. Synced with initial agents: cluster=LAN num_agents=1
Nov 25 13:43:22 consul-01 consul[11179]: 2021-11-25T13:43:22.510+0800 [WARN] agent.server.raft: no known peers, aborting election
Nov 25 13:43:28 consul-01 consul[11179]: 2021-11-25T13:43:28.220+0800 [ERROR] agent.anti_entropy: failed to sync remote state: error="No cluster leader"
10 List the Consul cluster members
root@consul-01:~# consul members
Node Address Status Type Build Protocol DC Segment
consul-01 192.168.174.103:8301 alive server 1.10.4 2 wgs01 <all>
consul-02 192.168.174.104:8301 alive client 1.10.4 2 wgs01 <default>
consul-03 192.168.174.105:8301 alive client 1.10.4 2 wgs01 <default>
root@consul-02:~# consul members
Node Address Status Type Build Protocol DC Segment
consul-01 192.168.174.103:8301 alive server 1.10.4 2 wgs01 <all>
consul-02 192.168.174.104:8301 alive client 1.10.4 2 wgs01 <default>
consul-03 192.168.174.105:8301 alive client 1.10.4 2 wgs01 <default>
root@consul-03:~# consul members
Node Address Status Type Build Protocol DC Segment
consul-01 192.168.174.103:8301 alive server 1.10.4 2 wgs01 <all>
consul-02 192.168.174.104:8301 alive client 1.10.4 2 wgs01 <default>
consul-03 192.168.174.105:8301 alive client 1.10.4 2 wgs01 <default>
11 Remove a node from the Consul cluster
11.1 View the current members
root@consul-03:~# consul members
Node Address Status Type Build Protocol DC Segment
consul-01 192.168.174.103:8301 alive server 1.10.4 2 wgs01 <all>
consul-02 192.168.174.104:8301 alive client 1.10.4 2 wgs01 <default>
consul-03 192.168.174.105:8301 alive client 1.10.4 2 wgs01 <default>
11.2 Remove the consul-03 node
root@consul-03:~# consul leave # leave the cluster and stop the agent
Graceful leave complete
root@consul-03:~# consul force-leave <node> # force removal
11.3 Verify from the other nodes
root@consul-01:~# consul members
Node Address Status Type Build Protocol DC Segment
consul-01 192.168.174.103:8301 alive server 1.10.4 2 wgs01 <all>
consul-02 192.168.174.104:8301 alive client 1.10.4 2 wgs01 <default>
consul-03 192.168.174.105:8301 left client 1.10.4 2 wgs01 <default>
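After a leave, consul members is the quickest way to confirm the cluster's state, but reading it by eye does not scale and a node in the failed state looks much like one that left on purpose. The script below is an added example, not part of this guide or of Consul: it parses the consul members table into records and compares the live membership with the intended server count, reporting every member that is not alive and whether enough servers are alive for Raft to keep a leader (a majority of expected_servers). The sample output is constructed to match the cluster above after consul leave on consul-03; the expected_servers value is whatever you configured with bootstrap_expect.

```python
"""Parse `consul members` output and flag membership and quorum problems.
Added example, not part of this guide or of Consul."""

# Constructed sample: this guide's cluster after `consul leave` on consul-03.
SAMPLE_MEMBERS = """\
Node       Address               Status  Type    Build   Protocol  DC     Segment
consul-01  192.168.174.103:8301  alive   server  1.10.4  2         wgs01  <all>
consul-02  192.168.174.104:8301  alive   client  1.10.4  2         wgs01  <default>
consul-03  192.168.174.105:8301  left    client  1.10.4  2         wgs01  <default>
"""


def parse_members(text):
    """Turn the whitespace-aligned table into a list of dicts keyed by the
    lower-cased header names (node, address, status, type, ...)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.lower() for h in lines[0].split()]
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def membership_report(members, expected_servers):
    """Compare live membership with the intended server count. Raft needs a
    majority (expected_servers // 2 + 1) of servers alive to keep a leader;
    every member whose status is not 'alive' (failed, left, leaving) is listed."""
    alive_servers = [m for m in members if m["type"] == "server" and m["status"] == "alive"]
    quorum = expected_servers // 2 + 1
    problems = []
    if expected_servers < 3 or expected_servers % 2 == 0:
        problems.append(f"expected_servers={expected_servers}: use 3 or 5 servers "
                        "so the cluster survives a server failure")
    if len(alive_servers) < quorum:
        problems.append(f"{len(alive_servers)} alive server(s) but quorum needs {quorum}: "
                        "no leader can be elected, writes will fail")
    problems += [f"{m['node']} ({m['type']}) is {m['status']}"
                 for m in members if m["status"] != "alive"]
    return {"alive_servers": len(alive_servers), "quorum": quorum, "problems": problems}


if __name__ == "__main__":
    import subprocess  # on a node with consul installed, use the live output instead
    try:
        text = subprocess.run(["consul", "members"], check=True,
                              capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_MEMBERS  # fall back to the constructed sample
    for p in membership_report(parse_members(text), expected_servers=1)["problems"]:
        print("WARN", p)
```

On the single-server cluster of this guide the report warns that one server gives no fault tolerance and that consul-03 is in the left state; run with expected_servers=3 against the same output it instead reports that quorum cannot be reached, which is what an operator would see if two of three servers had failed rather than left.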
12 Verify the Consul web UI