一个关于etcd集群部署的总结
环境: centos7+
服务器列表:
公网ip
内网ip
角色
39.96.46.xx
172.17.34.80
master
39.96.11.xx
172.17.34.79
node
39.105.65.xx
172.17.198.174
node
一、部署etcd 集群 1.cfssl 安装
自定一个文件路径,在该路径下执行以下命令
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 chmod +x cfssl_linux-amd64 sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 chmod +x cfssljson_linux-amd64 sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 chmod +x cfssl-certinfo_linux-amd64 sudo mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo cfssl gencert -initca ca-csr.json | cfssljson -bare ca export PATH=/bin:/usr/bin:$PATH cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
2.创建ssl证书 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 mkdir -p /opt/cfssl/etcdSSL cd /opt/cfssl/etcdSSL wget https://github.com/Drazen08/myConfig/blob/master/kubernetes/opt/cfssl/etcdSSL/ca-config.json wget https://github.com/Drazen08/myConfig/blob/master/kubernetes/opt/cfssl/etcdSSL/ca-csr.json cfssl gencert -initca ca-csr.json | cfssljson -bare ca wget https://github.com/Drazen08/myConfig/blob/master/kubernetes/opt/cfssl/etcdSSL/etcd-csr.json cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd mkdir -p /etc/etcd/etcdSSL cp /opt/cfssl/etcdSSL/* /etc/etcd/etcdSSL
3.安装etcd 3.1静态配置 ip为80服务器etcd部署
3.1.1 cfssl 工具的安装 ,用于创建各类证书。安装方式可自行百度。 3.1.2 创建目录 /opt /opt/cfssl/etcdSSL 3.1.3 创建 CA 配置文件(ca-config.json) {
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"etcd": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "876000h"
}
}
}
}
1 2 3 4 5 "字段说明" "ca-config.json":可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile; "signing":表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE; "server auth":表示client可以用该 CA 对server提供的证书进行验证; "client auth":表示server可以用该CA对client提供的证书进行验证;
3.1.4 创建 CA 证书签名请求(ca-csr.json) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 { "CN": "etcd", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "shenzhen", "L": "shenzhen", "O": "etcd", "OU": "System" } ] }
1 2 3 4 "CN":Common Name,etcd 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法; "O":Organization,etcd 从证书中提取该字段作为请求用户所属的组 (Group); 这两个参数在后面的kubernetes启用RBAC模式中很重要,因为需要设置kubelet、admin等角色权限,那么在配置证书的时候就必须配置对了,具体后面在部署kubernetes的时候会进行讲解。 "在etcd这两个参数没太大的重要意义,跟着配置就好。"
3.1.5 生成 CA 证书和私钥 1 2 cfssl gencert -initca ca-csr.json | cfssljson -bare ca 说明:生成 "ca-csr.json ca-key.pem ca.pem" 三个文件
3.1.6 创建 etcd证书签名请求(etcd-csr.json) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 { "CN": "etcd", "hosts": [ "127.0.0.1", "172.17.34.80", "172.17.34.79", "172.17.198.174" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "shenzhen", "L": "shenzhen", "O": "etcd", "OU": "System" } ] }
3.1.7 生成 etcd证书和私钥 1 2 3 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd 生成 "etcd-csr.json etcd-key.pem etcd.pem" 三个文件。
3.1.8 确认生成证书列表 并 创建 /etc/etcd/etcdSSL 目录 3.1.9 将所有证书文件拷贝至 /etc/etcd/etcdSSL 目录
cp /opt/cfssl/etcdSSL/* /etc/etcd/etcdSSL
3.1.10 安装 etcd服务
3.1.11 配置 etcd 的 service文件(/usr/lib/systemd/system)
vim /usr/lib/systemd/system/etcd.service
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify WorkingDirectory=/var/lib/etcd/ EnvironmentFile=-/etc/etcd/etcd.conf # set GOMAXPROCS to number of processors ExecStart=/usr/bin/etcd \ --name ${ETCD_NAME} \ --cert-file=/etc/etcd/etcdSSL/etcd.pem \ --key-file=/etc/etcd/etcdSSL/etcd-key.pem \ --peer-cert-file=/etc/etcd/etcdSSL/etcd.pem \ --peer-key-file=/etc/etcd/etcdSSL/etcd-key.pem \ --trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \ --peer-trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \ --initial-advertise-peer-urls ${ETCD_INITIAL_ADVERTISE_PEER_URLS} \ --listen-peer-urls ${ETCD_LISTEN_PEER_URLS} \ --listen-client-urls ${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \ --advertise-client-urls ${ETCD_ADVERTISE_CLIENT_URLS} \ --initial-cluster-token ${ETCD_INITIAL_CLUSTER_TOKEN} \ --initial-cluster infra1=https://172.17.34.80:2380,https://172.17.34.79:2380,https://172.17.198.174:2380 \ --initial-cluster-state new \ --data-dir=${ETCD_DATA_DIR} Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 参数说明: 1、指定 etcd 的工作目录为 /var/lib/etcd,数据目录为 /var/lib/etcd,需在启动服务前创建这两个目录; 在配置中的命令是这条: WorkingDirectory=/var/lib/etcd/ 2、为了保证通信安全,需要指定 etcd 的公私钥(cert-file和key-file)、Peers 通信的公私钥和 CA 证书(peer-cert-file、peer-key-file、peer-trusted-ca-file)、客户端的CA证书(trusted-ca-file); 在配置中添加etcd证书的命令是以下: --cert-file=/etc/etcd/etcdSSL/etcd.pem \ --key-file=/etc/etcd/etcdSSL/etcd-key.pem \ --peer-cert-file=/etc/etcd/etcdSSL/etcd.pem \ --peer-key-file=/etc/etcd/etcdSSL/etcd-key.pem \ --trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \ --peer-trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \ 3、配置etcd的endpoint: --initial-cluster infra1=https:// 172.17.34.80:2380,infra2=https:// 172.17.34.79:2380,infra3=https:// 172.17.198.174:2380 \ 4、配置etcd的监听服务集群: --initial-advertise-peer-urls ${ETCD_INITIAL_ADVERTISE_PEER_URLS} \ --listen-peer-urls ${ETCD_LISTEN_PEER_URLS} \ --listen-client-urls ${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \ --advertise-client-urls ${ETCD_ADVERTISE_CLIENT_URLS} \ 5、配置etcd创建的集群为新集群,则定义集群状态为new --initial-cluster-state 值为 new 6、定义etcd节点的名称,该名称等下从配置文件中获取: --name ${ETCD_NAME} \ 其中配置文件:EnvironmentFile=-/etc/etcd/etcd.conf
3.1.12 编写 etcd的配置文件(/etc/etcd/etcd.conf) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 #[Member] #ETCD_CORS="" ETCD_DATA_DIR="/var/lib/etcd" #ETCD_WAL_DIR="" ETCD_LISTEN_PEER_URLS="https://172.17.34.80:2380" ETCD_LISTEN_CLIENT_URLS="https://172.17.34.80:2379" #ETCD_MAX_SNAPSHOTS="5" #ETCD_MAX_WALS="5" ETCD_NAME="infra1" #ETCD_SNAPSHOT_COUNT="100000" #ETCD_HEARTBEAT_INTERVAL="100" #ETCD_ELECTION_TIMEOUT="1000" #ETCD_QUOTA_BACKEND_BYTES="0" #ETCD_MAX_REQUEST_BYTES="1572864" #ETCD_GRPC_KEEPALIVE_MIN_TIME="5s" #ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s" #ETCD_GRPC_KEEPALIVE_TIMEOUT="20s" # #[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.34.80:2380" ETCD_ADVERTISE_CLIENT_URLS="https://172.17.34.80:2379" #ETCD_DISCOVERY="" #ETCD_DISCOVERY_FALLBACK="proxy" #ETCD_DISCOVERY_PROXY="" #ETCD_DISCOVERY_SRV="" #ETCD_INITIAL_CLUSTER="default=http://localhost:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" #ETCD_INITIAL_CLUSTER_STATE="new" #ETCD_STRICT_RECONFIG_CHECK="true" #ETCD_ENABLE_V2="true" # #[Proxy] #ETCD_PROXY="off" #ETCD_PROXY_FAILURE_WAIT="5000" #ETCD_PROXY_REFRESH_INTERVAL="30000" #ETCD_PROXY_DIAL_TIMEOUT="1000" #ETCD_PROXY_WRITE_TIMEOUT="5000" #ETCD_PROXY_READ_TIMEOUT="0" # #[Security] #ETCD_CERT_FILE="" #ETCD_KEY_FILE="" #ETCD_CLIENT_CERT_AUTH="false" #ETCD_TRUSTED_CA_FILE="" #ETCD_AUTO_TLS="false" #ETCD_PEER_CERT_FILE="" #ETCD_PEER_KEY_FILE="" #ETCD_PEER_CLIENT_CERT_AUTH="false" #ETCD_PEER_TRUSTED_CA_FILE="" #ETCD_PEER_AUTO_TLS="false" # #[Logging] #ETCD_DEBUG="false" #ETCD_LOG_PACKAGE_LEVELS="" #ETCD_LOG_OUTPUT="default" # #[Unsafe] #ETCD_FORCE_NEW_CLUSTER="false" # #[Version] #ETCD_VERSION="false" #ETCD_AUTO_COMPACTION_RETENTION="0" # #[Profiling] #ETCD_ENABLE_PPROF="false" #ETCD_METRICS="basic" # #[Auth] #ETCD_AUTH_TOKEN="simple"
这是172.17.34.80节点的配置,如果配置其他etcd节点只要将上面的IP地址改成相应节点的IP地址即可。
3.1.13 启动 etcd 服务 1 2 3 4 systemctl daemon-reload systemctl enable etcd systemctl start etcd systemctl status etcd
3.2 ip 为 79 和 174 服务器的etcd部署 3.2.1 证书文件拷贝
将 80服务器上/etc/etcd/etcdSSL 目录下的证书文件分别拷贝到 79 和 174 上的同样目录下/etc/etcd/etcdSSL/。
3.2.2 分别安装etcd 同 1.1.2
3.2.3 分别配置etcd的service文件 同 1.1.11
3.2.4 分别编写etcd的配置文件 etcd.conf 同 1.1.12
3.2.5 分别启动etcd服务 同 1.1.13
3.3. 检查etcd健康状况 1 2 3 4 5 etcdctl \ --ca-file=/etc/etcd/etcdSSL/ca.pem \ --cert-file=/etc/etcd/etcdSSL/etcd.pem \ --key-file=/etc/etcd/etcdSSL/etcd-key.pem \ cluster-health
返回如下则为安装成功:
1 2 3 4 member 2dbd9a0c7ed8083a is healthy: got healthy result from https://172.17.34.79:2379 member 919be24b29e0636b is healthy: got healthy result from https://172.17.34.80:2379 member d767afc27e01c0a3 is healthy: got healthy result from https://172.17.198.174:2379 cluster is healthy
动态配置 (服务发现)
etcd 服务自发现的原理是通过一个现有的etcd 集群来启动一个新的etcd 集群
1.etcd 自发现
可以借助etcd官方提供的公网etcd集群进行自发现
步骤
执行curl https://discovery.etcd.io/new?size=? 命令,其中? 代表节点个数
第一步的应答值保存下来,是一个etcd官网提供的url,该url用来以后写入配置文件,如:https://discovery.etcd.io/XXXX
我把模板文件放在远程仓库,所以可以直接执行命令:etcd.conf文件中#[Security]项的子项配置,且把所有url变更为http类型)1 2 3 4 cd /etc/etcd wget https://github.com/Drazen08/myConfig/blob/master/etcd/dynamic/etc/etcd/etcd.conf cd /usr/lib/systemd/system wget https://github.com/Drazen08/myConfig/blob/master/etcd/dynamic/usr/lib/systemd/system/etcd.service
执行vim /etc/etcd/etcd.conf, 把文件中ip换成本节点的ip,以上操作所有节点通用
执行命令:
1 2 3 4 systemctl daemon-reload systemctl enable etcd systemctl start etcd systemctl status etcd
注意,上述步骤是对etcd.conf进行操作,我们也可以放弃conf,直接用命令进行服务发现:
1 2 3 4 5 6 7 8 9 10 11 12 etcd --name <etcd node name> --data-dir <your data dir> \ --initial-advertise-peer-urls <node-ip:2379> \ --listen-peer-urls <node-ip:2380>\ --listen-client-urls <node-ip:2379>,http://127.0.0.1:2379 \ --advertise-client-urls <node-ip:2379> \ --discovery https://discovery.etcd.io/XXXX --cert-file=/etc/etcd/etcdSSL/etcd.pem \ --key-file=/etc/etcd/etcdSSL/etcd-key.pem \ --peer-cert-file=/etc/etcd/etcdSSL/etcd.pem \ --peer-key-file=/etc/etcd/etcdSSL/etcd-key.pem \ --trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \ --peer-trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \
如果你没有证书,则去掉--discovery 项之后的配置,该命令每个节点执行一次
** 当操作完成后,执行命令进行检查**
1 etcdctl --ca-file=/etc/etcd/etcdSSL/ca.pem --cert-file=/etc/etcd/etcdSSL/etcd.pem --key-file=/etc/etcd/etcdSSL/etcd-key.pem --endpoints=https://172.17.34.80:2379,https://172.17.34.79:2379,https://172.17.198.174:2379 cluster-health
如果你在后期想增加节点,则可以执行:
1 etcdctl --ca-file=/etc/etcd/etcdSSL/ca.pem --cert-file=/etc/etcd/etcdSSL/etcd.pem --key-file=/etc/etcd/etcdSSL/etcd-key.pem --endpoints=https://172.17.34.80:2379,https://172.17.34.79:2379,https://172.17.198.174:2379 member add <node name> <node url>
2.DNS 自发现
原理是利用DNS的SRV记录不断轮训查询实现的。DNS SRV是DNS数据库中支持的一种资源记录的类型,它记录了哪台计算机提供了哪个服务这么一个简单信息。
可以采用dnsmasq作为dns服务器,进行dns自发现
