2、二进制安装K8s 之 部署ETCD集群
二进制安装K8s 之 部署ETCD集群
一、下载安装cfssl,用于k8s证书签名
二进制包地址:https://pkg.cfssl.org/
所需软件包:
- cfssl 1.6.0
- cfssljson 1.6.0
- cfssl-certinfo 1.6.0
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl_1.6.0_linux_amd64 -O cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssljson_1.6.0_linux_amd64 -O cfssljson
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl-certinfo_1.6.0_linux_amd64 -O cfssl-certinfo
chmod +x cfssl*
mv cfssl* /usr/local/bin/
2、生成etcd证书
- [x] 自签CA:
#生成默认的证书配置文件【可以省略此步骤】,如果没有证书配置文件模板可以使用
cfssl print-defaults config >ca-config.json
cfssl print-defaults csr >ca-csr.json
- [x] 修改证书
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
- [x] 生成证书
生成ca.pem ca-key.pem 根证书文件
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
- [x] 使用自签CA签发Etcd HTTPS证书
创建证书申请文件:
#注:上述文件hosts字段中IP为所有etcd节点的集群内部通信IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP。
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.100.170",
"192.168.100.171",
"192.168.100.172",
"192.168.100.173"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
# 生成域名证书 server-key.pem server.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
3、下载安装etcd
- [x] 下载二进制包
#下载
wget https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz -O /data/download/
#解压
tar -zxvf etcd-v3.5.0-linux-amd64.tar.gz
#建议复制到/usr/local/bin/ 目录下
mv /data/download/etcd-v3.5.0-linux-amd64/{etcd,etcdctl} /usr/local/bin/
mv /data/download/etcd-v3.5.0-linux-amd64/{etcd,etcdctl} /data/k8s/etcd/bin/
- [x] 创建etcd配置文件
cat > /data/etcd/config/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.100.170:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.170:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.170:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.170:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.170:2380,etcd-2=https://192.168.100.171:2380,etcd-3=https://192.168.100.172:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
- [x] 3、systemd管理etcd
注意证书路径
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/data/etcd/config/etcd.conf
ExecStart=/usr/local/bin/etcd \
--cert-file=/data/etcd/ssl/server.pem \
--key-file=/data/etcd/ssl/server-key.pem \
--peer-cert-file=/data/etcd/ssl/server.pem \
--peer-key-file=/data/etcd/ssl/server-key.pem \
--trusted-ca-file=/data/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
- [x] 4、拷贝刚才生成的证书
把刚才生成的证书拷贝到配置文件中的路径:
cp /data/docker/TSL/etcd/*.pem /data/etcd/ssl/
- [x] 5、启动并设置开机启动
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
6 、将上面节点1所有生成的文件拷贝到节点2和节点3
#复制整个目录
scp -r /data/etcd/* root@192.168.100.171:/data/etcd/
scp -r /data/etcd/* root@192.168.100.172:/data/etcd/
#复制systemd文件
scp /usr/lib/systemd/system/etcd.service root@192.168.100.171:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service root@192.168.100.172:/usr/lib/systemd/system/
#cp etcd 二进制文件 集群其他机器上操作
cp /data/etcd/bin/etc* /usr/local/bin/
#然后在节点2和节点3分别修改etcd.conf配置文件中的节点名称和当前服务器IP:
vi /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-1" # 修改此处,节点2改为etcd-2,节点3改为etcd-3
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.100.71:2380" # 修改此处为当前服务器IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.71:2379" # 修改此处为当前服务器IP
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.71:2380" # 修改此处为当前服务器IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.71:2379" # 修改此处为当前服务器IP
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.71:2380,etcd-2=https://192.168.31.72:2380,etcd-3=https://192.168.31.73:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#启动,并设置开始启动
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
7、查看集群状态
systemctl status etcd
● etcd.service - Etcd Server
Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
Active: active (running) since 日 2021-07-18 19:04:49 CST; 18s ago
Main PID: 1875 (etcd)
Tasks: 8
Memory: 33.5M
CGroup: /system.slice/etcd.service
└─1875 /usr/local/bin/etcd --cert-file=/data/k8s/etcd/ssl/server.pem --key-file=/data/k8s/etcd/ssl/server-key.pem --peer-cert-file=/data/k8s/etcd/ssl/server.pem --peer-key-file=/data/k8s/etcd/ssl/serve...
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.863+0800","caller":"rafthttp/peer_status.go:53","msg":"peer became active","peer-id":"1bd67ef396fd86"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.864+0800","caller":"rafthttp/stream.go:412","msg":"established TCP streaming connection with remote peer","stream-rea...bd67ef396fd86"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.865+0800","caller":"rafthttp/stream.go:412","msg":"established TCP streaming connection with remote peer","stream-rea...bd67ef396fd86"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.866+0800","caller":"rafthttp/stream.go:249","msg":"set message encoder","from":"7f0b6bf57639838f","to":"1bd67ef396fd8...eam MsgApp v2"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.866+0800","caller":"rafthttp/stream.go:274","msg":"established TCP streaming connection with remote peer","stream-wri...bd67ef396fd86"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.899+0800","caller":"rafthttp/stream.go:249","msg":"set message encoder","from":"7f0b6bf57639838f","to":"1bd67ef396fd8...tream Message"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.899+0800","caller":"rafthttp/stream.go:274","msg":"established TCP streaming connection with remote peer","stream-wri...bd67ef396fd86"}
7月 18 19:04:53 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:53.988+0800","caller":"etcdserver/server.go:2481","msg":"updating cluster version using v2 API","from":"3.0","to":"3.5"}
7月 18 19:04:53 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:53.991+0800","caller":"membership/cluster.go:523","msg":"updated cluster version","cluster-id":"a89a4473c024c0a2","local....0","to":"3.5"}
7月 18 19:04:53 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:53.991+0800","caller":"etcdserver/server.go:2500","msg":"cluster version is updated","cluster-version":"3.5"}
Hint: Some lines were ellipsized, use -l to show in full.
etcdctl --cacert=/data/etcd/ssl/ca.pem \
--cert=/data/etcd/ssl/server.pem \
--key=/data/etcd/ssl/server-key.pem \
--endpoints="https://192.168.0.170:2379,https://192.168.100.171:2379,https://192.168.100.172:2379" endpoint status -w table
etcdctl --cacert=/data/etcd/ssl/ca.pem \
--cert=/data/etcd/ssl/server.pem \
--key=/data/etcd/ssl/server-key.pem \
--endpoints="https://192.168.100.170:2379,https://192.168.100.171:2379,https://192.168.100.172:2379" endpoint health
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://192.168.100.170:2379 | 32e07c4d987eefc | 3.5.0 | 29 kB | true | false | 2 | 9 | 9 | |
| https://192.168.100.171:2379 | 7ec2542a2723e9e3 | 3.5.0 | 20 kB | false | false | 2 | 9 | 9 | |
| https://192.168.100.172:2379 | 2186647c238c4402 | 3.5.0 | 20 kB | false | false | 2 | 9 | 9 | |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
https://192.168.100.170:2379 is healthy: successfully committed proposal: took = 32.498535ms
https://192.168.100.171:2379 is healthy: successfully committed proposal: took = 37.070854ms
https://192.168.100.172:2379 is healthy: successfully committed proposal: took = 37.475938ms
#如果输出上面信息,就说明集群部署成功。如果有问题第一步先看日志:/var/log/message 或 journalctl -u etcd
2、二进制安装K8s 之 部署ETCD集群的更多相关文章
- 二进制安装 k8s 1.15.6 集群
目录: 第一篇 环境介绍与基础配置 第二篇 部署前期准备工作 第三篇 ETCD 集群部署 第四篇 master节点的部署介绍和前置工作 第五篇 kube-nginx 和 keepalived 部署安装 ...
- 8、二进制安装K8s之部署CIN网络
二进制安装K8s之部署CIN网络 部署CIN网络可以使用flannel或者calico,这里介绍使用calico ecd 方式部署. 1.下载calico二进制安装包 创建所需目录 mkdir -p ...
- 3、二进制安装K8s之部署kube-apiserver
二进制安装K8s之部署kube-apiserver 一.生成 kube-apiserver 证书 1.自签证书颁发机构(CA) cat > ca-config.json <<EOF ...
- 10、二进制安装K8s之部署CoreDNS 和Dashboard
二进制安装K8s之部署CoreDNS 和Dashboard CoreDNS 和Dashboard 的yaml文件在 k8s源代码压缩包里面可以找到对应的配置文件,很多人从网上直接下载使用别人的,会导致 ...
- 7、二进制安装K8s之部署kube-proxy
二进制安装K8s之部署kube-proxy 1.创建配置文件 cat > /data/k8s/config/kube-proxy.conf << EOF KUBE_PROXY_OPT ...
- 6、二进制安装K8s之部署kubectl
二进制安装K8s之部署kubectl 我们把k8s-master 也设置成node,所以先master上面部署node,在其他机器上部署node也适用,更换名称即可. 1.在所有worker node ...
- 5、二进制安装K8s 之 部署kube-scheduler
二进制安装K8s之部署kube-scheduler 1.创建配置文件 cat > /data/k8s/config/kube-scheduler.conf << EOF KUBE_S ...
- suse 12 二进制部署 Kubernetets 1.19.7 - 第02章 - 部署etcd集群
文章目录 1.2.部署etcd集群 1.2.0.下载etcd二进制文件 1.2.1.创建etcd证书和私钥 1.2.2.生成etcd证书和私钥 1.2.3.配置etcd为systemctl管理 1.2 ...
- Kubernetes后台数据库etcd:安装部署etcd集群,数据备份与恢复
目录 一.系统环境 二.前言 三.etcd数据库 3.1 概述 四.安装部署etcd单节点 4.1 环境介绍 4.2 配置节点的基本环境 4.3 安装部署etcd单节点 4.4 使用客户端访问etcd ...
随机推荐
- 前端-HTML标签
1.<p></p>段落标签 <p>别在最该拼搏的年纪选择稳定,世界上最大的不变是改变,只有每天进步,才能拥抱生命的无限可能!</p> 2.</b& ...
- 结对开发_石家庄地铁查询web系统_psp表
结对开发_石家庄地铁查询_博客地址:https://www.cnblogs.com/flw0322/p/10680172.html PSP0: PSP0 Personal Software Proce ...
- [刘阳Java]_处理并发有哪些方法
1.HTML静态化 ,将活动页面上的所有可以静态的元素全部静态化,并尽量减少动态元素2.禁止重复提交:用户提交之后按钮置灰,禁止重复提交3.用户限流:在某一时间段内只允许用户提交一次请求,比如可以采取 ...
- 前端开发入门到进阶第一集【使用sublime快速编写Html和Css】
1,安装sublime编辑器,下载地址:http://www.sublimetext.com/3 2,要使用sublime的插件机制必须安装package control:https://packag ...
- 微信小程序云开发-添加数据
一.数据的添加 使用add方法添加数据 添加完成后,在数据库中查询,可以看到数据库中添加了1条数据,此时添加的数据系统自动添加了_openid 将[添加]功能写到对应的方法中 wxml页面中,点击[添 ...
- 解决proto文件生成pb文件时提示(e.g."message")的问题
原因:格式不支持 解决办法:去下个notepad,打开方式选择notepad,文件属性的只读取消掉 打开后会发现最下面显示了文件的格式是unix,utf-8 右键红框处,选择转换为windows格式, ...
- HTTP_CLIENT_IP、HTTP_X_FORWARDED_FOR、REMOTE_ADDR
REMOTE_ADDR 是你的客户端跟你的服务器"握手"时候的IP.如果使用了"匿名代理",REMOTE_ADDR将显示代理服务器的IP. HTTP_CLIEN ...
- 3分钟搭建一个网站?腾讯云Serverless开发体验
作为一个开发者,应该都能理解一个网站从开发到上线,要经过很多繁琐的步骤. 编写代码,部署应用,部署数据库,申请域名,申请SSL证书,域名备案,到最终上线起码要几天时间. 作为一个不精通代码的业务玩家, ...
- Laravel Ignition 2.5.1 代码执行漏洞(CVE-2021-3129)
影响范围 Laravel 框架 < 8.4.3 facade ignition 组件 < 2.5.2 poc git clone https://github.com/simonlee-h ...
- 为MySQL的source命令导入SQL文件配置参数
为MySQL的source命令导入SQL文件配置参数 执行 mysql -uroot -p 输入密码后进入 MySQL 命令提示符 set charset utf8; source /root/xxx ...