2. Binary installation of K8s: deploying the etcd cluster
1. Download and install cfssl, used to sign the K8s certificates
Binary packages: https://pkg.cfssl.org/
Required packages:
- cfssl 1.6.0
- cfssljson 1.6.0
- cfssl-certinfo 1.6.0
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl_1.6.0_linux_amd64 -O cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssljson_1.6.0_linux_amd64 -O cfssljson
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl-certinfo_1.6.0_linux_amd64 -O cfssl-certinfo
chmod +x cfssl*
mv cfssl* /usr/local/bin/
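2. Generate the etcd certificates
- [x] Self-signed CA:
# Generate the default certificate config files (this step can be skipped); useful if you have no config template to start from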
cfssl print-defaults config >ca-config.json
cfssl print-defaults csr >ca-csr.json
- [x] Edit the certificate configuration
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
- [x] Generate the certificate
Generate the root certificate files ca.pem and ca-key.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
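- [x] Use the self-signed CA to issue the etcd HTTPS certificate
Create the certificate signing request file:
# Note: the IPs in the hosts field of this file are the intra-cluster communication IPs of all etcd nodes; not one may be missing! To make later scale-out easier, you can add a few reserved IPs.
cat > server-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.100.170",
    "192.168.100.171",
    "192.168.100.172",
    "192.168.100.173"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF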
# Generate the server certificate: server-key.pem and server.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
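The hosts requirement noted above can be checked before signing. This is an added example, not part of the original guide: the function names `missing_sans` and `demo_missing_sans` are hypothetical, the sample inputs are constructed, and it assumes the peer list uses IP addresses only, in the form of the ETCD_INITIAL_CLUSTER value set in the etcd configuration file.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names, constructed sample data).
# Print every peer IP found in an ETCD_INITIAL_CLUSTER value that is absent
# from the "hosts" array of a cfssl CSR file. Prints nothing when all peers
# are covered by the certificate request.
missing_sans() {
  local csr="$1" cluster="$2" hosts ip
  # Flatten the JSON and keep only the contents of the hosts array.
  hosts=$(tr -d ' \n\t' < "$csr" | sed -n 's/.*"hosts":\[\([^]]*\)].*/\1/p')
  for ip in $(printf '%s\n' "$cluster" | grep -oE '[0-9]+(\.[0-9]+){3}'); do
    case ",$hosts," in
      *",\"$ip\","*) ;;      # exact match, so 192.168.100.17 != 192.168.100.170
      *) echo "$ip" ;;
    esac
  done
}

# Constructed demo: the hosts list from server-csr.json above, checked against
# a peer list in which etcd-3 points at an address the CSR does not contain.
demo_missing_sans() {
  local csr; csr=$(mktemp)
  cat > "$csr" <<'EOF'
{ "CN": "etcd",
  "hosts": [ "192.168.100.170", "192.168.100.171",
             "192.168.100.172", "192.168.100.173" ] }
EOF
  missing_sans "$csr" "etcd-1=https://192.168.100.170:2380,etcd-2=https://192.168.100.171:2380,etcd-3=https://192.168.31.73:2380"
  rm -f "$csr"
}
demo_missing_sans
```

Any address it prints is not in the certificate request, so TLS verification against that member will fail once the cluster uses the signed certificate.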
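3. Download and install etcd
- [x] Download the binary package
# Download
wget https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz -P /data/download/
# Extract
tar -zxvf /data/download/etcd-v3.5.0-linux-amd64.tar.gz -C /data/download/
# Copying the binaries to /usr/local/bin/ is recommended
cp /data/download/etcd-v3.5.0-linux-amd64/{etcd,etcdctl} /usr/local/bin/
# Keep a second copy under /data/etcd/bin/ so it is copied to the other nodes together with /data/etcd
mkdir -p /data/etcd/{bin,config,ssl}
cp /data/download/etcd-v3.5.0-linux-amd64/{etcd,etcdctl} /data/etcd/bin/
- [x] Create the etcd configuration file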
cat > /data/etcd/config/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.100.170:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.170:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.170:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.170:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.170:2380,etcd-2=https://192.168.100.171:2380,etcd-3=https://192.168.100.172:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
- [x] 3. Manage etcd with systemd
Mind the certificate paths
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/data/etcd/config/etcd.conf
ExecStart=/usr/local/bin/etcd \
--cert-file=/data/etcd/ssl/server.pem \
--key-file=/data/etcd/ssl/server-key.pem \
--peer-cert-file=/data/etcd/ssl/server.pem \
--peer-key-file=/data/etcd/ssl/server-key.pem \
--trusted-ca-file=/data/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
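- [x] 4. Copy the certificates generated earlier
Copy the certificates generated earlier to the path used in the configuration:
cp /data/docker/TSL/etcd/*.pem /data/etcd/ssl/
- [x] 5. Start etcd and enable it at boot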
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
6. Copy all files generated on node 1 to node 2 and node 3
# Copy the whole directory
scp -r /data/etcd/* root@192.168.100.171:/data/etcd/
scp -r /data/etcd/* root@192.168.100.172:/data/etcd/
# Copy the systemd unit file
scp /usr/lib/systemd/system/etcd.service root@192.168.100.171:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service root@192.168.100.172:/usr/lib/systemd/system/
# Copy the etcd binaries into place (run this on each of the other cluster machines)
cp /data/etcd/bin/etc* /usr/local/bin/
# Then, on node 2 and node 3, change the node name and the current server's IP in etcd.conf:
vi /data/etcd/config/etcd.conf
#[Member]
ETCD_NAME="etcd-1" # change this: etcd-2 on node 2, etcd-3 on node 3
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.100.170:2380" # change this to the current server's IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.170:2379" # change this to the current server's IP
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.170:2380" # change this to the current server's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.170:2379" # change this to the current server's IP
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.170:2380,etcd-2=https://192.168.100.171:2380,etcd-3=https://192.168.100.172:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
# Start etcd and enable it at boot
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
7. Check the cluster status
systemctl status etcd
● etcd.service - Etcd Server
Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
Active: active (running) since 日 2021-07-18 19:04:49 CST; 18s ago
Main PID: 1875 (etcd)
Tasks: 8
Memory: 33.5M
CGroup: /system.slice/etcd.service
└─1875 /usr/local/bin/etcd --cert-file=/data/k8s/etcd/ssl/server.pem --key-file=/data/k8s/etcd/ssl/server-key.pem --peer-cert-file=/data/k8s/etcd/ssl/server.pem --peer-key-file=/data/k8s/etcd/ssl/serve...
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.863+0800","caller":"rafthttp/peer_status.go:53","msg":"peer became active","peer-id":"1bd67ef396fd86"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.864+0800","caller":"rafthttp/stream.go:412","msg":"established TCP streaming connection with remote peer","stream-rea...bd67ef396fd86"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.865+0800","caller":"rafthttp/stream.go:412","msg":"established TCP streaming connection with remote peer","stream-rea...bd67ef396fd86"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.866+0800","caller":"rafthttp/stream.go:249","msg":"set message encoder","from":"7f0b6bf57639838f","to":"1bd67ef396fd8...eam MsgApp v2"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.866+0800","caller":"rafthttp/stream.go:274","msg":"established TCP streaming connection with remote peer","stream-wri...bd67ef396fd86"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.899+0800","caller":"rafthttp/stream.go:249","msg":"set message encoder","from":"7f0b6bf57639838f","to":"1bd67ef396fd8...tream Message"}
7月 18 19:04:51 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:51.899+0800","caller":"rafthttp/stream.go:274","msg":"established TCP streaming connection with remote peer","stream-wri...bd67ef396fd86"}
7月 18 19:04:53 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:53.988+0800","caller":"etcdserver/server.go:2481","msg":"updating cluster version using v2 API","from":"3.0","to":"3.5"}
7月 18 19:04:53 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:53.991+0800","caller":"membership/cluster.go:523","msg":"updated cluster version","cluster-id":"a89a4473c024c0a2","local....0","to":"3.5"}
7月 18 19:04:53 master01 etcd[1875]: {"level":"info","ts":"2021-07-18T19:04:53.991+0800","caller":"etcdserver/server.go:2500","msg":"cluster version is updated","cluster-version":"3.5"}
Hint: Some lines were ellipsized, use -l to show in full.
etcdctl --cacert=/data/etcd/ssl/ca.pem \
--cert=/data/etcd/ssl/server.pem \
--key=/data/etcd/ssl/server-key.pem \
--endpoints="https://192.168.100.170:2379,https://192.168.100.171:2379,https://192.168.100.172:2379" endpoint status -w table
etcdctl --cacert=/data/etcd/ssl/ca.pem \
--cert=/data/etcd/ssl/server.pem \
--key=/data/etcd/ssl/server-key.pem \
--endpoints="https://192.168.100.170:2379,https://192.168.100.171:2379,https://192.168.100.172:2379" endpoint health
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://192.168.100.170:2379 | 32e07c4d987eefc | 3.5.0 | 29 kB | true | false | 2 | 9 | 9 | |
| https://192.168.100.171:2379 | 7ec2542a2723e9e3 | 3.5.0 | 20 kB | false | false | 2 | 9 | 9 | |
| https://192.168.100.172:2379 | 2186647c238c4402 | 3.5.0 | 20 kB | false | false | 2 | 9 | 9 | |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
https://192.168.100.170:2379 is healthy: successfully committed proposal: took = 32.498535ms
https://192.168.100.171:2379 is healthy: successfully committed proposal: took = 37.070854ms
https://192.168.100.172:2379 is healthy: successfully committed proposal: took = 37.475938ms
# If you see the output above, the cluster was deployed successfully. If something is wrong, check the logs first: /var/log/messages or journalctl -u etcd
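Step 4 copies every *.pem file, which includes ca-key.pem, into /data/etcd/ssl/, and step 6 copies that directory to the other nodes, while the etcd unit only references ca.pem, server.pem and server-key.pem. The following added example (not part of the original guide; `audit_etcd_keys` and `demo_audit` are hypothetical names, the demo files are constructed, and GNU `stat` is assumed) reports private keys a node holds but does not use, and keys readable by anyone other than their owner.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names, constructed demo files).
# Audit the private keys in an etcd node's ssl directory against its unit file.
# Prints one finding per line; prints nothing when the directory is clean.
audit_etcd_keys() {
  local unit="$1" ssl_dir="$2" key mode
  for key in "$ssl_dir"/*-key.pem; do
    [ -e "$key" ] || continue
    # A private key that no etcd flag references is not needed on this node.
    # With this guide's layout that is ca-key.pem, which can sign new certs.
    grep -qF -- "/$(basename "$key")" "$unit" ||
      echo "UNUSED_KEY $key"
    # Private keys should be accessible to their owner only.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
      400|600) ;;
      *) echo "LOOSE_MODE $key $mode" ;;
    esac
  done
}

# Constructed demo: a throwaway directory that mimics /data/etcd/ssl after
# `cp *.pem`, plus a unit file carrying the same TLS flags as this guide.
demo_audit() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/ssl"
  touch "$d/ssl/ca.pem" "$d/ssl/ca-key.pem" "$d/ssl/server.pem" "$d/ssl/server-key.pem"
  chmod 600 "$d/ssl/ca-key.pem"
  chmod 644 "$d/ssl/server-key.pem"
  cat > "$d/etcd.service" <<EOF
ExecStart=/usr/local/bin/etcd \\
--cert-file=$d/ssl/server.pem \\
--key-file=$d/ssl/server-key.pem \\
--trusted-ca-file=$d/ssl/ca.pem
EOF
  audit_etcd_keys "$d/etcd.service" "$d/ssl"
  rm -rf "$d"
}
demo_audit
```

On a real node the call would be `audit_etcd_keys /usr/lib/systemd/system/etcd.service /data/etcd/ssl`.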