etcd的安装注意两点 1.systemd的配置文件   2. 证书

1. 解决 systemd的问题,想安装指定版本的etcd可以通过 yum方式安装 etcd 可以获得 systemc 和 etcd.conf 的模板。

[root@master01 etcd-v3.3.13-linux-amd64]# rpm -ql etcd

/etc/etcd

/etc/etcd/etcd.conf

/usr/bin/etcd

/usr/bin/etcdctl

/usr/lib/systemd/system/etcd.service

/usr/share/doc/etcd-3.3.11

/usr/share/doc/etcd-3.3.11/CHANGELOG.md

........

.......

.....

/usr/share/man/man1/etcdctl3.1.gz

/var/lib/etcd

------------------------------------------------------------------------------------

[root@master01 etcd-v3.3.13-linux-amd64]# !cat

cat /usr/lib/systemd/system/etcd.service

[Unit]

Description=Etcd Server

After=network.target

After=network-online.target

Wants=network-online.target

[Service]

Type=notify

WorkingDirectory=/var/lib/etcd/

EnvironmentFile=-/etc/etcd/etcd.conf

User=etcd

# set GOMAXPROCS to number of processors

ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\""

Restart=on-failure

LimitNOFILE=65536

[Install]

WantedBy=multi-user.target

[root@master01 etcd-v3.3.13-linux-amd64]# cat /etc/etcd/etcd.conf

#[Member]

#ETCD_CORS=""

ETCD_DATA_DIR="/var/lib/etcd/default.etcd"

#ETCD_WAL_DIR=""

#ETCD_LISTEN_PEER_URLS="http://localhost:2380"

ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"

#ETCD_MAX_SNAPSHOTS="5"

#ETCD_MAX_WALS="5"

ETCD_NAME="default"

#ETCD_SNAPSHOT_COUNT="100000"

#ETCD_HEARTBEAT_INTERVAL="100"

#ETCD_ELECTION_TIMEOUT="1000"

#ETCD_QUOTA_BACKEND_BYTES="0"

#ETCD_MAX_REQUEST_BYTES="1572864"

#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"

#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"

#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"

#

#[Clustering]

#ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"

ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"

#ETCD_DISCOVERY=""

#ETCD_DISCOVERY_FALLBACK="proxy"

#ETCD_DISCOVERY_PROXY=""

#ETCD_DISCOVERY_SRV=""

#ETCD_INITIAL_CLUSTER="default=http://localhost:2380"

#ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

#ETCD_INITIAL_CLUSTER_STATE="new"

#ETCD_STRICT_RECONFIG_CHECK="true"

#ETCD_ENABLE_V2="true"

#

#[Proxy]

#ETCD_PROXY="off"

#ETCD_PROXY_FAILURE_WAIT="5000"

#ETCD_PROXY_REFRESH_INTERVAL="30000"

#ETCD_PROXY_DIAL_TIMEOUT="1000"

#ETCD_PROXY_WRITE_TIMEOUT="5000"

#ETCD_PROXY_READ_TIMEOUT="0"

#

#[Security]

#ETCD_CERT_FILE=""

#ETCD_KEY_FILE=""

#ETCD_CLIENT_CERT_AUTH="false"

#ETCD_TRUSTED_CA_FILE=""

#ETCD_AUTO_TLS="false"

#ETCD_PEER_CERT_FILE=""

#ETCD_PEER_KEY_FILE=""

#ETCD_PEER_CLIENT_CERT_AUTH="false"

#ETCD_PEER_TRUSTED_CA_FILE=""

#ETCD_PEER_AUTO_TLS="false"

#

#[Logging]

#ETCD_DEBUG="false"

#ETCD_LOG_PACKAGE_LEVELS=""

#ETCD_LOG_OUTPUT="default"

#

#[Unsafe]

#ETCD_FORCE_NEW_CLUSTER="false"

#

#[Version]

#ETCD_VERSION="false"

#ETCD_AUTO_COMPACTION_RETENTION="0"

#

#[Profiling]

#ETCD_ENABLE_PPROF="false"

#ETCD_METRICS="basic"

#

#[Auth]

#ETCD_AUTH_TOKEN="simple"

2. 解决证书问题

curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64  -o cfssl_linux-amd64

curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64  -o cfssljson_linux-amd64

mv  cfssl_linux_amd64 /bin/cfssl

mv cfssljson_linux_amd64 /bin/cfssljson

-------------------------------------------------------------------------

生成根证书文件

[root@master01 ~]# cat ca-config.json ca-csr.json

{

    "signing": {

        "default": {

            "expiry": "175200h"

        },

        "profiles": {

            "kubernetes": {

                "expiry": "175200h",

                "usages": [

                    "signing",

                    "key encipherment",

                    "server auth",

            "client auth"

                ]

            },

            "etcd": {

                "expiry": "175200h",

                "usages": [

                    "signing",

                    "key encipherment",

                    "server auth",

                    "client auth"

                ]

            }

        }

    }

}

{

    "key": {

        "algo": "rsa",

        "size":

    },

    "names": [

        {

            "C": "CN",

            "L": "Beijing",

            "ST": "Beijing",

            "O": "cnpc",

            "OU": "RF"

        }

    ]

}

-----------------------------------------------------------------------

[root@master01 ~]# ./cfssl_linux-amd64 gencert --initca ca-csr.json | cfssljson --bare ca

// :: [INFO] generating a new CA key and certificate from CSR

// :: [INFO] generate received request

// :: [INFO] received CSR

// :: [INFO] generating key: rsa-

// :: [INFO] encoded CSR

// :: [INFO] signed certificate with serial number

[root@master01 ~]# ls ca* -l

-rw-r--r--  root root   May  : ca-config.json

-rw-r--r--  root root   May  : ca.csr

-rw-r--r--  root root   May  : ca-csr.json

-rw-------  root root  May  : ca-key.pem

-rw-r--r--  root root  May  : ca.pem

------------------------------------------------------------------------

生产集群验证证书

[root@master01 ~]# cat etcd-csr.json

{

  "CN": "etcd-server",

  "hosts": [

    "localhost",

    "0.0.0.0",

    "127.0.0.1",

    "192.168.141.135",

    "192.168.141.136",

    "192.168.141.137"

  ],

  "key": {

    "algo": "rsa",

    "size":

  },

  "names": [

    {

        "C": "CN",

        "L": "Beijing",

        "ST": "Beijing",

        "O": "cnpc",

        "OU": "RF"}

  ]

}

[root@master01 ~]# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd

// :: [INFO] generate received request

// :: [INFO] received CSR

// :: [INFO] generating key: rsa-

// :: [INFO] encoded CSR

// :: [INFO] signed certificate with serial number

// :: [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for

websites. For more information see the Baseline Requirements for the Issuance and Management

of Publicly-Trusted Certificates, v.1.1., from the CA/Browser Forum (https://cabforum.org);

specifically, section 10.2. ("Information Requirements").

-------------------------------------------------------------------------

etcd客户端访问证书 可有可不用。

[root@master01 ~]# cat etcd-client-csr.json

{

  "CN": "etcd-client",

  "hosts": [

    ""

  ],

  "key": {

    "algo": "rsa",

    "size":

  },

  "names": [

    {

        "C": "CN",

        "L": "Beijing",

        "ST": "Beijing",

        "O": "cnpc",

        "OU": "RF"}

  ]

}

[root@master01 ~]# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-client-csr.json | cfssljson -bare etcd-client

// :: [INFO] generate received request

// :: [INFO] received CSR

// :: [INFO] generating key: rsa-

// :: [INFO] encoded CSR

// :: [INFO] signed certificate with serial number

// :: [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for

websites. For more information see the Baseline Requirements for the Issuance and Management

of Publicly-Trusted Certificates, v.1.1., from the CA/Browser Forum (https://cabforum.org);

specifically, section 10.2. ("Information Requirements").

[root@master01 ~]# ls etcd-client* -l

-rw-r--r--  root root  May  : etcd-client.csr

-rw-r--r--  root root   May  : etcd-client-csr.json

-rw-------  root root  May  : etcd-client-key.pem

-rw-r--r--  root root  May  : etcd-client.pem

------------------------------------

3.修改配置文件进行etcd启动

 

[root@master01 ~]# cat /etc/etcd/etcd.conf

# [member]

ETCD_NAME=etcd1

ETCD_DATA_DIR="/var/lib/etcd/etcd1.etcd"

ETCD_WAL_DIR="/var/lib/etcd/wal"

ETCD_SNAPSHOT_COUNT="100"

ETCD_HEARTBEAT_INTERVAL="100"

ETCD_ELECTION_TIMEOUT="1000"

ETCD_LISTEN_PEER_URLS="https://192.168.141.136:2380"

ETCD_LISTEN_CLIENT_URLS="https://192.168.141.136:2379,http://127.0.0.1:2379"

ETCD_MAX_SNAPSHOTS="5"

ETCD_MAX_WALS="5"

#ETCD_CORS=""

# [cluster]

ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.141.136:2380"

# if you use different ETCD_NAME (e.g. test), set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."

ETCD_INITIAL_CLUSTER="etcd0=https://192.168.141.135:2380,etcd1=https://192.168.141.136:2380,etcd2=https://192.168.141.137:2380"

ETCD_INITIAL_CLUSTER_STATE="new"

ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

ETCD_ADVERTISE_CLIENT_URLS="https://192.168.141.136:2379"

#ETCD_DISCOVERY=""

#ETCD_DISCOVERY_SRV=""

#ETCD_DISCOVERY_FALLBACK="proxy"

#ETCD_DISCOVERY_PROXY=""

#ETCD_STRICT_RECONFIG_CHECK="false"

#ETCD_AUTO_COMPACTION_RETENTION="0"

# [proxy]

#ETCD_PROXY="off"/

#ETCD_PROXY_FAILURE_WAIT="5000"

#ETCD_PROXY_REFRESH_INTERVAL="30000"

#ETCD_PROXY_DIAL_TIMEOUT="1000"

#ETCD_PROXY_WRITE_TIMEOUT="5000"

#ETCD_PROXY_READ_TIMEOUT="0"

# [security]

ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"

ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"

ETCD_CLIENT_CERT_AUTH="true"

ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"

ETCD_AUTO_TLS="true"

ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"

ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"

ETCD_PEER_CLIENT_CERT_AUTH="true"

ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"

ETCD_PEER_AUTO_TLS="true"

# [logging]

#ETCD_DEBUG="false"

# examples for -log-package-levels etcdserver=WARNING,security=DEBUG

#ETCD_LOG_PACKAGE_LEVELS=""  

记得修改不通的node上的配置文件,保证统一合理。

4.启动查看状态

[root@master01 ~]# etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379 endpoint status

https://192.168.141.135:2379, b306da3cfa564bfe, 3.3.11, 20 kB, false, 2, 8

https://192.168.141.136:2379, e43238dbe44b3543, 3.3.11, 20 kB, true, 2, 8

https://192.168.141.137:2379, 95d8aab064c5a521, 3.3.11, 20 kB, false, 2, 8

[root@master01 ~]# etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379 endpoint health

https://192.168.141.137:2379 is healthy: successfully committed proposal: took = 6.097643ms

https://192.168.141.136:2379 is healthy: successfully committed proposal: took = 6.426622ms

https://192.168.141.135:2379 is healthy: successfully committed proposal: took = 2.639766ms

  

2.etcd集群的安装(cfssl版)的更多相关文章

  1. etcd集群证书安装过程一

    为确保安全,kubernetes 系统各组件需要使用 x509 证书对通信进行加密和认证. CA (Certificate Authority) 是自签名的根证书,用来签名后续创建的其它证书. 本文档 ...

  2. Kubernetes-3.3:ETCD集群搭建及使用(https认证+数据备份恢复)

    etcd集群搭建 环境介绍 基于CentOS Linux release 7.9.2009 (Core) ip hostname role 172.17.0.4 cd782d0a790b etcd1 ...

  3. 彻底搞懂 etcd 系列文章(三):etcd 集群运维部署

    0 专辑概述 etcd 是云原生架构中重要的基础组件,由 CNCF 孵化托管.etcd 在微服务和 Kubernates 集群中不仅可以作为服务注册与发现,还可以作为 key-value 存储的中间件 ...

  4. kubernetes 集群安装etcd集群,带证书

    install etcd 准备证书 https://www.kubernetes.org.cn/3096.html 在master1需要安装CFSSL工具,这将会用来建立 TLS certificat ...

  5. etcd集群安装

    etcd 是一个分布式一致性k-v存储系统,可用于服务注册发现与共享配置,具有以下优点:1.简单:相比于晦涩难懂的paxos算法,etcd基于相对简单且易实现的raft算法实现一致性,并通过gRPC提 ...

  6. 2、二进制安装K8s 之 部署ETCD集群

    二进制安装K8s 之 部署ETCD集群 一.下载安装cfssl,用于k8s证书签名 二进制包地址:https://pkg.cfssl.org/ 所需软件包: cfssl 1.6.0 cfssljson ...

  7. centos下etcd集群安装

    先仔细了解学习etcd 官方: https://github.com/etcd-io/etcd https://www.cnblogs.com/softidea/p/6517959.html http ...

  8. ETCD集群安装实验

    目录 [1.下载二进制程序] [2.安装etcd集群] [3.查询集群状态] [4.存入读取数据] [5.注意事项] [6.参考链接] 简介:     Etcd的官网文档及其在GitHub上的文档,已 ...

  9. 使用k8s operator安装和维护etcd集群

    关于Kubernetes Operator这个新生事物,可以参考下文来了解这一技术的来龙去脉: https://yq.aliyun.com/articles/685522?utm_content=g_ ...

随机推荐

  1. .NET Reactor使用教程(加密源代码示例)

    更多:https://www.cnblogs.com/PiaoMiaoGongZi/category/1120300.html 1.打开 Eziriz .NET Reactor,主界面如图1所示: 图 ...

  2. QTextStream写文件中文乱码解决办法

    1.首先把Qt Creator的编辑器设置为使用 UTF-8:   工具-->选项-->文本编辑器-->行为,在右侧选项界面找到文件编码选项,设置为 UTF-8.2.使用 QText ...

  3. Java 静态方法、私有方法、常量的使用

    1.静态方法 2.私有方法 3.常量 4.接口小结

  4. Kconfig的简单例子

    https://cloud.tencent.com/developer/article/1431908 使用Kconfig时,需要注意的地方 1.在Kconfig中定义的配置宏,前缀都没有" ...

  5. Conda 中安装 Keras

    conda create -n keras python=3.5 ipykernel activate keras python -m ipykernel install --user --name ...

  6. [CH5E02] A Little Shop of Flowers

    问题描述 You want to arrange the window of your flower shop in a most pleasant way. You have F bunches o ...

  7. 【leetcode】394. Decode String

    题目如下: 解题思路:这种题目和四则运算,去括号的题目很类似.解法也差不多. 代码如下: class Solution(object): def decodeString(self, s): &quo ...

  8. @ControllerAdvice全局数据绑定

        @ModelAttribute 注解标记该方法的返回数据是一个全局数据,默认情况下,这个全局数据的 key 就是返回的变量名,value 就是方法返回值,当然开发者可以通过 @ModelAtt ...

  9. spring boot构建

    1.新建Maven工程 1.File-->new-->project-->maven project 2.webapp 3.工程名称 k3 2.Maven 三个常用命令 选 项目右击 ...

  10. postgresql主从同步配置

    前言 不久前,公司的一台物理机器硬件坏了,导致运行在其上的虚拟机都挂了.很不凑巧的是,我负责的那台虚拟机的系统盘坏了(ps:感觉老天在玩我),导致里面的数据永远的离我而去(ps:当时我的内心是崩溃的) ...