etcd的安装注意两点 1.systemd的配置文件   2. 证书

1. 解决 systemd 的问题：想安装指定版本的 etcd 时，可以先通过 yum 方式安装 etcd，以获得 systemd unit 文件和 etcd.conf 的模板。

[root@master01 etcd-v3.3.13-linux-amd64]# rpm -ql etcd
/etc/etcd
/etc/etcd/etcd.conf
/usr/bin/etcd
/usr/bin/etcdctl
/usr/lib/systemd/system/etcd.service
/usr/share/doc/etcd-3.3.11
/usr/share/doc/etcd-3.3.11/CHANGELOG.md
........
.......
.....
/usr/share/man/man1/etcdctl3.1.gz
/var/lib/etcd
------------------------------------------------------------------------------------
[root@master01 etcd-v3.3.13-linux-amd64]# !cat
cat /usr/lib/systemd/system/etcd.service
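[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
# Leading "-": systemd tolerates a missing file. If /etc/etcd/etcd.conf is
# absent or unreadable the ETCD_* variables are simply empty, so etcd would be
# started with only the flags on the ExecStart line and none of the TLS settings
# — check the unit's environment if etcd comes up in an unexpected state.
EnvironmentFile=-/etc/etcd/etcd.conf
# Runs unprivileged: the data dir and the cert/key files referenced from
# etcd.conf (/etc/etcd/ssl/*) must be readable by this account, and the
# private key should be readable by it only.
User=etcd
# set GOMAXPROCS to number of processors
# Only name, data-dir and listen-client-urls are passed as flags; the remaining
# ETCD_* entries from the env file are picked up by etcd from the environment.
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target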
[root@master01 etcd-v3.3.13-linux-amd64]# cat /etc/etcd/etcd.conf
# Default template shipped by the etcd RPM (listed by `rpm -ql etcd` above).
# As shipped it describes a single plaintext node: the client URL is
# http://localhost:2379 and every key in the [Security] section is commented
# out, so there is no TLS and no client certificate authentication.
# Fill in [Security] before binding to any non-loopback address.
#[Member]
#ETCD_CORS=""
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_WAL_DIR=""
#ETCD_LISTEN_PEER_URLS="http://localhost:2380"
ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
ETCD_NAME="default"
#ETCD_SNAPSHOT_COUNT="100000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
#ETCD_QUOTA_BACKEND_BYTES="0"
#ETCD_MAX_REQUEST_BYTES="1572864"
#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"
#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"
#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
#
#[Clustering]
#ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_DISCOVERY_SRV=""
#ETCD_INITIAL_CLUSTER="default=http://localhost:2380"
#ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="new"
#ETCD_STRICT_RECONFIG_CHECK="true"
#ETCD_ENABLE_V2="true"
#
#[Proxy]
#ETCD_PROXY="off"
#ETCD_PROXY_FAILURE_WAIT="5000"
#ETCD_PROXY_REFRESH_INTERVAL="30000"
#ETCD_PROXY_DIAL_TIMEOUT="1000"
#ETCD_PROXY_WRITE_TIMEOUT="5000"
#ETCD_PROXY_READ_TIMEOUT="0"
#
#[Security]
# Server cert/key for the client port, CA used to verify client certs, and the
# peer-side equivalents. A filled-in example for a 3-node cluster is shown in
# section 3 of this page.
#ETCD_CERT_FILE=""
#ETCD_KEY_FILE=""
#ETCD_CLIENT_CERT_AUTH="false"
#ETCD_TRUSTED_CA_FILE=""
#ETCD_AUTO_TLS="false"
#ETCD_PEER_CERT_FILE=""
#ETCD_PEER_KEY_FILE=""
#ETCD_PEER_CLIENT_CERT_AUTH="false"
#ETCD_PEER_TRUSTED_CA_FILE=""
#ETCD_PEER_AUTO_TLS="false"
#
#[Logging]
#ETCD_DEBUG="false"
#ETCD_LOG_PACKAGE_LEVELS=""
#ETCD_LOG_OUTPUT="default"
#
#[Unsafe]
#ETCD_FORCE_NEW_CLUSTER="false"
#
#[Version]
#ETCD_VERSION="false"
#ETCD_AUTO_COMPACTION_RETENTION="0"
#
#[Profiling]
#ETCD_ENABLE_PPROF="false"
#ETCD_METRICS="basic"
#
#[Auth]
#ETCD_AUTH_TOKEN="simple"

2. 解决证书问题

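# Fetch the cfssl / cfssljson R1.2 binaries and put them on PATH.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# "binary"; -L follows redirects; -sS stays quiet but still reports failures.
# Before installing, compare each download against a checksum obtained out of
# band (release page or a trusted mirror) — a plain HTTPS fetch only
# authenticates the transport, not the artifact.
curl -fsSL https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o cfssl_linux-amd64
curl -fsSL https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o cfssljson_linux-amd64
# The downloaded names use a hyphen (cfssl_linux-amd64), so the original
# `mv cfssl_linux_amd64 ...` referenced a file that does not exist.
# install(1) also sets the executable bit that a bare mv would leave missing,
# and keeps the local copy that the `./cfssl_linux-amd64 gencert ...` commands
# below rely on.
install -m 0755 cfssl_linux-amd64 /bin/cfssl
install -m 0755 cfssljson_linux-amd64 /bin/cfssljson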
-------------------------------------------------------------------------
生成根证书文件
[root@master01 ~]# cat ca-config.json ca-csr.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"kubernetes": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"etcd": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
{
"key": {
"algo": "rsa",
"size":
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "cnpc",
"OU": "RF"
}
]
}
-----------------------------------------------------------------------
[root@master01 ~]# ./cfssl_linux-amd64 gencert --initca ca-csr.json | cfssljson --bare ca
// :: [INFO] generating a new CA key and certificate from CSR
// :: [INFO] generate received request
// :: [INFO] received CSR
// :: [INFO] generating key: rsa-
// :: [INFO] encoded CSR
// :: [INFO] signed certificate with serial number
[root@master01 ~]# ls ca* -l
-rw-r--r-- root root May : ca-config.json
-rw-r--r-- root root May : ca.csr
-rw-r--r-- root root May : ca-csr.json
-rw------- root root May : ca-key.pem
-rw-r--r-- root root May : ca.pem
------------------------------------------------------------------------
生成集群验证证书
[root@master01 ~]# cat etcd-csr.json
{
"CN": "etcd-server",
"hosts": [
"localhost",
"0.0.0.0",
"127.0.0.1",
"192.168.141.135",
"192.168.141.136",
"192.168.141.137"
],
"key": {
"algo": "rsa",
"size":
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "cnpc",
"OU": "RF"}
]
}
[root@master01 ~]# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
// :: [INFO] generate received request
// :: [INFO] received CSR
// :: [INFO] generating key: rsa-
// :: [INFO] encoded CSR
// :: [INFO] signed certificate with serial number
// :: [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1., from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2. ("Information Requirements").
-------------------------------------------------------------------------
etcd 客户端访问证书（可用可不用：ca-config.json 中的 etcd profile 同时包含 server auth 与 client auth，因此后文的 etcdctl 直接复用 etcd.pem 即可）。
[root@master01 ~]# cat etcd-client-csr.json
{
"CN": "etcd-client",
"hosts": [
""
],
"key": {
"algo": "rsa",
"size":
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "cnpc",
"OU": "RF"}
]
}
[root@master01 ~]# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-client-csr.json | cfssljson -bare etcd-client
// :: [INFO] generate received request
// :: [INFO] received CSR
// :: [INFO] generating key: rsa-
// :: [INFO] encoded CSR
// :: [INFO] signed certificate with serial number
// :: [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1., from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2. ("Information Requirements").
[root@master01 ~]# ls etcd-client* -l
-rw-r--r-- root root May : etcd-client.csr
-rw-r--r-- root root May : etcd-client-csr.json
-rw------- root root May : etcd-client-key.pem
-rw-r--r-- root root May : etcd-client.pem
------------------------------------

3.修改配置文件进行etcd启动

 

[root@master01 ~]# cat /etc/etcd/etcd.conf
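# [member]
# Per-node values: ETCD_NAME must match this node's entry in
# ETCD_INITIAL_CLUSTER, and the listen/advertise addresses are this node's own
# IP (192.168.141.136 here); the other two nodes need their own copies.
ETCD_NAME=etcd1
ETCD_DATA_DIR="/var/lib/etcd/etcd1.etcd"
ETCD_WAL_DIR="/var/lib/etcd/wal"
ETCD_SNAPSHOT_COUNT="100"
ETCD_HEARTBEAT_INTERVAL="100"
ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://192.168.141.136:2380"
# The second, plaintext listener on 127.0.0.1 is not covered by
# ETCD_CLIENT_CERT_AUTH: any local process can reach etcd through it without a
# certificate. Keep it only if unauthenticated local access is intended.
ETCD_LISTEN_CLIENT_URLS="https://192.168.141.136:2379,http://127.0.0.1:2379"
ETCD_MAX_SNAPSHOTS="5"
ETCD_MAX_WALS="5"
#ETCD_CORS=""
# [cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.141.136:2380"
# if you use different ETCD_NAME (e.g. test), set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
ETCD_INITIAL_CLUSTER="etcd0=https://192.168.141.135:2380,etcd1=https://192.168.141.136:2380,etcd2=https://192.168.141.137:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.141.136:2379"
# One entry per line: this file is read by systemd's EnvironmentFile, not by a
# shell, so a commented-out key must not share a line with an assignment
# (the original had #ETCD_DISCOVERY="" appended to the line above).
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_SRV=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_STRICT_RECONFIG_CHECK="false"
#ETCD_AUTO_COMPACTION_RETENTION="0"
# [proxy]
#ETCD_PROXY="off"
#ETCD_PROXY_FAILURE_WAIT="5000"
#ETCD_PROXY_REFRESH_INTERVAL="30000"
#ETCD_PROXY_DIAL_TIMEOUT="1000"
#ETCD_PROXY_WRITE_TIMEOUT="5000"
#ETCD_PROXY_READ_TIMEOUT="0"
# [security]
# etcd.pem / etcd-key.pem is the server cert signed by ca.pem. Because the same
# pair is reused for the peer side below, its SANs must cover this node's IP
# (etcd-csr.json lists all three cluster IPs, so one cert serves every node).
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
# Every client on the TLS port must present a cert chaining to ca.pem. The
# "etcd" profile in ca-config.json carries both server auth and client auth,
# which is why the etcdctl calls in section 4 can reuse etcd.pem instead of
# the separate etcd-client.pem.
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
# Auto TLS only generates self-signed certs when no cert files are given; with
# ETCD_CERT_FILE set, etcd is expected to log that auto TLS is ignored — confirm
# in the startup log, and consider "false" here to make the intent explicit.
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
# Peers must also authenticate with a cert signed by ca.pem, so an unknown host
# cannot join the cluster just by knowing the initial-cluster token.
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
# Same remark as ETCD_AUTO_TLS: explicit peer certs are given above.
ETCD_PEER_AUTO_TLS="true"
# [logging]
#ETCD_DEBUG="false"
# examples for -log-package-levels etcdserver=WARNING,security=DEBUG
#ETCD_LOG_PACKAGE_LEVELS=""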

记得修改不同 node 上的配置文件，保证各节点配置统一合理。

4.启动查看状态

[root@master01 ~]# etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379 endpoint status
https://192.168.141.135:2379, b306da3cfa564bfe, 3.3.11, 20 kB, false, 2, 8
https://192.168.141.136:2379, e43238dbe44b3543, 3.3.11, 20 kB, true, 2, 8
https://192.168.141.137:2379, 95d8aab064c5a521, 3.3.11, 20 kB, false, 2, 8
[root@master01 ~]# etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379 endpoint health
https://192.168.141.137:2379 is healthy: successfully committed proposal: took = 6.097643ms
https://192.168.141.136:2379 is healthy: successfully committed proposal: took = 6.426622ms
https://192.168.141.135:2379 is healthy: successfully committed proposal: took = 2.639766ms

  
