etcd的安装注意两点 1.systemd的配置文件   2. 证书

1. 解决 systemd的问题,想安装指定版本的etcd可以通过 yum方式安装 etcd 可以获得 systemc 和 etcd.conf 的模板。

[root@master01 etcd-v3.3.13-linux-amd64]# rpm -ql etcd

/etc/etcd

/etc/etcd/etcd.conf

/usr/bin/etcd

/usr/bin/etcdctl

/usr/lib/systemd/system/etcd.service

/usr/share/doc/etcd-3.3.11

/usr/share/doc/etcd-3.3.11/CHANGELOG.md

........

.......

.....

/usr/share/man/man1/etcdctl3.1.gz

/var/lib/etcd

------------------------------------------------------------------------------------

[root@master01 etcd-v3.3.13-linux-amd64]# !cat

cat /usr/lib/systemd/system/etcd.service

[Unit]

Description=Etcd Server

After=network.target

After=network-online.target

Wants=network-online.target

[Service]

Type=notify

WorkingDirectory=/var/lib/etcd/

EnvironmentFile=-/etc/etcd/etcd.conf

User=etcd

# set GOMAXPROCS to number of processors

ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\""

Restart=on-failure

LimitNOFILE=65536

[Install]

WantedBy=multi-user.target

[root@master01 etcd-v3.3.13-linux-amd64]# cat /etc/etcd/etcd.conf

#[Member]

#ETCD_CORS=""

ETCD_DATA_DIR="/var/lib/etcd/default.etcd"

#ETCD_WAL_DIR=""

#ETCD_LISTEN_PEER_URLS="http://localhost:2380"

ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"

#ETCD_MAX_SNAPSHOTS="5"

#ETCD_MAX_WALS="5"

ETCD_NAME="default"

#ETCD_SNAPSHOT_COUNT="100000"

#ETCD_HEARTBEAT_INTERVAL="100"

#ETCD_ELECTION_TIMEOUT="1000"

#ETCD_QUOTA_BACKEND_BYTES="0"

#ETCD_MAX_REQUEST_BYTES="1572864"

#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"

#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"

#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"

#

#[Clustering]

#ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"

ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"

#ETCD_DISCOVERY=""

#ETCD_DISCOVERY_FALLBACK="proxy"

#ETCD_DISCOVERY_PROXY=""

#ETCD_DISCOVERY_SRV=""

#ETCD_INITIAL_CLUSTER="default=http://localhost:2380"

#ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

#ETCD_INITIAL_CLUSTER_STATE="new"

#ETCD_STRICT_RECONFIG_CHECK="true"

#ETCD_ENABLE_V2="true"

#

#[Proxy]

#ETCD_PROXY="off"

#ETCD_PROXY_FAILURE_WAIT="5000"

#ETCD_PROXY_REFRESH_INTERVAL="30000"

#ETCD_PROXY_DIAL_TIMEOUT="1000"

#ETCD_PROXY_WRITE_TIMEOUT="5000"

#ETCD_PROXY_READ_TIMEOUT="0"

#

#[Security]

#ETCD_CERT_FILE=""

#ETCD_KEY_FILE=""

#ETCD_CLIENT_CERT_AUTH="false"

#ETCD_TRUSTED_CA_FILE=""

#ETCD_AUTO_TLS="false"

#ETCD_PEER_CERT_FILE=""

#ETCD_PEER_KEY_FILE=""

#ETCD_PEER_CLIENT_CERT_AUTH="false"

#ETCD_PEER_TRUSTED_CA_FILE=""

#ETCD_PEER_AUTO_TLS="false"

#

#[Logging]

#ETCD_DEBUG="false"

#ETCD_LOG_PACKAGE_LEVELS=""

#ETCD_LOG_OUTPUT="default"

#

#[Unsafe]

#ETCD_FORCE_NEW_CLUSTER="false"

#

#[Version]

#ETCD_VERSION="false"

#ETCD_AUTO_COMPACTION_RETENTION="0"

#

#[Profiling]

#ETCD_ENABLE_PPROF="false"

#ETCD_METRICS="basic"

#

#[Auth]

#ETCD_AUTH_TOKEN="simple"

2. 解决证书问题

curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64  -o cfssl_linux-amd64

curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64  -o cfssljson_linux-amd64

mv  cfssl_linux_amd64 /bin/cfssl

mv cfssljson_linux_amd64 /bin/cfssljson

-------------------------------------------------------------------------

生成根证书文件

[root@master01 ~]# cat ca-config.json ca-csr.json

{

    "signing": {

        "default": {

            "expiry": "175200h"

        },

        "profiles": {

            "kubernetes": {

                "expiry": "175200h",

                "usages": [

                    "signing",

                    "key encipherment",

                    "server auth",

            "client auth"

                ]

            },

            "etcd": {

                "expiry": "175200h",

                "usages": [

                    "signing",

                    "key encipherment",

                    "server auth",

                    "client auth"

                ]

            }

        }

    }

}

{

    "key": {

        "algo": "rsa",

        "size":

    },

    "names": [

        {

            "C": "CN",

            "L": "Beijing",

            "ST": "Beijing",

            "O": "cnpc",

            "OU": "RF"

        }

    ]

}

-----------------------------------------------------------------------

[root@master01 ~]# ./cfssl_linux-amd64 gencert --initca ca-csr.json | cfssljson --bare ca

// :: [INFO] generating a new CA key and certificate from CSR

// :: [INFO] generate received request

// :: [INFO] received CSR

// :: [INFO] generating key: rsa-

// :: [INFO] encoded CSR

// :: [INFO] signed certificate with serial number

[root@master01 ~]# ls ca* -l

-rw-r--r--  root root   May  : ca-config.json

-rw-r--r--  root root   May  : ca.csr

-rw-r--r--  root root   May  : ca-csr.json

-rw-------  root root  May  : ca-key.pem

-rw-r--r--  root root  May  : ca.pem

------------------------------------------------------------------------

生产集群验证证书

[root@master01 ~]# cat etcd-csr.json

{

  "CN": "etcd-server",

  "hosts": [

    "localhost",

    "0.0.0.0",

    "127.0.0.1",

    "192.168.141.135",

    "192.168.141.136",

    "192.168.141.137"

  ],

  "key": {

    "algo": "rsa",

    "size":

  },

  "names": [

    {

        "C": "CN",

        "L": "Beijing",

        "ST": "Beijing",

        "O": "cnpc",

        "OU": "RF"}

  ]

}

[root@master01 ~]# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd

// :: [INFO] generate received request

// :: [INFO] received CSR

// :: [INFO] generating key: rsa-

// :: [INFO] encoded CSR

// :: [INFO] signed certificate with serial number

// :: [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for

websites. For more information see the Baseline Requirements for the Issuance and Management

of Publicly-Trusted Certificates, v.1.1., from the CA/Browser Forum (https://cabforum.org);

specifically, section 10.2. ("Information Requirements").

-------------------------------------------------------------------------

etcd客户端访问证书 可有可不用。

[root@master01 ~]# cat etcd-client-csr.json

{

  "CN": "etcd-client",

  "hosts": [

    ""

  ],

  "key": {

    "algo": "rsa",

    "size":

  },

  "names": [

    {

        "C": "CN",

        "L": "Beijing",

        "ST": "Beijing",

        "O": "cnpc",

        "OU": "RF"}

  ]

}

[root@master01 ~]# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-client-csr.json | cfssljson -bare etcd-client

// :: [INFO] generate received request

// :: [INFO] received CSR

// :: [INFO] generating key: rsa-

// :: [INFO] encoded CSR

// :: [INFO] signed certificate with serial number

// :: [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for

websites. For more information see the Baseline Requirements for the Issuance and Management

of Publicly-Trusted Certificates, v.1.1., from the CA/Browser Forum (https://cabforum.org);

specifically, section 10.2. ("Information Requirements").

[root@master01 ~]# ls etcd-client* -l

-rw-r--r--  root root  May  : etcd-client.csr

-rw-r--r--  root root   May  : etcd-client-csr.json

-rw-------  root root  May  : etcd-client-key.pem

-rw-r--r--  root root  May  : etcd-client.pem

------------------------------------

3.修改配置文件进行etcd启动

 

[root@master01 ~]# cat /etc/etcd/etcd.conf

# [member]

ETCD_NAME=etcd1

ETCD_DATA_DIR="/var/lib/etcd/etcd1.etcd"

ETCD_WAL_DIR="/var/lib/etcd/wal"

ETCD_SNAPSHOT_COUNT="100"

ETCD_HEARTBEAT_INTERVAL="100"

ETCD_ELECTION_TIMEOUT="1000"

ETCD_LISTEN_PEER_URLS="https://192.168.141.136:2380"

ETCD_LISTEN_CLIENT_URLS="https://192.168.141.136:2379,http://127.0.0.1:2379"

ETCD_MAX_SNAPSHOTS="5"

ETCD_MAX_WALS="5"

#ETCD_CORS=""

# [cluster]

ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.141.136:2380"

# if you use different ETCD_NAME (e.g. test), set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."

ETCD_INITIAL_CLUSTER="etcd0=https://192.168.141.135:2380,etcd1=https://192.168.141.136:2380,etcd2=https://192.168.141.137:2380"

ETCD_INITIAL_CLUSTER_STATE="new"

ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

ETCD_ADVERTISE_CLIENT_URLS="https://192.168.141.136:2379"

#ETCD_DISCOVERY=""

#ETCD_DISCOVERY_SRV=""

#ETCD_DISCOVERY_FALLBACK="proxy"

#ETCD_DISCOVERY_PROXY=""

#ETCD_STRICT_RECONFIG_CHECK="false"

#ETCD_AUTO_COMPACTION_RETENTION="0"

# [proxy]

#ETCD_PROXY="off"/

#ETCD_PROXY_FAILURE_WAIT="5000"

#ETCD_PROXY_REFRESH_INTERVAL="30000"

#ETCD_PROXY_DIAL_TIMEOUT="1000"

#ETCD_PROXY_WRITE_TIMEOUT="5000"

#ETCD_PROXY_READ_TIMEOUT="0"

# [security]

ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"

ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"

ETCD_CLIENT_CERT_AUTH="true"

ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"

ETCD_AUTO_TLS="true"

ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"

ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"

ETCD_PEER_CLIENT_CERT_AUTH="true"

ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"

ETCD_PEER_AUTO_TLS="true"

# [logging]

#ETCD_DEBUG="false"

# examples for -log-package-levels etcdserver=WARNING,security=DEBUG

#ETCD_LOG_PACKAGE_LEVELS=""  

记得修改不通的node上的配置文件,保证统一合理。

4.启动查看状态

[root@master01 ~]# etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379 endpoint status

https://192.168.141.135:2379, b306da3cfa564bfe, 3.3.11, 20 kB, false, 2, 8

https://192.168.141.136:2379, e43238dbe44b3543, 3.3.11, 20 kB, true, 2, 8

https://192.168.141.137:2379, 95d8aab064c5a521, 3.3.11, 20 kB, false, 2, 8

[root@master01 ~]# etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379 endpoint health

https://192.168.141.137:2379 is healthy: successfully committed proposal: took = 6.097643ms

https://192.168.141.136:2379 is healthy: successfully committed proposal: took = 6.426622ms

https://192.168.141.135:2379 is healthy: successfully committed proposal: took = 2.639766ms

  

2.etcd集群的安装(cfssl版)的更多相关文章

  1. etcd集群证书安装过程一

    为确保安全,kubernetes 系统各组件需要使用 x509 证书对通信进行加密和认证. CA (Certificate Authority) 是自签名的根证书,用来签名后续创建的其它证书. 本文档 ...

  2. Kubernetes-3.3:ETCD集群搭建及使用(https认证+数据备份恢复)

    etcd集群搭建 环境介绍 基于CentOS Linux release 7.9.2009 (Core) ip hostname role 172.17.0.4 cd782d0a790b etcd1 ...

  3. 彻底搞懂 etcd 系列文章(三):etcd 集群运维部署

    0 专辑概述 etcd 是云原生架构中重要的基础组件,由 CNCF 孵化托管.etcd 在微服务和 Kubernates 集群中不仅可以作为服务注册与发现,还可以作为 key-value 存储的中间件 ...

  4. kubernetes 集群安装etcd集群,带证书

    install etcd 准备证书 https://www.kubernetes.org.cn/3096.html 在master1需要安装CFSSL工具,这将会用来建立 TLS certificat ...

  5. etcd集群安装

    etcd 是一个分布式一致性k-v存储系统,可用于服务注册发现与共享配置,具有以下优点:1.简单:相比于晦涩难懂的paxos算法,etcd基于相对简单且易实现的raft算法实现一致性,并通过gRPC提 ...

  6. 2、二进制安装K8s 之 部署ETCD集群

    二进制安装K8s 之 部署ETCD集群 一.下载安装cfssl,用于k8s证书签名 二进制包地址:https://pkg.cfssl.org/ 所需软件包: cfssl 1.6.0 cfssljson ...

  7. centos下etcd集群安装

    先仔细了解学习etcd 官方: https://github.com/etcd-io/etcd https://www.cnblogs.com/softidea/p/6517959.html http ...

  8. ETCD集群安装实验

    目录 [1.下载二进制程序] [2.安装etcd集群] [3.查询集群状态] [4.存入读取数据] [5.注意事项] [6.参考链接] 简介:     Etcd的官网文档及其在GitHub上的文档,已 ...

  9. 使用k8s operator安装和维护etcd集群

    关于Kubernetes Operator这个新生事物,可以参考下文来了解这一技术的来龙去脉: https://yq.aliyun.com/articles/685522?utm_content=g_ ...

随机推荐

  1. java.lang.NoClassDefFoundError: javax/transaction/Synchronization

    转自:https://blog.csdn.net/andsionok/article/details/68490848 今天在整合ssh框架中 程序报告Java.lang.NoClassDefFoun ...

  2. java 中的引用类型

    GC基本原理 GC (Garbage Collection)的基本原理:将内存中不再被使用的对象进行回收,GC中用于回收的方法称为收集器,由于GC需要消耗一些资源和时间,Java在对对象的生命周期特征 ...

  3. Java基础学习(4)

    Java基础学习(四) String类 特点:创建后不可再修改,看起来的修改只是创建了新的对象 常用方法 StringBuilder类 目的:解决String类频繁创建对象的问题 常用方法 特点:非线 ...

  4. bzoj2306 [Ctsc2011]幸福路径 倍增 Floyd

    题目传送门 https://lydsy.com/JudgeOnline/problem.php?id=2306 题解 倍增 Floyd. 令 \(f[i][j][k]\) 表示走了 \(2^i\) 步 ...

  5. CH5E26 扑克牌 (计数类DP)

    $ CH~5E26~\times ~ $ 扑克牌: (计数类DP) $ solution: $ 唉,计数类DP总是这么有套路,就是想不到. 这道题我们首先可以发现牌的花色没有价值,只需要知道每种牌有 ...

  6. java int整数相乘溢出

    int整数相乘溢出 我们计算一天中的微秒数: * * * * ;// 正确结果应为:86400000000 System.out.println(microsPerDay);// 实际上为:50065 ...

  7. man lsof

    LSOF(8)                                                                LSOF(8) NAME       lsof - lis ...

  8. 对eventloop的研究

    javasctipt是一门单线程的非阻塞的脚本语言,单线程意味着,JavaScript 单线程意味着,javascript代码在执行的任何时候,都只有一个主线程来处理所有的任务. JavaScript ...

  9. ClickOnce是什么?如何使用?

    ClickOnce是一种部署方式,主要解决C/S软件版本更新后,所有客户端都要重新安装的问题. 场景:假如,你的客户有1000个,你的服务端更新后,这1000个客户都要重新安装,难道要员工一个一个的电 ...

  10. BZOJ 2226: [Spoj 5971] LCMSum 莫比乌斯反演 + 严重卡常

    Code: #pragma GCC optimize(2) #include<bits/stdc++.h> #define setIO(s) freopen(s".in" ...