Step1: 相关二进制包下载和一些初始化操作
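# Step1: 下载并安装 etcd / cfssl 二进制, 创建 etcd 运行用户
# etcd 二进制包 https://github.com/etcd-io/etcd/releases/tag/v3.5.2
$ wget https://github.com/etcd-io/etcd/releases/download/v3.5.2/etcd-v3.5.2-linux-amd64.tar.gz
# 校验下载的压缩包: 发布页同时提供 SHA256SUMS, 与本地文件比对后再解压, 避免安装被篡改/下载不完整的二进制
$ wget https://github.com/etcd-io/etcd/releases/download/v3.5.2/SHA256SUMS
$ sha256sum -c --ignore-missing SHA256SUMS
$ tar zxvf etcd-v3.5.2-linux-amd64.tar.gz -C /usr/local/
# 使用绝对路径建立 /usr/local/etcd 链接; 相对路径会把链接建在当前目录, 之后的三条 ln 会找不到 /usr/local/etcd
$ ln -sv /usr/local/etcd-v3.5.2-linux-amd64 /usr/local/etcd
$ ln -sv /usr/local/etcd/etcd /usr/local/bin/etcd
$ ln -sv /usr/local/etcd/etcdctl /usr/local/bin/etcdctl
$ ln -sv /usr/local/etcd/etcdutl /usr/local/bin/etcdutl
# cfssl 系列工具 https://github.com/cloudflare/cfssl/releases
# 用于生成TLS/SSL证书; 同样建议按发布页公布的校验值核对后再安装
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
# install 默认权限即 0755, 这里显式写出, 避免依赖 umask
$ install -m 0755 cfssl_1.6.1_linux_amd64 /usr/local/bin/cfssl
$ install -m 0755 cfssl-certinfo_1.6.1_linux_amd64 /usr/local/bin/cfssl-certinfo
$ install -m 0755 cfssljson_1.6.1_linux_amd64 /usr/local/bin/cfssljson
# 创建ETCD用户: 系统账号(-r), 不允许交互登录(-s /sbin/nologin), 服务以该用户运行
$ useradd -r -s /sbin/nologin etcd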
Step2: 建立私有CA和ETCD证书
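# Step2: 建立私有 CA, 并为 etcd 签发同时用于 server / peer / client 认证的证书
$ mkdir -pv /etc/etcd/ssl
$ cd /etc/etcd/ssl
# 生成CA配置文件, 用于创建ca.csr/ca.pem/ca-key.pem(CA CSR, CA证书, CA Key)
$ cat > ca-csr.json << EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "beijixs"
    }
  ]
}
EOF
# 创建自签证书
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# 将会生成: ca.csr ca.pem ca-key.pem
# ca-key.pem 能签发任何被集群信任的证书, 只在签发时需要: 不要复制到其他节点, 签发完成后妥善离线保存
# 创建ca配置文件
# expiry 87600h 即 10 年: 证书到期后集群节点之间无法通信, 按实际需要缩短并记录轮换时间
$ cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
# 创建ETCD证书申请配置
# hosts 必须列出所有 member 的主机名和 IP: peer 与客户端连接时按证书 SAN 校验, 漏掉的地址会握手失败
$ cat > etcd-csr.json << EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "master",
    "node-1",
    "node-2",
    "192.168.234.130",
    "192.168.234.131",
    "192.168.234.132"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "beijixs"
    }
  ]
}
EOF
# 为etcd颁发证书
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
# 将会生成: etcd.csr etcd.pem etcd-key.pem
# 私钥仅属主可读写(后面会 chown 给 etcd 用户)
$ chmod 0600 ca-key.pem etcd-key.pem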
# 当前文件夹(/etc/etcd/ssl)内容:
$ tree
.
├── ca-config.json
├── ca.csr
├── ca-csr.json
├── ca-key.pem
├── ca.pem
├── etcd.csr
├── etcd-csr.json
├── etcd-key.pem
└── etcd.pem
0 directories, 9 files
注意: etcd-csr.json 中的 hosts 一定要是集群 member 的 IP 或域名
Step3: 修改配置文件/添加systemd unit
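# Step3: 写入第一个节点的 etcd 配置和 systemd unit
# 当前配置的是第一个的节点
# 配置文件放在 /etc/etcd/etcd.conf, 与下面 unit 的 EnvironmentFile 保持一致(路径不一致时 unit 会因找不到文件而启动失败)
$ cat > /etc/etcd/etcd.conf << EOF
# Member config
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.234.130:2380"
# 注意: http://127.0.0.1:2379 是明文监听, 不做客户端证书校验, 本机任何用户都能读写数据;
# 仅为本地 etcdctl 方便而保留, 不需要时请删除该地址
ETCD_LISTEN_CLIENT_URLS="https://192.168.234.130:2379,http://127.0.0.1:2379"
# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.234.130:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.234.130:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.234.130:2380,etcd02=https://192.168.234.131:2380,etcd03=https://192.168.234.132:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# 第一次安装的时候(也就是集群不存在的时候)这个选项为new
# 当集群已经存在了, 设置为: existing
ETCD_INITIAL_CLUSTER_STATE="new"
# Security config
# 证书路径为 /etc/etcd/ssl/etcd.pem(注意 ssl 后面的斜杠)
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF
$ cat > /etc/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=etcd
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd
Restart=on-failure
LimitNOFILE=65536
[Install]
# 目标名必须是 multi-user.target, 否则 systemctl enable 不会让服务开机启动
WantedBy=multi-user.target
EOF
$ systemctl daemon-reload
# 最后别忘了添加数据目录和修改相关配置文件的权限: 证书目录和数据目录只允许 etcd 用户访问
$ chown -R etcd:etcd /etc/etcd
$ mkdir -p /var/lib/etcd && chown -R etcd:etcd /var/lib/etcd && chmod 0700 /var/lib/etcd
# 第一个ETCD就部署好了; 集群状态为 new 时, 它会等待其他 member 加入后才完成初始化
$ systemctl start etcd.service
# 需要复制service文件到其他主机, 同时复制 /etc/etcd/ssl 下的 ca.pem / etcd.pem / etcd-key.pem(不要复制 ca-key.pem)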
在新版本的 ETCD 中, 如果环境变量中已经包含了配置信息, 就不需要在命令行再次指定. 例如:
ETCD_NAME="etcd01" 等价于 --name=etcd01
Step4: 部署其他节点
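# Step4: 其他节点的配置. 每个节点都要先完成 Step1 的安装和 useradd,
# 把 ca.pem / etcd.pem / etcd-key.pem 放到 /etc/etcd/ssl, 并和第一个节点一样写入 unit 文件、创建目录并修改权限
# 当前配置的是第二个的节点
$ cat > /etc/etcd/etcd.conf << EOF
# Member config
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.234.131:2380"
# http://127.0.0.1:2379 为明文、无客户端证书校验的本地端口, 仅供本机 etcdctl 使用, 不需要时请删除
ETCD_LISTEN_CLIENT_URLS="https://192.168.234.131:2379,http://127.0.0.1:2379"
# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.234.131:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.234.131:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.234.130:2380,etcd02=https://192.168.234.131:2380,etcd03=https://192.168.234.132:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# 第一次安装的时候(也就是集群不存在的时候)这个选项为new
# 当集群已经存在了, 设置为: existing
ETCD_INITIAL_CLUSTER_STATE="new"
# Security config
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF
# 当前配置的是第三个的节点
$ cat > /etc/etcd/etcd.conf << EOF
# Member config
# ETCD_NAME 必须与 ETCD_INITIAL_CLUSTER 中该节点的名字一致, 第三个节点是 etcd03
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.234.132:2380"
# http://127.0.0.1:2379 为明文、无客户端证书校验的本地端口, 仅供本机 etcdctl 使用, 不需要时请删除
ETCD_LISTEN_CLIENT_URLS="https://192.168.234.132:2379,http://127.0.0.1:2379"
# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.234.132:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.234.132:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.234.130:2380,etcd02=https://192.168.234.131:2380,etcd03=https://192.168.234.132:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# 第一次安装的时候(也就是集群不存在的时候)这个选项为new
# 当集群已经存在了, 设置为: existing
ETCD_INITIAL_CLUSTER_STATE="new"
# Security config
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF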
完成上面的步骤后, 在每个节点上启动服务即可
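# 在每个节点上重新加载 unit 并启动服务
$ systemctl daemon-reload
$ systemctl start etcd
# 三个节点都启动后, 通过 TLS 客户端端口检查集群健康状态; 客户端证书由同一 CA 签发, 满足 ETCD_CLIENT_CERT_AUTH 的要求
$ etcdctl --endpoints=https://192.168.234.130:2379,https://192.168.234.131:2379,https://192.168.234.132:2379 --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem endpoint health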
集群在第一次安装的时候, 要将配置 ETCD_INITIAL_CLUSTER_STATE="new" 设为 new, 否则集群可能初始化失败