## Step 1: Download the binaries and do some initial setup

```bash
# etcd binary release: https://github.com/etcd-io/etcd/releases/tag/v3.5.2
$ wget https://github.com/etcd-io/etcd/releases/download/v3.5.2/etcd-v3.5.2-linux-amd64.tar.gz
$ tar zxvf etcd-v3.5.2-linux-amd64.tar.gz -C /usr/local/
$ ln -sv /usr/local/etcd-v3.5.2-linux-amd64 /usr/local/etcd
$ ln -sv /usr/local/etcd/etcd /usr/local/bin/etcd
$ ln -sv /usr/local/etcd/etcdctl /usr/local/bin/etcdctl
$ ln -sv /usr/local/etcd/etcdutl /usr/local/bin/etcdutl

# cfssl tool set: https://github.com/cloudflare/cfssl/releases
# Used to generate the TLS/SSL certificates
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
$ install cfssl_1.6.1_linux_amd64 /usr/local/bin/cfssl
$ install cfssl-certinfo_1.6.1_linux_amd64 /usr/local/bin/cfssl-certinfo
$ install cfssljson_1.6.1_linux_amd64 /usr/local/bin/cfssljson

# Create the etcd system user
$ useradd -r etcd
```

## Step 2: Create a private CA and the etcd certificate

```bash
$ mkdir -pv /etc/etcd/ssl
$ cd /etc/etcd/ssl

# Generate the CA CSR config, used to create ca.csr / ca.pem / ca-key.pem (CA CSR, CA certificate, CA key)
$ cat > ca-csr.json << EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "beijixs"
    }
  ]
}
EOF

# Create the self-signed CA certificate
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# This produces: ca.csr ca.pem ca-key.pem

# Create the CA signing config
$ cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# Create the etcd certificate signing request config
$ cat > etcd-csr.json << EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "master",
    "node-1",
    "node-2",
    "192.168.234.130",
    "192.168.234.131",
    "192.168.234.132"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "beijixs"
    }
  ]
}
EOF

# Issue the etcd certificate
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
# This produces: etcd.csr etcd.pem etcd-key.pem

# Contents of the current directory (/etc/etcd/ssl):
$ tree
.
├── ca-config.json
├── ca.csr
├── ca-csr.json
├── ca-key.pem
├── ca.pem
├── etcd.csr
├── etcd-csr.json
├── etcd-key.pem
└── etcd.pem

0 directories, 9 files
```

<div class="tip inlineBlock info">
The `hosts` list in `etcd-csr.json` must contain the IP addresses or domain names of the cluster members.
</div>

## Step 3: Write the config file and add the systemd unit

```bash
# This configures the first node
$ cat > /etc/etcd/etcd.conf << EOF
# Member config
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.234.130:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.234.130:2379,http://127.0.0.1:2379"

# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.234.130:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.234.130:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.234.130:2380,etcd02=https://192.168.234.131:2380,etcd03=https://192.168.234.132:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# On first installation (that is, when the cluster does not exist yet) this is "new";
# when the cluster already exists, set it to "existing"
ETCD_INITIAL_CLUSTER_STATE="new"

# Security config
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF

$ cat > /etc/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=etcd
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

$ systemctl daemon-reload

# Finally, do not forget to create the data directory and fix the ownership of the config files
$ chown -R etcd:etcd /etc/etcd
$ mkdir -p /var/lib/etcd && chown -R etcd:etcd /var/lib/etcd

# The first etcd member is now deployed
$ systemctl start etcd.service
# The unit file also needs to be copied to the other hosts
```

<div class="tip inlineBlock success">
In newer etcd versions, if the configuration is supplied through environment variables, it does not need to be repeated on the command line, e.g. `ETCD_NAME="etcd01"` is equivalent to `--name=etcd01`.
</div>

## Step 4: Deploy the other nodes

```bash
# This configures the second node
$ cat > /etc/etcd/etcd.conf << EOF
# Member config
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.234.131:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.234.131:2379,http://127.0.0.1:2379"

# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.234.131:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.234.131:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.234.130:2380,etcd02=https://192.168.234.131:2380,etcd03=https://192.168.234.132:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# On first installation (that is, when the cluster does not exist yet) this is "new";
# when the cluster already exists, set it to "existing"
ETCD_INITIAL_CLUSTER_STATE="new"

# Security config
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF

# This configures the third node
$ cat > /etc/etcd/etcd.conf << EOF
# Member config
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.234.132:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.234.132:2379,http://127.0.0.1:2379"

# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.234.132:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.234.132:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.234.130:2380,etcd02=https://192.168.234.131:2380,etcd03=https://192.168.234.132:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# On first installation (that is, when the cluster does not exist yet) this is "new";
# when the cluster already exists, set it to "existing"
ETCD_INITIAL_CLUSTER_STATE="new"

# Security config
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF
```

Once the steps above are done, just start the service:

```bash
$ systemctl daemon-reload
$ systemctl start etcd
```

<div class="tip inlineBlock warning">
When the cluster is installed for the first time, set `ETCD_INITIAL_CLUSTER_STATE="new"`, otherwise cluster initialization may fail.
</div>

Last modified: 2022-03-19
© Reproduction permitted with proper attribution
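The three member configs above differ only in the member name and IP, and hand-copying them is where the typical mistakes come from: a wrong `ETCD_NAME` on a node, a mistyped certificate path, or a stale `ETCD_INITIAL_CLUSTER_STATE`. The POSIX shell script below is an added example, not part of the original post: `gen_etcd_conf` renders one member's `etcd.conf` from a single member list, and `check_conf` validates a config before `systemctl start` by confirming every `*_FILE` path exists, that `ETCD_NAME` with its advertised peer URL appears in `ETCD_INITIAL_CLUSTER`, and that the cluster state is `new` or `existing`. It also warns about the plaintext `http://127.0.0.1:2379` client listener from the post, because that listener serves any local process without a client certificate, so `ETCD_CLIENT_CERT_AUTH` does not apply to it (to close that, switch it to `https://` and add `127.0.0.1` to `hosts` in `etcd-csr.json`). The member names and IPs are the post's; the function names, the `name=ip` member-list format and the `make_fixture` scratch directory with empty placeholder files in place of real certificates are my own constructions so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Renders and validates an
# etcd.conf for one cluster member. Member list format "name=ip" and the
# function names are assumptions of this example.

MEMBERS="etcd01=192.168.234.130 etcd02=192.168.234.131 etcd03=192.168.234.132"
SSL_DIR="/etc/etcd/ssl"

# Build the ETCD_INITIAL_CLUSTER value from MEMBERS: name=https://ip:2380,...
initial_cluster() {
    out=""
    for m in $MEMBERS; do
        out="${out}${out:+,}${m%%=*}=https://${m#*=}:2380"
    done
    printf '%s' "$out"
}

# Emit etcd.conf for member $1; $2 = cluster state (new|existing), $3 = ssl dir.
gen_etcd_conf() {
    name=$1; state=${2:-new}; ssl=${3:-$SSL_DIR}; ip=""
    for m in $MEMBERS; do
        if [ "${m%%=*}" = "$name" ]; then ip=${m#*=}; fi
    done
    if [ -z "$ip" ]; then echo "unknown member: $name" >&2; return 1; fi
    cat << EOF
# Member config
ETCD_NAME="$name"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="https://$ip:2379,http://127.0.0.1:2379"
# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$(initial_cluster)"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="$state"
# Security config
ETCD_CERT_FILE="$ssl/etcd.pem"
ETCD_KEY_FILE="$ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="$ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="$ssl/etcd.pem"
ETCD_PEER_KEY_FILE="$ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="$ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF
}

# Validate an etcd.conf ($1). Prints findings and "N error(s)"; returns 0 only
# when N is 0. Missing cert files, a member name/peer URL that is not in the
# cluster list and a bad cluster state are errors; a plaintext client
# listener is reported as a warning.
check_conf() {
    conf=$1; errors=0
    . "$conf"   # KEY="value" lines, the same format systemd's EnvironmentFile reads
    for f in "$ETCD_CERT_FILE" "$ETCD_KEY_FILE" "$ETCD_TRUSTED_CA_FILE" \
             "$ETCD_PEER_CERT_FILE" "$ETCD_PEER_KEY_FILE" "$ETCD_PEER_TRUSTED_CA_FILE"; do
        if [ ! -f "$f" ]; then echo "ERROR: missing file $f"; errors=$((errors + 1)); fi
    done
    case ",$ETCD_INITIAL_CLUSTER," in
        *",$ETCD_NAME=$ETCD_INITIAL_ADVERTISE_PEER_URLS,"*) ;;
        *) echo "ERROR: $ETCD_NAME=$ETCD_INITIAL_ADVERTISE_PEER_URLS is not in ETCD_INITIAL_CLUSTER"
           errors=$((errors + 1)) ;;
    esac
    case "$ETCD_INITIAL_CLUSTER_STATE" in
        new|existing) ;;
        *) echo "ERROR: ETCD_INITIAL_CLUSTER_STATE must be new or existing"; errors=$((errors + 1)) ;;
    esac
    case "$ETCD_LISTEN_CLIENT_URLS" in
        *http://*) echo "WARN: plaintext client listener; local clients are not subject to certificate auth" ;;
    esac
    echo "$errors error(s)"
    [ "$errors" -eq 0 ]
}

# Constructed fixture: scratch dir with empty placeholder files standing in
# for ca.pem / etcd.pem / etcd-key.pem so the checker can run offline.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/ca.pem"; : > "$d/etcd.pem"; : > "$d/etcd-key.pem"
    printf '%s' "$d"
}

# Demo: render the third member's config and check it, then reproduce two
# copy-paste mistakes (wrong member name, mistyped cert path) and check again.
FIX=$(make_fixture)
gen_etcd_conf etcd03 new "$FIX" > "$FIX/etcd.conf"
if check_conf "$FIX/etcd.conf"; then echo "etcd.conf OK"; fi
sed -e 's/^ETCD_NAME="etcd03"/ETCD_NAME="etcd02"/' \
    -e 's#/etcd.pem"#etcd.pem"#' "$FIX/etcd.conf" > "$FIX/bad.conf"
if ! check_conf "$FIX/bad.conf"; then echo "bad.conf rejected"; fi
```

Run it on each host before `systemctl start etcd`, pointing `check_conf` at `/etc/etcd/etcd.conf`; the same check is useful after later edits, when `ETCD_INITIAL_CLUSTER_STATE` is switched to `existing` for a member that rejoins a running cluster.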
2 comments

I think your article is really well written https://www.237fa.com/

Nice, nice, I enjoy reading it