Step1: 相关二进制包下载和一些初始化操作

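# etcd binary release: https://github.com/etcd-io/etcd/releases/tag/v3.5.2
$ wget https://github.com/etcd-io/etcd/releases/download/v3.5.2/etcd-v3.5.2-linux-amd64.tar.gz
# Supply-chain check: verify the tarball against the SHA256SUMS file published
# with the release before unpacking anything from it.
$ wget https://github.com/etcd-io/etcd/releases/download/v3.5.2/SHA256SUMS
$ sha256sum --check --ignore-missing SHA256SUMS
$ tar zxvf etcd-v3.5.2-linux-amd64.tar.gz -C /usr/local/
# Use absolute paths here: a relative `ln -sv etcd-v3.5.2-linux-amd64 etcd` creates
# the link in the current directory, not in /usr/local, and the /usr/local/etcd/*
# links below would then dangle.
$ ln -sv /usr/local/etcd-v3.5.2-linux-amd64 /usr/local/etcd
$ ln -sv /usr/local/etcd/etcd /usr/local/bin/etcd
$ ln -sv /usr/local/etcd/etcdctl /usr/local/bin/etcdctl
$ ln -sv /usr/local/etcd/etcdutl /usr/local/bin/etcdutl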

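# cfssl toolchain https://github.com/cloudflare/cfssl/releases
# Used to generate the TLS certificates in the next step.
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
# Verify the three binaries against the checksum file published on the release
# page (file name as listed there) before putting them into PATH: these tools
# will produce the CA key that every etcd member trusts.
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_checksums.txt
$ sha256sum --check --ignore-missing cfssl_1.6.1_checksums.txt
$ install cfssl_1.6.1_linux_amd64 /usr/local/bin/cfssl
$ install cfssl-certinfo_1.6.1_linux_amd64 /usr/local/bin/cfssl-certinfo
$ install cfssljson_1.6.1_linux_amd64 /usr/local/bin/cfssljson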

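# Create the unprivileged service account etcd runs as: a system account with
# no login shell and no home directory (use /usr/sbin/nologin on Debian/Ubuntu).
$ useradd -r -M -s /sbin/nologin etcd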

Step2: 建立私有CA和ETCD证书

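$ mkdir -pv /etc/etcd/ssl
$ cd /etc/etcd/ssl
# CA CSR config, used to create ca.csr / ca.pem / ca-key.pem (CA CSR, CA cert, CA key).
# "ca.expiry" pins the CA certificate lifetime explicitly: the signing profile in
# ca-config.json issues 10-year (87600h) member certs, and cfssl's default CA
# lifetime is shorter than that, so without it the member certificates would
# outlive the CA that signed them.
$ cat > ca-csr.json << EOF
{
    "CN": "etcd",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "ca": {
        "expiry": "87600h"
    },
    "names": [
        {
            "C": "CN",
            "ST": "Shanghai",
            "L": "Shanghai",
            "O": "etcd",
            "OU": "beijixs"
        }
    ]
}
EOF
# Create the self-signed CA certificate
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# Generates: ca.csr ca.pem ca-key.pem
# ca-key.pem can mint certificates trusted by every member and client of this
# cluster: keep it readable by root only, and prefer to move it off the etcd
# nodes entirely once the member certificates have been issued.
$ chmod 0600 ca-key.pem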
# Create the CA signing config.
# NOTE(review): the single "etcd" profile carries both "server auth" and
# "client auth", and the same certificate is later used for the client listener,
# the peer listener and etcdctl. That works, but it means any holder of a
# member cert can also act as a client; separate server/peer/client profiles
# give least privilege if you need it.
$ cat > ca-config.json << EOF
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "etcd": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF
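# Create the etcd certificate request config.
# "hosts" become the certificate SANs: every IP/hostname that peers or clients
# use to reach a member must be listed, or TLS verification fails. 127.0.0.1 is
# included so local etcdctl can talk to the member over TLS instead of needing
# a plaintext loopback listener.
$ cat > etcd-csr.json << EOF
{
    "CN": "etcd",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [
        "master",
        "node-1",
        "node-2",
        "127.0.0.1",
        "192.168.234.130",
        "192.168.234.131",
        "192.168.234.132"
    ],
    "names": [
        {
            "C": "CN",
            "ST": "Shanghai",
            "L": "Shanghai",
            "O": "etcd",
            "OU": "beijixs"
        }
    ]
}
EOF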

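# Issue the etcd member certificate from the private CA
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
# Generates: etcd.csr etcd.pem etcd-key.pem
# etcd-key.pem is what authenticates this member to peers and clients; make sure
# no other local user can read it.
$ chmod 0600 etcd-key.pem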
# 当前文件夹(/etc/etcd/ssl)内容:
$ tree
.
├── ca-config.json
├── ca.csr
├── ca-csr.json
├── ca-key.pem
├── ca.pem
├── etcd.csr
├── etcd-csr.json
├── etcd-key.pem
└── etcd.pem

0 directories, 9 files

etcd-csr.json 中的 hosts 必须包含集群每个 member 的 IP 和主机名(它们会成为证书的 SAN): 对端和客户端用来连接该节点的每个地址都要列出, 否则 TLS 校验会失败; 如果要在本机通过 127.0.0.1 访问 etcd, 也要把 127.0.0.1 加进去。

Step3: 修改配置文件/添加systemd unit

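# Config for the first node. The path must match EnvironmentFile= in the
# systemd unit below (/etc/etcd/etcd.conf); writing /etc/etcd.conf instead
# leaves systemd with no config at all.
$ cat > /etc/etcd/etcd.conf << EOF
# Member config
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.234.130:2380"
# Client traffic is TLS-only. A plain http://127.0.0.1:2379 listener would let
# any local process read and write the whole store without a client
# certificate, bypassing ETCD_CLIENT_CERT_AUTH below. Local etcdctl use over
# https://127.0.0.1 needs 127.0.0.1 among the "hosts" (SANs) in etcd-csr.json.
ETCD_LISTEN_CLIENT_URLS="https://192.168.234.130:2379,https://127.0.0.1:2379"

# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.234.130:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.234.130:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.234.130:2380,etcd02=https://192.168.234.131:2380,etcd03=https://192.168.234.132:2380"
# Pick a token unique to this cluster; etcd uses it to keep clusters bootstrapped
# from otherwise identical configs apart.
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# "new" when bootstrapping a cluster that does not exist yet;
# "existing" when adding a member to a cluster that is already running.
ETCD_INITIAL_CLUSTER_STATE="new"

# Security config (path fixed: "/etc/etcd/ssletcd.pem" was missing a slash)
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"

EOF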


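$ cat > /etc/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=etcd
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd
Restart=on-failure
LimitNOFILE=65536
# Sandboxing: the service only needs to read /etc/etcd and write its data dir.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
# Fixed typo: with "muti-user.target" the service would never be started at boot.
WantedBy=multi-user.target
EOF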

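$ systemctl daemon-reload
# Ownership and permissions. The service user only needs to read its own cert
# and key, so keep /etc/etcd root-owned with group read for etcd rather than
# handing the whole tree (CA key included) to the service account. The CA
# private key stays root-only; better still, keep it off the node entirely.
$ chown -R root:etcd /etc/etcd
$ chmod 0750 /etc/etcd /etc/etcd/ssl
$ chmod 0640 /etc/etcd/ssl/*.pem
$ chmod 0600 /etc/etcd/ssl/ca-key.pem
# Data dir: owned by etcd and private (it holds the entire key/value store).
$ mkdir -p /var/lib/etcd && chown etcd:etcd /var/lib/etcd && chmod 0700 /var/lib/etcd
# First member is ready; enable it so it comes back after a reboot.
$ systemctl enable --now etcd.service
# Copy the unit file (and a per-node etcd.conf) to the other hosts.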
# 需要复制service文件到其他主机

在较新版本的 etcd 中, 通过环境变量给出的配置项与对应的命令行参数等价, 不需要再在命令行重复指定, 例如 ETCD_NAME="etcd01" 等价于 --name=etcd01。

Step4: 部署其他节点

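# Config for the second node. The path must match EnvironmentFile= in the
# systemd unit (/etc/etcd/etcd.conf); writing /etc/etcd.conf instead leaves
# systemd with no config at all.
$ cat > /etc/etcd/etcd.conf << EOF
# Member config
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.234.131:2380"
# Client traffic is TLS-only: a plain http://127.0.0.1:2379 listener would
# bypass ETCD_CLIENT_CERT_AUTH for any local process. Local etcdctl use over
# https://127.0.0.1 needs 127.0.0.1 among the "hosts" (SANs) in etcd-csr.json.
ETCD_LISTEN_CLIENT_URLS="https://192.168.234.131:2379,https://127.0.0.1:2379"

# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.234.131:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.234.131:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.234.130:2380,etcd02=https://192.168.234.131:2380,etcd03=https://192.168.234.132:2380"
# Must be the same token on every member of this cluster, and unique to it.
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# "new" when bootstrapping a cluster that does not exist yet;
# "existing" when adding a member to a cluster that is already running.
ETCD_INITIAL_CLUSTER_STATE="new"

# Security config (path fixed: "/etc/etcd/ssletcd.pem" was missing a slash)
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"

EOF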

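# Config for the third node. The path must match EnvironmentFile= in the
# systemd unit (/etc/etcd/etcd.conf); writing /etc/etcd.conf instead leaves
# systemd with no config at all.
$ cat > /etc/etcd/etcd.conf << EOF
# Member config
# Fixed: this node is etcd03 in ETCD_INITIAL_CLUSTER; a duplicate "etcd02"
# name would not match its peer URL and the member could not join.
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.234.132:2380"
# Client traffic is TLS-only: a plain http://127.0.0.1:2379 listener would
# bypass ETCD_CLIENT_CERT_AUTH for any local process. Local etcdctl use over
# https://127.0.0.1 needs 127.0.0.1 among the "hosts" (SANs) in etcd-csr.json.
ETCD_LISTEN_CLIENT_URLS="https://192.168.234.132:2379,https://127.0.0.1:2379"

# Clustering config
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.234.132:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.234.132:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.234.130:2380,etcd02=https://192.168.234.131:2380,etcd03=https://192.168.234.132:2380"
# Must be the same token on every member of this cluster, and unique to it.
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# "new" when bootstrapping a cluster that does not exist yet;
# "existing" when adding a member to a cluster that is already running.
ETCD_INITIAL_CLUSTER_STATE="new"

# Security config (path fixed: "/etc/etcd/ssletcd.pem" was missing a slash)
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"

EOF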

在另外两台主机上完成上面的步骤(复制 unit 文件、证书目录, 并写好各自的 etcd.conf)后, 启动服务即可:

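$ systemctl daemon-reload
# enable --now starts the member and makes it start at boot; a member that is
# only started (not enabled) stays down after a reboot and the cluster can
# lose quorum.
$ systemctl enable --now etcd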

集群首次引导时必须配置 ETCD_INITIAL_CLUSTER_STATE="new", 否则集群可能初始化失败; 之后向已经运行的集群添加成员时, 新成员再改为 "existing"。

最后修改:2022 年 03 月 19 日