标签:opt hdss7 部署 server Master etcd peer 集群 certs
目录- 1.集群规划
- 2.创建基于根证书的config配置文件
- 3.创建生成etcd自签证书peer的csr的json配置文件
- 4.生成etcd证书文件
- 5.创建etcd用户
- 6.软件下载解压
- 7.拷贝证书
- 8.创建etcd服务启动脚本(注意每台etcd服务器个别配置不一样)
- 9.授权
- 10.安装supervisor软件
- 11.配置supervisor(注意每台etcd服务器个别配置不一样)
- 12.启动etcd服务并检查
- 13.检查集群状态
1.集群规划
| 主机 | IP | 角色 |
|---|---|---|
| hdss7-12.host.com | 10.4.7.12 | etcd-server |
| hdss7-21.host.com | 10.4.7.21 | etcd-server |
| hdss7-22.host.com | 10.4.7.22 | etcd-server |
2.创建基于根证书的config配置文件
在hdss7-200主机上执行:
cat > /opt/certs/ca-config.json <<'eof'
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
eof
- peer:相互通信,服务端找客户端需要证书,客户端找服务端也需要证书。
- client:客户端跟服务器端需要证书,服务器端找客户端不需要证书。
- server:服务端启动的时候需要证书。
3.创建生成etcd自签证书peer的csr的json配置文件
cat > /opt/certs/etcd-peer-csr.json <<'eof'
{
"CN": "k8s-etcd",
"hosts": [
"10.4.7.11",
"10.4.7.12",
"10.4.7.21",
"10.4.7.22"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangZhou",
"L": "GuangZhou",
"O": "k8s",
"OU": "yw"
}
]
}
eof
hosts字段表示可能安装etcd的服务器主机ip。
4.生成etcd证书文件
cd /opt/certs/
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer
[root@hdss7-200 certs]# ll
etcd-peer.csr
etcd-peer-csr.json
etcd-peer-key.pem
etcd-peer.pem
5.创建etcd用户
以下在hdss7-12,hdss7-21,hdss7-22操作
以hdss7-12部署为例:
useradd -s /sbin/nologin -M etcd
6.软件下载解压
下载链接:https://github.com/etcd-io/etcd/releases/tag/v3.1.20
mkdir /opt/src
cd /opt/src
rz ==> etcd-v3.1.20-linux-amd64.tar.gz
tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
cd /opt
mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
ln -s /opt/etcd-v3.1.20/ /opt/etcd
7.拷贝证书
mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
scp hdss7-200:/opt/certs/ca.pem /opt/etcd/certs/
scp hdss7-200:/opt/certs/etcd-peer.pem /opt/etcd/certs/
scp hdss7-200:/opt/certs/etcd-peer-key.pem /opt/etcd/certs/
8.创建etcd服务启动脚本(注意每台etcd服务器个别配置不一样)
cat > /opt/etcd/etcd-server-startup.sh <<'eof'
#!/bin/sh
./etcd --name etcd-server-7-12 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.12:2380 \
--listen-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8589934592 \
--initial-advertise-peer-urls https://10.4.7.12:2380 \
--advertise-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--initial-cluster etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
eof
9.授权
chmod +x /opt/etcd/etcd-server-startup.sh
chown -R etcd: /opt/etcd-v3.1.20/ /data/etcd/ /data/logs/etcd-server/
10.安装supervisor软件
yum install supervisor -y
systemctl start supervisord
systemctl enable supervisord
11.配置supervisor(注意每台etcd服务器个别配置不一样)
cat > /etc/supervisord.d/etcd-server.ini <<'eof'
[program:etcd-server-7-12]
command=/opt/etcd/etcd-server-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/etcd ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
eof
12.启动etcd服务并检查
supervisorctl update
supervisorctl status
netstat -lntup|grep etcd
tcp 0 0 10.4.7.12:2379 0.0.0.0:* LISTEN 11225/./etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 11225/./etcd
tcp 0 0 10.4.7.12:2380 0.0.0.0:* LISTEN 11225/./etcd
13.检查集群状态
[root@hdss7-21 etcd]# /opt/etcd/etcdctl cluster-health
member 988139385f78284 is healthy: got healthy result from http://127.0.0.1:2379
member 5a0ef2a004fc4349 is healthy: got healthy result from http://127.0.0.1:2379
member f4a0cb0a765574a8 is healthy: got healthy result from http://127.0.0.1:2379
cluster is healthy
[root@hdss7-21 etcd]# /opt/etcd/etcdctl member list
988139385f78284: name=etcd-server-7-22 peerURLs=https://10.4.7.22:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.22:2379 isLeader=false
5a0ef2a004fc4349: name=etcd-server-7-21 peerURLs=https://10.4.7.21:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.21:2379 isLeader=false
f4a0cb0a765574a8: name=etcd-server-7-12 peerURLs=https://10.4.7.12:2380 clientURLs=http://127.0.0.1:23
标签:opt,hdss7,部署,server,Master,etcd,peer,集群,certs 来源: https://www.cnblogs.com/even160941/p/15040967.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。