Environment
Host planning

How to use this document: replace the IP addresses throughout with those of your own environment. Other versions can also follow this document; the steps are broadly the same.

Three forms of high-availability cluster
- Static configuration: the --initial-cluster parameter lists the addresses of every etcd node directly.
- etcd dynamic discovery
- DNS dynamic discovery
1. Host initialization
1.1 Configure /etc/hosts
$ cat <<EOF >> /etc/hosts
192.168.2.51 etcd1
192.168.2.52 etcd2
192.168.2.53 etcd3
EOF
1.2 Install the cfssl certificate tools
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl_1.6.0_linux_amd64 -O /usr/local/bin/cfssl
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssljson_1.6.0_linux_amd64 -O /usr/local/bin/cfssljson
$ wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl-certinfo_1.6.0_linux_amd64 -O /usr/local/bin/cfssl-certinfo
$ chmod +x /usr/local/bin/cfssl*
1.3 Create the working directories
$ mkdir -p /etc/etcd/cert
- /etc/etcd/ is the etcd working directory;
- /etc/etcd/cert holds the etcd certificates.
1.4 Disable SELinux and firewalld
$ sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
$ systemctl status firewalld.service
$ systemctl disable --now firewalld.service
The change to /etc/selinux/config only takes effect at the next boot.
2. Create the certificates
2.1 Create the certificate authority (CA)
$ cfssl print-defaults config > /etc/etcd/cert/ca-config.json   # generate the default configuration file
$ cat <<EOF > /etc/etcd/cert/ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
- default.expiry: default certificate validity (unit: h);
- profiles.etcd: the profile used when issuing certificates for the service with this configuration file;
- signing: the certificate can be used to sign other certificates; the generated ca.pem has CA=TRUE;
- key encipherment: the key may be used for key encipherment;
- profiles: settings for different roles; several profiles can be defined, each with its own expiry, usage scenario and other parameters, and one profile is selected when signing a certificate;
- server auth: server authentication; a client can use this CA to verify the certificate presented by a server;
- client auth: client authentication; a server can use this CA to verify the certificate presented by a client.
$ cfssl print-defaults csr > /etc/etcd/cert/ca-csr.json
$ cat <<EOF > /etc/etcd/cert/ca-csr.json
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "etcd",
      "OU": "system"
    }
  ]
}
EOF
**hosts**: the scope the certificate is authorized for; a node or service outside this list that uses the certificate gets a certificate mismatch error, and if the list is missing, connections may fail;
**key**: the algorithm to use, normally the RSA asymmetric algorithm (algo: rsa; size: 2048);
**CN**: Common Name; this field is taken from the certificate as the requesting user name (User Name); browsers use it to check whether a website is legitimate; it is the domain name, so write whichever domain you are actually using;
**C**: country (CN for China);
**ST**: state or province (e.g. Hunan);
**L**: city (e.g. Beijing);
**O**: Organization; this field is taken from the certificate as the group (Group) the requesting user belongs to.
Run in /etc/etcd/cert/:
$ cfssl gencert -initca /etc/etcd/cert/ca-csr.json | cfssljson -bare /etc/etcd/cert/etcd-ca
2022/12/28 15:34:42 [INFO] generating a new CA key and certificate from CSR
2022/12/28 15:34:42 [INFO] generate received request
2022/12/28 15:34:42 [INFO] received CSR
2022/12/28 15:34:42 [INFO] generating key: ecdsa-256
2022/12/28 15:34:42 [INFO] encoded CSR
2022/12/28 15:34:42 [INFO] signed certificate with serial number 235381723861351140457367252786107821197429045799
$ ls /etc/etcd/cert/etcd-ca*
/etc/etcd/cert/etcd-ca.csr  /etc/etcd/cert/etcd-ca-key.pem  /etc/etcd/cert/etcd-ca.pem
2.2 Issue the etcd certificate
$ cfssl print-defaults csr > /etc/etcd/cert/etcd-csr.json
$ cat <<EOF > /etc/etcd/cert/etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.2.51",
    "192.168.2.52",
    "192.168.2.53"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "etcd",
      "OU": "system"
    }
  ]
}
EOF
- hosts: the addresses of all etcd nodes plus the loopback address;
Run in /etc/etcd/cert/:
$ cfssl gencert -ca=/etc/etcd/cert/etcd-ca.pem \
  -ca-key=/etc/etcd/cert/etcd-ca-key.pem \
  -config=/etc/etcd/cert/ca-config.json -profile=etcd \
  /etc/etcd/cert/etcd-csr.json | cfssljson -bare /etc/etcd/cert/etcd
# Output:
2022/12/28 15:49:13 [INFO] generate received request
2022/12/28 15:49:13 [INFO] received CSR
2022/12/28 15:49:13 [INFO] generating key: rsa-2048
2022/12/28 15:49:13 [INFO] encoded CSR
2022/12/28 15:49:13 [INFO] signed certificate with serial number 456751516901369921492152169340720764647499480668
$ ls /etc/etcd/cert/
ca-config.json ca-csr.json etcd-ca.csr etcd-ca-key.pem etcd-ca.pem etcd.csr etcd-csr.json etcd-key.pem etcd.pem
# etcd.csr, etcd-key.pem and etcd.pem are the newly generated certificate files
- -ca-key: the private key of the CA;
- -config: the CA signing policy;
- -profile: which profile of the CA policy to use, i.e. the signing.profiles.etcd entry of the CA configuration file;
- etcd.pem: the certificate (public key);
- etcd-key.pem: the private key.
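Before running cfssl gencert it is worth checking both JSON inputs against the member table: a node whose IP is missing from hosts fails the certificate check described above, and a profile without client auth breaks peer authentication when, as here, one certificate serves both the server and the client role. The check below is an added example, not part of the original article or of cfssl; MEMBERS and the file paths are the article's values, and check_cfssl_inputs is a hypothetical helper name.

```python
import json
from typing import Dict, List, Tuple

# Member table from the article; every node presents the same etcd.pem as a
# server (client and peer listeners) and as a client (when dialing peers).
MEMBERS: List[Tuple[str, str]] = [
    ("etcd-1", "192.168.2.51"), ("etcd-2", "192.168.2.52"), ("etcd-3", "192.168.2.53"),
]
# Usages the etcd profile needs when one certificate serves both roles.
REQUIRED_USAGES = {"signing", "key encipherment", "server auth", "client auth"}


def check_cfssl_inputs(ca_config: Dict, csr: Dict, members: List[Tuple[str, str]],
                       profile: str = "etcd") -> List[str]:
    """Return the problems found in ca-config.json / etcd-csr.json (empty list = OK).

    Hypothetical helper; it inspects the JSON the article feeds to cfssl gencert.
    """
    problems: List[str] = []
    prof = ca_config.get("signing", {}).get("profiles", {}).get(profile)
    if prof is None:
        return [f"profile '{profile}' is missing from ca-config.json"]
    missing = REQUIRED_USAGES - set(prof.get("usages", []))
    if missing:
        problems.append(f"profile '{profile}' lacks usages: {sorted(missing)}")
    if not str(prof.get("expiry", "")).endswith("h"):
        problems.append(f"profile '{profile}' expiry should be given in hours, e.g. 87600h")
    hosts = set(csr.get("hosts", []))
    # cfssl turns hosts into SANs; an IP absent here gets a name mismatch on connect.
    for name, ip in members:
        if ip not in hosts:
            problems.append(f"{name} ({ip}) is not in the certificate's hosts list")
    if "127.0.0.1" not in hosts:
        problems.append("127.0.0.1 is not in hosts but ETCD_LISTEN_CLIENT_URLS uses it")
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and int(key.get("size", 0)) < 2048:
        problems.append("RSA key is shorter than 2048 bits")
    return problems


if __name__ == "__main__":  # run on the CA host after writing both files
    with open("/etc/etcd/cert/ca-config.json") as cfg, open("/etc/etcd/cert/etcd-csr.json") as req:
        for line in check_cfssl_inputs(json.load(cfg), json.load(req), MEMBERS) or ["OK"]:
            print(line)
```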
2.3 Distribute the certificates
$ scp /etc/etcd/cert/{etcd-ca.pem,etcd.pem,etcd-key.pem} 192.168.2.52:/etc/etcd/cert/
$ scp /etc/etcd/cert/{etcd-ca.pem,etcd.pem,etcd-key.pem} 192.168.2.53:/etc/etcd/cert/
The target directory from step 1.3 must already exist on each node.
3. Deploy the etcd cluster
3.1 Download the binary package
$ wget -c https://github.com/etcd-io/etcd/releases/download/v3.5.5/etcd-v3.5.5-linux-amd64.tar.gz -k
$ tar -xf etcd-v3.5.5-linux-amd64.tar.gz
$ cp -p etcd-v3.5.5-linux-amd64/{etcd,etcdctl,etcdutl} /usr/local/bin/
$ ls /usr/local/bin/
etcd etcdctl etcdutl
$ etcd -version
etcd Version: 3.5.5
Git SHA: 19002cfc6
Go Version: go1.16.15
Go OS/Arch: linux/amd64
- etcd: the server;
- etcdctl: the etcd client tool;
- etcdutl: the data-recovery tool; older versions used etcdctl for backup and restore.
3.2 Create the etcd configuration file
On etcd1 (192.168.2.51):
$ cat /etc/etcd/etcd.conf
# [Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/etc/etcd/etcd-data"
ETCD_SNAPSHOT_COUNT="5000"
ETCD_HEARTBEAT_INTERVAL="100"
ETCD_ELECTION_TIMEOUT="500"
ETCD_LISTEN_PEER_URLS="https://192.168.2.51:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.51:2379,https://127.0.0.1:2379"
# [Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.51:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.2.51:2380,etcd-2=https://192.168.2.52:2380,etcd-3=https://192.168.2.53:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.51:2379"
# [Security]
ETCD_CLIENT_CERT_AUTH="true"
ETCD_CERT_FILE="/etc/etcd/cert/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/cert/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/cert/etcd-ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/cert/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/cert/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/cert/etcd-ca.pem"
On etcd2 (192.168.2.52):
$ cat /etc/etcd/etcd.conf
# [Member]
ETCD_NAME="etcd-2"
ETCD_DATA_DIR="/etc/etcd/etcd-data"
ETCD_SNAPSHOT_COUNT="5000"
ETCD_HEARTBEAT_INTERVAL="100"
ETCD_ELECTION_TIMEOUT="500"
ETCD_LISTEN_PEER_URLS="https://192.168.2.52:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.52:2379,https://127.0.0.1:2379"
# [Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.52:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.2.51:2380,etcd-2=https://192.168.2.52:2380,etcd-3=https://192.168.2.53:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.52:2379"
# [Security]
ETCD_CLIENT_CERT_AUTH="true"
ETCD_CERT_FILE="/etc/etcd/cert/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/cert/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/cert/etcd-ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/cert/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/cert/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/cert/etcd-ca.pem"
On etcd3 (192.168.2.53):
$ cat /etc/etcd/etcd.conf
# [Member]
ETCD_NAME="etcd-3"
ETCD_DATA_DIR="/etc/etcd/etcd-data"
ETCD_SNAPSHOT_COUNT="5000"
ETCD_HEARTBEAT_INTERVAL="100"
ETCD_ELECTION_TIMEOUT="500"
ETCD_LISTEN_PEER_URLS="https://192.168.2.53:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.53:2379,https://127.0.0.1:2379"
# [Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.53:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.2.51:2380,etcd-2=https://192.168.2.52:2380,etcd-3=https://192.168.2.53:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.53:2379"
# [Security]
ETCD_CLIENT_CERT_AUTH="true"
ETCD_CERT_FILE="/etc/etcd/cert/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/cert/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/cert/etcd-ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/cert/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/cert/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/cert/etcd-ca.pem"
ETCD_INITIAL_CLUSTER must be identical on all three nodes; each member listens on its own IP.
[Cluster] section
- ETCD_INITIAL_CLUSTER: addresses of the cluster members (the initial cluster configuration used at bootstrap)
- ETCD_INITIAL_CLUSTER_STATE: the state this member joins with; new for a new cluster, existing to join an existing cluster
- ETCD_INITIAL_CLUSTER_TOKEN: token that identifies the cluster during bootstrap (cluster name)
- ETCD_INITIAL_ADVERTISE_PEER_URLS: this member's peer URLs, advertised to the other members and used for etcd traffic within the cluster;
- ETCD_ADVERTISE_CLIENT_URLS: this member's client URLs, advertised to the other members of the cluster;
[Member] section
- ETCD_NAME: the name of this node, matching its entry in `ETCD_INITIAL_CLUSTER`
- ETCD_DATA_DIR: the etcd data directory
- ETCD_HEARTBEAT_INTERVAL: heartbeat interval (milliseconds), default 100
- ETCD_ELECTION_TIMEOUT: election timeout (milliseconds), default 1000
- ETCD_LISTEN_PEER_URLS: URLs to listen on for the other cluster members (internal)
- ETCD_LISTEN_CLIENT_URLS: URLs to listen on for `clients` (external);
[Security] section
- ETCD_CLIENT_CERT_AUTH: enable client certificate authentication; when set, etcd checks every incoming HTTPS request for a client certificate signed by the trusted CA, and requests that cannot present a valid client certificate fail.
- ETCD_PEER_CERT_FILE: certificate (public key) for peer communication, used by the cluster nodes to authenticate each other (the .crt file)
- ETCD_PEER_KEY_FILE: private key for peer communication, used by the cluster nodes to authenticate each other (the .key file)
- ETCD_PEER_CLIENT_CERT_AUTH: enable peer client certificate verification
- ETCD_PEER_TRUSTED_CA_FILE: the CA root certificate; path to the trusted CA file for peer server TLS.
- ETCD_PEER_AUTO_TLS="true": peer TLS with generated, self-signed certificates (not used here, since explicit peer certificate files are configured)
- ETCD_CERT_FILE: the etcd certificate (etcd.pem); the client-server TLS certificate file presented to clients
- ETCD_KEY_FILE: the etcd private key, used for client access authentication
- ETCD_CLIENT_CERT_AUTH="true": enable client certificate authentication;
- ETCD_TRUSTED_CA_FILE: the CA certificate (ca.pem or ca.crt)
- ETCD_AUTO_TLS="true": client TLS with generated certificates (not used here, since explicit certificate files are configured)
#####################################################################################################
The same settings in command-line flag form (reference only; the certificate paths are placeholders):
# [Member]
--name=etcd1
--data-dir=/etc/etcd/etcd-data                        # etcd data directory
--snapshot-count=5000
--heartbeat-interval=100                              # heartbeat interval
--election-timeout=500                                # election timeout (default 1000)
--listen-peer-urls https://192.168.2.52:2380          # listen address for traffic between cluster nodes (local IP, port 2380)
--listen-client-urls https://192.168.2.52:2379,https://127.0.0.1:2379   # listen address for client access
# [Clustering]
--initial-advertise-peer-urls=https://192.168.2.52:2380   # local IP, peer address advertised to the cluster
--initial-cluster infra0=https://192.168.2.51:2380,infra1=https://192.168.2.52:2380,infra2=https://10.0.1.12:2380 \
--initial-cluster-state new                           # initial cluster state
--advertise-client-urls https://192.168.2.52:2379     # address of this member advertised to clients
--initial-cluster-token etcd-cluster-1                # initial cluster token
# [Security]
--client-cert-auth="true"                             # enable client certificate authentication
--cert-file=/path/to/infra1-client.crt                # TLS certificate file for client-server communication
--key-file=/path/to/infra1-client.key                 # TLS key file for client-server communication
--trusted-ca-file=/path/to/ca-client.crt              # path to the trusted CA certificate file for client-server TLS
--peer-client-cert-auth="true"                        # enable authentication between cluster nodes
--peer-cert-file=/path/to/infra1-peer.crt             # TLS certificate file for traffic between cluster nodes
--peer-key-file=/path/to/infra1-peer.key              # TLS key file (private key) for traffic between cluster nodes
--peer-trusted-ca-file=ca-peer.crt                    # path to the trusted CA file for traffic between cluster nodes
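The three etcd.conf files above differ only in node name and IP, and a single wrong address in one member's ETCD_INITIAL_CLUSTER, the kind of slip that creeps in when copying by hand, is enough to stop the cluster from bootstrapping. The following added example (not from the original article) renders every member's etcd.conf from one table and cross-checks the resulting set; render_conf, to_env_file and check_cluster are hypothetical helper names, and all values follow the article.

```python
from typing import Dict, List, Tuple

MEMBERS: List[Tuple[str, str]] = [  # member table from the article
    ("etcd-1", "192.168.2.51"), ("etcd-2", "192.168.2.52"), ("etcd-3", "192.168.2.53"),
]
CERT_DIR = "/etc/etcd/cert"  # certificate directory from step 1.3

def render_conf(name: str, ip: str, members: List[Tuple[str, str]],
                token: str = "etcd-cluster-1") -> Dict[str, str]:
    """Hypothetical helper: the key/value pairs of /etc/etcd/etcd.conf for one member."""
    cluster = ",".join(f"{n}=https://{i}:2380" for n, i in members)
    conf = {
        "ETCD_NAME": name,
        "ETCD_DATA_DIR": "/etc/etcd/etcd-data",
        "ETCD_LISTEN_PEER_URLS": f"https://{ip}:2380",
        "ETCD_LISTEN_CLIENT_URLS": f"https://{ip}:2379,https://127.0.0.1:2379",
        "ETCD_INITIAL_ADVERTISE_PEER_URLS": f"https://{ip}:2380",
        "ETCD_INITIAL_CLUSTER_STATE": "new",
        "ETCD_INITIAL_CLUSTER": cluster,
        "ETCD_INITIAL_CLUSTER_TOKEN": token,
        "ETCD_ADVERTISE_CLIENT_URLS": f"https://{ip}:2379",
    }
    # The article uses one certificate for both the client-facing and the peer listener.
    for role in ("", "PEER_"):
        conf[f"ETCD_{role}CLIENT_CERT_AUTH"] = "true"
        conf[f"ETCD_{role}CERT_FILE"] = f"{CERT_DIR}/etcd.pem"
        conf[f"ETCD_{role}KEY_FILE"] = f"{CERT_DIR}/etcd-key.pem"
        conf[f"ETCD_{role}TRUSTED_CA_FILE"] = f"{CERT_DIR}/etcd-ca.pem"
    return conf

def to_env_file(conf: Dict[str, str]) -> str:
    """Serialise as KEY="value" lines, the form EnvironmentFile= in the unit file reads."""
    return "".join(f'{k}="{v}"\n' for k, v in conf.items())

def check_cluster(confs: List[Dict[str, str]]) -> List[str]:
    """Cross-check the configs of all members; returns problems (empty list = consistent)."""
    problems: List[str] = []
    if len({c["ETCD_INITIAL_CLUSTER"] for c in confs}) != 1:
        problems.append("ETCD_INITIAL_CLUSTER is not identical on every member")
    for c in confs:
        me = c["ETCD_NAME"]
        peers = dict(item.split("=", 1) for item in c["ETCD_INITIAL_CLUSTER"].split(","))
        if peers.get(me) != c["ETCD_INITIAL_ADVERTISE_PEER_URLS"]:
            problems.append(f"{me}: advertised peer URL differs from its ETCD_INITIAL_CLUSTER entry")
        if len(set(peers.values())) != len(peers):  # two names on one address, as in a copy slip
            problems.append(f"{me}: duplicate peer URL in ETCD_INITIAL_CLUSTER")
        if any(c.get(k) != "true" for k in ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH")):
            problems.append(f"{me}: client or peer certificate authentication is not enabled")
    return problems
```

Write to_env_file(render_conf(name, ip, MEMBERS)) to /etc/etcd/etcd.conf on each node, and run check_cluster over all three before starting the service.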
3.3 Create the service unit file
$ cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/etc/etcd/etcd.conf
#WorkingDirectory=/etc/etcd/etcd-data
ExecStart=/usr/local/bin/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
- WorkingDirectory: etcd data directory; conflicts with ETCD_DATA_DIR;
- EnvironmentFile: the etcd configuration file;
- ExecStart: the start command.
3.4 Start the etcd cluster
$ systemctl daemon-reload
$ systemctl start etcd.service
$ systemctl enable etcd.service
$ systemctl status etcd
Run this on all three nodes; a member of a new cluster only reports ready once enough members are up to elect a leader, so start them close together.
3.5 Check the cluster status
$ etcdctl endpoint health --write-out=table \
  --endpoints=https://192.168.2.51:2379,https://192.168.2.52:2379,https://192.168.2.53:2379 \
  --cacert=/etc/etcd/cert/etcd-ca.pem --cert=/etc/etcd/cert/etcd.pem --key=/etc/etcd/cert/etcd-key.pem
# Output:
+---------------------------+--------+-------------+-------+
|         ENDPOINT          | HEALTH |    TOOK     | ERROR |
+---------------------------+--------+-------------+-------+
| https://192.168.2.52:2379 |   true | 20.340362ms |       |
| https://192.168.2.53:2379 |   true | 26.419585ms |       |
| https://192.168.2.51:2379 |   true | 26.196417ms |       |
+---------------------------+--------+-------------+-------+
- --write-out=table / -w table: print the result as a table;
- --cacert: the CA certificate
- --cert: the etcd service certificate
- --key: the etcd private key
- --endpoints: the cluster addresses
- HEALTH: whether the endpoint is healthy.
