Deploying an Etcd Cluster from Binaries
阿新 • Published: 2021-06-22
Etcd is a distributed key-value store. Kubernetes uses Etcd for its data storage, so an Etcd database must be prepared first. To avoid an Etcd single point of failure it should be deployed as a cluster; here 3 machines form the cluster, which tolerates the failure of 1 machine. You could also use 5 machines, which tolerates the failure of 2.
Host plan
| Node name | IP |
|---|---|
| etcd-1, k8s-master | 192.168.80.220 |
| etcd-2, k8s-node1 | 192.168.80.221 |
| etcd-3, k8s-node2 | 192.168.80.222 |
Operating system initialisation
```bash
# Turn off the firewall
systemctl stop firewalld
systemctl disable firewalld
# Turn off SELinux
sed -i 's/enforcing/disabled/' /etc/selinux/config   # permanent
setenforce 0                                          # temporary
# Turn off swap
swapoff -a                                            # temporary
sed -ri 's/.*swap.*/#&/' /etc/fstab                   # permanent
# Set the hostname according to the host plan
hostnamectl set-hostname <hostname>
# Add hosts entries on the master
cat >> /etc/hosts << EOF
192.168.80.220 k8s-master1
192.168.80.221 k8s-node1
192.168.80.222 k8s-node2
EOF
# Pass bridged IPv4 traffic to the iptables chains
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system   # apply
# Time synchronisation
yum install ntpdate -y
ntpdate time.windows.com
```
Prepare the cfssl certificate generation tool
cfssl is an open-source certificate management tool that generates certificates from JSON files and is more convenient to use than openssl. Run this on any one server; here the Master node is used.
```bash
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
```
If you cannot download them, you can use the copy I downloaded here: https://files.cnblogs.com/files/sanduzxcvbnm/etcd叢集生成證書的工具.zip
Generate the Etcd certificates
Self-signed certificate authority (CA)
```bash
# Create the working directory
mkdir -p ~/TLS/{etcd,k8s}
cd ~/TLS/etcd
# Self-signed CA
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
# Generate the certificate; this produces ca.pem and ca-key.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
```
Issue the Etcd HTTPS certificate with the self-signed CA
```bash
# Create the certificate signing request file
# The IPs in the hosts field must include the internal cluster IPs of ALL etcd nodes; none may be missing!
# To make later expansion easier, a few spare IPs can be added in advance.
cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.80.220",
    "192.168.80.221",
    "192.168.80.222",
    "192.168.80.223",
    "192.168.80.224",
    "192.168.80.225"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
# Generate the certificate; this produces server.pem and server-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
```
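As an added check that is not part of the original post: before the first `systemctl start etcd`, confirm that server.pem's subjectAltName really covers every peer IP in ETCD_INITIAL_CLUSTER, since a node left out of the hosts list above will fail peer TLS. The `openssl x509 -ext` call in the wrapper assumes OpenSSL 1.1.1 or later; the parsing helpers need only POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original post): verify that server.pem's
# subjectAltName covers every peer IP in ETCD_INITIAL_CLUSTER, so a node
# missing from the "hosts" list is caught before etcd is started.

# Print one IP per line from a value such as
# "etcd-1=https://192.168.80.220:2380,etcd-2=https://192.168.80.221:2380".
cluster_ips() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's#.*=[a-z]*://\([0-9.]*\):[0-9]*#\1#p'
}

# Print the IPs from the cluster string ($1) that are absent from an
# openssl-style SAN line ($2), e.g. "IP Address:192.168.80.220, IP Address:...".
# Prints nothing when every peer is covered.
missing_sans() {
    cluster="$1"
    san=",$(printf '%s' "$2" | tr -d ' '),"   # ",IPAddress:a.b.c.d,IPAddress:...,"
    for ip in $(cluster_ips "$cluster"); do
        case "$san" in
            *",IPAddress:${ip},"*) ;;             # covered
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Wrapper for a real certificate file. Assumes OpenSSL >= 1.1.1 for -ext.
# Usage: check_cert_sans /opt/etcd/ssl/server.pem "$ETCD_INITIAL_CLUSTER"
check_cert_sans() {
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2p')
    missing=$(missing_sans "$2" "$san")
    if [ -n "$missing" ]; then
        printf 'missing SAN entries in %s for: %s\n' "$1" "$missing" >&2
        return 1
    fi
    printf 'all peer IPs are present in %s\n' "$1"
}
```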
Download the binaries from GitHub
The archive can be downloaded with Thunder (迅雷):
https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz
Baidu Netdisk share:
Link: https://pan.baidu.com/s/1LvnMZSGgwafkH3Bdce-s8A
Extraction code: 40bc
Deploy the Etcd cluster
The following is done on node etcd-1. To simplify the procedure, all files generated on node 1 will later be copied to nodes 2 and 3.
```bash
# Create the working directories and unpack the binary archive
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxvf etcd-v3.5.0-linux-amd64.tar.gz
mv etcd-v3.5.0-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
# Create the etcd configuration file
cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.80.220:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.80.220:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.80.220:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.80.220:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.80.220:2380,etcd-2=https://192.168.80.221:2380,etcd-3=https://192.168.80.222:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
```
- ETCD_NAME: node name, unique within the cluster
- ETCD_DATA_DIR: data directory
- ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) communication
- ETCD_LISTEN_CLIENT_URLS: listen address for client access
- ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster
- ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
- ETCD_INITIAL_CLUSTER: addresses of the cluster nodes
- ETCD_INITIAL_CLUSTER_TOKEN: cluster token
- ETCD_INITIAL_CLUSTER_STATE: state when joining the cluster; new for a new cluster, existing to join an existing cluster
```bash
# Manage etcd with systemd
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
# Copy the certificates generated earlier to the paths used in the configuration
cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/
# Start etcd and enable it at boot
systemctl daemon-reload
systemctl start etcd   # the first node is slow to start because it times out trying to reach the other two nodes; the status becomes normal once etcd is up on the other two
systemctl enable etcd
# Copy all files generated on node etcd-1 to nodes etcd-2 and etcd-3
scp -r /opt/etcd/ root@192.168.80.221:/opt/
scp /usr/lib/systemd/system/etcd.service root@192.168.80.221:/usr/lib/systemd/system/
scp -r /opt/etcd/ root@192.168.80.222:/opt/
scp /usr/lib/systemd/system/etcd.service root@192.168.80.222:/usr/lib/systemd/system/
```
```bash
# On node 2 and node 3, change the node name and the current server's IP in etcd.conf
vim /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-1"   # change this: etcd-2 on node 2, etcd-3 on node 3
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.80.220:2380"   # change to the current server's IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.80.220:2379"   # change to the current server's IP
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.80.220:2380"   # change to the current server's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.80.220:2379"   # change to the current server's IP
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.80.220:2380,etcd-2=https://192.168.80.221:2380,etcd-3=https://192.168.80.222:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
# Finally start etcd and enable it at boot with the same commands as above
```
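As an added check that is not part of the original post: after copying etcd.conf from etcd-1 it is easy to forget one of the edits above, and etcd then refuses to join because its advertised peer URL does not match its own entry in ETCD_INITIAL_CLUSTER. This POSIX sh validator reads the file and reports both that mismatch and any listen/advertise URL still carrying etcd-1's IP. The file path and variable names are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a node's
# /opt/etcd/cfg/etcd.conf after it was copied from etcd-1, catching the
# edits the post requires on nodes 2 and 3 (ETCD_NAME and the URL variables)
# before that node is started.

# Print the value of KEY="value" from an env-style file: conf_get FILE KEY
conf_get() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Return 0 when the file is self-consistent, 1 otherwise (reasons on stderr).
# Usage: validate_etcd_conf /opt/etcd/cfg/etcd.conf
validate_etcd_conf() {
    f="$1"; ok=0
    name=$(conf_get "$f" ETCD_NAME)
    peer=$(conf_get "$f" ETCD_INITIAL_ADVERTISE_PEER_URLS)
    cluster=$(conf_get "$f" ETCD_INITIAL_CLUSTER)

    # 1. The entry for this node's name in ETCD_INITIAL_CLUSTER must equal the
    #    peer URL it advertises; otherwise the file is still etcd-1's copy.
    expected=$(printf '%s\n' "$cluster" | tr ',' '\n' | sed -n "s/^$name=//p")
    if [ -z "$expected" ] || [ "$expected" != "$peer" ]; then
        echo "$name: ETCD_INITIAL_CLUSTER entry '$expected' != advertised '$peer'" >&2
        ok=1
    fi

    # 2. Every listen/advertise URL must use the same host as the peer URL.
    host=${peer#*://}; host=${host%:*}
    for v in ETCD_LISTEN_PEER_URLS ETCD_LISTEN_CLIENT_URLS ETCD_ADVERTISE_CLIENT_URLS; do
        case "$(conf_get "$f" "$v")" in
            *"://$host:"*) ;;
            *) echo "$name: $v does not use host $host" >&2; ok=1 ;;
        esac
    done
    return $ok
}
```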
Check the cluster status
```bash
/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.80.220:2379,https://192.168.80.221:2379,https://192.168.80.222:2379" endpoint health --write-out=table
```
+-----------------------------+--------+------------+-------+
| ENDPOINT | HEALTH | TOOK | ERROR |
+-----------------------------+--------+------------+-------+
| https://192.168.80.220:2379 | true | 7.327348ms | |
| https://192.168.80.221:2379 | true | 7.532873ms | |
| https://192.168.80.222:2379 | true | 7.732458ms | |
+-----------------------------+--------+------------+-------+
If the output above appears, the cluster has been deployed successfully.
If there is a problem, check the logs first: /var/log/messages or journalctl -u etcd