OS: CentOS Linux release 7.3.1611 (Core) etcd Version: 3.2.4 Git SHA: c31bec0 Go Version: go1.8.3 Go OS/Arch: linux/amd64
NAME ADDRESS HOSTNAME CONFIGURATION infra0 192.168.16.227 bjo-ep-kub-01.dev.fwmrm.net 8cpus, 16GB内存, 500GB磁盘 infra1 192.168.16.228 bjo-ep-kub-02.dev.fwmrm.net 8cpus, 16GB内存, 500GB磁盘 infra2 192.168.16.229 bjo-ep-kub-03.dev.fwmrm.net 8cpus, 16GB内存, 500GB磁盘
硬件 通常场景 重负载 CPU 2-4 cores 8-18 cores Memory 8GB 16GB-64GB Disk 50 sequential IOPS 500 sequential IOPS Network 1GbE 10GbE
$ /export/etcd/etcd --name infra0 --initial-advertise-peer-urls http://192.168.16.227:2380 \ --listen-peer-urls http://192.168.16.227:2380 \ --listen-client-urls http://192.168.16.227:2379,http://127.0.0.1:2379 \ --advertise-client-urls http://192.168.16.227:2379 \ --initial-cluster-token etcd-cluster-1 \ --initial-cluster infra0=http://192.168.16.227:2380,infra1=http://192.168.16.228:2380,infra2=http://192.168.16.229:2380 \ --initial-cluster-state new
$ /export/etcd/etcd --name infra1 --initial-advertise-peer-urls http://192.168.16.228:2380 \ --listen-peer-urls http://192.168.16.228:2380 \ --listen-client-urls http://192.168.16.228:2379,http://127.0.0.1:2379 \ --advertise-client-urls http://192.168.16.228:2379 \ --initial-cluster-token etcd-cluster-1 \ --initial-cluster infra0=http://192.168.16.227:2380,infra1=http://192.168.16.228:2380,infra2=http://192.168.16.229:2380 \ --initial-cluster-state new
$ /export/etcd/etcd --name infra2 --initial-advertise-peer-urls http://192.168.16.229:2380 \ --listen-peer-urls http://192.168.16.229:2380 \ --listen-client-urls http://192.168.16.229:2379,http://127.0.0.1:2379 \ --advertise-client-urls http://192.168.16.229:2379 \ --initial-cluster-token etcd-cluster-1 \ --initial-cluster infra0=http://192.168.16.227:2380,infra1=http://192.168.16.228:2380,infra2=http://192.168.16.229:2380 \ --initial-cluster-state new
$ cd /export $ wget https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz $ tar -xzf go1.8.3.linux-amd64.tar.gz $ sudo vim ~/.profile $ export GOPATH=/export/go_path $ export GOROOT=/export/go/ $ export CFSSL=/export/go_path/ $ export PATH=$PATH:$GOROOT/bin:$CFSSL/bin $ source ~/.profile
$ go get -u github.com/cloudflare/cfssl/cmd/cfssl $ go get -u github.com/cloudflare/cfssl/cmd/cfssljson
$ mkdir ~/cfssl $ cd ~/cfssl $ cfssl print-defaults config > ca-config.json $ cfssl print-defaults csr > ca-csr.json
{ "signing": { "default": { "expiry": "43800h" }, "profiles": { "server": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "server auth" ] }, "client": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "client auth" ] }, "peer": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } }
{ "CN": "My own CA", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "US", "L": "CA", "O": "My Company Name", "ST": "San Francisco", "OU": "Org Unit 1", "OU": "Org Unit 2" } ]
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca - 2017/08/02 00:56:03 [INFO] generating a new CA key and certificate from CSR 2017/08/02 00:56:03 [INFO] generate received request 2017/08/02 00:56:03 [INFO] received CSR 2017/08/02 00:56:03 [INFO] generating key: rsa-2048 2017/08/02 00:56:04 [INFO] encoded CSR 2017/08/02 00:56:04 [INFO] signed certificate with serial number 81101109133309828380726760425799837279517519090
ca-key.pem ca.csr ca.pem
$ cfssl print-defaults csr > server.json
{ "CN": "server", "hosts": [ "127.0.0.1", "192.168.16.227", "192.168.16.228", "192.168.16.229", "bjo-ep-kub-01.dev.fwmrm.net", "bjo-ep-kub-02.dev.fwmrm.net", "bjo-ep-kub-03.dev.fwmrm.net" ], "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "US", "L": "CA", "ST": "San Francisco" } ]}
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server 2017/08/02 00:57:12 [INFO] generate received request 2017/08/02 00:57:12 [INFO] received CSR 2017/08/02 00:57:12 [INFO] generating key: ecdsa-256 2017/08/02 00:57:12 [INFO] encoded CSR 2017/08/02 00:57:12 [INFO] signed certificate with serial number 138149747694684969550285630966539823697635905885
server-key.pem server.csr server.pem
$ cfssl print-defaults csr > member1.json
{ "CN": "member1", "hosts": [ "127.0.0.1", "192.168.16.227", "192.168.16.228", "192.168.16.229", "bjo-ep-kub-01.dev.fwmrm.net", "bjo-ep-kub-02.dev.fwmrm.net", "bjo-ep-kub-03.dev.fwmrm.net" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "US", "ST": "CA", "L": "San Francisco" } ]
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1 2017/08/02 00:59:12 [INFO] generate received request 2017/08/02 00:59:12 [INFO] received CSR 2017/08/02 00:59:12 [INFO] generating key: rsa-2048 2017/08/02 00:59:13 [INFO] encoded CSR 2017/08/02 00:59:13 [INFO] signed certificate with serial number 222573666682951886940627822839805508037201209158
member1-key.pem member1.csr member1.pem
(后文 infra1、infra2 的启动命令引用的是 member2.pem/member3.pem，需按同样步骤分别生成 member2.json、member3.json 并用 peer profile 签发。注意 ca.pem 同时作为 client 端口与 peer 端口的信任根，且 peer profile 包含 client auth，因此任一 member 证书也会被 client 端口接受；ca-key.pem 应离线妥善保管。)
$ cfssl print-defaults csr > client.json
{ "CN": "client", "hosts": [ "127.0.0.1", "192.168.16.227", "192.168.16.228", "192.168.16.229" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "US", "ST": "CA", "L": "San Francisco" } ]
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
client-key.pem client.csr client.pem
$ /export/etcd/etcd -name infra0 --data-dir infra0 \ --client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \ --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/foo -XPUT -d value=bar -v
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/foo {"action":"get","node":{"key":"/foo","value":"bar","modifiedIndex":12,"createdIndex":12
$ /export/etcd/etcd \ --name infra0 \ --initial-advertise-peer-urls https://192.168.16.227:2380 \ --listen-peer-urls https://192.168.16.227:2380 \ --listen-client-urls https://192.168.16.227:2379,https://127.0.0.1:2379 \ --advertise-client-urls https://192.168.16.227:2379 \ --initial-cluster-token etcd-cluster-1 \ --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \ --initial-cluster-state new \ --client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \ --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \ --peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \ --peer-cert-file=/etc/ssl/etcd/member1.pem --peer-key-file=/etc/ssl/etcd/member1-key.pem
$ /export/etcd/etcd \ --name infra1 \ --initial-advertise-peer-urls https://192.168.16.228:2380 \ --listen-peer-urls https://192.168.16.228:2380 \ --listen-client-urls https://192.168.16.228:2379,https://127.0.0.1:2379 \ --advertise-client-urls https://192.168.16.228:2379 \ --initial-cluster-token etcd-cluster-1 \ --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \ --initial-cluster-state new \ --client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \ --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \ --peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \ --peer-cert-file=/etc/ssl/etcd/member2.pem --peer-key-file=/etc/ssl/etcd/member2-key.pem
$ /export/etcd/etcd \ --name infra2 \ --initial-advertise-peer-urls https://192.168.16.229:2380 \ --listen-peer-urls https://192.168.16.229:2380 \ --listen-client-urls https://192.168.16.229:2379,https://127.0.0.1:2379 \ --advertise-client-urls https://192.168.16.229:2379 \ --initial-cluster-token etcd-cluster-1 \ --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \ --initial-cluster-state new \ --client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \ --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \ --peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \ --peer-cert-file=/etc/ssl/etcd/member3.pem --peer-key-file=/etc/ssl/etcd/member3-key.pem
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/fristname -XPUT -d value=Xia -v $ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 put lasttname 'Zhang'
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/ {"action":"get","node":{"dir":true,"nodes":[{"key":"/foo","value":"bar","modifiedIndex":19,"createdIndex":19},{"key":"/fristname","value":"Xia","modifiedIndex":20,"createdIndex":20},{"key":"/lasttname","value":"Zhang","modifiedIndex":21,"createdIndex":21}]
$ ETCDCTL_API=3 etcdctl --endpoints $ENDPOINT snapshot save snapshot.db
如果enable TLS,需要如下命令:
$ ETCDCTL_API=3 /export/etcd/etcdctl --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.228:2379 snapshot save snapshot.db --cacert=/etc/ssl/etcd/ca.pem --cert=/etc/ssl/etcd/client.pem --key=/etc/ssl/etcd/client-key.pem
Snapshot saved at snapshot.db
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/fristname -XPUT -d value=Xia -v $ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 put lasttname 'Zhang'
$ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 get firstname $ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/ {"action":"get","node":{"dir":true,"nodes":[{"key":"/foo","value":"bar","modifiedIndex":19,"createdIndex":19},{"key":"/fristname","value":"Xia","modifiedIndex":20,"createdIndex":20},{"key":"/lasttname","value":"Zhang","modifiedIndex":21,"createdIndex":21}]
$ ETCDCTL_API=3 /export/etcd/etcdctl snapshot restore snapshot.db \ --name infra0 \ --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \ --initial-cluster-token etcd-cluster-1 \ --initial-advertise-peer-urls https://192.168.16.227:2380 \ --cacert /etc/ssl/etcd/ca.pem \ --cert /etc/ssl/etcd/client.pem \ --key /etc/ssl/etcd/client-key.pem
$ ETCDCTL_API=3 /export/etcd/etcdctl snapshot restore snapshot.db \ --name infra1 \ --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \ --initial-cluster-token etcd-cluster-1 \ --initial-advertise-peer-urls https://192.168.16.228:2380 \ --cacert /etc/ssl/etcd/ca.pem \ --cert /etc/ssl/etcd/client.pem \ --key /etc/ssl/etcd/client-key.pem
$ ETCDCTL_API=3 /export/etcd/etcdctl snapshot restore snapshot.db \ --name infra2 \ --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \ --initial-cluster-token etcd-cluster-1 \ --initial-advertise-peer-urls https://192.168.16.229:2380 \ --cacert /etc/ssl/etcd/ca.pem \ --cert /etc/ssl/etcd/client.pem \ --key /etc/ssl/etcd/client-key.pem
$ ETCDCTL_API=3 /export/etcd/etcdctl snapshot restore snapshot.db --name infra0 --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 --initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls https://192.168.16.227:2380 --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem 2017-08-06 04:09:12.853510 I | etcdserver/membership: added member 3e5097be4ea17ebe [https://192.168.16.229:2380] to cluster cabc8098aa3afc98 2017-08-06 04:09:12.853567 I | etcdserver/membership: added member 67d47e92a1704b1a [https://192.168.16.227:2380] to cluster cabc8098aa3afc98 2017-08-06 04:09:12.853583 I | etcdserver/membership: added member b4725a5341abf1a0 [https://192.168.16.228:2380] to cluster cabc8098aa3afc98
$ /export/etcd/etcd \ --name infra0 \ --initial-advertise-peer-urls https://192.168.16.227:2380 \ --listen-peer-urls https://192.168.16.227:2380 \ --listen-client-urls https://192.168.16.227:2379,https://127.0.0.1:2379 \ --advertise-client-urls https://192.168.16.227:2379 \ --initial-cluster-token etcd-cluster-1 \ --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \ --initial-cluster-state new \ --client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \ --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \ --peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \ --peer-cert-file=/etc/ssl/etcd/member1.pem --peer-key-file=/etc/ssl/etcd/member1-key.pem
$ /export/etcd/etcd \ --name infra1 \ --initial-advertise-peer-urls https://192.168.16.228:2380 \ --listen-peer-urls https://192.168.16.228:2380 \ --listen-client-urls https://192.168.16.228:2379,https://127.0.0.1:2379 \ --advertise-client-urls https://192.168.16.228:2379 \ --initial-cluster-token etcd-cluster-1 \ --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \ --initial-cluster-state new \ --client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \ --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \ --peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \ --peer-cert-file=/etc/ssl/etcd/member2.pem --peer-key-file=/etc/ssl/etcd/member2-key.pem
$ /export/etcd/etcd \ --name infra2 \ --initial-advertise-peer-urls https://192.168.16.229:2380 \ --listen-peer-urls https://192.168.16.229:2380 \ --listen-client-urls https://192.168.16.229:2379,https://127.0.0.1:2379 \ --advertise-client-urls https://192.168.16.229:2379 \ --initial-cluster-token etcd-cluster-1 \ --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \ --initial-cluster-state new \ --client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \ --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \ --peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \ --peer-cert-file=/etc/ssl/etcd/member3.pem --peer-key-file=/etc/ssl/etcd/member3-key.pem
$ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 get lasttname lasttname Zhang $ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 get firstname firstname Xia
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/metrics etcd_debugging_mvcc_db_compaction_pause_duration_milliseconds_bucket{le="1"} 0 etcd_debugging_mvcc_db_compaction_pause_duration_milliseconds_bucket{le="2"} 0 etcd_debugging_mvcc_db_compaction_pause_duration_milliseconds_bucket{le="4"} 0 etcd_debugging_mvcc_db_compaction_pause_duration_milliseconds_bucket{le="8"} 0 ... ... process_start_time_seconds 1.50390583624e+09 process_virtual_memory_bytes 1.0787151872e+10
欢迎转载,请注明作者出处:张夏,FreeWheel Lead Engineer,DockOne社区
原文发布时间为:2017-08-06
本文作者:张夏
本文来自云栖社区合作伙伴Dockerone.io,了解相关信息可以关注Dockerone.io。
原文标题:CentOS 7上搭建安全、容灾、高可用的etcd集群