Centos7.4 二进制方式部署ETCD数据库
环境
系统:Centos7.4-1708
主机:ku-master 192.168.199.61,ku-node1 192.168.199.62,ku-node2 192.168.199.63
一、准备工作
1、地址解析
cat >> /etc/hosts << EOF
192.168.199.61 ku-master
192.168.199.62 ku-node1
192.168.199.63 ku-node2
EOF
2、关闭firewalld,NetworkManager,selinx
systemctl stopfirewalld ;systemctl mask firewalld ; systemctl stop NetworkManager; systemctl disable NetworkManager ;setenforce 0 ; sed -i 's/SELINUX=enforcing/SELINUX=disabled'
3、时间同步
ntpdate ntp1.aliyun.com
4、关闭swap分区
swapoff -a
二、生成etcd所需要的https的证书【ku-master】
1、部署cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl_linux-amd64 /usr/local/bin/cfssl
2、创建工作目录
mkdir -p ~/TLS/{etcd,k8s}
cd /root/TLS/etcd
编辑自签CA的json配置文件和证书文件
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
3、生成自签CA证书
gencert -initca ca-csr.json | cfssljson -bare ca -
4、创建证书申请文件
cat > server-csr.json << EOF
{
"CN": "etcd",
"hosts": [
"192.168.199.61",
"192.168.199.62",
"192.168.199.63"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
三、部署ETCD
1、创建工作目录,下载二进制etcd源码文件
mkdir -p /opt/etcd/{bin,cfg,ssl}
wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
tar -xf etcd-v3.4.9-linux-amd64.tar.gz
cp /root/TLS/etcd/*.pem /opt/etcd/ssl/
cp -r etcd-v3.4.9-linux-amd64/etcd* /opt/etcd/bin/
cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.199.61:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.199.61:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.199.61:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.199.61:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.199.61:2380,etcd-2=https://192.168.199.62:2380,etcd-3=https://192.168.199.63:2380,etcd-4=https://192.168.199.64:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
把master的opt下的etcd全部拷贝到其他节点。把etcd.service也拷贝过去。然后修改etcd.conf就可以启动假如数据库集群。
验证集群
ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.199.61:2379,https://192.168.199.62:2379,https://192.168.199.63:2379,https://192.168.199.64:2379" endpoint health