[ETCD] Quickly setting up an etcd cluster environment with Docker

I. Preparation

1. Pull the image

docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.2.24

2. Retag the image as your own

docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.2.24 <image-name>:<version>
docker push <image-name>:<version>

II. Basic installation

1. Create the directory

mkdir -p /opt/etcd

2. Run

# On node 172.16.46.214
docker run --name etcd1 \
--restart=always \
--net host -d \
--privileged=true \
-m 4g \
-v /opt/etcd:/var/etcd \
-v /etc/localtime:/etc/localtime \
registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.2.24 \
etcd --name etcd-mscm1 \
--auto-compaction-retention=1 --max-request-bytes=33554432 --quota-backend-bytes=8589934592 \
--data-dir=/var/etcd/etcd-data \
--listen-client-urls http://0.0.0.0:2379 \
--listen-peer-urls http://0.0.0.0:2380 \
--initial-advertise-peer-urls http://172.16.46.214:2380 \
--advertise-client-urls http://172.16.46.214:2379 \
--initial-cluster-token mscm-etcd-cluster \
--initial-cluster "etcd-mscm1=http://172.16.46.214:2380,etcd-mscm2=http://172.16.46.213:2380" \
--initial-cluster-state new

# On node 172.16.46.213
docker run --name etcd2 \
--restart=always \
--net host -d \
--privileged=true \
-m 4g \
-v /opt/etcd:/var/etcd \
-v /etc/localtime:/etc/localtime \
registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.2.24 \
etcd --name etcd-mscm2 \
--auto-compaction-retention=1 --max-request-bytes=33554432 --quota-backend-bytes=8589934592 \
--data-dir=/var/etcd/etcd-data \
--listen-client-urls http://0.0.0.0:2379 \
--listen-peer-urls http://0.0.0.0:2380 \
--initial-advertise-peer-urls http://172.16.46.213:2380 \
--advertise-client-urls http://172.16.46.213:2379 \
--initial-cluster-token mscm-etcd-cluster \
--initial-cluster "etcd-mscm1=http://172.16.46.214:2380,etcd-mscm2=http://172.16.46.213:2380" \
--initial-cluster-state new

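Parameters:

  • --auto-compaction-retention

    • etcd stores multiple versions of each key, so as writes accumulate the historical revisions have to be cleaned up periodically. By default history is never cleaned up; once the data reaches 2G no more writes are accepted, and the history must be compacted before writes can continue. Decide how often to compact history, based on business needs, before going to production. Compacting once an hour is recommended; it goes a long way towards keeping the cluster stable and reduces memory and disk usage.
  • --max-request-bytes

    • Maximum size in bytes of an etcd Raft message; the etcd default is 1.5M. In many business scenarios 1.5M turns out to be nowhere near enough when synchronizing data, so settling the initial value up front matters. Because the 1.5M limit left our production service unable to write metadata, we did an emergency upgrade and changed the value to a default of 32M; the official recommendation is 10M, and you can adjust it to suit your own workload.
  • --quota-backend-bytes

    • Size of the etcd db; the default is 2G. When the data reaches 2G writes are refused and the history must be compacted before writing can continue (see the first item above). The size should be decided at startup; the official recommendation is 8G, and we use 8G here as well.
  • --data-dir

    • Data storage directory.
  • --listen-client-urls

    • Address on which this node serves clients, written as scheme://IP:port; several may be given, separated by commas. If set to http://0.0.0.0:2379, the address used to reach the node is not restricted.
  • --listen-peer-urls

    • Address on which this node listens for data exchange with the other nodes (election, data synchronization), written as scheme://IP:port; several may be given, separated by commas. If set to http://0.0.0.0:2379, the address used to reach the node is not restricted.
  • --initial-advertise-peer-urls

    • Address advertised to the other nodes for data exchange (election, synchronization) with this node; the URL may use a domain name.

      It differs from --listen-peer-urls in that listen-peer-urls controls which addresses accept incoming requests, while initial-advertise-peer-urls tells the other cluster nodes which URL to use. Generally, initial-advertise-peer-urls is a subset of listen-peer-urls.

  • --advertise-client-urls

    • Tells the other etcd nodes which address clients use to reach this node; generally advertise-client-urls is a subset of listen-client-urls.
  • --initial-cluster-token

    • Unique identifier of the cluster; nodes with the same token are treated as belonging to one cluster.
  • --initial-cluster

    • Configuration of all nodes in the cluster, separated by commas.
  • --initial-cluster-state

    • How the node is initialized: new means a new cluster is created if none exists; existing means that if the cluster does not exist, the node ends up in a failed-to-join state.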

3. Verify

# enter the container
docker exec -it <container> /bin/sh
# then run
etcdctl member list
etcdctl cluster-health

III. Installation with TLS certificates

1. Install the certificate generation tool cfssl

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

2. Verify

cfssl --help

3. Generate a configuration template

cfssl print-defaults config > ca-config.json
# then edit it to the following
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "mscmssl": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

4. Generate a CSR

cfssl print-defaults csr > ca-csr.json
# then edit it to the following
{
    "CN": "mscmssl",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "HangZhou",
            "ST": "HangZhou",
            "O": "mscm",
            "OU": "System"
        }
    ]
}

5. Generate the CA certificate

cfssl  gencert -initca ca-csr.json | cfssljson -bare ca -

6. Create server-csr.json

cat > server-csr.json <<EOF
{
    "CN": "mscmssl",
    "hosts": [
        "127.0.0.1",
        "172.16.46.214",
        "172.16.46.213"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "HangZhou",
            "ST": "HangZhou",
            "O":"mscm",
            "OU": "System"
        }
    ]
}
EOF

7. Generate the server certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
-profile=mscmssl server-csr.json | cfssljson -bare server
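
The server certificate is only valid for the addresses listed under "hosts" in server-csr.json, so every member in --initial-cluster has to appear there or peers and clients dialing that member will reject the certificate. The script below is an added example (not part of the original post) that reports uncovered members; the function names are made up here, the sample CSR and the third member at 172.16.46.215 are constructed, and it assumes IPv4 or hostname peer URLs.

```shell
#!/bin/sh
# Added example (not from the original post): list cluster members that a
# cfssl CSR's "hosts" (the certificate's SANs) would not cover.

# csr_hosts "<csr json>": print each entry of the "hosts" array on its own line.
csr_hosts() {
    { printf '%s' "$1" | tr -d ' \t\n"'; echo; } |
        sed -n 's/.*hosts:\[\([^]]*\)].*/\1/p' | tr ',' '\n'
}

# cluster_hosts "<--initial-cluster value>": print the host part of each peer URL.
cluster_hosts() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/^[^=]*=//' -e 's|^[a-z]*://||' -e 's/:[0-9]*$//'
}

# missing_sans "<csr json>" "<--initial-cluster value>": print every cluster host
# the certificate would NOT be valid for; prints nothing when all are covered.
missing_sans() (
    sans=$(csr_hosts "$1")
    for h in $(cluster_hosts "$2"); do
        if ! printf '%s\n' "$sans" | grep -qxF -- "$h"; then
            printf '%s\n' "$h"
        fi
    done
)

# Constructed sample mirroring the hosts list of server-csr.json.
SERVER_CSR='{
    "CN": "mscmssl",
    "hosts": [ "127.0.0.1", "172.16.46.214", "172.16.46.213" ],
    "key": { "algo": "rsa", "size": 2048 }
}'
CLUSTER="etcd214=https://172.16.46.214:2380,etcd213=https://172.16.46.213:2380"
# Hypothetical third member that the certificate does not list.
GROWN="$CLUSTER,etcd215=https://172.16.46.215:2380"

missing_sans "$SERVER_CSR" "$CLUSTER"
missing_sans "$SERVER_CSR" "$GROWN"
```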

8. Create admin-csr.json

cat > admin-csr.json <<EOF

{
    "CN": "admin",
    "hosts": [  ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "HangZhou",
            "ST": "HangZhou",
            "O":"system:masters",
            "OU": "System"
        }
    ]
}

EOF

9. Generate the admin certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
-profile=mscmssl admin-csr.json | cfssljson -bare admin

10. Delete the other files, keeping only the .pem files

ls | grep -v pem | xargs -I {} rm {}

11. Copy the certificates into the corresponding directory

mkdir /opt/etcd/ssl
cp -rf  ca-key.pem  ca.pem  server-key.pem  server.pem /opt/etcd/ssl/

12. Run

# etcd serves TLS only on URLs whose scheme is https; with http:// URLs it ignores the certificate flags.
# On node 172.16.46.213
docker run --name etcd-213 \
--restart=always \
--net host -d \
--privileged=true \
-m 4g \
-v /opt/etcd:/var/etcd \
-v /etc/localtime:/etc/localtime \
registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.2.24 \
etcd --name etcd-mscm-213 \
--auto-compaction-retention=1 --max-request-bytes=33554432 --quota-backend-bytes=8589934592 \
--enable-v2='true' \
--client-cert-auth='true' \
--trusted-ca-file=/var/etcd/ssl/ca.pem \
--cert-file=/var/etcd/ssl/server.pem \
--key-file=/var/etcd/ssl/server-key.pem \
--peer-client-cert-auth='true' \
--peer-trusted-ca-file=/var/etcd/ssl/ca.pem \
--peer-cert-file=/var/etcd/ssl/server.pem \
--peer-key-file=/var/etcd/ssl/server-key.pem \
--data-dir=/var/etcd/etcd-data \
--listen-client-urls https://0.0.0.0:2379 \
--listen-peer-urls https://0.0.0.0:2380 \
--initial-advertise-peer-urls https://172.16.46.213:2380 \
--advertise-client-urls https://172.16.46.213:2379 \
--initial-cluster-token mscm-etcd-cluster \
--initial-cluster "etcd-mscm-214=https://172.16.46.214:2380,etcd-mscm-213=https://172.16.46.213:2380" \
--initial-cluster-state new

# On node 172.16.46.214
docker run --name etcd-214 \
--restart=always \
--net host -d \
--privileged=true \
-m 4g \
-v /opt/etcd:/var/etcd \
-v /etc/localtime:/etc/localtime \
registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.2.24 \
etcd --name etcd-mscm-214 \
--auto-compaction-retention=1 --max-request-bytes=33554432 --quota-backend-bytes=8589934592 \
--enable-v2='true' \
--client-cert-auth='true' \
--trusted-ca-file=/var/etcd/ssl/ca.pem \
--cert-file=/var/etcd/ssl/server.pem \
--key-file=/var/etcd/ssl/server-key.pem \
--peer-client-cert-auth='true' \
--peer-trusted-ca-file=/var/etcd/ssl/ca.pem \
--peer-cert-file=/var/etcd/ssl/server.pem \
--peer-key-file=/var/etcd/ssl/server-key.pem \
--data-dir=/var/etcd/etcd-data \
--listen-client-urls https://0.0.0.0:2379 \
--listen-peer-urls https://0.0.0.0:2380 \
--initial-advertise-peer-urls https://172.16.46.214:2380 \
--advertise-client-urls https://172.16.46.214:2379 \
--initial-cluster-token mscm-etcd-cluster \
--initial-cluster "etcd-mscm-214=https://172.16.46.214:2380,etcd-mscm-213=https://172.16.46.213:2380" \
--initial-cluster-state new

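Note: etcd installed via Docker has problems; the cluster is healthy one moment and broken the next. The binary installation is recommended.

IV. Binary installation

1. Download the binary release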

wget https://github.com/etcd-io/etcd/releases/download/v3.2.12/etcd-v3.2.12-linux-amd64.tar.gz

2. Create the directories

mkdir -p /opt/etcd/{bin,cfg,ssl}

3. Extract the archive and move the binaries

tar -zxvf etcd-v3.2.12-linux-amd64.tar.gz
cd etcd-v3.2.12-linux-amd64
mv etcd /opt/etcd/bin/
mv etcdctl /opt/etcd/bin/

4. Create the configuration file

cat > /opt/etcd/cfg/etcd <<EOF
#[Member]
ETCD_NAME="etcd214"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.16.46.214:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.46.214:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.46.214:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.46.214:2379"
ETCD_INITIAL_CLUSTER="etcd214=https://172.16.46.214:2380,etcd213=https://172.16.46.213:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

5. Create the systemd unit file

vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=-/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

6. Set up SSH trust between the nodes

cd /root
ssh-keygen  # note: press Enter at every prompt
# set up communication
ssh-copy-id [email protected]
# create the directories on each node, then transfer the files
mkdir -p /opt/etcd/{bin,cfg,ssl}
scp -r /opt/etcd/bin/ [email protected]:/opt/etcd
scp -r /opt/etcd/cfg/ [email protected]:/opt/etcd
scp -r /opt/etcd/ssl/ [email protected]:/opt/etcd
scp /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system

Note: remember to adjust the configuration file on the other nodes.

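7. Start

# start the service
systemctl start etcd
# enable at boot
systemctl enable etcd
# if something goes wrong, check the log
tail /var/log/messages

8. Configure the environment variable so that the etcdctl command can be invoked from anywhere, much like configuring the JDK environment variables

vim /etc/profile
# append at the end
PATH=$PATH:/opt/etcd/bin
# reload the environment
source /etc/profile

9. Verify: query the cluster from a client. Because our etcd is encrypted, the key and certificates have to be supplied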

etcdctl --ca-file=/opt/etcd/ssl/ca.pem \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--endpoints="https://172.16.46.213:2379,https://172.16.46.214:2379" cluster-health
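
etcd serves TLS only on URLs whose scheme is https and only demands client certificates when --client-cert-auth / --peer-client-cert-auth are true, so a command line can carry certificate flags and still accept plaintext or unauthenticated connections. The script below is an added example (not part of the original post) that audits an etcd command line for those cases; the function names and finding labels are made up here, and both sample command lines are constructed: one pairs certificate flags with http:// URLs, the other is modelled on the systemd unit's flags with the variables expanded.

```shell
#!/bin/sh
# Added example (not from the original post): static audit of an etcd command
# line for TLS settings that are present but not effective.
# Finding labels (no-tls, plaintext-url, no-client-cert-auth) are this example's own.

# tokens "<command line>": one token per line, quotes and backslashes dropped.
tokens() {
    printf '%s\n' "$1" | tr -d "\"'\\\\" | tr -s ' \t' '\n\n'
}

# flag_value "<command line>" <name>: value of -name/--name written as
# "--name=value" or "--name value"; a bare boolean flag yields "true".
flag_value() {
    tokens "$1" | awk -v n="$2" '
        want                { v = $0; if (v ~ /^-/) v = "true"; print v; hit = 1; exit }
        $0 ~ ("^--?" n "=") { sub(/^[^=]*=/, ""); print; hit = 1; exit }
        $0 ~ ("^--?" n "$") { want = 1 }
        END                 { if (want && !hit) print "true" }'
}

# audit_etcd_flags "<command line>": one finding per line, nothing if clean.
audit_etcd_flags() (
    for side in client peer; do
        case $side in
            client) p="";      listen=listen-client-urls; adv=advertise-client-urls ;;
            peer)   p="peer-"; listen=listen-peer-urls;   adv=initial-advertise-peer-urls ;;
        esac
        if [ -z "$(flag_value "$1" "${p}cert-file")" ]; then
            printf '%s:no-tls\n' "$side"
            continue
        fi
        urls="$(flag_value "$1" "$listen"),$(flag_value "$1" "$adv")"
        for u in $(printf '%s' "$urls" | tr ',' ' '); do
            case $u in
                http://*) printf '%s:plaintext-url:%s\n' "$side" "$u" ;;
            esac
        done
        if [ "$(flag_value "$1" "${p}client-cert-auth")" != true ]; then
            printf '%s:no-client-cert-auth\n' "$side"
        fi
    done
)

# Constructed sample: certificate flags combined with http:// URLs.
SAMPLE_HTTP="etcd --name n1 --cert-file=/var/etcd/ssl/server.pem --client-cert-auth='true' \
--peer-cert-file=/var/etcd/ssl/server.pem --peer-client-cert-auth='true' \
--listen-client-urls http://0.0.0.0:2379 --advertise-client-urls http://172.16.46.213:2379 \
--listen-peer-urls http://0.0.0.0:2380 --initial-advertise-peer-urls http://172.16.46.213:2380"
# Constructed sample: https URLs plus a loopback http listener, no client-cert-auth flags.
SAMPLE_UNIT="etcd --listen-peer-urls=https://172.16.46.214:2380 \
--listen-client-urls=https://172.16.46.214:2379,http://127.0.0.1:2379 \
--advertise-client-urls=https://172.16.46.214:2379 --initial-advertise-peer-urls=https://172.16.46.214:2380 \
--cert-file=/opt/etcd/ssl/server.pem --peer-cert-file=/opt/etcd/ssl/server.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem"

audit_etcd_flags "$SAMPLE_HTTP"
audit_etcd_flags "$SAMPLE_UNIT"
```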

V. Flannel network cluster

1. Write the allocated subnet range into etcd for flanneld to use

# set
etcdctl --ca-file=/opt/etcd/ssl/ca.pem \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--endpoints="https://172.16.46.213:2379,https://172.16.46.214:2379" \
set /coreos.com/network/config '{"Network":"100.10.0.0/16","Backend":{"Type":"vxlan"}}'

# read back
etcdctl --ca-file=/opt/etcd/ssl/ca.pem \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--endpoints="https://172.16.46.213:2379,https://172.16.46.214:2379" \
get /coreos.com/network/config

2. Download the binary package

wget https://github.com/coreos/flannel/releases/download/v0.9.1/flannel-v0.9.1-linux-amd64.tar.gz

3. Extract

tar -zxvf flannel-v0.9.1-linux-amd64.tar.gz
mv flanneld mk-docker-opts.sh /opt/etcd/bin/
# copy to the other node
scp -r /opt/etcd/bin/flanneld [email protected]:/opt/etcd/bin
scp -r /opt/etcd/bin/mk-docker-opts.sh [email protected]:/opt/etcd/bin

4. Create the configuration file

vim /opt/etcd/cfg/flanneld
FLANNEL_ETCD="-etcd-endpoints=https://172.16.46.213:2379,https://172.16.46.214:2379"
FLANNEL_ETCD_CAFILE="--etcd-cafile=/opt/etcd/ssl/ca.pem"
FLANNEL_ETCD_CERTFILE="--etcd-certfile=/opt/etcd/ssl/server.pem"
FLANNEL_ETCD_KEYFILE="--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

5. Manage flannel with systemd

vim /usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=-/opt/etcd/cfg/flanneld
ExecStart=/opt/etcd/bin/flanneld --ip-masq ${FLANNEL_ETCD} ${FLANNEL_ETCD_CAFILE} ${FLANNEL_ETCD_CERTFILE} ${FLANNEL_ETCD_KEYFILE}
ExecStartPost=/opt/etcd/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target

6. Start

systemctl start flanneld
systemctl enable flanneld

7. Configure Docker to start with the assigned subnet

vim /run/flannel/subnet.env

# edit the Docker unit file
vim /usr/lib/systemd/system/docker.service
# add
EnvironmentFile=-/run/flannel/subnet.env

$DOCKER_NETWORK_OPTIONS

8. Restart Docker

systemctl daemon-reload
systemctl restart docker

9. Verify

ifconfig # correct if the docker and flannel IPs are in the same subnet

etcd configuration parameters in detail

Applies to etcd version 3.2.17

--name Node name
default: "default"
env variable: ETCD_NAME

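This value corresponds one-to-one with the key used in the --initial-cluster flag (e.g., default=http://localhost:2380). In a cluster the name must be unique; using the hostname or a machine ID is recommended.

--data-dir Data storage directory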
default: "${name}.etcd"
env variable: ETCD_DATA_DIR

--wal-dir
default: ""
env variable: ETCD_WAL_DIR

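Directory for the write-ahead log (WAL), whose main purpose is to record the complete history of every data change. If unset, the --data-dir directory is shared.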

--snapshot-count
default: "100000"
env variable: ETCD_SNAPSHOT_COUNT

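Number of committed transactions that triggers a snapshot: after etcd has processed the specified number of transaction commits, it produces a data snapshot.

--heartbeat-interval Heartbeat interval after a client connects (milliseconds)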
default: "100"
env variable: ETCD_HEARTBEAT_INTERVAL

--election-timeout Timeout for cluster elections
default: "1000"
env variable: ETCD_ELECTION_TIMEOUT

--listen-peer-urls
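Address on which this node listens for data exchange with the other nodes (election, data synchronization), written as scheme://IP:port; several may be given, separated by commas. If set to http://0.0.0.0:2379, the address used to reach the node is not restricted.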

default: "http://localhost:2380"
env variable: ETCD_LISTEN_PEER_URLS
example: "http://10.0.0.1:2380"
invalid example: "http://example.com:2380" (domain name is invalid for binding)

--listen-client-urls
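Address on which this node serves clients, written as scheme://IP:port; several may be given, separated by commas. If set to http://0.0.0.0:2379, the address used to reach the node is not restricted.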

default: "http://localhost:2379"
env variable: ETCD_LISTEN_CLIENT_URLS
example: "http://10.0.0.1:2379"
invalid example: "http://example.com:2379" (domain name is invalid for binding)

--max-snapshots
Maximum number of snapshots; 0 means unlimited. The setting has no effect on Windows.

default: 5
env variable: ETCD_MAX_SNAPSHOTS

--max-wals
Maximum number of write-ahead log files; 0 means unlimited. The setting has no effect on Windows.

default: 5
env variable: ETCD_MAX_WALS

--cors
Comma-separated white list of origins for CORS (cross-origin resource sharing).

default: none
env variable: ETCD_CORS

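Cluster configuration
--initial-advertise-peer-urls
Address advertised to the other nodes for data exchange (election, synchronization) with this node; the URL may use a domain name.

It differs from --listen-peer-urls in that listen-peer-urls controls which addresses accept incoming requests, while initial-advertise-peer-urls tells the other cluster nodes which URL to use. Generally, initial-advertise-peer-urls is a subset of listen-peer-urls.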

default: "http://localhost:2380"
env variable: ETCD_INITIAL_ADVERTISE_PEER_URLS
example: "http://example.com:2380, http://10.0.0.1:2380"

--initial-cluster
Configuration of all nodes in the cluster, separated by commas.

default: "default=http://localhost:2380"
env variable: ETCD_INITIAL_CLUSTER
The key is the value of the --name flag for each node provided. The default uses default for the key because this is the default for the --name flag.

--initial-cluster-state
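How the node is initialized: new means a new cluster is created if none exists; existing means that if the cluster does not exist, the node ends up in a failed-to-join state.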

default: "new"
env variable: ETCD_INITIAL_CLUSTER_STATE

--initial-cluster-token
Unique identifier of the cluster; nodes with the same token are treated as belonging to one cluster.

default: "etcd-cluster"
env variable: ETCD_INITIAL_CLUSTER_TOKEN

--advertise-client-urls
Tells the other etcd nodes which address clients use to reach this node; generally advertise-client-urls is a subset of listen-client-urls.

default: "http://localhost:2379"
env variable: ETCD_ADVERTISE_CLIENT_URLS
example: "http://example.com:2379, http://10.0.0.1:2379"

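Note: do not write http://localhost:2379 here. Doing so tells the other nodes that this node can be reached via localhost, so etcd clients would connect to their own localhost and fail to get through. There is an even worse case: if a proxy layer is deployed in front of etcd, the proxy keeps calling its own proxy endpoint through localhost, causing an infinite loop.

--discovery
Cluster discovery service URL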

default: none
env variable: ETCD_DISCOVERY

--discovery-srv
DNS discovery service address

default: none
env variable: ETCD_DISCOVERY_SRV

--discovery-fallback
Expected behavior ("exit" or "proxy") when discovery services fails. "proxy" supports v2 API only.

default: "proxy"
env variable: ETCD_DISCOVERY_FALLBACK

--discovery-proxy
HTTP proxy to use for traffic to discovery service.

default: none
env variable: ETCD_DISCOVERY_PROXY

--strict-reconfig-check
Reject reconfiguration requests that would cause quorum loss.

default: false
env variable: ETCD_STRICT_RECONFIG_CHECK

--auto-compaction-retention
Auto compaction retention for mvcc key value store in hour. 0 means disable auto compaction.

default: 0
env variable: ETCD_AUTO_COMPACTION_RETENTION

--enable-v2 Whether to accept V2 API requests
default: true
env variable: ETCD_ENABLE_V2

Proxy
--proxy
Proxy mode setting ("off", "readonly" or "on").

default: "off"
env variable: ETCD_PROXY

--proxy-failure-wait
Time (in milliseconds) an endpoint will be held in a failed state before being reconsidered for proxied requests.

default: 5000
env variable: ETCD_PROXY_FAILURE_WAIT

--proxy-refresh-interval
Time (in milliseconds) of the proxy endpoints refresh interval.

default: 30000
env variable: ETCD_PROXY_REFRESH_INTERVAL

--proxy-dial-timeout
Time (in milliseconds) for a dial to timeout or 0 to disable the timeout

default: 1000
env variable: ETCD_PROXY_DIAL_TIMEOUT

--proxy-write-timeout
Time (in milliseconds) for a write to timeout or 0 to disable the timeout.

default: 5000
env variable: ETCD_PROXY_WRITE_TIMEOUT

--proxy-read-timeout
Time (in milliseconds) for a read to timeout or 0 to disable the timeout.
Don't change this value if using watches, because watches use long polling requests.

default: 0
env variable: ETCD_PROXY_READ_TIMEOUT

Security
--cert-file
Path to the client server TLS cert file.

default: none
env variable: ETCD_CERT_FILE

--key-file
Path to the client server TLS key file.

default: none
env variable: ETCD_KEY_FILE

--client-cert-auth
Enable client cert authentication.

default: false
env variable: ETCD_CLIENT_CERT_AUTH

--trusted-ca-file
Path to the client server TLS trusted CA cert file.

default: none
env variable: ETCD_TRUSTED_CA_FILE

--auto-tls
Client TLS using generated certificates

default: false
env variable: ETCD_AUTO_TLS

--peer-cert-file
Path to the peer server TLS cert file.

default: none
env variable: ETCD_PEER_CERT_FILE

--peer-key-file
Path to the peer server TLS key file.

default: none
env variable: ETCD_PEER_KEY_FILE

--peer-client-cert-auth
Enable peer client cert authentication.

default: false
env variable: ETCD_PEER_CLIENT_CERT_AUTH

--peer-trusted-ca-file
Path to the peer server TLS trusted CA file.

default: none
env variable: ETCD_PEER_TRUSTED_CA_FILE

--peer-auto-tls
Peer TLS using generated certificates

default: false
env variable: ETCD_PEER_AUTO_TLS

Logging
--debug
Drop the default log level to DEBUG for all subpackages.

default: false (INFO for all packages)
env variable: ETCD_DEBUG

--log-package-levels
Set individual etcd subpackages to specific log levels. An example being etcdserver=WARNING,security=DEBUG

default: none (INFO for all packages)
env variable: ETCD_LOG_PACKAGE_LEVELS

Unsafe flags
--force-new-cluster
Force to create a new one-member cluster. It commits configuration changes forcing to remove all existing members in the cluster and add itself. It needs to be set to restore a backup.

default: false
env variable: ETCD_FORCE_NEW_CLUSTER

Other flags
--version
Print the version and exit.

default: false

--config-file
Load server configuration from a file.

default: none

Profiling flags
--enable-pprof
Enable runtime profiling data via HTTP server. Address is at client URL + "/debug/pprof/"

default: false

--metrics
Set level of detail for exported metrics, specify 'extensive' to include histogram metrics.

default: basic

Authentication
--auth-token
Specify a token type and token specific options, especially for JWT. Its format is "type,var1=val1,var2=val2,…". Possible type is 'simple' or 'jwt'. Possible variables are 'sign-method' for specifying a sign method of jwt (its possible values are 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', or 'PS512'), 'pub-key' for specifying a path to a public key for verifying jwt, and 'priv-key' for specifying a path to a private key for signing jwt.
