Installing etcd from binaries

Prepare the base environment

The cluster is built on three servers

Name Host
etcd1 10.0.20.120
etcd2 10.0.20.121
etcd3 10.0.20.122

Create the required directories

mkdir -p /data/etcd # etcd data directory
mkdir -p /opt/kubernetes/{bin,conf,ssl}

Create the certificates

Download the certificate tool CFSSL

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
export PATH=/usr/local/bin:$PATH

Create the CA certificate

CA configuration file

cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}

CA certificate signing request file

cat ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "XS",
"O": "k8s",
"OU": "System"
}
]
}

Generate the CA certificate and private key

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

Create the etcd certificate

etcd certificate request file

cat etcd-csr.json
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"10.0.20.120",
"10.0.20.121",
"10.0.20.122"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "XS",
"O": "k8s",
"OU": "System"
}
]
}

Generate the etcd certificate and private key

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd

Install etcd

Download etcd

etcd github

wget https://github.com/coreos/etcd/releases/download/v3.3.2/etcd-v3.3.2-linux-amd64.tar.gz
tar zxf etcd-v3.3.2-linux-amd64.tar.gz
cp /root/etcd-v3.3.2-linux-amd64/etcd /opt/kubernetes/bin/
cp /root/etcd-v3.3.2-linux-amd64/etcdctl /opt/kubernetes/bin/
export PATH=/opt/kubernetes/bin:$PATH

Create the systemd unit file for etcd

cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/data/etcd/
EnvironmentFile=-/opt/kubernetes/conf/etcd.conf
ExecStart=/opt/kubernetes/bin/etcd \
--name ${ETCD_NAME} \
--cert-file=/opt/kubernetes/ssl/etcd.pem \
--key-file=/opt/kubernetes/ssl/etcd-key.pem \
--peer-cert-file=/opt/kubernetes/ssl/etcd.pem \
--peer-key-file=/opt/kubernetes/ssl/etcd-key.pem \
--trusted-ca-file=/opt/kubernetes/ssl/ca.pem \
--peer-trusted-ca-file=/opt/kubernetes/ssl/ca.pem \
--initial-advertise-peer-urls ${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--listen-peer-urls ${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls ${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls ${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-cluster-token ${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster etcd1=https://10.0.20.120:2380,etcd2=https://10.0.20.121:2380,etcd3=https://10.0.20.122:2380 \
--initial-cluster-state new \
--data-dir=${ETCD_DATA_DIR}
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

cat /opt/kubernetes/conf/etcd.conf
# [member]
# On the other servers change the name, e.g. etcd2, etcd3
ETCD_NAME=etcd1
ETCD_DATA_DIR="/data/etcd"
# Change the address to the current server's address; the same applies to the URLs below
ETCD_LISTEN_PEER_URLS="https://10.0.20.120:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.20.120:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.20.120:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.20.120:2379"
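
The unit file above passes --trusted-ca-file and --peer-trusted-ca-file but neither --client-cert-auth nor --peer-client-cert-auth, and it appends an http://127.0.0.1:2379 client listener. The script below is an added example, not part of the original post: it reports those conditions for a unit file and its EnvironmentFile. The function names and the sample files (a constructed excerpt of the configuration above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an etcd unit file and
# its EnvironmentFile for gaps in TLS enforcement.

# has_flag FILE FLAG: true if FLAG is passed bare or as FLAG=true on a
# non-comment line (FLAG=false counts as absent).
has_flag() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq -e "(^|[[:space:]])$2(=true)?([[:space:]]|\$)"
}

# audit_etcd UNIT [CONF]: print one finding per line. The body is a
# subshell, so its variables do not leak into the caller.
audit_etcd() (
    unit=$1 conf=${2:-/dev/null}
    # etcd checks incoming requests for a client certificate signed by the
    # trusted CA only when the matching *client-cert-auth flag is set.
    for side in "" peer-; do
        if grep -q -e "--${side}trusted-ca-file" "$unit" &&
            ! has_flag "$unit" "--${side}client-cert-auth"; then
            echo "MISSING --${side}client-cert-auth"
        fi
    done
    # Plaintext URLs in the unit's *-urls flags or the env file's *_URLS vars.
    grep -hoE -e '(--[a-z-]+-urls|ETCD_[A-Z_]+_URLS)[= ]+[^[:space:]]+' \
        "$unit" "$conf" | grep 'http://' | sed 's/^/PLAINTEXT /'
    exit 0
)

# Constructed sample: the TLS-related lines of the unit and env file above.
write_samples() {
    cat > "$1/etcd.service" <<'EOF'
[Service]
ExecStart=/opt/kubernetes/bin/etcd \
  --cert-file=/opt/kubernetes/ssl/etcd.pem \
  --trusted-ca-file=/opt/kubernetes/ssl/ca.pem \
  --peer-trusted-ca-file=/opt/kubernetes/ssl/ca.pem \
  --listen-peer-urls ${ETCD_LISTEN_PEER_URLS} \
  --listen-client-urls ${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379
EOF
    cat > "$1/etcd.conf" <<'EOF'
ETCD_LISTEN_PEER_URLS="https://10.0.20.120:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.20.120:2379"
EOF
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
audit_etcd "$sample_dir/etcd.service" "$sample_dir/etcd.conf"
```

On a real host, pass /usr/lib/systemd/system/etcd.service and /opt/kubernetes/conf/etcd.conf as the two arguments; empty output means none of the three conditions was found.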

Start the etcd service

systemctl daemon-reload
systemctl enable etcd
systemctl start etcd

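Configuring the other servers

The other servers are configured the same way; only the settings marked above in /opt/kubernetes/conf/etcd.conf need to be changed.

Verify the etcd cluster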

etcdctl --ca-file=ca.pem --cert-file=etcd.pem --key-file=etcd-key.pem cluster-health
member 2ace0d1d062de77a is healthy: got healthy result from https://10.0.20.120:2379
member d27b13efcc954f59 is healthy: got healthy result from https://10.0.20.121:2379
member f896a8df22b61213 is healthy: got healthy result from https://10.0.20.122:2379
cluster is healthy
