> [!TIP]
> Deploying an etcd cluster on Alma and enabling SSL authentication. Please credit the source when reposting: https://janrs.com
> Alma version: 8.6
> etcd version: 3.5.5
Deploying an etcd cluster on Alma
> [!NOTE]
> Deployment method: binary deployment
> Working directory: /var/lib/etcd/
> Data directory: /data/etcd/
> Config file: /etc/etcd/etcd.conf
> Cluster bootstrap method: static. The other options are etcd discovery and DNS discovery.
1. Create the directories

> [!NOTE]
> Create them on every server.

```bash
mkdir -p /var/lib/etcd/ && \
mkdir -p /data/etcd/
```
2. Download etcd

> [!NOTE]
> Every etcd server needs to download and install it.

Download the etcd binary for your hardware architecture:

```bash
cd /home && \
wget https://github.com/etcd-io/etcd/releases/download/v3.5.5/etcd-v3.5.5-linux-amd64.tar.gz
```

Extract it:

```bash
tar -xzf etcd-v3.5.5-linux-amd64.tar.gz
```

Copy the binaries to /usr/local/bin/:

```bash
cp etcd-v3.5.5-linux-amd64/{etcd,etcdctl,etcdutl} /usr/local/bin/
```
3. Create etcd.conf

> [!NOTE]
> The config file lives at /etc/etcd/etcd.conf. Create etcd.conf on every server, changing the IP addresses to that server's own address.
> The directory /etc/etcd/ was already created when the SSL certificates were generated.
3-1. Create it on the etcd-01 server

```bash
cat > /etc/etcd/etcd.conf <<EOF
ETCD_NAME=etcd-01
ETCD_DATA_DIR="/data/etcd/"
ETCD_LISTEN_CLIENT_URLS="https://172.16.222.251:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://172.16.222.251:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.222.251:2380"
ETCD_INITIAL_CLUSTER="etcd-01=https://172.16.222.251:2380,etcd-02=https://172.16.222.252:2380,etcd-03=https://172.16.222.253:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.222.251:2379"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CERT_FILE="/etc/etcd/ssl/etcd-server.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-server-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-peer-key.pem"
EOF
```
3-2. Create it on the etcd-02 server

```bash
cat > /etc/etcd/etcd.conf <<EOF
ETCD_NAME=etcd-02
ETCD_DATA_DIR="/data/etcd/"
ETCD_LISTEN_CLIENT_URLS="https://172.16.222.252:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://172.16.222.252:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.222.252:2380"
ETCD_INITIAL_CLUSTER="etcd-01=https://172.16.222.251:2380,etcd-02=https://172.16.222.252:2380,etcd-03=https://172.16.222.253:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.222.252:2379"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CERT_FILE="/etc/etcd/ssl/etcd-server.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-server-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-peer-key.pem"
EOF
```
3-3. Create it on the etcd-03 server

```bash
cat > /etc/etcd/etcd.conf <<EOF
ETCD_NAME=etcd-03
ETCD_DATA_DIR="/data/etcd/"
ETCD_LISTEN_CLIENT_URLS="https://172.16.222.253:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://172.16.222.253:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.222.253:2380"
ETCD_INITIAL_CLUSTER="etcd-01=https://172.16.222.251:2380,etcd-02=https://172.16.222.252:2380,etcd-03=https://172.16.222.253:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.222.253:2379"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CERT_FILE="/etc/etcd/ssl/etcd-server.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-server-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-peer-key.pem"
EOF
```
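The three files above differ only in the node name and IP, and one http:// listener or one cert-auth flag left at anything but `true` quietly undoes the protection the rest of the setup provides. The following shell check is an added example, not part of the original post: it audits an etcd.conf for exactly the TLS settings this section relies on. The function names and the sample fragment it runs on are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit an etcd.conf for the TLS
# settings used in this guide. check_etcd_conf returns 0 only when fully hardened.
set -u

# conf_get FILE KEY: value of the last KEY=... line, surrounding double quotes stripped.
conf_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}

# check_etcd_conf FILE: prints one line per problem found, returns 1 if there are any.
check_etcd_conf() {
  local f="$1" key="" val="" problems=0
  # Every listen/advertise URL must be https://; a plaintext listener bypasses cert auth.
  for key in ETCD_LISTEN_CLIENT_URLS ETCD_LISTEN_PEER_URLS ETCD_ADVERTISE_CLIENT_URLS \
             ETCD_INITIAL_ADVERTISE_PEER_URLS ETCD_INITIAL_CLUSTER; do
    val=$(conf_get "$f" "$key")
    if [ -z "$val" ]; then
      echo "$key: missing"; problems=$((problems + 1))
    elif printf '%s' "$val" | grep -q 'http://'; then
      echo "$key: contains plaintext http:// URL"; problems=$((problems + 1))
    fi
  done
  # Both certificate-auth switches must be literally "true".
  for key in ETCD_CLIENT_CERT_AUTH ETCD_PEER_CLIENT_CERT_AUTH; do
    [ "$(conf_get "$f" "$key")" = "true" ] || { echo "$key: not true"; problems=$((problems + 1)); }
  done
  # CA, certificate and key paths must all be set on both the client and the peer side.
  for key in ETCD_TRUSTED_CA_FILE ETCD_CERT_FILE ETCD_KEY_FILE \
             ETCD_PEER_TRUSTED_CA_FILE ETCD_PEER_CERT_FILE ETCD_PEER_KEY_FILE; do
    [ -n "$(conf_get "$f" "$key")" ] || { echo "$key: missing"; problems=$((problems + 1)); }
  done
  [ "$problems" -eq 0 ]
}

# Demo on a constructed fragment: a plaintext loopback listener and peer auth switched off.
demo=$(mktemp)
printf '%s\n' 'ETCD_LISTEN_CLIENT_URLS="https://172.16.222.251:2379,http://127.0.0.1:2379"' \
  'ETCD_PEER_CLIENT_CERT_AUTH="false"' > "$demo"
check_etcd_conf "$demo" || echo "etcd.conf is NOT hardened"
rm -f "$demo"
```

Run it as `check_etcd_conf /etc/etcd/etcd.conf` on each node before starting the service.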
4. Create the systemd service

> [!NOTE]
> Create it on every server.

```bash
# The delimiter is quoted so that $(nproc) is written into the unit literally
# and evaluated by bash each time the service starts.
cat > /usr/lib/systemd/system/etcd.service <<'EOF'
[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd
EnvironmentFile=-/etc/etcd/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/local/bin/etcd"

[Install]
WantedBy=multi-user.target
EOF
```
5. Start the service

> [!NOTE]
> Run this on every server. Because this is a cluster rather than a single node, open three SSH tabs, one connected to each server, and run the start command on all of them as close to simultaneously as possible: each member only waits a limited time for the other members to come up and join the cluster.

```bash
# reload unit files first so systemd picks up the newly created etcd.service
systemctl daemon-reload && \
systemctl start etcd && \
systemctl enable etcd
```
6. Check the status

Check the cluster health:

```bash
etcdctl --cacert=/etc/etcd/ssl/ca.pem \
--cert=/etc/etcd/ssl/etcd-peer.pem \
--key=/etc/etcd/ssl/etcd-peer-key.pem \
--endpoints="https://172.16.222.251:2379,https://172.16.222.252:2379,https://172.16.222.253:2379" \
endpoint health --write-out="table"
```

Output; every endpoint shows HEALTH = true:

```text
+-----------------------------+--------+--------------+-------+
| ENDPOINT                    | HEALTH | TOOK         | ERROR |
+-----------------------------+--------+--------------+-------+
| https://172.16.222.251:2379 | true   | 87.487725ms  |       |
| https://172.16.222.253:2379 | true   | 94.307218ms  |       |
| https://172.16.222.252:2379 | true   | 101.805089ms |       |
+-----------------------------+--------+--------------+-------+
```

List the members:

```bash
etcdctl --cacert=/etc/etcd/ssl/ca.pem \
--cert=/etc/etcd/ssl/etcd-peer.pem \
--key=/etc/etcd/ssl/etcd-peer-key.pem \
--endpoints="https://172.16.222.251:2379,https://172.16.222.252:2379,https://172.16.222.253:2379" \
member list --write-out="table"
```

Output:

```text
+------------------+---------+---------+-----------------------------+-----------------------------+------------+
| ID               | STATUS  | NAME    | PEER ADDRS                  | CLIENT ADDRS                | IS LEARNER |
+------------------+---------+---------+-----------------------------+-----------------------------+------------+
| 8933da549f2df9c1 | started | etcd-03 | https://172.16.222.253:2380 | https://172.16.222.253:2379 | false      |
| e183d05eac83e8f9 | started | etcd-02 | https://172.16.222.252:2380 | https://172.16.222.252:2379 | false      |
| e50946ec693869c1 | started | etcd-01 | https://172.16.222.251:2380 | https://172.16.222.251:2379 | false      |
+------------------+---------+---------+-----------------------------+-----------------------------+------------+
```
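Reading the health table by eye works once; for a cron job or monitoring probe you want a pass/fail answer. The function below is an added example, not part of the original post: it parses the `endpoint health --write-out=table` output shown above and fails if any member is missing, unhealthy or reports an error. Both sample tables are constructed (the healthy one copies the output above; the degraded one is invented to show the failure path).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): turn `etcdctl endpoint health
# --write-out=table` output into a pass/fail probe for a cron job or monitor.

# cluster_healthy EXPECTED: reads the table on stdin; returns 0 only when exactly
# EXPECTED endpoint rows are present, each with HEALTH = true and an empty ERROR.
cluster_healthy() {
  awk -F'|' -v want="$1" '
    /^[|] *https?:\/\// {                  # data rows start with the endpoint URL
      health = $3; gsub(/ /, "", health)   # HEALTH column
      err = $5;    gsub(/^ +| +$/, "", err) # ERROR column, trimmed
      rows++
      if (health != "true" || err != "") bad++
    }
    END { exit (rows > 0 && rows == want && bad == 0) ? 0 : 1 }'
}

# Constructed sample: a copy of the healthy table shown above.
SAMPLE_OK='+-----------------------------+--------+--------------+-------+
| ENDPOINT                    | HEALTH | TOOK         | ERROR |
+-----------------------------+--------+--------------+-------+
| https://172.16.222.251:2379 | true   | 87.487725ms  |       |
| https://172.16.222.253:2379 | true   | 94.307218ms  |       |
| https://172.16.222.252:2379 | true   | 101.805089ms |       |
+-----------------------------+--------+--------------+-------+'

# Constructed sample: one member unreachable, one member missing from the table.
SAMPLE_DEGRADED='+-----------------------------+--------+-------------+---------------------------+
| ENDPOINT                    | HEALTH | TOOK        | ERROR                     |
+-----------------------------+--------+-------------+---------------------------+
| https://172.16.222.251:2379 | true   | 87.487725ms |                           |
| https://172.16.222.252:2379 | false  | 5.001s      | context deadline exceeded |
+-----------------------------+--------+-------------+---------------------------+'

if printf '%s\n' "$SAMPLE_OK" | cluster_healthy 3; then echo "cluster healthy"; fi
if ! printf '%s\n' "$SAMPLE_DEGRADED" | cluster_healthy 3; then echo "cluster DEGRADED"; fi
```

In practice pipe the real command into it: `etcdctl ... endpoint health --write-out=table | cluster_healthy 3`.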
7. Other operations

Stop the service:

```bash
systemctl stop etcd && \
systemctl disable etcd && \
systemctl daemon-reload
```

If the service fails to restart, the old data has to be removed:

```bash
rm -rvf /data/etcd/* && rm -rvf /var/lib/etcd/*
```

Remove the SSL certificates:

```bash
rm -rvf /etc/etcd/ssl/*
```

Remove the config file:

```bash
rm -rvf /etc/etcd/etcd.conf
```