2.etcd集群的安装（cfssl版）

etcd的安装注意两点 1.systemd的配置文件   2. 证书

1. 解决 systemd的问题，想安装指定版本的etcd可以通过 yum方式安装 etcd 可以获得 systemc 和 etcd.conf 的模板。

[root@master01 etcd-v3.3.13-linux-amd64]# rpm -ql etcd
/etc/etcd
/etc/etcd/etcd.conf
/usr/bin/etcd
/usr/bin/etcdctl
/usr/lib/systemd/system/etcd.service
/usr/share/doc/etcd-3.3.11
/usr/share/doc/etcd-3.3.11/CHANGELOG.md
........
.......
.....
/usr/share/man/man1/etcdctl3.1.gz
/var/lib/etcd
------------------------------------------------------------------------------------
[root@master01 etcd-v3.3.13-linux-amd64]# !cat
cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
User=etcd
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
[root@master01 etcd-v3.3.13-linux-amd64]# cat /etc/etcd/etcd.conf
#[Member]
#ETCD_CORS=""
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_WAL_DIR=""
#ETCD_LISTEN_PEER_URLS="http://localhost:2380"
ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
ETCD_NAME="default"
#ETCD_SNAPSHOT_COUNT="100000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
#ETCD_QUOTA_BACKEND_BYTES="0"
#ETCD_MAX_REQUEST_BYTES="1572864"
#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"
#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"
#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
#
#[Clustering]
#ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_DISCOVERY_SRV=""
#ETCD_INITIAL_CLUSTER="default=http://localhost:2380"
#ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="new"
#ETCD_STRICT_RECONFIG_CHECK="true"
#ETCD_ENABLE_V2="true"
#
#[Proxy]
#ETCD_PROXY="off"
#ETCD_PROXY_FAILURE_WAIT="5000"
#ETCD_PROXY_REFRESH_INTERVAL="30000"
#ETCD_PROXY_DIAL_TIMEOUT="1000"
#ETCD_PROXY_WRITE_TIMEOUT="5000"
#ETCD_PROXY_READ_TIMEOUT="0"
#
#[Security]
#ETCD_CERT_FILE=""
#ETCD_KEY_FILE=""
#ETCD_CLIENT_CERT_AUTH="false"
#ETCD_TRUSTED_CA_FILE=""
#ETCD_AUTO_TLS="false"
#ETCD_PEER_CERT_FILE=""
#ETCD_PEER_KEY_FILE=""
#ETCD_PEER_CLIENT_CERT_AUTH="false"
#ETCD_PEER_TRUSTED_CA_FILE=""
#ETCD_PEER_AUTO_TLS="false"
#
#[Logging]
#ETCD_DEBUG="false"
#ETCD_LOG_PACKAGE_LEVELS=""
#ETCD_LOG_OUTPUT="default"
#
#[Unsafe]
#ETCD_FORCE_NEW_CLUSTER="false"
#
#[Version]
#ETCD_VERSION="false"
#ETCD_AUTO_COMPACTION_RETENTION="0"
#
#[Profiling]
#ETCD_ENABLE_PPROF="false"
#ETCD_METRICS="basic"
#
#[Auth]
#ETCD_AUTH_TOKEN="simple"

2. 解决证书问题

curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64  -o cfssl_linux-amd64
curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64  -o cfssljson_linux-amd64
mv  cfssl_linux_amd64 /bin/cfssl
mv cfssljson_linux_amd64 /bin/cfssljson
-------------------------------------------------------------------------
生成根证书文件
[root@master01 ~]# cat ca-config.json ca-csr.json
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "kubernetes": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
            "client auth"
                ]
            },
            "etcd": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
{
    "key": {
        "algo": "rsa",
        "size":
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "cnpc",
            "OU": "RF"
        }
    ]
}
-----------------------------------------------------------------------
[root@master01 ~]# ./cfssl_linux-amd64 gencert --initca ca-csr.json | cfssljson --bare ca
// :: [INFO] generating a new CA key and certificate from CSR
// :: [INFO] generate received request
// :: [INFO] received CSR
// :: [INFO] generating key: rsa-
// :: [INFO] encoded CSR
// :: [INFO] signed certificate with serial number
[root@master01 ~]# ls ca* -l
-rw-r--r--  root root   May  : ca-config.json
-rw-r--r--  root root   May  : ca.csr
-rw-r--r--  root root   May  : ca-csr.json
-rw-------  root root  May  : ca-key.pem
-rw-r--r--  root root  May  : ca.pem
------------------------------------------------------------------------
生产集群验证证书
[root@master01 ~]# cat etcd-csr.json
{
  "CN": "etcd-server",
  "hosts": [
    "localhost",
    "0.0.0.0",
    "127.0.0.1",
    "192.168.141.135",
    "192.168.141.136",
    "192.168.141.137"
  ],
  "key": {
    "algo": "rsa",
    "size":
  },
  "names": [
    {
        "C": "CN",
        "L": "Beijing",
        "ST": "Beijing",
        "O": "cnpc",
        "OU": "RF"}
  ]
}

[root@master01 ~]# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
// :: [INFO] generate received request
// :: [INFO] received CSR
// :: [INFO] generating key: rsa-
// :: [INFO] encoded CSR
// :: [INFO] signed certificate with serial number
// :: [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1., from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2. ("Information Requirements").

-------------------------------------------------------------------------
etcd客户端访问证书 可有可不用。

[root@master01 ~]# cat etcd-client-csr.json
{
  "CN": "etcd-client",
  "hosts": [
    ""
  ],
  "key": {
    "algo": "rsa",
    "size":
  },
  "names": [
    {
        "C": "CN",
        "L": "Beijing",
        "ST": "Beijing",
        "O": "cnpc",
        "OU": "RF"}
  ]
}

[root@master01 ~]# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-client-csr.json | cfssljson -bare etcd-client
// :: [INFO] generate received request
// :: [INFO] received CSR
// :: [INFO] generating key: rsa-
// :: [INFO] encoded CSR
// :: [INFO] signed certificate with serial number
// :: [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1., from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2. ("Information Requirements").
[root@master01 ~]# ls etcd-client* -l
-rw-r--r--  root root  May  : etcd-client.csr
-rw-r--r--  root root   May  : etcd-client-csr.json
-rw-------  root root  May  : etcd-client-key.pem
-rw-r--r--  root root  May  : etcd-client.pem
------------------------------------

3.修改配置文件进行etcd启动

　

[root@master01 ~]# cat /etc/etcd/etcd.conf
# [member]
ETCD_NAME=etcd1
ETCD_DATA_DIR="/var/lib/etcd/etcd1.etcd"
ETCD_WAL_DIR="/var/lib/etcd/wal"
ETCD_SNAPSHOT_COUNT="100"
ETCD_HEARTBEAT_INTERVAL="100"
ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://192.168.141.136:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.141.136:2379,http://127.0.0.1:2379"
ETCD_MAX_SNAPSHOTS="5"
ETCD_MAX_WALS="5"
#ETCD_CORS=""
# [cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.141.136:2380"
# if you use different ETCD_NAME (e.g. test), set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
ETCD_INITIAL_CLUSTER="etcd0=https://192.168.141.135:2380,etcd1=https://192.168.141.136:2380,etcd2=https://192.168.141.137:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.141.136:2379"

#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_SRV=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_STRICT_RECONFIG_CHECK="false"
#ETCD_AUTO_COMPACTION_RETENTION="0"
# [proxy]
#ETCD_PROXY="off"/
#ETCD_PROXY_FAILURE_WAIT="5000"
#ETCD_PROXY_REFRESH_INTERVAL="30000"
#ETCD_PROXY_DIAL_TIMEOUT="1000"
#ETCD_PROXY_WRITE_TIMEOUT="5000"
#ETCD_PROXY_READ_TIMEOUT="0"
# [security]
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_AUTO_TLS="true"
# [logging]
#ETCD_DEBUG="false"
# examples for -log-package-levels etcdserver=WARNING,security=DEBUG
#ETCD_LOG_PACKAGE_LEVELS=""　　

记得修改不通的node上的配置文件，保证统一合理。

4.启动查看状态

[root@master01 ~]# etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379 endpoint status
https://192.168.141.135:2379, b306da3cfa564bfe, 3.3.11, 20 kB, false, 2, 8
https://192.168.141.136:2379, e43238dbe44b3543, 3.3.11, 20 kB, true, 2, 8
https://192.168.141.137:2379, 95d8aab064c5a521, 3.3.11, 20 kB, false, 2, 8
[root@master01 ~]# etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379 endpoint health
https://192.168.141.137:2379 is healthy: successfully committed proposal: took = 6.097643ms
https://192.168.141.136:2379 is healthy: successfully committed proposal: took = 6.426622ms
https://192.168.141.135:2379 is healthy: successfully committed proposal: took = 2.639766ms