一 介绍

     Etcd是一个高可用的 Key/Value 存储系统,主要用于分享配置和服务发现。

     简单:支持 curl 方式的用户 API (HTTP+JSON)

     安全:可选 SSL 客户端证书认证

     快速:单实例可达每秒 1000 次写操作

     可靠:使用 Raft 实现分布式

二 搭建开始

2.1 yum 安装etcd服务 (三台执行)

yum  -y install etcd

[root@k8s-master ~]# etcd -version
etcd Version: 3.3.11
Git SHA: 2cf9e51
Go Version: go1.10.3
Go OS/Arch: linux/amd64

2.2 安装cfssl工具,并配置证书:这里采用的是共用证书的方式(master执行)

mkdir  /etc/etcd/ssl

cd /etc/etcd/ssl

cat  etcd-root-ca-csr.json       #etcd根CA证书

{

   "key": {

     "algo": "rsa",

     "size": 4096

   },

   "names": [

     {

       "O": "etcd",

       "OU": "etcd Security",

       "L": "Beijing",

       "ST": "Beijing",

       "C": "CN"

     }

   ],

   "CN": "etcd-root-ca"

}

cat etcd-gencert.json      #etcd集群证书

{

  "signing": {

    "default": {

        "usages": [

          "signing",

          "key encipherment",

          "server auth",

          "client auth"

        ],

        "expiry": "87600h"

    }

  }

}

cat  etcd-csr.json    #etcd集群证书

{

  "key": {

    "algo": "rsa",

    "size": 4096

  },

  "names": [

    {

      "O": "etcd",

      "OU": "etcd Security",

      "L": "Beijing",

      "ST": "Beijing",

      "C": "CN"

    }

  ],

  "CN": "etcd",

  "hosts": [

    "127.0.0.1",

    "localhost",

    "192.168.137.66",

    "192.168.137.16",

    "192.168.137.26",

    "k8s-master",

    "k8s-node1",

    "k8s-node2"            -------->注意最后没有 ,

  ]

}

下载 cfssl

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

chmod +x cfssl_linux-amd64 cfssljson_linux-amd64

mv cfssl_linux-amd64 /usr/local/bin/cfssl

mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

生成证书

cfssl gencert --initca=true etcd-root-ca-csr.json | cfssljson --bare etcd-root-ca

cfssl gencert --ca etcd-root-ca.pem --ca-key etcd-root-ca-key.pem --config etcd-gencert.json etcd-csr.json | cfssljson --bare etcd

生成的文件列表如下 tree  .

.

├── etcd.csr

├── etcd-csr.json

├── etcd-gencert.json

├── etcd-key.pem

├── etcd.pem

├── etcd-root-ca.csr

├── etcd-root-ca-csr.json

├── etcd-root-ca-key.pem

├── etcd-root-ca.pem

2.3 分发证书(master执行)

I="192.168.137.16 192.168.137.26"

for IP in $I; do

    ssh root@$IP mkdir /etc/etcd/ssl/

    scp *.pem root@$IP:/etc/etcd/ssl/

    ssh root@$IP chown -R etcd:etcd /etc/etcd/ssl/

    ssh root@$IP chmod -R 755 /etc/etcd/

done

#本台服务器也要设置权限
cd  /etc/etcd/ssl
chown -R etcd:etcd /etc/etcd/ssl
chmod -R 755 /etc/etcd/ssl

2.4 修改配置文件(master执行)

[root@k8s-master ssl]# cat /etc/etcd/etcd.conf |grep -v '^#'

ETCD_DATA_DIR="/var/lib/etcd/default.etcd"

ETCD_LISTEN_PEER_URLS="https://192.168.137.66:2380"

ETCD_LISTEN_CLIENT_URLS="https://192.168.137.66:2379,http://127.0.0.1:2379"

ETCD_NAME="etcd01"

ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.137.66:2380"

ETCD_ADVERTISE_CLIENT_URLS="https://192.168.137.66:2379"

ETCD_INITIAL_CLUSTER="etcd01=https://192.168.137.66:2380,etcd02=https://192.168.137.16:2380,etcd03=https://192.168.137.26:2380"

ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

ETCD_INITIAL_CLUSTER_STATE="new"    #注意状态为new

ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"

ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"

ETCD_CLIENT_CERT_AUTH="True"

ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-root-ca.pem"

ETCD_AUTO_TLS="True"

ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"

ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"

ETCD_PEER_CLIENT_CERT_AUTH="True"

ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-root-ca.pem"

ETCD_PEER_AUTO_TLS="True"

其他节点:注意上面的蓝色部分是要 修改的(其他节点上执行)

# k8s-node1

ETCD_LISTEN_PEER_URLS="https://192.168.137.16:2380"

ETCD_LISTEN_CLIENT_URLS="https://192.168.137.16:2379,http://127.0.0.1:2379"

ETCD_NAME="etcd02"

ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.137.16:2380"

ETCD_ADVERTISE_CLIENT_URLS="https://192.168.137.16:2379"
ETCD_INITIAL_CLUSTER_STATE="existing"  #注意这里,不能为new,有的是exist,但是这个版本测试为existing

# k8s-node2
ETCD_LISTEN_PEER_URLS="https://192.168.137.26:2380"

ETCD_LISTEN_CLIENT_URLS="https://192.168.137.26:2379,http://127.0.0.1:2379"

ETCD_NAME="etcd02"

ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.137.26:2380"

ETCD_ADVERTISE_CLIENT_URLS="https://192.168.137.26:2379"
ETCD_INITIAL_CLUSTER_STATE="existing"

2.5 启动(master先执行,其他两台后执行):master启动时间漫长,说明配置有问题

systemctl  daemon-reload

systemctl  start etcd

systemctl  enable  etcd

2.6 设置 etcdctl 的版本,有 v2和v3版本,他们的命令不同,这里采用v3版本

#export ETCDCTL_API=3
#cat /etc/profile
 .....
 export ETCDCTL_API=3

2.7 验证节点状态

etcdctl --cacert=/etc/etcd/ssl/etcd-root-ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem   \
--endpoints=https://192.168.137.66:2379,https://192.168.137.16:2379,https://192.168.137.26:2379 endpoint health
[root@k8s-master ssl]# etcdctl --cacert=/etc/etcd/ssl/etcd-root-ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.137.66:2379,https://192.168.137.16:2379,https://192.168.137.26:2379 endpoint health

https://192.168.137.16:2379 is healthy: successfully committed proposal: took = 4.807966ms

https://192.168.137.66:2379 is healthy: successfully committed proposal: took = 3.790949ms
https://192.168.137.66:2379 is healthy: successfully committed proposal: took = 2.493048ms

2.8 版本为2时对etcd的检查

export ETCDCTL_API=2

[root@k8s-master ssl]# etcdctl --ca-file=/etc/etcd/ssl/etcd-root-ca.pem --cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem  \
  --endpoints=https://192.168.137.66:2379,https://192.168.137.16:2379 cluster-health

member 457528f516aae01a is healthy: got healthy result from https://192.168.137.66:2379

member b13478c4279881c2 is healthy: got healthy result from https://192.168.137.16:2379

cluster is healthy

三 报错以及解决

error 1:执行etcdctl命令检查时报错

etcdctl --cacert=/etc/etcd/ssl/etcd-root-ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem   \
--endpoints=https://192.168.137.66:2379,https://192.168.137.16:2379,https://192.168.137.26:2379 endpoint health
........
flag provided but not defined: -cacert

solution:版本不同,命令的格式不同

export ETCDCTL_API=3

error 2: failed to check the health of member 6c70a880257288f on https://192.168.137.16:2379: Get https://192.168.137.16:2379/health: remote error: tls: bad certificate

solution:证书问题

重做步骤2.2和2.3

error 3: couldn't find local name "etcd04" in the initial cluster configuration

solution:配置文件问题

检查步骤2.4,着重看以下方面

ETCD_NAME="etcd01"

ETCD_INITIAL_CLUSTER="etcd01=https://192.168.137.66:2380,etcd02=https://192.168.137.16:2380,etcd03=https://192.168.137.26:2380"

接着执行下面的命令
systemctl stop etcd

rm -rf /var/lib/etcd/default.etcd

systemctl daemon-reload && systemctl restart etcd

error 4:错误如下

[root@k8s-node1 ~]# etcdctl member list

Error: dial tcp 127.0.0.1:2379: connect: connection refused

solution:根据步骤2.4修改

ETCD_LISTEN_CLIENT_URLS="https://192.168.137.16:2379,http://127.0.0.1:2379"

[root@k8s-node1 ~]# etcdctl member list
457528f516aae01a, started, etcd01, https://192.168.137.66:2380, https://192.168.137.66:2379
b13478c4279881c2, started, etcd02, https://192.168.137.16:2380, https://192.168.137.16:2379

a93278c4200188c5, started, etcd03, https://192.168.137.26:2380, https://192.168.137.26:2379

k8s集群搭建之二:etcd集群的搭建的更多相关文章

  1. linux下oracle11G DG搭建(二):环绕主库搭建操作

    linux下oracle11G DG搭建(二):环绕主库搭建操作 环境 名称 主库 备库 主机名 bjsrv shsrv 软件版本号 RedHat Enterprise5.5.Oracle 11g 1 ...

  2. kubeadm 线上集群部署(一) 外部 ETCD 集群搭建

      IP Hostname   192.168.1.23 k8s-etcd-01 etcd集群节点,默认关于ETCD所有操作均在此节点上操作 192.168.1.24 k8s-etcd-02 etcd ...

  3. 使用k8s operator安装和维护etcd集群

    关于Kubernetes Operator这个新生事物,可以参考下文来了解这一技术的来龙去脉: https://yq.aliyun.com/articles/685522?utm_content=g_ ...

  4. 彻底搞懂 etcd 系列文章(三):etcd 集群运维部署

    0 专辑概述 etcd 是云原生架构中重要的基础组件,由 CNCF 孵化托管.etcd 在微服务和 Kubernates 集群中不仅可以作为服务注册与发现,还可以作为 key-value 存储的中间件 ...

  5. 使用Kubeadm搭建高可用Kubernetes集群

    1.概述 Kubenetes集群的控制平面节点(即Master节点)由数据库服务(Etcd)+其他组件服务(Apiserver.Controller-manager.Scheduler...)组成. ...

  6. kubernetes部署 etcd 集群

    本文档介绍部署一个三节点高可用 etcd 集群的步骤: etcd 集群各节点的名称和 IP 如下: kube-node0:192.168.111.10kube-node1:192.168.111.11 ...

  7. 使用docker配置etcd集群

    docker配置etcd集群与直接部署etcd集群在配置上并没有什么太大差别. 我这里直接使用docker-compose来实现容器化的etcd部署 环境如下: HostName IP etcd1 1 ...

  8. Kubernetes(k8s)集群部署(k8s企业级Docker容器集群管理)系列之自签TLS证书及Etcd集群部署(二)

    0.前言 整体架构目录:ASP.NET Core分布式项目实战-目录 k8s架构目录:Kubernetes(k8s)集群部署(k8s企业级Docker容器集群管理)系列目录 一.服务器设置 1.把每一 ...

  9. Etcd学习(二)集群搭建Clustering

    1.单个etcd节点(测试开发用) 之前我一直开发测试一直是用的一个Etcd节点,然后启动命令一直都是直接打一个etcd(我已经将etcd安装目录的bin目录加入到PATH环 境变量中),然后启动信息 ...

随机推荐

  1. error: Error trying to parse settings: Unexpected trailing characters in Packages\User\Preferences.sublime-settings:9:2 reloading settings Packages/User/Preferences.sublime-settings

    error: Error trying to parse settings: Unexpected trailing characters in Packages\User\Preferences.s ...

  2. 【串线篇】idea下的springboot入门配置

    1.Spring Boot 简介 简化Spring应用开发的一个框架: 整个Spring技术栈的一个大整合: J2EE开发的一站式解决方案: 2.微服务 2014,martin fowler 微服务: ...

  3. c++ vector push_back对象的时候存起来的是拷贝[转]

    比如 class C1; vector<C1> vec; C1* p=new C1; vec v1; v1.push_back(&(*p)); delete p; 这里,传进函数的 ...

  4. 【多线程】synchronized 和ReentrantLock

    1. 锁的实现 synchronized 是 JVM 实现的,而 ReentrantLock 是 JDK 实现的. 2. 性能 新版本 Java 对 synchronized 进行了很多优化,例如自旋 ...

  5. C# ArrayList、HashSet、HashTable、List、Dictionary的区别

    在C#中,数组由于是固定长度的,所以常常不能满足我们开发的需求. 由于这种限制不方便,所以出现了ArrayList. ArrayList.List<T> ArrayList是可变长数组,你 ...

  6. 【dart学习】-- Dart之异步编程

    一,概述 编程中的代码执行,通常分为同步与异步两种. 同步:简单说,同步就是按照代码的编写顺序,从上到下依次执行,这也是最简单的我们最常接触的一种形式.但是同步代码的缺点也显而易见,如果其中某一行或几 ...

  7. nodejs搭建服务器 和 操作数据库

    1.express框架:是一个简洁而灵活的 node.js Web应用框架.一般的项目都是基于这个框架开发的.http://www.runoob.com/nodejs/nodejs-express-f ...

  8. rabbitmq安装-1

    原文地址和下载地址 原方地址: https://www.cnblogs.com/jiagoushi/p/9961388.html rabbitmq下载地址: https://github.com/ra ...

  9. django中初学常犯错误之梳理

    一,关于setting设置,1,两个INSRALLEN_APPS,需要将新建的app添加进去 2,需要再setting将html的路径拼接起来 二,urls.py 设置,from app名 impor ...

  10. Insmod模块加载过程分析

    一.背景 a) 在进行JZ2440的一个小demo开发的时候,使用自己编译的内核(3.4.2)及lcd模块进行加载时,insmod会提示加载失败因为内核版本不匹配(提示当前内核版本为空),并且显示模块 ...