Installing an etcd cluster on CentOS 7

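This article describes in detail how to deploy a highly available etcd cluster with scripts, including firewall port configuration, hosts file setup, certificate generation and distribution, and writing the install script.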


0.1 Open the required firewall ports
00.addPort2FW.sh

firewall-cmd --zone=public --add-port=2379/tcp --permanent
firewall-cmd --zone=public --add-port=2380/tcp --permanent
firewall-cmd --reload

0.2 Configure hosts on all nodes (required to reach the etcd nodes by name)
00.configHost.sh

echo '172.20.10.7 etcdnode01' >> /etc/hosts
echo '172.20.10.8 etcdnode02' >> /etc/hosts
echo '172.20.10.9 etcdnode03' >> /etc/hosts
echo '172.20.10.10 etcdnode04' >> /etc/hosts
echo '172.20.10.11 etcdnode05' >> /etc/hosts

1. Generate the CA on the primary node and distribute it to every node
ca-csr.json

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

ca-config.json

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}

etcd-csr.json

{
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "O": "etcd",
      "OU": "etcd Security",
      "L": "Beijing",
      "ST": "Beijing",
      "C": "CN"
    }
  ],
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "localhost",
    "etcdnode01",
    "etcdnode02",
    "etcdnode03",
    "etcdnode04",
    "etcdnode05",
    "node1",
    "node2"
  ]
}

Run the following commands to generate the certificates

./caTools/cfssl gencert -initca ./caTools/ca-csr.json | ./caTools/cfssljson -bare ca
./caTools/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=./caTools/ca-config.json -profile=kubernetes ./caTools/etcd-csr.json | ./caTools/cfssljson -bare etcd

For how to download cfssl, cfssl-certinfo and cfssljson, refer to my other article.
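
The hosts list in etcd-csr.json becomes the certificate's subject alternative names, so every node name the cluster uses has to appear in it or TLS verification between nodes fails. The check below is an added example, not part of the original post; it assumes the etcdnode0<i> naming produced by 02.installEtcd.sh, and the function name missing_sans and the embedded sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the original post's code: report node names that
# 02.installEtcd.sh would generate but etcd-csr.json does not list.

# missing_sans CSR_FILE TOTAL -> prints each etcdnode0<i> absent from "hosts"
# Assumes the multi-line "hosts" array layout used on this page.
missing_sans() {
    csr_file=$1
    total=$2
    # Quoted strings between "hosts" and the closing bracket, one per line
    hosts=$(sed -n '/"hosts"/,/]/p' "$csr_file" |
            grep -o '"[^"]*"' | tr -d '"' | grep -vx 'hosts' || true)
    i=1
    while [ "$i" -le "$total" ]; do
        name="etcdnode0$i"
        # -x matches whole lines, so a listed etcdnode010 is not taken
        # for etcdnode01
        printf '%s\n' "$hosts" | grep -qxF -e "$name" || printf '%s\n' "$name"
        i=$((i + 1))
    done
}

# Constructed sample: the "hosts" section of this page's etcd-csr.json
sample_csr=$(mktemp)
trap 'rm -f "$sample_csr"' EXIT
cat > "$sample_csr" <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "localhost",
    "etcdnode01",
    "etcdnode02",
    "etcdnode03",
    "etcdnode04",
    "etcdnode05",
    "node1",
    "node2"
  ]
}
EOF

for n in 5 7 10; do
    echo "total=$n missing: $(missing_sans "$sample_csr" "$n" | tr '\n' ' ')"
done
```

With more than five nodes the CSR has to be extended and the certificate reissued before the install script is run; from the tenth node on, the generated name is etcdnode010, not etcdnode10.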

1.1 Use the scp command to send them to the other nodes

2. Prepare the install script 02.installEtcd.sh

echo "input total etcd node number:"
read total
echo "input current node number:"
read current

cluster_url='ETCD_INITIAL_CLUSTER="'
check_url='nodelist="'
for((i=1;i<=total;i++));
do
 cluster_url=${cluster_url}"etcd0"${i}"=https://etcdnode0"${i}":2380"
 check_url=${check_url}"https://etcdnode0"${i}":2379"
 if [ $i == $total ]; then
   cluster_url=${cluster_url}"\""
   check_url=${check_url}"\""
 else
   cluster_url=${cluster_url}","
   check_url=${check_url}","
 fi
done

echo "ETCD_NAME=etcd0"${current} > ./etcd.conf
echo ETCD_DATA_DIR=\"/opt/etcd/data\" >> ./etcd.conf
echo ETCD_LISTEN_PEER_URLS=\"https://0.0.0.0:2380\" >> ./etcd.conf
echo ETCD_LISTEN_CLIENT_URLS=\"https://0.0.0.0:2379\" >> ./etcd.conf
# Quote the marker: an unquoted # starts a shell comment and nothing is written
echo '#[cluster]' >> ./etcd.conf
echo ETCD_INITIAL_ADVERTISE_PEER_URLS="\"https://etcdnode0"${current}":2380\"" >> ./etcd.conf
echo ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" >> ./etcd.conf
echo ETCD_ADVERTISE_CLIENT_URLS="\"https://etcdnode0"${current}":2379\"" >> ./etcd.conf
echo "$cluster_url" >> ./etcd.conf

echo ${check_url} > ./04.checkStatus.sh
echo 'echo "--------- member list ----------------"' >> ./04.checkStatus.sh
echo '/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem  --endpoints=${nodelist} member list' >> ./04.checkStatus.sh
echo 'echo ""' >> ./04.checkStatus.sh
echo 'echo "------------ status ------------------"' >> ./04.checkStatus.sh
echo '/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem  --endpoints=${nodelist} endpoint status' >> ./04.checkStatus.sh
echo 'echo ""' >> ./04.checkStatus.sh
echo 'echo "------------ health ------------------"' >> ./04.checkStatus.sh
echo '/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem  --endpoints=${nodelist} endpoint health' >> ./04.checkStatus.sh
chmod +x ./04.checkStatus.sh

mkdir /opt/etcd
mkdir /opt/etcd/{logs,data,ssl,bin,conf}
mv {ca.pem,etcd-key.pem,etcd.pem} /opt/etcd/ssl/
cp ./etcd-3.4.13/{etcd,etcdctl} /opt/etcd/bin/
cp ./etcd.conf /opt/etcd/conf/
cp ./etcd.service /usr/lib/systemd/system/
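# Single quotes keep $PATH unexpanded so it is resolved at login, not frozen at install time
echo 'export PATH=/opt/etcd/bin:$PATH' >> /etc/profile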
source /etc/profile
systemctl daemon-reload

systemctl enable etcd

echo "install etcd complete,please invoke 05.startEtcd.sh"

Health check script 04.checkStatus.sh

nodelist="https://etcdnode01:2379,https://etcdnode02:2379,https://etcdnode03:2379,https://etcdnode04:2379,https://etcdnode05:2379"
echo "--------- member list ----------------"
/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem  --endpoints=${nodelist} member list
echo ""
echo "------------ status ------------------"
/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem  --endpoints=${nodelist} endpoint status
echo ""
echo "------------ health ------------------"
/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem  --endpoints=${nodelist} endpoint health

Service unit file etcd.service

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/opt/etcd/data
EnvironmentFile=-/opt/etcd/conf/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
  --cert-file=/opt/etcd/ssl/etcd.pem \
  --key-file=/opt/etcd/ssl/etcd-key.pem \
  --peer-cert-file=/opt/etcd/ssl/etcd.pem \
  --peer-key-file=/opt/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --initial-cluster-state new
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
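
The unit file above sets the certificate, key and trusted CA paths, but it does not explicitly set --client-cert-auth or --peer-client-cert-auth, the two flags etcd's documentation lists for requiring client certificates from clients and peers. The audit below is an added example, not part of the original post; the function name audit_mtls and the three sample files are constructed for illustration, and ETCD_CLIENT_CERT_AUTH / ETCD_PEER_CLIENT_CERT_AUTH are the environment-variable forms of those flags.

```shell
#!/bin/sh
# Added example, not the original post's code: list the mutual-TLS settings
# that an etcd unit file (plus optional EnvironmentFile) does not set.

# audit_mtls FILE... -> one "not set: --<flag>" line per setting not enabled
audit_mtls() {
    for pair in client-cert-auth:ETCD_CLIENT_CERT_AUTH \
                peer-client-cert-auth:ETCD_PEER_CLIENT_CERT_AUTH; do
        flag=${pair%%:*}
        var=${pair##*:}
        # Enabled on the command line: "--flag" or "--flag=true"
        grep -Eqs -e "(^|[[:space:]])--$flag(=true)?([[:space:]]|\$)" "$@" && continue
        # Enabled through the environment file: VAR=true or VAR="true"
        grep -Eqs -e "^$var=\"?true\"?[[:space:]]*\$" "$@" && continue
        printf 'not set: --%s\n' "$flag"
    done
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample 1: the ExecStart flags from this page's etcd.service
cat > "$work/page.service" <<'EOF'
ExecStart=/opt/etcd/bin/etcd \
  --cert-file=/opt/etcd/ssl/etcd.pem \
  --key-file=/opt/etcd/ssl/etcd-key.pem \
  --peer-cert-file=/opt/etcd/ssl/etcd.pem \
  --peer-key-file=/opt/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --initial-cluster-state new
EOF

# Constructed sample 2: the same unit with both verification flags added
{ sed '$d' "$work/page.service"
  printf '  --client-cert-auth \\\n  --peer-client-cert-auth \\\n'
  printf '  --initial-cluster-state new\n'
} > "$work/hardened.service"

# Constructed sample 3: an env file that turns on client verification only
printf 'ETCD_CLIENT_CERT_AUTH="true"\n' > "$work/etcd.conf"

echo "page unit:";       audit_mtls "$work/page.service"
echo "hardened unit:";   audit_mtls "$work/hardened.service"
echo "page unit + env:"; audit_mtls "$work/page.service" "$work/etcd.conf"
```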

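When you run 02.installEtcd.sh, the first value it asks for is the total number of nodes in the etcd cluster and the second is the index of the current node. The script uses these inputs to generate the configuration files etcd needs and installs them into the target directories.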

3. Run on all nodes
00.addPort2FW.sh
00.configHost.sh
02.installEtcd.sh

4. After all nodes have been installed,
run on each node in turn
05.startEtcd.sh

systemctl start etcd

5. Check the health of the whole cluster by running 04.checkStatus.sh
