0
点赞
收藏
分享

微信扫一扫

etcd安装

猫er聆听没落的旋律 2024-01-24 阅读 6

1、单节点部署

1.1、安装

# centos7环境安装etcd
#
# 下载etcd
wget https://github.com/etcd-io/etcd/releases/download/v3.5.11/etcd-v3.5.11-linux-amd64.tar.gz
 
# 解压
tar -xf etcd-v3.5.11-linux-amd64.tar.gz
 
# 进入 etcd-v3.5.11-linux-amd64目录
cd etcd-v3.5.11-linux-amd64
 
# 将etcd、etcdctl、etcdutl移动到/usr/local/bin目录
mv etcd /usr/local/bin/etcd
mv etcdctl /usr/local/bin/etcdctl
mv etcdutl /usr/local/bin/etcdutl
 
# 查看etcd版本
etcd --version
etcdctl version
etcdutl version

1.2、运行

# 运行etcd
# 会在当前目录创建data-dir="default.etcd",wal-dir="default.etcd/member/wal"
etcd

# 指定参数运行
etcd --listen-client-urls=http://$PRIVATE_IP:2379 \
   --advertise-client-urls=http://$PRIVATE_IP:2379


# 查看集群状态
etcdctl --endpoints=$ENDPOINTS endpoint status
etcdctl --endpoints=$ENDPOINTS endpoint health

 1.3、配置选项

1.3.1、使用命令行参数启动etcd

# 使用命令行参数运行etcd
etcd --name 'command-line-flags' --data-dir '/root/command-line-flags'

1.3.2、使用环境变量启动etcd

创建/root/etcd.conf配置文件:

cat >  /root/etcd.conf <<"EOF"
#[Member]
ETCD_NAME='environment-variable'
ETCD_DATA_DIR='/root/environment-variable'
EOF

创建/etc/systemd/system/etcd.service服务配置文件:

cat > /etc/systemd/system/etcd.service <<"EOF"
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/root/etcd.conf
ExecStart=/usr/local/bin/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

启动Systemd服务:

# systemctl daemon-reload && systemctl enable --now etcd.service
systemctl daemon-reload && systemctl enable etcd && systemctl start etcd

systemctl status etcd

1.3.3、使用配置文件启动etcd

下载etcd.config.yml配置文件:

# 下载配置文件
wget https://github.com/etcd-io/etcd/blob/main/etcd.conf.yml.sample -O /root/etcd.config.yml

查看/root/etcd.config.yml文件:

# This is the configuration file for the etcd server.

# Human-readable name for this member.
name: 'default'

# Path to the data directory.
data-dir:

# Path to the dedicated wal directory.
wal-dir:

# Number of committed transactions to trigger a snapshot to disk.
snapshot-count: 10000

# Time (in milliseconds) of a heartbeat interval.
heartbeat-interval: 100

# Time (in milliseconds) for an election to timeout.
election-timeout: 1000

# Raise alarms when backend size exceeds the given quota. 0 means use the
# default quota.
quota-backend-bytes: 0

# List of comma separated URLs to listen on for peer traffic.
listen-peer-urls: http://localhost:2380

# List of comma separated URLs to listen on for client traffic.
listen-client-urls: http://localhost:2379

# Maximum number of snapshot files to retain (0 is unlimited).
max-snapshots: 5

# Maximum number of wal files to retain (0 is unlimited).
max-wals: 5

# Comma-separated white list of origins for CORS (cross-origin resource sharing).
cors:

# List of this member's peer URLs to advertise to the rest of the cluster.
# The URLs needed to be a comma-separated list.
initial-advertise-peer-urls: http://localhost:2380

# List of this member's client URLs to advertise to the public.
# The URLs needed to be a comma-separated list.
advertise-client-urls: http://localhost:2379

# Discovery URL used to bootstrap the cluster.
discovery:

# Valid values include 'exit', 'proxy'
discovery-fallback: 'proxy'

# HTTP proxy to use for traffic to discovery service.
discovery-proxy:

# DNS domain used to bootstrap initial cluster.
discovery-srv:

# Comma separated string of initial cluster configuration for bootstrapping.
# Example: initial-cluster: "infra0=http://10.0.1.10:2380,infra1=http://10.0.1.11:2380,infra2=http://10.0.1.12:2380"
initial-cluster:

# Initial cluster token for the etcd cluster during bootstrap.
initial-cluster-token: 'etcd-cluster'

# Initial cluster state ('new' or 'existing').
initial-cluster-state: 'new'

# Reject reconfiguration requests that would cause quorum loss.
strict-reconfig-check: false

# Enable runtime profiling data via HTTP server
enable-pprof: true

# Valid values include 'on', 'readonly', 'off'
proxy: 'off'

# Time (in milliseconds) an endpoint will be held in a failed state.
proxy-failure-wait: 5000

# Time (in milliseconds) of the endpoints refresh interval.
proxy-refresh-interval: 30000

# Time (in milliseconds) for a dial to timeout.
proxy-dial-timeout: 1000

# Time (in milliseconds) for a write to timeout.
proxy-write-timeout: 5000

# Time (in milliseconds) for a read to timeout.
proxy-read-timeout: 0

client-transport-security:
  # Path to the client server TLS cert file.
  cert-file:

  # Path to the client server TLS key file.
  key-file:

  # Enable client cert authentication.
  client-cert-auth: false

  # Path to the client server TLS trusted CA cert file.
  trusted-ca-file:

  # Client TLS using generated certificates
  auto-tls: false

peer-transport-security:
  # Path to the peer server TLS cert file.
  cert-file:

  # Path to the peer server TLS key file.
  key-file:

  # Enable peer client cert authentication.
  client-cert-auth: false

  # Path to the peer server TLS trusted CA cert file.
  trusted-ca-file:

  # Peer TLS using generated certificates.
  auto-tls: false

# The validity period of the self-signed certificate, the unit is year.
self-signed-cert-validity: 1

# Enable debug-level logging for etcd.
log-level: debug

logger: zap

# Specify 'stdout' or 'stderr' to skip journald logging even when running under systemd.
log-outputs: [stderr]

# Force to create a new one member cluster.
force-new-cluster: false

auto-compaction-mode: periodic
auto-compaction-retention: "1"

# Limit etcd to a specific set of tls cipher suites
cipher-suites: [
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
]

# Limit etcd to specific TLS protocol versions 
tls-min-version: 'TLS1.2'
tls-max-version: 'TLS1.3'

编辑/root/etcd.config.yml文件:

# 需要修改以下字段
# name
# data-dir
# wal-dir
# listen-peer-urls
# listen-client-urls
# initial-advertise-peer-urls
# advertise-client-urls
# initial-cluster
# initial-cluster-token
# client-transport-security、client-transport-security下级字段
# peer-transport-security、peer-transport-security下级字段


name: 'configuration-file'
data-dir: '/root/configuration-file'
wal-dir:
snapshot-count: 10000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: http://localhost:2380
listen-client-urls: http://localhost:2379
max-snapshots: 5
max-wals: 5
cors:
initial-advertise-peer-urls: http://localhost:2380
advertise-client-urls: http://localhost:2379
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster:
initial-cluster-token: 'etcd-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
  cert-file:
  key-file:
  client-cert-auth: false
  trusted-ca-file:
  auto-tls: false
peer-transport-security:
  cert-file:
  key-file:
  client-cert-auth: false
  trusted-ca-file:
  auto-tls: false
self-signed-cert-validity: 1
log-level: debug
logger: zap
log-outputs: [stderr]
force-new-cluster: false
auto-compaction-mode: periodic
auto-compaction-retention: "1"
cipher-suites: [
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
]
tls-min-version: 'TLS1.2'
tls-max-version: 'TLS1.3'

执行命令: 

# 使用配置文件运行etcd
etcd --config-file /root/etcd.config.yml

2、集群部署

2.1、使用http通信

172.17.0.2节点:

etcd --data-dir=data.etcd --name etcd-node-1 \
	--initial-advertise-peer-urls http://172.17.0.2:2380 \
	--listen-peer-urls http://172.17.0.2:2380 \
	--advertise-client-urls http://172.17.0.2:2379 \
	--listen-client-urls http://172.17.0.2:2379 \
	--initial-cluster etcd-node-1=http://172.17.0.2:2380,etcd-node-2=http://172.17.0.3:2380,etcd-node-3=http://172.17.0.4:2380 \
	--initial-cluster-state new \
	--initial-cluster-token etcd-token \
    --peer-key-file peer.key \
    --peer-cert-file peer.cert

172.17.0.3节点:

etcd --data-dir=data.etcd --name etcd-node-2 \
	--initial-advertise-peer-urls http://172.17.0.3:2380 \
	--listen-peer-urls http://172.17.0.3:2380 \
	--advertise-client-urls http://172.17.0.3:2379 \
	--listen-client-urls http://172.17.0.3:2379 \
	--initial-cluster etcd-node-1=http://172.17.0.2:2380,etcd-node-2=http://172.17.0.3:2380,etcd-node-3=http://172.17.0.4:2380 \
	--initial-cluster-state new \
	--initial-cluster-token etcd-token

172.17.0.4节点:

etcd --data-dir=data.etcd --name etcd-node-3 \
	--initial-advertise-peer-urls http://172.17.0.4:2380 \
	--listen-peer-urls http://172.17.0.4:2380 \
	--advertise-client-urls http://172.17.0.4:2379 \
	--listen-client-urls http://172.17.0.4:2379 \
	--initial-cluster etcd-node-1=http://172.17.0.2:2380,etcd-node-2=http://172.17.0.3:2380,etcd-node-3=http://172.17.0.4:2380 \
	--initial-cluster-state new \
	--initial-cluster-token etcd-token

172.17.0.2节点,查看集群:

# 1、查看集群
etcdctl --endpoints=172.17.0.2:2379,172.17.0.3:2379,172.17.0.4:2379 member list

# 显示结果
17396d3aa5468ea, started, etcd-node-1, http://172.17.0.2:2380, http://172.17.0.2:2379, false
3a9e24ab09adc359, started, etcd-node-2, http://172.17.0.3:2380, http://172.17.0.3:2379, false
c79b72d1b9e2d891, started, etcd-node-3, http://172.17.0.4:2380, http://172.17.0.4:2379, false

# ===============================================================================
# 2、移除节点
etcdctl --endpoints=172.17.0.2:2379,172.17.0.3:2379,172.17.0.4:2379 member remove c79b72d1b9e2d891

# 显示结果
Member c79b72d1b9e2d891 removed from cluster 8cc616c226560de7

# 3、查看集群
etcdctl --endpoints=172.17.0.2:2379,172.17.0.3:2379,172.17.0.4:2379 member list

# 显示结果
17396d3aa5468ea, started, etcd-node-1, http://172.17.0.2:2380, http://172.17.0.2:2379, false
3a9e24ab09adc359, started, etcd-node-2, http://172.17.0.3:2380, http://172.17.0.3:2379, false


# ===============================================================================
# 4、添加节点
etcdctl --endpoints=172.17.0.2:2379,172.17.0.3:2379 member add etcd-node-3 --peer-urls=http://172.17.0.4:2380

# 显示结果
Member 99d9b4191b7df3f2 added to cluster 8cc616c226560de7

ETCD_NAME="etcd-node-3"
ETCD_INITIAL_CLUSTER="etcd-node-1=http://172.17.0.2:2380,etcd-node-2=http://172.17.0.3:2380,etcd-node-3=http://172.17.0.4:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://172.17.0.4:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"

# 5、查看集群
etcdctl --endpoints=172.17.0.2:2379,172.17.0.3:2379,172.17.0.4:2379 member list

# 显示结果
17396d3aa5468ea, started, etcd-node-1, http://172.17.0.2:2380, http://172.17.0.2:2379, false
3a9e24ab09adc359, started, etcd-node-2, http://172.17.0.3:2380, http://172.17.0.3:2379, false
91fd2ad3e8b7b64f, unstarted, , http://172.17.0.4:2380, , false


# 6、172.17.0.4节点执行
rm -rf ./etcd-node-3.etcd

# 7、172.17.0.4节点执行
etcd --data-dir=data.etcd --name etcd-node-3 \
	--initial-advertise-peer-urls http://172.17.0.4:2380 \
	--listen-peer-urls http://172.17.0.4:2380 \
	--advertise-client-urls http://172.17.0.4:2379 \
	--listen-client-urls http://172.17.0.4:2379 \
	--initial-cluster etcd-node-1=http://172.17.0.2:2380,etcd-node-2=http://172.17.0.3:2380,etcd-node-3=http://172.17.0.4:2380 \
	--initial-cluster-state existing \
	--initial-cluster-token etcd-token

# 8、查看集群
etcdctl --endpoints=172.17.0.2:2379,172.17.0.3:2379,172.17.0.4:2379 member list

# 显示结果
17396d3aa5468ea, started, etcd-node-1, http://172.17.0.2:2380, http://172.17.0.2:2379, false
2e6bc6b95d92f714, started, etcd-node-3, http://172.17.0.4:2380, http://172.17.0.4:2379, false
3a9e24ab09adc359, started, etcd-node-2, http://172.17.0.3:2380, http://172.17.0.3:2379, false

2.2、使用https通信

安装cfssl

# 1、下载cfssl、cfssljson、cfssl-certinfo
# cfssl:用于签发证书
# cfssljson:将cfssl签发生成的证书(json格式)变成文件承载式文件
# cfssl-certinfo:验证查看证书信息
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
 
# 2、给cfssl、cfssljson、cfssl-certinfo添加可执行权限
chmod +x /usr/local/bin/cfssl*

生成证书

ca-config.json文件:

{
  "signing": {
    "default": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "876000h"
    }
  }
}

ca-csr.json文件:

{
  "CN": "Autogenerated CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "Honest Achmed's Used Certificates",
      "OU": "Hastily-Generated Values Divison",
      "L": "San Francisco",
      "ST": "California",
      "C": "US"
    }
  ]
}

etcd-csr.json文件:

{
  "CN": "etcd",
  "hosts": [
    "localhost",
    "127.0.0.1",
    "172.17.0.2",
    "172.17.0.3",
    "172.17.0.4"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "autogenerated",
      "OU": "etcd cluster",
      "L": "the internet"
    }
  ]
}

执行命令: 

# 创建目录
mkdir -p etcd/ssl

# 切换目录
cd etcd/ssl

# 创建文件,复制上述ca-config.json、ca-csr.json、etcd-csr.json内容到对应文件
touch {ca-config.json,ca-csr.json,etcd-csr.json}

# 生成CA根证书及其私钥
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# 根据CA根证书及其私钥签名生成目标证书和私钥
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json etcd-csr.json | cfssljson -bare etcd

# 复制etcd目录到其他节点
scp -r /root/etcd 172.17.0.3:/root/etcd
scp -r /root/etcd 172.17.0.4:/root/etcd

172.17.0.2节点:

etcd --data-dir=data.etcd --name etcd-node-1 \
    --initial-advertise-peer-urls https://172.17.0.2:2380 \
    --listen-peer-urls https://172.17.0.2:2380 \
    --advertise-client-urls https://172.17.0.2:2379 \
    --listen-client-urls https://172.17.0.2:2379 \
    --initial-cluster 'etcd-node-1=https://172.17.0.2:2380,etcd-node-2=https://172.17.0.3:2380,etcd-node-3=https://172.17.0.4:2380' \
    --initial-cluster-state new \
    --initial-cluster-token etcd-token \
    --cert-file=/root/etcd/ssl/etcd.pem \
    --key-file=/root/etcd/ssl/etcd-key.pem \
    --peer-cert-file=/root/etcd/ssl/etcd.pem \
    --peer-key-file=/root/etcd/ssl/etcd-key.pem \
    --peer-client-cert-auth \
    --peer-trusted-ca-file=/root/etcd/ssl/ca.pem

172.17.0.3节点:

etcd --data-dir=data.etcd --name etcd-node-2 \
    --initial-advertise-peer-urls https://172.17.0.3:2380 \
    --listen-peer-urls https://172.17.0.3:2380 \
    --advertise-client-urls https://172.17.0.3:2379 \
    --listen-client-urls https://172.17.0.3:2379 \
    --initial-cluster 'etcd-node-1=https://172.17.0.2:2380,etcd-node-2=https://172.17.0.3:2380,etcd-node-3=https://172.17.0.4:2380' \
    --initial-cluster-state new \
    --initial-cluster-token etcd-token \
    --cert-file=/root/etcd/ssl/etcd.pem \
    --key-file=/root/etcd/ssl/etcd-key.pem \
    --peer-cert-file=/root/etcd/ssl/etcd.pem \
    --peer-key-file=/root/etcd/ssl/etcd-key.pem \
    --peer-client-cert-auth \
    --peer-trusted-ca-file=/root/etcd/ssl/ca.pem

172.17.0.4节点:

etcd --data-dir=data.etcd --name etcd-node-3 \
    --initial-advertise-peer-urls https://172.17.0.4:2380 \
    --listen-peer-urls https://172.17.0.4:2380 \
    --advertise-client-urls https://172.17.0.4:2379 \
    --listen-client-urls https://172.17.0.4:2379 \
    --initial-cluster 'etcd-node-1=https://172.17.0.2:2380,etcd-node-2=https://172.17.0.3:2380,etcd-node-3=https://172.17.0.4:2380' \
    --initial-cluster-state new \
    --initial-cluster-token etcd-token \
    --cert-file=/root/etcd/ssl/etcd.pem \
    --key-file=/root/etcd/ssl/etcd-key.pem \
    --peer-cert-file=/root/etcd/ssl/etcd.pem \
    --peer-key-file=/root/etcd/ssl/etcd-key.pem \
    --peer-client-cert-auth \
    --peer-trusted-ca-file=/root/etcd/ssl/ca.pem

172.17.0.2节点,查看集群:

# 查看集群
etcdctl --endpoints=172.17.0.2:2379,172.17.0.3:2379,172.17.0.4:2379 \
  --cert=/root/etcd/ssl/etcd.pem \
  --key=/root/etcd/ssl/etcd-key.pem \
  --cacert=/root/etcd/ssl/ca.pem \
  member list

# 显示结果
c6b958fbe52963, started, etcd-node-1, https://172.17.0.2:2380, https://172.17.0.2:2379, false
5f334165954101b, started, etcd-node-3, https://172.17.0.4:2380, https://172.17.0.4:2379, false
964941aff35ec5da, started, etcd-node-2, https://172.17.0.3:2380, https://172.17.0.3:2379, false


# 不带证书访问集群
etcdctl --endpoints=172.17.0.2:2379,172.17.0.3:2379,172.17.0.4:2379   member list

# 显示结果
{"level":"warn","ts":"2024-01-20T21:58:12.352461Z","logger":"etcd-client","caller":"v3@v3.5.11/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000374380/172.17.0.2:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: EOF\""}
Error: context deadline exceeded

详见:

操作 Kubernetes 中的 etcd 集群 | Kubernetes

Clustering Guide | etcd

How to Set Up a Demo etcd Cluster | etcd

How to Add and Remove Members | etcd

3、docker部署

3.1、使用http通信

# 当前主机IP:10.0.8.13
# 创建目录
mkdir /root/etcd-data


# 当前主机IP:10.0.8.13
# 创建容器
docker run \
  -p 2379:2379 \
  -p 2380:2380 \
  --volume=/root/etcd-data:/root/etcd-data \
  --name etcd quay.io/coreos/etcd:latest \
  /usr/local/bin/etcd \
  --data-dir=/root/etcd-data --name node1 \
  --initial-advertise-peer-urls http://10.0.8.13:2380 \
  --listen-peer-urls http://0.0.0.0:2380 \
  --advertise-client-urls http://10.0.8.13:2379 \
  --listen-client-urls http://0.0.0.0:2379 \
  --initial-cluster node1=http://10.0.8.13:2380


# 当前主机IP:10.0.8.13
# 查看集群状态
etcdctl --endpoints=10.0.8.13:2379 member list

# 显示结果
942908011bbade83, started, node1, http://10.0.8.13:2380, http://10.0.8.13:2379, false

3.2、使用https通信

# 当前主机IP:10.0.8.13
# 创建目录
mkdir -p /root/etcd/{data,ssl}

# 生成证书
# 参考:“2.2、使用https通信” 的 “生成证书”
# 修改“etcd-csr.json文件” 的 “hosts” 字段,hosts值应为 “主机IP”

# 当前主机IP:10.0.8.13
# 创建容器
docker run \
  -p 2379:2379 \
  -p 2380:2380 \
  --volume=/root/etcd:/root/etcd \
  --name etcd quay.io/coreos/etcd:latest \
  /usr/local/bin/etcd \
  --data-dir=/root/etcd/data --name node1 \
  --initial-advertise-peer-urls https://10.0.8.13:2380 \
  --listen-peer-urls https://0.0.0.0:2380 \
  --advertise-client-urls https://10.0.8.13:2379 \
  --listen-client-urls https://0.0.0.0:2379 \
  --cert-file=/root/etcd/ssl/etcd.pem \
  --key-file=/root/etcd/ssl/etcd-key.pem \
  --peer-cert-file=/root/etcd/ssl/etcd.pem \
  --peer-key-file=/root/etcd/ssl/etcd-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file=/root/etcd/ssl/ca.pem


# 当前主机IP:10.0.8.13
# 查看集群
etcdctl --endpoints=10.0.8.13:2379 \
  --cert=/root/etcd/ssl/etcd.pem \
  --key=/root/etcd/ssl/etcd-key.pem \
  --cacert=/root/etcd/ssl/ca.pem \
  member list

# 显示结果
b0b9626eea1088ab, started, node1, https://10.0.8.13:2380, https://10.0.8.13:2379, false


# 当前主机IP:10.0.8.13
# 不带证书访问集群
etcdctl --endpoints=10.0.8.13:2379 member list

# 显示结果
{"level":"warn","ts":"2024-01-21T15:42:38.997455+0800","logger":"etcd-client","caller":"v3@v3.5.11/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00007c000/10.0.8.13:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: read tcp 10.0.8.13:56464->10.0.8.13:2379: read: connection reset by peer\""}
Error: context deadline exceeded

举报

相关推荐

0 条评论