[K8S Operations Knowledge Summary] Day 2, Part 6: Installing and deploying control-plane node services: etcd configuration store

Reader submission, 2022-09-27


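Deploying the etcd cluster

Cluster plan

Hostname             Role            IP
HDss7-12.host.com    etcd leader     10.4.7.12
HDss7-21.host.com    etcd follower   10.4.7.21
HDss7-22.host.com    etcd follower   10.4.7.22

Note: this guide uses the host HDss7-12.host.com as the example; the other two hosts are installed and deployed in the same way.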

Creating the certificates used by etcd

On HDss7-200, create the signing config file based on the root certificate. The file is included in this folder; upload it directly instead of copying and pasting.

[root@hdss7-200 ~]# vi /opt/certs/ca-config.json
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

The IP addresses in this file must be corrected before it is used. They are the hosts that may run etcd, with one extra IP as a spare. The file is included in this folder; upload it directly instead of copying and pasting.

[root@hdss7-200 ~]# vi /opt/certs/etcd-peer-csr.json
{
    "CN": "k8s-etcd",
    "hosts": [
        "10.4.7.11",
        "10.4.7.12",
        "10.4.7.21",
        "10.4.7.22"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "shengezhen",
            "L": "shengzhen",
            "O": "od",
            "OU": "ops"
        }
    ]
}

Generate all the related certificates:

[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
[root@hdss7-200 certs]# ll
总用量 36
-rw-r--r-- 1 root root  836 12月 10 16:29 ca-config.json
-rw-r--r-- 1 root root  993 12月 10 11:54 ca.csr
-rw-r--r-- 1 root root  328 12月 10 11:53 ca-csr.json
-rw------- 1 root root 1679 12月 10 11:54 ca-key.pem
-rw-r--r-- 1 root root 1346 12月 10 11:54 ca.pem
-rw-r--r-- 1 root root 1062 12月 10 16:31 etcd-peer.csr
-rw-r--r-- 1 root root  383 12月 10 16:31 etcd-peer-csr.json
-rw------- 1 root root 1679 12月 10 16:31 etcd-peer-key.pem
-rw-r--r-- 1 root root 1428 12月 10 16:31 etcd-peer.pem

Installing and deploying the etcd cluster on the 3 nodes

On each etcd host, create a non-login etcd user without a home directory

[root@localhost certs]# useradd -s /sbin/nologin -M etcd
[root@localhost certs]# id etcd
uid=1000(etcd) gid=1000(etcd) 组=1000(etcd)
[root@localhost certs]# mkdir /opt/src
[root@localhost certs]# cd /opt/src/

For the etcd software, a version no higher than 3.3 is recommended

[root@localhost src]# rz
[root@localhost src]# ls
etcd-v3.1.20-linux-amd64.tar.gz
[root@localhost src]# tar zxvf etcd-v3.1.20-linux-amd64.tar.gz -C /opt
[root@localhost src]# cd ..
[root@localhost opt]# mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20

Create a symlink to make later version upgrades easier

[root@hdss7-12 opt]# ln -s /opt/etcd-v3.1.20 /opt/etcd
# ll
总用量 0
lrwxrwxrwx 1 root   root   17 12月 10 16:45 etcd -> /opt/etcd-v3.1.20
drwxr-xr-x 3 478493 89939 123 10月 11 2018 etcd-v3.1.20
drwxr-xr-x 2 root   root   45 12月 10 16:41

Create the directories and copy the certificates and private key

[root@localhost opt]# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server

Copy ca.pem, etcd-peer-key.pem and etcd-peer.pem, generated on the ops host, into the /opt/etcd/certs directory. The private key file must have mode 600.

[root@hdss7-12 certs]# cd /opt/etcd/certs
[root@hdss7-12 certs]# scp 10.4.7.200:/opt/certs/ca.pem .
[root@hdss7-12 certs]# scp 10.4.7.200:/opt/certs/etcd-peer-key.pem .
[root@hdss7-12 certs]# scp 10.4.7.200:/opt/certs/etcd-peer.pem .
[root@localhost certs]# ll
总用量 12
-rw-r--r-- 1 root root 1346 6月 26 11:23 ca.pem
-rw------- 1 root root 1675 6月 26 11:24 etcd-peer-key.pem
-rw-r--r-- 1 root root 1436 6月 26 11:24 etcd-peer.pem

Change the owner and group

[root@localhost certs]# chown -R etcd:etcd /opt/etcd/certs/ /data/etcd/ /data/logs/etcd-server/
[root@localhost certs]# ll
总用量 12
-rw-r--r-- 1 etcd etcd 1346 6月 26 11:23 ca.pem
-rw------- 1 etcd etcd 1675 6月 26 11:24 etcd-peer-key.pem   # mode 600
-rw-r--r-- 1 etcd etcd 1436 6月 26 11:24 etcd-peer.pem
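
An added example, not part of the original post: a POSIX shell check for the ownership and mode rules above, so that a private key left readable by group or other after scp or chown is caught before etcd starts. The function name check_etcd_certs is hypothetical, and GNU stat (as shipped on CentOS) is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an etcd certificate
# directory. check_etcd_certs is a hypothetical helper; GNU stat is assumed.
#
# usage: check_etcd_certs DIR OWNER   (OWNER is a user name or a numeric uid)
#   e.g. check_etcd_certs /opt/etcd/certs etcd
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_etcd_certs() (
    dir=$1 owner=$2 rc=0 keys=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || { echo "$dir: no .pem files"; exit 1; }
        perm=$((0$(stat -c '%a' "$f")))      # octal mode string -> integer
        if [ "$(stat -c '%U' "$f")" != "$owner" ] &&
           [ "$(stat -c '%u' "$f")" != "$owner" ]; then
            echo "$f: not owned by $owner"; rc=1
        fi
        case $f in
            *-key.pem)
                keys=$((keys + 1))
                # private key: no group/other bits at all (600 or 400)
                if [ $((perm & 077)) -ne 0 ]; then
                    echo "$f: private key is accessible to group/other"; rc=1
                fi ;;
            *)
                # certificate or CA: readable is fine, group/other-writable is not
                if [ $((perm & 022)) -ne 0 ]; then
                    echo "$f: certificate is writable by group/other"; rc=1
                fi ;;
        esac
    done
    [ "$keys" -gt 0 ] || { echo "$dir: no *-key.pem found"; rc=1; }
    exit $rc
)
```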

Create the etcd service startup script, changing the IP addresses to the local host's IP. The file is included in this directory; upload it and edit it rather than copying and pasting, because the formatting is easily broken.

[root@hdss7-12 certs]# vi /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-7-12 \
       --data-dir /data/etcd/etcd-server \
       --listen-peer-urls \
       --listen-client-urls \
       --quota-backend-bytes 8000000000 \
       --initial-advertise-peer-urls \
       --advertise-client-urls \
       --initial-cluster etcd-server-7-12=\
       --ca-file ./certs/ca.pem \
       --cert-file ./certs/etcd-peer.pem \
       --key-file ./certs/etcd-peer-key.pem \
       --client-cert-auth \
       --trusted-ca-file ./certs/ca.pem \
       --peer-ca-file ./certs/ca.pem \
       --peer-cert-file ./certs/etcd-peer.pem \
       --peer-key-file ./certs/etcd-peer-key.pem \
       --peer-client-cert-auth \
       --peer-trusted-ca-file ./certs/ca.pem \
       --log-output stdout
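
An added example, not part of the original post: a POSIX shell lint for the startup script above that reports a listen or advertise URL that is missing or not https, and reports when client-certificate authentication is not enforced for clients or peers. lint_etcd_startup is a hypothetical name, and the parser assumes one flag per backslash-continued line with no quoted values containing spaces.

```shell
#!/bin/sh
# Added example (not from the original post): lint the TLS flags of an etcd
# startup script. lint_etcd_startup is a hypothetical helper. Assumes one
# flag per backslash-continued line and no quoted values containing spaces.
#
# usage: lint_etcd_startup /opt/etcd/etcd-server-startup.sh
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_etcd_startup() (
    rc=0 seen=" "
    set -f                               # no globbing while word-splitting
    # drop comment lines, strip line continuations, split into words
    set -- $(sed -e '/^[[:space:]]*#/d' -e 's/\\$//' "$1" | tr '\n' ' ')
    while [ $# -gt 0 ]; do
        flag=$1; shift
        case $flag in
            --*=false) continue ;;       # boolean switched off: treat as absent
            --*=*) val=${flag#*=}; flag=${flag%%=*} ;;
            --*)   val=${1-} ;;
            *)     continue ;;           # a value or the binary name
        esac
        seen="$seen$flag "
        case $flag in
            --listen-peer-urls|--listen-client-urls|\
            --initial-advertise-peer-urls|--advertise-client-urls)
                case $val in
                    ''|--*) printf '%s\n' "$flag: no URL given"; rc=1; continue ;;
                esac
                old_ifs=$IFS; IFS=,      # values are comma-separated lists
                for u in $val; do
                    case $u in
                        https://*) ;;
                        *) printf '%s\n' "$flag: $u is not https"; rc=1 ;;
                    esac
                done
                IFS=$old_ifs ;;
        esac
    done
    # without these, etcd serves TLS but does not require client certificates
    for need in --client-cert-auth --trusted-ca-file \
                --peer-client-cert-auth --peer-trusted-ca-file; do
        case $seen in
            *" $need "*) ;;
            *) printf '%s\n' "missing $need"; rc=1 ;;
        esac
    done
    exit $rc
)
```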

Grant execute permission

[root@hdss7-12 certs]# chmod +x /opt/etcd/etcd-server-startup.sh
[root@localhost etcd]# ll
总用量 30072
drwxr-xr-x  2 etcd etcd       66 6月 26 11:24 certs
drwxr-xr-x 11 etcd etcd     4096 10月 11 2018 Documentation
-rwxr-xr-x  1 etcd etcd 16406432 10月 11 2018 etcd
-rwxr-xr-x  1 etcd etcd 14327712 10月 11 2018 etcdctl
-rwxr-xr-x  1 etcd etcd      981 6月 26 11:30 etcd-server-startup.sh
-rw-r--r--  1 etcd etcd    32632 10月 11 2018 README-etcdctl.md
-rw-r--r--  1 etcd etcd     5878 10月 11 2018 README.md
-rw-r--r--  1 etcd etcd     7892 10月 11 2018 READMEv2-etcdctl.md

Change the owner and group

[root@hdss7-12 certs]# chown -R etcd.etcd /opt/etcd-v3.1.20/ /data/etcd /data/logs/etcd-server

Run etcd in the background

[root@hdss7-12 logs]# yum install supervisor -y
[root@hdss7-12 logs]# systemctl start supervisord
[root@hdss7-12 logs]# systemctl enable supervisord

Edit the supervisord configuration file. The name in [program:etcd-server-7-12] must be changed to match the actual host.

[root@hdss7-12 logs]# vi /etc/supervisord.d/etcd-server.ini
[program:etcd-server-7-12]
command=/opt/etcd/etcd-server-startup.sh                        ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/etcd                                             ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; restart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log           ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)

Start etcd in the background

[root@hdss7-12 logs]# supervisorctl update
etcd-server-7-12: added process group
[root@hdss7-12 logs]# supervisorctl status
etcd-server-7-12                 STARTING
[root@hdss7-12 logs]# netstat -luntp|grep etcd
tcp        0      0 192.168.153.12:2379     0.0.0.0:*               LISTEN      19395/./etcd
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      19395/./etcd
tcp        0      0 192.168.153.12:2380     0.0.0.0:*               LISTEN      19395/./etcd

View the log

[root@hdss7-12 logs]# tail -fn 200 /data/logs/etcd-server/etcd.stdout.log

Deploy the other 2 nodes in the same way.

Troubleshooting:

1. Check that the directories have the correct ownership and permissions

2. Delete the etcd-server.ini file, run update, then edit the configuration file again

[root@localhost etcd]# rm /etc/supervisord.d/etcd-server.ini
[root@localhost etcd]# supervisorctl update
etcd-server-7-12: stopped
etcd-server-7-12: removed process group
[root@localhost etcd]# supervisorctl status
[root@localhost etcd]# vi /etc/supervisord.d/etcd-server.ini
[root@localhost etcd]# supervisorctl update
etcd-server-7-12: added process group
[root@localhost etcd]# supervisorctl status
etcd-server-7-12

Check cluster health:

Run this on any one of the etcd hosts

[root@localhost etcd]# ./etcdctl cluster-health
member 988139385f78284 is healthy: got healthy result from
5a0ef2a004fc4349 is healthy: got healthy result from
f4a0cb0a765574a8 is healthy: got healthy result from
etcd]# ./etcdctl member list
988139385f78284: name=etcd-server-7-22 peerURLs= clientURLs= isLeader=false
5a0ef2a004fc4349: name=etcd-server-7-21 peerURLs= clientURLs= isLeader=false
f4a0cb0a765574a8: name=etcd-server-7-12 peerURLs= clientURLs= isLeader=true
