如果沒有特殊指明,所有操作均在 zhaoyixin-k8s-01 節點上執行,
etcd 是基于 Raft 的分布式 KV 存盤系統,由 CoreOS 開發,常用于服務發現、共享配置以及并發控制(如 leader 選舉、分布式鎖等),
kubernetes 使用 etcd 集群持久化存盤所有 API 物件、運行資料,
本節將部署一個三節點高可用 etcd 集群,
下載 etcd 二進制檔案
cd /opt/k8s/work
wget https://github.com/coreos/etcd/releases/download/v3.4.3/etcd-v3.4.3-linux-amd64.tar.gz
tar -xvf etcd-v3.4.3-linux-amd64.tar.gz
分發二進制檔案到集群所有節點:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
scp etcd-v3.4.3-linux-amd64/etcd* root@${node_ip}:/opt/k8s/bin
ssh root@${node_ip} "chmod +x /opt/k8s/bin/*"
done
創建 etcd 證書和私鑰
創建證書簽名請求檔案:
cd /opt/k8s/work
cat > etcd-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.16.8",
"192.168.16.10",
"192.168.16.6"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "zhaoyixin"
}
]
}
EOF
hosts:指定授權使用該證書的 etcd 節點 IP 串列,需要將 etcd 集群所有節點 IP 都列在其中,
生成證書和私鑰:
cd /opt/k8s/work
cfssl gencert -ca=/opt/k8s/work/ca.pem \
-ca-key=/opt/k8s/work/ca-key.pem \
-config=/opt/k8s/work/ca-config.json \
-profile=kubernetes etcd-csr.json | cfssljson -bare etcd
ls etcd*pem
分發生成的證書和私鑰到各 etcd 節點:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p /etc/etcd/cert"
scp etcd*.pem root@${node_ip}:/etc/etcd/cert/
done
創建 etcd 的 systemd unit 模板檔案
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
cat > etcd.service.template <<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=${ETCD_DATA_DIR}
ExecStart=/opt/k8s/bin/etcd \\
--data-dir=${ETCD_DATA_DIR} \\
--wal-dir=${ETCD_WAL_DIR} \\
--name=##NODE_NAME## \\
--cert-file=/etc/etcd/cert/etcd.pem \\
--key-file=/etc/etcd/cert/etcd-key.pem \\
--trusted-ca-file=/etc/kubernetes/cert/ca.pem \\
--peer-cert-file=/etc/etcd/cert/etcd.pem \\
--peer-key-file=/etc/etcd/cert/etcd-key.pem \\
--peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem \\
--peer-client-cert-auth \\
--client-cert-auth \\
--listen-peer-urls=https://##NODE_IP##:2380 \\
--initial-advertise-peer-urls=https://##NODE_IP##:2380 \\
--listen-client-urls=https://##NODE_IP##:2379,http://127.0.0.1:2379 \\
--advertise-client-urls=https://##NODE_IP##:2379 \\
--initial-cluster-token=etcd-cluster-0 \\
--initial-cluster=${ETCD_NODES} \\
--initial-cluster-state=new \\
--auto-compaction-mode=periodic \\
--auto-compaction-retention=1 \\
--max-request-bytes=33554432 \\
--quota-backend-bytes=6442450944 \\
--heartbeat-interval=250 \\
--election-timeout=2000
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
WorkingDirectory、--data-dir:指定作業目錄和資料目錄為${ETCD_DATA_DIR},需在啟動服務前創建這個目錄;--wal-dir:指定 wal 目錄,為了提高性能,一般使用 SSD 或者和--data-dir不同的磁盤;--name:指定節點名稱,當--initial-cluster-state值為new時,--name的引數值必須位于--initial-cluster串列中;--cert-file、--key-file:etcd server 與 client 通信時使用的證書和私鑰;--trusted-ca-file:簽名 client 證書的 CA 證書,用于驗證 client 證書;--peer-cert-file、--peer-key-file:etcd 與 peer 通信使用的證書和私鑰;--peer-trusted-ca-file:簽名 peer 證書的 CA 證書,用于驗證 peer 證書;
創建 etcd systemd unit 檔案
替換模板檔案中的變數,為各節點創建 systemd unit 檔案:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for (( i=0; i < 3; i++ ))
do
sed -e "s/##NODE_NAME##/${NODE_NAMES[i]}/" -e "s/##NODE_IP##/${NODE_IPS[i]}/" etcd.service.template > etcd-${NODE_IPS[i]}.service
done
ls *.service
NODE_NAMES和NODE_IPS為相同長度的 bash 陣列,分別為節點名稱和對應的 IP;
分發生成的 systemd unit 檔案:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
scp etcd-${node_ip}.service root@${node_ip}:/etc/systemd/system/etcd.service
done
啟動 etcd 服務
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p ${ETCD_DATA_DIR} ${ETCD_WAL_DIR}"
ssh root@${node_ip} "systemctl daemon-reload && systemctl enable etcd && systemctl restart etcd " &
done
- 必須先創建 etcd 資料目錄和作業目錄;
- etcd 行程首次啟動時會等待其它節點的 etcd 加入集群,命令
systemctl start etcd會卡住一段時間,為正常現象;
檢查啟動結果
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "systemctl status etcd|grep Active"
done
確保狀態為 active(running),否則通過 journalctl -u etcd 查看日志,確認原因,
驗證服務狀態
部署完 etcd 集群后,在任一 etcd 節點上執行如下命令:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
/opt/k8s/bin/etcdctl \
--endpoints=https://${node_ip}:2379 \
--cacert=/etc/kubernetes/cert/ca.pem \
--cert=/etc/etcd/cert/etcd.pem \
--key=/etc/etcd/cert/etcd-key.pem endpoint health
done
輸出均為 healthy 時表示集群服務正常,
查看當前的 leader:
source /opt/k8s/bin/environment.sh
/opt/k8s/bin/etcdctl \
-w table --cacert=/etc/kubernetes/cert/ca.pem \
--cert=/etc/etcd/cert/etcd.pem \
--key=/etc/etcd/cert/etcd-key.pem \
--endpoints=${ETCD_ENDPOINTS} endpoint status
輸出:
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://192.168.16.8:2379 | 75d7781bdcb5dee5 | 3.4.3 | 20 kB | true | false | 2 | 8 | 8 | |
| https://192.168.16.10:2379 | d61a20f584018b21 | 3.4.3 | 20 kB | false | false | 2 | 8 | 8 | |
| https://192.168.16.6:2379 | 6ee27caaed0bfb6b | 3.4.3 | 20 kB | false | false | 2 | 8 | 8 | |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
- 可見,當前的 leader 為 192.168.16.8,
參考
opsnull/follow-me-install-kubernetes-cluster
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/10771.html
標籤:其他