Installing a highly available etcd cluster with docker-compose
- Build the etcd image
- Generate SSL certificates
- Install the cfssl certificate tools
- Write the certificate generation config
- Write the CA root certificate config
- Write the server certificate config
- Write the client certificate config
- Write the docker-compose.yml file
- Return to the parent directory
- docker-compose.yml is as follows
- Run the etcd cluster
- Check the cluster status
Build the etcd image
The etcd cluster installed here uses version 3.4.9.
1. Download the etcd package and unpack it
# go to the current user's home directory, create an etcd directory and enter it
cd ~ && mkdir etcd && cd etcd
# download the etcd binary tarball and unpack it
wget https://repo.huaweicloud.com/etcd/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz && tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
# delete the downloaded tarball
rm -rf etcd-v3.4.9-linux-amd64.tar.gz
# create a bin directory and move the unpacked etcd binaries into it
mkdir bin && mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} bin/
# delete the unpacked etcd directory
rm -rf etcd-v3.4.9-linux-amd64/
2. Write the Dockerfile
cat > Dockerfile <<EOF
FROM alpine
MAINTAINER lhstack@foxmail.com
# switch to a domestic apk mirror, install tzdata and set the container timezone
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories \\
&& apk update \\
&& apk add --no-cache tzdata \\
&& cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ENV TZ Asia/Shanghai
VOLUME /work
WORKDIR /work
ADD bin/etcd /usr/sbin/etcd
ADD bin/etcdctl /usr/sbin/etcdctl
EXPOSE 2379 2380
CMD etcd
EOF
3. Build the etcd image, start it and check that it runs
# build the image
docker build -t etcd:3.4.9-alpine .
# start etcd
docker run --rm -ti etcd:3.4.9-alpine
A successful start looks like the screenshot below

Generate SSL certificates
Install the cfssl certificate tools
wget -O /usr/local/sbin/certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 && chmod +x /usr/local/sbin/certinfo
wget -O /usr/local/sbin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 && chmod +x /usr/local/sbin/cfssl
wget -O /usr/local/sbin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 && chmod +x /usr/local/sbin/cfssljson
Write the certificate generation config
1. Create the directory for the certificate files
# every certificate generated below ends up in the ssl directory
mkdir ssl && cd ssl
2. The directory structure is as follows

3. Print the default certificate config
cfssl print-defaults config > ca-config.json
4. Edit the configuration in ca-config.json (the etcd profile is used for both server and client certificates, so it carries both server auth and client auth usages)
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "etcd": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
Write the CA root certificate config
1. Print the default CA CSR config
cfssl print-defaults csr > ca-csr.json
2. Edit ca-csr.json (cfssl only reads the C, ST, L, O and OU keys under names; any other key is silently ignored)
cat > ca-csr.json <<EOF
{
  "CN": "www.etcd.com.cn",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "ChengDu",
      "O": "Lhstack"
    }
  ]
}
EOF
3. Generate ca-key.pem and ca.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Write the server certificate config
1. Print the default server CSR config
cfssl print-defaults csr > server-csr.json
2. Edit server-csr.json
hosts lists the IP address of every node in the etcd cluster; if you plan to scale out later, reserve a few extra IPs here
cat > server-csr.json <<EOF
{
  "CN": "www.etcd.com.cn",
  "hosts": [
    "10.100.110.80",
    "10.100.110.81",
    "10.100.110.82"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "ChengDu",
      "O": "Lhstack"
    }
  ]
}
EOF
3. Generate the server certificate server.pem and its key server-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
Write the client certificate config
1. Print the default client CSR config
cfssl print-defaults csr > client-csr.json
2. Edit client-csr.json
cat > client-csr.json <<EOF
{
  "CN": "www.etcd.com.cn",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "ChengDu",
      "O": "Lhstack"
    }
  ]
}
EOF
3. Generate the client certificate client.pem and its key client-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd client-csr.json | cfssljson -bare client
Write the docker-compose.yml file
Return to the parent directory
cd ..

docker-compose.yml is as follows
version: '3'
services:
  etcd-1:
    image: etcd:3.4.9-alpine
    build: .
    container_name: etcd-1
    volumes:
      - ./ssl:/opt/etcd/ssl
      - ./data/etcd-1:/opt/etcd/data
    command:
      - sh
      - -c
      - |
        etcd -name etcd-1 --cert-file=/opt/etcd/ssl/server.pem \
        --listen-peer-urls https://10.100.110.80:2380 --listen-client-urls https://10.100.110.80:2379,http://10.100.110.80:2379 \
        --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem \
        --peer-key-file=/opt/etcd/ssl/server-key.pem --initial-advertise-peer-urls https://10.100.110.80:2380 \
        --advertise-client-urls https://10.100.110.80:2379 --initial-cluster-token etcd-cluster \
        --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
        --initial-cluster etcd-1=https://10.100.110.80:2380,etcd-2=https://10.100.110.81:2380,etcd-3=https://10.100.110.82:2380 \
        --enable-v2=true \
        --data-dir=/opt/etcd/data \
        --initial-cluster-state new
    networks:
      etcd:
        ipv4_address: "10.100.110.80"
  etcd-2:
    image: etcd:3.4.9-alpine
    container_name: etcd-2
    volumes:
      - ./ssl:/opt/etcd/ssl
      - ./data/etcd-2:/opt/etcd/data
    command:
      - sh
      - -c
      - |
        etcd -name etcd-2 --cert-file=/opt/etcd/ssl/server.pem \
        --listen-peer-urls https://10.100.110.81:2380 --listen-client-urls https://10.100.110.81:2379,http://10.100.110.81:2379 \
        --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem \
        --peer-key-file=/opt/etcd/ssl/server-key.pem --initial-advertise-peer-urls https://10.100.110.81:2380 \
        --advertise-client-urls https://10.100.110.81:2379 --initial-cluster-token etcd-cluster \
        --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
        --initial-cluster etcd-1=https://10.100.110.80:2380,etcd-2=https://10.100.110.81:2380,etcd-3=https://10.100.110.82:2380 \
        --enable-v2=true \
        --data-dir=/opt/etcd/data \
        --initial-cluster-state new
    networks:
      etcd:
        ipv4_address: "10.100.110.81"
  etcd-3:
    image: etcd:3.4.9-alpine
    container_name: etcd-3
    volumes:
      - ./ssl:/opt/etcd/ssl
      - ./data/etcd-3:/opt/etcd/data
    command:
      - sh
      - -c
      - |
        etcd -name etcd-3 --cert-file=/opt/etcd/ssl/server.pem \
        --listen-peer-urls https://10.100.110.82:2380 --listen-client-urls https://10.100.110.82:2379,http://10.100.110.82:2379 \
        --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem \
        --peer-key-file=/opt/etcd/ssl/server-key.pem --initial-advertise-peer-urls https://10.100.110.82:2380 \
        --advertise-client-urls https://10.100.110.82:2379 --initial-cluster-token etcd-cluster \
        --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
        --initial-cluster etcd-1=https://10.100.110.80:2380,etcd-2=https://10.100.110.81:2380,etcd-3=https://10.100.110.82:2380 \
        --enable-v2=true \
        --data-dir=/opt/etcd/data \
        --initial-cluster-state new
    networks:
      etcd:
        ipv4_address: "10.100.110.82"
networks:
  etcd:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.100.0.0/16
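As an added example (not part of the original post), a small Python audit that parses one node's etcd command line from the compose file above and flags the settings a reviewer would question: the plaintext http:// client listener that shares port 2379 with the TLS one (etcd serves both on the same address), the missing --client-cert-auth and --peer-client-cert-auth (with only --trusted-ca-file etcd verifies a certificate when a client offers one but does not require it), and the deprecated v2 API. ETCD_CMD is the etcd-1 command copied from the compose file with the cluster-membership flags trimmed; HARDENED_CMD is the same command with those findings fixed.

```python
import shlex

# Sample input, constructed from the etcd-1 command in the compose file above
# (continuation lines joined, cluster-membership flags trimmed for brevity).
ETCD_CMD = (
    "etcd -name etcd-1 --cert-file=/opt/etcd/ssl/server.pem --listen-peer-urls https://10.100.110.80:2380 "
    "--listen-client-urls https://10.100.110.80:2379,http://10.100.110.80:2379 "
    "--key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem "
    "--peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem "
    "--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem --enable-v2=true --data-dir=/opt/etcd/data "
    "--initial-cluster-state new"
)
# Same node, fixed: TLS-only client listener, v2 off, certificates required.
HARDENED_CMD = (
    ETCD_CMD.replace(",http://10.100.110.80:2379", "")
    .replace("--enable-v2=true", "--enable-v2=false")
    + " --client-cert-auth=true --peer-client-cert-auth=true"
)

def parse_flags(cmd):
    """Map an etcd command line to {flag: value}; handles --flag=value, --flag value
    and Go-style single-dash flags. A bare flag is recorded as 'true'."""
    argv = shlex.split(cmd)[1:]  # drop the binary name
    flags, i = {}, 0
    while i < len(argv):
        tok = argv[i].lstrip("-")
        if "=" in tok:
            name, val = tok.split("=", 1)
        elif i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            name, val, i = tok, argv[i + 1], i + 1
        else:
            name, val = tok, "true"
        flags[name] = val
        i += 1
    return flags

def audit(cmd):
    """Return a list of findings for one node's command line (empty = clean)."""
    f = parse_flags(cmd)
    findings = []
    for flag in ("listen-client-urls", "listen-peer-urls"):
        if any(u.startswith("http://") for u in f.get(flag, "").split(",")):
            findings.append(f"{flag}: plaintext http:// listener served next to TLS")
    # --trusted-ca-file only verifies certificates that are offered; the
    # *-client-cert-auth flags are what make presenting one mandatory.
    if f.get("trusted-ca-file") and f.get("client-cert-auth") != "true":
        findings.append("client-cert-auth: not set, clients may connect without a certificate")
    if f.get("peer-trusted-ca-file") and f.get("peer-client-cert-auth") != "true":
        findings.append("peer-client-cert-auth: not set, peers may connect without a certificate")
    if f.get("enable-v2") == "true":
        findings.append("enable-v2: deprecated v2 API enabled (separate auth model from v3)")
    return findings
```

Run `audit()` over each node's command; after applying the hardened flags, repeat the etcdctl checks in the next section, which already pass the client certificate.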
Run the etcd cluster
The directory structure is as follows

Run docker-compose
docker-compose up -d
The result is as follows

Check the cluster status
Enter any one of the etcd cluster nodes
docker exec -ti etcd-1 sh
Check the cluster status
etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/client.pem --key=/opt/etcd/ssl/client-key.pem --endpoints="https://10.100.110.80:2379,https://10.100.110.81:2379,https://10.100.110.82:2379" endpoint status -w table
Wrap etcdctl in a script
cat > etcdctl.sh << EOF
#!/bin/sh
# certificate directory and cluster endpoints; \$ is escaped so the variables survive the heredoc
SSL_DIR=/opt/etcd/ssl
ENDPOINTS="https://10.100.110.80:2379,https://10.100.110.81:2379,https://10.100.110.82:2379"
# "\$@" keeps arguments with spaces intact when they are passed on to etcdctl
etcdctl --cacert=\$SSL_DIR/ca.pem --cert=\$SSL_DIR/client.pem --key=\$SSL_DIR/client-key.pem --endpoints=\$ENDPOINTS "\$@"
EOF
Use the script to check the cluster status
sh etcdctl.sh endpoint status -w table

Use the script to add data
sh etcdctl.sh put msg hello
Use the script to get data
sh etcdctl.sh get msg
Use the script to delete data
sh etcdctl.sh del msg
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/275125.html
