Deploy etcd (run on the master node)

- Download etcd

```
cd /opt/k8s/work
wget https://github.com/etcd-io/etcd/releases/download/v3.3.18/etcd-v3.3.18-linux-amd64.tar.gz
tar -xvf etcd-v3.3.18-linux-amd64.tar.gz
```

- Install etcd

```
cd /opt/k8s/work
cp etcd-v3.3.18-linux-amd64/etcd* /opt/k8s/bin/
chmod +x /opt/k8s/bin/*
```

Create the etcd certificate and private key

- Create the certificate signing request file

```
cd /opt/k8s/work
cat > etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.0.107"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "NanJing",
      "L": "NanJing",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
EOF
```

  - The `hosts` list specifies the etcd node IPs that are authorized to use this certificate.

- Generate the certificate and private key

```
cd /opt/k8s/work
cfssl gencert -ca=/opt/k8s/work/ca.pem \
  -ca-key=/opt/k8s/work/ca-key.pem \
  -config=/opt/k8s/work/ca-config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
ls etcd*pem
```
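
- Install the certificate

```
cd /opt/k8s/work
# Make sure the target directory exists before copying
mkdir -p /etc/etcd/cert
cp etcd*.pem /etc/etcd/cert/
```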

Create the etcd systemd unit file

```
# The heredoc delimiter is unquoted, so each \\ is written to the unit file as a single \
cat > /etc/systemd/system/etcd.service <<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/data/k8s/etcd/data
ExecStart=/opt/k8s/bin/etcd \\
  --data-dir=/etc/etcd/cfg/etcd \\
  --name=etcd-chengf \\
  --cert-file=/etc/etcd/cert/etcd.pem \\
  --key-file=/etc/etcd/cert/etcd-key.pem \\
  --trusted-ca-file=/etc/kubernetes/cert/ca.pem \\
  --peer-cert-file=/etc/etcd/cert/etcd.pem \\
  --peer-key-file=/etc/etcd/cert/etcd-key.pem \\
  --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem \\
  --peer-client-cert-auth \\
  --client-cert-auth \\
  --listen-peer-urls=https://192.168.0.107:2380 \\
  --initial-advertise-peer-urls=https://192.168.0.107:2380 \\
  --listen-client-urls=https://192.168.0.107:2379,http://127.0.0.1:2379 \\
  --advertise-client-urls=https://192.168.0.107:2379 \\
  --initial-cluster-token=etcd-cluster-0 \\
  --initial-cluster=etcd-chengf=https://192.168.0.107:2380 \\
  --initial-cluster-state=new \\
  --auto-compaction-mode=periodic \\
  --auto-compaction-retention=1 \\
  --max-request-bytes=33554432 \\
  --quota-backend-bytes=6442450944 \\
  --heartbeat-interval=250 \\
  --election-timeout=2000
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

- WorkingDirectory, --data-dir: specify the working directory and the data directory; the directory must be created before the service is started;
- --name: specifies the node name; when --initial-cluster-state is new, the value of --name must appear in the --initial-cluster list;
- --cert-file, --key-file: the certificate and private key the etcd server uses when communicating with clients;
- --trusted-ca-file: the CA certificate that signed the client certificates, used to verify client certificates;
- --peer-cert-file, --peer-key-file: the certificate and private key etcd uses when communicating with peers;
- --peer-trusted-ca-file: the CA certificate that signed the peer certificates, used to verify peer certificates;
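
The unit file above turns on TLS and client-certificate checks for the client and peer ports, but it also keeps an `http://127.0.0.1:2379` client listener, which etcd serves without TLS or client-certificate verification. The following added example (not part of the original article) audits a unit file for the TLS flags listed above and reports any plaintext listen URL; the function names and the shortened sample unit are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit the TLS flags of an etcd unit file.
# Prints one line per finding and returns non-zero if there is any finding.
audit_etcd_unit() {
    local unit="$1" findings=0 flag url
    # Flags the walkthrough relies on for server, client and peer TLS.
    for flag in cert-file key-file trusted-ca-file client-cert-auth \
                peer-cert-file peer-key-file peer-trusted-ca-file peer-client-cert-auth; do
        if ! grep -Eq -- "(^|[[:space:]])--${flag}([=[:space:]]|\$)" "$unit"; then
            echo "MISSING --${flag}"
            findings=$((findings + 1))
        fi
    done
    # An http:// listen URL is served without TLS, so client-cert-auth cannot apply to it.
    for url in $(grep -Eo -- '--listen-(client|peer)-urls=[^[:space:]]+' "$unit" \
                 | cut -d= -f2- | tr ',' ' '); do
        case "$url" in
            http://*) echo "PLAINTEXT ${url}"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: a shortened ExecStart using flags from the unit file above,
# with --peer-client-cert-auth deliberately left out.
write_sample_unit() {
    cat > "$1" <<'EOF'
[Service]
ExecStart=/opt/k8s/bin/etcd \
  --cert-file=/etc/etcd/cert/etcd.pem \
  --key-file=/etc/etcd/cert/etcd-key.pem \
  --trusted-ca-file=/etc/kubernetes/cert/ca.pem \
  --peer-cert-file=/etc/etcd/cert/etcd.pem \
  --peer-key-file=/etc/etcd/cert/etcd-key.pem \
  --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem \
  --client-cert-auth \
  --listen-peer-urls=https://192.168.0.107:2380 \
  --listen-client-urls=https://192.168.0.107:2379,http://127.0.0.1:2379
EOF
}

sample="$(mktemp)"
write_sample_unit "$sample"
audit_etcd_unit "$sample" || echo "unit needs review"
rm -f "$sample"
```

To audit the real file, call `audit_etcd_unit /etc/systemd/system/etcd.service`.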

- Create the etcd data directory

```
mkdir -p /data/k8s/etcd/data
```
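
- Start the etcd service

```
systemctl enable etcd && systemctl start etcd
```

- Check the startup result

```
systemctl status etcd | grep Active
```

  - Make sure the state is active (running); otherwise check the logs to find the cause.
  - If something goes wrong, view the logs with the following command:

```
journalctl -u etcd
```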

- Verify the service status

```
export ETCD_ENDPOINTS=https://192.168.0.107:2379

# etcdctl 3.3 defaults to the v2 API, which provides cluster-health and the --ca-file/--cert-file/--key-file flags
etcdctl \
  --endpoints=${ETCD_ENDPOINTS} \
  --ca-file=/etc/kubernetes/cert/ca.pem \
  --cert-file=/etc/etcd/cert/etcd.pem \
  --key-file=/etc/etcd/cert/etcd-key.pem cluster-health

etcdctl \
  --endpoints=${ETCD_ENDPOINTS} \
  --ca-file=/etc/kubernetes/cert/ca.pem \
  --cert-file=/etc/etcd/cert/etcd.pem \
  --key-file=/etc/etcd/cert/etcd-key.pem member list
```

Output:

```
root@master:/opt/k8s/work# etcdctl --endpoints=${ETCD_ENDPOINTS} --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pem cluster-health
member c0d3b56a9878e38f is healthy: got healthy result from https://192.168.0.107:2379
cluster is healthy
root@master:/opt/k8s/work# etcdctl --endpoints=${ETCD_ENDPOINTS} --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pem member list
c0d3b56a9878e38f: name=etcd-chengf peerURLs=https://192.168.0.107:2380 clientURLs=https://192.168.0.107:2379 isLeader=true
```
