etcd cluster (TLS) setup and usage

Overview

Environment

name    ip              os
etcd1   192.168.79.103  centos7
etcd2   192.168.79.104  centos7
etcd3   192.168.79.105  centos7

Unless stated otherwise, the commands below are run on etcd1.

1. Install cfssl

rm -f /tmp/cfssl* && rm -rf /tmp/certs && mkdir -p /tmp/certs
# if pkg.cfssl.org is unavailable, the same binaries are published at
# https://github.com/cloudflare/cfssl/releases; the commands below are otherwise unchanged
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /tmp/cfssl
chmod +x /tmp/cfssl
sudo mv /tmp/cfssl /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /tmp/cfssljson
chmod +x /tmp/cfssljson
sudo mv /tmp/cfssljson /usr/local/bin/cfssljson
/usr/local/bin/cfssl version
/usr/local/bin/cfssljson -h

2. Generate the CA certificate

mkdir -p /tmp/certs
cat > /tmp/certs/etcd-root-ca-csr.json <<EOF
{
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "etcd",
      "OU": "etcd",
      "L": "Guangzhou",
      "ST": "Guangdong",
      "C": "CN"
    }
  ],
  "CN": "etcd-root-ca"
}
EOF
# "C" is the ISO 3166-1 alpha-2 country code ("CN"), not the country name.
# Without a "ca": {"expiry": "..."} entry in this CSR, cfssl gives the root CA its
# default 5-year (43800h) lifetime, which is shorter than the 87600h leaf expiry
# configured below; add "ca": {"expiry": "87600h"} if leaves must not outlive the CA.
cfssl gencert --initca=true /tmp/certs/etcd-root-ca-csr.json | cfssljson --bare /tmp/certs/etcd-root-ca
# verify: check "CA:TRUE" under basicConstraints and the Not After date
openssl x509 -in /tmp/certs/etcd-root-ca.pem -text -noout
# cert-generation (signing) configuration: every certificate issued with this
# config gets both "server auth" and "client auth" and is valid for 10 years
cat > /tmp/certs/etcd-gencert.json <<EOF
{
  "signing": {
    "default": {
      "usages": [
        "signing",
        "key encipherment",
        "server auth",
        "client auth"
      ],
      "expiry": "87600h"
    }
  }
}
EOF

3. Issue the server certificate

cat > /tmp/certs/etcd-ca-csr.json <<EOF
{
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "etcd",
      "OU": "etcd",
      "L": "Guangzhou",
      "ST": "Guangdong",
      "C": "CN"
    }
  ],
  "CN": "etcd",
  "hosts": [
    "192.168.79.103",
    "192.168.79.104",
    "192.168.79.105"
  ]
}
EOF
# "hosts" become the certificate's SANs; clients and peers reject a member whose
# advertised IP is missing here. Add "127.0.0.1" if etcdctl will connect via localhost.
cfssl gencert \
--ca /tmp/certs/etcd-root-ca.pem \
--ca-key /tmp/certs/etcd-root-ca-key.pem \
--config /tmp/certs/etcd-gencert.json \
/tmp/certs/etcd-ca-csr.json | cfssljson --bare /tmp/certs/server
# verify: expect the three IPs under "X509v3 Subject Alternative Name" and both
# "TLS Web Server Authentication" and "TLS Web Client Authentication" under
# "X509v3 Extended Key Usage"
openssl x509 -in /tmp/certs/server.pem -text -noout
# This single certificate is used below as server, peer and etcdctl client identity on
# all three nodes. That is convenient for a lab, but anyone holding server-key.pem is
# then also a fully trusted client of the cluster.
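The signing config above puts both "server auth" and "client auth" on one certificate that then serves as server, peer and etcdctl identity. The script below is an added example, not code from the post or from the etcd or cfssl projects: it issues one certificate per role from the same root CA using cfssl signing profiles, so a server key cannot double as a client credential. It assumes cfssl and cfssljson are on PATH; CERT_DIR, the profile and CSR file names and the CNs (etcd-server, etcd-peer, etcd-client) are my own choices, and the node IPs are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post or the etcd/cfssl projects:
# issue separate server, peer and client certificates from the etcd-root-ca
# generated in step 2, instead of one server.pem carrying both "server auth"
# and "client auth" that is reused as server, peer and etcdctl identity.
# Assumes cfssl/cfssljson are on PATH and the CA lives in $CERT_DIR (assumed
# path, defaults to the post's /tmp/certs). Node IPs are the ones in the post.
set -eu

CERT_DIR="${CERT_DIR:-/tmp/certs}"
NODE_IPS="192.168.79.103 192.168.79.104 192.168.79.105"

# One cfssl signing profile per role. A cert from the "server" profile has no
# "client auth", so it cannot be replayed as a client against the
# --client-cert-auth listener; a "client" cert cannot pose as a server.
write_profiles_config() {
    cat > "$1" <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h" },
    "profiles": {
      "server": { "usages": ["signing", "key encipherment", "server auth"], "expiry": "8760h" },
      "peer":   { "usages": ["signing", "key encipherment", "server auth", "client auth"], "expiry": "8760h" },
      "client": { "usages": ["signing", "key encipherment", "client auth"], "expiry": "8760h" }
    }
  }
}
EOF
}

# write_csr OUT CN [HOST...]: CSR JSON; hosts become SAN entries (none for a client cert)
write_csr() {
    out="$1"; cn="$2"; shift 2
    hosts=""
    for h in "$@"; do
        hosts="${hosts:+$hosts, }\"$h\""
    done
    cat > "$out" <<EOF
{
  "CN": "$cn",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "O": "etcd", "OU": "etcd", "L": "Guangzhou", "ST": "Guangdong", "C": "CN" } ],
  "hosts": [ $hosts ]
}
EOF
}

# issue_cert PROFILE CSR OUT_PREFIX: sign the CSR with the root CA under the given profile
issue_cert() {
    cfssl gencert \
        -ca "$CERT_DIR/etcd-root-ca.pem" \
        -ca-key "$CERT_DIR/etcd-root-ca-key.pem" \
        -config "$CERT_DIR/etcd-profiles.json" \
        -profile "$1" "$2" | cfssljson -bare "$3"
}

issue_all() {
    write_profiles_config "$CERT_DIR/etcd-profiles.json"
    # server/peer certs need a SAN for every node IP (127.0.0.1 lets local etcdctl use localhost)
    write_csr "$CERT_DIR/server-csr.json" etcd-server 127.0.0.1 $NODE_IPS
    write_csr "$CERT_DIR/peer-csr.json"   etcd-peer   $NODE_IPS
    # a client cert is identified by its CN only; it needs no hosts
    write_csr "$CERT_DIR/client-csr.json" etcd-client
    issue_cert server "$CERT_DIR/server-csr.json" "$CERT_DIR/server"
    issue_cert peer   "$CERT_DIR/peer-csr.json"   "$CERT_DIR/peer"
    issue_cert client "$CERT_DIR/client-csr.json" "$CERT_DIR/client"
}

# run the cfssl steps only when invoked as: sh issue-certs.sh issue
if [ "${1:-}" = "issue" ]; then issue_all; fi
```

With these files the unit would point --cert-file/--key-file at server.pem/server-key.pem, --peer-cert-file/--peer-key-file at peer.pem/peer-key.pem, and etcdctl --cert/--key at client.pem/client-key.pem; run the script after step 2 and copy only the per-role pair each host needs.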

4. Copy the certificates to the other two hosts

# this copies the whole directory, including the CA private key etcd-root-ca-key.pem,
# which the other members never need; outside a lab copy only etcd-root-ca.pem,
# server.pem and server-key.pem and keep the CA key offline
scp -r /tmp/certs/ root@192.168.79.104:/tmp/certs/
scp -r /tmp/certs/ root@192.168.79.105:/tmp/certs/
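Before starting etcd on each node it is worth confirming that what landed in /tmp/certs is usable: the certificate chains to the CA, matches its key, carries the node's IP as a SAN, has both extended key usages the unit file relies on, and does not outlive the CA. The script below is an added example, not code from the post or the etcd project. It needs only openssl (and GNU date for the expiry comparison), and it builds a constructed openssl-generated CA/leaf pair, a stand-in for the cfssl output, so the checks can be exercised without a cluster; the function names and the fixture file names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or the etcd project: checks to
# run on each node after the certificates are copied and before etcd starts.
# Only openssl and GNU date are needed. Paths are passed in; the post's are
# /tmp/certs/etcd-root-ca.pem, server.pem and server-key.pem.
set -eu

# check_chain CA LEAF: the leaf must chain to the etcd root CA
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_key_match LEAF KEY: the private key must belong to the certificate (RSA)
check_key_match() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# check_san LEAF IP: the IP etcd advertises must be a SAN, or clients verifying
# with --cacert reject the server. Exact match, so .10 does not match .103.
check_san() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:${ip_re}([,[:space:]]|\$)"
}

# check_eku LEAF TEXT: extended key usage as printed by openssl, e.g.
# "TLS Web Server Authentication" or "TLS Web Client Authentication"
check_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# check_expiry CA LEAF: a leaf that outlives its CA (the post's 87600h leaf vs
# cfssl's default 5-year CA) stops validating the day the CA expires
check_expiry() {
    ca_s=$(date -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s)
    leaf_s=$(date -d "$(openssl x509 -in "$2" -noout -enddate | cut -d= -f2)" +%s)
    [ "$leaf_s" -le "$ca_s" ]
}

# verify_node CA LEAF KEY IP: run every check, report failures, return 1 if any failed
verify_node() {
    rc=0
    check_chain "$1" "$2"     || { echo "FAIL: $2 is not signed by $1"; rc=1; }
    check_key_match "$2" "$3" || { echo "FAIL: $3 does not match $2"; rc=1; }
    check_san "$2" "$4"       || { echo "FAIL: $4 is not a SAN of $2"; rc=1; }
    check_eku "$2" "TLS Web Server Authentication" || { echo "FAIL: no server auth EKU"; rc=1; }
    # the post reuses server.pem as peer and etcdctl identity, so it also needs client auth
    check_eku "$2" "TLS Web Client Authentication" || { echo "FAIL: no client auth EKU"; rc=1; }
    check_expiry "$1" "$2"    || echo "WARN: $2 expires after $1"
    return "$rc"
}

# make_fixture DIR: constructed test material (an openssl stand-in for the
# cfssl output: 10-year CA, 1-year leaf with the post's three IPs as SANs)
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=etcd-root-ca" \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=etcd" \
        -keyout "$1/server-key.pem" -out "$1/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=IP:192.168.79.103,IP:192.168.79.104,IP:192.168.79.105\nextendedKeyUsage=serverAuth,clientAuth\n' > "$1/ext.cnf"
    openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
        -CAcreateserial -extfile "$1/ext.cnf" -out "$1/server.pem" >/dev/null 2>&1
}

# on a real node:
# verify_node /tmp/certs/etcd-root-ca.pem /tmp/certs/server.pem /tmp/certs/server-key.pem 192.168.79.103
```

Run verify_node with that host's own IP on each of the three machines; a SAN failure on one node is the usual cause of "remote error: tls: bad certificate" in the etcd log once the cluster starts.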

5. Install etcd

# install on all three hosts
ETCD_VER=v3.5.1
# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/test-etcd && mkdir -p /tmp/test-etcd
curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/test-etcd --strip-components=1
# sudo cp /tmp/test-etcd/etcd* [YOUR_EXEC_DIR]
# sudo mkdir -p /usr/local/bin/ && sudo cp /tmp/test-etcd/etcd* /usr/local/bin/
/tmp/test-etcd/etcd --version
# etcdctl v3.5 defaults to the v3 API; ETCDCTL_API=3 is kept for older versions
ETCDCTL_API=3 /tmp/test-etcd/etcdctl version

6. Run etcd with systemd

# delete this directory for a brand-new cluster; keep it when restarting an existing etcd
# rm -rf /tmp/etcd/data
# /tmp is used here to match the rest of the post; on a real cluster use a persistent
# data directory such as /var/lib/etcd, since /tmp may be cleared on reboot

etcd1 unit file

# --client-cert-auth and --peer-client-cert-auth make every client and peer present a
# certificate signed by etcd-root-ca; without them the CA only authenticates the server.
# The [Install] section is what "systemctl enable" hooks into.
cat > /tmp/etcd.service <<EOF
[Unit]
Description=etcd (etcd1)
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0
ExecStart=/tmp/test-etcd/etcd --name etcd1 \
--data-dir /tmp/etcd/data \
--listen-client-urls https://192.168.79.103:2379 \
--advertise-client-urls https://192.168.79.103:2379 \
--listen-peer-urls https://192.168.79.103:2380 \
--initial-advertise-peer-urls https://192.168.79.103:2380 \
--initial-cluster etcd1=https://192.168.79.103:2380,etcd2=https://192.168.79.104:2380,etcd3=https://192.168.79.105:2380 \
--initial-cluster-token tkn \
--initial-cluster-state new \
--client-cert-auth \
--trusted-ca-file /tmp/certs/etcd-root-ca.pem \
--cert-file /tmp/certs/server.pem \
--key-file /tmp/certs/server-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file /tmp/certs/etcd-root-ca.pem \
--peer-cert-file /tmp/certs/server.pem \
--peer-key-file /tmp/certs/server-key.pem

[Install]
WantedBy=multi-user.target
EOF

etcd2 unit file

cat > /tmp/etcd.service <<EOF
[Unit]
Description=etcd (etcd2)
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0
ExecStart=/tmp/test-etcd/etcd --name etcd2 \
--data-dir /tmp/etcd/data \
--listen-client-urls https://192.168.79.104:2379 \
--advertise-client-urls https://192.168.79.104:2379 \
--listen-peer-urls https://192.168.79.104:2380 \
--initial-advertise-peer-urls https://192.168.79.104:2380 \
--initial-cluster etcd1=https://192.168.79.103:2380,etcd2=https://192.168.79.104:2380,etcd3=https://192.168.79.105:2380 \
--initial-cluster-token tkn \
--initial-cluster-state new \
--client-cert-auth \
--trusted-ca-file /tmp/certs/etcd-root-ca.pem \
--cert-file /tmp/certs/server.pem \
--key-file /tmp/certs/server-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file /tmp/certs/etcd-root-ca.pem \
--peer-cert-file /tmp/certs/server.pem \
--peer-key-file /tmp/certs/server-key.pem

[Install]
WantedBy=multi-user.target
EOF

etcd3 unit file

cat > /tmp/etcd.service <<EOF
[Unit]
Description=etcd (etcd3)
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0
ExecStart=/tmp/test-etcd/etcd --name etcd3 \
--data-dir /tmp/etcd/data \
--listen-client-urls https://192.168.79.105:2379 \
--advertise-client-urls https://192.168.79.105:2379 \
--listen-peer-urls https://192.168.79.105:2380 \
--initial-advertise-peer-urls https://192.168.79.105:2380 \
--initial-cluster etcd1=https://192.168.79.103:2380,etcd2=https://192.168.79.104:2380,etcd3=https://192.168.79.105:2380 \
--initial-cluster-token tkn \
--initial-cluster-state new \
--client-cert-auth \
--trusted-ca-file /tmp/certs/etcd-root-ca.pem \
--cert-file /tmp/certs/server.pem \
--key-file /tmp/certs/server-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file /tmp/certs/etcd-root-ca.pem \
--peer-cert-file /tmp/certs/server.pem \
--peer-key-file /tmp/certs/server-key.pem

[Install]
WantedBy=multi-user.target
EOF

Parameter description

parameter                      meaning
name                           node name; must match this member's entry in --initial-cluster
data-dir                       data directory
listen-client-urls             URLs to listen on for client traffic
advertise-client-urls          client URLs advertised to the cluster, i.e. the service URL (normally the same as listen-client-urls)
listen-peer-urls               URLs to listen on for traffic from other members
initial-advertise-peer-urls    peer URLs advertised to the other members (normally the same as listen-peer-urls)
initial-cluster                all members of the initial cluster
initial-cluster-token          token that keeps members of this cluster from accidentally joining another cluster with the same names
client-cert-auth               require every client to present a certificate signed by trusted-ca-file
trusted-ca-file / cert-file / key-file   CA, certificate and private key for the client listener (2379)
peer-client-cert-auth          require every peer to present a certificate signed by peer-trusted-ca-file
peer-trusted-ca-file / peer-cert-file / peer-key-file   CA, certificate and private key for the peer listener (2380)

Start the service


sudo mv /tmp/etcd.service /etc/systemd/system/etcd.service
# to start service
sudo systemctl daemon-reload
sudo systemctl cat etcd.service
sudo systemctl enable etcd.service
sudo systemctl start etcd.service
# to get logs from service
sudo systemctl status etcd.service -l --no-pager
# sudo journalctl -u etcd.service -l --no-pager|less
# sudo journalctl -f -u etcd.service
# to stop service
# sudo systemctl stop etcd.service
# sudo systemctl disable etcd.service
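The unit files above run the binary out of /tmp as root with the private key readable by whoever can read /tmp/certs. The following added example (mine, not from the post or from etcd) generates a unit that runs etcd as a dedicated account with the sandboxing directives that exist in CentOS 7's systemd 219, and sets the file modes the key material should have. It assumes an etcd system user (useradd -r -s /sbin/nologin etcd), the binary in /usr/local/bin, certificates in /etc/etcd/pki and a data directory /var/lib/etcd created with install -d -o etcd -g etcd -m 0700 /var/lib/etcd; all of those paths and the function names are assumptions, while the etcd flags, node names and IPs are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post or the etcd project: an etcd
# unit that runs under a dedicated account with systemd sandboxing, plus the
# file permissions the key material should have, instead of running the
# binary from /tmp as root. Assumptions: an "etcd" system user exists, the
# binary was copied to /usr/local/bin, certificates to /etc/etcd/pki, and
# /var/lib/etcd exists and is owned by etcd. Node names and IPs are the post's.
set -eu

# write_unit OUT NAME IP: the post's flags, plus [Unit]/[Install] (without an
# [Install] section "systemctl enable" has nothing to hook) and hardening.
# ProtectSystem=full makes /usr, /boot and /etc read-only for the service;
# these directives are all available in systemd 219 (CentOS 7).
write_unit() {
    out="$1"; name="$2"; ip="$3"
    cat > "$out" <<EOF
[Unit]
Description=etcd key-value store ($name)
Documentation=https://github.com/etcd-io/etcd
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
User=etcd
Group=etcd
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0
# sandbox: read-only /usr /boot /etc, no setuid/capability gain, private /tmp, no /home
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
ExecStart=/usr/local/bin/etcd --name $name \\
  --data-dir /var/lib/etcd \\
  --listen-client-urls https://$ip:2379 \\
  --advertise-client-urls https://$ip:2379 \\
  --listen-peer-urls https://$ip:2380 \\
  --initial-advertise-peer-urls https://$ip:2380 \\
  --initial-cluster etcd1=https://192.168.79.103:2380,etcd2=https://192.168.79.104:2380,etcd3=https://192.168.79.105:2380 \\
  --initial-cluster-token tkn \\
  --initial-cluster-state new \\
  --client-cert-auth \\
  --trusted-ca-file /etc/etcd/pki/etcd-root-ca.pem \\
  --cert-file /etc/etcd/pki/server.pem \\
  --key-file /etc/etcd/pki/server-key.pem \\
  --peer-client-cert-auth \\
  --peer-trusted-ca-file /etc/etcd/pki/etcd-root-ca.pem \\
  --peer-cert-file /etc/etcd/pki/server.pem \\
  --peer-key-file /etc/etcd/pki/server-key.pem

[Install]
WantedBy=multi-user.target
EOF
}

# lock_down_keys DIR USER GROUP: private keys 0600, certs 0644, directory 0750,
# everything owned by the etcd account so only it (and root) can read the keys
lock_down_keys() {
    chown -R "$2:$3" "$1"
    chmod 0750 "$1"
    find "$1" -name '*-key.pem' -exec chmod 0600 {} +
    find "$1" -name '*.pem' ! -name '*-key.pem' -exec chmod 0644 {} +
}

# key_perm_ok FILE: true if the file is mode 0600 exactly
key_perm_ok() {
    [ -n "$(find "$1" -maxdepth 0 -perm 0600)" ]
}

# on a node (as root):
#   write_unit /etc/systemd/system/etcd.service etcd1 192.168.79.103
#   lock_down_keys /etc/etcd/pki etcd etcd
#   systemctl daemon-reload && systemctl enable --now etcd.service
```

The unit's ExecStart keeps the backslash continuations in the file (the heredoc writes `\\` as `\`), which systemd accepts; the per-node differences are only the name and IP passed to write_unit.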

7. Verify status

# every endpoint should report "is healthy"; the same server.pem doubles as the
# client certificate here because it was issued with "client auth"
ETCDCTL_API=3 /tmp/test-etcd/etcdctl \
--endpoints 192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379 \
--cacert /tmp/certs/etcd-root-ca.pem \
--cert /tmp/certs/server.pem \
--key /tmp/certs/server-key.pem \
endpoint health

8. Interact with etcd

# write
ETCDCTL_API=3 /tmp/test-etcd/etcdctl \
--endpoints 192.168.79.103:2379 \
--cacert /tmp/certs/etcd-root-ca.pem \
--cert /tmp/certs/server.pem \
--key /tmp/certs/server-key.pem \
put foo bar
# read
ETCDCTL_API=3 /tmp/test-etcd/etcdctl \
--endpoints 192.168.79.103:2379 \
--cacert /tmp/certs/etcd-root-ca.pem \
--cert /tmp/certs/server.pem \
--key /tmp/certs/server-key.pem \
get foo
# cluster information: which member is the leader, raft term, DB size, etc.
ETCDCTL_API=3 /tmp/test-etcd/etcdctl \
--endpoints 192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379 \
--cacert /tmp/certs/etcd-root-ca.pem \
--cert /tmp/certs/server.pem \
--key /tmp/certs/server-key.pem \
endpoint status --write-out=table

Benchmarking the etcd cluster with the benchmark tool

go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.io,direct
go get go.etcd.io/etcd/v3/tools/benchmark
# a benchmark binary is produced in $GOPATH/bin (with Go 1.18 or newer "go get" no
# longer installs binaries: clone https://github.com/etcd-io/etcd and run
# "go build ./tools/benchmark" instead)
# the cluster requires client certificates, so benchmark needs the same TLS flags as etcdctl
# write test
benchmark --endpoints=192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379 \
--cacert /tmp/certs/etcd-root-ca.pem --cert /tmp/certs/server.pem --key /tmp/certs/server-key.pem \
--conns=100 --clients=1000 \
put --key-size=8 --sequential-keys --total=100000 --val-size=256
# read test (linearizable reads)
benchmark --endpoints=192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379 \
--cacert /tmp/certs/etcd-root-ca.pem --cert /tmp/certs/server.pem --key /tmp/certs/server-key.pem \
--conns=100 --clients=1000 \
range foo --consistency=l --total=10000

References

http://play.etcd.io/install

https://github.com/etcd-io/etcd
