概述
集群信息
- node1 192.168.3.233
- node2 192.168.3.224
- node3 192.168.3.239
安装cfssl
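# Install the cfssl toolchain (release R1.2) into /bin.
# -f makes curl exit non-zero on an HTTP error instead of saving the error
# page as the "binary"; -S keeps that error visible even though -s is set.
# NOTE(review): nothing here verifies the downloads, and these tools go on to
# mint the cluster CA. Compare each file's SHA-256 with a digest obtained from
# a source you trust before using it, e.g. (placeholder value):
#   echo "<EXPECTED_SHA256>  /bin/cfssl" | sha256sum -c -
curl -fsS -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -fsS -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -fsS -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
# Name the three files explicitly so an unrelated /bin/cfssl* is not touched.
chmod +x /bin/cfssl /bin/cfssljson /bin/cfssl-certinfo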
安装etcd
yum install -y etcd
创建文件夹
mkdir -p /home/etcd/ssl
生成证书
进入 /home/etcd/ssl
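#!/bin/bash
# Generate a private CA and one shared etcd certificate with cfssl.
# Run from /home/etcd/ssl. Writes ca-config.json, ca-csr.json and
# server-csr.json, then produces ca.pem / ca-key.pem and
# server.pem / server-key.pem in the current directory.
set -euo pipefail

# Signing policy. The "www" profile allows both "server auth" and
# "client auth", so the single certificate issued below can be used as the
# etcd server cert, the peer cert and an etcdctl client cert.
# NOTE(review): 87600h is roughly ten years for both the CA and the leaf
# certificate; a leaked server-key.pem stays usable that long unless the CA
# is replaced. Consider a shorter leaf lifetime with planned rotation.
cat << 'EOF' | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# CSR for the self-signed CA.
cat << 'EOF' | tee ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Shenzhen",
      "ST": "Shenzhen"
    }
  ]
}
EOF

# CSR for the certificate shared by all members. "hosts" must list every
# cluster member IP: clients and peers verify the address they dial against
# this list. 127.0.0.1 is included because etcd.service on this page also
# listens on https://127.0.0.1:2379.
cat << 'EOF' | tee server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.3.233",
    "192.168.3.224",
    "192.168.3.239"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Nanjing",
      "ST": "Nanjing"
    }
  ]
}
EOF

# Create the CA key pair (ca.pem, ca-key.pem).
# ca-key.pem can sign certificates that every member will trust; etcd itself
# only needs ca.pem, so keep ca-key.pem off the cluster nodes once issuance
# is done.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

# Issue the shared certificate (server.pem, server-key.pem) under the
# "www" profile.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server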
设置权限
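# Give the etcd service account ownership of the TLS material, then make
# sure only that account can enter the directory and read the private keys.
chown -R etcd:etcd /home/etcd
chmod 700 /home/etcd/ssl
chmod 600 /home/etcd/ssl/*-key.pem
# NOTE(review): this also hands ca-key.pem to the etcd account. etcd.service
# only references ca.pem, server.pem and server-key.pem; move ca-key.pem to a
# location the service account cannot read.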
写配置文件
vim /etc/etcd/etcd.conf
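#[Member]
# Must be different on every node (etcd01 / etcd02 / etcd03, matching the
# names used in ETCD_INITIAL_CLUSTER).
# Comments are kept on their own lines because this file is loaded through
# systemd's EnvironmentFile=.
# NOTE(review): systemd may treat a trailing "# ..." after a value as part of
# the value rather than as a comment; confirm before re-adding inline comments.
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# Replace 192.168.3.233 with the IP of the node this file is installed on.
ETCD_LISTEN_PEER_URLS="https://192.168.3.233:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.3.233:2379"
#[Clustering]
# The two advertise URLs also carry this node's own IP.
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.3.233:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.3.233:2379"
# Identical on all nodes: name=peer-URL for every member.
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.3.233:2380,etcd02=https://192.168.3.224:2380,etcd03=https://192.168.3.239:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"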
写etcd.service
# vim /usr/lib/systemd/system/etcd.service
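[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
# The ETCD_* variables used in ExecStart come from this file. The leading
# "-" means a missing file is not treated as an error.
EnvironmentFile=-/etc/etcd/etcd.conf
User=etcd
# --client-cert-auth and --peer-client-cert-auth make etcd require a
# certificate signed by the trusted CA from every client and peer. Without
# them the CA files are configured but etcd does not demand a client
# certificate, so anyone who can reach ports 2379/2380 gets an encrypted but
# unauthenticated connection.
# --initial-cluster-state is taken from etcd.conf so that changing
# ETCD_INITIAL_CLUSTER_STATE there takes effect.
ExecStart=/usr/bin/etcd \
  --name=${ETCD_NAME} \
  --data-dir=${ETCD_DATA_DIR} \
  --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
  --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},https://127.0.0.1:2379 \
  --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
  --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
  --initial-cluster=${ETCD_INITIAL_CLUSTER} \
  --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
  --initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
  --cert-file=/home/etcd/ssl/server.pem \
  --key-file=/home/etcd/ssl/server-key.pem \
  --client-cert-auth \
  --trusted-ca-file=/home/etcd/ssl/ca.pem \
  --peer-cert-file=/home/etcd/ssl/server.pem \
  --peer-key-file=/home/etcd/ssl/server-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file=/home/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target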
启动
启动前需要先把配置文件和ssl证书文件复制到其他节点(配置文件中的节点名和ip按节点修改),然后各节点一起启动;只启动单个节点是启动不了的。etcd.service 只引用 ca.pem、server.pem、server-key.pem,ca-key.pem 不需要复制到其他节点
systemctl start etcd
etcdctl API v2,注意把证书和密钥路径改成自己的
vim ~/.bashrc
# etcdctl wrapper using the v2-style TLS flags (--cert-file / --key-file /
# --ca-file): every call goes to the given endpoint over HTTPS and presents
# a client certificate.
# NOTE(review): the endpoint (192.168.3.211) and the /k8s/etcd/... paths are
# not the ones used elsewhere on this page (/home/etcd/ssl and
# 192.168.3.233/224/239); substitute your own values.
# NOTE(review): the alias reuses the server's key pair as the client identity,
# so whoever can read this key can also impersonate the server.
alias etcdctl="/k8s/etcd/bin/etcdctl --endpoints=https://192.168.3.211:2379 --cert-file=/k8s/etcd/ssl/server.pem --key-file=/k8s/etcd/ssl/server-key.pem --ca-file=/k8s/etcd/ssl/ca.pem"
source ~/.bashrc
etcdctl cluster-health
etcdctl API v3,注意把证书和密钥路径改成自己的
# vim ~/.bashrc
# Two wrappers around the same etcdctl binary, one per API version.
# ETCDCTL_API selects the API; the TLS flag names differ between the two
# (--cacert/--cert/--key for v3, --ca-file/--cert-file/--key-file for v2).
# NOTE(review): the endpoints (192.168.3.142-144) and the /etc/ssl/etcd/ssl
# paths are not the ones used elsewhere on this page; substitute your own
# cluster addresses and certificate files.
alias etcdv3="ETCDCTL_API=3 etcdctl --endpoints https://192.168.3.142:2379,https://192.168.3.143:2379,https://192.168.3.144:2379 --cacert=/etc/ssl/etcd/ssl/ca.pem --cert=/etc/ssl/etcd/ssl/node-test-master01.pem --key=/etc/ssl/etcd/ssl/node-test-master01-key.pem"
alias etcdv2="ETCDCTL_API=2 etcdctl --endpoints https://192.168.3.142:2379,https://192.168.3.143:2379,https://192.168.3.144:2379 --ca-file=/etc/ssl/etcd/ssl/ca.pem --cert-file=/etc/ssl/etcd/ssl/node-test-master01.pem --key-file=/etc/ssl/etcd/ssl/node-test-master01-key.pem"
source ~/.bashrc
查看集群状态
etcdv3 endpoint status --write-out=table
查看etcd的所有key
etcdv3 get / --prefix --keys-only
etcdv2 数据备份和恢复(不要与v3混用,未测试)
备份
# v2 backup: copies the data directory given by --data-dir into --backup-dir.
# NOTE(review): etcd.conf on this page sets
# ETCD_DATA_DIR=/var/lib/etcd/default.etcd, so --data-dir probably needs that
# path rather than /var/lib/etcd; confirm.
# NOTE(review): the backup contains the cluster's stored data and /tmp is a
# shared directory; prefer a destination only root can read.
etcdv2 backup --data-dir /var/lib/etcd --backup-dir /tmp/etcd_backup
恢复
把数据复制到 /var/lib/etcd
# Start a new single-member cluster from the copied data.
# NOTE(review): -data-dir and -force-new-cluster are options of the etcd
# server, not of etcdctl, while etcdv2 is an etcdctl alias. This line
# presumably should start the etcd binary instead; confirm (the author marks
# this section as untested).
etcdv2 -data-dir=/var/lib/etcd -force-new-cluster
etcdv3 数据备份与恢复,已测试
吐槽下,网上好多etcd的数据备份与恢复,写的方法总体来说都是对的,但是有些细节部分没有写完整,导致各种恢复失败
- 备份(只需要在一个节点执行)
恢复的时候必须恢复当前节点的数据,不要通过复制的方式进行
# Save a point-in-time snapshot of the v3 keyspace from one member.
# The snapshot holds every key and value in the cluster, so treat the file
# like the data itself: /tmp is a shared directory, and a root-only location
# is a safer place to keep it.
# The result can be checked afterwards with `etcdctl snapshot status`.
etcdv3 snapshot save /tmp/snapshot.db
- 恢复
- 停止所有的etcd集群,(每个节点都要执行)
systemctl stop etcd
- 找到etcd文件存储位置,移动文件夹(模拟文件丢失)
mv /var/lib/etcd /var/lib/etcd_back
- 分发备份文件
# Copy the snapshot to the other cluster members so that each node can
# restore from the same file.
# NOTE(review): 192.168.3.168 and 192.168.3.170 are not in the node list at
# the top of this page (192.168.3.233/224/239); use the addresses of your own
# remaining members.
scp /tmp/snapshot.db 192.168.3.168:/tmp
scp /tmp/snapshot.db 192.168.3.170:/tmp
- 恢复etcd数据(每个节点都要执行)
注意修改,name, data-dir ,initial-advertise-peer-urls,initial-cluster,initial-cluster-token,必须与首次安装时的参数一致(需要与/etc/etcd/etcd.conf 配置一致)
一定要修改etcd文件夹权限(systemd启动时设置的etcd用户和用户组),否则etcd无法启动,而且报的错误也比较诡异
#vim restore.sh(编写恢复脚本,方便修改参数,注意每个节点的配置不一样)
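#!/bin/bash
# Restore this member's data directory from the v3 snapshot.
# The values below are for node1 (etcd01, 192.168.3.233) and mirror
# /etc/etcd/etcd.conf as shown on this page. The restore must use the same
# name, peer URL, cluster map and token as the original installation.
# On the other nodes change --name and --initial-advertise-peer-urls to that
# node's own values; --initial-cluster and --initial-cluster-token stay the
# same everywhere.
set -eu
export ETCDCTL_API=3
etcdctl snapshot restore /tmp/snapshot.db \
  --name=etcd01 \
  --data-dir=/var/lib/etcd/default.etcd \
  --initial-advertise-peer-urls=https://192.168.3.233:2380 \
  --initial-cluster=etcd01=https://192.168.3.233:2380,etcd02=https://192.168.3.224:2380,etcd03=https://192.168.3.239:2380 \
  --initial-cluster-token=etcd-cluster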
## 执行
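# Run the restore; the data is written to the --data-dir set in restore.sh.
sh restore.sh
# The restore ran as root, so hand the result back to the account that
# etcd.service runs as (User=etcd); otherwise etcd cannot start.
# The whole of /var/lib/etcd is covered, not only default.etcd, because the
# directory was moved away in an earlier step.
# NOTE(review): the restore presumably recreates that parent directory as
# root as well; confirm on your etcd version.
chown -R etcd:etcd /var/lib/etcd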
- 等三个节点数据恢复完成,再依次启动etcd(每个节点都要执行)
systemctl start etcd