
ETCD with CFSSL

Uncategorized | admin | 442 views | 0 comments

cfssl is the CA tooling officially recommended by etcd for generating certificates.
curl -s -L -o /usr/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /usr/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x /usr/bin/{cfssl,cfssljson}

ca-config.json

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "danny": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}

ca-csr.json

{
  "CN": "danny",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "danny",
      "OU": "etcd"
    }
  ]
}

etcd-csr.json

{
  "CN": "danny",
  "hosts": [
    "127.0.0.1",
    "192.168.136.128",
    "192.168.136.129",
    "192.168.136.130",
    "192.168.136.131",
    "192.168.136.132"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "danny",
      "OU": "etcd"
    }
  ]
}

Commands to generate the certificates
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=danny etcd-csr.json | cfssljson -bare etcd

chmod +x cfssl-certinfo_linux-amd64

4. Service configuration file

vim /usr/lib/systemd/system/etcd.service. The configuration differs on each of the three machines; replace the IP address and name accordingly.
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd
ExecStart=/usr/local/bin/etcd \
--data-dir=/var/lib/etcd \
--name=master1 \
--cert-file=/etc/etcd/pki/server.pem \
--key-file=/etc/etcd/pki/server-key.pem \
--trusted-ca-file=/etc/etcd/pki/ca.pem \
--peer-cert-file=/etc/etcd/pki/peer.pem \
--peer-key-file=/etc/etcd/pki/peer-key.pem \
--peer-trusted-ca-file=/etc/etcd/pki/ca.pem \
--listen-peer-urls=https://192.168.255.131:2380 \
--initial-advertise-peer-urls=https://192.168.255.131:2380 \
--listen-client-urls=https://192.168.255.131:2379,http://127.0.0.1:2379 \
--advertise-client-urls=https://192.168.255.131:2379 \
--initial-cluster-token=etcd-cluster-0 \
--initial-cluster=master1=https://192.168.255.131:2380,master2=https://192.168.255.132:2380,master3=https://192.168.255.133:2380 \
--initial-cluster-state=new \
--heartbeat-interval=250 \
--election-timeout=2000
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

--name: a human-readable node name; defaults to default. It must be unique within the cluster; the hostname is a reasonable choice.
--data-dir: path where the service stores its data; defaults to ${name}.etcd

--snapshot-count: the number of committed transactions after which a snapshot is taken and written to disk
--heartbeat-interval: how often the leader sends a heartbeat to the followers. The default is 100 ms
--election-timeout: the timeout before a new election; if a follower receives no heartbeat within this interval it triggers a new election. The default is 1000 ms

--listen-peer-urls: the address used to communicate with the other nodes in the cluster, http://ip:2380; separate multiple addresses with commas. Every node must be able to reach it, so do not use localhost!
--listen-client-urls: the address on which the node talks to clients, e.g. http://ip:2379,http://127.0.0.1:2379; clients connect here to interact with etcd
--advertise-client-urls: the client listen address this node announces externally, http://ip:2379; this value is communicated to the other nodes in the cluster

--initial-advertise-peer-urls: the address this node uses to communicate with the other nodes, announced to the other cluster members. Cluster data is transferred over this address, so it must be reachable by every member of the cluster: http://ip:2380

--initial-cluster: the membership of the whole cluster, in the form node1=http://ip1:2380,node2=http://ip2:2380,…. Note: node1 here is the name given by that node's --name; ip1:2380 is the value given by its --initial-advertise-peer-urls
--initial-cluster-state: new when creating a new cluster; existing when joining a cluster that already exists
--initial-cluster-token: the token used when creating the cluster; it must be unique per cluster. That way, if you recreate a cluster, even with exactly the same configuration as before, a fresh cluster and fresh node UUIDs are generated; otherwise conflicts between clusters can cause unpredictable errors

All options beginning with --initial are used only when bootstrapping the cluster; they are ignored when a node restarts later.
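The two things that most often break a TLS-enabled etcd cluster built this way are a certificate whose SANs do not cover every address the unit file serves or advertises, and a signing profile that lacks "server auth" or "client auth" (the same etcd.pem is used here as both the client-facing server certificate and the peer certificate, so it needs both). The following added pre-flight check is not part of the original post or of cfssl/etcd; it parses a cfssl ca-config.json, an etcd CSR and a systemd unit, and reports the gaps. The three inline inputs are constructed samples shaped like the files above (note that the sample unit deliberately lists one peer on 192.168.255.x while the CSR hosts are on 192.168.136.x, to show the mismatch being caught). Flag names and file layout follow the page; the function names are this example's own.

```python
"""Pre-flight check: will the cfssl-issued certificate satisfy the addresses in the etcd unit?"""
import json
import re
from urllib.parse import urlsplit

# Constructed sample inputs (same shape as the files on the page, not the author's own).
CA_CONFIG = """{
  "signing": {
    "default": {"expiry": "87600h"},
    "profiles": {
      "danny": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}"""

ETCD_CSR = """{
  "CN": "danny",
  "hosts": ["127.0.0.1", "192.168.136.128", "192.168.136.129", "192.168.136.130"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "danny", "OU": "etcd"}]
}"""

# Constructed unit fragment; the third peer's address is deliberately outside the CSR hosts.
ETCD_UNIT = """[Service]
ExecStart=/usr/bin/etcd \\
--name node1 \\
--client-cert-auth \\
--listen-peer-urls https://192.168.136.128:2380 \\
--initial-advertise-peer-urls https://192.168.136.128:2380 \\
--listen-client-urls https://192.168.136.128:2379,https://127.0.0.1:2379 \\
--advertise-client-urls https://192.168.136.128:2379 \\
--initial-cluster node1=https://192.168.136.128:2380,node2=https://192.168.136.129:2380,node3=https://192.168.255.133:2380 \\
--initial-cluster-state new
"""

# Flags whose URLs a TLS peer or client will verify against the certificate's SANs.
URL_FLAGS = ("listen-peer-urls", "initial-advertise-peer-urls",
             "listen-client-urls", "advertise-client-urls", "initial-cluster")


def parse_flags(unit_text):
    """Join the backslash-continued ExecStart line and return {flag: value}.

    Boolean flags such as --client-cert-auth carry no value and are skipped;
    both '--flag=value' and '--flag value' spellings are accepted.
    """
    joined = unit_text.replace("\\\n", " ")
    flags = {}
    for m in re.finditer(r"--([a-z-]+)(?:=|\s+)(?!--)(\S+)", joined):
        flags[m.group(1)] = m.group(2)
    return flags


def hosts_from_unit(unit_text):
    """Every https host this node serves or advertises, plus the peers in --initial-cluster.

    Peers are included because the page installs one shared etcd.pem on every node,
    so that single certificate must name every member's address.
    """
    hosts = set()
    flags = parse_flags(unit_text)
    for flag in URL_FLAGS:
        for item in filter(None, flags.get(flag, "").split(",")):
            url = item.split("=", 1)[1] if flag == "initial-cluster" else item
            parts = urlsplit(url)
            if parts.scheme == "https" and parts.hostname:
                hosts.add(parts.hostname)
    return hosts


def check_san_coverage(csr_json, unit_text):
    """Return the hosts the unit needs that the CSR would not place in the certificate's SANs."""
    sans = set(json.loads(csr_json).get("hosts", []))
    # A wildcard bind is not a name a client connects to, so it needs no SAN.
    needed = {h for h in hosts_from_unit(unit_text) if h != "0.0.0.0"}
    return needed - sans


def check_profile(ca_config_json, profile):
    """Return the key usages missing from a profile that must serve both client and peer TLS."""
    cfg = json.loads(ca_config_json)
    usages = set(cfg["signing"]["profiles"][profile]["usages"])
    return {"server auth", "client auth"} - usages


if __name__ == "__main__":
    print("SANs missing from etcd-csr.json:", sorted(check_san_coverage(ETCD_CSR, ETCD_UNIT)))
    print("usages missing from profile 'danny':", sorted(check_profile(CA_CONFIG, "danny")))
```

Run it against the real files by reading them in place of the three constants; any host it reports must be added to "hosts" in etcd-csr.json and the certificate re-issued before the unit is started, otherwise peers and etcdctl will reject the handshake with a name-mismatch error.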

Check whether the cluster is healthy
etcdctl \
--ca-file=/etc/etcd/ssl/ca.pem \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--endpoints=https://192.168.136.128:2379,https://192.168.136.129:2379,https://192.168.136.130:2379 \
cluster-health

etcdctl \
--ca-file=/etc/etcd/ssl/ca.pem \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--endpoints=https://node0:2379,https://node1:2379,https://node2:2379 \
cluster-health

[Unit]
Description=etcd server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd \
--name node3 \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
--initial-advertise-peer-urls https://192.168.136.130:2380 \
--listen-peer-urls https://192.168.136.130:2380 \
--listen-client-urls https://0.0.0.0:2379 \
--advertise-client-urls https://192.168.136.130:2379 \
--initial-cluster-token etcd-cluster \
--initial-cluster node1=https://192.168.136.128:2380,node2=https://192.168.136.129:2380,node3=https://192.168.136.130:2380 \
--initial-cluster-state new \
--data-dir=/data/etcd/
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

- path: /etc/environment
  permissions: 0644
  content: |
    export ETCDCTL_CA_FILE=/etc/etcd/ssl/ca.pem
    export ETCDCTL_CERT_FILE=/etc/etcd/ssl/etcd.pem
    export ETCDCTL_KEY_FILE=/etc/etcd/ssl/etcd-key.pem
    export ETCDCTL_ENDPOINT=https://127.0.0.1:2379

etcdctl member add node4 http://192.168.136.131:2379

./etcd --name node5 --listen-client-urls http://127.0.0.1:2179 --advertise-client-urls http://127.0.0.1:2179 --listen-peer-urls http://127.0.0.1:2180 --initial-advertise-peer-urls http://127.0.0.1:2180 --initial-cluster-state existing --initial-cluster cd2=http://127.0.0.1:2580,cd0=http://127.0.0.1:2380,cd3=http://127.0.0.1:2180,cd1=http://127.0.0.1:2480 --initial-cluster-token etcd-cluster-1

/usr/bin/etcd \
--name node5 \
--client-cert-auth \
--peer-client-cert-auth \
--auto-tls \
--peer-auto-tls \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
--initial-advertise-peer-urls https://192.168.136.132:2380 \
--listen-peer-urls https://192.168.136.132:2380 \
--listen-client-urls https://192.168.136.132:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://192.168.136.132:2379 \
--initial-cluster-token etcd-cluster \
--initial-cluster node1=https://192.168.136.128:2380,node2=https://192.168.136.129:2380,node3=https://192.168.136.130:2380,node5=https://192.168.136.132:2380 \
--initial-cluster-state existing \
--data-dir=/data/etcd/

tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": [
    "https://1nj0zren.mirror.aliyuncs.com",
    "https://docker.mirrors.ustc.edu.cn",
    "http://f1361db2.m.daocloud.io",
    "https://registry.docker-cn.com"
  ]
}
EOF

Please credit when reposting: Danny » ETCD with CFSSL
