Installing and configuring etcd v3.4.8 on a single host
1 Requirements
While learning and testing, resource limits often mean there are not enough machines to satisfy the recommended installation requirements. To keep overhead as low as possible, the configuration is simplified so that the complete set of tests can still be run on limited resources; a single-node setup therefore becomes necessary.
1. Network IP plan
Host IP: 192.168.137.131  Hostname: test
2. Host initialization
# /etc/hostname holds only the bare name; /etc/sysconfig/network uses the HOSTNAME= key
echo test > /etc/hostname
sed -i '$a\HOSTNAME=test' /etc/sysconfig/network && hostnamectl set-hostname test
hosts resolution
cat >>/etc/hosts<<EOF
192.168.137.131 test
EOF
Disable SELinux
# match whatever the current mode is (enforcing or permissive), then switch off at runtime
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/sysconfig/selinux
setenforce 0
Disable swap
Comment out the swap line in /etc/fstab
sed -i 's/\/dev\/mapper\/centos-swap/#\/dev\/mapper\/centos-swap/g' /etc/fstab
Disable the firewall
systemctl stop firewalld && systemctl disable firewalld
Enable forwarding
iptables -P FORWARD ACCEPT
Configure forwarding parameters
cat >> /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
Load the parameters
sysctl --system
Load the ipvs kernel modules
# these must be loaded again after every reboot
modprobe ip_vs
modprobe ip_vs_rr
modprobe ip_vs_wrr
modprobe ip_vs_sh
modprobe nf_conntrack_ipv4
lsmod | grep ip_vs
3. Download and set up etcd
Download the etcd package using the script provided upstream; this example trims it down.
Download URL: https://github.com/etcd-io/etcd/releases/
Create the working directories
mkdir /opt/etcd/{cfg,bin,ssl} -p
Modified version of the upstream download script
[root@test1 ~]# cat etcddown.sh
ETCD_VER=v3.4.8
# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test
curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
mv /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz /opt/etcd/   ### adjust the destination to taste
Run the script to download the package.
Copy the downloaded package to your chosen directory and unpack it
tar -zxvf etcd-v3.4.8-linux-amd64.tar.gz && cd etcd-v3.4.8-linux-amd64
[root@test1 etcd-v3.4.8-linux-amd64]# ll
total 40540
drwxr-xr-x. 14 630384594 600260513 4096 May 18 15:39 Documentation
-rwxr-xr-x 1 630384594 600260513 23827424 May 18 15:39 etcd
-rwxr-xr-x 1 630384594 600260513 17612384 May 18 15:39 etcdctl
-rw-r--r-- 1 630384594 600260513 43094 May 18 15:39 README-etcdctl.md
-rw-r--r-- 1 630384594 600260513 8431 May 18 15:39 README.md
-rw-r--r-- 1 630384594 600260513 7855 May 18 15:39 READMEv2-etcdctl.md
Copy the two binaries etcd and etcdctl into etcd's executable directory /opt/etcd/bin
[root@test1 etcd-v3.4.8-linux-amd64]# pwd
/opt/etcd/etcd-v3.4.8-linux-amd64
[root@test1 etcd-v3.4.8-linux-amd64]# mv ./etcd ./etcdctl /opt/etcd/bin/
If the unpacked files are not executable, add the execute bit
chmod +x /opt/etcd/bin/*
Create symlinks
ln -s /opt/etcd/bin/etcd /usr/bin/etcd
ln -s /opt/etcd/bin/etcdctl /usr/bin/etcdctl
4. Download and set up cfssl; it only needs to be placed in the desired directory and made executable
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
Create a working directory and the PKI files
mkdir -p $HOME/ssl && cd $HOME/ssl
cat >ca-config.json<<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
Generate the root CA certificate; it is needed when generating certificates for the other components
cd $HOME/ssl
cat >ca-csr.json<<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
EOF
Generate the certificate:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
In this guide the root CA files were copied to /root/etcd_ssl
Add the certificate to the trusted list
If it is not added to the Linux trust store, commands have to be given the certificate explicitly; once it is added, this is no longer needed
cat ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
Generate the etcd certificate
cd $HOME/ssl
cat >etcd-csr.json<<EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.137.131"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "etcd",
      "OU": "Etcd Security"
    }
  ]
}
EOF
Generate the certificate:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
Copy the etcd certificate into its dedicated directory
mkdir -p /etc/etcd/cert/
cp etcd*.pem /etc/etcd/cert/
chmod 777 /etc/etcd/cert/*
Add the certificate to the Linux trust store
cat etcd.pem >> /etc/pki/tls/certs/ca-bundle.crt
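Before the service is started it is worth confirming what cfssl actually produced, since a certificate that does not chain to ca.pem, lacks the server/client extended key usages requested by the "kubernetes" profile, or is missing a SAN for an address etcd listens on will only show up as TLS handshake failures later. The script below is an added example and not part of the original post: verify_etcd_cert performs those three checks with openssl on any CA/leaf pair (pass $HOME/ssl/ca.pem and etcd.pem plus the IPs from etcd-csr.json), and make_test_pki builds a throwaway CA and two leaves with openssl (constructed here, not cfssl output) so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post. verify_etcd_cert checks the cfssl
# output before etcd is started: the leaf must chain to the CA, carry the
# serverAuth and clientAuth extended key usages that the "kubernetes" profile
# requests, and list every IP etcd is reached on as a SAN. make_test_pki builds a
# throwaway CA and two leaves with openssl (constructed here, not cfssl output)
# so the check can be exercised offline; for real files use ca.pem and etcd.pem.

# Usage: verify_etcd_cert CA.pem CERT.pem IP...  -> exit 0 only if all checks pass
verify_etcd_cert() {
  ca="$1"; cert="$2"; shift 2
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca" >&2; return 1
  fi
  text=$(openssl x509 -in "$cert" -noout -text)
  for use in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
    case "$text" in
      *"$use"*) ;;
      *) echo "FAIL: $cert lacks extended key usage: $use" >&2; return 1 ;;
    esac
  done
  # One SAN IP per line, so a prefix such as 192.168.137.13 cannot match .131
  sans=$(printf '%s\n' "$text" | grep 'IP Address:' | tr ',' '\n' | sed 's/^ *IP Address://')
  for ip in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF "$ip"; then
      echo "FAIL: $cert has no SAN for IP $ip" >&2; return 1
    fi
  done
  echo "OK: $cert chains to $ca, has server+client EKU, SANs cover: $*"
}

# Constructed test PKI in directory $1: ca.pem, etcd.pem (SANs 127.0.0.1 and
# 192.168.137.131 as in the post's etcd-csr.json), and nosan.pem (no extensions).
make_test_pki() {
  d="$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=kubernetes" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=etcd" \
    -keyout "$d/etcd-key.pem" -out "$d/etcd.csr" 2>/dev/null
  printf 'subjectAltName=IP:127.0.0.1,IP:192.168.137.131\nextendedKeyUsage=serverAuth,clientAuth\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/etcd.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
    -days 1 -sha256 -extfile "$d/ext.cnf" -out "$d/etcd.pem" 2>/dev/null
  openssl x509 -req -in "$d/etcd.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
    -days 1 -sha256 -out "$d/nosan.pem" 2>/dev/null
}

if [ "$#" -ge 3 ]; then
  verify_etcd_cert "$@"   # e.g. ./check.sh ca.pem etcd.pem 127.0.0.1 192.168.137.131
else
  t=$(mktemp -d)
  make_test_pki "$t"
  verify_etcd_cert "$t/ca.pem" "$t/etcd.pem" 127.0.0.1 192.168.137.131
  verify_etcd_cert "$t/ca.pem" "$t/nosan.pem" 127.0.0.1 || echo "(nosan.pem rejected, as intended)"
  rm -rf "$t"
fi
```

Run it with no arguments to see the constructed good and bad leaves checked, or with `ca.pem etcd.pem 127.0.0.1 192.168.137.131` from $HOME/ssl to check the real output. The SAN check matters for this post in particular because the unit file later points clients at both 127.0.0.1 and 192.168.137.131; a certificate that covers only one of them would pass `openssl verify` and still fail the hostname check in etcdctl.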
5. Configure the etcd startup unit
Configure environment variables
cat >> /etc/profile << EOF
export ETCD_NAME=$(hostname)
export INTERNAL_IP=$(hostname -i | awk '{print $NF}')
export ECTD_CLUSTER='test=https://192.168.137.131:2380'
EOF
source /etc/profile
Configure the startup file
The unit file in this post enables TLS for the client-facing side (server and client) as well as for server and client authentication between cluster peers, so etcdctl must present a client certificate when connecting.
Create the working directory
mkdir -p /data/etcd
(--cert-file and --key-file are the etcd certificate and key; --trusted-ca-file and --peer-trusted-ca-file point at the root CA. Keep explanatory comments out of the ExecStart= continuation lines, because systemd joins those lines and would hand the comment text to etcd as arguments.)
cat > /etc/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=notify
WorkingDirectory=/data/etcd
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/opt/etcd/bin/etcd \\
  --name ${ETCD_NAME} \\
  --cert-file=/etc/etcd/cert/etcd.pem \\
  --key-file=/etc/etcd/cert/etcd-key.pem \\
  --peer-cert-file=/etc/etcd/cert/etcd.pem \\
  --peer-key-file=/etc/etcd/cert/etcd-key.pem \\
  --trusted-ca-file=/root/etcd_ssl/ca.pem \\
  --peer-trusted-ca-file=/root/etcd_ssl/ca.pem \\
  --initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \\
  --listen-peer-urls https://${INTERNAL_IP}:2380 \\
  --listen-client-urls https://${INTERNAL_IP}:2379,http://127.0.0.1:2379 \\
  --advertise-client-urls https://${INTERNAL_IP}:2379 \\
  --initial-cluster-token my-etcd-token \\
  --initial-cluster ${ECTD_CLUSTER} \\
  --initial-cluster-state new \\
  --data-dir=/data/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
Start etcd
systemctl daemon-reload
systemctl start etcd
systemctl status etcd
systemctl enable etcd
Check the etcd status
[root@test1 ssl]# etcdctl member list
2eb105a43f6773f2, started, test, https://192.168.137.131:2380, https://192.168.137.131:2379, false
[root@test1 ssl]# etcdctl endpoint health
127.0.0.1:2379 is healthy: successfully committed proposal: took = 1.192654ms
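Two details of the unit file above and of the status check deserve a closer look from a security standpoint. The ExecStart line loads the CA with --trusted-ca-file and --peer-trusted-ca-file, but it does not pass --client-cert-auth=true or --peer-client-cert-auth=true, so etcd presents its certificate to clients without demanding one back; and --listen-client-urls keeps a plaintext http://127.0.0.1:2379 listener, which is why `etcdctl member list` and `etcdctl endpoint health` succeed with no certificate flags at all (they talk to etcd over loopback without TLS). The script below is an added example, not code from the post: it extracts the ExecStart flags from a unit file, reports those three weak settings, and renders a hardened ExecStart for the post's node (name test, IP 192.168.137.131, certs under /etc/etcd/cert, CA at /root/etcd_ssl/ca.pem, all taken from the post). The sample unit it audits is constructed inline from the post's configuration so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the TLS-related flags in an
# etcd unit's ExecStart line and render a hardened flag set. The sample unit is
# constructed inline from the post's configuration (name test, IP 192.168.137.131,
# /etc/etcd/cert, /root/etcd_ssl/ca.pem) so everything runs offline.

# Print the ExecStart= value of a unit file, joining "\" line continuations.
execstart_flags() {
  awk '
    /^ExecStart=/ { on = 1; sub(/^ExecStart=/, "") }
    on {
      cont = ($0 ~ /\\[ \t]*$/)
      sub(/\\[ \t]*$/, "")
      out = out " " $0
      if (!cont) { print out; exit }
    }' "$1"
}

# Value of a "--flag value" or "--flag=value" option in a flag string.
flag_value() {
  printf '%s\n' "$1" | awk -v f="$2" '{
    for (i = 1; i <= NF; i++) {
      if ($i == f) { print $(i + 1); exit }
      if (index($i, f "=") == 1) { print substr($i, length(f) + 2); exit }
    }
  }'
}

# "true" if a boolean flag is enabled ("--flag" or "--flag=true", the only forms
# the Go flag package accepts for booleans), otherwise empty.
bool_flag() {
  printf '%s\n' "$1" | awk -v f="$2" '{
    for (i = 1; i <= NF; i++) if ($i == f || $i == f "=true") { print "true"; exit }
  }'
}

# Write each weak setting to stderr; print the number of findings to stdout.
audit_etcd_unit() {
  flags=$(execstart_flags "$1")
  n=0
  v=$(flag_value "$flags" --listen-client-urls)
  case "$v" in
    *http://*) echo "WARN: plaintext client listener in --listen-client-urls ($v)" >&2; n=$((n + 1)) ;;
  esac
  if [ "$(bool_flag "$flags" --client-cert-auth)" != true ]; then
    echo "WARN: --client-cert-auth=true missing: clients verify etcd, but etcd does not verify clients" >&2
    n=$((n + 1))
  fi
  if [ "$(bool_flag "$flags" --peer-client-cert-auth)" != true ]; then
    echo "WARN: --peer-client-cert-auth=true missing: peer port accepts any TLS client" >&2
    n=$((n + 1))
  fi
  echo "$n"
}

# Hardened ExecStart for the post's single node: TLS only, mutual TLS on both the
# client and the peer port. Arguments: name, ip, cert directory, CA file.
hardened_execstart() {
  cat <<EOF
ExecStart=/opt/etcd/bin/etcd \\
  --name $1 \\
  --cert-file=$3/etcd.pem --key-file=$3/etcd-key.pem \\
  --peer-cert-file=$3/etcd.pem --peer-key-file=$3/etcd-key.pem \\
  --trusted-ca-file=$4 --peer-trusted-ca-file=$4 \\
  --client-cert-auth=true --peer-client-cert-auth=true \\
  --listen-peer-urls https://$2:2380 --initial-advertise-peer-urls https://$2:2380 \\
  --listen-client-urls https://$2:2379,https://127.0.0.1:2379 \\
  --advertise-client-urls https://$2:2379 \\
  --initial-cluster $1=https://$2:2380 --initial-cluster-state new \\
  --data-dir=/data/etcd
EOF
}

# Constructed sample: the TLS-relevant part of the post's unit, as written.
make_sample_unit() {
  cat > "$1" <<'EOF'
[Service]
ExecStart=/opt/etcd/bin/etcd \
  --name test \
  --cert-file=/etc/etcd/cert/etcd.pem \
  --key-file=/etc/etcd/cert/etcd-key.pem \
  --trusted-ca-file=/root/etcd_ssl/ca.pem \
  --listen-client-urls https://192.168.137.131:2379,http://127.0.0.1:2379 \
  --advertise-client-urls https://192.168.137.131:2379 \
  --data-dir=/data/etcd
Restart=on-failure
EOF
}

tmp=$(mktemp -d)
make_sample_unit "$tmp/etcd.service"
printf 'post unit: %s finding(s)\n' "$(audit_etcd_unit "$tmp/etcd.service")"
{ echo '[Service]'; hardened_execstart test 192.168.137.131 /etc/etcd/cert /root/etcd_ssl/ca.pem; } > "$tmp/hardened.service"
printf 'hardened unit: %s finding(s)\n' "$(audit_etcd_unit "$tmp/hardened.service")"
rm -rf "$tmp"
```

With the hardened flags in place, the status check from the post has to carry the client identity and the CA, for example `etcdctl --endpoints=https://192.168.137.131:2379 --cacert=/root/etcd_ssl/ca.pem --cert=/etc/etcd/cert/etcd.pem --key=/etc/etcd/cert/etcd-key.pem endpoint health`; for a single-node lab the server certificate doubles as the client certificate because the post's profile includes both "server auth" and "client auth". Because the loopback listener is then https://127.0.0.1:2379, the 127.0.0.1 SAN in etcd-csr.json is what makes that work. The same reasoning argues for `chmod 600 /etc/etcd/cert/etcd-key.pem` instead of the 777 used above: with mutual TLS, whoever can read that key can authenticate to etcd.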