### Introduction to etcd
etcd is a highly reliable key-value store, commonly used in distributed systems to hold critical data; Kubernetes, for example, keeps its cluster state in it.
It has the following characteristics:
- Simple: a well-defined, user-facing API
- Secure: supports SSL certificate verification
- Fast: benchmarked at 10,000+ writes per second
- Reliable: uses the Raft protocol to guarantee availability and consistency of data across the distributed system.
### Deploying a three-node cluster with TLS
This guide uses etcd v3.5.4.

Hosts:
- k8snode1: 192.168.8.203
- k8snode2: 192.168.8.204
- k8snode3: 192.168.8.205

etcd download: https://github.com/etcd-io/etcd/releases
cfssl download: https://github.com/cloudflare/cfssl/releases

```bash
# -O (capital) names the downloaded file; wget's -o would write its log there instead,
# and the second download must be saved as cfssljson, not over cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -O cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -O cfssljson
chmod +x cfssl cfssljson
```

#### Generate the etcd CA and the etcd server certificate and key

```bash
# CA signing policy: 10-year validity, one profile usable for both server and client auth
cat > ca-config.json << EOF
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ]
      }
    }
  }
}
EOF

cat > ca-csr.json << EOF
{
  "CN": "etcd CA",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing" } ]
}
EOF

# Produces ca.pem, ca-key.pem and ca.csr
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```

If the cluster may be expanded later, either list a few spare IPs in `hosts` now, or add the new IPs when expanding, regenerate the certificate and restart the etcd cluster.

```bash
cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.8.203",
    "192.168.8.204",
    "192.168.8.205"
  ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ]
}
EOF

# Produces server.pem, server-key.pem and server.csr, signed by the CA above
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
```

Copy the following certificates to the other machines in the cluster:

```
[root@k8snode1 etcd]# ll /data/etcd/ssl/*.pem
-rw-r--r-- 1 root root 1216 May 10 21:34 ssl/ca.pem
-rw------- 1 root root 1675 May 10 21:34 ssl/server-key.pem
-rw-r--r-- 1 root root 1338 May 10 21:34 ssl/server.pem
```

#### Start etcd

Run the matching command on each host. The same certificate is used for both the client-facing and peer-facing listeners, and the `--initial-cluster` list must be identical on all three nodes.

```bash
# On k8snode1 (192.168.8.203)
nohup /data/etcd/etcd --name infra1 \
  --initial-advertise-peer-urls https://192.168.8.203:2380 \
  --initial-cluster-token etcd-cluster-1 --initial-cluster-state new \
  --initial-cluster infra1=https://192.168.8.203:2380,infra2=https://192.168.8.204:2380,infra3=https://192.168.8.205:2380 \
  --advertise-client-urls https://192.168.8.203:2379 --listen-client-urls https://192.168.8.203:2379 \
  --listen-peer-urls https://192.168.8.203:2380 \
  --cert-file=/data/etcd/ssl/server.pem --key-file=/data/etcd/ssl/server-key.pem \
  --peer-cert-file=/data/etcd/ssl/server.pem --peer-key-file=/data/etcd/ssl/server-key.pem \
  --trusted-ca-file=/data/etcd/ssl/ca.pem --peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
  --data-dir "/data/etcd/infra1.etcd" >> /data/etcd/etcd.log 2>&1 &

# On k8snode2 (192.168.8.204)
nohup /data/etcd/etcd --name infra2 \
  --initial-advertise-peer-urls https://192.168.8.204:2380 \
  --initial-cluster-token etcd-cluster-1 --initial-cluster-state new \
  --initial-cluster infra1=https://192.168.8.203:2380,infra2=https://192.168.8.204:2380,infra3=https://192.168.8.205:2380 \
  --advertise-client-urls https://192.168.8.204:2379 --listen-client-urls https://192.168.8.204:2379 \
  --listen-peer-urls https://192.168.8.204:2380 \
  --cert-file=/data/etcd/ssl/server.pem --key-file=/data/etcd/ssl/server-key.pem \
  --peer-cert-file=/data/etcd/ssl/server.pem --peer-key-file=/data/etcd/ssl/server-key.pem \
  --trusted-ca-file=/data/etcd/ssl/ca.pem --peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
  --data-dir "/data/etcd/infra2.etcd" >> /data/etcd/etcd.log 2>&1 &

# On k8snode3 (192.168.8.205)
nohup /data/etcd/etcd --name infra3 \
  --initial-advertise-peer-urls https://192.168.8.205:2380 \
  --initial-cluster-token etcd-cluster-1 --initial-cluster-state new \
  --initial-cluster infra1=https://192.168.8.203:2380,infra2=https://192.168.8.204:2380,infra3=https://192.168.8.205:2380 \
  --advertise-client-urls https://192.168.8.205:2379 --listen-client-urls https://192.168.8.205:2379 \
  --listen-peer-urls https://192.168.8.205:2380 \
  --cert-file=/data/etcd/ssl/server.pem --key-file=/data/etcd/ssl/server-key.pem \
  --peer-cert-file=/data/etcd/ssl/server.pem --peer-key-file=/data/etcd/ssl/server-key.pem \
  --trusted-ca-file=/data/etcd/ssl/ca.pem --peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
  --data-dir "/data/etcd/infra3.etcd" >> /data/etcd/etcd.log 2>&1 &
```

### Basic etcd operations
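The three start commands above differ only in the member name and IP, which is where copy-paste mistakes creep in. As an added example (not part of the original post), the script below derives each member's flags from a single node table and checks that the server certificate's SANs cover every member IP before it is handed out; it also goes beyond the post by adding `--client-cert-auth` and `--peer-client-cert-auth`, which make etcd actually require a CA-signed client certificate rather than merely trusting the CA. It assumes the post's paths (`/data/etcd/etcd`, `/data/etcd/ssl/*.pem`) and an `openssl` binary for the SAN check.

```bash
#!/usr/bin/env bash
# Added example: build per-member etcd flags from one node table and verify the cert SANs.
set -eu

ETCD_BIN=/data/etcd/etcd      # assumed path, as in the post
SSL_DIR=/data/etcd/ssl        # assumed path, as in the post
# name=ip pairs, constructed from the post's three hosts
NODES="infra1=192.168.8.203 infra2=192.168.8.204 infra3=192.168.8.205"

# The --initial-cluster value: infra1=https://ip:2380,... (identical on every member)
initial_cluster() {
  local out="" n
  for n in $NODES; do
    out="${out:+$out,}${n%%=*}=https://${n#*=}:2380"
  done
  printf '%s' "$out"
}

# Full flag list for one member, one flag group per line, for review or a systemd unit
etcd_args() {
  local name=$1 ip=$2
  printf '%s\n' \
    "--name $name" \
    "--initial-advertise-peer-urls https://$ip:2380" \
    "--listen-peer-urls https://$ip:2380" \
    "--advertise-client-urls https://$ip:2379" \
    "--listen-client-urls https://$ip:2379" \
    "--initial-cluster-token etcd-cluster-1" \
    "--initial-cluster-state new" \
    "--initial-cluster $(initial_cluster)" \
    "--cert-file=$SSL_DIR/server.pem --key-file=$SSL_DIR/server-key.pem" \
    "--peer-cert-file=$SSL_DIR/server.pem --peer-key-file=$SSL_DIR/server-key.pem" \
    "--trusted-ca-file=$SSL_DIR/ca.pem --peer-trusted-ca-file=$SSL_DIR/ca.pem" \
    "--client-cert-auth --peer-client-cert-auth" \
    "--data-dir /data/etcd/$name.etcd"
}

# Every member IP must appear in the server cert's subjectAltName, or TLS between
# peers fails. Returns 1 naming the missing IP, 2 if the cert cannot be read.
check_sans() {
  local cert=$1 sans n ip
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null) || return 2
  for n in $NODES; do
    ip=${n#*=}
    case "$sans" in *"IP Address:$ip"*) ;; *) echo "missing SAN: $ip"; return 1 ;; esac
  done
}

# Usage on a member: check_sans "$SSL_DIR/server.pem" && "$ETCD_BIN" $(etcd_args infra1 192.168.8.203)
```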
```bash
export ETCDCTL_API=3
ETCD_HOST=https://192.168.8.203:2379,https://192.168.8.204:2379,https://192.168.8.205:2379
```

#### Check cluster status without certificates

```bash
/data/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST endpoint status
/data/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST endpoint health
/data/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST member list
```

#### Check cluster status with certificates

```bash
/data/etcd/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints=$ETCD_HOST --write-out=table endpoint status
/data/etcd/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints=$ETCD_HOST --write-out=table endpoint health
/data/etcd/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints=$ETCD_HOST --write-out=table member list
```

### Enabling authentication in etcd
```bash
# The TLS flags from the previous section are still required; etcdctl also reads them
# from the environment, which keeps the commands below short
export ETCDCTL_CACERT=/data/etcd/ssl/ca.pem
export ETCDCTL_CERT=/data/etcd/ssl/server.pem
export ETCDCTL_KEY=/data/etcd/ssl/server-key.pem

# Add the root account (prompts for a password); root must exist before auth can be enabled
etcdctl --endpoints=$ETCD_HOST user add root
# Enable authentication
etcdctl --endpoints=$ETCD_HOST auth enable
# From here on every command must authenticate; <root-password> is a placeholder for the password set above
ETCD_USR=root:<root-password>

# Create an ordinary account
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR user add test
# Add a role
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role add normal
# Grant the role permissions. --prefix=true makes the key a prefix; without it "/*" is one
# literal key named "/*" and "/foo /foo/*" is the lexicographic range [/foo, /foo/*), not "everything under /foo/"
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role grant-permission --prefix=true normal readwrite /
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role grant-permission --prefix=true normal readwrite /foo/
# Bind the role to the user (the test user created above; root already holds the built-in root role)
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR user grant-role test normal
# List roles, users and a role's permissions
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role list
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR user list
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role get normal
# Revoke the role's permissions (must match the grants above)
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role revoke-permission --prefix=true normal /
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role revoke-permission --prefix=true normal /foo/

# Cluster status now also needs a user
/data/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST --user=$ETCD_USR member list
/data/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST --user=$ETCD_USR endpoint status
/data/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST --user=$ETCD_USR endpoint health
```

Access with the built-in command:

```bash
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR put /config "{}"
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR get /config
```

Access via the HTTP API. The client listener is TLS-only and bound to the node IP, so curl needs the CA and client certificate, and once auth is enabled a token obtained from /v3/auth/authenticate must be sent in the Authorization header:

```bash
# Obtain a token for root (<root-password> is a placeholder for the password set above)
TOKEN=$(curl -s --cacert /data/etcd/ssl/ca.pem --cert /data/etcd/ssl/server.pem --key /data/etcd/ssl/server-key.pem \
  https://192.168.8.203:2379/v3/auth/authenticate -X POST -d '{"name":"root","password":"<root-password>"}' \
  | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
curl --cacert /data/etcd/ssl/ca.pem --cert /data/etcd/ssl/server.pem --key /data/etcd/ssl/server-key.pem \
  -H "Authorization: $TOKEN" https://192.168.8.203:2379/v3/member/list -X POST
```