
Deploying the etcd Component for Kubernetes

Published: 2024-09-23  Author: 千家信息网 editor

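This article explains how to deploy the etcd component in Kubernetes. It gives a short introduction to etcd and then walks through the deployment. We hope you find it useful.

etcd component deployment

Introduction to etcd
  • etcd is an open-source project started by the CoreOS team in June 2013. Its goal is to build a highly available distributed key-value database. Internally, etcd uses the Raft protocol as its consensus algorithm, and it is implemented in Go.
  • As a service discovery system, etcd has the following characteristics:
    • Simple: easy to install and configure, and it provides an HTTP API for interaction, so it is also easy to use
    • Secure: supports SSL certificate verification
    • Fast: according to the official benchmark data, a single instance supports 2k+ read operations per second
    • Reliable: uses the Raft algorithm to provide availability and consistency of data in a distributed system
Operations on the master01 server
  • Self-sign the certificates for the etcd component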
    [root@master01 ~]# systemctl stop firewalld.service   # stop the firewall
    [root@master01 ~]# setenforce 0                       # disable SELinux
    [root@master01 ~]# mkdir k8s         # create the k8s directory
    [root@master01 ~]# ls
    anaconda-ks.cfg  k8s
    [root@master01 ~]# mount.cifs //192.168.80.2/shares/K8S/k8s01 /mnt/    # mount the software packages prepared on the host machine
    Password for root@//192.168.80.2/shares/K8S/k8s01:
    [root@master01 ~]# cd /mnt/
    [root@master01 mnt]# ls
    etcd-cert     etcd-v3.3.10-linux-amd64.tar.gz     k8s-cert.sh                           master.zip
    etcd-cert.sh  flannel.sh                          kubeconfig.sh                         node.zip
    etcd.sh       flannel-v0.10.0-linux-amd64.tar.gz  kubernetes-server-linux-amd64.tar.gz
    [root@master01 mnt]# cd /root/k8s/             # back to the k8s directory
    [root@master01 k8s]# vim cfssl.sh              # write a script that downloads the official cfssl binaries, the tools used for the CA
    curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
    curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
    curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
    chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
    :wq
    [root@master01 k8s]# bash cfssl.sh             # run the script to download the official cfssl binaries
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  9.8M  100  9.8M    0     0   457k      0  0:00:22  0:00:22 --:--:--  581k
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 2224k  100 2224k    0     0   300k      0  0:00:07  0:00:07 --:--:--  517k
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 6440k  100 6440k    0     0   276k      0  0:00:23  0:00:23 --:--:--  221k
    [root@master01 k8s]# ls /usr/local/bin/              # check that the certificate tools were downloaded
    cfssl  cfssl-certinfo  cfssljson
    [root@master01 k8s]# mkdir etcd-cert           # create the directory that holds the certificates
    [root@master01 k8s]# ls
    etcd-cert
    [root@master01 k8s]# cd etcd-cert/            # enter the certificate directory
    # "expiry" is the certificate expiry; in the "www" profile, "server auth" is server-side verification and "client auth" is client-side verification
    [root@master01 etcd-cert]# cat > ca-config.json <<EOF
    > {
    >   "signing": {
    >     "default": {
    >       "expiry": "87600h"
    >     },
    >     "profiles": {
    >       "www": {
    >          "expiry": "87600h",
    >          "usages": [
    >             "signing",
    >             "key encipherment",
    >             "server auth",
    >             "client auth"
    >         ]
    >       }
    >     }
    >   }
    > }
    > EOF
    # "algo": "rsa" selects an asymmetric key and "size" is the key length; the "names" entries are identification data that you can define yourself
    [root@master01 etcd-cert]# cat > ca-csr.json <<EOF
    > {
    >     "CN": "etcd CA",
    >     "key": {
    >         "algo": "rsa",
    >         "size": 2048
    >     },
    >     "names": [
    >         {
    >             "C": "CN",
    >             "L": "Beijing",
    >             "ST": "Beijing"
    >         }
    >     ]
    > }
    > EOF
    [root@master01 etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -     # generate the CA certificate
    2020/02/09 16:53:08 [INFO] generating a new CA key and certificate from CSR
    2020/02/09 16:53:08 [INFO] generate received request
    2020/02/09 16:53:08 [INFO] received CSR
    2020/02/09 16:53:08 [INFO] generating key: rsa-2048
    2020/02/09 16:53:08 [INFO] encoded CSR
    2020/02/09 16:53:08 [INFO] signed certificate with serial number 400787333165311350366024741004548366561538833100
    [root@master01 etcd-cert]# ls    # the CA certificate was generated successfully
    ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
    # "hosts" lists the cluster IP addresses: 192.168.80.12 is the master, 192.168.80.13 is node01, 192.168.80.14 is node02
    [root@master01 etcd-cert]# cat > server-csr.json <<EOF
    > {
    >     "CN": "etcd",
    >     "hosts": [
    >     "192.168.80.12",
    >     "192.168.80.13",
    >     "192.168.80.14"
    >     ],
    >     "key": {
    >         "algo": "rsa",
    >         "size": 2048
    >     },
    >     "names": [
    >         {
    >             "C": "CN",
    >             "L": "BeiJing",
    >             "ST": "BeiJing"
    >         }
    >     ]
    > }
    > EOF
    [root@master01 etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server     # generate the etcd certificate: server-key.pem and server.pem
    2020/02/09 16:59:12 [INFO] generate received request
    2020/02/09 16:59:12 [INFO] received CSR
    2020/02/09 16:59:12 [INFO] generating key: rsa-2048
    2020/02/09 16:59:12 [INFO] encoded CSR
    2020/02/09 16:59:12 [INFO] signed certificate with serial number 155295832576786241095177900248601469934260652049
    2020/02/09 16:59:12 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    [root@master01 etcd-cert]# ls    # generated successfully
    ca-config.json  ca-csr.json  ca.pem      server-csr.json  server.pem
    ca.csr          ca-key.pem   server.csr  server-key.pem
  • Deploy the etcd service
    [root@master01 etcd-cert]# cd /mnt/           # enter the directory mounted from the host machine
    [root@master01 mnt]# ls
    etcd-cert     etcd-v3.3.10-linux-amd64.tar.gz     k8s-cert.sh                           master.zip
    etcd-cert.sh  flannel.sh                          kubeconfig.sh                         node.zip
    etcd.sh       flannel-v0.10.0-linux-amd64.tar.gz  kubernetes-server-linux-amd64.tar.gz
    [root@master01 mnt]# cp etcd-v3.3.10-linux-amd64.tar.gz flannel-v0.10.0-linux-amd64.tar.gz kubernetes-server-linux-amd64.tar.gz etcd.sh /root/k8s/     # copy the packages and the etcd startup script to the k8s working directory
    [root@master01 mnt]# cd /root/k8s/                   # back to the k8s working directory
    [root@master01 k8s]# tar zvxf etcd-v3.3.10-linux-amd64.tar.gz       # unpack the etcd package
    etcd-v3.3.10-linux-amd64/
    etcd-v3.3.10-linux-amd64/Documentation/
    etcd-v3.3.10-linux-amd64/Documentation/platforms/
    etcd-v3.3.10-linux-amd64/Documentation/platforms/container-linux-systemd.md
    etcd-v3.3.10-linux-amd64/Documentation/platforms/aws.md
    etcd-v3.3.10-linux-amd64/Documentation/platforms/freebsd.md
    etcd-v3.3.10-linux-amd64/Documentation/rfc/
    ...
    [root@master01 k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p    # create the etcd working directories recursively
    [root@master01 k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/   # put the etcd binaries in the bin directory of the working directory
    [root@master01 k8s]# ls /opt/etcd/bin/      # check
    etcd  etcdctl
    [root@master01 k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/    # copy the certificate files to the ssl directory of the etcd working directory
    [root@master01 k8s]# ls /opt/etcd/ssl/         # check
    ca-key.pem  ca.pem  server-key.pem  server.pem
    # Run the startup script. etcd01 uses the master01 address; etcd02 and etcd03 are the node01 and node02 IP addresses.
    # etcd is deployed on node01 and node02 later to form the etcd cluster. Running the script also generates the etcd configuration file.
    [root@master01 k8s]# bash etcd.sh etcd01 192.168.80.12 etcd02=https://192.168.80.13:2380,etcd03=https://192.168.80.14:2380
    Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
    # After the startup script runs it appears to hang while it waits for the other nodes to join. The wait has a timeout; once the timeout passes an error is reported, which can be ignored.
  • Open a new terminal session

    [root@master01 ~]# ps -ef | grep etcd    # check that the process is running (it started successfully)
    root      16146      1  0 17:14 ?        00:00:00 /opt/etcd/bin/etcd --name=etcd01 --data-dir=/var/lib/etcd/default.etcd --listen-peer-urls=https://192.168.80.12:2380 --listen-client-urls=https://192.168.80.12:2379,http://127.0.0.1:2379 --advertise-client-urls=https://192.168.80.12:2379 --initial-advertise-peer-urls=https://192.168.80.12:2380 --initial-cluster=etcd01=https://192.168.80.12:2380,etcd02=https://192.168.80.13:2380,etcd03=https://192.168.80.14:2380 --initial-cluster-token=etcd-cluster --initial-cluster-state=new --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
    root      16191  16160  0 17:15 pts/1    00:00:00 grep --color=auto etcd
    [root@master01 ~]# scp -r /opt/etcd/ root@192.168.80.13:/opt/           # copy the etcd working directory to node01
    The authenticity of host '192.168.80.13 (192.168.80.13)' can't be established.
    ECDSA key fingerprint is SHA256:Ih0NpZxfLb+MOEFW8B+ZsQ5R8Il2Sx8dlNov632cFlo.
    ECDSA key fingerprint is MD5:a9:ee:e5:cc:40:c7:9e:24:5b:c1:cd:c1:7b:31:42:0f.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.80.13' (ECDSA) to the list of known hosts.
    root@192.168.80.13's password:
    etcd                                                                       100%  509   495.7KB/s   00:00
    etcd                                                                       100%   18MB  98.7MB/s   00:00
    etcdctl                                                                    100%   15MB  95.0MB/s   00:00
    ca-key.pem                                                                 100% 1675     1.6MB/s   00:00
    ca.pem                                                                     100% 1265   416.6KB/s   00:00
    server-key.pem                                                             100% 1675     2.3MB/s   00:00
    server.pem                                                                 100% 1338     2.0MB/s   00:00
    [root@master01 ~]# scp -r /opt/etcd/ root@192.168.80.14:/opt/         # copy the etcd working directory to node02
    The authenticity of host '192.168.80.14 (192.168.80.14)' can't be established.
    ECDSA key fingerprint is SHA256:Ih0NpZxfLb+MOEFW8B+ZsQ5R8Il2Sx8dlNov632cFlo.
    ECDSA key fingerprint is MD5:a9:ee:e5:cc:40:c7:9e:24:5b:c1:cd:c1:7b:31:42:0f.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.80.14' (ECDSA) to the list of known hosts.
    root@192.168.80.14's password:
    etcd                                                                       100%  509   523.8KB/s   00:00
    etcd                                                                       100%   18MB  79.6MB/s   00:00
    etcdctl                                                                    100%   15MB 140.4MB/s   00:00
    ca-key.pem                                                                 100% 1675     1.9MB/s   00:00
    ca.pem                                                                     100% 1265   296.4KB/s   00:00
    server-key.pem                                                             100% 1675     2.4MB/s   00:00
    server.pem                                                                 100% 1338   423.3KB/s   00:00
    [root@master01 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.80.13:/usr/lib/systemd/system/               # copy the service unit to node01
    root@192.168.80.13's password:
    etcd.service                                                               100%  923   628.8KB/s   00:00
    [root@master01 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.80.14:/usr/lib/systemd/system/               # copy the service unit to node02
    root@192.168.80.14's password:
    etcd.service                                                               100%  923   684.8KB/s   00:00
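The `cp etcd-cert/*.pem` and `scp -r /opt/etcd/` steps above place `ca-key.pem` on every node, although the etcd command line shown by `ps` references only `ca.pem`, `server.pem` and `server-key.pem`. The following is an added example, not part of the original article or of etcd: the function names `stage_node_bundle` and `audit_ssl_dir` are assumptions, and the demo tree is constructed. It builds a copy of the working directory without the CA signing key and reports key files that are still exposed.

```sh
#!/bin/sh
# Added example, not from the article. Assumes the SRC/{bin,cfg,ssl} layout used on this page.

# stage_node_bundle SRC DST: copy the etcd working directory for shipping to a
# node, leaving the CA private key behind and tightening key permissions.
stage_node_bundle() {
    src=$1
    dst=$2
    mkdir -p "$dst/bin" "$dst/cfg" "$dst/ssl" || return 1
    cp -p "$src"/bin/* "$dst/bin/" || return 1
    cp -p "$src"/cfg/* "$dst/cfg/" || return 1
    for f in "$src"/ssl/*.pem; do
        # The etcd flags on this page reference only ca.pem, server.pem and
        # server-key.pem; ca-key.pem is needed only where certificates are signed.
        if [ "${f##*/}" != ca-key.pem ]; then
            cp "$f" "$dst/ssl/" || return 1
        fi
    done
    chmod 700 "$dst/ssl" && chmod 600 "$dst"/ssl/*-key.pem
}

# audit_ssl_dir DIR: print one finding per line; exit status 1 if any.
audit_ssl_dir() {
    dir=$1
    rc=0
    if [ -e "$dir/ca-key.pem" ]; then
        echo "CA private key present: $dir/ca-key.pem"
        rc=1
    fi
    # -perm -040 / -perm -004: readable by group / by others
    exposed=$(find "$dir" -type f -name '*-key.pem' \( -perm -040 -o -perm -004 \))
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/private key readable by group or others: /'
        rc=1
    fi
    return $rc
}

# Constructed demo tree standing in for /opt/etcd (empty dummy files).
t=$(mktemp -d)
mkdir -p "$t/src/bin" "$t/src/cfg" "$t/src/ssl"
: > "$t/src/bin/etcd"
: > "$t/src/cfg/etcd"
for n in ca ca-key server server-key; do : > "$t/src/ssl/$n.pem"; done
chmod 644 "$t"/src/ssl/*.pem
audit_ssl_dir "$t/src/ssl" || echo "-> findings in the directory as built on this page"
stage_node_bundle "$t/src" "$t/dst" && audit_ssl_dir "$t/dst/ssl" && echo "-> staged copy is clean"
rm -rf "$t"
```

On master01, `audit_ssl_dir /opt/etcd/ssl` reports the current state; the staged directory is what would be copied to node01 and node02 in place of `/opt/etcd/`.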
Operations on the node01 server
  • Edit the etcd configuration file that was copied over

    [root@node01 ~]# systemctl stop firewalld.service       # stop the firewall
    [root@node01 ~]# setenforce 0                           # disable SELinux
    [root@node01 ~]# vim /opt/etcd/cfg/etcd
    #[Member]
    # change the name to etcd02
    ETCD_NAME="etcd02"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    # change the IP address to 192.168.80.13 in the next two lines
    ETCD_LISTEN_PEER_URLS="https://192.168.80.13:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.80.13:2379"
    #[Clustering]
    # change the IP address to 192.168.80.13 in the next two lines
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.80.13:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.80.13:2379"
    # note: ETCD_INITIAL_CLUSTER does not need to be changed
    ETCD_INITIAL_CLUSTER="etcd01=https://192.168.80.12:2380,etcd02=https://192.168.80.13:2380,etcd03=https://192.168.80.14:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"
    :wq
    [root@node01 ~]# systemctl start etcd             # start the etcd service as soon as the edit is done
    [root@node01 ~]# systemctl status etcd            # check the service status (it is running normally)
    ● etcd.service - Etcd Server
       Loaded: loaded (/usr/lib/systemd/system/etcd.service; disabled; vendor preset: disabled)
       Active: active (running) since 日 2020-02-09 17:25:38 CST; 50s ago
     Main PID: 15905 (etcd)
    ...
Operations on the node02 server
  • Edit the etcd configuration file that was copied over

    [root@node02 ~]# systemctl stop firewalld.service        # stop the firewall
    [root@node02 ~]# setenforce 0                           # disable SELinux
    [root@node02 ~]# vim /opt/etcd/cfg/etcd
    #[Member]
    # change the name to etcd03
    ETCD_NAME="etcd03"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    # change the IP address to 192.168.80.14 in the next two lines
    ETCD_LISTEN_PEER_URLS="https://192.168.80.14:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.80.14:2379"
    #[Clustering]
    # change the IP address to 192.168.80.14 in the next two lines
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.80.14:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.80.14:2379"
    # note: ETCD_INITIAL_CLUSTER does not need to be changed
    ETCD_INITIAL_CLUSTER="etcd01=https://192.168.80.12:2380,etcd02=https://192.168.80.13:2380,etcd03=https://192.168.80.14:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"
    :wq
    [root@node02 ~]# systemctl start etcd        # start the service
    [root@node02 ~]# systemctl status etcd       # check the status (it is running)
    ● etcd.service - Etcd Server
       Loaded: loaded (/usr/lib/systemd/system/etcd.service; disabled; vendor preset: disabled)
       Active: active (running) since 日 2020-02-09 17:32:29 CST; 4s ago
     Main PID: 15926 (etcd)
    ...
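Because each node starts from a copy of master01's file, a partly edited `/opt/etcd/cfg/etcd` is the likely mistake in the two node steps above. The following lint is an added example, not part of the original article or of etcd: `cfg_get` and `check_etcd_cfg` are hypothetical names, the node's own IP address is passed in as an argument, and the sample file is constructed from the values on this page.

```sh
#!/bin/sh
# Added example, not from the article: lint a per-node /opt/etcd/cfg/etcd file.

# cfg_get FILE KEY: print the value of a KEY="value" line.
cfg_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_etcd_cfg FILE LOCAL_IP: print one finding per line; exit status 1 if any.
check_etcd_cfg() {
    f=$1; ip=$2; rc=0
    name=$(cfg_get "$f" ETCD_NAME)
    # Peer URL that the shared member list registers under this node's name.
    listed=$(cfg_get "$f" ETCD_INITIAL_CLUSTER | tr ',' '\n' | sed -n "s|^$name=||p")
    case $listed in
        "https://$ip:"*) ;;
        "") echo "ETCD_NAME '$name' is not in ETCD_INITIAL_CLUSTER"; rc=1 ;;
        *)  echo "ETCD_INITIAL_CLUSTER lists $name at $listed, not at $ip"; rc=1 ;;
    esac
    for key in ETCD_LISTEN_PEER_URLS ETCD_LISTEN_CLIENT_URLS \
               ETCD_INITIAL_ADVERTISE_PEER_URLS ETCD_ADVERTISE_CLIENT_URLS; do
        for url in $(cfg_get "$f" "$key" | tr ',' ' '); do
            case $url in
                "https://$ip:"*) ;;
                http://*) echo "$key: plaintext URL $url"; rc=1 ;;
                *) echo "$key: $url is not an address of this node ($ip)"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample: the node01 file from this page with the name edited but
# one listen address still pointing at master01.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.80.12:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.80.13:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.80.13:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.80.13:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.80.12:2380,etcd02=https://192.168.80.13:2380,etcd03=https://192.168.80.14:2380"
EOF
check_etcd_cfg "$sample" 192.168.80.13 || echo "-> fix the file before 'systemctl start etcd'"
rm -f "$sample"
```

On node01 the call would be `check_etcd_cfg /opt/etcd/cfg/etcd 192.168.80.13`, and on node02 the same with `192.168.80.14`.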
Back on the master01 server
  • Check the cluster status

    [root@master01 k8s]# cd etcd-cert/      # enter the certificate directory: the check authenticates with the CA certificate, so it is run from the directory that holds the certificates
    [root@master01 etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.80.12:2379,https://192.168.80.13:2379,https://192.168.80.14:2379" cluster-health        # check the cluster status (the cluster was created successfully)
    member accc4008f61328 is healthy: got healthy result from https://192.168.80.13:2379
    member 88ef2b8e883800a0 is healthy: got healthy result from https://192.168.80.12:2379
    member fafd8a15257570ee is healthy: got healthy result from https://192.168.80.14:2379
    cluster is healthy
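The health check only verifies each endpoint if `server.pem` lists that IP address, and the same certificate is used on this page as server, peer and client certificate, so it needs both usages from the `www` profile. The check below is an added example, not part of the original article, cfssl or etcd: `ext_value` and `check_etcd_cert` are hypothetical names, and the sample text is constructed in the layout that `openssl x509 -noout -text` prints.

```sh
#!/bin/sh
# Added example, not from the article. Reads `openssl x509 -noout -text`
# output on stdin, e.g.:
#   openssl x509 -in server.pem -noout -text | check_etcd_cert 192.168.80.12 192.168.80.13 192.168.80.14

# ext_value NAME: print the line that follows the "X509v3 NAME" header.
ext_value() {
    awk -v n="X509v3 $1" 'index($0, n) { f = 1; next } f { print; f = 0 }'
}

# check_etcd_cert IP...: print one finding per line; exit status 1 if any.
check_etcd_cert() {
    text=$(cat)
    rc=0
    sans=$(printf '%s\n' "$text" | ext_value "Subject Alternative Name" |
           tr ',' '\n' | sed -n 's/^ *IP Address:\([^ ]*\).*/\1/p')
    for ip in "$@"; do
        # -x: whole-line match, so 192.168.80.1 does not match 192.168.80.12
        if ! printf '%s\n' "$sans" | grep -xF "$ip" >/dev/null; then
            echo "endpoint $ip is not in the certificate's SAN list"; rc=1
        fi
    done
    eku=$(printf '%s\n' "$text" | ext_value "Extended Key Usage")
    for use in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        case $eku in
            *"$use"*) ;;
            *) echo "missing extended key usage: $use"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: extension section of a certificate with this page's hosts.
SAMPLE=$(cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                IP Address:192.168.80.12, IP Address:192.168.80.13, IP Address:192.168.80.14
EOF
)
# A fourth member at 192.168.80.15 (assumed address) would need a reissued certificate.
printf '%s\n' "$SAMPLE" | check_etcd_cert 192.168.80.12 192.168.80.15 || true
```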
