Deploy etcd on hdss7-12.host.com (10.4.7.12), hdss7-21.host.com (10.4.7.21) and hdss7-22.host.com (10.4.7.22).
Before deploying etcd, the certificates must be created on the hdss7-200.host.com (10.4.7.200) server.
On 10.4.7.200: create the CA signing config file (ca-config.json) that goes with the root certificate
cd /opt/certs
vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "server": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
Note: the profiles section defines three profiles:
server: for a certificate presented by a server; its usages contain "server auth". [the server needs a certificate]
client: for a certificate a client presents when it connects to a server; its usages contain "client auth". The server does not need a client certificate to reach the client. [the client needs a certificate to connect to the server]
peer: for members that both accept connections and initiate them, so each side acts as server and as client; its usages contain both "server auth" and "client auth". [both sides need a certificate]
Create the etcd certificate signing request (CSR) file:
cd /opt/certs
vim etcd-peer-csr.json
{
  "CN": "k8s-etcd",
  "hosts": [
    "10.4.7.11",
    "10.4.7.12",
    "10.4.7.21",
    "10.4.7.22"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "beijing",
      "L": "beijing",
      "O": "od",
      "OU": "ops"
    }
  ]
}
Note: the hosts field must list the IP of every host on which etcd may run; TLS connections to a member whose IP is missing from the certificate will fail.
10.4.7.11 is included here as a spare: if one member of the etcd cluster dies, a replacement can be deployed on 10.4.7.11 without issuing a new certificate.
Sign the certificate:
cd /opt/certs
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
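Before the signed certificate is copied to the members, it is worth confirming that it really carries what the "peer" profile and the hosts list above are meant to produce. The following script is an added example, not part of the original post or of cfssl: check_etcd_peer_cert (a hypothetical name) verifies that etcd-peer.pem chains to ca.pem, that its extended key usage contains both server auth and client auth, that every member IP (including the spare 10.4.7.11) is a SAN, and that the private key is mode 600. make_demo_certs builds throwaway certificates with openssl as a stand-in for cfssl output so the check can be exercised offline; on the real hosts you would point the check at /opt/certs on 10.4.7.200 or /opt/etcd/certs on a member.

```shell
#!/bin/sh
# Added example (not from the original post): verify an etcd peer certificate
# before copying it to the members. It checks what the "peer" profile in
# ca-config.json and the "hosts" list in etcd-peer-csr.json must produce:
# the cert chains to ca.pem, carries both serverAuth and clientAuth, names
# every member IP as a SAN, and the private key is mode 600.
# Needs only the openssl CLI. make_demo_certs builds throwaway certs with
# openssl (standing in for cfssl output) so the check can run offline.

# check_etcd_peer_cert DIR IP... -> 0 if every check passes, 1 otherwise
check_etcd_peer_cert() {
  dir=$1; shift
  text=$(openssl x509 -in "$dir/etcd-peer.pem" -noout -text 2>/dev/null) || {
    echo "FAIL: cannot read $dir/etcd-peer.pem"; return 1; }
  # 1. the cert must be issued by the cluster CA in ca.pem
  openssl verify -CAfile "$dir/ca.pem" "$dir/etcd-peer.pem" >/dev/null 2>&1 || {
    echo "FAIL: etcd-peer.pem does not chain to ca.pem"; return 1; }
  # 2. peer profile = server auth AND client auth; a "server"-profile cert has
  #    no clientAuth and is rejected when this member dials the other members
  eku=$(printf '%s\n' "$text" | awk '/Extended Key Usage/ { getline; print }')
  case "$eku" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "FAIL: missing serverAuth in EKU: $eku"; return 1 ;;
  esac
  case "$eku" in
    *"TLS Web Client Authentication"*) ;;
    *) echo "FAIL: missing clientAuth in EKU: $eku"; return 1 ;;
  esac
  # 3. every IP etcd may run on must be a SAN; a missing IP makes the TLS
  #    handshake to that member fail with an IP mismatch
  sans=$(printf '%s\n' "$text" | grep 'IP Address:' | tr ',' '\n' | sed 's/^ *//')
  for ip in "$@"; do
    printf '%s\n' "$sans" | grep -qx "IP Address:$ip" || {
      echo "FAIL: $ip is not in the certificate SANs"; return 1; }
  done
  # 4. the private key must be readable by its owner only (mode 600)
  mode=$(ls -l "$dir/etcd-peer-key.pem" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || {
    echo "FAIL: etcd-peer-key.pem mode is $mode, want -rw-------"; return 1; }
  echo "OK: $dir/etcd-peer.pem is a usable etcd peer certificate"
}

# make_demo_certs DIR EKU IP... -> constructed CA + leaf cert for testing;
# EKU is "serverAuth,clientAuth" (peer profile) or "serverAuth" (server profile)
make_demo_certs() {
  dir=$1; eku=$2; shift 2
  sans=""
  for ip in "$@"; do sans="$sans${sans:+,}IP:$ip"; done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=k8s-etcd/O=od/OU=ops" \
    -keyout "$dir/etcd-peer-key.pem" -out "$dir/etcd-peer.csr" >/dev/null 2>&1
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
    "$eku" "$sans" > "$dir/ext.cnf"
  openssl x509 -req -days 1 -in "$dir/etcd-peer.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/ext.cnf" \
    -out "$dir/etcd-peer.pem" >/dev/null 2>&1
  chmod 600 "$dir/etcd-peer-key.pem"
}

# On a real member: check_etcd_peer_cert /opt/etcd/certs 10.4.7.11 10.4.7.12 10.4.7.21 10.4.7.22
demo=$(mktemp -d)
make_demo_certs "$demo" serverAuth,clientAuth 10.4.7.11 10.4.7.12 10.4.7.21 10.4.7.22
check_etcd_peer_cert "$demo" 10.4.7.11 10.4.7.12 10.4.7.21 10.4.7.22
```

A certificate issued with -profile=server instead of -profile=peer passes the chain and SAN checks but fails the clientAuth check, which is exactly the mistake that makes a member start cleanly and then fail to reach its peers; running the check on each member after the scp step also catches a key whose mode was widened during the copy.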
Deploy the etcd cluster
Deploy etcd on 10.4.7.12
etcd version: etcd-v3.1.20-linux-amd64.tar.gz
Download page: https://github.com/etcd-io/etcd/tags
Create the etcd user:
useradd -s /sbin/nologin -M etcd
tar zxf etcd-v3.1.20-linux-amd64.tar.gz -C /opt
cd /opt
mv etcd-v3.1.20-linux-amd64 etcd-v3.1.20
ln -s /opt/etcd-v3.1.20 /opt/etcd
Create the etcd directories:
mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
Copy the etcd certificates created above:
copy ca.pem, etcd-peer-key.pem and etcd-peer.pem from 10.4.7.200 into /opt/etcd/certs.
Note: the private key file must have mode 600.
cd /opt/etcd/certs/
scp hdss7-200:/opt/certs/ca.pem .
scp hdss7-200:/opt/certs/etcd-peer-key.pem .
scp hdss7-200:/opt/certs/etcd-peer.pem .
Create the etcd startup script:
vim /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-7-12 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.12:2380 \
--listen-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.4.7.12:2380 \
--advertise-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--initial-cluster etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
Save and exit.
--listen-peer-urls https://10.4.7.12:2380    ## port 2380 carries peer traffic between cluster members
--listen-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379    ## port 2379 serves etcd clients from outside the cluster
chmod +x /opt/etcd/etcd-server-startup.sh
chown -R etcd.etcd /opt/etcd-v3.1.20/
chown -R etcd.etcd /data/etcd/
chown -R etcd.etcd /data/logs/etcd-server/
Install supervisor to run etcd; if the etcd process goes down, supervisor restarts it automatically.
yum install supervisor -y
systemctl start supervisord
systemctl enable supervisord
Create the supervisord program config file:
vim /etc/supervisord.d/etcd-server.ini
[program:etcd-server-7-12]
command=/opt/etcd/etcd-server-startup.sh
numprocs=1
directory=/opt/etcd
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=etcd
redirect_stderr=true
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
command=/opt/etcd/etcd-server-startup.sh    ## the command to run
numprocs=1    ## one process
autostart=true    ## start automatically when supervisord starts
autorestart=true    ## restart automatically when the process exits
startsecs=30    ## seconds the process must stay up to count as started
startretries=3    ## number of restart attempts (default 3)
user=etcd    ## the user that runs the command
supervisorctl update
supervisorctl status
netstat -luntp|grep etcd
Install and deploy etcd on hdss7-21 and hdss7-22 with the same steps; the files to change are as follows:
hdss7-21:
vim /opt/etcd/etcd-server-startup.sh
vim /etc/supervisord.d/etcd-server.ini
hdss7-22:
vim /opt/etcd/etcd-server-startup.sh
vim /etc/supervisord.d/etcd-server.ini
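The two files differ between members only in the member name and the member's own IP, and the startup of a three-member cluster fails if any member gets them wrong. The following script is an added example, not part of the original post: it renders etcd-server-startup.sh and the supervisord ini for each member from one member table (the post's names, IPs and paths) and then runs check_member_files (a hypothetical name) over the rendered files to confirm that the peer URLs carry the member's own IP, that --initial-cluster is identical on every member and maps the member's --name to its IP, that client certificate auth is enforced on both listeners, and that the supervisord program name matches the etcd member name.

```shell
#!/bin/sh
# Added example (not from the original post): render the per-member files
# (etcd-server-startup.sh + supervisord ini) from one member table, then check
# the invariants each member must satisfy before "supervisorctl update".
# Names, IPs and paths are the post's; the member table and checks are constructed.
# Member table, one "<etcd --name> <member IP>" per line
MEMBERS='etcd-server-7-12 10.4.7.12
etcd-server-7-21 10.4.7.21
etcd-server-7-22 10.4.7.22'

# initial_cluster -> the --initial-cluster value, identical on every member
initial_cluster() {
  printf '%s\n' "$MEMBERS" | while read -r m_name m_ip; do
    printf '%s=https://%s:2380,' "$m_name" "$m_ip"
  done | sed 's/,$//'
}

# render_startup_script NAME IP -> startup script for one member
render_startup_script() {
  cat <<EOF
#!/bin/sh
./etcd --name $1 \\
       --data-dir /data/etcd/etcd-server \\
       --listen-peer-urls https://$2:2380 \\
       --listen-client-urls https://$2:2379,http://127.0.0.1:2379 \\
       --quota-backend-bytes 8000000000 \\
       --initial-advertise-peer-urls https://$2:2380 \\
       --advertise-client-urls https://$2:2379,http://127.0.0.1:2379 \\
       --initial-cluster $(initial_cluster) \\
       --ca-file ./certs/ca.pem \\
       --cert-file ./certs/etcd-peer.pem \\
       --key-file ./certs/etcd-peer-key.pem \\
       --client-cert-auth \\
       --trusted-ca-file ./certs/ca.pem \\
       --peer-ca-file ./certs/ca.pem \\
       --peer-cert-file ./certs/etcd-peer.pem \\
       --peer-key-file ./certs/etcd-peer-key.pem \\
       --peer-client-cert-auth \\
       --peer-trusted-ca-file ./certs/ca.pem \\
       --log-output stdout
EOF
}

# render_supervisor_ini NAME -> supervisord ini for one member
render_supervisor_ini() {
  cat <<EOF
[program:$1]
command=/opt/etcd/etcd-server-startup.sh
numprocs=1
directory=/opt/etcd
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=etcd
redirect_stderr=true
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
EOF
}

# check_member_files SCRIPT INI IP -> 0 if both files fit the member at IP
check_member_files() {
  script=$1; ini=$2; ip=$3
  name=$(sed -n 's/.*--name \([^ ]*\).*/\1/p' "$script")
  # peer listen/advertise URLs must carry this member's own IP
  for flag in listen-peer-urls initial-advertise-peer-urls; do
    grep -q -- "--$flag https://$ip:2380" "$script" ||
      { echo "FAIL: $name: --$flag does not use $ip"; return 1; }
  done
  # --initial-cluster must equal the shared list and map this name to this IP
  cluster=$(sed -n 's/.*--initial-cluster \([^ ]*\).*/\1/p' "$script")
  [ "$cluster" = "$(initial_cluster)" ] ||
    { echo "FAIL: $name: --initial-cluster differs from the member table"; return 1; }
  case ",$cluster," in
    *",$name=https://$ip:2380,"*) ;;
    *) echo "FAIL: $name is not listed as $ip in --initial-cluster"; return 1 ;;
  esac
  # client certificates must be required on the client and the peer listener
  grep -q -- '--client-cert-auth' "$script" && grep -q -- '--peer-client-cert-auth' "$script" ||
    { echo "FAIL: $name: client certificate auth is not enforced"; return 1; }
  # the supervisord program name must match the etcd member name
  grep -q "^\[program:$name]" "$ini" ||
    { echo "FAIL: $ini does not define [program:$name]"; return 1; }
  echo "OK: $name ($ip)"
}

# Render and check all members into a temp dir; on a real member run
# check_member_files /opt/etcd/etcd-server-startup.sh /etc/supervisord.d/etcd-server.ini <its IP>
out=$(mktemp -d)
printf '%s\n' "$MEMBERS" | while read -r m_name m_ip; do
  mkdir -p "$out/$m_name"
  render_startup_script "$m_name" "$m_ip" > "$out/$m_name/etcd-server-startup.sh"
  render_supervisor_ini "$m_name" > "$out/$m_name/etcd-server.ini"
  check_member_files "$out/$m_name/etcd-server-startup.sh" "$out/$m_name/etcd-server.ini" "$m_ip"
done
```

A script copied from hdss7-12 to hdss7-21 without editing --name and the IPs fails the first check, and a member whose --name is absent from --initial-cluster is refused by etcd at startup, so these checks are cheaper than reading supervisor logs after a failed bootstrap. One caveat the check deliberately does not hide: the http://127.0.0.1:2379 listener is plaintext and is not covered by --client-cert-auth, so it must stay bound to loopback; any account with a shell on the member can read and write the entire keyspace through it.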
Cluster health check:
Run the check commands on any member of the etcd cluster:
cd /opt/etcd
./etcdctl cluster-health
./etcdctl member list    ## shows which member is the leader