感谢大家的支持,是我写这篇文章的动力。因为参照生产环境的部署,整个部署过程相对繁琐。
生产环境使用 Kubernetes 差不多快 3 年,期间确实遇到许多坑,但生产环境没有发生过事故。网上大部分教程都是针对单个服务的部署,并没有将所有的应用结合起来。很多伙伴在测试环境或在本机上试验,不敢实际使用。这篇文章将我在生产环境近三年的工作中使用到的组件全部列出来:一是可以让你对生产环境的使用有一个大概的了解;二是可以为你提供一个更系统的学习环境。
由于在写文章时对 Kubernetes 1.9 进行了重新搭建,也力求所有配置都写得详细些,对重点的地方讲得清楚些,因此写的进度会有些慢。
文档组成(会根据编写进度调整):
- 1. ETCD集群安装 – 完成
- 2. apiserver高可用安装 — 完成
- 3. node中docker安装及配置
- 4. Docker仓库安装
- 5. Kubernetes安装
- 6. Kubernetes中Jenkins安装
- 7. Kubernetes中日志收集Graylog2安装
- 8. Kubernetes中日志收集flume安装
- 9. Kubernetes监控prometheus安装
- 10. Kubernetes监控grafana安装
ETCD集群我们这里使用三台独立服务器安装。如果是生产环境,服务器足够的话,最好用独立服务器,当然,也可以和别的服务安装在一起。但是我们在这里使用独立服务器。这样也更好理解原理,配置也更为清晰。
首先,我们要对服务器做一些初始化的配置。比如服务名配置,IP配置,系统更新等。
yds-dev-svc01-etcd01 主机名配置
[root@localhost ~]# hostnamectl
Static hostname: yds-dev-svc01-etcd01
Icon name: computer-vm
Chassis: vm
Machine ID: 86551c512ea14b06a9eaf8ad100e7973
Boot ID: 5b698ae318804cbfb578302d563bee36
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-693.el7.x86_64
Architecture: x86-64
配置完成后,重新登录一下
yds-dev-svc01-etcd01 IP地址配置
修改网络配置文件
[root@yds-dev-svc01-etcd01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=7d6fb2ed-364c-415f-9b02-0e54436ff1ec
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.3.50
NETMASK=255.255.255.0
GATEWAY=192.168.3.1
DNS1=192.168.3.10
DNS2=114.114.114.114
查看网络配置信息。
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:7c:79:54 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.50/24 brd 192.168.3.255 scope global ens32
valid_lft forever preferred_lft forever
inet6 fe80::9cd:60a3:99e2:48ff/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::fbd2:5239:fe68:ea3d/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::2a36:8b76:9a1d:7d50/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
yds-dev-svc01-etcd02 主机名配置
[root@localhost ~]# hostnamectl set-hostname yds-dev-svc01-etcd02
[root@localhost ~]# hostnamectl
Static hostname: yds-dev-svc01-etcd02
Icon name: computer-vm
Chassis: vm
Machine ID: 86551c512ea14b06a9eaf8ad100e7973
Boot ID: 80402b905e324612812f2e03dc6d6949
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-693.el7.x86_64
Architecture: x86-64
配置完成后,重新登录一下
yds-dev-svc01-etcd02 IP地址配置
修改网络配置文件
[root@yds-dev-svc01-etcd02 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=7d6fb2ed-364c-415f-9b02-0e54436ff1ec
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.3.51
NETMASK=255.255.255.0
GATEWAY=192.168.3.1
DNS1=192.168.3.10
DNS2=114.114.114.114
查看网络配置信息。
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:42:a8:9d brd ff:ff:ff:ff:ff:ff
inet 192.168.3.51/24 brd 192.168.3.255 scope global ens32
valid_lft forever preferred_lft forever
inet6 fe80::9cd:60a3:99e2:48ff/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::fbd2:5239:fe68:ea3d/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::2a36:8b76:9a1d:7d50/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
yds-dev-svc01-etcd03 主机名配置
[root@localhost ~]# hostnamectl set-hostname yds-dev-svc01-etcd03
[root@localhost ~]# hostnamectl
Static hostname: yds-dev-svc01-etcd03
Icon name: computer-vm
Chassis: vm
Machine ID: 86551c512ea14b06a9eaf8ad100e7973
Boot ID: 509a0b69f26c41d2bc4e3ba18dba4c39
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-693.el7.x86_64
Architecture: x86-64
配置完成后,重新登录一下
修改网络配置文件
[root@yds-dev-svc01-etcd03 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=7d6fb2ed-364c-415f-9b02-0e54436ff1ec
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.3.52
NETMASK=255.255.255.0
GATEWAY=192.168.3.1
DNS1=192.168.3.10
DNS2=114.114.114.114
查看网络配置信息。
[root@yds-dev-svc01-etcd03 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ae:06:3e brd ff:ff:ff:ff:ff:ff
inet 192.168.3.52/24 brd 192.168.3.255 scope global ens32
valid_lft forever preferred_lft forever
inet6 fe80::9cd:60a3:99e2:48ff/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::fbd2:5239:fe68:ea3d/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::2a36:8b76:9a1d:7d50/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
yds-dev-svc01-etcd01 系统更新
执行以下命令
[root@yds-dev-svc01-etcd01 ~]# yum install -y epel-release; yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sohu.com
* epel: mirrors.sohu.com
* extras: mirrors.sohu.com
* updates: mirrors.cn99.com
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sohu.com
* epel: mirrors.sohu.com
* extras: mirrors.sohu.com
* updates: mirrors.cn99.com
No packages marked for update
yds-dev-svc01-etcd02 系统更新
执行以下命令
[root@yds-dev-svc01-etcd02 ~]# yum install -y epel-release; yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sohu.com
* epel: mirror01.idc.hinet.net
* extras: mirrors.sohu.com
* updates: mirrors.aliyun.com
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sohu.com
* epel: mirror01.idc.hinet.net
* extras: mirrors.sohu.com
* updates: mirrors.aliyun.com
No packages marked for update
yds-dev-svc01-etcd03 系统更新
执行以下命令
[root@yds-dev-svc01-etcd03 ~]# yum install -y epel-release ; yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: mirror01.idc.hinet.net
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: mirror01.idc.hinet.net
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
No packages marked for update
yds-dev-svc01-etcd01 关闭selinux
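# Put SELinux in permissive mode for the running system and disable it on
# future boots.  NOTE(security): this is a host-hardening regression that
# etcd does not require; if policy allows, keep enforcing (or permissive)
# and fix individual denials instead.  Re-enabling later needs a relabel.
# Only /etc/selinux/config is edited: on CentOS 7 /etc/sysconfig/selinux
# is a symlink to it, and `sed -i` on the symlink would replace the link
# with an unrelated regular file.
setenforce 0
sed -i 's/^SELINUX=\(enforcing\|permissive\)/SELINUX=disabled/' /etc/selinux/config
getenforce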
yds-dev-svc01-etcd02 关闭selinux
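# Put SELinux in permissive mode for the running system and disable it on
# future boots.  NOTE(security): this is a host-hardening regression that
# etcd does not require; if policy allows, keep enforcing (or permissive)
# and fix individual denials instead.  Re-enabling later needs a relabel.
# Only /etc/selinux/config is edited: on CentOS 7 /etc/sysconfig/selinux
# is a symlink to it, and `sed -i` on the symlink would replace the link
# with an unrelated regular file.
setenforce 0
sed -i 's/^SELINUX=\(enforcing\|permissive\)/SELINUX=disabled/' /etc/selinux/config
getenforce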
yds-dev-svc01-etcd03 关闭selinux
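# Put SELinux in permissive mode for the running system and disable it on
# future boots.  NOTE(security): this is a host-hardening regression that
# etcd does not require; if policy allows, keep enforcing (or permissive)
# and fix individual denials instead.  Re-enabling later needs a relabel.
# Only /etc/selinux/config is edited: on CentOS 7 /etc/sysconfig/selinux
# is a symlink to it, and `sed -i` on the symlink would replace the link
# with an unrelated regular file.
setenforce 0
sed -i 's/^SELINUX=\(enforcing\|permissive\)/SELINUX=disabled/' /etc/selinux/config
getenforce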
yds-dev-svc01-etcd01 关闭交换分区swap
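# Turn swap off now and keep it off across reboots.  The fstab edit only
# comments out swap lines that are not already comments, so the block is
# safe to re-run (the original prefixed '#' unconditionally, turning an
# already-commented line into '##...').
swapoff -a
sed -i '/^[^#].*swap/ s/^/#/' /etc/fstab
cat /etc/fstab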
yds-dev-svc01-etcd02 关闭交换分区swap
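# Turn swap off now and keep it off across reboots.  The fstab edit only
# comments out swap lines that are not already comments, so the block is
# safe to re-run (the original prefixed '#' unconditionally, turning an
# already-commented line into '##...').
swapoff -a
sed -i '/^[^#].*swap/ s/^/#/' /etc/fstab
cat /etc/fstab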
yds-dev-svc01-etcd03 关闭交换分区swap
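# Turn swap off now and keep it off across reboots.  The fstab edit only
# comments out swap lines that are not already comments, so the block is
# safe to re-run (the original prefixed '#' unconditionally, turning an
# already-commented line into '##...').
swapoff -a
sed -i '/^[^#].*swap/ s/^/#/' /etc/fstab
cat /etc/fstab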
yds-dev-svc01-etcd01 设置内核
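# Let bridged traffic traverse iptables/ip6tables (needed by kube-proxy and
# most CNI plugins).  Two fixes to the original:
#  * the net.bridge.* keys only exist once br_netfilter is loaded (on this
#    3.10.0-693 kernel it appears to be a separate module), so load it now
#    and on every boot;
#  * `sysctl -p /etc/sysctl.conf` never reads /etc/sysctl.d/, which is why
#    the original printed nothing — the settings were not applied.
modprobe br_netfilter
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
cat <<'EOF' > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system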
执行效果
[root@yds-dev-svc01-etcd01 ~]# cat <<EOF > /etc/sysctl.d/k8s.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@yds-dev-svc01-etcd01 ~]# sysctl -p /etc/sysctl.conf
[root@yds-dev-svc01-etcd01 ~]#
yds-dev-svc01-etcd02 设置内核
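# Let bridged traffic traverse iptables/ip6tables (needed by kube-proxy and
# most CNI plugins).  Two fixes to the original:
#  * the net.bridge.* keys only exist once br_netfilter is loaded (on this
#    3.10.0-693 kernel it appears to be a separate module), so load it now
#    and on every boot;
#  * `sysctl -p /etc/sysctl.conf` never reads /etc/sysctl.d/, which is why
#    the original printed nothing — the settings were not applied.
modprobe br_netfilter
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
cat <<'EOF' > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system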
执行效果
[root@yds-dev-svc01-etcd02 ~]# cat <<EOF > /etc/sysctl.d/k8s.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@yds-dev-svc01-etcd02 ~]# sysctl -p /etc/sysctl.conf
[root@yds-dev-svc01-etcd02 ~]#
yds-dev-svc01-etcd03 设置内核
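# Let bridged traffic traverse iptables/ip6tables (needed by kube-proxy and
# most CNI plugins).  Two fixes to the original:
#  * the net.bridge.* keys only exist once br_netfilter is loaded (on this
#    3.10.0-693 kernel it appears to be a separate module), so load it now
#    and on every boot;
#  * `sysctl -p /etc/sysctl.conf` never reads /etc/sysctl.d/, which is why
#    the original printed nothing — the settings were not applied.
modprobe br_netfilter
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
cat <<'EOF' > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system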
执行效果
[root@yds-dev-svc01-etcd03 ~]# cat <<EOF > /etc/sysctl.d/k8s.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@yds-dev-svc01-etcd03 ~]# sysctl -p /etc/sysctl.conf
[root@yds-dev-svc01-etcd03 ~]# sysctl -p
[root@yds-dev-svc01-etcd03 ~]#
yds-dev-svc01-etcd01 设置ETCD环境
复制执行以下命令:
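# Member name resolution plus the per-node shell variables the rest of the
# guide relies on (NODE_NAME, NODE_IP, NODE_IPS, ETCD_NODES).
# Both appends are guarded so re-running the block does not stack
# duplicate /etc/hosts entries or ~/.bash_profile exports.
if ! grep -q 'yds-dev-svc01-etcd01' /etc/hosts; then
  cat <<'EOF' >> /etc/hosts
192.168.3.50 yds-dev-svc01-etcd01
192.168.3.51 yds-dev-svc01-etcd02
192.168.3.52 yds-dev-svc01-etcd03
EOF
fi
if ! grep -q '^export NODE_NAME=' ~/.bash_profile 2>/dev/null; then
  cat <<'EOF' >> ~/.bash_profile
export NODE_NAME=yds-dev-svc01-etcd01
export NODE_IP=192.168.3.50
export NODE_IPS="192.168.3.50 192.168.3.51 192.168.3.52"
export ETCD_NODES=yds-dev-svc01-etcd01=https://192.168.3.50:2380,yds-dev-svc01-etcd02=https://192.168.3.51:2380,yds-dev-svc01-etcd03=https://192.168.3.52:2380
EOF
fi
# shellcheck disable=SC1090
source ~/.bash_profile
# Every line below must print a non-empty value.
echo "${NODE_NAME}"
echo "${NODE_IP}"
echo "${NODE_IPS}"
echo "${ETCD_NODES}"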
yds-dev-svc01-etcd02 设置ETCD环境
复制执行以下命令:
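# Member name resolution plus the per-node shell variables the rest of the
# guide relies on.  The original wrote `hostname IP`; /etc/hosts is
# `IP hostname`, so those entries never resolved anything.  Both appends
# are guarded so re-running the block does not duplicate them.
if ! grep -q 'yds-dev-svc01-etcd01' /etc/hosts; then
  cat <<'EOF' >> /etc/hosts
192.168.3.50 yds-dev-svc01-etcd01
192.168.3.51 yds-dev-svc01-etcd02
192.168.3.52 yds-dev-svc01-etcd03
EOF
fi
if ! grep -q '^export NODE_NAME=' ~/.bash_profile 2>/dev/null; then
  cat <<'EOF' >> ~/.bash_profile
export NODE_NAME=yds-dev-svc01-etcd02
export NODE_IP=192.168.3.51
export NODE_IPS="192.168.3.50 192.168.3.51 192.168.3.52"
export ETCD_NODES=yds-dev-svc01-etcd01=https://192.168.3.50:2380,yds-dev-svc01-etcd02=https://192.168.3.51:2380,yds-dev-svc01-etcd03=https://192.168.3.52:2380
EOF
fi
# shellcheck disable=SC1090
source ~/.bash_profile
# Every line below must print a non-empty value.
echo "${NODE_NAME}"
echo "${NODE_IP}"
echo "${NODE_IPS}"
echo "${ETCD_NODES}"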
yds-dev-svc01-etcd03 设置ETCD环境
复制执行以下命令:
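# Member name resolution plus the per-node shell variables the rest of the
# guide relies on.  The original wrote `hostname IP`; /etc/hosts is
# `IP hostname`, so those entries never resolved anything.  Both appends
# are guarded so re-running the block does not duplicate them.
if ! grep -q 'yds-dev-svc01-etcd01' /etc/hosts; then
  cat <<'EOF' >> /etc/hosts
192.168.3.50 yds-dev-svc01-etcd01
192.168.3.51 yds-dev-svc01-etcd02
192.168.3.52 yds-dev-svc01-etcd03
EOF
fi
if ! grep -q '^export NODE_NAME=' ~/.bash_profile 2>/dev/null; then
  cat <<'EOF' >> ~/.bash_profile
export NODE_NAME=yds-dev-svc01-etcd03
export NODE_IP=192.168.3.52
export NODE_IPS="192.168.3.50 192.168.3.51 192.168.3.52"
export ETCD_NODES=yds-dev-svc01-etcd01=https://192.168.3.50:2380,yds-dev-svc01-etcd02=https://192.168.3.51:2380,yds-dev-svc01-etcd03=https://192.168.3.52:2380
EOF
fi
# shellcheck disable=SC1090
source ~/.bash_profile
# Every line below must print a non-empty value.
echo "${NODE_NAME}"
echo "${NODE_IP}"
echo "${NODE_IPS}"
echo "${ETCD_NODES}"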
此部分可以在自己的电脑上执行,也可以只在 yds-dev-svc01-etcd01 上执行。在这里,我们在 yds-dev-svc01-etcd01 上执行。
* 安装证书生成工具 *
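# Install the cfssl tool set used to mint the cluster CA and certificates.
# NOTE(security): nothing here verifies what was downloaded — pkg.cfssl.org
# publishes no checksums or signatures.  Before trusting these binaries to
# create a CA, compare their sha256 with the values on the cfssl GitHub
# release page (or build from source).  If pkg.cfssl.org no longer serves
# the files, use the GitHub release assets instead.
# Each tool is installed only if its download succeeded, so a failed fetch
# cannot leave a stale or missing binary behind unnoticed.
yum install -y wget
mkdir -p /tmp/key && cd /tmp/key
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64" \
    && install -m 0755 "${tool}_linux-amd64" "/usr/local/bin/${tool}" \
    && rm -f "${tool}_linux-amd64"
done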
* 创建 CA 配置文件 *
创建CA文件:
signing: 表示证书可用于数字签名(keyUsage 中的 digitalSignature),并不表示它能签发其它证书;ca.pem 的 CA=TRUE 来自 `cfssl gencert -initca`,与此 profile 无关——该 profile 作用于后面签发的 etcd 叶子证书;
server auth: 表示 client 可以用该 CA 对 server 提供的证书进行验证;
client auth: 表示 server 可以用该 CA 对 client 提供的证书进行验证;
# CA signing policy consumed by `cfssl gencert -config`.  Only the
# "kubernetes" profile is defined; it is applied to the etcd leaf cert.
# "signing" = keyUsage digitalSignature; "server auth"/"client auth" are
# the extendedKeyUsage bits.
# NOTE(security): 87600h is ten years for BOTH the CA default and the
# leaf profile — shorten the profile expiry if certificates are to be
# rotated.  The delimiter is quoted so the shell expands nothing inside.
cat <<'EOF' > ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
这里可以根据你的需要修改CN和O。
“CN”:Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法;
“O”:Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group);
# Certificate signing request for the self-signed root CA.
# Subject: CN=kubernetes, O=k8s, OU=System; 2048-bit RSA key.
# (For the CA itself CN/O are only identity labels; the username/group
# mapping described above applies to client certs presented to the
# apiserver.)  Quoted delimiter: the JSON is written verbatim.
cat <<'EOF' > ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "chengdu",
      "L": "chengdu",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
* 生成 CA 证书和私钥 *
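# Create the self-signed root CA (ca.pem, ca-key.pem, ca.csr).
# ca-key.pem is the root of trust for the whole cluster: keep it out of
# /tmp, never copy it to the etcd nodes, and make it root-only.  Whether
# cfssljson tightens the mode itself is not relied on — do it explicitly.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
chmod 0600 ca-key.pem
ls -l ca*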
* 创建 etcd 证书签名请求 *
hosts 字段指定授权使用该证书的 etcd 节点 IP;
每个节点的 IP 都要写在 hosts 里,或者为每台机器单独申请一个只含自身 IP 的证书。注意:这一张证书同时被用作 etcd 的服务端证书、客户端证书和 peer 证书,拿到 etcd-key.pem 的任何人都可以完全读写集群数据,因此私钥必须严格保护(0600,只放到 etcd 节点上)。
# CSR for the single certificate shared by all three members (used as
# server, peer and client cert alike).  "hosts" lists every SAN a peer or
# client may connect to: loopback plus the three member IPs.
# Quoted delimiter: the JSON is written verbatim.
cat <<'EOF' > etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.3.50",
    "192.168.3.51",
    "192.168.3.52"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "chengdu",
      "L": "chengdu",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
生成 etcd 证书和私钥
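# Issue the etcd certificate from the CA using the "kubernetes" profile
# (server auth + client auth).  The private key is tightened to root-only
# immediately so it is never world-readable, even for a moment.
cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
chmod 0600 etcd-key.pem
ls -l etcd*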
以上证书生成完成。ca-key.pem 是整个集群的信任根:它不应复制到任何 etcd 节点,且 /tmp 下的文件可能被系统定期清理,请将它连同 csr/config 文件一起移到受控的离线位置备份,并设置为仅 root 可读(0600)。
在yds-dev-svc01-etcd01,yds-dev-svc01-etcd02,yds-dev-svc01-etcd03中创建/etc/etcd/ssl目录
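# Directory for the member's TLS material.  Created root-only (0700)
# because it will hold etcd-key.pem; etcd runs as root in this guide.
install -d -m 0700 /etc/etcd/ssl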
将生成etcd证书复制到各个etcd安装目录中
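# Distribute the leaf cert, its key and the CA *certificate* (never
# ca-key.pem) to every member.  /etc/etcd/ssl must already exist on the
# targets.  The key is tightened before copying so the copies carry the
# same mode; confirm with `ls -l /etc/etcd/ssl` on each target.
cp etcd.pem etcd-key.pem ca.pem /etc/etcd/ssl/
chmod 0600 /etc/etcd/ssl/etcd-key.pem
scp /etc/etcd/ssl/* root@yds-dev-svc01-etcd02:/etc/etcd/ssl/
scp /etc/etcd/ssl/* root@yds-dev-svc01-etcd03:/etc/etcd/ssl/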
下载ETCD安装文件
我们这里使用的 ETCD 版本为 3.2.18;你也可以使用这个版本或更高的版本。注意 3.2 系列早已停止维护,生产环境请选用仍在维护、并跟进安全公告的版本。
在yds-dev-svc01-etcd01中下载ETCD,下载完成后,复制安装文件到yds-dev-svc01-etcd02和yds-dev-svc01-etcd03中。
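# Fetch etcd, verify the tarball against the SHA256SUMS file published
# with the release (check the release page if that fetch 404s), and stage
# etcd/etcdctl on all three members.  The chain stops at the first
# failure, so a bad download or a checksum mismatch is never installed.
ETCD_VER=v3.2.18
ETCD_TGZ="etcd-${ETCD_VER}-linux-amd64.tar.gz"
ETCD_URL="https://github.com/coreos/etcd/releases/download/${ETCD_VER}"
cd /tmp \
  && wget "${ETCD_URL}/${ETCD_TGZ}" \
  && wget -O SHA256SUMS "${ETCD_URL}/SHA256SUMS" \
  && grep "${ETCD_TGZ}" SHA256SUMS | sha256sum -c - \
  && tar -xzf "${ETCD_TGZ}" \
  && cd "etcd-${ETCD_VER}-linux-amd64" \
  && install -m 0755 etcd etcdctl /usr/local/bin/ \
  && scp etcd etcdctl root@yds-dev-svc01-etcd02:/usr/local/bin/ \
  && scp etcd etcdctl root@yds-dev-svc01-etcd03:/usr/local/bin/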
创建 etcd 的 systemd unit 文件
先创建ETCD工作目录
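# etcd's data directory (WorkingDirectory of the unit below).  It holds the
# raw keyspace, so keep it root-only — the same 0700 etcd uses when it
# creates the directory itself.
install -d -m 0700 /var/lib/etcd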
如果没有创建这个目录,会出现 Failed at step CHDIR spawning /usr/local/bin/etcd: No such file or directory 的错误信息。
在各个服务器执行以下命令创建systemd unit文件。
因为在命令中包含变量,这些变量我们在前面已经创建了,为了保险,我们再检查一下:
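# Abort this step (rather than silently generating a config with empty
# values) if any per-node variable from ~/.bash_profile is missing; then
# print them for a visual check.
: "${NODE_NAME:?NODE_NAME is not set - source ~/.bash_profile}"
: "${NODE_IP:?NODE_IP is not set - source ~/.bash_profile}"
: "${ETCD_NODES:?ETCD_NODES is not set - source ~/.bash_profile}"
echo "${NODE_NAME}"
echo "${NODE_IP}"
echo "${ETCD_NODES}"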
生成ETCD配置文件
这里生成的配置文件有: /etc/etcd/etcd-key.conf, /etc/etcd/etcd.conf
网上大部分是把这两个配置文件和systemd unit文件存放在一起, 也可以参考这样的方法,看个人习惯。
/etc/etcd/etcd-key.conf:存放我们证书的配置信息。
/etc/etcd/etcd.conf:存放ETCD集群的配置信息。
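# TLS flags for the client-facing and peer listeners.  Two flags the
# original lacked are added: --client-cert-auth and --peer-client-cert-auth.
# Without them etcd presents a certificate but does NOT demand one from
# the other side, so anyone who can reach 2379 can read and write the
# entire keyspace (every Kubernetes Secret).  --trusted-ca-file alone only
# names the CA to use *if* client certificates are checked.
cat > /etc/etcd/etcd-key.conf <<'EOF'
ETCD_KEY='--cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem --client-cert-auth=true --peer-cert-file=/etc/etcd/ssl/etcd.pem --peer-key-file=/etc/etcd/ssl/etcd-key.pem --peer-client-cert-auth=true --trusted-ca-file=/etc/etcd/ssl/ca.pem --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem'
EOF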
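# Member/cluster flags, expanded from the per-node variables exported in
# ~/.bash_profile; abort early if any is missing rather than writing a
# config with empty values.
# The original also listened on http://127.0.0.1:2379.  A plaintext
# listener is never subject to client-certificate checks, so every local
# process on the host could read and rewrite the keyspace.  It is dropped;
# point etcdctl at https://${NODE_IP}:2379 with the certificates instead.
: "${NODE_NAME:?NODE_NAME unset}" "${NODE_IP:?NODE_IP unset}" "${ETCD_NODES:?ETCD_NODES unset}"
cat > /etc/etcd/etcd.conf <<EOF
ETCD_NAME='--name=${NODE_NAME}'
DATA_DIR='--data-dir=/var/lib/etcd'
INITIAL_CLUSTER_STATE='--initial-cluster-state=new'
INITIAL_CLUSTER_TOKEN='--initial-cluster-token=etcd-cluster-0'
INITIAL_ADVERTISE_PEER_URLS='--initial-advertise-peer-urls=https://${NODE_IP}:2380'
LISTEN_PEER_URLS='--listen-peer-urls=https://${NODE_IP}:2380'
LISTEN_CLIENT_URLS='--listen-client-urls=https://${NODE_IP}:2379'
ADVERTISE_CLIENT_URLS='--advertise-client-urls=https://${NODE_IP}:2379'
INITIAL_CLUSTER='--initial-cluster=${ETCD_NODES}'
EOF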
创建/etc/systemd/system/etcd.service
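[Unit]
Description=Etcd Server
Documentation=https://github.com/coreos
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
# No leading '-': a missing config file must fail the unit.  With '-' the
# file is silently skipped and etcd starts with its built-in defaults — a
# single member with no TLS, listening on http://localhost:2379 — which is
# not what anyone wants from a cluster node.
EnvironmentFile=/etc/etcd/etcd.conf
EnvironmentFile=/etc/etcd/etcd-key.conf
ExecStart=/usr/local/bin/etcd \
  $ETCD_NAME \
  $DATA_DIR \
  $INITIAL_CLUSTER_STATE \
  $INITIAL_CLUSTER_TOKEN \
  $INITIAL_ADVERTISE_PEER_URLS \
  $LISTEN_PEER_URLS \
  $LISTEN_CLIENT_URLS \
  $ADVERTISE_CLIENT_URLS \
  $INITIAL_CLUSTER \
  $ETCD_KEY
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
# Basic sandboxing available in the systemd shipped with CentOS 7 (v219):
# etcd only needs to write under /var/lib/etcd and read /etc/etcd/ssl.
# Running as a dedicated unprivileged user (User=etcd, with /var/lib/etcd
# and /etc/etcd/ssl chowned to it) is the natural next step; it is not
# added here because this guide does not create that account.
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target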
参数说明:
WorkingDirectory: ETCD工作目录
开放2379和2380端口
如果没有开放,节点之间无法通过 2380 端口互联,集群无法形成。另外 2379 只应对 etcd 节点和 kube-apiserver 所在主机开放,不要对整个网段开放。
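# etcd listens on 2379 (clients) and 2380 (peers).  The original opened
# 2379 twice and never opened 2380, so the members could not reach each
# other.  Peer traffic only ever comes from the other members, so 2380 is
# restricted to ${NODE_IPS} (exported in ~/.bash_profile) rather than
# opened to everyone.  2379 is left open to all sources here because the
# apiserver addresses are not known yet; tighten it later with the same
# rich-rule form, listing only the apiserver hosts.
firewall-cmd --permanent --add-port=2379/tcp
# shellcheck disable=SC2086  # NODE_IPS is a space-separated list by design
for peer in ${NODE_IPS}; do
  rule=$(printf 'rule family="ipv4" source address="%s" port port="2380" protocol="tcp" accept' "${peer}")
  firewall-cmd --permanent --add-rich-rule="${rule}"
done
firewall-cmd --reload
firewall-cmd --list-all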
启动 etcd 服务(三台节点尽量同时执行:在 Type=notify 下,第一台的 systemctl start 可能会一直等到集群形成法定人数才返回,其余节点迟迟不启动时可能超时):
# Register the new unit, enable it for boot, start it, and show its state.
# (systemd 219 on CentOS 7 has no `enable --now`, hence separate calls.)
systemctl daemon-reload
systemctl enable etcd.service
systemctl start etcd.service
systemctl status etcd.service
验证ETCD服务
# v2-API health check of the whole cluster through this node's TLS
# endpoint.  The TLS material is handed to etcdctl through its environment
# variables, scoped to this single command, instead of flags.
ETCDCTL_CA_FILE=/etc/etcd/ssl/ca.pem \
ETCDCTL_CERT_FILE=/etc/etcd/ssl/etcd.pem \
ETCDCTL_KEY_FILE=/etc/etcd/ssl/etcd-key.pem \
ETCDCTL_ENDPOINTS="https://${NODE_IP}:2379" \
etcdctl cluster-health
返回如下信息就表示我们配置的ETCD集群正常:
member 4f0deb6feb86262a is healthy: got healthy result from https://192.168.3.51:2379
member 88ccd3107db11e1e is healthy: got healthy result from https://192.168.3.50:2379
member a7363df6be39715b is healthy: got healthy result from https://192.168.3.52:2379
cluster is healthy
以上,我们完成了ETCD的配置工作,但是,如果我们要将ETCD在生产环境中使用,还需要对ETCD做备份。
数据备份的重要性这里不详说了。只能说,非常重要。
要了解etcd的备份,我们可以先看下以下连接.
https://github.com/coreos/etcd/blob/master/Documentation/v2/admin_guide.md#disaster-recovery
备份ETCD集群有两种方式: ETCD内置的snapshot和volume snapshot。
ETCD 内置的快照(snapshot)备份非常简单,可以使用命令“etcdctl snapshot save”或者直接保存 member/snap/db。
API3备份
我们刚创建的 ETCD 集群生成快照的命令如下,执行后会在当前目录生成一个 snapshotdb 文件。该文件包含 etcd 中的全部数据(包括 Kubernetes 的 Secret,若未配置 apiserver 静态加密则是明文),请按敏感数据保管。
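# Take a point-in-time v3 snapshot of the keyspace and check it.
# The snapshot holds EVERYTHING stored in etcd — including every
# Kubernetes Secret, in clear text unless apiserver encryption-at-rest is
# configured.  Treat snapshotdb as sensitive: keep it 0600, move it off
# the node, and encrypt it at rest.
ETCDCTL_API=3 etcdctl \
  --endpoints="https://${NODE_IP}:2379" \
  --cacert=/etc/etcd/ssl/ca.pem \
  --cert=/etc/etcd/ssl/etcd.pem \
  --key=/etc/etcd/ssl/etcd-key.pem \
  snapshot save snapshotdb
chmod 0600 snapshotdb
# `snapshot status` reads the local file only; no endpoint or TLS needed.
ETCDCTL_API=3 etcdctl --write-out=table snapshot status snapshotdb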
API3备份恢复
在三个节点上分别执行(使用各自节点的名称和 IP;恢复前先停止 etcd 并把旧的 /var/lib/etcd 挪走,快照文件需先复制到各节点):
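# Rebuild a member from the v3 snapshot.  Run this ONCE ON EACH NODE with
# that node's own NODE_NAME / NODE_IP (exported in ~/.bash_profile), after
# copying snapshotdb to it.  Differences from the original three commands:
#  * the file is snapshotdb (what `snapshot save` wrote), not snapshot.db;
#  * restore is an offline operation on a local file, so it takes no TLS
#    flags (the --cert-file/--peer-*/--trusted-ca-file options passed
#    before are etcd *server* flags, not etcdctl v3 flags);
#  * the peer URL is https, matching ETCD_NODES and the unit;
#  * --data-dir is set explicitly; otherwise the data lands in
#    ./<name>.etcd under the current directory, not where the service
#    reads it.
# etcdctl refuses to restore into an existing directory, hence the move
# (the old directory is kept as a timestamped backup).
: "${NODE_NAME:?NODE_NAME unset}" "${NODE_IP:?NODE_IP unset}" "${ETCD_NODES:?ETCD_NODES unset}"
systemctl stop etcd
mv /var/lib/etcd "/var/lib/etcd.$(date +%Y%m%d%H%M%S).bak"
ETCDCTL_API=3 etcdctl snapshot restore snapshotdb \
  --name "${NODE_NAME}" \
  --data-dir /var/lib/etcd \
  --initial-cluster "${ETCD_NODES}" \
  --initial-cluster-token etcd-cluster-0 \
  --initial-advertise-peer-urls "https://${NODE_IP}:2380"
# Bring the member back; start all three within a short window so the
# restored cluster can elect a leader.
systemctl start etcd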
API2备份
备份命令:
# v2-API backup: copies the WAL and snap of the v2 store to --backup-dir.
# NOTE(review): the Kubernetes 1.9 apiserver stores its objects through
# the v3 API; whether this v2 backup captures the v3 keyspace on etcd 3.2
# is not established here — prefer the `snapshot save` shown above.
# /tmp is not a safe destination for a file holding cluster secrets.
etcdctl backup --data-dir /var/lib/etcd --backup-dir /tmp/etcd_backup
备份恢复:
# Starts a single-member cluster from the backup using etcd's built-in
# defaults: no TLS flags, so it serves plaintext on the default
# localhost listeners only.  Pass the same --cert-file/--key-file/
# --trusted-ca-file/--client-cert-auth and --listen-*/--advertise-* flags
# the unit uses before exposing it to anything beyond this host.
etcd -data-dir=/tmp/etcd_backup -force-new-cluster
文档组成(会根据编写进度调整):
- 1. ETCD集群安装 – 完成
- 2. apiserver高可用安装 — 完成
- 3. node中docker安装及配置
- 4. Docker仓库安装
- 5. Kubernetes安装
- 6. Kubernetes中Jenkins安装
- 7. Kubernetes中日志收集Graylog2安装
- 8. Kubernetes中日志收集flume安装
- 9. Kubernetes监控prometheus安装
- 10. Kubernetes监控grafana安装