Kubernetes 1.9 Production High-Availability Practice -- 001: ETCD High-Availability Cluster Deployment - wenwst's column - CSDN blog

Thanks to everyone for the support; it is what keeps me writing.

Because the deployment follows a production environment, the whole procedure is fairly involved.

I have used Kubernetes in production for almost 3 years. I certainly ran into many pitfalls along the way, but there has never been an incident in production.

Most tutorials online cover deploying a single service and never tie all the applications together. Many people try things in a test environment or on their own machine and do not dare to use it for real. This article lists every component I have used in nearly three years of production work. First, it gives you a rough picture of what production use looks like; second, it gives you a more systematic environment to learn in.

Because I rebuilt everything on Kubernetes 1.9 while writing, and I am trying to describe every configuration in detail and explain the important points clearly, progress will be somewhat slow.

Document outline (adjusted as writing proceeds):
- 1. ETCD cluster installation -- done
- 2. apiserver high-availability installation -- done
- 3. Docker installation and configuration on the nodes
- 4. Docker registry installation
- 5. Kubernetes installation
- 6. Jenkins on Kubernetes
- 7. Log collection on Kubernetes: Graylog2
- 8. Log collection on Kubernetes: flume
- 9. Kubernetes monitoring: prometheus
- 10. Kubernetes monitoring: grafana

ETCD installation

Server preparation

We install the ETCD cluster on three dedicated servers. In production, if you have enough machines, dedicated servers are best; ETCD can also share servers with other services, but here we use dedicated ones, which makes the principles easier to follow and the configuration clearer. A three-member cluster needs a majority (2 of 3) to keep serving, so it tolerates the loss of exactly one member; keep the three on separate hosts or failure domains where you can.

First, some initial server configuration: hostname, IP address, system updates, and so on.

0001..... Initial server configuration

yds-dev-svc01-etcd01 hostname configuration

[root@localhost ~]# hostnamectl set-hostname yds-dev-svc01-etcd01
[root@localhost ~]# hostnamectl 
   Static hostname: yds-dev-svc01-etcd01
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 86551c512ea14b06a9eaf8ad100e7973
           Boot ID: 5b698ae318804cbfb578302d563bee36
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-693.el7.x86_64
      Architecture: x86-64

After configuring, log in again.

yds-dev-svc01-etcd01 IP address configuration
Edit the network configuration file

[root@yds-dev-svc01-etcd01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32 
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=7d6fb2ed-364c-415f-9b02-0e54436ff1ec
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.3.50
NETMASK=255.255.255.0
GATEWAY=192.168.3.1
DNS1=192.168.3.10
DNS2=114.114.114.114

Check the network configuration.

[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:7c:79:54 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.50/24 brd 192.168.3.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::9cd:60a3:99e2:48ff/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
    inet6 fe80::fbd2:5239:fe68:ea3d/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
    inet6 fe80::2a36:8b76:9a1d:7d50/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever

yds-dev-svc01-etcd02 hostname configuration

[root@localhost ~]# hostnamectl set-hostname yds-dev-svc01-etcd02
[root@localhost ~]# hostnamectl 
   Static hostname: yds-dev-svc01-etcd02
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 86551c512ea14b06a9eaf8ad100e7973
           Boot ID: 80402b905e324612812f2e03dc6d6949
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-693.el7.x86_64
      Architecture: x86-64

After configuring, log in again.

yds-dev-svc01-etcd02 IP address configuration
Edit the network configuration file

[root@yds-dev-svc01-etcd02 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32 
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=7d6fb2ed-364c-415f-9b02-0e54436ff1ec
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.3.51
NETMASK=255.255.255.0
GATEWAY=192.168.3.1
DNS1=192.168.3.10
DNS2=114.114.114.114

Check the network configuration.

[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:42:a8:9d brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.51/24 brd 192.168.3.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::9cd:60a3:99e2:48ff/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
    inet6 fe80::fbd2:5239:fe68:ea3d/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
    inet6 fe80::2a36:8b76:9a1d:7d50/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever

yds-dev-svc01-etcd03 hostname configuration

[root@localhost ~]# hostnamectl set-hostname yds-dev-svc01-etcd03
[root@localhost ~]# hostnamectl 
   Static hostname: yds-dev-svc01-etcd03
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 86551c512ea14b06a9eaf8ad100e7973
           Boot ID: 509a0b69f26c41d2bc4e3ba18dba4c39
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-693.el7.x86_64
      Architecture: x86-64

After configuring, log in again.

yds-dev-svc01-etcd03 IP address configuration
Edit the network configuration file

[root@yds-dev-svc01-etcd03 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32 
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=7d6fb2ed-364c-415f-9b02-0e54436ff1ec
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.3.52
NETMASK=255.255.255.0
GATEWAY=192.168.3.1
DNS1=192.168.3.10
DNS2=114.114.114.114

Check the network configuration.

[root@yds-dev-svc01-etcd03 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:ae:06:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.52/24 brd 192.168.3.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::9cd:60a3:99e2:48ff/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
    inet6 fe80::fbd2:5239:fe68:ea3d/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
    inet6 fe80::2a36:8b76:9a1d:7d50/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever

yds-dev-svc01-etcd01 system update
Run the following command

[root@yds-dev-svc01-etcd01 ~]# yum install -y epel-release; yum update -y 
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.sohu.com
 * epel: mirrors.sohu.com
 * extras: mirrors.sohu.com
 * updates: mirrors.cn99.com
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.sohu.com
 * epel: mirrors.sohu.com
 * extras: mirrors.sohu.com
 * updates: mirrors.cn99.com
No packages marked for update

yds-dev-svc01-etcd02 system update
Run the following command

[root@yds-dev-svc01-etcd02 ~]# yum install -y epel-release; yum update -y 
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.sohu.com
 * epel: mirror01.idc.hinet.net
 * extras: mirrors.sohu.com
 * updates: mirrors.aliyun.com
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.sohu.com
 * epel: mirror01.idc.hinet.net
 * extras: mirrors.sohu.com
 * updates: mirrors.aliyun.com
No packages marked for update

yds-dev-svc01-etcd03 system update
Run the following command

[root@yds-dev-svc01-etcd03 ~]# yum install -y epel-release ; yum update -y 
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * epel: mirror01.idc.hinet.net
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * epel: mirror01.idc.hinet.net
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
No packages marked for update

yds-dev-svc01-etcd01 disable SELinux

Disabling SELinux is a convenience, not a requirement of etcd, and it removes a mandatory access control layer from the hosts that will hold every Kubernetes Secret. If you do relax it, prefer permissive (denials are still logged to /var/log/audit/audit.log) over disabled, and revisit the decision once the cluster works. On CentOS 7, /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so the second sed of each pair below is redundant but harmless.

setenforce  0 
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux 
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config 
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/sysconfig/selinux 
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/selinux/config 
getenforce

yds-dev-svc01-etcd02 disable SELinux

setenforce  0 
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux 
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config 
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/sysconfig/selinux 
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/selinux/config 
getenforce

yds-dev-svc01-etcd03 disable SELinux

setenforce  0 
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux 
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config 
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/sysconfig/selinux 
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/selinux/config 
getenforce

yds-dev-svc01-etcd01 disable swap

Swap is turned off on every host in this series (the kubelet refuses to start with swap enabled); on an etcd host it also stops etcd's in-memory data, Secrets included, from being paged out to disk.

swapoff -a 
sed -i 's/.*swap.*/#&/' /etc/fstab
cat /etc/fstab

yds-dev-svc01-etcd02 disable swap

swapoff -a 
sed -i 's/.*swap.*/#&/' /etc/fstab
cat /etc/fstab

yds-dev-svc01-etcd03 disable swap

swapoff -a 
sed -i 's/.*swap.*/#&/' /etc/fstab
cat /etc/fstab

yds-dev-svc01-etcd01 kernel settings

The two bridge-nf-call keys only exist once the br_netfilter module is loaded, and `sysctl -p /etc/sysctl.conf` reads /etc/sysctl.conf alone, not /etc/sysctl.d/, so the transcripts below (captured with that command) printed nothing and left k8s.conf unapplied until the next boot. Load the module and apply the whole sysctl tree instead. These settings are what the Kubernetes nodes need later; on the etcd hosts they are harmless.

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
modprobe br_netfilter
sysctl --system

Result:

[root@yds-dev-svc01-etcd01 ~]# cat <<EOF >  /etc/sysctl.d/k8s.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@yds-dev-svc01-etcd01 ~]# sysctl -p /etc/sysctl.conf
[root@yds-dev-svc01-etcd01 ~]# 

yds-dev-svc01-etcd02 kernel settings

Same as on etcd01: write the file, load br_netfilter, then apply the whole sysctl tree.

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
modprobe br_netfilter
sysctl --system

Result:

[root@yds-dev-svc01-etcd02 ~]# cat <<EOF >  /etc/sysctl.d/k8s.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@yds-dev-svc01-etcd02 ~]# sysctl -p /etc/sysctl.conf
[root@yds-dev-svc01-etcd02 ~]# 

yds-dev-svc01-etcd03 kernel settings

Same as on etcd01: write the file, load br_netfilter, then apply the whole sysctl tree.

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
modprobe br_netfilter
sysctl --system

Result:

[root@yds-dev-svc01-etcd03 ~]# cat <<EOF >  /etc/sysctl.d/k8s.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@yds-dev-svc01-etcd03 ~]# sysctl -p /etc/sysctl.conf
[root@yds-dev-svc01-etcd03 ~]# sysctl -p
[root@yds-dev-svc01-etcd03 ~]# 

0002..... ETCD environment configuration

yds-dev-svc01-etcd01 set up the ETCD environment
Copy and run the following commands (ETCD_NODES lists the peer URLs, all https, and is reused by the cluster configuration and by the restore procedure later):

cat <<EOF >>  /etc/hosts
192.168.3.50  yds-dev-svc01-etcd01
192.168.3.51  yds-dev-svc01-etcd02
192.168.3.52  yds-dev-svc01-etcd03
EOF
cat <<EOF >>  ~/.bash_profile
export NODE_NAME=yds-dev-svc01-etcd01
export NODE_IP=192.168.3.50
export NODE_IPS="192.168.3.50 192.168.3.51 192.168.3.52"
export ETCD_NODES=yds-dev-svc01-etcd01=https://192.168.3.50:2380,yds-dev-svc01-etcd02=https://192.168.3.51:2380,yds-dev-svc01-etcd03=https://192.168.3.52:2380
EOF
source ~/.bash_profile
echo $NODE_NAME
echo $NODE_IP
echo $NODE_IPS
echo $ETCD_NODES

yds-dev-svc01-etcd02 set up the ETCD environment
Copy and run the following commands (/etc/hosts takes the IP address first, then the name):

cat <<EOF >>  /etc/hosts
192.168.3.50  yds-dev-svc01-etcd01
192.168.3.51  yds-dev-svc01-etcd02
192.168.3.52  yds-dev-svc01-etcd03
EOF
cat <<EOF >>  ~/.bash_profile
export NODE_NAME=yds-dev-svc01-etcd02
export NODE_IP=192.168.3.51
export NODE_IPS="192.168.3.50 192.168.3.51 192.168.3.52"
export ETCD_NODES=yds-dev-svc01-etcd01=https://192.168.3.50:2380,yds-dev-svc01-etcd02=https://192.168.3.51:2380,yds-dev-svc01-etcd03=https://192.168.3.52:2380
EOF
source ~/.bash_profile

yds-dev-svc01-etcd03 set up the ETCD environment
Copy and run the following commands (/etc/hosts takes the IP address first, then the name):

cat <<EOF >>  /etc/hosts
192.168.3.50  yds-dev-svc01-etcd01
192.168.3.51  yds-dev-svc01-etcd02
192.168.3.52  yds-dev-svc01-etcd03
EOF
cat <<EOF >>  ~/.bash_profile
export NODE_NAME=yds-dev-svc01-etcd03
export NODE_IP=192.168.3.52
export NODE_IPS="192.168.3.50 192.168.3.51 192.168.3.52"
export ETCD_NODES=yds-dev-svc01-etcd01=https://192.168.3.50:2380,yds-dev-svc01-etcd02=https://192.168.3.51:2380,yds-dev-svc01-etcd03=https://192.168.3.52:2380
EOF
source ~/.bash_profile

0003..... ETCD certificate configuration

This part can be run on your own computer, or only on yds-dev-svc01-etcd01. Here we run it on yds-dev-svc01-etcd01. Whichever machine you pick ends up holding the CA private key, so treat it accordingly (see the note once the certificates are generated).

* Install the certificate tooling *

The cfssl binaries below are fetched as bare files over HTTPS; compare them with the checksums the project publishes for the release before marking them executable.

yum install -y wget 
mkdir /tmp/key
cd /tmp/key

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

* Create the CA configuration file *

Create the CA config. The usages listed in a profile become the key-usage and extended-key-usage extensions of every certificate issued under that profile:
signing: the key may produce digital signatures (needed for TLS handshakes); the CA itself is created below with -initca, which marks ca.pem CA=TRUE;
key encipherment: the key may wrap session keys (RSA key exchange);
server auth: clients may use this CA to validate the certificate a server presents;
client auth: servers may use this CA to validate the certificate a client presents.
The expiry of 87600h is ten years. That is convenient, but it also means nothing ever forces a certificate rotation, so plan one deliberately.

cat >  ca-config.json <<EOF
{
"signing": {
"default": {
  "expiry": "87600h"
},
"profiles": {
  "kubernetes": {
    "usages": [
        "signing",
        "key encipherment",
        "server auth",
        "client auth"
    ],
    "expiry": "87600h"
  }
}
}
}
EOF

Adjust CN and O to your needs.
"CN": Common Name. kube-apiserver takes this field from a client certificate as the request's user name; browsers historically used it to check that a site is legitimate (modern browsers use the subjectAltName instead).
"O": Organization. kube-apiserver takes this field as the group the requesting user belongs to.

cat >  ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
  "C": "CN",
  "ST": "chengdu",
  "L": "chengdu",
  "O": "k8s",
  "OU": "System"
}
]
}
EOF

* Generate the CA certificate and private key *

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls ca*

* Create the etcd certificate signing request *

The hosts field lists the IP addresses authorised to use this certificate; etcd checks a peer's address against it, so every node IP must be present, or else issue a separate certificate per node with that node's IP. 127.0.0.1 is included so the same certificate is also valid for local clients.

cat > etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.3.50",
    "192.168.3.51",
    "192.168.3.52"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "chengdu",
      "L": "chengdu",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

Generate the etcd certificate and private key

cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
ls etcd*

The certificates are now generated. Back up the generated certificates and configuration files. ca-key.pem in particular is the key to the whole cluster: anyone holding it can issue certificates that etcd will trust and then read or change every object the apiserver stores. Keep it (together with ca-config.json and the CSR files) off the etcd nodes, and back it up encrypted.
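Before the files go to the nodes, check that etcd.pem is actually what the cluster needs: it must chain to ca.pem, carry every node IP as an IP subjectAltName (etcd matches a peer's address against the SAN), and have both serverAuth and clientAuth, since the one file serves as server, peer and client certificate. The check below is an added example, not part of the original post; it uses openssl rather than cfssl-certinfo. The make_test_pki function is a constructed stand-in that builds a throwaway CA and leaf with the same IPs so the check can be exercised on a machine without cfssl; on yds-dev-svc01-etcd01 you would run check_etcd_cert against the real files in /tmp/key.

```shell
#!/bin/sh
# Added example: sanity-check an etcd certificate before it is distributed.
# check_etcd_cert CERT CA IP...  -> prints OK and returns 0, or names the first
# failing property and returns 1.
check_etcd_cert() {
  cert=$1 ca=$2
  shift 2
  # 1. The leaf must verify against ca.pem, the same file etcd later receives
  #    as --trusted-ca-file / --peer-trusted-ca-file.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  # 2. Every node IP must be an IP SAN. "IP Address:x" has to be followed by a
  #    comma or end of line so that 192.168.3.5 does not match 192.168.3.50.
  for ip in "$@"; do
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    printf '%s\n' "$text" | grep -qE "IP Address:$ip_re(,|$)" \
      || { echo "FAIL: $ip missing from subjectAltName"; return 1; }
  done
  # 3. One file acts as server, peer and client certificate, so both EKUs
  #    must be present.
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" \
    || { echo "FAIL: no serverAuth EKU"; return 1; }
  printf '%s\n' "$text" | grep -q "TLS Web Client Authentication" \
    || { echo "FAIL: no clientAuth EKU"; return 1; }
  echo OK
}

# Constructed stand-in for the cfssl output, used only to exercise the check:
# a throwaway CA plus an etcd leaf with the same IP SANs as etcd-csr.json.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=etcd" \
    -keyout "$dir/etcd-key.pem" -out "$dir/etcd.csr" >/dev/null 2>&1
  cat >"$dir/etcd-ext.cnf" <<EOF
subjectAltName=IP:127.0.0.1,IP:192.168.3.50,IP:192.168.3.51,IP:192.168.3.52
extendedKeyUsage=serverAuth,clientAuth
keyUsage=digitalSignature,keyEncipherment
EOF
  openssl x509 -req -in "$dir/etcd.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$dir/etcd-ext.cnf" -out "$dir/etcd.pem" >/dev/null 2>&1
}

# Real use on the machine where cfssl ran, inside /tmp/key:
#   check_etcd_cert etcd.pem ca.pem 192.168.3.50 192.168.3.51 192.168.3.52
```

A certificate that passes this check but was issued for the wrong profile would still fail at run time, so keep the -profile=kubernetes flag in the cfssl gencert command above; the EKU check is what catches a profile without client auth.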

On yds-dev-svc01-etcd01, yds-dev-svc01-etcd02 and yds-dev-svc01-etcd03, create the /etc/etcd/ssl directory

mkdir -p /etc/etcd/ssl

Copy the generated etcd certificates to each etcd installation directory. Only etcd.pem, etcd-key.pem and ca.pem go to the nodes; ca-key.pem stays where the CA was created. On every node make the private key readable by root only (chmod 0600 /etc/etcd/ssl/etcd-key.pem), since etcd runs as root in the unit file below.

cp etcd.pem etcd-key.pem  ca.pem /etc/etcd/ssl/
scp -r /etc/etcd/ssl/* root@yds-dev-svc01-etcd02:/etc/etcd/ssl/
scp -r /etc/etcd/ssl/* root@yds-dev-svc01-etcd03:/etc/etcd/ssl/

Download the ETCD installation files
We use ETCD version 3.2.18 here; you can use this version as well, or a newer one. The release also publishes a SHA256SUMS file; verify the tarball against it before installing the binaries on all three nodes.
Download ETCD on yds-dev-svc01-etcd01, then copy the binaries to yds-dev-svc01-etcd02 and yds-dev-svc01-etcd03.

cd /tmp
wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz
tar -xvzf etcd-v3.2.18-linux-amd64.tar.gz
cd etcd-v3.2.18-linux-amd64
cp etcd* /usr/local/bin/
scp etcd* root@yds-dev-svc01-etcd02:/usr/local/bin/
scp etcd* root@yds-dev-svc01-etcd03:/usr/local/bin/

Create the etcd systemd unit file

First create the ETCD working directory

mkdir -p /var/lib/etcd

Without this directory the service fails with "Failed at step CHDIR spawning /usr/local/bin/etcd: No such file or directory".
Run the following on every server to create the unit file.
The commands reference the variables created earlier; to be safe, check them again:

echo ${NODE_NAME}
echo ${NODE_IP}
echo ${ETCD_NODES}

Generate the ETCD configuration files
Two files are generated here: /etc/etcd/etcd-key.conf and /etc/etcd/etcd.conf.
Most guides online put these settings in the systemd unit file itself; that works too, it is a matter of preference.
/etc/etcd/etcd-key.conf: the certificate settings. Besides pointing etcd at its certificate, key and CA, it sets --client-cert-auth and --peer-client-cert-auth. Without those two flags etcd serves TLS but never asks the other side for a certificate, so anyone who can reach port 2379 can read and write the whole keyspace, Kubernetes Secrets included.
/etc/etcd/etcd.conf: the cluster settings. The client listener is TLS on the node IP only. A plain http://127.0.0.1:2379 listener is a common convenience for local etcdctl use, but it bypasses TLS and client authentication for every local user and process; local etcdctl can use https://${NODE_IP}:2379 with the client certificate instead.

cat > /etc/etcd/etcd-key.conf <<EOF
ETCD_KEY='--cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem --peer-cert-file=/etc/etcd/ssl/etcd.pem --peer-key-file=/etc/etcd/ssl/etcd-key.pem --trusted-ca-file=/etc/etcd/ssl/ca.pem --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem --client-cert-auth --peer-client-cert-auth'
EOF
cat > /etc/etcd/etcd.conf <<EOF
ETCD_NAME='--name=${NODE_NAME}'
DATA_DIR='--data-dir=/var/lib/etcd'
INITIAL_CLUSTER_STATE='--initial-cluster-state=new'
INITIAL_CLUSTER_TOKEN='--initial-cluster-token=etcd-cluster-0'
INITIAL_ADVERTISE_PEER_URLS='--initial-advertise-peer-urls=https://${NODE_IP}:2380'
LISTEN_PEER_URLS='--listen-peer-urls=https://${NODE_IP}:2380'
LISTEN_CLIENT_URLS='--listen-client-urls=https://${NODE_IP}:2379'
ADVERTISE_CLIENT_URLS='--advertise-client-urls=https://${NODE_IP}:2379'
INITIAL_CLUSTER='--initial-cluster=${ETCD_NODES}'
EOF

Create /etc/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
EnvironmentFile=-/etc/etcd/etcd-key.conf
ExecStart=/usr/local/bin/etcd \
    $ETCD_NAME \
    $DATA_DIR \
    $INITIAL_CLUSTER_STATE \
    $INITIAL_CLUSTER_TOKEN \
    $INITIAL_ADVERTISE_PEER_URLS \
    $LISTEN_PEER_URLS \
    $LISTEN_CLIENT_URLS \
    $ADVERTISE_CLIENT_URLS \
    $INITIAL_CLUSTER \
    $ETCD_KEY

Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Parameter notes:
WorkingDirectory: the ETCD working directory (it must exist, see above)

Open ports 2379 and 2380
2379 is the client port and 2380 the peer port; if 2380 is blocked the members cannot reach each other and the cluster never forms. Opening both to every source is more than the cluster needs: restrict 2379 to the kube-apiserver hosts and 2380 to the three etcd peers (firewalld rich rules with a source address do this), because anything that can reach 2379 and present a certificate from this CA can read and modify the whole keyspace.

firewall-cmd --add-port=2379/tcp --permanent
firewall-cmd --add-port=2380/tcp --permanent
firewall-cmd --reload
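Before the first start it is worth auditing the two configuration files for the settings that decide who can talk to etcd. The script below is an added example, not from the original post; audit_etcd_conf is its own name. It flags a missing --client-cert-auth or --peer-client-cert-auth, any plain http:// listen or advertise URL, a 0.0.0.0 bind, and referenced PEM files that are absent or, for private keys, readable by other users. Run it on each node as audit_etcd_conf /etc/etcd/etcd.conf /etc/etcd/etcd-key.conf; no output and a zero exit status means the hardened settings are all present.

```shell
#!/bin/sh
# Added example (not from the original post): audit the etcd configuration files
# before the first "systemctl start etcd". Prints one FINDING per problem and
# returns 1; returns 0 with no output when the hardened settings are present.
audit_etcd_conf() {
  conf=$1 keyconf=$2
  all=$(cat "$conf" "$keyconf")
  rc=0

  finding() { echo "FINDING: $1"; rc=1; }
  has() { printf '%s\n' "$all" | grep -qE -- "$1"; }

  # Without --client-cert-auth etcd still serves TLS but never asks the client
  # for a certificate: whoever can reach 2379 reads every Kubernetes Secret.
  # "(=true)?([^=]|$)" accepts a bare flag or =true, rejects =false.
  has '--client-cert-auth(=true)?([^=]|$)' \
    || finding "--client-cert-auth missing: clients are not authenticated"
  has '--peer-client-cert-auth(=true)?([^=]|$)' \
    || finding "--peer-client-cert-auth missing: peer connections are not authenticated"

  # A plain http:// listen or advertise URL bypasses TLS and client auth
  # entirely, even on loopback: any local user or process could read and
  # write the store.
  ! has '--[a-z-]*-urls=[^'"'"']*http://' \
    || finding "plaintext http:// listen/advertise URL"

  # Binding to 0.0.0.0 exposes the API on every interface instead of the node IP.
  ! has 'https?://0\.0\.0\.0' \
    || finding "listening on 0.0.0.0 instead of the node IP"

  # Every PEM file the flags name must exist, and private keys must not be
  # readable by other users.
  for f in $(printf '%s\n' "$all" \
             | grep -oE -- '--[a-z-]*(cert|key|ca)-file=[^ '"'"']+' \
             | cut -d= -f2 | sort -u); do
    if [ ! -r "$f" ]; then
      finding "$f is referenced but does not exist or is unreadable"
    elif [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
      case $f in *-key.pem) finding "$f is world-readable" ;; esac
    fi
  done
  return $rc
}
```

The checks are deliberately textual: the files are never sourced, so a malformed or hostile configuration cannot execute anything during the audit.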

Start the etcd service
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd

Verify the ETCD service

 etcdctl \
  --endpoints=https://${NODE_IP}:2379  \
  --ca-file=/etc/etcd/ssl/ca.pem \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  cluster-health

If the following is returned, the ETCD cluster we configured is healthy (etcdctl in 3.2 defaults to the v2 API, hence --ca-file/--cert-file/--key-file; the v3 form of the same check is ETCDCTL_API=3 etcdctl with --cacert/--cert/--key and the endpoint health subcommand):

member 4f0deb6feb86262a is healthy: got healthy result from https://192.168.3.51:2379
member 88ccd3107db11e1e is healthy: got healthy result from https://192.168.3.50:2379
member a7363df6be39715b is healthy: got healthy result from https://192.168.3.52:2379
cluster is healthy
That completes the ETCD configuration. Before using ETCD in production, however, you also need backups.

ETCD backup

I will not belabour the importance of backups; suffice it to say that it is critical.
To understand etcd backup, first read the following:
https://github.com/coreos/etcd/blob/master/Documentation/v2/admin_guide.md#disaster-recovery

There are two ways to back up an ETCD cluster: the snapshot built into ETCD, and a volume snapshot.

The built-in snapshot is simple: run "etcdctl snapshot save", or copy member/snap/db directly (prefer the former; it produces a consistent snapshot from a running member). A snapshot contains the entire keyspace, including every Kubernetes Secret in clear, so store it with the same care as the private keys.

API v3 backup
For the cluster just created, the snapshot command is as follows. It writes a file named snapshotdb in the current directory; the status command then opens the file and shows its hash, revision, key count and size, which is the quickest way to confirm the snapshot is readable.

ETCDCTL_API=3  etcdctl \
     --endpoints=https://${NODE_IP}:2379 \
     --cacert=/etc/etcd/ssl/ca.pem \
     --cert=/etc/etcd/ssl/etcd.pem \
     --key=/etc/etcd/ssl/etcd-key.pem \
     snapshot save snapshotdb
ETCDCTL_API=3  etcdctl \
    --endpoints=https://${NODE_IP}:2379 \
    --cacert=/etc/etcd/ssl/ca.pem \
    --cert=/etc/etcd/ssl/etcd.pem \
    --key=/etc/etcd/ssl/etcd-key.pem \
    --write-out=table snapshot status snapshotdb

API v3 restore

A snapshot restore is an offline operation on a local file: it writes a fresh data directory and makes no connection, so the TLS flags (--cert-file and the like) do not apply and etcdctl rejects them here. Copy snapshotdb to every node, stop etcd on all three, move the old data directory aside, then run the restore on each node with that node's own --name and peer URL (https, matching the cluster configuration). The unit file starts etcd with --initial-cluster-state=new, so the restored directories form a new cluster when the service is started again; do not start any member until all three have been restored.

On yds-dev-svc01-etcd01:

systemctl stop etcd
mv /var/lib/etcd /var/lib/etcd.old
ETCDCTL_API=3 etcdctl snapshot restore snapshotdb \
  --name yds-dev-svc01-etcd01 \
  --data-dir /var/lib/etcd \
  --initial-cluster ${ETCD_NODES} \
  --initial-cluster-token etcd-cluster-0 \
  --initial-advertise-peer-urls https://192.168.3.50:2380

On yds-dev-svc01-etcd02:

systemctl stop etcd
mv /var/lib/etcd /var/lib/etcd.old
ETCDCTL_API=3 etcdctl snapshot restore snapshotdb \
  --name yds-dev-svc01-etcd02 \
  --data-dir /var/lib/etcd \
  --initial-cluster ${ETCD_NODES} \
  --initial-cluster-token etcd-cluster-0 \
  --initial-advertise-peer-urls https://192.168.3.51:2380

On yds-dev-svc01-etcd03:

systemctl stop etcd
mv /var/lib/etcd /var/lib/etcd.old
ETCDCTL_API=3 etcdctl snapshot restore snapshotdb \
  --name yds-dev-svc01-etcd03 \
  --data-dir /var/lib/etcd \
  --initial-cluster ${ETCD_NODES} \
  --initial-cluster-token etcd-cluster-0 \
  --initial-advertise-peer-urls https://192.168.3.52:2380

Then start etcd on all three nodes and repeat the cluster-health check:

systemctl start etcd

API v2 backup
Backup command:

etcdctl backup --data-dir /var/lib/etcd --backup-dir /tmp/etcd_backup

Restore:

etcd -data-dir=/tmp/etcd_backup -force-new-cluster

Note that this v2 command backs up the v2 keyspace; Kubernetes 1.9 stores its objects in the v3 keyspace by default, so use the v3 snapshot above for cluster data. -force-new-cluster starts a single-member cluster from the backup directory; the other members are added back afterwards with etcdctl member add.

Not yet written: ETCD monitoring and ETCD tuning. These two parts will be written once the whole series is complete.

If there are problems with the configuration above, please leave a comment and I will fix it promptly. Thanks, everyone.


Created at: 2019-04-16 10:30:35