Two things need attention when installing etcd: 1. the systemd unit file; 2. the certificates.
1. The systemd part. To run a specific etcd version (the shell below is sitting in the v3.3.13 binary release directory), install etcd with yum first: the package ships a systemd unit and an etcd.conf that serve as templates for the binary you actually deploy.
# rpm -ql etcd
/etc/etcd
/etc/etcd/etcd.conf
/usr/bin/etcd
/usr/bin/etcdctl
/usr/lib/systemd/system/etcd.service
/usr/share/doc/etcd-3.3.11
/usr/share/doc/etcd-3.3.11/CHANGELOG.md
...
/usr/share/man/man1/etcdctl3.1.gz
/var/lib/etcd
------------------------------------------------------------------------------------
# cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
User=etcd
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"$ETCD_NAME\" --data-dir=\"$ETCD_DATA_DIR\" --listen-client-urls=\"$ETCD_LISTEN_CLIENT_URLS\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

# cat /etc/etcd/etcd.conf
#[Member]
#ETCD_CORS=""
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_WAL_DIR=""
#ETCD_LISTEN_PEER_URLS="http://localhost:2380"
ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
ETCD_NAME="default"
#ETCD_SNAPSHOT_COUNT="100000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
#ETCD_QUOTA_BACKEND_BYTES="0"
#ETCD_MAX_REQUEST_BYTES="1572864"
#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"
#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"
#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
#
#[Clustering]
#ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_DISCOVERY_SRV=""
#ETCD_INITIAL_CLUSTER="default=http://localhost:2380"
#ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="new"
#ETCD_STRICT_RECONFIG_CHECK="true"
#ETCD_ENABLE_V2="true"
#
#[Proxy]
#ETCD_PROXY="off"
#ETCD_PROXY_FAILURE_WAIT="5000"
#ETCD_PROXY_REFRESH_INTERVAL="30000"
#ETCD_PROXY_DIAL_TIMEOUT="1000"
#ETCD_PROXY_WRITE_TIMEOUT="5000"
#ETCD_PROXY_READ_TIMEOUT="0"
#
#[Security]
#ETCD_CERT_FILE=""
#ETCD_KEY_FILE=""
#ETCD_CLIENT_CERT_AUTH="false"
#ETCD_TRUSTED_CA_FILE=""
#ETCD_AUTO_TLS="false"
#ETCD_PEER_CERT_FILE=""
#ETCD_PEER_KEY_FILE=""
#ETCD_PEER_CLIENT_CERT_AUTH="false"
#ETCD_PEER_TRUSTED_CA_FILE=""
#ETCD_PEER_AUTO_TLS="false"
#
#[Logging]
#ETCD_DEBUG="false"
#ETCD_LOG_PACKAGE_LEVELS=""
#ETCD_LOG_OUTPUT="default"
#
#[Unsafe]
#ETCD_FORCE_NEW_CLUSTER="false"
#
#[Version]
#ETCD_VERSION="false"
#ETCD_AUTO_COMPACTION_RETENTION="0"
#
#[Profiling]
#ETCD_ENABLE_PPROF="false"
#ETCD_METRICS="basic"
#
#[Auth]
#ETCD_AUTH_TOKEN="simple"

Two things to read off the template before reusing it. First, the stock etcd.conf is a single-node, plaintext configuration: the client URL is http://localhost:2379, the peer URL is commented out, and the entire [Security] section is commented out, so nothing is encrypted and no client is authenticated. Second, the ExecStart line only passes --name, --data-dir and --listen-client-urls as flags, but etcd reads every ETCD_* variable from its environment, and EnvironmentFile puts all of them there; the remaining settings (peer URLs, cluster membership, the [Security] paths) therefore take effect simply by uncommenting them in etcd.conf. The unit runs etcd as User=etcd, which matters for the key files generated in step 2.
2. The certificate part
Download cfssl and cfssljson (R1.2 is an old build; current releases are published at https://github.com/cloudflare/cfssl/releases). The downloaded files need the execute bit before they will run, and nothing in this step verifies what was fetched, so compare the files against the checksums published for the release before moving them into /bin:

curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o cfssl_linux-amd64
curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o cfssljson_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64
mv cfssl_linux-amd64 /bin/cfssl
mv cfssljson_linux-amd64 /bin/cfssljson

(After the move the tools are simply cfssl and cfssljson; the transcript below still invokes the downloaded file as ./cfssl_linux-amd64.)
-------------------------------------------------------------------------
Generate the root CA

# cat ca-config.json
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "175200h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      },
      "etcd": {
        "expiry": "175200h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}

# cat ca-csr.json
{
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "cnpc",
      "OU": "RF"
    }
  ]
}

The two profiles are identical, and both carry server auth and client auth, so one certificate issued under the etcd profile can serve the client port and the peer port alike. 175200h is 20 years; a leaf certificate that never expires is one nobody rotates, so give the profiles a shorter expiry than the CA.

-----------------------------------------------------------------------
# ./cfssl_linux-amd64 gencert --initca ca-csr.json | cfssljson --bare ca
2019/05/14 04:46:17 [INFO] generating a new CA key and certificate from CSR
2019/05/14 04:46:17 [INFO] generate received request
2019/05/14 04:46:17 [INFO] received CSR
2019/05/14 04:46:17 [INFO] generating key: rsa-2048
2019/05/14 04:46:17 [INFO] encoded CSR
2019/05/14 04:46:17 [INFO] signed certificate with serial number 542129512178184951176207072980197727070484397354
# ls ca* -l
-rw-r--r-- 1 root root  640 May 14 03:52 ca-config.json
-rw-r--r-- 1 root root  968 May 14 04:46 ca.csr
-rw-r--r-- 1 root root  237 May 14 04:45 ca-csr.json
-rw------- 1 root root 1679 May 14 04:46 ca-key.pem
-rw-r--r-- 1 root root 1294 May 14 04:46 ca.pem

ca-key.pem is the one file that must never leave the signing host; only ca.pem is copied to the etcd members.
------------------------------------------------------------------------
Generate the cluster (server/peer) certificate

# cat etcd-csr.json
{
  "CN": "etcd-server",
  "hosts": [
    "localhost",
    "0.0.0.0",
    "127.0.0.1",
    "192.168.141.135",
    "192.168.141.136",
    "192.168.141.137"
  ],
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "cnpc",
      "OU": "RF"
    }
  ]
}
# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
2019/05/14 04:55:19 [INFO] generate received request
2019/05/14 04:55:19 [INFO] received CSR
2019/05/14 04:55:19 [INFO] generating key: rsa-4096
2019/05/14 04:55:23 [INFO] encoded CSR
2019/05/14 04:55:23 [INFO] signed certificate with serial number 246077356353194423743124239784275664122753186375
2019/05/14 04:55:23 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").

The hosts list is what TLS verification will match against: every member address and 127.0.0.1 must be in it, because a member whose address is missing will be rejected by every client and peer that verifies the certificate. "0.0.0.0" is a bind address, not something a client connects to, and contributes nothing. The warning printed by cfssl refers to the -hostname command-line option, which was not given; it does not by itself mean the hosts from etcd-csr.json were dropped, but do not take that on trust: run openssl x509 -noout -text on etcd.pem and confirm the Subject Alternative Name extension lists the three node IPs before copying it anywhere. (The 4096-bit leaf key buys nothing beyond the 2048-bit CA key that signs it, but it is harmless.)
-------------------------------------------------------------------------
Client certificate for accessing etcd (optional)

# cat etcd-client-csr.json
{
  "CN": "etcd-client",
  "hosts": [
    ""
  ],
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "cnpc",
      "OU": "RF"
    }
  ]
}
# ./cfssl_linux-amd64 gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-client-csr.json | cfssljson -bare etcd-client
2019/05/14 04:58:46 [INFO] generate received request
2019/05/14 04:58:46 [INFO] received CSR
2019/05/14 04:58:46 [INFO] generating key: rsa-4096
2019/05/14 04:58:48 [INFO] encoded CSR
2019/05/14 04:58:48 [INFO] signed certificate with serial number 627937418614823301041449342112313001983243456545
2019/05/14 04:58:48 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
# ls etcd-client* -l
-rw-r--r-- 1 root root 1732 May 14 04:58 etcd-client.csr
-rw-r--r-- 1 root root  230 May 14 03:56 etcd-client-csr.json
-rw------- 1 root root 3247 May 14 04:58 etcd-client-key.pem
-rw-r--r-- 1 root root 1724 May 14 04:58 etcd-client.pem

For a client certificate the warning is expected: etcd identifies the client by the certificate's CN (which becomes the user name once etcd RBAC is enabled), not by a SAN, so hosts can simply be left empty. It is optional only as long as ETCD_CLIENT_CERT_AUTH stays off; the moment the server requires client certificates, etcdctl and the API server need one like this.
------------------------------------
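The three JSON documents above are easy to get subtly wrong, and cfssl signs whatever it is given. The following is an added example, not part of the original post and not cfssl's own code: it is a stdlib-only pre-flight check over the same ca-config.json, etcd-csr.json and etcd-client-csr.json contents (embedded here as constructed copies of the listings), catching a profile name that does not exist, a leaf lifetime nobody will rotate, a server SAN list that misses a member or carries an address that can never match, and an empty-string host on the client request. The member list ETCD_NODES and the 5-year ceiling MAX_LEAF_HOURS are assumptions.

```python
"""Pre-flight checks for cfssl inputs (added example; not from the post or cfssl)."""
import ipaddress
import json
import re

# Constructed from the listings above: the post's ca-config.json.
CA_CONFIG = json.loads("""{
  "signing": {
    "default": {"expiry": "175200h"},
    "profiles": {
      "kubernetes": {"expiry": "175200h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]},
      "etcd": {"expiry": "175200h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]}
    }
  }
}""")
# Constructed from the listings above: etcd-csr.json and etcd-client-csr.json.
SERVER_CSR = json.loads("""{
  "CN": "etcd-server",
  "hosts": ["localhost", "0.0.0.0", "127.0.0.1",
            "192.168.141.135", "192.168.141.136", "192.168.141.137"],
  "key": {"algo": "rsa", "size": 4096},
  "names": [{"C": "CN", "L": "Beijing", "ST": "Beijing", "O": "cnpc", "OU": "RF"}]
}""")
CLIENT_CSR = json.loads("""{
  "CN": "etcd-client",
  "hosts": [""],
  "key": {"algo": "rsa", "size": 4096},
  "names": [{"C": "CN", "L": "Beijing", "ST": "Beijing", "O": "cnpc", "OU": "RF"}]
}""")

# Assumptions: the members that must appear in the server SAN list, and a
# 5-year ceiling on leaf lifetimes (the post's 175200h is 20 years).
ETCD_NODES = ["192.168.141.135", "192.168.141.136", "192.168.141.137"]
MAX_LEAF_HOURS = 5 * 365 * 24
_DUR = re.compile(r"(\d+)([hms])")


def expiry_hours(expiry):
    """Convert a cfssl/Go duration such as '175200h' or '8760h30m' to hours."""
    scale = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}
    total, pos = 0.0, 0
    for m in _DUR.finditer(expiry):
        if m.start() != pos:
            raise ValueError("bad duration: %r" % expiry)
        total += int(m.group(1)) * scale[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(expiry):
        raise ValueError("bad duration: %r" % expiry)
    return total


def check_profile(ca_config, profile, needed_usages):
    """Problems with the signing profile that `gencert -profile` selects."""
    profiles = ca_config.get("signing", {}).get("profiles", {})
    if profile not in profiles:
        return ["profile %r is not defined in ca-config.json" % profile]
    problems = []
    usages = set(profiles[profile].get("usages", []))
    for u in needed_usages:
        if u not in usages:
            problems.append("profile %r lacks usage %r" % (profile, u))
    expiry = profiles[profile].get("expiry") or ca_config["signing"]["default"]["expiry"]
    if expiry_hours(expiry) > MAX_LEAF_HOURS:
        problems.append("profile %r expiry %s exceeds %d h" % (profile, expiry, MAX_LEAF_HOURS))
    return problems


def check_server_csr(csr, nodes):
    """Problems with the SAN list of a server/peer certificate request."""
    problems = []
    hosts = csr.get("hosts", [])
    for h in hosts:
        if h == "":
            problems.append("empty string in hosts becomes an empty SAN entry")
            continue
        try:
            ip = ipaddress.ip_address(h)
        except ValueError:
            continue  # a DNS name such as localhost; nothing more to check here
        if ip.is_unspecified:  # 0.0.0.0 / :: are bind addresses, never a peer address
            problems.append("%s in hosts can never match a peer address" % h)
    for n in nodes:
        if n not in hosts:
            problems.append("node %s missing from hosts; clients will reject the cert for it" % n)
    if csr.get("key", {}).get("algo") == "rsa" and csr["key"].get("size", 0) < 2048:
        problems.append("RSA key shorter than 2048 bits")
    return problems


def check_client_csr(csr):
    """A client certificate is identified by its CN; it needs no SAN at all."""
    problems = []
    if "" in csr.get("hosts", []):
        problems.append("empty string in hosts; use [] or omit hosts for a client cert")
    if not csr.get("CN"):
        problems.append("client cert needs a CN (etcd uses it as the user name)")
    return problems
```

Run it before `cfssl gencert`; on the post's own inputs it reports the 20-year leaf expiry, the 0.0.0.0 entry, and the empty-string host on the client request, and it returns nothing for a profile name that was mistyped except the fact that the profile does not exist, which is exactly the case cfssl itself would otherwise fall back from silently.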
3. Edit the configuration file and start etcd
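This step is where the template from step 1 and the certificates from step 2 meet, and the page stops at the heading. What follows is an added example, not the post's own etcd.conf: `render_etcd_conf()` produces the etcd.conf for one member with TLS on both the client and the peer port, client certificates required on both, and the etcd.pem/etcd-key.pem/ca.pem files from step 2 (etcd.pem carries server auth and client auth under the post's profile, so it doubles as the peer certificate); `audit_etcd_conf()` is the check to run over any etcd.conf before `systemctl start etcd`, shown here against both the rendered file and a constructed copy of the stock template's active lines. The member names, the /etc/etcd/ssl directory and the cluster token are assumptions. Remember that the unit runs etcd as User=etcd, so etcd-key.pem under that directory must be owned by etcd and mode 0600, and ca-key.pem is never copied to a member at all.

```python
"""Hardened etcd.conf plus a pre-start audit (added example; not the post's file)."""

# Assumptions (not from the post): member names, the directory the certs are
# copied to, and the cluster token.  The addresses are the SAN list from step 2.
MEMBERS = {
    "etcd-1": "192.168.141.135",
    "etcd-2": "192.168.141.136",
    "etcd-3": "192.168.141.137",
}
SSL_DIR = "/etc/etcd/ssl"

# Constructed from the yum template in step 1: its active lines plus two of the
# commented-out [Security] lines, to show that commented lines contribute nothing.
DEFAULT_CONF = """\
#[Member]
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
ETCD_NAME="default"
#[Clustering]
ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
#[Security]
#ETCD_CERT_FILE=""
#ETCD_CLIENT_CERT_AUTH="false"
"""

URL_KEYS = ("ETCD_LISTEN_CLIENT_URLS", "ETCD_LISTEN_PEER_URLS",
            "ETCD_ADVERTISE_CLIENT_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS")


def render_etcd_conf(name, members=MEMBERS, ssl_dir=SSL_DIR, token="etcd-cluster-0"):
    """Return /etc/etcd/etcd.conf for member `name`: https on both ports, client
    certificates required on both, certs from step 2 (etcd.pem also serves as
    the peer cert because the profile grants server auth and client auth)."""
    ip = members[name]
    initial_cluster = ",".join("%s=https://%s:2380" % (n, a) for n, a in members.items())
    lines = [
        "#[Member]",
        'ETCD_NAME="%s"' % name,
        'ETCD_DATA_DIR="/var/lib/etcd/default.etcd"',
        'ETCD_LISTEN_PEER_URLS="https://%s:2380"' % ip,
        # bind the node address and loopback, not 0.0.0.0, and never plain http
        'ETCD_LISTEN_CLIENT_URLS="https://%s:2379,https://127.0.0.1:2379"' % ip,
        "#[Clustering]",
        'ETCD_INITIAL_ADVERTISE_PEER_URLS="https://%s:2380"' % ip,
        'ETCD_ADVERTISE_CLIENT_URLS="https://%s:2379"' % ip,
        'ETCD_INITIAL_CLUSTER="%s"' % initial_cluster,
        'ETCD_INITIAL_CLUSTER_TOKEN="%s"' % token,
        'ETCD_INITIAL_CLUSTER_STATE="new"',
        "#[Security]",
        'ETCD_CERT_FILE="%s/etcd.pem"' % ssl_dir,
        'ETCD_KEY_FILE="%s/etcd-key.pem"' % ssl_dir,
        'ETCD_CLIENT_CERT_AUTH="true"',
        'ETCD_TRUSTED_CA_FILE="%s/ca.pem"' % ssl_dir,
        'ETCD_PEER_CERT_FILE="%s/etcd.pem"' % ssl_dir,
        'ETCD_PEER_KEY_FILE="%s/etcd-key.pem"' % ssl_dir,
        'ETCD_PEER_CLIENT_CERT_AUTH="true"',
        'ETCD_PEER_TRUSTED_CA_FILE="%s/ca.pem"' % ssl_dir,
    ]
    return "\n".join(lines) + "\n"


def parse_etcd_conf(text):
    """Parse KEY="value" lines; commented-out keys are skipped, as etcd skips them."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def audit_etcd_conf(text):
    """Return the findings to raise against an etcd.conf before starting etcd."""
    conf = parse_etcd_conf(text)
    findings = []
    for key in URL_KEYS:
        for url in filter(None, conf.get(key, "").split(",")):
            if not url.startswith("https://"):
                findings.append("%s: %s is not https" % (key, url))
    for side, prefix in (("client", ""), ("peer", "PEER_")):
        if conf.get("ETCD_%sCLIENT_CERT_AUTH" % prefix) != "true":
            findings.append("ETCD_%sCLIENT_CERT_AUTH is not true: the %s port does not "
                            "require a client certificate" % (prefix, side))
        for suffix in ("CERT_FILE", "KEY_FILE", "TRUSTED_CA_FILE"):
            if not conf.get("ETCD_%s%s" % (prefix, suffix)):
                findings.append("ETCD_%s%s is unset" % (prefix, suffix))
        if conf.get("ETCD_%sAUTO_TLS" % prefix) == "true":
            findings.append("ETCD_%sAUTO_TLS is true: self-signed certs that nothing verifies" % prefix)
    return findings
```

Write `render_etcd_conf("etcd-1")` to /etc/etcd/etcd.conf on the first member (and the other two names on theirs), keep the yum unit from step 1 as it is, and only then `systemctl start etcd`. With ETCD_CLIENT_CERT_AUTH on, etcdctl on the node itself also needs a certificate: that is what the optional etcd-client.pem from step 2 is for.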