From 2211e3aed993d1976814f6f5f38d42a9287a785e Mon Sep 17 00:00:00 2001 From: jmgao Date: Thu, 30 Nov 2017 22:23:19 +0800 Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B002-=E5=AE=89=E8=A3=85etcd?= =?UTF-8?q?=E9=9B=86=E7=BE=A4.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 5 +- docs/01-创建CA证书和环境配置.md | 2 +- docs/02-安装etcd集群.md | 125 +++++++++++++++++++++++ roles/etcd/tasks/.main.yml.swp | Bin 0 -> 12288 bytes 4 files changed, 129 insertions(+), 3 deletions(-) create mode 100644 roles/etcd/tasks/.main.yml.swp diff --git a/README.md b/README.md index a7d2187..aec8414 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,8 @@ 文档基于`Ubuntu 16.04`,其他系统如`CentOS 7`需要读者自行替换部分命令;由于使用经验有限和简化脚本考虑,已经尽量避免`ansible-playbook`的高级特性和复杂逻辑。 +你可能需要掌握基本`kubernetes` `docker` `linux shell` 知识,关于`ansible`建议阅读 [ansible超快入门](http://weiweidefeng.blog.51cto.com/1957995/1895261) 基本够用。 + 欢迎提`Issues`和`PRs`参与维护项目。 ## 组件版本 @@ -40,7 +42,6 @@ 1. 建议阅读 [feisky.gitbooks](https://feisky.gitbooks.io/kubernetes/) 原理和部署章节。 1. 建议阅读 [opsnull教程](https://github.com/opsnull/follow-me-install-kubernetes-cluster) 二进制手工部署。 -1. 建议阅读 [ansible超快入门](http://weiweidefeng.blog.51cto.com/1957995/1895261) 基本够用。 ## 版权 @@ -48,6 +49,6 @@ Copyright 2017 gjmzj (jmgaozz@163.com) Apache License 2.0,详情见 [LICENSE](LICENSE) 文件。 -如果你觉得这份文档对你有帮助,请支付宝扫描下方的二维码进行捐赠,谢谢! +如果觉得这份文档对你有帮助,请支付宝扫描下方的二维码进行捐赠,谢谢! ![donate](./pics/alipay.png) diff --git a/docs/01-创建CA证书和环境配置.md b/docs/01-创建CA证书和环境配置.md index 36603dc..8c3c18a 100644 --- a/docs/01-创建CA证书和环境配置.md +++ b/docs/01-创建CA证书和环境配置.md @@ -60,7 +60,7 @@ kubernetes 系统各组件需要使用 TLS 证书对通信进行加密,使用 #### 生成CA 证书和私钥 ``` bash -cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert -initca ca-csr.json | {{ bin_dir }}/cfssljson -bare ca +cfssl gencert -initca ca-csr.json | cfssljson -bare ca ``` + 注意整个集群只能有一个CA证书和配置文件,所以下一步要分发给每一个节点,包括calico/node也需要使用 diff --git a/docs/02-安装etcd集群.md b/docs/02-安装etcd集群.md index 3ac1e9d..b458a70 100644 --- a/docs/02-安装etcd集群.md 
+++ b/docs/02-安装etcd集群.md 
@@ -1 +1,126 @@ ## 02-安装etcd集群.md + +``` bash +roles/etcd +├── tasks +│   └── main.yml +└── templates + ├── etcd-csr.json.j2 + └── etcd.service.j2 +``` +kuberntes 系统使用 etcd 存储所有数据,是最重要的组件之一,注意 etcd集群只能有奇数个节点(1,3,5...),本文档使用3个节点做集群。 + +按照[roles/etcd/tasks/main.yml](../roles/etcd/tasks/main.yml) 下载etcd/etcdctl 二进制文件、创建证书目录 + +### 创建etcd证书请求 [etcd-csr.json.j2](../roles/etcd/templates/etcd-csr.json.j2) + +``` bash +{ + "CN": "etcd", + "hosts": [ + "127.0.0.1", + "{{ NODE_IP }}" + ], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "CN", + "ST": "HangZhou", + "L": "XS", + "O": "k8s", + "OU": "System" + } + ] +} +``` ++ hosts 字段指定授权使用该证书的 etcd 节点 IP + +### 创建证书和私钥 + +``` bash +cd /etc/etcd/ssl && {{ bin_dir }}/cfssl gencert \ + -ca={{ ca_dir }}/ca.pem \ + -ca-key={{ ca_dir }}/ca-key.pem \ + -config={{ ca_dir }}/ca-config.json \ + -profile=kubernetes etcd-csr.json | {{ bin_dir }}/cfssljson -bare etcd +``` ++ 因为证书是在**etcd**节点生成的,所以要用ansible 模块`fetch` 把证书传送到**deploy**节点,以便后续再通过**deploy**节点传送到**calico/node**节点 + +### 创建etcd 服务文件 [etcd.service.j2](../roles/etcd/templates/etcd.service.j2) + +先创建工作目录 /var/lib/etcd/ + +``` bash +[Unit] +Description=Etcd Server +After=network.target +After=network-online.target +Wants=network-online.target +Documentation=https://github.com/coreos + +[Service] +Type=notify +WorkingDirectory=/var/lib/etcd/ +ExecStart={{ bin_dir }}/etcd \ + --name={{ NODE_NAME }} \ + --cert-file=/etc/etcd/ssl/etcd.pem \ + --key-file=/etc/etcd/ssl/etcd-key.pem \ + --peer-cert-file=/etc/etcd/ssl/etcd.pem \ + --peer-key-file=/etc/etcd/ssl/etcd-key.pem \ + --trusted-ca-file={{ ca_dir }}/ca.pem \ + --peer-trusted-ca-file={{ ca_dir }}/ca.pem \ + --initial-advertise-peer-urls=https://{{ NODE_IP }}:2380 \ + --listen-peer-urls=https://{{ NODE_IP }}:2380 \ + --listen-client-urls=https://{{ NODE_IP }}:2379,http://127.0.0.1:2379 \ + --advertise-client-urls=https://{{ NODE_IP }}:2379 \ + --initial-cluster-token=etcd-cluster-0 \ + --initial-cluster={{ 
ETCD_NODES }} \ + --initial-cluster-state=new \ + --data-dir=/var/lib/etcd +Restart=on-failure +RestartSec=5 +LimitNOFILE=65536 + +[Install] +WantedBy=multi-user.target +``` ++ 完整参数列表请使用 `etcd --help` 查询 ++ 注意{{ }} 中的参数与ansible hosts文件中设置对应 ++ 为了保证通信安全,需要指定 etcd 的公私钥(cert-file和key-file)、Peers 通信的公私钥和 CA 证书(peer-cert-file、peer-key-file、peer-trusted-ca-file)、客户端的CA证书(trusted-ca-file); ++ `--initial-cluster-state` 值为 `new` 时,`--name` 的参数值必须位于 `--initial-cluster` 列表中; + +### 启动etcd服务 + +``` bash +systemctl daemon-reload && systemctl enable etcd && systemctl start etcd +``` + +### 验证etcd集群状态 + ++ systemctl status etcd 查看服务状态 ++ journalctl -u etcd 查看运行日志 + +部署完 etcd 集群后,在任一 etcd 集群节点上执行如下命令: + +``` bash +# 根据hosts中配置设置shell变量 $NODE_IPS +export NODE_IPS="192.168.1.1 192.168.1.2 192.168.1.3" +$ for ip in ${NODE_IPS}; do + ETCDCTL_API=3 /root/local/bin/etcdctl \ + --endpoints=https://${ip}:2379 \ + --cacert=/etc/kubernetes/ssl/ca.pem \ + --cert=/etc/etcd/ssl/etcd.pem \ + --key=/etc/etcd/ssl/etcd-key.pem \ + endpoint health; done +``` +预期结果: + +``` text +https://192.168.1.1:2379 is healthy: successfully committed proposal: took = 2.210885ms +https://192.168.1.2:2379 is healthy: successfully committed proposal: took = 2.784043ms +https://192.168.1.3:2379 is healthy: successfully committed proposal: took = 3.275709ms +``` +三台 etcd 的输出均为 healthy 时表示集群服务正常。 
diff --git a/roles/etcd/tasks/.main.yml.swp b/roles/etcd/tasks/.main.yml.swp new file mode 100644 index 0000000000000000000000000000000000000000..fba0801e280a98d8b148861abdeeb2c0a34c604c GIT binary patch literal 12288 zcmeI2J7^R^7{^B&-w(91P{s&?#oi`95D(S|XknpN3Q8c%?ap~?_I8h*jdJ)x5e=I7 z2pZJbSoo+6HbxUq!A@JPEG*vs!GYmYbbdO_3 zLUk*%C|o~NE_#0zij0T=5%^~Ui`a(s9qrm}P1|a|eA)hgjzA7XfCvx)B0vO)01+Sp zM1Tm)Tmn&P7CVjfXV*(G>(^P6uJv2G5CI}U1c(3;AOb{y2oM1xKm>>Y5g-CHkbrO) zdo_=-+w+k;{{L_M{{OH9X91v7P!Hrn1!y<43R($$U(DEZXbidubwXKaDfDp>V*}7N zCW5rtE7T5sTfo>?=sh$HJ%Y|d+o5gHI%qC52l|Y>-$8Go zQApQu3!+8@hyW2F0z`la5CI}E(+F^`3exkkT$NQMi+1GkP^w6T5!a_inZbQglv)1i zLVtX9Sa*%z>5nhoWo!yh=?fe>ZFNlhj3n4pK8}#Zz&Aqa1^AZScwB2Q{E%D86A>~| zp>64C870G`t}Qc1)^i6bTgk!Kv<$~gugS^RhG8>!+&dJHjp`T^x6jobc#rQ!tX#I@Ga(^s{{L zzMZ?e_U_oTi@OTx=3QSpT=>o}1D3_xbW$B{@IneGH_OXXC3m{QEKf>oJ=<#w&$RHuOiqZ9_3oz>lwlc6sosgm_;*ec8%QGw4-@Z-mM&h@)6>HOqL z)6RovGGgRJn6CD8#*%n;;OE`L7JO{cbP-0{okr|r+EO>e78?0)*7d34EtZq5k^;3w zeFwMMPP#xE)6Unfoho;JSo*fa2JdXHfOJPBh1Z79RG;0C2l^%+ocT0xPtW-8d#_2S zb@MeIoUXS9!AVciM(IOp!z1I5&raTM7*G85!u^ZwmWKMd-HfCPyvLAu`WYXNxly6Z zMI9=OJ3ATzp literal 0 HcmV?d00001
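Review bot: The new file roles/etcd/tasks/.main.yml.swp is, by its dot-prefixed `.swp` name, almost certainly a Vim swap file that was staged by accident next to the documentation changes; the diffstat records it as a 12288-byte binary (`Bin 0 -> 12288 bytes`) and nothing in the commit message refers to it. Editor swap files hold a snapshot of the buffer being edited, so merging this one may expose a draft of roles/etcd/tasks/main.yml (and whatever was typed into it at the time) to everyone who clones the repository, and it will also trigger stale-swap warnings for contributors who open that task file in Vim. I would drop it from the commit with `git rm --cached roles/etcd/tasks/.main.yml.swp` and add an `*.swp` entry to the repository's .gitignore so the same artifact cannot be committed again.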