Installing CoreOS on ESXi (first edition)

Download the VMware build of CoreOS:
https://stable.release.core-os.net/amd64-usr/current/coreos_production_vmware_ova.ova
Log in to http://ESXI-IP (mine is the 6.7 trial). Create a virtual machine, choose "Deploy a virtual machine from an OVF or OVA file" as the creation type, and on the next step select the OVA image downloaded above.
Start the VM from ESXi. While it boots, press e, append coreos.autologin to the end of the last line (the core user is then logged in automatically), and press Ctrl+x or F10 to boot. One trick here: when the VM is first started, the console window in the web UI has not fully appeared yet, so the boot is well under way before you get a chance to press e. Let it finish booting, then use the "Actions" menu in the upper right, "Guest OS", "Restart"; with the console window already open you can press e in time.
Once in the system, set passwords with sudo passwd core and sudo passwd root; after that you can log in remotely over SSH (for anything beyond a lab, prefer SSH keys to passwords).

Switch to the root user:
su - root
Set the time zone:
timedatectl set-timezone Asia/Shanghai # set the time zone to Shanghai
Set the hostname:
hostnamectl set-hostname core1
reboot # be sure to reboot; otherwise the members all end up with the same ID when the etcd cluster is configured and the cluster cannot form

Configure a static IP:
vi /etc/systemd/network/static.network

[Match]
Name=ens192

[Network]
Address=10.3.8.101/24
Gateway=10.3.8.254
DNS=10.1.4.80

Restart networking:
systemctl restart systemd-networkd

Configure hostname resolution for the cluster members:
vi /etc/hosts
10.3.8.101 core1
10.3.8.102 core2
10.3.8.103 core3

The etcd service on CoreOS is etcd-member.service, which is not started by default. We need to modify this service to add the cluster configuration. Copy /usr/lib/systemd/system/etcd-member.service to /etc/systemd/system/ (a unit there overrides the one under /usr/lib) and edit the copy. Since the stock unit passes $ETCD_OPTS to etcd-wrapper, a drop-in under /etc/systemd/system/etcd-member.service.d/ that sets Environment="ETCD_OPTS=..." is an alternative that leaves the stock unit untouched; this post edits the copied unit.
sudo cp /usr/lib/systemd/system/etcd-member.service /etc/systemd/system/
sudo vi /etc/systemd/system/etcd-member.service and change the ExecStart line as follows:

ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \
  --name="my-etcd-1" \
  --listen-peer-urls="http://0.0.0.0:2380" \
  --listen-client-urls="http://10.3.8.101:2379,http://127.0.0.1:2379" \
  --initial-advertise-peer-urls="http://10.3.8.101:2380" \
  --initial-cluster="my-etcd-1=http://10.3.8.101:2380,my-etcd-2=http://10.3.8.102:2380,my-etcd-3=http://10.3.8.103:2380" \
  --initial-cluster-state="new" \
  --initial-cluster-token="my-etcd-token" \
  --advertise-client-urls="http://10.3.8.101:2379"

Note that the value of --name must match the name used in the corresponding --initial-cluster entry, and etcd also refuses to start unless --initial-advertise-peer-urls equals the URL given for that name in --initial-cluster.

Create the symlink so the service is started at boot (systemctl enable etcd-member creates the same link):
ln -s /etc/systemd/system/etcd-member.service /etc/systemd/system/multi-user.target.wants/
ls -l /etc/systemd/system/multi-user.target.wants/
total 12
lrwxrwxrwx. 1 root root 39 Mar 2 18:26 etcd-member.service -> /etc/systemd/system/etcd-member.service
lrwxrwxrwx. 1 root root 41 Mar 2 14:59 oem-cloudinit.service -> /etc/systemd/system/oem-cloudinit.service
lrwxrwxrwx. 1 root root 36 Mar 2 14:59 vmtoolsd.service -> /etc/systemd/system/vmtoolsd.service

Make the same changes to etcd-member.service on the other two members, substituting their own --name and IP addresses. Note that the configurations below bind client traffic only to the node's own IP; add http://127.0.0.1:2379 to --listen-client-urls, as on core1, if you want to run etcdctl locally without --endpoints.
Member core2:

  --name="my-etcd-2" \
  --listen-peer-urls="http://0.0.0.0:2380" \
  --listen-client-urls="http://10.3.8.102:2379" \
  --initial-advertise-peer-urls="http://10.3.8.102:2380" \
  --initial-cluster="my-etcd-1=http://10.3.8.101:2380,my-etcd-2=http://10.3.8.102:2380,my-etcd-3=http://10.3.8.103:2380" \
  --initial-cluster-state="new" \
  --initial-cluster-token="my-etcd-token" \
  --advertise-client-urls="http://10.3.8.102:2379"

Member core3:

  --name="my-etcd-3" \
  --listen-peer-urls="http://0.0.0.0:2380" \
  --listen-client-urls="http://10.3.8.103:2379" \
  --initial-advertise-peer-urls="http://10.3.8.103:2380" \
  --initial-cluster="my-etcd-1=http://10.3.8.101:2380,my-etcd-2=http://10.3.8.102:2380,my-etcd-3=http://10.3.8.103:2380" \
  --initial-cluster-state="new" \
  --initial-cluster-token="my-etcd-token" \
  --advertise-client-urls="http://10.3.8.103:2379"

Once all three are ready, start the service on each in turn:
systemctl daemon-reload
systemctl start etcd-member
Note that the first node tries to reach the other two when it starts; if they are not started, the first node's service start blocks waiting for them, because a new cluster needs a quorum (two of three members) to elect a leader before etcd reports ready. Bring the other members up promptly.
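The per-node flags above differ only in --name and IP, and a mismatch between --name, --initial-cluster and --initial-advertise-peer-urls is the usual reason a member refuses to start. The script below is an added example, not code from the original post: it generates the flags for any member from one node list (the page's three addresses, used here as constructed input), checks the name/URL consistency, and can write the result as a drop-in that overrides ETCD_OPTS, relying on the stock unit's ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS shown above. The SCHEME argument lets the same script produce the https variant used later.

```sh
#!/bin/sh
# Added example: generate and validate etcd member flags for the static
# three-node cluster from the post.  Node list and token are the page's values.
ETCD_NODES="my-etcd-1=10.3.8.101 my-etcd-2=10.3.8.102 my-etcd-3=10.3.8.103"
ETCD_TOKEN="my-etcd-token"

# initial_cluster SCHEME -> "name=SCHEME://ip:2380,..." for every node
initial_cluster() {
    _ic=""
    for _n in $ETCD_NODES; do
        _ic="${_ic:+$_ic,}${_n%%=*}=$1://${_n#*=}:2380"
    done
    printf '%s' "$_ic"
}

# node_ip NAME -> the IP registered for NAME; fails if NAME is unknown
node_ip() {
    for _n in $ETCD_NODES; do
        [ "${_n%%=*}" = "$1" ] && { printf '%s' "${_n#*=}"; return 0; }
    done
    return 1
}

# etcd_flags NAME SCHEME -> etcd flags for NAME, one per line.  Client traffic is
# bound to 127.0.0.1 as well so local etcdctl works without --endpoints.
etcd_flags() {
    _ip=$(node_ip "$1") || { echo "unknown node: $1" >&2; return 1; }
    _s=$2
    printf '%s\n' \
        "--name=$1" \
        "--listen-peer-urls=$_s://0.0.0.0:2380" \
        "--listen-client-urls=$_s://$_ip:2379,$_s://127.0.0.1:2379" \
        "--initial-advertise-peer-urls=$_s://$_ip:2380" \
        "--initial-cluster=$(initial_cluster "$_s")" \
        "--initial-cluster-state=new" \
        "--initial-cluster-token=$ETCD_TOKEN" \
        "--advertise-client-urls=$_s://$_ip:2379"
}

# check_flags FLAGS -> 0 if --name has an --initial-cluster entry and that
# entry's URL equals --initial-advertise-peer-urls (etcd rejects anything else)
check_flags() {
    _name=$(printf '%s\n' "$1" | sed -n 's/^--name=//p')
    _adv=$(printf '%s\n' "$1" | sed -n 's/^--initial-advertise-peer-urls=//p')
    _ic=$(printf '%s\n' "$1" | sed -n 's/^--initial-cluster=//p')
    [ -n "$_name" ] || { echo "--name is missing" >&2; return 1; }
    _self=$(printf '%s\n' "$_ic" | tr ',' '\n' | sed -n "s/^$_name=//p")
    [ -n "$_self" ] || { echo "$_name is not in --initial-cluster" >&2; return 1; }
    [ "$_self" = "$_adv" ] || { echo "$_name: cluster entry $_self != advertised $_adv" >&2; return 1; }
    return 0
}

# write_dropin NAME SCHEME DIR -> DIR/20-cluster.conf setting ETCD_OPTS for NAME.
# On a node, DIR would be /etc/systemd/system/etcd-member.service.d (assumed
# layout, followed by systemctl daemon-reload); here DIR is whatever you pass.
write_dropin() {
    _flags=$(etcd_flags "$1" "$2") || return 1
    check_flags "$_flags" || return 1
    _opts=$(printf '%s\n' "$_flags" | tr '\n' ' ')
    mkdir -p "$3"
    printf '[Service]\nEnvironment="ETCD_OPTS=%s"\n' "${_opts% }" > "$3/20-cluster.conf"
}

# Usage: sh gen-etcd-opts.sh NAME [SCHEME]   (prints the validated flags)
if [ $# -gt 0 ]; then
    _out=$(etcd_flags "$1" "${2:-http}") && check_flags "$_out" && printf '%s\n' "$_out"
fi
```

Run it as sh gen-etcd-opts.sh my-etcd-2 to print core2's flags, or call write_dropin from another script to place the drop-in; either way check_flags rejects a name that has no --initial-cluster entry before anything is written.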


If all went well, inspect the cluster with etcdctl:
export ETCDCTL_API=3
HOST_1=10.3.8.101
HOST_2=10.3.8.102
HOST_3=10.3.8.103
ENDPOINTS=$HOST_1:2379,$HOST_2:2379,$HOST_3:2379

etcdctl member list
9c44b44b17f43cfc, started, my-etcd-2, http://10.3.8.102:2380, http://10.3.8.102:2379
c2e7f9e9679f892a, started, my-etcd-1, http://10.3.8.101:2380, http://10.3.8.101:2379
c6c71c1f87c55a52, started, my-etcd-3, http://10.3.8.103:2380, http://10.3.8.103:2379

etcdctl --endpoints=$ENDPOINTS endpoint health
10.3.8.101:2379 is healthy: successfully committed proposal: took = 2.610361ms
10.3.8.102:2379 is healthy: successfully committed proposal: took = 1.400572ms
10.3.8.103:2379 is healthy: successfully committed proposal: took = 3.153116ms

$ etcdctl --write-out=table --endpoints=$ENDPOINTS endpoint status
+-----------------+------------------+---------+---------+-----------+-----------+------------+
|    ENDPOINT     |        ID        | VERSION | DB SIZE | IS LEADER | RAFT TERM | RAFT INDEX |
+-----------------+------------------+---------+---------+-----------+-----------+------------+
| 10.3.8.101:2379 | c2e7f9e9679f892a |  3.3.12 |   20 kB |      true |       558 |          9 |
| 10.3.8.102:2379 | 9c44b44b17f43cfc |  3.3.12 |   20 kB |     false |       558 |          9 |
| 10.3.8.103:2379 | c6c71c1f87c55a52 |  3.3.12 |   20 kB |     false |       558 |          9 |
+-----------------+------------------+---------+---------+-----------+-----------+------------+

Configuring TLS

Step 1: prepare the certificate files
The certificate creation process is covered in another post, "Creating etcd certificates with CFSSL". Because one certificate is shared by all three members, it must carry every member's IP as a subject alternative name: each member dials its peers at https://IP:2380 and verifies the server certificate against that IP.
mkdir /etc/ssl/etcd
scp [email protected]:/root/ssl/*.pem /etc/ssl/etcd/
chown -R etcd:etcd /etc/ssl/etcd
ls -l /etc/ssl/etcd
-rw-r--r--. 1 etcd etcd 1363 Dec 6 11:30 ca.pem
-rw-------. 1 etcd etcd 1679 Dec 6 11:30 etcd-key.pem
-rw-r--r--. 1 etcd etcd 1537 Dec 6 11:30 etcd.pem
Update the system certificate store:
cp /etc/ssl/etcd/*.pem /etc/ssl/certs
update-ca-certificates
Only ca.pem is needed in the trust store; this copy also puts the private key into /etc/ssl/certs, a directory normally assumed to hold only public material. cp keeps the 0600 mode on the new file, but confirm with ls -l that etcd-key.pem is not readable by anyone else.
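Before etcd is restarted with these files, it pays to verify them on the node, since a bad key/certificate pair, a certificate from a different CA, or a missing IP SAN only shows up later as a peer handshake failure in journalctl. The script below is an added example and not part of the original post or of the CFSSL workflow it refers to: check_etcd_certs tests a ca.pem/etcd.pem/etcd-key.pem set against one member IP, and make_test_certs builds throwaway material with openssl (constructed test data carrying the page's three IPs as SANs) so the checks can be tried offline. The file names and the 0600 key mode follow the ls -l listing above.

```sh
#!/bin/sh
# Added example: sanity-check etcd TLS material before the service is restarted.

# file_mode FILE -> octal permission bits (GNU stat, with BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_etcd_certs DIR IP -> 0 if DIR/{ca,etcd,etcd-key}.pem are usable by a
# member advertising IP; prints the first failing check to stderr otherwise
check_etcd_certs() {
    _dir=$1; _ip=$2
    _ca=$_dir/ca.pem; _crt=$_dir/etcd.pem; _key=$_dir/etcd-key.pem
    for _f in "$_ca" "$_crt" "$_key"; do
        [ -r "$_f" ] || { echo "missing or unreadable: $_f" >&2; return 1; }
    done
    # 1. the key and the certificate carry the same public key
    [ "$(openssl x509 -noout -pubkey -in "$_crt")" = "$(openssl pkey -pubout -in "$_key")" ] \
        || { echo "etcd-key.pem does not match etcd.pem" >&2; return 1; }
    # 2. the certificate chains to the CA etcd will be told to trust
    openssl verify -CAfile "$_ca" "$_crt" >/dev/null 2>&1 \
        || { echo "etcd.pem is not signed by ca.pem" >&2; return 1; }
    # 3. the member's own IP is a subjectAltName (peers verify it on dial)
    _re=$(printf '%s' "$_ip" | sed 's/\./\\./g')
    openssl x509 -noout -text -in "$_crt" | grep -Eq "IP Address:${_re}(,|\$)" \
        || { echo "etcd.pem has no IP SAN for $_ip" >&2; return 1; }
    # 4. the private key is readable by its owner only
    _m=$(file_mode "$_key")
    case $_m in
        600|400) ;;
        *) echo "etcd-key.pem mode is $_m, expected 600" >&2; return 1 ;;
    esac
    return 0
}

# make_test_certs DIR -> a throwaway CA plus one server/client certificate with
# the post's three member IPs and 127.0.0.1 as SANs (constructed test material)
make_test_certs() {
    _d=$1; mkdir -p "$_d"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=etcd-ca' \
        -keyout "$_d/ca-key.pem" -out "$_d/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$_d/ca.cnf"
    openssl x509 -req -days 1 -in "$_d/ca.csr" -signkey "$_d/ca-key.pem" \
        -extfile "$_d/ca.cnf" -out "$_d/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=etcd' \
        -keyout "$_d/etcd-key.pem" -out "$_d/etcd.csr" >/dev/null 2>&1
    printf 'subjectAltName=IP:10.3.8.101,IP:10.3.8.102,IP:10.3.8.103,IP:127.0.0.1\nextendedKeyUsage=serverAuth,clientAuth\n' > "$_d/san.cnf"
    openssl x509 -req -days 1 -in "$_d/etcd.csr" -CA "$_d/ca.pem" -CAkey "$_d/ca-key.pem" \
        -CAcreateserial -extfile "$_d/san.cnf" -out "$_d/etcd.pem" >/dev/null 2>&1
    chmod 600 "$_d/etcd-key.pem"
}

# Usage: sh check-etcd-certs.sh DIR IP   e.g. sh check-etcd-certs.sh /etc/ssl/etcd 10.3.8.101
if [ $# -eq 2 ]; then
    check_etcd_certs "$1" "$2" && echo "ok: $1 is usable for $2"
fi
```

Run it once per member with that member's IP; on this setup the same files are copied to all three nodes, so the SAN check is what catches a certificate that was issued for core1 only.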

Step 2: modify the etcd-member.service file from earlier, adding the certificate flags and switching every URL to https. Keep in mind that etcd-wrapper runs etcd inside an rkt container and mounts the host's certificate directory into it, /etc/ssl/certs by default (ETCD_SSL_DIR in the stock unit), so certificate paths outside that directory are not visible to etcd even though they exist on the host:

ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \
  --name="my-etcd-1" \
  --client-cert-auth \
  --cert-file=/etc/ssl/etcd/etcd.pem \
  --key-file=/etc/ssl/etcd/etcd-key.pem \
  --trusted-ca-file=/etc/ssl/etcd/ca.pem \
  --peer-client-cert-auth \
  --peer-cert-file=/etc/ssl/etcd/etcd.pem \
  --peer-key-file=/etc/ssl/etcd/etcd-key.pem \
  --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \
  --listen-peer-urls="https://0.0.0.0:2380" \
  --listen-client-urls="https://10.3.8.101:2379,https://127.0.0.1:2379" \
  --initial-advertise-peer-urls="https://10.3.8.101:2380" \
  --initial-cluster="my-etcd-1=https://10.3.8.101:2380,my-etcd-2=https://10.3.8.102:2380,my-etcd-3=https://10.3.8.103:2380" \
  --initial-cluster-state="new" \
  --initial-cluster-token="my-etcd-token" \
  --advertise-client-urls="https://10.3.8.101:2379"

After preparing the other two nodes the same way, restart the etcd-member service:
systemctl stop etcd-member.service
systemctl daemon-reload
systemctl start etcd-member.service

In my own test, etcd-member failed to start; the log showed:
journalctl -xe
etcdmain: open /etc/ssl/etcd/etcd.pem: no such file or directory
I spent a long time without finding the cause; switching to the /etc/ssl/certs/ directory worked, so the final change is as follows:

chown etcd:etcd /etc/ssl/certs/ca.pem
chown etcd:etcd /etc/ssl/certs/etcd.pem
chown etcd:etcd /etc/ssl/certs/etcd-key.pem
vi /etc/systemd/system/etcd-member.service

  --client-cert-auth \
  --cert-file=/etc/ssl/certs/etcd.pem \
  --key-file=/etc/ssl/certs/etcd-key.pem \
  --trusted-ca-file=/etc/ssl/certs/ca.pem \
  --peer-client-cert-auth \
  --peer-cert-file=/etc/ssl/certs/etcd.pem \
  --peer-key-file=/etc/ssl/certs/etcd-key.pem \
  --peer-trusted-ca-file=/etc/ssl/certs/ca.pem \

Then wipe the data directory and restart. The wipe is needed because etcd stores the cluster membership (still with http peer URLs) in the data directory and ignores --initial-cluster once one exists; it also discards all stored data, which is acceptable only because this cluster is still empty.
systemctl stop etcd-member
rm -rf /var/lib/etcd/*
systemctl daemon-reload
systemctl start etcd-member

Check that the cluster is healthy; run on any node:

HOST_1=10.3.8.101
HOST_2=10.3.8.102
HOST_3=10.3.8.103
ENDPOINTS=$HOST_1:2379,$HOST_2:2379,$HOST_3:2379

export ETCDCTL_API=2
etcdctl --ca-file=/etc/ssl/etcd/ca.pem --cert-file=/etc/ssl/etcd/etcd.pem --key-file=/etc/ssl/etcd/etcd-key.pem   --endpoints=$ENDPOINTS cluster-health
or
export ETCDCTL_API=3
etcdctl --cacert="/etc/ssl/certs/ca.pem" --cert="/etc/ssl/certs/etcd.pem" --key="/etc/ssl/certs/etcd-key.pem"  member list
etcdctl --cacert="/etc/ssl/certs/ca.pem" --cert="/etc/ssl/certs/etcd.pem" --key="/etc/ssl/certs/etcd-key.pem"  --endpoints=$ENDPOINTS endpoint health
10.3.8.101:2379 is healthy: successfully committed proposal: took = 1.914653ms
10.3.8.102:2379 is healthy: successfully committed proposal: took = 24.978064ms
10.3.8.103:2379 is healthy: successfully committed proposal: took = 35.314698ms


Reposted from blog.csdn.net/liuyuhui_gdtyj/article/details/84864203