1. Download cfssl and issue the etcd certificates [master, each node]
①. Download the cfssl command tool
#Download to /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
②. Download cfssljson [writes the JSON output of cfssl to files]
#Download to /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
③. Install cfssl-certinfo [View certificate information]
#Download to /usr/local/bin/cfssl-certinfo
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
④. Put cfssl, cfssljson and cfssl-certinfo in /usr/local/bin and make them executable
#Only needed if the three binaries were downloaded somewhere other than /usr/local/bin
cp -f cfssl cfssljson cfssl-certinfo /usr/local/bin
#Execute permission
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
These are unsigned binaries fetched over the network and run as root; compare them against the checksums published for the release before using them.
⑤. Create the CA signing policy
#Create the folder and work inside it
mkdir -p /etc/opt/certs && cd /etc/opt/certs
#Create the CA signing policy
vi ca-config.json
#Configuration contents (plain JSON: comments are not allowed inside the file)
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "server": {
        "expiry": "175200h",
        "usages": ["signing", "key encipherment", "server auth"]
      },
      "client": {
        "expiry": "175200h",
        "usages": ["signing", "key encipherment", "client auth"]
      },
      "peer": {
        "expiry": "175200h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
"expiry": "175200h" is 20 years. That is convenient in a lab, but a certificate this long-lived is in practice never rotated, so a leaked server-key.pem stays valid for two decades; for anything beyond a test cluster choose a shorter expiry and plan for rotation. The three profiles differ only in extended key usage: "server" is accepted only as a TLS server, "client" only as a TLS client, and "peer" as both, which is what an etcd member needs because it acts as server and as client on the peer port.
⑥. CA certificate request
#Create file
vi ca-csr.json
#Write configuration
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "guangdong",
      "ST": "shenzhen"
    }
  ]
}
⑦. etcd server/peer certificate request
#Create file
vi server-csr.json
#Write configuration
{
  "CN": "etcd",
  "hosts": [
    "192.168.14.20",
    "192.168.14.21",
    "192.168.14.22"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "guangdong",
      "ST": "shenzhen"
    }
  ]
}
"hosts" must list the IP (or DNS name) of every etcd member, master and nodes alike: the same server.pem is installed on all of them, and a peer or client rejects a certificate whose SAN list does not contain the address it connected to.
⑧. Generate the certificates
#Generate the CA certificate and key: ca-key.pem, ca.pem, ca.csr
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#Generate server-key.pem, server.pem, server.csr with profile=peer (server auth + client auth)
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer server-csr.json | cfssljson -bare server
ca-key.pem can sign further certificates that every member will trust; keep it readable by root only and do not copy it to the etcd nodes, which need only ca.pem, server.pem and server-key.pem.
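The whole of step 1 as one script, added here as an example; it is not code from the original page. It writes the three JSON files from a host list (so the SAN list cannot drift from the member list), issues the CA and the peer-profile certificate with the same cfssl commands as above, and then verifies what was issued, which the page's steps do not do. Names and choices that are mine rather than the page's: the function names, the CERT_EXPIRY variable (defaulting to one year rather than the page's 20), chmod 600 on the private keys, and the check_cert function, which reads the certificate with openssl (cfssl-certinfo -cert server.pem shows the same SAN and usage fields).

```shell
#!/bin/sh
# Added example, not code from the original page. Function names, CERT_EXPIRY
# and the openssl-based check are assumptions of this script, not the page's.
set -eu

# write_cfssl_configs DIR HOST... -> ca-config.json, ca-csr.json, server-csr.json in DIR
write_cfssl_configs() {
  dir=$1; shift
  mkdir -p "$dir"
  expiry=${CERT_EXPIRY:-8760h}   # 1 year by default; the page uses 175200h (20 years)
  hosts=""                       # JSON "hosts" array built from the member IPs/DNS names
  for h in "$@"; do
    hosts="${hosts:+$hosts, }\"$h\""
  done
  # One profile per role: a "client" cert is never accepted as a server/peer cert.
  cat >"$dir/ca-config.json" <<EOF
{
  "signing": {
    "default": { "expiry": "$expiry" },
    "profiles": {
      "server": { "expiry": "$expiry", "usages": ["signing", "key encipherment", "server auth"] },
      "client": { "expiry": "$expiry", "usages": ["signing", "key encipherment", "client auth"] },
      "peer":   { "expiry": "$expiry", "usages": ["signing", "key encipherment", "server auth", "client auth"] }
    }
  }
}
EOF
  cat >"$dir/ca-csr.json" <<'EOF'
{ "CN": "etcd CA", "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "guangdong", "ST": "shenzhen" } ] }
EOF
  cat >"$dir/server-csr.json" <<EOF
{ "CN": "etcd", "hosts": [ $hosts ], "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "guangdong", "ST": "shenzhen" } ] }
EOF
}

# gen_certs DIR -> ca.pem/ca-key.pem and server.pem/server-key.pem (profile=peer) in DIR
# Needs cfssl and cfssljson on PATH.
gen_certs() {
  dir=$1
  (
    cd "$dir"
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
      -profile=peer server-csr.json | cfssljson -bare server
  )
  chmod 600 "$dir"/*-key.pem   # private keys: owner only
}

# check_cert CERT HOST... -> 0 only if every HOST is a SAN and the cert carries
# both serverAuth and clientAuth (what an etcd member needs on the peer port).
# Needs openssl on PATH.
check_cert() {
  cert=$1; shift
  text=$(openssl x509 -in "$cert" -noout -text)
  for h in "$@"; do
    printf '%s\n' "$text" | grep -qE "(IP Address|DNS):$h(,|\$)" || {
      echo "missing SAN: $h" >&2; return 1; }
  done
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'
}

# Usage: sh gen-etcd-certs.sh /etc/opt/certs 192.168.14.20 192.168.14.21 192.168.14.22
if [ $# -ge 2 ]; then
  out=$1; shift
  write_cfssl_configs "$out" "$@"
  gen_certs "$out"
  check_cert "$out/server.pem" "$@" && echo "server.pem OK for: $*"
fi
```

Running it with the directory and the member addresses reproduces the page's files; if a member is later added, rerun it with the longer host list and redistribute server.pem, since a certificate cannot be amended in place.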
2. Install etcd
①. Download etcd
Download address: https://github.com/etcd-io/etcd/releases
#Download etcd and store it in /usr/local/bin
curl -L https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz -o /usr/local/bin/etcd.tar.gz

#Extract etcd
cd /usr/local/bin && tar -xvf etcd.tar.gz

#Move etcd and etcdctl to /opt/etcd/bin
mkdir -p /opt/etcd/bin
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin
②. Create etcd configuration file
#Create the etcd configuration file
cd /opt/etcd && touch etcd.conf
#Owner read/write, everyone else read-only. Do not use chmod 777: this file names the certificate, key and data paths etcd runs with, and a world-writable copy lets any local user redirect them.
chmod 644 etcd.conf
#Edit the file
vi etcd.conf
③. Write the configuration [Note: no comments after a value; systemd's EnvironmentFile does not strip them, so the comment becomes part of the path or URL]
#[Member]
ETCD_NAME="k8s-etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.17.217.232:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.17.217.232:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.217.232:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.17.217.232:2379"
ETCD_INITIAL_CLUSTER="k8s-etcd-1=https://172.17.217.232:2380,k8s-etcd-2=https://172.17.217.226:2380,k8s-etcd-3=https://172.17.217.228:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
Meaning of each setting:
ETCD_NAME: this member's name, unique within the cluster
ETCD_DATA_DIR: data directory
ETCD_LISTEN_PEER_URLS: address on which this member accepts traffic from the other etcd members (port 2380)
ETCD_LISTEN_CLIENT_URLS: address on which this member accepts client traffic from the API server (port 2379)
ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address this member advertises to the other members
ETCD_ADVERTISE_CLIENT_URLS: client address this member advertises to the API server
ETCD_INITIAL_CLUSTER: name=peer-URL of every member, identical on all members, with no stray whitespace inside the quotes
ETCD_INITIAL_CLUSTER_TOKEN: bootstrap token that keeps members of different clusters from joining each other by mistake
ETCD_INITIAL_CLUSTER_STATE: new when bootstrapping a new cluster, existing when joining one that already exists
④. Create etcd startup service file
touch etcd.service
⑤. Write the service configuration
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
  --name=${ETCD_NAME} \
  --data-dir=${ETCD_DATA_DIR} \
  --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
  --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
  --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
  --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
  --initial-cluster=${ETCD_INITIAL_CLUSTER} \
  --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
  --initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
  --cert-file=/opt/etcd/ssl/server.pem \
  --key-file=/opt/etcd/ssl/server-key.pem \
  --peer-cert-file=/opt/etcd/ssl/server.pem \
  --peer-key-file=/opt/etcd/ssl/server-key.pem \
  --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EnvironmentFile is the configuration file written in step ③ and ExecStart is the etcd binary; comments must not be written after a value or after a backslash continuation, systemd would treat them as part of the line. Two things to be aware of in this unit: http://127.0.0.1:2379 is a plaintext, unauthenticated listener, so any process on the node can read and write the whole key space through it, drop it unless something local really needs it; and without --client-cert-auth and --peer-client-cert-auth etcd presents its certificate but does not demand one from clients or peers, so TLS here only encrypts, and anyone who can reach port 2379 has full access.
⑥. Move the service file into place
mv etcd.service /usr/lib/systemd/system/
3. Copy the certificate to /opt/etcd/ssl
①. Copy the certificate
#Create the ssl folder [if it does not exist]
mkdir -p /opt/etcd/ssl
#Go to where the certificates were generated [use your own path]
cd /home/ssl
#Copy the certificates to /opt/etcd/ssl
cp {ca,server,server-key}.pem /opt/etcd/ssl
server-key.pem is the member's private key; it should stay readable by root (the user etcd runs as) only. ca-key.pem is deliberately not copied.
4. Start the service
①. Start the service
systemctl start etcd
②. Errors that occurred
1). "File not found" –> Solution: remove the trailing comments from etcd.conf; systemd's EnvironmentFile does not strip text after a value, so the comment becomes part of the path or URL.
2). "Environment variable already exists" –> Solution: etcd refuses to start when the same setting arrives both as an ETCD_* variable from the EnvironmentFile and as a command-line flag; drop the flags from the service file and configure etcd through the environment variables only.
3). Remove the duplicated settings [Reason: https://blog.csdn.net/snipercai/article/details/101012124]
Modified service file:
4). Reload the configuration
#Reload the service configuration
systemctl daemon-reload
5). Copy etcd, the certificates and the configuration to every node [or repeat the steps above on each node]
[master] scp -r /opt/etcd/* root@k8s-node:/opt/etcd   #copies bin/, ssl/ and the configuration to the node; -r is needed for the sub-directories
[node] mv /opt/etcd/etcd.service /usr/lib/systemd/system/   #put the service file where systemd looks for it
6). Modify /opt/etcd/etcd.conf on each node: ETCD_NAME and the four *_URLS values must carry that node's own name and IP; ETCD_INITIAL_CLUSTER and ETCD_INITIAL_CLUSTER_TOKEN stay identical on every member.
7). Delete the data directory and restart the service [delete the data directory only after the configuration has been modified, otherwise the member re-initialises with the old settings]
#Stop the running etcd [each etcd]
systemctl stop etcd

#Delete the data directory [each etcd]; this wipes that member's copy of the cluster data, fine for a fresh bootstrap, not for a cluster that already holds data
rm -rf /var/lib/etcd/default.etcd

#Restart etcd, start order [master->node1->node2]
systemctl start etcd

#Start on boot
systemctl enable etcd
5. Check etcd health status
#etcd version [3.4.9, v3 API] [the 226 server is in an unhealthy state]
/opt/etcd/bin/etcdctl \
  --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem \
  --endpoints="https://172.17.217.232:2379,https://172.17.217.226:2379,https://172.17.217.228:2379" endpoint health
#older etcd [v2 API]
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem \
  --endpoints="https://172.17.217.232:2379,https://172.17.217.226:2379,https://172.17.217.228:2379" cluster-health
1). Check whether the firewall on the master (or on the unhealthy member) is blocking the etcd ports.
#Check firewall status
firewall-cmd --state   [running]
2). Execute the following command
systemctl stop firewalld; pkill -f firewalld; systemctl start firewalld
Restarting firewalld does not open any port by itself; if the health check still fails afterwards, allow TCP 2379 and 2380 on every member, and allow them only from the other members and from the API server hosts rather than from anywhere.
3). Normal result: every endpoint reports healthy
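Steps 2 to 5 as one script, added here as an example; it is not the page's own code and it generalises the page's single hand-edited etcd.conf to any member. It renders etcd.conf for a member from one node list (so ETCD_INITIAL_CLUSTER is identical everywhere and step 6 needs no hand edits), renders a service file in which ExecStart carries no flags (every setting comes from the EnvironmentFile, which is the fix for the "environment variable already exists" error), builds the endpoint list for the health check, and opens 2379/2380 in firewalld only for the other members. Assumptions that are mine: the NAME=IP node-list format, the function names, that client and peer certificate authentication are switched on (ETCD_CLIENT_CERT_AUTH / ETCD_PEER_CLIENT_CERT_AUTH, satisfied by the peer-profile server.pem), and that the plaintext http://127.0.0.1:2379 listener from the service file above is dropped because it would let any local process read and write the key space without a certificate.

```shell
#!/bin/sh
# Added example, not code from the original page. Node-list format, function
# names and the cert-auth settings are assumptions of this script.
set -eu

NODES="k8s-etcd-1=172.17.217.232 k8s-etcd-2=172.17.217.226 k8s-etcd-3=172.17.217.228"
SSL=/opt/etcd/ssl

# initial_cluster "NAME=IP ..." -> "NAME=https://IP:2380,..." (ETCD_INITIAL_CLUSTER)
initial_cluster() {
  out=""
  for n in $1; do
    out="${out:+$out,}${n%%=*}=https://${n#*=}:2380"
  done
  printf '%s' "$out"
}

# client_endpoints "NAME=IP ..." -> "https://IP:2379,..." (etcdctl --endpoints)
client_endpoints() {
  out=""
  for n in $1; do
    out="${out:+$out,}https://${n#*=}:2379"
  done
  printf '%s' "$out"
}

# render_etcd_conf NAME IP "NODES" [STATE] -> etcd.conf on stdout.
# No trailing comments (systemd keeps them as part of the value) and no plaintext
# 127.0.0.1 listener. *_CLIENT_CERT_AUTH=true makes etcd demand a certificate
# signed by ca.pem from every client and peer.
render_etcd_conf() {
  name=$1; ip=$2; cluster=$(initial_cluster "$3"); state=${4:-new}
  cat <<EOF
ETCD_NAME="$name"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$cluster"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="$state"
ETCD_CERT_FILE="$SSL/server.pem"
ETCD_KEY_FILE="$SSL/server-key.pem"
ETCD_TRUSTED_CA_FILE="$SSL/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="$SSL/server.pem"
ETCD_PEER_KEY_FILE="$SSL/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="$SSL/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF
}

# render_etcd_service -> etcd.service on stdout; no flags, so nothing can
# conflict with the ETCD_* variables from the EnvironmentFile
render_etcd_service() {
  cat <<'EOF'
[Unit]
Description=Etcd Server
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/etcd.conf
ExecStart=/opt/etcd/bin/etcd
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
}

# cluster_health "NODES" -> the page's v3 health check, authenticating with the peer cert
cluster_health() {
  ETCDCTL_API=3 /opt/etcd/bin/etcdctl \
    --cacert="$SSL/ca.pem" --cert="$SSL/server.pem" --key="$SSL/server-key.pem" \
    --endpoints="$(client_endpoints "$1")" endpoint health
}

# open_etcd_ports "NODES" -> firewalld: 2379-2380/tcp accepted only from the other
# members (add the kube-apiserver hosts for 2379 the same way). A firewalld restart opens nothing.
open_etcd_ports() {
  for n in $1; do
    firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=${n#*=} port port=2379-2380 protocol=tcp accept"
  done
  firewall-cmd --reload
}

# Usage: sh render-etcd.sh k8s-etcd-2 172.17.217.226 > /opt/etcd/etcd.conf
#        sh render-etcd.sh service > /usr/lib/systemd/system/etcd.service
case "${1:-}" in
  service) render_etcd_service ;;
  "")      ;;   # no arguments: only define the functions (so the file can be sourced)
  *)       render_etcd_conf "$1" "${2:?IP required}" "$NODES" ;;
esac
```

After writing the two files on a node, systemctl daemon-reload and the stop / delete data directory / start sequence from step 7 apply unchanged; cluster_health "$NODES" then replaces the hand-typed endpoint list of step 5.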