
etcd cluster deployment

Simulating a cluster of 3 nodes (instances)

To keep testing simple, all 3 etcd processes run on the same machine, each listening on its own ports.

etcd accepts TLS certificates in two forms: certificates you issue yourself (from your own, typically self-signed, CA) and certificates etcd generates automatically (auto-tls).

Self-signed certificates

This route requires some familiarity with certificate issuance.

TODO

Automatic certificate configuration

Use this when you only need the links between members and clients encrypted and do not need to authenticate either side: each member generates its own self-signed certificate and key from its advertised IP addresses and host names. Because nothing vouches for those certificates, a client cannot tell a real member from an impostor, so this protects against passive sniffing only and belongs in test setups, not production.

Starting from the single-instance etcd installation, the configuration file is adjusted slightly. One thing to watch: every listen/advertise URL in the files below still uses http://. etcd applies auto-tls and peer-auto-tls only to https:// listeners; for an http:// listener it logs "scheme is HTTP while key and cert files are present; ignoring key and cert files" and keeps serving plaintext. To actually put the generated certificates to use, switch the scheme to https:// in listen-client-urls, advertise-client-urls, listen-peer-urls, initial-advertise-peer-urls and every entry of initial-cluster, on all three members.

conf.yml

name: test-etcd
data-dir: /var/lib/etcd
listen-client-urls: http://127.0.0.1:2379
advertise-client-urls: http://127.0.0.1:2379
listen-peer-urls: http://127.0.0.1:2380
initial-advertise-peer-urls: http://127.0.0.1:2380
initial-cluster: test-etcd=http://127.0.0.1:2380,test-etcd2=http://127.0.0.1:2390,test-etcd3=http://127.0.0.1:2400
initial-cluster-token: test-etcd-cluster-1
initial-cluster-state: new
#cert-file: /etc/ssl/etcd/server.pem
#key-file: /etc/ssl/etcd/server-key.pem
#client-cert-auth: false
#trusted-ca-file: /etc/ssl/etcd/ca.pem
# auto-tls/peer-auto-tls only take effect on https:// listeners; with the
# http:// URLs above etcd ignores them and the cluster talks plaintext
auto-tls: true
peer-auto-tls: true
logger: zap

conf2.yml

name: test-etcd2
data-dir: /var/lib/etcd2
listen-client-urls: http://127.0.0.1:2389
advertise-client-urls: http://127.0.0.1:2389
listen-peer-urls: http://127.0.0.1:2390
initial-advertise-peer-urls: http://127.0.0.1:2390
initial-cluster: test-etcd=http://127.0.0.1:2380,test-etcd2=http://127.0.0.1:2390,test-etcd3=http://127.0.0.1:2400
initial-cluster-token: test-etcd-cluster-1
initial-cluster-state: new
#cert-file: /etc/ssl/etcd/server.pem
#key-file: /etc/ssl/etcd/server-key.pem
#client-cert-auth: false
#trusted-ca-file: /etc/ssl/etcd/ca.pem
auto-tls: true
peer-auto-tls: true
logger: zap

conf3.yml

name: test-etcd3
data-dir: /var/lib/etcd3
listen-client-urls: http://127.0.0.1:2399
advertise-client-urls: http://127.0.0.1:2399
listen-peer-urls: http://127.0.0.1:2400
initial-advertise-peer-urls: http://127.0.0.1:2400
initial-cluster: test-etcd=http://127.0.0.1:2380,test-etcd2=http://127.0.0.1:2390,test-etcd3=http://127.0.0.1:2400
initial-cluster-token: test-etcd-cluster-1
initial-cluster-state: new
#cert-file: /etc/ssl/etcd/server.pem
#key-file: /etc/ssl/etcd/server-key.pem
#client-cert-auth: false
#trusted-ca-file: /etc/ssl/etcd/ca.pem
auto-tls: true
peer-auto-tls: true
logger: zap
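
The mistake described above (auto-tls switched on while every URL stays http://) is easy to miss because etcd starts and forms a cluster either way. As an added example that is not part of the original post, the script below statically checks a flat key: value etcd config of the kind shown here: it flags auto-tls or peer-auto-tls turned on for an http:// URL, an https:// URL with neither auto TLS nor a certificate file, and an initial-cluster that lacks the member's own name=peer-URL entry or mixes schemes. The two sample files it writes to a temporary directory are constructed: conf-http.yml mirrors conf.yml above, conf-https.yml is the same file with the scheme corrected.

```shell
#!/bin/sh
# Added example, not from the original post: a static check for etcd
# config files in the flat "key: value" form used above. etcd only serves
# TLS on https:// listeners; for an http:// listener it logs "scheme is
# HTTP while key and cert files are present; ignoring key and cert files"
# and keeps talking plaintext. File names and sample configs are constructed.

# conf_get FILE KEY: print the value of the top-level "KEY: value" line
# (commented-out lines such as "#cert-file: ..." do not match).
conf_get() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_scheme FILE URLKEY TLSKEY CERTKEY
# returns 0 when the URL scheme and the TLS settings agree, 1 otherwise:
#   http://  with TLSKEY=true               -> auto TLS silently ignored
#   https:// with TLSKEY!=true and no CERTKEY -> nothing to serve TLS with
check_scheme() {
  local file=$1 urlkey=$2 tlskey=$3 certkey=$4 rc=0 urls tls cert u
  urls=$(conf_get "$file" "$urlkey")
  tls=$(conf_get "$file" "$tlskey")
  cert=$(conf_get "$file" "$certkey")
  for u in $(printf '%s' "$urls" | tr ',' ' '); do
    case "$u" in
      http://*)
        if [ "$tls" = "true" ]; then
          echo "$file: $urlkey=$u with $tlskey=true: TLS is ignored on http:// listeners, traffic is plaintext" >&2
          rc=1
        fi ;;
      https://*)
        if [ "$tls" != "true" ] && [ -z "$cert" ]; then
          echo "$file: $urlkey=$u but neither $tlskey=true nor $certkey is set" >&2
          rc=1
        fi ;;
      *)
        echo "$file: $urlkey=$u has an unexpected scheme" >&2
        rc=1 ;;
    esac
  done
  return $rc
}

# check_member FILE: the member's own name=peer-URL must appear in
# initial-cluster, and every peer URL there must use the member's scheme.
check_member() {
  local file=$1 rc=0 name peer cluster scheme entry
  name=$(conf_get "$file" name)
  peer=$(conf_get "$file" initial-advertise-peer-urls)
  cluster=$(conf_get "$file" initial-cluster)
  case ",$cluster," in
    *",$name=$peer,"*) ;;
    *) echo "$file: initial-cluster has no entry $name=$peer" >&2; rc=1 ;;
  esac
  scheme=${peer%%://*}
  for entry in $(printf '%s' "$cluster" | tr ',' ' '); do
    case "${entry#*=}" in
      "$scheme"://*) ;;
      *) echo "$file: initial-cluster entry $entry does not use $scheme://" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# check_conf FILE: run every check; returns 0 only if all of them pass
check_conf() {
  local file=$1 rc=0
  check_scheme "$file" listen-client-urls auto-tls cert-file || rc=1
  check_scheme "$file" advertise-client-urls auto-tls cert-file || rc=1
  check_scheme "$file" listen-peer-urls peer-auto-tls peer-cert-file || rc=1
  check_scheme "$file" initial-advertise-peer-urls peer-auto-tls peer-cert-file || rc=1
  check_member "$file" || rc=1
  return $rc
}

# Constructed samples: conf-http.yml has the shape used on this page,
# conf-https.yml is the same file with the scheme corrected everywhere.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat >"$demo_dir/conf-http.yml" <<'EOF'
name: test-etcd
data-dir: /var/lib/etcd
listen-client-urls: http://127.0.0.1:2379
advertise-client-urls: http://127.0.0.1:2379
listen-peer-urls: http://127.0.0.1:2380
initial-advertise-peer-urls: http://127.0.0.1:2380
initial-cluster: test-etcd=http://127.0.0.1:2380,test-etcd2=http://127.0.0.1:2390,test-etcd3=http://127.0.0.1:2400
initial-cluster-token: test-etcd-cluster-1
initial-cluster-state: new
auto-tls: true
peer-auto-tls: true
EOF
sed 's#http://#https://#g' "$demo_dir/conf-http.yml" >"$demo_dir/conf-https.yml"

check_conf "$demo_dir/conf-http.yml" && echo "conf-http.yml: ok" || echo "conf-http.yml: FAIL"
check_conf "$demo_dir/conf-https.yml" && echo "conf-https.yml: ok" || echo "conf-https.yml: FAIL"
```

Point check_conf at each of the three real files (conf.yml, conf2.yml, conf3.yml) before starting the units. Once the scheme is https://, the etcdctl calls in the test section have to change as well: pass https:// endpoints and, because the auto-generated certificates are not signed by any CA the client trusts, `--insecure-transport=false --insecure-skip-tls-verify`; etcdctl's own help marks the latter as for testing only, which is also exactly the scope of auto-tls.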

Likewise, using /lib/systemd/system/etcd.service as the template, add /lib/systemd/system/etcd2.service and /lib/systemd/system/etcd3.service, each pointing at its own configuration file (conf2.yml and conf3.yml).

Start the services

systemctl daemon-reload
systemctl start etcd
systemctl start etcd2
systemctl start etcd3

Testing

etcdctl member list

80e0e4f6d1840df, started, test-etcd3, http://127.0.0.1:2400, http://127.0.0.1:2399, false
474484e628359cc4, started, test-etcd, http://127.0.0.1:2380, http://127.0.0.1:2379, false
4746b384e22d323b, started, test-etcd2, http://127.0.0.1:2390, http://127.0.0.1:2389, false

etcdctl endpoint status --write-out=table --endpoints='http://127.0.0.1:2379,http://127.0.0.1:2389,http://127.0.0.1:2399'

+-----------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|       ENDPOINT        |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+-----------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| http://127.0.0.1:2379 | 474484e628359cc4 |  3.4.14 |   20 kB |      true |      false |        18 |         13 |                 13 |        |
| http://127.0.0.1:2389 | 4746b384e22d323b |  3.4.14 |   20 kB |     false |      false |        18 |         13 |                 13 |        |
| http://127.0.0.1:2399 |  80e0e4f6d1840df |  3.4.14 |   20 kB |     false |      false |        18 |         13 |                 13 |        |
+-----------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

Note the IS LEADER and IS LEARNER columns: exactly one member (test-etcd on 2379) is the leader and none is a learner, so all three are voting members. Note also that every URL in these outputs is still http:// and etcdctl needed no certificate to connect, which confirms that the auto-tls flags had no effect and this cluster is running unencrypted.

Recommendations

Keep test and production environments strictly separate; auto-tls and loopback-only listeners are test conveniences, not a production setup.

Beyond TLS certificates and username/password authentication, restrict reachability of the client port (2379) and peer port (2380) with iptables in production, so that only the other members and the intended clients can connect to them.
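
For the iptables point, an added example (not from the original post) that emits an iptables-restore fragment restricting the two etcd ports: the peer port is reachable only from the other members, the client port only from named client networks, and everything else aimed at either port is dropped. The addresses, the chain name ETCD, and the assumption that members have single IPs while clients live in subnets are all mine; substitute the members' advertise addresses and your client networks.

```shell
#!/bin/sh
# Added example, not from the original post: generate an iptables-restore
# fragment that allows the etcd peer port only from the other members and
# the client port only from named client networks, dropping everything
# else aimed at those ports. All addresses below are constructed.

ETCD_CLIENT_PORT=2379
ETCD_PEER_PORT=2380

# etcd_rules "PEER_IP ..." "CLIENT_CIDR ..." -> iptables-restore text on stdout
etcd_rules() {
  peers=$1
  clients=$2
  echo '*filter'
  echo ':ETCD - [0:0]'
  # every packet aimed at either etcd port is judged in the ETCD chain
  echo "-A INPUT -p tcp -m multiport --dports $ETCD_CLIENT_PORT,$ETCD_PEER_PORT -j ETCD"
  # tools run on the node itself (etcdctl against 127.0.0.1) keep working
  echo '-A ETCD -i lo -j ACCEPT'
  # other members may reach the peer port only
  for p in $peers; do
    echo "-A ETCD -s $p -p tcp --dport $ETCD_PEER_PORT -j ACCEPT"
  done
  # client networks may reach the client port only
  for c in $clients; do
    echo "-A ETCD -s $c -p tcp --dport $ETCD_CLIENT_PORT -j ACCEPT"
  done
  # anything else (a peer hitting 2379, a stranger hitting 2380) is
  # dropped; the chain is only entered for the two etcd ports
  echo '-A ETCD -j DROP'
  echo 'COMMIT'
}

# View from member 10.0.0.11: two other members and one client subnet.
etcd_rules "10.0.0.12 10.0.0.13" "10.0.1.0/24"
```

Review the output, then apply it with `etcd_rules "..." "..." | iptables-restore -n` (the -n keeps the rules already loaded). Keep these rules even once TLS is in place: auto-tls authenticates nobody, and even CA-issued certificates do not stop an attacker from probing the ports.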