Deploying a three-node etcd 3.5.0 TLS cluster on CentOS 7, with an etcd UI for management
This tutorial walks through deploying a three-node etcd 3.5.0 cluster on CentOS 7 with TLS on both the client port and the peer port, and then setting up a web UI for managing and monitoring the cluster.
1. Download etcd 3.5.0
Official release page: https://github.com/etcd-io/etcd/releases/tag/v3.5.0 (the Linux build is the etcd-v3.5.0-linux-amd64.tar.gz archive, which contains the etcd and etcdctl binaries).
2. Deploy etcd 3.5.0
(1) Install etcd
yum install etcd -y
The etcd package in the CentOS 7 extras repository is the 3.3.x series, not 3.5.0. It is still worth installing for its systemd unit, the etcd service user and the /etc/etcd/etcd.conf skeleton; afterwards replace /usr/bin/etcd and /usr/bin/etcdctl with the binaries from the 3.5.0 archive downloaded above and confirm the version with etcd --version.
(2) Configure etcd
Create the configuration file on each of the three machines. The file is the EnvironmentFile read by the packaged systemd unit, and etcd itself reads every ETCD_* variable from its environment, so settings that the unit does not pass as command-line flags still take effect. All four listener URLs use https, and the #[security] block is what actually decides who may connect:
mkdir -p /etc/etcd/cert
# node1
cat > /etc/etcd/etcd.conf <<EOF
#[member]
ETCD_NAME='node1'
ETCD_DATA_DIR='/var/lib/etcd/default.etcd'
ETCD_LISTEN_PEER_URLS='https://192.168.1.11:2380'
ETCD_LISTEN_CLIENT_URLS='https://192.168.1.11:2379'
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS='https://192.168.1.11:2380'
ETCD_INITIAL_CLUSTER='node1=https://192.168.1.11:2380,node2=https://192.168.1.12:2380,node3=https://192.168.1.13:2380'
ETCD_INITIAL_CLUSTER_STATE='new'
ETCD_INITIAL_CLUSTER_TOKEN='my-etcd-token'
ETCD_ADVERTISE_CLIENT_URLS='https://192.168.1.11:2379'
#[security]
ETCD_CERT_FILE='/etc/etcd/cert/node1.pem'
ETCD_KEY_FILE='/etc/etcd/cert/node1-key.pem'
ETCD_TRUSTED_CA_FILE='/etc/etcd/cert/ca.pem'
ETCD_CLIENT_CERT_AUTH='true'
ETCD_PEER_CERT_FILE='/etc/etcd/cert/node1.pem'
ETCD_PEER_KEY_FILE='/etc/etcd/cert/node1-key.pem'
ETCD_PEER_TRUSTED_CA_FILE='/etc/etcd/cert/ca.pem'
ETCD_PEER_CLIENT_CERT_AUTH='true'
EOF
# node2
cat > /etc/etcd/etcd.conf <<EOF
#[member]
ETCD_NAME='node2'
ETCD_DATA_DIR='/var/lib/etcd/default.etcd'
ETCD_LISTEN_PEER_URLS='https://192.168.1.12:2380'
ETCD_LISTEN_CLIENT_URLS='https://192.168.1.12:2379'
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS='https://192.168.1.12:2380'
ETCD_INITIAL_CLUSTER='node1=https://192.168.1.11:2380,node2=https://192.168.1.12:2380,node3=https://192.168.1.13:2380'
ETCD_INITIAL_CLUSTER_STATE='new'
ETCD_INITIAL_CLUSTER_TOKEN='my-etcd-token'
ETCD_ADVERTISE_CLIENT_URLS='https://192.168.1.12:2379'
#[security]
ETCD_CERT_FILE='/etc/etcd/cert/node2.pem'
ETCD_KEY_FILE='/etc/etcd/cert/node2-key.pem'
ETCD_TRUSTED_CA_FILE='/etc/etcd/cert/ca.pem'
ETCD_CLIENT_CERT_AUTH='true'
ETCD_PEER_CERT_FILE='/etc/etcd/cert/node2.pem'
ETCD_PEER_KEY_FILE='/etc/etcd/cert/node2-key.pem'
ETCD_PEER_TRUSTED_CA_FILE='/etc/etcd/cert/ca.pem'
ETCD_PEER_CLIENT_CERT_AUTH='true'
EOF
# node3
cat > /etc/etcd/etcd.conf <<EOF
#[member]
ETCD_NAME='node3'
ETCD_DATA_DIR='/var/lib/etcd/default.etcd'
ETCD_LISTEN_PEER_URLS='https://192.168.1.13:2380'
ETCD_LISTEN_CLIENT_URLS='https://192.168.1.13:2379'
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS='https://192.168.1.13:2380'
ETCD_INITIAL_CLUSTER='node1=https://192.168.1.11:2380,node2=https://192.168.1.12:2380,node3=https://192.168.1.13:2380'
ETCD_INITIAL_CLUSTER_STATE='new'
ETCD_INITIAL_CLUSTER_TOKEN='my-etcd-token'
ETCD_ADVERTISE_CLIENT_URLS='https://192.168.1.13:2379'
#[security]
ETCD_CERT_FILE='/etc/etcd/cert/node3.pem'
ETCD_KEY_FILE='/etc/etcd/cert/node3-key.pem'
ETCD_TRUSTED_CA_FILE='/etc/etcd/cert/ca.pem'
ETCD_CLIENT_CERT_AUTH='true'
ETCD_PEER_CERT_FILE='/etc/etcd/cert/node3.pem'
ETCD_PEER_KEY_FILE='/etc/etcd/cert/node3-key.pem'
ETCD_PEER_TRUSTED_CA_FILE='/etc/etcd/cert/ca.pem'
ETCD_PEER_CLIENT_CERT_AUTH='true'
EOF
Two parts of the #[security] block deserve attention. ETCD_CLIENT_CERT_AUTH='true' makes port 2379 require a client certificate signed by ca.pem; with only ETCD_CERT_FILE and ETCD_KEY_FILE set, TLS encrypts the connection but accepts any client, so anyone who can reach the port has full read and write access to the keyspace. The ETCD_PEER_* settings are required once the peer URLs are https: etcd refuses to open a TLS peer listener without a peer certificate, and ETCD_PEER_CLIENT_CERT_AUTH='true' restricts the peer port to certificate holders as well. The same certificate serves both listeners here, which works because it is issued below with the peer profile (server auth plus client auth).
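As an added check (this is example code written for this page, not part of the tutorial or of etcd), the script below parses an etcd.conf in the EnvironmentFile format used above and reports the TLS settings a reviewer looks for: every listener https, client and peer certificates present, client certificate authentication enabled on both ports, and, when run on a node with check_files=True, key files that are not group- or world-readable. The two embedded configurations are constructed for the example: node1's file, abbreviated, without and with the #[security] settings. The file name etcd_conf_audit.py is an assumption.

```python
"""Audit an etcd.conf (EnvironmentFile format, as above) for the TLS settings
that decide who may talk to the cluster. Added example, not from the page or
from etcd; the two sample configs are constructed (node1's file, abbreviated,
without and with the #[security] block). Paths hit disk only if check_files."""
import os
import stat
from urllib.parse import urlsplit

URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
            "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS")
CLIENT_TLS_KEYS = ("ETCD_CERT_FILE", "ETCD_KEY_FILE", "ETCD_TRUSTED_CA_FILE")
PEER_TLS_KEYS = ("ETCD_PEER_CERT_FILE", "ETCD_PEER_KEY_FILE",
                 "ETCD_PEER_TRUSTED_CA_FILE")


def parse_env_file(text):
    """KEY='v' / KEY="v" / KEY=v lines to a dict; comments and blanks skipped,
    quotes stripped, which is how systemd reads an EnvironmentFile."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def _all_https(conf, key):
    urls = [u for u in conf.get(key, "").split(",") if u]
    return bool(urls) and all(urlsplit(u).scheme == "https" for u in urls)


def audit(conf, check_files=False):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    for key in URL_KEYS:
        if key not in conf:
            findings.append(f"{key}: missing")
        elif not _all_https(conf, key):
            findings.append(f"{key}: not every URL uses https")
    for key in CLIENT_TLS_KEYS:
        if not conf.get(key):
            findings.append(f"{key}: missing, client listener cannot serve TLS")
    if conf.get("ETCD_CLIENT_CERT_AUTH", "").lower() != "true":
        findings.append("ETCD_CLIENT_CERT_AUTH: not 'true', any client reaching "
                        "the client port can read and write the keyspace")
    if _all_https(conf, "ETCD_LISTEN_PEER_URLS"):
        # etcd will not open an https peer listener without a peer certificate.
        for key in PEER_TLS_KEYS:
            if not conf.get(key):
                findings.append(f"{key}: missing, required for https peer URLs")
        if conf.get("ETCD_PEER_CLIENT_CERT_AUTH", "").lower() != "true":
            findings.append("ETCD_PEER_CLIENT_CERT_AUTH: not 'true', peer "
                            "listener accepts connections from any host")
    if check_files:
        # The packaged unit runs etcd as user 'etcd': keys readable by it only.
        for key in ("ETCD_KEY_FILE", "ETCD_PEER_KEY_FILE"):
            path = conf.get(key)
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode) if path else 0
            except OSError as exc:
                findings.append(f"{key}: cannot stat {path} ({exc.strerror})")
                continue
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{key}: {path} is group/world accessible "
                                f"(mode {mode:04o}, expected 0600)")
    return findings


# Constructed: node1's file from the tutorial, abbreviated, without #[security].
WEAK_CONF = """\
ETCD_LISTEN_PEER_URLS='https://192.168.1.11:2380'
ETCD_LISTEN_CLIENT_URLS='https://192.168.1.11:2379'
ETCD_INITIAL_ADVERTISE_PEER_URLS='https://192.168.1.11:2380'
ETCD_ADVERTISE_CLIENT_URLS='https://192.168.1.11:2379'
ETCD_CERT_FILE='/etc/etcd/cert/node1.pem'
ETCD_KEY_FILE='/etc/etcd/cert/node1-key.pem'
ETCD_TRUSTED_CA_FILE='/etc/etcd/cert/ca.pem'
"""

# Constructed: the same file plus the settings that enforce authentication.
HARDENED_CONF = WEAK_CONF + """\
#[security]
ETCD_CLIENT_CERT_AUTH='true'
ETCD_PEER_CERT_FILE='/etc/etcd/cert/node1.pem'
ETCD_PEER_KEY_FILE='/etc/etcd/cert/node1-key.pem'
ETCD_PEER_TRUSTED_CA_FILE='/etc/etcd/cert/ca.pem'
ETCD_PEER_CLIENT_CERT_AUTH='true'
"""

if __name__ == "__main__":
    import sys
    # On a node:  python3 etcd_conf_audit.py /etc/etcd/etcd.conf
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    print("\n".join(audit(parse_env_file(src), check_files=len(sys.argv) > 1)) or "OK")
```

Run without arguments it audits the constructed weak configuration and lists five findings (no client certificate authentication, no peer certificate, key or CA, no peer client authentication); the hardened configuration produces none. On a real node pass the path of /etc/etcd/etcd.conf so that the key file modes are checked too.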
(3) Generate the certificates
The certificates are generated with cfssl and cfssljson (https://github.com/cloudflare/cfssl) on one node and then copied to the others:
cd /etc/etcd/cert
# CA certificate
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "server": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
  "CN": "etcd-ca",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "etcd",
      "OU": "etcd",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# etcd node certificates
cat > etcd-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.1.11",
    "192.168.1.12",
    "192.168.1.13"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "etcd",
      "OU": "etcd",
      "ST": "Beijing"
    }
  ]
}
EOF
# One certificate per node, each with its own key. All three carry the same
# SAN list, so each node's certificate is valid for that node's address.
for n in node1 node2 node3; do
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-csr.json | cfssljson -bare $n
done
The peer profile is the right one here: the same certificate is presented by the node's peer listener and client listener (server auth), by the node when it dials the other peers (client auth), and by etcdctl in step (5). The file names produced (node1.pem, node1-key.pem and so on) are the ones the configuration files in step (2) refer to. Copy ca.pem together with nodeN.pem and nodeN-key.pem into /etc/etcd/cert on node N, owned by the etcd user that the packaged systemd unit runs as, with the key files readable only by that user (mode 0600); a root-only key makes the service fail to start. ca-key.pem does not need to be on any etcd node and should be kept elsewhere, because whoever holds it can issue a client certificate the whole cluster trusts. The 87600h expiry is ten years; shorten it for anything beyond a lab and plan the rotation.
(4) Start etcd
Start etcd on all three machines:
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd
A member started with ETCD_INITIAL_CLUSTER_STATE='new' keeps trying to reach the other two until a majority is up, so start all three close together. If a unit fails, journalctl -u etcd shows why; the usual causes are a key file the etcd user cannot read, a certificate whose SAN list does not contain the node's IP, or https peer URLs without the ETCD_PEER_* files.
(5) Check the cluster
From any one machine, query the endpoints with etcdctl:
ETCDCTL_API=3 etcdctl --endpoints=https://192.168.1.11:2379,https://192.168.1.12:2379,https://192.168.1.13:2379 --cacert=/etc/etcd/cert/ca.pem --cert=/etc/etcd/cert/node1.pem --key=/etc/etcd/cert/node1-key.pem endpoint health
Because client certificate authentication is enabled, --cacert, --cert and --key are all required. Repeating the command without --cert and --key must fail (the listener rejects the connection during the TLS handshake); that failure is the quickest confirmation that unauthenticated clients are really locked out. Replacing endpoint health with endpoint status -w table shows the leader, raft term and database size per member.
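endpoint health only says whether each endpoint answers. The script below is an added example, not from the page or from etcd: it reads the JSON that `etcdctl endpoint status -w json` prints for the three endpoints (same TLS flags as the command above) and checks what health does not: that all members report the same cluster and the same leader and raft term, that no member is lagging or reporting errors, and that no backend store is near the quota at which etcd goes read-only. The two embedded status documents are constructed by hand in the shape etcdctl prints; member IDs, indexes and sizes are made up. The file name check_etcd_status.py is an assumption.

```python
"""Check the cluster from `etcdctl endpoint status -w json` output: one
leader, one raft term, no member lagging or in error, backend below quota.
Added example, not from the page or from etcd; the two status documents
below are constructed by hand in the shape etcdctl prints."""
import json
import sys

DEFAULT_QUOTA_BYTES = 2 * 1024 * 1024 * 1024  # etcd's default --quota-backend-bytes


def check_status(status_json, max_index_lag=10, quota_bytes=DEFAULT_QUOTA_BYTES):
    """Return a list of findings; an empty list means the cluster looks healthy."""
    statuses = [(e["Endpoint"], e["Status"]) for e in json.loads(status_json)]
    findings = []
    cluster_ids = {s["header"]["cluster_id"] for _, s in statuses}
    if len(cluster_ids) != 1:
        findings.append(f"endpoints belong to different clusters: {sorted(cluster_ids)}")
    leaders = {s["leader"] for _, s in statuses}
    member_ids = {s["header"]["member_id"] for _, s in statuses}
    if leaders == {0}:
        findings.append("no leader elected")
    elif len(leaders) != 1:
        findings.append(f"members disagree on the leader: {sorted(leaders)}")
    elif not leaders <= member_ids:
        findings.append(f"leader {leaders.pop()} is not among the queried endpoints")
    terms = {s["raftTerm"] for _, s in statuses}
    if len(terms) != 1:
        findings.append(f"members are on different raft terms: {sorted(terms)}")
    newest = max(s["raftIndex"] for _, s in statuses)
    for endpoint, s in statuses:
        if s.get("errors"):
            findings.append(f"{endpoint} reports errors: {'; '.join(s['errors'])}")
        lag = newest - s["raftIndex"]
        if lag > max_index_lag:
            findings.append(f"{endpoint} is {lag} raft entries behind the most advanced member")
        unapplied = s["raftIndex"] - s["raftAppliedIndex"]
        if unapplied > max_index_lag:
            findings.append(f"{endpoint} has {unapplied} committed entries not yet applied")
        if s["dbSize"] >= 0.8 * quota_bytes:
            findings.append(f"{endpoint} backend at {s['dbSize']} bytes, within 20% of the "
                            f"{quota_bytes}-byte quota (etcd goes read-only at the quota)")
    return findings


def fault_tolerance(member_count):
    """Members that can fail while a quorum (majority) of voters remains."""
    return member_count - (member_count // 2 + 1)


def _entry(ip, member_id, leader, term, index, applied, errors=()):
    """One element in the shape etcdctl prints; all numbers are made up."""
    status = {"header": {"cluster_id": 1001, "member_id": member_id,
                         "revision": index - 200, "raft_term": term},
              "version": "3.5.0", "dbSize": 2252800, "leader": leader,
              "raftIndex": index, "raftTerm": term, "raftAppliedIndex": applied,
              "dbSizeInUse": 1826816}
    if errors:
        status["errors"] = list(errors)
    return {"Endpoint": f"https://{ip}:2379", "Status": status}


# Constructed: all three members agree, node3 two entries behind.
HEALTHY_STATUS = json.dumps([_entry("192.168.1.11", 11, 11, 7, 5200, 5200),
                             _entry("192.168.1.12", 12, 11, 7, 5200, 5200),
                             _entry("192.168.1.13", 13, 11, 7, 5198, 5198)])
# Constructed: node3 partitioned, in its own term with no leader, 300 entries behind.
DEGRADED_STATUS = json.dumps([_entry("192.168.1.11", 11, 11, 8, 5300, 5300),
                              _entry("192.168.1.12", 12, 11, 8, 5300, 5300),
                              _entry("192.168.1.13", 13, 0, 9, 5000, 5000,
                                     errors=("etcdserver: no leader",))])

if __name__ == "__main__":
    # Pipe real output in:  etcdctl ... endpoint status -w json | python3 check_etcd_status.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else DEGRADED_STATUS
    print("\n".join(check_status(raw)) or "cluster looks healthy")
    print(f"cluster can lose {fault_tolerance(len(json.loads(raw)))} member(s) and keep quorum")
```

The healthy document yields no findings; the degraded one yields four (leader disagreement, two raft terms, node3's error list and node3's 300-entry lag). fault_tolerance is the reason this tutorial uses three members: a three-member cluster survives one failure, a five-member cluster two, and a fourth member adds nothing.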
3. Deploy the etcd UI
(1) Download etcd-ui
git clone https://github.com/soyking/etcd-ui.git
(2) Edit the etcd-ui configuration
cd etcd-ui
cp config.sample.json config.json
vi config.json
Set the etcd endpoints and certificate paths in config.json:
{
  "etcd": {
    "hosts": [
      "https://192.168.1.11:2379",
      "https://192.168.1.12:2379",
      "https://192.168.1.13:2379"
    ],
    "tls": {
      "cert": "/etc/etcd/cert/node1.pem",
      "key": "/etc/etcd/cert/node1-key.pem",
      "caCert": "/etc/etcd/cert/ca.pem"
    }
  },
  "port": 8000,
  "logLevel": "INFO"
}
(3) Install dependencies
npm install
(4) Start etcd-ui
npm start
Then open http://your_ip:8000 in a browser.
Keep in mind what this exposes. The UI connects with node1's certificate, so it has the same full read and write access to the keyspace that etcdctl has in step (5), the configuration above does not authenticate users of the UI itself, and port 8000 is plain HTTP. Restrict who can reach the port (a host firewall, or a reverse proxy that terminates TLS and requires a login) rather than leaving it open on the network, and prefer a dedicated certificate issued with the client profile from step (3) over a node's own certificate, so the node key never leaves the node.
4. Tuning etcd
(1) Network
Write latency in etcd is bounded by the round trip to a quorum of members, so keep the members on a low-latency link (gigabit or better, normally in the same network) and do not stretch a cluster across links with unpredictable latency.
(2) Storage
Every write is fsynced to the write-ahead log before it is acknowledged, so what matters is fdatasync latency rather than throughput: use local SSD or NVMe. RAID 0 adds throughput but no redundancy, which is tolerable only because the cluster replicates the data across members; network-attached or distributed storage generally makes fsync latency worse and is best avoided for the data directory.
(3) Configuration
Tune --heartbeat-interval and --election-timeout to the measured round-trip time between members (defaults 100 ms and 1000 ms; the election timeout should be at least ten times the RTT and must be the same on every member). Raise --max-request-bytes (default 1.5 MiB) only if clients really store large values, and pair --quota-backend-bytes (default 2 GB) with --auto-compaction-retention so the backend does not reach the quota, at which point the cluster stops accepting writes until the alarm is cleared.
(4) Monitoring and alerting
Each member exposes Prometheus metrics at the /metrics path of its client URL (or on a separate address given by --listen-metrics-urls). Scrape them with Prometheus, visualize with Grafana, and alert on leader changes, absence of a leader, high WAL fsync and peer round-trip latency, and backend size approaching the quota, so problems are seen before the cluster loses quorum or goes read-only.
Source: https://www.cveoy.top/t/topic/ndAJ. Copyright belongs to the author; do not repost or scrape.