{"id":365,"date":"2023-05-20T17:14:56","date_gmt":"2023-05-20T09:14:56","guid":{"rendered":"https:\/\/www.bunnyism.com\/?p=365"},"modified":"2024-12-18T21:53:23","modified_gmt":"2024-12-18T13:53:23","slug":"k8s%e4%ba%8c%e8%bf%9b%e5%88%b6%e6%90%ad%e5%bb%ba%e8%af%a6%e7%bb%86%e6%b5%81%e7%a8%8b","status":"publish","type":"post","link":"https:\/\/www.bunnyism.com\/?p=365","title":{"rendered":"k8s\u4e8c\u8fdb\u5236\u642d\u5efa\u8be6\u7ec6\u6d41\u7a0b (etcd\u7bc7 v3.4.13) \uff08\u6d4b\u8bd5\u73af\u5883\uff09"},"content":{"rendered":"

\u600e\u4e48\u4f7f\u7528\u4e8c\u8fdb\u5236\u642d\u5efak8s\u60f3\u5fc5\u5927\u5bb6\u4e00\u5b9a\u542c\u8bf4\u8fc7\u5b83\u7684\u5730\u72f1\u96be\u5ea6<\/p>\n

\u63a5\u4e0b\u6765 \u6211\u6765\u5e26\u9886\u5927\u5bb6\u6765\u642d\u5efa\u4e00\u4e0b \u6765\u4f53\u9a8c\u611f\u53d7\u4e0b\u6709\u591a\u96be<\/p>\n

etcd\u642d\u5efa<\/h1>\n

gitlab\u5730\u5740: \u00a0 https:\/\/github.com\/etcd-io\/etcd<\/a><\/p>\n

\u6d4b\u8bd5\u73af\u5883<\/h2>\n
192.168.32.11 master1 2C4G CentOS7.9 master kube-apiserver\u3001kube-controller-manager\u3001kube-scheduler\u3001etcd\r\n192.168.32.12 msater2 2C4G CentOS7.9 master kube-apiserver\u3001kube-controller-manager\u3001kube-scheduler\u3001etcd\r\n192.168.32.13 master3 2C4G CentOS7.9 master kube-apiserver\u3001kube-controller-manager\u3001kube-scheduler\u3001etcd\r\n192.168.32.14 node1 2C4G CentOS7.9 worker kubelet\u3001kube-proxy\r\n192.168.32.15 node2 2C4G CentOS7.9 worker kubelet\u3001kube-proxy\r\n192.168.32.16 node2 2C4G CentOS7.9 worker kubelet\u3001kube-proxy\r\n192.168.32.17 proxy1 2C4G CentOS7.9 keepalived haproxy\r\n192.168.32.18 proxy2 2C4G CentOS7.9 keepalived haproxy<\/pre>\n
\u4fee\u6539\u4e3b\u673a\u540d<\/h2>\n
hostnamectl set-hostname master1\r\nhostnamectl set-hostname node1\r\nhostnamectl set-hostname proxy1<\/pre>\n
\u57fa\u7840\u914d\u7f6e<\/h2>\n
\u914d\u7f6ehosts\u89e3\u6790<\/h3>\n
\n
cat >> \/etc\/hosts << EOF \r\n<\/span>192.168.32.11 master1 \r\n<\/span>192.168.32.12 master2 \r\n<\/span>192.168.32.13 master3 \r\n<\/span>192.168.32.14 node1 \r\n<\/span>192.168.32.15 node2 \r\n<\/span>192.168.32.16 node3 \r\n<\/span>192.168.32.17 proxy1 \r\n<\/span>192.168.32.18 proxy2 \r\nEOF\r\n<\/span><\/pre>\n
\n
\u5173\u95ed\u9632\u706b\u5899\u548cselinux<\/span><\/h3>\n
systemctl stop firewalld && setenforce 0 && sed -i 's\/^SELINUX=.\\*\/SELINUX=disabled\/' \/etc\/selinux\/config && systemctl disable firewalld<\/pre>\n
\u5173\u95ed\u4ea4\u6362\u5206\u533a<\/h3>\n
sed -ri '\/^[^#]*swap\/s@^@#@' \/etc\/fstab && swapoff -a<\/pre>\n<\/div>\n<\/div>\n
\u65f6\u95f4\u540c\u6b65<\/h3>\n
yum install -y chrony\r\nsystemctl start chronyd\r\nsystemctl enable chronyd\r\nchronyc sources<\/pre>\n
\u4fee\u6539\u5185\u6838\u53c2\u6570<\/h3>\n
cat > \/etc\/sysctl.d\/k8s.conf << EOF\r\nnet.ipv4.ip_forward = 1\r\nnet.bridge.bridge-nf-call-ip6tables = 1\r\nnet.bridge.bridge-nf-call-iptables = 1\r\nEOF\r\nsysctl --system<\/pre>\n
ipvs\u6a21\u5757\u914d\u7f6e<\/h3>\n
modprobe -- ip_vs\r\nmodprobe -- ip_vs_rr\r\nmodprobe -- ip_vs_wrr\r\nmodprobe -- ip_vs_sh\r\nmodprobe -- nf_conntrack_ipv4\r\nlsmod | grep ip_vs\r\nlsmod | grep nf_conntrack_ipv4\r\nyum install -y ipvsadm<\/pre>\n
\u521b\u5efaetcd\u8bc1\u4e66<\/h2>\n
\u5de5\u5177\u4e0b\u8f7d<\/h3>\n
unzip oldboyedu-cfssl-v1.6.5.zip \r\nyum install rename\r\nrename -v \"s\/_1.6.5_linux_amd64\/\/g\" cfssl*\r\nmv cfssl* \/usr\/local\/bin\/\r\nchmod +x \/usr\/local\/bin\/cfssl*\r\nll \/usr\/local\/bin\/cfssl*<\/pre>\n
\u914d\u7f6eca\u8bf7\u6c42\u6587\u4ef6<\/h3>\n
cd \/data\/work\r\ncat > etcd-ca-csr.json <<EOF\r\n{\r\n\"CN\": \"etcd\",\r\n\"key\": {\r\n\"algo\": \"rsa\",\r\n\"size\": 2048\r\n},\r\n\"names\": [\r\n{\r\n\"C\": \"CN\",\r\n\"ST\": \"Beijing\",\r\n\"L\": \"Beijing\",\r\n\"O\": \"etcd\",\r\n\"OU\": \"Etcd Security\"\r\n}\r\n],\r\n\"ca\": {\r\n\"expiry\": \"876000h\"\r\n}\r\n}\r\nEOF\r\n<\/code><\/pre>\n
\u751f\u6210\u8bc1\u4e66<\/h3>\n
mkdir etcd \r\ncfssl gencert -initca ca-csr.json | cfssljson -bare etcd\/ca<\/pre>\n
\u914d\u7f6eca\u8bc1\u4e66\u7b56\u7565<\/h3>\n
vim ca-config.json\r\n{\r\n\"signing\": {\r\n\"default\": {\r\n\"expiry\": \"87600h\"\r\n},\r\n\"profiles\": {\r\n\"kubernetes\": {\r\n\"usages\": [\r\n\"signing\",\r\n\"key encipherment\",\r\n\"server auth\",\r\n\"client auth\"\r\n],\r\n\"expiry\": \"87600h\"\r\n}\r\n}\r\n}\r\n}<\/pre>\n
\u914d\u7f6eetcd\u8bf7\u6c42csr\u6587\u4ef6<\/h3>\n
vim etcd-csr.json\r\n{\r\n\"CN\": \"etcd\",\r\n\"hosts\": [\r\n\"127.0.0.1\",\r\n\"192.168.32.11\",\r\n\"192.168.32.12\",\r\n\"192.168.32.13\"\r\n],\r\n\"key\": {\r\n\"algo\": \"rsa\",\r\n\"size\": 2048\r\n},\r\n\"names\": [{\r\n\"C\": \"CN\",\r\n\"ST\": \"Hubei\",\r\n\"L\": \"Wuhan\",\r\n\"O\": \"k8s\",\r\n\"OU\": \"system\"\r\n}]\r\n}<\/pre>\n
\u751f\u6210\u8bc1\u4e66<\/h3>\n
 cfssl gencert -ca=etcd\/ca.pem -ca-key=etcd\/ca-key.pem -conetes etcd-csr.json | cfssljson -bare etcd<\/pre>\n
\u90e8\u7f72etcd\u96c6\u7fa4<\/h2>\n
wget https:\/\/github.com\/etcd-io\/etcd\/releases\/download\/v3.4.13\/etcd-v3.4.13-linux-amd64.tar.gz\r\ntar -xf etcd-v3.4.13-linux-amd64.tar.gz \r\ncp -p etcd-v3.4.13-linux-amd64\/etcd* \/usr\/local\/bin\/\r\nrsync -vaz etcd-v3.4.13-linux-amd64\/etcd* master2:\/usr\/local\/bin\/\r\nrsync -vaz etcd-v3.4.13-linux-amd64\/etcd* master3:\/usr\/local\/bin\/\r\n<\/pre>\n
\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/h3>\n
#[Member]\r\nETCD_NAME=\"etcd1\"\r\nETCD_DATA_DIR=\"\/var\/lib\/etcd\/default.etcd\"\r\nETCD_LISTEN_PEER_URLS=\"https:\/\/192.168.32.11:2380\"\r\nETCD_LISTEN_CLIENT_URLS=\"https:\/\/192.168.32.11:2379,http:\/\/127.0.0.1:2379\"\r\n\r\n#[Clustering]\r\nETCD_INITIAL_ADVERTISE_PEER_URLS=\"https:\/\/192.168.32.11:2380\"\r\nETCD_ADVERTISE_CLIENT_URLS=\"https:\/\/192.168.32.11:2379\"\r\nETCD_INITIAL_CLUSTER=\"etcd1=https:\/\/192.168.32.11:2380,etcd2=https:\/\/192.168.32.12:2380,etcd3=https:\/\/192.168.32.1\r\n3:2380\"\r\nETCD_INITIAL_CLUSTER_TOKEN=\"etcd-cluster\"\r\nETCD_INITIAL_CLUSTER_STATE=\"new\"<\/pre>\n
ETCD_NAME\uff1a\u8282\u70b9\u540d\u79f0\uff0c\u96c6\u7fa4\u4e2d\u552f\u4e00
\nETCD_DATA_DIR\uff1a\u6570\u636e\u76ee\u5f55
\nETCD_LISTEN_PEER_URLS\uff1a\u96c6\u7fa4\u901a\u4fe1\u76d1\u542c\u5730\u5740
\nETCD_LISTEN_CLIENT_URLS\uff1a\u5ba2\u6237\u7aef\u8bbf\u95ee\u76d1\u542c\u5730\u5740
\nETCD_INITIAL_ADVERTISE_PEER_URLS\uff1a\u96c6\u7fa4\u901a\u544a\u5730\u5740
\nETCD_ADVERTISE_CLIENT_URLS\uff1a\u5ba2\u6237\u7aef\u901a\u544a\u5730\u5740
\nETCD_INITIAL_CLUSTER\uff1a\u96c6\u7fa4\u8282\u70b9\u5730\u5740
\nETCD_INITIAL_CLUSTER_TOKEN\uff1a\u96c6\u7fa4Token
\nETCD_INITIAL_CLUSTER_STATE\uff1a\u52a0\u5165\u96c6\u7fa4\u7684\u5f53\u524d\u72b6\u6001\uff0cnew\u662f\u65b0\u96c6\u7fa4\uff0cexisting\u8868\u793a\u52a0\u5165\u5df2\u6709\u96c6\u7fa4<\/p><\/blockquote>\n
\u521b\u5efa\u542f\u52a8\u670d\u52a1\u6587\u4ef6<\/h3>\n
\u62f7\u8d1d\u76f8\u5173\u6587\u4ef6<\/h3>\n
cp etcd-key.pem \/etc\/etcd\/ssl\r\ncp etcd.pem \/etc\/etcd\/ssl\r\ncp etcd\/* \/etc\/etcd\/ssl\r\ncp etcd.conf \/etc\/etcd\r\nmkdir -p \/var\/lib\/etcd\/default.etcd\r\nfor i in master2 master3;do rsync -vaz \/etc\/etcd\/etcd.conf $i:\/etc\/etcd\/;done\r\nfor i in master2 master3;do rsync -vaz \/etc\/etcd\/ssl\/* $i:\/etc\/etcd\/ssl\/;done\r\nfor i in master2 master3;do rsync -vaz \/usr\/lib\/systemd\/system\/etcd.service $i:\/usr\/lib\/systemd\/system\/;done\r\nfor i in master2 master3;do rsync -vaz \/var\/lib\/etcd\/default.etcd $i:\/var\/lib\/etcd\/default.etcd;done<\/pre>\n
\u7f16\u5199\u542f\u52a8\u6587\u4ef6<\/h3>\n
[Unit]\r\nDescription=Etcd Server\r\nAfter=network.target\r\nAfter=network-online.target\r\nWants=network-online.target\r\n\r\n[Service]\r\nType=notify\r\nEnvironmentFile=-\/etc\/etcd\/etcd.conf\r\nWorkingDirectory=\/var\/lib\/etcd\/\r\nExecStart=\/usr\/local\/bin\/etcd \\\r\n--cert-file=\/etc\/etcd\/ssl\/etcd.pem \\\r\n--key-file=\/etc\/etcd\/ssl\/etcd-key.pem \\\r\n--trusted-ca-file=\/etc\/etcd\/ssl\/ca.pem \\\r\n--peer-cert-file=\/etc\/etcd\/ssl\/etcd.pem \\\r\n--peer-key-file=\/etc\/etcd\/ssl\/etcd-key.pem \\\r\n--peer-trusted-ca-file=\/etc\/etcd\/ssl\/ca.pem \\\r\n--peer-client-cert-auth \\\r\n--client-cert-auth\r\nRestart=on-failure\r\nRestartSec=5\r\nLimitNOFILE=65536\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/pre>\n
\u5176\u4ed6\u4e24\u4e2a\u8282\u70b9\u4fee\u6539\u914d\u7f6e\u6587\u4ef6\u7684\u8282\u70b9\u540d\u79f0\u548cip \u5e76\u4e14\u521b\u5efa \/var\/lib\/etcd\/default.etcd<\/p>\n
\u542f\u52a8etcd\u96c6\u7fa4<\/h3>\n
mkdir -p \/var\/lib\/etcd\/default.etcd\r\nsystemctl daemon-reload\r\nsystemctl enable etcd.service\r\nsystemctl start etcd.service\r\nsystemctl status etcd<\/pre>\n
\u67e5\u770b\u8282\u70b9\u72b6\u6001<\/h3>\n
 ETCDCTL_API=3 \/usr\/local\/bin\/etcdctl --write-out=table --cacert=\/etc\/etcd\/ssl\/ca.pem --cert=\/etc\/etcd\/ssl\/etcd.pem --key=\/etc\/etcd\/ssl\/etcd-key.pem --endpoints=https:\/\/192.168.32.11:2379,https:\/\/192.168.32.12:2379,https:\/\/192.168.32.13:2379 endpoint health<\/pre>\n
 +----------------------------+--------+------------+-------+\r\n| ENDPOINT | HEALTH | TOOK | ERROR |\r\n+----------------------------+--------+------------+-------+\r\n| https:\/\/192.168.32.11:2379 | true | 7.708613ms | |\r\n| https:\/\/192.168.32.12:2379 | true | 7.790347ms | |\r\n| https:\/\/192.168.32.13:2379 | true | 9.038279ms | |\r\n+----------------------------+--------+------------+-------+<\/pre>\n
\u4e0b\u4e00\u7ae0\u5c06\u914d\u7f6ek8s\u7684\u7ec4\u4ef6\u5b89\u88c5~<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
\u600e\u4e48\u4f7f\u7528\u4e8c\u8fdb\u5236\u642d\u5efak8s\u60f3\u5fc5\u5927\u5bb6\u4e00\u5b9a\u542c\u8bf4\u8fc7\u5b83\u7684\u5730\u72f1\u96be\u5ea6 \u63a5\u4e0b\u6765 \u6211\u6765\u5e26\u9886\u5927\u5bb6\u6765\u642d\u5efa\u4e00\u4e0b \u6765\u4f53\u9a8c\u611f\u53d7\u4e0b\u6709\u591a\u96be e […]<\/p>\n","protected":false},"author":1,"featured_media":368,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-365","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-k8s"],"_links":{"self":[{"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/posts\/365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=365"}],"version-history":[{"count":77,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/posts\/365\/revisions"}],"predecessor-version":[{"id":475,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/posts\/365\/revisions\/475"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/media\/368"}],"wp:attachment":[{"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}