导航：首页 > 服务器 >

K8S集群安装之安装主控节点etcd服务

发表于：2025-12-02 作者：千家信息网编辑

千家信息网最后更新 2025年12月02日，一、在根证书服务器上创建基于根证书的config配置文件200 certs]# cd /opt/certs/200 certs]# vi /opt/certs/ca-config.json{ "

千家信息网最后更新 2025年12月02日K8S集群安装之安装主控节点etcd服务

一、在根证书服务器上创建基于根证书的config配置文件

200 certs]# cd /opt/certs/200 certs]# vi /opt/certs/ca-config.json{    "signing": {        "default": {            "expiry": "175200h"        },        "profiles": {            "server": {                "expiry": "175200h",                "usages": [                    "signing",                    "key encipherment",                    "server auth"                ]            },            "client": {                "expiry": "175200h",                "usages": [                    "signing",                    "key encipherment",                    "client auth"                ]            },            "peer": {                "expiry": "175200h",                "usages": [                    "signing",                    "key encipherment",                    "server auth",                    "client auth"                ]            }        }    }}

二、创建etcd自签证书签名请求csr的json配置文件

200 certs]# vi etcd-peer-csr.json{    "CN": "k8s-etcd",    "hosts": [        "10.3.153.212",        "10.3.153.221",        "10.3.153.222"    ],    "key": {        "algo": "rsa",        "size": 2048    },    "names": [        {            "C": "CN",            "ST": "beijing",            "L": "beijing",            "O": "od",            "OU": "ops"        }    ]}200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer[root@test-operator certs]# ll | grep etcd-peer-rw-r--r-- 1 root root 1062 Feb  1 00:19 etcd-peer.csr-rw-r--r-- 1 root root  375 Feb  1 00:15 etcd-peer-csr.json-rw------- 1 root root 1675 Feb  1 00:19 etcd-peer-key.pem    #证书私钥-rw-r--r-- 1 root root 1428 Feb  1 00:19 etcd-peer.pem            #证书文件

三、分别在三台主机上安装etcd服务

# 212/221/222机器：~]# mkdir /opt/src~]# cd /opt/src/src]# useradd -s /sbin/nologin -M etcdsrc]# id etcd# 到GitHub下载或者直接用我给得安装包 https://github.com/etcd-io/etcd/tagssrc]# tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /optopt]# mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20opt]# ln -s /opt/etcd-v3.1.20/ /opt/etcdopt]# cd etcd~~~~~~# 212/221/222机器：etcd]# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-serveretcd]# cd certs/certs]# scp 10.3.153.200:/opt/certs/ca.pem .# 输入200虚机密码certs]# scp 10.3.153.200:/opt/certs/etcd-peer.pem .certs]# scp 10.3.153.200:/opt/certs/etcd-peer-key.pem .certs]# cd ..etcd]# vi /opt/etcd/etcd-server-startup.sh# 注意，如果是21机器，这下面得12都得改成21，initial-cluster则是全部机器都有，不需要改，一共5处#!/bin/sh./etcd --name etcd-server-7-12 \       --data-dir /data/etcd/etcd-server \       --listen-peer-urls https://10.3.153.212:2380 \       --listen-client-urls https://10.3.153.212:2379,http://127.0.0.1:2379 \       --quota-backend-bytes 8000000000 \       --initial-advertise-peer-urls https://10.3.153.212:2380 \       --advertise-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \       --initial-cluster  etcd-server-7-12=https://10.3.153.212:2380,etcd-server-7-21=https://10.3.153.221:2380,etcd-server-7-22=https://10.3.153.222:2380 \       --ca-file ./certs/ca.pem \       --cert-file ./certs/etcd-peer.pem \       --key-file ./certs/etcd-peer-key.pem \       --client-cert-auth  \       --trusted-ca-file ./certs/ca.pem \       --peer-ca-file ./certs/ca.pem \       --peer-cert-file ./certs/etcd-peer.pem \       --peer-key-file ./certs/etcd-peer-key.pem \       --peer-client-cert-auth \       --peer-trusted-ca-file ./certs/ca.pem \       --log-output stdoutetcd]# chmod +x etcd-server-startup.shetcd]# chown -R etcd.etcd /opt/etcd-v3.1.20/etcd]# chown -R etcd.etcd /data/etcd/etcd]# chown -R etcd.etcd /data/logs/etcd-server/~~~~~~# 212/221/222机器：etcd]# yum install supervisor -y        #用于把服务以后台服务启动etcd]# systemctl start supervisord etcd]# systemctl enable supervisordetcd]# vi /etc/supervisord.d/etcd-server.ini# 注意修改下面得7-12，对应上机器，如21机器就是7-21，一共一处[program:etcd-server-7-12]command=/opt/etcd/etcd-server-startup.sh                        ; the program (relative uses PATH, can take args)numprocs=1                                                      ; number of processes copies to start (def 1)directory=/opt/etcd                                             ; directory to cwd to before exec (def no cwd)autostart=true                                                  ; start at supervisord start (default: true)autorestart=true                                                ; retstart at unexpected quit (default: true)startsecs=30                                                    ; number of secs prog must stay running (def. 1)startretries=3                                                  ; max # of serial start failures (default 3)exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)stopsignal=QUIT                                                 ; signal used to kill process (default TERM)stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)user=etcd                                                       ; setuid to this UNIX account to run the programredirect_stderr=true                                            ; redirect proc stderr to stdout (default false)stdout_logfile=/data/logs/etcd-server/etcd.stdout.log           ; stdout log path, NONE for none; default AUTOstdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)stdout_events_enabled=false                                     ; emit events on stdout writes (default false)12 etcd]# supervisorctl update# out：etcd-server-7-21: added process group12 etcd]# supervisorctl status# out: etcd-server-7-12                 RUNNING   pid 16582, uptime 0:00:5912 etcd]# netstat -luntp|grep etcd# 必须是监听了2379和2380这两个端口才算成功12 etcd]# etcd-server-7-12: added process group~~~~~~# 任意节点检测集群健康状态的两种方法22 etcd]# ./etcdctl cluster-health[root@test-nodes1 etcd]# ./etcdctl cluster-healthmember 3657c30473e13ab3 is healthy: got healthy result from http://127.0.0.1:2379member 6cbe98b6a135fd14 is healthy: got healthy result from http://127.0.0.1:2379member b7ffbb00070336e7 is healthy: got healthy result from http://127.0.0.1:2379cluster is healthy22 etcd]# ./etcdctl member list[root@test-nodes1 etcd]# ./etcdctl member list3657c30473e13ab3: name=etcd-server-7-12 peerURLs=https://10.3.153.212:2380 clientURLs=http://127.0.0.1:2379,https://10.3.153.212:2379 isLeader=false6cbe98b6a135fd14: name=etcd-server-7-21 peerURLs=https://10.3.153.221:2380 clientURLs=http://127.0.0.1:2379,https://10.3.153.221:2379 isLeader=falseb7ffbb00070336e7: name=etcd-server-7-22 peerURLs=https://10.3.153.222:2380 clientURLs=http://127.0.0.1:2379,https://10.3.153.222:2379 isLeader=true

很赞哦！