etcd集群(TLS)搭建和使用

环境

| name  | ip             | os      |
| ----- | -------------- | ------- |
| etcd1 | 192.168.79.103 | centos7 |
| etcd2 | 192.168.79.104 | centos7 |
| etcd3 | 192.168.79.105 | centos7 |

以下操作默认在etcd1执行

1、安装cfssl

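# Install the cfssl / cfssljson binaries (run on etcd1 only) and create the
# working directory that holds every PKI file produced in the next steps.
rm -f /tmp/cfssl* && rm -rf /tmp/certs && mkdir -p /tmp/certs

# -f: fail on an HTTP error instead of saving the error page and then marking
#     it executable below; -sS: quiet, but still print real errors.
curl -fsSL https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /tmp/cfssl
curl -fsSL https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /tmp/cfssljson

# Optional integrity check before the binaries land in PATH; fill in the
# digests published for the release you downloaded.
# echo "<EXPECTED_SHA256_CFSSL>  /tmp/cfssl" | sha256sum -c -
# echo "<EXPECTED_SHA256_CFSSLJSON>  /tmp/cfssljson" | sha256sum -c -

chmod +x /tmp/cfssl /tmp/cfssljson
sudo mv /tmp/cfssl /tmp/cfssljson /usr/local/bin/

# Smoke test: both tools should answer from their installed location.
/usr/local/bin/cfssl version
/usr/local/bin/cfssljson -h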

2、生成CA证书

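# Create the self-signed root CA.
# Output: /tmp/certs/etcd-root-ca.pem     (public cert, distributed to all nodes)
#         /tmp/certs/etcd-root-ca-key.pem (CA private key, must stay on this host)
mkdir -p /tmp/certs

# NOTE(review): X.509 "C" is conventionally a two-letter ISO 3166 code; the
# value is kept exactly as the guide has it — confirm against your naming policy.
# Quoted delimiter: nothing in the JSON should be expanded by the shell.
cat > /tmp/certs/etcd-root-ca-csr.json <<'EOF'
{
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "etcd",
      "OU": "etcd",
      "L": "Guangzhou",
      "ST": "Guangdong",
      "C": "china"
    }
  ],
  "CN": "etcd-root-ca"
}
EOF
# umask in a subshell so the CA key is created owner-only without changing the
# umask of the interactive session.
(umask 077; cfssl gencert --initca=true /tmp/certs/etcd-root-ca-csr.json | cfssljson --bare /tmp/certs/etcd-root-ca)
# A pipeline only reports cfssljson's status, so check the expected outputs exist.
[[ -s /tmp/certs/etcd-root-ca.pem && -s /tmp/certs/etcd-root-ca-key.pem ]] || echo "CA generation failed" >&2

# verify
openssl x509 -in /tmp/certs/etcd-root-ca.pem -text -noout

# cert-generation configuration: a single default profile whose certificates
# are valid for both server and client auth; "expiry" 87600h is 10 years.
cat > /tmp/certs/etcd-gencert.json <<'EOF'
{
  "signing": {
    "default": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
    }
  }
}
EOF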


3、颁发证书

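# Issue the node certificate. The same cert/key is used on every node for the
# client-facing listener, the peer listener and (later) as etcdctl's client
# credential. "hosts" becomes the SAN list, so every IP a client or peer dials
# must appear here.
cat > /tmp/certs/etcd-ca-csr.json <<'EOF'
{
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "etcd",
      "OU": "etcd",
      "L": "Guangzhou",
      "ST": "Guangdong",
      "C": "china"
    }
  ],
  "CN": "etcd",
  "hosts": [
    "192.168.79.103",
    "192.168.79.104",
    "192.168.79.105"
  ]
}
EOF

# Sign with the root CA using the default profile from etcd-gencert.json.
# Output: /tmp/certs/server.pem and /tmp/certs/server-key.pem (key owner-only).
(umask 077; cfssl gencert \
  --ca /tmp/certs/etcd-root-ca.pem \
  --ca-key /tmp/certs/etcd-root-ca-key.pem \
  --config /tmp/certs/etcd-gencert.json \
  /tmp/certs/etcd-ca-csr.json | cfssljson --bare /tmp/certs/server)
# A pipeline only reports cfssljson's status, so check the expected outputs exist.
[[ -s /tmp/certs/server.pem && -s /tmp/certs/server-key.pem ]] || echo "server cert generation failed" >&2

# verify (full dump, then just the SAN entries — they must list all three node IPs)
openssl x509 -in /tmp/certs/server.pem -text -noout
openssl x509 -in /tmp/certs/server.pem -text -noout | grep -A1 'Subject Alternative Name'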

4、复制证书到另外两台主机

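# Copy only what the other nodes need: the CA *public* cert plus the node
# cert/key. The CA private key (etcd-root-ca-key.pem) is not needed to run etcd
# and stays on etcd1; copying the whole directory would ship it to every node.
# mkdir -p first: if /tmp/certs already exists remotely, "scp -r /tmp/certs/"
# would nest the files under /tmp/certs/certs instead.
for host in 192.168.79.104 192.168.79.105; do
  ssh "root@${host}" 'mkdir -p /tmp/certs'
  scp /tmp/certs/etcd-root-ca.pem /tmp/certs/server.pem /tmp/certs/server-key.pem \
    "root@${host}:/tmp/certs/"
done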

5、安装etcd

# 三台主机都需要安装

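# Download and unpack the etcd release into /tmp/test-etcd (run on all three hosts).
ETCD_VER=v3.5.1
# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/coreos/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}
TARBALL="/tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz"

rm -f "${TARBALL}"
rm -rf /tmp/test-etcd && mkdir -p /tmp/test-etcd

# -f: an HTTP error must not be saved and then unpacked as if it were the archive.
curl -fL "${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz" -o "${TARBALL}"
# Optional: compare with the digest published alongside the release before unpacking.
# echo "<EXPECTED_SHA256>  ${TARBALL}" | sha256sum -c -
tar xzvf "${TARBALL}" -C /tmp/test-etcd --strip-components=1

# Binaries are used from /tmp/test-etcd below; uncomment to install them on PATH.
# sudo cp /tmp/test-etcd/etcd* [YOUR_EXEC_DIR]
# sudo mkdir -p /usr/local/bin/ && sudo cp /tmp/test-etcd/etcd* /usr/local/bin/

/tmp/test-etcd/etcd --version
ETCDCTL_API=3 /tmp/test-etcd/etcdctl version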

6、使用systemd运行etcd

# 如果集群是新的,则删除此目录;如果重新启动 etcd,则保留
# rm -rf /tmp/etcd/data

etcd1的配置文件

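# systemd unit for etcd1 (etcd2/etcd3 below differ only in --name and IPs).
# Quoted delimiter: the backslash continuations are written to the file as-is
# (an unquoted heredoc would join them into one line); systemd accepts either.
# [Unit] orders startup after the network is up. [Install] is needed for the
# "systemctl enable" step later: without a WantedBy= target systemd reports
# that the unit has no [Install] section and does not enable it.
# NOTE(review): the service runs as root (no User=) with state under /tmp, which
# is fine for this test cluster only; use a dedicated user and a persistent
# data directory for anything else.
cat > /tmp/etcd.service <<'EOF'
[Unit]
Description=etcd key-value store (etcd1)
Documentation=https://github.com/etcd-io/etcd
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0

ExecStart=/tmp/test-etcd/etcd --name etcd1 \
  --data-dir /tmp/etcd/data \
  --listen-client-urls https://192.168.79.103:2379 \
  --advertise-client-urls https://192.168.79.103:2379 \
  --listen-peer-urls https://192.168.79.103:2380 \
  --initial-advertise-peer-urls https://192.168.79.103:2380 \
  --initial-cluster etcd1=https://192.168.79.103:2380,etcd2=https://192.168.79.104:2380,etcd3=https://192.168.79.105:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new \
  --client-cert-auth \
  --trusted-ca-file /tmp/certs/etcd-root-ca.pem \
  --cert-file /tmp/certs/server.pem \
  --key-file /tmp/certs/server-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file /tmp/certs/etcd-root-ca.pem \
  --peer-cert-file /tmp/certs/server.pem \
  --peer-key-file /tmp/certs/server-key.pem

[Install]
WantedBy=multi-user.target
EOF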

etcd2的配置文件

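# systemd unit for etcd2.
# Quoted delimiter: the backslash continuations are written to the file as-is
# (an unquoted heredoc would join them into one line); systemd accepts either.
# [Install] is needed for the "systemctl enable" step later: without a WantedBy=
# target systemd reports that the unit has no [Install] section and does not
# enable it.
# NOTE(review): runs as root (no User=) with state under /tmp — test cluster only.
cat > /tmp/etcd.service <<'EOF'
[Unit]
Description=etcd key-value store (etcd2)
Documentation=https://github.com/etcd-io/etcd
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0

ExecStart=/tmp/test-etcd/etcd --name etcd2 \
  --data-dir /tmp/etcd/data \
  --listen-client-urls https://192.168.79.104:2379 \
  --advertise-client-urls https://192.168.79.104:2379 \
  --listen-peer-urls https://192.168.79.104:2380 \
  --initial-advertise-peer-urls https://192.168.79.104:2380 \
  --initial-cluster etcd1=https://192.168.79.103:2380,etcd2=https://192.168.79.104:2380,etcd3=https://192.168.79.105:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new \
  --client-cert-auth \
  --trusted-ca-file /tmp/certs/etcd-root-ca.pem \
  --cert-file /tmp/certs/server.pem \
  --key-file /tmp/certs/server-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file /tmp/certs/etcd-root-ca.pem \
  --peer-cert-file /tmp/certs/server.pem \
  --peer-key-file /tmp/certs/server-key.pem

[Install]
WantedBy=multi-user.target
EOF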

etcd3的配置文件

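# systemd unit for etcd3.
# Quoted delimiter: the backslash continuations are written to the file as-is
# (an unquoted heredoc would join them into one line); systemd accepts either.
# [Install] is needed for the "systemctl enable" step later: without a WantedBy=
# target systemd reports that the unit has no [Install] section and does not
# enable it.
# NOTE(review): runs as root (no User=) with state under /tmp — test cluster only.
cat > /tmp/etcd.service <<'EOF'
[Unit]
Description=etcd key-value store (etcd3)
Documentation=https://github.com/etcd-io/etcd
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0

ExecStart=/tmp/test-etcd/etcd --name etcd3 \
  --data-dir /tmp/etcd/data \
  --listen-client-urls https://192.168.79.105:2379 \
  --advertise-client-urls https://192.168.79.105:2379 \
  --listen-peer-urls https://192.168.79.105:2380 \
  --initial-advertise-peer-urls https://192.168.79.105:2380 \
  --initial-cluster etcd1=https://192.168.79.103:2380,etcd2=https://192.168.79.104:2380,etcd3=https://192.168.79.105:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new \
  --client-cert-auth \
  --trusted-ca-file /tmp/certs/etcd-root-ca.pem \
  --cert-file /tmp/certs/server.pem \
  --key-file /tmp/certs/server-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file /tmp/certs/etcd-root-ca.pem \
  --peer-cert-file /tmp/certs/server.pem \
  --peer-key-file /tmp/certs/server-key.pem

[Install]
WantedBy=multi-user.target
EOF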

参数说明

| 参数 | 意义 |
| --- | --- |
| name | 节点名称, 在 --initial-cluster 标记中列出 |
| data-dir | 数据存放的目录 |
| listen-client-urls | 用于监听客户端通讯的URL列表 |
| advertise-client-urls | 告知客户端URL, 也就是服务的URL(一般与listen-client-urls一样) |
| listen-peer-urls | 监听URL,用于与其他节点通讯 |
| initial-advertise-peer-urls | 告知集群其他节点的URL(一般与listen-peer-urls一样) |
| initial-cluster | 集群中所有节点 |

启动服务


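# Install the unit owned by root with mode 0644. "sudo mv" would keep the
# ownership of whoever wrote /tmp/etcd.service; a unit file in
# /etc/systemd/system that an unprivileged user can edit lets that user change
# ExecStart and have systemd run arbitrary commands as root.
sudo install -o root -g root -m 0644 /tmp/etcd.service /etc/systemd/system/etcd.service
rm -f /tmp/etcd.service

# to start service
sudo systemctl daemon-reload
sudo systemctl cat etcd.service
sudo systemctl enable etcd.service
sudo systemctl start etcd.service

# to get logs from service
sudo systemctl status etcd.service -l --no-pager
# sudo journalctl -u etcd.service -l --no-pager|less
# sudo journalctl -f -u etcd.service

# to stop service
# sudo systemctl stop etcd.service
# sudo systemctl disable etcd.service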

7、验证状态

# Health check of every member (section 7). The connection options are kept in
# an array and expanded as one argument each. The endpoints carry no scheme,
# exactly as the play.etcd.io example does, and the node's own cert/key serve as
# the client credential; the servers require a client cert (--client-cert-auth)
# and this one is issued by the CA they trust.
ETCDCTL_OPTS=(
  --endpoints 192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379
  --cacert /tmp/certs/etcd-root-ca.pem
  --cert /tmp/certs/server.pem
  --key /tmp/certs/server-key.pem
)
ETCDCTL_API=3 /tmp/test-etcd/etcdctl "${ETCDCTL_OPTS[@]}" endpoint health

8、与etcd交互

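# Basic read/write and cluster status (section 8).
# The install step above never copies etcdctl onto PATH (that line is commented
# out), so the binary is called by its full path here, consistent with the
# health check in section 7. etcdctl 3.5 speaks API v3 by default; the env var
# is kept for clarity. Every call needs the TLS flags because the servers
# enforce --client-cert-auth.
ETCDCTL=/tmp/test-etcd/etcdctl
TLS_ARGS=(
  --cacert /tmp/certs/etcd-root-ca.pem
  --cert /tmp/certs/server.pem
  --key /tmp/certs/server-key.pem
)

# write
ETCDCTL_API=3 "${ETCDCTL}" --endpoints 192.168.79.103:2379 "${TLS_ARGS[@]}" put foo bar

# read
ETCDCTL_API=3 "${ETCDCTL}" --endpoints 192.168.79.103:2379 "${TLS_ARGS[@]}" get foo

# cluster info per member: leader flag, raft term/index, db size
ETCDCTL_API=3 "${ETCDCTL}" \
  --endpoints 192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379 \
  "${TLS_ARGS[@]}" \
  endpoint status --write-out=table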
  

使用benchmark测试etcd集群性能

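# Build the benchmark tool from the etcd module; the binary lands in GOPATH/bin.
go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.io,direct
go get go.etcd.io/etcd/v3/tools/benchmark
# Newer Go releases deprecate installing binaries via "go get"; there use:
#   go install go.etcd.io/etcd/v3/tools/benchmark@latest

# The cluster enforces client-cert auth, so benchmark needs the same TLS flags
# as etcdctl; without them every connection is rejected. The node cert/key is
# reused as the client credential, as elsewhere in this guide.
ENDPOINTS=192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379
TLS_ARGS=(
  --cacert=/tmp/certs/etcd-root-ca.pem
  --cert=/tmp/certs/server.pem
  --key=/tmp/certs/server-key.pem
)

# write benchmark: 100000 sequential 8-byte keys with 256-byte values
benchmark --endpoints="${ENDPOINTS}" "${TLS_ARGS[@]}" \
 --conns=100 --clients=1000 \
 put --key-size=8 --sequential-keys --total=100000 --val-size=256

# read benchmark: 10000 linearizable (--consistency=l) range reads of key "foo"
benchmark --endpoints="${ENDPOINTS}" "${TLS_ARGS[@]}" \
 --conns=100 --clients=1000 \
 range foo --consistency=l --total=10000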

参考

http://play.etcd.io/install

https://github.com/etcd-io/etcd
