[root@master01 ~]# systemctl stop firewalld.service //關閉防火牆(僅適用於實驗環境;正式環境應保留防火牆,只對群集節點放行etcd使用的2379和2380端口)
[root@master01 ~]# setenforce 0 //將selinux臨時切換為寬容模式(重啟後恢復原設定),同樣僅適用於實驗環境
[root@master01 ~]# mkdir k8s //創建k8s目錄
[root@master01 ~]# ls
anaconda-ks.cfg k8s
[root@master01 ~]# mount.cifs //192.168.80.2/shares/K8S/k8s01 /mnt/ //掛載宿主機中準備好的軟件包
Password for root@//192.168.80.2/shares/K8S/k8s01:
[root@master01 ~]# cd /mnt/
[root@master01 mnt]# ls
etcd-cert etcd-v3.3.10-linux-amd64.tar.gz k8s-cert.sh master.zip
etcd-cert.sh flannel.sh kubeconfig.sh node.zip
etcd.sh flannel-v0.10.0-linux-amd64.tar.gz kubernetes-server-linux-amd64.tar.gz
[root@master01 mnt]# cd /root/k8s/ //回到k8s目錄
[root@master01 k8s]# vim cfssl.sh //編輯腳本下載cfssl官方包 做ca認證的軟件包
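# Download the cfssl R1.2 tools (cfssl, cfssljson, cfssl-certinfo) into
# /usr/local/bin and mark them executable.
# These binaries run as root and are used to generate the cluster CA, so stop
# at the first failed step instead of continuing with a missing or partial file.
set -eu

# -f: treat an HTTP error (4xx/5xx) as a failure rather than saving the error
#     page under the binary's name.
# -L: follow redirects, as the original commands did.
curl -fL https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -fL https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -fL https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo

# NOTE(review): nothing here verifies what was downloaded. Before running the
# tools, compare the sha256sum of each file with the checksums published by
# the cfssl project for this release.
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo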
:wq
[root@master01 k8s]# bash cfssl.sh //執行腳本,下載cfssl官方包
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9.8M 100 9.8M 0 0 457k 0 0:00:22 0:00:22 --:--:-- 581k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2224k 100 2224k 0 0 300k 0 0:00:07 0:00:07 --:--:-- 517k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6440k 100 6440k 0 0 276k 0 0:00:23 0:00:23 --:--:-- 221k
[root@master01 k8s]# ls /usr/local/bin/ //查看cfssl工具是否成功下載
cfssl cfssl-certinfo cfssljson
[root@master01 k8s]# mkdir etcd-cert //創建證書存放目錄
[root@master01 k8s]# ls
etcd-cert
[root@master01 k8s]# cd etcd-cert/ //進入證書存放目錄
[root@master01 etcd-cert]# cat > ca-config.json <<EOF //定義ca證書
> {
> "signing": {
> "default": {
> "expiry": "87600h" //證書有效期,87600h約為10年
> },
> "profiles": {
> "www": {
> "expiry": "87600h",
> "usages": [
> "signing",
> "key encipherment",
> "server auth", //服務端驗證
> "client auth" //客戶端驗證
> ]
> }
> }
> }
> }
> EOF
[root@master01 etcd-cert]# cat > ca-csr.json <<EOF //實現證書簽名
> {
> "CN": "etcd CA",
> "key": {
> "algo": "rsa", //使用非對稱密鑰
> "size": 2048 //密鑰長度
> },
> "names": [
> {
> "C": "CN", //標識信息,可自行定義
> "L": "Beijing",
> "ST": "Beijing"
> }
> ]
> }
> EOF
[root@master01 etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca - //使用命令生成ca證書
2020/02/09 16:53:08 [INFO] generating a new CA key and certificate from CSR
2020/02/09 16:53:08 [INFO] generate received request
2020/02/09 16:53:08 [INFO] received CSR
2020/02/09 16:53:08 [INFO] generating key: rsa-2048
2020/02/09 16:53:08 [INFO] encoded CSR
2020/02/09 16:53:08 [INFO] signed certificate with serial number 400787333165311350366024741004548366561538833100
[root@master01 etcd-cert]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem //ca證書生成成功
[root@master01 etcd-cert]# cat > server-csr.json <<EOF //指定etcd三個節點之間的通信驗證
> {
> "CN": "etcd",
> "hosts": [
> "192.168.80.12", //群集IP地址設定,master地址
> "192.168.80.13", //node01IP地址
> "192.168.80.14" //node02IP地址
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "BeiJing",
> "ST": "BeiJing"
> }
> ]
> }
> EOF
[root@master01 etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server //生成ETCD證書 server-key.pem server.pem
2020/02/09 16:59:12 [INFO] generate received request
2020/02/09 16:59:12 [INFO] received CSR
2020/02/09 16:59:12 [INFO] generating key: rsa-2048
2020/02/09 16:59:12 [INFO] encoded CSR
2020/02/09 16:59:12 [INFO] signed certificate with serial number 155295832576786241095177900248601469934260652049
2020/02/09 16:59:12 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master01 etcd-cert]# ls
ca-config.json ca-csr.json ca.pem server-csr.json server.pem
ca.csr ca-key.pem server.csr server-key.pem //生成成功
[root@master01 etcd-cert]# cd /mnt/ //進入宿主機掛載過來的目錄
[root@master01 mnt]# ls
etcd-cert etcd-v3.3.10-linux-amd64.tar.gz k8s-cert.sh master.zip
etcd-cert.sh flannel.sh kubeconfig.sh node.zip
etcd.sh flannel-v0.10.0-linux-amd64.tar.gz kubernetes-server-linux-amd64.tar.gz
[root@master01 mnt]# cp etcd-v3.3.10-linux-amd64.tar.gz flannel-v0.10.0-linux-amd64.tar.gz kubernetes-server-linux-amd64.tar.gz etcd.sh /root/k8s/ //將軟件包與etcd執行腳本復制到k8s工作目錄中
[root@master01 mnt]# cd /root/k8s/ //回到k8s工作目錄
[root@master01 k8s]# tar zvxf etcd-v3.3.10-linux-amd64.tar.gz //解壓etcd軟件包
etcd-v3.3.10-linux-amd64/
etcd-v3.3.10-linux-amd64/Documentation/
etcd-v3.3.10-linux-amd64/Documentation/platforms/
etcd-v3.3.10-linux-amd64/Documentation/platforms/container-linux-systemd.md
etcd-v3.3.10-linux-amd64/Documentation/platforms/aws.md
etcd-v3.3.10-linux-amd64/Documentation/platforms/freebsd.md
etcd-v3.3.10-linux-amd64/Documentation/rfc/
...
[root@master01 k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p //遞歸創建etcd工作目錄
[root@master01 k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/ //將etcd命令文件復制到工作目錄中bin目錄下
[root@master01 k8s]# ls /opt/etcd/bin/ //查看
etcd etcdctl
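[root@master01 k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/ //拷貝證書文件到etcd工作目錄ssl目錄下。注意:*.pem會把CA私鑰ca-key.pem也一併拷貝,而etcd運行時只需要ca.pem、server.pem和server-key.pem;CA私鑰應單獨保管,不要放進這個目錄,否則之後用scp拷貝/opt/etcd/時它會被分發到每個節點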
[root@master01 k8s]# ls /opt/etcd/ssl/ //查看
ca-key.pem ca.pem server-key.pem server.pem
[root@master01 k8s]# bash etcd.sh etcd01 192.168.80.12 etcd02=https://192.168.80.13:2380,etcd03=https://192.168.80.14:2380 //執行啟動腳本 etcd01為master01服務器地址 etcd02、etcd03為node01、node02IP地址,稍后我們將分別在node01、node02中部署etcd,組成etcd群集,腳本執行同時生成etcd配置文件
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
//執行啟動腳本後,終端會停住,等待其他節點加入;等待有超時時間,超時後會報錯,此時其他節點尚未啟動,屬於正常現象,可以忽略
另外開啟一個新的終端會話繼續操作
[root@master01 ~]# ps -ef | grep etcd //查看進程是否開啟
root 16146 1 0 17:14 ? 00:00:00 /opt/etcd/bin/etcd --name=etcd01 --data-dir=/var/lib/etcd/default.etcd --listen-peer-urls=https://192.168.80.12:2380 --listen-client-urls=https://192.168.80.12:2379,http://127.0.0.1:2379 --advertise-client-urls=https://192.168.80.12:2379 --initial-advertise-peer-urls=https://192.168.80.12:2380 --initial-cluster=etcd01=https://192.168.80.12:2380,etcd02=https://192.168.80.13:2380,etcd03=https://192.168.80.14:2380 --initial-cluster-token=etcd-cluster --initial-cluster-state=new --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
root 16191 16160 0 17:15 pts/1 00:00:00 grep --color=auto etcd //成功開啟。注意:上面的啟動參數中沒有--client-cert-auth和--peer-client-cert-auth,也就是說etcd不會要求客戶端或對等節點出示證書;正式環境應啟用這兩項
[root@master01 ~]# scp -r /opt/etcd/ root@192.168.80.13:/opt/ //拷貝etcd工作目錄到node01節點
The authenticity of host '192.168.80.13 (192.168.80.13)' can't be established.
ECDSA key fingerprint is SHA256:Ih0NpZxfLb+MOEFW8B+ZsQ5R8Il2Sx8dlNov632cFlo.
ECDSA key fingerprint is MD5:a9:ee:e5:cc:40:c7:9e:24:5b:c1:cd:c1:7b:31:42:0f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.80.13' (ECDSA) to the list of known hosts.
root@192.168.80.13's password:
etcd 100% 509 495.7KB/s 00:00
etcd 100% 18MB 98.7MB/s 00:00
etcdctl 100% 15MB 95.0MB/s 00:00
ca-key.pem 100% 1675 1.6MB/s 00:00
ca.pem 100% 1265 416.6KB/s 00:00
server-key.pem 100% 1675 2.3MB/s 00:00
server.pem 100% 1338 2.0MB/s 00:00
[root@master01 ~]# scp -r /opt/etcd/ root@192.168.80.14:/opt/ //拷貝etcd工作目錄到node02節點(下面顯示的主機指紋與node01的完全相同,說明兩台主機共用同一組SSH主機密鑰,多半是克隆虛擬機所致;正式環境應為每台主機重新生成主機密鑰,並在首次連接時核對指紋)
The authenticity of host '192.168.80.14 (192.168.80.14)' can't be established.
ECDSA key fingerprint is SHA256:Ih0NpZxfLb+MOEFW8B+ZsQ5R8Il2Sx8dlNov632cFlo.
ECDSA key fingerprint is MD5:a9:ee:e5:cc:40:c7:9e:24:5b:c1:cd:c1:7b:31:42:0f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.80.14' (ECDSA) to the list of known hosts.
root@192.168.80.14's password:
etcd 100% 509 523.8KB/s 00:00
etcd 100% 18MB 79.6MB/s 00:00
etcdctl 100% 15MB 140.4MB/s 00:00
ca-key.pem 100% 1675 1.9MB/s 00:00
ca.pem 100% 1265 296.4KB/s 00:00
server-key.pem 100% 1675 2.4MB/s 00:00
server.pem 100% 1338 423.3KB/s 00:00
[root@master01 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.80.13:/usr/lib/systemd/system/ //啟動腳本拷貝到node01節點
root@192.168.80.13's password:
etcd.service 100% 923 628.8KB/s 00:00
[root@master01 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.80.14:/usr/lib/systemd/system/ //啟動腳本拷貝到node02節點
root@192.168.80.14's password:
etcd.service 100% 923 684.8KB/s 00:00
更改復制過來的etcd配置文件
[root@node01 ~]# systemctl stop firewalld.service //關閉防火墻
[root@node01 ~]# setenforce 0 //關閉selinux
[root@node01 ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02" //更改名稱為etcd02
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.80.13:2380" //更改IP地址為192.168.80.13
ETCD_LISTEN_CLIENT_URLS="https://192.168.80.13:2379" //更改IP地址為192.168.80.13
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.80.13:2380" //更改IP地址為192.168.80.13
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.80.13:2379" //更改IP地址為192.168.80.13
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.80.12:2380,etcd02=https://192.168.80.13:2380,etcd03=https://192.168.80.14:2380" //注意:此處不用改動
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
:wq
[root@node01 ~]# systemctl start etcd //編輯完成后直接啟動etcd服務
[root@node01 ~]# systemctl status etcd //查看服務狀態
● etcd.service - Etcd Server
Loaded: loaded (/usr/lib/systemd/system/etcd.service; disabled; vendor preset: disabled)
Active: active (running) since 日 2020-02-09 17:25:38 CST; 50s ago //正常運行
Main PID: 15905 (etcd)
...
更改復制過來的etcd配置文件
[root@node02 ~]# systemctl stop firewalld.service //關閉防火墻
[root@node02 ~]# setenforce 0 //關閉selinux
[root@node02 ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd03" //更改名稱為etcd03
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.80.14:2380" //更改IP地址為192.168.80.14
ETCD_LISTEN_CLIENT_URLS="https://192.168.80.14:2379" //更改IP地址為192.168.80.14
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.80.14:2380" //更改IP地址為192.168.80.14
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.80.14:2379" //更改IP地址為192.168.80.14
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.80.12:2380,etcd02=https://192.168.80.13:2380,etcd03=https://192.168.80.14:2380" //注意:此處不用改動
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
:wq
[root@node02 ~]# systemctl start etcd //啟動服務
[root@node02 ~]# systemctl status etcd //查看狀態
● etcd.service - Etcd Server
Loaded: loaded (/usr/lib/systemd/system/etcd.service; disabled; vendor preset: disabled)
Active: active (running) since 日 2020-02-09 17:32:29 CST; 4s ago //成功運行
Main PID: 15926 (etcd)
...
[root@master01 k8s]# cd etcd-cert/ //進入證書目錄,因為查看群集狀態時要用到ca證書等文件,所以要先進入證書存放目錄
[root@master01 etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.80.12:2379,https://192.168.80.13:2379,https://192.168.80.14:2379" cluster-health //使用命令查看群集狀態
member accc4008f61328 is healthy: got healthy result from https://192.168.80.13:2379
member 88ef2b8e883800a0 is healthy: got healthy result from https://192.168.80.12:2379
member fafd8a15257570ee is healthy: got healthy result from https://192.168.80.14:2379
cluster is healthy //群集創建成功