etcd集群(TLS)搭建和使用

以下操作默认在etcd1执行

rm -f /tmp/cfssl* && rm -rf /tmp/certs && mkdir -p /tmp/certs

curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /tmp/cfssl
chmod +x /tmp/cfssl
sudo mv /tmp/cfssl /usr/local/bin/cfssl

curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /tmp/cfssljson
chmod +x /tmp/cfssljson
sudo mv /tmp/cfssljson /usr/local/bin/cfssljson

/usr/local/bin/cfssl version
/usr/local/bin/cfssljson -h

mkdir -p /tmp/certs

cat > /tmp/certs/etcd-root-ca-csr.json < /tmp/certs/etcd-gencert.json < 
3、颁发证书 
cat > /tmp/certs/etcd-ca-csr.json < 
4、复制证书到另外两台主机 
scp -r /tmp/certs/ root@192.168.79.104:/tmp/certs/
scp -r /tmp/certs/ root@192.168.79.105:/tmp/certs/
 
5、安装etcd 
# 三台主机都需要安装

ETCD_VER=v3.5.1
# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/coreos/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/test-etcd && mkdir -p /tmp/test-etcd

curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/test-etcd --strip-components=1

# sudo cp /tmp/test-etcd/etcd* [YOUR_EXEC_DIR]
# sudo mkdir -p /usr/local/bin/ && sudo cp /tmp/test-etcd/etcd* /usr/local/bin/

/tmp/test-etcd/etcd --version
ETCDCTL_API=3 /tmp/test-etcd/etcdctl version
 
6、使用systemd运行etcd 
# 如果集群是新的，则删除此目录；如果重新启动 etcd，则保留
# rm -rf /tmp/etcd/data

 
etcd1的配置文件
 
cat > /tmp/etcd.service < 
etcd2的配置文件
 
cat > /tmp/etcd.service < 
etcd3的配置文件
 
cat > /tmp/etcd.service < 
参数说明
 
参数
意义
name
节点名称， 在 --initial-cluster 标记中列出
data-dir
数据存放的目录
listen-client-urls
用于监听客户端通讯的URL列表
advertise-client-urls
告知客户端URL, 也就是服务的URL(一般与listen-client-urls一样)
listen-peer-urls
监听URL，用于与其他节点通讯
initial-advertise-peer-urls
告知集群其他节点的URL(一般与listen-peer-urls一样)
initial-cluster
集群中所有节点
启动服务
 
sudo mv /tmp/etcd.service /etc/systemd/system/etcd.service

# to start service
sudo systemctl daemon-reload
sudo systemctl cat etcd.service
sudo systemctl enable etcd.service
sudo systemctl start etcd.service

# to get logs from service
sudo systemctl status etcd.service -l --no-pager
# sudo journalctl -u etcd.service -l --no-pager|less
# sudo journalctl -f -u etcd.service

# to stop service
# sudo systemctl stop etcd.service
# sudo systemctl disable etcd.service
 
7、验证状态 
ETCDCTL_API=3 /tmp/test-etcd/etcdctl 
  --endpoints 192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379 
  --cacert /tmp/certs/etcd-root-ca.pem 
  --cert /tmp/certs/server.pem 
  --key /tmp/certs/server-key.pem 
  endpoint health
 
8、与etcd交互 
# 写数据
etcdctl 
  --endpoints 192.168.79.103:2379 
  --cacert /tmp/certs/etcd-root-ca.pem 
  --cert /tmp/certs/server.pem 
  --key /tmp/certs/server-key.pem 
  put foo bar
# 读数据 
etcdctl 
  --endpoints 192.168.79.103:2379 
  --cacert /tmp/certs/etcd-root-ca.pem 
  --cert /tmp/certs/server.pem 
  --key /tmp/certs/server-key.pem 
  get foo
  
# 查看集群信息 是否为leader等
ETCDCTL_API=3 /tmp/test-etcd/etcdctl 
  --endpoints 192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379 
  --cacert /tmp/certs/etcd-root-ca.pem 
  --cert /tmp/certs/server.pem 
  --key /tmp/certs/server-key.pem 
  endpoint status --write-out=table
  

 
使用benchmark测试etcd集群性能 
go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.io,direct
go get go.etcd.io/etcd/v3/tools/benchmark

# 在Gopath/bin路径下会生成一个benchmark二进制文件
 
# 读数据
benchmark --endpoints=192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379 
 --conns=100 --clients=1000 
 put --key-size=8 --sequential-keys --total=100000 --val-size=256

# 写数据
benchmark --endpoints=192.168.79.103:2379,192.168.79.104:2379,192.168.79.105:2379 
 --conns=100 --clients=1000 
 range foo --consistency=l --total=10000

 
参考 
http://play.etcd.io/install
 
https://github.com/etcd-io/etcd