ETCD数据库部署、flannel网络组件安装
1、安装包准备
注意:
etcd 使用 3.3.x 均可(本文以 v3.3.18 为例;后面的 etcdctl 命令都是按 v2 API 写的)
下载地址:https://github.com/etcd-io/etcd/releases?after=v3.4.4
flannel 版本不做强制要求;本文以 v0.10.0 为例,后面的解压文件名和命令都按这个版本写,换版本时需要同步调整
下载地址:https://github.com/coreos/flannel/releases/tag/v0.10.0
kubernetes使用1.19(最新的即可)
下载地址:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#downloads-for-v1191
2、环境准备及介绍
2.1安装环境为内网虚拟机(无外网),采取 rpm 安装或者本地 yum 镜像挂载的方式解决环境依赖问题
2.2IP为静态IP(BOOTPROTO=static)即可
# Interface configs live here on CentOS 7; the file is named after the NIC
# (ens160 on this host - pick the one `ls` shows on yours).
cd /etc/sysconfig/network-scripts/ && ls
# Set BOOTPROTO=static (with IPADDR/NETMASK/GATEWAY) so the address the etcd
# certificate is issued for never changes under the cluster.
vi ifcfg-ens160
2.3关闭了防火墙(不关闭也可以,改为只对集群成员放行 etcd 的 2379/2380 TCP 端口以及 flannel vxlan 使用的 UDP 端口)。注意:关闭防火墙后 etcd 的 2379 端口对整个内网可达,除非 etcd 启动时带了 --client-cert-auth,否则任何能连到 2379 的主机都可以读写 etcd 里的全部数据(后续 Kubernetes 的 Secret 也存在这里),请确保网络层有隔离。
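# The guide assumes no host firewall. On CentOS 7 the default firewall is
# firewalld; `service iptables stop` only does something if the legacy
# iptables-services package is installed, so handle both cases.
# Stopping the firewall exposes etcd's client port (2379) and peer port (2380)
# to every host on the network - only do this where the network itself is
# isolated, otherwise keep firewalld and use the rules sketched below.
if systemctl cat firewalld.service >/dev/null 2>&1; then
  systemctl stop firewalld
  systemctl disable firewalld
else
  service iptables stop
  chkconfig iptables off
fi
# Alternative that keeps firewalld: allow etcd only from cluster members
# (repeat the rich rule per member address) plus flannel's vxlan traffic
# (UDP 8472 is the kernel default vxlan port; adjust if you configure another).
#   firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<member-ip> port port=2379-2380 protocol=tcp accept'
#   firewall-cmd --permanent --add-port=8472/udp
#   firewall-cmd --reload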
2.4确认docker环境依赖
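# Kernel check: Docker needs >= 3.10 on CentOS 7 (>= 2.6.32-431 on CentOS 6).
uname -r
# Confirm Docker CE is installed and the daemon answers
# (the original had a typo, "dockcer version", which would just fail).
docker version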
2.5提前下载安装包
# Fetch the release artifacts once on a host with internet access and carry
# them into the offline environment. Before installing, compare each file with
# the checksum published on its release page - these binaries will hold the
# cluster's CA and all of its data, so a tampered download is total compromise.
for url in \
  https://dl.k8s.io/v1.19.1/kubernetes-server-linux-amd64.tar.gz \
  https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz \
  https://github.com/etcd-io/etcd/releases/download/v3.3.18/etcd-v3.3.18-linux-amd64.tar.gz \
  https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl-certinfo_1.4.1_linux_amd64 \
  https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64 \
  https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64
do
  wget -- "$url"
done
3、安装制作证书工具 cfssl
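# Install the cfssl toolchain. The files were fetched in 2.5 under the
# release-asset names (cfssl_1.4.1_linux_amd64, ...); the original moved
# "cfssl_linux-amd64", a name that does not exist, and did so after cd'ing
# into an empty k8s/ directory. Install from the download directory first.
# install(1) copies and sets the mode (0755) in one step.
install -m 0755 cfssl_1.4.1_linux_amd64          /usr/local/bin/cfssl
install -m 0755 cfssljson_1.4.1_linux_amd64      /usr/local/bin/cfssljson
install -m 0755 cfssl-certinfo_1.4.1_linux_amd64 /usr/local/bin/cfssl-certinfo
# Working directory for the scripts written later in this guide (/root/k8s).
mkdir -p k8s
cd k8s/ || exit 1
cfssl version
ls /usr/local/bin/
# cfssl:          generates keys/certificates from JSON CSRs and a signing policy
# cfssl-certinfo: prints the contents of a certificate (use it to check SANs)
# cfssljson:      splits cfssl's JSON output into .pem / -key.pem files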
4、制作CA证书
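# Working directory for the etcd PKI (CA key, CA cert, server cert).
mkdir -p etcd-cert
cd etcd-cert/ || exit 1
# Signing policy for the CA. JSON has no comment syntax, so the notes the
# original kept inline would make cfssl reject the file; they live here:
#  - "server auth" + "client auth" in one profile lets a single certificate
#    act as TLS server (etcd listeners) and TLS client (etcdctl, flannel, peers).
#  - "expiry": "87600h" is 10 years; plan certificate rotation accordingly.
# The delimiter is quoted because nothing in the file needs shell expansion.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF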
# CSR for the self-signed etcd CA: 2048-bit RSA, subject "etcd CA".
# Quoted delimiter: the document is literal, no expansion needed.
cat > ca-csr.json <<'EOF'
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Chengdu",
      "ST": "Chengdu"
    }
  ]
}
EOF
# -initca self-signs the CSR and yields ca.pem (distribute to every node) and
# ca-key.pem (the CA private key: only the signing host needs it, neither etcd
# nor flannel reads it at runtime).
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
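# CSR for the etcd server/peer certificate. "hosts" becomes the SAN list: every
# address a member listens on or a client dials must be here, or TLS
# verification fails. Replace the addresses with your own member IPs (the
# original put that reminder as a "#" comment inside the JSON, which cfssl
# cannot parse).
cat > server-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "10.25.247.141",
    "10.25.247.142",
    "10.25.247.143",
    "10.25.247.144",
    "10.25.247.145",
    "10.25.193.138"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Chengdu",
      "ST": "Chengdu"
    }
  ]
}
EOF
# Sign with the CA under the "www" profile -> server.pem / server-key.pem.
# Because that profile also carries "client auth", the same pair is reused
# later as the client identity for etcdctl and flannel. Convenient, but every
# node then holds a certificate that is valid as an etcd *server*; issuing a
# separate client-only certificate per consumer is the least-privilege option.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server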
5、使用证书搭建ETCD集群
master节点上执行
5.1修改hostname
# Give this machine its member name (etcd01 here). etcd itself takes its name
# from the first argument of etcd.sh, not from the hostname, but keeping the
# two identical makes logs and the member list easy to correlate.
hostnamectl set-hostname etcd01
# Echo the new name back to confirm it stuck.
hostname
5.2编写执行脚本
vi /root/k8s/etcd.sh
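#!/bin/bash
# etcd.sh - render /opt/etcd/cfg/etcd and the etcd systemd unit for ONE
# member, then (re)start the service. Run it with bash, not sh.
#
# Usage:   ./etcd.sh <member-name> <member-ip> <other-members>
# Example: ./etcd.sh etcd01 192.168.100.128 etcd02=https://192.168.100.131:2380,etcd03=https://192.168.100.136:2380
#
# Expects /opt/etcd/bin/etcd and ca.pem / server.pem / server-key.pem under
# /opt/etcd/ssl (sections 4 and 5.3).
#
# Fixes versus the original:
#  - the unit file carried an inline "#" comment after a line continuation;
#    that ended ExecStart early (with "\" and the comment as stray arguments)
#    and left the remaining --flags as a bogus unit directive;
#  - comments in the environment file are on their own lines so they can
#    never be read as part of a URL value;
#  - --client-cert-auth / --peer-client-cert-auth are set. Without them etcd
#    merely presents its certificate and accepts ANY client on 2379 and any
#    peer on 2380 - the CA protected nothing on the client side.
set -euo pipefail

if [[ $# -ne 3 ]]; then
  printf 'usage: %s <member-name> <member-ip> <name=https://ip:2380,...>\n' "${0##*/}" >&2
  exit 2
fi

readonly ETCD_NAME=$1
readonly ETCD_IP=$2
readonly ETCD_CLUSTER=$3
readonly WORK_DIR=/opt/etcd
readonly UNIT_FILE=/usr/lib/systemd/system/etcd.service

# Per-member environment file consumed by the unit below (EnvironmentFile=).
write_member_config() {
  mkdir -p "${WORK_DIR}/cfg"
  cat <<EOF >"${WORK_DIR}/cfg/etcd"
#[Member]
ETCD_NAME="${ETCD_NAME}"
# Persistent state. Do NOT wipe it on ordinary restarts (that destroys the
# store); clear it only when re-bootstrapping with ETCD_INITIAL_CLUSTER_STATE="new".
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# Listen on the routable address, never localhost: peers and clients dial it.
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
# Must be identical on every member of this cluster.
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
}

# systemd unit. "\\" leaves a real backslash continuation in the unit file;
# "\${...}" defers expansion to systemd, which reads the environment file.
write_unit() {
  cat <<EOF >"${UNIT_FILE}"
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
# The plaintext http://127.0.0.1:2379 listener is kept for local tooling
# (flannel.sh defaults to it). It is NOT covered by --client-cert-auth, so any
# local process can read the store through it; remove it if nothing needs it.
ExecStart=${WORK_DIR}/bin/etcd \\
  --name=\${ETCD_NAME} \\
  --data-dir=\${ETCD_DATA_DIR} \\
  --listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \\
  --listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \\
  --advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \\
  --initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \\
  --initial-cluster=\${ETCD_INITIAL_CLUSTER} \\
  --initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \\
  --initial-cluster-state=\${ETCD_INITIAL_CLUSTER_STATE} \\
  --cert-file=${WORK_DIR}/ssl/server.pem \\
  --key-file=${WORK_DIR}/ssl/server-key.pem \\
  --client-cert-auth \\
  --peer-cert-file=${WORK_DIR}/ssl/server.pem \\
  --peer-key-file=${WORK_DIR}/ssl/server-key.pem \\
  --peer-client-cert-auth \\
  --trusted-ca-file=${WORK_DIR}/ssl/ca.pem \\
  --peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
}

main() {
  write_member_config
  write_unit
  # Type=notify: the restart blocks until the member reports ready, which for
  # a new cluster means until enough members are up to form a quorum.
  systemctl daemon-reload
  systemctl enable etcd
  systemctl restart etcd
}

main "$@"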
Node节点和Master节点都执行
5.3解压文件并修改配置
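# Unpack the etcd release fetched in 2.5 and stage the binaries. The version
# lives in one variable because the original mixed v3.3.10 here with the
# v3.3.18 tarball it actually downloaded.
ETCD_VER=v3.3.18
tar zxvf "etcd-${ETCD_VER}-linux-amd64.tar.gz"
ls "etcd-${ETCD_VER}-linux-amd64"
# Expected: Documentation etcd etcdctl README-etcdctl.md README.md READMEv2-etcdctl.md
mkdir -p /opt/etcd/{cfg,bin,ssl}
mv "etcd-${ETCD_VER}-linux-amd64"/{etcd,etcdctl} /opt/etcd/bin/
chmod +x /opt/etcd/bin/*
# Sanity-check the staged binaries.
/opt/etcd/bin/etcd --version
/opt/etcd/bin/etcdctl --version
# Pin etcdctl to the v2 API for every login shell: the cluster-health / set /
# get commands later in this guide and flannel v0.10 all use v2. (The 3.3
# etcdctl still defaults to v2; the original's claim that the default is v3
# applies from 3.4 on - setting it explicitly is harmless either way.)
# The append is idempotent so re-running this section does not duplicate it.
grep -qx 'export ETCDCTL_API=2' /etc/profile || echo 'export ETCDCTL_API=2' >> /etc/profile
source /etc/profile
/opt/etcd/bin/etcd --version
/opt/etcd/bin/etcdctl --version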
5.4master节点启动
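# Stage the PKI under /opt/etcd/ssl. Runtime needs only the CA *certificate*
# and the server key pair. ca-key.pem is the CA private key - whoever holds it
# can mint certificates the whole cluster trusts - so it stays in
# /root/etcd-cert on the signing host. (The original's "*.pem" glob copied it
# here and the scp below then shipped it to every node.)
cp /root/etcd-cert/ca.pem /root/etcd-cert/server.pem /root/etcd-cert/server-key.pem /opt/etcd/ssl/
chmod 0600 /opt/etcd/ssl/server-key.pem
ls /opt/etcd/ssl/
# Expected: ca.pem server-key.pem server.pem

# Render config + unit for this member and start it. The member list must
# name every member exactly once, with the same name=URL pairs on every host,
# and every IP must appear in server-csr.json "hosts" (the original repeated
# etcd03 three times and pointed etcd02 at the master's own address). The
# addresses below are the ones the health check in 5.6 uses; adjust to yours.
# Run with bash: the script's shebang is bash and `sh` would ignore it.
# The restart inside the script blocks until quorum is reached, so carry on
# in a second session.
bash /root/k8s/etcd.sh etcd00 10.25.193.138 etcd01=https://10.25.247.142:2380,etcd02=https://10.25.247.144:2380

# --- second session on the master ---
# etcd.sh has now written /opt/etcd/cfg/etcd and the unit file, so both exist
# to be copied (the original copied before the script had created them). The
# original showed "aaa@qq.com" as the scp target, which looks like a mangled
# placeholder; the target is root@<member-ip>, and each scp prompts for that
# host's password.
for node in 10.25.247.142 10.25.247.144; do
  scp -r /opt/etcd/* "root@${node}:/opt/etcd/"
  scp /usr/lib/systemd/system/etcd.service "root@${node}:/usr/lib/systemd/system"
done
# Confirm the master's etcd process is up and inspect its arguments.
pgrep -af /opt/etcd/bin/etcd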
5.5Node节点启动
修改/usr/lib/systemd/system/etcd.service文件
# The unit copied from the master only references variables, so it normally
# needs no edit - just confirm that while viewing it.
vi /usr/lib/systemd/system/etcd.service
# The environment file is per member: set ETCD_NAME and every *_URLS entry to
# THIS node's name and address; ETCD_INITIAL_CLUSTER and the token stay
# identical across members.
vi /opt/etcd/cfg/etcd
# Start the member. As on the master, the restart blocks until the cluster
# reaches quorum.
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
# From another session: the process should be running; the command line it
# shows is also the quickest way to spot a wrong value in the config file.
ps -ef | grep etcd
5.6、节点健康检查
#使用etcdctl检查节点情况
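# Cluster health via etcdctl (v2 API, hence cluster-health). Absolute
# certificate paths make this work from any directory; the original relied on
# a prior cd into /opt/etcd/ssl. The server key pair doubles as the client
# identity because the "www" profile includes "client auth".
ETCD_ENDPOINTS=https://10.25.193.138:2379,https://10.25.247.142:2379,https://10.25.247.144:2379
ETCD_SSL=/opt/etcd/ssl
/opt/etcd/bin/etcdctl --ca-file="${ETCD_SSL}/ca.pem" --cert-file="${ETCD_SSL}/server.pem" --key-file="${ETCD_SSL}/server-key.pem" --endpoints="${ETCD_ENDPOINTS}" cluster-health
# Single-member probe over HTTPS. --cacert makes curl verify the member's
# certificate against our CA; never substitute -k/--insecure here.
curl --cacert "${ETCD_SSL}/ca.pem" --cert "${ETCD_SSL}/server.pem" --key "${ETCD_SSL}/server-key.pem" https://10.25.247.144:2379/health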
6、部署flannel网络组件
6.1master上分配子网
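# Publish the pod network for flannel under its etcd v2 key: each node later
# leases a slice of 172.17.0.0/16 and uses the vxlan backend. Absolute
# certificate paths are used (the original silently assumed the cwd from 5.6).
ETCD_ENDPOINTS=https://10.25.193.138:2379,https://10.25.247.142:2379,https://10.25.247.144:2379
ETCD_SSL=/opt/etcd/ssl
/opt/etcd/bin/etcdctl --ca-file="${ETCD_SSL}/ca.pem" --cert-file="${ETCD_SSL}/server.pem" --key-file="${ETCD_SSL}/server-key.pem" --endpoints="${ETCD_ENDPOINTS}" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
# Read the key back to confirm it was stored as written.
/opt/etcd/bin/etcdctl --ca-file="${ETCD_SSL}/ca.pem" --cert-file="${ETCD_SSL}/server.pem" --key-file="${ETCD_SSL}/server-key.pem" --endpoints="${ETCD_ENDPOINTS}" get /coreos.com/network/config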
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
6.2在Node节点部署flannel
#解压文件flannel-v0.10.0-linux-amd64.tar.gz
# Unpack flannel; the tarball yields flanneld, mk-docker-opts.sh and README.md.
tar -zxvf flannel-v0.10.0-linux-amd64.tar.gz
# Same layout as /opt/etcd: cfg for the options file, bin for the binaries.
mkdir -p /opt/kubernetes/{cfg,bin,ssl}
mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
ls /opt/kubernetes/bin/
#部署脚本
vi flannel.sh
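#!/bin/bash
# flannel.sh - write /opt/kubernetes/cfg/flanneld and the flanneld systemd
# unit, then (re)start flanneld on this node. Run it with bash.
#
# Usage: ./flannel.sh [etcd-endpoints]
#   etcd-endpoints  comma-separated list, e.g.
#                   https://10.25.193.138:2379,https://10.25.247.142:2379
#
# Certificates are read from /opt/etcd/ssl (copied there in 5.4).
# Security notes:
#  - The default endpoint (kept for compatibility) is the plaintext loopback
#    listener http://127.0.0.1:2379, which exists only on etcd members. A
#    warning is printed when it is used so TLS is not skipped by accident.
#  - flanneld authenticates with the etcd *server* key pair. That works
#    because the "www" profile has "client auth", but every node then holds a
#    certificate that is also valid as an etcd server; a per-node client-only
#    certificate is the least-privilege alternative.
set -euo pipefail

readonly ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}
readonly CFG_FILE=/opt/kubernetes/cfg/flanneld
readonly UNIT_FILE=/usr/lib/systemd/system/flanneld.service

if [[ $# -eq 0 ]]; then
  printf 'warning: no etcd endpoints given, defaulting to %s (no TLS)\n' "${ETCD_ENDPOINTS}" >&2
fi

# Options file read by the unit via EnvironmentFile=. Written as one line: the
# original's backslash-newlines were joined by the heredoc anyway.
write_flannel_config() {
  mkdir -p "$(dirname "${CFG_FILE}")"
  cat <<EOF >"${CFG_FILE}"
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
}

# systemd unit. Before=docker.service because ExecStartPost writes the
# subnet file that docker.service reads (see 6.2).
write_unit() {
  cat <<EOF >"${UNIT_FILE}"
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=${CFG_FILE}
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

main() {
  write_flannel_config
  write_unit
  systemctl daemon-reload
  systemctl enable flanneld
  systemctl restart flanneld
}

main "$@"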
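# Run the script with bash (its shebang is bash; `sh` ignores it) and pass
# the TLS endpoints of every member - leaving the argument out silently
# falls back to the plaintext loopback listener.
bash flannel.sh https://10.25.193.138:2379,https://10.25.247.142:2379,https://10.25.247.144:2379
# flanneld must be active (and /run/flannel/subnet.env present) before Docker
# is reconfigured below.
systemctl status flanneld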
#修改docker配置文件
vi /usr/lib/systemd/system/docker.service
//修改添加两处(都在 docker.service 的 [Service] 段):
//1) 新增一行,让 docker 读取 flanneld 写出的子网变量:
EnvironmentFile=/run/flannel/subnet.env
//2) 把下面这个变量追加到已有的 ExecStart= 行末尾(dockerd 命令之后);不加的话 docker0 不会使用 flannel 分配的网段:
$DOCKER_NETWORK_OPTIONS
# The subnet flanneld leased for this node, in the variables docker.service
# now reads through EnvironmentFile=.
cat /run/flannel/subnet.env
# Pick up the edited unit and restart Docker onto the flannel subnet.
systemctl daemon-reload
systemctl restart docker
6.3验证
# Verification: flannel.1 (flannel's vxlan interface) and docker0 must both
# carry an address inside the subnet recorded in subnet.env. If they do, the
# node is wired correctly; if docker0 is elsewhere, re-check the docker.service
# edit above.
cat /run/flannel/subnet.env
ip addr show flannel.1
ip addr show docker0