生产环境ETCD高可用集群

etcd 是分布式键值对数据库，应用于存储 k8s 集群的配置、运行数据等。 虽然 k8s 官方部署工具 kubeadm 可以快速地搭建起 etcd 集群，但是也造成一个不好的影响：etcd 的管理跟 k8s 集群耦合在一起。在生产环境中，我们更希望数据库是独立于其他系统。 先部署独立的外部 etcd 集群，再部署 k8s 集群，既有利于后续部署高可用集群，又方便运维管理，是更加稳健的生产方案。 外部 etcd 集群部署极其灵活：在节点数量上，既可以是单个节点，也可以是多个节点；在部署位置上，既可以部署在 k8s 集群节点上，也可以部署在独立的非 k8s 集群节点上。 除了二进制手动部署之外，还有自动化工具 etcdadm，但是目前还是开发版本，不建议用它部署生产环境。

节点名称	节点内网IP
etcd1	172.22.0.12
etcd2	172.22.0.14
etcd3	172.22.0.4

1. 在每台服务器中将三台服务器的内、外网 IP 和对应的 hostname 写入 hosts 文件

我们只走内网，所有不用加外网

cat >>  /etc/hosts << EOF
172.22.0.12  etcd1
172.22.0.14  etcd2
172.22.0.4   etcd3  
EOF

2. 创建存储目录（所有节点）

mkdir  /data/etcd
mkdir  /data/etcd/data
mkdir  /data/etcd/bin
mkdir  /data/etcd/ssl

3. 制作安全证书（主节点）

etcd 通过证书来实现安全验证。可以通过 cfssl 或者 openssl 工具制作证书。本文采用 cfssl。 在主节点 etcd1 安装 cfssl 套件，制作证书后传输给其他节点。

wget https://github.com/cloudflare/cfssl/releases/download/v1.6.2/cfssl_1.6.2_linux_amd64 -O /data/etcd/bin/cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.2/cfssljson_1.6.2_linux_amd64 -O /data/etcd/bin/cfssljson
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.2/cfssl-certinfo_1.6.2_linux_amd64 -O /data/etcd/bin/cfssl-certinfo


chmod +x /data/etcd/bin/cfssl*

4. 制作 CA 根证书（主节点）

• 1. 生成 csr 文件

• 1. 创建证书

填写 CA 的 csr 信息，json 格式 csr 全称 Certificate Signing Request，即“证书签名请求”，类似于申请表，填写申请人的基本信息

4.1 填写 CA 的 csr 信息，json 格式

/data/etcd/bin/cfssl print-defaults csr > /data/etcd/ssl/ca-csr.json

vim /data/etcd/ssl/ca-csr.json
{
    "CN": "etcd",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Guangdong",
            "L": "GuangZhou",
            "O": "etcd"
        }
    ]
}

4.2 创建 CA 根证书，以 ca 为前缀，保存在 /data/etcd/ssl/

ca.pem 是公钥，ca-key.pem 是私钥。 有了根证书，我们这台服务器就可以算一个 CA 机构了，能够给 etcd 颁发证书。

/data/etcd/bin/cfssl gencert -initca /data/etcd/ssl/ca-csr.json | /data/etcd/bin/cfssljson -bare /data/etcd/ssl/ca


ls /data/etcd/ssl
ca.csr  ca-csr.json  ca-key.pem  ca.pem

4.3 配置证书策略

profiles：为不同角色配置不同的证书参数，此处只设了 etcd 一个角色，有需要的话可以添加多个角色。 重要的参数包括有效期、用途（签名、密钥加密、服务端认证、客户端认证）

/data/etcd/bin/cfssl print-defaults config > /data/etcd/ssl/ca-config.json

vim /data/etcd/ssl/ca-config.json
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "etcd": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

4.4 颁发 etcd 的安全证书

此处多了个 hosts 字段，需要包括所有 etcd 节点的内、外网 IP 地址(这里只使用内网)。 如果 etcd 的配置包含了本地回环地址，也需要加上去。 如果后面新增加 etcd 节点，需要先更新 etcd 的 csr 信息，重新制作证书。

/data/etcd/bin/cfssl print-defaults csr > /data/etcd/ssl/etcd-csr.json

vim /data/etcd/ssl/etcd-csr.json
{
    "CN": "etcd",
    "hosts": [
        "127.0.0.1",
        "172.22.0.12",
        "172.22.0.14",
        "172.22.0.4"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Guangdong",
            "L": "GuangZhou",
            "O": "etcd"
        }
    ]
}

4.5 创建 etcd 的安全证书，以 etcd 为前缀，保存在 /data/etcd/ssl/

/data/etcd/bin/cfssl gencert \
-ca=/data/etcd/ssl/ca.pem \
-ca-key=/data/etcd/ssl/ca-key.pem \
--config=/data/etcd/ssl/ca-config.json --profile=etcd \
/data/etcd/ssl/etcd-csr.json | /data/etcd/bin/cfssljson -bare /data/etcd/ssl/etcd


ls /data/etcd/ssl/
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  etcd.csr  etcd-csr.json  etcd-key.pem  etcd.pem

4.6 分发 etcd 证书到其他 etcd 节点, 要提前在 etcd2 和 etcd3 创建 ssl 目录

scp /data/etcd/ssl/*  etcd2:/data/etcd/ssl/
scp /data/etcd/ssl/*  etcd3:/data/etcd/ssl/

5. 部署 etcd 集群(所有节点)

cd /usr/local/src
wget https://github.com/etcd-io/etcd/releases/download/v3.5.4/etcd-v3.5.4-linux-amd64.tar.gz
tar zxvf etcd-v3.5.4-linux-amd64.tar.gz
cp  etcd-v3.5.4-linux-amd64/etcd*  /data/etcd/bin/

• 成员标记的环境变量，其中的 url 是内部可见的 IP（内网 IP、本地回环 IP）

• ETCD_NAME：节点的 hostname

• ETCD_LISTEN_PEER_URLS：本地 etcd 端对端监听 url

• ETCD_LISTEN_CLIENT_URLS：本地 etcd 客户端监听 url

• 集群标记的环境变量，其中的 url 可用内网IP || （外网 IP）

• ETCD_INITIAL_ADVERTISE_PEER_URLS：初始化对外端对端通讯 url

• ETCD_INITIAL_CLUSTER：初始化集群的所有 etcd 节点 url 的集合

• ETCD_ADVERTISE_CLIENT_URLS：对外客户端监听 url

• 安全标记部分用到了刚刚创建的证书，所有 url 用 https 协议。

• 此处列举的是 etcd1 的配置，其他 etcd 节点的配置类似，只需要修改 ETCD_NAME 和与 url 相关的所有环境变量。

cat >> /data/etcd/etcd.conf << EOF
# [Member tag] 成员标记部分
ETCD_NAME="etcd1"
ETCD_DATA_DIR="/data/etcd/data"
ETCD_LISTEN_PEER_URLS="https://172.22.0.12:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.22.0.12:2379, https://127.0.0.1:2379"

# [Cluster tag] 成员标记部分
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.22.0.12:2380"
ETCD_INITIAL_CLUSTER="etcd1=https://172.22.0.12:2380,etcd2=https://172.22.0.14:2380,etcd3=https://172.22.0.4:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.22.0.12:2379"

# [Safety mark] 安全标记部分
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/data/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/data/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/data/etcd/ssl/ca.pem"

ETCD_CERT_FILE="/data/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/data/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/data/etcd/ssl/ca.pem"
EOF

6. 用 systemd 服务启动 etcd (所有节点)

cat >> /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/data/etcd/etcd.conf
WorkingDirectory=/data/etcd/data/
ExecStart=/data/etcd/bin/etcd   
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd.service
systemctl start etcd.service
systemctl status etcd.service # 查看etcd运行状况

7. 在任意的 etcd 节点检查 etcd 集群健康状况

/data/etcd/bin/etcdctl -w table \
--cacert=/data/etcd/ssl/ca.pem \
--cert=/data/etcd/ssl/etcd.pem \
--key=/data/etcd/ssl/etcd-key.pem \
--endpoints=https://172.22.0.12:2379,https://172.22.0.14:2379,https://172.22.0.4:2379 \
endpoint health  # 查询是否健康


+--------------------------+--------+-------------+-------+
|         ENDPOINT         | HEALTH |    TOOK     | ERROR |
+--------------------------+--------+-------------+-------+
| https://172.22.0.14:2379 |   true | 12.935264ms |       |
|  https://172.22.0.4:2379 |   true | 13.266081ms |       |
| https://172.22.0.12:2379 |   true | 16.062599ms |       |
+--------------------------+--------+-------------+-------+


/data/etcd/bin/etcdctl -w table \
--cacert=/data/etcd/ssl/ca.pem \
--cert=/data/etcd/ssl/etcd.pem \
--key=/data/etcd/ssl/etcd-key.pem \
--endpoints=https://172.22.0.12:2379,https://172.22.0.14:2379,https://172.22.0.4:2379 \
member list       # started 证明我们的集群处于正常运行状态   
+------------------+---------+-------+--------------------------+--------------------------+------------+
|        ID        | STATUS  | NAME  |        PEER ADDRS        |       CLIENT ADDRS       | IS LEARNER |
+------------------+---------+-------+--------------------------+--------------------------+------------+
| 9197f28cdea6dd9c | started | etcd2 | https://172.22.0.14:2380 | https://172.22.0.14:2379 |      false |
| adcfd99939b3aee8 | started | etcd1 | https://172.22.0.12:2380 | https://172.22.0.12:2379 |      false |
| c2218527ef41ca14 | started | etcd3 |  https://172.22.0.4:2380 |  https://172.22.0.4:2379 |      false |
+------------------+---------+-------+--------------------------+--------------------------+------------+


/data/etcd/bin/etcdctl -w table \
--cacert=/data/etcd/ssl/ca.pem \
--cert=/data/etcd/ssl/etcd.pem \
--key=/data/etcd/ssl/etcd-key.pem \
--endpoints=https://172.22.0.12:2379,https://172.22.0.14:2379,https://172.22.0.4:2379 \
endpoint status   # 查询集群内哪个节点是Leader节点

+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|         ENDPOINT         |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://172.22.0.12:2379 | adcfd99939b3aee8 |   3.5.4 |   20 kB |     false |      false |         3 |         23 |                 23 |        |
| https://172.22.0.14:2379 | 9197f28cdea6dd9c |   3.5.4 |   20 kB |     false |      false |         3 |         23 |                 23 |        |
|  https://172.22.0.4:2379 | c2218527ef41ca14 |   3.5.4 |   25 kB |      true |      false |         3 |         23 |                 23 |        |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

8. 优化一下

cp /etc/security/limits.conf /etc/security/limits.conf.bak
cat >>/etc/security/limits.conf <<EOF
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
echo "ulimit -SHn 65535" >> /etc/profile
echo "ulimit -SHn 65535" >> /etc/rc.local

9. 时间同步一下

mv /etc/localtime /etc/localtime.bak
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate cn.pool.ntp.org && hwclock -w

echo "10 * * * * root /usr/sbin/ntpdate cn.pool.ntp.org >> /var/log/ntpdate.log" >> /etc/crontab

10. 重启服务器,重新查看状态

reboot

11. ETCD集群备份

[root@VM-0-12-centos ~]# /data/etcd/bin/etcdctl  --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/etcd.pem --key=/data/etcd/ssl/etcd-key.pem --endpoints=https://172.22.0.12:2379 snapshot save /data/backup/etcd-202205081723.db
{"level":"info","ts":"2023-10-08T21:36:27.784+0800","caller":"snapshot/v3_snapshot.go:65","msg":"created temporary db file","path":"/data/backup/etcd-202205081723.db.part"}
{"level":"info","ts":"2023-10-08T21:36:27.791+0800","logger":"client","caller":"v3/maintenance.go:211","msg":"opened snapshot stream; downloading"}
{"level":"info","ts":"2023-10-08T21:36:27.791+0800","caller":"snapshot/v3_snapshot.go:73","msg":"fetching snapshot","endpoint":"https://172.22.0.12:2379"}
{"level":"info","ts":"2023-10-08T21:36:27.794+0800","logger":"client","caller":"v3/maintenance.go:219","msg":"completed snapshot read; closing"}
{"level":"info","ts":"2023-10-08T21:36:27.796+0800","caller":"snapshot/v3_snapshot.go:88","msg":"fetched snapshot","endpoint":"https://172.22.0.12:2379","size":"20 kB","took":"now"}
{"level":"info","ts":"2023-10-08T21:36:27.796+0800","caller":"snapshot/v3_snapshot.go:97","msg":"saved","path":"/data/backup/etcd-202205081723.db"}
Snapshot saved at /data/backup/etcd-202310082136.db

12. ETCD集群恢复

• 1. 找到备份的 ETCD 数据文件

• 1. 通过命令恢复

/data/etcd/bin/etcdctl  --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/etcd.pem --key=/data/etcd/ssl/etcd-key.pem --endpoints=https://172.22.0.12:2379 snapshot restore /data/backup/etcd-202310082136.db

13. ETCD 节点扩容

例如新加节点IP： 172.22.0.8

• 1. 所有同步 /etc/hosts 节点信息

• 1. 添加节点到 /data/etcd/ssl/etcd-csr.json , 重新生成新的证书

• 1. 同步证书到所有节点 scp /data/etcd/ssl/* 节点地址:/data/etcd/ssl/

• 1. 新节点安装 etcd 二进制

• 1. 修改配置文件 etcd.conf, 在 ETCD_INITIAL_CLUSTER 后添加 etcd4=https://172.22.0.8:2380， 并同步所有,重启服务

• 1. 如下

• 1. 启动新添加的节点

/data/etcd/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/etcd.pem --key=/data/etcd/ssl/etcd-key.pem --endpoints="https://172.22.0.14:2379"  member add etcd4 --peer-urls=https://172.22.0.8:2380

 /data/etcd/bin/etcdctl -w table --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/etcd.pem --key=/data/etcd/ssl/etcd-key.pem --endpoints=https://172.22.0.12:2379,https://172.22.0.14:2379,https://172.22.0.4:2379 member list
+------------------+-----------+-------+--------------------------+--------------------------+------------+
|        ID        |  STATUS   | NAME  |        PEER ADDRS        |       CLIENT ADDRS       | IS LEARNER |
+------------------+-----------+-------+--------------------------+--------------------------+------------+
| 9197f28cdea6dd9c |   started | etcd2 | https://172.22.0.14:2380 | https://172.22.0.14:2379 |      false |
| adcfd99939b3aee8 |   started | etcd1 | https://172.22.0.12:2380 | https://172.22.0.12:2379 |      false |
| c2218527ef41ca14 |   started | etcd3 |  https://172.22.0.4:2380 |  https://172.22.0.4:2379 |      false |
| ee2c6ab6d3897479 | unstarted |       |  https://172.22.0.8:2380 |                          |      false |

~... member list -w table 查看是信息

14. ETCD 节点扩容

1. 先获取节点ID

2. 删除节点ID

/data/etcd/bin/etcdctl -w table --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/etcd.pem --key=/data/etcd/ssl/etcd-key.pem --endpoints=https://172.22.0.12:2379,https://172.22.0.14:2379,https://172.22.0.4:2379,https://172.22.0.8:2379 endpoint status


+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|         ENDPOINT         |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://172.22.0.12:2379 | adcfd99939b3aee8 |   3.5.4 |   20 kB |     false |      false |        15 |        107 |                107 |        |
| https://172.22.0.14:2379 | 9197f28cdea6dd9c |   3.5.4 |   20 kB |      true |      false |        15 |        107 |                107 |        |
|  https://172.22.0.4:2379 | c2218527ef41ca14 |   3.5.4 |   25 kB |     false |      false |        15 |        107 |                107 |        |
|  https://172.22.0.8:2379 | ee2c6ab6d3897479 |   3.5.4 |   20 kB |     false |      false |        15 |        107 |                107 |        |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+


/data/etcd/bin/etcdctl  --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/etcd.pem --key=/data/etcd/ssl/etcd-key.pem --endpoints=https://172.22.0.12:2379,https://172.22.0.14:2379,https://172.22.0.4:2379 member remove <ID>