
ETCD: Installation and Deployment

2024-01-20 Finance

uster

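When etcd starts, it uses this setting to find the addresses of the other etcd nodes. Format: 'node-name-1=node-IP-1:2380,node-name-1=node-ip-1:2380,.....'

--initial-cluster-state

The state of the cluster at initialization, either "new" or "existing": new means a newly created cluster, existing means joining a cluster that already exists.

--advertise-client-urls

If --listen-client-urls is configured with several addresses that listen for client requests, this parameter states which address clients are advised to use to reach etcd.

--initial-advertise-peer-urls

List of addresses used for communication between the servers.

--listen-client-urls

List of addresses that listen for client requests. Format: ''; separate multiple addresses with commas.

--listen-peer-urls

Listen address for communication between server nodes. Format: ''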

Verification

    # Check the cluster status
    [root@linux9 ~]# etcdctl endpoint status --cluster -w table
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    | ENDPOINT |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    |          | 9a20d64f814efc90 |  3.4.23 |   20 kB |      true |      false |         2 |          4 |                  4 |        |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    # Set a key and value
    [root@linux9 ~]# etcdctl put greeting "Hello, etcd"
    OK
    # Get the value
    [root@linux9 ~]# etcdctl get greeting
    greeting
    Hello, etcd

Deploy with a docker container

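Official documentation reference address: ; the official docker example starts etcd with command-line parameters, which is not recommended.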

    # Create the data directory and the configuration directory
    [root@linux9 ~]# mkdir -p /etc/etcd
    [root@linux9 ~]# mkdir -p /data/etcd
    # Change the ownership of the data directory, otherwise data cannot be written
    [root@linux9 ~]# chown -R 1001:1001 /data/etcd/
    # Create the etcd configuration file
    [root@linux9 ~]# cat /etc/etcd/etcd.conf
    # Node name
    name: 'etcd-1'
    # Data storage directory of this node
    data-dir: '/data'
    # Address that serves external requests; clients connect here to talk to etcd
    listen-client-urls: ''
    # Start the etcd container
    [root@linux9 ~]# docker run -d --name etcd -p 2379:2379 -v /data/etcd:/data -v /etc/etcd:/conf bitnami/etcd:latest etcd --config-file /conf/etcd.conf
    # Access verification
    [root@linux9 etcd]# docker exec etcd sh -c "etcd --version"
    etcd Version: 3.5.6
    Git SHA: cecbe35ce
    Go Version: go1.16.15
    Go OS/Arch: linux/amd64
    [root@linux9 etcd]# docker exec etcd sh -c "etcdctl version"
    etcdctl version: 3.5.6
    API version: 3.5
    [root@linux9 etcd]# docker exec etcd sh -c "etcdctl endpoint status --cluster -w table"
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    | ENDPOINT |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    |          | 8e9e05c52164694d |   3.5.6 |   20 kB |      true |      false |         6 |         13 |                 13 |        |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    [root@linux9 etcd]# docker exec etcd sh -c "etcdctl put foo bar"
    OK
    [root@linux9 etcd]# docker exec etcd sh -c "etcdctl get foo"
    foo
    bar

Deploy the etcdkeeper web management tool

    [root@linux9 ~]# docker run -d -p 8080:8080 --name=etcdkeeper evildecay/etcdkeeper:latest

Deploy an etcd cluster from binary files

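In production, or in any environment that requires high availability, etcd has to be deployed in its high-availability mode. etcd's Raft protocol guarantees data consistency across the nodes. Use an odd number of nodes, three or more, for the cluster to reach good fault tolerance.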

Role planning

    Hostname     OS           IP address        Deployed component
    tiaoban      CentOS 8.5   192.168.10.100    etcd1
    k8s-work1    CentOS 8.5   192.168.10.11     etcd2
    k8s-work2    CentOS 8.5   192.168.10.12     etcd3

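We deploy etcd in a three-node high-availability layout. The IP addresses of the three nodes are 192.168.10.100, 192.168.10.11 and 192.168.10.12. The main difference between the nodes' etcd configuration files is the IP address and the name of the current node. Deployment and startup are exactly the same as for a single node; only the contents of the configuration file need to change.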

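Notes

--listen-client-urls is used to listen for client messages and must be set to a real IP address. On a cloud host it can be set to the host's private IP address or to 0.0.0.0 (meaning listen on all addresses); it cannot be set to the public IP address. Binding 0.0.0.0 exposes the client port on every interface, so restrict access with a firewall or with the TLS client authentication configured later on this page.

--listen-peer-urls is used to listen for messages sent by the other members. As with listen-client-urls, it must be set to a real IP address; on a cloud host it cannot be set to the public IP.

--initial-advertise-peer-urls is used for the synchronization signals of the other members. The other members must be able to reach this address directly, so on a cloud host it must be set to the host's public IP address.

--initial-cluster is the cluster list; the values in this list must be the same as each member's initial-advertise-peer-urls value.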
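
A check for the notes above, as an added example that is not part of the original article: it compares one member's settings with the initial-cluster list and flags listen addresses that are not IP addresses, are public IPs, or bind every interface without TLS. The node names and IPs follow the role plan; the http:// URLs, ports and the `public_ips` argument are assumptions, since the page's own URL values did not survive.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_initial_cluster(value):
    """Split 'name1=url1,name2=url2' into {name: url}."""
    members = {}
    for item in value.split(","):
        name, sep, url = item.strip().partition("=")
        if not (name and sep and url):
            raise ValueError(f"malformed initial-cluster entry: {item!r}")
        members[name] = url
    return members

def check_member(conf, public_ips=()):
    """Return findings for one member's settings (etcd.conf keys as a dict)."""
    name, findings = conf["name"], []
    listed = parse_initial_cluster(conf["initial-cluster"]).get(name)
    if listed != conf["initial-advertise-peer-urls"]:
        findings.append(f"{name}: initial-cluster has {listed}, but "
                        f"initial-advertise-peer-urls is {conf['initial-advertise-peer-urls']}")
    for key in ("listen-client-urls", "listen-peer-urls"):
        for url in conf[key].split(","):
            parts = urlsplit(url.strip())
            try:
                ip = ipaddress.ip_address(parts.hostname or "")
            except ValueError:
                findings.append(f"{name}: {key} {url} is not an IP address")
                continue
            if str(ip) in public_ips:
                findings.append(f"{name}: {key} binds public IP {ip}")
            if ip.is_unspecified and parts.scheme == "http":
                findings.append(f"{name}: {key} listens on all interfaces without TLS")
    return findings

# Constructed sample: names and IPs follow the role plan; the http:// URLs and
# ports 2379/2380 are assumptions, not values recovered from the page.
CLUSTER = ("etcd1=http://192.168.10.100:2380,etcd2=http://192.168.10.11:2380,"
           "etcd3=http://192.168.10.12:2380")
GOOD = {"name": "etcd1", "initial-cluster": CLUSTER,
        "initial-advertise-peer-urls": "http://192.168.10.100:2380",
        "listen-peer-urls": "http://192.168.10.100:2380",
        "listen-client-urls": "http://192.168.10.100:2379,http://127.0.0.1:2379"}
# etcd1's file copied to the second node with only the name changed
BAD = {**GOOD, "name": "etcd2", "listen-client-urls": "http://0.0.0.0:2379"}

if __name__ == "__main__":
    for conf in (GOOD, BAD):
        print(conf["name"], check_member(conf, public_ips={"203.0.113.10"}) or "ok")
```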

tiaoban node configuration

    # Node name
    name: "etcd1"
    # Data storage directory
    data-dir: "/data/etcd"
    # Client listen address of this node that is advertised externally; this value is told to the other nodes in the cluster
    advertise-client-urls: ""
    # List of addresses that listen for client requests
    listen-client-urls: ","
    # Listen URL: the listen address for communication between nodes
    listen-peer-urls: ""
    # List of addresses used for communication between the servers; this node's peer listen address, told to the other nodes in the cluster
    initial-advertise-peer-urls: ""
    # List of the node addresses of the etcd cluster
    initial-cluster: "etcd1=,etcd2=,etcd3="
    # Initial cluster token of the etcd cluster
    initial-cluster-token: 'etcd-cluster'
    # Initial state of the etcd cluster: new means a new cluster, existing means joining an existing cluster
    initial-cluster-state: 'new'

k8s-work1 node configuration

    # Node name
    name: "etcd2"
    # Data storage directory
    data-dir: "/data/etcd"
    # Client listen address of this node that is advertised externally; this value is told to the other nodes in the cluster
    advertise-client-urls: ""
    # List of addresses that listen for client requests
    listen-client-urls: ","
    # Listen URL: the listen address for communication between nodes
    listen-peer-urls: ""
    # List of addresses used for communication between the servers; this node's peer listen address, told to the other nodes in the cluster
    initial-advertise-peer-urls: ""
    # List of the node addresses of the etcd cluster
    initial-cluster: "etcd1=,etcd2=,etcd3="
    # Initial cluster token of the etcd cluster
    initial-cluster-token: 'etcd-cluster'
    # Initial state of the etcd cluster: new means a new cluster, existing means joining an existing cluster
    initial-cluster-state: 'new'

k8s-work2 node configuration

    # Node name
    name: "etcd3"
    # Data storage directory
    data-dir: "/data/etcd"
    # Client listen address of this node that is advertised externally; this value is told to the other nodes in the cluster
    advertise-client-urls: ""
    # List of addresses that listen for client requests
    listen-client-urls: ","
    # Listen URL: the listen address for communication between nodes
    listen-peer-urls: ""
    # List of addresses used for communication between the servers; this node's peer listen address, told to the other nodes in the cluster
    initial-advertise-peer-urls: ""
    # List of the node addresses of the etcd cluster
    initial-cluster: "etcd1=,etcd2=,etcd3="
    # Initial cluster token of the etcd cluster
    initial-cluster-token: 'etcd-cluster'
    # Initial state of the etcd cluster: new means a new cluster, existing means joining an existing cluster
    initial-cluster-state: 'new'

Access verification

    [root@k8s-master etcd]# etcdctl endpoint status --cluster -w table
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    | ENDPOINT |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    |          | 5d2c1bd3b22f796f |  3.4.23 |   20 kB |      true |      false |         3 |          9 |                  9 |        |
    |          | 8c632555af4d958d |  3.4.23 |   16 kB |     false |      false |         3 |          9 |                  9 |        |
    |          | bc34c6bd673bdf9f |  3.4.23 |   20 kB |     false |      false |         3 |          9 |                  9 |        |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    [root@k8s-master etcd]# etcdctl put foo bar
    OK
    [root@k8s-master etcd]# etcdctl get foo
    foo
    bar

Deploy a TLS-encrypted cluster

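etcd supports encrypted communication over the TLS protocol. In real enterprise production environments, security requirements make it advisable to turn TLS encryption on. A TLS channel can encrypt the cluster's internal communication and can also encrypt client requests.

etcd has two sets of TLS settings: one for the TLS configuration between etcd and the client side, and one for the TLS configuration between etcd peers. There are several ways to create the CA certificate and the certificates issued from it; two of the more popular tools are:

openssl
cfssl

The official documentation recommends using cfssl to generate the certificates.

Download and install cfssl

Download address: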

    [root@tiaoban ~]# wget _1.6.3_linux_amd64
    [root@tiaoban ~]# wget _1.6.3_linux_amd64
    [root@tiaoban ~]# mv cfssl_1.6.3_linux_amd64 /usr/bin/cfssl
    [root@tiaoban ~]# mv cfssljson_1.6.3_linux_amd64 /usr/bin/cfssljson
    [root@tiaoban ~]# chmod +x /usr/bin/{cfssl,cfssljson}
    [root@tiaoban ~]# cfssl version
    Version: 1.6.3
    Runtime: go1.18

Create the default configuration files

    [root@tiaoban ~]# cfssl print-defaults config> ca-config.json
    [root@tiaoban ~]# cfssl print-defaults csr> ca-csr.json

Certificate types

Client certificate: used by the server to verify the client's identity
Server certificate: used by the client to verify the server's identity
Peer certificate: used by the etcd cluster members, for both client authentication and server authentication

Create the CA certificate

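Every component needs a certificate, and those certificates are issued by the CA certificate, so we first generate the CA certificate and the signing configuration file that is used afterwards.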

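    # Modify the ca-config configuration
    [root@tiaoban etcd]# cat> ca-config.json < ca-csr.json <

Of the generated files, the following three are used later:

ca-key.pem: private key of the CA certificate
ca.pem: the CA certificate
ca-config.json: certificate signing configuration, needed when the CA certificate issues other certificates

Explanation of the fields in the csr file:

CN: Common Name. apiserver extracts this field from the certificate as the user name of the request (User Name)
O: Organization. apiserver extracts this field from the certificate as the group the requesting user belongs to (Group)

This is the CA certificate, the root certificate that issues the other certificates, and its private key is never handed out as a client certificate. All client certificates used by the components are issued by the CA certificate, so the CN and O of the CA certificate are not very important; the CN and O of the certificates issued later are the ones that take effect.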

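Generate the server certificate

Note that the hosts field must include the IP/hostname information of all etcd nodes, plus 127.0.0.1.

    # Configure the certificate request
    [root@tiaoban etcd]# cat> server-csr.json < client-csr.json <

The peer certificate can be shared or generated separately for each node. If it is shared, the hosts field must include the IP/hostname information of all nodes; if the certificates are generated separately, the hosts field only needs the IP/hostname information of the corresponding node.

    # Configure the certificate request
    [root@tiaoban etcd]# cat> peer-csr.json <

The main change is to turn every original http URL into https and to specify the paths of the certificates and keys.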

    [root@tiaoban etcd]# cat /etc/etcd/etcd.conf
    # Node name
    name: "etcd1"
    # Data storage directory
    data-dir: "/data/etcd"
    # Client listen address of this node that is advertised externally; this value is told to the other nodes in the cluster
    advertise-client-urls: ""
    # List of addresses that listen for client requests
    listen-client-urls: ","
    # Listen URL: the listen address for communication between nodes
    listen-peer-urls: ""
    # List of addresses used for communication between the servers; this node's peer listen address, told to the other nodes in the cluster
    initial-advertise-peer-urls: ""
    # List of the node addresses of the etcd cluster
    initial-cluster: "etcd1=,etcd2=,etcd3="
    # Initial cluster token of the etcd cluster
    initial-cluster-token: 'etcd-cluster'
    # Initial state of the etcd cluster: new means a new cluster, existing means joining an existing cluster
    initial-cluster-state: 'new'
    # Logging configuration
    logger: zap
    # Client TLS
    client-transport-security:
      cert-file: "/etc/etcd/pki/server.pem"
      key-file: "/etc/etcd/pki/server-key.pem"
      client-cert-auth: True
      trusted-ca-file: "/etc/etcd/pki/ca.pem"
    # Peer (node-to-node) TLS
    peer-transport-security:
      cert-file: "/etc/etcd/pki/peer.pem"
      key-file: "/etc/etcd/pki/peer-key.pem"
      client-cert-auth: True
      trusted-ca-file: "/etc/etcd/pki/ca.pem"

Access verification

    [root@tiaoban etcd]# etcdctl --endpoints= --cacert=ca.pem --cert=client.pem --key=client-key.pem endpoint status --cluster -w table
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    | ENDPOINT |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    |          | 6571fb7574e87dba |  3.4.23 |   20 kB |     false |      false |       310 |         46 |                 46 |        |
    |          | 9b449b0ff1d4c375 |  3.4.23 |   20 kB |     false |      false |       310 |         46 |                 46 |        |
    |          |   f330bec74ce6c2 |  3.4.23 |   20 kB |      true |      false |       310 |         46 |                 46 |        |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    [root@tiaoban etcd]# etcdctl --endpoints= --cacert=ca.pem --cert=client.pem --key=client-key.pem put /foo/bar "hello world"
    OK
    [root@tiaoban etcd]# etcdctl --endpoints= --cacert=ca.pem --cert=client.pem --key=client-key.pem get /foo/bar
    /foo/bar
    hello world

Deploy an etcd cluster with helm

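helm can deploy an etcd cluster quickly. The chart supports configuring role-based access control and TLS encryption, and scheduled backups and metrics collection can be switched on as needed. Reference documentation: , maintenance and usage documentation: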

Add the repository and fetch the chart package

    [root@k8s-master k8s-test]# cd etcd/
    [root@k8s-master etcd]# helm repo add my-repo
    "my-repo" has been added to your repositories
    [root@k8s-master etcd]# helm pull my-repo/etcd
    [root@k8s-master etcd]# ls
    etcd-8.8.0.tgz
    [root@k8s-master etcd]# tar -zxf etcd-8.8.0.tgz
    [root@k8s-master etcd]# ls
    etcd  etcd-8.8.0.tgz
    [root@k8s-master etcd]# cd etcd/
    [root@k8s-master etcd]# ls
    Chart.lock  charts  Chart.yaml  README.md  templates  values.yaml

Modify the configuration

    [root@k8s-master etcd]# vim values.yaml
    # Configure the root password
    auth:
      ## Role-based access control parameters
      ## ref:
      ##
      rbac:
        ## @param auth.rbac.create Switch to enable RBAC authentication
        ##
        create: true
        ## @param auth.rbac.allowNoneAuthentication Allow to use etcd without configuring RBAC authentication
        ##
        allowNoneAuthentication: true
        ## @param auth.rbac.rootPassword Root user password. The root user is always `root`
        ##
        rootPassword: "123456" # set the root password (sample value; use a strong one outside a test cluster)
    # Configure the storage
    persistence:
      ## @param persistence.enabled If true, use a Persistent Volume Claim. If false, use emptyDir.
      ##
      enabled: true # change this to false if there is no StorageClass
      ## @param persistence.storageClass Persistent Volume Storage Class
      ## If defined, storageClassName:
      ## If set to "-", storageClassName: "", which disables dynamic provisioning
      ## If undefined (the default) or set to null, no storageClassName spec is
      ## set, choosing the default provisioner. (gp2 on AWS, standard on
      ## GKE, AWS & OpenStack)
      ##
      storageClass: "nfs-client" # fill in the StorageClass name
    # Change the replica count; an odd number, 3 or more, is recommended
    ## @param replicaCount Number of etcd replicas to deploy
    ##
    replicaCount: 3

Install the etcd service

    [root@k8s-master etcd]# kubectl create ns etcd
    namespace/etcd created
    [root@k8s-master etcd]# helm install etcd -n etcd ../etcd
    NAME: etcd
    LAST DEPLOYED: Fri Mar 17 20:43:31 2023
    NAMESPACE: etcd
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    NOTES:
    CHART NAME: etcd
    CHART VERSION: 8.8.0
    APP VERSION: 3.5.7

    ** Please be patient while the chart is being deployed **

    etcd can be accessed via port 2379 on the following DNS name from within your cluster:

    etcd.etcd.svc.cluster.local

    To create a pod that you can use as a etcd client run the following command:

    kubectl run etcd-client --restart='Never' --image docker.io/bitnami/etcd:3.5.7-debian-11-r14 --env ROOT_PASSWORD=$(kubectl get secret --namespace etcd etcd -o jsonpath="{.data.etcd-root-password}" | base64 -d) --env ETCDCTL_ENDPOINTS="etcd.etcd.svc.cluster.local:2379" --namespace etcd --command -- sleep infinity

    Then, you can set/get a key using the commands below:

    kubectl exec --namespace etcd -it etcd-client -- bash
    etcdctl --user root:$ROOT_PASSWORD put /message Hello
    etcdctl --user root:$ROOT_PASSWORD get /message

    To connect to your etcd server from outside the cluster execute the following commands:

    kubectl port-forward --namespace etcd svc/etcd 2379:2379 &
    echo "etcd URL: "

    * As rbac is enabled you should add the flag `--user root:$ETCD_ROOT_PASSWORD` to the etcdctl commands. Use the command below to export the password:

    export ETCD_ROOT_PASSWORD=$(kubectl get secret --namespace etcd etcd -o jsonpath="{.data.etcd-root-password}" | base64 -d)

View resource information

    [root@k8s-master etcd]# kubectl get pod -n etcd -o wide
    NAME     READY   STATUS    RESTARTS   AGE     IP             NODE        NOMINATED NODE   READINESS GATES
    etcd-0   1/1     Running   0          1m13s   10.244.1.154   k8s-work1
    etcd-1   1/1     Running   0          1m13s   10.244.2.50    k8s-work2
    etcd-2   1/1     Running   0          1m13s   10.244.1.155   k8s-work1
    [root@k8s-master etcd]# kubectl get svc -n etcd
    NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
    etcd            ClusterIP   10.102.32.213                 2379/TCP,2380/TCP   9m48s
    etcd-headless   ClusterIP   None                          2379/TCP,2380/TCP   9m48s

Access verification

    [root@k8s-master ~]# kubectl run etcd-client --restart='Never' --image docker.io/bitnami/etcd:3.5.7-debian-11-r14 --env ROOT_PASSWORD=$(kubectl get secret --namespace etcd etcd -o jsonpath="{.data.etcd-root-password}" | base64 -d) --env ETCDCTL_ENDPOINTS="etcd.etcd.svc.cluster.local:2379" --namespace etcd --command -- sleep infinity
    pod/etcd-client created
    [root@k8s-master ~]# kubectl exec --namespace etcd -it etcd-client -- bash
    I have no name!@etcd-client:/opt/bitnami/etcd$ etcdctl --user root:$ROOT_PASSWORD put /message Hello
    OK
    I have no name!@etcd-client:/opt/bitnami/etcd$ etcdctl --user root:$ROOT_PASSWORD get /message
    /message
    Hello
    I have no name!@etcd-client:/opt/bitnami/etcd$ etcdctl --user root:$ROOT_PASSWORD endpoint status --cluster -w table
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    | ENDPOINT |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
    |          | 3362be9fd588dbe9 |   3.5.7 |   20 kB |     false |      false |         7 |       3392 |               3392 |        |
    |          |   7b5916ac26f643 |   3.5.7 |   20 kB |      true |      false |         7 |       3393 |               3393 |        |
    |          |   7b5916ac26f643 |   3.5.7 |   20 kB |      true |      false |         7 |       3394 |               3394 |        |
    |          | ee715aec72e126b7 |   3.5.7 |   20 kB |     false |      false |         7 |       3395 |               3395 |        |
    |          | ee715aec72e126b7 |   3.5.7 |   20 kB |     false |      false |         7 |       3396 |               3396 |        |
    |          | 3362be9fd588dbe9 |   3.5.7 |   20 kB |     false |      false |         7 |       3397 |               3397 |        |
    +----------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
