Deploying etcd for Kubernetes

1. Environment preparation

IP               OS             Role     Installed software  Hostname
192.168.186.139  centos7.6_x64  master1  docker,etcd         k8s-master01
192.168.186.141  centos7.6_x64  node1    docker,etcd         k8s-node01
192.168.186.142  centos7.6_x64  node2    docker,etcd         k8s-node02

This tutorial uses the CentOS 7 minimal image as the operating system.

2. Deployment methods

2.1 minikube

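       Minikube is a tool that quickly runs a single-node Kubernetes locally. It is intended only for users who want to try Kubernetes or use it for day-to-day development. Deployment guide: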

https://kubernetes.io/docs/setup/minikube/

2.2 kubeadm

       Kubeadm is also a tool. It provides kubeadm init and kubeadm join for quickly deploying a Kubernetes cluster. Deployment guide:

https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm/

2.3 binary

        Recommended. Download the release binaries from the official site and deploy each component by hand to form a Kubernetes cluster. Download:

https://github.com/kubernetes/kubernetes/releases

3. Cluster planning

Single-master cluster

4. Self-signed SSL certificates

Component       Certificates used
etcd            ca.pem,server.pem,server-key.pem
flannel         ca.pem,server.pem,server-key.pem
kube-apiserver  ca.pem,server.pem,server-key.pem
kubelet         ca.pem,ca-key.pem
kube-proxy      ca.pem,kube-proxy.pem,kube-proxy-key.pem
kubectl         ca.pem,admin.pem,admin-key.pem

4.1 Install cfssl

curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo

4.2 etcd certificates

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.186.139",
    "192.168.186.141",
    "192.168.186.142"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

Here 192.168.186.139, 192.168.186.141 and 192.168.186.142 are the three etcd machines.

etcd CA certificate
[root@k8s-master01 k8s-cert]# cat > ca-config.json <<EOF
> {
>   "signing": {
>     "default": {
>       "expiry": "87600h"
>     },
>     "profiles": {
>       "www": {
>          "expiry": "87600h",
>          "usages": [
>             "signing",
>             "key encipherment",
>             "server auth",
>             "client auth"
>         ]
>       }
>     }
>   }
> }
> EOF
[root@k8s-master01 k8s-cert]# 
[root@k8s-master01 k8s-cert]# cat > ca-csr.json <<EOF
> {
>     "CN": "etcd CA",
>     "key": {
>         "algo": "rsa",
>         "size": 2048
>     },
>     "names": [
>         {
>             "C": "CN",
>             "L": "Beijing",
>             "ST": "Beijing"
>         }
>     ]
> }
> EOF
[root@k8s-master01 k8s-cert]# ls
ca-config.json  ca-csr.json  cfssl.sh  etcd-cert.sh

[root@k8s-master01 k8s-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/04/17 17:35:51 [INFO] generating a new CA key and certificate from CSR
2019/04/17 17:35:51 [INFO] generate received request
2019/04/17 17:35:51 [INFO] received CSR
2019/04/17 17:35:51 [INFO] generating key: rsa-2048
2019/04/17 17:35:51 [INFO] encoded CSR
2019/04/17 17:35:51 [INFO] signed certificate with serial number 19362195409262761163364083373669733716717649253

[root@k8s-master01 k8s-cert]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  cfssl.sh  etcd-cert.sh

[root@k8s-master01 k8s-cert]# cat > server-csr.json <<EOF
> {
>     "CN": "etcd",
>     "hosts": [
>     "192.168.186.139",
>     "192.168.186.141",
>     "192.168.186.142"
>     ],
>     "key": {
>         "algo": "rsa",
>         "size": 2048
>     },
>     "names": [
>         {
>             "C": "CN",
>             "L": "BeiJing",
>             "ST": "BeiJing"
>         }
>     ]
> }
> EOF
[root@k8s-master01 k8s-cert]# ll
total 32
-rw-r--r-- 1 root root  287 Apr 17 17:34 ca-config.json
-rw-r--r-- 1 root root  956 Apr 17 17:35 ca.csr
-rw-r--r-- 1 root root  209 Apr 17 17:34 ca-csr.json
-rw------- 1 root root 1679 Apr 17 17:35 ca-key.pem
-rw-r--r-- 1 root root 1265 Apr 17 17:35 ca.pem
-rw-r--r-- 1 root root  342 Oct 20 23:08 cfssl.sh
-rw-r--r-- 1 root root 1088 Aug 27  2018 etcd-cert.sh
-rw-r--r-- 1 root root  296 Apr 17 17:44 server-csr.json

[root@k8s-master01 k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2019/04/17 17:45:55 [INFO] generate received request
2019/04/17 17:45:55 [INFO] received CSR
2019/04/17 17:45:55 [INFO] generating key: rsa-2048
2019/04/17 17:45:55 [INFO] encoded CSR
2019/04/17 17:45:55 [INFO] signed certificate with serial number 701496650760603801976943167457047477178197782049
2019/04/17 17:45:55 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@k8s-master01 k8s-cert]# ll
total 44
-rw-r--r-- 1 root root  287 Apr 17 17:34 ca-config.json
-rw-r--r-- 1 root root  956 Apr 17 17:35 ca.csr
-rw-r--r-- 1 root root  209 Apr 17 17:34 ca-csr.json
-rw------- 1 root root 1679 Apr 17 17:35 ca-key.pem
-rw-r--r-- 1 root root 1265 Apr 17 17:35 ca.pem
-rw-r--r-- 1 root root  342 Oct 20 23:08 cfssl.sh
-rw-r--r-- 1 root root 1088 Aug 27  2018 etcd-cert.sh
-rw-r--r-- 1 root root 1013 Apr 17 17:45 server.csr
-rw-r--r-- 1 root root  296 Apr 17 17:44 server-csr.json
-rw------- 1 root root 1675 Apr 17 17:45 server-key.pem
-rw-r--r-- 1 root root 1338 Apr 17 17:45 server.pem
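
The hosts list in server-csr.json becomes the certificate's IP SANs, and every etcd member address has to appear there or TLS between members fails (the first problem in section 5.3). The following pre-flight check is an added example, not part of the original tutorial: the function names are hypothetical, and it assumes openssl is installed and that members are addressed by IP as on this page.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): check that every etcd member
# address is covered by the IP SANs of the server certificate.

# cluster_ips "<name=https://IP:2380,...>": print each member IP on its own line.
cluster_ips() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n -E 's#^[^=]+=https?://([0-9.]+):[0-9]+$#\1#p'
}

# san_ips: read `openssl x509 -noout -text` output on stdin, print the IP SANs.
san_ips() {
  grep -A1 'Subject Alternative Name' | tr ',' '\n' |
    sed -n -E 's/^ *IP Address:([0-9.]+) *$/\1/p'
}

# missing_sans "<cluster string>" "<SAN IPs, one per line>":
# print every member IP that the certificate does not cover.
missing_sans() {
  local ip
  for ip in $(cluster_ips "$1"); do
    printf '%s\n' "$2" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
  done
}

# check_cert <server.pem> "<cluster string>"
# Returns 0 if all members are covered, 1 if any is missing, 2 on bad input.
check_cert() {
  local sans missing
  [ -r "$1" ] || { echo "cannot read certificate: $1" >&2; return 2; }
  [ -n "$(cluster_ips "$2")" ] || { echo "no member URLs in: $2" >&2; return 2; }
  sans=$(openssl x509 -in "$1" -noout -text | san_ips)
  missing=$(missing_sans "$2" "$sans")
  [ -z "$missing" ] && return 0
  printf 'member address not in certificate SANs: %s\n' $missing >&2
  return 1
}

# Run directly: ./check-sans.sh /opt/etcd/ssl/server.pem "<ETCD_INITIAL_CLUSTER value>"
if [ "$#" -eq 2 ]; then check_cert "$1" "$2"; fi
```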

5. Single-master deployment

5.1 Basic preparation

1. Disable SELinux
2. Disable the firewall
3. Set the hostname
etcd.sh
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.186.139 etcd02=https://192.168.186.140:2380,etcd03=https://192.168.186.141:2380

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

WORK_DIR=/opt/etcd

cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
etcd configuration file and unit file on the master machine
[root@k8s-master01 cfg]# pwd
/opt/etcd/cfg
[root@k8s-master01 cfg]# cat etcd 
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.186.139:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.186.139:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.186.139:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.186.139:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.186.139:2380,etcd02=https://192.168.186.141:2380,etcd03=https://192.168.186.142:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

[root@k8s-master01 cfg]# cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd --name=${ETCD_NAME} --data-dir=${ETCD_DATA_DIR} --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} --initial-cluster=${ETCD_INITIAL_CLUSTER} --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} --initial-cluster-state=new --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
etcd configuration file and unit file on the node01 machine
[root@k8s-node01 cfg]# cat /opt/etcd/cfg/etcd 
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.186.141:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.186.141:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.186.141:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.186.141:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.186.139:2380,etcd02=https://192.168.186.141:2380,etcd03=https://192.168.186.142:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

[root@k8s-node01 cfg]# cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd --name=${ETCD_NAME} --data-dir=${ETCD_DATA_DIR} --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} --initial-cluster=${ETCD_INITIAL_CLUSTER} --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} --initial-cluster-state=new --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
etcd configuration file and unit file on the node02 machine
[root@k8s-node02 cfg]# cat /opt/etcd/cfg/etcd 
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.186.142:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.186.142:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.186.142:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.186.142:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.186.139:2380,etcd02=https://192.168.186.141:2380,etcd03=https://192.168.186.142:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

[root@k8s-node02 cfg]# cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd --name=${ETCD_NAME} --data-dir=${ETCD_DATA_DIR} --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} --initial-cluster=${ETCD_INITIAL_CLUSTER} --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} --initial-cluster-state=new --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
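
The unit files above turn TLS on, but two settings are worth checking before other components depend on this cluster. The extra http://127.0.0.1:2379 client listener is plaintext, and --trusted-ca-file alone does not make etcd require a client certificate: that needs --client-cert-auth and, between members, --peer-client-cert-auth. The following audit is an added example, not part of the original tutorial, and its function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit an etcd systemd unit and
# its EnvironmentFile for plaintext listeners and missing certificate enforcement.

# enabled <tokens> <flag> <ENV_VAR>: true if a boolean option is switched on,
# either as a command-line flag or as an ETCD_* environment variable.
enabled() {
  printf '%s\n' "$1" | grep -Eq -e "^--$2(=true)?\$" -e "^$3=\"?true\"?\$"
}

# plaintext <tokens> <flag> <ENV_VAR>: true if a listen option has an http:// URL.
plaintext() {
  printf '%s\n' "$1" | grep -E -e "^--$2=" -e "^$3=" | grep -q 'http://'
}

# audit_etcd_tls <etcd.service> <env-file>
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
audit_etcd_tls() {
  local tokens rc=0
  [ -r "$1" ] && [ -r "$2" ] || { echo "usage: audit_etcd_tls UNIT ENVFILE" >&2; return 2; }
  # One token per line: split on whitespace and on backslash line continuations.
  tokens=$(cat "$1" "$2" | tr -s ' \t\\' '\n')
  if plaintext "$tokens" listen-client-urls ETCD_LISTEN_CLIENT_URLS; then
    echo "listen-client-urls: plaintext http:// listener"; rc=1
  fi
  if plaintext "$tokens" listen-peer-urls ETCD_LISTEN_PEER_URLS; then
    echo "listen-peer-urls: plaintext http:// listener"; rc=1
  fi
  if ! enabled "$tokens" client-cert-auth ETCD_CLIENT_CERT_AUTH; then
    echo "client-cert-auth: off, client certificates are not required"; rc=1
  fi
  if ! enabled "$tokens" peer-client-cert-auth ETCD_PEER_CLIENT_CERT_AUTH; then
    echo "peer-client-cert-auth: off, peer certificates are not required"; rc=1
  fi
  return "$rc"
}

# Run directly: ./audit.sh /usr/lib/systemd/system/etcd.service /opt/etcd/cfg/etcd
if [ "$#" -eq 2 ]; then audit_etcd_tls "$1" "$2"; fi
```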

5.2 Deploying etcd

5.2.1 Download

Binary package download:

https://github.com/etcd-io/etcd/releases

5.2.2 Detailed deployment

[root@k8s-master01 ~]# mkdir soft
[root@k8s-master01 ~]# cd soft/
[root@k8s-master01 soft]# rz -E
rz waiting to receive.
[root@k8s-master01 soft]# ls
etcd-v3.3.10-linux-amd64.tar.gz
[root@k8s-master01 soft]# tar xf etcd-v3.3.10-linux-amd64.tar.gz 
[root@k8s-master01 soft]# cd etcd-v3.3.10-linux-amd64/
[root@k8s-master01 etcd-v3.3.10-linux-amd64]# mkdir -p /opt/etcd/{ssl,cfg,bin} -p 
[root@k8s-master01 etcd-v3.3.10-linux-amd64]# mv etcd etcdctl /opt/etcd/bin/
[root@k8s-master01 etcd-v3.3.10-linux-amd64]# ls /opt/etcd/bin/
etcd  etcdctl  <---- etcd starts the etcd service; etcdctl is the client used to manage etcd
[root@k8s-master01 k8s]# ls
etcd-cert  etcd.sh  k8s-cert
[root@k8s-master01 k8s]# chmod +x etcd.sh 
[root@k8s-master01 k8s-cert]# ls
ca-config.json  ca-csr.json  ca.pem    etcd-cert.sh  server-csr.json  server.pem
ca.csr          ca-key.pem   cfssl.sh  server.csr    server-key.pem
[root@k8s-master01 k8s-cert]# pwd
/root/k8s/k8s-cert
[root@k8s-master01 k8s-cert]# cp {ca,server-key,server}.pem /opt/etcd/ssl/
[root@k8s-master01 k8s-cert]# ls /opt/etcd/ssl/
ca.pem  server-key.pem  server.pem

[root@k8s-master01 k8s]# ./etcd.sh etcd01 192.168.186.139 etcd02=https://192.168.186.140:2380,etcd03=https://192.168.186.141:2380
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
The command hangs at this point because it is waiting for the other members.

Copy to the other machines
[root@k8s-master01 ~]# scp -r /opt/etcd/ root@192.168.186.141:/opt/
The authenticity of host '192.168.186.141 (192.168.186.141)' can't be established.
ECDSA key fingerprint is SHA256:liHoRWT1+1BGJquXvy2VzVd7bU1+Si/RNb7vIyFWpd8.
ECDSA key fingerprint is MD5:5a:81:8f:74:20:b6:89:e6:a9:14:9f:58:60:e9:7d:53.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.186.141' (ECDSA) to the list of known hosts.
root@192.168.186.141's password: 
ca.pem                                                                                          100% 1265     1.4MB/s   00:00    
server-key.pem                                                                                  100% 1675     1.2MB/s   00:00    
server.pem                                                                                      100% 1338     1.9MB/s   00:00    
etcd                                                                                            100%  523   256.9KB/s   00:00    
etcd                                                                                            100%   18MB  80.3MB/s   00:00    
etcdctl                                                                                         100%   15MB  77.4MB/s   00:00    
[root@k8s-master01 ~]# scp -r /opt/etcd/ root@192.168.186.142:/opt/
The authenticity of host '192.168.186.142 (192.168.186.142)' can't be established.
ECDSA key fingerprint is SHA256:smdGSwwemIA+SHBzs0Lrnjg8ugPzneHChLWhl0y0m38.
ECDSA key fingerprint is MD5:f0:66:dc:78:d3:98:77:97:2c:be:69:58:22:73:a6:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.186.142' (ECDSA) to the list of known hosts.
root@192.168.186.142's password: 
ca.pem                                                                                          100% 1265     1.2MB/s   00:00    
server-key.pem                                                                                  100% 1675     1.1MB/s   00:00    
server.pem                                                                                      100% 1338   770.6KB/s   00:00    
etcd                                                                                            100%  523   278.0KB/s   00:00    
etcd                                                                                            100%   18MB  71.6MB/s   00:00    
etcdctl   

[root@k8s-master01 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.186.141:/usr/lib/systemd/system/
root@192.168.186.141's password: 
etcd.service                                                                                    100%  923     1.3MB/s   00:00    
[root@k8s-master01 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.186.142:/usr/lib/systemd/system/
root@192.168.186.142's password: 
etcd.service                                                                                    100%  923   818.2KB/s   00:00  

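Copy the configuration file and the unit file to the other machines, then edit the configuration on each of them. The finished configuration files are the three shown in section 5.1.

Be sure to edit the etcd configuration file on the other two machines.

5.2.3 Start etcd on all machines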

[root@k8s-master01 ssl]# systemctl start etcd
[root@k8s-node01 ssl]# systemctl start etcd
[root@k8s-node02 cfg]# systemctl start etcd

5.2.4 Check cluster status

/opt/etcd/bin/etcdctl \
--ca-file=/opt/etcd/ssl/ca.pem \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--endpoints="https://192.168.186.139:2379,https://192.168.186.141:2379,https://192.168.186.142:2379" \
cluster-health
Session
[root@k8s-master01 ssl]# /opt/etcd/bin/etcdctl \
> --ca-file=/opt/etcd/ssl/ca.pem \
> --cert-file=/opt/etcd/ssl/server.pem \
> --key-file=/opt/etcd/ssl/server-key.pem \
> --endpoints="https://192.168.186.139:2379,https://192.168.186.141:2379,https://192.168.186.142:2379" \
> cluster-health
member b4802607144fc88c is healthy: got healthy result from https://192.168.186.139:2379
member d6d33d0b4d38dddf is healthy: got healthy result from https://192.168.186.142:2379
member ecb4d60ee7b08012 is healthy: got healthy result from https://192.168.186.141:2379
cluster is healthy

[root@k8s-node01 cfg]# /opt/etcd/bin/etcdctl \
> --ca-file=/opt/etcd/ssl/ca.pem \
> --cert-file=/opt/etcd/ssl/server.pem \
> --key-file=/opt/etcd/ssl/server-key.pem \
> --endpoints="https://192.168.186.139:2379,https://192.168.186.141:2379,https://192.168.186.142:2379" \
> cluster-health
member b4802607144fc88c is healthy: got healthy result from https://192.168.186.139:2379
member d6d33d0b4d38dddf is healthy: got healthy result from https://192.168.186.142:2379
member ecb4d60ee7b08012 is healthy: got healthy result from https://192.168.186.141:2379
cluster is healthy

[root@k8s-node02 cfg]# /opt/etcd/bin/etcdctl \
> --ca-file=/opt/etcd/ssl/ca.pem \
> --cert-file=/opt/etcd/ssl/server.pem \
> --key-file=/opt/etcd/ssl/server-key.pem \
> --endpoints="https://192.168.186.139:2379,https://192.168.186.141:2379,https://192.168.186.142:2379" \
> cluster-health
member b4802607144fc88c is healthy: got healthy result from https://192.168.186.139:2379
member d6d33d0b4d38dddf is healthy: got healthy result from https://192.168.186.142:2379
member ecb4d60ee7b08012 is healthy: got healthy result from https://192.168.186.141:2379
cluster is healthy

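The output above shows that the etcd machines are OK.

5.3 Common problems

  • etcd will not start
Error 1
HTTPS communication between etcd members is based on certificates. The IP addresses in my certificate were wrong.
  • etcd starts but does not join the cluster
Error 2
Symptom: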
Apr 18 10:34:45 k8s-master01 etcd: request cluster ID mismatch (got cf138cda9790f1d0 want 8732ef518b18f052)

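Solution:
At this point the etcd nodes have all started but cannot connect to each other, and the log shows a request cluster ID mismatch error. Find the etcd data directory: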

[root@k8s-master01 ssl]# grep -i ETCD_DATA_DIR /opt/etcd/cfg/etcd 
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"

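Delete /var/lib/etcd/default.etcd on every node and restart etcd to resolve this.
Because this deletes the data directory, do not delete it directly if this is not a newly created etcd cluster or if it holds important data.

You can use journalctl -xefu etcd to troubleshoot in detail.

Troubleshooting approach
How to troubleshoot common deployment problems
View the error messages in the logs as follows: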
systemctl status kubelet
systemctl restart kubelet && journalctl -xefu kubelet
systemctl restart kube-apiserver.service && journalctl -xefu kube-apiserver
journalctl -u kubelet
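tail -f /var/log/messages
or output the application's log directly

Check the following in order
1. iptables firewall and SELinux issues
2. Whether the clocks are synchronized
3. Whether the binaries exist
4. Whether the configuration file was left partly unedited or contains extra spaces
5. Whether the directories exist
6. Whether the certificates exist and are correct [the three etcd machines must be specified at initialization; I got this wrong the first time and spent a long time on the certificate problem]
  • Adding a new machine to the etcd cluster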
https://github.com/k8sp/sextant/issues/333