首页手记 etcd实战

etcd实战

标签：

Go Kubernetes 运维

INSTALL

基础环境配置

关闭selinux

sed -i 's/^SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux

构建新的YUM

yum install -y wget
mkdir -p /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum install epel-release
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

安装基础软件

yum install python-devel gcc zlib zlib-devel openssl-devel tcpdump net-tools lsof telnet ntp vim-* -y
yum install epel-release -y
yum install python-pip -y
pip install --upgrade pip

时间同步

yum install -y crontabs
systemctl restart crond
systemctl enable crond
systemctl reload crond
timedatectl set-timezone Asia/Shanghai
timedatectl set-local-rtc 1
hwclock --systohc --utc
cat >>/var/spool/cron/${USER}<<EOF
*/1 * * * * /usr/sbin/ntpdate ntp1.aliyun.com > /dev/null 2>&1
*/5 * * * * /usr/sbin/ntpdate ntp2.aliyun.com > /dev/null 2>&1
EOF

关闭防火墙服务和NetworkManager服务

systemctl stop firewalld.service
systemctl disable firewalld.service
iptables -F

systemctl stop NetworkManager.service
systemctl disable NetworkManager.service

关闭swap

swapoff -a
sed -i 's/.*swap.*/#&/' /etc/fstab

设置文件描述符

cat >>/etc/rc.local<<EOF
#open files
ulimit -SHn 65535
#stack size
ulimit -s 65535
EOF

优化sshd服务

cp /etc/ssh/sshd_config{,.bak}
cat >/etc/ssh/sshd_config<<EOF
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem	sftp	/usr/libexec/openssh/sftp-server
UseDNS=no
UseDNS=no
IgnoreRhosts yes
EOF

内核优化

cat >/etc/sysctl.conf<<EOF
# 关闭 ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 开启恶意 icmp 错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1

# 关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# 开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# 处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# 关闭 sysrq 功能
kernel.sysrq = 0

# core 文件名中添加 pid 作为扩展名
kernel.core_uses_pid = 1

# 开启 SYN 洪水攻击保护
net.ipv4.tcp_syncookies = 1

# 修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536

# 设置最大内存共享段大小 bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# timewait 的数量，默认 180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# 每个网络接口接收数据包的速率比内核处理这些包的速率快时，允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144

# 限制仅仅是为了防止简单的 DDoS 攻击
net.ipv4.tcp_max_orphans = 3276800

# 未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0

# 内核放弃建立连接之前发送 SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1

# 内核放弃建立连接之前发送 SYN 包的数量
net.ipv4.tcp_syn_retries = 1

# 启用 timewait 快速回收
net.ipv4.tcp_tw_recycle = 1

# 开启重用，允许将 TIME-WAIT sockets 重新用于新的 TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1

# 当 keepalive 起用的时候，TCP 发送 keepalive 消息的频度。缺省是 2 小时
net.ipv4.tcp_keepalive_time = 30

# 允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024    65000

# 修改防火墙表大小，默认 65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200

# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF

设置vim配置主要是能编写格式

cat >>/etc/vimrc<<EOF
set expandtab
set tabstop=4
set softtabstop=4
set shiftwidth=4
autocmd FileType html setlocal shiftwidth=4 tabstop=4 softtabstop=4
autocmd FileType golang setlocal shiftwidth=4 tabstop=4 softtabstop=4
autocmd FileType go setlocal shiftwidth=4 tabstop=4 softtabstop=4
autocmd FileType yml setlocal shiftwidth=2 tabstop=2 softtabstop=2
autocmd FileType yaml setlocal shiftwidth=2 tabstop=2 softtabstop=2
autocmd FileType htmldjango setlocal shiftwidth=4 tabstop=4 softtabstop=4
autocmd FileType javascript setlocal shiftwidth=4 tabstop=4 softtabstop=4
set ls=2
set incsearch
set hlsearch
syntax on
set ruler
set autoindent
EOF

内核升级(重要)

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
yum --disablerepo=\* --enablerepo=elrepo-kernel repolist
# 查看可用的rpm包
yum --disablerepo=\* --enablerepo=elrepo-kernel list kernel*
# 安装长期支持版本的kernel
yum --disablerepo=\* --enablerepo=elrepo-kernel install -y kernel-lt.x86_64
# 删除旧版本工具包
yum remove kernel-tools-libs.x86_64 kernel-tools.x86_64 -y
# 安装新版本工具包
yum --disablerepo=\* --enablerepo=elrepo-kernel install -y kernel-lt-tools.x86_64
#查看默认启动顺序
awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg  
#默认启动的顺序是从0开始，新内核是从头插入（目前位置在0，而4.4.4的是在1），所以需要选择0。
grub2-set-default 0  
#重启并检查
reboot

安装ETCD

配置ETCD证书(重要)

使用cfssl生成证书

curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo

生成根证书

mkdir /opt/pki
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
cat ca-config.json
{
    # 表示此CA证书可以用于签名其他证书
    "signing": {
        "default": {
            # 过期时间
            "expiry": "87600h" 
        },
        "profiles": {
            # 表示TLS Server Authentication
            "server": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            # 表示TLS Client Authentication
            "client": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            # 表示TLS 对等证书
            "peer": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
cat ca-csr.json
{
    # Common Name
    "CN": "ETCD CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [{
        # 国家编码
        "C": "CN",
        # 省
        "ST": "Beijing",
        # 市
        "L": "Beijing",
        # 公司名称
        "O": "SMA",
        # 部门名称
        "OU": "DevOps"
    }]
}
# 生成自签证书
cfssl gencert -initca ca-csr.json | cfssljson -bare etcd-root-ca
# 证书名称为etcd-root-ca*.pem
# 根证书请求
# etcd-root-ca.csr
# 根证书私钥
# etcd-root-ca-key.pem
# 根证书
# etcd-root-ca.pem

生成server证书

cfssl print-defaults csr > server.json
{
    # CN和ca-csr.json中的profiles key尽量保证一致
    "CN": "server",
    # 能使用的机器
    "hosts": [
        "master.sma.org",
        "node01.sma.org",
        "node01.sma.org",
        "192.168.1.10",
        "192.168.1.11",
        "192.168.1.12"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "ST": "Beijing",
            "L": "Beijing",
            "O": "SMA",
            "OU": "DevOps"
        }
    ]
}
cfssl gencert -config=ca-config.json -ca=./etcd-root-ca.pem -ca-key=./etcd-root-ca-key.pem -profile=server server.json | cfssljson -bare etcd-server
# server证书请求
# etcd-server.csr
# server证书私钥
# etcd-server-key.pem
# server证书
# etcd-server.pem

生成peer证书

cfssl print-defaults csr > peer.json
cat peer.json
{
    "CN": "peer",
    "hosts": [
        "master.sma.org",
        "node01.sma.org",
        "node01.sma.org",
        "192.168.1.10",
        "192.168.1.11",
        "192.168.1.12"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "ST": "Beijing",
            "L": "Beijing",
            "O": "SMA",
            "OU": "DevOps"
        }
    ]
}
cfssl gencert -config=ca-config.json -ca=./etcd-root-ca.pem -ca-key=./etcd-root-ca-key.pem -profile=peer peer.json | cfssljson -bare etcd-peer
# peer证书请求
# etcd-peer.csr
# peer证书私钥
# etcd-peer-key.pem
# peer证书
# etcd-peer.pem

生成client证书

cfssl print-defaults csr > client.json
cat client.json
{
    "CN": "client",
    "hosts": [""],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "ST": "Beijing",
            "L": "Beijing",
            "O": "SMA",
            "OU": "DevOps"
        }
    ]
}
cfssl gencert -config=ca-config.json -ca=./etcd-root-ca.pem -ca-key=./etcd-root-ca-key.pem -profile=client client.json | cfssljson -bare etcd-client
# client证书请求
# etcd-client.csr
# client证书私钥
# etcd-client-key.pem
# client证书
# etcd-client.pem

etcd配置(所有的节点,当前节点为10节点)

yum install -y etcd
mkdir -p /etc/etcd/pki
cd /opt/pki
cp etcd-client-key.pem  etcd-client.pem  etcd-peer-key.pem  etcd-peer.pem  etcd-root-ca.pem  etcd-server-key.pem  etcd-server.pem /etc/etcd/pki
chown -R etcd.etcd /etc/etcd/pki
scp -r /etc/etcd/pki root@192.168.1.11:/etc/etcd/
scp -r /etc/etcd/pki root@192.168.1.12:/etc/etcd/
cat etcd.conf
#[Member]
# 节点名称
ETCD_NAME="etcd00"
# 数据目录
ETCD_DATA_DIR="/var/lib/etcd/data"
# PEER 监听地址
ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380"
# 客户端 监听地址
ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379"
#[Clustering]
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.10:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.10:2380"
ETCD_INITIAL_CLUSTER="etcd00=https://192.168.1.10:2380,etcd01=https://192.168.1.11:2380,etcd02=https://192.168.1.12:2380,"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

#[Proxy]
# 关闭ETCD 代理
ETCD_PROXY="off"

#[Security]
# ETCD 服务端key和ca
ETCD_CERT_FILE="/etc/etcd/pki/etcd-server.pem"
ETCD_KEY_FILE="/etc/etcd/pki/etcd-server-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
# ETCD root ca
ETCD_TRUSTED_CA_FILE="/etc/etcd/pki/etcd-root-ca.pem"
ETCD_AUTO_TLS="true"
# ETCD peer ca和key
ETCD_PEER_CERT_FILE="/etc/etcd/pki/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/pki/etcd-peer-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
# ETCD 生成peer ca和key的根证书
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/pki/etcd-root-ca.pem"
ETCD_PEER_AUTO_TLS="true"

systemctl restart etcd

etcd验证

etcdctl   --endpoints=https://192.168.1.10:2379,https://192.168.1.11:2379,https://192.168.1.12:2379   --cert-file=/etc/etcd/pki/etcd-client.pem   --ca-file=/etc/etcd/pki/etcd-root-ca.pem   --key-file=/etc/etcd/pki/etcd-client-key.pem   cluster-health

etcd操作

ETCDCTL_API=3
ENDPOINTS="https://192.168.1.10:2379,https://192.168.1.11:2379,https://192.168.1.12:2379"
ETCD_CA="/etc/etcd/pki/etcd-root-ca.pem"
ETCD_CLIENT_CA="/etc/etcd/pki/etcd-client.pem"
ETCD_CLIENT_KEY="/etc/etcd/pki/etcd-client-key.pem"
etcdctl --endpoints=${ENDPOINTS} --ca-file=${ETCD_CA} --cert-file=${ETCD_CLIENT_CA} --key-file=${ETCD_CLIENT_KEY} set test "hello world"
etcdctl --endpoints=${ENDPOINTS} --ca-file=${ETCD_CA} --cert-file=${ETCD_CLIENT_CA} --key-file=${ETCD_CLIENT_KEY} get test