1393 字
7 分钟
Kubernetes 高可用集群搭建(一) | ETCD集群搭建
2019-12-21
blogs
Kubernetes

环境准备#

  • 服务器准备及系统配置调整, 这个参考前一篇基础配置.

  • ssh配置

> ssh-keygen -b 2048 -t rsa

以上环境的准备可在一台vm上创建好后, 后面只需要克隆这台就可以了.

  • containerd

这里不在使用 Docker 作为cri的依赖. 而是使用containerd.

Terminal window
> sudo apt-get update && sudo apt-get install -y containerd
> sudo mkdir -p /etc/containerd
> sudo containerd config default | sudo tee /etc/containerd/config.toml
* cni配置
Terminal window
> sudo mkdir -p /etc/cni/net.d
> sudo cat <<EOF | sudo tee /etc/cni/net.d/99-loopback.conf
{
    "cniVersion": "0.3.1",
    "type": "loopback"
}
EOF
* 镜像加速配置及默认pause镜像配置
Terminal window
# /etc/containerd/config.toml 大概91行
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://wlij5bh2.mirror.aliyuncs.com"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
          endpoint = ["https://registry.cn-hangzhou.aliyuncs.com/morse_k8s"]


# sandbox_image 修改
sandbox_image = "k8s.gcr.io/pause:3.1"
# 改为
sandbox_image = "registry.cn-hangzhou.aliyuncs.com/morse_k8s/pause:3.1"




# systemd
# 结合 runc 使用 systemd cgroup 驱动,在 /etc/containerd/config.toml 中设置
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  ...
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    SystemdCgroup = true
* containerd的几个重要命令
Terminal window
ctr image ls
# 简写: ctr i ls
ctr image remove docker.io/library/hello-world:latest
> ctr container list
# 简写: ctr c list
ctr c remove demo
# 命名空间
> sudo ctr ns ls
# 配置
> sudo containerd config default

怎么查其他信息, 这个时候我们可以用这个工具crictl.

-n: 命名空间, kubernetes的命名空间为 k8s.io. 注意 -n 的位置, 放在ctr后面 * 镜像准备

3.1
k8s.gcr.io/pause:3.1
k8s.gcr.io/etcd:3.4.13-0
# registry.cn-hangzhou.aliyuncs.com/morse_k8s/etcd:3.4.13-0

参考 Container runtimes | Kubernetes Containerd 使用教程 – 云原生实验室 - Kubernetes|Docker|Istio|Envoy|Hugo|Golang|云原生 容器运行时 | Kubernetes containerd/ops.md at master · containerd/containerd · GitHub https://github.com/containerd/containerd/blob/master/docs/cri/config.md

Etcd集群搭建#

前置条件#

  • 2 GB 或更多的 RAM, 2 CPU 核或更多
  • 集群中的所有机器的网络彼此均能相互连接(公网和内网都可以)
  • 节点之中不可以有重复的主机名、MAC 地址或 product_uuid。
  • 禁用交换分区。为了保证 kubelet 正常工作,你 必须 禁用交换分区
  • 开启机器上的某些端口。(可以关闭防火墙)

sudo cat /sys/class/dmi/id/product_uuid用这个命令校验机器ID

这里的ProductId在虚拟机copy的时候可能会重复, 记得清理

  • 修改hosts
Terminal window
# 每台机器添加彼此的host解析
192.168.10.5 vm5.fuxiao.dev  vm5
192.168.10.6 vm6.fuxiao.dev  vm6
192.168.10.7 vm7.fuxiao.dev  vm7
  • 安装kubeadm, kubelet (每台) 因为使用kubelet来管理 etcd, 即通过容器运行Etcd. 所以需要先安装kubelet. CRI(即上面的containerd). 因为kubeadm 不能 帮你安装或者管理 kubelet 或 kubectl. 所以这里kubectl, kubelet, kubeadm就一起安装了.
Terminal window
sudo apt-get install -y kubelet kubeadm kubectl
  • 将 kubelet 配置为 etcd 的服务管理器。(每台)
Terminal window
> sudo cd /etc/systemd/system/kubelet.service.d
> # 修改10-kubeadm.conf文件
> # 屏蔽文件中的Environment, Environment 参数
> sudo mkdir -p /var/lib/kubelet
> sudo cat<<EOF|sudo tee /var/lib/kubelet/kubeadm-flags.env
KUBELET_KUBEADM_ARGS="--cgroup-driver=systemd --pod-manifest-path=/etc/kubernetes/manifests --container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock --runtime-request-timeout=15m"
EOF
> sudo systemctl daemon-reload
> sudo systemctl restart kubelet

当CRI非Docker时, 需要添加以下启动参数.

--container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock --runtime-request-timeout=15m

不同的CRI sock 文件位置不同

Docker: /var/run/docker.sock
containerd: /run/containerd/containerd.sock
CRI-O: /var/run/crio/crio.sock

只是创建, kubelet这一步并不能运行

  • 配置脚本
# cat create_etcd.sh


#!/bin/bash
# 使用 IP 或可解析的主机名替换 HOST0、HOST1 和 HOST2
export HOST0=192.168.10.5
export HOST1=192.168.10.6
export HOST2=192.168.10.7


# 创建临时目录来存储将被分发到其它主机上的文件
rm -rf /tmp/${HOST0}/ /tmp/${HOST1}/ /tmp/${HOST2}/
mkdir -p /tmp/${HOST0}/ /tmp/${HOST1}/ /tmp/${HOST2}/


ETCDHOSTS=(${HOST0} ${HOST1} ${HOST2})
NAMES=("vm5" "vm6" "vm7")
# 注意这里的names中的值与下面initial-cluster中参数的key保持一致


for i in "${!ETCDHOSTS[@]}"; do
HOST=${ETCDHOSTS[$i]}
NAME=${NAMES[$i]}
cat << EOF > /tmp/${HOST}/kubeadmcfg.yaml
apiVersion: "kubeadm.k8s.io/v1beta2"
kind: ClusterConfiguration
etcd:
    local:
        serverCertSANs:
        - "${HOST}"
        peerCertSANs:
        - "${HOST}"
        extraArgs:
            initial-cluster: vm5=https://${ETCDHOSTS[0]}:2380,vm6=https://${ETCDHOSTS[1]}:2380,vm7=https://${ETCDHOSTS[2]}:2380
            initial-cluster-state: new
            name: ${NAME}
            listen-peer-urls: https://${HOST}:2380
            listen-client-urls: https://${HOST}:2379
            advertise-client-urls: https://${HOST}:2379
            initial-advertise-peer-urls: https://${HOST}:2380
EOF
done

注意: 1. NAMESinitial-cluster的key要匹配, initial-cluster中多个值不能用空格 2. 执行脚本: . create_etcd.sh, (注意执行命令前的那个点, 没有那个点导不出shell中的环境变量)

  • etcd证书
/etc/kubernetes/pki/etcd/ca.crt
sudo kubeadm init phase certs etcd-ca
# ls -la /etc/kubernetes/pki/etcd/
#  /etc/kubernetes/pki/etcd/ca.key
  • 为每个成员创建证书
Terminal window
sudo kubeadm init phase certs etcd-server --config=/tmp/${HOST2}/kubeadmcfg.yaml
sudo kubeadm init phase certs etcd-peer --config=/tmp/${HOST2}/kubeadmcfg.yaml
sudo kubeadm init phase certs etcd-healthcheck-client --config=/tmp/${HOST2}/kubeadmcfg.yaml
sudo kubeadm init phase certs apiserver-etcd-client --config=/tmp/${HOST2}/kubeadmcfg.yaml
sudo cp -R /etc/kubernetes/pki /tmp/${HOST2}/
# 清理不可重复使用的证书
sudo find /etc/kubernetes/pki -not -name ca.crt -not -name ca.key -type f -delete


sudo kubeadm init phase certs etcd-server --config=/tmp/${HOST1}/kubeadmcfg.yaml
sudo kubeadm init phase certs etcd-peer --config=/tmp/${HOST1}/kubeadmcfg.yaml
sudo kubeadm init phase certs etcd-healthcheck-client --config=/tmp/${HOST1}/kubeadmcfg.yaml
sudo kubeadm init phase certs apiserver-etcd-client --config=/tmp/${HOST1}/kubeadmcfg.yaml
sudo cp -R /etc/kubernetes/pki /tmp/${HOST1}/
sudo find /etc/kubernetes/pki -not -name ca.crt -not -name ca.key -type f -delete


sudo kubeadm init phase certs etcd-server --config=/tmp/${HOST0}/kubeadmcfg.yaml
sudo kubeadm init phase certs etcd-peer --config=/tmp/${HOST0}/kubeadmcfg.yaml
sudo kubeadm init phase certs etcd-healthcheck-client --config=/tmp/${HOST0}/kubeadmcfg.yaml
sudo kubeadm init phase certs apiserver-etcd-client --config=/tmp/${HOST0}/kubeadmcfg.yaml
# 不需要移动 certs 因为它们是给 HOST0 使用的


# 清理不应从此主机复制的证书
sudo find /tmp/${HOST2} -name ca.key -type f -delete
sudo find /tmp/${HOST1} -name ca.key -type f -delete
  • 复制证书和 kubeadm 配置
#!/bin/bash
export USER=ubuntu
export HOST1=192.168.10.22
export HOST2=192.168.10.23
ETCDHOSTS=(${HOST1} ${HOST2})
for i in "${!ETCDHOSTS[@]}"; do
  sudo scp -r /tmp/${ETCDHOSTS[$i]}/* ${USER}@${ETCDHOSTS[$i]}:
done
Terminal window
USER=ubuntu
HOST=${HOST1}
ssh ${USER}@${HOST}
USER@HOST $ sudo -Es && mkdir /etc/kubernetes/pki
root@HOST $ chown -R root:root pki
root@HOST $ mv pki /etc/kubernetes/

  • 确保已经所有预期的文件都存在

  • 创建静态 Pod 清单

root@HOST0 $ sudo kubeadm init phase etcd local --config=/tmp/${HOST0}/kubeadmcfg.yaml
root@HOST1 $ sudo kubeadm init phase etcd local --config=/home/ubuntu/kubeadmcfg.yaml
root@HOST2 $ sudo kubeadm init phase etcd local --config=/home/ubuntu/kubeadmcfg.yaml

修改每个节点中etcd静态清单配置

# 将image的值改为下面的值
image: registry.cn-hangzhou.aliyuncs.com/morse_k8s/etcd:3.4.13-0
  • 可选:检查群集运行状况
HOST=192.168.10.5
sudo etcdctl \
--cert /etc/kubernetes/pki/etcd/peer.crt \
--key /etc/kubernetes/pki/etcd/peer.key \
--cacert /etc/kubernetes/pki/etcd/ca.crt \
--endpoints https://${HOST}:2379 endpoint health --cluster
...
# 注意: 正常可以看到全部主机列表
https://[HOST0 IP]:2379 is healthy: successfully committed proposal: took = 16.283339ms
https://[HOST1 IP]:2379 is healthy: successfully committed proposal: took = 19.44402ms
https://[HOST2 IP]:2379 is healthy: successfully committed proposal: took = 35.926451ms

etcdctl 命令可到etcd的github release页面下载

扩展#

  • crictl工具

初始配置如下:

sudo touch /etc/crictl.yaml
sudo cat << EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: /run/containerd/containerd.sock
EOF

使用方式基本等同docker的命令.

Terminal window
> sudo crictl pods
> sudo crictl images
> sudo crictl ps

SAN: Subject Alternative Names : 可选附加主题备用名称, 用于 API Server 服务证书的可选附加主题备用名称 #01 Blog/云原生# #01 Blog/Kubernetes#

Kubernetes 高可用集群搭建(一) | ETCD集群搭建
https://ihsiao.com/posts/cncf/etcd-cluster/
作者
Morse Hsiao
发布于
2019-12-21
许可协议
CC BY-NC-SA 4.0
负数在计算机中的表示方式
使用 NFS 作为 PersistentVolume
© 2026 Morse Hsiao. All Rights Reserved. | 陕ICP备2023013510号 | 陕公网安备61019102000495