Building a secure, disaster-recoverable, highly available etcd cluster on CentOS 7

Abstract: This article describes how to build a secure, disaster-recoverable, highly available etcd cluster on CentOS 7. [Editor's note] etcd is an open-source project started by the CoreOS team and implemented in Go. As a distributed key-value store, it provides reliable distributed coordination through distributed locks, leader election and write barriers.

The goal of this article is to deploy a highly available etcd cluster that is secured with TLS (self-signed certificates) and supports fast disaster recovery (via snapshots).

Preparation

Version information:
OS: CentOS Linux release 7.3.1611 (Core) 
etcd Version: 3.2.4
Git SHA: c31bec0
Go Version: go1.8.3
Go OS/Arch: linux/amd64

Machine configuration

CoreOS officially recommends a cluster of 5 members; to keep this article simple, only 3 nodes are used as the example:
NAME       ADDRESS             HOSTNAME                    CONFIGURATION
infra0  192.168.16.227  bjo-ep-kub-01.dev.fwmrm.net  8 CPUs, 16GB RAM, 500GB disk
infra1  192.168.16.228  bjo-ep-kub-02.dev.fwmrm.net  8 CPUs, 16GB RAM, 500GB disk
infra2  192.168.16.229  bjo-ep-kub-03.dev.fwmrm.net  8 CPUs, 16GB RAM, 500GB disk

Officially recommended configuration
Hardware      Typical workload          Heavy workload
CPU           2-4 cores                 8-18 cores
Memory        8GB                       16GB-64GB
Disk          50 sequential IOPS        500 sequential IOPS
Network       1GbE                      10GbE

Note: a heavy workload means, taking CPU as the example, handling thousands of client requests per second. For recommended AWS and GCE configurations see: Example hardware configurations on AWS and GCE

Building the etcd cluster

There are 3 ways to bootstrap an etcd cluster: Static, etcd Discovery and DNS Discovery. For Discovery see the official documentation at https://coreos.com/etcd/docs/l ... .html ; it is not repeated here. This article only walks through a cluster bootstrap using the Static method.
The etcd configuration for each node is as follows:
$ /export/etcd/etcd --name infra0 --initial-advertise-peer-urls http://192.168.16.227:2380 \
--listen-peer-urls http://192.168.16.227:2380 \
--listen-client-urls http://192.168.16.227:2379,http://127.0.0.1:2379 \
--advertise-client-urls http://192.168.16.227:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=http://192.168.16.227:2380,infra1=http://192.168.16.228:2380,infra2=http://192.168.16.229:2380 \
--initial-cluster-state new

$ /export/etcd/etcd --name infra1 --initial-advertise-peer-urls http://192.168.16.228:2380 \
--listen-peer-urls http://192.168.16.228:2380 \
--listen-client-urls http://192.168.16.228:2379,http://127.0.0.1:2379 \
--advertise-client-urls http://192.168.16.228:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=http://192.168.16.227:2380,infra1=http://192.168.16.228:2380,infra2=http://192.168.16.229:2380 \
--initial-cluster-state new

$ /export/etcd/etcd --name infra2 --initial-advertise-peer-urls http://192.168.16.229:2380 \
--listen-peer-urls http://192.168.16.229:2380 \
--listen-client-urls http://192.168.16.229:2379,http://127.0.0.1:2379 \
--advertise-client-urls http://192.168.16.229:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=http://192.168.16.227:2380,infra1=http://192.168.16.228:2380,infra2=http://192.168.16.229:2380 \
--initial-cluster-state new

TLS

etcd supports encrypted communication over TLS. TLS channels can be used to encrypt traffic between cluster peers as well as client traffic. There are two forms of security, self-signed certificates and automatic certificates; with self-signed certificates, the certificates both encrypt the traffic and authenticate the connections. This article uses self-signed certificates, and Cloudflare's cfssl makes it easy to generate the certificates the cluster needs.
First, install Go and set the GOPATH environment variable
$ cd /export
$ wget https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz
$ tar -xzf go1.8.3.linux-amd64.tar.gz

$ sudo vim ~/.profile
(append the following lines to the file)
export GOPATH=/export/go_path
export GOROOT=/export/go/
export CFSSL=/export/go_path/
export PATH=$PATH:$GOROOT/bin:$CFSSL/bin

$ source ~/.profile

Download and build the cfssl tools. They are installed under $GOPATH/bin, i.e. cfssl and cfssljson end up in /export/go_path/bin.
$ go get -u github.com/cloudflare/cfssl/cmd/cfssl
$ go get -u github.com/cloudflare/cfssl/cmd/cfssljson

Initialize the certificate authority
$ mkdir ~/cfssl
$ cd ~/cfssl
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json

Configure the CA options; the contents of ca-config.json are as follows
{
"signing": {
    "default": {
        "expiry": "43800h"
    },
    "profiles": {
        "server": {
            "expiry": "43800h",
            "usages": [
                "signing",
                "key encipherment",
                "server auth"
            ]
        },
        "client": {
            "expiry": "43800h",
            "usages": [
                "signing",
                "key encipherment",
                "client auth"
            ]
        },
        "peer": {
            "expiry": "43800h",
            "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
        }
    }
}

The contents of the ca-csr.json Certificate Signing Request (CSR) file are as follows
{
"CN": "My own CA",
"key": {
    "algo": "rsa",
    "size": 2048
},
"names": [
    {
        "C": "US",
        "L": "CA",
        "O": "My Company Name",
        "ST": "San Francisco",
        "OU": "Org Unit 1",
        "OU": "Org Unit 2"
    }
]
}

Generate the CA with the options defined above:
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2017/08/02 00:56:03 [INFO] generating a new CA key and certificate from CSR
2017/08/02 00:56:03 [INFO] generate received request
2017/08/02 00:56:03 [INFO] received CSR
2017/08/02 00:56:03 [INFO] generating key: rsa-2048
2017/08/02 00:56:04 [INFO] encoded CSR
2017/08/02 00:56:04 [INFO] signed certificate with serial number 81101109133309828380726760425799837279517519090

The following files are generated in the current directory
ca-key.pem
ca.csr
ca.pem

Note: keep ca-key.pem safe; it is the CA's private key.

Generate the server certificate:
$ cfssl print-defaults csr > server.json

The contents of server.json are as follows:
{
"CN": "server",
"hosts": [
    "127.0.0.1",
    "192.168.16.227",
    "192.168.16.228",
    "192.168.16.229",
    "bjo-ep-kub-01.dev.fwmrm.net",
    "bjo-ep-kub-02.dev.fwmrm.net",
    "bjo-ep-kub-03.dev.fwmrm.net"
],
"key": {
    "algo": "ecdsa",
    "size": 256
},
"names": [
    {
        "C": "US",
        "L": "CA",
        "ST": "San Francisco"
    }
]
}
Next, generate the server certificate and private key:
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
2017/08/02 00:57:12 [INFO] generate received request
2017/08/02 00:57:12 [INFO] received CSR
2017/08/02 00:57:12 [INFO] generating key: ecdsa-256
2017/08/02 00:57:12 [INFO] encoded CSR
2017/08/02 00:57:12 [INFO] signed certificate with serial number 138149747694684969550285630966539823697635905885

The following files are generated:
server-key.pem
server.csr
server.pem

Generate the peer certificate
$ cfssl print-defaults csr > member1.json

Replace the CN and hosts values as follows:
{
"CN": "member1",
"hosts": [
    "127.0.0.1",
    "192.168.16.227",
    "192.168.16.228",
    "192.168.16.229",
    "bjo-ep-kub-01.dev.fwmrm.net",
    "bjo-ep-kub-02.dev.fwmrm.net",
    "bjo-ep-kub-03.dev.fwmrm.net"
],
"key": {
    "algo": "rsa",
    "size": 2048
},
"names": [
    {
        "C": "US",
        "ST": "CA",
        "L": "San Francisco"
    }
]
}

Generate the member1 certificate and private key:
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1
2017/08/02 00:59:12 [INFO] generate received request
2017/08/02 00:59:12 [INFO] received CSR
2017/08/02 00:59:12 [INFO] generating key: rsa-2048
2017/08/02 00:59:13 [INFO] encoded CSR
2017/08/02 00:59:13 [INFO] signed certificate with serial number 222573666682951886940627822839805508037201209158

The following files are produced:
member1-key.pem
member1.csr
member1.pem

Repeat the above steps on the other cluster nodes.
Generate the client certificate
$ cfssl print-defaults csr > client.json

The contents of client.json are as follows:
{
"CN": "client",
"hosts": [
    "127.0.0.1",
    "192.168.16.227",
    "192.168.16.228",
    "192.168.16.229"
],
"key": {
    "algo": "rsa",
    "size": 2048
},
"names": [
    {
        "C": "US",
        "ST": "CA",
        "L": "San Francisco"
    }
]
}

Generate the client certificate
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client 

The following files are produced
client-key.pem
client.csr
client.pem

Copy the certificates generated on node 1 to all nodes and put all of them under /etc/ssl/etcd/. At this point all TLS certificates have been generated.
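The article repeats the cfssl steps by hand for each member and then copies the results around. The script below is an added example (it is not part of the original article, nor of cfssl or etcd): it generates a CSR for each member from a small inventory, signs it with the peer profile from ca-config.json, and checks the issued certificate with openssl (chains to ca.pem, carries both server and client purposes) before it is copied to /etc/ssl/etcd/. It assumes cfssl, cfssljson and openssl are on PATH and that ca.pem, ca-key.pem and ca-config.json from the steps above are in the working directory. The inventory, the per-member file names (infra0.pem instead of member1.pem) and the function names are assumptions of this example, and each member CSR lists only that member's own address and hostname in hosts rather than every node's, which is all etcd needs to verify that peer.

```shell
#!/bin/sh
# Added example (not from the original article): per-member peer
# certificates from an inventory, with a post-issue check.
# Assumptions: cfssl, cfssljson and openssl on PATH; ca.pem, ca-key.pem
# and ca-config.json (peer profile) in the current directory.
set -eu

# Constructed inventory matching the article's three nodes: "name ip hostname".
MEMBERS='infra0 192.168.16.227 bjo-ep-kub-01.dev.fwmrm.net
infra1 192.168.16.228 bjo-ep-kub-02.dev.fwmrm.net
infra2 192.168.16.229 bjo-ep-kub-03.dev.fwmrm.net'

# member_csr NAME IP HOSTNAME: print a cfssl CSR whose SANs cover only this
# member (loopback, its peer IP and its hostname), not every node's address.
member_csr() {
  printf '{"CN":"%s","hosts":["127.0.0.1","%s","%s"],"key":{"algo":"rsa","size":2048},"names":[{"C":"US","ST":"CA","L":"San Francisco"}]}\n' "$1" "$2" "$3"
}

# etcd_peer_flags NAME: the peer TLS flags this member should be started with,
# assuming the certificate was copied to /etc/ssl/etcd/NAME.pem.
etcd_peer_flags() {
  printf '%s\n' "--peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem --peer-cert-file=/etc/ssl/etcd/$1.pem --peer-key-file=/etc/ssl/etcd/$1-key.pem"
}

# issue_peer_cert NAME IP HOSTNAME: write NAME.json and sign it with the
# peer profile, producing NAME.pem and NAME-key.pem as in the article.
issue_peer_cert() {
  member_csr "$1" "$2" "$3" > "$1.json"
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile=peer "$1.json" | cfssljson -bare "$1"
}

# verify_cert CERT: fail unless CERT chains to ca.pem and is usable both as a
# TLS server and as a TLS client, which is what the peer profile must grant.
verify_cert() {
  openssl verify -CAfile ca.pem "$1" >/dev/null || return 1
  openssl x509 -in "$1" -noout -purpose | grep -q 'SSL server : Yes' || return 1
  openssl x509 -in "$1" -noout -purpose | grep -q 'SSL client : Yes' || return 1
}

main() {
  echo "$MEMBERS" | while read -r name ip host; do
    issue_peer_cert "$name" "$ip" "$host"
    verify_cert "$name.pem" && echo "ok: $name.pem ($(etcd_peer_flags "$name"))"
  done
}

# Run the full pipeline only when invoked as: sh gen-peer-certs.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Because the certificate files keep the member name, the flags printed by etcd_peer_flags can be pasted straight into the corresponding etcd command line in the next section.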

Testing TLS
Example 1: client-to-server HTTPS with client certificate authentication
Start the etcd service:
$ /export/etcd/etcd -name infra0 --data-dir infra0 \
--client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \
--advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379

Insert data:
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/foo -XPUT -d value=bar -v

Read the data back (success):
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/foo
{"action":"get","node":{"key":"/foo","value":"bar","modifiedIndex":12,"createdIndex":12

Example 2: Using self-signed certificates both encrypts traffic and authenticates its connections.
The etcd configuration for each node is as follows
$ /export/etcd/etcd \
--name infra0 \
--initial-advertise-peer-urls https://192.168.16.227:2380 \
--listen-peer-urls https://192.168.16.227:2380 \
--listen-client-urls https://192.168.16.227:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://192.168.16.227:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \
--cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \
--peer-cert-file=/etc/ssl/etcd/member1.pem --peer-key-file=/etc/ssl/etcd/member1-key.pem

$ /export/etcd/etcd \
--name infra1 \
--initial-advertise-peer-urls https://192.168.16.228:2380 \
--listen-peer-urls https://192.168.16.228:2380 \
--listen-client-urls https://192.168.16.228:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://192.168.16.228:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \
--cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \
--peer-cert-file=/etc/ssl/etcd/member2.pem --peer-key-file=/etc/ssl/etcd/member2-key.pem

$ /export/etcd/etcd \
--name infra2 \
--initial-advertise-peer-urls https://192.168.16.229:2380 \
--listen-peer-urls https://192.168.16.229:2380 \
--listen-client-urls https://192.168.16.229:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://192.168.16.229:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \
--cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \
--peer-cert-file=/etc/ssl/etcd/member3.pem --peer-key-file=/etc/ssl/etcd/member3-key.pem

Prepare test data:
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/fristname -XPUT -d value=Xia -v

$ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 put lasttname 'Zhang'

Verify the test result:
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/
{"action":"get","node":{"dir":true,"nodes":[{"key":"/foo","value":"bar","modifiedIndex":19,"createdIndex":19},{"key":"/fristname","value":"Xia","modifiedIndex":20,"createdIndex":20},{"key":"/lasttname","value":"Zhang","modifiedIndex":21,"createdIndex":21}]

etcd Troubleshooting

etcd failures fall into the following 5 categories:
1. A minority of followers fail
2. Leader failure
3. Majority failure
4. Network partition
5. Failure on startup
The following deals mainly with case 3 above, which is what is commonly called Disaster Recovery.

Disaster Recovery

Using the snapshot facility provided by etcd v3 as the example, this section walks through one etcd disaster recovery.
First, while etcd is working normally, take a snapshot with the etcdctl snapshot save command or copy the member/snap/db file from the etcd data directory. Using the former:
$ ETCDCTL_API=3 etcdctl --endpoints $ENDPOINT snapshot save snapshot.db
If TLS is enabled, the command needs the certificate flags:
$ ETCDCTL_API=3 /export/etcd/etcdctl --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 snapshot save snapshot.db --cacert=/etc/ssl/etcd/ca.pem --cert=/etc/ssl/etcd/client.pem --key=/etc/ssl/etcd/client-key.pem

Snapshot saved at snapshot.db

Copy the generated snapshot to the other 2 cluster nodes; every node is recovered from the same snapshot.

Insert some data to test the disaster recovery:
$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/fristname -XPUT -d value=Xia -v

$ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 put lasttname 'Zhang'

The test data has been inserted successfully:
$ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379  get  firstname

$ curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/v2/keys/
{"action":"get","node":{"dir":true,"nodes":[{"key":"/foo","value":"bar","modifiedIndex":19,"createdIndex":19},{"key":"/fristname","value":"Xia","modifiedIndex":20,"createdIndex":20},{"key":"/lasttname","value":"Zhang","modifiedIndex":21,"createdIndex":21}]

Stop the etcd service on all 3 machines and delete the etcd data directory on every node.
Restore the data. With TLS enabled, run the following commands on each of the 3 nodes respectively:
$ ETCDCTL_API=3 /export/etcd/etcdctl snapshot restore snapshot.db \
--name infra0 \
--initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \
--initial-cluster-token etcd-cluster-1 \
--initial-advertise-peer-urls https://192.168.16.227:2380 \
--cacert /etc/ssl/etcd/ca.pem \
--cert /etc/ssl/etcd/client.pem \
--key /etc/ssl/etcd/client-key.pem

$ ETCDCTL_API=3 /export/etcd/etcdctl snapshot restore snapshot.db \
--name infra1 \
--initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \
--initial-cluster-token etcd-cluster-1 \
--initial-advertise-peer-urls https://192.168.16.228:2380 \
--cacert /etc/ssl/etcd/ca.pem \
--cert /etc/ssl/etcd/client.pem \
--key /etc/ssl/etcd/client-key.pem

$ ETCDCTL_API=3 /export/etcd/etcdctl snapshot restore snapshot.db \
--name infra2 \
--initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \
--initial-cluster-token etcd-cluster-1 \
--initial-advertise-peer-urls https://192.168.16.229:2380 \
--cacert /etc/ssl/etcd/ca.pem \
--cert /etc/ssl/etcd/client.pem \
--key /etc/ssl/etcd/client-key.pem

Example log from the restore:
$ ETCDCTL_API=3 /export/etcd/etcdctl snapshot restore snapshot.db   --name infra0   --initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380   --initial-cluster-token etcd-cluster-1   --initial-advertise-peer-urls https://192.168.16.227:2380   --cacert /etc/ssl/etcd/ca.pem   --cert /etc/ssl/etcd/client.pem   --key /etc/ssl/etcd/client-key.pem
2017-08-06 04:09:12.853510 I | etcdserver/membership: added member 3e5097be4ea17ebe [https://192.168.16.229:2380] to cluster cabc8098aa3afc98
2017-08-06 04:09:12.853567 I | etcdserver/membership: added member 67d47e92a1704b1a [https://192.168.16.227:2380] to cluster cabc8098aa3afc98
2017-08-06 04:09:12.853583 I | etcdserver/membership: added member b4725a5341abf1a0 [https://192.168.16.228:2380] to cluster cabc8098aa3afc98

Next, run the following on each of the 3 nodes:
$ /export/etcd/etcd \
--name infra0 \
--initial-advertise-peer-urls https://192.168.16.227:2380 \
--listen-peer-urls https://192.168.16.227:2380 \
--listen-client-urls https://192.168.16.227:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://192.168.16.227:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \
--cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \
--peer-cert-file=/etc/ssl/etcd/member1.pem --peer-key-file=/etc/ssl/etcd/member1-key.pem

$ /export/etcd/etcd \
--name infra1 \
--initial-advertise-peer-urls https://192.168.16.228:2380 \
--listen-peer-urls https://192.168.16.228:2380 \
--listen-client-urls https://192.168.16.228:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://192.168.16.228:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \
--cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \
--peer-cert-file=/etc/ssl/etcd/member2.pem --peer-key-file=/etc/ssl/etcd/member2-key.pem

$ /export/etcd/etcd \
--name infra2 \
--initial-advertise-peer-urls https://192.168.16.229:2380 \
--listen-peer-urls https://192.168.16.229:2380 \
--listen-client-urls https://192.168.16.229:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://192.168.16.229:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=https://192.168.16.227:2380,infra1=https://192.168.16.228:2380,infra2=https://192.168.16.229:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/etc/ssl/etcd/ca.pem \
--cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem \
--peer-cert-file=/etc/ssl/etcd/member3.pem --peer-key-file=/etc/ssl/etcd/member3-key.pem

Verify the disaster recovery: is the original cluster data preserved?
$ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 get lasttname
lasttname
Zhang

$ ETCDCTL_API=3 /export/etcd/etcdctl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem --endpoints=https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379 get firstname
firstname
Xia

The results above show that the disaster recovery succeeded.
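The article takes a single snapshot.db by hand. In practice the snapshot should be taken on a schedule and checked before anyone relies on it, because a truncated or corrupt backup is only discovered during a restore. The script below is an added example, not part of the original article or of etcdctl: it saves a timestamped snapshot with the same TLS flags used above, runs etcdctl snapshot status on the result and discards it if it is unreadable, restricts the file's permissions (the snapshot holds every key and value in the store), and keeps only the newest N copies. The etcdctl path, endpoints and certificate paths are taken from the article; the ETCDCTL and ENDPOINTS overrides, the file naming scheme and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): scheduled etcd snapshot
# with an integrity check and simple retention.
# Assumptions: etcdctl 3.x at $ETCDCTL, client certificate at the article's
# /etc/ssl/etcd paths, ENDPOINTS listing the three members.
set -eu

ETCDCTL="${ETCDCTL:-/export/etcd/etcdctl}"
ENDPOINTS="${ENDPOINTS:-https://192.168.16.227:2379,https://192.168.16.228:2379,https://192.168.16.229:2379}"
CACERT=/etc/ssl/etcd/ca.pem
CERT=/etc/ssl/etcd/client.pem
KEY=/etc/ssl/etcd/client-key.pem
export ETCDCTL_API=3

# snapshot_name DIR: path of a new UTC-timestamped snapshot under DIR.
# The timestamp sorts lexicographically, so `sort` yields chronological order.
snapshot_name() {
  printf '%s/etcd-%s.db\n' "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# take_snapshot DIR: save a snapshot, verify it with `snapshot status`, and
# remove it if etcdctl cannot read it back. Prints the path on success.
take_snapshot() {
  out=$(snapshot_name "$1")
  "$ETCDCTL" --endpoints="$ENDPOINTS" --cacert="$CACERT" --cert="$CERT" --key="$KEY" \
    snapshot save "$out" >/dev/null
  if ! "$ETCDCTL" snapshot status "$out" >/dev/null 2>&1; then
    rm -f "$out"
    echo "snapshot $out failed integrity check, discarded" >&2
    return 1
  fi
  chmod 600 "$out"   # the snapshot contains every key and value in the store
  printf '%s\n' "$out"
}

# prune_snapshots DIR KEEP: delete all but the KEEP newest etcd-*.db files.
prune_snapshots() {
  total=$(ls -1 "$1"/etcd-*.db 2>/dev/null | wc -l)
  excess=$((total - $2))
  [ "$excess" -gt 0 ] || return 0
  ls -1 "$1"/etcd-*.db | sort | head -n "$excess" | while read -r f; do
    rm -f "$f"
  done
}

# Run as: sh etcd-backup.sh run /var/backups/etcd 7
if [ "${1:-}" = "run" ]; then
  take_snapshot "$2"
  prune_snapshots "$2" "${3:-7}"
fi
```

A copy of the verified snapshot should also leave the node (for example to the other members, as the article does, or to off-cluster storage); a snapshot kept only on the member that produced it does not survive the majority-failure case this section is about.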

etcd system limits

1. Request size limit: RPC requests are currently limited to 1MB of data; this may be increased or made configurable in the future
2. Storage size limit: 2GB by default, configurable up to 8GB with --quota-backend-bytes

Monitoring

etcd provides a metrics monitoring solution, with its metrics and built-in dashboards, based on Prometheus plus Grafana; for details see
etcd Metrics:  https://coreos.com/etcd/docs/latest/metrics.html

Example of fetching the metrics
$  curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/metrics

etcd_debugging_mvcc_db_compaction_pause_duration_milliseconds_bucket{le="1"} 0
etcd_debugging_mvcc_db_compaction_pause_duration_milliseconds_bucket{le="2"} 0
etcd_debugging_mvcc_db_compaction_pause_duration_milliseconds_bucket{le="4"} 0
etcd_debugging_mvcc_db_compaction_pause_duration_milliseconds_bucket{le="8"} 0

... ...

process_start_time_seconds 1.50390583624e+09
process_virtual_memory_bytes 1.0787151872e+10

Prometheus + builtin Grafana:  https://coreos.com/etcd/docs/l ... .html
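Scraping /metrics by hand, as above, shows the format; what a practitioner usually wants is a check that fires on the conditions the troubleshooting section cares about, a member that no longer sees a leader and proposals that fail (which is what happens when quorum is lost). The following is an added example, not part of the original article or of etcd: a POSIX shell and awk check over the Prometheus text format served by /metrics, exercised on a constructed sample. The metric names etcd_server_has_leader and etcd_server_proposals_failed_total are real etcd metrics; the sample values, the scrape_metrics helper and the other function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): evaluate a scraped etcd
# /metrics page for loss of leader and failed proposals.
set -eu

# Constructed sample of the Prometheus text format; real output is far longer
# and the values below are made up for this example.
SAMPLE_METRICS='# HELP etcd_server_has_leader Whether or not a leader exists. 1 is existence, 0 is not.
# TYPE etcd_server_has_leader gauge
etcd_server_has_leader 1
# HELP etcd_server_proposals_failed_total The total number of failed proposals seen.
# TYPE etcd_server_proposals_failed_total counter
etcd_server_proposals_failed_total 0
etcd_server_leader_changes_seen_total 2
process_start_time_seconds 1.50390583624e+09'

# scrape_metrics OUTFILE: fetch /metrics over TLS with the article's client
# certificate (paths assumed), writing the body to OUTFILE.
scrape_metrics() {
  curl -s --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/client.pem \
    --key /etc/ssl/etcd/client-key.pem -L https://127.0.0.1:2379/metrics -o "$1"
}

# metric_value FILE NAME: print the sample value of NAME, or "missing".
# HELP/TYPE lines start with '#', so an exact match on the first field
# never picks them up.
metric_value() {
  awk -v name="$2" '$1 == name { print $2; found = 1 } END { if (!found) print "missing" }' "$1"
}

# check_member FILE: return 0 when the member sees a leader and has no failed
# proposals; print one ALERT line per problem and return 1 otherwise.
# A missing metric is treated as a problem, not as healthy.
check_member() {
  leader=$(metric_value "$1" etcd_server_has_leader)
  failed=$(metric_value "$1" etcd_server_proposals_failed_total)
  status=0
  if [ "$leader" != "1" ]; then
    echo "ALERT: member has no leader (etcd_server_has_leader=$leader)"
    status=1
  fi
  # Counters may be printed in exponent form, so compare numerically in awk.
  if [ "$failed" = "missing" ] || awk -v v="$failed" 'BEGIN { exit !(v + 0 > 0) }'; then
    echo "ALERT: failed proposals: etcd_server_proposals_failed_total=$failed"
    status=1
  fi
  return $status
}

# Run as: sh etcd-check.sh run   (exit status 1 means an ALERT was raised)
if [ "${1:-}" = "run" ]; then
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  scrape_metrics "$tmp"
  check_member "$tmp"
fi
```

Run from cron or a monitoring agent on each member, the non-zero exit status is the signal; the same check against all three members distinguishes a single member that lost contact (case 1 or 4 in the troubleshooting list) from a cluster-wide loss of quorum (case 3).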

Reposting is welcome; please credit the author and source: Zhang Xia, FreeWheel Lead Engineer, DockOne community

Original publication date: 2017-08-06

Author: Zhang Xia

This article comes from Yunqi Community partner Dockerone.io; follow Dockerone.io for related information.

Original title: Building a secure, disaster-recoverable, highly available etcd cluster on CentOS 7
