Running etcd under Docker
https://etcd.io/docs/v2/docker_guide/

ETCD Security model
https://etcd.io/docs/v3.4.0/op-guide/security/

Generate self-signed certificates
https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md

Calico Docker container install
https://docs.projectcalico.org/getting-started/bare-metal/installation/container
## 1. ETCD Install
### 1.1. The elaborate way of fetching the release archive from GitHub (recommended by the developers)

```sh
ETCD_VER=v3.4.14

# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test

curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

/tmp/etcd-download-test/etcd --version
/tmp/etcd-download-test/etcdctl version
```

Or, more simply:

```sh
wget https://github.com/etcd-io/etcd/releases/download/v3.4.14/etcd-v3.4.14-linux-amd64.tar.gz
tar zxvf etcd-v3.4.14-linux-amd64.tar.gz
```

Either way, the GitHub release also publishes a `SHA256SUMS` file next to the archive; compare the download against it before extracting.

### 1.2. First, memorize how to kill it :)

```sh
# -x matches the process name exactly, so a running etcdctl is left alone
pkill -x etcd
```

### 1.3. To start the services, copy etcd and etcdctl to:

```sh
# run from the directory the archive was extracted into
cp etcd etcdctl /usr/local/bin/
```

### 1.4. Check the versions

```sh
etcd --version   # etcd takes the flag form (as in 1.1); a bare "version" argument is rejected as an invalid flag
etcdctl version
```

### 1.5. TLS preparation
Generate the certificates (see section 2, Generate peer certificate) or get them from the server's owner.
Put them in:

```sh
mkdir -p /etc/ssl/etcd/ssl/
cp ca.pem member1.pem member1-key.pem /etc/ssl/etcd/ssl/
```
The private key should be readable only by the user etcd runs as, and the CA's own key (ca-key.pem) does not belong on the server at all.

### 1.6. Config file
For example, from here:

```sh
git clone https://git.digtlab.ru/LAssIphone/devops.git
cd devops/etcd
vim etcd.conf.yml
```
Edit to taste.

### 1.7. Start

```sh
# output goes to nohup.out in the current directory
nohup etcd --config-file etcd.conf.yml &
```

### 1.8. Check

```sh
# plaintext forms; they only work against a client port served over http
etcdctl member list
etcdctl --endpoints=localhost:2379 put foo bar
# with TLS and client-cert auth enabled, every call needs the CA and a client identity
etcdctl --endpoints=https://37.9.13.235:2379 --cacert=/etc/ssl/etcd/ssl/ca.pem --cert=/etc/ssl/etcd/ssl/member1.pem --key=/etc/ssl/etcd/ssl/member1-key.pem member list
etcdctl --endpoints=https://37.9.13.235:2379 --cacert=/etc/ssl/etcd/ssl/ca.pem --cert=/etc/ssl/etcd/ssl/member1.pem --key=/etc/ssl/etcd/ssl/member1-key.pem get foo
```
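
The config file is left "to taste" above. The following is an added example, written for this page and not the etcd.conf.yml from the devops repo nor anything shipped by the etcd project: it writes a config that enforces mutual TLS on both the client and the peer port (the setting that turns the `--cert`/`--key` flags in the check step above from optional into mandatory), checks the file for the usual ways of weakening it, and wraps etcdctl with the client identity. The member name, its address (192.168.122.101, as in section 2), the certificate directory and the file names ca.pem / member1.pem / member1-key.pem are assumptions taken from the page's own examples.

```shell
#!/bin/sh
# Added example, not the repo's etcd.conf.yml: an etcd config enforcing mutual
# TLS on both ports, plus a checker and an etcdctl wrapper.
# Assumed: one member "member1" at 192.168.122.101, certificates named as in
# the check step (ca.pem, member1.pem, member1-key.pem) under /etc/ssl/etcd/ssl.

# write_etcd_config NAME IP CERT_DIR OUT
write_etcd_config() {
  name=$1; ip=$2; certdir=$3; out=$4
  cat > "$out" <<EOF
name: ${name}
data-dir: /var/lib/etcd
# Only https:// URLs: a plaintext 0.0.0.0 listener hands the whole key space
# (and, with Calico, the network policy stored in it) to anyone who reaches the port.
listen-peer-urls: https://${ip}:2380
listen-client-urls: https://${ip}:2379
initial-advertise-peer-urls: https://${ip}:2380
advertise-client-urls: https://${ip}:2379
initial-cluster: ${name}=https://${ip}:2380
initial-cluster-token: etcd-cluster-1
initial-cluster-state: new

client-transport-security:
  cert-file: ${certdir}/${name}.pem
  key-file: ${certdir}/${name}-key.pem
  # Clients must present a certificate signed by ca.pem; without this line the
  # server encrypts but does not authenticate, and --cert/--key are optional.
  client-cert-auth: true
  trusted-ca-file: ${certdir}/ca.pem
  auto-tls: false

peer-transport-security:
  cert-file: ${certdir}/${name}.pem
  key-file: ${certdir}/${name}-key.pem
  # Peers authenticate with the same CA; otherwise any host can join the raft group.
  client-cert-auth: true
  trusted-ca-file: ${certdir}/ca.pem
  auto-tls: false
EOF
}

# check_etcd_config FILE: 0 if no URL is plaintext, both transport sections
# require client certificates and auto-tls is off; otherwise 1 with the reason.
check_etcd_config() {
  f=$1
  if grep -E '^[a-z-]*(urls|cluster):.*http://' "$f" >/dev/null; then
    echo "FAIL: plaintext http:// URL in $f" >&2; return 1
  fi
  n=$(grep -c '^[[:space:]]*client-cert-auth:[[:space:]]*true' "$f" || true)
  if [ "$n" -ne 2 ]; then
    echo "FAIL: client-cert-auth: true must appear in both transport sections, found $n" >&2; return 1
  fi
  if grep -E '^[[:space:]]*auto-tls:[[:space:]]*true' "$f" >/dev/null; then
    echo "FAIL: auto-tls issues self-signed certs that no client can verify" >&2; return 1
  fi
  return 0
}

# etcdctl_mtls HOST ARGS...: etcdctl with the member1 client identity, so the
# four TLS flags from the check step are not retyped on every call.
etcdctl_mtls() {
  host=$1; shift
  ETCDCTL_API=3 etcdctl --endpoints="https://${host}:2379" \
    --cacert=/etc/ssl/etcd/ssl/ca.pem \
    --cert=/etc/ssl/etcd/ssl/member1.pem \
    --key=/etc/ssl/etcd/ssl/member1-key.pem "$@"
}

# Stand-alone run: write a config into a temp dir and validate it. Copy it over
# etcd.conf.yml and start etcd with --config-file as in the start step.
tmp=$(mktemp -d)
write_etcd_config member1 192.168.122.101 /etc/ssl/etcd/ssl "$tmp/etcd.conf.yml"
check_etcd_config "$tmp/etcd.conf.yml" && echo "config OK: $tmp/etcd.conf.yml"
# e.g. etcdctl_mtls 192.168.122.101 member list
```

Run `check_etcd_config` against the file you actually deploy, not only the generated one; it is a grep over the YAML, so it catches a flipped `client-cert-auth` or a stray `http://` listener, but it does not validate the certificate files themselves.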

## 2. Generate peer certificate

```sh
cfssl print-defaults csr > member1.json
```

Substitute CN and hosts values, for example:

```json
...
    "CN": "member1",
    "hosts": [
        "192.168.122.101",
        "ext.example.com",
        "member1.local",
        "member1"
    ],
...
```

Now we are ready to generate member1 certificate and private key:

```sh
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1
```

Or without CSR json file:

```sh
echo '{"CN":"member1","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="192.168.122.101,ext.example.com,member1.local,member1" - | cfssljson -bare member1
```

You'll get following files:

```
member1-key.pem
member1.csr
member1.pem
```

Repeat these steps for each `etcd` member hostname.
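
The commands above assume a `ca-config.json` with a `peer` profile and an existing CA, neither of which this page shows. The following is an added example, mine rather than code from the repo or the linked CoreOS guide: it writes that config, creates a throwaway CA, issues a peer certificate from a host list, and verifies with openssl that the result carries the SANs and the two extended key usages etcd peers need. It assumes cfssl, cfssljson and openssl on PATH; the file names follow the page (ca.pem, ca-key.pem, member1.pem, member1-key.pem).

```shell
#!/bin/sh
# Added example, not from the repo: ca-config.json with a "peer" profile, a test
# CA, CSR generation from a host list, and an openssl check of the issued cert.
# Assumed: cfssl, cfssljson and openssl on PATH; names as on the page.

# write_ca_config OUT: signing profiles. Only "peer" carries both server auth
# and client auth; etcd members dial each other, so a peer cert must be valid
# as both a server and a client certificate.
write_ca_config() {
  cat > "$1" <<'EOF'
{
  "signing": {
    "default": { "expiry": "43800h" },
    "profiles": {
      "server": { "expiry": "43800h", "usages": ["signing", "key encipherment", "server auth"] },
      "client": { "expiry": "43800h", "usages": ["signing", "key encipherment", "client auth"] },
      "peer":   { "expiry": "43800h", "usages": ["signing", "key encipherment", "server auth", "client auth"] }
    }
  }
}
EOF
}

# write_csr OUT CN HOST...: CSR JSON with CN and one SAN per HOST. Every address
# a client or peer will dial must be listed, or TLS verification fails on it.
write_csr() {
  out=$1; cn=$2; shift 2
  hosts=""
  for h in "$@"; do
    hosts="${hosts}${hosts:+, }\"${h}\""
  done
  printf '{\n  "CN": "%s",\n  "hosts": [%s],\n  "key": {"algo": "rsa", "size": 2048}\n}\n' \
    "$cn" "$hosts" > "$out"
}

# issue_ca DIR: self-signed CA -> DIR/ca.pem, DIR/ca-key.pem. Keep ca-key.pem
# off the etcd hosts; it is only needed to sign new member certificates.
issue_ca() {
  write_csr "$1/ca-csr.json" etcd-ca
  (cd "$1" && cfssl gencert -initca ca-csr.json | cfssljson -bare ca)
}

# issue_peer_cert DIR NAME HOST...: NAME.pem / NAME-key.pem signed by DIR/ca.pem
# with the "peer" profile (the same cfssl command as above, CSR generated).
issue_peer_cert() {
  dir=$1; name=$2; shift 2
  write_csr "$dir/$name.json" "$name" "$@"
  (cd "$dir" && cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
     -profile=peer "$name.json" | cfssljson -bare "$name")
}

# verify_peer_cert DIR NAME HOST: chain check plus the two properties etcd
# relies on: HOST is among the SANs, and EKU allows both server and client auth.
verify_peer_cert() {
  dir=$1; name=$2; host=$3
  openssl verify -CAfile "$dir/ca.pem" "$dir/$name.pem" >/dev/null || return 1
  txt=$(openssl x509 -in "$dir/$name.pem" -noout -text)
  echo "$txt" | grep -A1 'Subject Alternative Name' | grep -q "$host" \
    || { echo "FAIL: $host is not a SAN of $name.pem" >&2; return 1; }
  echo "$txt" | grep -q 'TLS Web Server Authentication' || { echo "FAIL: no serverAuth" >&2; return 1; }
  echo "$txt" | grep -q 'TLS Web Client Authentication' || { echo "FAIL: no clientAuth" >&2; return 1; }
}

# Stand-alone run; skipped where the tools are absent.
if command -v cfssl >/dev/null 2>&1 && command -v cfssljson >/dev/null 2>&1 \
   && command -v openssl >/dev/null 2>&1; then
  dir=$(mktemp -d)
  write_ca_config "$dir/ca-config.json"
  issue_ca "$dir" >/dev/null 2>&1
  issue_peer_cert "$dir" member1 192.168.122.101 ext.example.com member1.local member1 >/dev/null 2>&1
  verify_peer_cert "$dir" member1 192.168.122.101 && echo "member1.pem OK: $dir"
fi
```

Call `issue_peer_cert` once per member with that member's own address list, and run `verify_peer_cert` with the address the other members actually dial; a certificate issued with the `server` profile instead of `peer` passes the chain check but fails the clientAuth test, which is exactly the case where peer handshakes start failing later.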
## 3. Start Docker with its cluster store in ETCD (or not)

The invocation below is the original one; two things to know before copying it. `-H tcp://0.0.0.0:2375` without `--tlsverify` publishes the Docker API to every host that can reach the machine, and whoever can talk to that API can start privileged containers on it. And `etcd://37.9.13.235:2379` dials etcd in plaintext, so an etcd configured with TLS as in section 1 will not accept it unless the store is given the CA and a client certificate through the `--cluster-store-opt` options `kv.cacertfile`, `kv.certfile` and `kv.keyfile`. `--cluster-store` and `--cluster-advertise` are the legacy libkv cluster store and are deprecated in newer Docker Engine releases.

```sh
service docker stop
/usr/bin/dockerd  -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --cluster-store=etcd://37.9.13.235:2379 --cluster-advertise=37.9.13.235:2375
```
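
As an added example, not from the repo: the same dockerd start with the Docker API behind `--tlsverify` and the etcd store reached over TLS with the member1 client identity from section 1, next to the original flags, plus a small lint that refuses the weak form. The paths under /etc/docker/tls and the lint are my assumptions; `--cluster-store-opt kv.cacertfile` / `kv.certfile` / `kv.keyfile` are the daemon's options for the libkv store.

```shell
#!/bin/sh
# Added example, not from the repo: the page's dockerd flags beside a hardened
# set, and a lint that rejects an unauthenticated or wildcard-bound API.
# Assumed: Docker API certificates under /etc/docker/tls (ca.pem, server.pem,
# server-key.pem; names are mine), etcd client certs from section 1.5.

# dockerd_flags_plain IP: the original invocation, one flag per line. Port 2375
# has no authentication; whoever reaches it can start a privileged container.
dockerd_flags_plain() {
  printf '%s\n' "-H tcp://0.0.0.0:2375" "-H unix:///var/run/docker.sock" \
    "--cluster-store=etcd://$1:2379" "--cluster-advertise=$1:2375"
}

# dockerd_flags_tls IP: API on 2376, bound to the member address only, with
# --tlsverify (a client certificate signed by ca.pem is required); etcd is
# reached over TLS with the member1 identity, matching the etcdctl flags above.
dockerd_flags_tls() {
  printf '%s\n' \
    "-H tcp://$1:2376" "-H unix:///var/run/docker.sock" \
    "--tlsverify" "--tlscacert=/etc/docker/tls/ca.pem" \
    "--tlscert=/etc/docker/tls/server.pem" "--tlskey=/etc/docker/tls/server-key.pem" \
    "--cluster-store=etcd://$1:2379" "--cluster-advertise=$1:2376" \
    "--cluster-store-opt=kv.cacertfile=/etc/ssl/etcd/ssl/ca.pem" \
    "--cluster-store-opt=kv.certfile=/etc/ssl/etcd/ssl/member1.pem" \
    "--cluster-store-opt=kv.keyfile=/etc/ssl/etcd/ssl/member1-key.pem"
}

# lint_dockerd_flags < flags: 0 unless the API is wildcard-bound, served over
# tcp without --tlsverify, or the etcd store lacks a client certificate.
lint_dockerd_flags() {
  flags=$(cat)
  if echo "$flags" | grep -q '^-H tcp://0.0.0.0:'; then
    echo "FAIL: API bound to all interfaces" >&2; return 1
  fi
  if echo "$flags" | grep -q '^-H tcp://' && ! echo "$flags" | grep -qx -- '--tlsverify'; then
    echo "FAIL: tcp API without --tlsverify" >&2; return 1
  fi
  if echo "$flags" | grep -q '^--cluster-store=etcd://' \
     && ! echo "$flags" | grep -q '^--cluster-store-opt=kv.certfile='; then
    echo "FAIL: etcd store without a client certificate" >&2; return 1
  fi
  return 0
}

# Stand-alone run: print both flag sets. To start the hardened daemon:
#   service docker stop && dockerd_flags_tls "$ip" | xargs /usr/bin/dockerd
ip=37.9.13.235
echo "plain (the invocation above):"; dockerd_flags_plain "$ip"
echo "hardened:"; dockerd_flags_tls "$ip"
```

The client side then needs the matching certificate: `docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://37.9.13.235:2376 info`; a plain `docker -H tcp://37.9.13.235:2376 info` must fail, which is a quick way to confirm the daemon is actually enforcing it.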