Running etcd under Docker https://etcd.io/docs/v2/docker_guide/
etcd security model https://etcd.io/docs/v3.4.0/op-guide/security/
Generate self-signed certificates https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md
Calico Docker container install https://docs.projectcalico.org/getting-started/bare-metal/installation/container

## 1. etcd install

### 1.1. The long way: fetch the release archive from GitHub (the one the developers recommend)

```sh
ETCD_VER=v3.4.14

# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test

curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

/tmp/etcd-download-test/etcd --version
/tmp/etcd-download-test/etcdctl version
```

Or simply:

```sh
wget https://github.com/etcd-io/etcd/releases/download/v3.4.14/etcd-v3.4.14-linux-amd64.tar.gz
tar zxvf etcd-v3.4.14-linux-amd64.tar.gz
```

Either way the archive comes over HTTPS but is not otherwise verified; the GitHub release publishes a `SHA256SUMS` file next to the archives, so compare the hash before copying the binaries anywhere on PATH.

### 1.2. Remember this first: how to kill it :)

```sh
kill `pgrep etcd`
```

### 1.3. To run it as a service, copy etcd and etcdctl to:

```sh
/usr/local/bin
```

### 1.4. Check the versions

```sh
etcd --version
etcdctl version
```

### 1.5. Preparing TLS

Generate the certificates (see section 2, Generate peer certificate) or get them from the owner of the server. Put them in:

```sh
/etc/ssl/etcd/ssl/
```

The member's private key (`member1-key.pem`) should be readable only by the user etcd runs as, and the CA private key (`ca-key.pem`) does not belong on the etcd host at all; only `ca.pem` is needed there.

### 1.6. Config file

For example from here:

```sh
git clone https://git.digtlab.ru/LAssIphone/devops.git
cd devops/etcd
vim etcd.conf.yml
```

Edit to taste. The settings that matter for security are `client-transport-security` and `peer-transport-security` (`cert-file`, `key-file`, `trusted-ca-file` and `client-cert-auth: true`), together with `listen-client-urls` and `listen-peer-urls` that contain `https://` listeners only.

### 1.7. Start it

```sh
nohup etcd --config-file etcd.conf.yml &
```

### 1.8. Check
```sh
etcdctl member list
etcdctl --endpoints=localhost:2379 put foo bar
etcdctl --endpoints=https://37.9.13.235:2379 --cacert=/etc/ssl/etcd/ssl/ca.pem --cert=/etc/ssl/etcd/ssl/member1.pem --key=/etc/ssl/etcd/ssl/member1-key.pem member list
etcdctl --endpoints=https://37.9.13.235:2379 --cacert=/etc/ssl/etcd/ssl/ca.pem --cert=/etc/ssl/etcd/ssl/member1.pem --key=/etc/ssl/etcd/ssl/member1-key.pem get foo
```

The first two commands talk plaintext to `localhost:2379` and only succeed while `listen-client-urls` still contains an `http://` listener. Once the client port is TLS-only with `client-cert-auth: true` they fail, which is the point: an unauthenticated local process must not be able to write to the store. The last two commands are the real check. They present the member's own peer certificate as a client certificate, which works because the `peer` profile used in section 2 carries both server auth and client auth; `get foo` should return `bar`.

## 2. Generate peer certificate

```sh
cfssl print-defaults csr > member1.json
```

Substitute CN and hosts values, for example:

```json
...
"CN": "member1",
"hosts": [
    "192.168.122.101",
    "ext.example.com",
    "member1.local",
    "member1"
],
...
```

`hosts` becomes the certificate's Subject Alternative Names, so it must list every address and name that peers and clients will use to reach this member (add `127.0.0.1` and `localhost` if you verify locally); a client that connects under a name missing from the list fails TLS verification.

Now we are ready to generate member1 certificate and private key:

```sh
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1
```

Or without CSR json file:

```sh
echo '{"CN":"member1","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="192.168.122.101,ext.example.com,member1.local,member1" - | cfssljson -bare member1
```

You'll get the following files:

```
member1-key.pem
member1.csr
member1.pem
```

Repeat these steps for each `etcd` member hostname. `ca.pem`, `ca-key.pem` and `ca-config.json` come from the CoreOS guide linked at the top; its `peer` profile grants both server auth and client auth, which is why one certificate per member is enough for peer traffic and for etcdctl.

## 3. Start Docker with its state in etcd (or not)

```sh
service docker stop
/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --cluster-store=etcd://37.9.13.235:2379 --cluster-advertise=37.9.13.235:2375
```

As written this is a lab-only command. `-H tcp://0.0.0.0:2375` exposes the Docker API on every interface with no TLS and no authentication, and anyone who can reach that port can start a privileged container and therefore has root on the host. The cluster store URL is plaintext too, so it only works while etcd still has an `http://` client listener. For anything reachable from a network, bind the API with `--tlsverify` (conventionally on port 2376) and give the cluster store the TLS material with `--cluster-store-opt kv.cacertfile=...`, `kv.certfile=...` and `kv.keyfile=...`. Note that `--cluster-store` is the legacy libnetwork key-value store: it was deprecated in Docker 20.10 and removed in 23.0.
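Section 1.5 and section 2 assume that `ca.pem`, `ca-key.pem` and `ca-config.json` already exist. The script below is an added example, not code from the page or from the CoreOS guide: it writes the cfssl CA inputs, creates the CA, and issues one `peer`-profile certificate per member in a loop. Member names, the SAN lists, the `/etc/ssl/etcd/ssl` output directory and the `run` argument convention are assumptions; the `cfssl`, `cfssljson` and `openssl` commands are real but only run when invoked with `run`.

```sh
#!/bin/sh
# Added example (not from the page): build the cfssl inputs that the
# "Generate peer certificate" section assumes exist, then issue one
# certificate per etcd member. Names and paths are assumptions.
set -eu

# ca-config.json with the three profiles from the CoreOS guide. The
# "peer" profile carries BOTH server auth and client auth, so a single
# cert per member serves peer-to-peer TLS and etcdctl client auth.
write_ca_config() {
    dir="$1"
    cat > "$dir/ca-config.json" <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h" },
    "profiles": {
      "server": { "expiry": "8760h", "usages": ["signing", "key encipherment", "server auth"] },
      "client": { "expiry": "8760h", "usages": ["signing", "key encipherment", "client auth"] },
      "peer":   { "expiry": "8760h", "usages": ["signing", "key encipherment", "server auth", "client auth"] }
    }
  }
}
EOF
}

# CA CSR; CN and O are placeholders.
write_ca_csr() {
    dir="$1"
    cat > "$dir/ca-csr.json" <<'EOF'
{
  "CN": "etcd-ca",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "O": "example.org", "OU": "etcd" } ]
}
EOF
}

# Member CSR without a hosts list; SANs are supplied via -hostname so
# the same JSON shape works for every member.
write_member_csr() {
    dir="$1"; name="$2"
    printf '{"CN":"%s","key":{"algo":"rsa","size":2048}}\n' "$name" > "$dir/$name-csr.json"
}

# Self-signed CA: produces ca.pem, ca-key.pem, ca.csr (needs cfssl on PATH).
gen_ca() {
    dir="$1"
    ( cd "$dir" && cfssl gencert -initca ca-csr.json | cfssljson -bare ca - )
}

# Peer certificate for one member; $3 is the comma-separated SAN list.
gen_member() {
    dir="$1"; name="$2"; hosts="$3"
    ( cd "$dir" && cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
        -config=ca-config.json -profile=peer -hostname="$hosts" \
        "$name-csr.json" | cfssljson -bare "$name" )
    chmod 0600 "$dir/$name-key.pem"   # private key: owner-only
}

# Print the SANs and extended key usages that actually ended up in the cert.
show_cert() {
    openssl x509 -in "$1" -noout -text | grep -A1 -E 'Subject Alternative Name|Extended Key Usage'
}

main() {
    out="${1:-/etc/ssl/etcd/ssl}"
    mkdir -p "$out"
    write_ca_config "$out"; write_ca_csr "$out"
    gen_ca "$out"
    # name:SANs, one entry per etcd member (127.0.0.1/localhost included
    # so that local etcdctl checks pass hostname verification)
    for spec in "member1:192.168.122.101,member1.local,member1,127.0.0.1,localhost" \
                "member2:192.168.122.102,member2.local,member2,127.0.0.1,localhost"; do
        name=${spec%%:*}; hosts=${spec#*:}
        write_member_csr "$out" "$name"
        gen_member "$out" "$name" "$hosts"
        show_cert "$out/$name.pem"
    done
}

# Generate only when invoked as: sh make_etcd_pki.sh run [outdir]
case "${1:-}" in run) shift; main "$@" ;; esac
```

Run the CA step on an admin machine and ship only `ca.pem`, `memberN.pem` and `memberN-key.pem` to each etcd host; `ca-key.pem` stays with the CA.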
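Sections 1.5 to 1.8 point at an `etcd.conf.yml` in an external repository without showing it. The following is an added example, not the page's config file or etcd's sample config: it writes a TLS-only single-member configuration, refuses it if a plaintext listener slipped in, and verifies the running member with etcdctl over TLS, including a negative check that a client without a certificate is rejected. The member name `member1`, the address `37.9.13.235`, the `/var/lib/etcd` data directory and the `run` argument convention are assumptions; the etcd config keys and `ETCDCTL_*` variables are the real v3.4 ones.

```sh
#!/bin/sh
# Added example (not the page's etcd.conf.yml): TLS-only etcd config
# for one member plus an etcdctl verification over TLS.
set -eu

# Every listener is https and client-cert-auth is on for both ports, so
# an unauthenticated "etcdctl put" on localhost is refused rather than
# silently accepted.
write_etcd_config() {
    out="$1"; name="$2"; ip="$3"; ssl="${4:-/etc/ssl/etcd/ssl}"
    cat > "$out" <<EOF
name: '$name'
data-dir: /var/lib/etcd
listen-client-urls: https://$ip:2379,https://127.0.0.1:2379
advertise-client-urls: https://$ip:2379
listen-peer-urls: https://$ip:2380
initial-advertise-peer-urls: https://$ip:2380
initial-cluster: $name=https://$ip:2380
initial-cluster-token: etcd-cluster-1
initial-cluster-state: new
client-transport-security:
  cert-file: $ssl/$name.pem
  key-file: $ssl/$name-key.pem
  client-cert-auth: true
  trusted-ca-file: $ssl/ca.pem
peer-transport-security:
  cert-file: $ssl/$name.pem
  key-file: $ssl/$name-key.pem
  client-cert-auth: true
  trusted-ca-file: $ssl/ca.pem
EOF
}

# Fail fast on the two common mistakes before etcd is started.
check_config() {
    cfg="$1"
    if grep -q 'listen-.*-urls:.*http://' "$cfg"; then
        echo "plaintext http:// listener in $cfg" >&2; return 1
    fi
    grep -q '^  client-cert-auth: true' "$cfg" || { echo "client-cert-auth is off" >&2; return 1; }
    return 0
}

# ETCDCTL_* variables replace the --cacert/--cert/--key flags on every call.
verify_member() {
    ip="$1"; name="$2"; ssl="${3:-/etc/ssl/etcd/ssl}"
    export ETCDCTL_API=3
    export ETCDCTL_ENDPOINTS="https://$ip:2379"
    export ETCDCTL_CACERT="$ssl/ca.pem"
    export ETCDCTL_CERT="$ssl/$name.pem"
    export ETCDCTL_KEY="$ssl/$name-key.pem"
    etcdctl endpoint health
    etcdctl member list
    etcdctl put foo bar
    etcdctl get foo
    # Negative check: without a client certificate the handshake must fail.
    if ( unset ETCDCTL_CERT ETCDCTL_KEY; etcdctl get foo ) >/dev/null 2>&1; then
        echo "etcd accepted an unauthenticated client" >&2; return 1
    fi
    echo "TLS client auth enforced"
}

# Usage: sh etcd_tls.sh run <name> <ip>
case "${1:-}" in
run)
    write_etcd_config etcd.conf.yml "$2" "$3"
    check_config etcd.conf.yml
    nohup etcd --config-file etcd.conf.yml >etcd.log 2>&1 &
    sleep 2
    verify_member "$3" "$2"
    ;;
esac
```

With this configuration the page's plain `etcdctl --endpoints=localhost:2379 put foo bar` fails, which is the intended behaviour; use the TLS form shown in section 1.8 instead.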
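Section 3 starts dockerd with an unauthenticated API on `0.0.0.0:2375` and a plaintext etcd cluster store. The script below is an added example, not the page's command or Docker's own configuration: it writes a `daemon.json` that keeps the etcd cluster store but puts the API behind `tlsverify` on port 2376 and gives the store the etcd TLS material, then refuses the original insecure layout. The `/etc/docker/*.pem` paths, the `docker-client.pem` certificate (a `client`-profile cert signed by the etcd CA) and the `run` argument convention are assumptions; the daemon.json keys and `kv.*` options are the real ones for the legacy cluster store.

```sh
#!/bin/sh
# Added example (not the page's dockerd line): legacy etcd cluster store
# with a TLS-authenticated Docker API and a TLS etcd connection.
set -eu

# daemon.json instead of a long dockerd command line. 2376 is the
# conventional TLS port; 2375 without tlsverify hands root on the host
# to anyone who can reach it.
write_daemon_json() {
    out="$1"; ip="$2"; ssl="${3:-/etc/ssl/etcd/ssl}"
    cat > "$out" <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://$ip:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "cluster-store": "etcd://$ip:2379",
  "cluster-advertise": "$ip:2376",
  "cluster-store-opts": {
    "kv.cacertfile": "$ssl/ca.pem",
    "kv.certfile": "$ssl/docker-client.pem",
    "kv.keyfile": "$ssl/docker-client-key.pem"
  }
}
EOF
}

# Refuse the layout the page started with.
check_daemon_json() {
    cfg="$1"
    if grep -q 'tcp://0.0.0.0:2375' "$cfg"; then
        echo "unauthenticated Docker API on all interfaces in $cfg" >&2; return 1
    fi
    grep -q '"tlsverify": true' "$cfg" || { echo "tlsverify missing in $cfg" >&2; return 1; }
    return 0
}

# Remote probe: with tlsverify the client must present a cert as well,
# and the plaintext port must not answer at all.
probe() {
    ip="$1"
    docker --tlsverify --tlscacert=/etc/docker/ca.pem \
        --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem \
        -H "tcp://$ip:2376" info >/dev/null && echo "TLS API ok"
    if docker -H "tcp://$ip:2375" info >/dev/null 2>&1; then
        echo "port 2375 still answers without TLS" >&2; return 1
    fi
}

# Usage: sh docker_etcd_tls.sh run <ip>
case "${1:-}" in
run)
    write_daemon_json /etc/docker/daemon.json "$2"
    check_daemon_json /etc/docker/daemon.json
    service docker stop
    dockerd >/var/log/dockerd.log 2>&1 &   # all flags come from daemon.json
    sleep 3
    probe "$2"
    ;;
esac
```

If dockerd is normally started by a systemd unit that passes `-H fd://`, the `hosts` key in `daemon.json` conflicts with it and dockerd refuses to start; either drop `-H` from the unit or keep `hosts` on the command line only.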