Deploying a highly available etcd 3.2 cluster with Ansible
Published: 2019-06-25


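I previously wrote an article on building an etcd 3.1 cluster by hand. I now need to initialize a new environment and plan to automate the whole deployment with Ansible, starting with the etcd 3.2 cluster.

The hosts that will run etcd are: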

node1 192.168.61.11
node2 192.168.61.12
node3 192.168.61.13

Configuration management project layout

├── inventories
│   ├── staging
│   │   ├── group_vars
│   │   │   ├── all.yml
│   │   │   └── etcd-nodes.yml
│   │   ├── host_vars
│   │   │   ├── node1.yml
│   │   │   ├── node2.yml
│   │   │   └── node3.yml
│   │   └── hosts
│   └── production
├── roles
│   ├── common
│   │   ├── defaults
│   │   │   └── main.yml
│   │   └── tasks
│   │       └── main.yml
│   ├── etcd3
│       ├── defaults
│       │   └── main.yml
│       ├── files
│       │   └── make-ca-cert.sh
│       ├── meta
│       │   └── main.yml
│       ├── tasks
│       │   ├── create_etcd_user.yml
│       │   ├── etcd-restart.yml
│       │   ├── etcd-start.yml
│       │   ├── etcd-stop.yml
│       │   ├── gen-etcd-certs.yml
│       │   ├── gen-etcd-systemd.yml
│       │   ├── install_etcd_bin.yml
│       │   └── main.yml
│       └── templates
│           ├── etcd.conf.j2
│           └── etcd.service.j2
├── deploy-etcd3.yml

roles/etcd3/defaults/main.yml:

---
etcd_version: 3.2.0
etcd_download_url_base: "https://github.com/coreos/etcd/releases/download/v{{ etcd_version }}"
etcd_release: "etcd-v{{ etcd_version }}-linux-amd64"
etcd_download_url: "{{ etcd_download_url_base }}/{{ etcd_release }}.tar.gz"
etcd_bin_path: /usr/bin
etcd_data_dir: /var/lib/etcd
etcd_conf_dir: /etc/etcd
etcd_certs_dir: "{{ etcd_conf_dir }}/ssl"
etcd_cert_group: root
etcd_ca_file: "{{ etcd_certs_dir }}/ca.crt"
etcd_cert_file: "{{ etcd_certs_dir }}/server.crt"
etcd_key_file: "{{ etcd_certs_dir }}/server.key"
etcd_peer_ca_file: "{{ etcd_certs_dir }}/ca.crt"
etcd_peer_cert_file: "{{ etcd_certs_dir }}/peer.crt"
etcd_peer_key_file: "{{ etcd_certs_dir }}/peer.key"
etcd_client_cert_file: "{{ etcd_certs_dir }}/client.crt"
etcd_client_key_file: "{{ etcd_certs_dir }}/client.key"
etcd_client_cert_auth: true
etcd_peer_client_cert_auth: true
etcd_client_port: 2379
etcd_peer_port: 2380
etcd_initial_cluster_state: new
etcd_initial_cluster_token: etcd-k8s-cluster
etcd_initial_advertise_peer_urls: "https://{{ etcd_machine_address }}:{{ etcd_peer_port }}"
etcd_listen_peer_urls: "https://{{ etcd_machine_address }}:{{ etcd_peer_port }}"
etcd_advertise_client_urls: "https://{{ etcd_machine_address }}:{{ etcd_client_port }}"
etcd_listen_client_urls: "https://{{ etcd_machine_address }}:2379,https://127.0.0.1:2379"

Create the etcd user and data directory

Create the etcd user, group and data directory.

- name: create system etcd group
  group:
    name: etcd
    state: present

- name: create system etcd user
  user:
    name: etcd
    comment: "etcd user"
    shell: /sbin/nologin
    state: present
    system: yes
    home: "{{ etcd_data_dir }}"
    groups: etcd

- name: ensure etcd_data_dir exists
  file:
    path: "{{ etcd_data_dir }}"
    recurse: yes
    state: directory
    owner: etcd
    group: etcd

Download and extract etcd

Download and extract the etcd release tarball, then copy the etcd and etcdctl executables to /usr/bin.

---
- name: set github s3 host on the first etcd server
  lineinfile:
    dest: /etc/hosts
    regexp: '.*github-production-release-asset-2e65be\.s3\.amazonaws\.com$'
    line: "219.76.4.4 github-production-release-asset-2e65be.s3.amazonaws.com"
    state: present
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  run_once: true

- name: check whether etcd release tar extracted on the first etcd server
  stat:
    path: "{{ ansible_temp_dir }}/{{ etcd_release }}"
  register: etcd_release_tar_check
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  run_once: true

- name: download etcd release tar file on the first etcd server
  get_url:
    url: "{{ etcd_download_url }}"
    dest: "{{ ansible_temp_dir }}"
    validate_certs: no
    timeout: 20
  register: download_etcd
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  run_once: true
  when: not etcd_release_tar_check.stat.exists

- name: extract etcd tar file
  unarchive:
    src: "{{ download_etcd.dest }}"
    dest: "{{ ansible_temp_dir }}"
    remote_src: yes
  run_once: true
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  when: not etcd_release_tar_check.stat.exists

- name: fetch etcd bins from the first etcd server
  fetch:
    src: "{{ ansible_temp_dir }}/{{ etcd_release }}/{{ item }}"
    dest: "tmp/etcd3/{{ item }}"
    flat: yes
  register: fetch_etcd
  run_once: true
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  with_items:
    - etcd
    - etcdctl

- name: copy etcd binary
  copy:
    src: "tmp/etcd3/{{ item }}"
    dest: "{{ etcd_bin_path }}"
    owner: etcd
    group: etcd
    mode: 0750
  with_items:
    - etcd
    - etcdctl
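The download task above sets validate_certs: no and points the release asset host at a fixed IP through /etc/hosts, so neither the server nor the tarball is authenticated before its binaries are copied to every node. A variant that keeps TLS validation on and pins the tarball digest, as an added example that is not part of the original role. etcd_release_sha256 is a hypothetical variable; its value must come from the digest published for the release you deploy, and the placeholder in the comment is not a real hash.

```yaml
---
# Added example, not from the original role.
# Assumption: etcd_release_sha256 is defined in roles/etcd3/defaults/main.yml, e.g.
#   etcd_release_sha256: "REPLACE_WITH_PUBLISHED_SHA256"   # placeholder, not a real digest

- name: refuse to run with a missing or placeholder digest
  assert:
    that:
      - etcd_release_sha256 is defined
      - etcd_release_sha256 is match('^[0-9a-f]{64}$')
    msg: "set etcd_release_sha256 to the SHA-256 published for {{ etcd_release }}.tar.gz"
  run_once: true

- name: remove the /etc/hosts override for the release asset host
  lineinfile:
    dest: /etc/hosts
    regexp: '.*github-production-release-asset-2e65be\.s3\.amazonaws\.com$'
    state: absent
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  run_once: true

# With an explicit file path and a checksum, get_url also re-checks a tarball
# left over from an earlier run and downloads again if the digest differs.
- name: download etcd release tar file with TLS validation and a pinned digest
  get_url:
    url: "{{ etcd_download_url }}"
    dest: "{{ ansible_temp_dir }}/{{ etcd_release }}.tar.gz"
    validate_certs: yes
    checksum: "sha256:{{ etcd_release_sha256 }}"
    timeout: 20
  register: download_etcd
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  run_once: true

- name: extract etcd tar file only after the digest check has passed
  unarchive:
    src: "{{ download_etcd.dest }}"
    dest: "{{ ansible_temp_dir }}"
    remote_src: yes
    creates: "{{ ansible_temp_dir }}/{{ etcd_release }}/etcd"
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  run_once: true
```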

Generate and distribute the etcd TLS certificates

---
- name: ensure etcd certs directory
  file:
    path: "{{ etcd_certs_dir }}"
    state: directory
    owner: etcd
    group: etcd
    mode: 0750
    recurse: yes

- name: copy make-ca-cert.sh
  copy:
    src: make-ca-cert.sh
    dest: "{{ etcd_certs_dir }}"
    owner: root
    group: root
    mode: "0500"
  run_once: true
  delegate_to: "{{ groups['etcd-nodes'][0] }}"

- name: gen certs on the first etcd server
  command: "{{ etcd_certs_dir }}/make-ca-cert.sh"
  args:
    creates: "{{ etcd_certs_dir }}/server.crt"
  run_once: true
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  environment:
    NODE_IPS: "{% for host in groups['etcd-nodes'] %}{{ hostvars[host]['etcd_machine_address'] }}{% if not loop.last %},{% endif %}{% endfor %}"
    NODE_DNS: "{{ groups['etcd-nodes']|join(',') }}"
    CERT_DIR: "{{ etcd_certs_dir }}"
    CERT_GROUP: "{{ etcd_cert_group }}"

- name: slurp etcd certs
  slurp:
    src: "{{ item }}"
  register: pki_certs
  run_once: true
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  with_items:
    - "{{ etcd_ca_file }}"
    - "{{ etcd_cert_file }}"
    - "{{ etcd_key_file }}"
    - "{{ etcd_peer_ca_file }}"
    - "{{ etcd_peer_cert_file }}"
    - "{{ etcd_peer_key_file }}"
    - "{{ etcd_client_cert_file }}"
    - "{{ etcd_client_key_file }}"

- name: copy etcd certs to other etcd servers
  copy:
    dest: "{{ item.item }}"
    content: "{{ item.content | b64decode }}"
    owner: etcd
    group: "{{ etcd_cert_group }}"
    mode: 0400
  with_items: "{{ pki_certs.results }}"
  when: inventory_hostname != groups['etcd-nodes'][0]
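The slurp and copy tasks above carry every private key, base64-encoded, through a registered variable, so a run with -v or --diff prints key material to the terminal and to any Ansible log; the copy task also skips the first node, leaving the key modes there to whatever make-ca-cert.sh set. The same tasks with output suppressed and key modes enforced on all nodes, as an added example that is not part of the original role. Treating files that end in .key as the private keys is an assumption taken from the names in defaults/main.yml.

```yaml
# Added example, not from the original role.
- name: slurp etcd certs (the results contain private keys)
  slurp:
    src: "{{ item }}"
  register: pki_certs
  no_log: true            # keeps base64 key material out of -v output and logs
  run_once: true
  delegate_to: "{{ groups['etcd-nodes'][0] }}"
  with_items:
    - "{{ etcd_ca_file }}"
    - "{{ etcd_cert_file }}"
    - "{{ etcd_key_file }}"
    - "{{ etcd_peer_ca_file }}"
    - "{{ etcd_peer_cert_file }}"
    - "{{ etcd_peer_key_file }}"
    - "{{ etcd_client_cert_file }}"
    - "{{ etcd_client_key_file }}"

- name: copy etcd certs to other etcd servers
  copy:
    dest: "{{ item.item }}"
    content: "{{ item.content | b64decode }}"
    owner: etcd
    group: "{{ etcd_cert_group }}"
    # Assumption: private keys are the files ending in .key, as in defaults/main.yml
    mode: "{{ '0400' if item.item.endswith('.key') else '0444' }}"
  no_log: true            # --diff would otherwise print the decoded key
  with_items: "{{ pki_certs.results }}"
  when: inventory_hostname != groups['etcd-nodes'][0]

- name: enforce key ownership and mode on every node, including the first
  file:
    path: "{{ item }}"
    owner: etcd
    group: "{{ etcd_cert_group }}"
    mode: "0400"
  with_items:
    - "{{ etcd_key_file }}"
    - "{{ etcd_peer_key_file }}"
    - "{{ etcd_client_key_file }}"
```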

systemd and configuration

---
- name: create etcd systemd unit file
  template:
    src: etcd.service.j2
    dest: /etc/systemd/system/etcd.service

- name: create etcd env conf
  template:
    src: etcd.conf.j2
    dest: /etc/etcd/etcd.conf
    owner: etcd
    group: etcd
    mode: 0540

Start etcd

---
- name: start etcd
  systemd:
    name: etcd
    daemon_reload: yes
    state: started
    enabled: yes

- name: restart etcd
  systemd:
    name: etcd
    state: restarted

Check the cluster status

To check whether the cluster is healthy, run the following on any node:

etcdctl \
  --ca-file=/etc/etcd/ssl/ca.crt \
  --cert-file=/etc/etcd/ssl/client.crt \
  --key-file=/etc/etcd/ssl/client.key \
  --endpoints=https://node1:2379,https://node2:2379,https://node3:2379 \
  cluster-health
member 1e3da2bf674fd07 is healthy: got healthy result from https://192.168.61.11:2379
member 88548a72a2e9a749 is healthy: got healthy result from https://192.168.61.13:2379
member c3bda13bf78ed2ab is healthy: got healthy result from https://192.168.61.12:2379
cluster is healthy

etcdctl \
  --ca-file=/etc/etcd/ssl/ca.crt \
  --cert-file=/etc/etcd/ssl/client.crt \
  --key-file=/etc/etcd/ssl/client.key \
  --endpoints=https://node1:2379,https://node2:2379,https://node3:2379 \
  member list
1e3da2bf674fd07: name=node1 peerURLs=https://192.168.61.11:2380 clientURLs=https://192.168.61.11:2379 isLeader=false
88548a72a2e9a749: name=node3 peerURLs=https://192.168.61.13:2380 clientURLs=https://192.168.61.13:2379 isLeader=false
c3bda13bf78ed2ab: name=node2 peerURLs=https://192.168.61.12:2380 clientURLs=https://192.168.61.12:2379 isLeader=true
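The manual health check above can be turned into tasks that also confirm the TLS settings from defaults/main.yml are in force: keys are owner-only, certificates chain to the cluster CA, and a client without a certificate is turned away. This is an added example that is not part of the original role. It assumes curl and openssl are installed on the nodes and that the certificates' SANs include each node's etcd_machine_address.

```yaml
# Added example, not from the original role. Assumes curl and openssl are
# installed on the nodes and that each certificate's SANs include the node IP.
- name: stat the private keys
  stat:
    path: "{{ item }}"
  register: key_stat
  with_items:
    - "{{ etcd_key_file }}"
    - "{{ etcd_peer_key_file }}"
    - "{{ etcd_client_key_file }}"

- name: private keys must exist and be owner-only
  assert:
    that:
      - item.stat.exists
      - item.stat.mode in ['0400', '0600']
  with_items: "{{ key_stat.results }}"

# Match on ": OK" in the output rather than relying on the exit status alone.
- name: certificates must chain to the cluster CA
  command: "openssl verify -CAfile {{ etcd_ca_file }} {{ item }}"
  register: chain
  changed_when: false
  failed_when: "': OK' not in chain.stdout"
  with_items:
    - "{{ etcd_cert_file }}"
    - "{{ etcd_peer_cert_file }}"
    - "{{ etcd_client_cert_file }}"

- name: cluster must report healthy over mutually authenticated TLS
  command: >
    {{ etcd_bin_path }}/etcdctl
    --ca-file={{ etcd_ca_file }}
    --cert-file={{ etcd_client_cert_file }}
    --key-file={{ etcd_client_key_file }}
    --endpoints=https://{{ etcd_machine_address }}:{{ etcd_client_port }}
    cluster-health
  register: health
  changed_when: false
  failed_when: "'cluster is healthy' not in health.stdout"

# The health task has already shown the port is reachable, so exit status 0
# here means etcd answered a client that presented no certificate.
- name: a client without a certificate must be rejected
  command: >
    curl --silent --max-time 5 --cacert {{ etcd_ca_file }}
    https://{{ etcd_machine_address }}:{{ etcd_client_port }}/version
  register: anon
  changed_when: false
  failed_when: anon.rc == 0
```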

Reposted from: https://www.cnblogs.com/heidsoft/p/7697992.html
