From 1b65a94246f47c9ca4b0db46373939356ba582a6 Mon Sep 17 00:00:00 2001 From: ducoterra Date: Sat, 15 Aug 2020 16:00:21 -0400 Subject: [PATCH] systemd instruction only, fixed some typos --- README.md | 199 +++++++++++++++++++++--------------------------------- 1 file changed, 77 insertions(+), 122 deletions(-) diff --git a/README.md b/README.md index 51e9463..2ae46e6 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,11 @@ ### /etc/hosts ```bash +cat <> /etc/hosts 3.14.3.102 red 3.14.3.103 grey 3.14.3.107 purple +EOF ``` ### Generate Certs @@ -17,14 +19,20 @@ Pick one server to act as the CA. Install make ```bash -sudo apt install make +apt install -y make ``` Install [go](https://golang.org/doc/install) ```bash -sudo tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz +tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz +rm go$VERSION.$OS-$ARCH.tar.gz + +cat <> ~/.bashrc export PATH=$PATH:/usr/local/go/bin +EOF + +source ~/.bashrc ``` Install [cfssl](https://github.com/cloudflare/cfssl) @@ -33,9 +41,7 @@ Install [cfssl](https://github.com/cloudflare/cfssl) git clone https://github.com/cloudflare/cfssl cd cfssl make -j 4 -sudo mkdir /usr/local/cfssl -sudo mv bin/ /usr/local/cfssl/bin -export PATH=$PATH:/usr/local/cfssl/bin +cp bin/cfssl bin/cfssljson /usr/local/bin/ ``` Create templates @@ -43,11 +49,8 @@ Create templates ```bash mkdir ~/.cfssl cd ~/.cfssl -``` -vim ca-config.json - -```json +cat < ca-config.json { "signing": { "default": { @@ -61,11 +64,9 @@ vim ca-config.json } } } -``` +EOF -vim ca-csr.json: - -```json +cat < ca-csr.json { "CN": "etcd", "key": { @@ -80,11 +81,9 @@ vim ca-csr.json: } ] } -``` +EOF -vim req-csr.json: - -```json +cat < req-csr.json { "CN": "etcd", "hosts": [ 
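Review bot: The Go archive is unpacked straight into /usr/local and then deleted with no integrity check, so a tampered or truncated download lands in a system path with nothing to catch it; the download step itself is not part of this hunk. Before the `tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz` line, compare the archive against the SHA256 published on the Go download page, e.g. `echo "EXPECTED_SHA256  go$VERSION.$OS-$ARCH.tar.gz" | sha256sum -c -`, and only extract on success. Dropping `sudo` here (and in every later hunk) implicitly assumes the whole README is executed as root, which is worth stating once at the top so nobody runs the `.bashrc` edits under root by accident.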
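Review bot: The cfssl build clones the default branch of the upstream repository and copies whatever `make -j 4` produces into /usr/local/bin, so the CA tooling for this cluster is built from an unpinned, moving tree. Check out a tagged release before building, e.g. `git checkout TAG` right after `cd cfssl`, and record that tag in the README so the build is reproducible and auditable. Since `sudo` was removed, `make` now runs as root inside the freshly cloned tree; building as an unprivileged user and installing with `install -m 0755 bin/cfssl bin/cfssljson /usr/local/bin/` would be the safer shape.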
@@ -105,48 +104,55 @@ vim req-csr.json: } ] } +EOF ``` Generate CA: ```bash -sudo mkdir -p /certs -sudo chown -R pi:pi /certs -cfssl gencert -initca ca-csr.json | cfssljson -bare certs/ca +mkdir -p /certs +cfssl gencert -initca ca-csr.json | cfssljson -bare /certs/ca ``` Generate a Peer and Client Cert: ```bash cfssl gencert \ - -ca certs/ca.pem \ - -ca-key certs/ca-key.pem \ + -ca /certs/ca.pem \ + -ca-key /certs/ca-key.pem \ -config ca-config.json \ - req-csr.json | cfssljson -bare certs/client + req-csr.json | cfssljson -bare /certs/client cfssl gencert \ - -ca certs/ca.pem \ - -ca-key certs/ca-key.pem \ + -ca /certs/ca.pem \ + -ca-key /certs/ca-key.pem \ -config ca-config.json \ - req-csr.json | cfssljson -bare certs/red - -cp certs/ca.pem certs/client-key.pem certs/client.pem certs/red-key.pem certs/red.pem /certs/ + req-csr.json | cfssljson -bare /certs/red cfssl gencert \ - -ca certs/ca.pem \ - -ca-key certs/ca-key.pem \ + -ca /certs/ca.pem \ + -ca-key /certs/ca-key.pem \ -config ca-config.json \ - req-csr.json | cfssljson -bare certs/purple - -scp certs/ca.pem certs/client-key.pem certs/client.pem certs/purple-key.pem certs/purple.pem purple:/certs/ + req-csr.json | cfssljson -bare /certs/purple cfssl gencert \ - -ca certs/ca.pem \ - -ca-key certs/ca-key.pem \ + -ca /certs/ca.pem \ + -ca-key /certs/ca-key.pem \ -config ca-config.json \ - req-csr.json | cfssljson -bare certs/grey + req-csr.json | cfssljson -bare /certs/grey -scp certs/ca.pem certs/client-key.pem certs/client.pem certs/grey-key.pem certs/grey.pem grey:/certs/ +# Run this on every node +useradd etcd +usermod -aG etcd pi +chown -R etcd:etcd /certs +chmod 750 /certs + +scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/grey-key.pem /certs/grey.pem grey:/certs/ + +scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/purple-key.pem /certs/purple.pem purple:/certs/ + +chown -R etcd:etcd /certs +chmod 600 /certs/* ``` ## Install ETCD 
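Review bot: After `cfssljson -bare /certs/ca` the CA signing key `/certs/ca-key.pem` sits in the same directory that is later `chown -R etcd:etcd` / `chmod 600`, so the etcd service account on the CA host can read the key that mints every peer and client certificate, and a compromise of that process can issue new trusted identities. Generate the CA somewhere root-only such as `~/.cfssl` (`cfssl gencert -initca ca-csr.json | cfssljson -bare ca`, then `cp ca.pem /certs/`) and point the `-ca`/`-ca-key` flags at that copy, so /certs only ever holds `ca.pem` plus the node's own keys. The trailing `chown -R etcd:etcd /certs` and `chmod 600 /certs/*` run on the CA host, but the `scp ... grey:/certs/` and `scp ... purple:/certs/` copies leave the files on those nodes owned by the ssh user, so the same two commands must be repeated on every node after the copy, and `/certs` has to be created there first — the "Run this on every node" block only does useradd/chown on a directory that does not yet exist on grey and purple. With `chmod 600` the `usermod -aG etcd pi` grants nothing, because group members cannot read 0600 files; if `pi` is meant to run `etcdctl` with `client.pem`, that pair needs 0640 and the rest stay 0600.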
@@ -154,96 +160,33 @@ scp certs/ca.pem certs/client-key.pem certs/client.pem certs/grey-key.pem certs/ [Download the latest version](https://github.com/etcd-io/etcd/releases) ```bash -tar xf etcd.tar.gz -sudo cp etcd/etcd etcd/etcdctl /usr/local/bin/ -sudo chmod +x /usr/local/bin/etcd /usr/local/bin/etcdctl -``` +tar xf $(find . -maxdepth 1 -name etcd*) +cp $(find . -maxdepth 1 -type d -name "etcd*")/etcd $(find . -maxdepth 1 -type d -name "etcd*")/etcdctl /usr/local/bin/ +chmod +x /usr/local/bin/etcd /usr/local/bin/etcdctl +echo 'export ETCD_UNSUPPORTED_ARCH=arm64' >> ~/.bashrc +echo 'export ETCD_IP=3.14.3.102' >> ~/.basrc +echo 'export ETCD_NAME=red' >> ~/.bashrc +source ~/.bashrc +mkdir -p /var/lib/etcd +chown -R etcd:etcd /var/lib/etcd +chmod -R 700 /var/lib/etcd -## Start the server - -Create folders: - -```bash -sudo mkdir -p /certs/ -sudo chown -R pi:pi /certs/ -sudo mkdir -p /var/lib/etcd -sudo chown -R pi:pi /var/lib/etcd -sudo chmod -R 700 /var/lib/etcd -``` - -Unencrypted (testing only) - -```bash -etcd --name red --initial-advertise-peer-urls http://3.14.3.102:2380 \ - --listen-peer-urls http://3.14.3.102:2380 \ - --listen-client-urls http://3.14.3.102:2379,http://127.0.0.1:2379 \ - --advertise-client-urls http://3.14.3.102:2379 \ - --initial-cluster-token etcd-cluster-1 \ - --initial-cluster red=http://3.14.3.102:2380 \ - --initial-cluster-state new -``` - -TLS Encrypted - -```bash -export ETCD_UNSUPPORTED_ARCH=arm64 -etcd --name red --initial-advertise-peer-urls https://3.14.3.102:2380 \ - --listen-peer-urls https://3.14.3.102:2380 \ - --listen-client-urls https://3.14.3.102:2379,https://127.0.0.1:2379 \ - --advertise-client-urls https://3.14.3.102:2379 \ - --initial-cluster-token pi-cluster-1 \ - --initial-cluster red=https://3.14.3.102:2380,purple=https://3.14.3.107:2380 \ - --initial-cluster-state new \ - --client-cert-auth --trusted-ca-file=/certs/ca.pem \ - --cert-file=/certs/client.pem --key-file=/certs/client-key.pem \ - --peer-client-cert-auth 
--peer-trusted-ca-file=/certs/ca.pem \ - --peer-cert-file=/certs/red.pem --peer-key-file=/certs/red-key.pem - -export ETCD_UNSUPPORTED_ARCH=arm64 -etcd --name purple --initial-advertise-peer-urls https://3.14.3.107:2380 \ - --listen-peer-urls https://3.14.3.107:2380 \ - --listen-client-urls https://3.14.3.107:2379,https://127.0.0.1:2379 \ - --advertise-client-urls https://3.14.3.107:2379 \ - --initial-cluster-token pi-cluster-1 \ - --initial-cluster red=https://3.14.3.102:2380,purple=https://3.14.3.107:2380,grey=https://3.14.3.103:2380 \ - --initial-cluster-state new \ - --client-cert-auth --trusted-ca-file=/certs/ca.pem \ - --cert-file=/certs/client.pem --key-file=/certs/client-key.pem \ - --peer-client-cert-auth --peer-trusted-ca-file=/certs/ca.pem \ - --peer-cert-file=/certs/purple.pem --peer-key-file=/certs/purple-key.pem - -export ETCD_UNSUPPORTED_ARCH=arm64 -etcd --name grey --initial-advertise-peer-urls https://3.14.3.103:2380 \ - --listen-peer-urls https://3.14.3.103:2380 \ - --listen-client-urls https://3.14.3.103:2379,https://127.0.0.1:2379 \ - --advertise-client-urls https://3.14.3.103:2379 \ - --initial-cluster-token pi-cluster-1 \ - --initial-cluster red=https://3.14.3.102:2380,purple=https://3.14.3.107:2380,grey=https://3.14.3.103:2380 \ - --initial-cluster-state new \ - --client-cert-auth --trusted-ca-file=/certs/ca.pem \ - --cert-file=/certs/client.pem --key-file=/certs/client-key.pem \ - --peer-client-cert-auth --peer-trusted-ca-file=/certs/ca.pem \ - --peer-cert-file=/certs/grey.pem --peer-key-file=/certs/grey-key.pem -``` - -## Systemd - -```conf +cat < /etc/systemd/system/etcd.service [Unit] Description=etcd service Documentation=https://github.com/etcd-io/etcd After=network.target [Service] -User=pi +User=etcd Type=notify Environment=ETCD_UNSUPPORTED_ARCH=arm64 Environment=ETCD_DATA_DIR=/var/lib/etcd -Environment=ETCD_NAME=red -Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$IP:2380 -Environment=ETCD_LISTEN_PEER_URLS=https://$IP:2380 
-Environment=ETCD_LISTEN_CLIENT_URLS=https://$IP,https://127.0.0.1:2379 -Environment=ETCD_ADVERTISE_CLIENT_URLS=https://$IP:2379 +Environment=ETCD_NAME=$ETCD_NAME +Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$ETCD_IP:2380 +Environment=ETCD_LISTEN_PEER_URLS=https://$ETCD_IP:2380 +Environment=ETCD_LISTEN_CLIENT_URLS=https://$ETCD_IP:2379,https://127.0.0.1:2379 +Environment=ETCD_ADVERTISE_CLIENT_URLS=https://$ETCD_IP:2379 Environment=ETCD_INITIAL_CLUSTER_TOKEN=pi-cluster-1 Environment=ETCD_INITIAL_CLUSTER="red=https://3.14.3.102:2380,purple=https://3.14.3.107:2380,grey=https://3.14.3.103:2380" Environment=ETCD_INITIAL_CLUSTER_STATE=new @@ -251,8 +194,8 @@ Environment=ETCD_TRUSTED_CA_FILE=/certs/ca.pem Environment=ETCD_CERT_FILE=/certs/client.pem Environment=ETCD_KEY_FILE=/certs/client-key.pem Environment=ETCD_PEER_TRUSTED_CA_FILE=/certs/ca.pem -Environment=ETCD_PEER_CERT_FILE=/certs/red.pem -Environment=ETCD_PEER_KEY_FILE=/certs/red-key.pem +Environment=ETCD_PEER_CERT_FILE=/certs/$ETCD_NAME.pem +Environment=ETCD_PEER_KEY_FILE=/certs/$ETCD_NAME-key.pem ExecStart=/usr/local/bin/etcd --client-cert-auth --peer-client-cert-auth Restart=on-failure RestartSec=5 @@ -260,12 +203,24 @@ LimitNOFILE=40000 [Install] WantedBy=multi-user.target +EOF + +systemctl start etcd +systemctl enable etcd +journalctl -u etcd -f ``` +## Use NFS + ```bash -sudo systemctl start etcd -sudo systemctl enable etcd -journalctl -u etcd -f +export SERVER=red +echo "freenas:/mnt/enc0/pi/$SERVER /var/lib/etcd nfs noexec,nosuid,nofail 0 0" >> /etc/fstab +service etcd stop +mount -t nfs freenas:/mnt/enc0/pi /media +rsync -a /var/lib/etcd/ /media/$SERVER/ +mount -a +umount /media +service etcd start ``` ## Testing
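Review bot: `echo 'export ETCD_IP=3.14.3.102' >> ~/.basrc` writes to a misspelled file, so `ETCD_IP` is never exported and the unquoted heredoc that follows writes `https://:2380` and `https://:2379` into every URL of /etc/systemd/system/etcd.service; the fix is `echo 'export ETCD_IP=3.14.3.102' >> ~/.bashrc`. Because the heredoc delimiter is unquoted, `$ETCD_NAME`, `$ETCD_IP` and the `/certs/$ETCD_NAME.pem` paths are expanded by the shell at write time, so the README should say the three `export` lines must be changed per node before this step and suggest `grep URLS /etc/systemd/system/etcd.service` before `systemctl start etcd`. The `-name etcd*` in the `tar xf $(find ...)` line is unquoted, so the shell globs it before `find` sees it and it only works while the archive is the sole match; quote it as `-name 'etcd*'` like the second `find` does, or name the archive explicitly as the removed text did. Running the unit as `User=etcd` instead of `pi` is a real improvement; since it has only `After=network.target`, consider also `NoNewPrivileges=yes`, `ProtectSystem=strict` and `ReadWritePaths=/var/lib/etcd` in `[Service]` so the service cannot write outside its data directory.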
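Review bot: Putting /var/lib/etcd on an NFS export sends the whole etcd key space — etcd does not encrypt its data files at rest — across the network with the default AUTH_SYS security, where any host that can reach `freenas` and present a matching uid can read or alter it, and etcd's durability depends on fsync semantics that network filesystems frequently do not honour. If NFS is unavoidable, add `sec=krb5p` (or at minimum `vers=4` plus an export restricted to these three hosts) to the fstab options and document the trade-off in the README. `nofail` means that when the mount is absent at boot the unit, which has no `RequiresMountsFor=`, starts etcd against an empty local directory with `ETCD_INITIAL_CLUSTER_STATE=new`, i.e. a fresh member that diverges from the cluster; either drop `nofail` or add `RequiresMountsFor=/var/lib/etcd` under `[Unit]`. `rsync -a` only preserves the `etcd:etcd` ownership if the export does not squash root, so verify with `ls -ln /var/lib/etcd` after `mount -a` and before `service etcd start`.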