systemd instructions only, fixed some typos

This commit is contained in:
ducoterra
2020-08-15 16:00:21 -04:00
parent c13ed04b50
commit 1b65a94246

199
README.md

@@ -5,9 +5,11 @@
### /etc/hosts ### /etc/hosts
```bash ```bash
cat <<EOF >> /etc/hosts
3.14.3.102 red 3.14.3.102 red
3.14.3.103 grey 3.14.3.103 grey
3.14.3.107 purple 3.14.3.107 purple
EOF
``` ```
### Generate Certs ### Generate Certs
@@ -17,14 +19,20 @@ Pick one server to act as the CA.
Install make Install make
```bash ```bash
sudo apt install make apt install -y make
``` ```
Install [go](https://golang.org/doc/install) Install [go](https://golang.org/doc/install)
```bash ```bash
sudo tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz
rm go$VERSION.$OS-$ARCH.tar.gz
cat <<EOF >> ~/.bashrc
export PATH=$PATH:/usr/local/go/bin export PATH=$PATH:/usr/local/go/bin
EOF
source ~/.bashrc
``` ```
Install [cfssl](https://github.com/cloudflare/cfssl) Install [cfssl](https://github.com/cloudflare/cfssl)
@@ -33,9 +41,7 @@ Install [cfssl](https://github.com/cloudflare/cfssl)
git clone https://github.com/cloudflare/cfssl git clone https://github.com/cloudflare/cfssl
cd cfssl cd cfssl
make -j 4 make -j 4
sudo mkdir /usr/local/cfssl cp bin/cfssl bin/cfssljson /usr/local/bin/
sudo mv bin/ /usr/local/cfssl/bin
export PATH=$PATH:/usr/local/cfssl/bin
``` ```
Create templates Create templates
@@ -43,11 +49,8 @@ Create templates
```bash ```bash
mkdir ~/.cfssl mkdir ~/.cfssl
cd ~/.cfssl cd ~/.cfssl
```
vim ca-config.json cat <<EOF > ca-config.json
```json
{ {
"signing": { "signing": {
"default": { "default": {
@@ -61,11 +64,9 @@ vim ca-config.json
} }
} }
} }
``` EOF
vim ca-csr.json: cat <<EOF > ca-csr.json
```json
{ {
"CN": "etcd", "CN": "etcd",
"key": { "key": {
@@ -80,11 +81,9 @@ vim ca-csr.json:
} }
] ]
} }
``` EOF
vim req-csr.json: cat <<EOF > req-csr.json
```json
{ {
"CN": "etcd", "CN": "etcd",
"hosts": [ "hosts": [
@@ -105,48 +104,55 @@ vim req-csr.json:
} }
] ]
} }
EOF
``` ```
Generate CA: Generate CA:
```bash ```bash
sudo mkdir -p /certs mkdir -p /certs
sudo chown -R pi:pi /certs cfssl gencert -initca ca-csr.json | cfssljson -bare /certs/ca
cfssl gencert -initca ca-csr.json | cfssljson -bare certs/ca
``` ```
Generate a Peer and Client Cert: Generate a Peer and Client Cert:
```bash ```bash
cfssl gencert \ cfssl gencert \
-ca certs/ca.pem \ -ca /certs/ca.pem \
-ca-key certs/ca-key.pem \ -ca-key /certs/ca-key.pem \
-config ca-config.json \ -config ca-config.json \
req-csr.json | cfssljson -bare certs/client req-csr.json | cfssljson -bare /certs/client
cfssl gencert \ cfssl gencert \
-ca certs/ca.pem \ -ca /certs/ca.pem \
-ca-key certs/ca-key.pem \ -ca-key /certs/ca-key.pem \
-config ca-config.json \ -config ca-config.json \
req-csr.json | cfssljson -bare certs/red req-csr.json | cfssljson -bare /certs/red
cp certs/ca.pem certs/client-key.pem certs/client.pem certs/red-key.pem certs/red.pem /certs/
cfssl gencert \ cfssl gencert \
-ca certs/ca.pem \ -ca /certs/ca.pem \
-ca-key certs/ca-key.pem \ -ca-key /certs/ca-key.pem \
-config ca-config.json \ -config ca-config.json \
req-csr.json | cfssljson -bare certs/purple req-csr.json | cfssljson -bare /certs/purple
scp certs/ca.pem certs/client-key.pem certs/client.pem certs/purple-key.pem certs/purple.pem purple:/certs/
cfssl gencert \ cfssl gencert \
-ca certs/ca.pem \ -ca /certs/ca.pem \
-ca-key certs/ca-key.pem \ -ca-key /certs/ca-key.pem \
-config ca-config.json \ -config ca-config.json \
req-csr.json | cfssljson -bare certs/grey req-csr.json | cfssljson -bare /certs/grey
scp certs/ca.pem certs/client-key.pem certs/client.pem certs/grey-key.pem certs/grey.pem grey:/certs/ # Run this on every node
useradd etcd
usermod -aG etcd pi
chown -R etcd:etcd /certs
chmod 750 /certs
scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/grey-key.pem /certs/grey.pem grey:/certs/
scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/purple-key.pem /certs/purple.pem purple:/certs/
chown -R etcd:etcd /certs
chmod 600 /certs/*
``` ```
## Install ETCD ## Install ETCD
@@ -154,96 +160,33 @@ scp certs/ca.pem certs/client-key.pem certs/client.pem certs/grey-key.pem certs/
[Download the latest version](https://github.com/etcd-io/etcd/releases) [Download the latest version](https://github.com/etcd-io/etcd/releases)
```bash ```bash
tar xf etcd.tar.gz tar xf $(find . -maxdepth 1 -name etcd*)
sudo cp etcd/etcd etcd/etcdctl /usr/local/bin/ cp $(find . -maxdepth 1 -type d -name "etcd*")/etcd $(find . -maxdepth 1 -type d -name "etcd*")/etcdctl /usr/local/bin/
sudo chmod +x /usr/local/bin/etcd /usr/local/bin/etcdctl chmod +x /usr/local/bin/etcd /usr/local/bin/etcdctl
``` echo 'export ETCD_UNSUPPORTED_ARCH=arm64' >> ~/.bashrc
echo 'export ETCD_IP=3.14.3.102' >> ~/.basrc
echo 'export ETCD_NAME=red' >> ~/.bashrc
source ~/.bashrc
mkdir -p /var/lib/etcd
chown -R etcd:etcd /var/lib/etcd
chmod -R 700 /var/lib/etcd
## Start the server cat <<EOF > /etc/systemd/system/etcd.service
Create folders:
```bash
sudo mkdir -p /certs/
sudo chown -R pi:pi /certs/
sudo mkdir -p /var/lib/etcd
sudo chown -R pi:pi /var/lib/etcd
sudo chmod -R 700 /var/lib/etcd
```
Unencrypted (testing only)
```bash
etcd --name red --initial-advertise-peer-urls http://3.14.3.102:2380 \
--listen-peer-urls http://3.14.3.102:2380 \
--listen-client-urls http://3.14.3.102:2379,http://127.0.0.1:2379 \
--advertise-client-urls http://3.14.3.102:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster red=http://3.14.3.102:2380 \
--initial-cluster-state new
```
TLS Encrypted
```bash
export ETCD_UNSUPPORTED_ARCH=arm64
etcd --name red --initial-advertise-peer-urls https://3.14.3.102:2380 \
--listen-peer-urls https://3.14.3.102:2380 \
--listen-client-urls https://3.14.3.102:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://3.14.3.102:2379 \
--initial-cluster-token pi-cluster-1 \
--initial-cluster red=https://3.14.3.102:2380,purple=https://3.14.3.107:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/certs/ca.pem \
--cert-file=/certs/client.pem --key-file=/certs/client-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/certs/ca.pem \
--peer-cert-file=/certs/red.pem --peer-key-file=/certs/red-key.pem
export ETCD_UNSUPPORTED_ARCH=arm64
etcd --name purple --initial-advertise-peer-urls https://3.14.3.107:2380 \
--listen-peer-urls https://3.14.3.107:2380 \
--listen-client-urls https://3.14.3.107:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://3.14.3.107:2379 \
--initial-cluster-token pi-cluster-1 \
--initial-cluster red=https://3.14.3.102:2380,purple=https://3.14.3.107:2380,grey=https://3.14.3.103:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/certs/ca.pem \
--cert-file=/certs/client.pem --key-file=/certs/client-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/certs/ca.pem \
--peer-cert-file=/certs/purple.pem --peer-key-file=/certs/purple-key.pem
export ETCD_UNSUPPORTED_ARCH=arm64
etcd --name grey --initial-advertise-peer-urls https://3.14.3.103:2380 \
--listen-peer-urls https://3.14.3.103:2380 \
--listen-client-urls https://3.14.3.103:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://3.14.3.103:2379 \
--initial-cluster-token pi-cluster-1 \
--initial-cluster red=https://3.14.3.102:2380,purple=https://3.14.3.107:2380,grey=https://3.14.3.103:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/certs/ca.pem \
--cert-file=/certs/client.pem --key-file=/certs/client-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/certs/ca.pem \
--peer-cert-file=/certs/grey.pem --peer-key-file=/certs/grey-key.pem
```
## Systemd
```conf
[Unit] [Unit]
Description=etcd service Description=etcd service
Documentation=https://github.com/etcd-io/etcd Documentation=https://github.com/etcd-io/etcd
After=network.target After=network.target
[Service] [Service]
User=pi User=etcd
Type=notify Type=notify
Environment=ETCD_UNSUPPORTED_ARCH=arm64 Environment=ETCD_UNSUPPORTED_ARCH=arm64
Environment=ETCD_DATA_DIR=/var/lib/etcd Environment=ETCD_DATA_DIR=/var/lib/etcd
Environment=ETCD_NAME=red Environment=ETCD_NAME=$ETCD_NAME
Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$IP:2380 Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$ETCD_IP:2380
Environment=ETCD_LISTEN_PEER_URLS=https://$IP:2380 Environment=ETCD_LISTEN_PEER_URLS=https://$ETCD_IP:2380
Environment=ETCD_LISTEN_CLIENT_URLS=https://$IP,https://127.0.0.1:2379 Environment=ETCD_LISTEN_CLIENT_URLS=https://$ETCD_IP:2379,https://127.0.0.1:2379
Environment=ETCD_ADVERTISE_CLIENT_URLS=https://$IP:2379 Environment=ETCD_ADVERTISE_CLIENT_URLS=https://$ETCD_IP:2379
Environment=ETCD_INITIAL_CLUSTER_TOKEN=pi-cluster-1 Environment=ETCD_INITIAL_CLUSTER_TOKEN=pi-cluster-1
Environment=ETCD_INITIAL_CLUSTER="red=https://3.14.3.102:2380,purple=https://3.14.3.107:2380,grey=https://3.14.3.103:2380" Environment=ETCD_INITIAL_CLUSTER="red=https://3.14.3.102:2380,purple=https://3.14.3.107:2380,grey=https://3.14.3.103:2380"
Environment=ETCD_INITIAL_CLUSTER_STATE=new Environment=ETCD_INITIAL_CLUSTER_STATE=new
@@ -251,8 +194,8 @@ Environment=ETCD_TRUSTED_CA_FILE=/certs/ca.pem
Environment=ETCD_CERT_FILE=/certs/client.pem Environment=ETCD_CERT_FILE=/certs/client.pem
Environment=ETCD_KEY_FILE=/certs/client-key.pem Environment=ETCD_KEY_FILE=/certs/client-key.pem
Environment=ETCD_PEER_TRUSTED_CA_FILE=/certs/ca.pem Environment=ETCD_PEER_TRUSTED_CA_FILE=/certs/ca.pem
Environment=ETCD_PEER_CERT_FILE=/certs/red.pem Environment=ETCD_PEER_CERT_FILE=/certs/$ETCD_NAME.pem
Environment=ETCD_PEER_KEY_FILE=/certs/red-key.pem Environment=ETCD_PEER_KEY_FILE=/certs/$ETCD_NAME-key.pem
ExecStart=/usr/local/bin/etcd --client-cert-auth --peer-client-cert-auth ExecStart=/usr/local/bin/etcd --client-cert-auth --peer-client-cert-auth
Restart=on-failure Restart=on-failure
RestartSec=5 RestartSec=5
@@ -260,12 +203,24 @@ LimitNOFILE=40000
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
EOF
systemctl start etcd
systemctl enable etcd
journalctl -u etcd -f
``` ```
## Use NFS
```bash ```bash
sudo systemctl start etcd export SERVER=red
sudo systemctl enable etcd echo "freenas:/mnt/enc0/pi/$SERVER /var/lib/etcd nfs noexec,nosuid,nofail 0 0" >> /etc/fstab
journalctl -u etcd -f service etcd stop
mount -t nfs freenas:/mnt/enc0/pi /media
rsync -a /var/lib/etcd/ /media/$SERVER/
mount -a
umount /media
service etcd start
``` ```
## Testing ## Testing
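Review bot: The new node setup writes `ETCD_IP` to `~/.basrc` instead of `~/.bashrc` (the line after `ETCD_UNSUPPORTED_ARCH`), so `ETCD_IP` is never set and the unquoted heredoc that follows expands `$ETCD_IP` to nothing, leaving `Environment=ETCD_LISTEN_PEER_URLS=https://:2380` and client/advertise URLs with an empty host — depending on the etcd version that either fails validation at start or binds every interface rather than the intended address. The fix is `echo 'export ETCD_IP=3.14.3.102' >> ~/.bashrc`, and since systemd does not expand `$VAR` inside `Environment=` lines, it is worth asserting the inputs before generating the unit, e.g. `: "${ETCD_IP:?}" "${ETCD_NAME:?}"`. The service account is created with a bare `useradd etcd`, which on Debian-style systems gives it a login shell; `useradd -r -s /usr/sbin/nologin etcd` is the usual form for a daemon user. In the NFS section, `nofail` lets etcd start against an empty local `/var/lib/etcd` whenever the mount is absent at boot, and the data directory, which holds every key and value in the cluster, is then carried over unauthenticated NFS; that trade-off deserves an explicit caveat in the README.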