Etcd: Difference between revisions
Latest revision as of 16:24, 24 October 2023 (Tue)
etcd is a key-value store built for distributed systems.
== Installation ==
On [[Ubuntu]] it can be installed straight from the package, but note that Ubuntu 22.04 still ships version 3.3, which defaults to v2 data; from 3.4 onwards the default is v3 data, so there is a migration cost:
<syntaxhighlight lang="bash">
sudo apt install -y etcd; sudo apt clean
</syntaxhighlight>
The other option is to install the official binary; look up the current release on [[GitHub]] for <code>ETCD_VERSION</code>:
<syntaxhighlight lang="bash">
ETCD_VERSION=3.5.9; cd /tmp; wget https://github.com/etcd-io/etcd/releases/download/v${ETCD_VERSION}/etcd-v${ETCD_VERSION}-linux-amd64.tar.gz; tar xvf etcd-v${ETCD_VERSION}-linux-amd64.tar.gz; cd etcd-v${ETCD_VERSION}-linux-amd64; sudo cp etcd etcdctl etcdutl /usr/bin
</syntaxhighlight>
== Configuration ==
If you installed the [[Ubuntu]] package you can skip this part. If you installed the binary, put the [[systemd]] unit in <code>/etc/systemd/system/etcd.service</code> (this is in fact lifted from the Ubuntu package):
<syntaxhighlight lang="ini">
[Unit]
Description=etcd - highly-available key value store
Documentation=https://etcd.io/docs
Documentation=man:etcd
After=network.target
Wants=network-online.target
[Service]
Environment=DAEMON_ARGS=
Environment=ETCD_NAME=%H
Environment=ETCD_DATA_DIR=/var/lib/etcd/default
EnvironmentFile=-/etc/default/%p
Type=notify
User=etcd
PermissionsStartOnly=true
#ExecStart=/bin/sh -c "GOMAXPROCS=$(nproc) /usr/bin/etcd $DAEMON_ARGS"
ExecStart=/usr/bin/etcd $DAEMON_ARGS
Restart=on-abnormal
#RestartSec=10s
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Alias=etcd2.service
</syntaxhighlight>
Also create <code>/etc/default/etcd</code> (remember to change <code>ETCD_INITIAL_ADVERTISE_PEER_URLS</code>, <code>ETCD_LISTEN_PEER_URLS</code> and <code>ETCD_NAME</code> on each node):
<syntaxhighlight lang="bash">
#
ETCD_ADVERTISE_CLIENT_URLS="http://10.1.2.3:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://10.1.2.3:2380"
ETCD_INITIAL_CLUSTER="etcd-1-dev=http://10.1.2.3:2380,etcd-2-dev=http://10.1.2.4:2380,etcd-3-dev=http://10.1.2.5:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="x"
ETCD_LISTEN_CLIENT_URLS="http://10.1.2.3:2379"
ETCD_LISTEN_PEER_URLS="http://10.1.2.3:2380"
ETCD_NAME="etcd-1-dev"
</syntaxhighlight>
Then create the matching user and group, and enable and start the service:
<syntaxhighlight lang="bash">
sudo groupadd -r etcd; sudo useradd -r -g etcd etcd; sudo mkdir /var/lib/etcd; sudo chown etcd:etcd /var/lib/etcd; sudo systemctl daemon-reload; sudo systemctl enable --now etcd
</syntaxhighlight>
Once it has run once and the cluster is formed, change <code>new</code> to <code>existing</code> so that other machines cannot join:
<syntaxhighlight lang="bash">
# match the whole setting so no other "new" in the file is touched
sudo sed -i 's/^ETCD_INITIAL_CLUSTER_STATE="new"/ETCD_INITIAL_CLUSTER_STATE="existing"/' /etc/default/etcd; sudo service etcd restart
</syntaxhighlight>
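A consistency check for the <code>/etc/default/etcd</code> file above, written as an added example (it is not from this page or from the etcd project): it parses the <code>KEY="value"</code> lines, confirms that <code>ETCD_NAME</code> appears in <code>ETCD_INITIAL_CLUSTER</code> with the same URL the node advertises in <code>ETCD_INITIAL_ADVERTISE_PEER_URLS</code>, checks that the peer listen host matches, and flags plain-http listeners. The sample file is constructed: the first node's file copied to the second node with only <code>ETCD_NAME</code> changed, which is the mistake the check is meant to catch.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the file above copied from the first node to the second,
# with only ETCD_NAME changed and the peer URLs left as they were.
SAMPLE = '''
ETCD_ADVERTISE_CLIENT_URLS="http://10.1.2.3:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://10.1.2.3:2380"
ETCD_INITIAL_CLUSTER="etcd-1-dev=http://10.1.2.3:2380,etcd-2-dev=http://10.1.2.4:2380,etcd-3-dev=http://10.1.2.5:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="x"
ETCD_LISTEN_CLIENT_URLS="http://10.1.2.3:2379"
ETCD_LISTEN_PEER_URLS="http://10.1.2.3:2380"
ETCD_NAME="etcd-2-dev"
'''
LINE = re.compile(r'^\s*([A-Z0-9_]+)="?([^"]*)"?\s*$')

def parse_env(text):
    """Return {KEY: value} from KEY="value" lines; blank lines and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and not line.lstrip().startswith('#'):
            env[m.group(1)] = m.group(2)
    return env

def check_etcd_env(text):
    """Return the list of problems found; an empty list means the file is consistent."""
    env = parse_env(text)
    problems = []
    name = env.get('ETCD_NAME', '')
    peer = env.get('ETCD_INITIAL_ADVERTISE_PEER_URLS', '')
    cluster = dict(m.split('=', 1) for m in env.get('ETCD_INITIAL_CLUSTER', '').split(',') if '=' in m)
    # the node must advertise exactly the peer URL that ETCD_INITIAL_CLUSTER lists under its name
    if name not in cluster:
        problems.append(f'ETCD_NAME {name!r} is not listed in ETCD_INITIAL_CLUSTER')
    elif cluster[name] != peer:
        problems.append(f'ETCD_INITIAL_CLUSTER has {name}={cluster[name]} but ETCD_INITIAL_ADVERTISE_PEER_URLS={peer}')
    # the peer listener should sit on the advertised host (or a wildcard), or peers cannot reach it
    listen_host = urlsplit(env.get('ETCD_LISTEN_PEER_URLS', '')).hostname
    if listen_host not in (urlsplit(peer).hostname, '0.0.0.0', '::'):
        problems.append(f'ETCD_LISTEN_PEER_URLS host {listen_host} does not match the advertised peer host')
    # plain http means peer traffic and client credentials cross the network unencrypted
    for key in ('ETCD_LISTEN_PEER_URLS', 'ETCD_LISTEN_CLIENT_URLS'):
        for url in env.get(key, '').split(','):
            if urlsplit(url).scheme == 'http':
                problems.append(f'{key} uses plain http: {url}')
    return problems
```

Run <code>check_etcd_env(open('/etc/default/etcd').read())</code> on each node before the first start; the sample above yields the peer-URL mismatch plus two plain-http warnings.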
=== Auditing ===
If auditing is required, etcd can currently only record it by raising the log level to debug. Edit <code>/etc/default/etcd</code> and add:
<syntaxhighlight lang="bash">
DAEMON_ARGS="--log-level debug"
</syntaxhighlight>
Also create <code>/etc/rsyslog.d/30-etcd.conf</code>:
<syntaxhighlight lang="c">
if $programname == 'etcd' then /var/log/etcd.log
& stop
</syntaxhighlight>
and the matching <code>/etc/logrotate.d/etcd</code> (the path must be the same file rsyslog writes to):
<syntaxhighlight lang="c">
/var/log/etcd.log
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
</syntaxhighlight>
=== DNS ===
With several etcd nodes, [[DNS]] <code>SRV</code> records can tell clients which services are available, like this:
<syntaxhighlight lang="bash">
_etcd-client._tcp.etcd.srv.example.net. 300 IN SRV 1 1 2379 etcd-1.private.example.net.
_etcd-client._tcp.etcd.srv.example.net. 300 IN SRV 1 1 2379 etcd-2.private.example.net.
_etcd-client._tcp.etcd.srv.example.net. 300 IN SRV 1 1 2379 etcd-3.private.example.net.
</syntaxhighlight>
<code>etcdctl</code> can then use <code>-d etcd.srv.example.net</code> to name the service endpoint:
<syntaxhighlight lang="bash">
etcdctl -d etcd.srv.example.net member list
</syntaxhighlight>
=== Permissions ===
etcd controls access through users and roles. First list the existing users and roles:
<syntaxhighlight lang="bash">
etcdctl -d etcd.srv.example.net user list
etcdctl -d etcd.srv.example.net role list
</syntaxhighlight>
The first time, create the <code>root</code> user (with its password) and separately the <code>root</code> role. These two names are special within etcd and hold the highest privileges outright:
<syntaxhighlight lang="bash">
etcdctl -d etcd.srv.example.net role add root
etcdctl -d etcd.srv.example.net user add root
etcdctl -d etcd.srv.example.net user grant-role root root
</syntaxhighlight>
Then authentication can be enabled:
<syntaxhighlight lang="bash">
etcdctl -d etcd.srv.example.net auth enable
</syntaxhighlight>
Next, test the difference between supplying user credentials and not supplying them:
<syntaxhighlight lang="bash">
etcdctl -d etcd.srv.example.net user list
etcdctl -d etcd.srv.example.net --user=root:password user list
</syntaxhighlight>
One peculiarity is how to specify "all keys": it has to be assembled from the empty key <code>''</code> combined with the <code>--from-key</code> argument.
This includes creating the <code>readonly</code> user and role:
<syntaxhighlight lang="bash">
etcdctl -d etcd.srv.example.net --user=root:password user add readonly
etcdctl -d etcd.srv.example.net --user=root:password role add readonly
etcdctl -d etcd.srv.example.net --user=root:password user grant-role readonly readonly
etcdctl -d etcd.srv.example.net --user=root:password role grant-permission readonly read '' --from-key
</syntaxhighlight>
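To show what <code>''</code> with <code>--from-key</code> actually grants, here is an added model of etcd's permission-range matching (example code, not etcd's own implementation): a permission with an empty <code>range_end</code> matches one key only, <code>range_end</code> of <code>\x00</code> matches every key at or after <code>key</code> in byte order, and <code>--prefix</code> derives <code>range_end</code> by incrementing the key's last byte. The helper checks one key per request, so range reads are not modelled; the roles <code>READONLY_WRONG</code> and <code>APP_RW</code> are constructed for comparison.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    perm_type: str           # 'read', 'write' or 'readwrite', as given to `role grant-permission`
    key: bytes
    range_end: bytes = b''   # b'' = this key only; b'\x00' = every key >= key (what --from-key sets)

def prefix_end(key: bytes) -> bytes:
    """The range_end that --prefix derives: the key with its last byte incremented."""
    for i in range(len(key) - 1, -1, -1):
        if key[i] < 0xFF:
            return key[:i] + bytes([key[i] + 1])
    return b'\x00'   # every byte is 0xff, so only an open-ended range can follow it

def covers(p: Permission, key: bytes) -> bool:
    """Does the permission's key range contain this key (byte-wise comparison, as etcd does)?"""
    if p.range_end == b'':
        return key == p.key
    if p.range_end == b'\x00':
        return key >= p.key
    return p.key <= key < p.range_end

def permitted(role_perms, op: str, key: bytes) -> bool:
    """op is 'read' or 'write'; a 'readwrite' permission satisfies either."""
    return any(covers(p, key) and p.perm_type in (op, 'readwrite') for p in role_perms)

# The page's readonly role: `role grant-permission readonly read '' --from-key`
READONLY = [Permission('read', b'', b'\x00')]
# The same grant without --from-key would cover nothing but the empty key itself
READONLY_WRONG = [Permission('read', b'')]
# A least-privilege alternative: readwrite on one namespace, as `--prefix /app/` would grant
APP_RW = [Permission('readwrite', b'/app/', prefix_end(b'/app/'))]
```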
== Operations ==
First see which machines are alive:
<syntaxhighlight lang="bash">
etcdctl --endpoints=10.1.2.3:2379 member list
</syntaxhighlight>
If the [[DNS]] records are already set up, <code>-d etcd.srv.example.net</code> can name the whole cluster instead of a single server:
<syntaxhighlight lang="bash">
etcdctl -d etcd.srv.example.net member list
</syntaxhighlight>
Next, test whether the result is replicated when different nodes are accessed:
<syntaxhighlight lang="bash">
etcdctl --endpoints=10.1.2.3:2379 put /foo test1234
etcdctl --endpoints=10.1.2.3:2379 get /foo
etcdctl --endpoints=10.1.2.4:2379 get /foo
etcdctl --endpoints=10.1.2.5:2379 get /foo
etcdctl --endpoints=10.1.2.3:2379 del /foo
etcdctl --endpoints=10.1.2.3:2379 get /foo
</syntaxhighlight>