etcd2 集群在 HTTPS 迁移后无法通信
etcd2 cluster not communicating after HTTPS migration
我正在遵循有关在现有 etcd 集群中启用 HTTPS 的 Coreos 指南。 Link to Documentation
我有两个问题:
1) 使用文档中所述的以下命令将 Peer URL 重新配置为 HTTPS 后:
etcdctl member list | awk -F'[: =]' '{print "etcdctl member update "" https:"":"}'
输出与文档相同,但在 运行ning:
之后我想得到的输出是什么
etcdctl member list
我想看到 peerUrls 已更新为 HTTPs?
2) 我继续配置文档并更改 etcd 客户端 URLs。这样做之后集群完全停止通信:
etcd2[5063]: 5ebdc721c084a4b1 is starting a new election at term 20548
etcd2[5063]: 5ebdc721c084a4b1 became candidate at term 20549
etcd2[5063]: 5ebdc721c084a4b1 received vote from 5ebdc721c084a4b1 at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to d5df37b45e3cb90f at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to f3aee5692d89a2a3 at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to fb362473ced21e89 at term 20549
etcd2[5063]: the connection to peer d5df37b45e3cb90f is unhealthy
etcd2[5063]: the connection to peer f3aee5692d89a2a3 is unhealthy
etcd2[5063]: the connection to peer fb362473ced21e89 is unhealthy
并且当我运行使用以下命令进行调试时:
sudo etcdctl --ca-file /etc/ssl/etcd/ca.pem --cert-file /etc/ssl/etcd/server.pem --key-file /etc/ssl/etcd/server-key.pem member list
我得到以下输出
Failed to get leader: client: etcd cluster is unavailable or misconfigured
当我 运行 像文档中那样卷曲时,它给了我正确的输入
curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/server.pem --key /etc/ssl/etcd/server-key.pem https://172.16.0.2:2379/v2/stats/self
{"name":"coreos0","id":"5ebdc721c084a4b1","state":"StateFollower","startTime":"2017-03-21T11:33:13.964177689+03:00","leaderInfo":{"leader":"fb362473ced21e89","uptime":"13m37.308602575s","startTime":"2017-03-21T11:33:14.480109854+03:00"},"recvAppendRequestCnt":33,"sendAppendRequestCnt":0}
我的配置
/run/systemd/system/etcd2.service.d/20-cloudinit.conf
[Service]
Environment="ETCD_ADVERTISE_CLIENT_URLS=http://172.16.0.2:2379"
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=http://172.16.0.2:2380"
Environment="ETCD_INITIAL_CLUSTER=coreos1=http://172.16.0.4:2380,coreos2=http://172.16.0.5:2380,coreos0=http://172.16.0.2:2380"
Environment="ETCD_INITIAL_CLUSTER_STATE=new"
Environment="ETCD_INITIAL_CLUSTER_TOKEN=cluster1"
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
Environment="ETCD_LISTEN_PEER_URLS=http://172.16.0.2:2380"
Environment="ETCD_NAME=coreos0"
/etc/systemd/system/etcd2.service.d/25-insecure_localhost.conf
[Service]
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379,http://127.0.0.1:4001"
/etc/systemd/system/etcd2.service.d/30-certs.conf
[Service]
Environment="ETCD_CERT_FILE=/etc/ssl/etcd/server.pem"
Environment="ETCD_KEY_FILE=/etc/ssl/etcd/server-key.pem"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
Environment="ETCD_CLIENT_CERT_AUTH=true"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/etcd/server.pem"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/etcd/server-key.pem"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
/etc/systemd/system/etcd2.service.d/40-tls.conf
[Service]
Environment="ETCD_ADVERTISE_CLIENT_URLS=https://172.16.0.2:2379"
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379,http://127.0.0.1:4001"
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
提前致谢
cfssl 中存在错误,导致生成的对等证书错误。使用 echo 创建重新生成后,问题自行解决。
我正在遵循有关在现有 etcd 集群中启用 HTTPS 的 Coreos 指南。 Link to Documentation
我有两个问题:
1) 使用文档中所述的以下命令将 Peer URL 重新配置为 HTTPS 后:
etcdctl member list | awk -F'[: =]' '{print "etcdctl member update "" https:"":"}'
输出与文档相同,但在 运行ning:
之后我想得到的输出是什么etcdctl member list
我想看到 peerUrls 已更新为 HTTPs?
2) 我继续配置文档并更改 etcd 客户端 URLs。这样做之后集群完全停止通信:
etcd2[5063]: 5ebdc721c084a4b1 is starting a new election at term 20548
etcd2[5063]: 5ebdc721c084a4b1 became candidate at term 20549
etcd2[5063]: 5ebdc721c084a4b1 received vote from 5ebdc721c084a4b1 at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to d5df37b45e3cb90f at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to f3aee5692d89a2a3 at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to fb362473ced21e89 at term 20549
etcd2[5063]: the connection to peer d5df37b45e3cb90f is unhealthy
etcd2[5063]: the connection to peer f3aee5692d89a2a3 is unhealthy
etcd2[5063]: the connection to peer fb362473ced21e89 is unhealthy
并且当我运行使用以下命令进行调试时:
sudo etcdctl --ca-file /etc/ssl/etcd/ca.pem --cert-file /etc/ssl/etcd/server.pem --key-file /etc/ssl/etcd/server-key.pem member list
我得到以下输出
Failed to get leader: client: etcd cluster is unavailable or misconfigured
当我 运行 像文档中那样卷曲时,它给了我正确的输入
curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/server.pem --key /etc/ssl/etcd/server-key.pem https://172.16.0.2:2379/v2/stats/self
{"name":"coreos0","id":"5ebdc721c084a4b1","state":"StateFollower","startTime":"2017-03-21T11:33:13.964177689+03:00","leaderInfo":{"leader":"fb362473ced21e89","uptime":"13m37.308602575s","startTime":"2017-03-21T11:33:14.480109854+03:00"},"recvAppendRequestCnt":33,"sendAppendRequestCnt":0}
我的配置
/run/systemd/system/etcd2.service.d/20-cloudinit.conf
[Service]
Environment="ETCD_ADVERTISE_CLIENT_URLS=http://172.16.0.2:2379"
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=http://172.16.0.2:2380"
Environment="ETCD_INITIAL_CLUSTER=coreos1=http://172.16.0.4:2380,coreos2=http://172.16.0.5:2380,coreos0=http://172.16.0.2:2380"
Environment="ETCD_INITIAL_CLUSTER_STATE=new"
Environment="ETCD_INITIAL_CLUSTER_TOKEN=cluster1"
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
Environment="ETCD_LISTEN_PEER_URLS=http://172.16.0.2:2380"
Environment="ETCD_NAME=coreos0"
/etc/systemd/system/etcd2.service.d/25-insecure_localhost.conf
[Service]
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379,http://127.0.0.1:4001"
/etc/systemd/system/etcd2.service.d/30-certs.conf
[Service]
Environment="ETCD_CERT_FILE=/etc/ssl/etcd/server.pem"
Environment="ETCD_KEY_FILE=/etc/ssl/etcd/server-key.pem"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
Environment="ETCD_CLIENT_CERT_AUTH=true"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/etcd/server.pem"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/etcd/server-key.pem"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
/etc/systemd/system/etcd2.service.d/40-tls.conf
[Service]
Environment="ETCD_ADVERTISE_CLIENT_URLS=https://172.16.0.2:2379"
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379,http://127.0.0.1:4001"
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
提前致谢
cfssl 中存在错误,导致生成的对等证书错误。使用 echo 创建重新生成后,问题自行解决。