from earlier version of the etherpad

==== rkt ====

dpkg -i rkt_1.25.0-1_amd64.deb

that's all!

==== etcd installation ====

etcd image, signature from below

$ export HOST_IP=18.181.0.97
$ export CLUSTER_TOKEN=hyades-cluster-1
$ rkt run --volume data-dir,kind=host,source=/var/lib/etcd \
    --volume etcd-certs,kind=host,source=/root/etcd-tls/ \
    --mount volume=etcd-certs,target=/srv/etcd-tls/ \
    --port=client:2379 --port=peer:2380 \
    etcd-v3.1.7-linux-amd64.aci -- \
    --name=master01 \
    --advertise-client-urls=https://${HOST_IP}:2379 \
    --initial-advertise-peer-urls=https://${HOST_IP}:2380 \
    --listen-client-urls=https://0.0.0.0:2379 \
    --listen-peer-urls=https://0.0.0.0:2380 \
    --initial-cluster=master01=https://${HOST_IP}:2380 \
    --initial-cluster-token $CLUSTER_TOKEN \
    --initial-cluster-state=new \
    --cert-file=/srv/etcd-tls/etcd.pem \
    --key-file=/srv/etcd-tls/etcd-key.pem \
    --client-cert-auth \
    --trusted-ca-file=/srv/etcd-tls/ca-client.pem \
    --peer-cert-file=/srv/etcd-tls/etcd.pem \
    --peer-key-file=/srv/etcd-tls/etcd-key.pem \
    --peer-client-cert-auth \
    --peer-trusted-ca-file=/srv/etcd-tls/ca.pem

try: creating tls secrets

(# is /afs/sipb/hyades/provisioning/tls-secret/, $ is the server, * is both)

# openssl genrsa -out ca-key.pem 2048
# openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=hyades-certificate-authority"
# openssl genrsa -out ca-client-key.pem 2048
# openssl req -x509 -new -nodes -key ca-client-key.pem -days 10000 -out ca-client.pem -subj "/CN=hyades-client-certificate-authority"

for each server:

* cat >etcd.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = eggs-benedict.mit.edu
IP.1 = 18.181.0.97

$ openssl genrsa -out etcd-key.pem 2048
$ openssl req -new -key etcd-key.pem -out etcd.csr -subj "/CN=hyades-master01" -config etcd.cnf
# openssl x509 -req -in etcd.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out etcd.pem -days 365 -extensions v3_req -extfile etcd.cnf
$ mkdir /root/etcd-tls/
$ mv etcd* /root/etcd-tls/
$ cp ca.pem ca-client.pem /root/etcd-tls/

for each client:

* cat >etcli.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

$ openssl genrsa -out etcli-key.pem 2048
$ openssl req -new -key etcli-key.pem -out etcli.csr -subj "/CN=hyades-test" -config etcli.cnf
# openssl x509 -req -in etcli.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out etcli.pem -days 365 -extensions v3_req -extfile etcli.cnf

test with etcdctl:

etcdctl --endpoints=https://18.181.0.97:2379 --cert-file etcli.pem --key-file etcli-key.pem --ca-file etcd-tls/ca.pem member list

NEW VERSION:

$ ./generate-secrets.sh ../secrets /home/cel/hyades/provisioning/tls-secret /afs/sipb.mit.edu/project/hyades/provisioning/tls-secret
Run the CA command specified
$ ./deploy-etcd.sh ../secrets

NOTE: WHEN CREATING NEW CLUSTERS, MAY NEED TO WIPE /var/lib/etcd FROM OLD CLUSTERS

configuration sample:

ETCDNODE=master02
HOST_IP=18.181.0.104
INITIAL_CLUSTER="master02=https://18.181.0.104:2380"
CLUSTER_TOKEN=hyades-cluster-3

==== software notes ====

Downloaded rkt from https://github.com/rkt/rkt/releases/download/v1.25.0/rkt_1.25.0-1_amd64.deb
Downloaded etcd from https://github.com/coreos/etcd/releases/download/v3.1.7/etcd-v3.1.7-linux-amd64.aci
https://github.com/coreos/etcd/releases/ (Make sure to verify keys!)
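An added example, not the hyades generate-secrets.sh or deploy-etcd.sh (whose contents are not on this page): a POSIX sh script that turns the configuration sample above (ETCDNODE, HOST_IP, INITIAL_CLUSTER, CLUSTER_TOKEN) into the etcd flag list used by the rkt run command, rejects peers that are not https and a node missing from its own INITIAL_CLUSTER, and verifies with openssl that the PEM files chain to the CA etcd is told to trust. The /srv/etcd-tls layout, the client pair name etcli.pem, and the function names are assumptions; note that the recipe above signs etcli.csr with ca-key.pem while the server's --trusted-ca-file is ca-client.pem, which is exactly what check_tls_dir would flag.

```sh
#!/bin/sh
# Added example (not the hyades deploy-etcd.sh): build the etcd flag list for
# one node from ETCDNODE, HOST_IP, INITIAL_CLUSTER and CLUSTER_TOKEN after
# checking the inputs. Assumes the /srv/etcd-tls layout of the rkt run command.
set -eu

# INITIAL_CLUSTER: comma-separated name=https://ip:2380 entries, https only,
# and this node must be listed with its own HOST_IP.
check_initial_cluster() {
    node=$1 host_ip=$2 cluster=$3 found=0
    old_ifs=$IFS; IFS=','
    for entry in $cluster; do
        case $entry in
            *=https://*:2380) ;;
            *) IFS=$old_ifs; echo "rejecting peer entry: $entry" >&2; return 1 ;;
        esac
        if [ "${entry%%=*}" = "$node" ]; then
            [ "${entry#*=}" = "https://$host_ip:2380" ] || { IFS=$old_ifs; return 1; }
            found=1
        fi
    done
    IFS=$old_ifs
    [ "$found" = 1 ]
}

# Print one etcd flag per line, mirroring the rkt run command above.
etcd_args() {
    node=$1 host_ip=$2 cluster=$3 token=$4 state=${5:-new}
    case $state in new|existing) ;; *) return 1 ;; esac
    check_initial_cluster "$node" "$host_ip" "$cluster" || return 1
    printf '%s\n' \
        "--name=$node" \
        "--advertise-client-urls=https://$host_ip:2379" \
        "--initial-advertise-peer-urls=https://$host_ip:2380" \
        --listen-client-urls=https://0.0.0.0:2379 \
        --listen-peer-urls=https://0.0.0.0:2380 \
        "--initial-cluster=$cluster" \
        "--initial-cluster-token=$token" \
        "--initial-cluster-state=$state" \
        --cert-file=/srv/etcd-tls/etcd.pem --key-file=/srv/etcd-tls/etcd-key.pem \
        --client-cert-auth --trusted-ca-file=/srv/etcd-tls/ca-client.pem \
        --peer-cert-file=/srv/etcd-tls/etcd.pem --peer-key-file=/srv/etcd-tls/etcd-key.pem \
        --peer-client-cert-auth --peer-trusted-ca-file=/srv/etcd-tls/ca.pem
}

# etcd verifies clients against ca-client.pem and peers against ca.pem, so the
# files must chain that way; a client cert signed by ca-key.pem fails here.
check_tls_dir() {
    openssl verify -CAfile "$1/ca.pem" "$1/etcd.pem" >/dev/null &&
        openssl verify -CAfile "$1/ca-client.pem" "$1/etcli.pem" >/dev/null
}
```

Run check_tls_dir against the directory that holds the generated PEMs before deploy-etcd.sh, and pass the output of etcd_args as the arguments after the `--` in the rkt run command.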