Etcd

image: rsrpsinr/etcd

Base: rsrpsinr/ubase:release-1.0

Etcd version: 3.1.8

About

Docker container to form a secured Etcd cluster.

How-to

Prepare the keys and certificates with the cfssl tools and map the path accordingly. For example, the directory '/home/core/etcd/cfssl' used in the example run below must contain the following files, with these exact filenames:

Content of '/home/core/etcd/cfssl':

  • ca.pem
  • peer-key.pem
  • peer.pem
  • server-key.pem
  • server.pem

For connecting clients, install the following files (use your preferred locations):

  • /etc/etcd/client.pem
  • $HOME/.ssh/client-key.pem
  • Add the CA's certificate to the system's trusted certificate store.

Prepare the etcd.conf.yaml file (see the sample below) and map it into the container as in the example run.

Example configuration file 'etcd.conf.yaml' for the bootstrap node (the first Etcd member to start):

# Bootstrap node

# member
name: node1
data-dir: /var/lib/etcd/data
initial-advertise-peer-urls: https://192.168.56.20:3380
listen-peer-urls: https://192.168.56.20:3380
listen-client-urls: https://192.168.56.20:3379,https://127.0.0.1:3379
advertise-client-urls: https://192.168.56.20:3379
initial-cluster-token: 'my-cluster'
initial-cluster: node1=https://192.168.56.20:3380
initial-cluster-state: 'new'

# security
client-transport-security:
  cert-file: /cfssl/server.pem
  key-file: /cfssl/server-key.pem
  client-cert-auth: true
peer-transport-security:
  cert-file: /cfssl/peer.pem
  key-file: /cfssl/peer-key.pem
  client-cert-auth: true

Some notes about security:

Clients are served on port 3379. Because client-cert-auth is enabled, the server verifies the connecting client's certificate, so the client must connect with the correct certificate and key (see the etcdctl setup below).

Setting up the etcdctl client to work with the cluster

Add the CA to the system trust store. On Ubuntu, run:

sudo cp ca.pem /usr/local/share/ca-certificates/etcd-ca.crt
sudo update-ca-certificates

Set the following environment variables (adjust the paths to where you installed the client files):

export ETCDCTL_CERT_FILE=/etc/etcd/client.pem
export ETCDCTL_KEY_FILE=$HOME/.ssh/client-key.pem
export ETCDCTL_ENDPOINTS=https://127.0.0.1:3379

The 'etcdctl' command can now be used; its configuration is read from these environment variables.

Example Run

docker kill etcd
docker rm etcd

docker pull rsrpsinr/etcd

docker run --privileged --name etcd -d \
  --net=host \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  -v /home/core/temp:/tmp/core:rw \
  -v /home/core/etcd/cfssl:/cfssl:rw \
  -v /home/core/etcd/etcd.conf.yaml:/etc/etcd/etcd.conf.yaml \
  -v /home/core/etcd/data:/var/lib/etcd/data:rw \
  rsrpsinr/etcd

docker logs -f etcd
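A pre-flight check for the steps above, added here as an example and not part of the rsrpsinr/etcd image: it verifies that the host cfssl directory holds the five expected files with the right PEM types and owner-only key permissions, and that every cert-file/key-file path in etcd.conf.yaml resolves through the /cfssl volume of the example run. It assumes that mount layout; make_sample_dir writes constructed placeholder PEM files (not real keys) so the checks can be dry-run.

```shell
# Added example, not part of rsrpsinr/etcd; assumes the host cfssl dir is mounted at /cfssl.
CFSSL_MOUNT=/cfssl
# Host cfssl dir: exact filenames, PEM types, owner-only key permissions.
check_cfssl_dir() {
    dir=$1; rc=0
    for f in ca.pem peer-key.pem peer.pem server-key.pem server.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; rc=1; }
    done
    for f in ca.pem peer.pem server.pem; do
        [ -f "$dir/$f" ] && ! grep -q '^-----BEGIN CERTIFICATE-----' "$dir/$f" &&
            { echo "$f is not a PEM certificate" >&2; rc=1; }
    done
    for f in peer-key.pem server-key.pem; do
        [ -f "$dir/$f" ] || continue
        grep -q 'PRIVATE KEY-----' "$dir/$f" || { echo "$f is not a PEM private key" >&2; rc=1; }
        mode=$(stat -c '%a' "$dir/$f" 2>/dev/null || stat -f '%Lp' "$dir/$f")
        case $mode in *00) ;; *) echo "$f is mode $mode, expected 0600" >&2; rc=1 ;; esac
    done
    return $rc
}
# etcd.conf.yaml: every cert/key path must resolve to a file in $dir through the /cfssl mount.
# Without trusted-ca-file, etcd (Go TLS with no ClientCAs) verifies client certs against the
# container's system CA pool rather than ca.pem, so warn about that combination.
check_conf_paths() {
    dir=$1; conf=$2; rc=0
    for p in $(sed -En 's/^[[:space:]]*(cert-file|key-file|trusted-ca-file):[[:space:]]*//p' "$conf"); do
        case $p in
            "$CFSSL_MOUNT"/*) [ -f "$dir/${p#$CFSSL_MOUNT/}" ] || { echo "$p not under $dir" >&2; rc=1; } ;;
            *) echo "$p is outside $CFSSL_MOUNT and will not exist in the container" >&2; rc=1 ;;
        esac
    done
    if grep -q 'client-cert-auth: *true' "$conf" && ! grep -q 'trusted-ca-file:' "$conf"; then
        echo "warning: client-cert-auth without trusted-ca-file; add trusted-ca-file: $CFSSL_MOUNT/ca.pem" >&2
    fi
    return $rc
}
# Constructed placeholder PEM files (not real keys) so the checks can be dry-run.
make_sample_dir() {
    dir=$1; mkdir -p "$dir"
    for f in ca peer server; do
        printf -- '-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n' > "$dir/$f.pem"
    done
    for f in peer-key server-key; do
        printf -- '-----BEGIN EC PRIVATE KEY-----\nplaceholder\n-----END EC PRIVATE KEY-----\n' > "$dir/$f.pem"
        chmod 600 "$dir/$f.pem"
    done
}
# Stand-alone use: sh check.sh /home/core/etcd/cfssl /home/core/etcd/etcd.conf.yaml
if [ $# -eq 2 ]; then check_cfssl_dir "$1" && check_conf_paths "$1" "$2"; fi
```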