From 4c05589ad484745bf1bbb22b0f7900de14357a30 Mon Sep 17 00:00:00 2001 From: anandrgitnirman Date: Thu, 8 Apr 2021 11:00:39 +0530 Subject: [PATCH] #163 --- docs/ai-developers/etcdscript.sh | 248 +++++++++++++++++++++++++++++++ docs/ai-developers/etcdsetup.md | 5 + 2 files changed, 253 insertions(+) create mode 100644 docs/ai-developers/etcdscript.sh diff --git a/docs/ai-developers/etcdscript.sh b/docs/ai-developers/etcdscript.sh new file mode 100644 index 00000000..977aff35 --- /dev/null +++ b/docs/ai-developers/etcdscript.sh @@ -0,0 +1,248 @@ +#! /bin/bash + +green="\033[0;32m" +blue="\033[1;34m" +red="\033[0;31m" +grey="\033[1;37m" +current_path=`pwd` + +echo -e "${green}<---------- ETCD INSTALLATION ---------->" +echo -e "${blue}Here is the list of prerequisite for the installation" +echo -e "${blue}\t 1. The Operating System has to be Ubuntu." +echo -e "${blue}\t 2. User should have root previliges." +echo -e "${blue}\t 3. The Host has to be mapped to a particular domain and should be accessible." +echo -e "${blue}\t 4. The Ports 2379 & 2380 should be accessible by Daemon and the Host" +echo -e "${green}" + +awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i ubuntu +if [ "$?" -ne 0 ]; +then + echo -e "${red}ERROR: The ETCD installation is currently supported for Ubuntu OS." + exit 1 +fi + +groups $user | grep sudo +if [ "$?" -ne 0 ]; +then + echo -e "${red}ERROR: User lacks sudo previliges. Switch to Root User" + exit 1 +fi + +echo -e "${blue}Domain Name of the Host:${grey}" +read domain_name +echo -e "${blue}Oragnization Name:${grey}" +read org_name +echo -e "${blue}Validity of the certificates in years:${grey}" +read years +echo -e "${green}" + +validity=$((years*365*24)) + +curl -V +if [ "$?" -ne 0 ]; +then + sudo apt-get update + sudo apt-get install curl -y +fi + +public_ip=`curl ifconfig.me` +private_ip=`hostname -I | awk '{print $1}'` + +getent hosts ${domain_name} | awk '{ print $1 }' | grep ${public_ip} +if [ "$?" -ne 0 ]; +then + getent hosts ${domain_name} | awk '{ print $1 }' | grep ${private_ip} + if [ "$?" -ne 0 ]; + then + echo -e "${red}ERROR: Domain is not mapped to the current host." + exit 1 + fi +fi + +mkdir ~/bin +curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 +curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 +chmod +x ~/bin/{cfssl,cfssljson} +export PATH=$PATH:~/bin + +cert_folder="/var/lib/etcd/cfssl" +sudo mkdir -p ${cert_folder} +sudo chmod 777 -R ${cert_folder} +cd ${cert_folder} +echo "{ + \"signing\": { + \"default\": { + \"expiry\": \"${validity}h\" + }, + \"profiles\": { + \"server\": { + \"expiry\": \"${validity}h\", + \"usages\": [ + \"signing\", + \"key encipherment\", + \"server auth\" + ] + }, + \"client\": { + \"expiry\": \"${validity}h\", + \"usages\": [ + \"signing\", + \"key encipherment\", + \"client auth\" + ] + }, + \"peer\": { + \"expiry\": \"${validity}h\", + \"usages\": [ + \"signing\", + \"key encipherment\", + \"server auth\", + \"client auth\" + ] + } + } + } +}" > ca-config.json + +echo "{ + \"CN\": \"${org_name} CA\", + \"key\": { + \"algo\": \"rsa\", + \"size\": 2048 + }, + \"names\": [ + { + \"C\": \"US\", + \"L\": \"CA\", + \"O\": \"${org_name} Name\", + \"ST\": \"San Francisco\", + \"OU\": \"Org Unit 1\", + \"OU\": \"Org Unit 2\" + } + ] +}" > ca-csr.json +cfssl gencert -initca ca-csr.json | cfssljson -bare ca - + +echo "{ + \"CN\": \"etcd-cluster\", + \"hosts\": [ + \"${domain_name}\", + \"${public_ip}\", + \"127.0.0.1\" + ], + \"key\": { + \"algo\": \"ecdsa\", + \"size\": 256 + }, + \"names\": [ + { + \"C\": \"US\", + \"L\": \"CA\", + \"ST\": \"San Francisco\" + } + ] +}" > server.json +cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server + +echo "{ + \"CN\": \"member-1\", + \"hosts\": [ + \"member-1\", + \"member-1.local\", + \"${private_ip}\", + \"127.0.0.1\" + ], + \"key\": { + \"algo\": \"ecdsa\", + \"size\": 256 + }, + \"names\": [ + { + \"C\": \"US\", + \"L\": \"CA\", + \"ST\": \"San Francisco\" + } + ] +}" > member-1.json +cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member-1.json | cfssljson -bare member-1 + +echo "{ + \"CN\": \"client\", + \"hosts\": [\"\"], + \"key\": { + \"algo\": \"ecdsa\", + \"size\": 256 + }, + \"names\": [ + { + \"C\": \"US\", + \"L\": \"CA\", + \"ST\": \"San Francisco\" + } + ] +}" > client.json +cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client + +cd ${current_path} +wget https://github.com/etcd-io/etcd/releases/download/v3.1.20/etcd-v3.1.20-linux-amd64.tar.gz +tar -zxvf etcd-v3.1.20-linux-amd64.tar.gz +cd etcd-v3.1.20-linux-amd64/ +sudo mv etcd etcdctl /usr/bin/ +cd ${current_path} +rm -rf etcd-v3.1.20-linux-amd64* + +echo "[Unit] +Description=etcd service +Documentation=https://github.com/coreos/etcd + +[Service] +User=root +Type=notify +ExecStart=/usr/bin/etcd \\ + --name member-1 \\ + --data-dir /var/lib/etcd \\ + --initial-advertise-peer-urls https://${private_ip}:2380 \\ + --listen-peer-urls https://${private_ip}:2380 \\ + --listen-client-urls https://${private_ip}:2379,https://127.0.0.1:2379 \\ + --advertise-client-urls https://${private_ip}:2379 \\ + --initial-cluster-token etcd-cluster-1 \\ + --initial-cluster member-1=https://${private_ip}:2380 \\ + --client-cert-auth --trusted-ca-file=${cert_folder}/ca.pem \\ + --cert-file=${cert_folder}/server.pem --key-file=${cert_folder}/server-key.pem \\ + --peer-client-cert-auth --peer-trusted-ca-file=${cert_folder}/ca.pem \\ + --peer-cert-file=${cert_folder}/member-1.pem --peer-key-file=${cert_folder}/member-1-key.pem \\ + --initial-cluster-state new +Restart=on-failure +RestartSec=5 + +[Install] +WantedBy=multi-user.target " | sudo tee -a /lib/systemd/system/etcd.service + +sudo systemctl daemon-reload +sudo systemctl enable etcd +sudo systemctl start etcd.service +sleep 30s + + +curl --cacert ${cert_folder}/ca.pem --cert ${cert_folder}/client.pem --key ${cert_folder}/client-key.pem "https://${domain_name}:2379/health" +if [ "$?" -ne 0 ]; +then + echo -e "${red}ERROR: Port 2379 & 2380 seems to be not accessible from the host." + rm -rf ~/bin + sudo rm -rf ${cert_folder} + sudo systemctl disable etcd + sudo service etcd stop + sudo rm /lib/systemd/system/etcd.service + sudo rm /usr/bin/etcd /usr/bin/etcdctl + sudo systemctl daemon-reload + echo -e "${red}<---------- ETCD INSTALLATION FAILED---------->" +else + echo -e "${green}" + echo -e "<---------- ETCD INSTALLATED SUCCESSFULLY---------->" + echo -e "${blue} 1. ETCD ENDPOINT: ${grey} https://${domain_name}:2379/health" + echo -e "${blue} 2. CERTIFICATES PATH: ${grey} ${cert_folder}" + echo -e "${blue} 3. COMMAND TO TEST LOCALLY: ${grey} curl --cacert ${cert_folder}/ca.pem --cert ${cert_folder}/client.pem --key ${cert_folder}/client-key.pem https://${domain_name}:2379/health" + echo -e "${blue} 4. TO START ETCD: ${grey} sudo systemctl start etcd.service" + echo -e "${blue} 5. TO STOP ETCD: ${grey} sudo systemctl start etcd.service" + echo -e "${blue} 6. TO CHECK STATUS OF ETCD: ${grey} sudo systemctl status etcd.service" +fi diff --git a/docs/ai-developers/etcdsetup.md b/docs/ai-developers/etcdsetup.md index 22f5f0b0..efe1f6c2 100644 --- a/docs/ai-developers/etcdsetup.md +++ b/docs/ai-developers/etcdsetup.md @@ -27,6 +27,11 @@ Following are the example nodes for our reference. Infrastural diagram of ETCD Cluster setup on AWS. ![Etcd Cluster Infrastructure](/assets/img/etcd/etcd-cluster.png) +## ETCD set up Script +Download script + +For detailed explanation on every step , reference the sections below + ## Generating Certificates To setup the cluster, use three types of certificate, such as: