
Customizing the etcd unit

The etcd systemd unit can be customized by overriding the unit that ships with the default Container Linux settings. Common use-cases for doing this are covered below.

Use client certificates

etcd supports client certificates as a way to provide secure communication between clients ↔ leader and internal traffic between etcd peers in the cluster. Configuring certificates for both scenarios is done through the etcd section in a Container Linux Config. Options provided here will augment the unit that ships with Container Linux.

Follow the instructions on generating self-signed certificates to create the CA, server and peer certificates and their private keys before configuring etcd.

Container Linux Config (the human-readable file; it is transpiled into an Ignition config and should not be passed directly to Container Linux):

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

etcd:
  # More settings are needed here for a functioning etcd daemon
  ca_file:        /path/to/CA.pem
  cert_file:      /path/to/server.crt
  key_file:       /path/to/server.key
  peer_ca_file:   /path/to/CA.pem
  peer_cert_file: /path/to/peers.crt
  peer_key_file:  /path/to/peers.key
storage:
  files:
    - path: /path/to/CA.pem
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
          ...snip...
          EtHaxYQRy72yZrte6Ypw57xPRB8sw1DIYjr821Lw05DrLuBYcbyclg==
          -----END CERTIFICATE-----
    - path: /path/to/server.crt
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          MIIFWTCCA0OgAwIBAgIBAjALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
          DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0y
          ...snip...
          rdmtCVLOyo2wz/UTzvo7UpuxRrnizBHpytE4u0KgifGp1OOKY+1Lx8XSH7jJIaZB
          a3m12FMs3AsSt7mzyZk+bH2WjZLrlUXyrvprI40=
          -----END CERTIFICATE-----
    - path: /path/to/server.key
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN RSA PRIVATE KEY-----
          Proc-Type: 4,ENCRYPTED
          DEK-Info: DES-EDE3-CBC,069abc493cd8bda6

          TBX9mCqvzNMWZN6YQKR2cFxYISFreNk5Q938s5YClnCWz3B6KfwCZtjMlbdqAakj
          ...snip...
          mgVh2LBerGMbsdsTQ268sDvHKTdD9MDAunZlQIgO2zotARY02MLV/Q5erASYdCxk
          -----END RSA PRIVATE KEY-----
    - path: /path/to/peers.crt
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          VQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0yMIIFWTCCA0OgAwIBAgIBAjALBgkq
          DgYDVQQKEwdldGNkLWNhMQswCQYDhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
          ...snip...
          BHpytE4u0KgifGp1OOKY+1Lx8XSH7jJIaZBrdmtCVLOyo2wz/UTzvo7UpuxRrniz
          St7mza3m12FMs3AsyZk+bH2WjZLrlUXyrvprI90=
          -----END CERTIFICATE-----
    - path: /path/to/peers.key
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN RSA PRIVATE KEY-----
          Proc-Type: 4,ENCRYPTED
          DEK-Info: DES-EDE3-CBC,069abc493cd8bda6

          SFreNk5Q938s5YTBX9mCqvzNMWZN6YQKR2cFxYIClnCWz3B6KfwCZtjMlbdqAakj
          ...snip...
          DvHKTdD9MDAunZlQIgO2zotmgVh2LBerGMbsdsTQ268sARY02MLV/Q5erASYdCxk
          -----END RSA PRIVATE KEY-----

Generated Ignition config (the raw machine configuration, not intended for editing):

{
  "ignition": {
    "config": {},
    "timeouts": {},
    "version": "2.1.0"
  },
  "networkd": {},
  "passwd": {},
  "storage": {
    "files": [
      {
        "filesystem": "root",
        "group": {},
        "path": "/path/to/CA.pem",
        "user": {},
        "contents": {
          "source": "data:,-----BEGIN%20CERTIFICATE-----%0AMIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw%0A...snip...%0AEtHaxYQRy72yZrte6Ypw57xPRB8sw1DIYjr821Lw05DrLuBYcbyclg%3D%3D%0A-----END%20CERTIFICATE-----%0A",
          "verification": {}
        },
        "mode": 420
      },
      {
        "filesystem": "root",
        "group": {},
        "path": "/path/to/server.crt",
        "user": {},
        "contents": {
          "source": "data:,-----BEGIN%20CERTIFICATE-----%0AMIIFWTCCA0OgAwIBAgIBAjALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw%0ADgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0y%0A...snip...%0ArdmtCVLOyo2wz%2FUTzvo7UpuxRrnizBHpytE4u0KgifGp1OOKY%2B1Lx8XSH7jJIaZB%0Aa3m12FMs3AsSt7mzyZk%2BbH2WjZLrlUXyrvprI40%3D%0A-----END%20CERTIFICATE-----%0A",
          "verification": {}
        },
        "mode": 420
      },
      {
        "filesystem": "root",
        "group": {},
        "path": "/path/to/server.key",
        "user": {},
        "contents": {
          "source": "data:,-----BEGIN%20RSA%20PRIVATE%20KEY-----%0AProc-Type%3A%204%2CENCRYPTED%0ADEK-Info%3A%20DES-EDE3-CBC%2C069abc493cd8bda6%0A%0ATBX9mCqvzNMWZN6YQKR2cFxYISFreNk5Q938s5YClnCWz3B6KfwCZtjMlbdqAakj%0A...snip...%0AmgVh2LBerGMbsdsTQ268sDvHKTdD9MDAunZlQIgO2zotARY02MLV%2FQ5erASYdCxk%0A-----END%20RSA%20PRIVATE%20KEY-----%0A",
          "verification": {}
        },
        "mode": 420
      },
      {
        "filesystem": "root",
        "group": {},
        "path": "/path/to/peers.crt",
        "user": {},
        "contents": {
          "source": "data:,-----BEGIN%20CERTIFICATE-----%0AVQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0yMIIFWTCCA0OgAwIBAgIBAjALBgkq%0ADgYDVQQKEwdldGNkLWNhMQswCQYDhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw%0A...snip...%0ABHpytE4u0KgifGp1OOKY%2B1Lx8XSH7jJIaZBrdmtCVLOyo2wz%2FUTzvo7UpuxRrniz%0ASt7mza3m12FMs3AsyZk%2BbH2WjZLrlUXyrvprI90%3D%0A-----END%20CERTIFICATE-----%0A",
          "verification": {}
        },
        "mode": 420
      },
      {
        "filesystem": "root",
        "group": {},
        "path": "/path/to/peers.key",
        "user": {},
        "contents": {
          "source": "data:,-----BEGIN%20RSA%20PRIVATE%20KEY-----%0AProc-Type%3A%204%2CENCRYPTED%0ADEK-Info%3A%20DES-EDE3-CBC%2C069abc493cd8bda6%0A%0ASFreNk5Q938s5YTBX9mCqvzNMWZN6YQKR2cFxYIClnCWz3B6KfwCZtjMlbdqAakj%0A...snip...%0ADvHKTdD9MDAunZlQIgO2zotmgVh2LBerGMbsdsTQ268sARY02MLV%2FQ5erASYdCxk%0A-----END%20RSA%20PRIVATE%20KEY-----",
          "verification": {}
        },
        "mode": 420
      }
    ]
  },
  "systemd": {
    "units": [
      {
        "dropins": [
          {
            "contents": "[Service]\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --ca-file=\"/path/to/CA.pem\" \\\n  --cert-file=\"/path/to/server.crt\" \\\n  --key-file=\"/path/to/server.key\" \\\n  --peer-ca-file=\"/path/to/CA.pem\" \\\n  --peer-cert-file=\"/path/to/peers.crt\" \\\n  --peer-key-file=\"/path/to/peers.key\"",
            "name": "20-clct-etcd-member.conf"
          }
        ],
        "enable": true,
        "name": "etcd-member.service"
      }
    ]
  }
}
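The transpilation shown above, as an added example (not the page's own code and not the config transpiler itself): it reproduces how the etcd keys become the flags in the 20-clct-etcd-member.conf drop-in and how inline file contents become percent-encoded data: URLs with decimal modes, and adds a check of my own, not from the page, that flags private keys whose mode lets group or others read them. The PEM bodies are constructed placeholders.

```python
from urllib.parse import quote

# Constructed sample that mirrors the Container Linux Config above (PEM bodies shortened).
# YAML reads "0644" as octal, so the modes are written here as Python octal literals.
CONFIG = {
    "etcd": {
        "ca_file": "/path/to/CA.pem", "cert_file": "/path/to/server.crt",
        "key_file": "/path/to/server.key", "peer_ca_file": "/path/to/CA.pem",
        "peer_cert_file": "/path/to/peers.crt", "peer_key_file": "/path/to/peers.key",
    },
    "storage": {"files": [
        {"path": "/path/to/CA.pem", "filesystem": "root", "mode": 0o644,
         "contents": {"inline": "-----BEGIN CERTIFICATE-----\nMIIF+/==\n-----END CERTIFICATE-----\n"}},
        {"path": "/path/to/server.key", "filesystem": "root", "mode": 0o644,
         "contents": {"inline": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"}},
    ]},
}

# Config key -> etcd-wrapper flag, in the order the generated drop-in lists them.
ETCD_FLAGS = [("ca_file", "--ca-file"), ("cert_file", "--cert-file"),
              ("key_file", "--key-file"), ("peer_ca_file", "--peer-ca-file"),
              ("peer_cert_file", "--peer-cert-file"), ("peer_key_file", "--peer-key-file")]

def etcd_dropin(etcd):
    """Render the drop-in: an empty ExecStart= clears the shipped command line,
    then the wrapper is re-launched with the TLS flags appended."""
    head = ["[Service]", "ExecStart=", "ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\"]
    args = [f'  {flag}="{etcd[key]}"' for key, flag in ETCD_FLAGS if key in etcd]
    return "\n".join(head + [a + " \\" for a in args[:-1]] + args[-1:])

def ignition_file(entry):
    """Convert one storage.files entry: inline text becomes a percent-encoded data: URL
    (space -> %20, newline -> %0A, '=' -> %3D) and the octal mode a decimal int (0644 -> 420)."""
    return {"filesystem": entry["filesystem"], "path": entry["path"], "user": {}, "group": {},
            "contents": {"source": "data:," + quote(entry["contents"]["inline"], safe=""),
                         "verification": {}},
            "mode": entry["mode"]}

def world_readable_keys(files):
    """Added check (not from the page): private keys whose mode grants group/other read."""
    return [f["path"] for f in files
            if "PRIVATE KEY" in f["contents"]["inline"] and f["mode"] & 0o044]

if __name__ == "__main__":
    print(etcd_dropin(CONFIG["etcd"]))
    for f in CONFIG["storage"]["files"]:
        print(ignition_file(f)["contents"]["source"])
    print("world-readable keys:", world_readable_keys(CONFIG["storage"]["files"]))
```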