Cluster bootstrapping in Container Linux is simplest with ; dynamically fetches the machine’s IP for discovery. Note that etcd’s discovery service protocol is only meant for bootstrapping, and cannot be used with runtime reconfiguration or cluster monitoring.

The Container Linux Config Transpiler compiles etcd configuration files into Ignition configuration files:

ct would produce the following Ignition Config:

    $ ct --platform=gce --in-file /tmp/ct-etcd.cnf
    {"ignition":{"version":"2.0.0","config"...

    {
      "ignition":{"version":"2.0.0","config":{}},
      "storage":{},
      "systemd":{
        "units":[{
          "name":"etcd-member.service",
          "enable":true,
          "dropins":[{
            "name":"20-clct-etcd-member.conf",
            "contents":"[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nEnvironment=\"ETCD_IMAGE_TAG=v3.1.8\"\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n --name=\"s1\" \\\n --data-dir=\"/var/lib/etcd\" \\\n --listen-peer-urls=\"http://${COREOS_GCE_IP_LOCAL_0}:2380\" \\\n --listen-client-urls=\"http://0.0.0.0:2379\" \\\n --initial-advertise-peer-urls=\"http://${COREOS_GCE_IP_LOCAL_0}:2380\" \\\n --advertise-client-urls=\"http://${COREOS_GCE_IP_EXTERNAL_0}:2379\" \\\n --discovery=\"https://discovery.etcd.io/\u003ctoken\u003e\""}]}]},
      "networkd":{},
      "passwd":{}}

To avoid accidental misconfiguration, the transpiler helpfully verifies etcd configurations when generating Ignition files:

    etcd:
      version: 3.2.0
      name: s1
      data_dir_x: /var/lib/etcd
      advertise_client_urls: http://{PUBLIC_IPV4}:2379
      initial_advertise_peer_urls: http://{PRIVATE_IPV4}:2380
      listen_client_urls: http://0.0.0.0:2379
      listen_peer_urls: http://{PRIVATE_IPV4}:2380
      discovery: https://discovery.etcd.io/<token>

    $ ct --platform=gce --in-file /tmp/ct-etcd.cnf
    warning at line 3, column 2
    Config has unrecognized key: data_dir_x

See for more details.

Confirm unit file exists:

Check if the etcd service is running:

    systemctl status etcd-member.service

Example systemd drop-in unit to override the default service settings:

    # Write the drop-in to a temporary file, then move it into place.
    cat > /tmp/20-cl-etcd-member.conf <<'EOF'
    [Service]
    Environment="ETCD_IMAGE_TAG=v3.2.0"
    Environment="ETCD_DATA_DIR=/var/lib/etcd"
    Environment="ETCD_SSL_DIR=/etc/ssl/certs"
    Environment="ETCD_OPTS=--name s1 \
      --listen-client-urls https://10.240.0.1:2379 \
      --advertise-client-urls https://10.240.0.1:2379 \
      --listen-peer-urls https://10.240.0.1:2380 \
      --initial-advertise-peer-urls https://10.240.0.1:2380 \
      --initial-cluster s1=https://10.240.0.1:2380,s2=https://10.240.0.2:2380,s3=https://10.240.0.3:2380 \
      --initial-cluster-token mytoken \
      --initial-cluster-state new \
      --client-cert-auth \
      --trusted-ca-file /etc/ssl/certs/etcd-root-ca.pem \
      --cert-file /etc/ssl/certs/s1.pem \
      --key-file /etc/ssl/certs/s1-key.pem \
      --peer-client-cert-auth \
      --peer-trusted-ca-file /etc/ssl/certs/etcd-root-ca.pem \
      --peer-cert-file /etc/ssl/certs/s1.pem \
      --peer-key-file /etc/ssl/certs/s1-key.pem \
      --auto-compaction-retention 1"
    EOF
    mv /tmp/20-cl-etcd-member.conf /etc/systemd/system/etcd-member.service.d/20-cl-etcd-member.conf

Or use a Container Linux Config:

    systemd:
      units:
        - name: etcd-member.service
          dropins:
            - name: conf1.conf
              contents: |
                [Service]
                Environment="ETCD_SSL_DIR=/etc/ssl/certs"
    etcd:
      version: 3.2.0
      name: s1
      data_dir: /var/lib/etcd
      listen_client_urls: https://0.0.0.0:2379
      advertise_client_urls: https://{PUBLIC_IPV4}:2379
      listen_peer_urls: https://{PRIVATE_IPV4}:2380
      initial_advertise_peer_urls: https://{PRIVATE_IPV4}:2380
      initial_cluster: s1=https://{PRIVATE_IPV4}:2380,s2=https://10.240.0.2:2380,s3=https://10.240.0.3:2380
      initial_cluster_token: mytoken
      initial_cluster_state: new
      client_cert_auth: true
      trusted_ca_file: /etc/ssl/certs/etcd-root-ca.pem
      cert_file: /etc/ssl/certs/s1.pem
      key_file: /etc/ssl/certs/s1-key.pem
      peer_client_cert_auth: true
      peer_trusted_ca_file: /etc/ssl/certs/etcd-root-ca.pem
      peer_cert_file: /etc/ssl/certs/s1.pem
      peer_key_file: /etc/ssl/certs/s1-key.pem
      auto_compaction_retention: 1

    $ ct --platform=gce --in-file /tmp/ct-etcd.cnf
    {"ignition":{"version":"2.0.0","config"...
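
A pre-deployment check for the drop-ins shown above, as an added example that is not part of the original documentation: it extracts the etcd flags from a drop-in and reports client or peer URLs that use plaintext `http://`, or that use TLS without `--client-cert-auth` / `--peer-client-cert-auth`. The function names `parse_flags` and `audit` are hypothetical, and the two sample drop-ins are abridged copies of the ones on this page.

```python
import re

# URL-carrying etcd flags from the drop-ins above, mapped to the switch that
# requires certificates on that side (client API or peer traffic).
URL_FLAGS = {
    "listen-client-urls": "client-cert-auth",
    "advertise-client-urls": "client-cert-auth",
    "listen-peer-urls": "peer-client-cert-auth",
    "initial-advertise-peer-urls": "peer-client-cert-auth",
}

def parse_flags(dropin):
    """Return {flag: value} for each --flag in a drop-in ('' for bare switches)."""
    text = dropin.replace("\\\n", " ")  # join backslash line continuations
    return dict(re.findall(r'--([a-z][a-z-]*)(?:[= ]+"?(?!--)([^\s"]+))?', text))

def audit(dropin):
    """List transport-security findings for the etcd flags in one drop-in."""
    flags, findings = parse_flags(dropin), []
    for flag, auth in URL_FLAGS.items():
        for url in filter(None, flags.get(flag, "").split(",")):
            if url.startswith("http://"):
                findings.append(f"--{flag}: plaintext {url}")
            elif flags.get(auth, "false") == "false":
                findings.append(f"--{flag}: TLS without --{auth}")
    return findings

# Abridged copies of the two drop-ins on this page (constructed sample input).
HTTP_DROPIN = r'''[Service]
ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \
 --name="s1" \
 --listen-peer-urls="http://${COREOS_GCE_IP_LOCAL_0}:2380" \
 --listen-client-urls="http://0.0.0.0:2379" \
 --advertise-client-urls="http://${COREOS_GCE_IP_EXTERNAL_0}:2379"
'''
TLS_DROPIN = r'''[Service]
Environment="ETCD_OPTS=--name s1 \
--listen-client-urls https://10.240.0.1:2379 \
--listen-peer-urls https://10.240.0.1:2380 \
--client-cert-auth \
--trusted-ca-file /etc/ssl/certs/etcd-root-ca.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file /etc/ssl/certs/etcd-root-ca.pem"
'''

if __name__ == "__main__":
    for name, dropin in (("http", HTTP_DROPIN), ("tls", TLS_DROPIN)):
        print(name, audit(dropin) or "no findings")
```

The check reads only the flags in the drop-in text; it does not verify that the certificate and key files exist or what their permissions are.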

To see all runtime drop-in changes for system units:

To reload systemd and then enable and start the service:

    systemctl daemon-reload
    systemctl enable --now etcd-member.service

To see the logs:

    journalctl --unit etcd-member.service --lines 10

To stop and disable the service:

    systemctl disable --now etcd-member.service

Container Linux includes a unit file etcd2.service for etcd 2.x, which will be removed in the near future. See for more details.

Confirm unit file is installed:

Check if the etcd service is running: