doc: scrub legacy ports and TLS information for v3

shailvipx · May 11, 2016 · db8f577 · db8f577
1 parent b03a2f0
commit db8f577
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 25 deletions.
diff --git a/Documentation/op-guide/clustering.md b/Documentation/op-guide/clustering.md
@@ -256,17 +256,17 @@ DNS [SRV records][rfc-srv] can be used as a discovery mechanism.
 The `-discovery-srv` flag can be used to set the DNS domain name where the discovery SRV records can be found.
 The following DNS SRV records are looked up in the listed order:
 
-* _etcd-server-ssl._tcp.example.com
+* _etcd-server-tls._tcp.example.com
 * _etcd-server._tcp.example.com
 
-If `_etcd-server-ssl._tcp.example.com` is found then etcd will attempt the bootstrapping process over SSL.
+If `_etcd-server-tls._tcp.example.com` is found then etcd will attempt the bootstrapping process over TLS.
 
 To help clients discover the etcd cluster, the following DNS SRV records are looked up in the listed order:
 
 * _etcd-client._tcp.example.com
-* _etcd-client-ssl._tcp.example.com
+* _etcd-client-tls._tcp.example.com
 
-If `_etcd-client-ssl._tcp.example.com` is found, clients will attempt to communicate with the etcd cluster over SSL.
+If `_etcd-client-tls._tcp.example.com` is found, clients will attempt to communicate with the etcd cluster over TLS.
 
 #### Create DNS SRV records
 

diff --git a/Documentation/op-guide/configuration.md b/Documentation/op-guide/configuration.md
@@ -2,9 +2,9 @@
 
 etcd is configurable through command-line flags and environment variables. Options set on the command line take precedence over those from the environment.
 
-The format of environment variable for flag `--my-flag` is `ETCD_MY_FLAG`. It applies to all  flags.
+The format of environment variable for flag `--my-flag` is `ETCD_MY_FLAG`. It applies to all flags.
 
-The [official etcd ports][iana-ports] are 2379 for client requests, and 2380 for peer communication. Some legacy code and documentation still references ports 4001 and 7001, but all new etcd use and discussion should adopt the assigned ports.
+The [official etcd ports][iana-ports] are 2379 for client requests and 2380 for peer communication. The etcd ports can be set to accept TLS traffic, non-TLS traffic, or both TLS and non-TLS traffic.
 
 To start etcd automatically using custom settings at startup in Linux, using a [systemd][systemd-intro] unit is highly recommended.
 
@@ -16,7 +16,7 @@ To start etcd automatically using custom settings at startup in Linux, using a [
 + Human-readable name for this member.
 + default: "default"
 + env variable: ETCD_NAME
-+ This value is referenced as this node's own entries listed in the `--initial-cluster` flag (Ex: `default=http://localhost:2380` or `default=http://localhost:2380,default=http://localhost:7001`). This needs to match the key used in the flag if you're using [static bootstrapping][build-cluster]. When using discovery, each member must have a unique name. `Hostname` or `machine-id` can be a good choice.
++ This value is referenced as this node's own entries listed in the `--initial-cluster` flag (e.g., `default=http://localhost:2380`). This needs to match the key used in the flag if you're using [static bootstrapping][build-cluster]. When using discovery, each member must have a unique name. `Hostname` or `machine-id` can be a good choice.
 
 ### --data-dir
 + Path to the data directory.
@@ -45,14 +45,14 @@ To start etcd automatically using custom settings at startup in Linux, using a [
 
 ### --listen-peer-urls
 + List of URLs to listen on for peer traffic. This flag tells the etcd to accept incoming requests from its peers on the specified scheme://IP:port combinations. Scheme can be either http or https.If 0.0.0.0 is specified as the IP, etcd listens to the given port on all interfaces. If an IP address is given as well as a port, etcd will listen on the given port and interface. Multiple URLs may be used to specify a number of addresses and ports to listen on. The etcd will respond to requests from any of the listed addresses and ports.
-+ default: "http://localhost:2380,http://localhost:7001"
++ default: "http://localhost:2380"
 + env variable: ETCD_LISTEN_PEER_URLS
 + example: "http://10.0.0.1:2380"
 + invalid example: "http://example.com:2380" (domain name is invalid for binding)
 
 ### --listen-client-urls
 + List of URLs to listen on for client traffic. This flag tells the etcd to accept incoming requests from the clients on the specified scheme://IP:port combinations. Scheme can be either http or https. If 0.0.0.0 is specified as the IP, etcd listens to the given port on all interfaces. If an IP address is given as well as a port, etcd will listen on the given port and interface. Multiple URLs may be used to specify a number of addresses and ports to listen on. The etcd will respond to requests from any of the listed addresses and ports.
-+ default: "http://localhost:2379,http://localhost:4001"
++ default: "http://localhost:2379"
 + env variable: ETCD_LISTEN_CLIENT_URLS
 + example: "http://10.0.0.1:2379"
 + invalid example: "http://example.com:2379" (domain name is invalid for binding)
@@ -83,13 +83,13 @@ To start etcd automatically using custom settings at startup in Linux, using a [
 ### --initial-advertise-peer-urls
 
 + List of this member's peer URLs to advertise to the rest of the cluster. These addresses are used for communicating etcd data around the cluster. At least one must be routable to all cluster members. These URLs can contain domain names.
-+ default: "http://localhost:2380,http://localhost:7001"
++ default: "http://localhost:2380"
 + env variable: ETCD_INITIAL_ADVERTISE_PEER_URLS
 + example: "http://example.com:2380, http://10.0.0.1:2380"
 
 ### --initial-cluster
 + Initial cluster configuration for bootstrapping.
-+ default: "default=http://localhost:2380,default=http://localhost:7001"
++ default: "default=http://localhost:2380"
 + env variable: ETCD_INITIAL_CLUSTER
 + The key is the value of the `--name` flag for each node provided. The default uses `default` for the key because this is the default for the `--name` flag.
 
@@ -107,7 +107,7 @@ To start etcd automatically using custom settings at startup in Linux, using a [
 
 ### --advertise-client-urls
 + List of this member's client URLs to advertise to the rest of the cluster. These URLs can contain domain names.
-+ default: "http://localhost:2379,http://localhost:4001"
++ default: "http://localhost:2379"
 + env variable: ETCD_ADVERTISE_CLIENT_URLS
 + example: "http://example.com:2379, http://10.0.0.1:2379"
 + Be careful if you are advertising URLs such as http://localhost:2379 from a cluster member and are using the proxy feature of etcd. This will cause loops, because the proxy will be forwarding requests to itself until its resources (memory, file descriptors) are eventually depleted.

diff --git a/Documentation/op-guide/security.md b/Documentation/op-guide/security.md
@@ -1,6 +1,6 @@
 # Security Model
 
-etcd supports SSL/TLS as well as authentication through client certificates, both for clients to server as well as peer (server to server / cluster) communication.
+etcd supports automatic TLS as well as authentication through client certificates for both clients to server as well as peer (server to server / cluster) communication.
 
 To get up and running you first need to have a CA certificate and a signed key pair for one member. It is recommended to create and sign a new key pair for every member in a cluster.
 
@@ -52,7 +52,7 @@ This should start up fine and you can now test the configuration by speaking HTT
 $ curl --cacert /path/to/ca.crt https://127.0.0.1:2379/v2/keys/foo -XPUT -d value=bar -v
 ```
 
-You should be able to see the handshake succeed. Because we use self-signed certificates with our own certificate authorities you need to provide the CA to curl using the `--cacert` option. Another possibility would be to add your CA certificate to the trusted certificates on your system (usually in `/etc/ssl/certs`).
+You should be able to see the handshake succeed. Because we use self-signed certificates with our own certificate authorities you need to provide the CA to curl using the `--cacert` option. Another possibility would be to add your CA certificate to the trusted certificates on your system (usually in `/etc/pki/tls/certs` or `/etc/ssl/certs`).
 
 **OSX 10.9+ Users**: curl 7.30.0 on OSX 10.9+ doesn't understand certificates passed in on the command line.
 Instead you must import the dummy ca.crt directly into the keychain or add the `-k` flag to curl to ignore errors.
@@ -153,14 +153,7 @@ When client authentication is enabled for an etcd member, the administrator must
 
 ## Frequently Asked Questions
 
-### My cluster is not working with peer tls configuration?
-
-The internal protocol of etcd v2.0.x uses a lot of short-lived HTTP connections.
-So, when enabling TLS you may need to increase the heartbeat interval and election timeouts to reduce internal cluster connection churn.
-A reasonable place to start are these values: ` --heartbeat-interval 500 --election-timeout 2500`.
-These issues are resolved in the etcd v2.1.x series of releases which uses fewer connections.
-
-### I'm seeing a SSLv3 alert handshake failure when using SSL client authentication?
+### I'm seeing a SSLv3 alert handshake failure when using TLS client authentication?
 
 The `crypto/tls` package of `golang` checks the key usage of the certificate public key before using it.
 To use the certificate public key to do client auth, we need to add `clientAuth` to `Extended Key Usage` when creating the certificate public key.

diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@
 etcd is a distributed, consistent key-value store for shared configuration and service discovery, with a focus on being:
 
 * *Simple*: well-defined, user-facing API (gRPC)
-* *Secure*: optional SSL client cert authentication
+* *Secure*: automatic TLS with optional client cert authentication
 * *Fast*: benchmarked 1000s of writes/s per instance
 * *Reliable*: properly distributed using Raft
 

diff --git a/etcdctl/README.md b/etcdctl/README.md
@@ -30,12 +30,12 @@ You can also build etcdctl from source using the build script found in the paren
 
 ### --peers
 + a comma-delimited list of machine addresses in the cluster
-+ default: `"http://127.0.0.1:4001,http://127.0.0.1:2379"`
++ default: `"http://127.0.0.1:2379"`
 + env variable: ETCDCTL_PEERS
 
 ### --endpoint
 + a comma-delimited list of machine addresses in the cluster
-+ default: `"http://127.0.0.1:4001,http://127.0.0.1:2379"`
++ default: `"http://127.0.0.1:2379"`
 + env variable: ETCDCTL_ENDPOINT
 + Without `--no-sync` flag, this will be overwritten by etcd cluster when it does internal sync.