etcd 3 — CNCF distributed key-value store on Ubuntu 24.04 LTS by cloudimg. Bundled etcdkeeper web UI behind nginx basic-auth on port 80. Single-node Raft. RBAC enabled at first boot, per-VM passwords. Apache 2.0 licensed.
## etcd 3 on Ubuntu 24.04 by cloudimg
etcd is the CNCF-graduated, strongly consistent, distributed key-value store that powers Kubernetes, CoreOS, OpenStack, Rook, and most modern cloud-native control planes. Built around the Raft consensus algorithm, etcd guarantees that every write is durably committed to a quorum of replicas before acknowledgement, making it the canonical choice for the parts of distributed systems that absolutely cannot lose data — service discovery, leader election, distributed locking, feature flags, and shared application configuration.
The cloudimg image installs etcd 3.6.11 OSS (Apache 2.0) directly from the official etcd-io GitHub release tarball — Ubuntu noble main only ships etcd-server 3.4.x which is too old to be useful. The `etcd` and `etcdctl` binaries are placed in /usr/local/bin so they are on every customer's PATH out of the box. The cloudimg image runs in single-node mode by design (one etcd process, one Raft leader, one VM); customers who want a 3-node or 5-node Raft cluster can join additional cloudimg etcd VMs as peers using the steps documented in the user guide.
### Why Choose cloudimg?
* 24/7 Expert Support: guaranteed 24 hour response. support@cloudimg.co.uk
* Production Ready from Launch: pre-configured, security-patched, validated
* Azure Native Integration: Azure Linux Agent, cloud-init, Gen2 Hyper-V, TrustedLaunch
* RBAC enabled at first boot: every customer VM rotates a unique root password and a unique cloudimg user password, then runs `etcdctl auth enable` before the validate stage exits. No two VMs ever share an etcd password, and port 2379 is never an unauthenticated remote key-value store.
* Peer port stays loopback: `--listen-peer-urls` is hard-coded to http://127.0.0.1:2380. Single-node deployments never need peer traffic on the network, and exposing 2380 to the internet is a CVE-class mistake.
* Bundled etcdkeeper web UI: every cloudimg etcd VM ships with the open-source etcdkeeper browser UI (evildecay/etcdkeeper, MIT) sitting behind nginx HTTP basic-auth on port 80. Customers point a browser at http://
### What is Included
* etcd 3.6.11 OSS from the official etcd-io GitHub release (Apache 2.0, CNCF graduated)
* etcd and etcdctl binaries at /usr/local/bin (on PATH for every user)
* etcd.service systemd unit running as the etcd system user with EnvironmentFile=/etc/etcd/etcd.conf
* etcd-firstboot.service oneshot resolving Azure IMDS for advertise URL + rotating per-VM passwords
* etcd-postboot.service oneshot enabling RBAC, creating the cloudimg user/role, and self-disabling
* etcdkeeper.service running the etcdkeeper web UI on 127.0.0.1:8080 (-auth flag enabled)
* nginx.service reverse-proxy on :80 with HTTP basic-auth (auth_basic_user_file /etc/nginx/etcdkeeper.htpasswd) — htpasswd is regenerated at firstboot from ETCD_PASSWORD so the customer logs in as cloudimg /
* /var/lib/etcd as the data directory (mnesia-equivalent for etcd)
* Pre-wired cloudimg user with the cloudimg-rw role granting readwrite on the / prefix — customers `etcdctl --user=cloudimg:$ETCD_PASSWORD put /key value` from launch
* /health endpoint reachable anonymously (Kubernetes liveness/readiness probe surface); every KV operation must authenticate with --user
* Ubuntu 24.04 LTS base with latest security patches applied at build time
* 24/7 cloudimg support with guaranteed 24 hour response SLA
### Use Cases
* Service discovery — every service registers its host:port on a known prefix and watches for changes
* Distributed configuration — applications watch /config/
* Leader election — the canonical Raft-backed primitive for picking one active replica out of N
* Feature flags — a centralised flag store with watch semantics for instant fan-out to every consumer
* Distributed locks — short-lived leases on a key act as fencing tokens for critical sections
* Kubernetes control-plane backing store — the canonical etcd use case (cloudimg is the right choice for self-hosted K8s, kops clusters, kubeadm bootstraps, and air-gapped K8s)
* Shared coordination state for CoreOS, OpenStack, Rook, Calico, Cilium, and other cloud-native control planes
### Technical Specifications
* Operating System: Ubuntu 24.04 LTS (Noble Numbat)
* etcd Version: 3.6.11 OSS (latest stable on the etcd v3 line)
* Client Port: 2379 (HTTP, all interfaces — security via RBAC + NSG)
* Peer Port: 2380 (HTTP, loopback only — single-node deployment)
* Data Directory: /var/lib/etcd (owned by etcd:etcd)
* RBAC: enabled at first boot via etcdctl auth enable; cloudimg user has readwrite on /
* Default User: azureuser (sudo enabled, OS); cloudimg (etcd RBAC user); root (etcd RBAC, emergency only)
* Service Management: systemd (etcd.service, etcd-firstboot.service, etcd-postboot.service)
* Recommended Size: Standard_B2s (2 vCPU, 4 GB) for dev/test; Standard_D2s_v5 or D4s_v5 for production
* VM Generation: Hyper-V Gen2 with UEFI boot
### Notes on Single-Node Mode and Cluster Setup
The cloudimg image ships single-node etcd because a single-VM Marketplace image cannot meaningfully bootstrap a multi-VM Raft cluster at deploy time — the peers do not exist yet. For a 3-node or 5-node production cluster, deploy three or five cloudimg etcd VMs and follow the user guide section on `etcdctl member add` to join peers. When peers are added, the operator must rewrite --listen-peer-urls to bind the VM's private NIC IP and lock the NSG inbound rule for 2380 to the cluster's own VNet only — never the public internet.
### Notes on TLS and Hardening
The cloudimg image listens HTTP on 2379 by default — TLS is intentionally left to the operator so customers can use their existing PKI. For TLS, generate a server cert signed by your internal CA, drop the cert + key + CA into /etc/etcd/, and edit /etc/etcd/etcd.conf to set ETCD_CERT_FILE / ETCD_KEY_FILE / ETCD_TRUSTED_CA_FILE plus rewrite the URLs to https://. Restart etcd.service. The user guide documents the full set of TLS env vars.
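An operator can check an etcd.conf against the two notes above (TLS on the client port, peer listener binding) before restarting etcd.service. The script below is an added example, not cloudimg tooling: the finding labels, sample file contents and certificate file names are constructed, and it assumes the config uses etcd's standard `ETCD_LISTEN_CLIENT_URLS`, `ETCD_ADVERTISE_CLIENT_URLS` and `ETCD_LISTEN_PEER_URLS` variables alongside the three TLS variables named above.

```shell
# Added example: audit an etcd EnvironmentFile for plaintext client URLs,
# unset TLS variables and a peer listener bound off loopback.
conf_get() {  # usage: conf_get FILE KEY -> value of the last KEY= assignment
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

audit_etcd_conf() {  # usage: audit_etcd_conf FILE -> one finding per line
  local f=$1 key url
  # Client URLs: http:// off loopback carries RBAC passwords and data in clear.
  for key in ETCD_LISTEN_CLIENT_URLS ETCD_ADVERTISE_CLIENT_URLS; do
    for url in $(conf_get "$f" "$key" | tr ',' ' '); do
      case $url in
        http://127.0.0.1:*|http://localhost:*) ;;
        http://*) echo "PLAINTEXT_CLIENT $key=$url" ;;
      esac
    done
  done
  # The three TLS variables the hardening note says to set.
  for key in ETCD_CERT_FILE ETCD_KEY_FILE ETCD_TRUSTED_CA_FILE; do
    [ -n "$(conf_get "$f" "$key")" ] || echo "MISSING $key"
  done
  # Peer listener off loopback: the NSG rule for 2380 must be VNet-only.
  for url in $(conf_get "$f" ETCD_LISTEN_PEER_URLS | tr ',' ' '); do
    case $url in
      http://127.0.0.1:*|https://127.0.0.1:*) ;;
      *) echo "PEER_NOT_LOOPBACK ETCD_LISTEN_PEER_URLS=$url" ;;
    esac
  done
}

# Constructed samples (not the image's real file): default-style and TLS + cluster.
write_samples() {  # usage: write_samples DIR
  cat > "$1/default.conf" <<'EOF'
ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
ETCD_ADVERTISE_CLIENT_URLS=http://10.0.0.4:2379
ETCD_LISTEN_PEER_URLS=http://127.0.0.1:2380
EOF
  cat > "$1/tls.conf" <<'EOF'
ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
ETCD_ADVERTISE_CLIENT_URLS=https://10.0.0.4:2379
ETCD_LISTEN_PEER_URLS=http://10.0.0.4:2380
ETCD_CERT_FILE=/etc/etcd/server.crt
ETCD_KEY_FILE=/etc/etcd/server.key
ETCD_TRUSTED_CA_FILE=/etc/etcd/ca.crt
EOF
}

d=$(mktemp -d); write_samples "$d"
for f in "$d"/*.conf; do echo "== ${f##*/}"; audit_etcd_conf "$f"; done
```

On the image itself, point `audit_etcd_conf` at /etc/etcd/etcd.conf; a `PEER_NOT_LOOPBACK` finding is expected on a multi-node cluster and is a prompt to confirm the NSG rule, not an error in the config.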
### Support
cloudimg provides 24/7/365 expert technical support. Contact support@cloudimg.co.uk or visit www.cloudimg.co.uk for the latest documentation and deployment guides.
etcd and the etcd logo are trademarks of The Linux Foundation. This image is a repackaged upstream distribution provided by cloudimg. Additional charges apply for build, maintenance, and 24/7 support.