0. Environment
etcd v3.5.1
centos 7.9
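etcd can be configured through environment variables or through command-line flags; flags override environment variables.
All environment variables start with ETCD_.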
1. etcdctl operations
help
NAME:
etcdctl - A simple command line client for etcd3.
USAGE:
etcdctl [flags]
VERSION:
3.5.1
API VERSION:
3.5
COMMANDS:
alarm disarm Disarms all alarms
alarm list Lists all alarms
auth disable Disables authentication
auth enable Enables authentication
auth status Returns authentication status
check datascale Check the memory usage of holding data for different workloads on a given server endpoint.
check perf Check the performance of the etcd cluster
compaction Compacts the event history in etcd
defrag Defragments the storage of the etcd members with given endpoints
del Removes the specified key or range of keys [key, range_end)
elect Observes and participates in leader election
endpoint hashkv Prints the KV history hash for each endpoint in --endpoints
endpoint health Checks the healthiness of endpoints specified in `--endpoints` flag
endpoint status Prints out the status of endpoints specified in `--endpoints` flag
get Gets the key or a range of keys
help Help about any command
lease grant Creates leases
lease keep-alive Keeps leases alive (renew)
lease list List all active leases
lease revoke Revokes leases
lease timetolive Get lease information
lock Acquires a named lock
make-mirror Makes a mirror at the destination etcd cluster
member add Adds a member into the cluster
member list Lists all members in the cluster
member promote Promotes a non-voting member in the cluster
member remove Removes a member from the cluster
member update Updates a member in the cluster
move-leader Transfers leadership to another etcd cluster member.
put Puts the given key into the store
role add Adds a new role
role delete Deletes a role
role get Gets detailed information of a role
role grant-permission Grants a key to a role
role list Lists all roles
role revoke-permission Revokes a key from a role
snapshot restore Restores an etcd member snapshot to an etcd directory
snapshot save Stores an etcd node backend snapshot to a given file
snapshot status [deprecated] Gets backend snapshot status of a given file
txn Txn processes all the requests in one transaction
user add Adds a new user
user delete Deletes a user
user get Gets detailed information of a user
user grant-role Grants a role to a user
user list Lists all users
user passwd Changes password of user
user revoke-role Revokes a role from a user
version Prints the version of etcdctl
watch Watches events stream on keys or prefixes
OPTIONS:
--cacert="" verify certificates of TLS-enabled secure servers using this CA bundle
--cert="" identify secure client using this TLS certificate file
--command-timeout=5s timeout for short running command (excluding dial timeout)
--debug[=false] enable client-side debug logging
--dial-timeout=2s dial timeout for client connections
-d, --discovery-srv="" domain name to query for SRV records describing cluster endpoints
--discovery-srv-name="" service name to query when using DNS discovery
--endpoints=[127.0.0.1:2379] gRPC endpoints
-h, --help[=false] help for etcdctl
--hex[=false] print byte strings as hex encoded strings
--insecure-discovery[=true] accept insecure SRV records describing cluster endpoints
--insecure-skip-tls-verify[=false] skip server certificate verification (CAUTION: this option should be enabled only for testing purposes)
--insecure-transport[=true] disable transport security for client connections
--keepalive-time=2s keepalive time for client connections
--keepalive-timeout=6s keepalive timeout for client connections
--key="" identify secure client using this TLS key file
--password="" password for authentication (if this option is used, --user option shouldn't include password)
--user="" username[:password] for authentication (prompt if password is not supplied)
-w, --write-out="simple" set the output format (fields, json, protobuf, simple, table)
Set the API version
Set an environment variable to choose the API version that etcdctl uses
export ETCDCTL_API=3
List all keys
/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.58:2379" \
get / --prefix --keys-only
Take a snapshot
/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.58:2379" \
snapshot save snp.db
Restore
Stop kube-apiserver and etcd
a. Cluster deployed from binaries
systemctl stop kube-apiserver
systemctl stop etcd
b. Cluster created with kubeadm
If the cluster was started by kubeadm, rename the manifests directory
mv /etc/kubernetes/manifests /etc/kubernetes/manifests.bak
docker ps|grep etcd && docker ps|grep kube-apiserver
docker stop etcd && docker stop kube-apiserver
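Restore the etcd data
Note: run the restore on every node. It both restores the data and rebuilds the member's identity; fill in the command-line flags to match /opt/etcd/cfg/etcd.conf.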
rm -rf /var/lib/etcd/default.etcd/
/opt/etcd/bin/etcdctl \
--name etcd-1 \
--initial-cluster="etcd-1=https://192.168.0.58:2380" \
--initial-advertise-peer-urls="https://192.168.0.58:2380" \
--data-dir=/var/lib/etcd/default.etcd \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.58:2379" \
snapshot restore snp.db
Start kube-apiserver and etcd again
a. Cluster deployed from binaries
systemctl start etcd
systemctl start kube-apiserver
b. Cluster created with kubeadm
mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests
Stop services
systemctl stop etcd
systemctl stop kube-apiserver
systemctl stop kube-controller-manager.service
systemctl stop kube-proxy.service
systemctl stop kube-scheduler.service
systemctl stop kubelet.service
systemctl disable etcd
systemctl disable kube-apiserver
systemctl disable kube-controller-manager.service
systemctl disable kube-proxy.service
systemctl disable kube-scheduler.service
systemctl disable kubelet.service
Add a new node
/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.58:2379" \
member add etcd-2 --peer-urls="https://192.168.0.58:3380"
Certificates
/k8s_install/ssl/etcd.pem
/k8s_install/ssl/etcd-key.pem
conf file
/opt/etcd/cfg/etcd.conf
cat >/opt/etcd/cfg/etcd.conf<< EOF
#[Member]
# keep comments on their own lines; systemd's EnvironmentFile= does not strip trailing comments
# must be unique
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://192.168.0.58:2380"
# this host's IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.58:2379"
#[Clustering]
# this host's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.58:2380"
# this host's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.58:2379"
EOF
Changes on the existing node
cat >/opt/etcd/cfg/etcd-2.conf<< EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://192.168.0.58:2380"
# this host's IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.58:2379"
#[Clustering]
# this host's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.58:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.58:2380,etcd-2=https://192.168.0.57:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"
EOF
New node configuration
cat >/opt/etcd/cfg/etcd-2.conf<< EOF
#[Member]
ETCD_NAME="etcd-2"
ETCD_DATA_DIR="/var/lib/etcd/etcd-2.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://192.168.0.58:2380"
# this host's IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.58:2379"
#[Clustering]
# this host's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.58:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.58:2380,etcd-2=https://192.168.0.58:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"
EOF
Running from the command line
#/opt/etcd/cfg/etcd.conf
IP=192.168.0.56
NAME="etcd-1"
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
# must be unique
ETCD_NAME="$NAME"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://$IP:2380"
# this host's IP
ETCD_LISTEN_CLIENT_URLS="https://$IP:2379"
#[Clustering]
# this host's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$IP:2380"
# this host's IP
ETCD_ADVERTISE_CLIENT_URLS="https://$IP:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.56:2380,etcd-2=https://192.168.0.57:2380,etcd-3=https://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="existing"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#/opt/etcd/cfg/etcd.conf
/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
etcd2
IP=192.168.0.57
NAME="etcd-2"
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
# must be unique
ETCD_NAME="$NAME"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://$IP:2380"
# this host's IP
ETCD_LISTEN_CLIENT_URLS="https://$IP:2379"
#[Clustering]
# this host's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$IP:2380"
# this host's IP
ETCD_ADVERTISE_CLIENT_URLS="https://$IP:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.56:2380,etcd-2=https://192.168.0.57:2380,etcd-3=https://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="existing"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#/opt/etcd/cfg/etcd.conf
/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
etcd3
IP=192.168.0.58
NAME="etcd-3"
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
# must be unique
ETCD_NAME="$NAME"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://$IP:2380"
# this host's IP
ETCD_LISTEN_CLIENT_URLS="https://$IP:2379"
#[Clustering]
# this host's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$IP:2380"
# this host's IP
ETCD_ADVERTISE_CLIENT_URLS="https://$IP:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.56:2380,etcd-2=https://192.168.0.57:2380,etcd-3=https://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="existing"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#/opt/etcd/cfg/etcd.conf
/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
systemctl stop etcd
rm -rf /var/lib/etcd/
systemctl daemon-reload
systemctl start etcd
Check status
/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem --endpoints="https://192.168.0.56:2379,https://192.168.0.57:2379,https://192.168.0.58:2379" endpoint health
/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem --endpoints="https://192.168.0.56:2379,https://192.168.0.57:2379,https://192.168.0.58:2379" endpoint status
/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem --endpoints="https://192.168.0.56:2379,https://192.168.0.57:2379,https://192.168.0.58:2379" member list -w table
2. Building an etcd cluster
etcd.conf configuration
etcd01
mkdir -p /opt/etcd/{cfg,bin,data,ssl}
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
#1. Member name; must be unique
ETCD_NAME="etcd01"
#2. Directory where the data is stored
ETCD_DATA_DIR="/opt/etcd/data"
#3. URL to listen on for traffic from other etcd members
ETCD_LISTEN_PEER_URLS="http://192.168.0.56:2380"
#4. URL on which this node serves client requests
ETCD_LISTEN_CLIENT_URLS="http://192.168.0.56:2379"
#[Clustering]
#5. Client URL of this node that is advertised to clients
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.0.56:2379"
#6. Peer URL of this member, advertised to the other members of the cluster
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.0.56:2380"
#7. All members of the cluster
ETCD_INITIAL_CLUSTER="etcd01=http://192.168.0.56:2380,etcd02=http://192.168.0.57:2380,etcd03=http://192.168.0.58:2380"
#8. Token used when creating the cluster; keep it unique per cluster
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#9. Initial cluster state; use new when creating a new cluster
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
etcd02
mkdir -p /opt/etcd/{cfg,bin,data,ssl}
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
#1. Member name; must be unique
ETCD_NAME="etcd02"
#2. Directory where the data is stored
ETCD_DATA_DIR="/opt/etcd/data"
#3. URL to listen on for traffic from other etcd members
ETCD_LISTEN_PEER_URLS="http://192.168.0.57:2380"
#4. URL on which this node serves client requests
ETCD_LISTEN_CLIENT_URLS="http://192.168.0.57:2379"
#[Clustering]
#5. Client URL of this node that is advertised to clients
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.0.57:2379"
#6. Peer URL of this member, advertised to the other members of the cluster
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.0.57:2380"
#7. All members of the cluster
ETCD_INITIAL_CLUSTER="etcd01=http://192.168.0.56:2380,etcd02=http://192.168.0.57:2380,etcd03=http://192.168.0.58:2380"
#8. Token used when creating the cluster; keep it unique per cluster
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#9. Initial cluster state; use new when creating a new cluster
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
etcd03
mkdir -p /opt/etcd/{cfg,bin,data,ssl}
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
#1. Member name; must be unique
ETCD_NAME="etcd03"
#2. Directory where the data is stored
ETCD_DATA_DIR="/opt/etcd/data"
#3. URL to listen on for traffic from other etcd members
ETCD_LISTEN_PEER_URLS="http://192.168.0.58:2380"
#4. URL on which this node serves client requests
ETCD_LISTEN_CLIENT_URLS="http://192.168.0.58:2379"
#[Clustering]
#5. Client URL of this node that is advertised to clients
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.0.58:2379"
#6. Peer URL of this member, advertised to the other members of the cluster
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.0.58:2380"
#7. All members of the cluster
ETCD_INITIAL_CLUSTER="etcd01=http://192.168.0.56:2380,etcd02=http://192.168.0.57:2380,etcd03=http://192.168.0.58:2380"
#8. Token used when creating the cluster; keep it unique per cluster
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#9. Initial cluster state; use new when creating a new cluster
ETCD_INITIAL_CLUSTER_STATE="new"
#ETCD_INITIAL_CLUSTER_STATE="existing"
EOF
Configure systemd and firewalld
The configuration is the same on etcd01, etcd02 and etcd03
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
firewall-cmd --zone=public --add-port=2379/tcp --permanent
firewall-cmd --zone=public --add-port=2380/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-port
Start
# enable at boot
systemctl daemon-reload
systemctl enable etcd
# start
cd /opt/etcd/data && rm -rf *
systemctl start etcd
Check status, stop, restart
systemctl status etcd
systemctl stop etcd
systemctl restart etcd
Once the cluster has been initialized, it is best to change /opt/etcd/cfg/etcd.conf to ETCD_INITIAL_CLUSTER_STATE="existing"
etcdctl tool
Check endpoint health
/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 endpoint health
List the members
/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 member list -w table
Remove a member (removal requires the member ID)
/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 member remove cc04313116ad7afa
Add a member (requires the member name plus peer URLs; --peer-urls= gives the member's peer address)
/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 member add etcd03 --peer-urls=http://192.168.0.58:2380
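etcdctl with certificates
# common prefix
ETCDCTL="/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints=https://192.168.0.56:2379"
# list the members
$ETCDCTL member list -w table
# check endpoint health
$ETCDCTL endpoint health
# remove a member (removal requires the member ID)
$ETCDCTL member remove cc04313116ad7afa
Add a member (requires the member name plus peer URLs; --peer-urls= gives the member's peer address)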
/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints=https://192.168.0.56:2379 \
member add etcd04 --peer-urls=https://192.168.0.58:2380
Add a member (without certificates, http)
1. First add the member to the cluster with etcdctl
/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 member add etcd04 --peer-urls=http://192.168.0.59:2380
2. In /opt/etcd/cfg/etcd.conf, set
ETCD_INITIAL_CLUSTER_STATE="existing"
3. Add the new member's entry to /opt/etcd/cfg/etcd.conf on the cluster nodes
ETCD_INITIAL_CLUSTER="etcd01=http://192.168.0.56:2380,etcd02=http://192.168.0.57:2380,etcd03=http://192.168.0.58:2380,etcd04=http://192.168.0.59:2380"
Add a member with certificates (https)
On the existing nodes, add the new member's entry and change the cluster state to "existing"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.0.56:2380,etcd02=https://192.168.0.57:2380,etcd03=https://192.168.0.58:2380,etcd04=https://192.168.0.59:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"
Add the member with etcdctl
/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints=https://192.168.0.57:2379 \
member add etcd04 --peer-urls="https://192.168.0.59:2380"
Restart the existing nodes
systemctl restart etcd
Start the new node (its data directory must be deleted first so that it joins as an empty member)
rm -rf /opt/etcd/data/*
systemctl start etcd
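After a member has been added or removed as above, the live member list can be compared with the ETCD_INITIAL_CLUSTER that the nodes are configured with. The script below is an added example, not part of the original notes or of etcdctl: audit_members and write_member_samples are hypothetical helpers, and the member IDs, etcd09 and 192.168.0.60 are constructed sample values in the default output format of "etcdctl member list".

```shell
#!/bin/sh
# Added example; audit_members is a hypothetical helper, not part of etcdctl.
# Input format is etcdctl's default "simple" member list output:
# ID, status, name, peer URLs, client URLs, is-learner

# audit_members ETCD_CONF MEMBER_LIST_FILE
# Prints one finding per line; returns 1 if anything was found.
audit_members() {
    want=$(sed -n 's/^ETCD_INITIAL_CLUSTER="\([^"]*\)".*/\1/p' "$1")
    found=$(awk -F', ' -v want="$want" '
        BEGIN {
            n = split(want, e, ",")
            for (i = 1; i <= n; i++) { split(e[i], kv, "="); peer_of[kv[1]] = kv[2] }
        }
        {
            id = $1; status = $2; name = $3; peer = $4
            if (status != "started")        print "NOT_STARTED", id, peer
            else if (!(name in peer_of))    print "UNEXPECTED", id, name, peer
            else if (peer_of[name] != peer) print "PEER_URL_DIFFERS", name, peer
            if (peer !~ /^https:\/\//)      print "PLAINTEXT_PEER", id, peer
            seen[name] = 1
        }
        END { for (m in peer_of) if (!(m in seen)) print "MISSING", m }
    ' "$2" | LC_ALL=C sort)
    [ -z "$found" ] && return 0
    echo "$found"
    return 1
}

# write_member_samples DIR: constructed sample inputs (IDs are made up).
write_member_samples() {
    cat > "$1/etcd.conf" <<'EOF'
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.0.56:2380,etcd02=https://192.168.0.57:2380,etcd03=https://192.168.0.58:2380"
EOF
    cat > "$1/members.txt" <<'EOF'
1a2b3c4d5e6f7081, started, etcd01, https://192.168.0.56:2380, https://192.168.0.56:2379, false
2b3c4d5e6f708192, started, etcd02, https://192.168.0.57:2380, https://192.168.0.57:2379, false
3c4d5e6f708192a3, started, etcd09, http://192.168.0.60:2380, http://192.168.0.60:2379, false
4d5e6f708192a3b4, unstarted, , https://192.168.0.59:2380, , false
EOF
}

tmp=$(mktemp -d)
write_member_samples "$tmp"
audit_members "$tmp/etcd.conf" "$tmp/members.txt" || echo "member list differs from ETCD_INITIAL_CLUSTER"
rm -rf "$tmp"
```

On a real node, save the output of the "member list" command shown earlier to a file and pass it as the second argument.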
Certificate configuration
Generate the CA certificate
mkdir -p ~/ssl
cd ~/ssl
cat >ca-csr.json<<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.0.56",
"192.168.0.57",
"192.168.0.58",
"192.168.0.59"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cat >ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
Generate the etcd certificate
cat >etcd-csr.json<<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.0.56",
"192.168.0.57",
"192.168.0.58",
"192.168.0.59"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
# copy the generated certificates to the etcd certificate path
mkdir -p /opt/etcd/ssl/
scp ./*.pem /opt/etcd/ssl/
ls /opt/etcd/ssl/
#ca-key.pem ca.pem etcd-key.pem etcd.pem
conf file configuration
In /opt/etcd/cfg/etcd.conf, replace http with https
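Before restarting etcd with TLS, it is worth checking that no URL in etcd.conf is still http and that every address peers and clients will dial appears in the "hosts" list of etcd-csr.json, since those entries become the certificate's subject alternative names. The script below is an added example, not part of the original notes or of etcd/cfssl: check_tls_conf and write_tls_samples are hypothetical helpers, the sample files are constructed, and it assumes quoted ETCD_* values with IPv4 addresses or host names.

```shell
#!/bin/sh
# Added example; check_tls_conf is a hypothetical helper, not etcd or cfssl
# tooling. Assumes quoted ETCD_* values and IPv4 addresses or host names.

# check_tls_conf CSR_JSON ETCD_CONF: one finding per line, returns 1 if any.
check_tls_conf() {
    # "hosts" of the cfssl CSR: these become the certificate's SANs.
    hosts=$(tr -d ' \t\n' < "$1" |
        sed -n 's/.*"hosts":\[\([^]]*\)].*/\1/p' | tr -d '"' | tr ',' '\n')
    # Every URL found in an ETCD_* variable, as "VAR URL" lines.
    urls=$(sed -n 's/^\(ETCD_[A-Z_]*\)="\([^"]*\)".*/\1 \2/p' "$2" | awk '{
        n = split($2, u, ",")
        for (i = 1; i <= n; i++) {
            sub(/^[^=]*=/, "", u[i])   # drop the "name=" part of INITIAL_CLUSTER
            if (u[i] ~ /:\/\//) print $1, u[i]
        }
    }')
    found=$(echo "$urls" | while read -r var url; do
        [ -n "$url" ] || continue
        case $url in
            (https://*) ;;
            (*) echo "PLAINTEXT $var $url"; continue ;;
        esac
        # Listen URLs are bind addresses; only dialled addresses need a SAN.
        case $var in (*LISTEN*) continue ;; esac
        host=${url#https://}; host=${host%%[:/]*}
        echo "$hosts" | grep -Fxq -- "$host" || echo "NOT_IN_SAN $var $host"
    done | LC_ALL=C sort -u)
    [ -z "$found" ] && return 0
    echo "$found"
    return 1
}

# write_tls_samples DIR: constructed inputs modelled on this page's files.
write_tls_samples() {
    cat > "$1/etcd-csr.json" <<'EOF'
{
  "CN": "etcd",
  "hosts": [ "127.0.0.1", "192.168.0.56", "192.168.0.57", "192.168.0.58" ],
  "key": { "algo": "rsa", "size": 2048 }
}
EOF
    cat > "$1/etcd.conf" <<'EOF'
ETCD_NAME="etcd04"
ETCD_LISTEN_CLIENT_URLS="http://192.168.0.59:2379"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.59:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.0.56:2380,etcd04=https://192.168.0.59:2380"
EOF
}

tmp=$(mktemp -d)
write_tls_samples "$tmp"
check_tls_conf "$tmp/etcd-csr.json" "$tmp/etcd.conf" || echo "fix the findings above before restarting etcd"
rm -rf "$tmp"
```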
systemd configuration
cat >/usr/lib/systemd/system/etcd.service <<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
# restore
/opt/etcd/bin/etcdctl \
--name etcd01 \
--initial-cluster="etcd01=https://192.168.0.56:2380,etcd02=https://192.168.0.57:2380,etcd03=https://192.168.0.58:2380,etcd04=https://192.168.0.59:2380" \
--initial-advertise-peer-urls="https://192.168.0.56:2380" \
--data-dir=/opt/etcd/data/default.etcd \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.56:2379" \
snapshot restore db1.db
systemctl stop etcd
rm -rf /opt/etcd/data
systemctl start etcd