etcd operations

0. Environment

etcd v3.5.1

centos 7.9

etcd can be configured either through environment variables or through command-line flags; a flag overrides the corresponding environment variable.

All environment variables start with ETCD_.

1. etcdctl operations

etcdctl help output

NAME:
        etcdctl - A simple command line client for etcd3.

USAGE:
        etcdctl [flags]

VERSION:
        3.5.1

API VERSION:
        3.5


COMMANDS:
        alarm disarm            Disarms all alarms
        alarm list              Lists all alarms
        auth disable            Disables authentication
        auth enable             Enables authentication
        auth status             Returns authentication status
        check datascale         Check the memory usage of holding data for different workloads on a given server endpoint.
        check perf              Check the performance of the etcd cluster
        compaction              Compacts the event history in etcd
        defrag                  Defragments the storage of the etcd members with given endpoints
        del                     Removes the specified key or range of keys [key, range_end)
        elect                   Observes and participates in leader election
        endpoint hashkv         Prints the KV history hash for each endpoint in --endpoints
        endpoint health         Checks the healthiness of endpoints specified in `--endpoints` flag
        endpoint status         Prints out the status of endpoints specified in `--endpoints` flag
        get                     Gets the key or a range of keys
        help                    Help about any command
        lease grant             Creates leases
        lease keep-alive        Keeps leases alive (renew)
        lease list              List all active leases
        lease revoke            Revokes leases
        lease timetolive        Get lease information
        lock                    Acquires a named lock
        make-mirror             Makes a mirror at the destination etcd cluster
        member add              Adds a member into the cluster
        member list             Lists all members in the cluster
        member promote          Promotes a non-voting member in the cluster
        member remove           Removes a member from the cluster
        member update           Updates a member in the cluster
        move-leader             Transfers leadership to another etcd cluster member.
        put                     Puts the given key into the store
        role add                Adds a new role
        role delete             Deletes a role
        role get                Gets detailed information of a role
        role grant-permission   Grants a key to a role
        role list               Lists all roles
        role revoke-permission  Revokes a key from a role
        snapshot restore        Restores an etcd member snapshot to an etcd directory
        snapshot save           Stores an etcd node backend snapshot to a given file
        snapshot status         [deprecated] Gets backend snapshot status of a given file
        txn                     Txn processes all the requests in one transaction
        user add                Adds a new user
        user delete             Deletes a user
        user get                Gets detailed information of a user
        user grant-role         Grants a role to a user
        user list               Lists all users
        user passwd             Changes password of user
        user revoke-role        Revokes a role from a user
        version                 Prints the version of etcdctl
        watch                   Watches events stream on keys or prefixes

OPTIONS:
      --cacert=""                               verify certificates of TLS-enabled secure servers using this CA bundle
      --cert=""                                 identify secure client using this TLS certificate file
      --command-timeout=5s                      timeout for short running command (excluding dial timeout)
      --debug[=false]                           enable client-side debug logging
      --dial-timeout=2s                         dial timeout for client connections
  -d, --discovery-srv=""                        domain name to query for SRV records describing cluster endpoints
      --discovery-srv-name=""                   service name to query when using DNS discovery
      --endpoints=[127.0.0.1:2379]              gRPC endpoints
  -h, --help[=false]                            help for etcdctl
      --hex[=false]                             print byte strings as hex encoded strings
      --insecure-discovery[=true]               accept insecure SRV records describing cluster endpoints
      --insecure-skip-tls-verify[=false]        skip server certificate verification (CAUTION: this option should be enabled only for testing purposes)
      --insecure-transport[=true]               disable transport security for client connections
      --keepalive-time=2s                       keepalive time for client connections
      --keepalive-timeout=6s                    keepalive timeout for client connections
      --key=""                                  identify secure client using this TLS key file
      --password=""                             password for authentication (if this option is used, --user option shouldn't include password)
      --user=""                                 username[:password] for authentication (prompt if password is not supplied)
  -w, --write-out="simple"                      set the output format (fields, json, protobuf, simple, table)

Set the API version

Set the environment variable that selects the API version etcdctl uses:

export ETCDCTL_API=3

Get all keys

/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem  \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.58:2379" \
get / --prefix --keys-only

Take a snapshot

/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem  \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.58:2379" \
snapshot save  snp.db

Restore

Stop kube-apiserver and etcd
a. Cluster created from binaries

systemctl stop kube-apiserver
systemctl stop etcd

b. Cluster created with kubeadm

If the cluster was started by kubeadm, rename the manifests folder:

mv /etc/kubernetes/manifests /etc/kubernetes/manifests.bak

docker ps|grep etcd && docker ps|grep kube-apiserver

docker stop etcd && docker stop kube-apiserver

Restore the etcd data

Note: run the restore on every node. It does two things, restoring the data and rebuilding the member's identity, so fill in the command-line flags from /opt/etcd/cfg/etcd.conf.


rm -rf /var/lib/etcd/default.etcd/
/opt/etcd/bin/etcdctl \
--name etcd-1 \
--initial-cluster="etcd-1=https://192.168.0.58:2380" \
--initial-advertise-peer-urls="https://192.168.0.58:2380" \
--data-dir=/var/lib/etcd/default.etcd  \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem  \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.58:2379" \
snapshot restore snp.db



Bring kube-apiserver and etcd back
a. Cluster created from binaries
systemctl start etcd
systemctl start kube-apiserver
b. Cluster created with kubeadm
mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests
Stop and disable the services
systemctl stop etcd
systemctl stop kube-apiserver
systemctl stop kube-controller-manager.service
systemctl stop kube-proxy.service
systemctl stop kube-scheduler.service       
systemctl stop kubelet.service 

systemctl disable etcd
systemctl disable kube-apiserver
systemctl disable kube-controller-manager.service
systemctl disable kube-proxy.service
systemctl disable kube-scheduler.service       
systemctl disable kubelet.service 
Add a new node
/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem  \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.58:2379" \
member add etcd-2 --peer-urls="https://192.168.0.58:3380"
Certificates

/k8s_install/ssl/etcd.pem

/k8s_install/ssl/etcd-key.pem

conf file

/opt/etcd/cfg/etcd.conf

cat  >/opt/etcd/cfg/etcd.conf<< EOF
# Comments go on their own line: systemd's EnvironmentFile does not strip a comment that follows a value.
#[Member]
# must be unique
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://192.168.0.58:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.58:2379"
#[Clustering]
# this host's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.58:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.58:2379"
EOF

Changes on the original node

cat  >/opt/etcd/cfg/etcd-2.conf<< EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://192.168.0.58:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.58:2379"
#[Clustering]
# this host's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.58:2379"

ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.58:2380,etcd-2=https://192.168.0.57:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"
EOF

New node configuration

cat  >/opt/etcd/cfg/etcd-2.conf<< EOF
#[Member]
ETCD_NAME="etcd-2"
ETCD_DATA_DIR="/var/lib/etcd/etcd-2.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://192.168.0.58:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.58:2379"
#[Clustering]
# this host's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.58:2379"

ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.58:2380,etcd-2=https://192.168.0.58:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"
EOF
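Hand-written member configs like the ones above are easy to get inconsistent: a member whose advertised peer URL does not match its own ETCD_INITIAL_CLUSTER entry, two members listed on one peer URL, http mixed with https, or a comment left behind a value. The following pre-flight check for an etcd.conf is added here as an example and is not part of the original post; the two sample configs it writes are constructed, and the second one deliberately contains the shared peer URL and the trailing comment.

```shell
#!/bin/sh
# Pre-flight check for an etcd.conf EnvironmentFile before the member is
# started (example code added for this post, not from the original author).
# It catches: a member whose own peer URL is missing from or differs from its
# ETCD_INITIAL_CLUSTER entry, two members sharing one peer URL, mixed
# http/https peer URLs, and a comment behind a value (systemd's
# EnvironmentFile keeps such a comment as part of the value).

conf_get() {  # conf_get FILE KEY -> value without the surrounding quotes
    sed -n "s/^$2=//p" "$1" | sed 's/^"//; s/"$//'
}

peer_urls() {  # one NAME=URL line per member from ETCD_INITIAL_CLUSTER
    conf_get "$1" ETCD_INITIAL_CLUSTER | tr ',' '\n'
}

check_etcd_conf() {  # 0 when consistent, 1 otherwise; details on stderr
    local f="$1" rc=0 name peer own dup schemes
    if grep -Eq '^[A-Z_]+=.*"[[:space:]]*#' "$f"; then
        echo "ERR: comment after a value in $f" >&2; rc=1
    fi
    name=$(conf_get "$f" ETCD_NAME)
    peer=$(conf_get "$f" ETCD_INITIAL_ADVERTISE_PEER_URLS)
    if [ -z "$name" ] || [ -z "$peer" ] || [ -z "$(peer_urls "$f")" ]; then
        echo "ERR: ETCD_NAME, ETCD_INITIAL_ADVERTISE_PEER_URLS and ETCD_INITIAL_CLUSTER are required" >&2
        return 1
    fi
    own=$(peer_urls "$f" | sed -n "s/^$name=//p")
    if [ "$own" != "$peer" ]; then
        echo "ERR: $name advertises $peer but ETCD_INITIAL_CLUSTER lists '${own:-no entry}'" >&2; rc=1
    fi
    dup=$(peer_urls "$f" | cut -d= -f2 | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "ERR: peer URL shared by more than one member: $dup" >&2; rc=1
    fi
    schemes=$(peer_urls "$f" | sed 's/^[^=]*=//; s/:.*//' | sort -u | wc -l | tr -d ' ')
    if [ "$schemes" != 1 ]; then
        echo "ERR: ETCD_INITIAL_CLUSTER mixes http and https peer URLs" >&2; rc=1
    fi
    return $rc
}

# Constructed sample files (not real hosts): a consistent 3-member conf and one
# that repeats a shared peer URL and a trailing comment.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
ETCD_NAME="etcd01"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.0.56:2380"
ETCD_INITIAL_CLUSTER="etcd01=http://192.168.0.56:2380,etcd02=http://192.168.0.57:2380,etcd03=http://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
cat > "$BAD_CONF" <<'EOF'
ETCD_NAME="etcd-2"
ETCD_LISTEN_PEER_URLS="https://192.168.0.58:2380"   # this host's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.58:2380,etcd-2=https://192.168.0.58:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"
EOF
check_etcd_conf "$GOOD_CONF" && echo "good config: OK"
check_etcd_conf "$BAD_CONF" || echo "bad config: rejected"
```

Run it as `check_etcd_conf /opt/etcd/cfg/etcd.conf` on each node before `systemctl start etcd`.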

Run from the command line

# /opt/etcd/cfg/etcd.conf
IP=192.168.0.56
NAME="etcd-1"
cat > /opt/etcd/cfg/etcd.conf  <<EOF
#[Member]
# must be unique
ETCD_NAME="$NAME"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://$IP:2380"
ETCD_LISTEN_CLIENT_URLS="https://$IP:2379"
#[Clustering]
# this host's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$IP:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$IP:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.56:2380,etcd-2=https://192.168.0.57:2380,etcd-3=https://192.168.0.58:2380"

ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="existing"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

#/opt/etcd/cfg/etcd.conf
/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap

etcd2

IP=192.168.0.57
NAME="etcd-2"
cat > /opt/etcd/cfg/etcd.conf  <<EOF
#[Member]
# must be unique
ETCD_NAME="$NAME"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://$IP:2380"
ETCD_LISTEN_CLIENT_URLS="https://$IP:2379"
#[Clustering]
# this host's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$IP:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$IP:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.56:2380,etcd-2=https://192.168.0.57:2380,etcd-3=https://192.168.0.58:2380"

ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="existing"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

#/opt/etcd/cfg/etcd.conf
/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap

etcd3

IP=192.168.0.58
NAME="etcd-3"
cat > /opt/etcd/cfg/etcd.conf  <<EOF
#[Member]
# must be unique
ETCD_NAME="$NAME"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# this host's IP
ETCD_LISTEN_PEER_URLS="https://$IP:2380"
ETCD_LISTEN_CLIENT_URLS="https://$IP:2379"
#[Clustering]
# this host's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$IP:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$IP:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.56:2380,etcd-2=https://192.168.0.57:2380,etcd-3=https://192.168.0.58:2380"

ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="existing"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

#/opt/etcd/cfg/etcd.conf
/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap

systemctl stop etcd

rm -rf /var/lib/etcd/

systemctl daemon-reload

systemctl start etcd

Check status

/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem --endpoints="https://192.168.0.56:2379,https://192.168.0.57:2379,https://192.168.0.58:2379" endpoint health

/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem --key=/opt/etcd/ssl/etcd-key.pem --endpoints="https://192.168.0.56:2379,https://192.168.0.57:2379,https://192.168.0.58:2379"  endpoint status

/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/etcd.pem  --key=/opt/etcd/ssl/etcd-key.pem  --endpoints="https://192.168.0.56:2379,https://192.168.0.57:2379,https://192.168.0.58:2379" member list -w table

2. Building an etcd cluster

etcd.conf configuration
etcd01
mkdir -p /opt/etcd/{cfg,bin,data,ssl}
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
#1. Node name, must be unique
ETCD_NAME="etcd01"

#2. Directory where data is stored
ETCD_DATA_DIR="/opt/etcd/data"

#3. URL on which to listen for other etcd members (peer traffic)
ETCD_LISTEN_PEER_URLS="http://192.168.0.56:2380"

#4. Address on which this node serves clients
ETCD_LISTEN_CLIENT_URLS="http://192.168.0.56:2379"

#[Clustering]
#5. Client URL this node advertises to the outside
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.0.56:2379"

#6. This member's peer URL, advertised to the other members of the cluster
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.0.56:2380"

#7. All members of the cluster
ETCD_INITIAL_CLUSTER="etcd01=http://192.168.0.56:2380,etcd02=http://192.168.0.57:2380,etcd03=http://192.168.0.58:2380"

#8. Token used to bootstrap the cluster; keep it unique per cluster
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

#9. Initial cluster state; "new" when bootstrapping a new cluster
ETCD_INITIAL_CLUSTER_STATE="new"

EOF

etcd02
mkdir -p /opt/etcd/{cfg,bin,data,ssl}
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
#1. Node name, must be unique
ETCD_NAME="etcd02"

#2. Directory where data is stored
ETCD_DATA_DIR="/opt/etcd/data"

#3. URL on which to listen for other etcd members (peer traffic)
ETCD_LISTEN_PEER_URLS="http://192.168.0.57:2380"

#4. Address on which this node serves clients
ETCD_LISTEN_CLIENT_URLS="http://192.168.0.57:2379"

#[Clustering]
#5. Client URL this node advertises to the outside
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.0.57:2379"

#6. This member's peer URL, advertised to the other members of the cluster
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.0.57:2380"

#7. All members of the cluster
ETCD_INITIAL_CLUSTER="etcd01=http://192.168.0.56:2380,etcd02=http://192.168.0.57:2380,etcd03=http://192.168.0.58:2380"

#8. Token used to bootstrap the cluster; keep it unique per cluster
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

#9. Initial cluster state; "new" when bootstrapping a new cluster
ETCD_INITIAL_CLUSTER_STATE="new"

EOF

etcd03
mkdir -p /opt/etcd/{cfg,bin,data,ssl}
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
#1. Node name, must be unique
ETCD_NAME="etcd03"

#2. Directory where data is stored
ETCD_DATA_DIR="/opt/etcd/data"

#3. URL on which to listen for other etcd members (peer traffic)
ETCD_LISTEN_PEER_URLS="http://192.168.0.58:2380"

#4. Address on which this node serves clients
ETCD_LISTEN_CLIENT_URLS="http://192.168.0.58:2379"

#[Clustering]
#5. Client URL this node advertises to the outside
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.0.58:2379"

#6. This member's peer URL, advertised to the other members of the cluster
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.0.58:2380"

#7. All members of the cluster
ETCD_INITIAL_CLUSTER="etcd01=http://192.168.0.56:2380,etcd02=http://192.168.0.57:2380,etcd03=http://192.168.0.58:2380"

#8. Token used to bootstrap the cluster; keep it unique per cluster
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

#9. Initial cluster state; "new" when bootstrapping a new cluster
ETCD_INITIAL_CLUSTER_STATE="new"
#ETCD_INITIAL_CLUSTER_STATE="existing"
EOF


Configure systemd and firewalld

etcd01, etcd02 and etcd03 use the same configuration

cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd 
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF

firewall-cmd --zone=public --add-port=2379/tcp --permanent
firewall-cmd --zone=public --add-port=2380/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-port
Start
# enable at boot
systemctl daemon-reload
systemctl enable etcd

# start from an empty data directory
rm -rf /opt/etcd/data/*
systemctl start etcd

Check status, stop, restart
systemctl status etcd
systemctl stop etcd
systemctl restart etcd


Once the cluster has been initialised, it is best to change /opt/etcd/cfg/etcd.conf to ETCD_INITIAL_CLUSTER_STATE="existing".
etcdctl tool
Check endpoint health
/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 endpoint health

List members
/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 member list -w table

Remove a member (requires the member ID)
/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 member remove cc04313116ad7afa

Add a member (requires the member name plus its peer URL, given with --peer-urls=)
/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 member add etcd03 --peer-urls=http://192.168.0.58:2380
etcdctl with certificates
# Common prefix: keep the TLS flags in a shell variable and reuse it for every subcommand
ETCDCTL="/opt/etcd/bin/etcdctl \
 --cacert=/opt/etcd/ssl/ca.pem \
 --cert=/opt/etcd/ssl/etcd.pem \
 --key=/opt/etcd/ssl/etcd-key.pem \
 --endpoints=https://192.168.0.56:2379"

# List members
$ETCDCTL member list -w table

# Check endpoint health
$ETCDCTL endpoint health

# Remove a member (requires the member ID)
$ETCDCTL member remove cc04313116ad7afa

# Add a member (requires the member name plus its peer URL, given with --peer-urls=)
$ETCDCTL member add etcd04 --peer-urls=https://192.168.0.58:2380
Add a node (without certificates, http)

1. First add the member to the cluster with etcdctl

/opt/etcd/bin/etcdctl --endpoints=http://192.168.0.56:2379 member add etcd04  --peer-urls=http://192.168.0.59:2380

2. In /opt/etcd/cfg/etcd.conf set

ETCD_INITIAL_CLUSTER_STATE="existing"

3. Add the new member to /opt/etcd/cfg/etcd.conf on the cluster nodes

ETCD_INITIAL_CLUSTER="etcd01=http://192.168.0.56:2380,etcd02=http://192.168.0.57:2380,etcd03=http://192.168.0.58:2380,etcd04=http://192.168.0.59:2380"
Add a node with certificates (https)

On the old nodes add the new member to the cluster list and change the cluster state to "existing"

ETCD_INITIAL_CLUSTER="etcd01=https://192.168.0.56:2380,etcd02=https://192.168.0.57:2380,etcd03=https://192.168.0.58:2380,etcd04=https://192.168.0.59:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"

Add the member with etcdctl

/opt/etcd/bin/etcdctl  \
--cacert=/opt/etcd/ssl/ca.pem  \
--cert=/opt/etcd/ssl/etcd.pem  \
--key=/opt/etcd/ssl/etcd-key.pem  \
--endpoints=https://192.168.0.57:2379  \
member add  etcd04 --peer-urls="https://192.168.0.59:2380"

Restart the old nodes

systemctl restart etcd

Start the new node (delete the new node's data directory first so that it joins as an empty member)

rm -rf  /opt/etcd/data/*

systemctl start etcd
Certificate configuration

Generate the CA certificate

mkdir -p ~/ssl
cd ~/ssl
cat >ca-csr.json<<EOF
{
    "CN": "etcd",
    "hosts": [
        "127.0.0.1",
        "192.168.0.56",
        "192.168.0.57",
        "192.168.0.58",
        "192.168.0.59"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "system"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca 

cat >ca-config.json << EOF
 
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF


Generate the etcd certificate

The hosts list must contain every address at which clients and peers reach etcd (here the node IPs used in etcd.conf), because the same certificate is used for both client and peer TLS.

cat >etcd-csr.json<<EOF
{
    "CN": "etcd",
    "hosts": [
        "127.0.0.1",
        "192.168.0.56",
        "192.168.0.57",
        "192.168.0.58",
        "192.168.0.59"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "system"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd



# copy the generated certificates into the etcd certificate directory

mkdir -p /opt/etcd/ssl/
scp ./*.pem /opt/etcd/ssl/

ls /opt/etcd/ssl/
#ca-key.pem  ca.pem  etcd-key.pem  etcd.pem

conf file configuration

Replace http with https in /opt/etcd/cfg/etcd.conf

systemd configuration

cat >/usr/lib/systemd/system/etcd.service <<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
# Restore: run on every member with that member's own --name and peer URL
systemctl stop etcd

# The restore target must not exist yet; etcd.conf uses ETCD_DATA_DIR="/opt/etcd/data"
rm -rf /opt/etcd/data

/opt/etcd/bin/etcdctl \
--name etcd01 \
--initial-cluster="etcd01=https://192.168.0.56:2380,etcd02=https://192.168.0.57:2380,etcd03=https://192.168.0.58:2380,etcd04=https://192.168.0.59:2380" \
--initial-advertise-peer-urls="https://192.168.0.56:2380" \
--data-dir=/opt/etcd/data \
--cacert=/opt/etcd/ssl/ca.pem \
--cert=/opt/etcd/ssl/etcd.pem  \
--key=/opt/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.0.56:2379" \
snapshot restore db1.db

systemctl start etcd
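The restore note in section 1 says to fill in the restore flags from /opt/etcd/cfg/etcd.conf; the script below does that mechanically, so the restored member's name, cluster list, token, peer URL and data dir cannot differ from what systemd will start. This is an added example, not part of the original post: the sample conf and snapshot file it writes are constructed placeholders, and restore_member assumes the systemd unit is called etcd as in the unit file above.

```shell
#!/bin/sh
# Build the snapshot-restore command from the member's own etcd.conf instead
# of retyping the flags by hand (example code added for this post, not from
# the original author). Name, cluster list, token, peer URL and data dir are
# read from the file systemd starts etcd with, so the restored member cannot
# drift from the running configuration. snapshot restore only rewrites the
# local data dir, so no --endpoints or client TLS flags are needed.

conf_get() {  # conf_get FILE KEY -> value without the surrounding quotes
    sed -n "s/^$2=//p" "$1" | sed 's/^"//; s/"$//'
}

restore_cmd() {  # restore_cmd CONF SNAPSHOT [ETCDCTL] -> prints the command
    local f="$1" snap="$2" bin="${3:-/opt/etcd/bin/etcdctl}"
    local name dir cluster token peer
    name=$(conf_get "$f" ETCD_NAME)
    dir=$(conf_get "$f" ETCD_DATA_DIR)
    cluster=$(conf_get "$f" ETCD_INITIAL_CLUSTER)
    token=$(conf_get "$f" ETCD_INITIAL_CLUSTER_TOKEN)
    peer=$(conf_get "$f" ETCD_INITIAL_ADVERTISE_PEER_URLS)
    if [ -z "$name" ] || [ -z "$dir" ] || [ -z "$cluster" ] || [ -z "$peer" ]; then
        echo "ERR: $f must set ETCD_NAME, ETCD_DATA_DIR, ETCD_INITIAL_CLUSTER, ETCD_INITIAL_ADVERTISE_PEER_URLS" >&2
        return 1
    fi
    [ -s "$snap" ] || { echo "ERR: snapshot $snap missing or empty" >&2; return 1; }
    printf '%s snapshot restore %s --name %s --data-dir %s' "$bin" "$snap" "$name" "$dir"
    printf ' --initial-cluster %s --initial-advertise-peer-urls %s' "$cluster" "$peer"
    if [ -n "$token" ]; then printf ' --initial-cluster-token %s' "$token"; fi
    printf '\n'
}

# Whole procedure for one member (needs root; the unit is called etcd as in
# the systemd file above): stop etcd, move the old data dir aside instead of
# rm -rf so a failed restore can be rolled back, restore into ETCD_DATA_DIR
# (etcdctl refuses to restore into an existing directory), then start again.
restore_member() {  # restore_member CONF SNAPSHOT
    local cmd dir
    cmd=$(restore_cmd "$1" "$2") || return 1
    dir=$(conf_get "$1" ETCD_DATA_DIR)
    systemctl stop etcd || return 1
    if [ -d "$dir" ]; then mv "$dir" "$dir.old.$(date +%Y%m%d%H%M%S)" || return 1; fi
    eval "$cmd" && systemctl start etcd
}

# Constructed sample (not a real host): a 4-member https conf and a dummy
# snapshot file, only to show the command that would be run.
SAMPLE_CONF=$(mktemp); SAMPLE_SNAP=$(mktemp)
printf 'placeholder, not a real snapshot\n' > "$SAMPLE_SNAP"
cat > "$SAMPLE_CONF" <<'EOF'
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/opt/etcd/data"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.56:2380"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.0.56:2380,etcd02=https://192.168.0.57:2380,etcd03=https://192.168.0.58:2380,etcd04=https://192.168.0.59:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="existing"
EOF
restore_cmd "$SAMPLE_CONF" "$SAMPLE_SNAP"
```

On a real member run `restore_member /opt/etcd/cfg/etcd.conf snp.db` with the snapshot copied to that host; each member still needs its own etcd.conf with its own ETCD_NAME and peer URL.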

References
https://blog.csdn.net/m0_58541541/article/details/123233136
https://blog.csdn.net/qq_40822283/article/details/125667706
