Restoring pods from an etcd 3.5 snapshot

- First, an etcd service is needed

Downloading the tools is not covered here.
Create the CA certificate

tee ca-config.json<<-'EOF'

{
    "signing": {
        "default": {
            "expiry": "876000h"
        },
        "profiles": {
            "server": {
                "expiry": "876000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            },
            "client": {
                "expiry": "876000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "876000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF
tee ca-csr.json <<-'EOF'
{
    "CN": "etcd",
    "key": {
        "algo": "rsa",
        "size": 2048
    }
}
EOF
Generate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Generate the client certificate
tee client.json <<-'EOF'
{
    "CN": "client",
    "key": {
        "algo": "ecdsa",
        "size": 256
    }
}
EOF
Generate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json  | cfssljson -bare client -
Generate the server and peer certificates
tee etcd.json <<'EOF'
{
    "CN": "etcd",
    "hosts": [
        "192.168.10.28",
        "192.168.10.82",
        "192.168.10.128"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "L": "BJ",
            "ST": "BJ"
        }
    ]
}
EOF
Generate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd.json | cfssljson -bare server
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd.json | cfssljson -bare peer

The certificates are now generated. It is a hassle, but there is no way around it.
Now configure etcd

tee /lib/systemd/system/etcd.service <<-'EOF'
[Unit]
Description=Etcd Server
After=network.target
[Service]
Type=notify
#EnvironmentFile=/usr/local/tools/cfg/etcd.conf
ExecStart=/usr/local/etcd-v3.5.2-linux-amd64/etcd \
--data-dir=/data/etcd/default.etcd \
--name=etcd-0 \
--cert-file=/usr/local/tools/server.pem \
--key-file=/usr/local/tools/server-key.pem \
--peer-cert-file=/usr/local/tools/server.pem \
--peer-key-file=/usr/local/tools/server-key.pem \
--trusted-ca-file=/usr/local/tools/ca.pem \
--peer-trusted-ca-file=/usr/local/tools/ca.pem \
--peer-client-cert-auth \
--client-cert-auth \
--listen-peer-urls=https://192.168.10.28:2380 \
--initial-advertise-peer-urls=https://192.168.10.28:2380 \
--listen-client-urls=https://192.168.10.28:2379 \
--advertise-client-urls=https://192.168.10.28:2379 \
--logger=zap
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd

Confirm that etcd is reachable

etcdctl --endpoints="https://192.168.10.28:2379" \
 --cacert=/usr/local/tools/ca.pem \
 --cert=/usr/local/tools/server.pem \
 --key=/usr/local/tools/server-key.pem \
member list -w table
etcdctl --endpoints="https://192.168.10.28:2379" \
 --cacert=/usr/local/tools/ca.pem \
 --cert=/usr/local/tools/server.pem \
 --key=/usr/local/tools/server-key.pem \
 endpoint status -w table

Finally, hand it over to k8s

kubeadm config print init-defaults > kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.10.30  # this host's IP
  bindPort: 6443
nodeRegistration:
  criSocket: /run/containerd/containerd.sock
  imagePullPolicy: IfNotPresent
  name: master
  taints: null
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  external:  # use external etcd
    endpoints:
    - https://192.168.10.28:2379  # use external etcd
    caFile: /usr/local/tools/ca.pem
    certFile: /usr/local/tools/client.pem
    keyFile: /usr/local/tools/client-key.pem
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: 1.23.0
networking:
  dnsDomain: cluster.local
  podSubnet: 172.16.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"

Initialize

kubeadm init --config=kubeadm-config.yaml

Experiment 1

1. Create a group of containers

2. Take an etcd snapshot
etcdctl  --endpoints="https://192.168.10.28:2379"  \
--cacert=/usr/local/tools/ca.pem  \
--cert=/usr/local/tools/server.pem \
--key=/usr/local/tools/server-key.pem  \
snapshot save  /tmp/etcd3.db
# saved under /tmp

3. Delete that group of pods

4. Go back to etcd and restore that group of pods
etcdctl  --endpoints="https://192.168.10.28:2379"  \
--cacert=/usr/local/tools/ca.pem  \
--cert=/usr/local/tools/server.pem \
--key=/usr/local/tools/server-key.pem  \
snapshot restore  /tmp/etcd3.db

A new directory now appears

Back up the old directory
mv /data/etcd/default.etcd /data/etcd/default.etcd-789
Just move the restored snapshot directory here; no service needs to be restarted
mv default.etcd/ /data/etcd/
Back in k8s
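
Before step 4, the snapshot file can be checked for integrity: a file written by `etcdctl snapshot save` ends with a 32-byte SHA-256 of the database, which the restore also checks unless `--skip-hash-check` is given. The shell functions below are an added example, not part of the original post; `verify_etcd_snapshot`, `hex_to_bin` and `make_sample_snapshot` are hypothetical names, and the sample file is constructed only to exercise the check.

```shell
#!/bin/sh
# Added example, not from the original post: check the SHA-256 trailer of an
# etcd v3 snapshot before restoring it. Function names are hypothetical.

# verify_etcd_snapshot FILE
#   0 = trailer matches the database bytes
#   1 = mismatch (file corrupted or modified after the save)
#   2 = unreadable, or no trailer (e.g. a raw copy of member/snap/db)
verify_etcd_snapshot() {
    snap=$1
    [ -f "$snap" ] && [ -r "$snap" ] || return 2
    size=$(wc -c < "$snap")
    size=$((size))                     # normalise whitespace from wc
    # The bbolt database is a multiple of 512 bytes; the trailer adds 32.
    [ $((size % 512)) -eq 32 ] || return 2
    stored=$(tail -c 32 "$snap" | od -An -tx1 | tr -d ' \n')
    actual=$(head -c $((size - 32)) "$snap" | sha256sum | cut -d' ' -f1)
    [ "$stored" = "$actual" ]
}

# hex_to_bin HEX: write the bytes encoded by a hex string to stdout.
hex_to_bin() {
    h=$1
    while [ -n "$h" ]; do
        pair=${h%"${h#??}"}            # first two hex digits
        h=${h#??}
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

# make_sample_snapshot FILE: constructed stand-in for /tmp/etcd3.db
# (1024 filler bytes followed by their SHA-256), not real etcd data.
make_sample_snapshot() {
    head -c 1024 /dev/zero | tr '\0' 'e' > "$1"
    hex_to_bin "$(sha256sum "$1" | cut -d' ' -f1)" >> "$1"
}

# Usage before step 4 (snapshot path taken from the post):
#   verify_etcd_snapshot /tmp/etcd3.db || { echo "refusing to restore" >&2; exit 1; }
```

The snapshot holds every object stored in etcd, Kubernetes Secrets included, so keep it readable only by the etcd operator rather than leaving it in a shared /tmp.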
