kubernetes集群故障恢复
前提概要:该k8s集群为测试集群
故障报错1:
排障:
查询kube-apiserver服务状态:
可以看出cni使用了docker和cri-dockerd两种,所以涉及:unix:///run/containerd/containerd.sock unix:///var/run/cri-dockerd.sock两个
查询etcd服务状态:
etcd的数据文件损坏了,要做数据恢复,而我这是实验环境,没搞etcd备份就只能重置集群了
需要在每台机器上执行:
然后初始化集群:
在master节点执行:
[root@master ~]# kubeadm init --ignore-preflight-errors=SystemVerification --cri-socket unix:///var/run/cri-dockerd.sock I0409 07:02:10.310074 11794 version.go:256] remote version is much newer: v1.29.3; falling back to: stable-1.28 [init] Using Kubernetes version: v1.28.8 [preflight] Running pre-flight checks error execution phase preflight: [preflight] Some fatal errors occurred: [ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables contents are not set to 1 [preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...` To see the stack trace of this error execute with --v=5 or higher
如果遇到报错:
[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables contents are not set to 1
解决办法:# echo "1">/proc/sys/net/bridge/bridge-nf-call-iptables
当出现上面信息时,表示init初始化成功,然后在node1、node2节点进行加入到节点:
[root@master ~]# mkdir -p $HOME/.kube [root@master ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config [root@master ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config [root@master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION master Ready control-plane 82s v1.28.2 node1 Ready <none> 17s v1.28.2 node2 Ready <none> 6s v1.28.2
但是执行kubectl apply -f kube-flannel.yml一直报错:
Error registering network: failed to acquire lease: node "master" pod cidr not assigned
报错信息是cidr没有分配,于是继续reset,然后init的时候加上该参数:
[root@master ~]# kubeadm init --ignore-preflight-errors=SystemVerification --cri-socket unix:///var/run/cri-dockerd.sock --service-cidr=10.96.0.0/16 --pod-network-cidr=10.244.0.0/16
然后node1、node2继续join:
[root@node1 ~]# kubeadm join 192.168.77.100:6443 --token caidkf.z5ygdrotujz09y1z \ > --discovery-token-ca-cert-hash sha256:a753ca9b794a43912b3bfca5e52a788ca222e672a3630879b585f2eb841fc65e --cri-socket unix:///var/run/cri-dockerd.sock [root@node2 ~]# kubeadm join 192.168.77.100:6443 --token caidkf.z5ygdrotujz09y1z \ > --discovery-token-ca-cert-hash sha256:a753ca9b794a43912b3bfca5e52a788ca222e672a3630879b585f2eb841fc65e --cri-socket unix:///var/run/cri-dockerd.sock
然后master节点做一些config配置:
[root@master ~]# rm -rf /root/.kube/* [root@master ~]# mkdir -p $HOME/.kube [root@master ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config [root@master ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
集群状态,pod状态如下:
[root@master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION master Ready control-plane 59s v1.28.2 node1 Ready <none> 22s v1.28.2 node2 Ready <none> 27s v1.28.2
如果上述过程中出现如下报错:
[root@master ~]# kubectl get nodes Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes") [root@master ~]# kubectl get nodes Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
解决办法:
先删除config缓存,然后创建新的:
[root@master ~]# rm -rf /root/.kube/* [root@master ~]# mkdir -p $HOME/.kube [root@master ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config [root@master ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
故障:node节点不正常,kebelet服务挂了,cri-docker服务也启动失败,docker服务启动也失败
kebelet服务依赖于cri-docker服务依赖于docker服务:
[root@node4 ~]# journalctl -u docker.service -- Logs begin at Wed 2024-07-24 10:26:44 EDT, end at Wed 2024-07-24 11:19:06 EDT. -- Jul 24 10:26:56 node4 systemd[1]: Starting Docker Application Container Engine... Jul 24 10:26:58 node4 dockerd[1102]: unable to configure the Docker daemon with file /etc/docker/daemon.json: invalid character 'ï' after object key:value pair Jul 24 10:26:58 node4 systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE Jul 24 10:26:58 node4 systemd[1]: Failed to start Docker Application Container Engine. Jul 24 10:26:58 node4 systemd[1]: Unit docker.service entered failed state. Jul 24 10:26:58 node4 systemd[1]: docker.service failed. Jul 24 10:27:00 node4 systemd[1]: docker.service holdoff time over, scheduling restart. Jul 24 10:27:00 node4 systemd[1]: Stopped Docker Application Container Engine. Jul 24 10:27:00 node4 systemd[1]: Starting Docker Application Container Engine... Jul 24 10:27:00 node4 dockerd[1462]: unable to configure the Docker daemon with file /etc/docker/daemon.json: invalid character 'ï' after object key:value pair Jul 24 10:27:00 node4 systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE Jul 24 10:27:00 node4 systemd[1]: Failed to start Docker Application Container Engine. Jul 24 10:27:00 node4 systemd[1]: Unit docker.service entered failed state. Jul 24 10:27:00 node4 systemd[1]: docker.service failed. Jul 24 10:27:02 node4 systemd[1]: docker.service holdoff time over, scheduling restart. Jul 24 10:27:02 node4 systemd[1]: Stopped Docker Application Container Engine. Jul 24 10:27:02 node4 systemd[1]: Starting Docker Application Container Engine... Jul 24 10:27:03 node4 dockerd[1469]: unable to configure the Docker daemon with file /etc/docker/daemon.json: invalid character 'ï' after object key:value pair Jul 24 10:27:03 node4 systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE Jul 24 10:27:03 node4 systemd[1]: Failed to start Docker Application Container Engine. Jul 24 10:27:03 node4 systemd[1]: Unit docker.service entered failed state. Jul 24 10:27:03 node4 systemd[1]: docker.service failed. Jul 24 10:27:05 node4 systemd[1]: docker.service holdoff time over, scheduling restart. Jul 24 10:27:05 node4 systemd[1]: Stopped Docker Application Container Engine.
从错误表示/etc/docker/daemon.json这个文件出现格式错误,如果实在不知道哪里出问题,可以参考其他节点,也可以删掉,直接清空该文件
[root@node4 ~]# systemctl daemon-reload [root@node4 ~]# systemctl start docker [root@node4 ~]# systemctl status docker ● docker.service - Docker Application Container Engine Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2024-07-24 11:20:07 EDT; 5s ago Docs: https://docs.docker.com Main PID: 4652 (dockerd) Tasks: 17 Memory: 55.9M CGroup: /system.slice/docker.service └─4652 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
docker服务启动正常后,就可以启动其他服务了
[root@node4 ~]# systemctl start cri-docker [root@node4 ~]# systemctl status cri-docker ● cri-docker.service - CRI Interface for Docker Application Container Engine Loaded: loaded (/usr/lib/systemd/system/cri-docker.service; disabled; vendor preset: disabled) Active: active (running) since Wed 2024-07-24 11:20:28 EDT; 7s ago Docs: https://docs.mirantis.com Main PID: 4864 (cri-dockerd) Tasks: 32 Memory: 119.6M CGroup: /system.slice/cri-docker.service ├─4864 /usr/bin/cri-dockerd --container-runtime-endpoint fd:// --network-plugin=cni --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9 ├─5130 /opt/cni/bin/calico ├─5135 /opt/cni/bin/calico ├─5140 /opt/cni/bin/calico ├─5147 /opt/cni/bin/calico └─5151 /opt/cni/bin/calico
[root@node4 ~]# systemctl status kubelet ● kubelet.service - kubelet: The Kubernetes Node Agent Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled) Drop-In: /usr/lib/systemd/system/kubelet.service.d └─10-kubeadm.conf Active: active (running) since Wed 2024-07-24 11:20:34 EDT; 22s ago Docs: https://kubernetes.io/docs/ Main PID: 4946 (kubelet) Tasks: 11 Memory: 45.0M CGroup: /system.slice/kubelet.service └─4946 /usr/bin/kubele
参考文章:
https://zhuanlan.zhihu.com/p/646238661
https://blog.csdn.net/qq_40460909/article/details/114707380
https://blog.csdn.net/qq_21127151/article/details/120929170
