etcd
etcd 是CoreOS开发的分布式k-v 数据库。通过raft算法选举主节点
第一节集群安装
| 主机名 | 主机ip | etcd节点名称 | 版本 |
|---|---|---|---|
| etcd-1.k8s.com | 10.4.7.200/24 | etcd-1 | v.13.5.0 |
| etcd-2.k8s.com | 10.4.7.201/24 | etcd-2 | v.13.5.0 |
| etcd-3.k8s.com | 10.4.7.202/24 | etcd-3 | v.13.5.0 |
第一步生成证书
请求文件
cat etcd.cnf [req] req_extensions = v3_req distinguished_name = req_distinguished_name [ req_distinguished_name ] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation,digitalSignature,keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 10.4.7.200 IP.2 = 10.4.7.201 IP.3 = 10.4.7.202
ca证书
openssl genrsa -out ca.key 2048 openssl req -new -key ca.key -out ca.csr -subj "/CN=etcd" openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -days 365
server证书
openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr -subj "/CN=etcd-server" -config etcd.cnf openssl x509 -req -in server.csr -out server.crt -signkey server.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extensions v3_req -extfile etcd.cnf
peer证书
openssl genrsa -out peer.key 2048 openssl req -new -key peer.key -out peer.csr -subj "/CN=etcd-peer" -config etcd.cnf openssl x509 -req -in peer.csr -out peer.crt -signkey peer.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extensions v3_req -extfile etcd.cnf
第二步配置启动文件
注意
每个节点需要修改
--name
--listen-peer-urls
--initial-advertise-peer-urls
--listen-client-urls
--advertise-client-urls
#!/bin/bash # v3.4+ 可以不指定ETCDCTL_API export ETCDCTL_API=3 /opt/etcd/etcd \ --name etcd-3 \ --listen-peer-urls 'https://10.4.7.202:2380' \ --initial-advertise-peer-urls 'https://10.4.7.202:2380' \ --listen-client-urls 'https://10.4.7.202:2379,http://127.0.0.1:2379' \ --advertise-client-urls 'https://10.4.7.202:2379' \ --initial-cluster-state 'new' \ --initial-cluster-token 'etcd-cluster' \ --initial-cluster 'etcd-1=https://10.4.7.200:2380,etcd-2=https://10.4.7.201:2380,etcd-3=https://10.4.7.202:2380' \ --client-cert-auth --trusted-ca-file=./ca.crt \ --cert-file=server.crt --key-file=server.key \ --peer-client-cert-auth --peer-trusted-ca-file=./ca.crt \ --peer-cert-file=./peer.crt --peer-key-file=./peer.key
第三步启动etcd并检查
/opt/etcd/etcdctl \ --endpoints=https://10.4.7.200:2379,https://10.4.7.201:2379,https://10.4.7.202:2379 \ --cacert=./ca.crt \ --cert=peer.crt \ --key=peer.key \ member list -w table
第二节集群备份和恢复
COMMANDS: restore Restores an etcd member snapshot to an etcd directory save Stores an etcd node backend snapshot to a given file status [deprecated] Gets backend snapshot status of a given file
第一步生成测试内容
/opt/etcd/etcdctl --endpoints=https://10.4.7.200:2379 --cacert=./ca.crt --cert=peer.crt --key=peer.key put name 张三
第二步备份数据
连接到集群任意节点
/opt/etcd/etcdctl \ --endpoints=https://10.4.7.200:2379 \ --cacert=./ca.crt \ --cert=peer.crt \ --key=peer.key \ snapshot save /data/backup/2022-11-13.db
查看备份文件状态
/opt/etcd/etcdctl snapshot status /data/backup/2022-11-13.db -w table
第三步模拟破坏数据
/opt/etcd/etcdctl --endpoints=https://10.4.7.200:2379 --cacert=./ca.crt --cert=peer.crt --key=peer.key del name
第四步恢复数据
注意
- 停止集群所有节点etcd进程,备份原数据文件
- 停止所有kube-apiserver
- 集群所有节点执行恢复动作,注意修改
--name--initial-advertise-peer-urls--data-dir- 执行启动命令
ETCDCTL_API=3 /opt/etcd/etcdctl \ snapshot restore /data/backup/2022-11-13.db \ --name etcd-1 \ --initial-cluster "etcd-1=https://10.4.7.200:2380,etcd-2=https://10.4.7.201:2380,etcd-3=https://10.4.7.202:2380" \ --initial-cluster-token etcd-cluster \ --initial-advertise-peer-urls https://10.4.7.200:2380 \ --data-dir=./etcd-1.etcd
第五步启动集群
参考集群安装中启动脚本启动集群
验证恢复
[root@radius-db03 ~]# /opt/etcd/etcdctl --endpoints=https://10.4.7.200:2379 --cacert=./ca.crt --cert=peer.crt --key=peer.key get name name 张三
第三节下线节点
第一步获取节点id
/opt/etcd/etcdctl \ --endpoints=https://10.4.7.200:2379,https://10.4.7.201:2379,https://10.4.7.202:2379 \ --cacert=./ca.crt \ --cert=peer.crt \ --key=peer.key \ member list
第二步下线节点
/opt/etcd/etcdctl \ --endpoints=https://10.4.7.200:2379,https://10.4.7.201:2379,https://10.4.7.202:2379 \ --cacert=./ca.crt \ --cert=peer.crt \ --key=peer.key \ member remove 19a4c376178d5b49
Member 19a4c376178d5b49 removed from cluster d5f1887e154dc473
第四节添加节点
第一步集群中执行添加
注意
示例中
10.4.7.202需要在签证书时已经存在在etcd.cnf中
/opt/etcd/etcdctl \ --endpoints=https://10.4.7.200:2379,https://10.4.7.201:2379 \ --cacert=./ca.crt \ --cert=peer.crt \ --key=peer.key \ member add etcd-2 \ --peer-urls=https://10.4.7.202:2380
执行命令后返回值
Member 8c993ee76df9da92 added to cluster d5f1887e154dc473 ETCD_NAME="etcd-2" ETCD_INITIAL_CLUSTER="etcd-1=https://10.4.7.200:2380,etcd-2=https://10.4.7.201:2380,etcd-2=https://10.4.7.202:2380" ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.4.7.202:2380" ETCD_INITIAL_CLUSTER_STATE="existing"
第二步启动新加入节点
参考集群安装中启动脚本启动集群,需要把--initial-cluster-state 'new' 修改为 --initial-cluster-state 'existing'
第五节其他指令
节点的健康状态 endpoint health
etcdctl --endpoints=10.4.7.250:2379 \ --cacert="/etc/kubernetes/ssl/ca.pem" \ --cert="/etc/kubernetes/ssl/etcd.pem" \ --key="/etc/kubernetes/ssl/etcd-key.pem" \ endpoint health --write-out=table +-----------------+--------+-------------+-------+ | ENDPOINT | HEALTH | TOOK | ERROR | +-----------------+--------+-------------+-------+ | 10.4.7.250:2379 | true | 12.901855ms | | +-----------------+--------+-------------+-------+
集群成员 member list
etcdctl member list --write-out=table +------------------+---------+-----------------+-------------------------+-------------------------+------------+ | ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER | +------------------+---------+-----------------+-------------------------+-------------------------+------------+ | 5c3282345e325481 | started | etcd-10.4.7.250 | https://10.4.7.250:2380 | https://10.4.7.250:2379 | false | +------------------+---------+-----------------+-------------------------+-------------------------+------------+
节点状态endpoint status
etcdctl --endpoints=10.4.7.250:2379 \ --cacert="/etc/kubernetes/ssl/ca.pem" \ --cert="/etc/kubernetes/ssl/etcd.pem" \ --key="/etc/kubernetes/ssl/etcd-key.pem" \ endpoint status --write-out=table +-----------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+ | ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS | +-----------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+ | 10.4.7.250:2379 | 5c3282345e325481 | 3.5.0 | 2.9 MB | true | false | 2 | 216020 | 216020 | | +-----------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
性能测试check perf
[root@etcd-1 ~]# etcdctl check perf 60 / 60 Booooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo! 100.00% 1m0s PASS: Throughput is 150 writes/s PASS: Slowest request took 0.017941s PASS: Stddev is 0.000807s PASS
查询
查询key 1. 拿到所有key etcdctl get / --prefix --keys-only 2. 查询指定key.值是被序列化过的,因此可能会乱码 etcdctl get /registry/storageclasses/csi-rbd-sc
增加
etcdctl put /name wang OK
查询
etcdctl get /name /name wang # watch 一直监听 /name 这个key的变动 etcdctl watch /name
删除
[root@ceph ~]# etcdctl del /name 1
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
· 开发者必知的日志记录最佳实践
· SQL Server 2025 AI相关能力初探
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· C#/.NET/.NET Core优秀项目和框架2025年2月简报
· 葡萄城 AI 搜索升级:DeepSeek 加持,客户体验更智能
· 什么是nginx的强缓存和协商缓存
· 一文读懂知识蒸馏