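Kubernetes: Building a Secure and Reliable etcd Cluster

Abstract

On CentOS 7.9.2009 (Core) we build an etcd cluster in which each node has its own role and the nodes depend on one another. The cluster is protected with HTTPS authentication, and its data can be backed up and restored.

Main text

Kubernetes-3.3: Building and using an etcd cluster (HTTPS authentication, backup and restore)

Building the etcd cluster

Environment details

Based on CentOS Linux release 7.9.2009 (Core)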

ip hostname role
172.17.0.4 cd782d0a790b etcd1
172.17.0.3 83d43a1203f6 etcd2
172.17.0.2 99dac45f202c etcd3

 

Preparation

## Add the yum repositories first
## docker-ce
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

## epel
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
Install docker-ce
yum install -y yum-utils device-mapper-persistent-data lvm2 docker-ce
Install Go; optional (a Go environment is only needed if etcd is built from source)
yum install golang
Other tools
yum -y install ansible git iproute

 

Start building the etcd cluster (yum install)

yum -y install etcd

## Check the version
[root@cd782d0a790b data]# etcdctl -v
etcdctl version: 3.3.11
API version: 2

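1. Building the cluster over HTTP

Write the configuration file
cat /etc/etcd/etcd.conf

## etcd data directory
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"

## URLs to listen on for traffic from the other etcd members of the cluster
ETCD_LISTEN_PEER_URLS="http://172.17.0.4:2380"

## URLs to listen on for client traffic
ETCD_LISTEN_CLIENT_URLS="http://172.17.0.4:2379,http://127.0.0.1:2379"

## Name of this member in the cluster
ETCD_NAME="etcd1"

## Number of committed transactions that triggers a snapshot to disk
ETCD_SNAPSHOT_COUNT="10000"

## Heartbeat interval, in ms
ETCD_HEARTBEAT_INTERVAL="250"

## Election timeout, in ms
ETCD_ELECTION_TIMEOUT="5000"

## This member's peer URLs, advertised to the other members of the cluster
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://172.17.0.4:2380"

## This member's client URLs, advertised to the other members of the cluster
ETCD_ADVERTISE_CLIENT_URLS="http://172.17.0.4:2379"

## Initial cluster configuration used for bootstrapping
ETCD_INITIAL_CLUSTER="etcd1=http://172.17.0.4:2380,etcd2=http://172.17.0.3:2380,etcd3=http://172.17.0.2:2380"

## Initial cluster token used while bootstrapping the etcd cluster
ETCD_INITIAL_CLUSTER_TOKEN="k8s_etcd"

## Initial cluster state: use new when creating a new cluster, existing when joining a cluster that already exists
ETCD_INITIAL_CLUSTER_STATE="new"

## Proxy mode setting
ETCD_PROXY="off"

## Whether to enable auto compaction; 0 disables auto compaction.
ETCD_AUTO_COMPACTION_RETENTION="8"

## Metrics interface, exposed for the monitoring system
ETCD_METRICS="basic"

Note: the three configuration files are almost identical; what must change on each node is ETCD_NAME and the node's own IP address.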

Manage the service with systemctl
cat /usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
User=etcd
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Start the service and check its health
## Start on all three nodes
systemctl start etcd

## List the cluster members
[root@cd782d0a790b /]# etcdctl member list
d02233d35f3c4b94: name=etcd3 peerURLs=http://172.17.0.2:2380 clientURLs=http://172.17.0.2:2379 isLeader=false
e302fd1dad15f911: name=etcd1 peerURLs=http://172.17.0.4:2380 clientURLs=http://172.17.0.4:2379 isLeader=true
ef7057d9f69d96ad: name=etcd2 peerURLs=http://172.17.0.3:2380 clientURLs=http://172.17.0.3:2379 isLeader=false

## Check health
[root@cd782d0a790b /]# etcdctl cluster-health
member d02233d35f3c4b94 is healthy: got healthy result from http://172.17.0.2:2379
member e302fd1dad15f911 is healthy: got healthy result from http://172.17.0.4:2379
member ef7057d9f69d96ad is healthy: got healthy result from http://172.17.0.3:2379
The above uses the default API version 2; you can switch to API version 3 and check again
export ETCDCTL_API=3
HOST_1=172.17.0.2
HOST_2=172.17.0.3
HOST_3=172.17.0.4
ENDPOINTS=$HOST_1:2379,$HOST_2:2379,$HOST_3:2379

## List members
[root@cd782d0a790b /]# etcdctl --endpoints=$ENDPOINTS member list
d02233d35f3c4b94, started, etcd3, http://172.17.0.2:2380, http://172.17.0.2:2379
e302fd1dad15f911, started, etcd1, http://172.17.0.4:2380, http://172.17.0.4:2379
ef7057d9f69d96ad, started, etcd2, http://172.17.0.3:2380, http://172.17.0.3:2379

## Check health
[root@cd782d0a790b /]# etcdctl --endpoints=$ENDPOINTS endpoint health
172.17.0.2:2379 is healthy: successfully committed proposal: took = 7.5093ms
172.17.0.4:2379 is healthy: successfully committed proposal: took = 5.5682ms
172.17.0.3:2379 is healthy: successfully committed proposal: took = 8.0291ms

## Check status
[root@cd782d0a790b /]# etcdctl --write-out=table --endpoints=$ENDPOINTS endpoint status
+-----------------+------------------+---------+---------+-----------+-----------+------------+
|    ENDPOINT     |        ID        | VERSION | DB SIZE | IS LEADER | RAFT TERM | RAFT INDEX |
+-----------------+------------------+---------+---------+-----------+-----------+------------+
| 172.17.0.2:2379 | d02233d35f3c4b94 |  3.3.11 |   16 kB |     false |       129 |         12 |
| 172.17.0.3:2379 | ef7057d9f69d96ad |  3.3.11 |   16 kB |     false |       129 |         12 |
| 172.17.0.4:2379 | e302fd1dad15f911 |  3.3.11 |   20 kB |      true |       129 |         12 |
+-----------------+------------------+---------+---------+-----------+-----------+------------+

For more operations, see the official etcd demo: https://etcd.io/docs/v3.4/demo/

 

2. Building the cluster over HTTPS

First the certificates must be generated. Download the certificate generation tools (cfssl)
curl -s -L -o /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /usr/local/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -s -L -o /usr/local/bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /usr/local/bin/cfssl*
Generate the certificates
## CA configuration, valid for ten years
[root@cd782d0a790b cert]# cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
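EOF
"Field description"
"ca-config.json": several profiles can be defined, each with its own expiry time, usage scenarios and other parameters; a specific profile is chosen later when a certificate is signed;
"signing": the certificate can be used to sign other certificates; the generated ca.pem has CA=TRUE;
"server auth": a client can use this CA to verify the certificate presented by a server;
"client auth": a server can use this CA to verify the certificate presented by a client;

## CA request: Common Name (CN) of the authority, Country (C), State or province (ST), Locality or city (L)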
[root@cd782d0a790b cert]# cat > ca-csr.json << EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Beijing",
            "L": "Beijing"
        }
    ]
}
EOF

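## Certificate request submitted to the CA (country CN, province Beijing, city Beijing); every node uses the same certificate, so the IPs of all hosts must be listed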
[root@cd782d0a790b cert]# cat > server-csr.json << EOF
{
    "CN": "etcd",
    "hosts": [
      "172.17.0.2",
      "172.17.0.3",
      "172.17.0.4"
    ],
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O":"aa.com",
            "CN":"beijing.aa.com"
        }
    ]
}
EOF

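Once all the request files have been written:
## Generate the CA certificate and key
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
## Generate the etcd certificate and key; note that the -profile value must match a profile name under profiles in ca-config.json
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server

## The generated certificates
[root@cd782d0a790b ssl]# ls *.pem
ca-key.pem  ca.pem  server-key.pem  server.pem

## Grant read permission: certificates are world-readable; the server key is readable only by root and the etcd group (the service runs as User=etcd); the CA key only by root
chmod 644 ca.pem server.pem
chown root:etcd server-key.pem && chmod 640 server-key.pem
chmod 600 ca-key.pem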

 

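In the setup above, the client, the server and the peer traffic inside the cluster all use the same certificate. In practice it can be split into several certificates with different purposes and different expiry times, for example:

## Generate the CA configuration; several certificate types are defined here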
[root@cd782d0a790b cert]# cat > ca-config.json << EOF
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "server": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
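EOF
"Type description"
Three profiles are defined here
"server": used as the server certificate when the server communicates with clients
"client": used as the client certificate when the server communicates with clients
"peer": used for communication between servers; it authenticates both the server side and the client side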

cat > ca-csr.json << EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Beijing",
            "L": "Beijing"
        }
    ]
}
EOF
 
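## These certificates are separate: each node uses its own peer certificate. The names must differ, "hosts" must be that node's own IP (172.17.0.4 for etcd1), and this must be done once for every machine
[root@cd782d0a790b cert]# cat > etcd1-csr.json << EOF
{
    "CN": "etcd1",
    "hosts": [
      "172.17.0.4"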
    ],
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O":"aa.com",
            "CN":"beijing.aa.com"
        }
    ]
}
EOF
 
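Once all the request files have been written:
## Generate the CA certificate and key
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
## Generate the etcd certificates and keys; note that the -profile value must match a profile name under profiles in ca-config.json
for i in `seq 1 5`;do cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd${i}-csr.json | cfssljson -bare etcd${i};done

[root@cd782d0a790b ssl]# ls
ca-config.json  ca.csr          etcd1-key.pem  etcd2-csr.json  etcd2.pem       etcd3.csr       etcd4-key.pem  etcd5-csr.json  etcd5.pem
ca-csr.json     ca.pem          etcd1.csr      etcd2-key.pem   etcd3-csr.json  etcd3.pem       etcd4.csr      etcd5-key.pem   server.pem
ca-key.pem      etcd1-csr.json  etcd1.pem      etcd2.csr       etcd3-key.pem   etcd4-csr.json  etcd4.pem      etcd5.csr

## Grant read permission: certificates are world-readable; member keys are readable only by root and the etcd group (the service runs as User=etcd); the CA key only by root
chmod 644 ca.pem etcd[1-5].pem
chown root:etcd etcd[1-5]-key.pem && chmod 640 etcd[1-5]-key.pem
chmod 600 ca-key.pem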

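With a separate certificate per server, the etcd configuration below, and the certificates passed when listing members or checking status, should all point at that node's own certificate.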

 

Modify the etcd.conf configuration
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.17.0.4:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.17.0.4:2379,https://127.0.0.1:2379"
ETCD_NAME="etcd1"
ETCD_SNAPSHOT_COUNT="10000"
ETCD_HEARTBEAT_INTERVAL="250"
ETCD_ELECTION_TIMEOUT="5000"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.0.4:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.17.0.4:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://172.17.0.4:2380,etcd2=https://172.17.0.3:2380,etcd3=https://172.17.0.2:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_PROXY="off"
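## Certificate and key for communication between etcd clients and the server
ETCD_CERT_FILE="/data/cert/ssl/etcd1.pem"
ETCD_KEY_FILE="/data/cert/ssl/etcd1-key.pem"
ETCD_CLIENT_CERT_AUTH="true"

## CA certificate
ETCD_TRUSTED_CA_FILE="/data/cert/ssl/ca.pem"

## Certificate and key for communication inside the etcd cluster (peer traffic)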
ETCD_PEER_CERT_FILE="/data/cert/ssl/etcd1.pem"
ETCD_PEER_KEY_FILE="/data/cert/ssl/etcd1-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/data/cert/ssl/ca.pem"
ETCD_AUTO_COMPACTION_RETENTION="8"
ETCD_METRICS="basic"

Change every http to https, then specify the paths of the certificates.
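
An added example, not part of the original article: a shell function that audits an etcd.conf for the points this section depends on (every URL switched to https, client and peer certificate authentication enabled, certificate files present, private keys not accessible to other users). The function names and finding labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit an etcd.conf for the TLS settings used in this section.
# Prints one line per finding; exit status 0 means no findings.

# conf_get FILE KEY: print the value of KEY="value" (empty if unset).
conf_get() {
    sed -n 's/^'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# audit_etcd_conf FILE (the body runs in a subshell so variables stay local)
audit_etcd_conf() (
    conf=$1
    findings=0
    report() { echo "$*"; findings=$((findings + 1)); }

    # 1. Every listen, advertise and initial-cluster URL must be https://
    for key in ETCD_LISTEN_PEER_URLS ETCD_LISTEN_CLIENT_URLS \
               ETCD_INITIAL_ADVERTISE_PEER_URLS ETCD_ADVERTISE_CLIENT_URLS \
               ETCD_INITIAL_CLUSTER; do
        val=$(conf_get "$conf" "$key")
        [ -n "$val" ] || report "UNSET $key"
        for url in $(printf '%s' "$val" | tr ',' ' '); do
            url=${url#*=}    # drop the "etcd1=" prefix used in ETCD_INITIAL_CLUSTER
            case $url in
                https://*) ;;
                *) report "PLAINTEXT $key $url" ;;
            esac
        done
    done

    # 2. Certificate authentication must be on for clients and for peers
    for key in ETCD_CLIENT_CERT_AUTH ETCD_PEER_CLIENT_CERT_AUTH; do
        [ "$(conf_get "$conf" "$key")" = "true" ] || report "NO_CERT_AUTH $key"
    done

    # 3. CA, certificate and key files must exist; private keys must not be
    #    accessible to "other" (which chmod 644 on a *-key.pem would allow)
    for key in ETCD_TRUSTED_CA_FILE ETCD_PEER_TRUSTED_CA_FILE ETCD_CERT_FILE \
               ETCD_PEER_CERT_FILE ETCD_KEY_FILE ETCD_PEER_KEY_FILE; do
        f=$(conf_get "$conf" "$key")
        if [ -z "$f" ] || [ ! -f "$f" ]; then
            report "MISSING_FILE $key ${f:-unset}"
            continue
        fi
        case $key in
            *_KEY_FILE)
                other=$(ls -ld "$f" | cut -c8-10)   # "other" permission triad
                [ "$other" = "---" ] || report "KEY_WORLD_ACCESSIBLE $key $f" ;;
        esac
    done

    [ "$findings" -eq 0 ]
)
```

Run it on each node as `audit_etcd_conf /etc/etcd/etcd.conf` before restarting the service; any output line names the setting that still needs attention.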

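Restart the service
systemctl restart etcd

## On restart, errors similar to the following are reported
request sent was ignored (cluster ID mismatch: peer[61c68880c0fd8e67]=47ca0413c1aaf745, local=755bf44e2e1770ae)
or
publish error: etcdserver: request timed out

## The etcd cluster was previously started over HTTP and already has stored data; this stale data causes the errors. Delete the data on all nodes, then restart
rm -rf /var/lib/etcd/default.etcd/*
Check the status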
export ETCDCTL_API=3
HOST_1=https://172.17.0.2
HOST_2=https://172.17.0.3
HOST_3=https://172.17.0.4
ENDPOINTS=$HOST_1:2379,$HOST_2:2379,$HOST_3:2379

## list
etcdctl --endpoints=$ENDPOINTS --cacert="/data/cert/ssl/ca.pem" --cert="/data/cert/ssl/etcd1.pem" --key="/data/cert/ssl/etcd1-key.pem" member list --write-out=table
+------------------+---------+-------+-------------------------+-------------------------+
|        ID        | STATUS  | NAME  |       PEER ADDRS        |      CLIENT ADDRS       |
+------------------+---------+-------+-------------------------+-------------------------+
| 37ab29a4575d84d2 | started | etcd3 | https://172.17.0.2:2380 | https://172.17.0.2:2379 |
| 3e6a29fd4717a79a | started | etcd2 | https://172.17.0.3:2380 | https://172.17.0.3:2379 |
| 653155eddc689793 | started | etcd1 | https://172.17.0.4:2380 | https://172.17.0.4:2379 |
+------------------+---------+-------+-------------------------+-------------------------+

## status
etcdctl --endpoints=$ENDPOINTS --cacert="/data/cert/ssl/ca.pem" --cert="/data/cert/ssl/etcd1.pem" --key="/data/cert/ssl/etcd1-key.pem" endpoint status --write-out=table
+-------------------------+------------------+---------+---------+-----------+-----------+------------+
|        ENDPOINT         |        ID        | VERSION | DB SIZE | IS LEADER | RAFT TERM | RAFT INDEX |
+-------------------------+------------------+---------+---------+-----------+-----------+------------+
| https://172.17.0.2:2379 | 37ab29a4575d84d2 |  3.3.11 |   20 kB |     false |      1064 |        139 |
| https://172.17.0.3:2379 | 3e6a29fd4717a79a |  3.3.11 |   20 kB |      true |      1064 |        139 |
| https://172.17.0.4:2379 | 653155eddc689793 |  3.3.11 |   20 kB |     false |      1064 |        139 |
+-------------------------+------------------+---------+---------+-----------+-----------+------------+
 

 

3. Adding a node to the etcd cluster

Add it with member add
## add
etcdctl --endpoints=$ENDPOINTS --cacert="/data/cert/ssl/ca.pem" --cert="/data/cert/ssl/etcd1.pem" --key="/data/cert/ssl/etcd1-key.pem" member add etcd4 --peer-urls=https://172.17.0.5:2380
Member 71f4582f1c4ba901 added to cluster a89c967de8e14b61

ETCD_NAME="etcd4"
ETCD_INITIAL_CLUSTER="etcd3=https://172.17.0.2:2380,etcd2=https://172.17.0.3:2380,etcd1=https://172.17.0.4:2380,etcd4=https://172.17.0.5:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.0.5:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"

## list
etcdctl --endpoints=$ENDPOINTS --cacert="/data/cert/ssl/ca.pem" --cert="/data/cert/ssl/etcd1.pem" --key="/data/cert/ssl/etcd1-key.pem" member list --write-out=table
+------------------+-----------+-------+-------------------------+-------------------------+
|        ID        |  STATUS   | NAME  |       PEER ADDRS        |      CLIENT ADDRS       |
+------------------+-----------+-------+-------------------------+-------------------------+
| 37ab29a4575d84d2 |   started | etcd3 | https://172.17.0.2:2380 | https://172.17.0.2:2379 |
| 3e6a29fd4717a79a |   started | etcd2 | https://172.17.0.3:2380 | https://172.17.0.3:2379 |
| 653155eddc689793 |   started | etcd1 | https://172.17.0.4:2380 | https://172.17.0.4:2379 |
| e321a980939fe867 | unstarted |       | https://172.17.0.5:2380 |                         |
+------------------+-----------+-------+-------------------------+-------------------------+

Note: when adding nodes, the cluster must be fully healthy again before the next node is added; otherwise an error similar to this is reported: Error: etcdserver: unhealthy cluster

The final configuration file for etcd4 is as follows
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.17.0.5:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.17.0.5:2379,https://127.0.0.1:2379"
ETCD_NAME="etcd4"
ETCD_SNAPSHOT_COUNT="10000"
ETCD_HEARTBEAT_INTERVAL="250"
ETCD_ELECTION_TIMEOUT="5000"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.0.5:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.17.0.5:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://172.17.0.4:2380,etcd2=https://172.17.0.3:2380,etcd3=https://172.17.0.2:2380,etcd4=https://172.17.0.5:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd"
ETCD_INITIAL_CLUSTER_STATE="existing"
ETCD_PROXY="off"
ETCD_CERT_FILE="/data/cert/ssl/etcd4.pem"
ETCD_KEY_FILE="/data/cert/ssl/etcd4-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/data/cert/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/data/cert/ssl/etcd4.pem"
ETCD_PEER_KEY_FILE="/data/cert/ssl/etcd4-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/data/cert/ssl/ca.pem"
ETCD_AUTO_COMPACTION_RETENTION="8"
ETCD_METRICS="basic"
Start etcd4 and check the cluster status
systemctl start etcd

export ETCDCTL_API=3
HOST_1=https://172.17.0.2
HOST_2=https://172.17.0.3
HOST_3=https://172.17.0.4
HOST_4=https://172.17.0.5
ENDPOINTS=$HOST_1:2379,$HOST_2:2379,$HOST_3:2379,$HOST_4:2379

## list
etcdctl --endpoints=$ENDPOINTS --cacert="/data/cert/ssl/ca.pem" --cert="/data/cert/ssl/etcd1.pem" --key="/data/cert/ssl/etcd1-key.pem" member list --write-out=table
+------------------+---------+-------+-------------------------+-------------------------+
|        ID        | STATUS  | NAME  |       PEER ADDRS        |      CLIENT ADDRS       |
+------------------+---------+-------+-------------------------+-------------------------+
| 37ab29a4575d84d2 | started | etcd3 | https://172.17.0.2:2380 | https://172.17.0.2:2379 |
| 3e6a29fd4717a79a | started | etcd2 | https://172.17.0.3:2380 | https://172.17.0.3:2379 |
| 653155eddc689793 | started | etcd1 | https://172.17.0.4:2380 | https://172.17.0.4:2379 |
| e321a980939fe867 | started | etcd4 | https://172.17.0.5:2380 | https://172.17.0.5:2379 |
+------------------+---------+-------+-------------------------+-------------------------+

## status
etcdctl --endpoints=$ENDPOINTS --cacert="/data/cert/ssl/ca.pem" --cert="/data/cert/ssl/etcd1.pem" --key="/data/cert/ssl/etcd1-key.pem" endpoint status --write-out=table
+-------------------------+------------------+---------+---------+-----------+-----------+------------+
|        ENDPOINT         |        ID        | VERSION | DB SIZE | IS LEADER | RAFT TERM | RAFT INDEX |
+-------------------------+------------------+---------+---------+-----------+-----------+------------+
| https://172.17.0.2:2379 | 37ab29a4575d84d2 |  3.3.11 |   20 kB |     false |      1066 |        159 |
| https://172.17.0.3:2379 | 3e6a29fd4717a79a |  3.3.11 |   20 kB |     false |      1066 |        159 |
| https://172.17.0.4:2379 | 653155eddc689793 |  3.3.11 |   20 kB |      true |      1066 |        159 |
| https://172.17.0.5:2379 | e321a980939fe867 |  3.3.11 |   20 kB |     false |      1066 |        159 |
+-------------------------+------------------+---------+---------+-----------+-----------+------------+

 

4. Backing up and restoring etcd cluster data

Backup
## Environment setup
export ETCDCTL_API=3
kubectl get nodes -o wide
HOST_1=https://10.36.234.169
HOST_2=https://10.36.234.180
HOST_3=https://10.36.235.19
ENDPOINTS=$HOST_1:2379,$HOST_2:2379,$HOST_3:2379

## Back up
etcdctl --endpoints=$ENDPOINTS --cacert="/etc/ssl/etcd/ssl/ca.pem" --cert="/etc/ssl/etcd/ssl/member-gzbh-intelmbx043.gzbh.baidu.com.pem" --key="/etc/ssl/etcd/ssl/member-gzbh-intelmbx043.gzbh.baidu.com-key.pem" snapshot save my.db
Snapshot saved at my.db

## Inspect
[root@gzbh-intelmbx043 etcd_data]# ls
my.db
Restore
## Stop the etcd service
systemctl stop etcd

## Delete the original data (if the original data is important, remember to back it up first!)
rm -rf /var/lib/etcd

## Restore; in a multi-node cluster, the snapshot must be imported on every machine
etcdctl --endpoints=https://10.61.187.39:2379 --cacert="/etc/ssl/etcd/ssl/ca.pem" --cert="/etc/ssl/etcd/ssl/member-yq01-aip-aikefu06e1a866.yq01.baidu.com.pem" --key="/etc/ssl/etcd/ssl/member-yq01-aip-aikefu06e1a866.yq01.baidu.com-key.pem" snapshot restore my.db --name=etcd1 --initial-cluster etcd1=https://10.61.187.39:2380 --initial-cluster-token etcd_test --initial-advertise-peer-urls https://10.61.187.39:2380 --data-dir=/var/lib/etcd/
2021-05-25 16:05:02.784608 I | mvcc: restore compact to 6104817
2021-05-25 16:05:02.802119 I | etcdserver/membership: added member 67745b5848ce7e3c [https://10.61.187.39:2380] to cluster 1256ee7f1ba66254

## Then just start the service
systemctl start etcd

Note: backing up and restoring data is a sensitive operation; be careful!
