当前位置: 首页 > article >正文

Kubernetes控制平面组件:etcd高可用集群搭建

article 2025/2/21 23:38:39

云原生学习路线导航页(持续更新中)

  • kubernetes学习系列快捷链接
    • Kubernetes架构原则和对象设计(一)
    • Kubernetes架构原则和对象设计(二)
    • Kubernetes架构原则和对象设计(三)
    • Kubernetes控制平面组件:etcd(一)
    • Kubernetes控制平面组件:etcd(二)
    • Kubernetes控制平面组件:etcd常用配置参数
    • kubectl 和 kubeconfig 基本原理
    • kubeadm 升级 k8s集群 1.17到1.20
    • Kubernetes常见问题解答
    • 查看云机器的一些常用配置
  • 本文将给出 ETCD 高可用集群的搭建方法,并演示如何进行数据备份、数据恢复、集群停机和集群重启
  • 参考链接:https://github.com/cncamp/101/blob/master/module5/etcd-ha-demo/install-ha-etcd.MD

1.etcd 高可用集群的搭建

推荐先阅读:Kubernetes控制平面组件:etcd常用配置参数,搞清楚etcd的常用参数,再阅读本节将会更加清晰

1.1.Install cfssl

# Debian/Ubuntu
apt install golang-cfssl

# 或者使用go直接安装
go install github.com/cloudflare/cfssl/cmd/cfssl@latest
go install github.com/cloudflare/cfssl/cmd/cfssljson@latest
  • 作用:安装 cfssl 工具,用于生成 TLS 证书。
  • 原因:ETCD 集群需要 TLS 证书来加密节点之间的通信,确保数据安全性。

1.2.Generate tls certs and clone etcd code

mkdir /root/go/src/github.com/etcd-io
cd /root/go/src/github.com/etcd-io
git clone https://github.com/etcd-io/etcd.git
cd etcd/hack/tls-setup
  • 作用:
    • 创建 Go 工作目录。
    • 克隆 ETCD 官方仓库。
    • 进入 TLS 证书生成脚本目录。目的是先生成证书,才能去启动etcd
  • 原因:ETCD 官方提供了 TLS 证书生成的脚本和配置文件,方便用户快速生成证书。

1.3.Edit req-csr.json and keep 127.0.0.1 and localhost only for single cluster setup.

vi config/req-csr.json
  • 作用:编辑证书签名请求(CSR)配置文件,配置文件编辑好就可以生成证书了
  • 原因:

    • etcd 的证书签名请求文件,默认会生成一些ip,我们需要把ips改成自己的etcd集群ip
      在这里插入图片描述

    • 因为我这里虽然构建3节点etcd集群,但是都在本地一台机器上,所有只需要保留 127.0.0.1 和 localhost,避免生成不必要的证书。
      在这里插入图片描述

1.4.Generate certs

export infra0=127.0.0.1
export infra1=127.0.0.1
export infra2=127.0.0.1
make
mkdir /tmp/etcd-certs
mv certs /tmp/etcd-certs
  • 作用:
    • 先设置环境变量,指定集群节点的 IP 地址。因为我们准备将etcd的三个节点分别命名为 infra0、infra1、infra2
    • 使用 make 命令生成 TLS 证书。默认证书会生成到 当前目录/certs
    • 创建证书存储目录,并将生成的证书移动到该目录。
  • 原因:
    • 环境变量用于指定集群节点的 IP 地址。
    • make 命令调用 cfssl 生成证书。
    • 将证书集中存储,便于后续使用。后续使用etcdctl时需要执行cert目录

1.5.Start etcd cluster member1

  • 创建 start-all.sh 文件,将下面的命令复制进去

    • 声明了3个etcd实例,–initial-cluster-state为new,指明cert地址、节点名称、data-dir
    • 因为我要在同一台机器上启动3个实例,所以3个实例的端口是各异的
    #
# each etcd instance name need to be unique
# x380 is for peer communication
# x379 is for client communication
# dir-data cannot be shared
#
nohup etcd --name infra0 \
--data-dir=/tmp/etcd/infra0 \
--listen-peer-urls https://127.0.0.1:3380 \
--initial-advertise-peer-urls https://127.0.0.1:3380 \
--listen-client-urls https://127.0.0.1:3379 \
--advertise-client-urls https://127.0.0.1:3379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=https://127.0.0.1:3380,infra1=https://127.0.0.1:4380,infra2=https://127.0.0.1:5380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--peer-cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--peer-key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem 2>&1 > /var/log/infra0.log &

nohup etcd --name infra1 \
--data-dir=/tmp/etcd/infra1 \
--listen-peer-urls https://127.0.0.1:4380 \
--initial-advertise-peer-urls https://127.0.0.1:4380 \
--listen-client-urls https://127.0.0.1:4379 \
--advertise-client-urls https://127.0.0.1:4379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=https://127.0.0.1:3380,infra1=https://127.0.0.1:4380,infra2=https://127.0.0.1:5380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--peer-cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--peer-key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem 2>&1 > /var/log/infra1.log &

nohup etcd --name infra2 \
--data-dir=/tmp/etcd/infra2 \
--listen-peer-urls https://127.0.0.1:5380 \
--initial-advertise-peer-urls https://127.0.0.1:5380 \
--listen-client-urls https://127.0.0.1:5379 \
--advertise-client-urls https://127.0.0.1:5379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster infra0=https://127.0.0.1:3380,infra1=https://127.0.0.1:4380,infra2=https://127.0.0.1:5380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--peer-cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--peer-key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem 2>&1 > /var/log/infra2.log &

  • 执行创建集群

    chmod +0777 start-all.sh
./start-all.sh

  • 执行后集群就启动了,ps -ef | grep etcd 可以看出3个etcd节点已经有了
    在这里插入图片描述

  • 常见错误

    • 如果执行报错:nohup: nohup: failed to run command ‘etcd’nohup: failed to run command ‘etcd’failed to run command ‘etcd’: No such file or directory: No such file or directory,说明还没有etcd命令,需要安装一下
      # centos中
yum install etcd
# 设置使用的etcdctl api为v3
export ETCDCTL_API=3

1.6.Member list 验证 etcd

etcdctl --endpoints https://127.0.0.1:3379 --cert /tmp/etcd-certs/certs/127.0.0.1.pem --key /tmp/etcd-certs/certs/127.0.0.1-key.pem --cacert /tmp/etcd-certs/certs/ca.pem member list
  • 作用:查看 ETCD 集群的成员列表。
  • 原因:验证集群是否正常运行,并确认所有节点已成功加入集群。
  • 如果报错:flag provided but not defined: -cert,说明没有设置 etcdctl 的版本
    export ETCDCTL_API=3

2.数据备份

2.1.Insert some data

  • 插入一些数据,模拟etcd的正常使用
    • key=a value=b
    • key=/a value=/b
    • key=/a/f value=ok
# 插入3条数据
[root@VM-226-235-tencentos ~/go/src/github.com/etcd-io/etcd/hack/tls-setup]# etcdctl --endpoints https://127.0.0.1:3379 --cert /tmp/etcd-certs/certs/127.0.0.1.pem --key /tmp/etcd-certs/certs/127.0.0.1-key.pem --cacert /tmp/etcd-certs/certs/ca.pem put a b
OK
[root@VM-226-235-tencentos ~/go/src/github.com/etcd-io/etcd/hack/tls-setup]# etcdctl --endpoints https://127.0.0.1:3379 --cert /tmp/etcd-certs/certs/127.0.0.1.pem --key /tmp/etcd-certs/certs/127.0.0.1-key.pem --cacert /tmp/etcd-certs/certs/ca.pem put /a /b
OK
[root@VM-226-235-tencentos ~/go/src/github.com/etcd-io/etcd/hack/tls-setup]# etcdctl --endpoints https://127.0.0.1:3379 --cert /tmp/etcd-certs/certs/127.0.0.1.pem --key /tmp/etcd-certs/certs/127.0.0.1-key.pem --cacert /tmp/etcd-certs/certs/ca.pem put /a/f ok
OK

# 查看所有的数据
[root@VM-226-235-tencentos ~/go/src/github.com/etcd-io/etcd/hack/tls-setup]# etcdctl --endpoints https://127.0.0.1:3379 --cert /tmp/etcd-certs/certs/127.0.0.1.pem --key /tmp/etcd-certs/certs/127.0.0.1-key.pem --cacert /tmp/etcd-certs/certs/ca.pem get --prefix ""
/a
/b
/a/f
ok
a
b

2.2.Backup

  • 执行备份命令,将当前etcd集群全量备份为快照snapshot,备份生成文件snapshot.db
    etcdctl --endpoints https://127.0.0.1:3379 \
	--cert /tmp/etcd-certs/certs/127.0.0.1.pem \
	--key /tmp/etcd-certs/certs/127.0.0.1-key.pem \
	--cacert /tmp/etcd-certs/certs/ca.pem snapshot save snapshot.db
  • 执行后集群就备份了,ls 查看当前目录文件,会多出一个 snapshot.db
  • 在集群出现故障或数据丢失时,可以通过备份恢复数据。

3.销毁etcd集群,模拟故障

ps -ef | grep "/tmp/etcd/infra" | grep -v grep | awk '{print $2}'|xargs kill
  • 作用:终止所有 ETCD 节点的进程。
  • 原因:在恢复数据之前,需要停止所有 ETCD 实例。
rm -rf /tmp/etcd
  • 作用:删除 ETCD 数据目录。
  • 原因:模拟数据丢失场景,测试备份恢复功能。

4.使用快照恢复etcd集群数据

  • 创建 restore.sh 文件,将下面的命令复制进去
    • 使用 snapshot 恢复3个etcd实例,指定将数据恢复到哪里–data-dir
    export ETCDCTL_API=3
etcdctl snapshot restore snapshot.db \
  --name infra0 \
  --data-dir=/tmp/etcd/infra0 \
  --initial-cluster infra0=https://127.0.0.1:3380,infra1=https://127.0.0.1:4380,infra2=https://127.0.0.1:5380 \
  --initial-cluster-token etcd-cluster-1 \
  --initial-advertise-peer-urls https://127.0.0.1:3380

etcdctl snapshot restore snapshot.db \
    --name infra1 \
    --data-dir=/tmp/etcd/infra1 \
    --initial-cluster infra0=https://127.0.0.1:3380,infra1=https://127.0.0.1:4380,infra2=https://127.0.0.1:5380 \
    --initial-cluster-token etcd-cluster-1 \
    --initial-advertise-peer-urls https://127.0.0.1:4380

etcdctl snapshot restore snapshot.db \
  --name infra2 \
  --data-dir=/tmp/etcd/infra2 \
  --initial-cluster infra0=https://127.0.0.1:3380,infra1=https://127.0.0.1:4380,infra2=https://127.0.0.1:5380 \
  --initial-cluster-token etcd-cluster-1 \
  --initial-advertise-peer-urls https://127.0.0.1:5380
  • 执行恢复集群数据,完成后 ls /tmp/etcd 查看数据是否恢复回来了
    chmod +0777 restore.sh
./restore.sh
ls /tmp/etcd

5.重启etcd集群

  • 创建 restart-all.sh 文件,将下面的命令复制进去
    • 使用 重新启动 3个etcd实例,–data-dir指定数据目录
    nohup etcd --name infra0 \
--data-dir=/tmp/etcd/infra0 \
--listen-peer-urls https://127.0.0.1:3380 \
--listen-client-urls https://127.0.0.1:3379 \
--advertise-client-urls https://127.0.0.1:3379 \
--client-cert-auth --trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--peer-cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--peer-key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem 2>&1 > /var/log/infra0.log &

nohup etcd --name infra1 \
--data-dir=/tmp/etcd/infra1 \
--listen-peer-urls https://127.0.0.1:4380 \
--listen-client-urls https://127.0.0.1:4379 \
--advertise-client-urls https://127.0.0.1:4379 \
--client-cert-auth --trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--peer-cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--peer-key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem 2>&1 > /var/log/infra1.log &

nohup etcd --name infra2 \
--data-dir=/tmp/etcd/infra2 \
--listen-peer-urls https://127.0.0.1:5380 \
--listen-client-urls https://127.0.0.1:5379 \
--advertise-client-urls https://127.0.0.1:5379 \
--client-cert-auth --trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/tmp/etcd-certs/certs/ca.pem \
--peer-cert-file=/tmp/etcd-certs/certs/127.0.0.1.pem \
--peer-key-file=/tmp/etcd-certs/certs/127.0.0.1-key.pem 2>&1 > /var/log/infra2.log &
  • 执行重启集群,完成后 ps -ef | grep etcd 查看3个etcd节点是否都重新启动了
    ps -ef | grep etcd

6.验证数据是否恢复

  • 获取etcd的member,查看节点是否正常
    [root@VM-226-235-tencentos ~/go/src/github.com/etcd-io/etcd/hack/tls-setup]# etcdctl --endpoints https://127.0.0.1:3379 --cert /tmp/etcd-certs/certs/127.0.0.1.pem --key /tmp/etcd-certs/certs/127.0.0.1-key.pem --cacert /tmp/etcd-certs/certs/ca.pem member list
1701f7e3861531d4, started, infra0, https://127.0.0.1:3380, https://127.0.0.1:3379
6a58b5afdcebd95d, started, infra1, https://127.0.0.1:4380, https://127.0.0.1:4379
84a1a2f39cda4029, started, infra2, https://127.0.0.1:5380, https://127.0.0.1:5379
  • 获取etcd的所有数据,验证数据是否恢复
    [root@VM-226-235-tencentos ~/go/src/github.com/etcd-io/etcd/hack/tls-setup]# etcdctl --endpoints https://127.0.0.1:3379 --cert /tmp/etcd-certs/certs/127.0.0.1.pem --key /tmp/etcd-certs/certs/127.0.0.1-key.pem --cacert /tmp/etcd-certs/certs/ca.pem get --prefix ""
/a
/b
/a/f
ok
a
b

http://www.kler.cn/a/549902.html

相关文章:

  • 250214-java类集框架
  • React 前端框架搭建与解析
  • 数据结构与算法学习笔记----数位统计DP
  • (6/100)每日小游戏平台系列
  • Java爬虫获取1688商品详情API接口的设计与实现
  • 解锁机器学习核心算法 | 线性回归:机器学习的基石
  • 微服务之任务调度工具
  • 五十天精通硬件设计第32天-S参数
  • 北京青蓝智慧科技:软考高项vs考研,谁更胜一筹?
  • DeepSeek人机对话使用教程(PC版)
  • llama.cpp将sensor格式的大模型转化为gguf格式
  • 麻将对对碰游戏:规则与模拟实现
  • 【系列专栏】银行IT的云原生架构-云单元架构 12
  • Apache Struts2 - 任意文件上传漏洞 - CVE-2024-53677
  • 大数据预处理中的数据清洗策略
  • SpringBoot 的核心只有几张图
  • 区块链可投会议CCF B--ICNP 2025 截止5.16 附2023录用率
  • GO语言中的结构体struct
  • 核货宝外贸订货系统:批发贸易企业出海的强劲东风
  • 开源AI智能名片2+1链动模式S2B2C商城小程序在社交价值挖掘中的应用与策略研究