rancher

https://rancher.com/docs/rancher/v2.x/en/troubleshooting/kubernetes-components/etcd/
[

](https://rancher.com/docs/rancher/v2.5/en/troubleshooting/kubernetes-components/etcd/)
https://github.com/rancher/rke/issues/2512

https://rancher.com/docs/rancher/v2.5/en/troubleshooting/kubernetes-components/etcd/

  1. [rancher@rmaster01 ~]$ docker ps -a -f=name=etcd$
  2. CONTAINER ID        IMAGE                                  COMMAND                  CREATED             STATUS              PORTS               NAMES
  3. cf3240f66065        rancher/coreos-etcd:v3.4.14-rancher1   "/usr/local/bin/etcd…"   8 weeks ago         Up 6 minutes                            etcd
  4. [rancher@rmaster01 ~]$ docker exec -e ETCDCTL_ENDPOINTS=$(docker exec etcd /bin/sh -c "etcdctl member list | cut -d, -f5 | sed -e 's/ //g' | paste -sd ','") etcd etcdctl endpoint status --write-out table
  5. +----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
  6. |          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
  7. +----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
  8. | https://192.168.6.102:2379 | 48c8f6426a43d1f1 |  3.4.14 |   92 MB |     false |      false |        49 |   18502729 |           18502729 |   |
  9. | https://192.168.6.101:2379 | e5f985c597c36724 |  3.4.14 |   91 MB |     false |      false |        49 |   18502729 |           18502729 |   |
  10. | https://192.168.6.100:2379 | f4e7ca4943b7b405 |  3.4.14 |   91 MB |      true |      false |        49 |   18502729 |           18502729 |   |
  11. +----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
  12. [rancher@rmaster01 ~]$ docker exec -e ETCDCTL_ENDPOINTS=$(docker exec etcd /bin/sh -c "etcdctl member list | cut -d, -f5 | sed -e 's/ //g' | paste -sd ','") etcd etcdctl member list
  13. 48c8f6426a43d1f1, started, etcd-rmaster03, https://192.168.6.102:2380, https://192.168.6.102:2379, false
  14. e5f985c597c36724, started, etcd-rmaster02, https://192.168.6.101:2380, https://192.168.6.101:2379, false
  15. f4e7ca4943b7b405, started, etcd-rmaster01, https://192.168.6.100:2380, https://192.168.6.100:2379, false
  16. [rancher@rmaster01 ~]$

证书

  1. [rancher@rmaster01 ssl]$ pwd
  2. /etc/kubernetes/ssl
  3. [rancher@rmaster01 ssl]$ ls
  4. certs                                         kubecfg-kube-controller-manager.yaml  kube-etcd-192-168-11-102.pem
  5. kube-apiserver-key.pem                        kubecfg-kube-node.yaml                kube-node-key.pem
  6. kube-apiserver.pem                            kubecfg-kube-proxy.yaml               kube-node.pem
  7. kube-apiserver-proxy-client-key.pem           kubecfg-kube-scheduler.yaml           kube-proxy-key.pem
  8. kube-apiserver-proxy-client.pem               kube-controller-manager-key.pem       kube-proxy.pem
  9. kube-apiserver-requestheader-ca-key.pem       kube-controller-manager.pem           kube-scheduler-key.pem
  10. kube-apiserver-requestheader-ca.pem           kube-etcd-192-168-11-100-key.pem      kube-scheduler.pem
  11. kube-ca-key.pem                               kube-etcd-192-168-11-100.pem          kube-service-account-token-key.pem
  12. kube-ca.pem                                   kube-etcd-192-168-11-101-key.pem      kube-service-account-token.pem
  13. kubecfg-kube-apiserver-proxy-client.yaml      kube-etcd-192-168-11-101.pem
  14. kubecfg-kube-apiserver-requestheader-ca.yaml  kube-etcd-192-168-11-102-key.pem
  15. [rancher@rmaster01 ssl]$
  1. [rancher@rmaster01 ~]$ docker ps |grep etcd 
  2. c93210bbcacc        rancher/rke-tools:v0.1.72              "/docker-entrypoint.…"   3 weeks ago         Up 6 days                               etcd-rolling-snapshots
  3. e073d4c5266b        rancher/coreos-etcd:v3.4.13-rancher1   "/usr/local/bin/etcd…"   3 weeks ago         Up 6 days                               etcd
  4. [rancher@rmaster01 ~]$ 
  5. [rancher@rmaster01 ~]$ docker image ls |grep etcd 
  6. rancher/coreos-etcd                 v3.4.13-rancher1    7a8adaf3e7ad        7 months ago        83.8MB
  7. [rancher@rmaster01 ~]$
  1. [rancher@rmaster01 ~]$ docker exec -it  c93 bash
  2. bash-5.0#
  3. bash-5.0# etcdctl -v
  4. etcdctl version: 3.3.10
  5. API version: 2
  6. bash-5.0#
  1. [rancher@rmaster01 ~]$ docker exec -it e073 sh 
  2. # export ETCDCTL_API=3
  3. # etcdctl member list
  4. 48c8f6426a43d1f1, started, etcd-rmaster03, https://192.168.6.102:2380, https://192.168.6.102:2379, false
  5. e5f985c597c36724, started, etcd-rmaster02, https://192.168.6.101:2380, https://192.168.6.101:2379, false
  6. f4e7ca4943b7b405, started, etcd-rmaster01, https://192.168.6.100:2380, https://192.168.6.100:2379, false
  7. #
  1. [root@rmaster01 ~]# docker exec -it  e073d4c5266b sh
  2. # etcdctl endpoint health 
  3. https://127.0.0.1:2379 is healthy: successfully committed proposal: took = 31.811534ms
  4. # etcdctl member list
  5. 48c8f6426a43d1f1, started, etcd-rmaster03, https://192.168.6.102:2380, https://192.168.6.102:2379, false
  6. e5f985c597c36724, started, etcd-rmaster02, https://192.168.6.101:2380, https://192.168.6.101:2379, false
  7. f4e7ca4943b7b405, started, etcd-rmaster01, https://192.168.6.100:2380, https://192.168.6.100:2379, false
  1. # etcdctl snapshot save snapshotdb
  2. {"level":"info","ts":1616891288.2478633,"caller":"snapshot/v3_snapshot.go:119","msg":"created temporary db file","path":"snapshotdb.part"}
  3. {"level":"info","ts":"2021-03-28T00:28:08.280Z","caller":"clientv3/maintenance.go:200","msg":"opened snapshot stream; downloading"}
  4. {"level":"info","ts":1616891288.2803595,"caller":"snapshot/v3_snapshot.go:127","msg":"fetching snapshot","endpoint":"https://127.0.0.1:2379"}
  5. {"level":"info","ts":"2021-03-28T00:28:09.231Z","caller":"clientv3/maintenance.go:208","msg":"completed snapshot read; closing"}
  6. {"level":"info","ts":1616891289.5301962,"caller":"snapshot/v3_snapshot.go:142","msg":"fetched snapshot","endpoint":"https://127.0.0.1:2379","size":"23 MB","took":1.282092525}
  7. {"level":"info","ts":1616891289.5304568,"caller":"snapshot/v3_snapshot.go:152","msg":"saved","path":"snapshotdb"}
  8. Snapshot saved at snapshotdb
  9. #

kubeadm

  1. ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 \
  2.   --cert=/etc/kubernetes/pki/etcd/server.crt \
  3.   --key=/etc/kubernetes/pki/etcd/server.key \
  4.   --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  5.   member list
  7. ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 \
  8.   --cert=/etc/kubernetes/pki/etcd/server.crt \
  9.   --key=/etc/kubernetes/pki/etcd/server.key \
  10.   --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  11.  snapshot save /var/lib/backup/etcd-snapshot.db
  13. ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 \
  14.   --cert=/etc/kubernetes/pki/etcd/server.crt \
  15.   --key=/etc/kubernetes/pki/etcd/server.key \
  16.   --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  17.  --write-out=table snapshot status /var/lib/backup/etcd-snapshot.db
  19. ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 \
  20.   --cert=/etc/kubernetes/pki/etcd/server.crt \
  21.   --key=/etc/kubernetes/pki/etcd/server.key \
  22.   --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  23. snapshot restore  /var/lib/backup/etcd-snapshot.db
  30. ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 \
  31.   --cert=/etc/kubernetes/pki/etcd/server.crt \
  32.   --key=/etc/kubernetes/pki/etcd/server.key \
  33.   --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  34.   --name master \
  35.   --data-dir=/var/lib/etcd \
  36.   --skip-hash-check \
  37.   --initial-advertise-peer-urls=https://127.0.0.1:2380 \
  38.   --initial-cluster=master=https://127.0.0.1:2380 \
  39. snapshot restore /var/lib/backup/etcd-snapshot.db
  43. [root@master ~]# kubectl -n kube-system  exec -it  etcd-master sh
  44. # ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 \
  45.   --cert=/etc/kubernetes/pki/etcd/server.crt \
  46.   --key=/etc/kubernetes/pki/etcd/server.key \
  47.   --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  48.   member list> > > > 
  49. 3ced1f2dde846660, started, master, https://192.168.11.90:2380, https://192.168.11.90:2379, false
  50. #
  51. # ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 \
  52.   --cert=/etc/kubernetes/pki/etcd/server.crt \
  53.   --key=/etc/kubernetes/pki/etcd/server.key \
  54.   --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  55.  --write-out=table snapshot status /var/lib/backup/etcd-snapshot.db> > > > 
  56. +----------+----------+------------+------------+
  57. |   HASH   | REVISION | TOTAL KEYS | TOTAL SIZE |
  58. +----------+----------+------------+------------+
  59. | bbf56722 |    34835 |       1349 |     4.5 MB |
  60. +----------+----------+------------+------------+
  61. #
  1. [root@master ~]# cat /etc/kubernetes/manifests/etcd.yaml 
  2. apiVersion: v1
  3. kind: Pod
  4. metadata:
  5.   annotations:
  6.     kubeadm.kubernetes.io/etcd.advertise-client-urls: https://192.168.11.90:2379
  7.   creationTimestamp: null
  8.   labels:
  9.     component: etcd
  10.     tier: control-plane
  11.   name: etcd
  12.   namespace: kube-system
  13. spec:
  14.   containers:
  15.   - command:
  16.     - etcd
  17.     - --advertise-client-urls=https://192.168.11.90:2379
  18.     - --cert-file=/etc/kubernetes/pki/etcd/server.crt
  19.     - --client-cert-auth=true
  20.     - --data-dir=/var/lib/etcd
  21.     - --initial-advertise-peer-urls=https://192.168.11.90:2380
  22.     - --initial-cluster=master=https://192.168.11.90:2380
  23.     - --key-file=/etc/kubernetes/pki/etcd/server.key
  24.     - --listen-client-urls=https://127.0.0.1:2379,https://192.168.11.90:2379
  25.     - --listen-metrics-urls=http://127.0.0.1:2381
  26.     - --listen-peer-urls=https://192.168.11.90:2380
  27.     - --name=master
  28.     - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
  29.     - --peer-client-cert-auth=true
  30.     - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
  31.     - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
  32.     - --snapshot-count=10000
  33.     - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
  34.     image: registry.aliyuncs.com/google_containers/etcd:3.4.3-0
  35.     imagePullPolicy: IfNotPresent
  36.     livenessProbe:
  37.       failureThreshold: 8
  38.       httpGet:
  39.         host: 127.0.0.1
  40.         path: /health
  41.         port: 2381
  42.         scheme: HTTP
  43.       initialDelaySeconds: 15
  44.       timeoutSeconds: 15
  45.     name: etcd
  46.     resources: {}
  47.     volumeMounts:
  48.     - mountPath: /var/lib/etcd
  49.       name: etcd-data
  50.     - mountPath: /etc/kubernetes/pki/etcd
  51.       name: etcd-certs
  52.   hostNetwork: true
  53.   priorityClassName: system-cluster-critical
  54.   volumes:
  55.   - hostPath:
  56.       path: /etc/kubernetes/pki/etcd
  57.       type: DirectoryOrCreate
  58.     name: etcd-certs
  59.   - hostPath:
  60.       path: /var/lib/etcd
  61.       type: DirectoryOrCreate
  62.     name: etcd-data
  63. status: {}
  64. [root@master ~]#

etcd 命令帮助

  1. # etcdctl -h
  2. NAME:
  3.     etcdctl - A simple command line client for etcd3.
  5. USAGE:
  6.     etcdctl [flags]
  8. VERSION:
  9.     3.4.3
  11. API VERSION:
  12.     3.4
  15. COMMANDS:
  16.     alarm disarm        Disarms all alarms
  17.     alarm list        Lists all alarms
  18.     auth disable        Disables authentication
  19.     auth enable        Enables authentication
  20.     check datascale        Check the memory usage of holding data for different workloads on a given server endpoint.
  21.     check perf        Check the performance of the etcd cluster
  22.     compaction        Compacts the event history in etcd
  23.     defrag            Defragments the storage of the etcd members with given endpoints
  24.     del            Removes the specified key or range of keys [key, range_end)
  25.     elect            Observes and participates in leader election
  26.     endpoint hashkv        Prints the KV history hash for each endpoint in --endpoints
  27.     endpoint health        Checks the healthiness of endpoints specified in `--endpoints` flag
  28.     endpoint status        Prints out the status of endpoints specified in `--endpoints` flag
  29.     get            Gets the key or a range of keys
  30.     help            Help about any command
  31.     lease grant        Creates leases
  32.     lease keep-alive    Keeps leases alive (renew)
  33.     lease list        List all active leases
  34.     lease revoke        Revokes leases
  35.     lease timetolive    Get lease information
  36.     lock            Acquires a named lock
  37.     make-mirror        Makes a mirror at the destination etcd cluster
  38.     member add        Adds a member into the cluster
  39.     member list        Lists all members in the cluster
  40.     member promote        Promotes a non-voting member in the cluster
  41.     member remove        Removes a member from the cluster
  42.     member update        Updates a member in the cluster
  43.     migrate            Migrates keys in a v2 store to a mvcc store
  44.     move-leader        Transfers leadership to another etcd cluster member.
  45.     put            Puts the given key into the store
  46.     role add        Adds a new role
  47.     role delete        Deletes a role
  48.     role get        Gets detailed information of a role
  49.     role grant-permission    Grants a key to a role
  50.     role list        Lists all roles
  51.     role revoke-permission    Revokes a key from a role
  52.     snapshot restore    Restores an etcd member snapshot to an etcd directory
  53.     snapshot save        Stores an etcd node backend snapshot to a given file
  54.     snapshot status        Gets backend snapshot status of a given file
  55.     txn            Txn processes all the requests in one transaction
  56.     user add        Adds a new user
  57.     user delete        Deletes a user
  58.     user get        Gets detailed information of a user
  59.     user grant-role        Grants a role to a user
  60.     user list        Lists all users
  61.     user passwd        Changes password of user
  62.     user revoke-role    Revokes a role from a user
  63.     version            Prints the version of etcdctl
  64.     watch            Watches events stream on keys or prefixes
  66. OPTIONS:
  67.       --cacert=""                verify certificates of TLS-enabled secure servers using this CA bundle
  68.       --cert=""                    identify secure client using this TLS certificate file
  69.       --command-timeout=5s            timeout for short running command (excluding dial timeout)
  70.       --debug[=false]                enable client-side debug logging
  71.       --dial-timeout=2s                dial timeout for client connections
  72.   -d, --discovery-srv=""            domain name to query for SRV records describing cluster endpoints
  73.       --discovery-srv-name=""            service name to query when using DNS discovery
  74.       --endpoints=[127.0.0.1:2379]        gRPC endpoints
  75.   -h, --help[=false]                help for etcdctl
  76.       --hex[=false]                print byte strings as hex encoded strings
  77.       --insecure-discovery[=true]        accept insecure SRV records describing cluster endpoints
  78.       --insecure-skip-tls-verify[=false]    skip server certificate verification
  79.       --insecure-transport[=true]        disable transport security for client connections
  80.       --keepalive-time=2s            keepalive time for client connections
  81.       --keepalive-timeout=6s            keepalive timeout for client connections
  82.       --key=""                    identify secure client using this TLS key file
  83.       --password=""                password for authentication (if this option is used, --user option shouldn't include password)
  84.       --user=""                    username[:password] for authentication (prompt if password is not supplied)
  85.   -w, --write-out="simple"            set the output format (fields, json, protobuf, simple, table)