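Backing up and restoring Kubernetes etcd data

Backup and restore

All Kubernetes objects are stored in etcd. Backing up the etcd cluster data regularly is important for recovering a Kubernetes cluster in disaster scenarios, such as losing all control plane nodes. The snapshot file contains all Kubernetes state and critical information. To keep the sensitive Kubernetes data safe, the snapshot file can be encrypted.

Backup

A snapshot can be taken from a live member with the etcdctl snapshot save command.

Getting the etcdctl tool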

[root@m51 ~]# etcdctl
-bash: etcdctl: command not found

Finding the etcdctl tool through the container

Locate the tool with a find command, find / -name etcdctl, then copy the binary to the /usr/bin/ directory and verify it.

[root@m51 ~]# find / -name etcdctl
/var/lib/docker/overlay2/d4cf2ee0ea5ba2105936897d3d478c38a23ba6fb65593dc808a559e2dc67667a/diff/usr/local/bin/etcdctl
...
[root@m51 ~]# cp /var/lib/docker/overlay2/d4cf2ee0ea5ba2105936897d3d478c38a23ba6fb65593dc808a559e2dc67667a/diff/usr/local/bin/etcdctl /usr/bin/
[root@m51 ~]# etcdctl version
etcdctl version: 3.5.3
API version: 3.5

Backing up with the command

ETCDCTL_API=3 \
etcdctl \
--endpoints=<endpoints> \
--cacert=<trusted-ca-file> \
--cert=<cert-file> \
--key=<key-file> \
snapshot save <backup-file-location>

The endpoints, trusted-ca-file, cert-file and key-file values can be obtained from the description of the etcd Pod.

[root@m51 ~]# kubectl get pod etcd-m51 -n kube-system -o yaml
apiVersion: v1
kind: Pod
...
  name: etcd-m51
  namespace: kube-system
 ...
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://10.6.122.51:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    ...
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    ...
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    ...
  • endpoints: use the advertise-client-urls value from the YAML file (https://10.6.122.51:2379)
  • trusted-ca-file: use the trusted-ca-file value from the YAML file (/etc/kubernetes/pki/etcd/ca.crt)
  • cert: use the cert-file value from the YAML file (/etc/kubernetes/pki/etcd/server.crt)
  • key: use the key-file value from the YAML file (/etc/kubernetes/pki/etcd/server.key)

The command is as follows:

ETCDCTL_API=3 \
etcdctl \
--endpoints=https://10.6.122.51:2379 \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key \
snapshot save sn-$(date +%y-%m-%d).db
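
The mapping from the etcd Pod flags to etcdctl options described above, as an added example that is not part of the original post: a shell function that reads the four flags from a manifest and prints the matching snapshot save command. The function names and the sample manifest (including the peer certificate paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the etcdctl backup command from an etcd Pod manifest.
# Assumption: etcd flags appear as "- --flag=value" list items, as in the
# kubectl output above.

# Print the value of one "--<flag>=<value>" entry read from stdin.
# The pattern matches the whole flag name, so --peer-cert-file is never
# returned when --cert-file is requested.
etcd_flag() {
    sed -n "s/^[[:space:]]*-[[:space:]]*--$1=\([^[:space:]]*\).*\$/\1/p" | head -n 1
}

# Print the "etcdctl snapshot save" command for manifest $1 and output file $2.
# Returns non-zero if any of the four required flags is missing.
etcd_backup_cmd() {
    manifest=$1 out=$2
    endpoints=$(etcd_flag advertise-client-urls < "$manifest")
    cacert=$(etcd_flag trusted-ca-file < "$manifest")
    cert=$(etcd_flag cert-file < "$manifest")
    key=$(etcd_flag key-file < "$manifest")
    for v in "$endpoints" "$cacert" "$cert" "$key"; do
        [ -n "$v" ] || { echo "missing etcd flag in $manifest" >&2; return 1; }
    done
    printf 'ETCDCTL_API=3 etcdctl --endpoints=%s --cacert=%s --cert=%s --key=%s snapshot save %s\n' \
        "$endpoints" "$cacert" "$cert" "$key" "$out"
}

# Constructed sample manifest (not taken from a real cluster).
write_sample_manifest() {
    cat > "$1" <<'EOF'
spec:
  containers:
  - command:
    - etcd
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --advertise-client-urls=https://10.6.122.51:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
EOF
}

demo=$(mktemp) && write_sample_manifest "$demo" \
    && etcd_backup_cmd "$demo" "sn-$(date +%y-%m-%d).db"
rm -f "$demo"
```

Because the snapshot holds every Secret in the cluster, run the printed command under `umask 077` so the resulting file is readable only by its owner.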

Running the command

[root@m51 etcd-back]# ETCDCTL_API=3 \
> etcdctl \
> --endpoints=https://10.6.122.51:2379 \
> --cacert=/etc/kubernetes/pki/etcd/ca.crt \
> --cert=/etc/kubernetes/pki/etcd/server.crt \
> --key=/etc/kubernetes/pki/etcd/server.key \
> snapshot save sn-$(date +%y-%m-%d).db
{"level":"info","ts":"2023-05-24T10:36:24.789+0800","caller":"snapshot/v3_snapshot.go:65","msg":"created temporary db file","path":"sn-23-05-24.db.part"}
{"level":"info","ts":"2023-05-24T10:36:24.809+0800","logger":"client","caller":"v3/maintenance.go:211","msg":"opened snapshot stream; downloading"}
{"level":"info","ts":"2023-05-24T10:36:24.809+0800","caller":"snapshot/v3_snapshot.go:73","msg":"fetching snapshot","endpoint":"https://10.6.122.51:2379"}
Snapshot saved at sn-23-05-24.db

## Verify the snapshot
[root@m51 etcd-back]# ETCDCTL_API=3 etcdctl --write-out=table snapshot status sn-23-05-24.db
Deprecated: Use `etcdutl snapshot status` instead.

+----------+-----------+------------+------------+
|   HASH   | REVISION  | TOTAL KEYS | TOTAL SIZE |
+----------+-----------+------------+------------+
| c656b4b5 | 184373211 |      25273 |     195 MB |
+----------+-----------+------------+------------+
[root@m51 etcd-back]#

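The backup succeeded.

Restore

etcd supports restoring from snapshots taken from an etcd process of the major.minor version, or of a different patch version. A restore operation is used to recover the data of a failed cluster.

Before starting the restore operation, a snapshot file must be present. It can be a snapshot file from a previous backup operation, or one from a remaining data directory. For example:

Restore command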

ETCDCTL_API=3 etcdctl --endpoints 10.6.122.51:2379 snapshot restore sn-23-05-24.db

Options can also be specified when restoring, such as --data-dir (default directory: /var/lib/etcd/). For example:

ETCDCTL_API=3 etcdctl snapshot restore --data-dir /var/lib/etcd/ sn-23-05-24.db

Reference:

https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd/

Licensed under CC BY-NC-SA 4.0
Last updated Jan 06, 2025 05:52 UTC