LJKのBlog

安装

1

npm install json -g

使用

1
2
3
4
5

# 标准输入
<something generating JSON on stdout> | json [OPTIONS] [LOOKUPS...]

# 从文件中加载
json -f FILE [OPTIONS] [LOOKUPS...]

• -e：修改

  1 2 3 4 5 6 7

  $ echo '{"name":"trent","age":38}' | json -e 'this.age++' { "name": "trent", "age": 39 } $json -I -f tmp.json -e 'this.deploy.type="git"'

• -c：添加

  1	json -I -f tmp.json -c 'this.deploy.branch="main"'

资源清单是 yml 格式，api-server 会自动转成 json 格式

每个 API 对象都有 3 大类属性：元数据 metadata、规范 spec 和状态 status

spec 是期望状态，status 是实际状态，如果实际状态和期望状态有出入，控制器（通常是 deployment 控制器）的控制循环就会监控到差异，然后将需要做出的更改提交到 apiserver，调度器 scheduler 监控到 apiserver 中有未执行的操作，就会去找适合执行操作的 node，然后提交到 apiserver，kubelet 监控到 apiserver 中有关于自己节点的操作，就会执行操作，将执行结果返回给 apiserver，apiserver 再更新实际状态

deployment

1

HorizontalPodAutoscaler

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

kind: HorizontalPodAutoscaler
apiVersion: autoscaling/v2beta1
metadata:
  namespace: linux42
  name: tomcat-app1-podautoscaler
  labels:
    app: tomcat-app1 #自定义app标签
    version: v2beta1 #自定义version标签
spec: # 对象具体信息
  scaleTargetRef: #定义水平伸缩的目标对象：Deployment、ReplicationController/ReplicaSet
    kind: Deployment #目标对象类型为deployment
    apiVersion: apps/v1 #API版本
    name: tomcat-app1-deployment #deployment的名称
  minReplicas: 2 #最小pod数
  maxReplicas: 5 #最大pod数
  metrics: #需要安装metrics server
    - type: Resource # 类型为资源
      resource: # 定义资源
        name: cpu
        targetAverageUtilization: 80 #CPU使用率，超过80%就增加pod
    - type: Resource
      resource:
        name: memory
        targetAverageValue: 1024Mi # 内存使用量，超过1024Mi就增加pod

namespace

1
2
3
4

apiVersion: v1
kind: Namespace
metadata:
  name: test

Nginx 业务 yaml 文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

kind: Deployment
apiVersion: extensions/v1beta1 # API版本
metadata: # deployment元数据
  name: nginx-deployment # deployment名称，创建后的pdo名称是这个名称加随机字符串
  namespace: test # pod的namespace，默认是default
  labels: # 自定义deployment标签
    app: nginx-deployment-label
spec: # deployment的详细信息
  replicas: 1 # 创建出的pod的副本数，即多少个pod，默认值为1
  selector: # Deployment如何查找要管理的Pods，它必须与pod模板的标签相匹配
    matchLabels: # 定义匹配Pod的标签，pod模板的标签相匹配
      app: nginx-selector # 就是下面的 template.metadata.labels.app
  template: # 定义模板，必须定义，用于描述要创建的pod
    metadata: # pod元数据
      labels: # 自定义pod的标签，主要用于service匹配
        app: nginx-selector # 自定义app标签
    spec: # pod详细信息
      containers: # pod中容器列表，可以多个，至少一个，绝大部分情况是一个，pod不能动态增减容器
        - name: nginx-container # 容器名称
          image:
            harbor.magedu.net/test/nginx-web1:v1 # 镜像地址
            # command: ["/apps/tomcat/bin/run_tomcat.sh"]     # 容器启动执行的命令或脚本
            # imagePullPolicy: IfNotPresent
          imagePullPolicy: Always # 拉取镜像策略
          ports: # 定义容器端口列表
            - name: http # 端口名称
              containerPort: 80
              protocol: TCP
            - name: https # 端口名称
              containerPort: 443
              protocol: TCP
          env: # 配置环境变量
            - name: "password" # 变量名称。必须要用引号引起来
              value: "123456"
            - name: "age"
              value: "18"
          resources: # 对资源的请求设置和限制设置
            limits: # 资源限制设置上限
              cpu: 2 # cpu的限制，单位为core数，可以写0.5或者500m等CPU压缩值
              memory: 2Gi # 内存限制，单位可以为Mib/Gib，将用于docker run --memory参数
            requests: # 资源请求的设置
              cpu: 1 # cpu请求数，容器启动的初始可用数量,可以写0.5或者500m等CPU压缩值
              memory: 512Mi # 内存请求大小，容器启动的初始可用数量，用于调度pod时候使用
---
kind: Service
apiVersion: v1 # API版本
metadata: # service元数据
  name: nginx-spec # service的名称，此名称会被DNS解析
  namespace: test # 该service隶属于的namespaces名称，即把service创建到哪个namespace里面
  labels: # 自定义service标签
    app: nginx
spec: # service的详细信息
  type: NodePort # service的类型，定义服务的访问方式，默认为ClusterIP
  ports: # 定义访问端口
    - name: http # 定义一个端口名称
      port: 80 # service 80端口
      protocol: TCP # 协议类型
      targetPort: 80 # 目标pod的端口
      nodePort: 30001 # node节点暴露的端口
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
      nodePort: 30043
  selector: # service的标签选择器，匹配Pod的标签
    app: nginx-selector # 匹配定义了app标签且值为nginx-selector的Pod

Master PDF Editor，强大的多功能 PDF 编辑器，轻松查看，创建，修改，批注，签名，扫描，OCR 和打印 PDF 文档。高级注释工具，可以添加任意便笺指示对象突出显示，加下划线和删除，而无需更改源 PDF 文件

添加目录

左键选中文字，右键添加书签

批量去除水印

VXLAN

vxlan 是属于 overlay 中的一种隧道封装技术，实际上将 L2(数据链路层)的以太网帧封装成 L4(传输层)的 UDP 数据报文，然后在 L3 网络层传输，最终实现的效果就类似于在 L2 的以太网传输报文一样，但是不受 L3 网络层限制

1
2

为什么是在L3传输？
因为传输是基于路由表，路由只涉及ip，不涉及端口

vxlan 标志位有 24 位，可以划分 2^24 个虚拟局域网

1
2
3
4
5

1. 感觉封装UDP是多余的，只靠IP也能通信
因为Vxlan的封装思维是将原始数据报文当做用户数据包，VTEP当做大二层接入，那么VTEP会依次进行传输层封装，网络层封装，以太网头部封装，如果直接进行IP封装则跳过了传输层的封装过程，会在传输的过程中遇到一些困难，很多数据中心里都会有大量的冗余链路，交换机面对多条等价路径时会进行基于五元组进行HASH,此时会出现问题；其次，在遇到NAT设备时，无法穿透也会造成影响

2. 为什么封装成UDP，而不是TCP
因为封装UDP开销比较小，至于TCP比UDP更可靠，但是依靠原始数据报文的TCP也可以实现可靠性的要求

网络模型

docker 的网络模型

• Bridge：桥接
• Host：主机
• Container：容器

kubernetes 网络模型

kubernetes 的网络模型主要用于解决四类通信需求

Pod 内通信

命名空间：linux 底层概念，在内核层实现，容器使用 namespce 技术实现容器间相互隔离

• mnt namespace：隔离根，即 chroot 技术
• ipc namespace：隔离进程间通信
• uts namespace：隔离系统信息，主机名等信息
• pid namespace：隔离进程号
• net namespace：隔离网络
• user namespce：隔离用户

运行在同一个 pod 内的容器，共享 net、ipc、uts、一组存储卷，亲密关系，同进同退

Pod 间通信 ★★★

网络模型：所有 Pod 在一个平面网络中，每个 Pod 拥有一个集群全局唯一的地址，可直接与其他 Pod 通信

k8s 设计了网络模型，但将其实现交给网络插件，主流的网络插件有：flannel、calico、kube-router 等

flannel

早期版本的 Flannel 使用 UDP 封装完成报文的跨越主机转发，其安全性及性能略有不足，现在已经废弃这种方式了，现在只能通过 vxlan 或 host-gw 进行通信

• flannel VXLAN 后端：

• flannel VXLAN Direct Routing 后端：

  Directrouting 为在同一个二层网络中的 node 节点启用直接路由机制，类似于 host-gw 模式

• host-gw 后端：

  类似 calico，通过路由表完成报文转发

calico

Calico 本身是一个三层的虚拟网络方案，它将每个节点都当作路由器（router），将每个节点的容器都当作是“节点路由器”的一个终端并为其分配一个 IP 地址，各节点路由器通过BGP（BorderGateway Protocol）学习生成路由规则，从而将不同节点上的容器连接起来

BGP 是互联网上一个核心的去中心化自治路由协议，性能非常高，需要物理路由器的支持，这也是公有云不提供 calico 的原因，因为公有云上节点连接的都是虚拟路由器

calico 核心组件：

• Felix：calico 的 agent，维护路由规则、汇报当前节点状态
• Etcd：路由规则储存在 etcd
• BGP Client：运行在每个 node 上，负责监听由 felix 生成的路由信息，然后通过 BGP 协议广播至其他 node 节点，其他 node 的 Felix 会自动更新路由规则，从而实现路由的相互学习
• Route Reflector：集中式的路由反射器，维护全网的路由规则，替换路由广播，如果节点非常多，可以考虑使用

BGP 模式下 calico 的通信过程：

1
2
3
4
5
6

# traceroute命令查看请求ip为10.10.74.193的pod
/ $ traceroute 10.10.74.193
traceroute to 10.10.74.193 (10.10.74.193), 30 hops max, 46 byte packets
 1  10.0.1.32 (10.0.1.32)  0.005 ms  0.006 ms  0.002 ms  # 当前pod所在节点的ip
 2  10.0.1.33 (10.0.1.33)  1.220 ms  0.254 ms  0.147 ms  # 对方pod所在节点的ip
 3  10.10.74.193 (10.10.74.193)  0.207 ms  0.308 ms  0.163 ms # 对方pod的ip

如果 node 需要跨网段通信，Calico 也提供了IPIP模式，IPIP 模式下，calico 会在每个节点上创建一个 tunl0 接口（TUN 类型虚拟设备）用于封装三层隧道报文。节点上每创建一个 Pod 资源，都自动创建一对虚拟以太网接口（TAP 类型的虚拟设备），其中一个附加于 Pod 的网络名称空间，另一个（名称以 cali 为前缀后跟随机字串）留置在节点的根网络名称空间，并经由 tunl0 封装或解封三层隧道报文，Calico IPIP 模式如下图：

IPIP 模式下 calico 的通信过程：

1
2
3
4
5

/ $ traceroute 10.10.58.65  # 请求ip为10.10.58.65的pod
traceroute to 10.10.58.65 (10.10.58.65), 30 hops max, 46 byte packets
 1  172.31.6.210 (172.31.6.210)  0.004 ms  0.004 ms  0.002 ms # 当前pod所在node地址
 2  10.10.58.64 (10.10.58.64)  0.003 ms  0.432 ms  0.497 ms # 对方pod所在node的tunl0地址
 3  10.10.58.65 (10.10.58.65)  0.553 ms  2.114 ms  0.775 ms # 对方pod地址

BGP 模式则直接使用物理机作为虚拟路由路（vRouter），请求直接通过路由跳转，不再创建额外的 tunnel，没有 tunnel 封装、解封的步骤，所以 BGP 的性能会比 IPIP 高很多，建议禁用 IPIP

Service 与 Pod 通信

集群外部与 Service 通信

请求流量首先到达外部负载均衡器，由其调度至某个工作节点之上，而后再由工作节点的 netfilter（kube-proxy）组件上的规则（iptables 或 ipvs）调度至某个目标 Pod 对象

集群外的流量先进入节点网络，再进入service 网络，最后进入pod 网络

网络策略

网络策略（Network Policy）是用于控制分组的 Pod 资源彼此之间如何进行通信，以及分组的 Pod 资源如何与其他网络端点进行通信的规范。它用于为 Kubernetes 实现更为精细的流量控制，实现租户隔离机制。Kubernetes 使用标准的资源对象“NetworkPolicy”供管理员按需定义网络访问控制策略

Kubernetes 的网络策略功能由其所使用的网络插件实现，Calico、Canal 及 kube-router 支持网络策略，而 flannel 不支持

etcdctl is a command line client for etcd.

The v3 API is used by default on master branch. For the v2 API, make sure to set environment variable ETCDCTL_API=2. See also READMEv2.

If using released versions earlier than v3.4, set ETCDCTL_API=3 to use v3 API.

Global flags (e.g., dial-timeout, --cacert, --cert, --key) can be set with environment variables:

1
2
3
4

ETCDCTL_DIAL_TIMEOUT=3s
ETCDCTL_CACERT=/tmp/ca.pem
ETCDCTL_CERT=/tmp/cert.pem
ETCDCTL_KEY=/tmp/key.pem

Prefix flag strings with ETCDCTL_, convert all letters to upper-case, and replace dash(-) with underscore(_). Note that the environment variables with the prefix ETCDCTL_ can only be used with the etcdctl global flags. Also, the environment variable ETCDCTL_API is a special case variable for etcdctl internal use only.

Key-value commands

PUT [options] <key> <value>

PUT assigns the specified value with the specified key. If key already holds a value, it is overwritten.

RPC: Put

Options

• lease – lease ID (in hexadecimal) to attach to the key.

• prev-kv – return the previous key-value pair before modification.

• ignore-value – updates the key using its current value.

• ignore-lease – updates the key using its current lease.

Output

OK

Examples

1
2
3
4
5
6
7

./etcdctl put foo bar --lease=1234abcd
# OK
./etcdctl get foo
# foo
# bar
./etcdctl put foo --ignore-value # to detache lease
# OK

1
2
3
4
5
6
7

./etcdctl put foo bar --lease=1234abcd
# OK
./etcdctl put foo bar1 --ignore-lease # to use existing lease 1234abcd
# OK
./etcdctl get foo
# foo
# bar1

1
2
3
4
5
6
7

./etcdctl put foo bar1 --prev-kv
# OK
# foo
# bar
./etcdctl get foo
# foo
# bar1

Remarks

If <value> isn’t given as command line argument, this command tries to read the value from standard input.

When <value> begins with ‘-‘, <value> is interpreted as a flag.
Insert ‘–’ for workaround:

1
2

./etcdctl put <key> -- <value>
./etcdctl put -- <key> <value>

Providing <value> in a new line after using carriage return is not supported and etcdctl may hang in that case. For example, following case is not supported:

1
2

./etcdctl put <key>\r
<value>

A <value> can have multiple lines or spaces but it must be provided with a double-quote as demonstrated below:

1

./etcdctl put foo "bar1 2 3"

GET [options] <key> [range_end]

GET gets the key or a range of keys [key, range_end) if range_end is given.

RPC: Range

Options

• hex – print out key and value as hex encode string

• limit – maximum number of results

• prefix – get keys by matching prefix

• order – order of results; ASCEND or DESCEND

• sort-by – sort target; CREATE, KEY, MODIFY, VALUE, or VERSION

• rev – specify the kv revision

• print-value-only – print only value when used with write-out=simple

• consistency – Linearizable(l) or Serializable(s)

• from-key – Get keys that are greater than or equal to the given key using byte compare

• keys-only – Get only the keys

Output

<key>\n<value>\n<next_key>\n<next_value>…

Examples

First, populate etcd with some keys:

1
2
3
4
5
6
7
8

./etcdctl put foo bar
# OK
./etcdctl put foo1 bar1
# OK
./etcdctl put foo2 bar2
# OK
./etcdctl put foo3 bar3
# OK

Get the key named foo:

1
2
3

./etcdctl get foo
# foo
# bar

Get all keys:

1
2
3
4
5
6
7
8
9

./etcdctl get --from-key ''
# foo
# bar
# foo1
# bar1
# foo2
# foo2
# foo3
# bar3

Get all keys with names greater than or equal to foo1:

1
2
3
4
5
6
7

./etcdctl get --from-key foo1
# foo1
# bar1
# foo2
# bar2
# foo3
# bar3

Get keys with names greater than or equal to foo1 and less than foo3:

1
2
3
4
5

./etcdctl get foo1 foo3
# foo1
# bar1
# foo2
# bar2

Remarks

If any key or value contains non-printable characters or control characters, simple formatted output can be ambiguous due to new lines. To resolve this issue, set --hex to hex encode all strings.

DEL [options] <key> [range_end]

Removes the specified key or range of keys [key, range_end) if range_end is given.

RPC: DeleteRange

Options

• prefix – delete keys by matching prefix

• prev-kv – return deleted key-value pairs

• from-key – delete keys that are greater than or equal to the given key using byte compare

Output

Prints the number of keys that were removed in decimal if DEL succeeded.

Examples

1
2
3
4
5

./etcdctl put foo bar
# OK
./etcdctl del foo
# 1
./etcdctl get foo

1
2
3
4
5
6
7

./etcdctl put key val
# OK
./etcdctl del --prev-kv key
# 1
# key
# val
./etcdctl get key

1
2
3
4
5
6
7
8
9

./etcdctl put a 123
# OK
./etcdctl put b 456
# OK
./etcdctl put z 789
# OK
./etcdctl del --from-key a
# 3
./etcdctl get --from-key a

1
2
3
4
5
6
7
8
9

./etcdctl put zoo val
# OK
./etcdctl put zoo1 val1
# OK
./etcdctl put zoo2 val2
# OK
./etcdctl del --prefix zoo
# 3
./etcdctl get zoo2

TXN [options]

TXN reads multiple etcd requests from standard input and applies them as a single atomic transaction.
A transaction consists of list of conditions, a list of requests to apply if all the conditions are true, and a list of requests to apply if any condition is false.

RPC: Txn

Options

• hex – print out keys and values as hex encoded strings.

• interactive – input transaction with interactive prompting.

Input Format

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

<Txn> ::= <CMP>* "\n" <THEN> "\n" <ELSE> "\n"
<CMP> ::= (<CMPCREATE>|<CMPMOD>|<CMPVAL>|<CMPVER>|<CMPLEASE>) "\n"
<CMPOP> ::= "<" | "=" | ">"
<CMPCREATE> := ("c"|"create")"("<KEY>")" <CMPOP> <REVISION>
<CMPMOD> ::= ("m"|"mod")"("<KEY>")" <CMPOP> <REVISION>
<CMPVAL> ::= ("val"|"value")"("<KEY>")" <CMPOP> <VALUE>
<CMPVER> ::= ("ver"|"version")"("<KEY>")" <CMPOP> <VERSION>
<CMPLEASE> ::= "lease("<KEY>")" <CMPOP> <LEASE>
<THEN> ::= <OP>*
<ELSE> ::= <OP>*
<OP> ::= ((see put, get, del etcdctl command syntax)) "\n"
<KEY> ::= (%q formatted string)
<VALUE> ::= (%q formatted string)
<REVISION> ::= "\""[0-9]+"\""
<VERSION> ::= "\""[0-9]+"\""
<LEASE> ::= "\""[0-9]+\""

Output

SUCCESS if etcd processed the transaction success list, FAILURE if etcd processed the transaction failure list. Prints the output for each command in the executed request list, each separated by a blank line.

Examples

txn in interactive mode:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

./etcdctl txn -i
# compares:
mod("key1") > "0"

# success requests (get, put, delete):
put key1 "overwrote-key1"

# failure requests (get, put, delete):
put key1 "created-key1"
put key2 "some extra key"

# FAILURE

# OK

# OK

txn in non-interactive mode:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

./etcdctl txn <<<'mod("key1") > "0"

put key1 "overwrote-key1"

put key1 "created-key1"
put key2 "some extra key"

'

# FAILURE

# OK

# OK

Remarks

When using multi-line values within a TXN command, newlines must be represented as \n. Literal newlines will cause parsing failures. This differs from other commands (such as PUT) where the shell will convert literal newlines for us. For example:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

./etcdctl txn <<<'mod("key1") > "0"

put key1 "overwrote-key1"

put key1 "created-key1"
put key2 "this is\na multi-line\nvalue"

'

# FAILURE

# OK

# OK

COMPACTION [options] <revision>

COMPACTION discards all etcd event history prior to a given revision. Since etcd uses a multiversion concurrency control
model, it preserves all key updates as event history. When the event history up to some revision is no longer needed,
all superseded keys may be compacted away to reclaim storage space in the etcd backend database.

RPC: Compact

Options

• physical – ‘true’ to wait for compaction to physically remove all old revisions

Output

Prints the compacted revision.

Example

1
2

./etcdctl compaction 1234
# compacted revision 1234

WATCH [options] [key or prefix] [range_end] [–] [exec-command arg1 arg2 …]

Watch watches events stream on keys or prefixes, [key or prefix, range_end) if range_end is given. The watch command runs until it encounters an error or is terminated by the user. If range_end is given, it must be lexicographically greater than key or “\x00”.

RPC: Watch

Options

• hex – print out key and value as hex encode string

• interactive – begins an interactive watch session

• prefix – watch on a prefix if prefix is set.

• prev-kv – get the previous key-value pair before the event happens.

• rev – the revision to start watching. Specifying a revision is useful for observing past events.

Input format

Input is only accepted for interactive mode.

1

watch [options] <key or prefix>\n

Output

<event>[\n<old_key>\n<old_value>]\n<key>\n<value>\n<event>\n<next_key>\n<next_value>\n…

Examples

Non-interactive

1
2
3
4

./etcdctl watch foo
# PUT
# foo
# bar

1
2
3
4

ETCDCTL_WATCH_KEY=foo ./etcdctl watch
# PUT
# foo
# bar

Receive events and execute echo watch event received:

1
2
3
4
5

./etcdctl watch foo -- echo watch event received
# PUT
# foo
# bar
# watch event received

Watch response is set via ETCD_WATCH_* environmental variables:

1
2
3
4
5
6
7
8
9

./etcdctl watch foo -- sh -c "env | grep ETCD_WATCH_"

# PUT
# foo
# bar
# ETCD_WATCH_REVISION=11
# ETCD_WATCH_KEY="foo"
# ETCD_WATCH_EVENT_TYPE="PUT"
# ETCD_WATCH_VALUE="bar"

Watch with environmental variables and execute echo watch event received:

1
2
3
4
5
6

export ETCDCTL_WATCH_KEY=foo
./etcdctl watch -- echo watch event received
# PUT
# foo
# bar
# watch event received

1
2
3
4
5
6
7

export ETCDCTL_WATCH_KEY=foo
export ETCDCTL_WATCH_RANGE_END=foox
./etcdctl watch -- echo watch event received
# PUT
# fob
# bar
# watch event received

Interactive

1
2
3
4
5
6
7
8
9

./etcdctl watch -i
watch foo
watch foo
# PUT
# foo
# bar
# PUT
# foo
# bar

Receive events and execute echo watch event received:

1
2
3
4
5
6

./etcdctl watch -i
watch foo -- echo watch event received
# PUT
# foo
# bar
# watch event received

Watch with environmental variables and execute echo watch event received:

1
2
3
4
5
6
7

export ETCDCTL_WATCH_KEY=foo
./etcdctl watch -i
watch -- echo watch event received
# PUT
# foo
# bar
# watch event received

1
2
3
4
5
6
7
8

export ETCDCTL_WATCH_KEY=foo
export ETCDCTL_WATCH_RANGE_END=foox
./etcdctl watch -i
watch -- echo watch event received
# PUT
# fob
# bar
# watch event received

LEASE <subcommand>

LEASE provides commands for key lease management.

LEASE GRANT <ttl>

LEASE GRANT creates a fresh lease with a server-selected time-to-live in seconds
greater than or equal to the requested TTL value.

RPC: LeaseGrant

Output

Prints a message with the granted lease ID.

Example

1
2

./etcdctl lease grant 60
# lease 32695410dcc0ca06 granted with TTL(60s)

LEASE REVOKE <leaseID>

LEASE REVOKE destroys a given lease, deleting all attached keys.

RPC: LeaseRevoke

Output

Prints a message indicating the lease is revoked.

Example

1
2

./etcdctl lease revoke 32695410dcc0ca06
# lease 32695410dcc0ca06 revoked

LEASE TIMETOLIVE <leaseID> [options]

LEASE TIMETOLIVE retrieves the lease information with the given lease ID.

RPC: LeaseTimeToLive

Options

• keys – Get keys attached to this lease

Output

Prints lease information.

Example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

./etcdctl lease grant 500
# lease 2d8257079fa1bc0c granted with TTL(500s)

./etcdctl put foo1 bar --lease=2d8257079fa1bc0c
# OK

./etcdctl put foo2 bar --lease=2d8257079fa1bc0c
# OK

./etcdctl lease timetolive 2d8257079fa1bc0c
# lease 2d8257079fa1bc0c granted with TTL(500s), remaining(481s)

./etcdctl lease timetolive 2d8257079fa1bc0c --keys
# lease 2d8257079fa1bc0c granted with TTL(500s), remaining(472s), attached keys([foo2 foo1])

./etcdctl lease timetolive 2d8257079fa1bc0c --write-out=json
# {"cluster_id":17186838941855831277,"member_id":4845372305070271874,"revision":3,"raft_term":2,"id":3279279168933706764,"ttl":465,"granted-ttl":500,"keys":null}

./etcdctl lease timetolive 2d8257079fa1bc0c --write-out=json --keys
# {"cluster_id":17186838941855831277,"member_id":4845372305070271874,"revision":3,"raft_term":2,"id":3279279168933706764,"ttl":459,"granted-ttl":500,"keys":["Zm9vMQ==","Zm9vMg=="]}

./etcdctl lease timetolive 2d8257079fa1bc0c
# lease 2d8257079fa1bc0c already expired

LEASE LIST

LEASE LIST lists all active leases.

RPC: LeaseLeases

Output

Prints a message with a list of active leases.

Example

1
2
3
4
5

./etcdctl lease grant 60
# lease 32695410dcc0ca06 granted with TTL(60s)

./etcdctl lease list
32695410dcc0ca06

LEASE KEEP-ALIVE <leaseID>

LEASE KEEP-ALIVE periodically refreshes a lease so it does not expire.

RPC: LeaseKeepAlive

Output

Prints a message for every keep alive sent or prints a message indicating the lease is gone.

Example

1
2
3
4
5

./etcdctl lease keep-alive 32695410dcc0ca0
# lease 32695410dcc0ca0 keepalived with TTL(100)
# lease 32695410dcc0ca0 keepalived with TTL(100)
# lease 32695410dcc0ca0 keepalived with TTL(100)
...

Cluster maintenance commands

MEMBER <subcommand>

MEMBER provides commands for managing etcd cluster membership.

MEMBER ADD <memberName> [options]

MEMBER ADD introduces a new member into the etcd cluster as a new peer.

RPC: MemberAdd

Options

• peer-urls – comma separated list of URLs to associate with the new member.

Output

Prints the member ID of the new member and the cluster ID.

Example

1
2
3
4
5
6
7

./etcdctl member add newMember --peer-urls=https://127.0.0.1:12345

Member ced000fda4d05edf added to cluster 8c4281cc65c7b112

ETCD_NAME="newMember"
ETCD_INITIAL_CLUSTER="newMember=https://127.0.0.1:12345,default=http://10.0.0.30:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"

MEMBER UPDATE <memberID> [options]

MEMBER UPDATE sets the peer URLs for an existing member in the etcd cluster.

RPC: MemberUpdate

Options

• peer-urls – comma separated list of URLs to associate with the updated member.

Output

Prints the member ID of the updated member and the cluster ID.

Example

1
2

./etcdctl member update 2be1eb8f84b7f63e --peer-urls=https://127.0.0.1:11112
# Member 2be1eb8f84b7f63e updated in cluster ef37ad9dc622a7c4

MEMBER REMOVE <memberID>

MEMBER REMOVE removes a member of an etcd cluster from participating in cluster consensus.

RPC: MemberRemove

Output

Prints the member ID of the removed member and the cluster ID.

Example

1
2

./etcdctl member remove 2be1eb8f84b7f63e
# Member 2be1eb8f84b7f63e removed from cluster ef37ad9dc622a7c4

MEMBER LIST

MEMBER LIST prints the member details for all members associated with an etcd cluster.

RPC: MemberList

Output

Prints a humanized table of the member IDs, statuses, names, peer addresses, and client addresses.

Examples

1
2
3
4

./etcdctl member list
# 8211f1d0f64f3269, started, infra1, http://127.0.0.1:12380, http://127.0.0.1:2379
# 91bc3c398fb3c146, started, infra2, http://127.0.0.1:22380, http://127.0.0.1:22379
# fd422379fda50e48, started, infra3, http://127.0.0.1:32380, http://127.0.0.1:32379

1
2

./etcdctl -w json member list
# {"header":{"cluster_id":17237436991929493444,"member_id":9372538179322589801,"raft_term":2},"members":[{"ID":9372538179322589801,"name":"infra1","peerURLs":["http://127.0.0.1:12380"],"clientURLs":["http://127.0.0.1:2379"]},{"ID":10501334649042878790,"name":"infra2","peerURLs":["http://127.0.0.1:22380"],"clientURLs":["http://127.0.0.1:22379"]},{"ID":18249187646912138824,"name":"infra3","peerURLs":["http://127.0.0.1:32380"],"clientURLs":["http://127.0.0.1:32379"]}]}

1
2
3
4
5
6
7
8

./etcdctl -w table member list
+------------------+---------+--------+------------------------+------------------------+
|        ID        | STATUS  |  NAME  |       PEER ADDRS       |      CLIENT ADDRS      |
+------------------+---------+--------+------------------------+------------------------+
| 8211f1d0f64f3269 | started | infra1 | http://127.0.0.1:12380 | http://127.0.0.1:2379  |
| 91bc3c398fb3c146 | started | infra2 | http://127.0.0.1:22380 | http://127.0.0.1:22379 |
| fd422379fda50e48 | started | infra3 | http://127.0.0.1:32380 | http://127.0.0.1:32379 |
+------------------+---------+--------+------------------------+------------------------+

ENDPOINT <subcommand>

ENDPOINT provides commands for querying individual endpoints.

Options

• cluster – fetch and use all endpoints from the etcd cluster member list

ENDPOINT HEALTH

ENDPOINT HEALTH checks the health of the list of endpoints with respect to cluster. An endpoint is unhealthy
when it cannot participate in consensus with the rest of the cluster.

Output

If an endpoint can participate in consensus, prints a message indicating the endpoint is healthy. If an endpoint fails to participate in consensus, prints a message indicating the endpoint is unhealthy.

Example

Check the default endpoint’s health:

1
2

./etcdctl endpoint health
# 127.0.0.1:2379 is healthy: successfully committed proposal: took = 2.095242ms

Check all endpoints for the cluster associated with the default endpoint:

1
2
3
4

./etcdctl endpoint --cluster health
# http://127.0.0.1:2379 is healthy: successfully committed proposal: took = 1.060091ms
# http://127.0.0.1:22379 is healthy: successfully committed proposal: took = 903.138µs
# http://127.0.0.1:32379 is healthy: successfully committed proposal: took = 1.113848ms

ENDPOINT STATUS

ENDPOINT STATUS queries the status of each endpoint in the given endpoint list.

Output

Simple format

Prints a humanized table of each endpoint URL, ID, version, database size, leadership status, raft term, and raft status.

JSON format

Prints a line of JSON encoding each endpoint URL, ID, version, database size, leadership status, raft term, and raft status.

Examples

Get the status for the default endpoint:

1
2

./etcdctl endpoint status
# 127.0.0.1:2379, 8211f1d0f64f3269, 3.0.0, 25 kB, false, 2, 63

Get the status for the default endpoint as JSON:

1
2

./etcdctl -w json endpoint status
# [{"Endpoint":"127.0.0.1:2379","Status":{"header":{"cluster_id":17237436991929493444,"member_id":9372538179322589801,"revision":2,"raft_term":2},"version":"3.0.0","dbSize":24576,"leader":18249187646912138824,"raftIndex":32623,"raftTerm":2}}]

Get the status for all endpoints in the cluster associated with the default endpoint:

1
2
3
4
5
6
7
8

./etcdctl -w table endpoint --cluster status
+------------------------+------------------+----------------+---------+-----------+-----------+------------+
|        ENDPOINT        |        ID        |    VERSION     | DB SIZE | IS LEADER | RAFT TERM | RAFT INDEX |
+------------------------+------------------+----------------+---------+-----------+-----------+------------+
| http://127.0.0.1:2379  | 8211f1d0f64f3269 | 3.2.0-rc.1+git |   25 kB |     false |         2 |          8 |
| http://127.0.0.1:22379 | 91bc3c398fb3c146 | 3.2.0-rc.1+git |   25 kB |     false |         2 |          8 |
| http://127.0.0.1:32379 | fd422379fda50e48 | 3.2.0-rc.1+git |   25 kB |      true |         2 |          8 |
+------------------------+------------------+----------------+---------+-----------+-----------+------------+

ENDPOINT HASHKV

ENDPOINT HASHKV fetches the hash of the key-value store of an endpoint.

Output

Simple format

Prints a humanized table of each endpoint URL and KV history hash.

JSON format

Prints a line of JSON encoding each endpoint URL and KV history hash.

Examples

Get the hash for the default endpoint:

1
2

./etcdctl endpoint hashkv
# 127.0.0.1:2379, 1084519789

Get the status for the default endpoint as JSON:

1
2

./etcdctl -w json endpoint hashkv
# [{"Endpoint":"127.0.0.1:2379","Hash":{"header":{"cluster_id":14841639068965178418,"member_id":10276657743932975437,"revision":1,"raft_term":3},"hash":1084519789,"compact_revision":-1}}]

Get the status for all endpoints in the cluster associated with the default endpoint:

1
2
3
4
5
6
7
8

./etcdctl -w table endpoint --cluster hashkv
+------------------------+------------+
|        ENDPOINT        |    HASH    |
+------------------------+------------+
| http://127.0.0.1:2379  | 1084519789 |
| http://127.0.0.1:22379 | 1084519789 |
| http://127.0.0.1:32379 | 1084519789 |
+------------------------+------------+

ALARM <subcommand>

Provides alarm related commands

ALARM DISARM

alarm disarm Disarms all alarms

RPC: Alarm

Output

alarm:<alarm type> if alarm is present and disarmed.

Examples

1

./etcdctl alarm disarm

If NOSPACE alarm is present:

1
2

./etcdctl alarm disarm
# alarm:NOSPACE

ALARM LIST

alarm list lists all alarms.

RPC: Alarm

Output

alarm:<alarm type> if alarm is present, empty string if no alarms present.

Examples

1

./etcdctl alarm list

If NOSPACE alarm is present:

1
2

./etcdctl alarm list
# alarm:NOSPACE

DEFRAG [options]

DEFRAG defragments the backend database file for a set of given endpoints while etcd is running, or directly defragments an etcd data directory while etcd is not running. When an etcd member reclaims storage space from deleted and compacted keys, the space is kept in a free list and the database file remains the same size. By defragmenting the database, the etcd member releases this free space back to the file system.

Note that defragmentation to a live member blocks the system from reading and writing data while rebuilding its states.

Note that defragmentation request does not get replicated over cluster. That is, the request is only applied to the local node. Specify all members in --endpoints flag or --cluster flag to automatically find all cluster members.

Options

• data-dir – Optional. If present, defragments a data directory not in use by etcd.

Output

For each endpoints, prints a message indicating whether the endpoint was successfully defragmented.

Example

1
2
3

./etcdctl --endpoints=localhost:2379,badendpoint:2379 defrag
# Finished defragmenting etcd member[localhost:2379]
# Failed to defragment etcd member[badendpoint:2379] (grpc: timed out trying to connect)

Run defragment operations for all endpoints in the cluster associated with the default endpoint:

1
2
3
4

./etcdctl defrag --cluster
Finished defragmenting etcd member[http://127.0.0.1:2379]
Finished defragmenting etcd member[http://127.0.0.1:22379]
Finished defragmenting etcd member[http://127.0.0.1:32379]

To defragment a data directory directly, use the --data-dir flag:

1
2
3
4

# Defragment while etcd is not running
./etcdctl defrag --data-dir default.etcd
# success (exit status 0)
# Error: cannot open database at default.etcd/member/snap/db

Remarks

DEFRAG returns a zero exit code only if it succeeded defragmenting all given endpoints.

SNAPSHOT <subcommand>

SNAPSHOT provides commands to restore a snapshot of a running etcd server into a fresh cluster.

SNAPSHOT SAVE <filename>

SNAPSHOT SAVE writes a point-in-time snapshot of the etcd backend database to a file.

Output

The backend snapshot is written to the given file path.

Example

Save a snapshot to “snapshot.db”:

1

./etcdctl snapshot save snapshot.db

SNAPSHOT RESTORE [options] <filename>

SNAPSHOT RESTORE creates an etcd data directory for an etcd cluster member from a backend database snapshot and a new cluster configuration. Restoring the snapshot into each member for a new cluster configuration will initialize a new etcd cluster preloaded by the snapshot data.

Options

The snapshot restore options closely resemble to those used in the etcd command for defining a cluster.

• data-dir – Path to the data directory. Uses <name>.etcd if none given.

• wal-dir – Path to the WAL directory. Uses data directory if none given.

• initial-cluster – The initial cluster configuration for the restored etcd cluster.

• initial-cluster-token – Initial cluster token for the restored etcd cluster.

• initial-advertise-peer-urls – List of peer URLs for the member being restored.

• name – Human-readable name for the etcd cluster member being restored.

• skip-hash-check – Ignore snapshot integrity hash value (required if copied from data directory)

Output

A new etcd data directory initialized with the snapshot.

Example

Save a snapshot, restore into a new 3 node cluster, and start the cluster:

1
2
3
4
5
6
7
8
9
10
11

./etcdctl snapshot save snapshot.db

# restore members
bin/etcdctl snapshot restore snapshot.db --initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls http://127.0.0.1:12380  --name sshot1 --initial-cluster 'sshot1=http://127.0.0.1:12380,sshot2=http://127.0.0.1:22380,sshot3=http://127.0.0.1:32380'
bin/etcdctl snapshot restore snapshot.db --initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls http://127.0.0.1:22380  --name sshot2 --initial-cluster 'sshot1=http://127.0.0.1:12380,sshot2=http://127.0.0.1:22380,sshot3=http://127.0.0.1:32380'
bin/etcdctl snapshot restore snapshot.db --initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls http://127.0.0.1:32380  --name sshot3 --initial-cluster 'sshot1=http://127.0.0.1:12380,sshot2=http://127.0.0.1:22380,sshot3=http://127.0.0.1:32380'

# launch members
bin/etcd --name sshot1 --listen-client-urls http://127.0.0.1:2379 --advertise-client-urls http://127.0.0.1:2379 --listen-peer-urls http://127.0.0.1:12380 &
bin/etcd --name sshot2 --listen-client-urls http://127.0.0.1:22379 --advertise-client-urls http://127.0.0.1:22379 --listen-peer-urls http://127.0.0.1:22380 &
bin/etcd --name sshot3 --listen-client-urls http://127.0.0.1:32379 --advertise-client-urls http://127.0.0.1:32379 --listen-peer-urls http://127.0.0.1:32380 &

SNAPSHOT STATUS <filename>

SNAPSHOT STATUS lists information about a given backend database snapshot file.

Output

Simple format

Prints a humanized table of the database hash, revision, total keys, and size.

JSON format

Prints a line of JSON encoding the database hash, revision, total keys, and size.

Examples

1
2

./etcdctl snapshot status file.db
# cf1550fb, 3, 3, 25 kB

1
2

./etcdctl -write-out=json snapshot status file.db
# {"hash":3474280699,"revision":3,"totalKey":3,"totalSize":24576}

1
2
3
4
5
6

./etcdctl -write-out=table snapshot status file.db
+----------+----------+------------+------------+
|   HASH   | REVISION | TOTAL KEYS | TOTAL SIZE |
+----------+----------+------------+------------+
| cf1550fb |        3 |          3 | 25 kB      |
+----------+----------+------------+------------+

MOVE-LEADER <hexadecimal-transferee-id>

MOVE-LEADER transfers leadership from the leader to another member in the cluster.

Example

1
2
3
4
5
6
7
8
9
10
11
12
13
14

# to choose transferee
transferee_id=$(./etcdctl \
  --endpoints localhost:2379,localhost:22379,localhost:32379 \
  endpoint status | grep -m 1 "false" | awk -F', ' '{print $2}')
echo ${transferee_id}
# c89feb932daef420

# endpoints should include leader node
./etcdctl --endpoints ${transferee_ep} move-leader ${transferee_id}
# Error:  no leader endpoint given at [localhost:22379 localhost:32379]

# request to leader with target node ID
./etcdctl --endpoints ${leader_ep} move-leader ${transferee_id}
# Leadership transferred from 45ddc0e800e20b93 to c89feb932daef420

Concurrency commands

LOCK [options] <lockname> [command arg1 arg2 …]

LOCK acquires a distributed mutex with a given name. Once the lock is acquired, it will be held until etcdctl is terminated.

Options

• ttl - time out in seconds of lock session.

Output

Once the lock is acquired but no command is given, the result for the GET on the unique lock holder key is displayed.

If a command is given, it will be executed with environment variables ETCD_LOCK_KEY and ETCD_LOCK_REV set to the lock’s holder key and revision.

Example

Acquire lock with standard output display:

1
2

./etcdctl lock mylock
# mylock/1234534535445

Acquire lock and execute echo lock acquired:

1
2

./etcdctl lock mylock echo lock acquired
# lock acquired

Acquire lock and execute etcdctl put command

1
2

./etcdctl lock mylock ./etcdctl put foo bar
# OK

Remarks

LOCK returns a zero exit code only if it is terminated by a signal and releases the lock.

If LOCK is abnormally terminated or fails to contact the cluster to release the lock, the lock will remain held until the lease expires. Progress may be delayed by up to the default lease length of 60 seconds.

ELECT [options] <election-name> [proposal]

ELECT participates on a named election. A node announces its candidacy in the election by providing
a proposal value. If a node wishes to observe the election, ELECT listens for new leaders values.
Whenever a leader is elected, its proposal is given as output.

Options

• listen – observe the election.

Output

• If a candidate, ELECT displays the GET on the leader key once the node is elected election.

• If observing, ELECT streams the result for a GET on the leader key for the current election and all future elections.

Example

1
2
3

./etcdctl elect myelection foo
# myelection/1456952310051373265
# foo

Remarks

ELECT returns a zero exit code only if it is terminated by a signal and can revoke its candidacy or leadership, if any.

If a candidate is abnormally terminated, election rogress may be delayed by up to the default lease length of 60 seconds.

Authentication commands

AUTH <enable or disable>

auth enable activates authentication on an etcd cluster and auth disable deactivates. When authentication is enabled, etcd checks all requests for appropriate authorization.

RPC: AuthEnable/AuthDisable

Output

Authentication Enabled.

Examples

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

./etcdctl user add root
# Password of root:#type password for root
# Type password of root again for confirmation:#re-type password for root
# User root created
./etcdctl user grant-role root root
# Role root is granted to user root
./etcdctl user get root
# User: root
# Roles: root
./etcdctl role add root
# Role root created
./etcdctl role get root
# Role root
# KV Read:
# KV Write:
./etcdctl auth enable
# Authentication Enabled

ROLE <subcommand>

ROLE is used to specify different roles which can be assigned to etcd user(s).

ROLE ADD <role name>

role add creates a role.

RPC: RoleAdd

Output

Role <role name> created.

Examples

1
2

./etcdctl --user=root:123 role add myrole
# Role myrole created

ROLE GET <role name>

role get lists detailed role information.

RPC: RoleGet

Output

Detailed role information.

Examples

1
2
3
4
5
6

./etcdctl --user=root:123 role get myrole
# Role myrole
# KV Read:
# foo
# KV Write:
# foo

ROLE DELETE <role name>

role delete deletes a role.

RPC: RoleDelete

Output

Role <role name> deleted.

Examples

1
2

./etcdctl --user=root:123 role delete myrole
# Role myrole deleted

ROLE LIST <role name>

role list lists all roles in etcd.

RPC: RoleList

Output

A role per line.

Examples

1
2
3
4

./etcdctl --user=root:123 role list
# roleA
# roleB
# myrole

ROLE GRANT-PERMISSION [options] <role name> <permission type> <key> [endkey]

role grant-permission grants a key to a role.

RPC: RoleGrantPermission

Options

• from-key – grant a permission of keys that are greater than or equal to the given key using byte compare

• prefix – grant a prefix permission

Output

Role <role name> updated.

Examples

Grant read and write permission on the key foo to role myrole:

1
2

./etcdctl --user=root:123 role grant-permission myrole readwrite foo
# Role myrole updated

Grant read permission on the wildcard key pattern foo/* to role myrole:

1
2

./etcdctl --user=root:123 role grant-permission --prefix myrole readwrite foo/
# Role myrole updated

ROLE REVOKE-PERMISSION <role name> <permission type> <key> [endkey]

role revoke-permission revokes a key from a role.

RPC: RoleRevokePermission

Options

• from-key – revoke a permission of keys that are greater than or equal to the given key using byte compare

• prefix – revoke a prefix permission

Output

Permission of key <key> is revoked from role <role name> for single key. Permission of range [<key>, <endkey>) is revoked from role <role name> for a key range. Exit code is zero.

Examples

1
2

./etcdctl --user=root:123 role revoke-permission myrole foo
# Permission of key foo is revoked from role myrole

USER <subcommand>

USER provides commands for managing users of etcd.

USER ADD <user name or user:password> [options]

user add creates a user.

RPC: UserAdd

Options

• interactive – Read password from stdin instead of interactive terminal

Output

User <user name> created.

Examples

1
2
3
4

./etcdctl --user=root:123 user add myuser
# Password of myuser: #type password for my user
# Type password of myuser again for confirmation:#re-type password for my user
# User myuser created

USER GET <user name> [options]

user get lists detailed user information.

RPC: UserGet

Options

• detail – Show permissions of roles granted to the user

Output

Detailed user information.

Examples

1
2
3

./etcdctl --user=root:123 user get myuser
# User: myuser
# Roles:

USER DELETE <user name>

user delete deletes a user.

RPC: UserDelete

Output

User <user name> deleted.

Examples

1
2

./etcdctl --user=root:123 user delete myuser
# User myuser deleted

USER LIST

user list lists detailed user information.

RPC: UserList

Output

• List of users, one per line.

Examples

1
2
3
4

./etcdctl --user=root:123 user list
# user1
# user2
# myuser

USER PASSWD <user name> [options]

user passwd changes a user’s password.

RPC: UserChangePassword

Options

• interactive – if true, read password in interactive terminal

Output

Password updated.

Examples

1
2
3
4

./etcdctl --user=root:123 user passwd myuser
# Password of myuser: #type new password for my user
# Type password of myuser again for confirmation: #re-type the new password for my user
# Password updated

USER GRANT-ROLE <user name> <role name>

user grant-role grants a role to a user

RPC: UserGrantRole

Output

Role <role name> is granted to user <user name>.

Examples

1
2

./etcdctl --user=root:123 user grant-role userA roleA
# Role roleA is granted to user userA

USER REVOKE-ROLE <user name> <role name>

user revoke-role revokes a role from a user

RPC: UserRevokeRole

Output

Role <role name> is revoked from user <user name>.

Examples

1
2

./etcdctl --user=root:123 user revoke-role userA roleA
# Role roleA is revoked from user userA

Utility commands

MAKE-MIRROR [options] <destination>

make-mirror mirrors a key prefix in an etcd cluster to a destination etcd cluster.

Options

• dest-cacert – TLS certificate authority file for destination cluster

• dest-cert – TLS certificate file for destination cluster

• dest-key – TLS key file for destination cluster

• prefix – The key-value prefix to mirror

• dest-prefix – The destination prefix to mirror a prefix to a different prefix in the destination cluster

• no-dest-prefix – Mirror key-values to the root of the destination cluster

• dest-insecure-transport – Disable transport security for client connections

Output

The approximate total number of keys transferred to the destination cluster, updated every 30 seconds.

Examples

1
2
3

./etcdctl make-mirror mirror.example.com:2379
# 10
# 18

MIGRATE [options]

Migrates keys in a v2 store to a v3 mvcc store. Users should run migration command for all members in the cluster.

Options

• data-dir – Path to the data directory

• wal-dir – Path to the WAL directory

• transformer – Path to the user-provided transformer program (default if not provided)

Output

No output on success.

Default transformer

If user does not provide a transformer program, migrate command will use the default transformer. The default transformer transforms storev2 formatted keys into mvcc formatted keys according to the following Go program:

1
2
3
4
5
6
7
8
9
10
11
12
13

func transform(n *storev2.Node) *mvccpb.KeyValue {
 if n.Dir {
  return nil
 }
 kv := &mvccpb.KeyValue{
  Key:            []byte(n.Key),
  Value:          []byte(n.Value),
  CreateRevision: int64(n.CreatedIndex),
  ModRevision:    int64(n.ModifiedIndex),
  Version:        1,
 }
 return kv
}

User-provided transformer

Users can provide a customized 1:n transformer function that transforms a key from the v2 store to any number of keys in the mvcc store. The migration program writes JSON formatted v2 store keys to the transformer program’s stdin, reads protobuf formatted mvcc keys back from the transformer program’s stdout, and finishes migration by saving the transformed keys into the mvcc store.

The provided transformer should read until EOF and flush the stdout before exiting to ensure data integrity.

Example

1
2

./etcdctl migrate --data-dir=/var/etcd --transformer=k8s-transformer
# finished transforming keys

VERSION

Prints the version of etcdctl.

Output

Prints etcd version and API version.

Examples

1
2
3

./etcdctl version
# etcdctl version: 3.1.0-alpha.0+git
# API version: 3.1

CHECK <subcommand>

CHECK provides commands for checking properties of the etcd cluster.

CHECK PERF [options]

CHECK PERF checks the performance of the etcd cluster for 60 seconds. Running the check perf often can create a large keyspace history which can be auto compacted and defragmented using the --auto-compact and --auto-defrag options as described below.

RPC: CheckPerf

Options

• load – the performance check’s workload model. Accepted workloads: s(small), m(medium), l(large), xl(xLarge)

• prefix – the prefix for writing the performance check’s keys.

• auto-compact – if true, compact storage with last revision after test is finished.

• auto-defrag – if true, defragment storage after test is finished.

Output

Prints the result of performance check on different criteria like throughput. Also prints an overall status of the check as pass or fail.

Examples

Shows examples of both, pass and fail, status. The failure is due to the fact that a large workload was tried on a single node etcd cluster running on a laptop environment created for development and testing purpose.

1
2
3
4
5
6
7
8
9
10
11
12

./etcdctl check perf --load="s"
# 60 / 60 Booooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo! 100.00%1m0s
# PASS: Throughput is 150 writes/s
# PASS: Slowest request took 0.087509s
# PASS: Stddev is 0.011084s
# PASS
./etcdctl check perf --load="l"
# 60 / 60 Booooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo! 100.00%1m0s
# FAIL: Throughput too low: 6808 writes/s
# PASS: Slowest request took 0.228191s
# PASS: Stddev is 0.033547s
# FAIL

CHECK DATASCALE [options]

CHECK DATASCALE checks the memory usage of holding data for different workloads on a given server endpoint. Running the check datascale often can create a large keyspace history which can be auto compacted and defragmented using the --auto-compact and --auto-defrag options as described below.

RPC: CheckDatascale

Options

• load – the datascale check’s workload model. Accepted workloads: s(small), m(medium), l(large), xl(xLarge)

• prefix – the prefix for writing the datascale check’s keys.

• auto-compact – if true, compact storage with last revision after test is finished.

• auto-defrag – if true, defragment storage after test is finished.

Output

Prints the system memory usage for a given workload. Also prints status of compact and defragment if related options are passed.

Examples

1
2
3
4
5
6
7

./etcdctl check datascale --load="s" --auto-compact=true --auto-defrag=true
# Start data scale check for work load [10000 key-value pairs, 1024 bytes per key-value, 50 concurrent clients].
# Compacting with revision 18346204
# Compacted with revision 18346204
# Defragmenting "127.0.0.1:2379"
# Defragmented "127.0.0.1:2379"
# PASS: Approximate system memory used : 64.30 MB.

Exit codes

For all commands, a successful execution return a zero exit code. All failures will return non-zero exit codes.

Output formats

All commands accept an output format by setting -w or --write-out. All commands default to the “simple” output format, which is meant to be human-readable. The simple format is listed in each command’s Output description since it is customized for each command. If a command has a corresponding RPC, it will respect all output formats.

If a command fails, returning a non-zero exit code, an error string will be written to standard error regardless of output format.

Simple

A format meant to be easy to parse and human-readable. Specific to each command.

JSON

The JSON encoding of the command’s RPC response. Since etcd’s RPCs use byte strings, the JSON output will encode keys and values in base64.

Some commands without an RPC also support JSON; see the command’s Output description.

Protobuf

The protobuf encoding of the command’s RPC response. If an RPC is streaming, the stream messages will be concetenated. If an RPC is not given for a command, the protobuf output is not defined.

Fields

An output format similar to JSON but meant to parse with coreutils. For an integer field named Field, it writes a line in the format "Field" : %d where %d is go’s integer formatting. For byte array fields, it writes "Field" : %q where %q is go’s quoted string formatting (e.g., []byte{'a', '\n'} is written as "a\n").

Compatibility Support

etcdctl is still in its early stage. We try out best to ensure fully compatible releases, however we might break compatibility to fix bugs or improve commands. If we intend to release a version of etcdctl with backward incompatibilities, we will provide notice prior to release and have instructions on how to upgrade.

Input Compatibility

Input includes the command name, its flags, and its arguments. We ensure backward compatibility of the input of normal commands in non-interactive mode.

Output Compatibility

Output includes output from etcdctl and its exit code. etcdctl provides simple output format by default.
We ensure compatibility for the simple output format of normal commands in non-interactive mode. Currently, we do not ensure
backward compatibility for JSON format and the format in non-interactive mode. Currently, we do not ensure backward compatibility of utility commands.

TODO: compatibility with etcd server

service

参考：https://www.cnblogs.com/fuyuteng/p/11598768.html
kubernetes service 原理解析 - 知乎 (zhihu.com)

为什么需要 service

在 kubernetes 中，当创建带有多个副本的 deployment 时，kubernetes 会创建出多个 pod，此时即一个服务后端有多个容器，那么在 kubernetes 中负载均衡怎么做，容器漂移后 ip 也会发生变化，如何做服务发现以及会话保持？这就是 service 的作用，service 是一组具有相同 label pod 集合的抽象，集群内外的各个服务可以通过 service 进行互相通信，当创建一个 service 对象时也会对应创建一个 endpoint 对象，endpoint 是用来做容器发现的，service 只是将多个 pod 进行关联，实际的路由转发都是由 kubernetes 中的 kube-proxy 组件来实现，因此，service 必须结合 kube-proxy 使用，kube-proxy 组件可以运行在 kubernetes 集群中的每一个节点上也可以只运行在单独的几个节点上，其会根据 service 和 endpoints 的变动来改变节点上 iptables 或者 ipvs 中保存的路由规则

service 的工作原理

service 资源基于标签选择器将一组 pod 定义成一个逻辑组合，并通过自己的 ip 地址和端口调度代理请求至组内 pod 的对象之上，它向客户隐藏了真实的、处理用户请求的 pod 资源，使得客户端的请求看上去像是由 service 直接处理并进行响应一样

Service 对象的 IP 地址也称为 Cluster IP，是一种 VIP（虚拟 IP），k8s 集群内部的 VIP

service 网段不能跟机房网络、docker 网段、容器网段冲突，否则可能会导致网络不通

Service 以负载均衡的方式进行流量调度，Service 和 Pod 之间松耦合，创建 Service 和 Pod 的任务可由不同的用户分别完成

Service 通过 API Server 实时监控（watch）标签选择器匹配到的后端 Pod，不过 Service 并不直接链接至 Pod，它们中间还有一个中间层 －－Endpoints资源对象，默认情况下，创建 Service 对象时，其关联的 Endpoints 对象会自动创建

endpoints controller 是负责生成和维护所有 endpoints 对象的控制器，监听 service 和对应 pod 的变化，更新对应 service 的 endpoints 对象。当用户创建 service 后 endpoints controller 会监听 pod 的状态，当 pod 处于 running 且准备就绪时，endpoints controller 会将 pod ip 记录到 endpoints 对象中，因此，service 的容器发现是通过 endpoints 来实现的。而 kube-proxy 会监听 service 和 endpoints 的更新并调用其代理模块在主机上刷新路由转发规则

Endpoints 是一个由 IP 地址和端口组成的列表，这些 IP 和端口来自于其 Service 关联的 Pod

每个节点上的 kube-proxy 组件 watch 各 Service 及其关联的 Endpoints，如果有变动，就会实时更新当前节点上相应的 iptables 或 ipvs 规则，确保 Cluster IP 的流量能调度到 Endpoints

简单来讲，一个 Service 对象就是一个 Node 上的这些 iptables 和 ipvs 规则

service 的负载均衡

pod 之间通信，一般不会 pod 直接访问 pod，而是 pod 先访问 service，然后 service 再到 pod

关于将 Cluster IP 的流量能调度到 Endpoints，有三种方式：userspace 代理、iptables 代理、ipvs 代理

1. userspace 代理

   1.1 版本之前的默认代理模型，效率低

2. iptables 代理

   通过 iptables 进行目标地址转换和流量调度，缺点是不会在后端 Pod 资源无响应时自动进行重定向

3. ipvs 代理

   和 iptables 代理模型的区别仅在于，流量的调度功能由 ipvs 实现，其他功能仍由 iptables 完成

service 的类型

service 支持的类型也就是 kubernetes 中服务暴露的方式，默认有四种：ClusterIP、NodePort、LoadBalancer、ExternelName

ClusterIP

kubernetes 集群默认的服务暴露方式，它只能用于集群内部通信，可以被各 pod 访问，其访问方式为：

1
2
3

pod ---> ClusterIP:ServicePort --> (iptables)DNAT --> PodIP:containePort

# 集群内pod直接访问service的ip即可

NodePort

如果想要在集群外访问集群内部的服务，可以使用 NodePort 类型的 service，在集群内部署了 kube-proxy 的节点打开一个指定的端口，将访问 node 此端口的流量直接发送到这个端口，然后会被转发到 service 后端真实的服务进行访问。Nodeport 构建在 ClusterIP 上，其访问链路如下所示：

1
2
3
4

client ---> NodeIP:NodePort ---> ClusterIP:ServicePort ---> (iptables)DNAT ---> PodIP:containePort

# 外部流量请求先到node，再到service
# 只要安装了kube-proxy的node，都可以处理外部流量，有实力的话可以单独拿出几个node，打上污点，然后负载均衡只会将外部流量转发到这几个node

LoadBalancer

主要在公有云如阿里云、AWS 上使用，LoadBalancer 构建在 nodePort 基础之上，通过公有云服务商提供的负载均衡器将 k8s 集群中的服务暴露到外网，云厂商的 LoadBalancer 会给用户分配一个 IP，之后通过该 IP 的流量会转发到你的 service 上

LoadBalancer service 类型的结构如下图所示：

ExternelName

通过 CNAME 将 service 与 externalName 的值(比如：http://foo.bar.example.com)映射起来，这种方式用的比较少。

service 的服务发现

Pod 与 Service 的 DNS：https://kubernetes.io/zh/docs/concepts/services-networking/dns-pod-service/

虽然 service 的 endpoints 解决了容器发现问题，但不提前知道 service 的 Cluster IP，怎么发现 service 服务呢？service 当前支持两种类型的服务发现机制，一种是通过环境变量，另一种是通过 DNS。在这两种方案中，建议使用后者：

在集群中部署 CoreDNS 服务， 来达到集群内部的 pod 通过 DNS 的方式进行集群内部各个服务之间的通讯

当前 kubernetes 集群默认使用 CoreDNS 作为默认的 DNS 服务，主要原因是 CoreDNS 是基于 Plugin 的方式进行扩展的，简单，灵活，并且不完全被 Kubernetes 所捆绑

service 的使用

ClusterIP 方式

1
2
3
4
5
6
7
8
9
10
11
12
13
14

apiVersion: v1
kind: Service
metadata:
  name: my-nginx #service的名称，此名称会被DNS解析
spec:
  clusterIP: 10.105.146.177
  ports:
    - port: 80 # Service的端口号
      protocol: TCP
      targetPort: 8080 # 后端目标进程的端口号或名称，名称需由Pod规范定义
  selector:
    app: my-nginx
  sessionAffinity: None
  type: ClusterIP

NodePort 方式

1
2
3
4
5
6
7
8
9
10
11
12
13
14

apiVersion: v1
kind: Service
metadata:
  name: my-nginx
spec:
  ports:
    - nodePort: 30090 # 节点端口，kube-proxy监听本机此端口，将访问此端口的流量转发到service
      port: 80 # service端口
      protocol: TCP
      targetPort: 8080 # 目标pod端口
  selector:
    app: my-nginx
  sessionAffinity: None
  type: NodePort

Headless service(就是没有 Cluster IP 的 service )

当不需要负载均衡以及单独的 ClusterIP 时，可以通过指定 spec.clusterIP 的值为 None 来创建 Headless service，它会给一个集群内部的每个成员提供一个唯一的 DNS 域名来作为每个成员的网络标识，集群内部成员之间使用域名通信。

deployment 中对应的服务是 service，而 statefulset 中与之对应的服务就是 headless service

1
2
3
4
5
6
7
8
9
10
11
12
13

apiVersion: v1
kind: Service
metadata:
  name: my-nginx
spec:
  clusterIP: None
  ports:
    - nodePort: 30090
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: my-nginx

Ingress

https://kubernetes.io/zh/docs/concepts/services-networking/ingress/
https://kubernetes.io/zh/docs/concepts/services-networking/ingress-controllers/

上面介绍的 ClusterIP 、NodePort 、LoadBalancer 都是基于 ip 和 port 做负载均衡，属于四层负载均衡

Ingress 可以作用于多个 service，被称为 service 的 service，作为集群内部服务的入口，Ingress 其实就是七层的反向代理，可以根据不同的 url，将请求转发到不同的 service 上

Ingress 的结构如下图所示：

kube-proxy 监听 node 的指定端口，将此端口的流量转发到 ingress，然后 ingress 再转发到不同的 service

1
2
3
4
5

反正都是实现七层代理，也可以使用deployment创建一组pod，提供nginx服务，实现代替ingress的效果：

kube-proxy监听node的指定端口，将此端口的流量转发到nginx service，然后nginx在转发到不同的service，可以配置service ip，也可以使用服务发现

建议：域名多、流量大，使用nginx；反之使用ingress

其他服务类型

完全不使用 k8s 内置的 service，而是通过注册中心自动发现 pod 地址，如果开发有实力，推荐使用这种方式

网上的教程基本都给 dumpcap 设置 suid，修改 dumpcap 的属组为 wireshark，将 whoami 添加到 wireshark 附属组。其实后面的都是多余操作，只需给 dumpcap 设置 suid 即可。

1

sudo chmod u+s /usr/bin/dumpcap

什么是 k8s？

kubernetes：容器的管理和编排系统

k8s 由多个组件组成，部署在一群服务器之上，将所有服务器整合成一个资源池，然后向客户端提供各种接口， 客户端只需要调用相应接口就可以管理容器，至于底层容器具体跑在哪台服务器，不可见也不需要关心

针对各种特定的业务，尤其是比较依赖工程师经验的业务（例如数据库集群宕机后的数据恢复、各种集群的扩缩容），可以将一系列复杂操作代码化，这个代码在 k8s 中就叫 operator，只要用好各种 operator，就可以方便高效的解决各种问题，这样，运维工程师的主要工作就变成了维护 k8s，确保 k8s 自身能够良好运行

k8s 内置了各种 operator，但是这些 operator 更重视通用性，很难完全匹配实际工作需要，所以就需要对 k8s 进行二次开发，编写各种 operator，这也是 SRE 工程师的必备技能之一

operator 能单独管理应用集群，实现复杂操作；controllor：控制器，只能实现简单的容器操作

开发人员为 k8s 开发应用程序的时候，通常不会完整的部署一个分布式 k8s 集群，而是使用一个叫做 MiniKube，它可以在单机上模拟出一个完整意义上的 k8s 集群

节点

资源池中的各个服务器叫做节点，节点有两种：

• Worker Node：运行 Pod，一般称 Node
• Master Node：运行控制平面组件，不运行 pod，一般称为 Master

组件

k8s 组件分为三种： 控制平面组件、Node 组件、Addons

https://kubernetes.io/docs/concepts/overview/components/

控制平面组件

控制平面（control plane）管理 Node 和 Node 上的 Pods

控制平面组件可以分别运行在任意节点上，但是为了简单，通常会将所有控制平面组件运行在同一个节点上，还可以以副本的形式运行在多个节点上，然后禁止在这种节点上运行 pod，这种节点就叫做 Master Node（后文简称 Master），当集群中只有一个 Master 时，就是单控制平面，有多个 Master 时，就是多控制平面，生产中肯定是多控制平面，但是学习中一般只使用单控制平面

kube-apiserver

https 服务器，监听在 6443 端口，它将 k8s 集群内的一切都抽象成资源，提供 RESTful 风格的 API，对资源（对象）进行增删改查等管理操作

apiserver 是整个 k8s 系统的总线，所有组件之间，都是通过它进行协同，它是唯一可以存储 k8s 集群的状态信息的组件（储存在 Etcd）

生产中，apiserver 需要做冗余，因为无状态，所以最少部署两个 apiserver，因为是 https 服务器，所以需要做四层负载，使用 Nginx、HAProxy、LVS 均可，然后搭配 keepalived 给负载均衡做高可用

关于健康监测，分为 AH（主动监测）和 PH（被动监测或者叫异常值探测）

kube-controller-manager

控制器管理器，负责管理控制器，真正意义上让 k8s 所有功能得以实现的控制中心，controller-manager 中有很多 controller（deployment 等数十种），这些 controller 才是真正意义上的 k8s 控制中心，负责集群内的 Node、Pod 副本、服务端点（Endpoint）、命名空间（Namespace）、服务账号（ServiceAccount）、资源定额（ResourceQuota）的管理

当某个 Node 意外宕机时，Controller Manager 会及时发现并执行自动化修复流程，确保集群始终处于预期（yaml 配置文件指定）的工作状态

k8s 可以把运维人员日常重复性的工作代码化，就是将多 controller 打包起来，单一运行

默认监听本机的 10252 端口

controller loop：控制循环

kube-scheduler

调度器，调度 pod，它的核心作用就是运行应用，scheduler 时刻关注着每个节点的资源可用量，以及运行 pod 所需的资源量，让二者达到最佳匹配，让 pod 以最好的状态运行

在整个系统中起”承上启下”作用，承上：负责接收 Controller Manager 创建的新的 Pod，为其选择一个合适的 Node；启下：Node 上的 kubelet 接管 Pod 的生命周期

1
2
3
4
5
6
7
8
9
10

通过调度算法为待调度Pod列表的每个Pod从可用Node列表中选择一个最适合的Node，并将信息写入etcd中node节点上的kubelet通过API Server监听到kubernetes Scheduler产生的Pod绑定信息，然后获取对应的Pod清
单，下载Image，并启动容器

优选策略：
1.LeastRequestedPriority
优先从备选节点列表中选择资源消耗最小的节点（CPU+内存）
2.CalculateNodeLabelPriority
优先选择含有指定Label的节点。
3.BalancedResourceAllocation
优先从备选节点列表中选择各项资源使用率最均衡的节点

etcd

https://etcd.io/
https://github.com/etcd-io/etcd

第三方、非 k8s 内置，它的目标是构建一个高可用的分布式键值(key-value)数据库，为避免脑裂，通常部署 3 个或 5 个节点

1
2
3
4
5
6
7

完全复制  # 集群中的每个节点都可以使用完整的存档
高可用性  # Etcd可用于避免硬件的单点故障或网络问题
一致性   # 每次读取都会返回跨多主机的最新写入
简单     # 包括一个定义良好、面向用户的API（gRPC）
安全     # 实现了带有可选的客户端证书身份验证的自动化TLS
快速     # 每秒10000次写入的基准速度
可靠     # 使用Raft算法实现了存储的合理分布Etcd的工作原理

etcd 有多个不同的 API 访问版本，v1 版本已经废弃，etcd v2 和 v3 本质上是共享同一套 raft 协议代码的两个独立的应用，接口不一样，存储不一样，数据互相隔离。也就是说如果从 Etcd v2 升级到 Etcd v3，原来 v2 的数据还是只能用 v2 的接口访问，v3 的接口创建的数据也只能访问通过 v3 的接口访问

以下以内容以 v3 为准

etcdctl 是 etcd 的命令行客户端工具

1

etcdctl [options] command [command options] [arguments...]

管理成员

1
2
3
4
5

etcdctl member list
etcdctl member add
etcdctl member promote
etcdctl member remove
etcdctl member update

验证成员状态：

1
2
3
4
5
6
7

$etcdctl endpoint health \
    --endpoints=https://10.0.1.31:2379 \
    --cacert=/etc/kubernetes/ssl/ca.pem \
    --cert=/etc/etcd/ssl/etcd.pem \
    --key=/etc/etcd/ssl/etcd-key.pem

# 多个成员写个遍历即可

增删改查

• 增 put

  1 2 3 4 5 6 7

  etcdctl put [options] <key> <value> (<value> can also be given from stdin) [flags] $etcdctl put /testkey "test data" OK $etcdctl get --print-value-only /testkey test data

• 删 del

  1 2 3 4

  etcdctl del [options] <key> [range_end] [flags] $etcdctl del /testkey 1

• 改 put

  直接覆盖即可

  1 2	$etcdctl put /testkey "test data2" OK

• 查 get

  1 2 3 4 5 6 7 8 9 10

  etcdctl get [options] <key> [range_end] [flags] $etcdctl get --print-value-only /testkey test data2 $etcdctl get --prefix --keys-only / # 获取所有key $etcdctl get --prefix --keys-only /calico $etcdctl get --prefix --keys-only /registry $etcdctl get --prefix --keys-only /registry/services $etcdctl get /calico/ipam/v2/handle/ipip-tunnel-addr-k8s-master.ljk.local

watch 机制

etcd v3 的 watch 机制支持 watch 某个固定的 key，也支持 watch 一个范围，发生变化就主动触发通知客户端

相比 Etcd v2, Etcd v3 的一些主要变化：

1
2
3
4
5

1. 接口通过grpc提供rpc接口，放弃了v2的http接口，优势是长连接效率提升明显，缺点是使用不如以前方便，尤其对不方便维护长连接的场景。
2. 废弃了原来的目录结构，变成了纯粹的kv，用户可以通过前缀匹配模式模拟目录
3. 内存中不再保存value，同样的内存可以支持存储更多的key
4. watch机制更稳定，基本上可以通过watch机制实现数据的完全同步
5. 提供了批量操作以及事务机制，用户可以通过批量事务请求来实现Etcd v2的CAS机制（批量事务支持if条件判断）

watch 测试：

1
2
3
4
5
6

# 在 etcd node1 上watch一个key，没有此 key 也可以执行 watch，后期可以再创建
$etcdctl watch /testkey

# 在 etcd node2 修改数据，验证 etcd node1 是否能够发现数据变化
$etcdctl put /testkey "test for new"
OK

数据备份与恢复机制

v2 版本数据备份与恢复：

1
2
3
4
5

# 备份
etcdctl backup --data-dir /var/lib/etcd/ --backup-dir /opt/etcd_backup

# 恢复
etcd --data-dir=/var/lib/etcd/default.etcd --force-new-cluster &

v3 版本数据备份与恢复：

1
2
3

etcdctl snapshot <subcommand> [flags]

subcommand：save、restore、status

1
2
3
4
5
6
7
8

$etcdctl snapshot save snapshot.db  # 备份
...
Snapshot saved at snapshot.db
$file snapshot.db
snapshot.db: data

# 恢复，将数据恢复到一个新的不存在的目录中
etcdctl snapshot restore snapshot.db --data-dir=/opt/etcd-testdir

cloud-controller-manager

略…

Node 组件

Node 组件运行在所有的节点上，包括 Master

kubelet

与 api server 建立联系，监视 api server 中与自己 node 相关的 pod 的变动信息，执行指令操作

在 kubernetes 集群中，每个 Node 节点都会启动 kubelet 进程，处理 Master 节点下发到本节点的任务，管理 Pod 和其中的容器。kubelet 会在 API Server 上注册节点信息，定期向 Master 汇报节点资源使用情况，并通过 cAdvisor（顾问）监控容器和节点资源，可以把 kubelet 理解成 Server/Agent 架构中的 agent，kubelet 是 Node 上的 pod 管家

kube-porxy

https://kubernetes.io/zh/docs/concepts/services-networking/service/
https://kubernetes.io/zh/docs/reference/command-line-tools-reference/kube-proxy/

守护进程，管理当前节点的 iptables 或 ipvs 规则，而且管理的只是和 service 相关的规则

监控 service，把集群上的每一个 service 的定义转换为本地的 ipvs 或 iptables 规则

kube-proxy 是运行在集群中的每个节点上的网络代理，实现了 Kubernetes 服务概念的一部分
kube-proxy 维护节点上的网络规则。这些网络规则允许从集群内部或外部的网络会话到 Pods 进行网络通信
kube-proxy 使用操作系统包过滤层（如果有的话）并且它是可用的。否则，kube-proxy 将自己转发流量

Container runtime

通常是 docker，其他类型的容器也支持

Addons

附加组件扩展了 Kubernetes 的功能

插件使用 Kubernetes 资源(DaemonSet, Deployment，等等)来实现集群特性。因为它们提供了集群级的特性，所以插件的命名空间资源属于 kube-system 命名空间

DNS

CoreDNS，k8s 中，DNS 是至关重要的，所有的访问都不会基于 ip，而是基于 name，name 再通过 DNS 解析成 ip

Web UI

集群监控系统

prometheus

集群日志系统

EFK、LG

Ingress Controller

入栈流量控制器，是对集群中服务的外部访问进行管理的 API 对象，典型的访问方式是 HTTP。

…

附件千千万，按需部署

CNI

CNI：Container Network Interface，容器网络接口

kubernetes 的网络插件遵从 CNI 规范的 v0.4.0 版本

网络插件有很多，最常用的是 flannel 和 Project Calico，生产环境用后者的最多

跨主机 pod 之间通信，有两种虚拟网络，有两种：overlay 和 underlay

• overlay：叠加网络 ，搭建隧道
• underlay：承载网络，设置路由表

overlay

OverLay 其实就是一种隧道技术，VXLAN，NVGRE 及 STT 是典型的三种隧道技术，它们都是通过隧道技术实现大二层网络。将原生态的二层数据帧报文进行封装后在通过隧道进行传输。总之，通过 OverLay 技术，我们在对物理网络不做任何改造的情况下，通过隧道技术在现有的物理网络上创建了一个或多个逻辑网络即虚拟网络，有效解决了物理数据中心，尤其是云数据中心存在 的诸多问题，实现了数据中心的自动化和智能化

以 flannel 为例，默认网段 10.224.1.0/16，flannel 在每个节点创建一个网卡 flannel.1，这是一个隧道，网段 10.2441.0/32 - 10.244.255/32，而每个节点上的容器的 ip 为 10.244.x.1/24 - 10.244.x.254/24，也就是说 flannel 默认支持最多 256 个节点，每个节点上又最多支持 256 个容器

underlay

UnderLay 指的是物理网络，它由物理设备和物理链路组成。常见的物理设备有交换机、路由器、防火墙、负载均衡、入侵检测、行为管理等，这些设备通过特定的链路连接起来形成了一个传统的物理网络，这样的物理网络，我们称之为 UnderLay 网络

UnderLay 是底层网络，负责互联互通而 Overlay 是基于隧道技术实现的，overlay 的流量需要跑在 underlay 之上

资源

Pod、Deployment、Service 等等，反映在 Etcd 中，就是一张张的表

kube-apiserver 以群组分区资源，群组化管理的 api 使得其可以更轻松地进行扩展，常用的 api 群组分为两类：

1. 命名群组：/apis/$GROUP_NAME/$VERSION，例如 /apis/apps/v1
2. 核心群组 core：简化了路径，/api/$VERSION，即 /api/v1

打印 kube-apiserver 支持的所有资源：

1

kubectl api-resources

对象

资源表中的每一条数据项就是一个对象，例如 Pod 表中的数据项就是 Pod 对象。所以资源表通常不叫 Pod 表、Deployment 表…，而是叫做 PodList、DeploymentList…

创建对象

三种方式

1. 命令式命令：命令，全部配置通过选项指定
2. 命令式配置文件：命令，加载配置文件
3. 声明式配置文件：声明式命令，加载配置清单，推荐使用

配置清单：

1
2
3
4
5
6
7
8
9
10
11
12

# 配置清单的规范叫做资源规范,范例：
apiVersion: v1
kind: Pod
metadata:
 name: myPod
 labels:
  app: mypod
  release: canary
spec:             # 期望状态
 containers:
 - name: demoapp
   image: ikubernetes/demoapp:v1.0

资源清单是 yml 格式，api-server 会自动转成 json 格式

如果实际状态和期望状态有出入，控制器的控制循环就会监控到差异，然后将需要做出的更改提交到 apiserver，调度器 scheduler 监控到 apiserver 中有未执行的操作，就会去找适合执行操作的 node，然后提交到 apiserver，kubelet 监控到 apiserver 中有关于自己节点的操作，就会执行操作，将执行结果返回给 apiserver，apiserver 再更新实际状态

查看对象

外部访问

1
2
3
4
5

domain:6643/apis/$GROUP_NAME/$VERSION/namespaces/$NAMESPACE/$NAME/$API_RESOURCE_NAME
domain:6643/api/$VERSION/namespaces/$NAMESPACE/$NAME/$API_RESOURCE_NAME

# 范例：
domain:6643/api/v1/namespaces/default/pods/demoapp-5f7d8f9847-tjn4v

内部访问

以下三种访问方式是一样的：

1
2
3
4
5
6
7

# 方式一，这种方式最方便
kubectl get pods net-tes1 -o json|yaml
# 方式二
kubectl get --raw /api/v1/namespaces/default/pods/net-test1
# 方式三，这种方式适用于监控
kubectl proxy # 搭建代理
curl 127.0.0.1:8001/api/v1/namespaces/default/pods/net-test1 # 另起一终端

注：1.20 之前的版本可以直接curl 127.0.0.1:8080，并且通过--insecure-port可以修改默认的 8080 端口，1.20.4 之后的版本取消了这种不安全的访问方式，只能通过以上方式三，先kubectl proxy代理一下，默认端口也改成了 8001

The kube-apiserver ability to serve on an insecure port, deprecated since v1.10, has been removed. The insecure address flags --address and --insecure-bind-address have no effect in kube-apiserver and will be removed in v1.24. The insecure port flags --port and --insecure-port may only be set to 0 and will be removed in v1.24. (#95856, @knight42, [SIG API Machinery, Node, Testing])

1
2
3
4
5
6

$kubectl get pods net-test1 -o yaml
 apiVersion: v1
 kind: Pod
>metadata:
>spec:
>status:

以上返回的数据，每个字段表示的意义可以通过 kubectl explain 查询帮助

1

kubectl explain <type>.<fieldName>[.<fieldName>]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

$kubectl explain pod.apiVersion
KIND:     Pod
VERSION:  v1

FIELD:    apiVersion <string>

DESCRIPTION:
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

# 范例
$kubectl explain pod.kind
$kubectl explain pod.metadata
$kubectl explain pod.spec

lease 租约

lease 是分布式系统中一个常见的概念，用于代表一个分布式租约。典型情况下，在分布式系统中需要去检测一个节点是否存活的时，就需要租约机制。

上图示例中的代码示例首先创建了一个 10s 的租约，如果创建租约后不做任何的操作，那么 10s 之后，这个租约就会自动过期。接着将 key1 和 key2 两个 key value 绑定到这个租约之上，这样当租约过期时 etcd 就会自动清理掉 key1 和 key2，使得节点 key1 和 key2 具备了超时自动删除的能力。

如果希望这个租约永不过期，需要周期性的调用 KeeyAlive 方法刷新租约。比如说需要检测分布式系统中一个进程是否存活，可以在进程中去创建一个租约，并在该进程中周期性的调用 KeepAlive 的方法。如果一切正常，该节点的租约会一致保持，如果这个进程挂掉了，最终这个租约就会自动过期。

在 etcd 中，允许将多个 key 关联在同一个 lease 之上，这个设计是非常巧妙的，可以大幅减少 lease 对象刷新带来的开销。试想一下，如果有大量的 key 都需要支持类似的租约机制，每一个 key 都需要独立的去刷新租约，这会给 etcd 带来非常大的压力。通过多个 key 绑定在同一个 lease 的模式，我们可以将超时间相似的 key 聚合在一起，从而大幅减小租约刷新的开销，在不失灵活性同时能够大幅提高 etcd 支持的使用规模。

tomcat 日志

tomcat 默认的格式比较简单，包含 ip、date、method、url、status code 等信息，例如：

1
2
3
4
5
6
7
8
9
10
11
12
13

10.0.0.1 - - [06/Mar/2021:09:26:09 +0800] "GET / HTTP/1.1" 200 11156
10.0.0.1 - - [06/Mar/2021:09:26:10 +0800] "GET /tomcat.svg HTTP/1.1" 200 67795
10.0.0.1 - - [06/Mar/2021:09:26:10 +0800] "GET /tomcat.css HTTP/1.1" 200 5542
10.0.0.1 - - [06/Mar/2021:09:26:10 +0800] "GET /bg-nav.png HTTP/1.1" 200 1401
10.0.0.1 - - [06/Mar/2021:09:26:10 +0800] "GET /bg-middle.png HTTP/1.1" 200 1918
10.0.0.1 - - [06/Mar/2021:09:26:10 +0800] "GET /bg-upper.png HTTP/1.1" 200 3103
10.0.0.1 - - [06/Mar/2021:09:26:10 +0800] "GET /bg-button.png HTTP/1.1" 200 713
10.0.0.1 - - [06/Mar/2021:09:26:10 +0800] "GET /asf-logo-wide.svg HTTP/1.1" 200 27235
10.0.0.1 - - [06/Mar/2021:09:26:10 +0800] "GET /favicon.ico HTTP/1.1" 200 21630
10.0.0.1 - - [06/Mar/2021:09:26:12 +0800] "GET /manager/status HTTP/1.1" 403 3446
10.0.0.1 - - [06/Mar/2021:09:26:14 +0800] "GET /manager/html HTTP/1.1" 403 3446
10.0.0.1 - - [06/Mar/2021:09:26:19 +0800] "GET / HTTP/1.1" 200 11156
10.0.0.1 - - [06/Mar/2021:09:26:19 +0800] "GET /favicon.ico HTTP/1.1" 200 21630

1. 为了 kibana 能单独统计每个字段，需要日志记录成 json 格式，当然也可以是其他格式，只要有对应的 codec 插件可以解析就行

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

   [root@elk2-ljk conf]$pwd /usr/local/tomcat/conf [root@elk2-ljk conf]$vim server.xml # 自定义日志格式 为json格式 ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="tomcat_access_log" suffix=".log" pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;: &quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;, &quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}" /> ... # &quot; 表示双引号 [root@elk2-ljk conf]$systemctl restart tomcat.service # 重启tomcat # 查看日志，已经成功修改为json格式 [root@elk2-ljk logs]$cat ../logs/tomcat_access_log.2021-03-06.log {"clientip":"10.0.0.1","ClientUser":"-","authenticated":"-","AccessTime":"[06/Mar/2021:12:50:56 +0800]","method":"GET / HTTP/1.1","status":"200","SendBytes": "11156","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"} {"clientip":"10.0.0.1","ClientUser":"-","authenticated":"-","AccessTime":"[06/Mar/2021:12:50:56 +0800]","method":"GET /favicon.ico HTTP/1.1","status":"200", "SendBytes":"21630","Query?string":"","partner":"http://10.0.1.122:8080/","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"} {"clientip":"10.0.0.1","ClientUser":"-","authenticated":"-","AccessTime":"[06/Mar/2021:12:51:00 +0800]","method":"GET / HTTP/1.1","status":"200","SendBytes": "11156","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"}

   百度搜索 “tomcat 日志格式” 或 “apache 日志格式”，下面是部分格式说明：

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

   ％a - 远程IP地址 ％A - 本地IP地址 ％b - 发送的字节数，不包括HTTP头，或“ - ”如果没有发送字节 ％B - 发送的字节数，不包括HTTP头 ％h - 远程主机名 ％H - 请求协议 ％l (小写的L)- 远程逻辑从identd的用户名（总是返回' - '） ％m - 请求方法 ％p - 本地端口 ％q - 查询字符串（在前面加上一个“？”如果它存在，否则是一个空字符串 ％r - 第一行的要求 ％s - 响应的HTTP状态代码 ％S - 用户会话ID ％t - 日期和时间，在通用日志格式 ％u - 远程用户身份验证 ％U - 请求的URL路径 ％v - 本地服务器名 ％D - 处理请求的时间（以毫秒为单位） ％T - 处理请求的时间（以秒为单位） ％I （大写的i） - 当前请求的线程名称 ％{XXX}i xxx代表传入的头(HTTP Request) ％{XXX}o xxx代表传出​​的响应头(Http Resonse) ％{XXX}c xxx代表特定的Cookie名 ％{XXX}r xxx代表ServletRequest属性名 ％{XXX}s xxx代表HttpSession中的属性名

2. logstash 配置文件：

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

   input { file { type => "tomcat-access-log" path => "/usr/local/tomcat/logs/tomcat_access_log.*.log" start_position => "end" stat_interval => 3 codec => "json" } } output { if [type] == "tomcat-access-log" { elasticsearch { hosts => ["10.0.1.121:9200"] index => "mytest-%{type}-%{+xxxx.ww}" } } }

3. 重启 logstash，注意要以 root 用户身份启动，否则无法采集数据

   1	[root@elk2-ljk conf.d]$systemctl restart logstash.service

java 日志

基于 java 开发的应用，都会有 java 日志，java 日志会记录 java 的报错信息，但是一个报错会产生多行日志，例如：

为了方便观察，需要将一个报错的多行日志合并为一行，以 elasticsearch 为例：

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

input {
    file {
        type => "elasticsearch-java-log"
        path => "/data/elasticsearch/logs/es-cluster.log"
        start_position => "beginning"
        stat_interval => 3
        codec => multiline {
            pattern => "^\["
            negate => true
            what => "previous"
        }
    }
}

output {
    elasticsearch {
        hosts => ["10.0.1.121:9200"]
        index => "mytest-%{type}-%{+yyyy.MM}"
    }
}

查看 kibana：

nginx 访问日志

和采集 tomcat 日志类似，重点是把 nginx 日志修改为 json 格式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

# 注意：log_format要写在server外面
[root@47105171233 vhost]$cat lujinkai.cn.conf
log_format access_json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"size":$body_bytes_sent,'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamhost":"$upstream_addr",'
'"http_host":"$host",'
'"url":"$uri",'
'"domain":"$host",'
'"xff":"$http_x_forwarded_for",'
'"referer":"$http_referer",'
'"status":"$status"}';

server {
  listen 80;
  server_name lujinkai.cn;
  access_log /data/wwwlogs/lujinkai.cn_nginx.log access_json;
  rewrite / http://blog.lujinkai.cn permanent;
}

# 日志成功转为json格式
[root@47105171233 wwwlogs]$tail -f lujinkai.cn_nginx.log
{"@timestamp":"2021-03-06T18:20:13+08:00","host":"10.0.0.1","clientip":"113.120.245.191","size":162,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"lujinkai.cn","url":"/","domain":"lujinkai.cn","xff":"-","referer":"-","status":"301"}
{"@timestamp":"2021-03-06T18:20:13+08:00","host":"10.0.0.1","clientip":"113.120.245.191","size":162,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"lujinkai.cn","url":"/robots.txt","domain":"lujinkai.cn","xff":"-","referer":"-","status":"301"}

TCP/UDP 日志

场景：没有安装 logstash 的服务器（A），向安装了 logstash 的服务器（B）发送日志信息，这个场景不多

实现：A 通过 nc 命令给 B 发送日志信息，B 监听本地的对应端口，接收数据

A：客户端

1

[root@elk2-ljk ~]$nc 10.0.1.121 9889

B：服务端

1
2
3
4
5
6
7
8
9
10
11
12
13

input {
    tcp {
        port => 9889
        type => "tcplog"
        mode => "server"
    }
}

output {
    stdout {
     codec => rubydebug
    }
}

通过 rsyslog 收集 haproxy 日志

有些设备无法安装 logstash，例如 路由器、交换机，但是厂家内置了 rsyslog 功能，这里以 haproxy 为例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

# 1. haproxy.cfg 定义haproxy的日志设备为local6
log 127.0.0.1 local6 info

# 2. rsyslog.conf
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
local6.* @@10.0.1.122

# 3. 10.0.1.122主机监听本机的udp514端口，接收日志数据
input{
    syslog {
     type => "ststem-rsyslog"
    }
}
output{
    elasticsearch {
        hosts => ["10.0.1.123:9200"]
        index => "logstash-rsyslog-%{+YYYY.MM.dd}"
    }
}

filebeat 收集日志并写入 redis/kafka

考虑到 elasticsearch 的性能问题，通常不会直接往 elasticsearch 写日志，会加 redis 或 kafka 缓冲一下

• 有少数场景，需要收集多个不同格式的日志，例如有的是 syslog 格式，有的是 json 格式，所有的日志都 output 到 redis 的一个 list 中，因为 logstash 的 input 没有条件判断，只能配置一个 codec，所以 logstash 可以将不同的日志发送到 elasticsearch 的不同 index，却无法对不同的日志格式配置不同的 codec，这样的数据最后展示在 kibana 也没有意义，解决方法是在日志收集和日志缓存中间在加一个 logstash（可以共用日志提取及过滤的 logstash），将不同的日志转发到 redis 的不同 list
• 日志缓存如果用 redis，需要大内存，推荐 32G；如果用 kafka，16G 就够，因为 kafka 存储数据到磁盘

日志收集实战

从左向右看，当要访问 ELK 日志统计平台的时候，首先访问的是两台 nginx+keepalived 做的负载高可用，访问的地址是 keepalived 的 IP，当一台 nginx 代理服务器挂掉之后也不影响访问，然后 nginx 将请求转发到 kibana，kibana 再去 elasticsearch 获取数据，elasticsearch 是两台做的集群，数据会随机保存在任意一台 elasticsearch 服务器，redis 服务器做数据的临时保存，避免 web 服务器日志量过大的时候造成的数据收集与保存不一致导致的日志丢失，可以临时保存到 redis，redis 可以是集群，然后再由 logstash 服务器在非高峰时期从 redis 持续的取出即可，另外有一台 mysql 数据库服务器，用于持久化保存特定的数据，web 服务器的日志由 filebeat 收集之后发送给另外的一台 logstash，再有其写入到 redis 即可完成日志的收集，从图中可以看出，redis 服务器处于前端结合的最中间，其左右都要依赖于 redis 的正常运行，web 服务删个日志经过 filebeat 收集之后通过日志转发层的 logstash 写入到 redis 不同的 key 当中，然后提取层 logstash 再从 redis 将数据提取并安按照不同的类型写入到 elasticsearch 的不同 index 当中，用户最终通过 nginx 代理的 kibana 查看到收集到的日志的具体内容

通过坐标地图统计客户 IP 所在城市

https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html

日志写入数据库

写入数据库的目的是用于持久化保存重要数据，比如状态码、客户端 IP、客户端浏览器版本等等，用于后期按月做数据统计等

写个脚本从，定期从 elasticsearch 中获取数据，写入到 PostgreSQL

什么是 ELK

https://www.elastic.co/cn/what-is/elk-stack

ELK 全称 ELK Stack，它的更新换代产品叫 Elastic Stack

ELK = Elasticsearch + Logstash + Kibana

• Elasticsearch：搜索和分析引擎
• Logstash：服务器端数据处理管道，能够同时从多个来源采集数据，转换数据，然后将数据发送到诸如 Elasticsearch 等“存储库”中
• Kibana：让用户在 Elasticsearch 中使用图形和图表对数据进行可视化

什么是 Elasticsearch

https://www.elastic.co/cn/what-is/elasticsearch

什么是 Logstash

Logstash 是 Elastic Stack 的核心产品之一，可用来对数据进行聚合和处理，并将数据发送到 Elasticsearch。Logstash 是一个开源的服务器端数据处理管道，允许您在将数据索引到 Elasticsearch 之前同时从多个来源采集数据，并对数据进行充实和转换。

什么是 kibana

https://www.elastic.co/cn/what-is/kibana

为什么使用 ELK

ELK 组件在海量日志系统的运维中，可用于解决以下主要问题：

• 分布式日志数据统一收集，实现集中式查询和管理
• 故障排查
• 安全信息和事件管理
• 报表功能

elasticsearch

基本概念

参考博客：https://www.cnblogs.com/qdhxhz/p/11448451.html

重点理解 index 和 document 这两个概念：index（索引）类似 kafka 的 topic，oss 的 bucket，要尽量控制 index 的数量；index 中的单条数据称为 document（文档），相当于 mysql 表中的行

之前的版本中，索引和文档中间还有个 type（类型）的概念，每个索引下可以建立多个 type，document 存储时需要指定 index 和 type，因为一个 index 中的 type 并不隔离，document 不能重名，所以 type 并没有多少意义。从 7.0 版本开始，一个 index 只能建一个名为_doc 的 type，8.0.0 以后将完全取消

下面是一个 document 的源数据：

• _index：文档所属索引名称
• _type：文档所属类型名
• _id：doc 主键，写入时指定，如果不指定，则系统自动生成一个唯一的 UUID 值
• _version：doc 版本信息，保证 doc 的变更能以正确的顺序执行，避免乱序造成的数据丢失
• _seq_no：严格递增的顺序号，shard 级别严格递增，保证后写入的 doc 的_seq_no大于先写入的 doc 的_seq_no
• _primary_term：和_seq_no一样是一个整数，每当 primary shard 发生重新分配时，比如重启，primary 选举等，_primary_term 会递增 1
• found：查询的 ID 正确那么 ture, 如果 Id 不正确，就查不到数据，found 字段就是 false
• _source：文档的原始 JSON 数据

apt 安装

elasticsearch 集群中 master 与 slave 的区别：

master：统计各节点状态信息、集群状态信息统计、索引的创建和删除、索引分配的管理、关闭节点等
slave：从 master 同步数据、等待机会成为 master

1. apt 安装

   1	[root@elk2-ljk src]$dpkg -i elasticsearch-7.11.1-amd64.deb

   主要目录：

   1 2 3

   /usr/share/elasticsearch # 主目录 /etc/elasticsearch # 配置文件目录 ...

2. 修改 hosts

   1 2 3 4 5

   [root@elk2-ljk src]$vim /etc/hosts ... 10.0.1.121 elk1-ljk.local 10.0.1.122 elk2-ljk.local 10.0.1.123 elk3-ljk.local

3. 修改配置文件 elasticsearch.yml

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

   [root@elk2-ljk /]$grep '^[a-Z]' /etc/elasticsearch/elasticsearch.yml cluster.name: es-cluster # ELK的集群名称，名称相同即属于是同一个集群 node.name: node-2 # 当前节点在集群内的节点名称 path.data: /data/elasticsearch/data # ES数据保存目录 path.logs: /data/elasticsearch/logs # ES日志保存目 bootstrap.memory_lock: true # 服务启动的时候锁定足够的内存，防止数据写入swap network.host: 10.0.1.122 # 监听本机ip http.port: 9200 # 监听端口 # 集群中node节点发现列表，最好使用hostname，这里为了方便，使用ip discovery.seed_hosts: ["elk1-ljk.local", "elk2-ljk.local", "elk3-ljk.local"] # 集群初始化那些节点可以被选举为master cluster.initial_master_nodes: ["node-1", "node-2", "node-3"] gateway.recover_after_nodes: 2 # 一个集群中的 N 个节点启动后,才允许进行数据恢复处理，默认是 1 # 设置是否可以通过正则或者_all 删除或者关闭索引库，默认 true 表示必须需要显式指定索引库名称，生产环境建议设置为 true，删除索引库的时候必须指定，否则可能会误删索引库中的索引库 action.destructive_requires_name: true

4. 修改内存限制

   1 2 3

   [root@elk2-ljk src]$vim /usr/lib/systemd/system/elasticsearch.service ... LimitMEMLOCK=infinity # 无限制使用内存

   1 2 3

   [root@elk2-ljk src]$vim /usr/local/elasticsearch/config/jvm.options -Xms2g # 最小内存限制 -Xmx2g # 最大内存限制

5. 创建数据目录并修改属主

   1 2	[root@elk2-ljk src]$mkdir -p /data/elasticsearch [root@elk3-ljk src]$chown -R elasticsearch:elasticsearch /data/elasticsearch

6. 启动

   1 2 3 4 5 6

   [root@elk1-ljk src]$systemctl start elasticsearch.service # 稍等几分钟 [root@elk1-ljk ~]$curl http://10.0.1.121:9200/_cat/nodes 10.0.1.123 13 96 0 0.14 0.32 0.22 cdhilmrstw - node-3 10.0.1.122 28 97 0 0.01 0.02 0.02 cdhilmrstw * node-2 # master 10.0.1.121 26 96 2 0.13 0.07 0.03 cdhilmrstw - node-1

源码编译

启动总是失败，各种报错，解决不了…

安装 elasticsearch 插件

插件是为了完成不同的功能，官方提供了一些插件但大部分是收费的，另外也有一些开发爱好者提供的插件，可以实现对 elasticsearch 集群的状态监控与管理配置等功能

head 插件

在 elasticsearch 5.x 版本以后不再支持直接安装 head 插件，而是需要通过启动一个服务方式

github 地址：https://github.com/mobz/elasticsearch-head

1
2
3
4
5
6
7
8
9
10
11
12
13
14

# git太慢，这里用迅雷下载zip包，然后上传
[root@elk1-ljk src]$unzip master.zip
[root@elk1-ljk src]$cd elasticsearch-head-master/
[root@elk1-ljk elasticsearch-head-master]$npm install grunt -save
[root@elk1-ljk elasticsearch-head-master]$npm install # 这一步要等很久
[root@elk1-ljk elasticsearch-head-master]$npm run start # 前台启动

# 开启跨域访问支持，每个节点都需要开启
[root@elk3-ljk ~]$vim /etc/elasticsearch/elasticsearch.yml
...
http.cors.enabled: true
http.cors.allow-origin: "*"

[root@elk2-ljk games]$systemctl restart elasticsearch.service  # 重启elasticsearch