运行etcd
执行命令etcd,即可启动server
$ etcd
2018-10-23 11:29:12.872217 I | etcdmain: etcd Version: 3.3.7
2018-10-23 11:29:12.872344 I | etcdmain: Git SHA: 56536de55
2018-10-23 11:29:12.872400 I | etcdmain: Go Version: go1.9.6
2018-10-23 11:29:12.872437 I | etcdmain: Go OS/Arch: linux/amd64
2018-10-23 11:29:12.872484 I | etcdmain: setting maximum number of CPUs to 56, total number of available CPUs is 56
2018-10-23 11:29:12.872522 W | etcdmain: no data-dir provided, using default data-dir ./default.etcd
2018-10-23 11:29:12.873433 I | embed: listening for peers on https://localhost:2380
2018-10-23 11:29:12.873741 C | etcdmain: listen tcp 127.0.0.1:2379: bind: address already in use
etcdctl
etcd最新的API版本是v3,与v2相比,v3更高效更清晰。要使用v3,设置环境变量即可。
export ETCDCTL_API=3
etcdctl version
或者每次执行的时候带着
ETCDCTL_API=3 etcdctl version
查看etcd的版本
## v2版本
etcdctl -v
## v3版本
ETCDCTL_API=3 etcdctl version
## 加密的方式
ETCDCTL_API=3 etcdctl \
--endpoints=https://172.xxx.xx.xx:2379 \
--cacert=/etc/kubernetes/cert/ca.pem \
--cert=/etc/etcd/cert/etcd.pem \
--key=/etc/etcd/cert/etcd-key.pem \
version
## api的方式
curl https://127.0.0.1:2379/version
查询etcd集群状态
$ ETCDCTL_API=3 etcdctl endpoint status --cluster -w table
+----------------------------+------------------+---------+---------+-----------+-----------+------------+
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | RAFT TERM | RAFT INDEX |
+----------------------------+------------------+---------+---------+-----------+-----------+------------+
| http://192.168.144.11:2379 | 939e974d80fa7dd5 | 3.3.13 | 20 kB | true | 2 | 12 |
| http://192.168.144.13:2379 | bd04095b49eb535c | 3.3.13 | 20 kB | false | 2 | 12 |
| http://192.168.144.12:2379 | cf7585769b2ce974 | 3.3.13 | 20 kB | false | 2 | 12 |
+----------------------------+------------------+---------+---------+-----------+-----------+------------+
常用命令
# 列表
etcdctl ls /kube-centos/network/config
# 查看
etcdctl get /kube-centos/network/config
# v2移除
etcdctl rm /kube-centos/network/config
# v3移除
ETCDCTL_API=3 etcdctl del /kube-centos/network/config
# 递归移除
etcdctl rm --recursive registry
# 修改
etcdctl mk /kube-centos/network/config "{ \"Network\": \"172.30.0.0/16\", \"Backend\": { \"Type\": \"vxlan\" } }"
# 命令将数据存到指定位置。这部分数据可以用来灾难恢复
etcdctl backup
# 健康检查
etcdctl endpoint health
命令大集合
存储:
curl http://127.0.0.1:4001/v2/keys/testkey -XPUT -d value='testvalue'
curl -s http://127.0.0.1:4001/v2/keys/message2 -XPUT -d value='hello etcd' -d ttl=5
获取:
curl http://127.0.0.1:4001/v2/keys/testkey
查看版本:
curl http://127.0.0.1:4001/version
删除:
curl -s http://127.0.0.1:4001/v2/keys/testkey -XDELETE
监视:
窗口1:curl -s http://127.0.0.1:4001/v2/keys/message2 -XPUT -d value='hello etcd 1'
curl -s http://127.0.0.1:4001/v2/keys/message2?wait=true
窗口2:
curl -s http://127.0.0.1:4001/v2/keys/message2 -XPUT -d value='hello etcd 2'
自动创建key:
curl -s http://127.0.0.1:4001/v2/keys/message3 -XPOST -d value='hello etcd 1'
curl -s 'http://127.0.0.1:4001/v2/keys/message3?recursive=true&sorted=true'
创建目录:
curl -s http://127.0.0.1:4001/v2/keys/message8 -XPUT -d dir=true
删除目录:
curl -s 'http://127.0.0.1:4001/v2/keys/message7?dir=true' -XDELETE
curl -s 'http://127.0.0.1:4001/v2/keys/message7?recursive=true' -XDELETE
查看所有key:
curl -s http://127.0.0.1:4001/v2/keys/?recursive=true
存储数据:
curl -s http://127.0.0.1:4001/v2/keys/file -XPUT --data-urlencode value@upfile
使用etcdctl客户端:
存储:
etcdctl set /liuyiling/testkey "610" --ttl '100'
--swap-with-value value
获取:
etcdctl get /liuyiling/testkey
更新:
etcdctl update /liuyiling/testkey "world" --ttl '100'
删除:
etcdctl rm /liuyiling/testkey
使用ca获取:
etcdctl --cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem --ca-file=/etc/etcd/ssl/ca.pem get /message
目录管理:
etcdctl mk /liuyiling/testkey "hello" 类似set,但是如果key已经存在,报错
etcdctl mkdir /liuyiling
etcdctl setdir /liuyiling
etcdctl updatedir /liuyiling
etcdctl rmdir /liuyiling
查看:
etcdctl ls --recursive
监视:
etcdctl watch mykey --forever + etcdctl update mykey "hehe"
#监视目录下所有节点的改变
etcdctl exec-watch --recursive /foo -- sh -c "echo hi"
etcdctl exec-watch mykey -- sh -c 'ls -al' + etcdctl update mykey "hehe"
etcdctl member list
列出集群内的成员以及他们当前的角色是不是leader
# 命令的方式
./etcdctl member list
# api的方式
curl -s --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kube-controller-manager.pem --key /etc/kubernetes/cert/kube-controller-manager-key.pem https://172.xx.xx.xx:2379/v2/stats/leader
put/get命令
## 设置key
$ etcdctl put msg "Hello TenxCloud"
OK
## 获取值
$ etcdctl get msg
msg
Hello TenxCloud
## 删除key
$ etcdctl del msg
1
$ etcdctl get msg
$
txn事务
txn从标准输入中读取多个请求,将它们看做一个原子性的事务执行。事务是由条件列表,条件判断成功时的执行列表(条件列表中全部条件为真表示成功)和条件判断失败时的执行列表(条件列表中有一个为假即为失败)组成的。
$ etcdctl put flag 1
OK
$ etcdctl txn -i
compares:
value("flag") = "1"
success requests (get, put, delete):
put result true
failure requests (get, put, delete):
put result false
SUCCESS
OK
$ etcdctl get result
result
true
解释:
- etcdctl put flag 1设置flag为1
- etcdctl txn -i开启事务(-i表示交互模式)
- 第2步输入命令后回车,终端显示出compares:
- 输入value("flag") = "1",此命令是比较flag的值与1是否相等
- 第4步完成后输入回车,终端会换行显示,此时可以继续输入判断条件(前面说过事务由条件列表组成),再次输入回车表示判断条件输入完毕
- 第5步连续输入两个回车后,终端显示出success requests (get, put, delete):,表示下面输入判断条件为真时要执行的命令
- 与输入判断条件相同,连续两个回车表示成功时的执行列表输入完成
- 终端显示failure requests (get, put, delete):后输入条件判断失败时的执行列表
- 为了看起来简洁,此实例中条件列表和执行列表只写了一行命令,实际可以输入多行
- 总结上面的事务,要做的事情就是flag为1时设置result为true,否则设置result为false
- 事务执行完成后查看result值为true
watch监听
watch后etcdctl阻塞,在另一个终端中执行etcdctl put flag 2后,watch会打印出相关信息
$ etcdctl watch flag
PUT
flag
2
lease租约
etcd也能为key设置超时时间,但与redis不同,etcd需要先创建lease,然后使用put命令加上参数–lease=<lease ID>来设置
$ etcdctl lease grant 100
lease 38015a3c00490513 granted with TTL(100s)
$ etcdctl put k1 v1 --lease=38015a3c00490513
OK
$ etcdctl lease timetolive 38015a3c00490513
lease 38015a3c00490513 granted with TTL(100s), remaining(67s)
$ etcdctl lease timetolive 38015a3c00490513
lease 38015a3c00490513 granted with TTL(100s), remaining(64s)
$ etcdctl lease timetolive 38015a3c00490513 --keys
lease 38015a3c00490513 granted with TTL(100s), remaining(59s), attached keys([k1])
$ etcdctl put k2 v2 --lease=38015a3c00490513
OK
$ etcdctl lease timetolive 38015a3c00490513 --keys
lease 38015a3c00490513 granted with TTL(100s), remaining(46s), attached keys([k1 k2])
$ etcdctl lease revoke 38015a3c00490513
lease 38015a3c00490513 revoked
$ etcdctl get k1
$ etcdctl get k2
$
$ etcdctl lease grant 10
lease 38015a3c0049051d granted with TTL(10s)
$ etcdctl lease keep-alive 38015a3c0049051d
lease 38015a3c0049051d keepalived with TTL(10)
lease 38015a3c0049051d keepalived with TTL(10)
lease 38015a3c0049051d keepalived with TTL(10)
lease grant <ttl>
创建lease,返回lease ID。创建的lease生存时间大于或等于ttl秒(TODO:为什么可能大于?)lease revoke <lease ID>
删除lease,并删除所有关联的keylease timetolive <lease ID>
取得lease的总时间和剩余时间lease keep-alive <lease ID>
此命令不会只更新一次lease时间,而是周期性地刷新,保证它不会过期。
集群管理命令
TODO
并发控制命令
lock <lock name>
通过指定的名字加锁。注意,只有当正常退出且释放锁后,lock命令的退出码是0,否则这个锁会一直被占用直到过期(默认60秒)
使用Ctrl+C正常退出lock命令,退出码为0,第二次能正常lock:
$ etcdctl lock test
test/38015a3fd6795e04
^C$ echo $?
0
$ etcdctl lock test
test/38015a3fd6795e0a
kill掉lock命令,退出码不为0,第二次lock被阻塞:
终端1,第一次正常锁住test:
$ etcdctl lock test
test/38015a3fd6795e11
终端2,kill掉lock命令:
ming@ming:~$ ps aux|grep 'etcdctl lock'
ming 44546 0.5 0.5 19876 11436 pts/5 Sl+ 11:42 0:00 etcdctl lock test
ming 44560 0.0 0.0 14224 1084 pts/6 S+ 11:43 0:00 grep --color=auto etcdctl lock
ming@ming:~$ kill -9 44546
终端1,退出码不为0,第二次锁test被阻塞
$ etcdctl lock test
test/38015a3fd6795e1e
Killed
$ echo $?
137
$ etcdctl lock test
elect
TODO
权限命令
user
可以为etcd创建多个用户并设置密码,子命令有:
- add 添加用户
- delete 删除用户
- get 取得用户详情
- list 列出所有用户
- passwd 修改用户密码
- grant-role 给用户分配角色
- revoke-role 给用户移除角色
role
可以为etcd创建多个角色并设置权限,子命令有:
- add 添加角色
- delete 删除角色
- get 取得角色信息
- list 列出所有角色
- grant-permission 为角色设置某个key的权限
- revoke-permission 为角色移除某个key的权限
auth
开启/关闭权限控制
示例
下面以示例来学习这三个命令
root用户存在时才能开启权限控制
$ etcdctl auth enable
Error: etcdserver: root user does not exist
$ etcdctl user add root
Password of root:
Type password of root again for confirmation:
User root created
$ etcdctl auth enable
Authentication Enabled
开启权限控制后需要用--user指定用户
$ etcdctl user list
Error: etcdserver: user name not found
$ etcdctl user list --user=root
Password:
root
$ etcdctl user get root --user=root
Password:
User: root
Roles: root
添加用户,前两个密码是新用户的,后一个密码是root的
$ etcdctl user add mengyuan --user=root
Password of mengyuan:
Type password of mengyuan again for confirmation:
Password:
User mengyuan created
使用新用户执行put命令,提示没有权限
$ etcdctl put key1 v1 --user=mengyuan
Password:
Error: etcdserver: permission denied
创建名为rw_key_的role,添加对字符串"key"做为前缀的key的读写权限,为mengyuan添加角色
$ etcdctl role add rw_key_ --user=root
Password:
Role rw_key_ created
$ etcdctl --user=root role grant-permission rw_key_ readwrite key --prefix=true
Password:
Role rw_key_ updated
$ etcdctl --user=root user grant-role mengyuan rw_key_
Password:
Role rw_key_ is granted to user mengyuan
添加权限成功后执行put key1成功,执行put k1失败(因为上面只给前缀为"key"的key添加了权限)
$ etcdctl put key1 v1 --user=mengyuan
Password:
OK
$ etcdctl put k1 v1 --user=mengyuan
Password:
Error: etcdserver: permission denied
执行user list命令失败,没有权限
$ etcdctl user list --user=mengyuan
Password:
Error: etcdserver: permission denied
为新用户添加root的角色后就能执行user list命令了,注意命令中第一个root是角色,第二个root是用户
$ etcdctl user grant-role mengyuan root --user=root
Password:
Role root is granted to user mengyuan
$ etcdctl user list --user=mengyuan
Password:
mengyuan
root
进一步
- etcdctl
-h 查看子命令的帮助(例:etcdctl watch -h) - https://play.etcd.io/play 是网页版集群环境
- etcdctl能够设置
--prefix=true来操作多个指定前缀的key
命令有点原始。。
加‘-w table’或‘--write-out=table’表格形式看就很不错
以下命令可以看到当前leader节点在哪,还有错误信息。都很重要
./etcdctl -w table endpoint --cluster statusthanks,之前回复过别人过这个
https://www.orchome.com/10139
稍后我们更新一下本篇文章。