【ETCD】ETCD常用命令 - 指南

ETCD常用命令

文章目录

ETCD常用命令

资源列表

操作系统	配置	主机名	IP
openEuler	2C4G	etcd1	192.168.93.101
openEuler	2C4G	etcd2	192.168.93.102
openEuler	2C4G	etcd3	192.168.93.103

基础环境

关闭防火墙

systemctl stop firewalld
systemctl disable firewalld

关闭内核安全机制

setenforce 0
sed -i "s/^SELINUX=.*/SELINUX=disabled/g" /etc/selinux/config

修改主机名

hostnamectl set-hostname etcd1
hostnamectl set-hostname etcd2
hostnamectl set-hostname etcd3

一、集群管理命令

etcd是一个命令行的客户端，它提供了一些命令，可以方便我们在对服务进行测试或者手动修改数据库内容。etcd命令基本用法如下所示：

etcdctl [global options] command [command options] [args...]

具体的命令选项可以通过etcd command --help 来获取相关帮助

二、环境变量

如果遇到使用了TLS加密的集群，通常每条指令都需要指定证书路径和etcd节点地址，可以把相关命令行参数添加在环境变量中，在.bashrc添加以下内容。
本次实验不采用TLS

[root@etcd1 ~]# cat ~/.bashrc 
HOST_1=https://192.168.93.101:2379
HOST_2=https://192.168.93.102:2379
HOST_3=https://192.168.93.103:2379
ENDPOINTS=${HOST_1},${HOST_2},${HOST_3}
# 如果需要使用原生命令，在命令开头加一个\ 例如：\etcdctl command
alias etcdctl="etcdctl --endpoints=${ENDPOINTS} --cacert=/root/cfssl/etcd/ca.pem --cert=/root/cfssl/etcd/client.pem --key=/root/cfssl/etcd/client-key.pem"
alias etcdctljson="etcdctl --endpoints=${ENDPOINTS} --cacert=/root/cfssl/etcd/ca.pem --cert=/root/cfssl/etcd/client.pem --key=/root/cfssl/etcd/client-key.pem --write-out=json"
alias etcdctltable="etcdctl --endpoints=${ENDPOINTS} --cacert=/root/cfssl/etcd/ca.pem --cert=/root/cfssl/etcd/client.pem --key=/root/cfssl/etcd/client-key.pem --write-out=table"

三、ETCD常用命令

etcd的常用命令有很多，但不限于获取、删除、查看。

3.1、查看etcd版本

[root@etcd1 ~]# etcdctl version
etcdctl version: 3.4.23
API version: 3.4

3.2、查看etcd结群节点信息

[root@etcd1 ~]# etcdctl member list -w table
+------------------+---------+-------+----------------------------+----------------------------+------------+
|        ID        | STATUS  | NAME  |         PEER ADDRS         |        CLIENT ADDRS        | IS LEARNER |
+------------------+---------+-------+----------------------------+----------------------------+------------+
| 3d33f92152eaee46 | started | etcd3 | http://192.168.93.103:2380 | http://192.168.93.103:2379 |      false |
| 5abc4e842d3ab1d6 | started | etcd2 | http://192.168.93.102:2380 | http://192.168.93.102:2379 |      false |
| f416c4d7e7853c3a | started | etcd1 | http://192.168.93.101:2380 | http://192.168.93.101:2379 |      false |
+------------------+---------+-------+----------------------------+----------------------------+------------+

3.3、查看集群健康状态

[root@etcd1 ~]# cat ~/.bashrc 
HOST_1=http://192.168.93.101:2379
HOST_2=http://192.168.93.102:2379
HOST_3=http://192.168.93.103:2379
ENDPOINTS=${HOST_1},${HOST_2},${HOST_3}
# 如果需要使用原生命令，在命令开头加一个\ 例如：\etcdctl command
alias etcdctl="etcdctl --endpoints=${ENDPOINTS}"

[root@etcd1 ~]# etcdctl endpoint status -w table
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| http://192.168.93.101:2379 | f416c4d7e7853c3a |  3.4.23 |   20 kB |      true |      false |         2 |          8 |                  8 |        |
| http://192.168.93.102:2379 | 5abc4e842d3ab1d6 |  3.4.23 |   20 kB |     false |      false |         2 |          8 |                  8 |        |
| http://192.168.93.103:2379 | 3d33f92152eaee46 |  3.4.23 |   20 kB |     false |      false |         2 |          8 |                  8 |        |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

[root@etcd1 ~]# etcdctl endpoint health -w table
+----------------------------+--------+------------+-------+
|          ENDPOINT          | HEALTH |    TOOK    | ERROR |
+----------------------------+--------+------------+-------+
| http://192.168.93.101:2379 |   true | 1.591124ms |       |
| http://192.168.93.103:2379 |   true | 1.987456ms |       |
| http://192.168.93.102:2379 |   true | 8.935062ms |       |
+----------------------------+--------+------------+-------+

3.4、查看告警事件

如果内部出现了问题，会触发告警，可以通过命令查看告警引起的原因，命令如下所示：

etcdctl alarm <subcommand> [flags]

常用的子命令主要有两个：

# 查看所有告警
etcdctl alarm list
# 解除所有告警
etcdctl alarm disarm

3.5、添加成员

当集群部署完成后，后续可能需要进行节点扩缩容，就可以使用member命令管理节点。先查看当前集群信息。

[root@etcd1 ~]# etcdctl endpoint status --cluster -w table
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| http://192.168.93.103:2379 | 3d33f92152eaee46 |  3.4.23 |   20 kB |     false |      false |         2 |          8 |                  8 |        |
| http://192.168.93.102:2379 | 5abc4e842d3ab1d6 |  3.4.23 |   20 kB |     false |      false |         2 |          8 |                  8 |        |
| http://192.168.93.101:2379 | f416c4d7e7853c3a |  3.4.23 |   20 kB |      true |      false |         2 |          8 |                  8 |        |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

在启动新的etcd节点前，先向etcd集群声明添加节点的peer-urls和节点名称

[root@etcd1 ~]# etcdctl member add etcd4 --peer-urls=http://192.168.93.104:2380
Member  dd2947c31edb0d2 added to cluster b59d820ff8caf3f4
ETCD_NAME="etcd4"
ETCD_INITIAL_CLUSTER="etcd4=http://192.168.93.104:2380,etcd3=http://192.168.93.103:2380,etcd2=http://192.168.93.102:2380,etcd1=http://192.168.93.101:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.93.104:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"

接下来新开启一台etcd服务器，IP地址为192.168.93.104，节点名称是etcd4.

# 以下是 etcd4 的配置文件
# 注意此时 etcd4 要加入的集群是一个已经存在的集群, 所以initial-cluster-state 字段需要设置为 existing 表示加入现有集群
[root@etcd5 ~]# cat /etc/etcd/etcd.conf
# 节点名称
name: "etcd4"
# 数据存储目录
data-dir: "/data/etcd"
# 对外公告的该节点客户端监听地址，这个值会告诉集群中其他节点
advertise-client-urls: "http://192.168.93.104:2379"
# 监听客户端请求的地址列表
listen-client-urls: "http://192.168.93.104:2379,http://127.0.0.1:2379"
# 监听URL，用于节点之间通信监听地址
listen-peer-urls: "http://192.168.93.104:2380"
# 服务端之间通讯使用的地址列表,该节点同伴监听地址，这个值会告诉集群中其他节点
initial-advertise-peer-urls: "http://192.168.93.104:2380"
# etcd启动时，etcd集群的节点地址列表
initial-cluster: "etcd1=http://192.168.93.101:2380,etcd2=http://192.168.93.102:2380,etcd3=http://192.168.93.103:2380,etcd4=http://192.168.93.104:2380"
# etcd集群的初始集群令牌
initial-cluster-token: 'etcd-cluster'
# etcd集群初始化的状态，new代表新建集群，existing表示加入现有集群
initial-cluster-state: 'existing'

# 启动 etcd4
[root@etcd4 ~]# systemctl start etcd
# etcd4 启动后, 查看集群节点信息
[root@etcd1 ~]# etcdctl endpoint status --cluster -w table
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| http://192.168.93.104:2379 |  dd2947c31edb0d2 |  3.4.23 |   20 kB |     false |      false |         2 |         12 |                 12 |        |
| http://192.168.93.103:2379 | 3d33f92152eaee46 |  3.4.23 |   20 kB |     false |      false |         2 |         12 |                 12 |        |
| http://192.168.93.102:2379 | 5abc4e842d3ab1d6 |  3.4.23 |   20 kB |     false |      false |         2 |         12 |                 12 |        |
| http://192.168.93.101:2379 | f416c4d7e7853c3a |  3.4.23 |   20 kB |      true |      false |         2 |         12 |                 12 |        |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

3.6、更新成员

当 etcd 节点故障，启动 etcd 时报错member count is unqueal。如果有保留的数据目录吓下得文件时，可以通过使用member update命令，在保留 etcd 数据得情况下初始化集群数据，重新构建一个新的 etcd 集群节点。
模拟192.168.93.101:2380节点故障，但数据目录文件有备份，启动一个新得节点，地址为:192.168.93.105:2380。

# 停用旧节点
[root@etcd4 ~]# systemctl stop etcd.service
# 把 etcd4 得数据 scp 到 etcd5 节点
[root@etcd4 ~]# scp -r /data/ root@192.168.93.105:/

# 更新节点地址
[root@etcd5 ~]# cat /etc/etcd/etcd.conf 
# 节点名称
name: "etcd4"
# 数据存储目录
data-dir: "/data/etcd"
# 对外公告的该节点客户端监听地址，这个值会告诉集群中其他节点
advertise-client-urls: "http://192.168.93.105:2379"
# 监听客户端请求的地址列表
listen-client-urls: "http://192.168.93.105:2379,http://127.0.0.1:2379"
# 监听URL，用于节点之间通信监听地址
listen-peer-urls: "http://192.168.93.105:2380"
# 服务端之间通讯使用的地址列表,该节点同伴监听地址，这个值会告诉集群中其他节点
initial-advertise-peer-urls: "http://192.168.93.105:2380"
# etcd启动时，etcd集群的节点地址列表
initial-cluster: "etcd1=http://192.168.93.101:2380,etcd2=http://192.168.93.102:2380,etcd3=http://192.168.93.103:2380,etcd4=http://192.168.93.105:2380"
# etcd集群的初始集群令牌
initial-cluster-token: 'etcd-cluster'
# etcd集群初始化的状态，new代表新建集群，existing表示加入现有集群
initial-cluster-state: 'existing'

# 启动新节点
[root@etcd5 ~]# systemctl daemon-reload 
[root@etcd5 ~]# systemctl start etcd.service

执行更新member操作，指定新的节点地址

# ID 为 104 
[root@etcd1 ~]# etcdctl member update dd2947c31edb0d2 --peer-urls=http://192.168.93.105:2380
Member  dd2947c31edb0d2 updated in cluster b59d820ff8caf3f4

查看集群节点信息，节点信息更新完成。

[root@etcd1 ~]# etcdctl endpoint status --cluster -w table
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| http://192.168.93.105:2379 |  dd2947c31edb0d2 |  3.4.23 |   20 kB |     false |      false |         2 |         14 |                 14 |        |
| http://192.168.93.103:2379 | 3d33f92152eaee46 |  3.4.23 |   20 kB |     false |      false |         2 |         14 |                 14 |        |
| http://192.168.93.102:2379 | 5abc4e842d3ab1d6 |  3.4.23 |   20 kB |     false |      false |         2 |         14 |                 14 |        |
| http://192.168.93.101:2379 | f416c4d7e7853c3a |  3.4.23 |   20 kB |      true |      false |         2 |         14 |                 14 |        |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

3.7、删除成员

主要用法如下所示：

etcdctl member remove <memberID> [flags]

模拟192.168.93.105:2380节点下线操作

# 停止 etcd 5的节点
[root@etcd5 ~]# systemctl stop etcd.service

执行删除操作

# dd2947c31edb0d2 为 etcd5 的 ID
[root@etcd1 ~]# etcdctl member remove dd2947c31edb0d2
Member  dd2947c31edb0d2 removed from cluster b59d820ff8caf3f4
[root@etcd1 ~]# etcdctl endpoint status --cluster -w table
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| http://192.168.93.103:2379 | 3d33f92152eaee46 |  3.4.23 |   20 kB |     false |      false |         4 |         21 |                 21 |        |
| http://192.168.93.102:2379 | 5abc4e842d3ab1d6 |  3.4.23 |   20 kB |     false |      false |         4 |         21 |                 21 |        |
| http://192.168.93.101:2379 | f416c4d7e7853c3a |  3.4.23 |   20 kB |      true |      false |         4 |         21 |                 21 |        |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

四、数据库操作命令

4.1、增加(put)

添加一个键值对，基本用法如下所示

etcdctl put [options] <key> <value> [flags]

常用参数如下所示：

参数	功能描述
–perv-kv	输出修改前的键值

注意事项：
- 其中value接受从stdin的输入内容
- 如果value是以横线-开始，将会被视为flag，如果不希望出现这种情况，可以使用两个横线代替–
- 若键已经存在，则进行更新并覆盖原有值，若不存在，则进行添加

[root@etcd1 ~]# etcdctl put name wzh
OK
[root@etcd1 ~]# etcdctl put location -- -shanghai
OK
[root@etcd1 ~]# etcdctl put foo1 bar1
OK
[root@etcd1 ~]# etcdctl put foo2 bar2
OK
[root@etcd1 ~]# etcdctl put foo3 bar3
OK

4.2、查询(get)

查询键值对，基本用法如下所示

etcdctl get [options] <key> [range_end] [flags]

常用参数如下所示

参数	功能描述
–hex	以十六进制形式输出
–limit number	设置是输出结果的最大值
–prefix	根据prefix进行匹配key
–order	对输出结果进行排序，ASCEND或DESCEND
–sort-by	按给定字段排序，CREATE,KEYMODIFY,VALUE,VERSION
–print-value-only	仅输出value值
–from-key	按byte进行比较，获取大于等于指定key的结果
–keys-only	仅获取keys

示例

# 获取键值
[root@etcd1 ~]# etcdctl get name
name
wzh
# 只获取值
[root@etcd1 ~]# etcdctl get location --print-value-only
-shanghai
# 批量取从 foo1-foo3 的值， 不包括 foo3
[root@etcd1 ~]# etcdctl get foo1 foo3 --print-value-only
bar1
bar2
# 批量获取前缀为 foo 的值
[root@etcd1 ~]# etcdctl get --prefix foo --print-value-only
bar1
bar2
bar3
# 批量获取符合前缀的两个值
[root@etcd1 ~]# etcdctl get --prefix --limit=2 foo --print-value-only
bar1
bar2
# 批量获取前缀为 foo 的值， 并排序
[root@etcd1 ~]# etcdctl get --prefix foo --print-value-only --order DESCEND
bar3
bar2
bar1

4.3、删除(del)

删除键值，基本用法如下所示

etcdctl del [options] <key> [range_end] [flags]

常用参数如下所示

参数	功能描述
–prefix	根据prefix进行匹配删除
–prev-kv	输出删除的键值
–form-key	按byte进行比较，删除大于指定key的结果

示例

# 删除name的键值
[root@etcd1 ~]# etcdctl del name
1
# 删除从foo1到foo3且不包含foo3的键值
[root@etcd1 ~]# etcdctl del foo1 foo3
2
# 删除前缀为foo的所有键值
[root@etcd1 ~]# etcdctl del --prefix foo
1

4.4、更新(put覆盖)

若键值已经存在，则进行更新并覆盖原有值，若不存在，则进行添加

4.5、查询键历史记录查询

etcd在每次键值变更时，都会记录变更信息，便于我们查看键变更记录

4.6、监听命令

watch是监听或前缀发生改变的事件流，只要用法如下所示：

etcdctl watch [options] [key or prefix] [range_end] [--] [exec-command arg1 arg2 ...] [flags]

示例如下所示:

# 对某个 key 监听操作, 当 key1 发生改变时, 会返回最新值
[root@etcd1 ~]# etcdctl watch name
# 监听 key 前缀
[root@etcd1 ~]# etcdctl watch name --prefix
# 监听到改变后执行相关操作
[root@etcd1 ~]# etcdctl watch name -- etcdctl get age

4.6、监听单个建

# 启动监听命令
[root@etcd1 ~]# etcdctl watch foo
# 另一个控制台执行新增命令
[root@etcd1 ~]# etcdctl put foo bar
OK
# 观察控制台监听输出
[root@etcd1 ~]# etcdctl watch foo
PUT
foo
bar
# 另一个控制台执行删除命令
[root@etcd1 ~]# etcdctl del foo
1
# 观察控制台监听输出
[root@etcd1 ~]# etcdctl watch foo
PUT
foo
bar
DELETE
foo

4.7、同时监听多个建

# 监听前缀为 foo 的建
[root@etcd1 ~]# etcdctl watch --prefix foo
# 另一个控制台执行操作
[root@etcd1 ~]# etcdctl put foo1 bar1
OK
[root@etcd1 ~]# etcdctl put foo2 bar2
OK
[root@etcd1 ~]# etcdctl del foo1
1
# 观察控制台输出
[root@etcd1 ~]# etcdctl watch --prefix foo
PUT
foo1
bar1
PUT
foo2
bar2
DELETE
foo1
# 监听指定的多个建
[root@etcd1 ~]# etcdctl watch -i 
watch name
watch location
# 另一个控制台执行操作
[root@etcd1 ~]# etcdctl put name wzh
OK
[root@etcd1 ~]# etcdctl del name
1
[root@etcd1 ~]# etcdctl put location shanghai
OK
# 观察控制台输出
[root@etcd1 ~]# etcdctl watch -i 
watch name
watch location
PUT
name
wzh
DELETE
name
PUT
location
shanghai

五、租约命令

租约具有生命周期，需要为租约授予一个TTL(生命周期)，将租约绑定到key上，则key的生命周期与租约一直，可续约，可撤销租约，类似于redis为建设置过期时间。其主要用法如下所示：

etcdctl lease <subcommand> [flags]

5.1、添加租约

主要用法如下所示：

etcdctl lease grant <ttl> [flags]

示例

# 设置 60 秒后过期时间
[root@etcd1 ~]# etcdctl lease grant 60
lease 3c3a9a4cb7661512 granted with TTL(60s)
# 把 foo 和租约绑定, 设置为60秒后过期
[root@etcd1 ~]# etcdctl put --lease=3c3a9a4cb7661512 foo bar
OK
# 租约期内查询键值
[root@etcd1 ~]# etcdctl get foo
foo
bar
# 租约期外查询键值(没有任何回显)
[root@etcd1 ~]# etcdctl get foo

5.2、查看租约

查看租约信息，以便租约或查看租约是否仍然存在或者已过期。
查看租约详情主要用法如下所示：

etcdctl lease timetolive <leaseID> [options] [flags]

示例

# 添加一个 50 秒的租约
[root@etcd1 ~]# etcdctl lease grant 50
lease 3c3a9a4cb7661518 granted with TTL(50s)
# 将 name 键绑定到 3c3a9a4cb7661518 租约上
[root@etcd1 ~]# etcdctl put --lease=3c3a9a4cb7661518 name wzh
OK
# 查看所有租约列表
[root@etcd1 ~]# etcdctl lease list
found 1 leases
3c3a9a4cb7661518
# 查看租约详情, remaining: 剩余时间 keys: 获取租约绑定的 key
[root@etcd1 ~]# etcdctl lease timetolive --keys 3c3a9a4cb7661518
lease 3c3a9a4cb7661518 granted with TTL(50s), remaining(16s), attached keys([name])

5.3、租约续约

通过刷新TTL值来保持续约的有效，使其不会过期。
示例如下所示：

etcdctl lease keep-alive [options] <leaseID> [flags]

示例如下所示

# 设置 60 秒后过期租约
[root@etcd1 ~]# etcdctl lease grant 60
lease 3c3a9a4cb766151c granted with TTL(60s)
# 把 name 和租约绑定, 设置成功后 60 秒后过期
[root@etcd1 ~]# etcdctl put --lease=3c3a9a4cb766151c name wzh
OK
# 自动定时执行续约, 续约成功后每次租约为 60 秒
[root@etcd1 ~]# etcdctl lease keep-alive 3c3a9a4cb766151c
lease 3c3a9a4cb766151c keepalived with TTL(60)
lease 3c3a9a4cb766151c keepalived with TTL(60)
......

5.4、删除租约

通过租约ID撤销租约，撤销租约将删除其所有绑定的key。
主要用法如下所示：

etcdctl lease revoke <leaseID> [flags]

示例如下所示

# 设置 600 秒后过期租约
[root@etcd1 ~]# etcdctl lease grant 600
lease 3c3a9a4cb766151f granted with TTL(600s)
# 把 foo 和租约绑定, 600 秒后过期
[root@etcd1 ~]# etcdctl put --lease=3c3a9a4cb766151f foo bar
OK
# 查看租约详情
[root@etcd1 ~]# etcdctl lease timetolive --keys 3c3a9a4cb766151f
lease 3c3a9a4cb766151f granted with TTL(600s), remaining(574s), attached keys([foo])
# 删除租约
[root@etcd1 ~]# etcdctl lease revoke 3c3a9a4cb766151f
lease 3c3a9a4cb766151f revoked
# 查案续约详情
[root@etcd1 ~]# etcdctl lease timetolive --keys 3c3a9a4cb766151f
lease 3c3a9a4cb766151f already expired
# 获取键值(无任何返回)
[root@etcd1 ~]# etcdctl get foo

5.5、多key同一租约

一个租约支持绑定多个key

[root@etcd1 ~]# etcdctl lease grant 60
lease 3c3a9a4cb7661525 granted with TTL(60s)
[root@etcd1 ~]# etcdctl put --lease=3c3a9a4cb7661525 foo1 bar1
OK
[root@etcd1 ~]# etcdctl put --lease=3c3a9a4cb7661525 foo2 bar2
OK
[root@etcd1 ~]# etcdctl lease timetolive --keys 3c3a9a4cb7661525
lease 3c3a9a4cb7661525 granted with TTL(60s), remaining(29s), attached keys([foo1 foo2])

租约过期后，所有key值都会被删除，因此：
- 当租约只绑定一个key时，想删除这个key，最好的办法是撤销它的租约，而不是直接删除这个key。
- 当租约没有绑定key时，应主动把它撤销掉，单纯删除key后，续约操作持续进行，会造成内存泄漏。
直接删除key的演示：

# 设置租约并绑定 zoo1
[root@etcd1 ~]# etcdctl lease grant 60
lease 3c3a9a4cb766152a granted with TTL(60s)
[root@etcd1 ~]# etcdctl --lease=3c3a9a4cb766152a put zoo1 val1
OK
[root@etcd1 ~]# etcdctl del zoo1
1
# 单纯删除 key 后, 续约操作持续进行, 会造成内存泄漏
[root@etcd1 ~]# etcdctl lease keep-alive 3c3a9a4cb766152a
lease 3c3a9a4cb766152a keepalived with TTL(60)
lease 3c3a9a4cb766152a keepalived with TTL(60)
......

撤销key的续约演示

# 设置租约并绑定 zoo1
[root@etcd1 ~]# etcdctl lease grant 60
lease 3c3a9a4cb766152e granted with TTL(60s)
[root@etcd1 ~]# etcdctl --lease=3c3a9a4cb766152e put zoo1 val1
OK
# 续约
[root@etcd1 ~]# etcdctl lease keep-alive 3c3a9a4cb766152e
lease 3c3a9a4cb766152e keepalived with TTL(60)
lease 3c3a9a4cb766152e expired or revoked.
# 另一个控制台执行
[root@etcd1 ~]# etcdctl lease revoke 3c3a9a4cb766152e
lease 3c3a9a4cb766152e revoked
# 续约撤销并退出
[root@etcd1 ~]# etcdctl lease keep-alive 3c3a9a4cb766152e
lease 3c3a9a4cb766152e keepalived with TTL(60)
lease 3c3a9a4cb766152e expired or revoked.
# 返回为空
[root@etcd1 ~]# etcdctl get zoo1

六、备份恢复命令

主要用于管理节点的快照，其主要用法如下所示：

etcdctl snapshot <subcommand> [flags]

6.1、生成快照

其主要用法如下所示：

etcdctl snapshot save <filename> [flags]

示例如下所示：

etcdctl snapshot save etcd-snapshot.db

6.2、查看快照

其主要用法如下所示：

etcdctl snapshot status <filename> [flags]

示例如下所示：

etcdctl snapshot status etcd-snapshot.db -w table

6.3、恢复快照

其主要用法如下所示：

etcdctl snapshot restore <filename> [options] [flags]

6.4、备份恢复演示

新建一个名为name 的key

[root@etcd1 ~]# etcdctl put name wzh
OK
[root@etcd1 ~]# etcdctl get name
name
wzh
[root@etcd1 ~]# etcdctl endpoint status -w table
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| http://192.168.93.101:2379 | f416c4d7e7853c3a |  3.4.23 |   33 kB |      true |      false |         2 |         45 |                 45 |        |
| http://192.168.93.102:2379 | 5abc4e842d3ab1d6 |  3.4.23 |   25 kB |     false |      false |         2 |         45 |                 45 |        |
| http://192.168.93.103:2379 | 3d33f92152eaee46 |  3.4.23 |   29 kB |     false |      false |         2 |         45 |                 45 |        |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

生成快照，创建名为snap.db的备份文件

[root@etcd1 ~]# etcdctl snapshot save snap.db --endpoints=http://192.168.93.101:2379
{"level":"info","ts":1762233834.5750756,"caller":"snapshot/v3_snapshot.go:119","msg":"created temporary db file","path":"snap.db.part"}
{"level":"info","ts":"2025-11-04T13:23:54.575+0800","caller":"clientv3/maintenance.go:200","msg":"opened snapshot stream; downloading"}
{"level":"info","ts":1762233834.5759904,"caller":"snapshot/v3_snapshot.go:127","msg":"fetching snapshot","endpoint":"http://192.168.93.101:2379"}
{"level":"info","ts":"2025-11-04T13:23:54.576+0800","caller":"clientv3/maintenance.go:208","msg":"completed snapshot read; closing"}
{"level":"info","ts":1762233834.5780404,"caller":"snapshot/v3_snapshot.go:142","msg":"fetched snapshot","endpoint":"http://192.168.93.101:2379","size":"33 kB","took":0.002909912}
{"level":"info","ts":1762233834.57811,"caller":"snapshot/v3_snapshot.go:152","msg":"saved","path":"snap.db"}

查看备份文件详情

[root@etcd1 ~]# ls -lh snap.db 
-rw------- 1 root root 33K 11月  4 13:23 snap.db
[root@etcd1 ~]# etcdctl snapshot status snap.db -w table
+--------+----------+------------+------------+
|  HASH  | REVISION | TOTAL KEYS | TOTAL SIZE |
+--------+----------+------------+------------+
| 28ac4c |       30 |         36 |      33 kB |
+--------+----------+------------+------------+

把快照文件传到其他节点

[root@etcd1 ~]# scp snap.db root@192.168.93.102:/root
[root@etcd1 ~]# scp snap.db root@192.168.93.103:/root

停止所有节点的etcd服务，并删除数据目录

# 所有节点都要执行
systemctl stop etcd
# 删除数据
rm -rf /data/etcd/

在所有节点上开始恢复数据

# etcd1
[root@etcd1 ~]# etcdctl snapshot restore snap.db --name=etcd1 --data-dir=/data/etcd --initial-cluster=etcd1=http://192.168.93.101:2380,etcd2=http://192.168.93.102:2380,etcd3=http://192.168.93.103:2380 --initial-advertise-peer-urls=http://192.168.93.101:2380
{"level":"info","ts":1762234209.7733314,"caller":"snapshot/v3_snapshot.go:296","msg":"restoring snapshot","path":"snap.db","wal-dir":"/data/etcd/member/wal","data-dir":"/data/etcd","snap-dir":"/data/etcd/member/snap"}
{"level":"info","ts":1762234209.7786083,"caller":"membership/cluster.go:392","msg":"added member","cluster-id":"b59d820ff8caf3f4","local-member-id":"0","added-peer-id":"3d33f92152eaee46","added-peer-peer-urls":["http://192.168.93.103:2380"]}
{"level":"info","ts":1762234209.778708,"caller":"membership/cluster.go:392","msg":"added member","cluster-id":"b59d820ff8caf3f4","local-member-id":"0","added-peer-id":"5abc4e842d3ab1d6","added-peer-peer-urls":["http://192.168.93.102:2380"]}
{"level":"info","ts":1762234209.7787428,"caller":"membership/cluster.go:392","msg":"added member","cluster-id":"b59d820ff8caf3f4","local-member-id":"0","added-peer-id":"f416c4d7e7853c3a","added-peer-peer-urls":["http://192.168.93.101:2380"]}
{"level":"info","ts":1762234209.7882888,"caller":"snapshot/v3_snapshot.go:309","msg":"restored snapshot","path":"snap.db","wal-dir":"/data/etcd/member/wal","data-dir":"/data/etcd","snap-dir":"/data/etcd/member/snap"}

# etcd2
[root@etcd2 ~]# etcdctl snapshot restore snap.db --name=etcd2 --data-dir=/data/etcd --initial-cluster=etcd1=http://192.168.93.101:2380,etcd2=http://192.168.93.102:2380,etcd3=http://192.168.93.103:2380 --initial-advertise-peer-urls=http://192.168.93.102:2380
{"level":"info","ts":1762234209.7753522,"caller":"snapshot/v3_snapshot.go:296","msg":"restoring snapshot","path":"snap.db","wal-dir":"/data/etcd/member/wal","data-dir":"/data/etcd","snap-dir":"/data/etcd/member/snap"}
{"level":"info","ts":1762234209.7921374,"caller":"membership/cluster.go:392","msg":"added member","cluster-id":"b59d820ff8caf3f4","local-member-id":"0","added-peer-id":"3d33f92152eaee46","added-peer-peer-urls":["http://192.168.93.103:2380"]}
{"level":"info","ts":1762234209.7922328,"caller":"membership/cluster.go:392","msg":"added member","cluster-id":"b59d820ff8caf3f4","local-member-id":"0","added-peer-id":"5abc4e842d3ab1d6","added-peer-peer-urls":["http://192.168.93.102:2380"]}
{"level":"info","ts":1762234209.7922487,"caller":"membership/cluster.go:392","msg":"added member","cluster-id":"b59d820ff8caf3f4","local-member-id":"0","added-peer-id":"f416c4d7e7853c3a","added-peer-peer-urls":["http://192.168.93.101:2380"]}
{"level":"info","ts":1762234209.7970464,"caller":"snapshot/v3_snapshot.go:309","msg":"restored snapshot","path":"snap.db","wal-dir":"/data/etcd/member/wal","data-dir":"/data/etcd","snap-dir":"/data/etcd/member/snap"}

# etcd3
[root@etcd3 ~]# etcdctl snapshot restore snap.db --name=etcd3 --data-dir=/data/etcd --initial-cluster=etcd1=http://192.168.93.101:2380,etcd2=http://192.168.93.102:2380,etcd3=http://192.168.93.103:2380 --initial-advertise-peer-urls=http://192.168.93.103:2380
{"level":"info","ts":1762234209.7737963,"caller":"snapshot/v3_snapshot.go:296","msg":"restoring snapshot","path":"snap.db","wal-dir":"/data/etcd/member/wal","data-dir":"/data/etcd","snap-dir":"/data/etcd/member/snap"}
{"level":"info","ts":1762234209.7843802,"caller":"membership/cluster.go:392","msg":"added member","cluster-id":"b59d820ff8caf3f4","local-member-id":"0","added-peer-id":"3d33f92152eaee46","added-peer-peer-urls":["http://192.168.93.103:2380"]}
{"level":"info","ts":1762234209.7845335,"caller":"membership/cluster.go:392","msg":"added member","cluster-id":"b59d820ff8caf3f4","local-member-id":"0","added-peer-id":"5abc4e842d3ab1d6","added-peer-peer-urls":["http://192.168.93.102:2380"]}
{"level":"info","ts":1762234209.7845669,"caller":"membership/cluster.go:392","msg":"added member","cluster-id":"b59d820ff8caf3f4","local-member-id":"0","added-peer-id":"f416c4d7e7853c3a","added-peer-peer-urls":["http://192.168.93.101:2380"]}
{"level":"info","ts":1762234209.7922416,"caller":"snapshot/v3_snapshot.go:309","msg":"restored snapshot","path":"snap.db","wal-dir":"/data/etcd/member/wal","data-dir":"/data/etcd","snap-dir":"/data/etcd/member/snap"}

所有节点重启etcd服务

systemctl restart etcd

查看验证

[root@etcd1 ~]# etcdctl endpoint status -w table --endpoints=http://192.168.93.101:2379,http://192.168.93.102:2379,http://192.168.93.103:2379
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| http://192.168.93.101:2379 | f416c4d7e7853c3a |  3.4.23 |   33 kB |      true |      false |         2 |          8 |                  8 |        |
| http://192.168.93.102:2379 | 5abc4e842d3ab1d6 |  3.4.23 |   33 kB |     false |      false |         2 |          8 |                  8 |        |
| http://192.168.93.103:2379 | 3d33f92152eaee46 |  3.4.23 |   33 kB |     false |      false |         2 |          8 |                  8 |        |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

重启etcd后，仍能正常获取name的值，并且节点ID未发生改变

七、用户管理命令

etcd默认是没有开启访问控制的，如果开启外网访问etcd的话就需要考虑访问控制的问题，etcd提供了两种访问控制的方式：
- 基于身份验证的访问控制
- 基于证书的访问控制
从v3.2版本开始，如果使用参数-- client-cert-auth=true启动etcdu武器，则客户端的TLS证书红的“通用名称（CN）”字段将用作etcd用户。在这种情况下，公用名将对用户进行身份验证，并且客户端不需要密码。如果同时传递了–client-cert-auth=true且客户端提供了CN，并且客户端提供了用户名和密码，则将优先考虑基于用户名和密码的身份验证。
etcd有一个特殊用户root和一个特殊角色root：
- root用户：root用户是etcd角色的超级管理员，拥有etcd的所有权限，在开启角色认证之前必须要先建立好root用户
- root角色：具有该root角色的用户既具有全局读写访问权限，具有更新集群的身份验证配置和权限。此外，该root角色还授予常规集群维护的特权，包括修改集群成员资格，对存储进行碎片整理以及拍摄快照。
etcd的权限资源：
- Users：user用来设置身份认证（user:passwd），一个用户可以拥有多个角色，每个角色被分配一定的权限（只读、只写、可读写），用户分为root用户和非root用户。
- Roles：角色用来关联权限，角色主要三类：
  - root角色：默认创建root用户时即创建了root角色，该角色拥有所有权限；
  - guest角色：默认自动创建，主要用于非认证使用。普通角色，由root用户创建角色，并分配指定权限。
  - Permissions：权限分为只读、只写、可读写三种权限，权限即对指定目录或key的读写权限。
如果没有指定任何验证方式，即未显示指定以什么用户进行访问，那么会默认会设置为guest角色。默认情况下guest也是具有全局访问权限的。

7.1、用户管理

其主要用法如下所示：

etcdctl user <subcommand> [flags]

其主要子命令主要如下所示：

子命令	常用用法	功能描述
add	etcdctl user add < user name or user:password > [options] [flags]	添加新用户
delete	etcdctl user delete < user name > [flags]	删除用户
list	etcdctl user list [flags]	列出所有用户
get	etcdctl user get < user name [options] [flags]	获取用户详细信息
passwd	etcdctl user passwd < user name > [options] [flags]	修改密码
grant-role	etcdctl user grant-role < user name > < role name > [flags]	赋予用户角色
revoke-role	etcdctl user revoke-role < user name > < role name > [flags]

7.2、角色管理

其主要用法如下所示：

etcdctl role <subcommand> [flags]

其主要子命令主要如下所示：

子命令	常用用法	功能描述
add	etcdctl role add < role name [flags]	添加角色
delete	etcdctl role delete [flags]	删除角色
list	etcdctl role list [flags]	列出所有角色
get	etcdctl role get [flags]	获取角色详情
grant-permission	etcdctl role grant-permission [options] < role name > < permission tye > < < key > > [endkey] [flags]	把key操作权限授予一个角色
revoke-permission	etcdctl role revoke-permission < role name > < key > [endkey] [flags]

7.3、开启root身份验证

在开启身份验证后，注意事项如下所示：
- 开启身份验证：所有etcdctl命令操作都需要指定用户参数–user，参数值为用户名:密码
- 开启证书验证：所有etcdctl命令操作都需要添加证书参数–cacert
开启root身份验证的步骤如下所示：

# 添加 root 用户, 密码为 123456
[root@etcd1 ~]# etcdctl user add root:123456
User root created
# 开启身份验证, 开启为 enable, 取消为 disable
[root@etcd1 ~]# etcdctl auth enable --user=root:123456
{"level":"warn","ts":"2025-11-04T15:45:30.570+0800","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-a1a91c15-df9d-4e6f-80d3-7f388e9188f4/127.0.0.1:2379","attempt":0,"error":"rpc error: code = FailedPrecondition desc = etcdserver: authentication is not enabled"}
{"level":"warn","ts":"2025-11-04T15:45:30.575+0800","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-a1a91c15-df9d-4e6f-80d3-7f388e9188f4/127.0.0.1:2379","attempt":0,"error":"rpc error: code = FailedPrecondition desc = etcdserver: root user does not have root role"}
Authentication Enabled
# 开启身份验证后, 直接获取键值报错
[root@etcd1 ~]# etcdctl get name
{"level":"warn","ts":"2025-11-04T15:47:25.710+0800","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-09b2c5c3-3be4-45f9-8465-cb85c80dfc80/127.0.0.1:2379","attempt":0,"error":"rpc error: code = InvalidArgument desc = etcdserver: user name is empty"}
Error: etcdserver: user name is empty
# 添加用户信息访问
[root@etcd1 ~]# etcdctl get name --user=root:123456
name
wzh

7.4、角色授权

在开启了root身份验证后，就可以对普通用户和角色操作了

7.4.1、用户增删改查

# 添加普通
[root@etcd1 ~]# etcdctl user add test:123 --user=root:123456
User test created
# 用户用户信息
[root@etcd1 ~]# etcdctl user get test --user=root:123456
User: test
Roles:
# 查看所有用户
[root@etcd1 ~]# etcdctl user list --user=root:123456
root
test
# 修改用户密码
[root@etcd1 ~]# etcdctl user passwd test --user=root:123456
Password of test:
Type password of test again for confirmation:
Password updated
# 删除用户
[root@etcd1 ~]# etcdctl user delete test --user=root:123456
User test deleted

7.4.2、用户角色绑定

# 增加普通用户
[root@etcd1 ~]# etcdctl user add test:123 --user=root:123456
User test created
# 添加角色
[root@etcd1 ~]# etcdctl role add test-role --user=root:123456
Role test-role created
# 将角色绑定给指定用户
[root@etcd1 ~]# etcdctl user grant-role test test-role --user=root:123456
Role test-role is granted to user test
# 查看用户信息
[root@etcd1 ~]# etcdctl user get test --user=root:123456
User: test
Roles: test-role

7.4.3、角色授权

权限分为：只读（read），只写（write）和读写（readwrite）权限

# 使用 test 用户获取 name 值会报错, 权限拒绝
[root@etcd1 ~]# etcdctl get name --user=test:123
{"level":"warn","ts":"2025-11-04T16:00:59.605+0800","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-af949a12-8f25-4070-8fef-b7bad516d71b/127.0.0.1:2379","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}
Error: etcdserver: permission denied
# 按 key 进行授权, test-role 角色可以读写 name
[root@etcd1 ~]# etcdctl role grant-permission test-role readwrite name --user=root:123456
Role test-role updated
# 查看角色权限详情
[root@etcd1 ~]# etcdctl role get test-role --user=root:123456
Role test-role
KV Read:
name
KV Write:
name
# 撤销角色权限
[root@etcd1 ~]# etcdctl role revoke-permission test-role name --user=root:123456
Permission of key name is revoked from role test-role
# 查看角色权限详情
[root@etcd1 ~]# etcdctl role get test-role --user=root:123456
Role test-role
KV Read:
KV Write:

posted @ 2025-12-06 13:24 clnchanpin 阅读(41) 评论(0) 收藏举报

刷新页面返回顶部