Glen Pitt-Pladdy :: BlogKubernetes to learn Part 2 | |||
So far I've built a basic Kubernetes cluster with one master and two worker (minion) nodes. This time I'm going to be looking at building on that to give us HA masters. As part of this I'm adding another two worker nodes and will use the first three nodes (original cluster) to run the HA master. There are many different approaches to this, but for simplicity here I'm using a static configuration to make etcd redundant. etcd - adding nodesGetting this working had proved problematic, and once again I suspect subtle differences between versions/distros and the way they do things. Since we've already got data in etcd on the first node, I'm going to hot-add nodes so far as possible. This isn't completely possible if you've followed the very basic config in Part 1, but if you are doing this for real from the start then the process can be made much cleaner with a little planning. It's worth noting that since all these services communicate over the network, there's no reason why etcd has to be on specific nodes - we could theoretically create an etcd cluster separate from other master services and that might make a lot of sense on a very large scale. On the other etcd nodes I'm just installing: # yum install etcd Then some basic configuration in /etc/etcd/etcd.conf to prepare: ETCD_NAME=node1 Note that now that we're putting more nodes in, having unique node names (rather than "default") becomes important. Since we'll be adding this node to an existing cluster we'll set up the other nodes that it will need awareness of and set it to join an existing cluster rather than the default of being a new cluster. Note that we only add one extra node. This is due to needing 3 nodes before the cluster is redundand, but more about that later: ETCD_INITIAL_CLUSTER="node0=http://10.146.47.100:2380,node1=http://10.146.47.110:2380" Our existing etcd node was configured (default) to only listen on localhost so we need to change that in it's /etc/etcd/etcd.conf and restart it: ETCD_LISTEN_PEER_URLS="http://10.146.47.100:2380" Since our existing etcd node has already picked up an address for peers based on the main (default route) interface, we have to change that to our private network. You won't have to do this if everything is in a flat network. # etcdctl member list Now this is the critical step that doesn't seem to be mentioned consistently - we need to explicitly tell our existing etcd node about the other cluster members before we can add them else you will get errors along the lines of "error validating peerURLs ..........: member count is unequal". This is done by adding the name and url of each on the existing etcd node with: # etcdctl member list Since etcd works on the basis that for a cluster to be working it must have N/2+1 nodes active (I won't go into the computer science why this is necessary other than to say we need to get a majority vote), adding a second node that is not running immediately stops the cluster. This is important to remember since to accommodate failure of 1 node requires at minimum 3. At this point we can start the second node: # systemctl enable etcd.service And now we should see both nodes irrespective of which node we run this on: # etcdctl member list Since we need redundancy, we need to configure our 3rd node in the same manner as above except on it's IP address and setting all 3 nodes in the configuration: ETCD_INITIAL_CLUSTER="node0=http://10.146.47.100:2380,node1=http://10.146.47.110:2380,node2=http://10.146.47.120:2380" And then add this to the cluster, but this time the cluster will not go down because we will have the 2 of 3 nodes, and this allows us to list the cluster again before we start the 3rd node: # etcdctl member list Then on the 3rd node start etcd: # systemctl enable etcd.service This should leave us with all 3 nodes running: # etcdctl member list At this point we have a 3 node etcd cluster which can tolerate the failure of 1 node. That's far from our multi-master setup being complete, but a good step forward. It is probably a good idea to align the configuration across all 3 nodes for consistency, even though it's not altogether necessary with the way that etcd works. This is more to be clear to any humans looking at the configuration of one node what is going on across the lot. If things go wrongThe problem you might hit here is if there is a problem with your 2nd node when you only have 2 nodes in the cluster, or you break 2 out of the 3 node cluster. This will take the cluster down. While etcd tries to elect between nodes, if you need to re-create nodes this will be a problem since you could get yourself in a situation where you need to go back to a single node when experimenting. Beware that the process here needs to be treated cautously since we are deliberately stripping the cluster back to one node, deleting data on other nodes and re-adding them. This could result in data loss so ensure you have taken precautions to be able to recover. This can be done by ensuring that all nodes are down, and setting this line temporarily in /etc/etcd/etc.conf to tell it to start as if it's the only node again: ETCD_FORCE_NEW_CLUSTER="true" Then start up this node. You should see in the member list that there is only this node. Immediately remove this config so it doesn't get used again. If the single node is working as exected (eg. test with "etcdctl ls" to see if there's data in it still), you can remove the data on the next node we are going to add to the cluster: # rm -rf /var/lib/etcd/default.etcd/ And then go through the process of re-adding. You can repeat this for further nodes until the cluster is fully running again. Using the etcd clusterWhile we have a cluster, services are still all pointing everything to the single etcd node. We need to change the configuration to point to multiple nodes. In /etc/kubernetes/apiserver set all nodes and restart the service: KUBE_ETCD_SERVERS="--etcd-servers=http://10.146.47.100:2379,http://10.146.47.110:2379,http://10.146.47.120:2379" For all worker nodes we need to set flannel to use all the etcd endpoints in /etc/sysconfig/flanneld with in a similar way and restart the service: FLANNEL_ETCD_ENDPOINTS="http://10.146.47.100:2379,http://10.146.47.110:2379,http://10.146.47.120:2379" BackupsWhile HA is good for keeping things up, the last safety-net when everything goes bad is to have a backup. With etcd we can explicitly tell it to make a backup specifying the data path with: # etcdctl backup --data-dir /var/lib/etcd/default.etcd/ This will create a backup in the current directory, else you can use the --backup-dir option to specify another location. This should work by creating a replica snapshot of the data directory, however watch out for permissions since the files will be created owned by the user who ran etcdctl (eg. root) and the real files have ownership etcd.etcd which obviously is important. All going to plan these files could be replaced with a backup on a single node and started up as described under "If things go wrong" above to bring up the first node in a cluster. This is something that should be tested routinely to ensure your backups can be fully restored. There is further information on this in the CoreOS Admin Guide ThoughtsAt this point our etcd should be capable of tolerating a failure of a single node. Other master services (eg. apiserver) are not yet redundant so that will be the next thing we look at. While there's lots of information available, sometimes getting the particular information that's relevant is not so easy. That's made getting this setup a lot harder work than it strictly needed to be. |
|||
|
Disclaimer: This is a load of random thoughts, ideas and other nonsense and is not intended to be taken seriously. I have no idea what I am doing with most of this so if you are stupid and naive enough to believe any of it, it is your own fault and you can live with the consequences. More importantly this blog may contain substances such as humor which have not yet been approved for human (or machine) consumption and could seriously damage your health if taken seriously. If you still feel the need to litigate (or whatever other legal nonsense people have dreamed up now), then please address all complaints and other stupidity to yourself as you clearly "don't get it".
Copyright Glen Pitt-Pladdy 2008-2023
|
|||
Comments: