Alvin Lucillo

Backing up etcd


Suppose you need to back up etcd to /opt/etcd-backup.db on the controlplane node.

  1. Check the static pod manifest for etcd: cat /etc/kubernetes/manifests/etcd.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/etcd.advertise-client-urls: https://192.168.104.53:2379
  creationTimestamp: null
  labels:
    component: etcd
    tier: control-plane
  name: etcd
  namespace: kube-system
spec:
  containers:
    - command:
        - etcd
        - --advertise-client-urls=https://192.168.104.53:2379
        - --cert-file=/etc/kubernetes/pki/etcd/server.crt
        - --client-cert-auth=true
        - --data-dir=/var/lib/etcd
        - --experimental-initial-corrupt-check=true
        - --experimental-watch-progress-notify-interval=5s
        - --initial-advertise-peer-urls=https://192.168.104.53:2380
        - --initial-cluster=controlplane=https://192.168.104.53:2380
        - --key-file=/etc/kubernetes/pki/etcd/server.key
        - --listen-client-urls=https://127.0.0.1:2379,https://192.168.104.53:2379
        - --listen-metrics-urls=http://127.0.0.1:2381
        - --listen-peer-urls=https://192.168.104.53:2380
        - --name=controlplane
        - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
        - --peer-client-cert-auth=true
        - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
        - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
        - --snapshot-count=10000
        - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
      image: registry.k8s.io/etcd:3.5.16-0
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 8
        httpGet:
          host: 127.0.0.1
          path: /livez
          port: 2381
          scheme: HTTP
        initialDelaySeconds: 10
  1. Take note of the values of these parameters used in the etcd command in the manifest:
  • --listen-client-urls=https://127.0.0.1:2379,https://192.168.104.53:2379
  • --cert-file=/etc/kubernetes/pki/etcd/server.crt
  • --key-file=/etc/kubernetes/pki/etcd/server.key
  • --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
  1. Use the values from the manifest in the etcdctl command:
sudo ETCDCTL_API=3 etcdctl \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  snapshot save /opt/etcd-backup.db
Snapshot saved at /opt/etcd-backup.db
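
The three steps above can be scripted. This is an added example, not code from the original post: it reads the four flags from the manifest and maps them to etcdctl options, preferring the loopback endpoint. The function names are made up for this example, and it assumes the kubeadm layout shown above, with one flag per line in the command list.

```bash
#!/usr/bin/env bash
# Added example: build the etcdctl connection flags from the kubeadm etcd manifest.
# Function names are hypothetical; assumes one "- --flag=value" entry per line.

# Print the value of one "--<name>=<value>" entry from the command list.
# Anchoring on "- --<name>=" keeps --cert-file from matching --peer-cert-file.
manifest_flag() {   # usage: manifest_flag <manifest> <flag-name>
  sed -n "s/^[[:space:]]*-[[:space:]]*--$2=\(.*\)$/\1/p" "$1" | head -n 1
}

# Prefer the loopback client URL; fall back to the first URL listed.
pick_endpoint() {   # usage: pick_endpoint <comma-separated-urls>
  local urls first
  urls=$(printf '%s\n' "$1" | tr ',' '\n')
  first=$(printf '%s\n' "$urls" | head -n 1)
  printf '%s\n' "$urls" | grep -m1 '//127\.0\.0\.1:' || printf '%s\n' "$first"
}

# Emit the etcdctl flags, one per line; fail if the manifest lacks any of them.
etcdctl_flags() {   # usage: etcdctl_flags <manifest>
  local m="$1" urls ca cert key
  urls=$(manifest_flag "$m" listen-client-urls)
  ca=$(manifest_flag "$m" trusted-ca-file)
  cert=$(manifest_flag "$m" cert-file)
  key=$(manifest_flag "$m" key-file)
  if [ -z "$urls" ] || [ -z "$ca" ] || [ -z "$cert" ] || [ -z "$key" ]; then
    echo "missing etcd flag in $m" >&2
    return 1
  fi
  printf '%s\n' "--endpoints=$(pick_endpoint "$urls")" \
    "--cacert=$ca" "--cert=$cert" "--key=$key"
}

# Save the snapshot. It holds every object in the cluster, Secrets included,
# so umask 077 keeps the file readable by its owner only.
backup_etcd() {   # usage: backup_etcd <manifest> <snapshot-path>
  local flags
  flags=$(etcdctl_flags "$1") || return 1
  # $flags is left unquoted on purpose: one flag per word (paths without spaces).
  ( umask 077; ETCDCTL_API=3 etcdctl $flags snapshot save "$2" )
}

# Runs only when called as: script <manifest> <snapshot-path>
if [ "$#" -eq 2 ]; then backup_etcd "$1" "$2"; fi
```

Run it as root with /etc/kubernetes/manifests/etcd.yaml and /opt/etcd-backup.db as the two arguments to reproduce the command from the last step.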