
Munish Kumar Anand:
Dear, I would like to get some clarity on etcd backup and restore. I have a setup in my lab. We have one master, one worker and one director node (from where we can run all k8s commands including etcdctl). The scenario is that we have etcd running on the master node. We have to take a backup of etcd from the director. There are cert files provided on the director node, so taking a backup is easy by following: etcdctl snapshot save --cacert= --cert= --key= --endpoints=<ip-of-master>:2379. But we have an old backup provided on the director node and we have to restore that backup to the master. But I am not sure if we have to use the cert files provided on the director node or have to use the same cert files already used in the etcd.yaml file for running the etcdctl backup restore command, because the path of the certs in etcd.yaml and the ones on the director node are different. If anyone can throw some light on this, it would be great.

Deirdre Rodgers:
Yes, I agree this is confusing. I would also like some clarification.

Broc:
“I don’t know which cert to use for backup and restore” ----> You have to use the certificate that was generated for etcd server.

“I don’t know which certs are generated for etcd server” ----------> Open the cert to find the “subject name”. You should probably see the etcd term in it. But it depends on the naming convention you provide.

But if you see human names like ‘john’ or ‘user1’, then that certificate was most likely given to you to run kubectl commands from the director node. It’s cert authentication. You probably would have created a kubeconfig with that.

Or you can just run the etcdctl command to show the member list with the certs you are uncertain about.

I believe you have the cluster components running as pods. It should probably be the location mentioned in the etcd.yaml file you quoted. But that’s my hunch. I cannot confirm until I see the setup.

Munish Kumar Anand:
Hi Broc, thanks for the reply. But my question was a bit different, sorry for the confusion. Let me rephrase my question, please. On the director node, I have been provided with certs like /opt/cert. This directory has key, cert and ca-cert files, and I have to use these to take the etcd backup. It is a simple task; I can do it using etcdctl snapshot save and passing this directory structure for the required certs. My main confusion is about restore. There is some old backup on the director node under /opt/backup/ which I have to use for restore. When I checked the etcd.yaml file on the master node, I see that the cert path, cacert path and keyfile path are different, like /var/lib/k8s/. Now during the backup restore, I have to run etcdctl snapshot restore with cacert, cert, key and some other arguments. My question is: during backup, do I need to use the /var/lib/k8s/ or the /opt/ path, because it is not clear which certs are to be used during backup, i.e. should I use the existing certs which are present in etcd.yaml or the ones I used during backup?

Deepak Ladwa:
You can try to copy the restore directory to the master node and then issue a restore command without cert (from master node only). And finally change the etcd configuration to point to the restore path.

Deepak Ladwa:
The step is with the assumption that the etcdctl utility is also available on the master node.

Mrudul Palvankar:
I do not think you have /var/lib/k8s/ on the director node, so you will not be able to use the certs from /var/lib/k8s/ for the restore command on the director node.

Mrudul Palvankar:
Hence there are two options: 1. use the certs from /opt/cert for the restore command, or 2. as suggested by Deepak, copy the backup to the master node and run the restore command from the master without certs.

Mrudul Palvankar:
And if you do not have the etcdctl utility on the master node, install it with apt install etcd-client.

Munish Kumar Anand:
Thanks @Deepak Ladwa and @Mrudul Palvankar for your comments. I will try and provide my feedback… Thanks again.

Deepak Ladwa:
@Munish Kumar Anand Thanks for trying this scenario in a local setup. For sure this will help.

Deepak Ladwa:
@Munish Kumar Anand Any luck with the restoration procedure? Just curious to know.