https://wiki.sanxian.tech/api.php?action=feedcontributions&feedformat=atom&user=Admin
三线的随记 - 用户贡献 [zh-cn]
2026-04-09T11:07:10Z
用户贡献
MediaWiki 1.41.0
https://wiki.sanxian.tech/index.php?title=%E5%AE%B9%E5%99%A8%E5%8C%96freessl-acme.sh%E6%9B%B4%E6%96%B0nginx%E5%AE%9E%E7%8E%B0https%E8%AF%81%E4%B9%A6%E8%87%AA%E5%8A%A8%E7%BB%AD%E6%9C%9F&diff=1694
容器化freessl-acme.sh更新nginx实现https证书自动续期
2026-04-09T09:19:51Z
<p>Admin:</p>
<hr />
<div>'''⚠️ 注意:freessl目前acme地址已经更改为litessl.com。下述内容并没有跟进此更新,仅供参考'''<br />
<br />
=== 赘述 ===<br />
由于有一定的OS环境洁癖,所以不打算直接在Linux OS环境中直接安装acme.sh,采用容器化的方式安装acme.sh<br />
<br />
acme.sh官方其实有做好的docker images,但是由于太闲了所以又重新写了一份(班门弄斧)<br />
<br />
=== 正题1: 制作能自签域名证书的镜像 ===<br />
先构建一个带有 acme.sh 基础镜像<br />
cat <<\EOF > acme.sh.Dockerfile<br />
FROM alpine:3.15.3<br />
RUN apk --no-cache add curl wget openssl && \<br />
rm -rf /var/cache/apk && \<br />
curl -s <nowiki>https://get.acme.sh</nowiki> | sh -s email=my@example.com<br />
WORKDIR /root/.acme.sh<br />
ENTRYPOINT ["/usr/sbin/crond", "-f", "-S","/dev/stdout"]<br />
EOF<br />
<br />
docker build -f acme.sh.Dockerfile -t san3xian/freessl_acme.sh:v2 .<br />
然后到<nowiki/>https://freessl.cn/acme-deploy 注册登陆<br />
<br />
并在该站点的 [https://freessl.cn/acme-deploy acme页面中]添加域名,完成域名的DCV预检测(即配置CNAME,域名解析状态可以在这里查询: https://myssl.com/dns_check.html)<br />
<br />
获取token (即ACME 地址中 ****/directory/ 后的字符串)<br />
<br />
接着根据实际需求构建域名专属acme镜像用于签发证书,安装证书以及触发 容器化或者节点直接部署运行的nginx reload(后面按需运行的时候修改该容器pid mode和reloadcmd即可)<br />
<br />
这里 <code>--issue</code> 命令中由于没有带--days参数,所以默认签的是60天的证书<br />
<br />
将下述内容按需修改存于Dockerfile中<br />
FROM san3xian/freessl_acme.sh:v2<br />
<br />
ARG acme_token="your_token" \<br />
acme_domain="your_domain"<br />
RUN /root/.acme.sh/acme.sh --issue -d ${acme_domain} --dns dns_dp \<br />
--server <nowiki>https://acme.freessl.cn/v2/DV90/directory/${acme_token}</nowiki> && \<br />
mkdir -pv /certs && \<br />
/root/.acme.sh/acme.sh --install-cert -d ${acme_domain} \<br />
--key-file /certs/${acme_domain}_key.pem \<br />
--fullchain-file /certs/${acme_domain}_cert.pem \<br />
--reloadcmd "/bin/kill -s HUP 1"<br />
使用docker build构建镜像<br />
docker build -t san3xian/freessl_acme.sh:yourdomain .<br />
如果上述步骤都没错的话,在构建这个带有域名证书信息的镜像的时候,就能看到申请下来的证书会被打印输出到控制台<br />
<br />
并且根据回显内容可知,申请下来的证书保存在了 <code>/root/.acme.sh/${acme_domain}/</code> 路径下,而且证书会被拷贝一份到 <code>/certs</code> 路径下(此路径按实际需求在Dockerfile中修改即可)<br />
<br />
在freessl.cn的acme页面中也能看到相应的客户端ID信息<br />
<br />
证书的相关配置信息(如install-path和ReloadCmd)在<code>/root/.acme.sh/${acme_domain}/${acme_domain}.conf</code> 文件中<br />
<br />
到这里acme.sh自动签证书的步骤就已经基本做完了<br />
<br />
acme.sh配置参考: https://blog.freessl.cn/acme-quick-start/<br />
<br />
<br />
=== 正题2: 适配实际的tls证书使用环境 ===<br />
如前所述,本文是为了用容器化的freessl acme.sh向容器化的nginx进行证书自签,所以下面还会有docker-compose的内容,当然实际操作中用docker run 直接运行容器也可以<br />
<br />
前提展开: 由于我这里nginx容器是使用常规镜像启动的,所以我的nginx master的pid在容器的PID namespace就会是1,遂在上文的reloadcmd 中写死了pid<br />
<br />
然后我的docker-compose.yml是在server文件夹下的,所以docekr-compose拉起的容器默认会带 <code>server_</code> 前缀,即如docker-compose help中所述:<br />
docker-compose --help <br />
-p, --project-name NAME Specify an alternate project name<br />
(default: directory name)<br />
docker-compose.yml内容,部分内容按实际需求修改<br />
version: "2"<br />
<br />
services:<br />
nginx:<br />
restart: always<br />
image: nginx:1.21-alpine<br />
volumes:<br />
- "/var/lib/nginx/conf.d:/etc/nginx/conf.d"<br />
- "/var/lib/nginx/nginx.conf:/etc/nginx/nginx.conf"<br />
- "/var/lib/nginx/certs:/etc/nginx/certs"<br />
- "/var/lib/nginx/sites-enabled:/etc/nginx/sites-enabled"<br />
ports: <br />
- "80:80" # http port for private network<br />
- "443:443" # https port for private network<br />
freessl:<br />
restart: always<br />
image: san3xian/freessl_acme.sh:yourdomain #修改为你在上文实际打出来的容器镜像<br />
volumes:<br />
- "/var/lib/nginx/certs:/certs"<br />
tty: true # alpine下不分配伪tty的话BusyBox crond会有的日志不输出到stdout<br />
pid: container:server_nginx_1 # 与nginx共享同一个PID namespace, 这里暂时没有找到在docker-compose文件中关联其它container的写法,所以只能完全写死容器名了<br />
可见freessl 和 nginx 容器都挂载了同一个/var/lib/nginx/certs目录,这样nginx就能读到由freessl acme.sh自签下发的tls证书<br />
<br />
接着docker-compose up -d 启动了相应的容器后<br />
<br />
由于在前文签证书的时候,freessl acme.sh容器中/certs路径还没挂载到节点上,所以此时还需要重新拷贝/签一份证书到certs路径下<br />
docker exec server_freessl_1 "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --force<br />
如果上述步骤都没错的话,此时nginx也会被触发reload,可以docker logs server_nginx_1 看相关信息,按照实际修改nginx的配置以让tls证书生效即可<br />
<br />
由于freessl acme.sh容器中还有crond的守护进程运行着,所以acme.sh也会被定时触发,可以通过docker logs server_freessl_1看相关日志<br />
<br />
crontab -l 也可以看到相关任务定时触发配置信息,建议按需将acme.sh触发命令的重定向( <code>> /dev/null</code> )去除以方便查看acme.sh的cron日志<br />
[root@localhost server]# docker exec server_freessl_1 crontab -l<br />
# do daily/weekly/monthly maintenance<br />
# min hour day month weekday command<br />
*/15 * * * * run-parts /etc/periodic/15min<br />
0 * * * * run-parts /etc/periodic/hourly<br />
0 2 * * * run-parts /etc/periodic/daily<br />
0 3 * * 6 run-parts /etc/periodic/weekly<br />
0 5 1 * * run-parts /etc/periodic/monthly<br />
<br />
1 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null<br />
<br />
如果需要添加多个域名的话,可以直接在freessl容器中运行命令<br />
/root/.acme.sh/acme.sh --issue -d ${acme_domain} --dns dns_dp --server <nowiki>https://acme.freessl.cn/v2/DV90/directory/${acme_token}</nowiki><br />
和<br />
/root/.acme.sh/acme.sh --install-cert -d ${acme_domain} --key-file /certs/${acme_domain}_key.pem --fullchain-file /certs/${acme_domain}_cert.pem --reloadcmd "/bin/kill -s HUP 1"<br />
即可,这样下一次acme.sh的cron任务触发的时候,多个域名都会被执行证书更新检查<br />
[[分类:Linux]]<br />
[[分类:Docker]]<br />
[[分类:Docker-compose]]<br />
{{DEFAULTSORT:docker容器化freessl_acme.sh配合nginx实现https证书自动续期}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E5%AE%B9%E5%99%A8%E5%8C%96freessl-acme.sh%E6%9B%B4%E6%96%B0nginx%E5%AE%9E%E7%8E%B0https%E8%AF%81%E4%B9%A6%E8%87%AA%E5%8A%A8%E7%BB%AD%E6%9C%9F&diff=1693
容器化freessl-acme.sh更新nginx实现https证书自动续期
2026-04-09T08:32:22Z
<p>Admin:</p>
<hr />
<div>注意:freessl目前acme地址已经更改为litessl.com。下述内容并没有跟进此更新,仅供参考<br />
<br />
=== 赘述 ===<br />
由于有一定的OS环境洁癖,所以不打算直接在Linux OS环境中直接安装acme.sh,采用容器化的方式安装acme.sh<br />
<br />
acme.sh官方其实有做好的docker images,但是由于太闲了所以又重新写了一份(班门弄斧)<br />
<br />
=== 正题1: 制作能自签域名证书的镜像 ===<br />
先构建一个带有 acme.sh 基础镜像<br />
cat <<\EOF > acme.sh.Dockerfile<br />
FROM alpine:3.15.3<br />
RUN apk --no-cache add curl wget openssl && \<br />
rm -rf /var/cache/apk && \<br />
curl -s <nowiki>https://get.acme.sh</nowiki> | sh -s email=my@example.com<br />
WORKDIR /root/.acme.sh<br />
ENTRYPOINT ["/usr/sbin/crond", "-f", "-S","/dev/stdout"]<br />
EOF<br />
<br />
docker build -f acme.sh.Dockerfile -t san3xian/freessl_acme.sh:v2 .<br />
然后到<nowiki/>https://freessl.cn/acme-deploy 注册登陆<br />
<br />
并在该站点的 [https://freessl.cn/acme-deploy acme页面中]添加域名,完成域名的DCV预检测(即配置CNAME,域名解析状态可以在这里查询: https://myssl.com/dns_check.html)<br />
<br />
获取token (即ACME 地址中 ****/directory/ 后的字符串)<br />
<br />
接着根据实际需求构建域名专属acme镜像用于签发证书,安装证书以及触发 容器化或者节点直接部署运行的nginx reload(后面按需运行的时候修改该容器pid mode和reloadcmd即可)<br />
<br />
这里 <code>--issue</code> 命令中由于没有带--days参数,所以默认签的是60天的证书<br />
<br />
将下述内容按需修改存于Dockerfile中<br />
FROM san3xian/freessl_acme.sh:v2<br />
<br />
ARG acme_token="your_token" \<br />
acme_domain="your_domain"<br />
RUN /root/.acme.sh/acme.sh --issue -d ${acme_domain} --dns dns_dp \<br />
--server <nowiki>https://acme.freessl.cn/v2/DV90/directory/${acme_token}</nowiki> && \<br />
mkdir -pv /certs && \<br />
/root/.acme.sh/acme.sh --install-cert -d ${acme_domain} \<br />
--key-file /certs/${acme_domain}_key.pem \<br />
--fullchain-file /certs/${acme_domain}_cert.pem \<br />
--reloadcmd "/bin/kill -s HUP 1"<br />
使用docker build构建镜像<br />
docker build -t san3xian/freessl_acme.sh:yourdomain .<br />
如果上述步骤都没错的话,在构建这个带有域名证书信息的镜像的时候,就能看到申请下来的证书会被打印输出到控制台<br />
<br />
并且根据回显内容可知,申请下来的证书保存在了 <code>/root/.acme.sh/${acme_domain}/</code> 路径下,而且证书会被拷贝一份到 <code>/certs</code> 路径下(此路径按实际需求在Dockerfile中修改即可)<br />
<br />
在freessl.cn的acme页面中也能看到相应的客户端ID信息<br />
<br />
证书的相关配置信息(如install-path和ReloadCmd)在<code>/root/.acme.sh/${acme_domain}/${acme_domain}.conf</code> 文件中<br />
<br />
到这里acme.sh自动签证书的步骤就已经基本做完了<br />
<br />
acme.sh配置参考: https://blog.freessl.cn/acme-quick-start/<br />
<br />
<br />
=== 正题2: 适配实际的tls证书使用环境 ===<br />
如前所述,本文是为了用容器化的freessl acme.sh向容器化的nginx进行证书自签,所以下面还会有docker-compose的内容,当然实际操作中用docker run 直接运行容器也可以<br />
<br />
前提展开: 由于我这里nginx容器是使用常规镜像启动的,所以我的nginx master的pid在容器的PID namespace就会是1,遂在上文的reloadcmd 中写死了pid<br />
<br />
然后我的docker-compose.yml是在server文件夹下的,所以docekr-compose拉起的容器默认会带 <code>server_</code> 前缀,即如docker-compose help中所述:<br />
docker-compose --help <br />
-p, --project-name NAME Specify an alternate project name<br />
(default: directory name)<br />
docker-compose.yml内容,部分内容按实际需求修改<br />
version: "2"<br />
<br />
services:<br />
nginx:<br />
restart: always<br />
image: nginx:1.21-alpine<br />
volumes:<br />
- "/var/lib/nginx/conf.d:/etc/nginx/conf.d"<br />
- "/var/lib/nginx/nginx.conf:/etc/nginx/nginx.conf"<br />
- "/var/lib/nginx/certs:/etc/nginx/certs"<br />
- "/var/lib/nginx/sites-enabled:/etc/nginx/sites-enabled"<br />
ports: <br />
- "80:80" # http port for private network<br />
- "443:443" # https port for private network<br />
freessl:<br />
restart: always<br />
image: san3xian/freessl_acme.sh:yourdomain #修改为你在上文实际打出来的容器镜像<br />
volumes:<br />
- "/var/lib/nginx/certs:/certs"<br />
tty: true # alpine下不分配伪tty的话BusyBox crond会有的日志不输出到stdout<br />
pid: container:server_nginx_1 # 与nginx共享同一个PID namespace, 这里暂时没有找到在docker-compose文件中关联其它container的写法,所以只能完全写死容器名了<br />
可见freessl 和 nginx 容器都挂载了同一个/var/lib/nginx/certs目录,这样nginx就能读到由freessl acme.sh自签下发的tls证书<br />
<br />
接着docker-compose up -d 启动了相应的容器后<br />
<br />
由于在前文签证书的时候,freessl acme.sh容器中/certs路径还没挂载到节点上,所以此时还需要重新拷贝/签一份证书到certs路径下<br />
docker exec server_freessl_1 "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --force<br />
如果上述步骤都没错的话,此时nginx也会被触发reload,可以docker logs server_nginx_1 看相关信息,按照实际修改nginx的配置以让tls证书生效即可<br />
<br />
由于freessl acme.sh容器中还有crond的守护进程运行着,所以acme.sh也会被定时触发,可以通过docker logs server_freessl_1看相关日志<br />
<br />
crontab -l 也可以看到相关任务定时触发配置信息,建议按需将acme.sh触发命令的重定向( <code>> /dev/null</code> )去除以方便查看acme.sh的cron日志<br />
[root@localhost server]# docker exec server_freessl_1 crontab -l<br />
# do daily/weekly/monthly maintenance<br />
# min hour day month weekday command<br />
*/15 * * * * run-parts /etc/periodic/15min<br />
0 * * * * run-parts /etc/periodic/hourly<br />
0 2 * * * run-parts /etc/periodic/daily<br />
0 3 * * 6 run-parts /etc/periodic/weekly<br />
0 5 1 * * run-parts /etc/periodic/monthly<br />
<br />
1 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null<br />
<br />
如果需要添加多个域名的话,可以直接在freessl容器中运行命令<br />
/root/.acme.sh/acme.sh --issue -d ${acme_domain} --dns dns_dp --server <nowiki>https://acme.freessl.cn/v2/DV90/directory/${acme_token}</nowiki><br />
和<br />
/root/.acme.sh/acme.sh --install-cert -d ${acme_domain} --key-file /certs/${acme_domain}_key.pem --fullchain-file /certs/${acme_domain}_cert.pem --reloadcmd "/bin/kill -s HUP 1"<br />
即可,这样下一次acme.sh的cron任务触发的时候,多个域名都会被执行证书更新检查<br />
[[分类:Linux]]<br />
[[分类:Docker]]<br />
[[分类:Docker-compose]]<br />
{{DEFAULTSORT:docker容器化freessl_acme.sh配合nginx实现https证书自动续期}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=VMware%E4%B8%8D%E5%85%B3%E6%9C%BA%E6%89%A9%E5%AE%B9linux%E7%A3%81%E7%9B%98&diff=1692
VMware不关机扩容linux磁盘
2026-04-09T07:36:32Z
<p>Admin:</p>
<hr />
<div>__FORCETOC__<br />
<br />
=== 在虚拟化平台对磁盘扩容后 fdisk -l 识别不到分区 (partition丢失,GPT分区表不建议使用fdisk) ===<br />
注意在部分OS下,可能在扩容前 Disk 的相关 partition 信息在fdisk中是可以正常识别的,但是在 vsphere / esxi 对磁盘进行扩容以后<br />
<br />
就发现 partition 丢了【fdisk -l /dev/sda 看不到某些分区】(特别是centos7.9 + fdisk -l + GPT)<br />
<br />
这时候可以直接 <code>parted /dev/sda</code> <br />
<br />
进入以后应该就会提示<br />
Error: The backup GPT table is not at the end of the disk, as it should be. This might mean that<br />
another operating system believes the disk is smaller. Fix, by moving the backup to the end (and<br />
removing the old backup)?<br />
直接进行Fix并扩容即可<br />
<br />
也可以找到原本的扇区记录,然后进入fdisk ,修改 partition table 为 GPT,根据相关扇区记录,把分区重新建立回来即可<br />
<br />
=== lvm类型的分区扩容 ===<br />
<br />
==== 利用fdisk - 传统步骤扩容分区(旧版本fdisk对GPT兼容不好,GPT分区表建议使用parted) ====<br />
磁盘名sda, vg名 cl, lv名 root 等自行根据实际情况修改!<br />
# vsphere(虚拟化平台)层面完成磁盘扩容<br />
# 进入系统 shell 中,执行命令 lsblk 查看对应的磁盘是否有感知到新的容量。有时候会碰到 os 无法感知到 disk 容量变化的情况出现,这时候需要手动rescan一下<code>echo 1 > /sys/class/block/sda/device/rescan</code><br />
# <code>fdisk -l /dev/sda</code> 确认相关分区及扇区信息<br />
# 使用<code>fdisk /dev/sda</code> 进入交互式操作删除重建需要扩容的分区(增大分区容量,保留原本的LVM2_member signature, 起始扇区与原本一致) <br />
# <code>partprobe /dev/sda </code><br />
# <code>pvresize /dev/sda3 </code><br />
# <code>lvextend /dev/cl/root /dev/sda3 </code><br />
# <code>xfs_growfs /dev/mapper/cl-root </code><br />
# 完成<br />
<br />
==== 利用parted工具一行命令直接扩容第三分区到100% ====<br />
磁盘名sda, vg名 cl, lv名 root 等自行根据实际情况修改!<br />
parted /dev/sda --script -- resizepart 3 100%<br />
<br />
pvresize /dev/sda3 && lvextend -l +100%FREE /dev/ol/root && xfs_growfs /<br />
<br />
=== 非lvm类型虚拟磁盘扩容(磁盘直接作为了挂载点) ===<br />
磁盘名sda, vg名 cl, lv名 root 等自行根据实际情况修改!<br />
# vm层面完成磁盘扩容<br />
# 同样手动rescan一下让os感知磁盘容量变化<code>echo 1 > /sys/class/block/sda/device/rescan</code><br />
#根据文件系统类型执行fs扩容,如<code>xfs_growfs</code> / <code>resize2fs</code><br />
#例如⬇️<br />
[root@192-168-157-39 ~]# lsblk /dev/sdb<br />
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT<br />
sdb 8:16 0 150G 0 disk /var/lib/containers<br />
<br />
[root@192-168-157-39 ~]# echo 1 > /sys/class/block/sdb/device/rescan<br />
<br />
[root@192-168-157-39 ~]# lsblk /dev/sdb<br />
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT<br />
sdb 8:16 0 155G 0 disk /var/lib/containers<br />
<br />
[root@192-168-157-39 ~]# cat /etc/fstab |grep cont<br />
/dev/sdb /var/lib/containers xfs defaults,pquota 0 0<br />
<br />
[root@192-168-157-39 ~]# xfs_growfs /dev/sdb<br />
meta-data=/dev/sdb isize=512 agcount=4, agsize=9830400 blks<br />
= sectsz=512 attr=2, projid32bit=1<br />
= crc=1 finobt=0 spinodes=0<br />
data = bsize=4096 blocks=39321600, imaxpct=25<br />
= sunit=0 swidth=0 blks<br />
naming =version 2 bsize=4096 ascii-ci=0 ftype=1<br />
log =internal bsize=4096 blocks=19200, version=2<br />
= sectsz=512 sunit=0 blks, lazy-count=1<br />
realtime =none extsz=4096 blocks=0, rtextents=0<br />
data blocks changed from 39321600 to 40632320<br />
<br />
[root@192-168-157-39 ~]# df -h /var/lib/containers<br />
Filesystem Size Used Avail Use% Mounted on<br />
/dev/sdb 155G 19G 137G 12% /var/lib/containers<br />
<br />
[root@192-168-157-39 ~]# lsblk<br />
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT<br />
sda 8:0 0 50G 0 disk<br />
├─sda1 8:1 0 1019M 0 part /boot<br />
└─sda2 8:2 0 49G 0 part<br />
└─centos-root 253:0 0 49G 0 lvm /<br />
sdb 8:16 0 155G 0 disk /var/lib/containers<br />
sr0 11:0 1 9.5G 0 rom<br />
<br /><br />
额外延伸:[https://www.2daygeek.com/scan-detect-luns-scsi-disks-on-redhat-centos-oracle-linux/ How to scan\detect new LUN’s & SCSI disks in Linux?]<br />
<br />
通过命令 <code>lsscsi -g</code> 能看 vmware 磁盘和 OS disk 的对照关系<br />
[[category: Linux]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Fish_shell%E6%88%96bash_shell%E4%B8%8B%E7%9A%84ssh-agent%E7%8E%B0%E6%9C%89%E4%BC%9A%E8%AF%9D%E6%8E%A2%E6%B5%8B%E8%84%9A%E6%9C%AC&diff=1691
Fish shell或bash shell下的ssh-agent现有会话探测脚本
2026-02-27T17:23:37Z
<p>Admin:</p>
<hr />
<div>一个随便糊的用于发现设备上现有的ssh-agent会话脚本,方便在不同的terminal tab中复用一个ssh-agent<br />
<br />
适配: <br />
<br />
=== macOS + fish shell (macos v26.3+) ===<br />
#!/usr/bin/env fish<br />
<br />
#######################################################<br />
# Author: SanXian<br />
# To find the exists ssh-agent connection or create <br />
# a new ssh-agent connection for macOS with fish shell<br />
# version: 1.5<br />
#######################################################<br />
<br />
#set base_dir "/var/folders/4w/hx1kgdwd2ll9chvbzv6y70r80000gn/T"<br />
# Linux<br />
# /tmp/ssh-*/agent.*<br />
<br />
# macOS-new version:<br />
# set base_dir "$TMPDIR/ssh-*/agent.*"<br />
set base_dir "~/.ssh/agent/*agent.*"<br />
for i in (sh -c "ls -1 --color=never $base_dir 2>/dev/null")<br />
set agent_file (echo -n $i | grep --color=never -Eo "agent.*")<br />
echo "found: $agent_file"<br />
#set PID (echo -n $agent_file | awk -F . '{print $2 + 1}')<br />
set PID (lsof -n $i | awk '/ssh-agent/{print $2}')<br />
echo PID: $PID<br />
export SSH_AGENT_PID=$PID<br />
export SSH_AUTH_SOCK=$i<br />
env | grep -i ssh_<br />
exit<br />
end<br />
<br />
# ssh agent sock not found<br />
echo "ssh agent sock file not found, creating"<br />
eval (ssh-agent -c -t 4h)<br />
#ssh-add -t 0<br />
ssh-add -t 360d<br />
<br />
=== Linux bash: ===<br />
#!/usr/bin/env bash<br />
<br />
#######################################################<br />
# Author: SanXian<br />
# To find the exists ssh-agent connection or create<br />
# a new ssh-agent connection for macOS with fish shell<br />
# version: 1.5<br />
#######################################################<br />
<br />
#set base_dir "/var/folders/4w/hx1kgdwd2ll9chvbzv6y70r80000gn/T"<br />
# Linux<br />
base_dir=/tmp/ssh-*/agent.*<br />
<br />
# macOS<br />
#set base_dir $TMPDIR/ssh-*/agent.*<br />
agent_paths=`sh -c "ls -1 --color=never $base_dir 2>/dev/null"`<br />
for i in $agent_paths<br />
do<br />
agent_file=`echo -n $i | grep --color=never -Eo "agent.*"`<br />
echo "found: $agent_file"<br />
PID=`echo -n $agent_file | awk -F . '{print $2 + 1}'`<br />
echo PID: $PID<br />
export SSH_AGENT_PID=$PID<br />
export SSH_AUTH_SOCK=$i<br />
env | grep -i ssh_<br />
done<br />
<br />
if <nowiki>[[ -z $agent_paths ]]</nowiki><br />
then<br />
# ssh agent sock not found<br />
echo "ssh agent sock file not found, creating"<br />
eval `ssh-agent -t 4h`<br />
#ssh-add -t 0<br />
ssh-add -t 360d<br />
fi<br />
<br />
=== 食用方法 ===<br />
执行:<br />
source ssh-search<br />
或<br />
. ssh-search<br />
<br />
<br />
扩展阅读:<br />
<br />
[[SSH-add脚本化载入带密码(passphrase)的私钥]]<br />
[[分类:Linux]]<br />
[[分类:MacOS]]<br />
[[分类:SSH]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Etcd%E5%91%BD%E4%BB%A4%E9%9A%8F%E8%AE%B0&diff=1690
Etcd命令随记
2026-02-02T09:49:39Z
<p>Admin:</p>
<hr />
<div>=== 切换 ETCDCTL API version ===<br />
<br />
==== with docker exec ====<br />
docker exec -e "ETCDCTL_API=2" etcd_container_name_or_id etcdctl --help<br />
<br />
==== env ====<br />
export ETCDCTL_API=2<br />
<br />
=== 排障相关命令 ===<br />
<br />
* 如果etcd是基于k8s manifest启动的,且该manifest初始化了ETCDCTL_ENDPOINTS变量,在指定endpoints只能通过环境变量指定,或者在bash环境下unset "ETCDCTL_ENDPOINTS" 取消环境变量定义然后再通过参数传入,不然会提示配置冲突:<br />
<br />
2021-10-19 03:25:28.520086 C | pkg/flags: conflicting environment variable "ETCDCTL_ENDPOINTS" is shadowed by corresponding command-line flag (either unset environment variable or disable flag)<br />
<br />
==== etcdctl v3 related ====<br />
etcdctl v3可用的环境变量可见文档 https://github.com/etcd-io/etcd/blob/main/etcdctl/README.md<br />
<br />
其中常见的包括<br />
export ETCDCTL_ENDPOINTS=<nowiki>https://127.0.0.1:2379,https://10.255.251.102:2379,https://10.255.251.103:2379</nowiki><br />
export ETCDCTL_CACERT=/etc/kubernetes/ssl/etcd/ca.crt<br />
export ETCDCTL_CERT=/etc/kubernetes/ssl/etcd/peer.crt<br />
export ETCDCTL_KEY=/etc/kubernetes/ssl/etcd/peer.key<br />
<br />
===== k8s 的 etcd 可以通过下述命令直接在k8s controller shell 上初始化 etcdctl 环境变量 =====<br />
export ETCD_PEER_PORT=2379<br />
eval "$(kubectl get pods -n kube-system -o custom-columns='name:.metadata.name,ip:.status.podIP' --no-headers | awk '/etcd/{ eps = eps (eps?",":"") "https://" $2 ":<nowiki>''</nowiki>$ETCD_PEER_PORT" } END { print "export ETCDCTL_ENDPOINTS=\"" eps "\"" }')"<br />
export ETCDCTL_CACERT=/etc/kubernetes/ssl/etcd/ca.crt<br />
export ETCDCTL_CERT=/etc/kubernetes/ssl/etcd/peer.crt<br />
export ETCDCTL_KEY=/etc/kubernetes/ssl/etcd/peer.key<br />
<br />
<br />
etcdctl member list -w table<br />
etcdctl endpoint status -w table<br />
<br />
===== etcd member list (v3 API) =====<br />
* etcdctl member list<br />
<br />
[root@test kubelet]# docker exec -e "ETCDCTL_ENDPOINTS=<nowiki>https://192.168.150.12:12379,https://192.168.150.13:12379,https://192.168.150.14:12379</nowiki>" `docker ps | awk '/etcd /{print $1}'` etcdctl member list -w table<br />
+------------------+---------+-------------------------+-----------------------------+------------------------------+------------+<br />
| ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER |<br />
+------------------+---------+-------------------------+-----------------------------+------------------------------+------------+<br />
| 8a8a69237e3e00ef | started | dce-etcd-192.168.150.12 | <nowiki>http://192.168.150.12:12380</nowiki> | <nowiki>https://192.168.150.12:12379</nowiki> | false |<br />
| d58cc05313738455 | started | dce-etcd-192.168.150.13 | <nowiki>http://192.168.150.13:12380</nowiki> | <nowiki>https://192.168.150.13:12379</nowiki> | false |<br />
| ed2566e796a749a6 | started | dce-etcd-192.168.150.14 | <nowiki>http://192.168.150.14:12380</nowiki> | <nowiki>https://192.168.150.14:12379</nowiki> | false |<br />
+------------------+---------+-------------------------+-----------------------------+------------------------------+------------+<br />
<br />
===== etcd endpoint health (v3 API) =====<br />
*etcdctl endpoint health<br />
<br />
docker exec -e "ETCDCTL_API=3" -e "ETCDCTL_ENDPOINTS=<nowiki>https://192.168.155.22:12379,https://192.168.155.23:12379,https://192.168.155.24:12379</nowiki>" etcd_container_name_or_id etcdctl endpoint health -w table<br />
<br />
+------------------------------+--------+--------------+-------+<br />
| ENDPOINT | HEALTH | TOOK | ERROR |<br />
+------------------------------+--------+--------------+-------+<br />
| <nowiki>https://192.168.155.23:12379</nowiki> | true | 14.2308ms | |<br />
| <nowiki>https://192.168.155.22:12379</nowiki> | true | 14.572283ms | |<br />
| <nowiki>https://192.168.155.24:12379</nowiki> | true | 351.572429ms | |<br />
+------------------------------+--------+--------------+-------+<br />
<br />
===== etcd endpoint status (v3 API) =====<br />
<br />
* etcdctl endpoint status<br />
<br />
docker exec -e "ETCDCTL_API=3" -e "ETCDCTL_ENDPOINTS=<nowiki>https://192.168.155.22:12379,https://192.168.155.23:12379,https://192.168.155.24:12379</nowiki>" etcd_container_name_or_id etcdctl endpoint status -w table<br />
<br />
+------------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+<br />
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |<br />
+------------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+<br />
| <nowiki>https://192.168.155.22:12379</nowiki> | 5710b6824446f271 | 3.4.1 | 35 MB | false | false | 52 | 7925759 | 7925759 | |<br />
| <nowiki>https://192.168.155.23:12379</nowiki> | 2a8509b66bfae6b6 | 3.4.1 | 35 MB | true | false | 52 | 7925759 | 7925759 | |<br />
| <nowiki>https://192.168.155.24:12379</nowiki> | 72f4884011f8a2b | 3.4.1 | 35 MB | false | false | 52 | 7925760 | 7925760 | |<br />
+------------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+<br />
<br />
==== etcd cluster-health (v2 API) ====<br />
etcdctl v2可用的环境变量可见文档 https://github.com/etcd-io/etcd/blob/main/etcdctl/READMEv2.md<br />
<br />
etcdctl v2常用的环境变量<br />
ETCDCTL_ENDPOINT <br />
ETCDCTL_CA_FILE<br />
ETCDCTL_KEY_FILE<br />
ETCDCTL_CERT_FILE<br />
* etcdctl cluster-health<br />
<br />
docker exec -e "ETCDCTL_API=2" -e "ETCDCTL_ENDPOINTS=<nowiki>https://192.168.155.22:12379,https://192.168.155.23:12379,https://192.168.155.24:12379</nowiki>" etcd_container_name_or_id etcdctl cluster-health<br />
member 72f4884011f8a2b is healthy: got healthy result from <nowiki>https://192.168.155.24:12379</nowiki><br />
member 2a8509b66bfae6b6 is healthy: got healthy result from <nowiki>https://192.168.155.23:12379</nowiki><br />
member 5710b6824446f271 is healthy: got healthy result from <nowiki>https://192.168.155.22:12379</nowiki><br />
cluster is healthy<br />
<br />
docker exec -it -e ETCDCTL_API=2 `docker ps | awk '/etcd /{print $1}'` etcdctl cluster-health<br />
<br />
=== 磁盘/网络性能要求相关 ===<br />
[https://etcd.io/docs/v3.5/op-guide/hardware/ official documentation]<blockquote>etcd is very sensitive to disk write latency. Typically 50 sequential IOPS (e.g., a 7200 RPM disk) is required. For heavily loaded clusters, 500 sequential IOPS (e.g., a typical local SSD or a high performance virtualized block device) is recommended. Note that most cloud providers publish concurrent IOPS rather than sequential IOPS; the published concurrent IOPS can be 10x greater than the sequential IOPS. To measure actual sequential IOPS, we suggest using a disk benchmarking tool such as diskbench or fio.<br />
<br />
</blockquote>[https://access.redhat.com/documentation/zh-cn/openshift_container_platform/4.10/html-single/scalability_and_performance/index#recommended-etcd-practices_recommended-host-practices openshift_container_platform 推荐的 etcd 实践]<blockquote>就延迟而言,应该在一个可最少以 50 IOPS 按顺序写入 8000 字节的块设备上运行。也就是说,当有一个 20ms 的延迟时,使用 fdatasync 来同步 WAL 中的写入操作。对于高负载的集群,建议使用 8000 字节的连续 500 IOPS (2 毫秒)。要测量这些数字,您可以使用基准测试工具,如 fio。<br />
<br />
</blockquote>[https://www.jianshu.com/p/f31ef5e7bdd0 简书 - etcd 性能测试与调优]<br />
<br />
<br />
[https://bbs.pceva.com.cn/thread-24244-1-1.html 对硬盘性能的深度解析之二]<blockquote>IO延迟与Queue Depth(队列深度)/Queue Length (队列长度)<br />
<br />
IO延迟是指控制器将IO指令发出之后,直到IO完成的过程中总共花费的时间。早前业界不成文的规定为,只要IO延迟在20ms内,IO性能对于应用程序来说都是可以接受的,但是如果大于20ms,应用程序的性能将会受到较大影响。(JMF602的小文件随机写入IOPS是个位数,所以你们觉得卡)<br />
<br />
这样算下来,存储设备应当满足最低的IOPS要求应该为1S/20ms=50IOPS,所以只要区区50IOPS就可以满足这个要求了。单块机械硬盘的IOPS一般在80附近(7200转),固态硬盘的话就比较夸张了,对于大型的存储设备,通过并行N个IO通道工作,达到几十万甚至几百万IOPS都不是问题。<br />
<br />
然而不能总以最低标准来要求存储设备。当接收到的IO很少的时候,IO延迟也会很小。比如一块Intel X25-M Gen2 34nm 80G固态硬盘,即使延迟平均在0.1ms的话,每个IO通道的IOPS=1000/0.1=10000,但是这块固态硬盘被厂家标称35000的读取IOPS,这里就引出另一个概念:Queue Depth(队列深度,也可以叫队列长度)<br />
<br />
控制器向存储设备发起的指令,不是一条条发送的,而是一批批的发送,存储目标设备批量执行IO,然后把数据和结果返回控制器。只要存储设备肚量和消化能力足够强,在IO比较少的时候,处理一条指令和同时处理多条指令将会消耗几乎相同的时间。控制器发出的批量指令的最大条数,由控制器上的Queue Depth(队列深度)决定。(一般好的固态硬盘主控,队列深度都支持到32了)<br />
<br />
如果给出队列深度,IOPS,IO延迟三者中的任意两者,则可以推算出第三者,公式:IOPS=(队列深度)/ (IO延迟)。实际上,随着队列深度的增加,IO延迟也在增加,二者是互相促进的关系,所以,随着IO数目的增多,将很快达到存储设备提供的最大IOPS处理能力,此时IO延迟将会陡峭升高,而IOPS则增加缓慢。(消化不良)</blockquote>[https://etcd.io/docs/v3.5/faq/#what-does-the-etcd-warning-failed-to-send-out-heartbeat-on-time-mean wal_fsync_duration_seconds 官方建议] <blockquote>Usually this issue is caused by a slow disk. Before the leader sends heartbeats attached with metadata, it may need to persist the metadata to disk. The disk could be experiencing contention among etcd and other applications, or the disk is too simply slow (e.g., a shared virtualized disk). To rule out a slow disk from causing this warning, monitor wal_fsync_duration_seconds (p99 duration should be less than 10ms) to confirm the disk is reasonably fast. If the disk is too slow, assigning a dedicated disk to etcd or using faster disk will typically solve the problem. To tell whether a disk is fast enough for etcd, a benchmarking tool such as fio can be used. Read here for an example.</blockquote><br />
[[分类:Linux]]<br />
[[分类:K8s]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Etcd%E5%91%BD%E4%BB%A4%E9%9A%8F%E8%AE%B0&diff=1689
Etcd命令随记
2026-02-02T09:32:33Z
<p>Admin:</p>
<hr />
<div>=== 切换 ETCDCTL API version ===<br />
<br />
==== with docker exec ====<br />
docker exec -e "ETCDCTL_API=2" etcd_container_name_or_id etcdctl --help<br />
<br />
==== env ====<br />
export ETCDCTL_API=2<br />
<br />
=== 排障相关命令 ===<br />
<br />
* 如果etcd是基于k8s manifest启动的,且该manifest初始化了ETCDCTL_ENDPOINTS变量,在指定endpoints只能通过环境变量指定,或者在bash环境下unset "ETCDCTL_ENDPOINTS" 取消环境变量定义然后再通过参数传入,不然会提示配置冲突:<br />
<br />
2021-10-19 03:25:28.520086 C | pkg/flags: conflicting environment variable "ETCDCTL_ENDPOINTS" is shadowed by corresponding command-line flag (either unset environment variable or disable flag)<br />
<br />
==== etcdctl v3 related ====<br />
etcdctl v3可用的环境变量可见文档 https://github.com/etcd-io/etcd/blob/main/etcdctl/README.md<br />
<br />
其中常见的包括<br />
export ETCDCTL_ENDPOINTS=<nowiki>https://127.0.0.1:2379,https://10.255.251.102:2379,https://10.255.251.103:2379</nowiki><br />
export ETCDCTL_CACERT=/etc/kubernetes/ssl/etcd/ca.crt<br />
export ETCDCTL_CERT=/etc/kubernetes/ssl/etcd/peer.crt<br />
export ETCDCTL_KEY=/etc/kubernetes/ssl/etcd/peer.key<br />
<br />
===== k8s 的 etcd 可以通过下述命令直接在k8s controller shell 上初始化 etcdctl 环境变量 =====<br />
export ETCD_PEER_PORT=2379<br />
eval $(kubectl get pods -n kube-system -o custom-columns="name:.metadata.name,ip:.status.podIP" --no-headers|awk '/etcd/{printf "https://&#x22;$2":'$ETCD_PEER_PORT',"}'|awk '{gsub(",$","");print "export ETCDCTL_ENDPOINTS=\""$1"\""}')<br />
export ETCDCTL_CACERT=/etc/kubernetes/ssl/etcd/ca.crt<br />
export ETCDCTL_CERT=/etc/kubernetes/ssl/etcd/peer.crt<br />
export ETCDCTL_KEY=/etc/kubernetes/ssl/etcd/peer.key<br />
<br />
<br />
etcdctl member list -w table<br />
etcdctl endpoint status -w table<br />
<br />
===== etcd member list (v3 API) =====<br />
* etcdctl member list<br />
<br />
[root@test kubelet]# docker exec -e "ETCDCTL_ENDPOINTS=<nowiki>https://192.168.150.12:12379,https://192.168.150.13:12379,https://192.168.150.14:12379</nowiki>" `docker ps | awk '/etcd /{print $1}'` etcdctl member list -w table<br />
+------------------+---------+-------------------------+-----------------------------+------------------------------+------------+<br />
| ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER |<br />
+------------------+---------+-------------------------+-----------------------------+------------------------------+------------+<br />
| 8a8a69237e3e00ef | started | dce-etcd-192.168.150.12 | <nowiki>http://192.168.150.12:12380</nowiki> | <nowiki>https://192.168.150.12:12379</nowiki> | false |<br />
| d58cc05313738455 | started | dce-etcd-192.168.150.13 | <nowiki>http://192.168.150.13:12380</nowiki> | <nowiki>https://192.168.150.13:12379</nowiki> | false |<br />
| ed2566e796a749a6 | started | dce-etcd-192.168.150.14 | <nowiki>http://192.168.150.14:12380</nowiki> | <nowiki>https://192.168.150.14:12379</nowiki> | false |<br />
+------------------+---------+-------------------------+-----------------------------+------------------------------+------------+<br />
<br />
===== etcd endpoint health (v3 API) =====<br />
*etcdctl endpoint health<br />
<br />
docker exec -e "ETCDCTL_API=3" -e "ETCDCTL_ENDPOINTS=<nowiki>https://192.168.155.22:12379,https://192.168.155.23:12379,https://192.168.155.24:12379</nowiki>" etcd_container_name_or_id etcdctl endpoint health -w table<br />
<br />
+------------------------------+--------+--------------+-------+<br />
| ENDPOINT | HEALTH | TOOK | ERROR |<br />
+------------------------------+--------+--------------+-------+<br />
| <nowiki>https://192.168.155.23:12379</nowiki> | true | 14.2308ms | |<br />
| <nowiki>https://192.168.155.22:12379</nowiki> | true | 14.572283ms | |<br />
| <nowiki>https://192.168.155.24:12379</nowiki> | true | 351.572429ms | |<br />
+------------------------------+--------+--------------+-------+<br />
<br />
===== etcd endpoint status (v3 API) =====<br />
<br />
* etcdctl endpoint status<br />
<br />
docker exec -e "ETCDCTL_API=3" -e "ETCDCTL_ENDPOINTS=<nowiki>https://192.168.155.22:12379,https://192.168.155.23:12379,https://192.168.155.24:12379</nowiki>" etcd_container_name_or_id etcdctl endpoint status -w table<br />
<br />
+------------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+<br />
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |<br />
+------------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+<br />
| <nowiki>https://192.168.155.22:12379</nowiki> | 5710b6824446f271 | 3.4.1 | 35 MB | false | false | 52 | 7925759 | 7925759 | |<br />
| <nowiki>https://192.168.155.23:12379</nowiki> | 2a8509b66bfae6b6 | 3.4.1 | 35 MB | true | false | 52 | 7925759 | 7925759 | |<br />
| <nowiki>https://192.168.155.24:12379</nowiki> | 72f4884011f8a2b | 3.4.1 | 35 MB | false | false | 52 | 7925760 | 7925760 | |<br />
+------------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+<br />
<br />
==== etcd cluster-health (v2 API) ====<br />
etcdctl v2可用的环境变量可见文档 https://github.com/etcd-io/etcd/blob/main/etcdctl/READMEv2.md<br />
<br />
etcdctl v2常用的环境变量<br />
ETCDCTL_ENDPOINT <br />
ETCDCTL_CA_FILE<br />
ETCDCTL_KEY_FILE<br />
ETCDCTL_CERT_FILE<br />
* etcdctl cluster-health<br />
<br />
docker exec -e "ETCDCTL_API=2" -e "ETCDCTL_ENDPOINTS=<nowiki>https://192.168.155.22:12379,https://192.168.155.23:12379,https://192.168.155.24:12379</nowiki>" etcd_container_name_or_id etcdctl cluster-health<br />
member 72f4884011f8a2b is healthy: got healthy result from <nowiki>https://192.168.155.24:12379</nowiki><br />
member 2a8509b66bfae6b6 is healthy: got healthy result from <nowiki>https://192.168.155.23:12379</nowiki><br />
member 5710b6824446f271 is healthy: got healthy result from <nowiki>https://192.168.155.22:12379</nowiki><br />
cluster is healthy<br />
<br />
docker exec -it -e ETCDCTL_API=2 `docker ps | awk '/etcd /{print $1}'` etcdctl cluster-health<br />
<br />
=== 磁盘/网络性能要求相关 ===<br />
[https://etcd.io/docs/v3.5/op-guide/hardware/ official documentation]<blockquote>etcd is very sensitive to disk write latency. Typically 50 sequential IOPS (e.g., a 7200 RPM disk) is required. For heavily loaded clusters, 500 sequential IOPS (e.g., a typical local SSD or a high performance virtualized block device) is recommended. Note that most cloud providers publish concurrent IOPS rather than sequential IOPS; the published concurrent IOPS can be 10x greater than the sequential IOPS. To measure actual sequential IOPS, we suggest using a disk benchmarking tool such as diskbench or fio.<br />
<br />
</blockquote>[https://access.redhat.com/documentation/zh-cn/openshift_container_platform/4.10/html-single/scalability_and_performance/index#recommended-etcd-practices_recommended-host-practices openshift_container_platform 推荐的 etcd 实践]<blockquote>就延迟而言,应该在一个可最少以 50 IOPS 按顺序写入 8000 字节的块设备上运行。也就是说,当有一个 20ms 的延迟时,使用 fdatasync 来同步 WAL 中的写入操作。对于高负载的集群,建议使用 8000 字节的连续 500 IOPS (2 毫秒)。要测量这些数字,您可以使用基准测试工具,如 fio。<br />
<br />
</blockquote>[https://www.jianshu.com/p/f31ef5e7bdd0 简书 - etcd 性能测试与调优]<br />
<br />
<br />
[https://bbs.pceva.com.cn/thread-24244-1-1.html 对硬盘性能的深度解析之二]<blockquote>IO延迟与Queue Depth(队列深度)/Queue Length (队列长度)<br />
<br />
IO延迟是指控制器将IO指令发出之后,直到IO完成的过程中总共花费的时间。早前业界不成文的规定为,只要IO延迟在20ms内,IO性能对于应用程序来说都是可以接受的,但是如果大于20ms,应用程序的性能将会受到较大影响。(JMF602的小文件随机写入IOPS是个位数,所以你们觉得卡)<br />
<br />
这样算下来,存储设备应当满足最低的IOPS要求应该为1S/20ms=50IOPS,所以只要区区50IOPS就可以满足这个要求了。单块机械硬盘的IOPS一般在80附近(7200转),固态硬盘的话就比较夸张了,对于大型的存储设备,通过并行N个IO通道工作,达到几十万甚至几百万IOPS都不是问题。<br />
<br />
然而不能总以最低标准来要求存储设备。当接收到的IO很少的时候,IO延迟也会很小。比如一块Intel X25-M Gen2 34nm 80G固态硬盘,即使延迟平均在0.1ms的话,每个IO通道的IOPS=1000/0.1=10000,但是这块固态硬盘被厂家标称35000的读取IOPS,这里就引出另一个概念:Queue Depth(队列深度,也可以叫队列长度)<br />
<br />
控制器向存储设备发起的指令,不是一条条发送的,而是一批批的发送,存储目标设备批量执行IO,然后把数据和结果返回控制器。只要存储设备肚量和消化能力足够强,在IO比较少的时候,处理一条指令和同时处理多条指令将会消耗几乎相同的时间。控制器发出的批量指令的最大条数,由控制器上的Queue Depth(队列深度)决定。(一般好的固态硬盘主控,队列深度都支持到32了)<br />
<br />
如果给出队列深度,IOPS,IO延迟三者中的任意两者,则可以推算出第三者,公式:IOPS=(队列深度)/ (IO延迟)。实际上,随着队列深度的增加,IO延迟也在增加,二者是互相促进的关系,所以,随着IO数目的增多,将很快达到存储设备提供的最大IOPS处理能力,此时IO延迟将会陡峭升高,而IOPS则增加缓慢。(消化不良)</blockquote>[https://etcd.io/docs/v3.5/faq/#what-does-the-etcd-warning-failed-to-send-out-heartbeat-on-time-mean wal_fsync_duration_seconds 官方建议] <blockquote>Usually this issue is caused by a slow disk. Before the leader sends heartbeats attached with metadata, it may need to persist the metadata to disk. The disk could be experiencing contention among etcd and other applications, or the disk is too simply slow (e.g., a shared virtualized disk). To rule out a slow disk from causing this warning, monitor wal_fsync_duration_seconds (p99 duration should be less than 10ms) to confirm the disk is reasonably fast. If the disk is too slow, assigning a dedicated disk to etcd or using faster disk will typically solve the problem. To tell whether a disk is fast enough for etcd, a benchmarking tool such as fio can be used. Read here for an example.</blockquote><br />
[[分类:Linux]]<br />
[[分类:K8s]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Kubectl%E9%9A%8F%E8%AE%B0&diff=1688
Kubectl随记
2026-01-28T06:33:30Z
<p>Admin:</p>
<hr />
<div>=== kubectl set default editor ===<br />
export KUBE_EDITOR=/usr/bin/vim<br />
<br />
===kubectl completion bash not working 排障随记===<br />
需要已经安装 bash-completion <br />
<br />
如果提示 <code>_get_comp_words_by_ref: command not found</code> 错误的话,需要执行<br />
source /usr/share/bash-completion/bash_completion<br />
执行命令 <code>set</code> 看一下当前环境的相关配置有没有kube相关项<br />
set | grep -i kube<br />
没有的话需要执行<br />
source <(kubectl completion bash)<br />
<br />
正常的话,打开 kubectl debug<br />
__kubectl_debug() {<br />
if [[ -n ${BASH_COMP_DEBUG_FILE} ]]; then<br />
echo "$*" >> "${BASH_COMP_DEBUG_FILE}"<br />
fi<br />
}<br />
<br />
export BASH_COMP_DEBUG_FILE=****<br />
根据debug file里面的记录去排查出错点<br />
<br />
=== kubectl to get all api-resource and filter by verbs ===<br />
kubectl api-resources -o name --cached --request-timeout=5s --verbs=get<br />
<br />
kubectl api-resources --api-group=networking.k8s.io<br />
<br />
==== get groupVersion when a resource exists in multiple api groups ====<br />
<br />
==== explain api-resource with sprcific api version ====<br />
kubectl api-resources --api-group=networking.k8s.io -v8 2>&1| grep ingress<br />
<br />
kubectl explain ingress --api-version="networking.k8s.io/v1beta1"<br />
<br />
=== get service account token faster / 一条命令结合jsonpath揭秘base64处理后的secret ===<br />
kubectl get secret sa-secret -o jsonpath={.data.token} | base64 -d<br />
<br />
=== Check k8s account privilege / k8s 对象权限相关 ===<br />
kubectl options:<br />
--as=: Username to impersonate for the operation<br />
--as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.<br />
假设有名为registry-test的serviceAccount位于kube-system,这时候我们要测试他的RBAC权限,可以使用如下命令<br />
kubectl --as "system:serviceaccount:kube-system:registry-test" get serviceaccount<br />
<br />
Usage: kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [options]<br />
<br />
# Check to see if I can do everything in my current namespace ("*" means all)<br />
kubectl auth can-i '*' '*'<br />
<br />
[root@node-a ~]# kubectl --as "system:serviceaccount:kube-system:registry-test" auth can-i list pods<br />
yes<br />
PS: 在RBAC定义中(例如role / clusterrole)对 <code>resources</code> 的 <code>pods/*</code> 声明不会对诸如 <code>pods/exec pods/log pods/status</code> 等资源授权起效果<br />
<br />
原因: [[K8s-rbac关于子资源授权的一些记录]]<br />
<br />
===kubectl get resources with custom column / 利用custom-columns自定义输出字段 (语法相对go-template简单)===<br />
<br />
=====通过custom-columns只输出pod所在租户,pod名字和pod uid=====<br />
kubectl get pods -o custom-columns='namespace:metadata.namespace,pod:metadata.name,uid:metadata.uid'<br />
<br />
=====通过custom-columns只输出namespace名字和ns annotation中定义的node selector=====<br />
kubectl get namespaces -o custom-columns="NAMESPACE:.metadata.name, NODE_SELECTOR:.metadata.annotations.scheduler\.alpha\.kubernetes\.io/node-selector"<br />
按照节点输出基础统计信息及CPU&内存信息<br />
kubectl get nodes -o custom-columns='NAME:.metadata.name,STATUS:.status.conditions[?(@.type=="Ready")].status,AGE:.metadata.creationTimestamp,VERSION:.status.nodeInfo.kubeletVersion,INTERNAL-IP:.status.addresses[?(@.type=="InternalIP")].address,OS-IMAGE:.status.nodeInfo.osImage,KERNEL-VERSION:.status.nodeInfo.kernelVersion,CONTAINER-RUNTIME:.status.nodeInfo.containerRuntimeVersion,CPU-CAPACITY:.status.capacity.cpu,MEMORY-CAPACITY:.status.capacity.memory'<br />
<br />
===Get node info order by node ip address / 根据ip地址排序获取节点信息===<br />
kubectl get nodes -owide --sort-by status.addresses[0].address<br />
<br />
===Get pods order by running node name / 根据pod运行节点排序获取pod信息===<br />
kubectl get pods -owide --sort-by .spec.nodeName<br />
<br />
kubectl get pods -owide --sort-by spec.nodeName<br />
===Get pod order by pod create time / 根据pod创建时间排序获取pod===<br />
kubectl get pods -n efk-system --sort-by status.startTime<br />
<br />
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat<br />
<br />
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat|tac<br />
<br />
=== GET Pod Volumes / 获取某个租户下所有pod所绑定的volumes (依赖jq) ===<br />
过滤了 POD 所挂载的 k8s service account token<br />
kubectl get pods -n ${your_name_space} -o json | jq -r '.items[] | [<br />
.metadata.name,<br />
([.spec.volumes[] | select(.name | startswith("kube-api-access") | not)] | tostring)<br />
] | @tsv' | column -t<br />
<br />
* @tsv是为了将输出格式化成两列,column命令在这里起到对齐的作用<br />
如果需要过滤configmap和secret,也可以用命令<br />
kubectl get pods -n ${your_name_space} -o json | jq -r '.items[] | [<br />
.metadata.name,<br />
([.spec.volumes[] | <br />
select( (.name | startswith("kube-api-access") | not) <br />
and (.configMap == null) <br />
and (.secret == null) )] | tostring)<br />
] | @tsv' | column -t<br />
<br />
===kubectl get resources with go-template / 利用go-template自定义输出(功能扩展性高度自由,但是有一定的编码调试成本)===<br />
<br />
====Deployments - image / 只获取deployment名字和image====<br />
<nowiki>kubectl get deployments -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.template.spec.containers}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'</nowiki><br />
稍微格式化输出,输出deployment名字 + container名字 + 对应的image<br />
kubectl get deployments.apps -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{range .spec.template.spec.containers}}</nowiki><nowiki>{{.name}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{.image}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
====Pods - image / 只获取pod名字和image====<br />
<nowiki>kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.containers}}{{.image}}{{end}}{{"\n"}}{{end}}'</nowiki><br />
====Get the ip address of the specified node / 只获取节点名字和对应的Internal IP地址====<br />
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{range .status.addresses}}{{ if eq .type "InternalIP" }}{{.address}}{{end}}{{end}}{{end}}{{"\n"}}'</nowiki><br />
====Get node taints / 只获取节点名字和taints====<br />
<nowiki>kubectl get nodes -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki><br />
<br />
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki><br />
<br />
==== Get node labels and format output / 只获取节点名字和labels并格式化输出 ====<br />
kubectl get node -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{range $key, $value := .metadata.labels}}</nowiki><nowiki>{{"\t\t"}}</nowiki><nowiki>{{$key}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{$value}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
==== 获取namespace名字和ns annotation中定义的node selector ====<br />
kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector" -}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
===== 稍微处理一下,格式化对齐输出 =====<br />
kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{if index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{else}}</nowiki> <nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
===kubectl get event filter by pod name / 根据对象进行过滤获取k8s事件===<br />
kubectl get event -n kube-system --field-selector involvedObject.name=${pod_name}<br />
<br />
===kubectl get event sort by lastTime / 根据事件最后触发时间进行排序===<br />
kubectl get event -n kube-system --sort-by=.lastTimestamp<br />
<br />
=== kubectl patch ===<br />
[[K8s的patch命令随记]]<br />
<br />
kubectl patch 调整 annotation<br />
<nowiki>kubectl patch ns demo -p '{"metadata":{"annotations":{"scheduler.alpha.kubernetes.io/node-selector": "kubernetes.io/hostname=node1"}}}'</nowiki><br />
[[分类:K8s]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Kubectl%E9%9A%8F%E8%AE%B0&diff=1687
Kubectl随记
2025-11-12T11:03:01Z
<p>Admin:</p>
<hr />
<div>=== kubectl set default editor ===<br />
export KUBE_EDITOR=/usr/bin/vim<br />
<br />
===kubectl completion bash not working 排障随记===<br />
需要已经安装 bash-completion <br />
<br />
如果提示 <code>_get_comp_words_by_ref: command not found</code> 错误的话,需要执行<br />
source /usr/share/bash-completion/bash_completion<br />
执行命令 <code>set</code> 看一下当前环境的相关配置有没有kube相关项<br />
set | grep -i kube<br />
没有的话需要执行<br />
source <(kubectl completion bash)<br />
<br />
正常的话,打开 kubectl debug<br />
__kubectl_debug() {<br />
if [[ -n ${BASH_COMP_DEBUG_FILE} ]]; then<br />
echo "$*" >> "${BASH_COMP_DEBUG_FILE}"<br />
fi<br />
}<br />
<br />
export BASH_COMP_DEBUG_FILE=****<br />
根据debug file里面的记录去排查出错点<br />
<br />
=== kubectl to get all api-resource and filter by verbs ===<br />
kubectl api-resources -o name --cached --request-timeout=5s --verbs=get<br />
<br />
kubectl api-resources --api-group=networking.k8s.io<br />
<br />
==== get groupVersion when a resource exists in multiple api groups ====<br />
<br />
==== explain api-resource with sprcific api version ====<br />
kubectl api-resources --api-group=networking.k8s.io -v8 2>&1| grep ingress<br />
<br />
kubectl explain ingress --api-version="networking.k8s.io/v1beta1"<br />
<br />
=== get service account token faster / 一条命令结合jsonpath揭秘base64处理后的secret ===<br />
kubectl get secret sa-secret -o jsonpath={.data.token} | base64 -d<br />
<br />
=== Check k8s account privilege / k8s 对象权限相关 ===<br />
kubectl options:<br />
--as=: Username to impersonate for the operation<br />
--as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.<br />
假设有名为registry-test的serviceAccount位于kube-system,这时候我们要测试他的RBAC权限,可以使用如下命令<br />
kubectl --as "system:serviceaccount:kube-system:registry-test" get serviceaccount<br />
<br />
Usage: kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [options]<br />
<br />
# Check to see if I can do everything in my current namespace ("*" means all)<br />
kubectl auth can-i '*' '*'<br />
<br />
[root@node-a ~]# kubectl --as "system:serviceaccount:kube-system:registry-test" auth can-i list pods<br />
yes<br />
PS: 在RBAC定义中(例如role / clusterrole)对 <code>resources</code> 的 <code>pods/*</code> 声明不会对诸如 <code>pods/exec pods/log pods/status</code> 等资源授权起效果<br />
<br />
原因: [[K8s-rbac关于子资源授权的一些记录]]<br />
<br />
===kubectl get resources with custom column / 利用custom-columns自定义输出字段 (语法相对go-template简单)===<br />
<br />
=====通过custom-columns只输出pod所在租户,pod名字和pod uid=====<br />
kubectl get pods -o custom-columns='namespace:metadata.namespace,pod:metadata.name,uid:metadata.uid'<br />
<br />
=====通过custom-columns只输出namespace名字和ns annotation中定义的node selector=====<br />
kubectl get namespaces -o custom-columns="NAMESPACE:.metadata.name, NODE_SELECTOR:.metadata.annotations.scheduler\.alpha\.kubernetes\.io/node-selector"<br />
<br />
===Get node info order by node ip address / 根据ip地址排序获取节点信息===<br />
kubectl get nodes -owide --sort-by status.addresses[0].address<br />
<br />
===Get pods order by running node name / 根据pod运行节点排序获取pod信息===<br />
kubectl get pods -owide --sort-by .spec.nodeName<br />
<br />
kubectl get pods -owide --sort-by spec.nodeName<br />
===Get pod order by pod create time / 根据pod创建时间排序获取pod===<br />
kubectl get pods -n efk-system --sort-by status.startTime<br />
<br />
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat<br />
<br />
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat|tac<br />
<br />
=== GET Pod Volumes / 获取某个租户下所有pod所绑定的volumes (依赖jq) ===<br />
过滤了 POD 所挂载的 k8s service account token<br />
kubectl get pods -n ${your_name_space} -o json | jq -r '.items[] | [<br />
.metadata.name,<br />
([.spec.volumes[] | select(.name | startswith("kube-api-access") | not)] | tostring)<br />
] | @tsv' | column -t<br />
<br />
* @tsv是为了将输出格式化成两列,column命令在这里起到对齐的作用<br />
如果需要过滤configmap和secret,也可以用命令<br />
kubectl get pods -n ${your_name_space} -o json | jq -r '.items[] | [<br />
.metadata.name,<br />
([.spec.volumes[] | <br />
select( (.name | startswith("kube-api-access") | not) <br />
and (.configMap == null) <br />
and (.secret == null) )] | tostring)<br />
] | @tsv' | column -t<br />
<br />
===kubectl get resources with go-template / 利用go-template自定义输出(功能扩展性高度自由,但是有一定的编码调试成本)===<br />
<br />
====Deployments - image / 只获取deployment名字和image====<br />
<nowiki>kubectl get deployments -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.template.spec.containers}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'</nowiki><br />
稍微格式化输出,输出deployment名字 + container名字 + 对应的image<br />
kubectl get deployments.apps -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{range .spec.template.spec.containers}}</nowiki><nowiki>{{.name}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{.image}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
====Pods - image / 只获取pod名字和image====<br />
<nowiki>kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.containers}}{{.image}}{{end}}{{"\n"}}{{end}}'</nowiki><br />
====Get the ip address of the specified node / 只获取节点名字和对应的Internal IP地址====<br />
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{range .status.addresses}}{{ if eq .type "InternalIP" }}{{.address}}{{end}}{{end}}{{end}}{{"\n"}}'</nowiki><br />
====Get node taints / 只获取节点名字和taints====<br />
<nowiki>kubectl get nodes -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki><br />
<br />
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki><br />
<br />
==== Get node labels and format output / 只获取节点名字和labels并格式化输出 ====<br />
kubectl get node -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{range $key, $value := .metadata.labels}}</nowiki><nowiki>{{"\t\t"}}</nowiki><nowiki>{{$key}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{$value}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
==== 获取namespace名字和ns annotation中定义的node selector ====<br />
kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector" -}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
===== 稍微处理一下,格式化对齐输出 =====<br />
kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{if index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{else}}</nowiki> <nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
===kubectl get event filter by pod name / 根据对象进行过滤获取k8s事件===<br />
kubectl get event -n kube-system --field-selector involvedObject.name=${pod_name}<br />
<br />
===kubectl get event sort by lastTime / 根据事件最后触发时间进行排序===<br />
kubectl get event -n kube-system --sort-by=.lastTimestamp<br />
<br />
=== kubectl patch ===<br />
[[K8s的patch命令随记]]<br />
<br />
kubectl patch 调整 annotation<br />
<nowiki>kubectl patch ns demo -p '{"metadata":{"annotations":{"scheduler.alpha.kubernetes.io/node-selector": "kubernetes.io/hostname=node1"}}}'</nowiki><br />
[[分类:K8s]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Kubectl%E9%9A%8F%E8%AE%B0&diff=1686
Kubectl随记
2025-11-12T10:40:36Z
<p>Admin:</p>
<hr />
<div>=== kubectl set default editor ===<br />
export KUBE_EDITOR=/usr/bin/vim<br />
<br />
===kubectl completion bash not working 排障随记===<br />
需要已经安装 bash-completion <br />
<br />
如果提示 <code>_get_comp_words_by_ref: command not found</code> 错误的话,需要执行<br />
source /usr/share/bash-completion/bash_completion<br />
执行命令 <code>set</code> 看一下当前环境的相关配置有没有kube相关项<br />
set | grep -i kube<br />
没有的话需要执行<br />
source <(kubectl completion bash)<br />
<br />
正常的话,打开 kubectl debug<br />
__kubectl_debug() {<br />
if [[ -n ${BASH_COMP_DEBUG_FILE} ]]; then<br />
echo "$*" >> "${BASH_COMP_DEBUG_FILE}"<br />
fi<br />
}<br />
<br />
export BASH_COMP_DEBUG_FILE=****<br />
根据debug file里面的记录去排查出错点<br />
<br />
=== kubectl to get all api-resource and filter by verbs ===<br />
kubectl api-resources -o name --cached --request-timeout=5s --verbs=get<br />
<br />
kubectl api-resources --api-group=networking.k8s.io<br />
<br />
==== get groupVersion when a resource exists in multiple api groups ====<br />
<br />
==== explain api-resource with sprcific api version ====<br />
kubectl api-resources --api-group=networking.k8s.io -v8 2>&1| grep ingress<br />
<br />
kubectl explain ingress --api-version="networking.k8s.io/v1beta1"<br />
<br />
=== get service account token faster / 一条命令结合jsonpath揭秘base64处理后的secret ===<br />
kubectl get secret sa-secret -o jsonpath={.data.token} | base64 -d<br />
<br />
=== Check k8s account privilege / k8s 对象权限相关 ===<br />
kubectl options:<br />
--as=: Username to impersonate for the operation<br />
--as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.<br />
假设有名为registry-test的serviceAccount位于kube-system,这时候我们要测试他的RBAC权限,可以使用如下命令<br />
kubectl --as "system:serviceaccount:kube-system:registry-test" get serviceaccount<br />
<br />
Usage: kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [options]<br />
<br />
# Check to see if I can do everything in my current namespace ("*" means all)<br />
kubectl auth can-i '*' '*'<br />
<br />
[root@node-a ~]# kubectl --as "system:serviceaccount:kube-system:registry-test" auth can-i list pods<br />
yes<br />
PS: 在RBAC定义中(例如role / clusterrole)对 <code>resources</code> 的 <code>pods/*</code> 声明不会对诸如 <code>pods/exec pods/log pods/status</code> 等资源授权起效果<br />
<br />
原因: [[K8s-rbac关于子资源授权的一些记录]]<br />
<br />
===kubectl get resources with custom column / 利用custom-columns自定义输出字段 (语法相对go-template简单)===<br />
<br />
=====通过custom-columns只输出pod所在租户,pod名字和pod uid=====<br />
kubectl get pods -o custom-columns='namespace:metadata.namespace,pod:metadata.name,uid:metadata.uid'<br />
<br />
=====通过custom-columns只输出namespace名字和ns annotation中定义的node selector=====<br />
kubectl get namespaces -o custom-columns="NAMESPACE:.metadata.name, NODE_SELECTOR:.metadata.annotations.scheduler\.alpha\.kubernetes\.io/node-selector"<br />
<br />
===Get node info order by node ip address / 根据ip地址排序获取节点信息===<br />
kubectl get nodes -owide --sort-by status.addresses[0].address<br />
<br />
===Get pods order by running node name / 根据pod运行节点排序获取pod信息===<br />
kubectl get pods -owide --sort-by .spec.nodeName<br />
<br />
kubectl get pods -owide --sort-by spec.nodeName<br />
===Get pod order by pod create time / 根据pod创建时间排序获取pod===<br />
kubectl get pods -n efk-system --sort-by status.startTime<br />
<br />
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat<br />
<br />
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat|tac<br />
<br />
=== GET Pod Volumes / 获取某个租户下所有pod所绑定的volumes (依赖jq) ===<br />
过滤了 POD 所挂载的 k8s service account token<br />
kubectl get pods -n ${your-name-space} -o json | jq -r '.items[] | [<br />
.metadata.name,<br />
([.spec.volumes[] | select(.name | startswith("kube-api-access") | not)] | tostring)<br />
] | @tsv' | column -t<br />
<br />
* @tsv是为了将输出格式化成两列,column命令在这里起到对齐的作用<br />
<br />
===kubectl get resources with go-template / 利用go-template自定义输出(功能扩展性高度自由,但是有一定的编码调试成本)===<br />
<br />
====Deployments - image / 只获取deployment名字和image====<br />
<nowiki>kubectl get deployments -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.template.spec.containers}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'</nowiki><br />
稍微格式化输出,输出deployment名字 + container名字 + 对应的image<br />
kubectl get deployments.apps -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{range .spec.template.spec.containers}}</nowiki><nowiki>{{.name}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{.image}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
====Pods - image / 只获取pod名字和image====<br />
<nowiki>kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.containers}}{{.image}}{{end}}{{"\n"}}{{end}}'</nowiki><br />
====Get the ip address of the specified node / 只获取节点名字和对应的Internal IP地址====<br />
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{range .status.addresses}}{{ if eq .type "InternalIP" }}{{.address}}{{end}}{{end}}{{end}}{{"\n"}}'</nowiki><br />
====Get node taints / 只获取节点名字和taints====<br />
<nowiki>kubectl get nodes -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki><br />
<br />
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki><br />
<br />
==== Get node labels and format output / 只获取节点名字和labels并格式化输出 ====<br />
kubectl get node -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{range $key, $value := .metadata.labels}}</nowiki><nowiki>{{"\t\t"}}</nowiki><nowiki>{{$key}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{$value}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
==== 获取namespace名字和ns annotation中定义的node selector ====<br />
kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector" -}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
===== 稍微处理一下,格式化对齐输出 =====<br />
kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{if index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{else}}</nowiki> <nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
===kubectl get event filter by pod name / 根据对象进行过滤获取k8s事件===<br />
kubectl get event -n kube-system --field-selector involvedObject.name=${pod_name}<br />
<br />
===kubectl get event sort by lastTime / 根据事件最后触发时间进行排序===<br />
kubectl get event -n kube-system --sort-by=.lastTimestamp<br />
<br />
=== kubectl patch ===<br />
[[K8s的patch命令随记]]<br />
<br />
kubectl patch 调整 annotation<br />
<nowiki>kubectl patch ns demo -p '{"metadata":{"annotations":{"scheduler.alpha.kubernetes.io/node-selector": "kubernetes.io/hostname=node1"}}}'</nowiki><br />
[[分类:K8s]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Docker%E6%8B%89%E5%8F%96%E9%95%9C%E5%83%8F%E8%AE%A4%E8%AF%81%E6%8A%A5%E6%96%87%E7%AE%80%E6%9E%90&diff=1685
Docker拉取镜像认证报文简析
2025-10-28T08:52:40Z
<p>Admin:</p>
<hr />
<div>有时候会有一些奇怪的镜像操作需要用到curl等工具去实现,遂有了本篇记录<br />
<br />
这里主要记录集中与registry API交互过程中,auth -> get manifest info部分<br />
<br />
=== 针对 hub.docker.com 例子 ===<br />
" 一个 docker pull 指令会拉两部分,一部分是 manifest,一部分是 layer,前者指定了一个 image 相关的信息和 layer 的信息(一个 JSON 文件),后者就是一些大文件(layer)"<br />
<br />
会用到的关联域名:<br />
<br />
Location of Docker index: <nowiki>https://index.docker.io/</nowiki><br />
<br />
Location of the remote repository: <nowiki>https://registry-1.docker.io</nowiki><br />
<br />
实现:<br />
<br />
假设需要拉取的镜像为alpine:3.17.0_rc1 即:<br />
➤ docker pull alpine:3.17.0_rc1<br />
那么在curl中的实现即为(是的,他有个library!):<br />
➤ curl <nowiki>https://registry-1.docker.io/v2/library/alpine/manifests/3.17.0_rc1</nowiki><br />
这时候直接请求是会401的,要根据返回的www-authenticate header去进行认证<br />
* Mark bundle as not supporting multiuse<br />
< HTTP/1.1 401 Unauthorized<br />
< content-type: application/json<br />
< docker-distribution-api-version: registry/2.0<br />
< www-authenticate: Bearer realm="<nowiki>https://auth.docker.io/token</nowiki>",service="registry.docker.io",scope="repository:library/alpine:pull"<br />
< date: Sun, 20 Nov 2022 09:08:33 GMT<br />
< content-length: 157<br />
< strict-transport-security: max-age=31536000<br />
< docker-ratelimit-source: 8.210.192.22<br />
<<br />
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}<br />
* Connection #1 to host registry-1.docker.io left intact<br />
根据回显进行认证(匿名认证):<br />
<br />
注意这里的service也是需要一一对应的,scope value可以不进行URL编码<br />
➤ curl "<nowiki>https://auth.docker.io/token?scope=repository%3Alibrary%2Falpine%3Apull&service=registry.docker.io</nowiki>"<br />
{"token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDK1RDQ0FwK2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0U1RVbEdPbEZNUmpRNlEwZFFNenBSTWtWYU9sRklSRUk2VkVkRlZUcFZTRlZNT2taTVZqUTZSMGRXV2pwQk5WUkhPbFJMTkZNNlVVeElTVEFlRncweU1qQXhNVEF5TWpJeE5EbGFGdzB5TXpBeE1qVXlNakl4TkRsYU1FWXhSREJDQmdOVkJBTVRPMUJaUTFJNlNWQmFRanBJUWxGWE9qZE1SVms2UWtGV1FqcEhTRGRhT2xWSVZ6TTZVa3RMVWpwRE4wNHpPbGxOTkZJNlNWaE5TRHBLVkZCQ01JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBbE5JOGFtMlBERnZzNndOeVl2d0dkZWZXVXJXQWdMZ3N2MzA2MnZycG5VNkN0WUpEZDZ2K2NEVG1FN1FlTllEaFMyaU1wU3djZkRCL2RFclEwdnhIZE4ycDIvODZmZy9TeWlIMnhmMGFVTjlDV1dud0JPaTIvS3hLditpbFNlQ01HYXRwRlg3SmYxcWI4N0Q5NUxOVDBvOU9OTmYxT3RidjY5ck9tL1RIVFh3clUvV3dTZlUyWktUbEw4SVRXRkRXN09ZK3hXdUJ0WUpteVhqcVpsaWRBbUNTdTdHY0Y0MVB5em9KTFFTMnJCdXJwOXc0cWgxMFk1bUNIcWdsaEI1Rk9aOUs0T2pUaVhUUHJFUk5WcnArUFVIR3JBYVRPRTBwQzgyUHBuWVZhNzNDUkdsMEdDdC9RckJwVjRpdmswdzF0eEtkV1NiSDNnRmtqZ2g1N0tOcDhRSURBUUFCbzRHeU1JR3ZNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVBCZ05WSFNVRUNEQUdCZ1JWSFNVQU1FUUdBMVVkRGdROUJEdFFXVU5TT2tsUVdrSTZTRUpSVnpvM1RFVlpPa0pCVmtJNlIwZzNXanBWU0Zjek9sSkxTMUk2UXpkT016cFpUVFJTT2tsWVRVZzZTbFJRUWpCR0JnTlZIU01FUHpBOWdEdFNUVWxHT2xGTVJqUTZRMGRRTXpwUk1rVmFPbEZJUkVJNlZFZEZWVHBWU0ZWTU9rWk1WalE2UjBkV1dqcEJOVlJIT2xSTE5GTTZVVXhJU1RBS0JnZ3Foa2pPUFFRREFnTklBREJGQWlFQTdIY1VyVm1namo1cE01MXhZVHd2eGE1VnRqd2hub0dRZjFxTU52UGVHeVlDSUFwYm4vWFkvS1F5WWFWRnRjMWtsb0lmZzd4L3hlbkZhbkp4L0F2cURGdFgiXX0.eyJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6ImxpYnJhcnkvYWxwaW5lIiwiYWN0aW9ucyI6WyJwdWxsIl0sInBhcmFtZXRlcnMiOnsicHVsbF9saW1pdCI6IjEwMCIsInB1bGxfbGltaXRfaW50ZXJ2YWwiOiIyMTYwMCJ9fV0sImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5pbyIsImV4cCI6MTY2ODkzNTY5MiwiaWF0IjoxNjY4OTM1MzkyLCJpc3MiOiJhdXRoLmRvY2tlci5pbyIsImp0aSI6ImRja3JfanRpX19FanZUOWtRS041YVJSZXUybE51WWROQU84VT0iLCJuYmYiOjE2Njg5MzUwOTIsInN1YiI6IiJ9.WcwQ-5wGEUUXsET0cqfWGwk-zAxx5HCSdRPNKi47oM04qeybNolZQejeFYsH-yiEEnQU8X0qoYSrJoy77xMaOAfTw_k2V4bYdKNct16g1WKpkQadd5hubIWShL59JblIhC21gfO30KcVcbsoZiepRKfCwCJ5vVm_Zt8BLsqIySTLnV-Vfyd_jCvSuNNpnOpC2r7ChTGTeUslRfMl2ZK4UGzCIy6rYwgcp4at5d_GLVyjZtS50WAmPlb9xBcawCZE3ulzGc7H9-OcmAtP04GV5exkQ9G34cfGdPvjKmwA1PkD6dQf2nsDE31LxeGqJcWdw7cYyGo31yPFHGJmQ905xQ","access_token":"xxxxxxxxxxxxxxx","expires_in":300,"issued_at":"2022-11-20T09:09:52.106027636Z"}<br />
拿到需要的token,在http header中带上token,重新请求manifests信息<br />
<br />
注意这里的实例是一种application/vnd.docker.distribution.manifest.v1+prettyjws类型的manifests信息(具体返回的是什么类型的镜像格式同样可以在http response header: content-type 看出来)<br />
➤ curl <nowiki>https://registry-1.docker.io/v2/library/alpine/manifests/3.17.0_rc1</nowiki> -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDK1RDQ0FwK2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0U1RVbEdPbEZNUmpRNlEwZFFNenBSTWtWYU9sRklSRUk2VkVkRlZUcFZTRlZNT2taTVZqUTZSMGRXV2pwQk5WUkhPbFJMTkZNNlVVeElTVEFlRncweU1qQXhNVEF5TWpJeE5EbGFGdzB5TXpBeE1qVXlNakl4TkRsYU1FWXhSREJDQmdOVkJBTVRPMUJaUTFJNlNWQmFRanBJUWxGWE9qZE1SVms2UWtGV1FqcEhTRGRhT2xWSVZ6TTZVa3RMVWpwRE4wNHpPbGxOTkZJNlNWaE5TRHBLVkZCQ01JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBbE5JOGFtMlBERnZzNndOeVl2d0dkZWZXVXJXQWdMZ3N2MzA2MnZycG5VNkN0WUpEZDZ2K2NEVG1FN1FlTllEaFMyaU1wU3djZkRCL2RFclEwdnhIZE4ycDIvODZmZy9TeWlIMnhmMGFVTjlDV1dud0JPaTIvS3hLditpbFNlQ01HYXRwRlg3SmYxcWI4N0Q5NUxOVDBvOU9OTmYxT3RidjY5ck9tL1RIVFh3clUvV3dTZlUyWktUbEw4SVRXRkRXN09ZK3hXdUJ0WUpteVhqcVpsaWRBbUNTdTdHY0Y0MVB5em9KTFFTMnJCdXJwOXc0cWgxMFk1bUNIcWdsaEI1Rk9aOUs0T2pUaVhUUHJFUk5WcnArUFVIR3JBYVRPRTBwQzgyUHBuWVZhNzNDUkdsMEdDdC9RckJwVjRpdmswdzF0eEtkV1NiSDNnRmtqZ2g1N0tOcDhRSURBUUFCbzRHeU1JR3ZNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVBCZ05WSFNVRUNEQUdCZ1JWSFNVQU1FUUdBMVVkRGdROUJEdFFXVU5TT2tsUVdrSTZTRUpSVnpvM1RFVlpPa0pCVmtJNlIwZzNXanBWU0Zjek9sSkxTMUk2UXpkT016cFpUVFJTT2tsWVRVZzZTbFJRUWpCR0JnTlZIU01FUHpBOWdEdFNUVWxHT2xGTVJqUTZRMGRRTXpwUk1rVmFPbEZJUkVJNlZFZEZWVHBWU0ZWTU9rWk1WalE2UjBkV1dqcEJOVlJIT2xSTE5GTTZVVXhJU1RBS0JnZ3Foa2pPUFFRREFnTklBREJGQWlFQTdIY1VyVm1namo1cE01MXhZVHd2eGE1VnRqd2hub0dRZjFxTU52UGVHeVlDSUFwYm4vWFkvS1F5WWFWRnRjMWtsb0lmZzd4L3hlbkZhbkp4L0F2cURGdFgiXX0.eyJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6ImxpYnJhcnkvYWxwaW5lIiwiYWN0aW9ucyI6WyJwdWxsIl0sInBhcmFtZXRlcnMiOnsicHVsbF9saW1pdCI6IjEwMCIsInB1bGxfbGltaXRfaW50ZXJ2YWwiOiIyMTYwMCJ9fV0sImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5pbyIsImV4cCI6MTY2ODkzNTY5MiwiaWF0IjoxNjY4OTM1MzkyLCJpc3MiOiJhdXRoLmRvY2tlci5pbyIsImp0aSI6ImRja3JfanRpX19FanZUOWtRS041YVJSZXUybE51WWROQU84VT0iLCJuYmYiOjE2Njg5MzUwOTIsInN1YiI6IiJ9.WcwQ-5wGEUUXsET0cqfWGwk-zAxx5HCSdRPNKi47oM04qeybNolZQejeFYsH-yiEEnQU8X0qoYSrJoy77xMaOAfTw_k2V4bYdKNct16g1WKpkQadd5hubIWShL59JblIhC21gfO30KcVcbsoZiepRKfCwCJ5vVm_Zt8BLsqIySTLnV-Vfyd_jCvSuNNpnOpC2r7ChTGTeUslRfMl2ZK4UGzCIy6rYwgcp4at5d_GLVyjZtS50WAmPlb9xBcawCZE3ulzGc7H9-OcmAtP04GV5exkQ9G34cfGdPvjKmwA1PkD6dQf2nsDE31LxeGqJcWdw7cYyGo31yPFHGJmQ905xQ"<br />
{<br />
<nowiki> </nowiki> "schemaVersion": 1,<br />
<nowiki> </nowiki> "name": "library/alpine",<br />
<nowiki> </nowiki> "tag": "3.17.0_rc1",<br />
<nowiki> </nowiki> "architecture": "amd64",<br />
<nowiki> </nowiki> "fsLayers": [<br />
<nowiki> </nowiki> {<br />
<nowiki> </nowiki> "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"<br />
<nowiki> </nowiki> },<br />
<nowiki> </nowiki> {<br />
<nowiki> </nowiki> "blobSum": "sha256:7b26c2f269ea232d8dd57ee7696652248b61fda9653d7c7f06a9fea2bd2f009e"<br />
<nowiki> </nowiki> }<br />
<nowiki> </nowiki> ],<br />
<nowiki> </nowiki> "history": [<br />
<nowiki> </nowiki> {<br />
<nowiki> </nowiki> "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"Image\":\"sha256:118ada46def154efd2774e3211fef3356ad1f268e143dba1136af919d7670b0b\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"container\":\"bcb0af1ba8750c9284eb4ae69a2d444d288ccc718e2f9d329f34bbbd06deaad5\",\"container_config\":{\"Hostname\":\"bcb0af1ba875\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) \",\"CMD [\\\"/bin/sh\\\"]\"],\"Image\":\"sha256:118ada46def154efd2774e3211fef3356ad1f268e143dba1136af919d7670b0b\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2022-11-16T22:19:19.655513526Z\",\"docker_version\":\"20.10.12\",\"id\":\"fecb21f6263ecee0ce8a3d6c50c432b455c23f8afb7ebe929d54f6ca520b032b\",\"os\":\"linux\",\"parent\":\"f163dc23345785e0ac6ebc8d6c6262f19f2565ca420f0cd194c09e1029317881\",\"throwaway\":true}"<br />
<nowiki> </nowiki> },<br />
<nowiki> </nowiki> {<br />
<nowiki> </nowiki> "v1Compatibility": "{\"id\":\"f163dc23345785e0ac6ebc8d6c6262f19f2565ca420f0cd194c09e1029317881\",\"created\":\"2022-11-16T22:19:19.533331062Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:a7bed337c392105c21fe1c7067e51f5d0dedbc488b2be5daf17a18783fa29d04 in / \"]}}"<br />
<nowiki> </nowiki> }<br />
<nowiki> </nowiki> ],<br />
<nowiki> </nowiki> "signatures": [<br />
<nowiki> </nowiki> {<br />
<nowiki> </nowiki> "header": {<br />
<nowiki> </nowiki> "jwk": {<br />
<nowiki> </nowiki> "crv": "P-256",<br />
<nowiki> </nowiki> "kid": "GLVQ:OCEF:4TWE:RS63:BQJ5:VXYZ:EK7Y:DZQG:QNIT:4ZN3:PLT5:CBSK",<br />
<nowiki> </nowiki> "kty": "EC",<br />
<nowiki> </nowiki> "x": "Z4i5ZWH8GizJjOrkPpUAPT1lZH8frbh6XVlZZ6rwXtA",<br />
<nowiki> </nowiki> "y": "EuvtBs7t1sKcHzX2t5WOsXAyT8jnuetPK_IsojxGb0E"<br />
<nowiki> </nowiki> },<br />
<nowiki> </nowiki> "alg": "ES256"<br />
<nowiki> </nowiki> },<br />
<nowiki> </nowiki> "signature": "gJk_3VSshExIjeBeaLhprRpriQMANg5C-5inX-mBexjGHiAKTRjeg2c-JOcHnFpku_rdQFAEJdyLfCBkTFDKeA",<br />
<nowiki> </nowiki> "protected": "eyJmb3JtYXRMZW5ndGgiOjIxMDEsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMi0xMS0yMFQwOToxMzoxNVoifQ"<br />
<nowiki> </nowiki> }<br />
<nowiki> </nowiki> ]<br />
}<br />
ps: 对于不存在的tag, hub.docker.com返回的是(http code: 404)<br />
{"errors":[{"code":"MANIFEST_UNKNOWN","message":"manifest unknown","detail":"unknown tag=3.17.0_rc2"}]}<br />
<br />
=== 题外话: 手动认证请求registry的 /_catalog接口的例子 ===<br />
PS: 注意,有的镜像仓库<code>_catalog</code> 接口认证实现不一样,例如harbor,访问<code>_catalog</code>接口的时候,返回的401请求header里面包含了一个信息<code>www-authenticate: Basic realm="harbor"</code> 这意味着,在harbor中,这个接口只能通过harbor用户密码进行basic认证,而不是token认证。<br />
<br />
先匿名请求接口,遇到401<br />
# curl 10.10.217.241/v2/_catalog -v<br />
<br />
* About to connect() to 10.10.217.241 port 80 (#0)<br />
* Trying 10.10.217.241...<br />
* Connected to 10.10.217.241 (10.10.217.241) port 80 (#0)<br />
> GET /v2/_catalog HTTP/1.1<br />
> User-Agent: curl/7.29.0<br />
> Host: 10.10.217.241<br />
> Accept: */*<br />
><br />
< HTTP/1.1 401 Unauthorized<br />
< Server: nginx<br />
< Date: Wed, 24 May 2023 10:32:57 GMT<br />
< Content-Type: application/json; charset=utf-8<br />
< Content-Length: 145<br />
< Connection: keep-alive<br />
< Docker-Distribution-Api-Version: registry/2.0<br />
< Www-Authenticate: Bearer realm="<nowiki>http://10.10.217.241/registry/token</nowiki>",service="BUILDIN-REGISTRY",scope="registry:catalog:*"<br />
< X-Content-Type-Options: nosniff<br />
< Docker-Distribution-Api-Version: registry/2.0<br />
<<br />
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}<br />
* Connection #0 to host 10.10.217.241 left intact<br />
获取token:<br />
<br />
注意这里的service也是需要一一对应的,scope value可以不进行URL编码<br />
# curl "<nowiki>http://10.10.217.241/registry/token?service=BUILDIN-REGISTRY&scope=registry:catalog:*</nowiki>" -u admin:password-password<br />
<br />
{<br />
"token":"xxxx-token-x"<br />
}<br />
带上token,成功请求:<br />
# curl 10.10.217.241/v2/_catalog -H "Authorization: Bearer xxxx-token-x"<br />
<br />
{"repositories":[xxxxxxxxxxxxxx]}<br />
<br />
=== Related articles ===<br />
<br />
* [https://mp.weixin.qq.com/s?__biz=MzI3MTI2NzkxMA==&mid=2247493326&idx=1&sn=3e7415f94e8f4f99e0165ab2c089dee9 奇妙的Linux世界 - Docker Hub 镜像拉取有限制?手把手教你破解它!]<br />
<br />
* [https://docs.docker.com/registry/spec/auth/token/ docker official doc: Token Authentication Specification]<br />
<br />
__强显目录__<br />
[[分类:Linux]]<br />
[[分类:Docker]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E5%AE%B9%E5%99%A8%E8%BF%9B%E7%A8%8B%E5%9B%A0io%E5%AF%BC%E8%87%B4cacheMemory%E8%BE%83%E9%AB%98%E5%A4%84%E7%90%86%E9%9A%8F%E8%AE%B0&diff=1684
容器进程因io导致cacheMemory较高处理随记
2025-10-22T10:20:17Z
<p>Admin:</p>
<hr />
<div>就好像harbor的registry容器,因为经常有io,所以比较容易触发这种现象。 <br />
<br />
或者频繁追加写日志到文件的进程,也会触发这种现象 <br />
<br />
如果是cgroup2,就可以用cgroup2 的memory.high处理。找到相应的cgroup2路径,配置memory.high即可 <br />
<br />
以harbor为例<br />
<br />
<br />
nerdctl ps | awk '/registry-photon/{print "nerdctl inspect --mode native -f \"<nowiki>{{json .Spec.linux.cgroupsPath}}</nowiki>\" "$1}' | sh |cut -c 2-|cut -c -144|awk 'BEGIN{FS=":"};{print "cat /sys/fs/cgroup/kubepods.slice/kubepods-burstable.slice/"$1"/"$2"-"$3".scope/memory.high"}'<br />
<br />
<br />
nerdctl ps | awk '/registry-photon/{print "nerdctl inspect --mode native -f \"<nowiki>{{json .Spec.linux.cgroupsPath}}</nowiki>\" "$1}' | sh |cut -c 2-|cut -c -144|awk 'BEGIN{FS=":"};{print "echo 2G > /sys/fs/cgroup/kubepods.slice/kubepods-burstable.slice/"$1"/"$2"-"$3".scope/memory.high"}'<br />
<br />
<br />
[[分类:K8s]]<br />
{{DEFAULTSORT:container容器进程因io导致cacheMemory较高处理随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E5%AE%B9%E5%99%A8%E8%BF%9B%E7%A8%8B%E5%9B%A0io%E5%AF%BC%E8%87%B4cacheMemory%E8%BE%83%E9%AB%98%E5%A4%84%E7%90%86%E9%9A%8F%E8%AE%B0&diff=1683
容器进程因io导致cacheMemory较高处理随记
2025-10-22T10:20:02Z
<p>Admin:</p>
<hr />
<div>就好像harbor的registry容器,因为经常有io,所以比较容易触发这种现象。 <br />
<br />
或者频繁追加写日志到文件的进程,也会触发这种现象 <br />
<br />
如果是cgroup2,就可以用cgroup2 的mem.high处理。找到相应的cgroup2路径,配置mem.high即可 <br />
<br />
以harbor为例<br />
<br />
<br />
nerdctl ps | awk '/registry-photon/{print "nerdctl inspect --mode native -f \"<nowiki>{{json .Spec.linux.cgroupsPath}}</nowiki>\" "$1}' | sh |cut -c 2-|cut -c -144|awk 'BEGIN{FS=":"};{print "cat /sys/fs/cgroup/kubepods.slice/kubepods-burstable.slice/"$1"/"$2"-"$3".scope/memory.high"}'<br />
<br />
<br />
nerdctl ps | awk '/registry-photon/{print "nerdctl inspect --mode native -f \"<nowiki>{{json .Spec.linux.cgroupsPath}}</nowiki>\" "$1}' | sh |cut -c 2-|cut -c -144|awk 'BEGIN{FS=":"};{print "echo 2G > /sys/fs/cgroup/kubepods.slice/kubepods-burstable.slice/"$1"/"$2"-"$3".scope/memory.high"}'<br />
<br />
<br />
[[分类:K8s]]<br />
{{DEFAULTSORT:container容器进程因io导致cacheMemory较高处理随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E5%AE%B9%E5%99%A8%E8%BF%9B%E7%A8%8B%E5%9B%A0io%E5%AF%BC%E8%87%B4cacheMemory%E8%BE%83%E9%AB%98%E5%A4%84%E7%90%86%E9%9A%8F%E8%AE%B0&diff=1682
容器进程因io导致cacheMemory较高处理随记
2025-10-22T10:19:17Z
<p>Admin:</p>
<hr />
<div>就好像harbor的registry容器,因为经常有io,所以比较容易触发这种现象。 <br />
<br />
或者频繁追加写日志到文件的进程,也会触发这种现象 <br />
<br />
如果是cgroup2,就可以用cgroup2 的mem.high处理。找到相应的cgroup2路径,配置mem.high即可 <br />
<br />
以harbor为例<br />
<br />
<nowiki><br />
nerdctl ps|grep registry-photon|awk '{print "nerdctl inspect --mode native -f \"{{json .Spec.linux.cgroupsPath}}\" "$1}'|sh|cut -c 2-|cut -c -144|awk 'BEGIN{FS=":"};{print "cat /sys/fs/cgroup/kubepods.slice/kubepods-burstable.slice/"$1"/"$2"-"$3".scope/memory.high"}'<br />
<br />
<br />
nerdctl ps|grep registry-photon|awk '{print "nerdctl inspect --mode native -f \"{{json .Spec.linux.cgroupsPath}}\" "$1}'|sh|cut -c 2-|cut -c -144|awk 'BEGIN{FS=":"};{print "echo 2G > /sys/fs/cgroup/kubepods.slice/kubepods-burstable.slice/"$1"/"$2"-"$3".scope/memory.high"}'<br />
</nowiki><br />
<br />
[[分类:K8s]]<br />
{{DEFAULTSORT:container容器进程因io导致cacheMemory较高处理随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E5%AE%B9%E5%99%A8%E8%BF%9B%E7%A8%8B%E5%9B%A0io%E5%AF%BC%E8%87%B4cacheMemory%E8%BE%83%E9%AB%98%E5%A4%84%E7%90%86%E9%9A%8F%E8%AE%B0&diff=1681
容器进程因io导致cacheMemory较高处理随记
2025-10-22T10:18:45Z
<p>Admin:创建页面,内容为“就好像harbor的registry容器,因为经常有io,所以比较容易触发这种现象。 或者频繁追加写日志到文件的进程,也会触发这种现象 如果是cgroup2,就可以用cgroup2 的mem.high处理。找到相应的cgroup2路径,配置mem.high即可 以harbor为例 ffffff 分类:K8s {{DEFAULTSORT:container容器进程因io导致cacheMemory较高处理随记}}”</p>
<hr />
<div>就好像harbor的registry容器,因为经常有io,所以比较容易触发这种现象。 <br />
<br />
或者频繁追加写日志到文件的进程,也会触发这种现象 <br />
<br />
如果是cgroup2,就可以用cgroup2 的mem.high处理。找到相应的cgroup2路径,配置mem.high即可 <br />
<br />
以harbor为例<br />
<br />
ffffff<br />
[[分类:K8s]]<br />
{{DEFAULTSORT:container容器进程因io导致cacheMemory较高处理随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch%E7%9A%84%E4%B8%80%E4%BA%9Bapi%E9%9A%8F%E8%AE%B0&diff=1680
Elasticsearch的一些api随记
2025-10-21T03:27:52Z
<p>Admin:</p>
<hr />
<div>===Health===<br />
/_cat/health<br />
<br />
/_cluster/health<br />
<br />
===Indices health===<br />
按条件查看索引状态<br />
/_cat/indices?help<br />
/_cat/indices?health=red&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=yellow&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=green&v&s=store.size:desc,index<br />
注意在配合 * 通配符搜索/操作索引的时候,如果涉及隐藏的datastream / 隐藏的index,默认不会匹配命中,必须指定 <code>expand_wildcards=all</code> 参数<br />
<br />
-> https://www.elastic.co/guide/en/elasticsearch/reference/7.16/multi-index.html#hidden<br />
<br />
===Nodes===<br />
/_cat/nodes?v<br />
查看es各节点磁盘空间占用、分片数目等<br />
/_cat/allocation?v<br />
<br />
/_cat/nodeattrs<br />
<br />
===Get master node===<br />
/_cat/master?v<br />
<br />
===Cluster allocation explain related===<br />
可以用于定位分片状态以及分片为何故障<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
/_cluster/allocation/explain<br />
<br />
===Shards===<br />
粗略查看分片情况,特别是查看分片分布节点或大小/状态<br />
GET /_cat/shards<br />
<br />
GET /_cat/shards?index=index_name<br />
<br />
GET /_cat/shards?index=index_na*<br />
查看分片分配失败原因<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
==== Recovery API ====<br />
Returns information about ongoing and completed shard recoveries, similar to the index recovery API.<br />
<br />
For data streams, the API returns information about the stream’s backing indices<br />
<br />
可以查看当前正在 relocating 的分片,也能查到各分片处理进度百分比<br />
GET /_cat/recovery?active_only=true&s=index&v<br />
<br />
=== Adds a data stream or index to an alias, and sets the write index or data stream for the alias ===<br />
为别名设置可写索引或数据流<br />
<br />
If the alias doesn’t exist, the <code>add</code> action creates it.<br />
POST /_aliases <br />
{<br />
"actions": [<br />
{<br />
"add": {<br />
"index": "es-k8s-logs-000020", <br />
"alias": "es-k8s-logs-alias", <br />
"is_write_index": true <br />
}<br />
}<br />
]<br />
}<br />
<br />
===Thread pool related===<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/cat-thread-pool.html<br />
/_cluster/settings?pretty&include_defaults=true | grep processors<br />
<br />
====Get maximum number of threads info====<br />
curl "127.1:9200/_cat/thread_pool?v&h=ip,node_name,id,name,max,size,queue_size,queue,active,rejected&pretty"<br />
<br />
=== Tasks ===<br />
概览<br />
GET /_cat/tasks?v&s=action,node,start_time<br />
tasks 详情<br />
GET /_tasks<br />
<br />
GET /_tasks?group_by=parents&actions=*forcemerge*&detailed=true<br />
<br />
=== Templates 模板 ===<br />
/_cat/templates?v<br />
⚠️ /_template/${template_name} is legacy index templates, which are deprecated and will be replaced by the composable templates introduced in Elasticsearch 7.8.<br />
<br />
新版本中使用 <code>/_index_template</code> 取代<br />
GET/PUT /_template/${template_name}<br />
但是 index_template 对比 legacy template有个很明显的差异就是,legacy template可以直接根据priority进行叠加覆盖,而index_template哪个template priority高,就只有哪个生效 https://www.elastic.co/guide/en/elasticsearch/reference/7.17/index-templates.html<blockquote>If a new data stream or index matches more than one index template, the index template with the highest priority is used.</blockquote><br />
<br />
==== Use template to change the replicas settings of all indexes (Legacy index template) ====<br />
Multiple index templates can potentially match an index, in this case, both the settings and mappings are merged into the final configuration of the index. <br />
<br />
The order of the merging can be controlled using the <code>order</code> parameter, with lower order being applied first, '''and higher orders overriding them.''' <br />
<br />
legacy es template 中, 取值范围为 0 - 2^31-1 (0~2147483647)<br />
PUT /_template/${template_name}<br />
{<br />
"order": 2147483647,<br />
"index_patterns": [<br />
"*"<br />
],<br />
"settings": {<br />
"index": {<br />
"number_of_replicas": "0"<br />
}<br />
}<br />
}<br />
[[使用jq批量修改es index template的lifecycle配置]]<br />
<br />
=== ILM (index lifecycle policy) 索引生命周期 ===<br />
顾名思义,ilm另外也可用于做ES集群的冷热温架构。<br />
<br />
不同的阶段(phase)能做哪些事可以在这个 [https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-index-lifecycle.html Document] 查看<br />
<br />
比较难受的是,ilm目前没有类似 <code>_cat/templates</code> 的接口一次性只查看这个集群已配置的 ILM 策略名字,只能一次性获取全部策略具体定义 (不过可以利用浏览器的F12 json preview折叠来曲线救国)<br />
GET /_ilm/policy<br />
<br />
==== Get specific ilm policy detail 获取特定ILM策略定义 ====<br />
GET /_ilm/policy/${ilm_name}<br />
<br />
PUT /_ilm/policy/ilm-30d-delete<br />
{<br />
"policy": {<br />
"phases": {<br />
"delete": {<br />
"min_age": "30d",<br />
"actions": {<br />
"delete": {<br />
"delete_searchable_snapshot": true<br />
}<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
==== Get index's ilm status 获取索引当前 ILM 状态 ====<br />
GET /${index_name}/_ilm/explain<br />
<br />
GET /${index_name}/_ilm/explain?human<br />
<br />
==== Move index's ilm to step 修改索引的ILM阶段状态(人为触发ILM action执行) ====<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-move-to-step.html<br />
POST _ilm/move/my-index-000001<br />
{<br />
"current_step": { <br />
"phase": "new",<br />
"action": "complete",<br />
"name": "complete"<br />
},<br />
"next_step": { <br />
"phase": "warm",<br />
"action": "forcemerge", <br />
"name": "forcemerge" <br />
}<br />
}<br />
<br />
==== Manually create an index that is managed by template and ILM (including rollover operations by day) ====<br />
<br />
===== 手动创建原本应由template和ilm管控的索引,且索引名内包含日期(动态索引名) =====<br />
⚠️ 这种索引不能直接粗暴地 <code>PUT /index-name-2022.10.23-000022</code> 以创建索引,否则手动创建出来的索引,在rollover滚动 (例如rollover-max_age:1d)的时候,创建出来的新索引名字仍然是创建索引时定义的日期,而不是当天轮滚发生时的日期(如 <code>index-name-2022.10.23-000023</code>)<br />
<br />
这个现象可以通过判断 <code>GET /index-name/_settings</code> 中 <code>index.provided_name</code> 属性看出来<br />
<br />
解法:<br />
PUT %3Cindex-name-%7Bnow%2Fd%7D-000099%3E<br />
注意在kibana-Dev Tools中不要做URL Decode,他就是这样的需要编码一下(解码后就是: <code><index-name-{now/d}-000099></code>)<br />
<br />
ps: 如果怕创建错名字的话,可以使用 <code>GET %3Cindex-name-%7Bnow%2Fd%7D-000099%3E/_settings</code> 预览一下生成的索引名效果<br />
<br />
对于索引最后的这个序号,[https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-rollover-index.html#increment-index-names-for-alias 无论前一个索引的名称是什么,该编号始终为 6 个字符,且为零填充]。即使手动创建的索引结尾是<code>-00001</code>,在rollover发生以后,索引后缀序号依然会变成<code>-000002</code><br />
<br />
==== 故障处理: 有的时候对现有的索引修改了其引用的 ilm policy 为别的 policy,或者修改了其引用的 ilm policy中的 phase 定义。会导致索引ilm故障 ====<br />
有可能导致他的ilm处理会出问题(不记得怎么告警),没记错的话通过 <code>GET {index_name}/_ilm/explain</code> 能看到 error 信息,能看到卡在某个 phase 失败<br />
<br />
这时候需要人为修改 index 的 ilm phase 修复,如<br />
POST _ilm/move/insight-es-k8s-logs-dce5-aliyun-default-prd-2024.01.16<br />
{<br />
"current_step": { <br />
"phase": "hot",<br />
"action": "rollover",<br />
"name": "ERROR"<br />
},<br />
"next_step": { <br />
"phase": "cold"<br />
}<br />
}<br />
或者尝试通过 <code>POST {index_name}/_ilm/retry</code> 接口重试 <br />
<br />
===Cluster setting related ES集群参数设置===<br />
/_cluster/settings?include_defaults=true&pretty<br />
<br />
/_cluster/settings?include_defaults=true<br />
<br />
==== Wildcard expressions or all indices are not allowed ====<br />
<br />
===== 允许泛匹配删除索引 =====<br />
PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"action": {<br />
"destructive_requires_name": "false"<br />
}<br />
}<br />
}<br />
<br />
====primaries recovery settings ====<br />
=====控制索引恢复或者relocating的并发数=====<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 10,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_outgoing_recoveries": null,<br />
"node_concurrent_recoveries": 20<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": null,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": null<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 30,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": 10<br />
}<br />
}<br />
}<br />
}<br />
}<br />
cluster.routing.allocation.node_concurrent_recoveries: A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code>.<br />
# PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_concurrent_recoveries": 8<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
<br />
=== recovery.max_bytes_per_sec [https://www.elastic.co/guide/en/elasticsearch/reference/7.17/recovery.html 修改relocating时并发传输数据量] ===<br />
加大此数值可以有效缩短es relocating index的耗时<br />
<br />
indices.recovery.max_bytes_per_sec: Limits total inbound and outbound recovery traffic for each node. Applies to both peer recoveries as well as snapshot recoveries (i.e., restores from a snapshot). Defaults to <code>40mb</code> unless the node is a dedicated cold or frozen node, in which case the default relates to the total memory available to the node.<br /><br />
<br />
===Index settings===<br />
<br />
====modify the number of replicas in bulk====<br />
<br />
===== 批量/单个 设置索引副本数 =====<br />
PUT /index_name*/_settings<br />
{<br />
"index": {<br />
"number_of_replicas": 1<br />
}<br />
}<br />
<br />
=== Search Documents ===<br />
通过指定 <code>_source</code> 可以控制结果只保留某些字段<br />
<br />
==== match_all 搜索 ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match_all": {}<br />
},<br />
"size": 1<br />
}<br />
<br />
==== 单字段排序匹配搜索(match) ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match": {<br />
"segment_id": "b7bb26fae59e4f45b101346cb83ff796.69.16946808855979526"<br />
}<br />
},<br />
"sort": [<br />
{<br />
"start_time": {<br />
"order": "desc"<br />
}<br />
}<br />
],<br />
"size": 1<br />
}<br />
<br />
==== 对某个字段的值进行聚合(查询该字段有多少种类型的值) ====<br />
GET /.monitoring-es-7-2024.12.13/_search<br />
{<br />
"size": 0,<br />
"aggs": {<br />
"unique_types": {<br />
"terms": {<br />
"field": "type",<br />
"size": 10<br />
}<br />
}<br />
}<br />
}<br />
<br />
==== 对某个字段的值进行计数统计(查询该字段排名前10的值) ====<br />
(top_10_endpoints 可以自定义, 自定义的聚合名)<br />
GET sw_segment-20251021/_search<br />
{<br />
"size": 0, <br />
"aggs": {<br />
"top_10_endpoints": {<br />
"terms": {<br />
"field": "endpoint_id",<br />
"size": 10,<br />
"order": {<br />
"_count": "desc"<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
=== Elastic Cloud on Kubernetes (ECK / Elastic operator) ===<br />
ECK operator下管理的Elasticsearch如果要修改<code>cluster.routing.allocation.exclude</code> 的参数配置,需要先为 elasticsearch 实例配置annotation: 'eck.k8s.elastic.co/managed=false',不然会配置一会就会被刷回原状<br />
<br />
<br />
===Other===<br />
<br />
====对于有大量索引的刚重启的es集群====<br />
(主分片在1w-2w)<br />
<br />
=====加快es集群恢复速度=====<br />
结合es节点资源监控图,观测节点cpu压力,以及cpu IO wait<br />
<br />
适当通过update cluster settings接口动态增加node_initial_primaries_recoveries (Defaults to <code>4</code>) <br />
<br />
和 node_concurrent_recoveries <br />
<br />
(A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code> <br />
<br />
Defaults to <code>2</code>)数值<br />
<br />
通过使用 cluster settings + include_defaults=true 筛选查到当前配置值<br />
<br />
<br />
减少集群从red状态到yellow状态的耗时:增加索引副本数量,增加node_initial_primaries_recoveries值<br />
<br />
<br />
减少集群从yellow状态到green状态的耗时:增加 node_concurrent_recoveries 值<br />
<br />
<br />
通过访问 <code>/_cluster/allocation/explain</code> 接口查到阻碍集群 to green(yellow)的原因<br />
<br />
=====在es集群恢复期间因节点内存压力大(node was low on resources: memory.)而被k8s Evicted=====<br />
调整缩小 jvm 配置值,尽量不超配(requests 和 limit尽量一致或提高requests值)<br />
<br />
=== Error ===<br />
<br />
==== 集群分片数达到maximum错误 ====<br />
集群分片数达到maximum错误会有如下log信息,但是集群的健康状态不会改变<br />
2022-11-10T10:26:03.643184618Z org.elasticsearch.common.ValidationException: Validation Failed: 1: this action would add [3] shards, but this cluster currently has [1999]/[2000] maximum normal shards open;<br />
解决:<br />
<br />
调整index ilm 策略或者调整集群的max_shards_per_node配置<br />
<br />
临时生效配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"transient": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
永久更改性配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"persistent": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
[[分类:Elasticsearch]]<br />
{{DEFAULTSORT:api随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch%E7%9A%84%E4%B8%80%E4%BA%9Bapi%E9%9A%8F%E8%AE%B0&diff=1679
Elasticsearch的一些api随记
2025-10-21T03:20:29Z
<p>Admin:</p>
<hr />
<div>===Health===<br />
/_cat/health<br />
<br />
/_cluster/health<br />
<br />
===Indices health===<br />
按条件查看索引状态<br />
/_cat/indices?help<br />
/_cat/indices?health=red&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=yellow&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=green&v&s=store.size:desc,index<br />
注意在配合 * 通配符搜索/操作索引的时候,如果涉及隐藏的datastream / 隐藏的index,默认不会匹配命中,必须指定 <code>expand_wildcards=all</code> 参数<br />
<br />
-> https://www.elastic.co/guide/en/elasticsearch/reference/7.16/multi-index.html#hidden<br />
<br />
===Nodes===<br />
/_cat/nodes?v<br />
查看es各节点磁盘空间占用、分片数目等<br />
/_cat/allocation?v<br />
<br />
/_cat/nodeattrs<br />
<br />
===Get master node===<br />
/_cat/master?v<br />
<br />
===Cluster allocation explain related===<br />
可以用于定位分片状态以及分片为何故障<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
/_cluster/allocation/explain<br />
<br />
===Shards===<br />
粗略查看分片情况,特别是查看分片分布节点或大小/状态<br />
GET /_cat/shards<br />
<br />
GET /_cat/shards?index=index_name<br />
<br />
GET /_cat/shards?index=index_na*<br />
查看分片分配失败原因<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
==== Recovery API ====<br />
Returns information about ongoing and completed shard recoveries, similar to the index recovery API.<br />
<br />
For data streams, the API returns information about the stream’s backing indices<br />
<br />
可以查看当前正在 relocating 的分片,也能查到各分片处理进度百分比<br />
GET /_cat/recovery?active_only=true&s=index&v<br />
<br />
=== Adds a data stream or index to an alias, and sets the write index or data stream for the alias ===<br />
为别名设置可写索引或数据流<br />
<br />
If the alias doesn’t exist, the <code>add</code> action creates it.<br />
POST /_aliases <br />
{<br />
"actions": [<br />
{<br />
"add": {<br />
"index": "es-k8s-logs-000020", <br />
"alias": "es-k8s-logs-alias", <br />
"is_write_index": true <br />
}<br />
}<br />
]<br />
}<br />
<br />
===Thread pool related===<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/cat-thread-pool.html<br />
/_cluster/settings?pretty&include_defaults=true | grep processors<br />
<br />
====Get maximum number of threads info====<br />
curl "127.1:9200/_cat/thread_pool?v&h=ip,node_name,id,name,max,size,queue_size,queue,active,rejected&pretty"<br />
<br />
=== Tasks ===<br />
概览<br />
GET /_cat/tasks?v&s=action,node,start_time<br />
tasks 详情<br />
GET /_tasks<br />
<br />
GET /_tasks?group_by=parents&actions=*forcemerge*&detailed=true<br />
<br />
=== Templates 模板 ===<br />
/_cat/templates?v<br />
⚠️ /_template/${template_name} is legacy index templates, which are deprecated and will be replaced by the composable templates introduced in Elasticsearch 7.8.<br />
<br />
新版本中使用 <code>/_index_template</code> 取代<br />
GET/PUT /_template/${template_name}<br />
但是 index_template 对比 legacy template有个很明显的差异就是,legacy template可以直接根据priority进行叠加覆盖,而index_template哪个template priority高,就只有哪个生效 https://www.elastic.co/guide/en/elasticsearch/reference/7.17/index-templates.html<blockquote>If a new data stream or index matches more than one index template, the index template with the highest priority is used.</blockquote><br />
<br />
==== Use template to change the replicas settings of all indexes (Legacy index template) ====<br />
Multiple index templates can potentially match an index, in this case, both the settings and mappings are merged into the final configuration of the index. <br />
<br />
The order of the merging can be controlled using the <code>order</code> parameter, with lower order being applied first, '''and higher orders overriding them.''' <br />
<br />
legacy es template 中, 取值范围为 0 - 2^31-1 (0~2147483647)<br />
PUT /_template/${template_name}<br />
{<br />
"order": 2147483647,<br />
"index_patterns": [<br />
"*"<br />
],<br />
"settings": {<br />
"index": {<br />
"number_of_replicas": "0"<br />
}<br />
}<br />
}<br />
[[使用jq批量修改es index template的lifecycle配置]]<br />
<br />
=== ILM (index lifecycle policy) 索引生命周期 ===<br />
顾名思义,ilm另外也可用于做ES集群的冷热温架构。<br />
<br />
不同的阶段(phase)能做哪些事可以在这个 [https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-index-lifecycle.html Document] 查看<br />
<br />
比较难受的是,ilm目前没有类似 <code>_cat/templates</code> 的接口一次性只查看这个集群已配置的 ILM 策略名字,只能一次性获取全部策略具体定义 (不过可以利用浏览器的F12 json preview折叠来曲线救国)<br />
GET /_ilm/policy<br />
<br />
==== Get specific ilm policy detail 获取特定ILM策略定义 ====<br />
GET /_ilm/policy/${ilm_name}<br />
<br />
PUT /_ilm/policy/ilm-30d-delete<br />
{<br />
"policy": {<br />
"phases": {<br />
"delete": {<br />
"min_age": "30d",<br />
"actions": {<br />
"delete": {<br />
"delete_searchable_snapshot": true<br />
}<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
==== Get index's ilm status 获取索引当前 ILM 状态 ====<br />
GET /${index_name}/_ilm/explain<br />
<br />
GET /${index_name}/_ilm/explain?human<br />
<br />
==== Move index's ilm to step 修改索引的ILM阶段状态(人为触发ILM action执行) ====<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-move-to-step.html<br />
POST _ilm/move/my-index-000001<br />
{<br />
"current_step": { <br />
"phase": "new",<br />
"action": "complete",<br />
"name": "complete"<br />
},<br />
"next_step": { <br />
"phase": "warm",<br />
"action": "forcemerge", <br />
"name": "forcemerge" <br />
}<br />
}<br />
<br />
==== Manually create an index that is managed by template and ILM (including rollover operations by day) ====<br />
<br />
===== 手动创建原本应由template和ilm管控的索引,且索引名内包含日期(动态索引名) =====<br />
⚠️ 这种索引不能直接粗暴地 <code>PUT /index-name-2022.10.23-000022</code> 以创建索引,否则手动创建出来的索引,在rollover滚动 (例如rollover-max_age:1d)的时候,创建出来的新索引名字仍然是创建索引时定义的日期,而不是当天轮滚发生时的日期(如 <code>index-name-2022.10.23-000023</code>)<br />
<br />
这个现象可以通过判断 <code>GET /index-name/_settings</code> 中 <code>index.provided_name</code> 属性看出来<br />
<br />
解法:<br />
PUT %3Cindex-name-%7Bnow%2Fd%7D-000099%3E<br />
注意在kibana-Dev Tools中不要做URL Decode,他就是这样的需要编码一下(解码后就是: <code><index-name-{now/d}-000099></code>)<br />
<br />
ps: 如果怕创建错名字的话,可以使用 <code>GET %3Cindex-name-%7Bnow%2Fd%7D-000099%3E/_settings</code> 预览一下生成的索引名效果<br />
<br />
对于索引最后的这个序号,[https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-rollover-index.html#increment-index-names-for-alias 无论前一个索引的名称是什么,该编号始终为 6 个字符,且为零填充]。即使手动创建的索引结尾是<code>-00001</code>,在rollover发生以后,索引后缀序号依然会变成<code>-000002</code><br />
<br />
==== 故障处理: 有的时候对现有的索引修改了其引用的 ilm policy 为别的 policy,或者修改了其引用的 ilm policy中的 phase 定义。会导致索引ilm故障 ====<br />
有可能导致他的ilm处理会出问题(不记得怎么告警),没记错的话通过 <code>GET {index_name}/_ilm/explain</code> 能看到 error 信息,能看到卡在某个 phase 失败<br />
<br />
这时候需要人为修改 index 的 ilm phase 修复,如<br />
POST _ilm/move/insight-es-k8s-logs-dce5-aliyun-default-prd-2024.01.16<br />
{<br />
"current_step": { <br />
"phase": "hot",<br />
"action": "rollover",<br />
"name": "ERROR"<br />
},<br />
"next_step": { <br />
"phase": "cold"<br />
}<br />
}<br />
或者尝试通过 <code>POST {index_name}/_ilm/retry</code> 接口重试 <br />
<br />
===Cluster setting related ES集群参数设置===<br />
/_cluster/settings?include_defaults=true&pretty<br />
<br />
/_cluster/settings?include_defaults=true<br />
<br />
==== Wildcard expressions or all indices are not allowed ====<br />
<br />
===== 允许泛匹配删除索引 =====<br />
PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"action": {<br />
"destructive_requires_name": "false"<br />
}<br />
}<br />
}<br />
<br />
====primaries recovery settings ====<br />
=====控制索引恢复或者relocating的并发数=====<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 10,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_outgoing_recoveries": null,<br />
"node_concurrent_recoveries": 20<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": null,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": null<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 30,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": 10<br />
}<br />
}<br />
}<br />
}<br />
}<br />
cluster.routing.allocation.node_concurrent_recoveries: A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code>.<br />
# PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_concurrent_recoveries": 8<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
<br />
=== recovery.max_bytes_per_sec [https://www.elastic.co/guide/en/elasticsearch/reference/7.17/recovery.html 修改relocating时并发传输数据量] ===<br />
加大此数值可以有效缩短es relocating index的耗时<br />
<br />
indices.recovery.max_bytes_per_sec: Limits total inbound and outbound recovery traffic for each node. Applies to both peer recoveries as well as snapshot recoveries (i.e., restores from a snapshot). Defaults to <code>40mb</code> unless the node is a dedicated cold or frozen node, in which case the default relates to the total memory available to the node.<br /><br />
<br />
===Index settings===<br />
<br />
====modify the number of replicas in bulk====<br />
<br />
===== 批量/单个 设置索引副本数 =====<br />
PUT /index_name*/_settings<br />
{<br />
"index": {<br />
"number_of_replicas": 1<br />
}<br />
}<br />
<br />
=== Search Documents ===<br />
通过指定 <code>_source</code> 可以控制结果只保留某些字段<br />
<br />
==== match_all 搜索 ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match_all": {}<br />
},<br />
"size": 1<br />
}<br />
<br />
==== 单字段排序匹配搜索(match) ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match": {<br />
"segment_id": "b7bb26fae59e4f45b101346cb83ff796.69.16946808855979526"<br />
}<br />
},<br />
"sort": [<br />
{<br />
"start_time": {<br />
"order": "desc"<br />
}<br />
}<br />
],<br />
"size": 1<br />
}<br />
<br />
==== 对某个字段的值进行聚合(查询该字段有多少种类型的值) ====<br />
GET /.monitoring-es-7-2024.12.13/_search<br />
{<br />
"size": 0,<br />
"aggs": {<br />
"unique_types": {<br />
"terms": {<br />
"field": "type",<br />
"size": 10<br />
}<br />
}<br />
}<br />
}<br />
<br />
=== Elastic Cloud on Kubernetes (ECK / Elastic operator) ===<br />
ECK operator下管理的Elasticsearch如果要修改<code>cluster.routing.allocation.exclude</code> 的参数配置,需要先为 elasticsearch 实例配置annotation: 'eck.k8s.elastic.co/managed=false',不然会配置一会就会被刷回原状<br />
<br />
<br />
===Other===<br />
<br />
====对于有大量索引的刚重启的es集群====<br />
(主分片在1w-2w)<br />
<br />
=====加快es集群恢复速度=====<br />
结合es节点资源监控图,观测节点cpu压力,以及cpu IO wait<br />
<br />
适当通过update cluster settings接口动态增加node_initial_primaries_recoveries (Defaults to <code>4</code>) <br />
<br />
和 node_concurrent_recoveries <br />
<br />
(A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code> <br />
<br />
Defaults to <code>2</code>)数值<br />
<br />
通过使用 cluster settings + include_defaults=true 筛选查到当前配置值<br />
<br />
<br />
减少集群从red状态到yellow状态的耗时:增加索引副本数量,增加node_initial_primaries_recoveries值<br />
<br />
<br />
减少集群从yellow状态到green状态的耗时:增加 node_concurrent_recoveries 值<br />
<br />
<br />
通过访问 <code>/_cluster/allocation/explain</code> 接口查到阻碍集群 to green(yellow)的原因<br />
<br />
=====在es集群恢复期间因节点内存压力大(node was low on resources: memory.)而被k8s Evicted=====<br />
调整缩小 jvm 配置值,尽量不超配(requests 和 limit尽量一致或提高requests值)<br />
<br />
=== Error ===<br />
<br />
==== 集群分片数达到maximum错误 ====<br />
集群分片数达到maximum错误会有如下log信息,但是集群的健康状态不会改变<br />
2022-11-10T10:26:03.643184618Z org.elasticsearch.common.ValidationException: Validation Failed: 1: this action would add [3] shards, but this cluster currently has [1999]/[2000] maximum normal shards open;<br />
解决:<br />
<br />
调整index ilm 策略或者调整集群的max_shards_per_node配置<br />
<br />
临时生效配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"transient": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
永久更改性配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"persistent": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
[[分类:Elasticsearch]]<br />
{{DEFAULTSORT:api随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=Nexus3-%E8%BF%90%E7%BB%B4%E9%9A%8F%E8%AE%B0&diff=1678
Nexus3-运维随记
2025-09-29T09:15:10Z
<p>Admin:</p>
<hr />
<div>sonatype nexus3<br />
<br />
一些orientdb SQL操作记录<br />
<br />
=== 基础登陆 ===<br />
java -jar ./lib/support/nexus-orient-console.jar<br />
<br />
CONNECT PLOCAL:/nexus-data/db/component admin admin<br />
<br />
=== 按照repository 统计空间占用 ===<br />
select bucket.repository_name as repository,sum(size) as bytes from asset group by bucket.repository_name order by bytes desc limit 10;<br />
<br />
=== Maven 仓库:按 <code>groupId</code> 汇总 (AI生成) ===<br />
在仓库级别统计<br />
SELECT gid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL ) GROUP BY gid ORDER BY bytes DESC LIMIT 200;<br />
<br />
=== Maven 仓库:按 <code>Name</code>(artifactId) 汇总 (AI生成) ===<br />
在全局下按名字统计并过滤仓库:<br />
SELECT repo, gid, aid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT bucket.repository_name AS repo, attributes.maven2.groupId AS gid, attributes.maven2.artifactId AS aid, size FROM asset WHERE bucket.repository_name = ''''upload-snapshot'''<nowiki/>' AND attributes.maven2.groupId IS NOT NULL AND attributes.maven2.artifactId IS NOT NULL ) GROUP BY repo, gid, aid ORDER BY bytes DESC LIMIT 200;<br />
<br />
在全局下按名字统计并且不过滤仓库:<br />
SELECT repo, gid, aid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT bucket.repository_name AS repo, attributes.maven2.groupId AS gid, attributes.maven2.artifactId AS aid, size FROM asset WHERE attributes.maven2.groupId IS NOT NULL AND attributes.maven2.artifactId IS NOT NULL ) GROUP BY repo, gid, aid ORDER BY bytes DESC LIMIT 200;</div>
Admin
https://wiki.sanxian.tech/index.php?title=Nexus3-%E8%BF%90%E7%BB%B4%E9%9A%8F%E8%AE%B0&diff=1677
Nexus3-运维随记
2025-09-29T09:13:46Z
<p>Admin:</p>
<hr />
<div>sonatype nexus3<br />
<br />
一些orientdb SQL操作记录<br />
<br />
=== 基础登陆 ===<br />
java -jar ./lib/support/nexus-orient-console.jar<br />
<br />
CONNECT PLOCAL:/nexus-data/db/component admin admin<br />
<br />
=== 按照repository 统计空间占用 ===<br />
select bucket.repository_name as repository,sum(size) as bytes from asset group by bucket.repository_name order by bytes desc limit 10;<br />
<br />
=== Maven 仓库:按 <code>groupId</code> 汇总 (AI生成) ===<br />
SELECT gid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL ) GROUP BY gid ORDER BY bytes DESC LIMIT 200;<br />
<br />
=== Maven 仓库:按 <code>Name</code>(artifactId) 汇总 (AI生成) ===<br />
按名字统计并过滤仓库:<br />
SELECT repo, gid, aid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT bucket.repository_name AS repo, attributes.maven2.groupId AS gid, attributes.maven2.artifactId AS aid, size FROM asset WHERE bucket.repository_name = ''''upload-snapshot'''<nowiki/>' AND attributes.maven2.groupId IS NOT NULL AND attributes.maven2.artifactId IS NOT NULL ) GROUP BY repo, gid, aid ORDER BY bytes DESC LIMIT 200;<br />
<br />
<br />
按名字统计并且不过滤仓库:<br />
SELECT repo, gid, aid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT bucket.repository_name AS repo, attributes.maven2.groupId AS gid, attributes.maven2.artifactId AS aid, size FROM asset WHERE attributes.maven2.groupId IS NOT NULL AND attributes.maven2.artifactId IS NOT NULL ) GROUP BY repo, gid, aid ORDER BY bytes DESC LIMIT 200;</div>
Admin
https://wiki.sanxian.tech/index.php?title=Nexus3-%E8%BF%90%E7%BB%B4%E9%9A%8F%E8%AE%B0&diff=1676
Nexus3-运维随记
2025-09-29T09:01:08Z
<p>Admin:</p>
<hr />
<div>sonatype nexus3<br />
<br />
一些orientdb SQL操作记录<br />
<br />
=== 基础登陆 ===<br />
java -jar ./lib/support/nexus-orient-console.jar<br />
<br />
CONNECT PLOCAL:/nexus-data/db/component admin admin<br />
<br />
=== 按照repository 统计空间占用 ===<br />
select bucket.repository_name as repository,sum(size) as bytes from asset group by bucket.repository_name order by bytes desc limit 10;<br />
<br />
=== Maven 仓库:按 <code>groupId</code> 汇总 (AI生成) ===<br />
SELECT gid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL ) GROUP BY gid ORDER BY bytes DESC LIMIT 200;<br />
<br />
=== Maven 仓库:按 <code>Name</code>(artifactId) 汇总 (AI生成) ===<br />
SELECT gid, aid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, attributes.maven2.artifactId AS aid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL AND attributes.maven2.artifactId IS NOT NULL ) GROUP BY gid, aid ORDER BY bytes DESC LIMIT 200;<br />
<br />
SELECT bucket, gid, aid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT bucket, attributes.maven2.groupId AS gid, attributes.maven2.artifactId AS aid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket) AND attributes.maven2.groupId IS NOT NULL AND attributes.maven2.artifactId IS NOT NULL ) GROUP BY gid, aid ORDER BY bytes DESC LIMIT 200;</div>
Admin
https://wiki.sanxian.tech/index.php?title=Nexus3-%E8%BF%90%E7%BB%B4%E9%9A%8F%E8%AE%B0&diff=1675
Nexus3-运维随记
2025-09-29T08:58:27Z
<p>Admin:</p>
<hr />
<div>sonatype nexus3<br />
<br />
一些orientdb SQL操作记录<br />
<br />
=== 基础登陆 ===<br />
java -jar ./lib/support/nexus-orient-console.jar<br />
<br />
CONNECT PLOCAL:/nexus-data/db/component admin admin<br />
<br />
=== 按照repository 统计空间占用 ===<br />
select bucket.repository_name as repository,sum(size) as bytes from asset group by bucket.repository_name order by bytes desc limit 10;<br />
<br />
=== Maven 仓库:按 <code>groupId</code> 汇总 (AI生成) ===<br />
SELECT gid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL ) GROUP BY gid ORDER BY bytes DESC LIMIT 200;<br />
<br />
=== Maven 仓库:按 <code>Name</code>(artifactId) 汇总 (AI生成) ===<br />
SELECT gid, aid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, attributes.maven2.artifactId AS aid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL AND attributes.maven2.artifactId IS NOT NULL ) GROUP BY gid, aid ORDER BY bytes DESC LIMIT 200;</div>
Admin
https://wiki.sanxian.tech/index.php?title=Nexus3-%E8%BF%90%E7%BB%B4%E9%9A%8F%E8%AE%B0&diff=1674
Nexus3-运维随记
2025-09-29T04:02:24Z
<p>Admin:</p>
<hr />
<div>sonatype nexus3<br />
<br />
一些orientdb SQL操作记录<br />
<br />
=== 基础登陆 ===<br />
java -jar ./lib/support/nexus-orient-console.jar<br />
<br />
CONNECT PLOCAL:/nexus-data/db/component admin admin<br />
<br />
=== 按照repository 统计空间占用 ===<br />
select bucket.repository_name as repository,sum(size) as bytes from asset group by bucket.repository_name order by bytes desc limit 10;<br />
<br />
=== Maven 仓库:按 <code>groupId</code> 汇总 (AI生成) ===<br />
SELECT gid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL ) GROUP BY gid ORDER BY bytes DESC LIMIT 200;<br />
<br />
=== Maven 仓库:按 <code>Name</code>(artifactId) 汇总 (AI生成) ===<br />
SELECT gid, aid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, attributes.maven2.artifactId AS aid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL AND attributes.maven2.artifactId IS NOT NULL ) GROUP BY gid, aid ORDER BY bytes DESC LIMIT 200;</div>
Admin
https://wiki.sanxian.tech/index.php?title=Nexus3-%E8%BF%90%E7%BB%B4%E9%9A%8F%E8%AE%B0&diff=1673
Nexus3-运维随记
2025-09-29T03:49:15Z
<p>Admin:</p>
<hr />
<div>sonatype nexus3<br />
<br />
一些orientdb SQL操作记录<br />
<br />
=== 基础登陆 ===<br />
java -jar ./lib/support/nexus-orient-console.jar<br />
<br />
CONNECT PLOCAL:/nexus-data/db/component admin admin<br />
<br />
=== 按照repository 统计空间占用 ===<br />
select bucket.repository_name as repository,sum(size) as bytes from asset group by bucket.repository_name order by bytes desc limit 10;<br />
<br />
=== Maven 仓库:按 <code>groupId</code> 汇总 ===<br />
SELECT gid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL ) GROUP BY gid ORDER BY bytes DESC LIMIT 200;</div>
Admin
https://wiki.sanxian.tech/index.php?title=Nexus3-%E8%BF%90%E7%BB%B4%E9%9A%8F%E8%AE%B0&diff=1672
Nexus3-运维随记
2025-09-26T11:27:06Z
<p>Admin:</p>
<hr />
<div>sonatype nexus3<br />
<br />
=== 按照repository 统计空间占用 ===<br />
java -jar ./lib/support/nexus-orient-console.jar<br />
<br />
CONNECT PLOCAL:/nexus-data/db/component admin admin<br />
<br />
<br />
select bucket.repository_name as repository,sum(size) as bytes from asset group by bucket.repository_name order by bytes desc limit 10;<br />
<br />
=== Maven 仓库:按 <code>groupId</code> 汇总 ===<br />
SELECT gid, SUM(size) AS bytes, COUNT(*) AS files FROM ( SELECT attributes.maven2.groupId AS gid, size FROM asset WHERE bucket IN (SELECT @rid FROM bucket WHERE repository_name = 'upload-snapshot') AND attributes.maven2.groupId IS NOT NULL ) GROUP BY gid ORDER BY bytes DESC LIMIT 200;</div>
Admin
https://wiki.sanxian.tech/index.php?title=Nexus3-%E8%BF%90%E7%BB%B4%E9%9A%8F%E8%AE%B0&diff=1671
Nexus3-运维随记
2025-09-26T10:41:51Z
<p>Admin:创建页面,内容为“sonatype nexus3 === 按照repository 统计空间占用 === java -jar ./lib/support/nexus-orient-console.jar CONNECT PLOCAL:/nexus-data/db/component admin admin select bucket.repository_name as repository,sum(size) as bytes from asset group by bucket.repository_name order by bytes desc limit 10;”</p>
<hr />
<div>sonatype nexus3<br />
<br />
=== 按照repository 统计空间占用 ===<br />
java -jar ./lib/support/nexus-orient-console.jar<br />
<br />
CONNECT PLOCAL:/nexus-data/db/component admin admin<br />
<br />
<br />
select bucket.repository_name as repository,sum(size) as bytes from asset group by bucket.repository_name order by bytes desc limit 10;</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E5%AE%B9%E5%99%A8%E4%B8%BB%E5%8A%A8%E5%9B%9E%E6%94%B6cache-memory%E9%9A%8F%E8%AE%B0&diff=1670
容器主动回收cache-memory随记
2025-09-22T07:38:45Z
<p>Admin:</p>
<hr />
<div>暂记,待详细测试<br />
<br />
通过修改cgroup2 的memory.high 可以触发系统到达特定值时回收内存<br />
<br />
影响面待评估。<br />
<br />
对那种因为操作文件读写带来的cache memory占用,特别使用,如harbor 的 registry 进程<br />
<br />
有意思的文章,关于memory.* : https://support.huaweicloud.com/usermanual-hce/hce_02_0072.html<br />
<br />
<br />
<br />
需要更进一步的测试:<br />
<br />
在不人为干预memory.high 的情况下,如果一个容器cache memory 非常高,rss非常低,到达99系统是否会回收?为什么回收?什么参数控制?<br />
<br />
内核参数 <code>vm.min_free_kbytes</code> 和 <code>vm.watermark_scale_factor</code> ?<br />
<br />
<br />
PS: <code>echo 3 > /proc/sys/vm/drop_caches</code> 也可以触发回收,不过是节点级别,不是容器级别,会影响该主机全部进程<br />
<br />
<br />
[[分类:K8s]]<br />
{{DEFAULTSORT:Memory容器主动回收cache-memory随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E5%AE%B9%E5%99%A8%E4%B8%BB%E5%8A%A8%E5%9B%9E%E6%94%B6cache-memory%E9%9A%8F%E8%AE%B0&diff=1669
容器主动回收cache-memory随记
2025-09-22T07:35:33Z
<p>Admin:创建页面,内容为“暂记,待详细测试 通过修改cgroup2 的memory.high 可以触发系统到达特定值时回收内存 影响面待评估。 对那种因为操作文件读写带来的cache memory占用,特别使用,如harbor 的 registry 进程 需要更进一步的测试: 在不人为干预memory.high 的情况下,如果一个容器cache memory 非常高,rss非常低,到达99系统是否会回收?为什么回收?什么参数控制? 内核参数 <c…”</p>
<hr />
<div>暂记,待详细测试<br />
<br />
通过修改cgroup2 的memory.high 可以触发系统到达特定值时回收内存<br />
<br />
影响面待评估。<br />
<br />
对那种因为操作文件读写带来的cache memory占用,特别使用,如harbor 的 registry 进程<br />
<br />
<br />
需要更进一步的测试:<br />
<br />
在不人为干预memory.high 的情况下,如果一个容器cache memory 非常高,rss非常低,到达99系统是否会回收?为什么回收?什么参数控制?<br />
<br />
内核参数 <code>vm.min_free_kbytes</code> 和 <code>vm.watermark_scale_factor</code> ?<br />
<br />
<br />
PS: <code>echo 3 > /proc/sys/vm/drop_caches</code> 也可以触发回收,不过是节点级别,不是容器级别,会影响该主机全部进程<br />
<br />
<br />
[[分类:K8s]]<br />
{{DEFAULTSORT:Memory容器主动回收cache-memory随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=K8s%E7%9A%84%E4%B8%80%E4%BA%9B%E5%B0%8F%E5%9D%91%E6%88%96%E8%80%85bug%E7%AE%80%E8%A6%81%E8%AE%B0%E5%BD%95&diff=1668
K8s的一些小坑或者bug简要记录
2025-09-18T08:47:52Z
<p>Admin:</p>
<hr />
<div>__TOC__<br />
=== kubectl===<br />
<br />
==== kubectl rollout history====<br />
kubectl rollout history 在 v1.26之前,如果带上-o yaml或者-o json之类的-o 参数,输出的内容会是错误的版本内容<br />
<br />
相关Issue https://github.com/kubernetes/kubectl/issues/598#issuecomment-1230824762<br />
<br />
==== kubectl apply 在特定情况下可能有bug或者非预期行为====<br />
前提提要: kubectl apply 的工作涉及到了计算行为 [https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#how-apply-calculates-differences-and-merges-changes How apply calculates differences and merges changes]<br />
<br />
例如如果在kubectl 1.18,kubectl apply操作hostAliases的时候可能是追加而不是替换 [[在使用kubectl apply操作workload产生的非预期行为|在使用kubectl_apply操作hostalias产生的非预期行为]]<br />
<br />
还有一个修改probe配置,apply会有异常的,这个基本也是跟apply计算实现有关(只出现在1.18,不是很记得怎么复现,有缘再补)<br />
<br />
kubernetes中apply命令执行的全过程源码解析:https://juejin.cn/post/6968106028642598949<br />
<br />
=== kubelet===<br />
<br />
==== kubelet 1.27前串行拉取容器镜像====<br />
https://kubernetes.io/docs/concepts/containers/images/#serial-and-parallel-image-pulls<br />
<br />
By default, kubelet pulls images serially. In other words, kubelet sends only one image pull request to the image service at a time. Other image pull requests have to wait until the one being processed is complete.<br />
<br />
kubernetes 节点上kubelet在1.27版本之前对于容器镜像是串行拉取的,串行值为1,这在拉公网镜像的时候会有可能导致其它容器镜像一直处在拉取状态,在1.27中改成了并行镜像拉取<br />
<br />
==== kubelet 不断刷大量的 'Path "/var/lib/kubelet/pods/${pod_ID}/volumes" does not exist' 日志报错 ====<br />
关联原因Issue里面介绍是runc cgroup GC异常<br />
<br />
issue:<br />
<br />
https://github.com/kubernetes/kubernetes/issues/112124<br />
<br />
底部有cgroup清理脚本,但是KUBE_POD_IDS的取值逻辑要根据实际环境调整,而且就算改完了,rmdir cgroup directory会提示Device or resource busy错误<br />
<br />
继续关联issue:<br />
<br />
https://github.com/kubernetes/kubernetes/issues/112151#issuecomment-1285261341<br />
<br />
issue解释诱因: 磁盘IO<br />
<br />
==== kubelet 刷 vol_data.json: no such file or directory 日志 ====<br />
报错日志样式: <br />
<br />
operationExecutor.UnmountVolume failed<br />
<br />
failed to open volume data file [/var/lib/kubelet/pods/${pod_id}/volumes/kubernetes.io~csi/${pvc_id}/vol_data.json]: open /var/lib/kubelet/pods/${pod_id}/volumes/kubernetes.io~csi/${pvc_id}/vol_data.json: no such file or directory<br />
<br />
Issue:<br />
<br />
https://github.com/kubernetes/kubernetes/issues/85280<br />
<br />
里面issue creator有提及: <blockquote>When there is something wrong to execute os.Remove(volPath), volume path is left on node. However, mount path and vol_data.json is deleted.</blockquote>这时候实践下来,可以手动umount,重启kubelet错误即可解除<br />
<br />
其他issue中有提及<nowiki/>https://github.com/kubernetes/kubernetes/issues/116847#issuecomment-1721540974<blockquote>Alright one last update. If anyone is running into problems like these, make sure your CSI driver implements <code>NodeUnpublish</code> correctly at very minimum and idempotent. This issue imo is almost entirely caused by problematic CSI driver implementations.</blockquote><br />
<br />
==== k8s-1.18 subPath & configmap 在 configmap 修改以后 ,对应的容器会无法重启 ====<br />
https://github.com/kubernetes/kubernetes/issues/68211<br />
<br />
=== kube-proxy ===<br />
自k8s '''1.24'''开始,kube-proxy不再会默认对service占用的 nodeport进行tcp socket监听,而会全权交给iptables/ipvs负责相应的流量处理。'''所以不要再单纯依靠ss -nplt / netstat -antl 来判定一个svc是否监听正常。可以依靠tcpdump等手段判定流量已经进入到了本节点'''<br />
<br />
https://github.com/kubernetes/kubernetes/pull/108496<br />
[[分类:K8s]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Kubectl%E9%9A%8F%E8%AE%B0&diff=1667
Kubectl随记
2025-08-22T10:49:27Z
<p>Admin:</p>
<hr />
<div>=== kubectl set default editor ===<br />
export KUBE_EDITOR=/usr/bin/vim<br />
<br />
===kubectl completion bash not working 排障随记===<br />
需要已经安装 bash-completion <br />
<br />
如果提示 <code>_get_comp_words_by_ref: command not found</code> 错误的话,需要执行<br />
source /usr/share/bash-completion/bash_completion<br />
执行命令 <code>set</code> 看一下当前环境的相关配置有没有kube相关项<br />
set | grep -i kube<br />
没有的话需要执行<br />
source <(kubectl completion bash)<br />
<br />
正常的话,打开 kubectl debug<br />
__kubectl_debug() {<br />
if [[ -n ${BASH_COMP_DEBUG_FILE} ]]; then<br />
echo "$*" >> "${BASH_COMP_DEBUG_FILE}"<br />
fi<br />
}<br />
<br />
export BASH_COMP_DEBUG_FILE=****<br />
根据debug file里面的记录去排查出错点<br />
<br />
=== kubectl to get all api-resource and filter by verbs ===<br />
kubectl api-resources -o name --cached --request-timeout=5s --verbs=get<br />
<br />
kubectl api-resources --api-group=networking.k8s.io<br />
<br />
==== get groupVersion when a resource exists in multiple api groups ====<br />
<br />
==== explain api-resource with sprcific api version ====<br />
kubectl api-resources --api-group=networking.k8s.io -v8 2>&1| grep ingress<br />
<br />
kubectl explain ingress --api-version="networking.k8s.io/v1beta1"<br />
<br />
=== get service account token faster / 一条命令结合jsonpath揭秘base64处理后的secret ===<br />
kubectl get secret sa-secret -o jsonpath={.data.token} | base64 -d<br />
<br />
=== Check k8s account privilege / k8s 对象权限相关 ===<br />
kubectl options:<br />
--as=: Username to impersonate for the operation<br />
--as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.<br />
假设有名为registry-test的serviceAccount位于kube-system,这时候我们要测试他的RBAC权限,可以使用如下命令<br />
kubectl --as "system:serviceaccount:kube-system:registry-test" get serviceaccount<br />
<br />
Usage: kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [options]<br />
<br />
# Check to see if I can do everything in my current namespace ("*" means all)<br />
kubectl auth can-i '*' '*'<br />
<br />
[root@node-a ~]# kubectl --as "system:serviceaccount:kube-system:registry-test" auth can-i list pods<br />
yes<br />
PS: 在RBAC定义中(例如role / clusterrole)对 <code>resources</code> 的 <code>pods/*</code> 声明不会对诸如 <code>pods/exec pods/log pods/status</code> 等资源授权起效果<br />
<br />
原因: [[K8s-rbac关于子资源授权的一些记录]]<br />
<br />
===kubectl get resources with custom column / 利用custom-columns自定义输出字段 (语法相对go-template简单)===<br />
<br />
=====通过custom-columns只输出pod所在租户,pod名字和pod uid=====<br />
kubectl get pods -o custom-columns='namespace:metadata.namespace,pod:metadata.name,uid:metadata.uid'<br />
<br />
=====通过custom-columns只输出namespace名字和ns annotation中定义的node selector=====<br />
kubectl get namespaces -o custom-columns="NAMESPACE:.metadata.name, NODE_SELECTOR:.metadata.annotations.scheduler\.alpha\.kubernetes\.io/node-selector"<br />
<br />
===Get node info order by node ip address / 根据ip地址排序获取节点信息===<br />
kubectl get nodes -owide --sort-by status.addresses[0].address<br />
<br />
===Get pods order by running node name / 根据pod运行节点排序获取pod信息===<br />
kubectl get pods -owide --sort-by .spec.nodeName<br />
<br />
kubectl get pods -owide --sort-by spec.nodeName<br />
===Get pod order by pod create time / 根据pod创建时间排序获取pod===<br />
kubectl get pods -n efk-system --sort-by status.startTime<br />
<br />
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat<br />
<br />
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat|tac<br />
<br />
<br />
===kubectl get resources with go-template / 利用go-template自定义输出(功能扩展性高度自由,但是有一定的编码调试成本)===<br />
<br />
====Deployments - image / 只获取deployment名字和image====<br />
<nowiki>kubectl get deployments -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.template.spec.containers}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'</nowiki><br />
稍微格式化输出,输出deployment名字 + container名字 + 对应的image<br />
kubectl get deployments.apps -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{range .spec.template.spec.containers}}</nowiki><nowiki>{{.name}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{.image}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
====Pods - image / 只获取pod名字和image====<br />
<nowiki>kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.containers}}{{.image}}{{end}}{{"\n"}}{{end}}'</nowiki><br />
====Get the ip address of the specified node / 只获取节点名字和对应的Internal IP地址====<br />
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{range .status.addresses}}{{ if eq .type "InternalIP" }}{{.address}}{{end}}{{end}}{{end}}{{"\n"}}'</nowiki><br />
====Get node taints / 只获取节点名字和taints====<br />
<nowiki>kubectl get nodes -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki><br />
<br />
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki><br />
<br />
==== Get node labels and format output / 只获取节点名字和labels并格式化输出 ====<br />
kubectl get node -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{range $key, $value := .metadata.labels}}</nowiki><nowiki>{{"\t\t"}}</nowiki><nowiki>{{$key}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{$value}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
==== 获取namespace名字和ns annotation中定义的node selector ====<br />
kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector" -}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
===== 稍微处理一下,格式化对齐输出 =====<br />
kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{if index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{else}}</nowiki> <nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'<br />
<br />
===kubectl get event filter by pod name / 根据对象进行过滤获取k8s事件===<br />
kubectl get event -n kube-system --field-selector involvedObject.name=${pod_name}<br />
<br />
===kubectl get event sort by lastTime / 根据事件最后触发时间进行排序===<br />
kubectl get event -n kube-system --sort-by=.lastTimestamp<br />
<br />
=== kubectl patch ===<br />
[[K8s的patch命令随记]]<br />
<br />
kubectl patch 调整 annotation<br />
<nowiki>kubectl patch ns demo -p '{"metadata":{"annotations":{"scheduler.alpha.kubernetes.io/node-selector": "kubernetes.io/hostname=node1"}}}'</nowiki><br />
[[分类:K8s]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E4%BD%BF%E7%94%A8jq%E6%89%B9%E9%87%8F%E4%BF%AE%E6%94%B9es_index_template%E7%9A%84lifecycle%E9%85%8D%E7%BD%AE&diff=1666
使用jq批量修改es index template的lifecycle配置
2025-08-22T08:56:07Z
<p>Admin:</p>
<hr />
<div>aka: use jq tool to modify es index template lifecycle setting in bulk<br />
<br />
新版本的es index template不支持通过结合索引匹配+优先级配置的方式来叠加批量修改已存在的索引模版(legacy template 支持),只支持通过compose实现类似用法,部分场景会带来大量的搬砖成本(例如修改skywalking的索引模板中的生命周期配置或者索引副本数配置)<br />
<br />
引入脚本:<pre><br />
<nowiki><br />
#!/bin/bash<br />
#set -exu<br />
set -ue<br />
host="127.0.0.1:9200"<br />
username="elastic"<br />
password="elastic"<br />
ilm_name="sw-default-ilm"<br />
<br />
curl_options=(<br />
"-u" "$username:$password"<br />
"-s"<br />
)<br />
<br />
es_sw_templates=`curl ${curl_options[@]} "$host/_cat/templates/sw*?s=name" | awk '{print $1}'`<br />
# bak<br />
curl ${curl_options[@]} "${host}/_index_template?pretty" > es-${host}-index-templates_`date +%F%T`.bak.json<br />
<br />
for template in ${es_sw_templates[@]}<br />
do<br />
if [[ $template == "sw_segment" ]]<br />
then<br />
continue<br />
fi<br />
echo PUT /_index_template/${template}<br />
new_template=""<br />
new_template=`curl ${curl_options[@]} "${host}/_index_template/${template}" | jq '.index_templates[0].index_template | .template.settings.index.lifecycle.name |= "'${ilm_name}'"'`<br />
curl -X PUT -H "Content-Type: application/json" ${curl_options[@]} "${host}/_index_template/${template}" -d "${new_template}"<br />
echo<br />
done<br />
</nowiki></pre><br />
[[分类:Elasticsearch]]<br />
[[分类:Linux]]<br />
也可以将修改 lifecycle.name 改为修改 compose 以及修改 refresh_interval<br />
new_template=`curl ${curl_options[@]} "${host}/_index_template/${template}" | jq '.index_templates[0].index_template | .composed_of = ["sw_default_ilm"] | .template.settings.index.refresh_interval = "180s"'`<br />
{{DEFAULTSORT:jq}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=Ansible%E9%9A%8F%E8%AE%B0&diff=1665
Ansible随记
2025-08-06T06:42:04Z
<p>Admin:</p>
<hr />
<div>For linux and kubernetes<br />
<br />
<br /><br />
<br />
===Hosts config===<br />
[cluster1_controller]<br />
10.219.235.210<br />
10.219.235.213<br />
10.219.235.214<br />
<br />
[cluster1_compute]<br />
10.219.235.[215:219]<br />
<br />
[cluster1_nodes:children]<br />
cluster1_controller<br />
cluster1_compute<br />
<br />
[cluster1_nodes:vars]<br />
ansible_ssh_user=guest2admin<br />
ansible_ssh_pass=@users<br />
ansible_python_interpreter=/usr/bin/python<br />
ansible_ssh_common_args=-c aes256-cbc -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null<br />
ansible_connection=ssh<br />
ansible_become_password=root@root@su<br />
ansible_become_method=su<br />
ansible_become_exe=sudo su -<br />
<br />
#############################################<br />
<br />
[k8s]<br />
k8s-node-1 ansible_ssh_host=172.16.139.102<br />
k8s-node-2 ansible_ssh_host=172.16.139.103<br />
k8s-node-3 ansible_ssh_host=172.16.139.104<br />
<br />
[test]<br />
192.168.1.250 ansible_ssh_port=1234<br />
192.168.1.251 ansible_ssh_user=xxx ansible_ssh_pass=yyy<br />
<br />
<br />
[other-test]<br />
192.168.1.250:1234<br />
<br />
<br /><br />
<br />
===Ansible command parameters===<br />
-f 'FORKS', --forks 'FORKS'<br />
specify number of parallel processes to use (default=5)<br />
<br /><br />
===Module===<br />
<br />
====authorized_key 模块实现节点批量免密====<br />
<br />
===== module 简要参数说明: =====<br />
user=root : 将密钥推送到远程主机的哪个用户下<br />
<br />
key=’<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>’ : 指定要推送的公钥文件所在的路径(常用应该是 id_rsa.pub )<br />
<br />
path=’/root/.ssh/authorized_keys’ : 将密钥推送到远程主机的哪个目录下并重命名 [Default: (user home dir)+/.ssh/authorized_keys] <br />
<br />
manage_dir=no : 指定模块是否应该管理 authorized key 文件所在的目录。如果设置为 yes,模块会创建目录,以及设置一个已存在目录的拥有者和权限。如果通过 path 选项,重新指定了一个 authorized key 文件所在目录,那么应该将该选项设置为 no<br />
<br />
exclusive : 是否移除 authorized_keys 文件中其它非指定 key [default: no] <br />
<br />
state (Choices: present, absent) : present 添加指定 key 到 authorized_keys 文件中;absent 从 authorized_keys 文件中移除指定 key [Default: present] <br />
<br />
-k : 本次操作通过密码认证节点<br />
<br />
<br />
ps: 如果是第一次ssh连接对端节点,可以考虑 ssh-keyscan -H ${node_ip} >> ~/.ssh/known_hosts 批量添加节点ssh指或者直接将ansible host_key_checking 设置为False (ssh-keyscan 中 -H参数代表将相关指纹和主机名结果都进行哈希化加密)<br />
<br />
===== command line example: =====<br />
ansible all -m authorized_key -a "user=root key='<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>' path='/root/.ssh/authorized_keys' manage_dir=no" -k<br />
<br /><br />
====selinux====<br />
ansible k8s -m selinux -m selinux -a state=disabled<br />
https://my.oschina.net/ozakilsc/blog/693023<br />
<br /><br />
====shell====<br />
ansible k8s -m shell -a getenforce<br />
<br />
ansible k8s -m shell -a hostname<br />
<br />
ansible k8s -m shell -a "iptables -F && iptables -X && iptables -F -t nat && iptables -t nat -X && iptables -t raw -F && iptables -t raw -X && iptables -t mangle -F && iptables -t mangle -X"<br />
<br />
ansible k8s -m shell -a "modprobe bridge && modprobe br_netfilter && sysctl -p /etc/sysctl.d/kubernetes.conf"<br />
<br />
ansible k8s -m shell -a "timedatectl set-timezone Asia/Shanghai && timedatectl status"<br />
<br />
ansible all -m shell -a "rpm -Uvh <nowiki>http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm</nowiki>"<br />
<br />
ansible all -m shell -a "yum --enablerepo=elrepo-kernel install -y kernel-lt"<br />
<br />
ansible all -m shell -a "grub2-set-default 0"<br />
自动切到root用户(-b)<br />
ansible all -b -m shell -a "cat <<< \$(jq '. + {\"bip\": \"192.168.0.1/28\"}' /etc/docker/daemon.json) > /etc/docker/daemon.json"<br />
如果需要强制指定 shell 为 bash shell,可以如下<br />
ansible all -m shell -e 'ansible_shell_executable=/usr/bin/bash' -a "ls"<br />
<br />
====ping====<br />
(用于判断远程客户端是否在线)<br />
ansible k8s -m ping<br />
<br />
<br />
====command====<br />
(ansible default module)<br /><br />
<br />
<br /><br />
<br />
====yum====<br />
(default state:installed)<br />
ansible k8s -m yum -a 'name=vim state=installed'<br />
<br />
ansible k8s -m yum -a 'name=vim'<br />
<br />
ansible k8s -m yum -a 'name=vim, httpd'<br />
<br />
ansible k8s -km yum -a "name=yum-utils,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git"<br />
<br />
ansible k8s -m yum -a 'name=vsftpd state=removed'<br />
<br />
ansible k8s -m yum -a "name=bridge-utils"<br />
<br />
ansible all -m yum -a "name=epel-release,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git,bind-utils state=installed"<br />
<br /><br />
<br />
====service====<br />
ansible k8s -m service -a " name='nginx' enabled=yes"<br />
<br />
ansible k8s -m service -a "name=httpd state=started"<br />
<br />
ansible k8s -m service -a "name=firewalld state=stopped enabled=no"<br />
<br />
ansible k8s -km service -a "name=postfix state=stopped enabled=no"<br />
<br />
ansible k8s -m service -a "name=chronyd enabled=yes state=started"<br />
<br />
<br />
====copy====<br />
ansible k8s -m copy -a "src=./kubernetes.conf dest=/etc/sysctl.d/"<br />
<br />
ansible all -m copy -a "src=./authorized_keys dest=~/.ssh/authorized_keys mode=600" -k<br />
<br />
<br />
====file====<br />
ansible k8s -m file -a "path=/opt/k8s/bin state=directory"<br />
<br />
ansible k8s -m file -a "path=/opt/k8s/work state=directory"<br />
<br />
ansible k8s -m file -a "path=/opt/k8s/work state=absent"<br />
<br />
<br />
====others====<br />
ansible k8s -m shell -a "rpm --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"<br />
<br />
<br />
===Playbook===<br />
<br />
====copy====<br />
---<br />
- hosts: all<br />
<nowiki> </nowiki> tasks:<br />
<nowiki> </nowiki> - name: copy kubernetes server executeable file to master node<br />
<nowiki> </nowiki> copy:<br />
<nowiki> </nowiki> src: '<nowiki>{{ item.src }}</nowiki>'<br />
<nowiki> </nowiki> dest: '<nowiki>{{item.dest}}</nowiki>'<br />
<nowiki> </nowiki> mode: '0744'<br />
<nowiki> </nowiki> with_items:<br />
<nowiki> </nowiki> - {src: './apiextensions-apiserver', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kubeadm', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kube-apiserver', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kube-controller-manager', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kubectl', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kubelet', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kube-proxy', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kube-scheduler', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './mounter', dest: '/opt/k8s/bin/'}<br />
<br />
[[分类:Linux]]<br />
<br /><br />
<br />
===Other operations===<br />
<br />
====use the passphrase protected ssh private key without input the password====<br />
使用带密码保护的私钥并且避免每次都要输入私钥密码(本次会话生效)<br />
$ eval `ssh-agent` # you might have agent already running so this might not be needed<br />
$ ssh-add ~/.ssh/id_rsa<br />
<br /><br />
__无编辑段落__<br />
__无新段落链接__</div>
Admin
https://wiki.sanxian.tech/index.php?title=Ansible%E9%9A%8F%E8%AE%B0&diff=1664
Ansible随记
2025-08-06T06:41:40Z
<p>Admin:</p>
<hr />
<div>For linux and kubernetes<br />
<br />
<br /><br />
<br />
===Hosts config===<br />
[cluster1_controller]<br />
10.219.235.210<br />
10.219.235.213<br />
10.219.235.214<br />
<br />
[cluster1_compute]<br />
10.219.235.[215:219]<br />
<br />
[cluster1_nodes:children]<br />
cluster1_controller<br />
cluster1_compute<br />
<br />
[cluster1_nodes:vars]<br />
ansible_ssh_user=guest2admin<br />
ansible_ssh_pass=@users<br />
ansible_python_interpreter=/usr/bin/python<br />
ansible_ssh_common_args=-c aes256-cbc -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null<br />
ansible_connection=ssh<br />
ansible_become_password=root@root@su<br />
ansible_become_method=su<br />
ansible_become_exe=sudo su -<br />
<br />
#############################################<br />
<br />
[k8s]<br />
k8s-node-1 ansible_ssh_host=172.16.139.102<br />
k8s-node-2 ansible_ssh_host=172.16.139.103<br />
k8s-node-3 ansible_ssh_host=172.16.139.104<br />
<br />
[test]<br />
192.168.1.250 ansible_ssh_port=1234<br />
192.168.1.251 ansible_ssh_user=xxx ansible_ssh_pass=yyy<br />
<br />
<br />
[other-test]<br />
192.168.1.250:1234<br />
<br />
<br /><br />
<br />
===Ansible command parameters===<br />
-f 'FORKS', --forks 'FORKS'<br />
specify number of parallel processes to use (default=5)<br />
<br /><br />
===Module===<br />
<br />
====authorized_key 模块实现节点批量免密====<br />
<br />
===== module 简要参数说明: =====<br />
user=root : 将密钥推送到远程主机的哪个用户下<br />
<br />
key=’<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>’ : 指定要推送的公钥文件所在的路径(常用应该是 id_rsa.pub )<br />
<br />
path=’/root/.ssh/authorized_keys’ : 将密钥推送到远程主机的哪个目录下并重命名 [Default: (user home dir)+/.ssh/authorized_keys] <br />
<br />
manage_dir=no : 指定模块是否应该管理 authorized key 文件所在的目录。如果设置为 yes,模块会创建目录,以及设置一个已存在目录的拥有者和权限。如果通过 path 选项,重新指定了一个 authorized key 文件所在目录,那么应该将该选项设置为 no<br />
<br />
exclusive : 是否移除 authorized_keys 文件中其它非指定 key [default: no] <br />
<br />
state (Choices: present, absent) : present 添加指定 key 到 authorized_keys 文件中;absent 从 authorized_keys 文件中移除指定 key [Default: present] <br />
<br />
-k : 本次操作通过密码认证节点<br />
<br />
<br />
ps: 如果是第一次ssh连接对端节点,可以考虑 ssh-keyscan -H ${node_ip} >> ~/.ssh/known_hosts 批量添加节点ssh指或者直接将ansible host_key_checking 设置为False (ssh-keyscan 中 -H参数代表将相关指纹和主机名结果都进行哈希化加密)<br />
<br />
===== command line example: =====<br />
ansible all -m authorized_key -a "user=root key='<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>' path='/root/.ssh/authorized_keys' manage_dir=no" -k<br />
<br /><br />
====selinux====<br />
ansible k8s -m selinux -m selinux -a state=disabled<br />
https://my.oschina.net/ozakilsc/blog/693023<br />
<br /><br />
====shell====<br />
ansible k8s -m shell -a getenforce<br />
<br />
ansible k8s -m shell -a hostname<br />
<br />
ansible k8s -m shell -a "iptables -F && iptables -X && iptables -F -t nat && iptables -t nat -X && iptables -t raw -F && iptables -t raw -X && iptables -t mangle -F && iptables -t mangle -X"<br />
<br />
ansible k8s -m shell -a "modprobe bridge && modprobe br_netfilter && sysctl -p /etc/sysctl.d/kubernetes.conf"<br />
<br />
ansible k8s -m shell -a "timedatectl set-timezone Asia/Shanghai && timedatectl status"<br />
<br />
ansible all -m shell -a "rpm -Uvh <nowiki>http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm</nowiki>"<br />
<br />
ansible all -m shell -a "yum --enablerepo=elrepo-kernel install -y kernel-lt"<br />
<br />
ansible all -m shell -a "grub2-set-default 0"<br />
自动切到root用户(-b)<br />
ansible all -b -m shell -a "cat <<< \$(jq '. + {\"bip\": \"192.168.0.1/28\"}' /etc/docker/daemon.json) > /etc/docker/daemon.json"<br />
如果需要强制指定 shell 为 bash shell,可以如下<br />
ansible all -e 'ansible_shell_executable=/usr/bin/bash' -a "ls"<br />
<br />
====ping====<br />
(用于判断远程客户端是否在线)<br />
ansible k8s -m ping<br />
<br />
<br />
====command====<br />
(ansible default module)<br /><br />
<br />
<br /><br />
<br />
====yum====<br />
(default state:installed)<br />
ansible k8s -m yum -a 'name=vim state=installed'<br />
<br />
ansible k8s -m yum -a 'name=vim'<br />
<br />
ansible k8s -m yum -a 'name=vim, httpd'<br />
<br />
ansible k8s -km yum -a "name=yum-utils,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git"<br />
<br />
ansible k8s -m yum -a 'name=vsftpd state=removed'<br />
<br />
ansible k8s -m yum -a "name=bridge-utils"<br />
<br />
ansible all -m yum -a "name=epel-release,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git,bind-utils state=installed"<br />
<br /><br />
<br />
====service====<br />
ansible k8s -m service -a " name='nginx' enabled=yes"<br />
<br />
ansible k8s -m service -a "name=httpd state=started"<br />
<br />
ansible k8s -m service -a "name=firewalld state=stopped enabled=no"<br />
<br />
ansible k8s -km service -a "name=postfix state=stopped enabled=no"<br />
<br />
ansible k8s -m service -a "name=chronyd enabled=yes state=started"<br />
<br />
<br />
====copy====<br />
ansible k8s -m copy -a "src=./kubernetes.conf dest=/etc/sysctl.d/"<br />
<br />
ansible all -m copy -a "src=./authorized_keys dest=~/.ssh/authorized_keys mode=600" -k<br />
<br />
<br />
====file====<br />
ansible k8s -m file -a "path=/opt/k8s/bin state=directory"<br />
<br />
ansible k8s -m file -a "path=/opt/k8s/work state=directory"<br />
<br />
ansible k8s -m file -a "path=/opt/k8s/work state=absent"<br />
<br />
<br />
====others====<br />
ansible k8s -m shell -a "rpm --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"<br />
<br />
<br />
===Playbook===<br />
<br />
====copy====<br />
---<br />
- hosts: all<br />
<nowiki> </nowiki> tasks:<br />
<nowiki> </nowiki> - name: copy kubernetes server executeable file to master node<br />
<nowiki> </nowiki> copy:<br />
<nowiki> </nowiki> src: '<nowiki>{{ item.src }}</nowiki>'<br />
<nowiki> </nowiki> dest: '<nowiki>{{item.dest}}</nowiki>'<br />
<nowiki> </nowiki> mode: '0744'<br />
<nowiki> </nowiki> with_items:<br />
<nowiki> </nowiki> - {src: './apiextensions-apiserver', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kubeadm', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kube-apiserver', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kube-controller-manager', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kubectl', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kubelet', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kube-proxy', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './kube-scheduler', dest: '/opt/k8s/bin/'}<br />
<nowiki> </nowiki> - {src: './mounter', dest: '/opt/k8s/bin/'}<br />
<br />
[[分类:Linux]]<br />
<br /><br />
<br />
===Other operations===<br />
<br />
====use the passphrase protected ssh private key without input the password====<br />
使用带密码保护的私钥并且避免每次都要输入私钥密码(本次会话生效)<br />
$ eval `ssh-agent` # you might have agent already running so this might not be needed<br />
$ ssh-add ~/.ssh/id_rsa<br />
<br /><br />
__无编辑段落__<br />
__无新段落链接__</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E4%B8%80%E4%BA%9Brouteros-script%E6%8A%98%E8%85%BE%E9%9A%8F%E8%AE%B0&diff=1663
一些routeros-script折腾随记
2025-07-28T07:18:08Z
<p>Admin:Admin移动页面一些mikrotik-routeros-script折腾随记至一些routeros-script折腾随记,不留重定向</p>
<hr />
<div>{{DISPLAYTITLE:routeros-script折腾随记}}<br />
<br />
第三方cn docs: https://mikrotik-doc-cn.readthedocs.io/zh/latest/source/Scripts/content.html<br />
<br />
=== 常用操作: ===<br />
变量定义: 可以通过 <code>:local</code> 或者 <code>:global</code> 定义,区别就是作用域不一样<br />
:local pppoeInterface "pppoe-sfp-telecom"<br />
:local pppoeUptime<br />
<code>:put</code> 可以将定义好的变量输出到console,但是不能输出到log<br />
<br />
<br />
一般情况下,Scripts 在运行的时候,如果出现异常,不会有异常信息,只有简单的一句话:<blockquote>script,error executing script script-test from xxxxxxx failed, please check it manually</blockquote>可以通过类似以下方式把 exception (e) 打到log中方便排查<br />
:onerror e {<br />
:local pppoeInterface "pppoe-sfp-telecom"<br />
:local pppoeUptime<br />
[/interface/pppoe-client/monitor $pppoeInterface once do={:set pppoeUptime $uptime} ]<br />
:log info "PPPoE interface uptime: $pppoeUptime"<br />
<br />
} do {:log info "script running error: $e"}<br />
<br />
<br />
some example:<br />
<br />
用于判断 pppoe 连接时间,如果不在 3-5 点,就运行指定的脚本<br />
:onerror e {<br />
:local pppoeInterface "pppoe-sfp-telecom"<br />
:local pppoeUptime<br />
:local pppoeUptimeHour<br />
:local dayPos<br />
:local hourSemicolonPos<br />
:local timeCutPosStart 0<br />
<br />
<br />
[/interface/pppoe-client/monitor $pppoeInterface once do={:set pppoeUptime $uptime} ]<br />
:log info "PPPoE interface uptime: $pppoeUptime"<br />
<br />
:set dayPos [:find $pppoeUptime "d"]<br />
:if ($dayPos >0) do={<br />
:set timeCutPosStart ($dayPos + 1)<br />
#:log debug "day pos found."<br />
}<br />
:log info "timeCutPosStart: $timeCutPosStart"<br />
<br />
:set hourSemicolonPos [:find $pppoeUptime ":"]<br />
:set pppoeUptimeHour [:pick $pppoeUptime $timeCutPosStart $hourSemicolonPos]<br />
:log info "pppoeUptimeHour: $pppoeUptimeHour"<br />
<br />
:if ( $pppoeUptimeHour > 5 or $pppoeUptimeHour < 3 ) do={<br />
:log info "PPPOE connection uptime not as expected! will be restarted..."<br />
/interface/pppoe-client/disable $pppoeInterface<br />
:log info "$pppoeInterface disabled"<br />
delay 3<br />
/interface/pppoe-client/enable $pppoeInterface<br />
:log info "$pppoeInterface enabled"<br />
}<br />
<br />
} do {:log info "script running error: $e"}<br />
<br />
<br />
<br />
关联关键词: mikrotik<br />
[[分类:Router]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E4%B8%80%E4%BA%9Brouteros-script%E6%8A%98%E8%85%BE%E9%9A%8F%E8%AE%B0&diff=1662
一些routeros-script折腾随记
2025-07-28T07:17:10Z
<p>Admin:</p>
<hr />
<div>{{DISPLAYTITLE:routeros-script折腾随记}}<br />
<br />
第三方cn docs: https://mikrotik-doc-cn.readthedocs.io/zh/latest/source/Scripts/content.html<br />
<br />
=== 常用操作: ===<br />
变量定义: 可以通过 <code>:local</code> 或者 <code>:global</code> 定义,区别就是作用域不一样<br />
:local pppoeInterface "pppoe-sfp-telecom"<br />
:local pppoeUptime<br />
<code>:put</code> 可以将定义好的变量输出到console,但是不能输出到log<br />
<br />
<br />
一般情况下,Scripts 在运行的时候,如果出现异常,不会有异常信息,只有简单的一句话:<blockquote>script,error executing script script-test from xxxxxxx failed, please check it manually</blockquote>可以通过类似以下方式把 exception (e) 打到log中方便排查<br />
:onerror e {<br />
:local pppoeInterface "pppoe-sfp-telecom"<br />
:local pppoeUptime<br />
[/interface/pppoe-client/monitor $pppoeInterface once do={:set pppoeUptime $uptime} ]<br />
:log info "PPPoE interface uptime: $pppoeUptime"<br />
<br />
} do {:log info "script running error: $e"}<br />
<br />
<br />
some example:<br />
<br />
用于判断 pppoe 连接时间,如果不在 3-5 点,就运行指定的脚本<br />
:onerror e {<br />
:local pppoeInterface "pppoe-sfp-telecom"<br />
:local pppoeUptime<br />
:local pppoeUptimeHour<br />
:local dayPos<br />
:local hourSemicolonPos<br />
:local timeCutPosStart 0<br />
<br />
<br />
[/interface/pppoe-client/monitor $pppoeInterface once do={:set pppoeUptime $uptime} ]<br />
:log info "PPPoE interface uptime: $pppoeUptime"<br />
<br />
:set dayPos [:find $pppoeUptime "d"]<br />
:if ($dayPos >0) do={<br />
:set timeCutPosStart ($dayPos + 1)<br />
#:log debug "day pos found."<br />
}<br />
:log info "timeCutPosStart: $timeCutPosStart"<br />
<br />
:set hourSemicolonPos [:find $pppoeUptime ":"]<br />
:set pppoeUptimeHour [:pick $pppoeUptime $timeCutPosStart $hourSemicolonPos]<br />
:log info "pppoeUptimeHour: $pppoeUptimeHour"<br />
<br />
:if ( $pppoeUptimeHour > 5 or $pppoeUptimeHour < 3 ) do={<br />
:log info "PPPOE connection uptime not as expected! will be restarted..."<br />
/interface/pppoe-client/disable $pppoeInterface<br />
:log info "$pppoeInterface disabled"<br />
delay 3<br />
/interface/pppoe-client/enable $pppoeInterface<br />
:log info "$pppoeInterface enabled"<br />
}<br />
<br />
} do {:log info "script running error: $e"}<br />
<br />
<br />
<br />
关联关键词: mikrotik<br />
[[分类:Router]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E4%B8%80%E4%BA%9Brouteros-script%E6%8A%98%E8%85%BE%E9%9A%8F%E8%AE%B0&diff=1661
一些routeros-script折腾随记
2025-07-28T07:14:59Z
<p>Admin:Admin移动页面一些routeros-script折腾随记至一些mikrotik-routeros-script折腾随记,不留重定向</p>
<hr />
<div>{{DISPLAYTITLE:routeros-script折腾随记}}<br />
<br />
第三方cn docs: https://mikrotik-doc-cn.readthedocs.io/zh/latest/source/Scripts/content.html<br />
<br />
=== 常用操作: ===<br />
变量定义: 可以通过 <code>:local</code> 或者 <code>:global</code> 定义,区别就是作用域不一样<br />
:local pppoeInterface "pppoe-sfp-telecom"<br />
:local pppoeUptime<br />
<code>:put</code> 可以将定义好的变量输出到console,但是不能输出到log<br />
<br />
<br />
一般情况下,Scripts 在运行的时候,如果出现异常,不会有异常信息,只有简单的一句话:<blockquote>script,error executing script script-test from xxxxxxx failed, please check it manually</blockquote>可以通过类似以下方式把 exception (e) 打到log中方便排查<br />
:onerror e {<br />
:local pppoeInterface "pppoe-sfp-telecom"<br />
:local pppoeUptime<br />
[/interface/pppoe-client/monitor $pppoeInterface once do={:set pppoeUptime $uptime} ]<br />
:log info "PPPoE interface uptime: $pppoeUptime"<br />
<br />
} do {:log info "script running error: $e"}<br />
<br />
<br />
some example:<br />
<br />
用于判断 pppoe 连接时间,如果不在 3-5 点,就运行指定的脚本<br />
:onerror e {<br />
:local pppoeInterface "pppoe-sfp-telecom"<br />
:local pppoeUptime<br />
:local pppoeUptimeHour<br />
:local dayPos<br />
:local hourSemicolonPos<br />
:local timeCutPosStart 0<br />
<br />
<br />
[/interface/pppoe-client/monitor $pppoeInterface once do={:set pppoeUptime $uptime} ]<br />
:log info "PPPoE interface uptime: $pppoeUptime"<br />
<br />
:set dayPos [:find $pppoeUptime "d"]<br />
:if ($dayPos >0) do={<br />
:set timeCutPosStart ($dayPos + 1)<br />
#:log debug "day pos found."<br />
}<br />
:log info "timeCutPosStart: $timeCutPosStart"<br />
<br />
:set hourSemicolonPos [:find $pppoeUptime ":"]<br />
:set pppoeUptimeHour [:pick $pppoeUptime $timeCutPosStart $hourSemicolonPos]<br />
:log info "pppoeUptimeHour: $pppoeUptimeHour"<br />
<br />
:if ( $pppoeUptimeHour > 5 or $pppoeUptimeHour < 3 ) do={<br />
:log info "PPPOE connection uptime not as expected! will be restarted..."<br />
/interface/pppoe-client/disable $pppoeInterface<br />
:log info "$pppoeInterface disabled"<br />
delay 3<br />
/interface/pppoe-client/enable $pppoeInterface<br />
:log info "$pppoeInterface enabled"<br />
}<br />
<br />
} do {:log info "script running error: $e"}<br />
[[分类:Router]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Kubectl_edit%E6%88%96get_cm%E6%A0%BC%E5%BC%8F%E6%B7%B7%E4%B9%B1&diff=1660
Kubectl edit或get cm格式混乱
2025-07-24T11:24:48Z
<p>Admin:</p>
<hr />
<div>configmap中的内容需要 同时 满足以下条件以后,在kubectl edit/get cm yaml下才不会被二次转义编码 <br />
<br />
# 换行前不要有空白字符 <pre>:%s/\\s\\n/\\n/g</pre><br />
# 没有tab键(\t) <pre>:%s/\\t/ /g</pre><br />
# 文尾没有换行符或空白字符(整个data object的最后一个字符不能是\n)<br />
<br />
<br />
PS: 通过 <code>kubectl get cm xxxx -o jsonpath={.data}</code> 也可以避免输出的内容 被二次转义编码<br />
[[分类:K8s]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch%E7%9A%84%E4%B8%80%E4%BA%9Bapi%E9%9A%8F%E8%AE%B0&diff=1659
Elasticsearch的一些api随记
2025-07-01T03:52:05Z
<p>Admin:</p>
<hr />
<div>===Health===<br />
/_cat/health<br />
<br />
/_cluster/health<br />
<br />
===Indices health===<br />
按条件查看索引状态<br />
/_cat/indices?help<br />
/_cat/indices?health=red&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=yellow&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=green&v&s=store.size:desc,index<br />
注意在配合 * 通配符搜索/操作索引的时候,如果涉及隐藏的datastream / 隐藏的index,默认不会匹配命中,必须指定 <code>expand_wildcards=all</code> 参数<br />
<br />
-> https://www.elastic.co/guide/en/elasticsearch/reference/7.16/multi-index.html#hidden<br />
<br />
===Nodes===<br />
/_cat/nodes?v<br />
查看es各节点磁盘空间占用、分片数目等<br />
/_cat/allocation?v<br />
<br />
/_cat/nodeattrs<br />
<br />
===Get master node===<br />
/_cat/master?v<br />
<br />
===Cluster allocation explain related===<br />
可以用于定位分片状态以及分片为何故障<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
/_cluster/allocation/explain<br />
<br />
===Shards===<br />
粗略查看分片情况,特别是查看分片分布节点或大小/状态<br />
GET /_cat/shards<br />
<br />
GET /_cat/shards?index=index_name<br />
<br />
GET /_cat/shards?index=index_na*<br />
查看分片分配失败原因<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
==== Recovery API ====<br />
Returns information about ongoing and completed shard recoveries, similar to the index recovery API.<br />
<br />
For data streams, the API returns information about the stream’s backing indices<br />
<br />
可以查看当前正在 relocating 的分片,也能查到各分片处理进度百分比<br />
GET /_cat/recovery?active_only=true&s=index&v<br />
<br />
=== Adds a data stream or index to an alias, and sets the write index or data stream for the alias ===<br />
为别名设置可写索引或数据流<br />
<br />
If the alias doesn’t exist, the <code>add</code> action creates it.<br />
POST /_aliases <br />
{<br />
"actions": [<br />
{<br />
"add": {<br />
"index": "es-k8s-logs-000020", <br />
"alias": "es-k8s-logs-alias", <br />
"is_write_index": true <br />
}<br />
}<br />
]<br />
}<br />
<br />
===Thread pool related===<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/cat-thread-pool.html<br />
/_cluster/settings?pretty&include_defaults=true | grep processors<br />
<br />
====Get maximum number of threads info====<br />
curl "127.1:9200/_cat/thread_pool?v&h=ip,node_name,id,name,max,size,queue_size,queue,active,rejected&pretty"<br />
<br />
=== Tasks ===<br />
概览<br />
GET /_cat/tasks?v&s=action,node,start_time<br />
tasks 详情<br />
GET /_tasks<br />
<br />
GET /_tasks?group_by=parents&actions=*forcemerge*&detailed=true<br />
<br />
=== Templates 模板 ===<br />
/_cat/templates?v<br />
⚠️ /_template/${template_name} is legacy index templates, which are deprecated and will be replaced by the composable templates introduced in Elasticsearch 7.8.<br />
<br />
新版本中使用 <code>/_index_template</code> 取代<br />
GET/PUT /_template/${template_name}<br />
但是 index_template 对比 legacy template有个很明显的差异就是,legacy template可以直接根据priority进行叠加覆盖,而index_template哪个template priority高,就只有哪个生效 https://www.elastic.co/guide/en/elasticsearch/reference/7.17/index-templates.html<blockquote>If a new data stream or index matches more than one index template, the index template with the highest priority is used.</blockquote><br />
<br />
==== Use template to change the replicas settings of all indexes (Legacy index template) ====<br />
Multiple index templates can potentially match an index, in this case, both the settings and mappings are merged into the final configuration of the index. <br />
<br />
The order of the merging can be controlled using the <code>order</code> parameter, with lower order being applied first, '''and higher orders overriding them.''' <br />
<br />
legacy es template 中, 取值范围为 0 - 2^31-1 (0~2147483647)<br />
PUT /_template/${template_name}<br />
{<br />
"order": 2147483647,<br />
"index_patterns": [<br />
"*"<br />
],<br />
"settings": {<br />
"index": {<br />
"number_of_replicas": "0"<br />
}<br />
}<br />
}<br />
[[使用jq批量修改es index template的lifecycle配置]]<br />
<br />
=== ILM (index lifecycle policy) 索引生命周期 ===<br />
顾名思义,ilm另外也可用于做ES集群的冷热温架构。<br />
<br />
不同的阶段(phase)能做哪些事可以在这个 [https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-index-lifecycle.html Document] 查看<br />
<br />
比较难受的是,ilm目前没有类似 <code>_cat/templates</code> 的接口一次性只查看这个集群已配置的 ILM 策略名字,只能一次性获取全部策略具体定义 (不过可以利用浏览器的F12 json preview折叠来曲线救国)<br />
GET /_ilm/policy<br />
<br />
==== Get specific ilm policy detail 获取特定ILM策略定义 ====<br />
GET /_ilm/policy/${ilm_name}<br />
<br />
PUT /_ilm/policy/ilm-30d-delete<br />
{<br />
"policy": {<br />
"phases": {<br />
"delete": {<br />
"min_age": "30d",<br />
"actions": {<br />
"delete": {<br />
"delete_searchable_snapshot": true<br />
}<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
==== Get index's ilm status 获取索引当前 ILM 状态 ====<br />
GET /${index_name}/_ilm/explain<br />
<br />
GET /${index_name}/_ilm/explain?human<br />
<br />
==== Move index's ilm to step 修改索引的ILM阶段状态(人为触发ILM action执行) ====<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-move-to-step.html<br />
POST _ilm/move/my-index-000001<br />
{<br />
"current_step": { <br />
"phase": "new",<br />
"action": "complete",<br />
"name": "complete"<br />
},<br />
"next_step": { <br />
"phase": "warm",<br />
"action": "forcemerge", <br />
"name": "forcemerge" <br />
}<br />
}<br />
<br />
==== Manually create an index that is managed by template and ILM (including rollover operations by day) ====<br />
<br />
===== 手动创建原本应由template和ilm管控的索引,且索引名内包含日期(动态索引名) =====<br />
⚠️ 这种索引不能直接粗暴地 <code>PUT /index-name-2022.10.23-000022</code> 以创建索引,否则手动创建出来的索引,在rollover滚动 (例如rollover-max_age:1d)的时候,创建出来的新索引名字仍然是创建索引时定义的日期,而不是当天轮滚发生时的日期(如 <code>index-name-2022.10.23-000023</code>)<br />
<br />
这个现象可以通过判断 <code>GET /index-name/_settings</code> 中 <code>index.provided_name</code> 属性看出来<br />
<br />
解法:<br />
PUT %3Cindex-name-%7Bnow%2Fd%7D-000099%3E<br />
注意在kibana-Dev Tools中不要做URL Decode,他就是这样的需要编码一下(解码后就是: <code><index-name-{now/d}-000099></code>)<br />
<br />
ps: 如果怕创建错名字的话,可以使用 <code>GET %3Cindex-name-%7Bnow%2Fd%7D-000099%3E/_settings</code> 预览一下生成的索引名效果<br />
<br />
对于索引最后的这个序号,[https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-rollover-index.html#increment-index-names-for-alias 无论前一个索引的名称是什么,该编号始终为 6 个字符,且为零填充]。即使手动创建的索引结尾是<code>-00001</code>,在rollover发生以后,索引后缀序号依然会变成<code>-000002</code><br />
<br />
==== 故障处理: 有的时候对现有的索引修改了其引用的 ilm policy 为别的 policy,或者修改了其引用的 ilm policy中的 phase 定义。会导致索引ilm故障 ====<br />
有可能导致他的ilm处理会出问题(不记得怎么告警),没记错的话通过 <code>GET {index_name}/_ilm/explain</code> 能看到 error 信息,能看到卡在某个 phase 失败<br />
<br />
这时候需要人为修改 index 的 ilm phase 修复,如<br />
POST _ilm/move/insight-es-k8s-logs-dce5-aliyun-default-prd-2024.01.16<br />
{<br />
"current_step": { <br />
"phase": "hot",<br />
"action": "rollover",<br />
"name": "ERROR"<br />
},<br />
"next_step": { <br />
"phase": "cold"<br />
}<br />
}<br />
或者尝试通过 <code>POST {index_name}/_ilm/retry</code> 接口重试 <br />
<br />
===Cluster setting related ES集群参数设置===<br />
/_cluster/settings?include_defaults=true&pretty<br />
<br />
/_cluster/settings?include_defaults=true<br />
<br />
==== Wildcard expressions or all indices are not allowed ====<br />
<br />
===== 允许泛匹配删除索引 =====<br />
PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"action": {<br />
"destructive_requires_name": "false"<br />
}<br />
}<br />
}<br />
<br />
====primaries recovery settings ====<br />
=====控制索引恢复或者relocating的并发数=====<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 10,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_outgoing_recoveries": null,<br />
"node_concurrent_recoveries": 20<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": null,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": null<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 30,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": 10<br />
}<br />
}<br />
}<br />
}<br />
}<br />
cluster.routing.allocation.node_concurrent_recoveries: A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code>.<br />
# PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_concurrent_recoveries": 8<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
<br />
=== recovery.max_bytes_per_sec [https://www.elastic.co/guide/en/elasticsearch/reference/7.17/recovery.html 修改relocating时并发传输数据量] ===<br />
加大此数值可以有效缩短es relocating index的耗时<br />
<br />
indices.recovery.max_bytes_per_sec: Limits total inbound and outbound recovery traffic for each node. Applies to both peer recoveries as well as snapshot recoveries (i.e., restores from a snapshot). Defaults to <code>40mb</code> unless the node is a dedicated cold or frozen node, in which case the default relates to the total memory available to the node.<br /><br />
<br />
===Index settings===<br />
<br />
====modify the number of replicas in bulk====<br />
<br />
===== 批量/单个 设置索引副本数 =====<br />
PUT /index_name*/_settings<br />
{<br />
"index": {<br />
"number_of_replicas": 1<br />
}<br />
}<br />
<br />
=== Search Documents ===<br />
<br />
==== match_all 搜索 ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match_all": {}<br />
},<br />
"size": 1<br />
}<br />
<br />
==== 单字段排序匹配搜索(match) ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match": {<br />
"segment_id": "b7bb26fae59e4f45b101346cb83ff796.69.16946808855979526"<br />
}<br />
},<br />
"sort": [<br />
{<br />
"start_time": {<br />
"order": "desc"<br />
}<br />
}<br />
],<br />
"size": 1<br />
}<br />
<br />
==== 对某个字段的值进行聚合(查询该字段有多少种类型的值) ====<br />
GET /.monitoring-es-7-2024.12.13/_search<br />
{<br />
"size": 0,<br />
"aggs": {<br />
"unique_types": {<br />
"terms": {<br />
"field": "type",<br />
"size": 10<br />
}<br />
}<br />
}<br />
}<br />
<br />
=== Elastic Cloud on Kubernetes (ECK / Elastic operator) ===<br />
ECK operator下管理的Elasticsearch如果要修改<code>cluster.routing.allocation.exclude</code> 的参数配置,需要先为 elasticsearch 实例配置annotation: 'eck.k8s.elastic.co/managed=false',不然会配置一会就会被刷回原状<br />
<br />
<br />
===Other===<br />
<br />
====对于有大量索引的刚重启的es集群====<br />
(主分片在1w-2w)<br />
<br />
=====加快es集群恢复速度=====<br />
结合es节点资源监控图,观测节点cpu压力,以及cpu IO wait<br />
<br />
适当通过update cluster settings接口动态增加node_initial_primaries_recoveries (Defaults to <code>4</code>) <br />
<br />
和 node_concurrent_recoveries <br />
<br />
(A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code> <br />
<br />
Defaults to <code>2</code>)数值<br />
<br />
通过使用 cluster settings + include_defaults=true 筛选查到当前配置值<br />
<br />
<br />
减少集群从red状态到yellow状态的耗时:增加索引副本数量,增加node_initial_primaries_recoveries值<br />
<br />
<br />
减少集群从yellow状态到green状态的耗时:增加 node_concurrent_recoveries 值<br />
<br />
<br />
通过访问 <code>/_cluster/allocation/explain</code> 接口查到阻碍集群 to green(yellow)的原因<br />
<br />
=====在es集群恢复期间因节点内存压力大(node was low on resources: memory.)而被k8s Evicted=====<br />
调整缩小 jvm 配置值,尽量不超配(requests 和 limit尽量一致或提高requests值)<br />
<br />
=== Error ===<br />
<br />
==== 集群分片数达到maximum错误 ====<br />
集群分片数达到maximum错误会有如下log信息,但是集群的健康状态不会改变<br />
2022-11-10T10:26:03.643184618Z org.elasticsearch.common.ValidationException: Validation Failed: 1: this action would add [3] shards, but this cluster currently has [1999]/[2000] maximum normal shards open;<br />
解决:<br />
<br />
调整index ilm 策略或者调整集群的max_shards_per_node配置<br />
<br />
临时生效配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"transient": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
永久更改性配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"persistent": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
[[分类:Elasticsearch]]<br />
{{DEFAULTSORT:api随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=Java%E5%AE%B9%E5%99%A8%E7%9B%B8%E5%85%B3%E5%8F%82%E6%95%B0%E9%9A%8F%E8%AE%B0&diff=1658
Java容器相关参数随记
2025-06-24T08:36:22Z
<p>Admin:</p>
<hr />
<div>[[Java动态参数随记|Java动态参数随记(注入运行时参数)]]<br />
<br />
[[Java命令参数随记]]<br />
<br />
=== 命令随记 ===<br />
查看系统中有哪些java进程,命令 <code>jps</code><br />
<br />
查看指定java进程占用的内存情况,命令 <code>jmap -heap ${PID}</code><br />
<br />
查看系统或容器配置,命令 <code>java -XshowSettings:system -version</code><br />
<br />
查看JVM的相关配置,命令 <code>java -XshowSettings:vm -version</code><br />
<br />
查看支持的java参数列表 <code>java -XX:+PrintFlagsFinal -version</code>,视情况需要加上<code>-XX:+UnlockExperimentalVMOptions</code>和<code>-XX:+UnlockDiagnosticVMOptions</code> 参数<br />
<br />
查看是否支持<code>UseCGroupMemoryLimitForHeap</code>参数 <code>java -XX:+UnlockDiagnosticVMOptions -XX:+UnlockExperimentalVMOptions -XX:+PrintFlagsFinal -version |grep -i UseCGroupMemoryLimitForHeap</code><br />
<br />
=== JVM参数 ===<br />
<br />
==== -XX:+UnlockExperimentalVMOptions ====<br />
用于解锁实验性参数<br />
<br />
==== -XX:+UnlockDiagnosticVMOptions ====<br />
用于解锁一些诊断性的JVM选项。这些选项通常用于调试和诊断JVM的问题。<br />
<br />
当JVM运行时,某些选项可能会被禁用以提高安全性和稳定性。UnlockDiagnosticVMOptions参数可以用于解锁这些选项,以便可以在运行时使用它们来进行调试和诊断。<br />
<br />
==== -XX:+UseCGroupMemoryLimitForHeap ====<br />
实验性参数,用于让Xmx感知docker的memory limit<br />
<br />
这个参数自JDK8u121加入,在java8,9,10中都可用,不过由于在JDK8u191后新增了容器支持开关-XX:UseContainerSupport,并且默认开启,建议使用UseContainerSupport参数<br />
<br />
java11正式移除UseCGroupMemoryLimitForHeap,代码改动见8194086: Remove deprecated experimental flag UseCGroupMemoryLimitForHeap<br />
<br />
==== 其他参数 ====<br />
<br />
JDK8u191增加了这些参数:<br />
<br />
* MaxRAMPercentage 堆的最大值百分比。<br />
<br />
* InitialRAMPercentage 堆的初始化的百分比。<br />
<br />
* MinRAMPercentage 堆的最小值的百分比。<br />
<br />
如果使用了-Xmx参数,则直接将MaxHeapSize(最大堆大小)等同于我们设置的-Xmx。<br />
<br />
=== cgroup 与 java ===<br />
1. jvm当前生效感知的CPU 内存限制<br />
<br />
* 自 openjdk 8u131 起,有参数 -XX:+UseCGroupMemoryLimitForHeap 感知内存限制,8u191 起 XX:+UseContainerSupport 参数来支持 JVM 容器化。<br />
<br />
* 在 CGroup V2 下,需要 8u372、11.0.16、15 及以上才能正常感知到 (https://bugs.openjdk.org/browse/JDK-8230305) <br />
<br />
2. Oracle 相关 jdk/jre (8uxxx) yum 可以在 <nowiki>https://www.oracle.com/java/technologies/javase/javase8u211-later-archive-downloads.html</nowiki> 获取<br />
<br />
<br />
<br />
COPY FROM: <br />
<br />
* [https://blog.kelu.org/tech/2018/05/30/running-a-jvm-in-a-container-without-getting-killed.html 防止容器因 jvm 占用资源过多被杀死而频繁重启]<br />
* [https://jvm-argument-for-docker.teaho.net/ 容器环境下的相关JVM参数]<br />
* [https://cloud.tencent.com/developer/article/1340356 聊聊新版JDK对docker容器的支持]<br />
* [https://blog.csdn.net/Thousa_Ho/article/details/77278656 JVM 参数使用总结]<br />
<br />
[[分类:Java]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E4%BD%BF%E7%94%A8jq%E6%89%B9%E9%87%8F%E4%BF%AE%E6%94%B9es_index_template%E7%9A%84lifecycle%E9%85%8D%E7%BD%AE&diff=1657
使用jq批量修改es index template的lifecycle配置
2025-06-19T08:19:04Z
<p>Admin:</p>
<hr />
<div>aka: use jq tool to modify es index template lifecycle setting in bulk<br />
<br />
新版本的es index template不支持通过结合索引匹配+优先级配置的方式来叠加批量修改已存在的索引模版(legacy template 支持),只支持通过compose实现类似用法,部分场景会带来大量的搬砖成本(例如修改skywalking的索引模板中的生命周期配置或者索引副本数配置)<br />
<br />
引入脚本:<pre><br />
<nowiki><br />
#!/bin/bash<br />
#set -exu<br />
set -ue<br />
host="127.0.0.1:9200"<br />
username="elastic"<br />
password="elastic"<br />
ilm_name="sw-default-ilm"<br />
<br />
curl_options=(<br />
"-u" "$username:$password"<br />
"-s"<br />
)<br />
<br />
es_sw_templates=`curl ${curl_options[@]} "$host/_cat/templates/sw*?s=name" | awk '{print $1}'`<br />
# bak<br />
curl ${curl_options[@]} "${host}/_index_template?pretty" > es-${host}-index-templates_`date +%F%T`.bak.json<br />
<br />
for template in ${es_sw_templates[@]}<br />
do<br />
if [[ $template == "sw_segment" ]]<br />
then<br />
continue<br />
fi<br />
echo PUT /_index_template/${template}<br />
new_template=""<br />
new_template=`curl ${curl_options[@]} "${host}/_index_template/${template}" | jq '.index_templates[0].index_template | .template.settings.index.lifecycle.name |= "'${ilm_name}'"'`<br />
curl -X PUT -H "Content-Type: application/json" ${curl_options[@]} "${host}/_index_template/${template}" -d "${new_template}"<br />
echo<br />
done<br />
</nowiki></pre><br />
[[分类:Elasticsearch]]<br />
[[分类:Linux]]<br />
{{DEFAULTSORT:jq}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E4%BD%BF%E7%94%A8jq%E6%89%B9%E9%87%8F%E4%BF%AE%E6%94%B9es_index_template%E7%9A%84lifecycle%E9%85%8D%E7%BD%AE&diff=1656
使用jq批量修改es index template的lifecycle配置
2025-06-19T08:17:57Z
<p>Admin:</p>
<hr />
<div>aka: use jq tool to modify es index template lifecycle setting in bulk<br />
<br />
新版本的es index template不支持通过结合索引匹配+优先级配置的方式来叠加批量修改已存在的索引模版(legacy template 支持),只支持通过compose实现类似用法,部分场景会带来大量的搬砖成本(例如修改skywalking的索引模板中的生命周期配置或者索引副本数配置)<br />
<br />
引入脚本:<pre><br />
<nowiki><br />
#!/bin/bash<br />
#set -exu<br />
set -ue<br />
host="127.0.0.1:9200"<br />
username="elastic"<br />
password="elastic"<br />
ilm_name="sw-default-ilm"<br />
<br />
curl_options=(<br />
"-u" "$username:$password"<br />
"-s"<br />
)<br />
<br />
es_sw_templates=`curl ${curl_options[@]} "$host/_cat/templates/sw*?s=name" | awk '{print $1}'`<br />
# bak<br />
curl ${curl_options[@]} "${host}/_index_template?pretty" > es-${host}-index-templates_`date +%F%T`.bak.json<br />
<br />
for template in ${es_sw_templates[@]}<br />
do<br />
<br />
if [[ $template == "sw_segment" ]]<br />
then<br />
continue<br />
fi<br />
echo PUT /_index_template/${template}<br />
new_template=""<br />
new_template=`curl ${curl_options[@]} "${host}/_index_template/${template}" | jq '.index_templates[0].index_template | .template.settings.index.lifecycle.name |= "'${ilm_name}'"'`<br />
curl -X PUT -H "Content-Type: application/json" ${curl_options[@]} "${host}/_index_template/${template}" -d "${new_template}"<br />
echo<br />
done <br />
</nowiki></pre><br />
[[分类:Elasticsearch]]<br />
[[分类:Linux]]<br />
{{DEFAULTSORT:jq}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch7%E5%9C%A8%E5%AE%B9%E5%99%A8%E4%B8%AD%E8%BF%90%E8%A1%8C%E7%9A%84%E6%97%B6%E5%80%99%E6%98%AF%E6%80%8E%E4%B9%88%E6%84%9F%E7%9F%A5%E5%88%B0%E5%86%85%E5%AD%98limit%E7%84%B6%E5%90%8E%E4%BC%A0%E9%80%92%E7%BB%99java%E7%9A%84xms%E5%92%8Cxmx%E5%8F%82%E6%95%B0&diff=1655
Elasticsearch7在容器中运行的时候是怎么感知到内存limit然后传递给java的xms和xmx参数
2025-06-19T05:49:29Z
<p>Admin:</p>
<hr />
<div>首先,看一下elasticsearch容器的启动命令,避免被<code>exec</code> 迷惑<br />
[root@gzu1 ~]# docker inspect 1.1.1.1/library/elasticsearch:7.17.5| jq '.[].ContainerConfig | {Cmd,Entrypoint} '<br />
{<br />
"Cmd": [<br />
"/bin/sh",<br />
"-c",<br />
"#(nop) ",<br />
"CMD [\"eswrapper\"]"<br />
],<br />
"Entrypoint": [<br />
"/bin/tini",<br />
"--",<br />
"/usr/local/bin/docker-entrypoint.sh"<br />
]<br />
}<br />
进入到 es 容器中确认,与1号进程是预期一致的<br />
[root@gzu1 ~]# kubectl exec -it -n es-system es-data-0 -- bash<br />
root@es-data-0:/usr/share/elasticsearch# '''ps auxwwww'''<br />
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND<br />
root '''1''' 0.0 0.0 2500 540 ? Ss Mar27 3:07 '''<u>/bin/tini -- /usr/local/bin/docker-entrypoint.sh eswrapper</u>'''<br />
elastic+ 7 103 4.7 103849888 18890788 ? Sl Mar27 124591:05 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -Djava.security.manager=allow -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-2689440660253749261 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Des.cgroups.hierarchy.override=/ '''<u>-Xms16384m -Xmx16384m</u>''' -XX:MaxDirectMemorySize=8589934592 -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=25 -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/usr/share/elasticsearch/config -Des.distribution.flavor=default -Des.distribution.type=docker -Des.bundled_jdk=true -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch<br />
elastic+ 224 0.0 0.0 108392 4636 ? Sl Mar27 0:00 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller<br />
root 50256 0.0 0.0 4244 2324 pts/0 Ss+ 04:05 0:00 bash<br />
root 64422 0.3 0.0 4376 2328 pts/1 Ss 05:22 0:00 bash<br />
root 64430 0.0 0.0 5900 1492 pts/1 R+ 05:22 0:00 ps auxwwww<br />
<br />
'''<br />可以看到这里实际的运行 elasticsearch 的 java 命令中,居然有Xms 和Xmx,而且是 pod 内存限制的一半'''<br />
<br />
而在当前pod yaml中,并没有指定这些参数:<br />
[root@gzu1 ~]# kubectl get pods -n es-system es-data-0 -o json | jq '.spec.containers[].resources'<br />
{<br />
"limits": {<br />
"cpu": "8",<br />
"memory": "'''32Gi'''"<br />
},<br />
"requests": {<br />
"cpu": "4",<br />
"memory": "'''32Gi'''"<br />
}<br />
}<br />
[root@gzu1 ~]# kubectl get pods -n es-system es-data-0 -o json | jq '.spec.containers[].env'<br />
[<br />
{<br />
"name": "POD_IP",<br />
"valueFrom": {<br />
"fieldRef": {<br />
"apiVersion": "v1",<br />
"fieldPath": "status.podIP"<br />
}<br />
}<br />
},<br />
{<br />
"name": "POD_NAME",<br />
"valueFrom": {<br />
"fieldRef": {<br />
"apiVersion": "v1",<br />
"fieldPath": "metadata.name"<br />
}<br />
}<br />
},<br />
{<br />
"name": "NODE_NAME",<br />
"valueFrom": {<br />
"fieldRef": {<br />
"apiVersion": "v1",<br />
"fieldPath": "spec.nodeName"<br />
}<br />
}<br />
},<br />
{<br />
"name": "NAMESPACE",<br />
"valueFrom": {<br />
"fieldRef": {<br />
"apiVersion": "v1",<br />
"fieldPath": "metadata.namespace"<br />
}<br />
}<br />
},<br />
{<br />
"name": "PROBE_PASSWORD_PATH",<br />
"value": "/mnt/elastic-internal/probe-user/elastic-internal-probe"<br />
},<br />
{<br />
"name": "PROBE_USERNAME",<br />
"value": "elastic-internal-probe"<br />
},<br />
{<br />
"name": "READINESS_PROBE_PROTOCOL",<br />
"value": "http"<br />
},<br />
{<br />
"name": "HEADLESS_SERVICE_NAME",<br />
"value": "dmp-es-data"<br />
},<br />
{<br />
"name": "NSS_SDB_USE_CACHE",<br />
"value": "no"<br />
}<br />
]<br />
[root@gzu1 ~]# kubectl get pods -n es-system es-data-0 -o json | jq '.spec.containers[]'|grep -i env # 确认没有通过configmap等其他形式挂入env<br />
"env": [<br />
[root@gzu1 ~]#<br />
<br />
这时候打开 <code>/usr/local/bin/docker-entrypoint.sh</code> 脚本开始检查 该 elasticsearch 的初始化过程,能发现<br />
<br />
<code>/usr/local/bin/docker-entrypoint.sh</code> 经过一些简单的初始化以后,还会按需通过读取一些文件,转化为本文暂时不关注的环境变量,最后会调用 <code>/usr/share/elasticsearch/bin/elasticsearch</code><br />
<br />
而 <code>/usr/share/elasticsearch/bin/elasticsearch</code> ,众所周知,他还是一个脚本<br />
<br />
在该脚本中,他会执行 <code>source "`dirname "$0"`"/elasticsearch-env</code> ,也就是通过 <code>/usr/share/elasticsearch/bin/elasticsearch-env</code> 做一些环境初始化, 例如定义<code>ES_JAVA_HOME</code> 环境变量,以及决定用内置<code>jdk</code>还是通过<code>env</code>指定的<code>jdk</code>。还会按需通过读取一些文件,转化为本文暂时不关注的环境变量<br />
<br />
然后在指定完需要用哪个 <code>java</code> 以后,回到<code>/usr/share/elasticsearch/bin/elasticsearch</code><br />
<br />
可以看到存在一些不起眼的代码<br />
# CONTROLLING STARTUP:<br />
#<br />
# This script relies on a few environment variables to determine startup<br />
# behavior, those variables are:<br />
#<br />
# ES_PATH_CONF -- Path to config directory<br />
# ES_JAVA_OPTS -- External Java Opts on top of the defaults set<br />
#<br />
# '''Optionally, exact memory values can be set using the `ES_JAVA_OPTS`'''. Example<br />
# values are "512m", and "10g".<br />
#<br />
# ES_JAVA_OPTS="-Xms8g -Xmx8g" ./bin/elasticsearch<br />
<br />
........<br />
<br />
if [ -z "$ES_TMPDIR" ]; then<br />
ES_TMPDIR=`"$JAVA" "$XSHARE" -cp "$ES_CLASSPATH" org.elasticsearch.tools.launchers.TempDirectory`<br />
fi<br />
<br />
.......<br />
<br />
# The JVM options parser produces the final JVM options to start Elasticsearch.<br />
# It does this by incorporating JVM options in the following way:<br />
# '''- first, system JVM options are applied (these are hardcoded options in the'''<br />
# '''parser)'''<br />
# - second, JVM options are read from jvm.options and jvm.options.d/*.options<br />
# - third, JVM options from ES_JAVA_OPTS are applied<br />
# - fourth, ergonomic JVM options are applied<br />
'''ES_JAVA_OPTS=`export ES_TMPDIR; "$JAVA" "$XSHARE" -cp "$ES_CLASSPATH" org.elasticsearch.tools.launchers.JvmOptionsParser "$ES_PATH_CONF" "$ES_HOME/plugins"`'''<br />
我们在 elasticsearch 容器中同样执行这些代码看看效果:<br />
root@es-data-0:/usr/share/elasticsearch# /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -cp "/usr/share/elasticsearch/lib/*" org.elasticsearch.tools.launchers.TempDirectory<br />
/tmp/elasticsearch-9132815636720135492<br />
<br />
root@es-data-0:/usr/share/elasticsearch# export ES_TMPDIR=/tmp/elasticsearch-9132815636720135492<br />
<br />
root@es-data-0:/usr/share/elasticsearch# '''/usr/share/elasticsearch/jdk/bin/java -Xshare:auto -cp "/usr/share/elasticsearch/lib/*" <u>org.elasticsearch.tools.launchers.JvmOptionsParser</u> /usr/share/elasticsearch/config /usr/share/elasticsearch/plugins'''<br />
-Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -Djava.security.manager=allow -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-9132815636720135492 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m '''<u>-Xms16384m -Xmx16384m</u>''' -XX:MaxDirectMemorySize=8589934592 -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=25<br />
在这里找到了Xms 和 Xmx的定义,也就是说 <code>/usr/share/elasticsearch/bin/elasticsearch</code> 脚本会通过执行 <code>org.elasticsearch.tools.launchers.TempDirectory</code> 产生一个临时文件夹,然后继续执行 <code>org.elasticsearch.tools.launchers.JvmOptionsParser</code> 产生合适的 Xms 及 Xmx 参数<br />
<br />
而如果我们在环境变量中预先定义了 <code>ES_JAVA_OPTS</code> ,就会有如下效果(在该脚本注释中也有提到)<br />
root@es-data-0:/usr/share/elasticsearch# '''export ES_JAVA_OPTS="-Xms8g -Xmx8g"'''<br />
<br />
root@es-data-0:/usr/share/elasticsearch# '''/usr/share/elasticsearch/jdk/bin/java -Xshare:auto -cp "/usr/share/elasticsearch/lib/*" org.elasticsearch.tools.launchers.JvmOptionsParser /usr/share/elasticsearch/config /usr/share/elasticsearch/plugins'''<br />
-Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -Djava.security.manager=allow -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-9132815636720135492 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m '''<u>-Xms8g -Xmx8g</u>''' -XX:MaxDirectMemorySize=4294967296 -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=25<br />
[[分类:Elasticsearch]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch7%E5%9C%A8%E5%AE%B9%E5%99%A8%E4%B8%AD%E8%BF%90%E8%A1%8C%E7%9A%84%E6%97%B6%E5%80%99%E6%98%AF%E6%80%8E%E4%B9%88%E6%84%9F%E7%9F%A5%E5%88%B0%E5%86%85%E5%AD%98limit%E7%84%B6%E5%90%8E%E4%BC%A0%E9%80%92%E7%BB%99java%E7%9A%84xms%E5%92%8Cxmx%E5%8F%82%E6%95%B0&diff=1654
Elasticsearch7在容器中运行的时候是怎么感知到内存limit然后传递给java的xms和xmx参数
2025-06-19T05:46:33Z
<p>Admin:创建页面,内容为“首先,看一下elasticsearch容器的启动命令,避免被<code>exec</code> 迷惑 [root@gzu1 ~]# docker inspect 1.1.1.1/library/elasticsearch:7.17.5| jq '.[].ContainerConfig | {Cmd,Entrypoint} ' { "Cmd": [ "/bin/sh", "-c", "#(nop) ", "CMD [\"eswrapper\"]" ], "Entrypoint": [ "/bin/tini", "--", "/usr/local/bin/docker-entrypoint.sh" ] } 进入到 es 容器中确认,与1号进程是预期一致的 [root@gz…”</p>
<hr />
<div>首先,看一下elasticsearch容器的启动命令,避免被<code>exec</code> 迷惑<br />
[root@gzu1 ~]# docker inspect 1.1.1.1/library/elasticsearch:7.17.5| jq '.[].ContainerConfig | {Cmd,Entrypoint} '<br />
{<br />
"Cmd": [<br />
"/bin/sh",<br />
"-c",<br />
"#(nop) ",<br />
"CMD [\"eswrapper\"]"<br />
],<br />
"Entrypoint": [<br />
"/bin/tini",<br />
"--",<br />
"/usr/local/bin/docker-entrypoint.sh"<br />
]<br />
}<br />
进入到 es 容器中确认,与1号进程是预期一致的<br />
[root@gzu1 ~]# kubectl exec -it -n es-system es-data-0 -- bash<br />
root@es-data-0:/usr/share/elasticsearch# '''ps auxwwww'''<br />
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND<br />
root '''1''' 0.0 0.0 2500 540 ? Ss Mar27 3:07 '''<u>/bin/tini -- /usr/local/bin/docker-entrypoint.sh eswrapper</u>'''<br />
elastic+ 7 103 4.7 103849888 18890788 ? Sl Mar27 124591:05 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -Djava.security.manager=allow -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-2689440660253749261 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Des.cgroups.hierarchy.override=/ '''<u>-Xms16384m -Xmx16384m</u>''' -XX:MaxDirectMemorySize=8589934592 -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=25 -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/usr/share/elasticsearch/config -Des.distribution.flavor=default -Des.distribution.type=docker -Des.bundled_jdk=true -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch<br />
elastic+ 224 0.0 0.0 108392 4636 ? Sl Mar27 0:00 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller<br />
root 50256 0.0 0.0 4244 2324 pts/0 Ss+ 04:05 0:00 bash<br />
root 64422 0.3 0.0 4376 2328 pts/1 Ss 05:22 0:00 bash<br />
root 64430 0.0 0.0 5900 1492 pts/1 R+ 05:22 0:00 ps auxwwww<br />
<br />
<br />
可以看到这里实际的运行 elasticsearch 的java命令中,居然有Xms 和Xmx,而且是pod 内存限制的一半<br />
<br />
而在当前pod yaml中,并没有指定这些参数:<br />
[root@gzu1 ~]# kubectl get pods -n es-system es-data-0 -o json | jq '.spec.containers[].resources'<br />
{<br />
"limits": {<br />
"cpu": "8",<br />
"memory": "'''32Gi'''"<br />
},<br />
"requests": {<br />
"cpu": "4",<br />
"memory": "'''32Gi'''"<br />
}<br />
}<br />
[root@gzu1 ~]# kubectl get pods -n es-system es-data-0 -o json | jq '.spec.containers[].env'<br />
[<br />
{<br />
"name": "POD_IP",<br />
"valueFrom": {<br />
"fieldRef": {<br />
"apiVersion": "v1",<br />
"fieldPath": "status.podIP"<br />
}<br />
}<br />
},<br />
{<br />
"name": "POD_NAME",<br />
"valueFrom": {<br />
"fieldRef": {<br />
"apiVersion": "v1",<br />
"fieldPath": "metadata.name"<br />
}<br />
}<br />
},<br />
{<br />
"name": "NODE_NAME",<br />
"valueFrom": {<br />
"fieldRef": {<br />
"apiVersion": "v1",<br />
"fieldPath": "spec.nodeName"<br />
}<br />
}<br />
},<br />
{<br />
"name": "NAMESPACE",<br />
"valueFrom": {<br />
"fieldRef": {<br />
"apiVersion": "v1",<br />
"fieldPath": "metadata.namespace"<br />
}<br />
}<br />
},<br />
{<br />
"name": "PROBE_PASSWORD_PATH",<br />
"value": "/mnt/elastic-internal/probe-user/elastic-internal-probe"<br />
},<br />
{<br />
"name": "PROBE_USERNAME",<br />
"value": "elastic-internal-probe"<br />
},<br />
{<br />
"name": "READINESS_PROBE_PROTOCOL",<br />
"value": "http"<br />
},<br />
{<br />
"name": "HEADLESS_SERVICE_NAME",<br />
"value": "dmp-es-data"<br />
},<br />
{<br />
"name": "NSS_SDB_USE_CACHE",<br />
"value": "no"<br />
}<br />
]<br />
[root@gzu1 ~]# kubectl get pods -n es-system es-data-0 -o json | jq '.spec.containers[]'|grep -i env # 确认没有通过configmap等其他形式挂入env<br />
"env": [<br />
[root@gzu1 ~]#<br />
<br />
<br />
<br />
这时候打开 <code>/usr/local/bin/docker-entrypoint.sh</code> 脚本开始检查 该 elasticsearch 的初始化过程,能发现<br />
<br />
<code>/usr/local/bin/docker-entrypoint.sh</code> 经过一些简单的初始化以后,还会按需通过读取一些文件,转化为本文暂时不关注的环境变量,最后会调用 <code>/usr/share/elasticsearch/bin/elasticsearch</code><br />
<br />
而 <code>/usr/share/elasticsearch/bin/elasticsearch</code> 总所周知,他还是一个脚本<br />
<br />
在该脚本中,他会执行 <code>source "`dirname "$0"`"/elasticsearch-env</code> ,也就是通过 <code>/usr/share/elasticsearch/bin/elasticsearch-env</code> 做一些环境初始化, 例如定义<code>ES_JAVA_HOME</code> 环境变量,以及决定用内置<code>jdk</code>还是通过<code>env</code>指定的<code>jdk</code>。还会按需通过读取一些文件,转化为本文暂时不关注的环境变量<br />
<br />
然后在指定完需要用哪个 <code>java</code> 以后,回到<code>/usr/share/elasticsearch/bin/elasticsearch</code><br />
<br />
可以看到存在一些不起眼的代码<br />
# CONTROLLING STARTUP:<br />
#<br />
# This script relies on a few environment variables to determine startup<br />
# behavior, those variables are:<br />
#<br />
# ES_PATH_CONF -- Path to config directory<br />
# ES_JAVA_OPTS -- External Java Opts on top of the defaults set<br />
#<br />
# '''Optionally, exact memory values can be set using the `ES_JAVA_OPTS`'''. Example<br />
# values are "512m", and "10g".<br />
#<br />
# ES_JAVA_OPTS="-Xms8g -Xmx8g" ./bin/elasticsearch<br />
<br />
........<br />
<br />
if [ -z "$ES_TMPDIR" ]; then<br />
ES_TMPDIR=`"$JAVA" "$XSHARE" -cp "$ES_CLASSPATH" org.elasticsearch.tools.launchers.TempDirectory`<br />
fi<br />
<br />
.......<br />
<br />
# The JVM options parser produces the final JVM options to start Elasticsearch.<br />
# It does this by incorporating JVM options in the following way:<br />
# '''- first, system JVM options are applied (these are hardcoded options in the'''<br />
# '''parser)'''<br />
# - second, JVM options are read from jvm.options and jvm.options.d/*.options<br />
# - third, JVM options from ES_JAVA_OPTS are applied<br />
# - fourth, ergonomic JVM options are applied<br />
'''ES_JAVA_OPTS=`export ES_TMPDIR; "$JAVA" "$XSHARE" -cp "$ES_CLASSPATH" org.elasticsearch.tools.launchers.JvmOptionsParser "$ES_PATH_CONF" "$ES_HOME/plugins"`'''<br />
我们在 elasticsearch 容器中同样执行这些代码看看效果:<br />
root@es-data-0:/usr/share/elasticsearch# /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -cp "/usr/share/elasticsearch/lib/*" org.elasticsearch.tools.launchers.TempDirectory<br />
/tmp/elasticsearch-9132815636720135492<br />
<br />
root@es-data-0:/usr/share/elasticsearch# export ES_TMPDIR=/tmp/elasticsearch-9132815636720135492<br />
<br />
root@es-data-0:/usr/share/elasticsearch# '''/usr/share/elasticsearch/jdk/bin/java -Xshare:auto -cp "/usr/share/elasticsearch/lib/*" <u>org.elasticsearch.tools.launchers.JvmOptionsParser</u> /usr/share/elasticsearch/config /usr/share/elasticsearch/plugins'''<br />
-Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -Djava.security.manager=allow -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-9132815636720135492 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m '''<u>-Xms16384m -Xmx16384m</u>''' -XX:MaxDirectMemorySize=8589934592 -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=25<br />
在这里找到了Xms 和 Xmx的定义,也就是说 <code>/usr/share/elasticsearch/bin/elasticsearch</code> 脚本会通过执行 <code>org.elasticsearch.tools.launchers.TempDirectory</code> 产生一个临时文件夹,然后继续执行 <code>org.elasticsearch.tools.launchers.JvmOptionsParser</code> 产生合适的 Xms 及 Xmx 参数<br />
<br />
而如果我们在环境变量中预先定义了 <code>ES_JAVA_OPTS</code> ,就会有如下效果(在该脚本注释中也有提到)<br />
root@es-data-0:/usr/share/elasticsearch# '''export ES_JAVA_OPTS="-Xms8g -Xmx8g"'''<br />
<br />
root@es-data-0:/usr/share/elasticsearch# '''/usr/share/elasticsearch/jdk/bin/java -Xshare:auto -cp "/usr/share/elasticsearch/lib/*" org.elasticsearch.tools.launchers.JvmOptionsParser /usr/share/elasticsearch/config /usr/share/elasticsearch/plugins'''<br />
-Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -Djava.security.manager=allow -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-9132815636720135492 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m '''<u>-Xms8g -Xmx8g</u>''' -XX:MaxDirectMemorySize=4294967296 -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=25<br />
[[分类:Elasticsearch]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch%E7%9A%84%E4%B8%80%E4%BA%9Bapi%E9%9A%8F%E8%AE%B0&diff=1653
Elasticsearch的一些api随记
2025-06-06T18:46:32Z
<p>Admin:</p>
<hr />
<div>===Health===<br />
/_cat/health<br />
<br />
/_cluster/health<br />
<br />
===Indices health===<br />
按条件查看索引状态<br />
/_cat/indices?help<br />
/_cat/indices?health=red&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=yellow&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=green&v&s=store.size:desc,index<br />
注意在配合 * 通配符搜索/操作索引的时候,如果涉及隐藏的datastream / 隐藏的index,默认不会匹配命中,必须指定 <code>expand_wildcards=all</code> 参数<br />
<br />
-> https://www.elastic.co/guide/en/elasticsearch/reference/7.16/multi-index.html#hidden<br />
<br />
===Nodes===<br />
/_cat/nodes?v<br />
查看es各节点磁盘空间占用、分片数目等<br />
/_cat/allocation?v<br />
<br />
/_cat/nodeattrs<br />
<br />
===Get master node===<br />
/_cat/master?v<br />
<br />
===Cluster allocation explain related===<br />
可以用于定位分片状态以及分片为何故障<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
/_cluster/allocation/explain<br />
<br />
===Shards===<br />
粗略查看分片情况,特别是查看分片分布节点或大小/状态<br />
GET /_cat/shards<br />
<br />
GET /_cat/shards?index=index_name<br />
<br />
GET /_cat/shards?index=index_na*<br />
查看分片分配失败原因<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
==== Recovery API ====<br />
Returns information about ongoing and completed shard recoveries, similar to the index recovery API.<br />
<br />
For data streams, the API returns information about the stream’s backing indices<br />
<br />
可以查看当前正在 relocating 的分片,也能查到各分片处理进度百分比<br />
GET /_cat/recovery?active_only=true&s=index&v<br />
<br />
=== Adds a data stream or index to an alias, and sets the write index or data stream for the alias ===<br />
为别名设置可写索引或数据流<br />
<br />
If the alias doesn’t exist, the <code>add</code> action creates it.<br />
POST /_aliases <br />
{<br />
"actions": [<br />
{<br />
"add": {<br />
"index": "es-k8s-logs-000020", <br />
"alias": "es-k8s-logs-alias", <br />
"is_write_index": true <br />
}<br />
}<br />
]<br />
}<br />
<br />
===Thread pool related===<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/cat-thread-pool.html<br />
/_cluster/settings?pretty&include_defaults=true | grep processors<br />
<br />
====Get maximum number of threads info====<br />
curl "127.1:9200/_cat/thread_pool?v&h=ip,node_name,id,name,max,size,queue_size,queue,active,rejected&pretty"<br />
<br />
=== Templates 模板 ===<br />
/_cat/templates?v<br />
⚠️ /_template/${template_name} is legacy index templates, which are deprecated and will be replaced by the composable templates introduced in Elasticsearch 7.8.<br />
<br />
新版本中使用 <code>/_index_template</code> 取代<br />
GET/PUT /_template/${template_name}<br />
但是 index_template 对比 legacy template有个很明显的差异就是,legacy template可以直接根据priority进行叠加覆盖,而index_template哪个template priority高,就只有哪个生效 https://www.elastic.co/guide/en/elasticsearch/reference/7.17/index-templates.html<blockquote>If a new data stream or index matches more than one index template, the index template with the highest priority is used.</blockquote><br />
<br />
==== Use template to change the replicas settings of all indexes (Legacy index template) ====<br />
Multiple index templates can potentially match an index, in this case, both the settings and mappings are merged into the final configuration of the index. <br />
<br />
The order of the merging can be controlled using the <code>order</code> parameter, with lower order being applied first, '''and higher orders overriding them.''' <br />
<br />
legacy es template 中, 取值范围为 0 - 2^31-1 (0~2147483647)<br />
PUT /_template/${template_name}<br />
{<br />
"order": 2147483647,<br />
"index_patterns": [<br />
"*"<br />
],<br />
"settings": {<br />
"index": {<br />
"number_of_replicas": "0"<br />
}<br />
}<br />
}<br />
[[使用jq批量修改es index template的lifecycle配置]]<br />
<br />
=== ILM (index lifecycle policy) 索引生命周期 ===<br />
顾名思义,ilm另外也可用于做ES集群的冷热温架构。<br />
<br />
不同的阶段(phase)能做哪些事可以在这个 [https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-index-lifecycle.html Document] 查看<br />
<br />
比较难受的是,ilm目前没有类似 <code>_cat/templates</code> 的接口一次性只查看这个集群已配置的 ILM 策略名字,只能一次性获取全部策略具体定义 (不过可以利用浏览器的F12 json preview折叠来曲线救国)<br />
GET /_ilm/policy<br />
<br />
==== Get specific ilm policy detail 获取特定ILM策略定义 ====<br />
GET /_ilm/policy/${ilm_name}<br />
<br />
PUT /_ilm/policy/ilm-30d-delete<br />
{<br />
"policy": {<br />
"phases": {<br />
"delete": {<br />
"min_age": "30d",<br />
"actions": {<br />
"delete": {<br />
"delete_searchable_snapshot": true<br />
}<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
==== Get index's ilm status 获取索引当前 ILM 状态 ====<br />
GET /${index_name}/_ilm/explain<br />
<br />
GET /${index_name}/_ilm/explain?human<br />
<br />
==== Move index's ilm to step 修改索引的ILM阶段状态(人为触发ILM action执行) ====<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-move-to-step.html<br />
POST _ilm/move/my-index-000001<br />
{<br />
"current_step": { <br />
"phase": "new",<br />
"action": "complete",<br />
"name": "complete"<br />
},<br />
"next_step": { <br />
"phase": "warm",<br />
"action": "forcemerge", <br />
"name": "forcemerge" <br />
}<br />
}<br />
<br />
==== Manually create an index that is managed by template and ILM (including rollover operations by day) ====<br />
<br />
===== 手动创建原本应由template和ilm管控的索引,且索引名内包含日期(动态索引名) =====<br />
⚠️ 这种索引不能直接粗暴地 <code>PUT /index-name-2022.10.23-000022</code> 以创建索引,否则手动创建出来的索引,在rollover滚动 (例如rollover-max_age:1d)的时候,创建出来的新索引名字仍然是创建索引时定义的日期,而不是当天轮滚发生时的日期(如 <code>index-name-2022.10.23-000023</code>)<br />
<br />
这个现象可以通过判断 <code>GET /index-name/_settings</code> 中 <code>index.provided_name</code> 属性看出来<br />
<br />
解法:<br />
PUT %3Cindex-name-%7Bnow%2Fd%7D-000099%3E<br />
注意在kibana-Dev Tools中不要做URL Decode,他就是这样的需要编码一下(解码后就是: <code><index-name-{now/d}-000099></code>)<br />
<br />
ps: 如果怕创建错名字的话,可以使用 <code>GET %3Cindex-name-%7Bnow%2Fd%7D-000099%3E/_settings</code> 预览一下生成的索引名效果<br />
<br />
对于索引最后的这个序号,[https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-rollover-index.html#increment-index-names-for-alias 无论前一个索引的名称是什么,该编号始终为 6 个字符,且为零填充]。即使手动创建的索引结尾是<code>-00001</code>,在rollover发生以后,索引后缀序号依然会变成<code>-000002</code><br />
<br />
==== 故障处理: 有的时候对现有的索引修改了其引用的 ilm policy 为别的 policy,或者修改了其引用的 ilm policy中的 phase 定义。会导致索引ilm故障 ====<br />
有可能导致他的ilm处理会出问题(不记得怎么告警),没记错的话通过 <code>GET {index_name}/_ilm/explain</code> 能看到 error 信息,能看到卡在某个 phase 失败<br />
<br />
这时候需要人为修改 index 的 ilm phase 修复,如<br />
POST _ilm/move/insight-es-k8s-logs-dce5-aliyun-default-prd-2024.01.16<br />
{<br />
"current_step": { <br />
"phase": "hot",<br />
"action": "rollover",<br />
"name": "ERROR"<br />
},<br />
"next_step": { <br />
"phase": "cold"<br />
}<br />
}<br />
或者尝试通过 <code>POST {index_name}/_ilm/retry</code> 接口重试 <br />
<br />
===Cluster setting related ES集群参数设置===<br />
/_cluster/settings?include_defaults=true&pretty<br />
<br />
/_cluster/settings?include_defaults=true<br />
<br />
==== Wildcard expressions or all indices are not allowed ====<br />
<br />
===== 允许泛匹配删除索引 =====<br />
PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"action": {<br />
"destructive_requires_name": "false"<br />
}<br />
}<br />
}<br />
<br />
====primaries recovery settings ====<br />
=====控制索引恢复或者relocating的并发数=====<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 10,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_outgoing_recoveries": null,<br />
"node_concurrent_recoveries": 20<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": null,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": null<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 30,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": 10<br />
}<br />
}<br />
}<br />
}<br />
}<br />
cluster.routing.allocation.node_concurrent_recoveries: A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code>.<br />
# PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_concurrent_recoveries": 8<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
<br />
=== recovery.max_bytes_per_sec [https://www.elastic.co/guide/en/elasticsearch/reference/7.17/recovery.html 修改relocating时并发传输数据量] ===<br />
加大此数值可以有效缩短es relocating index的耗时<br />
<br />
indices.recovery.max_bytes_per_sec: Limits total inbound and outbound recovery traffic for each node. Applies to both peer recoveries as well as snapshot recoveries (i.e., restores from a snapshot). Defaults to <code>40mb</code> unless the node is a dedicated cold or frozen node, in which case the default relates to the total memory available to the node.<br /><br />
<br />
===Index settings===<br />
<br />
====modify the number of replicas in bulk====<br />
<br />
===== 批量/单个 设置索引副本数 =====<br />
PUT /index_name*/_settings<br />
{<br />
"index": {<br />
"number_of_replicas": 1<br />
}<br />
}<br />
<br />
=== Search Documents ===<br />
<br />
==== match_all 搜索 ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match_all": {}<br />
},<br />
"size": 1<br />
}<br />
<br />
==== 单字段排序匹配搜索(match) ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match": {<br />
"segment_id": "b7bb26fae59e4f45b101346cb83ff796.69.16946808855979526"<br />
}<br />
},<br />
"sort": [<br />
{<br />
"start_time": {<br />
"order": "desc"<br />
}<br />
}<br />
],<br />
"size": 1<br />
}<br />
<br />
==== 对某个字段的值进行聚合(查询该字段有多少种类型的值) ====<br />
GET /.monitoring-es-7-2024.12.13/_search<br />
{<br />
"size": 0,<br />
"aggs": {<br />
"unique_types": {<br />
"terms": {<br />
"field": "type",<br />
"size": 10<br />
}<br />
}<br />
}<br />
}<br />
<br />
=== Elastic Cloud on Kubernetes (ECK / Elastic operator) ===<br />
ECK operator下管理的Elasticsearch如果要修改<code>cluster.routing.allocation.exclude</code> 的参数配置,需要先为 elasticsearch 实例配置annotation: 'eck.k8s.elastic.co/managed=false',不然会配置一会就会被刷回原状<br />
<br />
<br />
===Other===<br />
<br />
====对于有大量索引的刚重启的es集群====<br />
(主分片在1w-2w)<br />
<br />
=====加快es集群恢复速度=====<br />
结合es节点资源监控图,观测节点cpu压力,以及cpu IO wait<br />
<br />
适当通过update cluster settings接口动态增加node_initial_primaries_recoveries (Defaults to <code>4</code>) <br />
<br />
和 node_concurrent_recoveries <br />
<br />
(A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code> <br />
<br />
Defaults to <code>2</code>)数值<br />
<br />
通过使用 cluster settings + include_defaults=true 筛选查到当前配置值<br />
<br />
<br />
减少集群从red状态到yellow状态的耗时:增加索引副本数量,增加node_initial_primaries_recoveries值<br />
<br />
<br />
减少集群从yellow状态到green状态的耗时:增加 node_concurrent_recoveries 值<br />
<br />
<br />
通过访问 <code>/_cluster/allocation/explain</code> 接口查到阻碍集群 to green(yellow)的原因<br />
<br />
=====在es集群恢复期间因节点内存压力大(node was low on resources: memory.)而被k8s Evicted=====<br />
调整缩小 jvm 配置值,尽量不超配(requests 和 limit尽量一致或提高requests值)<br />
<br />
=== Error ===<br />
<br />
==== 集群分片数达到maximum错误 ====<br />
集群分片数达到maximum错误会有如下log信息,但是集群的健康状态不会改变<br />
2022-11-10T10:26:03.643184618Z org.elasticsearch.common.ValidationException: Validation Failed: 1: this action would add [3] shards, but this cluster currently has [1999]/[2000] maximum normal shards open;<br />
解决:<br />
<br />
调整index ilm 策略或者调整集群的max_shards_per_node配置<br />
<br />
临时生效配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"transient": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
永久更改性配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"persistent": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
[[分类:Elasticsearch]]<br />
{{DEFAULTSORT:api随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch%E7%9A%84%E4%B8%80%E4%BA%9Bapi%E9%9A%8F%E8%AE%B0&diff=1652
Elasticsearch的一些api随记
2025-05-08T09:35:05Z
<p>Admin:</p>
<hr />
<div>===Health===<br />
/_cat/health<br />
<br />
/_cluster/health<br />
<br />
===Indices health===<br />
按条件查看索引状态<br />
/_cat/indices?help<br />
/_cat/indices?health=red&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=yellow&v&s=store.size:desc,index<br />
<br />
/_cat/indices?health=green&v&s=store.size:desc,index<br />
注意在配合 * 通配符搜索/操作索引的时候,如果涉及隐藏的datastream / 隐藏的index,默认不会匹配命中,必须指定 <code>expand_wildcards=all</code> 参数<br />
<br />
-> https://www.elastic.co/guide/en/elasticsearch/reference/7.16/multi-index.html#hidden<br />
<br />
===Nodes===<br />
/_cat/nodes?v<br />
查看es各节点磁盘空间占用、分片数目等<br />
/_cat/allocation?v<br />
<br />
/_cat/nodeattrs<br />
<br />
===Get master node===<br />
/_cat/master?v<br />
<br />
===Cluster allocation explain related===<br />
可以用于定位分片状态以及分片为何故障<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
/_cluster/allocation/explain<br />
<br />
===Shards===<br />
粗略查看分片情况,特别是查看分片分布节点或大小/状态<br />
GET /_cat/shards<br />
<br />
GET /_cat/shards?index=index_name<br />
<br />
GET /_cat/shards?index=index_na*<br />
查看分片分配失败原因<br />
/_cat/shards/index_name-*?v&s=state,index&h=index,shard,prirep,state,docs,store,ip,node,unassigned.reason<br />
<br />
==== Recovery API ====<br />
Returns information about ongoing and completed shard recoveries, similar to the index recovery API.<br />
<br />
For data streams, the API returns information about the stream’s backing indices<br />
<br />
可以查看当前正在 relocating 的分片,也能查到各分片处理进度百分比<br />
GET /_cat/recovery?active_only=true&s=index&v<br />
<br />
=== Adds a data stream or index to an alias, and sets the write index or data stream for the alias ===<br />
为别名设置可写索引或数据流<br />
<br />
If the alias doesn’t exist, the <code>add</code> action creates it.<br />
POST /_aliases <br />
{<br />
"actions": [<br />
{<br />
"add": {<br />
"index": "es-k8s-logs-000020", <br />
"alias": "es-k8s-logs-alias", <br />
"is_write_index": true <br />
}<br />
}<br />
]<br />
}<br />
<br />
===Thread pool related===<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/cat-thread-pool.html<br />
/_cluster/settings?pretty&include_defaults=true | grep processors<br />
<br />
====Get maximum number of threads info====<br />
curl "127.1:9200/_cat/thread_pool?v&h=ip,node_name,id,name,max,size,queue_size,queue,active,rejected&pretty"<br />
<br />
=== Templates 模板 ===<br />
/_cat/templates?v<br />
⚠️ /_template/${template_name} is legacy index templates, which are deprecated and will be replaced by the composable templates introduced in Elasticsearch 7.8.<br />
<br />
新版本中使用 <code>/_index_template</code> 取代<br />
GET/PUT /_template/${template_name}<br />
<br />
==== Use template to change the replicas settings of all indexes (Legacy index template) ====<br />
Multiple index templates can potentially match an index, in this case, both the settings and mappings are merged into the final configuration of the index. <br />
<br />
The order of the merging can be controlled using the <code>order</code> parameter, with lower order being applied first, '''and higher orders overriding them.''' <br />
<br />
legacy es template 中, 取值范围为 0 - 2^31-1 (0~2147483647)<br />
PUT /_template/${template_name}<br />
{<br />
"order": 2147483647,<br />
"index_patterns": [<br />
"*"<br />
],<br />
"settings": {<br />
"index": {<br />
"number_of_replicas": "0"<br />
}<br />
}<br />
}<br />
[[使用jq批量修改es index template的lifecycle配置]]<br />
<br />
=== ILM (index lifecycle policy) 索引生命周期 ===<br />
顾名思义,ilm另外也可用于做ES集群的冷热温架构。<br />
<br />
不同的阶段(phase)能做哪些事可以在这个 [https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-index-lifecycle.html Document] 查看<br />
<br />
比较难受的是,ilm目前没有类似 <code>_cat/templates</code> 的接口一次性只查看这个集群已配置的 ILM 策略名字,只能一次性获取全部策略具体定义 (不过可以利用浏览器的F12 json preview折叠来曲线救国)<br />
GET /_ilm/policy<br />
<br />
==== Get specific ilm policy detail 获取特定ILM策略定义 ====<br />
GET /_ilm/policy/${ilm_name}<br />
<br />
PUT /_ilm/policy/ilm-30d-delete<br />
{<br />
"policy": {<br />
"phases": {<br />
"delete": {<br />
"min_age": "30d",<br />
"actions": {<br />
"delete": {<br />
"delete_searchable_snapshot": true<br />
}<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
==== Get index's ilm status 获取索引当前 ILM 状态 ====<br />
GET /${index_name}/_ilm/explain<br />
<br />
GET /${index_name}/_ilm/explain?human<br />
<br />
==== Move index's ilm to step 修改索引的ILM阶段状态(人为触发ILM action执行) ====<br />
https://www.elastic.co/guide/en/elasticsearch/reference/current/ilm-move-to-step.html<br />
POST _ilm/move/my-index-000001<br />
{<br />
"current_step": { <br />
"phase": "new",<br />
"action": "complete",<br />
"name": "complete"<br />
},<br />
"next_step": { <br />
"phase": "warm",<br />
"action": "forcemerge", <br />
"name": "forcemerge" <br />
}<br />
}<br />
<br />
==== Manually create an index that is managed by template and ILM (including rollover operations by day) ====<br />
<br />
===== 手动创建原本应由template和ilm管控的索引,且索引名内包含日期(动态索引名) =====<br />
⚠️ 这种索引不能直接粗暴地 <code>PUT /index-name-2022.10.23-000022</code> 以创建索引,否则手动创建出来的索引,在rollover滚动 (例如rollover-max_age:1d)的时候,创建出来的新索引名字仍然是创建索引时定义的日期,而不是当天轮滚发生时的日期(如 <code>index-name-2022.10.23-000023</code>)<br />
<br />
这个现象可以通过判断 <code>GET /index-name/_settings</code> 中 <code>index.provided_name</code> 属性看出来<br />
<br />
解法:<br />
PUT %3Cindex-name-%7Bnow%2Fd%7D-000099%3E<br />
注意在kibana-Dev Tools中不要做URL Decode,他就是这样的需要编码一下(解码后就是: <code><index-name-{now/d}-000099></code>)<br />
<br />
ps: 如果怕创建错名字的话,可以使用 <code>GET %3Cindex-name-%7Bnow%2Fd%7D-000099%3E/_settings</code> 预览一下生成的索引名效果<br />
<br />
对于索引最后的这个序号,[https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-rollover-index.html#increment-index-names-for-alias 无论前一个索引的名称是什么,该编号始终为 6 个字符,且为零填充]。即使手动创建的索引结尾是<code>-00001</code>,在rollover发生以后,索引后缀序号依然会变成<code>-000002</code><br />
<br />
==== 故障处理: 有的时候对现有的索引修改了其引用的 ilm policy 为别的 policy,或者修改了其引用的 ilm policy中的 phase 定义。会导致索引ilm故障 ====<br />
有可能导致他的ilm处理会出问题(不记得怎么告警),没记错的话通过 <code>GET {index_name}/_ilm/explain</code> 能看到 error 信息,能看到卡在某个 phase 失败<br />
<br />
这时候需要人为修改 index 的 ilm phase 修复,如<br />
POST _ilm/move/insight-es-k8s-logs-dce5-aliyun-default-prd-2024.01.16<br />
{<br />
"current_step": { <br />
"phase": "hot",<br />
"action": "rollover",<br />
"name": "ERROR"<br />
},<br />
"next_step": { <br />
"phase": "cold"<br />
}<br />
}<br />
或者尝试通过 <code>POST {index_name}/_ilm/retry</code> 接口重试 <br />
<br />
===Cluster setting related ES集群参数设置===<br />
/_cluster/settings?include_defaults=true&pretty<br />
<br />
/_cluster/settings?include_defaults=true<br />
<br />
==== Wildcard expressions or all indices are not allowed ====<br />
<br />
===== 允许泛匹配删除索引 =====<br />
PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"action": {<br />
"destructive_requires_name": "false"<br />
}<br />
}<br />
}<br />
<br />
====primaries recovery settings ====<br />
=====控制索引恢复或者relocating的并发数=====<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 10,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_outgoing_recoveries": null,<br />
"node_concurrent_recoveries": 20<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"transient": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": null,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": null<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_initial_primaries_recoveries": 30,<br />
"node_concurrent_incoming_recoveries": null,<br />
"node_concurrent_recoveries": 10<br />
}<br />
}<br />
}<br />
}<br />
}<br />
cluster.routing.allocation.node_concurrent_recoveries: A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code>.<br />
# PUT /_cluster/settings<br />
{<br />
"persistent": {<br />
"cluster": {<br />
"routing": {<br />
"allocation": {<br />
"node_concurrent_recoveries": 8<br />
}<br />
}<br />
}<br />
}<br />
}<br />
<br />
<br />
=== recovery.max_bytes_per_sec [https://www.elastic.co/guide/en/elasticsearch/reference/7.17/recovery.html 修改relocating时并发传输数据量] ===<br />
加大此数值可以有效缩短es relocating index的耗时<br />
<br />
indices.recovery.max_bytes_per_sec: Limits total inbound and outbound recovery traffic for each node. Applies to both peer recoveries as well as snapshot recoveries (i.e., restores from a snapshot). Defaults to <code>40mb</code> unless the node is a dedicated cold or frozen node, in which case the default relates to the total memory available to the node.<br /><br />
<br />
===Index settings===<br />
<br />
====modify the number of replicas in bulk====<br />
<br />
===== 批量/单个 设置索引副本数 =====<br />
PUT /index_name*/_settings<br />
{<br />
"index": {<br />
"number_of_replicas": 1<br />
}<br />
}<br />
<br />
=== Search Documents ===<br />
<br />
==== match_all 搜索 ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match_all": {}<br />
},<br />
"size": 1<br />
}<br />
<br />
==== 单字段排序匹配搜索(match) ====<br />
GET /sw_segment-20230914/_search<br />
{<br />
"query": {<br />
"match": {<br />
"segment_id": "b7bb26fae59e4f45b101346cb83ff796.69.16946808855979526"<br />
}<br />
},<br />
"sort": [<br />
{<br />
"start_time": {<br />
"order": "desc"<br />
}<br />
}<br />
],<br />
"size": 1<br />
}<br />
<br />
==== 对某个字段的值进行聚合(查询该字段有多少种类型的值) ====<br />
GET /.monitoring-es-7-2024.12.13/_search<br />
{<br />
"size": 0,<br />
"aggs": {<br />
"unique_types": {<br />
"terms": {<br />
"field": "type",<br />
"size": 10<br />
}<br />
}<br />
}<br />
}<br />
<br />
=== Elastic Cloud on Kubernetes (ECK / Elastic operator) ===<br />
ECK operator下管理的Elasticsearch如果要修改<code>cluster.routing.allocation.exclude</code> 的参数配置,需要先为 elasticsearch 实例配置annotation: 'eck.k8s.elastic.co/managed=false',不然会配置一会就会被刷回原状<br />
<br />
<br />
===Other===<br />
<br />
====对于有大量索引的刚重启的es集群====<br />
(主分片在1w-2w)<br />
<br />
=====加快es集群恢复速度=====<br />
结合es节点资源监控图,观测节点cpu压力,以及cpu IO wait<br />
<br />
适当通过update cluster settings接口动态增加node_initial_primaries_recoveries (Defaults to <code>4</code>) <br />
<br />
和 node_concurrent_recoveries <br />
<br />
(A shortcut to set both <code>cluster.routing.allocation.node_concurrent_incoming_recoveries</code> and <code>cluster.routing.allocation.node_concurrent_outgoing_recoveries</code> <br />
<br />
Defaults to <code>2</code>)数值<br />
<br />
通过使用 cluster settings + include_defaults=true 筛选查到当前配置值<br />
<br />
<br />
减少集群从red状态到yellow状态的耗时:增加索引副本数量,增加node_initial_primaries_recoveries值<br />
<br />
<br />
减少集群从yellow状态到green状态的耗时:增加 node_concurrent_recoveries 值<br />
<br />
<br />
通过访问 <code>/_cluster/allocation/explain</code> 接口查到阻碍集群 to green(yellow)的原因<br />
<br />
=====在es集群恢复期间因节点内存压力大(node was low on resources: memory.)而被k8s Evicted=====<br />
调整缩小 jvm 配置值,尽量不超配(requests 和 limit尽量一致或提高requests值)<br />
<br />
=== Error ===<br />
<br />
==== 集群分片数达到maximum错误 ====<br />
集群分片数达到maximum错误会有如下log信息,但是集群的健康状态不会改变<br />
2022-11-10T10:26:03.643184618Z org.elasticsearch.common.ValidationException: Validation Failed: 1: this action would add [3] shards, but this cluster currently has [1999]/[2000] maximum normal shards open;<br />
解决:<br />
<br />
调整index ilm 策略或者调整集群的max_shards_per_node配置<br />
<br />
临时生效配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"transient": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
永久更改性配置:<br />
<nowiki>curl -H "content-type: application/json" -X PUT "127.0.0.1:9200/_cluster/settings" -d '{"persistent": {"cluster.max_shards_per_node": "5000"}}'</nowiki><br />
[[分类:Elasticsearch]]<br />
{{DEFAULTSORT:api随记}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E5%9C%A8%E4%BD%BF%E7%94%A8kubectl_apply%E6%93%8D%E4%BD%9Cworkload%E4%BA%A7%E7%94%9F%E7%9A%84%E9%9D%9E%E9%A2%84%E6%9C%9F%E8%A1%8C%E4%B8%BA&diff=1651
在使用kubectl apply操作workload产生的非预期行为
2025-05-07T10:44:20Z
<p>Admin:</p>
<hr />
<div>=== 简述 ===<br />
<br />
* kubectl apply 对于之前本身就是 apply 或者 create --save-config 产生的resources,可能存在非预期行为( kubectl.kubernetes.io/last-applied-configuration ),例如修改原有的workload probe settings(bug at 1.18.x), 或者修改hostAlias(修改原有的 hostalias 的 ip)<br />
<br />
=== hostalias复现: ===<br />
先通过<code>kubectl create -f</code> 创建一个普通的deployment(不要用 <code>kubectl apply -f</code> 来创建,不然就绕过这个bug了~)<br />
apiVersion: apps/v1<br />
kind: Deployment<br />
metadata:<br />
labels:<br />
sit.k8s.io/app: yaml-test<br />
name: yaml-test<br />
spec:<br />
replicas:0<br />
selector:<br />
matchLabels:<br />
sit.k8s.io/app: yaml-test<br />
strategy:<br />
rollingUpdate:<br />
maxSurge: 25%<br />
maxUnavailable: 25%<br />
type: RollingUpdate<br />
template:<br />
metadata:<br />
labels:<br />
sit.k8s.io/app: yaml-test<br />
name: yaml-test<br />
spec:<br />
hostAliases:<br />
- hostnames:<br />
- testaaaa.com<br />
- testbbb.com<br />
ip: 1.1.1.7<br />
containers:<br />
- image: 192.168.150.181/test/nginx-2048:latest<br />
imagePullPolicy: IfNotPresent<br />
name: yaml-test<br />
readinessProbe:<br />
httpGet:<br />
path: /<br />
port: 80<br />
scheme: HTTP<br />
initialDelaySeconds: 10<br />
timeoutSeconds: 1<br />
periodSeconds: 10<br />
successThreshold: 1<br />
failureThreshold: 3<br />
resources:<br />
limits:<br />
cpu: "1"<br />
memory: "64Mi"<br />
requests:<br />
cpu: 64m<br />
memory: "64Mi"<br />
dnsPolicy: ClusterFirst<br />
restartPolicy: Always<br />
<br />
然后修改一下hostAliases的值(例如下面这样),执行<code>kubectl apply -f xxx.yaml --dry-run=server -oyaml</code><br />
apiVersion: apps/v1<br />
kind: Deployment<br />
metadata:<br />
labels:<br />
sit.k8s.io/app: yaml-test<br />
name: yaml-test<br />
spec:<br />
replicas: 0<br />
selector:<br />
matchLabels:<br />
sit.k8s.io/app: yaml-test<br />
strategy:<br />
rollingUpdate:<br />
maxSurge: 25%<br />
maxUnavailable: 25%<br />
type: RollingUpdate<br />
template:<br />
metadata:<br />
labels:<br />
sit.k8s.io/app: yaml-test<br />
name: yaml-test<br />
spec:<br />
hostAliases:<br />
- hostnames:<br />
- testaaaa.com<br />
- testbbb.com<br />
ip: 1.1.1.8<br />
containers:<br />
- image: 192.168.150.181/test/nginx-2048:latest<br />
imagePullPolicy: IfNotPresent<br />
name: yaml-test<br />
readinessProbe:<br />
httpGet:<br />
path: /<br />
port: 80<br />
scheme: HTTP<br />
initialDelaySeconds: 10<br />
timeoutSeconds: 1<br />
periodSeconds: 10<br />
successThreshold: 1<br />
failureThreshold: 3<br />
resources:<br />
limits:<br />
cpu: "1"<br />
memory: "64Mi"<br />
requests:<br />
cpu: 64m<br />
memory: "64Mi"<br />
dnsPolicy: ClusterFirst<br />
restartPolicy: Always<br />
<br />
<br />
<br />
会发现apply以后的结果hostAliases字段非预期(1.1.1.8直接被追加了进去,而不是替换)<br />
<br />
[[文件:Kubectl apply merge.png|无框|400x400像素]]<br />
<br />
或者一开始使用apply创建资源,然后删除kubectl.kubernetes.io/last-applied-configuration: ,再修改ip,再apply<br />
<br />
如果一开始是用<code>kubectl apply -f xxxx</code>创建资源,然后用<code>apply -f</code>更新资源,则不会复现<br />
<br />
==== 这个也是跟k8s apply的实现方式有关系 ====<br />
主要跟 kubectl.kubernetes.io/last-applied-configuration 这个annotation有关系<br />
<br />
[https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#how-apply-calculates-differences-and-merges-changes How apply calculates differences and merges changes]<br />
<br />
[[文件:Kubectl apply patch strategy.png|无框|900x900像素]] <br />
<br />
<br />
Related article: [[K8s的一些小坑或者bug简要记录]]<br />
<br />
[[分类:K8s]]<br />
{{DEFAULTSORT:apply}}</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E6%96%87%E4%BB%B6:Kubectl_apply_patch_strategy.png&diff=1650
文件:Kubectl apply patch strategy.png
2025-05-07T10:42:11Z
<p>Admin:</p>
<hr />
<div>kubectl_apply_patch_strategy</div>
Admin
https://wiki.sanxian.tech/index.php?title=%E6%96%87%E4%BB%B6:Kubectl_apply_merge.png&diff=1649
文件:Kubectl apply merge.png
2025-05-07T10:39:49Z
<p>Admin:</p>
<hr />
<div>kubectl_apply_merge</div>
Admin
https://wiki.sanxian.tech/index.php?title=Keycloak%E8%AE%BE%E7%BD%AEhttp%E4%BB%A3%E7%90%86proxy&diff=1648
Keycloak设置http代理proxy
2025-04-29T09:56:49Z
<p>Admin:</p>
<hr />
<div>=== keycloak 开启log debug: ===<br />
环境变量 KC_LOG_LEVEL debug<br />
<br />
如果不生效,还可以考虑 ROOT_LOGLEVEL debug<br />
<br />
=== 为keycloak发起的访问请求设置http代理(Proxy settings for keycloak outgoing requests) ===<br />
<br />
==== Official document ====<br />
https://www.keycloak.org/docs/latest/server_installation/#_proxymappings<br />
<br /><br />
<br />
==== Related configuration file path ====<br />
<blockquote>There are some things you’ll need to configure in <code>standalone.xml</code>, <code>standalone-ha.xml</code>, or <code>domain.xml</code>. The location of this file depends on your operating mode.</blockquote>/opt/jboss/keycloak/standalone/configuration/****<br />
<br />
eg: /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml<br />
<br /><br />
<spi name="connectionsHttpClient"><br />
<provider name="default" enabled="true"><br />
<properties><br />
<property name="proxy-mappings" value="[&amp;quot;.*\\.(microsoft|microsoftonline)\\.com;<nowiki>http://your-proxy-address.net:8080</nowiki>&amp;quot;]"/><br />
</properties><br />
</provider><br />
</spi><br />
<br />
====ps====<br />
需要注意的是 &amp;quot; 是 " 的实体字符<br />
Note that one needs to encode <code>"</code> characters with <code>&amp;quot;</code>.<br />
[[分类:Softwares]]<br />
<br />
[[分类:Other]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch7%E7%B3%BB%E5%88%97%E4%B8%8B%E5%90%8C%E7%B4%A2%E5%BC%95%E4%B8%BB%E5%88%86%E7%89%87%E5%88%86%E5%B8%83%E4%B8%8D%E5%9D%87%E8%A1%A1%E6%80%9D%E8%80%83&diff=1647
Elasticsearch7系列下同索引主分片分布不均衡思考
2025-04-28T16:23:05Z
<p>Admin:</p>
<hr />
<div>es版本: 7.17.5<br />
<br />
现象:<br />
> GET /_cat/shards/sw_segment-20250429?v&s=shard,prirep > es-shard-status-sw_segment-20250428<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-0|wc -l<br />
26<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-1|wc -l<br />
27<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-2|wc -l<br />
72<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-3|wc -l<br />
29<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-4|wc -l<br />
26<br />
可以看到 sw_segment-20250428 这个索引在不同节点上,主分片分布非常不均衡,如果这个索引写入量/数据量很大的话,很容易导致 IO 相对其他实例有很大的差异<br />
<br />
但是经过查询后发现,在整个集群所有分片中,主分片在所有es 实例中分布较为均衡<br />
<br />
<br />
而es7系列原生自带的 balance 行为不支持针对同 index 的 primary shard 进行干预 (8.12 有 <code>cluster.routing.allocation.balance.write_load</code> 的权重配置)<br />
<br />
这时候可以利用index <code>total_shards_per_node</code>选项来进行较为'''十分不灵活不优雅<u>不可靠</u>'''的干预,先将索引副本数设置为0,然后在索引初始化前设置该配置,以强制约束每一个es实例分布一样数量的分片数量。等到全部主分片都调度初始化好了,再根据需要把副本数调整回来,把 <code>total_shards_per_node</code> 也根据<code>(该索引的分片数 * 副本数)</code>进行合适的调整。<br />
<br />
也可以为了长期打算,将<code>total_shards_per_node</code>数量配置为 <code>(该索引的分片数 * 副本数) / (集群中可调度该索引分片的es实例数 - 1)</code><br />
<br />
当然,也可以像社区issue中提到那样,用现成的工具 / 开发工具,利用<code>reroute</code>等api接口进行实时干预,并将相关shard进行统计监控<br />
<br />
<br />
<br />
相关社区issue: https://github.com/elastic/elasticsearch/issues/41543<br />
[[分类:Elasticsearch]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch7%E7%B3%BB%E5%88%97%E4%B8%8B%E5%90%8C%E7%B4%A2%E5%BC%95%E4%B8%BB%E5%88%86%E7%89%87%E5%88%86%E5%B8%83%E4%B8%8D%E5%9D%87%E8%A1%A1%E6%80%9D%E8%80%83&diff=1646
Elasticsearch7系列下同索引主分片分布不均衡思考
2025-04-28T16:22:49Z
<p>Admin:</p>
<hr />
<div>es版本: 7.17.5<br />
<br />
现象:<br />
> GET /_cat/shards/sw_segment-20250429?v&s=shard,prirep > es-shard-status-sw_segment-20250428<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | greep es-data-ssd-0|wc -l<br />
26<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-1|wc -l<br />
27<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-2|wc -l<br />
72<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-3|wc -l<br />
29<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-4|wc -l<br />
26<br />
可以看到 sw_segment-20250428 这个索引在不同节点上,主分片分布非常不均衡,如果这个索引写入量/数据量很大的话,很容易导致 IO 相对其他实例有很大的差异<br />
<br />
但是经过查询后发现,在整个集群所有分片中,主分片在所有es 实例中分布较为均衡<br />
<br />
<br />
而es7系列原生自带的 balance 行为不支持针对同 index 的 primary shard 进行干预 (8.12 有 <code>cluster.routing.allocation.balance.write_load</code> 的权重配置)<br />
<br />
这时候可以利用index <code>total_shards_per_node</code>选项来进行较为'''十分不灵活不优雅<u>不可靠</u>'''的干预,先将索引副本数设置为0,然后在索引初始化前设置该配置,以强制约束每一个es实例分布一样数量的分片数量。等到全部主分片都调度初始化好了,再根据需要把副本数调整回来,把 <code>total_shards_per_node</code> 也根据<code>(该索引的分片数 * 副本数)</code>进行合适的调整。<br />
<br />
也可以为了长期打算,将<code>total_shards_per_node</code>数量配置为 <code>(该索引的分片数 * 副本数) / (集群中可调度该索引分片的es实例数 - 1)</code><br />
<br />
当然,也可以像社区issue中提到那样,用现成的工具 / 开发工具,利用<code>reroute</code>等api接口进行实时干预,并将相关shard进行统计监控<br />
<br />
<br />
<br />
相关社区issue: https://github.com/elastic/elasticsearch/issues/41543<br />
[[分类:Elasticsearch]]</div>
Admin
https://wiki.sanxian.tech/index.php?title=Elasticsearch7%E7%B3%BB%E5%88%97%E4%B8%8B%E5%90%8C%E7%B4%A2%E5%BC%95%E4%B8%BB%E5%88%86%E7%89%87%E5%88%86%E5%B8%83%E4%B8%8D%E5%9D%87%E8%A1%A1%E6%80%9D%E8%80%83&diff=1645
Elasticsearch7系列下同索引主分片分布不均衡思考
2025-04-28T16:22:37Z
<p>Admin:</p>
<hr />
<div>es版本: 7.17.5<br />
<br />
现象:<br />
> GET /_cat/shards/sw_segment-20250429?v&s=shard,prirep > es-shard-status-sw_segment-20250428<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | greep es-data-ssd-0|wc -l<br />
26<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-1|wc -l<br />
27<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " | grep es-data-ssd-2|wc -l<br />
72<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " |grep es-data-ssd-3|wc -l<br />
29<br />
<br />
> cat es-shard-status-sw_segment-20250428 | grep " p " |grep es-data-ssd-4|wc -l<br />
26<br />
可以看到 sw_segment-20250428 这个索引在不同节点上,主分片分布非常不均衡,如果这个索引写入量/数据量很大的话,很容易导致 IO 相对其他实例有很大的差异<br />
<br />
但是经过查询后发现,在整个集群所有分片中,主分片在所有es 实例中分布较为均衡<br />
<br />
<br />
而es7系列原生自带的 balance 行为不支持针对同 index 的 primary shard 进行干预 (8.12 有 <code>cluster.routing.allocation.balance.write_load</code> 的权重配置)<br />
<br />
这时候可以利用index <code>total_shards_per_node</code>选项来进行较为'''十分不灵活不优雅<u>不可靠</u>'''的干预,先将索引副本数设置为0,然后在索引初始化前设置该配置,以强制约束每一个es实例分布一样数量的分片数量。等到全部主分片都调度初始化好了,再根据需要把副本数调整回来,把 <code>total_shards_per_node</code> 也根据<code>(该索引的分片数 * 副本数)</code>进行合适的调整。<br />
<br />
也可以为了长期打算,将<code>total_shards_per_node</code>数量配置为 <code>(该索引的分片数 * 副本数) / (集群中可调度该索引分片的es实例数 - 1)</code><br />
<br />
当然,也可以像社区issue中提到那样,用现成的工具 / 开发工具,利用<code>reroute</code>等api接口进行实时干预,并将相关shard进行统计监控<br />
<br />
<br />
<br />
相关社区issue: https://github.com/elastic/elasticsearch/issues/41543<br />
[[分类:Elasticsearch]]</div>
Admin