You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

41 lines
2.0 KiB

  1. # Recovering the control plane
  2. To recover from broken nodes in the control plane use the "recover\-control\-plane.yml" playbook.
  3. Examples of what broken means in this context:
  4. * One or more bare metal node(s) suffer from unrecoverable hardware failure
  5. * One or more node(s) fail during patching or upgrading
  6. * Etcd database corruption
  7. * Other node related failures leaving your control plane degraded or nonfunctional
  8. __Note that you need at least one functional node to be able to recover using this method.__
  9. ## Runbook
  10. * Backup what you can
  11. * Provision new nodes to replace the broken ones
  12. * Copy any broken etcd nodes into the "broken\_etcd" group, make sure the "etcd\_member\_name" variable is set.
  13. * Copy any broken control plane nodes into the "broken\_kube\_control\_plane" group.
  14. * Place the surviving nodes of the control plane first in the "etcd" and "kube\_control\_plane" groups
  15. * Add the new nodes below the surviving control plane nodes in the "etcd" and "kube\_control\_plane" groups
  16. Then run the playbook with ```--limit etcd,kube_control_plane``` and increase the number of ETCD retries by setting ```-e etcd_retries=10``` or something even larger. The amount of retries required is difficult to predict.
  17. When finished you should have a fully working control plane again.
  18. ## Recover from lost quorum
  19. The playbook attempts to figure out it the etcd quorum is intact. If quorum is lost it will attempt to take a snapshot from the first node in the "etcd" group and restore from that. If you would like to restore from an alternate snapshot set the path to that snapshot in the "etcd\_snapshot" variable.
  20. ```-e etcd_snapshot=/tmp/etcd_snapshot```
  21. ## Caveats
  22. * The playbook has only been tested with fairly small etcd databases.
  23. * There may be disruptions while running the playbook.
  24. * There are absolutely no guarantees.
  25. If possible try to break a cluster in the same way that your target cluster is broken and test to recover that before trying on the real target cluster.