etcd is a distributed key-value store that provides reliable storage for the most critical data in distributed systems. Kubernetes uses etcd as its backing store for all cluster state. Every pod, service, config map, and secret lives in etcd. Beyond Kubernetes, etcd handles service discovery, distributed locking, leader election, and configuration management in production systems at companies like Google, Amazon, and Cloudflare.
This guide covers installing etcd 3.5 on Rocky Linux 10 and AlmaLinux 10, setting it up as a systemd service, and performing basic operations with etcdctl. The same steps work on RHEL 10.
Prerequisites
- Rocky Linux 10 or AlmaLinux 10 with root or sudo access
- Ports 2379 (client) and 2380 (peer) open if running a multi-node cluster
Install etcd from GitHub Releases
etcd is not available in the Rocky Linux 10 default repositories. Download the latest stable release binary from GitHub. At the time of writing, etcd 3.5.21 is the latest stable version:
ETCD_VER=v3.5.21
curl -sLO https://github.com/etcd-io/etcd/releases/download/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz
Extract the archive and copy the binaries to /usr/local/bin:
tar xzf etcd-${ETCD_VER}-linux-amd64.tar.gz
sudo cp etcd-${ETCD_VER}-linux-amd64/etcd* /usr/local/bin/
rm -rf etcd-${ETCD_VER}-linux-amd64*
Verify the installation:
etcd --version
Output confirming etcd 3.5.21:
etcd Version: 3.5.21
Git SHA: a17edfd
Go Version: go1.23.7
Go OS/Arch: linux/amd64
Also verify the client tool:
etcdctl version
Configure etcd as a systemd Service
Create a dedicated system user and data directory for etcd:
sudo useradd -r -s /sbin/nologin etcd
sudo mkdir -p /var/lib/etcd
sudo chown etcd:etcd /var/lib/etcd
Create the systemd unit file:
sudo vi /etc/systemd/system/etcd.service
Add the following service definition:
[Unit]
Description=etcd key-value store
After=network.target
[Service]
User=etcd
Type=notify
ExecStart=/usr/local/bin/etcd \
--data-dir=/var/lib/etcd \
--name=node1 \
--listen-client-urls=http://0.0.0.0:2379 \
--advertise-client-urls=http://localhost:2379
Restart=always
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
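For a single-node setup, --listen-client-urls=http://0.0.0.0:2379 makes etcd accessible from other hosts. This unit serves plain HTTP, and etcd does not enable authentication by default, so any host that can reach port 2379 can read and write every key. Change to http://127.0.0.1:2379 if you only need local access.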
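An added example, not part of the original guide: a check to run against the unit file before starting the service, flagging client URLs that use plain http:// and listen URLs bound beyond loopback. The function name audit_etcd_unit and the finding labels PLAINTEXT and NON_LOOPBACK are assumptions of this example, and the sample input is constructed from the unit file above.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the client URLs in an
# etcd systemd unit. Prints one finding per line; exit status 1 if any.
# The finding labels PLAINTEXT and NON_LOOPBACK are names chosen here.
audit_etcd_unit() (
    set -f                      # URLs such as https://[::1]:2379 must not glob
    unit=$1; rc=0
    for flag in listen-client-urls advertise-client-urls; do
        # Extract the value of --<flag>=<urls> (or "--<flag> <urls>").
        urls=$(grep -oE -- "--${flag}[= ][^[:space:]]+" "$unit" |
               head -n1 | sed -E 's/^--[a-z-]+[= ]//')
        [ -n "$urls" ] || continue
        for url in $(printf '%s' "$urls" | tr ',' ' '); do
            scheme=${url%%://*}
            host=${url#*://}; host=${host%%/*}
            case $host in
                \[*\]*) host=${host#\[}; host=${host%%\]*} ;;  # [v6]:port
                *)      host=${host%%:*} ;;                    # host:port
            esac
            # http:// means no TLS: keys and values cross the wire in clear.
            if [ "$scheme" != https ]; then
                echo "PLAINTEXT $flag $url"; rc=1
            fi
            # Only the listen URL decides which interfaces accept clients.
            if [ "$flag" = listen-client-urls ]; then
                case $host in
                    127.*|localhost|::1) ;;
                    *) echo "NON_LOOPBACK $flag $url"; rc=1 ;;
                esac
            fi
        done
    done
    [ "$rc" -eq 0 ]
)

# Constructed sample: the client URL flags from the unit file in this guide.
sample=$(mktemp)
printf '%s\n' 'ExecStart=/usr/local/bin/etcd \' \
    '--listen-client-urls=http://0.0.0.0:2379 \' \
    '--advertise-client-urls=http://localhost:2379' > "$sample"
audit_etcd_unit "$sample" || echo "review the findings before starting etcd"
rm -f "$sample"
```

To audit the real unit, call audit_etcd_unit /etc/systemd/system/etcd.service.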
Start and enable the service:
sudo systemctl daemon-reload
sudo systemctl enable --now etcd
Verify etcd is running:
sudo systemctl status etcd
Check the listening ports:
ss -tlnp | grep -E '2379|2380'
You should see etcd listening on port 2379 (client) and 2380 (peer).
Basic etcdctl Operations
etcdctl is the command-line client for interacting with etcd. Here are the essential operations.
Store and retrieve a key
etcdctl put mykey "Hello from etcd"
etcdctl get mykey
The output shows the key and its value:
mykey
Hello from etcd
List all keys with a prefix
etcdctl get "" --prefix --keys-only
Delete a key
etcdctl del mykey
Watch for changes
In one terminal, start watching a key:
etcdctl watch mykey
In another terminal, update the key. The watcher instantly shows the change. This is the foundation of how Kubernetes watches for resource changes.
Check cluster health
etcdctl endpoint health
A healthy single-node cluster returns:
127.0.0.1:2379 is healthy: successfully committed proposal: took = 1.022229ms
List cluster members
etcdctl member list
Backup and Restore
etcd data is critical. Losing it means losing your cluster state. Create regular snapshots:
etcdctl snapshot save /tmp/etcd-backup.db
Verify the snapshot is valid:
etcdctl snapshot status /tmp/etcd-backup.db --write-out=table
To restore from a snapshot, stop etcd first, then restore to a new data directory:
sudo systemctl stop etcd
sudo /usr/local/bin/etcdctl snapshot restore /tmp/etcd-backup.db --data-dir=/var/lib/etcd-restored
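Update --data-dir in /etc/systemd/system/etcd.service to point to the restored directory, then fix ownership, reload systemd so it picks up the edited unit, and start etcd:
sudo chown -R etcd:etcd /var/lib/etcd-restored
sudo systemctl daemon-reload
sudo systemctl start etcd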
Schedule automated backups with cron for production systems:
0 */6 * * * /usr/local/bin/etcdctl snapshot save /backups/etcd-$(date +\%Y\%m\%d-\%H\%M).db
Firewall Configuration
For multi-node clusters or remote client access, open the etcd ports:
sudo firewall-cmd --permanent --add-port=2379/tcp
sudo firewall-cmd --permanent --add-port=2380/tcp
sudo firewall-cmd --reload
etcd Ports Reference
| Port | Protocol | Purpose |
|---|---|---|
| 2379 | TCP | Client communication (etcdctl, API clients, Kubernetes) |
| 2380 | TCP | Peer communication (cluster member-to-member sync) |
Conclusion
etcd is running on your Rocky Linux 10 / AlmaLinux 10 server as a single-node instance. For production etcd clusters, deploy three or five nodes for fault tolerance – etcd uses the Raft consensus protocol and needs a majority of nodes alive to accept writes. Refer to the official etcd documentation for multi-node cluster setup, TLS authentication, and performance tuning.