Kubernetes in Practice, Part 1: Installing Kubernetes from Binary Packages

Source: https://www.cnblogs.com/521football/archive/2019/03/20/10563847.html
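Kubernetes binary deployment

1. Environment planning

Software     Version
-----------  ------------------------------------
Linux OS     CentOS Linux release 7.6.1810 (Core)
Kubernetes   1.9
Docker       18.09.3
etcd         3.3.10

Role                 IP             Components                                                     Recommended configuration
-------------------  -------------  -------------------------------------------------------------  --------------------------
k8s_master / etcd01  192.168.1.153  kube-apiserver, kube-controller-manager, kube-scheduler, etcd  CPU 2+ cores, 2 GB+ memory
k8s_node01 / etcd02  192.168.1.154  kubelet, kube-proxy, docker, flannel, etcd
k8s_node02 / etcd03  192.168.1.155  kubelet, kube-proxy, docker, flannel, etcd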

2. Single-master cluster architecture

          

 

 

3. General system configuration

3.1 Disable SELinux

    sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    setenforce 0

3.2 Adjust file-descriptor limits

    sed -i '/*          soft    nproc     4096/d' /etc/security/limits.d/20-nproc.conf
    echo '*  -  nofile  65536' >> /etc/security/limits.conf
    echo '*       soft    nofile  65535' >> /etc/security/limits.conf
    echo '*       hard    nofile  65535' >> /etc/security/limits.conf
    echo 'fs.file-max = 65536' >> /etc/sysctl.conf

3.3 Disable the firewall

    systemctl disable firewalld.service
    systemctl stop firewalld.service

3.4 Install common tools and synchronize the clock

    yum -y install vim telnet iotop openssh-clients openssh-server ntp net-tools.x86_64 wget
    ntpdate time.windows.com

3.5 Configure the hosts file (on all 3 nodes)

    vim /etc/hosts

    192.168.1.153 k8s_master
    192.168.1.154 k8s_node01
    192.168.1.155 k8s_node02

3.6 Passwordless SSH login between the servers

    ssh-keygen
    ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
    ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

4. Self-signed SSL certificates

4.1 Generate certificates for etcd

    cfssl.sh
    etcd-cert.sh
    etcd.sh

4.1.1 Install the cfssl tools (cfssl.sh)

    cd /home/k8s_install/ssl_etcd
    chmod +x cfssl.sh
    ./cfssl.sh

The script contains:

    curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
    curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
    curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
    chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo

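4.1.2 Generate the self-signed etcd CA certificate (etcd-cert.sh)

    chmod +x etcd-cert.sh
    ./etcd-cert.sh

The script contains:

# CA signing policy: a single profile, "www", valid for both server and client authentication
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# CSR for the CA itself
cat > ca-csr.json <<EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

# Create the self-signed CA: ca.pem and ca-key.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

# CSR for the etcd server certificate; "hosts" becomes its subjectAltName list
cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.1.153",
    "192.168.1.154",
    "192.168.1.155",
    "192.168.1.156",
    "192.168.1.157"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

# Sign the server certificate with the CA: server.pem and server-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

Note: hosts must include every node. You can list a few spare node addresses in advance for later expansion; otherwise the certificate has to be regenerated.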
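The note above matters whenever a member is added: a connection to an address that is not in the certificate's subjectAltName list fails TLS verification. As an added example (not part of the original scripts; the function names, the sample openssl output and the etcd04 address are constructed here), this checks the IP SANs of server.pem against the member list passed to etcd.sh:

```bash
#!/bin/bash
# Added example, not part of the original etcd-cert.sh.

# san_ips_from_text: read `openssl x509 -noout -text` output on stdin and
# print the IP entries of the subjectAltName extension, one per line.
san_ips_from_text() {
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*IP Address:\([0-9a-fA-F.:]*\)[[:space:]]*$/\1/p'
}

# cert_san_ips <cert.pem>: the same, straight from a certificate file.
cert_san_ips() {
    openssl x509 -in "$1" -noout -text | san_ips_from_text
}

# cluster_ips <initial-cluster>: address part of each name=scheme://ip:port
# entry, in the format passed to etcd.sh (IPv4 addresses, as on this page).
cluster_ips() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's|^[^=]*=[a-z]*://||; s|:[0-9]*$||'
}

# missing_sans <san-list> <ip>...: print every required IP not in the list.
# Whole-line, fixed-string matching: 192.168.1.15 is not covered by 192.168.1.153.
missing_sans() {
    sans=$1
    shift
    for ip in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -e "$ip" || printf '%s\n' "$ip"
    done
}

# Constructed sample of the relevant part of `openssl x509 -text` output for a
# certificate issued from the server-csr.json above.
sample_cert_text() {
cat <<'EOF'
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                IP Address:192.168.1.153, IP Address:192.168.1.154, IP Address:192.168.1.155, IP Address:192.168.1.156, IP Address:192.168.1.157
EOF
}

# Planned members; etcd04 at 192.168.1.158 is a hypothetical later addition.
members='etcd01=https://192.168.1.153:2380,etcd02=https://192.168.1.154:2380,etcd03=https://192.168.1.155:2380,etcd04=https://192.168.1.158:2380'
missing_sans "$(sample_cert_text | san_ips_from_text)" $(cluster_ips "$members")
```

On a real host, replace `sample_cert_text | san_ips_from_text` with `cert_san_ips /opt/etcd/ssl/server.pem`; any address printed needs a regenerated certificate before that member can join.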

4.1.3 Install etcd from the binary package

    # Directories for configuration files, executables and certificates
    mkdir /opt/etcd/{cfg,bin,ssl} -p
    # Remember to copy the SSL certificates to /opt/etcd/ssl/
    cp {ca,server-key,server}.pem /opt/etcd/ssl/

    # Deploy etcd and add the etcd service (etcd.sh)
    cd /home/k8s_install/soft/
    tar -zxvf etcd-v3.3.10-linux-amd64.tar.gz
    cd etcd-v3.3.10-linux-amd64
    mv etcd etcdctl /opt/etcd/bin/

    cd /home/k8s_install/ssl_etcd
    chmod +x etcd.sh
    # Arguments: 1. etcd member name  2. this host's IP  3. names and addresses of the other two etcd members
    ./etcd.sh etcd01 192.168.1.153 etcd02=https://192.168.1.154:2380,etcd03=https://192.168.1.155:2380
    # The command appears to hang after it starts; it is actually waiting for the other two members to join

Deploy etcd on the other two nodes:

    scp -r /opt/etcd/ k8s_node01:/opt/
    scp -r /opt/etcd/ k8s_node02:/opt/
    scp /usr/lib/systemd/system/etcd.service k8s_node01:/usr/lib/systemd/system/
    scp /usr/lib/systemd/system/etcd.service k8s_node02:/usr/lib/systemd/system/

    # Edit the configuration file on the node (required on both nodes)
    ssh k8s_node01
    vim /opt/etcd/cfg/etcd
    # Change ETCD_NAME and the IP addresses

    systemctl daemon-reload
    systemctl start etcd.service

The etcd.sh script contains:

#!/bin/bash
# Usage: ./etcd.sh <member name> <this host's IP> <other members as name=peer-URL,...>

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

WORK_DIR=/opt/etcd

# Environment file read by the systemd unit.
# ETCD_INITIAL_CLUSTER always lists this host as etcd01, so the copy placed on
# the other nodes has to be edited by hand.
cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

# systemd unit. The heredoc is unquoted: ${WORK_DIR} is expanded now by the
# shell, while \${...} is written literally for systemd to resolve from the
# environment file.
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

# Register the unit, enable it at boot and start etcd
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
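The unit written by etcd.sh sets certificate and CA files but neither `--client-cert-auth` nor `--peer-client-cert-auth`, and it keeps a plaintext `http://127.0.0.1:2379` listener; without those two flags etcd does not require a certificate from the connecting side. The following added example (not part of the original script; the function names are made up here and the sample unit is constructed from the script above with WORK_DIR expanded) audits a unit file for these three settings:

```bash
#!/bin/bash
# Added example, not part of the original etcd.sh. Reads an etcd systemd unit
# on stdin and prints one finding per line.

# Helpers work on $tokens: the words of the unit, one per line.
has_prefix() { printf '%s\n' "$tokens" | grep -q -e "^$1"; }
is_enabled() { printf '%s\n' "$tokens" | grep -qxE -e "$1(=true)?"; }

audit_etcd_unit() {
    # Drop comment lines, then split on whitespace and on the backslashes used
    # for line continuation, so every flag ends up on its own line.
    tokens=$(grep -v '^[[:space:]]*#' | tr -s '[:space:]\\' '\n')

    # A server certificate is configured, but clients need not present one.
    if has_prefix '--cert-file=' && ! is_enabled '--client-cert-auth'; then
        echo "NO_CLIENT_CERT_AUTH: --cert-file is set without --client-cert-auth"
    fi
    # Same question for member-to-member traffic on the peer port.
    if has_prefix '--peer-cert-file=' && ! is_enabled '--peer-client-cert-auth'; then
        echo "NO_PEER_CERT_AUTH: --peer-cert-file is set without --peer-client-cert-auth"
    fi
    # A literal http:// URL on a listener is served without TLS at all.
    printf '%s\n' "$tokens" |
        grep -E -e '^--listen-(client|peer)-urls=' |
        while IFS='=' read -r flag urls; do
            printf '%s\n' "$urls" | tr ',' '\n' | grep '^http://' |
                sed "s|^|PLAINTEXT_LISTENER: $flag serves |"
        done
    return 0
}

# Constructed sample: the [Service] section etcd.sh generates, shortened to the
# flags that matter here.
sample_unit() {
cat <<'EOF'
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd \
--name=${ETCD_NAME} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
EOF
}

sample_unit | audit_etcd_unit
```

On a deployed node, run `audit_etcd_unit < /usr/lib/systemd/system/etcd.service`. URLs that come from the environment file (`${ETCD_LISTEN_CLIENT_URLS}`) are not resolved by this check and need a look at /opt/etcd/cfg/etcd.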

4.1.4 Check etcd cluster health

    cd /opt/etcd/ssl
    /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.153:2379,https://192.168.1.154:2379,https://192.168.1.155:2379" cluster-health


5. Install Docker (nodes)

5.1 Install dependencies

    yum install -y yum-utils \
        device-mapper-persistent-data \
        lvm2

5.2 Configure the official repository (replaced with the Aliyun mirror)

    yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

5.3 Refresh the cache and install Docker CE

    yum makecache fast
    yum install docker-ce -y

5.4 Configure the Docker registry mirror (accelerator)

    curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io

5.5 Start Docker

    systemctl restart docker.service
    systemctl enable docker.service

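6. Deploy the Flannel network

Overlay network: a virtual networking technique layered on top of an underlying network; the hosts in it are connected by virtual links.

VXLAN: encapsulates the original packet in UDP, using the IP/MAC of the underlying network as the outer header, and transmits it over Ethernet; at the destination, the tunnel endpoint decapsulates it and delivers the data to the target address.

Flannel: one kind of overlay network. It likewise encapsulates the original packet inside another network packet for routing, forwarding and communication, and currently supports UDP, VXLAN, AWS VPC and GCE routes as forwarding methods.

Other mainstream options for multi-host container networking: tunnel-based solutions (Weave, OpenvSwitch), routing-based solutions (Calico), and others.
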

6.1 Write the allocated subnet range to etcd for flanneld to use (master)

    /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints=https://192.168.1.153:2379,https://192.168.1.154:2379,https://192.168.1.155:2379 set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'

6.2 Install Flannel from the binary package (nodes, flannel.sh)

Download from: https://github.com/coreos/flannel/releases/download/

    mkdir /opt/kubernetes/{bin,cfg,ssl} -p
    cd /home/k8s_install/flannel_install/
    tar -zxvf flannel-v0.10.0-linux-amd64.tar.gz
    mv {flanneld,mk-docker-opts.sh} /opt/kubernetes/bin/
    cd /home/k8s_install/flannel_install
    chmod +x flannel.sh
    chmod +x /opt/kubernetes/bin/{flanneld,mk-docker-opts.sh}
    ./flannel.sh https://192.168.1.153:2379,https://192.168.1.154:2379,https://192.168.1.155:2379


The script contains:

#!/bin/bash
# Usage: ./flannel.sh <comma-separated etcd client URLs>

ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}

# flanneld options: etcd endpoints and the certificate files used to reach etcd over TLS
cat <<EOF >/opt/kubernetes/cfg/flanneld

FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

# flanneld unit; after start, mk-docker-opts.sh writes DOCKER_NETWORK_OPTIONS
# to /run/flannel/subnet.env
cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target

EOF

# Docker unit that starts dockerd with the network options generated by flannel
cat <<EOF >/usr/lib/systemd/system/docker.service

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd \$DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
