通過RKE 安裝kubernetes
作者: 張首富
時間: 2019-02-13
個人博客: www.zhangshoufu.com
QQ羣: 895291458
集羣節點說明
我們這邊需要4臺機器,系統全都是centos7.5
10.0.0.99 MKE.kuber.com
10.0.0.100 master.kuber.com
10.0.0.101 node101.kuber.com
10.0.0.102 node102.kuber.com
安裝前參數調整(所有機器上操作)
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config # 關閉selinux
systemctl stop firewalld.service && systemctl disable firewalld.service # 關閉防火牆
echo 'LANG="en_US.UTF-8"' >> /etc/profile;source /etc/profile #修改系統語言
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime # 修改時區(如果需要修改)
# 添加hosts文件
# 性能調優
cat >> /etc/sysctl.conf<<EOF
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.neigh.default.gc_thresh1=4096
net.ipv4.neigh.default.gc_thresh2=6144
net.ipv4.neigh.default.gc_thresh3=8192
EOF
sysctl –p
配置相關轉發
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
sysctl --system
配置kubernetes源(所有機器上操作)
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
配置docker源,安裝docker(所有機器上操作)
yum -y install yum-utils
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y device-mapper-persistent-data lvm2
sudo yum makecache fast
yum -y remove container-selinux.noarch
yum install https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm -y
yum install docker-ce-17.03.0.ce -y (安裝17.03,要不然會出現問題)
systemctl start docker && systemctl enable docker
配置docker鏡像加速
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://ll9gv5j9.mirror.aliyuncs.com","exec-opts": ["native.cgroupdriver=systemd"]]
}
EOF
配置鏡像加速地址
可以配置多條,以數組的形式編寫,地址需要添加協議頭。編輯/etc/docker/daemon.json加入以下內容
{
"registry-mirrors": ["https://z34wtdhg.mirror.aliyuncs.com","https://$IP:$PROT"]
}
配置私有倉庫 (可選)
Docker默認只信任TLS加密的倉庫地址(https),所有非https倉庫默認無法登陸也無法拉取鏡像。insecure-registries字面意思爲不安全的倉庫,通過添加這個參數對非https倉庫進行授信。可以設置多個insecure-registries地址,以數組形式書寫,地址不能添加協議頭(http)。編輯/etc/docker/daemon.json加入以下內容:
{
"insecure-registries":["harbor.httpshop.com","bh-harbor.suixingpay.com"]
}
配置Docker存儲驅動(可選)
存儲驅動有很多種,例如:overlay、overlay2、devicemapper等,前兩者是OverlayFS類型的,是一個新一代的聯合文件系統,類似於AUFS,但速度更快,更加穩定。這裏推薦新版的overlay2。
要求:
overlay2: Linux內核版本4.0或更高版本,或使用內核版本3.10.0-514+的RHEL或CentOS
支持的磁盤文件系統:ext4(僅限RHEL 7.1),xfs(RHEL7.2及更高版本),需要啓用d_type=true
編輯/etc/docker/daemon.json加入以下內容
{
"storage-driver": "overlay2",
"storage-opts": ["overlay2.override_kernel_check=true"]
}
配置日誌驅動(可選)
容器在運行時會產生大量日誌文件,很容易佔滿磁盤空間。通過配置日誌驅動來限制文件大小與文件的數量。 >限制單個日誌文件爲100M,最多產生3個日誌文件
{
"log-driver": "json-file",
"log-opts": {
"max-size": "100m",
"max-file": "3"
}
}
daemon.json的樣例
{
"registry-mirrors": ["https://z34wtdhg.mirror.aliyuncs.com"],
"insecure-registries":["harbor.httpshop.com","bh-harbor.suixingpay.com"],
"storage-driver": "overlay2",
"storage-opts": ["overlay2.override_kernel_check=true"]
}
{
"log-driver": "json-file",
"log-opts": {
"max-size": "100m",
"max-file": "3"
}
}
創建docker用戶(所有節點上) 這一步特別重要,我們後面起的服務全部都要在docker這個用戶下啓動
[root@RKE ~]# grep ^docker /etc/group 如果有docker組就不需要創建
docker:x:994:
useradd -g docker docker
echo "1" | passwd --stdin docker
在RKE上分發祕鑰
ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
安裝nginx,爲了我們能在外面訪問(多master負載使用,在MKE安裝)
nginx的配置文件如下
[docker@MKE ~]$ cat /etc/nginx/nginx.conf
worker_processes auto;
pid /run/nginx.pid;
events {
use epoll;
worker_connections 65536;
accept_mutex off;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$upstream_addr" "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$request_time"';
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 900;
# keepalive_timeout 0;
keepalive_requests 100;
types_hash_max_size 2048;
server {
listen 80;
return 301 https://$host$request_uri;
}
}
stream {
upstream rancher_servers {
least_conn;
server 10.0.0.100:443 max_fails=3 fail_timeout=5s;
}
server {
listen 443;
proxy_pass rancher_servers;
}
}
啓動docker服務:
docker run -d --restart=unless-stopped \
-p 80:80 -p 443:443 \
-v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf \
nginx:1.14
RKE 安裝kubernetes(在MKE機器上操作)
下載RKE wget https://github.com/rancher/rke/releases/download/v0.1.11/rke_linux-amd64 (不建議在不能×××的機器上安裝,我們可以下載下來傳上去)
寫集羣yaml文件,先切換到docker用戶
nodes:
- address: 10.0.0.100
user: docker
ssh_key_path: ~/.ssh/id_rsa
role: [controlplane,worker,etcd]
- address: 10.0.0.101
user: docker
role: [worker,etcd]
- address: 10.0.0.102
user: docker
role: [worker,etcd]
services:
etcd:
snapshot: true
creation: 6h
retention: 24h
- address : 集羣節點的地址
- user : 使用哪個用戶執行安裝命令
- ssh_key_path : 私鑰地址(如果祕鑰生成不是默認的名稱就需要指定)
- role : 這個節點充當什麼角色
......剩下https://www.cnrancher.com/docs/rke/v0.1.x/cn/example-yamls/cluster/ 看這個
安裝kubectl 檢查集羣
yum -y install kubectl
檢查集羣節點:
[docker@MKE ~]$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
10.0.0.100 Ready controlplane,etcd,worker 2h v1.11.3
10.0.0.101 Ready etcd,worker 2h v1.11.3
10.0.0.102 Ready etcd,worker 2h v1.11.3
檢查pod狀態
[docker@MKE ~]$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
ingress-nginx default-http-backend-797c5bc547-j7577 1/1 Running 0 2h
ingress-nginx nginx-ingress-controller-69s9g 1/1 Running 0 2h
ingress-nginx nginx-ingress-controller-8gw74 1/1 Running 0 2h
ingress-nginx nginx-ingress-controller-xgzzw 1/1 Running 0 2h
kube-system canal-5nf7c 3/3 Running 0 2h
kube-system canal-nzgx4 3/3 Running 0 2h
kube-system canal-t5m9d 3/3 Running 0 2h
kube-system kube-dns-7588d5b5f5-s5f99 3/3 Running 0 2h
kube-system kube-dns-autoscaler-5db9bbb766-62rxm 1/1 Running 0 2h
kube-system metrics-server-97bc649d5-9h2g4 1/1 Running 0 2h
kube-system rke-ingress-controller-deploy-job-rwzgq 0/1 Completed 0 2h
kube-system rke-kubedns-addon-deploy-job-mvmzj 0/1 Completed 0 2h
kube-system rke-metrics-addon-deploy-job-52gp4 0/1 Completed 0 2h
kube-system rke-network-plugin-deploy-job-jckhc 0/1 Completed 0 2h
Pods
的STATUS
是Completed
爲run-one Jobs,這些pods READY應該爲0/1。
配置kubectl命令補全
yum -y install bash-completion.noarch
source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bashrc
Helm 安裝rancher dashboard(儀表盤)
創建helm的RBAC(Role-based Access Control,基於角色的訪問控制)
# 在kube-system這個命令空間裏面創建一個 tiller的服務賬號
kubectl -n kube-system create serviceaccount tiller
# 把tiller綁定到哪個集羣角色上面,服務賬號是什麼
kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
二進制安裝helm
下載安裝包的地址爲 : https://github.com/helm/helm/releases
[docker@MKE ~]$ tar xf helm-v2.12.2-linux-amd64.tar.gz
[root@MKE ~]# cp -a -t /usr/local/bin/ /home/docker/linux-amd64/helm /home/docker/linux-amd64/tiller
[root@MKE ~]# su - docker
添加helm 鏡像源
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
Rancher 中安裝 Tiller
默認使用的版本是V2.12.3
helm init --service-account tiller --tiller-image \
registry.cn-hangzhou.aliyuncs.com/google_containers/tiller:v2.12.3 \
--stable-repo-url https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts
升級Tiller(可選)
安裝證書管理器
helm install stable/cert-manager \
--name cert-manager \
--namespace kube-system
如果報錯,在後面添加--set createCustomResource=true
選擇SSL配置方式並安裝Rancher server
helm install rancher-stable/rancher \
--name rancher \
--namespace cattle-system \
--set hostname=rancher.zsf.com
修改hosts文件,瀏覽器訪問測試
我們在hosts文件裏面加入對應的域名解析,因爲我們的域名是假的
cat /etc/hosts
10.0.0.99 rancher.zsf.com
瀏覽器登錄訪問
登錄的時候需要注意,使用https協議訪問,這個過程的長短根據你的機器配置來的,
備份與恢復
集羣備份(對於新手來說,強烈建議集羣搭建成功後拍攝一個快照)
注意:
- 需要RKE v0.1.7以上版本纔可以
手動創建快照:
當你即將升級Rancher或將其恢復到以前的快照時,你應該對數據手動創建快照,以便數據異常時可供恢復。
在RKE機器上執行下面命令
./rke_linux-amd64 etcd snapshot-save --name <SNAPSHOT.db> --config rancher-cluster.yml
SNAPSHOT.db
: 這個是保存etcd的快照名字rancher-cluster.yml
: 這個是創建集羣的時候指定的配置文件,如果使用的是默認的cluster.yml
就可以不指定
RKE會獲取每個etcd節點的快照,並保存在每個etcd節點的/opt/rke/etcd-snapshots目錄下;
測試:
[docker@MKE ~]$ pwd
/home/docker
[docker@MKE ~]$ ls
cluster.yml kube_config_cluster.yml linux-amd64 rke_linux-amd64
[docker@MKE ~]$ ./rke_linux-amd64 etcd snapshot-save --name initialization_status_20190213 --config cluster.yml
INFO[0000] Starting saving snapshot on etcd hosts
INFO[0000] [dialer] Setup tunnel for host [10.0.0.100]
INFO[0000] [dialer] Setup tunnel for host [10.0.0.101]
INFO[0000] [dialer] Setup tunnel for host [10.0.0.102]
INFO[0000] [etcd] Saving snapshot [initialization_status_20190213] on host [10.0.0.100]
INFO[0000] [etcd] Successfully started [etcd-snapshot-once] container on host [10.0.0.100]
INFO[0000] [etcd] Saving snapshot [initialization_status_20190213] on host [10.0.0.101]
INFO[0001] [etcd] Successfully started [etcd-snapshot-once] container on host [10.0.0.101]
INFO[0001] [etcd] Saving snapshot [initialization_status_20190213] on host [10.0.0.102]
INFO[0001] [etcd] Successfully started [etcd-snapshot-once] container on host [10.0.0.102]
INFO[0002] [certificates] Successfully started [rke-bundle-cert] container on host [10.0.0.100]
INFO[0002] [certificates] Successfully started [rke-bundle-cert] container on host [10.0.0.102]
INFO[0002] [certificates] Successfully started [rke-bundle-cert] container on host [10.0.0.101]
INFO[0002] [certificates] successfully saved certificate bundle [/opt/rke/etcd-snapshots//pki.bundle.tar.gz] on host [10.0.0.101]
INFO[0002] [certificates] successfully saved certificate bundle [/opt/rke/etcd-snapshots//pki.bundle.tar.gz] on host [10.0.0.100]
INFO[0002] [certificates] successfully saved certificate bundle [/opt/rke/etcd-snapshots//pki.bundle.tar.gz] on host [10.0.0.102]
INFO[0002] Finished saving snapshot [initialization_status_20190213] on all etcd hosts
到節點上去看
[docker@master etcd-snapshots]$ ll -d /opt/rke/etcd-snapshots/initialization_status_20190213
-rw-r--r-- 1 root root 9052192 Feb 13 10:25 /opt/rke/etcd-snapshots/initialization_status_20190213
定時自動創建快照
定時自動創建快照服務是RKE附帶的服務,默認沒有開啓。可以通過在rancher-cluster.yml
中添加配置來啓用etcd-snapshot(定時自動創建快照)服務。
在cluster.yml文件裏面添加如下代碼
services:
etcd:
snapshot: true # 是否啓用快照功能,默認false;
creation: 6h0s # 快照創建間隔時間,不加此參數,默認5分鐘;
retention: 24h # 快照有效期,此時間後快照將被刪除;
運行命令./rke_linux-amd64 up --config cluster.yml
結果:
RKE會在每個etcd節點上定時獲取快照,並將快照將保存到每個etcd節點的:/opt/rke/etcd-snapshots/目錄下