
RPM包安装

# Online host: add a Kubernetes yum repo.
# The two heredocs below write the SAME file (/etc/yum.repos.d/kubernetes.repo);
# the second overwrites the first, so run only the one you want. Both keep
# gpgcheck=1 and repo_gpgcheck=1, so package and repodata signatures are
# verified against the listed gpgkey URLs.
# Google upstream (needs a proxy from inside China, as the author notes)
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF

# Aliyun mirror of the same repo
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

# Download the RPMs plus their dependencies (--resolve) into /root/pkg/k8s for
# offline use. kubeadm/kubelet/kubectl are pinned to the 1.18.* series; the
# images fetched later on this page are v1.18.4.
yumdownloader --assumeyes --destdir=/root/pkg/k8s --resolve yum-utils kubeadm-1.18.* kubelet-1.18.* kubectl-1.18.* ebtables

# Offline host: install the downloaded RPMs. If yum reports a missing package,
# install it with yum from the local repo (a yum source must be configured
# beforehand; see the httpd/ISO repo section later on this page).
# NOTE(review): --disablerepo=* only disables remote repos; whether the local
# .rpm signatures are checked depends on yum's localpkg_gpgcheck setting —
# confirm on the target host.
yum install -y libxml2-python python-kitchen
yum install -y --cacheonly --disablerepo=* /root/pkg/k8s/*.rpm

下载K8S镜像

# List the control-plane images kubeadm needs for the installed version.
kubeadm config images list
# Output as recorded by the author (kubeadm 1.18.4). The image lists in
# img_save.sh / img_load.sh below must match these tags exactly.
k8s.gcr.io/kube-apiserver:v1.18.4
k8s.gcr.io/kube-controller-manager:v1.18.4
k8s.gcr.io/kube-scheduler:v1.18.4
k8s.gcr.io/kube-proxy:v1.18.4
k8s.gcr.io/pause:3.2
k8s.gcr.io/etcd:3.4.3-0
k8s.gcr.io/coredns:1.6.7

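# Online host: image download script. Pulls each image from the Aliyun mirror,
# retags it to the k8s.gcr.io name kubeadm expects, drops the mirror tag and
# saves the image as <name:tag>.tar for transfer to the offline host.
vi img_save.sh
# Tags must match the output of `kubeadm config images list` above.
images=(
kube-apiserver:v1.18.4
kube-controller-manager:v1.18.4
kube-scheduler:v1.18.4
kube-proxy:v1.18.4
pause:3.2
etcd:3.4.3-0
coredns:1.6.7
)

# Stop at the first failing docker command: continuing after a failed pull
# would otherwise tag/save nothing for that image and leave the set incomplete.
set -e
# Quoted expansions keep each array entry as one word.
for imageName in "${images[@]}"; do
  docker pull "registry.aliyuncs.com/google_containers/${imageName}"
  docker tag "registry.aliyuncs.com/google_containers/${imageName}" "k8s.gcr.io/${imageName}"
  docker rmi "registry.aliyuncs.com/google_containers/${imageName}"
  # -o (as used by the Registry section on this page) instead of a shell
  # redirect, so the shell does not create an empty tar before docker runs.
  docker save -o "${imageName}.tar" "k8s.gcr.io/${imageName}"
done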

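# Offline host: image import script. Loads the <name:tag>.tar files produced
# by img_save.sh from the current directory.
vi img_load.sh
# Must list the same tags as img_save.sh.
images=(
kube-apiserver:v1.18.4
kube-controller-manager:v1.18.4
kube-scheduler:v1.18.4
kube-proxy:v1.18.4
pause:3.2
etcd:3.4.3-0
coredns:1.6.7
)

# Fail fast rather than finishing with a partial image set.
set -e
for imageName in "${images[@]}"; do
  # A missing tarball is reported by name instead of as a docker read error.
  [[ -f "${imageName}.tar" ]] || { printf 'missing %s.tar\n' "${imageName}" >&2; exit 1; }
  docker load -i "${imageName}.tar"
done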

下载Flannel镜像

# Download the Flannel manifest (needs a proxy from inside China, as the author notes).
# NOTE(review): this URL is the unpinned master branch, so the manifest (and the
# image tag it references) can drift from the v0.13.0-rc2 image saved below.
# Pin to a release tag/commit and check that the image tag inside
# kube-flannel.yml matches the tarball you ship.
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

# Online host: pull the Flannel image and save it as a tarball
docker pull quay.io/coreos/flannel:v0.13.0-rc2
docker save quay.io/coreos/flannel:v0.13.0-rc2 > flannel_v0.13.0-rc2.tar

# Offline host: import the tarball
docker load < flannel_v0.13.0-rc2.tar

下载IngressNginx镜像

# Online host: download the manifests, pinned to the nginx-0.30.0 release tag.
# Only the namespace and RBAC manifests are fetched here; the controller
# Deployment manifest itself is not shown on this page.
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/namespace.yaml
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/rbac.yaml

# Online host: pull the controller image (same version as the manifests) and save it
docker pull quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
docker save quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0 > nginx-ingress-controller_0.30.0.tar

# Offline host: import the tarball
docker load < nginx-ingress-controller_0.30.0.tar

主节点部署

# Initialise the control plane. --kubernetes-version must match the image tags
# saved earlier (v1.18.4), otherwise kubeadm tries to pull images that are not
# available offline. --pod-network-cidr=10.244.0.0/16 is the range the stock
# Flannel manifest assumes.
kubeadm init --pod-network-cidr=10.244.0.0/16 --kubernetes-version=v1.18.4

# Copy the admin kubeconfig for the current user. admin.conf carries
# cluster-admin credentials — keep $HOME/.kube/config readable by this user only.
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# Install Flannel (manifest downloaded in the Flannel section above)
kubectl apply -f kube-flannel.yml

# Work around slow NodePort traffic through Flannel by turning off rx/tx
# offload on the VXLAN device.
# NOTE(review): ethtool settings do not survive a reboot or re-creation of
# flannel.1 — persist this (e.g. a NetworkManager dispatcher script or a
# systemd unit) if it is still needed.
ethtool --offload flannel.1 rx off tx off


# Check node and pod status
kubectl get nodes -o wide
kubectl get pods --all-namespaces

# Optional: allow ordinary pods on the control-plane node by removing the
# master NoSchedule taint. This trades control-plane isolation for capacity;
# on a multi-node cluster leave the taint in place unless you need it.
kubectl taint nodes --all node-role.kubernetes.io/master-

工作节点部署

# Worker node: join the cluster with the token and CA hash printed by
# `kubeadm init` on the control plane. The values below are the author's own
# sample; use the ones from your init run.
kubeadm join 10.10.51.78:6443 --token cb3tj7.fvnovftkepaghkeq \
--discovery-token-ca-cert-hash sha256:093dc747b9a22551ee029b325078e49170b680ee885e869ffbe665cdf53e4d8e

# If the bootstrap token has expired, generate a new one on the control plane.
# NOTE(review): --ttl=0 creates a token that NEVER expires; anyone who obtains
# it can join nodes to the cluster indefinitely. Prefer the default 24h TTL
# (omit --ttl) and, if a long-lived token is really needed, remove it after
# the nodes have joined with `kubeadm token delete <token>`.
kubeadm token create --print-join-command --ttl=0

其它常规操作

查看报错日志

journalctl -u kubelet

删除节点

# Remove a node: delete it from the API on the control plane, then wipe kubeadm
# state on the node itself (drain it first if it still runs workloads).
# ubuntu103 is the author's node name.
kubectl delete node ubuntu103  #on master
kubeadm reset #on slave

重置

# Reset kubeadm state on this host and remove leftover CNI configuration
kubeadm reset
rm -rf /etc/cni/net.d

# Clean up iptables. `iptables -L` only lists the current rules.
# NOTE(review): the second line flushes EVERY rule in the filter, nat and
# mangle tables and deletes all user-defined chains — not just the
# kube-proxy/CNI ones — so any other host firewall rules are lost too. Run it
# only on a node dedicated to Kubernetes.
iptables -L
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X

# Remove the ipip module and the CNI/Flannel network interfaces
modprobe -r ipip
ip link delete cni0
ip link delete flannel.1

参考文档

安装

# Initialise the PostgreSQL 9.6 data directory
/usr/pgsql-9.6/bin/postgresql96-setup initdb

# Start the service and enable it at boot
systemctl start postgresql-9.6.service
systemctl enable postgresql-9.6.service

# Set the postgres superuser password (the ALTER USER line is entered inside
# psql; \q leaves psql). Replace 'yourpassword'.
su postgres
psql
ALTER USER postgres WITH PASSWORD 'yourpassword';
\q

# Allow remote connections. The next line is the author's instruction: change
# `#listen_addresses = 'localhost'` to `listen_addresses='*'`.
# NOTE(review): '*' listens on every interface; if the host also has an
# externally reachable NIC, list only the internal address(es) instead.
vi /var/lib/pgsql/9.6/data/postgresql.conf
修改#listen_addresses = 'localhost' 为 listen_addresses='*'

# pg_hba rule: any user may reach any database from ANY IPv4 address with
# md5 password auth. Restrict the address column to the application subnet(s)
# and, where possible, name the specific database/user instead of `all all`.
# (md5 is the strongest password method 9.6 offers; scram-sha-256 only arrived
# in PostgreSQL 10.)
vi /var/lib/pgsql/9.6/data/pg_hba.conf
host all all 0.0.0.0/0 md5

初始配置

-- Create the application role (LOGIN so it can connect). Replace 'yourpassword'.
CREATE ROLE business LOGIN PASSWORD 'yourpassword';

-- Create a tablespace. The directory is created as the postgres OS user so the
-- server can write to it; the CREATE TABLESPACE below is then run inside psql.
-- NOTE(review): the directory sits under pg_tblspc inside the data directory,
-- which is where PostgreSQL keeps its own tablespace symlinks — a separate
-- mount point outside the data directory is the usual choice; confirm this
-- location is intended.
su - postgres
cd /var/lib/pgsql/9.6/data/pg_tblspc
mkdir ts_business

CREATE TABLESPACE ts_business OWNER business LOCATION '/var/lib/pgsql/9.6/data/pg_tblspc/ts_business';

-- Create the database from template0 (used so a non-default encoding/collation
-- can be specified) in the new tablespace, then hand ownership to the
-- application role.
CREATE DATABASE yourdb WITH TEMPLATE = template0 ENCODING = 'UTF8' LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8' TABLESPACE = ts_business;
ALTER DATABASE yourdb OWNER TO business;

数据导入

# Local export/import as the postgres OS user (typically no password prompt
# on a local socket connection)
su - postgres
pg_dump --dbname yourdb --file dump.sql
psql --dbname yourdb --file dump.sql

# Remote export from one host and import into another. The password is
# prompted for (or read from ~/.pgpass); do not put it on the command line.
# dump.sql contains the data in clear text — protect it in transit and delete
# it afterwards.
pg_dump --host 10.10.71.53 --port 5432 --dbname yourdb --username postgres --file dump.sql
psql --host 10.10.51.76 --port 5432 --dbname yourdb --username postgres --file dump.sql

服务端

# Install the NFS server tools and confirm rpcbind registrations
yum -y install nfs-utils
rpcinfo -p localhost

# Create the directory to export
mkdir /nfs

# Export configuration.
# NOTE(review): `*` exports /nfs to EVERY host that can reach the server, and
# no_root_squash lets root on any such client act as root on the export.
# Limit the client list to the consumer subnet (for example
# 10.10.51.0/24(rw,sync,no_subtree_check) — constructed from the addresses
# used on this page) and drop no_root_squash unless a client genuinely needs
# root-owned writes.
cat <<EOF > /etc/exports
/nfs *(rw,sync,no_root_squash,no_subtree_check)
EOF

# Re-export (re-reads /etc/exports)
exportfs -r

# Enable and start rpcbind and the NFS server
systemctl enable rpcbind
systemctl start rpcbind
systemctl enable nfs-server
systemctl start nfs-server

# Test by mounting the export locally
showmount -e localhost
mkdir /mnt/nfs
mount -t nfs 127.0.0.1:/nfs /mnt/nfs

客户端

# Install the NFS client tools
yum -y install nfs-utils

# Enable and start rpcbind
systemctl enable rpcbind
systemctl start rpcbind

# Temporary mount: list the server's exports, then mount one
showmount -e 10.10.51.77
mkdir /mnt/nfs
mount -t nfs 10.10.51.77:/nfs /mnt/nfs

# Persistent mount via /etc/fstab. Note the mount point here is /data, not
# the /mnt/nfs used for the temporary mount above.
sudo vi /etc/fstab
10.10.51.77:/nfs /data nfs defaults 0 0

# Reload systemd so it sees the new fstab entry.
# NOTE(review): plain `mount` only lists current mounts; `mount -a`
# (or `mount /data`) is what actually mounts the new entry.
systemctl daemon-reload
mount

参考文档

所有主机

# Install the NTP daemon on every host
yum install -y ntp

# Start ntpd and enable it at boot
systemctl start ntpd
systemctl enable ntpd

服务端

# Configure this host as the NTP server: the pool servers are commented out
# (no internet access) and the local clock driver (127.127.1.0) is the
# reference instead.
# NOTE(review): no `restrict` line is shown — check that the file's default
# restrict lines allow the client subnet and nothing wider.
vi /etc/ntp.conf
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 127.127.1.0
# NOTE(review): stratum 0 advertises the undisciplined local clock as a true
# reference clock; the conventional value for a local-clock fallback is
# stratum 10, so that real upstream sources are preferred if any are added.
fudge 127.127.1.0 stratum 0

# Restart ntpd to apply
systemctl restart ntpd

# Check peers and sync status
ntpq -p
ntpstat

客户端

# Point this client at the internal NTP server (10.10.51.77) instead of the
# pool servers
vi /etc/ntp.conf
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 10.10.51.77
# NOTE(review): `fudge` applies to local reference-clock drivers
# (127.127.x.x); on a network peer it most likely has no effect and can be
# dropped.
fudge 10.10.51.77 stratum 0
# Accept time from the server only; it may not modify, trap or query this host
restrict 10.10.51.77 nomodify notrap noquery

# Restart ntpd to apply
systemctl restart ntpd

# One-off manual sync (-u uses an unprivileged source port, so it works while
# ntpd holds port 123)
ntpdate -u 10.10.51.77

# Check peers and sync status
ntpq -p
ntpstat

步骤

# Install dnsmasq
yum -y install dnsmasq

## Main config file (the author keeps the defaults).
# NOTE(review): by default dnsmasq answers on all interfaces; set
# `interface=`/`listen-address=` (with `bind-interfaces`) to the internal NIC
# so the resolver is not reachable from other networks, and consider
# `no-resolv`/`server=` so it only forwards where you intend.
vi /etc/dnsmasq.conf

# Forward records come from /etc/hosts. The next line is the author's note:
# add a record for this host's own hostname first.
vi /etc/hosts
注意先配置一条hostname的记录

# Start dnsmasq and enable it at boot
systemctl start dnsmasq
systemctl enable dnsmasq

# Client side: point the interface at the dnsmasq host and restart networking
# (ens192 is the author's interface name — adjust to yours)
vi /etc/sysconfig/network-scripts/ifcfg-ens192
DNS1=10.10.51.77

systemctl restart network

# Test: resolve the registry hostname served by dnsmasq
ping registry.yourcompany.com

下载离线安装包

https://github.com/goharbor/harbor/releases

开始安装

# Unpack the offline installer and start from the template config
tar -zxvf harbor-offline-installer-v2.1.0.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml

# Edit harbor.yml.
# NOTE(review): the file is YAML — the admin password line needs a colon like
# the hostname line (`harbor_admin_password: yourpassword`), not `=`. Set a
# real password here; it is the initial admin login for the web UI.
vi harbor.yml
hostname: harbor.yourcompany.com
harbor_admin_password = yourpassword

# Run the installer
./install.sh

# Start at boot: (re)start the compose stack. Whether it comes back after a
# reboot depends on the restart policy in the generated docker-compose.yml
# and on docker itself being enabled — confirm both.
docker-compose stop
docker-compose up -d

# Uninstall (-v also removes the volumes declared in the compose file)
docker-compose down -v

# Check the containers are up
docker ps

# Logs live here
cd /var/log/harbor

图形界面配置

# Browser access (plain HTTP until the SSL section below is applied).
# Log in as admin with the harbor_admin_password set in harbor.yml — change
# it on first login.
http://10.10.51.77/
admin/yourpassword

# Create a non-admin user for docker clients (username / password)
operator/yourpassword

# Create a project to push into
yourproject

客户端配置

# Let docker talk to the registry over plain HTTP.
# NOTE(review): insecure-registries disables TLS for that host, so the login
# below sends the password in clear text on the network; the SSL section
# below removes the need for this setting.
vi /etc/docker/daemon.json
{ "insecure-registries":["10.10.51.77:80"] }
systemctl daemon-reload
systemctl restart docker

# Docker login.
# NOTE(review): -p puts the password into shell history and `ps` output; use
# `docker login -u operator --password-stdin 10.10.51.77:80` and feed the
# password from a file or prompt instead.
docker login -u operator -p yourpassword 10.10.51.77:80

# Push an image.
# NOTE(review): `docker images tag` is not a valid command — the first line
# should be `docker tag nginx 10.10.51.77:80/yourproject/nginx` (as in the
# Registry section below).
docker images tag nginx 10.10.51.77:80/yourproject/nginx
docker push 10.10.51.77:80/yourproject/nginx

配置SSL(可选)

# Create a self-signed CA (10-year validity).
# NOTE(review): ca.key is written with the default umask — chmod 600 it, and
# keep the CA key off the Harbor host once signing is done: anyone holding it
# can mint certificates that every client trusting ca.crt will accept.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=CA"
openssl x509 -in ca.crt -noout -text
# Issue the server certificate: key, CSR, then an extensions file carrying the
# SAN. Modern browsers and Go-based clients such as docker ignore the CN and
# require the hostname/IP in subjectAltName, which is why the cnf lists both.
openssl genrsa -out harbor.key 2048
openssl req -new -sha256 -key harbor.key -out harbor.csr -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=yourcompany.com"
cat <<EOF > harbor.cnf
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:10.10.51.77,DNS:harbor.yourcompany.com
EOF
# Sign the CSR with the CA for 10 years. A shorter leaf lifetime (one to two
# years) limits the blast radius of a leaked harbor.key; the CA cert can stay
# long-lived.
openssl x509 -req -sha256 -days 3650 -in harbor.csr -out harbor.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile harbor.cnf
openssl x509 -in harbor.crt -noout -text

# Point harbor.yml (https block) at the certificate and key
certificate: /root/cert/harbor.crt
private_key: /root/cert/harbor.key

# Reinstall to apply (down -v also removes the compose volumes)
docker-compose down -v
./install.sh

# Map the hostname locally (or publish it via the dnsmasq host above)
vi /etc/hosts
10.10.51.77 harbor.yourcompany.com

# Browser access over HTTPS
https://harbor.yourcompany.com

# Make docker trust the CA. This adds the CA to the host-wide trust store; to
# trust it for docker only, place it at
# /etc/docker/certs.d/harbor.yourcompany.com/ca.crt instead.
cp /root/cert/ca.crt /etc/pki/ca-trust/source/anchors
update-ca-trust extract
systemctl restart docker

Registry

# Online host: pull the registry image and save it.
# NOTE(review): the tag is unpinned (latest); pin a version (e.g. registry:2)
# so the offline copy is reproducible.
docker pull docker.io/registry
docker save -o registry.tar registry

# Offline host: load it
docker load -i registry.tar

# Run the registry with on-disk storage under /var/lib/registry.
# NOTE(review): as configured there is no TLS and no authentication — any host
# that can reach port 5000 can pull, push or overwrite images. Keep it on an
# isolated network or front it with TLS and htpasswd auth.
docker run \
-d \
-p 5000:5000 \
-v /var/lib/registry:/var/lib/registry \
--restart=always \
--name docker-registry \
registry

# Allow plain-HTTP access to the registry from docker clients
vi /etc/docker/daemon.json
{ "insecure-registries":["10.10.51.77:5000","registry.yourcompany.com:5000"] }

# NOTE(review): a single `&` backgrounds daemon-reload and starts the restart
# at the same time; use `&&` so the restart runs after (and only if) the
# reload succeeds.
systemctl daemon-reload & systemctl restart docker

# Push a test image
docker pull nginx
docker tag nginx 10.10.51.77:5000/nginx
docker push 10.10.51.77:5000/nginx

UI

# Online host: pull the registry web UI and save it
docker pull konradkleine/docker-registry-frontend:v2
docker save -o docker-registry-frontend.tar konradkleine/docker-registry-frontend:v2

# Offline host: load it
docker load -i docker-registry-frontend.tar

# Run the UI, pointing it at the registry started above.
# NOTE(review): nothing here configures authentication for the UI and port
# 8080 is published on all interfaces — restrict access at the network level.
docker run \
-d \
-e ENV_DOCKER_REGISTRY_HOST=10.10.51.77 \
-e ENV_DOCKER_REGISTRY_PORT=5000 \
-p 8080:80 \
--restart=always \
--name docker-registry-frontend \
konradkleine/docker-registry-frontend:v2

# Browser access
http://10.10.51.77:8080

迁移

# Migrate the registry by archiving its whole storage directory
# (/var/lib/registry/docker). Stop the registry container first so the
# archive is a consistent snapshot.
cd /var/lib/registry
tar -zcvf docker.tar.gz docker

Docker

# Online host: add Docker's yum repo and download the docker-ce RPMs (with
# dependencies, --resolve) and docker-compose RPMs for offline use.
# NOTE(review): docker-compose most likely resolves from another repo (EPEL)
# rather than docker-ce.repo — check where it came from; the next section
# installs the static binary instead.
yum install -y yum-utils
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yumdownloader --assumeyes --destdir=/root/pkg/docker-ce --resolve docker-ce
yumdownloader --assumeyes --destdir=/root/pkg/docker-compose --resolve docker-compose

# Offline host: install the RPMs, then enable and start docker
yum install -y --cacheonly --disablerepo=* /root/pkg/docker-ce/*.rpm
systemctl enable docker
systemctl start docker

DockerCompose(可选)

# Download the static binary from the GitHub releases page.
# NOTE(review): verify the download against the checksum published with the
# release before installing it as an executable in /usr/local/bin.
https://github.com/docker/compose/releases

# Copy into PATH
cp docker-compose-Linux-x86_64 /usr/local/bin/docker-compose

# Make it executable
chmod +x /usr/local/bin/docker-compose

服务端配置

# Online host: download the httpd RPMs (with dependencies) for offline use
yum install -y yum-utils
yumdownloader --assumeyes --destdir=/root/pkg/httpd --resolve httpd

# Offline host: install httpd, start it and enable it at boot
yum install -y --cacheonly --disablerepo=* /root/pkg/httpd/*.rpm
systemctl start httpd
systemctl enable httpd

# Change the listen port to 8001.
# NOTE(review): `stop & start` backgrounds the stop and launches start at the
# same time, so start can race the still-running stop; use
# `systemctl restart httpd`.
vi /etc/httpd/conf/httpd.conf
Listen 8001
systemctl stop httpd & systemctl start httpd

# Expose the CentOS ISO contents under the web root (loop mount; it is not
# persistent across reboots unless added to /etc/fstab)
mkdir -p /var/www/html/centos77
mount -o loop /root/iso/CentOS-7-x86_64-DVD-1908.iso /var/www/html/centos77/

# Test in a browser
http://10.10.51.77:8001/centos77

客户端配置

cd /etc/yum.repos.d/

# Move the stock CentOS repo files aside so only the local mirror is used
mkdir bak
mv CentOS* bak

# Local repo served by the httpd host.
# NOTE(review): the option is `enabled=1` (as in the kubernetes repo earlier);
# `enable=1` is not a recognised key — repos are enabled by default, so it
# still works, but it is misleading. gpgcheck=0 turns off signature checks;
# the CentOS ISO ships RPM-GPG-KEY-CentOS-7 at its root, so gpgcheck=1 with a
# gpgkey= URL under the same baseurl is possible.
cat <<EOF > rhel77.repo
[rhel77]
name=rhel77 repo
baseurl=http://10.10.51.77:8001/centos77
enable=1
gpgcheck=0
priority=1
EOF

# Rebuild the metadata cache
yum clean all
yum makecache

通用配置

# Network setup (interactive)
nmtui

# Hostname (the author's example name)
hostnamectl set-hostname uat-native.yourcompany.com

# Disable firewalld.
# NOTE(review): this is the usual kubeadm shortcut, but it removes the host
# firewall entirely; the alternative is to keep firewalld and open only the
# ports kubeadm, flannel and the registries need.
systemctl stop firewalld.service
systemctl disable firewalld.service

# SELinux: setenforce 0 takes effect immediately but is lost at reboot; the
# sed makes permissive persistent. It only matches an exact
# `SELINUX=enforcing` line, so a file already set to disabled/permissive is
# left as is. Permissive still logs AVC denials, which helps when tightening
# later.
getenforce
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# Disable swap (kubelet refuses to start with swap enabled by default). The
# next line is the author's instruction: comment out the swap entry in
# /etc/fstab so it stays off after reboot.
swapoff -a
vi /etc/fstab
注释掉swap行

K8S特殊配置

# Make bridged traffic visible to iptables (needed for kube-proxy/CNI rules).
# NOTE(review): these sysctl keys only exist once the br_netfilter module is
# loaded — run `modprobe br_netfilter` first (and persist it under
# /etc/modules-load.d) or `sysctl --system` reports them as unknown.
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

# kubectl bash completion. The echo appends a line on every run, so check
# ~/.bashrc before re-running this step.
echo "source <(kubectl completion bash)" >> ~/.bashrc
yum -y install bash-completion