Appearance
Rancher 安装和配置
公共配置
磁盘分区
fdisk /dev/sda
n--新建
t--8e
w--保存退出
#更新分区表,能够看到sda3
partprobe
pvcreate /dev/sda3
vgextend centos /dev/sda3
lvextend -L +459G /dev/centos/root
xfs_growfs /dev/mapper/centos-root关闭防火墙
安装k8s需要关闭防火墙
systemctl stop firewalld
systemctl disable firewalldNTP同步
yum install -y ntp ntpdate
vi /etc/ntp.conf修改原有的server为
server ntp.aliyun.com iburst
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst最后保存重启服务
systemctl start ntpd
systemctl enable ntpd禁用swap
第一步 关闭swap分区:
swapoff -a第二步修改配置文件
vi /etc/fstab删除swap相关行 /mnt/swap swap swap defaults 0 0 这一行或者注释掉这一行
第三步确认swap已经关闭
free -m若swap行都显示 0 则表示关闭成功
第四步调整 swappiness 参数
# 临时生效
echo 0 > /proc/sys/vm/swappiness
# 永久生效
vi /etc/sysctl.conf
#修改 vm.swappiness 的修改为 0
vm.swappiness=0
# 使配置生效
sysctl -p修改主机名称
相同集群里面必须保证主机名称是唯一的,以下命令可以设置主机名称
hostnamectl set-hostname name-01禁用ipv6
vi /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 =1
net.ipv6.conf.default.disable_ipv6 =1sysctl -p
K3S 安装
安装k3s需要有互联网环境
安装master节点
bash
curl -sfL https://rancher-mirror.oss-cn-beijing.aliyuncs.com/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn INSTALL_K3S_VERSION=v1.21.8+k3s1 sh -
curl https://mirrors.aliyun.com/repo/epel-7.repo -o /etc/yum.repos.d/epel.repo
echo "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >> ~/.bash_profile注意, 如果需要使用docker作为后端引擎,需要修改参数为sh -s - --docker
高可用集群安装
高可用集群可以使用mysql做的集群存储
bash
curl -sfL https://rancher-mirror.oss-cn-beijing.aliyuncs.com/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn INSTALL_K3S_VERSION=v1.21.8+k3s1 sh -s - server --datastore-endpoint="mysql://rancher:password@tcp(localhost:3306)/rancher"安装agent节点
首先获取master节点的配置信息, K3S_TOKEN在/var/lib/rancher/k3s/server/node-token下 通过以下命令安装节点,需求修改K3S_URL和K3S_TOKEN
curl -sfL https://rancher-mirror.oss-cn-beijing.aliyuncs.com/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn INSTALL_K3S_VERSION=v1.21.8+k3s1 K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -
kubectl label node bigdata-02 node-role.kubernetes.io/worker=worker如果中文镜像地址不行,可以尝试用内网的安装脚本
curl -sfL https://gitlab.tineco.com/rancher/server-config/k3s/-/raw/main/k3s-install.sh | INSTALL_K3S_VERSION=v1.21.8+k3s1 K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -
对master启用NoSchedule
为了防止master负载工作任务,需要执行以下命令
kubectl taint nodes master-node-01 node-role.kubernetes.io/master=:NoSchedulek3s卸载
bash
cd /usr/local/bin/
./k3s-uninstall.sh
./k3s-agent-uninstall.sh安装Rancher
安装Helm
source ~/.bash_profile
#
yum install -y wget
#yum update -y
#yum install -y snapd
#systemctl start snapd
#ln -s /var/lib/snapd/snap /snap
#snap install helm --classic
#export PATH=$PATH:/var/lib/snapd/snap/bin/
wget https://mirrors.huaweicloud.com/helm/v3.7.2/helm-v3.7.2-linux-amd64.tar.gz
tar -zxvf helm-v3.7.2-linux-amd64.tar.gz
cp linux-amd64/helm /usr/bin安装Cert Manager
安装以下命令安装cert manager
bash
helm repo add rancher-stable http://rancher-mirror.oss-cn-beijing.aliyuncs.com/server-charts/stable
wget https://github.com/jetstack/cert-manager/releases/download/v1.5.5/cert-manager.crds.yaml
kubectl apply -f cert-manager.crds.yaml
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.5.5安装Rancher
运行以下命令安装rancher,注意需要修改hostname参数,该参数是一个可以指向rancher的域名
kubectl create namespace cattle-system
helm install rancher rancher-stable/rancher --namespace cattle-system --set hostname=rancher.10.108.6.28.nip.io --set replicas=1 --version v2.5.16升级rancher
helm repo update
helm fetch rancher-stable/rancher --version=v2.5.8
helm get values rancher -n cattle-system -o yaml > values.yaml
helm upgrade rancher rancher-stable/rancher --namespace cattle-system -f values.yaml --version v2.5.15特殊配置
安装docker引擎
以下脚本由于安装docker
#curl -sSL https://get.daocloud.io/docker | sh
#systemctl enable docker
#systemctl start docker
#curl -L https://get.daocloud.io/docker/compose/releases/download/v2.2.3/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
#chmod +x /usr/local/bin/docker-compose
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sudo yum install docker-ce docker-ce-cli containerd.io
systemctl enable docker
systemctl start docker
curl -L https://get.daocloud.io/docker/compose/releases/download/v2.2.3/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose获取外部Ip
如果程序需要获取客户端Ip,需要参考获取真实Ip文档 如果是多节点的,需要克隆一个traefik的deployment为daemon-set,从而保证每个节点有一个traefik服务
如果修改externalTrafficPolicy: Local值,推荐执行以下命令,复制一份配置,并且修改复制后的配置文件,再修改k3s的启动命令。
cp /var/lib/rancher/k3s/server/manifests/traefik.yaml /var/lib/rancher/k3s/server/manifests/traefik-local.yaml修改配置
vi /var/lib/rancher/k3s/server/manifests/traefik-local.yaml
修改启动命令
vi /etc/systemd/system/k3s.service
修改启动命令
如果集群有前置nginx,需要把前置的nginx的ip设置到信任列表里面。
# https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers
# 修改traefik pod的启动参数,添加
--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.108.0.1/16
--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.108.0.1/16修改保留端口
k3s默认node port端口范围是30000-32767,如果需要修改范围,需要修改service配置,位置在/etc/systemd/system/k3s.service
ExecStart=/usr/local/bin/k3s \
server \
--kube-apiserver-arg service-node-port-range=10000-32767修改后需要重启k3s服务
systemctl daemon-reload
systemctl restart k3s外置存储
默认rancher的本地存储会在/var/lib/rancher/k3s/storage, 我们可以通过建立快捷方式将存储外置到其他存储位置。
mkdir -p /home/tineco/storage
ln -s /home/tineco/storage /var/lib/rancher/k3s/storagedocker清理
如果使用docker引擎部署,可以选择使用下面命令清理未使用的镜像和存储卷
docker system prune --volumesLonghorn驱动安装
如果启用了Longhorn, 需要安装额外驱动
yum install -y iscsi-initiator-utils nfs-utils自定义域名解析
如果集群需要添加自定义域名解析,需要修改cattle-system下的coredns配置,添加NodeHosts, 添加完重启即可。
证书轮换
默认情况下,K3s 的证书在 12 个月内过期。 如果证书已经过期或剩余的时间不足 90 天,则在 K3s 重启时轮换证书。 自动轮换需要重启k3s服务,命令如下。
bash
#关闭时间自动同步
timedatectl set-ntp no
#查看当前证书过期时间
for i in `ls /var/lib/rancher/k3s/server/tls/*.crt`; do echo $i; openssl x509 -enddate -noout -in $i; done
#删除内部通信证书
kubectl --insecure-skip-tls-verify -n kube-system delete secrets k3s-serving
# 删除证书描述文件
rm -f /var/lib/rancher/k3s/server/tls/dynamic-cert.json
# 重启k3s
systemctl restart k3s
# 重新部署rancher
kubectl scale -n cattle-system deployment rancher --replicas 0
kubectl scale -n cattle-system deployment rancher --replicas 1
#查看过期时间
for i in `ls /var/lib/rancher/k3s/server/tls/*.crt`; do echo $i; openssl x509 -enddate -noout -in $i; done
### Webhook证书过期
kubectl delete secret -n cattle-system cattle-webhook-tls
kubectl delete pod -n cattle-system -l app=rancher-webhook
# 验证工作节点证书
for i in `ls /var/lib/rancher/k3s/agent/*.crt`; do echo $i; openssl x509 -enddate -noout -in $i; done
#启用ntp
timedatectl set-ntp yes证书更新会导致节点重启,可能会重新应用,故需要在服务器维护期间执行,需要申请停机时间。
脚本
#!/bin/bash
################################
#### k3s 证书升级脚本 ####
################################
kubectl --insecure-skip-tls-verify=true delete secret k3s-serving -n kube-system
rm -rf /var/lib/rancher/k3s/server/tls/dynamic-cert.json
systemctl restart k3s
################################
#### agent 证书升级脚本 ####
################################
systemctl restart k3s-agent
################################
#### rancher 证书升级脚本 ####
################################
kubectl --insecure-skip-tls-verify delete secret serving-cert -n cattle-system
kubectl --insecure-skip-tls-verify delete secret cattle-webhook-tls -n cattle-system
kubectl rollout restart deploy rancher -n cattle-system
kubectl rollout restart deploy rancher-webhook -n cattle-system国内镜像
新建/etc/rancher/k3s/registries.yaml
内容
mirrors:
docker.io:
endpoint:
- "https://tf7xatgj.mirror.aliyuncs.com"Traefik配置
强制https
添加middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirectscheme
namespace: default
spec:
redirectScheme:
permanent: true
scheme: https修改Ingress的annotation
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirectscheme@kubernetescrdnfs安装
服务端
yum install -y nfs-utils
systemctl start rpcbind
systemctl start nfs
systemctl enable rpcbind
systemctl enable nfs配置共享
echo "/root/k3s 10.0.0.0/8(rw,sync,no_root_squash)" >> /etc/exports
exportfs -r
exportfs -v
showmount -e客户端
yum install -y nfs-utils
showmount -e 10.108.224.27客户端挂载
mount -t nfs -o nolock,rsize=8196,wsize=8196,timeo=15,intr 10.108.224.27:/root/k3s /share/k3s永久挂载
yum install -y autofs
echo "k3s -fstype=nfs,nolock,rsize=8196,wsize=8196,timeo=15,intr 10.108.224.27:/root/k3s" > /etc/nfs.misc添加
vi /etc/auto.master
/share /etc/nfs.misc生效
systemctl start autofs
systemctl enable autofsS3文件系统挂载
永久挂载
yum install -y autofs
echo "* -fstype=fuse,passwd_file=/root/.passwd-s3fs,url=https://cloud-minio-test.tineco.com,allow_other,no_check_certificate,use_path_request_style,umask=000 :s3fs\#ibu" > /etc/minio.misc修改配置
echo user:pass > /root/.passwd-s3fs
vi /etc/auto.master
/minio /etc/minio.misc生效
systemctl start autofs
systemctl enable autofs