Environment information
Architecture diagram
IP and hostname plan
Component installation
- Kernel upgrade
Upgrade the CentOS 7.6 kernel on all hosts to 4.x so that Docker containers can make better use of overlay and related features; see "CentOS 7.6 kernel upgrade".
- Install common packages
yum -y install bridge-utils chrony ipvsadm ipset sysstat conntrack libseccomp wget tcpdump screen vim nfs-utils bind-utils socat telnet sshpass net-tools lrzsz yum-utils device-mapper-persistent-data lvm2 tree nc lsof strace nmon iptraf iftop rpcbind mlocate
- Establish SSH trust (optional; makes it easier to scp packages later)
Use the two commands ssh-keygen and ssh-copy-id; the steps are omitted here, look them up on Baidu or Google.
Host configuration changes
- Set the hostname
# Log in to each remote host and run the following command; example:
hostnamectl set-hostname node01.k8s.com
- Edit hosts
# Append the following to /etc/hosts
192.168.16.101 etcd01 etcd01.k8s.vip
192.168.16.102 etcd02 etcd02.k8s.vip
192.168.16.103 etcd03 etcd03.k8s.vip
192.168.16.104 master01 master01.k8s.vip
192.168.16.105 master02 master02.k8s.vip
192.168.16.106 master03 master03.k8s.vip
192.168.16.107 node01 node01.k8s.vip
192.168.16.108 nginx01 nginx01.k8s.vip
192.168.16.108 nginx02 nginx02.k8s.vip
192.168.16.253 api.k8s.vip
- Set the time zone
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
- Time synchronization (install chrony first if it is not installed)
[root@master01 ~]# grep -viP "^$|^#" /etc/chrony.conf
server time4.aliyun.com iburst
server 1.centos.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
[root@master01 ~]#
# Enable the service at boot
[root@master01 ~]# systemctl enable chronyd
[root@master01 ~]# systemctl restart chronyd
[root@master01 ~]#
# Check the synchronization status; an asterisk (*) in front of the IP address means synchronization succeeded, as below
[root@master01 ~]# chronyc sources
210 Number of sources = 2
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88 2 6 17 41 +18us[ +176us] +/- 14ms
^- electrode.felixc.at 3 6 7 32 -8468us[-8468us] +/- 188ms
[root@master01 ~]#
- Disable the firewall, SELinux, swap and NetworkManager
[root@master01 ~]# systemctl stop firewalld
[root@master01 ~]# systemctl disable firewalld
[root@master01 ~]# iptables -F && iptables -X
[root@master01 ~]# iptables -F -t nat && iptables -X -t nat
[root@master01 ~]# iptables -P FORWARD ACCEPT
[root@master01 ~]# swapoff -a
[root@master01 ~]# sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
[root@master01 ~]# setenforce 0
[root@master01 ~]# sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# Stop the built-in network manager
[root@master01 ~]# systemctl stop NetworkManager
[root@master01 ~]# systemctl disable NetworkManager
- Raise resource limits
echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
echo "* soft nproc 65536" >> /etc/security/limits.conf
echo "* hard nproc 65536" >> /etc/security/limits.conf
echo "* soft memlock unlimited" >> /etc/security/limits.conf
echo "* hard memlock unlimited" >> /etc/security/limits.conf
- Load the ipvs kernel modules
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules
bash /etc/sysconfig/modules/ipvs.modules
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
- Kernel tuning
cat > /etc/sysctl.conf <<EOF
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
sysctl -p /etc/sysctl.conf
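Before moving on, it is worth confirming that the changes above are actually in effect: a sed that did not match or a module that failed to load is easy to miss. The preflight script below is an added example and not part of the original post; its file paths and function names are its own, and it additionally checks br_netfilter, which the net.bridge.* sysctl keys depend on.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a preflight check that the host
# preparation above took effect. Each check takes a file path so it can also run
# against files copied from another host; paths and names are this example's own.
# Keys the /etc/sysctl.conf written above must carry with these exact values.
REQUIRED_SYSCTL="net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
vm.swappiness=0"

# check_sysctl <sysctl.conf>: report required keys that are missing or differ.
check_sysctl() {
  local conf="$1" rc=0 kv key val
  while IFS= read -r kv; do
    key=${kv%%=*}; val=${kv#*=}
    grep -Eq "^[[:space:]]*${key//./\\.}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$conf" \
      || { echo "sysctl: expected $kv"; rc=1; }
  done <<< "$REQUIRED_SYSCTL"
  return $rc
}

# check_swap_disabled <fstab>: no uncommented swap entry may remain.
check_swap_disabled() {
  ! grep -Eq '^[^#].*[[:space:]]swap[[:space:]]' "$1"
}

# check_selinux_disabled <config>: setenforce 0 lasts only until reboot.
check_selinux_disabled() {
  grep -Eq '^SELINUX=disabled[[:space:]]*$' "$1"
}

# check_modules <lsmod output>: the ipvs modules loaded above, plus
# br_netfilter, without which the net.bridge.* sysctl keys do not exist.
check_modules() {
  local m rc=0 out; out=$(cat "$1")
  for m in ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4 br_netfilter; do
    grep -Eq "^${m}[[:space:]]" <<< "$out" || { echo "module not loaded: $m"; rc=1; }
  done
  return $rc
}

# preflight: run every check against the live host; exit status 0 means ready.
preflight() {
  local rc=0
  check_sysctl /etc/sysctl.conf || rc=1
  check_swap_disabled /etc/fstab || rc=1
  check_selinux_disabled /etc/selinux/config || rc=1
  check_modules <(lsmod) || rc=1
  return $rc
}
```

Source the file and run `preflight` on each host after the steps above; any line it prints names the setting that still needs attention.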
- Create directories and add them to PATH
The script is named env.sh; distribute it to /data/k8s/bin/ on every host so it can be sourced in the later steps.
mkdir -p /data/k8s/{bin,work,k8s} /etc/{kubernetes,etcd}/cert
echo 'PATH=/data/k8s/bin:$PATH' >>/etc/profile
source /etc/profile
- Script definition (adjust to your environment)
#!/bin/bash
# Key placed in the EncryptionConfig. It must be identical on every master, so
# generate it once and paste the literal value here before distributing the
# script: as written, each time the script is sourced a new key is generated.
export ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
# IP addresses of all cluster machines
export NODE_IPS=( 192.168.16.104 192.168.16.105 192.168.16.106 192.168.16.107 )
# Hostnames matching each cluster IP
export NODE_NAMES=( master01 master02 master03 node01 )
# IP addresses of the master machines
export MASTER_IPS=( 192.168.16.104 192.168.16.105 192.168.16.106 )
# Hostnames of all masters
export MASTER_NAMES=( master01 master02 master03 )
# etcd cluster client endpoints
export ETCD_ENDPOINTS="https://etcd01.k8s.vip:2379,https://etcd02.k8s.vip:2379,https://etcd03.k8s.vip:2379"
# etcd peer addresses and ports for inter-member communication
export ETCD_NODES="etcd01=https://etcd01.k8s.vip:2380,etcd02=https://etcd02.k8s.vip:2380,etcd03=https://etcd03.k8s.vip:2380"
# etcd member hostnames
export ETCD_NAMES=( etcd01 etcd02 etcd03 )
# etcd member IPs
export ETCD_IPS=( 192.168.16.101 192.168.16.102 192.168.16.103 )
# Address and port of the kube-apiserver reverse proxy (kube-nginx)
export KUBE_APISERVER="https://api.k8s.vip:8443"
# Network interface used for inter-node traffic
export IFACE="eth0"
# etcd data directory
export ETCD_DATA_DIR="/data/etcd/data"
# etcd WAL directory
export ETCD_WAL_DIR="/data/etcd/wal"
# Data directory for the k8s components
export K8S_DIR="/data/k8s/k8s"
# Service CIDR: unreachable before deployment, reachable inside the cluster afterwards (ensured by kube-proxy)
export SERVICE_CIDR="10.254.0.0/16"
# Pod CIDR (a /16 is recommended): unreachable before deployment, reachable inside the cluster afterwards (ensured by flanneld)
export CLUSTER_CIDR="172.19.0.0/16"
# Service port range (NodePort range)
export NODE_PORT_RANGE="1024-32767"
# flanneld network configuration prefix in etcd
export FLANNEL_ETCD_PREFIX="/kubernetes/network"
# kubernetes service IP (normally the first IP in SERVICE_CIDR)
export CLUSTER_KUBERNETES_SVC_IP="10.254.0.1"
# Cluster DNS service IP (pre-allocated from SERVICE_CIDR)
export CLUSTER_DNS_SVC_IP="10.254.0.2"
# Cluster DNS domain (no trailing dot)
export CLUSTER_DNS_DOMAIN="cluster.local"
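Because every later step sources env.sh, a mistake in these values propagates to the whole cluster. The check below is an added example, not part of the original post: it verifies that the two well-known service IPs fall inside SERVICE_CIDR, that the service and Pod ranges do not overlap, that the IP and hostname arrays line up, and that ENCRYPTION_KEY decodes to 32 bytes; the function names are its own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: sanity checks on the values in
# env.sh before anything is installed. Usage on a host that has the script:
#   source /data/k8s/bin/env.sh && check_env
# The function names here are this example's own.

# ip2int <dotted quad>: convert to a 32-bit integer for mask arithmetic.
ip2int() {
  local IFS=. a b c d
  read -r a b c d <<< "$1"
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr <ip> <cidr>: succeed if <ip> lies inside <cidr>.
in_cidr() {
  local ip net bits mask
  ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# cidrs_overlap <cidr1> <cidr2>: two prefixes are either disjoint or nested,
# so they overlap exactly when one network address lies inside the other.
cidrs_overlap() {
  in_cidr "${1%/*}" "$2" || in_cidr "${2%/*}" "$1"
}

# check_env: validate the variables exported by env.sh; print each problem and
# return 1 if any check fails.
check_env() {
  local rc=0
  # Both well-known service IPs must fall inside SERVICE_CIDR.
  in_cidr "$CLUSTER_KUBERNETES_SVC_IP" "$SERVICE_CIDR" \
    || { echo "CLUSTER_KUBERNETES_SVC_IP is outside SERVICE_CIDR"; rc=1; }
  in_cidr "$CLUSTER_DNS_SVC_IP" "$SERVICE_CIDR" \
    || { echo "CLUSTER_DNS_SVC_IP is outside SERVICE_CIDR"; rc=1; }
  # Service and Pod ranges must not overlap, or routing inside the cluster is ambiguous.
  if cidrs_overlap "$SERVICE_CIDR" "$CLUSTER_CIDR"; then
    echo "SERVICE_CIDR overlaps CLUSTER_CIDR"; rc=1
  fi
  [ "${#NODE_IPS[@]}" -eq "${#NODE_NAMES[@]}" ] \
    || { echo "NODE_IPS and NODE_NAMES differ in length"; rc=1; }
  [ "${#ETCD_IPS[@]}" -eq "${#ETCD_NAMES[@]}" ] \
    || { echo "ETCD_IPS and ETCD_NAMES differ in length"; rc=1; }
  # The EncryptionConfig key must decode to exactly 32 bytes (a 256-bit key).
  [ "$(printf '%s' "$ENCRYPTION_KEY" | base64 -d 2>/dev/null | wc -c)" -eq 32 ] \
    || { echo "ENCRYPTION_KEY does not decode to 32 bytes"; rc=1; }
  return $rc
}
```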
Summary
This post covers the environment preparation that precedes a binary Kubernetes installation: IP address planning, the architecture diagram, time zone, hosts, dependency packages, firewall, kernel parameters, and collecting the variables used during the later installation steps into a script so they can be sourced when needed.