實驗環境:
架構圖:
主機環境:
操作系統:因docker對內核需要,本次部署操作系統全部采用centos7.6(需要內核3.8以上)
VM :2C 2G 50G * 5 PS:因后面實驗需要向k8s交付java服務,所以運算節點直接4c8g,如果不交付服務,全部2c2g即可。
IP及服務規划:
安裝步驟:
所有機器上安裝epel源:
#yum -y install epel-release
關閉防火牆以及selinux:
# systemctl stop firewalld
# systemctl disable firewalld
#setenforce 1
vi /etc/selinux/config
SELINUX=disabled
hdss7-11上安裝bind9:
#yum -y install wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils -y
#yum install bind -y
配置bind:
#vi /etc/named.conf
修改以下配置項:
注意此服務對配置文件格式要求比較嚴格
listen-on port 53 { 127.0.0.1; }; ----> listen-on port 53 { 10.4.7.11; }; #將127.0.0.1修改為當前主機IP
allow-query { localhost; }; ----> allow-query { any; }; #為哪些服務器提供解析服務
dnssec-enable yes; ----> dnssec-enable no; # 是否支持DNSSEC開關 PS:dnssec作用:1.為DNS數據提供來源驗證 2.為數據提供完整性性驗證 3.為查詢提供否定存在驗證
dnssec-validation yes; ----> dnssec-validation no; #是否進行DNSSEC確認開關
添加以下配置項:
forwarders { 10.4.7.1; }; #用來指定上一層DNS地址,一般指定網關,確保服務能夠訪問公網
如果不適用IPV6,可以將以下配置刪除:
listen-on-v6 port 53 { ::1; };
配置文件截圖:(僅粘貼修改部分)
檢查配置文件:
#named-checkconf
修改zons文件:
#vi /etc/named.rfc1912.zones
在文件最后,添加本次需要用到的兩個dns域:
zone "host.com" IN { type master; file "host.com.zone"; allow-update { 10.4.7.11; }; }; zone "od.com" IN { type master; file "od.com.zone"; allow-update { 10.4.7.11; }; };
編輯剛剛添加的兩個域的配置文件:將用到的DNS域解析A記錄添加到配置文件
# vi /var/named/host.com.zone
$ORIGIN host.com. $TTL 600 ; 10 minutes @ IN SOA dns.host.com. dnsadmin.host.com. ( 2019111001 ; serial 10800 ; refresh (3 hours) 900 ; retry (15 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS dns.host.com. $TTL 60 ; 1 minute dns A 10.4.7.11 HDSS7-11 A 10.4.7.11 HDSS7-12 A 10.4.7.12 HDSS7-21 A 10.4.7.21 HDSS7-22 A 10.4.7.22 HDSS7-200 A 10.4.7.200
#vi /var/named/od.com.zone
$ORIGIN od.com. $TTL 600 ; 10 minutes @ IN SOA dns.od.com. dnsadmin.od.com. ( 2019111001 ; serial 10800 ; refresh (3 hours) 900 ; retry (15 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS dns.od.com. $TTL 60 ; 1 minute dns A 10.4.7.11
harbor A 10.4.7.200
修改主機dns:將nameserver 修改為bind9搭建的服務器地址(所有主機都要修改)
vim /etc/resolv.conf
search host.com nameserver 10.4.7.11
修改網卡配置:PS:如果網卡指定了DNS1配置
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=10.4.7.11
重啟網卡(所有主機),重啟named服務(bind主機)
#systemctl restart network
# systemctl enable named #10.4.7.11上執行
# systemctl restart named #10.4.7.11上執行
驗證是否可以訪問公網,以及是否是走的我們自己搭建的dns服務:
#nslookup www.baidu.com
PS:如果虛擬機vm的宿主機在自己的windows或者mac上,將宿主機的dns指向10.4.7.11,方便一會使用瀏覽器驗證內容
配置CA證書服務:
使用cfssl
在主機hdss7-200上操作:
# cd /usr/bin
# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl # wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json # wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
給執行權限:
# chmod +x /usr/bin/cfssl*
創建證書存放位置(可自己設置):
# mkdir /opt/certs
# cd /opt/certs
創建證書申請文件:
# vi /opt/certs/ca-csr.json
文件內容:#這里注意"expiry": "175200h",key,如果使用kubeadmin安裝,默認證書有效期是1年,我們這里手動部署為20年,這里如果證書失效,會導致整個k8s集群癱瘓。
{ "CN": "OldboyEdu", "hosts": [ ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "beijing", "L": "beijing", "O": "od", "OU": "ops" } ], "ca": { "expiry": "175200h" } }
申請證書:
# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
申請成功:
PS:我們后面的所有證書,都是基於這套ca證書簽發的。
接下來繼續在hdss7-21,hdss7-22,hdss-7-200服務器上安裝docker,配置私有倉庫harbor(hdss7-200):
# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
編輯docker配置文件:
# mkdir /etc/docker
# mkdir /data/docker
# vi /etc/docker/daemon.json
{ "graph": "/data/docker", "storage-driver": "overlay2", "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"], "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"], "bip": "172.7.21.1/24", "exec-opts": ["native.cgroupdriver=systemd"], "live-restore": true }
啟動docker並添加開機啟動:
# systemctl start docker
# systemctl enable docker
在opt下創建安裝包存放目錄:hdss7-200上
# mkdir /opt/src
# cd /opt/src
下面開始安裝harbor私有倉庫:
下載地址:
我這里使用的是最新版本:1.9.2
# wget https://github.com/goharbor/harbor/releases/download/v1.9.2/harbor-offline-installer-v1.9.2.tgz
# tar -zxf harbor-offline-installer-v1.9.2.tgz -C /opt/
# cd /opt/
# mv harbor harbor-1.9.2
# ln -s /opt/harbor-1.9.2 /opt/harbor #方便版本管理
編輯harbor配置文件:
# vim /opt/harbor/harbor.yml
修改成如下:
hostname: harbor.od.com #這里添加的是我們開始在hdss7-11的自建dns上添加的域名解析
port: 180 #避免和nginx端口沖突
data_volume: /data/harbor
location: /data/harbor/logs
創建數據目錄和日志目錄:
# mkdir -p /data/harbor/logs
接下來安裝docker-compose:
docker-compose介紹:
Docker Compose是 docker 提供的一個命令行工具,用來定義和運行由多個容器組成的應用。使用 compose,我們可以通過 YAML 文件聲明式的定義應用程序的各個服務,並由單個命令完成應用的創建和啟動。
簡書鏈接:
https://www.jianshu.com/p/ca1623ac7723
#yum install docker-compose -y #根據網絡情況不同,可能需要一些時間
執行harbor腳本:
# sh /opt/harbor/install.sh #根據網絡情況不同,可能需要一些時間
進入到harbor目錄執行以下命令:如果報以下錯誤,請檢查目錄
# cd /opt/harbor
# docker-compose ps
全是up表示正常:
安裝nginx:
# yum install nginx -y #可是直接yum,也可以安裝源碼安裝
編輯nginx配置文件:
# vi /etc/nginx/conf.d/harbor.od.com.conf
反代harbor:
server { listen 80; server_name harbor.od.com; client_max_body_size 1000m; location / { proxy_pass http://127.0.0.1:180; } }
啟動nginx並設置開機啟動:
# systemctl start nginx
# systemctl enable nginx
檢查harbor端口及nginx端口:
試着訪問harbor,使用宿主機瀏覽器打開harbor.od.com,如果訪問不了,檢查dns是否是10.4.7.11,也就是部署bind服務的服務器IP,也可以做host解析:
harbor.od.com
默認賬號:admin
默認密碼:Harbor12345
登錄后創建一個新的倉庫,一會測試用:
使用docker下載一個nginx,測試私有倉庫:
# docker pull nginx:1.7.9
# docker login harbor.od.com
# docker tag 84581e99d807 harbor.od.com/public/nginx:v1.7.9
# docker push harbor.od.com/public/nginx:v1.7.9
然后去私有倉庫上看下:
看到我們的鏡像已經上傳到私有倉庫了
現在正式開始部署etcd組件:
首先申請證書,我們所有申請證書的操作,都在hdss7-200上操作
# cd /opt/certs
# vi /opt/certs/ca-config.json
{ "signing": { "default": { "expiry": "175200h" }, "profiles": { "server": { "expiry": "175200h", "usages": [ "signing", "key encipherment", "server auth" ] }, "client": { "expiry": "175200h", "usages": [ "signing", "key encipherment", "client auth" ] }, "peer": { "expiry": "175200h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } }
# vi etcd-peer-csr.json
{ "CN": "k8s-etcd", "hosts": [ "10.4.7.11", "10.4.7.12", "10.4.7.21", "10.4.7.22" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "beijing", "L": "beijing", "O": "od", "OU": "ops" } ] }
執行簽發證書命令:
# cd /opt/certs
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer
按照架構設計,在hdss7-12,hdss7-21, hdss7-22三台上部署etcd服務:
首先創建etcd用戶:
# useradd -s /sbin/nologin -M etcd
創建應用包存放目錄
# mkdir -p /opt/src
# cd /opt/src
下載etcd組件:
地址:https://github.com/etcd-io/etcd/tags
# wget https://github.com/etcd-io/etcd/releases/download/v3.2.28/etcd-v3.2.28-linux-amd64.tar.gz
# tar -zxf etcd-v3.2.28-linux-amd64.tar.gz -C ../
# ln -s /opt/etcd-v3.2.28-linux-amd64/ /opt/etcd
# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
編輯etcd啟動腳本:
# vim /opt/etcd/etcd-server-startup.sh
標紅處在另外兩台服務器上需要修改成對應自己的ip地址:
#!/bin/sh ./etcd --name etcd-server-7-12 \ --data-dir /data/etcd/etcd-server \ --listen-peer-urls https://10.4.7.12:2380 \ --listen-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \ --quota-backend-bytes 8000000000 \ --initial-advertise-peer-urls https://10.4.7.12:2380 \ --advertise-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \ --initial-cluster etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \ --ca-file ./certs/ca.pem \ --cert-file ./certs/etcd-peer.pem \ --key-file ./certs/etcd-peer-key.pem \ --client-cert-auth \ --trusted-ca-file ./certs/ca.pem \ --peer-ca-file ./certs/ca.pem \ --peer-cert-file ./certs/etcd-peer.pem \ --peer-key-file ./certs/etcd-peer-key.pem \ --peer-client-cert-auth \ --peer-trusted-ca-file ./certs/ca.pem \ --log-output stdout
添加執行權限:
# chmod +x /opt/etcd/etcd-server-startup.sh
創建證書存放目錄:
# mkdir /opt/etcd/certs
# cd /opt/etcd/certs
拷貝證書:
# scp hdss7-200:/opt/certs/ca.pem ./ # scp hdss7-200:/opt/certs/etcd-peer.pem ./ # scp hdss7-200:/opt/certs/etcd-peer-key.pem ./
給目錄授權:
# chown -R etcd.etcd /opt/etcd/certs /data/etcd /data/logs/etcd-server
安裝supervisor管理服務:
# yum install supervisor -y
啟動服務:
# systemctl start supervisord
# systemctl enable supervisord
編輯etcd啟動腳本:紅色部分根據主機修改
# vi /etc/supervisord.d/etcd-server.ini
[program:etcd-server-7-12] command=/opt/etcd/etcd-server-startup.sh ; the program (relative uses PATH, can take args) numprocs=1 ; number of processes copies to start (def 1) directory=/opt/etcd ; directory to cwd to before exec (def no cwd) autostart=true ; start at supervisord start (default: true) autorestart=true ; retstart at unexpected quit (default: true) startsecs=30 ; number of secs prog must stay running (def. 1) startretries=3 ; max # of serial start failures (default 3) exitcodes=0,2 ; 'expected' exit codes for process (default 0,2) stopsignal=QUIT ; signal used to kill process (default TERM) stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10) user=etcd ; setuid to this UNIX account to run the program redirect_stderr=true ; redirect proc stderr to stdout (default false) stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB) stdout_logfile_backups=4 ; # of stdout logfile backups (default 10) stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) stdout_events_enabled=false ; emit events on stdout writes (default false)
killasgroup=true
stopasgroup=true
更新supervisord
# supervisorctl update
檢查狀態:
# supervisorctl status
檢查etcd集群狀態:
# cd /opt/etcd/
# ./etcdctl member list
etcd服務搭建完成后,里面其實存儲了很多的key,如何查看和管理這些key,需要使用一個小工具,叫做etcdkeeper:
原文鏈接:https://www.cnblogs.com/gytangyao/p/11407205.html
下載etcd,在etcd節點選一台
# cd /opt/src # wget https://github.com/evildecay/etcdkeeper/releases/download/v0.7.5/etcdkeeper-v0.7.5-linux_x86_64.zip ##解開壓縮包,需安裝unzip: yum install unzip -y # unzip etcdkeeper-*-linux_x86_64.zip # rm etcdkeeper-*-linux_x86_64.zip # mv etcdkeeper ../etcdkeeper-0.7.5
# ln -s /opt/etcdkeeper-0.7.5/ /opt/etcdkeeper
# cd /opt/etcdkeeper # chmod +x etcdkeeper
編寫一個服務文件
該服務文件主要用於在后台運行etcd程序,用以提供http服務
# cd /lib/systemd/system
# vim etcdkeeper.service
[Unit] Description=etcdkeeper service After=network.target [Service] Type=simple ExecStart=/opt/etcdkeeper/etcdkeeper -h 10.4.7.12 -p 8800 ExecReload=/bin/kill -HUP $MAINPID KillMode=process Restart=on-failure PrivateTmp=true [Install] WantedBy=multi-user.target
-h 指定etcdkeeper http監聽的地址,這里監聽的是IPV4地址10.4.7.12
-p 指定etcdkeeper http監聽的端口
服務的控制
# systemctl start etcdkeeper 啟動etcdkeeper服務
# systemctl stop etcdkeeper 停止etcdkeeper服務
# systemctl enable etcdkeeper.service 設置開機自啟動
# systemctl disable etcdkeeper.service 停止開機自啟動
訪問安全
如果啟用了etcd自身的授權,無需特別關心
如果沒有自動,可以考慮使用Nginx反代,使用base auth授權.
遺留的問題
當發布到公網環境時,v2可以查看到數據,v3查看不到數據。 目前沒查到原因.
測試訪問
http://10.4.7.12:8800
至此,etcd服務集群已經搭建完成了,接下來部署kube-apiserver服務,etcd屬於服務端,kube-apiserver屬於客戶端,搭建kube-apiserver的過程將在下個章節。