k3s集群环境准备
#分布式外部数据库高可用集群
- 中文官网
- https://docs.k3s.io/zh
主机 | |
---|---|
192.168.6.63 | server节点 |
192.168.6.64 | server节点 |
192.168.6.65 | server节点 |
192.168.6.68 | mysql节点 |
环境准备
# Install common tools plus the k3s-selinux policy package. The policy rpm is
# pulled straight from rpm.rancher.io; yum's package signature check is what
# protects its integrity, so make sure gpgcheck is not disabled.
yum install iptables container-selinux git wget curl net-tools nfs-utils lrzsz vim container-selinux ntpdate selinux-policy-base https://rpm.rancher.io/k3s/stable/common/centos/7/noarch/k3s-selinux-0.2-1.el7_8.noarch.rpm -y
# Disable the firewall. NOTE(review): this exposes every listening port on
# the node; the alternative is to keep firewalld and allow the k3s ports
# explicitly.
systemctl stop firewalld
systemctl disable firewalld
# Disable SELinux. Only the config file is edited here; it takes effect at
# the reboot further down. NOTE(review): this makes the k3s-selinux and
# container-selinux packages installed above pointless — either keep SELinux
# enforcing with those policies, or drop the packages.
sed -i "s/SELINUX=.*/SELINUX=disabled/g" /etc/selinux/config
# Point kubectl at the k3s kubeconfig for every login shell.
# NOTE(review): appends unconditionally, so repeating this step duplicates
# the line in /etc/profile.
echo "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >> /etc/profile && source /etc/profile
# Cron job: sync the clock every 3 minutes with ntpdate. The new entry is
# emitted first, the existing crontab is appended after it, and the whole
# thing is reinstalled — so repeating this step also duplicates the entry.
(echo "*/3 * * * * /usr/sbin/ntpdate 0.cn.pool.ntp.org" ; crontab -l )| crontab
# Kernel modules built for the current kernel may be incompatible with an
# upgraded one and need rebuilding before they load again; a module that
# fails to load at boot can even leave the machine unbootable and needing
# on-site repair. So update everything EXCEPT kernel packages here; the
# kernel upgrade is done as a deliberate, separate step further down.
yum --exclude=kernel* update -y
# Raise the maximum PID value and set swappiness to 0 (swap only when the
# kernel has no other choice). Appended to sysctl.conf, so repeating this
# step duplicates the keys; sysctl -p applies the file immediately.
cat >> /etc/sysctl.conf << EOF
kernel.pid_max=4194303
vm.swappiness = 0
EOF
sysctl -p
# Disk read-ahead for sda, in KiB. NOTE(review): /sys/block values are
# runtime-only and are lost at the reboot further down, and /dev/sda is
# assumed to be the system disk — persist via udev/rc.local if this matters.
echo "8192" > /sys/block/sda/queue/read_ahead_kb
# I/O scheduler for sda. Two names are written in turn: a name the running
# kernel does not offer is rejected, and if both are valid the second write
# wins (noop). Presumably only one of the two is intended — confirm.
echo "deadline" > /sys/block/sda/queue/scheduler
echo "noop" > /sys/block/sda/queue/scheduler
# Clear yum caches and replace every repo definition with the Aliyun mirrors.
yum clean all
# Removes ALL existing repo files; anything needed later (e.g. elrepo, added
# in the kernel-upgrade step below) has to be re-added afterwards.
rm -rf /etc/yum.repos.d/*.repo
# NOTE(review): the repo files are fetched over plain HTTP, so package
# integrity rests entirely on the gpgcheck settings inside them — confirm
# gpgcheck=1 is present before installing from these mirrors.
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# Drop the aliyuncs mirror lines (presumably the Aliyun-internal endpoints,
# not reachable from this network).
sed -i '/aliyuncs/d' /etc/yum.repos.d/CentOS-Base.repo
sed -i '/aliyuncs/d' /etc/yum.repos.d/epel.repo
# Static name resolution for the cluster nodes. Lines are appended verbatim
# (no variable expansion) and nothing checks whether they are already there.
printf '%s\n' \
  '192.168.6.63 k8s1' \
  '192.168.6.64 k8s2' \
  '192.168.6.65 k8s3' \
  '192.168.6.68 k8s6' >> /etc/hosts
# Upgrade the CentOS 7 kernel from ELRepo (skip if already done).
# Import ELRepo's signing key first so the packages below can be verified.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
# The release rpm is fetched over plain HTTP; rpm's signature check against
# the key imported above is what protects it, so do not disable that check.
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
# kernel-ml is ELRepo's mainline kernel track.
yum --enablerepo=elrepo-kernel install kernel-ml -y
# Boot menu entry 0; presumably the freshly installed kernel sorts first —
# confirm in grub.cfg before rebooting.
grub2-set-default 0
grub2-mkconfig -o /boot/grub2/grub.cfg
# Everything after this point runs once the node is back up.
reboot
- 更新openssl
# Download the OpenSSL 1.1.1q source.
mkdir -p /server/tools
cd /server/tools
# NOTE(review): --no-check-certificate disables TLS verification for a
# tarball that is about to become the system `openssl`, and nothing below
# checks it against the upstream checksum/signature. Verify the archive
# before building it.
wget --no-check-certificate https://www.openssl.org/source/old/1.1.1/openssl-1.1.1q.tar.gz
# Set the distro binary aside. NOTE(review): this happens before the build,
# so if make fails below the node has no `openssl` until the .bak is moved
# back — doing this right before the ln -s would be safer.
mv /usr/bin/openssl{,.bak}
# Unpack the source.
tar xf openssl-1.1.1q.tar.gz
cd openssl-1.1.1q/
mkdir -p /app/tools
# Build into a private prefix; the distro libssl packages stay untouched.
./config --prefix=/app/tools/openssl
make && make install
# Make the new build the default `openssl` (the CA step further down uses
# -addext, which needs OpenSSL 1.1.1+).
ln -s /app/tools/openssl/bin/openssl /usr/bin/openssl
# Header symlink, left disabled in the original notes.
#ln -s /app/tools/openssl/include/openssl /usr/include/openssl
# Register the new library directory with the dynamic linker.
echo "/app/tools/openssl/lib" >> /etc/ld.so.conf
ldconfig
# Confirm the upgraded build is the one found on PATH.
openssl version -a
openssl version
- 创建数据库
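# MySQL datastore for k3s, run as a container on the mysql node.
#
# The config file is written BEFORE the container is started: when a bind
# mount source does not exist yet, docker creates it as a directory, so
# starting first would make the later `cat > .../my.cnf` fail and hand MySQL
# an empty directory where it expects a file.
mkdir -p /data/mysql/log /data/mysql/data /data/mysql/conf
cat > /data/mysql/conf/my.cnf << 'EOF'
[mysqld]
skip-host-cache
skip-name-resolve
datadir=/var/lib/mysql
socket=/var/run/mysqld/mysqld.sock
secure-file-priv=/var/lib/mysql-files
user=mysql
symbolic-links=0
#log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
[client]
socket=/var/run/mysqld/mysqld.sock
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
EOF
# Start the container.
# NOTE(review): --privileged=true grants the container full host
# capabilities, which the mysql image does not need; the root password is
# passed on the command line (visible in shell history and `docker inspect`)
# and is reused verbatim in the k3s datastore endpoint later in these notes;
# and `-p 3306:3306` listens on every host interface — binding it to the LAN
# address (`-p 192.168.6.68:3306:3306`) keeps it reachable only from the
# server nodes.
docker run -p 3306:3306 --name mysql-5.7 --restart=always --privileged=true \
-v /data/mysql/log:/var/log/mysql \
-v /data/mysql/data:/var/lib/mysql \
-v /data/mysql/conf/my.cnf:/etc/my.cnf \
-v /etc/localtime:/etc/localtime:ro \
-e MYSQL_ROOT_PASSWORD='test123' -d mysql:5.7.40
# Create the k3s database. The first line opens an interactive mysql client
# (prompts for the root password); the second line is typed at the mysql>
# prompt, not in the shell.
docker exec -it mysql-5.7 mysql -uroot -p
create database k3s;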
server节点安装
参考官网
https://docs.k3s.io/zh/datastore/ha
# k3s server installation — run on every server node.
# Working directory for the installer and artifacts.
mkdir -p /data/k3s/ && cd /data/k3s
# Fetch what the offline (airgap) install needs.
# Install script — two sources. The upstream URL on the next line is kept as
# a reference only (it is not a command); the Rancher China mirror below is
# what is actually downloaded.
https://get.k3s.io
# NOTE(review): --no-check-certificate disables TLS verification on a script
# that will run as root, and the same flag is used below for the k3s binary
# and the image bundle. Compare the downloaded files against the checksum
# file published with the k3s release before installing them.
wget https://rancher-mirror.rancher.cn/k3s/k3s-install.sh --no-check-certificate
# Container image bundle for the airgap install. Note the version is a
# release candidate (v1.27.5-rc2+k3s1), not a GA release.
wget https://github.com/k3s-io/k3s/releases/download/v1.27.5-rc2%2Bk3s1/k3s-airgap-images-amd64.tar --no-check-certificate
# The k3s binary itself.
wget https://github.com/k3s-io/k3s/releases/download/v1.27.5-rc2%2Bk3s1/k3s --no-check-certificate
chmod -R 755 /data/k3s/
# Put the artifacts where the install script and k3s expect them.
mkdir -p /var/lib/rancher/k3s/agent/images/
cp k3s /usr/local/bin/k3s
cp k3s-airgap-images-amd64.tar /var/lib/rancher/k3s/agent/images/
⚠️仅第一次安装集群可用,保证数据库中的k3s库里没有内容
# Create the k3s CA certificates with a 100-year validity, in k3s's default
# tls directory. Done on the FIRST server node only — the other servers are
# bootstrapped from the shared datastore, which is why the k3s database must
# still be empty at this point.
# Reference: https://forums.rancher.cn/t/k3s-ca-10/331
mkdir -p /var/lib/rancher/k3s/server/tls
cd /var/lib/rancher/k3s/server/tls
# CA private keys — the cluster's root of trust. NOTE(review): confirm they
# end up mode 0600 (depends on the openssl build and the umask in effect)
# and that an offline backup exists; with a 100-year lifetime there is no
# natural rotation point.
openssl genrsa -out client-ca.key 2048
openssl genrsa -out server-ca.key 2048
openssl genrsa -out request-header-ca.key 2048
# Self-signed CA certificates, 36500 days. -addext requires OpenSSL 1.1.1+,
# which is why openssl was upgraded earlier in these notes.
openssl req -x509 -new -nodes -key client-ca.key -sha256 -days 36500 -out client-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-client-ca'
openssl req -x509 -new -nodes -key server-ca.key -sha256 -days 36500 -out server-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-server-ca'
openssl req -x509 -new -nodes -key request-header-ca.key -sha256 -days 36500 -out request-header-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-request-header-ca'
# Server install command — run from the script directory on every server
# node. INSTALL_K3S_SKIP_DOWNLOAD uses the binary copied above.
# NOTE(review): K3S_TOKEN=cluster is a guessable join token; the datastore
# endpoint embeds the MySQL root password in an environment variable on the
# command line (shell history, process environment); and a NodePort range of
# 0-60000 overlaps the privileged ports (<1024) and the ports k3s itself
# listens on, so a Service can collide with a host listener.
INSTALL_K3S_SKIP_DOWNLOAD=true K3S_DATASTORE_ENDPOINT='mysql://root:test123@tcp(192.168.6.68:3306)/k3s' K3S_TOKEN=cluster INSTALL_K3S_EXEC='server --service-node-port-range=0-60000' ./k3s-install.sh
#INSTALL_K3S_EXEC
--service-node-port-range “选项会限制创建的pod或服务所使用的端口,超出范围会报错,规划时需要注意”
--data-dir “自定义rancher的路径如果想指定路径注意证书位置也需要更换”
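# Print the expiry date of every certificate in the k3s tls directory.
# Glob directly instead of parsing `ls` output, and quote the expansions, so
# paths containing spaces or glob characters are handled; printf avoids
# echo's handling of leading dashes.
for crt in /var/lib/rancher/k3s/server/tls/*.crt; do
  printf '%s\n' "$crt"
  openssl x509 -enddate -noout -in "$crt"
done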
安装可视化界面
# Deploy the Kuboard v3 console. The manifest is fetched live from the vendor
# URL at apply time rather than from a pinned, reviewed copy.
kubectl apply --filename https://addons.kuboard.cn/kuboard/kuboard-v3.yaml
# List the console pods.
kubectl get pods --namespace kuboard
#页面
http://192.168.6.63:30080
用户名: admin
密码: Kuboard123
# Remove the console again using the same manifest it was installed from.
kubectl delete --filename https://addons.kuboard.cn/kuboard/kuboard-v3.yaml