k8s on OCI Ubantu优化

1、禁止系统防火墙 disable iptables and ufw

iptables -F

systemctl disable iptables

systemctl disable ufw

2. 增加主机名解释 /etc/hosts

192.168.3.209 oci-node03

192.168.3.186 oci-node02

192.168.3.245 oci-node01

3. 关闭虚拟内存

swapoff -a

4. 优化哪和参数  /etc/sysctl.conf

vm.swappiness = 0

vm.overcommit_memory = 1

vm.max_map_count = 655360

vm.panic_on_oom=0

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.unknown_nmi_panic = 0

kernel.sysrq = 1

kernel.shmmax = 68719476736

kernel.shmall = 4294967296

kernel.pid_max = 4194303

net.core.netdev_max_backlog = 32768

net.core.rmem_default = 8388608

net.core.rmem_max= 16777216

net.core.wmem_max= 16777216

net.core.somaxconn = 32768

net.core.wmem_default = 8388608

net.core.bpf_jit_enable=1

net.core.bpf_jit_harden=1

net.core.bpf_jit_kallsyms=1

net.core.dev_weight_tx_bias=1

net.ipv4.conf.all.arp_ignore = 0

net.ipv4.conf.lo.arp_announce = 0

net.ipv4.conf.lo.arp_ignore = 0

net.ipv4.ip_local_port_range = 5000 65000

net.ipv4.tcp_fin_timeout = 30

net.ipv4.tcp_keepalive_intvl = 30

net.ipv4.tcp_keepalive_probes = 10

net.ipv4.tcp_keepalive_time = 600

net.ipv4.tcp_max_orphans = 3276800

net.ipv4.tcp_max_syn_backlog = 65536

net.ipv4.tcp_max_tw_buckets = 32768

net.ipv4.tcp_mem = 94500000 915000000 927000000

net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle= 1

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.neigh.default.gc_thresh1 = 2048

net.ipv4.neigh.default.gc_thresh2 = 4096

net.ipv4.neigh.default.gc_thresh3 = 8192

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6=1

net.ipv6.conf.default.disable_ipv6=1

net.ipv6.conf.lo.disable_ipv6=1

net.nf_conntrack_max = 1000000

net.netfilter.nf_conntrack_max= 10485760

net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30

net.netfilter.nf_conntrack_tcp_timeout_established=300

net.netfilter.nf_conntrack_buckets=655360

net.bridge.bridge-nf-call-ip6tables=1

net.bridge.bridge-nf-call-iptables=1

net.bridge.bridge-nf-call-arptables=1

fs.inotify.max_user_instances=8192

fs.inotify.max_user_watches=524288

fs.inotify.max_queued_events = 327679

fs.file-max = 2097152

5. 安装docker引擎

apt install docker.io

docker --version

systemctl enable docker

systemctl start docker

sudo usermod -a -G docker ${USER}

newgrp docker

6. 升级操作系统补丁包

apt-get update && apt-get install -y apt-transport-https

7. 重启操作系统

reboot

8 安装rancher v2.5.16

docker run --privileged -d --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher:v2.5.16

等待rancher安装完毕，admin登录

9、部署K8s

sudo docker run -d --privileged --restart=unless-stopped --net=host -v /etc/kubernetes:/etc/kubernetes -v /var/run:/var/run rancher/rancher-agent:v2.5.16 --server https://168.138.203.138 --token 8w88rt6jgpf2kgxbksd4gjfvl6gpng8vhxpsfgp5xjj6hkgnwxxbnr --ca-checksum 3bc2afb3f0b13529a5dde1d2be630520a370f2391addc6bc4feb6bf4a6d66542 --worker

10、安装kubectl命令工具

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

11. 禁止Ubuntu自动更新
/etc/apt/apt.conf.d/10periodic 和 /etc/apt/apt.conf.d/20auto-upgrades

$ sudo systemctl stop apt-daily.service

$ sudo systemctl stop apt-daily.timer

$ sudo systemctl stop apt-daily-upgrade.service

$ sudo systemctl stop apt-daily-upgrade.timer

$ sudo systemctl disable apt-daily.service

$ sudo systemctl disable apt-daily.timer

$ sudo systemctl disable apt-daily-upgrade.service

$ sudo systemctl disable apt-daily-upgrade.timer

12. 禁止docker自动更新

apt-mark hold docker-io