217. k8s_v1.15二进制部署【上】
1、部署架构规划
网络规划:
K8S架构图
2、部署前热身
2.1 系统优化[all]
1.yum源优化
# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# yum makecache
2.关墙
# systemctl stop firewalld && systemctl disable firewalld
# sed -ri '/^SELINUX=/s/=.+/=disabled/' /etc/selinux/config # -r 需写在 -i 之前:写成 -ir 时 GNU sed 会把 r 当作 -i 的备份后缀,且 .+ 在基本正则中不生效,文件不会被修改
# reboot
# getenforce
Disabled
3.安装Ops必备包
# yum install tree nmap dos2unix lrzsz nc lsof psmisc net-tools bash-completion bash-completion-extras vim-enhanced \
wget tcpdump unzip htop iftop iotop sysstat nethogs telnet nmap sysstat lrzsz dos2unix bind-utils vim less -y
2.2 安装DNS服务
创建主机域host.com--------业务域od.com
主辅同步(10.4.7.11主、10.4.7.12辅)
客户端配置指向自建DNS
安装Bind9服务
1. k8s7-11 安装bind9软件
[root@k8s7-11 ~]# yum install bind -y
2.配置
[root@k8s7-11 ~]# cat /etc/named.conf #主配置文件
listen-on port 53 { 10.4.7.11; }; #DNS服务器地址
directory "/var/named";
allow-query { any; }; #指所有客户端都可查询
forwarders { 10.4.7.254; }; #上级DNS地址(网关)
recursion yes; #采用递归算法查询(与上面的 allow-query { any; } 搭配即成为开放递归解析器,建议再加 allow-recursion { ...; }; 限制为内网段,如 10.4.7.0/24)
dnssec-enable no;
dnssec-validation no;
3.k8s7-11.host.com 配置区域文件
# 增加两个zone配置,od.com为业务域,host.com.zone为主机域
[root@k8s7-11 ~]# vim /etc/named.rfc1912.zones
zone "host.com" IN {
type master;
file "host.com.zone";
allow-update { 10.4.7.11; };
};
zone "od.com" IN {
type master;
file "od.com.zone";
allow-update { 10.4.7.11; };
};
4.k8s7-11.host.com 配置主机域文件
# 第6行 serial(2020062101)需按当天日期加序号修改,之后每次改动区域文件都要递增
[root@k8s7-11 ~]# vim /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
2020062101 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.host.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
K8S7-11 A 10.4.7.11
K8S7-12 A 10.4.7.12
K8S7-21 A 10.4.7.21
K8S7-22 A 10.4.7.22
K8S7-200 A 10.4.7.200
5.k8s7-11.host.com 配置业务域文件
[root@k8s7-11 ~]# vim /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
2020062101 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.od.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
6.k8s7-11.host.com 启动bind服务,并测试
[root@k8s7-11 ~]# named-checkconf # 检查配置文件
[root@k8s7-11 ~]# systemctl start named && systemctl enable named.service
[root@k8s7-11 ~]# netstat -lntup |grep 53
tcp 0 0 10.4.7.11:53 0.0.0.0:* LISTEN 24139/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 24139/named
tcp6 0 0 ::1:53 :::* LISTEN 24139/named
tcp6 0 0 ::1:953 :::* LISTEN 24139/named
udp 0 0 10.4.7.11:53 0.0.0.0:* 24139/named
udp6 0 0 ::1:53 :::* 24139/named
验证解析:
[root@k8s7-11 ~]# dig -t A k8s7-21.host.com @10.4.7.11 +short
10.4.7.21
[root@k8s7-11 ~]# host k8s7-200.host.com 10.4.7.11
Using domain server:
Name: 10.4.7.11
Address: 10.4.7.11#53
Aliases:
K8S7-200.host.com has address 10.4.7.200
7.修改主机DNS
修改所有主机的dns服务器地址
[root@k8s7-11 ~]# sed -i '/DNS1/s/10.4.7.254/10.4.7.11/' /etc/sysconfig/network-scripts/ifcfg-eth0
[root@k8s7-11 ~]# systemctl restart network
[root@k8s7-11 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search host.com
nameserver 10.4.7.11
[root@k8s7-11 ~]# ping k8s7-200
PING k8S7-200.host.com (10.4.7.200) 56(84) bytes of data.
64 bytes from 10.4.7.200 (10.4.7.200): icmp_seq=1 ttl=64 time=0.738 ms
64 bytes from 10.4.7.200 (10.4.7.200): icmp_seq=2 ttl=64 time=2.16 ms
本次实验环境使用的是虚拟机,因此也要对windows宿主机NAT网卡DNS进行修改
3、准备签发证书环境
安装CFSSL工具
1.k8s7-200 下载工具(建议下载后核对 GitHub Release 页面给出的校验和,再赋予执行权限)
[root@k8s7-200 ~]# curl -s -L -o /usr/bin/cfssl https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl_1.6.0_linux_amd64
[root@k8s7-200 ~]# curl -s -L -o /usr/bin/cfssljson https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssljson_1.6.0_linux_amd64
[root@k8s7-200 ~]# curl -s -L -o /usr/bin/cfssl-certinfo https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl-certinfo_1.6.0_linux_amd64
[root@k8s7-200 ~]# chmod +x /usr/bin/cfssl*
2.k8s7-200 签发根证书
[root@k8s7-200 ~]# mkdir /opt/certs/ && cd /opt/certs/
# 根证书配置:
# CN 一般写域名,浏览器会校验
# names 为地区和公司信息
# expiry 为过期时间
[root@k8s7-200 certs]# vim /opt/certs/ca-csr.json
{
"CN": "Datacloak",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "shanghai",
"L": "shanghai",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
[root@k8s7-200 certs]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
查看签发的证书,生成ca.pem、ca.csr、ca-key.pem(CA私钥,需妥善保管)
[root@k8s7-200 certs]# ls -l ca*
-rw-r--r-- 1 root root 985 Jun 22 16:17 ca.csr
-rw-r--r-- 1 root root 322 Jun 22 16:14 ca-csr.json
-rw------- 1 root root 1675 Jun 22 16:17 ca-key.pem
-rw-r--r-- 1 root root 1330 Jun 22 16:17 ca.pem
4、部署Docker
k8s7-200.host.com,k8s7-21.host.com,k8s7-22.host.com 主机操作:
[root@k8s7-21 ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@k8s7-21 ~]# yum install -y docker-ce
[root@k8s7-21 ~]# mkdir /etc/docker/ /data/docker -p
# 不安全的registry中增加了harbor地址
# 各个机器上bip网段不一致,bip中间两段与宿主机最后两段相同,目的是方便定位问题
要是只配一个daemon.json 我把你头打偏尼
[root@k8s7-21 ~]# vim /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
"registry-mirrors": ["https://registry.docker-cn.com"],
"bip": "172.7.21.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
[root@k8s7-21 ~]# systemctl start docker && systemctl enable docker
~]# docker version/info 进行验证
5、部署私有仓库Harbor
参考地址:https://www.yuque.com/duduniao/trp3ic/ohrxds#9Zpxx
官方地址:https://goharbor.io/
Github地址:https://github.com/goharbor/harbor/releases
1.k8s7-200 安装harbor
# 目录说明:
# /opt/src : 源码、文件下载目录
# /opt/release : 各个版本软件存放位置
~]# cd /opt
~]# wget https://github.com/goharbor/harbor/releases/download/v2.1.0/harbor-offline-installer-v2.1.0.tgz
~]# tar xf harbor-offline-installer-v2.1.0.tgz -C /opt/
~]# mv harbor harbor-v2.1.0
~]# ln -s /opt/harbor-v2.1.0/ /opt/harbor
# 实验环境仅修改以下配置项,生产环境建议修改密码
~]# vim /opt/harbor/harbor.yml.tmpl
hostname: harbor.od.com
http:
port: 180
data_volume: /data/harbor
location: /data/harbor/logs
~]# cp -a harbor.yml.tmpl harbor.yml
~]# mkdir -p /data/harbor /data/harbor/logs
[root@k8s7-200 ]# yum install -y docker-compose
[root@k8s7-200 harbor]# ./install.sh
。。。。。。。。
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://harbor.od.com.
For more details, please visit https://github.com/goharbor/harbor .
检查harbor启动情况
[root@k8s7-200 harbor]# docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------
harbor-core /harbor/harbor_core Up
harbor-db /docker-entrypoint.sh Up 5432/tcp
harbor-jobservice /harbor/harbor_jobservice ... Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up 8080/tcp
nginx nginx -g daemon off; Up 0.0.0.0:180->8080/tcp
redis redis-server /etc/redis.conf Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up 5000/tcp
registryctl /harbor/start.sh Up
2.配置harbor开机启动
[root@k8s7-200 harbor]# vim /etc/rc.d/rc.local # 增加以下内容;CentOS 7 中 rc.local 默认无执行权限,需 chmod +x /etc/rc.d/rc.local 才会开机执行
# start harbor
cd /opt/harbor
/usr/bin/docker-compose stop
/usr/bin/docker-compose start
6、部署Nginx[200]
1.安装配置Nginx反向代理harbor
# 当前机器中Nginx功能较少,使用yum安装即可。如有多个harbor考虑源码编译且配置健康检查
[root@k8s7-200 harbor]# yum install nginx -y
----------------------------------------------------------
[root@k8s7-200 ssl_key]# mkdir -p /etc/nginx/ssl_key
[root@k8s7-200 ssl_key]# openssl genrsa -idea -out server.key 2048
[root@k8s7-200 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
# 注:上一条 -newkey 会重新生成并覆盖 genrsa 产生的 server.key,genrsa 一步实际是多余的;且下面的 harbor.conf 只监听 80,并未引用这对证书
---------------------------------------------------------
[root@k8s7-200 harbor]# cat /etc/nginx/conf.d/harbor.conf
server {
listen 80;
server_name harbor.od.com;
# 避免出现上传失败的情况
client_max_body_size 1000m;
location / {
proxy_pass http://127.0.0.1:180;
}
}
[root@k8s7-200 ssl_key]# systemctl start nginx
[root@k8s7-200 ssl_key]# netstat -lntup|grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 74186/nginx: master
[root@k8s7-200 ssl_key]# systemctl enable nginx
2.k8s7-11 配置DNS解析
[root@k8s7-11 ~]# vim /var/named/od.com.zone # 序列号需要滚动一个
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
2020010502 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.od.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
harbor A 10.4.7.200
[root@k8s7-11 ~]# systemctl restart named.service
[root@k8s7-11 ~]# host harbor.od.com
harbor.od.com has address 10.4.7.200
将本地宿主机的DNS指向10.4.7.11
访问http://harbor.od.com
新建项目
测试harbor:
[root@k8s7-21 ~]# docker image tag nginx:latest harbor.od.com/public/nginx:latest
[root@k8s7-21 ~]# docker login -u admin harbor.od.com
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s7-21 ~]# docker push harbor.od.com/public/alpine:test
The push refers to repository [harbor.od.com/public/alpine]
1bfeebd65323: Pushed
test: digest: sha256:57334c50959f26ce1ee025d08f136c2292c128f84e7b229d1b0da5dac89e9866 size: 528
[root@k8s7-21 ~]# docker logout