Rancher高可用搭建
初始化系统
每台机器都要操作
# 关闭防火墙systemctl stop firewalld.servicesystemctl disable firewalldfirewall-cmd --reload# 关闭selinuxsetenforce 0 # 临时sed -i 's/enforcing/disabled/' /etc/selinux/config # 永久# 关闭swapswapoff -a # 临时sed -ri 's/.*swap.*/#&/' /etc/fstab # 永久# 将桥接的IPv4流量传递到iptables的链cat > /etc/sysctl.d/k8s.conf << EOFnet.bridge.bridge-nf-call-ip6tables = 1net.bridge.bridge-nf-call-iptables = 1EOFsysctl --system # 生效#安装chronyyum -y install chrony#修改同步服务器地址为阿里云sed -i.bak '3,6d' /etc/chrony.conf && sed -i '3cserver ntp1.aliyun.com iburst' \/etc/chrony.conf# 启动chronyd及加入开机自启systemctl start chronyd && systemctl enable chronyd#查看同步结果chronyc sources
安装docker
每台机器都要操作
# 下载docker压缩包https://download.docker.com/linux/static/stable/x86_64/docker-19.03.11.tgz# 解压二进制包、移动加压文件tar zxvf docker-19.03.11.tgzmv docker/* /usr/bin# systemd管理dockercat > /usr/lib/systemd/system/docker.service << EOF[Unit]Description=Docker Application Container EngineDocumentation=https://docs.docker.comAfter=network-online.target firewalld.serviceWants=network-online.target[Service]Type=notifyExecStart=/usr/bin/dockerdExecReload=/bin/kill -s HUP $MAINPIDLimitNOFILE=infinityLimitNPROC=infinityLimitCORE=infinityTimeoutStartSec=0Delegate=yesKillMode=processRestart=on-failureStartLimitBurst=3StartLimitInterval=60s[Install]WantedBy=multi-user.targetEOF#创建配置文件mkdir /etc/dockercat > /etc/docker/daemon.json << EOF{"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],"insecure-registries": ["172.18.69.205:80"],"log-opts": {"max-size":"2g", "max-file":"100"}}EOF#启动并设置开机启动systemctl daemon-reloadsystemctl start dockersystemctl enable docker
新增rancher操作用户
每台机器都要操作
新建用户groupadd dockeruseradd rancher -G docker#设置es用户的密码为5W3R1gjHfgpasswd ranchervi /etc/sudoers# 增加一行记录rancher ALL=(ALL) NOPASSWD: ALL# 生效sysctl --system
选择一台机器特色处理
选择一台机器安装rke,kubectl,helm,对其他机器免密登录
# 免密登录su - rancherssh-keygenssh-copy-id rancher@外网ip1ssh-copy-id rancher@外网ip2ssh-copy-id rancher@外网ip3# root用户下,执行如下操作:# 1、下载rke文件并移动到/usr/sbinwget https://github.com/rancher/rke/releases/download/v1.1.2/rke_linux-amd64 \&& chmod +x rke_linux-amd64 \&& mv rke_linux-amd64 /usr/bin/rke# 2、安装kubectlwget https://docs.rancher.cn/download/kubernetes/linux-amd64-v1.18.3-kubectl \&& chmod +x linux-amd64-v1.18.3-kubectl \&& mv linux-amd64-v1.18.3-kubectl /usr/bin/kubectl# 3、安装helmwget https://docs.rancher.cn/download/helm/helm-v3.0.3-linux-amd64.tar.gz \&& tar xf helm-v3.0.3-linux-amd64.tar.gz \&& cd linux-amd64 \&& mv helm /usr/sbin/
在/home/rancher目录设置rancher-cluster.yml配置文件
nodes:- address: ip地址internal_address: ip地址user: rancherrole: [controlplane, worker, etcd]port: 22- address: ip地址internal_address: ip地址user: rancherrole: [controlplane, worker, etcd]port: 22- address: ip地址internal_address: ip地址user: rancherrole: [controlplane, worker, etcd]port: 22services:etcd:snapshot: truecreation: 6hretention: 24hignore_docker_version: truecluster_name: myclusteringress:provider: nginxoptions:use-forwarded-headers: "true"
rke部署k8s
rancher用户下执行:cd /home/rancherrke up --config ./rancher-cluster.yml# 新生成的集群文件,用来执行kubectlmkdir -p /home/rancher/.kubecp kube_config_rancher-cluster.yml $HOME/.kube/config# 检查kubectl get nodeskubectl get pods --all-namespaces
安装 cert-manager
# 安装 CustomResourceDefinition 资源kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml# **重要:**# 如果您正在运行 Kubernetes v1.15 或更低版本,# 则需要在上方的 kubectl apply 命令中添加`--validate=false`标志,# 否则您将在 cert-manager 的 CustomResourceDefinition 资源中收到与# x-kubernetes-preserve-unknown-fields 字段有关的验证错误。# 这是一个良性错误,是由于 kubectl 执行资源验证的方式造成的。# 为 cert-manager 创建命名空间kubectl create namespace cert-manager# 添加 Jetstack Helm 仓库helm repo add jetstack https://charts.jetstack.io# 更新本地 Helm chart 仓库缓存helm repo update# 安装 cert-manager Helm charthelm install \cert-manager jetstack/cert-manager \--namespace cert-manager \--version v0.15.0
安装完 cert-manager 后,您可以通过检查 cert-manager 命名空间中正在运行的 Pod 来验证它是否已正确部署:
kubectl get pods --namespace cert-managerNAME READY STATUS RESTARTS AGEcert-manager-5c6866597-zw7kh 1/1 Running 0 2mcert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 2mcert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m
通过helm安装 Rancher
# 添加helm仓库helm repo add rancher-stable https://releases.rancher.com/server-charts/stable# 创建命名空间kubectl create namespace cattle-systemhelm install rancher rancher-stable/rancher \--namespace cattle-system \--set hostname=rancher.demo.comkubectl -n cattle-system rollout status deploy/rancherkubectl -n cattle-system get deploy rancher
新增nginx
docker pull nginx:1.15mkdir -p /opt/nginx/cert# 生成证书cd /opt/nginx/certchmod +x create_self-signed-cert.sh./create_self-signed-cert.sh --ssl-domain=demo.jmj1995.com --ssl-trusted-ip=8.129.116.194 --ssl-size=2048 --ssl-date=3650docker run --name nginx01 -d -p 80:80 -p 443:443 nginx:1.15docker cp nginx01:/etc/nginx /optdocker rm -f nginx01docker exec -it nginx01 /bin/bash# 修改default.confupstream rancher {server 8.129.69.137:80;server 8.129.145.169:80;server 8.129.115.152:80;}map $http_upgrade $connection_upgrade {default Upgrade;'' close;}server {listen 443 ssl http2;server_name rancher.jmj1995.com;ssl_certificate /etc/nginx/cert/tls.crt;ssl_certificate_key /etc/nginx/cert/tls.key;location / {proxy_set_header Host $host;proxy_set_header X-Forwarded-Proto $scheme;proxy_set_header X-Forwarded-Port $server_port;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_pass http://rancher;proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection $connection_upgrade;# 这里将允许您在 Rancher UI 中打开命令行窗口时,窗口可以保留最多15分钟。没有这个参数时,默认值为1分钟,一分钟后在Rancher>中的shell会自动关闭。proxy_read_timeout 900s;proxy_buffering off;}}server {listen 80;server_name rancher.jmj1995.com;return 301 https://$server_name$request_uri;}# 运行nginxdocker run -it -d --name mynginx -p 80:80 -p 443:443 -v /opt/nginx/:/etc/nginx/ -v /opt/nginx/logs:/var/log/nginx nginx:1.15
今天药忘吃喽~
本是古典 何须时尚
超、凢脫俗
忘是亡心i
野性酷女
我会带着你远行
还没有评论,来说两句吧...