Rancher高可用搭建

我不是女神ヾ 2022-10-30 13:22 285阅读 0赞

# 初始化系统 #

**每台机器都要操作**

# 关闭防火墙
    systemctl stop firewalld.service
    systemctl disable firewalld
    firewall-cmd --reload
    
    # 关闭selinux
    setenforce 0  # 临时
    sed -i 's/enforcing/disabled/' /etc/selinux/config  # 永久
    
    
    # 关闭swap
    swapoff -a  # 临时
    sed -ri 's/.*swap.*/#&/' /etc/fstab    # 永久
    
    
    # 将桥接的IPv4流量传递到iptables的链
    cat > /etc/sysctl.d/k8s.conf << EOF
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    EOF
    sysctl --system  # 生效
    
    
    
    
    #安装chrony
    yum -y install chrony
    #修改同步服务器地址为阿里云
    sed -i.bak '3,6d' /etc/chrony.conf && sed -i '3cserver ntp1.aliyun.com iburst' \
    /etc/chrony.conf
    # 启动chronyd及加入开机自启
    systemctl start chronyd && systemctl enable chronyd
    #查看同步结果
    chronyc sources

# 安装docker #

**每台机器都要操作**

# 下载docker压缩包
    https://download.docker.com/linux/static/stable/x86_64/docker-19.03.11.tgz
    
    # 解压二进制包、移动加压文件
    tar zxvf docker-19.03.11.tgz
    mv docker/* /usr/bin
    
    
    # systemd管理docker
    cat > /usr/lib/systemd/system/docker.service << EOF
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    After=network-online.target firewalld.service
    Wants=network-online.target
    
    [Service]
    Type=notify
    ExecStart=/usr/bin/dockerd
    ExecReload=/bin/kill -s HUP $MAINPID
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    TimeoutStartSec=0
    Delegate=yes
    KillMode=process
    Restart=on-failure
    StartLimitBurst=3
    StartLimitInterval=60s
    
    [Install]
    WantedBy=multi-user.target
    EOF
    
    
    
    #创建配置文件   
    mkdir /etc/docker
    
    cat > /etc/docker/daemon.json << EOF
    {
      "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
      "insecure-registries": ["172.18.69.205:80"],
      "log-opts": {"max-size":"2g", "max-file":"100"}
    }
    EOF
    
    #启动并设置开机启动
    systemctl daemon-reload
    systemctl start docker
    systemctl enable docker

# 新增rancher操作用户 #

**每台机器都要操作**

新建用户 
    groupadd docker
    useradd rancher -G docker
    #设置es用户的密码为5W3R1gjHfg
    passwd  rancher 
    
    
    vi /etc/sudoers
    # 增加一行记录
    rancher ALL=(ALL)       NOPASSWD: ALL
    # 生效  
    sysctl --system

# 选择一台机器特色处理 #

选择一台机器安装rke，kubectl，helm，对其他机器免密登录

# 免密登录
    su - rancher
    ssh-keygen
    
    ssh-copy-id rancher@外网ip1
    ssh-copy-id rancher@外网ip2
    ssh-copy-id rancher@外网ip3
    
    
    # root用户下，执行如下操作：
    
    # 1、下载rke文件并移动到/usr/sbin
    wget https://github.com/rancher/rke/releases/download/v1.1.2/rke_linux-amd64 \
    && chmod +x rke_linux-amd64 \
    && mv rke_linux-amd64 /usr/bin/rke
    
    # 2、安装kubectl
    wget https://docs.rancher.cn/download/kubernetes/linux-amd64-v1.18.3-kubectl \
    &&  chmod +x linux-amd64-v1.18.3-kubectl \
    &&  mv linux-amd64-v1.18.3-kubectl /usr/bin/kubectl
    
    # 3、安装helm
    wget https://docs.rancher.cn/download/helm/helm-v3.0.3-linux-amd64.tar.gz \
    &&   tar xf helm-v3.0.3-linux-amd64.tar.gz  \
    &&   cd linux-amd64 \
    &&   mv helm  /usr/sbin/

# 在/home/rancher目录设置rancher-cluster.yml配置文件 #

nodes:
      - address: ip地址
        internal_address: ip地址
        user: rancher
        role: [controlplane, worker, etcd]
        port: 22
      - address: ip地址
        internal_address: ip地址
        user: rancher
        role: [controlplane, worker, etcd]
        port: 22
      - address: ip地址
        internal_address: ip地址
        user: rancher
        role: [controlplane, worker, etcd]
        port: 22
    
    services:
      etcd:
        snapshot: true
        creation: 6h
        retention: 24h
    
    ignore_docker_version: true
    cluster_name: mycluster
    ingress:
      provider: nginx
      options:
        use-forwarded-headers: "true"

# rke部署k8s #

rancher用户下执行：
    
    cd /home/rancher
    rke up --config ./rancher-cluster.yml
    
    # 新生成的集群文件，用来执行kubectl
    mkdir -p /home/rancher/.kube
    cp kube_config_rancher-cluster.yml  $HOME/.kube/config
    
    # 检查
    kubectl get nodes
    kubectl get pods --all-namespaces

# 安装 cert-manager #

# 安装 CustomResourceDefinition 资源
    
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml
    
    # **重要：**
    # 如果您正在运行 Kubernetes v1.15 或更低版本，
    # 则需要在上方的 kubectl apply 命令中添加`--validate=false`标志，
    # 否则您将在 cert-manager 的 CustomResourceDefinition 资源中收到与
    # x-kubernetes-preserve-unknown-fields 字段有关的验证错误。
    # 这是一个良性错误，是由于 kubectl 执行资源验证的方式造成的。
    
    # 为 cert-manager 创建命名空间
    
    kubectl create namespace cert-manager
    
    # 添加 Jetstack Helm 仓库
    
    helm repo add jetstack https://charts.jetstack.io
    
    # 更新本地 Helm chart 仓库缓存
    
    helm repo update
    
    # 安装 cert-manager Helm chart
    
    helm install \
     cert-manager jetstack/cert-manager \
     --namespace cert-manager \
     --version v0.15.0

安装完 cert-manager 后，您可以通过检查 cert-manager 命名空间中正在运行的 Pod 来验证它是否已正确部署：

kubectl get pods --namespace cert-manager
    
    NAME READY STATUS RESTARTS AGE
    cert-manager-5c6866597-zw7kh 1/1 Running 0 2m
    cert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 2m
    cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m

# 通过helm安装 Rancher #

# 添加helm仓库
    helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
    
    # 创建命名空间
    kubectl create namespace cattle-system
    
    helm install rancher rancher-stable/rancher \
     --namespace cattle-system \
     --set hostname=rancher.demo.com
    
    
    kubectl -n cattle-system rollout status deploy/rancher
    
    kubectl -n cattle-system get deploy rancher

# 新增nginx #

docker pull nginx:1.15
    mkdir -p /opt/nginx/cert
    
    # 生成证书
    cd /opt/nginx/cert
    
    chmod +x create_self-signed-cert.sh
     ./create_self-signed-cert.sh --ssl-domain=demo.jmj1995.com --ssl-trusted-ip=8.129.116.194 --ssl-size=2048 --ssl-date=3650
     
    
    docker run --name nginx01 -d   -p 80:80 -p 443:443  nginx:1.15
    docker cp nginx01:/etc/nginx /opt
    docker rm -f nginx01
    docker exec -it nginx01 /bin/bash
    
    # 修改default.conf
    
    upstream rancher {
        
            server 8.129.69.137:80;
            server 8.129.145.169:80;
            server 8.129.115.152:80;
        }
    
    map $http_upgrade $connection_upgrade {
        
        default Upgrade;
        ''      close;
    }
    
    server {
        
        listen 443 ssl http2;
        server_name rancher.jmj1995.com;
        ssl_certificate /etc/nginx/cert/tls.crt;
        ssl_certificate_key /etc/nginx/cert/tls.key;
    
        location / {
        
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://rancher;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            # 这里将允许您在 Rancher UI 中打开命令行窗口时，窗口可以保留最多15分钟。没有这个参数时，默认值为1分钟，一分钟后在Rancher>中的shell会自动关闭。
            proxy_read_timeout 900s;
            proxy_buffering off;
        }
    }
    
    server {
        
        listen 80;
        server_name rancher.jmj1995.com;
        return 301 https://$server_name$request_uri;
    }
    
    
    
    #  运行nginx
    docker run -it -d --name mynginx -p 80:80 -p 443:443 -v /opt/nginx/:/etc/nginx/   -v /opt/nginx/logs:/var/log/nginx  nginx:1.15