2. 程式人生 > >使用kuberspay部署高可用kubernetes叢集

使用kuberspay部署高可用kubernetes叢集

阿新 發佈:2018-12-27

0 環境

環境:

主機名 IP
k8s-node01 172.16.120.151
k8s-node02 172.16.120.152
k8s-node03 172.16.120.153
ansible-client

==mac os x固定vware虛擬機器IP
sudo vi /Library/Preferences/VMware\ Fusion/vmnet8/dhcpd.conf
在檔案末尾新增==

host CentOS01{
    hardware ethernet 00:0C:29:15:5C:F1;
    fixed-address
 
 172.16.120.151;
}
host CentOS02{
    hardware ethernet 00:0C:29:D1:C4:9A;
    fixed-address 172.16.120.152;
}
host CentOS03{
    hardware ethernet 00:0C:29:C2:A6:93;
    fixed-address 172.16.120.153;
}
  • centos01為固定ip虛擬機器的名稱
  • hardware ethernet 硬體地址
  • fixed-address 固定ip地址

ip地址取值範圍必須在hdcpd.conf給定的範圍內,配置完成後重啟vware。

設定主機名:

hostnamectl --static set-hostname  k8s-node01
hostnamectl --static set-hostname  k8s-node02
hostnamectl --static set-hostname  k8s-node03

關閉防火牆:

systemctl disable firewalld
systemctl stop firewalld
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

使用阿里雲yum映象,docker安裝速度快

#docker yum源
 

cat >> /etc/yum.repos.d/docker.repo <<EOF
[docker-repo]
name=Docker Repository
baseurl=http://mirrors.aliyun.com/docker-engine/yum/repo/main/centos/7
enabled=1
gpgcheck=0
EOF

同時配置好阿里雲加速器

mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://5md0553g.mirror.aliyuncs.com"]
}
EOF

手動安裝docker:

#檢視docker版本
yum list docker-engine –showduplicates
#安裝docker
yum install -y docker-engine-1.13.1-1.el7.centos.x86_64

1 安裝 ansible

在ansible的控制伺服器ansible-client上安裝ansible。

# 安裝 python 及 epel
yum install -y epel-release python-pip python34 python34-pip
# 安裝 ansible(必須先安裝 epel 源再安裝 ansible)
yum install -y ansible

託管節點python的版本需要大於2.5。

ansible不支援windows,其他系統的安裝方式可以查閱ansible官方網站。

2 設定免密登入

在ansible-client執行 ssh-keygen -t rsa 生成金鑰對

ssh-keygen -t rsa -P ''

將~/.ssh/id_rsa.pub複製到其他所有節點,這樣ansible-client到其他所有節點可以免密登入

IP=(172.16.120.151 172.16.120.152 172.16.120.153)
for x in ${IP[*]}; do ssh-copy-id -i ~/.ssh/id_rsa.pub $x; done

要使用root許可權執行上面操作。

3 下載kuberspay原始碼

可以從主分支下載:

git clone https://github.com/kubernetes-incubator/kubespray.git

也可以下載釋出版本:

wget https://github.com/kubernetes-incubator/kubespray/archive/v2.1.2.tar.gz

本文采用v2.1.2 釋出版本安裝。

4 將grc.io和quay.io的映象上傳到阿里雲

kuberspay涉及到的映象。

quay.io/coreos/hyperkube:v1.7.3_coreos.0
quay.io/coreos/etcd:v3.2.4
quay.io/calico/ctl:v1.4.0
quay.io/calico/node:v2.4.1
quay.io/calico/cni:v1.10.0
quay.io/kube-policy-controller:v0.7.0
quay.io/calico/routereflector:v0.3.0
quay.io/coreos/flannel:v0.8.0
quay.io/coreos/flannel-cni:v0.2.0
quay.io/l23network/k8s-netchecker-agent:v1.0
quay.io/l23network/k8s-netchecker-server:v1.0
weaveworks/weave-kube:2.0.1
weaveworks/weave-npc:2.0.1
gcr.io/google_containers/kubernetes-dashboard-amd64:v1.6.3
gcr.io/google_containers/cluster-proportional-autoscaler-amd64:1.1.1
gcr.io/google_containers/fluentd-elasticsearch:1.22
gcr.io/google_containers/kibana:v4.6.1
gcr.io/google_containers/elasticsearch:v2.4.1
gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.2
gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.2
gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.2
gcr.io/google_containers/pause-amd64:3.0
gcr.io/kubernetes-helm/tiller:v2.2.2
gcr.io/google_containers/heapster-grafana-amd64:v4.4.1
gcr.io/google_containers/heapster-amd64:v1.4.0
gcr.io/google_containers/heapster-influxdb-amd64:v1.1.1
gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
gcr.io/google_containers/defaultbackend:1.3

通過grc.io的到阿里雲:

#!/bin/bash
set -o errexit
set -o nounset
set -o pipefail

kubednsautoscaler_version=1.1.1
dns_version=1.14.2
kube_pause_version=3.0
dashboard_version=v1.6.3
fluentd_es_version=1.22
kibana_version=v4.6.1
elasticsearch_version=v2.4.1
heapster_version=v1.4.0
heapster_grafana_version=v4.4.1
heapster_influxdb_version=v1.1.1
nginx_ingress_version=0.9.0-beta.11
defaultbackend_version=1.3

GCR_URL=gcr.io/google_containers
ALIYUN_URL=registry.cn-hangzhou.aliyuncs.com/szss_k8s

images=(
cluster-proportional-autoscaler-amd64:${kubednsautoscaler_version}
k8s-dns-sidecar-amd64:${dns_version}
k8s-dns-kube-dns-amd64:${dns_version}
k8s-dns-dnsmasq-nanny-amd64:${dns_version}
pause-amd64:${kube_pause_version}
kubernetes-dashboard-amd64:${dashboard_version}
fluentd-elasticsearch:${fluentd_es_version}
kibana:${kibana_version}
elasticsearch:${elasticsearch_version}
fluentd-elasticsearch:${fluentd_es_version}
kibana:${kibana_version}
heapster-amd64:${heapster_version}
heapster-grafana-amd64:${heapster_grafana_version}
heapster-influxdb-amd64:${heapster_influxdb_version}
nginx-ingress-controller:${nginx_ingress_version}
defaultbackend:${defaultbackend_version}
)

for imageName in ${images[@]} ; do
  docker pull $GCR_URL/$imageName
  docker tag $GCR_URL/$imageName $ALIYUN_URL/$imageName
  docker push $ALIYUN_URL/$imageName
  docker rmi $ALIYUN_URL/$imageName
done

通過quay.io的映象到阿里雲:

QUAY_URL=quay.io
ALIYUN_URL=registry.cn-hangzhou.aliyuncs.com/szss_quay_io

# master分支
#images=(
#coreos/hyperkube:v1.7.3_coreos.0
#coreos/etcd:v3.2.4
#coreos/flannel:v0.8.0
#coreos/flannel-cni:v0.2.0
#calico/kube-policy-controller:v0.7.0
#calico/ctl:v1.4.0
#calico/node:v2.4.1
#calico/cni:v1.10.0
#calico/routereflector:v0.3.0
#l23network/k8s-netchecker-agent:v1.0
#l23network/k8s-netchecker-server:v1.0
#)
# kuberspay v2.1.2版本
images=(
coreos/hyperkube:v1.6.7_coreos.0
coreos/etcd:v3.2.4
coreos/flannel:v0.8.0
coreos/flannel-cni:v0.2.0
calico/kube-policy-controller:v0.5.4
calico/ctl:v1.1.3
calico/node:v1.1.3
calico/cni:v1.8.0
calico/routereflector:v0.3.0
l23network/k8s-netchecker-agent:v1.0
l23network/k8s-netchecker-server:v1.0
)

for imageName in ${images[@]} ; do
  docker pull $QUAY_URL/$imageName
  docker tag $QUAY_URL/$imageName $ALIYUN_URL/${imageName/\//-}
  docker push $ALIYUN_URL/${imageName/\//-}
  docker rmi $ALIYUN_URL/${imageName/\//-}
done

5 映象替換

在kuberspay原始碼原始碼中搜索包含 gcr.io/google_containers 和 quay.io 映象的檔案,並替換為我們之前已經上傳到阿里雲的進行,替換腳步如下:

grc_image_files=(
./kubespray/extra_playbooks/roles/dnsmasq/templates/dnsmasq-autoscaler.yml
./kubespray/extra_playbooks/roles/download/defaults/main.yml
./kubespray/extra_playbooks/roles/kubernetes-apps/ansible/defaults/main.yml
./kubespray/roles/download/defaults/main.yml
./kubespray/roles/dnsmasq/templates/dnsmasq-autoscaler.yml
./kubespray/roles/kubernetes-apps/ansible/defaults/main.yml
)

for file in ${grc_image_files[@]} ; do
    sed -i 's/gcr.io\/google_containers/registry.cn-hangzhou.aliyuncs.com\/szss_k8s/g' $file
done

quay_image_files=(
./kubespray/extra_playbooks/roles/download/defaults/main.yml
./kubespray/roles/download/defaults/main.yml
)

for file in ${quay_image_files[@]} ; do
    sed -i 's/quay.io\/coreos\//registry.cn-hangzhou.aliyuncs.com\/szss_quay_io\/coreos-/g' $file
    sed -i 's/quay.io\/calico\//registry.cn-hangzhou.aliyuncs.com\/szss_quay_io\/calico-/g' $file
    sed -i 's/quay.io\/l23network\//registry.cn-hangzhou.aliyuncs.com\/szss_quay_io\/l23network-/g' $file
done

如果在mac os x執行指令碼,需要在sed -i 後面新增一個空字串,例如sed -i ” ‘s/a/b/g’ file

6 配置檔案內容

可以對basic_auth的密碼進行修改,網路外掛預設calico,可替換成weave或flannel,還可以配置是否安裝helm和efk。

下面的的配置為kuberspay 2.1.2的配置。

$vi ~/kubespray/inventory/group_vars/k8s-cluster.yml

# Kubernetes configuration dirs and system namespace.
# Those are where all the additional config stuff goes
# the kubernetes normally puts in /srv/kubernets.
# This puts them in a sane location and namespace.
# Editting those values will almost surely break something.
kube_config_dir: /etc/kubernetes
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
kube_manifest_dir: "{{ kube_config_dir }}/manifests"
system_namespace: kube-system

# Logging directory (sysvinit systems)
kube_log_dir: "/var/log/kubernetes"

# This is where all the cert scripts and certs will be located
kube_cert_dir: "{{ kube_config_dir }}/ssl"

# This is where all of the bearer tokens will be stored
kube_token_dir: "{{ kube_config_dir }}/tokens"

# This is where to save basic auth file
kube_users_dir: "{{ kube_config_dir }}/users"

kube_api_anonymous_auth: false

## Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.6.7

# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
local_release_dir: "/tmp/releases"
# Random shifts for retrying failed ops like pushing/downloading
retry_stagger: 5

# This is the group that the cert creation scripts chgrp the
# cert files to. Not really changable...
kube_cert_group: kube-cert

# Cluster Loglevel configuration
kube_log_level: 2

# Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user
kube_api_pwd: "changeme"
kube_users:
  kube:
    pass: "{{kube_api_pwd}}"
    role: admin
  root:
    pass: "{{kube_api_pwd}}"
    role: admin
    # groups:
    #   - system:masters



## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
#kube_basic_auth: false
#kube_token_auth: false


## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)

# kube_oidc_url: https:// ...
# kube_oidc_client_id: kubernetes
## Optional settings for OIDC
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
# kube_oidc_username_claim: sub
# kube_oidc_groups_claim: groups


# Choose network plugin (calico, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico

# weave's network password for encryption
# if null then no network encryption
# you can use --extra-vars to pass the password in command line
weave_password: EnterPasswordHere

# Weave uses consensus mode by default
# Enabling seed mode allow to dynamically add or remove hosts
# https://www.weave.works/docs/net/latest/ipam/
weave_mode_seed: false

# This two variable are automatically changed by the weave's role, do not manually change these values
# To reset values :
# weave_seed: uninitialized
# weave_peers: uninitialized
weave_seed: uninitialized
weave_peers: uninitialized

# Enable kubernetes network policies
enable_network_policy: false

# Kubernetes internal network for services, unused block of space.
kube_service_addresses: 10.233.0.0/18

# internal network. When used, it will assign IP
# addresses from this range to individual pods.
# This network must be unused in your network infrastructure!
kube_pods_subnet: 10.233.64.0/18

# internal network node size allocation (optional). This is the size allocated
# to each node on your network.  With these defaults you should have
# room for 4096 nodes with 254 pods per node.
kube_network_node_prefix: 24

# The port the API Server will be listening on.
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
kube_apiserver_port: 6443 # (https)
kube_apiserver_insecure_port: 8080 # (http)

# DNS configuration.
# Kubernetes cluster name, also will be used as DNS domain
cluster_name: cluster.local
# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
ndots: 2
# Can be dnsmasq_kubedns, kubedns or none
dns_mode: kubedns
# Can be docker_dns, host_resolvconf or none
resolvconf_mode: docker_dns
# Deploy netchecker app to verify DNS resolve as an HTTP service
deploy_netchecker: false
# Ip address of the kubernetes skydns service
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
dns_domain: "{{ cluster_name }}"

# Path used to store Docker data
docker_daemon_graph: "/var/lib/docker"

## A string of extra options to pass to the docker daemon.
## This string should be exactly as you wish it to appear.
## An obvious use case is allowing insecure-registry access
## to self hosted registries like so:

docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }}  {{ docker_log_opts }}"
docker_bin_dir: "/usr/bin"

# Settings for containerized control plane (etcd/kubelet/secrets)
etcd_deployment_type: docker
kubelet_deployment_type: docker
cert_management: script
vault_deployment_type: docker

# K8s image pull policy (imagePullPolicy)
k8s_image_pull_policy: IfNotPresent

# Monitoring apps for k8s
efk_enabled: false

# Helm deployment
helm_enabled: false

# dnsmasq
# dnsmasq_upstream_dns_servers:
#  - /resolvethiszone.with/10.0.4.250
#  - 8.8.8.8

#  Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (default true)
# kubelet_cgroups_per_qos: true

# A comma separated list of levels of node allocatable enforcement to be enforced by kubelet.
# Acceptible options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
# kubelet_enforce_node_allocatable: pods

7 生成叢集配置

yum install -y python-pip python34 python34-pip
# 定義叢集IP
IP=(
172.16.120.151
172.16.120.152
172.16.120.153
)
# 利用kubespray自帶的python指令碼生成配置
CONFIG_FILE=./kubespray/inventory/inventory.cfg python3 ./kubespray/contrib/inventory_builder/inventory.py ${IP[*]}

叢集配置如下:

$cat ./kubespray/inventory/inventory.cfg 
[all]
node1    ansible_host=172.16.120.151 ip=172.16.120.151
node2    ansible_host=172.16.120.152 ip=172.16.120.152
node3    ansible_host=172.16.120.153 ip=172.16.120.153

[kube-master]
node1    
node2    

[kube-node]
node1    
node2    
node3    

[etcd]
node1    
node2    
node3    

[k8s-cluster:children]
kube-node    
kube-master      

[calico-rr]

[vault]
node1    
node2    
node3

8 安裝叢集

cd kubespray
ansible-playbook -i inventory/inventory.cfg cluster.yml -b -v --private-key=~/.ssh/id_rsa

9 troubles shooting

錯誤1:在安裝過程中報錯:

fatal: [node1]: FAILED! => {"failed": true, "msg": "The ipaddr filter requires python-netaddr be installed on the ansible controller"}

需要安裝 python-netaddr,安裝命令pip install netaddr。

錯誤2:在安裝過程中報錯:

{"failed": true, "msg": "The conditional check '{%- set certs = {'sync': False} -%}\n{% if gen_node_certs[inventory_hostname] or\n  (not etcdcert_node.results[0].stat.exists|default(False)) or\n    (not etcdcert_node.results[1].stat.exists|default(False)) or\n      (etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr(\"path\", \"equalto\", etcdcert_node.results[1].stat.path)|map(attribute=\"checksum\")|first|default('')) -%}\n        {%- set _ = certs.update({'sync': True}) -%}\n{% endif %}\n{{ certs.sync }}' failed. The error was: no test named 'equalto'\n\nThe error appears to have been in '/root/kubespray/roles/etcd/tasks/check_certs.yml': line 57, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: \"Check_certs | Set 'sync_certs' to true\"\n  ^ here\n"}

10 安裝失敗清理

rm -rf /etc/kubernetes/
rm -rf /var/lib/kubelet
rm -rf /var/lib/etcd
rm -rf /usr/local/bin/kubectl
rm -rf /etc/systemd/system/calico-node.service
rm -rf /etc/systemd/system/kubelet.service
systemctl stop etcd.service
systemctl disable etcd.service
systemctl stop calico-node.service
systemctl disable calico-node.service
docker stop $(docker ps -q)
docker rm $(docker ps -a -q)
service docker restart

11 參考

相關推薦

使用kuberspay部署可用kubernetes叢集

0 環境 環境: 主機名 IP k8s-node01 172.16.120.151 k8s-node02 172.16.120.152 k8s-node03 172.16.120.153

使用kubespray部署可用kubernetes叢集

0 環境環境:主機名IPk8s-node01172.16.120.151k8s-node02172.16.120.152k8s-node03172.16.120.153ansible-client設定主機名:hostnamectl --static set-hostname

可用 kubernetes 叢集部署實踐

前言 Kubernetes(k8s) 憑藉著其優良的架構,靈活的擴充套件能力,豐富的應用編排模型,成為了容器編排領域的事實標準

使用kubeadm安裝安全可用kubernetes叢集

安裝包地址 如非高可用安裝請忽略此教程,直接看產品頁的三步安裝。 單個master流程:  單master視訊教程 解壓後在master 上 cd shell && sh init.sh ,然後sh master.sh(注意因為指令碼用的相

kubespray -- 快速部署可用k8s叢集

主機      系統版本      配置       ip Mater、Node,ansible Cent

一鍵部署可用etcd叢集(TLS,ubuntu)(freetoo、碼客、盧益貴)

一鍵部署高可用etcd叢集(TLS,ubuntu)(freetoo、碼客、盧益貴)   這是一個便捷高效的部署高可用etcd叢集(TLS)的指令碼工具。 下載連結: https://download.csdn.net/download/guestcode/1079847

基於saltstack自動化部署可用kubernetes集群

內核模塊 .com state.sls nio nginx 插件 perl oot mono SaltStack自動化部署HA-Kubernetes 本項目在GitHub上,會不定期更新,大家也可以提交ISSUE,地址為:https://github.com/skym

僅需60秒,使用k3sup快速部署可用K3s叢集

> 作者簡介 > > Dmitriy > Akulov,連續創業者,16歲時搭建了開源CDN公共服務jsDelivr的v1版本。目前是邊緣託管平臺appfleet創始人。 >原文連結: > >https://ma.ttias.be/deploying-highl

Kubernetes叢集部署可用Harbor映象倉庫

一、實驗環境 harbor的工作節點 10.142.71.120 paasm1 10.142.71.121 paasm2 10.142.71.123 paashar 作業系統:CentOS Linux release 7.2.1511 (Core)

kubernetes叢集部署可用Postgresql的Stolon方案

目錄 前言 ....前言 本文選用Stolon的方式搭建Postgresql高可用方案,主要為Harbor提供高可用資料庫,Harbor搭建可檢視kubernetes搭建Harbor無坑及Harbor倉庫同步,之後會提供redis高可用及Harbor高可用方案搭建 方案比較 幾種postgresql高可用方案

kubeadm部署可用叢集Kubernetes 1.14.1版本

 Kubernetes高可用叢集部署 部署架構: Master 元件: kube-apiserver Kubernetes API,叢集的統一入口,各元件協調者,以HTTP API提供介面服務,所有物件資源的增刪改查和監聽操作都交給APIServer處理後再提交給Etcd儲存。

多節點可用Eureka叢集配置與部署

前言 上一節講的是動態擴容Eureka服務,說實話,一般情況這種操作並不多,一般多用在,由於大量服務節點部署後給Eureka造成壓力突然積增,而解決的辦法。這節講的是一次啟動或部署,直接就是叢集多節點的,多用於服務節點相對穩定的場景。還有筆者這裡有實際部署和應用的經驗分享給大家,就是,我目前25

Kubeadm建立可用Kubernetes v1.12.0叢集 (轉)

節點規劃 主機名 IP Role k8s-master01 10.3.1.20 etcd、Master、Node、keepalived k8s-master02 10.3.1.21 etcd、Master、Node、keepa

Saltstack自動化運維工具(一鍵部署可用負載均衡叢集

在上篇部落格中我們利用salt推送了一臺主機上的haproxy為了實現高可用和負載均衡,我們再使用一臺虛擬機器server4搭建叢集 server1和server4組成高可用和負載均衡叢集 在server4 做好底層配置: 在server4上安裝minion,更改配置檔

利用saltstack一鍵部署可用負載均衡叢集

實驗環境: Server1 172.25.254.1 maseter/minion keepalived/haproxy Server2 172.25.254.2 minion httpd Server3 172.25.254.3 minion

部署可用的Redis叢集架構

如果正在連線的master不可用時,客戶端會先丟擲redis.exceptions.ConnectionError異常(此時還未開始failover),然後丟擲redis.sentinel.MasterNotFoundError異常(failover進行中),在sentinel正常failover之後,例項正

Redis實踐(二)可用叢集+哨兵部署

  進入後,輸入shutdown   注意這裡需要新增-h引數,如果不新增此引數,會報告如下異常:   Could not connect to Redis at 127.0.0.1:6379: Connection refused   原因就是在conf檔案中,我們配置 bind 引數   info  命令

keepalive軟體部署 可用叢集(HA)

使用keepalive軟體部署 高可用叢集(HA) keepalived軟體可以做任意單點故障節點的高可用叢集 把網站伺服器66和67配置為HA叢集,正在被使用者訪問的主機66做主,67做備份伺服器 使用目標:當網站伺服器64宕機後,網站伺服器65自動響應客戶端訪問網站

spark--2.部署可用的Spark叢集

這裡已經假設部署了hadoop2.6.0 HA叢集: 節點安排如下: 節點名稱 角色 itcast01、itcast02 Namenode和zkfc itcast03、itcast04 ResourceManager

SaltStack一鍵自動化部署可用負載均衡叢集

本節內容涉及的saltstack配置以及各服務的安裝包和配置檔案均打包上傳到了百度雲,可自由下載使用 實驗環境(rhel6.5 x86_64bit virtual machine) 172.25.5.91 salt-master rhel65-lockey1