Winse Blog

Every stop along the way is scenery, all the bustle is headed for the best, all the hurry is for tomorrow, so what is there to fear.

K8s Harbor Config

For comparison, I still want to write up installing Harbor on CentOS 7: it is almost too easy, especially remembering how painful the install on CentOS 6 was ($.$)...

Environment

[root@cu2 kube-deploy]# yum install -y redhat-lsb
[root@cu2 kube-deploy]# lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description:    CentOS Linux release 7.3.1611 (Core) 
Release:        7.3.1611
Codename:       Core

[root@cu2 kube-deploy]# docker version
Client:
 Version:      1.12.6
 API version:  1.24
 Go version:   go1.6.4
 Git commit:   78d1802
 Built:        Tue Jan 10 20:20:01 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.6
 API version:  1.24
 Go version:   go1.6.4
 Git commit:   78d1802
 Built:        Tue Jan 10 20:20:01 2017
 OS/Arch:      linux/amd64

Environment built with docker-multinode

[root@cu2 kube-deploy]# kubectl version
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.6", GitCommit:"114f8911f9597be669a747ab72787e0bd74c9359", GitTreeState:"clean", BuildDate:"2017-03-28T13:36:31Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.6", GitCommit:"114f8911f9597be669a747ab72787e0bd74c9359", GitTreeState:"clean", BuildDate:"2017-03-28T13:36:31Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}

Installation and configuration

  • Certificate preparation
[root@cu2 ~]# cd /data/kubernetes/
[root@cu2 kubernetes]# cd kube-deploy/
[root@cu2 kube-deploy]# cat easy-rsa.sh 
#!/bin/sh

# cd /data/kubernetes
cd ..

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3

echo "# ======  CA  ======= #"
./easyrsa init-pki
./easyrsa build-ca #remember the password you enter; it is needed again when issuing certificates below

echo "# ======  CERT  ======= #"
./easyrsa gen-req cu nopass
./easyrsa sign-req server cu #use the domain name that will be served as the commonName
  • Download the offline images

From harbor-offline-installer-0.5.0.tgz, load the images contained in harbor.0.5.0.tgz

[root@cu2 harbor-make]# docker images 
REPOSITORY                                            TAG                 IMAGE ID            CREATED             SIZE
vmware/harbor-jobservice                              0.5.0               1700fbe602a0        3 months ago        148.4 MB
vmware/harbor-ui                                      0.5.0               6db5718f2012        3 months ago        209.6 MB
vmware/harbor-db                                      0.5.0               c401344852c6        3 months ago        326.8 MB
nginx                                                 1.11.5              cc16e49f1304        4 months ago        181.4 MB
registry                                              2.5.0               44a8766d1758        8 months ago        33.28 MB
  • Edit the config file and the image names in the yaml files
[root@cu2 harbor-make]# vi harbor.cfg

hostname = cu.esw.cn
ui_url_protocol = https
ssl_cert = /data/kubernetes/easy-rsa/easyrsa3/pki/issued/cu.crt
ssl_cert_key = /data/kubernetes/easy-rsa/easyrsa3/pki/private/cu.key 

[root@cu2 harbor-make]# find kubernetes/ -name "*.rc.yaml" 
kubernetes/nginx/nginx.rc.yaml
kubernetes/mysql/mysql.rc.yaml
kubernetes/registry/registry.rc.yaml
kubernetes/ui/ui.rc.yaml
kubernetes/jobservice/jobservice.rc.yaml
  • Start

Use the latest k8s manifests from GitHub for starting it up, not the ones under the release!!

[root@cu2 harbor-make]# cd kubernetes/
[root@cu2 kubernetes]# python prepare 

[root@cu2 kubernetes]# cat kube.sh 
#!/bin/sh

OP=${1:-"apply"}

kubectl $OP -f pv/

kubectl $OP -f jobservice/jobservice.cm.yaml
kubectl $OP -f mysql/mysql.cm.yaml
kubectl $OP -f nginx/nginx.cm.yaml
kubectl $OP -f registry/registry.cm.yaml
kubectl $OP -f ui/ui.cm.yaml

kubectl $OP -f jobservice/jobservice.svc.yaml
kubectl $OP -f mysql/mysql.svc.yaml
kubectl $OP -f nginx/nginx.svc.yaml
kubectl $OP -f registry/registry.svc.yaml
kubectl $OP -f ui/ui.svc.yaml

kubectl $OP -f registry/registry.rc.yaml 
kubectl $OP -f mysql/mysql.rc.yaml 
kubectl $OP -f jobservice/jobservice.rc.yaml 
kubectl $OP -f ui/ui.rc.yaml 
kubectl $OP -f nginx/nginx.rc.yaml

Client-side CA

[root@cu2 kube-deploy]# cat rsync-deploy.sh 
#!/bin/sh

SERVICES="$@"
HOSTS=$(echo cu{1..5} )

#########
# Harbor
if echo "$SERVICES" | grep harbor >/dev/null ; then 

  sed -i '/cu.esw.cn/d' /etc/hosts

  cat >>/etc/hosts <<EOF
$( kubectl get service nginx -n default -o jsonpath="{..clusterIP}" ) cu.esw.cn
EOF
  echo "Updated Local Hosts"

  for h in $HOSTS ; do
    if [[ $h != "$(hostname)" ]] ; then
      rsync -az /etc/hosts $h:/etc/
    fi

    ssh $h "mkdir -p /etc/docker/certs.d/cu.esw.cn/"
    rsync -az /data/kubernetes/easy-rsa/easyrsa3/pki/ca.crt $h:/etc/docker/certs.d/cu.esw.cn/

    ssh $h "docker login -u admin -p Harbor12345 cu.esw.cn"
  done
  echo "Harbor Rsync Succeeded"

fi 

Done. Try pushing and pulling an image:

[root@cu1 dev]# docker build -t cu.esw.cn/library/codis:3.2 codis/
[root@cu1 dev]# docker push cu.esw.cn/library/codis:3.2

[root@cu2 ~]# docker pull cu.esw.cn/library/codis:3.2
3.2: Pulling from library/codis
386a066cd84a: Already exists 
a3ed95caeb02: Pull complete 
b1d31257c103: Pull complete 
0e627f083b66: Pull complete 
83912002f3f9: Pull complete 
fc5e0ef7d361: Pull complete 
47fe51a74a06: Pull complete 
08dacccac43c: Pull complete 
ec5a5e8fd71b: Pull complete 
83f9da97d228: Pull complete 
d4735c06cafa: Pull complete 
3a4dc262a84d: Pull complete 
bcf78ab0a1a9: Pull complete 
7ac5a6fd0bf8: Pull complete 
Digest: sha256:1c9280840222d736b7419b7e896b6286709d08e53890ae9e3d18062d61a9ad58
Status: Downloaded newer image for cu.esw.cn/library/codis:3.2

[root@cu3 ~]# docker pull cu.esw.cn/library/codis:3.2
...
layers from manifest don't match image configuration (not sure yet what causes this; temporary workaround... 囧)
[root@cu2 data]# docker save cu.esw.cn/library/codis:3.2 | ssh cu3 docker load

Summary

Newer docker and k8s both support environment variables and config volumes, so the configuration is comparatively simple.

–END

Codis: Going Further

I had installed codis around the middle of last year. Because of tight deadlines at the time we made do with Jedis's ShardedJedisPool, but since routing and management were all done by hand it was too hard to maintain, especially once the originally configured number of instances was no longer enough.

At the start of the year the project was in testing, so with some spare time I revisited redis clustering and set up an environment to test with:

Versions:

  • codis-3.2
  • centos6

Compiling and installing in the test environment

The current release bundles all its dependencies, so it can be compiled directly. (CentOS 6 is not compatible with the prebuilt binaries from the official site.)

tar zxvf go1.6.2.linux-amd64.tar.gz 

/etc/profile
export GOROOT=/opt/go
export GOPATH=/opt/gopath
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH

-

[root@cu2 CodisLabs]# pwd
/opt/go/src/github.com/CodisLabs

# @2017-06-05
# If you downloaded the tar.gz, just unpack it under the CodisLabs directory and add a symlink
# cd $GOPATH ; mkdir -p src/github.com/CodisLabs/
# cd src/github.com/CodisLabs/; ln -s codis-3.2-rc2 codis
[root@cu2 CodisLabs]# git clone --branch release3.2  https://github.com/CodisLabs/codis.git 

[root@cu2 CodisLabs]# cd codis/

# Install a few dependencies
# # ./autogen.sh: line 5: autoconf: command not found
# yum install autoconf 
[root@cu2 codis]# make 

[root@cu2 codis]# ll bin/
total 101292
drwxr-xr-x 4 root root     4096 Mar 15 12:58 assets
-rwxr-xr-x 1 root root 21036930 Mar 15 12:58 codis-admin
-rwxr-xr-x 1 root root 22343059 Mar 15 12:58 codis-dashboard
-rwxr-xr-x 1 root root 18378506 Mar 15 12:58 codis-fe
-rwxr-xr-x 1 root root 22675153 Mar 15 12:58 codis-proxy
-rwxr-xr-x 1 root root  7982967 Mar 15 12:58 codis-server
-rwxr-xr-x 1 root root  5580431 Mar 15 12:58 redis-benchmark
-rwxr-xr-x 1 root root  5712419 Mar 15 12:58 redis-cli
-rw-r--r-- 1 root root      170 Mar 15 12:58 version
[root@cu2 codis]# cat bin/version 
version = 2017-03-15 00:40:41 +0800 @be9ee25c63a64396b5fb0076447be560497b909d @3.2-beta-10-gbe9ee25
compile = 2017-03-15 12:58:23 +0800 by go version go1.6.2 linux/amd64

# Generate the default configs
[root@cu2 codis]# bin/codis-dashboard --default-config | tee dashboard.toml
[root@cu2 codis]# bin/codis-proxy --default-config | tee proxy.toml

Production deployment

Just copy GOPATH and GOROOT from the test environment to production as they are. Note that the dashboard and proxy configs were already generated above!!

[ud@cu-ud6 opt]$ ll
drwxrwxr-x.  2 ud   ud   4096 3月  18 00:10 bin
drwxr-xr-x. 11 ud   ud   4096 4月  20 2016 go
drwxr-xr-x.  4 ud   ud   4096 3月  15 12:58 gopath
drwxr-xr-x.  8 ud   ud   4096 3月  17 20:13 jdk1.8.0_92
drwxr-xr-x. 10 ud   ud   4096 2月  20 2014 zookeeper-3.4.6

[ud@cu-ud6 opt]$ ll bin
总用量 24
-rw-rw-r--. 1 ud ud 234 3月  17 20:36 codis.profile
lrwxrwxrwx. 1 ud ud  54 3月  17 20:34 redis-cli -> ../gopath/src/github.com/CodisLabs/codis/bin/redis-cli
-rwxrwxr-x. 1 ud ud 487 3月  17 20:54 start-codis-dashboard.sh
-rwxrwxr-x. 1 ud ud 310 3月  18 00:10 start-codis-proxy.sh
-rwxrwxr-x. 1 ud ud 335 3月  17 21:17 start-redis.sh
-rwxrwxr-x. 1 ud ud 323 3月  17 20:55 start-zoo.sh

[ud@cu-ud6 opt]$ for f in $( find bin -type f ) ; do echo " =============== $f ================= "; cat "$f" ; done
 =============== bin/codis.profile ================= 
#!/bin/sh

export GOROOT=/opt/go
export GOPATH=/opt/gopath
export CODIS_HOME=$GOPATH/src/github.com/CodisLabs/codis/
export LOG_DIR=/var/log

export JAVA_HOME=/opt/jdk1.8.0_92

export PATH=$JAVA_HOME/bin:$GOPATH/bin:$GOROOT/bin:$PATH

 =============== bin/start-zoo.sh ================= 
#!/bin/sh

CODIS_BIN="${BASH_SOURCE-$0}"
CODIS_BIN="$(dirname "${CODIS_BIN}")"
CODIS_BINDIR="$(cd "${CODIS_BIN}"; pwd)"

source $CODIS_BINDIR/codis.profile

export ZOO_LOG_DIR=$LOG_DIR

cd /opt/zookeeper-3.4.6
sed 's@dataDir=/tmp/zookeeper@dataDir=/data/zookeeper@' conf/zoo_sample.cfg >conf/zoo.cfg

bin/zkServer.sh start

 =============== bin/start-codis-dashboard.sh ================= 
#!/bin/sh

CODIS_BIN="${BASH_SOURCE-$0}"
CODIS_BIN="$(dirname "${CODIS_BIN}")"
CODIS_BINDIR="$(cd "${CODIS_BIN}"; pwd)"

source $CODIS_BINDIR/codis.profile

cd $CODIS_HOME
nohup bin/codis-dashboard \
  --ncpu=4 \
  --config=dashboard.toml \
  --log=$LOG_DIR/codis_dashboard.log \
  --log-level=INFO \
  >/dev/null 2>&1 &

nohup bin/codis-fe \
  --ncpu=4 \
  --zookeeper=127.0.0.1:2181 \
  --listen=0.0.0.0:28080 \
  --log=$LOG_DIR/codis_fe.log \
  --log-level=INFO \
  >/dev/null 2>&1 &

 =============== bin/start-codis-proxy.sh ================= 
#!/bin/sh

CODIS_BIN="${BASH_SOURCE-$0}"
CODIS_BIN="$(dirname "${CODIS_BIN}")"
CODIS_BINDIR="$(cd "${CODIS_BIN}"; pwd)"

source $CODIS_BINDIR/codis.profile

cd $CODIS_HOME
nohup bin/codis-proxy \
  --ncpu=24 \
  --config=proxy.toml \
  --log=$LOG_DIR/codis_proxy.log \
  --log-level=INFO \
  >/dev/null 2>&1 &

 =============== bin/start-redis.sh ================= 
#!/bin/sh

CODIS_BIN="${BASH_SOURCE-$0}"
CODIS_BIN="$(dirname "${CODIS_BIN}")"
CODIS_BINDIR="$(cd "${CODIS_BIN}"; pwd)"

source $CODIS_BINDIR/codis.profile

PORT=${1:-6379}

cd $CODIS_HOME
bin/codis-server --daemonize yes --port $PORT --pidfile /var/run/redis_$PORT.pid --logfile $LOG_DIR/redis_$PORT.log --save "" --bind $(hostname) 

Environment:

  • zookeeper: cu-ud6
  • dashboard: cu-ud6
  • fe: cu-ud6
  • proxy: cu-ud6/7/8
  • redis: cu-ud6/7/8:6378/6379
  • nginx proxy: cu-ud9

Steps in the web UI:

  • Add the proxies in the UI: cu6/7/8:11080
  • Then add the groups, entering the numbers: 1/2/3/4/5/6
  • Then add the servers: cu-ud6/7/8:6378/6379
  • Finally assign the slots

The newer nginx 1.11 supports TCP proxying, which can be used to load-balance the proxies:

# Build nginx
./configure --with-stream --with-http_ssl_module --with-pcre=src/pcre --with-zlib=src/zlib --prefix=/usr/local/nginx
make && make install

[ud@cu-ud9 nginx]$ cat conf/nginx.conf

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
error_log  /var/log/nginx_error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

stream {
  upstream proxy {
    hash   $remote_addr;
    server cu-ud6:19000;
    server cu-ud7:19000;
    server cu-ud8:19000;
  }
  
  server {
    listen cu-ud9:19000;
    proxy_timeout 600s;
    proxy_pass proxy;
  }
}

# Test reading data
[ud@cu-ud6 opt]$ bin/redis-cli -h cu-ud6 -p 6379 scan 0 # sample keys
[ud@cu-ud6 opt]$ bin/redis-cli -h cu-ud9 -p 19000
> get XXX

Reset the statistics:

[ud@cu-ud6 codis]$ bin/codis-admin --proxy=cu-ud6:11080 --reset-stats

Problems

The pipelines were too large; raise backend_max_pipeline/session_max_pipeline in the proxy config. At the same time, make the client code call sync after a fixed number of pipelined commands.

2017/03/18 00:01:23 session.go:79: [INFO] session [0xc839888d80] create: {"ops":0,"create":1489766483,"remote":"192.168.32.182:57029"}
2017/03/18 00:01:24 session.go:86: [INFO] session [0xc834a06d80] closed: {"ops":39601,"create":1489766483,"lastop":1489766484,"remote":"192.168.32.182:57028"}, error: too many pipelined requests

sync still times out; raise nginx's proxy_timeout and the timeout passed when the client is initialized.

new JedisPool(new GenericObjectPoolConfig(), "cu-ud9", 19000, 10 * 60 * 1000)

W: it feels like the proxy still stalls; after a sync it sometimes goes unresponsive for several minutes.

–END

K8s Harbor Config on Centos6

Prologue

I wrote earlier about installing k8s on centos6; later, after rebooting a worker node, that node's network stopped working with connect: Invalid argument. After updating to the latest 0.7.0, worker nodes come back with working networking after a reboot.

Back to the topic: installing harbor. The idea was to get something like a private maven repository (previously it was save/load machine by machine, which is a pain):

  • Installing plain registry would have been enough, but having to add the port every time is annoying!!!
  • Put a service on port 80, but then the --insecure-registry flag is still needed. Acceptable, but no web UI
  • OK, then I saw people using nexus3 as a private docker registry. Mainly I never got it to work, and secondly I don't know how to use nexus3! In short, that setup failed.
  • I had seen vmware harbor earlier, but the official site said it needs docker 1.10+, which almost put me off; still, since nexus3 was beyond me, I had to grit my teeth and try harbor.

This harbor is a minefield: the features are great, but the docs and versions don't match up!!!

This is still installed on centos6, and with the old k8s 1.2 all sorts of configs don't work; the pits were painful to fill one by one! Fine, first the fun part: here is the simplified install procedure after my changes:

Quick configuration

Version information

[root@cu2 ~]# lsb_release -a
LSB Version:    :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.8 (Final)
Release:        6.8
Codename:       Final
[root@cu2 ~]# docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d/1.7.1
OS/Arch (server): linux/amd64
  • Create the CA and certificate
[root@cu2 kubernetes]# git clone https://github.com/OpenVPN/easy-rsa.git

[root@cu2 easyrsa3]# ./easyrsa init-pki
[root@cu2 easyrsa3]# ./easyrsa build-ca #remember the password you enter; it is needed again when issuing certificates below

[root@cu2 easyrsa3]# ./easyrsa gen-req cu nopass
[root@cu2 easyrsa3]# ./easyrsa sign-req server cu #use the domain name that will be served as the commonName

The generated key and certificate are under pki/private and pki/issued
  • Download the configs
git clone https://github.com/winse/docker-hadoop.git
cd docker-hadoop/k8s-centos6/containers/harbor-make/
  • Edit harbor.cfg

Change the domain name and certificate paths to your own.

  • Generate the ConfigMaps
scl enable python27 bash
python2.7 kubernetes/prepare 
  • Create the services and containers

First download the official offline package harbor-offline-installer-0.5.0.tgz and load the images from the harbor.0.5.0.tgz inside it

[root@cu2 harbor]# docker images 
REPOSITORY                                            TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
gcr.io/google_containers/heapster-grafana-amd64       v4.0.2              74d2c72849cc        7 weeks ago         131.5 MB
gcr.io/google_containers/heapster-influxdb-amd64      v1.1.1              55d63942e2eb        7 weeks ago         11.59 MB
gcr.io/google_containers/heapster-amd64               v1.3.0-beta.1       026fb02eca65        7 weeks ago         101.3 MB
quay.io/coreos/flannel                                v0.7.0-amd64        072e88d50780        8 weeks ago         73.75 MB
gcr.io/google_containers/kubernetes-dashboard-amd64   v1.5.1              9af7d5c61ccf        8 weeks ago         103.6 MB
vmware/harbor-log                                     0.5.0               5cccdd11efe0        3 months ago        190.5 MB
vmware/harbor-jobservice                              0.5.0               573d0bbd91ee        3 months ago        169.4 MB
vmware/harbor-ui                                      0.5.0               990d3476bf93        3 months ago        233 MB
vmware/harbor-db                                      0.5.0               9a595c26d6bc        3 months ago        326.8 MB
nginx                                                 1.11.5              98f8314de615        4 months ago        181.4 MB
gcr.io/google_containers/hyperkube-amd64              v1.2.7              1dd7250ed1b3        4 months ago        231.4 MB
quay.io/coreos/flannel                                v0.6.1-amd64        ef86f3a53de0        6 months ago        27.89 MB
gcr.io/google_containers/etcd-amd64                   3.0.4               ef5e89d609f1        7 months ago        39.62 MB
registry                                              2.5.0               8cc599785872        7 months ago        33.28 MB
gcr.io/google_containers/kube2sky-amd64               1.15                f93305484d65        10 months ago       29.16 MB
gcr.io/google_containers/etcd-amd64                   2.2.5               a6752fb962b5        11 months ago       30.45 MB
gcr.io/google_containers/skydns-amd64                 1.0                 a925f95d080a        11 months ago       15.57 MB
gcr.io/google_containers/exechealthz-amd64            1.0                 5b9ac190b20c        11 months ago       7.116 MB
gcr.io/google_containers/pause                        2.0                 9981ca1bbdb5        17 months ago       350.2 kB

---

cd kubernetes/
sh apply.sh
  • Manually fix the config files in the containers
sh config.sh

This is a hassle on CentOS6-K8S; on CentOS7-K8S v1.5+ the ConfigMap volume works, so there is no need to copy the configs by hand.

  • Usage
[root@cu2 easyrsa3]# kubectl get services 
NAME         CLUSTER-IP   EXTERNAL-IP   PORT(S)             AGE
jobservice   10.0.0.154   <none>        80/TCP              1d
kubernetes   10.0.0.1     <none>        443/TCP             2d
mysql        10.0.0.176   <none>        3306/TCP            1d
nginx        10.0.0.78    <none>        80/TCP,443/TCP      1d
registry     10.0.0.46    <none>        5000/TCP,5001/TCP   1d
ui           10.0.0.11    <none>        80/TCP              1d

# Domain name
[root@cu3 ~]# vi /etc/hosts
10.0.0.78 cu.esw.cn

# Certificate
[root@cu3 ~]# mkdir -p /etc/docker/certs.d/cu.esw.cn/

[root@cu2 pki]# scp ca.crt cu3:/etc/docker/certs.d/cu.esw.cn/

# Login
[root@cu3 certs.d]# docker login cu.esw.cn
Username: admin
Password: Harbor12345
Email: 1
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

# Create the project google_containers through the web UI at https://cu.esw.cn

# PUSH
[root@cu3 certs.d]# docker tag gcr.io/google_containers/pause:2.0 cu.esw.cn/google_containers/pause:2.0

[root@cu3 certs.d]# docker push cu.esw.cn/google_containers/pause:2.0
The push refers to a repository [cu.esw.cn/google_containers/pause] (len: 1)
9981ca1bbdb5: Image already exists 
6995a49b90f2: Image successfully pushed 
Digest: sha256:139471770ffc22a2f15ae2ad8e3a0b3b9cbd620ad32400c7e8024a3d09ebec7d
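The hosts-file rewrite and CA distribution shown here, and the rsync-deploy.sh in the CentOS 7 post above, have two weak points worth closing: `sed '/cu.esw.cn/d'` deletes any line that merely contains that string, and if the `kubectl ... jsonpath` lookup returns nothing the script writes a hosts line with no address; and the CA that every node will trust from then on is copied without checking that what arrived is what was sent. The script below is an added example, not part of the original post or of Harbor. It assumes the same registry name cu.esw.cn and easy-rsa ca.crt path, `sha256sum` on both ends, root ssh/rsync to the nodes, and a hypothetical root-only file /root/.harbor-admin-pass on each node in place of the password written into the script.

```shell
#!/bin/sh
# harbor-trust-deploy.sh: idempotent /etc/hosts update plus verified CA
# distribution for a Harbor registry. Added example, not the post's code.
# Assumptions: IPv4 cluster IP, sha256sum available locally and on each node,
# passwordless ssh/rsync as root, and a hypothetical root-only
# /root/.harbor-admin-pass on each node holding the Harbor admin password.
set -eu

REGISTRY_NAME=cu.esw.cn
CA_FILE=/data/kubernetes/easy-rsa/easyrsa3/pki/ca.crt
HOSTS="cu1 cu2 cu3 cu4 cu5"

# valid_ipv4 ADDR: four dotted decimal octets in 0..255 and nothing else.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
    $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
    $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 { ok = 1 }
    END { exit !ok }'
}

# set_hosts_entry FILE IP NAME: drop lines where NAME is a whole hostname
# token (comments and names like xcu.esw.cn are left alone), then append
# "IP NAME". Refuses to write when IP is not an address, which is what an
# empty "kubectl get service" lookup would otherwise produce.
set_hosts_entry() {
  file="$1"; ip="$2"; name="$3"
  if ! valid_ipv4 "$ip"; then
    echo "refusing to update $file: '$ip' is not an IPv4 address" >&2
    return 1
  fi
  tmp=$(mktemp)
  awk -v name="$name" '
    $1 ~ /^#/ { print; next }
    { for (i = 2; i <= NF; i++) if ($i == name) next; print }' "$file" > "$tmp"
  printf '%s %s\n' "$ip" "$name" >> "$tmp"
  cat "$tmp" > "$file"   # overwrite in place so the inode and mode of /etc/hosts survive
  rm -f "$tmp"
}

# ca_fingerprint FILE: SHA-256 of the CA certificate exactly as shipped.
ca_fingerprint() {
  sha256sum "$1" | awk '{ print $1 }'
}

# distribute_ca HOST: copy ca.crt into docker's certs.d for the registry name
# and verify that the remote copy has the fingerprint we started from.
distribute_ca() {
  host="$1"
  expected=$(ca_fingerprint "$CA_FILE")
  ssh "$host" "mkdir -p /etc/docker/certs.d/$REGISTRY_NAME/"
  rsync -az "$CA_FILE" "$host:/etc/docker/certs.d/$REGISTRY_NAME/ca.crt"
  actual=$(ssh "$host" "sha256sum /etc/docker/certs.d/$REGISTRY_NAME/ca.crt" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "CA on $host ($actual) does not match local ca.crt ($expected)" >&2
    return 1
  fi
}

# deploy: resolve the nginx service IP, update hosts everywhere, ship the CA,
# then log in reading the password from a root-only file on the node rather
# than embedding it in this script.
deploy() {
  ip=$(kubectl get service nginx -n default -o jsonpath='{.spec.clusterIP}')
  set_hosts_entry /etc/hosts "$ip" "$REGISTRY_NAME"
  for h in $HOSTS; do
    [ "$h" = "$(hostname)" ] || rsync -az /etc/hosts "$h:/etc/"
    distribute_ca "$h"
    ssh "$h" "docker login -u admin -p \"\$(cat /root/.harbor-admin-pass)\" $REGISTRY_NAME"
  done
  echo "Harbor trust deployed to: $HOSTS"
}

# Run the real deployment only when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--deploy" ]; then
  deploy
fi
```

Run it as `sh harbor-trust-deploy.sh --deploy` from the node that has kubectl and the easy-rsa pki directory. With Docker 1.12's `docker login -p` the password still shows briefly in the remote process list; Docker 17.07 and later accept `--password-stdin`, which avoids that. The default admin password Harbor12345 from harbor.cfg is worth changing at first login before the password file is populated.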

---- What follows is the running log ----

Quick setup and configuration

Further reading

Steps in brief:

  • Download the 0.5.0 offline package harbor-offline-installer-0.5.0.tgz
  • Load the images locally (after unpacking the offline package there is a tgz image archive in the directory): docker load -i harbor.0.5.0.tgz
  • Download the source from GitHub master, harbor-master.zip; yes, master, not the source from the release page!!! (Sob, the k8s config files in the release source package don't even match, so why tag a version at all!! And the docs don't say a word. Huge thanks to the blogger at www.zoues.com, a real guiding light)
  • Install python2.7 (needed by the prepare script): yum install centos-release-scl; yum install -y python27
  • Unpack and enter the harbor-master/make directory
  • Edit the harbor.cfg configuration. (Here I only changed the domain name; there will be https problems. Ignore them for now and get it running first; https is handled later)
  • Run the prepare script, which generates the cm files (ConfigMaps) holding the config key-value pairs.
[root@cu2 make]# python kubernetes/prepare 
Traceback (most recent call last):
  File "kubernetes/prepare", line 145, in <module>
    pkey = subprocess.check_output(['openssl','genrsa','4096'], stderr=devnull)
AttributeError: 'module' object has no attribute 'check_output'

> Python should be version 2.7 or higher. Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default

https://github.com/h2oai/h2o-2/wiki/installing-python-2.7-on-centos-6.3.-follow-this-sequence-exactly-for-centos-machine-only
https://gist.github.com/dalegaspi/dec44117fa5e7597a559  I installed it following this gist
[root@cu2 make]# yum install centos-release-scl
[root@cu2 make]# yum install -y python27

[root@cu2 make]# scl enable python27 bash
[root@cu2 make]# /opt/rh/python27/root/usr/bin/python -V
Python 2.7.8

[root@cu2 make]# less harbor.cfg 

[root@cu2 make]# /opt/rh/python27/root/usr/bin/python kubernetes/prepare 
Warning: Key(ldap_searchdn) is not existing. Use empty string as default
Warning: Key(ldap_search_pwd) is not existing. Use empty string as default
Warning: Key(ldap_filter) is not existing. Use empty string as default
  • Then just happily run apply:
kubectl apply -f pv/

kubectl apply -f jobservice/jobservice.cm.yaml
kubectl apply -f mysql/mysql.cm.yaml
kubectl apply -f nginx/nginx.cm.yaml
kubectl apply -f registry/registry.cm.yaml
kubectl apply -f ui/ui.cm.yaml

kubectl apply -f jobservice/jobservice.svc.yaml
kubectl apply -f mysql/mysql.svc.yaml
kubectl apply -f nginx/nginx.svc.yaml
kubectl apply -f registry/registry.svc.yaml
kubectl apply -f ui/ui.svc.yaml

kubectl apply -f registry/registry.rc.yaml
kubectl apply -f mysql/mysql.rc.yaml
kubectl apply -f jobservice/jobservice.rc.yaml
kubectl apply -f ui/ui.rc.yaml
kubectl apply -f nginx/nginx.rc.yaml

Because the ConfigMaps approach does not create the files correctly, the config files have to be copied into the config directory of the corresponding containers:

sh config.sh

Apart from nginx complaining about the https certificate, everything else is up and running. Delete the https server section from nginx.conf for now and have a look at the result.

[root@cu2 kubernetes]# kubectl get rc
NAME            DESIRED   CURRENT   AGE
jobservice-rc   1         1         4h
mysql-rc        1         1         4h
nginx-rc        1         1         4h
registry-rc     1         1         4h
ui-rc           1         1         4h
[root@cu2 kubernetes]# kubectl get pods
NAME                       READY     STATUS    RESTARTS   AGE
jobservice-rc-3hhea        1/1       Running   0          4h
k8s-master-192.168.0.214   4/4       Running   28         2d
k8s-proxy-192.168.0.214    1/1       Running   4          2d
mysql-rc-nyk6z             1/1       Running   0          4h
nexus-3126345715-mfteg     1/1       Running   0          2d # this is the maven private repository
nginx-rc-93cdr             1/1       Running   15         4h
registry-rc-qbdfk          1/1       Running   12         4h
ui-rc-7e76i                1/1       Running   10         4h

[root@cu2 kubernetes]# kubectl get services nginx
NAME      CLUSTER-IP   EXTERNAL-IP   PORT(S)          AGE
nginx     10.0.0.78    <none>        80/TCP,443/TCP   1d

Access nginx:

After the install, log in with the admin user and password from the harbor.cfg file. Then read the official user guide https://github.com/vmware/harbor/blob/master/docs/user_guide.md

Right now PUSH needs the --insecure-registry flag, which also means restarting docker; too much hassle. Let's set up https first; once that is done, adding the certificate and pushing directly is much nicer.

Problems encountered while adjusting the configs

pvc in v1.2 does not support selector; use the volumeName attribute instead.

A huge pit: key names must not contain underscores or uppercase letters; this was only fixed in 1.4.

configmap~volume used to create volumes seems broken: the corresponding files are not created.

On 1.5.3 they are generated... 囧. Compared with puppet's docs, the k8s docs are light years behind!!!

[root@k8s kube-deploy]# kubectl logs nginx-rc-fr52v
https.crt
https.key
nginx.conf

Later I saw that nginx's v1.2 config uses secrets; after changing to that it still did not work.

It is really the old docker version that does not support shared volumes; inside the kubelet container the files are in fact created:

# docker logs
I0316 08:22:19.729825   13206 volumes.go:279] Used volume plugin "kubernetes.io/configmap" to mount config
I0316 08:22:19.729860   13206 configmap.go:118] Setting up volume config for pod cfe8b3f6-09fb-11e7-bdde-020047eb000e at /var/lib/kubelet/pods/cfe8b3f6-09fb-11e7-bdde-020047eb000e/volumes/kubernetes.io~configmap/config
I0316 08:22:19.729915   13206 volumes.go:279] Used volume plugin "kubernetes.io/empty-dir" to mount wrapped_config
...
I0316 08:22:19.733309   13206 configmap.go:145] Received configMap default/harbor-ui-config containing (30) pieces of data, 3739 total bytes
I0316 08:22:19.733470   13206 atomic_writer.go:316] /var/lib/kubelet/pods/cfe8b3f6-09fb-11e7-bdde-020047eb000e/volumes/kubernetes.io~configmap/config: current paths:   [app.conf private_key.pem]
I0316 08:22:19.733493   13206 atomic_writer.go:328] /var/lib/kubelet/pods/cfe8b3f6-09fb-11e7-bdde-020047eb000e/volumes/kubernetes.io~configmap/config: new paths:       [app.conf private_key.pem]
I0316 08:22:19.733502   13206 atomic_writer.go:331] /var/lib/kubelet/pods/cfe8b3f6-09fb-11e7-bdde-020047eb000e/volumes/kubernetes.io~configmap/config: paths to remove: map[]
I0316 08:22:19.733552   13206 atomic_writer.go:136] pod default/ui-rc-psjzs volume config: no update required for target directory /var/lib/kubelet/pods/cfe8b3f6-09fb-11e7-bdde-020047eb000e/volumes/kubernetes.io~configmap/config

[root@cu3 config]# docker exec -ti b34c51260dda bash
root@cu3:/# ls -al /var/lib/kubelet/pods/cfe8b3f6-09fb-11e7-bdde-020047eb000e/volumes/kubernetes.io~configmap/config
total 4
drwxrwxrwt 3 root root  120 Mar 16 04:08 .
drwxr-xr-x 3 root root 4096 Mar 16 04:08 ..
drwxr-xr-x 2 root root   80 Mar 16 04:08 ..3983_16_03_04_08_50.565987072
lrwxrwxrwx 1 root root   31 Mar 16 04:08 ..data -> ..3983_16_03_04_08_50.565987072
lrwxrwxrwx 1 root root   15 Mar 16 04:08 app.conf -> ..data/app.conf
lrwxrwxrwx 1 root root   22 Mar 16 04:08 private_key.pem -> ..data/private_key.pem

In the end I gave up and used a script to create the files, then copied them to the corresponding machines.

[root@cu2 kubernetes]# cd harbor-make/kubernetes/
[root@cu2 kubernetes]# sh config.sh 

HTTPS

Generate the CA and certificate

[root@cu2 kubernetes]# git clone https://github.com/OpenVPN/easy-rsa.git

https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md

[root@cu2 easyrsa3]# ll
total 56
-rwxr-xr-x 1 root root 35253 Mar 13 01:04 easyrsa
-rw-r--r-- 1 root root  4560 Mar 13 01:04 openssl-1.0.cnf
-rw-r--r-- 1 root root  8126 Mar 13 01:04 vars.example
drwxr-xr-x 2 root root  4096 Mar 13 01:04 x509-types
[root@cu2 easyrsa3]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /data/kubernetes/easy-rsa/easyrsa3/pki

[root@cu2 easyrsa3]# ./easyrsa build-ca
Generating a 2048 bit RSA private key
.............................+++
..............................................+++
writing new private key to '/data/kubernetes/easy-rsa/easyrsa3/pki/private/ca.key.Nj5oHgfZC5'
Enter PEM pass phrase: 123456
Verifying - Enter PEM pass phrase: 123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:esw.cn

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/data/kubernetes/easy-rsa/easyrsa3/pki/ca.crt


[root@cu2 easyrsa3]# ./easyrsa gen-req cu nopass
Generating a 2048 bit RSA private key
..........+++
.................................+++
writing new private key to '/data/kubernetes/easy-rsa/easyrsa3/pki/private/cu.key.LQX3Dr2jG3'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [cu]:cu.esw.cn

Keypair and certificate request completed. Your files are:
req: /data/kubernetes/easy-rsa/easyrsa3/pki/reqs/cu.req
key: /data/kubernetes/easy-rsa/easyrsa3/pki/private/cu.key

[root@cu2 easyrsa3]# ./easyrsa sign-req server cu


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = cu.esw.cn


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /data/kubernetes/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /data/kubernetes/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'cu.esw.cn'
Certificate is to be certified until Mar 10 23:36:42 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /data/kubernetes/easy-rsa/easyrsa3/pki/issued/cu.crt


[root@cu2 easyrsa3]# 

The certificate must be signed as a server certificate here; if it is used as a client certificate, docker reports: v2 ping attempt failed with error: Get https://cu.esw.cn/v2/: x509: certificate specifies an incompatible key usage


[root@cu2 easyrsa3]# tree .
.
├── easyrsa
├── openssl-1.0.cnf
├── pki
│   ├── ca.crt
│   ├── certs_by_serial
│   │   └── 01.pem
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.old
│   ├── issued
│   │   └── cu.crt
│   ├── private
│   │   ├── ca.key
│   │   └── cu.key
│   ├── reqs
│   │   └── cu.req
│   ├── serial
│   └── serial.old
├── vars.example
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    └── server

6 directories, 18 files
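Before the certificate paths go into harbor.cfg (the ssl_cert / ssl_cert_key lines in the CentOS 7 post) and before ca.crt is copied to the nodes, it is worth checking the material with the same tests docker applies at login, so that a certificate signed with the wrong easyrsa type is caught here rather than as the "incompatible key usage" error just described. This applies equally to the easy-rsa.sh steps in the first post and to the transcript above. The script below is an added example, not from the post or the easy-rsa project; it assumes the openssl CLI, RSA keys (easyrsa's default) and the hostname from harbor.cfg as the last argument. Its `make_fixture` builds a throwaway CA and certificate as constructed test data only.

```shell
#!/bin/sh
# check_harbor_cert.sh: pre-flight checks on the Harbor TLS material.
# Added example, not from the original post. Assumes: openssl CLI, RSA keys
# (easyrsa's default), and the paths from harbor.cfg as arguments.
set -eu

# check_harbor_cert CA_CRT SERVER_CRT SERVER_KEY HOSTNAME
# Returns 0 when every check passes; otherwise prints the first failure and returns 1.
check_harbor_cert() {
  ca="$1"; crt="$2"; key="$3"; host="$4"

  # 1. Must chain to the CA whose ca.crt is copied to /etc/docker/certs.d/<host>/.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not verify against $ca"; return 1
  fi

  text=$(openssl x509 -in "$crt" -noout -text)

  # 2. Must carry the serverAuth EKU (easyrsa 'sign-req server'); a 'client'
  #    certificate makes docker report "certificate specifies an incompatible key usage".
  if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: no serverAuth extended key usage (signed as a client cert?)"; return 1
  fi

  # 3. Name must match the hostname in harbor.cfg, either as CN or as a DNS SAN.
  if ! printf '%s\n' "$text" | grep -Eq "CN ?= ?${host}(,|\$)|DNS:${host}(,|\$)"; then
    echo "FAIL: neither CN nor subjectAltName matches $host"; return 1
  fi

  # 4. ssl_cert_key must be the private key of ssl_cert (compare RSA moduli).
  crt_mod=$(openssl x509 -in "$crt" -noout -modulus)
  key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  if [ "$crt_mod" != "$key_mod" ]; then
    echo "FAIL: $key does not belong to $crt"; return 1
  fi

  # 5. Reject anything that expires within 30 days (2592000 s).
  if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null; then
    echo "FAIL: $crt expires within 30 days"; return 1
  fi

  echo "OK: $crt is usable for https://$host"
}

# make_fixture DIR EKU: constructed test data only. Builds a throwaway CA and a
# certificate for cu.esw.cn carrying the given extendedKeyUsage (serverAuth, as
# easyrsa's server type does, or clientAuth to reproduce the docker failure).
make_fixture() {
  dir="$1"; eku="$2"
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$dir/req.cnf" \
    -extensions v3_ca -subj "/CN=test-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=cu.esw.cn" \
    -keyout "$dir/cu.key" -out "$dir/cu.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:cu.esw.cn\n' "$eku" > "$dir/ext.cnf"
  openssl x509 -req -days 90 -in "$dir/cu.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/ext.cnf" -out "$dir/cu.crt" 2>/dev/null
}

# Stand-alone demo on constructed data. With the real paths from harbor.cfg it is:
#   check_harbor_cert pki/ca.crt pki/issued/cu.crt pki/private/cu.key cu.esw.cn
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo" >&2; exit 0; }
demo=$(mktemp -d)
make_fixture "$demo" serverAuth
check_harbor_cert "$demo/ca.crt" "$demo/cu.crt" "$demo/cu.key" cu.esw.cn
make_fixture "$demo" clientAuth
check_harbor_cert "$demo/ca.crt" "$demo/cu.crt" "$demo/cu.key" cu.esw.cn || true
rm -rf "$demo"
```

The second demo run reproduces the page's failure: the certificate chains fine and the name matches, but the EKU check rejects it, which is exactly what docker does at `docker login` with a certificate signed via `sign-req client`.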

Rerun the steps above; there are quite a few configuration dependencies. The https and http request addresses conflict with each other.

After reconfiguring, copy ca.crt to the docker nodes, then log in, create a project and push to it. The commands were posted at the beginning, so they are not repeated here.

–END

Deploying k8s on CentOS 6 in practice

2017-3-17 08:33:56 After most of a month of fiddling, a short summary. centos6 + docker-1.7 + k8s-1.2 can be made to work, and I installed dashboard, nexus2 and harbor, but some of the newer things cannot be used, and the k8s docs don't distinguish versions or state clearly which docker versions are compatible (at least the official docs); it feels like it works for them but not for me, and after all the fiddling it turns out to be a version problem.

With containers as hot as they are now, docker and k8s release too fast; docker is already at 1.17. In short, playing with k8s on centos6 to get an overview is fine, but for real use, upgrade to centos7.

configmap-volumes are really useful, but docker-1.7 does not support shared volumes, and nothing can be done about that.

centos6 is rather "old": it has neither systemd nor docker-engine. Online material is either a native install (no bootstrap docker) or on centos7. Not wanting to install onto the host system, I modified the docker-multinode scripts from kube-deploy and installed with those; because of version incompatibilities there were many pits to fill with a bulldozer: docker on centos6 is only 1.7 and cannot run kubernetes-1.3, and the dashboard has to be installed by hand.

Environment:

  • cu2: bootstrap(etcd, flannel), main(hyperkube, pause, kubernetes-dashboard)
  • cu4, cu5: bootstrap(flannel), main(hyperkube, pause)
[root@cu2 ~]# docker -H unix:///var/run/docker-bootstrap.sock ps | grep -v IMAGE | awk '{print $2}' | sort -u
gcr.io/google_containers/etcd-amd64:3.0.4
quay.io/coreos/flannel:v0.6.1-amd64
[root@cu4 ~]# docker -H unix:///var/run/docker-bootstrap.sock ps | grep -v IMAGE | awk '{print $2}' | sort -u
quay.io/coreos/flannel:v0.6.1-amd64

[root@cu2 kubernetes]# docker images
REPOSITORY                                            TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
bigdata                                               v1                  9e30d146824b        38 hours ago        457.2 MB
gcr.io/google_containers/heapster-grafana-amd64       v4.0.2              74d2c72849cc        6 weeks ago         131.5 MB
gcr.io/google_containers/heapster-influxdb-amd64      v1.1.1              55d63942e2eb        6 weeks ago         11.59 MB
gcr.io/google_containers/heapster-amd64               v1.3.0-beta.1       026fb02eca65        6 weeks ago         101.3 MB
gcr.io/google_containers/kubernetes-dashboard-amd64   v1.5.1              9af7d5c61ccf        7 weeks ago         103.6 MB
gcr.io/google_containers/hyperkube-amd64              v1.2.7              1dd7250ed1b3        4 months ago        231.4 MB
quay.io/coreos/flannel                                v0.6.1-amd64        ef86f3a53de0        6 months ago        27.89 MB
gcr.io/google_containers/etcd-amd64                   3.0.4               ef5e89d609f1        6 months ago        39.62 MB
gcr.io/google_containers/kube2sky-amd64               1.15                f93305484d65        10 months ago       29.16 MB
gcr.io/google_containers/etcd-amd64                   2.2.5               a6752fb962b5        10 months ago       30.45 MB
gcr.io/google_containers/skydns-amd64                 1.0                 a925f95d080a        11 months ago       15.57 MB
gcr.io/google_containers/exechealthz-amd64            1.0                 5b9ac190b20c        11 months ago       7.116 MB
gcr.io/google_containers/pause                        2.0                 9981ca1bbdb5        17 months ago       350.2 kB
  • etcd, flannel and kubernetes-dashboard are the versions from docker-multinode.
  • kubelet is the latest 1.2 release, v1.2.7.
  • pause:2.0 is the version pulled automatically when the apiserver and controller containers start.
  • Added the DNS images (2017-3-6 02:07:14)
  • Added the heapster images (2017-3-6 17:00:48)

It's best to load all the images on every machine ahead of time.

Preparation

export NO_PROXY="localhost,127.0.0.1,10.0.0.0/8"
export https_proxy=http://localhost:8118/
export http_proxy=http://localhost:8118/

First, the operations and the result (look at the menu before deciding whether to eat)

## Download the deployment scripts
# https://github.com/winse/docker-hadoop/tree/master/k8s-centos6/docker-multinode

## Firewall; disable selinux
# or append at the end: iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -I INPUT 1 -s 10.0.0.0/8 -j ACCEPT

## Pull all the images first; git pull ...
* on the master node
[root@cu2 ~]# docker images
REPOSITORY                                            TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
bigdata                                               v1                  9e30d146824b        2 days ago          457.2 MB
redis                                                 3.2.8               c30a7507ec4d        6 days ago          182.9 MB
gcr.io/google_containers/heapster-grafana-amd64       v4.0.2              74d2c72849cc        6 weeks ago         131.5 MB
gcr.io/google_containers/heapster-influxdb-amd64      v1.1.1              55d63942e2eb        6 weeks ago         11.59 MB
gcr.io/google_containers/heapster-amd64               v1.3.0-beta.1       026fb02eca65        6 weeks ago         101.3 MB
gcr.io/google_containers/kubernetes-dashboard-amd64   v1.5.1              9af7d5c61ccf        7 weeks ago         103.6 MB
gcr.io/google_containers/hyperkube-amd64              v1.2.7              1dd7250ed1b3        4 months ago        231.4 MB
quay.io/coreos/flannel                                v0.6.1-amd64        ef86f3a53de0        6 months ago        27.89 MB
gcr.io/google_containers/etcd-amd64                   3.0.4               ef5e89d609f1        6 months ago        39.62 MB
gcr.io/google_containers/kube2sky-amd64               1.15                f93305484d65        10 months ago       29.16 MB
gcr.io/google_containers/etcd-amd64                   2.2.5               a6752fb962b5        10 months ago       30.45 MB
gcr.io/google_containers/skydns-amd64                 1.0                 a925f95d080a        11 months ago       15.57 MB
gcr.io/google_containers/exechealthz-amd64            1.0                 5b9ac190b20c        11 months ago       7.116 MB
gcr.io/google_containers/pause                        2.0                 9981ca1bbdb5        17 months ago       350.2 kB

## Download kubectl
https://storage.googleapis.com/kubernetes-release/release/v1.2.7/bin/linux/amd64/kubectl 
# https://kubernetes.io/docs/user-guide/prereqs/
# https://kubernetes.io/docs/user-guide/kubectl/kubectl_version/

## Environment variables
# https://kubernetes.io/docs/user-guide/kubeconfig-file/
export KUBECONFIG=/var/lib/kubelet/kubeconfig/kubeconfig.yaml
export PATH=...add the directory that holds kubectl

## Start the MASTER
./master.sh

## Check the result
curl -fsSL http://localhost:2379/health
curl -s http://localhost:8080/healthz
curl -s http://localhost:8080/api
kubectl get ns
kubectl create namespace kube-system

* on the worker nodes
[root@cu3 ~]# docker images
...

## Start the WORKER
MASTER_IP=cu2 ./worker.sh

A hiccup: the first run of the master script has a problem: the setup-files container doesn't run properly, because it needs to download easy-rsa.tar.gz from googleapi. You can download it manually into /root/kube first and then run the setup-files.sh script. If you're not in a hurry, waiting a while and re-running it a few times seems to get it going as well (awkward).

[root@cu2 ~]# docker exec -ti kube_kubelet_624b2 bash
root@cu2:/# /setup-files.sh IP:10.0.0.1,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local

Then submit the dashboard again:
[root@cu2 docker-multinode-centos6]# ./dashboard.sh 

Then start an application and test whether containers started on different nodes can reach each other over the network:

## Run and list the containers
[root@cu2 ~]# kubectl run redis --image=bigdata:v1 -r 5 --command -- /usr/sbin/sshd -D

[root@cu2 ~]# kubectl get pods -o wide
NAME                       READY     STATUS    RESTARTS   AGE       NODE
k8s-master-192.168.0.214   4/4       Running   22         1h        192.168.0.214
k8s-proxy-192.168.0.214    1/1       Running   0          1h        192.168.0.214
redis-2212193268-1789v     1/1       Running   0          1h        192.168.0.174
redis-2212193268-1j4ej     1/1       Running   0          1h        192.168.0.174
redis-2212193268-8dbmq     1/1       Running   0          1h        192.168.0.30
redis-2212193268-a447n     1/1       Running   0          1h        192.168.0.30
redis-2212193268-tu5fl     1/1       Running   0          1h        192.168.0.214

https://kubernetes.io/docs/user-guide/jsonpath/
[root@cu2 ~]# kubectl get pods -o wide -l run=redis -o jsonpath={..podIP}
10.1.75.2 10.1.75.3 10.1.58.3 10.1.58.2 10.1.33.3

## Log in to a container
# log in with ssh
[root@cu2 ~]# kubectl describe pods redis-2212193268-tu5fl | grep IP
IP:             10.1.33.3
[root@cu2 ~]# ssh 10.1.33.3
The authenticity of host '10.1.33.3 (10.1.33.3)' can't be established.
RSA key fingerprint is e5:58:ae:3b:54:c9:bb:0d:4c:9b:bc:fd:04:fe:be:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.33.3' (RSA) to the list of known hosts.
root@10.1.33.3's password: 
Last login: Sat Mar  4 18:17:51 2017 from 10.1.61.1
[root@redis-2212193268-tu5fl ~]# exit
logout
Connection to 10.1.33.3 closed.

# log in with exec
[root@cu2 ~]# kubectl exec -ti redis-2212193268-tu5fl bash
[root@redis-2212193268-tu5fl /]# 

## ping all five; the containers on every node are reachable from each other
[root@redis-2212193268-tu5fl /]# ping 10.1.75.2
PING 10.1.75.2 (10.1.75.2) 56(84) bytes of data.
64 bytes from 10.1.75.2: icmp_seq=1 ttl=60 time=1.15 ms
...
[root@redis-2212193268-tu5fl /]# ping 10.1.75.3
PING 10.1.75.3 (10.1.75.3) 56(84) bytes of data.
64 bytes from 10.1.75.3: icmp_seq=1 ttl=60 time=1.23 ms
...
[root@redis-2212193268-tu5fl /]# ping 10.1.58.3
PING 10.1.58.3 (10.1.58.3) 56(84) bytes of data.
64 bytes from 10.1.58.3: icmp_seq=1 ttl=60 time=1.60 ms
...
[root@redis-2212193268-tu5fl /]# ping 10.1.58.2
PING 10.1.58.2 (10.1.58.2) 56(84) bytes of data.
64 bytes from 10.1.58.2: icmp_seq=1 ttl=60 time=1.39 ms
...
[root@redis-2212193268-tu5fl /]# ping 10.1.33.3         
PING 10.1.33.3 (10.1.33.3) 56(84) bytes of data.
64 bytes from 10.1.33.3: icmp_seq=1 ttl=64 time=0.036 ms
...

The dashboard after everything is up:

A closer look at the startup scripts

The official Creating a Custom Cluster from Scratch left me confused; it really isn't written for a beginner like me. You need some hands-on experience before it makes sense.

So I took another route: split up the docker-multi startup scripts to study them, then imitate them by hand.

When I worked through the Portable Multi-Node Cluster doc I didn't understand what bootstrap docker and main docker meant. This time, by extracting and running each function separately, I understood a bit: it's simply two docker daemons running side by side, independent of each other.

[root@cu2 ~]# ps aux|grep docker
root      5310  0.0  0.2 645128 19180 pts/1    Sl   13:14   0:01 docker -d -H unix:///var/run/docker-bootstrap.sock -p /var/run/docker-bootstrap.pid --iptables=false --ip-masq=false --bridge=none --graph=/var/lib/docker-bootstrap --exec-root=/var/run/docker-bootstrap
root      5782  1.1  0.5 2788284 43620 pts/1   Sl   13:14   0:23 /usr/bin/docker -d --mtu=1464 --bip=10.1.33.1/24
root     10935  0.0  0.0 103316   896 pts/1    S+   13:47   0:00 grep docker

Once bootstrap docker is up, the etcd and flannel containers start without trouble.

The problems below were all hit on my own VM; once solved, I deployed to the test environment.

  • Problem 1: resetting the docker0 interface fails
[root@bigdata1 data]# ip link set docker0 down
[root@bigdata1 data]# ip link del docker0
RTNETLINK answers: Operation not supported

[root@bigdata1 data]# ip addr 

It can't be deleted, but changing the IP address achieves a similar effect

ifconfig docker0 ${FLANNEL_SUBNET}
or
[root@bigdata1 data]# ip link set dev docker0 mtu 1460
[root@bigdata1 data]# ip addr del 172.17.42.1/16 dev docker0
[root@bigdata1 data]# ip addr add ${FLANNEL_SUBNET} dev docker0
[root@bigdata1 data]# ip link set dev docker0 up
[root@bigdata1 data]# ifconfig # check the newly assigned IP

First run it in the foreground with the parameters added
[root@bigdata1 data]# docker -d --mtu=1472 --bip=10.1.42.1/24

Start it
[root@bigdata1 data]# sed -i 's|other_args=|other_args="--mtu=1472 --bip=10.1.42.1/24"|' /etc/sysconfig/docker
[root@bigdata1 data]# service docker start
Starting docker:                                           [确定]
[root@bigdata1 data]# service docker status
docker (pid  4542) 正在运行...
  • Problem 2: volume mounts don't support shared
[root@bigdata1 data]# echo $KUBELET_MOUNTS
-v /sys:/sys:rw -v /var/run:/var/run:rw -v /run:/run:rw -v /var/lib/docker:/var/lib/docker:rw -v /var/lib/kubelet:/var/lib/kubelet:shared -v /var/log/containers:/var/log/containers:rw

[root@bigdata1 data]# mkdir -p /var/lib/kubelet
[root@bigdata1 data]# mount --bind /var/lib/kubelet /var/lib/kubelet
[root@bigdata1 data]# mount --make-shared /var/lib/kubelet

[root@bigdata1 data]# docker run -d \
>     --net=host \
>     --pid=host \
>     --privileged \
>     --name kube_kubelet_$(kube::helpers::small_sha) \
>     ${KUBELET_MOUNTS} \
>     gcr.io/google_containers/hyperkube-${ARCH}:${K8S_VERSION} \
>     /hyperkube kubelet \
>       --allow-privileged \
>       --api-servers=http://localhost:8080 \
>       --config=/etc/kubernetes/manifests-multi \
>       --cluster-dns=10.0.0.10 \
>       --cluster-domain=cluster.local \
>       ${CNI_ARGS} \
>       ${CONTAINERIZED_FLAG} \
>       --hostname-override=${IP_ADDRESS} \
>       --v=2
Error response from daemon: invalid mode for volumes-from: shared

# change it to z # -- 2017-3-16 19:15:57 shared isn't supported; we'll hit volume problems later!
    KUBELET_MOUNT="-v /var/lib/kubelet:/var/lib/kubelet:z"
  
[root@bigdata1 ~]# echo $KUBELET_MOUNTS
-v /sys:/sys:rw -v /var/run:/var/run:rw -v /run:/run:rw -v /var/lib/docker:/var/lib/docker:rw -v /var/lib/kubelet:/var/lib/kubelet:z -v /var/log/containers:/var/log/containers:rw
  • Problem 3: cgroup problem
Error: failed to run Kubelet: failed to get mounted cgroup subsystems: failed to find cgroup mounts
failed to run Kubelet: failed to get mounted cgroup subsystems: failed to find cgroup mounts

centos7 
[root@k8s docker.service.d]# ll /sys/fs/cgroup/
blkio/            cpuacct/          cpuset/           freezer/          memory/           net_cls,net_prio/ perf_event/       systemd/          
cpu/              cpu,cpuacct/      devices/          hugetlb/          net_cls/          net_prio/         pids/             

centos6
http://wushank.blog.51cto.com/3489095/1203545
[root@bigdata1 bin]# ls /cgroup/
blkio  cpu  cpuacct  cpuset  devices  freezer  memory  net_cls

Add /cgroup to the volume mapping paths
  KUBELET_MOUNTS="\
    ${ROOTFS_MOUNT} \
    -v /sys:/sys:rw \
    -v /cgroup:/cgroup:rw \
    -v /var/run:/var/run:rw \
    -v /run:/run:rw \
    -v /var/lib/docker:/var/lib/docker:rw \
    ${KUBELET_MOUNT} \
    -v /var/log/containers:/var/log/containers:rw"
  • Problem 4: versions again; kubelet v1.3+ errors out on centos6:
[root@bigdata1 ~]# docker logs 7a2f7aec2239
...
E0228 10:56:05.408129    2516 kubelet.go:2049] Container runtime sanity check failed: container runtime version is older than 1.21

Every version from 1.3 up reports this error. Just use kubernetes 1.2.7.

  • Problem 5: dashboard/dns configuration caveats

  • imagePullPolicy is a trap! Change it to IfNotPresent https://kubernetes.io/docs/user-guide/images/

  • The namespace can't be changed; it seems to be written to the database, and the namespace it expects is kube-system
  • apiserver: without addon-manager support, fetch data over http for now (the DNS problem took a long time to confirm; the kube2sky container log showed errors, and changing the server address to http fixed it)
[root@cu2 docker-multinode-centos6]# docker exec -ti 193863bc646b bash
[root@redis-2212193268-0ovu7 /]# nslookup kubernetes.default
Server:         10.0.0.10
Address:        10.0.0.10#53

Name:   kubernetes.default.svc.cluster.local
Address: 10.0.0.1

With the problems above handled, the K8S cluster runs, and everything was folded into the scripts used at the start. Of course there is plenty of follow-up work: not just how to use it, but other supporting software that needs to be configured and installed.
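As an added example (not part of the post or of the docker-multinode scripts), here is the Problem 1 workaround as a script: it reads FLANNEL_SUBNET and FLANNEL_MTU from flannel's subnet.env (assumed to live at /run/flannel/subnet.env), builds the --mtu/--bip daemon arguments, and rewrites the other_args line of /etc/sysconfig/docker with a sed delimiter that survives the '/' in the CIDR. Function names and the demo values are mine.

```shell
#!/bin/sh
# Added example, not part of the post or of the docker-multinode scripts:
# the Problem 1 workaround as a script. Reads FLANNEL_SUBNET / FLANNEL_MTU
# from flannel's subnet.env (assumed path: /run/flannel/subnet.env), turns
# them into the --mtu/--bip daemon arguments and writes them into the
# other_args line of /etc/sysconfig/docker. Function names are mine.

# Print "--mtu=<mtu> --bip=<subnet>" for the subnet.env file given as $1.
# Returns 1 (prints nothing) if either value is missing, so a half-written
# env file never produces a half-configured daemon line.
flannel_docker_args() {
  subnet=$(sed -n 's/^FLANNEL_SUBNET=//p' "$1")
  mtu=$(sed -n 's/^FLANNEL_MTU=//p' "$1")
  [ -n "$subnet" ] && [ -n "$mtu" ] || return 1
  printf '%s --bip=%s\n' "--mtu=$mtu" "$subnet"
}

# Replace (or add) the other_args= line in the sysconfig file $1 with $2 and
# print the value that ended up in the file. '|' is the sed delimiter because
# the CIDR in --bip contains '/', which breaks the usual s/.../.../ form.
# Writing through a temp file keeps the original file's owner and mode.
set_docker_other_args() {
  cfg=$1
  args=$2
  tmpf=$(mktemp)
  if grep -q '^other_args=' "$cfg"; then
    sed "s|^other_args=.*|other_args=\"$args\"|" "$cfg" > "$tmpf"
  else
    cat "$cfg" > "$tmpf"
    printf 'other_args="%s"\n' "$args" >> "$tmpf"
  fi
  cat "$tmpf" > "$cfg"
  rm -f "$tmpf"
  sed -n 's/^other_args="\(.*\)"$/\1/p' "$cfg"
}

# Constructed demo mirroring the values master.sh printed in the post
# (FLANNEL_SUBNET 10.1.42.1/24, FLANNEL_MTU 1472); runs only with --demo so
# the real /etc/sysconfig/docker is never touched by accident.
demo() {
  d=$(mktemp -d)
  cat > "$d/subnet.env" <<'EOF'
FLANNEL_NETWORK=10.1.0.0/16
FLANNEL_SUBNET=10.1.42.1/24
FLANNEL_MTU=1472
FLANNEL_IPMASQ=true
EOF
  printf '# constructed copy of /etc/sysconfig/docker\nother_args=""\n' > "$d/docker"
  args=$(flannel_docker_args "$d/subnet.env") || { echo "subnet.env incomplete" >&2; return 1; }
  set_docker_other_args "$d/docker" "$args"
  rm -rf "$d"
}

# On a real host: args=$(flannel_docker_args /run/flannel/subnet.env), then
# set_docker_other_args /etc/sysconfig/docker "$args" and service docker restart.
if [ "${1:-}" = "--demo" ]; then demo; fi
```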

Monitoring

cAdvisor is reachable on port 4194  <http://www.dockone.io/article/page-46>
http://cu2:4194/containers/

[root@cu2 influxdb]# kubectl create -f ./
deployment "monitoring-grafana" created
service "monitoring-grafana" created
deployment "heapster" created
service "heapster" created
deployment "monitoring-influxdb" created
service "monitoring-influxdb" created

[root@cu2 influxdb]# kubectl get pods --namespace=kube-system -o wide
NAME                                    READY     STATUS             RESTARTS   AGE       NODE
heapster-2621086088-s77cl               0/1       CrashLoopBackOff   2          37s       192.168.0.148
kube-dns-v8-00p5h                       4/4       Running            1          5h        192.168.0.174
kubernetes-dashboard-2845140353-l7o8o   1/1       Running            0          5h        192.168.0.30
monitoring-grafana-1501214244-kw3im     1/1       Running            0          37s       192.168.0.148
monitoring-influxdb-3498630124-241tx    1/1       Running            0          37s       192.168.0.30

heapster failed on its first start; find the machine and check the logs
[root@cu3 ~]# docker logs aad68dd07ff8
I0306 09:06:25.611251       1 heapster.go:71] /heapster --source=kubernetes:https://kubernetes.default --sink=influxdb:http://monitoring-influxdb:8086
I0306 09:06:25.611523       1 heapster.go:72] Heapster version v1.3.0-beta.1
F0306 09:06:25.611555       1 heapster.go:174] Failed to create source provide: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

https://github.com/kubernetes/heapster/blob/master/docs/source-configuration.md change the source to http

Reload
[root@cu2 influxdb]# for file in * ; do sed -e "s|MASTER_IP|${IP_ADDRESS}|g" $file | kubectl apply -f - ; done
deployment "monitoring-grafana" configured
service "monitoring-grafana" configured
deployment "heapster" configured
service "heapster" configured
deployment "monitoring-influxdb" configured
service "monitoring-influxdb" configured

[root@cu2 influxdb]# kubectl get service --namespace=kube-system -o wide
NAME                   CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE       SELECTOR
heapster               10.0.0.54    <none>        80/TCP          8m        k8s-app=heapster
kube-dns               10.0.0.10    <none>        53/UDP,53/TCP   6h        k8s-app=kube-dns
kubernetes-dashboard   10.0.0.181   nodes         80/TCP          6h        app=kubernetes-dashboard
monitoring-grafana     10.0.0.220   <none>        80/TCP          8m        k8s-app=grafana
monitoring-influxdb    10.0.0.223   <none>        8086/TCP        8m        k8s-app=influxdb

Open grafana in the browser; login: admin/admin
http://10.0.0.220/

With monitoring installed, the dashboard shows graphs too.

Diagnosing a machine whose data doesn't show up

Originally there were three machines; later machine 148 was added. After adding heapster monitoring, the graphs for 148 wouldn't display, and on the dashboard's 148 Node page the Conditions - Last heartbeat time field was empty.

[root@cu2 ~]# kubectl get services --all-namespaces
NAMESPACE     NAME                   CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
default       kubernetes             10.0.0.1     <none>        443/TCP         1d
kube-system   heapster               10.0.0.196   <none>        80/TCP          12m
kube-system   kube-dns               10.0.0.10    <none>        53/UDP,53/TCP   21h
kube-system   kubernetes-dashboard   10.0.0.181   nodes         80/TCP          21h
kube-system   monitoring-grafana     10.0.0.215   <none>        80/TCP          12m
kube-system   monitoring-influxdb    10.0.0.226   <none>        8086/TCP        12m

Check the endpoints
https://github.com/kubernetes/heapster/blob/master/docs/debugging.md

  http://10.0.0.196/metrics

  No key for machine 148 here
  http://10.0.0.196/api/v1/model/debug/allkeys

  http://192.168.0.30:10255/stats/container/

https://github.com/kubernetes/heapster/blob/master/docs/sink-configuration.md

Go onto the heapster machine and run the command by hand, with a different port and more verbose log output
/ # /heapster --source=kubernetes:http://192.168.0.214:8080?inClusterConfig=false --sink=log --heapster-port=8083 -v 10

  http://192.168.0.214:8080/api/v1/nodes
  Node
  Pod
  Namespace
  

Ports 10255 and 4194 on machine 148 were both working, and heapster was fetching data from 148 too. But 148 was missing from the final log output. System time? On a hunch I checked: 148's clock was a few minutes fast.

Sure enough!! After syncing the time the monitoring graphs appeared.

Follow-up learning

Aliyun's registry mirror is great; since my domain is registered with wanwang I already had an account, and the accelerator address is shown right after login, very convenient. The USTC mirror is great too!

[root@cu1 ~]# cat /etc/sysconfig/docker
...
#other_args=" --registry-mirror=https://us69kjun.mirror.aliyuncs.com "
other_args=" --registry-mirror=https://docker.mirrors.ustc.edu.cn "
...

Interesting commands:

https://kubernetes.io/docs/user-guide/jsonpath/
[root@cu2 ~]# kubectl get pods -o wide -l run=redis -o jsonpath={..podIP}
10.1.75.2 10.1.75.3 10.1.58.3 10.1.58.2 10.1.33.3

Change the entrypoint, and share another container's network namespace
docker run -ti --entrypoint=sh --net=container:8e9f21956469f4ef7e5b9d91798788ab83f380795d2825cdacae0ed28f5ba03b gcr.io/google_containers/skydns-amd64:1.0

https://kubernetes.io/docs/tasks/kubectl/list-all-running-container-images/
[root@cu2 ~]# kubectl get pods --all-namespaces -o jsonpath="{..image}" |\
> tr -s '[[:space:]]' '\n' |\
> sort |\
> uniq -c
      2 gcr.io/google_containers/etcd-amd64:2.2.5
      2 gcr.io/google_containers/exechealthz-amd64:1.0
      2 gcr.io/google_containers/heapster-amd64:v1.3.0-beta.1
      2 gcr.io/google_containers/heapster-grafana-amd64:v4.0.2
      2 gcr.io/google_containers/heapster-influxdb-amd64:v1.1.1
     10 gcr.io/google_containers/hyperkube-amd64:v1.2.7
      2 gcr.io/google_containers/kube2sky-amd64:1.15
      2 gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1
      2 gcr.io/google_containers/skydns-amd64:1.0
      2 redis:3.2.8

kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}"

[root@cu2 ~]# export POD_COL="custom-columns=NAME:.metadata.name,RESTARTS:.status.containerStatuses[*].restartCount,CONTAINERS:.spec.containers[*].name,IP:.status.podIP,HOST:.spec.nodeName"
[root@cu2 ~]# kubectl get pods -o $POD_COL 

# add labels
[root@cu2 ~]# cat /etc/hosts | grep -E "\scu[0-9]\s" | awk '{print "kubectl label nodes "$1" hostname="$2}' | while read line ; do sh -c "$line" ; done

[root@cu2 kubernetes]# kubectl run redis --image=redis:3.2.8 
[root@cu2 kubernetes]# kubectl scale --replicas=9 deployment/redis

Other references

Fully manual install, all components started as services
  • http://chenguomin.blog.51cto.com/8794192/1828905 (networking with flannel; DNS install and config)
  • http://www.pangxie.space/docker/618
  • https://xuxinkun.github.io/2016/03/27/k8s-service/ (services are redirects done in the firewall => iptables -S -t nat)

Introductions
  • http://www.infoq.com/cn/articles/kubernetes-and-cloud-native-applications-part01
  • http://www.codingwater.org/2016/08/25/Docker-Kubernetes-Intro/
  • https://github.com/kubernetes/kubernetes/tree/v1.0.1/cluster/addons/dns

–END

K8s Cluster Deployment

Update 2019-4-8: this is out of date; use kubeadm for installation instead!!!

The previous post covered installing on a local Windows machine; recently I tried deploying and operating it across several Linux machines.

Start with the official Portable Multi-Node Cluster doc. Here I record the actual steps following that article; k8s really is nice, management is very convenient.

Installing docker (on centos7)

The wrong way

Don't install it like this

[root@k8s ~]# yum install docker

[root@k8s ~]# docker -v
Docker version 1.12.5, build 047e51b/1.12.5

Otherwise the daemon command below fails with:

[root@k8s docker-multinode]# docker daemon -H unix:///var/run/docker-bootstrap.sock -p /var/run/docker-bootstrap.pid --iptables=false --ip-masq=false --bridge=none --graph=/var/lib/docker-bootstrap --exec-root=/var/run/docker-bootstrap
exec: "dockerd": executable file not found in $PATH

Clean up the old packages first

yum remove docker -y
yum remove container-selinux -y
yum remove docker-common -y

The right way to install docker

Things change fast; just follow the official docs.

[root@k8s ~]# yum install -y yum-utils

[root@k8s ~]# yum-config-manager --add-repo https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo
Loaded plugins: fastestmirror, langpacks
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
adding repo from: https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo
grabbing file https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo to /etc/yum.repos.d/docker.repo
repo saved to /etc/yum.repos.d/docker.repo

[root@k8s ~]# yum makecache fast
[root@k8s ~]# yum -y install docker-engine

# Move the data directory to the big disk
Start the service once first so the docker directory gets created
[root@k8s ~]# service docker start
[root@k8s ~]# service docker stop

[root@k8s ~]# rm -rf /var/lib/docker/
[root@k8s ~]# ln -s /data/var/lib/docker /var/lib/

Installing k8s

Preparation

# remove old containers
[root@k8s docker-multinode]# docker rm -f `docker ps -a | grep -v IMAGE | awk '{print $1}'`
[root@k8s docker-multinode]# docker ps -a

# download the deployment tool
[root@k8s ~]# yum install git -y
[root@k8s ~]# git clone https://github.com/kubernetes/kube-deploy

# install kubectl; you'll need a proxy, you know why
export NO_PROXY="localhost,127.0.0.1,10.0.0.0/8"
export https_proxy=http://k8s:8118/
export http_proxy=http://k8s:8118/

[root@k8s ~]# curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 48.0M  100 48.0M    0     0  1692k      0  0:00:29  0:00:29 --:--:-- 2351k
[root@k8s ~]# chmod +x kubectl 
[root@k8s ~]# mkdir ~/bin
[root@k8s ~]# mv ./kubectl ~/bin/

[root@k8s ~]# source <(kubectl completion bash)
[root@k8s ~]# echo "source <(kubectl completion bash)" >> ~/.bashrc
== Change it to the lines below, otherwise scp and rsync stop working: https://my.oschina.net/leejun2005/blog/342865
== export PATH=~/bin:$PATH
== [[ $- == *i* ]] && source <(kubectl completion bash)

Starting the master

[root@k8s ~]# cd kube-deploy/docker-multinode/
[root@k8s docker-multinode]# ./master.sh 
+++ [0206 19:07:23] K8S_VERSION is set to: v1.5.2
+++ [0206 19:07:23] ETCD_VERSION is set to: 3.0.4
+++ [0206 19:07:23] FLANNEL_VERSION is set to: v0.6.1
+++ [0206 19:07:23] FLANNEL_IPMASQ is set to: true
+++ [0206 19:07:23] FLANNEL_NETWORK is set to: 10.1.0.0/16
+++ [0206 19:07:23] FLANNEL_BACKEND is set to: udp
+++ [0206 19:07:23] RESTART_POLICY is set to: unless-stopped
+++ [0206 19:07:23] MASTER_IP is set to: localhost
+++ [0206 19:07:23] ARCH is set to: amd64
+++ [0206 19:07:23] IP_ADDRESS is set to: 192.168.1.112
+++ [0206 19:07:23] USE_CNI is set to: false
+++ [0206 19:07:23] USE_CONTAINERIZED is set to: false
+++ [0206 19:07:23] --------------------------------------------
+++ [0206 19:07:23] Killing docker bootstrap...
+++ [0206 19:07:24] Killing all kubernetes containers...
Do you want to clean /var/lib/kubelet? [Y/n] y
+++ [0206 19:07:27] Launching docker bootstrap...
+++ [0206 19:07:28] Launching etcd...
3ff0f0fd7a08282930449b2f496f786b9857f6290698d612cebc2086d1a1765c
+++ [0206 19:07:31] Launching flannel...
{"action":"set","node":{"key":"/coreos.com/network/config","value":"{ \"Network\": \"10.1.0.0/16\", \"Backend\": {\"Type\": \"udp\"}}","modifiedIndex":4,"createdIndex":4}}
3651d077f453900a898ce6ad9fe67a7422f0c8084ec86b6e6a1a2ab6b9b1c629
+++ [0206 19:07:33] FLANNEL_SUBNET is set to: 10.1.42.1/24
+++ [0206 19:07:33] FLANNEL_MTU is set to: 1472
+++ [0206 19:07:33] Restarting main docker daemon...
+++ [0206 19:07:38] Restarted docker with the new flannel settings
+++ [0206 19:07:38] Launching Kubernetes master components...
d10130677853022fe37742437e39b21b3fcfbb90b3f24075457f469e238b0712
+++ [0206 19:07:42] Done. It may take about a minute before apiserver is up.

[root@k8s docker-multinode]# docker ps -a
...a long list of containers

If there are problems, it's basically the firewall (what I ran into: image downloads and the local firewall settings).

The proxy address was already configured when installing kubectl above. If pulling images fails while deploying the master, you also have to configure a proxy for docker in /etc/systemd/system/docker.service.d/http-proxy.conf / /usr/lib/systemd/system/docker.service, see https://docs.docker.com/engine/admin/systemd/#http-proxy . The exact errors and how they were handled are in the [Problems and handling] section below.

Once installed and started, the cluster can be managed from the browser UI (if the dashboard has trouble starting, see the problem handling later): http://k8s:8080/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload?namespace=default

Starting the worker

I won't repeat the download and install steps here; they are the same as on the master: install git, clone kube-deploy, install docker.

Firewall configuration, so that master and slaves can reach each other

I couldn't figure out centos7 firewall's add-source; adding the address had no effect. In the end I did it with a rich rule.
[root@bigdata-dev ~]# vi /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source address="192.168.1.112/32"/>
    <accept/>
  </rule>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="6379"/>
  <port protocol="tcp" port="8080"/>
</zone>
[root@bigdata-dev ~]# firewall-cmd --complete-reload
success
[root@bigdata-dev ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: p4p1
  sources: 
  services: ssh
  ports: 80/tcp 6379/tcp 8080/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.1.112/32" accept

[root@k8s ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source address="192.168.1.248"/>
    <accept/>
  </rule>
  <service name="ssh"/>
  <port protocol="tcp" port="6443"/>
  <port protocol="tcp" port="2379"/>
  <port protocol="tcp" port="8118"/>
</zone>

Load the already-downloaded images. Copy them over from the master (save/load); don't waste VPN bandwidth:

[root@bigdata-dev docker-multinode]# docker load <k8s.tar

Run the worker startup script:

# Set the proxy. If docker image downloads fail, also configure docker's environment variables
export NO_PROXY="localhost,127.0.0.1,10.0.0.0/8"
export https_proxy=http://k8s:8118/
export http_proxy=http://k8s:8118/

[root@bigdata-dev docker-multinode]# export MASTER_IP=192.168.1.112 
[root@bigdata-dev docker-multinode]# ./worker.sh 
+++ [0208 08:59:37] K8S_VERSION is set to: v1.5.2
+++ [0208 08:59:37] ETCD_VERSION is set to: 3.0.4
+++ [0208 08:59:37] FLANNEL_VERSION is set to: v0.6.1
+++ [0208 08:59:37] FLANNEL_IPMASQ is set to: true
+++ [0208 08:59:37] FLANNEL_NETWORK is set to: 10.1.0.0/16
+++ [0208 08:59:37] FLANNEL_BACKEND is set to: udp
+++ [0208 08:59:37] RESTART_POLICY is set to: unless-stopped
+++ [0208 08:59:37] MASTER_IP is set to: 192.168.1.112
+++ [0208 08:59:37] ARCH is set to: amd64
+++ [0208 08:59:37] IP_ADDRESS is set to: 192.168.1.248
+++ [0208 08:59:37] USE_CNI is set to: false
+++ [0208 08:59:37] USE_CONTAINERIZED is set to: false
+++ [0208 08:59:37] --------------------------------------------
+++ [0208 08:59:37] Killing all kubernetes containers...
+++ [0208 08:59:37] Launching docker bootstrap...
+++ [0208 08:59:38] Launching flannel...
+++ [0208 08:59:39] FLANNEL_SUBNET is set to: 10.1.42.1/24
+++ [0208 08:59:39] FLANNEL_MTU is set to: 1472
+++ [0208 08:59:39] Restarting main docker daemon...
+++ [0208 08:59:43] Restarted docker with the new flannel settings
+++ [0208 08:59:43] Launching Kubernetes worker components...
1ce6ee6af709485668c9f170b1bc234b34d55d18e53116295c887c88046ca231
+++ [0208 08:59:44] Done. After about a minute the node should be ready.

Checking cluster status

After installation, learn the basic management operations

[root@k8s ~]# kubectl cluster-info
Kubernetes master is running at http://localhost:8080
KubeDNS is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/kube-dns
kubernetes-dashboard is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

[root@k8s ~]# kubectl get service
NAME         CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   10.0.0.1     <none>        443/TCP   16d

[root@k8s ~]# kubectl get nodes
NAME            STATUS    AGE
192.168.1.112   Ready     16d
192.168.1.248   Ready     16d

[root@k8s ~]# kubectl get pods --namespace=kube-system
NAME                                    READY     STATUS    RESTARTS   AGE
k8s-master-192.168.1.112                4/4       Running   9          1d
k8s-proxy-v1-4hp8c                      1/1       Running   0          1d
k8s-proxy-v1-htrrf                      1/1       Running   0          1d
kube-addon-manager-192.168.1.112        2/2       Running   0          1d
kube-dns-4101612645-q0kcw               4/4       Running   0          1d
kubernetes-dashboard-3543765157-hsls9   1/1       Running   0          1d

If the dashboard is running normally, you can view and manage the cluster from the browser
== https://kubernetes.io/docs/user-guide/ui/
== through a socks5 proxy
http://k8s:8080/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload?namespace=default

Problems and handling

For image or startup failures, use set -x to print the script's debugging output, take the command at the failing spot and rerun it on its own to pin the problem down.

Another case: the script finishes, but the services don't run properly. After rebooting the machine and running master again, the dashboard was unreachable; turning off the firewall on the master machine fixed it. There's the same issue on github https://github.com/kubernetes/dashboard/issues/916

Steps to locate the problem:

Cleaning everything and starting over didn't help

docker kill $(docker ps -q)
docker rm $(docker ps -aq)
[reboot]
sudo rm -R /var/lib/kubelet
sudo rm -R /var/run/kubernetes

./turndown.sh & ./master.sh 
kubectl get pods --namespace=kube-system # the dashboard container keeps failing to start; check with kubectl logs/docker logs.

Locating the problem again

Since it works with the firewall off, log the rejected packets to see what is being blocked
[root@k8s ~]# firewall-cmd --set-log-denied=all

[root@k8s ~]# less /var/log/messages
Feb 25 00:04:30 k8s kernel: XFS (dm-32): Unmounting Filesystem
Feb 25 00:04:30 k8s kernel: XFS (dm-32): Mounting V5 Filesystem
Feb 25 00:04:30 k8s kernel: XFS (dm-32): Ending clean mount
Feb 25 00:04:32 k8s kernel: FINAL_REJECT: IN=docker0 OUT= PHYSIN=veth2fd9745 MAC=02:42:cf:c5:2c:da:02:42:0a:01:49:03:08:00 SRC=10.1.73.3 DST=192.168.1.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11531 DF PROTO=TCP SPT=38734 DPT=6443 WINDOW=28640 RES=0x00 SYN URGP=0 
Feb 25 00:04:33 k8s kernel: FINAL_REJECT: IN=docker0 OUT= PHYSIN=veth2fd9745 MAC=02:42:cf:c5:2c:da:02:42:0a:01:49:03:08:00 SRC=10.1.73.3 DST=192.168.1.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11532 DF PROTO=TCP SPT=38734 DPT=6443 WINDOW=28640 RES=0x00 SYN URGP=0 
Feb 25 00:04:33 k8s dockerd: time="2017-02-25T00:04:33.935301481+08:00" level=error msg="containerd: deleting container" error="exit status 1: \"container dcb4a44031b96470eaef50eb8ac4ee2b9f958906702d94645c3a45c4852b6335 does not exist\\none or more of the container deletions failed\\n\""
Feb 25 00:04:34 k8s kernel: XFS (dm-32): Unmounting Filesystem
Feb 25 00:04:35 k8s systemd-udevd: inotify_add_watch(7, /dev/dm-32, 10) failed: No such file or directory
Feb 25 00:04:36 k8s systemd-udevd: inotify_add_watch(7, /dev/dm-32, 10) failed: No such file or directory
Feb 25 00:04:36 k8s dockerd: time="2017-02-25T00:04:36.406470062+08:00" level=error msg="Handler for GET /v1.25/containers/5bd86339f0dcd513da632ec300d4235d8a09c3f9546f751ac8874de411de3c10/json returned error: No such container: 5bd86339f0dcd513da632ec300d4235d8a09c3f9546f751ac8874de411de3c10"
You can see that access to port 6443 is being rejected

Open port 6443 and the dashboard starts fine (opening the whole IP range also works). It can then be accessed from the browser

[root@k8s ~]# firewall-cmd --zone=public --add-port=6443/tcp --permanent
success
[root@k8s ~]# firewall-cmd --reload
success

[root@k8s ~]# kubectl get pods --namespace=kube-system
NAME                                    READY     STATUS    RESTARTS   AGE
k8s-master-192.168.1.112                4/4       Running   1          9m
k8s-proxy-v1-nzkgt                      1/1       Running   0          9m
kube-addon-manager-192.168.1.112        2/2       Running   0          8m
kube-dns-4101612645-k4j0s               4/4       Running   4          9m
kubernetes-dashboard-3543765157-h5g5f   1/1       Running   6          9m
Only once everything is Running can you view it through the dashboard.
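To find blocked flows like the one above without reading raw syslog by eye, here is an added shell helper (not from the original post) that summarizes firewalld FINAL_REJECT kernel messages per flow. The sample log is constructed from the entries above, with one extra port 8080 entry assumed purely for illustration.

```shell
#!/bin/sh
# Constructed sample of firewalld FINAL_REJECT kernel messages, modelled on the
# log above; the 8080 line is an assumed extra flow, not from the real capture.
SAMPLE_LOG='Feb 25 00:04:32 k8s kernel: FINAL_REJECT: IN=docker0 OUT= PHYSIN=veth2fd9745 MAC=02:42:cf:c5:2c:da:02:42:0a:01:49:03:08:00 SRC=10.1.73.3 DST=192.168.1.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11531 DF PROTO=TCP SPT=38734 DPT=6443 WINDOW=28640 RES=0x00 SYN URGP=0
Feb 25 00:04:33 k8s kernel: FINAL_REJECT: IN=docker0 OUT= PHYSIN=veth2fd9745 MAC=02:42:cf:c5:2c:da:02:42:0a:01:49:03:08:00 SRC=10.1.73.3 DST=192.168.1.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11532 DF PROTO=TCP SPT=38734 DPT=6443 WINDOW=28640 RES=0x00 SYN URGP=0
Feb 25 00:04:33 k8s dockerd: time="2017-02-25T00:04:33.935301481+08:00" level=error msg="containerd: deleting container"
Feb 25 00:04:40 k8s kernel: FINAL_REJECT: IN=docker0 OUT= PHYSIN=veth2fd9745 MAC=02:42:cf:c5:2c:da:02:42:0a:01:49:03:08:00 SRC=10.1.73.4 DST=192.168.1.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11533 DF PROTO=TCP SPT=40001 DPT=8080 WINDOW=28640 RES=0x00 SYN URGP=0'

# summarize_rejects: read syslog text on stdin, keep only FINAL_REJECT lines,
# and print one "count proto src dst dport" row per distinct flow, most
# frequent first. Only awk and sort are used, so it runs on a stock CentOS 7 box.
summarize_rejects() {
    awk '
        /FINAL_REJECT:/ {
            proto = src = dst = dpt = ""
            # Fields look like KEY=VALUE; flags such as DF or SYN have no "=".
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (dpt != "") count[proto " " src " " dst " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run on the constructed sample:
#   2 TCP 10.1.73.3 192.168.1.112 6443
#   1 TCP 10.1.73.4 192.168.1.112 8080
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

On a live host pipe `journalctl -k` or /var/log/messages into it; the 6443 row is the apiserver traffic that the firewall-cmd above admits, and any other row deserves a look before a port is opened.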

Usage

Using an existing image (from the web or local)

[root@k8s ~]# kubectl run hello-nginx --image=nginx --port=80

[root@k8s ~]# kubectl get pods
NAME                           READY     STATUS    RESTARTS   AGE
hello-nginx-2471083592-94pm7   1/1       Running   0          19m
[root@k8s ~]# kubectl describe pod hello-nginx-2471083592-94pm7
Name:           hello-nginx-2471083592-94pm7
Namespace:      default
Node:           192.168.1.248/192.168.1.248
Start Time:     Fri, 24 Feb 2017 12:37:30 +0800
Labels:         pod-template-hash=2471083592
                run=hello-nginx
Status:         Running
IP:             10.1.42.3
Controllers:    ReplicaSet/hello-nginx-2471083592

Once you have the pod's IP, log in to the machine listed under Node and you can reach the pod directly by that IP. The IP is in the same subnet as the flannel0 interface.

Customizing an image

[root@k8s ~]# docker pull centos:centos5
[root@k8s ~]# docker pull centos:centos6
[root@k8s ~]# docker pull centos:centos7

Commit the latest changes and save them as a new image.
Log in to centos6, install sshd, then start the sshd service (this generates the host keys). Clean the yum cache, the temporary files under /tmp, the history, and so on. Writing a Dockerfile to reduce the image size: https://hui.lu/reduce-docker-image-size/
[root@k8s ~]# docker run -t -i centos:centos6 
...yum install -y openssh-server openssh-clients ; service sshd start ; yum clean all ; history -c ; rm -rf /tmp/*

The name given on commit must carry a tag
[root@k8s ~]# docker ps -a
[root@k8s ~]# docker commit CONTAINER_ID bigdata:v1
Check the image's layer history
[root@k8s ~]# docker history bigdata:v1

[root@k8s ~]# docker images
[root@k8s ~]# docker save centos:centos5 centos:centos6 centos:centos7 bigdata:v1 >bigdata.tar

Copy it over
[root@bigdata-dev ~]# scp k8s:~/bigdata.tar ./
centos.tar                                                                                                                                               100%  668MB  11.1MB/s   01:00    
[root@bigdata-dev ~]# docker load <bigdata.tar
[root@bigdata-dev ~]# docker images
 
Actually run your own image
[root@k8s ~]# kubectl run hadoop --image=bigdata:v1 --command -- /usr/sbin/sshd -D
deployment "hadoop" created

Checking the running state, plus a few simple operations

[root@k8s ~]# kubectl get pods
NAME                      READY     STATUS    RESTARTS   AGE
hadoop-2607718808-cqx2n   1/1       Running   0          2h
[root@k8s ~]# kubectl describe pods hadoop-2607718808-cqx2n
Using the Node and IP fields from the output you can log in from that host (the IP is in the same subnet as the flannel0 interface)

You can also log in via kubectl
[root@k8s ~]# kubectl exec hadoop-2607718808-cqx2n -i -t -- bash 
[root@hadoop-2607718808-cqx2n /]# 
[root@hadoop-2607718808-cqx2n /]# ifconfig 
eth0      Link encap:Ethernet  HWaddr 02:42:0A:01:49:02  
          inet addr:10.1.73.2  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::42:aff:fe01:4902/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1472  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:648 (648.0 b)  TX bytes:648 (648.0 b)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@k8s ~]# kubectl scale --replicas=4 deployment/hadoop
[root@k8s ~]# kubectl get pods
NAME                      READY     STATUS    RESTARTS   AGE
hadoop-2607718808-0dzm6   1/1       Running   0          15s
hadoop-2607718808-9twzq   1/1       Running   0          15s
hadoop-2607718808-cqx2n   1/1       Running   0          6h
hadoop-2607718808-k243d   1/1       Running   0          15s

Log on to an instance that is already started
[root@k8s ~]# kubectl exec hadoop-2607718808-cqx2n -i -t -- bash
[root@hadoop-2607718808-cqx2n /]# 

Change the number of deployment replicas
[root@k8s ~]# kubectl scale --replicas=2 deployment/hadoop
deployment "hadoop" scaled
[root@k8s ~]# kubectl get pods
NAME                      READY     STATUS    RESTARTS   AGE
hadoop-2607718808-cqx2n   1/1       Running   0          6h
hadoop-2607718808-k243d   1/1       Running   0          9m

Summary

Installing through the script is actually not hard; what needs particular attention is getting past the Great Firewall to pull the images, and a few firewall settings.

–END