Server optimization and kernel upgrade


Contents

    • 1. Configure hosts
    • 2. Configure Aliyun mirrors
    • 3. Install required tools
    • 4. Disable the firewall
    • 5. Disable the swap partition
    • 6. Time synchronization (skip on public cloud)
    • 7. File descriptor limits
    • 8. Passwordless SSH login
    • 9. Upgrade the system
    • 10. Install ipvsadm
    • 11. Modify kernel parameters


1. Configure hosts

cat >> /etc/hosts << EOF
192.168.1.9 k8s-master-lb
192.168.1.10 k8s-master01
192.168.1.11 k8s-master02
192.168.1.12 k8s-master03
192.168.1.101 k8s-node01
EOF

2. Configure Aliyun mirrors

yum repo (skip on Aliyun cloud servers)

[root@localhost ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo   # replace with the Aliyun mirror

Docker repo

[root@localhost ~]# yum install -y yum-utils     # install the required package: yum-utils provides yum-config-manager, used to manage yum repositories
[root@localhost ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo  # add the Aliyun mirror repository

Kubernetes repo

[root@localhost ~]# cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

Aliyun ECS users will see a "cannot resolve host 'mirrors.cloud.aliyuncs.com'" message; it does not affect use. The related entries can also be removed from the configuration:

[root@localhost ~]# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo

Regenerate the cache

[root@localhost ~]# yum clean all # clear the cache
[root@localhost ~]# yum makecache # regenerate the cache
[root@localhost ~]# yum repolist  # list the repositories

3. Install required tools

[root@localhost ~]# yum install wget jq psmisc vim net-tools telnet yum-utils device-mapper-persistent-data lvm2 git -y

4. Disable the firewall

Stop the firewall service and set it not to start automatically.

[root@localhost ~]# systemctl stop firewalld && systemctl disable firewalld
# systemctl disable --now dnsmasq   # (not needed on cloud platforms)
# systemctl disable --now NetworkManager   # (are you sure this one should be disabled?)
[root@localhost ~]# setenforce 0 &&
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux &&
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
[root@localhost ~]# systemctl status firewalld.service # check that the firewall is stopped

5. Disable the swap partition

[root@localhost ~]# swapoff -a && sysctl -w vm.swappiness=0 # disable swap; if a swap partition is enabled, kubelet fails to start
[root@localhost ~]# sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab # comment out the swap entry in /etc/fstab so it is not mounted again at boot

6. Time synchronization (skip on public cloud)

Install ntpdate

rpm -ivh http://mirrors.wlnmp.com/centos/wlnmp-release-centos.noarch.rpm
yum install ntpdate crontab -y

Synchronize the time on all nodes. The time synchronization configuration is as follows:
date -R # show the current time zone

[root@localhost ~]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   # switch to the Shanghai time zone
[root@localhost ~]# echo 'Asia/Shanghai' >/etc/timezone
[root@localhost ~]# ntpdate time2.aliyun.com   # synchronize

Scheduled synchronization

[root@localhost ~]# crontab -e
*/5 * * * * /usr/sbin/ntpdate time2.aliyun.com
[root@localhost ~]# systemctl restart crond

7. File descriptor limits

Raise the file descriptor limit

[root@localhost ~]# ulimit -n  # show the current limit
[root@localhost ~]# ulimit -SHn 65535  # temporary setting

Make it permanent

[root@localhost ~]# vim /etc/security/limits.conf  # append the following at the end
-----------------------------------------------------
* soft nofile 65536
* hard nofile 131072
* soft nproc 65535
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited

8. Passwordless SSH login

[root@localhost ~]# cd ~   # back to the home directory
[root@localhost ~]# ssh-keygen -t rsa  # press Enter three times to generate the default key files id_rsa (private key) and id_rsa.pub (public key)
[root@localhost ~]# cd .ssh     # look at the key files
[root@localhost .ssh]# for i in k8s-master01 k8s-master02 k8s-master03 k8s-node01;do ssh-copy-id -i ~/.ssh/id_rsa.pub $i;done   # copy the key to the hosts that should allow passwordless login
[root@localhost ~]# mkdir -p /root/.ssh       # create the directory on the server that should allow passwordless login (authorized_keys is a file inside it, not a directory)
[root@localhost ~]# cat /root/.ssh/id_rsa.pub>>/root/.ssh/authorized_keys    # append the contents of id_rsa.pub to authorized_keys
If the private key has no passphrase, the hosts configured for passwordless login can then be accessed directly.

9. Upgrade the system

[root@localhost /]# uname -a   # show the kernel version
[root@localhost /]# yum update -y --exclude=kernel*   # update packages (excluding the kernel)

Update the kernel

[root@localhost ~]# cd /root
[root@localhost ~]# wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-devel-4.19.12-1.el7.elrepo.x86_64.rpm  # download the kernel
[root@localhost ~]# wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-4.19.12-1.el7.elrepo.x86_64.rpm   # download the kernel
[root@localhost ~]# for i in k8s-master01 k8s-master02 k8s-master03 k8s-node01 ;do scp kernel-ml-4.19.12-1.el7.elrepo.x86_64.rpm kernel-ml-devel-4.19.12-1.el7.elrepo.x86_64.rpm $i:/root/ ; done   # copy to the other nodes
[root@localhost ~]# cd /root && yum localinstall -y kernel-ml*  # install the kernel
[root@localhost ~]# grub2-editenv list   # show the current default boot entry
saved_entry=CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
[root@localhost ~]# grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg   # change the kernel boot order
[root@localhost ~]# grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"

10. Install ipvsadm

Install

yum install ipvsadm ipset sysstat conntrack libseccomp -y

Configure the IPVS modules
On kernel 4.19 and newer, nf_conntrack_ipv4 has been renamed to nf_conntrack; on 4.18 and older, use nf_conntrack_ipv4.

modprobe -- ip_vs &&
modprobe -- ip_vs_rr &&
modprobe -- ip_vs_wrr &&
modprobe -- ip_vs_sh &&
modprobe -- nf_conntrack
[root@localhost ~]#  cat > /etc/modules-load.d/ipvs.conf << EOF
ip_vs
ip_vs_lc
ip_vs_wlc
ip_vs_rr
ip_vs_wrr
ip_vs_lblc
ip_vs_lblcr
ip_vs_dh
ip_vs_sh
ip_vs_fo
ip_vs_nq
ip_vs_sed
ip_vs_ftp
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
EOF
[root@localhost ~]# systemctl enable systemd-modules-load.service  # start on boot

Verify after the kernel parameters below have been configured and the server rebooted

[root@localhost ~]# systemctl status systemd-modules-load.service

11. Modify kernel parameters

Enable the kernel parameters required in a Kubernetes cluster

[root@localhost ~]# cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
fs.may_detach_mounts = 1
net.ipv4.conf.all.route_localnet = 1
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.netfilter.nf_conntrack_max=2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.ip_conntrack_max = 65536
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16384
EOF

Load the configuration manually

[root@localhost ~]# sysctl --system

Reboot the server and verify that the kernel modules loaded correctly

[root@localhost ~]# reboot               # reboot
[root@localhost ~]# lsmod | grep --color=auto -e ip_vs -e nf_conntrack
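As an added example (not part of the original post), the following script makes the post-reboot check systematic: it reports modules from /etc/modules-load.d/ipvs.conf that are missing from lsmod, reports values in /etc/sysctl.d/k8s.conf that are not in effect, and picks the conntrack module name by kernel version, covering the 4.19 rename noted in section 10. The sample module list and sysctl values at the bottom are constructed so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: check after reboot that the IPVS
# modules and sysctl settings configured above are really in effect.
# The file paths are the ones the post writes; the sample module list and
# sysctl values at the bottom are constructed so the script can run offline.
set -u

# Conntrack module name for a kernel release string (as printed by `uname -r`):
# nf_conntrack on 4.19 and newer, nf_conntrack_ipv4 on older kernels.
conntrack_module_for_kernel() {
    major=${1%%.*}
    minor=${1#*.}; minor=${minor%%.*}; minor=${minor%%-*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 19 ]; }; then
        echo nf_conntrack
    else
        echo nf_conntrack_ipv4
    fi
}

# Modules named in a modules-load.d file ($1) that are absent from lsmod output ($2).
missing_modules() {
    loaded=$(printf '%s\n' "$2" | awk 'NR>1 {print $1}')
    grep -v '^[[:space:]]*#' "$1" | sed '/^[[:space:]]*$/d' | sort -u |
    while read -r mod; do
        printf '%s\n' "$loaded" | grep -qx "$mod" || echo "$mod"
    done
}

# Compare each "key = value" line of a sysctl.d file ($1) with the running value
# returned by the lookup command in $2 (normally "sysctl -n"); prints one
# "key expected actual" line per mismatch.
sysctl_mismatches() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        have=$($2 "$key" 2>/dev/null) || have='<unset>'
        [ "$have" = "$want" ] || echo "$key $want $have"
    done
}

# --- constructed sample data (on a node use the real files, lsmod and "sysctl -n") ---
SAMPLE_DIR=$(mktemp -d)
printf 'ip_vs\nip_vs_rr\nip_vs_sh\nnf_conntrack\n' > "$SAMPLE_DIR/ipvs.conf"
SAMPLE_LSMOD=$(printf 'Module Size Used by\nip_vs_rr 16384 0\nip_vs 155648 2 ip_vs_rr\nnf_conntrack 147456 1 ip_vs\n')
printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\nvm.swappiness=0\n' > "$SAMPLE_DIR/k8s.conf"
# stand-in for "sysctl -n": vm.swappiness deliberately disagrees with the file
fake_sysctl() { case "$1" in net.ipv4.ip_forward|net.ipv4.tcp_syncookies) echo 1 ;; vm.swappiness) echo 60 ;; *) return 1 ;; esac; }
```

On a node, run `missing_modules /etc/modules-load.d/ipvs.conf "$(lsmod)"` and `sysctl_mismatches /etc/sysctl.d/k8s.conf "sysctl -n"`; empty output means every module is loaded and every value is in effect.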
