Rancher高可用搭建

初始化系统

每台机器都要操作

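# Stop firewalld and keep it off across reboots.
# firewall-cmd --reload is not usable here: it talks to the daemon that was
# just stopped and only prints an error. The nodes on this page carry public
# addresses (the ssh-copy-id step uses 外网ip), so a host or cloud firewall
# that opens only the required ports (SSH, 80/443 on the front end, and the
# Kubernetes ports between the nodes) is the alternative to leaving them open.
systemctl stop firewalld.service
systemctl disable firewalld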

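# Disable SELinux now (setenforce) and permanently (config file).
setenforce 0  # temporary, until reboot
# Anchor the substitution on the SELINUX= key: the unanchored 's/enforcing/disabled/'
# also rewrites the explanatory comment lines in /etc/selinux/config.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config  # permanent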


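# Disable swap now and on boot (kubelet refuses to start with swap enabled).
swapoff -a  # temporary, until reboot
# Comment out only fstab entries whose mount point / type field is "swap" and
# that are not already commented; the broader '.*swap.*' also hits any other
# line that merely mentions swap and double-comments lines that are already off.
sed -ri '/^[^#].*[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab    # permanent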


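# Pass bridged IPv4/IPv6 traffic through the iptables chains.
# The net.bridge.* keys only exist once br_netfilter is loaded; without the
# module, sysctl --system reports "No such file or directory" for them.
modprobe br_netfilter
cat > /etc/modules-load.d/br_netfilter.conf << 'EOF'
br_netfilter
EOF
cat > /etc/sysctl.d/k8s.conf << 'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system  # apply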




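# Install chrony.
yum -y install chrony
# Point chrony at the Aliyun NTP server. Remove the distro's server/pool lines
# by pattern instead of by line number ('3,6d' / '3c' depend on the stock
# file's exact layout, which differs between releases); a .bak copy is kept.
sed -i.bak -E '/^(server|pool) /d' /etc/chrony.conf \
  && printf 'server ntp1.aliyun.com iburst\n' >> /etc/chrony.conf
# Start chronyd and enable it at boot.
systemctl start chronyd && systemctl enable chronyd
# Check the synchronisation sources.
chronyc sources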


安装docker

每台机器都要操作

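# Download the static Docker archive (the bare URL on its own is not a command).
docker_version=19.03.11
wget "https://download.docker.com/linux/static/stable/x86_64/docker-${docker_version}.tgz"
# Compare the archive's sha256 with a value obtained from a trusted source
# before unpacking: sha256sum "docker-${docker_version}.tgz"  # expected: <sha256-placeholder>

# Unpack the archive and move the extracted binaries into /usr/bin.
tar zxf "docker-${docker_version}.tgz"
mv docker/* /usr/bin/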


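# Manage docker with systemd.
# The here-doc delimiter is quoted so the shell does not expand $MAINPID: with
# an unquoted EOF the variable is empty at write time and ExecReload ends up
# as "/bin/kill -s HUP" with no target.
cat > /usr/lib/systemd/system/docker.service << 'EOF'
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF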



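# Create the daemon configuration (-p so an existing directory is not an error).
mkdir -p /etc/docker

# registry-mirrors: pull-through mirror for Docker Hub.
# insecure-registries: Docker skips TLS for this host and speaks plain HTTP to
#   it; it is a private (RFC 1918) address here, keep it that way.
# log-opts: up to 100 files of 2g each, i.e. up to 200 GB of logs per container.
cat > /etc/docker/daemon.json << 'EOF'
{
  "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
  "insecure-registries": ["172.18.69.205:80"],
  "log-opts": {"max-size":"2g", "max-file":"100"}
}
EOF

# Start docker and enable it at boot.
systemctl daemon-reload
systemctl start docker
systemctl enable docker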

新增rancher操作用户

每台机器都要操作

新建用户 
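# The docker group grants access to the docker socket, which is root-equivalent
# on the host; RKE uses this account over SSH on every node.
# Both steps are made idempotent so re-running the section does not fail.
getent group docker >/dev/null || groupadd docker
id rancher >/dev/null 2>&1 || useradd -G docker rancher
# Set the rancher user's password (prompted interactively).
passwd rancher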


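# Grant the rancher user passwordless sudo through a drop-in file rather than
# editing /etc/sudoers by hand (relies on the default "#includedir /etc/sudoers.d").
# visudo -c checks the syntax so a typo cannot lock sudo for every user.
# NOTE(review): nothing on this page uses sudo as rancher — RKE only needs the
# docker group membership — so this can be dropped if nothing else needs it.
printf 'rancher ALL=(ALL)       NOPASSWD: ALL\n' > /etc/sudoers.d/rancher
chmod 0440 /etc/sudoers.d/rancher
visudo -cf /etc/sudoers.d/rancher
# sudo reads its configuration on each invocation; there is nothing to reload
# (sysctl --system only reloads kernel parameters and has no effect on sudoers).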

选择一台机器做特殊处理

选择一台机器安装rke,kubectl,helm,对其他机器免密登录

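# Passwordless SSH: opens a login shell as rancher; type the rest of this
# section in that shell. RKE connects to every node as this user, so the key
# must be accepted on each address listed under nodes: in rancher-cluster.yml.
su - rancher
ssh-keygen

# Replace the placeholders with the nodes' addresses (same as address: below).
for host in 外网ip1 外网ip2 外网ip3; do
  ssh-copy-id "rancher@${host}"
done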


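# As root, run the following.
# Versions used on this page.
rke_version=v1.1.2
kubectl_version=v1.18.3
helm_version=v3.0.3
# Compare each download's sha256 with the value published by the upstream
# release before installing: sha256sum <file>  # expected: <sha256-placeholder>

# 1. rke -> /usr/bin (the original comment said /usr/sbin but the command used
#    /usr/bin; all three tools go to /usr/bin so they are on every user's PATH).
#    install(1) copies and sets the mode in one step.
wget "https://github.com/rancher/rke/releases/download/${rke_version}/rke_linux-amd64" \
  && install -m 0755 rke_linux-amd64 /usr/bin/rke

# 2. kubectl
wget "https://docs.rancher.cn/download/kubernetes/linux-amd64-${kubectl_version}-kubectl" \
  && install -m 0755 "linux-amd64-${kubectl_version}-kubectl" /usr/bin/kubectl

# 3. helm: extract only the binary and avoid cd so the working directory is unchanged.
wget "https://docs.rancher.cn/download/helm/helm-${helm_version}-linux-amd64.tar.gz" \
  && tar xf "helm-${helm_version}-linux-amd64.tar.gz" linux-amd64/helm \
  && install -m 0755 linux-amd64/helm /usr/bin/helm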

在/home/rancher目录设置rancher-cluster.yml配置文件

# RKE cluster definition for the three Rancher nodes (fill in the placeholders).
# address: what rke connects to over SSH as `user` on `port` (the same addresses
#          the ssh-copy-id step used); internal_address: the address the cluster
#          components use among themselves.
nodes:
  - address: ip地址
    internal_address: ip地址
    user: rancher
    role: [controlplane, worker, etcd]
    port: 22
  - address: ip地址
    internal_address: ip地址
    user: rancher
    role: [controlplane, worker, etcd]
    port: 22
  - address: ip地址
    internal_address: ip地址
    user: rancher
    role: [controlplane, worker, etcd]
    port: 22

# Periodic etcd snapshots every 6h, retained for 24h. No off-node destination
# is configured here — NOTE(review): confirm snapshots are copied off the nodes.
services:
  etcd:
    snapshot: true
    creation: 6h
    retention: 24h

# Skip rke's supported-Docker-version check (this page installs Docker 19.03.11
# from the static tarball).
ignore_docker_version: true
cluster_name: mycluster
# The ingress trusts X-Forwarded-* headers from the upstream proxy; the nginx
# configuration later on this page sets them.
ingress:
  provider: nginx
  options:
    use-forwarded-headers: "true"

rke部署k8s

rancher用户下执行:

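cd /home/rancher
rke up --config ./rancher-cluster.yml

# rke up writes the kubeconfig next to the cluster config (it authenticates as
# the cluster admin) and a state file, rancher-cluster.rkestate, holding the
# cluster certificates and keys; keep both readable only by this user.
mkdir -p "$HOME/.kube"
cp kube_config_rancher-cluster.yml "$HOME/.kube/config"
chmod 600 "$HOME/.kube/config"

# Check.
kubectl get nodes
kubectl get pods --all-namespaces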

安装 cert-manager

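# One version for both the CRD manifest and the chart, so they cannot drift apart.
cert_manager_version=v0.15.0

# Install the CustomResourceDefinition resources.
kubectl apply --validate=false -f "https://github.com/jetstack/cert-manager/releases/download/${cert_manager_version}/cert-manager.crds.yaml"

# IMPORTANT:
# On Kubernetes v1.15 or older the --validate=false flag above is required;
# otherwise kubectl reports validation errors about the
# x-kubernetes-preserve-unknown-fields field in cert-manager's CRDs.
# The error is benign and comes from the way kubectl validates resources.

# Create the cert-manager namespace.
kubectl create namespace cert-manager

# Add the Jetstack Helm repository.
helm repo add jetstack https://charts.jetstack.io

# Refresh the local Helm chart repository cache.
helm repo update

# Install the cert-manager Helm chart.
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version "${cert_manager_version}"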

安装完 cert-manager 后,您可以通过检查 cert-manager 命名空间中正在运行的 Pod 来验证它是否已正确部署:

# List the cert-manager pods (-n is the short form of --namespace).
kubectl -n cert-manager get pods

NAME READY STATUS RESTARTS AGE
cert-manager-5c6866597-zw7kh 1/1 Running 0 2m
cert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 2m
cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m

通过helm安装 Rancher

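# Hostname under which Rancher is served. It must be the name clients use, the
# server_name of the nginx front end below and the name in the certificate;
# this page's nginx config uses rancher.jmj1995.com, so align the two.
rancher_hostname=rancher.demo.com

# Add the Helm repository.
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

# Create the namespace.
kubectl create namespace cattle-system

helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname="${rancher_hostname}"

kubectl -n cattle-system rollout status deploy/rancher

kubectl -n cattle-system get deploy rancher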

新增nginx

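docker pull nginx:1.15
mkdir -p /opt/nginx/cert

# Generate the certificate. create_self-signed-cert.sh is not supplied on this
# page: place it in this directory first. It is expected to produce the
# tls.crt/tls.key pair the nginx config below references. The --ssl-domain
# here (demo.jmj1995.com) differs from the nginx server_name
# (rancher.jmj1995.com); browsers check the name in the certificate, so use
# the name clients will actually use.
cd /opt/nginx/cert
chmod +x create_self-signed-cert.sh
./create_self-signed-cert.sh --ssl-domain=demo.jmj1995.com --ssl-trusted-ip=8.129.116.194 --ssl-size=2048 --ssl-date=3650

# Start a throw-away container only to copy the stock config to /opt/nginx,
# then remove it. It needs no published ports, and the original
# "docker exec -it nginx01" after "docker rm -f" could only fail, so it is gone.
docker run --name nginx01 -d nginx:1.15
docker cp nginx01:/etc/nginx /opt
docker rm -f nginx01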

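# Edit default.conf: TLS terminator and load balancer in front of the three
# Rancher nodes.

upstream rancher {
    server 8.129.69.137:80;
    server 8.129.145.169:80;
    server 8.129.115.152:80;
}

# Pass WebSocket upgrades through to the backend.
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name rancher.jmj1995.com;
    ssl_certificate /etc/nginx/cert/tls.crt;
    ssl_certificate_key /etc/nginx/cert/tls.key;
    # nginx 1.15 enables TLS 1.0/1.1 as well by default; limit the public
    # listener to current protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # The ingress is configured with use-forwarded-headers, so it relies
        # on these headers for the original scheme, port and client address.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://rancher;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Keeps a shell opened from the Rancher UI alive for up to 15 minutes.
        # Without it the default of 1 minute closes the shell after a minute.
        proxy_read_timeout 900s;
        proxy_buffering off;
    }
}

server {
    listen 80;
    server_name rancher.jmj1995.com;
    return 301 https://$server_name$request_uri;
}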



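# Run nginx. /opt/nginx holds the edited config and cert/ (mounted as
# /etc/nginx); /opt/nginx/logs collects the access and error logs on the host.
# --restart unless-stopped brings the front end back after a reboot or crash
# (the original had no restart policy); -it is pointless with -d and is dropped.
docker run -d --name mynginx --restart unless-stopped \
  -p 80:80 -p 443:443 \
  -v /opt/nginx/:/etc/nginx/ \
  -v /opt/nginx/logs:/var/log/nginx \
  nginx:1.15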




