5.0 k8s (Ubuntu edition): pre-deployment preparation (part 2), system initialization (updates, ssh, IP address, hostname)

1 Update the system

sudo apt update
sudo apt upgrade

Reference output:


After the update finishes, a prompt asks which services should be restarted (Which services should be restarted?).
Enter 8 here; no restart is needed.


2 Install ifconfig and vim

sudo apt install net-tools
sudo apt-get install vim-gtk

The same prompt (Which services should be restarted?) appears again; enter 8, no restart is needed.

3 Check the IP address

ifconfig

Reference output:


4 Enable root login by setting a password for the root account

From the current regular user's shell, run:

sudo passwd root

Then enter the password twice as prompted.
Reference output:


5 Edit the sshd configuration to allow ssh login

sudo vim /etc/ssh/sshd_config

Press i to enter insert mode.
Remove the # in front of Port, find #PermitRootLogin prohibit-password and add a line PermitRootLogin yes directly below it.

The full set of changes:

Port 22
PermitRootLogin yes
PasswordAuthentication yes

Then press Esc and type :wq to save and quit.
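An added example (not from the original post): a small POSIX shell script that makes the same three sshd_config changes idempotently and checks the result before the daemon is restarted. The function names and the sample file are assumptions for the demo; it does not touch the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not part of the original post). Sets the three options the article edits by hand,
# then validates the file before the restart step. Function names are our own.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." or "#KEY ..." line as "KEY VALUE", removes later duplicates
# (sshd honours only the first occurrence of a keyword) and appends the line if KEY is absent.
set_sshd_option() {
  tmp=$(mktemp)
  awk -v k="$2" -v v="$3" '
    { line = $0; sub(/^[ \t]*/, "", line)
      if (substr(line, 1, 1) == "#") { line = substr(line, 2); sub(/^[ \t]*/, "", line) }
      split(line, f, /[ \t]+/) }
    tolower(f[1]) == tolower(k) { if (!seen) { print k " " v; seen = 1 }; next }
    { print }
    END { if (!seen) print k " " v }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_sshd_option FILE KEY: value of the first uncommented KEY line in FILE.
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) && !n { v = $2; n = 1 } END { print v }' "$1"
}

# apply_article_settings FILE: the "Port 22 / PermitRootLogin yes / PasswordAuthentication yes" edit.
apply_article_settings() {
  set_sshd_option "$1" Port 22
  set_sshd_option "$1" PermitRootLogin yes
  set_sshd_option "$1" PasswordAuthentication yes
}

# verify_sshd FILE: run as root on the real host before "systemctl restart sshd".
# -t rejects a broken file (a typo here locks you out); -T prints the effective values, which
# matters because Ubuntu's sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf" and
# the first value sshd reads wins, so a drop-in there can override what you just edited.
verify_sshd() {
  sshd -t -f "$1" || { echo "sshd_config is invalid, do not restart sshd" >&2; return 1; }
  sshd -T -f "$1" | grep -iE '^(port|permitrootlogin|passwordauthentication) '
}

# Demo on a constructed copy of the defaults (not the live /etc/ssh/sshd_config).
demo=$(mktemp)
printf '#Port 22\n#PermitRootLogin prohibit-password\nX11Forwarding yes\n' > "$demo"
apply_article_settings "$demo"
cat "$demo"
rm -f "$demo"
```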



Restart the sshd service

sudo systemctl restart sshd
# or
systemctl restart ssh.service

Check the listening port on the server

netstat -ntulp |grep 22

Reference output:


Command to start ssh (not executed here, recorded for reference only)

service ssh start
# or
/etc/init.d/ssh start

Enable start on boot

sudo update-rc.d ssh enable

Reference output:


6 Log in with an ssh client

Open Xshell or a similar ssh client and create a new session.


Configure the connection parameters and user authentication.


Save and connect; if a host key warning pops up, accept and save the key.

The following output means the connection succeeded:

7 Change the IP address

sudo vim /etc/netplan/00-installer-config.yaml

Note: this is a YAML configuration file, so watch the indentation, otherwise applying it later will fail.

Reference input:

network:
  ethernets:
    ens18:
      dhcp4: no
      dhcp6: no
      addresses:
        - 192.168.3.101/24
      routes:
        - to: default
          via: 192.168.3.1
      nameservers:
        addresses:
          - 192.168.3.1
          - 8.8.8.8
          - 114.114.114.114
  version: 2
  renderer: networkd

Where:

ens18 is the network interface name.
192.168.3.101 is the IPv4 address; the /24 suffix is its subnet mask.
via is the default gateway.
addresses under nameservers are the DNS servers.

Apply the configuration:

sudo netplan apply

Then edit the properties of the masterServer1 session configured in Xshell and change the host to the configured IP.



Reconnect and you are done.


8 Create the five servers (nodes)

Four more are needed; clone them in Proxmox.



The ID and name can be chosen freely, as long as they differ from the original VM.



Repeat this four times; the final layout looks like this:

9 Adjust each server's IP address and open it over ssh

Start each server from the console.



Taking one of them as an example, change its IP configuration:



Run:
sudo vim /etc/netplan/00-installer-config.yaml

Apply the configuration:

sudo netplan apply

Check that the configuration took effect.



Verify the connection with Xshell:



As shown above, every node connects successfully.

10 System settings

10.1 Hostname

The hostname must be different on every node, and every node must be able to reach every other node by hostname.

# show the hostname
hostname
# change the hostname
hostnamectl set-hostname <your_hostname>
# configure hosts so that all nodes can reach each other by hostname
vim /etc/hosts
# <node-ip> <node-hostname>

Taking the masterServer1 server as an example, reference output:

root@bobokaka:~# hostname
bobokaka
root@bobokaka:~# hostnamectl set-hostname masterServer1
root@bobokaka:~# hostname
masterServer1
root@bobokaka:~# vim /etc/hosts
127.0.0.1 localhost
127.0.1.1 bobokaka
192.168.3.101 masterServer1
192.168.3.102 masterServer2
192.168.3.103 masterServer3
192.168.3.104 backend1
192.168.3.105 backend2
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@bobokaka:~# 

Check that the hosts configuration is correct

cat /etc/hosts

Reference output:

root@bobokaka:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 bobokaka
192.168.3.101 masterServer1
192.168.3.102 masterServer2
192.168.3.103 masterServer3
192.168.3.104 backend1
192.168.3.105 backend2
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@bobokaka:~#
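
The IP and hostname steps of sections 7, 9 and 10.1 are repeated by hand on all five nodes. As an added example (not from the original post), the script below generates the per-node netplan file and the shared /etc/hosts block from one table and checks the table for duplicates. The addresses, names, ens18 and the 192.168.3.1 gateway are the article's; NODES and the function names are ours, and nothing is written under /etc.

```shell
#!/bin/sh
# Added example (not part of the original post): build the per-node netplan file and the
# shared /etc/hosts block for the five nodes of sections 7, 9 and 10.1 from one table, and
# check the table for duplicates. Addresses, names, ens18 and the 192.168.3.1 gateway are the
# article's; NODES and the function names are ours. Nothing is written to /etc here.
set -eu

NODES='192.168.3.101 masterServer1
192.168.3.102 masterServer2
192.168.3.103 masterServer3
192.168.3.104 backend1
192.168.3.105 backend2'

# render_netplan IP [IFACE] [GATEWAY]: YAML in the article's layout (2-space indent, no tabs).
render_netplan() {
  ip=$1; iface=${2:-ens18}; gw=${3:-192.168.3.1}
  printf 'network:\n  version: 2\n  renderer: networkd\n  ethernets:\n    %s:\n' "$iface"
  printf '      dhcp4: no\n      dhcp6: no\n      addresses:\n        - %s/24\n' "$ip"
  printf '      routes:\n        - to: default\n          via: %s\n' "$gw"
  printf '      nameservers:\n        addresses:\n          - %s\n          - 8.8.8.8\n          - 114.114.114.114\n' "$gw"
}

# render_hosts: the lines every node needs in /etc/hosts so all hostnames resolve cluster-wide.
render_hosts() { printf '%s\n' "$NODES"; }

# check_nodes: fail if an IP or a hostname is listed twice (kubelet registers nodes by hostname,
# so two nodes with the same name would clash in the cluster).
check_nodes() {
  [ -z "$(printf '%s\n' "$NODES" | awk '{print $1}' | sort | uniq -d)" ] &&
  [ -z "$(printf '%s\n' "$NODES" | awk '{print $2}' | sort | uniq -d)" ]
}

# hosts_entries FILE HOSTNAME: number of uncommented lines in FILE that map HOSTNAME (want 1).
hosts_entries() {
  awk -v h="$2" 'substr($1, 1, 1) != "#" { for (i = 2; i <= NF; i++) if ($i == h) n++ } END { print n + 0 }' "$1"
}

check_nodes || { echo "duplicate IP or hostname in NODES" >&2; exit 1; }
render_netplan 192.168.3.101   # contents for /etc/netplan/00-installer-config.yaml on masterServer1
render_hosts                   # append to /etc/hosts on every node
```

On the real node, `sudo netplan try` applies the generated file and reverts it automatically unless you confirm within the timeout, which is safer than `netplan apply` when you are connected over the very interface being changed.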

10.2 Install dependency packages

At this point it is best to reboot all five servers.

reboot

After the reboot, again using masterServer1 as the example, run on all five servers:

apt-get update
apt-get upgrade
apt-get install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp-dev

Note: ipvs depends on ipset.
Reference output:

root@masterServer1:~# apt-get install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (7.81.0-1ubuntu1.6).
curl set to manually installed.
The following additional packages will be installed:
  libip6tc2 libipset13 libjq1 libnetfilter-conntrack3 libnfnetlink0 libnftnl11 libnl-3-200
  libnl-genl-3-200 libonig5 libsensors-config libsensors5
Suggested packages:
  nftables firewalld heartbeat keepalived ldirectord seccomp lm-sensors isag
The following NEW packages will be installed:
  conntrack ipset iptables ipvsadm jq libip6tc2 libipset13 libjq1 libnetfilter-conntrack3 libnfnetlink0
  libnftnl11 libnl-3-200 libnl-genl-3-200 libonig5 libseccomp-dev libsensors-config libsensors5 sysstat
0 upgraded, 18 newly installed, 0 to remove and 0 not upgraded.
Need to get 1814 kB of archives.
After this operation, 7459 kB of additional disk space will be used.
Get:1 https://repo.huaweicloud.com/ubuntu jammy/main amd64 libip6tc2 amd64 1.8.7-1ubuntu5 [20.2 kB]
Get:2 https://repo.huaweicloud.com/ubuntu jammy/main amd64 libnfnetlink0 amd64 1.0.1-3build3 [14.6 kB]
......
Get:18 https://repo.huaweicloud.com/ubuntu jammy/main amd64 ipvsadm amd64 1:1.31-1build2 [42.2 kB]
Fetched 1814 kB in 4s (479 kB/s)   
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libip6tc2:amd64.
(Reading database ... 84207 files and directories currently installed.)
Preparing to unpack .../00-libip6tc2_1.8.7-1ubuntu5_amd64.deb ...
Unpacking libip6tc2:amd64 (1.8.7-1ubuntu5) ...
Selecting previously unselected package libnfnetlink0:amd64.
Preparing to unpack .../01-libnfnetlink0_1.0.1-3build3_amd64.deb ...
Unpacking libnfnetlink0:amd64 (1.0.1-3build3) ...
......
debconf: falling back to frontend: Readline
Scanning processes...                                                                                      
Scanning linux images...                                                                                   

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@masterServer1:~#

10.3 Disable the firewall and swap, reset iptables

Again using masterServer1 as the example, run on all five servers:

# disable the firewall
# (Ubuntu ships ufw rather than firewalld, so this unit is normally "not loaded", as the output below shows)
systemctl stop firewalld && systemctl disable firewalld
# reset iptables (flush all firewall rules)
iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat &&  iptables -P FORWARD ACCEPT
# disable swap
# kubelet fails to start if a swap partition is enabled
# (this can be ignored by setting --fail-swap-on to false)
# so swap has to be turned off on every machine

# to stop the swap partition from being mounted at boot, comment out the matching entry in /etc/fstab
swapoff -a
sed -i '/swap/s/^\(.*\)$/#\1/g' /etc/fstab

# disable SELinux
# otherwise mounting directories in K8S later may fail with Permission denied:
# (Ubuntu uses AppArmor; SELinux is normally not present, which is why setenforce reports it disabled below)
setenforce 0
# if this fails with "-bash: setenforce: command not found", install it first:
apt install selinux-utils
# stop dnsmasq
# when dnsmasq is enabled on a Linux system (e.g. in a GUI environment) the system DNS server is set to 127.0.0.1,
# which prevents docker containers from resolving domain names, so it has to be stopped
service dnsmasq stop && systemctl disable dnsmasq

Reference output:

root@masterServer1:~# systemctl stop firewalld && systemctl disable firewalld
Failed to stop firewalld.service: Unit firewalld.service not loaded.
root@masterServer1:~# iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat &&  iptables -P FORWARD ACCEPT
root@masterServer1:~# swapoff -a
root@masterServer1:~# sed -i '/swap/s/^\(.*\)$/#\1/g' /etc/fstab
root@masterServer1:~# setenforce 0
-bash: setenforce: command not found
root@masterServer1:~# apt install selinux-utils
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
......
Scanning processes...                                                                                      
Scanning linux images...                                                                                   

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@masterServer1:~# setenforce 0
setenforce: SELinux is disabled
root@masterServer1:~# service dnsmasq stop && systemctl disable dnsmasq
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
root@masterServer1:~# 

10.4 Set system parameters
10.4.1 Add kernel modules to load at boot

Copy and paste the whole block below and run it.

tee /etc/modules-load.d/containerd.conf<<EOF
overlay
br_netfilter
EOF

Reference output:

root@masterServer1:/opt/kubernetes/docker# tee /etc/modules-load.d/containerd.conf<<EOF
overlay
br_netfilter
EOF
overlay
br_netfilter
root@masterServer1:/opt/kubernetes/docker# 

10.4.2 Load the kernel modules
modprobe overlay
modprobe br_netfilter

Reference output:

root@masterServer1:~# modprobe br_netfilter
root@masterServer1:~# modprobe ip_conntrack
root@masterServer1:~#

10.4.3 Create the configuration file

Copy and paste the whole block below and run it.

cat > /etc/sysctl.d/kubernetes.conf <<EOF
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF

Load the file

sysctl -p /etc/sysctl.d/kubernetes.conf

Note: tcp_tw_recycle conflicts with the NAT used by Kubernetes and must be disabled, otherwise services become unreachable;
disable the unused IPv6 stack to avoid triggering a docker bug.

Reference output:

root@masterServer1:~# cat > /etc/sysctl.d/kubernetes.conf <<EOF
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
root@masterServer1:~# sysctl -p /etc/sysctl.d/kubernetes.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_watches = 89100
fs.file-max = 52706963
fs.nr_open = 52706963
net.ipv6.conf.all.disable_ipv6 = 1
net.netfilter.nf_conntrack_max = 2310720
root@masterServer1:~# 

Explanation

# frames forwarded by a layer-2 bridge are also filtered by the iptables FORWARD rules, so layer-3 iptables rules can end up filtering layer-2 frames
net.bridge.bridge-nf-call-iptables=1
# whether IPv6 packets crossing the bridge are filtered by the ip6tables chains
net.bridge.bridge-nf-call-ip6tables=1
# IP forwarding must be enabled when the Linux system acts as a router or VPN server; 0 = off, 1 = on
net.ipv4.ip_forward=1
# enables fast recycling of TIME-WAIT sockets for TCP connections; default 0 (off). Removed in Linux 4.12, so it cannot be set on 4.12 and later kernels
net.ipv4.tcp_tw_recycle=0
# never use swap space unless the system is out of memory
vm.swappiness=0
# do not check whether enough physical memory is available
vm.overcommit_memory=1
# do not panic on OOM; let the OOM killer handle it
vm.panic_on_oom=0
# number of inotify watches one user may add at the same time; default 8192
fs.inotify.max_user_watches=89100
# system-wide maximum number of file descriptors
fs.file-max=52706963
# maximum number of file descriptors a single process may open
fs.nr_open=52706963
# disable IPv6; set to 0 to enable IPv6
net.ipv6.conf.all.disable_ipv6=1
# size of the connection tracking table; recommended to derive it from RAM as CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (x / 32), with nf_conntrack_max = 4 * nf_conntrack_buckets; default 262144
net.netfilter.nf_conntrack_max=2310720

A more extensive set of parameters that could be used (not all of them are configured here):

net.ipv4.tcp_keepalive_time=600 # interval (seconds) at which TCP sends keepalive probes
net.ipv4.tcp_keepalive_intvl=30 # interval between keepalive probes when no answer is received
net.ipv4.tcp_keepalive_probes=10  # number of keepalive probes sent before the peer is considered dead
net.ipv6.conf.all.disable_ipv6=1 # disable IPv6; set to 0 to enable IPv6
net.ipv6.conf.default.disable_ipv6=1 # disable IPv6; set to 0 to enable IPv6
net.ipv6.conf.lo.disable_ipv6=1 # disable IPv6; set to 0 to enable IPv6
net.ipv4.neigh.default.gc_stale_time=120 # ARP cache entry timeout
net.ipv4.conf.all.rp_filter=0  # default 1: the system strictly validates the reverse path of packets, which can cause drops
net.ipv4.conf.default.rp_filter=0 # do not enable source address validation
net.ipv4.conf.default.arp_announce=2 # always use the best local address for the target IP as the source of ARP requests
net.ipv4.conf.lo.arp_announce=2 # always use the best local address for the target IP as the source of ARP requests
net.ipv4.conf.all.arp_announce=2 # always use the best local address for the target IP as the source of ARP requests
net.ipv4.ip_local_port_range= 45001 65000 # lowest and highest port a connection may use as its source (local) port, for both TCP and UDP
net.ipv4.ip_forward=1 # 0 disables IP forwarding; 1 enables it
net.ipv4.tcp_max_tw_buckets=6000 # maximum number of TIME_WAIT sockets held by the server
net.ipv4.tcp_syncookies=1 # should be set to 1 to protect against SYN floods
net.ipv4.tcp_synack_retries=2 # number of times the second handshake packet (SYN+ACK) is retransmitted when the third (ACK) does not arrive (default 5)
net.bridge.bridge-nf-call-ip6tables=1 # whether IPv6 packets crossing the bridge are filtered by the ip6tables chains
net.bridge.bridge-nf-call-iptables=1 # frames forwarded by a layer-2 bridge are also filtered by the iptables FORWARD rules, so layer-3 iptables rules can end up filtering layer-2 frames
net.netfilter.nf_conntrack_max=2310720 # size of the connection tracking table; recommended CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (x / 32), with nf_conntrack_max = 4 * nf_conntrack_buckets; default 262144

net.ipv6.neigh.default.gc_thresh1=8192
net.ipv6.neigh.default.gc_thresh2=32768
net.ipv6.neigh.default.gc_thresh3=65536

# gc_thresh3 is the hard limit on the table size
# gc_thresh2 is set to the maximum number of neighbour entries the system is expected to hold
# in that case gc_thresh3 should be set higher than gc_thresh2, for example 25%-50% above it, as surge capacity
# gc_thresh1 is raised to a large value; the effect is that the kernel never removes (times out) stale entries while the table holds fewer than gc_thresh1 entries

net.core.netdev_max_backlog=16384 # per-CPU network device backlog queue length
net.core.rmem_max = 16777216 # maximum receive buffer size for all protocol types
net.core.wmem_max = 16777216 # maximum send buffer size (largest TCP send window)
net.ipv4.tcp_max_syn_backlog = 8096 # length of the first (SYN) backlog queue
net.core.somaxconn = 32768 # length of the second (accept) backlog queue
fs.inotify.max_user_instances=8192 # maximum number of inotify instances per real user ID; default 128
fs.inotify.max_user_watches=524288 # number of inotify watches one user may add at the same time; default 8192
fs.file-max=52706963 # system-wide maximum number of file descriptors
fs.nr_open=52706963 # maximum number of file descriptors a single process may open
kernel.pid_max = 4194303 # maximum number of process IDs
net.bridge.bridge-nf-call-arptables=1 # whether ARP packets crossing the bridge are filtered by the arptables FORWARD chain
vm.swappiness=0 # never use swap space unless the system is out of memory
vm.overcommit_memory=1 # do not check whether enough physical memory is available
vm.panic_on_oom=0 # do not panic on OOM; let the OOM killer handle it
vm.max_map_count = 262144

10.4.4 Apply the kernel parameters
sysctl --system

Reference output:

root@masterServer1:/opt/kubernetes/docker# sysctl --system
* Applying /etc/sysctl.d/10-console-messages.conf ...
kernel.printk = 4 4 1 7
* Applying /etc/sysctl.d/10-ipv6-privacy.conf ...
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
* Applying /etc/sysctl.d/10-kernel-hardening.conf ...
kernel.kptr_restrict = 1
* Applying /etc/sysctl.d/10-magic-sysrq.conf ...
kernel.sysrq = 176
* Applying /etc/sysctl.d/10-network-security.conf ...
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
* Applying /etc/sysctl.d/10-ptrace.conf ...
kernel.yama.ptrace_scope = 1
* Applying /etc/sysctl.d/10-zeropage.conf ...
vm.mmap_min_addr = 65536
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.accept_source_route = 0
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Invalid argument
net.ipv4.conf.default.promote_secondaries = 1
sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
kernel.pid_max = 4194304
* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/kubernetes.conf ...
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_watches = 89100
fs.file-max = 52706963
fs.nr_open = 52706963
net.ipv6.conf.all.disable_ipv6 = 1
net.netfilter.nf_conntrack_max = 2310720
* Applying /etc/sysctl.conf ...
root@masterServer1:/opt/kubernetes/docker# 
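
Before installing Kubernetes it is worth confirming on each node that the steps of 10.3 and 10.4 actually took effect. The script below is an added example (not from the original post) that does this: the file-based checks run on any input (the demo uses constructed files), and check_runtime reads the live host only when PREFLIGHT_HOST=1 is set. EXPECTED holds a subset of the article's values; the function names are ours.

```shell
#!/bin/sh
# Added example (not part of the original post): check that the steps of 10.3 and 10.4 took
# effect on a node before installing Kubernetes. The file-based checks run anywhere (the demo
# below uses constructed files); check_runtime reads the live host and only runs when
# PREFLIGHT_HOST=1 is set. Function names and EXPECTED are ours, the values are the article's.
set -eu

EXPECTED='net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
vm.swappiness=0
net.netfilter.nf_conntrack_max=2310720'

# active_swap_lines FSTAB: uncommented swap entries still present (must be 0 after the sed in 10.3).
active_swap_lines() {
  awk 'substr($1, 1, 1) != "#" && $3 == "swap" { n++ } END { print n + 0 }' "$1"
}

# sysctl_mismatches CONF: one line per expected key whose value in CONF is missing or different.
sysctl_mismatches() {
  printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
    got=$(awk -F'[ =]+' -v k="$key" '$1 == k { v = $2 } END { print v }' "$1")
    [ "$got" = "$want" ] || echo "$key (want $want, got '${got:-unset}')"
  done
}

# check_runtime: live checks on a node; every line should say OK.
check_runtime() {
  [ -z "$(swapon --show --noheadings)" ] && echo "OK swap off" || echo "FAIL swap still active"
  [ "$(active_swap_lines /etc/fstab)" = 0 ] && echo "OK fstab" || echo "FAIL fstab still lists swap"
  for m in overlay br_netfilter; do
    lsmod | awk '{print $1}' | grep -qx "$m" && echo "OK module $m" || echo "FAIL module $m not loaded"
  done
  printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
    [ "$(sysctl -n "$key" 2>/dev/null)" = "$want" ] && echo "OK $key" || echo "FAIL $key is not $want"
  done
}

# Demo on constructed files (not the live /etc/fstab or /etc/sysctl.d/kubernetes.conf).
fstab=$(mktemp); conf=$(mktemp)
printf 'UUID=0000-demo / ext4 defaults 0 1\n/swap.img none swap sw 0 0\n' > "$fstab"
printf '%s\n' "$EXPECTED" | sed 's/^net.ipv4.ip_forward=1$/net.ipv4.ip_forward=0/' > "$conf"
echo "swap lines before: $(active_swap_lines "$fstab")"
sed '/swap/s/^\(.*\)$/#\1/' "$fstab" > "$fstab.fixed"       # the article's fstab edit
echo "swap lines after:  $(active_swap_lines "$fstab.fixed")"
sysctl_mismatches "$conf"
rm -f "$fstab" "$fstab.fixed" "$conf"
if [ "${PREFLIGHT_HOST:-0}" = 1 ]; then check_runtime; fi
```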