微服务开启之路——环境篇01
本文最后更新于8 天前,其中的信息可能已经过时,如有错误请发送邮件到2647369456@qq.com

kubectl

k8s初识:这是一篇介绍 k8s 的文章,更加详细的视频请点击抖音网页版

高可用部署安装K8s+Rancher 副本

系统预配置

推荐使用Debian12系统

关闭防火墙(仅在节点位于云安全组 / 外层防火墙之后时这样做;否则应按 RKE2 官方的入站端口列表逐个放行 6443、9345、10250、2379-2380、8472 及 NodePort 范围,而不是整体关闭)

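# Stop and disable the host firewall so RKE2 node-to-node and pod traffic is
# not filtered. Debian 12 installs neither firewalld nor ufw by default, so
# each unit is only touched if it exists (the original unconditionally called
# `systemctl stop firewalld`, which just errors on a stock Debian host).
#
# SECURITY: with the firewall off, every listening port on the node
# (API server, supervisor, kubelet, etcd, NodePorts) is reachable from any
# network the host is attached to. Only do this when an external firewall /
# cloud security group restricts those ports to cluster members and trusted
# clients; otherwise allow the RKE2 port list explicitly instead.
for fw in firewalld ufw; do
  if systemctl list-unit-files --type=service 2>/dev/null | grep -q "^${fw}\.service"; then
    systemctl disable --now "$fw"
  fi
done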

配置内核参数

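#!/bin/bash
# Debian 12 node preparation for Kubernetes/RKE2: kernel parameters,
# file-descriptor limits and the br_netfilter module. Run as root.
#
# Re-runnable: each group of settings lives in its own drop-in file that is
# overwritten on every run. The original appended to /etc/sysctl.conf,
# limits.conf, system.conf and user.conf on every invocation, producing
# duplicate entries each time it was executed.

set -euo pipefail

# The original installed sudo and then prefixed every command with it even
# though it already required root; a plain root check is enough.
if [ "$(id -u)" -ne 0 ]; then
  echo "请以 root 权限运行此脚本" >&2
  exit 1
fi

# Load br_netfilter BEFORE applying sysctl: the net.bridge.* keys only exist
# once the module is loaded, and sysctl exits non-zero on an unknown key.
# Under set -e the original aborted at `sysctl -p` before ever reaching its
# modprobe line.
echo "配置内核模块 br_netfilter..."
tee /etc/modules-load.d/br_netfilter.conf > /dev/null <<'EOF'
br_netfilter
EOF
modprobe br_netfilter

echo "写入并优化 sysctl 内核参数..."
# Quoted heredoc delimiter: nothing inside is subject to shell expansion.
tee /etc/sysctl.d/99-k8s.conf > /dev/null <<'EOF'
# TCP congestion control / queue discipline
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

# TCP Fast Open (client and server side)
net.ipv4.tcp_fastopen=3

# File-system / descriptor limits
fs.aio-max-nr=1048576
fs.file-max=52706963
fs.nr_open=52706963

# inotify limits (kubelet, log tailers and controllers watch many files)
fs.inotify.max_queued_events=1048576
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=524288

# Maximum memory-map areas per process
vm.max_map_count=262144

# Pseudo-terminal limit
kernel.pty.max=8192

# Avoid swapping (swap itself is disabled by the install script; kubelet
# requires it off)
vm.swappiness=0

# Larger PID space for many containers
kernel.pid_max=4194304

# Network buffers and connection handling
net.core.rmem_max=33554432
net.core.wmem_max=33554432
net.ipv4.tcp_rmem=4096 87380 33554432
net.ipv4.tcp_wmem=4096 65536 33554432
net.core.netdev_max_backlog=250000
net.core.somaxconn=65535
net.ipv4.tcp_max_syn_backlog=65535
net.ipv4.ip_local_port_range=1024 65535
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
net.ipv4.ip_forward=1

# Bridged traffic must traverse iptables for kube-proxy / CNI rules to apply
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

# SYN cookies keep the listen queue usable under a SYN flood; leave them on.
# The original set this to 0, removing that protection on a node that exposes
# the API server, kubelet and NodePorts.
net.ipv4.tcp_syncookies=1

# Deliberately NOT set: net.ipv4.ip_unprivileged_port_start=1 (from the
# original). It lets any unprivileged local process bind ports 1-1023, so a
# local user or a non-root hostNetwork pod could squat on 22/80/443/6443 while
# the real service is restarting. RKE2 components run as root and do not
# need it.
EOF

echo "应用 sysctl 配置..."
# --system reads /etc/sysctl.d/*.conf; plain `sysctl -p` only reads /etc/sysctl.conf.
sysctl --system

echo "优化文件描述符限制..."
tee /etc/security/limits.d/99-nofile.conf > /dev/null <<'EOF'
* soft nofile 1048576
* hard nofile 1048576
root soft nofile 1048576
root hard nofile 1048576
EOF

# systemd drop-ins need the section header; the original relied on the
# [Manager] header already present at the top of system.conf when appending.
mkdir -p /etc/systemd/system.conf.d /etc/systemd/user.conf.d
tee /etc/systemd/system.conf.d/99-nofile.conf > /dev/null <<'EOF'
[Manager]
DefaultLimitNOFILE=1048576
EOF
tee /etc/systemd/user.conf.d/99-nofile.conf > /dev/null <<'EOF'
[Manager]
DefaultLimitNOFILE=1048576
EOF

echo "重启 systemd 以应用文件描述符限制..."
systemctl daemon-reexec

echo "Debian12 优化已完成!请重启系统以确保所有更改生效。"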

重置系统UUID

确保主机ID唯一

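# Regenerate the systemd machine-id so cloned VMs / images do not share one.
# Several things key on it (DHCP client identifiers, systemd-networkd, the
# machineID reported in Kubernetes node info), so duplicates cause confusing
# collisions. Run once per clone, before RKE2 is installed.
# /var/lib/dbus/machine-id must carry the same value; on Debian it is normally
# a symlink to /etc/machine-id, so remove it too and recreate the link rather
# than leaving a stale copy behind.
rm -f /etc/machine-id /var/lib/dbus/machine-id
systemd-machine-id-setup
if [ -d /var/lib/dbus ]; then
  ln -sf /etc/machine-id /var/lib/dbus/machine-id
fi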

Hosts

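#!/bin/bash
# Add static name resolution for the cluster nodes to /etc/hosts. Run as root.
# Re-runnable: lines already present are skipped, so the file does not grow on
# every invocation (the original appended unconditionally).

set -euo pipefail

if [ "$(id -u)" -ne 0 ]; then
  echo "请使用 root 权限运行此脚本" >&2
  exit 1
fi

# Replace these placeholders with each node's real private address before
# running. 1.1.1.1 is a public DNS resolver, not a cluster node, and mapping
# every name to the same IP makes the tls-san / server: settings in the RKE2
# configs meaningless.
HOSTS_CONTENT="
1.1.1.1 node1
1.1.1.1 node2
1.1.1.1 node3
1.1.1.1 node4
1.1.1.1 node5
1.1.1.1 node6
"

# Keep a backup of the file as it was before this run.
cp -a /etc/hosts /etc/hosts.bak

# The original `for line in "$HOSTS_CONTENT"` iterated once over the whole
# quoted string; read it line by line instead and skip blanks/duplicates.
while IFS= read -r line; do
  [ -z "$line" ] && continue
  if grep -qxF -- "$line" /etc/hosts; then
    echo "已存在,跳过: $line"
  else
    printf '%s\n' "$line" >> /etc/hosts
  fi
done <<< "$HOSTS_CONTENT"

echo "已成功写入 /etc/hosts 文件"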

部署RKE2、chrony、kubectl、helm脚本

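#!/bin/bash
# Install RKE2, chrony, kubectl and helm on a Debian 12 node. Run as root.
#
# Environment overrides (all optional):
#   INSTALL_RKE2_VERSION  e.g. v1.31.4+rke2r1; empty = latest from the default channel
#   INSTALL_RKE2_TYPE     server (default) or agent; selects which unit is enabled
#   KUBECTL_VERSION       e.g. v1.31.4; empty = current stable release
#
# Supply-chain notes: downloads go to a private temp dir, kubectl is verified
# against its published checksum, and the RKE2 installer is saved to disk and
# hashed (not piped straight into sh) so it can be inspected before it runs
# as root and a truncated download cannot execute half a script.

set -euo pipefail

if [ "$EUID" -ne 0 ]; then
  echo "请以 root 用户运行此脚本!" >&2
  exit 1
fi

INSTALL_RKE2_VERSION="${INSTALL_RKE2_VERSION:-}"
INSTALL_RKE2_TYPE="${INSTALL_RKE2_TYPE:-server}"
KUBECTL_VERSION="${KUBECTL_VERSION:-}"
# amd64 or arm64; the original hard-coded amd64.
ARCH="$(dpkg --print-architecture)"

workdir="$(mktemp -d)"
trap 'rm -rf -- "$workdir"' EXIT

echo "更新系统软件包..."
apt update && apt upgrade -y

echo "安装所需依赖..."
apt install -y apt-transport-https ca-certificates curl gnupg lsb-release \
  software-properties-common iptables chrony

# kubelet refuses to start with swap enabled: disable now and on reboot.
swapoff -a
# Comment out swap entries instead of deleting every line containing "swap".
# The original '/swap/d' also removed comments and any other mount whose path
# happened to contain that substring.
sed -ri 's/^([^#].*[[:space:]]swap[[:space:]].*)$/#\1/' /etc/fstab

# Time sync: TLS validation and etcd need the nodes' clocks to agree.
systemctl enable --now chrony
timedatectl set-timezone UTC
chronyc tracking

# ======================
# RKE2
# ======================
echo "安装 RKE2..."
if ! command -v rke2 >/dev/null 2>&1; then
  curl -sfL https://get.rke2.io -o "$workdir/rke2-install.sh"
  echo "RKE2 安装脚本 sha256: $(sha256sum "$workdir/rke2-install.sh" | cut -d' ' -f1)"
  INSTALL_RKE2_VERSION="$INSTALL_RKE2_VERSION" INSTALL_RKE2_TYPE="$INSTALL_RKE2_TYPE" \
    sh "$workdir/rke2-install.sh"
  # Enable only the unit for this node's role. The original always enabled
  # rke2-server, which is wrong on the agent nodes this guide also sets up.
  systemctl enable "rke2-${INSTALL_RKE2_TYPE}"
  # Not started here: /etc/rancher/rke2/config.yaml (token, server, tls-san)
  # must be written first.
  ln -sf /usr/local/bin/rke2 /usr/bin/rke2
  # The bundled kubectl appears under /var/lib/rancher/rke2/bin once RKE2 has
  # started; the link is created now and becomes valid then.
  ln -sf /var/lib/rancher/rke2/bin/kubectl /usr/local/bin/rke2-kubectl
  echo "RKE2 安装完成!"
  echo "请根据实际需求编辑 /etc/rancher/rke2/config.yaml 后执行:systemctl start rke2-${INSTALL_RKE2_TYPE}"
else
  echo "RKE2 已安装,跳过。"
fi

# ======================
# kubectl
# ======================
echo "安装 kubectl..."
if ! command -v kubectl >/dev/null 2>&1; then
  if [ -z "$KUBECTL_VERSION" ]; then
    KUBECTL_VERSION="$(curl -sfL https://dl.k8s.io/release/stable.txt)"
  fi
  # dl.k8s.io is the current official download host; the original used the
  # legacy storage.googleapis.com/kubernetes-release bucket.
  base_url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}"
  curl -sfL "${base_url}/kubectl" -o "$workdir/kubectl"
  curl -sfL "${base_url}/kubectl.sha256" -o "$workdir/kubectl.sha256"
  # Refuse to install a binary that does not match the published checksum;
  # the original installed whatever the download returned.
  (cd "$workdir" && echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check --status) \
    || { echo "kubectl 校验和不匹配,已中止" >&2; exit 1; }
  install -m 755 -o root -g root "$workdir/kubectl" /usr/local/bin/kubectl
  echo "kubectl 安装完成!"
else
  echo "kubectl 已安装,跳过。"
fi

# ======================
# Helm
# ======================
echo "安装 Helm..."
if ! command -v helm >/dev/null 2>&1; then
  keyring=/usr/share/keyrings/helm.gpg
  # -f so an HTTP error page is never dearmored as a key; --batch --yes so a
  # keyring left by an earlier failed run is overwritten instead of prompting.
  curl -fsSL https://baltocdn.com/helm/signing.asc | gpg --batch --yes --dearmor -o "$keyring"
  echo "deb [arch=${ARCH} signed-by=${keyring}] https://baltocdn.com/helm/stable/debian/ all main" \
    | tee /etc/apt/sources.list.d/helm-stable-debian.list > /dev/null
  apt update
  apt install -y helm
  echo "Helm 安装完成!"
else
  echo "Helm 已安装,跳过。"
fi

echo -e "\n所有组件安装完成!"
# The installed binary is `rke2`; the original queried `rke --version`, which
# is the separate RKE1 tool and is not installed here.
echo "RKE2 版本: $(rke2 --version)"
echo -n "kubectl 版本: "
kubectl version --client=true
echo "Helm 版本: $(helm version --short)"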

RKE2 配置——采用canal(ipvs+kube-proxy)方案

server 配置路径 /etc/rancher/rke2/config.yaml(该文件包含集群加入 token,请保持 0600 权限、不要提交到代码仓库)

  1. 首台Server:
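# Cluster join secret. Generate it once (e.g. `openssl rand -hex 32`), use the
# same value on every server and agent, and keep this file 0600: anyone who
# can read the token can join a node to the cluster.
token: aaaaaaaaaaaaaaaaaaaxxxxxxxxxxxxxxx
# Extra SubjectAltNames for the API-server / supervisor certificate. If clients
# or agents reach the servers through a VIP or load balancer, add that
# hostname/IP here as well, otherwise TLS verification fails for them.
tls-san:
  - node1
  - node3
  - node5
cluster-cidr: 10.42.0.0/16
service-cidr: 10.43.0.0/16
cluster-dns: 10.43.0.10
cluster-domain: cluster.local
cni: canal
# The generated /etc/rancher/rke2/rke2.yaml holds cluster-admin credentials.
# The original "0644" made it readable by every local user; keep it root-only
# and give operators their own 0600 copy under ~/.kube instead.
write-kubeconfig-mode: "0600"
kube-proxy-arg:
  - 'proxy-mode=ipvs'
  - 'ipvs-min-sync-period=5s'
  - 'ipvs-sync-period=5s'
  - 'ipvs-scheduler=rr'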
  2. 其他Server:
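# Registration address of an existing server. Pointing every additional
# server at node1 means they cannot (re)join while node1 is down; with a VIP /
# load balancer in front of port 9345, use that address here.
server: https://node1:9345
# Must be identical to the token on the first server; keep this file 0600.
token: aaaaaaaaaaaaaaaaaaaxxxxxxxxxxxxxxx
# Keep tls-san identical on all servers, including the VIP/LB name if one is used.
tls-san:
  - node1
  - node3
  - node5
cluster-cidr: 10.42.0.0/16
service-cidr: 10.43.0.0/16
cluster-dns: 10.43.0.10
cluster-domain: cluster.local
cni: canal
# rke2.yaml contains cluster-admin credentials; the original "0644" exposed
# them to every local user. Root-only, with per-operator copies under ~/.kube.
write-kubeconfig-mode: "0600"
kube-proxy-arg:
  - 'proxy-mode=ipvs'
  - 'ipvs-min-sync-period=5s'
  - 'ipvs-sync-period=5s'
  - 'ipvs-scheduler=rr'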

启动命令 systemctl enable --now rke2-server

agent 配置路径 /etc/rancher/rke2/config.yaml(同样包含 token,保持 0600 权限)

# Same join token as the servers; treat it as a secret (0600, never in git).
token: aaaaaaaaaaaaaaaaaaaxxxxxxxxxxxxxxx
# Registration address. A single server name means this agent cannot (re)join
# while that server is down; with several servers, point it at the VIP / load
# balancer in front of port 9345 instead.
server: https://node5:9345
kube-proxy-arg:
  - 'proxy-mode=ipvs'
  - 'ipvs-min-sync-period=5s'
  - 'ipvs-sync-period=5s'
  - 'ipvs-scheduler=rr'
# If a VIP or LB IP exists, use the VIP / LB address above.

启动命令 systemctl enable --now rke2-agent

集群交互 kubectl

# Give the current user a private copy of the RKE2-generated admin kubeconfig
# and point kubectl at it. The directory and file are restricted to the owner
# because the file carries cluster-admin credentials.
# NOTE(review): rke2.yaml is believed to target the local API endpoint only;
# for use from another machine the server address would need changing - confirm.
kube_dir="$HOME/.kube"
mkdir -p "$kube_dir"
cp /etc/rancher/rke2/rke2.yaml "$kube_dir/config"
chmod 700 "$kube_dir"
chmod 600 "$kube_dir/config"
chown "$(id -u):$(id -g)" "$kube_dir/config"
export KUBECONFIG="$kube_dir/config"

kubectl get nodes

安装Rancher

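#!/bin/bash
# Install cert-manager and Rancher on the cluster the current KUBECONFIG points
# at. Requires helm and kubectl with cluster-admin.
#
# Environment overrides (all optional):
#   RANCHER_HOSTNAME        public DNS name Rancher is served on; Let's Encrypt
#                           must be able to reach it on ports 80/443
#   LETSENCRYPT_EMAIL       contact address for the ACME account
#   RANCHER_REPLICAS        3 for production, 1 for a test cluster
#   RANCHER_ADMIN_PASSWORD  initial admin password; generated at random when unset
#   HELM_RANCHER_REPO       chart repo; "latest" by default, use the "stable"
#                           repo for production clusters
#   CERT_MANAGER_VERSION    cert-manager release to apply
#
# The original hard-coded the admin password in the script and printed it at
# the end; both leak it (git history, shell logs, terminal scrollback).

set -euo pipefail

RANCHER_NAMESPACE="cattle-system"
RANCHER_HOSTNAME="${RANCHER_HOSTNAME:-rancher.aaa.net}"   # 替换为你的域名/IP.nip.io
LETSENCRYPT_EMAIL="${LETSENCRYPT_EMAIL:-admin@aaa.net}"   # 替换为你自己的邮箱
RANCHER_REPLICAS="${RANCHER_REPLICAS:-3}"                 # 生产建议3,测试1
HELM_RANCHER_REPO="${HELM_RANCHER_REPO:-https://releases.rancher.com/server-charts/latest}"
CERT_MANAGER_VERSION="${CERT_MANAGER_VERSION:-v1.17.2}"

# ==== 检查依赖 ====
if ! command -v helm >/dev/null 2>&1; then
  echo "错误:Helm 未安装,请先安装 Helm。" >&2
  exit 1
fi

if ! command -v kubectl >/dev/null 2>&1; then
  echo "错误:kubectl 未安装,请先安装 kubectl。" >&2
  exit 1
fi

# ==== 初始密码 ====
# Take the password from the environment or generate one; never embed it in
# the script.
if [ -z "${RANCHER_ADMIN_PASSWORD:-}" ]; then
  RANCHER_ADMIN_PASSWORD="$(head -c 18 /dev/urandom | base64 | tr -d '\n')"
  generated_password=1
else
  generated_password=0
fi

# ==== 添加 Helm 仓库 ====
helm repo add rancher-latest "$HELM_RANCHER_REPO"
helm repo update

# ==== 安装 cert-manager ====
kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml"

for deploy in cert-manager cert-manager-webhook cert-manager-cainjector; do
  echo "等待 cert-manager 组件 ${deploy} 启动中..."
  kubectl -n cert-manager rollout status "deploy/${deploy}" --timeout=5m
done

# ==== 创建 Rancher 命名空间 ====
kubectl create namespace "$RANCHER_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -

# ==== 创建 bootstrap-secret ====
# Rancher reads bootstrap-secret/bootstrapPassword as the initial admin
# password and forces a change at first login; `helm --set bootstrapPassword=`
# stores exactly this plaintext form.
# NOTE(review): the original bcrypt-hashed the value with htpasswd before
# storing it. I could not confirm Rancher accepts a hash in this secret (with
# a hash, the literal hash string would be the login password), so the
# documented plaintext form is used here - verify on first login.
pw_file="$(mktemp)"
trap 'rm -f -- "$pw_file"' EXIT
chmod 600 "$pw_file"
printf '%s' "$RANCHER_ADMIN_PASSWORD" > "$pw_file"
kubectl -n "$RANCHER_NAMESPACE" delete secret bootstrap-secret --ignore-not-found
# --from-file keeps the password out of argv (visible in `ps` and shell history
# with --from-literal).
kubectl -n "$RANCHER_NAMESPACE" create secret generic bootstrap-secret \
  --from-file=bootstrapPassword="$pw_file"

echo "已设置初始 admin 密码。"

# ==== 安装 Rancher ====
helm upgrade --install rancher rancher-latest/rancher \
  --namespace "$RANCHER_NAMESPACE" \
  --set hostname="$RANCHER_HOSTNAME" \
  --set replicas="$RANCHER_REPLICAS" \
  --set ingress.tls.source=letsEncrypt \
  --set letsEncrypt.email="$LETSENCRYPT_EMAIL"

echo "等待 rancher pod 启动..."
kubectl -n "$RANCHER_NAMESPACE" rollout status deploy/rancher --timeout=10m

# ==== 输出访问信息 ====
echo
echo "✅ Rancher 安装完成!"
echo "请用浏览器访问:https://${RANCHER_HOSTNAME}"
echo "初始 admin 用户名:admin"
if [ "$generated_password" -eq 1 ]; then
  echo "初始 admin 密码已随机生成,读取命令:"
  echo "  kubectl -n ${RANCHER_NAMESPACE} get secret bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}'"
else
  echo "初始 admin 密码:使用你通过 RANCHER_ADMIN_PASSWORD 提供的值(不在此打印)"
fi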

网络清理

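#!/bin/bash
# Remove leftover virtual interfaces from a previous container / CNI install
# (docker0, flannel.1, cni0, ...). Meant for a node that is being rebuilt, NOT
# for a live node: deleting these links under a running RKE2 or docker breaks
# pod networking. Run as root. Best-effort: a failed delete does not stop the
# remaining interfaces from being handled (no `set -e`, as in the original).

set -u

if [ "$(id -u)" -ne 0 ]; then
  echo "请以 root 权限运行此脚本" >&2
  exit 1
fi

# Refuse to run while a unit that owns these links is active (`is-active`
# succeeds if at least one of the listed units is active).
if systemctl is-active --quiet rke2-server rke2-agent docker k3s 2>/dev/null; then
  echo "检测到 rke2/docker 仍在运行,请先停止并卸载后再清理网络接口" >&2
  exit 1
fi

# Delete one link if it exists, reporting either outcome.
# Arguments: $1 - interface name
delete_link() {
  local name=$1
  if ip link show "$name" >/dev/null 2>&1; then
    echo "删除 ${name} 接口..."
    ip link delete "$name"
  else
    echo "${name} 接口不存在,无需删除。"
  fi
}

echo "开始清理残留的网络接口..."
for iface in docker0 flannel.1 cni0 vxlan0 weave; do
  delete_link "$iface"
done

# Debian uses networking.service, RHEL-style hosts network.service. Over SSH
# this may briefly drop the session.
echo "重启网络服务以应用更改..."
systemctl restart networking || systemctl restart network

echo "最终网络状态:"
ip addr show
ip route show

echo "网络清理完成!"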