Installing containerd + k8s on Arch Linux from scratch


2023-05-06 04:39 | Source: web compilation | Views: 265

Download the ISO: https://mirrors.tuna.tsinghua.edu.cn/archlinux/iso/latest/

k8s: v1.26.4; calico: 3.25.1; dashboard: v2.7.0

Contents

- 1. Preparation
- 2. Disk management
  - 2.1 Disk partitioning
  - 2.2 Formatting the disk
  - 2.3 Mounting the disk
- 3. Installing the system
  - 3.1 Installing the system files
  - 3.2 Configuring fstab
  - 3.3 Configuring the system
  - 3.4 Installing the bootloader
  - 3.5 Installing OpenSSH
  - 3.6 Hostname
  - 3.7 Setting the root password
  - 3.8 Network configuration
  - 3.9 Rebooting and booting from disk
  - 3.10 Localization
  - 3.11 Time zone
  - 3.12 Hardware clock
  - 3.13 Installing a DNS service
- 4. Installing k8s
  - 4.1 Configuring containerd
  - 4.2 Pulling the k8s images
  - 4.3 Creating the k8s cluster
  - 4.4 Joining control-plane nodes
  - 4.5 Joining worker nodes
  - 4.6 Installing the CNI: Calico
  - 4.7 Installing the Dashboard
  - 4.8 Viewing the k8s cluster
- Appendix: package signature error

1. Preparation

A VMware virtual machine is used as the example.

Boot with EFI rather than the default BIOS. If you do not use EFI, install a non-EFI bootloader in the later steps as well.

Control-plane nodes (master)

Node list:

| hostname    | ip            |
|-------------|---------------|
| k8s-master1 | 10.0.2.101/24 |
| k8s-master2 | 10.0.2.102/24 |
| k8s-master3 | 10.0.2.103/24 |

CPU: 2 cores

Memory: 2 GB

Disk: 20 GB

NIC: NIC 1 (ens33) on a custom NAT network

Worker nodes

Node list:

| hostname    | ip            |
|-------------|---------------|
| k8s-worker1 | 10.0.2.111/24 |
| k8s-worker2 | 10.0.2.112/24 |
| k8s-worker3 | 10.0.2.113/24 |

CPU: 2 cores

Memory: 4 GB

Disk: 20 GB

NIC: NIC 1 (ens33) on a custom NAT network

2. Disk management

2.1 Disk partitioning

Use a GUID partition table with two partitions:

1) EFI System (EF00), last sector: +500M (500 MB)

2) Linux filesystem (8300), last sector: default (the remaining capacity)

```bash
gdisk /dev/sda
```

2.2 Formatting the disk

```bash
mkfs.vfat -F32 /dev/sda1   # ESP partition, mounted at /boot
mkfs.ext4 /dev/sda2        # Linux filesystem partition, mounted at /
```

2.3 Mounting the disk

```bash
mount /dev/sda2 /mnt        # mount the root partition
mkdir /mnt/boot             # create the /boot directory
mount /dev/sda1 /mnt/boot   # mount the ESP (sda1) at /boot
lsblk                       # check the mounts
```

3. Installing the system

3.1 Installing the system files

```bash
vim /etc/pacman.d/mirrorlist
```

Add the following mirror at the top of the file:

```
Server = https://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
#Server = https://mirrors.aliyun.com/archlinux/$repo/os/$arch
```

Install the base system:

```bash
pacstrap /mnt base base-devel
```

3.2 Configuring fstab

```bash
genfstab -U /mnt > /mnt/etc/fstab   # generate the mount table
```

Edit fstab:

```bash
vim /mnt/etc/fstab   # for SSDs, append the options "discard,noatime"
```

3.3 Configuring the system

Edit /mnt/etc/pacman.conf and add the following:

```ini
[archlinuxcn]
Server = https://mirrors.tuna.tsinghua.edu.cn/archlinuxcn/$arch
#Server = https://mirrors.aliyun.com/archlinuxcn/$arch
```

Change root into the new system:

```bash
arch-chroot /mnt /bin/bash
```

Now the system can be fully updated:

```bash
pacman -Syy   # the root directory changed, so refresh the package database
pacman -S archlinuxcn-keyring
pacman -S vim bash-completion yay fakeroot
ln -s /usr/bin/vim /usr/bin/vi
```

3.4 Installing the bootloader

```bash
# install the Linux kernel
pacman -S linux-lts linux-firmware
# install the microcode
pacman -S amd-ucode   # on Intel: intel-ucode
bootctl install       # boot loader (systemd-boot)
vim /boot/loader/entries/arch.conf
```

```
title   Arch Linux
linux   /vmlinuz-linux-lts
# on Intel: /intel-ucode.img
initrd  /amd-ucode.img
initrd  /initramfs-linux-lts.img
options root=/dev/sda2 rw
```

```bash
vim /boot/loader/entries/arch-fallback.conf
```

```
title   Arch Linux (fallback initramfs)
linux   /vmlinuz-linux-lts
# on Intel: /intel-ucode.img
initrd  /amd-ucode.img
initrd  /initramfs-linux-lts-fallback.img
options root=/dev/sda2 rw
```

```bash
vim /boot/loader/loader.conf   # the ESP is mounted at /boot, so bootctl put loader.conf here
```

```
default      arch.conf
timeout      2
console-mode max
editor       no
```

```bash
# verify that the file paths are correct
bootctl list
bootctl status
```

3.5 Installing OpenSSH

```bash
pacman -S openssh
# allow root to log in with a password (the default line is "#PermitRootLogin prohibit-password")
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
systemctl enable sshd
```

3.6 Hostname

```bash
echo <hostname> > /etc/hostname   # replace <hostname> with the node name, e.g. k8s-master1
```

3.7 Setting the root password

```bash
passwd
```

3.8 Network configuration

Use systemd-networkd.

VMware network configuration: NAT mode; subnet 10.0.2.0/24; DHCP range 10.0.2.200 - 10.0.2.254; gateway 10.0.2.2 (do not set it to 10.0.2.1, otherwise the VM cannot reach the internet).

```bash
vim /etc/systemd/network/20-wired.network
```

```ini
[Match]
Name=ens33

[Network]
#DHCP=ipv4   # enable this line when using DHCP
Address=10.0.2.101/24
Gateway=10.0.2.2
DNS=223.5.5.5
DNS=223.6.6.6
```

```bash
systemctl enable systemd-networkd
systemctl enable systemd-resolved
```

3.9 Rebooting and booting from disk

```bash
exit     # leave the chroot
reboot   # after the reboot, boot into the installed system
```

3.10 Localization

```bash
vim /etc/locale.gen
```

Uncomment these lines:

```
en_US.UTF-8 UTF-8
zh_CN.GBK GBK
zh_CN.UTF-8 UTF-8
zh_CN GB2312
```

```bash
locale-gen                                   # generate the locales
echo 'LANG=en_US.UTF-8' > /etc/locale.conf   # set the default locale
```

3.11 Time zone

```bash
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
```

3.12 Hardware clock

```bash
# date -s '2022-7-5 16:49:45'
hwclock --systohc --utc   # use UTC; write the system time to the hardware clock
# hwclock --hctosys --utc # use UTC; write the hardware clock to the system time
```

3.13 Installing a DNS service

```bash
pacman -S bind   # see: https://wiki.archlinux.org/title/BIND
```

4. Installing k8s

Install with kubeadm: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/

```bash
pacman -S kubeadm kubelet kubectl containerd
systemctl enable containerd
systemctl start containerd
systemctl enable kubelet
systemctl start kubelet
```

4.1 Configuring containerd

Create the /etc/modules-load.d/containerd.conf configuration file:

```bash
cat > /etc/modules-load.d/containerd.conf <<EOF
overlay
br_netfilter
EOF
```

Modify the containerd configuration:

```bash
# edit the configuration
mkdir -p /etc/containerd
if [ ! -f /etc/containerd/config.toml ]; then
  containerd config default > /etc/containerd/config.toml
fi
# set SystemdCgroup to true
sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml
sed -i 's/k8s.gcr.io/registry.aliyuncs.com\/google_containers/g' /etc/containerd/config.toml
sed -i 's/registry.k8s.io/registry.aliyuncs.com\/google_containers/g' /etc/containerd/config.toml
```

Configure registry mirrors:

```bash
vim /etc/containerd/config.toml
```

Find `[plugins."io.containerd.grpc.v1.cri".registry.mirrors]` and add the following after it:

```toml
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = ["https://docker.mirrors.ustc.edu.cn"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
  endpoint = ["https://registry.aliyuncs.com/google_containers"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
  endpoint = ["https://registry.aliyuncs.com/google_containers"]
```

Restart containerd and check its status:

```bash
systemctl restart containerd
# make sure containerd's cgroup driver is SystemdCgroup
crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock info | grep SystemdCgroup | awk -F ': ' '{ print $2 }'
# output:
true
```
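As an added example (not from the original post), a small POSIX sh check for what the troubleshooting note in 4.3 asks for: read the SystemdCgroup setting from containerd's config.toml and cgroupDriver from the kubelet's config.yaml and report whether the two agree. The function names, the constructed sample files in `demo_cgroup_check`, and the file paths passed as arguments are assumptions.

```shell
# Added example (not part of the original post): confirm that containerd and
# the kubelet agree on the cgroup driver before kubeadm init/join.
# The file paths are parameters so the check can run against copied files.

# Print the SystemdCgroup value from a containerd config.toml ("true"/"false"),
# or "unset" when the key is absent (containerd then uses cgroupfs).
containerd_systemd_cgroup() {
  v=$(sed -n 's/^[[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1)
  printf '%s\n' "${v:-unset}"
}

# Print cgroupDriver from a kubelet config.yaml; the kubelet's own default is
# cgroupfs when the key is missing.
kubelet_cgroup_driver() {
  v=$(sed -n 's/^[[:space:]]*cgroupDriver:[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1)
  printf '%s\n' "${v:-cgroupfs}"
}

# Return 0 when both sides use the same driver, 1 on a mismatch (the case the
# troubleshooting note in section 4.3 refers to).
check_cgroup_consistency() {
  if [ "$(containerd_systemd_cgroup "$1")" = "true" ]; then
    cd_driver=systemd
  else
    cd_driver=cgroupfs
  fi
  kl_driver=$(kubelet_cgroup_driver "$2")
  if [ "$cd_driver" = "$kl_driver" ]; then
    echo "OK: containerd=$cd_driver kubelet=$kl_driver"
    return 0
  fi
  echo "MISMATCH: containerd=$cd_driver kubelet=$kl_driver" >&2
  return 1
}

# Demo on constructed sample files (on a real node pass
# /etc/containerd/config.toml and /var/lib/kubelet/config.yaml instead).
demo_cgroup_check() {
  d=$(mktemp -d)
  printf '  SystemdCgroup = true\n' > "$d/config.toml"
  printf 'kind: KubeletConfiguration\ncgroupDriver: systemd\n' > "$d/config.yaml"
  check_cgroup_consistency "$d/config.toml" "$d/config.yaml"
  rc=$?
  rm -rf "$d"
  return $rc
}
```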

Set a crictl alias:

```bash
echo 'alias docker="crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock"' > /etc/profile.d/containerd.sh
source /etc/profile.d/containerd.sh
```

4.2 Pulling the k8s images

Specify the k8s image repository with the `--image-repository` parameter:

```bash
kubeadm config images pull --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.26.4
```

4.3 Creating the k8s cluster

```bash
# A load balancer should be set up and its IP used here; this setup uses the self-hosted DNS service instead:
#   10.0.2.101 cluster.berkaroad.com
# This kubelet version no longer has the `--cni-bin-dir` command-line flag, so remove it
sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
# initialize the k8s cluster
kubeadm init --image-repository=registry.aliyuncs.com/google_containers \
  --kubernetes-version=v1.26.4 \
  --control-plane-endpoint=cluster.berkaroad.com \
  --apiserver-advertise-address=10.0.2.101 \
  --pod-network-cidr=10.100.0.0/16 \
  --service-cidr=10.101.0.0/16 \
  --service-dns-domain=cluster.berkaroad.com \
  --upload-certs --v=5
# after it succeeds, configure kubectl as the output suggests
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# Note: the clocks of all cluster nodes must agree, otherwise joining fails with:
#   x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
# You can now join any number of the control-plane node running the following command on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
  --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
  --control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44
# if the --certificate-key has expired, run:
kubeadm init phase upload-certs --upload-certs
# Then you can join any number of worker nodes by running the following on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
  --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3
# if the token has expired, run:
kubeadm token create --print-join-command
# If it fails, check that the cgroup drivers agree (docker or containerd vs. kubelet)
# check whether kubeadm uses containerd or docker as the CRI
cat /var/lib/kubelet/kubeadm-flags.env
# output:
KUBELET_KUBEADM_ARGS="--container-runtime=remote --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9"
# check the kubelet's cgroup driver
grep cgroupDriver /var/lib/kubelet/config.yaml | awk -F ': ' '{ print $2 }'
# output:
systemd
```

4.4 Joining control-plane nodes

```bash
# A load balancer should be set up and its IP used here
echo '10.0.2.101 cluster.berkaroad.com' >> /etc/hosts
# This kubelet version no longer has the `--cni-bin-dir` command-line flag, so remove it
sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
# Note: the clocks of all cluster nodes must agree, otherwise joining fails with:
#   x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
# You can now join any number of the control-plane node running the following command on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
  --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
  --control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44
# if the --certificate-key has expired, run:
kubeadm init phase upload-certs --upload-certs
# if the token has expired, run:
kubeadm token create --print-join-command
# after it succeeds, configure kubectl as the output suggests
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```

4.5 Joining worker nodes

```bash
# A load balancer should be set up and its IP used here
echo '10.0.2.101 cluster.berkaroad.com' >> /etc/hosts
# This kubelet version no longer has the `--cni-bin-dir` command-line flag, so remove it
sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
# after it succeeds, configure kubectl as the output suggests
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# Note: the clocks of all cluster nodes must agree, otherwise joining fails with:
#   x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
# Then you can join any number of worker nodes by running the following on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
  --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3
# if the token has expired, run:
kubeadm token create --print-join-command
```

4.6 Installing the CNI: Calico

```bash
kubectl apply -f https://projectcalico.docs.tigera.io/archive/v3.25/manifests/calico.yaml
```

4.7 Installing the Dashboard

```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
```

Create dashboard-admin.yaml:

```bash
# a ServiceAccount for the dashboard, bound to cluster-admin (full privileges on the cluster)
cat > dashboard-admin.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: dashboard-admin
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin-cluster-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kubernetes-dashboard
EOF
kubectl apply -f dashboard-admin.yaml
```

Create dashboard-admin-token.yaml:

```bash
# a long-lived token Secret for the dashboard-admin service account
cat > dashboard-admin-token.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: dashboard-admin
  labels:
    k8s-app: kubernetes-dashboard
  name: dashboard-admin-token
  namespace: kubernetes-dashboard
type: kubernetes.io/service-account-token
EOF
kubectl apply -f dashboard-admin-token.yaml
```

Get the login token:

```bash
kubectl -n kubernetes-dashboard describe secret dashboard-admin-token | grep 'token:' | awk -F ' ' '{print $2}'
```
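As an added example (not part of the original post), a POSIX sh check to run on the token before pasting it into the dashboard: decode the JWT payload and confirm its `sub` claim is the `dashboard-admin` service account that the ClusterRoleBinding above grants cluster-admin, so a token copied from another account or namespace is noticed first. The function names are assumptions; the usage comment reads the token with `kubectl get secret -o jsonpath`, an alternative to the `describe secret` one-liner above.

```shell
# Added example (not part of the original post): verify which service account
# a dashboard login token belongs to before using it.

# Decode a base64url segment (JWTs omit the "=" padding).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the "sub" claim of a JWT (header.payload.signature); empty if absent.
jwt_subject() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Return 0 only when the token belongs to the expected service account, i.e.
# the one bound to cluster-admin by dashboard-admin.yaml; 1 otherwise.
check_dashboard_token() {
  expected="system:serviceaccount:kubernetes-dashboard:dashboard-admin"
  sub=$(jwt_subject "$1")
  if [ "$sub" = "$expected" ]; then
    echo "token subject: $sub"
    return 0
  fi
  echo "unexpected token subject: '${sub:-<none>}' (wanted $expected)" >&2
  return 1
}

# Usage on a control-plane node (the Secret is the one created in 4.7):
# check_dashboard_token "$(kubectl -n kubernetes-dashboard get secret dashboard-admin-token -o jsonpath='{.data.token}' | base64 -d)"
```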

Access the Dashboard:

```bash
# Method 1: start a proxy (replace <node-ip> with the address to listen on)
kubectl proxy --address <node-ip> --port=8001 --accept-hosts='^*$'
# open in a browser: http://<node-ip>:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
# Method 2: set a NodePort
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort", "ports":[{"nodePort":30443, "port":443}]}}' -n kubernetes-dashboard
# open in a browser: https://<node-ip>:30443/
```

4.8 Viewing the k8s cluster

Node information:

```
kubectl get no -o wide
NAME          STATUS   ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE     KERNEL-VERSION   CONTAINER-RUNTIME
k8s-master1   Ready    control-plane   23m   v1.26.3   10.0.2.101    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-master2   Ready    control-plane   22m   v1.26.3   10.0.2.102    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-master3   Ready    control-plane   22m   v1.26.3   10.0.2.103    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-worker1   Ready    <none>          20m   v1.26.3   10.0.2.111    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-worker2   Ready    <none>          18m   v1.26.3   10.0.2.112    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-worker3   Ready    <none>          17m   v1.26.3   10.0.2.113    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
```

Pod information:

```
kubectl get po -n kube-system
NAME                                  READY   STATUS    RESTARTS   AGE
calico-kube-controllers-57b57c56f-g62jv   1/1   Running   0   120m
calico-node-2b5f9                     1/1   Running   0   120m
calico-node-flbmt                     1/1   Running   0   120m
calico-node-hwtvh                     1/1   Running   0   120m
calico-node-j6dkp                     1/1   Running   0   120m
calico-node-jqcfg                     1/1   Running   0   120m
calico-node-lrq7q                     1/1   Running   0   120m
coredns-5bbd96d687-fd9j7              1/1   Running   0   139m
coredns-5bbd96d687-kd48v              1/1   Running   0   139m
etcd-k8s-master1                      1/1   Running   0   139m
etcd-k8s-master2                      1/1   Running   0   139m
etcd-k8s-master3                      1/1   Running   0   137m
kube-apiserver-k8s-master1            1/1   Running   0   139m
kube-apiserver-k8s-master2            1/1   Running   0   139m
kube-apiserver-k8s-master3            1/1   Running   0   139m
kube-controller-manager-k8s-master1   1/1   Running   0   139m
kube-controller-manager-k8s-master2   1/1   Running   0   137m
kube-controller-manager-k8s-master3   1/1   Running   0   136m
kube-proxy-6v7b9                      1/1   Running   0   132m
kube-proxy-7dnmx                      1/1   Running   0   136m
kube-proxy-c2cdd                      1/1   Running   0   137m
kube-proxy-k4l4c                      1/1   Running   0   134m
kube-proxy-rjw8j                      1/1   Running   0   139m
kube-proxy-zrcvw                      1/1   Running   0   137m
kube-scheduler-k8s-master1            1/1   Running   0   139m
kube-scheduler-k8s-master2            1/1   Running   0   139m
kube-scheduler-k8s-master3            1/1   Running   0   139m
```

```
kubectl get po -n kubernetes-dashboard
NAME                                        READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-7bc864c59-flhzz   1/1     Running   0          13m
kubernetes-dashboard-6c7ccbcf87-8qgmg       1/1     Running   0          13m
```

Appendix: package signature error

```
error: libcap: signature from "David Runge " is marginal trust
:: File /var/cache/pacman/pkg/libcap-2.65-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] Y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
```

Update the pacman keyring:

```bash
pacman -S gnupg
pacman -Sy archlinux-keyring
pacman-key --populate archlinux
pacman-key --refresh-keys
pacman -Syu   # then retry the full upgrade
```

