
Installing a Kubernetes (K8S) environment from binaries

Internet · diligentman · 5 days ago · 8 views

1. Lab environment

[Figure: lab environment table (images not included in the text). The hosts used below are yong7-11, yong7-12, yong7-21, yong7-22 and yong7-200 on 10.4.7.0/24, as listed in the host.com zone file in 2.2.2.]

2. Pre-installation preparation

2.1 Environment preparation

   Run the following on every machine. It disables the host firewall and SELinux to keep the lab simple; on any host reachable from an untrusted network keep both and open only the ports you need.

[root@yong7-11 ~]# systemctl stop firewalld
[root@yong7-11 ~]# systemctl disable firewalld
[root@yong7-11 ~]# setenforce 0
# -r (extended regex) must come before -i: "sed -ir" is parsed as -i with backup suffix "r",
# and "+" is a literal in basic regex, so the original command changed nothing
[root@yong7-11 ~]# sed -ri '/^SELINUX=/s/=.+/=disabled/' /etc/selinux/config

[root@yong7-11 ~]# yum install -y epel-release
[root@yong7-11 ~]# yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils vim less

2.2 Installing bind

2.2.1 Install bind on yong7-11

    [root@yong7-11 ~]# yum install -y bind

2.2.2 Configure bind on yong7-11

a. Main configuration file

[root@yong7-11 ~]# vim /etc/named.conf  # make sure the following settings are present
  listen-on port 53 { 10.4.7.11; };
	directory 	"/var/named";
	allow-query     { any; };
  forwarders      { 10.4.7.254; };
  recursion yes;
  dnssec-enable no;
  dnssec-validation no;

named listens only on 10.4.7.11, but allow-query { any; } together with recursion yes makes it an open recursive resolver for everyone who can reach that address. That is fine on the lab's NAT network; anywhere else restrict recursion to the local range (allow-recursion { 10.4.7.0/24; }). DNSSEC validation is switched off, so answers from the forwarder 10.4.7.254 are accepted on trust.

b. Configure the zones on yong7-11.host.com

# Add two zones: od.com is the business (service) domain, host.com the host domain
[root@yong7-11 ~]# vim /etc/named.rfc1912.zones  
zone "host.com" IN {
        type  master;
        file  "host.com.zone";
        allow-update { 10.4.7.11; };
};

zone "od.com" IN {
        type  master;
        file  "od.com.zone";
        allow-update { 10.4.7.11; };
};

c. Configure the host-domain zone file on yong7-11.host.com

# The serial (first number inside the SOA parentheses) must be increased on every change.
# It is a 32-bit unsigned field, so use the ten-digit YYYYMMDDNN form; the post originally
# used 20201119001, which does not fit in 32 bits.
[root@yong7-11 ~]# vim /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600	; 10 minutes
@       IN SOA	dns.host.com. dnsadmin.host.com. (
				2020111901 ; serial
				10800      ; refresh (3 hours)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS   dns.host.com.
$TTL 60	; 1 minute
dns                A    10.4.7.11
yong7-11           A    10.4.7.11
yong7-12           A    10.4.7.12
yong7-21           A    10.4.7.21
yong7-22           A    10.4.7.22
yong7-200          A    10.4.7.200

d. Configure the business-domain zone file on yong7-11.host.com

[root@yong7-11 ~]# vim /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600	; 10 minutes
@   		IN SOA	dns.od.com. dnsadmin.od.com. (
				2020111901 ; serial
				10800      ; refresh (3 hours)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
				NS   dns.od.com.
$TTL 60	; 1 minute
dns                A    10.4.7.11

e. Start the bind service on yong7-11.host.com and test it

[root@yong7-11 ~]# named-checkconf  # check the named configuration for syntax errors
[root@yong7-11 ~]# systemctl start named
[root@yong7-11 ~]# netstat -alntp |grep 53
tcp        0      0 10.4.7.11:53            0.0.0.0:*               LISTEN      2135/named          
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2135/named          
tcp        0      0 10.4.7.11:42576         202.12.27.33:53         TIME_WAIT   -          
[root@yong7-11 ~]# dig -t A yong7-200.host.com @10.4.7.11 +short
10.4.7.200

f. This lab runs in virtual machines, so the DNS server of the Windows host's NAT adapter also has to be pointed at the bind server, 10.4.7.11.

[Figure: Windows NAT adapter DNS settings (screenshots not included in the text).]

2.3 Preparing the root certificate

a. Download the following tools on yong7-200

[root@yong7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
[root@yong7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssl-json
[root@yong7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
[root@yong7-200 ~]# chmod u+x /usr/local/bin/cfssl*

The downloads travel over HTTPS but nothing verifies the files themselves; compare them with the checksums published for the cfssl release before letting them mint the cluster's root of trust.

b. Issue the CA certificate on yong7-200

[root@yong7-200 ~]# mkdir /opt/certs/ ; cd /opt/certs/
# Root certificate settings:
# CN is normally the domain name; browsers validate it
# names carries the locality and organisation fields
# expiry is the validity period (175200h is 20 years)
[root@yong7-200 certs]# vim /opt/certs/ca-csr.json
{
    "CN": "OldboyEdu",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ],
    "ca": {
        "expiry": "175200h"
    }
}
[root@yong7-200 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2020/11/19 15:24:50 [INFO] generating a new CA key and certificate from CSR
2020/11/19 15:24:50 [INFO] generate received request
2020/11/19 15:24:50 [INFO] received CSR
2020/11/19 15:24:50 [INFO] generating key: rsa-2048
2020/11/19 15:24:50 [INFO] encoded CSR
2020/11/19 15:24:50 [INFO] signed certificate with serial number 481761414666375431327527786064573321082871194540
[root@yong7-200 certs]# ll 
total 16
-rw-r--r--. 1 root root  993 Nov 19 15:24 ca.csr
-rw-r--r--. 1 root root  328 Nov 19 15:24 ca-csr.json
-rw-------. 1 root root 1679 Nov 19 15:24 ca-key.pem
-rw-r--r--. 1 root root 1346 Nov 19 15:24 ca.pem

ca-key.pem is written with mode 0600 and must stay that way: whoever holds it can issue certificates that every cluster component will trust.
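Before any node is told to trust the CA it is worth checking what cfssl actually produced. The following is an added example, not code from the original post or from cfssl: it assumes the layout above (ca.pem and ca-key.pem side by side) and that openssl is installed. make_test_ca mints a throwaway self-signed CA with openssl purely so the checks can be exercised offline; it is not a replacement for the cfssl step.

```shell
#!/bin/sh
# Added example: sanity checks for a freshly generated root CA.
# Assumes openssl is installed and the cfssl output layout (ca.pem, ca-key.pem).

# ca_is_ca <ca.pem>: succeed only if the certificate is marked as a CA.
ca_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# ca_key_matches <ca.pem> <ca-key.pem>: the key file must belong to the cert
# (compares the public key embedded in each).
ca_key_matches() {
    pub_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    pub_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$pub_cert" ] && [ "$pub_cert" = "$pub_key" ]
}

# key_is_private <ca-key.pem>: no permission bits for group or other.
# cfssl writes the key as 0600; a later cp or scp easily loses that.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# ca_valid_for_days <ca.pem> <days>: the cert must not expire within <days>.
ca_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

# check_ca <dir>: run every check on <dir>/ca.pem and <dir>/ca-key.pem,
# print each failure and return non-zero if any check failed.
check_ca() {
    d=$1
    rc=0
    ca_is_ca "$d/ca.pem"                       || { echo "ca.pem is not a CA certificate"; rc=1; }
    ca_key_matches "$d/ca.pem" "$d/ca-key.pem" || { echo "ca-key.pem does not match ca.pem"; rc=1; }
    key_is_private "$d/ca-key.pem"             || { echo "ca-key.pem is readable by others"; rc=1; }
    ca_valid_for_days "$d/ca.pem" 3650         || { echo "ca.pem expires within 10 years"; rc=1; }
    return $rc
}

# make_test_ca <dir> [days]: throwaway self-signed CA (test fixture only, made
# with openssl instead of cfssl) so the checks above can be tried offline.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "${2:-30}" \
        -subj "/C=CN/ST=beijing/L=beijing/O=od/OU=ops/CN=OldboyEdu" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
    chmod 600 "$1/ca-key.pem"
}
```

On yong7-200 the real check is simply `check_ca /opt/certs`; a non-zero exit means the CA should not be distributed yet.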

2.4 Preparing the docker environment

Docker has to be installed on yong7-21, yong7-22 and yong7-200; yong7-21 is shown as the example.

[root@yong7-21 ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@yong7-21 ~]# yum install -y docker-ce
Or as a one-shot install: curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
(this pipes a remote script straight into a root shell; the repository route above is preferable)
[root@yong7-21 ~]# mkdir /etc/docker
# harbor.od.com goes into insecure-registries because the registry is served over plain HTTP below.
# Every host in that list may be contacted over plain HTTP without TLS verification, so listing
# quay.io and registry.access.redhat.com as well lets anyone on the path substitute images; only
# the internal registry needs the entry.
# bip differs per host: its middle two octets equal the host's last two octets
# (10.4.7.21 -> 172.7.21.1/24), so a container address immediately tells you which node it is on.
# "graph" is the legacy name of "data-root"; 19.03 still accepts it.
[root@yong7-21 ~]# vi  /etc/docker/daemon.json
{
  "graph": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "172.7.21.1/24",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
[root@yong7-21 ~]# mkdir -p /data/docker
[root@yong7-21 ~]# systemctl start docker
[root@yong7-21 ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@yong7-21 ~]# docker --version
Docker version 19.03.13, build 4484c46d9d
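The per-node bip rule is easy to get wrong by hand when the same daemon.json is copied to several nodes. As an added example (not part of the original post), the script below derives the bridge address from the node's own IP following the rule above and renders a daemon.json for that node; it keeps only the internal registry (harbor.od.com, an assumed default) under insecure-registries. It assumes the nodes sit in one /24 such as 10.4.7.0/24, so the last two octets identify a node uniquely.

```shell
#!/bin/sh
# Added example: derive docker's bip from the host IP (10.4.7.21 -> 172.7.21.1/24)
# and render the matching daemon.json. Assumes one /24 for all nodes.

# docker_bip <host-ip>: print the bridge CIDR for that host, or fail on a
# malformed address.
docker_bip() {
    ip=$1
    # split the dotted quad into positional parameters
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) echo "bad IPv4 address: $ip" >&2; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    # middle two octets of the bridge = last two octets of the host
    printf '172.%s.%s.1/24\n' "$3" "$4"
}

# render_daemon_json <host-ip> [registry]: print daemon.json for that node.
# Only the internal registry, which this setup serves over plain HTTP, is
# listed as insecure; public registries stay TLS-only.
render_daemon_json() {
    bip=$(docker_bip "$1") || return 1
    reg=${2:-harbor.od.com}
    cat <<EOF
{
  "data-root": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["$reg"],
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "$bip",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
EOF
}
```

On a node this is `render_daemon_json "$(hostname -I | cut -d' ' -f1)" > /etc/docker/daemon.json` followed by a docker restart; data-root is used instead of the legacy graph key.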

2.5 Deploy the private docker image registry harbor (on yong7-200)

2.5.1 Download and unpack the software

harbor's GitHub page:
https://github.com/goharbor/harbor
The offline installer tarball was placed in /opt/src beforehand, as the prompt below shows.
[root@yong7-200 src]# tar xf harbor-offline-installer-v1.9.4.tgz -C /opt/
[root@yong7-200 src]# cd ..
[root@yong7-200 opt]# ll
total 0
drwxr-xr-x. 2 root root  71 Nov 19 15:24 certs
drwx--x--x. 4 root root  28 Nov 19 16:30 containerd
drwxr-xr-x. 2 root root 100 Nov 19 17:27 harbor
drwxr-xr-x. 2 root root  49 Nov 19 17:25 src
[root@yong7-200 opt]# mv harbor/ harbor-v1.9.4
[root@yong7-200 opt]# ll
total 0
drwxr-xr-x. 2 root root  71 Nov 19 15:24 certs
drwx--x--x. 4 root root  28 Nov 19 16:30 containerd
drwxr-xr-x. 2 root root 100 Nov 19 17:27 harbor-v1.9.4
drwxr-xr-x. 2 root root  49 Nov 19 17:25 src
[root@yong7-200 opt]# ln -s /opt/harbor-v1.9.4/ harbor
[root@yong7-200 opt]# ll
total 0
drwxr-xr-x. 2 root root  71 Nov 19 15:24 certs
drwx--x--x. 4 root root  28 Nov 19 16:30 containerd
lrwxrwxrwx. 1 root root  19 Nov 19 17:28 harbor -> /opt/harbor-v1.9.4/
drwxr-xr-x. 2 root root 100 Nov 19 17:27 harbor-v1.9.4
drwxr-xr-x. 2 root root  49 Nov 19 17:25 src

2.5.2 Configure

[root@yong7-200 opt]# vi /opt/harbor/harbor.yml
hostname: harbor.od.com
http:
  port: 180
harbor_admin_password: Harbor12345
data_volume: /data/harbor
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /data/harbor/logs

Indentation matters here: harbor_admin_password and data_volume are top-level keys and the log settings are nested two spaces under log, otherwise the installer fails to parse the file. Harbor12345 is the well-known default password; change it here, or immediately after the first login, since the portal and docker login run over plain HTTP in this setup.

[root@yong7-200 opt]# mkdir -p /data/harbor/logs

2.5.3 Install docker-compose

[root@yong7-200 opt]# yum install docker-compose -y

2.5.4 Install harbor

[root@yong7-200 harbor]# sh install.sh 
[Step 0]: checking installation environment ...

Note: docker version: 19.03.13

Note: docker-compose version: 1.18.0

[Step 1]: loading Harbor images ...
....

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://harbor.od.com . 
For more details, please visit https://github.com/goharbor/harbor .

2.5.5 Check that harbor is running

[root@yong7-200 harbor]# docker-compose ps
[root@yong7-200 harbor]# docker ps -a

2.5.6 Configure internal DNS resolution for harbor

Bump the SOA serial and add an A record for harbor in the business-domain zone; without the serial change named keeps serving the old data.

[root@yong7-11 ~]# vi /var/named/od.com.zone
				2020111902 ; serial
harbor             A    10.4.7.200
[root@yong7-11 ~]# systemctl restart named
[root@yong7-11 ~]# dig -t A harbor.od.com +short
10.4.7.200
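The manual edit above (append a record, bump the serial) is the same for every service added later, and a forgotten or malformed serial is the classic reason a new name does not resolve. The following is an added example, not code from the original post or from BIND: it appends an A record and advances the serial in the ten-digit YYYYMMDDNN form (the serial is a 32-bit field, so an eleven-digit date-based value does not fit). make_sample_zone writes a constructed copy of the od.com zone from 2.2.2 so the functions can be tried offline; the date argument exists only so the behaviour is reproducible, and defaults to today.

```shell
#!/bin/sh
# Added example: maintain a BIND zone file's SOA serial (YYYYMMDDNN) and
# A records the way section 2.5.6 does by hand.

# next_serial <zone> [YYYYMMDD]: print the serial the zone should get next.
# Same day as the current serial: counter + 1; later day: date followed by 01.
next_serial() {
    zone=$1
    today=${2:-$(date +%Y%m%d)}
    cur=$(sed -n 's/^[[:space:]]*\([0-9]\{10\}\)[[:space:]]*;[[:space:]]*serial.*$/\1/p' "$zone" | head -n 1)
    if [ -z "$cur" ]; then
        echo "no 'NNNNNNNNNN ; serial' line in $zone" >&2
        return 1
    fi
    if [ "${cur%??}" = "$today" ]; then
        n=${cur#"$today"}
        n=$(( ${n#0} + 1 ))
        if [ "$n" -gt 99 ]; then
            echo "serial counter for $today exhausted" >&2
            return 1
        fi
        printf '%s%02d\n' "$today" "$n"
    else
        new="${today}01"
        # serials must only ever increase, otherwise caches ignore the change
        if [ "$new" -le "$cur" ]; then
            echo "date $today is not after current serial $cur" >&2
            return 1
        fi
        printf '%s\n' "$new"
    fi
}

# bump_serial <zone> [YYYYMMDD]: rewrite the serial line in place, print new serial.
bump_serial() {
    zone=$1
    new=$(next_serial "$zone" "$2") || return 1
    sed "s/^\([[:space:]]*\)[0-9]\{10\}\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$zone" > "$zone.tmp" &&
        mv "$zone.tmp" "$zone" || return 1
    printf '%s\n' "$new"
}

# add_a_record <zone> <name> <ip>: append an A record; refuse duplicates.
add_a_record() {
    if grep -q "^$2[[:space:]]" "$1"; then
        echo "$2 already has a record in $1" >&2
        return 1
    fi
    printf '%-18s A    %s\n' "$2" "$3" >> "$1"
}

# publish_record <zone> <name> <ip> [YYYYMMDD]: add the record and bump the
# serial in one step; prints the new serial.
publish_record() {
    add_a_record "$1" "$2" "$3" && bump_serial "$1" "$4"
}

# make_sample_zone <file>: constructed copy of the od.com zone for testing.
make_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN od.com.
$TTL 600        ; 10 minutes
@               IN SOA  dns.od.com. dnsadmin.od.com. (
                                2020111901 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                                NS   dns.od.com.
$TTL 60 ; 1 minute
dns                A    10.4.7.11
EOF
}
```

On yong7-11 the step in this section becomes `publish_record /var/named/od.com.zone harbor 10.4.7.200` followed by the named restart; run named-checkzone on the file first if it is available.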

2.5.7 Install and configure NGINX

NGINX proxies plain HTTP on port 80 to harbor's port 180. Nothing is encrypted, which is why harbor.od.com has to be listed in docker's insecure-registries and why docker login credentials and image layers cross the network in the clear; the CA from 2.3 could sign a certificate for harbor.od.com to terminate TLS here instead.

[root@yong7-200 harbor]# yum install nginx -y
[root@yong7-200 harbor]# vi /etc/nginx/conf.d/harbor.od.com.conf
server {
    listen       80;
    server_name  harbor.od.com;

    client_max_body_size 1000m;

    location / {
        proxy_pass http://127.0.0.1:180;
    }
}
[root@yong7-200 harbor]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@yong7-200 harbor]# systemctl start nginx 
[root@yong7-200 harbor]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@yong7-200 harbor]# 

2.5.8 Open harbor.od.com in a browser and test

[root@yong7-11 ~]# curl harbor.od.com

1. In the browser open harbor.od.com; user name: admin, password: Harbor12345

2. Create a project named public with access level: public

3. Pull an image and tag it for the registry

[root@yong7-200 harbor]# docker pull nginx:1.7.9
[root@yong7-200 harbor]# docker images |grep 1.7.9
[root@yong7-200 harbor]# docker tag 84581e99d807 harbor.od.com/public/nginx:v1.7.9

4. Log in to harbor and push the image to the registry

[root@yong7-200 harbor]# docker login harbor.od.com
[root@yong7-200 harbor]# docker push harbor.od.com/public/nginx:v1.7.9

2.5.9 Check

The NGINX image now appears under the public project.

