Kubernetes 1.15 HA cluster deployment: template machine optimization
Template machine preparation
Check the current information of the template machine
Hostname
[root@mobanji ~]# hostname
mobanji
Host IP
[root@mobanji ~]# ip addr|sed -nr 's#^.*inet (.*)/24.*$#\1#gp'
20.0.0.5 <--- IP of the net-mode adapter
10.0.0.5 <--- IP of the host-mode adapter
OS version
[root@mobanji ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
Kernel version
[root@mobanji ~]# uname -r
3.10.0-957.10.1.el7.x86_64
Memory
[root@mobanji ~]# free -h
total used free shared buff/cache available
Mem: 1.9G 87M 1.7G 9.5M 105M 1.7G
Swap: 3.0G 0B 3.0G
Number of CPUs
[root@mobanji ~]# grep 'physical id' /proc/cpuinfo | sort -u | wc -l
2
Cores per CPU
[root@mobanji ~]# grep 'core id' /proc/cpuinfo | sort -u | wc -l
2
Kernel upgrade
Reason:
The 3.10.x kernel shipped with CentOS 7.x has bugs that make Docker and Kubernetes unstable, for example:
-> Newer Docker versions (1.13 and later) enable the kernel memory accounting feature that the 3.10 kernel supports only experimentally (and it cannot be turned off); under node pressure, such as frequently starting and stopping containers, this causes cgroup memory leaks;
-> A network device reference count leak produces errors such as: "kernel:unregister_netdevice: waiting for eth0 to become free. Usage count = 1";
Solutions:
-> Upgrade the kernel to 4.4.x or later;
-> Or compile the kernel by hand with the CONFIG_MEMCG_KMEM feature disabled;
-> Or install Docker 18.09.1 or later, which fixes the problem. However, because kubelet also sets kmem (it vendors runc), kubelet then has to be rebuilt with GOFLAGS="-tags=nokmem";
Here we choose to upgrade the kernel:
Take a snapshot of the template machine before upgrading the kernel
[root@mobanji ~]# init 0
Figure 1: Snapshot before the kernel upgrade
Upgrade the kernel
Upgrade the CentOS 7.x kernel by enabling elrepo
Most modern distributions provide a way to upgrade the kernel through a package manager such as yum and officially supported repositories.
Add the elrepo repository
Before upgrading the kernel, import the elrepo signing key, then install the elrepo repository package:
[root@mobanji ~]# rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
[root@mobanji ~]# rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
获取http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
警告:/var/tmp/rpm-tmp.bpj6uB: 头V4 DSA/SHA1 Signature, ** ID baadae52: NOKEY
准备中... ################################# [100%]
正在升级/安装...
1:elrepo-release-7.0-3.el7.elrepo ################################# [100%]
List the available kernel-related packages with the following command:
[root@mobanji ~]# yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
已加载插件:fastestmirror
Determining fastest mirrors
* elrepo-kernel: mirrors.tuna.tsinghua.edu.cn
elrepo-kernel | 2.9 kB 00:00:00
elrepo-kernel/primary_db | 1.8 MB 00:00:00
可安装的软件包
kernel-lt.x86_64 4.4.185-1.el7.elrepo elrepo-kernel <--- long-term maintenance version
kernel-lt-devel.x86_64 4.4.185-1.el7.elrepo elrepo-kernel
kernel-lt-doc.noarch 4.4.185-1.el7.elrepo elrepo-kernel
kernel-lt-headers.x86_64 4.4.185-1.el7.elrepo elrepo-kernel
kernel-lt-tools.x86_64 4.4.185-1.el7.elrepo elrepo-kernel
kernel-lt-tools-libs.x86_64 4.4.185-1.el7.elrepo elrepo-kernel
kernel-lt-tools-libs-devel.x86_64 4.4.185-1.el7.elrepo elrepo-kernel
kernel-ml.x86_64 5.2.0-1.el7.elrepo elrepo-kernel <--- latest mainline stable version
kernel-ml-devel.x86_64 5.2.0-1.el7.elrepo elrepo-kernel
kernel-ml-doc.noarch 5.2.0-1.el7.elrepo elrepo-kernel
kernel-ml-headers.x86_64 5.2.0-1.el7.elrepo elrepo-kernel
kernel-ml-tools.x86_64 5.2.0-1.el7.elrepo elrepo-kernel
kernel-ml-tools-libs.x86_64 5.2.0-1.el7.elrepo elrepo-kernel
kernel-ml-tools-libs-devel.x86_64 5.2.0-1.el7.elrepo elrepo-kernel
perf.x86_64 5.2.0-1.el7.elrepo elrepo-kernel
python-perf.x86_64 5.2.0-1.el7.elrepo elrepo-kernel
Install the latest mainline stable kernel
[root@mobanji ~]# yum --enablerepo=elrepo-kernel install kernel-ml -y
已安装:
kernel-ml.x86_64 0:5.2.0-1.el7.elrepo
完毕!
Set the default kernel version in GRUB
To make the newly installed kernel the default boot entry, GRUB has to be reconfigured: open /etc/default/grub and set GRUB_DEFAULT=0,
which means the first kernel on the GRUB boot menu becomes the default.
Check the current boot order with:
[root@mobanji ~]# awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
CentOS Linux (5.2.0-1.el7.elrepo.x86_64) 7 (Core)
CentOS Linux (3.10.0-957.10.1.el7.x86_64) 7 (Core)
CentOS Linux (3.10.0-957.el7.x86_64) 7 (Core)
CentOS Linux (0-rescue-cd43e647a4aa4f0081ae548bf9fbc043) 7 (Core)
The output above shows the new kernel (5.2.0) at position 0 and the original kernel (3.10.0) at position 1, so to boot the new kernel we still have to set the default boot entry to 0.
Edit /etc/default/grub
[root@mobanji ~]# cp /etc/default/grub{,.bak}
[root@mobanji ~]# vim /etc/default/grub
[root@mobanji ~]# diff /etc/default/grub{,.bak}
3c3
< GRUB_DEFAULT=0
---
> GRUB_DEFAULT=saved
Run grub2-mkconfig to regenerate the boot configuration
[root@mobanji ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.2.0-1.el7.elrepo.x86_64
Found initrd image: /boot/initramfs-5.2.0-1.el7.elrepo.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-957.10.1.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-957.10.1.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-957.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-957.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-cd43e647a4aa4f0081ae548bf9fbc043
Found initrd image: /boot/initramfs-0-rescue-cd43e647a4aa4f0081ae548bf9fbc043.img
done
Reboot and check the running kernel
[root@mobanji ~]# reboot
[root@mobanji ~]# uname -r
5.2.0-1.el7.elrepo.x86_64
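A pre-flight check for the steps above, added here as an example (it is not part of the original post): kernel_ge compares a `uname -r` string against the 4.4 minimum stated in the reasons section, and menuentry_index finds the position of a given kernel in the menuentry list printed by the awk command shown earlier, so GRUB_DEFAULT can be computed from the actual menu instead of assumed to be 0. The function names are hypothetical and the sample menu is a constructed copy of the listing in the post.

```shell
#!/bin/bash
# Added example, not from the original post: pre-flight checks around the
# kernel upgrade. Function names are hypothetical; SAMPLE_MENU is a
# constructed copy of the menuentry listing shown earlier in the post.

MIN_KERNEL="4.4"

# kernel_ge VERSION MIN: succeed if VERSION (a `uname -r` string) is >= MIN.
# The "-957.10.1.el7.x86_64" release suffix is stripped before comparing.
kernel_ge() {
    local ver="${1%%-*}" min="$2"
    # sort -V orders version strings; if MIN sorts first (or equal), VERSION >= MIN
    [ "$(printf '%s\n%s\n' "$min" "$ver" | sort -V | head -n1)" = "$min" ]
}

# menuentry_index TARGET: read menuentry titles on stdin (one per line, as
# produced by `awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg`) and
# print the 0-based index of the first title containing TARGET; fail if absent.
menuentry_index() {
    awk -v t="$1" 'index($0, t) { print NR - 1; found = 1; exit }
                   END { if (!found) exit 1 }'
}

# Constructed sample: the menu as it looked after installing kernel-ml.
SAMPLE_MENU='CentOS Linux (5.2.0-1.el7.elrepo.x86_64) 7 (Core)
CentOS Linux (3.10.0-957.10.1.el7.x86_64) 7 (Core)
CentOS Linux (3.10.0-957.el7.x86_64) 7 (Core)
CentOS Linux (0-rescue-cd43e647a4aa4f0081ae548bf9fbc043) 7 (Core)'

# grub_default_for TARGET: the GRUB_DEFAULT value that selects TARGET in SAMPLE_MENU.
grub_default_for() {
    printf '%s\n' "$SAMPLE_MENU" | menuentry_index "$1"
}

# Usage: report on the running kernel and on where kernel-ml sits in the sample menu.
if kernel_ge "$(uname -r)" "$MIN_KERNEL"; then
    echo "running kernel $(uname -r) meets minimum $MIN_KERNEL"
else
    echo "running kernel $(uname -r) is below $MIN_KERNEL: upgrade needed"
fi
echo "GRUB_DEFAULT for kernel-ml 5.2.0: $(grub_default_for 5.2.0-1.el7.elrepo)"
```

On the real machine, replace SAMPLE_MENU with the output of the awk command against /etc/grub2.cfg; the index it returns is the value to write into GRUB_DEFAULT before running grub2-mkconfig, and it will differ from 0 whenever the menu order is not what this post happened to see.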
Update the system from the yum repositories
[root@mobanji ~]# yum -y update
Environment initialization
Install dependency packages
[root@mobanji ~]# yum install -y epel-release
[root@mobanji ~]# yum install -y conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget lsof telnet
List the services enabled at boot
[root@mobanji ~]# systemctl list-unit-files |grep "enabled"
[email protected] enabled
crond.service enabled
[email protected] enabled
irqbalance.service enabled
ntpd.service enabled
rhel-autorelabel.service enabled
rhel-configure.service enabled
rhel-dmesg.service enabled
rhel-domainname.service enabled
rhel-import-state.service enabled
rhel-loadmodules.service enabled
rhel-readonly.service enabled
rsyslog.service enabled
sshd.service enabled
sysstat.service enabled
systemd-readahead-collect.service enabled
systemd-readahead-drop.service enabled
systemd-readahead-replay.service enabled
tuned.service enabled
default.target enabled
multi-user.target enabled
remote-fs.target enabled
runlevel2.target enabled
runlevel3.target enabled
runlevel4.target enabled
Any unrelated services found here can be disabled
Disable the firewall
Stop the firewall, flush the firewall rules, and set the default forwarding policy
[root@mobanji ~]# systemctl stop firewalld
[root@mobanji ~]# systemctl disable firewalld
[root@mobanji ~]# iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat
[root@mobanji ~]# iptables -P FORWARD ACCEPT
[root@mobanji ~]# firewall-cmd --state
not running
Disable SELinux
Disable SELinux; otherwise later K8S directory mounts may fail with Permission denied:
[root@mobanji ~]# setenforce 0
setenforce: SELinux is disabled
[root@mobanji ~]# sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
Set the system time zone
Set the system TimeZone
[root@mobanji ~]# timedatectl set-timezone Asia/Shanghai
Write the current UTC time to the hardware clock
[root@mobanji ~]# timedatectl set-local-rtc 0
Restart the services that depend on the system time
[root@mobanji ~]# systemctl restart rsyslog
[root@mobanji ~]# systemctl restart crond
Configure rsyslogd and systemd journald
systemd's journald is the default logging tool on CentOS 7; it records the logs of the system, the kernel and every service unit. Compared with rsyslog, journald's logging has the following characteristics:
-> Logs can be kept in memory or on the filesystem (by default in memory, under /run/log/journal);
-> Disk usage can be capped and a minimum of free disk space guaranteed;
-> Log file size and retention time can be limited;
-> By default journald forwards logs to rsyslog, so every log is written more than once; /var/log/messages then contains too much irrelevant noise, which makes later review inconvenient and also costs system performance.
[root@mobanji ~]# mkdir /var/log/journal <--- directory for persistent logs
[root@mobanji ~]# mkdir /etc/systemd/journald.conf.d
[root@mobanji ~]# cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
[Journal]
# Persist logs to disk
Storage=persistent
# Compress old logs
Compress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
# Maximum disk usage 10G
SystemMaxUse=10G
# Maximum size per log file 200M
SystemMaxFileSize=200M
# Retain logs for 2 weeks
MaxRetentionSec=2week
# Do not forward logs to syslog
ForwardToSyslog=no
EOF
[root@mobanji ~]# systemctl restart systemd-journald
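A check that the drop-in above was written as intended, added here as an example (not from the original post): conf_get reads the effective value of a key from the [Journal] section the way journald does (comments ignored, last occurrence wins), and journald_check reports every required key that is missing or differs from the values used in this post. The function names are hypothetical, and the sample file is a constructed copy of the 99-prophet.conf shown above.

```shell
#!/bin/bash
# Added example, not from the original post: verify that a journald drop-in
# carries the settings this section relies on. Function names are
# hypothetical; make_sample_conf writes a constructed copy of the post's file.

# Key=Value pairs the drop-in must contain (values taken from the post).
REQUIRED="Storage=persistent Compress=yes ForwardToSyslog=no SystemMaxUse=10G SystemMaxFileSize=200M MaxRetentionSec=2week"

# conf_get FILE KEY: print the effective value of KEY inside [Journal],
# ignoring '#' comments and surrounding whitespace; the last occurrence wins.
conf_get() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | awk -F= -v k="$2" '
            /^\[/                          { sect = $0; next }
            sect == "[Journal]" && $1 == k { v = $2 }
            END { if (v != "") print v }'
}

# journald_check FILE: print "KEY expected=X got=Y" for each required key
# that is missing or wrong; succeed only when every key matches.
journald_check() {
    local pair key want got rc=0
    for pair in $REQUIRED; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(conf_get "$1" "$key")"
        if [ "$got" != "$want" ]; then
            echo "$key expected=$want got=${got:-<missing>}"
            rc=1
        fi
    done
    return $rc
}

# make_sample_conf: write a constructed copy of the drop-in and print its path.
make_sample_conf() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[Journal]
# Persist logs to disk
Storage=persistent
# Compress old logs
Compress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
# Maximum disk usage 10G
SystemMaxUse=10G
# Maximum size per log file 200M
SystemMaxFileSize=200M
# Retain logs for 2 weeks
MaxRetentionSec=2week
# Do not forward logs to syslog
ForwardToSyslog=no
EOF
    echo "$f"
}

# Usage: the good copy passes; a copy with the forwarding line commented out
# is reported as missing ForwardToSyslog.
GOOD="$(make_sample_conf)"
journald_check "$GOOD" && echo "drop-in OK"
BAD="$(mktemp)"
sed 's/^ForwardToSyslog/#&/' "$GOOD" > "$BAD"
journald_check "$BAD" || echo "drop-in needs fixing"
rm -f "$GOOD" "$BAD"
```

Run journald_check against /etc/systemd/journald.conf.d/99-prophet.conf after writing it; a non-zero exit with the offending keys listed is what a template-build script should stop on, since a drop-in that silently keeps Storage in memory loses the logs on the first reboot.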
Disable NUMA
NUMA mainly interacts with swap. For details see: https://www.cnblogs.com/wjoyxt/p/4804081.html
[root@mobanji ~]# cp /etc/default/grub{,.bak01}
[root@mobanji ~]# vim /etc/default/grub
[root@mobanji ~]# diff /etc/default/grub{,.bak01}
6c6
< GRUB_CMDLINE_LINUX="biosdevname=0 net.ifnames=0 rhgb quiet numa=off"
---
> GRUB_CMDLINE_LINUX="biosdevname=0 net.ifnames=0 rhgb quiet"
Regenerate the grub2 configuration file
[root@mobanji ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.2.0-1.el7.elrepo.x86_64
Found initrd image: /boot/initramfs-5.2.0-1.el7.elrepo.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-957.21.3.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-957.21.3.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-957.10.1.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-957.10.1.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-957.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-957.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-cd43e647a4aa4f0081ae548bf9fbc043
Found initrd image: /boot/initramfs-0-rescue-cd43e647a4aa4f0081ae548bf9fbc043.img
done
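Both GRUB edits in this post (GRUB_DEFAULT=0 in the kernel section and numa=off here) were made by hand in vim. The following is an added example, not from the original post, of making the same two edits with idempotent shell functions that take a file path, so they can be tried on a copy first and rerun safely from a template-build script. The function names are hypothetical, and make_sample_grub writes a constructed file containing the "before" lines from the two diffs shown in the post.

```shell
#!/bin/bash
# Added example, not from the original post: idempotent edits to a
# /etc/default/grub-style file. Function names are hypothetical.

# rewrite_inplace FILE SED_EXPR: apply a sed expression to FILE while keeping
# its inode and permissions (portable alternative to `sed -i`).
rewrite_inplace() {
    local tmp
    tmp="$(mktemp)"
    sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# grub_get FILE KEY: print the value of KEY=... (surrounding quotes stripped).
grub_get() {
    sed -n "s/^$2=//p" "$1" | tail -n1 | sed 's/^"\(.*\)"$/\1/'
}

# set_grub_default FILE N: set GRUB_DEFAULT=N, replacing or appending the line.
set_grub_default() {
    if grep -q '^GRUB_DEFAULT=' "$1"; then
        rewrite_inplace "$1" "s/^GRUB_DEFAULT=.*/GRUB_DEFAULT=$2/"
    else
        echo "GRUB_DEFAULT=$2" >> "$1"
    fi
}

# add_kernel_param FILE PARAM: append PARAM to GRUB_CMDLINE_LINUX unless it is
# already one of its words; create the line if it is missing entirely.
add_kernel_param() {
    local file="$1" param="$2"
    if ! grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        echo "GRUB_CMDLINE_LINUX=\"$param\"" >> "$file"
        return 0
    fi
    case " $(grub_get "$file" GRUB_CMDLINE_LINUX) " in
        *" $param "*) return 0 ;;   # already present: nothing to do
    esac
    rewrite_inplace "$file" \
        "s|^GRUB_CMDLINE_LINUX=\"\(.*\)\"\$|GRUB_CMDLINE_LINUX=\"\1 $param\"|"
}

# make_sample_grub: write a constructed "before" file from the post's two
# diffs and print its path.
make_sample_grub() {
    local f
    f="$(mktemp)"
    printf '%s\n' 'GRUB_TIMEOUT=5' 'GRUB_DEFAULT=saved' \
        'GRUB_CMDLINE_LINUX="biosdevname=0 net.ifnames=0 rhgb quiet"' > "$f"
    echo "$f"
}

# Usage on the constructed copy (never on the live /etc/default/grub here).
SAMPLE="$(make_sample_grub)"
set_grub_default "$SAMPLE" 0
add_kernel_param "$SAMPLE" numa=off
add_kernel_param "$SAMPLE" numa=off    # second run is a no-op
cat "$SAMPLE"
rm -f "$SAMPLE"
```

The printed file has GRUB_DEFAULT=0 and GRUB_CMDLINE_LINUX="biosdevname=0 net.ifnames=0 rhgb quiet numa=off", with numa=off present exactly once even though the call was made twice. On a real node, point the functions at /etc/default/grub and follow them with the same grub2-mkconfig -o /boot/grub2/grub.cfg call shown above.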
Create working directories
Scripts directory
[root@mobanji ~]# mkdir /service/scripts -p
Data directory
[root@mobanji ~]# mkdir /data