Introduction
Rancher 2.5 has a lot of new features, and there is still not much material about it online, so I hit a few pitfalls while working through it. I am writing them down here in the hope that they help others.
Configuring a Docker registry mirror
[root@rancher1 ~]# docker pull rancher/rancher
Using default tag: latest
Error response from daemon: Head https://registry-1.docker.io/v2/rancher/rancher/manifests/latest: net/http: TLS handshake timeout
Pulling the latest Rancher image through Docker, the daemon reports an error. The fix is to switch to a registry mirror inside China.
I recommend registering a free account at https://www.daocloud.io/mirror, which gives you access to its accelerator.
Click the rocket icon to reach the mirror accelerator page:
Copy the script shown there to the Linux host and run it.
Then reload the configuration and restart Docker:
systemctl daemon-reload
systemctl restart docker
Do the same on the other VMs.
Installing Rancher with Docker
Pull the latest Rancher image (for anything beyond a lab, pin a specific version tag rather than `latest`; the `Digest:` line in the output below identifies exactly what was pulled):
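The DaoCloud script, once run, boils down to a `registry-mirrors` entry in /etc/docker/daemon.json. The example below is added here and is not the post's or DaoCloud's code: it writes that file for a mirror of your choosing (the MIRROR_URL value is a placeholder you must replace) and then pulls rancher/rancher pinned by the digest Docker Hub printed for the image, so that whatever the mirror serves is checked against a value obtained from the upstream registry rather than trusted blindly. The DOCKER_MIRROR_APPLY switch is an assumption that keeps the host untouched unless you set it to 1.

```bash
#!/usr/bin/env bash
# Added example: write /etc/docker/daemon.json with a registry mirror and pull
# rancher/rancher pinned by digest. MIRROR_URL is a placeholder (assumption).
set -eu

MIRROR_URL="${MIRROR_URL:-https://mirror.example.invalid}"   # replace with your mirror
# Digest Docker Hub printed for rancher/rancher:latest at the time of the post.
RANCHER_DIGEST="sha256:961980e4d64e2c9b4c6830f61b0a75b6b86695516303a2fc5e053d642e91e958"

# write_daemon_json PATH MIRROR... : emit a daemon.json listing the given mirrors.
# Existing settings are not merged; on a host that already has a daemon.json, add
# the "registry-mirrors" key by hand instead of overwriting the file.
write_daemon_json() {
  path="$1"; shift
  mirrors=""
  for m in "$@"; do
    mirrors="${mirrors:+$mirrors, }\"$m\""
  done
  mkdir -p "$(dirname "$path")"
  printf '{\n  "registry-mirrors": [%s]\n}\n' "$mirrors" > "$path"
}

# pinned_ref IMAGE DIGEST : a reference that resolves by content, not by tag, so a
# mirror (or a moved tag) cannot substitute a different image. Only a full
# sha256 digest ("sha256:" + 64 hex characters = 71 characters) is accepted.
pinned_ref() {
  case "$2" in
    sha256:*) [ ${#2} -eq 71 ] || { echo "pinned_ref: bad digest length: $2" >&2; return 1; } ;;
    *) echo "pinned_ref: not a sha256 digest: $2" >&2; return 1 ;;
  esac
  printf '%s@%s\n' "$1" "$2"
}

# Touch the live host only when explicitly asked, so the functions above can be
# sourced and exercised without root or a Docker daemon.
if [ "${DOCKER_MIRROR_APPLY:-0}" = "1" ]; then
  write_daemon_json /etc/docker/daemon.json "$MIRROR_URL"
  systemctl daemon-reload
  systemctl restart docker
  docker info --format '{{json .RegistryConfig.Mirrors}}'    # confirm the mirror is active
  docker pull "$(pinned_ref rancher/rancher "$RANCHER_DIGEST")"
fi
```

Run it as root on each VM with `DOCKER_MIRROR_APPLY=1 MIRROR_URL=https://<your-mirror> bash mirror.sh`. The digest has to come from a source you trust (Docker Hub itself, or a signed release note), never from the mirror you are trying to check.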
[root@rancher1 ~]# docker pull rancher/rancher
Using default tag: latest
latest: Pulling from rancher/rancher
f22ccc0b8772: Pull complete
3cf8fb62ba5f: Pull complete
e80c964ece6a: Pull complete
177bd5a25689: Pull complete
5ef514666185: Pull complete
9f884f75efba: Pull complete
d8a8a5ffce76: Pull complete
cfe7056f2841: Pull complete
f6d1920bc49d: Pull complete
f2e351c1c82e: Pull complete
c064b742b19f: Pull complete
d579b1c0565a: Pull complete
da4b2066f9a5: Pull complete
5c4756ef132d: Pull complete
b23d13f73f55: Pull complete
a48189cc9c45: Pull complete
2eaa76006605: Pull complete
87ebe97e8a3c: Pull complete
1793d4f21083: Pull complete
2e9b10fe3352: Pull complete
Digest: sha256:961980e4d64e2c9b4c6830f61b0a75b6b86695516303a2fc5e053d642e91e958
Status: Downloaded newer image for rancher/rancher:latest
docker.io/rancher/rancher:latest
Self-signed certificates
Certificates matter a lot in Rancher; I ran into many problems earlier by installing without one, so first generate a self-signed certificate for use on the internal network.
One-shot script to generate a self-signed SSL certificate
#!/bin/bash -e
help ()
{
echo ' ================================================================ '
echo ' --ssl-domain: main domain name for the certificate; defaults to www.rancher.local if omitted. Can be left out if the server is reached by IP;'
echo ' --ssl-trusted-ip: a certificate normally only covers domain names. To reach the server by IP, list the IPs here as subjectAltName entries, comma separated;'
echo ' --ssl-trusted-domain: additional domain names to cover (SSL_TRUSTED_DOMAIN), comma separated;'
echo ' --ssl-size: RSA key size in bits, default 2048;'
echo ' --ssl-date: validity of the server certificate in days, default 3650;'
echo ' --ca-date: validity of the CA certificate in days, default 3650;'
echo ' --ssl-cn: two-letter country code, default CN;'
echo ' Example:'
echo ' ./create_self-signed-cert.sh --ssl-domain=www.test.com --ssl-trusted-domain=www.test2.com \ '
echo ' --ssl-trusted-ip=1.1.1.1,2.2.2.2,3.3.3.3 --ssl-size=2048 --ssl-date=3650'
echo ' ================================================================'
}
case "$1" in
-h|--help) help; exit;;
esac
if [[ $1 == '' ]];then
help;
exit;
fi
CMDOPTS="$*"
for OPTS in $CMDOPTS;
do
key=$(echo ${OPTS} | awk -F"=" '{print $1}' )
value=$(echo ${OPTS} | awk -F"=" '{print $2}' )
case "$key" in
--ssl-domain) SSL_DOMAIN=$value ;;
--ssl-trusted-ip) SSL_TRUSTED_IP=$value ;;
--ssl-trusted-domain) SSL_TRUSTED_DOMAIN=$value ;;
--ssl-size) SSL_SIZE=$value ;;
--ssl-date) SSL_DATE=$value ;;
--ca-date) CA_DATE=$value ;;
--ssl-cn) CN=$value ;;
esac
done
# CA settings
CA_DATE=${CA_DATE:-3650}
CA_KEY=${CA_KEY:-cakey.pem}
CA_CERT=${CA_CERT:-cacerts.pem}
CA_DOMAIN=cattle-ca
# server certificate settings
SSL_CONFIG=${SSL_CONFIG:-$PWD/openssl.cnf}
SSL_DOMAIN=${SSL_DOMAIN:-'www.rancher.local'}
SSL_DATE=${SSL_DATE:-3650}
SSL_SIZE=${SSL_SIZE:-2048}
## two-letter country code, default CN
CN=${CN:-CN}
SSL_KEY=$SSL_DOMAIN.key
SSL_CSR=$SSL_DOMAIN.csr
SSL_CERT=$SSL_DOMAIN.crt
echo -e "\033[32m ---------------------------- \033[0m"
echo -e "\033[32m | Generate SSL Cert | \033[0m"
echo -e "\033[32m ---------------------------- \033[0m"
if [[ -e ./${CA_KEY} ]]; then
echo -e "\033[32m ====> 1. Existing CA private key found, backing up ${CA_KEY} as ${CA_KEY}-bak and creating a new one \033[0m"
mv ${CA_KEY} "${CA_KEY}"-bak
else
echo -e "\033[32m ====> 1. Generating new CA private key ${CA_KEY} \033[0m"
fi
openssl genrsa -out ${CA_KEY} ${SSL_SIZE}
chmod 600 ${CA_KEY}   # private keys must not be world-readable
if [[ -e ./${CA_CERT} ]]; then
echo -e "\033[32m ====> 2. Existing CA certificate found, backing up ${CA_CERT} as ${CA_CERT}-bak and creating a new one \033[0m"
mv ${CA_CERT} "${CA_CERT}"-bak
else
echo -e "\033[32m ====> 2. Generating new CA certificate ${CA_CERT} \033[0m"
fi
openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} -days ${CA_DATE} -out ${CA_CERT} -subj "/C=${CN}/CN=${CA_DOMAIN}"
echo -e "\033[32m ====> 3. Generating OpenSSL config file ${SSL_CONFIG} \033[0m"
cat > ${SSL_CONFIG} <<EOM
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
EOM
# The main domain is always listed as a SAN: browsers ignore the CN and reject
# a certificate whose subjectAltName does not cover the host being visited.
OLD_IFS=$IFS
IFS=","
dns=(${SSL_TRUSTED_DOMAIN})
dns+=(${SSL_DOMAIN})
for i in "${!dns[@]}"; do
echo DNS.$((i+1)) = ${dns[$i]} >> ${SSL_CONFIG}
done
if [[ -n ${SSL_TRUSTED_IP} ]]; then
ip=(${SSL_TRUSTED_IP})
for i in "${!ip[@]}"; do
echo IP.$((i+1)) = ${ip[$i]} >> ${SSL_CONFIG}
done
fi
IFS=$OLD_IFS
echo -e "\033[32m ====> 4. Generating server SSL key ${SSL_KEY} \033[0m"
openssl genrsa -out ${SSL_KEY} ${SSL_SIZE}
chmod 600 ${SSL_KEY}
echo -e "\033[32m ====> 5. Generating server SSL CSR ${SSL_CSR} \033[0m"
openssl req -sha256 -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/C=${CN}/CN=${SSL_DOMAIN}" -config ${SSL_CONFIG}
echo -e "\033[32m ====> 6. Generating server SSL certificate ${SSL_CERT} \033[0m"
openssl x509 -sha256 -req -in ${SSL_CSR} -CA ${CA_CERT} \
-CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
-days ${SSL_DATE} -extensions v3_req \
-extfile ${SSL_CONFIG}
echo -e "\033[32m ====> 7. Certificates created \033[0m"
echo
echo -e "\033[32m ====> 8. Printing the results in YAML format \033[0m"
# Note: this prints the private keys to the terminal. Do not capture the output
# into a shared log or paste it anywhere the keys should not travel.
echo "----------------------------------------------------------"
echo "ca_key: |"
sed 's/^/  /' ${CA_KEY}
echo
echo "ca_cert: |"
sed 's/^/  /' ${CA_CERT}
echo
echo "ssl_key: |"
sed 's/^/  /' ${SSL_KEY}
echo
echo "ssl_csr: |"
sed 's/^/  /' ${SSL_CSR}
echo
echo "ssl_cert: |"
sed 's/^/  /' ${SSL_CERT}
echo
echo -e "\033[32m ====> 9. Appending the CA certificate to the server certificate (full chain) \033[0m"
cat ${CA_CERT} >> ${SSL_CERT}
echo "ssl_cert: |"
sed 's/^/  /' ${SSL_CERT}
echo
echo -e "\033[32m ====> 10. Renaming the server certificate files \033[0m"
echo "cp ${SSL_DOMAIN}.key tls.key"
cp ${SSL_DOMAIN}.key tls.key
chmod 600 tls.key
echo "cp ${SSL_DOMAIN}.crt tls.crt"
cp ${SSL_DOMAIN}.crt tls.crt
Save the script on the VM as create_certs.sh and run it. Use bash rather than sh: the script relies on [[ ]] and bash arrays, which only work under sh where sh happens to be bash (CentOS); on Debian-family hosts sh is dash and the script breaks. The script writes into the current directory, so copy the results into the directory that will later be mounted into the container:
mkdir -p /host/certs
vim create_certs.sh # create the file and paste in the script
bash create_certs.sh --ssl-trusted-domain=rancher1 --ssl-trusted-ip=192.168.1.201,192.168.1.202,192.168.1.203 # generate the certificates
cp tls.crt tls.key cacerts.pem /host/certs/ # /host/certs is what the docker run command below mounts
Check the generated files (note that in this listing the private keys cakey.pem, tls.key and www.rancher.local.key are world-readable; restrict them with chmod 600 before going further):
[root@rancher1 ~]# ll
total 48
-rw-------. 1 root root 1261 Mar 22 11:15 anaconda-ks.cfg
-rw-r--r--. 1 root root 1131 Mar 23 10:41 cacerts.pem
-rw-r--r--. 1 root root 17 Mar 23 10:41 cacerts.srl
-rw-r--r--. 1 root root 1675 Mar 23 10:41 cakey.pem
-rw-r--r--. 1 root root 5219 Mar 23 10:38 create_certs.sh
-rw-r--r--. 1 root root 387 Mar 23 10:41 openssl.cnf
-rw-r--r--. 1 root root 2319 Mar 23 10:41 tls.crt
-rw-r--r--. 1 root root 1679 Mar 23 10:41 tls.key
-rw-r--r--. 1 root root 2319 Mar 23 10:41 www.rancher.local.crt
-rw-r--r--. 1 root root 1098 Mar 23 10:41 www.rancher.local.csr
-rw-r--r--. 1 root root 1679 Mar 23 10:41 www.rancher.local.key
Stopping and disabling the firewall. That is fine for a throwaway lab; anywhere else keep firewalld and open only the ports Rancher documents for each node role (80 and 443 for the Rancher server; for the RKE nodes at least 2379-2380, 6443 and 10250 over TCP plus 8472/UDP for the overlay network), for example firewall-cmd --permanent --add-port=443/tcp && firewall-cmd --reload.
[root@rancher1 ~]# systemctl stop firewalld.service
[root@rancher1 ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Installing Rancher
A note on the two certificate-related options before running this: -v /host/certs:/container/certs together with SSL_CERT_DIR=/container/certs puts the directory on the container's trusted-CA search path, so processes inside the container trust our CA. It does not by itself make Rancher serve tls.crt; for that, Rancher's Docker install expects the full-chain certificate, the key and the CA at /etc/rancher/ssl/cert.pem, /etc/rancher/ssl/key.pem and /etc/rancher/ssl/cacerts.pem inside the container, so mount the three files there as well. --privileged is required by the Rancher 2.5 Docker install.
docker run -d --privileged --restart=unless-stopped \
-p 80:80 -p 443:443 \
-e NO_PROXY="localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,192.168.1.0/24" \
-v /host/certs:/container/certs \
-e SSL_CERT_DIR="/container/certs" \
rancher/rancher:latest
Result:
[root@rancher1 ~]# docker run -d --privileged --restart=unless-stopped -p 80:80 -p 443:443 -e NO_PROXY="localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,192.168.1.0/24" -v /host/certs:/container/certs -e SSL_CERT_DIR="/container/certs" rancher/rancher:latest
b18465c9c9dec3baecdbc0fddb344f6196d9e4ddf15bcbe72754392ed20494a8
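Two checks worth running before opening the browser, as an added example that is not part of the original post: the first validates the generated tls.crt against cacerts.pem and confirms that every name and address passed to the script is actually present in the certificate's subjectAltName, which is what browsers and the Rancher agents check; the second connects to the running container and insists on a clean verification using only our CA, which fails if Rancher is still presenting its own generated certificate rather than the one we intended to serve. The VERIFY_LIVE switch is an assumption, and the names and addresses in it are taken from the commands above.

```bash
#!/usr/bin/env bash
# Added example: verify the certificate produced by the script above before
# trusting it, then verify what the running Rancher container actually serves.
set -eu

# verify_cert CERT CA NAME... : the chain must validate against CA, and every
# NAME (DNS name or IPv4 address) must be covered by the certificate's SANs.
# Returns non-zero on the first failure.
verify_cert() {
  cert="$1"; ca="$2"; shift 2
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain in $cert does not validate against $ca" >&2; return 1; }
  for n in "$@"; do
    case "$n" in
      *[!0-9.]*) out=$(openssl x509 -in "$cert" -noout -checkhost "$n" 2>/dev/null || true) ;;  # DNS name
      *)         out=$(openssl x509 -in "$cert" -noout -checkip "$n" 2>/dev/null || true) ;;    # IPv4
    esac
    case "$out" in
      *"does match"*) ;;                       # openssl prints "... does match certificate"
      *) echo "$n is not covered by $cert" >&2; return 1 ;;
    esac
  done
}

# verify_endpoint HOST CA [PORT] : connect to the live server and require a clean
# verification result with only our CA as trust anchor. This fails while Rancher
# is still serving its own self-generated certificate.
verify_endpoint() {
  host="$1"; ca="$2"; port="${3:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$ca" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

if [ "${VERIFY_LIVE:-0}" = "1" ]; then          # assumption: opt-in switch
  verify_cert tls.crt cacerts.pem rancher1 192.168.1.201 192.168.1.202 192.168.1.203
  verify_endpoint 192.168.1.201 cacerts.pem
  echo "certificate and endpoint OK"
fi
```

Run it from the directory holding tls.crt and cacerts.pem with VERIFY_LIVE=1 once the container is up. Because verify_endpoint passes only our CA and nothing else, a success means the server really presents a chain rooted in cacerts.pem, not merely something a browser happens to accept.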
After a moment, open the VM's IP address in a browser:
Click Continue.
Set a password and tick "I agree".
Then accept the defaults.
This lands on the Rancher management page; click Add Cluster.
Choose existing nodes (your own VMs).
Enter a name and choose the Kubernetes version.
On this page, if the node has more than one NIC, click Show advanced options and set Public Address to pin the IP.
Our VMs have a single NIC, so it makes no difference here.
First tick all roles and run the command shown on this machine (201).
Then untick etcd and run it on the other machines.
Wait for the cluster to become Active. Red messages along the way are normal; a step that stays stuck is the one to look into.
Check the Rancher logs:
[root@rancher1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
59c6b4bebd7e rancher/rancher-agent:v2.5.5 "run.sh --server htt…" About a minute ago Up About a minute mystifying_thompson
b18465c9c9de rancher/rancher:latest "entrypoint.sh" 21 minutes ago Up 5 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp priceless_merkle
[root@rancher1 ~]# docker logs -f b18465c9c9de # container ID of rancher/rancher:latest
Handling common errors
Etcd Cluster is not healthy
Synchronize the clocks on every VM (a one-off ntpdate is enough for a lab; keep them in sync permanently with chronyd or ntpd):
yum install ntpdate -y
ntpdate time.windows.com
Pre-pulling kubernetes images
If provisioning is stuck at Pre-pulling kubernetes images, check whether the Rancher images can be pulled at all. Note that the "manifest unknown" reply below only says that rancher/hyperkube has no latest tag; to actually test the registry, pull the exact tag matching the Kubernetes version chosen in the UI.
[root@rancher1 ~]# docker pull rancher/hyperkube
Using default tag: latest
Error response from daemon: manifest for rancher/hyperkube:latest not found: manifest unknown: manifest unknown
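As an added triage script (not from the original post), the checks behind the two errors above in one place: the clock skew between the nodes, which is what usually sits behind "Etcd Cluster is not healthy", and a pull of rancher/hyperkube with an explicit version tag, since the image has no latest tag and the "manifest unknown" above proves nothing about connectivity. NODES, key-based root ssh to them and the TRIAGE_APPLY switch are assumptions; HYPERKUBE_TAG must be set to the tag matching the Kubernetes version chosen in the UI.

```bash
#!/usr/bin/env bash
# Added example: triage helpers for a custom cluster stuck in provisioning.
# NODES and HYPERKUBE_TAG are assumptions; set them to your hosts and to the
# image tag for the Kubernetes version selected in Rancher.
set -eu

NODES="${NODES:-192.168.1.201 192.168.1.202 192.168.1.203}"
HYPERKUBE_TAG="${HYPERKUBE_TAG:-}"

# node_clocks NODE... : epoch seconds as seen by each node (key-based root ssh assumed).
node_clocks() {
  for n in "$@"; do
    ssh -o BatchMode=yes "root@$n" date +%s
  done
}

# max_skew EPOCH... : largest difference in seconds between the given clocks.
# etcd members with drifting clocks fail health checks, so anything beyond a
# few seconds is worth fixing before looking elsewhere.
max_skew() {
  min=""; max=""
  for t in "$@"; do
    [ -z "$min" ] || [ "$t" -lt "$min" ] && min="$t"
    [ -z "$max" ] || [ "$t" -gt "$max" ] && max="$t"
  done
  echo $((max - min))
}

# hyperkube_ref TAG : rancher/hyperkube is only published under version tags, so
# an explicit tag is required; pulling :latest always fails and tells you nothing.
hyperkube_ref() {
  case "$1" in
    ""|latest) echo "hyperkube_ref: need the version tag shown in the cluster's Kubernetes version list" >&2; return 1 ;;
  esac
  echo "rancher/hyperkube:$1"
}

if [ "${TRIAGE_APPLY:-0}" = "1" ]; then                      # assumption: opt-in switch
  echo "max clock skew across nodes: $(max_skew $(node_clocks $NODES))s"
  for n in $NODES; do ssh -o BatchMode=yes "root@$n" ntpdate time.windows.com; done
  docker pull "$(hyperkube_ref "$HYPERKUBE_TAG")"               # proves the registry path works
  docker logs --tail 50 "$(docker ps -q --filter ancestor=rancher/rancher:latest)"
fi
```

Run with `TRIAGE_APPLY=1 HYPERKUBE_TAG=<tag from the UI> bash triage.sh` from the Rancher server node. If the skew is large, fix time synchronization first and only then re-examine the etcd error; if the tagged pull fails, the problem is the registry path (mirror, proxy, NO_PROXY), not Rancher.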
Installing Rancher with Helm
This installs Rancher onto the Kubernetes environment built with rke in "Kubernetes 入門——從零搭建k8s叢集" (Getting started with Kubernetes: building a k8s cluster from scratch); refer to that article for installing kubectl, helm and the other tools as well. This approach is also known as the high-availability install.
Look at the hosts configuration:
yjw@rancher1:~/temp$ vim create_self-signed-cert.sh # the certificate-generation script from the previous section
yjw@rancher1:~/temp$ cat /etc/hosts
127.0.0.1 localhost
192.168.1.6 rancher1
192.168.1.7 rancher2
192.168.1.6 rancher.my.com
# generate the certificates
/bin/bash create_self-signed-cert.sh --ssl-domain=rancher.my.com --ssl-trusted-ip=192.168.1.6,192.168.1.7
# add the helm repository
helm repo add rancher-stable http://rancher-mirror.oss-cn
# refresh the repository index
helm repo update
# create the namespace
kubectl create namespace rancher
# install Rancher with our own certificate; both files come from the script above
kubectl create secret tls tls-rancher-ingress --cert=tls.crt --key=tls.key --namespace rancher
# install Rancher through helm
helm install rancher rancher-stable/rancher --namespace rancher --set hostname=rancher.my.com --set ingress.tls.source=tls-rancher-ingress
Output:
yjw@rancher1:~/temp$ helm install rancher rancher-stable/rancher --namespace rancher --set hostname=rancher.my.com --set ingress.tls.source=tls-rancher-ingress
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/yjw/.kube/config
NAME: rancher
LAST DEPLOYED: Sun Apr 4 04:51:09 2021
NAMESPACE: rancher
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Rancher Server has been installed.
NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued and Ingress comes up.
Check out our docs at https://rancher.com/docs/rancher/v2.x/en/
Browse to https://rancher.my.com
Happy Containering!
Act on the WARNING in the helm output as well: chmod 600 ~/.kube/config, since that file carries cluster-admin credentials.
Check whether the rollout has finished:
kubectl -n rancher rollout status deploy/rancher
yjw@rancher1:~/temp$ kubectl -n rancher rollout status deploy/rancher
Waiting for deployment "rancher" rollout to finish: 0 of 3 updated replicas are available...
Waiting for deployment "rancher" rollout to finish: 1 of 3 updated replicas are available...
Waiting for deployment spec update to be observed...
Waiting for deployment "rancher" rollout to finish: 1 of 3 updated replicas are available...
Waiting for deployment "rancher" rollout to finish: 2 of 3 updated replicas are available...
deployment "rancher" successfully rolled out
Wait patiently until `deployment "rancher" successfully rolled out` appears; that means the install succeeded.
If it still has not appeared after a long time, run
kubectl -n rancher describe pod
(the namespace the chart was installed into above; Rancher's own docs use cattle-system) to look for error messages.
If you access the Rancher UI from Windows, you also need to add
192.168.1.6 rancher.my.com