1、環境準備
IP位址 | 主機 | 角色 | 系統 |
192.168.100.101 | master-101 | K8S叢集主節點 | Ubuntu2004 |
192.168.100.102 | master-102 | K8S叢集主節點 | Ubuntu2004 |
192.168.100.103 | master-103 | K8S叢集主節點 | Ubuntu2004 |
192.168.100.104 | node-104 | K8S叢集從節點 | Ubuntu2004 |
192.168.100.105 | node-105 | K8S叢集從節點 | Ubuntu2004 |
192.168.100.111 | wang.cluster.k8s | VIP |
1-1、關閉防火牆
~]#ufw disable
~]#ufw status
1-2、時間同步
~]#apt install -y chrony
~]#systemctl restart chrony
~]#systemctl status chrony
~]#chronyc sources
1-3、主機名互相解析
~]#vim /etc/hosts
192.168.100.101 master-101
192.168.100.102 master-102
192.168.100.103 master-103
192.168.100.104 node-104
192.168.100.105 node-105
192.168.100.111 wang.cluster.k8s
1-4、禁用swap
~]#swapoff -a && sed -i 's|^/swap.img|#/swap.img|g' /etc/fstab
1-5、驗證每個節點上IP、MAC 位址和 product_uuid 的唯一性
~]#ifconfig -a
~]#sudo cat /sys/class/dmi/id/product_uuid # 檢視 product_uuid
1-6、系統核心參數調整
#如果已經調整,請忽略:
~]#echo "vm.swappiness = 0" >> /etc/sysctl.conf
~]#echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
~]#echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
~]#echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf
1-7、安裝ipvs模組
~]#apt -y install ipvsadm ipset sysstat conntrack
# 鎖定版本
~]#apt-mark hold ipvsadm
#將模組加載到核心中(開機自動設定-需要重新開機機器生效)
~]#tee /etc/modules-load.d/k8s.conf <<'EOF'
br_netfilter
overlay
nf_conntrack
ip_vs
ip_vs_lc
ip_vs_lblc
ip_vs_lblcr
ip_vs_rr
ip_vs_wrr
ip_vs_sh
ip_vs_dh
ip_vs_fo
ip_vs_nq
ip_vs_sed
ip_vs_ftp
ip_tables
ip_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
xt_set
EOF
#加載模組到核心中
~]#mkdir -pv /etc/modules.d
~]#tee /etc/modules.d/k8s.modules <<EOF
#!/bin/bash
# Loads the IPVS, netfilter/conntrack and bridge-related kernel modules listed in
# /etc/modules-load.d/k8s.conf into the running kernel right away, without waiting
# for the reboot that the modules-load.d entry needs to take effect.
# Each modprobe runs independently, so one missing module does not stop the rest;
# the script's exit status is that of the last modprobe (xt_set).
# "--" ends option parsing so a module name can never be read as a modprobe flag.
modprobe -- br_netfilter
modprobe -- overlay
modprobe -- nf_conntrack
modprobe -- ip_vs
modprobe -- ip_vs_lc
modprobe -- ip_vs_lblc
modprobe -- ip_vs_lblcr
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- ip_vs_dh
modprobe -- ip_vs_fo
modprobe -- ip_vs_nq
modprobe -- ip_vs_sed
modprobe -- ip_vs_ftp
modprobe -- ip_tables
modprobe -- ip_set
modprobe -- ipt_set
modprobe -- ipt_rpfilter
modprobe -- ipt_REJECT
modprobe -- ipip
modprobe -- xt_set
EOF
~]#chmod 755 /etc/modules.d/k8s.modules && bash /etc/modules.d/k8s.modules && lsmod | grep -e ip_vs -e nf_conntrack
~]#sysctl --system
溫馨提示: 在 kernel 4.19 版本及以上將使用 nf_conntrack 模組, 在 4.18 版本以下則需使用 nf_conntrack_ipv4 模組
2、安裝Haproxy、Keepalived
描述: 由於是測試學習環境, 所以直接採用master節點機器,如果是正式環境建議獨立出來。
2-1、下載安裝
#所有master節點執行:
#下載安裝 haproxy (HA代理健康檢測) 與 keepalived (虛擬路由協定-主從)
[root@master-101 ~]#apt-cache madison haproxy keepalived
[root@master-101 ~]#apt install -y haproxy=2.0.13-2 keepalived
[root@master-101 ~]#apt-mark hold haproxy keepalived
#所有master節點執行:
#配置HAproxy
[root@master-101 ~]#tee /etc/haproxy/haproxy.cfg<<'EOF'
global
# Drop privileges to haproxy:haproxy and chroot after startup.
user haproxy
group haproxy
maxconn 2000
daemon
log /dev/log local0
log /dev/log local1 err
chroot /var/lib/haproxy
# "level admin" gives full runtime control of the proxy over this socket; mode 660
# keeps it to root and the haproxy group. expose-fd listeners is what allows
# seamless reloads.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
# NOTE(review): the ssl-default-bind-* settings only apply to bind lines that carry
# the ssl keyword. The k8s-master frontend below is plain TCP passthrough, so HAProxy
# never terminates TLS here and clients see the API server's own certificate.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
# Defaults are HTTP; the API-server frontend/backend override this with mode tcp.
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-request 15s
timeout http-keep-alive 15s
# Note: HAProxy monitoring frontend (optional, left disabled)
# frontend monitor-in
# bind *:33305
# mode http
# option httplog
# monitor-uri /monitor
# Note: layer-4 (TCP) proxy. 16443 is the API-server control-plane port on the VIP;
# 6443 cannot be used here because the proxy runs on the master nodes themselves,
# where kube-apiserver already listens on 6443.
frontend k8s-master
# NOTE(review): 0.0.0.0 listens on every interface, and the host firewall is disabled
# earlier in this guide; if the nodes have a non-management interface, bind to the
# VIP/management address or restrict source networks instead.
bind 0.0.0.0:16443
bind 127.0.0.1:16443
mode tcp
option tcplog
tcp-request inspect-delay 5s
default_backend k8s-master
# Note: the default API server port on each master node is 6443
backend k8s-master
mode tcp
option tcplog
# Plain TCP connect check against each API server; no TLS handshake is performed.
option tcp-check
balance roundrobin
default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
server master-101 192.168.100.101:6443 check
server master-102 192.168.100.102:6443 check
server master-103 192.168.100.103:6443 check
EOF
#所有master節點執行:
#配置Keepalived
[root@master-101 ~]#mkdir /etc/keepalived
[root@master-101 ~]#tee /etc/keepalived/keepalived.conf <<'EOF'
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
# Health-check scripts run as root; enable_script_security makes keepalived refuse
# to run a script located in a path writable by non-root users.
script_user root
enable_script_security
}
vrrp_script chk_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 5
# Two consecutive failures lower this node's priority by 5 (the script itself also
# stops keepalived outright, which releases the VIP regardless of the weight).
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state MASTER # the other two nodes use BACKUP (typically with a lower priority too)
interface enp1s0 # check the actual interface name on each host
# NOTE(review): mcast_src_ip is normally the node's own unicast address used as the
# source of VRRP adverts; 224.8.8.8 is a multicast address, so confirm this is intended.
mcast_src_ip 224.8.8.8 # same on every node
virtual_router_id 51
priority 101
advert_int 2
authentication {
auth_type PASS
# NOTE(review): sample value. auth_type PASS is carried unencrypted in VRRP adverts,
# so use a unique, non-default secret and keep the VRRP segment isolated.
auth_pass 123456
}
virtual_ipaddress {
192.168.100.111 # the VIP is the same on every node
}
}
EOF
#所有master節點執行:
# KeepAlived 健康檢查腳本
[root@master-101 ~]#tee /etc/keepalived/check_apiserver.sh <<'EOF'
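#!/bin/bash
# Keepalived health check: this node may only hold the VIP while a local haproxy
# process is running. Probes up to three times, one second apart, so a brief
# haproxy restart does not immediately trigger a failover.
# Exit 0 = healthy. Exit 1 = haproxy missing; keepalived is stopped on this node
# so the VIP moves to another master.
err=0
for ((attempt = 1; attempt <= 3; attempt++)); do
  # -x matches the process name exactly, so an unrelated process whose name merely
  # contains "haproxy" cannot satisfy the check.
  if pgrep -x haproxy >/dev/null 2>&1; then
    err=0
    break
  fi
  err=$((err + 1))
  sleep 1
done
if ((err != 0)); then
  echo "systemctl stop keepalived"
  /usr/bin/systemctl stop keepalived
  exit 1
fi
exit 0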
EOF
[root@master-101 ~]#chmod +x /etc/keepalived/check_apiserver.sh
[root@master-101 ~]#systemctl daemon-reload && systemctl enable --now haproxy keepalived
[root@master-101 ~]#systemctl status haproxy keepalived
#測試一下vip是否能漂移,此處略
3、部署etcd
3-1、簽發etcd證書
#master-101執行:
#建立一個配置與相關檔案存放的目錄, 以及下載取得cfssl工具進行CA憑證製作與簽發
[root@master-101 ~]#mkdir -pv /app/k8s-init
[root@master-101 ~]#cd /app/k8s-init
#windows下載cfssl相關工具,下載位址:
https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o /usr/local/bin/cfssl
https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o /usr/local/bin/cfssljson
https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64 -o /usr/local/bin/cfssl-certinfo
#把下載的檔案上傳到該目錄:
[root@master-101 k8s-init]#cp cfssl_1.6.1_linux_amd64 /usr/local/bin/cfssl
[root@master-101 k8s-init]#cp cfssljson_1.6.1_linux_amd64 /usr/local/bin/cfssljson
[root@master-101 k8s-init]#cp cfssl-certinfo_1.6.1_linux_amd64 /usr/local/bin/cfssl-certinfo
[root@master-101 k8s-init]#chmod +x /usr/local/bin/cfssl*
[root@master-101 k8s-init]#cfssl version
溫馨提示:
cfssl : CFSSL 指令行工具
cfssljson : 用於從cfssl程式中取得JSON輸出並將證書、密鑰、證書簽名請求檔案CSR和Bundle寫入到檔案中
cfssl-certinfo: 可以檢視證書資訊
#master-101執行:
#建立ca證書:
[root@master-101 k8s-init]#cfssl print-defaults csr > ca-csr.json
[root@master-101 k8s-init]#tee ca-csr.json <<'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "beijing",
"ST": "beijing",
"O": "k8s",
"OU": "System"
}
],
"ca": {
"expiry": "87600h"
}
}
EOF
#關鍵參數解析:
CN: Common Name,瀏覽器使用該字段驗證網站是否合法,一般寫的是域名,非常重要。
key:生成證書的算法
hosts:表示哪些主機名(域名)或者IP可以使用此csr申請的證書,為空或者""表示所有的都可以使用(本例中沒有`"hosts": [""]`字段)
names:常見屬性設定
* C: Country, 國家
* ST: State,州或者是省份
* L: Locality Name,地區,城市
* O: Organization Name,組織名稱,公司名稱(在k8s中常用于指定Group,進行RBAC綁定)
* OU: Organization Unit Name,組織機關名稱,公司部門
溫馨提示: 如果將 expiry 設定為87600h 表示證書過期時間為十年。
==============================================================================================
#CA 證書政策配置檔案
[root@master-101 k8s-init]#cfssl print-defaults config > ca-config.json
[root@master-101 k8s-init]#tee ca-config.json <<'EOF'
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"etcd": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
# 關鍵參數解析:
default 預設政策,指定了證書的預設有效期是10年(87600h)
profile 自定義政策配置
* kubernetes:表示該配置(profile)的用途是為kubernetes生成證書及相關的校驗工作
* signing:表示該證書可用于簽名其它證書;生成的 ca.pem 證書中 CA=TRUE
* server auth:表示可以用該 CA 對 server 提供的證書進行驗證
* client auth:表示可以用該 CA 對 client 提供的證書進行驗證
* expiry:也表示過期時間,如果不寫以default中的為準
========================================================================================
# 利用CA憑證簽名請求配置檔案 ca-csr.json 生成CA憑證和CA私鑰和CSR(證書簽名請求):
[root@master-101 k8s-init]#cfssl gencert -initca ca-csr.json | cfssljson -bare ca
#檢視證書資訊:
[root@master-101 k8s-init]#openssl x509 -in ca.pem -text -noout | grep "Not"
#master-101執行:
#配置ETCD證書相關檔案以及生成其證書
[root@master-101 k8s-init]#tee etcd-csr.json <<'EOF'
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.100.101",
"192.168.100.102",
"192.168.100.103",
"etcd1",
"etcd2",
"etcd3"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "beijing",
"ST": "beijing",
"O": "etcd",
"OU": "System"
}
]
}
EOF
========================================================================================
#用ca證書簽發生成etcd證書
[root@master-101 k8s-init]#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
[root@master-101 k8s-init]#openssl x509 -in etcd.pem -text -noout | grep "X509v3" -A1
3-2、部署etcd
#所有Master節點主機執行:
#下載etcd軟體包
下載位址:https://github.com/etcd-io/etcd/releases/download/v3.5.4/etcd-v3.5.4-linux-amd64.tar.gz
#windows下載後上傳
[root@master-101 ~]#tar xf etcd-v3.5.4-linux-amd64.tar.gz
[root@master-101 ~]#cd etcd-v3.5.4-linux-amd64/
[root@master-101 etcd-v3.5.4-linux-amd64]#cp -a etcd* /usr/local/bin/
[root@master-101 ~]#mkdir -pv /etc/etcd/pki
[root@master-101 ~]#cd /app/k8s-init/
[root@master-101 k8s-init]#cp *.pem /etc/etcd/pki/
[root@master-101 k8s-init]#scp /etc/etcd/pki/* 192.168.100.102:
[root@master-101 k8s-init]#scp /etc/etcd/pki/* 192.168.100.103:
#注意: 上述scp的目的路徑是遠端root的家目錄, 需在master-102/103上再將檔案移到 /etc/etcd/pki/; 其中也包含CA私鑰 ca-key.pem, 請保持僅root可讀。
#192.168.100.101執行:
[root@master-101 ~]#tee /etc/etcd/etcd.conf <<'EOF'
# [成員配置]
# member 名稱
ETCD_NAME=etcd1
# 存儲資料的目錄(注意需要建立)
ETCD_DATA_DIR="/var/lib/etcd/data"
# 用于監聽用戶端etcdctl或者curl連接配接
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.101:2379,https://127.0.0.1:2379"
# 用于監聽叢集中其它member的連接配接
ETCD_LISTEN_PEER_URLS="https://192.168.100.101:2380"
# [證書配置]
# ETCD_CERT_FILE=/etc/etcd/pki/etcd.pem
# ETCD_KEY_FILE=/etc/etcd/pki/etcd-key.pem
# ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.pem
# ETCD_CLIENT_CERT_AUTH=true
# ETCD_PEER_CLIENT_CERT_AUTH=true
# ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd.pem
# ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd-key.pem
# ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.pem
# [叢集配置]
# 本機位址用于通知用戶端,用戶端通過此IPs與叢集通信;
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.101:2379"
# 本機位址用于通知叢集member與member通信
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.101:2380"
# 描述叢集中所有節點的資訊,本member根據此資訊去聯系其他member
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.100.101:2380,etcd2=https://192.168.100.102:2380,etcd3=https://192.168.100.103:2380"
# 叢集狀态建立叢集時候設定為new,若是想加入某個已經存在的叢集設定為existing
ETCD_INITIAL_CLUSTER_STATE=new
EOF
#192.168.100.102執行:
[root@master-102 ~]#tee /etc/etcd/etcd.conf <<'EOF'
# [成員配置]
# member 名稱
ETCD_NAME=etcd2
# 存儲資料的目錄(注意需要建立)
ETCD_DATA_DIR="/var/lib/etcd/data"
# 用于監聽用戶端etcdctl或者curl連接配接
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.102:2379,https://127.0.0.1:2379"
# 用于監聽叢集中其它member的連接配接
ETCD_LISTEN_PEER_URLS="https://192.168.100.102:2380"
# [叢集配置]
# 本機位址用于通知用戶端,用戶端通過此IPs與叢集通信;
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.102:2379"
# 本機位址用于通知叢集member與member通信
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.102:2380"
# 描述叢集中所有節點的資訊,本member根據此資訊去聯系其他member
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.100.101:2380,etcd2=https://192.168.100.102:2380,etcd3=https://192.168.100.103:2380"
# 叢集狀态建立叢集時候設定為new,若是想加入某個已經存在的叢集設定為existing
ETCD_INITIAL_CLUSTER_STATE=new
EOF
#192.168.100.103執行:
[root@master-103 ~]#tee /etc/etcd/etcd.conf <<'EOF'
# [成員配置]
# member 名稱
ETCD_NAME=etcd3
# 存儲資料的目錄(注意需要建立)
ETCD_DATA_DIR="/var/lib/etcd/data"
# 用于監聽用戶端etcdctl或者curl連接配接
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.103:2379,https://127.0.0.1:2379"
# 用于監聽叢集中其它member的連接配接
ETCD_LISTEN_PEER_URLS="https://192.168.100.103:2380"
# [叢集配置]
# 本機位址用于通知用戶端,用戶端通過此IPs與叢集通信;
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.103:2379"
# 本機位址用于通知叢集member與member通信
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.103:2380"
# 描述叢集中所有節點的資訊,本member根據此資訊去聯系其他member
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.100.101:2380,etcd2=https://192.168.100.102:2380,etcd3=https://192.168.100.103:2380"
# 叢集狀态建立叢集時候設定為new,若是想加入某個已經存在的叢集設定為existing
ETCD_INITIAL_CLUSTER_STATE=new
EOF
#所有master節點執行:
#建立etcd的service檔案,便于systemd管理:
[root@master-101 ~]#mkdir -pv /var/lib/etcd
[root@master-101 ~]#cat > /usr/lib/systemd/system/etcd.service <<EOF
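[Unit]
Description=Etcd Server
Documentation=https://github.com/etcd-io/etcd
After=network.target
After=network-online.target
# Directive names are case-sensitive: the lowercase "wants=" used previously is not
# recognised by systemd (it logs an unknown-key warning and ignores it).
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
# Per-node settings (ETCD_NAME, listen/advertise URLs, data dir) come from
# /etc/etcd/etcd.conf; the leading "-" makes a missing file non-fatal.
EnvironmentFile=-/etc/etcd/etcd.conf
# Client and peer connections both require a certificate issued by
# /etc/etcd/pki/ca.pem (mutual TLS); the same etcd cert is used for both roles.
ExecStart=/usr/local/bin/etcd \
--client-cert-auth \
--trusted-ca-file /etc/etcd/pki/ca.pem \
--cert-file /etc/etcd/pki/etcd.pem \
--key-file /etc/etcd/pki/etcd-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file /etc/etcd/pki/ca.pem \
--peer-cert-file /etc/etcd/pki/etcd.pem \
--peer-key-file /etc/etcd/pki/etcd-key.pem
Restart=on-failure
RestartSec=5
LimitNOFILE=65535
LimitNPROC=65535
[Install]
WantedBy=multi-user.target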
EOF
[root@master-101 ~]#systemctl daemon-reload && systemctl enable --now etcd.service
[root@master-101 ~]#systemctl status etcd.service
#檢視etcd是否正常以及健康狀态:
# 利用 etcdctl 工具檢視叢集成員資訊
export ETCDCTL_API=3
[root@master-101 ~]#etcdctl --endpoints=https://192.168.100.101:2379,https://192.168.100.102:2379,https://192.168.100.103:2379 --cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" --write-out=table member list
# 叢集節點資訊
[root@master-101 ~]#etcdctl --endpoints=https://192.168.100.101:2379,https://192.168.100.102:2379,https://192.168.100.103:2379 --cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" --write-out=table endpoint status
# 叢集節點健康狀态
[root@master-101 ~]#etcdctl --endpoints=https://192.168.100.101:2379,https://192.168.100.102:2379,https://192.168.100.103:2379 --cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" --write-out=table endpoint health
# 叢集節點性能測試
[root@master-101 ~]#etcdctl --endpoints=https://192.168.100.101:2379,https://192.168.100.102:2379,https://192.168.100.103:2379 --cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" --write-out=table endpoint check perf
4、部署containerd
#所有節點執行:
#下載位址:https://github.com/containerd/containerd/releases/download/v1.6.4/cri-containerd-cni-1.6.4-linux-amd64.tar.gz
#windows下載後上傳
[root@master-101 local]#mkdir cri-containerd-cni
[root@master-101 local]#tar xf cri-containerd-cni-1.6.4-linux-amd64.tar.gz -C cri-containerd-cni
[root@master-101 local]#tree cri-containerd-cni
/usr/local/cri-containerd-cni/
├── etc
│ ├── cni
│ │ └── net.d
│ │ └── 10-containerd-net.conflist
│ ├── crictl.yaml
│ └── systemd
│ └── system
│ └── containerd.service
├── opt
│ ├── cni
│ │ └── bin
│ │ ├── bandwidth
│ │ ├── bridge
│ │ ├── dhcp
│ │ ├── firewall
│ │ ├── host-device
│ │ ├── host-local
│ │ ├── ipvlan
│ │ ├── loopback
│ │ ├── macvlan
│ │ ├── portmap
│ │ ├── ptp
│ │ ├── sbr
│ │ ├── static
│ │ ├── tuning
│ │ ├── vlan
│ │ └── vrf
│ └── containerd
│ └── cluster
│ ├── gce
│ │ ├── cloud-init
│ │ │ ├── master.yaml
│ │ │ └── node.yaml
│ │ ├── cni.template
│ │ ├── configure.sh
│ │ └── env
│ └── version
└── usr
└── local
├── bin
│ ├── containerd
│ ├── containerd-shim
│ ├── containerd-shim-runc-v1
│ ├── containerd-shim-runc-v2
│ ├── containerd-stress
│ ├── crictl
│ ├── critest
│ ├── ctd-decoder
│ └── ctr
└── sbin
└── runc
#在所有節點上複制到上述檔案夾到對應目錄中
[root@master-101 local]#cd cri-containerd-cni/
[root@master-101 cri-containerd-cni]#cp -r etc/ /
[root@master-101 cri-containerd-cni]#cp -r opt/ /
[root@master-101 cri-containerd-cni]#cp -r usr/ /
#所有節點執行:
#配置建立并修改 config.toml
[root@master-101 ~]#mkdir -pv /etc/containerd
[root@master-101 ~]#containerd config default >/etc/containerd/config.toml
[root@master-101 ~]#ls /etc/containerd/config.toml
# pause 鏡像源
[root@master-101 ~]#sed -i "s#k8s.gcr.io/pause#registry.cn-hangzhou.aliyuncs.com/google_containers/pause#g" /etc/containerd/config.toml
# 使用 SystemdCgroup
[root@master-101 ~]#sed -i 's#SystemdCgroup = false#SystemdCgroup = true#g' /etc/containerd/config.toml
# docker.io mirror
[root@master-101 ~]#sed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]' /etc/containerd/config.toml
[root@master-101 ~]#sed -i '/registry.mirrors."docker.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://xlx9erfu.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml
# gcr.io mirror
[root@master-101 ~]#sed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]' /etc/containerd/config.toml
[root@master-101 ~]#sed -i '/registry.mirrors."gcr.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://gcr.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml
# k8s.gcr.io mirror
[root@master-101 ~]#sed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]' /etc/containerd/config.toml
[root@master-101 ~]#sed -i '/registry.mirrors."k8s.gcr.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers/","https://registry.cn-hangzhou.aliyuncs.com/google_containers/"]' /etc/containerd/config.toml
# quay.io mirror
[root@master-101 ~]#sed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]' /etc/containerd/config.toml
[root@master-101 ~]#sed -i '/registry.mirrors."quay.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://quay.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml
#所有節點執行:
# 配置檔案設定永久生效
[root@master-101 ~]#cat <<EOF > /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
[root@master-101 ~]#systemctl daemon-reload && systemctl enable --now containerd.service
[root@master-101 ~]#systemctl status containerd.service
[root@master-101 ~]#ctr version
[root@master-101 ~]#runc -v
#溫馨提示: 當預設 runc 執行提示 runc: symbol lookup error: runc: undefined symbol: seccomp_notify_respond 時,由於上述軟體包中包含的runc對系統依賴過多,所以建議單獨下載安裝 runc 二進制項目(https://github.com/opencontainers/runc/),如下:
wget https://github.com/opencontainers/runc/releases/download/v1.1.1/runc.amd64
# 執行權限賦予
chmod +x runc.amd64
# 替換掉 /usr/local/sbin/ 路徑原軟體包中的 runc
mv runc.amd64 /usr/local/sbin/runc