1.3 基本配置

1.3.1 关闭 selinux 和防火墙

关闭防火墙

# Stop firewalld now and keep it off across reboots.
# With the host firewall gone, every listening service on the node is reachable
# from the whole network segment, so this relies on an upstream firewall or
# security group; the alternative is to keep firewalld and open only the
# Kubernetes control-plane and node ports.
systemctl disable --now firewalld.service

关闭 selinux

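# Put SELinux into permissive mode for the running system and make the
# "disabled" setting persistent for the next boot.
# - setenforce fails (non-zero) when SELinux is already disabled, so it is
#   skipped in that case instead of producing an error.
# - The anchored pattern also rewrites a config that currently says
#   "permissive"; the original "enforcing"-only match would have left it alone.
# NOTE(review): "permissive" keeps the policy loaded and logs AVC denials, so
# SELinux could later be re-enabled without a full relabel; kubeadm only needs
# permissive. "disabled" is kept here because that is what the guide uses.
[[ "$(getenforce)" == Disabled ]] || setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config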

1.3.2 设置主机名

根据上面的规划进行设置

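# Each node receives the name planned for it. As originally written, running
# the block on one host would set all three names in turn and leave it named
# k8s-m3; set node_name to this host's planned name before running.
# The names must match the /etc/hosts entries written in 1.3.5.
node_name=k8s-m1   # one of: k8s-m1 | k8s-m2 | k8s-m3
hostnamectl set-hostname "$node_name"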

1.3.3 设置时区

# Same timezone on every node keeps timestamps comparable across logs,
# which matters when correlating events between control-plane hosts.
timezone=Asia/Shanghai
timedatectl set-timezone "$timezone"

1.3.4 配置时间同步

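# Refresh repo metadata, install chrony, then start it now and on boot.
# chronyd is only enabled when the install step succeeded; the original ran
# the enable step unconditionally and would have failed with a confusing
# "unit not found" error.
# Kubernetes TLS certificates and bootstrap tokens have validity windows, so
# unsynchronised clocks between nodes show up as authentication failures.
yum makecache fast
yum -y install chrony && systemctl enable --now chronyd.service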

1.3.5 修改 hosts 文件

# Replace /etc/hosts entirely with the loopback entries plus the three planned
# control-plane addresses (tee also echoes the content to stdout).
# The quoted delimiter makes the here-document literal, so nothing in it is
# subject to shell expansion.
tee -- /etc/hosts <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.10 k8s-m1
192.168.100.20 k8s-m2
192.168.100.30 k8s-m3
EOF

1.3.6 ssh 免密登录

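# Create root's key pair once (if one already exists it is reused instead of
# prompting to overwrite) and install the public key on every node.
# NOTE(review): the key has no passphrase, so anyone who can read
# ~/.ssh/id_rsa gets root on all three nodes; keep root's home locked down, or
# use a passphrase with ssh-agent. ssh-copy-id connects over ssh, which asks to
# accept each host key on first contact - check the fingerprint it shows
# against the node before entering the password.
[[ -f ~/.ssh/id_rsa ]] || ssh-keygen -t rsa -b 2048 -P '' -f ~/.ssh/id_rsa
for host in k8s-m1 k8s-m2 k8s-m3; do
  ssh-copy-id "$host"
done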

1.3.7 安装常用软件

安装 epel 源

# Enable the EPEL repository. epel-release ships the repo definition together
# with its GPG key, so packages from it are signature-checked by yum.
yum install -y epel-release

修改为国内源

# Point the EPEL repo files at the Tsinghua mirror: disable the metalink
# lines, enable the baseurl lines, swap the host, and force https so the
# repo metadata is fetched over TLS (package signatures are still checked by
# gpgcheck regardless of transport).
sed -i \
    -e 's!^metalink=!#metalink=!g' \
    -e 's!^#baseurl=!baseurl=!g' \
    -e 's!//download\.fedoraproject\.org/pub!//mirrors.tuna.tsinghua.edu.cn!g' \
    -e 's!http://mirrors!https://mirrors!g' \
    /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel-testing.repo

安装常用软件

# Tooling used later in the guide: ipset/ipvsadm for kube-proxy's ipvs mode,
# nmap-ncat/net-tools/lsof for connectivity checks, the rest for convenience.
common_packages=(
  net-tools
  nmap-ncat
  sysstat
  git
  ipset
  ipvsadm
  bash-completion
  wget
  unzip
  lrzsz
  lsof
  vim
)
yum -y install "${common_packages[@]}"

1.3.8 配置 docker-ce

使用国内源, 下载速度快

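# Fetch the docker-ce repo definition from the Aliyun mirror.
# The file is downloaded to a temporary path first: "wget -O target" creates
# the target before the transfer finishes, so a failed download would have
# left an empty or truncated repo file in yum.repos.d.
# NOTE(review): the repo file is what decides whether docker packages are
# signature-checked - confirm the fetched file still carries gpgcheck=1 and a
# gpgkey entry before installing from it.
repo_url=https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
repo_file=/etc/yum.repos.d/docker-ce.repo
tmp_repo=$(mktemp) || exit 1
if wget -O "$tmp_repo" "$repo_url"; then
  install -m 0644 -- "$tmp_repo" "$repo_file"
fi
rm -f -- "$tmp_repo"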

1.3.9 配置 kubernetes

# Kubernetes yum repo via the Aliyun mirror. gpgcheck=1 makes yum verify each
# package against the two listed keys.
# NOTE(review): repo_gpgcheck is not set, so repository metadata itself is not
# signature-checked; whether the mirror serves signed repomd.xml would need to
# be confirmed before enabling it.
tee -- /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name = kubernetes
baseurl = https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled = 1
gpgcheck =1
gpgkey = https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg \
  https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
EOF

1.3.10 升级内核到 5.4-lts

CentOS 7.x 系统自带的 3.10.x 内核存在一些 Bug, 导致运行的 Docker、Kubernetes 不稳定。

Linux 内核官网: https://www.kernel.org/

类型 版本 更新日期
主线 5.17-rc1 2022-01-23
稳定 5.16.2 2022-01-2
长期 5.15.16 2022-01-20
长期 5.10.93 2022-01-20
长期 5.4.174 2022-01-27
长期 4.19.226 2022-01-27
长期 4.14.263 2022-01-27
长期 4.9.298 2022-01-27
长期 4.4.300 2022-01-27

安装 elrepo

elrepo 源官网: http://elrepo.org/tiki/tiki-index.php

  1. 导入验证key

    # Import the ELRepo signing key so the release package and kernels installed
    # from this repo can be signature-checked. The key is fetched over https;
    # compare its fingerprint (rpm -qi gpg-pubkey-*) with the one published on
    # elrepo.org before installing anything from the repo.
    elrepo_key_url=https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
    rpm --import "$elrepo_key_url"
    
  2. 安装 repo文件

    # Install the repo definition package. rpm checks its signature against the
    # key imported in step 1; without that import rpm would only warn (NOKEY)
    # and install the package anyway.
    elrepo_release_url=https://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
    rpm -Uvh "$elrepo_release_url"
    
  3. 查看可用的版本

    # Refresh metadata, then list every kernel-lt build the elrepo-kernel repo
    # offers (all other repos disabled so only ELRepo results show up).
    yum makecache fast
    yum search all kernel-lt --show-duplicates \
        --disablerepo="*" --enablerepo="elrepo-kernel"
    
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * elrepo-kernel: mirrors.tuna.tsinghua.edu.cn
    ====================================================================== Matched: kernel-lt =======================================================================
    kernel-lt-5.4.172-1.el7.elrepo.x86_64 : The Linux kernel. (The core of any Linux-based operating system.)
    kernel-lt-5.4.173-1.el7.elrepo.x86_64 : The Linux kernel. (The core of any Linux-based operating system.)
    kernel-lt-devel-5.4.172-1.el7.elrepo.x86_64 : Development package for building kernel modules to match the kernel.
    kernel-lt-devel-5.4.173-1.el7.elrepo.x86_64 : Development package for building kernel modules to match the kernel.
    kernel-lt-doc-5.4.172-1.el7.elrepo.noarch : Various bits of documentation found in the kernel sources.
    kernel-lt-doc-5.4.173-1.el7.elrepo.noarch : Various bits of documentation found in the kernel sources.
    kernel-lt-headers-5.4.172-1.el7.elrepo.x86_64 : Header files of the kernel, for use by glibc.
    kernel-lt-headers-5.4.173-1.el7.elrepo.x86_64 : Header files of the kernel, for use by glibc.
    kernel-lt-tools-5.4.172-1.el7.elrepo.x86_64 : Assortment of tools for the kernel.
    kernel-lt-tools-5.4.173-1.el7.elrepo.x86_64 : Assortment of tools for the kernel.
    kernel-lt-tools-libs-5.4.172-1.el7.elrepo.x86_64 : Libraries for the kernel tools.
    kernel-lt-tools-libs-5.4.173-1.el7.elrepo.x86_64 : Libraries for the kernel tools.
    kernel-lt-tools-libs-devel-5.4.172-1.el7.elrepo.x86_64 : Development package for the kernel tools libraries.
    kernel-lt-tools-libs-devel-5.4.173-1.el7.elrepo.x86_64 : Development package for the kernel tools libraries.
    
  4. 安装最新的 LTS 版本(5.4)

    # Install one explicit kernel-lt build (pinned so every node ends up on the
    # same kernel). Pick the version from the search output above.
    kernel_lt_version=5.4.173-1.el7.elrepo
    yum --enablerepo="elrepo-kernel" -y install "kernel-lt-${kernel_lt_version}"
    
  5. 更改内核默认启动顺序

    # List the boot menu entries; the exact title of the new kernel's entry is
    # needed for grub2-set-default in the next step.
    grep -F -- 'menuentry ' /boot/grub2/grub.cfg
    

    输出如下

    menuentry 'CentOS Linux (5.4.173-1.el7.elrepo.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-957.el7.x86_64-advanced-85171631-9db7-4472-8193-b1b4887387ef' {
    menuentry 'CentOS Linux (3.10.0-957.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-957.el7.x86_64-advanced-85171631-9db7-4472-8193-b1b4887387ef' {
    menuentry 'CentOS Linux (0-rescue-3f9f2439363b4c3c85ecf490ca34ddad) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-3f9f2439363b4c3c85ecf490ca34ddad-advanced-85171631-9db7-4472-8193-b1b4887387ef' {
    

    设置5.4为默认启动内核

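    # Make the 5.4 entry the default. grub2-set-default only writes the title
    # into grubenv and does not check that such a menu entry exists, so a typo
    # would silently keep the old kernel as default; print the saved entry so
    # it can be compared with the grep output above before rebooting.
    default_entry='CentOS Linux (5.4.173-1.el7.elrepo.x86_64) 7 (Core)'
    grub2-set-default "$default_entry"
    grub2-editenv list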
    
  6. 重启系统

    # Reboot into the newly installed kernel (reboot is systemctl on CentOS 7).
    systemctl reboot
    
  7. 查看内核版本

    # Confirm the running kernel release after the reboot.
    uname --kernel-release
    

    输出如下

    5.4.173-1.el7.elrepo.x86_64
    

    内核升级完成

1.3.11 加载 ipvs 模块

配置开机加载

IPVS-Based In-Cluster Load Balancing Deep Dive

高版本的 CentOS 内核中, nf_conntrack_ipv4 已被 nf_conntrack 替换。

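# Modules that systemd-modules-load brings in at boot for kube-proxy's ipvs
# mode. br_netfilter is added to the original list because the
# net.bridge.bridge-nf-call-* keys written in 1.3.12 only exist while that
# module is loaded; without it those sysctls cannot be applied after a reboot.
tee -- /etc/modules-load.d/k8s-ipvs.conf <<'EOF'
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
br_netfilter
EOF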

手动加载

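# Load the ipvs modules for the running kernel (the modules-load.d file above
# only takes effect at boot). The loop variable is quoted, as ShellCheck
# requires (SC2086); the module list is kept in an array so it is easy to
# compare with k8s-ipvs.conf.
ipvs_modules=(ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack)
for mod in "${ipvs_modules[@]}"; do
  modprobe "$mod"
done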

1.3.12 系统参数优化

系统调优参数

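# Kernel parameters for the cluster nodes, applied by sysctl --system below
# and again at every boot. Review notes:
#  - The net.bridge.* keys only exist while br_netfilter is loaded; load it
#    before applying, otherwise sysctl reports them as missing.
#  - rp_filter=0 switches off reverse-path (anti-spoofing) filtering on every
#    interface. Some CNI plugins need this, but it is a deliberate weakening
#    and worth recording in the node baseline.
#  - The original comment above the bridge-nf-call keys was inverted: a value
#    of 1 means bridged traffic IS handed to iptables, which kube-proxy needs.
#    The comment in the generated file is corrected accordingly.
tee -- /etc/sysctl.d/k8s.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.ip_forward = 1
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
# 让 iptables 处理经过 bridge 的数据(kube-proxy 需要, 依赖 br_netfilter 模块)
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.netfilter.nf_conntrack_max = 2310720
fs.inotify.max_user_watches=89100
fs.may_detach_mounts = 1
fs.file-max = 52706963
fs.nr_open = 52706963
vm.overcommit_memory=1
# 开启OOM
vm.panic_on_oom=0
# 禁止使用 swap 空间,只有当系统 OOM 时才允许使用它
vm.swappiness=0
# ipvs优化
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 10
EOF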

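# The net.bridge.* keys in k8s.conf only exist once br_netfilter is loaded, so
# load it before applying; otherwise sysctl --system logs "No such file or
# directory" for those keys and they stay unset until the next boot.
modprobe br_netfilter
sysctl --system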

文件最大打开数

# Raise process and open-file limits for login sessions.
# NOTE(review): limits.d is read by pam_limits, i.e. it applies to PAM login
# sessions; services started by systemd (kubelet, docker) take their limits
# from DefaultLimit* in /etc/systemd/system.conf, which is set further below.
tee -- /etc/security/limits.d/k8s.conf <<'EOF'
*       soft    nproc   1048576
*       hard    nproc   1048576
*       soft    nofile  1048576
*       hard    nofile  1048576
root    soft    nproc   1048576
root    hard    nproc   1048576
root    soft    nofile  1048576
root    hard    nofile  1048576
EOF

优化日志处理,减少磁盘IO

# Comment out rsyslog's journal input (both the module load and its state
# file). Both edits go through one sed invocation; the result is the same as
# two separate passes.
# NOTE(review): with imjournal off, rsyslog only receives journal messages if
# journald forwards them (ForwardToSyslog in journald.conf) - check on one
# node that /var/log/messages still fills, otherwise host logs needed for
# incident investigation stop being written.
sed -ri \
    -e 's/^\$ModLoad imjournal/#&/' \
    -e 's/^\$IMJournalStateFile/#&/' \
    /etc/rsyslog.conf

# Uncomment and set the systemd-wide default limits for services. Only the
# commented stock lines are rewritten; a value that was already set stays as
# it is. Takes effect after systemctl daemon-reexec or a reboot.
# NOTE(review): DefaultLimitCORE enables core dumps for every service; dumps
# of cluster components can contain credentials, so make sure the dump
# location is root-only or core collection is handled deliberately.
sed -ri \
    -e 's/^#(DefaultLimitCORE)=/\1=100000/' \
    -e 's/^#(DefaultLimitNOFILE)=/\1=100000/' \
    /etc/systemd/system.conf

ssh 连接优化

# Turn off reverse-DNS lookups on sshd logins (faster connects, no effect on
# authentication). Only the commented stock line is rewritten; sshd has to be
# restarted for the change to apply.
sed -i -r 's/^#(UseDNS )yes/\1no/' /etc/ssh/sshd_config

禁用 swap

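# Turn swap off now and keep it off across reboots (kubelet refuses to start
# while swap is enabled unless explicitly configured to allow it).
# The fstab edit comments out only lines whose mount-point or type field is
# the literal "swap"; the original pattern commented any line containing the
# word anywhere (e.g. in a device path or an existing comment) and prefixed
# already-commented lines a second time.
swapoff -a
sed -ri '/^[^#].*[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab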