11/19/2017 – 一江春水向东流

etcd 3.1 高可用集群搭建

CentOS 7.4

192.168.61.11 node1
192.168.61.12 node2
192.168.61.13 node3

192.168.61.11 node1

192.168.61.12 node2

192.168.61.13 node3

TLS密钥和证书这里部署的etcd集群使用TLS证书对证书通信进行加密，并开启基于CA根证书签名的双向数字证书认证。下面介绍使用cfssl生成所需要的私钥和证书. centos-mini版本的linux需要安装开发包: yum groupinstall “Development Tools” 安装cfssl cfssl是使用Go语言开发的工具，如果系统中安装了Go，可以使用直接go get安装cfssl: 项目地址:https://github.com/cloudflare/cfssl

go get -u <a class="vglnk" href="http://github.com/cloudflare/cfssl/cmd/" rel="nofollow">github.com/cloudflare/cfssl/cmd/</a>...

1 2	go get -u <a class="vglnk" href="http://github.com/cloudflare/cfssl/cmd/" rel="nofollow">github.com/cloudflare/cfssl/cmd/</a>...

会在$GOPATH/bin下安装cfssl, cfssjosn, mkbundle等工具。 CA证书和私钥创建ca-config.json：

<span class="p">{</span>
  <span class="nt">"signing"</span><span class="p">:</span> <span class="p">{</span>
    <span class="nt">"default"</span><span class="p">:</span> <span class="p">{</span>
      <span class="nt">"expiry"</span><span class="p">:</span> <span class="s2">"87600h"</span>
    <span class="p">},</span>
    <span class="nt">"profiles"</span><span class="p">:</span> <span class="p">{</span>
      <span class="nt">"frognew"</span><span class="p">:</span> <span class="p">{</span>
        <span class="nt">"usages"</span><span class="p">:</span> <span class="p">[</span>
            <span class="s2">"signing"</span><span class="p">,</span>
            <span class="s2">"key encipherment"</span><span class="p">,</span>
            <span class="s2">"server auth"</span><span class="p">,</span>
            <span class="s2">"client auth"</span>
        <span class="p">],</span>
        <span class="nt">"expiry"</span><span class="p">:</span> <span class="s2">"87600h"</span>
      <span class="p">}</span>
    <span class="p">}</span>
  <span class="p">}</span>
<span class="p">}</span>

{

"signing": {

"default": {

"expiry": "87600h"

},

"profiles": {

"frognew": {

"usages": [

"signing",

"key encipherment",

"server auth",

"client auth"

],

"expiry": "87600h"

}

ca-config.json中可以定义多个profile，分别设置不同的expiry和usages等参数。如上面的ca-config.json中定义了名称为frognew的profile，这个profile的expiry 87600h为10年，useages中： signing表示此CA证书可以用于签名其他证书，ca.pem中的CA=TRUE server auth表示TLS Server Authentication client auth表示TLS Client Authentication 创建CA证书签名请求配置ca-csr.json：

<span class="p">{</span>
  <span class="nt">"CN"</span><span class="p">:</span> <span class="s2">"frognew"</span><span class="p">,</span>
  <span class="nt">"key"</span><span class="p">:</span> <span class="p">{</span>
    <span class="nt">"algo"</span><span class="p">:</span> <span class="s2">"rsa"</span><span class="p">,</span>
    <span class="nt">"size"</span><span class="p">:</span> <span class="mi">2048</span>
  <span class="p">},</span>
  <span class="nt">"names"</span><span class="p">:</span> <span class="p">[</span>
    <span class="p">{</span>
      <span class="nt">"C"</span><span class="p">:</span> <span class="s2">"CN"</span><span class="p">,</span>
      <span class="nt">"ST"</span><span class="p">:</span> <span class="s2">"BeiJing"</span><span class="p">,</span>
      <span class="nt">"L"</span><span class="p">:</span> <span class="s2">"BeiJing"</span><span class="p">,</span>
      <span class="nt">"O"</span><span class="p">:</span> <span class="s2">"frognew"</span><span class="p">,</span>
      <span class="nt">"OU"</span><span class="p">:</span> <span class="s2">"cloudnative"</span>
    <span class="p">}</span>
  <span class="p">]</span>
<span class="p">}</span>

{

"CN": "frognew",

"key": {

"algo": "rsa",

"size": 2048

},

"names": [

{

"C": "CN",

"ST": "BeiJing",

"L": "BeiJing",

"O": "frognew",

"OU": "cloudnative"

}

]

}

下面使用cfss生成CA证书和私钥：

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

1 2	cfssl gencert -initca ca-csr.json \| cfssljson -bare ca

ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem

ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem

ca-key.pem和ca.pem需要保存在一个安全的地方，后边会用到。 etcd证书和私钥创建etcd证书签名请求配置etcd-csr.json：

<span class="p">{</span>
    <span class="nt">"CN"</span><span class="p">:</span> <span class="s2">"frognew"</span><span class="p">,</span>
    <span class="nt">"hosts"</span><span class="p">:</span> <span class="p">[</span>
      <span class="s2">"127.0.0.1"</span><span class="p">,</span>
      <span class="s2">"192.168.61.11"</span><span class="p">,</span>
      <span class="s2">"192.168.61.12"</span><span class="p">,</span>
      <span class="s2">"192.168.61.13"</span><span class="p">,</span>
      <span class="s2">"node1"</span><span class="p">,</span>
      <span class="s2">"node2"</span><span class="p">,</span>
      <span class="s2">"node3"</span>
    <span class="p">],</span>
    <span class="nt">"key"</span><span class="p">:</span> <span class="p">{</span>
        <span class="nt">"algo"</span><span class="p">:</span> <span class="s2">"rsa"</span><span class="p">,</span>
        <span class="nt">"size"</span><span class="p">:</span> <span class="mi">2048</span>
    <span class="p">},</span>
    <span class="nt">"names"</span><span class="p">:</span> <span class="p">[</span>
        <span class="p">{</span>
            <span class="nt">"C"</span><span class="p">:</span> <span class="s2">"CN"</span><span class="p">,</span>
            <span class="nt">"ST"</span><span class="p">:</span> <span class="s2">"BeiJing"</span><span class="p">,</span>
            <span class="nt">"L"</span><span class="p">:</span> <span class="s2">"BeiJing"</span><span class="p">,</span>
            <span class="nt">"O"</span><span class="p">:</span> <span class="s2">"frognew"</span><span class="p">,</span>
            <span class="nt">"OU"</span><span class="p">:</span> <span class="s2">"cloudnative"</span>
        <span class="p">}</span>
    <span class="p">]</span>
<span class="p">}</span>

{

"CN": "frognew",

"hosts": [

"127.0.0.1",

"192.168.61.11",

"192.168.61.12",

"192.168.61.13",

"node1",

"node2",

"node3"

],

"key": {

"algo": "rsa",

"size": 2048

},

"names": [

{

"C": "CN",

"ST": "BeiJing",

"L": "BeiJing",

"O": "frognew",

"OU": "cloudnative"

}

]

}

注意上面配置hosts字段中制定授权使用该证书的IP和域名列表，因为现在要生成的证书需要被etcd集群各个节点使用，所以这里指定了各个节点的IP和hostname。下面生成etcd的证书和私钥：

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=frognew etcd-csr.json | cfssljson -bare etcd

ls etcd*
etcd.csr  etcd-csr.json  etcd-key.pem  etcd.pem

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=frognew etcd-csr.json | cfssljson -bare etcd

ls etcd*

etcd.csr etcd-csr.json etcd-key.pem etcd.pem

对生成的证书可以使用cfssl或openssl查看：

cfssl-certinfo -cert etcd.pem

openssl x509  -noout -text -in  etcd.pem

cfssl-certinfo -cert etcd.pem

openssl x509 -noout -text -in etcd.pem

安装etcd 将CA证书ca.pem, etcd秘钥etcd-key.pem, Read more…

By sean, 7 years11/19/2017 ago

未分类

Linux（centos 7.4）下部署Golang运行环境

导读 Go 语言又称为 golang，是由 Google 最初开发的一种开源编程语言，其在设计时就遵循了简单、安全和速度的 3 大原则。Go 语言具有多种调试、测试、分析和代码审查工具，如今 Go 语言和工具已在大多数 Linux 发行版本的源库中进行提供，本文我就来说明如何为 Linux 安装 Go 语言。安装首先查看centos是64位还是32位，显示是64就是64位：

getconf LONG_BIT

1	getconf LONG_BIT

然后下载go-linux-64位源码包，手动wget安装，不推荐yum安装（现在最新版都1.9了，yum仓库最新版本才1.8）。

wget https://www.golangtc.com/static/go/1.9.2/go1.9.2.linux-amd64.tar.gz

1	wget https://www.golangtc.com/static/go/1.9.2/go1.9.2.linux-amd64.tar.gz

解压二进制文件到 /usr/local 目录

sudo tar -xzf go1.8.linux-amd64.tar.gz -C /usr/local

1	sudo tar -xzf go1.8.linux-amd64.tar.gz -C /usr/local

使用 vi 在环境变量配置文件 /etc/profile 中增加如下内容：

vi /etc/profile 或者 vi $HOME/.profile

1	vi /etc/profile 或者 vi $HOME/.profile

进去添加：

# GO PATH
export PATH=$PATH:/usr/local/go/bin

# GO GOPATH
export GOPATH=/home/golang

# GO PATH

export PATH=$PATH:/usr/local/go/bin

# GO GOPATH

export GOPATH=/home/golang

使profile配置立即生效：

source $HOME/.profile

1	source $HOME/.profile

查看Go版本或者环境变量

go version #查看go版本

1	go version #查看go版本

go env #查看go环境变量

1	go env #查看go环境变量

完成。可以看到GOPATH目录为 /home/golang/。

By sean, 7 years11/19/2017 ago

KUBERNETES

k8s集群搭建

我们已经可以很方便的使用kubeadm快速初始化Kubernetes集群，但kubeadm当前还不能用于生产环境，同时kubeadm初始化的集群的Master节点不是高可用的，后端存储etcd也是单点。因此，本文将基于Kubernetes二进制包手动部署一个高可用的Kubernetes 1.6集群，将启用ApiServer的TLS双向认证和RBAC授权等安全机制。通过这个手动部署的过程，我们还可以更加深入理解Kubernetes各组件的交互和运行原理。 1. 环境准备 1.1 系统环境操作系统CentOS 7.3

192.168.61.11 node1
192.168.61.12 node2
192.168.61.13 node3

192.168.61.11 node1

192.168.61.12 node2

192.168.61.13 node3

1.2 安装包下载从这里下载kubernetes二进制安装包：

wget <a href="https://storage.googleapis.com/kubernetes-release-dashpole/release/v1.9.0-alpha.3/kubernetes-server-linux-amd64.tar.gz">https://storage.googleapis.com/kubernetes-release-dashpole/release/v1.9.0-alpha.3/kubernetes-server-linux-amd64.tar.gz</a>

tar -zxvf kubernetes-server-linux-amd64.tar.g

wget <a href="https://storage.googleapis.com/kubernetes-release-dashpole/release/v1.9.0-alpha.3/kubernetes-server-linux-amd64.tar.gz">https://storage.googleapis.com/kubernetes-release-dashpole/release/v1.9.0-alpha.3/kubernetes-server-linux-amd64.tar.gz</a>

tar -zxvf kubernetes-server-linux-amd64.tar.g

1.3 系统配置在各节点创建/etc/sysctl.d/k8s.conf文件，添加如下内容：

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

net.bridge.bridge-nf-call-ip6tables = 1

net.bridge.bridge-nf-call-iptables = 1

执行sysctl -p /etc/sysctl.d/k8s.conf使修改生效。如果报以下错:

[root@k8s-master-dev-1 packages]# sysctl -p /etc/sysctl.d/k8s.conf
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory

[root@k8s-master-dev-1 packages]# sysctl -p /etc/sysctl.d/k8s.conf

sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory

解决办法:

[root@k8s-master-dev-1 ~]# modprobe br_netfilter
[root@k8s-master-dev-1 ~]# ls /proc/sys/net/bridge
[root@k8s-master-dev-1 ~]# sysctl -p /etc/sysctl.d/k8s.conf

[root@k8s-master-dev-1 ~]# modprobe br_netfilter

[root@k8s-master-dev-1 ~]# ls /proc/sys/net/bridge

[root@k8s-master-dev-1 ~]# sysctl -p /etc/sysctl.d/k8s.conf

禁用selinux：

setenforce 0
vi /etc/selinux/config
SELINUX=disabled

setenforce 0

vi /etc/selinux/config

SELINUX=disabled

参考: https://blog.frognew.com/2017/04/install-ha-kubernetes-1.6-cluster.html#13-系统配置

By sean, 7 years11/19/2017 ago

M	T	W	T	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30

November 19, 2017

KUBERNETES

etcd 3.1 高可用集群搭建

未分类

Linux（centos 7.4）下部署Golang运行环境

KUBERNETES

k8s集群搭建