Deploying EFK on Rancher

I. Environment preparation

1. Host preparation
# OS: CentOS 7.6
# Size: 4 vCPU / 16 GB RAM
# Host allocation
10.0.4.11 node1.k8s.cn
10.0.4.8  node2.k8s.cn
10.0.4.4  node3.k8s.cn
2. Host initialization
hostnamectl set-hostname node1.k8s.cn   # node2.k8s.cn / node3.k8s.cn on the other hosts
# Configure hosts
cat >> /etc/hosts << EOF
10.0.4.11 node1.k8s.cn
10.0.4.8  node2.k8s.cn
10.0.4.4  node3.k8s.cn
EOF
# Disable SELinux (takes effect after the reboot at the end of the host tuning step)
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# Stop the host firewall. Disabling SELinux and firewalld is a lab shortcut; on a production host keep both and open only the ports the Rancher/RKE docs list.
systemctl stop firewalld.service && systemctl disable firewalld.service
# Set the system locale
echo 'LANG="en_US.UTF-8"' >> /etc/profile; source /etc/profile
# Set the time zone
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# Add the data disk: the whole device is formatted (no partition table), because fstab below mounts /dev/vdb itself
mkdir -p /data /etc/docker
mkfs.ext4 /dev/vdb
# Persistent mount (if more disks may be attached later, use the UUID= form from blkid instead of the device name, which can change)
vi /etc/fstab
/dev/vdb /data                    ext4    defaults        0 0
mount -a
# Create the directory Docker will use
mkdir -p /data/docker
# Sync the clock; certificates and cluster join tokens are time-sensitive
ntpdate cn.ntp.org.cn
3. Host tuning
Fixing Elasticsearch startup failures: on a production (non-loopback) host ES refuses to start unless its bootstrap checks pass, which need vm.max_map_count >= 262144, open files >= 65535 and processes per user >= 4096.
# Edit /etc/security/limits.conf: raise nofile and nproc for the user Elasticsearch runs as
vi /etc/security/limits.conf
# Edit /etc/sysctl.conf
vi /etc/sysctl.conf
vm.max_map_count = 655360
# Edit /etc/security/limits.d/20-nproc.conf: files in limits.d are applied after limits.conf, so its default "* soft nproc 4096" line must be raised here as well
vi /etc/security/limits.d/20-nproc.conf
# Kernel tuning
cat >> /etc/sysctl.conf<<EOF
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.neigh.default.gc_thresh1=4096
net.ipv4.neigh.default.gc_thresh2=6144
net.ipv4.neigh.default.gc_thresh3=8192
EOF
# Apply the settings
sysctl -p
# If net.bridge.bridge-nf-call-iptables=1 fails, the br_netfilter module is not loaded yet:
modprobe br_netfilter
ls /proc/sys/net/bridge
sysctl -p
# modprobe alone is lost at reboot; list the module in modules-load.d so it is loaded at boot
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
reboot
Note: adjust these to your host environment.
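The tuning above is applied by hand, file by file. The following script is an added example, not code from the original post: it checks the live host against the thresholds Elasticsearch's bootstrap checks enforce and writes the settings (including the bridge and forwarding sysctls from the post) as drop-in files that survive a reboot. The file names under /etc/sysctl.d, /etc/security/limits.d and /etc/modules-load.d are my choice.

```shell
#!/bin/sh
# Added example (not from the original post): verify and persist the host settings
# Elasticsearch needs. Drop-in file names under /etc are assumptions.

ES_MIN_MAX_MAP_COUNT=262144   # vm.max_map_count
ES_MIN_NOFILE=65535           # open file descriptors per process
ES_MIN_NPROC=4096             # threads/processes per user

# num_or_max <ulimit value>: ulimit prints "unlimited" when there is no cap; map it to a large number
num_or_max() { case $1 in unlimited) echo 2147483647 ;; *) echo "$1" ;; esac; }

# check_es_prereqs <vm.max_map_count> <nofile> <nproc>: return 0 if every threshold is met,
# otherwise print each failing value and return 1
check_es_prereqs() {
    rc=0
    [ "$1" -ge "$ES_MIN_MAX_MAP_COUNT" ] || { echo "vm.max_map_count=$1 < $ES_MIN_MAX_MAP_COUNT"; rc=1; }
    [ "$2" -ge "$ES_MIN_NOFILE" ] || { echo "nofile=$2 < $ES_MIN_NOFILE"; rc=1; }
    [ "$3" -ge "$ES_MIN_NPROC" ] || { echo "nproc=$3 < $ES_MIN_NPROC"; rc=1; }
    return $rc
}

# write_es_prereqs <root>: write the persistent settings under <root>/etc.
# Use "/" on a real host, then run `sysctl --system` and log in again for the limits.
write_es_prereqs() {
    root=${1%/}
    mkdir -p "$root/etc/sysctl.d" "$root/etc/security/limits.d" "$root/etc/modules-load.d"
    # a sysctl.d file instead of appending to /etc/sysctl.conf: re-running never duplicates lines
    cat > "$root/etc/sysctl.d/99-elasticsearch.conf" <<EOF
vm.max_map_count = 655360
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 6144
net.ipv4.neigh.default.gc_thresh3 = 8192
EOF
    # limits.d files apply in name order, so 99- overrides the "* soft nproc 4096" in 20-nproc.conf
    cat > "$root/etc/security/limits.d/99-elasticsearch.conf" <<EOF
* soft nofile $ES_MIN_NOFILE
* hard nofile $ES_MIN_NOFILE
* soft nproc $ES_MIN_NPROC
* hard nproc $ES_MIN_NPROC
* soft memlock unlimited
* hard memlock unlimited
EOF
    # the bridge sysctl only exists once br_netfilter is loaded; modprobe alone is lost at reboot
    echo br_netfilter > "$root/etc/modules-load.d/br_netfilter.conf"
}

# Check the current host with live values; nothing is written unless you call write_es_prereqs /
if check_es_prereqs "$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)" \
                    "$(num_or_max "$(ulimit -n)")" \
                    "$(num_or_max "$(ulimit -u 2>/dev/null || echo unlimited)")"; then
    echo "host meets the Elasticsearch bootstrap thresholds"
else
    echo "fix: write_es_prereqs / && sysctl --system && modprobe br_netfilter, then log in again"
fi
```

The check uses the bootstrap-check minimums, while the written sysctl keeps the post's larger 655360 for vm.max_map_count; both are fine, ES only rejects values below the minimum.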

II. Installing Docker

# Install Docker's dependencies and a few utilities
mkdir -p /data/docker
yum install -y yum-utils device-mapper-persistent-data lvm2 iftop
# Add the docker-ce repository
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# List the available versions
yum list docker-ce.x86_64 --showduplicates | sort -r
# Install a pinned Docker version
yum -y install docker-ce-19.03.8-3.el7
# Change how the daemon is started
vi /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd   # keep only this on the ExecStart line
# This edit only matters when the same option is given both as a dockerd flag and in daemon.json (dockerd refuses to start on conflicting settings); data-root and registry-mirrors do not conflict with the stock flags, so it can be skipped.
# Add /etc/docker/daemon.json
vi /etc/docker/daemon.json
{
  "data-root": "/data/docker",
  "registry-mirrors": [
    "https://1nj0zren.mirror.aliyuncs.com",
    "https://docker.mirrors.ustc.edu.cn",
    "http://f1361db2.m.daocloud.io",
    "https://registry.docker-cn.com"
  ]
}
# The fragment above sets Docker's root directory and the pull-through mirrors. One of the mirrors is plain http: image tags are not signed, so a mirror reached over http lets anyone on the network path substitute image content. Keep only https mirrors, or pull by digest.
systemctl daemon-reload
systemctl start docker && systemctl enable docker
docker info
If docker info reports an error about net.bridge.bridge-nf-call-iptables, apply the host tuning steps above.
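As an added example (not from the original post), a script that renders daemon.json from a mirror list, refusing any mirror that is not https, plus a helper that installs it and reads the effective settings back from docker info. The data root and mirror URLs are the post's; the validation is mine.

```shell
#!/bin/sh
# Added example (not from the original post): build /etc/docker/daemon.json with
# only https mirrors, then apply it and confirm what dockerd actually uses.

# render_daemon_json <data_root> <mirror>...: print daemon.json to stdout.
# A plain-http mirror lets anyone on the path substitute image layers (tags are not
# signed), so such entries are dropped with a warning instead of being written.
render_daemon_json() {
    data_root=$1; shift
    printf '{\n  "data-root": "%s",\n  "registry-mirrors": [' "$data_root"
    sep=""
    for m in "$@"; do
        case $m in
            https://*) printf '%s\n    "%s"' "$sep" "$m"; sep="," ;;
            *) echo "skipping insecure mirror: $m" >&2 ;;
        esac
    done
    printf '\n  ]\n}\n'
}

# apply_daemon_json <file>: install it, restart dockerd, and print the effective
# root directory and mirror list so a typo in the file is caught immediately.
apply_daemon_json() {
    install -D -m 0644 "$1" /etc/docker/daemon.json
    systemctl daemon-reload && systemctl restart docker
    docker info --format 'root={{.DockerRootDir}} mirrors={{.RegistryConfig.Mirrors}}'
}

# Demo with the post's mirror list (no Docker needed): the http entry is dropped.
render_daemon_json /data/docker \
    https://1nj0zren.mirror.aliyuncs.com \
    https://docker.mirrors.ustc.edu.cn \
    http://f1361db2.m.daocloud.io \
    https://registry.docker-cn.com
```

To use it on a host: `render_daemon_json /data/docker https://... > /tmp/daemon.json && apply_daemon_json /tmp/daemon.json`.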

III. Installing Rancher

Reference: https://docs.rancher.cn/rancher2x/
# Run the Rancher server (single-node install).
# The original notes mounted "10.0.4.11:/var/lib/rancher/". A -v source that is not a path is a named volume, so Rancher's state would land in a volume literally called "10.0.4.11" instead of on the data disk; mount a host directory instead (here /data/rancher, my choice).
# AUDIT_LEVEL=3 records request and response bodies, which include the tokens and secrets that pass through the API, so keep the audit log directory readable by root only.
docker run -d --restart=unless-stopped \
-p 80:80 -p 443:443 \
-v /data/rancher:/var/lib/rancher/ \
-v /root/var/log/auditlog:/var/log/auditlog \
-e CATTLE_SYSTEM_CATALOG=bundled \
-e AUDIT_LEVEL=3 \
rancher/rancher:v2.3.6
# Pin the tag as above. The same command with rancher/rancher:latest or rancher/rancher:stable also works, but a moving tag turns the next container restart into an unplanned upgrade.

IV. Bringing up the K8S cluster

Create the cluster, then check the health of each cluster component; for anything unhealthy, read the pod logs and fix the issues one at a time.

[screenshot]

If nginx-ingress-controller reports that its port is already in use, the docker-proxy that Docker started for the Rancher container (ports 80 and 443) is holding it on that host; schedule the ingress controller onto a different host.

[screenshot]

If cattle-cluster-agent is unhealthy and its logs show it cannot reach port 443 of the Rancher server, the agent is probably failing to resolve the server's hostname; put the server's IP in the agent's environment variables instead.

[screenshot]

[screenshot]

V. Installing kubectl

# Add the Kubernetes repository
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# Find the kubectl version that matches the Kubernetes version of the cluster
yum list kubectl.x86_64 --showduplicates
# Install kubectl
yum install -y kubectl-1.17.4
mkdir -p /root/.kube
vi /root/.kube/config
# Paste the kubeconfig copied from the cluster dashboard into this file
# It carries a bearer token with your Rancher privileges, so make it readable by root only
chmod 600 /root/.kube/config
Test:
kubectl get nodes
kubectl get ns

VI. Installing EFK

Fixing the [elasticsearch-master] pods:

[screenshots]

Adding user authentication:

# Verify the current state: both requests answer without credentials, i.e. the cluster is wide open. The 10.43.x.x address is the ClusterIP service (10.43.0.0/16 is RKE's default service range); the hostname hits it from outside the cluster.
curl -XGET http://node1.k8s.cn:9200
curl -XGET http://10.43.3.235:9200

# Enable authentication. Security needs TLS on the transport layer, so the PKCS#12 bundle elastic-certificates.p12 (generated with bin/elasticsearch-certutil) must be in the config directory of every node:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
# Generate passwords for the built-in users (run once, on one node, after the cluster is up). They land in pwd.txt in plain text, so restrict the file and move the values into a secret store afterwards:
echo y | /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto >> /usr/share/elasticsearch/pwd.txt
# The same setting passed as a container environment variable; the official image's entrypoint turns env vars that look like settings (a name containing a dot) into -E options:
- name: xpack.security.enabled
  value: "true"
# Append at the end of elasticsearch.yml:
xpack.security.enabled: true
xpack.security.audit.enabled: true
# basic selects the free Basic license instead of the default 30-day trial; from 7.1 on Basic includes TLS, native users and role-based access, which is all this setup needs
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true

Note: these settings encrypt only node-to-node transport. The HTTP port 9200 that the curl checks above reach still speaks plain HTTP, so the basic-auth credentials cross the network in clear. Enable xpack.security.http.ssl.enabled with the same keystore, or keep 9200 off any NodePort or ingress, before exposing it.
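The steps above leave the generated passwords in pwd.txt on a node and only encrypt the transport port. The script below is an added example, not code from the original post or from Elastic: it parses the setup-passwords output, stores the elastic password in a Kubernetes Secret, builds the certificate bundle as a second Secret, and renders Helm values for the elastic/elasticsearch 7.x chart that mount that bundle and enable TLS on both transport and HTTP. The namespace "logging" and the two Secret names are assumptions; the chart keys (protocol, esConfig, extraEnvs, secretMounts) and the certutil flags are the real ones.

```shell
#!/bin/sh
# Added example, not from the original post: secrets and Helm values for a
# TLS-enabled elastic/elasticsearch deployment. Namespace and Secret names are assumed.

# es_password_for <user> <file>: print one user's password from setup-passwords output,
# whose lines look like "PASSWORD elastic = <value>". Fails if the user is absent.
es_password_for() {
    pw=$(awk -v u="$1" '$1 == "PASSWORD" && $2 == u { print $4; exit }' "$2")
    [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# es_http_status <url> [user pass]: HTTP status Elasticsearch returns for GET /.
# With security on, the anonymous call must give 401 and the authenticated one 200.
# -k accepts the self-signed certutil certificate; use --cacert with the CA's PEM in production.
es_http_status() {
    if [ $# -ge 3 ]; then
        curl -sk -o /dev/null -w '%{http_code}' -u "$2:$3" "$1"
    else
        curl -sk -o /dev/null -w '%{http_code}' "$1"
    fi
}

# es_make_cert_secret <namespace>: build the PKCS#12 bundle with Elastic's bundled tool
# (run inside an Elasticsearch 7.x container) and store it as the Secret secretMounts uses.
es_make_cert_secret() {
    /usr/share/elasticsearch/bin/elasticsearch-certutil ca --out elastic-stack-ca.p12 --pass ""
    /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 \
        --ca-pass "" --out elastic-certificates.p12 --pass ""
    kubectl -n "$1" create secret generic elastic-certificates --from-file=elastic-certificates.p12
}

# es_store_credentials <namespace> <password>: put the elastic password into a Secret.
# The image entrypoint uses ELASTIC_PASSWORD as bootstrap.password on a node's first start,
# and the chart's readiness probe authenticates with it, so it must equal the live password.
es_store_credentials() {
    kubectl -n "$1" delete secret elastic-credentials --ignore-not-found
    kubectl -n "$1" create secret generic elastic-credentials \
        --from-literal=username=elastic --from-literal=password="$2"
}

# es_helm_values: values for elastic/elasticsearch with TLS on transport and HTTP.
es_helm_values() {
    cat <<'EOF'
protocol: https
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.audit.enabled: true
    xpack.license.self_generated.type: basic
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
EOF
}

# Offline demo on a constructed setup-passwords transcript (no cluster needed).
demo=$(mktemp)
cat > "$demo" <<'EOF'
Changed password for user apm_system
PASSWORD apm_system = 7kQ2mYxA0uVb9sLc

Changed password for user kibana
PASSWORD kibana = Zr4pL8wN3tHq6vBd

Changed password for user elastic
PASSWORD elastic = Xc9dR2fG5hJk7mNp
EOF
es_password_for elastic "$demo"                  # Xc9dR2fG5hJk7mNp
es_helm_values | grep -c 'ssl.enabled: true'     # 2 (transport and http)
rm -f "$demo"
```

Order of operations: `es_make_cert_secret logging` from inside an ES container, `es_store_credentials logging "$(openssl rand -base64 24)"` (the Secret must exist before the pods start, and this value becomes the bootstrap password for elastic), then `helm install` with `es_helm_values > values.yaml`. If you then follow the post and run setup-passwords auto, it replaces that password: re-run `es_store_credentials logging "$(es_password_for elastic /usr/share/elasticsearch/pwd.txt)"`, destroy pwd.txt with `shred -u`, and `kubectl -n logging rollout restart statefulset elasticsearch-master` so the readiness probe picks up the new value. Verify with `es_http_status https://node1.k8s.cn:9200` (expect 401) and the same call with the elastic credentials (expect 200).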

VII. Data persistence

# Environment variables on the elasticsearch-master pods as the elastic/elasticsearch chart sets them: three master-eligible nodes that also hold data and ingest, discovery through the headless service, 1 GB heap
ES_JAVA_OPTS=-Xmx1g -Xms1g
cluster.initial_master_nodes=elasticsearch-master-0,elasticsearch-master-1,elasticsearch-master-2,
cluster.name=elasticsearch
discovery.seed_hosts=elasticsearch-master-headless
network.host=0.0.0.0
node.data=true
node.ingest=true
node.master=true

# Jenkins: point the update center at a mirror (not part of the EFK setup)
cat > /var/jenkins_home/hudson.model.UpdateCenter.xml <<EOF
<?xml version='1.0' encoding='UTF-8'?>
<sites>
  <site>
    <id>default</id>
    <url>http://mirror.xmission.com/jenkins/updates/update-center.json</url>
  </site>
</sites>
EOF

# Harbor: certificate signing request for the registry's TLS certificate (harbor.key must already exist; not part of the EFK setup)
openssl req -sha512 -new \
    -subj "/C=CN/ST=JS/L=WX/O=zwx/OU=jhmy/CN=hub.devop.com" \
    -key harbor.key \
    -out harbor.csr
Posted 2020-05-22 13:16 by OldPilot