安装git

# Install git (Debian/Ubuntu package); -y answers the confirmation prompt non-interactively.
apt-get install -y git

下载源码

# Fetch the shadowsocks fork (branch "manyuser") and the moeSS web front-end.
# NOTE(review): both clones track a branch head rather than a pinned tag/commit, so what gets
# deployed can change between runs; record the commit that was actually tested.
git clone -b manyuser https://github.com/mengskysama/shadowsocks.git
git clone https://github.com/wzxjohn/moeSS.git

配置LAMP环境

http2.4
php5.4+
mysql5.6

# Install the Apache httpd web server
apt-get install -y apache2

# Start on boot
systemctl enable apache2
# Start the service now
systemctl start apache2

# Enable mod_rewrite, then restart so the module is loaded
a2enmod rewrite
systemctl restart apache2

修改配置文件

# Edit the main Apache config. The two lines below describe what to change in that file;
# they are not commands to run.
vim /etc/apache2/apache2.conf
/var/www/html/ # This path is the document root, where the web server serves pages from.
# NOTE(review): AllowOverride All lets any .htaccess file under the document root change
# server configuration; scope it to the <Directory> that actually needs rewrite rules — confirm.
AllowOverride All # Allow all overrides so .htaccess rewrite rules take effect.

安装mysql数据库

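# Install MySQL server (Debian/Ubuntu)
apt-get install -y mysql-server

# Start on boot and start now
systemctl enable mysql
systemctl start mysql

# Create the "shadowsocks" database. The SQL statement has to be run through the mysql
# client, not typed at the shell prompt; -e runs one statement and exits, -p prompts for the
# root password instead of taking it from argv (where it would be visible in `ps`).
mysql -uroot -p -e 'create database shadowsocks;'
# Import the schema into the new database (shadowsocks.sql is expected in the current directory).
mysql -uroot -p shadowsocks <shadowsocks.sql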

安装php和php插件

# Install PHP 5 with the Apache module and a broad set of extensions.
# NOTE(review): this is the PHP 5 package set (php5-*); it only resolves on distribution
# releases that still ship PHP 5 — confirm against the target release.
apt-get -y install php5 libapache2-mod-php5 php5-mysql php5-mysqlnd php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

# Restart the web server so the PHP module is loaded
systemctl restart apache2

安装shadowsocks 插件

# Install pip and M2Crypto (Python 2 packages via apt)
apt-get install -y python-pip python-m2crypto

# Python MySQL driver used by the server
pip install cymysql

# Run the shadowsocks server in the background, detached from the terminal.
# NOTE(review): it runs as whoever executes this (root, given the apt-get calls above) and
# survives only via nohup — a systemd unit with a dedicated unprivileged user would give
# restarts, logging and least privilege; confirm before relying on this in production.
cd shadowsocks
nohup python server.py &

distribute_crawler项目实战
distribute_crawler

Python编译依赖

# Build dependencies for compiling CPython under pyenv (zlib, OpenSSL, bz2, readline, sqlite)
apt-get install -y zlib1g-dev libssl-dev libbz2-dev libreadline-dev libsqlite3-dev

配置 pyenv

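# Install pyenv from git and hook it into the login shell.
# NOTE(review): the clone tracks the branch head (unpinned); pin a tag if reproducibility matters.
git clone https://github.com/pyenv/pyenv.git ~/.pyenv

# Append the pyenv initialisation to ~/.bash_profile exactly once. A quoted heredoc keeps
# the text literal (no expansion at write time, unlike three separate echo calls, one of
# which relied on the non-portable `echo -e`), and the grep guard stops the block from being
# appended again every time this step is re-run.
if ! grep -q 'PYENV_ROOT' ~/.bash_profile 2>/dev/null; then
  cat >> ~/.bash_profile <<'EOF'
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
if command -v pyenv 1>/dev/null 2>&1; then
 eval "$(pyenv init -)"
fi
EOF
fi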
# Build CPython 3.6.3 and make it the global interpreter for this user
pyenv install 3.6.3
pyenv global 3.6.3

更改pypi源

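# Create the per-user pip config directory and point pip at a mirror.
# -p makes this re-runnable: a plain `mkdir` fails when ~/.pip already exists, the `&&`
# chain then skips the cd, and pip.conf is written into whatever the current directory is.
mkdir -p ~/.pip && cd ~/.pip || exit 1

# Quoted delimiter: the content is written literally, nothing is expanded.
# NOTE(review): index-url switches package resolution to a third-party mirror; it is served
# over HTTPS, but the mirror operator is now part of the supply chain for every install.
cat >pip.conf<<'EOF'
[global]
index-url = https://pypi.douban.com/simple
EOF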
# Install pipenv into the pyenv-managed interpreter selected above
pip install pipenv
# Enter the crawler project and install its Pipfile dependencies
cd project
pipenv install
# NOTE(review): this `pip install` goes to whatever pip is first on PATH, not necessarily the
# pipenv-managed virtualenv, and the packages are not recorded in the Pipfile;
# `pipenv install scrapy redis pymongo` would do both — confirm intent.
pip install scrapy redis pymongo
# Redis server from the distribution repository
apt-get install -y redis-server
# Import the MongoDB package-signing key, requested by its full fingerprint.
# NOTE(review): hkp:// on port 80 is a cleartext keyserver connection. Asking for the full
# 40-hex fingerprint limits what a man-in-the-middle could substitute, but `apt-key adv` is
# deprecated on current Debian/Ubuntu — prefer fetching the key over HTTPS into a keyring file.
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6

# Add the MongoDB 3.4 repository for Ubuntu xenial (the rest of this section runs as root
# without sudo, so the `sudo tee` is only needed when run from an unprivileged account).
echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list

apt-get update

apt-get install -y mongodb-org

# Start on boot and start now
systemctl enable mongod

systemctl start mongod
# Apache + mod_wsgi plus the Python libraries Graphite needs
apt-get install -y apache2 libapache2-mod-wsgi \
python-twisted python-cairo python-django-tagging

# Graphite stack from PyPI.
# NOTE(review): Django 1.5.2 is a very old, end-of-life release — confirm the pin is
# deliberate (graphite-web compatibility) rather than copied from an older guide.
pip install Django==1.5.2 tagging carbon whisper graphite-web parse_lookup

Docker 配置

Docker

安装

# Step 1: install the helper tools (yum-utils for yum-config-manager, devicemapper/lvm2 for
# the storage driver, firewalld)
sudo yum install -y yum-utils device-mapper-persistent-data lvm2 firewalld
# Step 2: add the Docker CE repository (Aliyun mirror).
# NOTE(review): the .repo file is fetched over plain http; packages are only GPG-verified if
# that file sets gpgcheck=1 — check it after download.
sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3: refresh metadata and install Docker CE
sudo yum makecache fast
sudo yum -y install docker-ce
# Step 4: start the Docker service
sudo service docker start

# Note: to install a specific version instead
# Step 1: list the available Docker CE versions:
# yum list docker-ce.x86_64 --showduplicates | sort -r
# Loading mirror speeds from cached hostfile
# Loaded plugins: branch, fastestmirror, langpacks
# docker-ce.x86_64 17.03.1.ce-1.el7.centos docker-ce-stable
# docker-ce.x86_64 17.03.1.ce-1.el7.centos @docker-ce-stable
# docker-ce.x86_64 17.03.0.ce-1.el7.centos docker-ce-stable
# Available Packages
# Step 2: install the chosen version (VERSION, e.g. 17.03.0.ce.1-1.el7.centos from the list above)
# sudo yum -y install docker-ce-[VERSION]
# Enable Docker at boot, start it, and show its status
systemctl enable docker.service
systemctl start docker.service
systemctl status docker.service

配置镜像加速器

Docker CE 镜像源站-阿里云

/etc/docker/daemon.json

{
"registry-mirrors": ["https://mqxz7mjm.mirror.aliyuncs.com"]
}
# Restart the daemon so the registry-mirrors setting in daemon.json takes effect
systemctl restart docker

安装docker-compose

下载 docker-compose releases

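# Install docker-compose 1.23.2 from the GitHub release for this OS/arch.
# `-f` makes curl fail on an HTTP error instead of saving the error page as the binary;
# the download goes to a temporary file first so a partial or failed download never sits on
# PATH as an executable; $(...) replaces the backticks.
tmp=$(mktemp) || exit 1
curl -fsSL "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o "$tmp" || exit 1
# NOTE(review): compare the download against the checksum published with the release before
# installing (value not on this page; take it from the release assets).
chmod 0755 "$tmp"
mv "$tmp" /usr/local/bin/docker-compose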

bash/zsh 补全命令

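# Bash completion for docker-compose, matching the installed 1.23.2 release.
# `-f` makes curl fail on an HTTP error instead of writing the error page into the completion file.
curl -fsSL https://raw.githubusercontent.com/docker/compose/1.23.2/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose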

查看版本

# Confirm the installed docker-compose runs and print its version
docker-compose version

常用操作

下载一个标签下的所有镜像

# -a pulls every tag of the repository, not just :latest (large download)
docker image pull -a ubuntu

下载所有 ubuntu 镜像。

查看日志位置

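# Print the host path of a container's JSON log file.
# `docker inspect` needs the container as an argument; it is taken from $container, and
# ":?" aborts with a message when that variable is unset or empty.
docker inspect --format='{{.LogPath}}' "${container:?container name or id}"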

查看正在运行的容器是通过什么命令启动的

# --no-trunc shows the full COMMAND column (the command each container was started with)
docker ps -a --no-trunc

收集性能数据

Collect Docker metrics with Prometheus | Docker Documentation

/etc/docker/daemon.json

{
"metrics-addr" : "127.0.0.1:9323",
"experimental" : true
}

macOS Docker-Desktop

Getting a Shell in the Docker for Mac Moby VM

启动终端,不太好使,字符容易乱。

# Attach to the Docker Desktop VM's serial console (the author notes the terminal often
# garbles characters this way)
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty

启动终端

# Get a shell on the Moby VM: --privileged plus --pid=host lets nsenter1 enter the VM's
# namespaces from a container. Anyone who can run this has full control of the VM and every
# container on it — keep it to local debugging on the developer's own machine.
docker run -it --rm --privileged --pid=host justincormack/nsenter1

参考

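# Install the deployment stack into the pipenv-managed virtualenv
pipenv install

pipenv install uwsgi

pipenv install django

pipenv install gunicorn

# Versions the author used, kept as comments (as bare lines the shell would try to execute
# them as commands). Check with `pip show`.
# django 2.0.4
pip show django

# uwsgi 2.0.17
pip show uwsgi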

# Create the "teacher" Django project skeleton in the current directory
django-admin startproject teacher

使用的

# Directory for the uwsgi ini, pid file, socket and log used below
mkdir -p /data/uwsgi/

# Create the uwsgi ini for the "teacher" project; the [uwsgi] section below is its content
vim /data/uwsgi/teacher.ini

[uwsgi]
# Project directory
chdir=/root/py3/teacher
# The project's WSGI application
module=teacher.wsgi:application
# Number of worker processes
workers=2
pidfile = /data/uwsgi/uwsgi_teacher.pid
# HTTP listen address:port
http=127.0.0.1:8001
# Static file mapping (disabled)
# static-map=/root/py3/teacher/static
# User and group uwsgi runs as.
# NOTE(review): root means every worker handles requests as root; the later example on this
# page uses uid=nobody/gid=nobody, which is the safer choice for an application server.
uid=root
gid=root
# Enable the master process
master=true
# Remove the unix socket and pid file when the service stops
vacuum=true
# Serialize accept() where possible
thunder-lock=true
# Enable threads
enable-threads=true
# Kill a request that runs longer than this many seconds
harakiri=30
# Post-request buffering size
post-buffering=4096
# Daemonize and write the log to this file
daemonize=/data/uwsgi/teacher.log
# Unix socket path
socket=/data/uwsgi/teacher.sock
unix:/data/uwsgi.sock;

启动

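# Start uwsgi from the ini file
uwsgi --ini /data/uwsgi/teacher.ini

# Stop uwsgi. The ini above sets pidfile=/data/uwsgi/uwsgi_teacher.pid, so that is the file
# to pass to --stop and --reload (a bare "uwsgi.pid" is never written by this config).
uwsgi --stop /data/uwsgi/uwsgi_teacher.pid
# Fallback: send SIGINT to every uwsgi process started from this virtualenv
killall -s INT /root/.virtualenv/py3-xzcW3AwM/bin/uwsgi

# Reload the configuration (graceful restart)
uwsgi --reload /data/uwsgi/uwsgi_teacher.pid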

nginx配置

# Route the Django app through uwsgi
location /django/ { # this location plays the role of Django's url(r'^admin/', admin.site.urls)
include uwsgi_params; # parameters the nginx uwsgi module uses to talk to uWSGI
uwsgi_connect_timeout 30; # timeout (seconds) for connecting to uWSGI
# uwsgi socket path: every dynamic request is handed to it.
# NOTE(review): this path differs from the socket= value in teacher.ini above
# (/data/uwsgi/teacher.sock); nginx and uwsgi must point at the same socket.
uwsgi_pass unix:/opt/project_teacher/script/uwsgi.sock;
}

# Static files served directly by nginx
location /static/ {
alias /opt/project_teacher/teacher/static/;
index index.html index.htm;
}


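# Multi-site uwsgi example. ini has no `//` comment syntax, so the `// ...` trailers that
# followed several values were part of the value (e.g. "true //..."); they are now `#` lines.
[uwsgi]
socket = 127.0.0.1:9090
# master process
master = true
# virtual-host mode
vhost = true
# in vhost mode, do not set a default entry module/file
no-site = true
# number of worker processes
workers = 2
reload-mercy = 10
# clean up socket/pid files on exit or restart
vacuum = true
max-requests = 1000
limit-as = 512
buffer-size = 30000
# pid file, used by the start/stop commands elsewhere on this page
pidfile = /var/run/uwsgi9090.pid
daemonize = /data/log/uwsgi9090.log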
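[uwsgi]
chdir=/root/py3/teacher
module=teacher.wsgi:application
master=True
pidfile=/var/run/uwsgi9090.pid
vacuum=True
max-requests=5000
# log file; the ".logi" spelling in the original would have created a differently named file
daemonize=/data/log/uwsgi9090.log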
[uwsgi]
# Project directory
chdir=/root/py3/teacher
# Run workers as an unprivileged user/group
uid=nobody
gid=nobody
# WSGI application
module=teacher.wsgi:application
# Unix socket; matches the `unix:/data/uwsgi.sock` upstream shown earlier on this page
socket=/data/uwsgi.sock
master=true
workers=5
pidfile=/data/uwsgi.pid
# Remove socket and pid file on shutdown
vacuum=true
thunder-lock=true
enable-threads=true
# Request timeout in seconds
harakiri=30
post-buffering=4096
daemonize=/data/uwsgi.log

django静态文件收集

​ 1.setting.py设置

# Production settings: DEBUG off, and collect static files into <BASE_DIR>/statics
# (os and BASE_DIR come from the surrounding settings.py)
DEBUG = False
STATIC_ROOT = os.path.join(BASE_DIR, 'statics')

​ 2. 执行collectstatic命令:

# Copy every app's static files into STATIC_ROOT so nginx can serve them directly
python manage.py collectstatic

好处:django把静态文件拷贝到你设置的statics目录下(这样可以更方便的和nignx集成,权限管理也更方便)

参考

Linux之Ubuntu下Django+uWSGI+nginx部署

Django + Uwsgi + Nginx 的生产环境部署

如何配置nginx+uwsgi+django?

Kubernetes安装配置

Kubernetes Handbook

Kubernetes 最佳实践

手动档搭建 Kubernetes HA 集群

集群详情

  • OS:CentOS Linux release 7.4.1708 (Core) 3.10.0-693.21.1.el7.x86_64
  • Kubernetes 1.10.0
  • Docker 1.13.1(使用yum安装)
  • Etcd 3.2.18
  • Flannel 0.10.0 vxlan或者host-gw 网络
  • TLS 认证通信 (所有组件,如 etcd、kubernetes master 和 node)
  • RBAC 授权
  • kubelet TLS BootStrapping
  • kubedns、dashboard、heapster(influxdb、grafana)、EFK(elasticsearch、fluentd、kibana) 集群插件
  • VMware Harbor 1.4.0 (私有docker镜像仓库,harbor提供离线安装包,直接使用docker-compose启动即可)

Kubernetes v1.10.0

flannel v0.10.0

etcd v3.2.18

VMware Harbor v1.4.0

环境说明

在下面的步骤中,我们将在三台CentOS系统的物理机上部署具有三个节点的kubernetes1.6.0集群。

角色分配如下:

Master:10.8.8.8

Node:10.8.8.8、10.8.8.10、10.8.8.11

注意:10.8.8.8这台主机master和node复用。所有生成证书、执行kubectl命令的操作都在这台节点上执行。一旦node加入到kubernetes集群之后就不需要再登陆node节点了。

安装

安装前的准备

  • 1.关闭所有节点的SELinux
    修改/etc/selinux/config文件中设置SELINUX=disabled ,然后重启服务器。
    使用命令setenforce 0

  • 2.在node节点上安装docker yum -y install docker

  • 3.准备harbor私有镜像仓库

参考:https://github.com/vmware/harbor

docker

1.生成证书

2.下载安装文件

# Working directory for the downloaded release artifacts
mkdir /root/k8s
cd /root/k8s

# NOTE(review): none of these downloads is verified. The Kubernetes, etcd and flannel
# release pages publish checksums for these archives — compare before unpacking
# (values not on this page).
wget https://dl.k8s.io/v1.10.0/kubernetes-server-linux-amd64.tar.gz

wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz

wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz

master 10.8.8.8

# Put /usr/local/bin first on PATH (the author adds this line to ~/.bashrc)
vim ~/.bashrc
export PATH=/usr/local/bin:$PATH

# kubernetes: unpack the server tarball and install the control-plane binaries plus kubectl
tar -xzvf kubernetes-server-linux-amd64.tar.gz
cp -r kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl} /usr/local/bin/
# Unpack the source tree shipped inside the server tarball (used for manifests/add-ons)
tar -xzf  kubernetes/kubernetes-src.tar.gz

node 10.8.8.10 10.8.8.11

# Same PATH change on the node hosts
vim ~/.bashrc
export PATH=/usr/local/bin:$PATH

# Unsure whether nodes need kubectl; not copying it to the node hosts for now
cp -r kubernetes/server/bin/{kube-proxy,kubelet} /usr/local/bin/

master和node

# etcd: install etcd and etcdctl
tar -xzvf etcd-*-linux-amd64.tar.gz
mv etcd-*-linux-amd64/etcd* /usr/local/bin

# flanneld: the flannel archive unpacks into the current directory
tar -xzvf flannel-*-linux-amd64.tar.gz
mv flanneld mk-docker-opts.sh /usr/local/bin

3.创建 kubeconfig 文件

1.创建 TLS Bootstrapping Token

Token auth file

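# Generate the TLS bootstrap token and write the static token file the apiserver reads
# (--token-auth-file=/etc/kubernetes/token.csv in the apiserver config further down).
cd /etc/kubernetes/ || exit 1

# 16 random bytes rendered as hex. This is a bearer credential for the kubelet-bootstrap
# user; assignment and export are split so a failing pipeline is not masked by `export`.
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
export BOOTSTRAP_TOKEN

# Format: token,user,uid,"group"
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
# The file holds a usable credential: keep it readable by root only
chmod 600 token.csv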

2.创建 kubelet bootstrapping kubeconfig 文件

# Build bootstrap.kubeconfig: the kubelet uses it (with the bootstrap token) to request its
# own client certificate from the apiserver.
export KUBE_APISERVER="https://10.8.8.8:6443"

# Cluster parameters; --embed-certs copies the CA into the kubeconfig so it is self-contained
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig

# Client credentials: the bootstrap token generated above (BOOTSTRAP_TOKEN must still be set)
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=bootstrap.kubeconfig

# Context
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig

# Default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

3.创建 kube-proxy kubeconfig 文件

# Build kube-proxy.kubeconfig with the kube-proxy client certificate
export KUBE_APISERVER="https://10.8.8.8:6443"

# Cluster parameters
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig
# Client credentials: certificate + key are embedded, so this file is itself a secret
kubectl config set-credentials kube-proxy \
--client-certificate=/etc/kubernetes/ssl/kube-proxy.pem \
--client-key=/etc/kubernetes/ssl/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
# Context
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
# Default context
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

4.分发 kubeconfig 文件

将两个 kubeconfig 文件分发到所有 Node 机器的 /etc/kubernetes/ 目录

# Place both kubeconfigs under /etc/kubernetes/ (the prose above says to do this on every
# node; both files contain credentials, so copy them over an authenticated channel)
cp bootstrap.kubeconfig kube-proxy.kubeconfig /etc/kubernetes/

5.创建 kubectl kubeconfig 文件

# Build the admin kubeconfig. No --kubeconfig is given, so this writes ~/.kube/config;
# the note below explains that admin.pem carries system:masters (cluster-admin).
export KUBE_APISERVER="https://10.8.8.8:6443"

# Cluster parameters
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER}
# Client credentials (admin certificate + key, embedded)
kubectl config set-credentials admin \
--client-certificate=/etc/kubernetes/ssl/admin.pem \
--embed-certs=true \
--client-key=/etc/kubernetes/ssl/admin-key.pem
# Context
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin
# Default context
kubectl config use-context kubernetes

注意:生成的 kubeconfig 被保存到 ~/.kube/config 文件;~/.kube/config文件拥有对该集群的最高权限,请妥善保管。
admin.pem 证书 OU 字段值为 system:masters,kube-apiserver 预定义的 RoleBinding cluster-admin 将 Group system:masters 与 Role cluster-admin 绑定,该 Role 授予了调用kube-apiserver 相关 API 的权限;

4.创建高可用 etcd 集群

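# Config and data directories for etcd; -p makes the step idempotent (a plain mkdir of
# /etc/etcd fails on a second run and the && chain then skips the data directory)
mkdir -p /etc/etcd /var/lib/etcd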

1.环境变量配置文件/etc/etcd/etcd.conf

这是10.8.8.8节点的配置,其他两个etcd节点只要将上面的IP地址改成相应节点的IP地址即可。ETCD_NAME换成对应节点的infra1/2/3

# etcd member configuration for 10.8.8.8 (infra1). For the other two members change
# ETCD_NAME and every 10.8.8.8 to that member's address, as the prose above says.
# NOTE(review): explicit cert/key files are set together with ETCD_AUTO_TLS and
# ETCD_PEER_AUTO_TLS; presumably the explicit files take precedence — confirm for the etcd
# version in use, since auto-TLS would mean self-signed certs that the CA checks reject.
cat >/etc/etcd/etcd.conf<<EOF
# [member]
ETCD_NAME=infra1
ETCD_DATA_DIR="/var/lib/etcd"
ETCD_LISTEN_PEER_URLS="https://10.8.8.8:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.8.8.8:2379"

#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.8.8.8:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://10.8.8.8:2379"

# [security]
ETCD_CERT_FILE="/etc/kubernetes/ssl/kubernetes.pem"
ETCD_KEY_FILE="/etc/kubernetes/ssl/kubernetes-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/kubernetes/ssl/kubernetes.pem"
ETCD_PEER_KEY_FILE="/etc/kubernetes/ssl/kubernetes-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
ETCD_PEER_AUTO_TLS="true"
EOF

2.创建 etcd 的 systemd unit 文件 etcd.service

# Create the etcd unit; the [Unit]/[Service]/[Install] sections below are its content
vim /usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
# "-" prefix: do not fail if the file is missing
EnvironmentFile=-/etc/etcd/etcd.conf
# Cluster membership is hard-coded in --initial-cluster; everything else comes from etcd.conf.
# NOTE(review): --listen-client-urls also adds http://127.0.0.1:2379, a plaintext endpoint
# without client-certificate auth — any local process on the host can read and write cluster
# state through it. Keep it only if local tooling (etcdctl without --endpoints) needs it.
ExecStart=/usr/local/bin/etcd \
--name ${ETCD_NAME} \
--cert-file=/etc/kubernetes/ssl/kubernetes.pem \
--key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
--peer-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
--peer-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
--trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
--peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
--initial-advertise-peer-urls ${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--listen-peer-urls ${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls ${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls ${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-cluster-token ${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster infra1=https://10.8.8.8:2380,infra2=https://10.8.8.10:2380,infra3=https://10.8.8.11:2380 \
--initial-cluster-state new \
--data-dir=${ETCD_DATA_DIR}
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

3.启动 etcd 服务

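# Reload unit files (daemon-reload is a systemctl verb, not a unit; the original
# "daemon-reload.service" is rejected), then enable, start and show etcd
systemctl daemon-reload
systemctl enable etcd.service
systemctl start etcd.service
systemctl status etcd.service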

4.验证服务

# Check cluster membership/health with the client certificate.
# NOTE(review): no --endpoints is given, so etcdctl presumably uses its default
# http://127.0.0.1:2379 (the plaintext loopback listener in etcd.service) and the TLS flags
# only matter once an https endpoint is passed — confirm.
etcdctl \
--ca-file=/etc/kubernetes/ssl/ca.pem \
--cert-file=/etc/kubernetes/ssl/kubernetes.pem \
--key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
cluster-health

5.部署master节点

config

/etc/kubernetes/config

# Shared settings sourced by every Kubernetes unit on this host.
# NOTE(review): KUBE_MASTER points the controller-manager, scheduler and proxy at the
# apiserver's insecure port (http://10.8.8.8:8080). That port performs no authentication or
# authorization, and /etc/kubernetes/apiserver below binds it to 10.8.8.8 rather than
# loopback, so anyone who can reach 10.8.8.8:8080 has full API access. Bind it to
# 127.0.0.1 (or use the secure port with a kubeconfig) instead.
# --allow-privileged=true lets pods request privileged containers; restrict who may create
# such pods via RBAC/PodSecurityPolicy.
cat >/etc/kubernetes/config<<EOF
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
# kube-apiserver.service
# kube-controller-manager.service
# kube-scheduler.service
# kubelet.service
# kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"

# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"

# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=true"

# How the controller-manager, scheduler, and proxy find the apiserver
#KUBE_MASTER="--master=http://sz-pg-oam-docker-test-001.tendcloud.com:8080"
KUBE_MASTER="--master=http://10.8.8.8:8080"
EOF

/etc/kubernetes/apiserver

# kube-apiserver flags.
# NOTE(review): --insecure-bind-address=10.8.8.8 exposes the unauthenticated, unauthorized
# insecure port on a routable address; set it to 127.0.0.1 so only local clients can use it.
# --service-account-key-file and the controller-manager's signing key below both reuse the
# CA private key (ca-key.pem); a dedicated service-account key pair keeps a leak of the
# token-signing key from also compromising the CA — consider separating them.
cat >/etc/kubernetes/apiserver<<EOF
## kubernetes system config
##
## The following values are used to configure the kube-apiserver
##
#
## The address on the local server to listen to.
KUBE_API_ADDRESS="--advertise-address=10.8.8.8 --bind-address=10.8.8.8 --insecure-bind-address=10.8.8.8"
#
## The port on the local server to listen on.
#KUBE_API_PORT="--port=8080"
#
## Port minions listen on
#KUBELET_PORT="--kubelet-port=10250"
#
## Comma separated list of nodes in the etcd cluster
KUBE_ETCD_SERVERS="--etcd-servers=https://10.8.8.8:2379"
#
## Address range to use for services
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
#
## default admission control policies
KUBE_ADMISSION_CONTROL="--admission-control=ServiceAccount,NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota"
#
## Add your own!
KUBE_API_ARGS="--authorization-mode=RBAC --runtime-config=rbac.authorization.k8s.io/v1beta1 --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/etc/kubernetes/token.csv --service-node-port-range=30000-32767 --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem --client-ca-file=/etc/kubernetes/ssl/ca.pem --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem --etcd-cafile=/etc/kubernetes/ssl/ca.pem --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem --enable-swagger-ui=true --apiserver-count=3 --audit-log-maxage=30 --audit-log-maxbackup=3 --audit-log-maxsize=100 --audit-log-path=/var/lib/audit.log --event-ttl=1h"
EOF

/etc/kubernetes/controller-manager

# kube-controller-manager flags: binds its own HTTP endpoint to loopback only, signs kubelet
# CSRs with the cluster CA and signs service-account tokens with ca-key.pem (see the note on
# the apiserver config above about reusing the CA key for that).
cat >/etc/kubernetes/controller-manager<<EOF
# The following values are used to configure the kubernetes controller-manager

# defaults from config and apiserver should be adequate

# Add your own!
KUBE_CONTROLLER_MANAGER_ARGS="--address=127.0.0.1 --service-cluster-ip-range=10.254.0.0/16 --cluster-name=kubernetes --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem --root-ca-file=/etc/kubernetes/ssl/ca.pem --leader-elect=true"
EOF

/etc/kubernetes/scheduler

# kube-scheduler flags: leader election on, HTTP endpoint on loopback only
cat >/etc/kubernetes/scheduler<<EOF
# kubernetes scheduler config

# default config should be adequate

# Add your own!
KUBE_SCHEDULER_ARGS="--leader-elect=true --address=127.0.0.1"
EOF

service配置文件

创建 kube-apiserver的service配置文件

# Create the kube-apiserver unit; the sections below are its content
vim /usr/lib/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Service
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
# Ordering only; etcd is not pulled in (no Requires/Wants), so it must be enabled separately
After=etcd.service

[Service]
# Flag groups come from the two environment files ("-" = ignore if missing)
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/local/bin/kube-apiserver \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_ETCD_SERVERS \
$KUBE_API_ADDRESS \
$KUBE_API_PORT \
$KUBELET_PORT \
$KUBE_ALLOW_PRIV \
$KUBE_SERVICE_ADDRESSES \
$KUBE_ADMISSION_CONTROL \
$KUBE_API_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

创建 kube-controller-manager的service配置文件

# Create the kube-controller-manager unit; the sections below are its content
vim /usr/lib/systemd/system/kube-controller-manager.service

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
# Shared flags plus the controller-manager-specific ones ("-" = ignore if missing)
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/controller-manager
# $KUBE_MASTER selects the apiserver's insecure port; see the note on /etc/kubernetes/config
ExecStart=/usr/local/bin/kube-controller-manager \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_MASTER \
$KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

创建 kube-scheduler的service配置文件

# Create the kube-scheduler unit; the sections below are its content
vim /usr/lib/systemd/system/kube-scheduler.service

[Unit]
Description=Kubernetes Scheduler Plugin
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
# Shared flags plus the scheduler-specific ones ("-" = ignore if missing)
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/scheduler
# $KUBE_MASTER selects the apiserver's insecure port; see the note on /etc/kubernetes/config
ExecStart=/usr/local/bin/kube-scheduler \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_MASTER \
$KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

启动

systemctl daemon-reload

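# Enable and start the three control-plane services, printing each one's status.
# "$service" is quoted (ShellCheck SC2086); `systemctl status` exits non-zero for a unit
# that is not running, so it only reports and does not stop the loop.
for service in kube-apiserver kube-controller-manager kube-scheduler; do
  systemctl enable "$service"
  systemctl start "$service"
  systemctl status "$service"
done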

验证 master 节点功能

我们启动每个组件后可以通过执行命令kubectl get componentstatuses,来查看各个组件的状态;

kubectl get componentstatuses

6.安装flannel网络插件

/etc/sysconfig/flanneld配置文件

# flanneld settings: etcd endpoint, the key prefix holding the network config (created in
# etcd further down), and the client certificate flannel uses to authenticate to etcd
cat >/etc/sysconfig/flanneld<<EOF
# Flanneld configuration options

# etcd url location. Point this to the server where etcd runs
FLANNEL_ETCD_ENDPOINTS="https://10.8.8.8:2379"

# etcd config key. This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_PREFIX="/kube-centos/network"

# Any additional options that you want to pass
FLANNEL_OPTIONS="-etcd-cafile=/etc/kubernetes/ssl/ca.pem -etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem -etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem"
EOF

service配置文件/usr/lib/systemd/system/flanneld.service

# Create the flanneld unit; the sections below are its content
vim /usr/lib/systemd/system/flanneld.service

[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Wants=network-online.target
# Needs etcd for its subnet lease and must be up before docker reads the generated options
After=etcd.service
Before=docker.service

[Service]
Type=notify
# Required (no "-"): the unit fails if /etc/sysconfig/flanneld is missing
EnvironmentFile=/etc/sysconfig/flanneld
EnvironmentFile=-/etc/sysconfig/docker-network
ExecStart=/usr/local/bin/flanneld \
-etcd-endpoints=${FLANNEL_ETCD_ENDPOINTS} \
-etcd-prefix=${FLANNEL_ETCD_PREFIX} \
$FLANNEL_OPTIONS
# Writes DOCKER_NETWORK_OPTIONS for docker.service into /run/flannel/docker
ExecStartPost=/usr/local/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
Restart=on-failure

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service

3.在etcd中创建网络配置

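# Flannel network configuration in etcd (v2 keyspace: mkdir/mk/get/ls).
# The endpoint and TLS client options are shared by all four calls, so they live in one
# array; the last command originally used an undefined ${ETCD_ENDPOINTS} while the others
# hard-coded the endpoint — all four now use the same one.
etcdctl_opts=(
  --endpoints=https://10.8.8.8:2379
  --ca-file=/etc/kubernetes/ssl/ca.pem
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem
)

# Create the directory /kube-centos/network
etcdctl "${etcdctl_opts[@]}" mkdir /kube-centos/network

# Set the pod network range, subnet size and backend
etcdctl "${etcdctl_opts[@]}" mk /kube-centos/network/config '{"Network":"172.30.0.0/16","SubnetLen":24,"Backend":{"Type":"vxlan"}}'

# Read the config back
etcdctl "${etcdctl_opts[@]}" get /kube-centos/network/config

# List the subnets leased so far (populated once flanneld on the nodes has started)
etcdctl "${etcdctl_opts[@]}" ls /kube-centos/network/subnets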

启动flannel

# Load the new unit, enable flanneld at boot, start it and show its status
systemctl daemon-reload
systemctl enable flanneld.service
systemctl start flanneld.service
systemctl status flanneld.service

使用systemctl命令启动flanneld后,会自动执行./mk-docker-opts.sh -i,生成如下两个环境变量文件:

/run/flannel/subnet.env
/run/docker_opts.env

配置docker

二进制方式安装的flannel

修改docker的配置文件/usr/lib/systemd/system/docker.service,增加如下几条环境变量配置:

# Add to the [Service] section of docker.service so dockerd picks up the flannel subnet
# options generated by mk-docker-opts.sh ("-" = ignore if the file is missing)
EnvironmentFile=-/run/docker_opts.env
EnvironmentFile=-/run/flannel/subnet.env

7.部署Node节点

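# Working directory for the kubelet (WorkingDirectory= in kubelet.service); -p makes this
# safe to re-run
mkdir -p /var/lib/kubelet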
  • 1.--kubeconfig=/etc/kubernetes/kubelet.kubeconfig中指定的kubelet.kubeconfig文件在第一次启动kubelet之前并不存在,请看下文,当通过CSR请求后会自动生成kubelet.kubeconfig文件,如果你的节点上已经生成了~/.kube/config文件,你可以将该文件拷贝到该路径下,并重命名为kubelet.kubeconfig,所有node节点可以共用同一个kubelet.kubeconfig文件,这样新添加的节点就不需要再创建CSR请求就能自动添加到kubernetes集群中。同样,在任意能够访问到kubernetes集群的主机上使用kubectl --kubeconfig命令操作集群时,只要使用~/.kube/config文件就可以通过权限认证,因为这里面已经有认证信息并认为你是admin用户,对集群拥有所有权限。
# Shortcut described in the note above: reuse the admin kubeconfig as the kubelet's.
# NOTE(review): ~/.kube/config carries the admin certificate (system:masters, i.e.
# cluster-admin), so this puts a cluster-admin credential on every node that receives it;
# a compromised node then owns the cluster. Prefer the TLS bootstrap + CSR-approval flow
# below, which gives each node its own node-scoped certificate.
cp ~/.kube/config /etc/kubernetes/kubelet.kubeconfig
  • 1.修改/etc/fstab,将swap那一行注释掉。
  • 2.kubelet 启动时向 kube-apiserver 发送 TLS bootstrapping 请求,需要先将 bootstrap token 文件中的 kubelet-bootstrap 用户赋予 system:node-bootstrapper cluster 角色(role), 然后 kubelet 才能有权限创建认证请求(certificate signing requests):
# Grant the kubelet-bootstrap token user (from token.csv) the system:node-bootstrapper
# cluster role so the kubelet may submit certificate signing requests. kubectl does not
# need the cd; it is presumably left over from the earlier steps.
cd /etc/kubernetes

kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap

/etc/kubernetes/kubelet

# kubelet settings for the node at 10.8.8.8.
# NOTE(review): KUBELET_ARGS sets no --anonymous-auth / --authorization-mode / --client-ca-file;
# with the kubelet's defaults that presumably leaves the kubelet API on --address=10.8.8.8
# (port 10250) accepting unauthenticated requests — confirm for 1.10 and, if so, add
# --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/ssl/ca.pem.
# --pod-infra-container-image pulls the pause image from a third-party registry
# (index.tenxcloud.com); pin it by digest or mirror it into the Harbor registry this page sets up.
cat >/etc/kubernetes/kubelet<<EOF
###
## kubernetes kubelet (minion) config
#
## The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
KUBELET_ADDRESS="--address=10.8.8.8"
#
## The port for the info server to serve on
#KUBELET_PORT="--port=10250"
#
## You may leave this blank to use the actual hostname
KUBELET_HOSTNAME="--hostname-override=10.8.8.8"
#
## location of the api-server
## COMMENT THIS ON KUBERNETES 1.8+
#KUBELET_API_SERVER="--api-servers=http://10.8.8.8:8080"
#
## pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=index.tenxcloud.com/jimmy/pod-infrastructure:rhel7"
#
## Add your own!
KUBELET_ARGS="--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice --cgroup-driver=systemd --cluster-dns=10.254.0.2 --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local --hairpin-mode promiscuous-bridge --serialize-image-pulls=false"
# --require-kubeconfig
EOF

Remove --require-kubeconfig and the default kubeconfig path in v1.10

kubelet Error: unknown flag: --api-servers

创建kubelet的service配置文件

# Create the kubelet unit; the sections below are its content
vim /usr/lib/systemd/system/kubelet.service

[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
# Hard dependency on the container runtime
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
# Shared flags plus the kubelet-specific ones ("-" = ignore if missing)
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/kubelet
# $KUBELET_API_SERVER and $KUBELET_PORT are commented out in /etc/kubernetes/kubelet and expand to nothing
ExecStart=/usr/local/bin/kubelet \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBELET_API_SERVER \
$KUBELET_ADDRESS \
$KUBELET_PORT \
$KUBELET_HOSTNAME \
$KUBE_ALLOW_PRIV \
$KUBELET_POD_INFRA_CONTAINER \
$KUBELET_ARGS
Restart=on-failure

[Install]
WantedBy=multi-user.target

启动kubelet

# Load the new unit, enable the kubelet at boot, start it and show its status
systemctl daemon-reload
systemctl enable kubelet.service
systemctl start kubelet.service
systemctl status kubelet.service

2.配置 kube-proxy

/etc/kubernetes/proxy

# kube-proxy flags: authenticates to the apiserver with kube-proxy.kubeconfig (built above)
# and is told the pod CIDR for masquerading decisions
cat >/etc/kubernetes/proxy<<EOF
###
# kubernetes proxy config

# default config should be adequate

# Add your own!
KUBE_PROXY_ARGS="--bind-address=10.8.8.8 --hostname-override=10.8.8.8 --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig --cluster-cidr=10.254.0.0/16"
EOF

/usr/lib/systemd/system/kube-proxy.service

# Create the kube-proxy unit; the sections below are its content
vim /usr/lib/systemd/system/kube-proxy.service

[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
# Shared flags plus the proxy-specific ones ("-" = ignore if missing)
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/proxy
# Both $KUBE_MASTER (insecure port) and --kubeconfig are passed; see the note on /etc/kubernetes/config
ExecStart=/usr/local/bin/kube-proxy \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_MASTER \
$KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

启动 kube-proxy

# Load the new unit, enable kube-proxy at boot, start it and show its status
systemctl daemon-reload
systemctl enable kube-proxy
systemctl start kube-proxy
systemctl status kube-proxy

由于采用了 TLS Bootstrapping,所以 kubelet 启动后不会立即加入集群,而是进行证书申请,此时只需要在 master 允许其证书申请即可。

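# List pending certificate signing requests (prompt glyphs removed and the sample output
# kept as comments so the block can be pasted as-is)
kubectl get csr
# NAME AGE REQUESTOR CONDITION
# csr-l9d25 2m kubelet-bootstrap Pending

# Approve the request. Approval mints a node certificate, so check that the REQUESTOR and
# the CSR subject (`kubectl describe csr csr-l9d25`) belong to a node you expect before approving.
kubectl certificate approve csr-l9d25
# certificatesigningrequest "csr-l9d25" approved

# The node should now be listed
kubectl get node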
# Pre-pull the pause/pod-infrastructure images and the test nginx image.
# NOTE(review): these come from third-party accounts/registries and "latest" is a mutable
# tag; pin by digest or mirror them into the Harbor registry this page sets up.
docker pull jimmysong/pause-amd64:3.0

docker pull registry.cn-hangzhou.aliyuncs.com/sunyuki/pod-infrastructure:latest

docker pull nginx:1.13.11

4.验证测试

我们创建一个nginx的service试一下集群是否可用。

# Smoke test: two nginx replicas behind a NodePort service
kubectl run nginx --replicas=2 --labels="run=nginx-load-balancer" --image=nginx:1.13.11  --port=80

# NodePort opens the chosen port on every node in the 30000-32767 range set on the apiserver
kubectl expose deployment nginx --type=NodePort --name=nginx-service

# Shows the allocated NodePort and endpoints
kubectl describe svc nginx-service

删除

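# Tear the smoke test down. The service was created as "nginx-service" (--name above), so
# that is the name to delete; the deployment is "nginx".
kubectl delete svc nginx-service
kubectl delete deploy nginx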

当你做某件事的时候,一旦想要求快,就表示你再也不关心它,而想去做别的事。

Fighting and Happy Coding O(∩_∩)O~
Ele - A面

2016年点亮技能树的某个枝桠

nginx
uwsgi
couchbase
rbmq
redis

pdb和traceback来做调试

awk,sed 来快速搜索

pd来做统计分析

去吧去吧,2016

Pragmatic Thinking and Learning - Refactor Your Wetware

Docker
Go
DjangoCon US 2016
PyCon 2016
个人wiki
StackOverflow
得到上面订了一年的硅谷来信
pssh
ansible

深入理解Nginx
涂先生写的数据之巅
吴军老师的智能时代
Docker源码分析
Go语言编程
算法的乐趣
第一行代码

这个月发生了一件令我有所触动的小事。工作上使用了python的一个库,但有些功能它并不具备,因此写了一些shell script来做辅助,算是外部对功能进行扩展吧。后来发现这样做要填补的坑是在太多了,而且坑中有坑,不知何处还有坑。搞得头发又掉了好几百根。再后来觉得不行,决定破釜沉舟,从内部解决。于是好好分析了下那个库的代码,做了类继承,重写了一些功能。幸好那个库是可以扩展的,也幸好代码逻辑简单,花的功夫竟然比纠结的时间还少。这件事告诉我,不要觉得重写很麻烦,也不要害怕替换,虽然本质上是对自己的及其不信任。但是做总比不做来得强,更何况很多时候,那些困难不过是自己想出来吓唬自己的,要有所增进,不就是要打败一只只挡在路上的大大小小的真/假纸老虎吗?

上个月呀,信誓旦旦的要看uwsgi代码。于是某日,真的沐浴更衣,准备潜心阅读。但一看到它长长的一下子拉不到底的uwsgi_sever结构,嗯,我怂了。为了不误入歧途,索性准备换一下,潜心看uwsgi官方文档。

六月份要把Eva的个人网站加上xadmin (这也是最近玩得最多的package呀!!!),修整一下,差不多可以给它买个域名买个空间了。

前段时间看到某个博客上有个menu叫做”exchange”,是博主用来挂他看过的书并且希望换书的。我觉得这种想法相当的好!可惜当时没收藏,已经找不到是哪位的了。但是,Ele计划借鉴一下,也在自己的博客新增一个menu,放自己看过的书并且希望有人可以跟我换书看。

我几乎包办了产品在这个项目的需求分析、开发、测试、交付和问题处理,以及偶尔的人力预算分析。经过那些日子的洗礼,那个一无所知的小女孩也可以在别人需要帮助的时候出现在旁边,那些对从前的我来说晦涩难懂的东西也变得开明易懂起来,跟别人沟通也不再是一件艰难的事。而我的眼界也慢慢的放开。


就这样被折腾了一段时间,在某天项目清闲的时候,我终于忍不住,想对这个过程进行自动化。当然,全自动化是理想,半自动化却相对比较容易实现不是。这个决定大大提高了版本管理的效率,减缓了我的焦躁,以及奠定了我对python的喜爱。

先是用脚本统计N份文档中的代码量,然后将所有版本资料整理成规定形式,接着检查资料规范及完整性。随着对win32com这个python库进一步熟悉,还用它帮忙拷贝几十份文档的病毒扫描结果,提取相关信息以帮助输出版本度量表。从此,QA能挑出的毛病越来越少,我花在版本这件事上的时间也越来越少。而因为大大减少了文档的打开及复制粘贴,从此手也不酸了。直接跑个脚本,然后该干嘛干嘛。

人生苦短,我用python.

用脚本实现这些繁琐的工作,还有一个好处。中途因为出差,将版本这件事转交给另一个同事的时候,我只需要告诉他怎么使用这些脚本即可。


那些令人wow的小技巧集锦

五月不定阴晴暴雨时时至,不如静坐写代码
六月艳日夏愈显,吹着风扇写代码
七月浑浑又噩噩,打着呵欠写代码
八月早睡早起身体好,对着砖书写代码
九月团团圆圆平平淡淡,啃着糕点写代码
十月秋风扫落叶,啃着文档写代码

# Time zone and hostname for the new VPS
timedatectl set-timezone America/Los_Angeles
hostnamectl set-hostname ovwane.com
# Create a day-to-day user and set its password ("用户名" is a placeholder for the username)
useradd 用户名
passwd 用户名
# Give that user full sudo (password required). visudo validates the syntax before saving;
# the second line is the entry to add, "用户名" being the username placeholder.
visudo
用户名 ALL=(ALL) ALL
# Generate a 4096-bit RSA key pair on the client ("邮箱" is a placeholder for the e-mail
# comment); -f names the key file. ed25519 (-t ed25519) is the shorter modern alternative.
ssh-keygen -t rsa -b 4096 -C "邮箱" -f linode_vps_rsa
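# Install the public key for the new user. -p keeps this re-runnable (plain mkdir fails if
# ~/.ssh already exists) and -m sets the 700 mode at creation time; sshd refuses keys whose
# directory or file are group/world accessible.
mkdir -p -m 700 ~/.ssh
# Paste the public key (linode_vps_rsa.pub) into this file
vim ~/.ssh/authorized_keys

chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh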

设置 SSH,打开密钥登录功能
编辑 /etc/ssh/sshd_config 文件,进行如下设置:

# Edit the sshd config; the directives below are the settings to apply
vim /etc/ssh/sshd_config

# Listen port
Port 22
# SSH protocol 1 support was removed in OpenSSH 7.4, so on current servers this directive
# and RSAAuthentication (which only applied to protocol 1) are deprecated/ignored — run
# `sshd -t` after editing to see what the installed version accepts.
Protocol 2
RSAAuthentication yes
# Key-based login
PubkeyAuthentication yes
# Disallow root login over SSH (use the sudo-enabled user created above)
PermitRootLogin no
# Disable password login. Verify key login works from a second session before restarting
# sshd, otherwise you may lock yourself out.
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
UsePAM yes
# Skip reverse DNS lookups of connecting clients
UseDNS no
X11Forwarding no

最后,重启 SSH 服务:
systemctl restart sshd.service

#优化

  1. 关闭SELinux

    # Disable SELinux on the next boot by rewriting /etc/selinux/config.
    # NOTE(review): this removes a hardening layer for the whole host; "permissive" keeps
    # logging while not blocking, and is usually enough to diagnose what needs a policy fix.
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  2. 最大进程数和最大文件打开数
    修改/etc/security/limits.conf文件

  3. 删除默认用户
    centos

  4. 更换yum源
    CentOS mirrors List

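# Switch the base and EPEL repositories to the Aliyun mirror. `curl -f` fails on an HTTP
# error instead of saving the error page as the .repo file.
# NOTE(review): both .repo files are fetched over plain http; check they keep gpgcheck=1 so
# the packages themselves are still signature-verified.
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

# Drop the old metadata cache (these two lines were bare prose in the original and would
# have been executed as commands)
yum clean all
rm -rf /var/cache/yum

# Rebuild the cache from the new mirror
yum makecache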

EPEL mirrors

mirrors.cat.pdx.edu

[yum upgrade](https://www.jianshu.com/p/4df7692bdc2b)

# Upgrade every installed package non-interactively
yum -y upgrade
# List installed kernels, then remove the two older ones.
# NOTE(review): check `uname -r` first — never remove the running kernel or the only
# remaining one; the two versions here are the author's, not a general recipe.
rpm -qa | grep kernel  

yum -y autoremove kernel-3.10.0-693.el7
yum -y autoremove kernel-3.10.0-693.2.2.el7.x86_64
  1. 时间

    chrony

chrony软件使用说明

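# Install chrony and run it at boot for NTP time sync
yum -y install chrony

systemctl start chronyd.service
systemctl enable chronyd.service
systemctl status chronyd.service

# Show sync status per source (this label was a bare prose line in the original, which the
# shell would have tried to execute)
chronyc sourcestats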

删除软件包并删除孤立的依赖包
https://segmentfault.com/q/1010000000626683

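# Make yum remove orphaned dependencies along with a package. The setting belongs in the
# [main] section of /etc/yum.conf; the original showed it as prose plus a bare line, which
# the shell would have executed. Insert it after [main] unless it is already present.
grep -q '^clean_requirements_on_remove' /etc/yum.conf \
  || sed -i '/^\[main\]/a clean_requirements_on_remove=1' /etc/yum.conf

# Remove packages that nothing depends on any more
yum autoremove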

删除postfix

# Remove the local mail server (and its orphaned dependencies, per the yum.conf setting above)
yum -y autoremove postfix
# rc.local content: the subsys lock file, then two vendor tuning scripts (RPS and IRQ
# affinity; presumably shipped on Tencent Cloud "qcloud" images) with their output logged.
# They run as root at boot, so their integrity matters as much as any system service.
touch /var/lock/subsys/local
/usr/local/qcloud/rps/set_rps.sh >/tmp/setRps.log 2>&1
/usr/local/qcloud/irq/net_smp_affinity.sh >/tmp/net_affinity.log 2>&1

删除 wpa_supplicant

# No Wi-Fi on a server: remove wpa_supplicant
yum -y autoremove wpa_supplicant

删除用户

/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow

postfix
ntp
games
ftp

centOS7服务管理与启动流程

下载必要软件包
在安装操作系统的时候使用的最小化安装,有很多包没有安装,使用时发现好多命令没有(如vim、wget、tree等),下面安装这些命令,可以根据需求自行调整。

# Basic tools missing from a minimal install; the commented line lists optional extras
yum -y install wget vim lrzsz screen lsof tree unzip git
# tcpdump nc mtr openssl-devel bash-completion nmap telnet ntpdate net-tools

开启firewalld

# Start the firewall and confirm it is running
systemctl start firewalld.service
systemctl status firewalld.service
# Show whether firewalld is running
firewall-cmd --state

# Show the default zone
firewall-cmd --get-default-zone

# Bind an interface to a zone (interfaces default to public); --permanent persists across reloads
firewall-cmd --zone=public --add-interface=eth0 --permanent

# Set the default zone
firewall-cmd --set-default-zone=public

# Show which zone an interface belongs to
firewall-cmd --get-zone-of-interface=eth0

# Dump a zone's full configuration
firewall-cmd --zone=public --list-all

# List open ports in the zone
firewall-cmd --zone=public --list-ports

# List allowed services in the zone
firewall-cmd --zone=public --list-services

# Allow a service (runtime only, lost on reload)
firewall-cmd --zone=public --add-service=http

# Allow a service permanently
firewall-cmd --zone=public --add-service=http --permanent

# Remove a service permanently
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent

# Apply the permanent configuration (reload rules)
firewall-cmd --reload

KeePass使用问题

有些网站不能自动输入密码

例如 aliyun.com
它的密码输入框引用的是 https://passport.alibaba.com/ (阿里巴巴的登录页)

KeePassXC
设置

KeePassHttp Settings

{"Allow":["passport.alibaba.com"],"Deny":[],"Realm":""}

允许多个域名

KeePassHttp Settings

{"Allow":["mailsso.mxhichina.com","passport.alibaba.com"],"Deny":[],"Realm":""}
,