• 从零开始基于Archlinux 安装 containerd + k8s


    下载ISO文件:https://mirrors.tuna.tsinghua.edu.cn/archlinux/iso/latest/

    k8s: v1.26.4; calico: 3.25.1; dashboard:v2.7.0

    1. 准备工作

    以虚拟机VMWare为例。

    使用EFI 非默认BIOS启动。如果不使用EFI,那么后续安装引导时也使用非EFI。

    • Controller-Panel节点(master)

      节点列表:

      hostname ip
      k8s-master1 10.0.2.101/24
      k8s-master2 10.0.2.102/24
      k8s-master3 10.0.2.103/24

      CPU设置:2Core

      内存设置:2GB

      磁盘:20GB

      网卡设置:网卡1(ens33)为自定义NAT

    • Worker节点

      节点列表:

      hostname ip
      k8s-worker1 10.0.2.111/24
      k8s-worker2 10.0.2.112/24
      k8s-worker3 10.0.2.113/24

      CPU设置:2Core

      内存设置:4GB

      磁盘:20GB

      网卡设置:网卡1(ens33)为自定义NAT

    2. 磁盘管理

    2.1 磁盘分区

    使用GUID分区表,分2个区:

    • 1)EFI System(EF00),Last sector: +500M (500MB)

    • 2)Linux filesystem(8300) ,Last sector:<回车>(为剩余容量)

    gdisk /dev/sda # interactive: GPT with partition 1 = EFI System (EF00) +500M and partition 2 = Linux filesystem (8300) on the rest of the disk
    

    2.2 磁盘格式化

    mkfs.vfat -F32 /dev/sda1 # ESP partition, mounted at /boot
    mkfs.ext4 /dev/sda2 # Linux filesystem partition, mounted at /
    

    2.3 磁盘挂载

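    mount /dev/sda2 /mnt # mount the root partition first
    mkdir /mnt/boot # create the /boot mount point on it
    mount /dev/sda1 /mnt/boot # mount the ESP (partition 1 from 2.2) on /boot, not the root partition a second time
    
    lsblk # verify: sda2 on /mnt, sda1 on /mnt/boot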
    

    3. 安装系统

    3.1 安装系统文件

    vim /etc/pacman.d/mirrorlist # add the mirror(s) below at the top of the list
    
    Server = https://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
    #Server = https://mirrors.aliyun.com/archlinux/$repo/os/$arch
    
    # install the base system into /mnt ($repo and $arch above are pacman placeholders, not shell variables)
    pacstrap /mnt base base-devel
    

    3.2 配置fstab

    genfstab -U /mnt > /mnt/etc/fstab # generate the mount table from the current mounts, keyed by UUID
    

    编辑 fstab

    vim /mnt/etc/fstab
    # on SSDs, append the options "discard,noatime" to the filesystem entries
    

    3.3 配置系统

    编辑 /mnt/etc/pacman.conf文件,加入下面的内容:

    [archlinuxcn]
    Server = https://mirrors.tuna.tsinghua.edu.cn/archlinuxcn/$arch
    #Server = https://mirrors.aliyun.com/archlinuxcn/$arch
    

    切换root目录到新系统

    arch-chroot /mnt /bin/bash # enter the new system; everything up to the "exit" in 3.9 runs inside it
    

    现在可以全面升级系统:

    pacman -Syy # the chroot has no package database yet, so force a refresh
    pacman -S archlinuxcn-keyring # signing keys for the [archlinuxcn] repo added to pacman.conf above
    pacman -S vim bash-completion yay fakeroot
    ln -s /usr/bin/vim /usr/bin/vi
    

    3.4 安装引导程序

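    # install the LTS kernel and firmware
    pacman -S linux-lts linux-firmware
    # install CPU microcode
    pacman -S amd-ucode # intel: pacman -S intel-ucode
    
    bootctl install # install systemd-boot into the ESP, which is mounted at /boot
    
    # Default entry. On intel use "initrd /intel-ucode.img". Keep notes out of the entry files:
    # a trailing "# ..." is not treated as a comment there and becomes part of the value.
    # NOTE(review): root=/dev/sda2 relies on stable device naming; root=PARTUUID=<partuuid of sda2>
    # (see blkid) is the more robust form — confirm before changing.
    cat > /boot/loader/entries/arch.conf <<'EOF'
    title Arch Linux
    linux /vmlinuz-linux-lts
    initrd /amd-ucode.img
    initrd /initramfs-linux-lts.img
    options root=/dev/sda2 rw
    EOF
    
    # fallback entry using the full initramfs
    cat > /boot/loader/entries/arch-fallback.conf <<'EOF'
    title Arch Linux (fallback initramfs)
    linux /vmlinuz-linux-lts
    initrd /amd-ucode.img
    initrd /initramfs-linux-lts-fallback.img
    options root=/dev/sda2 rw
    EOF
    
    # loader.conf lives under the ESP mount, i.e. /boot/loader/loader.conf here (the entries above are in
    # /boot/loader/entries, so /boot/efi/... would be the wrong tree). "editor no" prevents editing the kernel
    # command line from the boot menu.
    cat > /boot/loader/loader.conf <<'EOF'
    default arch.conf
    timeout 2
    console-mode max
    editor no
    EOF
    
    # verify that the paths referenced by the entries resolve
    bootctl list
    bootctl status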
    

    3.5 安装OpenSSH

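    pacman -S openssh
    
    # The stock sshd_config line is "#PermitRootLogin prohibit-password"; the earlier pattern ("prohibit-passwd")
    # never matched, so the file was left unchanged. "yes" permits root password login over SSH; for a node
    # reachable from outside the NAT segment, prefer keeping prohibit-password and using key-based auth.
    sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
    
    systemctl enable sshd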
    

    3.6 主机名

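    node_hostname=k8s-master1 # placeholder: this node's name from the node tables in section 1
    printf '%s\n' "$node_hostname" > /etc/hostname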
    

    3.7 设置root密码

    passwd # set the root password (this is the login used by the SSH setup in 3.5)
    

    3.8 网络配置

    使用 systemd-networkd

    VMWare 网络配置:
    NAT模式
    网段:10.0.2.0/24
    DHCP:10.0.2.200 - 10.0.2.254
    网关:10.0.2.2 (不要设置为10.0.2.1,否则会导致无法访问外网)
    
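    # Static address per node (see the node tables). To use DHCP instead, uncomment DHCP=ipv4 and drop the
    # Address/Gateway lines; systemd unit files do not accept trailing "# ..." comments on a value line.
    node_address=10.0.2.101/24 # placeholder: this node's address
    cat > /etc/systemd/network/20-wired.network <<EOF
    [Match]
    Name=ens33
    
    [Network]
    #DHCP=ipv4
    Address=${node_address}
    Gateway=10.0.2.2
    DNS=223.5.5.5
    DNS=223.6.6.6
    EOF
    
    systemctl enable systemd-networkd
    systemctl enable systemd-resolved
    # NOTE(review): libc only uses resolved if /etc/resolv.conf points at its stub
    # (ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf, done after leaving the chroot) — confirm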
    

    3.9 重启系统,并从硬盘引导

    exit # leave the chroot
    reboot # boot from disk into the installed system
    

    3.10 本地化配置

    vim /etc/locale.gen # uncomment the locales to generate, e.g.:
    
    en_US.UTF-8 UTF-8
    zh_CN.GBK GBK
    zh_CN.UTF-8 UTF-8
    zh_CN GB2312
    
    locale-gen # generate the selected locales
    echo 'LANG=en_US.UTF-8' > /etc/locale.conf # system default locale
    

    3.11 时区配置

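    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime # -f replaces an existing /etc/localtime instead of failing on it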
    

    3.12 硬件时间设置

    # date -s '2022-7-5 16:49:45' # set the system clock by hand first if it is wrong
    hwclock --systohc --utc # write the system time to the hardware clock, as UTC
    # hwclock --hctosys --utc # the reverse: load the hardware clock into the system time
    

    3.13 安装DNS服务

    pacman -S bind # local DNS, used in 4.3 to resolve the control-plane endpoint name
    # see: https://wiki.archlinux.org/title/BIND
    

    4. 安装k8s

    使用kubeadm安装: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/

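    pacman -S kubeadm kubelet kubectl containerd
    systemctl enable --now containerd # enable and start in one step
    # kubelet restarts in a loop until kubeadm init/join writes its config; that is expected at this point
    systemctl enable --now kubelet
    # NOTE(review): the kubeadm install page linked above also sets net.ipv4.ip_forward=1 via sysctl — confirm it is set on every node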
    

    4.1 配置containerd

    创建 /etc/modules-load.d/containerd.conf 配置文件:

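    cat << EOF > /etc/modules-load.d/containerd.conf
    overlay
    br_netfilter
    EOF
    # modules-load.d only takes effect at boot; load the modules now so containerd and kubeadm's preflight checks see them
    modprobe overlay
    modprobe br_netfilter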
    

    修改 containerd 配置:

    # generate the default config only once, so re-running this block does not overwrite local edits
    mkdir -p /etc/containerd
    if [ ! -f /etc/containerd/config.toml ]; then
        containerd config default > /etc/containerd/config.toml
    fi
    
    # use the systemd cgroup driver; it must match the kubelet's cgroupDriver (checked at the end of 4.3)
    sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml
    # point the sandbox (pause) image at the mirror; the unescaped "." in the patterns matches any character, harmless here
    sed -i 's/k8s.gcr.io/registry.aliyuncs.com\/google_containers/g' /etc/containerd/config.toml
    sed -i 's/registry.k8s.io/registry.aliyuncs.com\/google_containers/g' /etc/containerd/config.toml
    

    配置mirrors镜像:

    vim /etc/containerd/config.toml
    
    # find [plugins."io.containerd.grpc.v1.cri".registry.mirrors] and add the following after it;
    # pulls for these registries then go to the listed endpoints instead of upstream
            [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
              endpoint = ["https://docker.mirrors.ustc.edu.cn"]
            [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
              endpoint = ["https://registry.aliyuncs.com/google_containers"]
            [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
              endpoint = ["https://registry.aliyuncs.com/google_containers"]
    
    

    重启containerd,并检查状态:

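    systemctl restart containerd
    
    # confirm containerd reports the systemd cgroup driver; expected output is "true"
    crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock info | grep SystemdCgroup | awk -F ': ' '{ print $2 }'
    # -> true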
    

    设置crictl别名:

    # "docker" here is only an alias for crictl; /etc/profile.d is read by login shells, so new sessions pick it up.
    # (Alternatively set runtime-endpoint in /etc/crictl.yaml so crictl finds the socket without the flag.)
    echo 'alias docker="crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock"' > /etc/profile.d/containerd.sh
    source /etc/profile.d/containerd.sh # load it into the current shell; aliases only apply in interactive shells
    

    4.2 拉取k8s镜像

    通过参数 --image-repository 指定k8s镜像的仓库地址

    kubeadm config images pull --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.26.4 # pre-pull control-plane images from the mirror
    

    4.3 创建k8s集群

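    # Ideally the control-plane endpoint is a load balancer; here a self-hosted DNS record stands in: 10.0.2.101 cluster.berkaroad.com
    
    # This kubelet version no longer accepts --cni-bin-dir, so remove it from the Arch-packaged kubelet.env
    sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
    
    # Initialise the cluster on the first control-plane node.
    # NOTE(review): --service-dns-domain is the same name as --control-plane-endpoint, so CoreDNS owns that zone
    # inside pods and pods on the pod network cannot resolve the endpoint through host DNS (host-network
    # components are unaffected) — confirm this is intended.
    kubeadm init  --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.26.4 --control-plane-endpoint=cluster.berkaroad.com --apiserver-advertise-address=10.0.2.101 --pod-network-cidr=10.100.0.0/16 --service-cidr=10.101.0.0/16 --service-dns-domain=cluster.berkaroad.com --upload-certs --v=5
    
    # After success, set up kubectl access for this user. admin.conf carries cluster-admin credentials;
    # keep it on control-plane nodes only.
    mkdir -p "$HOME/.kube"
    sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
    sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
    
    # Clocks must agree across the cluster, otherwise joins fail with:
    # x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
    
    # kubeadm init prints the join commands below. The token, CA hash and certificate key are bootstrap
    # secrets specific to this run — take the values from your own init output.
    # You can now join any number of the control-plane node running the following command on each as root:
    kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
        --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
        --control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44
    
    # If the --certificate-key has expired, upload the certs again to get a new one:
    kubeadm init phase upload-certs --upload-certs
    
    
    # Then you can join any number of worker nodes by running the following on each as root:
    kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
        --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3
    
    # If the token has expired, create a new one together with the full join command:
    kubeadm token create --print-join-command
    
    
    # If a join fails, check that the cgroup driver matches between the runtime (docker or containerd) and the kubelet.
    # Which CRI kubeadm configured (containerd here); the expected file content is shown in the comment below it:
    cat /var/lib/kubelet/kubeadm-flags.env
    # KUBELET_KUBEADM_ARGS="--container-runtime=remote --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9"
    
    # The kubelet's cgroup driver; expected output is "systemd", matching SystemdCgroup = true in containerd
    awk -F ': ' '/cgroupDriver/ { print $2 }' /var/lib/kubelet/config.yaml
    # -> systemd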
    

    4.4 加入control-plane节点

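    # Ideally a load balancer address; here the first control-plane node is pinned in /etc/hosts.
    # The grep guard keeps re-runs from appending duplicate entries.
    grep -q 'cluster.berkaroad.com' /etc/hosts || echo '10.0.2.101 cluster.berkaroad.com' >> /etc/hosts
    
    # This kubelet version no longer accepts --cni-bin-dir, so remove it from the Arch-packaged kubelet.env
    sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
    
    
    # Clocks must agree across the cluster, otherwise the join fails with:
    # x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
    
    # Control-plane join command as printed by kubeadm init on the first node; the token, CA hash and
    # certificate key below are from that run — use the values from your own init output.
    # You can now join any number of the control-plane node running the following command on each as root:
    kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
        --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
        --control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44
    
    # If the --certificate-key has expired, run this on a node that already has admin access (an existing
    # control-plane node) to upload the certs again and get a new key:
    kubeadm init phase upload-certs --upload-certs
    
    # If the token has expired, run this on an existing control-plane node to print a fresh join command:
    kubeadm token create --print-join-command
    
    # After success, set up kubectl access on this control-plane node
    mkdir -p "$HOME/.kube"
    sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
    sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"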
    

    4.5 加入worker节点

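    # Ideally a load balancer address; here the first control-plane node is pinned in /etc/hosts.
    # The grep guard keeps re-runs from appending duplicate entries.
    grep -q 'cluster.berkaroad.com' /etc/hosts || echo '10.0.2.101 cluster.berkaroad.com' >> /etc/hosts
    
    # This kubelet version no longer accepts --cni-bin-dir, so remove it from the Arch-packaged kubelet.env
    sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
    
    
    # Clocks must agree across the cluster, otherwise the join fails with:
    # x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
    
    # Worker join command as printed by kubeadm init on the first node; the token and CA hash below are
    # from that run — use the values from your own init output.
    # A worker join does not create /etc/kubernetes/admin.conf, so the mkdir/cp/chown kubectl setup from 4.4
    # does not apply here (the cp would fail); run kubectl from a control-plane node instead, which also
    # keeps the cluster-admin kubeconfig off the workers.
    # Then you can join any number of worker nodes by running the following on each as root:
    kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
        --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3
    
    # If the token has expired, run this on an existing control-plane node to print a fresh join command:
    kubeadm token create --print-join-command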
    

    4.6 安装CNI:Calico

    # Applies the upstream v3.25 manifest straight from the network; to review or pin it, download the file first and apply the local copy.
    # NOTE(review): the pod CIDR is expected to come from the kubeadm config (--pod-network-cidr above) — confirm in the calico-node env
    kubectl apply -f https://projectcalico.docs.tigera.io/archive/v3.25/manifests/calico.yaml
    
    

    4.7 安装Dashboard

    # Applies the upstream v2.7.0 manifest straight from the network; to review or pin it, download the file first and apply the local copy.
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
    

    新建 dashboard-admin.yaml

    # dashboard-admin is bound to the built-in cluster-admin ClusterRole, so the dashboard login token
    # issued for it in the next step has full control of the cluster; outside a lab, bind a narrower role.
    cat << EOF > dashboard-admin.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: dashboard-admin
      namespace: kubernetes-dashboard
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: dashboard-admin-cluster-role
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
      - kind: ServiceAccount
        name: dashboard-admin
        namespace: kubernetes-dashboard
    EOF
    
    kubectl apply -f dashboard-admin.yaml
    

    新建 dashboard-admin-token.yaml

    # A long-lived service-account token Secret (it does not expire). On k8s >= 1.24 a short-lived token can be
    # issued on demand instead, without creating this Secret: kubectl -n kubernetes-dashboard create token dashboard-admin
    cat << EOF > dashboard-admin-token.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      annotations:
        kubernetes.io/service-account.name: dashboard-admin
      labels:
        k8s-app: kubernetes-dashboard
      name: dashboard-admin-token
      namespace: kubernetes-dashboard
    type: kubernetes.io/service-account-token
    EOF
    
    kubectl apply -f dashboard-admin-token.yaml
    

    获取登录用的token:

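    # read the token field from the Secret directly instead of scraping "describe" output (base64 -d restores the raw JWT)
    kubectl -n kubernetes-dashboard get secret dashboard-admin-token -o jsonpath='{.data.token}' | base64 -d; echo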
    

    访问Dashboard:

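    # Method 1: kubectl proxy. It forwards requests to the API server using this user's (cluster-admin) kubeconfig
    # and adds no authentication of its own; --address on a non-loopback IP plus --accept-hosts='^*$' makes that
    # reachable by any host on the segment. For a lab behind the NAT this may be acceptable; otherwise keep the
    # default 127.0.0.1 bind and reach it through an SSH tunnel.
    node_ip=10.0.2.101 # placeholder: this machine's address
    kubectl proxy --address "$node_ip" --port=8001 --accept-hosts='^*$'
    # then open http://<node_ip>:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
    
    # Method 2: expose the dashboard Service as a NodePort (TLS on 30443 on every node)
    kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort", "ports":[{"nodePort":30443, "port":443}]}}' -n kubernetes-dashboard
    # then open https://<node_ip>:30443/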
    

    4.8 查看k8s集群

    节点信息:

    kubectl get no -o wide # node list; sample output follows ("<none>" marks an empty ROLES / EXTERNAL-IP column)
    NAME          STATUS   ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE     KERNEL-VERSION   CONTAINER-RUNTIME
    k8s-master1   Ready    control-plane   23m   v1.26.3   10.0.2.101    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
    k8s-master2   Ready    control-plane   22m   v1.26.3   10.0.2.102    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
    k8s-master3   Ready    control-plane   22m   v1.26.3   10.0.2.103    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
    k8s-worker1   Ready    <none>          20m   v1.26.3   10.0.2.111    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
    k8s-worker2   Ready    <none>          18m   v1.26.3   10.0.2.112    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
    k8s-worker3   Ready    <none>          17m   v1.26.3   10.0.2.113    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
    

    pod信息:

    kubectl get po -n kube-system
    calico-kube-controllers-57b57c56f-g62jv   1/1     Running   0                   120m
    calico-node-2b5f9                         1/1     Running   0                   120m
    calico-node-flbmt                         1/1     Running   0                   120m
    calico-node-hwtvh                         1/1     Running   0                   120m
    calico-node-j6dkp                         1/1     Running   0                   120m
    calico-node-jqcfg                         1/1     Running   0                   120m
    calico-node-lrq7q                         1/1     Running   0                   120m
    coredns-5bbd96d687-fd9j7                  1/1     Running   0                   139m
    coredns-5bbd96d687-kd48v                  1/1     Running   0                   139m
    etcd-k8s-master1                          1/1     Running   0                   139m
    etcd-k8s-master2                          1/1     Running   0                   139m
    etcd-k8s-master3                          1/1     Running   0                   137m
    kube-apiserver-k8s-master1                1/1     Running   0                   139m
    kube-apiserver-k8s-master2                1/1     Running   0                   139m
    kube-apiserver-k8s-master3                1/1     Running   0                   139m
    kube-controller-manager-k8s-master1       1/1     Running   0                   139m
    kube-controller-manager-k8s-master2       1/1     Running   0                   137m
    kube-controller-manager-k8s-master3       1/1     Running   0                   136m
    kube-proxy-6v7b9                          1/1     Running   0                   132m
    kube-proxy-7dnmx                          1/1     Running   0                   136m
    kube-proxy-c2cdd                          1/1     Running   0                   137m
    kube-proxy-k4l4c                          1/1     Running   0                   134m
    kube-proxy-rjw8j                          1/1     Running   0                   139m
    kube-proxy-zrcvw                          1/1     Running   0                   137m
    kube-scheduler-k8s-master1                1/1     Running   0                   139m
    kube-scheduler-k8s-master2                1/1     Running   0                   139m
    kube-scheduler-k8s-master3                1/1     Running   0                   139m
    
    
    kubectl get po -n kubernetes-dashboard
    NAME                                        READY   STATUS    RESTARTS   AGE
    dashboard-metrics-scraper-7bc864c59-flhzz   1/1     Running   0          13m
    kubernetes-dashboard-6c7ccbcf87-8qgmg       1/1     Running   0          13m
    

    附录

    包签名错误

    error: libcap: signature from "David Runge " is marginal trust
    :: File /var/cache/pacman/pkg/libcap-2.65-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
    Do you want to delete it? [Y/n] Y
    error: failed to commit transaction (invalid or corrupted package)
    Errors occurred, no packages were upgraded.
    

    更新pacman key证书

    pacman -S gnupg
    pacman -Sy archlinux-keyring # refresh the distro signing keys first, so the upgrade below can verify packages
    pacman-key --populate archlinux
    pacman-key --refresh-keys # contacts the key servers; this can take a while
    pacman -Syux # NOTE(review): "x" is not a documented -S flag; the usual full-upgrade form is "pacman -Syu" — confirm
    
  • 原文地址:https://www.cnblogs.com/Berkaroad/p/17358551.html