Centos7初始化适合k8s运行的系统环境

1.设置主机名

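# Give this node its hostname (Kubernetes node names are normally derived from
# it, so every node in the cluster needs a distinct one). Replace k8s-master
# with your own name. The original wrote the hint as "k8s-master(#...)", which
# bash rejects as a syntax error when pasted; keep the hint in a real comment.
hostnamectl set-hostname k8s-master  # change to suit this node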

2.安装依赖包

# Host packages used later in this guide (ipvsadm/ipset/conntrack for the
# kube-proxy IPVS step, ntp/ntpdate for clock sync, iptables for step 3) plus
# general admin tooling.
yum install -y \
  conntrack ntpdate ntp ipvsadm ipset jq iptables \
  curl sysstat libseccomp wget vim net-tools git

3.设置防火墙为iptables并清空规则

# Swap firewalld for the classic iptables service and start from empty chains.
systemctl stop firewalld.service; systemctl disable firewalld.service
yum install -y iptables-services
systemctl start iptables; systemctl enable iptables
# Flush everything and persist the (empty) rule set.
# NOTE(review): nothing here sets a DROP policy, so after the flush every
# listening port on the node is reachable from wherever the host is routable.
# Put a perimeter/cloud firewall in front of the node, or add rules for the
# control-plane ports, before the cluster comes up.
iptables -F
service iptables save

4.关闭 SELinux

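# This guide takes SELinux out of enforcing mode for kubelet. Use permissive
# rather than disabled: kubelet runs the same either way, but in permissive
# mode denials are still written to the audit log, and the node can later be
# returned to enforcing without the full filesystem relabel that a period in
# "disabled" requires.
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config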

5.关闭swap

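# By default kubelet refuses to start while swap is active, so turn it off now
# and keep it off across reboots.
swapoff -a
# Comment out swap entries in /etc/fstab (a .bak copy is kept next to it).
# The original pattern '/ swap /' only matched space-separated entries; fstab
# fields may be tab-separated, and an entry that is already commented out must
# not receive a second '#'.
sed -i.bak '/^[^#].*[[:space:]]swap[[:space:]]/ s/^/#/' /etc/fstab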

6.配置ulimit值

# Raise the per-user resource limits that pam_limits applies at login. The
# delimiter is quoted because nothing in the body should be expanded.
# NOTE(review): this appends, so running the step twice duplicates the lines.
# NOTE(review): CentOS 7 typically ships /etc/security/limits.d/20-nproc.conf,
# which is read after limits.conf and caps '* soft nproc' — check it if the
# nproc value does not take effect. Unlimited core dumps can also write a
# process's memory (including secrets) to disk; consider a bounded 'core' on
# production nodes.
cat >> /etc/security/limits.conf <<'EOF'
* soft nofile 102400
* hard nofile 102400
* soft nproc 102400
* hard nproc 102400
* soft core unlimited
* hard core unlimited
* soft memlock unlimited
* hard memlock unlimited
EOF

7.调整内核参数

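# Kernel parameters for a Kubernetes node.
# The net.bridge.* keys only exist once br_netfilter is loaded, and
# net.netfilter.nf_conntrack_max only once nf_conntrack is; without them
# `sysctl -p` fails with "No such file or directory" on those lines. Step 11
# loads br_netfilter, but that runs after this step, so load both here first.
modprobe br_netfilter
modprobe nf_conntrack
cat > kubernetes.conf <<'EOF'
# Let iptables see bridged (pod) traffic; kube-proxy and CNI plugins rely on it
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
# Keep tcp_tw_recycle off: it breaks clients behind NAT (and was removed in 4.12)
net.ipv4.tcp_tw_recycle=0
# Avoid swapping wherever possible (swap is turned off in step 5 anyway)
vm.swappiness=0
# Always allow memory overcommit instead of heuristic checking
vm.overcommit_memory=1
# On OOM, let the OOM killer pick a process rather than panic the kernel
vm.panic_on_oom=0
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
# IPv6 is disabled on the node; drop this line for a dual-stack cluster
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
cp kubernetes.conf /etc/sysctl.d/kubernetes.conf
sysctl -p /etc/sysctl.d/kubernetes.conf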

8.调整系统时区

# Clock settings: keep the hardware clock in UTC (the usual Linux convention)
# and display local time as Asia/Shanghai.
# NOTE(review): ntp/ntpdate are installed in step 2, but nothing in this guide
# enables a time source. TLS certificate validation between cluster components
# depends on synchronized clocks — confirm chronyd or ntpd is enabled.
timedatectl set-local-rtc 0
timedatectl set-timezone Asia/Shanghai

9.关闭系统不需要的服务

# Stop and disable host services this guide considers unnecessary on a node.
# NOTE(review): three of these deserve a second look before copying blindly:
#  - auditd is the kernel audit trail; security baselines generally expect it
#    on. (On el7 its unit is marked RefuseManualStop, so `systemctl stop`
#    fails and only the disable takes effect at next boot.) Keep it unless
#    something else collects audit events.
#  - microcode is presumably microcode_ctl's loader for CPU microcode updates,
#    which carry Spectre/Meltdown-class mitigations — confirm the firmware
#    already applies them before turning it off.
#  - NetworkManager: make sure network.service is enabled and configured, or
#    the node may come back from the reboot in step 10 without networking.
for svc in postfix auditd microcode NetworkManager tuned; do
  systemctl stop "$svc"
  systemctl disable "$svc"
done

10.升级内核4.4

CentOS 7.x 自带的 3.10.x 内核存在一些 bug，导致其上运行的 Docker、k8s 不稳定，例如会报如下错误：

kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1

该问题已于4.4内核解决,因此需要升级内核

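# Add the ELRepo repository and install its long-term kernel (kernel-lt, 4.4.x).
# Import ELRepo's signing key first and fetch over HTTPS, so the release rpm is
# signature-checked rather than trusted on the strength of a plain-HTTP
# download (the kernel rpms are then checked by yum as long as the repo file
# keeps gpgcheck=1, which ELRepo's ships with).
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
# Check whether a 4.4 kernel menuentry is already present in grub.cfg.
grep menuentry /boot/grub2/grub.cfg
# Sample output before installing (only the 3.10 kernel and the rescue entry):
#   menuentry 'CentOS Linux (3.10.0-862.el7.x86_64) 7 (Core)' --class centos ... {
#   menuentry 'CentOS Linux (0-rescue-d0035d9568d74a14bde6d8421c1df319) 7 (Core)' ... {

# If it is missing, install it.
yum --enablerepo=elrepo-kernel install -y kernel-lt
# Look again.
grep menuentry /boot/grub2/grub.cfg
# Sample output afterwards; the elrepo 4.4 entry is now listed first:
#   menuentry 'CentOS Linux (4.4.237-1.el7.elrepo.x86_64) 7 (Core)' --class centos ... {
#   menuentry 'CentOS Linux (3.10.0-862.el7.x86_64) 7 (Core)' --class centos ... {
#   menuentry 'CentOS Linux (0-rescue-d0035d9568d74a14bde6d8421c1df319) 7 (Core)' ... {

# Boot order as grub sees it (BIOS layout; on UEFI systems use /etc/grub2-efi.cfg).
awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
#   CentOS Linux (4.4.237-1.el7.elrepo.x86_64) 7 (Core)
#   CentOS Linux (3.10.0-862.el7.x86_64) 7 (Core)
#   CentOS Linux (0-rescue-d0035d9568d74a14bde6d8421c1df319) 7 (Core)

# Make the new kernel the default. grub2-set-default needs the title verbatim;
# the original hard-coded "Centos Linux (4.4.227-1.el7.elrepo.x86_64) 7 (Core)",
# which matches neither the spelling nor the version listed above, so the box
# would silently keep booting 3.10. Take the title from grub.cfg instead.
new_kernel=$(awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg | grep -m1 elrepo)
if [ -n "$new_kernel" ]; then
  grub2-set-default "$new_kernel"
else
  echo "no elrepo kernel entry found in /etc/grub2.cfg; default not changed" >&2
fi
# Show what grub will boot next time, then reboot (confirm with `uname -r`).
grub2-editenv list
reboot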

11.kube-proxy开启ipvs的前置条件

Kubernetes v1.11 起 kube-proxy 的 IPVS 模式已正式可用（GA），但默认代理模式仍然是 iptables，需要在 kube-proxy 配置中显式设置 mode: ipvs。如果内核没有加载 ipvs 相关模块，kube-proxy 会自动回退到 iptables 模式。

# Prerequisites for kube-proxy's IPVS mode: the user-space tools, the kernel
# modules, and a script meant to reload the modules at boot.
# NOTE(review): /etc/sysconfig/modules/*.modules is the el6-era rc.sysinit
# hook — confirm your el7 image still runs it at boot; /etc/modules-load.d/
# is the systemd mechanism. br_netfilter is loaded here but not persisted the
# same way. nf_conntrack_ipv4 was folded into nf_conntrack in kernel 4.19, so
# on newer kernels load nf_conntrack instead.
yum install -y ipvsadm ipset
modprobe br_netfilter
cat > /etc/sysconfig/modules/ipvs.modules <<'EOF'
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 0755 /etc/sysconfig/modules/ipvs.modules
bash /etc/sysconfig/modules/ipvs.modules
# Confirm the modules are loaded.
lsmod | grep -E 'ip_vs|nf_conntrack_ipv4'