debian11 安装 k8s,containerd ,阿里云镜像(已成功)

本文涉及的产品
服务治理 MSE Sentinel/OpenSergo,Agent数量 不受限
应用实时监控服务-可观测链路OpenTelemetry版,每月50GB免费额度
容器镜像服务 ACR,镜像仓库100个 不限时长
简介: 在准备 Kubernetes 集群环境中,确保每台机器至少有 2GB RAM,推荐 4GB,需连接网络。需3台机器,1台作为 Master,2台作为 Worker。安装 `sudo`,设置各节点主机名为 k8s-master、k8s-node1、k8s-node2,并更新 `/etc/hosts`。升级系统,接着安装并更新 containerd 至 v1.7,配置 `containerd` 并启用。
  1. 环境准备
    系统要求:至少 2GB RAM(建议 4GB 或更多),网络连接。
    节点准备:至少 3 台机器,1 台作为 Master 节点,2 台作为 Worker 节点。
    安装sudo

apt update
apt install sudo
1
2
设置主机名(在每台机器上):

sudo hostnamectl set-hostname <主机名>
1
替换 <主机名> 为 k8s-master、k8s-node1、k8s-node2

配置 /etc/hosts(在所有节点上):
将所有节点的 IP 地址和主机名添加到 /etc/hosts 文件中。

root@k8s-node1:~# echo “192.168.0.147 k8s-master” >> /etc/hosts
root@k8s-node1:~# echo “192.168.0.217 k8s-node1” >> /etc/hosts

更新系统:

sudo apt update && sudo apt upgrade -y
1
2

  1. 安装 containerd
    在所有节点上执行以下步骤:

安装 containerd:

sudo apt install -y containerd
1
2
2.2 更新containered到最新版本1.7
默认安装的版本是1.4,如果不更新,后面 init 的时候会报如下错误

[ERROR CRI]: container runtime is not running: output: time="2024-02-03T22:17:09+08:00" level=fatal msg="validate service connection: CRI v1 runtime API is not implemented for endpoint \"unix:///var/run/containerd/containerd.sock\": rpc error: code = Unimplemented desc = unknown service runtime.v1.RuntimeService"
, error: exit status 1
[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
[preflight] If you know what you are doing, you can make a check non-fatal with --ignore-preflight-errors=...

1
2
3
4
5
6
https://github.com/containerd/containerd/releases 下载最新版本

解压缩文件
首先,您需要解压下载的压缩包。打开终端,切换到包含下载文件的目录,然后运行:

tar xzvf containerd-1.7.13-linux-amd64.tar.gz
sudo mv bin/* /usr/bin/
1
2
3
containerd --version 可以查看版本号为1.7

2.3 配置 containerd:
生成默认配置文件

sudo mkdir -p /etc/containerd
sudo containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
1
2
3
修改配置文件
nano /etc/containerd/config.toml
文件中 sandbox_image做如下修改,因为后面init的时候指定的是阿里云的
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true #这个很重要,否则,k8s启动起来后会自动停止,kubectl get pods -n kube-system 也会出现监听端口6443访问失败的报错
1
2
3
4
5
6
启用并启动 containerd:

sudo systemctl restart containerd
sudo systemctl enable containerd
1
2
sudo systemctl status containerd 可查看状态

  1. 安装 Kubernetes
    在所有节点上执行以下步骤:

安装必需的包:首先,确保你的系统安装了 apt-transport-https、ca-certificates 和 curl:

sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
1
2
添加 Kubernetes 的 GPG 密钥:

curl -s https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | sudo apt-key add -
1
2
添加 Kubernetes 仓库:

echo "deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
1
2
更新软件包列表:

sudo apt-get update
1
2
安装 kubeadm、kubelet 和 kubectl:

sudo apt-get install -y kubelet=1.28.2-00 kubeadm=1.28.2-00 kubectl=1.28.2-00

sudo apt-mark hold kubelet kubeadm kubectl
1
2
3
安装配置br_netfilter 模块:

sudo modprobe br_netfilter
1
确保 IP 转发被启用:

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

echo "net.bridge.bridge-nf-call-iptables=1" | sudo tee -a /etc/sysctl.conf

sudo sysctl -p

4. 初始化 Kubernetes 集群(在 Master 节点上执行)

1
2
3
4
5
6
7
8
9
10
4.2 初始化集群:(Master节点)
直接执行下面的会报错

sudo kubeadm init --pod-network-cidr=10.244.0.0/16
1
报错:

[ERROR ImagePull]: failed to pull image registry.k8s.io/kube-apiserver:v1.28.6: output: E0212 19:15:37.560180   22897 remote_image.go:171] "P

1
应该执行下面的

sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.28.2
1
以下是 kubeadm init 命令的输出。
``` root@ecs-2144:~# sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --image-repository=registry.aliyuncs.com/google_containerssudo kubeadm init --pod-network-cidr=10.244.0.0/16 --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.28.6
unknown command "kubeadm" for "kubeadm init"
To see the stack trace of this error execute with --v=5 or higher
root@ecs-2144:~# sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.28.6
[init] Using Kubernetes version: v1.28.6
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.0.147]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.0.147 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.0.147 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 4.001658 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node k8s-master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node k8s-master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: c5ir0f.h8x43oj54kb1gppe
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.0.147:6443 --token c5ir0f.h8x43oj54kb1gppe \
--discovery-token-ca-cert-hash sha256:42dc8386b03f8c6c415e06153c4b978e2020ca48d19b7b8b383d1c5d311a36e7

```

  1. 设置 kubectl(仅限 Master 节点)

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
1
2
3
4

  1. 安装网络插件(在 Master 节点上)

kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml --request-timeout='0'
1
2

不加–request-timeout=‘0’ 可能会导致超时

如果出现连接连接端口错误
运行 journalctl -u kubelet 可以看日志,如果看到以下错误

err="failed to load kubelet config file, path: /var/lib/kubelet/config.yaml, err>
1
可能是没有授权访问权限,运行以下即可

sudo chown root:root /var/lib/kubelet/config.yaml
sudo chmod 644 /var/lib/kubelet/config.yaml
1
2
然后重新运行kubelet
sudo systemctl restart kubelet //经测试只需要这一行即可
sudo systemctl status kubelet
sudo systemctl restart containerd
sudo systemctl status containerd

然后重新运行上面的 kubectl apply …
可能还会出现报错 unable to connect to the server: net/http: TLS handshake timeout
重新执行一遍一般就会成功

  1. 将 Worker 节点加入集群
    在每个 Worker 节点上,运行在初始化 Master 节点时得到的 kubeadm join 命令。
    效果如下:

root@ecs-7d63:~# kubeadm join 192.168.0.147:6443 --token lj3ooj.2x39tu70gyx5uj3v --discovery-token-ca-cert-hash sha256:7ce5191c1581dfcee7b33457bdd9341fa1ee128a19ac248c8daf9e69a57a8b18
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:

  • Certificate signing request was sent to apiserver and a response was received.
  • The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
验证集群状态
在 M
aster 节点上,运行:
kubectl get nodes
1
你应该能看到所有节点的状态为 Ready。

支持基础安装完成,下一步就是配置k8s

开放端口
API Server:

6443: Kubernetes API server。这是最关键的端口,用于集群管理通信。
etcd:

2379-2380: 用于etcd服务器客户端API通信。只有Kubernetes的API server才需要访问etcd,所以这些端口只需要在Master节点之间开放。

Kubelet:

10250: Kubelet API。这个端口用于API server获取节点和Pod的信息。
Kube-proxy:

Kubernetes中的Controller Manager和Scheduler虽然主要与API Server进行通信,但它们也监听在特定端口上,主要用于健康检查和指标收集。这些端口主要用于集群内部通信,而不是外部访问。下面是Controller Manager和Scheduler所监听的端口:

Kubernetes Controller Manager
默认端口:
10252: 用于健康检查和指标(metrics)的非安全HTTP访问。
安全端口:
当配置了安全访问(例如,通过启用HTTPS或认证和授权),Controller Manager可以配置为通过安全端口提供服务,但这需要手动配置,包括证书和相关的安全设置。
Kubernetes Scheduler
默认端口:
10251: 用于健康检查和指标的非安全HTTP访问。

排错
列出所有系统pod
kubectl get pods -n kube-system

calico-kube-controllers-7ddc4f45bc-snh9v 1/1 Running 1 (2m10s ago) 158m
calico-node-5mnpd 1/1 Running 1 (2m10s ago) 158m
calico-node-s6w74 1/1 Running 0 156m
coredns-66f779496c-cvwjx 1/1 Running 1 (2m10s ago) 171m
coredns-66f779496c-qx7fr 1/1 Running 1 (2m10s ago) 171m
etcd-k8s-master 1/1 Running 1 (2m10s ago) 171m
kube-apiserver-k8s-master 1/1 Running 1 (2m10s ago) 171m
kube-controller-manager-k8s-master 1/1 Running 1 (2m10s ago) 171m
kube-proxy-k7c6l 1/1 Running 1 (2m10s ago) 171m
kube-proxy-stft6 1/1 Running 0 156m
kube-scheduler-k8s-master 1/1 Running 1 (2m10s ago) 171m

找出名称后,可以查看该pod的日志
kubectl logs -n kube-system

调用 kubectl get pods -n kube-system
如果响应
root@k8s-master:~# kubectl get pods -n kube-system
The connection to the server 192.168.0.147:6443 was refused - did you specify the right host or port?
说明kubelet停了,需要调用
sudo systemctl restart kubelet 重启,

journalctl -u kubelet 可查看kubelet日志

相关实践学习
通过Ingress进行灰度发布
本场景您将运行一个简单的应用,部署一个新的应用用于新的发布,并通过Ingress能力实现灰度发布。
容器应用与集群管理
欢迎来到《容器应用与集群管理》课程,本课程是“云原生容器Clouder认证“系列中的第二阶段。课程将向您介绍与容器集群相关的概念和技术,这些概念和技术可以帮助您了解阿里云容器服务ACK/ACK Serverless的使用。同时,本课程也会向您介绍可以采取的工具、方法和可操作步骤,以帮助您了解如何基于容器服务ACK Serverless构建和管理企业级应用。 学习完本课程后,您将能够: 掌握容器集群、容器编排的基本概念 掌握Kubernetes的基础概念及核心思想 掌握阿里云容器服务ACK/ACK Serverless概念及使用方法 基于容器服务ACK Serverless搭建和管理企业级网站应用
目录
相关文章
|
22天前
|
弹性计算 人工智能 Serverless
阿里云ACK One:注册集群云上节点池(CPU/GPU)自动弹性伸缩,助力企业业务高效扩展
在当今数字化时代,企业业务的快速增长对IT基础设施提出了更高要求。然而,传统IDC数据中心却在业务存在扩容慢、缩容难等问题。为此,阿里云推出ACK One注册集群架构,通过云上节点池(CPU/GPU)自动弹性伸缩等特性,为企业带来全新突破。
|
1月前
|
专有云 Serverless 持续交付
亚太唯一,阿里云再度入选Gartner®容器管理魔力象限领导者
Gartner正式发布 2024《容器管理魔力象限》报告,阿里云再度成为中国唯一一家入选「领导者象限」的科技公司。
|
1月前
|
人工智能 专有云 Serverless
亚太唯一!阿里云再度入选Gartner®容器管理魔力象限领导者
亚太唯一!阿里云再度入选Gartner®容器管理魔力象限领导者
105 2
|
14天前
|
Kubernetes Ubuntu Linux
我应该如何安装Kubernetes
我应该如何安装Kubernetes
|
14天前
|
Kubernetes 监控 Java
如何在Kubernetes中配置镜像和容器的定期垃圾回收
如何在Kubernetes中配置镜像和容器的定期垃圾回收
|
1月前
|
Kubernetes Ubuntu Docker
从0开始搞K8S:使用Ubuntu进行安装(环境安装)
通过上述步骤,你已经在Ubuntu上成功搭建了一个基本的Kubernetes单节点集群。这只是开始,Kubernetes的世界广阔且深邃,接下来你可以尝试部署应用、了解Kubernetes的高级概念如Services、Deployments、Ingress等,以及探索如何利用Helm等工具进行应用管理,逐步提升你的Kubernetes技能树。记住,实践是最好的老师,不断实验与学习,你将逐渐掌握这一强大的容器编排技术。
162 1
|
1月前
|
Kubernetes Linux 开发工具
centos7通过kubeadm安装k8s 1.27.1版本
centos7通过kubeadm安装k8s 1.27.1版本
|
1月前
|
Oracle Java 关系型数据库
在 Debian 12 上安装 Java 21
在 Debian 12 上安装 Java 21
|
1月前
|
Kubernetes Docker 容器
rancher docker k8s安装(二)
rancher docker k8s安装(二)
49 0
|
8天前
|
Kubernetes 监控 Cloud Native
Kubernetes集群的高可用性与伸缩性实践
Kubernetes集群的高可用性与伸缩性实践
33 1

相关产品

  • 容器服务Kubernetes版
  • 下一篇
    无影云桌面