为了在Kubernetes上搭建RabbitMQ3.7.X Cluster,踩爆无数坑,官方整合了第三方开源项目但没有完整demo,网上的post都是RabbitMQ 3.6.X旧版的部署方案,几经周折,最终弄明白在Kubernetes集群下,基于Kubernetes Discovery,使用hostname方式部署RabbitMQ3.7.X Cluster,总结如下:
1. IP模式
rabbitmq-peer-discovery-k8s是RabbitMQ官方基于第三方开源项目rabbitmq-autocluster开发,对3.7.X版本提供的Kubernetes下的同行发现插件,但官方只提供了一个基于IP模式的demo
kind: Service apiVersion: v1 metadata: namespace: test-rabbitmq name: rabbitmq labels: app: rabbitmq type: LoadBalancer spec: type: NodePort ports: - name: http protocol: TCP port: 15672 targetPort: 15672 nodePort: 31672 - name: amqp protocol: TCP port: 5672 targetPort: 5672 nodePort: 30672 selector: app: rabbitmq --- apiVersion: v1 kind: ConfigMap metadata: name: rabbitmq-config namespace: test-rabbitmq data: enabled_plugins: | [rabbitmq_management,rabbitmq_peer_discovery_k8s]. rabbitmq.conf: | ## Cluster formation. See http://www.rabbitmq.com/cluster-formation.html to learn more. cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s cluster_formation.k8s.host = kubernetes.default.svc.cluster.local ## Should RabbitMQ node name be computed from the pod's hostname or IP address? ## IP addresses are not stable, so using [stable] hostnames is recommended when possible. ## Set to "hostname" to use pod hostnames. ## When this value is changed, so should the variable used to set the RABBITMQ_NODENAME ## environment variable. cluster_formation.k8s.address_type = ip ## How often should node cleanup checks run? cluster_formation.node_cleanup.interval = 30 ## Set to false if automatic removal of unknown/absent nodes ## is desired. This can be dangerous, see ## * http://www.rabbitmq.com/cluster-formation.html#node-health-checks-and-cleanup ## * https://groups.google.com/forum/#!msg/rabbitmq-users/wuOfzEywHXo/k8z_HWIkBgAJ cluster_formation.node_cleanup.only_log_warning = true cluster_partition_handling = autoheal ## See http://www.rabbitmq.com/ha.html#master-migration-data-locality queue_master_locator=min-masters ## See http://www.rabbitmq.com/access-control.html#loopback-users loopback_users.guest = false --- apiVersion: apps/v1beta1 kind: StatefulSet metadata: name: rabbitmq namespace: test-rabbitmq spec: serviceName: rabbitmq replicas: 3 template: metadata: labels: app: rabbitmq spec: serviceAccountName: rabbitmq terminationGracePeriodSeconds: 10 containers: - name: rabbitmq-k8s image: rabbitmq:3.7 volumeMounts: - name: config-volume mountPath: /etc/rabbitmq ports: - name: http protocol: TCP containerPort: 15672 - name: amqp protocol: TCP containerPort: 5672 livenessProbe: exec: command: ["rabbitmqctl", "status"] initialDelaySeconds: 60 periodSeconds: 60 timeoutSeconds: 10 readinessProbe: exec: command: ["rabbitmqctl", "status"] initialDelaySeconds: 20 periodSeconds: 60 timeoutSeconds: 10 imagePullPolicy: Always env: - name: MY_POD_IP valueFrom: fieldRef: fieldPath: status.podIP - name: RABBITMQ_USE_LONGNAME value: "true" # See a note on cluster_formation.k8s.address_type in the config file section - name: RABBITMQ_NODENAME value: "rabbit@$(MY_POD_IP)" - name: K8S_SERVICE_NAME value: "rabbitmq" - name: RABBITMQ_ERLANG_COOKIE value: "mycookie" volumes: - name: config-volume configMap: name: rabbitmq-config items: - key: rabbitmq.conf path: rabbitmq.conf - key: enabled_plugins path: enabled_plugins
在ConfigMap配置项中,指明 cluster_formation.k8s.address_type = ip,也就是说RabbitMQ Node的命名和访问地址是以IP地址作为区分,如rabbit@172.0.5.1
但这样的配置会产生比较大的问题,如果我们使用pv和pvc去做数据的持久化,那么每个节点的配置和数据存储都会放在rabbit@172.0.5.1这样的文件夹下,而Kubernetes集群中,Pod的IP都是不稳定的,当有RabbitMQ Node的Pod挂掉后,重新创建的Pod IP可能会变,这就会使得节点的配置和数据全部丢失。
所以我们更希望RabbitMQ Node的命名是以一定规则编写的相对稳定的名称,如rabbit@rabbit-0,这就需要修改 cluster_formation.k8s.address_type = hostname,以启用hostname模式。
但直接修改address_type 并不能满足要求,注释部分也描述了“Set to hostname to use pod hostnames. When this value is changed, so should the variable used to set the RABBITMQ_NODENAME”。那么RABBITMQ_NODENAME该如何设置,就必须先要了解如何用hostname访问pod
2. Pod与Service的DNS
Kubernetes官方讲述了如何用hostname访问service和pod:dns-pod-service,
其中对于service,可以直接使用my-svc.my-namespace.svc.cluster.local进行访问;而对于pod,则需使用pod-ip-address.my-namespace.pod.cluster.local进行访问,但这里却仍显式的应用到了pod的ip。我们希望脱离ip对pod进行访问,很不幸的是,pod确实无法直接通过hostname访问,不过却有个曲线救国的方案。
apiVersion: v1 kind: Service metadata: name: default-subdomain # 和pod的subdomain相同 spec: selector: name: busybox clusterIP: None # clusterIP: None表示这是一个headless service ports: - name: foo # 没啥用 port: 1234 targetPort: 1234 --- apiVersion: v1 kind: Pod metadata: name: busybox1 labels: name: busybox spec: hostname: busybox-1 # 默认使用metadata.name作为hostname,也可指定设置 subdomain: default-subdomain containers: - image: busybox command: - sleep - "3600" name: busybox
如上面代码所示,我们需要一个headless service来作为中介,这样就可以使用busybox-1.default-subdomain.default.svc.cluster.local来访问pod了(hostname.subdomain.my-namespace.svc.cluster.local)
3. Statefulset 与Headless Service
了解了如何用hostname访问Pod还不足以解决问题,在RabbitMQ的配置中,我们使用的是StatefulSet,那么StatefulSet如何用Headless Service去做Pod的hostname访问呢?
Kubernetes(StatefulSets在1.9版本后已经是一个稳定功能)官方也给出了详细的说明:statefulset
Demo和注释如下:
apiVersion: v1 kind: Service metadata: name: nginx labels: app: nginx spec: ports: - port: 80 name: web clusterIP: None # 是一个headless service selector: app: nginx --- apiVersion: apps/v1 # 需要注意如果是apps/v1,.spec.selector.matchLabels和.spec.template.metadata.labels要相同;如果是apps/v1beta,可以省略.spec.selector.matchLabels kind: StatefulSet metadata: name: web spec: selector: matchLabels: app: nginx # 需要与 .spec.template.metadata.labels 相同,但无需与headless service name相同 serviceName: "nginx" # 需要与headless service name相同 replicas: 3 template: metadata: labels: app: nginx # 需要与 .spec.selector.matchLabels 相同,但无需与headless service name相同 spec: terminationGracePeriodSeconds: 10 containers: - name: nginx image: k8s.gcr.io/nginx-slim:0.8 ports: - containerPort: 80 name: web
需要特别注意的是,网上很多例子的StatefulSet用的apps/v1beta
4. hostname模式
在我查找的众多资料中,在Kubernetes中
讲RabbitMQ 3.6.X部署的,https://www.kubernetes.org.cn/2629.html 这篇讲的比较清楚
讲RabbitMQ 3.7.X部署的,https://habr.com/company/eastbanctech/blog/419817 这篇俄文的Post讲的比较清楚,但它也是用的apps/v1beta,同时有大量的重复配置,不知道哪些可用哪些无用,还有一个最致命的问题是按照它的配置部署后,readinessProbe老报错,说DNS解析出现问题。几经折腾,才明白因为用Headless Service去做Pod的hostname访问,需要等Pod和Service都启动后才能访问,而readiness探针还没等DNS正常就去探查服务是否可用,所以才会误认为服务不可达,最终无法启动Pod。解决办法是给Headless Service设置publishNotReadyAddresses: true
我的配置文件如下所示:
apiVersion: v1 kind: Namespace metadata: name: rabbitmq --- apiVersion: v1 kind: ServiceAccount metadata: name: rabbitmq namespace: rabbitmq --- kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: endpoint-reader namespace: rabbitmq rules: - apiGroups: [""] resources: ["endpoints"] verbs: ["get"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: endpoint-reader namespace: rabbitmq subjects: - kind: ServiceAccount name: rabbitmq roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: endpoint-reader --- apiVersion: v1 kind: PersistentVolume metadata: name: rabbitmq-data labels: release: rabbitmq-data namespace: rabbitmq spec: capacity: storage: 10Gi accessModes: - ReadWriteMany persistentVolumeReclaimPolicy: Retain nfs: path: /rabbit server: xxxxx # nas地址 --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: rabbitmq-data-claim namespace: rabbitmq spec: accessModes: - ReadWriteMany resources: requests: storage: 10Gi selector: matchLabels: release: rabbitmq-data --- # headless service 用于使用hostname访问pod kind: Service apiVersion: v1 metadata: name: rabbitmq-headless namespace: rabbitmq spec: clusterIP: None # publishNotReadyAddresses, when set to true, indicates that DNS implementations must publish the notReadyAddresses of subsets for the Endpoints associated with the Service. The default value is false. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate SRV records for its Pods without respect to their readiness for purpose of peer discovery. This field will replace the service.alpha.kubernetes.io/tolerate-unready-endpoints when that annotation is deprecated and all clients have been converted to use this field. # 由于使用DNS访问Pod需Pod和Headless service启动之后才能访问,publishNotReadyAddresses设置成true,防止readinessProbe在服务没启动时找不到DNS publishNotReadyAddresses: true ports: - name: amqp port: 5672 - name: http port: 15672 selector: app: rabbitmq --- # 用于暴露dashboard到外网 kind: Service apiVersion: v1 metadata: namespace: rabbitmq name: rabbitmq-service spec: type: NodePort ports: - name: http protocol: TCP port: 15672 targetPort: 15672 nodePort: 15672 # 注意k8s默认情况下,nodeport要在30000~32767之间,可以自行修改 - name: amqp protocol: TCP port: 5672 targetPort: 5672 # 注意如果你想在外网下访问mq,需要增配nodeport selector: app: rabbitmq --- apiVersion: v1 kind: ConfigMap metadata: name: rabbitmq-config namespace: rabbitmq data: enabled_plugins: | [rabbitmq_management,rabbitmq_peer_discovery_k8s]. rabbitmq.conf: | cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s cluster_formation.k8s.host = kubernetes.default.svc.cluster.local cluster_formation.k8s.address_type = hostname cluster_formation.node_cleanup.interval = 10 cluster_formation.node_cleanup.only_log_warning = true cluster_partition_handling = autoheal queue_master_locator=min-masters loopback_users.guest = false cluster_formation.randomized_startup_delay_range.min = 0 cluster_formation.randomized_startup_delay_range.max = 2 # 必须设置service_name,否则Pod无法正常启动,这里设置后可以不设置statefulset下env中的K8S_SERVICE_NAME变量 cluster_formation.k8s.service_name = rabbitmq-headless # 必须设置hostname_suffix,否则节点不能成为集群 cluster_formation.k8s.hostname_suffix = .rabbitmq-headless.rabbitmq.svc.cluster.local # 内存上限 vm_memory_high_watermark.absolute = 1.6GB # 硬盘上限 disk_free_limit.absolute = 2GB --- # 使用apps/v1版本代替apps/v1beta apiVersion: apps/v1 kind: StatefulSet metadata: name: rabbitmq namespace: rabbitmq spec: serviceName: rabbitmq-headless # 必须与headless service的name相同,用于hostname传播访问pod selector: matchLabels: app: rabbitmq # 在apps/v1中,需与 .spec.template.metadata.label 相同,用于hostname传播访问pod,而在apps/v1beta中无需这样做 replicas: 3 template: metadata: labels: app: rabbitmq # 在apps/v1中,需与 .spec.selector.matchLabels 相同 # 设置podAntiAffinity annotations: scheduler.alpha.kubernetes.io/affinity: > { "podAntiAffinity": { "requiredDuringSchedulingIgnoredDuringExecution": [{ "labelSelector": { "matchExpressions": [{ "key": "app", "operator": "In", "values": ["rabbitmq"] }] }, "topologyKey": "kubernetes.io/hostname" }] } } spec: serviceAccountName: rabbitmq terminationGracePeriodSeconds: 10 containers: - name: rabbitmq image: registry-vpc.cn-shenzhen.aliyuncs.com/heygears/rabbitmq:3.7 resources: limits: cpu: 0.5 memory: 2Gi requests: cpu: 0.3 memory: 2Gi volumeMounts: - name: config-volume mountPath: /etc/rabbitmq - name: rabbitmq-data mountPath: /var/lib/rabbitmq/mnesia ports: - name: http protocol: TCP containerPort: 15672 - name: amqp protocol: TCP containerPort: 5672 livenessProbe: exec: command: ["rabbitmqctl", "status"] initialDelaySeconds: 60 periodSeconds: 60 timeoutSeconds: 5 readinessProbe: exec: command: ["rabbitmqctl", "status"] initialDelaySeconds: 20 periodSeconds: 60 timeoutSeconds: 5 imagePullPolicy: Always env: - name: HOSTNAME valueFrom: fieldRef: fieldPath: metadata.name - name: RABBITMQ_USE_LONGNAME value: "true" - name: RABBITMQ_NODENAME value: "rabbit@$(HOSTNAME).rabbitmq-headless.rabbitmq.svc.cluster.local" # 若在ConfigMap中设置了service_name,则此处无需再次设置 # - name: K8S_SERVICE_NAME # value: "rabbitmq-headless" - name: RABBITMQ_ERLANG_COOKIE value: "mycookie" volumes: - name: config-volume configMap: name: rabbitmq-config items: - key: rabbitmq.conf path: rabbitmq.conf - key: enabled_plugins path: enabled_plugins - name: rabbitmq-data persistentVolumeClaim: claimName: rabbitmq-data-claim
至此,终于在Kubernetes上部署完成RabbitMQ Cluster 3.7.X
本文转自中文社区-在Kubernetes上搭建RabbitMQ Cluster
