kubernetes集群环境搭建(4)

kubernetes集群环境搭建(4)

一、kubernetes集群环境搭建

1.1.1 安装部署主控节点服务apiserver

1.部署kube-apiserver集群

主机名 角色 ip
hdss-21 kube-apiserver 10.0.0.21
hdss-22 kube-apiserver 10.0.0.22
hdss-11 4层负载均衡 10.0.0.11
hdss-12 4层负载均衡 10.0.0.12

使用nginx做4层负载均衡器,用keepalive跑一个vip,代理两个kube-apiserver,实现高可用.
2.下载上传kubernetes-server

下载地址:https://github.com/kubernetes/kubernetes/
[root@hdss-21.host.com ~]# cd /opt/src
[root@hdss-21.host.com /opt/src]# ll
total 442992
-rw-r--r-- 1 root root   9850227 Apr 27 14:37 etcd-v3.1.20-linux-amd64.tar.gz
-rw-r--r-- 1 root root 443770238 Apr 27 14:44 kubernetes-server-linux-amd64-v1.15.2.tar.gz

3.解压做软连接

#21
[root@hdss-21.host.com /opt/src]# tar zxf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@hdss-21.host.com /opt/src]# mv /opt/kubernetes /opt/kubernetes-v1.15.2
[root@hdss-21.host.com /opt/src]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[root@hdss-21.host.com /opt/src]# ll -ld /opt/kubernetes
lrwxrwxrwx 1 root root 24 Jun 13 21:05 /opt/kubernetes -> /opt/kubernetes-v1.15.2/
[root@hdss-21.host.com /opt/src]# cd /opt/kubernetes/
[root@hdss-21.host.com /opt/kubernetes]# ll
total 27184
drwxr-xr-x 2 root root        6 Aug  5  2019 addons
-rw-r--r-- 1 root root 26625140 Aug  5  2019 kubernetes-src.tar.gz
-rw-r--r-- 1 root root  1205293 Aug  5  2019 LICENSES
drwxr-xr-x 3 root root       17 Aug  5  2019 server

#22操作同上
  1. 因为我们是二进制安装的,所以(可删可留)一些用不到的tar包
[root@hdss-21.host.com /opt/kubernetes]# rm -f kubernetes-src.tar.gz #源码包
[root@hdss-21.host.com /opt/kubernetes]# cd server/bin/
[root@hdss-21.host.com /opt/kubernetes/server/bin]# ls 
apiextensions-apiserver              kube-apiserver                      kubectl                kube-scheduler.docker_tag
cloud-controller-manager             kube-apiserver.docker_tag           kubelet                kube-scheduler.tar
cloud-controller-manager.docker_tag  kube-apiserver.tar                  kube-proxy             mounter
cloud-controller-manager.tar         kube-controller-manager             kube-proxy.docker_tag
hyperkube                            kube-controller-manager.docker_tag  kube-proxy.tar
kubeadm                              kube-controller-manager.tar         kube-scheduler
#后缀是tar(镜像)和tag(标签)都要删除
[root@hdss-21.host.com /opt/kubernetes/server/bin]# rm -f *.tar
[root@hdss-21.host.com /opt/kubernetes/server/bin]# rm -f *_tag
[root@hdss-21.host.com /opt/kubernetes/server/bin]# ll
total 884636
-rwxr-xr-x 1 root root  43534816 Aug  5  2019 apiextensions-apiserver
-rwxr-xr-x 1 root root 100548640 Aug  5  2019 cloud-controller-manager
-rwxr-xr-x 1 root root 200648416 Aug  5  2019 hyperkube
-rwxr-xr-x 1 root root  40182208 Aug  5  2019 kubeadm
-rwxr-xr-x 1 root root 164501920 Aug  5  2019 kube-apiserver
-rwxr-xr-x 1 root root 116397088 Aug  5  2019 kube-controller-manager
-rwxr-xr-x 1 root root  42985504 Aug  5  2019 kubectl
-rwxr-xr-x 1 root root 119616640 Aug  5  2019 kubelet
-rwxr-xr-x 1 root root  36987488 Aug  5  2019 kube-proxy
-rwxr-xr-x 1 root root  38786144 Aug  5  2019 kube-scheduler
-rwxr-xr-x 1 root root   1648224 Aug  5  2019 mounter
  1. 签发证书,签发apiserver-client证书:apiserver与etc通信用的证书。apiserver是客户端,etcd是服务端
#在hdss-201上操作
[root@hdss-201.host.com ~]# cd /opt/certs/
[root@hdss-201.host.com /opt/certs]# vim client-csr.json
[root@hdss-201.host.com /opt/certs]# cat client-csr.json 
{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "guizhou",
            "L": "guiyang",
            "O": "od",
            "OU": "ops"
        }
    ]
}

[root@hdss-201.host.com /opt/certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
2020/06/13 21:23:17 [INFO] generate received request
2020/06/13 21:23:17 [INFO] received CSR
2020/06/13 21:23:17 [INFO] generating key: rsa-2048
2020/06/13 21:23:17 [INFO] encoded CSR
2020/06/13 21:23:17 [INFO] signed certificate with serial number 164742628745058938739196176750276413219457623573
2020/06/13 21:23:17 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@hdss-201.host.com /opt/certs]# ll
total 56
-rw-r--r-- 1 root root  585 Apr 27 13:49 apiserver-csr.json
-rw-r--r-- 1 root root  840 Jun 12 21:24 ca-config.json
-rw-r--r-- 1 root root  993 Jun 10 21:49 ca.csr
-rw-r--r-- 1 root root  345 Jun 10 21:48 ca-csr.json
-rw------- 1 root root 1675 Jun 10 21:49 ca-key.pem
-rw-r--r-- 1 root root 1346 Jun 10 21:49 ca.pem
-rw-r--r-- 1 root root  993 Jun 13 21:23 client.csr
-rw-r--r-- 1 root root  280 Jun 13 21:22 client-csr.json
-rw------- 1 root root 1675 Jun 13 21:23 client-key.pem
-rw-r--r-- 1 root root 1363 Jun 13 21:23 client.pem
-rw-r--r-- 1 root root 1062 Jun 12 21:33 etcd-peer.csr
-rw-r--r-- 1 root root  363 Jun 12 21:27 etcd-peer-csr.json
-rw------- 1 root root 1679 Jun 12 21:33 etcd-peer-key.pem
-rw-r--r-- 1 root root 1428 Jun 12 21:33 etcd-peer.pem
  1. 创建签名请求(csr)的JSON配置文件,apiserver,server端证书
[root@hdss-201.host.com /opt/certs]# vim apiserver-csr.json 
[root@hdss-201.host.com /opt/certs]# cat apiserver-csr.json 
{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "192.168.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "10.0.0.10",  #高可用vip
        "10.0.0.21",
        "10.0.0.22",
        "10.0.0.23"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "guizhou",
            "L": "guiyang",
            "O": "od",
            "OU": "ops"
        }
    ]
}

[root@hdss-201.host.com /opt/certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
\2020/06/13 21:35:49 [INFO] generate received request
2020/06/13 21:35:49 [INFO] received CSR
2020/06/13 21:35:49 [INFO] generating key: rsa-2048
2020/06/13 21:35:49 [INFO] encoded CSR
2020/06/13 21:35:49 [INFO] signed certificate with serial number 529471702081305162274454544664990111192752224227
2020/06/13 21:35:49 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@hdss-201.host.com /opt/certs]# ll
total 68
-rw-r--r-- 1 root root 1249 Jun 13 21:35 apiserver.csr
-rw-r--r-- 1 root root  566 Jun 13 21:31 apiserver-csr.json
-rw------- 1 root root 1679 Jun 13 21:35 apiserver-key.pem
-rw-r--r-- 1 root root 1598 Jun 13 21:35 apiserver.pem
-rw-r--r-- 1 root root  840 Jun 12 21:24 ca-config.json
-rw-r--r-- 1 root root  993 Jun 10 21:49 ca.csr
-rw-r--r-- 1 root root  345 Jun 10 21:48 ca-csr.json
-rw------- 1 root root 1675 Jun 10 21:49 ca-key.pem
-rw-r--r-- 1 root root 1346 Jun 10 21:49 ca.pem
-rw-r--r-- 1 root root  993 Jun 13 21:23 client.csr
-rw-r--r-- 1 root root  280 Jun 13 21:22 client-csr.json
-rw------- 1 root root 1675 Jun 13 21:23 client-key.pem
-rw-r--r-- 1 root root 1363 Jun 13 21:23 client.pem
-rw-r--r-- 1 root root 1062 Jun 12 21:33 etcd-peer.csr
-rw-r--r-- 1 root root  363 Jun 12 21:27 etcd-peer-csr.json
-rw------- 1 root root 1679 Jun 12 21:33 etcd-peer-key.pem
-rw-r--r-- 1 root root 1428 Jun 12 21:33 etcd-peer.pem
  1. 拷贝证书
#21
[root@hdss-21.host.com /opt/kubernetes/server/bin]# mkdir certs
[root@hdss-21.host.com /opt/kubernetes/server/bin]# cd certs/
[root@hdss-21.host.com /opt/kubernetes/server/bin/certs]# scp hdss-201:/opt/certs/ca.pem ./
root@hdss-201‘s password: 
ca.pem                                                                                             100% 1346   878.7KB/s   00:00    
[root@hdss-21.host.com /opt/kubernetes/server/bin/certs]# scp hdss-201:/opt/certs/ca-key.pem ./
root@hdss-201‘s password: 
ca-key.pem                                                                                         100% 1675     2.0MB/s   00:00    
[root@hdss-21.host.com /opt/kubernetes/server/bin/certs]# scp hdss-201:/opt/certs/client.pem ./
root@hdss-201‘s password: 
client.pem                                                                                         100% 1363     1.6MB/s   00:00    
[root@hdss-21.host.com /opt/kubernetes/server/bin/certs]# scp hdss-201:/opt/certs/client-key.pem ./
root@hdss-201‘s password: 
client-key.pem                                                                                     100% 1675     2.2MB/s   00:00    
[root@hdss-21.host.com /opt/kubernetes/server/bin/certs]# scp hdss-201:/opt/certs/apiserver.pem ./
root@hdss-201‘s password: 
apiserver.pem                                                                                      100% 1598     1.3MB/s   00:00    
[root@hdss-21.host.com /opt/kubernetes/server/bin/certs]# scp hdss-201:/opt/certs/apiserver-key.pem ./
root@hdss-201‘s password: 
apiserver-key.pem                                                                                  100% 1679     1.7MB/s   00:00 

[root@hdss-21.host.com /opt/kubernetes/server/bin/certs]# ll
total 24
-rw------- 1 root root 1679 Jun 13 21:49 apiserver-key.pem
-rw-r--r-- 1 root root 1598 Jun 13 21:48 apiserver.pem
-rw------- 1 root root 1675 Jun 13 21:47 ca-key.pem
-rw-r--r-- 1 root root 1346 Jun 13 21:46 ca.pem
-rw------- 1 root root 1675 Jun 13 21:48 client-key.pem
-rw-r--r-- 1 root root 1363 Jun 13 21:48 client.pem

#22 操作同上

8.创建启动配置脚本

[root@hdss-21.host.com /opt/kubernetes/server/bin/certs]# cd ..
[root@hdss-21.host.com /opt/kubernetes/server/bin]# mkdir config
[root@hdss-21.host.com /opt/kubernetes/server/bin/config]# vim audit.yaml 
[root@hdss-21.host.com /opt/kubernetes/server/bin/config]# cat audit.yaml 
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don‘t generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn‘t match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don‘t log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don‘t log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don‘t log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"

#22操作同上
  1. 编写启动脚本
#21
[root@hdss-21.host.com /opt/kubernetes/server/bin/config]# cd ..
[root@hdss-21.host.com /opt/kubernetes/server/bin]# ./kube-apiserver --help #查看可选参数命令
The Kubernetes API server validates and configures data
for the api objects which include pods, services, replicationcontrollers, and
others. The API Server services REST operations and provides the frontend to the
cluster‘s shared state through which all other components interact.

[root@hdss-21.host.com /opt/kubernetes/server/bin]# vim /opt/kubernetes/server/bin/kube-apiserver.sh
[root@hdss-22.host.com /opt/kubernetes/server/bin]# cat /opt/kubernetes/server/bin/kube-apiserver.sh 
#!/bin/bash
./kube-apiserver   --apiserver-count 2   --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log   --audit-policy-file ./config/audit.yaml   --authorization-mode RBAC   --client-ca-file ./certs/ca.pem   --requestheader-client-ca-file ./certs/ca.pem   --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota   --etcd-cafile ./certs/ca.pem   --etcd-certfile ./certs/client.pem   --etcd-keyfile ./certs/client-key.pem   --etcd-servers https://10.0.0.12:2379,https://10.0.0.21:2379,https://10.0.0.22:2379   --service-account-key-file ./certs/ca-key.pem   --service-cluster-ip-range 192.168.0.0/16   --service-node-port-range 3000-29999   --target-ram-mb=1024   --kubelet-client-certificate ./certs/client.pem   --kubelet-client-key ./certs/client-key.pem   --log-dir  /data/logs/kubernetes/kube-apiserver   --tls-cert-file ./certs/apiserver.pem   --tls-private-key-file ./certs/apiserver-key.pem   --v 2

#赋予执行权限
[root@hdss-21.host.com /opt/kubernetes/server/bin]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[root@hdss-21.host.com /opt/kubernetes/server/bin]# ll /opt/kubernetes/server/bin/kube-apiserver.sh
-rwxr-xr-x 1 root root 1093 Jun 13 22:31 /opt/kubernetes/server/bin/kube-apiserver.sh

#创建日志文件目录
[root@hdss-21.host.com /opt/kubernetes/server/bin]# mkdir -p /data/logs/kubernetes/kube-apiserver
[root@hdss-21.host.com /opt/kubernetes/server/bin]# ll /data/logs/kubernetes/
total 0
drwxr-xr-x 2 root root 6 Jun 13 22:33 kube-apiserver
#22同上
  1. 创建后台启动文件
[root@hdss-21.host.com /opt/kubernetes/server/bin]# vim /etc/supervisord.d/kube-apiserver.ini
[root@hdss-21.host.com /opt/kubernetes/server/bin]# cat /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-21]	#主机是22就改成22			
command=/opt/kubernetes/server/bin/kube-apiserver.sh            ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; retstart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; ‘expected‘ exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log        ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in ‘capturemode‘ (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)

[root@hdss-21.host.com /opt/kubernetes/server/bin]# supervisorctl update
[root@hdss-21.host.com /opt/kubernetes/server/bin]# netstat -luntp | grep kube-api
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1657/./kube-apiserv 
tcp6       0      0 :::6443                 :::*                    LISTEN      1657/./kube-apiserv 
#22操作同上

二、安装部署主控节点4层反向代理服务

2.1.1 安装部署主控节点4层反向代理服务

  1. 部署原因

部署在hdss-11 hdss-12机器上,用VIP:10.0.0.10的7443端口,反代hdss-21、hdss-22的apiserver6443端口

  1. 下载安装并配置nginx
#11
[root@hdss-11.host.com ~]# yum install -y nginx
[root@hdss-11.host.com ~]# vim /etc/nginx/nginx.conf
#注意因为这是四层代理所以配置在最后,不要配置在http模块里面(切记一定要配置在最后)
stream {  
    upstream kube-apiserver {
        server 10.0.0.21:6443     max_fails=3 fail_timeout=30s;
        server 10.0.0.22:6443     max_fails=3 fail_timeout=30s;
    }
    server {
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
    }
}
#12操作同上
  1. 检查配置文件启动
#11
[root@hdss-11.host.com ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@hdss-11.host.com ~]# systemctl start nginx
[root@hdss-11.host.com ~]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@hdss-11.host.com ~]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-06-14 22:07:26 CST; 18s ago
 Main PID: 5120 (nginx)
   CGroup: /system.slice/nginx.service
           ├─5120 nginx: master process /usr/sbin/nginx
           └─5121 nginx: worker process

Jun 14 22:07:26 hdss-11.host.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jun 14 22:07:26 hdss-11.host.com nginx[5114]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jun 14 22:07:26 hdss-11.host.com nginx[5114]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jun 14 22:07:26 hdss-11.host.com systemd[1]: Failed to parse PID from file /run/nginx.pid: Invalid argument
Jun 14 22:07:26 hdss-11.host.com systemd[1]: Started The nginx HTTP and reverse proxy server.
[root@hdss-11.host.com ~]# netstat -luntp|grep 7443
tcp        0      0 0.0.0.0:7443            0.0.0.0:*               LISTEN      5120/nginx: master  

#12配置同上
  1. 下载配置keepalived高可用
#11
[root@hdss-11.host.com ~]# yum install  keepalived -y
创建健康检查脚本
[root@hdss-11.host.com /etc/keepalived]# vim /etc/keepalived/check_port.sh
[root@hdss-11.host.com /etc/keepalived]# cat /etc/keepalived/check_port.sh
#!/bin/bash
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
        PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
        if [ $PORT_PROCESS -eq 0 ];then
                echo "Port $CHK_PORT Is Not Used,End."
                exit 1
        fi
else
        echo "Check Port Cant Be Empty!"
fi
[root@hdss-11.host.com /etc/keepalived]# chmod +x /etc/keepalived/check_port.sh
[root@hdss-11.host.com /etc/keepalived]# ll /etc/keepalived/check_port.sh
-rwxr-xr-x 1 root root 281 Jun 14 22:37 /etc/keepalived/check_port.sh

配置keepalived文件
[root@hdss-11.host.com /etc/keepalived]# vim keepalived.conf 
[root@hdss-11.host.com /etc/keepalived]# cat keepalived.conf 
! Configuration File for keepalived

global_defs {
   router_id 10.0.0.11

}

vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 10.0.0.11
    nopreempt

    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
         chk_nginx
    }
    virtual_ipaddress {
        10.0.0.10/24 dev eth0 label eth0:1
    }
}
#12 只需要该更keepalived配置文件即可 ,其它操作相同
[root@hdds-12.host.com /etc/keepalived]# cat keepalived.conf 
! Configuration File for keepalived
global_defs {
	router_id 10.0.0.12
	script_user root
        enable_script_security 
}
vrrp_script chk_nginx {
	script "/etc/keepalived/check_port.sh 7443"
	interval 2
	weight -20
}
vrrp_instance VI_1 {
	state BACKUP
	interface eth0
	virtual_router_id 251
	mcast_src_ip 10.0.0.12
	priority 90
	advert_int 1
	authentication {
		auth_type PASS
		auth_pass 11111111
	}
	track_script {
		chk_nginx
	}
	virtual_ipaddress {
	   10.0.0.10/24 dev eth0 label eth0:1
	}
}
  1. 启动keepalived
#11
[root@hdss-11.host.com /etc/keepalived]# systemctl start keepalived
[root@hdss-11.host.com /etc/keepalived]# systemctl enable keepalived
Created symlink from /etc/systemd/system/multi-user.target.wants/keepalived.service to /usr/lib/systemd/system/keepalived.service.
[root@hdss-11.host.com /etc/keepalived]# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-06-14 22:50:08 CST; 18s ago
 Main PID: 5324 (keepalived)
   CGroup: /system.slice/keepalived.service
           ├─5324 /usr/sbin/keepalived -D
           ├─5325 /usr/sbin/keepalived -D
           └─5326 /usr/sbin/keepalived -D

Jun 14 22:50:10 hdss-11.host.com Keepalived_vrrp[5326]: Sending gratuitous ARP on eth0 for 10.0.0.10
Jun 14 22:50:10 hdss-11.host.com Keepalived_vrrp[5326]: Sending gratuitous ARP on eth0 for 10.0.0.10
Jun 14 22:50:10 hdss-11.host.com Keepalived_vrrp[5326]: Sending gratuitous ARP on eth0 for 10.0.0.10
Jun 14 22:50:10 hdss-11.host.com Keepalived_vrrp[5326]: Sending gratuitous ARP on eth0 for 10.0.0.10
Jun 14 22:50:15 hdss-11.host.com Keepalived_vrrp[5326]: Sending gratuitous ARP on eth0 for 10.0.0.10
Jun 14 22:50:15 hdss-11.host.com Keepalived_vrrp[5326]: VRRP_Instance(VI_1) Sending/queueing gratuitous ARPs on eth0 for 10.0.0.10
Jun 14 22:50:15 hdss-11.host.com Keepalived_vrrp[5326]: Sending gratuitous ARP on eth0 for 10.0.0.10
Jun 14 22:50:15 hdss-11.host.com Keepalived_vrrp[5326]: Sending gratuitous ARP on eth0 for 10.0.0.10
Jun 14 22:50:15 hdss-11.host.com Keepalived_vrrp[5326]: Sending gratuitous ARP on eth0 for 10.0.0.10
Jun 14 22:50:15 hdss-11.host.com Keepalived_vrrp[5326]: Sending gratuitous ARP on eth0 for 10.0.0.10

[root@hdss-11.host.com /etc/keepalived]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:6e:66:ce brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.0.10/24 scope global secondary eth0:1  #vip
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe6e:66ce/64 scope link 
       valid_lft forever preferred_lft forever
  1. 测试高可用性
#11
[root@hdss-11.host.com /etc/keepalived]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:6e:66:ce brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.0.10/24 scope global secondary eth0:1 #vip
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe6e:66ce/64 scope link 
       valid_lft forever preferred_lft forever

停止hdss-11

#12
[root@hdds-12.host.com /etc/keepalived]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:3e:fb:87 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.12/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.0.10/24 scope global secondary eth0:1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe3e:fb87/64 scope link 
       valid_lft forever preferred_lft forever

kubernetes集群环境搭建(4)

上一篇:android 记一次富文本加载之路


下一篇:JS实现斐波那契列数的三种方法