二进制安装kubernetes v1.11.2 (第十二章 部署docker)
继续前一章部署。
十二、部署docker
12.1 下载和分发 docker 二进制文件
下载页面:https://download.docker.com/linux/static/stable/x86_64/
[k8s@k8s-m1 ~]$cd /home/k8s/k8s [k8s@k8s-m1 k8s]$ wget https://download.docker.com/linux/static/stable/x86_64/docker-18.06.1-ce.tgz [k8s@k8s-m1 k8s]$ tar -xvf docker-18.06.1-ce.tgz
分发二进制文件
source /opt/k8s/bin/environment.sh for node_ip in ${NODE_IPS[@]} do echo ">>> ${node_ip}" scp docker/docker* k8s@${node_ip}:/opt/k8s/bin/ ssh k8s@${node_ip} "chmod +x /opt/k8s/bin/*" done
12.2 创建和分发 systemd unit 文件
[k8s@k8s-m1 k8s]$ cd /opt/k8s/template/ cat > docker.service <<"EOF" [Unit] Description=Docker Application Container Engine Documentation=http://docs.docker.io [Service] Environment="PATH=/opt/k8s/bin:/bin:/sbin:/usr/bin:/usr/sbin" EnvironmentFile=-/run/flannel/docker ExecStart=/opt/k8s/bin/dockerd --log-level=error $DOCKER_NETWORK_OPTIONS ExecReload=/bin/kill -s HUP $MAINPID Restart=on-failure RestartSec=5 LimitNOFILE=infinity LimitNPROC=infinity LimitCORE=infinity Delegate=yes KillMode=process [Install] WantedBy=multi-user.target EOF
- EOF 前后有双引号,这样 bash 不会替换文档中的变量,如 $DOCKER_NETWORK_OPTIONS;
- dockerd 运行时会调用其它 docker 命令,如 docker-proxy,所以需要将 docker 命令所在的目录加到 PATH 环境变量中;
- flanneld 启动时将网络配置写入 /run/flannel/docker 文件中,dockerd 启动前读取该文件中的环境变量 DOCKER_NETWORK_OPTIONS ,然后设置 docker0 网桥网段;
- 如果指定了多个 EnvironmentFile 选项,则必须将 /run/flannel/docker 放在最后(确保 docker0 使用 flanneld 生成的 bip 参数);
- docker 需要以 root 用于运行;
- docker 从 1.13 版本开始,可能将 iptables FORWARD chain的默认策略设置为DROP,从而导致 ping 其它 Node 上的 Pod IP 失败,遇到这种情况时,需要手动设置策略为 ACCEPT:
sudo iptables -P FORWARD ACCEPT
- 并且把以下命令写入 /etc/rc.local 文件中,防止节点重启iptables FORWARD chain的默认策略又还原为DROP
/sbin/iptables -P FORWARD ACCEPT
12.3 分发 systemd unit 文件
source /opt/k8s/bin/environment.sh for node_ip in ${NODE_IPS[@]} do echo ">>> ${node_ip}" scp docker.service root@${node_ip}:/etc/systemd/system/ done
12.4 配置和分发 docker 配置文件
配置国内镜像仓库,以加快 pull image,同时增加下载的并发数(需要重启 docker 生效)
cat > docker-daemon.json <<EOF { "registry-mirrors": ["https://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"], "max-concurrent-downloads": 2 } EOF
分发 docker 配置文件到所有 node 节点:
source /opt/k8s/bin/environment.sh for node_ip in ${NODE_IPS[@]} do echo ">>> ${node_ip}" ssh root@${node_ip} "mkdir -p /etc/docker/" scp docker-daemon.json root@${node_ip}:/etc/docker/daemon.json done
12.5 启动 docker 服务
source /opt/k8s/bin/environment.sh for node_ip in ${NODE_IPS[@]} do echo ">>> ${node_ip}" ## ssh root@${node_ip} "systemctl stop firewalld && systemctl disable firewalld" ## ssh root@${node_ip} "/usr/sbin/iptables -F && /usr/sbin/iptables -X && /usr/sbin/iptables -F -t nat && /usr/sbin/iptables -X -t nat" ## ssh root@${node_ip} "/usr/sbin/iptables -P FORWARD ACCEPT" ## ssh root@${node_ip} 'for intf in /sys/devices/virtual/net/docker0/brif/*; do echo 1 > $intf/hairpin_mode; done' ssh root@${node_ip} "sudo sysctl -p /etc/sysctl.d/k8s.conf" ssh root@${node_ip} "systemctl daemon-reload && systemctl enable docker && systemctl restart docker" done
- 为了安全考虑,防火墙保持开启状态
- 开启 docker0 网桥下虚拟网卡的 hairpin 模式;
12.6 检查服务运行状态
source /opt/k8s/bin/environment.sh for node_ip in ${NODE_IPS[@]} do echo ">>> ${node_ip}" ssh k8s@${node_ip} "systemctl status docker|grep Active" done
- 确保状态为 Active:active (running)
- 查看日志:journalctl -u docker
12.7 检查 docker0 网桥
source /opt/k8s/bin/environment.sh for node_ip in ${NODE_IPS[@]} do echo ">>> ${node_ip}" ssh k8s@${node_ip} "/usr/sbin/ip addr show flannel.1 && /usr/sbin/ip addr show docker0" done
确保各 node 节点的 docker0 网桥和fannel.1 接口处于同一个网段
>>> 192.168.56.20 6: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default link/ether 12:93:72:80:c9:7a brd ff:ff:ff:ff:ff:ff inet 172.30.99.0/32 scope global flannel.1 valid_lft forever preferred_lft forever inet6 fe80::1093:72ff:fe80:c97a/64 scope link valid_lft forever preferred_lft forever 7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:b5:d9:c6:4c brd ff:ff:ff:ff:ff:ff inet 172.30.99.1/24 brd 172.30.99.255 scope global docker0 valid_lft forever preferred_lft forever
