001 - k8s 系统优化
k8s 节点的优化
1、关闭防火墙、把 SELinux 设为 permissive（下面的命令并不是彻底 disabled）、关闭 swap
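# Step 1: SELinux, firewalld and swap.
# setenforce 0 takes effect immediately; the sed makes it survive a reboot.
# This leaves SELinux in permissive mode (denials are logged, not enforced),
# it does not disable it.
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
# Turning firewalld off removes all host-level filtering. On nodes reachable
# from networks you do not control, prefer keeping firewalld and opening only
# the ports the cluster needs.
systemctl disable --now firewalld.service
# Swap off now and kept off after reboot (kubelet's default fail-swap-on
# setting rejects a node with active swap).
swapoff -a
# Only comment out active swap entries. The original pattern '.*swap.*' also
# re-commented lines that were already commented and matched any path that
# merely contains the word "swap".
sed -ri '/^[^#].*[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab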
2、每台主机都关闭NetworkManager
# Step 2: stop and disable NetworkManager on every host. The notes assume the
# legacy "network" service manages interfaces (hostname_ip.sh below restarts
# it), so both daemons must not fight over the same NICs.
systemctl disable --now NetworkManager
3、Base源 Epel源 更新阿里云
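# Step 3: replace the stock Base/EPEL repo files with the Aliyun mirrors.
# Keep the originals in a private backup directory instead of /tmp, which is
# world-writable and usually emptied on reboot.
backup_dir=$(mktemp -d /root/yum.repos.d.bak.XXXXXX)
mv /etc/yum.repos.d/* "$backup_dir"/
# Fetch both repo files over HTTPS only. A repo file decides baseurl and
# gpgcheck, so a plaintext download (the EPEL URL was http://) could be
# rewritten in transit to point at a malicious mirror with signing disabled.
# -f makes curl fail on an HTTP error instead of saving the error page as a
# .repo file.
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
curl -fsSL -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache all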
4、时间同步服务器 (ntp chrony 只能使用一种)
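# Step 4: periodic time sync via ntpdate (only one of ntp/chrony may be in
# use). Add the cron entry once; re-running the notes otherwise appends a
# duplicate line every time. Cluster TLS validation depends on sane clocks,
# so verify the job actually runs after the first reboot.
grep -qF '/usr/sbin/ntpdate ntp1.aliyun.com' /var/spool/cron/root 2>/dev/null \
  || echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com &>/dev/null' >>/var/spool/cron/root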
5、文件描述符加大
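# Step 5: raise the open-file limit for all users (soft and hard, "-").
# Append only when the entry is not already present so re-runs stay clean.
grep -qE '^\*[[:space:]]+-[[:space:]]+nofile[[:space:]]+65535' /etc/security/limits.conf \
  || echo '* - nofile 65535 ' >>/etc/security/limits.conf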
6、别名设置
# Step 6: interactive-shell conveniences (appended to profile.d for every
# login shell). HISTTIMEFORMAT stamps each history entry with date and time,
# which helps when reconstructing what was run on a node later.
tee -a /etc/profile.d/color.sh >/dev/null <<'EOF'
alias ll='ls -l --color=auto --time-style=long-iso'
PS1="\[\e[37;40m\][\[\e[32;1m\]\u\[\e[37;40m\]@\h \[\e[36;40m\]\w\[\e[0m\]]\[\e[32;1m\]\\$ \[\e[0m\]"
export HISTTIMEFORMAT='%F-%T '
EOF
source /etc/profile
7、内核优化
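# Step 7: kernel modules and sysctl settings for Kubernetes networking.
# br_netfilter must be loaded before the net.bridge.bridge-nf-call-* keys
# below exist; this was hit when joining worker nodes to the master. modprobe
# alone does not survive the reboot in step 9, so also register the module
# with systemd-modules-load.
modprobe br_netfilter
echo br_netfilter > /etc/modules-load.d/k8s.conf
# Use a dedicated drop-in instead of appending to /etc/sysctl.conf: re-running
# the notes then replaces the file rather than adding duplicate keys.
cat >/etc/sysctl.d/99-k8s.conf<<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
# net.ipv4.tcp_tw_recycle is intentionally left out: with TCP timestamps it
# drops SYNs from clients behind NAT (pods and nodes behind SNAT are exactly
# that), and the key no longer exists from Linux 4.12 on, where setting it
# makes sysctl report an error.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
# One SYN / SYN-ACK retry only: connections fail fast, but on a lossy link
# this can surface as spurious connect errors. Raise if that is observed.
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# Required for pod-to-pod routing and for iptables to see bridged traffic.
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
# IPv6 is switched off entirely, which makes the ip6tables/forwarding keys
# above moot. NOTE(review): services that bind to :: or ::1 may misbehave
# with IPv6 fully disabled; confirm on your components before keeping this.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.all.forwarding = 1
EOF
# --system loads /etc/sysctl.d/*.conf as well as /etc/sysctl.conf.
sysctl --system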
8、ssh 优化
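# Step 8: sshd tweaks.
# Skip reverse-DNS lookup of the client on login (slow when DNS is absent).
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
# GSSAPI authentication is not used in this setup; turn it off.
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
# Validate the edited config before restarting: restarting sshd with a broken
# sshd_config on a remote node locks you out.
sshd -t && systemctl restart sshd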
9、更新系统软件包并重启（注意：CentOS 7 的 yum update 只会更新到 3.10.x 的最新补丁版本，不会升级到更新的主线内核；如需更新内核要另外配置内核仓库）
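# Step 9: bring every package up to date, then reboot. On CentOS 7 this keeps
# the kernel in the 3.10.x series (latest 3.10 build only); a newer kernel
# needs a separate kernel repository.
yum install epel-release -y
yum makecache all
yum update -y
# "yum upgrade" after "yum update -y" is redundant (upgrade is update with
# --obsoletes, which yum already enables by default) and would stop to prompt
# interactively, so it is dropped.
# Reboot so the updated kernel and libraries are the ones actually running.
reboot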
10、 安装基础软件
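# Step 10: base toolchain and admin utilities. The original list named
# ncurses-devel, bison, net-snmp and screen twice; duplicates removed, every
# package kept.
# NOTE(review): openldap-servers, net-snmp and nss_ldap pull in network-facing
# server/daemon packages a Kubernetes node does not normally need; consider
# dropping them to shrink the attack surface. "ntp" is installed here while
# step 4 schedules ntpdate; make sure ntpd itself is not also enabled alongside
# chronyd (step 4 says only one may be used).
yum -y install python-setuptools python-pip gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel \
zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel zip unzip ncurses ncurses-devel curl curl-devel e2fsprogs \
e2fsprogs-devel krb5-devel libidn libidn-devel openssl openssh openssl-devel nss_ldap openldap openldap-devel openldap-clients \
openldap-servers libxslt-devel libevent-devel ntp libtool-ltdl bison libtool vim-enhanced python wget lsof iptraf strace lrzsz \
kernel-devel kernel-headers pam-devel tcl tk cmake setuptool popt-devel net-snmp screen perl-devel \
pcre-devel tcpdump rsync sysstat man iptables sudo libconfig git bind-utils \
tmux elinks numactl iftop bwm-ng net-tools expect sshpass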
--------------------------- 实验使用hosts解析,生产环境使用 bind DNS解析
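# Set this node's hostname (k8s-01 is an example; use the per-node name) and
# print the result to verify it.
hostnamectl set-hostname k8s-01
hostnamectl status
# Make the hostname resolve locally. Append only once so re-runs do not stack
# identical lines.
# NOTE(review): mapping the node name to 127.0.0.1 means anything that
# resolves the hostname gets the loopback address, while the /etc/hosts block
# further down maps the same names to 10.0.0.x; the first matching line wins,
# so decide which mapping the cluster should see.
grep -qE "^127\.0\.0\.1[[:space:]]+$(hostname)([[:space:]]|$)" /etc/hosts \
  || echo "127.0.0.1 $(hostname)" >> /etc/hosts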
vm中配置虚拟机 调整IP地址和主机名的脚本
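# Helper for freshly cloned VMs: set a new hostname and rewrite the static
# IPADDR in ifcfg-eth0, then restart the legacy network service. Run as root.
cat>/root/hostname_ip.sh<<'EOF'
#!/usr/bin/sh
# Usage: hostname_ip.sh <new hostname> <new IPv4 address>
source /etc/init.d/functions

ifcfg=/etc/sysconfig/network-scripts/ifcfg-eth0

if [ $# -ne 2 ]; then
  echo "/bin/sh $0 New hostname New IP address" >&2
  exit 1
fi

new_host=$1
new_ip=$2

# Validate the address before it is spliced into the sed expression: an
# unchecked value containing '#', '&' or '\' would corrupt ifcfg-eth0 or
# break the sed command itself.
if ! echo "$new_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
  action "Invalid IPv4 address: $new_ip" /bin/false
  exit 1
fi

if hostnamectl set-hostname "$new_host"; then
  action "hostname update Successfull." /bin/true
else
  action "hostname update Failed." /bin/false
fi

# sed exits 0 even when nothing matched, so the original reported success on
# a file with no IPADDR line. Check for the key first.
if grep -q '^IPADDR=' "$ifcfg" && sed -ri "s#^IPADDR=.*#IPADDR=$new_ip#" "$ifcfg"; then
  action "IP update Successfull." /bin/true
  systemctl restart network
else
  action "IP update Failed!" /bin/false
fi
EOF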
可以批量克隆主机 ,设置IP 和主机名称
12 、免密登录 hosts解析
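# Step 12: static name resolution for the cluster (lab only; production should
# use DNS). Append the block once instead of editing /etc/hosts by hand with
# vim, so the same snippet can be re-run on every node.
# NOTE(review): if "127.0.0.1 <hostname>" was added earlier, that line comes
# first and wins for the local node's own name.
grep -qE '^10\.0\.0\.100[[:space:]]+master01' /etc/hosts || cat >>/etc/hosts<<'EOF'
10.0.0.100 master01
10.0.0.101 master02
10.0.0.102 master03
10.0.0.103 node01
10.0.0.104 node02
10.0.0.105 node03
10.0.0.106 manager
EOF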
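# SSH from the manager to the nodes.
# Plain first login: you are asked to confirm the host key and type the
# password.
ssh root@10.0.0.100
# Non-interactive login. Do not pass the password with "sshpass -p '...'":
# the argument is visible to every local user in ps and is written to the
# shell history. Keep it in a root-only file and use -f (or export SSHPASS
# and use -e).
mkdir -p /server
touch /server/pass.txt
chmod 600 /server/pass.txt   # then write the password into it
# StrictHostKeyChecking=no accepts whatever host key is offered, so the first
# connection has no protection against a man-in-the-middle. On a lab network
# that may be acceptable; otherwise pre-seed known_hosts with
# "ssh-keyscan -H master01 >> ~/.ssh/known_hosts" and drop the option, so
# later key changes are at least detected.
sshpass -f /server/pass.txt ssh -o StrictHostKeyChecking=no root@master01
# Install the manager's public key so later logins need no password at all
# (generate one first if this host has none).
[ -f /root/.ssh/id_rsa.pub ] || ssh-keygen -t rsa -N '' -f /root/.ssh/id_rsa
sshpass -f /server/pass.txt ssh-copy-id -i /root/.ssh/id_rsa.pub -o StrictHostKeyChecking=no root@node01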
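#!/bin/bash
# Distribute the manager's public key to every cluster host in one go.
# The password is read from a root-only file rather than the command line, so
# it does not show up in ps or the shell history.
set -u
pass_file=/server/pass.txt
hosts=(master01 master02 master03 node01 node02 node03 manager)

# Refuse to run with a password file that other users can read.
if [ "$(stat -c %a "$pass_file")" != "600" ]; then
  echo "refusing to use $pass_file: permissions must be 600" >&2
  exit 1
fi

for host in "${hosts[@]}"; do
  # StrictHostKeyChecking=no accepts any offered host key; fine only on a lab
  # network you control. Report a failed host instead of silently moving on.
  sshpass -f "$pass_file" ssh-copy-id -i /root/.ssh/id_rsa.pub \
    -o StrictHostKeyChecking=no "root@$host" \
    || echo "ssh-copy-id to $host failed" >&2
done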
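#!/bin/bash
# Once passwordless SSH works, push /etc/hosts to every host (Ansible can take
# over this kind of fan-out from here). Host names are quoted and each copy
# reports its own failure instead of the loop hiding it.
hosts=(master01 master02 master03 node01 node02 node03 manager)

for host in "${hosts[@]}"; do
  scp -rp /etc/hosts "$host:/etc/hosts" || echo "copy to $host failed" >&2
done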