极客时间运维进阶训练营第五周作业
1、完全基于 Pipeline 实现完整的代码部署流水线
#!groovy
pipeline {
agent any
// agent { label 'jenkins-slave01' }
options {
buildDiscarder(logRotator(numToKeepStr: '5'))
disableConcurrentBuilds()
timeout(time: 5, unit: 'MINUTES') //任务执行超时时间,默认单位小时
timestamps() //在控制台显示命令执行时间,格式10:33:29
retry(2) //流水线构建失败后重置次数为2次
}
// 声明环境变量
environment {
// def GIT_URL = 'https://gitlab.iclinux.com/linux/app1.git'
// def HARBOR_URL = 'harbor.iclinux.com'
// def IMAGE_PROJECT = 'app'
// def IMAAGE_NAME = 'nginx'
def IMAGE_BUILD_NODE="192.168.56.201"
def DOCKER_NODE="192.168.56.202"
def DATE = sh(script: "date +%F_%H-%M-%S", returnStdout: true).trim()
}
// 参数定义
parameters {
string(name: 'BRANCH', defaultValue: 'develop', description: 'branck select')
choice(name: 'DEPLOY_ENV', choices: ['develop', 'production'], description: 'deploy env')
}
// 流水线开始工作
stages {
stage('code clone'){
// agent { label 'master' }
steps {
deleteDir() //清空目录
script {
if ( env.BRANCH == 'main' ){
git branch: 'main', credentialsId: 'root', url: 'https://gitlab.iclinux.com/linux/app1.git'
} else if ( env.BRANCH == 'develop' ) {
git branch: 'develop', credentialsId: 'root', url: 'https://gitlab.iclinux.com/linux/app1.git'
} else {
echo 'BRANCH ERROR, please check it.'
}
GIT_COMMIT_TAG = sh(returnStdout: true, script: 'git rev-parse --short HEAD').trim()
}
// echo "${GIT_COMMIT_TAG}"
}
}
stage('sonarqube-scanner'){
// agent { label 'master' }
steps{
sh 'pwd'
dir('/var/lib/jenkins/workspace/pipeline-groovy-test') {
// some block
sh '/apps/sonar-scanner/bin/sonar-scanner -Dsonar.projectKey=iclinx -Dsonar.projectName=iclinux-python-app3 -Dsonar.projectVersion=1.3 -Dsonar.sources=./src -Dsonar.language=py -Dsonar.sourceEncoding=UTF-8'
}
}
}
stage('code build'){
steps{
dir('/var/lib/jenkins/workspace/pipeline-groovy-test'){
sh 'tar cvzf frontend.tar.gz ./index.html ./images'
}
}
}
stage('file sync'){
steps {
echo "file sync"
sh "scp frontend.tar.gz root@${IMAGE_BUILD_NODE}:/opt/dockerfiles/app/web1"
}
}
stage("image build"){
steps{
echo "sync file to docker images server and make docker image"
sh """
ssh root@${IMAGE_BUILD_NODE} "cd /opt/dockerfiles/app/web1 && bash build-command.sh ${GIT_COMMIT_TAG}-${DATE}"
"""
}
}
stage('docker-compose image update'){
steps{
sh """
#ssh root@192.168.56.202 "echo 123"
ssh root@${DOCKER_NODE} "cd /opt/iclinux-web && sed -i 's#image: harbor.iclinux.com/app/iclinux-web1:.*#image: harbor.iclinux.com/app/iclinux-web1:${GIT_COMMIT_TAG}-${DATE}#' docker-compose.yml && sleep 1 && docker-compose pull"
"""
}
}
stage('docker-compose app update'){
steps{
echo 'update app'
sh """
ssh root@${DOCKER_NODE} "cd /opt/iclinux-web && docker-compose up -d"
"""
}
}
stage('send email'){
steps {
sh 'echo send email'
}
post {
always{
script {
mail to: '1330430077@qq.com',
subject: "Pipeline Name: ${currentBuild.fullDisplayName}",
body: " ${env.JOB_NAME} -Build Number-${env.BUILD_NUMBER}\n 点击链接 ${env.BUILD_URL} 查看详情"
}
}
}
}
}
}
2、熟悉 ELK 各组件的功能、Elasticsearch 的节点角色类型
ELK主要组件
E-elasticsearch:数据存储及检索
L-logstash:日志收集、处理、发送给 elasticsearch
K-kibana:从ES读取数据进行可视化展示及数据管理
节点类型
data node:数据节点,数据的存储
master node: 主节点,index管理,分片的分配,node节点的添加三处,一个es集群只有一个活跃的master节点
client node/coordinationg-node: 客户端节点或协调节点,将数据读写请求发送到data node,它只作为集群的入口,不存储数据,也不参与master角色的选举
ingest节点:预处理节点,在检索数据前进行预处理,可以在管道对数据实现字段删除、文本提前等操作,所有节点默认都支持ingest节点
data_cold: 冷数据节点
data_swarm: 热数据节点
data_frozen:冻结数据节点
配置文件没有定义则可以做任何角色
3、熟悉索引、doc、分片与副本的概念
Index:一类相同的数据,在逻辑上通过一个index查询、修改
Document:文档,存储在ES的数据
shard:分片,对index的逻辑拆分存储,多个分片合起来就是index的所有数据
Replica:副本,一个分片的跨主机完整备份
4、掌握不同环境的 ELK 部署规划,基于 deb 或二进制部署 Elasticsearch 集群
安装elasticsearch集群
node1
# 准备工作
BASE_DIR="/apps"
install -d "${BASE_DIR}"
tar xzf /usr/local/src/elasticsearch-8.5.1-linux-x86_64.tar.gz -C "${BASE_DIR}"
echo "vm.max_map_count=262144" >> /etc/sysctl.conf && sysctl -p
sysctl -a|grep 'vm.max_map_count'
tee -a /etc/hosts << "EOF"
192.168.56.111 elk-node1 elk-node1.iclinux.com
192.168.56.112 elk-node2 elk-node2.iclinux.com
192.168.56.113 elk-node3 elk-node3.iclinux.com
EOF
## elk 对资源消耗大此处要完成基本优化
cat /etc/security/limits.conf
reboot
## 创建运行环境
groupadd -g 2888 elasticsearch && useradd -u 2888 -g 2888 -r -m -s /bin/bash elasticsearch &&\
mkdir /data/esdata /data/eslogs /apps -pv
passwd elasticsearch # 密码设置为123456
ln -sv /apps/elasticsearch-8.5.1 /apps/elasticsearch
chown elasticsearch.elasticsearch /data /apps/ -R
# 配置 x-pack 认证
## 配置证书
su - elasticsearch
cd /apps/elasticsearch &&\
tee instances.yml << "EOF"
instances:
- name: "elk-node1.iclinux.com"
ip:
- "192.168.56.111"
- name: "elk-node2.iclinux.com"
ip:
- "192.168.56.112"
- name: "elk-node3.iclinux.com"
ip:
- "192.168.56.113"
EOF
## ⽣成CA私钥,默认名字为elastic-stack-ca.p12
bin/elasticsearch-certutil ca
## ⽣产CA公钥,默认名称为elastic-certificates.p12
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
## 至此证书签发机构ca证书签发完毕
## 签发 es 集群主机证书
bin/elasticsearch-certutil cert --silent --in instances.yml --out certs.zip --pass magedu123 --ca elastic-stack-ca.p12
## 分发证书
unzip certs.zip
mkdir config/certs
cp -rp elk-node1.iclinux.com/elk-node1.iclinux.com.p12 config/certs/
scp -r elk-node2.iclinux.com root@elk-node2:/tmp
scp -r elk-node3.iclinux.com root@elk-node3:/tmp
## ⽣成 keystore ⽂件(keystore是保存了证书密码的认证⽂件magedu123)
./bin/elasticsearch-keystore create #创建keystore⽂件
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
#magedu123
## 分发keystore 文件
scp /apps/elasticsearch/config/elasticsearch.keystore elasticsearch@elk-node2:/apps/elasticsearch/config/elasticsearch.keystore
scp /apps/elasticsearch/config/elasticsearch.keystore elasticsearch@elk-node3:/apps/elasticsearch/config/elasticsearch.keystore
# 编辑配置文件
cp /apps/elasticsearch/config/elasticsearch.yml{,.bak}
tee /apps/elasticsearch/config/elasticsearch.yml << "EOF"
cluster.name: magedu-es-cluster1
node.name: node1
path.data: /data/esdata
path.logs: /data/eslogs
network.host: 0.0.0.0
http.port: 9200
# 创建集群时的通过ip,全部写上#
discovery.seed_hosts: ["192.168.56.111", "192.168.56.112", "192.168.56.113"]
# 可以成为master的主机
cluster.initial_master_nodes: ["192.168.56.111", "192.168.56.112", "192.168.56.113"]
action.destructive_requires_name: true
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /apps/elasticsearch/config/certs/elk-node1.iclinux.com.p12
xpack.security.transport.ssl.truststore.path: /apps/elasticsearch/config/certs/elk-node1.iclinux.com.p12
EOF
## 配置systemd启动
tee /lib/systemd/system/elasticsearch.service << "EOF"
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
RuntimeDirectory=elasticsearch
Environment=ES_HOME=/apps/elasticsearch
Environment=ES_PATH_CONF=/apps/elasticsearch/config
Environment=PID_DIR=/apps/elasticsearch
WorkingDirectory=/apps/elasticsearch
User=elasticsearch
Group=elasticsearch
ExecStart=/apps/elasticsearch/bin/elasticsearch --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
EOF
chown elasticsearch.elasticsearch /data /apps/ -R &&\
systemctl daemon-reload && systemctl start elasticsearch.service && systemctl enable elasticsearch.service
systemctl restart elasticsearch.service
## 查看系统启动日志
tail -fn1111 /data/eslogs/magedu-es-cluster1.log
## 初始化账号
su - elasticsearch
/apps/elasticsearch/bin/elasticsearch-setup-passwords interactive
#密码均设置为: elastic 123456
node2
#准备工作
BASE_DIR="/apps"
install -d "${BASE_DIR}"
tar xzf /usr/local/src/elasticsearch-8.5.1-linux-x86_64.tar.gz -C "${BASE_DIR}"
echo "vm.max_map_count=262144" >> /etc/sysctl.conf && sysctl -p
sysctl -a|grep 'vm.max_map_count'
tee -a /etc/hosts << "EOF"
192.168.56.111 elk-node1 elk-node1.iclinux.com
192.168.56.112 elk-node2 elk-node2.iclinux.com
192.168.56.113 elk-node3 elk-node3.iclinux.com
EOF
# elk 对资源消耗大此处要完成基本优化
cat /etc/security/limits.conf
reboot
#创建运行环境
groupadd -g 2888 elasticsearch && useradd -u 2888 -g 2888 -r -m -s /bin/bash elasticsearch &&\
mkdir /data/esdata /data/eslogs /apps -pv
passwd elasticsearch # 密码设置为123456
ln -sv /apps/elasticsearch-8.5.1 /apps/elasticsearch
chown elasticsearch.elasticsearch /data /apps/ -R
install -d /apps/elasticsearch/config/certs
cp /tmp/elk-node2.iclinux.com/elk-node2.iclinux.com.p12 /apps/elasticsearch/config/certs
chown elasticsearch.elasticsearch /data /apps/ -R
# 编辑配置文件
cp /apps/elasticsearch/config/elasticsearch.yml{,.bak}
tee /apps/elasticsearch/config/elasticsearch.yml << "EOF"
cluster.name: magedu-es-cluster1
node.name: node2
path.data: /data/esdata
path.logs: /data/eslogs
network.host: 0.0.0.0
http.port: 9200
# 创建集群时的通过ip,全部写上#
discovery.seed_hosts: ["192.168.56.111", "192.168.56.112", "192.168.56.113"]
# 可以成为master的主机
cluster.initial_master_nodes: ["192.168.56.111", "192.168.56.112", "192.168.56.113"]
action.destructive_requires_name: true
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /apps/elasticsearch/config/certs/elk-node2.iclinux.com.p12
xpack.security.transport.ssl.truststore.path: /apps/elasticsearch/config/certs/elk-node2.iclinux.com.p12
EOF
## 配置systemd启动
tee /lib/systemd/system/elasticsearch.service << "EOF"
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
RuntimeDirectory=elasticsearch
Environment=ES_HOME=/apps/elasticsearch
Environment=ES_PATH_CONF=/apps/elasticsearch/config
Environment=PID_DIR=/apps/elasticsearch
WorkingDirectory=/apps/elasticsearch
User=elasticsearch
Group=elasticsearch
ExecStart=/apps/elasticsearch/bin/elasticsearch --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
EOF
chown elasticsearch.elasticsearch /data /apps/ -R
systemctl daemon-reload && systemctl start elasticsearch.service &&
systemctl enable elasticsearch.service
node3
#准备工作
BASE_DIR="/apps"
install -d "${BASE_DIR}"
tar xzf /usr/local/src/elasticsearch-8.5.1-linux-x86_64.tar.gz -C "${BASE_DIR}"
echo "vm.max_map_count=262144" >> /etc/sysctl.conf && sysctl -p && sysctl -a|grep 'vm.max_map_count'
tee -a /etc/hosts << "EOF"
192.168.56.111 elk-node1 elk-node1.iclinux.com
192.168.56.112 elk-node2 elk-node2.iclinux.com
192.168.56.113 elk-node3 elk-node3.iclinux.com
EOF
# elk 对资源消耗大此处要完成基本优化
cat /etc/security/limits.conf
reboot
#创建运行环境
groupadd -g 2888 elasticsearch && useradd -u 2888 -g 2888 -r -m -s /bin/bash elasticsearch &&\
mkdir /data/esdata /data/eslogs /apps -pv
passwd elasticsearch # 密码设置为123456
ln -sv /apps/elasticsearch-8.5.1 /apps/elasticsearch
chown elasticsearch.elasticsearch /data /apps/ -R
install -d /apps/elasticsearch/config/certs
cp /tmp/elk-node3.iclinux.com/elk-node3.iclinux.com.p12 /apps/elasticsearch/config/certs
chown elasticsearch.elasticsearch /data /apps/ -R
# 编辑配置文件
cp /apps/elasticsearch/config/elasticsearch.yml{,.bak}
tee /apps/elasticsearch/config/elasticsearch.yml << "EOF"
cluster.name: magedu-es-cluster1
node.name: node3
path.data: /data/esdata
path.logs: /data/eslogs
network.host: 0.0.0.0
http.port: 9200
# 创建集群时的通过ip,全部写上#
discovery.seed_hosts: ["192.168.56.111", "192.168.56.112", "192.168.56.113"]
# 可以成为master的主机
cluster.initial_master_nodes: ["192.168.56.111", "192.168.56.112", "192.168.56.113"]
action.destructive_requires_name: true
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /apps/elasticsearch/config/certs/elk-node3.iclinux.com.p12
xpack.security.transport.ssl.truststore.path: /apps/elasticsearch/config/certs/elk-node3.iclinux.com.p12
EOF
## 配置systemd启动
tee /lib/systemd/system/elasticsearch.service << "EOF"
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
RuntimeDirectory=elasticsearch
Environment=ES_HOME=/apps/elasticsearch
Environment=ES_PATH_CONF=/apps/elasticsearch/config
Environment=PID_DIR=/apps/elasticsearch
WorkingDirectory=/apps/elasticsearch
User=elasticsearch
Group=elasticsearch
ExecStart=/apps/elasticsearch/bin/elasticsearch --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
EOF
chown elasticsearch.elasticsearch /data /apps/ -R
systemctl daemon-reload && systemctl start elasticsearch.service &&
systemctl enable elasticsearch.service
5、了解 Elasticsearch API 的简单使用,安装 head 插件管理 ES 的数据
5.1 api的简单使用
### 查看服务器状态
curl -u magedu:123456 http://192.168.56.111:9200
curl -u magedu:123456 http://192.168.56.112:9200
curl -u magedu:123456 http://192.168.56.113:9200
curl -u magedu:123456 -X GET http://192.168.56.111:9200/_cat
curl -u magedu:123456 -X GET http://192.168.56.111:9200/_cat/health
curl -u magedu:123456 -X GET http://192.168.56.111:9200/_cat/master?v
curl -u magedu:123456 -X GET http://192.168.56.111:9200/_cat/nodes?v
### 创建索引
curl -u magedu:123456 -X PUT http://192.168.56.111:9200/creat_by_api?pretty
### 查看索引
curl -u magedu:123456 -X GET http://192.168.56.111:9200/creat_by_api?pretty
curl -u magedu:123456 -X POST "http://192.168.56.111:9200/creat_by_api/_doc/1?pretty" -H 'Content-Type: application/json' -d '{"name": "Jack", "age": 19}'
### 查看索引配置
curl -u magedu:123456 -X GET http://192.168.56.111:9200/creat_by_api/_settings?pretty
### 关闭索引
curl -u magedu:123456 -X POST http://192.168.56.111:9200/creat_by_api/_close
### 打开索引
curl -u magedu:123456 -X POST http://192.168.56.111:9200/creat_by_api/_open?pretty
### 删除索引
curl -u magedu:123456 -X DELETE "http://192.168.56.111:9200/creat_by_api?pretty"
### 修改集群每个节点的最大可分配的分片数,es7默认1000,用完后报错状态码400
curl -u magedu:123456 -X PUT http://192.168.56.111:9200/_cluster/settings -H 'Content-Type: application/json' -d '{"persistent":{"cluster.max_shards_per_node":"1000000"}}'
### 磁盘最低和最高使用百分比95%,默认85%不会在当前节点创建新的分配副本,90%开始将副本移动到其他节点,95所有索引只读
curl -u magedu:123456 -X PUT http://192.168.56.111:9200/_cluster/settings -H 'Content-Type: application/json' -d '{
"persistent":{
"cluster.routing.allocation.disk.watermark.low": "95%",
"cluster.routing.allocation.disk.watermark.high": "95%"
}
}'
### 查看集群配置
curl -u magedu:123456 -X GET http://192.168.56.111:9200/_cluster/settings?pretty
5.2 安装head插件
6、安装 Logstash 收集不同类型的系统日志并写入到 ES 的不同 index
6.1 安装logstash
#安装logstash
dpkg -i /usr/local/src/logstash-8.5.1-amd64.deb
cp /lib/systemd/system/logstash.service{,.bak}
sed -i 's/User=logstash/User=root/g' /lib/systemd/system/logstash.service
sed -i 's/Group=logstash/Group=root/g' /lib/systemd/system/logstash.service
systemctl daemon-reload
6.2 收集不同类型的日志并写入不同的es集群
tee /etc/logstash/conf.d/file-es-test.conf << "EOF"
input {
file {
path => "/var/log/syslog"
stat_interval => "1"
start_position => "beginning"
type => "syslog"
}
file {
path => "/var/log/auth.log"
stat_interval => "1"
start_position => "beginning"
type => "aulog"
}
}
output {
if [type] == "syslog" {
elasticsearch {
hosts => ["192.168.56.111:9200"]
index => "syslog-117-%{+YYYY.MM.dd}"
user => "magedu"
password => "123456"
}
}
if [type] == "aulog" {
elasticsearch {
hosts => ["192.168.56.111:9200"]
index => "authlog-117-%{+YYYY.MM.dd}"
user => "magedu"
password => "123456"
}
}
}
EOF
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/file-es-test.conf
7、安装 Kibana、查看 ES 集群的数据
7.1 安装kibana
dpkg -i /usr/local/src/kibana-8.5.1-amd64.deb
cp /etc/kibana/kibana.yml{,.bak}
tee /etc/kibana/kibana.yml << "EOF"
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.56.113:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "123456"
logging:
appenders:
file:
type: file
fileName: /var/log/kibana/kibana.log
layout:
type: json
root:
appenders:
- default
- file
pid.file: /run/kibana/kibana.pid
EOF
systemctl restart kibana && systemctl enable kibana
#登录地址http://192.168.56.117:5601/
7.2 查看es集群
