Rancher Single-Node Deployment

Environment

  • CentOS 7.6
  • Docker 20.10+
  • Tengine 2.3.3 / Nginx 1.20+ (optional)

Installation Steps

Adjust OS kernel parameters

Edit /etc/sysctl.conf (vi /etc/sysctl.conf) and set the following:

net.ipv4.ip_forward = 1
kernel.sysrq = 0
net.ipv4.tcp_syncookies = 1
fs.suid_dumpable = 0
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
vm.swappiness = 0
kernel.shmall = 4294967296
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

Then apply the settings and reboot. Note that the two net.bridge.* keys only exist once the br_netfilter kernel module is loaded; if sysctl -p reports "No such file or directory" for them, load that module first and re-run it.

sysctl -p
reboot

Install base packages

yum install epel-release -y
yum install -y yum-utils device-mapper-persistent-data lvm2
curl -L https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum install nginx* docker-ce* -y

Configure Docker

Create the directory and edit /etc/docker/daemon.json (mkdir -p /etc/docker && vim /etc/docker/daemon.json) as follows. The "data-root" key sets the storage location; it replaces the older "graph" key, which is deprecated and no longer accepted by recent Docker releases.

{
  "exec-opts": [
    "native.cgroupdriver=systemd"
  ],
  "data-root": "/var/lib/docker",
  "max-concurrent-downloads": 20,
  "max-concurrent-uploads": 10,
  "default-ulimits": {
    "nofile": {
      "Name": "nofile",
      "Hard": 655360,
      "Soft": 655360
    }
  },
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "5"
  },
  "storage-driver": "overlay2",
  "ipv6": false
}

Start Docker

systemctl enable docker.service --now

Configure Rancher

Configure the certificate

Place the certificate in /etc/rancher/ssl as cert.pem and key.pem. If it is a self-signed certificate, the root certificate of the CA that issued it must also be placed in that directory (as cacerts.pem). All certificate files must be in PEM format.

[root@localhost ~]# ls /etc/rancher/ssl | grep '.pem'
cacerts.pem
cert.pem
key.pem
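
As an added check (not part of the original post), the following script validates the files in that directory before Rancher is started: it confirms that cert.pem and key.pem are PEM encoded, that the private key matches the certificate, that the certificate chains to cacerts.pem when one is present (or to the system trust store otherwise), and that it is not about to expire. It assumes the openssl CLI is installed; the function name check_rancher_ssl and the optional directory argument are choices made here.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the PEM files that
# Rancher expects in /etc/rancher/ssl before starting the service.
# Assumes the openssl CLI is installed. The directory is a parameter so the
# check can be run against a scratch copy; check_rancher_ssl is a name chosen here.
set -u

check_rancher_ssl() {
    local dir="${1:-/etc/rancher/ssl}"
    local cert="$dir/cert.pem" key="$dir/key.pem" ca="$dir/cacerts.pem"
    local rc=0 f cert_pub key_pub

    # 1. cert.pem and key.pem must exist and be PEM encoded (DER is rejected).
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
        grep -q -- '-----BEGIN' "$f" || { echo "not PEM encoded: $f"; rc=1; }
    done

    # 2. key.pem must belong to cert.pem: compare the public key extracted from
    #    each side (works for RSA and EC keys, unlike comparing RSA moduli).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key.pem does not match cert.pem"; rc=1
    fi

    # 3. With a self-signed or private-CA certificate, cacerts.pem must be present
    #    and cert.pem must chain to it; otherwise fall back to the system trust store.
    if [ -r "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
            || { echo "cert.pem does not verify against cacerts.pem"; rc=1; }
    else
        openssl verify "$cert" >/dev/null 2>&1 \
            || { echo "cert.pem not trusted by the system store and no cacerts.pem"; rc=1; }
    fi

    # 4. Flag a certificate that expires within 30 days (2592000 s).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "cert.pem expires within 30 days"; rc=1; }

    return "$rc"
}

# Usage: check_rancher_ssl [directory]; exit status 0 means every check passed.
```

Run it as root (or as a user that can read key.pem) and fix any reported problem before enabling rancher.service.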

Create the service

Create the directories for Rancher's persistent data. Rancher's official instructions use a Docker volume for persistence by default, but that makes quick data recovery harder, so host directories are bind-mounted into the container here instead.

mkdir -p /var/lib/rancher /var/lib/cni /var/lib/kubelet /var/log/rancher

Register Rancher with systemd by creating /etc/systemd/system/rancher.service (vim /etc/systemd/system/rancher.service) with the following content:

[Unit]
Description=Rancher Server
After=syslog.target network.target docker.service
Wants=syslog.target network.target docker.service

[Service]
Type=simple
ExecStart=/usr/bin/docker run --name rancher --restart unless-stopped --privileged \
        -v /etc/rancher/ssl:/etc/rancher/ssl \
        -v /var/lib/rancher:/var/lib/rancher \
        -v /var/lib/kubelet:/var/lib/kubelet \
        -v /var/lib/cni:/var/lib/cni \
        -v /var/log/rancher:/var/log \
        -e AUDIT_LEVEL=2 \
        -e TZ=Asia/Shanghai \
        -p 127.0.0.1:8080:80 \
        -p 127.0.0.1:8443:443 \
        rancher/rancher:stable
ExecStartPre=/usr/bin/docker rm -f rancher
ExecStop=/usr/bin/docker rm -f rancher
PermissionsStartOnly=true
Restart=on-failure
RestartSec=5
LimitNOFILE=65535

User=root
Group=root

StandardOutput=null
StandardError=null

[Install]
WantedBy=multi-user.target

Start Rancher and give it a moment: Docker pulls the image and starts the Rancher container. Since systemd now supervises the container (Restart=on-failure in the unit), the --restart unless-stopped policy in ExecStart is redundant; Docker's documentation advises against combining container restart policies with a process manager such as systemd.

systemctl enable rancher.service --now

Configure Nginx (optional)

If you do not want to put Nginx in front, edit rancher.service directly and change -p 127.0.0.1:8443:443 to -p 0.0.0.0:443:443 and -p 127.0.0.1:8080:80 to -p 0.0.0.0:80:80. Otherwise, add the following to the Nginx configuration (the map and server blocks belong inside the http context, for example in a file under /etc/nginx/conf.d/):

map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}
server {
    listen       80;
    server_name  rancher;
    return 308   https://$host$request_uri;
}
server {
    listen       443 ssl http2;
    server_name  rancher;
    access_log   /var/log/nginx/rancher_access.log;
    error_log    /var/log/nginx/rancher_error.log;
    ssl_certificate       /etc/rancher/ssl/cert.pem;
    ssl_certificate_key   /etc/rancher/ssl/key.pem;
    ssl_protocols         TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_pass              https://127.0.0.1:8443;
        proxy_set_header        Host               $host;
        proxy_set_header        X-Real-IP          $remote_addr;
        proxy_set_header        X-Forwarded-Port   $server_port;
        proxy_set_header        X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto  $scheme;
        proxy_set_header        Upgrade            $http_upgrade;
        proxy_set_header        Connection         $connection_upgrade;
        proxy_http_version      1.1;
        proxy_ssl_verify        off;
        proxy_ssl_session_reuse on;
        proxy_read_timeout      900s;
        proxy_buffering         off;
    }
}

Start Nginx (enable alone only arranges the start at boot; --now also starts it immediately)

systemctl enable nginx.service --now

Notes

  1. Rancher version: in production you must pin an explicit version tag rather than the floating rancher/rancher:stable tag used in the unit above. The available releases are listed on the official site https://docs.rancher.cn and on GitHub: https://github.com/rancher/rancher
Posted 2022-09-08 22:00 by 银河系派件员