veilletechno:atomic

Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

Les deux révisions précédentes Révision précédente
Prochaine révision		 Révision précédente
veilletechno:atomic [2017/07/23 09:07] madkoveilletechno:atomic [2017/07/23 09:33] (Version actuelle) – [Services kubernetes master] madko
Ligne 1: Ligne 1:
 ====== Atomic CentOS 7 ====== ====== Atomic CentOS 7 ======
 +
 +===== Configuration du master =====
 +
 +==== Création du registry docker local ====
 +
 +Création d'un containeur docker registry :
 +
 +<code>
 +sudo docker create -p 5000:5000
 +-v /var/lib/local-registry:/var/lib/registry
 +-e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry
 +-e REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io
 +--name=local-registry registry:2
 +</code>
 +
 +Gérer les contextes SELinux sur le stockage des images du registry :
 +
 +<code>
 +sudo mkdir -p /var/lib/local-registry
 +sudo chcon -Rvt svirt_sandbox_file_t /var/lib/local-registry
 +</code>
 +
 +Création d'un service pour démarrer automatiquement le registry. Contenu du fichier /etc/systemd/system/local-registry.service :
 +
 +<file>
 +[Unit]
 +Description=Local Docker Mirror registry cache
 +Requires=docker.service
 +After=docker.service
 +
 +[Service]
 +Restart=on-failure
 +RestartSec=10
 +ExecStart=/usr/bin/docker start -a %p
 +ExecStop=-/usr/bin/docker stop -t 2 %p
 +
 +[Install]
 +WantedBy=multi-user.target
 +</file>
 +
 +Pour l'activer :
 +
 +<code>
 +sudo systemctl daemon-reload
 +sudo systemctl enable local-registry
 +sudo systemctl start local-registry
 +</code>
 +
 +==== Configuration ETCD ====
 +
 +Fichier /etc/etcd/etcd.conf :
 +
 +<file>
 +# [member]
 +ETCD_NAME=default
 +ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
 +#ETCD_WAL_DIR=""
 +#ETCD_SNAPSHOT_COUNT="10000"
 +#ETCD_HEARTBEAT_INTERVAL="100"
 +#ETCD_ELECTION_TIMEOUT="1000"
 +#ETCD_LISTEN_PEER_URLS="http://localhost:2380"
 +ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379,http://0.0.0.0:4001"
 +#ETCD_MAX_SNAPSHOTS="5"
 +#ETCD_MAX_WALS="5"
 +#ETCD_CORS=""
 +#
 +#[cluster]
 +#ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
 +# if you use different ETCD_NAME (e.g. test), set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
 +#ETCD_INITIAL_CLUSTER="default=http://localhost:2380"
 +#ETCD_INITIAL_CLUSTER_STATE="new"
 +#ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
 +ETCD_ADVERTISE_CLIENT_URLS="http://0.0.0.0:2379,http://0.0.0.0:4001"
 +#ETCD_DISCOVERY=""
 +#ETCD_DISCOVERY_SRV=""
 +#ETCD_DISCOVERY_FALLBACK="proxy"
 +#ETCD_DISCOVERY_PROXY=""
 +#ETCD_STRICT_RECONFIG_CHECK="false"
 +#ETCD_AUTO_COMPACTION_RETENTION="0"
 +#
 +#[proxy]
 +#ETCD_PROXY="off"
 +#ETCD_PROXY_FAILURE_WAIT="5000"
 +#ETCD_PROXY_REFRESH_INTERVAL="30000"
 +#ETCD_PROXY_DIAL_TIMEOUT="1000"
 +#ETCD_PROXY_WRITE_TIMEOUT="5000"
 +#ETCD_PROXY_READ_TIMEOUT="0"
 +#
 +#[security]
 +#ETCD_CERT_FILE=""
 +#ETCD_KEY_FILE=""
 +#ETCD_CLIENT_CERT_AUTH="false"
 +#ETCD_TRUSTED_CA_FILE=""
 +#ETCD_AUTO_TLS="false"
 +#ETCD_PEER_CERT_FILE=""
 +#ETCD_PEER_KEY_FILE=""
 +#ETCD_PEER_CLIENT_CERT_AUTH="false"
 +#ETCD_PEER_TRUSTED_CA_FILE=""
 +#ETCD_PEER_AUTO_TLS="false"
 +#
 +#[logging]
 +#ETCD_DEBUG="false"
 +# examples for -log-package-levels etcdserver=WARNING,security=DEBUG
 +#ETCD_LOG_PACKAGE_LEVELS=""
 +#
 +#[profiling]
 +#ETCD_ENABLE_PPROF="false"
 +#ETCD_METRICS="basic"
 +</file>
 +
 +==== Services kubernetes master ====
 +
 +Pour générer les certificats :
 +
 +<code>
 +curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
 +tar xzf easy-rsa.tar.gz
 +cd easy-rsa-master/easyrsa3
 +./easyrsa init-pki
 +MASTER_IP=192.168.2.112
 +./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass
 +./easyrsa --subject-alt-name="IP:${MASTER_IP}" build-server-full server nopass
 +sudo mkdir /etc/kubernetes/certs
 +for i in {pki/ca.crt,pki/issued/server.crt,pki/private/server.key}; do sudo cp $i /etc/kubernetes/certs; done
 +sudo chown -R kube:kube /etc/kubernetes/certs
 +</code>
 +
 +Les services passent par l'utilisation de containeurs. Ils seront gérés par 3 services systemd.
 +
 +Fichier /etc/systemd/system/kube-apiserver.service :
 +
 +<file>
 +[Unit]
 +Description=Kubernetes API Server
 +Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 +After=docker.service
 +Requires=docker.service
 +
 +[Service]
 +TimeoutStartSec=0
 +Restart=always
 +ExecStartPre=-/usr/bin/docker stop %n
 +ExecStartPre=-/usr/bin/docker rm %n
 +ExecStartPre=/usr/bin/docker pull registry.centos.org/centos/kubernetes-apiserver
 +ExecStart=/usr/bin/docker run --rm --net=host -p 443:443 -v /etc/kubernetes:/etc/kubernetes:z --name %n registry.centos.org/centos/kubernetes-apiserver
 +
 +[Install]
 +WantedBy=multi-user.target
 +</file>
 +
 +Fichier /etc/systemd/system/kube-controller-manager.service :
 +
 +<file>
 +[Unit]
 +Description=Kubernetes Controller Manager
 +Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 +After=docker.service
 +Requires=docker.service
 +
 +[Service]
 +TimeoutStartSec=0
 +Restart=always
 +ExecStartPre=-/usr/bin/docker stop %n
 +ExecStartPre=-/usr/bin/docker rm %n
 +ExecStartPre=/usr/bin/docker pull registry.centos.org/centos/kubernetes-controller-manager
 +ExecStart=/usr/bin/docker run --rm --net=host -v /etc/kubernetes:/etc/kubernetes:z --name %n registry.centos.org/centos/kubernetes-controller-manager
 +
 +[Install]
 +WantedBy=multi-user.target
 +</file>
 +
 +Fichier /etc/systemd/system/kube-scheduler.service :
 +
 +<file>
 +[Unit]
 +Description=Kubernetes Scheduler Plugin
 +Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 +After=docker.service
 +Requires=docker.service
 +
 +[Service]
 +TimeoutStartSec=0
 +Restart=always
 +ExecStartPre=-/usr/bin/docker stop %n
 +ExecStartPre=-/usr/bin/docker rm %n
 +ExecStartPre=/usr/bin/docker pull registry.centos.org/centos/kubernetes-scheduler
 +ExecStart=/usr/bin/docker run --rm --net=host -v /etc/kubernetes:/etc/kubernetes:z --name %n registry.centos.org/centos/kubernetes-scheduler
 +
 +[Install]
 +WantedBy=multi-user.target
 +</file>
 +
 +Configuration du serveur API, fichier /etc/kubernetes/apiserver :
 +
 +<file>
 +KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"
 +
 +KUBE_API_ARGS="--tls-cert-file=/etc/kubernetes/certs/server.crt --tls-private-key-file=/etc/kubernetes/certs/server.key --client-ca-file=/etc/kubernetes/certs/ca.crt --service-account-key-file=/etc/kubernetes/certs/server.crt --etcd-servers=http://192.168.2.112:2379 --service-cluster-ip-range=172.20.0.0/24"
 +</file>
 +
 +Partie controller-manager, fichier /etc/kubernetes/controller-manager :
 +
 +<file>
 +KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/etc/kubernetes/certs/server.key --root-ca-file=/etc/kubernetes/certs/ca.crt"
 +</file>
 +
 +Activation des services :
 +
 +<code>
 +sudo systemctl enable etcd kube-apiserver kube-controller-manager kube-scheduler
 +sudo systemctl start etcd kube-apiserver kube-controller-manager kube-scheduler
 +</code>
 +
  
 ===== Configuration d'un noeud ===== ===== Configuration d'un noeud =====
 +
 +==== Configuration docker registry ====
  
 Ajout du docker registry normalement hébergé sur le master. Dans /etc/sysconfig/docker dans OPTIONS ajouter : Ajout du docker registry normalement hébergé sur le master. Dans /etc/sysconfig/docker dans OPTIONS ajouter :
Ligne 15: Ligne 230:
 <file> <file>
 # etcd url location. Point this to the server where etcd runs # etcd url location. Point this to the server where etcd runs
-FLANNEL_ETCD_ENDPOINTS="http://192.168.122.10:2379"+FLANNEL_ETCD_ENDPOINTS="http://192.168.2.112:2379"
  
 # etcd config key. This is the configuration key that flannel queries # etcd config key. This is the configuration key that flannel queries
Ligne 21: Ligne 236:
 FLANNEL_ETCD_PREFIX="/atomic.io/network" FLANNEL_ETCD_PREFIX="/atomic.io/network"
 </file> </file>
 +
 +==== Configuration de Kubernetes ====
 +
 +Il s'agit de configurer la partie cliente : kubelet. Principalement d'indiquer le hostname (hostname -f doit correspondre) et l'adresse du client, ainsi que celle du master.
 +
 +<file>
 +###
 +# kubernetes kubelet (minion) config
 +
 +# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
 +KUBELET_ADDRESS="--address=192.168.2.108"
 +
 +# The port for the info server to serve on
 +# KUBELET_PORT="--port=10250"
 +
 +# You may leave this blank to use the actual hostname
 +KUBELET_HOSTNAME="--hostname-override=atomic7-1.localdomain"
 +
 +# location of the api-server
 +KUBELET_API_SERVER="--api-servers=http://192.168.2.112:8080"
 +
 +# pod infrastructure container
 +KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
 +
 +# Add your own!
 +KUBELET_ARGS=""
 +</file>
 +
 +Il faut aussi préciser comment joindre le cluster ETCD, via le fichier /etc/kubernetes/config :
 +
 +<file>
 +###
 +# kubernetes system config
 +#
 +# The following values are used to configure various aspects of all
 +# kubernetes services, including
 +#
 +#   kube-apiserver.service
 +#   kube-controller-manager.service
 +#   kube-scheduler.service
 +#   kubelet.service
 +#   kube-proxy.service
 +# logging to stderr means we get it in the systemd journal
 +KUBE_LOGTOSTDERR="--logtostderr=true"
 +
 +# journal message level, 0 is debug
 +KUBE_LOG_LEVEL="--v=0"
 +
 +# Should this cluster be allowed to run privileged docker containers
 +KUBE_ALLOW_PRIV="--allow-privileged=false"
 +
 +# How the controller-manager, scheduler, and proxy find the apiserver
 +KUBE_MASTER="--master=http://192.168.2.112:8080"
 +</file>
 +
 +Il ne reste plus qu'à activer les services, et à redemarrer pour être sûr de rien avoir oublié :
 +
 +<code>
 +sudo systemctl enable flanneld kubelet kube-proxy
 +sudo systemctl reboot
 +</code>
  
  
  • veilletechno/atomic.1500800841.txt.gz
  • Dernière modification : 2017/07/23 09:07
  • de madko