Download the ISO: https://mirrors.tuna.tsinghua.edu.cn/archlinux/iso/latest/

k8s: v1.26.4; calico: 3.25.1

Contents

  • 1. Preparation
  • 2. Disk management
    • 2.1 Disk partitioning
    • 2.2 Disk formatting
    • 2.3 Disk mounting
  • 3. Installing the system
    • 3.1 Installing system files
    • 3.2 Configuring fstab
    • 3.3 Configuring the system
    • 3.4 Installing the boot loader
    • 3.5 Installing OpenSSH
    • 3.6 Hostname
    • 3.7 Setting the root password
    • 3.8 Network configuration
    • 3.9 Rebooting and booting from disk
    • 3.10 Localization
    • 3.11 Time zone
    • 3.12 Hardware clock
    • 3.13 Installing a DNS server
  • 4. Installing k8s
    • 4.1 Configuring containerd
    • 4.2 Pulling k8s images
    • 4.3 Creating the k8s cluster
    • 4.4 Joining control-plane nodes
    • 4.5 Joining worker nodes
    • 4.6 Installing the CNI: Calico
    • 4.7 Inspecting the k8s cluster
  • Appendix
    • Package signature error

1. Preparation

VMware virtual machines are used as the example.

Boot with EFI rather than the default BIOS. If you do not use EFI, install a non-EFI boot loader in the later steps as well.

  • Control-plane nodes (master)

    Node list:

    hostname      ip
    k8s-master1   10.0.2.101/24
    k8s-master2   10.0.2.102/24
    k8s-master3   10.0.2.103/24

    CPU: 2 cores

    Memory: 2GB

    Disk: 20GB

    NIC: NIC 1 (ens33) on a custom NAT network

  • Worker nodes

    Node list:

    hostname      ip
    k8s-worker1   10.0.2.111/24
    k8s-worker2   10.0.2.112/24
    k8s-worker3   10.0.2.113/24

    CPU: 2 cores

    Memory: 4GB

    Disk: 20GB

    NIC: NIC 1 (ens33) on a custom NAT network

2. Disk management

2.1 Disk partitioning

Use a GUID partition table with 2 partitions:

  • 1) EFI System (EF00), Last sector: +500M (500MB)

  • 2) Linux filesystem (8300), Last sector: (the remaining capacity)

gdisk /dev/sda

2.2 Disk formatting

mkfs.vfat -F32 /dev/sda1   # ESP partition, mounted at /boot
mkfs.ext4 /dev/sda2        # Linux filesystem partition, mounted at /

2.3 Disk mounting

mount /dev/sda2 /mnt        # mount the root partition
mkdir /mnt/boot             # create the /boot directory
mount /dev/sda1 /mnt/boot   # mount the ESP (partition 1, the one formatted with mkfs.vfat) at /boot
lsblk                       # check the partition mounts

3. Installing the system

3.1 Installing system files

vim /etc/pacman.d/mirrorlist   # add the following mirror servers at the top
Server = https://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
#Server = https://mirrors.aliyun.com/archlinux/$repo/os/$arch

# install the system
pacstrap /mnt base base-devel

3.2 Configuring fstab

genfstab -U /mnt > /mnt/etc/fstab   # generate the partition mount table

Edit fstab

vim /mnt/etc/fstab
# for an SSD, append the options "discard,noatime"

3.3 Configuring the system

Edit /mnt/etc/pacman.conf and add the following:

[archlinuxcn]
Server = https://mirrors.tuna.tsinghua.edu.cn/archlinuxcn/$arch
#Server = https://mirrors.aliyun.com/archlinuxcn/$arch

Change root into the new system

arch-chroot /mnt /bin/bash

Now the whole system can be upgraded:

pacman -Syy   # the root directory changed, so the package database has to be refreshed again
pacman -S archlinuxcn-keyring
pacman -S vim bash-completion yay fakeroot
ln -s /usr/bin/vim /usr/bin/vi

3.4 Installing the boot loader

# install the Linux kernel
pacman -S linux-lts linux-firmware
# install microcode
pacman -S amd-ucode   # for Intel, install intel-ucode

bootctl install   # systemd-boot boot loader

vim /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux-lts
# for Intel use /intel-ucode.img
initrd /amd-ucode.img
initrd /initramfs-linux-lts.img
options root=/dev/sda2 rw

vim /boot/loader/entries/arch-fallback.conf
title Arch Linux (fallback initramfs)
linux /vmlinuz-linux-lts
# for Intel use /intel-ucode.img
initrd /amd-ucode.img
initrd /initramfs-linux-lts-fallback.img
options root=/dev/sda2 rw

vim /boot/loader/loader.conf   # the ESP is mounted at /boot (section 2.3), so loader.conf lives under /boot/loader
default arch.conf
timeout 2
console-mode max
editor no

# verify that the file paths are correct
bootctl list
bootctl status

3.5 Installing OpenSSH

pacman -S openssh
# the default sshd_config line is "#PermitRootLogin prohibit-password"; this enables root login with a password
# (once SSH keys are deployed, switching it back to prohibit-password limits root to key-based login)
sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
systemctl enable sshd

3.6 Hostname

echo k8s-master1 > /etc/hostname   # use each node's own hostname from the node list in section 1

3.7 Setting the root password

passwd

3.8 Network configuration

Use systemd-networkd

VMware network settings:
NAT mode, subnet: 10.0.2.0/24
DHCP: 10.0.2.200 - 10.0.2.254
Gateway: 10.0.2.2 (do not set it to 10.0.2.1, otherwise the VM cannot reach the Internet)

vim /etc/systemd/network/20-wired.network
[Match]
Name=ens33

[Network]
#DHCP=ipv4   # enable when using DHCP
Address=10.0.2.101/24
Gateway=10.0.2.2
DNS=223.5.5.5
DNS=223.6.6.6

systemctl enable systemd-networkd
systemctl enable systemd-resolved

3.9 Rebooting and booting from disk

exit     # leave the chroot
reboot   # after the reboot, boot into the installed system

3.10 Localization

vim /etc/locale.gen   # uncomment the following lines
en_US.UTF-8 UTF-8
zh_CN.GBK GBK
zh_CN.UTF-8 UTF-8
zh_CN GB2312

locale-gen   # generate the locales
echo 'LANG=en_US.UTF-8' > /etc/locale.conf   # set the default locale

3.11 Time zone

ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

3.12 Hardware clock

# date -s '2022-7-5 16:49:45'
hwclock --systohc --utc   # use UTC; write the system time to the hardware clock
# hwclock --hctosys --utc   # use UTC; write the hardware clock to the system time

3.13 Installing a DNS server

pacman -S bind
# see: https://wiki.archlinux.org/title/BIND

4. Installing k8s

Install with kubeadm: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/

pacman -S kubeadm kubelet kubectl containerd
systemctl enable containerd
systemctl start containerd
systemctl enable kubelet
systemctl start kubelet

4.1 Configuring containerd

Create the /etc/modules-load.d/containerd.conf configuration file:

cat <<EOF > /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF

Modify the containerd configuration

# modify the configuration
mkdir -p /etc/containerd
if [ ! -f /etc/containerd/config.toml ]; then
    containerd config default > /etc/containerd/config.toml
fi
# set SystemdCgroup to true
sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml
# point the sandbox (pause) image at the mirror (newer containerd defaults reference registry.k8s.io rather than k8s.gcr.io; adjust the pattern if so)
sed -i 's/k8s.gcr.io/registry.aliyuncs.com\/google_containers/g' /etc/containerd/config.toml
systemctl restart containerd
echo 'alias docker="crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock"' > /etc/profile.d/containerd.sh
source /etc/profile.d/containerd.sh
# make sure containerd's cgroup driver is SystemdCgroup
crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock info | grep SystemdCgroup | awk -F ': ' '{ print $2 }'
# output:
true

4.2 Pulling k8s images

Use the --image-repository parameter to specify the registry that hosts the k8s images

kubeadm config images pull --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.26.4

4.3 Creating the k8s cluster

# A load balancer should be set up and its IP used; here the self-hosted DNS server resolves the endpoint instead: 10.0.2.101 cluster.berkaroad.com
# In this kubelet version the command-line flag `--cni-bin-dir` has been removed, so it must be dropped
sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
# initialize the k8s cluster
kubeadm init --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.26.4 --control-plane-endpoint=cluster.berkaroad.com --apiserver-advertise-address=10.0.2.101 --pod-network-cidr=10.100.0.0/16 --service-cidr=10.101.0.0/16 --service-dns-domain=cluster.berkaroad.com --upload-certs --v=5
# after it succeeds, configure kubectl as the output instructs
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# note: the clocks across the cluster must agree, otherwise joining fails with the error: x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
# You can now join any number of the control-plane node running the following command on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
    --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
    --control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44
# if the --certificate-key has expired, run:
kubeadm init phase upload-certs --upload-certs
# Then you can join any number of worker nodes by running the following on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
    --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3
# if the token has expired, run:
kubeadm token create --print-join-command
# if it fails, check that the cgroup drivers agree (docker or containerd vs. kubelet)
# check whether kubeadm uses containerd or docker as the CRI
cat /var/lib/kubelet/kubeadm-flags.env
KUBELET_KUBEADM_ARGS="--container-runtime=remote --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9"
# check the kubelet's cgroup driver
cat /var/lib/kubelet/config.yaml | grep cgroupDriver | awk -F ': ' '{ print $2 }'
systemd
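The --discovery-token-ca-cert-hash in the join commands above (and in 4.4 and 4.5) is what stops a joining node from trusting an impostor API server, so it is worth checking against the CA that kubeadm actually installed. The following Python helper is added here and is not part of the original post: it recomputes kubeadm's hash, SHA-256 over the DER-encoded SubjectPublicKeyInfo of /etc/kubernetes/pki/ca.crt, with a minimal DER walker and no third-party libraries. sample_cert() builds a constructed, unsigned certificate skeleton only so the check runs offline; it is not a real CA.

```python
import base64
import hashlib

def tlv(data: bytes, pos: int):
    """Decode the DER TLV header at pos -> (tag, body_start, end_of_tlv)."""
    tag, first = data[pos], data[pos + 1]
    if first & 0x80:                                      # long-form length
        n = first & 0x7F
        return tag, pos + 2 + n, pos + 2 + n + int.from_bytes(data[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2, pos + 2 + first

def children(data: bytes, pos: int):
    """(tag, start, end) of every TLV nested directly inside the constructed TLV at pos."""
    _, p, end = tlv(data, pos)
    out = []
    while p < end:
        tag, _, nxt = tlv(data, p)
        out.append((tag, p, nxt))
        p = nxt
    return out

def ca_cert_hash(pem: str) -> str:
    """kubeadm's discovery hash: sha256 over the DER SubjectPublicKeyInfo of the CA certificate."""
    cert = base64.b64decode("".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----")))
    _, tbs_start, _ = children(cert, 0)[0]   # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    fields = children(cert, tbs_start)
    # tbsCertificate: [0] version (optional), serial, signature, issuer, validity, subject, SPKI, ...
    _, start, end = fields[6 if fields[0][0] == 0xA0 else 5]
    return "sha256:" + hashlib.sha256(cert[start:end]).hexdigest()

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; the sample bodies are < 256 bytes, so short or one-byte long form suffices."""
    return (bytes([tag, len(body)]) if len(body) < 0x80 else bytes([tag, 0x81, len(body)])) + body

def sample_cert():
    """Constructed, unsigned certificate skeleton for a self-check (not a real CA) -> (pem, expected_hash)."""
    seq = lambda *parts: der(0x30, b"".join(parts))
    sig_alg = seq(der(0x06, bytes.fromhex("2a8648ce3d040302")))                # ecdsa-with-SHA256 OID
    spki = seq(seq(der(0x06, bytes.fromhex("2a8648ce3d0201"))), der(0x03, b"\x00\x04" + b"\x11" * 64))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), sig_alg, seq(),   # v3, serial, alg, issuer
              seq(der(0x17, b"230101000000Z"), der(0x17, b"330101000000Z")), seq(), spki)  # validity, subject, SPKI
    cert = seq(tbs, sig_alg, der(0x03, b"\x00" + b"\x22" * 70))                 # dummy signature bits
    body = base64.b64encode(cert).decode()
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        body[i:i + 64] for i in range(0, len(body), 64))
    return pem, "sha256:" + hashlib.sha256(spki).hexdigest()

if __name__ == "__main__":
    print(ca_cert_hash(sample_cert()[0]))   # on a control-plane node: ca_cert_hash(open("/etc/kubernetes/pki/ca.crt").read())
```

On a control-plane node the same value comes from `openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl pkey -pubin -outform der | openssl dgst -sha256`; if it differs from the hash in a join command, that command was not produced by this cluster's CA and must not be run on a node.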

4.4 Joining control-plane nodes

# A load balancer should be set up and its IP used
echo '10.0.2.101 cluster.berkaroad.com' >> /etc/hosts
# In this kubelet version the command-line flag `--cni-bin-dir` has been removed, so it must be dropped
sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
# note: the clocks across the cluster must agree, otherwise joining fails with the error: x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
# You can now join any number of the control-plane node running the following command on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
    --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
    --control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44
# if the --certificate-key has expired, run:
kubeadm init phase upload-certs --upload-certs
# if the token has expired, run:
kubeadm token create --print-join-command
# after it succeeds, configure kubectl as the output instructs
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

4.5 Joining worker nodes

# A load balancer should be set up and its IP used
echo '10.0.2.101 cluster.berkaroad.com' >> /etc/hosts
# In this kubelet version the command-line flag `--cni-bin-dir` has been removed, so it must be dropped
sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
# after it succeeds, configure kubectl as the output instructs
# (admin.conf exists only on control-plane nodes; copy it over from a master if kubectl is wanted on a worker)
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# note: the clocks across the cluster must agree, otherwise joining fails with the error: x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
# Then you can join any number of worker nodes by running the following on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
    --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3
# if the token has expired, run:
kubeadm token create --print-join-command

4.6 Installing the CNI: Calico

kubectl apply -f https://projectcalico.docs.tigera.io/archive/v3.25/manifests/calico.yaml

4.7 Inspecting the k8s cluster

Node information:

kubectl get no -o wide
NAME          STATUS   ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE     KERNEL-VERSION   CONTAINER-RUNTIME
k8s-master1   Ready    control-plane   23m   v1.26.3   10.0.2.101    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-master2   Ready    control-plane   22m   v1.26.3   10.0.2.102    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-master3   Ready    control-plane   22m   v1.26.3   10.0.2.103    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-worker1   Ready    <none>          20m   v1.26.3   10.0.2.111    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-worker2   Ready    <none>          18m   v1.26.3   10.0.2.112    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0
k8s-worker3   Ready    <none>          17m   v1.26.3   10.0.2.113    <none>        Arch Linux   6.1.25-1-lts     containerd://1.7.0

Pod information:

kubectl get po -n kube-system
NAME                                      READY   STATUS    RESTARTS      AGE
calico-kube-controllers-57b57c56f-g62jv   1/1     Running   0             6m5s
calico-node-2b5f9                         1/1     Running   0             6m5s
calico-node-flbmt                         1/1     Running   0             6m5s
calico-node-hwtvh                         1/1     Running   0             6m5s
calico-node-j6dkp                         1/1     Running   0             6m5s
calico-node-jqcfg                         1/1     Running   0             6m5s
calico-node-lrq7q                         1/1     Running   0             6m5s
coredns-5bbd96d687-fd9j7                  1/1     Running   0             24m
coredns-5bbd96d687-kd48v                  1/1     Running   0             24m
etcd-k8s-master1                          1/1     Running   0             25m
etcd-k8s-master2                          1/1     Running   0             23m
etcd-k8s-master3                          1/1     Running   0             23m
kube-apiserver-k8s-master1                1/1     Running   0             25m
kube-apiserver-k8s-master2                1/1     Running   0             23m
kube-apiserver-k8s-master3                1/1     Running   0             23m
kube-controller-manager-k8s-master1       1/1     Running   0             25m
kube-controller-manager-k8s-master2       1/1     Running   0             23m
kube-controller-manager-k8s-master3       1/1     Running   0             22m
kube-proxy-6v7b9                          1/1     Running   0             18m
kube-proxy-7dnmx                          1/1     Running   0             22m
kube-proxy-c2cdd                          1/1     Running   0             23m
kube-proxy-k4l4c                          1/1     Running   0             19m
kube-proxy-rjw8j                          1/1     Running   0             24m
kube-proxy-zrcvw                          1/1     Running   0             23m
kube-scheduler-k8s-master1                1/1     Running   0             25m
kube-scheduler-k8s-master2                1/1     Running   0             23m
kube-scheduler-k8s-master3                1/1     Running   0             23m

Appendix

Package signature error

error: libcap: signature from "David Runge " is marginal trust
:: File /var/cache/pacman/pkg/libcap-2.65-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] Y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

Update the pacman keyring

pacman -S gnupg
pacman -Sy archlinux-keyring
pacman-key --populate archlinux
pacman-key --refresh-keys
pacman -Syu   # full upgrade (pacman -S has no -x option)