atom.xml
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Wang'T Blog</title>
<subtitle>_Once you enter the network it is as deep as the sea; from then on, integrity is a stranger.</subtitle>
<link href="/atom.xml" rel="self"/>
<link href="http://www.idcsec.com/"/>
<updated>2020-01-09T15:04:57.763Z</updated>
<id>http://www.idcsec.com/</id>
<author>
<name>Wang'T</name>
</author>
<generator uri="http://hexo.io/">Hexo</generator>
<entry>
<title>ELK log platform index backup, migration and restore; ELK 7.5.1 cluster deployment</title>
<link href="http://www.idcsec.com/2020/01/09/ELK%E6%97%A5%E5%BF%97%E5%B9%B3%E5%8F%B0%E7%B4%A2%E5%BC%95%E5%A4%87%E4%BB%BD%EF%BC%8C%E8%BF%81%E7%A7%BB%E5%8F%8A%E6%81%A2%E5%A4%8D-ELK7-5-1%E9%9B%86%E7%BE%A4%E9%83%A8%E7%BD%B2/"/>
<id>http://www.idcsec.com/2020/01/09/ELK日志平台索引备份,迁移及恢复-ELK7-5-1集群部署/</id>
<published>2020-01-09T14:42:00.000Z</published>
<updated>2020-01-09T15:04:57.763Z</updated>
<content type="html"><![CDATA[<p>Upgrading directly from 6.7 or earlier to 7.5.1 requires a full cluster restart.<br><img src="/img/kibana.png" alt="kibana"><br><a id="more"></a></p><p>#Create a snapshot to back up the .kibana index<br><a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-snapshots.html" target="_blank" rel="external">https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-snapshots.html</a></p><p>1. Edit the Elasticsearch configuration file: path.repo must be present in the settings on every master node and data node.<br><figure class="hljs highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">vim elasticsearch.yml</span><br><span class="line">path.repo: [<span class="string">"/opt/my_backup"</span>] <span class="comment">#set the repository path</span></span><br></pre></td></tr></table></figure></p><p>2. Register the repository<br><figure class="hljs highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">curl -H <span class="string">"Content-Type: application/json"</span> -XPUT http:<span class="comment">//192.168.0.156:9200/_snapshot/my_backup -d '</span></span><br><span class="line">{</span><br><span class="line"> <span class="string">"type"</span>: <span class="string">"fs"</span>,</span><br><span class="line"> <span class="string">"settings"</span>: {</span><br><span class="line"> <span class="string">"location"</span>: <span class="string">"/opt/my_backup"</span>,</span><br><span class="line"><span class="string">"compress"</span>: <span class="keyword">true</span></span><br><span class="line"> }</span><br><span class="line">}<span class="string">'</span></span><br></pre></td></tr></table></figure></p><p>3. View the repository<br><figure class="hljs highlight java"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl -XGET http:<span class="comment">//192.168.0.156:9200/_snapshot</span></span><br></pre></td></tr></table></figure></p><p>4. Back up the data<br><figure class="hljs highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl -XPUT http:<span class="comment">//192.168.0.156:9200/_snapshot/my_backup/snapshot_20200108</span></span><br></pre></td></tr></table></figure></p><p>The command above snapshots every index in Elasticsearch.<br>To snapshot only the .kibana index:<br><figure class="hljs highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">curl -H <span class="string">"Content-Type: application/json"</span> -XPUT http:<span class="comment">//192.168.0.156:9200/_snapshot/my_backup/snapshot_20200108 -d '</span></span><br><span class="line">{</span><br><span class="line"> <span class="string">"indices"</span>: <span class="string">".kibana"</span></span><br><span class="line">}<span class="string">'</span></span><br></pre></td></tr></table></figure></p><p>5. View the backup<br><figure class="hljs highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">curl -XGET http:<span class="comment">//192.168.0.156:9200/_snapshot/my_backup/snapshot_20200108</span></span><br><span class="line"># use _snapshot/my_backup/_all to view all snapshots</span><br></pre></td></tr></table></figure></p><p>6. Delete the backup<br><figure class="hljs highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl -XDELETE http:<span class="comment">//192.168.0.156:9200/_snapshot/my_backup/snapshot_20200108</span></span><br></pre></td></tr></table></figure></p><p>7. Restore the backup<br><figure class="hljs highlight"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl -XPOST http://192.168.0.156:9200/_snapshot/my_backup/snapshot_20200108/_restore</span><br></pre></td></tr></table></figure></p><h1 id="ELK_u96C6_u7FA4_u90E8_u7F72"><a href="#ELK_u96C6_u7FA4_u90E8_u7F72" class="headerlink" title="ELK cluster deployment"></a>ELK cluster deployment</h1><h2 id="Elasticsearch_u96C6_u7FA4_u90E8_u7F72_u67B6_u6784"><a href="#Elasticsearch_u96C6_u7FA4_u90E8_u7F72_u67B6_u6784" class="headerlink" title="Elasticsearch cluster deployment architecture"></a>Elasticsearch cluster deployment architecture</h2><table><thead><tr><th>Node</th><th style="text-align:center">CPU/Memory</th><th style="text-align:right">Node role</th></tr></thead><tbody><tr><td>ES-cluster-192.168.0.114</td><td style="text-align:center">8*32</td><td style="text-align:right">master Kibana</td></tr><tr><td>ES-cluster-192-168-0-98</td><td style="text-align:center">8*32</td><td style="text-align:right">master</td></tr><tr><td>ES-cluster-192-168-0-156</td><td style="text-align:center">8*32</td><td style="text-align:right">master</td></tr></tbody></table><h2 id="u521D_u59CB_u5316_u73AF_u5883"><a href="#u521D_u59CB_u5316_u73AF_u5883" class="headerlink" title="Initialize the environment"></a>Initialize the environment</h2><p>If several Java versions are installed, JAVA_HOME must be set explicitly<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">export JAVA_HOME=/data/elk/elasticsearch-7.5.1/jdk</span><br><span class="line">export PATH=$JAVA_HOME/bin:$PATH</span><br></pre></td></tr></table></figure></p><p>Create the user<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">groupadd elk</span><br><span class="line">useradd elk -g elk</span><br><span class="line">echo '123456' | passwd --stdin elk</span><br></pre></td></tr></table></figure></p><p>Raise the file descriptor limits<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vi /etc/security/limits.conf</span><br><span class="line">* soft nofile 655360</span><br><span class="line">* hard nofile 655360</span><br><span class="line">* soft nproc 4096</span><br><span class="line">* hard nproc 4096</span><br><span class="line">elk soft memlock unlimited</span><br><span class="line">elk hard memlock unlimited</span><br><span class="line">ulimit -n</span><br><span class="line">echo 'vm.max_map_count=655360' >> /etc/sysctl.conf</span><br><span class="line">sysctl -p</span><br></pre></td></tr></table></figure></p><h2 id="elasticsearch7-0_u914D_u7F6E_u6587_u4EF6_u8BE6_u89E3"><a href="#elasticsearch7-0_u914D_u7F6E_u6587_u4EF6_u8BE6_u89E3" class="headerlink" title="elasticsearch7.0 configuration file explained"></a>elasticsearch7.0 configuration file explained</h2><p><a href="https://www.elastic.co/guide/en/elasticsearch/reference/master/modules-discovery-settings.html" target="_blank" rel="external">https://www.elastic.co/guide/en/elasticsearch/reference/master/modules-discovery-settings.html</a><br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span 
class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br></pre></td><td 
class="code"><pre><span class="line">cluster.name: ES-Cluster</span><br><span class="line">#ES cluster name; every node in the same cluster must use the same cluster name</span><br><span class="line"></span><br><span class="line">node.name: ES-cluster-192.168.0.114</span><br><span class="line">#Node name within the ES cluster; node names must be unique within a cluster</span><br><span class="line"></span><br><span class="line">node.master: true</span><br><span class="line">#Whether this node may become a master node; by default the first machine in the cluster becomes master, and a new election is held if that machine stops</span><br><span class="line"></span><br><span class="line">node.data: false</span><br><span class="line">#Whether this node may store index data (enabled by default)</span><br><span class="line">#For details on the roles of Elasticsearch nodes, see: https://www.dockerc.com/elasticsearch-master-or-data/</span><br><span class="line"></span><br><span class="line">path.data: /data/elk_data/data</span><br><span class="line">#ES is a search engine that creates documents and builds indices; this path is where the indices are stored. If the log volume is large, the disk space taken by the indices is not to be underestimated</span><br><span class="line">#A dedicated storage system is recommended for this path; failing that, use disks with redundancy. The user running elasticsearch also needs write permission on this directory</span><br><span class="line">#path can list several storage locations to spread the data, which helps performance; for how the data is spread, see https://www.dockerc.com/elk-theory-elasticsearch/</span><br><span class="line"></span><br><span class="line">path.logs: /data/elk_data/logs</span><br><span class="line">#Dedicated log location for elasticsearch; in production, keep the elasticsearch configuration files and the elasticsearch logs in separate locations</span><br><span class="line"></span><br><span class="line">bootstrap.memory_lock: true</span><br><span class="line">#Locks the heap memory ES can use once ES is running; the locked size is usually about half of the available memory; once memory is locked, swap is not used</span><br><span class="line">#If this is not enabled, ES will use swap when physical memory runs short, and ES performance becomes very poor when it swaps</span><br><span class="line"></span><br><span class="line">network.host: 0.0.0.0</span><br><span class="line">#Address ES binds to; IPv4 and IPv6 are supported, the default is 127.0.0.1; the ES HTTP port and the cluster transport port listen on this address</span><br><span class="line"></span><br><span class="line">network.tcp.no_delay: true</span><br><span class="line">#Whether to enable TCP no-delay; true enables TCP no-delay, the default is false (TCP delay enabled)</span><br><span class="line"></span><br><span class="line">network.tcp.keep_alive: true</span><br><span 
class="line">#Whether to enable TCP keep-alive; the default is true</span><br><span class="line"></span><br><span class="line">network.tcp.reuse_address: true</span><br><span class="line">#Whether the address should be reused. The default is true; on Windows machines the default is false</span><br><span class="line"></span><br><span class="line">network.tcp.send_buffer_size: 128mb</span><br><span class="line">#TCP send buffer size; not set by default</span><br><span class="line"></span><br><span class="line">network.tcp.receive_buffer_size: 128mb</span><br><span class="line">#TCP receive buffer size; not set by default</span><br><span class="line"></span><br><span class="line">transport.tcp.port: 9300</span><br><span class="line">#TCP port for communication between cluster nodes; the default is 9300</span><br><span class="line"></span><br><span class="line">transport.tcp.compress: true</span><br><span class="line">#Whether to compress data sent over the TCP transport; the default is false</span><br><span class="line"></span><br><span class="line">http.max_content_length: 200mb</span><br><span class="line">#Maximum size of HTTP request content; the default is 100mb</span><br><span class="line"></span><br><span class="line">http.cors.enabled: true</span><br><span class="line">#Whether to enable cross-origin access</span><br><span class="line"></span><br><span class="line">http.cors.allow-origin: "*"</span><br><span class="line">#Origin restriction once cross-origin access is enabled; * means unrestricted</span><br><span class="line"></span><br><span class="line">http.port: 9200</span><br><span class="line">#HTTP port ES exposes for external calls; the default is 9200</span><br><span class="line"></span><br><span class="line">discovery.zen.ping.unicast.hosts: [] #Removed in Elasticsearch 7.0</span><br><span class="line"></span><br><span class="line">discovery.zen.minimum_master_nodes: 3 #Removed in Elasticsearch 7.0</span><br><span class="line">#To avoid split brain, the minimum number of nodes is the total number of nodes in the cluster divided by 2, plus one</span><br><span class="line"></span><br><span class="line">discovery.zen.fd.ping_timeout: 120s #Removed in Elasticsearch 7.0</span><br><span class="line">#Probe timeout; the default is 3 seconds. 120 seconds is used here to keep the ES cluster from split brain when the network is poor</span><br><span class="line"></span><br><span class="line">discovery.zen.fd.ping_retries: 6 #Removed in Elasticsearch 7.0</span><br><span 
class="line">#Number of probes; if each probe takes 90 seconds, after more than six consecutive probes the node is considered to have left the cluster; the default is 3</span><br><span class="line"></span><br><span class="line">discovery.zen.fd.ping_interval: 15s #Removed in Elasticsearch 7.0</span><br><span class="line">#Each node sends a heartbeat to the master every 15 seconds to show that it and the master are still alive; the default of 1 second is too frequent</span><br><span class="line"></span><br><span class="line">discovery.seed_hosts: ["192.168.0.114:9300", "192.168.0.98:9300","192.168.0.156:9300"]</span><br><span class="line">#New in Elasticsearch 7: seed nodes for cluster auto-discovery; replaces the discovery.zen.ping.unicast.hosts: setting</span><br><span class="line"></span><br><span class="line">cluster.initial_master_nodes: ["192.168.0.114:9300", "192.168.0.98:9300","192.168.0.156:9300"]</span><br><span class="line">#A master is elected only once all three of these nodes have started; total number of nodes in the cluster divided by 2, plus 1</span><br><span class="line"></span><br><span class="line">cluster.fault_detection.leader_check.interval: 15s </span><br><span class="line">#New in Elasticsearch 7: how long each node waits between checks of the elected master. The default is 1 second</span><br><span class="line"></span><br><span class="line">discovery.cluster_formation_warning_timeout: 30s </span><br><span class="line">#New in Elasticsearch 7: if the cluster has not formed within 30 seconds of startup, a warning is logged; the warning starts with master not found; the default is 10 seconds</span><br><span class="line"></span><br><span class="line">cluster.join.timeout: 30s</span><br><span class="line">#New in Elasticsearch 7: after a node sends a request to join the cluster, how long it waits before considering the request failed and sending it again; the default is 60 seconds</span><br><span class="line"></span><br><span class="line">cluster.publish.timeout: 90s </span><br><span class="line">#New in Elasticsearch 7: how long the master waits for each cluster state update to be fully published to all nodes; the default is 30 seconds</span><br><span class="line"></span><br><span class="line">cluster.routing.allocation.cluster_concurrent_rebalance: 32</span><br><span class="line">#Number of data tasks started concurrently in the cluster; the default is 2</span><br><span class="line"></span><br><span class="line">cluster.routing.allocation.node_concurrent_recoveries: 32</span><br><span class="line">#Number of concurrent recovery threads when nodes are added or removed and during rebalancing; the default is 4</span><br><span class="line"></span><br><span class="line">cluster.routing.allocation.node_initial_primaries_recoveries: 32</span><br><span 
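class="line">#Number of concurrent recovery threads during initial data recovery; the default is 4</span><br></pre></td></tr></table></figure></p>
<h2 id="u8C03_u6574JVM_u5185_u5B58"><a href="#u8C03_u6574JVM_u5185_u5B58" class="headerlink" title="Adjust JVM memory"></a>Adjust JVM memory</h2><p>The main file to edit is elasticsearch/jvm.options<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">#Xms is the initial ES heap size</span><br><span class="line">-Xms16g</span><br><span class="line">#Xmx is the maximum heap space available to ES</span><br><span class="line">-Xmx16g</span><br><span class="line">#Change -XX:+UseConcMarkSweepGC to:</span><br><span class="line">-XX:+UseG1GC</span><br></pre></td></tr></table></figure></p>
<h2 id="Master_u8282_u70B9elasticsearch-yml_u90E8_u7F72es-cluster-192-168-0-114"><a href="#Master_u8282_u70B9elasticsearch-yml_u90E8_u7F72es-cluster-192-168-0-114" class="headerlink" title="Master node elasticsearch.yml deployment: es-cluster-192-168-0-114"></a>Master node elasticsearch.yml deployment: es-cluster-192-168-0-114</h2><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"># ---------------------------------- Cluster -----------------------------------</span><br><span class="line">cluster.name: ES-Cluster</span><br><span class="line"># ------------------------------------ Node ------------------------------------</span><br><span class="line">node.name: es-cluster-192-168-0-114</span><br><span class="line">node.master: true</span><br><span class="line">node.data: true</span><br><span class="line"># ----------------------------------- Paths ------------------------------------</span><br><span class="line">path.data: /data/elk/elk_data</span><br><span class="line">path.logs: /data/elk/logs</span><br><span class="line"># ----------------------------------- Memory -----------------------------------</span><br><span class="line">bootstrap.memory_lock: true</span><br><span class="line"># ---------------------------------- Network -----------------------------------</span><br><span class="line">network.host: 0.0.0.0</span><br><span class="line">network.tcp.no_delay: true</span><br><span class="line">network.tcp.keep_alive: true</span><br><span class="line">network.tcp.reuse_address: true</span><br><span class="line">network.tcp.send_buffer_size: 128mb</span><br><span class="line">network.tcp.receive_buffer_size: 128mb</span><br><span class="line">transport.tcp.port: 9300</span><br><span class="line">transport.tcp.compress: true</span><br><span class="line">http.max_content_length: 200mb</span><br><span class="line">http.cors.enabled: true</span><br><span class="line">http.cors.allow-origin: "*"</span><br><span class="line">http.port: 9200</span><br><span class="line"># --------------------------------- Discovery ----------------------------------</span><br><span class="line">discovery.seed_hosts: ["192.168.0.114:9300", "192.168.0.98:9300","192.168.0.156:9300"]</span><br><span class="line">cluster.initial_master_nodes: ["192.168.0.114:9300", "192.168.0.98:9300","192.168.0.156:9300"]</span><br><span class="line">cluster.fault_detection.leader_check.interval: 15s</span><br><span class="line">discovery.cluster_formation_warning_timeout: 30s</span><br><span class="line">cluster.join.timeout: 120s</span><br><span class="line">cluster.publish.timeout: 90s</span><br><span class="line">cluster.routing.allocation.cluster_concurrent_rebalance: 32</span><br><span class="line">cluster.routing.allocation.node_concurrent_recoveries: 32</span><br><span class="line">cluster.routing.allocation.node_initial_primaries_recoveries: 32</span><br><span class="line"># ---------------------------------- xpack -----------------------------------</span><br><span class="line">xpack.security.enabled: true</span><br><span class="line">xpack.security.transport.ssl.enabled: true</span><br><span class="line">xpack.monitoring.collection.enabled: true</span><br><span class="line">xpack.security.transport.ssl.verification_mode: certificate</span><br><span class="line">xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.enabled: true</span><br><span class="line">xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.client_authentication: none</span><br><span class="line">xpack.security.http.ssl.verification_mode: certificate</span><br><span class="line"># ---------------------------------- Various -----------------------------------</span><br><span class="line">script.painless.regex.enabled: true</span><br><span class="line">indices.fielddata.cache.size: 25%</span><br><span class="line">thread_pool:</span><br><span class="line">  write:</span><br><span class="line">    size: 4</span><br><span class="line">    queue_size: 5000</span><br></pre></td></tr></table></figure>
<h2 id="Master_u8282_u70B9elasticsearch-yml_u90E8_u7F72es-cluster-192-168-0-98"><a href="#Master_u8282_u70B9elasticsearch-yml_u90E8_u7F72es-cluster-192-168-0-98" class="headerlink" title="Master node elasticsearch.yml deployment: es-cluster-192-168-0-98"></a>Master node elasticsearch.yml deployment: es-cluster-192-168-0-98</h2><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"># ---------------------------------- Cluster -----------------------------------</span><br><span class="line">cluster.name: ES-Cluster</span><br><span class="line"># ------------------------------------ Node ------------------------------------</span><br><span class="line">node.name: es-cluster-192-168-0-98</span><br><span class="line">node.master: true</span><br><span class="line">node.data: true</span><br><span class="line"># ----------------------------------- Paths ------------------------------------</span><br><span class="line">path.data: /data/elk/elk_data</span><br><span class="line">path.logs: /data/elk/logs</span><br><span class="line"># ----------------------------------- Memory -----------------------------------</span><br><span class="line">bootstrap.memory_lock: true</span><br><span class="line"># ---------------------------------- Network -----------------------------------</span><br><span class="line">network.host: 0.0.0.0</span><br><span class="line">network.tcp.no_delay: true</span><br><span class="line">network.tcp.keep_alive: true</span><br><span class="line">network.tcp.reuse_address: true</span><br><span class="line">network.tcp.send_buffer_size: 128mb</span><br><span class="line">network.tcp.receive_buffer_size: 128mb</span><br><span class="line">transport.tcp.port: 9300</span><br><span class="line">transport.tcp.compress: true</span><br><span class="line">http.max_content_length: 200mb</span><br><span class="line">http.cors.enabled: true</span><br><span class="line">http.cors.allow-origin: "*"</span><br><span class="line">http.port: 9200</span><br><span class="line"># --------------------------------- Discovery ----------------------------------</span><br><span class="line">discovery.seed_hosts: ["192.168.0.114:9300", "192.168.0.98:9300","192.168.0.156:9300"]</span><br><span class="line">cluster.initial_master_nodes: ["192.168.0.114:9300", "192.168.0.98:9300","192.168.0.156:9300"]</span><br><span class="line">cluster.fault_detection.leader_check.interval: 15s</span><br><span class="line">discovery.cluster_formation_warning_timeout: 30s</span><br><span class="line">cluster.join.timeout: 120s</span><br><span class="line">cluster.publish.timeout: 90s</span><br><span class="line">cluster.routing.allocation.cluster_concurrent_rebalance: 32</span><br><span class="line">cluster.routing.allocation.node_concurrent_recoveries: 32</span><br><span class="line">cluster.routing.allocation.node_initial_primaries_recoveries: 32</span><br><span class="line"># ---------------------------------- xpack -----------------------------------</span><br><span class="line">xpack.security.enabled: true</span><br><span class="line">xpack.security.transport.ssl.enabled: true</span><br><span class="line">xpack.monitoring.collection.enabled: true</span><br><span class="line">xpack.security.transport.ssl.verification_mode: certificate</span><br><span class="line">xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.enabled: true</span><br><span class="line">xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.client_authentication: none</span><br><span class="line">xpack.security.http.ssl.verification_mode: certificate</span><br><span class="line"># ---------------------------------- Various -----------------------------------</span><br><span class="line">script.painless.regex.enabled: true</span><br><span class="line">indices.fielddata.cache.size: 25%</span><br><span class="line">thread_pool:</span><br><span class="line">  write:</span><br><span class="line">    size: 4</span><br><span class="line">    queue_size: 5000</span><br></pre></td></tr></table></figure>
<h2 id="Master_u8282_u70B9elasticsearch-yml_u90E8_u7F72es-cluster-192-168-0-156"><a href="#Master_u8282_u70B9elasticsearch-yml_u90E8_u7F72es-cluster-192-168-0-156" class="headerlink" title="Master node elasticsearch.yml deployment: es-cluster-192-168-0-156"></a>Master node elasticsearch.yml deployment: es-cluster-192-168-0-156</h2><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"># ---------------------------------- Cluster -----------------------------------</span><br><span class="line">cluster.name: ES-Cluster</span><br><span class="line"># ------------------------------------ Node ------------------------------------</span><br><span class="line">node.name: es-cluster-192-168-0-156</span><br><span class="line">node.master: true</span><br><span class="line">node.data: true</span><br><span class="line"># ----------------------------------- Paths ------------------------------------</span><br><span class="line">path.data: /data/elk/elk_data</span><br><span class="line">path.logs: /data/elk/logs</span><br><span class="line"># ----------------------------------- Memory -----------------------------------</span><br><span class="line">bootstrap.memory_lock: true</span><br><span class="line"># ---------------------------------- Network -----------------------------------</span><br><span class="line">network.host: 0.0.0.0</span><br><span class="line">network.tcp.no_delay: true</span><br><span class="line">network.tcp.keep_alive: true</span><br><span class="line">network.tcp.reuse_address: true</span><br><span class="line">network.tcp.send_buffer_size: 128mb</span><br><span class="line">network.tcp.receive_buffer_size: 128mb</span><br><span class="line">transport.tcp.port: 9300</span><br><span class="line">transport.tcp.compress: true</span><br><span class="line">http.max_content_length: 200mb</span><br><span class="line">http.cors.enabled: true</span><br><span class="line">http.cors.allow-origin: "*"</span><br><span class="line">http.port: 9200</span><br><span class="line"># --------------------------------- Discovery ----------------------------------</span><br><span class="line">discovery.seed_hosts: ["192.168.0.114:9300", "192.168.0.98:9300","192.168.0.156:9300"]</span><br><span class="line">cluster.initial_master_nodes: ["192.168.0.114:9300", "192.168.0.98:9300","192.168.0.156:9300"]</span><br><span class="line">cluster.fault_detection.leader_check.interval: 15s</span><br><span class="line">discovery.cluster_formation_warning_timeout: 30s</span><br><span class="line">cluster.join.timeout: 120s</span><br><span class="line">cluster.publish.timeout: 90s</span><br><span class="line">cluster.routing.allocation.cluster_concurrent_rebalance: 32</span><br><span class="line">cluster.routing.allocation.node_concurrent_recoveries: 32</span><br><span class="line">cluster.routing.allocation.node_initial_primaries_recoveries: 32</span><br><span class="line"># ---------------------------------- xpack -----------------------------------</span><br><span class="line">xpack.security.enabled: true</span><br><span class="line">xpack.security.transport.ssl.enabled: true</span><br><span class="line">xpack.monitoring.collection.enabled: true</span><br><span class="line">xpack.security.transport.ssl.verification_mode: certificate</span><br><span class="line">xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.enabled: true</span><br><span class="line">xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.client_authentication: none</span><br><span class="line">xpack.security.http.ssl.verification_mode: certificate</span><br><span class="line"># ---------------------------------- Various -----------------------------------</span><br><span class="line">script.painless.regex.enabled: true</span><br><span class="line">indices.fielddata.cache.size: 25%</span><br><span class="line">thread_pool:</span><br><span class="line">  write:</span><br><span class="line">    size: 4</span><br><span class="line">    queue_size: 5000</span><br></pre></td></tr></table></figure>
<h2 id="u5B89_u88C5Kibana"><a href="#u5B89_u88C5Kibana" class="headerlink" title="Install Kibana"></a>Install Kibana</h2><p>1. Issue a certificate for Kibana from the elastic-stack-ca.p12 CA<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bin/elasticsearch-certutil cert --ca \</span><br><span class="line">elastic-stack-ca.p12 \</span><br><span class="line">-name "CN=kibana,OU=elk,DC=mydomain,DC=com"</span><br><span class="line">#Prompts: ENTER / kibana.p12 ENTER / ENTER</span><br><span class="line">#Convert to other formats (not needed if HTTPS is not used)</span><br><span class="line">openssl pkcs12 -in kibana.p12 -nocerts -nodes > kibana.key</span><br><span class="line">openssl pkcs12 -in kibana.p12 -clcerts -nokeys > kibana.cer</span><br><span class="line">openssl pkcs12 -in kibana.p12 -cacerts -nokeys -chain > kibana-ca.cer</span><br><span class="line">mkdir /etc/kibana/certs</span><br><span class="line">cp kibana* /etc/kibana/certs/</span><br><span class="line">chown kibana:kibana -R /etc/kibana/certs/</span><br></pre></td></tr></table></figure></p><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim config/kibana.yml</span><br><span class="line">server.port: 5600</span><br><span class="line">server.host: "192.168.0.98"</span><br><span class="line">elasticsearch.hosts: ["https://192.168.0.98:9200","https://192.168.0.98:9200","https://192.168.0.156:9200"]</span><br><span class="line">xpack.security.enabled: true</span><br><span class="line">elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/kibana-ca.cer</span><br><span class="line">elasticsearch.ssl.verificationMode: certificate</span><br><span class="line">server.ssl.enabled: true</span><br><span class="line">server.ssl.key: /etc/kibana/certs/kibana.key</span><br><span class="line">server.ssl.certificate: /etc/kibana/certs/kibana.cer</span><br><span class="line">server.ssl.certificateAuthorities: /etc/kibana/certs/kibana-ca.cer</span><br><span class="line">elasticsearch.username: "kibana"</span><br><span class="line">elasticsearch.password: "xxxxx"</span><br><span class="line">#elasticsearch.ssl.verificationMode: none</span><br><span class="line">elasticsearch.requestTimeout: 90000</span><br><span class="line">i18n.locale: "zh-CN"</span><br></pre></td></tr></table></figure><p>If you do not want the user ID and password stored in plain text in kibana.yml, you can keep them in a keystore. Run the following commands to create the Kibana keystore and add the settings:<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./bin/kibana-keystore create</span><br><span class="line">./bin/kibana-keystore add elasticsearch.username</span><br><span class="line">./bin/kibana-keystore add elasticsearch.password</span><br></pre></td></tr></table></figure></p>
<h2 id="u542F_u7528X-pack_u5B89_u5168_u914D_u7F6ETLS_u548C_u8EAB_u4EFD_u9A8C_u8BC1"><a href="#u542F_u7528X-pack_u5B89_u5168_u914D_u7F6ETLS_u548C_u8EAB_u4EFD_u9A8C_u8BC1" class="headerlink" title="Enable X-Pack security: configure TLS and authentication"></a>Enable X-Pack security: configure TLS and authentication</h2><h3 id="u751F_u6210CA_u8BC1_u4E66"><a href="#u751F_u6210CA_u8BC1_u4E66" class="headerlink" title="Generate the CA certificate"></a>Generate the CA certificate</h3><p>Once the security module is enabled, TLS must be configured for communication between nodes.<br>Generate the CA certificate with bin/elasticsearch-certutil ca, which produces a new file, elastic-stack-ca.p12.<br>Generate a certificate and private key for each node in the cluster with bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12, which produces a new file, elastic-certificates.p12. By default elasticsearch-certutil generates certificates without hostname information, which means the certificate can be used for every node in the cluster; hostname verification must also be turned off.<br>Copy the elastic-certificates.p12 file into the Elasticsearch configuration directory on each node.<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mkdir /etc/elasticsearch/certs/</span><br><span class="line">bin/elasticsearch-certutil ca --days 2920</span><br><span class="line">bin/elasticsearch-certutil cert --days 2920 --ca elastic-stack-ca.p12</span><br><span class="line">cp elastic-certificates.p12 /etc/elasticsearch/certs/</span><br><span class="line">chown -R elk:elk /etc/elasticsearch/certs</span><br></pre></td></tr></table></figure></p><p>Copy the certificate to every node and set the appropriate permissions.<br>Append the xpack settings to the end of elasticsearch.yml:<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xpack.security.enabled: true</span><br><span class="line">xpack.security.transport.ssl.enabled: true</span><br><span class="line">xpack.security.transport.ssl.verification_mode: certificate</span><br><span class="line">xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12</span><br><span class="line">xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.enabled: true</span><br><span class="line">xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12</span><br><span class="line">xpack.security.http.ssl.client_authentication: none</span><br></pre></td></tr></table></figure></p>
<h3 id="u8BBE_u7F6E_u5185_u7F6E_u7528_u6237_u5BC6_u7801"><a href="#u8BBE_u7F6E_u5185_u7F6E_u7528_u6237_u5BC6_u7801" class="headerlink" title="Set the built-in user passwords"></a>Set the built-in user passwords</h3><p>Start the cluster and initialize the passwords of the elastic, apm_system, kibana, logstash_system, beats_system and remote_monitoring_user users; be sure to remember them!<br>bin/elasticsearch-setup-passwords auto generates a random password for each user.<br>bin/elasticsearch-setup-passwords interactive lets you define the passwords manually.<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span 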
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bin/elasticsearch-setup-passwords interactive</span><br></pre></td></tr></table></figure></p><h2 id="Logstash_u90E8_u7F72"><a href="#Logstash_u90E8_u7F72" class="headerlink" title="Logstash部署"></a>Logstash deployment</h2><p><a href="http://idcsec.com/wp-admin/post.php?post=165&action=edit" target="_blank" rel="external">http://idcsec.com/wp-admin/post.php?post=165&action=edit</a></p><h2 id="kfaka_u90E8_u7F72"><a href="#kfaka_u90E8_u7F72" class="headerlink" title="kfaka部署"></a>Kafka deployment</h2><h2 id="kubernetes_u90E8_u7F72fluent-bit"><a href="#kubernetes_u90E8_u7F72fluent-bit" class="headerlink" title="kubernetes部署fluent-bit"></a>Deploying fluent-bit on Kubernetes</h2><p>##<br>The command to change the password is as follows<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"> </span><br></pre></td></tr></table></figure></p><p>In ES 7 the cluster shard limit defaults to a maximum of 1000 per node; it can be changed with cluster.max_shards_per_node, for example:<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl -X PUT "localhost:9200/_cluster/settings?pretty" -H 'Content-Type: application/json' -d'<br>{<br>  "persistent": {<br>    "cluster.max_shards_per_node": 100000<br>  }<br>}<br>'</span><br></pre></td></tr></table></figure></p><p>Configuring default shards in 7.x<br>index.number_of_shards: not supported in 7.x<br>It has to be changed in the template<br><figure class="hljs highlight"><figcaption><span>script</span></figcaption><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">{<br>  "order": 0,<br>  "version": 60001,<br>  "index_patterns": [<br>    "logstash-*"<br>  ],<br>  "settings": {<br>    "index": {<br>      "max_result_window": "2147483647",<br>      "number_of_shards": "5", #set it here<br>      "refresh_interval": "30s"<br>    }<br>  },<br>  "mappings": {},<br>  "aliases": {}<br>}</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<p>Upgrading directly from 6.7 or earlier to 7.5.1 requires a full cluster restart.<br><img src="/img/kibana.png" alt="kibnan"><br>
</summary>
<category term="elk" scheme="http://www.idcsec.com/categories/elk/"/>
<category term="elk,elasticsearch" scheme="http://www.idcsec.com/tags/elk-elasticsearch/"/>
</entry>
<entry>
<title>Connecting to the k8s cluster API from the Python client with a token</title>
<link href="http://www.idcsec.com/2019/07/21/python-client%E9%80%9A%E8%BF%87token%E8%BF%9E%E6%8E%A5k8sAPI-cluster/"/>
<id>http://www.idcsec.com/2019/07/21/python-client通过token连接k8sAPI-cluster/</id>
<published>2019-07-20T17:47:11.000Z</published>
<updated>2019-07-21T08:44:14.575Z</updated>
<content type="html"><![CDATA[<p>1. Create a k8s admin-user<br><figure class="hljs highlight asciidoc"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><span class="header">kubectl apply -f - <<EOF</span><br><span class="line">---</span></span><br><span class="line">#Create admin-user in kube-system</span><br><span class="line">apiVersion: v1</span><br><span class="line">kind: ServiceAccount</span><br><span class="line">metadata:</span><br><span class="line"><span class="code">  name: admin-user</span></span><br><span class="line"><span class="header">  namespace: kube-system</span><br><span class="line">---</span></span><br><span class="line">#Grant admin-user the cluster-admin role</span><br><span class="line">apiVersion: rbac.authorization.k8s.io/v1</span><br><span class="line">kind: ClusterRoleBinding</span><br><span class="line">metadata:</span><br><span class="line"><span class="code">  name: admin-user</span></span><br><span class="line">roleRef:</span><br><span class="line"><span class="code">  apiGroup: rbac.authorization.k8s.io</span></span><br><span class="line"><span class="code">  kind: ClusterRole</span></span><br><span class="line"><span class="code">  name: cluster-admin</span></span><br><span 
class="line">subjects:</span><br><span class="line"><span class="bullet">- </span>kind: ServiceAccount</span><br><span class="line"><span class="code">  name: admin-user</span></span><br><span class="line"><span class="code">  namespace: kube-system</span></span><br><span class="line">EOF</span><br></pre></td></tr></table></figure></p><p>Look up the k8s cluster API URL<br><figure class="hljs highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">kubectl config view --minify | grep server | cut <span class="operator">-f</span> <span class="number">2</span>- <span class="operator">-d</span> <span class="string">":"</span> | tr <span class="operator">-d</span> <span class="string">" "</span></span><br></pre></td></tr></table></figure></p><p>Get the token of the admin-user just created, then base64-decode it to obtain the token<br><figure class="hljs highlight handlebars"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="xml">kubectl -n kube-system get secrets admin-user-token-dpg67 -o go-template --template '</span><span class="expression">{{<span class="variable">index</span> <span class="variable">.data</span> <span class="string">"token"</span>}}</span><span class="xml">' | base64 -d</span></span><br></pre></td></tr></table></figure></p><p>Example<br><figure class="hljs highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span 
class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">from kubernetes import client, config</span><br><span class="line"></span><br><span class="line">#see https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-cluster-api to know how to get the token</span><br><span class="line">#The command look like kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t' but better <span class="operator"><span class="keyword">check</span> the official doc <span class="keyword">link</span></span><br><span class="line">aToken=<span class="string">"eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXhsZnF3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI5MmEzN2JkNi1hYjg5LTExZTktODkyMi0wODAwMjdlMWY4NDYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.GRerIItaGUf8PV8rb3eDsmP90YZCd3BGWuYhXr_y2f4zmd59rpHfP8E6xWoHQiav84Kq1b9E8tiEHC9aoPcNmmclS8AIm95DA-QHv_5WJrJPcTB-XpzF1ccPFSdJQ0hmjw54pxQo4gQLJ1MouPiwH-sWjVM1OYiEmillvglIiFfTrc24fJj1Fu2V46lsUXLPKBVrny3v6soUjteU4IDJxjHhQodpFSBbxnYVUvaK_hvthDv_IsCcY2rQ16ii4n6tTt8vf1D0NKZv4pWeXH2sRhzQ5Q3aK8VjZAd6PBd3iVMz2Gp24KWqFoqQ9-TRgwL6oIoHT3E0qEoapDzxg9jWSA"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"># Configs can be <span class="keyword">set</span> <span class="keyword">in</span> Configuration <span class="keyword">class</span> directly <span class="keyword">or</span> <span class="keyword">using</span> 
helper utility</span><br><span class="line">configuration = <span class="keyword">client</span>.Configuration()</span><br><span class="line">configuration.host=<span class="string">"https://192.168.99.100:8443"</span></span><br><span class="line">configuration.verify_ssl=<span class="literal">False</span></span><br><span class="line">configuration.debug = <span class="literal">True</span></span><br><span class="line"></span><br><span class="line">#Maybe there <span class="keyword">is</span> a way <span class="keyword">to</span> <span class="keyword">use</span> these options instead <span class="keyword">of</span> token since they <span class="keyword">are</span> provided <span class="keyword">in</span> Google cloud UI</span><br><span class="line">#configuration.username = <span class="string">"admin"</span></span><br><span class="line">#configuration.<span class="keyword">password</span> = <span class="string">"XXXXXXXXXXX"</span></span><br><span class="line">configuration.api_key={<span class="string">"authorization"</span>:<span class="string">"Bearer "</span>+ aToken}</span><br><span class="line"><span class="keyword">client</span>.Configuration.set_default(configuration)</span><br><span class="line"></span><br><span class="line">v1 = <span class="keyword">client</span>.CoreV1Api()</span><br><span class="line">print(<span class="string">"Listing pods with their IPs:"</span>)</span><br><span class="line">ret = v1.list_pod_for_all_namespaces(watch=<span class="literal">False</span>)</span><br><span class="line"><span class="keyword">for</span> <span class="keyword">i</span> <span class="keyword">in</span> ret.items:</span><br><span class="line">    print(<span class="string">"%s\t%s\t%s"</span> % (<span class="keyword">i</span>.<span class="keyword">status</span>.pod_ip, <span class="keyword">i</span>.metadata.namespace, <span class="keyword">i</span>.metadata.<span class="keyword">name</span>))</span></span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<p>1. Create a k8s admin-user<br><figure class="hljs highlight asciidoc"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span c
</summary>
</entry>
<entry>
<title>Taints and Tolerations in Kubernetes</title>
<link href="http://www.idcsec.com/2019/07/03/ubernetes%E4%B8%AD%E7%9A%84Taint%E5%92%8CToleration-1/"/>
<id>http://www.idcsec.com/2019/07/03/ubernetes中的Taint和Toleration-1/</id>
<published>2019-07-03T06:04:00.000Z</published>
<updated>2019-07-03T06:06:19.127Z</updated>
<content type="html"><![CDATA[<p><a href="https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/" target="_blank" rel="external">Reference</a></p><p>Taints and tolerations work together to keep pods from being assigned to unsuitable nodes. One or more taints can be applied to each node, which means the node will not accept any pod that does not tolerate those taints. Applying a toleration to a pod means the pod may (but is not required to) be scheduled onto nodes with matching taints. Node taints can be used to control which nodes workloads are allowed to run on.</p><h1 id="u6DFB_u52A0taint"><a href="#u6DFB_u52A0taint" class="headerlink" title="添加taint"></a>Adding a taint</h1><p>To view a node's taints, look for the Taints field in the returned node description<br><figure class="hljs highlight nginx"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="title">kubectl</span> describe nodes rancher-k8s-m1</span><br></pre></td></tr></table></figure></p><p>You can add a taint to a node with the kubectl taint command. For example<br><figure class="hljs highlight accesslog"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">kubectl taint nodes <span class="string">[NODE_NAME]</span> <span class="string">[KEY]</span>=<span class="string">[VALUE]</span>:<span class="string">[EFFECT]</span></span><br></pre></td></tr></table></figure></p><p>You can also add a taint to nodes that carry a specific label:<br><figure class="hljs highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">kubectl taint node -l node-role<span class="class">.kubernetes</span><span class="class">.io</span>/etcd=true dedicated=foo:PreferNoSchedule</span><br><span class="line"><span class="id">#kubectl</span> taint nodes dev-k8s-m1 node-role<span class="class">.kubernetes</span><span class="class">.io</span>/controlplane=true:NoSchedule adds a taint to node dev-k8s-m1 whose key is role<span class="class">.kubernetes</span><span class="class">.io</span>/controlplane, value is true and effect is NoSchedule. Unless a pod has a matching toleration, it will not be scheduled onto node dev-k8s-m1</span><br></pre></td></tr></table></figure></p><h1 
id="u5220_u9664taint"><a href="#u5220_u9664taint" class="headerlink" title="删除taint"></a>Removing a taint</h1><figure class="hljs highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">kubectl taint nodes dev-k8s-m1 role<span class="class">.kubernetes</span><span class="class">.io</span>/controlplane:NoSchedule-</span><br></pre></td></tr></table></figure><p>A node taint is a key-value pair associated with an "effect". The available effects are:<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">NoSchedule: Pods that do not tolerate this taint are not scheduled onto the node.</span><br><span class="line">PreferNoSchedule: Kubernetes avoids scheduling Pods that do not tolerate this taint onto the node. This is a preference, or soft version of NoSchedule: the scheduler tries to avoid placing pods that do not tolerate the taint on nodes carrying it, but it is not a hard requirement</span><br><span class="line">NoExecute: if a Pod is already running on the node, it is evicted from the node; if it is not yet running on the node, it is not scheduled onto it.</span><br></pre></td></tr></table></figure></p><h1 id="toleration"><a href="#toleration" class="headerlink" title="toleration"></a>toleration</h1><p>A pod's tolerations can be defined in the PodSpec. Both tolerations below match the taint created with the kubectl taint command in the example above, so a pod with either toleration can be assigned to dev-k8s-m1<br><figure class="hljs highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">tolerations</span>:</span><br><span class="line">- <span class="attribute">key</span>: <span class="string">"role.kubernetes.io/controlplane"</span></span><br><span class="line">  <span class="attribute">operator</span>: <span class="string">"Equal"</span></span><br><span class="line">  <span class="attribute">value</span>: <span class="string">"true"</span></span><br><span class="line">  <span class="attribute">effect</span>: <span 
class="string">"NoSchedule"</span></span><br></pre></td></tr></table></figure></p><figure class="hljs highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">tolerations</span>:</span><br><span class="line">- <span class="attribute">key</span>: <span class="string">"role.kubernetes.io/controlplane"</span></span><br><span class="line">  <span class="attribute">operator</span>: <span class="string">"Exists"</span></span><br><span class="line">  <span class="attribute">effect</span>: <span class="string">"NoSchedule"</span></span><br></pre></td></tr></table></figure><p>A toleration counts as a match only when the pod's key and effect both match the key and effect of a taint, and one of the following holds:<br>operator is Exists (in which case value should not be specified)<br>operator is Equal and the values are the same<br>If operator is not specified, it defaults to Equal<br><figure class="hljs highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">tolerations</span>:</span><br><span class="line">- <span class="attribute">operator</span>: <span class="string">"Exists"</span></span><br><span class="line"></span><br><span class="line"><span class="attribute">tolerations</span>:</span><br><span class="line">- <span class="attribute">key</span>: <span class="string">"role.kubernetes.io/controlplane"</span></span><br><span class="line">  <span class="attribute">operator</span>: <span class="string">"Exists"</span></span><br></pre></td></tr></table></figure></p><p>The above matches all tainted nodes whose taint key is role.kubernetes.io/controlplane<br>You can add multiple taints to one node and multiple tolerations to one pod. Kubernetes processes multiple taints and tolerations like a filter: start with all of the taints, ignore the ones the pod matches, and the remaining taints that cannot be ignored determine the node's effect on the pod. In particular:<br>1 
If there is at least one un-ignored taint with effect NoSchedule, Kubernetes will not schedule the pod onto this node.<br>2 If there is no un-ignored taint with effect NoSchedule but there is at least one with effect PreferNoSchedule, Kubernetes will try not to schedule the pod onto this node<br>3 If there is at least one taint with effect NoExecute, the pod is evicted from this node (provided, of course, that it is running there), and if the pod is not on this node it will not be scheduled onto it either<br>Suppose you have a node tainted as follows<br><figure class="hljs highlight ceylon"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">kubectl taint nodes node<span class="number">1</span> key<span class="number">1</span>=<span class="keyword">value</span><span class="number">1</span>:NoSchedule</span><br><span class="line">kubectl taint nodes node<span class="number">1</span> key<span class="number">1</span>=<span class="keyword">value</span><span class="number">1</span>:NoExecute</span><br><span class="line">kubectl taint nodes node<span class="number">1</span> key<span class="number">2</span>=<span class="keyword">value</span><span class="number">2</span>:NoSchedule</span><br></pre></td></tr></table></figure></p><p>and a pod of the following kind<br><figure class="hljs highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">tolerations</span>:</span><br><span class="line">- <span class="attribute">key</span>: <span class="string">"key1"</span></span><br><span class="line">  <span class="attribute">operator</span>: <span class="string">"Equal"</span></span><br><span class="line">  <span class="attribute">value</span>: <span class="string">"value1"</span></span><br><span class="line">  <span class="attribute">effect</span>: <span class="string">"NoSchedule"</span></span><br><span class="line">- <span 
class="attribute">key</span>: <span class="string">"key1"</span></span><br><span class="line">  <span class="attribute">operator</span>: <span class="string">"Equal"</span></span><br><span class="line">  <span class="attribute">value</span>: <span class="string">"value1"</span></span><br><span class="line">  <span class="attribute">effect</span>: <span class="string">"NoExecute"</span></span><br></pre></td></tr></table></figure></p><p>In this case the pod will not be scheduled onto node1, because no toleration matches the third taint. If it is already running on the node, however, it can keep running there, because the third taint is the only one it does not match (and the third taint's effect is NoSchedule, which only says not to schedule onto this node).</p><h1 id="tolerationSeconds"><a href="#tolerationSeconds" class="headerlink" title="tolerationSeconds"></a>tolerationSeconds</h1><p>Normally, once a taint with effect NoExecute is added to a node, every pod that does not tolerate the taint is evicted immediately, and pods that tolerate it are never evicted. With the NoExecute effect, however, a tolerationSeconds field can be specified to indicate that after a NoExecute taint is added to the node the pod may remain on the node for the specified time, which allows a graceful eviction<br><figure class="hljs highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">tolerations</span>:</span><br><span class="line">- <span class="attribute">key</span>: <span class="string">"key1"</span></span><br><span class="line">  <span class="attribute">operator</span>: <span class="string">"Equal"</span></span><br><span class="line">  <span class="attribute">value</span>: <span class="string">"value1"</span></span><br><span class="line">  <span class="attribute">effect</span>: <span class="string">"NoExecute"</span></span><br><span class="line">  <span class="attribute">tolerationSeconds</span>: <span class="number">3600</span></span><br></pre></td></tr></table></figure></p><p>If the taint is removed within this period, the pod is not evicted</p>]]></content>
<summary type="html">
<p><a href="https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/" target="_blank" rel="external">参考</a></p>
<p>Taint 和 to
</summary>
<category term="kubernetes" scheme="http://www.idcsec.com/categories/kubernetes/"/>
<category term="taint" scheme="http://www.idcsec.com/tags/taint/"/>
<category term="toleration" scheme="http://www.idcsec.com/tags/toleration/"/>
</entry>
<entry>
<title>Getting the real client IP in backend pod containers behind ingress-nginx</title>
<link href="http://www.idcsec.com/2019/06/21/ingress-nginx%E5%90%8E%E7%AB%AFpod%E5%AE%B9%E5%99%A8%E8%8E%B7%E5%8F%96%E5%AE%A2%E6%9C%8D%E7%AB%AF%E7%9C%9F%E5%AE%9Eip/"/>
<id>http://www.idcsec.com/2019/06/21/ingress-nginx后端pod容器获取客服端真实ip/</id>
<published>2019-06-21T04:50:27.000Z</published>
<updated>2019-06-21T05:50:29.807Z</updated>
<content type="html"><![CDATA[<p>Business scenario:<br>cdn-LB-ingress-nginx<br>Create the ConfigMap file for ingress-nginx<br><figure class="hljs highlight groovy"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">kubectl apply -f - <<EOF</span><br><span class="line"><span class="string">apiVersion:</span> v1</span><br><span class="line"><span class="string">data:</span></span><br><span class="line">  compute-full-forwarded-<span class="string">for:</span> <span class="string">"true"</span></span><br><span class="line">  forwarded-<span class="keyword">for</span>-<span class="string">header:</span> X-Forwarded-For</span><br><span class="line">  use-forwarded-<span class="string">headers:</span> <span class="string">"true"</span></span><br><span class="line"><span class="string">kind:</span> ConfigMap</span><br><span class="line"><span class="string">metadata:</span></span><br><span class="line"><span class="label">  labels:</span></span><br><span class="line"><span class="label">    app:</span> ingress-nginx</span><br><span class="line"><span class="label">  name:</span> nginx-configuration</span><br><span class="line"><span class="label">  namespace:</span> ingress-nginx</span><br><span class="line">EOF</span><br></pre></td></tr></table></figure></p><p>Main parameters: <a href="https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers" target="_blank" rel="external">https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers</a><br><figure class="hljs highlight groovy"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">compute-full-forwarded-<span class="string">for:</span> <span class="string">"true"</span></span><br><span class="line">forwarded-<span class="keyword">for</span>-<span class="string">header:</span> X-Forwarded-For</span><br><span class="line">use-forwarded-<span class="string">headers:</span> <span class="string">"true"</span></span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<p>Business scenario:<br>cdn-LB-ingress-nginx<br>Create the ConfigMap file for ingress-nginx<br><figure class="hljs highlight groovy"><table><tr><td class="gutter"><pre><
</summary>
</entry>
<entry>
<title>Configuring the Docker overlay2 storage driver</title>
<link href="http://www.idcsec.com/2019/05/19/%E5%85%B3%E4%BA%8Edocker-overlay2%E5%AD%98%E5%82%A8%E9%A9%B1%E5%8A%A8%E9%85%8D%E7%BD%AE/"/>
<id>http://www.idcsec.com/2019/05/19/关于docker-overlay2存储驱动配置/</id>
<published>2019-05-19T04:43:00.000Z</published>
<updated>2019-05-19T04:53:09.254Z</updated>
<content type="html"><![CDATA[<h1 id="u4E3A_u5565_u8981_u7528overlay2"><a href="#u4E3A_u5565_u8981_u7528overlay2" class="headerlink" title="为啥要用overlay2"></a>Why use overlay2</h1><p>On CentOS (kernel 3.10) Docker's default storage driver is devicemapper in loop-lvm mode, which emulates a block device with a file and is not recommended for production<br>direct-lvm does not work out of the box either, and I can't be bothered to configure it<br>Most importantly, devicemapper does not work for docker-in-docker; the typical case is Drone, where building Docker images does not work properly<br>With the overlay storage driver, too many layers lead to too many file links, which can exhaust inodes<br>So overlay2 is currently the better choice</p><p>Kernel<br>You need a recent kernel, 4.9 or later recommended; we use 4.14. On an older kernel, some images built FROM other base images may not run, for example running a FROM ubuntu image with overlay2 on a CentOS system (this does not always reproduce)</p><p>We provide a free kernel rpm package here; it has run in our production environment for nearly a year without any problems</p><p>Monitoring<br>Without some extra setup, cAdvisor cannot see how much disk a container actually uses under overlay2; monitoring only works once xfs and quotas are configured<br>kubernetes<br>By default the kubelet pulls one image at a time; setting this to false lets it pull several images at once,<br>provided the storage driver is overlay2; Docker's download concurrency needs to be raised accordingly<br>serialize-image-pulls: 'false'</p><p>Use the xfs file system<br>Without xfs there is no way to cap each container at 10G, so a mistake in one container could fill the machine's entire disk</p><p>We used LVM to carve out a volume for the xfs file system; of course you can do without LVM<br><figure class="hljs highlight crystal"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> which lvs &><span class="regexp">/dev/null</span>; <span class="keyword">then</span></span><br><span class="line"> echo <span class="string">""</span>; echo -e <span class="string">"Remove last docker lv and mount ......"</span></span><br><span class="line"> lvremove k8s/docker -y</span><br><span class="line"> lvcreate -y -n docker k8s -<span class="constant">L</span> <span class="number">100</span>G</span><br><span class="line"> mkfs.xfs -n ftype=<span class="number">1</span> -f /dev/mapper/k8s-docker</span><br><span class="line"> mkdir -p /var/<span class="class"><span class="keyword">lib</span>/<span 
class="title">docker</span></span></span><br><span class="line"> mount -o pquota,uqnoenforce /dev/mapper/k8s-docker /var/<span class="class"><span class="keyword">lib</span>/<span class="title">docker</span></span></span><br><span class="line"> echo -e <span class="string">"/dev/mapper/k8s-docker /var/lib/docker xfs defaults,pquota 0 0"</span> >> <span class="regexp">/etc/fstab</span></span><br><span class="line">fi</span><br></pre></td></tr></table></figure></p><h1 id="u914D_u7F6E_u4F7F_u7528overlay2"><a href="#u914D_u7F6E_u4F7F_u7528overlay2" class="headerlink" title="配置使用overlay2"></a>Configuring overlay2</h1><figure class="hljs highlight prolog"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"># <span class="atom">cat</span> /<span class="atom">etc</span>/<span class="atom">docker</span>/<span class="atom">daemon</span>.<span class="atom">json</span></span><br><span class="line">{</span><br><span class="line"> <span class="string">"registry-mirrors"</span>: [<span class="string">"https://registry.docker-cn.com"</span>],</span><br><span class="line"> <span class="string">"insecure-registries"</span>:[<span class="string">"192.168.1.0/24"</span>],</span><br><span class="line"> <span class="string">"storage-opts"</span>: [</span><br><span class="line"> <span class="string">"overlay2.override_kernel_check=true"</span>,</span><br><span class="line"> <span class="string">"overlay2.size=10G"</span></span><br><span class="line"> 
],</span><br><span class="line"> <span class="string">"log-driver"</span>: <span class="string">"json-file"</span>,</span><br><span class="line"> <span class="string">"log-opts"</span>: {</span><br><span class="line"> <span class="string">"max-size"</span>: <span class="string">"10m"</span>,</span><br><span class="line"> <span class="string">"max-file"</span>: <span class="string">"3"</span></span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="atom">systemctl</span> <span class="atom">daemon</span>-<span class="atom">reload</span> </span><br><span class="line"><span class="atom">systemctl</span> <span class="atom">restart</span> <span class="atom">docker</span></span><br></pre></td></tr></table></figure><p>This limits each container's disk size to 10G</p>]]></content>
<summary type="html">
<h1 id="u4E3A_u5565_u8981_u7528overlay2"><a href="#u4E3A_u5565_u8981_u7528overlay2" class="headerlink" title="为啥要用overlay2"></a>Why use overlay2
</summary>
<category term="kubernetes" scheme="http://www.idcsec.com/categories/kubernetes/"/>
<category term="docker " scheme="http://www.idcsec.com/tags/docker/"/>
<category term="overlay2" scheme="http://www.idcsec.com/tags/overlay2/"/>
</entry>
<entry>
<title>Notes on common Nginx configuration</title>
<link href="http://www.idcsec.com/2019/04/11/Nginx%E5%B8%B8%E7%94%A8%E9%85%8D%E7%BD%AE%E7%AC%94%E8%AE%B0/"/>
<id>http://www.idcsec.com/2019/04/11/Nginx常用配置笔记/</id>
<published>2019-04-11T13:52:00.000Z</published>
<updated>2019-04-11T15:14:53.590Z</updated>
<content type="html"><![CDATA[<p>location matching rules and priority</p><ol><li>= matches the request exactly. If found, the search stops.</li><li>^~ matches a path prefix. If found, the search stops.</li><li>~ is a case-sensitive regular-expression match</li><li>~* is a case-insensitive match<br>Priority: =, ^~, ~/~*, none</li></ol><p>Blocking access through unbound domain names in Nginx<br>nginx uses the host configuration to decide which server handles a request. If nothing matches, the request is passed to the default_server block. For example, with the following configuration:<br><figure class="hljs highlight nginx"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="title">server</span> {</span><br><span class="line"><span class="title">listen</span> <span class="number">80</span> default_server;</span><br><span class="line"><span class="title">server_name</span> nginx.net;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>every request whose HOST does not match is handled by this server.<br>With the following configuration, every request that does not match a server_name returns 403<br><figure class="hljs highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">server{</span><br><span class="line">listen <span class="number">80</span> <span class="keyword">default</span>;</span><br><span class="line">server_name _ ;</span><br><span class="line"><span class="keyword">return</span> <span class="number">403</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>Here _ stands for an invalid domain name; it can equally be written as something else, such as "-" or "@".</p><h1 id="Nginx_rewrite_u914D_u7F6E"><a href="#Nginx_rewrite_u914D_u7F6E" class="headerlink" title="Nginx rewrite配置"></a>Nginx 
rewrite configuration</h1><p>1) last<br>Re-runs the rewritten address through the server block<br>2) break<br>Runs the rewritten address within the current location block<br>3) redirect<br>Returns a 302 temporary redirect; the browser address bar shows the URL after the redirect.<br>4) permanent<br>Returns a 301 permanent redirect; the browser address bar shows the URL after the redirect.<br>With last and break the address in the browser does not change. Note the difference between last and break:<br>The alias directive must be used with the last flag; the proxy_pass directive needs the break flag. After the current rewrite rule has run, the last flag issues a new request to the enclosing server{……} block, whereas the break flag stops matching once the current rule has matched.</p><p>To forward requests whose URL starts with /wap/ to the corresponding backend server, you can set a variable in Nginx to temporarily hold the path information after /wap/</p><figure class="hljs highlight xquery"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">location ^~ /wap/</span><br><span class="line">{</span><br><span class="line">if (<span class="variable">$request</span>_uri ~ /wap/(\d+)/(.+))</span><br><span class="line">{</span><br><span class="line">set <span class="variable">$bucketid</span> <span class="variable">$1</span>;</span><br><span class="line">set <span class="variable">$params</span> <span class="variable">$2</span>;</span><br><span class="line">}</span><br><span class="line">proxy_pass http://mx<span class="variable">$bucketid</span>.test.com:<span class="number">6601</span>/<span class="variable">$params</span>;</span><br><span class="line">}</span><br><span class="line"># Alternatively, rewrite first and then proxy:</span><br><span class="line">location ^~ /wap/{</span><br><span class="line">rewrite /wap/(\d+)/(.+) /<span class="variable">$2</span>?<span 
class="variable">$args</span> break;</span><br><span class="line">proxy_pass http://mx<span class="variable">$1</span>.test.com:<span class="number">6601</span>;</span><br><span class="line">}</span><br><span class="line">或者</span><br><span class="line">location ~* /wap/(\d+)/(.+)</span><br><span class="line">{</span><br><span class="line">proxy_pass http://mx<span class="variable">$1</span>.test.com:<span class="number">6601</span>/<span class="variable">$2</span>?<span class="variable">$args</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>注意上面最后的?$args,表明把原始url最后的get参数也给代理到后台<br>如果在proxy_pass中使用了变量(不管是主机名变量$1或后面的$2变量),则必须得加这段代码<br>但如果proxy_pass没用任何变量,则不需要加,它默认会把所有的url都给代理到后台,如:<br><figure class="hljs highlight groovy"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line">location ~* <span class="regexp">/wap/</span>(\d+)/(.+)</span><br><span class="line">{</span><br><span class="line">proxy_pass <span class="string">http:</span><span class="comment">//mx.test.com:6601;</span></span><br><span class="line">}</span><br><span 
class="line">另外还需要注意url的/问题</span><br><span class="line">下面四种情况分别用<span class="string">http:</span><span class="comment">//192.168.1.4/proxy/test.html 进行访问。</span></span><br><span class="line">第一种:</span><br><span class="line">location <span class="regexp">/proxy/</span> {</span><br><span class="line">proxy_pass <span class="string">http:</span><span class="comment">//127.0.0.1:81/;</span></span><br><span class="line">}</span><br><span class="line">会被代理到<span class="string">http:</span><span class="comment">//127.0.0.1:81/test.html 这个url</span></span><br><span class="line">第二种(相对于第一种,最后少一个 /)</span><br><span class="line">location <span class="regexp">/proxy/</span> {</span><br><span class="line">proxy_pass <span class="string">http:</span><span class="comment">//127.0.0.1:81;</span></span><br><span class="line">}</span><br><span class="line">会被代理到<span class="string">http:</span><span class="comment">//127.0.0.1:81/proxy/test.html 这个url</span></span><br><span class="line">第三种:</span><br><span class="line">location <span class="regexp">/proxy/</span> {</span><br><span class="line">proxy_pass <span class="string">http:</span><span class="comment">//127.0.0.1:81/ftlynx/;</span></span><br><span class="line">}</span><br><span class="line">会被代理到<span class="string">http:</span><span class="comment">//127.0.0.1:81/ftlynx/test.html 这个url。</span></span><br><span class="line">第四种情况(相对于第三种,最后少一个 / ):</span><br><span class="line">location <span class="regexp">/proxy/</span> {</span><br><span class="line">proxy_pass <span class="string">http:</span><span class="comment">//127.0.0.1:81/ftlynx;</span></span><br><span class="line">}</span><br><span class="line">会被代理到<span class="string">http:</span><span class="comment">//127.0.0.1:81/ftlynxtest.html 这个url</span></span><br><span class="line">也就是说如果proxy_pass只是后端服务器的IP,最后没有/的话,就会将全uri带过去。</span><br><span class="line">而如果proxy_pass带了/的话,只是带最后访问的文件。</span><br></pre></td></tr></table></figure></p><h1 
id="root_u4E0Ealias_u533A_u522B"><a href="#root_u4E0Ealias_u533A_u522B" class="headerlink" title="root与alias区别"></a>root与alias区别</h1><p>一句话概括,root对应的目录会加上location部分去找文件,而alias则不会<br>Nginx 配置文件 server 中指定两个 location 执行,分别为root 和 alias 指令:<br>alisa:<br><figure class="hljs highlight crmsh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">location</span> <span class="title">/static</span>/ {</span><br><span class="line"> alias /www/test/;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>按照上述配置,则访问 /static/ 目录里面的文件时,nginx 会去 /www/test/ 目录找文件<br>请求 <a href="http://idcsec.com/static/a.gif" target="_blank" rel="external">http://idcsec.com/static/a.gif</a> 时,在服务器查找的资源路径是:/www/test/a.gif</p><p>root:<br><figure class="hljs highlight crmsh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">location</span> <span class="title">/static</span>/ {</span><br><span class="line"> root /www/test;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>按照这种配置,则访问 /static/ 目录下的文件时,nginx 会去 /www/test/static/ 目录下找文件<br>请求 <a href="http://idcsec.com/static/a.gif" target="_blank" rel="external">http://idcsec.com/static/a.gif</a> 这个地址时,那么在服务器里面对应的真正的资源是 /www/test/static/a.gif文件,真实的路径是root指定的值加上location指定的值</p><ul><li>alias 是一个目录别名的定义,root 则是最上层目录的定义。</li><li>另一个区别是 alias 后面必须要用 “/” 结束,否则会找不到文件,而 root 则对 ”/” 可有可无。</li><li>误区:认为 root 是指 /www/test目录下,而应该是 /www/test/static 目录 。</li></ul><p>Nginx静动分离<br><figure class="hljs highlight gherkin"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span 
class="line">6</span><br></pre></td><td class="code"><pre><span class="line">location ~ .<span class="keyword">*</span>\.(html|<span class="string">htm</span>|<span class="string">gif</span>|<span class="string">jpg</span>|<span class="string">jpeg</span>|<span class="string">bmp</span>|<span class="string">png</span>|<span class="string">ico</span>|<span class="string">txt</span>|<span class="string">js</span>|<span class="string">css)$ </span><br><span class="line"> { </span><br><span class="line"> root /usr/local/nginx/html/website/static/;</span><br><span class="line"> #expires定义用户浏览器缓存的时间为7天,如果静态页面不常更新,可以设置更长,这样可以节省带宽和缓解服务器的压力</span><br><span class="line"> expires 1d;</span><br><span class="line"> }</span></span><br></pre></td></tr></table></figure></p><p>Nginx日志 切割<br><figure class="hljs highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#nginx日志切割脚本</span></span><br><span class="line"><span class="shebang">#!/bin/bash</span></span><br><span class="line">logs_path=<span class="string">"/usr/local/nginx/logs/"</span></span><br><span class="line">pid_path=<span class="string">"/usr/local/nginx/logs/nginx.pid"</span></span><br><span class="line">mv <span class="variable">${logs_path}</span>access.log <span class="variable">${logs_path}</span>access_$(date <span class="operator">-d</span> <span class="string">"yesterday"</span> +<span class="string">"%Y%m%d"</span>).log</span><br><span class="line"><span class="built_in">kill</span> -USR1 `cat <span class="variable">${pid_path}</span>`</span><br><span class="line">crontab <span class="operator">-e</span></span><br><span class="line"></span><br><span 
class="line"><span class="number">0</span> <span class="number">0</span> * * * bash /usr/<span class="built_in">local</span>/nginx/nginx_log.sh</span><br></pre></td></tr></table></figure></p><p>Nginx 443强制跳转<br><figure class="hljs highlight nginx"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="title">server</span> {</span><br><span class="line"> <span class="title">listen</span> <span class="number">443</span>;</span><br><span class="line"> <span class="title">server_name</span> idcsec.com.com;</span><br><span class="line"> <span class="title">ssl</span> <span class="built_in">on</span>;</span><br><span class="line"> <span class="title">ssl_certificate</span> /etc/nginx/ssl/idcsec.com.crt;</span><br><span class="line"> <span class="title">ssl_certificate_key</span> /etc/nginx/ssl/idcsec.com.com.key;</span><br><span class="line"> <span class="title">ssl_session_cache</span> shared:SSL:<span class="number">10m</span>;</span><br><span class="line"> <span class="title">ssl_session_timeout</span> <span 
class="number">5m</span>;</span><br><span class="line"> <span class="title">ssl_protocols</span> TLSv1 TLSv1.<span class="number">1</span> TLSv1.<span class="number">2</span>;</span><br><span class="line"> <span class="title">ssl_ciphers</span> HIGH:!aNULL:!MD5;</span><br><span class="line"> <span class="title">ssl_prefer_server_ciphers</span> <span class="built_in">on</span>;</span><br><span class="line"> <span class="title">location</span> / {</span><br><span class="line"> <span class="title">proxy_pass</span> <span class="url">http://test_domain</span>;</span><br><span class="line"> <span class="title">proxy_next_upstream</span> <span class="built_in">error</span> timeout invalid_header http_500 http_502 http_503;</span><br><span class="line"> <span class="title">proxy_set_header</span> Host <span class="variable">$host</span>;</span><br><span class="line"> <span class="title">proxy_set_header</span> X-Real-IP <span class="variable">$remote_addr</span>;</span><br><span class="line"> <span class="title">proxy_set_header</span> X-Forwarded-For <span class="variable">$proxy_add_x_forwarded_for</span>;</span><br><span class="line"> <span class="title">proxy_set_header</span> X-Forwarded-Proto https;</span><br><span class="line"> <span class="title">proxy_redirect</span> <span class="built_in">off</span>;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="title">server</span> {</span><br><span class="line"><span class="title">listen</span> <span class="number">80</span>;</span><br><span class="line"><span class="title">server_name</span> idcsec.com.com;</span><br><span class="line"><span class="title">location</span> / {</span><br><span class="line"><span class="title">return</span> <span class="number">301</span> <span class="url">https://<span class="variable">$server_name</span><span class="variable">$request_uri</span></span>;</span><br><span class="line">}</span><br><span 
class="line">}</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
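<p>location matching rules and priority</p>
<ol>
<li>= matches the request exactly. If it matches, the search stops.</li>
<li>^~ matches a path prefix. If it matches, the search stops.</li>
<li>~ is a case-sensitive regex match</li>
<li>~* is a case-insensitive regex match<br>Priority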
</summary>
<category term="Nginx" scheme="http://www.idcsec.com/tags/Nginx/"/>
</entry>
<entry>
<title>fastDFS single-node setup</title>
<link href="http://www.idcsec.com/2019/04/08/fastDFS%E5%8D%95%E8%8A%82%E7%82%B9%E6%90%AD%E5%BB%BA/"/>
<id>http://www.idcsec.com/2019/04/08/fastDFS单节点搭建/</id>
<published>2019-04-08T11:49:00.000Z</published>
<updated>2019-04-08T13:35:00.760Z</updated>
<content type="html"><![CDATA[<p><a href="http://www.idcsec.com/2018/03/23/fastDFS-Nginx%E5%88%86%E5%B8%83%E5%BC%8F%E5%9B%BE%E7%89%87%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%90%AD%E5%BB%BA/">For a cluster environment, see the earlier document</a></p>
<h1 id="u5355_u673A_u7248_u642D_u5EFA"><a href="#u5355_u673A_u7248_u642D_u5EFA" class="headerlink" title="Single-node setup"></a>Single-node setup</h1>
<p>Install the dependencies</p>
<figure class="hljs highlight sql"><table><tr><td class="code"><pre><span class="line"># yum install git gcc gcc-c++ make automake autoconf libtool pcre pcre-devel zlib zlib-devel openssl-devel -y</span><br></pre></td></tr></table></figure>
<p>Create the data directories<br><figure class="hljs highlight vala"><table><tr><td class="code"><pre><span class="line"># mkdir -p /data/fastdfs/{tracker,storage}</span><br></pre></td></tr></table></figure></p>
<h1 id="u4E0B_u8F7D_u5B89_u88C5_u5305"><a href="#u4E0B_u8F7D_u5B89_u88C5_u5305" class="headerlink" title="Download the packages"></a>Download the packages</h1>
<h2 id="u5B89_u88C5libfatscommon"><a href="#u5B89_u88C5libfatscommon" class="headerlink" title="Install libfastcommon"></a>Install libfastcommon</h2>
<figure class="hljs highlight vim"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/happyfish100/libfastcommon.git --depth 1</span><br><span class="line">cd libfastcommon/</span><br><span class="line">./make.sh && ./make.sh install</span><br><span class="line">cd ..</span><br></pre></td></tr></table></figure>
<h2 id="u5B89_u88C5FastDFS"><a href="#u5B89_u88C5FastDFS" class="headerlink" title="Install FastDFS"></a>Install FastDFS</h2>
<figure class="hljs highlight vim"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/happyfish100/fastdfs.git --depth 1</span><br><span class="line">cd fastdfs/</span><br><span class="line">./make.sh && ./make.sh install</span><br></pre></td></tr></table></figure>
<p>Generate the configuration files<br><figure class="hljs highlight stylus"><table><tr><td class="code"><pre><span class="line">cp /etc/fdfs/tracker.conf.sample /etc/fdfs/tracker.conf #tracker service configuration file</span><br><span class="line">cp /etc/fdfs/storage.conf.sample /etc/fdfs/storage.conf #storage service configuration file</span><br><span class="line">cp /etc/fdfs/client.conf.sample /etc/fdfs/client.conf #client file, used for testing</span><br><span class="line">cp conf/http.conf /etc/fdfs/ #used for access through nginx</span><br><span class="line">cp conf/mime.types /etc/fdfs/ #used for access through nginx</span><br></pre></td></tr></table></figure></p>
<p>Install fastdfs-nginx-module; this module has to be added when nginx is compiled<br><figure class="hljs highlight crystal"><table><tr><td class="code"><pre><span class="line">cd /root # the nginx build below expects the module under /root</span><br><span class="line">git clone https://github.com/happyfish100/fastdfs-nginx-module.git --depth 1</span><br><span class="line">cp fastdfs-nginx-module/src/mod_fastdfs.conf /etc/fdfs/</span><br></pre></td></tr></table></figure></p>
<h1 id="u5B89_u88C5nginx"><a href="#u5B89_u88C5nginx" class="headerlink" title="Install nginx"></a>Install nginx</h1>
<figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line">wget http://nginx.org/download/nginx-1.14.0.tar.gz</span><br><span class="line">tar -zxvf nginx-1.14.0.tar.gz</span><br><span class="line">cd nginx-1.14.0</span><br><span class="line">./configure --add-module=/root/fastdfs-nginx-module/src/</span><br><span class="line">make && make install</span><br></pre></td></tr></table></figure>
<h1 id="tracker_u914D_u7F6E"><a href="#tracker_u914D_u7F6E" class="headerlink" title="tracker configuration"></a>tracker configuration</h1>
<figure class="hljs highlight applescript"><table><tr><td class="code"><pre><span class="line">vim /etc/fdfs/tracker.conf</span><br><span class="line">#Settings to change</span><br><span class="line">port=22122 # tracker server port (default 22122, usually left unchanged)</span><br><span class="line">base_path=/data/fastdfs/tracker # root directory for logs and data</span><br><span class="line">#Save, then start</span><br><span class="line">/etc/init.d/fdfs_trackerd start #start the tracker service</span><br><span class="line">chkconfig fdfs_trackerd on #start the tracker service at boot</span><br></pre></td></tr></table></figure>
<h1 id="storage_u914D_u7F6E"><a href="#storage_u914D_u7F6E" class="headerlink" title="storage configuration"></a>storage configuration</h1>
<figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line">vim /etc/fdfs/storage.conf</span><br><span class="line">#Settings to change</span><br><span class="line">port=23000 # storage service port (default 23000, usually left unchanged)</span><br><span class="line">base_path=/data/fastdfs/storage # root directory for data and log files</span><br><span class="line">store_path0=/data/fastdfs/storage/ # first storage directory</span><br><span class="line">tracker_server=192.168.1.38:22122 # tracker server IP and port</span><br><span class="line">http.server_port=8888 # port for HTTP access to files (default 8888; change as needed and keep it the same as in nginx). The current version does not actually need it</span><br><span class="line">#Save, then start</span><br><span class="line">/etc/init.d/fdfs_storaged start #start the storage service</span><br><span class="line">chkconfig fdfs_storaged on</span><br></pre></td></tr></table></figure>
<p>Check the fdfs status<br>fdfs_monitor /etc/fdfs/storage.conf</p>
<h1 id="u914D_u7F6Enginx_u8BBF_u95EE"><a href="#u914D_u7F6Enginx_u8BBF_u95EE" class="headerlink" title="Configure nginx access"></a>Configure nginx access</h1>
<p>vim /etc/fdfs/mod_fastdfs.conf<br><figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line">#Settings to change</span><br><span class="line">tracker_server=192.168.1.38:22122</span><br><span class="line">url_have_group_name=true</span><br><span class="line">store_path0=/data/fastdfs/storage</span><br></pre></td></tr></table></figure></p>
<figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line">vi /usr/local/nginx/conf/nginx.conf</span><br><span class="line">#Add the following configuration</span><br><span class="line">server {</span><br><span class="line">    listen 8888; ## this port is the same as http.server_port in storage.conf, which is not really necessary</span><br><span class="line">    server_name localhost;</span><br><span class="line">    location ~/group[0-9]/ {</span><br><span class="line">        ngx_fastdfs_module;</span><br><span class="line">    }</span><br><span class="line">    error_page 500 502 503 504 /50x.html;</span><br><span class="line">    location = /50x.html {</span><br><span class="line">        root html;</span><br><span class="line">    }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>vim /etc/fdfs/client.conf</p>
<h1 id="u4FEE_u6539_u7684_u5185_u5BB9_u5982_u4E0B"><a href="#u4FEE_u6539_u7684_u5185_u5BB9_u5982_u4E0B" class="headerlink" title="Settings to change"></a>Settings to change</h1>
<figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line">base_path=/data/fastdfs/tracker</span><br><span class="line">tracker_server=192.168.1.38:22122 #tracker IP address</span><br></pre></td></tr></table></figure>
<figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line">[root@ecs-1d0e ~]# fdfs_upload_file /etc/fdfs/client.conf /root/1.txt </span><br><span class="line">group1/M00/00/00/wKgBJlyrRtWAR5dVAAAAB4upymk232.txt</span><br><span class="line">[root@ecs-1d0e ~]# curl http://192.168.1.38:8888/group1/M00/00/00/wKgBJlyrRtWAR5dVAAAAB4upymk232.txt</span><br><span class="line">111111</span><br></pre></td></tr></table></figure>
<h1 id="FastDFS__u9632_u76D7_u94FE_u5F00_u542F"><a href="#FastDFS__u9632_u76D7_u94FE_u5F00_u542F" class="headerlink" title="Enabling FastDFS anti-hotlinking"></a>Enabling FastDFS anti-hotlinking</h1>
<p>This setup is not secure, however: anyone who knows the IP and the file path can download the file they want. Token-based anti-hotlinking is therefore used.<br> cp /root/fastdfs/conf/anti-steal.jpg /etc/fdfs/<br>vim /etc/fdfs/http.conf<br><figure class="hljs highlight stylus"><table><tr><td class="code"><pre><span class="line">#Enable token checking</span><br><span class="line">http.anti_steal.check_token=true</span><br><span class="line">#Warning image shown when the check fails</span><br><span class="line">http.anti_steal.token_check_fail=/etc/fdfs/anti-steal.jpg</span><br><span class="line">#Restart nginx</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<p><a href="http://www.idcsec.com/2018/03/23/fastDFS-Nginx%E5%88%86%E5%B8%83%E5%BC%8F%E5%9B%BE%E7%89%87%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%90%AD%
</summary>
</entry>
<entry>
<title>Istio configuration: configuring an ingress-traffic Gateway to expose a service for external access</title>
<link href="http://www.idcsec.com/2019/03/03/Istio%E9%85%8D%E7%BD%AE%E4%B9%8B%E9%85%8D%E7%BD%AEingress%E6%B5%81%E9%87%8FGateway%E6%9A%B4%E9%9C%B2%E6%9C%8D%E5%8A%A1%E6%8F%90%E4%BE%9B%E5%A4%96%E9%83%A8%E8%AE%BF%E9%97%AE/"/>
<id>http://www.idcsec.com/2019/03/03/Istio配置之配置ingress流量Gateway暴露服务提供外部访问/</id>
<published>2019-03-03T10:10:00.000Z</published>
<updated>2019-03-03T10:15:23.054Z</updated>
<content type="html"><![CDATA[<p>Note: this task uses the new v1alpha3 traffic management API. The old API is deprecated. The Ingress Gateway component replaces the Kubernetes-compliant Ingress Controller and therefore gives greater control over inbound traffic.</p>
<p>1. Create the pod application. Make sure automatic injection is enabled for the namespace: the namespace the Pod runs in must carry the label istio-injection=enabled.<br>Otherwise the Sidecar has to be injected manually before deploying the tomcatapp application<br><figure class="hljs highlight bash"><table><tr><td class="code"><pre><span class="line">kubectl apply -f <(istioctl kube-inject -f tomcat-demo.yaml) # namespaceswei</span><br></pre></td></tr></table></figure></p>
<figure class="hljs highlight fortran"><table><tr><td class="code"><pre><span class="line">kubectl apply -f tomcat-demo.yaml</span><br><span class="line">[root@k8s-master ~]# cat tomcat-demo.yaml </span><br><span class="line">apiVersion: v1</span><br><span class="line">kind: Service</span><br><span class="line">metadata:</span><br><span class="line">  annotations:</span><br><span class="line">  labels:</span><br><span class="line">    app: tomcat-istio</span><br><span class="line">  name: tomcat-istio</span><br><span class="line">  namespace: default</span><br><span class="line">spec:</span><br><span class="line">  ports:</span><br><span class="line">  - name: 8080-8080</span><br><span class="line">    port: 8080</span><br><span class="line">    protocol: TCP</span><br><span class="line">    targetPort: 8080</span><br><span class="line">  selector:</span><br><span class="line">    app: tomcat-istio</span><br><span class="line">  type: NodePort</span><br><span class="line">status:</span><br><span class="line">  loadBalancer: {}</span><br><span class="line">---</span><br><span class="line">apiVersion: v1</span><br><span class="line">kind: Pod</span><br><span class="line">metadata:</span><br><span class="line">  name: tomcat-istio</span><br><span class="line">  annotations:</span><br><span class="line">  labels:</span><br><span class="line">    app: tomcat-istio</span><br><span class="line">spec:</span><br><span class="line">  containers:</span><br><span class="line">  - name: tomcat-istio</span><br><span class="line">    image: toamcat:demo</span><br><span class="line">    env:</span><br><span class="line">    - name: JAVA_OPTS</span><br><span class="line">      value: "-server -Xms4096M -Xmx4096M -Xss256K -Dmy.pod.name=$MY_POD_NAME -Djava.awt.headless=true -Dfile.encoding=utf-8 -XX:MaxPermSize=256M -XX:PermSize=128M"</span><br><span class="line">    - name: MY_POD_NAME</span><br><span class="line">      valueFrom:</span><br><span class="line">        fieldRef:</span><br><span class="line">          fieldPath: metadata.name</span><br></pre></td></tr></table></figure>
<p>Create the Gateway<br><figure class="hljs highlight livecodeserver"><table><tr><td class="code"><pre><span class="line">kubectl get svc -n istio-system -l istio=ingressgateway</span><br><span class="line">cat <<EOF | istioctl create -f -</span><br><span class="line">apiVersion: networking.istio.io/v1alpha3</span><br><span class="line">kind: Gateway</span><br><span class="line">metadata:</span><br><span class="line">  name: tomcatapp-gateway</span><br><span class="line">spec:</span><br><span class="line">  selector:</span><br><span class="line">    istio: ingressgateway # use Istio default gateway implementation</span><br><span class="line">  servers:</span><br><span class="line">  - port:</span><br><span class="line">      number: 80</span><br><span class="line">      name: http</span><br><span class="line">      protocol: HTTP</span><br><span class="line">    hosts:</span><br><span class="line">    - "tomcat.idcsec.com"</span><br><span class="line">EOF</span><br></pre></td></tr></table></figure></p>
<p>Create the VirtualService and bind it to the gateway</p>
<figure class="hljs highlight haml"><table><tr><td class="code"><pre><span class="line">cat <<EOF | istioctl create -f -</span><br><span class="line">apiVersion: networking.istio.io/v1alpha3</span><br><span class="line">kind: VirtualService</span><br><span class="line">metadata:</span><br><span class="line">  name: tomcat-istio</span><br><span class="line">spec:</span><br><span class="line">  hosts:</span><br><span class="line">  - "tomcat.idcsec.com"</span><br><span class="line">  gateways:</span><br><span class="line">  - tomcatapp-gateway</span><br><span class="line">  http:</span><br><span class="line">  - match:</span><br><span class="line">    - uri:</span><br><span class="line">        exact: /</span><br><span class="line">    - uri:</span><br><span class="line">        prefix: /</span><br><span class="line">    route:</span><br><span class="line">    - destination:</span><br><span class="line">        host: tomcat-istio</span><br><span class="line">        port:</span><br><span class="line">          number: 8080</span><br><span class="line">EOF</span><br></pre></td></tr></table></figure>
<p>You can now reach the domain in a browser (edit your hosts file yourself) or use curl.<br>That completes a simple example of using the Istio Gateway configuration resource to let external traffic into the Istio service mesh.</p>
<h1 id="u6E05_u7406"><a href="#u6E05_u7406" class="headerlink" title="Cleanup"></a>Cleanup</h1>
<p>Delete the Gateway and the VirtualService, and shut down the tomcat-demo service:<br><figure class="hljs highlight coffeescript"><table><tr><td class="code"><pre><span class="line">$ istioctl delete gateway tomcatapp-gateway</span><br><span class="line">$ istioctl delete virtualservice tomcat-istio</span><br><span class="line">$ kubectl delete --ignore-not-found=true -f tomcat-demo.yaml</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
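<p>Note: this task uses the new v1alpha3 traffic management API. The old API has been deprecated. The Ingress Gateway component replaces the Kubernetes-conformant Ingress Controller and therefore gives greater control over inbound traffic.</p>
<p>1. Create the pod application, making sure n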
</summary>
<category term="kubernetes" scheme="http://www.idcsec.com/categories/kubernetes/"/>
<category term="istio" scheme="http://www.idcsec.com/tags/istio/"/>
</entry>
<entry>
<title>Deploying the Istio service mesh on Kubernetes</title>
<link href="http://www.idcsec.com/2019/03/03/kubernetes%E9%83%A8%E7%BD%B2%E7%BD%91%E6%A0%BC%E6%9C%8D%E5%8A%A1Istio/"/>
<id>http://www.idcsec.com/2019/03/03/kubernetes部署网格服务Istio/</id>
<published>2019-03-03T09:58:00.000Z</published>
<updated>2019-03-03T10:07:25.334Z</updated>
<content type="html"><![CDATA[<h1 id="u5B89_u88C5Istio"><a href="#u5B89_u88C5Istio" class="headerlink" title="安装Istio"></a>Install Istio</h1><figure class="hljs highlight groovy"><table><tr><td class="code"><pre><span class="line">curl -L https://git.io/getLatestIstio | sh -</span></pre></td></tr></table></figure>
<p>You will find a folder named istio-1.0.6 in the directory where you ran the command above. Add istio-1.0.6/bin to your PATH variable so that the Istio binaries are easy to reach.<br>Change the Ingress Gateway service from type LoadBalancer to NodePort.<br>Istio provides many Custom Resource Definitions (CRDs) for Kubernetes. They let us manipulate virtual services, rules, gateways and other Istio-specific objects from kubectl. Let's install the CRDs before deploying the actual service mesh.<br><figure class="hljs highlight gradle"><table><tr><td class="code"><pre><span class="line">kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml</span></pre></td></tr></table></figure></p>
<p>List the installed CRDs:<br><figure class="hljs highlight actionscript"><table><tr><td class="code"><pre><span class="line">kubectl get CustomResourceDefinition</span></pre></td></tr></table></figure></p>
<p>Install the Istio core components in Kubernetes<br><figure class="hljs highlight bash"><table><tr><td class="code"><pre><span class="line">kubectl apply -f install/kubernetes/istio-demo.yaml</span></pre></td></tr></table></figure></p>
<figure class="hljs highlight armasm"><table><tr><td class="code"><pre><span class="line">kubectl get svc -n istio-system -l istio=ingressgateway</span></pre></td></tr></table></figure>
<p>* The EXTERNAL-IP is currently in the pending state. To make the gateway reachable from outside, edit the externalIPs of the istio-ingressgateway Service; here 192.168.19.223 is specified as the external IP. Alternatively, set it to NodePort and access it through the node's nodeip:PORT.<br><figure class="hljs highlight dns"><table><tr><td class="code"><pre><span class="line">[root@k8s-master istio-1.0.6]# kubectl get svc -n istio-system -l istio=ingressgateway</span><br><span class="line">NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)   AGE</span><br><span class="line">istio-ingressgateway   LoadBalancer   10.102.137.201   192.168.19.223   80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:31211/TCP,8060:31598/TCP,853:31745/TCP,15030:30600/TCP,15031:30012/TCP   2m21s</span></pre></td></tr></table></figure></p>
<p>Verify the installation<br><figure class="hljs highlight livecodeserver"><table><tr><td class="code"><pre><span class="line">kubectl get svc -n istio-system</span><br><span class="line">kubectl get pod -n istio-system</span></pre></td></tr></table></figure></p>
<p>Deploy the Bookinfo application with automatic sidecar injection<br>kubectl get pod -n istio-system | grep injector<br>istio-sidecar-injector can automatically inject the Envoy container into a Pod as a sidecar, provided the namespace the Pod lives in carries the label istio-injection=enabled.<br><figure class="hljs highlight gradle"><table><tr><td class="code"><pre><span class="line">kubectl label namespace default istio-injection=enabled</span><br><span class="line">kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml</span><br><span class="line">kubectl apply -f samples/bookinfo/platform/kube/bookinfo-ingress.yaml</span></pre></td></tr></table></figure></p>
<figure class="hljs highlight gradle"><table><tr><td class="code"><pre><span class="line">[root@k8s-master istio-1.0.6]# kubectl get pod,svc | grep -vE "tomcat|iperf"</span><br><span class="line">NAME                                  READY   STATUS    RESTARTS   AGE</span><br><span class="line">pod/details-v1-68c7c8666d-l9qsc       2/2     Running   2          18m</span><br><span class="line"></span><br><span class="line">pod/productpage-v1-54d799c966-8x6p8   2/2     Running   2          18m</span><br><span class="line">pod/ratings-v1-8558d4458d-jzx2t       2/2     Running   0          18m</span><br><span class="line">pod/reviews-v1-cb8655c75-ssnmm        2/2     Running   0          18m</span><br><span class="line">pod/reviews-v2-7fc9bb6dcf-7rq98       2/2     Running   0          18m</span><br><span class="line">pod/reviews-v3-c995979bc-qckj7        2/2     Running   0          18m</span><br><span class="line">NAME                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE</span><br><span class="line">service/details       ClusterIP   10.105.255.93   <none>        9080/TCP   18m</span><br><span class="line">service/kubernetes    ClusterIP   10.96.0.1       <none>        443/TCP    7d4h</span><br><span class="line">service/productpage   ClusterIP   10.96.39.50     <none>        9080/TCP   18m</span><br><span class="line">service/ratings       ClusterIP   10.98.120.231   <none>        9080/TCP   18m</span><br><span class="line">service/reviews       ClusterIP   10.98.253.153   <none>        9080/TCP   18m</span></pre></td></tr></table></figure>
<p>Expose the Bookinfo application through the Istio Ingress Gateway<br>Create the Gateway and VirtualService for bookinfo:<br><figure class="hljs highlight haml"><table><tr><td class="code"><pre><span class="line">[root@k8s-master istio-1.0.6]# cat samples/bookinfo/networking/bookinfo-gateway.yaml</span><br><span class="line">apiVersion: networking.istio.io/v1alpha3</span><br><span class="line">kind: Gateway</span><br><span class="line">metadata:</span><br><span class="line">  name: bookinfo-gateway</span><br><span class="line">spec:</span><br><span class="line">  selector:</span><br><span class="line">    istio: ingressgateway # use istio default controller</span><br><span class="line">  servers:</span><br><span class="line">  - port:</span><br><span class="line">      number: 80</span><br><span class="line">      name: http</span><br><span class="line">      protocol: HTTP</span><br><span class="line">    hosts:</span><br><span class="line">    - "*"</span><br><span class="line">---</span><br><span class="line">apiVersion: networking.istio.io/v1alpha3</span><br><span class="line">kind: VirtualService</span><br><span class="line">metadata:</span><br><span class="line">  name: bookinfo</span><br><span class="line">spec:</span><br><span class="line">  hosts:</span><br><span class="line">  - "*"</span><br><span class="line">  gateways:</span><br><span class="line">  - bookinfo-gateway # matches the gateway name above</span><br><span class="line">  http:</span><br><span class="line">  - match:</span><br><span class="line">    - uri:</span><br><span class="line">        exact: /productpage</span><br><span class="line">    - uri:</span><br><span class="line">        exact: /login</span><br><span class="line">    - uri:</span><br><span class="line">        exact: /logout</span><br><span class="line">    - uri:</span><br><span class="line">        prefix: /api/v1/products</span><br><span class="line">    route:</span><br><span class="line">    - destination:</span><br><span class="line">        host: productpage</span><br><span class="line">        port:</span><br><span class="line">          number: 9080</span><br><span class="line">kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml</span></pre></td></tr></table></figure></p>
<figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line">[root@k8s-master istio-1.0.6]# kubectl get gateway</span><br><span class="line">NAME               AGE</span><br><span class="line">bookinfo-gateway   1m</span></pre></td></tr></table></figure>
<p>Visit <a href="http://192.168.19.223/productpage" target="_blank" rel="external">http://192.168.19.223/productpage</a><br>Temporarily forward the grafana port<br><figure class="hljs highlight mel"><table><tr><td class="code"><pre><span class="line">kubectl -n istio-system port-forward --address 0.0.0.0 $(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0].metadata.name}') 3333:3000 &</span></pre></td></tr></table></figure></p>
<h1 id="u4F7F_u7528_Istio__u7F51_u5173_u914D_u7F6E_Ingress_u66B4_u9732grafana_u670D_u52A1"><a href="#u4F7F_u7528_Istio__u7F51_u5173_u914D_u7F6E_Ingress_u66B4_u9732grafana_u670D_u52A1" class="headerlink" title="使用 Istio 网关配置 Ingress暴露grafana服务"></a>Configuring Ingress with an Istio Gateway to expose the grafana service</h1><p>An Ingress Gateway describes a load balancer operating at the edge of the mesh that receives incoming HTTP/TCP connections. It configures the exposed ports, protocols and so on but, unlike Kubernetes Ingress Resources, it does not include any traffic routing configuration. Traffic routing for ingress traffic is configured with Istio routing rules, exactly as for internal service requests.</p>
<h2 id="u521B_u5EFA_u4E00_u4E2A_Istio_Gateway_uFF1A"><a href="#u521B_u5EFA_u4E00_u4E2A_Istio_Gateway_uFF1A" class="headerlink" title="创建一个 Istio Gateway:"></a>Create an Istio Gateway:</h2><figure class="hljs highlight livecodeserver"><table><tr><td class="code"><pre><span class="line">cat <<EOF | istioctl create -f -</span><br><span class="line">apiVersion: networking.istio.io/v1alpha3</span><br><span class="line">kind: Gateway</span><br><span class="line">metadata:</span><br><span class="line">  name: grafana-gateway</span><br><span class="line">  namespace: istio-system</span><br><span class="line">spec:</span><br><span class="line">  selector:</span><br><span class="line">    istio: ingressgateway # use Istio default gateway implementation</span><br><span class="line">  servers:</span><br><span class="line">  - port:</span><br><span class="line">      number: 80</span><br><span class="line">      name: http</span><br><span class="line">      protocol: HTTP</span><br><span class="line">    hosts:</span><br><span class="line">    - "grafana.idcsec.com"</span><br><span class="line">EOF</span></pre></td></tr></table></figure>
<p>Create a VirtualService to configure routes for traffic entering through the Gateway:<br><figure class="hljs highlight haml"><table><tr><td class="code"><pre><span class="line">cat <<EOF | istioctl create -f -</span><br><span class="line">apiVersion: networking.istio.io/v1alpha3</span><br><span class="line">kind: VirtualService</span><br><span class="line">metadata:</span><br><span class="line">  name: grafana</span><br><span class="line">  namespace: istio-system</span><br><span class="line">spec:</span><br><span class="line">  hosts:</span><br><span class="line">  - "grafana.idcsec.com"</span><br><span class="line">  gateways:</span><br><span class="line">  - grafana-gateway</span><br><span class="line">  http:</span><br><span class="line">  - match:</span><br><span class="line">    - uri:</span><br><span class="line">        prefix: /</span><br><span class="line">    route:</span><br><span class="line">    - destination:</span><br><span class="line">        port:</span><br><span class="line">          number: 3000</span><br><span class="line">        host: grafana</span><br><span class="line">EOF</span></pre></td></tr></table></figure></p>
<p>Accessing the Ingress service from a browser<br>Entering the grafana service address in a browser will not work, because we cannot make the browser pretend to be accessing grafana.idcsec.com the way curl can. With a properly configured host and DNS record it does work: simply open the URL built from the domain name in the browser, for example <a href="http://grafana.idcsec.com/" target="_blank" rel="external">http://grafana.idcsec.com/</a>.<br>To work around this for simple tests and demos, we can use the wildcard value * for hosts: in the Gateway and VirtualService configuration.<br><a href="https://i.loli.net/2019/03/01/5c78a46165fd2.png" target="_blank" rel="external"><img src="https://i.loli.net/2019/03/01/5c78a46165fd2.png" alt="20190301110526.png"></a><br><a href="https://i.loli.net/2019/03/01/5c78a4616d36c.png" target="_blank" rel="external"><img src="https://i.loli.net/2019/03/01/5c78a4616d36c.png" alt="20190301110556.png"></a><br>Delete the Gateway and VirtualService, and shut down the httpbin service:<br><figure class="hljs highlight bash"><table><tr><td class="code"><pre><span class="line">$ istioctl delete gateway grafana-gateway</span><br><span class="line">$ istioctl delete virtualservice grafana</span></pre></td></tr></table></figure></p>
<p>Uninstall Istio<br><figure class="hljs highlight bash"><table><tr><td class="code"><pre><span class="line">kubectl delete -f install/kubernetes/istio-demo.yaml</span><br><span class="line">kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system</span></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<h1 id="u5B89_u88C5Istio"><a href="#u5B89_u88C5Istio" class="headerlink" title="安装Istio"></a>Install Istio</h1><figure class="hljs highlight groov
</summary>
<category term="kubernetes" scheme="http://www.idcsec.com/categories/kubernetes/"/>
<category term="ingressGateway" scheme="http://www.idcsec.com/tags/ingressGateway/"/>
<category term="istio" scheme="http://www.idcsec.com/tags/istio/"/>
</entry>
<entry>
<title>Configuring Tomcat to read Kubernetes custom variables</title>
<link href="http://www.idcsec.com/2019/02/28/tomcat%E9%85%8D%E7%BD%AE%E8%8E%B7%E5%8F%96kubernetes%E8%87%AA%E5%AE%9A%E4%B9%89%E5%8F%98%E9%87%8F/"/>
<id>http://www.idcsec.com/2019/02/28/tomcat配置获取kubernetes自定义变量/</id>
<published>2019-02-28T15:18:00.000Z</published>
<updated>2019-02-28T15:20:34.369Z</updated>
<content type="html"><![CDATA[<p>Reading a Kubernetes custom variable from Tomcat<br>1. Set the Kubernetes custom variable MY_POD_NAME<br>2. Set Tomcat's JAVA_OPTS with -D custom variable name: value (the variable defined in the yaml)<br>3. Reference the variable in the Tomcat configuration file to obtain the Kubernetes pod hostname, so that the logs of multiple pods are named by hostname, which resolves interleaved log writes</p><figure class="hljs highlight applescript"><table><tr><td class="code"><pre><span class="line">[root@k8s-master ~]# cat tomcat-demo.yaml</span><br><span class="line">apiVersion: v1</span><br><span class="line">kind: Pod</span><br><span class="line">metadata:</span><br><span class="line">  name: tomcat-istio</span><br><span class="line">  annotations:</span><br><span class="line">spec:</span><br><span class="line">  containers:</span><br><span class="line">  - name: tomcat-istio</span><br><span class="line">    image: toamcat:demo</span><br><span class="line">    env:</span><br><span class="line">    - name: JAVA_OPTS</span><br><span class="line">      value: "-server -Xms4096M -Xmx4096M -Xss256K -Dmy.pod.name=$MY_POD_NAME -Djava.awt.headless=true -Dfile.encoding=utf-8 -XX:MaxPermSize=256M -XX:PermSize=128M"</span><br><span class="line">    - name: MY_POD_NAME</span><br><span class="line">      valueFrom:</span><br><span class="line">        fieldRef:</span><br><span class="line">          fieldPath: metadata.name</span></pre></td></tr></table></figure>
<figure class="hljs highlight applescript"><table><tr><td class="code"><pre><span class="line"># Dockerfile</span><br><span class="line">RUN sed -i 's/prefix="localhost_access_log." suffix=".txt"/prefix="${my.pod.name}__access_log" suffix=".txt"/g' server.xml</span></pre></td></tr></table></figure><p><img src="https://i.loli.net/2019/02/28/5c77f94fec009.png" alt="20190228230738.png"></p>]]></content>
<summary type="html">
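<p>Reading a Kubernetes custom variable from Tomcat<br>1. Set the Kubernetes custom variable MY_POD_NAME<br>2. Set Tomcat's JAVA_OPTS with -D custom variable name: value (the variable defined in the yaml)<br>3. Reference the variable in the Tomcat configuration file to obtain the kubernet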
</summary>
<category term="jvm" scheme="http://www.idcsec.com/tags/jvm/"/>
<category term="kubernetes" scheme="http://www.idcsec.com/tags/kubernetes/"/>
<category term="tomcat" scheme="http://www.idcsec.com/tags/tomcat/"/>
</entry>
<entry>
<title>Building a Kubernetes cluster with kubeadm 1.13.3 without circumventing the firewall</title>
<link href="http://www.idcsec.com/2019/02/20/%E5%85%8D%E7%BF%BB%E5%A2%99kubeadm1-13-3%E6%90%AD%E5%BB%BAkubernetes%E9%9B%86%E7%BE%A4/"/>
<id>http://www.idcsec.com/2019/02/20/免翻墙kubeadm1-13-3搭建kubernetes集群/</id>
<published>2019-02-20T14:28:00.000Z</published>
<updated>2019-03-13T14:20:19.476Z</updated>
<content type="html"><![CDATA[<h1 id="u8282_u70B9_u89C4_u5212"><a href="#u8282_u70B9_u89C4_u5212" class="headerlink" title="节点规划"></a>节点规划</h1><p>master 192.168.19.222<br>node1 192.168.19.223<br>node2 192.168.19.224</p><h2 id="u8F6F_u4EF6_u7248_u672C"><a href="#u8F6F_u4EF6_u7248_u672C" class="headerlink" title="软件版本"></a>软件版本</h2><p>操作系统:CentOS Linux release7 4.4.174-1.el7.elrepo.x86_64<br>Docker版本:18.06.2-ce<br>kubernetes版本:1.13.3</p><h2 id="u73AF_u5883_u51C6_u5907"><a href="#u73AF_u5883_u51C6_u5907" class="headerlink" title="环境准备"></a>环境准备</h2><p> 配置SSH免密登录 </p><h2 id="u5173_u95ED_u6240_u6709_u8282_u70B9_u9632_u706B_u5899"><a href="#u5173_u95ED_u6240_u6709_u8282_u70B9_u9632_u706B_u5899" class="headerlink" title="关闭所有节点防火墙"></a>关闭所有节点防火墙</h2><figure class="hljs highlight crmsh"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# service</span> firewalld <span class="literal">stop</span> && systemctl disable firewalld</span><br></pre></td></tr></table></figure><h2 id="u5173_u95ED_u6240_u6709_u8282_u70B9selinux"><a href="#u5173_u95ED_u6240_u6709_u8282_u70B9selinux" class="headerlink" title="关闭所有节点selinux"></a>关闭所有节点selinux</h2><figure class="hljs highlight crmsh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# setenforce</span> <span class="number">0</span></span><br><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# sed</span> -i 's/<span class="variable">SELINUX=</span>enforcing/<span class="variable">SELINUX=</span>disabled/g' /etc/selinux/config</span><br></pre></td></tr></table></figure><h2 id="u8BBE_u7F6E_u6240_u6709_u8282_u70B9/etc/hosts_u6587_u4EF6"><a href="#u8BBE_u7F6E_u6240_u6709_u8282_u70B9/etc/hosts_u6587_u4EF6" 
class="headerlink" title="设置所有节点/etc/hosts文件"></a>设置所有节点/etc/hosts文件</h2><figure class="hljs highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">[root@k8s-master ~]<span class="preprocessor"># cat /etc/hosts</span></span><br><span class="line"><span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> localhost localhost.localdomain localhost4 localhost4.localdomain4</span><br><span class="line">::<span class="number">1</span> localhost localhost.localdomain localhost6 localhost6.localdomain6</span><br><span class="line"><span class="number">192.168</span><span class="number">.19</span><span class="number">.222</span> k8s-master</span><br><span class="line"><span class="number">192.168</span><span class="number">.19</span><span class="number">.223</span> node1</span><br><span class="line"><span class="number">192.168</span><span class="number">.19</span><span class="number">.224</span> node2</span><br></pre></td></tr></table></figure><a id="more"></a><h2 id="u5173_u95ED_u6240_u6709_u8282_u70B9swap"><a href="#u5173_u95ED_u6240_u6709_u8282_u70B9swap" class="headerlink" title="关闭所有节点swap"></a>关闭所有节点swap</h2><figure class="hljs highlight coffeescript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root<span class="property">@k8s</span>-master ~]<span class="comment"># swapoff -a</span></span><br><span class="line">[root<span class="property">@k8s</span>-master ~]<span class="comment"># sed -i '/swap/d' /etc/fstab</span></span><br></pre></td></tr></table></figure><h2 id="u6240_u6709_u8282_u70B9_u53C2_u6570_u8BBE_u7F6E"><a href="#u6240_u6709_u8282_u70B9_u53C2_u6570_u8BBE_u7F6E" class="headerlink" 
title="所有节点参数设置"></a>所有节点参数设置</h2><figure class="hljs highlight autoit"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">[root<span class="constant">@k8s</span>-master ~]<span class="preprocessor"># cat > /etc/sysctl.d/k8s.conf <<EOF</span></span><br><span class="line">net.bridge.bridge-nf-<span class="built_in">call</span>-ip6tables = <span class="number">1</span></span><br><span class="line">net.bridge.bridge-nf-<span class="built_in">call</span>-iptables = <span class="number">1</span></span><br><span class="line">net.ipv4.ip_forward = <span class="number">1</span></span><br><span class="line">vm.swappiness=<span class="number">0</span></span><br><span class="line">EOF</span><br><span class="line">[root<span class="constant">@k8s</span>-master ~]<span class="preprocessor"># sysctl -p /etc/sysctl.d/k8s.conf</span></span><br><span class="line">[root<span class="constant">@k8s</span>-master ~]<span class="preprocessor"># modprobe br_netfilter</span></span><br><span class="line">[root<span class="constant">@k8s</span>-master ~]<span class="preprocessor"># sysctl -p /etc/sysctl.d/k8s.conf</span></span><br></pre></td></tr></table></figure><h1 id="4-_u6240_u6709_u8282_u70B9_u5B89_u88C5Docker"><a href="#4-_u6240_u6709_u8282_u70B9_u5B89_u88C5Docker" class="headerlink" title="4.所有节点安装Docker"></a>4.所有节点安装Docker</h1><p>安装docker的yum源:<br><figure class="hljs highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span 
class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">yum install -y yum-utils device-mapper-persistent-data lvm2</span><br><span class="line">yum-config-manager \</span><br><span class="line"> --add-repo \</span><br><span class="line"> https:<span class="comment">//download.docker.com/linux/centos/docker-ce.repo</span></span><br><span class="line"># List the latest Docker versions:</span><br><span class="line">[root@k8s-master ~]<span class="preprocessor"># yum list docker-ce.x86_64 --showduplicates |sort -r</span></span><br><span class="line">已加载插件:fastestmirror</span><br><span class="line">已安装的软件包</span><br><span class="line">可安装的软件包</span><br><span class="line"> * updates: centos.ustc.edu.cn</span><br><span class="line">Loading mirror speeds from cached hostfile</span><br><span class="line"> * extras: centos.ustc.edu.cn</span><br><span class="line"> * elrepo: mirrors.tuna.tsinghua.edu.cn</span><br><span class="line">docker-ce.x86_64 <span class="number">3</span>:<span class="number">18.09</span><span class="number">.2</span>-<span class="number">3.</span>el7 docker-ce-stable </span><br><span class="line">docker-ce.x86_64 <span class="number">3</span>:<span class="number">18.09</span><span class="number">.1</span>-<span class="number">3.</span>el7 docker-ce-stable </span><br><span class="line">docker-ce.x86_64 <span class="number">3</span>:<span class="number">18.09</span><span class="number">.0</span>-<span class="number">3.</span>el7 docker-ce-stable </span><br><span class="line">docker-ce.x86_64 <span class="number">18.06</span><span 
class="number">.2</span>.ce-<span class="number">3.</span>el7 docker-ce-stable </span><br><span class="line">docker-ce.x86_64 <span class="number">18.06</span><span class="number">.2</span>.ce-<span class="number">3.</span>el7 @docker-ce-stable</span><br><span class="line">docker-ce.x86_64 <span class="number">18.06</span><span class="number">.1</span>.ce-<span class="number">3.</span>el7 docker-ce-stable </span><br><span class="line">docker-ce.x86_64 <span class="number">18.06</span><span class="number">.0</span>.ce-<span class="number">3.</span>el7 docker-ce-stable </span><br><span class="line">docker-ce.x86_64 <span class="number">18.03</span><span class="number">.1</span>.ce-<span class="number">1.</span>el7.centos docker-ce-stable </span><br><span class="line">docker-ce.x86_64 <span class="number">18.03</span><span class="number">.0</span>.ce-<span class="number">1.</span>el7.centos docker-ce-stable</span><br></pre></td></tr></table></figure></p><p>Install Docker version 18.06.2.ce-3.el7 on every node:<br><figure class="hljs highlight crmsh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# yum</span> install -y --<span class="variable">setopt=</span><span class="variable">obsoletes=</span><span class="number">0</span> \</span><br><span class="line"> docker-ce-<span class="number">18.06</span>.<span class="number">2</span>.ce-<span class="number">3</span>.el7</span><br><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# systemctl</span> <span class="literal">start</span> docker && systemctl enable docker</span><br></pre></td></tr></table></figure></p><h2 id="u914D_u7F6Ekubernetes_u963F_u91CC_u6E90"><a href="#u914D_u7F6Ekubernetes_u963F_u91CC_u6E90" class="headerlink" title="Configure the Aliyun Kubernetes repository"></a>Configure the Aliyun Kubernetes repository</h2><figure class="hljs highlight 
crystal"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">[root<span class="variable">@k8s</span>-master ~]<span class="comment"># cat>>/etc/yum.repos.d/kubrenetes.repo<<EOF</span></span><br><span class="line">[kubernetes]</span><br><span class="line">name=<span class="constant">Kubernetes</span> <span class="constant">Repo</span></span><br><span class="line">baseurl=<span class="symbol">https:</span>/<span class="regexp">/mirrors.aliyun.com/kubernetes</span><span class="regexp">/yum/repos</span><span class="regexp">/kubernetes-el7-x86_64/</span></span><br><span class="line">gpgcheck=<span class="number">0</span></span><br><span class="line">gpgkey=<span class="symbol">https:</span>/<span class="regexp">/mirrors.aliyun.com/kubernetes</span><span class="regexp">/yum/doc</span><span class="regexp">/yum-key.gpg</span><br><span class="line">EOF</span></span><br></pre></td></tr></table></figure><p>The Aliyun definition above sets gpgcheck=0, so yum installs these packages without verifying their signatures even though a gpgkey is listed; the Google definition below enables gpgcheck and repo_gpgcheck.<br>Using the Google repository requires bypassing the firewall (a proxy or VPN):<br><a href="https://kubernetes.io/docs/setup/independent/install-kubeadm/" target="_blank" rel="external">https://kubernetes.io/docs/setup/independent/install-kubeadm/</a><br><figure class="hljs highlight crystal"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">cat <<<span class="constant">EOF</span> > <span class="regexp">/etc/yum</span>.repos.d/kubernetes.repo</span><br><span class="line">[kubernetes]</span><br><span class="line">name=<span 
class="constant">Kubernetes</span></span><br><span class="line">baseurl=<span class="symbol">https:</span>/<span class="regexp">/packages.cloud.google.com/yum</span><span class="regexp">/repos/kubernetes</span>-el7-x86_64</span><br><span class="line">enabled=<span class="number">1</span></span><br><span class="line">gpgcheck=<span class="number">1</span></span><br><span class="line">repo_gpgcheck=<span class="number">1</span></span><br><span class="line">gpgkey=<span class="symbol">https:</span>/<span class="regexp">/packages.cloud.google.com/yum</span><span class="regexp">/doc/yum</span>-key.gpg <span class="symbol">https:</span>/<span class="regexp">/packages.cloud.google.com/yum</span><span class="regexp">/doc/rpm</span>-package-key.gpg</span><br><span class="line">exclude=kube*</span><br><span class="line"><span class="constant">EOF</span></span><br></pre></td></tr></table></figure></p><h3 id="u6240_u6709_u8282_u70B9_u5B89_u88C5kubelet_kubeadm_kubectl_u5305"><a href="#u6240_u6709_u8282_u70B9_u5B89_u88C5kubelet_kubeadm_kubectl_u5305" class="headerlink" title="Install the kubelet, kubeadm and kubectl packages on all nodes"></a>Install the kubelet, kubeadm and kubectl packages on all nodes</h3><figure class="hljs highlight crmsh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# yum</span> install -y kubelet kubeadm kubectl</span><br><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# systemctl</span> enable kubelet && systemctl <span class="literal">start</span> kubelet</span><br></pre></td></tr></table></figure><h2 id="Docker_u83B7_u53D6kubernetes_u7EC4_u4EF6_u955C_u50CF"><a href="#Docker_u83B7_u53D6kubernetes_u7EC4_u4EF6_u955C_u50CF" class="headerlink" title="Pull the Kubernetes component images with Docker"></a>Pull the Kubernetes component images with Docker</h2><figure class="hljs highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">cat <<EOF > /tmp/get-images.sh</span><br><span class="line"><span class="preprocessor">#!/bin/bash</span></span><br><span class="line"></span><br><span class="line">images=(kube-apiserver:v1<span class="number">.13</span><span class="number">.3</span> kube-controller-manager:v1<span class="number">.13</span><span class="number">.3</span> kube-scheduler:v1<span class="number">.13</span><span class="number">.3</span> kube-proxy:v1<span class="number">.13</span><span class="number">.3</span> pause:<span class="number">3.1</span> etcd:<span class="number">3.2</span><span class="number">.24</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> imageName in \${images[@]} ; <span class="keyword">do</span></span><br><span class="line"></span><br><span class="line">docker pull mirrorgooglecontainers/\$imageName</span><br><span class="line"></span><br><span class="line">docker tag mirrorgooglecontainers/\$imageName k8s.gcr.io/\$imageName</span><br><span class="line"></span><br><span class="line">docker rmi mirrorgooglecontainers/\$imageName</span><br><span class="line"></span><br><span class="line">done</span><br><span class="line"></span><br><span class="line">EOF</span><br><span class="line"></span><br><span class="line">sh /tmp/get-images.sh</span><br><span 
class="line">docker pull coredns/coredns:<span class="number">1.2</span><span class="number">.6</span></span><br><span class="line">docker tag coredns/coredns:<span class="number">1.2</span><span class="number">.6</span> k8s.gcr.io/coredns:<span class="number">1.2</span><span class="number">.6</span></span><br><span class="line">docker rmi coredns/coredns:<span class="number">1.2</span><span class="number">.6</span></span><br></pre></td></tr></table></figure><h2 id="u5728Master_u8282_u70B9_u521D_u59CB_u5316kubernetes_u96C6_u7FA4"><a href="#u5728Master_u8282_u70B9_u521D_u59CB_u5316kubernetes_u96C6_u7FA4" class="headerlink" title="Initialize the Kubernetes cluster on the master node"></a>Initialize the Kubernetes cluster on the master node</h2><figure class="hljs highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">[root@k8s-master ]# kubeadm init <span class="comment">--kubernetes-version=v1.13.3 --apiserver-advertise-address 192.168.19.222 --pod-network-cidr=10.244.0.0/16</span></span><br><span class="line"><span class="comment">--kubernetes-version: specifies the Kubernetes version</span></span><br><span class="line"><span class="comment">--apiserver-advertise-address: specifies which network interface of the master is used for communication; if omitted, kubeadm automatically picks the interface that has the default gateway</span></span><br><span 
class="line"><span class="comment">--pod-network-cidr: specifies the Pod network range. Its value depends on the network solution in use; this article uses the classic flannel network solution.</span></span><br><span class="line"></span><br><span class="line">[root@k8s-master ]# kubeadm init <span class="comment">--kubernetes-version=v1.13.3 --apiserver-advertise-address 192.168.19.222 --pod-network-cidr=10.244.0.0/16</span></span><br><span class="line">.....</span><br><span class="line">Your Kubernetes master has initialized successfully!</span><br><span class="line"></span><br><span class="line">To <span class="operator"><span class="keyword">start</span> <span class="keyword">using</span> your cluster, you need <span class="keyword">to</span> run the <span class="keyword">following</span> <span class="keyword">as</span> a regular <span class="keyword">user</span>:</span><br><span class="line"></span><br><span class="line"> mkdir -<span class="keyword">p</span> $HOME/.kube</span><br><span class="line"> sudo cp -<span class="keyword">i</span> /etc/kubernetes/<span class="keyword">admin</span>.conf $HOME/.kube/config</span><br><span class="line"> sudo chown $(<span class="keyword">id</span> -u):$(<span class="keyword">id</span> -<span class="keyword">g</span>) $HOME/.kube/config</span><br><span class="line"></span><br><span class="line">You should <span class="keyword">now</span> deploy a pod network <span class="keyword">to</span> the cluster.</span><br><span class="line">Run <span class="string">"kubectl apply -f [podnetwork].yaml"</span> <span class="keyword">with</span> one <span class="keyword">of</span> the options listed <span class="keyword">at</span>:</span><br><span class="line"> https://kubernetes.io/docs/concepts/cluster-administration/addons/</span><br><span class="line"></span><br><span class="line">You can <span class="keyword">now</span> <span class="keyword">join</span> <span class="keyword">any</span> <span class="built_in">number</span> <span class="keyword">of</span> machines <span class="keyword">by</span> running the <span 
class="keyword">following</span> <span class="keyword">on</span> <span class="keyword">each</span> node</span><br><span class="line"><span class="keyword">as</span> root:</span><br><span class="line"></span><br><span class="line"> kubeadm <span class="keyword">join</span> <span class="number">192.168</span><span class="number">.19</span><span class="number">.222</span>:<span class="number">6443</span> <span class="comment">--token glv963.q0y5srs7s7qbna4y --discovery-token-ca-cert-hash sha256:3013d8f7b0cd16f3d3514031b6459851f047e8f0318d84e8515894198986936e</span></span></span><br></pre></td></tr></table></figure><h2 id="u6309_u7167_u63D0_u793A_u6267_u884C_u914D_u7F6Ekubectl_u914D_u7F6E"><a href="#u6309_u7167_u63D0_u793A_u6267_u884C_u914D_u7F6Ekubectl_u914D_u7F6E" class="headerlink" title="Configure kubectl as prompted"></a>Configure kubectl as prompted</h2><figure class="hljs highlight xquery"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">mkdir -p <span class="variable">$HOME</span>/.kube</span><br><span class="line">sudo cp -i /etc/kubernetes/admin.conf <span class="variable">$HOME</span>/.kube/config</span><br><span class="line">sudo chown $(id -u):$(id -g) <span class="variable">$HOME</span>/.kube/config</span><br></pre></td></tr></table></figure><p>Check the cluster status:<br><figure class="hljs highlight vim"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">kubectl <span class="built_in">get</span> <span class="keyword">cs</span></span><br></pre></td></tr></table></figure></p><h2 id="u5C06_u6B64_u8282_u70B9_u52A0_u5165_u96C6_u7FA4_uFF0C_u5728node1_u548Cnode22_u8282_u70B9_u6267_u884C_u547D_u4EE4"><a href="#u5C06_u6B64_u8282_u70B9_u52A0_u5165_u96C6_u7FA4_uFF0C_u5728node1_u548Cnode22_u8282_u70B9_u6267_u884C_u547D_u4EE4" class="headerlink" 
title="Join the nodes to the cluster: run this command on node1 and node2"></a>Join the nodes to the cluster: run this command on node1 and node2</h2><figure class="hljs highlight dns"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">kubeadm join <span class="number">192.168.19.222</span>:6443 --token glv963.q0y5srs7s7qbna4y --discovery-token-ca-cert-hash sha<span class="number">256:3013</span>d8f7b0cd<span class="number">16f3d35140</span><span class="number">31b6459851</span>f<span class="number">047e8f03</span><span class="number">18d84e85158</span><span class="number">94198986936</span>e</span><br></pre></td></tr></table></figure><h1 id="u914D_u7F6E_u7F51_u7EDCcalico3-4"><a href="#u914D_u7F6E_u7F51_u7EDCcalico3-4" class="headerlink" title="Configure networking with Calico 3.4"></a>Configure networking with Calico 3.4</h1><p><a href="https://docs.projectcalico.org/v3.4/getting-started/kubernetes/" target="_blank" rel="external">https://docs.projectcalico.org/v3.4/getting-started/kubernetes/</a><br><a href="https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/calico" target="_blank" rel="external">https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/calico</a><br><a href="https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/" target="_blank" rel="external">https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/</a><br>CNI plugin enabled<br>Calico is installed as a CNI plugin. The kubelet must be configured to use CNI networking by passing the --network-plugin=cni argument. (On kubeadm, this is the default.)<br>Install an etcd instance with the following command.<br><figure class="hljs highlight livecodeserver"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">kubectl apply -f \</span><br><span class="line"><span class="keyword">https</span>://docs.projectcalico.org/v3<span 
class="number">.4</span>/getting-started/kubernetes/installation/hosted/etcd.yaml</span><br><span class="line"># You should see the following output:</span><br><span class="line">daemonset.extensions/calico-etcd created</span><br><span class="line">service/calico-etcd created</span><br><span class="line">kubectl <span class="built_in">get</span> endpoints <span class="comment">--all-namespaces</span></span><br></pre></td></tr></table></figure></p><h2 id="u4E0B_u8F7Detcd_u7684Calico_u7F51_u7EDC_u6E05_u5355"><a href="#u4E0B_u8F7Detcd_u7684Calico_u7F51_u7EDC_u6E05_u5355" class="headerlink" title="Download the Calico networking manifest for etcd"></a>Download the Calico networking manifest for etcd</h2><p>When deployed with kubeadm, Calico does not use the etcd service that kubeadm deploys on the Kubernetes master; it creates its own etcd pod, with the service address <a href="http://10.96.232.136:6666" target="_blank" rel="external">http://10.96.232.136:6666</a><br><figure class="hljs highlight crmsh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">[root@k8s-<span class="literal">master</span>]<span class="comment">#curl \</span></span><br><span class="line">> https://docs.projectcalico.org/v3.<span class="number">4</span>/getting-<span class="literal">started</span>/kubernetes/installation/hosted/calico.yaml \</span><br><span class="line">> -O</span><br></pre></td></tr></table></figure></p><p>Because my pod CIDR differs from the official default, the manifest needs to be modified; also modify the etcd endpoints.<br><figure class="hljs highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">POD_CIDR=<span class="string">"10.244.0.0/16"</span></span><br><span class="line">sed -<span class="tag">i</span> -e <span class="string">"s?192.168.0.0/16?$POD_CIDR?g"</span> calico<span class="class">.yaml</span></span><br><span class="line">kubectl apply -f calico.yaml</span><br></pre></td></tr></table></figure></p><p>kubeadm init 
and the CIDR specified with that flag must match Calico's IP pool. The default IP pool configured in Calico's manifest is 192.168.0.0/16<br>Check that the Pods are healthy:<br><figure class="hljs highlight autoit"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root<span class="constant">@k8s</span>-master]<span class="preprocessor"># kubectl get pods --all-namespaces</span></span><br><span class="line">[root<span class="constant">@k8s</span>-master]<span class="preprocessor"># kubectl get node</span></span><br></pre></td></tr></table></figure></p><p><img src="https://i.loli.net/2019/02/20/5c6d625aea29b.png" alt="20190220222017.png"><br>At this point the Kubernetes cluster is basically complete.<br>Tokens can be viewed with a command (they are valid for 24 hours).<br>To list tokens, run on the master:<br>[root@k8s-master]# kubeadm token list<br>Generate a new token:<br>[root@k8s-master]#kubeadm token create<br>Get the SHA-256 hash of the CA certificate:<br>[root@k8s-master]#openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'<br>Optional</p><h1 id="kube-proxy_u5F00_u542Fipvs"><a href="#kube-proxy_u5F00_u542Fipvs" class="headerlink" title="Enable IPVS for kube-proxy"></a>Enable IPVS for kube-proxy</h1><p>Kernel modules that must be loaded before kube-proxy can use IPVS; run this on every node that runs kube-proxy:<br><figure class="hljs highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">cat > /etc/sysconfig/modules/ipvs.modules <<EOF</span><br><span class="line"><span class="shebang">#!/bin/bash</span></span><br><span class="line">modprobe -- ip_vs</span><br><span 
class="line">modprobe -- ip_vs_rr</span><br><span class="line">modprobe -- ip_vs_wrr</span><br><span class="line">modprobe -- ip_vs_sh</span><br><span class="line">modprobe -- nf_conntrack_ipv4</span><br><span class="line">EOF</span><br><span class="line">chmod <span class="number">755</span> /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep <span class="operator">-e</span> ip_vs <span class="operator">-e</span> nf_conntrack_ipv4</span><br></pre></td></tr></table></figure></p><figure class="hljs highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">kubectl <span class="keyword">edit</span> cm kube-proxy -<span class="keyword">n</span> kube-system</span><br><span class="line"># Edit config.<span class="keyword">conf</span> and set mode: "ipvs"</span><br><span class="line"># "Using ipvs Proxier" in the kube-proxy log shows that IPVS mode is enabled</span><br><span class="line">kubectl logs kube-proxy-xxxxx -<span class="keyword">n</span> kube-system</span><br></pre></td></tr></table></figure><p>Cleaning up the cluster<br>To remove the node node2, run the following commands:<br><figure class="hljs highlight crystal"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"># On the master:</span><br><span class="line">kubectl drain node2 --delete-local-data --force --ignore-daemonsets</span><br><span class="line">kubectl delete node node2</span><br><span class="line"># On node2:</span><br><span class="line">kubeadm reset</span><br><span class="line">rm -rf /var/<span class="class"><span class="keyword">lib</span>/<span 
class="title">cni</span>/</span></span><br></pre></td></tr></table></figure></p><h1 id="u5B89_u88C5dashboard"><a href="#u5B89_u88C5dashboard" class="headerlink" title="Install the dashboard"></a>Install the dashboard</h1><p>Pull the image:<br><figure class="hljs highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">docker pull registry<span class="class">.cn-qingdao</span><span class="class">.aliyuncs</span><span class="class">.com</span>/wangxiaoke/kubernetes-dashboard-amd64:v1.<span class="number">10.0</span></span><br><span class="line">docker tag registry<span class="class">.cn-qingdao</span><span class="class">.aliyuncs</span><span class="class">.com</span>/wangxiaoke/kubernetes-dashboard-amd64:v1.<span class="number">10.0</span> k8s<span class="class">.gcr</span><span class="class">.io</span>/kubernetes-dashboard-amd64:v1.<span class="number">10.0</span></span><br><span class="line">docker image rm registry<span class="class">.cn-qingdao</span><span class="class">.aliyuncs</span><span class="class">.com</span>/wangxiaoke/kubernetes-dashboard-amd64:v1.<span class="number">10.0</span></span><br></pre></td></tr></table></figure></p><p>dashboard.yaml<br><figure class="hljs highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span 
class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span 
class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span 
class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br></pre></td><td class="code"><pre><span class="line"># Copyright 2017 The Kubernetes Authors.</span><br><span class="line">#</span><br><span class="line"># Licensed under the Apache License, Version 2.0 (the "License");</span><br><span class="line"># you may not <span class="operator"><span class="keyword">use</span> this <span class="keyword">file</span> <span class="keyword">except</span> <span class="keyword">in</span> compliance <span class="keyword">with</span> the License.</span><br><span class="line"># You may obtain a copy <span class="keyword">of</span> the License <span class="keyword">at</span></span><br><span class="line">#</span><br><span class="line"># <span class="keyword">http</span>://www.apache.org/licenses/LICENSE-<span class="number">2.0</span></span><br><span class="line">#</span><br><span class="line"># Unless <span class="keyword">required</span> <span class="keyword">by</span> applicable law <span class="keyword">or</span> agreed <span class="keyword">to</span> <span class="keyword">in</span> writing, software</span><br><span class="line"># <span class="keyword">distributed</span> <span class="keyword">under</span> the License <span class="keyword">is</span> <span class="keyword">distributed</span> <span
class="keyword">on</span> an <span class="string">"AS IS"</span> BASIS,</span><br><span class="line"># <span class="keyword">WITHOUT</span> WARRANTIES <span class="keyword">OR</span> CONDITIONS <span class="keyword">OF</span> <span class="keyword">ANY</span> KIND, either express <span class="keyword">or</span> implied.</span><br><span class="line"># See the License <span class="keyword">for</span> the specific <span class="keyword">language</span> governing permissions <span class="keyword">and</span></span><br><span class="line"># limitations <span class="keyword">under</span> the License.</span><br><span class="line"></span><br><span class="line"># <span class="comment">------------------- Dashboard Secret ------------------- #</span></span><br><span class="line"></span><br><span class="line">apiVersion: v1</span><br><span class="line">kind: Secret</span><br><span class="line">metadata:</span><br><span class="line">  labels:</span><br><span class="line">    k8s-app: kubernetes-dashboard</span><br><span class="line">  <span class="keyword">name</span>: kubernetes-dashboard-certs</span><br><span class="line">  namespace: kube-<span class="keyword">system</span></span><br><span class="line"><span class="keyword">type</span>: <span class="keyword">Opaque</span></span><br><span class="line"></span><br><span class="line"><span class="comment">---</span></span><br><span class="line"># <span class="comment">------------------- Dashboard Service Account ------------------- #</span></span><br><span class="line"></span><br><span class="line">apiVersion: v1</span><br><span class="line">kind: ServiceAccount</span><br><span class="line">metadata:</span><br><span class="line">  labels:</span><br><span class="line">    k8s-app: kubernetes-dashboard</span><br><span class="line">  <span class="keyword">name</span>: kubernetes-dashboard</span><br><span class="line">  namespace: kube-<span class="keyword">system</span></span><br><span class="line"></span><br><span
class="comment">---</span></span><br><span class="line"># <span class="comment">------------------- Dashboard Role & Role Binding ------------------- #</span></span><br><span class="line"></span><br><span class="line">kind: <span class="keyword">Role</span></span><br><span class="line">apiVersion: rbac.authorization.k8s.io/v1</span><br><span class="line">metadata:</span><br><span class="line">  <span class="keyword">name</span>: kubernetes-dashboard-minimal</span><br><span class="line">  namespace: kube-<span class="keyword">system</span></span><br><span class="line"><span class="keyword">rules</span>:</span><br><span class="line">  # <span class="keyword">Allow</span> Dashboard <span class="keyword">to</span> <span class="keyword">create</span> <span class="string">'kubernetes-dashboard-key-holder'</span> secret.</span><br><span class="line">- apiGroups: [<span class="string">""</span>]</span><br><span class="line">  resources: [<span class="string">"secrets"</span>]</span><br><span class="line">  verbs: [<span class="string">"create"</span>]</span><br><span class="line">  # <span class="keyword">Allow</span> Dashboard <span class="keyword">to</span> <span class="keyword">create</span> <span class="string">'kubernetes-dashboard-settings'</span> config <span class="keyword">map</span>.</span><br><span class="line">- apiGroups: [<span class="string">""</span>]</span><br><span class="line">  resources: [<span class="string">"configmaps"</span>]</span><br><span class="line">  verbs: [<span class="string">"create"</span>]</span><br><span class="line">  # <span class="keyword">Allow</span> Dashboard <span class="keyword">to</span> <span class="keyword">get</span>, <span class="keyword">update</span> <span class="keyword">and</span> <span class="keyword">delete</span> Dashboard exclusive secrets.</span><br><span class="line">- apiGroups: [<span class="string">""</span>]</span><br><span class="line">  resources: [<span class="string">"secrets"</span>]</span><br><span class="line">  resourceNames: [<span class="string">"kubernetes-dashboard-key-holder"</span>, <span class="string">"kubernetes-dashboard-certs"</span>]</span><br><span class="line">  verbs: [<span class="string">"get"</span>, <span class="string">"update"</span>, <span class="string">"delete"</span>]</span><br><span class="line">  # <span class="keyword">Allow</span> Dashboard <span class="keyword">to</span> <span class="keyword">get</span> <span class="keyword">and</span> <span class="keyword">update</span> <span class="string">'kubernetes-dashboard-settings'</span> config <span class="keyword">map</span>.</span><br><span class="line">- apiGroups: [<span class="string">""</span>]</span><br><span class="line">  resources: [<span class="string">"configmaps"</span>]</span><br><span class="line">  resourceNames: [<span class="string">"kubernetes-dashboard-settings"</span>]</span><br><span class="line">  verbs: [<span class="string">"get"</span>, <span class="string">"update"</span>]</span><br><span class="line">  # <span class="keyword">Allow</span> Dashboard <span class="keyword">to</span> <span class="keyword">get</span> metrics <span class="keyword">from</span> heapster.</span><br><span class="line">- apiGroups: [<span class="string">""</span>]</span><br><span class="line">  resources: [<span class="string">"services"</span>]</span><br><span class="line">  resourceNames: [<span class="string">"heapster"</span>]</span><br><span class="line">  verbs: [<span class="string">"proxy"</span>]</span><br><span class="line">- apiGroups: [<span class="string">""</span>]</span><br><span class="line">  resources: [<span class="string">"services/proxy"</span>]</span><br><span class="line">  resourceNames: [<span class="string">"heapster"</span>, <span class="string">"http:heapster:"</span>, <span class="string">"https:heapster:"</span>]</span><br><span class="line">  verbs: [<span class="string">"get"</span>]</span><br><span class="line"></span><br><span
class="comment">---</span></span><br><span class="line">apiVersion: rbac.authorization.k8s.io/v1</span><br><span class="line">kind: RoleBinding</span><br><span class="line">metadata:</span><br><span class="line">  <span class="keyword">name</span>: kubernetes-dashboard-minimal</span><br><span class="line">  namespace: kube-<span class="keyword">system</span></span><br><span class="line">roleRef:</span><br><span class="line">  apiGroup: rbac.authorization.k8s.io</span><br><span class="line">  kind: <span class="keyword">Role</span></span><br><span class="line">  <span class="keyword">name</span>: kubernetes-dashboard-minimal</span><br><span class="line">subjects:</span><br><span class="line">- kind: ServiceAccount</span><br><span class="line">  <span class="keyword">name</span>: kubernetes-dashboard</span><br><span class="line">  namespace: kube-<span class="keyword">system</span></span><br><span class="line"></span><br><span class="line"><span class="comment">---</span></span><br><span class="line"># <span class="comment">------------------- Dashboard Deployment ------------------- #</span></span><br><span class="line"></span><br><span class="line">kind: Deployment</span><br><span class="line">apiVersion: apps/v1beta2</span><br><span class="line">metadata:</span><br><span class="line">  labels:</span><br><span class="line">    k8s-app: kubernetes-dashboard</span><br><span class="line">  <span class="keyword">name</span>: kubernetes-dashboard</span><br><span class="line">  namespace: kube-<span class="keyword">system</span></span><br><span class="line">spec:</span><br><span class="line">  replicas: <span class="number">1</span></span><br><span class="line">  revisionHistoryLimit: <span class="number">10</span></span><br><span class="line">  selector:</span><br><span class="line">    matchLabels:</span><br><span class="line">      k8s-app: kubernetes-dashboard</span><br><span class="line">  <span class="keyword">template</span>:</span><br><span class="line">    metadata:</span><br><span
class="line">      labels:</span><br><span class="line">        k8s-app: kubernetes-dashboard</span><br><span class="line">    spec:</span><br><span class="line">      containers:</span><br><span class="line">      - <span class="keyword">name</span>: kubernetes-dashboard</span><br><span class="line">        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1<span class="number">.10</span><span class="number">.0</span></span><br><span class="line">        ports:</span><br><span class="line">        - containerPort: <span class="number">8443</span></span><br><span class="line">          protocol: TCP</span><br><span class="line">        args:</span><br><span class="line">          - <span class="comment">--auto-generate-certificates</span></span><br><span class="line">          - <span class="comment">--token-ttl=5400</span></span><br><span class="line">          # Uncomment the <span class="keyword">following</span> line <span class="keyword">to</span> manually specify Kubernetes API <span class="keyword">server</span> Host</span><br><span class="line">          # <span class="keyword">If</span> <span class="keyword">not</span> specified, Dashboard will attempt <span class="keyword">to</span> <span class="keyword">auto</span> discover the API <span class="keyword">server</span> <span class="keyword">and</span> <span class="keyword">connect</span></span><br><span class="line">          # <span class="keyword">to</span> it. Uncomment <span class="keyword">only</span> <span class="keyword">if</span> the <span class="keyword">default</span> does <span class="keyword">not</span> <span class="keyword">work</span>.</span><br><span class="line">          # - <span class="comment">--apiserver-host=http://my-address:port</span></span><br><span class="line">        volumeMounts:</span><br><span class="line">        - <span class="keyword">name</span>: kubernetes-dashboard-certs</span><br><span class="line">          mountPath: /certs</span><br><span class="line">          # <span class="keyword">Create</span> <span class="keyword">on</span>-disk volume <span class="keyword">to</span> <span class="keyword">store</span> exec <span class="keyword">logs</span></span><br><span class="line">        - mountPath: /tmp</span><br><span class="line">          <span class="keyword">name</span>: tmp-volume</span><br><span class="line">        livenessProbe:</span><br><span class="line">          httpGet:</span><br><span class="line">            scheme: HTTPS</span><br><span class="line">            <span class="keyword">path</span>: /</span><br><span class="line">            port: <span class="number">8443</span></span><br><span class="line">          initialDelaySeconds: <span class="number">30</span></span><br><span class="line">          timeoutSeconds: <span class="number">30</span></span><br><span class="line">      volumes:</span><br><span class="line">      - <span class="keyword">name</span>: kubernetes-dashboard-certs</span><br><span class="line">        hostPath:</span><br><span class="line">          <span class="keyword">path</span>: /home/<span class="keyword">share</span>/certs</span><br><span class="line">          <span class="keyword">type</span>: <span class="keyword">Directory</span></span><br><span class="line">      - <span class="keyword">name</span>: tmp-volume</span><br><span class="line">        emptyDir: {}</span><br><span class="line">      serviceAccountName: kubernetes-dashboard</span><br><span class="line">      # <span class="keyword">Comment</span> the <span class="keyword">following</span> tolerations <span class="keyword">if</span> Dashboard must <span class="keyword">not</span> be deployed <span class="keyword">on</span> <span class="keyword">master</span></span><br><span class="line">      tolerations:</span><br><span class="line">      - <span class="keyword">key</span>: node-<span class="keyword">role</span>.kubernetes.io/<span class="keyword">master</span></span><br><span class="line">        effect: NoSchedule</span><br><span class="line"></span><br><span class="line"><span class="comment">---</span></span><br><span class="line"># <span class="comment">------------------- Dashboard Service ------------------- #</span></span><br><span class="line"></span><br><span class="line">kind: Service</span><br><span class="line">apiVersion: v1</span><br><span class="line">metadata:</span><br><span class="line">  labels:</span><br><span class="line">    k8s-app: kubernetes-dashboard</span><br><span class="line">  <span class="keyword">name</span>: kubernetes-dashboard</span><br><span class="line">  namespace: kube-<span class="keyword">system</span></span><br><span class="line">spec:</span><br><span class="line">  ports:</span><br><span class="line">    - port: <span class="number">443</span></span><br><span class="line">      targetPort: <span class="number">8443</span></span><br><span class="line">      nodePort: <span class="number">31234</span></span><br><span class="line">  selector:</span><br><span class="line">    k8s-app: kubernetes-dashboard</span><br><span class="line">  <span class="keyword">type</span>: NodePort</span></span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<h1 id="u8282_u70B9_u89C4_u5212"><a href="#u8282_u70B9_u89C4_u5212" class="headerlink" title="节点规划"></a>Node planning</h1><p>master 192.168.19.222<br>node1 192.168.19.223<br>node2 192.168.19.224</p>
<h2 id="u8F6F_u4EF6_u7248_u672C"><a href="#u8F6F_u4EF6_u7248_u672C" class="headerlink" title="软件版本"></a>Software versions</h2><p>Operating system: CentOS Linux release7 4.4.174-1.el7.elrepo.x86_64<br>Docker version: 18.06.2-ce<br>Kubernetes version: 1.13.3</p>
<h2 id="u73AF_u5883_u51C6_u5907"><a href="#u73AF_u5883_u51C6_u5907" class="headerlink" title="环境准备"></a>Environment preparation</h2><p> Configure passwordless SSH login </p>
<h2 id="u5173_u95ED_u6240_u6709_u8282_u70B9_u9632_u706B_u5899"><a href="#u5173_u95ED_u6240_u6709_u8282_u70B9_u9632_u706B_u5899" class="headerlink" title="关闭所有节点防火墙"></a>Disable the firewall on all nodes</h2><figure class="hljs highlight crmsh"><table><tr><td class="code"><pre><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# service</span> firewalld <span class="literal">stop</span> &amp;&amp; systemctl disable firewalld</span><br></pre></td></tr></table></figure>
<h2 id="u5173_u95ED_u6240_u6709_u8282_u70B9selinux"><a href="#u5173_u95ED_u6240_u6709_u8282_u70B9selinux" class="headerlink" title="关闭所有节点selinux"></a>Disable SELinux on all nodes</h2><figure class="hljs highlight crmsh"><table><tr><td class="code"><pre><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# setenforce</span> <span class="number">0</span></span><br><span class="line">[root@k8s-<span class="keyword">master</span> <span class="title">~]# sed</span> -i 's/<span class="variable">SELINUX=</span>enforcing/<span class="variable">SELINUX=</span>disabled/g' /etc/selinux/config</span><br></pre></td></tr></table></figure>
<h2 id="u8BBE_u7F6E_u6240_u6709_u8282_u70B9/etc/hosts_u6587_u4EF6"><a href="#u8BBE_u7F6E_u6240_u6709_u8282_u70B9/etc/hosts_u6587_u4EF6" class="headerlink" title="设置所有节点/etc/hosts文件"></a>Set the /etc/hosts file on all nodes</h2><figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line">[root@k8s-master ~]<span class="preprocessor"># cat /etc/hosts</span></span><br><span class="line"><span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> localhost localhost.localdomain localhost4 localhost4.localdomain4</span><br><span class="line">::<span class="number">1</span> localhost localhost.localdomain localhost6 localhost6.localdomain6</span><br><span class="line"><span class="number">192.168</span><span class="number">.19</span><span class="number">.222</span> k8s-master</span><br><span class="line"><span class="number">192.168</span><span class="number">.19</span><span class="number">.223</span> node1</span><br><span class="line"><span class="number">192.168</span><span class="number">.19</span><span class="number">.224</span> node2</span><br></pre></td></tr></table></figure>
</summary>
<category term="kubernetes" scheme="http://www.idcsec.com/categories/kubernetes/"/>
<category term="calico" scheme="http://www.idcsec.com/tags/calico/"/>
<category term="kubeadm" scheme="http://www.idcsec.com/tags/kubeadm/"/>
</entry>
<entry>
<title>Haproxy: quick compile-and-install and configuration explained in detail</title>
<link href="http://www.idcsec.com/2019/01/23/Haproxy%E5%BF%AB%E9%80%9F%E7%BC%96%E8%AF%91%E5%AE%89%E8%A3%85%E4%BB%A5%E5%8F%8A%E9%85%8D%E7%BD%AE%E8%AF%A6%E8%A7%A3/"/>
<id>http://www.idcsec.com/2019/01/23/Haproxy快速编译安装以及配置详解/</id>
<published>2019-01-23T02:50:22.000Z</published>
<updated>2019-01-23T06:38:38.248Z</updated>
<content type="html"><![CDATA[<h1 id="haproxy_u5B89_u88C5_u811A_u672Ccentos7-x"><a href="#haproxy_u5B89_u88C5_u811A_u672Ccentos7-x" class="headerlink" title="haproxy安装脚本centos7.x"></a>haproxy install script for CentOS 7.x</h1><figure class="hljs highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="shebang">#!/bin/bash</span></span><br><span class="line"><span class="comment">#description: configure and install haproxy software</span></span><br><span class="line"></span><br><span class="line">SOFTDIR=/usr/<span class="built_in">local</span>/src</span><br><span class="line">H_SOFT=<span class="string">"haproxy-1.7.10.tar.gz"</span></span><br><span class="line">H_SOFT_DIR=<span class="string">"haproxy-1.7.10"</span></span><br><span class="line">H_PREFIX=<span class="string">"/usr/local/haproxy"</span></span><br><span class="line">H_CONFIG_DIR=<span class="string">"/etc/haproxy"</span></span><br><span class="line">H_WORK_DIR=<span class="string">"/var/lib/haproxy"</span></span><br><span class="line">USER=<span class="string">"haproxy"</span></span><br><span class="line">GROUP=<span class="string">"haproxy"</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> ! id <span class="variable">$USER</span> &>/dev/null;<span class="keyword">then</span></span><br><span class="line">groupadd -g <span class="number">3320</span> -r <span class="variable">$GROUP</span></span><br><span class="line">useradd -u <span class="number">3320</span> -g <span class="variable">$GROUP</span> -M <span class="operator">-s</span> /sbin/nologin <span class="variable">$USER</span></span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#install haproxy</span></span><br><span class="line">yum groupinstall -y <span class="string">"Development tools"</span></span><br><span class="line"><span class="built_in">cd</span> <span class="variable">$SOFTDIR</span> && [ !
<span class="operator">-f</span> <span class="variable">${H_SOFT}</span> ] && wget https://www.haproxy.org/download/<span class="number">1.7</span>/src/<span class="variable">${H_SOFT}</span></span><br><span class="line">[ ! <span class="operator">-d</span> <span class="variable">${H_SOFT_DIR}</span> ] && tar xf <span class="variable">${H_SOFT}</span></span><br><span class="line"><span class="built_in">cd</span> <span class="variable">${SOFTDIR}</span>/<span class="variable">${H_SOFT_DIR}</span> && make TARGET=linux2628 ARCH=x86_64 PREFIX=<span class="variable">${H_PREFIX}</span> && make install PREFIX=<span class="variable">${H_PREFIX}</span></span><br><span class="line"><span class="keyword">if</span> [ $? <span class="operator">-ne</span> <span class="number">0</span> ];<span class="keyword">then</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">"install haproxy fail"</span></span><br><span class="line"><span class="built_in">exit</span> <span class="number">1</span></span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#create haproxy configure file</span></span><br><span class="line">[ ! <span class="operator">-d</span> <span class="variable">${H_WORK_DIR}</span> ] && mkdir -p <span class="variable">${H_WORK_DIR}</span> && chown -R <span class="variable">${USER}</span>.<span class="variable">${GROUP}</span> <span class="variable">${H_WORK_DIR}</span></span><br><span class="line">[ ! 
<span class="operator">-d</span> <span class="variable">${H_CONFIG_DIR}</span> ] && mkdir -p <span class="variable">${H_CONFIG_DIR}</span></span><br><span class="line">cat > /etc/haproxy/haproxy.cfg <<EOF</span><br><span class="line">global</span><br><span class="line"> <span class="built_in">log</span> <span class="number">127.0</span>.<span class="number">0.1</span> <span class="built_in">local</span>2</span><br><span class="line"> chroot <span class="variable">${H_WORK_DIR}</span></span><br><span class="line"> pidfile /var/run/haproxy.pid</span><br><span class="line"> maxconn <span class="number">4000</span></span><br><span class="line"> user haproxy</span><br><span class="line"> group haproxy</span><br><span class="line"> daemon</span><br><span class="line"> stats socket <span class="variable">${H_WORK_DIR}</span>/stats</span><br><span class="line"></span><br><span class="line">defaults</span><br><span class="line"> mode tcp</span><br><span class="line"> <span class="built_in">log</span> global</span><br><span class="line"> option tcplog</span><br><span class="line"> option dontlognull</span><br><span class="line"> option redispatch</span><br><span class="line"> retries <span class="number">3</span></span><br><span class="line"> timeout queue <span class="number">1</span>m</span><br><span class="line"> timeout connect <span class="number">10</span>s</span><br><span class="line"> timeout client <span class="number">1</span>m</span><br><span class="line"> timeout server <span class="number">1</span>m</span><br><span class="line"> timeout check <span class="number">10</span>s</span><br><span class="line"> maxconn <span class="number">3000</span></span><br><span class="line"></span><br><span class="line">listen stats</span><br><span class="line"><span class="built_in">bind</span> *:<span class="number">10800</span></span><br><span class="line">mode http</span><br><span class="line">option httplog</span><br><span class="line"><span class="built_in">log</span> <span 
class="number">127.0</span>.<span class="number">0.1</span> <span class="built_in">local</span>3</span><br><span class="line">stats refresh <span class="number">30</span>s</span><br><span class="line">stats <span class="built_in">enable</span></span><br><span class="line">stats uri /haproxyadmin?stats</span><br><span class="line">stats realm Haproxy\ Statistics</span><br><span class="line">stats auth Haproxyadmin:Aa123456</span><br><span class="line">stats hide-version</span><br><span class="line">stats admin <span class="keyword">if</span> TRUE</span><br><span class="line"></span><br><span class="line">frontend k8s-https-api</span><br><span class="line"> <span class="built_in">bind</span> *:<span class="number">8443</span></span><br><span class="line"> mode tcp</span><br><span class="line"> option tcplog</span><br><span class="line"> tcp-request inspect-delay <span class="number">5</span>s</span><br><span class="line"> tcp-request content accept <span class="keyword">if</span> { req.ssl_hello_<span class="built_in">type</span> <span class="number">1</span> }</span><br><span class="line"> default_backend k8s-https-api</span><br><span class="line"></span><br><span class="line">backend k8s-https-api</span><br><span class="line"> mode tcp</span><br><span class="line"> option tcplog</span><br><span class="line"> option tcp-check</span><br><span class="line"> balance roundrobin</span><br><span class="line"> default-server inter <span class="number">10</span>s downinter <span class="number">5</span>s rise <span class="number">2</span> fall <span class="number">2</span> slowstart <span class="number">60</span>s maxconn <span class="number">2000</span> maxqueue <span class="number">256</span> weight <span class="number">100</span></span><br><span class="line"> server k8s-https-api-<span class="number">1</span> <span class="number">192.168</span>.<span class="number">1.137</span>:<span class="number">6443</span> check</span><br><span class="line"> server k8s-https-api-<span 
class="number">2</span> <span class="number">192.168</span>.<span class="number">1.138</span>:<span class="number">6443</span> check</span><br><span class="line"></span><br><span class="line">frontend k8s-http-api</span><br><span class="line"> <span class="built_in">bind</span> *:<span class="number">80</span></span><br><span class="line"> mode tcp</span><br><span class="line"> option tcplog</span><br><span class="line"> default_backend k8s-http-api</span><br><span class="line"></span><br><span class="line">backend k8s-http-api</span><br><span class="line"> mode tcp</span><br><span class="line"> option tcplog</span><br><span class="line"> option tcp-check</span><br><span class="line"> balance roundrobin</span><br><span class="line"> default-server inter <span class="number">10</span>s downinter <span class="number">5</span>s rise <span class="number">2</span> fall <span class="number">2</span> slowstart <span class="number">60</span>s maxconn <span class="number">2000</span> maxqueue <span class="number">256</span> weight <span class="number">100</span></span><br><span class="line"> server k8s-http-api-<span class="number">1</span> <span class="number">192.168</span>.<span class="number">1.137</span>:<span class="number">8080</span> check</span><br><span class="line"> server k8s-http-api-<span class="number">2</span> <span class="number">192.168</span>.<span class="number">1.138</span>:<span class="number">8080</span> check</span><br><span class="line">EOF</span><br><span class="line"></span><br><span class="line"><span class="comment">#copy haproxy start script</span></span><br><span class="line"><span class="built_in">cd</span> <span class="variable">${SOFTDIR}</span>/<span class="variable">${H_SOFT_DIR}</span></span><br><span class="line">cp examples/haproxy.init /etc/init.d/haproxy</span><br><span class="line"><span class="built_in">cd</span> /etc/init.d/ && sed -i <span class="string">'s/\/usr\/sbin\/'</span>\<span class="variable">$BASENAME</span><span 
class="string">'/\/usr\/local\/haproxy\/sbin\/'</span>\<span class="variable">$BASENAME</span><span class="string">'/g'</span> haproxy</span><br><span class="line">chmod u+x /etc/init.d/haproxy</span><br><span class="line">chkconfig --add haproxy</span><br><span class="line">chkconfig haproxy on</span><br><span class="line">ln <span class="operator">-s</span> /usr/<span class="built_in">local</span>/haproxy/sbin/haproxy /usr/sbin/haproxy</span><br><span class="line"><span class="comment">#refuse to start if another process is already listening on port 80</span></span><br><span class="line"><span class="keyword">if</span> ss -tnl | grep -qE <span class="string">':80[[:space:]]'</span>;<span class="keyword">then</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">"haproxy start fail,port 80"</span></span><br><span class="line"><span class="built_in">exit</span> <span class="number">1</span></span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">service haproxy start</span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"><span class="comment">#configure log</span></span><br><span class="line">sed -i <span class="string">'s/^#$ModLoad imudp/$ModLoad imudp/g'</span> /etc/rsyslog.conf</span><br><span class="line">sed -i <span class="string">'s/^#$UDPServerRun 514/$UDPServerRun 514/g'</span> /etc/rsyslog.conf</span><br><span class="line"><span class="built_in">echo</span> <span class="string">"local2.* /var/log/haproxy.log"</span> >> /etc/rsyslog.conf</span><br><span class="line"><span class="built_in">echo</span> <span class="string">"local3.* /var/log/haproxy_stats.log"</span> >> /etc/rsyslog.conf</span><br><span class="line">systemctl restart rsyslog</span><br></pre></td></tr></table></figure><p>Notes on the basic configuration<br><figure class="hljs highlight smali"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span
class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span 
class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span 
class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span 
class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br></pre></td><td class="code"><pre><span class="line">global <span class="comment">#全局设置</span></span><br><span class="line"> 
 log 127.0.0.1 local2 <span class="comment"># log output: all logs are recorded on the local host via facility local2</span></span><br><span class="line"> <span class="comment">#log loghost local0 info</span></span><br><span class="line"> maxconn 4096 <span class="comment"># maximum number of connections</span></span><br><span class="line"> chroot /usr/local/haproxy</span><br><span class="line"> uid 99 <span class="comment"># uid of the user the process runs as</span></span><br><span class="line"> gid 99 <span class="comment"># gid of the group the process runs as</span></span><br><span class="line"> group haproxy <span class="comment"># group</span></span><br><span class="line"> daemon <span class="comment"># run haproxy in the background</span></span><br><span class="line"> nbproc 1 <span class="comment"># start 1 haproxy process</span></span><br><span class="line"> pidfile /usr/local/haproxy/haproxy.pid <span class="comment"># write all process PIDs to the pid file</span></span><br><span class="line"> <span class="comment">#debug</span></span><br><span class="line"> <span class="comment">#quiet</span></span><br><span class="line"> </span><br><span class="line">defaults <span class="comment"># default settings</span></span><br><span class="line"> <span class="comment">#log global</span></span><br><span class="line"> log 127.0.0.1 local3 <span class="comment"># where log output is sent</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># default mode: tcp|http|health</span></span><br><span class="line"> mode http <span class="comment"># type of traffic handled; http mode by default</span></span><br><span class="line"> </span><br><span class="line"> option httplog <span class="comment"># log type: use the HTTP log format</span></span><br><span class="line"> option dontlognull</span><br><span class="line"> option forwardfor <span class="comment"># add the client's real IP to an HTTP header for the backend servers to read</span></span><br><span class="line"> option retries 3 <span class="comment"># after three failed connections the server is considered unavailable</span></span><br><span class="line"> option httpclose <span class="comment"># actively close the HTTP channel after each request; haproxy does not support keep-alive and can only emulate it</span></span><br><span class="line"> retries 3 <span 
class="comment"># after 3 failed connections the server is considered unavailable; this relies mainly on the check settings below</span></span><br><span class="line"> option redispatch <span class="comment"># when the server matching the serverid is down, force redirection to another healthy server</span></span><br><span class="line"> option abortonclose <span class="comment"># when server load is high, automatically drop connections that have been waiting in the queue for a long time</span></span><br><span class="line"> maxconn 2000 <span class="comment"># default maximum number of connections</span></span><br><span class="line"> </span><br><span class="line"> timeout connect 5000 <span class="comment"># connection timeout</span></span><br><span class="line"> timeout client 50000 <span class="comment"># client connection timeout</span></span><br><span class="line"> timeout server 50000 <span class="comment"># server-side connection timeout</span></span><br><span class="line"> </span><br><span class="line"> stats enable</span><br><span class="line"> stats uri /haproxy-stats <span class="comment"># URL of the haproxy monitoring page</span></span><br><span class="line"> stats auth test:test123 <span class="comment"># user name and password for the monitoring page</span></span><br><span class="line"> stats hide-version <span class="comment"># hide the HAProxy version on the statistics page</span></span><br><span class="line"> </span><br><span class="line">frontend http-in <span class="comment"># frontend</span></span><br><span class="line"> bind *:81</span><br><span class="line"> mode http</span><br><span class="line"> option httplog</span><br><span class="line"> log global</span><br><span class="line"> default_backend htmpool <span class="comment"># static server pool</span></span><br><span class="line"> </span><br><span class="line">backend htmpool <span class="comment"># backend</span></span><br><span class="line"> balance leastconn <span class="comment"># load-balancing algorithm</span></span><br><span class="line"> option httpchk HEAD /index.html HTTP/1.0 <span class="comment"># health check</span></span><br><span class="line"> server web1 192.168.2.10:80 cookie 1 weight 5<span class="instruction"> check </span>inter 2000 rise 2 fall 3</span><br><span class="line"> server web2 192.168.2.11:80 cookie 2 weight 3<span class="instruction"> check </span>inter 2000 rise 2 fall 3</span><br><span 
class="line"> <span class="comment"># web1/web2: user-defined server alias</span></span><br><span class="line"> <span class="comment"># 192.168.2.10:80: server IP:port</span></span><br><span class="line"> <span class="comment"># cookie 1/2: the serverid</span></span><br><span class="line"> <span class="comment"># weight: server weight; the larger the number, the more requests the server receives</span></span><br><span class="line"> <span class="comment"># check: subject to periodic health checks</span></span><br><span class="line"> <span class="comment"># inter 2000: check interval</span></span><br><span class="line"> <span class="comment"># rise 2: two successful checks mark the server as available</span></span><br><span class="line"> <span class="comment"># fall 3: three failures mark the server as unavailable</span></span><br><span class="line"> </span><br><span class="line">listen w.gdu.me 0.0.0.0:80</span><br><span class="line"> option httpchk GET /index.html</span><br><span class="line"> server s1 192.168.2.10:80 weight 3<span class="instruction"> check</span><br><span class="line"></span> server s3 192.168.2.11:80 weight 3<span class="instruction"> check</span><br><span class="line"></span> </span><br><span class="line"><span class="comment"># HAProxy statistics page</span></span><br><span class="line"><span class="comment"># --------------------------------------------------------------------------------------------</span></span><br><span class="line">listen haproxy_stats</span><br><span class="line"> bind 0.0.0.0:1080 <span class="comment"># listening IP:port</span></span><br><span class="line"> mode http</span><br><span class="line"> log 127.0.0.1 local0 err <span class="comment"># [err|warning|info|debug]</span></span><br><span class="line"> stats refresh 30s</span><br><span class="line"> stats uri /haproxy-stats</span><br><span class="line"> stats realm Haproxy\ Statistics</span><br><span class="line"> stats auth admin:admin</span><br><span class="line"> stats auth test:test</span><br><span class="line"> stats hide-version</span><br><span class="line"> stats admin<span class="instruction"> if </span>TRUE <span 
class="comment"># allow manually enabling/disabling backend servers</span></span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"><span class="comment"># listen section for site health monitoring</span></span><br><span class="line"><span class="comment"># --------------------------------------------------------------------------------------------</span></span><br><span class="line">listen site_status</span><br><span class="line"> bind 0.0.0.0:1081</span><br><span class="line"> mode http</span><br><span class="line"> log 127.0.0.1 local0 err</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># site health-check URI, used to check whether the sites managed by HAProxy are available; returns 200 when healthy and 500 on failure</span></span><br><span class="line"> <span class="instruction"> monitor-uri </span>/site_status</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># define the policy for when the site is down</span></span><br><span class="line"> <span class="comment"># returns true when the number of usable servers in the backend is less than 1</span></span><br><span class="line"> acl site_dead<span class="function"> nbsrv(</span>denali_server<span class="function">)</span> lt 1</span><br><span class="line"> acl site_dead<span class="function"> nbsrv(</span>tm_server<span class="function">)</span> lt 1</span><br><span class="line"> acl site_dead<span class="function"> nbsrv(</span>mms_server<span class="function">)</span> lt 1</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># return HTTP 500 when the policy matches, otherwise HTTP 200</span></span><br><span class="line"> <span class="instruction"> monitor </span>fail<span class="instruction"> if </span>site_dead</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># declare the source network of monitoring requests</span></span><br><span class="line"> <span class="instruction"> monitor-net </span>192.168.0.252/31</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"><span class="comment"># HTTPS configuration</span></span><br><span class="line"><span class="comment"># 
--------------------------------------------------------------------------------------------</span></span><br><span class="line">listen login_https_server</span><br><span class="line"> bind 0.0.0.0:443 <span class="comment"># bind HTTPS port 443</span></span><br><span class="line"> mode tcp <span class="comment"># HTTPS must use tcp mode</span></span><br><span class="line"> log global</span><br><span class="line"> balance roundrobin</span><br><span class="line"> option httpchk GET /member/login.jhtml HTTP/1.1\r\nHost:login.daily.taobao.net</span><br><span class="line"> <span class="comment"># the port used to forward to the server must also be 443</span></span><br><span class="line"> server vm94f.sqa 192.168.212.94:443<span class="instruction"> check </span>port 80 inter 6000 rise 3 fall 3</span><br><span class="line"> server <span class="variable">v215120</span>.sqa 192.168.215.120:443<span class="instruction"> check </span>port 80 inter 6000 rise 3 fall 3</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"><span class="comment"># frontend configuration</span></span><br><span class="line"><span class="comment"># --------------------------------------------------------------------------------------------</span></span><br><span class="line">frontend http_80_in</span><br><span class="line"> bind 0.0.0.0:80 <span class="comment"># listening port</span></span><br><span class="line"> mode http <span class="comment"># HTTP layer-7 mode</span></span><br><span class="line"> log global <span class="comment"># use the global log configuration</span></span><br><span class="line"> option httplog <span class="comment"># enable HTTP logging</span></span><br><span class="line"> option httpclose <span class="comment"># actively close the HTTP channel after each request; HA-Proxy does not support keep-alive mode</span></span><br><span class="line"> option forwardfor <span class="comment"># required if the backend servers need the client's real IP, which can then be read from the HTTP header</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># what HAProxy records in its logs</span></span><br><span class="line"> capture request header Host len 
40 <span class="comment"># host name in the request</span></span><br><span class="line"> capture request header Content-Length len 10 <span class="comment"># content length in the request</span></span><br><span class="line"> capture request header Referer len 200 <span class="comment"># referer in the request</span></span><br><span class="line"> capture response header Server len 40 <span class="comment"># server name in the response</span></span><br><span class="line"> capture response header Content-Length len 10 <span class="comment"># content length in the response (can be combined with option logasap)</span></span><br><span class="line"> capture response header Cache-Control len 8 <span class="comment"># cache control in the response</span></span><br><span class="line"> capture response header Location len 20 <span class="comment"># redirect location in the response</span></span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"> <span class="comment"># ACL rule definitions</span></span><br><span class="line"> <span class="comment">#-------------------------------------------------</span></span><br><span class="line"> <span class="function"> # returns true if the requested domain matches the regular expression (</span>-i: ignore case<span class="function">)</span></span><br><span class="line"> acl denali_policy<span class="function"> hdr_reg(</span>host<span class="function">)</span> -i<span class="function"> ^(</span>www.gemini.taobao.net|my.gemini.taobao.net|auction1.gemini.taobao.net<span class="function">)</span>$</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># returns true if the requested domain matches trade.gemini.taobao.net</span></span><br><span class="line"> acl tm_policy<span class="function"> hdr_dom(</span>host<span class="function">)</span> -i trade.gemini.taobao.net</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># returns true if the request URL contains sip_apiname=, otherwise false</span></span><br><span class="line"> acl invalid_req url_sub -i sip_apiname=</span><br><span class="line"> </span><br><span class="line"> <span 
class="comment"># returns true if timetask appears as a path component of the request URL, otherwise false</span></span><br><span class="line"> acl timetask_req url_dir -i timetask</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># returns true when the request header Content-length equals 0</span></span><br><span class="line"> acl missing_cl<span class="function"> hdr_cnt(</span>Content-length<span class="function">)</span> eq 0</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"> <span class="comment"># actions taken when ACL rules match</span></span><br><span class="line"> <span class="comment">#-------------------------------------------------</span></span><br><span class="line"> <span class="comment"># block the request and return 403 when the request header Content-length equals 0</span></span><br><span class="line"> <span class="comment"># block rejects the request and returns a 403 error</span></span><br><span class="line"> block<span class="instruction"> if </span>missing_cl</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># block the request if invalid_req does not match or timetask_req matches</span></span><br><span class="line"> block<span class="instruction"> if </span>!invalid_req || timetask_req</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># use the denali_server backend when denali_policy matches</span></span><br><span class="line"> use_backend denali_server<span class="instruction"> if </span>denali_policy</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># use the tm_server backend when tm_policy matches</span></span><br><span class="line"> use_backend tm_server<span class="instruction"> if </span>tm_policy</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># reqisetbe keyword rules: choose the backend according to the defined pattern</span></span><br><span class="line"> reqisetbe ^Host:\ img dynamic</span><br><span class="line"> reqisetbe ^<span class="keyword">[</span>^\ ]*\<span class="function"> /(</span>img|css<span class="function">)</span>/ dynamic</span><br><span class="line"> reqisetbe ^<span 
class="keyword">[</span>^\ ]*\ /admin/stats stats</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># use the default mms_server backend when none of the above match</span></span><br><span class="line"> default_backend mms_server</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># HAProxy error page settings</span></span><br><span class="line"> errorfile 400 /home/admin/haproxy/errorfiles/400.http</span><br><span class="line"> errorfile 403 /home/admin/haproxy/errorfiles/403.http</span><br><span class="line"> errorfile 408 /home/admin/haproxy/errorfiles/408.http</span><br><span class="line"> errorfile 500 /home/admin/haproxy/errorfiles/500.http</span><br><span class="line"> errorfile 502 /home/admin/haproxy/errorfiles/502.http</span><br><span class="line"> errorfile 503 /home/admin/haproxy/errorfiles/503.http</span><br><span class="line"> errorfile 504 /home/admin/haproxy/errorfiles/504.http</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"><span class="comment"># backend settings</span></span><br><span class="line"><span class="comment"># --------------------------------------------------------------------------------------------</span></span><br><span class="line">backend mms_server</span><br><span class="line"> mode http <span class="comment"># HTTP layer-7 mode</span></span><br><span class="line"> balance roundrobin <span class="comment"># load-balancing method: roundrobin distributes evenly</span></span><br><span class="line"> cookie SERVERID <span class="comment"># allow inserting the serverid into a cookie; the serverid can be defined below</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># heartbeat-check URL; HTTP/1.1\r\nHost:XXXX specifies the HTTP version of the heartbeat check, and XXXX is the domain name</span></span><br><span class="line"> <span class="comment"># sent in the check request to the server; set it when the feature behind the application's check URL depends on the domain name</span></span><br><span class="line"> option httpchk GET /member/login.jhtml HTTP/1.1\r\nHost:member1.gemini.taobao.net</span><br><span class="line"> </span><br><span class="line"> <span 
class="comment"># server definitions: cookie 1 means the serverid is 1; check inter 1500 is the heartbeat check interval</span></span><br><span class="line"> <span class="comment"># rise 3: 3 successful checks mark the server as available; fall 3: 3 failures mark it as unavailable; weight is the server weight</span></span><br><span class="line"> server mms1 10.1.5.134:80 cookie 1<span class="instruction"> check </span>inter 1500 rise 3 fall 3 weight 1</span><br><span class="line"> server mms2 10.1.6.118:80 cookie 2<span class="instruction"> check </span>inter 1500 rise 3 fall 3 weight 2</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line">backend denali_server</span><br><span class="line"> mode http</span><br><span class="line"> balance source <span class="comment"># load-balancing method: source hashes on the client IP</span></span><br><span class="line"> option allbackups <span class="comment"># when backups are configured, the first backup takes priority by default; with option allbackups all backup servers are weighted equally</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># heartbeat-check URL</span></span><br><span class="line"> option httpchk GET /mytaobao/home/my_taobao.jhtml HTTP/1.1\r\nHost:my.gemini.taobao.net</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># connection limits can be set per machine according to its capacity, e.g. minconn 10 maxconn 20</span></span><br><span class="line"> server denlai1 10.1.5.114:80 minconn 4 maxconn 12<span class="instruction"> check </span>inter 1500 rise 3 fall 3</span><br><span class="line"> server denlai2 10.1.6.104:80 minconn 10 maxconn 20<span class="instruction"> check </span>inter 1500 rise 3 fall 3</span><br><span class="line"> <span class="comment"># backup servers: not used under normal conditions; enabled when all primary servers are down</span></span><br><span class="line"> server dnali-back1 10.1.7.114:80<span class="instruction"> check </span>backup inter 1500 rise 3 fall 3</span><br><span class="line"> server dnali-back2 10.1.7.114:80<span class="instruction"> check </span>backup inter 1500 rise 3 fall 3</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line">backend tm_server</span><br><span 
class="line"> mode http</span><br><span class="line"> balance leastconn <span class="comment"># load-balancing method: leastconn picks the server with the fewest current requests</span></span><br><span class="line"> option httpchk GET /trade/itemlist/prepayCard.htm HTTP/1.1\r\nHost:trade.gemini.taobao.net</span><br><span class="line"> server tm1 10.1.5.115:80<span class="instruction"> check </span>inter 1500 rise 3 fall 3</span><br><span class="line"> server tm2 10.1.6.105:80<span class="instruction"> check </span>inter 1500 rise 3 fall 3</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"><span class="comment"># backends selected by the reqisetbe patterns</span></span><br><span class="line">backend dynamic</span><br><span class="line"> mode http</span><br><span class="line"> balance source</span><br><span class="line"> option httpchk GET /welcome.html </span><br><span class="line"> server denlai1 10.3.5.114:80<span class="instruction"> check </span>inter 1500 rise 3 fall 3</span><br><span class="line"> server denlai2 10.4.6.104:80<span class="instruction"> check </span>inter 1500 rise 3 fall 3</span><br><span class="line"> </span><br><span class="line">backend stats</span><br><span class="line"> mode http</span><br><span class="line"> balance source</span><br><span class="line"> option httpchk GET /welcome.html </span><br><span class="line"> server denlai1 10.5.5.114:80<span class="instruction"> check </span>inter 1500 rise 3 fall 3</span><br><span class="line"> server denlai2 10.6.6.104:80<span class="instruction"> check </span>inter 1500 rise 3 fall 3</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<h1 id="haproxy_u5B89_u88C5_u811A_u672Ccentos7-x"><a href="#haproxy_u5B89_u88C5_u811A_u672Ccentos7-x" class="headerlink" title="haproxy安装脚本c
</summary>
</entry>
<entry>
<title>Monitoring JMX with Prometheus on Kubernetes</title>
<link href="http://www.idcsec.com/2019/01/21/kubernetes-prometheus%E7%9B%91%E6%8E%A7JMX/"/>
<id>http://www.idcsec.com/2019/01/21/kubernetes-prometheus监控JMX/</id>
<published>2019-01-21T02:11:43.000Z</published>
<updated>2019-01-23T06:43:08.843Z</updated>
<content type="html"><![CDATA[<p>javaagent <a href="https://github.com/prometheus/jmx_exporter" target="_blank" rel="external">https://github.com/prometheus/jmx_exporter</a></p><h1 id="u4E0B_u8F7Djavaagent_uFF1A"><a href="#u4E0B_u8F7Djavaagent_uFF1A" class="headerlink" title="Download the javaagent:"></a>Download the javaagent:</h1><p><a href="https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.3.1/jmx_prometheus_javaagent-0.3.1.jar" target="_blank" rel="external">https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.3.1/jmx_prometheus_javaagent-0.3.1.jar</a></p>
<p>Monitoring the JVM on Kubernetes<br>Each application uses the javaagent to expose its own JMX information through an HTTP service. Through Kubernetes service discovery, Prometheus can add the application to its list of monitored targets, collect data from it and track the state of the service. To run the exporter, add the JVM argument -javaagent:jmx_prometheus_javaagent-0.3.1.jar=9180:config.yaml. Here 9180 is the exposed port and config.yaml is the path to the configuration file. To collect the metrics, request <a href="http://host:9180/metrics" target="_blank" rel="external">http://host:9180/metrics</a>.<br><figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line">annotations:</span><br><span class="line">  prometheus.io/scrape: <span class="string">"true"</span></span><br><span class="line">  prometheus.io/port: <span class="string">"9180"</span></span><br><span class="line">  prometheus.io/path: /metrics</span><br></pre></td></tr></table></figure></p>
<p>spec.template.metadata.annotations.prometheus.io/scrape: whether the pod is a discovery target<br>spec.template.metadata.annotations.prometheus.io/port: port of the discovered target<br>spec.template.metadata.annotations.prometheus.io/path: path of the discovered target</p>
<p>Create a ConfigMap<br><figure class="hljs highlight"><table><tr><td class="code"><pre><span class="line">kubectl create cm prometheus-jmx-exporter-config --from-file=./config.yaml</span><br><span class="line">kubectl apply -f tomcat-monitoring-demo.yaml</span><br><span class="line">[root@centos-master jvm-exporter]<span class="preprocessor"># kubectl get pod | grep demo </span></span><br><span class="line">tomcat-monitoring-demo-<span class="number">1780394632</span>-c96hz <span class="number">1</span>/<span class="number">1</span> Running <span class="number">0</span> <span class="number">1</span>h</span><br><span class="line">tomcat-monitoring-demo-<span class="number">1780394632</span>-sk09b <span class="number">1</span>/<span class="number">1</span> Running <span class="number">0</span> <span class="number">1</span>h</span><br></pre></td></tr></table></figure></p>
<p>Put the javaagent on NFS; if there is no NFS, consider adding it to the base image or adding it in the Dockerfile.<br>In Grafana, add the dashboard with id 7727.</p>
<p>Add the following to the Prometheus configuration file<br><figure class="hljs highlight haml"><table><tr><td class="code"><pre><span class="line">-<span class="ruby"> <span class="symbol">job_name:</span> <span class="string">'kubernetes-pods'</span></span><br><span class="line"></span>  kubernetes_sd_configs:</span><br><span class="line">  -<span class="ruby"> <span class="symbol">role:</span> pod</span><br><span class="line"></span>  relabel_configs:</span><br><span class="line">  -<span class="ruby"> <span class="symbol">source_labels:</span> [__meta_kubernetes_pod_annotation_prometheus_io_scrape]</span><br><span class="line"></span>    action: keep</span><br><span class="line">    regex: true</span><br><span class="line">  -<span class="ruby"> <span class="symbol">source_labels:</span> [__meta_kubernetes_pod_annotation_prometheus_io_path]</span><br><span class="line"></span>    action: replace</span><br><span class="line">    target_label: __metrics_path__</span><br><span class="line">    regex: (.+)</span><br><span class="line">  -<span class="ruby"> <span class="symbol">source_labels:</span> [__address_<span class="number">_</span>, __meta_kubernetes_pod_annotation_prometheus_io_port]</span><br><span class="line"></span>    action: replace</span><br><span class="line">    regex: ([^:]+)(?::\d+)?;(\d+)</span><br><span class="line">    replacement: $1:$2</span><br><span class="line">    target_label: __address__</span><br><span class="line">  -<span class="ruby"> <span class="symbol">action:</span> labelmap</span><br><span class="line"></span>    regex: __meta_kubernetes_pod_label_(.+)</span><br><span class="line">  -<span class="ruby"> <span class="symbol">source_labels:</span> [__meta_kubernetes_namespace]</span><br><span class="line"></span>    action: replace</span><br><span class="line">    target_label: kubernetes_namespace</span><br><span class="line">  -<span class="ruby"> <span class="symbol">source_labels:</span> [__meta_kubernetes_pod_name]</span><br><span class="line"></span>    action: replace</span><br><span class="line">    target_label: kubernetes_pod_name</span><br></pre></td></tr></table></figure></p>
<p>Testing with Docker<br><figure class="hljs highlight"><table><tr><td class="code"><pre><span class="line">docker run -d --name tomcat-jmx -v ~/jvm-exporter:/jmx-exporter -e CATALINA_OPTS="-Xms1G -Xmx1G -javaagent:/jmx-exporter/jmx_prometheus_javaagent-0.3.1.jar=6060:/jmx-exporter/config.yml" -p 6060:6060 -p 9090:8080 tomcat:latest</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<p>javaagent <a href="https://github.com/prometheus/jmx_exporter" target="_blank" rel="external">https://github.com/prometheus/jmx_exporter<
</summary>
</entry>
<entry>
<title>Kubernetes pod resource limits</title>
<link href="http://www.idcsec.com/2019/01/21/kubernetes-pod%E8%B5%84%E6%BA%90%E9%99%90%E5%88%B6/"/>
<id>http://www.idcsec.com/2019/01/21/kubernetes-pod资源限制/</id>
<published>2019-01-21T02:09:32.000Z</published>
<updated>2019-01-23T06:19:22.126Z</updated>
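<content type="html"><![CDATA[<p>Resource limits on a namespace are configured in two ways: ResourceQuota and LimitRange.</p>
<h1 id="u8D44_u6E90_u9650_u989D_uFF08Resource_Quota_uFF09"><a href="#u8D44_u6E90_u9650_u989D_uFF08Resource_Quota_uFF09" class="headerlink" title="Resource Quota"></a>Resource Quota</h1>
<p>A resource quota provides an overall limit on resource usage for each namespace: it caps the total number of resource objects of a given type in the namespace, and it caps the total compute resources that pods can use.<br>Create a namespace named dev<br><a id="more"></a><br><code>kubectl create namespace dev</code><br>Create the manifest file for the ResourceQuota object<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">cat quota-mem-cpu.yaml</span><br><span class="line">apiVersion: v1</span><br><span class="line">kind: ResourceQuota</span><br><span class="line">metadata:</span><br><span class="line">  name: mem-cpu-demo</span><br><span class="line">spec:</span><br><span class="line">  hard:</span><br><span class="line">    requests.cpu: "2"</span><br><span class="line">    requests.memory: 2Gi</span><br><span class="line">    limits.cpu: "4"</span><br><span class="line">    limits.memory: 4Gi</span><br></pre></td></tr></table></figure></p>
<p>Create the ResourceQuota object<br><figure class="hljs highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">kubectl apply -f quota-mem-cpu<span class="class">.yaml</span> -n dev</span><br></pre></td></tr></table></figure></p>
<p>Create a pod to test it<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">cat pod-quota-mem-cpu.yaml</span><br><span class="line">apiVersion: v1</span><br><span class="line">kind: Pod</span><br><span class="line">metadata:</span><br><span class="line">  name: quota-mem-cpu-demo</span><br><span class="line">spec:</span><br><span class="line">  containers:</span><br><span class="line">  - name: quota-mem-cpu-demo-ctr</span><br><span class="line">    image: nginx</span><br><span class="line">    resources:</span><br><span class="line">      limits:</span><br><span class="line">        memory: "800Mi"</span><br><span class="line">        cpu: "800m"</span><br><span class="line">      requests:</span><br><span class="line">        memory: "600Mi"</span><br><span class="line">        cpu: "400m"</span><br></pre></td></tr></table></figure></p>
<figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">$ kubectl describe resourcequota mem-cpu-demo -n dev quota-mem-cpu</span><br><span class="line">Name:       mem-cpu-demo</span><br><span class="line">Namespace:  dev</span><br><span class="line">Resource         Used   Hard</span><br><span class="line">--------         ----   ----</span><br><span class="line">limits.cpu       800m   4</span><br><span class="line">limits.memory    800Mi  4Gi</span><br><span class="line">requests.cpu     400m   2</span><br><span class="line">requests.memory  600Mi  2Gi</span><br></pre></td></tr></table></figure>
<p>When a resource quota is enabled, a user creating a pod must specify requests or limits for CPU and memory; otherwise creation fails.</p>
<h1 id="LimitRange_u914D_u7F6E_u9ED8_u8BA4CPU_u548C_u5185_u5B58"><a href="#LimitRange_u914D_u7F6E_u9ED8_u8BA4CPU_u548C_u5185_u5B58" class="headerlink" title="Configuring default CPU and memory with LimitRange"></a>Configuring default CPU and memory with LimitRange</h1>
<p>A LimitRange covers two things: default requests and limits, and size constraints. If a container is created in a namespace that has a default memory limit and the container does not specify its own memory limit, it is assigned that default memory limit.<br>The following is the configuration file for a LimitRange object. It specifies a default memory request and a default memory limit.<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">cat /root/quota-mem-cpu/limit-range.yaml</span><br><span class="line">apiVersion: v1</span><br><span class="line">kind: LimitRange</span><br><span class="line">metadata:</span><br><span class="line">  name: mem-cpu-limit-range</span><br><span class="line">spec:</span><br><span class="line">  limits:</span><br><span class="line">  - default:</span><br><span class="line">      memory: 4Gi</span><br><span class="line">      cpu: 4</span><br><span class="line">    defaultRequest:</span><br><span class="line">      memory: 4Gi</span><br><span class="line">      cpu: 2</span><br><span class="line">    type: Container</span><br></pre></td></tr></table></figure></p>
<p>Configuration file that restricts the maximum and minimum usable values; the pod LimitRange must be configured within the maximum resource range.<br><figure class="hljs highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">apiVersion: v1</span><br><span class="line">kind: LimitRange</span><br><span class="line">metadata:</span><br><span class="line">  name: cpu-min-max-demo-lr</span><br><span class="line">spec:</span><br><span class="line">  limits:</span><br><span class="line">  - max:</span><br><span class="line">      cpu: "4"</span><br><span class="line">    min:</span><br><span class="line">      cpu: "2"</span><br><span class="line">    type: Container</span><br></pre></td></tr></table></figure></p>
<h1 id="u6D4B_u8BD5"><a href="#u6D4B_u8BD5" class="headerlink" title="Testing"></a>Testing</h1>
<p>Create a Pod that tries to allocate more memory than its limit. In the Pod configuration below, the pod requests 50M of memory and its memory limit is set to 100M. In the args section of the configuration file you can see that the container tries to allocate 250M of memory, which exceeds the 100M limit.<br><figure class="hljs highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span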
class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">apiVersion</span>: v1</span><br><span class="line"><span class="attribute">kind</span>: Pod</span><br><span class="line"><span class="attribute">metadata</span>:</span><br><span class="line"> <span class="attribute">name</span>: memory-limits-demo</span><br><span class="line"><span class="attribute">spec</span>:</span><br><span class="line"> <span class="attribute">containers</span>:</span><br><span class="line"> - <span class="attribute">name</span>: memory-demo-<span class="number">2</span>-ctr</span><br><span class="line"> <span class="attribute">image</span>: vish/stress</span><br><span class="line"> <span class="attribute">resources</span>:</span><br><span class="line"> <span class="attribute">requests</span>:</span><br><span class="line"> <span class="attribute">memory</span>: <span class="number">50</span>Mi</span><br><span class="line"> <span class="attribute">limits</span>:</span><br><span class="line"> <span class="attribute">memory</span>: <span class="string">"100Mi"</span></span><br><span class="line"> <span class="attribute">args</span>:</span><br><span class="line"> - -mem-total</span><br><span class="line"> - <span class="number">250</span>Mi</span><br><span class="line"> - -mem-alloc-size</span><br><span class="line"> - <span class="number">10</span>Mi</span><br><span class="line"> - -mem-alloc-sleep</span><br><span class="line"> - <span class="number">1s</span></span><br></pre></td></tr></table></figure></p><p>memory-limits-demo 0/1 OOMKilled 6</p>]]></content>
<summary type="html">
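<p>Resource limits on a namespace are configured in two ways: ResourceQuota and LimitRange.</p>
<h1 id="u8D44_u6E90_u9650_u989D_uFF08Resource_Quota_uFF09"><a href="#u8D44_u6E90_u9650_u989D_uFF08Resource_Quota_uFF09" class="headerlink" title="Resource Quota"></a>Resource Quota</h1><p>A resource quota provides an overall limit on resource usage for each namespace: it caps the total number of resource objects of a given type in the namespace, and it caps the total compute resources that pods can use.<br>Create a namespace named dev<br>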
</summary>
</entry>
<entry>
<title>Kubernetes apiserver high availability</title>
<link href="http://www.idcsec.com/2019/01/20/kubernetes-apiserver%E9%AB%98%E5%8F%AF%E7%94%A8/"/>
<id>http://www.idcsec.com/2019/01/20/kubernetes-apiserver高可用/</id>
<published>2019-01-20T15:14:51.000Z</published>
<updated>2019-01-24T07:39:47.116Z</updated>
<content type="html"><![CDATA[<h1 id="u5B89_u88C5Haproxy_keepalived"><a href="#u5B89_u88C5Haproxy_keepalived" class="headerlink" title="Install Haproxy and keepalived"></a>Install Haproxy and keepalived</h1><p>Both HA nodes use the same haproxy configuration<br><figure class="hljs highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span
class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br></pre></td><td class="code"><pre><span class="line">$ yum <span class="operator"><span class="keyword">install</span> -y haproxy</span><br><span class="line">$ cat /etc/haproxy/haproxy.cfg</span><br><span class="line"><span class="keyword">global</span></span><br><span class="line"> <span class="keyword">log</span> <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> local2</span><br><span class="line"> chroot /<span class="keyword">var</span>/lib/haproxy</span><br><span class="line"> pidfile /<span class="keyword">var</span>/run/haproxy.pid</span><br><span class="line"> maxconn <span class="number">4000</span></span><br><span class="line"> <span class="keyword">user</span> haproxy</span><br><span class="line"> <span class="keyword">group</span> haproxy</span><br><span class="line"> daemon</span><br><span class="line"> stats socket /<span class="keyword">var</span>/lib/haproxy/stats</span><br><span class="line"></span><br><span class="line"><span class="keyword">defaults</span></span><br><span class="line"> <span class="keyword">mode</span> tcp</span><br><span class="line"> <span class="keyword">log</span> <span class="keyword">global</span></span><br><span class="line"> <span class="keyword">option</span> tcplog</span><br><span class="line"> <span class="keyword">option</span> dontlognull</span><br><span class="line"> <span class="keyword">option</span> redispatch</span><br><span class="line"> retries <span class="number">3</span></span><br><span class="line"> <span
class="keyword">timeout</span> queue <span class="number">1</span><span class="keyword">m</span></span><br><span class="line"> <span class="keyword">timeout</span> <span class="keyword">connect</span> <span class="number">10</span>s</span><br><span class="line"> <span class="keyword">timeout</span> <span class="keyword">client</span> <span class="number">1</span><span class="keyword">m</span></span><br><span class="line"> <span class="keyword">timeout</span> <span class="keyword">server</span> <span class="number">1</span><span class="keyword">m</span></span><br><span class="line"> <span class="keyword">timeout</span> <span class="keyword">check</span> <span class="number">10</span>s</span><br><span class="line"> maxconn <span class="number">3000</span></span><br><span class="line">listen stats</span><br><span class="line"> bind *:<span class="number">9000</span></span><br><span class="line"> <span class="keyword">mode</span> <span class="keyword">http</span></span><br><span class="line"> stats <span class="keyword">enable</span></span><br><span class="line"> stats hide-<span class="keyword">version</span></span><br><span class="line"> stats uri /stats</span><br><span class="line"> stats <span class="keyword">refresh</span> <span class="number">30</span>s</span><br><span class="line"> stats realm Haproxy\ <span class="keyword">Statistics</span></span><br><span class="line"> stats auth <span class="keyword">Admin</span>:<span class="keyword">Password</span></span><br><span class="line"></span><br><span class="line">frontend <span class="keyword">in</span>-apiserver-cluster</span><br><span class="line"> bind *:<span class="number">8443</span></span><br><span class="line"> <span class="keyword">mode</span> tcp</span><br><span class="line"> <span class="keyword">option</span> tcplog</span><br><span class="line"> tcp-request inspect-delay <span class="number">5</span>s</span><br><span class="line"> tcp-request <span class="keyword">content</span> <span 
class="keyword">accept</span> <span class="keyword">if</span> { req.ssl_hello_type <span class="number">1</span> }</span><br><span class="line"> default_backend https-apiserver-cluster</span><br><span class="line"></span><br><span class="line">backend https-apiserver-cluster</span><br><span class="line"> <span class="keyword">mode</span> tcp</span><br><span class="line"> <span class="keyword">option</span> tcplog</span><br><span class="line"> <span class="keyword">option</span> httpchk <span class="keyword">GET</span> /healthz</span><br><span class="line"> balance roundrobin</span><br><span class="line"> <span class="keyword">default</span>-<span class="keyword">server</span> inter <span class="number">10</span>s downinter <span class="number">5</span>s rise <span class="number">2</span> fall <span class="number">2</span> slowstart <span class="number">60</span>s maxconn <span class="number">2000</span> maxqueue <span class="number">256</span> weight <span class="number">100</span></span><br><span class="line"> <span class="keyword">server</span> k8s-https-api-<span class="number">1</span> <span class="number">192.168</span><span class="number">.1</span><span class="number">.137</span>:<span class="number">6443</span> <span class="keyword">check</span> <span class="keyword">check</span>-ssl <span class="keyword">verify</span> <span class="keyword">none</span></span><br><span class="line"> <span class="keyword">server</span> k8s-https-api-<span class="number">2</span> <span class="number">192.168</span><span class="number">.1</span><span class="number">.138</span>:<span class="number">6443</span> <span class="keyword">check</span> <span class="keyword">check</span>-ssl <span class="keyword">verify</span> <span class="keyword">none</span></span><br><span class="line"></span><br><span class="line">#frontend k8s-<span class="keyword">http</span>-api</span><br><span class="line"># bind *:<span class="number">80</span></span><br><span class="line"># <span 
class="keyword">mode</span> tcp</span><br><span class="line"># <span class="keyword">option</span> tcplog</span><br><span class="line"># default_backend k8s-<span class="keyword">http</span>-api</span><br><span class="line"></span><br><span class="line">#backend k8s-<span class="keyword">http</span>-api</span><br><span class="line"># <span class="keyword">mode</span> tcp</span><br><span class="line"># <span class="keyword">option</span> tcplog</span><br><span class="line"># <span class="keyword">option</span> tcp-<span class="keyword">check</span></span><br><span class="line"># balance roundrobin</span><br><span class="line"># <span class="keyword">default</span>-<span class="keyword">server</span> inter <span class="number">10</span>s downinter <span class="number">5</span>s rise <span class="number">2</span> fall <span class="number">2</span> slowstart <span class="number">60</span>s maxconn <span class="number">2000</span> maxqueue <span class="number">256</span> weight <span class="number">100</span></span><br><span class="line"># <span class="keyword">server</span> k8s-<span class="keyword">http</span>-api-<span class="number">1</span> <span class="number">192.168</span><span class="number">.1</span><span class="number">.137</span>:<span class="number">8080</span> <span class="keyword">check</span></span><br><span class="line"># <span class="keyword">server</span> k8s-<span class="keyword">http</span>-api-<span class="number">2</span> <span class="number">192.168</span><span class="number">.1</span><span class="number">.138</span>:<span class="number">8080</span> <span class="keyword">check</span></span></span><br></pre></td></tr></table></figure></p><figure class="hljs highlight crystal"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Start haproxy</span><br><span class="line"><span class="variable">$
</span>sudo systemctl start haproxy</span><br><span class="line"><span class="variable">$ </span>sudo systemctl enable haproxy</span><br><span class="line"><span class="variable">$ </span>sudo systemctl status haproxy</span><br></pre></td></tr></table></figure><h1 id="keepalived_u5B89_u88C5"><a href="#keepalived_u5B89_u88C5" class="headerlink" title="Install keepalived"></a>Install keepalived</h1><figure class="hljs highlight nimrod"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">Enable IP forwarding; here we define the virtual <span class="type">IP</span> as: <span class="number">192</span>.<span class="number">168</span>.<span class="number">1</span>.<span class="number">100</span></span><br><span class="line">$ vi /etc/sysctl.conf</span><br><span class="line"><span class="comment"># Add the following</span></span><br><span class="line">net.ipv4.ip_forward = <span class="number">1</span></span><br><span class="line">net.ipv4.ip_nonlocal_bind = <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Validate and apply</span></span><br><span class="line">$ sysctl -p</span><br><span class="line"><span class="comment"># Verify that it took effect</span></span><br><span class="line">$ cat /<span class="keyword">proc</span>/sys/net/ipv4/ip_forward</span><br><span class="line"><span class="number">1</span></span><br><span class="line"> yum install -y keepalived</span><br></pre></td></tr></table></figure><p>Set masterA as Master and masterB as Backup, then modify the configuration:<br><figure class="hljs highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span 
class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br></pre></td><td class="code"><pre><span class="line">vi /etc/keepalived/keepalived.conf</span><br><span class="line">! Configuration File <span class="keyword">for</span> keepalived</span><br><span class="line"></span><br><span class="line">global_defs {</span><br><span class="line"> notification_email {</span><br><span class="line"> }</span><br><span class="line"> router_id kube_api</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">vrrp_script check_apiserver {</span><br><span class="line"> script <span class="string">"curl -o /dev/null -s -w %{http_code} -k https://192.168.1.4:6443"</span></span><br><span class="line"> interval <span class="number">3</span></span><br><span class="line"> timeout <span class="number">3</span></span><br><span class="line"> fall <span class="number">2</span></span><br><span class="line"> rise <span class="number">2</span></span><br><span class="line">} </span><br><span class="line"></span><br><span class="line">vrrp_instance haproxy-vip {</span><br><span class="line"> <span class="preprocessor"># Use unicast communication; the default is multicast</span></span><br><span class="line"> unicast_src_ip <span class="number">192.168</span><span class="number">.1</span><span class="number">.4</span></span><br><span class="line"> unicast_peer {</span><br><span class="line"> <span class="number">192.168</span><span class="number">.1</span><span class="number">.5</span></span><br><span class="line"> }</span><br><span class="line"> <span class="preprocessor"># Initial state</span></span><br><span class="line"> state MASTER</span><br><span class="line"> <span
class="preprocessor"># NIC the virtual IP is bound to (choose the interface that matches your own environment)</span></span><br><span class="line"> interface eth0</span><br><span class="line"> <span class="preprocessor"># This ID must match the Backup configuration</span></span><br><span class="line"> virtual_router_id <span class="number">51</span></span><br><span class="line"> <span class="preprocessor"># Default startup priority; slightly higher than Backup, but keep the difference small so that the node's own health check can take effect</span></span><br><span class="line"> priority <span class="number">100</span></span><br><span class="line"> advert_int <span class="number">1</span></span><br><span class="line"> authentication {</span><br><span class="line"> auth_type PASS</span><br><span class="line"> auth_pass <span class="number">1111</span></span><br><span class="line"> }</span><br><span class="line"> virtual_ipaddress {</span><br><span class="line"> <span class="preprocessor"># Virtual IP address</span></span><br><span class="line"> <span class="number">192.168</span><span class="number">.1</span><span class="number">.100</span></span><br><span class="line"> }</span><br><span class="line"> track_script {</span><br><span class="line"> check_apiserver</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">virtual_server <span class="number">192.168</span><span class="number">.1</span><span class="number">.100</span> <span class="number">80</span> {</span><br><span class="line"> delay_loop <span class="number">5</span></span><br><span class="line"> lvs_sched wlc</span><br><span class="line"> lvs_method NAT</span><br><span class="line"> persistence_timeout <span class="number">1800</span></span><br><span class="line"> protocol TCP</span><br><span class="line"></span><br><span class="line"> real_server <span class="number">192.168</span><span class="number">.1</span><span class="number">.4</span> <span class="number">8080</span> {</span><br><span class="line"> weight <span class="number">1</span></span><br><span class="line"> TCP_CHECK {</span><br><span class="line"> connect_port <span
class="number">8080</span></span><br><span class="line"> connect_timeout <span class="number">3</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">virtual_server <span class="number">192.168</span><span class="number">.1</span><span class="number">.100</span> <span class="number">8443</span> {</span><br><span class="line"> delay_loop <span class="number">5</span></span><br><span class="line"> lvs_sched wlc</span><br><span class="line"> lvs_method NAT</span><br><span class="line"> persistence_timeout <span class="number">1800</span></span><br><span class="line"> protocol TCP</span><br><span class="line"></span><br><span class="line"> real_server <span class="number">192.168</span><span class="number">.1</span><span class="number">.4</span> <span class="number">6443</span> {</span><br><span class="line"> weight <span class="number">1</span></span><br><span class="line"> TCP_CHECK {</span><br><span class="line"> connect_port <span class="number">6443</span></span><br><span class="line"> connect_timeout <span class="number">3</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>Alternatively, use a health check script<br><figure class="hljs highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">haproxy check script: /etc/keepalived/haproxy_check.sh</span><br><span class="line"><span class="shebang">#!/bin/bash</span></span><br><span class="line"><span class="keyword">if</span> [ `ps -C haproxy --no-header |wc <span class="operator">-l</span>` <span class="operator">-eq</span> <span
class="number">0</span> ] ; <span class="keyword">then</span></span><br><span class="line"> docker restart k8s-haproxy</span><br><span class="line"> sleep <span class="number">2</span></span><br><span class="line"> <span class="keyword">if</span> [ `ps -C haproxy --no-header |wc <span class="operator">-l</span>` <span class="operator">-eq</span> <span class="number">0</span> ] ; <span class="keyword">then</span></span><br><span class="line"> service keepalived stop</span><br><span class="line"> <span class="keyword">fi</span></span><br><span class="line"><span class="keyword">fi</span></span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<h1 id="u5B89_u88C5Haproxy_keepalived"><a href="#u5B89_u88C5Haproxy_keepalived" class="headerlink" title="Install Haproxy and keepalived"></a>Install Haprox
</summary>
</entry>
<entry>
<title>EFK + Filebeat: collecting logs into Kafka with Logstash forwarding</title>
<link href="http://www.idcsec.com/2019/01/09/EFK+Filebeat%E6%94%B6%E9%9B%86%E6%97%A5%E5%BF%97/"/>
<id>http://www.idcsec.com/2019/01/09/EFK+Filebeat收集日志/</id>
<published>2019-01-09T08:26:00.000Z</published>
<updated>2019-01-18T09:06:54.460Z</updated>
<content type="html"><![CDATA[<h1 id="u4E00_u3001filebeat"><a href="#u4E00_u3001filebeat" class="headerlink" title="1. filebeat"></a>1. filebeat</h1><p>For Kubernetes log collection we use the officially recommended EFK stack, where F is fluentd; some host logs are collected with filebeat.<br>filebeat is a log file shipper. After the client is installed on your server, filebeat monitors the log directory or the specified log files, tails them (tracking changes to the files and reading continuously), and forwards the data to elasticsearch, logstash, kafka or redis for storage. Filebeat's CPU and memory usage on the system is almost negligible; filebeat is written in Go and runs without environment dependencies.<br><img src="https://i.loli.net/2019/01/10/5c36b7e69f537.png" alt="filebeat.png"></p><p>The EFK environment should already be deployed; this post mainly records the filebeat-kafka-logstash-es-kibana pipeline.</p><h1 id="u4E0B_u8F7D_u5B89_u88C5filebeat"><a href="#u4E0B_u8F7D_u5B89_u88C5filebeat" class="headerlink" title="Download and install filebeat"></a>Download and install filebeat</h1><figure class="hljs highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-<span class="number">6.5</span>.<span class="number">4</span>-x86_64.rpm</span><br><span class="line">rpm -ivh filebeat-<span class="number">6.5</span>.<span class="number">4</span>-x86_64.rpm</span><br></pre></td></tr></table></figure><a id="more"></a><h1 id="filebeat_u914D_u7F6E_u6587_u4EF6"><a href="#filebeat_u914D_u7F6E_u6587_u4EF6" class="headerlink" title="filebeat configuration file"></a>filebeat configuration file</h1><p>cat filebeat.yml<br><figure class="hljs highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span
class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">############################# Filebeat inputs #########################################</span></span><br><span class="line">filebeat.inputs:</span><br><span class="line">- input_<span class="built_in">type</span>: <span class="built_in">log</span> </span><br><span class="line"> enabled: <span class="literal">true</span></span><br><span class="line"> paths:</span><br><span class="line"> - /opt/tomcat7credit/clsp/Application.* <span class="comment">#log file path; wildcard (glob) patterns can be used for matching</span></span><br><span class="line"> encoding: GB2312 <span class="comment">#encoding; fixes garbled text when tomcat logs are not UTF-8</span></span><br><span class="line"> tags: [<span class="string">"tomcatlogs"</span>]</span><br><span class="line"> multiline.pattern: ^\d{<span class="number">4</span>} <span class="comment">#merge multiple lines, to handle tomcat error stack traces</span></span><br><span class="line"> multiline.negate: <span class="literal">true</span></span><br><span class="line"> multiline.match: after</span><br><span class="line">
multiline.max_lines: <span class="number">800</span></span><br><span class="line"> multiline.timeout: <span class="number">1</span></span><br><span class="line"> document_<span class="built_in">type</span>: xxxapplication <span class="comment">#document_type has been removed in newer versions</span></span><br><span class="line"><span class="comment"># If set to true, Filebeat starts watching the file from its end and sends each newly added line as an event in turn, instead of resending all content from the beginning of the file.</span></span><br><span class="line"> tail_files: <span class="literal">true</span></span><br><span class="line"> backoff: <span class="number">1</span>s</span><br><span class="line"> fields: <span class="comment">#add a custom field, fields.appname</span></span><br><span class="line"> appname: xxxapplication</span><br><span class="line">- input_<span class="built_in">type</span>: <span class="built_in">log</span></span><br><span class="line"> enabled: <span class="literal">true</span></span><br><span class="line"> paths:</span><br><span class="line"> - /opt/tomcat7thirdtask/thirdtask/apilog.log </span><br><span class="line"> encoding: GB2312</span><br><span class="line"> multiline.pattern: ^\d{<span class="number">4</span>}</span><br><span class="line"> multiline.negate: <span class="literal">true</span></span><br><span class="line"> multiline.match: after</span><br><span class="line"> multiline.max_lines: <span class="number">800</span></span><br><span class="line"> multiline.timeout: <span class="number">1</span></span><br><span class="line"> document_<span class="built_in">type</span>: thirdtaskapilog</span><br><span class="line"><span class="comment"># If set to true, Filebeat starts watching the file from its end and sends each newly added line as an event in turn, instead of resending all content from the beginning of the file.</span></span><br><span class="line"> tail_files: <span class="literal">true</span></span><br><span class="line"> backoff: <span class="number">1</span>s</span><br><span class="line"> fields:</span><br><span class="line"> appname: thirdtaskapilog</span><br><span class="line"><span class="comment">############################# output kafka
#########################################</span></span><br><span class="line">output.kafka:</span><br><span class="line">  <span class="comment"># initial brokers for reading cluster metadata</span></span><br><span class="line">  hosts: [<span class="string">"192.168.200.102:9092"</span>,<span class="string">"192.168.200.102:9093"</span>,<span class="string">"192.168.200.102:9094"</span>]</span><br><span class="line">  enabled: <span class="literal">true</span></span><br><span class="line">  <span class="comment"># message topic selection + partitioning</span></span><br><span class="line">  topic: <span class="string">'Applicationlogs'</span></span><br><span class="line">  partition.round_robin:</span><br><span class="line">    reachable_only: <span class="literal">false</span></span><br><span class="line">  required_acks: <span class="number">1</span></span><br><span class="line">  compression: gzip</span><br><span class="line">  max_message_bytes: <span class="number">1000000</span></span><br></pre></td></tr></table></figure></p><p>Earlier versions used filebeat.prospectors: here.</p><h1 id="u914D_u7F6Elogstash_u6D88_u8D39kafka_u7684topic_uFF1AApplicationlogs_u4FE1_u606F"><a href="#u914D_u7F6Elogstash_u6D88_u8D39kafka_u7684topic_uFF1AApplicationlogs_u4FE1_u606F" class="headerlink" title="配置logstash消费kafka的topic:Applicationlogs信息"></a>Configure Logstash to consume messages from the Kafka topic Applicationlogs</h1><figure class="hljs highlight bash"><table><tr><td class="code"><pre><span class="line">input {</span><br><span class="line">  kafka{</span><br><span class="line">    bootstrap_servers => [<span class="string">"XXXX:9092,XXXX:9093,XXXX:9094"</span>]</span><br><span class="line">    client_id => <span class="string">"logs"</span></span><br><span class="line">    group_id => <span class="string">"logs"</span></span><br><span class="line">    auto_offset_reset => <span class="string">"latest"</span></span><br><span class="line">    consumer_threads => <span class="number">1</span></span><br><span class="line">    decorate_events => <span class="literal">false</span></span><br><span class="line">    topics => [<span class="string">"k8s-logs"</span>]</span><br><span class="line">    codec => <span class="string">"json"</span></span><br><span class="line">  }</span><br><span class="line">  kafka{</span><br><span class="line">    bootstrap_servers => [<span class="string">"XXXX:9092,XXXX:9093,XXX:9094"</span>]</span><br><span class="line">    client_id => <span class="string">"logs"</span></span><br><span class="line">    group_id => <span class="string">"logs"</span></span><br><span class="line">    consumer_threads => <span class="number">1</span></span><br><span class="line">    decorate_events => <span class="literal">false</span></span><br><span class="line">    topics => [<span class="string">"Applicationlogs"</span>]</span><br><span class="line">  }</span><br><span class="line">}</span><br><span class="line">filter {</span><br><span class="line">  <span class="keyword">if</span> [<span class="built_in">type</span>] == <span class="string">"Application"</span>{</span><br><span class="line">    date {</span><br><span class="line">      match => [ <span class="string">"timestamp"</span>,<span class="string">"yyyy-MM-dd HH:mm:ss"</span>]</span><br><span class="line">      target => <span class="string">"@timestamp"</span></span><br><span class="line">      remove_field => [<span class="string">"timestamp"</span>]</span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line">output{</span><br><span class="line">  <span class="keyword">if</span> [topics] == [<span class="string">"Applicationlogs"</span>]{</span><br><span class="line">    elasticsearch {</span><br><span class="line">      hosts => [<span class="string">"XXXX:9200"</span>]</span><br><span class="line">      index => <span class="string">"nfs-%{[fields][appname]}%{+YYYY-MM-dd}"</span></span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line">  <span class="keyword">if</span> [topics] == [<span class="string">"k8s-logs"</span>]{</span><br><span class="line">    elasticsearch{</span><br><span class="line">      hosts => [<span class="string">"XXXX:9200"</span>,<span class="string">"XXXX:9200"</span>]</span><br><span class="line">      index => <span class="string">"%{[kubernetes][container_name]}-%{+YYYY-MM}"</span></span><br><span class="line">      action => <span class="string">"index"</span></span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>If the index has been created in Kibana, this part is complete.</p><h1
id="u83B7_u53D6_u65E5_u5FD7_u65F6_u95F4_u5B57_u6BB5_u66FF_u6362es_u91CC_u9762_u7684@timestamp_u5B57_u6BB5"><a href="#u83B7_u53D6_u65E5_u5FD7_u65F6_u95F4_u5B57_u6BB5_u66FF_u6362es_u91CC_u9762_u7684@timestamp_u5B57_u6BB5" class="headerlink" title="获取日志时间字段替换es里面的@timestamp字段"></a>Replace the @timestamp field in ES with the time field from the log</h1><p>Example log format<br><figure class="hljs highlight css"><table><tr><td class="code"><pre><span class="line">2019<span class="tag">-01-09</span> 17<span class="pseudo">:23</span><span class="pseudo">:27</span> <span class="attr_selector">[ http-bio-8080-exec-151:67436064 ]</span> <span class="tag">-</span> <span class="attr_selector">[ INFO ]</span> <span class="tag">com</span><span class="class">.crfchina</span><span class="class">.p2p</span><span class="class">.finance</span><span class="class">.service</span><span class="class">.dao</span><span class="class">.hibernate</span><span class="class">.P2pAccountInfoDaoImpl</span><span class="class">.queryReserver</span>(<span class="tag">P2pAccountInfoDaoImpl</span><span class="class">.java</span><span class="pseudo">:2613)</span> 查询状态为1的结果!</span><br></pre></td></tr></table></figure></p><p>Test the field parsing with <a href="http://grokdebug.herokuapp.com/" target="_blank" rel="external">http://grokdebug.herokuapp.com/</a><br><figure class="hljs highlight gherkin"><table><tr><td class="code"><pre><span class="line">%{TIMESTAMP_ISO8601:time}\s\[\s<span class="keyword">*</span>%{JAVAFILE:class}:%{NUMBER:lineNumber}\s<span class="keyword">*</span>\]\s<span class="keyword">*</span>-\s<span class="keyword">*</span>\[\s<span class="keyword">*</span>%{LOGLEVEL:level}\s<span class="keyword">*</span>\]\s(?<span class="variable"><msg></span>([\s\S]<span class="keyword">*</span>))</span><br></pre></td></tr></table></figure></p><p>Configure Logstash to parse the fields with the grok filter<br>Install the plugins<br><figure class="hljs highlight livecodeserver"><table><tr><td class="code"><pre><span class="line">/usr/share/logstash/bin/logstash-plugin install logstash-<span class="built_in">filter</span>-grok logstash-<span class="built_in">filter</span>-<span class="built_in">date</span></span><br></pre></td></tr></table></figure></p><p>Add a filter that parses the date from the extracted field and stores it in the @timestamp field.<br><figure class="hljs highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">### FILTERS</span></span><br><span class="line">filter {</span><br><span class="line">  <span class="keyword">if</span> [fields][appname] == <span class="string">"xxxapplication"</span>{</span><br><span class="line">    grok {</span><br><span class="line">      <span class="comment"># extract the xxxapplication log fields</span></span><br><span class="line">      match => {</span><br><span class="line">        <span class="string">"message"</span> => [</span><br><span class="line">          <span class="comment"># xxxapplication format</span></span><br><span class="line">          <span class="string">'%{TIMESTAMP_ISO8601:time}\s\[\s*%{JAVAFILE:class}:%{NUMBER:lineNumber}\s*\]\s*-\s*\[\s*%{LOGLEVEL:level}\s*\]\s(?<msg>([\s\S]*))'</span></span><br><span class="line">        ]</span><br><span class="line">      }</span><br><span class="line">    }</span><br><span class="line">    date {</span><br><span class="line">      match => [ <span class="string">"time"</span>,<span class="string">"yyyy-MM-dd HH:mm:ss"</span>]</span><br><span class="line">      target => <span class="string">"@timestamp"</span></span><br><span class="line">    }</span><br><span class="line">    <span class="comment"># remove the original data</span></span><br><span class="line">    <span class="comment">#remove_field => ["timestamp"]</span></span><br><span class="line">    <span class="comment">#remove_field => [ "message" ]</span></span><br><span class="line">    mutate {</span><br><span class="line">      remove_field =>[<span class="string">"message"</span>]</span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>Tomcat catalina log<br><figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line"><span class="number">2019</span>-<span class="number">01</span>-<span class="number">10</span> <span class="number">04</span>:<span class="number">51</span>:<span class="number">59.589</span> <span class="keyword">default</span> [scheduler_Worker-<span class="number">1</span>] INFO com.zhph.third.utils.BatchCheck - 第<span class="number">0</span>次请求跑批记录控制请求参数:{<span class="string">"startTime"</span>:<span class="string">"2019-01-10 04:00:22"</span>,<span class="string">"runResult"</span>:<span class="string">"0"</span>,<span class="string">"batchName"</span>:<span class="string">"magicReportDaily"</span>,<span class="string">"sysName"</span>:<span class="string">"thirdtask"</span>,<span class="string">"comment"</span>:<span class="string">"成功执行跑批"</span>,<span
class="string">"endTime"</span>:<span class="string">"2019-01-10 04:51:59"</span>}</span><br></pre></td></tr></table></figure></p><p>Matching grok pattern<br><figure class="hljs highlight less"><table><tr><td class="code"><pre><span class="line">%{<span class="tag">TIMESTAMP_ISO8601</span><span class="pseudo">:time</span>}\<span class="tag">s</span>(?<default>[a-z]{<span class="tag">7</span>})\<span class="tag">s</span>\<span class="attr_selector">[%{JAVAFILE:class}\]</span>\<span class="tag">s%</span>{<span class="tag">LOGLEVEL</span><span class="pseudo">:level</span>}\<span class="tag">s</span>\<span class="tag">s%</span>{<span class="attribute">GREEDYDATA</span>:message}</span><br></pre></td></tr></table></figure></p><p>Tomcat catalina log<br><figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line"><span class="number">2016</span>-<span class="number">10</span>-<span class="number">22</span> <span class="number">20</span>:<span class="number">59</span>:<span class="number">22</span>,<span class="number">877</span> INFO com.zjzc.interceptor.ClientAuthInterceptor - authInfo servletPath=/validate/code/send,clientSn=null,access=<span class="literal">true</span><span class="string">",</span></span><br></pre></td></tr></table></figure></p><p>Matching grok pattern<br><figure class="hljs highlight bash"><table><tr><td class="code"><pre><span class="line">%{TIMESTAMP_ISO8601:time}\s+(?<Level>(\S+))%{GREEDYDATA:message}</span><br></pre></td></tr></table></figure></p><h1 id="tomcat_logs_u65E5_u5FD7"><a href="#tomcat_logs_u65E5_u5FD7" class="headerlink" title="tomcat logs日志"></a>Tomcat logs</h1><p>Filebeat configuration<br><figure class="hljs highlight autoit"><table><tr><td class="code"><pre><span class="line">- input_type: <span class="built_in">log</span></span><br><span class="line">  enabled: <span class="literal">true</span></span><br><span class="line">  paths:</span><br><span class="line">    - /<span class="built_in">opt</span>/tomcat8/localhost_access_log.*</span><br><span class="line"><span class="preprocessor"># If set to true, Filebeat starts reading at the end of each file and sends every newly appended line as an event, instead of resending the whole file from the beginning.</span></span><br><span class="line">  tail_files: <span class="literal">true</span></span><br><span class="line">  backoff: <span class="number">1</span>s</span><br><span class="line">  fields:</span><br><span class="line">    appname: tomcataccess</span><br></pre></td></tr></table></figure></p><p>Edit the Tomcat configuration file server.xml<br><figure class="hljs highlight perl"><table><tr><td class="code"><pre><span class="line"> <Valve className=<span class="string">"org.apache.catalina.valves.AccessLogValve"</span></span><br><span class="line"> directory=<span class="string">"logs"</span> prefix=<span class="string">"access_log"</span></span><br><span class="line"> suffix=<span class="string">".log"</span> rotatable=<span class="string">"true"</span> resolveHosts=<span class="string">"false"</span></span><br><span class="line"> pattern=<span class="string">"<span class="variable">%h</span> <span class="variable">%l</span> <span class="variable">%u</span> <span class="variable">%t</span> [<span class="variable">%r</span>] <span class="variable">%s</span> [<span class="variable">%{Referer}</span>i] [%{User-Agent}i] <span class="variable">%b</span> <span class="variable">%T</span>"</span> /></span><br><span class="line"></span><br><span class="line"><<span class="regexp">/Host></span></span><br></pre></td></tr></table></figure></p><p>Access log pattern parameters<br><a href="http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Logging" target="_blank" rel="external">http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Logging</a><br><figure class="hljs highlight mojolicious"><table><tr><td class="code"><pre><span class="line"><span class="xml"></span><span class="perl"><span class="variable">%h</span> IP address of the client</span><span class="xml"></span><br><span class="line"></span><span class="perl"><span class="variable">%l</span> remote logical username, usually '-'</span><span class="xml"></span><br><span class="line"></span><span class="perl"><span class="variable">%u</span> authenticated remote username, usually '-'</span><span class="xml"></span><br><span class="line"></span><span class="perl"><span class="variable">%t</span> date and time of the request</span><span class="xml"></span><br><span class="line"></span><span class="perl"><span class="variable">%r</span> request method (POST or GET), the requested resource and the HTTP protocol version</span><span class="xml"></span><br><span class="line"></span><span class="perl"><span class="variable">%s</span> HTTP status code of the response</span><span class="xml"></span><br><span class="line"></span><span class="perl"><span class="variable">%b</span> bytes sent in the response</span><span class="xml"></span><br><span class="line"></span><span class="perl"><span class="variable">%T</span> time taken to process the request</span><span class="xml"></span><br><span class="line">[%{Referer}i] </span><br><span
class="line">[%{User-Agent}i]</span></span><br></pre></td></tr></table></figure></p><p>Resulting log format<br><figure class="hljs highlight cpp"><table><tr><td class="code"><pre><span class="line"><span class="number">10.10</span><span class="number">.0</span><span class="number">.100</span> - - [<span class="number">04</span>/Sep/<span class="number">2018</span>:<span class="number">19</span>:<span class="number">54</span>:<span class="number">07</span> +<span class="number">0800</span>] [GET / HTTP/<span class="number">1.1</span>] <span class="number">200</span> [-] [Mozilla/<span class="number">5.0</span> (Windows NT <span class="number">10.0</span>; Win64; x64) AppleWebKit/<span class="number">537.36</span> (KHTML, like Gecko) Chrome/<span class="number">60.0</span><span class="number">.3112</span><span class="number">.113</span> Safari/<span class="number">537.36</span>] <span class="number">5</span> <span class="number">0.104</span></span><br></pre></td></tr></table></figure></p><p>Grok filter<br><figure class="hljs highlight ruby"><table><tr><td class="code"><pre><span class="line"><span class="constant">JETTYAUDIT</span> <span class="string">%{IP:clent_ip}</span> (?<span class="symbol">:-|<span class="string">%{USER:logic_user}</span></span>) (?<span class="symbol">:-|<span class="string">%{USER:verification_user}</span></span>) \[<span class="string">%{HTTPDATE:timestamp}</span>\] \[(?<span class="symbol">:<span class="string">%{WORD:http_verb}</span></span> <span class="string">%{NOTSPACE:request_url}</span>(?<span class="symbol">:</span> <span class="constant">HTTP</span>/<span class="string">%{NUMBER:httpversion}</span>)?|<span class="string">%{DATA:rawrequest}</span>)\] <span class="string">%{NUMBER:status}</span> \[(?<span class="symbol">:-|<span class="string">%{NOTSPACE:request_url_2}</span></span>)\] \[<span class="string">%{GREEDYDATA:agent}</span>\] (?<span class="symbol">:-|<span class="string">%{NUMBER:curl_size}</span></span>) (?<span class="symbol">:-|<span class="string">%{NUMBER:responsetime}</span></span>)</span><br></pre></td></tr></table></figure></p><figure class="hljs highlight ocaml"><table><tr><td class="code"><pre><span class="line">grok {</span><br><span class="line">  patterns_dir => <span class="string">"/etc/logstash/patterns.d"</span></span><br><span class="line">  <span class="keyword">match</span> => { <span class="string">"message"</span> => <span class="string">"%{JETTYAUDIT}"</span> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>For the default Tomcat access log format, the grok filter is<br><figure class="hljs highlight xquery"><table><tr><td class="code"><pre><span class="line">filter {</span><br><span class="line">  if [fields][appname] == <span class="string">"tomcataccess"</span>{</span><br><span class="line">    grok {</span><br><span class="line">      match => {</span><br><span class="line">        <span class="string">"message"</span> => [<span class="string">"%{IPORHOST:clientip} %{USER:ident} %{DATA:auth} \[%{HTTPDATE:timestamp}\] \"</span>(%{WORD:verb} %{NOTSPACE:request} (HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\<span class="string">" %{NUMBER:response} (%{NUMBER:bytes})"</span>]</span><br><span class="line">      }</span><br><span class="line">    }</span><br><span class="line">    date {</span><br><span class="line">      match => [<span class="string">"timestamp"</span>, <span class="string">"dd/MMM/yyyy:HH:mm:ss Z"</span>]</span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<h1 id="u4E00_u3001filebeat"><a href="#u4E00_u3001filebeat" class="headerlink" title="一、filebeat"></a>1. filebeat</h1><p>Kubernetes log collection uses the officially recommended EFK stack, where F is fluentd; some host logs are collected with Filebeat.<br>Filebeat is a log file shipper. Once the agent is installed on your server, it watches the log directories or the specific log files you point it at, tails them (tracking changes and reading continuously), and forwards the data to Elasticsearch, Logstash, Kafka or Redis for storage. Filebeat's CPU and memory usage is almost negligible, and because it is written in Go it runs without any runtime dependencies.<br><img src="https://i.loli.net/2019/01/10/5c36b7e69f537.png" alt="filebeat.png"></p>
<p>The EFK environment should already be deployed; this post mainly records the filebeat-kafka-logstash-es-kibana pipeline.</p>
<h1 id="u4E0B_u8F7D_u5B89_u88C5filebeat"><a href="#u4E0B_u8F7D_u5B89_u88C5filebeat" class="headerlink" title="下载安装filebeat"></a>Download and install Filebeat</h1><figure class="hljs highlight bash"><table><tr><td class="code"><pre><span class="line">curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-<span class="number">6.5</span>.<span class="number">4</span>-x86_64.rpm</span><br><span class="line">rpm -ivh filebeat-<span class="number">6.5</span>.<span class="number">4</span>-x86_64.rpm</span><br></pre></td></tr></table></figure>
</summary>
<category term="EFK" scheme="http://www.idcsec.com/categories/EFK/"/>
<category term="filebeat" scheme="http://www.idcsec.com/tags/filebeat/"/>
</entry>
<entry>
<title>Monitoring network devices with Zabbix and displaying them in Grafana</title>
<link href="http://www.idcsec.com/2019/01/04/zabbix%E7%9B%91%E6%8E%A7%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E5%B1%95%E7%A4%BAGrafana/"/>
<id>http://www.idcsec.com/2019/01/04/zabbix监控网络设备展示Grafana/</id>
<published>2019-01-04T06:54:00.000Z</published>
<updated>2019-01-10T08:57:42.343Z</updated>
<content type="html"><![CDATA[<p>Reference: <a href="http://docs.grafana.org/reference/templating/" target="_blank" rel="external">http://docs.grafana.org/reference/templating/</a><br> <a href="http://docs.grafana.org/features/panels/singlestat/" target="_blank" rel="external">http://docs.grafana.org/features/panels/singlestat/</a></p><h1 id="New_dashboard_u521B_u5EFA_u4EEA_u8868_u76D8"><a href="#New_dashboard_u521B_u5EFA_u4EEA_u8868_u76D8" class="headerlink" title="New dashboard创建仪表盘"></a>New dashboard: create the dashboard</h1><p><img src="https://i.loli.net/2019/01/04/5c2f055466397.png" alt="zabbix"><br><a id="more"></a><br>Set the variables under Settings - Variables</p><h2 id="u83B7_u53D6zabbix_u7EC4"><a href="#u83B7_u53D6zabbix_u7EC4" class="headerlink" title="获取zabbix组"></a>Get the Zabbix groups</h2><p><img src="https://i.loli.net/2019/01/04/5c2f0686c7e6a.png" alt="g2.png"></p><h2 id="u8FC7_u6EE4_u7EC4_u91CC_u9762_u7684_u4E3B_u673A"><a href="#u8FC7_u6EE4_u7EC4_u91CC_u9762_u7684_u4E3B_u673A" class="headerlink" title="过滤组里面的主机"></a>Filter the hosts in a group</h2><p>$Group.*<br><img src="https://i.loli.net/2019/01/04/5c2f07276254b.png" alt="g3.png"></p><h2 id="u8FC7_u6EE4_u4E3B_u673A_u63A5_u53E3_u4F7F_u7528_u6B63_u5219_u83B7_u53D6GigabitEthernet_u63A5_u53E3"><a href="#u8FC7_u6EE4_u4E3B_u673A_u63A5_u53E3_u4F7F_u7528_u6B63_u5219_u83B7_u53D6GigabitEthernet_u63A5_u53E3" class="headerlink" title="过滤主机接口使用正则获取GigabitEthernet接口"></a>Filter the host interfaces, using a regex to select the GigabitEthernet interfaces</h2><figure class="hljs highlight xquery"><table><tr><td class="code"><pre><span class="line">query:<span class="variable">$Group</span>.<span class="variable">$Hosts</span>.Interfaces.*</span><br><span class="line">Regex:/(GigabitEthernet\d{<span class="number">1</span>,}/\d{<span class="number">1</span>,}/\d{<span class="number">1</span>,}/\d{<span class="number">1</span>,}|GigabitEthernet\d{<span class="number">1</span>,}/\d{<span class="number">1</span>,}/\d{<span class="number">1</span>,}|GigabitEthernet \d{<span class="number">1</span>,}/\d{<span class="number">1</span>,})/</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2019/01/04/5c2f09ed05e6e.png" alt="g4.png"></p><h1 id="u521B_u5EFA_Panel"><a href="#u521B_u5EFA_Panel" class="headerlink" title="创建 Panel"></a>Create the panels</h1><p>1. Click Singlestat under New Panel and configure it to collect the switch name<br><img src="https://i.loli.net/2019/01/04/5c2f0b05c6bab.png" alt="获取设备名称.png"><br>2. Configure a Singlestat panel to collect the switch uptime<br><img src="https://i.loli.net/2019/01/04/5c2f0c42b0ac8.png" alt="获取设备运行时长1.png"><br><img src="https://i.loli.net/2019/01/04/5c2f0ed4c1edf.png" alt="获取设备运行时长2.png"><br>3. Configure a Singlestat panel under New Panel to collect the switch ping value and confirm whether the switch is running normally. On the Options tab set the thresholds to 0,1, and invert the colors on the color tab so that 0 maps to red (WARNING) and 1 maps to green (HEALTHY).<br><img src="https://i.loli.net/2019/01/04/5c2f0ef187364.png" alt="设备状1.png"><br><img src="https://i.loli.net/2019/01/04/5c2f0f7039315.png" alt="设备状2.png"><br>4. Configure a Graph panel under New Panel to collect traffic</p>]]></content>
<summary type="html">
<p>Reference: <a href="http://docs.grafana.org/reference/templating/">http://docs.grafana.org/reference/templating/</a><br> <a href="http://docs.grafana.org/features/panels/singlestat/">http://docs.grafana.org/features/panels/singlestat/</a></p>
<h1 id="New_dashboard_u521B_u5EFA_u4EEA_u8868_u76D8"><a href="#New_dashboard_u521B_u5EFA_u4EEA_u8868_u76D8" class="headerlink" title="New dashboard创建仪表盘"></a>New dashboard: create the dashboard</h1><p><img src="https://i.loli.net/2019/01/04/5c2f055466397.png" alt="zabbix"><br>
</summary>
<category term="zabbix Grafana" scheme="http://www.idcsec.com/tags/zabbix-Grafana/"/>
</entry>
<entry>
<title>Monitoring host performance with Prometheus Node_Exporter and displaying it in Grafana</title>
<link href="http://www.idcsec.com/2018/12/29/Prometheus-Node-Exporter%E7%9B%91%E6%8E%A7%E4%B8%BB%E6%9C%BA%E6%80%A7%E8%83%BD%E5%B1%95%E7%A4%BAGrafana/"/>
<id>http://www.idcsec.com/2018/12/29/Prometheus-Node-Exporter监控主机性能展示Grafana/</id>
<published>2018-12-29T03:18:00.000Z</published>
<updated>2019-01-10T08:58:27.045Z</updated>
<content type="html"><![CDATA[<p><img src="https://i.loli.net/2018/12/29/5c26e87a05bad.png" alt="Consul"><br><a id="more"></a></p><h1 id="node_exporter_u5B89_u88C5"><a href="#node_exporter_u5B89_u88C5" class="headerlink" title="node_exporter安装"></a>Install node_exporter</h1><figure class="hljs highlight groovy"><table><tr><td class="code"><pre><span class="line">useradd prometheus -s <span class="regexp">/sbin/</span>nologin</span><br><span class="line">wget <span class="string">https:</span><span class="comment">//github.com/prometheus/node_exporter/releases/download/v0.16.0/node_exporter-0.16.0.linux-amd64.tar.gz</span></span><br><span class="line">tar -zxvf node_exporter-<span class="number">0.16</span><span class="number">.0</span>.linux-amd64.tar.gz -C <span class="regexp">/home/</span>prometheus<span class="regexp">/ && mv /</span>home<span class="regexp">/prometheus/</span>node_exporter-<span class="number">0.16</span><span class="number">.0</span>.linux-amd64 <span class="regexp">/home/</span>prometheus/node_exporter</span><br><span class="line">vi <span class="regexp">/etc/</span>systemd<span class="regexp">/system/</span>node_exporter.service</span><br><span class="line">[Unit]</span><br><span class="line">Description=Node Exporter</span><br><span class="line"></span><br><span class="line">[Service]</span><br><span class="line">User=prometheus</span><br><span class="line">ExecStart=<span class="regexp">/home/</span>prometheus/node_exporter/node_exporter</span><br><span class="line"></span><br><span class="line">[Install]</span><br><span
class="line">WantedBy=<span class="keyword">default</span>.target</span><br></pre></td></tr></table></figure><p>重启服务<br><figure class="hljs highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">systemctl</span> <span class="tag">daemon-reload</span> && <span class="tag">systemctl</span> <span class="tag">enable</span> <span class="tag">node_exporter</span><span class="class">.service</span> && <span class="tag">systemctl</span> <span class="tag">start</span> <span class="tag">node_exporter</span><span class="class">.service</span></span><br></pre></td></tr></table></figure></p><p><a href="http://your_server_ip:9100/metrics" target="_blank" rel="external">http://your_server_ip:9100/metrics</a><br>修改prometheus文件<br><figure class="hljs highlight groovy"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">vi prometheus.yml</span><br><span class="line"><span class="string">scrape_configs:</span></span><br><span class="line"> - <span class="string">job_name:</span> <span class="string">"node"</span></span><br><span class="line"><span class="label"> scrape_interval:</span> <span class="string">"15s"</span></span><br><span class="line"><span class="label"> target_groups:</span></span><br><span class="line"> - <span class="string">targets:</span> [<span class="string">'NODE_IP:9100'</span>]</span><br></pre></td></tr></table></figure></p><h1 id="Prometheus_u9488_u5BF9nodes_u544A_u8B66_u89C4_u5219_u914D_u7F6E"><a href="#Prometheus_u9488_u5BF9nodes_u544A_u8B66_u89C4_u5219_u914D_u7F6E" class="headerlink" title="Prometheus针对nodes告警规则配置"></a>Prometheus针对nodes告警规则配置</h1><figure class="hljs highlight bash"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span 
class="line">63</span><br></pre></td><td class="code"><pre><span class="line">groups:</span><br><span class="line">- name: example</span><br><span class="line"> rules:</span><br><span class="line"> </span><br><span class="line"> - alert: 实例丢失</span><br><span class="line"> expr: up{job=<span class="string">"node-exporter"</span>} == <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span>: <span class="number">1</span>m</span><br><span class="line"> labels:</span><br><span class="line"> severity: page</span><br><span class="line"> annotations:</span><br><span class="line"> summary: <span class="string">"服务器实例 {{ <span class="variable">$labels</span>.instance }} 丢失"</span></span><br><span class="line"> description: <span class="string">"{{ <span class="variable">$labels</span>.instance }} 上的任务 {{ <span class="variable">$labels</span>.job }} 已经停止了 1 分钟已上了"</span></span><br><span class="line"> </span><br><span class="line"> - alert: 磁盘容量小于 <span class="number">5</span>%</span><br><span class="line"> expr: <span class="number">100</span> - ((node_filesystem_avail_bytes{job=<span class="string">"node-exporter"</span>,mountpoint=~<span class="string">".*"</span>,fstype=~<span class="string">"ext4|xfs|ext2|ext3"</span>} * <span class="number">100</span>) / node_filesystem_size_bytes {job=<span class="string">"node-exporter"</span>,mountpoint=~<span class="string">".*"</span>,fstype=~<span class="string">"ext4|xfs|ext2|ext3"</span>}) > <span class="number">95</span></span><br><span class="line"> <span class="keyword">for</span>: <span class="number">30</span>s</span><br><span class="line"> annotations:</span><br><span class="line"> summary: <span class="string">"服务器实例 {{ <span class="variable">$labels</span>.instance }} 磁盘不足 告警通知"</span></span><br><span class="line"> description: <span class="string">"{{ <span class="variable">$labels</span>.instance }}磁盘 {{ <span class="variable">$labels</span>.device }} 资源 已不足 5%, 当前值: {{ <span 
class="variable">$value</span> }}"</span></span><br><span class="line"> </span><br><span class="line"> - alert: <span class="string">"内存容量小于 20%"</span></span><br><span class="line"> expr: ((node_memory_MemTotal_bytes - node_memory_MemFree_bytes - node_memory_Buffers_bytes - node_memory_Cached_bytes) / (node_memory_MemTotal_bytes )) * <span class="number">100</span> > <span class="number">80</span></span><br><span class="line"> <span class="keyword">for</span>: <span class="number">30</span>s</span><br><span class="line"> labels:</span><br><span class="line"> severity: warning</span><br><span class="line"> annotations:</span><br><span class="line"> summary: <span class="string">"服务器实例 {{ <span class="variable">$labels</span>.instance }} 内存不足 告警通知"</span></span><br><span class="line"> description: <span class="string">"{{ <span class="variable">$labels</span>.instance }}内存资源已不足 20%,当前值: {{ <span class="variable">$value</span> }}"</span></span><br><span class="line"> </span><br><span class="line"> - alert: <span class="string">"CPU 平均负载大于 4 个"</span></span><br><span class="line"> expr: node_load5 > <span class="number">4</span></span><br><span class="line"> <span class="keyword">for</span>: <span class="number">30</span>s</span><br><span class="line"> annotations:</span><br><span class="line"> summary: <span class="string">"服务器实例 {{ <span class="variable">$labels</span>.instance }} CPU 负载 告警通知"</span></span><br><span class="line"> description: <span class="string">"{{ <span class="variable">$labels</span>.instance }}CPU 平均负载(5 分钟) 已超过 4 ,当前值: {{ <span class="variable">$value</span> }}"</span></span><br><span class="line"> </span><br><span class="line"> - alert: <span class="string">"磁盘读 I/O 超过 30MB/s"</span></span><br><span class="line"> expr: irate(node_disk_<span class="built_in">read</span>_bytes_total{device=<span class="string">"sda"</span>}[<span class="number">1</span>m]) > <span class="number">30000000</span></span><br><span class="line"> <span 
class="keyword">for</span>: <span class="number">30</span>s</span><br><span class="line"> annotations:</span><br><span class="line"> summary: <span class="string">"服务器实例 {{ <span class="variable">$labels</span>.instance }} I/O 读负载 告警通知"</span></span><br><span class="line"> description: <span class="string">"{{ <span class="variable">$labels</span>.instance }}I/O 每分钟读已超过 30MB/s,当前值: {{ <span class="variable">$value</span> }}"</span></span><br><span class="line"> </span><br><span class="line"> - alert: <span class="string">"磁盘写 I/O 超过 30MB/s"</span></span><br><span class="line"> expr: irate(node_disk_written_bytes_total{device=<span class="string">"sda"</span>}[<span class="number">1</span>m]) > <span class="number">30000000</span></span><br><span class="line"> <span class="keyword">for</span>: <span class="number">30</span>s</span><br><span class="line"> annotations:</span><br><span class="line"> summary: <span class="string">"服务器实例 {{ <span class="variable">$labels</span>.instance }} I/O 写负载 告警通知"</span></span><br><span class="line"> description: <span class="string">"{{ <span class="variable">$labels</span>.instance }}I/O 每分钟写已超过 30MB/s,当前值: {{ <span class="variable">$value</span> }}"</span></span><br><span class="line"> </span><br><span class="line"> - alert: <span class="string">"网卡流出速率大于 10MB/s"</span></span><br><span class="line"> expr: (irate(node_network_transmit_bytes_total{device!~<span class="string">"lo"</span>}[<span class="number">1</span>m]) / <span class="number">1000</span>) > <span class="number">1000000</span></span><br><span class="line"> <span class="keyword">for</span>: <span class="number">30</span>s</span><br><span class="line"> annotations:</span><br><span class="line"> summary: <span class="string">"服务器实例 {{ <span class="variable">$labels</span>.instance }} 网卡流量负载 告警通知"</span></span><br><span class="line"> description: <span class="string">"{{ <span class="variable">$labels</span>.instance }}网卡 {{ <span class="variable">$labels</span>.device 
}} 流量已经超过 10MB/s, 当前值: {{ <span class="variable">$value</span> }}"</span></span><br><span class="line"> </span><br><span class="line"> - alert: <span class="string">"CPU 使用率大于 90%"</span></span><br><span class="line"> expr: <span class="number">100</span> - ((avg by (instance,job,env)(irate(node_cpu_seconds_total{mode=<span class="string">"idle"</span>}[<span class="number">30</span>s]))) *<span class="number">100</span>) > <span class="number">90</span></span><br><span class="line"> <span class="keyword">for</span>: <span class="number">30</span>s</span><br><span class="line"> annotations:</span><br><span class="line"> summary: <span class="string">"服务器实例 {{ <span class="variable">$labels</span>.instance }} CPU 使用率 告警通知"</span></span><br><span class="line"> description: <span class="string">"{{ <span class="variable">$labels</span>.instance }}CPU 使用率已超过 90%, 当前值: {{ <span class="variable">$value</span> }}"</span></span><br></pre></td></tr></table></figure>]]></content>
<summary type="html">
<p><img src="https://i.loli.net/2018/12/29/5c26e87a05bad.png" alt="Consul"><br>
</summary>
<category term="prometheus" scheme="http://www.idcsec.com/categories/prometheus/"/>
<category term="node_exporter" scheme="http://www.idcsec.com/tags/node-exporter/"/>
<category term="prometheus" scheme="http://www.idcsec.com/tags/prometheus/"/>
</entry>
<entry>
<title>Automatic service discovery with Prometheus + Consul</title>
<link href="http://www.idcsec.com/2018/12/29/Prometheus-Consul%E5%AE%9E%E7%8E%B0%E8%87%AA%E5%8A%A8%E6%9C%8D%E5%8A%A1%E5%8F%91%E7%8E%B0/"/>
<id>http://www.idcsec.com/2018/12/29/Prometheus-Consul实现自动服务发现/</id>
<published>2018-12-29T02:55:00.000Z</published>
<updated>2019-01-10T08:58:52.612Z</updated>
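<content type="html"><![CDATA[<p>Automatic service discovery with Prometheus + Consul cuts down on operations such as editing prometheus.yml and restarting Prometheus.</p><h1 id="Consul__u4ECB_u7ECD"><a href="#Consul__u4ECB_u7ECD" class="headerlink" title="Consul 介绍"></a>Introduction to Consul</h1><p>Consul has multiple components, but as a whole it is a tool for service discovery and configuration in your infrastructure. It provides several key features:<br>Service discovery: a Consul client can provide a service, such as api or mysql, and a Consul client can also be used to discover the providers of a given service. Using DNS or HTTP, applications can easily find the services they depend on.<br>Health checking: a Consul client can provide any number of health checks, associated either with a given service ("is the web server returning 200 OK") or with the local node ("is memory utilization below 90%"). This information can be used to monitor cluster health, and the service discovery components use it to route traffic away from unhealthy hosts.<br>KV store: applications can use Consul's hierarchical key/value store for purposes including dynamic configuration, feature flagging, coordination, leader election and more. The simple HTTP API makes it easy to use.<br>Multi-datacenter: Consul supports multiple datacenters. This means Consul users do not have to worry about building additional layers of abstraction to grow to multiple regions.<br>Official architecture diagram<br><img src="https://i.loli.net/2018/12/29/5c26e3aa40037.png" alt="Consul"><br><a id="more"></a><br>Ports<br><figure class="hljs highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">8500</span>, client HTTP API port</span><br><span class="line"><span class="number">8600</span>, client DNS service port</span><br><span class="line"><span class="number">8400</span>, client RPC communication port</span><br><span class="line"><span class="number">8300</span>, cluster server RPC communication port</span><br><span class="line"><span class="number">8301</span>, intra-datacenter cluster communication port</span><br><span class="line"><span class="number">8302</span>, inter-datacenter cluster communication port</span><br></pre></td></tr></table></figure></p><h1 id="prometheus_u670D_u52A1_u53D1_u73B0_Service_Discovery"><a href="#prometheus_u670D_u52A1_u53D1_u73B0_Service_Discovery" class="headerlink" title="prometheus服务发现 Service Discovery"></a>Prometheus Service Discovery</h1><p>Prometheus supports many service discovery mechanisms: file, DNS, Consul, Kubernetes, OpenStack, EC2 and so on. The discovery process is not complicated: through an interface provided by a third party, Prometheus queries the list of targets to monitor and then polls those targets to collect monitoring data.</p><h1 id="u672C_u5730_u6D4B_u8BD5_u73AF_u5883_u7684Docker_Compose"><a 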
href="#u672C_u5730_u6D4B_u8BD5_u73AF_u5883_u7684Docker_Compose" class="headerlink" title="本地测试环境的Docker Compose"></a>Docker Compose for a local test environment</h1><p>gliderlabs/registrator watches the Docker daemon; for containers that expose ports, registrator automatically registers the service address exposed by that container in Consul.<br>NodeExporter collects data for the current host and cAdvisor collects container data; Prometheus then discovers these services automatically.<br><figure class="hljs highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">version</span>: <span class="string">'2'</span></span><br><span class="line"></span><br><span class="line"><span class="haml">services:</span><br><span class="line"> consul:</span><br><span class="line"> image: consul</span><br><span class="line"> ports:</span><br><span class="line"> -<span class="ruby"> <span class="number">8400</span><span class="symbol">:</span><span class="number">8400</span></span><br><span 
class="line"></span> -<span class="ruby"> <span class="number">8500</span><span class="symbol">:</span><span class="number">8500</span></span><br><span class="line"></span> -<span class="ruby"> <span class="number">8600</span><span class="symbol">:</span><span class="number">53</span>/udp</span><br><span class="line"></span> command: agent -server -client=0.0.0.0 -dev -node=node0 -bootstrap-expect=1 -data-dir=/tmp/consul</span><br><span class="line"> labels:</span><br><span class="line"> SERVICE_IGNORE: 'true'</span><br><span class="line"> registrator:</span><br><span class="line"> image: gliderlabs/registrator</span><br><span class="line"> depends_on:</span><br><span class="line"> -<span class="ruby"> consul</span><br><span class="line"></span> volumes:</span><br><span class="line"> -<span class="ruby"> /var/<span class="symbol">run:</span>/<span class="symbol">tmp:</span>rw</span><br><span class="line"></span> command: consul://consul:8500</span><br><span class="line"> prometheus:</span><br><span class="line"> image: quay.io/prometheus/prometheus</span><br><span class="line"> ports:</span><br><span class="line"> -<span class="ruby"> <span class="number">9090</span><span class="symbol">:</span><span class="number">9090</span></span><br><span class="line"></span> node_exporter:</span><br><span class="line"> image: quay.io/prometheus/node-exporter</span><br><span class="line"> pid: "host"</span><br><span class="line"> ports:</span><br><span class="line"> -<span class="ruby"> <span class="number">9100</span><span class="symbol">:</span><span class="number">9100</span></span><br><span class="line"></span> cadvisor:</span><br><span class="line"> image: google/cadvisor:latest</span><br><span class="line"> ports:</span><br><span class="line"> -<span class="ruby"> <span class="number">8080</span><span class="symbol">:</span><span class="number">8080</span></span><br><span class="line"></span> volumes:</span><br><span class="line"> -<span class="ruby"> /<span 
class="symbol">:/rootfs</span><span class="symbol">:ro</span> </span><br><span class="line"></span> -<span class="ruby"> /var/<span class="symbol">run:</span>/var/<span class="symbol">run:</span>rw</span><br><span class="line"></span> -<span class="ruby"> /var/lib/docker/<span class="symbol">:/var/lib/docker</span><span class="symbol">:ro</span></span></span></span><br></pre></td></tr></table></figure></p><h1 id="promethues-yml_u914D_u7F6E_3A"><a href="#promethues-yml_u914D_u7F6E_3A" class="headerlink" title="promethues.yml配置:"></a>prometheus.yml configuration:</h1><figure class="hljs highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">global</span>:</span><br><span class="line"> <span class="attribute">scrape_interval</span>: <span class="number">5s</span></span><br><span class="line"> <span class="attribute">scrape_timeout</span>: <span class="number">5s</span></span><br><span class="line"> <span class="attribute">evaluation_interval</span>: <span class="number">15s</span></span><br><span class="line"><span class="attribute">scrape_configs</span>:</span><br><span class="line"> - <span class="attribute">job_name</span>: consul_sd</span><br><span class="line"> <span class="attribute">metrics_path</span>: /metrics</span><br><span class="line"> <span class="attribute">scheme</span>: http</span><br><span class="line"> <span class="attribute">consul_sd_configs</span>:</span><br><span class="line"> - <span class="attribute">server</span>: <span 
class="attribute">consul</span>:<span class="number">8500</span></span><br><span class="line"> <span class="attribute">scheme</span>: http</span><br><span class="line"> <span class="attribute">services</span>:</span><br><span class="line"> - node_exporter</span><br><span class="line"> - cadvisor</span><br><span class="line"> - prometheus-node</span><br></pre></td></tr></table></figure><h1 id="u9759_u6001_u6CE8_u518C_u65B9_u5F0F_3A"><a href="#u9759_u6001_u6CE8_u518C_u65B9_u5F0F_3A" class="headerlink" title="静态注册方式:"></a>Static registration:</h1><p>Register the service with a configuration file: create the directory /etc/consul.d and start Consul with the configuration directory specified via -config-dir /etc/consul.d<br><figure class="hljs highlight xquery"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"> cat consul/nodes-export.json </span><br><span class="line">{</span><br><span class="line"> <span class="string">"service"</span>:{</span><br><span class="line"> <span class="string">"id"</span>: <span class="string">"node"</span>,</span><br><span class="line"> <span class="string">"name"</span>: <span class="string">"prometheus-node"</span>,</span><br><span class="line"> <span class="string">"address"</span>: <span class="string">"172.18.241.194"</span>,</span><br><span class="line"> <span class="string">"port"</span>: <span class="number">9100</span>,</span><br><span class="line"> <span class="string">"tags"</span>: [<span class="string">"prometheus-target"</span>],</span><br><span class="line"> <span class="string">"checks"</span>: [</span><br><span 
class="line"> {</span><br><span class="line"> <span class="string">"http"</span>: <span class="string">"http://172.18.241.194:9100/metrics"</span>,</span><br><span class="line"> <span class="string">"interval"</span>: <span class="string">"15s"</span></span><br><span class="line"> }</span><br><span class="line"> ]</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>Reload the configuration:<br><figure class="hljs highlight sqf"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker <span class="built_in">exec</span> -it <span class="number">7</span>fa7d7e9ead9 consul <span class="built_in">reload</span></span><br></pre></td></tr></table></figure></p><p><img src="https://i.loli.net/2018/12/29/5c26e57674794.png" alt="Consul"><br><img src="https://i.loli.net/2018/12/29/5c26e5768dad8.png" alt="Consul"></p><h1 id="api_u670D_u52A1_u6CE8_u518C_u65B9_u5F0F_uFF1A"><a href="#api_u670D_u52A1_u6CE8_u518C_u65B9_u5F0F_uFF1A" class="headerlink" title="api服务注册方式:"></a>Registering a service through the API:</h1><p>Over HTTP, call the /v1/agent/service/register endpoint directly to register:<br><figure class="hljs highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl -X PUT -<span class="keyword">d</span> '{<span class="string">"id"</span>: <span class="string">"node"</span>,<span class="string">"name"</span>: <span class="string">"prometheus-node"</span>,<span class="string">"address"</span>: <span class="string">"172.18.241.194"</span>,<span class="string">"port"</span>: 9100,<span class="string">"tags"</span>: [<span class="string">"node-exporter"</span>],<span class="string">"checks"</span>: [{<span class="string">"http"</span>: <span class="string">"http://172.18.241.194:9100/"</span>,<span class="string">"interval"</span>: <span class="string">"5s"</span>}]}' http:<span 
class="comment">//localhost:8500/v1/agent/service/register</span></span><br></pre></td></tr></table></figure></p><h1 id="u4FEE_u6539_u540E_u7684compose_u6587_u4EF6"><a href="#u4FEE_u6539_u540E_u7684compose_u6587_u4EF6" class="headerlink" title="修改后的compose文件"></a>The modified compose file</h1><figure class="hljs highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">version</span>: <span class="string">'2'</span></span><br><span class="line"></span><br><span class="line"><span class="haml">services:</span><br><span class="line"> consul:</span><br><span class="line"> image: consul</span><br><span class="line"> 
ports:</span><br><span class="line"> -<span class="ruby"> <span class="number">8400</span><span class="symbol">:</span><span class="number">8400</span></span><br><span class="line"></span> -<span class="ruby"> <span class="number">8500</span><span class="symbol">:</span><span class="number">8500</span></span><br><span class="line"></span> -<span class="ruby"> <span class="number">8600</span><span class="symbol">:</span><span class="number">53</span>/udp</span><br><span class="line"></span> command: agent -server -client=0.0.0.0 -dev -node=node0 -bootstrap-expect=1 -config-dir=/consul/consul.d -data-dir=/tmp/consul</span><br><span class="line"> labels:</span><br><span class="line"> SERVICE_IGNORE: 'true'</span><br><span class="line"> volumes:</span><br><span class="line"> -<span class="ruby"> ./<span class="symbol">consul:</span>/consul/consul.d</span><br><span class="line"></span> registrator:</span><br><span class="line"> image: gliderlabs/registrator</span><br><span class="line"> depends_on:</span><br><span class="line"> -<span class="ruby"> consul</span><br><span class="line"></span> volumes:</span><br><span class="line"> -<span class="ruby"> /var/<span class="symbol">run:</span>/<span class="symbol">tmp:</span>rw</span><br><span class="line"></span> command: consul://consul:8500</span><br><span class="line"> prometheus:</span><br><span class="line"> image: quay.io/prometheus/prometheus</span><br><span class="line"> ports:</span><br><span class="line"> -<span class="ruby"> <span class="number">9090</span><span class="symbol">:</span><span class="number">9090</span></span><br><span class="line"></span> volumes:</span><br><span class="line"> -<span class="ruby"> ./prometheus.<span class="symbol">yml:</span>/etc/prometheus/prometheus.yml</span><br><span class="line"></span> command: --config.file=/etc/prometheus/prometheus.yml</span><br><span class="line"> node_exporter:</span><br><span class="line"> image: quay.io/prometheus/node-exporter</span><br><span 
class="line"> pid: "host"</span><br><span class="line"> ports:</span><br><span class="line"> -<span class="ruby"> <span class="number">9100</span><span class="symbol">:</span><span class="number">9100</span></span><br><span class="line"></span> cadvisor:</span><br><span class="line"> image: google/cadvisor:latest</span><br><span class="line"> ports:</span><br><span class="line"> -<span class="ruby"> <span class="number">8080</span><span class="symbol">:</span><span class="number">8080</span></span><br><span class="line"></span> volumes:</span><br><span class="line"> -<span class="ruby"> /<span class="symbol">:/rootfs</span><span class="symbol">:ro</span> </span><br><span class="line"></span> -<span class="ruby"> /var/<span class="symbol">run:</span>/var/<span class="symbol">run:</span>rw</span><br><span class="line"></span> -<span class="ruby"> /var/lib/docker/<span class="symbol">:/var/lib/docker</span><span class="symbol">:ro</span></span></span></span><br></pre></td></tr></table></figure><p><a href="http://consul.la/intro/what-is-consul" target="_blank" rel="external">http://consul.la/intro/what-is-consul</a></p>]]></content>
<summary type="html">
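<p>Automatic service discovery with Prometheus + Consul cuts down on operations such as editing prometheus.yml and restarting Prometheus.</p>
<h1 id="Consul__u4ECB_u7ECD"><a href="#Consul__u4ECB_u7ECD" class="headerlink" title="Consul 介绍"></a>Introduction to Consul</h1><p>Consul has multiple components, but as a whole it is a tool for service discovery and configuration in your infrastructure. It provides several key features:<br>Service discovery: a Consul client can provide a service, such as api or mysql, and a Consul client can also be used to discover the providers of a given service. Using DNS or HTTP, applications can easily find the services they depend on.<br>Health checking: a Consul client can provide any number of health checks, associated either with a given service ("is the web server returning 200 OK") or with the local node ("is memory utilization below 90%"). This information can be used to monitor cluster health, and the service discovery components use it to route traffic away from unhealthy hosts.<br>KV store: applications can use Consul's hierarchical key/value store for purposes including dynamic configuration, feature flagging, coordination, leader election and more. The simple HTTP API makes it easy to use.<br>Multi-datacenter: Consul supports multiple datacenters. This means Consul users do not have to worry about building additional layers of abstraction to grow to multiple regions.<br>Official architecture diagram<br><img src="https://i.loli.net/2018/12/29/5c26e3aa40037.png" alt="Consul"><br>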
</summary>
<category term="prometheus" scheme="http://www.idcsec.com/categories/prometheus/"/>
<category term="consul" scheme="http://www.idcsec.com/tags/consul/"/>
<category term="prometheus" scheme="http://www.idcsec.com/tags/prometheus/"/>
</entry>
<entry>
<title>Monitoring Redis with Prometheus and displaying it in Grafana</title>
<link href="http://www.idcsec.com/2018/12/12/Prometheus%E7%B3%BB%E7%BB%9F%E7%9B%91%E6%8E%A7redis%E5%B1%95%E7%A4%BAGrafana/"/>
<id>http://www.idcsec.com/2018/12/12/Prometheus系统监控redis展示Grafana/</id>
<published>2018-12-12T02:54:00.000Z</published>
<updated>2019-01-10T08:59:11.839Z</updated>
<content type="html"><![CDATA[<p>Use redis_exporter to collect Redis metrics, have Prometheus scrape the data, and display it in Grafana<br><img src="/img/20181212112819.png" alt="pro"><br><a id="more"></a></p><h1 id="exporter_u5B89_u88C5"><a href="#exporter_u5B89_u88C5" class="headerlink" title="exporter安装"></a>Installing the exporter</h1><figure class="hljs highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">wget https:<span class="comment">//github.com/oliver006/redis_exporter/releases/download/v0.23.0/redis_exporter-v0.23.0.linux-amd64.tar.gz</span></span><br><span class="line">tar -zxvf redis_exporter-v0.<span class="number">23.0</span><span class="class">.linux-amd64</span><span class="class">.tar</span><span class="class">.gz</span> -C /opt/redis</span><br></pre></td></tr></table></figure><h1 id="u542F_u52A8redis_exporter_3A"><a href="#u542F_u52A8redis_exporter_3A" class="headerlink" title="启动redis_exporter:"></a>Start redis_exporter:</h1><figure class="hljs highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">redis_exporter</span> <span class="tag">-redis</span><span class="class">.addr</span> 192<span class="class">.168</span><span class="class">.2</span><span class="class">.1</span><span class="pseudo">:7000</span> <span class="tag">-redis</span><span class="class">.password</span> 123456 <span class="tag">-web</span><span class="class">.listen-address</span> 192<span class="class">.168</span><span class="class">.2</span><span class="class">.1</span><span class="pseudo">:9121</span></span><br><span class="line"><span class="tag">redis_exporter</span> <span class="tag">-redis</span><span class="class">.addr</span> 192<span class="class">.168</span><span class="class">.2</span><span class="class">.1</span><span class="pseudo">:7001</span> <span 
class="tag">-redis</span><span class="class">.password</span> 123456 <span class="tag">-web</span><span class="class">.listen-address</span> 192<span class="class">.168</span><span class="class">.2</span><span class="class">.1</span><span class="pseudo">:9122</span></span><br><span class="line"><span class="tag">redis_exporter</span> <span class="tag">-redis</span><span class="class">.addr</span> 192<span class="class">.168</span><span class="class">.2</span><span class="class">.1</span><span class="pseudo">:7002</span> <span class="tag">-redis</span><span class="class">.password</span> 123456 <span class="tag">-web</span><span class="class">.listen-address</span> 192<span class="class">.168</span><span class="class">.2</span><span class="class">.1</span><span class="pseudo">:9123</span></span><br></pre></td></tr></table></figure><p>The Grafana dashboard template for Redis has ID 763: <a href="https://grafana.com/dashboards/763" target="_blank" rel="external">https://grafana.com/dashboards/763</a><br>Add the Redis nodes to prometheus.yml, then restart Prometheus:<br><figure class="hljs highlight haml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">-<span class="ruby"> <span class="symbol">job_name:</span> redis</span><br><span class="line"></span> static_configs:</span><br><span class="line"> -<span class="ruby"> <span class="symbol">targets:</span> [<span class="string">'192.168.2.1:9121'</span>]</span><br><span class="line"></span> labels:</span><br><span class="line"> instance: redis-7000</span><br><span class="line"> -<span class="ruby"> <span class="symbol">targets:</span> [<span class="string">'192.168.2.1:9122'</span>]</span><br><span 
class="line"></span> labels:</span><br><span class="line"> instance: redis-7001</span><br><span class="line"> -<span class="ruby"> <span class="symbol">targets:</span> [<span class="string">'192.168.2.1:9123'</span>]</span><br><span class="line"></span> labels:</span><br><span class="line"> instance: redis-7002</span><br></pre></td></tr></table></figure></p><p>curl -XPOST <a href="http://ip/-/reload" target="_blank" rel="external">http://ip/-/reload</a><br><img src="/img/20181212112749.png" alt="pro"></p>]]></content>
<summary type="html">
<p>Use redis_exporter to collect Redis metrics, have Prometheus scrape the data, and display it in Grafana<br><img src="/img/20181212112819.png" alt="pro"><br>
</summary>
<category term="prometheus" scheme="http://www.idcsec.com/categories/prometheus/"/>
<category term="redis" scheme="http://www.idcsec.com/tags/redis/"/>
</entry>
</feed>