-
Notifications
You must be signed in to change notification settings - Fork 408
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
refactor yurtadm init/join and support to create high-availability OpenYurt cluster #926
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Build an OpenYurt CloudImage | ||
|
||
`yurtadm init` is implemented by sealer, you can modify the kubefile to make your own openyurt cloudimage. | ||
|
||
```bash | ||
cd openyurt-latest | ||
|
||
# build cloudimage | ||
sealer build -t registry-1.docker.io/openyurt/openyurt-cluster:latest-k8s-1198 -f Kubefile . | ||
|
||
# push to dockerhub | ||
sealer push registry-1.docker.io/openyurt/openyurt-cluster:latest-k8s-1198 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. i think that common end user can not push openyurt-cluster image into OpenYurt dockerhub, because they can not get the password. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. OK. It is just an example. Solved. |
||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
FROM kubernetes:v1.19.8-alpine | ||
|
||
# flannel: https://github.com/sealerio/applications/tree/main/flannel | ||
COPY flannel/cni . | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. why put cni files under flannel directory? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. solved. |
||
COPY flannel/init-kube.sh /scripts/ | ||
COPY flannel/kube-flannel.yml manifests/ | ||
|
||
COPY shell-plugin.yaml plugins | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. when do we apply this yaml file(shell-plugin.yaml)? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It is sealer's plugin: http://sealer.cool/docs/getting-started/plugin.html#plugin-type-list |
||
|
||
# openyurt | ||
COPY yamls/*.yaml manifests | ||
COPY install-openyurt.sh . | ||
RUN chmod 777 install-openyurt.sh | ||
|
||
CMD kubectl apply -f manifests/kube-flannel.yml | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. why not put There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ok, solved. |
||
CMD ./install-openyurt.sh |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,177 @@ | ||
#!/bin/bash | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ok, solved. |
||
|
||
# Copyright © 2021 Alibaba Group Holding Ltd. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
# Open ipvs | ||
modprobe -- ip_vs | ||
modprobe -- ip_vs_rr | ||
modprobe -- ip_vs_wrr | ||
modprobe -- ip_vs_sh | ||
modprobe -- br_netfilter | ||
## version_ge 4.19 4.19 true ; | ||
## version_ge 5.4 4.19 true ; | ||
## version_ge 3.10 4.19 false ; | ||
|
||
version_ge(){ | ||
test "$(echo "$@" | tr ' ' '\n' | sort -rV | head -n 1)" == "$1" | ||
} | ||
|
||
disable_selinux(){ | ||
if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then | ||
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config | ||
setenforce 0 | ||
fi | ||
} | ||
|
||
get_distribution() { | ||
lsb_dist="" | ||
# Every system that we officially support has /etc/os-release | ||
if [ -r /etc/os-release ]; then | ||
lsb_dist="$(. /etc/os-release && echo "$ID")" | ||
fi | ||
# Returning an empty string here should be alright since the | ||
# case statements don't act unless you provide an actual value | ||
echo "$lsb_dist" | ||
} | ||
|
||
disable_firewalld() { | ||
lsb_dist=$( get_distribution ) | ||
lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')" | ||
case "$lsb_dist" in | ||
ubuntu|deepin|debian|raspbian) | ||
command -v ufw &> /dev/null && ufw disable | ||
;; | ||
centos|rhel|ol|sles|kylin|neokylin) | ||
systemctl stop firewalld && systemctl disable firewalld | ||
;; | ||
*) | ||
systemctl stop firewalld && systemctl disable firewalld | ||
echo "unknown system, use default to stop firewalld" | ||
;; | ||
esac | ||
} | ||
|
||
kernel_version=$(uname -r | cut -d- -f1) | ||
if version_ge "${kernel_version}" 4.19; then | ||
modprobe -- nf_conntrack | ||
else | ||
modprobe -- nf_conntrack_ipv4 | ||
fi | ||
|
||
cat <<EOF > /etc/sysctl.d/k8s.conf | ||
net.bridge.bridge-nf-call-ip6tables = 1 | ||
net.bridge.bridge-nf-call-iptables = 1 | ||
net.ipv4.conf.all.rp_filter=0 | ||
EOF | ||
sysctl --system | ||
sysctl -w net.ipv4.ip_forward=1 | ||
disable_firewalld | ||
swapoff -a || true | ||
disable_selinux | ||
|
||
chmod -R 755 ../bin/* | ||
chmod 644 ../bin | ||
cp ../bin/* /usr/bin | ||
cp ../scripts/kubelet-pre-start.sh /usr/bin | ||
#cni | ||
mkdir /opt/cni/bin -p | ||
chmod -R 755 ../cni/* | ||
chmod 644 ../cni | ||
cp ../cni/* /opt/cni/bin | ||
|
||
# Cgroup driver | ||
mkdir -p /etc/systemd/system | ||
cp ../etc/kubelet.service /etc/systemd/system/ | ||
[ -d /etc/systemd/system/kubelet.service.d ] || mkdir /etc/systemd/system/kubelet.service.d | ||
cp ../etc/10-kubeadm.conf /etc/systemd/system/kubelet.service.d/ | ||
|
||
[ -d /var/lib/kubelet ] || mkdir -p /var/lib/kubelet/ | ||
|
||
cat <<EOF > /var/lib/kubelet/config.yaml | ||
address: 0.0.0.0 | ||
apiVersion: kubelet.config.k8s.io/v1beta1 | ||
authentication: | ||
anonymous: | ||
enabled: false | ||
webhook: | ||
cacheTTL: 2m0s | ||
enabled: true | ||
x509: | ||
clientCAFile: /etc/kubernetes/pki/ca.crt | ||
authorization: | ||
mode: Webhook | ||
webhook: | ||
cacheAuthorizedTTL: 5m0s | ||
cacheUnauthorizedTTL: 30s | ||
cgroupDriver: ${criDriver} | ||
cgroupsPerQOS: true | ||
clusterDNS: | ||
- 10.96.0.10 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this ip address should be match with value that set by end user. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ok. |
||
clusterDomain: cluster.local | ||
configMapAndSecretChangeDetectionStrategy: Watch | ||
containerLogMaxFiles: 5 | ||
containerLogMaxSize: 10Mi | ||
contentType: application/vnd.kubernetes.protobuf | ||
cpuCFSQuota: true | ||
cpuCFSQuotaPeriod: 100ms | ||
cpuManagerPolicy: none | ||
cpuManagerReconcilePeriod: 10s | ||
enableControllerAttachDetach: true | ||
enableDebuggingHandlers: true | ||
enforceNodeAllocatable: | ||
- pods | ||
eventBurst: 10 | ||
eventRecordQPS: 5 | ||
evictionHard: | ||
imagefs.available: 15% | ||
memory.available: 100Mi | ||
nodefs.available: 10% | ||
nodefs.inodesFree: 5% | ||
evictionPressureTransitionPeriod: 5m0s | ||
failSwapOn: true | ||
fileCheckFrequency: 20s | ||
hairpinMode: promiscuous-bridge | ||
healthzBindAddress: 127.0.0.1 | ||
healthzPort: 10248 | ||
httpCheckFrequency: 20s | ||
imageGCHighThresholdPercent: 85 | ||
imageGCLowThresholdPercent: 80 | ||
imageMinimumGCAge: 2m0s | ||
iptablesDropBit: 15 | ||
iptablesMasqueradeBit: 14 | ||
kind: KubeletConfiguration | ||
kubeAPIBurst: 10 | ||
kubeAPIQPS: 5 | ||
makeIPTablesUtilChains: true | ||
maxOpenFiles: 1000000 | ||
maxPods: 110 | ||
nodeLeaseDurationSeconds: 40 | ||
nodeStatusUpdateFrequency: 10s | ||
oomScoreAdj: -999 | ||
podPidsLimit: -1 | ||
port: 10250 | ||
registryBurst: 10 | ||
registryPullQPS: 5 | ||
resolvConf: /etc/resolv.conf | ||
rotateCertificates: true | ||
runtimeRequestTimeout: 2m0s | ||
serializeImagePulls: true | ||
staticPodPath: /etc/kubernetes/manifests | ||
streamingConnectionIdleTimeout: 4h0m0s | ||
syncFrequency: 1m0s | ||
volumeStatsAggPeriod: 1m0s | ||
EOF | ||
|
||
systemctl enable kubelet |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
openyurt cloudimage --> openyurt cluster image
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, solved.