    Installing containerd + k8s on Arch Linux from scratch | 天天要聞
    Source: 博客園  Author: 洞察網  2023-04-27 12:17:06

    Download the ISO file: https://mirrors.tuna.tsinghua.edu.cn/archlinux/iso/latest/

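    Contents
    1. Preparation
    2. Disk management
       2.1 Disk partitioning
       2.2 Disk formatting
       2.3 Disk mounting
    3. Install the system
       3.1 Install the system files
       3.2 Configure fstab
       3.3 Configure the system
       3.4 Install the boot loader
       3.5 Install OpenSSH
       3.6 Hostname
       3.7 Set the root password
       3.8 Network configuration
       3.9 Reboot and boot from the hard disk
       3.10 Locale configuration
       3.11 Time zone configuration
       3.12 Hardware clock settings
    4. Install k8s
       4.1 Configure containerd
       4.2 Pull the k8s images
       4.3 Create the k8s cluster
       4.4 Join control-plane nodes
       4.5 Join worker nodes
       4.6 View the k8s cluster node information
    Appendix
       Package signature error

    1. Preparation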

    A VMware virtual machine is used as the example.


    Boot with EFI rather than the default BIOS. If you do not use EFI, the boot loader installed later must also be the non-EFI variant.

    Control-plane nodes (master)

    Node list:

        hostname       ip
        k8s-master1    10.0.2.101/24
        k8s-master2    10.0.2.102/24
        k8s-master3    10.0.2.103/24

    CPU: 2 cores

    Memory: 2GB

    Disk: 20GB

    NIC: NIC 1 (ens33) set to custom NAT

    Worker nodes

    Node list:

        hostname       ip
        k8s-worker1    10.0.2.111/24
        k8s-worker2    10.0.2.112/24
        k8s-worker3    10.0.2.113/24

    CPU: 2 cores

    Memory: 4GB

    Disk: 20GB

    NIC: NIC 1 (ens33) set to custom NAT

    2. Disk management

    2.1 Disk partitioning

    Use a GUID partition table with 2 partitions:

    1) EFI System (EF00), Last sector: +500M (500MB)

    2) Linux filesystem (8300), Last sector: <Enter> (the remaining capacity)

        gdisk /dev/sda

    2.2 Disk formatting

        mkfs.vfat -F32 /dev/sda1   # ESP partition, mounted at /boot
        mkfs.ext4 /dev/sda2        # Linux filesystem partition, mounted at /

    2.3 Disk mounting

        mount /dev/sda2 /mnt         # mount the root partition
        mkdir /mnt/boot              # create the /boot directory
        mount /dev/sda1 /mnt/boot    # mount the boot (ESP) partition
        lsblk                        # check how the partitions are mounted
    3. Install the system

    3.1 Install the system files

        vim /etc/pacman.d/mirrorlist   # add the following mirror server at the top
            Server = https://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
            #Server = https://mirrors.aliyun.com/archlinux/$repo/os/$arch

        # install the system
        pacstrap /mnt base base-devel
    3.2 Configure fstab

        genfstab -U /mnt > /mnt/etc/fstab   # generate the partition mount table

    Edit fstab

        vim /mnt/etc/fstab
        # for SSDs, append the options "discard,noatime"
    3.3 Configure the system

    Edit /mnt/etc/pacman.conf and add the following:

        [archlinuxcn]
        Server = https://mirrors.tuna.tsinghua.edu.cn/archlinuxcn/$arch
        #Server = https://mirrors.aliyun.com/archlinuxcn/$arch

    Switch the root directory to the new system

        arch-chroot /mnt /bin/bash

    Now the system can be fully upgraded:

        pacman -Syy   # the root directory changed, so the package cache must be refreshed
        pacman -S archlinuxcn-keyring
        pacman -S vim bash-completion yay fakeroot
        ln -s /usr/bin/vim /usr/bin/vi
    3.4 Install the boot loader

        # install the Linux kernel
        pacman -S linux-lts linux-firmware
        # install the microcode
        pacman -S amd-ucode   # on Intel, install intel-ucode

        bootctl install   # boot loader

        vim /boot/loader/entries/arch.conf
            title   Arch Linux
            linux   /vmlinuz-linux-lts
            # on Intel use /intel-ucode.img
            initrd  /amd-ucode.img
            initrd  /initramfs-linux-lts.img
            options root=/dev/sda2 rw

        vim /boot/loader/entries/arch-fallback.conf
            title   Arch Linux (fallback initramfs)
            linux   /vmlinuz-linux-lts
            # on Intel use /intel-ucode.img
            initrd  /amd-ucode.img
            initrd  /initramfs-linux-lts-fallback.img
            options root=/dev/sda2 rw

        # the ESP is mounted at /boot, so loader.conf lives next to the entries directory
        vim /boot/loader/loader.conf
            default arch.conf
            timeout 2
            console-mode max
            editor no

        # verify that the file paths are correct
        bootctl list
        bootctl status
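    3.5 Install OpenSSH

        pacman -S openssh
        # allow root to log in over SSH with a password (the stock line reads "#PermitRootLogin prohibit-password")
        sed -i "s/^#PermitRootLogin prohibit-password.*/PermitRootLogin yes/" /etc/ssh/sshd_config
        systemctl enable sshd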
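
    The result of the sed command above can be checked with a short script. This is an added example, not part of the original article; the helper names effective_root_login and root_password_login_blocked are hypothetical and the sample sshd_config files are constructed. It reads only the global section of the file; Match blocks are not evaluated.

```shell
#!/usr/bin/env bash
# Added example (not from the original article).
# sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
# and the OpenSSH default for PermitRootLogin is prohibit-password.

# Print the effective global PermitRootLogin value of the given sshd_config.
effective_root_login() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        tolower($1) == "match" { exit }          # the global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Return 0 only if root cannot authenticate with a password.
root_password_login_blocked() {
    case "$(effective_root_login "$1")" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files standing in for /etc/ssh/sshd_config.
sample_dir=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' 'Port 22' > "$sample_dir/stock"
printf '%s\n' 'PermitRootLogin yes' 'Port 22' > "$sample_dir/after_sed"

for f in stock after_sed; do
    if root_password_login_blocked "$sample_dir/$f"; then
        verdict="root password login blocked"
    else
        verdict="root password login ENABLED"
    fi
    printf '%-10s %-18s %s\n' "$f" "$(effective_root_login "$sample_dir/$f")" "$verdict"
done
```

    On a live host, `sshd -T` prints the fully resolved configuration, including the effect of Match blocks.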
    3.6 Hostname

        echo "<hostname>" > /etc/hostname   # replace <hostname> with this node's name, e.g. k8s-master1

    3.7 Set the root password

        passwd
    3.8 Network configuration

    Use systemd-networkd

    VMware network configuration:
        Mode: NAT
        Subnet: 10.0.2.0/24
        DHCP: 10.0.2.200 - 10.0.2.254
        Gateway: 10.0.2.2 (do not set it to 10.0.2.1, otherwise the external network cannot be reached)

        vim /etc/systemd/network/20-wired.network
            [Match]
            Name=ens33

            [Network]
            #DHCP=ipv4   # enable when using DHCP
            Address=10.0.2.101/24
            Gateway=10.0.2.2
            DNS=223.5.5.5
            DNS=223.6.6.6

        systemctl enable systemd-networkd
        systemctl enable systemd-resolved
    3.9 Reboot and boot from the hard disk

        exit     # leave the chroot
        reboot   # after the reboot, boot into the installed system
    3.10 Locale configuration

        vim /etc/locale.gen
            en_US.UTF-8 UTF-8
            zh_CN.GBK GBK
            zh_CN.UTF-8 UTF-8
            zh_CN GB2312

        locale-gen                                  # generate the locales
        echo "LANG=en_US.UTF-8" > /etc/locale.conf  # set the default locale
    3.11 Time zone configuration

        ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

    3.12 Hardware clock settings

        # date -s "2022-7-5 16:49:45"
        hwclock --systohc --utc     # use UTC; write the system time to the hardware clock
        # hwclock --hctosys --utc   # use UTC; write the hardware clock to the system time
    4. Install k8s

    Install with kubeadm: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/

        pacman -S kubeadm kubelet kubectl containerd
        systemctl enable containerd
        systemctl start containerd
        systemctl enable kubelet
        systemctl start kubelet
    4.1 Configure containerd

    Create the configuration file /etc/modules-load.d/containerd.conf:

        cat << EOF > /etc/modules-load.d/containerd.conf
        overlay
        br_netfilter
        EOF

    Modify the containerd configuration

        # modify the configuration
        mkdir -p /etc/containerd
        if [ ! -f /etc/containerd/config.toml ]; then
            containerd config default > /etc/containerd/config.toml
        fi
        # set systemd_cgroup to true
        sed -i "s/SystemdCgroup = false/SystemdCgroup = true/g" /etc/containerd/config.toml
        sed -i "s/k8s.gcr.io/registry.aliyuncs.com\/google_containers/g" /etc/containerd/config.toml
        systemctl restart containerd
        echo "alias docker='crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock'" >> ~/.bashrc
        source ~/.bashrc
        # make sure containerd's cgroup driver is SystemdCgroup
        crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock info | grep SystemdCgroup | awk -F ": " '{ print $2 }'
        true
    4.2 Pull the k8s images

    The --image-repository parameter specifies the repository address for the k8s images

        kubeadm config images pull --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.24.2
    4.3 Create the k8s cluster

        # a load balancer should be set up first, and the load balancer IP used here
        echo "10.0.2.101 cluster.berkaroad.com" >> /etc/hosts

        # in this kubelet version the command-line flag `--cni-bin-dir` has been removed, so it must be dropped
        sed -i "s/--cni-bin-dir=\/usr\/lib\/cni//g" /etc/kubernetes/kubelet.env

        # initialize the k8s cluster
        kubeadm init  --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.24.2 --control-plane-endpoint=cluster.berkaroad.com --apiserver-advertise-address=10.0.2.101 --pod-network-cidr=10.100.0.0/16 --service-cidr=10.101.0.0/16 --service-dns-domain=cluster.berkaroad.com --upload-certs --v=5

        # after it succeeds, configure as prompted
        mkdir -p $HOME/.kube
        sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
        sudo chown $(id -u):$(id -g) $HOME/.kube/config

        # Note: time must be consistent across the cluster, otherwise joining the cluster fails with the error: x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z

        # You can now join any number of the control-plane node running the following command on each as root:
        kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
            --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
            --control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44

        # if the --certificate-key has expired, run:
        kubeadm init phase upload-certs --upload-certs

        # Then you can join any number of worker nodes by running the following on each as root:
        kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
            --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3

        # if the token has expired, run:
        kubeadm token create --print-join-command

        # install the CNI: Calico
        kubectl apply -f https://projectcalico.docs.tigera.io/archive/v3.22/manifests/calico.yaml

        # if this fails, check that the cgroup driver is consistent (docker or containerd, and kubelet)
        # check whether the CRI used by kubeadm is containerd or docker
        cat /var/lib/kubelet/kubeadm-flags.env
        KUBELET_KUBEADM_ARGS="--container-runtime=remote --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.7"

        # check the kubelet's cgroup driver
        cat /var/lib/kubelet/config.yaml | grep cgroupDriver | awk -F ": " '{ print $2 }'
        systemd
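
    The cgroup consistency check mentioned above (containerd's SystemdCgroup setting against the kubelet's cgroupDriver) can be scripted. This is an added example, not part of the original article; the function names are hypothetical, the sample files are constructed stand-ins for /etc/containerd/config.toml and /var/lib/kubelet/config.yaml, and an unset cgroupDriver is assumed to mean cgroupfs.

```shell
#!/usr/bin/env bash
# Added example (not from the original article).

# containerd: "systemd" when the runc option SystemdCgroup is true, else "cgroupfs".
containerd_cgroup_driver() {
    awk -F'=' '
        $1 ~ /^[ \t]*SystemdCgroup[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v)
            r = (v == "true") ? "systemd" : "cgroupfs"
            print r; found = 1; exit
        }
        END { if (!found) print "cgroupfs" }
    ' "$1"
}

# kubelet: value of cgroupDriver in its config.yaml (assumed "cgroupfs" when unset).
kubelet_cgroup_driver() {
    awk -F':' '
        $1 == "cgroupDriver" { v = $2; gsub(/[ \t"]/, "", v); print v; found = 1; exit }
        END { if (!found) print "cgroupfs" }
    ' "$1"
}

# Succeeds only when both sides agree; prints what it found either way.
cgroup_drivers_match() {
    c=$(containerd_cgroup_driver "$1")
    k=$(kubelet_cgroup_driver "$2")
    echo "containerd=$c kubelet=$k"
    [ "$c" = "$k" ]
}

# Constructed sample files: the default config, the config after the sed in 4.1,
# and a kubelet config as written by kubeadm.
demo=$(mktemp -d)
cat > "$demo/config.default.toml" <<'EOF'
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = false
EOF
sed 's/SystemdCgroup = false/SystemdCgroup = true/' "$demo/config.default.toml" > "$demo/config.fixed.toml"
printf 'kind: KubeletConfiguration\ncgroupDriver: systemd\n' > "$demo/kubelet.yaml"

cgroup_drivers_match "$demo/config.default.toml" "$demo/kubelet.yaml" || echo "MISMATCH: fix before kubeadm init/join"
cgroup_drivers_match "$demo/config.fixed.toml" "$demo/kubelet.yaml" && echo "OK"
```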
    4.4 Join control-plane nodes

        # a load balancer should be set up first, and the load balancer IP used here
        echo "10.0.2.101 cluster.berkaroad.com" >> /etc/hosts

        # in this kubelet version the command-line flag `--cni-bin-dir` has been removed, so it must be dropped
        sed -i "s/--cni-bin-dir=\/usr\/lib\/cni//g" /etc/kubernetes/kubelet.env

        # Note: time must be consistent across the cluster, otherwise joining the cluster fails with the error: x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z

        # You can now join any number of the control-plane node running the following command on each as root:
        kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
            --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
            --control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44

        # if the --certificate-key has expired, run:
        kubeadm init phase upload-certs --upload-certs

        # if the token has expired, run:
        kubeadm token create --print-join-command

        # after it succeeds, configure as prompted
        mkdir -p $HOME/.kube
        sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
        sudo chown $(id -u):$(id -g) $HOME/.kube/config
    4.5 Join worker nodes

        # a load balancer should be set up first, and the load balancer IP used here
        echo "10.0.2.101 cluster.berkaroad.com" >> /etc/hosts

        # in this kubelet version the command-line flag `--cni-bin-dir` has been removed, so it must be dropped
        sed -i "s/--cni-bin-dir=\/usr\/lib\/cni//g" /etc/kubernetes/kubelet.env

        # after it succeeds, configure as prompted
        mkdir -p $HOME/.kube
        sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
        sudo chown $(id -u):$(id -g) $HOME/.kube/config

        # Note: time must be consistent across the cluster, otherwise joining the cluster fails with the error: x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z

        # Then you can join any number of worker nodes by running the following on each as root:
        kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
            --discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3

        # if the token has expired, run:
        kubeadm token create --print-join-command
    4.6 View the k8s cluster node information

        kubectl get no -o wide
        NAME          STATUS   ROLES           AGE    VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE     KERNEL-VERSION   CONTAINER-RUNTIME
        k8s-master1   Ready    control-plane   2d9h   v1.24.2   10.0.2.101    <none>        Arch Linux   5.15.50-1-lts    containerd://1.6.6
        k8s-master2   Ready    control-plane   2d5h   v1.24.2   10.0.2.102    <none>        Arch Linux   5.15.52-1-lts    containerd://1.6.6
        k8s-master3   Ready    control-plane   2d     v1.24.2   10.0.2.103    <none>        Arch Linux   5.15.52-1-lts    containerd://1.6.6
        k8s-worker1   Ready    <none>          3h4m   v1.24.2   10.0.2.111    <none>        Arch Linux   5.15.52-1-lts    containerd://1.6.6
        k8s-worker2   Ready    <none>          176m   v1.24.2   10.0.2.112    <none>        Arch Linux   5.15.52-1-lts    containerd://1.6.6
        k8s-worker3   Ready    <none>          176m   v1.24.2   10.0.2.113    <none>        Arch Linux   5.15.52-1-lts    containerd://1.6.6
    Appendix

    Package signature error

        error: libcap: signature from "David Runge " is marginal trust
        :: File /var/cache/pacman/pkg/libcap-2.65-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
        Do you want to delete it? [Y/n] Y
        error: failed to commit transaction (invalid or corrupted package)
        Errors occurred, no packages were upgraded.

    Update the pacman key certificates

        pacman -S gnupg
        pacman -Sy archlinux-keyring
        pacman-key --populate archlinux
        pacman-key --refresh-keys
        pacman -Syux

    [Editor in charge: linlin]
