nginx反向代理kibana,使用二级目录

nginx的配置文件

    # Kibana served under the /es/ sub-path. With both auth_basic lines commented out every
    # request to /es/ reaches Kibana unauthenticated — re-enable them (or put another auth
    # layer in front) before this listener is reachable beyond a trusted network.
    location ^~ /es/ {
#                auth_basic "Please input password";   # realm text shown in the browser's login prompt
#                auth_basic_user_file password/passwd;
                proxy_redirect off;
                # Strip the /es prefix before proxying; Kibana's server.basePath must be "/es" to match.
                rewrite ^/es/(.*)$ /$1 break;
                proxy_http_version 1.1;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header REMOTE-HOST $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://kibana:5601/;
}

kibana.yml

server.name: kibana  
server.host: "0"  ## bind on all interfaces; only acceptable because nginx (the /es/ location) sits in front — keep 5601 unpublished
elasticsearch.hosts: [ "http://elasticsearch:9200" ]  ## plain http, no elasticsearch.username/password set — assumes an isolated container network
monitoring.ui.container.elasticsearch.enabled: true
i18n.locale: "zh-CN" ## Chinese UI
server.basePath: "/es"  ## must equal the nginx location prefix that the rewrite strips

CENTOS7升级内核

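# CentOS 7: upgrade to a mainline kernel from ELRepo. Run as root.
# Import the repo signing key first so the release RPM and every kernel package below
# are GPG-verified instead of trusted blindly.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum install -y https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
# Show the kernels offered by the elrepo-kernel repo only.
yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
# kernel-ml is the mainline branch (newest, least conservative); kernel-lt is the long-term one.
yum --enablerepo=elrepo-kernel install kernel-ml -y
# To pin one build instead of "newest", install the fully-qualified package
# (name-version-release.arch) from the same repo. The original note passed the version
# string to --enablerepo, which is not a repo id and cannot work; 5.17.1-1.el7.elrepo is the
# build named in the notes — substitute the one you saw in the listing above.
# yum --disablerepo='*' --enablerepo='elrepo-kernel' install -y kernel-ml-5.17.1-1.el7.elrepo.x86_64
# Boot the new kernel (normally menu entry 0) by default: GRUB_DEFAULT=saved -> 0.
# The pattern is anchored to that one key so no other "saved" text in the file is touched.
sed -i 's/^GRUB_DEFAULT=saved$/GRUB_DEFAULT=0/' /etc/default/grub
grep -q '^GRUB_DEFAULT=0$' /etc/default/grub || {
  echo 'GRUB_DEFAULT is not 0 — edit /etc/default/grub by hand before rebooting' >&2
  exit 1
}
grub2-mkconfig -o /boot/grub2/grub.cfg && reboot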

ubuntu安装kubernetes

基础环境

四台主机,一主三从,ubuntu20.04

重点:主机名必须不同!必须不同!必须不同!

修改系统参数

  • 禁用swap
vim /etc/fstab
注释掉swap行

  • 确保时区和时间正确
timedatectl set-timezone Asia/Shanghai
  • master安装ntp服务
apt install ntp -y
  • node节点变更ntp服务器
vim /etc/ntp.conf
清空,只写如下行
server master节点ip或者内部域名
  • net.bridge.bridge-nf-call-iptables
vim /etc/sysctl.d/k8s.conf

# Make bridged pod traffic traverse iptables so kube-proxy / CNI rules apply to it.
# NOTE(review): these keys only exist once the br_netfilter module is loaded — load it
# (modprobe br_netfilter) before `sysctl --system`, or applying this file fails.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
  • rp_filter
vim /etc/sysctl.d/10-network-security.conf

# Change both values below from 2 (loose) to 1 (strict) — Ubuntu ships them as 2 in this file.
# NOTE(review): the notes make this change for the pod network; confirm the required value
# against your CNI's documentation before applying on a node that has other routing needs.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

部署docker

  • installdocker.sh
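#!/usr/bin/env bash
# installdocker.sh — install Docker CE on Ubuntu from the Aliyun mirror.
# Must run as root (apt and /etc/apt are written directly; the original mixed sudo with
# un-sudo'ed apt calls).
set -euo pipefail

if [[ $EUID -ne 0 ]]; then
  echo 'installdocker.sh: run as root' >&2
  exit 1
fi

apt update
apt upgrade -y
apt install -y apt-transport-https ca-certificates curl software-properties-common gnupg lsb-release

# Fetch the repo signing key over HTTPS (the original pulled it over plain http, which lets an
# on-path attacker substitute the key that then validates every package below) and keep it in
# a dedicated keyring bound to this repo via signed-by, instead of the deprecated apt-key
# which trusts the key for all repositories.
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg \
  | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg

codename=$(lsb_release -cs)
arch=$(dpkg --print-architecture)
echo "deb [arch=${arch} signed-by=/etc/apt/keyrings/docker.gpg] https://mirrors.aliyun.com/docker-ce/linux/ubuntu ${codename} stable" \
  > /etc/apt/sources.list.d/docker.list
apt update
apt install -y docker-ce docker-ce-cli containerd.io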
  • daemon.json

最后一行是重点

 {
	    "registry-mirrors": ["https://0xj5rnq5.mirror.aliyuncs.com"],
	    "log-driver":"json-file",
	    "log-opts": {"max-size":"500m", "max-file":"3"},
	    "exec-opts": ["native.cgroupdriver=systemd"]
 }

部署kubernetes master

  • installk8s.sh
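#!/usr/bin/env bash
# installk8s.sh — install a pinned kubelet/kubeadm/kubectl from the Aliyun Kubernetes apt
# mirror. Run as root on the control-plane node and on every worker.
set -euo pipefail

# apt package version; must agree with the --kubernetes-version passed to kubeadm init.
k8sversion=1.22.7-00

if [[ $EUID -ne 0 ]]; then
  echo 'installk8s.sh: run as root' >&2
  exit 1
fi

apt update
apt install -y ca-certificates curl software-properties-common apt-transport-https gnupg

# -f makes curl fail on an HTTP error instead of piping an error page into gpg as a "key".
# The key lives in its own keyring and is bound to this repo via signed-by (apt-key, used in
# the original, is deprecated and trusts the key for every repository).
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg \
  | gpg --dearmor --yes -o /etc/apt/keyrings/kubernetes-aliyun.gpg
chmod a+r /etc/apt/keyrings/kubernetes-aliyun.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-aliyun.gpg] https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main' \
  > /etc/apt/sources.list.d/kubernetes.list
apt update
apt install -y "kubelet=${k8sversion}" "kubeadm=${k8sversion}" "kubectl=${k8sversion}"
# Hold the three packages so a routine `apt upgrade` cannot move the node to another minor.
apt-mark hold kubelet kubeadm kubectl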
  • 初始化master

# Bootstrap the control plane; the version must equal the apt-pinned 1.22.7 from installk8s.sh.
# --pod-network-cidr has to match the CNI's pool (calico: CALICO_IPV4POOL_CIDR; flannel's
# manifest defaults to 10.244.0.0/16 — verify). --image-repository pulls every control-plane
# image from a third-party mirror rather than the upstream registry, so image integrity
# rests on that mirror.
kubeadm init \
  --kubernetes-version=1.22.7 \
  --pod-network-cidr=10.244.0.0/16 \
  --service-cidr=10.96.0.0/16 \
  --apiserver-advertise-address=0.0.0.0 \
  --image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers

  • 非root用户要做的
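# Non-root user: make kubectl use the cluster-admin kubeconfig. The copy needs sudo because
# /etc/kubernetes/admin.conf is root-only (the kubeadm output further down shows the same two
# sudo steps; the original omitted them). The result is a cluster-admin credential — keep it 0600.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
chmod 0600 "$HOME/.kube/config"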
  • root用户要做的
在 /etc/profile 中追加:
export KUBECONFIG=/etc/kubernetes/admin.conf
  • 安装calico网络插件(可选)
第一种:
wget -c https://docs.projectcalico.org/v3.21/manifests/calico.yaml
修改CALICO_IPV4POOL_CIDR,不能与宿主机冲突
kubectl apply -f calico.yaml

第二种:(安装正确,但是安装istio时候,ca过不去,不知道具体原因,暂时不适用这个方式)
wget https://docs.projectcalico.org/manifests/tigera-operator.yaml
wget https://docs.projectcalico.org/manifests/custom-resources.yaml
修改custom-resources.yaml,ippool修改的于pod-network一致
kubectl create -f tigera-operator.yaml
kubectl create -f custom-resources.yaml

给master打上污点
# NOTE: the trailing "-" REMOVES the node-role.kubernetes.io/master NoSchedule taint from every
# node, i.e. it lets ordinary workloads be scheduled onto the control plane (the heading above
# says "add a taint", but this command removes it). Skip it on a multi-node cluster unless
# running workloads on the control plane is intended.
kubectl taint nodes --all node-role.kubernetes.io/master-
  • 安装flannel网络插件(可选)
# Apply flannel. This URL tracks the repo's master branch, so the manifest is unpinned and may
# change between runs; pin a release tag and review it first — it installs a host-network
# DaemonSet with elevated privileges on every node.
kubectl apply --filename=https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
  • 初始化后的输出
Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.31.0.99:6443 --token 08gygc.dgz7t1gf1plglllc \
	--discovery-token-ca-cert-hash sha256:f4fbe6d79db14d9a038a01ba34e5fd460a3807b967c664e8658f0e4948e3beba 

安装K8s worker节点

  • 执行 installk8s.sh
  • 加入节点

# On each worker, as root: the join line printed by `kubeadm init` (same values as above).
# The token is a short-lived bootstrap credential — once it expires, mint a new one on the
# control plane with `kubeadm token create --print-join-command`. The sha256 hash is how the
# worker verifies it is joining the intended control plane; never drop it.
kubeadm join 172.31.0.99:6443 --discovery-token-ca-cert-hash sha256:f4fbe6d79db14d9a038a01ba34e5fd460a3807b967c664e8658f0e4948e3beba --token 08gygc.dgz7t1gf1plglllc

删除节点

  • 在master执行
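# On the control plane: cordon and evict the node, then delete the node object.
# --force also evicts pods that no controller manages (they are lost) and
# --delete-emptydir-data discards emptyDir volumes, so check what runs there first.
node=tqu4jnp1sot5qxtx-0003
kubectl drain "$node" --delete-emptydir-data --force --ignore-daemonsets
# The original read `kuberctl delete nods`: wrong binary name and wrong resource name.
kubectl delete node "$node"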
  • 在client执行
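# On the removed worker itself: revert what `kubeadm join` did to this host (asks for
# confirmation). The original read `kuberctl reset`, which does not exist — kubectl has no
# reset subcommand; resetting a node is a kubeadm operation.
kubeadm reset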
  • token失效后的处理
# On the control plane: create a fresh bootstrap token and print the complete `kubeadm join`
# line (token plus CA hash) for new workers once the original token has expired.
kubeadm token create --print-join-command

安装helm

installhelm.sh

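#!/usr/bin/env bash
# installhelm.sh — install Helm from its apt repository (baltocdn.com). Run as root.
set -euo pipefail

if [[ $EUID -ne 0 ]]; then
  echo 'installhelm.sh: run as root' >&2
  exit 1
fi

apt install -y apt-transport-https gnupg
# -f: fail on HTTP errors so an error page is never fed to gpg as a "key". The key goes into
# its own keyring and is bound to this repo via signed-by rather than the deprecated apt-key.
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://baltocdn.com/helm/signing.asc \
  | gpg --dearmor --yes -o /etc/apt/keyrings/helm.gpg
chmod a+r /etc/apt/keyrings/helm.gpg
echo 'deb [signed-by=/etc/apt/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main' \
  > /etc/apt/sources.list.d/helm-stable-debian.list
apt update
# -y: the original `apt install helm` blocks on a confirmation prompt when run as a script.
apt install -y helm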

istio

  • 安装istio
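# Install Istio with the demo profile and enable sidecar injection for the default namespace.
istio_version=1.13.1
wget -c "https://github.com/istio/istio/releases/download/${istio_version}/istio-${istio_version}-linux-amd64.tar.gz"
tar -zxvf "istio-${istio_version}-linux-amd64.tar.gz"
mv "istio-${istio_version}" istio
# Put istioctl on PATH. The original line was `export $PWD/bin:$PATH`, which tries to export
# a variable named after the path instead of setting PATH, so istioctl was never found.
export PATH="$PWD/istio/bin:$PATH"
cd istio
# The demo profile exists to showcase features; use the `default` profile for anything
# reachable from outside a lab.
istioctl install --set profile=demo -y
kubectl label namespace default istio-injection=enabled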
  • 删除istio
# Tear Istio down: "x" is the alias for "experimental"; --purge removes all Istio-related
# resources regardless of revision, then the emptied namespace is deleted.
istioctl x uninstall --purge
kubectl delete ns istio-system

更新证书到100年

下载kubernetes源码

# Source for exactly the release installed by installk8s.sh (1.22.7), unpacked to the path
# that is bind-mounted into the build container below.
wget --continue https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.22.7.tar.gz
tar --gzip --extract --verbose --file=v1.22.7.tar.gz
mv ./kubernetes-1.22.7 /tmp/kubernetes
修改./staging/src/k8s.io/client-go/util/cert/cert.go
    // NotAfter: now.Add(duration365d * 10).UTC(),
    NotAfter:              now.Add(duration365d * 100).UTC(),
修改:./cmd/kubeadm/app/constants/constants.go
    // CertificateValidity = time.Hour * 24 * 365
    CertificateValidity = time.Hour * 24 * 365 * 100

# Build the patched kubeadm inside a kube-cross container (Go 1.17.7 toolchain) with the source
# tree bind-mounted where the Makefile expects it.
# NOTE(review): larryq/kube-cross is a personal Docker Hub image, not the project's build image.
# The kubeadm built here mints the cluster CA and every node/client certificate, so an
# unverified toolchain is a supply-chain exposure — prefer the official kube-cross image for
# the Go version this tree pins, or at least record the image digest that was used.
docker run --rm -it -v /tmp/kubernetes:/go/src/k8s.io/kubernetes larryq/kube-cross:v-go1.17.7
# The make targets below are typed into the container shell started above.
#cd /go/src/k8s.io/kubernetes
make all WHAT=cmd/kubeadm GOFLAGS=-v
以下两个可以不编译
# Optional: only kubeadm carries the certificate-validity change; kubectl and kubelet
# need not be rebuilt.
make all WHAT=cmd/kubectl GOFLAGS=-v
make all WHAT=cmd/kubelet GOFLAGS=-v

输出文件路径:/tmp/kubernetes/_output/local/bin/linux/amd64
将原kubeadm备份
# Replace the distro kubeadm with the patched build. The `apt-mark hold kubeadm` from
# installk8s.sh is what keeps a later `apt upgrade` from restoring the stock binary over it.
mv /usr/bin/kubeadm /usr/bin/kubeadm-bak
cp /tmp/kubernetes/_output/local/bin/linux/amd64/kubeadm /usr/bin/
chmod a+x /usr/bin/kubeadm
# NOTE(review): with CertificateValidity at 100 years the CA and every leaf certificate are in
# effect never rotated — a leaked node or admin key stays valid for the life of the cluster,
# and `kubeadm certs check-expiration` stops being a meaningful control.

如果在kubeadm init之前就处理了kubeadm,直接init即可,如果是之后,则需进行更新操作
检查有效期: kubeadm certs check-expiration
更新证书: kubeadm certs renew all

大型软件使用docker要注意的问题

只有一个:数据持久化!数据持久化!数据持久化!!!

必须熟悉软件的所有的配置文件在哪里,数据文件保存在哪里,通过挂载方式(目录或者卷)挂载到宿主机。

elasticsearch安装ik插件

# Install the IK Chinese analyzer. The plugin version (v6.3.0 here, in both places of the URL)
# must exactly match the running Elasticsearch version, otherwise the install is rejected.
./bin/elasticsearch-plugin install https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v6.3.0/elasticsearch-analysis-ik-6.3.0.zip

替换版本号即可

redis部署

docker-compose.yml

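version: '2.2'
services:
  redis:
    image: redis:5
    container_name: redis
    # Published on every host interface (and Docker bypasses ufw for published ports), so the
    # requirepass in redis.conf is the only thing between the network and the data — use
    # "127.0.0.1:6379:6379" if only local clients need it.
    ports:
      - "6379:6379"
    # `restart: always` appeared twice in the original service; YAML mapping keys must be
    # unique and newer Compose rejects the duplicate.
    restart: always
    mem_limit: 1024m
    volumes:
      - $PWD/conf/redis.conf:/usr/local/etc/redis/redis.conf
      - /etc/localtime:/etc/localtime:ro
      - redis:/data
    command:
      - /bin/bash
      - -c
      - |
        redis-server /usr/local/etc/redis/redis.conf
volumes:
  redis:
    # Pre-created with `docker volume create redis`; Compose will not create an external volume.
    external: true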

redis.conf

最核心的配置

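# Listen on all container interfaces; together with the published 6379 in docker-compose.yml
# this is reachable from the network, so requirepass is mandatory.
# Redis does not accept a trailing "#" comment on a directive line: the original
# "requirepass xxxx ##..." was split into extra arguments and rejected at startup
# ("wrong number of arguments"), so comments go on their own line.
bind 0.0.0.0
# Replace xxxx with a long random password (e.g. from `openssl rand -base64 32`).
requirepass xxxx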

单实例NACOS

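version: "2"
services:
  nacos:
    image: nacos/nacos-server:2.0.3
    container_name: nacos-standalone-mysql
    # `restart: always` was listed twice in the original service (a duplicate mapping key,
    # rejected by newer Compose).
    restart: always
    env_file:
      - ./nacos-standlone-mysql.env
    volumes:
      - ./standalone-logs/:/home/nacos/logs
      - ./init.d/custom.properties:/home/nacos/init.d/custom.properties
    # 8848 is the console/HTTP API and 9848 the gRPC port; all three are published on every
    # host interface. Bind them to 127.0.0.1 or a private address unless the host firewall
    # already limits who can reach the Nacos console.
    ports:
      - "8848:8848"
      - "9848:9848"
      - "9555:9555"
    depends_on:
      - mysql
  mysql:
    container_name: mysql
    image: nacos/nacos-mysql:8.0.16
    restart: always
    env_file:
      - ./mysql.env
    volumes:
      - ./mysql:/var/lib/mysql
    # nacos reaches the database as "mysql" over the Compose network (MYSQL_SERVICE_HOST),
    # so publishing 3306 is only needed for external tooling and exposes the sample
    # credentials in mysql.env to the network.
    ports:
      - "3306:3306"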

nacos-standlone-mysql.env

# Nacos standalone mode backed by the "mysql" service from docker-compose.yml.
PREFER_HOST_MODE=hostname
MODE=standalone
SPRING_DATASOURCE_PLATFORM=mysql
MYSQL_SERVICE_HOST=mysql
MYSQL_SERVICE_DB_NAME=nacos
MYSQL_SERVICE_PORT=3306
MYSQL_SERVICE_USER=nacos
# Must equal MYSQL_PASSWORD in mysql.env; "nacos" is the sample value — change both together.
MYSQL_SERVICE_PASSWORD=nacos
# useSSL=false: the JDBC connection is plaintext, acceptable only because both containers share
# a private Compose network.
MYSQL_SERVICE_DB_PARAM=characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true&useSSL=false

custom.properties

# Nacos custom.properties (mounted into /home/nacos/init.d/ by docker-compose.yml).
# The only active setting in this file exposes every Spring Boot actuator endpoint over HTTP
# on the Nacos port; everything else is commented out. With 8848 published on all interfaces,
# narrow it to the endpoints actually scraped (e.g. `prometheus`) or fence the port.
#spring.security.enabled=false
#management.security=false
#security.basic.enabled=false
#nacos.security.ignore.urls=/**
#management.metrics.export.elastic.host=http://localhost:9200
# metrics for prometheus
management.endpoints.web.exposure.include=*

# metrics for elastic search
#management.metrics.export.elastic.enabled=false
#management.metrics.export.elastic.host=http://localhost:9200

# metrics for influx
#management.metrics.export.influx.enabled=false
#management.metrics.export.influx.db=springboot
#management.metrics.export.influx.uri=http://localhost:8086
#management.metrics.export.influx.auto-create-db=true
#management.metrics.export.influx.consistency=one
#management.metrics.export.influx.compressed=true

mysql.env

# Credentials for the nacos/nacos-mysql container. root/root and nacos/nacos are sample values
# from the notes; with 3306 published on the host (docker-compose.yml) they are reachable from
# the network. Set real secrets before the first start — MySQL images typically apply these
# only when ./mysql is initialised for the first time.
MYSQL_ROOT_PASSWORD=root
MYSQL_DATABASE=nacos
MYSQL_USER=nacos
# must equal MYSQL_SERVICE_PASSWORD in nacos-standlone-mysql.env
MYSQL_PASSWORD=nacos

单实例kafka

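version: "2"

services:
  zookeeper:
    image: docker.io/bitnami/zookeeper:3.7
    container_name: zookeeper
    mem_limit: 2048m
    restart: always
    # 2181 is published on every host interface while ALLOW_ANONYMOUS_LOGIN is on, so anyone
    # who can reach the host can read and rewrite the Kafka metadata tree. Keep the host
    # firewalled or bind to 127.0.0.1 — Kafka reaches it as "zookeeper" over the Compose network.
    ports:
      - "2181:2181"
    volumes:
      - "zookeeper_data:/bitnami"
    environment:
      - ALLOW_ANONYMOUS_LOGIN=yes
  kafka:
    image: docker.io/bitnami/kafka:3
    container_name: kafka
    mem_limit: 4096m
    restart: always
    ports:
      - "9092:9092"
    volumes:
      - "kafka_data:/bitnami"
    environment:
      - KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper:2181
      # Unauthenticated, unencrypted listener; acceptable only on an isolated network.
      - ALLOW_PLAINTEXT_LISTENER=yes
      # The Bitnami image maps every KAFKA_CFG_<KEY> variable onto the broker property <key>
      # (lower-cased, "_" -> "."); the documented prefix is used consistently here.
      - KAFKA_CFG_LISTENERS=PLAINTEXT://0.0.0.0:9092
      # Advertised as 127.0.0.1, so only clients on this host can complete a connection even
      # though 9092 is published; set the host's address here for remote clients.
      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://127.0.0.1:9092
      # The original spelled this "LOG.RETENTION.HOURS", which carries no KAFKA_CFG_ prefix
      # (and is not a valid environment-variable name), so retention silently stayed at the
      # broker default.
      - KAFKA_CFG_LOG_RETENTION_HOURS=168
    depends_on:
      - zookeeper
volumes:
  zookeeper_data:
    driver: local
  kafka_data:
    driver: local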

安装jenkins并使用nginx反向代理https

jenkins的docker-compose.yml

version: '2.2'
services:
        jenkins:
                # NOTE(review): jenkinsci/blueocean is an unpinned tag (whatever was pushed last)
                # and the Blue Ocean image has been marked deprecated upstream — verify, and pin
                # a digest or move to jenkins/jenkins:lts with Blue Ocean as a plugin.
                image: jenkinsci/blueocean
                container_name: jenkins
                mem_limit: 2048m
                # Placeholder "<git server hostname>:<internal address>" so builds can resolve
                # the internal Git server without DNS.
                extra_hosts:
                        - "git服务器:内网地址"
                restart: always
                # No `ports:` — Jenkins is not published on the host; nginx reaches it as
                # http://jenkins:8080 over the shared "gitlab" network (see default.conf).
                networks:
                        gitlab:
                environment:
                        - TZ=Asia/Shanghai
                volumes:
                        - /etc/localtime:/etc/localtime:ro
                        - jenkins:/var/jenkins_home
networks:
        gitlab:
                # Pre-created network shared with the nginx (and GitLab) stack; Compose will not create it.
                external: true
volumes:
        jenkins:
                # Pre-created with `docker volume create jenkins`; holds all job config and credentials.
                external: true

nginx的default.conf

server {
    # Plain-HTTP listener: every path except the error page is redirected to HTTPS.
    # Note a request that already carried credentials has sent them in clear before the
    # redirect; an HSTS header on the 443 server is what stops browsers from trying http first.
    listen       80;
    listen  [::]:80;
    server_name xxx;

    location / {
        # $host (not $server_name) keeps whatever name the client used in the redirect target.
        return 301 https://$host$request_uri;
    }

  
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

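server {
    listen 443 ssl http2;
    server_name xxx;
    ssl_certificate certs/xxx.pem;
    ssl_certificate_key certs/xxx.key;
    ssl_session_timeout 5m;
    # Forward-secret AEAD suites only (TLS 1.2; TLS 1.3 suites are built in and not governed by
    # this list). The original list ("ECDHE:ECDH:AES:HIGH:...") also admitted static-RSA and
    # CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were enabled in the original; a CI server
    # holding SCM credentials and deploy keys should not negotiate them.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Enable once the certificate is trusted by every client (HSTS makes a bad cert unskippable):
    # add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://jenkins:8080; ## nginx's docker-compose.yml puts it on the same network as jenkins
        aio threads;
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets Jenkins build correct https:// absolute URLs behind the proxy.
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        # Long timeouts and large buffers: Jenkins streams build output and plugin uploads are big.
        proxy_connect_timeout  600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        proxy_buffers    8 512k;
        proxy_buffer_size 512k;
        client_max_body_size  2048M;
        client_body_buffer_size 256K;
    }
}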