下载ISO文件:https://mirrors.tuna.tsinghua.edu.cn/archlinux/iso/latest/
目录
1. 准备工作
2. 磁盘管理
2.1 磁盘分区
2.2 磁盘格式化
2.3 磁盘挂载
3. 安装系统
3.1 安装系统文件
3.2 配置fstab
3.3 配置系统
3.4 安装引导程序
3.5 安装OpenSSH
3.6 主机名
3.7 设置root密码
3.8 网络配置
3.9 重启系统,并从硬盘引导
3.10 本地化配置
3.11 时区配置
3.12 硬件时间设置
4. 安装k8s
4.1 配置containerd
4.2 拉取k8s镜像
4.3 创建k8s集群
4.4 加入control-plane节点
4.5 加入worker节点
4.6 查看k8s集群节点信息
附录
包签名错误
1. 准备工作
以虚拟机VMWare为例。
使用EFI 非默认BIOS启动。如果不使用EFI,那么后续安装引导时也使用非EFI。
Controller-Panel节点(master)
节点列表:
| hostname | ip |
|---|---|
| k8s-master1 | 10.0.2.101/24 |
| k8s-master2 | 10.0.2.102/24 |
| k8s-master3 | 10.0.2.103/24 |
CPU设置:2Core
内存设置:2GB
磁盘:20GB
网卡设置:网卡1(ens33)为自定义NAT
Worker节点
节点列表:
| hostname | ip |
|---|---|
| k8s-worker1 | 10.0.2.111/24 |
| k8s-worker2 | 10.0.2.112/24 |
| k8s-worker3 | 10.0.2.113/24 |
CPU设置:2Core
内存设置:4GB
磁盘:20GB
网卡设置:网卡1(ens33)为自定义NAT
2. 磁盘管理
2.1 磁盘分区
使用GUID分区表,分2个区:
1)EFI System(EF00),Last sector: +500M (500MB)
2)Linux filesystem(8300) ,Last sector:<回车>(为剩余容量)
gdisk /dev/sda
2.2 磁盘格式化
mkfs.vfat -F32 /dev/sda1 # ESP分区 挂载 /boot
mkfs.ext4 /dev/sda2 # LFS分区 挂载 /
2.3 磁盘挂载
mount /dev/sda2 /mnt # 挂载root分区
mkdir /mnt/boot # 创建 /boot 目录
mount /dev/sda2 /mnt/boot # 挂载boot分区
lsblk # 查看分区挂载情况
3. 安装系统
3.1 安装系统文件
vim /etc/pacman.d/mirrorlist # 在顶部添加如下镜像服务器
Server = https://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
#Server = https://mirrors.aliyun.com/archlinux/$repo/os/$arch
# 安装系统
pacstrap /mnt base base-devel
3.2 配置fstab
genfstab -U /mnt > /mnt/etc/fstab # 生成分区挂载表
编辑 fstab
vim /mnt/etc/fstab
# SSD的追加options “discard,noatime”
3.3 配置系统
编辑 /mnt/etc/pacman.conf文件,加入下面的内容:
[archlinuxcn]
Server = https://mirrors.tuna.tsinghua.edu.cn/archlinuxcn/$arch
#Server = https://mirrors.aliyun.com/archlinuxcn/$arch
切换root目录到新系统
arch-chroot /mnt /bin/bash
现在可以全面升级系统:
pacman -Syy # 切换了root目录,因此需要重新更新软件包缓存
pacman -S archlinuxcn-keyring
pacman -S vim bash-completion yay fakeroot
ln -s /usr/bin/vim /usr/bin/vi
3.4 安装引导程序
# 安装linux内核
pacman -S linux-lts linux-firmware
# 安装 Micro Code
pacman -S amd-ucode # intel安装 intel-ucode
bootctl install # boot-loader
vim /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux-lts
initrd /amd-ucode.img # intel的为 /intel-ucode.img
initrd /initramfs-linux-lts.img
options root=/dev/sda2 rw
vim /boot/loader/entries/arch-fallback.conf
title Arch Linux (fallback initramfs)
linux /vmlinuz-linux-lts
initrd /amd-ucode.img # intel的为 /intel-ucode.img
initrd /initramfs-linux-lts-fallback.img
options root=/dev/sda2 rw
vim /boot/efi/loader/loader.conf
default arch.conf
timeout 2
console-mode max
editor no
# 验证文件路径是否正确
bootctl list
bootctl status
3.5 安装OpenSSH
pacman -S openssh
sed -i 's/#PermitRootLogin\ prohibit-passwd/PermitRootLogin yes/g' /etc/ssh/sshd_config
systemctl enable sshd
3.6 主机名
echo <host-name> > /etc/hostname
3.7 设置root密码
passwd
3.8 网络配置
使用 systemd-networkd
VMWare 网络配置:
NAT模式
网段:10.0.2.0/24
DHCP:10.0.2.200 - 10.0.2.254
网关:10.0.2.2 (不要设置为10.0.2.1,否则会导致无法访问外网)
vim /etc/systemd/network/20-wired.network
[Match]
Name=ens33
[Network]
#DHCP=ipv4 # 使用dhcp时启用
Address=10.0.2.101/24
Gateway=10.0.2.2
DNS=223.5.5.5
DNS=223.6.6.6
systemctl enable systemd-networkd
systemctl enable systemd-resolved
3.9 重启系统,并从硬盘引导
exit # 退出chroot
reboot # 重启后重新引导进入已安装的系统
3.10 本地化配置
vim /etc/locale.gen
en_US.UTF-8 UTF-8
zh_CN.GBK GBK
zh_CN.UTF-8 UTF-8
zh_CN GB2312
locale-gen # 生成locale
echo 'LANG=en_US.UTF-8' > /etc/locale.conf # 设置默认的 locale
3.11 时区配置
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
3.12 硬件时间设置
# date -s '2022-7-5 16:49:45'
hwclock --systohc --utc #采用UTC,将系统时间写入硬件时钟
# hwclock --hctosys --utc #采用UTC,将硬件时钟写入系统时间
4. 安装k8s
使用kubeadm安装: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
pacman -S kubeadm kubelet kubectl containerd
systemctl enable containerd
systemctl start containerd
systemctl enable kubelet
systemctl start kubelet
4.1 配置containerd
创建 /etc/modules-load.d/containerd.conf 配置文件:
cat << EOF > /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF
修改 containerd 配置
# 修改配置
mkdir -p /etc/containerd
if [ ! -f /etc/containerd/config.toml ]; then
containerd config default > /etc/containerd/config.toml
fi
# 设置 systemd_cgroup 为 true
sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml
sed -i 's/k8s.gcr.io/registry.aliyuncs.com\/google_containers/g' /etc/containerd/config.toml
systemctl restart containerd
echo 'alias docker="crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock"' >> ~/.bashrc
source ~/.bashrc
# 确保containerd 的cgroup 为 SystemdCgroup
crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock info | grep SystemdCgroup | awk -F ': ' '{ print $2 }'
true
4.2 拉取k8s镜像
通过参数 --image-repository 指定k8s镜像的仓库地址
kubeadm config images pull --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.24.2
4.3 创建k8s集群
# 应搭建负载均衡后,使用负载均衡IP
echo '10.0.2.101 cluster.berkaroad.com' >> /etc/hosts
# 这个版本的kubelet,命令行参数 `--cni-bin-dir` 已经取消,因此需要拿掉此参数
sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
# 初始化k8s集群
kubeadm init --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.24.2 --control-plane-endpoint=cluster.berkaroad.com --apiserver-advertise-address=10.0.2.101 --pod-network-cidr=10.100.0.0/16 --service-cidr=10.101.0.0/16 --service-dns-domain=cluster.berkaroad.com --upload-certs --v=5
# 执行成功后,根据提示,配置
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# 注意:集群中时间必须保持一致,否则会加入集群失败,错误信息: x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
# You can now join any number of the control-plane node running the following command on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
--discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
--control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44
# 如果 --certificate-key 过期了,执行如下:
kubeadm init phase upload-certs --upload-certs
# Then you can join any number of worker nodes by running the following on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
--discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3
# 如果token过期了,可以执行如下:
kubeadm token create --print-join-command
# 安装CNI:Calico
kubectl apply -f https://projectcalico.docs.tigera.io/archive/v3.22/manifests/calico.yaml
# 如果失败,检查 cgroup 是否一致(docker或者containerd 和 kubelet)
# 查看 kubeadm 使用的 CRI 为 containerd 还是 docker
cat /var/lib/kubelet/kubeadm-flags.env
KUBELET_KUBEADM_ARGS="--container-runtime=remote --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.7"
# 查看 kubelet 的 cgroup driver
cat /var/lib/kubelet/config.yaml | grep cgroupDriver | awk -F ': ' '{ print $2 }'
systemd
4.4 加入control-plane节点
# 应搭建负载均衡后,使用负载均衡IP
echo '10.0.2.101 cluster.berkaroad.com' >> /etc/hosts
# 这个版本的kubelet,命令行参数 `--cni-bin-dir` 已经取消,因此需要拿掉此参数
sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
# 注意:集群中时间必须保持一致,否则会加入集群失败,错误信息: x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
# You can now join any number of the control-plane node running the following command on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
--discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3 \
--control-plane --certificate-key 6b6050b43696814460032c521569377829e6bda6d39ac69e1d650d5bfdad1a44
# 如果 --certificate-key 过期了,执行如下:
kubeadm init phase upload-certs --upload-certs
# 如果token过期了,可以执行如下:
kubeadm token create --print-join-command
# 执行成功后,根据提示,配置
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
4.5 加入worker节点
# 应搭建负载均衡后,使用负载均衡IP
echo '10.0.2.101 cluster.berkaroad.com' >> /etc/hosts
# 这个版本的kubelet,命令行参数 `--cni-bin-dir` 已经取消,因此需要拿掉此参数
sed -i 's/--cni-bin-dir=\/usr\/lib\/cni//g' /etc/kubernetes/kubelet.env
# 执行成功后,根据提示,配置
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# 注意:集群中时间必须保持一致,否则会加入集群失败,错误信息: x509: certificate has expired or is not yet valid: current time 2022-07-05T03:57:41+08:00 is before 2022-07-04T23:42:18Z
# Then you can join any number of worker nodes by running the following on each as root:
kubeadm join cluster.berkaroad.com:6443 --token v3e3b4.a52hqkbd1rlxgkun \
--discovery-token-ca-cert-hash sha256:877bc4de6051c6aee8401bb99e6a3114f6d5a5fa7d87131c0b6377ce2419e5a3
# 如果token过期了,可以执行如下:
kubeadm token create --print-join-command
4.6 查看k8s集群节点信息
kubectl get no -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-master1 Ready control-plane 2d9h v1.24.2 10.0.2.101 <none> Arch Linux 5.15.50-1-lts containerd://1.6.6
k8s-master2 Ready control-plane 2d5h v1.24.2 10.0.2.102 <none> Arch Linux 5.15.52-1-lts containerd://1.6.6
k8s-master3 Ready control-plane 2d v1.24.2 10.0.2.103 <none> Arch Linux 5.15.52-1-lts containerd://1.6.6
k8s-worker1 Ready <none> 3h4m v1.24.2 10.0.2.111 <none> Arch Linux 5.15.52-1-lts containerd://1.6.6
k8s-worker2 Ready <none> 176m v1.24.2 10.0.2.112 <none> Arch Linux 5.15.52-1-lts containerd://1.6.6
k8s-worker3 Ready <none> 176m v1.24.2 10.0.2.113 <none> Arch Linux 5.15.52-1-lts containerd://1.6.6
附录
包签名错误
error: libcap: signature from "David Runge <dvzrv@archlinux.org>" is marginal trust
:: File /var/cache/pacman/pkg/libcap-2.65-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] Y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
更新pacman key证书
pacman -S gnupg
pacman -Sy archlinux-keyring
pacman-key --populate archlinux
pacman-key --refresh-keys
pacman -Syux
![PIP升级+安装Django命令[WARNING: Retrying (Retry(total=4, connect=None...]](https://www.kunjuke.com/file/css/thumb/10.jpg/280-180.jpg)
