07-1. Deploying the docker component

docker is the container runtime: it starts containers and manages their lifecycle. kubelet drives it through the Container Runtime Interface (CRI); for docker the CRI side is implemented by kubelet's built-in dockershim.

Install dependency packages

See 07-0.部署worker节点.md (deploying worker nodes).

Download and distribute the docker binaries

Download the latest release tarball from https://download.docker.com/linux/static/stable/x86_64/:

  cd /opt/k8s/work
  wget https://download.docker.com/linux/static/stable/x86_64/docker-18.06.1-ce.tgz
  tar -xvf docker-18.06.1-ce.tgz

Record the tarball's sha256sum before extracting it; running the same command on the copies later placed on each node must report the same value.

Distribute the binaries to all worker nodes:

  cd /opt/k8s/work
  source /opt/k8s/bin/environment.sh
  for node_ip in "${NODE_IPS[@]}"
  do
    echo ">>> ${node_ip}"
    scp docker/docker* root@${node_ip}:/opt/k8s/bin/
    ssh root@${node_ip} "chmod +x /opt/k8s/bin/*"
  done

Create and distribute the systemd unit file

  cd /opt/k8s/work
  cat > docker.service <<"EOF"
  [Unit]
  Description=Docker Application Container Engine
  Documentation=http://docs.docker.io
  [Service]
  WorkingDirectory=##DOCKER_DIR##
  Environment="PATH=/opt/k8s/bin:/bin:/sbin:/usr/bin:/usr/sbin"
  EnvironmentFile=-/run/flannel/docker
  ExecStart=/opt/k8s/bin/dockerd $DOCKER_NETWORK_OPTIONS
  ExecReload=/bin/kill -s HUP $MAINPID
  Restart=always
  RestartSec=5
  StartLimitInterval=0
  LimitNOFILE=infinity
  LimitNPROC=infinity
  LimitCORE=infinity
  Delegate=yes
  KillMode=process
  [Install]
  WantedBy=multi-user.target
  EOF
  • EOF is quoted so that bash does not expand variables inside the here-document, such as $DOCKER_NETWORK_OPTIONS;
  • dockerd invokes other docker binaries at runtime (e.g. docker-proxy), so the directory holding the docker commands must be on PATH;
  • flanneld writes its network configuration to /run/flannel/docker when it starts; dockerd reads the DOCKER_NETWORK_OPTIONS variable from that file before starting and uses it to set the docker0 bridge subnet;
  • if several EnvironmentFile= options are given, /run/flannel/docker must be the last one (later files override earlier ones, which guarantees docker0 uses the bip generated by flanneld);
  • docker must run as root. Anyone who can write to the daemon socket (/var/run/docker.sock) therefore has root-equivalent access to the node, so leave the socket's permissions alone and do not add users to the docker group on worker nodes;
  • starting with version 1.13, docker may set the default policy of the iptables FORWARD chain to DROP, which makes pinging Pod IPs on other nodes fail. When that happens, set the policy to ACCEPT by hand:

    $ sudo iptables -P FORWARD ACCEPT

    and also put the following command in /etc/rc.local so the default policy does not revert to DROP after a reboot:

    /sbin/iptables -P FORWARD ACCEPT

    Two caveats: dockerd sets DROP every time it starts, so the rc.local command only helps if it runs after docker.service is up; and with ACCEPT the node forwards any packet that no explicit rule blocks, so restrict pod-to-pod traffic with explicit rules (the DOCKER-USER chain, or Kubernetes network policy) rather than through the chain's default policy.

The complete unit is in docker.service.
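The FORWARD-policy fix above is fragile because dockerd re-applies DROP on every start. The following script is an added example and not part of the original guide: it reads the chain's default policy from `iptables -S FORWARD` output and persists the ACCEPT fix as a systemd drop-in on docker.service instead of relying on /etc/rc.local. Type=notify is what docker's upstream unit uses (dockerd signals readiness with sd_notify, after its iptables rules are in place), so ExecStartPost runs after the DROP policy has been set. The drop-in file name forward-accept.conf is this example's own choice.

```python
#!/usr/bin/env python3
"""Added example, not part of the original guide: check the iptables FORWARD
default policy and persist the ACCEPT fix as a systemd drop-in on docker.service.

dockerd sets the FORWARD chain's default policy to DROP every time it starts,
so a one-off ``iptables -P FORWARD ACCEPT`` from /etc/rc.local is undone if
docker.service starts afterwards. A drop-in that runs ExecStartPost after
dockerd has signalled readiness re-asserts ACCEPT on every start.
"""
import os
import subprocess

DROPIN_DIR = "/etc/systemd/system/docker.service.d"
DROPIN_NAME = "forward-accept.conf"  # assumed name; any *.conf in the directory is read

DROPIN = """[Service]
# dockerd notifies systemd once its API is up, i.e. after its iptables rules
# (including the FORWARD DROP policy) are installed; ExecStartPost runs after that.
Type=notify
ExecStartPost=/sbin/iptables -P FORWARD ACCEPT
"""


def forward_policy(iptables_s_output):
    """Return the FORWARD chain's default policy from ``iptables -S FORWARD`` text.

    The policy is the line ``-P FORWARD <POLICY>``; ``-A`` lines are rules.
    Returns "UNKNOWN" when no policy line is present.
    """
    for line in iptables_s_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "-P" and parts[1] == "FORWARD":
            return parts[2]
    return "UNKNOWN"


def write_dropin(root="/"):
    """Write the drop-in below ``root`` (a temp dir when testing); return its path."""
    target_dir = os.path.join(root, DROPIN_DIR.lstrip("/"))
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, DROPIN_NAME)
    with open(path, "w") as fh:
        fh.write(DROPIN)
    return path


def ensure_forward_accept():
    """Live check and fix on this node (needs root). Returns the policy found first."""
    out = subprocess.run(["iptables", "-S", "FORWARD"], check=True,
                         capture_output=True, text=True).stdout
    policy = forward_policy(out)
    if policy != "ACCEPT":
        subprocess.run(["iptables", "-P", "FORWARD", "ACCEPT"], check=True)
    write_dropin()
    subprocess.run(["systemctl", "daemon-reload"], check=True)
    return policy


if __name__ == "__main__":
    print("FORWARD policy before fix:", ensure_forward_accept())
```

Run it once as root on each worker after docker.service has been installed; from then on every `systemctl restart docker` ends with the policy back at ACCEPT.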

Distribute the systemd unit file to all worker nodes:

  cd /opt/k8s/work
  source /opt/k8s/bin/environment.sh
  # use '|' as the sed delimiter: DOCKER_DIR is a path and its slashes would break s/.../.../
  sed -i -e "s|##DOCKER_DIR##|${DOCKER_DIR}|" docker.service
  for node_ip in "${NODE_IPS[@]}"
  do
    echo ">>> ${node_ip}"
    scp docker.service root@${node_ip}:/etc/systemd/system/
  done
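A sed substitution is easy to get wrong when the value is a path (a '/' or '&' in DOCKER_DIR changes the meaning of the expression). The script below is an added example, not code from the guide: it renders the unit with a literal string replacement and checks the invariants the notes above rely on (placeholder gone, /run/flannel/docker last among the EnvironmentFile= lines, Delegate=yes, an absolute WorkingDirectory=, $DOCKER_NETWORK_OPTIONS passed to dockerd) before the file is copied to the nodes. The template text is the guide's own unit; the set of checks is this example's choice.

```python
#!/usr/bin/env python3
"""Added example, not part of the original guide: render docker.service from the
template without sed delimiter/metacharacter pitfalls and sanity-check the result."""
import os

PLACEHOLDER = "##DOCKER_DIR##"

# The guide's unit, verbatim (the heredoc body from the step above).
TEMPLATE = """[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
[Service]
WorkingDirectory=##DOCKER_DIR##
Environment="PATH=/opt/k8s/bin:/bin:/sbin:/usr/bin:/usr/sbin"
EnvironmentFile=-/run/flannel/docker
ExecStart=/opt/k8s/bin/dockerd $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
Restart=always
RestartSec=5
StartLimitInterval=0
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
"""


def render_unit(template, docker_dir):
    """Substitute DOCKER_DIR literally: no delimiter to clash with, '/' and '&' are fine."""
    if not docker_dir.startswith("/") or any(c in docker_dir for c in "\n\r"):
        raise ValueError("DOCKER_DIR must be an absolute path on a single line")
    return template.replace(PLACEHOLDER, docker_dir)


def parse_unit(unit_text):
    """Return {section: [(key, value), ...]}, preserving directive order."""
    sections = {}
    current = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError("malformed unit line: %r" % raw)
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_unit(unit_text):
    """Return a list of problems found in a rendered docker.service; [] means OK."""
    problems = []
    if PLACEHOLDER in unit_text:
        problems.append("placeholder %s was not replaced" % PLACEHOLDER)
    service = parse_unit(unit_text).get("Service", [])
    values = {}
    for key, value in service:
        values.setdefault(key, value)  # first occurrence wins for the checks below
    env_files = [v for k, v in service if k == "EnvironmentFile"]
    if env_files and env_files[-1] != "-/run/flannel/docker":
        problems.append("/run/flannel/docker must be the last EnvironmentFile= "
                        "so flanneld's bip wins over earlier files")
    if values.get("Delegate") != "yes":
        problems.append("Delegate=yes missing (lets dockerd manage the container cgroup subtree)")
    if not values.get("WorkingDirectory", "").startswith("/"):
        problems.append("WorkingDirectory= must be an absolute path")
    if "$DOCKER_NETWORK_OPTIONS" not in values.get("ExecStart", ""):
        problems.append("ExecStart= does not pass $DOCKER_NETWORK_OPTIONS to dockerd")
    return problems


if __name__ == "__main__":
    # /data/k8s/docker is a sample value; environment.sh normally supplies DOCKER_DIR.
    rendered = render_unit(TEMPLATE, os.environ.get("DOCKER_DIR", "/data/k8s/docker"))
    for problem in check_unit(rendered):
        print("PROBLEM:", problem)
    print(rendered, end="")
```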

Configure docker daemon parameters

  cd /opt/k8s/work
  source /opt/k8s/bin/environment.sh
  cat > docker-daemon.json <<EOF
  {
    "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn", "https://hub-mirror.c.163.com"],
    "insecure-registries": ["docker02:35000"],
    "max-concurrent-uploads": 10,
    "max-concurrent-downloads": 20,
    "live-restore": true,
    "debug": true,
    "data-root": "${DOCKER_DIR}/data",
    "exec-root": "${DOCKER_DIR}/exec",
    "log-opts": {
      "max-size": "100m",
      "max-file": "5"
    }
  }
  EOF
  • EOF is not quoted here, so ${DOCKER_DIR} is expanded when the file is written;
  • registry-mirrors: pulls go through the listed mirrors first. A mirror is trusted to return the right content for a tag, so list only mirrors you trust (pulling images by digest removes that dependency, since the manifest digest is then verified);
  • insecure-registries: docker pulls from docker02:35000 over HTTPS without verifying the certificate, falling back to plain HTTP. Keep such entries to registries on a network you control; better, give the registry a certificate the nodes trust (place its CA in /etc/docker/certs.d/docker02:35000/ca.crt) and drop the entry;
  • debug: true makes dockerd log at debug level. It is useful while bringing the cluster up and noisy afterwards; set it to false once the nodes are stable;
  • live-restore: true keeps containers running while dockerd itself restarts;
  • data-root/exec-root place docker's state under ${DOCKER_DIR}; log-opts caps each container's json-file log at 5 files of 100m.

Distribute daemon.json to all worker nodes:

  cd /opt/k8s/work
  source /opt/k8s/bin/environment.sh
  for node_ip in "${NODE_IPS[@]}"
  do
    echo ">>> ${node_ip}"
    ssh root@${node_ip} "mkdir -p ${DOCKER_DIR}/{data,exec} /etc/docker"
    scp docker-daemon.json root@${node_ip}:/etc/docker/daemon.json
  done
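Before the file goes out to the nodes it is worth checking it for settings that weaken them. The script below is an added example and not part of the guide: it audits a daemon.json and shows the guide's configuration beside a hardened variant (insecure-registries entry replaced by a trusted CA under /etc/docker/certs.d, debug off). The DOCKER_DIR value /data/k8s/docker is a sample. The "hosts" check goes beyond the guide's file, which has no such key: a tcp:// listener without tlsverify hands unauthenticated root on the node to anyone who can reach the port, which is the most common way a docker daemon ends up exposed.

```python
#!/usr/bin/env python3
"""Added example, not part of the original guide: audit /etc/docker/daemon.json
for settings that weaken a worker node."""
import json

# The guide's daemon.json, with DOCKER_DIR expanded to a sample value.
GUIDE_JSON = """{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn", "https://hub-mirror.c.163.com"],
  "insecure-registries": ["docker02:35000"],
  "max-concurrent-uploads": 10,
  "max-concurrent-downloads": 20,
  "live-restore": true,
  "debug": true,
  "data-root": "/data/k8s/docker/data",
  "exec-root": "/data/k8s/docker/exec",
  "log-opts": {
    "max-size": "100m",
    "max-file": "5"
  }
}
"""

# Hardened variant: the private registry's CA is installed as
# /etc/docker/certs.d/docker02:35000/ca.crt on each node instead of listing the
# registry as insecure, and debug logging is switched off after bring-up.
HARDENED_JSON = """{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn", "https://hub-mirror.c.163.com"],
  "max-concurrent-uploads": 10,
  "max-concurrent-downloads": 20,
  "live-restore": true,
  "debug": false,
  "data-root": "/data/k8s/docker/data",
  "exec-root": "/data/k8s/docker/exec",
  "log-opts": {
    "max-size": "100m",
    "max-file": "5"
  }
}
"""


def audit_daemon_json(text):
    """Return a list of findings (strings) for a daemon.json document; [] means clean."""
    cfg = json.loads(text)
    findings = []
    for reg in cfg.get("insecure-registries", []):
        findings.append("insecure-registries: %s is pulled without certificate "
                        "verification, falling back to plain HTTP; an on-path "
                        "attacker can substitute images" % reg)
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append("hosts: %s exposes the daemon API over TCP without "
                            "tlsverify (unauthenticated root on the node)" % host)
    if cfg.get("debug"):
        findings.append("debug: true logs every API call at debug level; "
                        "turn it off after bring-up")
    if not cfg.get("live-restore"):
        findings.append("live-restore is not enabled: restarting dockerd "
                        "stops every running container")
    if (cfg.get("log-driver", "json-file") == "json-file"
            and "max-size" not in cfg.get("log-opts", {})):
        findings.append("log-opts.max-size missing: per-container json-file "
                        "logs grow without bound")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    with open(path) as fh:
        problems = audit_daemon_json(fh.read())
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

Run it against docker-daemon.json in /opt/k8s/work before distributing, or over ssh against /etc/docker/daemon.json on each node; a non-zero exit means at least one finding.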

Start the docker service

  source /opt/k8s/bin/environment.sh
  for node_ip in "${NODE_IPS[@]}"
  do
    echo ">>> ${node_ip}"
    ssh root@${node_ip} "systemctl stop firewalld && systemctl disable firewalld"
    ssh root@${node_ip} "iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat"
    ssh root@${node_ip} "iptables -P FORWARD ACCEPT"
    ssh root@${node_ip} "systemctl daemon-reload && systemctl enable docker && systemctl restart docker"
    #ssh root@${node_ip} 'for intf in /sys/devices/virtual/net/docker0/brif/*; do echo 1 > $intf/hairpin_mode; done'
  done
  • stop firewalld (CentOS 7) or ufw (Ubuntu 16.04); otherwise iptables rules may be created twice. This removes the host's own packet filtering, so the node's listening ports must be protected upstream, e.g. by a network firewall or cloud security group;
  • flush the old iptables rules and chains. Do this only on nodes being set up fresh; on a node that is already in use it discards every existing rule, including those added by other components;
  • enable hairpin mode on the virtual NICs under the docker0 bridge (commented out above; needed only when a pod must reach itself through its own Service IP).

Check the service status

  source /opt/k8s/bin/environment.sh
  for node_ip in "${NODE_IPS[@]}"
  do
    echo ">>> ${node_ip}"
    ssh root@${node_ip} "systemctl status docker|grep Active"
  done

Make sure the status is active (running); otherwise check the log to find the cause:

  journalctl -u docker

Check the docker0 bridge

  source /opt/k8s/bin/environment.sh
  for node_ip in "${NODE_IPS[@]}"
  do
    echo ">>> ${node_ip}"
    ssh root@${node_ip} "/usr/sbin/ip addr show"
  done

Confirm that on every worker node the docker0 bridge and the flannel.1 interface are in the same subnet (e.g. 172.30.37.0/32 and 172.30.37.1/24):

  >>> 172.27.136.3
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
  2: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether 0c:c4:7a:2a:f6:50 brd ff:ff:ff:ff:ff:ff
      inet 172.27.136.3/20 brd 172.27.143.255 scope global noprefixroute enp3s0f0
         valid_lft forever preferred_lft forever
  3: enp3s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
      link/ether 0c:c4:7a:2a:f6:51 brd ff:ff:ff:ff:ff:ff
  4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
      link/ether 7e:c4:ed:1a:53:58 brd ff:ff:ff:ff:ff:ff
      inet 172.30.37.0/32 scope global flannel.1
         valid_lft forever preferred_lft forever
  5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
      link/ether 02:42:ec:a7:2b:41 brd ff:ff:ff:ff:ff:ff
      inet 172.30.37.1/24 brd 172.30.37.255 scope global docker0
         valid_lft forever preferred_lft forever
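Reading this by eye across many nodes is error-prone, and "same subnet" needs care because flannel.1 carries a /32 while docker0 carries the /24: the check that matters is whether flannel.1's address lies inside docker0's network. The script below is an added example, not code from the guide: it parses `ip addr show` output and reports whether docker0 picked up the bip from /run/flannel/docker. SAMPLE is trimmed from the guide's own output above; the mismatched docker0 in the test (docker's default 172.17.0.1/16, which is what you see when dockerd started without flanneld's options) is constructed.

```python
#!/usr/bin/env python3
"""Added example, not part of the original guide: verify from ``ip addr show``
output that flannel.1's address falls inside the docker0 bridge's network."""
import ipaddress
import re
import subprocess

# Trimmed from the guide's sample output for node 172.27.136.3.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0c:c4:7a:2a:f6:50 brd ff:ff:ff:ff:ff:ff
    inet 172.27.136.3/20 brd 172.27.143.255 scope global noprefixroute enp3s0f0
       valid_lft forever preferred_lft forever
4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether 7e:c4:ed:1a:53:58 brd ff:ff:ff:ff:ff:ff
    inet 172.30.37.0/32 scope global flannel.1
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:ec:a7:2b:41 brd ff:ff:ff:ff:ff:ff
    inet 172.30.37.1/24 brd 172.30.37.255 scope global docker0
       valid_lft forever preferred_lft forever
"""

# "4: flannel.1: <...>" or "10: veth1234@if9: <...>" -> interface name before ':' or '@'
_IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
# "    inet 172.30.37.1/24 brd ..." ('inet6' lines do not match because of the space)
_INET_RE = re.compile(r"^\s*inet\s+(\S+)")


def interface_addrs(ip_addr_output):
    """Map interface name -> list of IPv4Interface objects from ``ip addr show`` text."""
    addrs = {}
    current = None
    for line in ip_addr_output.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            addrs.setdefault(current, [])
            continue
        m = _INET_RE.match(line)
        if m and current is not None:
            addrs[current].append(ipaddress.ip_interface(m.group(1)))
    return addrs


def check_bridge(ip_addr_output, bridge="docker0", overlay="flannel.1"):
    """Return (ok, message): ok is True when the overlay address is inside the bridge network."""
    addrs = interface_addrs(ip_addr_output)
    if not addrs.get(overlay):
        return False, "%s has no IPv4 address: is flanneld running?" % overlay
    if not addrs.get(bridge):
        return False, "%s has no IPv4 address: did dockerd start?" % bridge
    overlay_ip = addrs[overlay][0].ip          # e.g. 172.30.37.0 (the /32 is irrelevant)
    bridge_net = addrs[bridge][0].network      # e.g. 172.30.37.0/24
    if overlay_ip not in bridge_net:
        return False, ("%s %s is not inside %s %s: dockerd did not pick up the bip "
                       "from /run/flannel/docker" % (overlay, overlay_ip, bridge, bridge_net))
    return True, "%s %s contains %s %s" % (bridge, bridge_net, overlay, overlay_ip)


if __name__ == "__main__":
    out = subprocess.run(["ip", "addr", "show"], check=True,
                         capture_output=True, text=True).stdout
    ok, msg = check_bridge(out)
    print(("OK: " if ok else "MISMATCH: ") + msg)
    raise SystemExit(0 if ok else 1)
```

Copy it to each worker and run it over ssh in the same loop as the `ip addr show` step; a non-zero exit marks the node whose docker0 did not get flanneld's subnet.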