1. Standardize hostnames

If you build the base environment yourself, I recommend a hostname that tells you at a glance what the machine is for.

Example: a Kubernetes node acting as master, with 16 GB RAM, a 1 TB disk, Ubuntu 24.04 and IP x.x.x.100.

I would name it k8s-master-u24-16-1024-100 (role, OS, RAM in GB, disk in GB, last octet of the IP).

Let's configure it. The lab machine below is smaller (Ubuntu 24.04, 4 GB RAM, 20 GB disk, IP .101), so it gets the name k8s-master-u2404-4-20-101:

hostnamectl set-hostname k8s-master-u2404-4-20-101

root@ubuntu2404:~# hostnamectl set-hostname k8s-master-u2404-4-20-101
root@ubuntu2404:~# hostname
k8s-master-u2404-4-20-101
root@ubuntu2404:~# bash
root@k8s-master-u2404-4-20-101:~# 

2. Disable the firewall

Kubernetes nodes are not exposed directly to the outside, so isolation is done at the perimeter; inside the cluster the CNI and kube-proxy do all kinds of forwarding and the network is complicated enough as it is, so it pays to turn the host firewall off outright.

Caveat: that trade only holds if the node network really is isolated (a dedicated VLAN or security group that admits nothing but cluster members and your admin hosts); otherwise the API server, etcd and kubelet ports are reachable by anything on the wire. Ubuntu Server ships with ufw installed but inactive, so check `ufw status` before assuming this step changed anything.

root@k8s-master-u2404-4-20-101:~# systemctl disable --now ufw
Synchronizing state of ufw.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable ufw
Removed "/etc/systemd/system/multi-user.target.wants/ufw.service".

3. Set the timezone and synchronize time

Nearly everything in a distributed system depends on time: heartbeats, certificate validity, timeouts, leases, all of it sits on top of the time service.

timedatectl set-timezone Asia/Shanghai

root@k8s-master-u2404-4-20-101:~# timedatectl set-timezone Asia/Shanghai
root@k8s-master-u2404-4-20-101:~# timedatectl 
               Local time: Sat 2025-07-19 16:47:57 CST
           Universal time: Sat 2025-07-19 08:47:57 UTC
                 RTC time: Sat 2025-07-19 16:47:54
                Time zone: Asia/Shanghai (CST, +0800)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

For synchronization, the usual pattern is to pick one node in the cluster as the time server, have it follow internet time (or a specific appliance), and have the other nodes follow it.

On Ubuntu the tool is chrony; there is nothing special to watch out for. Ubuntu 24.04 ships systemd-timesyncd by default (that is the "NTP service: active" in the timedatectl output above); installing chrony replaces it.

apt -y install chrony

root@k8s-master-u2404-4-20-101:~# apt list chrony -a
Listing... Done
chrony/noble-updates 4.5-1ubuntu4.2 arm64
chrony/noble 4.5-1ubuntu4 arm64

root@k8s-master-u2404-4-20-101:~# apt update; apt -y install chrony

root@k8s-master-u2404-4-20-101:~# vim /etc/chrony/chrony.conf 
...
# This will use (up to):
# - 4 sources from ntp.ubuntu.com which some are ipv6 enabled
# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well
# - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm)
# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only
# sources will be used.
# At the same time it retains some protection against one of the entries being
# down (compare to just using one of the lines). See (LP: #1754358) for the
# discussion.
#
# About using servers from the NTP Pool Project in general see (LP: #104525).
# Approved by Ubuntu Technical Board on 2011-02-08.
# See http://www.pool.ntp.org/join.html for more information.

server ntp1.aliyun.com iburst

#pool ntp.ubuntu.com        iburst maxsources 4
#pool 0.ubuntu.pool.ntp.org iburst maxsources 1
#pool 1.ubuntu.pool.ntp.org iburst maxsources 1
#pool 2.ubuntu.pool.ntp.org iburst maxsources 2

# Use time sources from DHCP.
sourcedir /run/chrony-dhcp

# Use NTP sources found in /etc/chrony/sources.d.
sourcedir /etc/chrony/sources.d
...

pool / server        use an NTP pool / a single named NTP server
ntp1.aliyun.com      the NTP server address
iburst               fast initial sync: send a burst of requests at startup so the first synchronization happens quickly
maxsources 4         cap on sources taken from that pool: at most 4 distinct servers
local stratum 10     act as a local reference so chronyd keeps serving time (at stratum 10) when every upstream is unreachable; on its own it does not let other hosts sync from this node, that needs an `allow <subnet>` directive

root@k8s-master-u2404-4-20-101:~# systemctl enable --now chrony
Synchronizing state of chrony.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable chrony

root@k8s-master-u2404-4-20-101:~# chronyc tracking
Reference ID    : 79C74537 (121.199.69.55)
Stratum         : 3
Ref time (UTC)  : Sat Jul 19 09:13:49 2025
System time     : 0.000113643 seconds fast of NTP time
Last offset     : -0.046073332 seconds
RMS offset      : 0.046073332 seconds
Frequency       : 25600.000 ppm fast
Residual freq   : -26453.182 ppm
Skew            : 1000000.000 ppm
Root delay      : 0.063439243 seconds
Root dispersion : 18.580360413 seconds
Update interval : 2.0 seconds
Leap status     : Normal
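The tracking output above is what a clock looks like seconds after chrony starts: Frequency 25600 ppm, Skew 1000000 ppm and a Root dispersion of 18.58 s mean chronyd has not measured the clock yet, so this is not the moment to generate cluster certificates. The check below is an added example, not part of the original post: it parses `chronyc tracking` and refuses to go on until the clock is usable. The thresholds (0.1 s offset, 1 s root dispersion) are assumptions for a LAN; the second sample is constructed, the first is the page's own output.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight check that parses
# `chronyc tracking` and refuses to go on until the clock is actually usable.
# Thresholds are assumptions for a LAN: max offset 0.1 s, max root dispersion 1 s.
set -eu

# check_tracking MAX_OFFSET_S MAX_DISPERSION_S   (chronyc tracking output on stdin)
# returns 0 when synchronised and within bounds, 1 otherwise
check_tracking() {
  awk -v max_off="$1" -v max_disp="$2" '
    /^Stratum/         { stratum = $3 }                           # "Stratum : 3"
    /^System time/     { off = $4 }                               # "System time : 0.0001 seconds fast of NTP time"
    /^Root dispersion/ { disp = $4 }                              # "Root dispersion : 18.58 seconds"
    /^Leap status/     { leap = substr($0, index($0, ":") + 2) }  # "Normal" or "Not synchronised"
    END {
      rc = 0
      if (leap != "Normal")    { print "FAIL: leap status is \"" leap "\""; rc = 1 }
      if (stratum + 0 == 0)    { print "FAIL: stratum 0, no reference selected"; rc = 1 }
      if (off + 0 > max_off)   { print "FAIL: offset " off " s exceeds " max_off " s"; rc = 1 }
      if (disp + 0 > max_disp) { print "FAIL: root dispersion " disp " s exceeds " max_disp " s (clock not settled yet)"; rc = 1 }
      if (rc == 0) print "OK: stratum " stratum ", offset " off " s, root dispersion " disp " s"
      exit rc
    }'
}

# Sample 1: the tracking output shown on this page, seconds after chrony started
page_sample() {
  cat <<'EOF'
Reference ID    : 79C74537 (121.199.69.55)
Stratum         : 3
Ref time (UTC)  : Sat Jul 19 09:13:49 2025
System time     : 0.000113643 seconds fast of NTP time
Last offset     : -0.046073332 seconds
RMS offset      : 0.046073332 seconds
Frequency       : 25600.000 ppm fast
Residual freq   : -26453.182 ppm
Skew            : 1000000.000 ppm
Root delay      : 0.063439243 seconds
Root dispersion : 18.580360413 seconds
Update interval : 2.0 seconds
Leap status     : Normal
EOF
}

# Sample 2 (constructed): the same node once the clock has settled
settled_sample() {
  cat <<'EOF'
Reference ID    : 79C74537 (121.199.69.55)
Stratum         : 3
Ref time (UTC)  : Sat Jul 19 10:02:11 2025
System time     : 0.000052817 seconds slow of NTP time
Last offset     : -0.000031244 seconds
RMS offset      : 0.000187502 seconds
Frequency       : 12.418 ppm fast
Residual freq   : +0.004 ppm
Skew            : 0.091 ppm
Root delay      : 0.061120004 seconds
Root dispersion : 0.012304811 seconds
Update interval : 64.3 seconds
Leap status     : Normal
EOF
}

echo "--- just started:"; page_sample | check_tracking 0.1 1 || echo "(not ready: wait, or run 'chronyc waitsync 30 0.1')"
echo "--- settled:";      settled_sample | check_tracking 0.1 1
```

On a real node run `chronyc tracking | check_tracking 0.1 1` from the bootstrap script and stop on failure; chrony's own `chronyc waitsync` can block until the correction drops below a given bound if you would rather wait than fail.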

4. Set a static IP and standardize the interface name

Pinning the IP in the config file is only one option; a DHCP reservation on the switch or router also works.

Standardizing the interface name is almost mandatory. The order below matters: add net.ifnames=0 to GRUB, write the netplan file for the new name (eth0), regenerate grub.cfg, then reboot. Do not run netplan apply before the reboot: at that point the interface is still under its predictable name and eth0 does not exist yet, so applying a config that only mentions eth0 can leave the node without an address.

root@k8s-master-u2404-4-20-101:~# vim /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=0
GRUB_DISTRIBUTOR=`( . /etc/os-release; echo ${NAME:-Ubuntu} ) 2>/dev/null || echo Ubuntu`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="net.ifnames=0" # add this line

# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
...

root@k8s-master-u2404-4-20-101:~# source /etc/default/grub

(Sourcing /etc/default/grub only evaluates its variables in your current shell; it does nothing for the bootloader. The step that counts is the grub-mkconfig run further down, which regenerates /boot/grub/grub.cfg; update-grub does the same thing.)

root@k8s-master-u2404-4-20-101:~# vim /etc/netplan/50-cloud-init.yaml 
root@k8s-master-u2404-4-20-101:~# cat /etc/netplan/50-cloud-init.yaml 
network:
    ethernets:
        eth0:
            dhcp4: false
            dhcp6: false
            addresses: [172.16.101.101/24]
            gateway4: 172.16.101.2
            nameservers:
              addresses: [114.114.114.114, 8.8.8.8]
    version: 2

Two caveats about this file. netplan has deprecated `gateway4` in favor of a default route entry under `routes:` and for now only warns about it. The file is called 50-cloud-init.yaml because cloud-init generated it, and cloud-init can regenerate it (on first boot or when the instance id changes) unless its network configuration is disabled via /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg; recent netplan releases also warn when the file is world-readable, so chmod 600 it.

root@k8s-master-u2404-4-20-101:~# grub-mkconfig -o /boot/grub/grub.cfg
Sourcing file `/etc/default/grub'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-6.8.0-64-generic
Found initrd image: /boot/initrd.img-6.8.0-64-generic
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
done

root@k8s-master-u2404-4-20-101:~# reboot
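The helper below is an added example, not part of the original post. It writes the static-IP netplan file for the renamed interface in the form current netplan wants (a default route instead of the deprecated `gateway4`), with owner-only permissions, plus the cloud-init drop-in that stops the file from being regenerated. The file names are the ones used on this page; the address validation and the ROOT prefix (empty for the real system, a scratch directory in the demo) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): write the static-IP netplan file
# for the renamed interface the way current netplan wants it (a default route
# instead of the deprecated gateway4), owner-only permissions, and a cloud-init
# drop-in so the file is not regenerated on a later boot. ROOT is a path prefix:
# empty for the real system, a scratch directory in the demo and tests below.
# The file names are the ones used on this page; the validation is an assumption.
set -eu

is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# render_netplan IFACE ADDR/PREFIX GATEWAY "DNS1, DNS2"  -> YAML on stdout
render_netplan() {
  iface=$1; cidr=$2; gw=$3; dns=$4
  # fail loudly on a typo here rather than come back from the reboot unreachable
  case $cidr in */*) ;; *) echo "address needs a /prefix: $cidr" >&2; return 1 ;; esac
  ip=${cidr%/*}; prefix=${cidr#*/}
  is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
  case $prefix in ''|*[!0-9]*) echo "bad prefix: $prefix" >&2; return 1 ;; esac
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || { echo "bad prefix: $prefix" >&2; return 1; }
  is_ipv4 "$gw" || { echo "bad gateway: $gw" >&2; return 1; }
  cat <<EOF
network:
  version: 2
  ethernets:
    $iface:
      dhcp4: false
      dhcp6: false
      addresses: [$cidr]
      routes:
        - to: default
          via: $gw
      nameservers:
        addresses: [$dns]
EOF
}

# install_netplan ROOT IFACE ADDR/PREFIX GATEWAY DNS  -> writes the files, prints the netplan path
install_netplan() {
  root=$1; shift
  np="$root/etc/netplan/50-cloud-init.yaml"
  ci="$root/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg"
  mkdir -p "$root/etc/netplan" "$root/etc/cloud/cloud.cfg.d"
  # the page's rule: never delete a config file, rename it next to the new one
  if [ -f "$np" ]; then mv "$np" "$np.old$(date +%s)"; fi
  # umask 077 in a subshell so the file is created 0600 (netplan warns when it is world-readable)
  ( umask 077; render_netplan "$@" > "$np" ) || { rm -f "$np"; return 1; }
  printf 'network: {config: disabled}\n' > "$ci"
  # on the real system let netplan parse the result; generate does not touch the running network
  if [ -z "$root" ] && command -v netplan >/dev/null 2>&1; then netplan generate; fi
  echo "$np"
}

demo=$(mktemp -d)
f=$(install_netplan "$demo" eth0 172.16.101.101/24 172.16.101.2 "114.114.114.114, 8.8.8.8")
echo "wrote $f:"; cat "$f"
```

With an empty ROOT this writes the real files; reboot afterwards rather than running netplan apply, for the reason given above.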

5. Disable the graphical interface (optional)

Commands only; normally the GUI was never installed (Ubuntu Server has no display manager), so this is for desktop installs.

root@node1:~# cat /etc/X11/default-display-manager
/usr/sbin/gdm3
root@node1:~# sudo systemctl stop gdm3
root@node1:~# sudo systemctl disable gdm3

6. Disable swap

Kubernetes normally expects swap to be off. Leaving it on is possible, since kubelet has a setting for it (failSwapOn, which by default refuses to start with swap enabled), but off is the default expectation.

root@k8s-master-u2404-4-20-101:~# swapoff -a
root@k8s-master-u2404-4-20-101:~# sed -ri 's/.*swap.*/#&/' /etc/fstab
root@k8s-master-u2404-4-20-101:~# cat /etc/fstab 
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/ubuntu-vg/ubuntu-lv during curtin installation
/dev/disk/by-id/dm-uuid-LVM-b9kNQAfbac1C7wrQVcwcDwViKjK8NZchZKTi89p3sgOXeZTv7Gdqc75y4kAHWJQC / ext4 defaults 0 1
# /boot was on /dev/nvme0n1p2 during curtin installation
/dev/disk/by-uuid/1cc6bacb-a517-46d5-af1d-4115dbf0d952 /boot ext4 defaults 0 1
# /boot/efi was on /dev/nvme0n1p1 during curtin installation
/dev/disk/by-uuid/72E8-95B0 /boot/efi vfat defaults 0 1
root@k8s-master-u2404-4-20-101:~# free -h
               total        used        free      shared  buff/cache   available
Mem:           3.8Gi       335Mi       3.4Gi       1.2Mi       227Mi       3.5Gi
Swap:             0B          0B          0B

7. Tune kernel parameters

We normally don't use IPv6, so we turn it off (keep it if your pod or service CIDR is dual-stack).

net.ipv4.ip_forward and net.bridge.bridge-nf-call-iptables are mandatory; everything else is tuning.

After writing the config, load the required modules. Note that the net.bridge.* keys only exist once br_netfilter is loaded, so sysctl -p fails with "No such file or directory" if you run it first.

Put module lists under /etc/modules-load.d and sysctl settings under /etc/sysctl.d so they are applied again at every boot.

As for vm.panic_on_oom, I'd leave it at 0: let the OOM killer kill a process rather than panic the whole node.

Below is a general-purpose reference.

root@k8s-master-u2404-4-20-101:~# vim /etc/sysctl.d/k8s_better.conf
#network
net.bridge.bridge-nf-call-iptables=1                    #bridged traffic goes through iptables
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1                                   #enable IPv4 forwarding
net.ipv6.conf.all.disable_ipv6=1                        #disable IPv6
net.netfilter.nf_conntrack_max=2310720                  #larger connection tracking table

#virtual memory
vm.swappiness=0                                         #avoid swapping (does not disable swap; swapoff does)
vm.overcommit_memory=1                                  #allow memory overcommit
vm.panic_on_oom=0                                       #do not panic on OOM, let the OOM killer act

#file system and inotify
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963                                    #system-wide max open file handles
fs.nr_open=52706963                                     #max open files per process

root@k8s-master-u2404-4-20-101:~# modprobe br_netfilter
root@k8s-master-u2404-4-20-101:~# modprobe ip_conntrack
root@k8s-master-u2404-4-20-101:~# lsmod |grep conntrack
nf_conntrack          204800  0
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         12288  1 nf_conntrack
libcrc32c              12288  3 nf_conntrack,btrfs,raid456
root@k8s-master-u2404-4-20-101:~# lsmod |grep netfilter
br_netfilter           32768  0
bridge                401408  1 br_netfilter

root@k8s-master-u2404-4-20-101:~# sysctl -p /etc/sysctl.d/k8s_better.conf
net.bridge.bridge-nf-call-iptables = 1                  #bridged traffic goes through iptables
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1                                 #enable IPv4 forwarding
net.ipv6.conf.all.disable_ipv6 = 1                      #disable IPv6
net.netfilter.nf_conntrack_max = 2310720                #larger connection tracking table
vm.swappiness = 0                                       #avoid swapping (does not disable swap; swapoff does)
vm.overcommit_memory = 1                                #allow memory overcommit
vm.panic_on_oom = 0                                     #do not panic on OOM, let the OOM killer act
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 1048576
fs.file-max = 52706963                                  #system-wide max open file handles
fs.nr_open = 52706963                                   #max open files per process

I use ipvs here; plain iptables also works.

Roughly: iptables evaluates rules as linear chains, so lookup is O(n) in the number of rules (and kube-proxy generates several rules per Service), whereas IPVS keeps its virtual services in hash tables, so lookup is O(1).

The difference only becomes noticeable with a large number of Services; pick based on your needs. kube-proxy in ipvs mode needs the ip_vs* modules and ipset available; if it cannot find them it falls back to iptables mode, which is why the module list below matters.

root@k8s-master-u2404-4-20-101:~# vim  /etc/modules-load.d/ipvs.conf
#mainly ipvs, its scheduling algorithms, and a few helper modules
br_netfilter
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip

#You can load them by hand like this, or just restart systemd-modules-load (second method below)
root@k8s-master-u2404-4-20-101:~# modprobe ip_vs
root@k8s-master-u2404-4-20-101:~# modprobe ip_vs_rr
root@k8s-master-u2404-4-20-101:~# modprobe ip_vs_wrr
root@k8s-master-u2404-4-20-101:~# modprobe ip_vs_sh
root@k8s-master-u2404-4-20-101:~# modprobe nf_conntrack

root@k8s-master-u2404-4-20-101:~# lsmod | grep -E 'ip_vs|nf_conntrack'
ip_vs_sh               12288  0
ip_vs_wrr              12288  0
ip_vs_rr               12288  0
ip_vs                 217088  6 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack          204800  1 ip_vs
nf_defrag_ipv6         24576  2 nf_conntrack,ip_vs
nf_defrag_ipv4         12288  1 nf_conntrack
libcrc32c              12288  4 nf_conntrack,btrfs,raid456,ip_vs

#restart: this is the second method, don't mix the two up
root@k8s-master-u2404-4-20-101:~# systemctl restart systemd-modules-load.service
root@k8s-master-u2404-4-20-101:~# systemctl status systemd-modules-load.service
● systemd-modules-load.service - Load Kernel Modules
     Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static)
     Active: active (exited) since Sun 2025-07-20 02:19:49 CST; 9s ago
       Docs: man:systemd-modules-load.service(8)
             man:modules-load.d(5)
    Process: 1900 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=0/SUCCESS)
   Main PID: 1900 (code=exited, status=0/SUCCESS)
        CPU: 16ms

Jul 20 02:19:49 k8s-master-u2404-4-20-101 systemd[1]: Starting systemd-modules-load.service - Load Kernel Modu>
Jul 20 02:19:49 k8s-master-u2404-4-20-101 systemd-modules-load[1900]: Inserted module 'ip_set'
Jul 20 02:19:49 k8s-master-u2404-4-20-101 systemd-modules-load[1900]: Inserted module 'xt_set'
Jul 20 02:19:49 k8s-master-u2404-4-20-101 systemd-modules-load[1900]: Inserted module 'ipt_rpfilter'
Jul 20 02:19:49 k8s-master-u2404-4-20-101 systemd-modules-load[1900]: Inserted module 'ipt_REJECT'
Jul 20 02:19:49 k8s-master-u2404-4-20-101 systemd-modules-load[1900]: Inserted module 'ipip'
Jul 20 02:19:49 k8s-master-u2404-4-20-101 systemd[1]: Finished systemd-modules-load.service - Load Kernel Modu>

#A second sysctl.d file. Beware: the same key in several files is not harmless, the last file applied wins.
#At boot systemd-sysctl reads /etc/sysctl.d/*.conf in filename (C-locale) order, so k8s_better.conf is applied after this k8s.conf.
#This file sets net.ipv6.conf.all.disable_ipv6 = 0 while k8s_better.conf sets it to 1, so IPv6 is enabled right now
#(this was the last file applied by hand) but disabled again after a reboot; fs.inotify.max_user_watches flips between
#89100 and 1048576 the same way. Pick one value per key. Also: net.ipv4.tcp_max_syn_backlog is listed twice, and
#net.ipv4.tcp_tw_reuse = 1 has no effect while net.ipv4.tcp_timestamps = 0, because time-wait reuse relies on TCP timestamps.
root@k8s-master-u2404-4-20-101:~# vim /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_watches = 89100
fs.file-max = 52706963
fs.nr_open = 52706963
net.netfilter.nf_conntrack_max = 2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16384
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.forwarding = 1

root@k8s-master-u2404-4-20-101:~# sysctl -p /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_watches = 89100
fs.file-max = 52706963
fs.nr_open = 52706963
net.netfilter.nf_conntrack_max = 2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16384
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.forwarding = 1

Ubuntu 22.04 ARM64 reference (same procedure on a second host, node1)

fuck apple virtual

root@node1:~# vim /etc/sysctl.d/k8s_better.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 1048576
fs.file-max = 52706963
fs.nr_open = 52706963
net.ipv6.conf.all.disable_ipv6 = 1
net.netfilter.nf_conntrack_max = 2310720

root@node1:~# cat /etc/sysctl.d/k8s_better.conf 
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720

root@node1:~# modprobe br_netfilter
root@node1:~# lsmod |grep conntrack
root@node1:~# lsmod |grep netfilter
br_netfilter           32768  0
bridge                401408  1 br_netfilter
root@node1:~# modprobe ip_conntrack
root@node1:~# lsmod |grep conntrack
nf_conntrack          204800  0
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         12288  1 nf_conntrack
libcrc32c              12288  3 nf_conntrack,btrfs,raid456

root@node1:~# sysctl -p /etc/sysctl.d/k8s_better.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 1048576
fs.file-max = 52706963
fs.nr_open = 52706963
net.ipv6.conf.all.disable_ipv6 = 1
net.netfilter.nf_conntrack_max = 2310720

#enable ipvs
root@node1:~# mkdir -p /etc/modules-load.d/
root@node1:~# vim /etc/modules-load.d/ipvs.conf 
root@node1:~# cat /etc/modules-load.d/ipvs.conf
br_netfilter
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip

#reload the module list via systemd-modules-load
root@node1:~# systemctl restart systemd-modules-load.service
root@node1:~# systemctl status systemd-modules-load.service 
● systemd-modules-load.service - Load Kernel Modules
     Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static)
     Active: active (exited) since Wed 2025-11-12 11:41:28 CST; 3s ago
       Docs: man:systemd-modules-load.service(8)
             man:modules-load.d(5)
    Process: 3161 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=0/SUCCESS)
   Main PID: 3161 (code=exited, status=0/SUCCESS)
        CPU: 20ms

Nov 12 11:41:28 node1 systemd-modules-load[3161]: Inserted module 'ip_vs'
Nov 12 11:41:28 node1 systemd-modules-load[3161]: Inserted module 'ip_vs_rr'
Nov 12 11:41:28 node1 systemd-modules-load[3161]: Inserted module 'ip_vs_wrr'
Nov 12 11:41:28 node1 systemd-modules-load[3161]: Inserted module 'ip_vs_sh'
Nov 12 11:41:28 node1 systemd-modules-load[3161]: Inserted module 'ip_set'
Nov 12 11:41:28 node1 systemd-modules-load[3161]: Inserted module 'xt_set'
Nov 12 11:41:28 node1 systemd-modules-load[3161]: Inserted module 'ipt_rpfilter'
Nov 12 11:41:28 node1 systemd-modules-load[3161]: Inserted module 'ipt_REJECT'
Nov 12 11:41:28 node1 systemd-modules-load[3161]: Inserted module 'ipip'
Nov 12 11:41:28 node1 systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules.

root@node1:~# lsmod | grep -e ip_vs -e nf_conntrack
ip_vs_sh               12288  0
ip_vs_wrr              12288  0
ip_vs_rr               12288  0
ip_vs                 217088  6 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack          204800  1 ip_vs
nf_defrag_ipv6         24576  2 nf_conntrack,ip_vs
nf_defrag_ipv4         12288  1 nf_conntrack
libcrc32c              12288  4 nf_conntrack,btrfs,raid456,ip_vs

root@node1:~# cat /etc/sysctl.d/k8s.conf 
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_watches = 89100
fs.file-max = 52706963
fs.nr_open = 52706963
net.netfilter.nf_conntrack_max = 2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16384
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.forwarding = 1

root@node1:~# sysctl -p /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_watches = 89100
fs.file-max = 52706963
fs.nr_open = 52706963
net.netfilter.nf_conntrack_max = 2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16384
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.forwarding = 1

8. Install Ansible

The remaining configuration waits until the other nodes have their base setup; then we continue from here.

root@k8s-master-u2404-4-20-101:~# apt -y install ansible
root@k8s-master-u2404-4-20-101:~# ansible --version
ansible [core 2.16.3]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.3 (main, Jun 18 2025, 17:59:45) [GCC 13.3.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

9. Random notes

On storage

Software RAID vs LVM: RAID is relatively safer, but usually performs worse than LVM and does not resize automatically.

Worker nodes should use M.2 (NVMe) and storage nodes spinning disks; the ideal is hardware RAID with LVM on top as the underlying storage.

Worker nodes hold images and the running pods themselves need storage, so don't size their disks too small.

Storage nodes can also serve PVs, but on spinning disks the speed will be poor.

Medium and large Kubernetes clusters also need storage decoupled from compute.

On DNS

A small cluster can resolve names in the hosts file.

Anything larger, or a closed environment, warrants a dedicated DNS server.

Once you have a DNS server and it is queried frequently, run a primary/secondary pair.

On time synchronization

Usually we pick one node in the cluster, call it A, to sync from internet time or from a hardware clock.

The other nodes in the cluster then sync from A.

Normally the cluster is not rebooted after it is built, so there is no need to worry about service start order.

Still, don't put all your eggs in one basket: configure more than one NTP source.
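The two roles described here (and the `local stratum 10` / `allow` point from section 3) in chrony terms, as an added example that is not part of the original post: node A follows two or more external sources and serves the cluster subnet; every other node follows A with a second source as fallback, so one dead NTP server never takes the cluster's clock with it. The addresses and subnet are assumptions; the directives are standard chrony ones.

```shell
#!/bin/sh
# Added example (not from the original post): render /etc/chrony/chrony.conf for
# the two roles described above. "server" is node A (follows external sources,
# serves the cluster subnet, keeps serving at stratum 10 if upstream dies);
# "client" is every other node (follows A, with optional fallback sources).
# Addresses are assumptions; directives are standard chrony.
set -eu

# render_chrony_conf server SUBNET UPSTREAM UPSTREAM...   |   client PRIMARY [FALLBACK...]
render_chrony_conf() {
  role=$1; shift
  case $role in
    server)
      subnet=$1; shift
      [ $# -ge 2 ] || { echo "server role needs at least two upstream sources" >&2; return 1; }
      for s in "$@"; do echo "server $s iburst"; done
      echo "allow $subnet"          # without allow, chronyd answers no client at all
      echo "local stratum 10"       # keep serving (as stratum 10) when every upstream is unreachable
      ;;
    client)
      [ $# -ge 1 ] || { echo "client role needs the cluster time server" >&2; return 1; }
      echo "server $1 iburst prefer"; shift   # node A is preferred, the rest are fallbacks
      for s in "$@"; do echo "server $s iburst"; done
      ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  cat <<'EOF'
driftfile /var/lib/chrony/chrony.drift
makestep 1 3
rtcsync
logdir /var/log/chrony
EOF
}

# chrony_source_count < chrony.conf -> number of configured time sources
chrony_source_count() { grep -Ec '^[[:space:]]*(server|pool|peer)[[:space:]]' || true; }

echo "--- node A:";      render_chrony_conf server 172.16.101.0/24 ntp1.aliyun.com ntp.ubuntu.com
echo "--- other nodes:"; render_chrony_conf client 172.16.101.101 ntp1.aliyun.com
```

Replace the pool/server lines of /etc/chrony/chrony.conf with the rendered output, restart chrony, then check with `chronyc sources -v` on a client (A should be marked `^*`) and `chronyc clients` on A.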

On cluster management

Kubernetes leans toward services, so we also need a unified platform for managing the hosts themselves.

The quickest is Ansible, to maintain OS-level and low-level configuration.

On firewalls

Normally Kubernetes is not exposed directly to the outside, so service isolation is enough; turn the node firewall off outright, otherwise tuning the firewall, the CNI (flannel/calico) and all the forwarding together is a disaster.

On kernel parameters

Don't fuss over precise kernel tuning; anything in a sensible range is fine. You're already running a distributed system, do you care about that last 1% of response time?

Just make sure the few mandatory ones are there.

Oh, and

Most important: never really delete config files. Rename them in place, mv file.conf file.conf.old$(date +%s), in the same directory. Never delete!!!

And keep records of the install process, file paths, required variables and config files, organized into directories!!!

10. Shell auto-deployment

The script below runs steps 1 to 8 on a fresh node; override the CONFIG AREA variables from the environment.

#!/bin/bash
# Node bootstrap for the steps above. Run as root on a fresh Ubuntu 24.04 server.
set -euo pipefail
#-----------------------------------------------------------
#                     CONFIG AREA
#-----------------------------------------------------------
# bash pre-sets $HOSTNAME to the machine's current name, so a
# "${HOSTNAME:-node1}" default would never take effect; use another name.
NODE_HOSTNAME="${NODE_HOSTNAME:-node1}"           # hostname
FIX_IP="${FIX_IP:-172.16.101.156/24}"             # static IP/prefix
GATEWAY="${GATEWAY:-172.16.101.2}"                # gateway
DNS_LIST="${DNS_LIST:-114.114.114.114,8.8.8.8}"   # DNS, comma separated
NTP_SERVER="${NTP_SERVER:-ntp1.aliyun.com}"       # NTP source
DISABLE_IPv6="${DISABLE_IPv6:-1}"                 # 1=disable IPv6, 0=keep it
#-----------------------------------------------------------

### colored log output
RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[0;33m'; NC='\033[0m'
log_info()  { echo -e "${GREEN}[INFO]${NC} $*"; }
log_warn()  { echo -e "${YELLOW}[WARN]${NC} $*"; }
log_error() { echo -e "${RED}[ERROR]${NC} $*"; }

### generic assertion: abort the run if the command fails
assert() {
  if ! "$@"; then
    log_error "Command failed: $*"
    exit 1
  fi
}

#-----------------------------------------------------------
# 1. hostname
#-----------------------------------------------------------
set_hostname() {
  log_info "Step1: Set hostname -> $NODE_HOSTNAME"
  hostnamectl set-hostname "$NODE_HOSTNAME"
  assert bash -c "[[ \$(hostname) == \"$NODE_HOSTNAME\" ]]"
  log_info "Hostname OK"
}

#-----------------------------------------------------------
# 2. firewall (only acceptable when the node network is isolated)
#-----------------------------------------------------------
disable_firewall() {
  log_info "Step2: Disable UFW"
  systemctl disable --now ufw || true
  assert bash -c "[[ \$(systemctl is-active ufw) == inactive ]]"
  log_info "UFW disabled"
}

#-----------------------------------------------------------
# 3. timezone + time sync
#-----------------------------------------------------------
setup_ntp() {
  log_info "Step3: Timezone & NTP"
  timedatectl set-timezone Asia/Shanghai
  apt-get update -qq
  apt-get install -y chrony               # replaces systemd-timesyncd
  # replace the stock pool entries with our source; idempotent on re-runs
  if ! grep -q "^server $NTP_SERVER " /etc/chrony/chrony.conf; then
    sed -i '/^pool /d; /^server /d' /etc/chrony/chrony.conf
    echo "server $NTP_SERVER iburst" >> /etc/chrony/chrony.conf
  fi
  systemctl enable --now chrony
  systemctl restart chrony                # apt already started it with the stock config
  chronyc makestep 2>/dev/null || true    # step the clock now instead of slewing for hours
  log_info "Time sync OK"
}

#-----------------------------------------------------------
# 4. static IP + interface renamed to eth0
#-----------------------------------------------------------
fix_network() {
  log_info "Step4: Fix IP and rename interface -> eth0"
  # GRUB: add net.ifnames=0 and regenerate grub.cfg
  if ! grep -q net.ifnames=0 /etc/default/grub; then
    sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ net.ifnames=0"/' /etc/default/grub
    update-grub
  fi
  # netplan: default route instead of the deprecated gateway4; keep the old file
  if [[ -f /etc/netplan/50-cloud-init.yaml ]]; then
    mv /etc/netplan/50-cloud-init.yaml "/etc/netplan/50-cloud-init.yaml.old$(date +%s)"
  fi
  cat >/etc/netplan/50-cloud-init.yaml <<EOF
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: false
      dhcp6: false
      addresses: [$FIX_IP]
      routes:
        - to: default
          via: $GATEWAY
      nameservers:
        addresses: [$DNS_LIST]
EOF
  chmod 600 /etc/netplan/50-cloud-init.yaml
  # stop cloud-init from regenerating the file on a later boot
  mkdir -p /etc/cloud/cloud.cfg.d
  echo 'network: {config: disabled}' >/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
  netplan generate                        # syntax check only; eth0 exists only after the reboot
  log_info "Network config written (takes effect after reboot; do not 'netplan apply' now)"
}

#-----------------------------------------------------------
# 5. GUI (optional)
#-----------------------------------------------------------
disable_gui() {
  log_info "Step5: Disable GUI if present"
  syst
  systemctl set-default multi-user.target || true
  systemctl stop gdm3 lightdm sddm 2>/dev/null || true
  systemctl disable gdm3 lightdm sddm 2>/dev/null || true
}

#-----------------------------------------------------------
# 6. swap
#-----------------------------------------------------------
disable_swap() {
  log_info "Step6: Disable swap"
  swapoff -a
  sed -ri '/^[^#].*\sswap\s/s/^/#/' /etc/fstab   # comment real swap entries, skip comments that mention swap
  assert bash -c "[[ \$(free | awk '/^Swap:/{print \$2}') -eq 0 ]]"
  log_info "Swap disabled"
}

#-----------------------------------------------------------
# 7. kernel modules + sysctl
#-----------------------------------------------------------
tune_kernel() {
  log_info "Step7: Kernel parameters & modules"
  # br_netfilter for the bridge-nf-call-* keys; ip_vs*, ip_set and xt_set for kube-proxy in ipvs mode
  cat >/etc/modules-load.d/k8s.conf <<EOF
br_netfilter
nf_conntrack
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
ip_set
xt_set
ipt_REJECT
ipip
EOF
  systemctl restart systemd-modules-load.service

  # one sysctl file written by this script, so no other fragment silently overrides these keys
  cat >/etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 1
net.netfilter.nf_conntrack_max      = 2310720
vm.swappiness                       = 0
vm.overcommit_memory                = 1
vm.panic_on_oom                     = 0
fs.inotify.max_user_instances       = 8192
fs.inotify.max_user_watches         = 1048576
fs.file-max                         = 52706963
fs.nr_open                          = 52706963
EOF
  if [[ $DISABLE_IPv6 -eq 1 ]]; then
    echo "net.ipv6.conf.all.disable_ipv6 = 1" >>/etc/sysctl.d/k8s.conf
  fi
  sysctl --system
  # verify the two values Kubernetes cannot run without
  assert bash -c "[[ \$(sysctl -n net.ipv4.ip_forward) == 1 && \$(sysctl -n net.bridge.bridge-nf-call-iptables) == 1 ]]"
  log_info "Kernel tuned"
}

#-----------------------------------------------------------
# 8. Ansible (control node only)
#-----------------------------------------------------------
install_ansible() {
  log_info "Step8: Install Ansible"
  apt-get install -y ansible
  ansible --version
  log_info "Ansible OK"
}

#-----------------------------------------------------------
# run everything
#-----------------------------------------------------------
main() {
  export DEBIAN_FRONTEND=noninteractive
  [[ $EUID -eq 0 ]] || { log_error "run as root"; exit 1; }
  set_hostname
  disable_firewall
  setup_ntp
  fix_network
  #disable_gui
  disable_swap
  tune_kernel
  #install_ansible
  log_info "All done! Reboot recommended: sudo reboot"
}

main "$@"
