使用Kubernetes建设容器化数据中心操作命令-6.使用Ceph实现分布式存储


使用Ceph实现分布式存储

使用SSH远程管理终端软件,分别连接主机10.10.2.157(Labs-K8s-Ceph-1)、10.10.2.158(Labs-K8s-Ceph-2)、10.10.2.159(Labs-K8s-Ceph-3)。注意:这里的 IP 与主机名必须与下文写入 /etc/hosts 的条目以及 cephadm bootstrap 的 --mon-ip 保持一致,否则 cephadm 无法通过主机名添加节点。

6.1 服务器Labs-K8s-Ceph-1:Ceph存储集群准备

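# --- Host preparation, node Labs-K8s-Ceph-1 ---
# The lab turns firewalld and SELinux off wholesale. Outside a lab keep both on and
# open only the ports Ceph needs (MON 3300/6789, OSD/MGR 6800-7300, dashboard 8443);
# cephadm-managed daemons run fine under SELinux enforcing.
systemctl disable firewalld --now
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# hostnamectl applies the new name immediately. The reboot (required for the SELinux
# change to take effect) is deferred to the END of this block so that none of the
# steps below are skipped when the block is executed as a script.
hostnamectl set-hostname Labs-K8s-Ceph-1

# Static name resolution for the three Ceph nodes. Guarded so re-running the block
# does not append duplicate entries.
grep -q 'Labs-K8s-Ceph-1' /etc/hosts || cat <<'EOF' >> /etc/hosts
10.10.2.157 Labs-K8s-Ceph-1
10.10.2.158 Labs-K8s-Ceph-2
10.10.2.159 Labs-K8s-Ceph-3
EOF

# Time synchronisation: Ceph monitors are sensitive to clock skew between nodes.
grep -q 'ntp1.aliyun.com' /etc/chrony.conf || printf '%s\n' \
  'pool tiger.sina.com.cn iburst' \
  'pool ntp1.aliyun.com iburst' >> /etc/chrony.conf
systemctl enable chronyd
systemctl restart chronyd

# Container runtime and the cephadm bootstrapper (installed from the distro repos,
# before the Ceph repo below exists).
yum install -y podman cephadm

# Ceph package repository. Written with '>' rather than '>>' so re-runs do not
# duplicate the sections, and with gpgcheck=1 so yum verifies every RPM signature
# against the upstream Ceph release key instead of trusting whatever the mirror
# serves (the original had gpgcheck=0, i.e. unsigned packages would be installed).
cat > /etc/yum.repos.d/ceph.repo <<'EOF'
[ceph]
name=ceph x86_64
baseurl=https://repo.huaweicloud.com/ceph/rpm-pacific/el8/x86_64
enabled=1
gpgcheck=1
gpgkey=https://download.ceph.com/keys/release.asc
[ceph-noarch]
name=ceph noarch
baseurl=https://repo.huaweicloud.com/ceph/rpm-pacific/el8/noarch
enabled=1
gpgcheck=1
gpgkey=https://download.ceph.com/keys/release.asc
[ceph-source]
name=ceph SRPMS
baseurl=https://repo.huaweicloud.com/ceph/rpm-pacific/el8/SRPMS
enabled=1
gpgcheck=1
gpgkey=https://download.ceph.com/keys/release.asc
EOF

# Reboot last: applies SELINUX=disabled and guarantees everything above already ran.
reboot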

6.2 服务器Labs-K8s-Ceph-2:Ceph存储集群准备

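# --- Host preparation, node Labs-K8s-Ceph-2 ---
# The lab turns firewalld and SELinux off wholesale. Outside a lab keep both on and
# open only the ports Ceph needs (MON 3300/6789, OSD/MGR 6800-7300, dashboard 8443);
# cephadm-managed daemons run fine under SELinux enforcing.
systemctl disable firewalld --now
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# hostnamectl applies the new name immediately. The reboot (required for the SELinux
# change to take effect) is deferred to the END of this block so that none of the
# steps below are skipped when the block is executed as a script.
hostnamectl set-hostname Labs-K8s-Ceph-2

# Static name resolution for the three Ceph nodes. Guarded so re-running the block
# does not append duplicate entries.
grep -q 'Labs-K8s-Ceph-1' /etc/hosts || cat <<'EOF' >> /etc/hosts
10.10.2.157 Labs-K8s-Ceph-1
10.10.2.158 Labs-K8s-Ceph-2
10.10.2.159 Labs-K8s-Ceph-3
EOF

# Time synchronisation: Ceph monitors are sensitive to clock skew between nodes.
grep -q 'ntp1.aliyun.com' /etc/chrony.conf || printf '%s\n' \
  'pool tiger.sina.com.cn iburst' \
  'pool ntp1.aliyun.com iburst' >> /etc/chrony.conf
systemctl enable chronyd
systemctl restart chronyd

# Container runtime and the cephadm bootstrapper (installed from the distro repos,
# before the Ceph repo below exists).
yum install -y podman cephadm

# Ceph package repository. Written with '>' rather than '>>' so re-runs do not
# duplicate the sections, and with gpgcheck=1 so yum verifies every RPM signature
# against the upstream Ceph release key instead of trusting whatever the mirror
# serves (the original had gpgcheck=0, i.e. unsigned packages would be installed).
cat > /etc/yum.repos.d/ceph.repo <<'EOF'
[ceph]
name=ceph x86_64
baseurl=https://repo.huaweicloud.com/ceph/rpm-pacific/el8/x86_64
enabled=1
gpgcheck=1
gpgkey=https://download.ceph.com/keys/release.asc
[ceph-noarch]
name=ceph noarch
baseurl=https://repo.huaweicloud.com/ceph/rpm-pacific/el8/noarch
enabled=1
gpgcheck=1
gpgkey=https://download.ceph.com/keys/release.asc
[ceph-source]
name=ceph SRPMS
baseurl=https://repo.huaweicloud.com/ceph/rpm-pacific/el8/SRPMS
enabled=1
gpgcheck=1
gpgkey=https://download.ceph.com/keys/release.asc
EOF

# Reboot last: applies SELINUX=disabled and guarantees everything above already ran.
reboot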

6.3 服务器Labs-K8s-Ceph-3:Ceph存储集群准备

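# --- Host preparation, node Labs-K8s-Ceph-3 ---
# (The original comment said "configure firewall"; the commands actually disable it.)
# The lab turns firewalld and SELinux off wholesale. Outside a lab keep both on and
# open only the ports Ceph needs (MON 3300/6789, OSD/MGR 6800-7300, dashboard 8443);
# cephadm-managed daemons run fine under SELinux enforcing.
systemctl disable firewalld --now
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# hostnamectl applies the new name immediately. The reboot (required for the SELinux
# change to take effect) is deferred to the END of this block so that none of the
# steps below are skipped when the block is executed as a script.
hostnamectl set-hostname Labs-K8s-Ceph-3

# Static name resolution for the three Ceph nodes. Guarded so re-running the block
# does not append duplicate entries.
grep -q 'Labs-K8s-Ceph-1' /etc/hosts || cat <<'EOF' >> /etc/hosts
10.10.2.157 Labs-K8s-Ceph-1
10.10.2.158 Labs-K8s-Ceph-2
10.10.2.159 Labs-K8s-Ceph-3
EOF

# Time synchronisation: Ceph monitors are sensitive to clock skew between nodes.
grep -q 'ntp1.aliyun.com' /etc/chrony.conf || printf '%s\n' \
  'pool tiger.sina.com.cn iburst' \
  'pool ntp1.aliyun.com iburst' >> /etc/chrony.conf
systemctl enable chronyd
systemctl restart chronyd

# Container runtime and the cephadm bootstrapper (installed from the distro repos,
# before the Ceph repo below exists).
yum install -y podman cephadm

# Ceph package repository. Written with '>' rather than '>>' so re-runs do not
# duplicate the sections, and with gpgcheck=1 so yum verifies every RPM signature
# against the upstream Ceph release key instead of trusting whatever the mirror
# serves (the original had gpgcheck=0, i.e. unsigned packages would be installed).
cat > /etc/yum.repos.d/ceph.repo <<'EOF'
[ceph]
name=ceph x86_64
baseurl=https://repo.huaweicloud.com/ceph/rpm-pacific/el8/x86_64
enabled=1
gpgcheck=1
gpgkey=https://download.ceph.com/keys/release.asc
[ceph-noarch]
name=ceph noarch
baseurl=https://repo.huaweicloud.com/ceph/rpm-pacific/el8/noarch
enabled=1
gpgcheck=1
gpgkey=https://download.ceph.com/keys/release.asc
[ceph-source]
name=ceph SRPMS
baseurl=https://repo.huaweicloud.com/ceph/rpm-pacific/el8/SRPMS
enabled=1
gpgcheck=1
gpgkey=https://download.ceph.com/keys/release.asc
EOF

# Reboot last: applies SELINUX=disabled and guarantees everything above already ran.
reboot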

6.4 服务器Labs-K8s-Ceph-1:初始化Ceph集群

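# Bootstrap the first MON/MGR (and the dashboard) on this node.
# The dashboard admin password is read from the terminal instead of being written as a
# literal on the command line (the original used `ceph@2025`), so it is not captured in
# shell history or in this document. Note it is still briefly visible in the bootstrap
# process's argv to local root; choose a strong value regardless.
# --dashboard-password-noupdate is intentionally NOT passed: the first dashboard login
# will then force a password change, which is the safer default for an admin account.
read -rs -p 'Initial Ceph dashboard admin password: ' DASH_PW; echo
cephadm bootstrap \
  --mon-ip 10.10.2.157 \
  --allow-fqdn-hostname \
  --initial-dashboard-user admin \
  --initial-dashboard-password "$DASH_PW"
unset DASH_PW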

初始化完成提示“Bootstrap complete.”证明Ceph集群初始化完成,如图3所示。

使用浏览器访问https://10.10.2.157:8443进入Ceph dashboard登录界面。注意:由于前面关闭了防火墙,8443 端口对整个网络可达,应通过安全组或上游防火墙仅允许管理网段访问。

账号:admin
密码:引导时通过 --initial-dashboard-password 指定的初始密码(示例中为 ceph@2025)。该账号是 Ceph 集群管理员,请勿在生产环境沿用示例弱口令;若引导命令未带 --dashboard-password-noupdate,首次登录时会要求修改密码。

6.5 服务器Labs-K8s-Ceph-1:集群添加node和osd

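# Admin CLI on the bootstrap node (pulled from the Ceph repo configured earlier).
yum install -y ceph-common

# Distribute the orchestrator's SSH *public* key so cephadm can reach the other nodes.
# This is cephadm's own key, not a user key; the private half stays inside the cluster.
# cephadm uses root over SSH by default, so these hosts should allow root only with
# key authentication (no password login) on sshd.
ceph cephadm get-pub-key > ~/ceph.pub
ssh-copy-id -f -i ~/ceph.pub root@Labs-K8s-Ceph-2
ssh-copy-id -f -i ~/ceph.pub root@Labs-K8s-Ceph-3

# Register the nodes with the orchestrator (names resolve via /etc/hosts).
ceph orch host add Labs-K8s-Ceph-2
ceph orch host add Labs-K8s-Ceph-3
ceph orch host ls

# The _admin label makes cephadm copy the cluster admin keyring and ceph.conf to the host:
# anyone with root on a labelled host has full Ceph admin rights. Label only the hosts
# that genuinely need to run the ceph CLI.
ceph orch host label add Labs-K8s-Ceph-2 _admin
ceph orch host label add Labs-K8s-Ceph-3 _admin
ceph orch host ls

# Create one OSD on a specific disk by hand ...
ceph orch daemon add osd Labs-K8s-Ceph-1:/dev/sdb
# ... then claim every remaining unused disk on every host. This is DESTRUCTIVE for any
# disk the orchestrator considers "available" and the spec stays active for disks that
# are attached later, so list the devices and dry-run before applying for real.
ceph orch device ls
ceph orch apply osd --all-available-devices --dry-run
ceph orch apply osd --all-available-devices
# Verify the OSDs that were created.
ceph osd ls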

登录Ceph dashboard控制台界面,可查看到集群状态为“HEALTH_OK”,主机数量为3,OSD数量为3且均为up状态。

7.部署Kubernetes管理平台

7.1 Labs-K8s-Master-1:部署Dashboard

创建并编辑/var/kubernetes/dashboard.yaml文件,内容如下。

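# Kubernetes Dashboard v2.7.0 manifest (the upstream-style manifest with the Service
# switched to NodePort 30084). The heredoc delimiter is quoted ('EOF') so the shell never
# expands a '$' that might appear in the YAML; mkdir -p keeps tee from failing if the
# target directory does not exist yet.
mkdir -p /var/kubernetes
tee /var/kubernetes/dashboard.yaml <<'EOF'
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  # NodePort publishes the dashboard on port 30084 of EVERY node in the cluster.
  # Restrict the source addresses with a firewall/security group, or prefer ClusterIP
  # reached through `kubectl proxy` or an authenticated ingress.
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30084

  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

# Namespaced Role: the dashboard's own service account may only touch its own
# secrets/configmap and proxy to the metrics scraper. It has no rights over user
# workloads; those come from the bearer token the user logs in with.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          # Pinned to a release tag (not :latest) so the deployed image is reproducible.
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            # Generates a self-signed serving cert into the certs volume at start-up;
            # browsers will warn. Supply a real cert in kubernetes-dashboard-certs instead
            # if this is to be reached by more than the operator.
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # Hardened pod: non-root UID/GID, read-only root FS, no privilege escalation.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      # (On Kubernetes 1.24+ the control-plane taint key is node-role.kubernetes.io/control-plane;
      # add a toleration for that key too if the Dashboard should be schedulable there.)
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.8
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
EOF
# Deploy the dashboard and wait until both Deployments are ready before moving on
# to the login-token step.
kubectl apply -f /var/kubernetes/dashboard.yaml
kubectl -n kubernetes-dashboard rollout status deployment/kubernetes-dashboard
kubectl -n kubernetes-dashboard rollout status deployment/dashboard-metrics-scraper
kubectl get pod -n kubernetes-dashboard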

创建账户文件/var/kubernetes/dashboard-rbac.yaml,内容如下。

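# Login identity for the dashboard. This ServiceAccount is bound to cluster-admin, so
# whoever holds one of its tokens owns the entire cluster. That is convenient for a lab
# login but far too much for any shared or production cluster: bind a narrower built-in
# ClusterRole (view / edit) or a Role limited to the namespaces the operator actually
# needs. The heredoc delimiter is quoted so the shell does not expand anything in the YAML.
tee /var/kubernetes/dashboard-rbac.yaml <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-admin
subjects:
  - kind: ServiceAccount
    name: dashboard-admin
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin  # full, unrestricted access to every API resource
  apiGroup: rbac.authorization.k8s.io
EOF
# Apply the account and binding.
kubectl apply -f /var/kubernetes/dashboard-rbac.yaml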

获取Token令牌
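# Mint a bearer token for dashboard-admin. Because that account is cluster-admin, the
# token is effectively a cluster root credential: do not paste it into shared notes or
# chat, and keep its lifetime short. The original page used --duration=720h (30 days);
# the default here is 1h and can be overridden for lab use, e.g.
#   TOKEN_TTL=720h kubectl create token ...
# A new token can be created at any time, so a short TTL costs nothing.
kubectl create token dashboard-admin --namespace kube-system --duration="${TOKEN_TTL:-1h}"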

使用浏览器访问https://10.10.2.151:30084,将输出的Token填入浏览器中登录Dashboard。注意:该 Token 绑定了 cluster-admin,等同于集群的 root 凭据,请勿泄露或记录在共享文档中;同时 NodePort 30084 会在集群每个节点上监听,应通过防火墙或安全组限制可访问的来源地址。