- CoreOS Container Linux\uff08Stable:1911.5.0\uff09<\/ul>\n<\/li>\n<\/ul>\n
- \n
- kubernetes1.13.1\uff081 master\u3001node\u306a\u3057\u306e\u69cb\u6210\u3002RBAC\uff09<\/ul>\n<\/li>\n<\/ul>\n
- \n
- etcd3\uff08docker\u3067\u99c6\u52d5\u3002tls secured\uff09<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Container Linux Config\uff08ignition\uff09<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u30b3\u30f3\u30c6\u30ca\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306fCanal<\/ul>\n<\/li>\n<\/ul>\n
- \n
- CoreDNS<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u3055\u304f\u3089\u306eVPS\u306eVPS\u30d7\u30e9\u30f3\uff11\u3064\uff08\u30e1\u30e2\u30ea\uff1a1GB\uff09<\/ul>\n<\/li>\n<\/ul>\n
- \n
- zram<\/ul>\n<\/li>\n<\/ul>\n
- \n
- ${MASTER_IP}\u3092vps\u306epublicly routable IP\u3067\u7f6e\u304d\u63db\u3048\u308b<\/ul>\n<\/li>\n<\/ul>\n
- \n
- ${GATEWAY}\u3092\u7f6e\u304d\u63db\u3048\u308b<\/ul>\n<\/li>\n<\/ul>\n
- \n
- ${DNS1}\u3092\u7f6e\u304d\u63db\u3048\u308b<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
- ${DNS2}\u3092\u7f6e\u304d\u63db\u3048\u308b<\/ul>\n
$ <\/span>sudo <\/span>vi \/etc\/systemd\/network\/static.network\r\n<\/code><\/pre>\n[Match]\r\nName=eth0\r\n[Network]\r\nAddress=${MASTER_IP}\/23\r\nGateway=${GATEWAY}.1\r\nDNS=${DNS1}\r\nDNS=${DNS2}\r\n<\/code><\/pre>\n$ <\/span>sudo <\/span>systemctl restart systemd-networkd\r\n$ <\/span>sudo <\/span>passwd core\r\n<\/code><\/pre>\n\u8bf7\u6839\u636e\u73af\u5883\u8fdb\u884c\u7f16\u8f91\u4ee5\u4e0b\u7684yaml\u6587\u4ef6\u3002<\/p>\n
- \n
- \n
- ssh-rsa\u3092\u7f6e\u304d\u63db\u3048\u308b<\/ul>\n<\/li>\n<\/ul>\n
- \n
- ${MASTER_IP}\u3092vps\u306epublicly routable IP\u3067\u7f6e\u304d\u63db\u3048\u308b<\/ul>\n<\/li>\n<\/ul>\n
- \n
- ${GATEWAY}\u3092\u7f6e\u304d\u63db\u3048\u308b<\/ul>\n<\/li>\n<\/ul>\n
- \n
- ${DNS1}\u3092\u7f6e\u304d\u63db\u3048\u308b<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
- ${DNS2}\u3092\u7f6e\u304d\u63db\u3048\u308b<\/ul>\n
# \/usr\/share\/oem\/config.ign<\/span>\r\n\r\n# ignition\u518d\u9069\u7528<\/span>\r\n# sudo touch \/boot\/coreos\/first_boot<\/span>\r\n# sudo rm \/etc\/machine-id<\/span>\r\n# sudo reboot<\/span>\r\n\r\npasswd<\/span>:<\/span>\r\n users<\/span>:<\/span>\r\n -<\/span> name<\/span>:<\/span> core<\/span>\r\n ssh_authorized_keys<\/span>:<\/span>\r\n -<\/span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB\u30fb\u30fb\u30fbZiDsoTMHdHt0nswTkLhl1NAdEHBqt core@localhost<\/span>\r\nstorage<\/span>:<\/span>\r\n files<\/span>:<\/span>\r\n -<\/span> path<\/span>:<\/span> \/var\/lib\/iptables\/rules-save<\/span>\r\n filesystem<\/span>:<\/span> root<\/span>\r\n mode<\/span>:<\/span> 0644<\/span>\r\n contents<\/span>:<\/span>\r\n inline<\/span>:<\/span> |<\/span>\r\n *filter<\/span>\r\n :INPUT DROP [0:0]<\/span>\r\n :FORWARD DROP [0:0]<\/span>\r\n :OUTPUT ACCEPT [0:0]<\/span>\r\n -A INPUT -i lo -j ACCEPT<\/span>\r\n -A INPUT -p icmp -j ACCEPT<\/span>\r\n -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT<\/span>\r\n -A INPUT -p udp --sport 53 -j ACCEPT<\/span>\r\n -A INPUT -p tcp --dport 22 -j ACCEPT<\/span>\r\n -A INPUT -p tcp --dport 80 -j ACCEPT<\/span>\r\n -A INPUT -p tcp --dport 443 -j ACCEPT<\/span>\r\n -A INPUT -p tcp --dport 6443 -j ACCEPT<\/span>\r\n COMMIT<\/span>\r\n -<\/span> path<\/span>:<\/span> \/etc\/systemd\/timesyncd.conf<\/span>\r\n filesystem<\/span>:<\/span> root<\/span>\r\n mode<\/span>:<\/span> 0644<\/span>\r\n contents<\/span>:<\/span>\r\n inline<\/span>:<\/span> |<\/span>\r\n [Time]<\/span>\r\n NTP=ntp.nict.jp ntp.jst.mfeed.ad.jp<\/span>\r\n -<\/span> path<\/span>:<\/span> \/etc\/zrm\/zrm.sh<\/span>\r\n filesystem<\/span>:<\/span> root<\/span>\r\n mode<\/span>:<\/span> 0755<\/span>\r\n contents<\/span>:<\/span>\r\n inline<\/span>:<\/span> |<\/span>\r\n #!\/bin\/bash<\/span>\r\n ### BEGIN INIT INFO<\/span>\r\n # Provides: zram<\/span>\r\n # Required-Start:<\/span>\r\n # Required-Stop:<\/span>\r\n # Default-Start: 2 3 4 5<\/span>\r\n # Default-Stop: 0 1 6<\/span>\r\n # Short-Description: Increased Performance In Linux With zRam (Virtual Swap Compressed in RAM)<\/span>\r\n # Description: Adapted from systemd scripts at https:\/\/github.com\/mystilleef\/FedoraZram<\/span>\r\n ### END INIT INFO<\/span>\r\n start() {<\/span>\r\n # get the number of CPUs<\/span>\r\n num_cpus=$(grep -c processor \/proc\/cpuinfo)<\/span>\r\n # if something goes wrong, assume we have 1<\/span>\r\n [ \"$num_cpus\" != 0 ] || num_cpus=1<\/span>\r\n\r\n # set decremented number of CPUs<\/span>\r\n decr_num_cpus=$((num_cpus - 1))<\/span>\r\n\r\n # get the amount of memory in the machine<\/span>\r\n mem_total_kb=$(grep MemTotal \/proc\/meminfo | grep -E --only-matching '[[:digit:]]+')<\/span>\r\n\r\n #we will only assign 50% of system memory to zram<\/span>\r\n mem_total_kb=$((mem_total_kb * 2 \/ 5))<\/span>\r\n\r\n mem_total=$((mem_total_kb * 1024))<\/span>\r\n\r\n # load dependency modules<\/span>\r\n modprobe zram num_devices=$num_cpus<\/span>\r\n\r\n # initialize the devices<\/span>\r\n for i in $(seq 0 $decr_num_cpus); do<\/span>\r\n echo $((mem_total \/ num_cpus)) > \/sys\/block\/zram$i\/disksize<\/span>\r\n done<\/span>\r\n\r\n # Creating swap filesystems<\/span>\r\n for i in $(seq 0 $decr_num_cpus); do<\/span>\r\n mkswap \/dev\/zram$i<\/span>\r\n done<\/span>\r\n\r\n # Switch the swaps on<\/span>\r\n for i in $(seq 0 $decr_num_cpus); do<\/span>\r\n swapon -p 100 \/dev\/zram$i<\/span>\r\n done<\/span>\r\n }<\/span>\r\n stop() {<\/span>\r\n for i in $(grep '^\/dev\/zram' \/proc\/swaps | awk '{ print $1 }'); do<\/span>\r\n swapoff \"$i\"<\/span>\r\n done<\/span>\r\n\r\n if grep -q \"^zram \" \/proc\/modules; then<\/span>\r\n sleep 1<\/span>\r\n rmmod zram<\/span>\r\n fi<\/span>\r\n }<\/span>\r\n case \"$1\" in<\/span>\r\n start)<\/span>\r\n start<\/span>\r\n ;;<\/span>\r\n stop)<\/span>\r\n stop<\/span>\r\n ;;<\/span>\r\n restart)<\/span>\r\n stop<\/span>\r\n sleep 3<\/span>\r\n start<\/span>\r\n ;;<\/span>\r\n esac<\/span>\r\n wait<\/span>\r\n\r\n -<\/span> path<\/span>:<\/span> \/etc\/kubernetes\/manifests\/kube-apiserver.yaml<\/span>\r\n filesystem<\/span>:<\/span> root<\/span>\r\n mode<\/span>:<\/span> 0755<\/span>\r\n contents<\/span>:<\/span>\r\n inline<\/span>:<\/span> |<\/span>\r\n apiVersion: v1<\/span>\r\n kind: Pod<\/span>\r\n metadata:<\/span>\r\n name: kube-apiserver<\/span>\r\n namespace: kube-system<\/span>\r\n spec:<\/span>\r\n hostNetwork: true<\/span>\r\n containers:<\/span>\r\n - name: kube-apiserver<\/span>\r\n image: gcr.io\/google_containers\/hyperkube-amd64:v1.13.1<\/span>\r\n command:<\/span>\r\n - \/hyperkube<\/span>\r\n - apiserver<\/span>\r\n - --bind-address=0.0.0.0<\/span>\r\n - --etcd-servers=https:\/\/${MASTER_IP}:2379<\/span>\r\n - --etcd-cafile=\/etc\/kubernetes\/ssl\/ca.pem<\/span>\r\n - --etcd-certfile=\/etc\/kubernetes\/ssl\/apiserver.pem<\/span>\r\n - --etcd-keyfile=\/etc\/kubernetes\/ssl\/apiserver-key.pem<\/span>\r\n - --allow-privileged=true<\/span>\r\n - --apiserver-count=1<\/span>\r\n - --endpoint-reconciler-type=lease<\/span>\r\n - --service-cluster-ip-range=10.3.0.0\/24<\/span>\r\n - --secure-port=6443<\/span>\r\n - --advertise-address=${MASTER_IP}<\/span>\r\n - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota<\/span>\r\n - --storage-backend=etcd3<\/span>\r\n - --tls-cert-file=\/etc\/kubernetes\/ssl\/apiserver.pem<\/span>\r\n - --tls-private-key-file=\/etc\/kubernetes\/ssl\/apiserver-key.pem<\/span>\r\n - --client-ca-file=\/etc\/kubernetes\/ssl\/ca.pem<\/span>\r\n - --service-account-key-file=\/etc\/kubernetes\/ssl\/apiserver-key.pem<\/span>\r\n - --runtime-config=extensions\/v1beta1\/networkpolicies=true<\/span>\r\n - --service-node-port-range=25-32767<\/span>\r\n - --authorization-mode=RBAC<\/span>\r\n ports:<\/span>\r\n - containerPort: 6443<\/span>\r\n hostPort: 6443<\/span>\r\n name: https<\/span>\r\n - containerPort: 8080<\/span>\r\n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- swap<\/ul>\n
\u5c06CoreOS\u7684ISO\u6620\u50cf\u4e0a\u4f20\u81f3Sakura\u7684VPS\u3002<\/h1>\n
\u6b21\u306eURL\u304b\u3089ISO\u30a4\u30e1\u30fc\u30b8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9
\nhttps:\/\/stable.release.core-os.net\/amd64-usr\/1632.3.0\/coreos_production_iso_image.iso<\/p>\n![\"100_.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d24ff37434c4406c311e4\/5-0.png\" "\\"\\"")
<\/div>\n\u4eceISO\u955c\u50cf\u542f\u52a8VPS\u3002<\/p>\n
![\"111__.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d24ff37434c4406c311e4\/7-0.png\" "\\"\\"")
<\/div>\n\u5728\u8fd9\u91cc\u8f93\u5165\u4e0b\u4e00\u4e2a\u503c\u3002<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n