$ terraform init\r\n$ terraform apply -auto-approve\r\n$ docker run --rm -it \\\r\n --mount type=bind,source=\"$(pwd)\"\/inventory,dst=\/inventory \\\r\n --mount type=bind,source=\"$(pwd)\"\/generate_inventory.py,dst=\/kubespray\/generate_inventory.py \\\r\n --mount type=bind,source=\"$(pwd)\"\/terraform.tfstate,dst=\/kubespray\/terraform.tfstate \\\r\n --mount type=bind,source=\"${HOME}\"\/.ssh\/id_rsa,dst=\/root\/.ssh\/id_rsa \\\r\n quay.io\/kubespray\/kubespray:v2.23.1 bash\r\n\r\n# Inside a container\r\n$ ansible-playbook -i generate_inventory.py cluster.yml\r\n<\/code><\/pre>\n\u6837\u672c\u4ee3\u7801\uff1a<\/p>\n
<\/p>\n
\u7b80\u8981\u6982\u8ff0<\/h2>\n
\u4f7f\u7528Terraform + Kubespray\u5728KVM\u4e0a\u6784\u5efaKubernetes\u96c6\u7fa4\u3002\u5927\u81f4\u6b65\u9aa4\u5982\u4e0b\u3002<\/p>\n
\n- \n
\u4f7f\u7528 Terraform \u521b\u5efa\u865a\u62df\u673a<\/ol>\n<\/li>\n<\/ol>\n <\/p>\n
\n- \n
\u4ece\u751f\u6210\u7684 terraform.tfstate \u6587\u4ef6\u4e2d\u63d0\u53d6\u5b58\u8d27\u4fe1\u606f<\/ol>\n<\/li>\n<\/ol>\n <\/p>\n
\u4f7f\u7528\u5b58\u8d27\u4fe1\u606f\u548c Kuberspray \u7684 Ansible playbooks \u521b\u5efa Kubernetes \u96c6\u7fa4<\/ol>\n![\"dynamic_inventory.drawio.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d87c2913a08637a6c0c09\/8-0.png\" "\\"\\"")
<\/div>\n\u7f51\u7edc\u914d\u7f6e\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n
![\"network_architecture.drawio.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d87c2913a08637a6c0c09\/10-0.png\" "\\"\\"")
<\/div>\n\u5728\u96c6\u7fa4\u4e2d\uff0c\u5c06\u516c\u5171\u7f51\u7edc\uff08eth0\uff09\u4e0e\u7528\u4e8eAnsible SSH\u767b\u5f55\u7684\u7f51\u7edc\uff08eth1\uff09\u8fdb\u884c\u4e86\u5206\u9694\u3002<\/p>\n
\u524d\u63d0\u6761\u4ef6 (Qian ti tiao jian)<\/h2>\n\n- \n
terraform<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
Container runtime (docker, podman, nerdctl, etc.)<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
KVM packages<\/ul>\n<\/li>\n<\/ul>\nqemu-kvm
\nlibvirt<\/p>\n
crdtools
\nnmcli
\n(Host OS: Ubuntu 22.04)<\/p>\n
\u6b65\u9aa4<\/h2>\n\u4e3b\u6301\u4eba\u7684\u9884\u5148\u8bbe\u7f6e<\/h3>\n\u7f51\u7edc\u8bbe\u7f6e<\/h4>\n
\u521b\u5efa\u4e00\u4e2a\u865a\u62df\u6865\u63a5\u53e3br0\uff0c\u5e76\u5c06\u73b0\u6709\u4e3b\u673a\u7684\u7f51\u7edc\u63a5\u53e3\uff08\u5982enp1s0\uff09\u8fde\u63a5\u5230br0\u3002\u901a\u8fc7\u8fd9\u6837\u505a\uff0c\u53ef\u4ee5\u5c06\u540e\u7eed\u521b\u5efa\u7684\u865a\u62df\u673a\u8fde\u63a5\u5230br0\uff0c\u4f7f\u5f97\u53ef\u4ee5\u76f4\u63a5\u4ece\u5c40\u57df\u7f51\u4e2d\u7684\u4efb\u4f55\u4e3b\u673a\u8bbf\u95ee\u865a\u62df\u673a\u3002<\/p>\n
\u56fe\u793a\u8bf4\u660e\u5982\u4e0b\uff0c\u5c06\u8bbe\u7f6e\u4ece “Before” \u66f4\u6539\u4e3a “After”\u3002<\/p>\n
![\"network-diff.drawio.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d87c2913a08637a6c0c09\/19-0.png\" "\\"\\"")
<\/div>\n$ HOST_IP<\/span>=<\/span>192.168.8.10\r\n$ CIDR<\/span>=<\/span>24\r\n$ GATEWAY<\/span>=<\/span>192.168.8.1\r\n$ DNS<\/span>=<\/span>192.168.8.1\r\n$ NWIF<\/span>=<\/span>enp1s0\r\n\r\n# br0 \u3092\u4f5c\u6210<\/span>\r\n$ <\/span>nmcli connection add type <\/span>bridge ifname br0\r\n$ <\/span>nmcli connection show\r\nNAME UUID TYPE DEVICE\r\nbridge-br0 55bef68c-1232-46c3-adac-e40964c24d4d bridge br0\r\n...\r\n\r\n# \u65e2\u5b58\u306e enp1s0 \u3068\u540c\u3058\u8a2d\u5b9a\u3092 br0 \u306b\u4e0e\u3048\u308b<\/span>\r\n$ <\/span>nmcli connection modify bridge-br0 \\<\/span>\r\nipv4.method manual \\<\/span>\r\nipv4.addresses \"<\/span>$HOST_IP<\/span>\/<\/span>$CIDR<\/span>\"<\/span> \\<\/span>\r\nipv4.gateway \"<\/span>$GATEWAY<\/span>\"<\/span> \\<\/span>\r\nipv4.dns $DNS<\/span>\r\n\r\n# enp1s0 \u3092 br0 \u306b\u63a5\u7d9a<\/span>\r\n$ <\/span>nmcli connection add type <\/span>bridge-slave ifname $NWIF<\/span> master bridge-br0\r\n# \u65e2\u5b58\u306e enp1s0 \u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9\u3092\u524a\u9664<\/span>\r\n$ <\/span>nmcli connection delete $NWIF<\/span>\r\n\r\n# br0 \u306e\u8a2d\u5b9a\u3092\u53cd\u6620<\/span>\r\n$ <\/span>nmcli connection up bridge-br0\r\n<\/code><\/pre>\n\u68c0\u67e5libvirt\u7684\u9ed8\u8ba4\u5b58\u50a8\u6c60\u3002<\/h4>\n
\u9996\u5148\uff0c\u9700\u8981\u786e\u8ba4\u662f\u5426\u5b58\u5728\u9ed8\u8ba4\u5b58\u50a8\u6c60\uff0clibvirt\u4f7f\u7528\u5404\u79cd\u8d44\u6e90\uff0c\u8fd9\u4e9b\u8d44\u6e90\u5728\u79f0\u4e3a”default pool”\u7684\u76ee\u5f55\/var\/lib\/libvirt\/images\u5185\u8fdb\u884c\u7ba1\u7406\u3002<\/p>\n
$ virsh pool-list --all\r\n Name State Autostart\r\n-------------------------------\r\n default active yes\r\n<\/code><\/pre>\n\u5982\u679c\u6ca1\u6709\u9ed8\u8ba4\u6c60\u7684\u8bdd\uff0c\u5728\u8fd9\u91cc\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u521b\u5efa\u4e00\u4e2a\uff1a<\/p>\n
$ mkdir \/var\/lib\/libvirt\/images\r\n$ chmod 755 \/var\/lib\/libvirt\/images\r\n\r\n$ virsh pool-define \/dev\/stdin <<EOF\r\n<pool type='dir'>\r\n <name>default<\/name>\r\n <target>\r\n <path>\/var\/lib\/libvirt\/images<\/path>\r\n <\/target>\r\n<\/pool>\r\nEOF\r\n\r\n$ virsh pool-start default\r\n$ virsh pool-autostart default\r\n$ virsh pool-list --all\r\n<\/code><\/pre>\n\u83b7\u53d6 Linux \u955c\u50cf<\/h4>\n
\u5728\u672c\u6587\u4e2d\uff0c\u6211\u4eec\u5c06\u4f7f\u7528Rocky Linux\u4f5c\u4e3aVM\u7684\u64cd\u4f5c\u7cfb\u7edf\uff0c\u53d6\u4ee3\u539f\u5148\u7684CentOS\u3002\u6211\u4eec\u5c06\u4ecedownload.rockylinux.org\u7f51\u7ad9\u4e0b\u8f7d\u6620\u50cf\u6587\u4ef6\uff0c\u5e76\u5c06\u5176\u4fdd\u5b58\u5230libvirt\u7684\u9ed8\u8ba4\u5b58\u50a8\u6c60\/var\/lib\/libvirt\/images\/\u4e2d\u3002<\/p>\n
$ sudo curl -L -o \/var\/lib\/libvirt\/images\/Rocky-9-GenericCloud.latest.x86_64.qcow2 https:\/\/download.rockylinux.org\/pub\/rocky\/9.2\/images\/x86_64\/Rocky-9-GenericCloud.latest.x86_64.qcow2\r\n<\/code><\/pre>\n\u4f7f\u7528 Terraform \u8fdb\u884c\u865a\u62df\u673a\u7684\u914d\u7f6e<\/h3>\n\u4e91\u521d\u59cb\u5316\u914d\u7f6e<\/h4>\n
cloud-init\u662f\u4e00\u79cd\u7528\u4e8e\u81ea\u52a8\u5316\u865a\u62df\u673a\u7684\u521d\u59cb\u8bbe\u7f6e\u7684\u673a\u5236\uff0c\u5728\u8bb8\u591aLinux\u53d1\u884c\u7248\u4e2d\u88ab\u91c7\u7528\u3002\u53ef\u4ee5\u901a\u8fc7\u51c6\u5907\u4ee5\u4e0b\u4e24\u4e2a\u914d\u7f6e\u6587\u4ef6\u6765\u63d0\u4f9b\u8bbe\u7f6e\u3002<\/p>\n
cloud_init.cfg: \u30e6\u30fc\u30b6\u8a2d\u5b9a\u3092\u8a18\u8ff0<\/p>\n
network_config.cfg: \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u8a2d\u5b9a\u3092\u8a18\u8ff0<\/p>\n
#cloud-config<\/span>\r\nusers<\/span>:<\/span>\r\n -<\/span> name<\/span>:<\/span> root<\/span>\r\n ssh-authorized-keys<\/span>:<\/span>\r\n -<\/span> \"<\/span><YOUR_SSH_KEY>\"<\/span> # \u81ea\u5206\u306e SSH \u516c\u958b\u9375\u3092\u66f8\u304f<\/span>\r\n\r\nruncmd<\/span>:<\/span>\r\n -<\/span> dnf install -y python3<\/span>\r\n -<\/span> dnf install -y libselinux-python<\/span>\r\n<\/code><\/pre>\n\u5f53\u6267\u884c kubespray \u65f6\uff0c\u9700\u8981\u5b89\u88c5python3\u548clibselinux-python\u3002<\/div>\n\u7f51\u7edc\u8bbe\u7f6e\u7531 network_config.cfg \u63d0\u4f9b\u3002<\/p>\n
\u7136\u800c\uff0c\u5982\u679c\u6bcf\u4e2a\u865a\u62df\u673a\u6709\u4e0d\u540c\u7684\u503c\uff08\u4f8b\u5982\u5206\u914d\u9759\u6001 IP \u5730\u5740\uff09\uff0c\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a\u5305\u542b\u53c2\u6570\u90e8\u5206\u7c7b\u4f3c\u4e8e ${foo} \u7684\u5360\u4f4d\u7b26\u7684\u6a21\u677f\uff0c\u5982\u4e0b\u6240\u793a\u3002\u4f7f\u7528 Terraform \u7684\u6a21\u677f\u529f\u80fd\uff0c\u7a0d\u540e\u53ef\u4ee5\u5c06\u503c\u5206\u914d\u7ed9\u5b83\uff0c\u5e76\u751f\u6210\u6bcf\u4e2a\u865a\u62df\u673a\u7684 network_config.cfg\u3002<\/p>\n
version<\/span>:<\/span> 2<\/span>\r\nethernets<\/span>:<\/span>\r\n eth0<\/span>:<\/span>\r\n dhcp4<\/span>:<\/span> no<\/span>\r\n addresses<\/span>:<\/span> [<\/span>$<\/span>{<\/span>ip<\/span>}]<\/span>\r\n gateway4<\/span>:<\/span> ${gateway}<\/span>\r\n nameservers<\/span>:<\/span>\r\n addresses<\/span>:<\/span> ${nameservers}<\/span>\r\n<\/code><\/pre>\n\u51c6\u5907 Terraform \u7684 libvirt \u63d0\u4f9b\u7a0b\u5e8f<\/h4>\n
\u4f7f\u7528Terraform libvirt provider (dmacvicar\/libvirt)\uff0c\u53ef\u4ee5\u901a\u8fc7Terraform\u63a7\u5236libvirt\u3002<\/p>\n
\u7531\u4e8elibvirt\u9ed8\u8ba4\u9650\u5236\u5916\u90e8\u5e94\u7528\u7a0b\u5e8f\u5bf9libvirt\u8d44\u6e90\u7684\u8bbf\u95ee\uff0c\u56e0\u6b64\u4e3a\u4e86\u7ed9libvirt\u63d0\u4f9b\u8005\u6388\u4e88\u8bbf\u95ee\u6743\u9650\uff0c\u9700\u8981\u7f16\u8f91\/etc\/apparmor.d\/libvirt\/TEMPLATE.qemu\u6587\u4ef6\u5982\u4e0b\u3002<\/p>\n
# This profile is for the domain whose UUID matches this file.\r\n#\r\n\r\n#include <tunables\/global>\r\n\r\nprofile LIBVIRT_TEMPLATE flags=(attach_disconnected) {\r\n #include <abstractions\/libvirt-qemu>\r\n \/var\/lib\/libvirt\/images\/** rwk,\r\n \/tmp\/** rwk,\r\n}\r\n<\/code><\/pre>\n\u91cd\u65b0\u542f\u52a8libvirt\u3002<\/p>\n
$ sudo systemctl restart libvirtd\r\n<\/code><\/pre>\n\u51c6\u5907Terraform\u6587\u4ef6<\/h3>\n\u672c\u8282\u5c06\u89e3\u91ca\u5982\u4f55\u5b9e\u65bd\u7528\u4e8e\u6784\u5efaKubespray\u7684VM\u7684Terraform\u4ee3\u7801\u3002\u8fd9\u4e9b\u4ee3\u7801\u88ab\u6a21\u5757\u5316\u4e86\uff0c\u6240\u4ee5\u5982\u679c\u4f60\u4e0d\u77e5\u9053\u5982\u4f55\u5b9e\u65bd\uff0c\u4f46\u662f\u60f3\u8981\u5bfc\u5165\u5e76\u4f7f\u7528\u5b83\u4eec\uff0c\u53ef\u4ee5\u53c2\u8003\u672c\u6587\u4e2d\u5173\u4e8e\u5c06\u672c\u6587\u7684Terraform\u4ee3\u7801\u4f5c\u4e3a\u6a21\u5757\u4f7f\u7528\u7684\u6280\u5de7\u3002<\/div>\n\u6587\u4ef6\u7531\u4ee5\u4e0b\u56db\u90e8\u5206\u7ec4\u6210\uff1a<\/p>\n
\n- \n
provider.tf<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
main.tf<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
variables.tf<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
output.tf<\/ul>\nprovider.tf (\u63d0\u4f9b\u8005.tf)<\/h4>\n
\u58f0\u660e\u4f7f\u7528Terraform Libvirt Provider\u3002<\/p>\n
terraform<\/span> {<\/span>\r\n required_providers<\/span> {<\/span>\r\n libvirt<\/span> =<\/span> {<\/span>\r\n source<\/span> =<\/span> \"dmacvicar\/libvirt\"<\/span>\r\n version<\/span> =<\/span> \"0.7.1\"<\/span>\r\n }<\/span>\r\n }<\/span>\r\n}<\/span>\r\n\r\nprovider<\/span> \"libvirt\"<\/span> {<\/span>\r\n uri<\/span> =<\/span> var<\/span>.<\/span>libvirt_uri<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n\u4e3b\u8981.tf<\/h4>\n
\u4e3b\u8981\u63cf\u8ff0\u4e0e\u521b\u5efa\u865a\u62df\u673a\u76f8\u5173\u7684\u5904\u7406\u8fc7\u7a0b\u3002<\/p>\n
locals<\/span> {<\/span>\r\n cluster_cidr_splitted<\/span> =<\/span> split<\/span>(<\/span>\"\/\"<\/span>,<\/span> var<\/span>.<\/span>cidr<\/span>)<\/span>\r\n cluster_cidr_subnet<\/span> =<\/span> local<\/span>.<\/span>cluster_cidr_splitted<\/span>[<\/span>0<\/span>]<\/span>\r\n cluster_cidr_prefix<\/span> =<\/span> local<\/span>.<\/span>cluster_cidr_splitted<\/span>[<\/span>1<\/span>]<\/span>\r\n cluster_nameservers_string<\/span> =<\/span> \"[<\/span>\\\"<\/span>${join(\"<\/span>\\<\/span>\", <\/span>\\\"<\/span>\"<\/span>,<\/span> var<\/span>.<\/span>nameservers<\/span>)}<\/span>\\<\/span>\"]\"<\/span>\r\n\r\n # Auto-calculate mac address from IP <\/span>\r\n cluster_ips_parts<\/span> =<\/span> [<\/span>for<\/span> vm<\/span> in<\/span> var<\/span>.<\/span>vms<\/span> :<\/span> split<\/span>(<\/span>\".\"<\/span>,<\/span> vm<\/span>.<\/span>public_ip<\/span>)]<\/span>\r\n cluster_mac_addrs<\/span> =<\/span> [<\/span>\r\n for<\/span> ip_parts<\/span> in<\/span> local<\/span>.<\/span>cluster_ips_parts<\/span> :<\/span> format<\/span>(<\/span>\r\n \"52:54:00:%02X:%02X:%02X\"<\/span>,<\/span>\r\n tonumber<\/span>(<\/span>ip_parts<\/span>[<\/span>1<\/span>]),<\/span>\r\n tonumber<\/span>(<\/span>ip_parts<\/span>[<\/span>2<\/span>]),<\/span>\r\n tonumber<\/span>(<\/span>ip_parts<\/span>[<\/span>3<\/span>