【k8s】（二）kubernetes1.29.4离线部署之-镜像文件准备

离线镜像文件准备

**注意： **离线安装需要准备大量的镜像，这一步千万要仔细否则会出现各种意想不到的问题

需要准备的镜像文件

kube-apiserver
kube-controller-manager
kube-scheduler
kube-proxy
kube-proxy
coredns
pause
etcd

以上镜像文件可以从： registry.cn-hangzhou.aliyuncs.com/google_containers下载

calico/node
calico/kube-controllers
calico/node
calico/typha
calico/node-driver-registrar
calico/csi
calico/cni
calico/ctl
calico/pod2daemon-flexvol
calico/apiserver

以上可以直接从docker.io下载即可

注意：以上所有的镜像文件务必准备到位。本文脚本中的几个版本便令注意修改到位：
KUBERNETES_VERSION=${KUBERNETES_VERSION:-“v1.29.4”}
COREDNS_VERSION=${COREDNS_VERSION:-‘v1.11.1’}
PAUSE_VERSION=${PAUSE_VERSION:-‘3.9’}
ETCD_VERSION=${ETCD_VERSION:-‘3.5.12-0’}
REGISTRY_VERSION=${REGISTRY_VERSION:-‘2.8.3’}
CALICO_VERSION=${CALICO_VERSION:-‘v3.27.3’}

完整的镜像下载脚本

#!/bin/bashENV_CFG=./env.cfg
if [ -f ${ENV_CFG} ] ; thenchmod 777 ${ENV_CFG}source ${ENV_CFG}
fi
image_list="${IMAGE_DOMAIN}/${IMAGE_NAMESPACE}/kube-apiserver:${KUBERNETES_VERSION}
${IMAGE_DOMAIN}/${IMAGE_NAMESPACE}/kube-controller-manager:${KUBERNETES_VERSION}
${IMAGE_DOMAIN}/${IMAGE_NAMESPACE}/kube-scheduler:${KUBERNETES_VERSION}
${IMAGE_DOMAIN}/${IMAGE_NAMESPACE}/kube-proxy:${KUBERNETES_VERSION}
${IMAGE_DOMAIN}/${IMAGE_NAMESPACE}/coredns:${COREDNS_VERSION}
${IMAGE_DOMAIN}/${IMAGE_NAMESPACE}/pause:${PAUSE_VERSION}
${IMAGE_DOMAIN}/${IMAGE_NAMESPACE}/etcd:${ETCD_VERSION}
calico/node:${CALICO_VERSION}
calico/kube-controllers:${CALICO_VERSION}
calico/node:${CALICO_VERSION}
calico/typha:${CALICO_VERSION}
calico/node-driver-registrar:${CALICO_VERSION}
calico/csi:${CALICO_VERSION}
calico/cni:${CALICO_VERSION}
calico/ctl:${CALICO_VERSION}
calico/pod2daemon-flexvol:${CALICO_VERSION}
calico/apiserver:${CALICO_VERSION}
"
#${IMAGE_DOMAIN}/${IMAGE_NAMESPACE}/registry:${REGISTRY_VERSION}newimage_list=()
for image in ${image_list}; dodocker pull "${image}"newimage=$(echo $image | sed -e "s/calico/${LOCAL_IMAGE_DOMAIN}\/calico/")newimage=$(echo $newimage | sed -e "s/${IMAGE_DOMAIN}\/${IMAGE_NAMESPACE}/${LOCAL_IMAGE_DOMAIN}\/${LOCAL_IMAGE_NAMESPACE}/")newimage_list+="${newimage} "docker tag $image $newimagedocker push $newimage
donedocker save -o qinghub-kube-"${VERSION}".tar ${newimage_list}

轻云官方下载

https:/qingplus.cn/pkg/kubernetes/v1.29.4/qinghub-kube-v1.29.4.tar
下载完成后再手动导入所有的镜像即可。详细过程不在细说。

环境初始化

检查步骤

关闭防火墙
关闭 swap partition permanently
配置检查时间同步
配置安装时间同步组件
配置检查 nfs-utils kubeadmin方式安装不需要检查
配置检查内核版本
配置检查资源情况
配置检查SSH
配置检查系统配置
配置检查转发 IPv4
配置检查Docker用户并添加ssh免密认证<authoirzed_keys> （建议手动执行）
配置检查Docker （容器运行时为Containerd时，不需要检查）
配置检查Docker用户权限（容器运行时为Containerd时，不需要检查）
配置检查网络

完整的初始化脚本

#!/bin/bash###############################################
# QingHub K8S Install 版本: $VERSION
# 架构: $ARCH_TYPE 目前版本主要支持amd64，其他待敬请期待
# 操作系统: $os_type
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################ENV_CFG=./env.cfg
if [ -f ${ENV_CFG} ] ; thenchmod 777 ${ENV_CFG}source ${ENV_CFG}
fiexport CONSOLE=${CONSOLE:-false}
os_type=$(cat /etc/os-release | grep "^ID=" | awk -F= '{print $2}' | tr -d [:punct:])
os_version_id=$(cat /etc/os-release | grep "VERSION_ID=" | awk -F= '{print $2}' | tr -d [:punct:])if [ "$EUID" -ne 0 ]; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${RED}[ERROR] 当前用户不是 root 用户，请切换到 root 用户执行该脚本.${NC}"exit 1elseecho -e "${RED}[ERROR] Current user is not root user, please switch to root user to execute the script.${NC}"exit 1fi
fiif [ -z "$SSH_RSA" ]; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${RED}[ERROR] 请设置环境变量 SSH_RSA, 该变量为 SSH 公钥.${NC}"exit 1elseecho -e "${RED}[ERROR] Please set the environment variable SSH_RSA, the variable is SSH public key.${NC}"exit 1fi
fi###############################################
# 新增ubuntu 用户
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function add_user_in_ubuntu() {useradd --create-home -s /bin/bash -g root "$1"echo "$1":"$2" | chpasswdif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] 用户 $1 已经创建.${NC}"elseecho -e "${GREEN}[INFO] User $1 has been created.${NC}"fi
}###############################################
# 新增redhat 用户
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function add_user_in_redhat() {adduser -g root "$1"echo "$1":"$2" | chpasswdif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] 用户 $1 已经创建.${NC}"elseecho -e "${GREEN}[INFO] User $1 has been created.${NC}"fi
}###############################################
# 描述： 检查并新增用户, 有些版本可以不用检查，请使用时根据
# 情况自行注释掉
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function check_user() {if ! grep -q docker /etc/group; thengroupadd --force dockerfiif id -u "${DOCKER_USER}" >/dev/null 2>&1; thenif ! id -nG "${DOCKER_USER}" | grep -qw "docker"; thengpasswd -a "${DOCKER_USER}" dockerfiif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] 用户 ${DOCKER_USER} 已经存在.${NC}"elseecho -e "${GREEN}[INFO] User ${DOCKER_USER} already exists.${NC}"fielsecase $os_type incentos|redhat|euleros|fusionos|anolis|kylin|rhel|rocky|fedora|openEuler)add_user_in_redhat "${DOCKER_USER}" "${DOCKER_PASS}";;ubuntu|debian)add_user_in_ubuntu "${DOCKER_USER}" "${DOCKER_PASS}";;*)if [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${RED}[ERROR] 暂不支持 $os_type 操作系统.${NC}"exit 1elseecho -e "${RED}[ERROR] The $os_type operating system is temporarily not supported.${NC}"exit 1fi;;esacfi$CONSOLE$CONSOLE || add_ssh_rsa "${DOCKER_USER}"
}function add_ssh_rsa() {if id -u "$user" >/dev/null 2>&1; thenif [ ! -d "/home/$1/.ssh" ]; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] 创建 /home/$1/.ssh 目录.${NC}"elseecho -e "${GREEN}[INFO] Create /home/$1/.ssh directory.${NC}"fimkdir -p /home/"$1"/.sshfiif [ -f "/home/$1/.ssh/authorized_keys" ]; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] /home/$1/.ssh/authorized_keys 已经存在.${NC}"elseecho -e "${GREEN}[INFO] /home/$1/.ssh/authorized_keys already exists.${NC}"fichmod 777 /home/"$1"/.ssh/authorized_keysif ! < /home/"$1"/.ssh/authorized_keys grep -q "$SSH_RSA"; thenecho "$SSH_RSA" >> /home/"$1"/.ssh/authorized_keysfielseif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] 创建 /home/$1/.ssh/authorized_keys.${NC}"elseecho -e "${GREEN}[INFO] Create /home/$1/.ssh/authorized_keys.${NC}"fitouch /home/"$1"/.ssh/authorized_keyschmod 777 /home/"$1"/.ssh/authorized_keysecho "$SSH_RSA" > /home/"$1"/.ssh/authorized_keysfiif < /home/"$1"/.ssh/authorized_keys grep -q "$SSH_RSA"; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] 成功将 SSH 公钥添加到 /home/$1/.ssh/authorized_keys.${NC}"elseecho -e "${GREEN}[INFO] Successfully added ssh public key to /home/$1/.ssh/authorized_keys.${NC}"fielseif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${RED}[ERROR] 将 SSH 公钥添加到 /home/$1/.ssh/authorized_keys 失败.${NC}"exit 1elseecho -e "${RED}[ERROR] Add ssh public key to /home/$1/.ssh/authorized_keys failed.${NC}"exit 1fifichmod 600 /home/"$1"/.ssh/authorized_keyschown -R "$1":"$1"  /home/"$1"/.sshfi
}function check_user_permission(){if su ${DOCKER_USER} -c "docker ps" >/dev/null 2>&1; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] Docker 用户有权限执行 docker 命令.${NC}"elseecho -e "${GREEN}[INFO] Docker users have the permission to execute docker commands.${NC}"fielseif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${RED}[ERROR] Docker 用户无权限执行 docker 命令, 请尝试重启docker 'systemctl restart docker'. 重启 docker 后, 再次执行该脚本.${NC}"exit 1elseecho -e "${RED}[ERROR] Docker users have no permission to execute docker commands, Please try to restart docker 'systemctl restart docker'. After restarting docker, execute the script again.${NC}"exit 1fifi
}###############################################
# 描述： 关闭防火墙
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function disable_firewalld() {if systemctl status firewalld | grep Active | grep -q running >/dev/null 2>&1; thensystemctl stop firewalld >/dev/null 2>&1systemctl disable firewalld >/dev/null 2>&1if [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] 检测到 Firewalld 服务已启动，正在将 Firewalld 服务关闭并禁用.${NC}"elseecho -e "${GREEN}[INFO] The Firewalld service has been started, Firewalld service is being turned off and disabled.${NC}"fielseif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] Firewalld 服务已经停止或未安装.${NC}"elseecho -e "${GREEN}[INFO] Firewalld service is not installed.${NC}"fifi
}###############################################
# 描述： 关闭swap
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function disable_swap() {if swapoff -a; thensed -i '/swap/s/^/#/' /etc/fstabif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] swap 已经禁用.${NC}"elseecho -e "${GREEN}[INFO] swap has been disabled.${NC}"fifi
}function check_time_sync() {if timedatectl status | grep "NTP synchronized" | grep -q "yes" >/dev/null 2>&1 || timedatectl show | grep "NTPSynchronized=yes" >/dev/null 2>&1; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] NTP 时间同步已经启用.${NC}"elseecho -e "${GREEN}[INFO] NTP time synchronization has been enabled.${NC}"fielseif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] NTP 时间同步未启用.${NC}"elseecho -e "${YELLOW}[WARN] NTP time synchronization is not enabled.${NC}"fifi
}###############################################
# 描述： 安装时钟同步，请酌情修改并安装
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
install_chrony(){case $os_type inubuntu|debian)if dpkg -l | grep -q chrony >/dev/null 2>&1; thenecho -e "${GREEN}[INFO] chrony 已经安装在主机上.${NC}"elseecho -e "${YELLOW}[WARN] chrony 未安装在主机上, 请执行命令安装 'apt -y install chrony'.${NC}"apt -y install chrony &> /dev/null;systemctl restart chronyd && systemctl enable --now chronyd &> /dev/nullsystemctl is-active chronyd &> /dev/nullfi;;*)if rpm -qa | grep -q chrony >/dev/null 2>&1; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] chrony 已经安装在主机上.${NC}"elseecho -e "${GREEN}[INFO] chrony has been installed on the host.${NC}"fielseif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] chrony 未安装在主机上, 请执行命令安装 'yum -y install chrony'.${NC}"elseecho -e "${YELLOW}[WARN] chrony is not installed on the host, please execute the command install 'yum -y install chrony'.${NC}"fiyum -y install chronyfi;;esacif [ "${CHRONY_TYPE}" == 'server' ]; thensudo bash -c 'cat > /etc/chrony.conf << EOF
pool ntp.aliyun.com iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
allow 10.0.0.0/24
local stratum 10
keyfile /etc/chrony.keys
leapsectz right/UTC
logdir /var/log/chrony
EOF'elsesudo bash -c 'cat > /etc/chrony.conf << EOF
pool ${CHRONY_SERVER} iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
leapsectz right/UTC
logdir /var/log/chrony
EOF'fisystemctl restart chronyd && systemctl enable --now chronyd &> /dev/nullsystemctl is-active chronyd &> /dev/nullif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] chrony 完成配置在主机上.${NC}"elseecho -e "${GREEN}[INFO] chrony has been configured on the host.${NC}"fi
}###############################################
# 描述： 优化配置forwarding_ipv4
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function check_forwarding_ipv4() {sudo bash -c 'cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF'sudo modprobe overlaysudo modprobe br_netfiltersudo bash -c 'cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 1
EOF'sudo sysctl --system#加载ipvs模块sudo bash -c 'cat <<EOF | sudo tee /etc/modules-load.d/ipvs.conf <<EOF
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
EOF'systemctl restart systemd-modules-load.service
}###############################################
# 描述： 检查服务器资源状况
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function check_resource(){cpu=$(grep -c 'processor' /proc/cpuinfo)mem=$(free -g | awk '/^Mem/{print $2}')DISK_SPACE=$(df /|sed -n '2p'|awk '{print $2}')# check cpuif [ "${cpu}" -lt 2 ]; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] CPU核数建议至少为2核.${NC}"elseecho -e "${YELLOW}[WARN] The cpu is recommended to be at least 2C.${NC}"fifi# check memoryif [ "${mem}" -lt 3 ]; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] 内存建议至少为8G.${NC}"elseecho -e "${YELLOW}[WARN] The Memory is recommended to be at least 8G.${NC}"fifi# check disk spaceif [ "${DISK_SPACE}" -lt 47185920 ];thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] 根分区空间需大于 50G.${NC}"elseecho -e "${YELLOW}[WARN] The root partition space must be greater than 50G.${NC}"fifi
}###############################################
# 描述： 检查内核版本
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function check_kernel() {kernel_version=$(uname -r | awk -F. '{print $1}')if [ "$kernel_version" -lt "4" ]; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] 内核版本必须高于4.0, 请尽快升级内核到4.0+.${NC}"elseecho -e "${YELLOW}[WARN] Kernel version must be higher than 4.0, Please upgrade the kernel to 4.0+ as soon as possible.${NC}"fifi
}###############################################
# 描述： 检查 nfs是否安装，这里并未自动安装
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function check_nfscli(){case $os_type inubuntu|debian)if dpkg -l | grep -q nfs-common >/dev/null 2>&1; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] nfs-common 已经安装在主机上.${NC}"elseecho -e "${GREEN}[INFO] nfs-common has been installed on the host.${NC}"fielseif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] nfs-common 未安装在主机上, 请执行命令安装 'apt -y install nfs-common'.${NC}"elseecho -e "${YELLOW}[WARN] nfs-common is not installed on the host, please execute the command install 'apt-get update && apt -y install nfs-common'.${NC}"fifi;;*)if rpm -qa | grep -q nfs-utils >/dev/null 2>&1; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] nfs-utils 已经安装在主机上.${NC}"elseecho -e "${GREEN}[INFO] nfs-utils has been installed on the host.${NC}"fielseif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] nfs-utils 未安装在主机上, 请执行命令安装 'yum -y install nfs-utils'.${NC}"elseecho -e "${YELLOW}[WARN] nfs-utils is not installed on the host, please execute the command install 'yum -y install nfs-utils'.${NC}"fifi;;esac
}function check_openssh(){if ssh -V >/dev/null 2>&1; thenOPENSSH_VERSION=$(ssh -V |& awk -F[_.] '{print $2}')if [ "${OPENSSH_VERSION}" -lt "7" ];thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] Openssh 版本必须高于 7.0.${NC}"elseecho -e "${YELLOW}[WARN] Openssh version must be higher than 7.0 ${NC}"fifielseif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${RED}[ERROR] 需要安装 7.0+ 版本的openssh.${NC}"exit 1elseecho -e "${RED}[ERROR] Need to install 7.0+ version of openssh.${NC}"exit 1fifiif grep -v "^\s*#" /etc/ssh/sshd_config | grep "AllowTcpForwarding yes" >/dev/null 2>&1; thenif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${GREEN}[INFO] /etc/ssh/sshd_config 已经配置 AllowTcpForwarding yes.${NC}"elseecho -e "${GREEN}[INFO] /etc/ssh/sshd_config has been configured AllowTcpForwarding yes.${NC}"fielseif grep "AllowTcpForwarding no" /etc/ssh/sshd_config >/dev/null 2>&1; thensed -i '/AllowTcpForwarding/s/^/#/' /etc/ssh/sshd_configsed -i '$a\AllowTcpForwarding yes' /etc/ssh/sshd_configelsesed -i '$a\AllowTcpForwarding yes' /etc/ssh/sshd_configfiif [ "$LANG" == "zh_CN.UTF-8" ]; thenecho -e "${YELLOW}[WARN] /etc/ssh/sshd_config 配置 AllowTcpForwarding yes 成功, 请执行命令重启 sshd 服务生效, 'systemctl restart sshd'.${NC}"elseecho -e "${YELLOW}[WARN] /etc/ssh/sshd_config AllowTcpForwarding yes is successfully configured, Run the following command to restart the sshd service to take effect, 'systemctl restart sshd'.${NC}"fifi
}###############################################
# 描述： 优化参数
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function optimize_linux() {sudo bash -c 'cat > /etc/sysctl.conf << EOF
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv4.neigh.default.gc_thresh1=4096
net.ipv4.neigh.default.gc_thresh2=6144
net.ipv4.neigh.default.gc_thresh3=8192
net.ipv4.neigh.default.gc_interval=60
net.ipv4.neigh.default.gc_stale_time=120
kernel.perf_event_paranoid=-1
#sysctls for k8s node config
net.ipv4.tcp_slow_start_after_idle=0
net.core.rmem_max=16777216
fs.inotify.max_user_watches=524288
kernel.softlockup_all_cpu_backtrace=1
kernel.softlockup_panic=0
kernel.watchdog_thresh=30
fs.file-max=2097152
fs.inotify.max_user_instances=8192
fs.inotify.max_queued_events=16384
vm.max_map_count=262144
fs.may_detach_mounts=1
net.core.netdev_max_backlog=16384
net.ipv4.tcp_wmem=4096 12582912 16777216
net.core.wmem_max=16777216
net.core.somaxconn=32768
net.ipv4.ip_forward=1
net.ipv4.tcp_max_syn_backlog=8096
net.ipv4.tcp_rmem=4096 12582912 16777216net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1kernel.yama.ptrace_scope=0
vm.swappiness=0
kernel.core_uses_pid=1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries=1
net.ipv4.conf.all.promote_secondaries=1# Enable hard and soft link protection
fs.protected_hardlinks=1
fs.protected_symlinks=1net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2net.ipv4.tcp_max_tw_buckets=5000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_synack_retries=2
kernel.sysrq=1
EOF'sudo sysctl -p >/dev/null 2>&1echo -e "${GREEN}[INFO] 优化kernel参数成功${NC}"
}function optimize_limits() {sudo bash -c 'cat >> /etc/security/limits.conf <<EOF
* soft nofile 1024000
* hard nofile 1024000
EOF'echo -e "${GREEN}[INFO] 优化limits参数成功${NC}"
}
function check_syscfg(){sudo chmod 777 /etc/sysctl.confsudo chmod 777 /sbin/sysctlsudo chmod 777 /etc/security/limits.confoptimize_linuxoptimize_limitssudo chmod 644 /etc/sysctl.confsudo chmod 755 /sbin/sysctlsudo chmod 644 /etc/security/limits.conf
}###############################################
# 描述： calico 网络配置初始化
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function  check_network() {sudo bash -c 'cat >> /etc/NetworkManager/conf.d/calico.conf << EOF
[keyfile]
unmanaged-devices=interface-name:cali*;interface-name:tunl*
unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:wireguard.cali
EOF'systemctl restart NetworkManager
}###############################################
# 描述： 主入口函数
# QingHub Studio官网: https://qinghub.net
# 如过您安装遇到问题，请到官网查找官方联系方式或加支持群:
#                                https://qinghub.net
###############################################
function main {echo -e "${GREEN}[INFO] ==========开始检查并配置初始化========= ${NC}"# 停止 friewallddisable_firewalld# 关闭 swap partition permanentlydisable_swap# 配置检查时间同步check_time_sync# 配置安装时间同步组件install_chrony# 配置检查 nfs-utils kubeadmin方式安装不需要检查#check_nfscli# 配置检查内核版本check_kernel# 配置检查资源情况check_resource# 配置检查SSHcheck_openssh# 配置检查系统配置check_syscfg# 转发 IPv4check_forwarding_ipv4# 配置检查Docker用户并添加ssh免密认证<authoirzed_keys>check_user# 配置检查Docker  容器运行时为Containerd时，不需要检查#check_docker# 配置检查Docker用户权限 容器运行时为Containerd时，不需要检查#check_user_permission# 配置检查网络check_networkecho -e "${GREEN}[INFO] ==========成功完成检查并配置初始化========= ${NC}"
}main