update

Author: Lin Ru

docker/trust-self-signed-certificates.md

@@ -8,8 +8,6 @@
    yum install -y ca-certificates
    ```
 
-   
-
 2. 复制 CA 证书
 
    ```shell
@@ -29,7 +27,4 @@
 
    ```shell
    systemctl restart docker
-   ```
-
-   
-
+   ```

elasticsearch/secure-es-with-tls.md

@@ -74,16 +74,13 @@ IP.3 = 10.10.20.153
 - IP 为 ES Node IP，不在列表中的IP将无法加入本集群
   对应配置为 `xpack.security.transport.ssl.verification_mode: full`
 
-
-
 ##### 生成 es-server Key
 
 ```shell
 openssl genrsa -out es-server.key 3072
 ```
 
 
-
 ##### 生成 es-server 证书签发请求
 
 ```shell

keepalived/README.md

@@ -16,28 +16,28 @@ dnf install -y keepalived
     global_defs {
         router_id nginx-ha-21
     }
-    vrrp_sync_group VG_1 {
-        group {
-            VI_1
-        }
-    }
-    vrrp_script nginx_check {
+
+    vrrp_script nginx_check 
+    {
         script "/usr/libexec/keepalived/check-nginx-status"
         interval 3
     }
-    vrrp_instance VI_1 {
+
+    vrrp_instance vi_nginx {
         state MASTER
         interface eth0
         virtual_router_id 18
         priority 100
         advert_int 1
         authentication {
             auth_type PASS
-            auth_pass 1111
+            auth_pass h3m5Ewvk
         }
+
         track_script {
             nginx_check weight 0
         }
+
         virtual_ipaddress {
             192.168.20.18 dev eth0
         }
@@ -50,28 +50,28 @@ dnf install -y keepalived
     global_defs {
         router_id nginx-ha-22
     }
-    vrrp_sync_group VG_1 {
-        group {
-            VI_1
-        }
-    }
-    vrrp_script nginx_check {
+
+    vrrp_script nginx_check 
+    {
         script "/usr/libexec/keepalived/check-nginx-status"
         interval 3
     }
-    vrrp_instance VI_1 {
+
+    vrrp_instance vi_nginx {
         state BACKUP
         interface eth0
         virtual_router_id 18
         priority 90
         advert_int 1
         authentication {
             auth_type PASS
-            auth_pass 1111
+            auth_pass h3m5Ewvk
         }
+
         track_script {
             nginx_check weight 0
         }
+        
         virtual_ipaddress {
             192.168.20.18 dev eth0
         }
@@ -97,16 +97,27 @@ chmod 755 /usr/libexec/keepalived/check-nginx-status
 chcon -u system_u -t keepalived_unconfined_script_exec_t /usr/libexec/keepalived/check-nginx-status
 ```
 
-### 防火墙打开端口
+### 防火墙
 
+##### 查看防火墙运行状态
 ```shell
-firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
-firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
-firewall-cmd --zone public --add-port 6443/tcp --permanent
+firewall-cmd --state
+```
+
+
+##### 添加规则
+
+```shell
+firewall-cmd --add-rich-rule='rule protocol value="vrrp" family=ipv4 destination address=224.0.0.18 accept' --permanent
 firewall-cmd --reload
 ```
 
 
+##### 查看规则
+```shell
+firewall-cmd --list-all
+```
+
 ## 启动
 
 ```shell

kubernetes/install/091.config-kernel-parameters.md

@@ -10,9 +10,15 @@
 modprobe ip_vs
 modprobe ip_vs_rr
 modprobe ip_vs_wrr
+modprobe ip_vs_lc
 modprobe ip_vs_wlc
 modprobe ip_vs_sh
+modprobe ip_vs_dh
+modprobe ip_vs_sed
+modprobe bridge
 modprobe overlay
+modprobe ip_tables
+modprobe iptable_filter
 modprobe br_netfilter
 modprobe nf_conntrack
 ```
@@ -29,9 +35,15 @@ cat << EOF > /etc/modules-load.d/k8s_ipvs.conf
 ip_vs
 ip_vs_rr
 ip_vs_wrr
+ip_vs_lc
 ip_vs_wlc
 ip_vs_sh
+ip_vs_dh
+ip_vs_sed
+bridge
 overlay
+ip_tables
+iptable_filter
 br_netfilter
 nf_conntrack
 EOF
@@ -58,20 +70,12 @@ EOF
 fs.file-max                				= 1000000
 kernel.sysrq                            = 1
 
-net.ipv4.neigh.default.gc_stale_time    = 120
-net.ipv4.conf.all.rp_filter 			= 0
-net.ipv4.conf.default.rp_filter 		= 0
-net.ipv4.conf.default.arp_announce 		= 2
-net.ipv4.conf.lo.arp_announce 			= 2
-net.ipv4.conf.all.arp_announce 			= 2
-
-net.ipv4.tcp_max_tw_buckets 			= 5000
-net.ipv4.tcp_syncookies 				= 1
-net.ipv4.tcp_max_syn_backlog 			= 1024
-net.ipv4.tcp_synack_retries 			= 2
-net.ipv4.tcp_slow_start_after_idle 		= 0
 net.ipv4.ip_forward                     = 1
 
+net.netfilter.nf_conntrack_max          = 2310720
+net.bridge.bridge-nf-call-iptables      = 1
+net.bridge.bridge-nf-call-ip6tables     = 1
+
 vm.max_map_count                        = 500000
 vm.swappiness                           = 0
 ```

kubernetes/install/101.install-etcd-cluster.md

@@ -279,6 +279,7 @@ yum install -y etcd
     ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.20.31:2380"
     ETCD_INITIAL_CLUSTER="etcd1=https://192.168.20.31:2380"
     ETCD_INITIAL_CLUSTER_STATE="new"
+    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
     ETCD_ADVERTISE_CLIENT_URLS="https://192.168.20.31:2379"
     [security]
     ETCD_CERT_FILE="/etc/etcd/pki/etcd-server.pem"
@@ -313,7 +314,7 @@ WorkingDirectory=/var/lib/etcd/
 EnvironmentFile=-/etc/etcd/etcd.conf
 User=etcd
 
-ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd"
+ExecStart=/usr/bin/etcd
 
 Restart=on-failure
 LimitNOFILE=65536
@@ -324,6 +325,26 @@ WantedBy=multi-user.target
 
 ##### 依次修改3个节点的 /etc/etcd/etc.conf 和 /usr/lib/systemd/system/etcd.service 文件
 
+
+### 4. 添加用户
+
+```shell
+useradd -u 2380 etcd
+```
+
+### 5. 配置证书权限
+
+```shell
+setfacl -m u:etcd:r etcd-server.key etcd-peer.key
+```
+
+
+### 6. 修改数据目录权限
+
+```shell
+chown etcd. /var/lib/etcd
+```
+
 ### 重新载入配置
 
 由于修改了 systemd 配置，所以需要重新载入配置

kubernetes/install/103.add-user.md

@@ -3,8 +3,8 @@
 ### Add Group & User `kube`
 
 ```shell
-groupadd -g 200 kube
-useradd  -g 200 kube -u 200 -d / -s /sbin/nologin -M
+groupadd -g 2000 kube
+useradd  -g 2000 kube -u 2000 -d / -s /sbin/nologin -M
 ```
 
 

kubernetes/install/104.gen-certs.md

@@ -84,17 +84,16 @@ openssl genrsa -out ca.key 4096
 #### 签发CA
 
 ```shell
-openssl req -x509 -new -nodes -key ca.key -days 1825 -out ca.pem -subj \
+openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.pem -subj \
         "/CN=kubernetes/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
         -config ca.cnf -extensions v3_req
 ```
 
-  - 有效期 **1825** (d) = 3 years
   - 注意 -subj 参数中仅 'C=CN' 与 'Shanghai' 可以修改，除非您清楚它们在 Kubernetes TLS 认证体系中的作用，否则建议**保持原样**，以免集群遇到权限异常问题
 
 ### kube-apiserver
 
-#### apiserver.cnf
+#### kube-apiserver.cnf
 
 ```
 [ req ]
@@ -132,15 +131,15 @@ DNS.5 = kubernetes.default.svc.cluster.local
 #### 生成 key
 
 ```shell
-openssl genrsa -out apiserver.key 4096
+openssl genrsa -out kube-apiserver.key 4096
 ```
 
 #### 生成证书签名请求
 
 ```shell
-openssl req -new -key apiserver.key -out apiserver.csr -subj \
+openssl req -new -key kube-apiserver.key -out kube-apiserver.csr -subj \
         "/CN=kubernetes/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
-        -config apiserver.cnf
+        -config kube-apiserver.cnf
 ```
 - CN、OU、O 字段为认证时使用, 请勿修改
 
@@ -151,10 +150,10 @@ openssl req -new -key apiserver.key -out apiserver.csr -subj \
 #### 签发证书
 
 ```shell
-openssl x509 -req -in apiserver.csr \
+openssl x509 -req -in kube-apiserver.csr \
         -CA ca.pem -CAkey ca.key -CAcreateserial \
-        -out apiserver.pem -days 1825 \
-        -extfile apiserver.cnf -extensions v3_req
+        -out kube-apiserver.pem -days 3650 \
+        -extfile kube-apiserver.cnf -extensions v3_req
 ```
 
 ### kube-apiserver-kubelet-client
@@ -198,7 +197,7 @@ openssl req -new -key kube-apiserver-kubelet-client.key -out kube-apiserver-kube
 ```shell
 openssl x509 -req -in kube-apiserver-kubelet-client.csr \
         -CA ca.pem -CAkey ca.key -CAcreateserial \
-        -out kube-apiserver-kubelet-client.pem -days 1825 \
+        -out kube-apiserver-kubelet-client.pem -days 3650 \
         -extfile kube-apiserver-kubelet-client.cnf -extensions v3_req
 ```
 
@@ -249,7 +248,7 @@ openssl req -new -key kube-controller-manager.key \
 ```shell
 openssl x509 -req -in kube-controller-manager.csr \
         -CA ca.pem -CAkey ca.key -CAcreateserial \
-        -out kube-controller-manager.pem -days 1825 \
+        -out kube-controller-manager.pem -days 3650 \
         -extfile kube-controller-manager.cnf -extensions v3_req
 ```
 
@@ -288,7 +287,7 @@ openssl req -new -key kube-scheduler.key \
 ```shell
 openssl x509 -req -in kube-scheduler.csr \
         -CA ca.pem -CAkey ca.key -CAcreateserial \
-        -out kube-scheduler.pem -days 1865 \
+        -out kube-scheduler.pem -days 3650 \
         -extfile kube-scheduler.cnf -extensions v3_req
 ```
 
@@ -400,7 +399,7 @@ openssl genrsa -out front-proxy-ca.key 4096
 #### 签发CA
 
 ```shell
-openssl req -x509 -new -nodes -key front-proxy-ca.key -days 1825 -out front-proxy-ca.pem -subj \
+openssl req -x509 -new -nodes -key front-proxy-ca.key -days 3650 -out front-proxy-ca.pem -subj \
         "/CN=kubernetes/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
         -config front-proxy-ca.cnf -extensions v3_req
 ```

kubernetes/install/105.install-depends.md

@@ -1,7 +1,7 @@
 ## 安装依赖项
 
 ```shell
-yum install -y libnetfilter_conntrack-devel libnetfilter_conntrack conntrack-tools ipvsadm ipset nmap-ncat bash-completion nscd chrony
+yum install -y libnetfilter_conntrack conntrack-tools ipvsadm ipset nmap-ncat bash-completion nscd chrony
 ```
 
 ### 启动时间同步服务

kubernetes/install/106.install-contaierd.io.md

@@ -16,6 +16,10 @@ dnf install -y containerd.io
 containerd config default > /etc/containerd/config.toml
 ```
 
+```shell
+sed -i 's#^root = ".*"#root = "/data/containerd"#' /etc/containerd/config.toml
+```
+
 > 设置 root = "/data/containerd"
 
 创建数据目录