First experience with Windows Server 2012 R2 Datacenter

A few days ago I had a meeting with the cloud engineers and the business side at China Telecom, where they explained the benefits of moving to the cloud. I first met this concept back in university, but in the last two years Alibaba Cloud has had two major incidents that taught the application vendors running on it a hard lesson; that first impression left me very interested in the security and disaster recovery of cloud servers. This time I was lucky enough to sit in this short meeting with the cloud engineer and the business manager, and I asked for a chance to try out a cloud host. When the email arrived today I expected an ordinary account and an intranet Windows box, but Telecom generously provided a Windows Server 2012 R2 Datacenter machine with a Xeon processor (Intel64 Family 6 Model 85, which belongs to the 2nd to 3rd generation Intel Xeon line), 16G of RAM and a 40G (NTFS) + 500G (REFS) disk. I will run a few small tests on it to see whether this server, compared with the pure command-line RHEL/Centos7/Ubuntu/Archlinux, manages to impress me.


Firewall status and shutdown

```console
[root@localhost ~]# systemctl status firewalld.service
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# systemctl disable firewalld.service
```

Permanently turning off or disabling SELinux

```console
[root@localhost ~]# sudo nano /etc/selinux/config
```

Change the content inside to:

```
SELINUX=disabled
```

Or use the following method to disable it:

```console
[root@localhost ~]# sudo setenforce 0
# Setting SELinux to permissive mode means SELinux still logs violations but no longer blocks them.
[root@localhost ~]# sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
```

Disabling swap

First turn swap off:

```console
[root@localhost ~]# free -h
total used free shared buff/cache available
Mem: 3.7G 712M 2.3G 25M 697M 2.7G
Swap: 3.9G 0B 3.9G
[root@localhost ~]# swapoff -a
[root@localhost ~]# free -h
total used free shared buff/cache available
Mem: 3.7G 708M 2.3G 25M 697M 2.7G
Swap: 0B 0B 0B
```

Keeping swap disabled permanently

The sed command below comments out every line in fstab that contains swap:

```console
[root@localhost ~]# sed -ri 's/.*swap.*/#&/' /etc/fstab

[root@localhost ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Thu May 30 04:10:42 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=f6071794-cb7e-4882-ab44-ecddae691138 /boot xfs defaults 0 0
/dev/mapper/centos-home /home xfs defaults 0 0
#/dev/mapper/centos-swap swap swap defaults 0 0
```

Changing package repositories

Replace the package repository:

```console
[root@localhost ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
```

Then update:

```console
[root@localhost ~]# yum update -y && yum upgrade -y
```

Replace the Docker package repository:

```console
[root@localhost ~]# sudo yum install -y yum-utils
[root@localhost ~]# sudo yum-config-manager \
    --add-repo \
    http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
```

Install a specific Docker version:

```shell
yum install -y docker-ce-20.10.7 docker-ce-cli-20.10.7 containerd.io-1.4.6
```

Docker configuration

Service settings

Restart Docker and enable it at boot:

```console
[root@localhost ~]# systemctl restart docker.service
[root@localhost ~]# systemctl enable docker --now
```

Aliyun Docker registry mirror configuration

```console
[root@localhost ~]# sudo mkdir -p /etc/docker
[root@localhost ~]# sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
EOF
[root@localhost ~]# sudo systemctl daemon-reload
[root@localhost ~]# sudo systemctl restart docker
```

Installing k8s

Add the k8s package repository:

```console
[root@localhost ~]# cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
> [kubernetes]
> name=Kubernetes
> baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
> enabled=1
> gpgcheck=0
> repo_gpgcheck=0
> gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg \
> http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
> exclude=kubelet kubeadm kubectl
> EOF
```

Installing and configuring the k8s services:

```console
[root@localhost ~]# sudo yum install -y kubelet-1.20.9 kubeadm-1.20.9 kubectl-1.20.9 --disableexcludes=kubernetes

[root@localhost ~]# sudo systemctl enable --now kubelet
```

Cloning

master

```console
[root@localhost ~]# hostnamectl set-hostname master
```

```shell
echo "192.168.15.128  master" >> /etc/hosts
```

nodex

```console
[root@localhost ~]# hostnamectl set-hostname node1
```

...

```shell
echo "192.168.15.128  master" >> /etc/hosts
```

...

Initializing the master node

master

```shell
# Master node initialization
kubeadm init \
--apiserver-advertise-address=192.168.15.128 \
--control-plane-endpoint=master \
--image-repository registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images \
--kubernetes-version v1.20.9 \
--service-cidr=10.96.0.0/16 \
--pod-network-cidr=192.16.0.0/16
```

This gives:

```shell
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

kubeadm join master:6443 --token x80x7w.zdjqhivr1jopdk2i \
--discovery-token-ca-cert-hash sha256:9e35229e76fd4c97e062fa4ddccb22bab93973ecb67cdaf073b7d3beab561ff0
```

Run the first part now; the remaining join command is for the worker nodes:

```shell
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```

Download the network component:

```console
[root@master ~]# curl https://docs.projectcalico.org/v3.20/manifests/calico.yaml -O
```

Apply the network component:

```console
[root@master ~]# kubectl apply -f calico.yaml
```

Check which applications are deployed in the cluster:

```shell
# Which applications are deployed in the cluster?
# docker ps  is the equivalent of  kubectl get pods -A
# A running application is called a container in Docker and a Pod in k8s
kubectl get pods -A
```

node

Worker nodes join the master:

```shell
kubeadm join master:6443 --token x80x7w.zdjqhivr1jopdk2i \
--discovery-token-ca-cert-hash sha256:9e35229e76fd4c97e062fa4ddccb22bab93973ecb67cdaf073b7d3beab561ff0
```
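Before running the join command on a worker it is worth confirming that the hash in it really pins the master's CA: kubeadm defines --discovery-token-ca-cert-hash as the SHA-256 of the DER-encoded public key (SubjectPublicKeyInfo) of the cluster CA, so a node that compares it will only join the control plane whose CA it expected. This added shell example is not from the original post; it generates a throwaway CA so it runs offline, and on a real master the certificate to hash is /etc/kubernetes/pki/ca.crt (the token value in it is a made-up placeholder).

```shell
#!/bin/sh
# Added example: recompute kubeadm's --discovery-token-ca-cert-hash from a CA
# certificate and compare it with the hash carried in a join command.
set -eu

# ca_cert_hash <ca.crt>: SHA-256 of the CA's DER-encoded SubjectPublicKeyInfo,
# printed as "sha256:<hex>" (the format kubeadm prints and expects).
ca_cert_hash() {
    openssl x509 -pubkey -noout -in "$1" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -hex \
        | sed 's/^.* //; s/^/sha256:/'
}

# join_hash <join-command>: extract the sha256:... argument from a join line.
join_hash() {
    printf '%s\n' "$1" \
        | sed -n 's/.*--discovery-token-ca-cert-hash[= ]\(sha256:[0-9a-f]*\).*/\1/p'
}

# verify_join <ca.crt> <join-command>: succeed only if the join command pins
# exactly this CA; an empty or different hash fails.
verify_join() {
    expected=$(ca_cert_hash "$1")
    actual=$(join_hash "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed throwaway CA so the example runs offline; on a real master the
# certificate to hash is /etc/kubernetes/pki/ca.crt.
WORKDIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=kubernetes -days 1 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1

# A join command matching the constructed CA, and one carrying a forged hash
# (the token is a made-up placeholder in kubeadm's id.secret format).
GOOD_JOIN="kubeadm join master:6443 --token aaaaaa.bbbbbbbbbbbbbbbb \
--discovery-token-ca-cert-hash $(ca_cert_hash "$WORKDIR/ca.crt")"
BAD_JOIN="kubeadm join master:6443 --token aaaaaa.bbbbbbbbbbbbbbbb \
--discovery-token-ca-cert-hash sha256:$(printf '%064d' 0)"

if verify_join "$WORKDIR/ca.crt" "$GOOD_JOIN"; then echo "good join: hash pins this CA"; fi
if ! verify_join "$WORKDIR/ca.crt" "$BAD_JOIN"; then echo "bad join: hash does not match"; fi
```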

Verifying the cluster

```console
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready control-plane,master 79m v1.20.9
node1 Ready <none> 23m v1.20.9
node2 Ready <none> 23m v1.20.9
```

K8s commands

Generate a new token: use the kubeadm token create command to generate a new join token:

```shell
kubeadm token create --print-join-command
```

Checking and managing existing tokens

  1. View existing tokens: you can list the currently valid tokens with:

    ```shell
    kubeadm token list
    ```

  2. Delete expired tokens: if needed, delete tokens that have expired or are no longer used:

    ```shell
    kubeadm token delete <token-id>
    ```

Deploying the dashboard

```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.3.1/aio/deploy/recommended.yaml
```

recommended.yaml

You can check the dashboard startup status with the following command:

```console
[root@master ~]# kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system calico-kube-controllers-577f77cb5c-gmhpd 1/1 Running 1 146m
kube-system calico-node-bm67j 1/1 Running 1 129m
kube-system calico-node-h55js 1/1 Running 1 146m
kube-system calico-node-j8x6m 1/1 Running 1 129m
kube-system coredns-5897cd56c4-gd2qj 1/1 Running 1 3h4m
kube-system coredns-5897cd56c4-ltk4h 1/1 Running 1 3h4m
kube-system etcd-master 1/1 Running 1 3h4m
kube-system kube-apiserver-master 1/1 Running 1 3h4m
kube-system kube-controller-manager-master 1/1 Running 1 3h4m
kube-system kube-proxy-72hqs 1/1 Running 1 3h4m
kube-system kube-proxy-dw6z2 1/1 Running 1 129m
kube-system kube-proxy-xlxqj 1/1 Running 1 129m
kube-system kube-scheduler-master 1/1 Running 1 3h4m
kubernetes-dashboard dashboard-metrics-scraper-79c5968bdc-nkbtb 1/1 Running 0 37m
kubernetes-dashboard kubernetes-dashboard-658485d5c7-v9mll 1/1 Running 0 37m
```

Once you know the NAMESPACE, set the access port:

```shell
kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard
```

Change type: ClusterIP to type: NodePort

Find the access port:

```console
[root@master ~]# kubectl get svc -A |grep kubernetes-dashboard
kubernetes-dashboard dashboard-metrics-scraper ClusterIP 10.96.11.165 <none> 8000/TCP 39m
kubernetes-dashboard kubernetes-dashboard NodePort 10.96.158.40 <none> 443:31718/TCP 39m
```

Find the port and allow it in the security group; here port 31718 is the one to access.

The "not secure" problem

Both Chrome and Edge show this warning page, and there is nothing to click to get past it! At this point you can type thisisunsafe on the keyboard and the page automatically redirects you through; quite magical.

After typing that command it redirects to this page.

Creating an access account

```yaml
# Create the access account: prepare a yaml file; nano dash-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
```

Run the command:

```shell
kubectl apply -f dash-user.yaml
```

Token access

```shell
# Get the access token
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
```
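The token this command prints is a JWT whose payload names the ServiceAccount it acts as, and since dash-user.yaml bound admin-user to cluster-admin, that token is a full-cluster credential. This added shell example (not from the original post) decodes the payload and checks whether the token carries an expiry; it builds a constructed sample token rather than using a real one, and the secret name inside it is a placeholder.

```shell
#!/bin/sh
# Added example: read the claims inside a ServiceAccount token without
# contacting the cluster. A JWT is header.payload.signature, each part
# base64url; the payload is JSON. Nothing here checks the signature, that
# is the API server's job; this only shows what the bearer token asserts.
set -eu

# b64url_decode <text>: base64url -> bytes (restore '+', '/' and padding).
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# jwt_payload <token>: the decoded JSON payload (second dot-separated part).
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim <token> <claim-name>: print one string-valued claim, or nothing.
# '|' is the sed delimiter because SA claim names contain '/'.
jwt_claim() {
    jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# token_has_exp <token>: succeed if an "exp" claim is present. Tokens read
# out of a ServiceAccount Secret, as in the command above, have no expiry
# and stay valid until the Secret or the account is deleted.
token_has_exp() {
    jwt_payload "$1" | grep -q '"exp":'
}

# Constructed sample token with the claims a secret-based SA token carries;
# header, payload and the signature placeholder are all made up here.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kubernetes-dashboard","kubernetes.io/serviceaccount/secret.name":"admin-user-token-PLACEHOLDER","kubernetes.io/serviceaccount/service-account.name":"admin-user","sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"constructed"}').$(b64url_encode "$SAMPLE_CLAIMS").c2lnbmF0dXJl"

echo "acts as: $(jwt_claim "$SAMPLE_TOKEN" sub)"
if ! token_has_exp "$SAMPLE_TOKEN"; then echo "no exp claim: treat it as a long-lived credential"; fi
```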

Paste the token you obtained into the token field.

Commands

```shell
# Pull nginx on a random machine
kubectl run mynginx --image=nginx
# List the Pods in the default namespace
kubectl get pod
# Describe
kubectl describe pod <your-pod-name>
# Delete
kubectl delete pod <your-pod-name>
# View a Pod's runtime logs
kubectl logs <pod-name>
# k8s assigns every Pod an IP
kubectl get pod -owide
# Use the Pod IP + the port of the container running inside the Pod
curl 192.168.169.136
# Any machine and any application in the cluster can reach this Pod through the IP assigned to it
```

test

nginx.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: mynginx
  name: mynginx
  # namespace: default
spec:
  containers:
  - image: nginx
    name: mynginx
```

myapp.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: myapp
  name: myapp
spec:
  containers:
  - image: nginx
    name: nginx
  - image: tomcat:8.5.68
    name: tomcat
```