tags: worker, docker
docker 是容器的运行环境,管理它的生命周期。kubelet 通过 Container Runtime Interface (CRI) 与 docker 进行交互。
到 https://download.docker.com/linux/static/stable/x86_64/ 页面下载最新发布包:
[admin@k8s-admin ~]$ wget https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz
[admin@k8s-admin ~]$ tar -zxf docker-18.09.3.tgz
[admin@k8s-admin ~]$ ansible k8s-workers -m copy -a "src=docker/ dest=/usr/local/bin/ mode=a+x"[admin@k8s-admin ~]$ cat >conf/docker.service.j2 <<"EOF"
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
[Service]
WorkingDirectory={{ DOCKER_DIR }}
Environment="PATH=/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
EnvironmentFile=-/run/flannel/docker
ExecStart=/usr/local/bin/dockerd $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF- EOF 前后有双引号,这样 bash 不会替换文档中的变量,如 $DOCKER_NETWORK_OPTIONS;
- dockerd 运行时会调用其它 docker 命令,如 docker-proxy,所以需要将 docker 命令所在的目录加到 PATH 环境变量中;
- flanneld 启动时将网络配置写入
/run/flannel/docker文件中,dockerd 启动前读取该文件中的环境变量DOCKER_NETWORK_OPTIONS,然后设置 docker0 网桥网段; - 如果指定了多个
EnvironmentFile选项,则必须将/run/flannel/docker放在最后(确保 docker0 使用 flanneld 生成的 bip 参数); - docker 需要以 root 用于运行。
使用国内的仓库镜像服务器以加快 pull image 的速度,同时增加下载的并发数 (需要重启 dockerd 生效):
[admin@k8s-admin ~]$ cat >conf/docker-daemon.json.j2 <<EOF
{
"registry-mirrors": ["https://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
"max-concurrent-downloads": 20,
"live-restore": true,
"max-concurrent-uploads": 10,
"debug": true,
"data-root": "{{ DOCKER_DIR }}/data",
"exec-root": "{{ DOCKER_DIR}}/exec",
"log-opts": {
"max-size": "100m",
"max-file": "5"
}
}
EOF[admin@k8s-admin ~]$ cat >conf/docker.service.yaml <<EOF
- hosts: k8s-workers
remote_user: root
tasks:
- name: copy docker.service
template:
src: docker.service.j2
dest: /usr/lib/systemd/system/docker.service
- name: mkdir /etc/docker
file:
path: /etc/docker/
state: directory
- name: mkdir /etc/docker
file:
path: /data/docker/
state: directory
- name: copy docker-daemon.json
template:
src: docker-daemon.json.j2
dest: /etc/docker/daemon.json
- name: stop firewalld
systemd:
name: firewalld
state: stopped
enabled: no
- name: iptables -F
iptables:
flush: yes
- name: iptables -F -t nat
iptables:
flush: yes
table: nat
- name: iptables -P FORWARD ACCEPT
iptables:
chain: FORWARD
jump: ACCEPT
- name: enable and start docker.service
systemd:
name: docker
state: restarted
enabled: yes
daemon_reload: yes
EOF
[admin@k8s-admin ~]$ ansible-playbook conf/docker.service.yaml
[admin@k8s-admin ~]$ ansible k8s-workers -m shell -a "systemctl status docker.service|grep -e Loaded -e Active"- 关闭 firewalld,否则可能会重复创建 iptables 规则;
- 清理旧的 iptables rules 和 chains 规则;
- 开启 docker0 网桥下虚拟网卡的 hairpin 模式;
- 必须创建工作目录;
- 确保状态为“active (running)”并且“enabled”。
确认各 worker 节点的 docker0 网桥和 flannel.1 接口的 IP 处于同一个网段中(如下 172.16.240.0/32 位于 172.16.240.1/21 中):
[admin@k8s-admin ~]$ ansible k8s-node01 -m shell -a "ip addr show flannel.1 && ip addr show docker0"
k8s-node01 | CHANGED | rc=0 >>
4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
link/ether aa:99:dc:15:67:53 brd ff:ff:ff:ff:ff:ff
inet 172.16.240.0/32 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::a899:dcff:fe15:6753/64 scope link
valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:89:eb:f0:81 brd ff:ff:ff:ff:ff:ff
inet 172.16.240.1/21 brd 172.16.247.255 scope global docker0
valid_lft forever preferred_lft forever