Install the components needed to initialise a Kubernetes control-plane node with kubeadm (Ubuntu): containerd, runc, CNI plugins, crictl and kubeadm/kubelet/kubectl.
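#!/bin/bash
# Bootstrap a Kubernetes control-plane node on Ubuntu: installs containerd,
# runc, the CNI plugins, crictl and kubeadm/kubelet/kubectl. Must run as root.
#
# -e  abort on the first failing command
# -u  treat unset variables as errors (catches a mistyped version variable)
# -o pipefail  a failing producer in a pipeline (e.g. `curl ... | tee`) fails
#     the whole pipeline instead of being masked by tee's exit status
# -x  echo each command so a failed run shows exactly where it stopped
set -euxo pipefail

# Everything below writes to /etc, /usr/local and systemd, so refuse early.
# Exit non-zero: a bare `exit` here would return the echo's status (0) and
# make a refused run look successful to whatever invoked the script.
if [[ "$EUID" -ne 0 ]]; then
    echo "Please run as root" >&2
    exit 1
fi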
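# Install dependencies kubeadm's preflight checks look for. apt-get is used
# rather than apt, which warns that it has no stable CLI for scripts; the
# frontend override keeps dpkg prompts from blocking an unattended run.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y socat ebtables conntrack

# Forwarding IPv4 and letting iptables see bridged traffic.
# overlay backs the overlayfs snapshotter used in the containerd config below;
# br_netfilter is what lets the bridge-nf-call sysctls pass bridged pod
# traffic through iptables. The heredoc delimiter is quoted so the shell
# never expands anything inside the file body.
cat > /etc/modules-load.d/k8s.conf <<'EOF'
overlay
br_netfilter
EOF
modprobe overlay
modprobe br_netfilter

# sysctl params required by setup; a file under sysctl.d persists them
# across reboots.
cat > /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF

# Apply sysctl params without reboot.
sysctl --system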
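# Install containerd
CONTAINERD_VERSION="1.6.8"
CONTAINERD_TARBALL="containerd-${CONTAINERD_VERSION}-linux-amd64.tar.gz"
CONTAINERD_URL="https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}"
wget "${CONTAINERD_URL}/${CONTAINERD_TARBALL}"
# Verify against the checksum file published with the same release before
# unpacking into /usr/local. This catches a truncated or in-transit-modified
# download; it does not defend against a compromised release, for which the
# expected digest would have to be pinned in this script instead. Only the
# first field is used so the check does not depend on the path recorded in
# the checksum file.
wget "${CONTAINERD_URL}/${CONTAINERD_TARBALL}.sha256sum"
echo "$(awk '{print $1}' "${CONTAINERD_TARBALL}.sha256sum")  ${CONTAINERD_TARBALL}" | sha256sum -c -
tar Cxzvf /usr/local "${CONTAINERD_TARBALL}"
# The systemd unit is fetched from the release tag rather than the `main`
# branch, so what systemd runs as root matches the binary version installed
# above and does not silently change between runs of this script.
wget "https://raw.githubusercontent.com/containerd/containerd/v${CONTAINERD_VERSION}/containerd.service"
mkdir -p /etc/containerd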
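# Write the containerd configuration. The delimiter is quoted so the shell
# does not expand anything in the file body. This looks like the containerd
# 1.6 default config with SystemdCgroup switched on — confirm with
# `containerd config default | diff - /etc/containerd/config.toml`.
cat > /etc/containerd/config.toml <<'EOF'
disabled_plugins = []
imports = []
oom_score = 0
plugin_dir = ""
required_plugins = []
root = "/var/lib/containerd"
state = "/run/containerd"
temp = ""
version = 2

[cgroup]
path = ""

[debug]
address = ""
format = ""
gid = 0
level = ""
uid = 0

# The daemon API is a root-owned (uid/gid 0) Unix socket; tcp_address is
# empty, so no network listener is configured.
[grpc]
address = "/run/containerd/containerd.sock"
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
tcp_address = ""
tcp_tls_ca = ""
tcp_tls_cert = ""
tcp_tls_key = ""
uid = 0

[metrics]
address = ""
grpc_histogram = false

[plugins]

[plugins."io.containerd.gc.v1.scheduler"]
deletion_threshold = 0
mutation_threshold = 100
pause_threshold = 0.02
schedule_delay = "0s"
startup_delay = "100ms"

# CRI plugin. Security-relevant settings as written here:
# - disable_apparmor = false: AppArmor profiles from pod specs are honoured.
# - disable_tcp_service = true: no TCP CRI endpoint.
# - enable_tls_streaming = false with stream_server_address = "127.0.0.1":
#   the exec/attach/port-forward streaming server is plaintext but bound to
#   loopback only, so it is reachable from this host alone; port "0" lets the
#   kernel pick the port.
# - enable_unprivileged_ports/icmp = false: containers keep the default
#   restrictions on low ports and ICMP sockets.
# - sandbox_image: kubeadm warns when this differs from the pause image for
#   the Kubernetes release being installed (`kubeadm config images list`
#   prints the expected one), and k8s.gcr.io has since been superseded by
#   registry.k8s.io — review before reuse.
[plugins."io.containerd.grpc.v1.cri"]
device_ownership_from_security_context = false
disable_apparmor = false
disable_cgroup = false
disable_hugetlb_controller = true
disable_proc_mount = false
disable_tcp_service = true
enable_selinux = false
enable_tls_streaming = false
enable_unprivileged_icmp = false
enable_unprivileged_ports = false
ignore_image_defined_volumes = false
max_concurrent_downloads = 3
max_container_log_line_size = 16384
netns_mounts_under_state_dir = false
restrict_oom_score_adj = false
sandbox_image = "k8s.gcr.io/pause:3.6"
selinux_category_range = 1024
stats_collect_period = 10
stream_idle_timeout = "4h0m0s"
stream_server_address = "127.0.0.1"
stream_server_port = "0"
# Legacy cri-level flag; the runc option SystemdCgroup further down is the
# one this setup relies on.
systemd_cgroup = false
tolerate_missing_hugetlb_controller = true
unset_seccomp_profile = ""

[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
conf_template = ""
ip_pref = ""
max_conf_num = 1

[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"
disable_snapshot_annotations = true
discard_unpacked_layers = false
ignore_rdt_not_enabled_errors = false
no_pivot = false
snapshotter = "overlayfs"

[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
base_runtime_spec = ""
cni_conf_dir = ""
cni_max_conf_num = 0
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_path = ""
runtime_root = ""
runtime_type = ""

[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]

# privileged_without_host_devices = false means privileged pods receive the
# host's device nodes (the default); set true if that is not wanted.
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
base_runtime_spec = ""
cni_conf_dir = ""
cni_max_conf_num = 0
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_path = ""
runtime_root = ""
runtime_type = "io.containerd.runc.v2"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
BinaryName = ""
CriuImagePath = ""
CriuPath = ""
CriuWorkPath = ""
IoGid = 0
IoUid = 0
NoNewKeyring = false
NoPivotRoot = false
Root = ""
ShimCgroup = ""
# Use the systemd cgroup driver. This must agree with the kubelet's
# cgroupDriver (kubeadm defaults to systemd in recent releases); a mismatch
# shows up as pods failing to start — confirm for the release installed.
SystemdCgroup = true

[plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
base_runtime_spec = ""
cni_conf_dir = ""
cni_max_conf_num = 0
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_path = ""
runtime_root = ""
runtime_type = ""

[plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]

# Encrypted-image decryption keys are read from this node; the ocicrypt
# stream processors at the bottom of the file point at the key directory.
[plugins."io.containerd.grpc.v1.cri".image_decryption]
key_model = "node"

[plugins."io.containerd.grpc.v1.cri".registry]
config_path = ""

[plugins."io.containerd.grpc.v1.cri".registry.auths]

[plugins."io.containerd.grpc.v1.cri".registry.configs]

[plugins."io.containerd.grpc.v1.cri".registry.headers]

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]

[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
tls_cert_file = ""
tls_key_file = ""

[plugins."io.containerd.internal.v1.opt"]
path = "/opt/containerd"

[plugins."io.containerd.internal.v1.restart"]
interval = "10s"

[plugins."io.containerd.internal.v1.tracing"]
sampling_ratio = 1.0
service_name = "containerd"

[plugins."io.containerd.metadata.v1.bolt"]
content_sharing_policy = "shared"

[plugins."io.containerd.monitor.v1.cgroups"]
no_prometheus = false

[plugins."io.containerd.runtime.v1.linux"]
no_shim = false
runtime = "runc"
runtime_root = ""
shim = "containerd-shim"
shim_debug = false

[plugins."io.containerd.runtime.v2.task"]
platforms = ["linux/amd64"]
sched_core = false

[plugins."io.containerd.service.v1.diff-service"]
default = ["walking"]

[plugins."io.containerd.service.v1.tasks-service"]
rdt_config_file = ""

[plugins."io.containerd.snapshotter.v1.aufs"]
root_path = ""

[plugins."io.containerd.snapshotter.v1.btrfs"]
root_path = ""

[plugins."io.containerd.snapshotter.v1.devmapper"]
async_remove = false
base_image_size = ""
discard_blocks = false
fs_options = ""
fs_type = ""
pool_name = ""
root_path = ""

[plugins."io.containerd.snapshotter.v1.native"]
root_path = ""

[plugins."io.containerd.snapshotter.v1.overlayfs"]
root_path = ""
upperdir_label = false

[plugins."io.containerd.snapshotter.v1.zfs"]
root_path = ""

# Trace export is off (empty endpoint); if enabled later, keep insecure=false.
[plugins."io.containerd.tracing.processor.v1.otlp"]
endpoint = ""
insecure = false
protocol = ""

[proxy_plugins]

[stream_processors]

[stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
path = "ctd-decoder"
returns = "application/vnd.oci.image.layer.v1.tar"

[stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
path = "ctd-decoder"
returns = "application/vnd.oci.image.layer.v1.tar+gzip"

[timeouts]
"io.containerd.timeout.bolt.open" = "0s"
"io.containerd.timeout.shim.cleanup" = "5s"
"io.containerd.timeout.shim.load" = "5s"
"io.containerd.timeout.shim.shutdown" = "3s"
"io.containerd.timeout.task.state" = "2s"

[ttrpc]
address = ""
gid = 0
uid = 0
EOF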
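# install runc (the OCI runtime containerd execs for every container)
RUNC_VERSION="1.1.4"
RUNC_URL="https://github.com/opencontainers/runc/releases/download/v${RUNC_VERSION}"
wget "${RUNC_URL}/runc.amd64"
# runc.sha256sum lists every asset of the release; pick the runc.amd64 line.
# If the name is not found the echoed line has no digest and sha256sum -c
# exits non-zero, so a format change fails closed rather than passing.
wget "${RUNC_URL}/runc.sha256sum"
echo "$(grep -E ' runc\.amd64$' runc.sha256sum | awk '{print $1}')  runc.amd64" | sha256sum -c -
install -m 755 runc.amd64 /usr/local/sbin/runc

# install the CNI plugins containerd's cri plugin loads from /opt/cni/bin
CNI_VERSION="1.1.1"
CNI_TARBALL="cni-plugins-linux-amd64-v${CNI_VERSION}.tgz"
CNI_URL="https://github.com/containernetworking/plugins/releases/download/v${CNI_VERSION}"
wget "${CNI_URL}/${CNI_TARBALL}"
wget "${CNI_URL}/${CNI_TARBALL}.sha256"
# First field only, so the check works whether the published file carries a
# bare digest or "digest  path".
echo "$(awk '{print $1}' "${CNI_TARBALL}.sha256")  ${CNI_TARBALL}" | sha256sum -c -
mkdir -p /opt/cni/bin
tar Cxzvf /opt/cni/bin "${CNI_TARBALL}"

# Everything containerd needs is now on disk, so install the unit with an
# explicit mode and start it. `enable --now` is enable + start in one step.
install -m 644 containerd.service /etc/systemd/system/containerd.service
systemctl daemon-reload
systemctl enable --now containerd

# install crictl
CRICTL_VERSION="1.25.0"
CRICTL_TARBALL="crictl-v${CRICTL_VERSION}-linux-amd64.tar.gz"
CRICTL_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/v${CRICTL_VERSION}"
wget "${CRICTL_URL}/${CRICTL_TARBALL}"
wget "${CRICTL_URL}/${CRICTL_TARBALL}.sha256"
echo "$(awk '{print $1}' "${CRICTL_TARBALL}.sha256")  ${CRICTL_TARBALL}" | sha256sum -c -
tar -xvf "${CRICTL_TARBALL}"
install -m 755 crictl /usr/bin/crictl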
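# install kubeadm, kubelet and kubectl
DOWNLOAD_DIR=/usr/bin
# stable.txt is resolved at run time, so two runs of this script can install
# different versions; set KUBE_RELEASE (e.g. v1.25.0) to pin it. Ideally it
# is the same minor version as the crictl pinned above.
RELEASE="${KUBE_RELEASE:-$(curl -fsSL https://dl.k8s.io/release/stable.txt)}"
ARCH="amd64"
KUBE_URL="https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/${ARCH}"
for bin in kubeadm kubelet kubectl; do
    # -f makes curl exit non-zero on an HTTP error instead of saving the
    # error page as the binary and marking it executable.
    curl -fsSL -o "${bin}" "${KUBE_URL}/${bin}"
    curl -fsSL -o "${bin}.sha256" "${KUBE_URL}/${bin}.sha256"
    # The published .sha256 holds the digest; pair it with the local name.
    echo "$(awk '{print $1}' "${bin}.sha256")  ${bin}" | sha256sum -c -
    install -m 755 "${bin}" "${DOWNLOAD_DIR}/${bin}"
done

RELEASE_VERSION="v0.4.0"
# The kubelet unit and kubeadm drop-in come from a tagged revision of
# kubernetes/release and are written directly rather than via `curl | tee`,
# so a failed download aborts instead of leaving an empty unit file behind.
curl -fsSL -o /etc/systemd/system/kubelet.service \
    "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service"
mkdir -p /etc/systemd/system/kubelet.service.d
curl -fsSL -o /etc/systemd/system/kubelet.service.d/10-kubeadm.conf \
    "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf"
systemctl enable --now kubelet
# Until `kubeadm init` writes its config the kubelet restarts in a loop;
# that is expected at this point.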
# The cluster can now be initialised. Optional: pre-generate your own CA.
# if [[ $(command -v step) == "" ]] ; then
#   wget https://dl.step.sm/gh-release/cli/docs-cli-install/v0.21.0/step-cli_0.21.0_amd64.deb
#   sudo dpkg -i step-cli_0.21.0_amd64.deb
# fi;
# sudo mkdir -p /etc/kubernetes/pki
# sudo step certificate create root.linkerd.cluster.local /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/ca.key \
#   --profile root-ca --no-password --insecure --not-after=87600h
# Note: --no-password --insecure writes the CA private key unencrypted and
# 87600h is a ten-year validity. kubeadm generates its own CA when none is
# present, so only pre-create one when you need to control it, and keep
# ca.key root-only (0600). The CN above is a Linkerd convention, not a
# kubeadm requirement.
# sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --cri-socket=/run/containerd/containerd.sock
# Then remove the control-plane taint so pods can be scheduled on this node.
# Only do this on a single-node/lab cluster: it lets any workload run next to
# the API server and etcd.
# kubectl taint nodes --all node-role.kubernetes.io/control-plane-
# Install the flannel CNI plugin so pods can communicate with each other
# (the pod CIDR above is flannel's default). Pin to a release tag instead of
# master: this manifest is applied with cluster-admin rights.
# kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
# Repeat the steps above on each worker node, then join it with the
# `kubeadm join` command printed by kubeadm init.