
Configuring a Linux System to Support Container Orchestration and Management

Tags: sudo, Kubernetes, kubectl, install    Published: 2025-04-17

Linux Container Orchestration and Management Configuration Guide

1. System Preparation and Basic Configuration

1.1 System Requirements

  • Operating system: Ubuntu 20.04/22.04, CentOS 7/8, RHEL 8/9 or another modern Linux distribution
  • Resources: at least 2 CPU cores, 4 GB of RAM and 20 GB of storage are recommended
  • Kernel: Linux kernel 4.x or later

1.2 Basic Configuration

# Update the system
sudo apt update && sudo apt upgrade -y  # Ubuntu/Debian
sudo yum update -y                     # CentOS/RHEL

# Install basic tools
sudo apt install -y curl wget git vim net-tools  # Ubuntu/Debian
sudo yum install -y curl wget git vim net-tools # CentOS/RHEL

# Disable swap (required by Kubernetes); the sed command comments out the swap entry so it stays off after a reboot
sudo swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

# Set the hostname (must be unique within the cluster)
sudo hostnamectl set-hostname your-hostname
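Besides swap, kubeadm expects the overlay and br_netfilter kernel modules to be loaded and three sysctl keys to be set (bridged traffic visible to iptables, IP forwarding on); the article does not cover that step. The script below is an added example, not part of the original article: it turns the swap check, the fstab edit and the sysctl requirement into small functions that can be tested on constructed input, and only touches the host when run with --apply. The file names under /etc/modules-load.d and /etc/sysctl.d are conventional choices, not mandated by kubeadm.

```shell
#!/bin/sh
# Added example (not from the original article): kubeadm host prerequisites as
# checkable functions. Checks read text on stdin or a file, so they can be run
# against constructed input; apply_prereqs is the only part that needs root.

# The sysctl settings kubeadm documents as prerequisites.
K8S_SYSCTL='net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1'

# swap_entries: count active swap areas from /proc/swaps-style text on stdin
# (header line skipped). Prints the count; 0 means swap is off.
swap_entries() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# fstab_swap_commented: the article's sed edit as a pure text filter
# (fstab text on stdin, swap lines commented out on stdout).
fstab_swap_commented() {
    sed '/ swap / s/^\(.*\)$/#\1/g'
}

# sysctl_missing FILE: print each required key that FILE does not set to 1.
# Empty output means the file is complete.
sysctl_missing() {
    file=$1
    for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$file" || echo "$key"
    done
}

# apply_prereqs: load the modules now and on boot, then apply the sysctl keys.
# Requires root; file names are conventional, not required by kubeadm.
apply_prereqs() {
    printf 'overlay\nbr_netfilter\n' > /etc/modules-load.d/k8s.conf
    modprobe overlay
    modprobe br_netfilter
    printf '%s\n' "$K8S_SYSCTL" > /etc/sysctl.d/k8s.conf
    sysctl --system
}

# Usage:  sudo ./prereqs.sh --apply        (apply host changes)
#         swap_entries < /proc/swaps        (should print 0 on a prepared node)
#         sysctl_missing /etc/sysctl.d/k8s.conf
if [ "${1:-}" = "--apply" ]; then apply_prereqs; fi
```

The checks are deliberately separated from the host changes: `swap_entries < /proc/swaps` and `sysctl_missing /etc/sysctl.d/k8s.conf` can be run from an unprivileged shell after the node is prepared, and the same functions work on saved copies of those files when verifying a node remotely.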

2. Container Runtime Installation

2.1 Install Docker (optional)

# Kubernetes 1.24+ no longer talks to Docker directly (dockershim was removed);
# use containerd (2.2) as the runtime, or Docker together with cri-dockerd.
# Ubuntu/Debian
sudo apt install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io

# CentOS/RHEL
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install -y docker-ce docker-ce-cli containerd.io

# Start Docker and enable it at boot
sudo systemctl enable --now docker

2.2 Install containerd (recommended)

# containerd is the recommended runtime for Kubernetes 1.24 and later
# Ubuntu/Debian
sudo apt install -y containerd

# CentOS/RHEL
sudo yum install -y containerd.io

# Generate the default containerd configuration
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml > /dev/null

# Switch to the systemd cgroup driver (it must match the kubelet's cgroup driver, which defaults to systemd)
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml

# Restart containerd and enable it at boot
sudo systemctl restart containerd
sudo systemctl enable containerd

3. Kubernetes Cluster Installation

3.1 Install kubeadm, kubelet and kubectl

# Note: the Google-hosted apt and yum repositories used below are the legacy
# Kubernetes repositories, which have been deprecated; current packages are
# published per minor version at https://pkgs.k8s.io.
# Ubuntu/Debian
sudo apt install -y apt-transport-https ca-certificates curl
sudo mkdir -p -m 755 /etc/apt/keyrings   # the directory does not exist by default on older releases
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-archive-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update
sudo apt install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl   # prevent unplanned upgrades; unhold explicitly when upgrading (see 6.1)

# CentOS/RHEL
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
sudo yum install -y kubelet kubeadm kubectl
sudo systemctl enable --now kubelet

3.2 Initialize the Control-Plane Node

# Initialize the cluster (the parameters may need adjusting for the network plugin you choose)
sudo kubeadm init --pod-network-cidr=10.244.0.0/16

# Give the current user kubectl access to the cluster
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# Install a network plugin (Flannel as an example; its default pod CIDR is 10.244.0.0/16, matching the value above)
kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml

3.3 Join Worker Nodes

# On the control-plane node, generate the join command (reads /etc/kubernetes/admin.conf, hence sudo)
sudo kubeadm token create --print-join-command

# Run the printed command on each worker node
# Example: sudo kubeadm join 10.0.0.1:6443 --token <token> --discovery-token-ca-cert-hash <hash>

4. Optional Components

4.1 Helm Package Manager

curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

4.2 Monitoring (Prometheus Operator)

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install prometheus prometheus-community/kube-prometheus-stack

4.3 Logging (ELK Stack)

helm repo add elastic https://helm.elastic.co
helm install elasticsearch elastic/elasticsearch
helm install kibana elastic/kibana
helm install filebeat elastic/filebeat

5. Security Hardening

5.1 Network Policies

# Install the Calico network plugin (supports NetworkPolicy).
# A cluster runs one CNI: if Flannel was installed in 3.2, do not add Calico on top of it.
# Calico's custom-resources.yaml defaults to the pod CIDR 192.168.0.0/16; edit it to match
# the --pod-network-cidr used in kubeadm init (10.244.0.0/16 above) before applying it.
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/tigera-operator.yaml
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/custom-resources.yaml

5.2 RBAC Configuration

# Create an example Role and RoleBinding (both are namespace-scoped; add -n <namespace> for any namespace other than default)
kubectl create role pod-reader --verb=get,list,watch --resource=pods
kubectl create rolebinding pod-reader-binding --role=pod-reader --user=username

5.3 Pod Security Policies (PSP)

# PSP was deprecated and is removed as of Kubernetes 1.25; Pod Security Admission replaces it
kubectl label namespace default pod-security.kubernetes.io/enforce=baseline

6. Maintenance and Optimization

6.1 Cluster Maintenance Commands

# Check node status
kubectl get nodes

# Check pod status in all namespaces
kubectl get pods -A

# Check cluster health (componentstatuses is deprecated since 1.19; kubectl get --raw /readyz is the current alternative)
kubectl get componentstatuses

# Upgrade the cluster (Ubuntu/Debian shown; upgrade kubeadm first, then the control plane, then kubelet and kubectl).
# The packages were held in 3.1, so each must be unheld before and re-held after its upgrade.
sudo apt-mark unhold kubeadm
sudo apt update && sudo apt install -y kubeadm=1.28.0-00
sudo apt-mark hold kubeadm
sudo kubeadm upgrade plan
sudo kubeadm upgrade apply v1.28.0
sudo apt-mark unhold kubelet kubectl
sudo apt install -y kubelet=1.28.0-00 kubectl=1.28.0-00
sudo apt-mark hold kubelet kubectl
sudo systemctl daemon-reload
sudo systemctl restart kubelet

6.2 Resource Optimization

# Example of resource requests and limits (limits cap what a container may consume; requests are what the scheduler reserves)
apiVersion: v1
kind: Pod
metadata:
  name: optimized-pod
spec:
  containers:
  - name: app
    image: nginx
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

7. Troubleshooting

7.1 Common Problems

  • Node NotReady: check the kubelet: systemctl status kubelet
  • Pod stuck in Pending: check whether resources are sufficient: kubectl describe pod <pod-name>
  • Network problems: check the CNI plugin messages in the kubelet log: journalctl -u kubelet -f

7.2 Log Collection

# View pod logs
kubectl logs <pod-name>

# View the logs of one container in a multi-container pod
kubectl logs <pod-name> -c <container-name>

# View node (kubelet) logs
journalctl -u kubelet -f
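The three problems in 7.1 each leave a recognisable message in the kubelet journal or in the pod's events, so the manual `journalctl -u kubelet -f` step from 7.2 can be narrowed down with a small filter. The script below is an added example, not part of the original article: it reads log lines on stdin and tags the ones that match the common failure signatures. The sample journal excerpt is constructed (modelled on typical kubelet output, not captured from any host), and the patterns are deliberately loose so they tolerate wording differences between Kubernetes versions.

```shell
#!/bin/sh
# Added example (not from the original article): tag kubelet journal lines
# and "kubectl describe pod" event lines with the 7.1 problem they point to.

# triage_log: stdin -> "CATEGORY<TAB>original line" for each matching line.
# Matching is case-insensitive; lines that match nothing are dropped.
triage_log() {
    awk '
        { line = tolower($0) }
        line ~ /swap/ && line ~ /not supported|enabled|fail/                  { print "SWAP_ENABLED\t" $0; next }
        line ~ /cgroup driver/ && line ~ /different|mismatch/                { print "CGROUP_DRIVER_MISMATCH\t" $0; next }
        line ~ /networkpluginnotready|cni plugin not initialized|cni config/ { print "CNI_NOT_READY\t" $0; next }
        line ~ /insufficient (cpu|memory)|failedscheduling/                  { print "INSUFFICIENT_RESOURCES\t" $0; next }
    '
}

# triage_summary: stdin -> "CATEGORY count" per category, sorted by category
triage_summary() {
    triage_log | cut -f1 | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample: four kubelet journal lines and one pod event line.
SAMPLE_LOG='Apr 17 10:00:01 node1 kubelet[1234]: E0417 10:00:01.000000 1234 run.go:74] "command failed" err="failed to run Kubelet: running with swap on is not supported, please disable swap!"
Apr 17 10:00:05 node1 kubelet[1234]: I0417 10:00:05.000000 1234 kubelet.go:1234] "Attempting to sync node with API server"
Apr 17 10:00:09 node1 kubelet[1234]: E0417 10:00:09.000000 1234 kubelet.go:2855] "Container runtime network not ready" networkReady="NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: cni plugin not initialized"
Apr 17 10:00:12 node1 kubelet[1234]: E0417 10:00:12.000000 1234 server.go:302] misconfiguration: kubelet cgroup driver: "systemd" is different from docker cgroup driver: "cgroupfs"
Apr 17 10:00:20 node1 kubelet[1234]: I0417 10:00:20.000000 1234 kubelet_node_status.go:70] "Successfully registered node" node="node1"
  Warning  FailedScheduling  12s  default-scheduler  0/2 nodes are available: 2 Insufficient memory.'

# Usage:  journalctl -u kubelet --no-pager -n 500 | ./triage.sh -
#         kubectl describe pod <pod-name> | ./triage.sh -
# Without an argument the constructed sample is summarised instead.
if [ "${1:-}" = "-" ]; then triage_log; else printf '%s\n' "$SAMPLE_LOG" | triage_summary; fi
```

On the sample, `triage_summary` reports one line in each of the four categories and drops the two informational lines. The tags map back to 7.1 directly: SWAP_ENABLED and CGROUP_DRIVER_MISMATCH explain a NotReady node (sections 1.2 and 2.2 are the fixes), CNI_NOT_READY is the network case, and INSUFFICIENT_RESOURCES is the Pending pod.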

With the configuration above, your Linux system will be able to support container orchestration and management, in particular the deployment and operation of a Kubernetes cluster. Depending on your actual requirements, you may need to adjust some parameters or add further components.