目录
系统
# 增加文本
# vi /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
# 在文件中添加如下行(此步可忽略)
# vi /etc/pam.d/login
session required /lib/security/pam_limits.so
# 如果是64bit系统的话,应该为 :
session required /lib64/security/pam_limits.so
# 添加内容
# vi /etc/sysctl.conf
net.ipv4.ip_local_port_range = 1024 65535
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save=1
net.core.somaxconn = 262144
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
vm.max_map_count=655360
# sysctl -p /etc/sysctl.conf
# sysctl -w net.ipv4.route.flush=1
# echo ulimit -HSn 65536 >> /etc/rc.local
# echo ulimit -HSn 65536 >>/root/.bash_profile
# ulimit -HSn 65536
应用
- Docker Cgroup Driver 为 systemd
# vi /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"]
}
# systemctl restart docker
- kubelet --cgroup-driver 为 systemd
# vi /etc/kubernetes/kubelet
KUBELET_ARGS=”原有参数 --cgroup-driver=systemd”
# systemctl restart kubelet
# cat etcd_backup.sh
#!/bin/bash
cd /etc/etcd/ssl
endpoints=https://192.168.183.231:2379,https://192.168.183.232:2379,https://192.168.183.233:2379
export ETCDCTL_API=3
/usr/local/bin/etcdctl --cacert=ca.crt --cert=peer.crt --key=peer.key --endpoints=$endpoints snapshot save /opt/etcd_backup/`hostname`_`date "+%Y%m%d%H%M".db`
日志
# vi /etc/docker/daemon.json
{
"log-driver":"json-file","log-opts":{ "max-size" :"200m","max-file":"5"}
}
# systemctl restart docker
磁盘
# 插入
# vi /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Environment="KUBELET_OTHER_ARGS=
--eviction-hard=memory.available<2Gi,nodefs.available<5Gi,imagefs.available<5Gi
--eviction-minimum-reclaim=memory.available=500Mi,nodefs.available=5Gi,imagefs.available=5Gi
--node-status-update-frequency=10s
--eviction-pressure-transition-period=30s"
解读:内存小于2G驱逐,root目录磁盘空间小于5G驱逐,镜像目录磁盘空间小于5G驱逐,节点检测为每10秒一次,在跳出压力状态之前要等待的时间为30秒。
在某些场景下,驱逐 Pod 可能只回收了很少的资源。这就导致了 kubelet 反复触发驱逐阈值。另外回收资源例如磁盘资源,是需要消耗时间的。
要缓和这种状况,Kubelet 能够对每种资源定义 minimum-reclaim。kubelet 一旦发现了资源压力,就会试着回收至少 minimum-reclaim 的资源,使得资源消耗量回到期望范围。
也就是说当内存触发驱逐时,kubelet至少要让内存有2.5G,当root和镜像磁盘空间发生驱逐时,kubelet至少要让磁盘有10G的空间。
# PS: yum install -y expect
# cat Clean_Docker_Df.sh
expect << EOF
spawn docker system prune -a
expect "[y/N]" {send "y/r"}
expect "#" {send "echo OK/r"}
EOF
定时任务一览表
- etcd_backup.sh
- Clean_Docker_Df.sh
网友评论