user_data for VMware -- 2016.10.

Author: custa | Source: published 2016-10-11 11:01, read 31 times

```yaml
#cloud-config

# Note: every <XXX> placeholder must be filled in for the actual environment

hostname: <hostname>

# SSH public key for the core user
ssh_authorized_keys:
  - 'ssh-rsa <AAAA...>'

coreos:
  units:
    - name: systemd-networkd.service
      command: stop

    - name: down-interfaces.service
      command: start
      content: |
        [Service]
        Type=oneshot
        ExecStart=/usr/bin/ip link set ens192 down dynamic off
        ExecStart=/usr/bin/ip addr flush dev ens192

    - name: ens192.network
      runtime: true
      content: |
        [Match]
        Name=ens192
        [Network]
        Address=<node IP>/24
        Gateway=<gateway IP>
        DNS=<DNS IP>
        DNS=<DNS IP>

    - name: systemd-networkd.service
      command: start

    # See /usr/lib/systemd/system/clean-ca-certificates.service
    - name: update-self-ca-certificate.service
      content: |
        [Unit]
        Description=Update self CA certificate /etc/ssl/certs/XXXSecureInternetProxyCA.pem
        DefaultDependencies=no
        Wants=clean-ca-certificates.service
        After=clean-ca-certificates.service
        Before=sysinit.target
        ConditionPathIsReadWrite=/etc/ssl/certs
        [Service]
        Type=oneshot
        ExecStart=/usr/sbin/update-ca-certificates
      command: start

    - name: etcd2.service
      command: start

    - name: fleet.service
      command: start

    - name: docker.service
      drop-ins:
        - name: proxy.conf
          content: |
            [Service]
            # Only lowercase http_proxy and https_proxy work; either one alone may be enough?
            Environment="http_proxy=<proxy IP and port>"
            Environment="https_proxy=<proxy IP and port>"
        - name: registry.conf
          content: |
            [Service]
            # 1. Registry mirror to speed up image downloads; here the daocloud mirror
            # 2. Insecure (e.g. self-hosted) registries; here the csphere and alauda registries
            Environment="DOCKER_OPTS=--registry-mirror=http://XXX.m.daocloud.io --insecure-registry=index.csphere.cn --insecure-registry=index.alauda.cn"
      command: restart

    # Behind a proxy, the update service may need the proxy's CA certificate (installed by the update-self-ca-certificate.service unit in this file) before it works
    - name: update-engine.service
      drop-ins:
        - name: proxy.conf
          content: |
            [Service]
            Environment="ALL_PROXY=<proxy IP and port>"
      command: restart

  etcd2:
    # See https://coreos.com/os/docs/latest/cluster-architectures.html
    # Behind a proxy, the proxy's CA certificate may be needed (via the update-self-ca-certificate.service unit in this file) before https works
    # Generate with: curl https://discovery.etcd.io/new?size=<N>, where <N> is the actual number of cluster nodes
    discovery: https://discovery.etcd.io/<XXX>
    discovery-proxy: <proxy IP and port>
    advertise-client-urls: http://<node IP>:2379
    initial-advertise-peer-urls: http://<node IP>:2380
    listen-client-urls: http://0.0.0.0:2379
    listen-peer-urls: http://<node IP>:2380

users:
  - name: root
    ssh-authorized-keys:
      - 'ssh-rsa <AAAA...>'
    # Generate the hash with (the dollar signs are escaped so the shell does not expand them):
    #   python -c "import crypt, getpass, pwd; print crypt.crypt('<password>', '\$6\$SALT\$')"
    passwd: '<hash generated from the password>'

  - name: core
    # Generated the same way as for root
    passwd: '<hash generated from the password>'

write_files:
  # Both lines go in one file: a second write_files entry with the same path would overwrite the first
  - path: /etc/profile.d/custom.sh
    content: |
      unset PROMPT_COMMAND
      export GIT_SSL_NO_VERIFY=true

  - path: /etc/profile.d/proxy.sh
    content: |
      export ALL_PROXY=<proxy IP and port>

  # Docker configuration file
  - path: /run/flannel_docker_opts.env
    content: |

  - path: /etc/systemd/timesyncd.conf
    content: |
      [Time]
      NTP=<NTP IP>

  - path: /etc/ssh/sshd_config
    permissions: 0600
    owner: root:root
    content: |
      # Original default contents
      # Use most defaults for sshd configuration.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp
      ClientAliveInterval 180
      UseDNS no

      # From version XXX on, the following lines must be added to allow root password login
      PermitRootLogin yes
      PasswordAuthentication yes

  # Add the proxy server's root CA certificate; export it from the Chrome browser and save it with a .pem extension
  - path: /etc/ssl/certs/XXXSecureInternetProxyCA.pem
    permissions: 0644
    owner: root:root
    content: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
```
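A pre-flight check to run over a user_data file like the one above before handing it to the VM, added here as an example and not part of the original post or of coreos-cloudinit: it reports `<...>` placeholders left unfilled, `write_files` entries that share a path (the later one silently overwrites the earlier one), and the settings in this configuration that widen exposure (root password login over SSH, `GIT_SSL_NO_VERIFY`, plain-HTTP registries, etcd's client API bound to 0.0.0.0 without TLS). The sample input is constructed from fragments of the configuration.

```python
import re

# Constructed sample: a fragment of the user_data above with one placeholder unfilled.
SAMPLE = """#cloud-config
hostname: <hostname>
coreos:
  etcd2:
    listen-client-urls: http://0.0.0.0:2379
write_files:
  - path: /etc/profile.d/custom.sh
    content: |
      export GIT_SSL_NO_VERIFY=true
  - path: /etc/profile.d/custom.sh
    content: |
      unset PROMPT_COMMAND
  - path: /etc/ssh/sshd_config
    content: |
      PermitRootLogin yes
      PasswordAuthentication yes
"""

PLACEHOLDER = re.compile(r"<[^<>]+>")
# Settings used in the post that widen exposure, each with the reason reported.
RISKY = [
    (re.compile(r"^\s*PermitRootLogin\s+yes\b"), "root login over SSH enabled"),
    (re.compile(r"^\s*PasswordAuthentication\s+yes\b"), "SSH password auth enabled"),
    (re.compile(r"GIT_SSL_NO_VERIFY=true"), "git TLS verification disabled"),
    (re.compile(r"--insecure-registry="), "plain-HTTP docker registry allowed"),
    (re.compile(r"listen-client-urls:\s*http://0\.0\.0\.0"),
     "etcd client API on all interfaces without TLS"),
]

def lint_user_data(text):
    # Returns a list of (kind, line_no, detail) findings for a cloud-config string.
    findings, seen_paths = [], {}
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#cloud-config":
        findings.append(("header", 1, "first line must be '#cloud-config'"))
    for no, line in enumerate(lines, 1):
        code = line.split("#", 1)[0]          # drop YAML/shell comments
        for ph in PLACEHOLDER.findall(code):  # e.g. <node IP> left unfilled
            findings.append(("placeholder", no, ph))
        for pat, why in RISKY:
            if pat.search(code):
                findings.append(("risky", no, why))
        m = re.match(r"\s*-\s*path:\s*(\S+)", code)
        if m and m.group(1) in seen_paths:    # a later entry overwrites the earlier one
            findings.append(("duplicate", no, f"{m.group(1)} also written at line {seen_paths[m.group(1)]}"))
        elif m:
            seen_paths[m.group(1)] = no
    return findings
```

Running `lint_user_data(SAMPLE)` yields six findings; an empty list means the file has no unfilled placeholders, no duplicated paths and none of the listed settings.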

Link: https://www.haomeiwen.com/subject/vfinjttx.html