System
- Set ulimit and TCP parameters
# Add the following lines
# vi /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
# Add the following line to the file (this step can be skipped)
# vi /etc/pam.d/login
session required /lib/security/pam_limits.so
# On a 64-bit system it should be:
session required /lib64/security/pam_limits.so
# Add the following
# vi /etc/sysctl.conf
net.ipv4.ip_local_port_range = 1024 65535
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_fin_timeout = 10
# tcp_tw_recycle was removed in Linux 4.12; on newer kernels this key no longer exists
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save=1
net.core.somaxconn = 262144
# 0 disables SYN cookies, the kernel's fallback when the SYN backlog fills during a SYN flood
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
vm.max_map_count=655360
kernel.watchdog_thresh=30
# sysctl -p /etc/sysctl.conf
# sysctl -w net.ipv4.route.flush=1
# echo ulimit -HSn 65536 >> /etc/rc.local
# echo ulimit -HSn 65536 >>/root/.bash_profile
# ulimit -HSn 65536
Application
- Set the Docker cgroup driver to systemd
# vi /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"]
}
# systemctl restart docker
- Set kubelet --cgroup-driver to systemd
# vi /etc/kubernetes/kubelet
KUBELET_ARGS="<existing arguments> --cgroup-driver=systemd"
# systemctl restart kubelet
# cat etcd_backup.sh
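#!/bin/bash
# Save an etcd v3 snapshot named after the host and the current timestamp.
# The snapshot contains every Kubernetes Secret in the cluster; keep /opt/etcd_backup readable by root only.
cd /etc/etcd/ssl || exit 1
endpoints=https://192.168.183.231:2379,https://192.168.183.232:2379,https://192.168.183.233:2379
export ETCDCTL_API=3
/usr/local/bin/etcdctl --cacert=ca.crt --cert=peer.crt --key=peer.key --endpoints="$endpoints" snapshot save "/opt/etcd_backup/$(hostname)_$(date "+%Y%m%d%H%M").db"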
Logs
# vi /etc/docker/daemon.json
{
"log-driver":"json-file","log-opts":{ "max-size" :"200m","max-file":"5"}
}
# systemctl restart docker
Disk
# Insert
# vi /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Environment="KUBELET_OTHER_ARGS= \
--eviction-hard=memory.available<2Gi,nodefs.available<5Gi,imagefs.available<5Gi \
--eviction-minimum-reclaim=memory.available=500Mi,nodefs.available=5Gi,imagefs.available=5Gi \
--node-status-update-frequency=10s \
--eviction-pressure-transition-period=30s"
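Explanation: Pods are evicted when available memory falls below 2G, when free space on the root filesystem falls below 5G, or when free space on the image filesystem falls below 5G. The node is checked every 10 seconds, and the kubelet waits 30 seconds before leaving the pressure state.
In some scenarios, evicting Pods may reclaim only a small amount of resources. This causes the kubelet to hit the eviction threshold repeatedly. In addition, reclaiming resources such as disk space takes time.
To mitigate this, the kubelet can define a minimum-reclaim for each resource. Once the kubelet detects resource pressure, it tries to reclaim at least minimum-reclaim of that resource, so that resource consumption returns to the desired range.
In other words, when eviction is triggered for memory, the kubelet must bring available memory to at least 2.5G; when eviction is triggered for the root or image disk, the kubelet must bring free disk space to at least 10G.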
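The arithmetic described above, as an added example that is not part of the original article: the hypothetical helper `eviction_plan` parses the two flag values from the kubelet drop-in and prints, per signal, the eviction threshold and the level the kubelet reclaims up to. The third argument is a set of constructed node readings used only to show which signals would currently trigger eviction.

```shell
#!/bin/sh
# Added example, not from the original article.
# eviction_plan HARD RECLAIM [OBSERVED]      (hypothetical helper name)
#   HARD      value of --eviction-hard            (signal<quantity,...)
#   RECLAIM   value of --eviction-minimum-reclaim (signal=quantity,...)
#   OBSERVED  constructed node readings           (signal=quantity,...)
# Prints, per signal, the eviction threshold, the level the kubelet reclaims
# up to (threshold + minimum reclaim), and whether OBSERVED is below threshold.
# Only binary-suffixed quantities (Ki, Mi, Gi, Ti) are handled; percentage
# thresholds are rejected with exit status 1.
eviction_plan() {
    awk -v hard="$1" -v reclaim="$2" -v observed="${3:-}" '
    function mib(q,    n, u) {            # quantity -> MiB, -1 if unsupported
        n = q + 0; u = q; sub(/^[0-9.]+/, "", u)
        if (u == "Ki") return n / 1024
        if (u == "Mi") return n
        if (u == "Gi") return n * 1024
        if (u == "Ti") return n * 1024 * 1024
        return -1
    }
    function parse_kv(list, out,    i, n, parts, kv) {   # "a=1Gi,b=2Gi" -> out[a], out[b]
        n = split(list, parts, ",")
        for (i = 1; i <= n; i++) { split(parts[i], kv, "="); out[kv[1]] = kv[2] }
    }
    BEGIN {
        parse_kv(reclaim, extra); parse_kv(observed, seen)
        n = split(hard, h, ",")
        for (i = 1; i <= n; i++) {
            split(h[i], kv, "<")
            limit = mib(kv[2])
            add = (kv[1] in extra) ? mib(extra[kv[1]]) : 0
            if (limit < 0 || add < 0) {
                print "unsupported quantity for " kv[1] > "/dev/stderr"; exit 1
            }
            state = "unknown"
            if (kv[1] in seen) state = (mib(seen[kv[1]]) < limit) ? "EVICT" : "ok"
            printf "%s evict_below=%dMi reclaim_to=%dMi state=%s\n", kv[1], limit, limit + add, state
        }
    }'
}

# Flag values from the kubelet drop-in above; the readings are constructed.
HARD='memory.available<2Gi,nodefs.available<5Gi,imagefs.available<5Gi'
RECLAIM='memory.available=500Mi,nodefs.available=5Gi,imagefs.available=5Gi'
eviction_plan "$HARD" "$RECLAIM" 'memory.available=1536Mi,nodefs.available=20Gi'
```

The memory target prints as 2548Mi (2Gi + 500Mi), which is the "2.5G" figure in the explanation; both disk targets print as 10240Mi, that is 10Gi.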
# PS: yum install -y expect
# cat Clean_Docker_Df.sh
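#!/bin/bash
# Answer the confirmation prompt of "docker system prune -a" automatically
# ("docker system prune -a -f" skips the prompt without needing expect)
expect << 'EOF'
set timeout -1
spawn docker system prune -a
expect "y/N" {send "y\r"}
expect eof
EOF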
Scheduled tasks overview
- etcd_backup.sh
- Clean_Docker_Df.sh