cloud-config

說明：<XXX> 需要根據(jù)實(shí)際情況配置

hostname: <主機(jī)名>

core用戶ssh登陸公鑰

ssh_authorized_keys:

• 'ssh-rsa <AAAA...>'

coreos:
units:
- name: systemd-networkd.service
command: stop

- name: down-interfaces.service
  command: start
  content: |
    [Service]
    Type=oneshot
    ExecStart=/usr/bin/ip link set ens192 down dynamic off
    ExecStart=/usr/bin/ip addr flush dev ens192

- name: ens192.network
  runtime: true
  content: |
    [Match]
    Name=ens192
    [Network]
    Address=<節(jié)點(diǎn)IP>/24
    Gateway=<網(wǎng)關(guān)IP>
    DNS=<DNS IP>
    DNS=<DNS IP>

- name: systemd-networkd.service
  command: start

# 參考 /usr/lib/systemd/system/clean-ca-certificates.service
- name: update-self-ca-certificate.service
  content: |
    [Unit]
    Description=Update self CA certificate /etc/ssl/certs/XXXSecureInternetProxyCA.pem
    DefaultDependencies=no
    Wants=clean-ca-certificates.service
    After=clean-ca-certificates.service
    Before=sysinit.target
    ConditionPathIsReadWrite=/etc/ssl/certs
    [Service]
    Type=oneshot
    ExecStart=/usr/sbin/update-ca-certificates
  command: start

- name: etcd2.service
  command: start

- name: fleet.service
  command: start

- name: docker.service
  drop-ins:
    - name: proxy.conf
      content: |
        [Service]
        # 只能用小寫http_proxy和https_proxy等限，二選一即可恩掷？
        Environment="http_proxy=<代理IP和端口>"
        Environment="https_proxy=<代理IP和端口>"
    - name: registry.conf
      content: |
        [Service]
        # 1. 加速images下載的registry mirror峻呛，這里添加daocloud的mirror
        # 2. 不安全（比如自己架設(shè)的）registry，這里添加希云、靈雀云的registry
        Environment="DOCKER_OPTS=--registry-mirror=http://XXX.m.daocloud.io --insecure-registry=index.csphere.cn --insecure-registry=index.alauda.cn"
  command: restart

# proxy環(huán)境下碟绑，update服務(wù)可能需要添加代理服務(wù)的CA證書才能使用（通過本配置文件的update-self-ca-certificate.service服務(wù)）
- name: update-engine.service
  drop-ins:
    - name: proxy.conf
      content: |
        [Service]
        Environment="ALL_PROXY=<代理IP和端口>"
  command: restart

etcd2:
# 參考https://coreos.com/os/docs/latest/cluster-architectures.html
# proxy場(chǎng)景下剖膳，可能需要添加代理服務(wù)的CA證書（通過本配置文件的update-self-ca-certificate.service服務(wù)），才能使用https
# 通過 curl https://discovery.etcd.io/new?size=<N> 生成格侯，<N>根據(jù)實(shí)際集群節(jié)點(diǎn)個(gè)數(shù)配置
discovery: https://discovery.etcd.io/<XXX>
discovery-proxy: <代理IP和端口>
advertise-client-urls: http://<節(jié)點(diǎn)IP>:2379
initial-advertise-peer-urls: http://<節(jié)點(diǎn)IP>:2380
listen-client-urls: http://0.0.0.0:2379
listen-peer-urls: http://<節(jié)點(diǎn)IP>:2380

users:

• name: root
  ssh-authorized-keys:

  • 'ssh-rsa <AAAA...>'

  python -c "import crypt, getpass, pwd; print crypt.crypt('<口令>', '$6$SALT$')" 生成

  passwd: '<口令生成的hash值>'

• name: core

  python -c "import crypt, getpass, pwd; print crypt.crypt('<口令>', '$6$SALT$')" 生成

  passwd: '<口令生成的hash值>'

write_files:

• path: /etc/profile.d/custom.sh
  content: |
  unset PROMPT_COMMAND

• path: /etc/profile.d/custom.sh
  content: |
  export GIT_SSL_NO_VERIFY=true

• path: /etc/profile.d/proxy.sh
  content: |
  export ALL_PROXY=<代理IP和端口>

Docker configurtion file

- path: /run/flannel_docker_opts.env

content: |

• path: /etc/systemd/timesyncd.conf
  content: |
  [Time]
  NTP=<NTP IP>

• path: /etc/ssh/sshd_config
  permissions: 0600
  owner: root:root
  content: |

  原有默認(rèn)內(nèi)容

  Use most defaults for sshd configuration.

  UsePrivilegeSeparation sandbox
  Subsystem sftp internal-sftp
  ClientAliveInterval 180
  UseDNS no

  XXX版本開始鼻听，需要添加以下配置，允許root口令登陸

  PermitRootLogin yes
  PasswordAuthentication yes

添加代理服務(wù)器的CA根證書联四，內(nèi)容通過chrome瀏覽器導(dǎo)出獲得撑碴，必須以pem后綴保存

• path: /etc/ssl/certs/XXXSecureInternetProxyCA.pem
  permissions: 0644
  owner: root:root
  content: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----