rewrite chrony installation

pull/1006/head
gjmzj 2021-04-06 20:03:42 +08:00
parent 2ea25dd600
commit 1b07f1b26e
13 changed files with 138 additions and 388 deletions


@ -8,9 +8,9 @@
项目中选定一个节点(`groups.chrony[0]`)作为集群内部其他节点的时间同步源,而这个节点本身从公网源同步;当然如果整个集群都无法访问公网,那么请手动校准这个节点的时间后,仍旧可以作为内部集群的时间源服务器。
- 配置 chrony server详见roles/chrony/templates/server-*.conf.j2
- 配置 chrony server详见roles/chrony/templates/server.conf.j2
- 配置 chrony client详见roles/chrony/templates/client-*.conf.j2
- 配置 chrony client详见roles/chrony/templates/client.conf.j2
## `kubeasz` 集成安装
@ -18,68 +18,10 @@
- [可选] 修改 clusters/${cluster_name}/config.yml 中的相关配置
-执行命令安装 `ezctl setup ${cluster_name} 01`
## 验证配置
## 验证安装
- 在 chrony server 检查时间源信息,默认配置为`ntp1.aliyun.com`的地址:
```
$ chronyc sources -v
210 Number of sources = 5
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 120.25.115.20 2 9 377 55 +147us[ +250us] +/- 15ms
^- 85.199.214.100 1 10 377 182 -25ms[ -24ms] +/- 128ms
^- makaki.miuku.net 2 10 367 307 +61ms[ +61ms] +/- 127ms
^- static-5-103-139-163.ip.f 1 9 167 572 +532us[ +336us] +/- 117ms
^- 119.28.183.184 2 7 377 33 -130us[ -130us] +/- 47ms
```
- 在 chrony server 检查时间源同步状态
```
chronyc sourcestats -v
210 Number of sources = 5
.- Number of sample points in measurement set.
/ .- Number of residual runs with same sign.
| / .- Length of measurement set (time).
| | / .- Est. clock freq error (ppm).
| | | / .- Est. error in freq.
| | | | / .- Est. offset.
| | | | | | On the -.
| | | | | | samples. \
| | | | | | |
Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
==============================================================================
120.25.115.20 15 11 44m +0.011 0.909 +4097ns 758us
85.199.214.100 22 13 49m -3.588 5.097 -23ms 5709us
makaki.miuku.net 22 14 46m +2.455 6.225 +64ms 4945us
static-5-103-139-163.ip.f 20 13 42m -2.472 10.168 +3615us 6732us
119.28.183.184 16 9 19m +10.378 25.190 +3469us 6803us
```
- 在 chrony client 检查可以看到时间源只有一个groups.chrony[0] 节点地址)
```
$ chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.1.1 3 6 377 15 +4085ns[ -25us] +/- 15ms
$ chronyc sourcestats
210 Number of sources = 1
Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
==============================================================================
192.168.1.1 5 4 323 -0.252 0.819 -3031ns 15us
```
- 检查chronyd服务状态 `systemctl status chronyd`
- 检查chronyd时间同步日志 `/var/log/chrony`
## 验证时间同步状态完成

2
ezdown

@ -16,7 +16,7 @@ set -o errexit
DOCKER_VER=20.10.5
KUBEASZ_VER=3.0.1
K8S_BIN_VER=v1.20.5
EXT_BIN_VER=0.9.0
EXT_BIN_VER=0.9.2
SYS_PKG_VER=0.3.3
HARBOR_VER=v2.1.3
REGISTRY_MIRROR=CN


@ -1,9 +1,9 @@
- name: apt更新缓存刷新
apt: update_cache=yes cache_valid_time=72000
ignore_errors: true
when:
- 'ansible_distribution in ["Ubuntu","Debian"]'
- 'INSTALL_SOURCE != "offline"'
- name: prepare some dirs
file: name={{ item }} state=directory
with_items:
- "/etc/chrony"
- "/var/lib/chrony"
- "/var/log/chrony"
- name: apt 卸载 ntp
shell: 'apt remove -y ntp'
@ -17,46 +17,33 @@
warn: false
ignore_errors: true
- name: 安装 chrony
package: name=chrony state=present
when: 'INSTALL_SOURCE != "offline"'
- name: 下载二进制文件chronyd
copy: src={{ base_dir }}/bin/chronyd dest=/usr/sbin/chronyd mode=0755
# 离线安装 chrony
- import_tasks: offline.yml
when: 'INSTALL_SOURCE == "offline"'
- name: 创建chronyd的systemd unit文件
template: src=chronyd.service.j2 dest=/etc/systemd/system/chronyd.service
- block:
- name: 配置 chrony server
template: src=server-centos.conf.j2 dest=/etc/chrony.conf
when: 'ansible_distribution in ["CentOS","RedHat","Amazon","Aliyun"]'
- name: 配置 chrony server
template: src=server-ubuntu.conf.j2 dest=/etc/chrony/chrony.conf
when: 'ansible_distribution in ["Ubuntu","Debian"]'
- name: 启动 chrony server
service: name=chronyd state=restarted enabled=yes
when: 'ansible_distribution in ["CentOS","RedHat","Amazon","Aliyun"]'
- name: 启动 chrony server
service: name=chrony state=restarted enabled=yes
when: 'ansible_distribution in ["Ubuntu","Debian"]'
- name: 配置 chrony server
template: src=server.conf.j2 dest=/etc/chrony/chrony.conf
when: 'inventory_hostname == groups.chrony[0]'
- block:
- name: 配置 chrony client
template: src=client-centos.conf.j2 dest=/etc/chrony.conf
when: 'ansible_distribution in ["CentOS","RedHat","Amazon","Aliyun"]'
- name: 配置 chrony client
template: src=client-ubuntu.conf.j2 dest=/etc/chrony/chrony.conf
when: 'ansible_distribution in ["Ubuntu","Debian"]'
- name: 启动 chrony client
service: name=chronyd state=restarted enabled=yes
when: 'ansible_distribution in ["CentOS","RedHat","Amazon","Aliyun"]'
- name: 启动 chrony client
service: name=chrony state=restarted enabled=yes
when: 'ansible_distribution in ["Ubuntu","Debian"]'
- name: 配置 chrony client
template: src=client.conf.j2 dest=/etc/chrony/chrony.conf
when: 'inventory_hostname != groups.chrony[0]'
- name: 开机启用chronyd服务
shell: systemctl enable chronyd
ignore_errors: true
- name: 开启chronyd服务
shell: systemctl daemon-reload && systemctl restart chronyd
ignore_errors: true
tags: restart_chronyd
- name: 以轮询的方式等待chronyd服务启动
shell: "systemctl status chronyd.service|grep Active"
register: svc_status
until: '"running" in svc_status.stdout'
retries: 3
delay: 3
tags: restart_chronyd
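Review bot: The `开机启用chronyd服务` and `开启chronyd服务` tasks drive `systemctl` through `shell` with `ignore_errors: true`, so a failed enable or restart is only noticed by the polling task, and that task greps the human-readable `systemctl status` output for the word `running`, which is a brittle probe compared with `systemctl is-active`, whose output is a single stable token and whose exit code is non-zero until the unit is up. The `systemd` module does enable/restart plus the `daemon-reload` the freshly templated unit needs, and lets the play fail where the error happens. The `下载二进制文件chronyd` task installs a prebuilt `chronyd` into `/usr/sbin` with no integrity check; the `copy` module's `checksum` parameter (SHA1 of the source file) lets a tampered or truncated file under `{{ base_dir }}/bin` fail the copy instead of failing later at service start. Which of the enable/restart/wait tasks are new versus carried over is not fully recoverable from the rendered hunk.
```yaml
- name: 下载二进制文件chronyd
  copy: src={{ base_dir }}/bin/chronyd dest=/usr/sbin/chronyd mode=0755 checksum=<EXPECTED_SHA1_PLACEHOLDER>

# … unchanged: chronyd.service template, server/client config tasks …

- name: 开机启用chronyd服务
  systemd: name=chronyd enabled=yes daemon_reload=yes

- name: 开启chronyd服务
  systemd: name=chronyd state=restarted
  tags: restart_chronyd

- name: 以轮询的方式等待chronyd服务启动
  shell: "systemctl is-active chronyd.service"
  register: svc_status
  until: 'svc_status.stdout.strip() == "active"'
  retries: 3
  delay: 3
  tags: restart_chronyd
```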


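--- a/roles/chrony/tasks/offline.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-# 离线安装 chrony
-- name: 准备离线安装包目录
-file: name=/opt/kube/packages/chrony state=directory
-# ubuntu 1604
-- block:
-- name: 分发 chrony_xenial 离线包
-copy:
-src: "{{ base_dir }}/down/packages/chrony_xenial.tar.gz"
-dest: "/opt/kube/packages/chrony/chrony_xenial.tar.gz"
-- name: 安装 chrony_xenial 离线包
-shell: 'cd /opt/kube/packages/chrony && tar zxf chrony_xenial.tar.gz && \
-dpkg -i *.deb > /tmp/install_chrony.log 2>&1'
-when: ansible_distribution_release == "xenial"
-ignore_errors: true
-# ubuntu 1804
-- block:
-- name: 分发 chrony_bionic 离线包
-copy:
-src: "{{ base_dir }}/down/packages/chrony_bionic.tar.gz"
-dest: "/opt/kube/packages/chrony/chrony_bionic.tar.gz"
-- name: 安装 chrony_bionic 离线包
-shell: 'cd /opt/kube/packages/chrony && tar zxf chrony_bionic.tar.gz && \
-dpkg -i *.deb > /tmp/install_chrony.log 2>&1'
-when: ansible_distribution_release == "bionic"
-ignore_errors: true
-# centos7
-- block:
-- name: 分发 chrony_centos7 离线包
-copy:
-src: "{{ base_dir }}/down/packages/chrony_centos7.tar.gz"
-dest: "/opt/kube/packages/chrony/chrony_centos7.tar.gz"
-- name: 安装 chrony_centos7 离线包
-shell: 'cd /opt/kube/packages/chrony && tar zxf chrony_centos7.tar.gz && \
-rpm -Uvh --force --nodeps *.rpm > /tmp/install_chrony.log 2>&1'
-when:
-- 'ansible_distribution_major_version == "7"'
-- 'ansible_distribution == "CentOS"'
-ignore_errors: true
-# debian9
-- block:
-- name: 分发 chrony_stretch 离线包
-copy:
-src: "{{ base_dir }}/down/packages/chrony_stretch.tar.gz"
-dest: "/opt/kube/packages/chrony/chrony_stretch.tar.gz"
-- name: 安装 chrony_stretch 离线包
-shell: 'cd /opt/kube/packages/chrony && tar zxf chrony_stretch.tar.gz && \
-dpkg -i *.deb > /tmp/install_chrony.log 2>&1'
-when: ansible_distribution_release == "stretch"
-ignore_errors: true
-# debian10
-- block:
-- name: 分发 chrony_buster 离线包
-copy:
-src: "{{ base_dir }}/down/packages/chrony_buster.tar.gz"
-dest: "/opt/kube/packages/chrony/chrony_buster.tar.gz"
-- name: 安装 chrony_buster 离线包
-shell: 'cd /opt/kube/packages/chrony && tar zxf chrony_buster.tar.gz && \
-dpkg -i *.deb > /tmp/install_chrony.log 2>&1'
-when: ansible_distribution_release == "buster"
-ignore_errors: true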


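--- /dev/null
+++ b/roles/chrony/templates/chronyd.service.j2
@@ -0,0 +1,20 @@
+[Unit]
+Description=chrony, an NTP client/server
+Documentation=https://chrony.tuxfamily.org/documentation.html
+Conflicts=systemd-timesyncd.service openntpd.service ntpd.service ntp.service ntpsec.service
+After=network.target
+ConditionCapability=CAP_SYS_TIME
+[Service]
+# sysctl net.netfilter.nf_conntrack_count
+Type=forking
+PIDFile=/var/run/chrony/chronyd.pid
+ExecStart=/usr/sbin/chronyd -f /etc/chrony/chrony.conf
+ExecStartPost=/sbin/iptables -t raw -A PREROUTING -p udp -m udp --dport 123 -j NOTRACK
+ExecStartPost=/sbin/iptables -t raw -A OUTPUT -p udp -m udp --sport 123 -j NOTRACK
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+[Install]
+WantedBy=multi-user.target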
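Review bot: The two `ExecStartPost` lines append NOTRACK rules with `-A` on every start and no `ExecStopPost` removes them, so each restart (the role's `restart_chronyd` tag does exactly that) leaves another duplicate pair in the raw table, and the rules outlive the unit once the clean tasks delete it. Pair them with `-D` lines on stop and prefix the commands with `-` so a host that does not ship `/sbin/iptables` can still start the service. `Conflicts=` names the other NTP daemons but not `chrony.service`, the unit the distro chrony package uses on Ubuntu/Debian (the tasks this commit removes started it as `name=chrony`), and the rewrite no longer removes that package, so a previously provisioned host can end up with two daemons sharing `/etc/chrony/chrony.conf` and port 123; add it to `Conflicts=` or remove the package next to the existing `apt remove -y ntp` task (the distro unit may alias `chronyd.service`, so check which unit wins on an upgraded host). The `# sysctl net.netfilter.nf_conntrack_count` comment reads like a leftover debugging note; the fence replaces it with the reason NTP is excluded from conntrack.
```ini
Conflicts=systemd-timesyncd.service openntpd.service ntpd.service ntp.service ntpsec.service chrony.service
; … unchanged: After=, ConditionCapability=, Type=, PIDFile=, ExecStart= …
# NTP is stateless UDP; keep port 123 out of conntrack so a busy server does not
# fill the nf_conntrack table (watch net.netfilter.nf_conntrack_count).
# '-' prefix: a missing iptables binary must not prevent chronyd from starting.
ExecStartPost=-/sbin/iptables -t raw -A PREROUTING -p udp -m udp --dport 123 -j NOTRACK
ExecStartPost=-/sbin/iptables -t raw -A OUTPUT -p udp -m udp --sport 123 -j NOTRACK
ExecStopPost=-/sbin/iptables -t raw -D PREROUTING -p udp -m udp --dport 123 -j NOTRACK
ExecStopPost=-/sbin/iptables -t raw -D OUTPUT -p udp -m udp --sport 123 -j NOTRACK
```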


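--- a/roles/chrony/templates/client-centos.conf.j2
+++ /dev/null
@@ -1,44 +0,0 @@
-# Use public servers from the pool.ntp.org project.
-server {{ groups['chrony'][0] }} iburst
-# Ignor source level
-stratumweight 0
-# Record the rate at which the system clock gains/losses time.
-driftfile /var/lib/chrony/drift
-# Allow the system clock to be stepped in the first three updates
-# if its offset is larger than 1 second.
-makestep 1.0 3
-# Enable kernel synchronization of the real-time clock (RTC).
-rtcsync
-# Enable hardware timestamping on all interfaces that support it.
-#hwtimestamp *
-# Increase the minimum number of selectable sources required to adjust
-# the system clock.
-#minsources 2
-# Allow NTP client access from local network.
-allow {{ local_network }}
-#
-bindcmdaddress 127.0.0.1
-bindcmdaddress ::1
-# Serve time even if not synchronized to a time source.
-#local stratum 10
-# Specify file containing keys for NTP authentication.
-keyfile /etc/chrony.keys
-# Specify directory for log files.
-logdir /var/log/chrony
-# Select which information is logged.
-#log measurements statistics tracking
-#
-logchange 1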


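--- a/roles/chrony/templates/client-ubuntu.conf.j2
+++ /dev/null
@@ -1,52 +0,0 @@
-# Use public servers from the pool.ntp.org project.
-pool {{ groups['chrony'][0] }} iburst
-# Look here for the admin password needed for chronyc. The initial
-# password is generated by a random process at install time. You may
-# change it if you wish.
-keyfile /etc/chrony/chrony.keys
-# I moved the driftfile to /var/lib/chrony to comply with the Debian
-# filesystem standard.
-driftfile /var/lib/chrony/chrony.drift
-# Comment this line out to turn off logging.
-#log tracking measurements statistics
-logdir /var/log/chrony
-# Stop bad estimates upsetting machine clock.
-maxupdateskew 100.0
-# Dump measurements when daemon exits.
-#dumponexit
-# Specify directory for dumping measurements.
-dumpdir /var/lib/chrony
-# This directive lets 'chronyd' to serve time even if unsynchronised to any
-# NTP server.
-#local stratum 10
-# This directive designates subnets (or nodes) from which NTP clients are allowed
-# to access to 'chronyd'.
-allow {{ local_network }}
-# This directive forces `chronyd' to send a message to syslog if it
-# makes a system clock adjustment larger than a threshold value in seconds.
-logchange 1
-# This directive defines an email address to which mail should be sent
-# if chronyd applies a correction exceeding a particular threshold to the
-# system clock.
-# mailonchange root@localhost 0.5
-# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
-# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
-hwclockfile /etc/adjtime
-# This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it cant be used along with the 'rtcfile' directive.
-rtcsync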


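--- /dev/null
+++ b/roles/chrony/templates/client.conf.j2
@@ -0,0 +1,32 @@
+# Use local server
+server {{ groups['chrony'][0] }} iburst
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it cant be used along with the 'rtcfile' directive.
+rtcsync
+# Specify directory for dumping measurements.
+dumpdir /var/lib/chrony
+# This directive designates subnets (or nodes) from which NTP clients are allowed
+# to access to 'chronyd'.
+allow {{ local_network }}
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+# Ignor source level
+stratumweight 0
+# Comment this line out to turn off logging.
+#log tracking measurements statistics
+logdir /var/log/chrony
+log statistics measurements tracking
+noclientlog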
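Review bot: `allow {{ local_network }}` in the client template turns every non-server node into an NTP server for the whole local network, although by the design described in docs/guide/chrony.md the clients only poll `groups.chrony[0]`; combined with the unit's NOTRACK rule for `--dport 123` that is listening surface nothing needs. Drop the `allow` line (without an `allow`, chronyd denies server access by default) or add `port 0` so clients never open the NTP server socket at all. `stratumweight 0` has no effect with a single configured source, so it can go as well.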


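--- a/roles/chrony/templates/server-centos.conf.j2
+++ /dev/null
@@ -1,51 +0,0 @@
-# Use public servers from the pool.ntp.org project.
-{% for HOST in ntp_servers %}
-server {{ HOST }} iburst
-{% endfor %}
-server 0.centos.pool.ntp.org iburst
-server 1.centos.pool.ntp.org iburst
-server 2.centos.pool.ntp.org iburst
-server 3.centos.pool.ntp.org iburst
-# Ignor source level
-stratumweight 0
-# Record the rate at which the system clock gains/losses time.
-driftfile /var/lib/chrony/drift
-# Allow the system clock to be stepped in the first three updates
-# if its offset is larger than 1 second.
-makestep 1.0 3
-# Enable kernel synchronization of the real-time clock (RTC).
-rtcsync
-# Enable hardware timestamping on all interfaces that support it.
-#hwtimestamp *
-# Increase the minimum number of selectable sources required to adjust
-# the system clock.
-#minsources 2
-# Allow NTP client access from local network.
-allow {{ local_network }}
-#
-bindcmdaddress 127.0.0.1
-bindcmdaddress ::1
-# Serve time even if not synchronized to a time source.
-local stratum 10
-# Specify file containing keys for NTP authentication.
-keyfile /etc/chrony.keys
-# Specify directory for log files.
-logdir /var/log/chrony
-# Select which information is logged.
-#log measurements statistics tracking
-#
-noclientlog
-logchange 1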


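--- a/roles/chrony/templates/server-ubuntu.conf.j2
+++ /dev/null
@@ -1,55 +0,0 @@
-# Use public servers from the pool.ntp.org project.
-{% for HOST in ntp_servers %}
-server {{ HOST }} iburst
-{% endfor %}
-pool 2.debian.pool.ntp.org iburst
-# Look here for the admin password needed for chronyc. The initial
-# password is generated by a random process at install time. You may
-# change it if you wish.
-keyfile /etc/chrony/chrony.keys
-# I moved the driftfile to /var/lib/chrony to comply with the Debian
-# filesystem standard.
-driftfile /var/lib/chrony/chrony.drift
-# Comment this line out to turn off logging.
-#log tracking measurements statistics
-logdir /var/log/chrony
-# Stop bad estimates upsetting machine clock.
-maxupdateskew 100.0
-# Dump measurements when daemon exits.
-#dumponexit
-# Specify directory for dumping measurements.
-dumpdir /var/lib/chrony
-# This directive lets 'chronyd' to serve time even if unsynchronised to any
-# NTP server.
-local stratum 10
-# This directive designates subnets (or nodes) from which NTP clients are allowed
-# to access to 'chronyd'.
-allow {{ local_network }}
-# This directive forces `chronyd' to send a message to syslog if it
-# makes a system clock adjustment larger than a threshold value in seconds.
-logchange 1
-# This directive defines an email address to which mail should be sent
-# if chronyd applies a correction exceeding a particular threshold to the
-# system clock.
-# mailonchange root@localhost 0.5
-# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
-# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
-hwclockfile /etc/adjtime
-# This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it cant be used along with the 'rtcfile' directive.
-rtcsync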


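--- /dev/null
+++ b/roles/chrony/templates/server.conf.j2
@@ -0,0 +1,39 @@
+# Use public servers from the pool.ntp.org project.
+{% for HOST in ntp_servers %}
+server {{ HOST }} iburst
+{% endfor %}
+pool pool.ntp.org iburst
+pool 2.debian.pool.ntp.org iburst
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it cant be used along with the 'rtcfile' directive.
+rtcsync
+# Specify directory for dumping measurements.
+dumpdir /var/lib/chrony
+# This directive lets 'chronyd' to serve time even if unsynchronised to any NTP server.
+local stratum 10
+# This directive designates subnets (or nodes) from which NTP clients are allowed
+# to access to 'chronyd'.
+allow {{ local_network }}
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+# Ignor source level
+stratumweight 0
+# Comment this line out to turn off logging.
+#log tracking measurements statistics
+logdir /var/log/chrony
+log statistics measurements tracking
+noclientlog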


@ -1,11 +1,14 @@
- block:
- name: stop and disable chrony in Ubuntu
service: name=chrony state=stopped enabled=no
ignore_errors: true
when: 'ansible_distribution in ["Ubuntu","Debian"]'
- name: stop and disable chronyd in CentOS/RedHat
- name: stop and disable chronyd
service: name=chronyd state=stopped enabled=no
ignore_errors: true
when: 'ansible_distribution in ["CentOS","RedHat","Amazon","Aliyun"]'
- name: remove files and dirs
file: name={{ item }} state=absent
with_items:
- "/etc/chrony"
- "/var/lib/chrony"
- "/var/log/chrony"
- "/var/run/chrony"
- "/etc/systemd/system/chronyd.service"
when: "groups['chrony']|length > 0"
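Review bot: After the remove task deletes `/etc/systemd/system/chronyd.service` nothing runs a daemon-reload, so systemd keeps the stale unit definition loaded until something else reloads it; add `- name: reload systemd after removing chronyd unit` / `systemd: daemon_reload=yes` after the remove task (the `ignore_errors: true` style of the stop task fits here too). The NOTRACK rules that the unit's `ExecStartPost` appends to the raw table are not touched by this cleanup either, so they persist on a cleaned host unless the unit gains matching `ExecStopPost` deletions; the stop task runs before the removal, so that ordering would then work. Whether `when: "groups['chrony']|length > 0"` attaches to the whole block or only to the remove task is not visible in the rendered hunk.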


@ -62,7 +62,6 @@
- "/root/.kube/config"
- "/etc/kubernetes/kube-controller-manager.kubeconfig"
- "/etc/kubernetes/kube-scheduler.kubeconfig"
tags: upgrade_k8s, restart_master
- name: 创建 kube-scheduler 配置文件
template: src=kube-scheduler-config.yaml.j2 dest=/etc/kubernetes/kube-scheduler-config.yaml
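Review bot: This hunk appears to drop `tags: upgrade_k8s, restart_master` from the kubeconfig distribution task (its header sits above the hunk), so plays limited to either tag would no longer copy `/root/.kube/config` and the controller-manager/scheduler kubeconfigs; that is unrelated to the chrony rewrite and not mentioned in the commit message. If the change is intentional, say so in the description; otherwise restore the line.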