Linux df命令用于显示目前在Linux系统上的文件系统的磁盘使用情况统计。
df -h
df -h /home
df --total
Linux du命令用于显示目录或文件的大小。
du会显示指定的目录或文件所占用的磁盘空间。
du
du -h
du --time
du test.log
du test
du -m
du -k
du -s
du --max-depth=1
docker images -f "dangling=true"
docker rmi $(docker images -f "dangling=true" -q)
[root@node1 ~]# docker system df
TYPE TOTAL ACTIVE SIZE RECLAIMABLE
Images 35 3 5.039GB 4.603GB (91%)
Containers 3 2 19.69kB 19.5kB (99%)
Local Volumes 28 0 3.782MB 3.782MB (100%)
Build Cache 0 0 0B 0B
docker volume ls -qf dangling=true
docker volume rm $(docker volume ls -qf dangling=true)
find / -name docker
可以使用
df或者du命令查看文件夹具体使用情况,参考Linux系统磁盘使用情况相关命令.
如:du -hs /var/lib/docker/
docker ps -a|grep Exited
docker ps -qf status=exited
docker rm $(docker ps -a|grep Exited |awk '{print $1}')
docker container prune
docker image prune
docker volume prune
docker network prune
docker system prune
注意
docker system prune和docker system prune -a两者的区别:
[root@node1 ~]#
docker system prune
WARNING! This will remove:
- all stopped containers
- all networks not used by at least one container
- all dangling images
- all dangling build cache
Are you sure you want to continue? [y/N]
[root@node1 ~]#
docker system prune -a
WARNING! This will remove:
- all stopped containers
- all networks not used by at least one container
- all images without at least one container associated to them
- all build cache
Are you sure you want to continue? [y/N]
Cert-manager 是一个云原生证书管理开源项目,用于在 Kubernetes 集群中提供 HTTPS 证书并自动续期,支持 Let’s Encrypt, HashiCorp Vault 这些免费证书的签发。在Kubernetes集群中,我们可以通过 Kubernetes Ingress 和 Let’s Encrypt 实现外部服务的自动化 HTTPS。
本文 Cert manager使用版本:v0.12.0
强烈建议参考官方文档:https://cert-manager.io/docs
注意stable/cert-manager已经过时不再维护了,转到jetstack/cert-manager。
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
或
kubectl create -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
这里设置了两个默认值
–set ingressShim.defaultIssuerName=letsencrypt-prod
–set ingressShim.defaultIssuerKind=ClusterIssuer
–set ingressShim.defaultIssuerGroup=cert-manager.io
用于在后续创建Ingress时,配合annotations
kubernetes.io/tls-acme: “true”
kubernetes.io/ingress.class: “nginx”
实现自动创建证书。
helm install --name cert-manager --namespace cert-manager --version v0.12.0 --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer --set ingressShim.defaultIssuerGroup=cert-manager.io jetstack/cert-manager
注意事项:下面的
pod需要部署在可以访问外网的机器上.
[root@k8s-master cert]# kubectl get pod -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-5cd477f7bb-fxpvf 1/1 Running 0 22m
cert-manager-cainjector-df4dc78cd-l527b 1/1 Running 0 22m
cert-manager-webhook-5f78ff89bc-ggvqt 1/1 Running 0 22m
[root@k8s-master cert]# kubectl get crd | grep cert-manager
certificaterequests.cert-manager.io 2020-01-07T01:38:32Z
certificates.cert-manager.io 2020-01-07T01:38:32Z
challenges.acme.cert-manager.io 2020-01-07T01:38:32Z
clusterissuers.cert-manager.io 2020-01-07T01:38:32Z
issuers.cert-manager.io 2020-01-07T01:38:32Z
orders.acme.cert-manager.io 2020-01-07T01:38:32Z
刚刚安装时已经指定了默认签发类型是ClusterIssuer ,签发机构名称是letsencrypt-prod ,但是我们还没有创建,现在需要创建cluster-issuer.yaml。
cert-manager 给我们提供了
Issuer和ClusterIssuer这两种用于创建签发机构的自定义资源对象,Issuer只能用来签发自己所在 namespace 下的证书,ClusterIssuer可以签发任意 namespace 下的证书.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: 1154365135@qq.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
上述配置,更多配置参考ClusterIssuer
metadata.name是我们创建的签发机构的名称,后面我们创建证书的时候会引用它spec.acme.email是你自己的邮箱,证书快过期的时候会有邮件提醒,不过 cert-manager 会利用 acme 协议自动给我们重新颁发证书来续期spec.acme.server是 acme 协议的服务端,我们这里用 Let’s Encrypt,这个地址就写死成这样就行spec.acme.privateKeySecretRef指示此签发机构的私钥将要存储到哪个 Secret 对象中,名称不重要spec.acme.solvers.http01这里指示签发机构使用 HTTP-01 的方式进行 acme 协议 (还可以用 DNS 方式,acme 协议的目的是证明这台机器和域名都是属于你的,然后才准许给你颁发证书)
kubectl create -f cluster-issuer.yaml
kubectl get clusterissuer
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: "true"
labels:
app: kubernetes-dashboard
chart: kubernetes-dashboard-1.10.0
heritage: Tiller
release: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
rules:
- host: k8s.deri.com
http:
paths:
- backend:
serviceName: kubernetes-dashboard
servicePort: 443
path: /
tls:
- hosts:
- k8s.deri.com
secretName: deri-com-tls-secret-cc
由于添加了annotations kubernetes.io/tls-acme: "true",tls这个secret会自动创建。
创建完成后隔一会儿我们可以看到会多出现一个随机名称的 Ingress 对象
cm-acme-http-solver-hl5sx,这个 Ingress 对象就是用来专门验证证书的:$ kubectl get ingress -n gateway NAME HOSTS ADDRESS PORTS AGE cm-acme-http-solver-hl5sx cs.deri.com 80 37s kube-ui cs.deri.com 80, 443 41s
验证成功后,这个 Ingress 对象会自动删除.
helm delete --purge cert-manager
kubectl delete -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
检查服务是否正常
[root@master ~]# kubectl get certificate -n gateway
NAME READY SECRET AGE
consul-tls-test True consul-tls-test 19m
[root@master ~]# kubectl get clusterissuer
NAME READY AGE
letsencrypt-prod True 157m
[root@master ~]# kubectl get certificate -n gateway
NAME READY SECRET AGE
consul-tls-test True consul-tls-test 19m
[root@master ~]# kubectl get Order -n gateway
NAME STATE AGE
consul-tls-test-3546184973-1845474898 valid 20m
[root@master ~]# kubectl get CertificateRequest -n gateway
NAME READY AGE
consul-tls-test-3546184973 True 27m
[root@master ~]# kubectl get secret -ngateway
NAME TYPE DATA AGE
consul-tls-test kubernetes.io/tls 3 29m
quay.io/jetstack/cert-manager-cainjector:v0.12.0
quay.io/jetstack/cert-manager-webhook:v0.12.0
quay.io/jetstack/cert-manager-controller:v0.12.0
#这里由于上面配置solve是acme所以用到这个镜像,如果你配置别的,可能不一致
quay.io/jetstack/cert-manager-acmesolver:v0.12.0
使用国内镜像源。
例如下面拉取比较慢
docker pull quay.io/jetstack/cert-manager-cainjector:v0.12.0
可以换成
docker pull quay-mirror.qiniu.com/jetstack/cert-manager-cainjector:v0.12.0
例如下面拉取比较慢
docker pull gcr.io/google_containers/kube-proxy
可以换成阿里云的
docker pull registry.aliyuncs.com/google_containers/kube-proxy
可以使用tag命令改回去
docker tag
kubernetes在删除namespace时,或多或少出现过删除后一直处于Terminating状态,这时又该如何删除呢?
本文介绍各种手段删除处于Terminating状态的namespace。
kubectl delete namespace NAMESPACENAME
kubectl delete namespace NAMESPACENAME --force --grace-period=0
修改
namespace配置,删除红色框中内容
kubectl edit namespace NAMESPACE_NAME
也有可能,上述方法中没有看到
finalizers,这时可以通过调用接口的方式删除
kubectl get namespace NAMESPACE_NAME -o json > tmp.json
{
//删除spec整个内容
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Terminating"
}
}
[root@k8s-master ~]# kubectl proxy
Starting to serve on 127.0.0.1:8001
Namespace,注意URL中修改成要删除的NAMESPACE_NAMEcurl -k -H "Content-Type: application/json" -X PUT --data-binary @tmp.json http://127.0.0.1:8001/api/v1/namespaces/NAMESPACE_NAME/finalize
本文使用istio版本号:1.4.2
Istio安装时,第一步就是创建了各种自定义资源类型(CRD),参考istio部署【在kubernetes上部署】,其中最重要的几个CRD包括:Gateway、VirtualService、DestinationRule、ServiceEntry。主要架构如下图:
DestinationRule用于定义目标服务的访问策略,如在subset定义版本,定义负载均衡策略,熔断,一级TLS等。
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
trafficPolicy:
loadBalancer:
simple: RANDOM
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
参考官网
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
http:
http1MaxPendingRequests: 100
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 1
interval: 1s
baseEjectionTime: 3m
maxEjectionPercent: 100
VirtualService是最重要的配置接口,定义服务的所有路由规则,包括条件判断、权重、路径重写等。
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
weight: 90
- destination:
host: reviews
subset: v2
weight: 10
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- route:
- destination:
host: ratings
subset: v1
timeout: 10s
retries:
attempts: 3
perTryTimeout: 2s
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- fault:
#定义10%请求+5秒延迟, 也可以是percent: 10
delay:
percentage:
value: 10
fixedDelay: 5s
#定义10%请求返回400错误, 也可以是percent: 10
abort:
percentage:
value: 10
httpStatus: 400
route:
- destination:
host: ratings
subset: v1
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- match:
- sourceLabels:
app: reviews
version: v2
...
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- match:
- headers:
end-user:
exact: jason
route:
- destination:
host: reviews
subset: v2
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: productpage
spec:
hosts:
- productpage
http:
- match:
- uri:
prefix: /api/v1
...
如果是嵌套在一个匹配语句中,为AND关系。
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- match:
- sourceLabels:
app: reviews
version: v2
headers:
end-user:
exact: jason
...
如果是单独的匹配语句,为OR关系。
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- match:
- sourceLabels:
app: reviews
version: v2
- headers:
end-user:
exact: jason
...
将外部服务接入到服务注册表中,让Istio中自动发现的服务能够访问和路由到这些手工加入的服务。与VirtualService或DestinationRule配合使用。
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: foo-ext-svc
spec:
hosts:
- *.foo.com
ports:
- number: 80
name: http
protocol: HTTP
- number: 443
name: https
protocol: HTTPS
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bar-foo-ext-svc
spec:
hosts:
- bar.foo.com
http:
- route:
- destination:
host: bar.foo.com
timeout: 10s
提供外部服务访问接入,可发布任意内部端口的服务,供外部访问。配合VirtualService使用。
Bookinfo示例:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage
port:
number: 9080