春风十里不如你 —— Taozi - 监控 https://xiongan.host/index.php/tag/%E7%9B%91%E6%8E%A7/ zh-CN Mon, 30 Oct 2023 01:41:00 +0800 Mon, 30 Oct 2023 01:41:00 +0800 基于Kubernetes集群的监控网络服务 https://xiongan.host/index.php/archives/226/ https://xiongan.host/index.php/archives/226/ Mon, 30 Oct 2023 01:41:00 +0800 admin 基于Kubernetes集群的监控网络服务

介绍

需要以下环境

  • Kubernetes集群
  • Blackbox工具
  • Grafana、Prometheus监控

大致功能:通过在K8s集群中部署blackbox工具(用于监控服务,检查网络可用性)和Grafana、Prometheus(监控可视化面板)更直观的体现网络连通性,可以进行警报和分析

本文章通过若海博客的Kubernetes 集群上安装 Blackbox 监控网站状态】和【Kubernetes 集群上安装 Grafana 和 Prometheus】整合而成

部署Kubernetes集群(Ubuntu/Debian操作系统)

确保主节点和子节点都有Docker环境(最好是同一个版本)

主节点

//安装Docker,一键安装(如有安装可以忽略)
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
//开启docker、并设置开机自启
systemctl start docker & systemctl enable docker
apt update
apt install -y wireguard

echo "net.ipv4.ip_forward = 1" >/etc/sysctl.d/ip_forward.conf
sysctl -p /etc/sysctl.d/ip_forward.conf
//以下Token值请保存,任意字符串
export SERVER_TOKEN=r83nui54eg8wihyiteshuo3o43gbf7u9er63o43gbf7uitujg8wihyitr6

export PUBLIC_IP=$(curl -Ls http://metadata.tencentyun.com/latest/meta-data/public-ipv4)
export PRIVATE_IP=$(curl -Ls http://metadata.tencentyun.com/latest/meta-data/local-ipv4)

export INSTALL_K3S_SKIP_DOWNLOAD=true
export DOWNLOAD_K3S_BIN_URL=https://github.com/k3s-io/k3s/releases/download/v1.28.2%2Bk3s1/k3s

if [ $(curl -Ls http://ipip.rehi.org/country_code) == "CN" ]; then
   DOWNLOAD_K3S_BIN_URL=https://ghproxy.com/${DOWNLOAD_K3S_BIN_URL}
fi

curl -Lo /usr/local/bin/k3s $DOWNLOAD_K3S_BIN_URL
chmod a+x /usr/local/bin/k3s

curl -Ls https://get.k3s.io | sh -s - server \
    --cluster-init \
    --token $SERVER_TOKEN \
    --node-ip $PRIVATE_IP \
    --node-external-ip $PUBLIC_IP \
    --advertise-address $PRIVATE_IP \
    --service-node-port-range 5432-9876 \
    --flannel-backend wireguard-native \
    --flannel-external-ip

子节点

//安装Docker,一键安装(如有安装可以忽略)
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
//开启docker、并设置开机自启
systemctl start docker & systemctl enable docker
//子节点代码
apt update
apt install -y wireguard

echo "net.ipv4.ip_forward = 1" >/etc/sysctl.d/ip_forward.conf
sysctl -p /etc/sysctl.d/ip_forward.conf

export SERVER_IP=43.129.195.33 //此ip填你的主节点地址
export SERVER_TOKEN=r83nui54eg8wihyiteshuo3o43gbf7u9er63o43gbf7uitujg8wihyitr6

export PUBLIC_IP=$(curl -Ls http://metadata.tencentyun.com/latest/meta-data/public-ipv4)
export PRIVATE_IP=$(curl -Ls http://metadata.tencentyun.com/latest/meta-data/local-ipv4)

export INSTALL_K3S_SKIP_DOWNLOAD=true
export DOWNLOAD_K3S_BIN_URL=https://github.com/k3s-io/k3s/releases/download/v1.28.2%2Bk3s1/k3s

if [ $(curl -Ls http://ipip.rehi.org/country_code) == "CN" ]; then
   DOWNLOAD_K3S_BIN_URL=https://ghproxy.com/${DOWNLOAD_K3S_BIN_URL}
fi

curl -Lo /usr/local/bin/k3s $DOWNLOAD_K3S_BIN_URL
chmod a+x /usr/local/bin/k3s

curl -Ls https://get.k3s.io | sh -s - agent \
    --server https://$SERVER_IP:6443 \
    --token $SERVER_TOKEN \
    --node-ip $PRIVATE_IP \
    --node-external-ip $PUBLIC_IP

Blackbox工具部署(也有集群方式)

//拉取镜像
docker pull rehiy/blackbox
//一键启动
docker run -d \
    --name blackbox \
    --restart always \
    --publish 9115:9115 \
    --env "NODE_NAME=guangzhou-taozi" \
    --env "NODE_OWNER=Taozi" \
    --env "NODE_REGION=广州" \
    --env "NODE_ISP=TencentCloud" \
    --env "NODE_BANNER=From Taozii-www.xiongan.host" \
    rehiy/blackbox
//开始注册
docker logs -f blackbox

image-20231029233949787

Grafana、Prometheus部署

在主节点创建一个目录,名字任意,然后在同一目录中创建两个文件(grafpro.yaml、grafpro.sh)

grafpro.yaml

kind: Deployment
apiVersion: apps/v1
metadata:
  name: &name grafpro
  labels:
    app: *name
spec:
  selector:
    matchLabels:
      app: *name
  template:
    metadata:
      labels:
        app: *name
    spec:
      initContainers:
        - name: busybox
          image: busybox
          command:
            - sh
            - -c
            - |
              if [ ! -f /etc/prometheus/prometheus.yml ]; then
              cat <<EOF >/etc/prometheus/prometheus.yml
              global:
                scrape_timeout: 25s
                scrape_interval: 1m
                evaluation_interval: 1m

              scrape_configs:
                - job_name: prometheus
                  static_configs:
                    - targets:
                        - 127.0.0.1:9090
              EOF
              fi
          volumeMounts:
            - name: *name
              subPath: etc
              mountPath: /etc/prometheus
      containers:
        - name: grafana
          image: grafana/grafana
          securityContext:
            runAsUser: 0
          ports:
            - containerPort: 3000
          volumeMounts:
            - name: *name
              subPath: grafana
              mountPath: /var/lib/grafana
        - name: prometheus
          image: prom/prometheus
          securityContext:
            runAsUser: 0
          ports:
            - containerPort: 9090
          volumeMounts:
            - name: *name
              subPath: etc
              mountPath: /etc/prometheus
            - name: *name
              subPath: prometheus
              mountPath: /prometheus
      volumes:
        - name: *name
          hostPath:
            path: /srv/grafpro
            type: DirectoryOrCreate
---
kind: Service
apiVersion: v1
metadata:
  name: &name grafpro
  labels:
    app: *name
spec:
  selector:
    app: *name
  ports:
    - name: grafana
      port: 3000
      targetPort: 3000
    - name: prometheus
      port: 9090
      targetPort: 9090
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: &name grafpro
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
spec:
  rules:
    - host: grafana.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: *name
                port:
                  name: grafana
    - host: prometheus.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: *name
                port:
                  name: prometheus
  tls:
    - secretName: default

grafpro.sh

//警告:请修改路径和访问域名
# 配置存储路径
export GRAFPRO_STORAGE=${GRAFPRO_STORAGE:-"/srv/grafpro"}
# 配置访问域名
export GRAFANA_DOMAIN=${GRAFPRO_DOMAIN:-"grafana.example.org"}
export PROMETHEUS_DOMAIN=${PROMETHEUS_DOMAIN:-"prometheus.example.org"}

# 修改参数并部署服务
cat grafpro.yaml \
    | sed "s#/srv/grafpro#$GRAFPRO_STORAGE#g" \
    | sed "s#grafana.example.org#$GRAFANA_DOMAIN#g" \
    | sed "s#prometheus.example.org#$PROMETHEUS_DOMAIN#g" \
    | kubectl apply -f -

部署

chmod +x grafpro.sh
./grafpro.sh

测试打开

注意以下,开启端口9115、9090
浏览器打开地址http://grafana.example.org 账号密码都是admin,首次登录,提示修改密码,修改后自动跳到控制台
浏览器打开http://grafana.example.org/connections/datasources/选择第一个,然后编辑URL为:http://127.0.0.1:9090 然后保存
然后选择创建好的Prometheus,导入面板

浏览器打开http://prometheus.example.org,查看信息

image-20231030002818047

image-20231030003050033

image-20231030003343689

配置Promethues任务

//回到主节点的/srv/grafpro/etc目录下
编辑yml文件,备份一下原有的yml,创建新的yml
mv prometheus.yml prometheus00.yml
//以下是yml文件内容(若部署时修改了负载名称blackbox-exporter,下文的配置文件也要做相应的修改)
global:
  scrape_timeout: 15s
  scrape_interval: 1m
  evaluation_interval: 1m

scrape_configs:
  # prometheus
  - job_name: prometheus
    static_configs:
      - targets:
          - 127.0.0.1:9090
  # blackbox_all
  - job_name: blackbox_all
    static_configs:
      - targets:
          - blackbox-gz:9115
        labels:
          region: '广州,腾讯云'
  # http_status_gz
  - job_name: http_status_gz
    metrics_path: /probe
    params:
      module: [http_2xx] #配置get请求检测
    static_configs:
      - targets:
          - https://www.example.com
        labels:
          project: 测试1
          desc: 测试网站描述1
      - targets:
          - https://www.example.org
        labels:
          project: 测试2
          desc: 测试网站描述2
    basic_auth:
      username: ******
      password: ******      
    relabel_configs:
      - target_label: region
        replacement: '广州,腾讯云'
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: blackbox-gz:9115:80

然后重启svc,方法如下:首先查看pod

kubectl get pod
然后删除查看到关于grafana的pod,然后稍等几分钟即可
kubectl delete pod *

导入 Grafana 仪表盘

下载附件json在Grafana仪表盘里导入即可

image-20231030010749235

导入后可以查看到监控仪已经开始了,显示各项信息

image-20231030012948467

image-20231030013016056

]]>
0 https://xiongan.host/index.php/archives/226/#comments https://xiongan.host/index.php/feed/tag/%E7%9B%91%E6%8E%A7/
【Docker】k8s健康检查 https://xiongan.host/index.php/archives/212/ https://xiongan.host/index.php/archives/212/ Sun, 28 May 2023 12:05:24 +0800 admin 健康检查

使用存活探针

创建使用 execaction 模式的存活探针 pod 的 yaml 文件。

68489166457

需要创建目录(/tmp/healthy)查看到运行成功,持续监控pod状态,看到pod反复重启

68489177496

使用 describe 命令查看详细 pod 信息,正常

68489215771

创建使用 http 存活探针的 pod 的 yaml 文件。

创建yaml

68489270782

运行并查看状态

68489266877

查看详细events

68489274944

创建使用 tcp 存活探针的 pod 的 yaml,模板采用 httpd 容器镜像。

创建yaml文件

68489334782

运行并进行容器内操作

68489330745

查看pod的restarts次数

68489340633

查看pod之前未通过liveness的记录

68489347800

就绪探针

创建 http 的 deployment 的 yaml 文件,其中配置 readiness 探针。

运行deployment

68489537126

68489538966

使用describechakanhttp服务的endpoint

68489544567

可以看到有4个地址

进入一个容器,删除index.html文件

68489549710

再使用 describe 命令查看 endpoint

68489553113

可以看到删除的pod地址已经从endpoint中移除

查看pod的详细信息,看到pod未通过探针检测

68489560281

查看pod信息,kandaopod处于notready状态

68489564469

]]>
0 https://xiongan.host/index.php/archives/212/#comments https://xiongan.host/index.php/feed/tag/%E7%9B%91%E6%8E%A7/
【Zabbix】部署监控软件 https://xiongan.host/index.php/archives/190/ https://xiongan.host/index.php/archives/190/ Thu, 15 Dec 2022 17:43:00 +0800 admin 介绍
zabbix是一个监控软件,其可以监控各种网络参数,保证企业服务架构安全运营,同时支持灵活的告警机制,可以使得运维人员快速定位故障、解决问题。zabbix支持分布式功能,支持复杂架构下的监控解决方案,也支持web页面,为主机监控提供了良好直观的展现。

部署

安装httpd和php7

服务端:

[root@srv-tz ~]# yum install -y

[root@srv-tz ~]# systemctl enable --now httpd

客户端:

[root@client01 ~]# yum install -y yum-plugin-priorities && yum install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm -y
#修改repo配置文件
[root@client01 ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo
[root@client01 ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/remi-safe.repo
#安装php扩展
[root@client01 ~]# yum --enablerepo=remi-safe,epel install php72 php72-php-pear php72-php-mbstring -y
#启动和自启php
[root@client01 ~]# scl enable php72 bash
#查看php版本信息
[root@client01 ~]# php -v
PHP 7.2.34 (cli) (built: Oct 24 2022 10:27:24) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
编辑脚本文件
[root@client01 ~]# vim /etc/profile.d/php72.sh
#!/bin/bash
source /opt/remi/php72/enable
export X_SCLS="`scl enable php72 'echo $X_SCLS'`"
#安装php从remi源中
[root@client01 ~]# yum --enablerepo=remi-safe,epel -y install php72-php
[root@client01 ~]# systemctl enable --now httpd
#写入页面
[root@client01 ~]# echo '<?php phpinfo(); ?>' > /var/www/html/info.php
#查看页面
[root@client01 ~]# curl http://localhost/info.php | grep 'PHP Version' | tail -1 | sed --e 's/<[^>]*>//g'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 69230    0 69230    0     0  6822k      0 --:--:-- --:--:-- --:--:-- 7511k
PHP Version 7.2.34

phpinfo

安装及配置 MariaDB

安装环境

服务端:

[root@srv-tz ~]# yum install centos-release-scl-rh centos-release-scl -y
#修改配置文件
[root@srv-tz ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@srv-tz ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
[root@srv-tz ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo 
[root@srv-tz ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
#安装
[root@srv-tz ~]# yum --enablerepo=centos-sclo-rh install rh-mariadb103-mariadb-server -y

启用 MariaDB 环境

#运行mariadb
[root@srv-tz ~]# scl enable rh-mariadb103 bash
#查看版本
[root@srv-tz ~]# mysql -V
mysql  Ver 15.1 Distrib 10.3.35-MariaDB, for Linux (x86_64) using  EditLine wrapper
#写脚本
[root@srv-tz ~]# vim /etc/profile.d/rh-mariadb103.sh
#!/bin/bash
source /opt/rh/rh-mariadb103/enable
export X_SCLS="`scl enable rh-mariadb103 'echo $X_SCLS'`"
#启动运行
[root@srv-tz my.cnf.d]# systemctl enable --now rh-mariadb103-mariadb
#开始部署安装
[root@srv-tz my.cnf.d]# mysql_secure_installation
开始需要设置一个密码
按照提示进行确认即可最后会提示安装成功
All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

安装 Zabbix Server

[root@srv-tz ~]# yum install https://repo.zabbix.com/zabbix/5.0/rhel/7/x86_64/zabbix-release-5.0-1.el7.noarch.rpm -y
[root@srv-tz ~]# yum-config-manager --enable zabbix-frontend
[root@srv-tz ~]# yum --enablerepo=centos-sclo-rh install zabbix-server-mysql zabbix-web-mysql-scl zabbix-apache-conf-scl zabbix-agent zabbix-get -y

配置 Zabbix Server

配置 Zabbix Server 数据库

#登录数据库
[root@srv-tz ~]# mysql -uroot -p123456
MariaDB [(none)]> create database zabbix character set utf8 collate utf8_bin;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all privileges on zabbix.* to zabbix@'localhost' identified by 'password';
Query OK, 0 rows affected (0.028 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)
[root@srv-tz ~]# cd /usr/share/doc/zabbix-server-mysql-5.0.30/
[root@srv-tz zabbix-server-mysql-5.0.30]# ls
AUTHORS  ChangeLog  COPYING  create.sql.gz  double.sql  NEWS  README
[root@srv-tz zabbix-server-mysql-5.0.30]# gunzip create.sql.gz
[root@srv-tz zabbix-server-mysql-5.0.30]# mysql -u root -p zabbix < create.sql
输入密码123456

设置SElinux

[root@srv-tz ~]# setsebool -P zabbix_can_network on
[root@srv-tz ~]# setsebool -P httpd_can_connect_zabbix on
[root@srv-tz ~]# setsebool -P domain_can_mmap_files on
[root@srv-tz ~]# setsebool -P daemons_enable_cluster_mode on
[root@srv-tz ~]# vim zabbix_server.te
module zabbix_server 1.0;

require {
 type zabbix_t;
 type zabbix_agent_t;
 type rpm_exec_t;
 type rpm_var_lib_t;
 class file { execute execute_no_trans map open };
 class capability dac_override;
}

#============= zabbix_t ==============
allow zabbix_t self:capability dac_override;

#============= zabbix_agent_t ==============
allow zabbix_agent_t rpm_var_lib_t:file open;
allow zabbix_agent_t rpm_exec_t:file { execute execute_no_trans map };
[root@srv-tz ~]# checkmodule -m -M -o zabbix_server.mod zabbix_server.te 
checkmodule:  loading policy configuration from zabbix_server.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 19) to zabbix_server.mod
[root@srv-tz ~]# semodule_package --outfile zabbix_server.pp --module zabbix_server.mod
[root@srv-tz ~]# semodule -i zabbix_server.pp

Firewall设置

[root@srv-tz ~]# firewall-cmd --add-service={http,https} --permanent
success
[root@srv-tz ~]# firewall-cmd --add-port={10050/tcp,10051/tcp} --permanent
success
[root@srv-tz ~]# firewall-cmd --reload
success

配置 Zabbix Agentd

[root@srv-tz ~]# vim /etc/zabbix/zabbix_agentd.conf
//* 更改 117 行,指定 Zabbix Server 的 IP
Server=127.0.0.1
//* 更改 158 行,指定 Zabbix Server 的 IP
ServerActive=127.0.0.1
//* 更改 169 行,指定 Zabbix Server 的 FQDN
Hostname=srv-tz
[root@srv-tz ~]# systemctl enable --now zabbix-agent

为 Zabbix Server 配置 httpd 服务

[root@srv-tz ~]# vim /etc/httpd/conf.d/zabbix.conf
//* 更改 10 行,允许指定网络访问
 #Require all granted
 Require ip 127.0.0.1 192.168.123.0/24
#定义 zabbix 的 timezone
[root@srv-tz ~]# vim /etc/opt/rh/rh-php72/php-fpm.d/zabbix.conf
//* 更改 24 行
php_value[date.timezone] = Asia/Shanghai
[root@srv-tz ~]# systemctl enable --now httpd rh-php72-php-fpm

访问web

http:ip/zabbix

进行页面安装

配置数据库 账号zabbix 密码为password

安装成功后默认账号Admin 密码zabbix

web

]]>
0 https://xiongan.host/index.php/archives/190/#comments https://xiongan.host/index.php/feed/tag/%E7%9B%91%E6%8E%A7/