EIC code displayed by LXR master/​iDDS/​main/​tools/​k8s/​install_k8s.sh	Source navigation Diff markup Identifier search General search
	Version: master test Revert   Change

File indexing completed on 2026-04-09 07:58:23

 #!/bin/bash
 
 mkdir /opt/k8s
 cd /opt/k8s
 
 curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
 
 # install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
 install -o root -g root -m 0755 kubectl /usr/bin/kubectl
 kubectl version --client
 
 # kubectl config ~/.kube/config
 
 # iptables bridged traffic
 cat /sys/class/dmi/id/product_uuid
 lsmod | grep br_netfilter
 
 cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
 br_netfilter
 EOF
 
 cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
 net.bridge.bridge-nf-call-ip6tables = 1
 net.bridge.bridge-nf-call-iptables = 1
 EOF
 
 sysctl --system
 
 #yum install telnet
 
 # install docker-ce
 yum remove docker \
                   docker-client \
                   docker-client-latest \
                   docker-common \
                   docker-latest \
                   docker-latest-logrotate \
                   docker-logrotate \
                   docker-engine
 yum-config-manager \
     --add-repo \
     https://download.docker.com/linux/centos/docker-ce.repo
 yum-config-manager --disable docker-ce-nightly
 
 yum-config-manager --setopt "docker-ce-stable.priority=1" --enable docker-ce-stable
 yum install docker-ce docker-ce-cli containerd.io
 
 systemctl start docker
 
 docker run hello-world
 
 # docker post installation
 groupadd docker
 usermod -aG docker $USER
 usermod -aG docker wguan
 
 #logout and login to activate the new group docker for account
 newgrp docker 
 
 # change cgroup to from cgroupfs to systemd
 vi /usr/lib/systemd/system/docker.service
 change
 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
 to
 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --exec-opt native.cgroupdriver=systemd
 
 systemctl daemon-reload
 systemctl restart docker
 docker info
 
 # start docker on boot
 # systemctl enable docker.service
 # systemctl enable containerd.service
 
 # install kubernetes
 cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
 [kubernetes]
 name=Kubernetes
 baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
 enabled=1
 gpgcheck=1
 repo_gpgcheck=1
 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 exclude=kubelet kubeadm kubectl
 EOF
 
 cat <<EOF | sudo tee /etc/yum-puppet.repos.d/kubernetes.repo
 [kubernetes]
 name=Kubernetes
 baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
 enabled=1
 gpgcheck=1
 repo_gpgcheck=1
 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 exclude=kubelet kubeadm kubectl
 EOF
 
 sudo setenforce 0
 sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
 
 sudo yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
 systemctl enable --now kubelet
 
 # to clean previous installation
 # kubeadm reset
 [root@aipanda162 k8s]# kubeadm init
     [init] Using Kubernetes version: v1.23.5
     [preflight] Running pre-flight checks
         [WARNING Service-Docker]: docker service is not enabled, please run 'systemctl enable docker.service'
     [preflight] Pulling images required for setting up a Kubernetes cluster
     [preflight] This might take a minute or two, depending on the speed of your internet connection
     [preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
     [certs] Using certificateDir folder "/etc/kubernetes/pki"
     [certs] Generating "ca" certificate and key
     [certs] Generating "apiserver" certificate and key
     [certs] apiserver serving cert is signed for DNS names [aipanda162.cern.ch kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 188.184.109.78]
     [certs] Generating "apiserver-kubelet-client" certificate and key
     [certs] Generating "front-proxy-ca" certificate and key
     [certs] Generating "front-proxy-client" certificate and key
     [certs] Generating "etcd/ca" certificate and key
     [certs] Generating "etcd/server" certificate and key
     [certs] etcd/server serving cert is signed for DNS names [aipanda162.cern.ch localhost] and IPs [188.184.109.78 127.0.0.1 ::1]
     [certs] Generating "etcd/peer" certificate and key
     [certs] etcd/peer serving cert is signed for DNS names [aipanda162.cern.ch localhost] and IPs [188.184.109.78 127.0.0.1 ::1]
     [certs] Generating "etcd/healthcheck-client" certificate and key
     [certs] Generating "apiserver-etcd-client" certificate and key
     [certs] Generating "sa" key and public key
     [kubeconfig] Using kubeconfig folder "/etc/kubernetes"
     [kubeconfig] Writing "admin.conf" kubeconfig file
     [kubeconfig] Writing "kubelet.conf" kubeconfig file
     [kubeconfig] Writing "controller-manager.conf" kubeconfig file
     [kubeconfig] Writing "scheduler.conf" kubeconfig file
     [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
     [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
     [kubelet-start] Starting the kubelet
     [control-plane] Using manifest folder "/etc/kubernetes/manifests"
     [control-plane] Creating static Pod manifest for "kube-apiserver"
     [control-plane] Creating static Pod manifest for "kube-controller-manager"
     [control-plane] Creating static Pod manifest for "kube-scheduler"
     [etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
     [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
     [apiclient] All control plane components are healthy after 8.004179 seconds
     [upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
     [kubelet] Creating a ConfigMap "kubelet-config-1.23" in namespace kube-system with the configuration for the kubelets in the cluster
     NOTE: The "kubelet-config-1.23" naming of the kubelet ConfigMap is deprecated. Once the UnversionedKubeletConfigMap feature gate graduates to Beta the default name will become just "kubelet-config". Kubeadm upgrade will handle this transition transparently.
     [upload-certs] Skipping phase. Please see --upload-certs
     [mark-control-plane] Marking the node aipanda162.cern.ch as control-plane by adding the labels: [node-role.kubernetes.io/master(deprecated) node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
     [mark-control-plane] Marking the node aipanda162.cern.ch as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
     [bootstrap-token] Using token: 8yyxeo.hfw5ovunckalxvp7
     [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
     [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes
     [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
     [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
     [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
     [bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
     [kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
     [addons] Applied essential addon: CoreDNS
     [addons] Applied essential addon: kube-proxy
 
     Your Kubernetes control-plane has initialized successfully!
 
     To start using your cluster, you need to run the following as a regular user:
 
       mkdir -p $HOME/.kube
       sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
       sudo chown $(id -u):$(id -g) $HOME/.kube/config
 
     Alternatively, if you are the root user, you can run:
 
       export KUBECONFIG=/etc/kubernetes/admin.conf
 
     You should now deploy a pod network to the cluster.
     Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
       https://kubernetes.io/docs/concepts/cluster-administration/addons/
 
     Then you can join any number of worker nodes by running the following on each as root:
 
     kubeadm join 188.184.109.78:6443 --token 8yyxeo.hfw5ovunckalxvp7 \
         --discovery-token-ca-cert-hash sha256:fa6675768a87db2ab0736d09b7bdcaaa9d1147dff13d67a4b3f62939dd46a486 
 
 
 # create pod network
 export KUBECONFIG=/etc/kubernetes/admin.conf
 kubectl create -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml
 
 # on other nodes, join the master
 kubeadm join 188.184.109.78:6443 --token 8yyxeo.hfw5ovunckalxvp7 \
         --discovery-token-ca-cert-hash sha256:fa6675768a87db2ab0736d09b7bdcaaa9d1147dff13d67a4b3f62939dd46a486
     [preflight] Running pre-flight checks
         [WARNING Service-Docker]: docker service is not enabled, please run 'systemctl enable docker.service'
     [preflight] Reading configuration from the cluster...
     [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
     [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
     [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
     [kubelet-start] Starting the kubelet
     [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
 
     This node has joined the cluster:
     * Certificate signing request was sent to apiserver and a response was received.
     * The Kubelet was informed of the new secure connection details.
 
     Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
 
 
 #on aipanda162, accept all connection from aipanda161
 iptables -I INPUT -p tcp -s 188.184.109.78 -j ACCEPT
 iptables -I OUTPUT -p tcp -d  188.184.109.78 -j ACCEPT
 #on aipanda161, accept all connections from aipanda162
 iptables -I INPUT -p tcp -s 188.184.28.249 -j ACCEPT
 iptables -I OUTPUT -p tcp -d 188.184.28.249 -j ACCEPT
 

This page was automatically generated by the 2.3.7 LXR engine. The LXR team