第六节、K8s相关介绍以及主从节点服务安装

6.1、K8s最佳应用场景微服务架构

ccc765f55ca166dd64710d3c2caeb03.png

6.2、K8s核心组件及架构

57198394f0d28d49cd84e180bc990f4.png

18e36a27ed6253a53660f13764a0565.png

bf67180c6ac098e38597036e251b97b.png

6.3、K8s安装部署前准备工作

实验配置3台虚拟机
master 192.168.18.121 etcd/apiserver/controller manager/scheduler kubelet/kube-proxy
node1 192.168.18.122 kubelet/kube-proxy/docker
node2 192.168.18.123 kubelet/kube-proxy/docker
虚拟机优化(以下关闭SELinux、firewalld等做法只适用于隔离的实验环境)

#关闭selinux
#关闭防火墙服务firewalld
#关闭NetworkManager.service
[root@master ~]# systemctl stop NetworkManager.service 
[root@master ~]# systemctl disable NetworkManager.service 
Removed symlink /etc/systemd/system/multi-user.target.wants/NetworkManager.service.
Removed symlink /etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service.
Removed symlink /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service.
#配置阿里源
#安装一些服务
[root@master ~]# yum install bash-completion.noarch -y
[root@master ~]# yum install -y net-tools vim lrzsz wget tree screen lsof tcpdump
#关闭postfix.service服务
[root@master ~]# systemctl stop postfix.service 
[root@master ~]# systemctl disable postfix.service 
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
#配置好host解析(所有机器都需要配置)
[root@master ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.18.121  master
192.168.18.122  node1
192.168.18.123  node2
#远程推送文件(首次连接时先核对提示的主机密钥指纹,确认无误后再输入yes)
[root@master ~]# scp -rp /etc/hosts 192.168.18.122:/etc/hosts
The authenticity of host '192.168.18.122 (192.168.18.122)' can't be established.
ECDSA key fingerprint is SHA256:+BtfrhBtnaZlfOcA+jp7GC9MN32UwcX9l9qMSpa25uw.
ECDSA key fingerprint is MD5:e7:19:3d:34:57:53:e4:5b:88:0f:cb:1f:d1:81:b8:9d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.122' (ECDSA) to the list of known hosts.
root@192.168.18.122's password: 
hosts  

6.4、Master主机上服务安装

6.4.1、etcd服务安装
[root@master ~]# yum install -y etcd
#修改etcd配置文件
[root@master ~]# vim /etc/etcd/etcd.conf 
  6 ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
 21 ETCD_ADVERTISE_CLIENT_URLS="http://192.168.18.121:2379"
#检查etcd有效配置文件
[root@master ~]# grep -Ev "^$|^#"  /etc/etcd/etcd.conf 
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
ETCD_NAME="default"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.18.121:2379"
#启动etcd并设置开机自启动
[root@master ~]# systemctl start etcd.service 
[root@master ~]# systemctl enable etcd.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
#检查已启动监听端口2379以及2380
#2379对外提供客户端服务,2380用于etcd集群内部通讯;本例2379为明文HTTP且未启用认证,监听在所有网卡上,只适合隔离的实验网络
[root@master ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:2380          0.0.0.0:*               LISTEN      1864/etcd           
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      773/sshd            
tcp6       0      0 :::2379                 :::*                    LISTEN      1864/etcd           
tcp6       0      0 :::22                   :::*                    LISTEN      773/sshd            
[root@master ~]# 

测试

[root@master ~]# etcdctl set testdir/testkey0 0
0
[root@master ~]# etcdctl get testdir/testkey0 
0
[root@master ~]# etcdctl -C http://192.168.18.121:2379 cluster-health
member 8e9e05c52164694d is healthy: got healthy result from http://192.168.18.121:2379
cluster is healthy
6.4.2、安装master节点
#yum源上搜索k8s-master安装包
[root@master ~]# yum search kubernetes-master
Loaded plugins: fastestmirror
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Repository contrib is listed more than once in the configuration
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
=================================================== N/S matched: kubernetes-master ====================================================
kubernetes-master.x86_64 : Kubernetes services for master host

  Name and summary matches only, use "search all" for everything.
#安装
[root@master ~]# yum install   -y  kubernetes-master.x86_64

配置apiserver

[root@master ~]# vim /etc/kubernetes/apiserver 
8 KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"
#监听127.0.0.1只允许本机访问,监听0.0.0.0允许任意机器访问;insecure端口不做认证和授权,绑定0.0.0.0只适合隔离的实验网络
 10 # The port on the local server to listen on.
 11 KUBE_API_PORT="--port=8080"
#打开监听端口8080
 13 # Port minions listen on
 14 KUBELET_PORT="--kubelet-port=10250"
#打开minion监听端口10250
 16 # Comma separated list of nodes in the etcd cluster
 17 KUBE_ETCD_SERVERS="--etcd-servers=http://192.168.18.121:2379"
#查看apiserver配置文件
[root@master ~]# grep -Ev "^#|^$"  /etc/kubernetes/apiserver 
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"
KUBE_API_PORT="--port=8080"
KUBELET_PORT="--kubelet-port=10250"
KUBE_ETCD_SERVERS="--etcd-servers=http://192.168.18.121:2379"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
KUBE_API_ARGS=""

配置controller manager/scheduler(共用一个文件)

[root@master ~]# vim /etc/kubernetes/config 
 21 # How the controller-manager, scheduler, and proxy find the apiserver
 22 KUBE_MASTER="--master=http://192.168.18.121:8080"
[root@master ~]# grep -Ev "^#|^$"  /etc/kubernetes/config 
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=0"
KUBE_ALLOW_PRIV="--allow-privileged=false"
KUBE_MASTER="--master=http://192.168.18.121:8080"

完成配置启动服务并设置开机自启动

[root@master ~]# systemctl start kube-apiserver.service 
[root@master ~]# systemctl start kube-controller-manager.service 
[root@master ~]# systemctl start kube-scheduler.service 
[root@master ~]# systemctl enable kube-scheduler.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[root@master ~]# systemctl enable kube-controller-manager.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
[root@master ~]# systemctl enable kube-apiserver.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.

检查K8s组件健康状态

[root@master ~]# kubectl get componentstatus 
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
etcd-0               Healthy   {"health":"true"}   
controller-manager   Healthy   ok  

6.5、node节点安装

[root@node1 ~]# yum install -y kubernetes-node.x86_64
6.5.1、master节点上配置node
#/etc/kubernetes/config已配置过不需要管
#/etc/kubernetes/kubelet 
[root@master ~]# vim /etc/kubernetes/kubelet 
  4 # The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
  5 KUBELET_ADDRESS="--address=192.168.18.121"
  6 
  7 # The port for the info server to serve on
  8 KUBELET_PORT="--port=10250"
 10 # You may leave this blank to use the actual hostname
 11 KUBELET_HOSTNAME="--hostname-override=master"
 13 # location of the api-server
 14 KUBELET_API_SERVER="--api-servers=http://192.168.18.121:8080"
#查看配置
[root@master ~]# grep -Ev "^#|^$"  /etc/kubernetes/kubelet 
KUBELET_ADDRESS="--address=192.168.18.121"
KUBELET_PORT="--port=10250"
KUBELET_HOSTNAME="--hostname-override=master"
KUBELET_API_SERVER="--api-servers=http://192.168.18.121:8080"
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
KUBELET_ARGS=""
#启动服务并加入开机自启动;启动kubelet时会自动拉起docker(对比启动前后的docker状态)
[root@master ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: http://docs.docker.com
[root@master ~]# systemctl start kubelet.service 
[root@master ~]# systemctl start kube-proxy.service 
[root@master ~]# systemctl enable  kubelet.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@master ~]# systemctl enable  kube-proxy.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@master ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-09-15 00:58:28 CST; 55s ago
     Docs: http://docs.docker.com
 Main PID: 2734 (dockerd-current)
   CGroup: /system.slice/docker.service
           ├─2734 /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docke...
           └─2740 /usr/bin/docker-containerd-current -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interv...

Sep 15 00:58:28 master dockerd-current[2734]: time="2022-09-15T00:58:28.241532749+08:00" level=warning msg="Docker could not e...ystem"
Sep 15 00:58:28 master dockerd-current[2734]: time="2022-09-15T00:58:28.280003502+08:00" level=info msg="Graph migration to co...conds"
Sep 15 00:58:28 master dockerd-current[2734]: time="2022-09-15T00:58:28.280865641+08:00" level=info msg="Loading containers: start."
Sep 15 00:58:28 master dockerd-current[2734]: time="2022-09-15T00:58:28.326211940+08:00" level=info msg="Firewalld running: false"
Sep 15 00:58:28 master dockerd-current[2734]: time="2022-09-15T00:58:28.414513143+08:00" level=info msg="Default bridge (docke...dress"
Sep 15 00:58:28 master dockerd-current[2734]: time="2022-09-15T00:58:28.454367659+08:00" level=info msg="Loading containers: done."
Sep 15 00:58:28 master dockerd-current[2734]: time="2022-09-15T00:58:28.472704447+08:00" level=info msg="Daemon has completed ...ation"
Sep 15 00:58:28 master dockerd-current[2734]: time="2022-09-15T00:58:28.472734973+08:00" level=info msg="Docker daemon" commit...1.13.1
Sep 15 00:58:28 master dockerd-current[2734]: time="2022-09-15T00:58:28.483495766+08:00" level=info msg="API listen on /var/ru....sock"
Sep 15 00:58:28 master systemd[1]: Started Docker Application Container Engine.
Hint: Some lines were ellipsized, use -l to show in full.

检查master上的node节点已自动注册

[root@master ~]# kubectl get node
NAME      STATUS    AGE
master    Ready     1m

其余node节点安装

[root@node1 ~]# vim /etc/kubernetes/config 
 21 # How the controller-manager, scheduler, and proxy find the apiserver
 22 KUBE_MASTER="--master=http://192.168.18.121:8080"
[root@node1 ~]# vim /etc/kubernetes/kubelet
  4 # The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
  5 KUBELET_ADDRESS="--address=192.168.18.122"
  7 # The port for the info server to serve on
  8 KUBELET_PORT="--port=10250"
 10 # You may leave this blank to use the actual hostname
 11 KUBELET_HOSTNAME="--hostname-override=node1"
 13 # location of the api-server
 14 KUBELET_API_SERVER="--api-servers=http://192.168.18.121:8080"
[root@node2 ~]# grep -Ev "^$|^#"  /etc/kubernetes/kubelet 
KUBELET_ADDRESS="--address=192.168.18.123"
KUBELET_PORT="--port=10250"
KUBELET_HOSTNAME="--hostname-override=node2"
KUBELET_API_SERVER="--api-servers=http://192.168.18.121:8080"
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
KUBELET_ARGS=""
#更改完配置后记得开启服务并加入开机自启动

验证node节点(在master上)

[root@master ~]# kubectl get node
NAME      STATUS    AGE
master    Ready     10m
node1     Ready     2m
node2     Ready     27s
#删除无效节点的命令(node-name替换为实际的节点名)
[root@master ~]# kubectl delete   node  node-name

6.6、为所有node节点配置flannel网络

为了实现所有node节点上容器之间的通讯

6.6.1、master配置flannel
[root@master ~]# yum install -y flannel
  3 # etcd url location.  Point this to the server where etcd runs
  4 FLANNEL_ETCD_ENDPOINTS="http://192.168.18.121:2379"
  6 # etcd config key.  This is the configuration key that flannel queries
  7 # For address range assignment
  8 FLANNEL_ETCD_PREFIX="/atomic.io/network"
#到etcd中创建对应的key
[root@master ~]# grep -Ev  "^$|^#"  /etc/sysconfig/flanneld 
FLANNEL_ETCD_ENDPOINTS="http://192.168.18.121:2379"
FLANNEL_ETCD_PREFIX="/atomic.io/network"
 
[root@master ~]# etcdctl set /atomic.io/network/config  '{ "Network":"172.16.0.0/16" }'

重启flannel服务以及docker服务

[root@master ~]# systemctl restart docker
[root@master ~]# systemctl start flanneld.service 
[root@master ~]# systemctl enable flanneld.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
Created symlink from /etc/systemd/system/docker.service.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
#新增的flannel网卡用于容器间的通讯
[root@master ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.16.49.1  netmask 255.255.255.0  broadcast 0.0.0.0
        ether 02:42:b3:03:1a:7b  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
flannel0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1472
        inet 172.16.49.0  netmask 255.255.0.0  destination 172.16.49.0
        inet6 fe80::75dd:f199:d48d:e8c  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@master ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f8:64:fc brd ff:ff:ff:ff:ff:ff
    inet 192.168.18.121/24 brd 192.168.18.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fef8:64fc/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:b3:03:1a:7b brd ff:ff:ff:ff:ff:ff
    inet 172.16.49.1/24 scope global docker0
       valid_lft forever preferred_lft forever
4: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 172.16.49.0/16 scope global flannel0
       valid_lft forever preferred_lft forever
    inet6 fe80::75dd:f199:d48d:e8c/64 scope link flags 800 
       valid_lft forever preferred_lft forever
6.6.2、node配置flannel

如果不修改配置指定etcd的IP,flanneld会一直尝试连接默认的127.0.0.1:2379,卡住无法启动

[root@node1 ~]# tail -f /var/log/messages
Sep 15 11:26:09 node1 flanneld-start: E0915 11:26:09.441937    1447 network.go:102] failed to retrieve network config: client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 127.0.0.1:2379: getsockopt: connection refused
Sep 15 11:26:10 node1 flanneld-start: E0915 11:26:10.443056    1447 network.go:102] failed to retrieve network config: client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 127.0.0.1:2379: getsockopt: connection refused
Sep 15 11:26:11 node1 flanneld-start: E0915 11:26:11.443681    1447 network.go:102] failed to retrieve network config: client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 127.0.0.1:2379: getsockopt: connection refused
Sep 15 11:26:12 node1 flanneld-start: E0915 11:26:12.444417    1447 network.go:102] failed to retrieve network config: client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 127.0.0.1:2379: getsockopt: connection refused

改配置文件并重启服务

[root@node1 ~]# vi /etc/sysconfig/flanneld 
[root@node2 ~]# grep -Ev "^#|^$"  /etc/sysconfig/flanneld 
FLANNEL_ETCD_ENDPOINTS="http://192.168.18.121:2379"
FLANNEL_ETCD_PREFIX="/atomic.io/network"
[root@node1 ~]# systemctl start flanneld
[root@node1 ~]# systemctl enable flanneld
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
Created symlink from /etc/systemd/system/docker.service.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
[root@node1 ~]# systemctl restart docker

测试不同主机之间容器通讯

#下载busybox镜像 
[root@master ~]# docker pull busybox
#导入压缩tar包模式
[root@master ~]# docker  load  -i  docker_busybox.tar.gz 
#在各宿主机上启动容器,查看各自的IP
#master上容器
[root@master ~]# docker run -it busybox
/ # ip add
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1472 qdisc noqueue 
    link/ether 02:42:ac:10:31:02 brd ff:ff:ff:ff:ff:ff
    inet 172.16.49.2/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe10:3102/64 scope link 
       valid_lft forever preferred_lft forever
#node1上容器
[root@node1 ~]# docker run -it busybox
/ # ip add
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1472 qdisc noqueue 
    link/ether 02:42:ac:10:5f:02 brd ff:ff:ff:ff:ff:ff
    inet 172.16.95.2/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe10:5f02/64 scope link 
       valid_lft forever preferred_lft forever
#node2上容器
[root@node2 ~]# docker run -it busybox
/ # ip add
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1472 qdisc noqueue 
    link/ether 02:42:ac:10:13:02 brd ff:ff:ff:ff:ff:ff
    inet 172.16.19.2/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe10:1302/64 scope link 
       valid_lft forever preferred_lft forever
##############################
#在master上的容器ping其余node节点上容器的IP
/ # ping 172.16.95.2
PING 172.16.95.2 (172.16.95.2): 56 data bytes
64 bytes from 172.16.95.2: seq=0 ttl=60 time=2.165 ms
64 bytes from 172.16.95.2: seq=1 ttl=60 time=0.607 ms
^C
--- 172.16.95.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.607/1.386/2.165 ms
/ # ping 172.16.19.2
PING 172.16.19.2 (172.16.19.2): 56 data bytes
64 bytes from 172.16.19.2: seq=0 ttl=60 time=1.187 ms
64 bytes from 172.16.19.2: seq=1 ttl=60 time=1.475 ms
64 bytes from 172.16.19.2: seq=2 ttl=60 time=1.321 ms
^C
--- 172.16.19.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.187/1.327/1.475 ms

如果容器无法通讯检查防火墙规则

[root@master ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
KUBE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0           
#这里(下面FORWARD链的默认策略)必须是ACCEPT
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
KUBE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0           
KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

Chain KUBE-SERVICES (1 references)
target     prot opt source               destination  
#修正命令
[root@master ~]# iptables -P  FORWARD ACCEPT
#将该防火墙配置加入docker启动文件(直接修改/usr/lib/systemd/system下的unit文件会在软件包升级时被覆盖,也可以用systemctl edit docker创建drop-in来添加)
[root@master ~]# vim /usr/lib/systemd/system/docker.service
 18 ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT
#重载docker配置后重启docker服务
[root@master ~]# systemctl daemon-reload
systemctl daemon-reload
[root@master ~]# systemctl restart docker.service 