Ansible管理平台AWX的部署
|Word Count:2.4k|Reading Time:12mins|Post Views:
概念
K3s
K3s 是一个轻量级的 Kubernetes 发行版,非常简单易用而且轻量。只需要一个简单的安装脚本即可把 K3s 安装到主机。
AWX
AWX是由Redhat运营的Ansible自动化运营平台Ansible Tower的上游项目,是将Ansible的管理和维护通过可视化的WEB GUI来进行展现。借用Ansible Tower的一张图来表示其具体架构:
相关的内容可见以下链接:
- Ansible
- AWX
由于Ansible AWX平台自v18之后,不在支持单机或者docker部署,要求必须部署到Kubernetes中,为了简化部署环境和步骤,现采用单节点的K3s来作为基础环境部署AWX。
部署
环境准备
# 本次部署基于RockyLinux 9.2 # 主机配置为2core CPU/4GB MEM/40GB Disk # 需要提前部署Dokcer和Kubectl
# 设置防火墙 firewall-cmd --set-default-zone=trusted firewall-cmd --reload
# 关闭selinux sed -i 's/enforceing/disabled' /etc/selinux/config
# 关闭SWAP swapoff -a ; sed -i '/swap/d' /etc/fstab
# 修改内核加载模块 cat > /etc/modules-load.d/containerd.conf <<EOF overlay br_netfilter EOF
cat >> /etc/sysctl.conf <<EOF net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 net.ipv4.ip_forward = 1 EOF
# 卸载Podman dnf remove -y podman* dnf install -y yum-utils device-mapper-persistent-data lvm2 dnf install -y ipvsadm bridge-utils jq dnf install -y bash-completion
# 添加软件源信息 dnf config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
# 更新并安装Docker-CE dnf makecache dnf install -y containerd.io python3-dnf-plugin-versionlock dnf versionlock add containerd.io
# 创建服务启动配置文件 containerd config default > /etc/containerd/config.toml
# 添加加速器地址 # 将OOM限制由0改为-999,即遇到OOM情况时杀死容器而不是进程 # pause镜像地址使用lank8s.cn做代理 sed -e 's|oom_score = 0|oom_score = -999|g' -e 's|registry.k8s.io|lank8s.cn|g' -e 's|config_path = ""|config_path = "/etc/containerd/certs.d"|g' -i.bak /etc/containerd/config.toml
# 创建加速器配置文件 mkdir -pv /etc/containerd/certs.d/docker.io/ cat >> /etc/containerd/certs.d/docker.io/hosts.toml <<EOF [host."https://37y8py0j.mirror.aliyuncs.com"] EOF
mkdir -pv /etc/containerd/certs.d/registry.k8s.io/ cat >> /etc/containerd/certs.d/registry.k8s.io/hosts.toml <<EOF [host."https://lank8s.cn"] EOF
# 下载管理工具NerdCtl wget https://github.com/containerd/nerdctl/releases/download/v1.6.2/nerdctl-1.6.2-linux-amd64.tar.gz tar zxvf -C nerdctl-1.6.2-linux-amd64.tar.gz /usr/local/bin/ chmod +x /usr/local/bin/nerdctl
# 配置NerdCtl自动补全 echo "source <(nerdctl completion bash)" >> ~/.bashrc
# 重新加载并配置开机启动 systemctl daemon-reload systemctl enable --now containerd
# 加载github的Hosts地址 # sh -c 'sed -i "/# GitHub520 Host Start/Q" /etc/hosts && curl https://raw.hellogithub.com/hosts >> /etc/hosts'
# 重启 sync ldconfig reboot
|
部署K3s
# 使用官方社区提供的国内源进行部署 # 首先,安装 K3s 使用的是存储在阿里云对象存储上的 K3s 安装脚本,并且使用存储在国内 channel 去解析对应的 K3s 版本。 # 其次,通过 INSTALL_K3S_MIRROR=cn 环境变量来指定 K3s 的二进制文件从国内的阿里云对象存储上去拉取。 # 最后,通过 --system-default-registry 参数来指定 K3s 的系统镜像从国内的阿里云镜像仓库(registry.cn-hangzhou.aliyuncs.com) 去拉取 curl –sfL \ https://rancher-mirror.oss-cn-beijing.aliyuncs.com/k3s/k3s-install.sh | \ INSTALL_K3S_MIRROR=cn sh -s - \ --system-default-registry "registry.cn-hangzhou.aliyuncs.com" # 检查节点 [root@Ansbile ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION ansbile Ready control-plane,master 13m v1.27.6+k3s1 # 检查性能属性 [root@Ansbile ~]# kubectl top nodes NAME CPU(cores) CPU% MEMORY(bytes) MEMORY% ansbile 74m 3% 1475Mi 76%
# 检查版本信息 [root@Ansbile ~]# kubectl version --short Client Version: v1.27.6+k3s1 Kustomize Version: v5.0.1 Server Version: v1.27.6+k3s1
# 配置K3S用的镜像代理 cat >> /etc/rancher/k3s/registries.yaml <<EOF mirrors: docker.io: endpoint: - "https://docker.mirrors.ustc.edu.cn" EOF
cat >> /etc/rancher/k3s/registries.yaml <<EOF mirrors: gcr.io: endpoint: - "https://gcr.lank8s.cn" EOF
cat >> /etc/rancher/k3s/registries.yaml <<EOF mirrors: registry.k8s.io: endpoint: - "https://registry.lank8s.cn" EOF
systemctl restart k3s
# 部署helm curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 chmod 700 get_helm.sh sh get_helm.sh helm version
# 添加helm源 helm repo add stable https://charts.helm.sh/stable helm repo update
# 配置helm的自动补全 helm completion bash > ~/.helmrc echo "source ~/.helmrc" >> ~/.bashrc
# 配置kubectl的自动补全 echo "source <(kubectl completion bash)" >> ~/.bashrc
# 安装kubens,用于切换命名空间 curl -L https://github.com/ahmetb/kubectx/releases/download/v0.9.1/kubens -o /usr/local/bin/kubens chmod +x /usr/local/bin/kubens
# 执行环境变量 source ~/.bashrc
# 指定kubeconfig配置文件 kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces helm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces
|
测试用例
[root@Ansbile ~]# kubectl create deploy whoami --image=traefik/whoami --replicas=2 deployment.apps/whoami created # 测试LoadBalancer [root@Ansbile ~]# kubectl expose deploy whoami --type=LoadBalancer --port=80 --external-ip 192.168.10.102 service/whoami exposed [root@Ansbile ~]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 162m whoami LoadBalancer 10.43.193.248 192.168.10.102 80:30573/TCP 31m [root@Ansbile ~]# curl 192.168.10.102 Hostname: whoami-6f57d5d6b5-7qmp5 IP: 127.0.0.1 IP: ::1 IP: 10.42.0.38 IP: fe80::209c:10ff:fe71:6db8 RemoteAddr: 10.42.0.1:44357 GET / HTTP/1.1 Host: 192.168.10.102 User-Agent: curl/7.76.1 Accept: */*
# 测试NodePort [root@Ansbile ~]# kubectl delete svc whoami service "whoami" deleted [root@Ansbile ~]# kubectl expose deploy whoami --type=NodePort --port=80 service/whoami exposed [root@Ansbile ~]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 178m whoami NodePort 10.43.75.150 <none> 80:30047/TCP 6s [root@Ansbile ~]# curl 192.168.10.5:30047 Hostname: whoami-6f57d5d6b5-7qmp5 IP: 127.0.0.1 IP: ::1 IP: 10.42.0.38 IP: fe80::209c:10ff:fe71:6db8 RemoteAddr: 10.42.0.1:39611 GET / HTTP/1.1 Host: 192.168.10.5:30047 User-Agent: curl/7.76.1 Accept: */*
[root@Ansbile ~]# curl 192.168.10.5:30047 Hostname: whoami-6f57d5d6b5-pzgg8 IP: 127.0.0.1 IP: ::1 IP: 10.42.0.39 IP: fe80::dccd:bff:fe91:b7b7 RemoteAddr: 10.42.0.1:37584 GET / HTTP/1.1 Host: 192.168.10.5:30047 User-Agent: curl/7.76.1 Accept: */*
|
AWX安装
部署
# 添加awx的helm库 [root@Ansible ~]# helm repo add awx-operator https://ansible.github.io/awx-operator/ "awx-operator" has been added to your repositories # 刷新库 [root@Ansible ~]# helm repo update Hang tight while we grab the latest from your chart repositories... ...Successfully got an update from the "awx-operator" chart repository ...Successfully got an update from the "stable" chart repository Update Complete. ⎈Happy Helming!⎈
# 检索awx-operator [root@Ansible ~]# helm search repo awx-operator NAME CHART VERSION APP VERSION DESCRIPTION awx-operator/awx-operator 2.7.0 2.7.0 A Helm chart for the AWX Operator
# 下载awx-operator的Chart [root@Ansible ~]# helm pull awx-operator/awx-operator --version=2.7.0 [root@Ansible ~]# tar zxf awx-operator-2.7.0.tgz [root@Ansible ~]# tree awx-operator awx-operator ├── Chart.yaml ├── crds │ ├── customresourcedefinition-awxbackups.awx.ansible.com.yaml │ ├── customresourcedefinition-awxrestores.awx.ansible.com.yaml │ └── customresourcedefinition-awxs.awx.ansible.com.yaml ├── README.md ├── templates │ ├── awx-deploy.yaml │ ├── clusterrole-awx-operator-metrics-reader.yaml │ ├── clusterrole-awx-operator-proxy-role.yaml │ ├── clusterrolebinding-awx-operator-proxy-rolebinding.yaml │ ├── configmap-awx-operator-awx-manager-config.yaml │ ├── deployment-awx-operator-controller-manager.yaml │ ├── _helpers.tpl │ ├── NOTES.txt │ ├── postgres-config.yaml │ ├── role-awx-operator-awx-manager-role.yaml │ ├── role-awx-operator-leader-election-role.yaml │ ├── rolebinding-awx-operator-awx-manager-rolebinding.yaml │ ├── rolebinding-awx-operator-leader-election-rolebinding.yaml │ ├── serviceaccount-awx-operator-controller-manager.yaml │ └── service-awx-operator-controller-manager-metrics-service.yaml └── values.yaml
2 directories, 21 files # 获取部署容器镜像,需要修改下述yaml文件的image属性,添加 imagePullPolicy: IfNotPresent [root@Ansible awx-operator]# grep image: templates/deployment-awx-operator-controller-manager.yaml templates/deployment-awx-operator-controller-manager.yaml: image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 templates/deployment-awx-operator-controller-manager.yaml: image: quay.io/ansible/awx-operator:2.7.0
# 拉取镜像,需要使用代理镜像,或者在外网vps上下载再回传 $ docker pull quay.io/ansible/awx-operator:2.7.0 $ docker pull gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 $ docker save gcr.io/kubebuilder/kube-rbac-proxy quay.io/ansible/awx-operator > awx-operator.tar
[root@Ansible ~]# docker load -i awx-operator.tar # 从本地安装 [root@Ansible ~]# export KUBECONFIG=/etc/rancher/k3s/k3s.yaml [root@Ansible awx-operator]# helm install -n awx --create-namespace my-awx-operator . NAME: my-awx-operator LAST DEPLOYED: Fri Oct 13 19:10:19 2023 NAMESPACE: awx STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: AWX Operator installed with Helm Chart version 2.7.0
# 部署要求必须要有双核CPU,导致pending [root@Ansible awx-operator]# kubectl get pods --namespace awx NAME READY STATUS RESTARTS AGE awx-operator-controller-manager-5644f9898c-x7xqh 0/2 Pending 0 40s
# 删除helm部署,增配之后再来 [root@Ansible awx-operator]# helm uninstall my-awx-operator --namespace awx release "my-awx-operator" uninstalled
# 切换awx命名空间 [root@Ansbile ~]# kubens awx Context "default" modified. Active namespace is "awx". # 再次部署,并检查运行结果 [root@Ansible awx-operator]# helm install --create-namespace my-awx-operator . [root@ansible awx-operator]# kubectl get pods NAME READY STATUS awx-operator-controller-manager-5644f9898c-dfd82 2/2 Running
[root@ansible awx-operator]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) awx-operator-controller-manager-metrics-service ClusterIP 10.96.80.75 <none> 8443/TCP
# 创建动态卷供应(可选) #[root@Kind AWX] #apiVersion: storage.k8s.io/v1 #kind: StorageClass #metadata: # name: local-path # namespace: awx #provisioner: rancher.io/local-path #volumeBindingMode: WaitForFirstConsumer #[root@Ansbile AWX]
# 创建pvc [root@Kind AWX]# cat pvc.yaml apiVersion: v1 kind: PersistentVolumeClaim metadata: name: static-data-pvc namespace: awx spec: storageClassName: local-path accessModes: - ReadWriteOnce resources: requests: storage: 5Gi [root@Ansbile AWX]# kubectl create -f pvc.yaml
# 创建AWX站点部署文件 [root@Ansbile AWX]# cat ansible-awx.yaml --- apiVersion: awx.ansible.com/v1beta1 kind: AWX metadata: name: ansible-awx namespace: awx spec: service_type: nodeport projects_persistence: true projects_storage_access_mode: ReadWriteOnce web_extra_volume_mounts: | - name: static-data mountPath: /var/lib/projects extra_volumes: | - name: static-data persistentVolumeClaim: claimName: static-data-pvc [root@Ansbile AWX]# kubectl create -f ansible-awx.yaml # 部署完成,pod运行正常 [root@Ansbile AWX]# kubectl get pods -l "app.kubernetes.io/managed-by=awx-operator" NAME READY STATUS RESTARTS AGE ansible-awx-postgres-13-0 1/1 Running 0 6m55s ansible-awx-task-684dbfd67c-vz62h 4/4 Running 0 4m42s ansible-awx-web-6c64879999-vkbz6 3/3 Running 0 2m35s # 部署期间自动创建pvc和pv [root@Ansbile AWX]# kubectl get pvc NAME STATUS VOLUME postgres-13-ansible-awx-postgres-13-0 Bound pvc-bb2a8f4b-612d-4b32-9715-3a3e4c53a08a static-data-pvc Bound pvc-1f430871-97ff-4828-a748-cad713268497 ansible-awx-projects-claim Bound pvc-a012ecc9-8e6d-4377-aee9-1803035a8210 # 查看部署完成的service [root@Ansbile AWX]# kubectl get svc -l "app.kubernetes.io/managed-by=awx-operator" NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ansible-awx-postgres-13 ClusterIP None <none> 5432/TCP 10m ansible-awx-service NodePort 10.43.114.158 <none> 80:30769/TCP 7m58s
# 获取默认admin用户的密码 [root@Ansbile ~]# kubectl get secret ansible-awx-admin-password -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}' password: 7ryIBAw5RBUzhw0K2BvHctuncIcID8dM
|
访问
- 登陆portal页面
- 查看Dashboard
- 遗留项
- 使用域名访问;
- 加载SSL证书
参考
- kind:Kubernetes in Docker,单机运行 Kubernetes 群集的最佳方案
- 如何在 Kubernetes 集群上安装 Ansible AWX
- 使用 Kind 在离线环境创建 K8S 集群
- AWX-operator官方文档