目录
[2.K8S 1.29版本 部署Jenkins 服务](#2.K8S 1.29版本 部署Jenkins 服务)
一、实验
1.环境
(1)主机
表1 主机
|--------|--------------|--------|----------------|------------|
| 主机 | 架构 | 版本 | IP | 备注 |
| master | K8S master节点 | 1.29.0 | 192.168.204.8 | |
| node1 | K8S node节点 | 1.29.0 | 192.168.204.9 | |
| node2 | K8S node节点 | 1.29.0 | 192.168.204.10 | 已部署Kuboard |
(2)master节点查看集群
bash
1)查看node
kubectl get node
2)查看node详细信息
kubectl get node -o wide
(3)查看pod
bash
[root@master ~]# kubectl get pod -A
(4) 访问Kuboard
bash
http://192.168.204.10:30080/kuboard/cluster
查看节点
2.K8S 1.29版本 部署Jenkins 服务
(1)master节点创建命名空间
bash
[root@master jenkins]# kubectl create ns jenkins
(2)Kuboard查看名称空间
已新增jenkins
bash
http://192.168.204.10:30080/kubernetes/K8S-1.29/cluster/namespace
(3)创建serviceAccount服务账户
用来定义运行在Pod中的进程(容器)对Kubernetes API的访问权限的身份。
bash
[root@master jenkins]# vim serviceAccount.yaml
bash
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: jenkins-admin
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: jenkins-admin
namespace: jenkins
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: jenkins-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: jenkins-admin
subjects:
- kind: ServiceAccount
name: jenkins-admin
namespace: jenkins
(4)生成资源
bash
[root@master jenkins]# kubectl apply -f serviceAccount.yaml
(5)创建持久化清单
分配一个名为jenkins-pv-volume的pv容量为5G,在这个pv中分名为jenkins-pv-claim的pvc限制3G,挂载目录为/hone/jenkins,挂载节点为node2
bash
[root@master jenkins]# vim volume.yaml
bash
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: local-storage
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: jenkins-pv-volume
labels:
type: local
spec:
storageClassName: local-storage
claimRef:
name: jenkins-pv-claim
namespace: jenkins
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
local:
path: /home/jenkins
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- node2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jenkins-pv-claim
namespace: jenkins
spec:
storageClassName: local-storage
accessModes:
- ReadWriteMany
resources:
requests:
storage: 3Gi 
(6) node2节点创建挂载的目录
bash
[root@node2 ~]# mkdir /home/jenkins
[root@node2 ~]# chmod 777 jenkins/
(7)生成pv资源
bash
[root@master jenkins]# kubectl apply -f volume.yaml
查看
bash
[root@master jenkins]# kubectl get pv -n jenkins
(8)docker hub 查看jenkins镜像
bash
https://hub.docker.com/r/jenkins/jenkins/tags
(9)node节点提前拉取镜像
node2节点
bash
[root@node2 ~]# docker pull jenkins/jenkins:2.414.1
(10)创建deployment配置文件
bash
[root@master jenkins]# vim deployment.yaml 
挂载pv的节点为node2,image镜像版本为2.440.3-lts-jdk17
bash
apiVersion: apps/v1
kind: Deployment
metadata:
name: jenkins
namespace: jenkins
spec:
replicas: 1
selector:
matchLabels:
app: jenkins
template:
metadata:
labels:
app: jenkins
spec:
nodeSelector:
kubernetes.io/hostname: node2
securityContext:
fsGroup: 1000
runAsUser: 1000
serviceAccountName: jenkins-admin
containers:
- name: jenkins
image: jenkins/jenkins:2.440.3-lts-jdk17
resources:
limits:
memory: "2Gi"
cpu: "1000m"
requests:
memory: "500Mi"
cpu: "500m"
ports:
- name: httpport
containerPort: 8080
- name: jnlpport
containerPort: 50000
livenessProbe:
httpGet:
path: "/login"
port: 8080
initialDelaySeconds: 90
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
readinessProbe:
httpGet:
path: "/login"
port: 8080
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
volumeMounts:
- name: jenkins-data
mountPath: /var/jenkins_home
volumes:
- name: jenkins-data
persistentVolumeClaim:
claimName: jenkins-pv-claim
(11) 创建资源
bash
[root@master jenkins]# kubectl apply -f deployment.yaml
查看pod
bash
[root@master jenkins]# kubectl get pods -n jenkins -o wide -w
(12)创建service
bash
[root@master jenkins]# vim service.yaml
Kubernetes的监控注解配置(配置Prometheus来抓取指标的注解设置):
bash
annotations:这是Kubernetes资源的注解字段,用于附加非标准的元数据。
prometheus.io/scrape:这是一个特殊的注解键,表示是否应该抓取这个服务的指标。
true:这是prometheus.io/scrape注解的值,表示应该抓取这个服务的指标。
prometheus.io/port注解指定了Prometheus用来抓取指标的端口。具体配置:
bash
apiVersion: v1
kind: Service
metadata:
name: jenkins
namespace: jenkins
annotations:
prometheus.io/scrape: 'true'
prometheus.io/path: /
prometheus.io/port: '8080'
spec:
selector:
app: jenkins
type: NodePort
ports:
- port: 8080
targetPort: 8080
nodePort: 32000
(13)生成service资源并查看
bash
[root@master jenkins]# kubectl apply -f service.yaml
查看svc
bash
[root@master jenkins]# kubectl get svc -n jenkins
(14)Kuboard查看
工作负载
容器组
(15)访问
bash
http://192.168.204.10:32000
(16)获取密码
bash
[root@master jenkins]# kubectl logs -f jenkins-69758d74c9-6tc8s -n jenkins
密码在这一段:
bash
Jenkins initial setup is required. An admin user has been created and a password generated.
Please use the following password to proceed to installation:
df904552c24d46999f2bfb44b0aa916e(17)输入密码
可以跳过插件安装
可以点击右上角X 跳过安装
开始使用
(18)进入系统
3.jenkins安装Kubernetes插件
(1)点击系统右下角
Website可以跳转中文官网
bash
https://www.jenkins.io/zh/(2)管理界面
bash
https://192.168.204.10:32000/manage
插件管理
bash
https://192.168.204.10:32000/manage/pluginManager/advanced
设置国内源
bash
https://mirrors.tuna.tsinghua.edu.cn/jenkins/updates/update-center.json
System也可以设置 Resource Root URL
(3)修改密码与时区
(4)重新登录
(5)master节点上重启jenkins
bash
[root@master jenkins]# kubectl delete pods jenkins-69758d74c9-6tc8s -n jenkins
(6)查看pod
bash
[root@master jenkins]# kubectl get pod -n jenkins
(7)node2节点查看
bash
[root@node2 var]# cd /home/jenkins/
[root@node2 jenkins]# ls
(8)容器进入查看
内容与node2的/home/jenkins/ 一致
bash
[root@master jenkins]# kubectl exec -it jenkins-69758d74c9-hxb89 -n jenkins /bin/bash
(9)离线安装包
bash
https://updates.jenkins-ci.org/download/plugins/下载中文包
bash
https://updates.jenkins-ci.org/download/plugins/localization-zh-cn/
(10)安装中文离线包
安装:
完成:(需要重新拉活pod)
(11)安装Kubernetes插件
完成:
(12) jenkins绑定k8s集群
创建
查看 Kubernetes API server
bash
[root@master ~]# kubectl cluster-info
连接测试 (因为是基于K8S部署的jenkins,也部署了Service Account的所以不需要填key)
测试成功:
完成连接:
(13)最后再次查看Kuboard
jenkins名称空间
kube-system名称空间
(14)其他方式的jenkins部署
可以参考本人博客:
二、问题
1.创建pod失败
(1)报错
节点创建Pod会一直卡在ContainerCreating的状态无法顺利创建并且就绪,READY状态一直为0/1
(2)原因分析
①查看pod
bash
[root@master jenkins]# kubectl describe pod jenkins-69758d74c9-6tc8s -n jenkins最后显示FailedCreatePodSandBox
bash
Warning FailedCreatePodSandBox 7m18s kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "7d71985b3886817eb93f1885835a0bb869f67a4de34797266ff850f53f62af1c" network for pod "jenkins-69758d74c9-6tc8s": networkPlugin cni failed to set up pod "jenkins-69758d74c9-6tc8s_jenkins" network: plugin type="calico" failed (add): error getting ClusterInformation: connection is unauthorized: Unauthorized, failed to clean up sandbox container "7d71985b3886817eb93f1885835a0bb869f67a4de34797266ff850f53f62af1c" network for pod "jenkins-69758d74c9-6tc8s": networkPlugin cni failed to teardown pod "jenkins-69758d74c9-6tc8s_jenkins" network: plugin type="calico" failed (delete): error getting ClusterInformation: connection is unauthorized: Unauthorized]
Normal SandboxChanged 2m1s (x25 over 7m18s) kubelet Pod sandbox changed, it will be killed and re-created.
②node2节点继续查看cni的日志
bash
sudo journalctl -xe | grep cni
最后一个显示failed to "KillPodSandbox"
bash
4月 19 16:50:55 node2 kubelet[51899]: E0419 16:50:55.608296 51899 kubelet.go:2032] failed to "KillPodSandbox" for "2e3c9e42-396b-4b9b-980a-b8275991b8a8" with KillPodSandboxError: "rpc error: code = Unknown desc = networkPlugin cni failed to teardown pod \"jenkins-696cf86678-jx477_jenkins\" network: plugin type=\"calico\" failed (delete): error getting ClusterInformation: connection is unauthorized: Unauthorized"
4月 19 16:50:55 node2 kubelet[51899]: E0419 16:50:55.608390 51899 pod_workers.go:1298] "Error syncing pod, skipping" err="failed to \"KillPodSandbox\" for \"2e3c9e42-396b-4b9b-980a-b8275991b8a8\" with KillPodSandboxError: \"rpc error: code = Unknown desc = networkPlugin cni failed to teardown pod \\\"jenkins-696cf86678-jx477_jenkins\\\" network: plugin type=\\\"calico\\\" failed (delete): error getting ClusterInformation: connection is unauthorized: Unauthorized\"" pod="jenkins/jenkins-696cf86678-jx477" podUID="2e3c9e42-396b-4b9b-980a-b8275991b8a8"
4月 19 16:50:56 node2 sudo[73408]: root : TTY=pts/1 ; PWD=/etc/cni/net.d ; USER=root ; COMMAND=/bin/journalctl -xe
③CNI的配置文件默认在/etc/cni/net.d/目录,进入目录查看
bash
[root@node2 net.d]# cd /etc/cni/net.d/
[root@node2 net.d]# ls
nodename为node2,正确的
bash
[root@node2 net.d]# vim 10-calico.conflist 
④ 查看kubelet日志
bash
[root@node2 net.d]# journalctl --since="2024-04-19 16:00:00" --until="2024-04-19 17:00:00" -fu kubelet
显示Failed to stop sandbox
bash
4月 19 16:56:55 node2 kubelet[51899]: E0419 16:56:55.626079 51899 kuberuntime_manager.go:1381] "Failed to stop sandbox" podSandboxID={"Type":"docker","ID":"2958227182cb84e9c4bc0d44a662316ab58355f1cb9bb8a1923225d9b37247fc"}最后显示failed to "KillPodSandbox"
bash
4月 19 16:56:55 node2 kubelet[51899]: E0419 16:56:55.626182 51899 kubelet.go:2032] failed to "KillPodSandbox" for "18e3512f-846a-42c3-a10b-6bb0a2a33533" with KillPodSandboxError: "rpc error: code = Unknown desc = networkPlugin cni failed to teardown pod \"jenkins-69758d74c9-br846_jenkins\" network: plugin type=\"calico\" failed (delete): error getting ClusterInformation: connection is unauthorized: Unauthorized"
⑤ 查看各节点cri-docker 并重启服务
bash
systemctl status cri-docker
systemctl restart cri-docker
⑥ 综上分析
原因是node2节点的cni容器出现了异常无法为pod分配ip导致的卡在ContainerCreating的状态。
(3)解决方法
删除异常节点的calico-node容器,让它拉起重新同步数据即可修复。
① 删除 calico-node-zwfqf
②已重新拉活
查看
③ pod部署成功
2.journalctl如何查看日志信息
(1)命令
bash
1)以flow形式查看日志 实时滚动
journalctl -f
2)查看内核日志
journalctl -k
3)查看指定服务日志 实时滚动最新日志
journalctl -u kubelet
4)查看指定日期日志
journalctl --since="2024-04-19 16:00:00" -fu kubelet
journalctl --since="2024-04-19 16:00:00" --until="2024-04-19 17:00:00" -fu kubelet
# --until "1 hour ago" / --until now
journalctl --since "10 min ago" #显示最近10分钟内的日志
journalctl --since today/yesterday #显示今天/昨天以来的日志
5)查看日志占用的磁盘空间
journalctl --disk-usage
6)设置日志占用的空间
journalctl --vacuum-size=500M
7)设置日志保存的时间
journalctl --vacuum-time=1month
8)检查日志文件一致性
journalctl ---verify
9)显示最后num行的日志,如果省略num,则默认显示最后10行
journalctl -n [num]
10)设置日志输出格式
journalctl -o
#格式如下:
mode的值为(short, short-iso,short-precise, short-monotonic, verbose,export, json, json-pretty, json-sse, ca)
11)正常标准输出 日志默认分页输出,--no-pager改为正常的标准输出
journalctl --no-pager
12)获取指定进程号的日志
journalctl _PID=22856
13)查看指定用户的日志
journalctl _UID=33 --since=today
14)通过系统优先级匹配
journalctl _SYSTEMD_UNIT=cron.service PRIORITY=6
15)查看帮助文档
man journalctl
journalctl -h
2.容器内如何查询jenkins初始密码
(1)node节点上查询获取
bash
[root@master jenkins]# kubectl exec -it jenkins-69758d74c9-lb96b -n jenkins /bin/bash
jenkins@jenkins-69758d74c9-lb96b:/$ cat /var/jenkins_home/secrets/initialAdminPassword
jenkins@jenkins-69758d74c9-lb96b:/$ exit
(2)获取到运行的容器ID,然后进入容器查看初始密码
bash
[root@node2 ~]# docker ps -a
jenkins镜像id为4e586344183a
bash
[root@node2 ~]# docker ps -a | grep jenkins
查看
bash
docker ps -a --filter ancestor=4e586344183a --format "{{.ID}}"
进入容器
bash
docker exec -it 0821261b4091 bash
cat /var/jenkins_home/secrets/initialAdminPassword
3.jenkins离线安装中文包报错
(1)报错
(2)原因分析
需要先安装Localization Support。
(3)解决方法
先离线安装Localization Support:
然后安装中文包:
重新拉活jenkins
bash
[root@master jenkins]# kubectl delete pods jenkins-69758d74c9-hxb89 -n jenkins
观察pod:(68s完成重启)
成功:
4.jenkins插件报错
(1)报错
站点报错
安装Kubernetes离线包报错
(2)原因分析
因为 K8s 集群中运行的 Jenkins 的 pod 无法 ping 通外部网络域名,才导致网络报错问题。
(3)解决方法
①查看系统的 coredns pod 容器信息
bash
[root@master ~]# kubectl get pods -n kube-system -o wide |grep coredns
②Kuboard查看
③查看 dns server 的信息
bash
[root@master ~]# kubectl get svc -n kube-system -o wide
dns server 的 IP是10.96.0.10
④node节点操作无权限
bash
echo "$(sed 's/10.96.0.10/10.244.166.133/g' /etc/resolv.conf)" > /etc/resolv.conf
⑤docker进入容器操作无权限
⑥coredns 扩容
原先coredns只部署在了node1节点,现在扩容为3个
完成:node2节点部署的pod为10.244.104.10
查看pod
bash
[root@master ~]# kubectl get pods -n kube-system -o wide |grep coredns
⑦通过docker cp拷贝进行修改
将容器中的文件拷贝出来
bash
[root@node2 /]# sudo docker cp 0821261b4091:/etc/resolv.conf ~
查看配置文件
修改配置文件
将容器中的文件拷贝回去,还是无权限
bash
[root@node2 ~]# sudo docker cp resolv.conf 0821261b4091:/etc/
⑧root用户进入docker容器
修改文件
bash
echo "$(sed 's/10.96.0.10/10.244.104.10/g' /etc/resolv.conf)" > /etc/resolv.conf
⑨重新启动一下 jenkins 服务
观察pod拉活情况
⑩jenkins成功获取插件信息
安装: