1.修改host文件

vi /etc/hosts

添加如下内容 这样搭集群的时候就不用记ip了

#::1	localhost	localhost.localdomain	localhost6	localhost6.localdomain6127.0.0.1	localhost	localhost.localdomain	localhost4	localhost4.localdomain4
165.154.221.97 tlb-001 k8s01 k8s-master-01
165.154.187.67 tlb-002 k8s02 k8s-master-02
165.154.104.175 tlb-003 k8s03 k8s-node-01
123.58.199.75 tlb-004 k8s04 k8s-node-02
165.154.105.68 tlb-005 k8s05 k8s-vip

2.配置免密登录

每台机器上都执行 

ssh-keygen -t rsa

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s01

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s02

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s03

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s04

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s05

3.多机器批量执行脚本编写并使用

#!/bin/bash

# 检查参数数量
if [ "$#" -ne 2 ]; then
    echo "用法: $0 '主机列表' '命令列表'"
    echo "示例: $0 'k8s01 k8s02 k8s03 k8s04 k8s05' 'cd /aaa/bbb;mkdir ccc'"
    exit 1
fi

# 获取参数
HOSTS=$1
COMMANDS=$2

# 将主机列表转换为数组
IFS=' ' read -r -a HOST_ARRAY <<< "$HOSTS"

# 创建日志目录
LOG_DIR="logs_$(date +%Y%m%d%H%M%S)"
mkdir "$LOG_DIR"

# 遍历主机并在每台机器上执行命令
for HOST in "${HOST_ARRAY[@]}"; do
    {
        echo "在 $HOST 上执行命令..."
        ssh "$HOST" "$COMMANDS"
        echo "$HOST: 命令执行完毕。"
    } | tee "$LOG_DIR/$HOST.log" &  # 将输出同时发送到日志文件和控制台
done

# 等待所有后台任务完成
wait

echo "所有命令执行完毕，日志保存在 $LOG_DIR 目录中。"
 

4 批量执行安装防火墙并关闭

/opt/juege/shell-scripts/batch-execute.sh 'k8s01 k8s02 k8s03 k8s04 k8s05' 'yum install firewalld -y;systemctl stop firewalld;systemctl disable firewalld;systemctl status firewalld'

5.安全策略级别设置

/opt/juege/shell-scripts/batch-execute.sh 'k8s01 k8s02 k8s03 k8s04 k8s05' '

getenforce;setenforce 0;getenforce'

6.批量文件传输脚本

#!/bin/bash

# 检查参数数量
if [ "$#" -ne 3 ]; then
    echo "用法: $0 '服务器列表' '要传输的文件路径' '远程目标目录'"
    echo "示例: $0 'k8s01 k8s02 k8s03 k8s04 k8s05' /path/to/file /remote/directory"
    exit 1
fi

# 获取参数
SERVERS=$1  # 服务器列表
SOURCE_FILE=$2  # 本地文件路径
REMOTE_DIR=$3  # 远程目录

# 将服务器列表转换为数组
IFS=' ' read -r -a SERVER_ARRAY <<< "$SERVERS"

# 遍历服务器并将文件传输到每个服务器的指定目录
for SERVER in "${SERVER_ARRAY[@]}"; do
    echo "正在将文件 $SOURCE_FILE 传输到 $SERVER:$REMOTE_DIR..."
    
    # 使用 scp 传输文件到远程服务器
    scp "$SOURCE_FILE" "$SERVER:$REMOTE_DIR"
    
    if [ $? -eq 0 ]; then
        echo "文件成功传输到 $SERVER:$REMOTE_DIR"
    else
        echo "文件传输到 $SERVER 失败！"
    fi
done

echo "所有传输任务完成。"
 

6.设置swap分区

设置swap分区、关闭大页面压缩（所有节点）——性能考虑

Linux中Swap分区（即：交换分区），类似于Windows的虚拟内存，就是当内存不足的时候，把一部分硬盘空间虚拟成内存使用，从而解决内存容量不足的情况。

在大数据应用中，使用Swap分区会降低性能，通常需要关闭掉

脚本如下

执行批量传输命令

./transfer_file.sh 'k8s02 k8s03 k8s04 k8s05' /opt/juege/shell-scripts/close-swap-and-transparent-page.sh /opt/juege/shell-scripts

#!/bin/bash

# 设置 swappiness 为 0
sysctl vm.swappiness=0
echo 'vm.swappiness=0' >> /etc/sysctl.conf
sysctl -p

# 关闭当前 swap 分区
swapoff -a
# 注释掉 /etc/fstab 中的 swap 行
sed -i '/swap/s/^/#/' /etc/fstab

# 禁用透明大页面
echo never > /sys/kernel/mm/transparent_hugepage/defrag
echo never > /sys/kernel/mm/transparent_hugepage/enabled

# 添加到 /etc/rc.local 以永久禁用透明大页面
echo 'echo never > /sys/kernel/mm/transparent_hugepage/defrag' >> /etc/rc.local
echo 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' >> /etc/rc.local

# 确保 /etc/rc.local 是可执行的
chmod +x /etc/rc.local

echo "Swap 分区已关闭，透明大页面已禁用，Swappiness 已设置为 0。"
 

7.ntp设置

/opt/juege/shell-scripts/batch-execute.sh 'k8s01 k8s02 k8s03 k8s04 k8s05' '

yum -y install ntp'

vi /etc/ntp.conf (k8s01执行)

driftfile /var/lib/ntp/drift

restrict 165.154.221.97 mask 255.255.255.0 nomodify notrap

server ntp.aliyun.com

fudge ntp.aliyun.com stratum 10

# Enable public key cryptography.

#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating

# with symmetric key cryptography. 

keys /etc/ntp/keys

# Specify the key identifiers which are trusted.

#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.

#requestkey 8

# Specify the key identifier to use with the ntpq utility.

#controlkey 8

# Enable writing of statistics records.

#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc

# monlist command when default restrict does not include the noquery flag. See

# CVE-2013-5211 for more details.

# Note: Monitoring will not be disabled with the limited restriction flag.

disable monitor

其它节点执行

driftfile /var/lib/ntp/drift

server k8s01

# Enable public key cryptography.

#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating

# with symmetric key cryptography. 

keys /etc/ntp/keys

# Specify the key identifiers which are trusted.

#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.

#requestkey 8

# Specify the key identifier to use with the ntpq utility.

#controlkey 8

# Enable writing of statistics records.

#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc

# monlist command when default restrict does not include the noquery flag. See

# CVE-2013-5211 for more details.

# Note: Monitoring will not be disabled with the limited restriction flag.

disable monitor

 /opt/juege/shell-scripts/batch-execute.sh 'k8s01 k8s02 k8s03 k8s04 k8s05' '

service ntpd restart;systemctl enable ntpd.service'

ntpdc -c loopinfo