
Problem

Certificate Issue

PS: A normal kubeasz installation should handle this automatically; do not repeat this manual procedure.

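# Install the cfssl tools (skip if they are already installed).
# These binaries are downloaded straight into /usr/local/bin and will be run as
# root, so compare the SHA-256 values printed below with the checksums published
# alongside the v1.6.3 release before marking the files executable.
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64 -O /usr/local/bin/cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64 -O /usr/local/bin/cfssljson
sha256sum /usr/local/bin/cfssl /usr/local/bin/cfssljson
# Both tools are invoked later, so both need the executable bit.
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson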
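# Create the certificate configuration files (example).
# NOTE(review): the steps below create a brand-new CA. Existing etcd peers and
# clients only accept certificates that chain to the CA they already trust, so
# if the cluster's original CA certificate and key are still available, sign
# with those instead of creating a new CA.

# Create the working directory.
mkdir -p /etc/ssl/etcd/ssl && cd /etc/ssl/etcd/ssl

# Generate the CA signing configuration (ca-config.json).
# Certificates issued with the "etcd" profile are valid for 8760h (one year)
# and carry both "server auth" and "client auth" usages; plan a renewal before
# they expire. The quoted 'EOF' keeps the shell from expanding anything inside
# the document.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "etcd": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF

# Generate the CA certificate request (ca-csr.json).
cat > ca-csr.json <<'EOF'
{
  "CN": "etcd-ca",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "etcd",
      "OU": "etcd-ca",
      "ST": "Beijing"
    }
  ]
}
EOF

# Generate the CA certificate and private key (ca.pem and ca-key.pem).
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# Anyone who can read ca-key.pem can issue certificates this CA's relying
# parties will accept, so keep it readable by its owner only.
chmod 600 ca-key.pem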
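# Generate the member-master1 certificate request.
# Replace 10.0.5.167 with the real IP of your etcd node (10.0.5.167 is the
# address that appeared in the log). Every address peers or clients use to
# reach this member must be listed under "hosts".
# The note lives here rather than inside the heredoc because JSON has no
# comment syntax: a '#' inside the document makes the CSR file invalid.
cat > member-master1-csr.json <<'EOF'
{
  "CN": "member-master1",
  "hosts": [
    "127.0.0.1",
    "10.0.5.167"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "etcd",
      "OU": "etcd-member",
      "ST": "Beijing"
    }
  ]
}
EOF

# Generate the member-master1 certificate and private key, signed by the CA
# using the "etcd" profile from ca-config.json.
# member-master1-key.pem should stay readable only by the account etcd runs as.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd member-master1-csr.json | cfssljson -bare member-master1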
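# Check that the certificate now exists in the working directory
# (/etc/ssl/etcd/ssl, created above); the file should be listed.
ls -l /etc/ssl/etcd/ssl/member-master1.pem
# Optional: print the certificate to confirm the subject, the validity period
# and that the node IP appears among the subject alternative names.
cfssl certinfo -cert /etc/ssl/etcd/ssl/member-master1.pem

# Restart the etcd service and verify.
# "restart" also starts the unit when it is currently stopped, and makes an
# already-running etcd pick up the new certificate.
systemctl restart etcd.service

# Check the service status (confirm that it started successfully).
systemctl status etcd.service

# Follow the latest log (make sure no further errors appear); Ctrl-C to stop.
journalctl -u etcd.service -f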

Certificate Question 2

PS: This problem can prevent Docker from pulling images. It is a problem with HTTPS certificates, so the impact is likely to be extensive.

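# Certificate problem: rebuild the system CA trust store.
# Make sure the trust directory exists and is world-readable but writable only
# by root (755).
sudo mkdir -p /etc/ssl/certs
sudo chmod 755 /etc/ssl/certs
# Both apt steps need root; the original ran "apt update" without sudo.
sudo apt update && sudo apt install ca-certificates
# Regenerate the trust store from the installed CA certificates.
sudo update-ca-certificates
## If Docker is used, Docker may need to be restarted so that it picks up the
## refreshed trust store (sudo systemctl restart docker).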

Bug in kubeasz (version v3.6.7)

  • Bad Report

## This check needs to be commented out
  # check bash shell
# readlink /proc/$$/exe|grep -q "bash" || { logger error "you should use bash shell only"; exit 1; }

kubelet could not start

kubelet residual problem

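# Undo what kubeadm set up on this node, then remove the packages.
sudo kubeadm reset
sudo apt-get purge -y kubelet kubeadm kubectl
sudo apt-get autoremove -y # remove dependencies that are no longer needed
# Manually clean residual files (optional, ensures a complete uninstall).
# Everything below is destructive and cannot be undone; double-check each path
# and run it only on a node that is really being wiped.

# Clean up the container network interface (CNI) configuration.
sudo rm -rf /etc/cni/net.d

# Clean up the kubelet working directory.
sudo rm -rf /var/lib/kubelet/

# Clean up container runtime data (containerd shown as an example; adjust for
# the runtime actually in use). This deletes every image and container stored
# by containerd on this host, so the service is stopped first.
sudo systemctl stop containerd
sudo rm -rf /var/lib/containerd/
sudo systemctl start containerd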

If the cluster was deployed from binaries (manually installed)

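# Stop the kubelet service:
sudo systemctl stop kubelet
sudo systemctl disable kubelet # do not start at boot

# Delete the kubelet service configuration:
sudo rm -f /etc/systemd/system/kubelet.service
sudo rm -f /etc/systemd/system/kubelet.service.d/*.conf # drop-in configuration directory
sudo systemctl daemon-reload # reload the systemd configuration

# Delete the kubelet binary and its configuration:
# The binary path is usually /usr/local/bin/kubelet (adjust for the actual
# installation path).
sudo rm -f /usr/local/bin/kubelet
# Delete the configuration files (e.g. kubeconfig, start-parameter file).
# kubelet.conf holds the kubelet's cluster credentials, so it should not be
# left behind on a node that is being decommissioned.
sudo rm -rf /etc/kubernetes/kubelet.conf
sudo rm -rf /var/lib/kubelet/ # working directory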