refactor: refactor k3s service configuration and sysctl settings

- Remove duplicated `--kube-proxy-arg "metrics-bind-address=0.0.0.0"` line from the k3s exec command - Comment out IPv6 disabling settings in the sysctl configuration script - Update TCP settings in the sysctl configuration to adjust `net.ipv4.tcp_tw_reuse` and `net.core.somaxconn` - Add a new function `systemd_env` to create a k3s service environment configuration - Ensure the environment file is created with appropriate permissions for the k3s systemd service Signed-off-by: ysicing <[email protected]>
easysoft · Jan 17, 2025 · e3d4c12 · e3d4c12
1 parent b08475a
commit e3d4c12
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/common/const.go b/common/const.go
@@ -201,6 +201,5 @@ ExecStart=/usr/local/bin/k3s \
         --kube-proxy-arg "proxy-mode=ipvs" \
         --kube-proxy-arg "masquerade-all=true" \
         --kube-proxy-arg "ipvs-strict-arp=true" \
-        --kube-proxy-arg "metrics-bind-address=0.0.0.0" \
-        --docker
+        --kube-proxy-arg "metrics-bind-address=0.0.0.0"
 `
diff --git a/hack/manifests/scripts/init.sh b/hack/manifests/scripts/init.sh
@@ -90,9 +90,9 @@ sed -i  's/^.*net.ip.*/# &/g' /etc/sysctl.conf
 cat > /etc/sysctl.d/95-k8s-sysctl.conf <<EOF
 # 转发
 net.ipv4.ip_forward = 1
-net.ipv6.conf.all.disable_ipv6 = 1
-net.ipv6.conf.default.disable_ipv6 = 1
-net.ipv6.conf.lo.disable_ipv6=1
+# net.ipv6.conf.all.disable_ipv6 = 1
+# net.ipv6.conf.default.disable_ipv6 = 1
+# net.ipv6.conf.lo.disable_ipv6=1
 # 对直接连接的网络进行反向路径过滤
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
@@ -117,10 +117,10 @@ net.ipv4.tcp_syn_retries = 3
 # net.ipv4.icmp_echo_ignore_broadcasts = 1
 # net.ipv4.icmp_ignore_bogus_error_responses = 1
 #进程快速回收,避免系统中存在大量TIME_WAIT进程
-net.ipv4.tcp_tw_recycle = 1
+# net.ipv4.tcp_tw_recycle = 1
 net.ipv4.tcp_fin_timeout = 30 # 缩短TIME_WAIT时间,加速端口回收
 #端口重用, 一般不开启,仅对客户端有效果,对于高并发客户端,可以复用TIME_WAIT连接端口,避免源端口耗尽建连失败
-net.ipv4.tcp_tw_reuse = 0
+net.ipv4.tcp_tw_reuse = 1
 #临时端口范围
 net.ipv4.ip_local_port_range = 20000 65535
 #预留给kubernetes service的nodeport端口范围,不设置可能会造成
@@ -133,7 +133,7 @@ net.ipv4.ip_local_reserved_ports = 30000-32768
 net.ipv4.tcp_keepalive_time = 600
 net.ipv4.tcp_keepalive_intvl = 30
 net.ipv4.tcp_keepalive_probes = 10
-net.core.somaxconn = 32768
+net.core.somaxconn = 65535
 net.bridge.bridge-nf-call-iptables = 1
 net.bridge.bridge-nf-call-ip6tables = 1
 net.bridge.bridge-nf-call-arptables = 1

diff --git a/hack/manifests/scripts/node.sh b/hack/manifests/scripts/node.sh
@@ -70,6 +70,16 @@ systemd_disable() {
 #     sh -c export | while read x v; do echo $v; done | grep -Ei '^(NO|HTTP|HTTPS)_PROXY' | $SUDO tee -a ${FILE_K3S_ENV} >/dev/null
 # }
 
+systemd_env() {
+  info "enabling k3s unit env"
+  cat > /tmp/.k3s.service.env <<EOF
+CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
+EOF
+
+  $SUDO mv /tmp/.k3s.service.env /etc/systemd/system/k3s.service.env
+  $SUDO chmod 0777 /etc/systemd/system/k3s.service.env
+}
+
 # --- enable and start systemd service ---
 systemd_enable() {
     info "enabling k3s unit"
@@ -89,6 +99,7 @@ service_enable_and_start() {
     then
         info 'Failed to find memory cgroup, you may need to add "cgroup_memory=1 cgroup_enable=memory" to your linux cmdline (/boot/cmdline.txt on a Raspberry Pi)'
     fi
+    systemd_env
     systemd_enable
     systemd_start
     return 0
@@ -98,7 +109,7 @@ service_enable_and_start() {
 {
     create_symlinks
     systemd_disable
-    check_docker
+    # check_docker
     # create_env_file
     service_enable_and_start
 }