1.修改host文件

vi /etc/hosts

添加如下内容 这样搭集群的时候就不用记ip了

#::1    localhost    localhost.localdomain    localhost6    localhost6.localdomain6

127.0.0.1    localhost    localhost.localdomain    localhost4    localhost4.localdomain4
165.154.221.97 tlb-001 k8s01 k8s-master-01
165.154.187.67 tlb-002 k8s02 k8s-master-02
165.154.104.175 tlb-003 k8s03 k8s-node-01
123.58.199.75 tlb-004 k8s04 k8s-node-02
165.154.105.68 tlb-005 k8s05 k8s-vip

2.配置免密登录

每台机器上都执行

ssh-keygen -t rsa

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s01

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s02

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s03

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s04

ssh-copy-id -i ~/.ssh/id_rsa.pub k8s05

3.多机器批量执行脚本编写并使用

#!/bin/bash

检查参数数量

if [ "$#" -ne 2 ]; then
echo "用法: $0 '主机列表' '命令列表'"
echo "示例: $0 'k8s01 k8s02 k8s03 k8s04 k8s05' 'cd /aaa/bbb;mkdir ccc'"
exit 1
fi

获取参数

HOSTS=$1
COMMANDS=$2

将主机列表转换为数组

IFS=' ' read -r -a HOST_ARRAY <<< "$HOSTS"

创建日志目录

LOG_DIR="logs_$(date +%Y%m%d%H%M%S)"
mkdir "$LOG_DIR"

遍历主机并在每台机器上执行命令

for HOST in "${HOST_ARRAY[@]}"; do
{

     echo "在 $HOST 上执行命令..."
     ssh "$HOST" "$COMMANDS"
     echo "$HOST: 命令执行完毕。"
 } | tee "$LOG_DIR/$HOST.log" &  # 将输出同时发送到日志文件和控制台

done

等待所有后台任务完成

wait

echo "所有命令执行完毕，日志保存在 $LOG_DIR 目录中。"

4 批量执行安装防火墙并关闭

/opt/juege/shell-scripts/batch-execute.sh 'k8s01 k8s02 k8s03 k8s04 k8s05' 'yum install firewalld -y;systemctl stop firewalld;systemctl disable firewalld;systemctl status firewalld'

5.安全策略级别设置

/opt/juege/shell-scripts/batch-execute.sh 'k8s01 k8s02 k8s03 k8s04 k8s05' '

getenforce;setenforce 0;getenforce'

6.批量文件传输脚本

#!/bin/bash

检查参数数量

if [ "$#" -ne 3 ]; then
echo "用法: $0 '服务器列表' '要传输的文件路径' '远程目标目录'"
echo "示例: $0 'k8s01 k8s02 k8s03 k8s04 k8s05' /path/to/file /remote/directory"
exit 1
fi

获取参数

SERVERS=$1 # 服务器列表
SOURCE_FILE=$2 # 本地文件路径
REMOTE_DIR=$3 # 远程目录

将服务器列表转换为数组

IFS=' ' read -r -a SERVER_ARRAY <<< "$SERVERS"

遍历服务器并将文件传输到每个服务器的指定目录

for SERVER in "${SERVER_ARRAY[@]}"; do
echo "正在将文件 $SOURCE_FILE 传输到 $SERVER:$REMOTE_DIR..."

 # 使用 scp 传输文件到远程服务器
 scp "$SOURCE_FILE" "$SERVER:$REMOTE_DIR"
 
 if [ $? -eq 0 ]; then
     echo "文件成功传输到 $SERVER:$REMOTE_DIR"
 else
     echo "文件传输到 $SERVER 失败！"
 fi

done

echo "所有传输任务完成。"

6.设置swap分区

设置swap分区、关闭大页面压缩（所有节点）——性能考虑

Linux中Swap分区（即：交换分区），类似于Windows的虚拟内存，就是当内存不足的时候，把一部分硬盘空间虚拟成内存使用，从而解决内存容量不足的情况。

在大数据应用中，使用Swap分区会降低性能，通常需要关闭掉

脚本如下

执行批量传输命令

./transfer_file.sh 'k8s02 k8s03 k8s04 k8s05' /opt/juege/shell-scripts/close-swap-and-transparent-page.sh /opt/juege/shell-scripts

#!/bin/bash

设置 swappiness 为 0

sysctl vm.swappiness=0
echo 'vm.swappiness=0' >> /etc/sysctl.conf
sysctl -p

关闭当前 swap 分区

swapoff -a

注释掉 /etc/fstab 中的 swap 行

sed -i '/swap/s/^/#/' /etc/fstab

禁用透明大页面

echo never > /sys/kernel/mm/transparent_hugepage/defrag
echo never > /sys/kernel/mm/transparent_hugepage/enabled

添加到 /etc/rc.local 以永久禁用透明大页面

echo 'echo never > /sys/kernel/mm/transparent_hugepage/defrag' >> /etc/rc.local
echo 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' >> /etc/rc.local

确保 /etc/rc.local 是可执行的

chmod +x /etc/rc.local

echo "Swap 分区已关闭，透明大页面已禁用，Swappiness 已设置为 0。"

7.ntp设置

/opt/juege/shell-scripts/batch-execute.sh 'k8s01 k8s02 k8s03 k8s04 k8s05' '

yum -y install ntp'

vi /etc/ntp.conf (k8s01执行)

driftfile /var/lib/ntp/drift

restrict 165.154.221.97 mask 255.255.255.0 nomodify notrap

server ntp.aliyun.com

fudge ntp.aliyun.com stratum 10

# Enable public key cryptography.

#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating

*# with symmetric key cryptography. *

keys /etc/ntp/keys

# Specify the key identifiers which are trusted.

#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.

#requestkey 8

# Specify the key identifier to use with the ntpq utility.

#controlkey 8

# Enable writing of statistics records.

#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc

# monlist command when default restrict does not include the noquery flag. See

# CVE-2013-5211 for more details.

# Note: Monitoring will not be disabled with the limited restriction flag.

disable monitor

其它节点执行

driftfile /var/lib/ntp/drift

server k8s01

# Enable public key cryptography.

#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating

*# with symmetric key cryptography. *

keys /etc/ntp/keys

# Specify the key identifiers which are trusted.

#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.

#requestkey 8

# Specify the key identifier to use with the ntpq utility.

#controlkey 8

# Enable writing of statistics records.

#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc

# monlist command when default restrict does not include the noquery flag. See

# CVE-2013-5211 for more details.

# Note: Monitoring will not be disabled with the limited restriction flag.

disable monitor

/opt/juege/shell-scripts/batch-execute.sh 'k8s01 k8s02 k8s03 k8s04 k8s05' '

service ntpd restart;systemctl enable ntpd.service'

ntpdc -c loopinfo