Kubernetes集群實(shí)戰(zhàn) 拓展訓(xùn)練匯 項(xiàng)目1-10

任務(wù)一拓展訓(xùn)練kubernetes架構(gòu)圖如下：各個(gè)組件的主要功能如下：APIServer[資源操作入口]提供了資源對(duì)象的唯一操作入口，其他所有組件都必須通過它提供的API來操作資源數(shù)據(jù)，只有APIServer與存儲(chǔ)通信，其他模塊通過APIServer訪問集群狀態(tài)。第一，是為了保證集群狀態(tài)訪問的安全。第二，是為了隔離集群狀態(tài)訪問的方式和后端存儲(chǔ)實(shí)現(xiàn)的方式：APIServer是狀態(tài)訪問的方式，不會(huì)因?yàn)楹蠖舜鎯?chǔ)技術(shù)etcd的改變而改變。作為kubernetes系統(tǒng)的入口，封裝了核心對(duì)象的增刪改查操作，以RESTFul接口方式提供給外部客戶和內(nèi)部組件調(diào)用。對(duì)相關(guān)的資源數(shù)據(jù)“全量查詢”+“變化監(jiān)聽”，實(shí)時(shí)完成相關(guān)的業(yè)務(wù)功能。ControllerManager[內(nèi)部管理控制中心]實(shí)現(xiàn)集群故障檢測(cè)和恢復(fù)的自動(dòng)化工作，負(fù)責(zé)執(zhí)行各種控制器，主要有：endpoint-controller：定期關(guān)聯(lián)service和pod(關(guān)聯(lián)信息由endpoint對(duì)象維護(hù))，保證service到pod的映射總是最新的。replication-controller：定期關(guān)聯(lián)replicationController和pod，保證replicationController定義的復(fù)制數(shù)量與實(shí)際運(yùn)行pod的數(shù)量總是一致的。Scheduler[集群分發(fā)調(diào)度器]Scheduler收集和分析當(dāng)前Kubernetes集群中所有Minion/Node節(jié)點(diǎn)的資源(內(nèi)存、CPU)負(fù)載情況，然后依此分發(fā)新建的Pod到Kubernetes集群中可用的節(jié)點(diǎn)。實(shí)時(shí)監(jiān)測(cè)Kubernetes集群中未分發(fā)和已分發(fā)的所有運(yùn)行的Pod。Scheduler也監(jiān)測(cè)Minion/Node節(jié)點(diǎn)信息，由于會(huì)頻繁查找Minion/Node節(jié)點(diǎn)，Scheduler會(huì)緩存一份最新的信息在本地。最后，Scheduler在分發(fā)Pod到指定的Minion/Node節(jié)點(diǎn)后，會(huì)把Pod相關(guān)的信息Binding寫回APIServer。kubelet負(fù)責(zé)Node節(jié)點(diǎn)上pod的創(chuàng)建、修改、監(jiān)控、刪除等全生命周期的管理定時(shí)上報(bào)本Node的狀態(tài)信息給APIServer。kubelet是MasterAPIServer和Node之間的橋梁，接收MasterAPIServer分配給它的commands和work，通過kube-apiserver間接與Etcd集群交互，讀取配置信息。具體的工作如下：設(shè)置容器的環(huán)境變量、給容器綁定Volume、給容器綁定Port、根據(jù)指定的Pod運(yùn)行一個(gè)單一容器、給指定的Pod創(chuàng)建network容器。同步Pod的狀態(tài)、同步Pod的狀態(tài)、從cAdvisor獲取containerinfo、podinfo、rootinfo、machineinfo。在容器中運(yùn)行命令、結(jié)束容器、刪除Pod的所有容器。任務(wù)二拓展訓(xùn)練安裝教材任務(wù)二在筆記本上實(shí)現(xiàn)。項(xiàng)目二任務(wù)一拓展訓(xùn)練首先使用的鏡像centos/httpd-24-centos7部署deployment控制器，命令如下：[root@master~]#kubectlcreatedeploymenthttpd--image=centos/httpd-24-centos7查看pod狀態(tài)，命令如下：[root@master~]#kubectlgetpod結(jié)果如下：[root@master~]#kubectlgetpod-owideNAMEREADYSTATUSRESTARTSAGEIPNODENOMINATEDNODEREADINESSGATEShttpd-7bb68fdccc-b6c8l1/1Running05m18s4node1<none><none>查看httpd服務(wù)版本信息，命令如下：[root@master~]#curl-I4:8080HTTP/1.1403ForbiddenDate:Sun,05Sep202101:23:21GMTServer:Apache/2.4.34(RedHat)OpenSSL/1.0.2k-fipsLast-Modified:Tue,22Sep202023:04:14GMTETag:"f91-5afeefc541780"Accept-Ranges:bytesContent-Length:3985Content-Type:text/html;charset=UTF-8查看容器的名稱[root@master~]#kubectldescribepodhttpd-7bb68fdccc-b6c8lName:httpd-7bb68fdccc-b6c8lNamespace:defaultPriority:0Node:node1/0StartTime:Sun,05Sep202109:16:36+0800Labels:app=httpdpod-template-hash=7bb68fdcccAnnotations:<none>Status:RunningIP:4IPs:IP:4ControlledBy:ReplicaSet/httpd-7bb68fdcccContainers:httpd-24-centos7:ContainerID:升級(jí)服務(wù)版本信息，命令如下：[root@master~]#kubectlsetimagedeployments.appshttpdhttpd-24-centos7=httpd查看服務(wù)升級(jí)版本信息，命令如下：[root@master~]#curl-I5HTTP/1.1200OKDate:Sun,05Sep202101:32:41GMTServer:Apache/2.4.48(Unix)Last-Modified:Mon,11Jun200718:53:14GMTETag:"2d-432a5e4a73a80"Accept-Ranges:bytesContent-Length:45Content-Type:text/html項(xiàng)目二任務(wù)二拓展訓(xùn)練創(chuàng)建deployment，命令如下：[root@master~]#kubectlcreatedeploymenthttpd--image=httpd--replicas=3創(chuàng)建service，命令如下：[root@master~]#kubectlexposedeploymenthttpd--port=80service/httpdexposed[root@master~]#kubectlgetserviceNAMETYPECLUSTER-IPEXTERNAL-IPPORT(S)AGEhttpdClusterIP8<none>80/TCP6s修改pod中的主頁內(nèi)容，命令如下：首先查看pod[root@master~]#kubectlgetpod-owideNAMEREADYSTATUSRESTARTSAGEIPNODENOMINATEDNODEREADINESSGATEShttpd-757fb56c8d-72tlv1/1Running03m37s7node1<none><none>httpd-757fb56c8d-bdn6v1/1Running03m37s1node2<none><none>httpd-757fb56c8d-cnlsw1/1Running03m37s6node1<none><none>然后進(jìn)入pod容器，修改主頁內(nèi)容以名稱為httpd-757fb56c8d-bdn6v的pod為例[root@master~]#kubectlexec-ithttpd-757fb56c8d-bdn6v/bin/bashroot@httpd-757fb56c8d-bdn6v:/usr/local/apache2#echoweb2>/usr/local/apache2/htdocs/index.html訪問服務(wù)[root@master~]#curl8web1[root@master~]#curl8web2[root@master~]#curl8web3任務(wù)一拓展訓(xùn)練編寫httpd.yaml腳本創(chuàng)建deploymentapiVersion:apps/v1kind:Deploymentmetadata:name:de2spec:template:metadata:labels:app:httpspec:containers:-name:httpimage:httpdports:-name:p1containerPort:80selector:matchLabels:app:httpreplicas:3編寫s2.service腳本創(chuàng)建serviceapiVersion:v1kind:Servicemetadata:name:myhttpdspec:selector:app:httpports:-name:http80port:80targetPort:80nodePort:30001type:NodePort集群外部訪問如下：任務(wù)二拓展訓(xùn)練編寫以下腳本創(chuàng)建DaemonSet控制器#定義crontab的版本apiVersion:batch/v1beta1#控制器的類型kind:CronJob#源數(shù)據(jù)信息metadata:name:job3spec:#定義每分鐘執(zhí)行一次任務(wù)schedule:"*/1****"jobTemplate:spec:template:spec:containers:-name:helloimage:busyboxcommand:["/bin/sh","-c","echo'該休息一下了'"]restartPolicy:OnFailure查看創(chuàng)建pod的運(yùn)行結(jié)果[root@masteryaml]#kubectllogsjob2-1630907460-dmwsd該休息一下了任務(wù)一拓展訓(xùn)練編寫探測(cè)腳本apiVersion:v1kind:Podmetadata:name:httpget-podnamespace:defaultspec:containers:-name:httpget-containerimage:nginx:1.8.1imagePullPolicy:IfNotPresentports:-name:httpcontainerPort:80command:["/bin/sh","-c","sleep30;rm-rf/index.html"]livenessProbe:httpGet:port:httppath:/index.htmlinitialDelaySeconds:1periodSeconds:3timeoutSeconds:10運(yùn)行后查看pod重啟狀態(tài)[root@master~]#kubectlgetpodNAMEREADYSTATUSRESTARTSAGEhttpget-pod1/1Running14m任務(wù)二拓展訓(xùn)練編寫可讀性探測(cè)器腳本apiVersion:apps/v1kind:Deploymentmetadata:name:readiness-deploymentspec:template:metadata:labels:app:nginxspec:containers:-name:nginximage:nginx:1.8.1ports:-name:httpcontainerPort:80command:["/bin/sh","-c","sleep30;rm-rf/index.html"]readinessProbe:httpGet:#這里的http指定是定義容器時(shí)ports的name，即探測(cè)80端口port:http#使用http方式訪問根目錄下是否存在index.htmlpath:/index.htmlinitialDelaySeconds:1periodSeconds:3selector:matchLabels:app:nginxreplicas:3查看運(yùn)行結(jié)果[root@masteryaml]#kubectlgetpodNAMEREADYSTATUSRESTARTSAGEreadiness-deployment-7664485764-jdcc50/1Running154sreadiness-deployment-7664485764-jg9dz0/1Running154sreadiness-deployment-7664485764-sx5lb0/1Running154s通過觀察發(fā)現(xiàn)容器一直沒有ready狀態(tài)，說明readiness的初始值為false，和liveness探測(cè)正好相反。任務(wù)一拓展訓(xùn)練編寫使用nodeSelector調(diào)度腳本#定義控制器版本apiVersion:apps/v1#定義資源類型kind:Deployment#定義源數(shù)據(jù)metadata:name:nodeselector#定義容器模板spec:template:metadata:labels:app:httpdspec:containers:-name:httpdimage:httpdports:-name:httpcontainerPort:80#和containers字段對(duì)齊，使用nodeSelector調(diào)度到cpu=high的節(jié)點(diǎn)nodeSelector:cpu:high#定義匹配的labels標(biāo)簽是app:httpdselector:matchLabels:app:httpd#定義生成3個(gè)Podreplicas:3運(yùn)行后查看pod重啟狀態(tài)[root@masteryaml]#kubectlgetpodNAMEREADYSTATUSRESTARTSAGEnodeselector-678b44c686-77tcp0/1Pending03m43snodeselector-678b44c686-94q7k0/1Pending03m43snodeselector-678b44c686-h7cw60/1Pending03m43s結(jié)果顯示，如果調(diào)度的標(biāo)記不存在，會(huì)一直處于pending錯(cuò)誤狀態(tài)。任務(wù)二拓展訓(xùn)練配置node1和node2不在同一拓?fù)溆騥ubectllabelnodesnode1disk-type=ssdkubectllabelnodesnode2disk-type=sas配置pod軟親和性調(diào)度腳本apiVersion:apps/v1kind:Deploymentmetadata:name:pod-preferlabels:app:podpreferspec:replicas:6selector:matchLabels:app:mypodtemplate:metadata:labels:app:mypodspec:containers:-name:myapp-podimage:nginx:1.8.1imagePullPolicy:IfNotPresentports:-name:httpcontainerPort:80affinity:podAffinity:preferredDuringSchedulingIgnoredDuringExecution:-weight:100podAffinityTerm:labelSelector:#由于是Pod親和性,因此這里匹配規(guī)則寫的是Pod的標(biāo)簽信息matchExpressions:-key:appoperator:Invalues:-http#調(diào)度到disk作為label關(guān)鍵字的相同拓?fù)溆騮opologyKey:disk查看調(diào)度情況[root@masteryaml]#kubectlgetpodNAMEREADYSTATUSRESTARTSAGEpod-prefer-7d6f654cc8-k2d2n1/1Running0101spod-prefer-7d6f654cc8-kqfzx1/1Running0101spod-prefer-7d6f654cc8-msspw1/1Running0101spod-prefer-7d6f654cc8-r797q1/1Running0101spod-prefer-7d6f654cc8-tkm4n1/1Running0101spod-prefer-7d6f654cc8-tmccx1/1Running0101s結(jié)果中發(fā)現(xiàn)，能夠正常調(diào)度和運(yùn)行。任務(wù)三拓展訓(xùn)練定義污點(diǎn)[root@masteryaml]#kubectltaintnodesnode1db=no:NoSchedule[root@masteryaml]#kubectltaintnodesnode2web=no:PreferNoSchedule編寫控制器腳本apiVersion:apps/v1kind:Deploymentmetadata:name:toleration-specialspec:template:metadata:labels:app:nginxspec:containers:-name:nginximage:nginx:1.8.1ports:-name:p1containerPort:80selector:matchLabels:app:nginxreplicas:6觀察調(diào)度情況[root@masteryaml]#kubectlgetpodNAMEREADYSTATUSRESTARTSAGEtoleration-special-746bc96976-2f6qd0/1Pending02m2stoleration-special-746bc96976-4bn9p0/1Pending02m2stoleration-special-746bc96976-58qg90/1Pending02m2stoleration-special-746bc96976-644m80/1Pending02m2stoleration-special-746bc96976-7r6x40/1Pending02m2stoleration-special-746bc96976-wnqv80/1Pending02m2s通過觀察發(fā)現(xiàn)，配置了兩種effect污點(diǎn)的節(jié)點(diǎn)不調(diào)度Pod任務(wù)一拓展訓(xùn)練輸出base64編碼[root@master~]#echo"zs"|base64enMK[root@master~]#echo"80"|base64ODAK編寫secret腳本apiVersion:v1kind:Secret#定義類型為secretmetadata:name:mysecrettype:Opaque#定義secret的類型為Opaquedata:name:enMKage:ODAK[root@masteryaml]#kubectlapply-fsecret.yaml編寫使用envFrom導(dǎo)入secret的pod腳本apiVersion:v1kind:Podmetadata:name:test-secret#定義名稱為test-secretspec:containers:-name:webimage:nginx:1.8.1envFrom:#使用envFrom定義環(huán)境變量來源-secretRef:#定義來源于secretname:mysecret查看環(huán)境變量[root@masteryaml]#kubectlexec-ittest-secret/bin/bashroot@test-secret:/#env|grepnamename=zsroot@test-secret:/#env|grepageage=80任務(wù)二拓展訓(xùn)練創(chuàng)建nfs共享目錄/web//24(rw,no_root_squash)/data/24(rw,no_root_squash)重啟nfs，查看服務(wù)[root@masteryaml]#showmount-e0Exportlistfor0:/data/24/web/24編寫創(chuàng)建pv的yaml腳本apiVersion:v1kind:PersistentVolumemetadata:name:pv3spec:capacity:storage:1GiaccessModes:-ReadWriteOncepersistentVolumeReclaimPolicy:Retainnfs:path:/webserver:0---apiVersion:v1kind:PersistentVolumemetadata:name:pv4spec:capacity:storage:3GiaccessModes:-ReadWriteOncepersistentVolumeReclaimPolicy:Retainnfs:path:/dataserver:0編寫創(chuàng)建pvc的yaml腳本apiVersion:v1kind:PersistentVolumeClaimmetadata:name:pvc2spec:accessModes:-ReadWriteOnceresources:requests:storage:2Gi觀察綁定結(jié)果[root@masteryaml]#kubectlgetpvcNAMESTATUSVOLUMECAPACITYACCESSMODESSTORAGECLASSAGEpvc2Boundpv43GiRWO3s結(jié)果中發(fā)現(xiàn)已經(jīng)和pv4進(jìn)行了綁定，因?yàn)閜v4的存儲(chǔ)大小為3G。任務(wù)三拓展訓(xùn)練創(chuàng)建pv和pvc同教材內(nèi)容，創(chuàng)建mysql控制器腳本如下：在yaml目錄下創(chuàng)建文件pvc-pod.yaml，在文件中輸入以下腳本。apiVersion:apps/v1kind:Deploymentmetadata:name:de3spec:template:metadata:labels:app:mysqlspec:containers:-name:mysqlimage:mysql:5.7env:-name:MYSQL_ROOT_PASSWORDvalue:"1"ports:-containerPort:3306volumeMounts:-name:mysql#使用mysql的存儲(chǔ)卷subPath:mysql#在存儲(chǔ)目錄下創(chuàng)建mysql目錄mountPath:/var/lib/mysql#掛載的容器目錄volumes:#定義掛載存儲(chǔ)卷-name:mysql#名稱為mysqlpersistentVolumeClaim:#使用PVC存儲(chǔ)claimName:pvc1#PVC的名稱為pvc1selector:matchLabels:app:mysql任務(wù)一拓展訓(xùn)練查看pv綁定發(fā)現(xiàn)web-0綁定的是pv-web4的pv，web-1綁定的是pv-web1的pv，web-2綁定的是pv-web2。配置主頁文件內(nèi)容[root@masteryaml]#echoweb0>/data/web4/index.html[root@masteryaml]#echoweb1>/data/web1/index.html[root@masteryaml]#echoweb2>/data/web2/index.html刪除pod，查看訪問內(nèi)容是否變化刪除web-0[root@masteryaml]#kubectldeletepodweb-0pod"web-0"deleted查看pod[root@masteryaml]#kubectlgetpod-owideNAMEREADYSTATUSRESTARTSAGEIPNODENOMINATEDNODEREADINESSGATESweb-01/1Running06snode2<none><none>web-11/1Running031mnode2<none><none>web-21/1Running031mnode1<none><none>訪問pod內(nèi)容[root@masteryaml]#curlweb0發(fā)現(xiàn)沒有變化任務(wù)二拓展訓(xùn)練需要將動(dòng)態(tài)web程序放到一個(gè)指定的目錄，然后在創(chuàng)建容器時(shí)進(jìn)行掛載，以dami程序?yàn)槔膟aml腳本如下：apiVersion:apps/v1kind:Deploymentmetadata:name:de2spec:template:metadata:labels:app:damispec:containers:-name:damiimage:php:v1ports:-name:p1containerPort:80volumeMounts:-name:nfs1mountPath:/var/www/htmlvolumes:-name:nfs1nfs:path:/web/damiserver:0selector:matchLabels:app:dami任務(wù)一拓展訓(xùn)練制作dami:v1鏡像編寫制作dami:v1的Dockerfile腳本如下：#基礎(chǔ)鏡像是centos:7FROMcentos:7#安裝httpdphp支持php與mysql連接php-gd圖形支持組件RUNyuminstallhttpdphpphp-mysqlphp-gd-y#將dami源程序添加到默認(rèn)網(wǎng)站路徑下ADDdami/var/www/html#將默認(rèn)網(wǎng)站路徑的權(quán)限設(shè)置成777，否則用戶不能寫入RUNchmod-R777/var/www/html#持久化網(wǎng)站根目錄VOLUME/var/www/html#暴露服務(wù)的80端口EXPOSE80#啟動(dòng)容器時(shí)，將httpd程序運(yùn)行在前臺(tái)CMD["/usr/sbin/httpd","-DFOREGROUND"]通過dami:v1鏡像構(gòu)建pod和service編寫創(chuàng)建deployment和service的yaml腳本如下：apiVersion:apps/v1kind:Deploymentmetadata:name:damispec:replicas:1template:metadata:labels:app:damispec:containers:-name:damiimage:dami:v1selector:matchLabels:app:dami---#創(chuàng)建名稱為httpd-dami的service,提供給ingress規(guī)則使用apiVersion:v1kind:Servicemetadata:name:httpd-damispec:selector:app:damiports:-protocol:TCPport:80targetPort:80創(chuàng)建ingress規(guī)則apiVersion:extensions/v1beta1kind:Ingressmetadata:name:ingress-dammispec:rules:-host:http:paths:-path:/backend:serviceName:httpd-damiservicePort:80配置域名解析在C:\Windows\System32\drivers\etc的hosts文件，添加入下內(nèi)容0使用域名訪問服務(wù)任務(wù)二拓展訓(xùn)練編寫創(chuàng)建zm:v1的Dockerfile腳本如下：#基礎(chǔ)鏡像是centos:7FROMcentos:7#安裝httpdphp支持php與mysql連接php-gd圖形支持組件RUNyuminstallhttpdphpphp-mysqlphp-gd-y#將dami源程序添加到默認(rèn)網(wǎng)站路徑下ADDzm/var/www/html#將默認(rèn)網(wǎng)站路徑的權(quán)限設(shè)置成777，否則用戶不能寫入RUNchmod-R777/var/www/html#持久化網(wǎng)站根目錄VOLUME/var/www/html#暴露服務(wù)的80端口EXPOSE80#啟動(dòng)容器時(shí)，將httpd程序運(yùn)行在前臺(tái)CMD["/usr/sbin/httpd","-DFOREGROUND"]通過zm:v1鏡像構(gòu)建pod和service編寫創(chuàng)建deployment和service的yaml腳本如下：apiVersion:apps/v1kind:Deploymentmetadata:name:zmspec:replicas:1template:metadata:labels:app:zmspec:containers:-name:zmimage:zm:v1selector:matchLabels:app:zm---#創(chuàng)建名稱為httpd-zm的service,提供給ingress規(guī)則使用apiVersion:v1kind:Servicemetadata:name:httpd-zmspec:selector:app:zmports:-protocol:TCPport:80targetPort:80創(chuàng)建ingress規(guī)則apiVersion:extensions/v1beta1kind:Ingressmetadata:name:ingress-dami-zmannotations:nginx.ingress.kubernetes.io/rewrite-target:/spec:rules:-host:http:paths:-path:/backend:serviceName:httpd-damiservicePort:80-host:http:paths:-path:/backend:serviceName:httpd-zmservicePort:80配置域名配置hosts文件，添加入下內(nèi)容00訪問和任務(wù)一拓展訓(xùn)練編寫創(chuàng)建clusterrole的腳本如下：apiVersion:rbac.authorization.k8s.io/v1#定義創(chuàng)建Role的api版本kind:ClusterRole#定義的資源類型是ClusterRolemetadata:name:clusterrole1#資源的名稱是clusterrolerules:#角色定義的規(guī)則-apiGroups:[""]#使用””定義api組為核心組resources:["pods"]#核心組內(nèi)podsverbs:["get","list","delete"]#定義對(duì)核心組內(nèi)的pods具有的權(quán)限以上腳本定義了一個(gè)名稱為clusterrole的ClusterRole資源，定義了可以訪問集群的核心api組的pods資源，具有獲取、列表、刪除的功能。任務(wù)二拓展訓(xùn)練刪除clusterrolebinding[root@masteryaml]#kubectldelete-fclusterrolebinding-1.yaml修改clusterrolebinding-1配置如下：apiVersion:rbac.authorization.k8s.io/v1beta1kind:ClusterRoleBindingmetadata:name:crbroleRef:apiGroup:rbac.authorization.k8s.iokind:ClusterRolename:cluster-adminsubjects:-apiGroup:rbac.authorization.k8s.iokind:Username:u1使用clusterrolebinding-1構(gòu)建綁定[root@masteryaml]#kubectlapply-fclusterrolebinding-1.yaml切換到u1，測(cè)試[root@masteryaml]#su-u1發(fā)現(xiàn)可以訪問其它集群資源。任務(wù)一拓展訓(xùn)練配置https安全訪問Harbor私有倉(cāng)庫客服端到服務(wù)端或服務(wù)端到服務(wù)端的請(qǐng)求方式通常是http居多，但是考慮到安全性的問題，可以使用給系統(tǒng)添加一個(gè)證書來做認(rèn)證，這種訪問服務(wù)的協(xié)議就變成了https協(xié)議，使用的是443端口，對(duì)網(wǎng)站安全性要求高一點(diǎn)應(yīng)用都需要使用證書的方式加密訪問，因?yàn)閭}(cāng)庫的數(shù)據(jù)對(duì)安全性要求也是比較高的，所以這里配置Harbor倉(cāng)庫的https訪問。生成私鑰文件證書是由一個(gè)受信任的機(jī)構(gòu)頒發(fā)的，可以把它理解成有認(rèn)證機(jī)構(gòu)簽字的公鑰文件，這個(gè)證書是公開的，當(dāng)用戶訪問時(shí)，使用這個(gè)證書進(jìn)行加密數(shù)據(jù)，然后用服務(wù)器端的私鑰進(jìn)行解密數(shù)據(jù)，公鑰和私鑰匙成對(duì)出現(xiàn)的，所以一定要先生成私鑰文件，然后在私鑰的基礎(chǔ)上，頒發(fā)證書，即頒發(fā)有認(rèn)證機(jī)構(gòu)蓋章的公鑰文件?？梢栽诖笮偷淖C書提供平臺(tái)申請(qǐng)證書文件，但一般申請(qǐng)證書是收費(fèi)的，為了方便教學(xué)，這里通過自己在本機(jī)簽發(fā)證書的方式講解生成私鑰和證書過程。下面通過openssl命令生成一個(gè)私鑰文件server.key。[root@node~]#opensslgenrsa-idea-outserver.key2048GeneratingRSAprivatekey,2048bitlongmodulus.............+++.......................+++eis65537(0x10001)Enterpassphraseforserver.key:Verifying-Enterpassphraseforserver.key:genrsa指定加密算法#idea是一種加密方式，out后時(shí)輸出的文件名，這里是server.key，2028表示生成的私鑰長(zhǎng)度，生成私鑰時(shí)需要輸入私鑰的密碼。基于私鑰生成證書文件以下使用opensslreq在基于server.key私鑰的基礎(chǔ)上，生成了自己簽發(fā)的證書server.crt。[root@node~]#opensslreq-days36500-x509-sha256-nodes-newkeyrsa:2048-keyoutserver.key-outserver.crtGeneratinga2048bitRSAprivatekey.........+++....+++writingnewprivatekeyto'server.key'-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[XX]:cnStateorProvinceName(fullname)[]:lnLocalityName(eg,city)[DefaultCity]:syOrganizationName(eg,company)[DefaultCompanyLtd]:collegeOrganizationalUnitName(eg,section)[]:comCommonName(