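[{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/categories/linux/","section":"Categories","summary":"","title":"Linux","type":"categories"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/posts/linux/","section":"Posts","summary":"","title":"Linux","type":"posts"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/linux/","section":"Tags","summary":"","title":"Linux","type":"tags"},{"content":"The first step in Linux troubleshooting is not to change configuration right away, but to build a clear enough view of the system. CPU, memory, disk and network usually explain most system-level anomalies.\nCPU\nUse top or htop to quickly tell whether the CPU is saturated.\ntop\nuptime\nmpstat 1\nFocus on load average, user CPU, system CPU, iowait and context switches. If load is high but CPU utilization is not, check further for blocking I/O.\nMemory\nFor memory, look at the whole system first, then at individual processes.\nfree -h\nvmstat 1\nps aux --sort=-%mem | head\nLinux uses idle memory for caching, so the free value alone is not enough. What matters more is available, swap usage, and memory usage that keeps growing.\nDisk\nDisk problems usually show up as increased service latency.\ndf -h\niostat -xz 1\ndu -sh /var/log/*\nIf await, util and iowait stay high for a long time, identify which process is generating the heavy reads and writes.\nNetwork\nFor the network, confirm connectivity first, then look at ports and connection state.\nip addr\nss -tunlp\ncurl -I https://example.com\nIn production, also check DNS, routing, firewalls, security groups and load balancer configuration.\nSummary\nPerformance troubleshooting means observing first, then forming a hypothesis, and finally verifying it. A stable set of commands reduces blind changes and makes post-incident review easier.\n","date":"2026-06-19","externalUrl":null,"permalink":"/posts/posts/linux/linux-observability-basics/","section":"Posts","summary":"The first step in Linux troubleshooting is not to change configuration right away, but to build a clear enough view of the system. CPU, memory, disk and network usually explain most system-level anomalies.\nCPU\nUse top or htop to quickly tell whether the CPU is saturated.\ntop\nuptime\nmpstat 1\nFocus on load average, user CPU, system CPU, iowait and context switches. If load is high but CPU utilization is not, check further for blocking I/O.\n","title":"The first set of commands for Linux performance troubleshooting","type":"posts"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/series/linux-%E8%BF%90%E7%BB%B4%E5%9F%BA%E7%A1%80/","section":"Series","summary":"","title":"Linux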
Operations Basics","type":"series"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/categories/observability/","section":"Categories","summary":"","title":"Observability","type":"categories"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/posts/observability/","section":"Posts","summary":"","title":"Observability","type":"posts"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/observability/","section":"Tags","summary":"","title":"Observability","type":"tags"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/pages/","section":"Pages","summary":"","title":"Pages","type":"pages"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/categories/rancher/","section":"Categories","summary":"","title":"Rancher","type":"categories"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/posts/rancher/","section":"Posts","summary":"","title":"Rancher","type":"posts"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/rancher/","section":"Tags","summary":"","title":"Rancher","type":"tags"},{"content":"I. About this document\nThis document explains how to use install-rancher-server.sh.\nWhat the script does:\nInstalls Helm automatically\nConfigures the RKE2 Ingress Nginx forwarded headers automatically\nAdds the Rancher Helm repo automatically\nSupports Rancher Prime\nSupports Rancher Prime GC\nSupports a specified Rancher version\nSupports a specified Rancher hostname\nSupports a Harbor private image registry\nSupports Helm upgrade/install\nII. Prerequisites\nKubernetes cluster\nInstalled and running:\nRKE2\nVerify:\nkubectl get nodes\nExample:\nNAME STATUS ROLES\nnode41 Ready control-plane,etcd,master\nDomain name\nMake sure the Rancher domain name resolves to the load balancer or Ingress address.\nFor example:\nrancher.rancherlsp.com\nExternal TLS\nThe current environment uses:\nNginx + TLS\nRancher setting:\ntls=external\nThe script configures this automatically:\ndata:\n  use-forwarded-headers: \u0026#34;true\u0026#34;\nin the ConfigMap:\nkubectl get configmap \\\n  -n kube-system \\\n  rke2-ingress-nginx-controller\nIII. Script workflow\nExecution flow:\nInstall Helm\n↓\nConfigure ingress-nginx\n↓\nAdd the Rancher Helm repo\n↓\nUpdate the repo\n↓\nDeploy Rancher\n↓\nPrint status information\nIV. Default parameters\nParameter Default\nRANCHER_EDITION prime-gc\nRANCHER_VERSION 2.13.0\nRANCHER_GC_MINOR_VERSION 2.13\nMY_HOSTNAME rancher.rancherlsp.com\nPRIVATE_REGISTRY
harbor.rancherlsp.com\nRANCHER_IMAGE harbor.rancherlsp.com/prime/rancher\nHELM_VERSION v3.16.2\nNAMESPACE cattle-system\nREPLICAS 1\nBOOTSTRAP_PASSWORD Rancher12345\nTLS_MODE external\nRELEASE_NAME rancher\nV. Save the script\n#!/usr/bin/env bash\nset -euo pipefail\n\n# =========================\n# Configurable variables\n# =========================\n\n# prime or prime-gc\nRANCHER_EDITION=\u0026#34;${RANCHER_EDITION:-prime-gc}\u0026#34;\n\n# Rancher chart version, e.g. 2.13.0, 2.12.3\nRANCHER_VERSION=\u0026#34;${RANCHER_VERSION:-2.13.0}\u0026#34;\n\n# Used only by prime-gc, to build the charts.rancher.cn repo URL\n# e.g. 2.13 -\u0026gt; https://charts.rancher.cn/2.13-prime/latest\nRANCHER_GC_MINOR_VERSION=\u0026#34;${RANCHER_GC_MINOR_VERSION:-2.13}\u0026#34;\n\n# Rancher hostname\nMY_HOSTNAME=\u0026#34;${MY_HOSTNAME:-rancher.rancherlsp.com}\u0026#34;\n\n# Harbor address, used only by prime-gc\nPRIVATE_REGISTRY=\u0026#34;${PRIVATE_REGISTRY:-harbor.rancherlsp.com}\u0026#34;\n\n# Rancher image, used only by prime-gc\nRANCHER_IMAGE=\u0026#34;${RANCHER_IMAGE:-${PRIVATE_REGISTRY}/prime/rancher}\u0026#34;\n\n# Helm version\nHELM_VERSION=\u0026#34;${HELM_VERSION:-v3.16.2}\u0026#34;\n\n# Kubernetes namespace\nNAMESPACE=\u0026#34;${NAMESPACE:-cattle-system}\u0026#34;\n\n# Number of Rancher replicas\nREPLICAS=\u0026#34;${REPLICAS:-1}\u0026#34;\n\n# Initial (bootstrap) password\nBOOTSTRAP_PASSWORD=\u0026#34;${BOOTSTRAP_PASSWORD:-Rancher12345}\u0026#34;\n\n# TLS mode\nTLS_MODE=\u0026#34;${TLS_MODE:-external}\u0026#34;\n\n# Release name\nRELEASE_NAME=\u0026#34;${RELEASE_NAME:-rancher}\u0026#34;\n\n# =========================\n# Basic checks\n# =========================\nif [[ \u0026#34;$(id -u)\u0026#34; -ne 0 ]]; then\n  echo \u0026#34;[ERROR] 请使用 root 用户执行\u0026#34;\n  exit 1\nfi\n\nif [[ \u0026#34;${RANCHER_EDITION}\u0026#34; != \u0026#34;prime\u0026#34; \u0026amp;\u0026amp; \u0026#34;${RANCHER_EDITION}\u0026#34; != \u0026#34;prime-gc\u0026#34; ]]; then\n  echo \u0026#34;[ERROR] RANCHER_EDITION 只能是 prime 或 prime-gc\u0026#34;\n  exit 1\nfi\n\nif ! command -v kubectl \u0026gt;/dev/null 2\u0026gt;\u0026amp;1; then\n  echo \u0026#34;[ERROR] 未找到 kubectl，请先安装并配置好 RKE2 集群\u0026#34;\n  exit 1\nfi\n\nif !
kubectl get nodes \u0026gt;/dev/null 2\u0026gt;\u0026amp;1; then\n  echo \u0026#34;[ERROR] kubectl 无法访问当前 Kubernetes 集群\u0026#34;\n  exit 1\nfi\n\n# =========================\n# Configure RKE2 Ingress Nginx for external TLS / X-Forwarded-* headers\n# =========================\necho \u0026#34;[INFO] 配置 rke2-ingress-nginx-controller ConfigMap...\u0026#34;\nkubectl -n kube-system patch configmap rke2-ingress-nginx-controller \\\n  --type merge \\\n  -p \u0026#39;{\u0026#34;data\u0026#34;:{\u0026#34;use-forwarded-headers\u0026#34;:\u0026#34;true\u0026#34;}}\u0026#39;\n\n# =========================\n# Install Helm\n# =========================\nif ! command -v helm \u0026gt;/dev/null 2\u0026gt;\u0026amp;1; then\n  echo \u0026#34;[INFO] 安装 Helm ${HELM_VERSION}...\u0026#34;\n  curl https://rancher-mirror.rancher.cn/helm/get-helm-3.sh | \\\n    INSTALL_HELM_MIRROR=cn \\\n    bash -s -- --version \u0026#34;${HELM_VERSION}\u0026#34;\nelse\n  echo \u0026#34;[INFO] Helm 已存在：$(helm version --short)\u0026#34;\nfi\n\n# =========================\n# Add the Rancher Helm repo\n# =========================\nif [[ \u0026#34;${RANCHER_EDITION}\u0026#34; == \u0026#34;prime\u0026#34; ]]; then\n  RANCHER_REPO_URL=\u0026#34;https://charts.rancher.com/server-charts/prime\u0026#34;\nelse\n  RANCHER_REPO_URL=\u0026#34;https://charts.rancher.cn/${RANCHER_GC_MINOR_VERSION}-prime/latest\u0026#34;\nfi\n\necho \u0026#34;[INFO] Rancher Edition : ${RANCHER_EDITION}\u0026#34;\necho \u0026#34;[INFO] Rancher Version : ${RANCHER_VERSION}\u0026#34;\necho \u0026#34;[INFO] Rancher Repo : ${RANCHER_REPO_URL}\u0026#34;\necho \u0026#34;[INFO] Hostname : ${MY_HOSTNAME}\u0026#34;\n\nhelm repo add rancher-prime \u0026#34;${RANCHER_REPO_URL}\u0026#34; --force-update\nhelm repo update\n\n# =========================\n# Deploy Rancher\n# =========================\nif [[ \u0026#34;${RANCHER_EDITION}\u0026#34; == \u0026#34;prime\u0026#34; ]]; then\n  echo \u0026#34;[INFO] 开始部署 Rancher Prime...\u0026#34;\n  helm upgrade --install \u0026#34;${RELEASE_NAME}\u0026#34; rancher-prime/rancher \\\n    --namespace \u0026#34;${NAMESPACE}\u0026#34; \\
--create-namespace \\\n    --set hostname=\u0026#34;${MY_HOSTNAME}\u0026#34; \\\n    --set replicas=\u0026#34;${REPLICAS}\u0026#34; \\\n    --set global.cattle.psp.enabled=false \\\n    --set bootstrapPassword=\u0026#34;${BOOTSTRAP_PASSWORD}\u0026#34; \\\n    --set tls=\u0026#34;${TLS_MODE}\u0026#34; \\\n    --version \u0026#34;${RANCHER_VERSION}\u0026#34;\nelse\n  echo \u0026#34;[INFO] 开始部署 Rancher Prime GC...\u0026#34;\n  echo \u0026#34;[INFO] Private Registry : ${PRIVATE_REGISTRY}\u0026#34;\n  echo \u0026#34;[INFO] Rancher Image : ${RANCHER_IMAGE}\u0026#34;\n  helm upgrade --install \u0026#34;${RELEASE_NAME}\u0026#34; rancher-prime/rancher \\\n    --namespace \u0026#34;${NAMESPACE}\u0026#34; \\\n    --create-namespace \\\n    --set hostname=\u0026#34;${MY_HOSTNAME}\u0026#34; \\\n    --set replicas=\u0026#34;${REPLICAS}\u0026#34; \\\n    --set global.cattle.psp.enabled=false \\\n    --set bootstrapPassword=\u0026#34;${BOOTSTRAP_PASSWORD}\u0026#34; \\\n    --set rancherImage=\u0026#34;${RANCHER_IMAGE}\u0026#34; \\\n    --set systemDefaultRegistry=\u0026#34;${PRIVATE_REGISTRY}\u0026#34; \\\n    --set tls=\u0026#34;${TLS_MODE}\u0026#34; \\\n    --version \u0026#34;${RANCHER_VERSION}\u0026#34;\nfi\n\n# =========================\n# Print status\n# =========================\necho\necho \u0026#34;=======================================\u0026#34;\necho \u0026#34;Rancher Server 部署完成\u0026#34;\necho \u0026#34;=======================================\u0026#34;\necho \u0026#34;Edition : ${RANCHER_EDITION}\u0026#34;\necho \u0026#34;Version : ${RANCHER_VERSION}\u0026#34;\necho \u0026#34;Namespace : ${NAMESPACE}\u0026#34;\necho \u0026#34;Hostname : ${MY_HOSTNAME}\u0026#34;\necho \u0026#34;TLS : ${TLS_MODE}\u0026#34;\necho \u0026#34;=======================================\u0026#34;\necho\necho \u0026#34;查看 Pod：\u0026#34;\necho \u0026#34;kubectl -n ${NAMESPACE} get pods\u0026#34;\necho\necho \u0026#34;查看 Helm Release：\u0026#34;\necho \u0026#34;helm -n ${NAMESPACE} list\u0026#34;\nCreate the script:\nvi install-rancher-server.sh\nMake it executable:\nchmod +x install-rancher-server.sh\nVI. Prime GC installation\n
Run with the defaults:\n./install-rancher-server.sh\nThis is equivalent to:\nRANCHER_EDITION=prime-gc \\\nRANCHER_VERSION=2.13.0 \\\nRANCHER_GC_MINOR_VERSION=2.13 \\\nMY_HOSTNAME=rancher.rancherlsp.com \\\n./install-rancher-server.sh\nInternally the script runs:\nhelm repo add rancher-prime \\\n  https://charts.rancher.cn/2.13-prime/latest\nand:\nhelm upgrade --install rancher \\\n  rancher-prime/rancher\nand sets automatically:\nrancherImage=harbor.rancherlsp.com/prime/rancher\nsystemDefaultRegistry=harbor.rancherlsp.com\nVII. Prime installation\nRun:\nRANCHER_EDITION=prime \\\nMY_HOSTNAME=rancher.rancherlsp.com \\\nRANCHER_VERSION=2.13.0 \\\n./install-rancher-server.sh\nThe script uses:\nhelm repo add rancher-prime \\\n  https://charts.rancher.com/server-charts/prime\nand runs:\nhelm upgrade --install rancher\nThe Prime edition does not set:\nrancherImage\nsystemDefaultRegistry\nVIII. Installing Rancher 2.12 Prime GC\nFor example, to install:\n2.12.3\nRun:\nRANCHER_EDITION=prime-gc \\\nRANCHER_GC_MINOR_VERSION=2.12 \\\nRANCHER_VERSION=2.12.3 \\\nMY_HOSTNAME=rancher.rancherlsp.com \\\n./install-rancher-server.sh\nThe script automatically uses:\nhttps://charts.rancher.cn/2.12-prime/latest\nIX. Custom Harbor address\nDefault:\nharbor.rancherlsp.com\nIf the Harbor address changes:\nPRIVATE_REGISTRY=harbor.example.com \\\n./install-rancher-server.sh\nThis also updates automatically:\nsystemDefaultRegistry\nand:\nrancherImage\nX. Custom administrator password\nDefault:\nRancher12345\nTo change it:\nBOOTSTRAP_PASSWORD=\u0026#39;MyPassword@123\u0026#39; \\\n./install-rancher-server.sh\nXI. Checking deployment status\nList the Helm release:\nhelm -n cattle-system list\nList Pods:\nkubectl -n cattle-system get pods\nList Deployments:\nkubectl -n cattle-system get deploy\nList Services:\nkubectl -n cattle-system get svc\nList Ingresses:\nkubectl -n cattle-system get ingress\nXII. Upgrading Rancher\nFor example, to upgrade to:\n2.13.1\nRun:\nRANCHER_VERSION=2.13.1 \\\n./install-rancher-server.sh\nThe script automatically runs:\nhelm upgrade\nIt does not install a second time.\nXIII. Uninstalling Rancher\nUninstall the release:\nhelm uninstall rancher -n cattle-system\nDelete the namespace:\nkubectl delete ns cattle-system\nXIV. FAQ\n1. Helm repo is unreachable\nTest:\nhelm repo list\nUpdate:\nhelm repo update\n2.
Rancher Pod fails to start\nInspect:\nkubectl -n cattle-system describe pod \u0026lt;pod-name\u0026gt;\nLogs:\nkubectl -n cattle-system logs -f \u0026lt;pod-name\u0026gt;\n3. Domain name is unreachable\nCheck:\nkubectl -n cattle-system get ingress\nCheck DNS:\nnslookup rancher.rancherlsp.com\n4. Redirect problems with external TLS\nConfirm that:\nkubectl get configmap \\\n  -n kube-system \\\n  rke2-ingress-nginx-controller \\\n  -o yaml\ncontains:\ndata:\n  use-forwarded-headers: \u0026#34;true\u0026#34;\nIf it is missing:\nkubectl patch configmap \\\n  rke2-ingress-nginx-controller \\\n  -n kube-system \\\n  --type merge \\\n  -p \u0026#39;{\u0026#34;data\u0026#34;:{\u0026#34;use-forwarded-headers\u0026#34;:\u0026#34;true\u0026#34;}}\u0026#39;\nRestart Ingress:\nkubectl rollout restart deployment \\\n  rke2-ingress-nginx-controller \\\n  -n kube-system\n","date":"2026-06-19","externalUrl":null,"permalink":"/posts/posts/rancher/rancher-install-shell/","section":"Posts","summary":"I. About this document\nThis document explains how to use install-rancher-server.sh.\nWhat the script does:\nInstalls Helm automatically\nConfigures the RKE2 Ingress Nginx forwarded headers automatically\nAdds the Rancher Helm repo automatically\nSupports Rancher Prime\nSupports Rancher Prime GC\nSupports a specified Rancher version\nSupports a specified Rancher hostname\nSupports a Harbor private image registry\nSupports Helm upgrade/install\nII. Prerequisites\nKubernetes cluster\nInstalled and running:\n","title":"Rancher Server one-click install script usage guide","type":"posts"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/posts/rke2/","section":"Posts","summary":"","title":"rke2","type":"posts"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/categories/rke2/","section":"Categories","summary":"","title":"Rke2","type":"categories"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/rke2/","section":"Tags","summary":"","title":"Rke2","type":"tags"},{"content":"About this document\nThis document describes deploying an RKE2 cluster through Harbor Proxy Cache.\nCurrent environment:\nItem Value\nHarbor address harbor.rancherlsp.com\nHarbor version 2.14.4\nRKE2 installation method official install script\nImage acceleration method Harbor Proxy Cache\nContainer runtime containerd\nkubectl installation bundled with RKE2\ncrictl installation bundled with RKE2\nI. Harbor preparation\n1. Create Registry Endpoints\nGo to:\nAdministration\n└── Registries\nCreate the following endpoints:\nName Provider Endpoint\ndocker.io Docker Hub default\nregistry.rancher.com
Docker Registry https://registry.rancher.com\nregistry.k8s.io Docker Registry https://registry.k8s.io\nquay.io Docker Registry https://quay.io\nghcr.io Docker Registry https://ghcr.io\ngcr.io Docker Registry https://gcr.io\nAll connection tests should pass:\nHealthy\n2. Create Proxy Cache projects\nGo to:\nProjects\n└── New Project\nTick:\nProxy Cache\nCreate:\ndocker.io\nregistry.rancher.com\nregistry.k8s.io\nquay.io\nghcr.io\ngcr.io\nand link each one to its endpoint.\nII. One-click install script\nSave the following script:\nvi install-rke2.sh\nContents:\n#!/usr/bin/env bash\nset -euo pipefail\n\n# =========================\n# Configurable variables\n# =========================\nRKE2_VERSION=\u0026#34;${RKE2_VERSION:-v1.34.7+rke2r1}\u0026#34;\nHARBOR_REGISTRY=\u0026#34;${HARBOR_REGISTRY:-harbor.rancherlsp.com}\u0026#34;\nINSTALL_TYPE=\u0026#34;${INSTALL_TYPE:-server}\u0026#34;\n\n# Required for agent nodes\nRKE2_SERVER_URL=\u0026#34;${RKE2_SERVER_URL:-}\u0026#34;\nRKE2_TOKEN=\u0026#34;${RKE2_TOKEN:-}\u0026#34;\n\n# =========================\n# Basic checks\n# =========================\nif [[ \u0026#34;$(id -u)\u0026#34; -ne 0 ]]; then\n  echo \u0026#34;请使用root用户执行\u0026#34;\n  exit 1\nfi\n\nif [[ \u0026#34;${INSTALL_TYPE}\u0026#34; != \u0026#34;server\u0026#34; \u0026amp;\u0026amp; \u0026#34;${INSTALL_TYPE}\u0026#34; != \u0026#34;agent\u0026#34; ]]; then\n  echo \u0026#34;INSTALL_TYPE只能是server或agent\u0026#34;\n  exit 1\nfi\n\nif [[ \u0026#34;${INSTALL_TYPE}\u0026#34; == \u0026#34;agent\u0026#34; ]]; then\n  if [[ -z \u0026#34;${RKE2_SERVER_URL}\u0026#34; || -z \u0026#34;${RKE2_TOKEN}\u0026#34; ]]; then\n    echo \u0026#34;agent模式必须指定RKE2_SERVER_URL和RKE2_TOKEN\u0026#34;\n    exit 1\n  fi\nfi\n\nmkdir -p /etc/rancher/rke2\n\n# =========================\n# Configure the Harbor image proxy\n# =========================\n# \\$1 is escaped so that the shell writes a literal $1 (the regex capture group) into the file\ncat \u0026gt; /etc/rancher/rke2/registries.yaml \u0026lt;\u0026lt;EOF\nmirrors:\n  docker.io:\n    endpoint:\n      - https://${HARBOR_REGISTRY}\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;docker.io/\\$1\u0026#34;\n  quay.io:\n    endpoint:\n      - https://${HARBOR_REGISTRY}\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;quay.io/\\$1\u0026#34;\n  gcr.io:\n    endpoint:\n      - https://${HARBOR_REGISTRY}\n    rewrite:
      \u0026#34;(^.+$)\u0026#34;: \u0026#34;gcr.io/\\$1\u0026#34;\n  ghcr.io:\n    endpoint:\n      - https://${HARBOR_REGISTRY}\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;ghcr.io/\\$1\u0026#34;\n  registry.k8s.io:\n    endpoint:\n      - https://${HARBOR_REGISTRY}\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;registry.k8s.io/\\$1\u0026#34;\n  registry.rancher.com:\n    endpoint:\n      - https://${HARBOR_REGISTRY}\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;registry.rancher.com/\\$1\u0026#34;\nEOF\n\n# =========================\n# Agent configuration\n# =========================\nif [[ \u0026#34;${INSTALL_TYPE}\u0026#34; == \u0026#34;agent\u0026#34; ]]; then\ncat \u0026gt; /etc/rancher/rke2/config.yaml \u0026lt;\u0026lt;EOF\nserver: ${RKE2_SERVER_URL}\ntoken: ${RKE2_TOKEN}\nEOF\nfi\n\n# =========================\n# Install RKE2\n# =========================\ncurl -sfL https://get.rke2.io | \\\n  INSTALL_RKE2_VERSION=\u0026#34;${RKE2_VERSION}\u0026#34; \\\n  INSTALL_RKE2_TYPE=\u0026#34;${INSTALL_TYPE}\u0026#34; \\\n  sh -\n\n# =========================\n# Start the service\n# =========================\nif [[ \u0026#34;${INSTALL_TYPE}\u0026#34; == \u0026#34;server\u0026#34; ]]; then\n  systemctl enable rke2-server\n  systemctl start rke2-server\nelse\n  systemctl enable rke2-agent\n  systemctl start rke2-agent\nfi\n\n# =========================\n# Set up the command-line tools\n# =========================\nln -sf /var/lib/rancher/rke2/bin/kubectl /usr/bin/kubectl\nln -sf /var/lib/rancher/rke2/bin/ctr /usr/bin/ctr\nln -sf /var/lib/rancher/rke2/bin/crictl /usr/bin/crictl\n\n# =========================\n# Configure crictl\n# =========================\ncrictl config runtime-endpoint unix:///run/k3s/containerd/containerd.sock\ncrictl config image-endpoint unix:///run/k3s/containerd/containerd.sock\n\n# =========================\n# Configure kubeconfig\n# =========================\nif [[ \u0026#34;${INSTALL_TYPE}\u0026#34; == \u0026#34;server\u0026#34; ]]; then\n  mkdir -p /root/.kube\n  cp /etc/rancher/rke2/rke2.yaml /root/.kube/config\n  chmod 600 /root/.kube/config\nfi\n\necho\necho \u0026#34;=======================================\u0026#34;\necho
\u0026#34;RKE2 安装完成\u0026#34;\necho \u0026#34;=======================================\u0026#34;\necho \u0026#34;Version : ${RKE2_VERSION}\u0026#34;\necho \u0026#34;Type : ${INSTALL_TYPE}\u0026#34;\necho \u0026#34;Harbor : ${HARBOR_REGISTRY}\u0026#34;\necho \u0026#34;=======================================\u0026#34;\nIII. Installing a server node\nMake the script executable:\nchmod +x install-rke2.sh\nInstall:\n./install-rke2.sh\nWith a specific version:\nRKE2_VERSION=v1.34.7+rke2r1 ./install-rke2.sh\nIV. Getting the token\nOn the master node:\ncat /var/lib/rancher/rke2/server/node-token\nExample output:\nK10c0f4d5a4e3......\nKeep it for later use.\nV. Installing an agent node\nRun:\nINSTALL_TYPE=agent \\\nRKE2_SERVER_URL=https://192.168.1.100:9345 \\\nRKE2_TOKEN=K10c0f4d5a4e3...... \\\n./install-rke2.sh\nVI. Verifying the cluster\nSet the environment variable:\nexport KUBECONFIG=/etc/rancher/rke2/rke2.yaml\nList nodes:\nkubectl get nodes\nList Pods:\nkubectl get pods -A\nVII. Verifying the Harbor cache\nTest an image pull:\ncrictl pull registry.rancher.com/rancher/rke2-runtime:v1.34.7-rke2r1\nIn Harbor, go to:\nProjects\n└── registry.rancher.com\nYou should see that the image\nrancher/rke2-runtime\nhas been cached.\nVIII. Common commands\nList nodes:\nkubectl get nodes -o wide\nList Pods:\nkubectl get pods -A\nList images:\ncrictl images\nList containers:\ncrictl ps -a\nList containerd images:\nctr -n k8s.io images ls\nCheck RKE2 status:\nsystemctl status rke2-server\nView logs:\njournalctl -u rke2-server -f\nAgent logs:\njournalctl -u rke2-agent -f\n","date":"2026-06-19","externalUrl":null,"permalink":"/posts/posts/rke2/rke2-install-shell/","section":"Posts","summary":"About this document\nThis document describes deploying an RKE2 cluster through Harbor Proxy Cache.\nCurrent environment:\nItem Value\nHarbor address harbor.rancherlsp.com\nHarbor version 2.14.4\nRKE2 installation method official install script\nImage acceleration method Harbor Proxy Cache\nContainer runtime containerd\nkubectl installation bundled with RKE2\ncrictl installation bundled with RKE2\nI. Harbor preparation\n1. Create Registry Endpoints\nGo to:\n","title":"RKE2 cluster one-click install script usage guide","type":"posts"},{"content":"Guide to deploying RKE2 through Harbor Proxy Cache\nEnvironment\nItem Details\nHarbor version 2.14.4\nHarbor address harbor.rancherlsp.com\nRKE2 version v1.34.7+rke2r1\nImage proxy method Harbor Proxy Cache\nContainer runtime containerd\nI. Harbor configuration\n1.
Create Registry Endpoints\nGo to:\nAdministration\n└── Registries\nCreate the following endpoints:\nName Provider Endpoint\ndocker.io Docker Hub default\nregistry.rancher.com Docker Registry https://registry.rancher.com\nregistry.k8s.io Docker Registry https://registry.k8s.io\nquay.io Docker Registry https://quay.io\nghcr.io Docker Registry https://ghcr.io\ngcr.io Docker Registry https://gcr.io\nEvery connection test should show:\nHealthy\n2. Create Proxy Cache projects\nGo to:\nProjects\n└── New Project\nTick:\nProxy Cache\nCreate one project for each of:\ndocker.io\nregistry.rancher.com\nregistry.k8s.io\nquay.io\nghcr.io\ngcr.io\nand link each one to its endpoint.\nEnd result:\ndocker.io\nregistry.rancher.com\nregistry.k8s.io\nquay.io\nghcr.io\ngcr.io\nare all projects of type:\nProxy Cache\nII. RKE2 node configuration\nCreate the directory:\nmkdir -p /etc/rancher/rke2\nCreate registries.yaml\nFile:\nvi /etc/rancher/rke2/registries.yaml\nContents:\nmirrors:\n  docker.io:\n    endpoint:\n      - https://harbor.rancherlsp.com\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;docker.io/$1\u0026#34;\n  quay.io:\n    endpoint:\n      - https://harbor.rancherlsp.com\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;quay.io/$1\u0026#34;\n  gcr.io:\n    endpoint:\n      - https://harbor.rancherlsp.com\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;gcr.io/$1\u0026#34;\n  ghcr.io:\n    endpoint:\n      - https://harbor.rancherlsp.com\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;ghcr.io/$1\u0026#34;\n  registry.k8s.io:\n    endpoint:\n      - https://harbor.rancherlsp.com\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;registry.k8s.io/$1\u0026#34;\n  registry.rancher.com:\n    endpoint:\n      - https://harbor.rancherlsp.com\n    rewrite:\n      \u0026#34;(^.+$)\u0026#34;: \u0026#34;registry.rancher.com/$1\u0026#34;\nconfigs:\n  harbor.rancherlsp.com:\n    auth:\n      username: admin\n      password: HarborPassword\nIf Harbor uses a self-signed certificate:\nconfigs:\n  harbor.rancherlsp.com:\n    auth:\n      username: admin\n      password: HarborPassword\n    tls:\n      insecure_skip_verify: true\nIII. Installing the RKE2 server\nRun:\ncurl -sfL https://get.rke2.io | \\\n  INSTALL_RKE2_VERSION=v1.34.7+rke2r1 \\\n  INSTALL_RKE2_TYPE=server \\\n  sh -\nStart the service:\nsystemctl enable rke2-server\nsystemctl start rke2-server\nCheck status:\nsystemctl status rke2-server\nView logs:\njournalctl -u rke2-server
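-f\nIV. Getting the node token\nOn the master node, run:\ncat /var/lib/rancher/rke2/server/node-token\nRecord the output.\nFor example:\nK10f8b8f0d2a4b5a...\nV. Installing agent nodes\nCopy the same:\n/etc/rancher/rke2/registries.yaml\nto every agent node.\nInstall:\ncurl -sfL https://get.rke2.io | \\\n  INSTALL_RKE2_VERSION=v1.34.7+rke2r1 \\\n  INSTALL_RKE2_TYPE=agent \\\n  sh -\nConfigure:\nmkdir -p /etc/rancher/rke2\nCreate:\nvi /etc/rancher/rke2/config.yaml\nContents:\nserver: https://\u0026lt;MASTER-IP\u0026gt;:9345\ntoken: \u0026lt;NODE-TOKEN\u0026gt;\nStart:\nsystemctl enable rke2-agent\nsystemctl start rke2-agent\nVI. Verifying the image proxy\nTest a pull:\n/var/lib/rancher/rke2/bin/crictl pull \\\n  registry.rancher.com/rancher/rke2-runtime:v1.34.7-rke2r1\nOnce it succeeds, go to Harbor:\nProjects\n└── registry.rancher.com\nYou can see that the image\nrancher/rke2-runtime\nhas been cached automatically.\nVII. Verifying the cluster\nOn the master node, run:\nexport KUBECONFIG=/etc/rancher/rke2/rke2.yaml\nList nodes:\nkubectl get nodes\nList system Pods:\nkubectl get pods -A\nList images:\ncrictl images\nVIII. Further extension\nWhen installing the following components:\nRancher\nLonghorn\nCert-Manager\nMonitoring\nLogging\nIstio\nCilium\nimages from:\ndocker.io\nquay.io\nghcr.io\nregistry.k8s.io\nregistry.rancher.com\ngo through Harbor Proxy Cache automatically, with no need to change the image addresses in the Helm charts.\nResulting path:\nNode\n↓\nRKE2/containerd\n↓\nHarbor Proxy Cache\n↓\nInternet Registry\nThe first pull populates the cache; all later pulls are served from Harbor's local copy.\n","date":"2026-06-19","externalUrl":null,"permalink":"/posts/posts/rke2/rke2-install-with-harborproxy/","section":"Posts","summary":"Guide to deploying RKE2 through Harbor Proxy Cache\nEnvironment\nItem Details\nHarbor version 2.14.4\nHarbor address harbor.rancherlsp.com\nRKE2 version v1.34.7+rke2r1\nImage proxy method Harbor Proxy Cache\nContainer runtime containerd\nI. Harbor configuration\n1. Create Registry Endpoints\nGo to:\n","title":"Guide to deploying RKE2 through Harbor Proxy Cache","type":"posts"},{"content":"1. About this document\nThis document explains how to install SUSE Observability on an RKE2 Kubernetes cluster. The installation covers preparing the Longhorn storage environment, preparing images for an offline/private image registry, preparing certificates, configuring Helm values, and installing SUSE Observability.\nNote: the domain names, IPs, Harbor address, user names, passwords, License Key and similar values in this document are examples or values from the on-site environment. In production, replace them to match your environment, and avoid committing plaintext passwords to code repositories or shared documents.\n2.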
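Environment\nItem Example value\nKubernetes distribution RKE2\nStorage Longhorn\nSUSE Observability chart version 2.10.1\nSUSE Observability namespace suse-observability\nLonghorn namespace longhorn-system\nPrivate image registry harbor.rancherlsp.com\nSUSE Observability hostname o11y.rancherlsp.com\nOTLP gRPC hostname o11y-otlp.rancherlsp.com\nOTLP HTTP hostname o11y-otlp-http.rancherlsp.com\nTLS Secret name suse-o11y-tls\n3. Prerequisites\nBefore installing, confirm that the following conditions are met:\nThe RKE2 cluster is running normally.\nkubectl can reach the target cluster.\nHelm is installed and working.\nThe Rancher UI is reachable; it is used to deploy Longhorn.\nThe Harbor private image registry is deployed and reachable from the cluster nodes.\nA SUSE Observability License Key is available.\nDNS records or local hosts entries are in place, for example:\n192.168.50.22 o11y.rancherlsp.com\n192.168.50.22 o11y-otlp.rancherlsp.com\n192.168.50.22 o11y-otlp-http.rancherlsp.com\nIf the Ingress VIP or LoadBalancer IP is not 192.168.50.22, adjust to the actual address.\n4. Preparing the Longhorn environment\n4.1 Install longhornctl\nRun the following on a node that can reach the Kubernetes cluster:\ncurl -L https://github.com/longhorn/cli/releases/download/v1.12.0/longhornctl-linux-amd64 -o longhornctl\nchmod +x longhornctl\nmv ./longhornctl /usr/local/bin/longhornctl\n4.2 Create the Longhorn namespace\nkubectl create namespace longhorn-system\nIf the namespace already exists, the resulting message can be ignored.\n4.3 Set KUBECONFIG\nexport KUBECONFIG=/root/.kube/config\n4.4 Run the Longhorn preflight checks\nlonghornctl install preflight\nlonghornctl check preflight\nConfirm that the preflight result has no blocking errors. If dependencies, kernel modules or system settings are missing, fix them first as prompted.\n4.5 Deploy Longhorn through the Rancher UI\nAfter the preflight checks, deploy Longhorn in the Rancher UI:\nLog in to the Rancher UI.\nOpen the target RKE2 cluster.\nGo to Apps / Charts.\nSearch for and select Longhorn.\nInstall it into the longhorn-system namespace.\nKeep the default settings.\nWait until all Longhorn Pods are Running.\nVerify Longhorn status:\nkubectl -n longhorn-system get pods\nkubectl get storageclass\nConfirm that the Longhorn StorageClass exists and the Longhorn components are running normally.\n5.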
Preparing images\nRun this step on the Harbor node, or on a node that can reach both the internet and Harbor.\n5.1 Add the SUSE Observability Helm repo\nhelm repo add suse-observability https://charts.rancher.com/server-charts/prime/suse-observability\nhelm repo update\n5.2 Download the SUSE Observability chart\nhelm fetch suse-observability/suse-observability --version 2.10.1\nAfter the download, a file like the following appears in the current directory:\nsuse-observability-2.10.1.tgz\n5.3 Download the values helper chart\nhelm fetch suse-observability/suse-observability-values --version 2.10.1\nAfter the download, a file like the following appears in the current directory:\nsuse-observability-values-2.10.1.tgz\nThe actual file name is whatever Helm downloads.\n5.4 Download the image handling scripts\ncurl -LO https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/suse-observability/installation/o11y-get-images.sh\ncurl -LO https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/suse-observability/installation/o11y-save-images.sh\ncurl -LO https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/suse-observability/installation/o11y-load-images.sh\n5.5 Make the scripts executable\nchmod a+x o11y-get-images.sh o11y-save-images.sh o11y-load-images.sh\n5.6 Extract the image list\n./o11y-get-images.sh -f suse-observability-2.10.1.tgz \u0026gt; o11y-images.txt\nCheck the image list:\ncat o11y-images.txt\n5.7 Configure Harbor credentials\nexport DST_REGISTRY_USERNAME=\u0026#34;admin\u0026#34;\nexport DST_REGISTRY_PASSWORD=\u0026#34;\u0026lt;Harbor admin password\u0026gt;\u0026#34;\nReplace \u0026lt;Harbor admin password\u0026gt; with the actual Harbor password. In production, keeping plaintext passwords in shell history is not recommended.\n5.8 Push the images to Harbor\nChoose the image sync method that fits your environment. The usual flow is:\nPull the images SUSE Observability needs from the source registry.\nSave the images as an offline bundle, or retag them directly.\nPush them to the Harbor private registry.\nConfirm that the images exist in Harbor.\nFor example operations, see the help output of the downloaded scripts:\n./o11y-save-images.sh --help\n./o11y-load-images.sh --help\nIf the target environment is fully offline, save the images on a connected node and load and push them on the offline Harbor node.\n6. Installing SUSE Observability\nRun the following steps on the RKE2 cluster management node.\n6.1 Add the Helm repo\nhelm repo add suse-observability https://charts.rancher.com/server-charts/prime/suse-observability\nhelm repo update\n6.2 Create the namespace\nkubectl create namespace suse-observability\nIf the namespace already exists, the resulting message can be ignored.\n7.
Preparing the TLS certificate\n7.1 Generate a self-signed certificate\nRun the following command to generate a self-signed certificate:\n./create_self-signed-cert.sh \\\n  --ssl-domain=o11y.rancherlsp.com \\\n  --ssl-trusted-domain=o11y-otlp.rancherlsp.com,o11y-otlp-http.rancherlsp.com \\\n  --ssl-trusted-ip=192.168.50.22,192.168.50.23,192.168.50.24 \\\n  --ssl-size=2048 \\\n  --ssl-date=3650\nThis should produce the following files:\ntls.crt\ntls.key\n7.2 Create the Kubernetes TLS Secret\nkubectl -n suse-observability create secret tls suse-o11y-tls \\\n  --cert=tls.crt \\\n  --key=tls.key\nVerify the Secret:\nkubectl -n suse-observability get secret suse-o11y-tls\n8. Preparing Helm values\n8.1 Create values.yaml\nCreate the values.yaml file:\nglobal:\n  # Optional: override the default image registry.\n  # The default image registry is registry.rancher.com.\n  # Set this in offline environments or when using a private image registry.\n  imageRegistry: \u0026#34;harbor.rancherlsp.com\u0026#34;\n  suseObservability:\n    # Required: SUSE Observability License Key\n    license: \u0026#34;\u0026lt;SUSE Observability License Key\u0026gt;\u0026#34;\n    # Required: SUSE Observability base URL\n    baseUrl: \u0026#34;https://o11y.rancherlsp.com\u0026#34;\n    # Required: sizing profile\n    # Allowed values: trial, 10-nonha, 20-nonha, 50-nonha, 100-nonha,\n    # 150-ha, 250-ha, 500-ha, 4000-ha\n    sizing:\n      profile: \u0026#34;trial\u0026#34;\n    # Required: administrator password in plaintext\n    # In production, prefer adminPasswordBcrypt over a plaintext password\n    adminPassword: \u0026#34;\u0026lt;Admin Password\u0026gt;\u0026#34;\n    # To use a bcrypt-hashed password, generate it like this:\n    # htpasswd -bnBC 10 \u0026#34;\u0026#34; \u0026#34;your-password\u0026#34; | tr -d \u0026#39;:\\n\u0026#39;\n    # adminPasswordBcrypt: \u0026#34;$2a$10$...\u0026#34;\n    # Optional: Receiver API Key, generated automatically when not set\n    # receiverApiKey: \u0026#34;your-receiver-api-key\u0026#34;\n    # Optional: Pod scheduling affinity\n    # affinity:\n    #   nodeAffinity: ...
    #   podAntiAffinity:\n    #     requiredDuringSchedulingIgnoredDuringExecution: true\nReplace \u0026lt;SUSE Observability License Key\u0026gt; and \u0026lt;Admin Password\u0026gt; with the actual values.\n8.2 Create ingress_values.yaml\nCreate the ingress_values.yaml file:\ningress:\n  enabled: true\n  annotations:\n    nginx.ingress.kubernetes.io/proxy-body-size: \u0026#34;50m\u0026#34;\n    nginx.ingress.kubernetes.io/ssl-redirect: \u0026#34;true\u0026#34;\n  hosts:\n    - host: o11y.rancherlsp.com\n  tls:\n    - hosts:\n        - o11y.rancherlsp.com\n      secretName: suse-o11y-tls\n9. Running the Helm install\nRun the following command to install SUSE Observability:\nhelm upgrade \\\n  --install \\\n  --version 2.10.1 \\\n  --namespace suse-observability \\\n  --values values.yaml \\\n  --values ingress_values.yaml \\\n  suse-observability \\\n  suse-observability/suse-observability\n10. Post-install verification\n10.1 Check the Helm release\nhelm -n suse-observability list\nhelm -n suse-observability status suse-observability\n10.2 Check Pod status\nkubectl -n suse-observability get pods\nWait until all core components are Running or Completed.\nTo keep watching:\nkubectl -n suse-observability get pods -w\n10.3 Check the Service and Ingress\nkubectl -n suse-observability get svc\nkubectl -n suse-observability get ingress\nConfirm that the Ingress lists o11y.rancherlsp.com and is bound to the correct Ingress Controller address.\n10.4 Browser access\nOpen:\nhttps://o11y.rancherlsp.com\nLog in with the administrator account and password configured at install time.\nThe administrator password is the value of global.suseObservability.adminPassword in values.yaml.\n11.
Common troubleshooting commands\n11.1 Inspect failing Pods\nkubectl -n suse-observability get pods\nkubectl -n suse-observability describe pod \u0026lt;pod-name\u0026gt;\n11.2 View Pod logs\nkubectl -n suse-observability logs \u0026lt;pod-name\u0026gt;\nIf the Pod has more than one container:\nkubectl -n suse-observability logs \u0026lt;pod-name\u0026gt; -c \u0026lt;container-name\u0026gt;\n11.3 View events\nkubectl -n suse-observability get events --sort-by=.metadata.creationTimestamp\n11.4 Check image pull problems\nIf a Pod shows ImagePullBackOff or ErrImagePull, check:\nWhether global.imageRegistry is set to the correct Harbor address.\nWhether the required images exist in Harbor.\nWhether the cluster nodes can reach Harbor.\nWhether the nodes trust the Harbor certificate.\nWhether an imagePullSecret is needed.\n11.5 Check Ingress access problems\nIf https://o11y.rancherlsp.com is unreachable, check:\nkubectl -n suse-observability get ingress\nkubectl -n suse-observability describe ingress\nkubectl -n ingress-nginx get pods\nAlso confirm:\nWhether DNS or hosts resolves correctly to the Ingress address.\nWhether the TLS Secret suse-o11y-tls exists.\nWhether the Ingress Controller is running normally.\nWhether the firewall allows ports 80/443.\n11.6 Check Longhorn storage problems\nkubectl -n longhorn-system get pods\nkubectl get storageclass\nkubectl get pvc -A\nIf a PVC cannot be bound, confirm that the Longhorn StorageClass is healthy and check the volume state in the Longhorn UI.\n12. Uninstalling\nTo uninstall SUSE Observability, run:\nhelm -n suse-observability uninstall suse-observability\nIf the namespace is no longer needed, delete it:\nkubectl delete namespace suse-observability\nDeleting the namespace removes the resources in it. In production, first confirm the data backup and the handling of persistent volumes.\n13. Installation flow summary\n# 1. Prepare Longhorn\ncurl -L https://github.com/longhorn/cli/releases/download/v1.12.0/longhornctl-linux-amd64 -o longhornctl\nchmod +x longhornctl\nmv ./longhornctl /usr/local/bin/longhornctl\nkubectl create namespace longhorn-system\nexport KUBECONFIG=/root/.kube/config\nlonghornctl install preflight\nlonghornctl check preflight\n\n# 2. Deploy Longhorn in the Rancher UI, keeping the default settings\n\n# 3.
Download the SUSE Observability chart and the image scripts\nhelm repo add suse-observability https://charts.rancher.com/server-charts/prime/suse-observability\nhelm repo update\nhelm fetch suse-observability/suse-observability --version 2.10.1\nhelm fetch suse-observability/suse-observability-values --version 2.10.1\ncurl -LO https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/suse-observability/installation/o11y-get-images.sh\ncurl -LO https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/suse-observability/installation/o11y-save-images.sh\ncurl -LO https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/suse-observability/installation/o11y-load-images.sh\nchmod a+x o11y-get-images.sh o11y-save-images.sh o11y-load-images.sh\n./o11y-get-images.sh -f suse-observability-2.10.1.tgz \u0026gt; o11y-images.txt\n\n# 4. Create the SUSE Observability namespace\nkubectl create namespace suse-observability\n\n# 5. Create the TLS Secret\nkubectl -n suse-observability create secret tls suse-o11y-tls \\\n  --cert=tls.crt \\\n  --key=tls.key\n\n# 6. Install SUSE Observability\nhelm upgrade \\\n  --install \\\n  --version 2.10.1 \\\n  --namespace suse-observability \\\n  --values values.yaml \\\n  --values ingress_values.yaml \\\n  suse-observability \\\n  suse-observability/suse-observability\n","date":"2026-06-19","externalUrl":null,"permalink":"/posts/posts/observability/o11y-install/","section":"Posts","summary":"1.
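Document overview # This document guides the installation of SUSE Observability in an RKE2 Kubernetes cluster. The installation process covers preparing the Longhorn storage environment, preparing images for an offline/private image registry, preparing certificates, configuring Helm values, and installing SUSE Observability.\nNote: The domain names, IPs, Harbor address, usernames, passwords, License Key and similar values in this document are examples or values from the on-site environment. In production, replace them according to your actual situation, and avoid committing plaintext passwords to code repositories or shared documents.\n","title":"SUSE Observability installation and deployment guide","type":"posts"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/%E9%83%A8%E7%BD%B2/","section":"Tags","summary":"","title":"Deployment","type":"tags"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"This is a Chinese-language technical blog focused on engineering practice, mainly recording accumulated knowledge on Linux, cloud native, AI and related areas.\nContent areas # Linux system administration, performance analysis, troubleshooting Kubernetes, containers, service mesh, platform engineering AI Writing principles # Articles start from real problems wherever possible and keep the context, commands, configuration and troubleshooting process. Technical keywords are kept in English, and the body text is written mainly in Chinese.\nContact # You can change the GitHub link, email address and personal introduction in the site configuration.\n","date":"2026-06-19","externalUrl":null,"permalink":"/pages/about/","section":"Pages","summary":"This is a Chinese-language technical blog focused on engineering practice, mainly recording accumulated knowledge on Linux, cloud native, AI and related areas.\nContent areas # Linux system administration, performance analysis, troubleshooting Kubernetes, containers, service mesh, platform engineering AI Writing principles # 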
Articles start from real problems wherever possible and keep the context, commands, configuration and troubleshooting process. Technical keywords are kept in English, and the body text is written mainly in Chinese.\n","title":"About","type":"pages"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/%E8%84%9A%E6%9C%AC/","section":"Tags","summary":"","title":"Scripts","type":"tags"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/","section":"Home","summary":"","title":"Home","type":"page"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/%E6%80%A7%E8%83%BD%E6%8E%92%E6%9F%A5/","section":"Tags","summary":"","title":"Performance troubleshooting","type":"tags"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/%E8%BF%90%E7%BB%B4/","section":"Tags","summary":"","title":"Operations","type":"tags"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":"","date":"2026-06-19","externalUrl":null,"permalink":"/tags/%E8%87%AA%E5%8A%A8%E5%8C%96/","section":"Tags","summary":"","title":"Automation","type":"tags"},{"content":"","date":"2026-06-18","externalUrl":null,"permalink":"/tags/kubernetes/","section":"Tags","summary":"","title":"Kubernetes","type":"tags"},{"content":"Kubernetes has many objects, but when starting out you can first understand application delivery as the cooperation of a few core objects.\nDeployment # A Deployment describes the application's replicas, image version and rolling update strategy. It is responsible for continuously syncing the desired state into the cluster.\napiVersion: apps/v1 kind: Deployment metadata: name: demo-api spec: replicas: 2 selector: matchLabels: app: demo-api template: metadata: labels: app: demo-api spec: containers: - name: api image: nginx:1.27 Service # Pods change, and a Service provides a stable access point. Applications usually do not access Pod IPs directly but go through the Service.\nConfigMap # A ConfigMap stores non-sensitive configuration, such as log levels, feature switches and ordinary configuration files. Sensitive information should use a Secret or an external secrets system.\nIngress # Ingress forwards traffic from outside the cluster to services inside it, and is usually used together with Nginx Ingress Controller, Traefik or a cloud provider's gateway.\nSummary # For the first stage, remember one main thread: Deployment runs the application, Service exposes a stable entry point, ConfigMap injects configuration, and Ingress 
brings in external traffic.\n","date":"2026-06-18","externalUrl":null,"permalink":"/posts/posts/cloud-native/kubernetes-workload-overview/","section":"Posts","summary":"Kubernetes has many objects, but when starting out you can first understand application delivery as the cooperation of a few core objects.\nDeployment # A Deployment describes the application's replicas, image version and rolling update strategy. It is responsible for continuously syncing the desired state into the cluster.\napiVersion: apps/v1 kind: Deployment metadata: name: demo-api spec: replicas: 2 selector: matchLabels: app: demo-api template: metadata: labels: app: demo-api spec: containers: - name: api image: nginx:1.27 Service # Pods change, and a Service provides a stable access point. Applications usually do not access Pod IPs directly but go through the Service.\n","title":"A minimal mental model for Kubernetes workloads","type":"posts"},{"content":"","date":"2026-06-18","externalUrl":null,"permalink":"/series/kubernetes-%E5%85%A5%E9%97%A8%E5%88%B0%E5%AE%9E%E8%B7%B5/","section":"Series","summary":"","title":"Kubernetes from basics to practice","type":"series"},{"content":"","date":"2026-06-18","externalUrl":null,"permalink":"/tags/%E5%AE%B9%E5%99%A8/","section":"Tags","summary":"","title":"Containers","type":"tags"},{"content":"","date":"2026-06-18","externalUrl":null,"permalink":"/categories/%E4%BA%91%E5%8E%9F%E7%94%9F/","section":"Categories","summary":"","title":"Cloud native","type":"categories"},{"content":"","date":"2026-06-18","externalUrl":null,"permalink":"/posts/cloud-native/","section":"Posts","summary":"","title":"Cloud native","type":"posts"},{"content":"","date":"2026-06-18","externalUrl":null,"permalink":"/tags/%E4%BA%91%E5%8E%9F%E7%94%9F/","section":"Tags","summary":"","title":"Cloud native","type":"tags"},{"content":"","date":"2026-06-17","externalUrl":null,"permalink":"/categories/ai/","section":"Categories","summary":"","title":"AI","type":"categories"},{"content":"","date":"2026-06-17","externalUrl":null,"permalink":"/posts/ai/","section":"Posts","summary":"","title":"AI","type":"posts"},{"content":"","date":"2026-06-17","externalUrl":null,"permalink":"/series/ai-%E5%B7%A5%E7%A8%8B%E5%8C%96/","section":"Series","summary":"","title":"AI 
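engineering","type":"series"},{"content":"","date":"2026-06-17","externalUrl":null,"permalink":"/tags/ai-%E5%B7%A5%E7%A8%8B%E5%8C%96/","section":"Tags","summary":"","title":"AI engineering","type":"tags"},{"content":"","date":"2026-06-17","externalUrl":null,"permalink":"/tags/llm/","section":"Tags","summary":"","title":"LLM","type":"tags"},{"content":"","date":"2026-06-17","externalUrl":null,"permalink":"/tags/rag/","section":"Tags","summary":"","title":"RAG","type":"tags"},{"content":"RAG is a common way to connect external knowledge to a large model. There is nothing mysterious about it; in essence it is an engineering pipeline from documents to answers.\nDocument chunking # Documents need to be split into chunks suitable for retrieval. If chunks are too large, recall is imprecise; if they are too small, context is easily lost. A common approach is to split by a combination of headings, paragraphs and a fixed token count.\nVectorization # Each chunk is converted to a vector by an embedding model and written to a vector database. The metadata needs to retain information such as source, title, time and permissions.\nRetrieval # The user's question is also vectorized, and similar chunks are then looked up in the vector store. In practice this is often combined with keyword search to form hybrid retrieval.\nReranking # The initially recalled results are not necessarily the best for answering the question; a rerank model can reorder them so that more relevant chunks come first.\nGeneration # Finally, the question and the retrieval results are assembled into a prompt and handed to the large model to generate the answer. The output needs to include cited sources to reduce the risk of hallucination.\nSummary # The quality of RAG comes from the stability of every stage. More important than just tuning the prompt are document governance, retrieval evaluation and observability.\n","date":"2026-06-17","externalUrl":null,"permalink":"/posts/posts/ai/llm-rag-starter/","section":"Posts","summary":"RAG is a common way to connect external knowledge to a large model. There is nothing mysterious about it; in essence it is an engineering pipeline from documents to answers.\nDocument chunking # Documents need to be split into chunks suitable for retrieval. If chunks are too large, recall is imprecise; if they are too small, context is easily lost. A common approach is to split by a combination of headings, paragraphs and a fixed token count.\n","title":"Breaking down the basic architecture of a RAG application","type":"posts"},{"content":"","date":"2026-06-17","externalUrl":null,"permalink":"/tags/%E5%90%91%E9%87%8F%E6%A3%80%E7%B4%A2/","section":"Tags","summary":"","title":"Vector retrieval","type":"tags"},{"content":"","date":"2026-06-16","externalUrl":null,"permalink":"/tags/ci/cd/","section":"Tags","summary":"","title":"CI/CD","type":"tags"},{"content":"","date":"2026-06-16","externalUrl":null,"permalink":"/tags/cloudflare-pages/","section":"Tags","summary":"","title":"Cloudflare 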
Pages","type":"tags"},{"content":"","date":"2026-06-16","externalUrl":null,"permalink":"/categories/devops/","section":"Categories","summary":"","title":"DevOps","type":"categories"},{"content":"","date":"2026-06-16","externalUrl":null,"permalink":"/posts/devops/","section":"Posts","summary":"","title":"DevOps","type":"posts"},{"content":"","date":"2026-06-16","externalUrl":null,"permalink":"/tags/hugo/","section":"Tags","summary":"","title":"Hugo","type":"tags"},{"content":"","date":"2026-06-16","externalUrl":null,"permalink":"/tags/pagefind/","section":"Tags","summary":"","title":"Pagefind","type":"tags"},{"content":"","date":"2026-06-16","externalUrl":null,"permalink":"/series/%E5%8D%9A%E5%AE%A2%E5%B7%A5%E7%A8%8B%E5%8C%96/","section":"Series","summary":"","title":"Blog engineering","type":"series"},{"content":"Static blogs have very low operating costs and suit personal technical blogs. Hugo generates the pages, Pagefind generates the local search index, and Cloudflare Pages handles automatic builds and distribution.\nBuild command # The project's package.json provides the production build command:\nnpm run build It runs the Hugo build and then generates the Pagefind index for the public directory.\nCloudflare Pages configuration # The recommended configuration is as follows:\nSetting Value Build command npm run build Build output directory public Environment variable HUGO_VERSION=0.163.3 Node.js version 20 Search index # Pagefind writes the search assets to public/pagefind. The search page loads the search component through /pagefind/pagefind-ui.js and /pagefind/pagefind-ui.css, with no database or backend service required.\nSummary # This architecture puts the complexity in the build stage, and only static assets are hosted online. For a technical blog, performance, cost and maintainability are all fairly well balanced.\n","date":"2026-06-16","externalUrl":null,"permalink":"/posts/posts/devops/cloudflare-pages-hugo-pagefind/","section":"Posts","summary":"Static blogs have very low operating costs and suit personal technical blogs. Hugo generates the pages, Pagefind generates the local search index, and Cloudflare Pages handles automatic builds and distribution.\nBuild command # The project's package.json provides the production build command:\n","title":"Deploying Hugo and Pagefind with Cloudflare Pages","type":"posts"}]