Pre-Installation Check
Disabling Automatic Software Updates and Upgrades
Disable automatic software updates on nodes. Do not install Docker or upgrade containerd. For details about how to disable automatic software updates in Ubuntu, see Ubuntu Enable Automatic Updates Unattended Upgrades.
Checking the OS Language
Ensure the OS language is English.
Checking APT Repositories on Nodes Running Ubuntu
APT repositories can be checked only on nodes running Ubuntu. If your node runs Huawei Cloud EulerOS or Red Hat, check Yum repositories by referring to Checking Yum Repositories on Nodes Running Huawei Cloud EulerOS and Red Hat.
APT repositories provide the dependency packages required for installing components such as ntpdate on nodes (servers) added to on-premises clusters. Make sure the APT repositories are available on nodes. If any APT repository is unavailable, take the following steps:
- Log in to the management node as the installation user (root by default).
- Edit /etc/apt/sources.list.
Use the actual IP address of the APT server.
- Save the file and run the following command:
sudo apt-get update
- Log in to each planned node and perform the preceding operations.
Checking Yum Repositories on Nodes Running Huawei Cloud EulerOS and Red Hat
Yum repositories provide the dependency packages required for installing components such as ntpdate on nodes (servers) added to on-premises clusters. Make sure the yum repositories are available on nodes. If any yum repository is unavailable, take the following steps:
- Log in to the management node as the installation user (root by default).
- Modify the software source configuration file in /etc/yum.repos.d/.
Use the actual IP address of the yum server.
- Save the file and run the following command:
sudo yum clean all
sudo yum makecache
- Log in to each planned node and perform the preceding operations.
Minimum Installation Requirements
- Do not install unnecessary software packages in the OS.
To reduce system vulnerabilities and prevent system attacks, install only the necessary software packages and service components.
- Do not retain development and compilation tools in the production environment.
For example:
'cpp' (/usr/bin/cpp), 'gcc' (/usr/bin/gcc), 'ld' (/usr/bin/ld), 'lex' (/usr/bin/lex), 'rpcgen' (/usr/bin/rpcgen)
If interpreters such as Lua and Python are required for product deployment and execution in the production environment, these interpreters can be kept: 'python' (/usr/bin/python), 'lua' (/usr/bin/lua)
Some management programs in SUSE Linux rely on the Perl interpreter. In this case, the Perl interpreter can be kept: perl (/usr/bin/perl)
- Do not install security policy tools in the OS.
To prevent security information disclosure, ensure that user root is the file owner of the preinstalled security hardening tools, and only root has the execution permission.
- Do not install network sniffing tools in the OS.
To prevent malicious use, ensure there are no sniffing tools such as Tcpdump and Ethereal in the OS.
- Do not install modem software in the OS unless necessary.
To adhere to the principle of minimal installation, do not install modem software unless necessary.
Pre-Installation Check Items
Before installing the on-premises cluster, you need to check the nodes.
The commands in the following table apply to Huawei Cloud EulerOS and Red Hat. If you use Ubuntu, change yum in the commands to apt.
Category | Item | Description | Criteria
---|---|---|---
Cluster check | Architecture check | Architecture check for all master nodes | The architectures of all master nodes must be the same.
Cluster check | Host name check | Host name check for all master nodes | The host names of all master nodes must be unique.
Cluster check | Time synchronization check | Time synchronization check for all master nodes | The time differences among all master nodes must be less than 10 seconds.
Cluster check | VIP usage check | Whether the VIP is occupied by other nodes | The VIP must be idle. This is checked by testing whether port 22 can be accessed.
Node check | Language check | Whether the node language meets the criteria | The node language can be en_US.UTF-8 or en_GB.UTF-8.
Node check | OS check | Whether the node OS meets the criteria | The node OS must be Ubuntu 22.04, Red Hat 8.6, or Huawei Cloud EulerOS 2.0.
Node check | System command check | Whether basic command line tools are available | The OS must have the following command line tools: ifconfig, netstat, curl, systemctl, nohup, pidof, mount, uname, lsmod, swapoff, hwclock, ip, and ntpdate (for NTP servers).
Node check | Idle port check | Whether the ports of mandatory services are idle | The following ports must be idle: 4001, 4002, 4003, 2380, 2381, 2382, 4011, 4012, 4013, 4005, 4006, 4007, 5444, 8080, 10257, 10259, 4133, 20100, 9444, 20102, 9443, 5443, 4134, 4194, 10255, 10248, 10250, 80, 443, 10256, 10249, and 20101.
Node check | Keepalived installation check | Whether Keepalived is installed | Keepalived must not be installed. You can run the yum list --installed keepalived command to check that.
Node check | HAProxy installation check | Whether HAProxy is installed | HAProxy must not be installed. You can run the yum list --installed haproxy command to check that.
Node check | Runit installation check | Whether runit is installed | Runit must not be installed. You can run the yum list --installed runit command to check that.
Node check | paas user check | Whether the paas user can be created on the node | The paas user whose ID is 10000 can be created.
Node check | NTP service check | Whether the NTP service is available | The NTP server must be configured for chrony. You can run the chronyc sources -v command on the node to check the NTP server status. The NTP service uses chrony by default, and the chrony command is used for the check by default.
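
The node-level criteria above (language, command line tools, idle ports) and the minimum installation requirements (no compilers or sniffers left on the node) can be checked with a short script. The following is an added example, not part of the UCS installer or the original page; the function names, the lowercase binary names for Tcpdump and Ethereal, and the sample ss output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: node-local checks built from the criteria table above.
# Function names are hypothetical; ports, tools and locales come from the page.
REQUIRED_TOOLS="ifconfig netstat curl systemctl nohup pidof mount uname lsmod swapoff hwclock ip ntpdate"
IDLE_PORTS="4001 4002 4003 2380 2381 2382 4011 4012 4013 4005 4006 4007 5444 8080 10257 10259 4133 20100 9444 20102 9443 5443 4134 4194 10255 10248 10250 80 443 10256 10249 20101"
# Lowercase binary names for Tcpdump and Ethereal are an assumption.
DISALLOWED_BINS="cpp gcc ld lex rpcgen tcpdump ethereal"

# locale_ok VALUE -> exit 0 only for the two accepted node languages
locale_ok() {
  case "$1" in
    en_US.UTF-8|en_GB.UTF-8) return 0 ;;
    *) return 1 ;;
  esac
}

# missing_tools TOOL... -> prints each tool that is not found on PATH
missing_tools() {
  for t in "$@"; do
    command -v "$t" >/dev/null 2>&1 || printf '%s ' "$t"
  done
}

# busy_ports: reads `ss -Htln` lines on stdin, prints required ports already in use
busy_ports() {
  awk -v want="$IDLE_PORTS" '
    BEGIN { n = split(want, p, " "); for (i = 1; i <= n; i++) need[p[i]] = 1 }
    { port = $4; sub(/.*:/, "", port)   # keep what follows the last colon
      if (port in need && !seen[port]++) printf "%s ", port }'
}

# present_bins DIR NAME... -> prints the names that exist as executables in DIR
present_bins() {
  dir=$1; shift
  for b in "$@"; do [ -x "$dir/$b" ] && printf '%s ' "$b"; done
  return 0
}

# Constructed sample of `ss -Htln` output (not captured from a real node).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 [::]:10250 [::]:*
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*'

# Call this on the node being prepared; every list it prints should be empty.
run_node_checks() {
  echo "locale ok: $(locale_ok "${LANG:-}" && echo yes || echo no)"
  echo "missing tools: $(missing_tools $REQUIRED_TOOLS)"
  echo "busy ports: $(ss -Htln | busy_ports)"
  echo "disallowed binaries: $(present_bins /usr/bin $DISALLOWED_BINS)"
}
```

The Keepalived, HAProxy and runit checks are left to the package manager commands given in the table, because their output differs between yum and apt.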