kubeflow 1.6.1 stand-alone build
If you don’t configure the https certificate, you will get an error everywhere when you go in. It is recommended to configure HTTPS, but I still get an error after configuring https.
Manifest form construction (failed)
prerequisites
- Kubernetes (up to 1.21) with a default StorageClass
I built the binary k8s with kubeasz , and then used the StorageClass to create nfs, referring to the blogger’s construction process - kustomize (version 3.2.0) (download link)
requires downloading 3.2.0, you do not use other versions , but the official V4 version is changing
wget https://github.com/kubernetes-sigs/kustomize/releases/download/v3.2.0/kustomize_3.2.0_linux_amd64
mv kustomize_3.2.0_linux_amd64 kustomize
chmod u+x kustomize
mv kustomize /bin/
- kubectl
Install kubeflow
I installed: kubeflow 1.6.1
k8s version, 1.24.2 . After installation, a StorageClass must be set and set as the default
system: Linux Centos 7.9.2009
git clone https://github.com/kubeflow/manifests.git
cd manifests # 记得切换到1.6.1
while ! kustomize build example | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 10; done
View the access port, access through the public network IP + port
kubectl get svc -n istio-system
At this time, you log in, but an error will be reported. Check the error solution below.
Upgrade istio from k8s 1.25 or above
The istio installed in the manifests is 1.14.
First , istio 1.15 to work with k8s 1.25 . You can check the compatibility here. So upgrade istio, how to upgrade is introduced manifests-1.6.1/common/istio-1-14/README.mdin
export MANIFESTS_SRC=/media/manifests
export ISTIO_OLD=$MANIFESTS_SRC/common/istio-1-14
export ISTIO_NEW=$MANIFESTS_SRC/common/istio-1-15
cp -a $ISTIO_OLD $ISTIO_NEW
ISTIO_VERSION="1.15.2"
wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION-linux-amd64.tar.gz"
tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz
mv istio-${ISTIO_VERSION}/bin/istioctl /bin/
cd $ISTIO_NEW
istioctl profile dump demo > profile.yaml
export PATH="$MANIFESTS_SRC/scripts:$PATH"
istioctl manifest generate -f profile.yaml -f profile-overlay.yaml > dump.yaml
chmod +x split-istio-packages
split-istio-packages -f dump.yaml # 记得要现在pip3 install ruamel.yaml==0.16.12
mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
problems encountered
Solve the Pending status of MySQL and minio
You kubectl -n kubeflow get pvc mysql-pv-claim -o yamlcan see that there is nothing mysql-pv-claimin it storageClassName, find it under
the directory and add it in the spec , the name is the name you created, first , then/media/manifests/apps/pipeline/upstream/third-party/mysql/basemysql-pv-claim.yamlstorageClassName: "managed-nfs-storage"delete
kubectl apply -f mysql-pv-claim.yaml -n kubeflow
CrashLoopBackOff
After the above is fixed, the CrashLoopBackOffother pods will automatically resume running
login screenCannot load dashboard menu link
apps/centraldashboard/upstream/base/deployment.yamlAlways add environment variables hereNODE_TLS_REJECT_UNAUTHORIZED = "0"
Configure https certificate
The client enters the domain name, resolves the domain name to server ip through DNS, and finds the proxy server. Because the port occupied by the http protocol service is port 80 by default, it will access port 80 of the server, and then forward the request to a different server through the proxy server. server and port
Method 1 (doesn't work)
xxxx is a certificate that I bought a domain name from Alibaba Cloud and then applied for for free. You can download it after you pass it.
Create a secret for the domain name , the name must be istio-ingressgateway-certs to ensure that the Ingress gateway automatically loads the certificate configuration;
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key xxxx.key --cert xxxxx.pem
kubectl describe secrets istio-ingressgateway-certs -n istio-system
Name: istio-ingressgateway-certs
Namespace: istio-system
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 3834 bytes
tls.key: 1675 bytes
kubectl -n kubeflow edit gateways.networking.istio.io kubeflow-gateway
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: kubeflow-gateway
namespace: kubeflow
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- xxxxx # 你的域名
port:
name: http
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- xxxxx # 你的域名
port:
name: https
number: 443 #就是istio-ingressgateway pod暴漏的端口,对应的是service的targetPort
protocol: HTTPS
tls:
credentialName: istio-ingressgateway-certs
mode: SIMPLE
kubectl -n istio-system edit service istio-ingressgateway
spec:
allocateLoadBalancerNodePorts: true
clusterIP: 10.68.204.100
clusterIPs:
- 10.68.204.100
externalIPs:
- xxxxx # 公网ip
externalTrafficPolicy: Cluster
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: status-port
nodePort: 31573
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
nodePort: 32509
port: 80
protocol: TCP
targetPort: 8080
- name: https
nodePort: 32717 #Node 暴露出来的Port
port: 443 # Service暴露出来的Port
protocol: TCP
targetPort: 8443 #Container上暴露的Port
- name: tcp
nodePort: 31544
port: 31400
protocol: TCP
targetPort: 31400
- name: tls
nodePort: 30500
port: 15443
protocol: TCP
targetPort: 15443
selector:
app: istio-ingressgateway
istio: ingressgateway
sessionAffinity: None
type: LoadBalancer
The service that can be 32717accessed 443will be forwarded to the exposed pod 8443,
so that you can https://域名:32717/access , but after entering Cannot load dashboard menu link, do you still get an error? At this time, you can’t set the environment variable to solve the problem
juju deploy kubeflow
Install
Waiting for all pods to run normally, I opened the US server directly on Alibaba Cloud, and the domestic mirror download is troublesome
enter the dashboard
1,Logout from the current session with the exit command
2,Re-establish connection to the machine using ssh with SOCKS proxy enabled through the -D 9999 parameter. As in the example below:
Open the cmd side operation of win
ssh -D 9999 ubuntu@<machine_public_ip>
3,On your computer, go to Settings > Network > Network Proxy, and enable SOCKS proxy pointing to: 127.0.0.1:9999
4,On a new browser window, access the link given in the previous step, appended by .nip.io, for example: http://10.64.140.43.nip.io
Information and Reference
Configure the https certificate in vmware . I failed to do this. If you succeed, please give feedback on
how to play with Kubeflow Pipelines: https://developer.aliyun.com/article/986636
https://juejin.cn/post/7124944761726697502
https:// www.arrikto.com/blog/kubeflow-fundamentals-part-6-working-with-jupyter-lab-notebooks/
https://nip.io/
https://blog.csdn.net/luo15242208310/article/details/ 100653453
Installation certbot 1.31.0: https://certbot.eff.org/instructions?ws=webproduct&os=centosrhel7