操作系统: CentOS Linux release 7.6.1810

内网ip: 192.168.20.15

kubernetes: v1.15.1

docker: 19.03.1

安装docker

1
2
3
4

curl -fsSL get.docker.com -o get-docker.sh
sh get-docker.sh --mirror Aliyun
systemctl enable docker
systemctl start docker

添加docker国内镜像

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

cat <<EOF > /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ],
  "debug" : true,
  "insecure-registries" : [
    "nas.pocketdigi.com:8083"
  ],
  "experimental" : false,
  "registry-mirrors" : [
    "https://registry.docker-cn.com",
    "https://reg-mirror.qiniu.com"
  ]
}
EOF
systemctl restart docker
docker login nas.pocketdigi.com:8083

nas.pocketdigi.com:8083 是私有仓库地址，不支持https，所以需要放到insecure-registries,没有私有仓库就不需要

添加阿里云源,安装kubelet,kubeadm,kubectl

1
2
3
4
5
6
7
8
9
10
11
12

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
setenforce 0
yum install -y kubelet kubeadm kubectl
systemctl enable kubelet && systemctl start kubelet

配置iptables

1
2
3
4
5

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

关闭swap

注释掉/etc/fstab文件里swap分区，重启

创建集群

1

kubeadm init --apiserver-advertise-address=192.168.20.15 --pod-network-cidr=10.244.0.0/16 --apiserver-cert-extra-sans=nas.pocketdigi.com

因为服务器没有外网ip,是通过nginx转发的,必须通过-apiserver-cert-extra-sans 配置最终访问的外网ip或域名

如果是国内服务器，因为k8s仓库被墙，会报以下错误:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'


error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-apiserver:v1.15.1: output: Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-controller-manager:v1.15.1: output: Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-scheduler:v1.15.1: output: Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-proxy:v1.15.1: output: Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/pause:3.1: output: Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/etcd:3.3.10: output: Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/coredns:1.3.1: output: Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
, error: exit status 1

好办，我们先找台海外服务器，把相应的镜像拉下来，推到我们自己的私有仓库里，再pull,然后改tag。没有私有仓库也不要紧，我已经把1.15.1推到hub.docker.com了。

找一台能连接k8s.gcr.io的服务器:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

docker pull k8s.gcr.io/kube-apiserver:v1.15.1
docker pull k8s.gcr.io/kube-controller-manager:v1.15.1
docker pull k8s.gcr.io/kube-scheduler:v1.15.1
docker pull k8s.gcr.io/kube-proxy:v1.15.1
docker pull k8s.gcr.io/pause:3.1
docker pull k8s.gcr.io/etcd:3.3.10
docker pull k8s.gcr.io/coredns:1.3.1

docker tag k8s.gcr.io/kube-apiserver:v1.15.1 nas.pocketdigi.com:8083/k8s.gcr.io/kube-apiserver:v1.15.1
docker tag k8s.gcr.io/kube-controller-manager:v1.15.1 nas.pocketdigi.com:8083/k8s.gcr.io/kube-controller-manager:v1.15.1
docker tag k8s.gcr.io/kube-scheduler:v1.15.1 nas.pocketdigi.com:8083/k8s.gcr.io/kube-scheduler:v1.15.1
docker tag k8s.gcr.io/kube-proxy:v1.15.1 nas.pocketdigi.com:8083/k8s.gcr.io/kube-proxy:v1.15.1
docker tag k8s.gcr.io/pause:3.1 nas.pocketdigi.com:8083/k8s.gcr.io/pause:3.1
docker tag k8s.gcr.io/etcd:3.3.10 nas.pocketdigi.com:8083/k8s.gcr.io/etcd:3.3.10
docker tag k8s.gcr.io/coredns:1.3.1 nas.pocketdigi.com:8083/k8s.gcr.io/coredns:1.3.1

docker push nas.pocketdigi.com:8083/k8s.gcr.io/kube-apiserver:v1.15.1
docker push nas.pocketdigi.com:8083/k8s.gcr.io/kube-controller-manager:v1.15.1
docker push nas.pocketdigi.com:8083/k8s.gcr.io/kube-scheduler:v1.15.1
docker push nas.pocketdigi.com:8083/k8s.gcr.io/kube-proxy:v1.15.1
docker push nas.pocketdigi.com:8083/k8s.gcr.io/pause:3.1
docker push nas.pocketdigi.com:8083/k8s.gcr.io/etcd:3.3.10
docker push nas.pocketdigi.com:8083/k8s.gcr.io/coredns:1.3.1

回到安装kubernetes的机器:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

docker pull nas.pocketdigi.com:8083/k8s.gcr.io/kube-apiserver:v1.15.1
docker pull nas.pocketdigi.com:8083/k8s.gcr.io/kube-controller-manager:v1.15.1
docker pull nas.pocketdigi.com:8083/k8s.gcr.io/kube-scheduler:v1.15.1
docker pull nas.pocketdigi.com:8083/k8s.gcr.io/kube-proxy:v1.15.1
docker pull nas.pocketdigi.com:8083/k8s.gcr.io/pause:3.1
docker pull nas.pocketdigi.com:8083/k8s.gcr.io/etcd:3.3.10
docker pull nas.pocketdigi.com:8083/k8s.gcr.io/coredns:1.3.1

docker tag nas.pocketdigi.com:8083/k8s.gcr.io/kube-apiserver:v1.15.1 k8s.gcr.io/kube-apiserver:v1.15.1
docker tag nas.pocketdigi.com:8083/k8s.gcr.io/kube-controller-manager:v1.15.1 k8s.gcr.io/kube-controller-manager:v1.15.1
docker tag nas.pocketdigi.com:8083/k8s.gcr.io/kube-scheduler:v1.15.1 k8s.gcr.io/kube-scheduler:v1.15.1 
docker tag nas.pocketdigi.com:8083/k8s.gcr.io/kube-proxy:v1.15.1 k8s.gcr.io/kube-proxy:v1.15.1 
docker tag nas.pocketdigi.com:8083/k8s.gcr.io/pause:3.1 k8s.gcr.io/pause:3.1 
docker tag nas.pocketdigi.com:8083/k8s.gcr.io/etcd:3.3.10 k8s.gcr.io/etcd:3.3.10 
docker tag nas.pocketdigi.com:8083/k8s.gcr.io/coredns:1.3.1 k8s.gcr.io/coredns:1.3.1

没有条件的小伙伴，请直接使用下面的命令下载我转到hub.docker.com的镜像:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

docker pull pocketdigi/kube-apiserver:v1.15.1
docker pull pocketdigi/kube-controller-manager:v1.15.1
docker pull pocketdigi/kube-scheduler:v1.15.1
docker pull pocketdigi/kube-proxy:v1.15.1
docker pull pocketdigi/pause:3.1
docker pull pocketdigi/etcd:3.3.10
docker pull pocketdigi/coredns:1.3.1

docker tag pocketdigi/kube-apiserver:v1.15.1 k8s.gcr.io/kube-apiserver:v1.15.1
docker tag pocketdigi/kube-controller-manager:v1.15.1 k8s.gcr.io/kube-controller-manager:v1.15.1
docker tag pocketdigi/kube-scheduler:v1.15.1 k8s.gcr.io/kube-scheduler:v1.15.1 
docker tag pocketdigi/kube-proxy:v1.15.1 k8s.gcr.io/kube-proxy:v1.15.1 
docker tag pocketdigi/pause:3.1 k8s.gcr.io/pause:3.1 
docker tag pocketdigi/etcd:3.3.10 k8s.gcr.io/etcd:3.3.10 
docker tag pocketdigi/coredns:1.3.1 k8s.gcr.io/coredns:1.3.1

重新执行init:

1

kubeadm init --apiserver-advertise-address=192.168.20.15 --pod-network-cidr=10.244.0.0/16 --apiserver-cert-extra-sans=nas.pocketdigi.com

–pod-network-cidr是因为我们后面用的是flannel网络插件，默认就是这个网段

成功后得到以下信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.20.15:6443 --token m5sli6.w3z0zprk0883acuo \
    --discovery-token-ca-cert-hash sha256:114fd2e850b62e7cb9924be9fb980d75e10e3e4c8e2505eddbfdd2e0f081b964

注意保存token,token会在24小时后过期，到时如果需要往集群里加节点，需要重新创建token,discovery-token-ca-cert-hash值是不会变的

1

kubeadm token create

复制kubectl所需的配置文件:

1
2
3

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

安装网络插件flannel，先从镜像节点下载镜像

1
2
3

docker pull pocketdigi/flannel:v0.11.0-amd64
docker tag pocketdigi/flannel:v0.11.0-amd64 quay.io/coreos/flannel:v0.11.0-amd64
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

允许在master节点安装pod（默认不允许)

1

kubectl taint nodes --all node-role.kubernetes.io/master-

后期如果增加了节点，要禁止在master节点部署pod,通过以下命令恢复:

1

kubectl taint nodes kubernetes-master  node-role.kubernetes.io/master=:NoSchedule

kubernetes-master是master节点名

如果使用外部安装的rancher管理集群，会无法注册，关闭防火墙解决:

1

systemctl disable firewalld

Nginx Ingress Controller

如果要对外暴露http服务，建议安装Ingress. 官方文档

官方文档里的yaml不会暴露80，443端口，需要下载后修改。

1

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml

在nginx-ingress-controller Deployment的spec.template.spec节点下增加hostNetwork: true，即使用主机网络。
如果有多台机器，不只一个master节点，需要把Deployment改成DaemonSet，以便在每个节点都部署nginx。最后修改后如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
#  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      hostNetwork: true
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10

---

然后在master和worker节点pull镜像

1
2

docker pull pocketdigi/nginx-ingress-controller:0.25.0
docker tag pocketdigi/nginx-ingress-controller:0.25.0 quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0

在master节点执行:

1

kubectl apply -f mandatory.yaml

添加ingress-nginx Service,这一步不同主机提供商操作不同，参考官方文档，一般虚拟机就用下面的就可以了。

1

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml

导入SSL证书

1

kubectl create secret tls nas-pocketdigi-com --key private.pem  --cert fullchain.pem --namespace prod

nas-pocketdigi-com是证书名，我这个是泛域名证书,prod是指定导入的命名空间，需要先创建

测试

nginx.yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: prod
spec:
  selector:
    app: nginx
  type: ClusterIP
  ports:
  - name: default
    port: 80
    protocol: TCP
    targetPort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx
  namespace: prod
spec:
  tls:
    - hosts:
      - nginx.nas.pocketdigi.com
      secretName: nas-pocketdigi-com
  rules:
    - host: nginx.nas.pocketdigi.com
      http:
        paths:
          - backend:
              serviceName: nginx
              servicePort: 80
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx
  namespace: prod
spec:
  progressDeadlineSeconds: 180
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          imagePullPolicy: Always
          image: nginx:1.17.1-alpine
          resources:
            requests:
              memory: "256Mi"
              cpu: "0.1"
            limits:
              memory: "384Mi"
              cpu: "0.8"
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 80
              scheme: HTTP
            initialDelaySeconds: 120
            periodSeconds: 20
            successThreshold: 1
            timeoutSeconds: 2
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 80
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 20
            successThreshold: 2
            timeoutSeconds: 3

1

kubectl apply -f nginx.yaml

如果nginx.nas.pocketdigi.com已经解析到这台主机，现在应该能正常访问到nginx。

编辑器，我现在用的是Visual Studio Code,图片用PicGo插件，配上阿里云oss，非常方便。部署用的是hexo-deployer-rsync插件，一条命令，打算写个小脚本，配上gitlab runner,实现提交后自动部署。

Spring boot项目在启动时会加载application.properties(或yaml)里的配置，如果修改了application.properties，需要重新打包、部署，当服务有多个实例，需要每个都重新部署。配置中心就是用来解决这个问题的，我们所配置内容放在配置中心统一管理，项目启动时先去配置中心拉取配置，再用这些配置执行启动操作。如果配置有变更，在配置中心修改后，只需要一一重启服务，即可完成配置更新。有些配置中心甚至不需要重启，支持配置推送，比如我们今天介绍的Spring cloud zookeeper config。

Spring Cloud Zookeeper Config 介绍

Zookeeper提供了一个类似目录树的存储结构，允许客户端存储任意数据，如：配置数据。

Spring Cloud Zookeeper Config是Spring Cloud Config Server和Client的替代方案(这个方案需要起一个server服务，依赖git存储配置)，在bootstrap阶段，加载配置到Spring环境中。

默认情况下，配置存储在/config节点下。Spring Cloud Zookeeper Config会基于应用程序名称和profile创建多个PropertySource模拟Spring Cloud Config顺序从Zookeeper读取并解析配置。

例如，应用名是testApp,profile是dev会创建下面几个property源：

1
2
3
4

/config/testApp,dev
/config/testApp
/config/application,dev
/config/application

配置优先级是从上至下的。/config/application 会应用到所有使用zookeeper作配置中心的项目上，/config/testApp 只对应用名为testApp的项目有效.

如何配置Spring Cloud Zookeeper Config

下面的例子是

引入依赖

1
2
3
4
5

<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-zookeeper-config</artifactId>
<version>2.1.0.RELEASE</version>
</dependency>

版本号跟你用的spring boot版本相关，2.1.x版本可以直接使用2.1.0.RELEASE，其他版本参考 https://spring.io/projects/spring-cloud

修改默认配置

上文提到Spring cloud zookeeper config默认配置存在/confi节点，默认读取/config/application配置，application和profile之间用逗号分割，这些都是可配置的。

resources目录下创建bootstrap.properties：

1
2
3
4

spring.cloud.zookeeper.config.enable=true
spring.cloud.zookeeper.config.root=config
spring.cloud.zookeeper.config.defaultContext=application
spring.cloud.zookeeper.config.profileSeparator=,

不过没有特殊需要，不建议修改这些默认配置，原因下面会讲。

引用配置

引用配置方法跟放properties里的一样，用@Value或者 @ConfigurationProperties,只有在使用@ConfigurationProperties才能动态更新, @Value要重启后生效

1
2

@Value("${key}")
String key;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

@ConfigurationProperties(prefix = "test")
public class Test {
    String key1;
    String key2;

    public String getKey1() {
        return key1;
    }

    public void setKey1(String key1) {
        this.key1 = key1;
    }

    public String getKey2() {
        return key2;
    }

    public void setKey2(String key2) {
        this.key2 = key2;
    }
}

图形化配置:

Spring并没有提供一个图形化修改配置的工具，但有第三方解决方案。zookeeper-config-keeper

docker一键部署:

1

docker run  --name=zkck -p 80:80 -e jwtsecret=asdfwefasdf -e zookeeperaddress=192.168.2.103:2181 pocketdigi/zookeeper-config-keeper:v0.1

原理

Kong本身自带授权认证插件，如Basic Authentication,我们通过kong代理kong admin api，再配上Basic Authentication插件，访问kong admin api时，需要带上账号密码。根据Basic Authentication规范，账号密码就是base64编码后，通过header里的Authorization字段传输。而Custom Headers功能会在给Kong admin api接口发送请求时，加上您指定的header，所以可以实现带密码访问kong admin api,解决了安全问题。

配置

假设部署kong的部署地址是 http://192.168.0.205/, admin api地址是 http://192.168.0.205:8001/ ，我们接下来把http://192.168.0.205/manage 转到 http://192.168.0.205:8001/ ,并配上Basic Authentication.

Service和Route配置

我们先使用http://192.168.0.205:8001/ 配置，完成后再禁止admin api外部访问 创建Service: 创建Route: 完成上面操作后，可以试试浏览器打开 http://192.168.0.205/manage ，可以访问admin api了。

Consumer 配置

Basic Authentication 需要Credential才可以访问，Credential属于某个Consumer,一个Consumer可以有多个Credential。 先创建 Consumer 再创建一个Basic Auth Credential，输入账号密码，这个账号密码就是Basic Authentication需要的。

Basic Authentication 配置

完成配置以后，再用浏览器打开 http://192.168.0.205/manage 提示输入账号密码，刚刚我们配的都是admin。 Basic Authentication插件会校验header里的Authorization字段，值的格式是Basic base64(账号:密码) admin:admin base64以后得到的值是YWRtaW46YWRtaW4=,所以在Kong Admin UI里使用，Custom Headers字段应该填 {"Authorization":"Basic YWRtaW46YWRtaW4="} 如果其他api没有用到Consumer，配置就到此结束了，接下来配置改kong的配置文件，限制本机外的ip无法访问admin api即可。但如果其他服务也有Consumer，那么需要用ACL限制一下指定的Consumer才能访问admin api,因为默认情况下，所有Consumer都能访问。

ACL配置

ACL黑白名单配置的是Consumer group,所以需要先把我们指定的Consumer加到一个group里。 ACL Group这个功能是我在写这篇教程时加的，老版本的用户要更新下。 再配置ACL: config.whitelist输入group. 现在，只有指定admin可以访问了。

• 路由器:小米路由3G 需root，否则登不上ssh, ip 192.168.0.1
• DNS服务商：dnspod

理论上所有openwrt路由都支持，因为下面的脚本没用到小米路由的特性，都是linux上的命令，但我没有测其他路由器。 dnspod开放了api，可以调接口更新记录，现在已经被腾讯收购，也可以用腾讯的api,但腾讯的api比较复杂，反正我没调通。其他的像阿里云也开放了云解析接口，有需要的同学可以自己研究。 重点不在脚本，而在于思路：

• linux 定时任务，每分钟执行一次脚本
• 脚本访问外网指定服务器，获取当前外网ip地址，比较上次获取的外网ip地址，如果不一致，则调dns系统的api更新记录

ddns 脚本内容:

#!/bin/sholdIPFile=/tmp/oldip.txtlogin_token=xxxxxxxdomain=pocketdigi.comrecord_id=xxxxxxxsub_domain=testupdateIp(){  result=$(curl -s -d "login_token=$login_token&format=json&domain=$domain&record_id=$record_id&sub_domain=$sub_domain&value=$myip&record_type=A&record_line=默认" https://dnsapi.cn/Record.Modify)  grepResult=$(echo $result | grep "\"code\":\"1\"")  if [[ "$grepResult" != "" ]]   then       echo '更新成功'       echo "$myip" > $oldIPFile   else       echo '更新失败'  fi}myip=$(curl -s http://myip.dnsomatic.com/)echo "当前ip:$myip"if [ ! -f "$oldIPFile" ]; then  echo "文件不存在，更新"  updateIp;else  oldip=$(cat $oldIPFile)  echo "旧IP:$oldip"  if [ "$myip" = "$oldip" ]; then    echo "当前IP与旧IP相同，不更新"  else    echo "当前IP与旧IP不同，更新"    updateIp  fifi

login_token需要登录dnspod获取，record_id可以使用chrome,在dnspod后台编辑保存那条记录时抓包找到。 使用scp将脚本拷到路由器上的/data目录，小米路由很多目录是只读的，写不进去 ssh登录路由器:

ssh root@192.168.0.1

密码需要到小米路由官网找 给ddns脚本增加可执行权限

chmod +x /data/ddns

添加定时任务

crontab -e

在末尾添加

* * * * * /data/ddns

大功告成！

tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'#tilemap.url: 'http://mt2.google.cn/vt/lyrs=m&hl=zh-CN&gl=cn&x={x}&y={y}&z={z}'tilemap.options.maxZoom: 18

用google还是高德随意，google.cn在国内还是可以访问的，tilemap.options.maxZoom配置的是最大缩放级别，默认只能缩放到区级。 重启kibana，6.3.1实测有效。

[Unit]Description=Elasticsearch[Service]Environment=JAVA_HOME=/usr/local/jdk1.8.0_171LimitCORE=infinityLimitNOFILE=65536LimitNPROC=65536ExecStart=/usr/local/elasticsearch-6.3.1/bin/elasticsearchUser=elasticsearchGroup=elasticsearch[Install]WantedBy=multi-user.target

private void fullScreenImmersive(View view) {     if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {         int uiOptions = View.SYSTEM_UI_FLAG_LAYOUT_STABLE             | View.SYSTEM_UI_FLAG_LAYOUT_HIDE_NAVIGATION             | View.SYSTEM_UI_FLAG_HIDE_NAVIGATION             | View.SYSTEM_UI_FLAG_IMMERSIVE_STICKY             | View.SYSTEM_UI_FLAG_LAYOUT_FULLSCREEN             | View.SYSTEM_UI_FLAG_FULLSCREEN;         view.setSystemUiVisibility(uiOptions);     } } @Override public void show() {     this.getWindow().setFlags(WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE, WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE);     super.show();     fullScreenImmersive(getWindow().getDecorView());     this.getWindow().clearFlags(WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE); }

• 官服在国外，速度慢
• 创建的镜像是私有的，不想公开传到外部服务器上

Sonatype Nexus介绍

Sonatype Nexus是一个仓库管理软件，支持Maven、Docker、Bower、PyPI、Yum等类型仓库。使用Maven管理依赖的Java程序员一定不陌生，搭建Maven私服基本是用这个。注意:3.x版本才支持docker。 今天我们就用Nexus作Docker的私服，管理我们自己的私有镜像。

Sonatype Nexus安装

很简单，下载，解压，我的路径是
/usr/local/nexus-3.11.0-01
创建开机启动脚本
vim /etc/systemd/system/nexus.service
内容如下:

[Unit]Description=nexus serviceAfter=network.target[Service]Type=forkingLimitNOFILE=65536ExecStart=/usr/local/nexus-3.11.0-01/bin/nexus startExecStop=/usr/local/nexus-3.11.0-01/bin/nexus stopRestart=on-abort[Install]WantedBy=multi-user.target

设置开机启动
systemctl enable nexus
启动
systemctl start nexus nexus默认端口是8081, 现在打开浏览器，访问http://ip:8081, 应该能看到如下界面
 点击右上角Sign in,账号admin 密码admin123,登录
 点击admin ,把默认的密码改掉，安装完成。

创建仓库

点击顶部配置图标，切到配置页面，左侧菜单选Repositories, 打开仓库配置，点击Create repository 创建仓库。
 我之前已经创建好，配置如下图
 注意，这里HTTP设置了一个10008端口，仅供docker使用，找个不冲突的就行。

docker配置

docker仓库默认需要https支持，但nexus没有配ssl,需要将服务器加到insecure-registries。
vim /etc/docker/daemon.json

{  "registry-mirrors": ["https://registry.docker-cn.com"],  "insecure-registries":["192.168.0.201:10008"]}

我的nexus部署在192.168.0.201 后面的端口10008与创建仓库时对应。 登录仓库:
docker login 192.169.0.201:10008
按提示输入nexus的账号密码。登录一次以后，会自动保存，以后pull/push都不需要再登录。

docker 提交镜像

1. 将正在运行的container打包成image
   
   如图，nginx2容器基于nginx镜像，但是改了一些配置， 现在我们将其打包成image
   docker commit -m "nginx modified" -a "Exception" cb4cbbcde646 nginx-modified -m 描述
   -a 作者
   cb4cbbcde646 container id
   nginx-modified 生成的image名
   现在再看镜像列表:
   
   发现我们刚刚commit的image已经在里面了。

2. 给image打标签
   docker tag f3b408f36cf7 192.168.0.201:10008/nginx-modified f3b408f36cf7 image id
   192.168.0.201:10008/nginx-modified 仓库地址和保存路径

3. 推送镜像
   docker push 192.168.0.201:10008/nginx-modified

4. 下载镜像
   在另一台服务器上，如果要下载镜像,重复上面的docker配置步骤,然后pull
   docker pull 192.168.0.201:10008/nginx-modified

   

[Unit]Description=zookeeper.serviceAfter=network.target[Service]Type=forkingEnvironment=ZOO_LOG_DIR=/usr/local/zookeeper-3.4.11/Environment=PATH=/usr/local/jdk1.8.0_152/bin:/usr/local/jdk1.8.0_152/jre/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/binExecStart=/usr/local/zookeeper-3.4.11/bin/zkServer.sh startExecStop=/usr/local/zookeeper-3.4.11/bin/zkServer.sh stopExecReload=/usr/local/zookeeper-3.4.11/bin/zkServer.sh restartPIDFile=/tmp/zookeeper/zookeeper_server.pidUser=www[Install]WantedBy=multi-user.target

重点在两行Environment。

• 第一行设置日志目录，如果没有设置，默认是当前目录，对www用户来说，可能没有权限。
• 第二行是配置环境变量，systemd用户实例不会继承类似.bashrc中定义的环境变量，所以是找不到jdk目录的，而zookeeper又必须有。

保存后，reload

systemctl daemon-reload

启用开机自启

systemctl enable zookeeper

启动服务

systemctl start zookeeper

java -jar xxx.jar

命令启动,但是开启关闭还是有个脚本会比较方便。自己写了个shell脚本，功能是查找当前目录下的jar文件，然后启动，也可以关闭，重启。经过几次修改，个人觉得比较完美了，放出源码:

#! /bin/bash# springboot的jar放同级目录下即可，只能有一个jar文件export PATH=$JAVA_HOME/bin:$PATHCURRENT_PATH=$(cd "$(dirname "$0")"; pwd)JAR=$(find $CURRENT_PATH -maxdepth 1 -name "*.jar")PID=$(ps -ef | grep $JAR | grep -v grep | awk '{ print $2 }')case "$1" in    start)        if [ ! -z "$PID" ]; then            echo "$JAR 已经启动，进程号: $PID"        else            echo -n -e "启动 $JAR ... \n"            cd $CURRENT_PATH        nohup java -jar $JAR >/dev/null 2>&1 &            if [ "$?"="0" ]; then                echo "启动完成，请查看日志确保成功"            else                echo "启动失败"            fi        fi        ;;    stop)        if [ -z "$PID" ]; then            echo "$JAR 没有在运行，无需关闭"        else            echo "关闭 $JAR ..."              kill -9 $PID            if [ "$?"="0" ]; then                echo "服务已关闭"            else                echo "服务关闭失败"            fi        fi        ;;    restart)        ${0} stop        ${0} start        ;;    kill)        echo "强制关闭 $JAR"        killall $JAR        if [ "$?"="0" ]; then            echo "成功"        else            echo "失败"        fi        ;;    status)        if [ ! -z "$PID" ]; then            echo "$JAR 正在运行"        else            echo "$JAR 未在运行"        fi        ;;  *)    echo "Usage: ./springboot {start|stop|restart|status|kill}" >&2        exit 1esac

脚本会找到当前目录下的jar文件，所以，只能放一个jar文件。 开机启动脚本:

[Unit]Description=Dubbo-adminWants=network.target[Service]Environment=JAVA_HOME=/usr/local/jdk1.8.0_171Type=forkingExecStart=/usr/local/xxx/springboot startExecStop=/usr/local/xxx/springboot stop[Install]WantedBy=multi-user.target

下面的操作，Logstash和Elasticsearch的版本都是6.0.1

1. 下载安装 Logstash和Elasticsearch就不介绍了，下载后解压即可使用。 默认Logstash不包含读取数据库的jdbc插件，需要手动下载。进入Logstash的bin目录，执行：

   ./logstash-plugin install logstash-input-jdbc

因为网络原因，安装可能费点时间。

2. 在某处建一个目录，放置配置文件(哪不重要，因为执行时会配置路径)，我这放到bin下的mysql目录里。

3. 复制mysql jdbc驱动(mysql-connector-java-5.1.35.jar)到该目录下

4. 编写导出数据的sql，放到sql.sql(文件名自己取)里,内容类似这样：

   select *, id as car_id from violation_car car where car.gmt_modified>= :sql_last_value

这里需要介绍下，我的表里有个gmt\_modified字段，用于记录该条记录的最后修改时间，sql\_last_value是Logstash查询后，保存的上次查询时间，第一次查询时，该值是1970/1/1,所以第一次导入，如果你的表现有数据很多，可能会有点问题，后面会根据最后修改时间，更新修改过的数据。

5. 编写输入输出配置文件jdbc.conf

   input {  jdbc {    jdbc_driver_library => "/xxx/xxx/logstash-6.0.1/bin/mysql/mysql-connector-java-5.1.35.jar"    jdbc_driver_class => "com.mysql.jdbc.Driver"    jdbc_connection_string => "jdbc:mysql://localhost:3306/violation"    jdbc_user => "root"    jdbc_password => ""    schedule => "* * * * *"    jdbc_default_timezone => "Asia/Shanghai"    statement_filepath => "/xxx/xxx/logstash-6.0.1/bin/mysql/sql.sql"    use_column_value  => false    last_run_metadata_path => "/xxx/xxx/logstash-6.0.1/bin/mysql/last_run.txt"  }}output {    elasticsearch {        hosts => ["127.0.0.1:9200"]        index => "violation"        document_id => "%{car_id}"        document_type => "car"    }    stdout {        codec => json_lines    }}

字段介绍：    input.jdbc.jdbc_driver_library  jdbc驱动的位置    input.jdbc.jdbc_driver_class    驱动类名    input.jdbc.jdbc_connection_string   数据库连接字符串    input.jdbc.jdbc_user    用户名    input.jdbc.jdbc_password  密码    input.jdbc.schedule   更新计划(参考linux crontab)    input.jdbc.jdbc_default_timezone   时区，默认没有时区，日志里时间差8小时，中国需要用Asia/Shanghai    input.jdbc.statement_filepath 导出数据的sql文件，就是上面写的    input.jdbc.use_column_value  如果是true,sql_last_value是tracking_column指定字段的数字值，false就是时间，默认是false    input.jdbc.last_run_metadata_path  保存sql_last_value值文件的位置    output.elasticsearch.hosts elasticsearch服务器，填多个，请求会负载均衡。    output.elasticsearch.index 索引名    output.elasticsearch.document_id   生成文件的id,这里使用sql产生的car_id    output.elasticsearch.document_type  文档类型     output.stdout 配置的是命令行输出，使用json

6. 配置完以后，启动

   ./logstash -f mysql/jdbc.conf

按上面的配置，logstash会每分钟查询一次表，看是否会更新，有更新则提交到Elasticsearch

    BASE64Decoder base64decoder = new BASE64Decoder();try {    //读取pem证书    BufferedReader br = new BufferedReader(new FileReader("xxx.pem"));    String s = br.readLine();    StringBuffer publickey = new StringBuffer();    while (s.charAt(0) != '-') {        publickey.append(s + "\r");        s = br.readLine();    }    byte[] keybyte = base64decoder.decodeBuffer(publickey.toString());    KeyFactory kf = KeyFactory.getInstance("RSA");    X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keybyte);    PublicKey publicKey = kf.generatePublic(keySpec);    BASE64Encoder bse=new BASE64Encoder();    System.out.println("pk:"+bse.encode(publicKey.getEncoded()));    //被签的原文    String toSign="sxxxsasdsss";    //生成的签名    String sign="xxxxx";    Signature signature = Signature.getInstance("SHA1withRSA");    signature.initVerify(publicKey);    signature.update(toSign.getBytes());    boolean verify = signature.verify(base64decoder        .decodeBuffer(            sign));    System.out.println(verify);} catch (Exception e) {    e.printStackTrace();}

什么是druid

druid是阿里巴巴开源的数据库连接池，自称是Java语言中最好的数据库连接池，提供强大的监控和扩展功能。

为什么用druid

1. 性能

   官方数据Benchmark_aliyun,druid在响应时间上优于其他几个线程池。非官方的测试数据可能差距没这么明显，但仍然高于其他几个线程池。

2. 自带监控功能

   自带监控，可帮助开发者找出慢查询，查看并发数等。

配置步骤：

1. 基于干净的spring boot web项目，添加mysql、mybatis、druid库:

   <dependency>    <groupId>org.mybatis.spring.boot</groupId>    <artifactId>mybatis-spring-boot-starter</artifactId>    <version>1.3.0</version></dependency><dependency>    <groupId>mysql</groupId>    <artifactId>mysql-connector-java</artifactId>    <scope>runtime</scope></dependency><dependency>    <groupId>com.alibaba</groupId>    <artifactId>druid</artifactId>    <version>1.0.31</version></dependency>

2. 配置数据库连接

   application.properties:

   spring.datasource.driverClassName=com.mysql.jdbc.Driverspring.datasource.url=jdbc:mysql://localhost:3306/mydb?useUnicode=true&characterEncoding=utf8spring.datasource.username=rootspring.datasource.password=

这里key叫什么其实并不重要，因为后面配置数据源，我们会自己读取配置。

3. Mybatis、druid配置
   新建MyBatisConfig.java:

   package com.pocketdigi.config.database;import com.alibaba.druid.pool.DruidDataSourceFactory;import org.mybatis.spring.SqlSessionFactoryBean;import org.mybatis.spring.annotation.MapperScan;import org.springframework.beans.factory.annotation.Value;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.core.io.ClassPathResource;import org.springframework.core.io.support.PathMatchingResourcePatternResolver;import org.springframework.core.io.support.ResourcePatternResolver;import javax.sql.DataSource;import java.io.IOException;import java.util.HashMap;import java.util.Map;@Configuration@MapperScan("com.pocketdigi.dal.mapper")public class MyBatisConfig {    @Value("${spring.datasource.url}")    String dbUrl;    @Value("${spring.datasource.username}")    String userName;    @Value("${spring.datasource.password}")    String password;    @Value("${spring.datasource.driverClassName}")    String driverClassName;    private static String MYBATIS_CONFIG = "mybatis_config.xml";    private static String MAPPER_PATH = "/mapper/*.xml";    @Bean    public SqlSessionFactoryBean createSqlSessionFactoryBean() throws IOException {        SqlSessionFactoryBean sqlSessionFactoryBean = new SqlSessionFactoryBean();        //设置mybatis configuration 扫描路径        sqlSessionFactoryBean.setConfigLocation(new ClassPathResource(MYBATIS_CONFIG));        //添加mapper 扫描路径        PathMatchingResourcePatternResolver pathMatchingResourcePatternResolver = new PathMatchingResourcePatternResolver();        String packageSearchPath = ResourcePatternResolver.CLASSPATH_ALL_URL_PREFIX + MAPPER_PATH;        sqlSessionFactoryBean.setMapperLocations(pathMatchingResourcePatternResolver.getResources(packageSearchPath));        //设置datasource        sqlSessionFactoryBean.setDataSource(dataSource());        return sqlSessionFactoryBean;    }    private DataSource dataSource() {        Map<String,Object> properties=new HashMap<>();        properties.put(DruidDataSourceFactory.PROP_DRIVERCLASSNAME,driverClassName);        properties.put(DruidDataSourceFactory.PROP_URL,dbUrl);        properties.put(DruidDataSourceFactory.PROP_USERNAME,userName);        properties.put(DruidDataSourceFactory.PROP_PASSWORD,password);        //添加统计、SQL注入、日志过滤器        properties.put(DruidDataSourceFactory.PROP_FILTERS,"stat,wall,log4j2");        //sql合并，慢查询定义为5s        properties.put(DruidDataSourceFactory.PROP_CONNECTIONPROPERTIES,"druid.stat.mergeSql=true;druid.stat.slowSqlMillis=5000");        try {            return DruidDataSourceFactory.createDataSource(properties);        } catch (Exception e) {            e.printStackTrace();        }        return null;    }}

mybatis的mapper接口在com.pocketdigi.dal.mapper，mybatis_config.xml在resources目录下，xml mapper文件在resources/mapper/目录下。mybatis_config.xml:    <?xml version="1.0" encoding="utf-8" ?>    <!DOCTYPE configuration PUBLIC "-//mybatis.org//DTD Config 3.0//EN" "http://mybatis.org/dtd/mybatis-3-config.dtd">    <configuration>        <settings>            <!-- 所有映射器中配置的缓存的全局开关-->            <setting name="cacheEnabled" value="false"/>            <!-- 延迟加载的全局开关 配置二级缓存时将此属性关闭-->            <setting name="lazyLoadingEnabled" value="false"/>            <!-- 关联对象加载 配置二级缓存时将此属性关闭-->            <setting name="aggressiveLazyLoading" value="false"/>            <!-- 是否允许单一语句返回多结果集-->            <setting name="multipleResultSetsEnabled" value="true"/>            <!-- 使用列标签代替列名-->            <setting name="useColumnLabel" value="true"/>            <!-- 允许 JDBC 支持自动生成主键，需要驱动兼容 -->            <setting name="useGeneratedKeys" value="false"/>            <!-- 指定 MyBatis 是否以及如何自动映射指定的列到字段或属性-->            <setting name="autoMappingBehavior" value="PARTIAL"/>            <!-- 配置默认的执行器-->            <setting name="defaultExecutorType" value="SIMPLE"/>            <!-- 设置超时时间，它决定驱动等待数据库响应的秒数-->            <setting name="defaultStatementTimeout" value="30"/>            <!-- 允许在嵌套语句中使用行分界 -->            <setting name="safeRowBoundsEnabled" value="false"/>            <!-- 是否开启自动驼峰命名规则映射 -->            <setting name="mapUnderscoreToCamelCase" value="false"/>            <!-- 利用本地缓存机制防止循环引用和加速重复嵌套查询 默认值为 SESSION，这种情况下会缓存一个会话中执行的所有查询-->            <setting name="localCacheScope" value="SESSION"/>            <!-- 当没有为参数提供特定的 JDBC 类型时，为空值指定 JDBC 类型 -->            <setting name="jdbcTypeForNull" value="OTHER"/>            <!-- 指定哪些对象的方法触发一次延迟加载-->            <setting name="lazyLoadTriggerMethods" value="equals,clone,hashCode,toString"/>        </settings>        <typeAliases>            <package name="com.pocketdigi.dal.po"/>        </typeAliases>    </configuration>数据库对应的POJO类在com.pocketdigi.dal.po

4. druid监控后台配置

   druid监控后台需要配置一个Filter和一个Servlet,将指定的路径转发到com.alibaba.druid.support.http.StatViewServlet

   ServletConfiguration.java:

   @Configurationpublic class ServletConfiguration {    @Bean    public ServletRegistrationBean druidStatViewServletBean() {        //后台的路径        ServletRegistrationBean statViewServletRegistrationBean = new ServletRegistrationBean(new StatViewServlet(), "/druid/*");        Map<String,String> params = new HashMap<>();        //账号密码，是否允许重置数据        params.put("loginUsername","admin");        params.put("loginPassword","admin");        params.put("resetEnable","true");        statViewServletRegistrationBean.setInitParameters(params);        return statViewServletRegistrationBean;    }}

FilterConfiguration.java    @Configuration    public class FilterConfiguration {        @Bean        public FilterRegistrationBean druidStatFilterBean() {            FilterRegistrationBean druidStatFilterBean=new FilterRegistrationBean(new WebStatFilter());            List<String> urlPattern=new ArrayList<>();            urlPattern.add("/*");            druidStatFilterBean.setUrlPatterns(urlPattern);            Map<String,String> initParams=new HashMap<>();            initParams.put("exclusions","*.js,*.gif,*.jpg,*.bmp,*.png,*.css,*.ico,/druid/*");            druidStatFilterBean.setInitParameters(initParams);            return druidStatFilterBean;        }    }配置完成，启动应用，打开[http://localhost:8000/druid/](http://localhost:8000/druid/) 用ServletConfiguration.java配置的账号密码登录，即可进入druid监控后台。

代码已传github https://github.com/pocketdigi/springboot-demo

@Slf4jpublic class TestServlet extends HttpServlet{    @Override    public void init(ServletConfig config) throws ServletException {        super.init(config);        String value=config.getInitParameter("param1");        log.info("param1:{}",value);    }    @Override    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {        PrintWriter out = resp.getWriter();        out.println("<html>");        out.println("<head>");        out.println("<title>Hello World</title>");        out.println("</head>");        out.println("<body>");        out.println("Hello");        out.println("</body>");        out.println("</html>");    }}

代码注册:

代码注册通过ServletRegistrationBean和FilterRegistrationBean两个类，注册Servlet和Filter。 在Application类里添加注册代码：

@SpringBootApplicationpublic class DemoApplication {    public static void main(String[] args) {        SpringApplication.run(DemoApplication.class, args);    }    @Bean    public ServletRegistrationBean testServletBean() {        ServletRegistrationBean testServletRegistration = new ServletRegistrationBean(new TestServlet(), "/test1/");        Map<String,String> params = new HashMap<>();        params.put("param1","value2");        testServletRegistration.setInitParameters(params);        return testServletRegistration;    }}

三个参数，servlet实例、url mapping、init-param, Filter也类似，只是用FilterRegistrationBean。 或者，放到一个单独的配置类里：

@Configurationpublic class ServletConfiguration {    @Bean    public ServletRegistrationBean testServletBean() {        ServletRegistrationBean testServletRegistration = new ServletRegistrationBean(new TestServlet(), "/test1/");        Map<String,String> params = new HashMap<>();        params.put("param1","value2");        testServletRegistration.setInitParameters(params);        return testServletRegistration;    }}

建议拆开放到单独的类里，如果所有配置都放Application里，乱。

注解注册

注解注册需要在Servlet类上加上@WebServlet,@WebFilter注解，Application里加上@ServletComponentScan开启Servlet注解扫描。 修改TestServlet

@Slf4j@WebServlet(urlPatterns = "/test/*",initParams = {        @WebInitParam(name = "param1", value = "value1"),})public class TestServlet extends HttpServlet{    @Override    public void init(ServletConfig config) throws ServletException {        super.init(config);        String value=config.getInitParameter("param1");        log.info("param1:{}",value);    }    @Override    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {        PrintWriter out = resp.getWriter();        out.println("<html>");        out.println("<head>");        out.println("<title>Hello World</title>");        out.println("</head>");        out.println("<body>");        out.println("Hello");        out.println("</body>");        out.println("</html>");    }}

如果是Filter:

@WebFilter(filterName = "webFilter", urlPatterns = "/*",        initParams = {@WebInitParam(name = "exclusions", value = "*.js,*.gif,*.jpg,*.bmp,*.png,*.css,*.ico")})public class WebFilter extends Filter {}

Application:

@SpringBootApplication@ServletComponentScanpublic class DemoApplication {    public static void main(String[] args) {        SpringApplication.run(DemoApplication.class, args);    }   }

怎么选择？

如果是自己实现的Servlet,那么直接加个注解，即可注册。但Servlet不是自己实现的话，用代码注册比较好，否则需要继承原来的Servlet加一个子类。

找出代码中的死锁

学习从一段简单的代码开始:

public class Main {    public static void main(String[] args) {        test1();    }    private static void test1() {        final Object lock1 = new Object();        final Object lock2 = new Object();        Thread thread=new Thread(new Runnable() {            public void run() {                synchronized (lock1) {                    try {                        for(int i=0;i<20;i++) {                            Thread.sleep(1000);                            System.out.println(Thread.currentThread().getName()+" "+i);                        }                        synchronized (lock2) {                            for(int i=20;i<40;i++) {                                Thread.sleep(1000);                                System.out.println(Thread.currentThread().getName()+" "+i);                            }                        }                    } catch (InterruptedException e) {                        e.printStackTrace();                    }                }            }        });        thread.start();        synchronized (lock2) {            try {                for(int i=0;i<20;i++) {                    Thread.sleep(1000);                    System.out.println(Thread.currentThread().getName()+" "+i);                }                synchronized (lock1) {                    for(int i=20;i<40;i++) {                        Thread.sleep(1000);                        System.out.println(Thread.currentThread().getName()+" "+i);                    }                }            } catch (InterruptedException e) {                e.printStackTrace();            }        }    }}

肉眼都能看出来的死锁，程序运行20s后进入死锁状态。
首先我们先找出这个程序的进程id,建议用jps,而不是ps,原因是jps只会显示当前用户下面的java进程，等于自动帮我们过滤了。

jps -l

Main进程，id 5632,这时出动我们的主角jstack.

jstack 5632

结果如下

2017-05-23 13:57:22Full thread dump Java HotSpot(TM) 64-Bit Server VM (25.45-b02 mixed mode):"Attach Listener" #12 daemon prio=9 os_prio=31 tid=0x00007ff0f780c800 nid=0x4507 waiting on condition [0x0000000000000000]   java.lang.Thread.State: RUNNABLE"Thread-0" #11 prio=5 os_prio=31 tid=0x00007ff0f80c0000 nid=0x5a03 waiting for monitor entry [0x0000700002310000]   java.lang.Thread.State: BLOCKED (on object monitor)    at Main$1.run(Main.java:33)    - waiting to lock <0x000000076adb1a98> (a java.lang.Object)    - locked <0x000000076adb1a88> (a java.lang.Object)    at java.lang.Thread.run(Thread.java:745)"Service Thread" #10 daemon prio=9 os_prio=31 tid=0x00007ff0f980b800 nid=0x5603 runnable [0x0000000000000000]   java.lang.Thread.State: RUNNABLE"C1 CompilerThread3" #9 daemon prio=9 os_prio=31 tid=0x00007ff0f6803000 nid=0x5403 waiting on condition [0x0000000000000000]   java.lang.Thread.State: RUNNABLE"C2 CompilerThread2" #8 daemon prio=9 os_prio=31 tid=0x00007ff0f6802800 nid=0x5203 waiting on condition [0x0000000000000000]   java.lang.Thread.State: RUNNABLE"C2 CompilerThread1" #7 daemon prio=9 os_prio=31 tid=0x00007ff0f6801800 nid=0x5003 waiting on condition [0x0000000000000000]   java.lang.Thread.State: RUNNABLE"C2 CompilerThread0" #6 daemon prio=9 os_prio=31 tid=0x00007ff0f90de800 nid=0x4e03 waiting on condition [0x0000000000000000]   java.lang.Thread.State: RUNNABLE"Monitor Ctrl-Break" #5 daemon prio=5 os_prio=31 tid=0x00007ff0f90dc800 nid=0x4c03 runnable [0x0000700001bfb000]   java.lang.Thread.State: RUNNABLE    at java.net.SocketInputStream.socketRead0(Native Method)    at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)    at java.net.SocketInputStream.read(SocketInputStream.java:170)    at java.net.SocketInputStream.read(SocketInputStream.java:141)    at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)    at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)    at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)    - locked <0x000000076af12b68> (a java.io.InputStreamReader)    at java.io.InputStreamReader.read(InputStreamReader.java:184)    at java.io.BufferedReader.fill(BufferedReader.java:161)    at java.io.BufferedReader.readLine(BufferedReader.java:324)    - locked <0x000000076af12b68> (a java.io.InputStreamReader)    at java.io.BufferedReader.readLine(BufferedReader.java:389)    at com.intellij.rt.execution.application.AppMainV2$1.run(AppMainV2.java:64)"Signal Dispatcher" #4 daemon prio=9 os_prio=31 tid=0x00007ff0f8039800 nid=0x4a03 runnable [0x0000000000000000]   java.lang.Thread.State: RUNNABLE"Finalizer" #3 daemon prio=8 os_prio=31 tid=0x00007ff0f9803000 nid=0x3903 in Object.wait() [0x0000700001972000]   java.lang.Thread.State: WAITING (on object monitor)    at java.lang.Object.wait(Native Method)    - waiting on <0x000000076ab06f58> (a java.lang.ref.ReferenceQueue$Lock)    at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:143)    - locked <0x000000076ab06f58> (a java.lang.ref.ReferenceQueue$Lock)    at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:164)    at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:209)"Reference Handler" #2 daemon prio=10 os_prio=31 tid=0x00007ff0f9802000 nid=0x3703 in Object.wait() [0x000070000186f000]   java.lang.Thread.State: WAITING (on object monitor)    at java.lang.Object.wait(Native Method)    - waiting on <0x000000076ab06998> (a java.lang.ref.Reference$Lock)    at java.lang.Object.wait(Object.java:502)    at java.lang.ref.Reference$ReferenceHandler.run(Reference.java:157)    - locked <0x000000076ab06998> (a java.lang.ref.Reference$Lock)"main" #1 prio=5 os_prio=31 tid=0x00007ff0f8002000 nid=0x1c03 waiting for monitor entry [0x0000700000e51000]   java.lang.Thread.State: BLOCKED (on object monitor)    at Main.test1(Main.java:52)    - waiting to lock <0x000000076adb1a88> (a java.lang.Object)    - locked <0x000000076adb1a98> (a java.lang.Object)    at Main.main(Main.java:18)"VM Thread" os_prio=31 tid=0x00007ff0f801f800 nid=0x3503 runnable"GC task thread#0 (ParallelGC)" os_prio=31 tid=0x00007ff0f9003800 nid=0x2503 runnable"GC task thread#1 (ParallelGC)" os_prio=31 tid=0x00007ff0f9004000 nid=0x2703 runnable"GC task thread#2 (ParallelGC)" os_prio=31 tid=0x00007ff0f7801000 nid=0x2903 runnable"GC task thread#3 (ParallelGC)" os_prio=31 tid=0x00007ff0f600e800 nid=0x2b03 runnable"GC task thread#4 (ParallelGC)" os_prio=31 tid=0x00007ff0f600f000 nid=0x2d03 runnable"GC task thread#5 (ParallelGC)" os_prio=31 tid=0x00007ff0f6010000 nid=0x2f03 runnable"GC task thread#6 (ParallelGC)" os_prio=31 tid=0x00007ff0f6010800 nid=0x3103 runnable"GC task thread#7 (ParallelGC)" os_prio=31 tid=0x00007ff0f6011000 nid=0x3303 runnable"VM Periodic Task Thread" os_prio=31 tid=0x00007ff0f980c000 nid=0x5803 waiting on conditionJNI global references: 26Found one Java-level deadlock:============================="Thread-0":  waiting to lock monitor 0x00007ff0f8024f38 (object 0x000000076adb1a98, a java.lang.Object),  which is held by "main""main":  waiting to lock monitor 0x00007ff0f8023bf8 (object 0x000000076adb1a88, a java.lang.Object),  which is held by "Thread-0"Java stack information for the threads listed above:==================================================="Thread-0":    at Main$1.run(Main.java:33)    - waiting to lock <0x000000076adb1a98> (a java.lang.Object)    - locked <0x000000076adb1a88> (a java.lang.Object)    at java.lang.Thread.run(Thread.java:745)"main":    at Main.test1(Main.java:52)    - waiting to lock <0x000000076adb1a88> (a java.lang.Object)    - locked <0x000000076adb1a98> (a java.lang.Object)    at Main.main(Main.java:18)Found 1 deadlock.

jstack直接帮我们找出来了deadlock。真实场景下，如果代码比较复杂，可能需要我们自己分析找出死锁。
如果我们自己分析，该怎么找出死锁呢？重点分析java.lang.Thread.State: BLOCKED的进程，找到
waiting to lock，看看这个锁的持有者，是不是也被锁着，沿着这个链路找下去，是不是死锁就能找出来 了。比如上面的例子中,main线程持有0x000000076adb1a98锁，等待0x000000076adb1a88锁释放，而Thread-0持有0x000000076adb1a88锁，等待0x000000076adb1a98锁释放，两个线程互相等待，而进入死锁状态。

找出CPU消耗多的代码

如果程序cpu占用很高，我们需要找到问题优化，可以配合top命令，找出最耗cpu的进程，从而找到相应代码解决问题。

1. 先用jps找出程序pid，这里是23034

2. 用top命令找出该进程最耗cpu的线程。下面的top是linux中的，mac里的不一样。

   top -Hp 23034

结果如下图  ![](https://img.pocketdigi.com/blog/1495522309.jpg)23046线程占了93.8的cpu,就是它.

3. 将23046转成16进制。因为top里的pid是10进制，而jstack里是16进制，叫nid。
   可以用printf命令转换

   printf "%x\n" 23046

得到`5a06`

4. jstack出场

   jstack 23034 | grep 5a06

结果如下：  ![](https://img.pocketdigi.com/blog/1495522365.jpg)writeFileThread占用了最多的cpu资源。找到后，可以优化代码了.