Kubernetes install (Helm):

  $ KUBECONFIG=./kube_config_rancher-cluster.yml
  New password for default administrator (user-xxxxx):
  <new_password>

I deleted/deactivated the last admin, how can I fix it?

Docker Install:

  $ docker exec -ti <container_id> ensure-default-admin
  New default administrator (user-xxxxx)
  New password for default administrator (user-xxxxx):
  <new_password>

Kubernetes install (Helm):

How can I enable debug logging?

See Troubleshooting: Logging

My ClusterIP does not respond to ping

ClusterIP is a virtual IP, which will not respond to ping. The best way to test whether the ClusterIP is configured correctly is to use curl to access the IP and port and see if it responds.

Where can I manage Node Templates?

Node Templates can be accessed by opening your account menu (top right) and selecting Node Templates.

The Layer-4 Load Balancer is created as type: LoadBalancer. In Kubernetes, this needs a cloud provider or controller that can satisfy these requests; otherwise they will stay in Pending state forever. More information can be found in Create External Load Balancer.

Where is the state of Rancher stored?

  • Docker Install: in the embedded etcd of the rancher/rancher container, located at /var/lib/rancher.
  • Kubernetes install: in the etcd of the RKE cluster created to run Rancher.

How are the supported Docker versions determined?

We follow the validated Docker versions for upstream Kubernetes releases. The validated versions can be found in the Kubernetes release CHANGELOG.md.

How can I access nodes created by Rancher?

Unzip the downloaded zip file and use the file id_rsa to connect to your host. Be sure to use the correct username (rancher or for RancherOS, ubuntu for Ubuntu, ec2-user for Amazon Linux).

  $ ssh -i id_rsa user@ip_of_node

How can I automate task X in Rancher?

The UI consists of static files, and works based on responses of the API. That means every action/task that you can execute in the UI, can be automated via the API. There are 2 ways to do this:

  • Visit https://your_rancher_ip/v3 and browse the API options.
  • Capture the API calls made while using the UI (Chrome Developer Tools is most commonly used for this, but you can use anything you like).

A node is required to have a static IP configured (or a reserved IP via DHCP). If the IP of a node has changed, you will have to remove it from the cluster and re-add it. After it is removed, Rancher will update the cluster to the correct state. If the cluster is no longer in Provisioning state, the node is removed from the cluster.

When the IP address of the node changed, Rancher lost connection to the node, so it will be unable to clean the node properly. See to clean the node.

When the node is removed from the cluster and the node is cleaned, you can re-add the node to the cluster.

How can I add additional arguments/binds/environment variables to Kubernetes components in a Rancher Launched Kubernetes cluster?

You can add additional arguments/binds/environment variables via the option in Cluster Options. For more information, see the Extra Args, Extra Binds, and Extra Environment Variables in the RKE documentation or browse the .

How do I check if my certificate chain is valid?

Use the openssl verify command to validate your certificate chain:

  SSL_CERT_DIR=/dummy SSL_CERT_FILE=/dummy openssl verify -CAfile ca.pem rancher.yourdomain.com.pem
  rancher.yourdomain.com.pem: OK

If you receive the error unable to get local issuer certificate, the chain is incomplete. This usually means that there is an intermediate CA certificate that issued your server certificate. If you already have this certificate, you can use it in the verification of the certificate as shown below:

If you have successfully verified your certificate chain, you should include needed intermediate CA certificates in the server certificate to complete the certificate chain for any connection made to Rancher (for example, by the Rancher agent). The order of the certificates in the server certificate file should be first the server certificate itself (contents of rancher.yourdomain.com.pem), followed by intermediate CA certificate(s) (contents of intermediate.pem).

  -----BEGIN CERTIFICATE-----
  %YOUR_CERTIFICATE%
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  %YOUR_INTERMEDIATE_CERTIFICATE%
  -----END CERTIFICATE-----

If you still get errors during verification, you can retrieve the subject and the issuer of the server certificate using the following command:

  subject= /C=GB/ST=England/O=Alice Ltd/CN=rancher.yourdomain.com
  issuer= /C=GB/ST=England/O=Alice Ltd/CN=Alice Intermediate CA

How do I check Common Name and Subject Alternative Names in my server certificate?

Although technically only an entry in Subject Alternative Names is required, having the hostname both in Common Name and as an entry in Subject Alternative Names gives you maximum compatibility with older browsers/applications.

Check Common Name:

Check Subject Alternative Names:

  openssl x509 -noout -in cert.pem -text | grep DNS
  DNS:rancher.my.org
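
The certificate checks from the questions above, as an added example that is not part of the original FAQ: this script builds a throwaway root, intermediate and server certificate, shows the incomplete-chain failure and the fix with -untrusted, assembles the bundle in the required order, and prints subject, issuer and DNS SANs. The names Example Root CA, Example Intermediate CA and rancher.example.test, the file names and the helper functions are all constructed for the demonstration.

```shell
# Added example: the FAQ's certificate checks run against a throwaway chain.
# All names (Example Root CA, rancher.example.test, file names) are constructed.

make_chain() {  # $1 = empty directory; writes ca.pem, intermediate.pem, server.pem
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'subjectAltName=DNS:rancher.example.test\n' > leaf.ext
    for n in ca int leaf; do openssl genrsa -out "$n.key" 2048 || exit 1; done
    openssl req -new -key ca.key -subj '/CN=Example Root CA' -out ca.csr &&
    openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext -out ca.pem &&
    openssl req -new -key int.key -subj '/CN=Example Intermediate CA' -out int.csr &&
    openssl x509 -req -in int.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 2 \
      -extfile ca.ext -out intermediate.pem &&
    openssl req -new -key leaf.key -subj '/CN=rancher.example.test' -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey int.key -CAcreateserial \
      -days 2 -extfile leaf.ext -out server.pem
  ) >/dev/null 2>&1
}

verify() {  # $1 = directory; any further arguments are extra "openssl verify" options
  dir=$1; shift
  SSL_CERT_DIR=/dummy SSL_CERT_FILE=/dummy \
    openssl verify -CAfile "$dir/ca.pem" "$@" "$dir/server.pem" 2>&1
}

bundle() {  # server certificate first, then the intermediate, as the FAQ requires
  cat "$1/server.pem" "$1/intermediate.pem" > "$1/fullchain.pem"
}

chain_order_ok() {  # every certificate in the bundle must be issued by the next one
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s[++n] = substr($0, 9) }
         /^issuer=/  { i[n] = substr($0, 8) }
         END { if (n < 2) exit 1
               for (k = 1; k < n; k++) if (i[k] != s[k + 1]) exit 1 }'
}

cert_names() {  # subject, issuer and DNS SANs of the first certificate in a file
  openssl x509 -noout -subject -issuer -in "$1"
  openssl x509 -noout -text -in "$1" | grep DNS
}

d=$(mktemp -d) && make_chain "$d" || { echo "chain setup failed" >&2; exit 1; }
verify "$d" || echo "-> incomplete chain: the intermediate is missing"
verify "$d" -untrusted "$d/intermediate.pem"
bundle "$d" && chain_order_ok "$d/fullchain.pem" && echo "bundle order OK"
cert_names "$d/fullchain.pem"
```

chain_order_ok fails when the intermediate is placed before the server certificate, which is the ordering mistake the bundle instructions guard against.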

Why does it take 5+ minutes for a pod to be rescheduled when a node has failed?

This is due to a combination of the following default Kubernetes settings:

  • kubelet
    • node-status-update-frequency: Specifies how often kubelet posts node status to master (default 10s)
  • kube-controller-manager
    • node-monitor-period: The period for syncing NodeStatus in NodeController (default 5s)
    • node-monitor-grace-period: Amount of time which we allow running Node to be unresponsive before marking it unhealthy (default 40s)
    • pod-eviction-timeout: The grace period for deleting pods on failed nodes (default 5m0s)

See Kubernetes: kube-controller-manager for more information on these settings.

  • kube-apiserver (Kubernetes v1.13 and up)
    • default-not-ready-toleration-seconds: Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.
    • default-unreachable-toleration-seconds: Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration.

Yes, most parts of the UI can be reached using keyboard shortcuts. For an overview of the available shortcuts, press ? anywhere in the UI.