docker 是容器的运行环境，管理它的生命周期。kubelet 通过 Container Runtime Interface (CRI) 与 docker 进行交互。

1，下载和分发 docker 二进制文件

到 https://download.docker.com/linux/static/stable/x86_64/ 页面下载最新发布包：

wget https://download.docker.com/linux/static/stable/x86_64/docker-18.03.1-ce.tgz
tar -xvf docker-18.03.1-ce.tgz

分发二进制文件到所有 worker 节点：

cat > magic.sh << "EOF"
#!/bin/bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
    echo ">>> ${node_ip}"
    scp docker/docker*  k8s@${node_ip}:/opt/k8s/bin/
    ssh k8s@${node_ip} "chmod +x /opt/k8s/bin/*"
done
EOF

2，创建和分发 systemd unit 文件

cat > docker.service <<"EOF"
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
[Service]
Environment="PATH=/opt/k8s/bin:/bin:/sbin:/usr/bin:/usr/sbin"
EnvironmentFile=-/run/flannel/docker
ExecStart=/opt/k8s/bin/dockerd --log-level=error $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF

• EOF 前后有双引号，这样 bash 不会替换文档中的变量，如 $DOCKER_NETWORK_OPTIONS；

• dockerd 运行时会调用其它 docker 命令，如 docker-proxy，所以需要将 docker 命令所在的目录加到 PATH 环境变量中；

• flanneld 启动时将网络配置写入 /run/flannel/docker 文件中，dockerd 启动前读取该文件中的环境变量 DOCKER_NETWORK_OPTIONS ，然后设置 docker0 网桥网段；

• 如果指定了多个 EnvironmentFile 选项，则必须将 /run/flannel/docker 放在最后 (确保 docker0 使用 flanneld 生成的 bip 参数)；

• docker 需要以 root 用于运行；

• docker 从 1.13 版本开始，可能将 iptables FORWARD chain 的默认策略设置为 DROP，从而导致 ping 其它 Node 上的 Pod IP 失败，遇到这种情况时，需要手动设置策略为 ACCEPT：

  $ sudo iptables -P FORWARD ACCEPT
  

  并且把以下命令写入 /etc/rc.local 文件中，防止节点重启 iptables FORWARD chain 的默认策略又还原为 DROP

   /sbin/iptables -P FORWARD ACCEPT
  

分发 systemd unit 文件到所有 worker 机器:

cat > magic.sh << "EOF"
#!/bin/bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
    echo ">>> ${node_ip}"
    scp docker.service root@${node_ip}:/etc/systemd/system/
done
EOF

3，配置和分发 docker 配置文件

使用国内的仓库镜像服务器以加快 pull image 的速度，同时增加下载的并发数 (需要重启 dockerd 生效)：

cat > docker-daemon.json <<EOF
{
    "registry-mirrors": ["https://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
    "max-concurrent-downloads": 20
}
EOF

分发 docker 配置文件到所有 work 节点：

cat > magic.sh << "EOF"
#!/bin/bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
    echo ">>> ${node_ip}"
    ssh root@${node_ip} "mkdir -p  /etc/docker/"
    scp docker-daemon.json root@${node_ip}:/etc/docker/daemon.json
done
EOF

4，启动 docker 服务

cat > magic.sh << "EOF"
#!/bin/bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
    echo ">>> ${node_ip}"
    ssh root@${node_ip} "systemctl stop firewalld && systemctl disable firewalld"
    ssh root@${node_ip} "/usr/sbin/iptables -F && /usr/sbin/iptables -X && /usr/sbin/iptables -F -t nat && /usr/sbin/iptables -X -t nat"
    ssh root@${node_ip} "/usr/sbin/iptables -P FORWARD ACCEPT"
    ssh root@${node_ip} "systemctl daemon-reload && systemctl enable docker && systemctl start docker"
    ssh root@${node_ip} 'for intf in /sys/devices/virtual/net/docker0/brif/*; do echo 1 > $intf/hairpin_mode; done'
    ssh root@${node_ip} "sudo sysctl -p /etc/sysctl.d/kubernetes.conf"
done
EOF

• 关闭 firewalld(centos7)/ufw(ubuntu16.04)，否则可能会重复创建 iptables 规则；
• 清理旧的 iptables rules 和 chains 规则；
• 开启 docker0 网桥下虚拟网卡的 hairpin 模式;

5，检查服务运行状态

cat > magic.sh << "EOF"
#!/bin/bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
    echo ">>> ${node_ip}"
    ssh k8s@${node_ip} "systemctl status docker|grep Active"
done
EOF

如果输出如下：

$bash magic.sh
>>> 192.168.106.3
   Active: active (running) since Fri 2018-11-23 18:51:54 CST; 6h ago
>>> 192.168.106.4
   Active: active (running) since Fri 2018-11-23 18:51:54 CST; 6h ago
>>> 192.168.106.5
   Active: active (running) since Fri 2018-11-23 18:51:54 CST; 6h ago

则正常，如果启动失败，则检查日志：

$ journalctl -xu docker

6，检查 docker0 网桥

cat > magic.sh << "EOF"
#!/bin/bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
    echo ">>> ${node_ip}"
    ssh k8s@${node_ip} "/usr/sbin/ip addr show flannel.1 && /usr/sbin/ip addr show docker0"
done
EOF

输出：

$bash magic.sh
>>> 192.168.106.3
3: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether b2:29:a7:da:fa:d8 brd ff:ff:ff:ff:ff:ff
    inet 172.30.84.0/32 scope global flannel.1
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
    link/ether 02:42:fc:9f:7d:c9 brd ff:ff:ff:ff:ff:ff
    inet 172.30.84.1/24 brd 172.30.84.255 scope global docker0
       valid_lft forever preferred_lft forever
>>> 192.168.106.4
3: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether f2:14:20:50:4f:af brd ff:ff:ff:ff:ff:ff
    inet 172.30.8.0/32 scope global flannel.1
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
    link/ether 02:42:a1:25:5f:c9 brd ff:ff:ff:ff:ff:ff
    inet 172.30.8.1/24 brd 172.30.8.255 scope global docker0
       valid_lft forever preferred_lft forever
>>> 192.168.106.5
3: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether b2:fe:60:ff:53:be brd ff:ff:ff:ff:ff:ff
    inet 172.30.29.0/32 scope global flannel.1
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
    link/ether 02:42:a1:8a:c7:9c brd ff:ff:ff:ff:ff:ff
    inet 172.30.29.1/24 brd 172.30.29.255 scope global docker0
       valid_lft forever preferred_lft forever

确认各 work 节点的 docker0 网桥和 flannel.1 接口的 IP 处于同一个网段中，如上 kube-node1 节点的 172.30.84.0 和 172.30.84.1。