Chemmy's Blog

chengming0916@outlook.com

发表于 更新于

项目风险通常体现在需求、技术、成本和进度四个方面。在IT项目开发中,常见的风险可归纳为以下九大类。

1. 需求风险

需求是项目的基石,其不确定性是主要风险来源。

  • 需求基准已定,但仍在持续变化。
  • 需求定义不清晰,后续的澄清工作会扩大项目范围。
  • 在项目过程中不断添加新的需求。
  • 产品定义中模糊的部分比预期消耗更多时间。
  • 客户在需求阶段参与不足。
  • 缺乏有效的需求变更管理流程。

2. 计划编制风险

计划不切实际或基于错误假设,将直接导致项目失控。

  • 计划仅依据客户或上级的口头指令制定,且指令本身可能存在矛盾。
  • 计划过于理想化(“最佳状态”),脱离现实,实为“期望状态”。
  • 计划依赖于特定的核心成员,而该成员可能无法到位或发挥作用。
  • 实际产品规模(代码行、功能点)远超预估。
  • 项目截止日期提前,但未相应缩减范围或增加资源。
  • 进入不熟悉的技术领域,导致设计和实现时间超出预期。

3. 组织与管理风险

低效的组织结构和决策流程会严重拖慢项目。

  • 仅由非技术人员(如管理层、市场人员)做技术决策,导致进度迟缓。
  • 项目团队结构不合理,降低了整体效率。
  • 管理层审批决策周期过长。
  • 项目预算中途被削减,打乱原有计划。
  • 管理层作出打击团队积极性的决定。
  • 缺乏必要的工作规范,导致失误和返工。
  • 依赖的非技术第三方(如法务、采购)工作延期。

4. 人员风险

人是项目成功的关键,人员问题会引发连锁反应。

  • 项目依赖的前置任务(如培训)未能按时完成。
  • 开发人员与管理者关系不佳,决策缓慢,影响全局。
  • 缺乏有效的激励措施,团队士气低落,生产力下降。
  • 成员需要额外时间适应不熟悉的工具和环境。
  • 项目后期加入新成员,产生培训与沟通成本,降低现有成员效率。
  • 团队内部发生冲突,导致沟通不畅、设计缺陷和返工。
  • 不称职的成员未被调离,影响整个团队的积极性。
  • 无法招募到项目急需的特定技能人才。

5. 开发环境风险

“工欲善其事,必先利其器”,糟糕的环境会阻碍开发。

  • 办公场所、硬件设施未能及时到位。
  • 设施不配套(如缺网络、电话)。
  • 工作环境拥挤、杂乱或破损。
  • 必要的开发工具未及时就绪。
  • 工具效果不如预期,需额外时间配置或更换。
  • 学习新工具的时间比预期长。

6. 客户风险

客户是项目的最终服务对象,其行为直接影响项目。

  • 客户对最终交付物不满意,要求返工或重做。
  • 客户的意见未被充分采纳,导致产品无法满足其真实需求。
  • 客户对方案、原型等的审核决策周期过长。
  • 客户未能参与关键阶段的评审,导致需求反复变更。
  • 客户回复问题(如需求澄清)的时间延迟。
  • 客户提供的组件质量差,导致额外的测试、集成和沟通工作。

7. 产品风险

产品本身的技术复杂度和依赖关系带来的挑战。

  • 为修正低质量产品,需要远超预期的测试和开发工作。
  • 开发了不必要的“镀金”功能,延长了工期。
  • 与现有系统兼容性要求苛刻,增加了工作量。
  • 需要与外部或不可控系统集成,带来未知工作量。
  • 在陌生或未经验证的软硬件环境中运行,产生意外问题。
  • 开发全新技术模块的时间远超预估。
  • 依赖尚未成熟的技术,会延长项目周期。

8. 设计与实现风险

将设计转化为代码过程中遇到的具体技术障碍。

  • 设计质量低劣,导致重复设计。
  • 现有代码库无法实现某些功能,必须开发新库或功能。
  • 采用的代码或第三方库质量低下,引发额外测试和修复工作。
  • 高估了新工具对效率的提升效果。
  • 各自开发的模块无法有效集成,需要重新设计。

9. 过程风险

项目所遵循的流程和管理方法本身存在的问题。

  • 过多的文书工作拖慢了项目进程。
  • 前期的质量保证流于形式,导致后期大量返工。
  • 流程过于松散(不遵循开发规范),导致沟通不畅、质量低下。
  • 流程过于僵化(教条式遵循规范),在无用流程上耗费时间。
  • 撰写管理报告占用了开发人员过多时间。
  • 风险管理疏忽,未能识别出重大风险。

总结:成功的IT项目管理,不仅在于技术实现,更在于对上述九大类风险的持续识别、评估和应对。建立规范流程、保持沟通顺畅、进行务实计划并预留缓冲,是 mitigating(缓解)这些风险的关键。

发表于 更新于

安装

1
2
3
4
5
6
7
8
helm repo add traefik https://helm.traefik.io/traefik
helm repo update 
helm upgrade traefik traefik/traefik \
    --install --create-namespace \
    --namespace=traefik 

# 导出配置文件
helm show values traefik/traefik > traefik-values.yaml

修改配置

traefik-values.yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
# Default values for Traefik

# This is a YAML-formatted file.

# Declare variables to be passed into templates

  

image:  # @schema additionalProperties: false

  # -- Traefik image host registry

  registry: docker.io

  # -- Traefik image repository

  repository: traefik

  # -- defaults to appVersion

  tag:  # @schema type:[string, null]

  # -- Traefik image pull policy

  pullPolicy: IfNotPresent

  

# -- Add additional label to all resources

commonLabels: {}

  

deployment:

  # -- Enable deployment

  enabled: true

  # -- Deployment or DaemonSet

  kind: Deployment

  # -- Number of pods of the deployment (only applies when kind == Deployment)

  replicas: 1

  # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)

  revisionHistoryLimit:  # @schema type:[integer, null];minimum:0

  # -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down

  terminationGracePeriodSeconds: 60

  # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available

  minReadySeconds: 0

  ## -- Override the liveness/readiness port. This is useful to integrate traefik

  ## with an external Load Balancer that performs healthchecks.

  ## Default: ports.traefik.port

  healthchecksPort:  # @schema type:[integer, null];minimum:0

  ## -- Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint.

  ## Default: ports.traefik.hostIP if set, otherwise Pod IP

  healthchecksHost: ""

  ## -- Override the liveness/readiness scheme. Useful for getting ping to

  ## respond on websecure entryPoint.

  healthchecksScheme:   # @schema enum:[HTTP, HTTPS, null]; type:[string, null]; default: HTTP

  ## -- Override the readiness path.

  ## Default: /ping

  readinessPath: ""

  # -- Override the liveness path.

  # Default: /ping

  livenessPath: ""

  # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection)

  annotations: {}

  # -- Additional deployment labels (e.g. for filtering deployment by custom labels)

  labels: {}

  # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping)

  # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'

  podAnnotations: {}

  # -- Additional Pod labels (e.g. for filtering Pod by custom labels)

  podLabels: {}

  # -- Additional containers (e.g. for metric offloading sidecars)

  additionalContainers: []

  # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host

  # - name: socat-proxy

  #   image: alpine/socat:1.0.5

  #   args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]

  #   volumeMounts:

  #     - name: dsdsocket

  #       mountPath: /socket

  # -- Additional volumes available for use with initContainers and additionalContainers

  additionalVolumes: []

  # - name: dsdsocket

  #   hostPath:

  #     path: /var/run/statsd-exporter

  # -- Additional initContainers (e.g. for setting file permission as shown below)

  initContainers: []

  # The "volume-permissions" init container is required if you run into permission issues.

  # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396

  # - name: volume-permissions

  #   image: busybox:latest

  #   command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]

  #   volumeMounts:

  #     - name: data

  #       mountPath: /data

  # -- Use process namespace sharing

  shareProcessNamespace: false

  # -- Custom pod DNS policy. Apply if `hostNetwork: true`

  dnsPolicy: ""

  # -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core)

  dnsConfig: {}

  # -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)

  hostAliases: []

  # -- Pull secret for fetching traefik container image

  imagePullSecrets: []

  # -- Pod lifecycle actions

  lifecycle: {}

  # preStop:

  #   exec:

  #     command: ["/bin/sh", "-c", "sleep 40"]

  # postStart:

  #   httpGet:

  #     path: /ping

  #     port: 9000

  #     host: localhost

  #     scheme: HTTP

  # -- Set a runtimeClassName on pod

  runtimeClassName: ""

  

# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)

podDisruptionBudget:  # @schema additionalProperties: false

  enabled: false

  maxUnavailable:  # @schema type:[string, integer, null];minimum:0

  minAvailable:    # @schema type:[string, integer, null];minimum:0

  

# -- Create a default IngressClass for Traefik

ingressClass:  # @schema additionalProperties: false

  enabled: true

  isDefaultClass: true

  name: ""

  

core:  # @schema additionalProperties: false

  # -- Can be used to use globally v2 router syntax

  # See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes

  defaultRuleSyntax: ""

  

# Traefik experimental features

experimental:

  # -- Enable traefik experimental plugins

  plugins: {}

  # demo:

  #   moduleName: github.com/traefik/plugindemo

  #   version: v0.2.1

  kubernetesGateway:

    # -- Enable traefik experimental GatewayClass CRD

    enabled: false

  

gateway:

  # -- When providers.kubernetesGateway.enabled, deploy a default gateway

  enabled: true

  # -- Set a custom name to gateway

  name: ""

  # -- By default, Gateway is created in the same `Namespace` than Traefik.

  namespace: ""

  # -- Additional gateway annotations (e.g. for cert-manager.io/issuer)

  annotations: {}

  # -- Define listeners

  listeners:

    web:

      # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.

      # The port must match a port declared in ports section.

      port: 8000

      # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)

      hostname: ""

      # Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)

      protocol: HTTP

      # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces

      namespacePolicy:  # @schema type:[string, null]

    # websecure listener is disabled by default because certificateRefs needs to be added,

    # or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section.

    # websecure:

    #   # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.

    #   # The port must match a port declared in ports section.

    #   port: 8443

    #   # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)

    #   hostname:

    #   # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)

    #   protocol: HTTPS

    #   # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)

    #   namespacePolicy:

    #   # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig)

    #   certificateRefs:

    #   # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType).

    #   mode:

  

gatewayClass:  # @schema additionalProperties: false

  # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass

  enabled: true

  # -- Set a custom name to GatewayClass

  name: ""

  # -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels)

  labels: {}

  

ingressRoute:

  dashboard:

    # -- Create an IngressRoute for the dashboard

    enabled: true # 修改此处,启用dashboard

    # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)

    annotations: # 修改此处,添加配置
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      kubernetes.io/ingress.class: "traefik"
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure

    # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)

    labels: {}

    # -- The router match rule used for the dashboard ingressRoute

    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)

    # -- The internal service used for the dashboard ingressRoute

    services:

      - name: api@internal

        kind: TraefikService

    # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).

    # By default, it's using traefik entrypoint, which is not exposed.

    # /!\ Do not expose your dashboard without any protection over the internet /!\

    entryPoints: ["traefik"]

    # -- Additional ingressRoute middlewares (e.g. for authentication)

    middlewares: []

    # -- TLS options (e.g. secret containing certificate)

    tls: # 修改此处,配置证书,需要cert-manager
      enabled: true
      certSource: secret
      secret:
        secretName: "traefik-tls-secret"
        

  healthcheck:

    # -- Create an IngressRoute for the healthcheck probe

    enabled: false

    # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)

    annotations: {}

    # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)

    labels: {}

    # -- The router match rule used for the healthcheck ingressRoute

    matchRule: PathPrefix(`/ping`)

    # -- The internal service used for the healthcheck ingressRoute

    services:

      - name: ping@internal

        kind: TraefikService

    # -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure).

    # By default, it's using traefik entrypoint, which is not exposed.

    entryPoints: ["traefik"]

    # -- Additional ingressRoute middlewares (e.g. for authentication)

    middlewares: []

    # -- TLS options (e.g. secret containing certificate)

    tls: {}

  

updateStrategy:  # @schema additionalProperties: false

  # -- Customize updateStrategy of Deployment or DaemonSet

  type: RollingUpdate

  rollingUpdate:

    maxUnavailable: 0  # @schema type:[integer, string, null]

    maxSurge: 1        # @schema type:[integer, string, null]

  

readinessProbe:  # @schema additionalProperties: false

  # -- The number of consecutive failures allowed before considering the probe as failed.

  failureThreshold: 1

  # -- The number of seconds to wait before starting the first probe.

  initialDelaySeconds: 2

  # -- The number of seconds to wait between consecutive probes.

  periodSeconds: 10

  # -- The minimum consecutive successes required to consider the probe successful.

  successThreshold: 1

  # -- The number of seconds to wait for a probe response before considering it as failed.

  timeoutSeconds: 2

livenessProbe:  # @schema additionalProperties: false

  # -- The number of consecutive failures allowed before considering the probe as failed.

  failureThreshold: 3

  # -- The number of seconds to wait before starting the first probe.

  initialDelaySeconds: 2

  # -- The number of seconds to wait between consecutive probes.

  periodSeconds: 10

  # -- The minimum consecutive successes required to consider the probe successful.

  successThreshold: 1

  # -- The number of seconds to wait for a probe response before considering it as failed.

  timeoutSeconds: 2

  

# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes)

startupProbe: {}

  

providers:  # @schema additionalProperties: false

  kubernetesCRD:

    # -- Load Kubernetes IngressRoute provider

    enabled: true

    # -- Allows IngressRoute to reference resources in namespace other than theirs

    allowCrossNamespace: false

    # -- Allows to reference ExternalName services in IngressRoute

    allowExternalNameServices: false

    # -- Allows to return 503 when there is no endpoints available

    allowEmptyServices: true

    # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled.

    ingressClass: ""

    # labelSelector: environment=production,method=traefik

    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.

    namespaces: []

    # -- Defines whether to use Native Kubernetes load-balancing mode by default.

    nativeLBByDefault: false

  

  kubernetesIngress:

    # -- Load Kubernetes Ingress provider

    enabled: true

    # -- Allows to reference ExternalName services in Ingress

    allowExternalNameServices: false

    # -- Allows to return 503 when there is no endpoints available

    allowEmptyServices: true

    # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed.

    ingressClass:  # @schema type:[string, null]

    # labelSelector: environment=production,method=traefik

    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.

    namespaces: []

    # IP used for Kubernetes Ingress endpoints

    publishedService:

      enabled: false

      # Published Kubernetes Service to copy status from. Format: namespace/servicename

      # By default this Traefik service

      # pathOverride: ""

    # -- Defines whether to use Native Kubernetes load-balancing mode by default.

    nativeLBByDefault: false

  

  kubernetesGateway:

    # -- Enable Traefik Gateway provider for Gateway API

    enabled: false

    # -- Toggles support for the Experimental Channel resources (Gateway API release channels documentation).

    # This option currently enables support for TCPRoute and TLSRoute.

    experimentalChannel: false

    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.

    namespaces: []

    # -- A label selector can be defined to filter on specific GatewayClass objects only.

    labelselector: ""

  

  file:

    # -- Create a file provider

    enabled: false

    # -- Allows Traefik to automatically watch for file changes

    watch: true

    # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/)

    content: ""

  

# -- Add volumes to the traefik pod. The volume name will be passed to tpl.

# This can be used to mount a cert pair or a configmap that holds a config.toml file.

# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:

# `additionalArguments:

# - "--providers.file.filename=/config/dynamic.toml"

# - "--ping"

# - "--ping.entrypoint=web"`

volumes: []

# - name: public-cert

#   mountPath: "/certs"

#   type: secret

# - name: '{{ printf "%s-configs" .Release.Name }}'

#   mountPath: "/config"

#   type: configMap

  

# -- Additional volumeMounts to add to the Traefik container

additionalVolumeMounts: []

# -- For instance when using a logshipper for access logs

# - name: traefik-logs

#   mountPath: /var/log/traefik

  

logs:

  general:

    # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format)

    format:  # @schema enum:["common", "json", null]; type:[string, null]; default: "common"

    # By default, the level is set to INFO.

    # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.

    level: "INFO"  # @schema enum:[INFO,WARN,ERROR,FATAL,PANIC,DEBUG]; default: "INFO"

    # -- To write the logs into a log file, use the filePath option.

    filePath: ""

    # -- When set to true and format is common, it disables the colorized output.

    noColor: false

  access:

    # -- To enable access logs

    enabled: false

    # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format)

    format:  # @schema enum:["CLF", "json", null]; type:[string, null]; default: "CLF"

    # filePath: "/var/log/traefik/access.log

    # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize)

    bufferingSize:  # @schema type:[integer, null]

    # -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering)

    filters: {}

    statuscodes: ""

    retryattempts: false

    minduration: ""

    # -- Enables accessLogs for internal resources. Default: false.

    addInternals: false

    fields:

      general:

        # -- Set default mode for fields.names

        defaultmode: keep  # @schema enum:[keep, drop, redact]; default: keep

        # -- Names of the fields to limit.

        names: {}

      # -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers)

      headers:

        # -- Set default mode for fields.headers

        defaultmode: drop  # @schema enum:[keep, drop, redact]; default: drop

        names: {}

  

metrics:

  ## -- Enable metrics for internal resources. Default: false

  addInternals: false

  

  ## -- Prometheus is enabled by default.

  ## -- It can be disabled by setting "prometheus: null"

  prometheus:

    # -- Entry point used to expose metrics.

    entryPoint: metrics

    ## Enable metrics on entry points. Default: true

    addEntryPointsLabels:  # @schema type:[boolean, null]

    ## Enable metrics on routers. Default: false

    addRoutersLabels:  # @schema type:[boolean, null]

    ## Enable metrics on services. Default: true

    addServicesLabels:  # @schema type:[boolean, null]

    ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0"

    buckets: ""

    ## When manualRouting is true, it disables the default internal router in

    ## order to allow creating a custom router for prometheus@internal service.

    manualRouting: false

    service:

      # -- Create a dedicated metrics service to use with ServiceMonitor

      enabled: false

      labels: {}

      annotations: {}

    # -- When set to true, it won't check if Prometheus Operator CRDs are deployed

    disableAPICheck:  # @schema type:[boolean, null]

    serviceMonitor:

      # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.

      enabled: false

      metricRelabelings: []

      relabelings: []

      jobLabel: ""

      interval: ""

      honorLabels: false

      scrapeTimeout: ""

      honorTimestamps: false

      enableHttp2: false

      followRedirects: false

      additionalLabels: {}

      namespace: ""

      namespaceSelector: {}

    prometheusRule:

      # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.

      enabled: false

      additionalLabels: {}

      namespace: ""

  

  #  datadog:

  #    ## Address instructs exporter to send metrics to datadog-agent at this address.

  #    address: "127.0.0.1:8125"

  #    ## The interval used by the exporter to push metrics to datadog-agent. Default=10s

  #    # pushInterval: 30s

  #    ## The prefix to use for metrics collection. Default="traefik"

  #    # prefix: traefik

  #    ## Enable metrics on entry points. Default=true

  #    # addEntryPointsLabels: false

  #    ## Enable metrics on routers. Default=false

  #    # addRoutersLabels: true

  #    ## Enable metrics on services. Default=true

  #    # addServicesLabels: false

  #  influxdb2:

  #    ## Address instructs exporter to send metrics to influxdb v2 at this address.

  #    address: localhost:8086

  #    ## Token with which to connect to InfluxDB v2.

  #    token: xxx

  #    ## Organisation where metrics will be stored.

  #    org: ""

  #    ## Bucket where metrics will be stored.

  #    bucket: ""

  #    ## The interval used by the exporter to push metrics to influxdb. Default=10s

  #    # pushInterval: 30s

  #    ## Additional labels (influxdb tags) on all metrics.

  #    # additionalLabels:

  #    #   env: production

  #    #   foo: bar

  #    ## Enable metrics on entry points. Default=true

  #    # addEntryPointsLabels: false

  #    ## Enable metrics on routers. Default=false

  #    # addRoutersLabels: true

  #    ## Enable metrics on services. Default=true

  #    # addServicesLabels: false

  #  statsd:

  #    ## Address instructs exporter to send metrics to statsd at this address.

  #    address: localhost:8125

  #    ## The interval used by the exporter to push metrics to influxdb. Default=10s

  #    # pushInterval: 30s

  #    ## The prefix to use for metrics collection. Default="traefik"

  #    # prefix: traefik

  #    ## Enable metrics on entry points. Default=true

  #    # addEntryPointsLabels: false

  #    ## Enable metrics on routers. Default=false

  #    # addRoutersLabels: true

  #    ## Enable metrics on services. Default=true

  #    # addServicesLabels: false

  otlp:

    # -- Set to true in order to enable the OpenTelemetry metrics

    enabled: false

    # -- Enable metrics on entry points. Default: true

    addEntryPointsLabels:  # @schema type:[boolean, null]

    # -- Enable metrics on routers. Default: false

    addRoutersLabels:  # @schema type:[boolean, null]

    # -- Enable metrics on services. Default: true

    addServicesLabels:  # @schema type:[boolean, null]

    # -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10]

    explicitBoundaries: []

    # -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s

    pushInterval: ""

    http:

      # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.

      enabled: false

      # -- Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics

      endpoint: ""

      # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.

      headers: {}

      ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.

      tls:

        # -- The path to the certificate authority, it defaults to the system bundle.

        ca: ""

        # -- The path to the public certificate. When using this option, setting the key option is required.

        cert: ""

        # -- The path to the private key. When using this option, setting the cert option is required.

        key: ""

        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.

        insecureSkipVerify:  # @schema type:[boolean, null]

    grpc:

      # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC

      enabled: false

      # -- Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics

      endpoint: ""

      # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.

      insecure: false

      ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.

      tls:

        # -- The path to the certificate authority, it defaults to the system bundle.

        ca: ""

        # -- The path to the public certificate. When using this option, setting the key option is required.

        cert: ""

        # -- The path to the private key. When using this option, setting the cert option is required.

        key: ""

        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.

        insecureSkipVerify: false

  

## Tracing

# -- https://doc.traefik.io/traefik/observability/tracing/overview/

tracing:  # @schema additionalProperties: false

  # -- Enables tracing for internal resources. Default: false.

  addInternals: false

  otlp:

    # -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/

    enabled: false

    http:

      # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.

      enabled: false

      # -- Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics

      endpoint: ""

      # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.

      headers: {}

      ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.

      tls:

        # -- The path to the certificate authority, it defaults to the system bundle.

        ca: ""

        # -- The path to the public certificate. When using this option, setting the key option is required.

        cert: ""

        # -- The path to the private key. When using this option, setting the cert option is required.

        key: ""

        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.

        insecureSkipVerify: false

    grpc:

      # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC

      enabled: false

      # -- Format: <scheme>://<host>:<port><path>. Default: http://localhost:4318/v1/metrics

      endpoint: ""

      # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.

      insecure: false

      ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.

      tls:

        # -- The path to the certificate authority, it defaults to the system bundle.

        ca: ""

        # -- The path to the public certificate. When using this option, setting the key option is required.

        cert: ""

        # -- The path to the private key. When using this option, setting the cert option is required.

        key: ""

        # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.

        insecureSkipVerify: false

  

# -- Global command arguments to be passed to all traefik's pods

globalArguments:

- "--global.checknewversion"

- "--global.sendanonymoususage"

  

# -- Additional arguments to be passed at Traefik's binary

# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/)

# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`

additionalArguments: []

#  - "--providers.kubernetesingress.ingressclass=traefik-internal"

#  - "--log.level=DEBUG"

  

# -- Environment variables to be passed to Traefik's binary

# @default -- See _values.yaml_

env:

- name: POD_NAME

  valueFrom:

    fieldRef:

      fieldPath: metadata.name

- name: POD_NAMESPACE

  valueFrom:

    fieldRef:

      fieldPath: metadata.namespace

  

# -- Environment variables to be passed to Traefik's binary from configMaps or secrets

envFrom: []

  

ports:

  redis: # 添加此部分,用于暴露Redis对外访问
    port: 6379
    expose: true
    exposedPort: 6379 # 对外暴露端口
    protocol: TCP
  mysql: #添加此部分,用于暴露MySQL对外访问
    port: 3306
    expose: true
    exposedPort: 3306 # 对外暴露端口
    protocol: TCP

  traefik:

    port: 9000

    # -- Use hostPort if set.

    hostPort:  # @schema type:[integer, null]; minimum:0

    # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which

    # means it's listening on all your interfaces and all your IPs. You may want

    # to set this value if you need traefik to listen on specific interface

    # only.

    hostIP:  # @schema type:[string, null]

  

    # Defines whether the port is exposed if service.type is LoadBalancer or

    # NodePort.

    #

    # -- You SHOULD NOT expose the traefik port on production deployments.

    # If you want to access it from outside your cluster,

    # use `kubectl port-forward` or create a secure ingress

    expose:

      default: false

    # -- The exposed port for this service

    exposedPort: 9000

    # -- The port protocol (TCP/UDP)

    protocol: TCP

  web:

    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.

    # asDefault: true

    port: 8000

    # hostPort: 8000

    # containerPort: 8000

    expose:

      default: true

    exposedPort: 80

    ## -- Different target traefik port on the cluster, useful for IP type LB

    targetPort:  # @schema type:[integer, null]; minimum:0

    # The port protocol (TCP/UDP)

    protocol: TCP

    # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)

    nodePort:  # @schema type:[integer, null]; minimum:0

    # Port Redirections

    # Added in 2.2, you can make permanent redirects via entrypoints.

    # https://docs.traefik.io/routing/entrypoints/#redirection

    redirectTo: {}

    forwardedHeaders:

      # -- Trust forwarded headers information (X-Forwarded-*).

      trustedIPs: []

      insecure: false

    proxyProtocol:

      # -- Enable the Proxy Protocol header parsing for the entry point

      trustedIPs: []

      insecure: false

    # -- Set transport settings for the entrypoint; see also

    # https://doc.traefik.io/traefik/routing/entrypoints/#transport

    transport:

      respondingTimeouts:

        readTimeout:   # @schema type:[string, integer, null]

        writeTimeout:  # @schema type:[string, integer, null]

        idleTimeout:   # @schema type:[string, integer, null]

      lifeCycle:

        requestAcceptGraceTimeout:  # @schema type:[string, integer, null]

        graceTimeOut:               # @schema type:[string, integer, null]

      keepAliveMaxRequests:         # @schema type:[integer, null]; minimum:0

      keepAliveMaxTime:             # @schema type:[string, integer, null]

  websecure:

    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.

    # asDefault: true

    port: 8443

    hostPort:  # @schema type:[integer, null]; minimum:0

    containerPort:  # @schema type:[integer, null]; minimum:0

    expose:

      default: true

    exposedPort: 443

    ## -- Different target traefik port on the cluster, useful for IP type LB

    targetPort:  # @schema type:[integer, null]; minimum:0

    ## -- The port protocol (TCP/UDP)

    protocol: TCP

    # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)

    nodePort:  # @schema type:[integer, null]; minimum:0

    # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol)

    appProtocol:  # @schema type:[string, null]

    # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass)

    allowACMEByPass: false

    http3:

      ## -- Enable HTTP/3 on the entrypoint

      ## Enabling it will also enable http3 experimental feature

      ## https://doc.traefik.io/traefik/routing/entrypoints/#http3

      ## There are known limitations when trying to listen on same ports for

      ## TCP & UDP (Http3). There is a workaround in this chart using dual Service.

      ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741

      enabled: false

      advertisedPort:  # @schema type:[integer, null]; minimum:0

    forwardedHeaders:

        # -- Trust forwarded headers information (X-Forwarded-*).

      trustedIPs: []

      insecure: false

    proxyProtocol:

      # -- Enable the Proxy Protocol header parsing for the entry point

      trustedIPs: []

      insecure: false

    # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport)

    transport:

      respondingTimeouts:

        readTimeout:   # @schema type:[string, integer, null]

        writeTimeout:  # @schema type:[string, integer, null]

        idleTimeout:   # @schema type:[string, integer, null]

      lifeCycle:

        requestAcceptGraceTimeout:  # @schema type:[string, integer, null]

        graceTimeOut:               # @schema type:[string, integer, null]

      keepAliveMaxRequests:         # @schema type:[integer, null]; minimum:0

      keepAliveMaxTime:             # @schema type:[string, integer, null]

    # --  See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls)

    tls:

      enabled: true

      options: ""

      certResolver: ""

      domains: []

    # -- One can apply Middlewares on an entrypoint

    # https://doc.traefik.io/traefik/middlewares/overview/

    # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares

    # -- /!\ It introduces here a link between your static configuration and your dynamic configuration /!\

    # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace

    #   - namespace-name1@kubernetescrd

    #   - namespace-name2@kubernetescrd

    middlewares: []

  metrics:

    # -- When using hostNetwork, use another port to avoid conflict with node exporter:

    # https://github.com/prometheus/prometheus/wiki/Default-port-allocations

    port: 9100

    # -- You may not want to expose the metrics port on production deployments.

    # If you want to access it from outside your cluster,

    # use `kubectl port-forward` or create a secure ingress

    expose:

      default: false

    # -- The exposed port for this service

    exposedPort: 9100

    # -- The port protocol (TCP/UDP)

    protocol: TCP

  

# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options)

# When using `labelSelector`, you'll need to set labels on tlsOption accordingly.

# See EXAMPLE.md for details.

tlsOptions: {}

  

# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details.

tlsStore: {}

  

service:

  enabled: true

  ## -- Single service is using `MixedProtocolLBService` feature gate.

  ## -- When set to false, it will create two Service, one for TCP and one for UDP.

  single: true

  type: LoadBalancer

  # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)

  annotations: {}

  # -- Additional annotations for TCP service only

  annotationsTCP: {}

  # -- Additional annotations for UDP service only

  annotationsUDP: {}

  # -- Additional service labels (e.g. for filtering Service by custom labels)

  labels: {}

  # -- Additional entries here will be added to the service spec.

  # -- Cannot contain type, selector or ports entries.

  spec: {}

  # externalTrafficPolicy: Cluster

  # loadBalancerIP: "1.2.3.4"

  # clusterIP: "2.3.4.5"

  loadBalancerSourceRanges: []

  # - 192.168.0.1/32

  # - 172.16.0.0/16

  ## -- Class of the load balancer implementation

  # loadBalancerClass: service.k8s.aws/nlb

  externalIPs: []

  # - 1.2.3.4

  ## One of SingleStack, PreferDualStack, or RequireDualStack.

  # ipFamilyPolicy: SingleStack

  ## List of IP families (e.g. IPv4 and/or IPv6).

  ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services

  # ipFamilies:

  #   - IPv4

  #   - IPv6

  ##

  additionalServices: {}

  ## -- An additional and optional internal Service.

  ## Same parameters as external Service

  # internal:

  #   type: ClusterIP

  #   # labels: {}

  #   # annotations: {}

  #   # spec: {}

  #   # loadBalancerSourceRanges: []

  #   # externalIPs: []

  #   # ipFamilies: [ "IPv4","IPv6" ]

  

autoscaling:

  # -- Create HorizontalPodAutoscaler object.

  # See EXAMPLES.md for more details.

  enabled: false

  

persistence:

  # -- Enable persistence using Persistent Volume Claims

  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/

  # It can be used to store TLS certificates, see `storage` in certResolvers

  enabled: false

  name: data

  existingClaim: ""

  accessMode: ReadWriteOnce

  size: 128Mi

  storageClass: ""

  volumeName: ""

  path: /data

  annotations: {}

  # -- Only mount a subpath of the Volume into the pod

  subPath: ""

  

# -- Certificates resolvers configuration.

# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers

# See EXAMPLES.md for more details.

certResolvers: {}

  

# -- If hostNetwork is true, runs traefik in the host network namespace

# To prevent unschedulabel pods due to port collisions, if hostNetwork=true

# and replicas>1, a pod anti-affinity is recommended and will be set if the

# affinity is left as default.

hostNetwork: false

  

# -- Whether Role Based Access Control objects like roles and rolebindings should be created

rbac:  # @schema additionalProperties: false

  enabled: true

  # When set to true:

  # 1. Use `Role` and `RoleBinding` instead of `ClusterRole` and `ClusterRoleBinding`.

  # 2. Set `disableIngressClassLookup` on Kubernetes Ingress providers with Traefik Proxy v3 until v3.1.1

  # 3. Set `disableClusterScopeResources` on Kubernetes Ingress and CRD providers with Traefik Proxy v3.1.2+

  # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC.

  # See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details.

  namespaced: false

  # Enable user-facing roles

  # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

  aggregateTo: []

  # List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret.

  secretResourceNames: []

  

# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding

podSecurityPolicy:

  enabled: false

  

# -- The service account the pods will use to interact with the Kubernetes API

serviceAccount:  # @schema additionalProperties: false

  # If set, an existing service account is used

  # If not set, a service account is created automatically using the fullname template

  name: ""

  

# -- Additional serviceAccount annotations (e.g. for oidc authentication)

serviceAccountAnnotations: {}

  

# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.

resources: {}

  

# -- This example pod anti-affinity forces the scheduler to put traefik pods

# -- on nodes where no other traefik pods are scheduled.

# It should be used when hostNetwork: true to prevent port conflicts

affinity: {}

#  podAntiAffinity:

#    requiredDuringSchedulingIgnoredDuringExecution:

#      - labelSelector:

#          matchLabels:

#            app.kubernetes.io/name: '{{ template "traefik.name" . }}'

#            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'

#        topologyKey: kubernetes.io/hostname

  

# -- nodeSelector is the simplest recommended form of node selection constraint.

nodeSelector: {}

# -- Tolerations allow the scheduler to schedule pods with matching taints.

tolerations: []

# -- You can use topology spread constraints to control

# how Pods are spread across your cluster among failure-domains.

topologySpreadConstraints: []

# This example topologySpreadConstraints forces the scheduler to put traefik pods

# on nodes where no other traefik pods are scheduled.

#  - labelSelector:

#      matchLabels:

#        app: '{{ template "traefik.name" . }}'

#    maxSkew: 1

#    topologyKey: kubernetes.io/hostname

#    whenUnsatisfiable: DoNotSchedule

  

# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)

priorityClassName: ""

  

# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)

# @default -- See _values.yaml_

securityContext:

  allowPrivilegeEscalation: false

  capabilities:

    drop: [ALL]

  readOnlyRootFilesystem: true

  

# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)

# @default -- See _values.yaml_

podSecurityContext:

  runAsGroup: 65532

  runAsNonRoot: true

  runAsUser: 65532

  

#

# -- Extra objects to deploy (value evaluated as a template)

#

# In some cases, it can avoid the need for additional, extended or adhoc deployments.

# See #595 for more details and traefik/tests/values/extra.yaml for example.

extraObjects: []

  

# -- This field override the default Release Namespace for Helm.

# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`

namespaceOverride: ""

  

## -- This field override the default app.kubernetes.io/instance label for all Objects.

instanceLabelOverride: ""

  

# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/

hub:

  # -- Name of `Secret` with key 'token' set to a valid license token.

  # It enables API Gateway.

  token: ""

  apimanagement:

    # -- Set to true in order to enable API Management. Requires a valid license token.

    enabled: false

    admission:

      # -- WebHook admission server listen address. Default: "0.0.0.0:9943".

      listenAddr: ""

      # -- Certificate of the WebHook admission server. Default: "hub-agent-cert".

      secretName: ""

  

  ratelimit:

    redis:

      # -- Enable Redis Cluster. Default: true.

      cluster:    # @schema type:[boolean, null]

      # -- Database used to store information. Default: "0".

      database:   # @schema type:[string, null]

      # -- Endpoints of the Redis instances to connect to. Default: "".

      endpoints: ""

      # -- The username to use when connecting to Redis endpoints. Default: "".

      username: ""

      # -- The password to use when connecting to Redis endpoints. Default: "".

      password: ""

      sentinel:

        # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "".

        masterset: ""

        # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "".

        username: ""

        # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "".

        password: ""

      # -- Timeout applied on connection with redis. Default: "0s".

      timeout: ""

      tls:

        # -- Path to the certificate authority used for the secured connection.

        ca: ""

        # -- Path to the public certificate used for the secure connection.

        cert: ""

        # -- Path to the private key used for the secure connection.

        key: ""

        # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false.

        insecureSkipVerify: false

  # Enable export of errors logs to the platform. Default: true.

  sendlogs:  # @schema type:[boolean, null]

应用配置

1
2
3
helm upgrade traefik traefik/traefik \
    --namespace traefik -f traefik-values.yaml

IngressRouteTCP示例

mysql-traefik-ingress.yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
  namespace: default
spec: 
...
---
apiVersion: v1
kind: Service
metadata:
  name: mysql-svc
  namespace: default
spec:
  selector: 
    app: mysql
  ports:
  - port: 3306
    name: mysql-tcp
    protocol: TCP
  clusterIP: None # 定义Headless Service
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mysql-ingress
  namespace: default #根据实际情况修改,或应用文件时指定
spec:
  entryPoints:
    - mysql
  routes:
    - match: HostSNI(`*`)
      services:
        - name: mysql-svc
          namespace: default

发表于 更新于

一、问题背景与准备工作

当您忘记 MySQL 的 root 密码,或者怀疑密码被篡改(例如服务器遭受攻击)时,可以通过进入 MySQL 的“安全模式”来重置密码。此方法适用于 MySQL 5.7 及更高版本。

重要前提:您需要拥有操作系统的管理员权限,并能访问 MySQL 的安装目录。

二、核心步骤:进入安全模式并重置密码

2.1 第一步:停止 MySQL 服务

首先,必须停止正在运行的 MySQL 服务。

方法 A:使用命令提示符(推荐)

1
net stop mysql

注意:服务名可能因安装版本而异(如 mysql57mysql80)。如果上述命令失败,请打开“服务”管理面板(services.msc)查找准确的 MySQL 服务名称。

方法 B:通过服务管理面板

  1. Win + R,输入 services.msc 并回车。
  2. 在服务列表中找到 MySQL 服务(如 “MySQL57”)。
  3. 右键点击,选择“停止”。

2.2 第二步:以无授权表模式启动 MySQL

此模式允许您无需密码即可连接数据库。

  1. 打开新的命令提示符窗口(管理员身份)

  2. 切换到 MySQL 的 bin 目录

    1
    cd “C:\Program Files\MySQL\MySQL Server 5.7\bin”

    请根据您的实际安装路径调整。

  3. 启动 MySQL 并跳过权限验证

    • 标准命令
      1
      mysqld --skip-grant-tables
    • 如果配置了 my.ini 文件(通常指定了数据目录),必须引入配置文件:
      1
      mysqld --defaults-file=”../my.ini” --skip-grant-tables
      配置文件 my.ini 通常位于 C:\ProgramData\MySQL\MySQL Server X.X\ 目录下。

  4. 此时,当前窗口会挂起,显示 MySQL 已启动。请勿关闭此窗口

2.3 第三步:连接数据库并清空 root 密码

  1. 打开另一个新的命令提示符窗口(管理员身份)

  2. 同样切换到 MySQL 的 bin 目录

  3. 无密码连接 MySQL

    1
    mysql -u root

    成功连接后,会看到 mysql> 提示符。

  4. 切换到 mysql 系统数据库并清空 root 密码

    1
    2
    3
    4
    5
    USE mysql;
    -- 对于 MySQL 5.7+,密码存储在 `authentication_string` 字段
    UPDATE user SET authentication_string=’’ WHERE user=’root’;
    -- 对于 MySQL 5.6 及更早版本,使用 `password` 字段
    -- UPDATE user SET password=’’ WHERE user=’root’;

    执行成功后,会提示 Query OK, 1 row affected

  5. 刷新权限并退出

    1
    2
    FLUSH PRIVILEGES;
    QUIT;

2.4 第四步:重启 MySQL 服务

  1. 返回到运行 mysqld --skip-grant-tables 的命令窗口,按 Ctrl + C 终止进程。
  2. 或者,打开任务管理器,结束 mysqld.exe 进程。
  3. 重新启动 MySQL 服务:
    1
    net start mysql
    (同样,请使用您的实际服务名)

至此,root 密码已被清空。您可以使用 mysql -u root 直接登录,无需密码。

三、为 root 账户设置新密码(安全加固)

出于安全考虑,必须为 root 账户设置一个强密码。登录后,可选择以下任一方法。

3.1 方法一:使用 SET PASSWORD 命令(推荐)

1
2
3
4
5
6
7
8
-- 登录 MySQL
mysql -u root

-- 修改密码(MySQL 5.7+ 语法)
ALTER USER ‘root’@’localhost’ IDENTIFIED BY ‘您的新密码’;

-- 或使用传统语法(某些版本支持)
SET PASSWORD FOR ‘root’@’localhost’ = PASSWORD(‘您的新密码’);

3.2 方法二:使用 mysqladmin 命令行工具

在命令提示符(非 MySQL 客户端)中操作:

1
mysqladmin -u root password “您的新密码”

注意:如果 root 已有密码,需要使用 -p 参数输入旧密码。此方法会因在命令行中暴露密码而收到安全警告。

3.3 方法三:直接更新 user

在 MySQL 客户端内执行:

1
2
3
4
5
6
7
USE mysql;
-- 对于 MySQL 5.7+
UPDATE user SET authentication_string = PASSWORD(‘您的新密码’) WHERE user = ‘root’;
-- 对于旧版本
-- UPDATE user SET password = PASSWORD(‘您的新密码’) WHERE user = ‘root’;

FLUSH PRIVILEGES;

无论使用哪种方法,修改密码后都必须执行 FLUSH PRIVILEGES; 使更改立即生效。

四、故障排除与注意事项

4.1 常见错误与解决

  • 错误:mysqld: [ERROR] Found option without preceding group in config file
    原因my.ini 配置文件编码或格式错误(例如保存为 UTF-8 with BOM)。
    解决:使用记事本打开 my.ini,另存为 ANSI 编码。

  • 错误:No such file or directory
    原因:未指定正确的 my.ini 路径,或数据目录不存在。
    解决:使用 --defaults-file 参数明确指定配置文件完整路径。

  • 服务无法启动
    解决:检查事件查看器(eventvwr.msc)中 “应用程序” 日志的 MySQL 错误信息。

4.2 安全建议

  1. 立即修改密码:重置后,务必立即设置一个强密码。
  2. 检查用户:登录后,执行 SELECT user, host FROM mysql.user;,检查是否有未知或可疑账户。
  3. 考虑重装:如果服务器确认被入侵,重置密码仅是第一步,建议全面安全检查,甚至考虑备份数据后重装 MySQL。
  4. 使用强密码:密码应包含大小写字母、数字和特殊字符,长度至少12位。

4.3 不同 MySQL 版本的差异

版本 密码字段 修改密码推荐命令
MySQL 5.7+ authentication_string ALTER USER … IDENTIFIED BY ‘密码’;
MySQL 5.6 及更早 password SET PASSWORD = PASSWORD(‘密码’);

五、总结操作流程

  1. 停止服务net stop mysql
  2. 无授权启动:在 bin 目录运行 mysqld --skip-grant-tables(必要时加 --defaults-file)。
  3. 无密码连接:新窗口运行 mysql -u root
  4. 清空密码:执行 UPDATE mysql.user SET authentication_string=’’ WHERE user=’root’;FLUSH PRIVILEGES;
  5. 重启服务:结束 mysqld 进程,运行 net start mysql
  6. 设置新密码:登录后使用 ALTER USER 命令设置强密码。
  7. 安全检查:审查用户列表,确保无其他安全隐患。

发表于 更新于

一、概述与准备工作

1.1 GPU 加速的优势与局限

优势

  • 速度极快:GPU 拥有强大的并行计算能力,视频编解码速度远超 CPU。
  • 释放 CPU:将繁重的视频处理任务卸载到 GPU,让 CPU 专注于其他应用。

局限

  • 质量与体积:GPU 编码器(硬件编码)的压缩效率通常低于 CPU 编码器(软件编码,如 libx264)。在相同码率下,GPU 编码的视频质量可能稍差,或为达到相同质量需要更大的文件体积。
  • 功能限制:GPU 编码器支持的编码参数(如 crfpreset)通常比软件编码器少。

适用场景:适用于对处理速度要求极高,且对最终文件体积或极致画质要求不苛刻的场景,如实时流媒体、大规模视频转码批处理。

1.2 下载 FFmpeg

  1. 访问 FFmpeg 官网下载页:https://ffmpeg.org/download.html
  2. 对于 Windows 用户,建议直接下载编译好的版本,例如来自 gyan.devBtbN 的构建包。
  3. 下载后解压,将 bin 目录路径(如 C:\ffmpeg\bin)添加到系统的 PATH 环境变量中,以便在命令行中直接使用 ffmpeg 命令。

二、NVIDIA GPU 加速配置与使用

2.1 安装 CUDA 驱动(必需)

FFmpeg 的 NVIDIA GPU 加速依赖于 NVIDIA 的 CUDANVENC/NVDEC 驱动。

  1. 访问 NVIDIA 开发者网站:https://developer.nvidia.com/cuda-downloads
  2. 选择适合你系统的版本(操作系统、架构、版本、安装类型)。对于大多数用户,选择 Windows -> x86_64 -> 10 -> exe(local) 即可。
  3. 下载并运行安装程序,按提示完成安装。

2.2 检查 FFmpeg 是否支持 CUDA/NVENC

在命令提示符中运行以下命令,查看支持的硬件加速方法:

1
ffmpeg -hwaccels

如果输出中包含 cudacuvidnvdec,则说明当前 FFmpeg 版本支持 NVIDIA 硬件加速。

2.3 核心命令与参数详解

一个完整的 NVIDIA GPU 加速转码命令包含硬件解码处理硬件编码三个部分。

基础命令结构

1
ffmpeg -hwaccel cuvid -c:v h264_cuvid -i input.mp4 -c:v h264_nvenc -y output.mp4

参数分解

参数 作用 说明
-hwaccel cuvid 指定使用 CUDA 视频加速 API 进行解码。 也可用 nvdec(更新)。
-c:v h264_cuvid 硬件解码器。指定使用 NVIDIA 的 H.264 解码器。 根据输入视频编码格式选择:hevc_cuvid (H.265), mpeg2_cuvid, vp9_cuvid 等。
-i input.mp4 输入文件。
-c:v h264_nvenc 硬件编码器。指定使用 NVIDIA 的 H.264 编码器。 可选:hevc_nvenc (H.265), av1_nvenc
-y 覆盖输出文件。
output.mp4 输出文件。

2.4 常用转码示例

1. 改变码率(控制体积)

1
ffmpeg -hwaccel cuvid -c:v h264_cuvid -i input.mp4 -c:v h264_nvenc -b:v 2000k -y output.mp4

-b:v 2000k:将视频码率设置为 2000 Kbps。

2. 改变帧率

1
ffmpeg -hwaccel cuvid -c:v h264_cuvid -i input.mp4 -c:v h264_nvenc -r 30 -y output.mp4

-r 30:将输出视频帧率设置为 30 fps。

3. 缩放分辨率(使用 GPU 滤镜)

1
ffmpeg -hwaccel cuvid -c:v h264_cuvid -i input.mp4 -c:v h264_nvenc -vf "scale_npp=1280:-2" -y output.mp4

-vf "scale_npp=1280:-2":使用 NVIDIA 的 scale_npp 滤镜将宽度缩放到 1280 像素,高度按比例自动计算(-2 保证为偶数)。注意:GPU 滤镜与 CPU 滤镜(scale)不同。

4. 综合示例(转码、缩放、修改码率)

1
ffmpeg -hwaccel cuvid -c:v h264_cuvid -i input.mp4 -c:v h264_nvenc -b:v 1500k -vf "scale_npp=1920:1080" -r 25 -y output.mp4

2.5 多 GPU 系统指定设备

如果系统装有多个 NVIDIA GPU,可以使用 -hwaccel_device 参数指定使用哪一块 GPU。

1
2
3
4
5
# 使用第一块 GPU (索引 0)
ffmpeg -hwaccel cuvid -hwaccel_device 0 -c:v h264_cuvid -i input.mp4 -c:v h264_nvenc -y output_gpu0.mp4

# 使用第二块 GPU (索引 1)
ffmpeg -hwaccel cuvid -hwaccel_device 1 -c:v h264_cuvid -i input.mp4 -c:v h264_nvenc -y output_gpu1.mp4

性能提示:单个 GPU 通常在同一时间只能高效处理一个编码任务。多个转码任务不会自动分配到不同 GPU,需要手动指定。

三、AMD GPU 加速配置与使用

AMD GPU 加速无需安装额外的 SDK(如 CUDA),只要 FFmpeg 编译时启用了 AMF(AMD Media Framework)支持即可。大多数预编译的 Windows 版 FFmpeg 已包含此支持。

3.1 检查 AMF 支持

运行以下命令,查看编码器列表:

1
ffmpeg -encoders | findstr amf

如果看到 h264_amfhevc_amf 等编码器,则说明支持 AMD GPU 加速。

3.2 核心命令示例

基础转码命令

1
ffmpeg -i input.mp4 -c:v h264_amf -y output.mp4

参数比 NVIDIA 方案更简洁,因为 AMD 目前主要提供硬件编码器,解码通常仍由 CPU 或通用硬件解码器完成。

调整编码参数
AMD AMF 编码器支持一些特定的参数来控制质量和速度。

1
ffmpeg -i input.mp4 -c:v h264_amf -quality quality -y output.mp4

-quality:可设置为 speed(速度优先)、balanced(平衡)或 quality(质量优先)。

更多参数示例

1
ffmpeg -i input.mp4 -c:v h264_amf -b:v 3M -usage transcoding -profile high -y output.mp4
  • -usage transcoding:指定为转码用途。
  • -profile high:指定 H.264 High Profile。

四、Intel GPU 加速(Quick Sync Video, QSV)

许多 Intel 酷睿处理器集成了核芯显卡,支持 QSV 技术,也可用于 FFmpeg 加速。

4.1 命令示例

基础命令

1
ffmpeg -hwaccel qsv -c:v h264_qsv -i input.mp4 -c:v h264_qsv -y output.mp4
  • -hwaccel qsv:启用 QSV 硬件加速。
  • -c:v h264_qsv:既作解码器也作编码器。

使用不同的编解码器

1
2
# H.265/HEVC 编解码
ffmpeg -hwaccel qsv -c:v hevc_qsv -i input.hevc -c:v hevc_qsv -y output.mp4

五、通用建议与故障排除

5.1 如何选择编解码器?

  1. 查看支持的编码器ffmpeg -encoders
  2. 查看支持的解码器ffmpeg -decoders
  3. 在输出中查找 nvencamfqsv 等关键词。

5.2 常见问题

  • 错误:Driver does not support the required nvenc API version
    原因:GPU 驱动或 FFmpeg 版本太旧。
    解决:更新 NVIDIA 显卡驱动至最新版,并使用最新的 FFmpeg 构建。

  • 错误:No NVENC capable devices found
    原因:消费级 GPU 的 NVENC 会话数有上限,或 GPU 不支持。
    解决:检查 GPU 是否支持 NVENC(GeForce 600 系列后基本都支持)。关闭其他占用 NVENC 的程序。

  • AMD/Intel 加速未生效
    解决:确保在 BIOS/UEFI 中已启用集成显卡,并且安装了最新的显卡驱动。

5.3 质量与速度的权衡

  • 追求极限压缩率/画质:使用 CPU 软件编码,如 -c:v libx264 -crf 23 -preset slow
  • 追求极限速度:使用 GPU 硬件编码,并选择 -preset fast(如 -preset p7 用于 NVENC)。
  • 平衡之选:可以考虑使用 GPU 解码 + CPU 编码(-c:v libx264),或使用 GPU 编码但设置较高的码率来弥补画质损失。

5.4 监控 GPU 使用情况

  • NVIDIA:使用 nvidia-smi 命令监控 GPU 利用率、显存占用和编码会话。
  • 任务管理器:在“性能”选项卡中查看 GPU 的“视频编码”利用率。

六、总结

平台 加速类型 关键参数 特点
NVIDIA 解码 + 编码 -hwaccel cuvid, -c:v h264_cuvid, -c:v h264_nvenc 生态完善,文档丰富,多 GPU 支持好。
AMD 主要编码 -c:v h264_amf 无需额外 SDK,配置简单。
Intel 解码 + 编码 -hwaccel qsv, -c:v h264_qsv 适合笔记本和台式机核显,功耗低。

最终建议

  1. 根据你的显卡型号选择对应的方案。
  2. 首次使用时,先用一段短视频测试命令是否可行。
  3. 对于生产环境,务必对比输出视频的质量、体积和处理速度,找到符合你需求的最佳参数组合。

发表于 更新于 分类于

堆排序算法(C#实现)

Excerpt

在软件设计相关领域,“堆(Heap)”的概念主要涉及到两个方面:一种是数据结构,逻辑上是一颗完全二叉树,存储上是一个数组对象(二叉堆)。另一种是垃圾收集存储区,是软件系统可以编程的内存区域。本文所说的堆指的是前者,另外,这篇文章中堆中元素的值均以整形为例堆排序的时间复杂度是O(nlog2n),与快速

在软件设计相关领域,“堆(Heap)”的概念主要涉及到两个方面:

一种是数据结构,逻辑上是一颗完全二叉树,存储上是一个数组对象(二叉堆)。

另一种是垃圾收集存储区,是软件系统可以编程的内存区域。

本文所说的堆指的是前者,另外,这篇文章中堆中元素的值均以整形为例

堆排序的时间复杂度是O(nlog2n),与快速排序达到相同的时间复杂度. 但是在实际应用中,我们往往采用快速排序而不是堆排序. 这是因为快速排序的一个好的实现,往往比堆排序具有更好的表现. 堆排序的主要用途,是在形成和处理优先级队列方面. 另外, 如果计算要求是类优先级队列(比如, 只要返回最大或者最小元素, 只有有限的插入要求等), 堆同样是很适合的数据结构.

**堆排序
**堆排序是一种选择排序。是不稳定的排序方法。时间复杂度为O(nlog2n)。
堆排序的特点是:在排序过程中,将排序数组看成是一棵完全二叉树的顺序存储结构,利用完全二叉树中双亲节点和孩子节点之间的内在关系,在当前无序区中选择关键字最大(或最小)的记录。

基本思想
1.将要排序的数组创建为一个大根堆。大根堆的堆顶元素就是这个堆中最大的元素。
2.将大根堆的堆顶元素和无序区最后一个元素交换,并将无序区最后一个位置例入有序区,然后将新的无序区调整为大根堆。
重复操作,无序区在递减,有序区在递增。
初始时,整个数组为无序区,第一次交换后无序区减一,有序区增一。
每一次交换,都是大根堆的堆顶元素插入有序区,所以有序区保持是有序的。

大根堆和小根堆
堆:是一颗完全二叉树。
大根堆:所有节点的子节点比其自身小的堆
小根堆:所有节点的子节点比其自身大的堆

堆与数组的关系

堆是一种逻辑结构(形象的表示数据的存储格式),数组则是数据的实际存储结构(对应数据的存储地址),堆中的根节点与左右子节点在存储数组中的位置关系如下:假设根节点在数组中的位置(数组下标)为 i ,那么左节点在数组中的位置(数组下标)为 i * 2 + 1 , 右节点在数组中的位置(数组下标)为 i * 2 + 2 。

以上是基本的知识点,具体代码如下所示:

复制代码

1
<span>        //</span><span>堆排序算法(传递待排数组名,即:数组的地址。故形参数组的各种操作反应到实参数组上)</span><span><br></span><span>     private </span><span>static </span><span>void</span><span> HeapSortFunction(</span><span>int</span><span>[] array)<br>        {<br>            </span><span>try</span><span><br>            {<br>                BuildMaxHeap(array);    </span><span>//</span><span>创建大顶推(初始状态看做:整体无序)</span><span><br></span><span>         for</span><span> (</span><span>int</span><span> i </span><span>=</span><span> array.Length </span><span>-</span><span>1</span><span>; i </span><span>&gt;</span><span>0</span><span>; i</span><span>--</span><span>)<br>                {<br>                    Swap(</span><span>ref</span><span> array[</span><span>0</span><span>], </span><span>ref</span><span> array[i]); </span><span>//</span><span>将堆顶元素依次与无序区的最后一位交换(使堆顶元素进入有序区)</span><span><br></span><span>                    MaxHeapify(array, </span><span>0</span><span>, i); </span><span>//</span><span>重新将无序区调整为大顶堆</span><span><br></span><span>                }<br>            }<br>            </span><span>catch</span><span> (Exception ex)<br>            { }<br>        }<br><br>        </span><span>///</span><span>&lt;summary&gt;</span><span><br>        </span><span>///</span><span> 创建大顶推(根节点大于左右子节点)<br>        </span><span>///</span><span>&lt;/summary&gt;</span><span><br>        </span><span>///</span><span>&lt;param name="array"&gt;</span><span>待排数组</span><span>&lt;/param&gt;</span><span><br></span><span>     private </span><span>static </span><span>void</span><span> BuildMaxHeap(</span><span>int</span><span>[] array)<br>        {<br>            </span><span>try</span><span><br>            {<br>                </span><span>//</span><span>根据大顶堆的性质可知:数组的前半段的元素为根节点,其余元素都为叶节点</span><span><br></span><span>         for</span><span> (</span><span>int</span><span> i </span><span>=</span><span> array.Length </span><span>/</span><span>2</span><span>-</span><span>1</span><span>; i </span><span>&gt;=</span><span>0</span><span>; i</span><span>--</span><span>) </span><span>//</span><span>从最底层的最后一个根节点开始进行大顶推的调整</span><span><br></span><span>                {<br>                    MaxHeapify(array, i, array.Length); </span><span>//</span><span>调整大顶堆</span><span><br></span><span>                }<br>            }<br>            </span><span>catch</span><span> (Exception ex)<br>            { }<br>        }<br><br>        </span><span>///</span><span>&lt;summary&gt;</span><span><br>        </span><span>///</span><span> 大顶推的调整过程<br>        </span><span>///</span><span>&lt;/summary&gt;</span><span><br>        </span><span>///</span><span>&lt;param name="array"&gt;</span><span>待调整的数组</span><span>&lt;/param&gt;</span><span><br>        </span><span>///</span><span>&lt;param name="currentIndex"&gt;</span><span>待调整元素在数组中的位置(即:根节点)</span><span>&lt;/param&gt;</span><span><br>        </span><span>///</span><span>&lt;param name="heapSize"&gt;</span><span>堆中所有元素的个数</span><span>&lt;/param&gt;</span><span><br></span><span>     private </span><span>static </span><span>void</span><span> MaxHeapify(</span><span>int</span><span>[] array, </span><span>int</span><span> currentIndex, </span><span>int</span><span> heapSize)<br>        {<br>            </span><span>try</span><span><br>            {<br>                </span><span>int</span><span> left </span><span>=</span><span>2</span><span>*</span><span> currentIndex </span><span>+</span><span>1</span><span>;    </span><span>//</span><span>左子节点在数组中的位置</span><span><br></span><span>         int</span><span> right </span><span>=</span><span>2</span><span>*</span><span> currentIndex </span><span>+</span><span>2</span><span>;   </span><span>//</span><span>右子节点在数组中的位置</span><span><br></span><span>         int</span><span> large </span><span>=</span><span> currentIndex;   </span><span>//</span><span>记录此根节点、左子节点、右子节点 三者中最大值的位置</span><span><br></span><span><br>                </span><span>if</span><span> (left </span><span>&lt;</span><span> heapSize </span><span>&amp;&amp;</span><span> array[left] </span><span>&gt;</span><span> array[large])  </span><span>//</span><span>与左子节点进行比较</span><span><br></span><span>                {<br>                    large </span><span>=</span><span> left;<br>                }<br>                </span><span>if</span><span> (right </span><span>&lt;</span><span> heapSize </span><span>&amp;&amp;</span><span> array[right] </span><span>&gt;</span><span> array[large])    </span><span>//</span><span>与右子节点进行比较</span><span><br></span><span>                {<br>                    large </span><span>=</span><span> right;<br>                }<br>                </span><span>if</span><span> (currentIndex </span><span>!=</span><span> large)  </span><span>//</span><span>如果 currentIndex != large 则表明 large 发生变化(即:左右子节点中有大于根节点的情况)</span><span><br></span><span>                {<br>                    Swap(</span><span>ref</span><span> array[currentIndex], </span><span>ref</span><span> array[large]);    </span><span>//</span><span>将左右节点中的大者与根节点进行交换(即:实现局部大顶堆)</span><span><br></span><span>                    MaxHeapify(array, large, heapSize); </span><span>//</span><span>以上次调整动作的large位置(为此次调整的根节点位置),进行递归调整</span><span><br></span><span>                }<br>            }<br>            </span><span>catch</span><span> (Exception ex)<br>            { }<br>        }<br><br>        </span><span>///</span><span>&lt;summary&gt;</span><span><br>        </span><span>///</span><span> 交换函数<br>        </span><span>///</span><span>&lt;/summary&gt;</span><span><br>        </span><span>///</span><span>&lt;param name="a"&gt;</span><span>元素a</span><span>&lt;/param&gt;</span><span><br>        </span><span>///</span><span>&lt;param name="b"&gt;</span><span>元素b</span><span>&lt;/param&gt;</span><span><br></span><span>     private </span><span>static </span><span>void</span><span> Swap(</span><span>ref</span><span>int</span><span> a, </span><span>ref</span><span>int</span><span> b)<br>        {<br>            </span><span>int</span><span> temp </span><span>=</span><span>0</span><span>;<br>            temp </span><span>=</span><span> a;<br>            a </span><span>=</span><span> b;<br>            b </span><span>=</span><span> temp;<br>        }</span>

复制代码

发表于 更新于

一、 核心概念与架构

1. 什么是ELK?
ELK是三个开源软件的缩写,构成一套完整的日志集中管理、搜索分析和可视化解决方案:

  • Elasticsearch:分布式搜索和分析引擎,负责存储和索引日志数据。
  • Logstash:数据收集、处理和转发管道,负责从各种来源采集日志,进行过滤、解析,然后输出到存储(如ES)。
  • Kibana:数据可视化平台,为存储在Elasticsearch中的数据提供Web界面,用于搜索、分析和图表展示。

2. 为什么需要ELK?
解决传统日志分析(如 grep, awk)在分布式、大规模环境下的痛点:

  • 日志分散,难以集中管理。
  • 海量日志下,文本搜索效率低下。
  • 缺乏多维度查询和实时分析能力。
  • 无法进行直观的数据可视化。

3. ELK 工作原理

  • 数据流:应用/系统产生日志 -> Logstash (Shipper) 收集 -> 消息队列 (如Redis) 缓冲 -> Logstash (Indexer) 处理 -> Elasticsearch 存储/索引 -> Kibana 查询/展示。
  • Logstash 处理三阶段
    • Input:从文件、Syslog、Redis、Beats等来源读取数据。
    • Filter:使用 grok(解析文本)、mutate(修改字段)、geoip(添加地理位置)等插件对数据进行清洗、解析和丰富。
    • Output:将处理后的数据写入Elasticsearch、文件或其它系统。

二、 环境部署详细步骤

1. 基础环境准备

  • 系统:CentOS 7.1
  • 节点
    • elk-node1 (192.168.1.160):Master节点,部署全套ELK及Redis。
    • elk-node2 (192.168.1.161):Slave节点,部署Elasticsearch作为数据/候选主节点。
  • 前置操作:关闭防火墙、SELinux。

2. Elasticsearch 集群部署

  • 安装:通过配置Yum源安装。
  • 关键配置 (/etc/elasticsearch/elasticsearch.yml):
    1
    2
    3
    4
    5
    6
    7
    cluster.name: huanqiu
    node.name: elk-node1
    path.data: /data/es-data
    network.host: 0.0.0.0
    http.port: 9200
    # 集群发现配置 (node2上需要添加)
    discovery.zen.ping.unicast.hosts: ["192.168.1.160", "192.168.1.161"]
  • 插件安装
    • Head插件:用于集群管理和数据浏览。
    • Kopf插件:用于集群监控。
  • 启动与验证systemctl start elasticsearch,访问 http://<ip>:9200 或通过插件界面查看。

3. Logstash 部署与配置

  • 安装:通过Yum源安装。
  • 核心概念:编写 .conf 配置文件,定义 input, filter, output 部分。
  • 配置示例
    • 收集系统日志:从 /var/log/messages 读取,输出到ES。
    • 收集Nginx JSON日志:配置Nginx输出JSON格式日志,Logstash使用 json codec直接解析。
    • 使用 multiline 处理多行日志(如Java异常堆栈)。
    • 使用 grok 过滤器解析非结构化日志

4. Kibana 部署

  • 安装:下载解压包,配置 /usr/local/kibana/config/kibana.yml
    1
    2
    3
    server.port: 5601
    server.host: "0.0.0.0"
    elasticsearch.url: "http://192.168.1.160:9200"
  • 启动:通过 screen 会话在后台运行 /usr/local/kibana/bin/kibana
  • 使用:访问Web界面,在 Management -> Index Patterns 中创建索引模式(如 system-*),即可在 Discover 页面查询日志。

5. 引入Redis作为缓冲队列(生产环境推荐)

  • 目的:解耦日志收集与处理,提高可靠性,防止ES故障导致数据丢失,并缓冲流量压力。
  • 架构
    1. Shipper端:各应用服务器的Logstash将日志推送到Redis队列。
    2. Indexer端:中心服务器的Logstash从Redis队列拉取日志,处理后写入Elasticsearch。
  • 配置关键
    • 输出到Redis (Shipper):
      1
      2
      3
      4
      5
      6
      7
      output {
        redis {
          host => "192.168.1.160"
          data_type => "list"
          key => "logstash:nginx"
        }
      }
    • 从Redis输入 (Indexer):
      1
      2
      3
      4
      5
      6
      7
      input {
        redis {
          host => "192.168.1.160"
          data_type => "list"
          key => "logstash:nginx"
        }
      }

三、 配置要点与问题排查

  1. Elasticsearch 集群优化

    • 设置 discovery.zen.minimum_master_nodes 防止脑裂(通常为 (master节点数/2) + 1)。
    • 调整 ES_HEAP_SIZE(建议不超过物理内存一半,且小于32GB)。
    • 规划好索引分片(shard)数量和生命周期(按天/月分割)。

  2. Logstash 使用技巧

    • 使用 --configtest 参数测试配置文件语法。
    • 利用 type 字段区分不同日志源,便于后续分流处理。
    • 善用 Grok Debugger 在线工具调试 grok 匹配模式。

  3. Kibana 常见问题

    • 查询超时:在 kibana.yml 中调整 elasticsearch.requestTimeout 设置。
    • 字段被分词导致聚合不准:对字符串字段进行聚合时,使用 .raw 字段(未分析版本)。

  4. Java环境问题:如果系统Java版本与Logstash要求(通常需要Java 8+)冲突,可在 /etc/sysconfig/logstash 和启动脚本中单独为Logstash指定JAVA_HOME。

四、 总结

这份文档完整地展示了从零开始搭建一个具备生产级可靠性的ELK日志平台的过程,涵盖了:

  • 理论:ELK组件角色、架构设计(含缓冲队列)。
  • 实践:逐步安装、配置、集成各个组件。
  • 进阶:多种日志源的收集配置(系统日志、Nginx、Java应用、MySQL慢查询等)、使用Redis解耦、集群配置和基础调优。

通过此部署,可以实现日志的集中采集、实时处理、快速检索和可视化分析,极大提升运维排障效率和系统可观测性。

发表于 更新于

一、最小-最大搜索(Minimax Search)

核心思想:最小与最大是相对的,且只针对一方(AI)。

原理
AI走一步后,假设对手会走对AI最差的一步;AI需选择使自身收益最大的走法。

示例(搜索深度4): 

1
AI走第1步 → 对手走第2步(最差) → AI走第3步(最佳) → 对手走第4步(最差)

→ 深度0时调用 Evaluate() 返回局面评价

代码实现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
int Max(int depth) {
    int best = -INFINITY;
    if (depth <= 0) {
        return Evaluate();
    }
    GenerateLegalMoves();       //产生所有合理走法
    while (MovesLeft()) {
        MakeNextMove();          //走这一步时
        val = Min(depth - 1);    //接受一个相对最小值
        UnmakeMove();
        if (val > best) {
            best = val;
        }
    }
    return best;                //返回一个相对最大的评价(AI 认为的最佳着法)
}

int Min(int depth) {
    int best = INFINITY;        // 注意这里不同于"最大"算法
    if (depth <= 0) {
        return Evaluate();
    }
    GenerateLegalMoves();
    while (MovesLeft()) {
        MakeNextMove();
        val = Max(depth - 1);    //接受一个相对最大值
        UnmakeMove();
        if (val < best) {       // 注意这里不同于"最大"算法
            best = val;
        }
    }
    return best;                //返回一个相对最小的评价(对方,人认为的最差走法)
}

调用方式val = MinMax(5); → 返回向前看5步的当前局面评价。

二、负值最大函数(Negamax Search)

优化点:将 Min/Max 合并为单函数,通过取负号处理双方角色切换。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
int NegaMax(int depth) {
    int best = -INFINITY;
    if (depth <= 0) {
        return Evaluate();
    }
    GenerateLegalMoves();
    while (MovesLeft()) {
        MakeNextMove();
        val = -NegaMax(depth - 1);  // 注意这里有个负号
        UnmakeMove();
        if (val > best) {           //始终最优值
            best = val;
        }
    }
    return best;
}

优势:省去求 min 函数的步骤,减少代码量,始终求对当前节点的最佳走法。

三、Alpha-Beta搜索

问题:Minimax 需检查整个博弈树,分枝因子大导致效率低。

解决方案:通过维护上下界 alphabeta,剪枝无效分支。

3.1 核心概念

概念 说明
Alpha 当前节点的最优上界(MAX节点的最大值)
Beta 对手节点的最优下界(MIN节点的最小值)
Alpha剪枝 MIN节点:当 alpha >= beta 时终止扩展
Beta剪枝 MAX节点:当 alpha >= beta 时终止扩展

3.2 口袋示例

场景:死敌面前有多个口袋,你挑口袋,他挑物品。

目标:挑出在诸多最糟糕物品中最好的物品所在的口袋。

排序后剪枝示意

  • 节点2最小值200,节点3中150<200
  • 节点1下第一个子节点170 < 200,第二个子节点更小 → 剪裁
  • 节点4类似,第一个子节点50,后面的无需再比较

3.3 代码实现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
int AlphaBeta(int depth, int alpha, int beta) {
    if (depth == 0) {
        return Evaluate();
    }
    GenerateLegalMoves();
    while (MovesLeft()) {
        MakeNextMove();
        val = -AlphaBeta(depth - 1, -beta, -alpha);  // Alpha和Beta互换并取负
        UnmakeMove();
        if (val >= beta) {
            return beta;      // Beta剪枝
        }
        if (val > alpha) {
            alpha = val;      // 更新alpha
        }
    }
    return alpha;
}

3.4 性能关键

依赖搜索顺序:若先搜最差分支,无法触发剪枝,退化为 Minimax。

优化建议:生成全部着法后,排序很重要。

参考文献

待补充

  • 评估函数设计(子力价值、位置优势、残局特征)
  • 迭代加深(Iterative Deepening)优化
  • 实际象棋博弈树规模估算

发表于 更新于

一、 环境规划

  • 部署模式:单机多节点 Docker 集群
  • 节点数量:3(node1、node2、node3)
  • 集群发现策略:静态节点列表(static)
  • 负载均衡器:Nginx(Stream 模块代理 TCP 流量)

二、 EMQX 集群部署

1. 目录准备与授权
1
2
3
4
5
6
7
8
mkdir -p node1/data node1/logs
mkdir -p node2/data node2/logs
mkdir -p node3/data node3/logs

chown 1000 node1/ node2/ node3/
chown 1000 node1/data/ node1/logs/
chown 1000 node2/data/ node2/logs/
chown 1000 node3/data/ node3/logs/
2. Docker Compose 配置

创建 docker-compose.yml,保留原配置值,仅修正缩进与语法高亮:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
version: '3'
services:
  emqx1:
    image: emqx:5.3.1
    container_name: emqx1
    environment:
      - "EMQX_NODE_NAME=emqx@node1.emqx.io"
      - "EMQX_CLUSTER__DISCOVERY_STRATEGY=static"
      - "EMQX_CLUSTER__STATIC__SEEDS=[emqx@node1.emqx.io,emqx@node2.emqx.io,emqx@node3.emqx.io]"
    healthcheck:
      test: ["CMD", "/opt/emqx/bin/emqx ctl", "status"]
      interval: 5s
      timeout: 25s
      retries: 5
    networks:
      emqx-bridge:
        aliases:
          - node1.emqx.io
    ports:
      - 1883:1883
      - 8083:8083
      - 8084:8084
      - 8883:8883
      - 18083:18083
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./node1/logs:/opt/emqx/log
      - ./node1/data:/opt/emqx/data

  emqx2:
    image: emqx:5.3.1
    container_name: emqx2
    environment:
      - "EMQX_NODE_NAME=emqx@node2.emqx.io"
      - "EMQX_CLUSTER__DISCOVERY_STRATEGY=static"
      - "EMQX_CLUSTER__STATIC__SEEDS=[emqx@node1.emqx.io,emqx@node2.emqx.io,emqx@node3.emqx.io]"
    healthcheck:
      test: ["CMD", "/opt/emqx/bin/emqx ctl", "status"]
      interval: 5s
      timeout: 25s
      retries: 5
    networks:
      emqx-bridge:
        aliases:
          - node2.emqx.io
    ports:
      - 1873:1883
      - 8073:8083
      - 8074:8084
      - 8873:8883
      - 18073:18083
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./node2/logs:/opt/emqx/log
      - ./node2/data:/opt/emqx/data

  emqx3:
    image: emqx:5.3.1
    container_name: emqx3
    environment:
      - "EMQX_NODE_NAME=emqx@node3.emqx.io"
      - "EMQX_CLUSTER__DISCOVERY_STRATEGY=static"
      - "EMQX_CLUSTER__STATIC__SEEDS=[emqx@node1.emqx.io,emqx@node2.emqx.io,emqx@node3.emqx.io]"
    healthcheck:
      test: ["CMD", "/opt/emqx/bin/emqx ctl", "status"]
      interval: 5s
      timeout: 25s
      retries: 5
    networks:
      emqx-bridge:
        aliases:
          - node3.emqx.io
    ports:
      - 1863:1883
      - 8063:8083
      - 8064:8084
      - 8863:8883
      - 18063:18083
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./node3/logs:/opt/emqx/log
      - ./node3/data:/opt/emqx/data

networks:
  emqx-bridge:
    driver: bridge
3. 启动集群
1
docker-compose up -d

三、 Nginx 负载均衡配置

1. 基础 TCP 代理策略

编辑 nginx.conf,使用 stream 模块代理 MQTT 流量:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

stream {
    upstream emqx_tcp_cluster {
        server 10.10.1.100:1883 weight=1 max_fails=3 fail_timeout=30s;
        server 10.10.1.110:1873 weight=1 max_fails=3 fail_timeout=30s;
        server 10.10.1.120:1863 weight=1 max_fails=3 fail_timeout=30s;
    }

    server {
        listen 1893;
        proxy_pass emqx_tcp_cluster;
        proxy_buffer_size 8k;
        tcp_nodelay on;
    }
}
2. 扩展调度策略

根据业务需求替换 upstream 块配置:

  • 随机轮询
    1
    2
    3
    4
    5
    6
    upstream emqx_tcp_cluster {
        random;
        server 10.10.1.100:1883;
        server 10.10.1.110:1873;
        server 10.10.1.120:1863;
    }
  • 带权轮询
    1
    2
    3
    4
    5
    upstream emqx_tcp_cluster {
        server 10.10.1.100:1883 weight=1;
        server 10.10.1.110:1873 weight=2;
        server 10.10.1.120:1863 weight=3;
    }
  • 最小连接数
    1
    2
    3
    4
    5
    6
    upstream emqx_tcp_cluster {
        least_conn;
        server 10.10.1.100:1883;
        server 10.10.1.110:1873;
        server 10.10.1.120:1863;
    }
  • IP Hash(会话保持)
    1
    2
    3
    4
    5
    6
    upstream emqx_tcp_cluster {
        ip_hash;
        server 10.10.1.100:1883;
        server 10.10.1.110:1873;
        server 10.10.1.120:1863;
    }

四、 验证与访问

  • Dashboard 访问http://${ip}:18083
  • 默认凭证admin / public(首次登录强制修改)
  • 集群状态验证:进入任意容器执行 /opt/emqx/bin/emqx ctl cluster status,确认三节点状态为 running
  • 负载均衡验证:客户端连接 10.10.1.x:1893,查看 Nginx 访问日志或 EMQX Dashboard 连接分布。

五、 关键注意事项

  • 节点间通过 Docker 自定义网络 emqx-bridge 通信,需确保 EMQX_CLUSTER__STATIC__SEEDS 中的域名解析正确。
  • Nginx stream 模块需编译时启用(官方默认包通常已包含)。
  • 生产环境建议将 10.10.1.x 替换为实际宿主机 IP 或 Docker 网关 IP。
  • 端口映射已做偏移处理(1883/1873/1863),避免宿主机端口冲突。
0%