Fixing expired Kubernetes cluster certificates: renewing certificates with kubeadm

Date: 2024-11-01 09:44:20
1. System environment

This article is based on Kubernetes 1.22.2 and the Linux operating system Ubuntu 18.04.

Server version       Docker version            Kubernetes (k8s) cluster version   CPU architecture
Ubuntu 18.04.5 LTS   Docker version 20.10.14   v1.22.2                            x86_64

Kubernetes cluster architecture: k8scludes1 is the master node; k8scludes2 and k8scludes3 are the worker nodes.

Server                       OS version           CPU architecture   Processes                                                                                             Function
k8scludes1/192.168.110.128   Ubuntu 18.04.5 LTS   x86_64             docker,kube-apiserver,etcd,kube-scheduler,kube-controller-manager,kubelet,kube-proxy,coredns,calico   k8s master node
k8scludes2/192.168.110.129   Ubuntu 18.04.5 LTS   x86_64             docker,kubelet,kube-proxy,calico                                                                      k8s worker node
k8scludes3/192.168.110.130   Ubuntu 18.04.5 LTS   x86_64             docker,kubelet,kube-proxy,calico                                                                      k8s worker node

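2. Preface

The certificates of a Kubernetes cluster are critical to its security and stability. Over time, however, these certificates expire, and the cluster's services become unavailable. This article describes in detail how to renew the certificates of a Kubernetes cluster with the kubeadm tool.

Renewing the certificates assumes you already have a Kubernetes cluster that was running normally. For installing and deploying a Kubernetes (k8s) cluster, see the blog post "Installing and deploying a Kubernetes (k8s) cluster on Ubuntu" https://www.cnblogs.com/renshengdezheli/p/17632858.html; if your operating system is RHEL-based, see "Installing and deploying a Kubernetes (k8s) cluster on CentOS 7" https://www.cnblogs.com/renshengdezheli/p/16686769.html.

3. Overview of Kubernetes certificate expiry and renewal

When a Kubernetes cluster is initialized, it automatically generates a set of certificates, including the API server certificate, the CA certificates, the kubelet certificates and others. These certificates are usually valid for 1 year. Once they expire, some services of the cluster may be affected, for example the API server becomes unreachable. To fix expired certificates, we can renew them with the kubeadm tool.

4. Renewing Kubernetes cluster certificates with kubeadm

4.1 Checking when the k8s cluster certificates expire

The k8s cluster is no longer working: querying pods fails, and the error message says the connection to the API server was refused.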

root@k8scludes1:~# kubectl get pod -o wide
The connection to the server 192.168.110.128:6443 was refused - did you specify the right host or port?

On the master node, the /etc/kubernetes/pki/ directory holds the certificates of the individual components.

root@k8scludes1:~# ls /etc/kubernetes/pki/
apiserver.crt              apiserver-etcd-client.key  apiserver-kubelet-client.crt  ca.crt  ca.srl  front-proxy-ca.crt  front-proxy-ca.srl      front-proxy-client.key  sa.key
apiserver-etcd-client.crt  apiserver.key              apiserver-kubelet-client.key  ca.key  etcd    front-proxy-ca.key  front-proxy-client.crt  mytok.csv               sa.pub

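Check the validity period of the apiserver certificate on the master node: the certificate expired on April 16, 2023, so it has been expired for more than a year.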

root@k8scludes1:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
            Not Before: Apr 16 14:57:44 2022 GMT
            Not After : Apr 16 14:57:44 2023 GMT            

On the master node, check the certificate expiration times of all components.

root@k8scludes1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 21, 2023 14:25 UTC   9y                                      no      
apiserver                  Oct 21, 2023 14:25 UTC   9y              ca                      no      
apiserver-etcd-client      Oct 21, 2023 14:25 UTC   9y              etcd-ca                 no      
apiserver-kubelet-client   Oct 21, 2023 14:25 UTC   9y              ca                      no      
controller-manager.conf    Oct 21, 2023 14:25 UTC   9y                                      no      
etcd-healthcheck-client    Oct 21, 2023 14:25 UTC   9y              etcd-ca                 no      
etcd-peer                  Oct 21, 2023 14:25 UTC   9y              etcd-ca                 no      
etcd-server                Oct 21, 2023 14:25 UTC   9y              etcd-ca                 no      
front-proxy-client         Oct 21, 2023 14:25 UTC   9y              front-proxy-ca          no      
scheduler.conf             Oct 21, 2023 14:25 UTC   9y                                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 13, 2023 14:57 UTC   7y              no      
etcd-ca                 Apr 13, 2023 14:57 UTC   7y              no      
front-proxy-ca          Apr 13, 2023 14:57 UTC   7y              no      

Check the expiration time of the kubelet certificate on the master node.

root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes1:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Apr 16 14:57:44 2022 GMT
            Not After : Apr 16 14:57:46 2023 GMT

4.2 Renewing certificates on the master node

On the master node, renew the certificates of all components.

root@k8scludes1:~# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

On the master node, check the component certificate expiration times again: the certificates have been renewed for one year.

root@k8scludes1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 24, 2025 02:53 UTC   364d                                    no      
apiserver                  Oct 24, 2025 02:53 UTC   364d            ca                      no      
apiserver-etcd-client      Oct 24, 2025 02:53 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Oct 24, 2025 02:53 UTC   364d            ca                      no      
controller-manager.conf    Oct 24, 2025 02:53 UTC   364d                                    no      
etcd-healthcheck-client    Oct 24, 2025 02:53 UTC   364d            etcd-ca                 no      
etcd-peer                  Oct 24, 2025 02:53 UTC   364d            etcd-ca                 no      
etcd-server                Oct 24, 2025 02:53 UTC   364d            etcd-ca                 no      
front-proxy-client         Oct 24, 2025 02:53 UTC   364d            front-proxy-ca          no      
scheduler.conf             Oct 24, 2025 02:53 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 13, 2025 14:57 UTC   7y              no      
etcd-ca                 Apr 13, 2025 14:57 UTC   7y              no      
front-proxy-ca          Apr 13, 2025 14:57 UTC   7y              no      

The kubeconfig files currently used by the Kubernetes components are all in /etc/kubernetes/.

root@k8scludes1:~# ls /etc/kubernetes/
admin.conf  admission-control-config-file  audit  controller-manager.conf  kubelet.conf  manifests  pki  scheduler.conf

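The files with the .conf suffix are the kubeconfig files the components need, but the certificates embedded in them are still the old, expired ones, so the conf files have to be deleted and regenerated.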

root@k8scludes1:~# ls /etc/kubernetes/*.conf
/etc/kubernetes/admin.conf  /etc/kubernetes/controller-manager.conf  /etc/kubernetes/kubelet.conf  /etc/kubernetes/scheduler.conf

root@k8scludes1:~# mkdir k8sconf_bak

root@k8scludes1:~# cp /etc/kubernetes/*.conf k8sconf_bak/

root@k8scludes1:~# ls k8sconf_bak/
admin.conf  controller-manager.conf  kubelet.conf  scheduler.conf

root@k8scludes1:~# rm -rf /etc/kubernetes/*.conf

root@k8scludes1:~# ls /etc/kubernetes/
admission-control-config-file  audit  manifests  pki

Regenerate the kubeconfig files for the k8s components.

root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2  phase kubeconfig all
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file

root@k8scludes1:~# ls /etc/kubernetes/
admin.conf  admission-control-config-file  audit  controller-manager.conf  kubelet.conf  manifests  pki  scheduler.conf

Replace the kubeconfig file used by the administrator.

root@k8scludes1:~# ls ~/.kube/config
/root/.kube/config

root@k8scludes1:~# rm -rf ~/.kube/config

root@k8scludes1:~# ls ~/.kube/
cache  config.old-20241023  kubens

root@k8scludes1:~# cp /etc/kubernetes/admin.conf ~/.kube/config

root@k8scludes1:~# ls ~/.kube/config
/root/.kube/config

Restart kube-scheduler.

root@k8scludes1:~# docker ps | grep kube-scheduler
47ac8592cf5c   b51ddc1014b0                                        "kube-scheduler --au…"   6 minutes ago   Up 6 minutes             k8s_kube-scheduler_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_289
6e65a5b16329   registry.aliyuncs.com/google_containers/pause:3.5   "/pause"                 6 minutes ago   Up 6 minutes             k8s_POD_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_75

root@k8scludes1:~# docker ps | awk '/kube-scheduler /{print $1}'
47ac8592cf5c

root@k8scludes1:~# docker rm -f $(docker ps | awk '/kube-scheduler /{print $1}')
47ac8592cf5c

root@k8scludes1:~# kubectl get pods -n kube-system | grep scheduler
kube-scheduler-k8scludes1                  1/1     Running   289 (2y120d ago)   2y191d

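Check which certificate the kubelet on the master node is currently using: kubelet-client-current.pem is a symlink to kubelet-client-2024-10-24-11-08-14.pem, which means the kubelet is now using the latest certificate.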

root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem  kubelet-client-2024-10-24-11-05-29.pem  kubelet-client-2024-10-24-11-08-14.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes1:~# ls /var/lib/kubelet/pki/kubelet-client-current.pem -l
lrwxrwxrwx 1 root root 59 Oct 24 11:08 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-08-14.pem

If kubelet-client-current.pem links to kubelet-client-2022-04-16-22-57-47.pem, the kubelet is still using the old certificate; restarting the kubelet is enough to fix that.

root@k8scludes1:~# systemctl restart kubelet

root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem  kubelet-client-2024-10-24-11-05-29.pem  kubelet-client-2024-10-24-11-08-14.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes1:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem 
lrwxrwxrwx 1 root root 59 Oct 24 11:08 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-08-14.pem

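On the master node, list the certificate signing requests (CSRs). If CONDITION shows Approved,Issued, the CSR has already been approved and there is no need to run kubectl certificate approve csr-htp29. If CONDITION shows Pending, the CSR has to be approved manually; the syntax is: kubectl certificate approve <CSR name>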

root@k8scludes1:~# kubectl get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                REQUESTEDDURATION   CONDITION
csr-htp29   12m   kubernetes.io/kube-apiserver-client-kubelet   system:node:k8scludes1   <none>              Approved,Issued

# Approve the certificate signing request (CSR)
root@k8scludes1:~# kubectl certificate approve csr-htp29
certificatesigningrequest.certificates.k8s.io/csr-rn8xc approved

On the master node, check the kubelet certificate expiration time: it now does not expire until 2025.

root@k8scludes1:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Oct 24 03:03:14 2024 GMT
            Not After : Oct 24 03:03:14 2025 GMT

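Check the k8s cluster status: node k8scludes1 is healthy again, but the two worker nodes are still not, because their certificates are still the old ones and need to be replaced with new ones.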

root@k8scludes1:~# kubectl get node
NAME         STATUS     ROLES                  AGE      VERSION
k8scludes1   Ready      control-plane,master   2y191d   v1.22.2
k8scludes2   NotReady   <none>                 2y191d   v1.22.2
k8scludes3   NotReady   <none>                 2y191d   v1.22.2

4.3 Replacing the certificates on the worker nodes

The kubelet on node k8scludes2 is still using the old certificate.

root@k8scludes2:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-26.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes2:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Apr 16 17:54:26 2022 GMT
            Not After : Apr 16 17:54:26 2023 GMT

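On the master node, generate the kubelet.conf file that node k8scludes2 needs and write it to the /tmp/ directory. The generated kubelet.conf embeds the node's client certificate and private key, so the copy in /tmp/ should be handled as a credential.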

root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig kubelet --node-name k8scludes2 --kubeconfig-dir /tmp/
[kubeconfig] Writing "kubelet.conf" kubeconfig file
 
root@k8scludes1:~# ls /tmp/
kubelet.conf  systemd-private-3e6f81ffe01748ec8909700ec12195cb-systemd-resolved.service-kzxcft  systemd-private-3e6f81ffe01748ec8909700ec12195cb-systemd-timesyncd.service-Uop8xG  vmware-root_751-4290559920

Copy the file to the /etc/kubernetes/ directory on node k8scludes2.

root@k8scludes1:~# scp /tmp/kubelet.conf 192.168.110.129:/etc/kubernetes/
root@192.168.110.129's password: 
kubelet.conf                                                                                                                                                                   100% 5671     1.4MB/s   00:00    

Restart the kubelet on node k8scludes2.

root@k8scludes2:~# systemctl restart kubelet

Check the kubelet certificate on node k8scludes2 again: it is now the latest certificate.

root@k8scludes2:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-26.pem  kubelet-client-2024-10-24-11-29-31.pem  kubelet-client-2024-10-24-11-29-40.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes2:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem 
lrwxrwxrwx 1 root root 59 Oct 24 11:29 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-29-40.pem

root@k8scludes2:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Oct 24 03:24:40 2024 GMT
            Not After : Oct 24 03:24:40 2025 GMT

Node k8scludes3 is handled the same way.

On the master node, generate the kubelet.conf file that node k8scludes3 needs and write it to the /tmp/ directory.

root@k8scludes1:~# rm -rf /tmp/* ;  ls /tmp/

root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig kubelet --node-name k8scludes3 --kubeconfig-dir /tmp/
[kubeconfig] Writing "kubelet.conf" kubeconfig file

Copy kubelet.conf to the /etc/kubernetes/ directory on node k8scludes3.

root@k8scludes1:~# scp /tmp/kubelet.conf 192.168.110.130:/etc/kubernetes/
root@192.168.110.130's password: 
kubelet.conf                                                                                                                                                                   100% 5671     2.6MB/s   00:00    

Restart the kubelet on node k8scludes3; the kubelet is now using the latest certificate.

root@k8scludes3:~# systemctl restart kubelet

root@k8scludes3:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-29.pem  kubelet-client-2024-10-24-11-34-49.pem  kubelet-client-2024-10-24-11-34-57.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes3:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem 
lrwxrwxrwx 1 root root 59 Oct 24 11:34 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-34-57.pem

root@k8scludes3:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Oct 24 03:29:57 2024 GMT
            Not After : Oct 24 03:29:57 2025 GMT

Check the k8s cluster status: the cluster is back to normal.

root@k8scludes1:~# kubectl get node
NAME         STATUS   ROLES                  AGE      VERSION
k8scludes1   Ready    control-plane,master   2y191d   v1.22.2
k8scludes2   Ready    <none>                 2y191d   v1.22.2
k8scludes3   Ready    <none>                 2y191d   v1.22.2
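
The symlink check used in sections 4.2 and 4.3, as an added example that is not part of the original article: a POSIX shell function that reports whether kubelet-client-current.pem points at the newest timestamped certificate in the kubelet PKI directory. The function name kubelet_cert_state and its output strings are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check that the
# kubelet-client-current.pem symlink targets the newest rotated certificate.

# kubelet_cert_state [PKI_DIR]
# Prints "current <file>", "stale <target> newest=<file>" or "missing".
# Exit status: 0 = current, 1 = stale, 2 = symlink missing.
# The body is a subshell, so variables stay local and "exit" only ends the call.
kubelet_cert_state() (
  dir="${1:-/var/lib/kubelet/pki}"
  link="$dir/kubelet-client-current.pem"
  [ -L "$link" ] || { echo "missing"; exit 2; }
  target="$(basename "$(readlink "$link")")"

  # File names carry a zero-padded timestamp
  # (kubelet-client-YYYY-MM-DD-HH-MM-SS.pem), so the sorted glob ends
  # with the most recently issued certificate.
  newest=""
  for f in "$dir"/kubelet-client-[0-9]*.pem; do
    if [ -e "$f" ]; then newest="$(basename "$f")"; fi
  done

  if [ "$target" = "$newest" ]; then
    echo "current $target"
  else
    echo "stale $target newest=${newest:-none}"
    exit 1
  fi
)

# Run on a node after the kubelet restart; pass another directory to test.
kubelet_cert_state "$@" || echo "kubelet client certificate is not current"
```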

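5. Summary

This article showed how to renew the certificates of a Kubernetes cluster with the kubeadm tool. Checking and renewing certificates regularly keeps the Kubernetes cluster secure and stable.

  • When renewing certificates, make sure there is enough disk space to store the new certificate files;
  • If your cluster is managed by automation tools or scripts, make sure those tools and scripts are also updated to work with the new certificates;
  • In production environments, set up certificate expiry reminders so that maintenance can be done ahead of time.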
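
One way to implement the expiry reminder suggested above, as an added example that is not from the original article: a shell function that reads the output of kubeadm certs check-expiration (section 4.1) and lists every certificate whose RESIDUAL TIME is below a threshold in days. The function names and the sample report are constructed for illustration; the <invalid> marker for already-expired certificates is an assumption about kubeadm's duration formatting.

```shell
#!/bin/sh
# Added example (not from the original article): turn the RESIDUAL TIME
# column of `kubeadm certs check-expiration` into an expiry alert.

# expiring_certs LIMIT_DAYS
# Reads a check-expiration report on stdin and prints "NAME RESIDUAL" for
# every certificate or CA with fewer than LIMIT_DAYS days left.
expiring_certs() {
  awk -v limit="$1" '
    # Data rows: NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL ...  (field 6 is UTC)
    $6 == "UTC" {
      r = $7
      if (r == "<invalid>")          days = -1        # assumed marker: expired
      else if (r ~ /^[0-9]+y$/)      days = r * 365   # awk reads leading digits
      else if (r ~ /^[0-9]+d$/)      days = r + 0
      else if (r ~ /^[0-9]+[hms]$/)  days = 0         # less than one day left
      else { print $1, r, "(unparsed)"; next }        # never skip silently
      if (days < limit) print $1, r
    }'
}

# Constructed sample in the layout shown in section 4.1 (values are made up).
sample_report() {
  cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 24, 2025 02:53 UTC   364d                                    no
apiserver                  Nov 20, 2024 02:53 UTC   19d             ca                      no
etcd-server                Oct 01, 2024 02:53 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Nov 02, 2024 02:53 UTC   23h             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 13, 2032 14:57 UTC   7y              no
EOF
}

# On a control-plane node: kubeadm certs check-expiration | expiring_certs 30
sample_report | expiring_certs 30
```

Run from cron on the master node, a non-empty result is the signal to schedule the renewal from section 4.2 before the API server stops accepting connections.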

From: https://www.cnblogs.com/renshengdezheli/p/18519390
