# RKE2 Cluster offline installation with RHEL 9.2 and SELinux

## 1. Firewall list

Disable firewalld first.

REF: https://docs.rke2.io/install/requirements

## Configure a static IP

```shell!
# 1. List the available network connections
nmcli connection
# 2. Configure the network interface with nmcli
nmcli connection modify ens33 ipv4.addresses 192.168.1.210/24 ipv4.gateway 192.168.1.254 ipv4.dns 192.168.1.X ipv4.method manual
# 3. Confirm that the image registry (e.g. harbor) is reachable
ping harbor.example.com
```

## Install RKE2

:::info
1. Copy all files in the rke2 folder from the Harbor host to each node.
2. Do not install the SELinux-related packages in advance; install them in the order given in this document.
:::

Copy the required files:

```shell!
[suse@localhost ~]$ scp root@192.168.1.101:/root/work/rke2/* .
The authenticity of host '192.168.1.101 (192.168.1.101)' can't be established.
ED25519 key fingerprint is SHA256:N2ypmxaouqdjtc51LqpYR1YSOHnDm1mmIwAzT/7ej3Q.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.101' (ED25519) to the list of known hosts.
(root@192.168.1.101) Password:
config.yaml 100% 70 88.2KB/s 00:00
install.sh 100% 24KB 13.2MB/s 00:00
registries.yaml 100% 208 201.8KB/s 00:00
rke2-images.linux-amd64.tar.zst 100% 812MB 341.5MB/s 00:02
rke2.linux-amd64.tar.gz 100% 33MB 417.0MB/s 00:00
rke2selinux.tar.gz 100% 177MB 380.0MB/s 00:00
sha256sum-amd64.txt 100% 4252 3.7MB/s 00:00
```

Create the directory required for the RKE2 offline installation and move the artifacts into it.

```shell!
[suse@localhost ~]$ pwd
/home/suse
[suse@localhost ~]$ sudo mkdir /root/rke2-artifacts && sudo mv * /root/rke2-artifacts/
[suse@localhost ~]$ sudo su - root
[root@localhost ~]# cd /root/rke2-artifacts/
[root@localhost rke2-artifacts]# ls -alh
total 1023M
drwxr-xr-x. 3 root root 4.0K Nov 26 11:50 .
dr-xr-x---. 4 root root 185 Nov 26 11:50 ..
-rw-r--r--. 1 suse suse 70 Nov 26 11:44 config.yaml
-rwxr-xr-x. 1 suse suse 25K Nov 26 11:44 install.sh
-rw-r--r--. 1 suse suse 208 Nov 26 11:44 registries.yaml
-rw-r--r--. 1 suse suse 813M Nov 26 11:44 rke2-images.linux-amd64.tar.zst
-rw-r--r--. 1 suse suse 34M Nov 26 11:44 rke2.linux-amd64.tar.gz
drwxr-xr-x. 4 suse suse 109 Nov 26 09:30 rke2selinux
-rw-r--r--. 1 suse suse 178M Nov 26 11:44 rke2selinux.tar.gz
-rw-r--r--. 1 suse suse 4.2K Nov 26 11:44 sha256sum-amd64.txt
[root@localhost rke2-artifacts]# INSTALL_RKE2_ARTIFACT_PATH=/root/rke2-artifacts sh install.sh
[WARN] /usr/local is read-only or a mount point; installing to /opt/rke2
[INFO] staging local checksums from /root/rke2-artifacts/sha256sum-amd64.txt
[INFO] staging zst airgap image tarball from /root/rke2-artifacts/rke2-images.linux-amd64.tar.zst
[INFO] staging tarball from /root/rke2-artifacts/rke2.linux-amd64.tar.gz
[INFO] verifying airgap tarball
grep: /tmp/rke2-install.VlfWezVfj7/rke2-images.checksums: No such file or directory
[INFO] installing airgap tarball to /var/lib/rancher/rke2/agent/images
[INFO] verifying tarball
[INFO] unpacking tarball file to /opt/rke2
[INFO] updating tarball contents to reflect install path
[INFO] moving systemd units to /etc/systemd/system
[INFO] install complete; you may want to run: export PATH=$PATH:/opt/rke2/bin
[root@localhost rke2-artifacts]# export PATH=$PATH:/opt/rke2/bin
```

RKE2 config: note that config.yaml differs between the first node and the second and third nodes.

First node configuration. The node name here should match the hostname; if it does not, the value here takes precedence and is forcibly applied.

```shell!
node-name:
  - 'r1'
token: my-shared-secret
selinux: true
```

Second and third nodes: note the server IP address.

```shell!
server: https://192.168.1.203:9345
node-name:
  - 'r2'
token: my-shared-secret
selinux: true
```

Image registry configuration (all nodes) - registries.yaml

```shell!
mirrors:
  docker.io:
    endpoint:
      - "https://harbor.example.com"
configs:
  "harbor.example.com":
    auth:
      username: admin
      password: Harbor12345
    tls:
      insecure_skip_verify: true
```

Install the SELinux and RKE2 server packages:

```shell!
# tar -zxvf rke2selinux.tar.gz
rke2selinux/
rke2selinux/rancher-rke2-1-30-latest/
rke2selinux/rancher-rke2-1-30-latest/rke2-agent-1.30.0~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-agent-1.30.1~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-agent-1.30.2~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-agent-1.30.3~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-agent-1.30.4~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-agent-1.30.5~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-agent-1.30.6~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-common-1.30.0~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-common-1.30.1~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-common-1.30.2~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-common-1.30.3~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-common-1.30.4~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-common-1.30.5~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-common-1.30.6~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-server-1.30.0~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-server-1.30.1~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-server-1.30.2~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-server-1.30.3~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-server-1.30.4~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-server-1.30.5~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-1-30-latest/rke2-server-1.30.6~rke2r1-0.el9.x86_64.rpm
rke2selinux/rancher-rke2-common-latest/
rke2selinux/rancher-rke2-common-latest/rke2-selinux-0.12-1.el9.noarch.rpm
rke2selinux/rancher-rke2-common-latest/rke2-selinux-0.13-1.el9.noarch.rpm
rke2selinux/rancher-rke2-common-latest/rke2-selinux-0.14-1.el9.noarch.rpm
rke2selinux/rancher-rke2-common-latest/rke2-selinux-0.15-1.el9.noarch.rpm
rke2selinux/rancher-rke2-common-latest/rke2-selinux-0.16-1.el9.noarch.rpm
rke2selinux/rancher-rke2-common-latest/rke2-selinux-0.17-1.el9.noarch.rpm
rke2selinux/rancher-rke2-common-latest/rke2-selinux-0.18-1.el9.noarch.rpm
rke2selinux/rancher-rke2-1-30-latest.repo
# cd rke2selinux/
[suse@localhost rke2selinux]# ls
rancher-rke2-1-30-latest rancher-rke2-1-30-latest.repo rancher-rke2-common-latest
[suse@localhost rke2selinux]# cd rancher-rke2-common-latest/
[suse@localhost rancher-rke2-common-latest]# ls
rke2-selinux-0.12-1.el9.noarch.rpm rke2-selinux-0.15-1.el9.noarch.rpm rke2-selinux-0.18-1.el9.noarch.rpm
rke2-selinux-0.13-1.el9.noarch.rpm rke2-selinux-0.16-1.el9.noarch.rpm
rke2-selinux-0.14-1.el9.noarch.rpm rke2-selinux-0.17-1.el9.noarch.rpm
[suse@localhost rancher-rke2-common-latest]# sudo rpm -ivh rke2-selinux-0.18-1.el9.noarch.rpm
[sudo] password for suse:
warning: rke2-selinux-0.18-1.el9.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID e257814a: NOKEY
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:rke2-selinux-0.18-1.el9 ################################# [100%]
[suse@localhost rancher-rke2-1-30-latest]# sudo rpm -ivh rke2-common-1.30.6~rke2r1-0.el9.x86_64.rpm
warning: rke2-common-1.30.6~rke2r1-0.el9.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID e257814a: NOKEY
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:rke2-common-1.30.6~rke2r1-0.el9 ################################# [100%]
```

Start the cluster:

```shell!
systemctl enable --now rke2-server.service
```

Test that pulling an image works:

```shell!
kubectl create deploy myweb --image=rancher/mirrored-library-nginx:1.24.0-alpine --port=80
```

:::info
Expose the service. If the service/pod IP cannot be reached, it must be a firewall issue.
:::

## REF

1. [firewall list](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements)
2. [SELinux RPM](https://docs.rke2.io/install/methods#rpm)
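
For the "Install RKE2" step, where the install log prints `grep: ... rke2-images.checksums: No such file or directory` while verifying the air-gap tarball: the following added example (not part of the original note or of RKE2's `install.sh`) checks the staged artifacts against `sha256sum-amd64.txt` before the installer runs, and fails closed when an artifact has no checksum entry. The function names and the `RKE2_ARTIFACTS` list are assumptions of this example, and it assumes the checksum file uses the standard `sha256sum` output format.

```shell
#!/bin/sh
# Added example: fail-closed checksum check for the air-gap artifacts
# staged in /root/rke2-artifacts. Not taken from install.sh.
# Usage: verify_artifacts /root/rke2-artifacts && \
#        INSTALL_RKE2_ARTIFACT_PATH=/root/rke2-artifacts sh install.sh

# Artifact names as they appear in this guide's directory listing.
RKE2_ARTIFACTS="rke2-images.linux-amd64.tar.zst rke2.linux-amd64.tar.gz"

# expected_sum FILE NAME: print the hash listed for NAME (exact name match,
# tolerating the "*" binary-mode prefix that sha256sum may write).
expected_sum() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f)
                        if (f == name) { print $1; exit } }' "$1"
}

# verify_artifacts DIR [CHECKSUM_FILE]: return 0 only if every artifact
# exists, has a checksum entry, and matches that entry.
verify_artifacts() {
    dir=$1
    sums=${2:-$dir/sha256sum-amd64.txt}
    rc=0
    [ -r "$sums" ] || { echo "FAIL: cannot read $sums" >&2; return 2; }
    for name in $RKE2_ARTIFACTS; do
        want=$(expected_sum "$sums" "$name")
        if [ -z "$want" ]; then
            # No entry means nothing to compare against: treat as a failure
            # instead of silently skipping the check.
            echo "FAIL: $name has no entry in $sums" >&2; rc=1; continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "FAIL: $dir/$name is missing" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | awk '{ print $1 }')
        if [ "$got" = "$want" ]; then
            echo "OK:   $name"
        else
            echo "FAIL: $name sha256 mismatch" >&2; rc=1
        fi
    done
    return $rc
}
```

The checksum file only protects against corruption or tampering in transit if it was obtained over a path independent of the tarballs themselves.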