create an installation doc for RHEL 7

[gorozco1]

as stated in PR #372 we need to separate CentOS from RHEL and two documents need to be created.

[jodh-intel]

We're now thinking that #371 can accommodate both CentOS and RHEL (it originally did, then it became CentOS only, now it's back to both :-), so this can probably be closed.

@gorozco1 - what's your view?

[gorozco1]

@jodh-intel Due the fact that on RHEL system we will install docker-ce and an extra dependency from a CentOS repo the doc for RHEL should be different and warn the user to not run in prod.
This is the reason I open #527 could you help me to review?

[jodh-intel]

Hi @chavafg, @GabyCT - Is this something you could take a look into again? It's still a really important requirement, particularly so given that we have now landed https://github.com/clearcontainers/runtime/blob/master/docs/sles-installation-guide.md 😄

/cc @xsgordon

[xsgordon]

@gorozco1 Which dependency specifically has to come from CentOS? When I was attempting to follow the existing CentOS guide/script and what was pulled from where it seemed like most of the requirements were actually available in Extras/Optional for RHEL?

From my POV I'm ultimately trying to get to something aligned with the standalone CRI-O docs here:

https://github.com/kubernetes-incubator/cri-o

[jodh-intel]

For reference, here's my latest "CentOS + RHEL" install script (which was eventually abandoned as we wanted to keep CentOS and RHEL separate due to their differences):

• https://github.com/jodh-intel/runtime/tree/add-centos%2Brhel-install-doc/

Specifically, the following chunk shows that for a successful install, RHEL users need to enable an extra repo:

• https://github.com/jodh-intel/runtime/blob/add-centos%2Brhel-install-doc/installation/centos%2Brhel-setup.sh#L71..L93

[GabyCT]

@jodh-intel , I tried the latest script in RHEL 7.3, however, I am getting this error
install -d -m 0755 "/usr/local//bin"
install -c -m 0755 qemu-system-x86_64 "/usr/local//bin"

• popd
  ~/go/src/github.com/clearcontainers/runtime/dependencies ~/go/src/github.com/clearcontainers/runtime
• popd
  ~/go/src/github.com/clearcontainers/runtime
• '[' rhel = rhel ']'
• sudo rpm -Uvh http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.9-4.el7.noarch.rpm
  Retrieving http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.9-4.el7.noarch.rpm
  curl: (7) Failed to connect to 2607:f130:0:87::10: Network is unreachable
  error: skipping http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.9-4.el7.noarch.rpm - transfer failed
  Script done, file is typescript

[jodh-intel]

Hi @GabyCT - when you say you've tried the latest script, are you referring to the following?:

• https://github.com/jodh-intel/runtime/blob/add-centos%2Brhel-install-doc/installation/centos%2Brhel-setup.sh

For RHEL, we're back to the discussion about whether we need a single script that handles both CentOS and RHEL or whether we create a separate installation/rhel-setup.sh. I'm personally undecided about that but -- even though they will be very similar -- leaning towards having two separate scripts.

It's going to be rather difficult to debug this since I don't have access to a RHEL system, so please can you confirm which script you are running and then attach the typescript file generated when you ran:

$ script -fec 'installation/$script'

That container-selinux package was problematic before as I recall (/cc @gorozco1). FWICS, rpm / curl seems to be using IPv6 and failing. But also, that package version doesn't appear to even exist (now). The latest version seems to be:

• http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.21-1.el7.noarch.rpm

... which implies the package metadata on your RHEL system isn't current. Have you run yum update?

[jodh-intel]

... and I've just noticed that $script is attempting to install a CentOS package on a RHEL system which is clearly incorrect. Hence, we need to establish whatever $script is and fix it to only use the RHEL repositories for RHEL :)

[GabyCT]

@jodh-intel , yes I am using https://github.com/jodh-intel/runtime/blob/add-centos%2Brhel-install-doc/installation/centos%2Brhel-setup.sh. I am using Red Hat Enterprise Linux Server 7.3 (Maipo). I did perform a yum update.
Yes, I noticed also that even if it is detecting that is a RHEL system is trying to obtain the rpms of container-selinux from the centos mirrors which are not longer available.
@jodh-intel, I will attach the typescript.

[GabyCT]

@jodh-intel , here it is the typescript

rhel.zip

[jodh-intel]

Hi @GabyCT. OK, there are a few things to do fwics:

• Assuming you haven't already done so, copy the following file into your own branch:
  https://github.com/jodh-intel/runtime/blob/add-centos%2Brhel-install-doc/installation/centos%2Brhel-setup.sh
  I think it probably should be called installation/rhel-setup.sh. In other words, there will be a separate script for RHEL even though it is very similar to CentOS.
• Fix the logic in rhel-setup.sh that actually installs docker. Currently, it's doing:

# Install docker                                                                               
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo     
sudo yum -y install docker-ce  

... but clearly, that isn't correct for RHEL because CentOS != RHEL 😄

---

According to https://docs.docker.com/engine/installation/linux/docker-ee/rhel/#upgrade-docker-ee, for RHEL you need to enable the "Extras repo" to get the container-selinux package so the script will need to do that.

However, at this point, we have a decision to make. For the purposes of the installation docs, what we are trying to do is:

a) Explain how to setup a Docker system with Clear Containers on a RHEL host.
b) Prove to ourselves that users will be able to use Clear Containers version X with Docker version Y on RHEL version Z by testing our documentation and scripts regularly.

I think the problem here is (b) since "real" RHEL users will no doubt install Docker EE, but we (I think) can be satisfied by testing the installation with Docker CE (since that's what we are specifying for the other distros). The issue is that Docker EE and Docker CE are seemingly installed in different ways. What we could do is:

• Change rhel-setup.sh to accept an argument that specifies which "variant" of docker to install. The argument should be mandatory and can be either docker-ce or docker-ee.
• Running rhel-setup.sh -h should list both those values and explain what the arguments mean.
• If the user runs rhel-setup.sh docker-ee, the script will perform all setup, except it won't install docker. At the end of the script, it will display a message informing the user they need to install docker-ee from the docker EE repository manually.
• If the user runs rhel-setup.sh docker-ce, the script will download and install the static version of docker-ce from https://download.docker.com/linux/static/stable/x86_64/. The version installed should be read from ./versions.txt. This isn't ideal, but would seem to be the only way we can reliably automate installation of Docker on any RHEL system purely for testing purposes.
• At the end of the script, a warning should be displayed stating that it is up to the admin to maintain that static version of docker (in other words, if a new point release containing security fixes is issued by docker, it's up to the user to upgrade/re-install that system component.

That should give us a basic RHEL test and we can investigate ways to expand coverage for Docker EE later.

What do you think @grahamwhaley, @sameo, @gorozco1, @xsgordon ?

[xsgordon]

I don't necessarily think it's a valid assumption that a "real" RHEL user will install Docker EE:

1. There is a version of Docker provided by Red Hat in RHEL Extras.
2. Increasingly RHEL users have other options available (e.g. CRI-O).
3. The RHEL user trying out an install script directly from Github is likely prototyping (so even if we ignore (1) and (2), CE would still seem like a valid option).

Is there a specific version or feature requirement that is driving the assumption?

[jodh-intel]

1. There is a version of Docker provided by Red Hat in RHEL Extras.

Oh great! Well, I think that's probably our answer - thanks for the info @xsgordon!

Is there a specific version or feature requirement that is driving the assumption?

Not that I'm aware of. If we can use docker CE from a RHEL repo, that's great as it should cater for this particular (install doc) requirement. Do you agree @grahamwhaley et al?

[gorozco1]

@xsgordon I don't recall to be honest,

As you said, this work was moved from using "centos" extras and packages, because this was not a real scenario. A production RHEL user will use it's credentials to have supported packages from oficial rhel repos and install docker EE.

[xsgordon]

@gorozco1 yes but I guess part of the undercurrent of my thinking here is that a user who can only run supported packages from official repositories wouldn't be running an installation script directly from GitHub in the first place (after all last I looked if the script can't find the official packages for many things it goes and attempts to build from source)?

[jodh-intel]

@xsgordon - it does this because our qemu variant (qemu-lite) needs newer library versions than are available in CentOS/RHEL. It also needs to be built with gcc 6, which is also not available aiui. But maybe there is another RHEL repo containing backports of these packages that we could use?

[xsgordon]

@jodh-intel yeah that's kind of my point though, as long as that's the case a user who absolutely must have all packages from official sources wont use this process anyway. W.r.t. GCC I believe you can get GCC 6 via the Red Hat Developer Toolset:

https://access.redhat.com/documentation/en-us/red_hat_developer_toolset/6/html/user_guide/chap-red_hat_developer_toolset#sect-Red_Hat_Developer_Toolset-About
https://access.redhat.com/documentation/en-us/red_hat_developer_toolset/6/html/6.0_release_notes/dts6.0_release#Changes_in_DTS

[GabyCT]

@jodh-intel so I got confused, the point is that the user will use docker EE? . In case that yes, I do not have access to this repository. On the other hand, the script should install the latest GCC 6 in /usr/local or in which path? thanks

[jodh-intel]

Hi @GabyCT - for consistency with the other distros we provide install docs for, and for simply testing the installation, I think we should be using Docker CE (which is available in the RHEL Extras repo apparently).

Clearly, it would be highly preferable to use the RHEL-packaged versions of gcc 6 and the libraries that we need to build qemu-lite rather than having to build from source. Therefore, I think we can still use the plan outlined in #463 (comment), but make the following additional changes:

• Change gcc_setup() in installation/installation-setup.sh to only install gcc if the available version is older than 6.2.0 (gcc_version= from ./versions.txt). To do that, we can do something like the following which uses the magic sort -V:

  actual_gcc_version=$(gcc --version | head -1 | awk '{print $NF}' | tr -d '()')
  
  # XXX: $gcc_version is set from "./versions.txt"
  oldest_gcc=$(echo -e "${gcc_version}\n${actual_gcc_version}" | sort -V | head -1)
  
  if [ "$oldest_gcc" = "$gcc_version" ]; then
    # the installed gcc is *newer* than the minimum version we need
    return
  fi
  

• Change docs/rhel-installation-guide.md to state the users should (ideally) pre-install gcc 6 and the libraries required to build qemu-lite from the the Red Hat Developer Toolset. However, if those library and binary versions are not available at install time, they will be downloaded and built.

[GabyCT]

@jodh-intel sorry but I do not have access to the RHEL Extras repo as I do not have a subscription

[jodh-intel]

In which case, we may be forced to go with the static binaries approach mentioned above. If our install instructions can prove the system works, it's probably not unreasonable to assume that a simplified install process for those with full subscriptions to all the RHEL repos would work also.

If there are issues using the alternative installation method, users can of course still report bugs.

[GabyCT]

@jodh-intel another problem that I have is about gcc. I do not have access to the Red Hat Developer Toolset. So are we going to use the same method as we did with Centos?

[xsgordon]

@GabyCT you can get a subscription via the developer program at https://developers.redhat.com/articles/red-hat-developer-program-benefits/

[GabyCT]

@jodh-intel and @xsgordon , I tried to do the subscription, however, it is giving me an error when I registered my email and then it sends a link to my email in order to verify my address. Well there is an error that says ' We are sorry ... An error occurs, go back to your application'. I even tried to send me again the link to verify my email multiple times and I get the same error.

[xsgordon]

@GabyCT I reached out to the Red Hat Developer Program folks and they double checked and said that your account was verified successfully, so you should just be able to login at developers.redhat.com. Thanks!