fix: Add adr for supporting air gapped rpm installs #4934
Open: matttrach wants to merge 2 commits into rancher:master from matttrach:adr-rpm-airgap
@@ -0,0 +1,55 @@ | ||
# RPM Airgap Support | ||
|
||
We should better support RPM installation in air gapped environments | ||
|
||
## Established | ||
|
||
2023-10-20 | ||
|
||
## Revisit by | ||
|
||
2024-10-01 | ||
|
||
## Subject | ||
|
||
1. When releasing, we bundle RPMs into groups by OS, copy them to a directory, use createrepo to generate local repo information, tarball the directory, and add it as an artifact on the release. | ||
2. Given install method 'rpm' and variable 'INSTALL_RKE2_ARTIFACT_PATH', when run, the install.sh script looks for a local rpm installation at the given path and installs rke2 using that repo. | ||
3. Given variable 'INSTALL_CUSTOM_RPM_SITE', when run, the install.sh script uses the value of that variable when creating repo files. | ||
1. specifically the `rpm_site` value in the install.sh is based on this variable | ||
|
||
## Status | ||
|
||
Requesting Feedback | ||
|
||
## Context | ||
|
||
Users who are concerned with security often deploy in air gapped environments. | ||
These users also often want selinux enforcing. | ||
The rke2 selinux policies rely on RPM installation. | ||
There is a significant use case for RPM installation in air gapped environments. | ||
This use case closely aligns with goals for rke2. | ||
|
||
Strengths: | ||
|
||
- RPM installation in air gapped environments will be as simple as tar installation in air gapped environments. | ||
- This improves our ability to test and enables higher quality support for this use case. | ||
- When well documented, bundling all dependencies and building within a specific operating system can improve reliability. | ||
|
||
Weaknesses: | ||
|
||
* RPM bundling requires another step in the release process | ||
* RPM bundles have the potential to include dependencies that are not supported in a particular version of an operating system | ||
* this is only when RPMs have external dependencies, which ours currently don't | ||
|
||
Threats involved in not doing process: | ||
|
||
* Users with this use case continue to depend on some infrastructure (beyond a hypervisor) being in place before they can use rke2; | ||
|
||
Threats involved in doing process: | ||
|
||
* Any change to the install script has the potential to cause interruption with users outside of this use case. | ||
|
||
Opportunities: | ||
|
||
* Enable automatically testing air gapped environments with selinux enforcing on CIS provided VM images. | ||
* Enable automatically deploying air gapped environments with selinux enforcing on CIS provided VM images. |
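Review bot: Subject items 2 and 3 say install.sh will consume the local repo at `INSTALL_RKE2_ARTIFACT_PATH` and write repo files from `INSTALL_CUSTOM_RPM_SITE`, but the ADR does not state whether the generated repo files keep signature checking enabled or how the public signing key reaches an air-gapped host; add a sentence to Subject (or Context) saying that the tarball ships the key beside the `repodata` directory and that the repo file keeps `gpgcheck` on, because a custom `rpm_site` accepted without signature verification would let a mistyped or tampered repo install unsigned packages, which is the opposite of what the selinux-enforcing users in Context are after. Two smaller points: the bullet markers switch from `-` under Strengths to `*` under Weaknesses, Threats and Opportunities, so pick one, and the single bullet under "Threats involved in not doing process" ends with a stray semicolon.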
Does this work? I didn't even know that you could point yum or zypper at a local repo-dir instead of a http/https server. I guess this is how the ISO installers work so I suppose that makes sense.
What are the advantages of shipping a full snapshot of repo files, over just shipping the 4 RPMs (rke2-common, rke2-agent, rke2-server, and rke2-selinux)?
How does this affect installation and upgrade via system-agent-installer-rke2 and the system-upgrade-controller? One of the primary asks around RPM+selinux support is that they be handled properly by rancher-system-agent and system-agent-installer-rke2.
Local yum repositories are possible: https://rpmdeb.com/devops-articles/how-to-create-local-yum-repository/
The problem is that you need some utility to initialize the local repo which is not installed by default.
createrepo is not a core Linux utility and is only necessary to generate the RPM repo files. Running this and bundling it up for the user enables a much simpler approach, just like bundling our other images into an archive.
Another way to think of this approach is just like the tar installation, but for RPMs.
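The two comments above describe the idea (run createrepo once on the build side, ship the result as a tarball, point the package manager at the unpacked directory on the air-gapped side). The following script is an added example written for this thread, not code from the rke2 project or from install.sh. It shows both halves; the directory names, the repo id `rke2-local` and the key file name are assumptions. The install-side functions refuse to write a repo file unless the bundle carries the createrepo metadata and a signing key, and the stanza they emit keeps `gpgcheck=1` so an offline install still verifies package signatures.

```shell
#!/bin/sh
# Added example, not rke2 project code. Directory names, the repo id
# "rke2-local" and the key file name are assumptions for illustration.
set -eu

# Build side (online host). Collect the RPMs for one OS family into a
# directory, run createrepo over it to generate repodata/, and tar the
# directory so it ships as one release artifact. Needs createrepo_c or
# createrepo on this host; returns 1 if neither is present.
build_rpm_bundle() {
  bundle_dir=$1   # e.g. ./rke2-rpms-el9, already holding the *.rpm files
  out_tar=$2      # e.g. ./rke2-rpms-el9.tar.gz
  if command -v createrepo_c >/dev/null 2>&1; then
    createrepo_c "$bundle_dir"
  elif command -v createrepo >/dev/null 2>&1; then
    createrepo "$bundle_dir"
  else
    echo "createrepo is not installed on this host; cannot build $out_tar" >&2
    return 1
  fi
  tar -C "$(dirname "$bundle_dir")" -czf "$out_tar" "$(basename "$bundle_dir")"
}

# Install side (air-gapped host). Before writing a repo file, confirm the
# unpacked artifact really is a repo (repodata/repomd.xml is what createrepo
# produces) and that the public signing key is present. Failing here gives a
# clearer error than letting yum/zypper fail later with a metadata message.
check_local_repo() {
  repo_dir=$1
  key_file=$2
  if [ ! -f "$repo_dir/repodata/repomd.xml" ]; then
    echo "$repo_dir has no repodata; was createrepo run before packaging?" >&2
    return 1
  fi
  if [ ! -f "$key_file" ]; then
    echo "signing key $key_file missing; refusing to set up an unverified repo" >&2
    return 1
  fi
  return 0
}

# Emit a .repo stanza for the local directory. gpgcheck stays enabled and the
# key is referenced from the bundle itself, so an offline install still
# checks package signatures rather than trusting whatever is in the tarball.
write_local_repo_file() {
  repo_dir=$1
  key_file=$2
  cat <<EOF
[rke2-local]
name=rke2 local RPM repository
baseurl=file://$repo_dir
enabled=1
gpgcheck=1
gpgkey=file://$key_file
EOF
}

# Target usage (assumed paths):
#   sh this.sh /opt/rke2-rpms /opt/rke2-rpms/RPM-GPG-KEY-rke2 \
#     > /etc/yum.repos.d/rke2-local.repo
if [ "$#" -eq 2 ]; then
  check_local_repo "$1" "$2"
  write_local_repo_file "$1" "$2"
fi
```

On the build host, `build_rpm_bundle ./rke2-rpms-el9 ./rke2-rpms-el9.tar.gz` produces the artifact; on the target, unpack it, run the script with the directory and key path, and the emitted stanza goes under `/etc/yum.repos.d/` (the same keys are accepted under `/etc/zypp/repos.d/` for zypper). The `file://` baseurl is the piece the first comment in this thread asked about: yum, dnf and zypper all accept a local directory in place of an http/https server.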
Thank you for the context on rancher-system-agent and system-agent-installer-rke2, I will add that to the context part of this doc!
It appears rancher-system-agent is just a program that watches for plans from something else; it would be unaffected by this change.
The system-agent-installer-rke2 appears to be a plan for the rancher-system-agent which downloads the install script and runs it with install method = 'tar'. I am not sure how this affects rpm installs, but since the RPMs install the binaries in similar places as the docs for the manual install, I would assume this would still work. I am sure that we test this upgrade path already and that the directory forces the proper selinux tags on the binaries; the change proposed in this ADR won't affect that at all.
I have found several tools which bundle all dependencies for rke2 so that it can be copied and installed locally on a server with no internet, but most have their own installation method. I think it would be better if we provided support for this use case. We supply almost all our dependencies currently in various code repos; we just need to bundle them up by operating system and enable our installer to use them. We already have this for users that don't need selinux enforcing, but we should expand that to selinux support.
This ADR targets the installer changes to enable custom and local RPM repos.