fix: Add adr for supporting air gapped rpm installs #4934
base: master
Conversation
Signed-off-by: matttrach <[email protected]>
docs/adrs/006-airgap-rpm-support.md
## Subject

1. When releasing, we bundle RPMs into groups by OS, copy them to a directory, use createrepo to generate local repo information, tarball the directory, and add it as an artifact on the release.
2. Given install method 'rpm' and variable 'INSTALL_RKE2_ARTIFACT_PATH', when run, the install.sh script looks for a local rpm installation at the given path and installs rke2 using that repo.
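Review bot: item 2 says nothing about how install.sh validates INSTALL_RKE2_ARTIFACT_PATH or whether the RPMs from the local repo are signature-checked before installation; with a file:// repo the path is the only thing that distinguishes a genuine release bundle from a tampered one, so the Subject should state that the generated repo configuration keeps gpgcheck enabled against the release signing key and that the path must point at a directory that actually contains the repodata/ written by createrepo in item 1.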
Does this work? I didn't even know that you could point yum or zypper at a local repo dir instead of an http/https server. I guess this is how the ISO installers work, so I suppose that makes sense.
What are the advantages of shipping a full snapshot of repo files, over just shipping the 4 RPMs (rke2-common, rke2-agent, rke2-server, and rke2-selinux)?
How does this affect installation and upgrade via system-agent-installer-rke2 and the system-upgrade-controller? One of the primary asks around RPM+selinux support is that they be handled properly by rancher-system-agent and system-agent-installer-rke2.
Local yum repositories are possible: https://rpmdeb.com/devops-articles/how-to-create-local-yum-repository/
The problem is that you need some utility to initialize the local repo which is not installed by default.
createrepo is not a core Linux utility and is only necessary to generate the rpm repo files; running this and bundling it up for the user enables a much simpler approach, just like bundling our other images into an archive.
Another way to think of this approach is just like the tar installation, but for rpms.
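As an added example (not code from this PR or from rke2), the two halves the thread describes in bash: createrepo run once at release time over a directory of RPMs, and on the air-gapped host a file:// repo entry that keeps gpgcheck on so a tampered bundle is rejected rather than installed. The function names, the rpms/rhel9 layout, the rke2-airgap section name and the signing-key path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not rke2 project code. Release side: run createrepo over a
# directory of RPMs and tar it up. Install side: unpack that tarball on the
# air-gapped host and register it as a file:// repo with gpgcheck enabled.
set -euo pipefail

# Release side. Assumes the RPMs for one OS already sit in $1 (e.g. rpms/rhel9,
# a hypothetical layout) and writes $2 as the bundle tarball.
bundle_rpm_repo() {
  local rpm_dir="$1" out_tar="$2" tool
  tool="$(command -v createrepo_c || command -v createrepo)" \
    || { echo "createrepo is not installed; it is only needed at release time" >&2; return 1; }
  "$tool" "$rpm_dir"   # writes $rpm_dir/repodata/ (repomd.xml, primary.xml, ...)
  tar -C "$(dirname "$rpm_dir")" -czf "$out_tar" "$(basename "$rpm_dir")"
}

# Install side. $1 is the unpacked bundle directory (what an
# INSTALL_RKE2_ARTIFACT_PATH-style variable would point at), $2 the .repo file
# to write (under /etc/yum.repos.d/ or /etc/zypp/repos.d/, same format), $3 the
# public key the RPMs were signed with. Prints the .repo path on success.
write_local_repo() {
  local bundle_dir="$1" repo_file="$2" key_file="$3"
  # Only accept an absolute path: baseurl=file:// needs one, and a relative
  # path would silently depend on the installer's working directory.
  case "$bundle_dir" in /*) ;; *) echo "bundle path must be absolute: $bundle_dir" >&2; return 1 ;; esac
  # Refuse a directory createrepo never touched; yum/zypper would fail later with a less clear error.
  [ -f "$bundle_dir/repodata/repomd.xml" ] || { echo "no repodata/ in $bundle_dir" >&2; return 1; }
  [ -f "$key_file" ] || { echo "signing key not found: $key_file" >&2; return 1; }
  cat > "$repo_file" <<EOF
[rke2-airgap]
name=RKE2 air-gapped RPM bundle
baseurl=file://$bundle_dir
enabled=1
gpgcheck=1
gpgkey=file://$key_file
EOF
  printf '%s\n' "$repo_file"
}

# Typical use on the air-gapped host (assumed paths):
#   tar -xzf rke2-rpms-rhel9.tar.gz -C /opt
#   write_local_repo /opt/rhel9 /etc/yum.repos.d/rke2-airgap.repo /opt/rhel9/rke2-signing.key
#   dnf install -y rke2-server    # or: zypper --gpg-auto-import-keys install rke2-server
```

With gpgcheck=1, dnf/yum and zypper verify each RPM's signature against gpgkey before installing it, which is the check that matters when the bundle has been copied across a network boundary by hand; repo_gpgcheck=1 would additionally require the repomd.xml itself to be signed, which only makes sense if the release process also signs the metadata createrepo produces.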
Thank you for the context on rancher-system-agent and system-agent-installer-rke2, I will add that to the context part of this doc!
It appears rancher-system-agent is just a program that watches for plans from something else; it would be unaffected by this change.
The system-agent-installer-rke2 appears to be a plan for the rancher-system-agent which downloads the install script and runs it with install method = 'tar'. I am not sure how this affects rpm installs, but since the RPMs install the binaries in similar places as the docs for the manual install, I would assume this would still work. I am sure that we test this upgrade path already and that the directory forces the proper selinux tags on the binaries; the change proposed in this ADR won't affect that at all.
I have found several tools which bundle all dependencies for rke2 so that it can be copied and installed locally on a server with no internet, but most have their own installation method. I think it would be better if we provided support for this use case. We currently supply almost all our dependencies in various code repos; we just need to bundle them up by operating system and enable our installer to use them. We already have this for users that don't need selinux enforcing, but we should expand that to selinux support.
This ADR targets the installer changes to enable custom and local RPM repos.
… risks brought up in discussion. Signed-off-by: matttrach <[email protected]>
Selinux policies depend on container-selinux which has different versions for each operating system and OS configuration.
I need to follow up internally to see if container-selinux has dependencies that we are not aware of, or if there is a possibility of choosing a single OS to target the bundle (rhel-9 STIG), or if there is a coupling between our selinux policies and the version of container-selinux that would have this make more sense.
here is a link to the dependencies for the rke2 policy:
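Review bot: the risk paragraph identifies the container-selinux version coupling but defers it to an internal follow-up; before this ADR is accepted it should state which container-selinux version each per-OS bundle will carry, since a bundle built for one OS configuration will not satisfy the policy dependency on another, and the sentence ending "for the rke2 policy:" carries no link in this revision, so either add the URL or drop the sentence.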
User-Facing Change
Further Comments
ADR requesting support for air gapped RPM installations