Documentation survey

离线安装

SUSE® Rancher Prime: RKE2 can be installed in an air-gapped environment with two different methods. You can either deploy via the rke2-airgap-images tarball artifact or by using a private registry.

You can use any RKE2 Prime version listed on the Prime Artifacts URL for the assets mentioned in these steps. To learn more about the Prime Artifacts URL, see our Prime-only documentation. Authentication is required. Use your SUSE Customer Center (SCC) credentials to log in.

Prerequisites

Ensure you meet the following prerequisites based on your environment before proceeding. All the steps listed on this page must be run as the root user or through sudo.

If your node has NetworkManager installed and enabled, ensure you configure NetworkManager to ignore CNI-managed interfaces.

  • If running on an air-gapped node with SELinux enabled, you must manually install the necessary SELinux policy RPM before performing these steps. See our RPM Documentation to determine what you need.

  • If running on an air-gapped node with SELinux enabled, the following are required dependencies for SLES, CentOS, or RHEL 8 when doing an RPM install: container-selinux iptables libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils rke2-common rke2-selinux

  • If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. RKE2 requires a default route to auto-detect the node’s primary IP and for kube-proxy ClusterIP routing to function correctly. To add a dummy route, do the following:

    ip link add dummy0 type dummy
ip link set dummy0 up
ip addr add 203.0.113.254/31 dev dummy0
ip route add default via 203.0.113.255 dev dummy0 metric 1000

Tarball Method

  1. Download the air-gap images tarballs from the Prime Artifacts URL for the RKE2 version, CNI, and platform you are using.

    • rke2-images.linux-<ARCH>.tar.zst, or rke2-images-core.linux-<ARCH>.tar.gz. This tarball contains the core container images required for RKE2 Prime to function. Zstandard offers better compression ratios and faster decompression speeds compared to gzip.

    • rke2-images-<CNI>.linux-<ARCH>.tar.gz: This tarball specifically contains the container images for your Container Network Interface (CNI). The default CNI in RKE2 is Canal.

      • If you are using the default CNI, Canal (--cni=canal), you can use either the rke2-image legacy archive as described above or the rke2-images-core and rke2-images-canal archives.

      • If you are using the alternative CNI, Cilium (--cni=cilium), you must download the rke2-images-core and rke2-images-cilium archives.

      • If using your own CNI (--cni=none), download only the rke2-images-core archive.

    • If enabling the vSphere CPI/CSI charts (--cloud-provider-name=rancher-vsphere), you must also download the rke2-images-vsphere archive.

  2. Create a directory named /rke2-artifacts on the node and save the previously downloaded files there.

  3. Install RKE2.

Private Registry Method

Private registry support honors all settings from the containerd registry configuration, including endpoint override, transport protocol (HTTP/HTTPS), authentication, certificate verification, and more.

  1. Add all the required system images to your private registry. A list of images can be obtained from the .txt file corresponding to each tarball referenced above. Alternatively, you can docker load the airgap image tarballs, then tag and push the loaded images.

  2. Install RKE2 using the system-default-registry parameter, or use the containerd registry configuration to use your registry as a mirror for docker.io.

Install RKE2

The following options to install RKE2 should only be performed after completing either the Tarball Method or Private Registry Method.

RKE2 can be installed either by running the binary directly or by using the install.sh script.

RKE2 Binary Install

  1. Obtain the RKE2 binary file rke2.linux-<ARCH>.tar.gz.

  2. Ensure the binary is named rke2 and place it in /usr/local/bin. Ensure it is executable.

  3. Run the binary with the desired parameters.

    • If you are using the Rancher Prime registry, set the following values in config.yaml:

      1. Set system-default-registry: registry.rancher.com.

      2. If you are not using the default CNI, Canal, set cni: <CNI>.

        system-default-registry: registry.rancher.com
cni: <CNI>

    • If using the Private Registry Method, set the following values in config.yaml:

      system-default-registry: "registry.example.com:5000"

      The system-default-registry parameter must specify only valid RFC 3986 URI authorities, i.e. a host and optional port.

RKE2 Install.sh Script Install

install.sh may be used in an offline mode by setting the INSTALL_RKE2_ARTIFACT_PATH variable to a path containing pre-downloaded artifacts. This will run through a standard install, including creating systemd units.

  1. Download the install script, RKE2 binaires, RKE2 images, and SHA256 checksums archives from the Prime Artifacts URL into the /rke2-artifacts directory, as in the example below:

    mkdir /rke2-artifacts && cd /rke2-artifacts/
curl -OLs <PRIME-ARTIFACTS-URL>/rke2/<VERSION>/rke2-images.linux-<ARCH>.tar.zst
curl -OLs <PRIME-ARTIFACTS-URL>/rke2/<VERSION>/rke2.linux-<ARCH>.tar.gz
curl -OLs <PRIME-ARTIFACTS-URL>/rke2/<VERSION>/sha256sum-<ARCH>.txt
curl -sfL https://get.rke2.io --output install.sh

  2. Run install.sh using the directory, as in the example below:

    INSTALL_RKE2_ARTIFACT_PATH=/rke2-artifacts sh install.sh

  3. Enable and run the service as outlined here.