21 Air-gapped deployments with Edge Image Builder
21.1 Introduction
This guide shows how to use Edge Image Builder (EIB) (Chapter 9, "Edge Image Builder") to deploy several SUSE Edge components on SLE Micro 5.5 in a fully air-gapped fashion. With this approach you boot a customized, ready-to-boot (CRB) image created by EIB and deploy the chosen components on an RKE2 or K3s cluster without an Internet connection and without any manual steps. This setup is ideal for customers who want to pre-seed their operating system image with everything the deployment needs, so that it is available immediately at boot time.
This guide covers the air-gapped installation of the following components:
EIB parses the supplied Helm charts and Kubernetes manifests and pre-downloads every image they reference. Some of those components, however, pull further container images and create Kubernetes resources from them only at runtime. For a fully air-gapped environment, such images must be listed manually in the definition file.
21.2 Prerequisites
We assume that readers of this guide are already familiar with EIB (Chapter 9, "Edge Image Builder"). If not, read the quick start guide (Chapter 3, "Configuring standalone clusters with Edge Image Builder") first to better understand the concepts used in the practice below.
21.3 Libvirt network configuration
To demonstrate the air-gapped deployment, this guide uses a simulated, isolated libvirt network, and the configuration that follows is tailored to it. For your own deployment you may need to adapt the host1.local.yaml configuration introduced in the next step.
If you want to use the same libvirt network configuration, read on. Otherwise skip to Section 21.4, "Base directory configuration".
Let's create an isolated network definition with a DHCP address range in 192.168.100.2/24:
cat << EOF > isolatednetwork.xml
<network>
  <name>isolatednetwork</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.100.2' end='192.168.100.254'/>
    </dhcp>
  </ip>
</network>
EOF
Now all that remains is to define and start the network:
virsh net-define isolatednetwork.xml
virsh net-start isolatednetwork
21.4 Base directory configuration
The base directory configuration is the same for all components, so let's set it up now.
First create the required subdirectories:
export CONFIG_DIR=$HOME/config
mkdir -p $CONFIG_DIR/base-images
mkdir -p $CONFIG_DIR/network
mkdir -p $CONFIG_DIR/kubernetes/helm/values
Make sure to place every base image you want to use in the base-images directory. This guide focuses on the self-install ISO image provided here.
Let's copy the downloaded image:
cp SLE-Micro.x86_64-5.5.0-Default-SelfInstall-GM2.install.iso $CONFIG_DIR/base-images/slemicro.iso
EIB never modifies the base image input.
Let's create a file with the required network configuration:
cat << EOF > $CONFIG_DIR/network/host1.local.yaml
routes:
  config:
  - destination: 0.0.0.0/0
    metric: 100
    next-hop-address: 192.168.100.1
    next-hop-interface: eth0
    table-id: 254
  - destination: 192.168.100.0/24
    metric: 100
    next-hop-address:
    next-hop-interface: eth0
    table-id: 254

dns-resolver:
  config:
    server:
    - 192.168.100.1
    - 8.8.8.8

interfaces:
- name: eth0
  type: ethernet
  state: up
  mac-address: 34:8A:B1:4B:16:E7
  ipv4:
    address:
    - ip: 192.168.100.50
      prefix-length: 24
    dhcp: false
    enabled: true
  ipv6:
    enabled: false
EOF
This configuration ensures that the following settings are present on the provisioned system (the system is identified by the specified MAC address):
An Ethernet interface with a static IP address
Routing
DNS
The hostname (host1.local)
The resulting file structure should now look like this:
├── kubernetes/
│   └── helm/
│       └── values/
├── base-images/
│   └── slemicro.iso
└── network/
    └── host1.local.yaml
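A pre-flight check for the directory layout above, added here as an example and not part of the SUSE Edge documentation or of EIB itself. It reads the definition file with sed only (no YAML parser), confirms that the baseImage exists under base-images/ and that every valuesFile referenced by a Helm chart exists under kubernetes/helm/values/, and warns when network/ holds no host configuration. The function name, the throwaway demo directory and the sample definition it writes are assumptions for the demonstration; on a real system point it at $CONFIG_DIR and the definition file you pass to the build command.

```shell
# Added example: sanity-check an EIB config directory before starting the build.
# $1 = config directory (e.g. $CONFIG_DIR), $2 = definition file name inside it.
eib_preflight() {
  cfg="$1"; def="$2"
  errors=0
  [ -f "$cfg/$def" ] || { echo "missing definition file: $cfg/$def"; return 1; }

  # image.baseImage must be present in base-images/
  base=$(sed -n 's/^[[:space:]]*baseImage:[[:space:]]*//p' "$cfg/$def" | head -n 1)
  if [ -z "$base" ]; then
    echo "definition has no image.baseImage entry"; errors=$((errors + 1))
  elif [ ! -f "$cfg/base-images/$base" ]; then
    echo "base image not found: base-images/$base"; errors=$((errors + 1))
  fi

  # every valuesFile referenced by a chart must be present in kubernetes/helm/values/
  for vf in $(sed -n 's/^[[:space:]]*valuesFile:[[:space:]]*//p' "$cfg/$def"); do
    if [ ! -f "$cfg/kubernetes/helm/values/$vf" ]; then
      echo "Helm values file not found: kubernetes/helm/values/$vf"; errors=$((errors + 1))
    fi
  done

  # the static network configuration of this guide lives in network/*.yaml;
  # its absence is reported as a warning only, since it is not required by EIB
  if ! ls "$cfg"/network/*.yaml >/dev/null 2>&1; then
    echo "warning: no network/*.yaml host configuration found"
  fi

  echo "preflight: $errors problem(s)"
  [ "$errors" -eq 0 ]
}

# Constructed demo run in a throwaway directory (not your real $CONFIG_DIR):
demo=$(mktemp -d)
mkdir -p "$demo/base-images" "$demo/network" "$demo/kubernetes/helm/values"
: > "$demo/base-images/slemicro.iso"
: > "$demo/network/host1.local.yaml"
printf '%s\n' 'image:' '  baseImage: slemicro.iso' 'kubernetes:' '  helm:' \
  '    charts:' '      - name: rancher' '        valuesFile: rancher-values.yaml' \
  > "$demo/eib-iso-definition.yaml"
eib_preflight "$demo" eib-iso-definition.yaml   # reports the missing rancher-values.yaml
rm -rf "$demo"
```

Run it as eib_preflight "$CONFIG_DIR" eib-iso-definition.yaml right before the podman build; a non-zero exit means at least one referenced file is missing.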
21.5 Base definition file
Edge Image Builder uses definition files to modify SLE Micro images. These files contain the majority of the configurable options. Many of those options recur across the component sections below, so they are listed and explained here.
The full list of customization options for the definition file can be found in the upstream documentation.
Let's look at the following fields, which appear in every definition file:
apiVersion: 1.0
image:
  imageType: iso
  arch: x86_64
  baseImage: slemicro.iso
  outputImageName: eib-image.iso
operatingSystem:
  users:
    - username: root
      encryptedPassword: $6$jHugJNNd3HElGsUZ$eodjVe4te5ps44SVcWshdfWizrP.xAyd71CVEXazBJ/.v799/WRCBXxfYmunlBO2yp1hm/zb4r8EmnrrNCF.P/
kubernetes:
  version: v1.28.9+rke2r1
embeddedArtifactRegistry:
  images:
    - ...
The image section is required. It specifies the input image, its architecture and type, and the name of the output image.
The operatingSystem section is optional. It holds the configuration that makes it possible to log in to the provisioned system with the root/eib username/password.
The kubernetes section is optional and defines the Kubernetes distribution and version. We use Kubernetes 1.28.9 with RKE2 by default. If K3s is desired, use kubernetes.version: v1.28.9+k3s1 instead. Unless explicitly configured through the kubernetes.nodes field, every cluster bootstrapped in this guide is a single-node cluster.
The embeddedArtifactRegistry section lists all images that a given component references and pulls only at runtime.
21.6 Rancher installation
The Rancher (Chapter 4, "Rancher") deployment shown here is heavily slimmed down for demonstration purposes. A real deployment may need additional artifacts depending on your configuration.
The Rancher v2.8.4 release assets include a rancher-images.txt file that lists every image required for an air-gapped installation.
That is around 602 container images in total, which would make the resulting CRB image roughly 28 GB or more. For our Rancher installation we trim the list down to the smallest working configuration. Any image your deployment needs can be added back from the full list.
Create the definition file with the trimmed image list:
apiVersion: 1.0
image:
  imageType: iso
  arch: x86_64
  baseImage: slemicro.iso
  outputImageName: eib-image.iso
operatingSystem:
  users:
    - username: root
      encryptedPassword: $6$jHugJNNd3HElGsUZ$eodjVe4te5ps44SVcWshdfWizrP.xAyd71CVEXazBJ/.v799/WRCBXxfYmunlBO2yp1hm/zb4r8EmnrrNCF.P/
kubernetes:
  version: v1.28.9+rke2r1
  network:
    apiVIP: 192.168.100.151
  manifests:
    urls:
      - https://github.com/cert-manager/cert-manager/releases/download/v1.14.2/cert-manager.crds.yaml
  helm:
    charts:
      - name: rancher
        version: 2.8.4
        repositoryName: rancher-prime
        valuesFile: rancher-values.yaml
        targetNamespace: cattle-system
        createNamespace: true
        installationNamespace: kube-system
      - name: cert-manager
        installationNamespace: kube-system
        createNamespace: true
        repositoryName: jetstack
        targetNamespace: cert-manager
        version: 1.14.2
    repositories:
      - name: jetstack
        url: https://charts.jetstack.io
      - name: rancher-prime
        url: https://charts.rancher.com/server-charts/prime
embeddedArtifactRegistry:
  images:
    - name: registry.rancher.com/rancher/backup-restore-operator:v4.0.2
    - name: registry.rancher.com/rancher/calico-cni:v3.27.0-rancher1
    - name: registry.rancher.com/rancher/cis-operator:v1.0.13
    - name: registry.rancher.com/rancher/coreos-kube-state-metrics:v1.9.7
    - name: registry.rancher.com/rancher/coreos-prometheus-config-reloader:v0.38.1
    - name: registry.rancher.com/rancher/coreos-prometheus-operator:v0.38.1
    - name: registry.rancher.com/rancher/flannel-cni:v0.3.0-rancher9
    - name: registry.rancher.com/rancher/fleet-agent:v0.9.4
    - name: registry.rancher.com/rancher/fleet:v0.9.4
    - name: registry.rancher.com/rancher/gitjob:v0.9.7
    - name: registry.rancher.com/rancher/grafana-grafana:7.1.5
    - name: registry.rancher.com/rancher/hardened-addon-resizer:1.8.20-build20240410
    - name: registry.rancher.com/rancher/hardened-calico:v3.27.3-build20240423
    - name: registry.rancher.com/rancher/hardened-cluster-autoscaler:v1.8.10-build20240124
    - name: registry.rancher.com/rancher/hardened-cni-plugins:v1.4.1-build20240325
    - name: registry.rancher.com/rancher/hardened-coredns:v1.11.1-build20240305
    - name: registry.rancher.com/rancher/hardened-dns-node-cache:1.22.28-build20240125
    - name: registry.rancher.com/rancher/hardened-etcd:v3.5.9-k3s1-build20240418
    - name: registry.rancher.com/rancher/hardened-flannel:v0.25.1-build20240423
    - name: registry.rancher.com/rancher/hardened-k8s-metrics-server:v0.7.1-build20240401
    - name: registry.rancher.com/rancher/hardened-kubernetes:v1.28.9-rke2r1-build20240416
    - name: registry.rancher.com/rancher/hardened-multus-cni:v4.0.2-build20240208
    - name: registry.rancher.com/rancher/hardened-node-feature-discovery:v0.14.1-build20230926
    - name: registry.rancher.com/rancher/hardened-whereabouts:v0.6.3-build20240208
    - name: registry.rancher.com/rancher/helm-project-operator:v0.2.1
    - name: registry.rancher.com/rancher/istio-kubectl:1.5.10
    - name: registry.rancher.com/rancher/jimmidyson-configmap-reload:v0.3.0
    - name: registry.rancher.com/rancher/k3s-upgrade:v1.28.9-k3s1
    - name: registry.rancher.com/rancher/klipper-helm:v0.8.3-build20240228
    - name: registry.rancher.com/rancher/klipper-lb:v0.4.7
    - name: registry.rancher.com/rancher/kube-api-auth:v0.2.1
    - name: registry.rancher.com/rancher/kubectl:v1.28.7
    - name: registry.rancher.com/rancher/library-nginx:1.19.2-alpine
    - name: registry.rancher.com/rancher/local-path-provisioner:v0.0.26
    - name: registry.rancher.com/rancher/machine:v0.15.0-rancher112
    - name: registry.rancher.com/rancher/mirrored-cluster-api-controller:v1.4.4
    - name: registry.rancher.com/rancher/nginx-ingress-controller:nginx-1.9.6-rancher1
    - name: registry.rancher.com/rancher/pause:3.6
    - name: registry.rancher.com/rancher/prom-alertmanager:v0.21.0
    - name: registry.rancher.com/rancher/prom-node-exporter:v1.0.1
    - name: registry.rancher.com/rancher/prom-prometheus:v2.18.2
    - name: registry.rancher.com/rancher/prometheus-auth:v0.2.2
    - name: registry.rancher.com/rancher/prometheus-federator:v0.3.4
    - name: registry.rancher.com/rancher/pushprox-client:v0.1.0-rancher2-client
    - name: registry.rancher.com/rancher/pushprox-proxy:v0.1.0-rancher2-proxy
    - name: registry.rancher.com/rancher/rancher-agent:v2.8.4
    - name: registry.rancher.com/rancher/rancher-csp-adapter:v3.0.1
    - name: registry.rancher.com/rancher/rancher-webhook:v0.4.5
    - name: registry.rancher.com/rancher/rancher:v2.8.4
    - name: registry.rancher.com/rancher/rke-tools:v0.1.96
    - name: registry.rancher.com/rancher/rke2-cloud-provider:v1.29.3-build20240412
    - name: registry.rancher.com/rancher/rke2-runtime:v1.28.9-rke2r1
    - name: registry.rancher.com/rancher/rke2-upgrade:v1.28.9-rke2r1
    - name: registry.rancher.com/rancher/security-scan:v0.2.15
    - name: registry.rancher.com/rancher/shell:v0.1.24
    - name: registry.rancher.com/rancher/system-agent-installer-k3s:v1.28.9-k3s1
    - name: registry.rancher.com/rancher/system-agent-installer-rke2:v1.28.9-rke2r1
    - name: registry.rancher.com/rancher/system-agent:v0.3.6-suc
    - name: registry.rancher.com/rancher/system-upgrade-controller:v0.13.1
    - name: registry.rancher.com/rancher/ui-plugin-catalog:1.3.0
    - name: registry.rancher.com/rancher/ui-plugin-operator:v0.1.1
    - name: registry.rancher.com/rancher/webhook-receiver:v0.2.5
    - name: registry.rancher.com/rancher/kubectl:v1.20.2
Compared with the full list of 602 container images, this trimmed version contains only 62, which brings the new CRB image down to roughly 7 GB.
We also need to create the Helm values file for Rancher:
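The trimming described above can be scripted. The following helper is an added example (not from the SUSE Edge documentation or the Rancher project): it converts a flat image list such as rancher-images.txt into the embeddedArtifactRegistry.images entries of a definition file, optionally keeping only images that match a keep-list, and counts the result so the size estimate can be repeated for a different selection. It assumes the release file lists short names such as rancher/rancher:v2.8.4 without a registry host, which is why an optional registry prefix (registry.rancher.com/, as used in the list above) can be prepended; the sample list and keep-list in the demo are constructed.

```shell
# Added example: image list -> embeddedArtifactRegistry YAML snippet.
#   $1 = image list, one "repo/name:tag" per line ('#' comments and blank lines ignored)
#   $2 = optional keep-list of fixed strings, one per line; an image survives if it
#        contains any of them (empty or omitted keeps every image)
#   $3 = optional registry prefix to prepend, e.g. registry.rancher.com/
images_to_eib_yaml() {
  list="$1"; keep="${2:-}"; prefix="${3:-}"

  if [ -n "$keep" ]; then
    selected=$(grep -v '^#' "$list" | sed '/^[[:space:]]*$/d' | grep -F -f "$keep" || true)
  else
    selected=$(grep -v '^#' "$list" | sed '/^[[:space:]]*$/d')
  fi

  printf 'embeddedArtifactRegistry:\n  images:\n'
  # sort -u removes duplicates that an upstream list may carry
  printf '%s\n' "$selected" | sort -u | while IFS= read -r img; do
    [ -n "$img" ] || continue
    printf '    - name: %s%s\n' "$prefix" "$img"
  done
}

# Number of images in a generated snippet read from stdin (the "62 of 602" figure).
count_eib_images() {
  grep -c -- '- name: '
}

# Constructed demo: a four-line stand-in for rancher-images.txt and a keep-list.
demo=$(mktemp -d)
printf '%s\n' 'rancher/rancher:v2.8.4' 'rancher/rancher-webhook:v0.4.5' \
  'rancher/istio-kubectl:1.5.10' '# comment line' 'rancher/rancher:v2.8.4' > "$demo/images.txt"
printf '%s\n' 'rancher/rancher:' 'rancher/rancher-webhook' > "$demo/keep.txt"
images_to_eib_yaml "$demo/images.txt" "$demo/keep.txt" registry.rancher.com/
images_to_eib_yaml "$demo/images.txt" "$demo/keep.txt" registry.rancher.com/ | count_eib_images
rm -rf "$demo"
```

Paste the printed snippet into the definition file in place of the embeddedArtifactRegistry section; rerun with a different keep-list (or none) to see how many images, and therefore how much image size, a selection adds.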
cat << EOF > $CONFIG_DIR/kubernetes/helm/values/rancher-values.yaml
hostname: 192.168.100.50.sslip.io
replicas: 1
bootstrapPassword: "adminadminadmin"
systemDefaultRegistry: registry.rancher.com
useBundledSystemChart: true
EOF
Setting systemDefaultRegistry to registry.rancher.com lets Rancher automatically resolve images from the embedded artifact registry that starts inside the CRB image at boot time. Omitting this field may result in container images not being found on the node.
Let's build the image:
podman run --rm -it --privileged -v $CONFIG_DIR:/eib \
  registry.suse.com/edge/edge-image-builder:1.0.2 \
  build --definition-file eib-iso-definition.yaml
The output should look like this:
Generating image customization components...
  Identifier ................... [SUCCESS]
  Custom Files ................. [SKIPPED]
  Time ......................... [SKIPPED]
  Network ...................... [SUCCESS]
  Groups ....................... [SKIPPED]
  Users ........................ [SUCCESS]
  Proxy ........................ [SKIPPED]
  Rpm .......................... [SKIPPED]
  Systemd ...................... [SKIPPED]
  Elemental .................... [SKIPPED]
  Suma ......................... [SKIPPED]
  Downloading file: dl-manifest-1.yaml 100% (437/437 kB, 17 MB/s)
  Populating Embedded Artifact Registry... 100% (69/69, 26 it/min)
  Embedded Artifact Registry ... [SUCCESS]
  Keymap ....................... [SUCCESS]
  Configuring Kubernetes component...
    The Kubernetes CNI is not explicitly set, defaulting to 'cilium'.
    Downloading file: rke2_installer.sh
    Downloading file: rke2-images-core.linux-amd64.tar.zst 100% (780/780 MB, 115 MB/s)
    Downloading file: rke2-images-cilium.linux-amd64.tar.zst 100% (367/367 MB, 108 MB/s)
    Downloading file: rke2.linux-amd64.tar.gz 100% (34/34 MB, 117 MB/s)
    Downloading file: sha256sum-amd64.txt 100% (3.9/3.9 kB, 34 MB/s)
    Downloading file: dl-manifest-1.yaml 100% (437/437 kB, 106 MB/s)
  Kubernetes ................... [SUCCESS]
  Certificates ................. [SKIPPED]
Building ISO image...
  Kernel Params ................ [SKIPPED]
Image build complete!
Once a node has been provisioned with the built image, the Rancher installation can be verified:
/var/lib/rancher/rke2/bin/kubectl get all -A --kubeconfig /etc/rancher/rke2/rke2.yaml
The output should be similar to the following, showing that all components were deployed successfully:
NAMESPACE                         NAME                                                       READY   STATUS      RESTARTS   AGE
cattle-fleet-local-system         pod/fleet-agent-68f4d5d5f7-tdlk7                           1/1     Running     0          34s
cattle-fleet-system               pod/fleet-controller-85564cc978-pbtvk                      1/1     Running     0          5m51s
cattle-fleet-system               pod/gitjob-9dc58fb5b-7cwsw                                 1/1     Running     0          5m51s
cattle-provisioning-capi-system   pod/capi-controller-manager-5c57b4b8f7-wlp5k               1/1     Running     0          4m52s
cattle-system                     pod/helm-operation-4fk5c                                   0/2     Completed   0          37s
cattle-system                     pod/helm-operation-6zgbq                                   0/2     Completed   0          4m54s
cattle-system                     pod/helm-operation-cjds5                                   0/2     Completed   0          5m37s
cattle-system                     pod/helm-operation-kt5c2                                   0/2     Completed   0          5m21s
cattle-system                     pod/helm-operation-ppgtw                                   0/2     Completed   0          5m30s
cattle-system                     pod/helm-operation-tvcwk                                   0/2     Completed   0          5m54s
cattle-system                     pod/helm-operation-wpxd4                                   0/2     Completed   0          53s
cattle-system                     pod/rancher-58575f9575-svrg2                               1/1     Running     0          6m34s
cattle-system                     pod/rancher-webhook-5c6556f7ff-vgmkt                       1/1     Running     0          5m19s
cert-manager                      pod/cert-manager-6c69f9f796-fkm8f                          1/1     Running     0          7m14s
cert-manager                      pod/cert-manager-cainjector-584f44558c-wg7p6               1/1     Running     0          7m14s
cert-manager                      pod/cert-manager-webhook-76f9945d6f-lv2nv                  1/1     Running     0          7m14s
endpoint-copier-operator          pod/endpoint-copier-operator-58964b659b-l64dk              1/1     Running     0          7m16s
endpoint-copier-operator          pod/endpoint-copier-operator-58964b659b-z9t9d              1/1     Running     0          7m16s
kube-system                       pod/cilium-fht55                                           1/1     Running     0          7m32s
kube-system                       pod/cilium-operator-558bbf6cfd-gwfwf                       1/1     Running     0          7m32s
kube-system                       pod/cilium-operator-558bbf6cfd-qsxb5                       0/1     Pending     0          7m32s
kube-system                       pod/cloud-controller-manager-host1.local                   1/1     Running     0          7m21s
kube-system                       pod/etcd-host1.local                                       1/1     Running     0          7m8s
kube-system                       pod/helm-install-cert-manager-fvbtt                        0/1     Completed   0          8m12s
kube-system                       pod/helm-install-endpoint-copier-operator-5kkgw            0/1     Completed   0          8m12s
kube-system                       pod/helm-install-metallb-zfphb                             0/1     Completed   0          8m12s
kube-system                       pod/helm-install-rancher-nc4nt                             0/1     Completed   2          8m12s
kube-system                       pod/helm-install-rke2-cilium-7wq87                         0/1     Completed   0          8m12s
kube-system                       pod/helm-install-rke2-coredns-nl4gc                        0/1     Completed   0          8m12s
kube-system                       pod/helm-install-rke2-ingress-nginx-svjqd                  0/1     Completed   0          8m12s
kube-system                       pod/helm-install-rke2-metrics-server-gqgqz                 0/1     Completed   0          8m12s
kube-system                       pod/helm-install-rke2-snapshot-controller-crd-r6b5p        0/1     Completed   0          8m12s
kube-system                       pod/helm-install-rke2-snapshot-controller-ss9v4            0/1     Completed   1          8m12s
kube-system                       pod/helm-install-rke2-snapshot-validation-webhook-vlkpn    0/1     Completed   0          8m12s
kube-system                       pod/kube-apiserver-host1.local                             1/1     Running     0          7m29s
kube-system                       pod/kube-controller-manager-host1.local                    1/1     Running     0          7m30s
kube-system                       pod/kube-proxy-host1.local                                 1/1     Running     0          7m30s
kube-system                       pod/kube-scheduler-host1.local                             1/1     Running     0          7m42s
kube-system                       pod/rke2-coredns-rke2-coredns-6c8d9bb6d-qlwc8              1/1     Running     0          7m31s
kube-system                       pod/rke2-coredns-rke2-coredns-autoscaler-55fb4bbbcf-j5r2z  1/1     Running     0          7m31s
kube-system                       pod/rke2-ingress-nginx-controller-4h2mm                    1/1     Running     0          7m3s
kube-system                       pod/rke2-metrics-server-544c8c66fc-lsrc6                   1/1     Running     0          7m15s
kube-system                       pod/rke2-snapshot-controller-59cc9cd8f4-4wx75              1/1     Running     0          7m14s
kube-system                       pod/rke2-snapshot-validation-webhook-54c5989b65-5kp2x      1/1     Running     0          7m15s
metallb-system                    pod/metallb-controller-5895d8446d-z54lm                    1/1     Running     0          7m15s
metallb-system                    pod/metallb-speaker-fxwgk                                  1/1     Running     0          7m15s

NAMESPACE                         NAME                                              TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)                         AGE
cattle-fleet-system               service/gitjob                                    ClusterIP      10.43.30.8      <none>            80/TCP                          5m51s
cattle-provisioning-capi-system   service/capi-webhook-service                      ClusterIP      10.43.7.100     <none>            443/TCP                         4m52s
cattle-system                     service/rancher                                   ClusterIP      10.43.100.229   <none>            80/TCP,443/TCP                  6m34s
cattle-system                     service/rancher-webhook                           ClusterIP      10.43.121.133   <none>            443/TCP                         5m19s
cert-manager                      service/cert-manager                              ClusterIP      10.43.140.65    <none>            9402/TCP                        7m14s
cert-manager                      service/cert-manager-webhook                      ClusterIP      10.43.108.158   <none>            443/TCP                         7m14s
default                           service/kubernetes                                ClusterIP      10.43.0.1       <none>            443/TCP                         8m26s
default                           service/kubernetes-vip                            LoadBalancer   10.43.138.138   192.168.100.151   9345:31006/TCP,6443:31599/TCP   8m21s
kube-system                       service/cilium-agent                              ClusterIP      None            <none>            9964/TCP                        7m32s
kube-system                       service/rke2-coredns-rke2-coredns                 ClusterIP      10.43.0.10      <none>            53/UDP,53/TCP                   7m31s
kube-system                       service/rke2-ingress-nginx-controller-admission   ClusterIP      10.43.157.19    <none>            443/TCP                         7m3s
kube-system                       service/rke2-metrics-server                       ClusterIP      10.43.4.123     <none>            443/TCP                         7m15s
kube-system                       service/rke2-snapshot-validation-webhook          ClusterIP      10.43.91.161    <none>            443/TCP                         7m16s
metallb-system                    service/metallb-webhook-service                   ClusterIP      10.43.71.192    <none>            443/TCP                         7m15s

NAMESPACE        NAME                                           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
kube-system      daemonset.apps/cilium                          1         1         1       1            1           kubernetes.io/os=linux   7m32s
kube-system      daemonset.apps/rke2-ingress-nginx-controller   1         1         1       1            1           kubernetes.io/os=linux   7m3s
metallb-system   daemonset.apps/metallb-speaker                 1         1         1       1            1           kubernetes.io/os=linux   7m15s

NAMESPACE                         NAME                                                   READY   UP-TO-DATE   AVAILABLE   AGE
cattle-fleet-local-system         deployment.apps/fleet-agent                            1/1     1            1           34s
cattle-fleet-system               deployment.apps/fleet-controller                       1/1     1            1           5m51s
cattle-fleet-system               deployment.apps/gitjob                                 1/1     1            1           5m51s
cattle-provisioning-capi-system   deployment.apps/capi-controller-manager                1/1     1            1           4m52s
cattle-system                     deployment.apps/rancher                                1/1     1            1           6m34s
cattle-system                     deployment.apps/rancher-webhook                        1/1     1            1           5m19s
cert-manager                      deployment.apps/cert-manager                           1/1     1            1           7m14s
cert-manager                      deployment.apps/cert-manager-cainjector                1/1     1            1           7m14s
cert-manager                      deployment.apps/cert-manager-webhook                   1/1     1            1           7m14s
endpoint-copier-operator          deployment.apps/endpoint-copier-operator               2/2     2            2           7m16s
kube-system                       deployment.apps/cilium-operator                        1/2     2            1           7m32s
kube-system                       deployment.apps/rke2-coredns-rke2-coredns              1/1     1            1           7m31s
kube-system                       deployment.apps/rke2-coredns-rke2-coredns-autoscaler   1/1     1            1           7m31s
kube-system                       deployment.apps/rke2-metrics-server                    1/1     1            1           7m15s
kube-system                       deployment.apps/rke2-snapshot-controller               1/1     1            1           7m14s
kube-system                       deployment.apps/rke2-snapshot-validation-webhook       1/1     1            1           7m15s
metallb-system                    deployment.apps/metallb-controller                     1/1     1            1           7m15s

NAMESPACE                         NAME                                                              DESIRED   CURRENT   READY   AGE
cattle-fleet-local-system         replicaset.apps/fleet-agent-68f4d5d5f7                            1         1         1       34s
cattle-fleet-system               replicaset.apps/fleet-controller-85564cc978                       1         1         1       5m51s
cattle-fleet-system               replicaset.apps/gitjob-9dc58fb5b                                  1         1         1       5m51s
cattle-provisioning-capi-system   replicaset.apps/capi-controller-manager-5c57b4b8f7                1         1         1       4m52s
cattle-system                     replicaset.apps/rancher-58575f9575                                1         1         1       6m34s
cattle-system                     replicaset.apps/rancher-webhook-5c6556f7ff                        1         1         1       5m19s
cert-manager                      replicaset.apps/cert-manager-6c69f9f796                           1         1         1       7m14s
cert-manager                      replicaset.apps/cert-manager-cainjector-584f44558c                1         1         1       7m14s
cert-manager                      replicaset.apps/cert-manager-webhook-76f9945d6f                   1         1         1       7m14s
endpoint-copier-operator          replicaset.apps/endpoint-copier-operator-58964b659b               2         2         2       7m16s
kube-system                       replicaset.apps/cilium-operator-558bbf6cfd                        2         2         1       7m32s
kube-system                       replicaset.apps/rke2-coredns-rke2-coredns-6c8d9bb6d               1         1         1       7m31s
kube-system                       replicaset.apps/rke2-coredns-rke2-coredns-autoscaler-55fb4bbbcf   1         1         1       7m31s
kube-system                       replicaset.apps/rke2-metrics-server-544c8c66fc                    1         1         1       7m15s
kube-system                       replicaset.apps/rke2-snapshot-controller-59cc9cd8f4               1         1         1       7m14s
kube-system                       replicaset.apps/rke2-snapshot-validation-webhook-54c5989b65       1         1         1       7m15s
metallb-system                    replicaset.apps/metallb-controller-5895d8446d                     1         1         1       7m15s

NAMESPACE     NAME                                                     COMPLETIONS   DURATION   AGE
kube-system   job.batch/helm-install-cert-manager                      1/1           85s        8m21s
kube-system   job.batch/helm-install-endpoint-copier-operator          1/1           59s        8m21s
kube-system   job.batch/helm-install-metallb                           1/1           60s        8m21s
kube-system   job.batch/helm-install-rancher                           1/1           100s       8m21s
kube-system   job.batch/helm-install-rke2-cilium                       1/1           44s        8m18s
kube-system   job.batch/helm-install-rke2-coredns                      1/1           45s        8m18s
kube-system   job.batch/helm-install-rke2-ingress-nginx                1/1           76s        8m16s
kube-system   job.batch/helm-install-rke2-metrics-server               1/1           60s        8m16s
kube-system   job.batch/helm-install-rke2-snapshot-controller          1/1           61s        8m15s
kube-system   job.batch/helm-install-rke2-snapshot-controller-crd      1/1           60s        8m16s
kube-system   job.batch/helm-install-rke2-snapshot-validation-webhook  1/1           60s        8m14s
After navigating to https://192.168.100.50.sslip.io and logging in with the adminadminadmin password set earlier, the Rancher dashboard is displayed.
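The verification step above relies on reading the kubectl output by eye. The two checks below are an added example (not from the SUSE Edge documentation) that automate the part that matters most on an air-gapped node: a pod stuck in ErrImagePull or ImagePullBackOff, including the Init: variants, means an image the component pulls at runtime is not in the embedded artifact registry and must be added to embeddedArtifactRegistry.images. check_pod_health flags such pods from "kubectl get pods -A --no-headers" output; images_not_in_definition lists the images that running pods reference but the definition file does not carry. The function names, the jsonpath query in the comment, and the constructed sample rows and files are assumptions for the demonstration; the kubectl path and kubeconfig are the ones used throughout this guide.

```shell
# Added example: post-provisioning checks for an air-gapped EIB node.
KUBECTL=/var/lib/rancher/rke2/bin/kubectl
KUBECONFIG_FILE=/etc/rancher/rke2/rke2.yaml

# Reads "kubectl get pods -A --no-headers" from stdin. Prints every pod that is
# not Running/Completed and returns 1 if any pod is in an image pull error
# state. Other states (e.g. Pending) are listed as UNHEALTHY but do not fail the
# check: the kubectl output above shows a second cilium-operator replica Pending
# on a healthy single-node cluster.
check_pod_health() {
  awk '
    NF < 4 { next }                       # skip blank or truncated lines
    { ns = $1; name = $2; status = $4 }   # columns: NAMESPACE NAME READY STATUS ...
    status == "Running" || status == "Completed" || status == "Succeeded" { next }
    status ~ /ImagePull/ { pulls++; printf "IMAGE-PULL  %s/%s  %s\n", ns, name, status; next }
    { printf "UNHEALTHY   %s/%s  %s\n", ns, name, status }
    END { if (pulls > 0) exit 1 }
  '
}

# $1 = file with images referenced by pod specs (one per line)
# $2 = EIB definition file
# Prints each referenced image that has no exact "- name:" entry in the
# definition. Matching is exact, so an image written with a registry host on one
# side and without it on the other is reported as missing; normalize first if
# your manifests mix both forms. Chart and repository "- name:" entries in the
# definition are harmless here: they never equal an image reference.
images_not_in_definition() {
  referenced="$1"; definition="$2"
  listed=$(sed -n 's/^[[:space:]]*-[[:space:]]*name:[[:space:]]*//p' "$definition")
  sort -u "$referenced" | while IFS= read -r img; do
    [ -n "$img" ] || continue
    printf '%s\n' "$listed" | grep -Fxq -- "$img" || printf '%s\n' "$img"
  done
}

# On the node the inputs come from the cluster (assumed invocation):
#   $KUBECTL get pods -A --no-headers --kubeconfig $KUBECONFIG_FILE | check_pod_health
#   $KUBECTL get pods -A --kubeconfig $KUBECONFIG_FILE \
#     -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' > referenced.txt
#   images_not_in_definition referenced.txt $CONFIG_DIR/eib-iso-definition.yaml

# Constructed sample input so both checks run offline.
SAMPLE_PODS='cattle-system   rancher-58575f9575-svrg2   1/1   Running            0   5m
cattle-system   helm-operation-4fk5c       0/2   Completed          0   1m
kube-system     cilium-operator-2          0/1   Pending            0   7m
cattle-system   rancher-webhook-1          0/1   ImagePullBackOff   0   3m'

demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_PODS" | check_pod_health \
  || echo "=> at least one image is missing from the embedded artifact registry"
printf '%s\n' 'registry.rancher.com/rancher/rancher:v2.8.4' \
  'registry.rancher.com/rancher/rancher-webhook:v0.4.5' > "$demo/referenced.txt"
printf '%s\n' 'embeddedArtifactRegistry:' '  images:' \
  '    - name: registry.rancher.com/rancher/rancher:v2.8.4' > "$demo/definition.yaml"
images_not_in_definition "$demo/referenced.txt" "$demo/definition.yaml"   # prints the webhook image
rm -rf "$demo"
```

Run check_pod_health a few minutes after first boot, once the helm-install jobs have completed; images reported by images_not_in_definition are the candidates to add to the definition file before the next build.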
21.7 NeuVector installation
Unlike the Rancher installation, NeuVector requires no special handling in EIB. EIB automatically air-gaps every image NeuVector needs.
Create the definition file:
apiVersion: 1.0
image:
  imageType: iso
  arch: x86_64
  baseImage: slemicro.iso
  outputImageName: eib-image.iso
operatingSystem:
  users:
    - username: root
      encryptedPassword: $6$jHugJNNd3HElGsUZ$eodjVe4te5ps44SVcWshdfWizrP.xAyd71CVEXazBJ/.v799/WRCBXxfYmunlBO2yp1hm/zb4r8EmnrrNCF.P/
kubernetes:
  version: v1.28.9+rke2r1
  helm:
    charts:
      - name: neuvector-crd
        version: 103.0.3+up2.7.6
        repositoryName: rancher-charts
        targetNamespace: neuvector
        createNamespace: true
        installationNamespace: kube-system
        valuesFile: neuvector-values.yaml
      - name: neuvector
        version: 103.0.3+up2.7.6
        repositoryName: rancher-charts
        targetNamespace: neuvector
        createNamespace: true
        installationNamespace: kube-system
        valuesFile: neuvector-values.yaml
    repositories:
      - name: rancher-charts
        url: https://charts.rancher.io/
Also create the Helm values file for NeuVector:
cat << EOF > $CONFIG_DIR/kubernetes/helm/values/neuvector-values.yaml
controller:
  replicas: 1
manager:
  enabled: false
cve:
  scanner:
    enabled: false
    replicas: 1
k3s:
  enabled: true
crdwebhook:
  enabled: false
EOF
Let's build the image:
podman run --rm -it --privileged -v $CONFIG_DIR:/eib \
  registry.suse.com/edge/edge-image-builder:1.0.2 \
  build --definition-file eib-iso-definition.yaml
The output should look like this:
Generating image customization components...
  Identifier ................... [SUCCESS]
  Custom Files ................. [SKIPPED]
  Time ......................... [SKIPPED]
  Network ...................... [SUCCESS]
  Groups ....................... [SKIPPED]
  Users ........................ [SUCCESS]
  Proxy ........................ [SKIPPED]
  Rpm .......................... [SKIPPED]
  Systemd ...................... [SKIPPED]
  Elemental .................... [SKIPPED]
  Suma ......................... [SKIPPED]
  Populating Embedded Artifact Registry... 100% (6/6, 20 it/min)
  Embedded Artifact Registry ... [SUCCESS]
  Keymap ....................... [SUCCESS]
  Configuring Kubernetes component...
    The Kubernetes CNI is not explicitly set, defaulting to 'cilium'.
    Downloading file: rke2_installer.sh
  Kubernetes ................... [SUCCESS]
  Certificates ................. [SKIPPED]
Building ISO image...
  Kernel Params ................ [SKIPPED]
Image build complete!
Once a node has been provisioned with the built image, the NeuVector installation can be verified:
/var/lib/rancher/rke2/bin/kubectl get all -n neuvector --kubeconfig /etc/rancher/rke2/rke2.yaml
The output should be similar to the following, showing that all components were deployed successfully:
NAME                                           READY   STATUS    RESTARTS   AGE
pod/neuvector-controller-pod-bc74745cf-x9fsc   1/1     Running   0          13m
pod/neuvector-enforcer-pod-vzw7t               1/1     Running   0          13m

NAME                                      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                         AGE
service/neuvector-svc-admission-webhook   ClusterIP   10.43.240.25   <none>        443/TCP                         13m
service/neuvector-svc-controller          ClusterIP   None           <none>        18300/TCP,18301/TCP,18301/UDP   13m

NAME                                    DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/neuvector-enforcer-pod   1         1         1       1            1           <none>          13m

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/neuvector-controller-pod   1/1     1            1           13m

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/neuvector-controller-pod-bc74745cf   1         1         1       13m

NAME                                  SCHEDULE    SUSPEND   ACTIVE   LAST SCHEDULE   AGE
cronjob.batch/neuvector-updater-pod   0 0 * * *   False     0        <none>          13m
21.8 Longhorn installation
Longhorn's official documentation includes a longhorn-images.txt file that lists every image required for an air-gapped installation. We include those images in the definition file. Let's create it:
apiVersion: 1.0
image:
  imageType: iso
  arch: x86_64
  baseImage: slemicro.iso
  outputImageName: eib-image.iso
operatingSystem:
  users:
    - username: root
      encryptedPassword: $6$jHugJNNd3HElGsUZ$eodjVe4te5ps44SVcWshdfWizrP.xAyd71CVEXazBJ/.v799/WRCBXxfYmunlBO2yp1hm/zb4r8EmnrrNCF.P/
kubernetes:
  version: v1.28.9+rke2r1
  helm:
    charts:
      - name: longhorn
        repositoryName: longhorn
        targetNamespace: longhorn-system
        createNamespace: true
        version: 1.6.1
    repositories:
      - name: longhorn
        url: https://charts.longhorn.io
embeddedArtifactRegistry:
  images:
    - name: longhornio/csi-attacher:v4.4.2
    - name: longhornio/csi-provisioner:v3.6.2
    - name: longhornio/csi-resizer:v1.9.2
    - name: longhornio/csi-snapshotter:v6.3.2
    - name: longhornio/csi-node-driver-registrar:v2.9.2
    - name: longhornio/livenessprobe:v2.12.0
    - name: longhornio/backing-image-manager:v1.6.1
    - name: longhornio/longhorn-engine:v1.6.1
    - name: longhornio/longhorn-instance-manager:v1.6.1
    - name: longhornio/longhorn-manager:v1.6.1
    - name: longhornio/longhorn-share-manager:v1.6.1
    - name: longhornio/longhorn-ui:v1.6.1
    - name: longhornio/support-bundle-kit:v0.0.36
Let's build the image:
podman run --rm -it --privileged -v $CONFIG_DIR:/eib \
  registry.suse.com/edge/edge-image-builder:1.0.2 \
  build --definition-file eib-iso-definition.yaml
The output should look like this:
Generating image customization components...
  Identifier ................... [SUCCESS]
  Custom Files ................. [SKIPPED]
  Time ......................... [SKIPPED]
  Network ...................... [SUCCESS]
  Groups ....................... [SKIPPED]
  Users ........................ [SUCCESS]
  Proxy ........................ [SKIPPED]
  Rpm .......................... [SKIPPED]
  Systemd ...................... [SKIPPED]
  Elemental .................... [SKIPPED]
  Suma ......................... [SKIPPED]
  Populating Embedded Artifact Registry... 100% (13/13, 20 it/min)
  Embedded Artifact Registry ... [SUCCESS]
  Keymap ....................... [SUCCESS]
  Configuring Kubernetes component...
    The Kubernetes CNI is not explicitly set, defaulting to 'cilium'.
    Downloading file: rke2_installer.sh
    Downloading file: rke2-images-core.linux-amd64.tar.zst 100% (782/782 MB, 108 MB/s)
    Downloading file: rke2-images-cilium.linux-amd64.tar.zst 100% (367/367 MB, 104 MB/s)
    Downloading file: rke2.linux-amd64.tar.gz 100% (34/34 MB, 108 MB/s)
    Downloading file: sha256sum-amd64.txt 100% (3.9/3.9 kB, 7.5 MB/s)
  Kubernetes ................... [SUCCESS]
  Certificates ................. [SKIPPED]
Building ISO image...
  Kernel Params ................ [SKIPPED]
Image build complete!
Once a node has been provisioned with the built image, the Longhorn installation can be verified:
/var/lib/rancher/rke2/bin/kubectl get all -n longhorn-system --kubeconfig /etc/rancher/rke2/rke2.yaml
The output should be similar to the following, showing that all components were deployed successfully:
NAME                                                    READY   STATUS    RESTARTS      AGE
pod/csi-attacher-5c4bfdcf59-9hgvv                       1/1     Running   0             35s
pod/csi-attacher-5c4bfdcf59-dt6jl                       1/1     Running   0             35s
pod/csi-attacher-5c4bfdcf59-swpwq                       1/1     Running   0             35s
pod/csi-provisioner-667796df57-dfrzw                    1/1     Running   0             35s
pod/csi-provisioner-667796df57-tvsrt                    1/1     Running   0             35s
pod/csi-provisioner-667796df57-xszsx                    1/1     Running   0             35s
pod/csi-resizer-694f8f5f64-6khlb                        1/1     Running   0             35s
pod/csi-resizer-694f8f5f64-gnr45                        1/1     Running   0             35s
pod/csi-resizer-694f8f5f64-sbl4k                        1/1     Running   0             35s
pod/csi-snapshotter-959b69d4b-2k4v8                     1/1     Running   0             35s
pod/csi-snapshotter-959b69d4b-9d8wl                     1/1     Running   0             35s
pod/csi-snapshotter-959b69d4b-l2w95                     1/1     Running   0             35s
pod/engine-image-ei-5cefaf2b-cwd8f                      1/1     Running   0             43s
pod/instance-manager-f0d17f96bc92f3cc44787a2a347f6a98   1/1     Running   0             43s
pod/longhorn-csi-plugin-szv7t                           3/3     Running   0             35s
pod/longhorn-driver-deployer-9f4fc86-q8fz2              1/1     Running   0             83s
pod/longhorn-manager-zp66l                              1/1     Running   0             83s
pod/longhorn-ui-5f4b7bbf69-k645d                        1/1     Running   3 (65s ago)   83s
pod/longhorn-ui-5f4b7bbf69-t7xt4                        1/1     Running   3 (62s ago)   83s

NAME                                  TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
service/longhorn-admission-webhook    ClusterIP   10.43.74.59    <none>        9502/TCP   83s
service/longhorn-backend              ClusterIP   10.43.45.206   <none>        9500/TCP   83s
service/longhorn-conversion-webhook   ClusterIP   10.43.83.108   <none>        9501/TCP   83s
service/longhorn-engine-manager       ClusterIP   None           <none>        <none>     83s
service/longhorn-frontend             ClusterIP   10.43.84.55    <none>        80/TCP     83s
service/longhorn-recovery-backend     ClusterIP   10.43.75.200   <none>        9503/TCP   83s
service/longhorn-replica-manager      ClusterIP   None           <none>        <none>     83s

NAME                                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/engine-image-ei-5cefaf2b   1         1         1       1            1           <none>          43s
daemonset.apps/longhorn-csi-plugin        1         1         1       1            1           <none>          35s
daemonset.apps/longhorn-manager           1         1         1       1            1           <none>          83s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/csi-attacher               3/3     3            3           35s
deployment.apps/csi-provisioner            3/3     3            3           35s
deployment.apps/csi-resizer                3/3     3            3           35s
deployment.apps/csi-snapshotter            3/3     3            3           35s
deployment.apps/longhorn-driver-deployer   1/1     1            1           83s
deployment.apps/longhorn-ui                2/2     2            2           83s

NAME                                               DESIRED   CURRENT   READY   AGE
replicaset.apps/csi-attacher-5c4bfdcf59            3         3         3       35s
replicaset.apps/csi-provisioner-667796df57         3         3         3       35s
replicaset.apps/csi-resizer-694f8f5f64             3         3         3       35s
replicaset.apps/csi-snapshotter-959b69d4b          3         3         3       35s
replicaset.apps/longhorn-driver-deployer-9f4fc86   1         1         1       83s
replicaset.apps/longhorn-ui-5f4b7bbf69             2         2         2       83s
21.9 KubeVirt and CDI installation
The Helm charts for KubeVirt and CDI install only their respective operators. The rest of the system is deployed by those operators at runtime, which means we must include all the necessary container images in the definition file. Let's create it:
apiVersion: 1.0
image:
  imageType: iso
  arch: x86_64
  baseImage: slemicro.iso
  outputImageName: eib-image.iso
operatingSystem:
  users:
    - username: root
      encryptedPassword: $6$jHugJNNd3HElGsUZ$eodjVe4te5ps44SVcWshdfWizrP.xAyd71CVEXazBJ/.v799/WRCBXxfYmunlBO2yp1hm/zb4r8EmnrrNCF.P/
kubernetes:
  version: v1.28.9+rke2r1
  helm:
    charts:
      - name: kubevirt-chart
        repositoryName: suse-edge
        version: 0.2.4
        targetNamespace: kubevirt-system
        createNamespace: true
        installationNamespace: kube-system
      - name: cdi-chart
        repositoryName: suse-edge
        version: 0.2.3
        targetNamespace: cdi-system
        createNamespace: true
        installationNamespace: kube-system
    repositories:
      - name: suse-edge
        url: oci://registry.suse.com/edge
embeddedArtifactRegistry:
  images:
    - name: registry.suse.com/suse/sles/15.5/cdi-uploadproxy:1.58.0-150500.6.12.1
    - name: registry.suse.com/suse/sles/15.5/cdi-uploadserver:1.58.0-150500.6.12.1
    - name: registry.suse.com/suse/sles/15.5/cdi-apiserver:1.58.0-150500.6.12.1
    - name: registry.suse.com/suse/sles/15.5/cdi-controller:1.58.0-150500.6.12.1
    - name: registry.suse.com/suse/sles/15.5/cdi-importer:1.58.0-150500.6.12.1
    - name: registry.suse.com/suse/sles/15.5/cdi-cloner:1.58.0-150500.6.12.1
    - name: registry.suse.com/suse/sles/15.5/virt-api:1.1.1-150500.8.12.1
    - name: registry.suse.com/suse/sles/15.5/virt-controller:1.1.1-150500.8.12.1
    - name: registry.suse.com/suse/sles/15.5/virt-launcher:1.1.1-150500.8.12.1
    - name: registry.suse.com/suse/sles/15.5/virt-handler:1.1.1-150500.8.12.1
    - name: registry.suse.com/suse/sles/15.5/virt-exportproxy:1.1.1-150500.8.12.1
    - name: registry.suse.com/suse/sles/15.5/virt-exportserver:1.1.1-150500.8.12.1
Let's build the image:
podman run --rm -it --privileged -v $CONFIG_DIR:/eib \
  registry.suse.com/edge/edge-image-builder:1.0.2 \
  build --definition-file eib-iso-definition.yaml
The output should look like this:
Generating image customization components...
  Identifier ................... [SUCCESS]
  Custom Files ................. [SKIPPED]
  Time ......................... [SKIPPED]
  Network ...................... [SUCCESS]
  Groups ....................... [SKIPPED]
  Users ........................ [SUCCESS]
  Proxy ........................ [SKIPPED]
  Rpm .......................... [SKIPPED]
  Systemd ...................... [SKIPPED]
  Elemental .................... [SKIPPED]
  Suma ......................... [SKIPPED]
  Populating Embedded Artifact Registry... 100% (13/13, 6 it/min)
  Embedded Artifact Registry ... [SUCCESS]
  Keymap ....................... [SUCCESS]
  Configuring Kubernetes component...
    The Kubernetes CNI is not explicitly set, defaulting to 'cilium'.
    Downloading file: rke2_installer.sh
  Kubernetes ................... [SUCCESS]
  Certificates ................. [SKIPPED]
Building ISO image...
  Kernel Params ................ [SKIPPED]
Image build complete!
Once a node has been provisioned with the built image, the KubeVirt and CDI installations can be verified.
Verify KubeVirt:
/var/lib/rancher/rke2/bin/kubectl get all -n kubevirt-system --kubeconfig /etc/rancher/rke2/rke2.yaml
The output should be similar to the following, showing that all components were deployed successfully:
NAME                                   READY   STATUS    RESTARTS   AGE
pod/virt-api-7c45477984-z226r          1/1     Running   0          2m4s
pod/virt-controller-664d9986b5-8p8gm   1/1     Running   0          98s
pod/virt-controller-664d9986b5-v2n4h   1/1     Running   0          98s
pod/virt-handler-2fx8c                 1/1     Running   0          98s
pod/virt-operator-5cf69867dc-hz5s8     1/1     Running   0          2m30s
pod/virt-operator-5cf69867dc-kp266     1/1     Running   0          2m30s

NAME                                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/kubevirt-operator-webhook     ClusterIP   10.43.210.235   <none>        443/TCP   2m7s
service/kubevirt-prometheus-metrics   ClusterIP   None            <none>        443/TCP   2m7s
service/virt-api                      ClusterIP   10.43.226.140   <none>        443/TCP   2m7s
service/virt-exportproxy              ClusterIP   10.43.213.201   <none>        443/TCP   2m7s

NAME                          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
daemonset.apps/virt-handler   1         1         1       1            1           kubernetes.io/os=linux   98s

NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/virt-api          1/1     1            1           2m4s
deployment.apps/virt-controller   2/2     2            2           98s
deployment.apps/virt-operator     2/2     2            2           2m30s

NAME                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/virt-api-7c45477984          1         1         1       2m4s
replicaset.apps/virt-controller-664d9986b5   2         2         2       98s
replicaset.apps/virt-operator-5cf69867dc     2         2         2       2m30s
Verify CDI:
/var/lib/rancher/rke2/bin/kubectl get all -n cdi-system --kubeconfig /etc/rancher/rke2/rke2.yaml
The output should be similar to the following, showing that all components were deployed successfully:
NAME                                   READY   STATUS    RESTARTS   AGE
pod/cdi-apiserver-db465b888-mdsmm      1/1     Running   0          3m6s
pod/cdi-deployment-56c7d74995-vt9sw    1/1     Running   0          3m6s
pod/cdi-operator-55c74f4b86-gkt58      1/1     Running   0          3m10s
pod/cdi-uploadproxy-7d7b94b968-msg2h   1/1     Running   0          3m6s

NAME                             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/cdi-api                  ClusterIP   10.43.161.135   <none>        443/TCP    3m6s
service/cdi-prometheus-metrics   ClusterIP   10.43.161.159   <none>        8080/TCP   3m6s
service/cdi-uploadproxy          ClusterIP   10.43.25.136    <none>        443/TCP    3m6s

NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cdi-apiserver     1/1     1            1           3m6s
deployment.apps/cdi-deployment    1/1     1            1           3m6s
deployment.apps/cdi-operator      1/1     1            1           3m10s
deployment.apps/cdi-uploadproxy   1/1     1            1           3m6s

NAME                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/cdi-apiserver-db465b888      1         1         1       3m6s
replicaset.apps/cdi-deployment-56c7d74995    1         1         1       3m6s
replicaset.apps/cdi-operator-55c74f4b86      1         1         1       3m10s
replicaset.apps/cdi-uploadproxy-7d7b94b968   1         1         1       3m6s
21.10 Troubleshooting
If you run into problems while building images, or want to test and debug the process further, refer to the upstream documentation.