update

2023-05-30 14:44:26 +09:00
parent 9a3174deef
commit 4c32a7239d
2598 changed files with 164595 additions and 487 deletions
--- a/kubespray/contrib/offline/README.md
+++ b/kubespray/contrib/offline/README.md
@@ -0,0 +1,65 @@
+# Offline deployment
+
+## manage-offline-container-images.sh
+
+Container image collecting script for offline deployment
+
+This script has two features:
+(1) Get container images from an environment which is deployed online.
+(2) Deploy local container registry and register the container images to the registry.
+
+Step(1) should be done online site as a preparation, then we bring the gotten images
+to the target offline environment. if images are from a private registry,
+you need to set `PRIVATE_REGISTRY` environment variable.
+Then we will run step(2) for registering the images to local registry.
+
+Step(1) can be operated with:
+
+```shell
+manage-offline-container-images.sh   create
+```
+
+Step(2) can be operated with:
+
+```shell
+manage-offline-container-images.sh   register
+```
+
+## generate_list.sh
+
+This script generates the list of downloaded files and the list of container images by `roles/download/defaults/main.yml` file.
+
+Run this script will execute `generate_list.yml` playbook in kubespray root directory and generate four files,
+all downloaded files url in files.list, all container images in images.list, jinja2 templates in *.template.
+
+```shell
+./generate_list.sh
+tree temp
+temp
+├── files.list
+├── files.list.template
+├── images.list
+└── images.list.template
+0 directories, 5 files
+```
+
+In some cases you may want to update some component version, you can declare version variables in ansible inventory file or group_vars,
+then run `./generate_list.sh -i [inventory_file]` to update file.list and images.list.
+
+## manage-offline-files.sh
+
+This script will download all files according to `temp/files.list` and run nginx container to provide offline file download.
+
+Step(1) generate `files.list`
+
+```shell
+./generate_list.sh
+```
+
+Step(2) download files and run nginx container
+
+```shell
+./manage-offline-files.sh
+```
+
+when nginx container is running, it can be accessed through <http://127.0.0.1:8080/>.
--- a/kubespray/contrib/offline/docker-daemon.json
+++ b/kubespray/contrib/offline/docker-daemon.json
@@ -0,0 +1 @@
+{ "insecure-registries":["HOSTNAME:5000"] }
--- a/kubespray/contrib/offline/generate_list.sh
+++ b/kubespray/contrib/offline/generate_list.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -eo pipefail
+
+CURRENT_DIR=$(cd $(dirname $0); pwd)
+TEMP_DIR="${CURRENT_DIR}/temp"
+REPO_ROOT_DIR="${CURRENT_DIR%/contrib/offline}"
+
+: ${DOWNLOAD_YML:="roles/download/defaults/main.yml"}
+
+mkdir -p ${TEMP_DIR}
+
+# generate all download files url template
+grep 'download_url:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
+    | sed 's/^.*_url: //g;s/\"//g' > ${TEMP_DIR}/files.list.template
+
+# generate all images list template
+sed -n '/^downloads:/,/download_defaults:/p' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
+    | sed -n "s/repo: //p;s/tag: //p" | tr -d ' ' \
+    | sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/\"//g' > ${TEMP_DIR}/images.list.template
+
+# add kube-* images to images list template
+# Those container images are downloaded by kubeadm, then roles/download/defaults/main.yml
+# doesn't contain those images. That is reason why here needs to put those images into the
+# list separately.
+KUBE_IMAGES="kube-apiserver kube-controller-manager kube-scheduler kube-proxy"
+for i in $KUBE_IMAGES; do
+    echo "{{ kube_image_repo }}/$i:{{ kube_version }}" >> ${TEMP_DIR}/images.list.template
+done
+
+# run ansible to expand templates
+/bin/cp ${CURRENT_DIR}/generate_list.yml ${REPO_ROOT_DIR}
+
+(cd ${REPO_ROOT_DIR} && ansible-playbook $* generate_list.yml && /bin/rm generate_list.yml) || exit 1
--- a/kubespray/contrib/offline/generate_list.yml
+++ b/kubespray/contrib/offline/generate_list.yml
@@ -0,0 +1,19 @@
+---
+- hosts: localhost
+  become: no
+
+  roles:
+    # Just load default variables from roles.
+    - role: kubespray-defaults
+      when: false
+    - role: download
+      when: false
+
+  tasks:
+    # Generate files.list and images.list files from templates.
+    - template:
+        src: ./contrib/offline/temp/{{ item }}.list.template
+        dest: ./contrib/offline/temp/{{ item }}.list
+      with_items:
+        - files
+        - images
--- a/kubespray/contrib/offline/manage-offline-container-images.sh
+++ b/kubespray/contrib/offline/manage-offline-container-images.sh
@@ -0,0 +1,172 @@
+#!/bin/bash
+
+OPTION=$1
+CURRENT_DIR=$(cd $(dirname $0); pwd)
+TEMP_DIR="${CURRENT_DIR}/temp"
+
+IMAGE_TAR_FILE="${CURRENT_DIR}/container-images.tar.gz"
+IMAGE_DIR="${CURRENT_DIR}/container-images"
+IMAGE_LIST="${IMAGE_DIR}/container-images.txt"
+RETRY_COUNT=5
+
+function create_container_image_tar() {
+	set -e
+
+	IMAGES=$(kubectl describe pods --all-namespaces | grep " Image:" | awk '{print $2}' | sort | uniq)
+	# NOTE: etcd and pause cannot be seen as pods.
+	# The pause image is used for --pod-infra-container-image option of kubelet.
+	EXT_IMAGES=$(kubectl cluster-info dump | egrep "quay.io/coreos/etcd:|registry.k8s.io/pause:" | sed s@\"@@g)
+	IMAGES="${IMAGES} ${EXT_IMAGES}"
+
+	rm -f  ${IMAGE_TAR_FILE}
+	rm -rf ${IMAGE_DIR}
+	mkdir  ${IMAGE_DIR}
+	cd     ${IMAGE_DIR}
+
+	sudo docker pull registry:latest
+	sudo docker save -o registry-latest.tar registry:latest
+
+	for image in ${IMAGES}
+	do
+		FILE_NAME="$(echo ${image} | sed s@"/"@"-"@g | sed s/":"/"-"/g)".tar
+		set +e
+		for step in $(seq 1 ${RETRY_COUNT})
+		do
+			sudo docker pull ${image}
+			if [ $? -eq 0 ]; then
+				break
+			fi
+			echo "Failed to pull ${image} at step ${step}"
+			if [ ${step} -eq ${RETRY_COUNT} ]; then
+				exit 1
+			fi
+		done
+		set -e
+		sudo docker save -o ${FILE_NAME}  ${image}
+
+		# NOTE: Here removes the following repo parts from each image
+		# so that these parts will be replaced with Kubespray.
+		# - kube_image_repo: "registry.k8s.io"
+		# - gcr_image_repo: "gcr.io"
+		# - docker_image_repo: "docker.io"
+		# - quay_image_repo: "quay.io"
+		FIRST_PART=$(echo ${image} | awk -F"/" '{print $1}')
+		if [ "${FIRST_PART}" = "registry.k8s.io" ] ||
+		   [ "${FIRST_PART}" = "gcr.io" ] ||
+		   [ "${FIRST_PART}" = "docker.io" ] ||
+		   [ "${FIRST_PART}" = "quay.io" ] ||
+		   [ "${FIRST_PART}" = "${PRIVATE_REGISTRY}" ]; then
+			image=$(echo ${image} | sed s@"${FIRST_PART}/"@@)
+		fi
+		echo "${FILE_NAME}  ${image}" >> ${IMAGE_LIST}
+	done
+
+	cd ..
+	sudo chown ${USER} ${IMAGE_DIR}/*
+	tar -zcvf ${IMAGE_TAR_FILE}  ./container-images
+	rm -rf ${IMAGE_DIR}
+
+	echo ""
+	echo "${IMAGE_TAR_FILE} is created to contain your container images."
+	echo "Please keep this file and bring it to your offline environment."
+}
+
+function register_container_images() {
+	if [ ! -f ${IMAGE_TAR_FILE} ]; then
+		echo "${IMAGE_TAR_FILE} should exist."
+		exit 1
+	fi
+	if [ ! -d ${TEMP_DIR} ]; then
+		mkdir ${TEMP_DIR}
+	fi
+
+	# To avoid "http: server gave http response to https client" error.
+	LOCALHOST_NAME=$(hostname)
+	if [ -d /etc/docker/ ]; then
+		set -e
+		# Ubuntu18.04, RHEL7/CentOS7
+		cp ${CURRENT_DIR}/docker-daemon.json      ${TEMP_DIR}/docker-daemon.json
+		sed -i s@"HOSTNAME"@"${LOCALHOST_NAME}"@  ${TEMP_DIR}/docker-daemon.json
+		sudo cp ${TEMP_DIR}/docker-daemon.json           /etc/docker/daemon.json
+	elif [ -d /etc/containers/ ]; then
+		set -e
+		# RHEL8/CentOS8
+		cp ${CURRENT_DIR}/registries.conf         ${TEMP_DIR}/registries.conf
+		sed -i s@"HOSTNAME"@"${LOCALHOST_NAME}"@  ${TEMP_DIR}/registries.conf
+		sudo cp ${TEMP_DIR}/registries.conf   /etc/containers/registries.conf
+	else
+		echo "docker package(docker-ce, etc.) should be installed"
+		exit 1
+	fi
+
+	tar -zxvf ${IMAGE_TAR_FILE}
+	sudo docker load -i ${IMAGE_DIR}/registry-latest.tar
+	set +e
+	sudo docker container inspect registry >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		sudo docker run --restart=always -d -p 5000:5000 --name registry registry:latest
+	fi
+	set -e
+
+	while read -r line; do
+		file_name=$(echo ${line} | awk '{print $1}')
+		raw_image=$(echo ${line} | awk '{print $2}')
+		new_image="${LOCALHOST_NAME}:5000/${raw_image}"
+		org_image=$(sudo docker load -i ${IMAGE_DIR}/${file_name} | head -n1 | awk '{print $3}')
+		image_id=$(sudo docker image inspect ${org_image} | grep "\"Id\":" | awk -F: '{print $3}'| sed s/'\",'//)
+		if [ -z "${file_name}" ]; then
+			echo "Failed to get file_name for line ${line}"
+			exit 1
+		fi
+		if [ -z "${raw_image}" ]; then
+			echo "Failed to get raw_image for line ${line}"
+			exit 1
+		fi
+		if [ -z "${org_image}" ]; then
+			echo "Failed to get org_image for line ${line}"
+			exit 1
+		fi
+		if [ -z "${image_id}" ]; then
+			echo "Failed to get image_id for file ${file_name}"
+			exit 1
+		fi
+		sudo docker load -i ${IMAGE_DIR}/${file_name}
+		sudo docker tag  ${image_id} ${new_image}
+		sudo docker push ${new_image}
+	done <<< "$(cat ${IMAGE_LIST})"
+
+	echo "Succeeded to register container images to local registry."
+	echo "Please specify ${LOCALHOST_NAME}:5000 for the following options in your inventry:"
+	echo "- kube_image_repo"
+	echo "- gcr_image_repo"
+	echo "- docker_image_repo"
+	echo "- quay_image_repo"
+}
+
+if [ "${OPTION}" == "create" ]; then
+	create_container_image_tar
+elif [ "${OPTION}" == "register" ]; then
+	register_container_images
+else
+	echo "This script has two features:"
+	echo "(1) Get container images from an environment which is deployed online."
+	echo "(2) Deploy local container registry and register the container images to the registry."
+	echo ""
+	echo "Step(1) should be done online site as a preparation, then we bring"
+	echo "the gotten images to the target offline environment. if images are from"
+	echo "a private registry, you need to set PRIVATE_REGISTRY environment variable."
+	echo "Then we will run step(2) for registering the images to local registry."
+	echo ""
+	echo "${IMAGE_TAR_FILE} is created to contain your container images."
+	echo "Please keep this file and bring it to your offline environment."
+	echo ""
+	echo "Step(1) can be operated with:"
+	echo " $ ./manage-offline-container-images.sh   create"
+	echo ""
+	echo "Step(2) can be operated with:"
+	echo " $ ./manage-offline-container-images.sh   register"
+	echo ""
+	echo "Please specify 'create' or 'register'."
+	echo ""
+	exit 1
+fi
--- a/kubespray/contrib/offline/manage-offline-files.sh
+++ b/kubespray/contrib/offline/manage-offline-files.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+CURRENT_DIR=$( dirname "$(readlink -f "$0")" )
+OFFLINE_FILES_DIR_NAME="offline-files"
+OFFLINE_FILES_DIR="${CURRENT_DIR}/${OFFLINE_FILES_DIR_NAME}"
+OFFLINE_FILES_ARCHIVE="${CURRENT_DIR}/offline-files.tar.gz"
+FILES_LIST=${FILES_LIST:-"${CURRENT_DIR}/temp/files.list"}
+NGINX_PORT=8080
+
+# download files
+if [ ! -f "${FILES_LIST}" ]; then
+    echo "${FILES_LIST} should exist, run ./generate_list.sh first."
+    exit 1
+fi
+
+rm -rf "${OFFLINE_FILES_DIR}"
+rm "${OFFLINE_FILES_ARCHIVE}"
+mkdir  "${OFFLINE_FILES_DIR}"
+
+wget -x -P "${OFFLINE_FILES_DIR}" -i "${FILES_LIST}"
+tar -czvf "${OFFLINE_FILES_ARCHIVE}"  "${OFFLINE_FILES_DIR_NAME}"
+
+[ -n "$NO_HTTP_SERVER" ] && echo "skip to run nginx" && exit 0
+
+# run nginx container server
+if command -v nerdctl 1>/dev/null 2>&1; then
+    runtime="nerdctl"
+elif command -v podman 1>/dev/null 2>&1; then
+    runtime="podman"
+elif command -v docker 1>/dev/null 2>&1; then
+    runtime="docker"
+else
+    echo "No supported container runtime found"
+    exit 1
+fi
+
+sudo "${runtime}" container inspect nginx >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    sudo "${runtime}" run \
+        --restart=always -d -p ${NGINX_PORT}:80 \
+        --volume "${OFFLINE_FILES_DIR}:/usr/share/nginx/html/download" \
+        --volume "$(pwd)"/nginx.conf:/etc/nginx/nginx.conf \
+        --name nginx nginx:alpine
+fi
--- a/kubespray/contrib/offline/nginx.conf
+++ b/kubespray/contrib/offline/nginx.conf
@@ -0,0 +1,39 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+include /usr/share/nginx/modules/*.conf;
+events {
+    worker_connections 1024;
+}
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log  /var/log/nginx/access.log  main;
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+    default_type        application/octet-stream;
+    include /etc/nginx/conf.d/*.conf;
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        include /etc/nginx/default.d/*.conf;
+        location / {
+            root    /usr/share/nginx/html/download;
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_localtime on;
+        }
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+}
--- a/kubespray/contrib/offline/registries.conf
+++ b/kubespray/contrib/offline/registries.conf
@@ -0,0 +1,8 @@
+[registries.search]
+registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
+
+[registries.insecure]
+registries = ['HOSTNAME:5000']
+
+[registries.block]
+registries = []
				`@@ -0,0 +1 @@`
				`{ "insecure-registries":["HOSTNAME:5000"] }`