50 Prepare downstream cluster image for air-gap scenarios #
Edge Image Builder (Chapter 12, Edge Image Builder) is used to prepare a modified SLEMicro base image which is provisioned on downstream cluster hosts.
Much of the configuration is possible with Edge Image Builder, but in this guide, we cover the minimal configurations necessary to set up the downstream cluster for air-gap scenarios.
50.1 Prerequisites for air-gap scenarios #
A container runtime such as Podman or Rancher Desktop is required to run Edge Image Builder.
The base image will be built using the following guide Chapter 64, Building Updated SUSE Linux Micro Images with Kiwi with the profile
Base(orBase-RTfor the Real-Time kernel). The process is the same for both architectures (x86-64 and aarch64).If you want to use SR-IOV or any other workload which require a container image, a local private registry must be deployed and already configured (with/without TLS and/or authentication). This registry will be used to store the images and the helm chart OCI images.
It is required to use a build host with the same architecture of the images being built. In other words, to build an aarch64 image, it is required to use an aarch64 build host, and vice-versa for x86-64 (cross-builds are not supported at this time).
50.2 Image configuration for air-gap scenarios #
When running Edge Image Builder, a directory is mounted from the host, so it is necessary to create a directory structure to store the configuration files used to define the target image.
downstream-cluster-airgap-config.yamlis the image definition file, see Chapter 5, Standalone clusters with Edge Image Builder for more details.The base image folder will contain the output raw image generated following the guide Chapter 64, Building Updated SUSE Linux Micro Images with Kiwi with the profile
Base(orBase-RTfor the Real-Time kernel) must be copied/moved under thebase-imagesfolder.The
networkfolder is optional, see Section 49.2.6, “Additional script for Advanced Network Configuration” for more details.The
custom/scriptsdirectory contains scripts to be run on first-boot:01-fix-growfs.shscript is required to resize the OS root partition on deployment.02-airgap.shscript is required to copy the images to the right place during the image creation process for air-gapped environments.03-performance.shscript is optional and can be used to configure the system for performance tuning.04-sriov.shscript is optional and can be used to configure the system for SR-IOV.
The
custom/filesdirectory contains therke2and thecniimages to be copied to the image during the image creation process. Also, the optionalperformance-settings.shandsriov-auto-filler.shfiles can be included.The
os-filesfolder contains the necessary configuration files to load, at each node boot, thesctpandvfio-pcikernel modules with the required options.
├── downstream-cluster-airgap-config.yaml
├── base-images
│ └── SL-Micro.x86_64-6.2-Base-GM.raw
├── custom
│ ├── files
│ │ ├── install.sh
│ │ ├── rke2-images-cilium.linux-amd64.tar.zst
│ │ ├── rke2-images-core.linux-amd64.tar.zst
│ │ ├── rke2-images-multus.linux-amd64.tar.zst
│ │ ├── rke2-images.linux-amd64.tar.zst
│ │ ├── rke2-images-traefik.linux-amd64.tar.zst
│ │ ├── rke2.linux-amd64.tar.zst
│ │ ├── sha256sum-amd64.txt
│ │ ├── performance-settings.sh
│ │ └── sriov-auto-filler.sh
│ └── scripts
│ ├── 01-fix-growfs.sh
│ ├── 02-airgap.sh
│ ├── 03-performance.sh
│ └── 04-sriov.sh
├── network
│ └── configure-network.sh
└── os-files
└── etc
├── modprobe.d
│ └── vfio-pci-options.conf
└── modules-load.d
├── sctp.conf
└── vfio-pci.conf50.2.1 Downstream cluster image definition file #
The downstream-cluster-airgap-config.yaml file is the main configuration file for the downstream cluster image and the content has been described in the previous section (Section 49.2.5, “Additional configuration for Telco workloads”).
50.2.2 Growfs script #
Currently, a custom script (custom/scripts/01-fix-growfs.sh) is required to grow the file system to match the disk size on first-boot after provisioning. The 01-fix-growfs.sh script contains the following information:
#!/bin/bash
growfs() {
mnt="$1"
dev="$(findmnt --fstab --target ${mnt} --evaluate --real --output SOURCE --noheadings)"
# /dev/sda3 -> /dev/sda, /dev/nvme0n1p3 -> /dev/nvme0n1
parent_dev="/dev/$(lsblk --nodeps -rno PKNAME "${dev}")"
# Last number in the device name: /dev/nvme0n1p42 -> 42
partnum="$(echo "${dev}" | sed 's/^.*[^0-9]\([0-9]\+\)$/\1/')"
ret=0
growpart "$parent_dev" "$partnum" || ret=$?
[ $ret -eq 0 ] || [ $ret -eq 1 ] || exit 1
/usr/lib/systemd/systemd-growfs "$mnt"
}
growfs /50.2.3 Air-gap script #
The following script (custom/scripts/02-airgap.sh) is required to copy the images to the right place during the image creation process:
#!/bin/bash
# create the folder to extract the artifacts there
mkdir -p /opt/rke2-artifacts
mkdir -p /var/lib/rancher/rke2/agent/images
# copy the artifacts
cp install.sh /opt/
cp rke2-images*.tar.zst rke2.linux-amd64.tar.gz sha256sum-amd64.txt /opt/rke2-artifacts/50.2.4 Performance script #
The following optional script (custom/scripts/03-performance.sh) can be used to configure the system for performance tuning:
#!/bin/bash
# create the folder to extract the artifacts there
mkdir -p /opt/performance-settings
# copy the artifacts
cp performance-settings.sh /opt/performance-settings/The content of custom/files/performance-settings.sh is a script that can be used to configure the system for performance tuning and can be downloaded from the following link.
50.2.5 SR-IOV script #
The following optional script (custom/scripts/04-sriov.sh) can be used to configure the system for SR-IOV:
#!/bin/bash
# create the folder to extract the artifacts there
mkdir -p /opt/sriov
# copy the artifacts
cp sriov-auto-filler.sh /opt/sriov/sriov-auto-filler.shThe content of custom/files/sriov-auto-filler.sh is a script that can be used to configure the system for SR-IOV and can be downloaded from the following link.
50.2.6 Telco required kernel modules #
As described for the non-airgap scenario in section (Section 49.2.7, “Telco required kernel modules”).
50.2.7 Preparing the air-gap artifacts #
The following steps are required to prepare the air-gap artifacts using the release container image in order to populate a registry with the specific version artifacts. It handles RKE2 tarball generation, Helm chart OCI mirroring, and container image mirroring in a single command — no separate scripts are needed.
If your private registry requires authentication, create a registry auth file with base64-encoded credentials:
$ echo -n "$(echo -n 'myusername' | base64 -w 0):$(echo -n 'mypassword' | base64 -w 0)" > registry-auth.txtIf you use a Rancher Apps chart repository (required for Longhorn and Rancher-sourced charts), create a Rancher Apps auth file:
$ echo -n "$(echo -n 'myusername@apps.rancher.io' | base64 -w 0):$(echo -n 'mypassword' | base64 -w 0)" > rancher-apps-auth.txt(Optional) If you want to mirror SUSE Private Registry artifacts (Harbor charts/images), create a SUSE Private Registry auth file using your
SCC mirroring credentialsretrieved following the SUSE Private Registry documentation:$ echo -n "$(echo -n 'SUSE_REGISTRY_USERNAME' | base64 -w 0):$(echo -n 'SUSE_REGISTRY_PASSWORD' | base64 -w 0)" > suse-private-registry-auth.txtRun the
mirrorcommand using the release container image to populate your private registry with all required artifacts for a specific release version (RKE2 images, Helm chart OCI images, and container images). Place any auth files and certificates in the current directory so they are accessible inside the container via the-v ./:/opt:zbind mount.Without SUSE Private Registry (Harbor charts/images will be skipped):
$ podman run --rm \ -v ./:/opt:z \ registry.suse.com/edge/3.6/release-manifest:3.6 \ mirror \ -o /opt/output \ -a /opt/registry-auth.txt \ -c /opt/cert.pem \ -r ${REGISTRY_IP}:5000 \ --rancher-apps-authfile /opt/rancher-apps-auth.txt \ --debugwhere
${REGISTRY_IP}is the IP address of the registry instance to populate.With SUSE Private Registry:
$ podman run --rm \ -v ./:/opt:z \ registry.suse.com/edge/3.6/release-manifest:3.6 \ mirror \ -o /opt/output \ -a /opt/registry-auth.txt \ -c /opt/cert.pem \ -r ${MGMT_CLUSTER_REGISTRY_IP}:5000 \ --rancher-apps-authfile /opt/rancher-apps-auth.txt \ --suse-private-registry-authfile /opt/suse-private-registry-auth.txt \ --debugwhere
${MGMT_CLUSTER_REGISTRY_IP}is the reserved static IP address given to the SUSE Private Registry instance deployed in the Management cluster, as described in the previous section (Section 30.3, “Modifications in the kubernetes folder”).Copy the generated RKE2 artifacts from the output directory (
/opt/output`in the example) to the `custom/filesfolder to be consumed by EIB for Downstream clusters during the build process:$ cp output/rke2-images*.tar.zst custom/files/ $ cp output/rke2.linux-amd64.tar.gz custom/files/ $ cp output/sha256sum-amd64.txt custom/files/
The release container image already bundles /release_manifest.yaml and /release_images.yaml internally, so no additional manifest files need to be provided.
For full flag reference and advanced usage, see the seactl documentation.
50.3 Image creation for air-gap scenarios #
Once the directory structure is prepared following the previous sections, run the following command to build the image:
podman run --rm --privileged -it -v $PWD:/eib \
registry.suse.com/edge/3.6/edge-image-builder:1.3.3.1 \
build --definition-file downstream-cluster-airgap-config.yamlThis creates the output ISO image file named eibimage-output-telco.raw, based on the definition described above.
The output image must then be made available via a webserver, either the media-server container enabled via the Management Cluster Documentation (Note)
or some other locally accessible server. In the examples below, we refer to this server as imagecache.local:8080.