github.com/apprenda/kismatic@v1.12.0/docs/disconnected_install.md

# Disconnected Installation

Certain organizations need to run Kubernetes clusters in air-gapped environments, and thus need to perform an installation that is completely disconnected from the internet. The process of performing an installation on nodes with no internet access is called a disconnected installation.

Being disconnected means that you will not use public repositories or registries to get binaries to your nodes. Instead, before performing the installation, you will sync a local package repository and container image registry with the packages and images required to operate a Kubernetes cluster.

- [Prerequisites](#prerequisites)
- [Planning the installation](#planning-the-installation)
- [Installing the cluster](#installing-the-cluster)
- [Upgrading your cluster](#upgrading-your-cluster)
- [Creating a local package repository](#creating-a-local-package-repository)
  - [CentOS](#centos-7)
  - [RHEL 7](#rhel-7)
  - [Ubuntu 16.04](#ubuntu-1604)
- [Seeding a local container registry](#seeding-a-local-container-registry)

## Prerequisites

* Local package repository that is accessible from all nodes. This repository must include the Kubernetes software packages and their transitive dependencies.

* The local package repository must be configured on all nodes.

* Package repositories that are not accessible should be disabled or removed.
  Otherwise, the package manager will attempt to download metadata from these
  inaccessible repositories, and the installation will fail.

* Local docker registry that is accessible from all nodes.
  This registry must be seeded with the images required for the installation. See [Seeding a local container registry](#seeding-a-local-container-registry).
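To check the first three prerequisites on a CentOS/RHEL node before running `kismatic install apply`, here is an added example (not part of the KET documentation or the kismatic project). It audits a yum `.repo` file: every enabled section must be served from the local mirror and must keep `gpgcheck=1` with a `gpgkey`. The mirror hostname `rpm-mirror.example.com` and the repository layout are taken from the CentOS section below; the sample `.repo` content is constructed.

```shell
# Added example, not part of the KET docs or the kismatic project: audit a yum
# .repo file on a disconnected node. Every enabled section must point at the
# local mirror host and keep gpgcheck=1 with a gpgkey, as configured below.
# Reads .repo content on stdin, prints one finding per line, always exits 0.
audit_repo_stdin() {
    awk -v mirror="$1" '
    function flush(   host, en) {
        if (id == "") return
        en = ("enabled" in kv) ? kv["enabled"] : "1"        # yum default is enabled
        if (en != "1") return
        host = kv["baseurl"]; sub(/^[a-z]+:\/\//, "", host); sub(/[\/:].*$/, "", host)
        if (host != mirror) printf "%s: not served from %s (baseurl=%s)\n", id, mirror, kv["baseurl"]
        if (kv["gpgcheck"] != "1") printf "%s: gpgcheck is not 1\n", id
        if (kv["gpgkey"] == "") printf "%s: no gpgkey configured\n", id
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }              # comments and blank lines
    /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); split("", kv); next }
    {   eq = index($0, "="); if (eq == 0) next                 # skips indented gpgkey continuations
        key = substr($0, 1, eq - 1); sub(/[[:space:]]+$/, "", key)
        val = substr($0, eq + 1); sub(/^[[:space:]]+/, "", val); kv[key] = val }
    END { flush() }'
}

# File wrapper: non-zero exit when anything is flagged, so it can gate the install.
audit_repo_file() {
    findings=$(audit_repo_stdin "$2" < "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"; return 1
}

# Constructed sample: a correct mirror repo, a leftover upstream repo, a mirror
# repo with GPG verification switched off, and a disabled repo that is ignored.
SAMPLE_REPO='[base]
baseurl=http://rpm-mirror.example.com/base
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[kubernetes]
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
[docker]
baseurl=http://rpm-mirror.example.com/docker
gpgcheck=0
[extras]
baseurl=http://mirror.centos.org/centos/7/extras/x86_64/
enabled=0'
printf '%s\n' "$SAMPLE_REPO" | audit_repo_stdin rpm-mirror.example.com
```

Run `audit_repo_file` over each file in `/etc/yum.repos.d/` on every node; a non-zero exit means a repository still points upstream or has signature checking switched off.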

## Planning the installation
Before executing the validation or installation stages, you must let KET know that
it should perform a disconnected installation. The following plan file options
must be considered:

**disconnected_installation**: This field must be set to `true` when performing a
disconnected installation. When `true`, KET will:
1. Not configure the upstream package repositories. Instead, KET will assume that the
   internal repositories have been configured on all nodes.
2. Use the local image registry for cluster components, instead of pulling them from
   Docker Hub, GCR, or other public registries.

**disable_package_installation**: In most cases, KET is responsible for installing the required packages onto the cluster nodes. If, however, you want to control the installation of the packages, you can set this flag to `true` to prevent KET from installing the packages. More importantly, disabling package installation will enable a set of preflight checks that will ensure the packages have been installed on all nodes.

## Installing the cluster

Once the relevant options in the plan file have been set, and the local repository and local registry have been stood up, you are ready to perform the disconnected installation.

At this point, you can run `kismatic install apply` to initiate the installation.

## Upgrading your cluster
Before performing a cluster upgrade, you must:
- Update your local package repository to include the new packages.
- Seed your local registry using the new version of KET.

# Creating a local package repository

## CentOS 7

### Install required utilities
We will use `reposync` to download the packages from upstream repositories, and `httpd` to expose our local repository over HTTP.

```
yum install yum-utils httpd createrepo
```

### Set up the upstream repositories

The kubernetes, docker and gluster RPM repositories must be configured on the node to pull the packages.

```
# Add docker repo
sudo bash -c 'cat <<EOF > /etc/yum.repos.d/docker.repo
[docker]
name=Docker
baseurl=https://download.docker.com/linux/centos/7/x86_64/stable/
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://download.docker.com/linux/centos/gpg
EOF'

# Add Kubernetes repo
sudo bash -c 'cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF'

# Add Gluster repo
sudo bash -c 'cat <<EOF > /etc/yum.repos.d/gluster.repo
[gluster]
name=Gluster
baseurl=http://buildlogs.centos.org/centos/7/storage/x86_64/gluster-3.8/
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://download.gluster.org/pub/gluster/glusterfs/3.8/3.8.7/rsa.pub
EOF'

# Clean yum cache
yum clean all
```

### Download the RPMs using reposync
Sync the desired packages to the local machine, and place them in `/var/www/html`.

```
reposync -l -p /var/www/html/ -r base -r updates -r docker -r gluster

# The kubernetes repo is special as it places the packages in an unexpected location.
reposync -l -p /var/www/html -r kubernetes
mv /var/www/pool/* /var/www/html/kubernetes/
rmdir /var/www/pool
```

### Create a repository
Now that we have the RPMs locally, we must generate the metadata files required for the repository.

```
for repo in `ls /var/www/html`
do
  createrepo /var/www/html/$repo
done
```

### Start Apache server
We will use the Apache HTTP server for exposing the repository over HTTP.
```
systemctl enable httpd
systemctl start httpd
```

### Configure nodes
With this approach, we created five mirrors on the same machine
that must be configured on the nodes:
* `/base`
* `/updates`
* `/docker`
* `/kubernetes`
* `/gluster`

For example, to configure the base repository that has been created on a machine with hostname
`rpm-mirror.example.com`, you can create the file `/etc/yum.repos.d/base.repo`
with the following:
```
[base]
name=Base
baseurl=http://rpm-mirror.example.com/base
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
```

The above configuration file must be created for all the repository mirrors listed.

## RHEL 7
Creating a mirror for nodes that are running RHEL is fairly similar to the process
described for CentOS. However, depending on your RHEL distribution, the "base" and
"updates" mirror will differ.

The RHEL 7 AMI on AWS, for example, uses `rhui-REGION-rhel-server-releases` as the
repo ID for the RedHat repository.

## Ubuntu 16.04

### Pre-requisites
* GPG Private Key is required to sign the repositories. The generation and management
  of the key is outside of the scope of this document. This is a [handy cheatsheet](http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/).

### Install required utilities
We will use [aptly](https://www.aptly.info) to mirror and serve the repository.

```
echo "deb http://repo.aptly.info/ squeeze main" >> /etc/apt/sources.list
wget -qO - https://www.aptly.info/pubkey.txt | sudo apt-key add -

apt-get -y update
apt-get -y install aptly
```

### Create snapshot of the docker repository
```
wget -O - https://download.docker.com/linux/ubuntu/gpg | gpg --no-default-keyring --keyring trustedkeys.gpg --import
aptly -architectures="amd64" mirror create docker https://download.docker.com/linux/ubuntu xenial stable
aptly mirror update docker
aptly snapshot create docker from mirror docker
```

### Create snapshot of the kubernetes repository
```
wget -O - https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --no-default-keyring --keyring trustedkeys.gpg --import
aptly mirror create kubernetes https://packages.cloud.google.com/apt/ kubernetes-xenial main
aptly mirror update kubernetes
aptly snapshot create kubernetes from mirror kubernetes
aptly publish snapshot kubernetes
```

### Create snapshot of the Ubuntu repository

Note: The filter parameter might have to change, depending on what is available on the
Ubuntu image you are using.

```
gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver keys.gnupg.net --recv-keys 40976EAF437D05B5 3B4FE6ACC0B21F32
aptly mirror create \
  -architectures=amd64 \
  -filter="bridge-utils|nfs-common|socat|libltdl7|python2.7|python-apt|ebtables|libaio1|libibverbs1|libpython2.7|librdmacm1|liburcu4|attr" \
  -filter-with-deps \
  ubuntu-main http://archive.ubuntu.com/ubuntu xenial main universe
aptly mirror update ubuntu-main
aptly snapshot create ubuntu-main from mirror ubuntu-main
```

### Create a snapshot of the Gluster repository
```
gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver keyserver.ubuntu.com --recv-keys 3FE869A9
aptly mirror create gluster ppa:gluster/glusterfs-3.8
aptly mirror update gluster
aptly snapshot create gluster from mirror gluster
```

### Merge ubuntu, gluster and docker snapshots
```
aptly snapshot merge xenial-repo ubuntu-main gluster docker
aptly publish snapshot xenial-repo
```

### Serve the mirrors
```
# Serve the repositories. The [Install] section is required for
# "systemctl enable" to register the unit at boot.
cat <<EOF > /etc/systemd/system/aptly.service
[Unit]
Description=aptly repository server

[Service]
Type=simple
ExecStart=/usr/bin/aptly serve -listen=:80
User=root

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable aptly
systemctl start aptly
```

### Configure nodes
The mirror must be configured on all nodes of the cluster, and any repository
that is not available from the node must be disabled.

Sample `/etc/apt/sources.list`:
```
deb http://mirror.example.com xenial main
deb http://mirror.example.com kubernetes-xenial main
deb [arch=amd64] http://mirror.example.com xenial stable
```

## Seeding a local container registry

The local registry must contain all the required images before installing the cluster.
The `seed-registry` command can be used to seed the registry with the images, or to
obtain a list of all the required images.

For more information about using a local registry, see the [Container Image Registry](./container-registry.md)
documentation.