Closed MozeBaltyk closed 1 year ago
Ah. Testing a change in the script on rocky 8 now.
Just curious @MozeBaltyk do you have an updated satellite on the air gap? The error says you need an updated container-selinux package.
The script is updated and will select which el you are using.
> Just curious @MozeBaltyk do you have an updated satellite on the air gap? The error says you need an updated container-selinux package.
>
> the script is updated and will select which el you are using.

That's right, I have a Satellite with the classic repositories for RHEL 8, synced once a week:

```
dnf repolist all
Updating Subscription Management repositories.
repo id repo name status
rhel-8-for-x86_64-appstream-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) enabled
rhel-8-for-x86_64-baseos-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs) enable
```

I have the container-selinux package already installed:

```
dnf info container-selinux
Updating Subscription Management repositories.
Last metadata expiration check: 2:39:57 ago on Mon Nov 20 14:51:22 2023.
Installed Packages
Name : container-selinux
Epoch : 2
Version : 2.205.0
Release : 2.module+el8.8.0+18438+15d3aa65
Architecture : noarch
Size : 62 k
Source : container-selinux-2.205.0-2.module+el8.8.0+18438+15d3aa65.src.rpm
Repository : @System
From repo : rhel-8-for-x86_64-appstream-rpms
Summary : SELinux policies for container runtimes
URL : https://github.com/containers/container-selinux
License : GPLv2
Description : SELinux policy modules for use with container runtimes.
```

```
dnf install container-selinux
Updating Subscription Management repositories.
Last metadata expiration check: 2:39:22 ago on Mon Nov 20 14:51:22 2023.
Package container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
```

But I assume that the package rke2-selinux-0.14-1.el9.noarch expects container-selinux in epoch 3...
Am I missing some repos?
Here is my RHEL version, up to date:

```
cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.8 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.8 (Ootpa)"
```

If I take a look at my oracle_linux, I get the same version of container-linux:

```
➜ ~ dnf info container-selinux
Oracle Linux 8 BaseOS Latest (x86_64) 1.2 MB/s | 64 MB 00:52
Oracle Linux 8 Application Stream (x86_64) 1.4 MB/s | 50 MB 00:36
Last metadata expiration check: 0:00:13 ago on Mon 20 Nov 2023 05:47:19 PM CET.
Installed Packages
Name : container-selinux
Epoch : 2
Version : 2.205.0
Release : 2.module+el8.8.0+21045+adcb6a64
Architecture : noarch
Size : 62 k
Source : container-selinux-2.205.0-2.module+el8.8.0+21045+adcb6a64.src.rpm
Repository : @System
From repo : ol8_appstream
Summary : SELinux policies for container runtimes
URL : https://github.com/containers/container-selinux
License : GPLv2
Description : SELinux policy modules for use with container runtimes.
```

In the airgap script, the build function specifies el9 for two packages; if I change it to el8 in the build and install process, then it works:

```bash
function build () {
  # [...]
  echo - download rke, rancher and longhorn
  # from https://docs.rke2.io/install/airgap
  curl -#OL https://github.com/rancher/rke2/releases/download/v$RKE_VERSION%2Brke2r1/rke2-images.linux-amd64.tar.zst
  curl -#OL https://github.com/rancher/rke2/releases/download/v$RKE_VERSION%2Brke2r1/rke2.linux-amd64.tar.gz
  curl -#OL https://github.com/rancher/rke2/releases/download/v$RKE_VERSION%2Brke2r1/sha256sum-amd64.txt
  curl -#OL https://github.com/rancher/rke2-packaging/releases/download/v$RKE_VERSION%2Brke2r1.stable.0/rke2-common-$RKE_VERSION.rke2r1-0.el9.x86_64.rpm
  curl -#OL https://github.com/rancher/rke2-selinux/releases/download/v0.14.stable.1/rke2-selinux-0.14-1.el9.noarch.rpm
  # [...]
}
```

Check and see you have the latest version. https://github.com/clemenko/rke_airgap_install/blob/main/air_gap_all_the_things.sh#L44 has the fix.
@MozeBaltyk did that work?
Yes, it was working. (To be honest, I changed it manually in the URL, but I tested the rpm command from the script.)
One more suggestion would be to give the firewalld commands; they could be associated with a condition: if firewalld is activated, then run:

```bash
# Master
firewall-cmd --zone=public --new-service=rke2 --permanent
firewall-cmd --zone=public --service=rke2 --add-port=443/tcp --permanent
firewall-cmd --zone=public --service=rke2 --add-port=6443/tcp --permanent
firewall-cmd --zone=public --service=rke2 --add-port=9345/tcp --permanent
firewall-cmd --zone=public --service=rke2 --add-port=10250/tcp --permanent
firewall-cmd --zone=public --service=rke2 --add-port=8472/udp --permanent
firewall-cmd --zone=public --add-service=rke2 --permanent
firewall-cmd --reload

# Worker
firewall-cmd --zone=public --new-service=rke2 --permanent
firewall-cmd --zone=public --service=rke2 --add-port=10250/tcp --permanent
firewall-cmd --zone=public --service=rke2 --add-port=8472/udp --permanent
firewall-cmd --zone=public --add-service=rke2 --permanent
firewall-cmd --reload
```

Thanks a lot for your reactivity. I am not in the same timezone; that's why there was some delay in my answers. ;) I am thinking that, when I have time, I may turn your script into Ansible roles for the benefit of idempotency...
Thanks for the idea. I always recommend disabling the software firewalls. :D
> Thanks for the idea. I always recommend disabling the software firewalls. :D

I say the same about SELinux :P
lol. I think it is less intrusive. :D Let me know if you run into any other issues!
The packager server is an Oracle 8.7; the tarball is then exported to a RHEL 8.8.
It seems that the tarball contains RPMs for RHEL 9. It would be nice to add a condition to detect the packager OS and then fetch according to the OS version...
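
One way to implement the check suggested above, as an added example that is not the project's script: read the EL major version from `PLATFORM_ID` in os-release and substitute it into the two RPM URLs that `build()` hardcodes as el9. The function names and the `EL_OVERRIDE` variable are hypothetical, and `X.Y.Z` is a placeholder for a real RKE2 version.

```shell
#!/usr/bin/env bash
# Added example, not the project's script. Function names and EL_OVERRIDE are
# hypothetical; X.Y.Z stands in for a real RKE2 version.

# Print the EL major version found in an os-release file (default: this host).
el_major() {
  local file="${1:-/etc/os-release}"
  local major
  # Matches lines such as PLATFORM_ID="platform:el8" (see the RHEL 8.8 output above).
  major=$(sed -n 's/^PLATFORM_ID="\{0,1\}platform:el\([0-9][0-9]*\)"\{0,1\}$/\1/p' "$file")
  if [ -z "$major" ]; then
    echo "no platform:elN in $file, refusing to guess" >&2
    return 1
  fi
  echo "$major"
}

# The build host may differ from the air-gapped target, so an explicit
# EL_OVERRIDE wins over detection.
target_el() {
  if [ -n "${EL_OVERRIDE:-}" ]; then
    echo "$EL_OVERRIDE"
  else
    el_major "$@"
  fi
}

# Print the two RPM URLs from the thread's build() with the el tag substituted.
rke2_rpm_urls() {
  local rke_version="$1" el="$2"
  case "$el" in
    8|9) ;;  # only el8 and el9 packages are mentioned in this thread
    *) echo "unsupported EL major: $el" >&2; return 1 ;;
  esac
  echo "https://github.com/rancher/rke2-packaging/releases/download/v${rke_version}%2Brke2r1.stable.0/rke2-common-${rke_version}.rke2r1-0.el${el}.x86_64.rpm"
  echo "https://github.com/rancher/rke2-selinux/releases/download/v0.14.stable.1/rke2-selinux-0.14-1.el${el}.noarch.rpm"
}

# Constructed sample: the relevant lines of the RHEL 8.8 os-release shown above.
sample=$(mktemp)
printf 'ID="rhel"\nVERSION_ID="8.8"\nPLATFORM_ID="platform:el8"\n' > "$sample"
rke2_rpm_urls "X.Y.Z" "$(target_el "$sample")"
rm -f "$sample"
```

Failing closed when no `platform:elN` is found keeps a non-EL build host from silently packaging RPMs for the wrong release.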