How to install rke2 selinux on airgapped environments

News Knowledge Base
,
1

How to install rke2 selinux on airgapped environments

Issue Description

This guide provides step-by-step instructions for installing the rke2 selinux package on air-gapped environments. The process includes setting up a local repository using a URL defined in the yum.conf file, downloading the necessary packages on a machine with internet access, and transferring them to the air-gapped environment.

Historically the RKE2 upstream did not package this in airgapped installs. In most cases its not needed. However if encountering errors related to selinux and the instance is airgapped, this article may be relevant. This is planned to be installed by default in future versions (check release notes).

Prerequisites

  • A machine with internet access for downloading the packages
    • If an airgapped machine is not available, the file can be requested from UiPath support.
    • Just provide the output of the command: kubectl get nodes -o wide to UiPath Support so that the version can be checked.
  • An airgapped machine where rke2 will be installed.
  • Embedded Automation Suite Instance (this does not apply to AKS, EKS or Openshift).

Steps

  1. Check if selinux is already installed.
    1. Login to the Automation Suite machine
    2. Run: rpm -qa | grep rke2-selinux
    3. If this returns nothing rke2-selinux is not installed and this article is relevant
    4. If it is installed and there is some issue that seems selinux related, raise a support ticket with a support bundle.
  2. Getting the RPM file:
    1. Get the version of rke2 present in the airgapped instance: 
      1. kubectl get nodes -o wide
      2. Example: 
        1. NAME        STATUS   ROLES                       AGE     VERSION          INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                               KERNEL-VERSION              CONTAINER-RUNTIME
autosuite   Ready    control-plane,etcd,master   2y19d   v1.30.5+rke2r1   99.99.99.99           Red Hat Enterprise Linux 8.5 (Ootpa)   4.18.0-425.3.1.el8.x86_64   containerd://1.7.21-k3s2
        2. In the above output the version is 1.30 with the RKE2-MINOR version being 30.
    2. Get the redhat version: 
      1.  cat /etc/os-release
      2. Example: 
        1. [root@autosuite ~]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

          REDHAT_BUGZILLA_PRODUCT=“Red Hat Enterprise Linux 8”
          
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
          
REDHAT_SUPPORT_PRODUCT=“Red Hat Enterprise Linux”
          
REDHAT_SUPPORT_PRODUCT_VERSION=“8.5”

      3. In the example the LINUX_MAJOR is 8.
    3. On the non-airgapped instance setup the yum repo file. Make sure to update the script to have the correct RKE2_MINOR and LINUX_MAJOR 
      1. export RKE2_MINOR=XX
export LINUX_MAJOR=XX 

        cat << EOF > /etc/yum.repos.d/rancher-rke2-1-${RKE2_MINOR}-latest.repo
        
[rancher-rke2-common-latest]
        
name=Rancher RKE2 Common Latest
        
baseurl=https://rpm.rancher.io/rke2/latest/common/centos/${LINUX_MAJOR}/noarch
        
enabled=1
        
gpgcheck=1
        
gpgkey=https://rpm.rancher.io/public.key
        

        [rancher-rke2-1-${RKE2_MINOR}-latest]
        
name=Rancher RKE2 1.${RKE2_MINOR} Latest
        
baseurl=https://rpm.rancher.io/rke2/latest/1.${RKE2_MINOR}/centos/${LINUX_MAJOR}/x86_64
        
enabled=1
        
gpgcheck=1
        
gpgkey=https://rpm.rancher.io/public.key
        
EOF

    4. Download the rpm file: 
      1. sudo yum install --downloadonly --downloaddir=./rke2-selinux-packages rke2-selinux
    5. The download should only have one file. Transfer this file to each of the airgapped instances.
  3. Once the file has been moved to the airgapped machines, doing one node at a time follow these steps:
    1. Stop the node being updated (Nodes are stopped as the rke2-selinux file needs to label the files which is faster if the workloads are not running): 
      1. export PATH="$PATH:/usr/local/bin:/var/lib/rancher/rke2/bin"
systemctl stop node-drain
rke2-killall.sh
    2. Install the package 
      1. sudo rpm -ivh
    3. Start backup the workloads 
      1. systemctl start rke2-server || systemctl start rke2-agent
systemctl restart node-uncordon
systemctl start node-drain.service
    4. Repeat on the remaining nodes.