November 2023 – 一江春水向东流

KUBERNETES

kubernetes使用本地磁盘进行动态管理pv

前言使用本地磁盘作为pv kubernetes从1.10版本开始支持local volume（本地卷），workload（不仅是statefulsets类型）可以充分利用本地磁盘的优势，从而获取比remote volume（如nas, nfs, cephfs、RBD）更好的性能。在local volume出现之前，statefulsets也可以利用本地磁盘，方法是配置hostPath，并通过nodeSelector或者nodeAffinity绑定到具体node上。但hostPath的问题是，管理员需要手动管理集群各个node的目录，不太方便。以上无论是hostPath还是local volume都不支持动态扩容，并且程序移植改动比较大。由于项目的需要，需要支持动态创建和扩容pv/pvc 本文参考了以下两个开源项目： https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner https://github.com/rancher/local-path-provisioner 经过测试： kubernetes-sigs版不支持动态扩容/动态供给dynamically provisioning，而且需要提前手动在node节点上创建并且mount对应的挂载点。 Rancher版本的local-path-provisioner支持动态创建挂载点，动态创建pv 下面两种方法都介绍一下安全和使用方式，最后推荐使用第三章介绍的local-path-provisioner来进行动态创建pv 第一章使用sig-storage-local-static-provisioner 1.1 拉取官方源码进行安装

git clone https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner.git
cd sig-storage-local-static-provisioner/
git checkout tags/v2.6.0 -b v2.6.0
helm template ./helm/provisioner -f ./helm/provisioner/values.yaml > local-volume-provisioner.generated.yaml
kubectl create -f local-volume-provisioner.generated.yaml

git clone https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner.git

cd sig-storage-local-static-provisioner/

git checkout tags/v2.6.0 -b v2.6.0

helm template ./helm/provisioner -f ./helm/provisioner/values.yaml > local-volume-provisioner.generated.yaml

kubectl create -f local-volume-provisioner.generated.yaml

1.2创建storageclass

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fast-disks
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer

kind: StorageClass

apiVersion: storage.k8s.io/v1

metadata:

provisioner: kubernetes.io/no-provisioner

volumeBindingMode: WaitForFirstConsumer

1.3挂载磁盘其Provisioner本身其并不提供local volume，但它在各个节点上的provisioner会去动态的“发现”挂载点（discovery directory），当某node的provisioner在/mnt/fast-disks目录下发现有挂载点时，会创建PV，该PV的local.path就是挂载点，并设置nodeAffinity为该node。可以用以下脚本通过mount bind方式创建和挂载磁盘

#!/bin/bash
for i in $(seq 1 5); do
  mkdir -p /mnt/fast-disks-bind/vol${i}
  mkdir -p /mnt/fast-disks/vol${i}
  mount --bind /mnt/fast-disks-bind/vol${i} /mnt/fast-disks/vol${i}
done

#!/bin/bash

for i in $(seq 1 5); do

mkdir -p /mnt/fast-disks-bind/vol${i}

mkdir -p /mnt/fast-disks/vol${i}

mount --bind /mnt/fast-disks-bind/vol${i} /mnt/fast-disks/vol${i}

done

下面是在各个node节点用以上脚本创建挂载点：执行该脚本后，等待一会，执行查询pv命令，就可以发现自动创建了 1.4测试pod是否可以运行

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: local-test
spec:
  serviceName: "local-service"
  replicas: 3
  selector:
    matchLabels:
      app: local-test
  template:
    metadata:
      labels:
        app: local-test
    spec:
      containers:
      - name: test-container
        image: busybox
        command:
        - "/bin/sh"
        args:
        - "-c"
        - "sleep 100000"
        volumeMounts:
        - name: local-vol
          mountPath: /tmp
  volumeClaimTemplates:
  - metadata:
      name: local-vol
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "fast-disks"
      resources:
        requests:
          storage: 2Gi

apiVersion: apps/v1

kind: StatefulSet

metadata:

spec:

serviceName: "local-service"

replicas: 3

selector:

matchLabels:

app: local-test

template:

metadata:

labels:

app: local-test

spec:

containers:

- name: test-container

image: busybox

command:

- "/bin/sh"

args:

- "-c"

- "sleep 100000"

volumeMounts:

- name: local-vol

mountPath: /tmp

volumeClaimTemplates:

- metadata:

spec:

accessModes: [ "ReadWriteOnce" ]

storageClassName: "fast-disks"

resources:

requests:

storage: 2Gi

可以看到，三个pod都正常运行起来了：第二章使用local-path-provisioner 2.1下载yaml文件

wget https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.25/deploy/local-path-storage.yaml

1	wget https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.25/deploy/local-path-storage.yaml

2.2 修改其中有几处需要做修改 2.2.1 删除调试模式删除–debug 2.2.2修改reclaimPolicy Read more…

By sean, 6 months11/23/2023 ago

MIDDLEWARE

在 Nginx 1.25+ 中开启 HTTP/3

对于Nginx来说，在编译时需要配置对于的SSL库，不管是HTTP3.0还是HTTP2.0，始终都要基于HTTPS，而加密算法这块主要有OpenSSL来提供，而BoringSSL是谷歌创建的OpenSSL分支，用于支持TLS1.3的UDP协议0-RTT数据传输的加密算法（可以理解成TLS 1.3是标准协议，BoringSSL是实现工具），BoringSSL的一些特性会在合适的时机同步给OpenSSl。Nginx从1.25.0开始支持QUIC和HTTP/3协议。此外，从1.25.0开始，Linux二进制包中提供了QUIC和HTTP/3支持 QUIC和HTTP/3支持是实验性的安装BoringSSL证书官方推荐了3种SSL库，参考文档https://nginx.org/en/docs/quic.html 我这里使用BoringSSL 使用 BoringSSL 编译 NGINX，需要满足以下要求： gcc 版本大于6 编译BoringSSL 需要go环境支持 cmake 3版本以上升级cmake: workon py_env #yum install ninja-build pip install -U cmake 升级gcc至8：添加源：

vi /etc/yum.repos.d/CentOS-SCLo-scl.repo
[centos-sclo-sclo]
name=CentOS-7 - SCLo sclo
baseurl=http://mirror.centos.org/centos/7/sclo/$basearch/rh/
#mirrorlist=http://mirrorlist.centos.org?arch=$basearch&release=7&repo=sclo-sclo
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-SCLo

vi /etc/yum.repos.d/CentOS-SCLo-scl.repo

[centos-sclo-sclo]

name=CentOS-7 - SCLo sclo

baseurl=http://mirror.centos.org/centos/7/sclo/$basearch/rh/

#mirrorlist=http://mirrorlist.centos.org?arch=$basearch&release=7&repo=sclo-sclo

gpgcheck=0

enabled=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-SCLo

yum install devtoolset-8 激活：source /opt/rh/devtoolset-8/enable 此时通过gcc –version命令可以看到，gcc版本已经变成8.x.x，值得注意的是这仅仅在当前bash生效，如果需要永久生效，可以请自行添加环境变量。 golang安装： wget https://golang.google.cn/dl/go1.21.4.linux-amd64.tar.gz tar -C /usr/local/ -zxvf go1.21.4.linux-amd64.tar.gz 拉取BoringSSL源码 git Read more…

By sean, 6 months11/08/2023 ago

OS

PaaS私有化产品部署离线安装源适配问题解决指南

前言最新在适配我司产品在信创操作系统各个版本上的安装，在踩了很多坑后，总结出了一套有效的适配流程，在此记录一下。由于信创国产化操作系统都是基于openEuler系统或Centos系统来的，包括系统软件包名字，release号等都修改了，在信创服务器上安装产品其实最大的工作量是需要适配跟系统相关的软件，和编译arm64版的二进制文件，尤其前一个比较难弄，因为有很多信创系统和发行版本，我们的目标是，利用一台x86_64或者arm64架构的机器来构建所有的软件源，基本思路就是：由于官方没有信创docker镜像，需要自己做，首先需要制作信创os docker镜像的流程是：启动一个容器做构建环境(如:centos) –> 配置官方源 –> 通过yum –installroot=… 来创建基本的系统目录 –> 通过tar打包系统 –> docker import做成镜像 docker run起来信创系统docker镜像用作构建环境—> 配置官方源 —通过repotrack下载–> 打包成nexus 适配细节首先是制作os docker镜像，下面是制作脚本：

#!/usr/bin/env bash

# 用法： build.sh iso文件路径
# 例如：build.sh /data/build/os_images/Kylin-Server-V10-SP3-General-Release-2303-ARM64.iso

set -e
set -o pipefail

current_dir=$(
    cd "$(dirname "$0")"
    pwd
)

source $current_dir/tools/color.sh
BUILD_TOOLS="vim vi yum net-tools curl dnf-utils createrepo iproute"

function check_command(){
    local r=0
    `command -v $1 >/dev/null 2>&1` || r=1
    return ${r}
}

install_docker(){
    rpm -qa|grep podman > /dev/null 2>&1 && yum remove -y podman
    if [ "$ARCH" == 'amd64' ]; then centos_repo='Centos-7.repo'; else centos_repo='Centos-altarch-7.repo'; fi
    curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo 
    sed -i -e 's/$releasever/7/g' -e 's/https/http/g' /etc/yum.repos.d/docker-ce.repo 
    curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/${centos_repo} 
    sed -i -e 's/$releasever/7/g' -e 's/https/http/g' /etc/yum.repos.d/CentOS-Base.repo 
    yum makecache
	yum install docker-ce docker-ce-cli containerd.io -y
	if [ $? -eq 0 ]; then
		mkdir -p /etc/systemd/system/docker.service.d
		cat > /etc/systemd/system/docker.service.d/docker-options.conf << 'EOF'
[Service]
Environment="DOCKER_OPTS= --iptables=true \
--insecure-registry=0.0.0.0/0 \
--registry-mirror=https://dockerhub.xxx.com \
--registry-mirror=https://registry.docker-cn.com \
--registry-mirror=https://mirror.aliyuncs.com \
--registry-mirror=https://docker.mirrors.ustc.edu.cn \
--data-root=/data/docker \
--log-opt max-size=50m --log-opt max-file=5"
EOF
		cat > /etc/systemd/system/docker.service << 'EOF'
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com

[Service]
Type=notify
Environment="DOCKER_STORAGE_OPTIONS=-s overlay2"
Environment=GOTRACEBACK=crash
ExecReload=/bin/kill -s HUP $MAINPID
ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT
Delegate=yes
KillMode=process
ExecStart=/usr/bin/dockerd \
          $DOCKER_OPTS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_DNS_OPTIONS
TasksMax=infinity
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=1min
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF
	systemctl daemon-reload
	systemctl enable docker
	systemctl start docker
	fi
}

create_multi_platform(){
    if ! sudo docker ps | grep buildkitd >/dev/null 2>&1 || ! sudo docker buildx ls|grep 'multi-platform'>/dev/null 2>&1; then 
        sudo docker run -it --rm --privileged tonistiigi/binfmt --install all
        if [ ! -f ~/.config/buildkit/buildkitd.toml ]; then
        sudo mkdir -p ~/.config/buildkit/
        echo 'debug = true' > ~/.config/buildkit/buildkitd.toml 
        echo 'insecure-entitlements = [ "network.host", "security.insecure" ]' >> ~/.config/buildkit/buildkitd.toml 
        echo '[registry."dockerhub.xxx.com"]' >> ~/.config/buildkit/buildkitd.toml 
        echo '  http = false' >> ~/.config/buildkit/buildkitd.toml 
        echo '  insecure = true' >> ~/.config/buildkit/buildkitd.toml
        fi
        sudo docker buildx create \
        --name multi-platform \
        --use \
        --platform linux/amd64,linux/arm64 \
        --driver docker-container \
        --driver-opt network=host \
        --buildkitd-flags '--allow-insecure-entitlement network.host' \
        --config ~/.config/buildkit/buildkitd.toml
    fi
}

main(){
    cd ${current_dir}
    image_repo=$(find repos/online -name "*$image_name*$image_version*.repo")
    for arch in $image_arch; do
        if [ ! -z "$iso_path" ]; then
            iso_file=$(basename $iso_path)
            iso_dir=$(echo $iso_file|sed 's/.iso//g')
            iso_mount_dir=/mnt/$iso_dir
            [ ! -d "$iso_mount_dir" ] && mkdir -p $iso_mount_dir || (umount -f $iso_mount_dir || true)
            mount "$iso_path" $iso_mount_dir
            cat > repos/local.repo << EOF
[local]
name=local repo
baseurl= file://$iso_mount_dir
enable=1
gpgcheck=0
priority=1
EOF
        fi

        target=${image_name}_${image_version}_${arch}
        target_image=${image_name}:${image_version}-${arch}
        # docker pull --platform linux/$arch centos
        # docker pull --platform linux/$arch dockerhub.xxx.com/os/centos:8
        docker pull dockerhub.xxx.com/os/centos:8-${arch}
        docker rm -f centos_${target} > /dev/null 2>&1 || true

        if [ ! -z "$iso_path" ]; then
            extra_arg="-v $iso_mount_dir:$iso_mount_dir"
        fi

        docker run -d --name centos_${target} --network host \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v ${current_dir}:/opt/os \
            ${extra_arg} \
            dockerhub.xxx.com/os/centos:8-${arch} \
            sleep 100000

        docker exec centos_${target} bash -c "\
            rm -rf /etc/yum.repos.d/*; \
            if [ ! -z "$iso_path" ]; then \
                cp /opt/os/repos/local.repo /etc/yum.repos.d/local.repo; \
            fi; \
            cp /opt/os/$image_repo /etc/yum.repos.d/$(basename $image_repo); \           
            if [ "$image_name" == "kylin" ]; then \
                cp /opt/os/repos/online/kylin/RPM-GPG-KEY-kylin /etc/pki/rpm-gpg/RPM-GPG-KEY-kylin; \
            elif [ "$image_name" == "uos" ]; then \
                mkdir -p /opt/os/${target}/etc/dnf/vars;\
                cp /opt/os/repos/online/uos/uos-auth-u /etc/dnf/vars/uos-auth-u; \
                cp /opt/os/repos/online/uos/uos-auth-p /etc/dnf/vars/uos-auth-p; \
                cp /opt/os/repos/online/uos/uos-auth-u /opt/os/${target}/etc/dnf/vars/uos-auth-u; \
                cp /opt/os/repos/online/uos/uos-auth-p /opt/os/${target}/etc/dnf/vars/uos-auth-p; \
                if [ "$image_version" == "20-1060e" ]; then \
                    echo 'ufu' > /etc/dnf/vars/StateMode; \
                    echo 'ufu' > /opt/os/${target}/etc/dnf/vars/StateMode; \
                fi; \
            fi; \
            yum clean all; yum makecache; \
            yum -y --installroot=/opt/os/${target} install $BUILD_TOOLS \
            "

        cp /etc/skel/.bash* $current_dir/${target}/root/ 
        echo "" > $current_dir/${target}/root/.bash_history
        rm -rf $current_dir/${target}/core.*

        tar -cvpf ${target}.tar --directory=$current_dir/${target} --exclude=proc --exclude=sys --exclude=dev --exclude=run --exclude=boot .
        
        # check_command docker || install_docker
        # create_multi_platform
        cat ${target}.tar | docker import - $target_image

        #5. 运行镜像，测试镜像是否能正常使用
        docker run --rm --tty $target_image /bin/bash -c 'echo $(grep 'PRETTY_NAME' /etc/os-release) $(uname -m) builded success!!!'
        # clean
        docker rm -f centos_${target}
        umount -f $iso_mount_dir
        rm -rf ${target} ${target}.tar

        if [ $? -ne 0 ]; then
            errorlog "$target_image build Failed!!!!"
            exit
        else
            successlog "$target_image build successfull !"
        fi
    done

    if [ "$push" == "true" ]; then 
        for arch in $image_arch; do
            registry_image="$registry/${image_name}:${image_version}"
            docker tag ${image_name}:${image_version}-${arch} ${registry_image}-${arch}
            docker push ${registry_image}-${arch}
        done
        if [[ "$image_arch" == "amd64 arm64" ]] || \
          (docker images|awk '{print $1":"$2}'|grep ${registry_image}-amd64 >/dev/null 2>&1 && \
           docker images|awk '{print $1":"$2}'|grep ${registry_image}-arm64 >/dev/null 2>&1); then
            docker manifest rm ${registry_image} || true
            docker manifest create --insecure ${registry_image} ${registry_image}-amd64 ${registry_image}-arm64
            docker manifest annotate ${registry_image} ${registry_image}-amd64 --os linux --arch amd64
            docker manifest annotate ${registry_image} ${registry_image}-arm64 --os linux --arch arm64 --variant v8
            docker manifest push --insecure ${registry_image}
            if [ $? -ne 0 ]; then
                errorlog "${registry_image} build Failed!!!!"
                exit
            else
                successlog "${registry_image} build successfull !"
            fi
        fi
    fi
}

# 报错：x509: certificate has expired or is not yet valid，解决：docker.service.d/docker-options.conf里添加：--registry-mirror=https://dockerhub.xxx.com
function Usage() {
INFO="\
功能:构建操作系统docker镜像

用法:$0 [选项] ... [参数] ...

支持参数:
    --image string          [必选参数]镜像名称,如kylin:v10-sp3-arm64,openeuler:20.03-sp3-amd64,如果后面不带架构,如kylin:v10-sp3,则默认同时构建双架构
    --image_arch string     [可选参数]要构建的镜像的架构,默认是'amd64 arm64'
    --iso_path string       [可选参数]不提供此参数,默认从在线官方软件源制作;如提供此参数,则默认以挂载iso文件作为软件源安装软件,如:/data/Kylin-Server-V10-SP3-General-Release-2303-ARM64.iso
    --registry string       [可选参数]镜像仓库地址,比如要推送到dockerhub.xxx.com/os/kylin:v10-sp3,则值为dockerhub.xxx.com/os
    --push                  [可选参数]是否推送至镜像仓库,默认false
    --help                  帮助文档
"

    infolog "$INFO"

}

ARGS=`getopt -o vh --long image:,image_arch:,iso_path:,push,help -- "$@"`
([[ $? -ne 0 ]] || [[ -z "$@" ]]) && Usage && exit
eval set -- "$ARGS"

while true; do
    case "$1" in
        --image)
            case "$2" in
                "") exit 1 ;;
                *)  image=$2; shift 2 ;;
            esac ;;
	    --image_arch)
            case "$2" in
                "") exit 1 ;;
                *)  image_arch=$2; shift 2 ;;
            esac ;;
	    --push)
            push='true';shift ;;
	    --iso_path)
            case "$2" in
                "") exit 1 ;;
                *)  iso_path=$2; shift 2 ;;
            esac ;;
	    --registry)
            case "$2" in
                "") exit 1 ;;
                *)  registry=$2; shift 2 ;;
            esac ;;
        -h|--help|-help)
            Usage; exit 0 ;;
        --)
            shift; break ;;
        *)
            warnlog "Invalid option, use -h or --help to get help message."; exit 1 ;;
    esac
done

: ${image_arch:="amd64 arm64"}
: ${push:=false}
: ${registry:="dockerhub.xxx.com/os"}

image_name=$(echo $image|awk -F':' '{print $1}')
image_tag=$(echo $image|awk -F':' '{print $2}')
image_version=$(echo $image_tag|awk '{gsub(/-x86_64|amd64|-arm64|-aarch64/, "");print}')

if [[ $? == 0 ]] ; then
    main
else
    Usage
    exit 1
fi

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

#!/usr/bin/env bash

# 用法： build.sh iso文件路径

# 例如：build.sh /data/build/os_images/Kylin-Server-V10-SP3-General-Release-2303-ARM64.iso

set -e

set -o pipefail

current_dir=$(

cd "$(dirname "$0")"

pwd

)

source $current_dir/tools/color.sh

BUILD_TOOLS="vim vi yum net-tools curl dnf-utils createrepo iproute"

function check_command(){

local r=0

`command -v $1 >/dev/null 2>&1` || r=1

return ${r}

}

install_docker(){

rpm -qa|grep podman > /dev/null 2>&1 && yum remove -y podman

if [ "$ARCH" == 'amd64' ]; then centos_repo='Centos-7.repo'; else centos_repo='Centos-altarch-7.repo'; fi

curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

sed -i -e 's/$releasever/7/g' -e 's/https/http/g' /etc/yum.repos.d/docker-ce.repo

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/${centos_repo}

sed -i -e 's/$releasever/7/g' -e 's/https/http/g' /etc/yum.repos.d/CentOS-Base.repo

yum makecache

yum install docker-ce docker-ce-cli containerd.io -y

if [ $? -eq 0 ]; then

mkdir -p /etc/systemd/system/docker.service.d

cat > /etc/systemd/system/docker.service.d/docker-options.conf << 'EOF'

[Service]

Environment="DOCKER_OPTS= --iptables=true \

--insecure-registry=0.0.0.0/0 \

--registry-mirror=https://dockerhub.xxx.com \

--registry-mirror=https://registry.docker-cn.com \

--registry-mirror=https://mirror.aliyuncs.com \

--registry-mirror=https://docker.mirrors.ustc.edu.cn \

--data-root=/data/docker \

--log-opt max-size=50m --log-opt max-file=5"

EOF

cat > /etc/systemd/system/docker.service << 'EOF'

[Unit]

Description=Docker Application Container Engine

Documentation=http://docs.docker.com

[Service]

Type=notify

Environment="DOCKER_STORAGE_OPTIONS=-s overlay2"

Environment=GOTRACEBACK=crash

ExecReload=/bin/kill -s HUP $MAINPID

ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT

Delegate=yes

KillMode=process

ExecStart=/usr/bin/dockerd \

$DOCKER_OPTS \

$DOCKER_STORAGE_OPTIONS \

$DOCKER_DNS_OPTIONS

TasksMax=infinity

LimitNOFILE=1048576

LimitNPROC=1048576

LimitCORE=infinity

TimeoutStartSec=1min

# restart the docker process if it exits prematurely

Restart=on-failure

StartLimitBurst=3

StartLimitInterval=60s

[Install]

WantedBy=multi-user.target

EOF

systemctl daemon-reload

systemctl enable docker

systemctl start docker

}

create_multi_platform(){

if ! sudo docker ps | grep buildkitd >/dev/null 2>&1 || ! sudo docker buildx ls|grep 'multi-platform'>/dev/null 2>&1; then

sudo docker run -it --rm --privileged tonistiigi/binfmt --install all

if [ ! -f ~/.config/buildkit/buildkitd.toml ]; then

sudo mkdir -p ~/.config/buildkit/

echo 'debug = true' > ~/.config/buildkit/buildkitd.toml

echo 'insecure-entitlements = [ "network.host", "security.insecure" ]' >> ~/.config/buildkit/buildkitd.toml

echo '[registry."dockerhub.xxx.com"]' >> ~/.config/buildkit/buildkitd.toml

echo ' http = false' >> ~/.config/buildkit/buildkitd.toml

echo ' insecure = true' >> ~/.config/buildkit/buildkitd.toml

sudo docker buildx create \

--name multi-platform \

--use \

--platform linux/amd64,linux/arm64 \

--driver docker-container \

--driver-opt network=host \

--buildkitd-flags '--allow-insecure-entitlement network.host' \

--config ~/.config/buildkit/buildkitd.toml

}

main(){

cd ${current_dir}

image_repo=$(find repos/online -name "*$image_name*$image_version*.repo")

for arch in $image_arch; do

if [ ! -z "$iso_path" ]; then

iso_file=$(basename $iso_path)

iso_dir=$(echo $iso_file|sed 's/.iso//g')

iso_mount_dir=/mnt/$iso_dir

[ ! -d "$iso_mount_dir" ] && mkdir -p $iso_mount_dir || (umount -f $iso_mount_dir || true)

mount "$iso_path" $iso_mount_dir

cat > repos/local.repo << EOF

[local]

name=local repo

baseurl= file://$iso_mount_dir

enable=1

gpgcheck=0

priority=1

EOF

target=${image_name}_${image_version}_${arch}

target_image=${image_name}:${image_version}-${arch}

# docker pull --platform linux/$arch centos

# docker pull --platform linux/$arch dockerhub.xxx.com/os/centos:8

docker pull dockerhub.xxx.com/os/centos:8-${arch}

docker rm -f centos_${target} > /dev/null 2>&1 || true

if [ ! -z "$iso_path" ]; then

extra_arg="-v $iso_mount_dir:$iso_mount_dir"

docker run -d --name centos_${target} --network host \

-v /var/run/docker.sock:/var/run/docker.sock \

-v ${current_dir}:/opt/os \

${extra_arg} \

dockerhub.xxx.com/os/centos:8-${arch} \

sleep 100000

docker exec centos_${target} bash -c "\

rm -rf /etc/yum.repos.d/*; \

if [ ! -z "$iso_path" ]; then \

cp /opt/os/repos/local.repo /etc/yum.repos.d/local.repo; \

fi; \

cp /opt/os/$image_repo /etc/yum.repos.d/$(basename $image_repo); \

if [ "$image_name" == "kylin" ]; then \

cp /opt/os/repos/online/kylin/RPM-GPG-KEY-kylin /etc/pki/rpm-gpg/RPM-GPG-KEY-kylin; \

elif [ "$image_name" == "uos" ]; then \

mkdir -p /opt/os/${target}/etc/dnf/vars;\

cp /opt/os/repos/online/uos/uos-auth-u /etc/dnf/vars/uos-auth-u; \

cp /opt/os/repos/online/uos/uos-auth-p /etc/dnf/vars/uos-auth-p; \

cp /opt/os/repos/online/uos/uos-auth-u /opt/os/${target}/etc/dnf/vars/uos-auth-u; \

cp /opt/os/repos/online/uos/uos-auth-p /opt/os/${target}/etc/dnf/vars/uos-auth-p; \

if [ "$image_version" == "20-1060e" ]; then \

echo 'ufu' > /etc/dnf/vars/StateMode; \

echo 'ufu' > /opt/os/${target}/etc/dnf/vars/StateMode; \

fi; \

yum clean all; yum makecache; \

yum -y --installroot=/opt/os/${target} install $BUILD_TOOLS \

cp /etc/skel/.bash* $current_dir/${target}/root/

echo "" > $current_dir/${target}/root/.bash_history

rm -rf $current_dir/${target}/core.*

tar -cvpf ${target}.tar --directory=$current_dir/${target} --exclude=proc --exclude=sys --exclude=dev --exclude=run --exclude=boot .

# check_command docker || install_docker

# create_multi_platform

cat ${target}.tar | docker import - $target_image

#5. 运行镜像，测试镜像是否能正常使用

docker run --rm --tty $target_image /bin/bash -c 'echo $(grep 'PRETTY_NAME' /etc/os-release) $(uname -m) builded success!!!'

# clean

docker rm -f centos_${target}

umount -f $iso_mount_dir

rm -rf ${target} ${target}.tar

if [ $? -ne 0 ]; then

errorlog "$target_image build Failed!!!!"

exit

else

successlog "$target_image build successfull !"

done

if [ "$push" == "true" ]; then

for arch in $image_arch; do

registry_image="$registry/${image_name}:${image_version}"

docker tag ${image_name}:${image_version}-${arch} ${registry_image}-${arch}

docker push ${registry_image}-${arch}

done

if [[ "$image_arch" == "amd64 arm64" ]] || \

(docker images|awk '{print $1":"$2}'|grep ${registry_image}-amd64 >/dev/null 2>&1 && \

docker images|awk '{print $1":"$2}'|grep ${registry_image}-arm64 >/dev/null 2>&1); then

docker manifest rm ${registry_image} || true

docker manifest create --insecure ${registry_image} ${registry_image}-amd64 ${registry_image}-arm64

docker manifest annotate ${registry_image} ${registry_image}-amd64 --os linux --arch amd64

docker manifest annotate ${registry_image} ${registry_image}-arm64 --os linux --arch arm64 --variant v8

docker manifest push --insecure ${registry_image}

if [ $? -ne 0 ]; then

errorlog "${registry_image} build Failed!!!!"

exit

else

successlog "${registry_image} build successfull !"

}

# 报错：x509: certificate has expired or is not yet valid，解决：docker.service.d/docker-options.conf里添加：--registry-mirror=https://dockerhub.xxx.com

function Usage() {

INFO="\

功能:构建操作系统docker镜像

用法:$0 [选项] ... [参数] ...

支持参数:

--image string [必选参数]镜像名称,如kylin:v10-sp3-arm64,openeuler:20.03-sp3-amd64,如果后面不带架构,如kylin:v10-sp3,则默认同时构建双架构

--image_arch string [可选参数]要构建的镜像的架构,默认是'amd64 arm64'

--iso_path string [可选参数]不提供此参数,默认从在线官方软件源制作;如提供此参数,则默认以挂载iso文件作为软件源安装软件,如:/data/Kylin-Server-V10-SP3-General-Release-2303-ARM64.iso

--registry string [可选参数]镜像仓库地址,比如要推送到dockerhub.xxx.com/os/kylin:v10-sp3,则值为dockerhub.xxx.com/os

--push [可选参数]是否推送至镜像仓库,默认false

--help 帮助文档

infolog "$INFO"

}

ARGS=`getopt -o vh --long image:,image_arch:,iso_path:,push,help -- "$@"`

([[ $? -ne 0 ]] || [[ -z "$@" ]]) && Usage && exit

eval set -- "$ARGS"

while true; do

case "$1" in

--image)

case "$2" in

"") exit 1 ;;

*) image=$2; shift 2 ;;

esac ;;

--image_arch)

case "$2" in

"") exit 1 ;;

*) image_arch=$2; shift 2 ;;

esac ;;

--push)

push='true';shift ;;

--iso_path)

case "$2" in

"") exit 1 ;;

*) iso_path=$2; shift 2 ;;

esac ;;

--registry)

case "$2" in

"") exit 1 ;;

*) registry=$2; shift 2 ;;

esac ;;

-h|--help|-help)

Usage; exit 0 ;;

--)

shift; break ;;

warnlog "Invalid option, use -h or --help to get help message."; exit 1 ;;

esac

done

: ${image_arch:="amd64 arm64"}

: ${push:=false}

: ${registry:="dockerhub.xxx.com/os"}

image_name=$(echo $image|awk -F':' '{print $1}')

image_tag=$(echo $image|awk -F':' '{print $2}')

image_version=$(echo $image_tag|awk '{gsub(/-x86_64|amd64|-arm64|-aarch64/, "");print}')

if [[ $? == 0 ]] ; then

main

else

Usage

exit 1

脚本逻辑解析：由于一些信创操作系统中安装软件时需要认证机制，所以需要提前将认证放入对应目录(可以从安装好的os虚机中获取),此认证文件经过测试可以用到其它发行版本上，所以以后版本更新不用再更新此文件脚本参数解析：

功能:构建操作系统docker镜像

./mkimage.sh --help
用法:mkimage.sh [选项] ... [参数] ...

支持参数:
    --image string          [必选参数]镜像名称， 如kylin:v10-sp3-arm64， openeuler:20.03-sp3-amd64, 如果后面不带架构，如kylin:v10-sp3，则默认同时构建双架构
    --image_arch string     [可选参数]要构建的镜像的架构,默认是'amd64 arm64'
    --iso_path string       [可选参数]不提供此参数，默认从在线官方软件源制作；如提供此参数，则默认以挂载iso文件作为软件源安装软件,如：/data/Kylin-Server-V10-SP3-General-Release-2303-ARM64.iso
    --registry string       [可选参数]镜像仓库地址，比如要推送到dockerhub.yonyoucloud.com/os/kylin:v10-sp3, 则值为dockerhub.yonyoucloud.com/os
    --push                  [可选参数]是否推送至镜像仓库,默认false
    --help                  帮助文档

功能:构建操作系统docker镜像

./mkimage.sh --help

用法:mkimage.sh [选项] ... [参数] ...

支持参数:

--image string [必选参数]镜像名称，如kylin:v10-sp3-arm64， openeuler:20.03-sp3-amd64, 如果后面不带架构，如kylin:v10-sp3，则默认同时构建双架构

--image_arch string [可选参数]要构建的镜像的架构,默认是'amd64 arm64'

--iso_path string [可选参数]不提供此参数，默认从在线官方软件源制作；如提供此参数，则默认以挂载iso文件作为软件源安装软件,如：/data/Kylin-Server-V10-SP3-General-Release-2303-ARM64.iso

--registry string [可选参数]镜像仓库地址，比如要推送到dockerhub.yonyoucloud.com/os/kylin:v10-sp3, 则值为dockerhub.yonyoucloud.com/os

--push [可选参数]是否推送至镜像仓库,默认false

--help 帮助文档

–image_arch: 构建的架构，默认两种架构同时构建 –iso_path: 官方发行版.iso后缀的镜像文件地址，如果提供此参数，则os镜像从.iso文件中的repo源进行制作，构建出来的镜像软件版本与.iso文件中的版本保持一致，如果不提供此参数，则脚本默认会从官方在线的repo软件源中去下载发行版对应的软件版本，可能会存在某些软件跟.iso文件中不一致(经过测试，仅中科方德安装openssl时出现了依赖不一致) 定义软件清单下载离线源时，通过定义一下packages.yaml文件，来定义全部所需的软件包： packages.yaml:

---
kubespray:
  common:
    - socat
    - e2fsprogs
    - xfsprogs
    - ebtables
    - bash-completion
    - ipvsadm
    - ipset
    - conntrack

  yum:
    - nss
    - device-mapper-libs
    - conntrack-tools

  apt:
    - python-apt
    - python3-apt
    - aufs-tools
    - apt-transport-https
    - software-properties-common

docker:
  - docker-ce-20.10.17 
  - docker-ce-cli-20.10.17 
  - containerd.io-1.6.7

middleware:
  yum: 
    - keepalived
    - ibus
    - gcc 
    - gcc-c++ 
    - pcre 
    - pcre-devel
    - libtool 
    - libtool-ltdl-devel 
    - libevent-devel 
    - perl 
    - perl-devel 
    - zlib 
    - zlib-devel 
    - expat 
    - gd 
    - gd-devel   
    - make
    - lua 
    - ncurses-devel 
    - flex  
    - libatomic   
    - iproute 
    - procps-ng 
    - fontconfig  
    - bind-utils  
    - libffi-devel 
    - readline 
    - readline-devel
    - tcl
    - cifs-utils
    - openssl
    - openssl-devel
    - openssl-libs
    - chrony
    - libselinux-python
    - python3-libselinux

common:
  - curl
  - jq
  - bc
  - tar
  - telnet
  - expect
  - xz
  - unzip
  - zip
  - nc
  - lrzsz 
  - lsof
  - lvm2
  - sshpass
  - vim
  - wget
  - ethtool
  - net-tools
  - rsync
  - dos2unix
  - ntp 
  - ntpdate
  

yum:
  - nfs-utils
  - createrepo
  - nc
  - httpd-tools

apt:
  - nfs-common
  - apt-transport-https
  - ca-certificates
  - gnupg
  - lsb-release
  - aptitude
  - dpkg-dev
  - gnupg2
  - netcat
  - apache2-utils
  - libgd-dev
  - expat
  - gcc
  - make
  - libpcre3
  - libpcre3-dev
  - zlib1g
  - zlib1g-dev
  - openssl
  - libssl-dev
  - perl

centos7:
  - libselinux-python
  - s3fs-fuse
  
kylin10:
  - compat-openssl10

uos:
  - compat-openssl10
  
openeuler:

nfs:
  - compat-openssl10

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

---

kubespray:

common:

- socat

- e2fsprogs

- xfsprogs

- ebtables

- bash-completion

- ipvsadm

- ipset

- conntrack

yum:

- nss

- device-mapper-libs

- conntrack-tools

apt:

- python-apt

- python3-apt

- aufs-tools

- apt-transport-https

- software-properties-common

docker:

- docker-ce-20.10.17

- docker-ce-cli-20.10.17

- containerd.io-1.6.7

middleware:

yum:

- keepalived

- ibus

- gcc

- gcc-c++

- pcre

- pcre-devel

- libtool

- libtool-ltdl-devel

- libevent-devel

- perl

- perl-devel

- zlib

- zlib-devel

- expat

- gd

- gd-devel

- make

- lua

- ncurses-devel

- flex

- libatomic

- iproute

- procps-ng

- fontconfig

- bind-utils

- libffi-devel

- readline

- readline-devel

- tcl

- cifs-utils

- openssl

- openssl-devel

- openssl-libs

- chrony

- libselinux-python

- python3-libselinux

common:

- curl

- jq

- bc

- tar

- telnet

- expect

- xz

- unzip

- zip

- nc

- lrzsz

- lsof

- lvm2

- sshpass

- vim

- wget

- ethtool

- net-tools

- rsync

- dos2unix

- ntp

- ntpdate

yum:

- nfs-utils

- createrepo

- nc

- httpd-tools

apt:

- nfs-common

- apt-transport-https

- ca-certificates

- gnupg

- lsb-release

- aptitude

- dpkg-dev

- gnupg2

- netcat

- apache2-utils

- libgd-dev

- expat

- gcc

- make

- libpcre3

- libpcre3-dev

- zlib1g

- zlib1g-dev

- openssl

- libssl-dev

- perl

centos7:

- libselinux-python

- s3fs-fuse

kylin10:

- compat-openssl10

uos:

- compat-openssl10

openeuler:

nfs:

- compat-openssl10

定义各系统构建使用的Dockerfile 下面是制作麒麟离线源的Dockerfile:

ARG FROM="dockerhub.xxx.com/os/kylin:v10-sp3"
FROM $FROM as kylin

ARG OS_VERSION=10
ARG BUILD_TOOLS="curl dnf-utils createrepo"
ARG BASE_URL=http://xxx.oss-cn-beijing.aliyuncs.com/download

WORKDIR /kylin/$OS_VERSION/os
COPY packages.yaml .
RUN set -x && ARCH=$(uname -m) \
    && curl -o /usr/bin/yq $BASE_URL/binary/yq-linux-$ARCH && chmod +x /usr/bin/yq \
    && yum install -q -y ${BUILD_TOOLS} || true \
    \
    && yq eval '.common[],.yum[],.kylin10[],.kubespray.common[],.kubespray.yum[],.middleware.yum[]' packages.yaml > packages.list \
    && sort -u packages.list | xargs repotrack -d 9 --destdir "${ARCH}/Packages" 

RUN set -x && ARCH=$(uname -m) \
    && if [ "$ARCH" == 'x86_64' ]; then centos_repo='Centos-7.repo'; else centos_repo='Centos-altarch-7.repo'; fi \
    # install docker
    && curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
    && sed -i -e 's/$releasever/7/g' -e 's/https/http/g' /etc/yum.repos.d/docker-ce.repo \
    && curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/${centos_repo} \
    && sed -i -e 's/$releasever/7/g' -e 's/https/http/g' /etc/yum.repos.d/CentOS-Base.repo \
    && yum makecache \
    && yq eval '.docker[]' packages.yaml | xargs repotrack -d 9 --destdir "${ARCH}/Packages" \
    \
    && rm -rf packages.yaml packages.list \
    && createrepo -d "${ARCH}"

FROM scratch
COPY --from=kylin /kylin ./kylin

ARG FROM="dockerhub.xxx.com/os/kylin:v10-sp3"

FROM $FROM as kylin

ARG OS_VERSION=10

ARG BUILD_TOOLS="curl dnf-utils createrepo"

ARG BASE_URL=http://xxx.oss-cn-beijing.aliyuncs.com/download

WORKDIR /kylin/$OS_VERSION/os

COPY packages.yaml .

RUN set -x && ARCH=$(uname -m) \

&& curl -o /usr/bin/yq $BASE_URL/binary/yq-linux-$ARCH && chmod +x /usr/bin/yq \

&& yum install -q -y ${BUILD_TOOLS} || true \

&& yq eval '.common[],.yum[],.kylin10[],.kubespray.common[],.kubespray.yum[],.middleware.yum[]' packages.yaml > packages.list \

&& sort -u packages.list | xargs repotrack -d 9 --destdir "${ARCH}/Packages"

RUN set -x && ARCH=$(uname -m) \

&& if [ "$ARCH" == 'x86_64' ]; then centos_repo='Centos-7.repo'; else centos_repo='Centos-altarch-7.repo'; fi \

# install docker

&& curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \

&& sed -i -e 's/$releasever/7/g' -e 's/https/http/g' /etc/yum.repos.d/docker-ce.repo \

&& curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/${centos_repo} \

&& sed -i -e 's/$releasever/7/g' -e 's/https/http/g' /etc/yum.repos.d/CentOS-Base.repo \

&& yum makecache \

&& yq eval '.docker[]' packages.yaml | xargs repotrack -d 9 --destdir "${ARCH}/Packages" \

&& rm -rf packages.yaml packages.list \

&& createrepo -d "${ARCH}"

FROM scratch

COPY --from=kylin /kylin ./kylin

中科方德在适配过程中出现了很多问题，总结如下：官方没有docker-ce-20.10.17版本，需要配置docker el8源官方没有sshpass等包，需要配置centos7的源 Read more…

By sean, 7 months11/01/2023 ago