├── .gitignore ├── LICENSE.txt ├── README.md ├── build ├── Dockerfile ├── Makefile └── build.sh ├── config └── default.sh ├── examples ├── ack-aliyunlinux2.json ├── ack-aliyunlinux3.json ├── ack-centos-using-existing-vpc-vswitch.json ├── ack-centos.json ├── ack-optimized-os-1.18.json ├── ack-optimized-os-1.20.json └── ack-optimized-os-all.json ├── hotfix ├── hotfix-ipvlan │ ├── README.md │ ├── ack-aliyunlinux2-ipvlan.json │ └── scripts │ │ ├── installRPMs.sh │ │ └── updateConfig.sh └── hotfix-issue-19 │ ├── README.md │ ├── ack-centos-issue-19.json │ └── scripts │ ├── updateContainerd.sh │ └── updateSystemd.sh └── scripts ├── ack-optimized-os-1.18.sh ├── ack-optimized-os-1.22.sh ├── ack-optimized-os-1.24.sh ├── ack-optimized-os-1.26.sh ├── ack-optimized-os-all.sh ├── ack-optimized-os-anolis-all.sh ├── ack-optimized-os-linux3-all.sh ├── ack-optimized-os-rhel9-all.sh ├── cleanUpKerneles.sh ├── disableTuned.sh ├── reboot.sh ├── set-cgroupv2.sh ├── updateDNS.sh ├── updateKernel.sh └── verify.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | https://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | Copyright 2015-2015 Li Yi (denverdino@gmail.com). 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 
You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Image Build Specification of Alibaba Cloud Container Service for Kubernetes (ACK)

Notes: The template [ack-centos.json](https://github.com/AliyunContainerService/ack-image-builder/blob/master/ack-centos.json) is used to build a custom image for an ACK cluster based on the latest published ECS CentOS public image.

This repository contains resources and configuration scripts for building a custom base OS image for ACK with [HashiCorp Packer](https://www.packer.io/).

## Supported OS

* Alibaba Cloud Linux 3
* Alibaba Cloud Linux 2 - deprecated
* CentOS 7.6/7.7/7.8/7.9 - deprecated
* Red Hat Enterprise Linux 9
* Anolis OS 8


## Setup

You must have [Packer](https://www.packer.io/) installed on your local system. For more information, see [Installing Packer](https://www.packer.io/docs/install/index.html) in the Packer documentation. You must also have Alibaba Cloud account credentials configured so that Packer can call Alibaba Cloud API operations on your behalf.

For more information, see [Alibaba Cloud builder](https://www.packer.io/docs/builders/alicloud-ecs.html) in the Packer documentation.

## Building the OS Image

Execute the following commands in your shell:

```
export ALICLOUD_REGION=XXX
export ALICLOUD_ACCESS_KEY=XXX
export ALICLOUD_SECRET_KEY=XXX
packer build examples/ack-aliyunlinux3.json
```

## Build ACK-Optimized-OS image

Execute the following commands in your shell:

```
export RUNTIME=XXX
export ALICLOUD_REGION=XXX
export ALICLOUD_ACCESS_KEY=XXX
export ALICLOUD_SECRET_KEY=XXX
packer build examples/ack-optimized-os-all.json
```
NOTE: `RUNTIME` only supports `docker` and `containerd`.

An annotated copy of `examples/ack-optimized-os-all.json` follows; the `#` comments are explanatory only and must not appear in a real template:

```shell
{
  "variables": {
    "image_name": "ack-optimized_image-1.28-{{timestamp}}",
    "source_image": "aliyun_3_9_x64_20G_alibase_20231219.vhd",
    "instance_type": "ecs.gn6i-c4g1.xlarge",
    "region": "{{env `ALICLOUD_REGION`}}",
    "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}",
    "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}",
    "runtime": "{{env `RUNTIME`}}",
    "skip_secrutiy_fix": "{{env `SKIP_SECURITY_FIX`}}"
  },
  "builders": [
    {
      "type": "alicloud-ecs",
      "access_key": "{{user `access_key`}}",
      "secret_key": "{{user `secret_key`}}",
      "region": "{{user `region`}}",
      "image_name": "{{user `image_name`}}",
      "source_image": "{{user `source_image`}}",
      "ssh_username": "root",
      "instance_type": "{{user `instance_type`}}",
      "skip_image_validation": "true",
      "io_optimized": "true"
    }
  ],
  "provisioners": [
    {
      "type": "file",
      "source": "scripts/ack-optimized-os-all.sh",
      "destination": "/root/"
    },
    {
      "type": "shell",
      "inline": [
        "export RUNTIME={{user `runtime`}}",
        "export SKIP_SECURITY_FIX={{user `skip_secrutiy_fix`}}",
        "export OS_ARCH=amd64",
        "export PRESET_GPU=true", # To preinstall the GPU driver, set PRESET_GPU to true and set instance_type to a GPU instance type; supported for versions 1.20+.
85 | "export NVIDIA_DRIVER_VERSION=460.106.00", # You can set the gpu version, default is 460.91.03 86 | "export KEEP_IMAGE_DATA=true", # If you cache images, you must set KEEP_IMAGE_DATA to true 87 | "export KUBE_VERSION=1.28.9-aliyun.1", # Set KUBE_VERSION according to your cluster version 88 | "bash /root/ack-optimized-os-all.sh", 89 | "ctr -n k8s.io i pull docker.io/library/nginx:1.7.9" # You can cache images into OS image 90 | ] 91 | } 92 | ] 93 | } 94 | ``` 95 | 96 | ## RAM Policy 97 | 98 | If you are using a sub account,the ram policy should at least include actions as below: 99 | 100 | > Note that you'd better release the delete permissions once you have completed your image build task for safety reasons. 101 | 102 | ``` 103 | { 104 | "Version": "1", 105 | "Statement": [ 106 | { 107 | "Action": [ 108 | "ecs:DescribeImages", 109 | "ecs:CreateImage", 110 | "ecs:ModifyImageSharePermission", 111 | "ecs:CreateKeyPair", 112 | "ecs:DeleteKeyPairs", 113 | "ecs:DetachKeyPair", 114 | "ecs:AttachKeyPair", 115 | "ecs:CreateSecurityGroup", 116 | "ecs:DeleteSecurityGroup", 117 | "ecs:AuthorizeSecurityGroupEgress", 118 | "ecs:AuthorizeSecurityGroup", 119 | "ecs:CreateSnapshot", 120 | "ecs:AttachDisk", 121 | "ecs:DetachDisk", 122 | "ecs:DescribeDisks", 123 | "ecs:CreateDisk", 124 | "ecs:DeleteDisk", 125 | "ecs:CreateNetworkInterface", 126 | "ecs:DescribeNetworkInterfaces", 127 | "ecs:AttachNetworkInterface", 128 | "ecs:DetachNetworkInterface", 129 | "ecs:DeleteNetworkInterface", 130 | "ecs:DescribeInstanceAttribute", 131 | "ecs:CreateInstance", 132 | "ecs:DeleteInstance", 133 | "ecs:StartInstance", 134 | "ecs:StopInstance", 135 | "ecs:DescribeInstances" 136 | ], 137 | "Resource": [ 138 | "*" 139 | ], 140 | "Effect": "Allow" 141 | }, 142 | { 143 | "Action": [ 144 | "vpc:CreateVpc", 145 | "vpc:DeleteVpc", 146 | "vpc:DescribeVpcs", 147 | "vpc:CreateVSwitch", 148 | "vpc:DeleteVSwitch", 149 | "vpc:DescribeVSwitches", 150 | "vpc:AllocateEipAddress", 151 | 
"vpc:AssociateEipAddress", 152 | "vpc:UnassociateEipAddress", 153 | "vpc:DescribeEipAddresses", 154 | "vpc:ReleaseEipAddress" 155 | ], 156 | "Resource": [ 157 | "*" 158 | ], 159 | "Effect": "Allow" 160 | } 161 | ] 162 | } 163 | ``` 164 | 165 | ## Security 166 | 167 | For security issues or concerns, please do not open an issue or pull request on GitHub. Please report any suspected or confirmed security issues to Alibaba Cloud Container Security contact 168 | 169 | -------------------------------------------------------------------------------- /build/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.10 2 | 3 | ADD https://releases.hashicorp.com/packer/1.7.9/packer_1.7.9_linux_amd64.zip /packer_1.7.9_linux_amd64.zip 4 | ADD ./scripts /scripts 5 | ADD ./config /config 6 | RUN unzip packer_1.7.9_linux_amd64.zip && mv packer /bin/packer 7 | 8 | ENTRYPOINT ["packer", "build"] -------------------------------------------------------------------------------- /build/Makefile: -------------------------------------------------------------------------------- 1 | all: docker-container 2 | 3 | PREFIX?=registry.aliyuncs.com/acs 4 | VERSION?=v1.0.0 5 | 6 | docker-container: 7 | docker build --pull -t $(PREFIX)/ack-image-builder:$(VERSION) . 
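
.PHONY: all docker-container

--------------------------------------------------------------------------------
/build/build.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Build an ACK OS image by running Packer inside the ack-image-builder
# container.
#
# Usage: build.sh build_template_file
#
# Required environment: ALICLOUD_REGION, ALICLOUD_ACCESS_KEY,
# ALICLOUD_SECRET_KEY.
# Optional: RUNTIME (defaults to "docker"); PREFIX and VERSION, which name the
# builder image with the same defaults as the Makefile; BUILD_DEBUG, which
# enables command tracing when set to any non-empty value.

# Abort on the first failing command, on an unset variable and on a failure
# anywhere in a pipeline.
set -euo pipefail

# Tracing is opt-in: with "set -x" on unconditionally every expanded command,
# including the credentials handed to "docker run", is written to the build
# log.
if [[ -n ${BUILD_DEBUG:-} ]]; then
    set -x
fi

CUR_DIR=$(dirname "$(readlink -e -v "${BASH_SOURCE[0]}")")
SRC_DIR=$(dirname "$CUR_DIR")

# Image produced by the Makefile; PREFIX/VERSION mirror its defaults so both
# tools agree on the tag.
IMAGE="${PREFIX:-registry.aliyuncs.com/acs}/ack-image-builder:${VERSION:-v1.0.0}"

# Print usage to stderr.
usage() {
    cat >&2 <<EOF
Usage:
    $0 build_template_file
Example:
    $0 $SRC_DIR/examples/ack-aliyunlinux2.json
EOF
}

# Validate the single positional argument and store its absolute path in
# BUILD_TEMPLATE_FILE. Docker bind mounts need an absolute host path (a
# relative one would be taken for a named volume), so the path is resolved
# here. Returns 1 when the argument is missing or is not an existing file.
check_params() {
    local template="${1:-}"

    if [[ -z $template ]]; then
        echo "ERROR: must specify exactly one template file" >&2
        usage
        return 1
    fi

    if ! [[ -f $template ]]; then
        echo "ERROR: cannot find file: $template" >&2
        return 1
    fi

    BUILD_TEMPLATE_FILE=$(readlink -e "$template")
}

# Require the Alibaba Cloud credentials and default RUNTIME to docker.
# Everything is exported so "docker run -e NAME" can pass it through by name.
check_env() {
    if [[ -z ${ALICLOUD_REGION:-} || -z ${ALICLOUD_ACCESS_KEY:-} || -z ${ALICLOUD_SECRET_KEY:-} ]]; then
        echo "ERROR: ALICLOUD_REGION/ALICLOUD_ACCESS_KEY/ALICLOUD_SECRET_KEY must not be empty" >&2
        return 1
    fi
    export ALICLOUD_REGION ALICLOUD_ACCESS_KEY ALICLOUD_SECRET_KEY

    if [[ -z ${RUNTIME:-} ]]; then
        echo "WARN: RUNTIME is empty, will set it 'docker' by default" >&2
        RUNTIME="docker"
    fi
    export RUNTIME
}

# Build the builder image with the Makefile next to this script when it is
# not already present locally.
check_docker_image() {
    if ! docker inspect "$IMAGE" &>/dev/null; then
        make -C "$CUR_DIR"
    fi
}

# Run Packer inside the container. Variables are passed by name only
# ("-e NAME"): docker copies them from this process's environment, so the
# secret values never appear on the docker command line, in "ps" output or in
# a trace.
build_os_image() {
    local template_name
    template_name=$(basename "$BUILD_TEMPLATE_FILE")

    docker run -e ALICLOUD_REGION \
        -e ALICLOUD_ACCESS_KEY \
        -e ALICLOUD_SECRET_KEY \
        -e RUNTIME \
        -v "$BUILD_TEMPLATE_FILE:/scripts/$template_name" \
        "$IMAGE" "/scripts/$template_name"
}

main() {
    check_params "$@"
    check_env
    check_docker_image
    build_os_image
}

main "$@"

--------------------------------------------------------------------------------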
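/config/default.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Baseline host configuration run by the Packer shell provisioner (listed in
# the examples/*.json templates after the kernel update and reboot steps).
# The original first line was "# /bin/bash", a comment rather than a shebang,
# so the file only ran because the provisioner's shell fell back to
# interpreting it.
#
# Fail the image build on the first error instead of quietly producing an
# image with swap still enabled or the timezone unset.
set -euo pipefail

# Set timezone
timedatectl set-timezone Asia/Shanghai

# Set swap off: disable it now and comment out every swap entry in fstab so it
# stays off after reboot. fstab fields may be separated by tabs as well as
# spaces, so match any whitespace around the "swap" field; lines that are
# already commented are left alone, which keeps the edit idempotent.
swapoff -a
sed -i '/^[^#].*[[:space:]]swap[[:space:]]/ s/^/#/' /etc/fstab

--------------------------------------------------------------------------------
/examples/ack-aliyunlinux2.json:
--------------------------------------------------------------------------------
{
  "variables": {
    "region": "cn-hangzhou",
    "image_name": "test_image{{timestamp}}",
    "source_image": "aliyun_2_1903_x64_20G_alibase_20210120.vhd",
    "instance_type": "ecs.g6.2xlarge",
    "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}",
    "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}"
  },
  "builders": [
    {
      "type": "alicloud-ecs",
      "access_key": "{{user `access_key`}}",
      "secret_key": "{{user `secret_key`}}",
      "region": "{{user `region`}}",
      "image_name": "{{user `image_name`}}",
      "source_image": "{{user `source_image`}}",
      "ssh_username": "root",
      "instance_type": "{{user `instance_type`}}",
      "skip_image_validation": "true",
      "io_optimized": "true"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "scripts": [
        "scripts/updateKernel.sh",
        "scripts/reboot.sh",
        "scripts/cleanUpKerneles.sh",
        "config/default.sh",
        "scripts/disableTuned.sh",
        "scripts/verify.sh"
      ],
      "expect_disconnect": true
    }
  ]
}

--------------------------------------------------------------------------------
/examples/ack-aliyunlinux3.json:
--------------------------------------------------------------------------------
{
  "variables": {
    "region": "cn-hangzhou",
    "image_name": "test_image{{timestamp}}",
    "source_image": "aliyun_3_x64_20G_alibase_20221102.vhd",
    "instance_type": "ecs.g6.2xlarge",
    "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}",
    "secret_key": "{{env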
`ALICLOUD_SECRET_KEY`}}" 9 | }, 10 | "builders": [ 11 | { 12 | "type": "alicloud-ecs", 13 | "access_key": "{{user `access_key`}}", 14 | "secret_key": "{{user `secret_key`}}", 15 | "region": "{{user `region`}}", 16 | "image_name": "{{user `image_name`}}", 17 | "source_image": "{{user `source_image`}}", 18 | "ssh_username": "root", 19 | "instance_type": "{{user `instance_type`}}", 20 | "skip_image_validation": "true", 21 | "io_optimized": "true", 22 | "associate_public_ip_address": "true" 23 | } 24 | ], 25 | "provisioners": [ 26 | { 27 | "type": "shell", 28 | "environment_vars": [ 29 | "CGROUP_MODE={{user `cgroup_mode`}}" 30 | ], 31 | "scripts": [ 32 | "scripts/set-cgroupv2.sh", 33 | "scripts/updateKernel.sh", 34 | "scripts/reboot.sh", 35 | "scripts/cleanUpKerneles.sh", 36 | "config/default.sh", 37 | "scripts/disableTuned.sh", 38 | "scripts/verify.sh" 39 | ], 40 | "expect_disconnect": true 41 | } 42 | ] 43 | } 44 | -------------------------------------------------------------------------------- /examples/ack-centos-using-existing-vpc-vswitch.json: -------------------------------------------------------------------------------- 1 | { 2 | "variables": { 3 | "region": "cn-hangzhou", 4 | "image_name": "test_image{{timestamp}}", 5 | "source_image": "centos_7_9_x64_20G_alibase_20210128.vhd", 6 | "instance_type": "ecs.g6.2xlarge", 7 | "vpc_id": "vpc-xxxxxx", 8 | "vswitch_id": "vsw-xxxxxx", 9 | "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}", 10 | "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}" 11 | }, 12 | "builders": [ 13 | { 14 | "type": "alicloud-ecs", 15 | "access_key": "{{user `access_key`}}", 16 | "secret_key": "{{user `secret_key`}}", 17 | "region": "{{user `region`}}", 18 | "image_name": "{{user `image_name`}}", 19 | "source_image": "{{user `source_image`}}", 20 | "ssh_username": "root", 21 | "instance_type": "{{user `instance_type`}}", 22 | "vpc_id": "{{user `vpc_id`}}", 23 | "vswitch_id": "{{user `vswitch_id`}}", 24 | "skip_image_validation": "true", 25 | 
"io_optimized": "true" 26 | } 27 | ], 28 | "provisioners": [ 29 | { 30 | "type": "shell", 31 | "scripts": [ 32 | "scripts/updateKernel.sh", 33 | "scripts/reboot.sh", 34 | "scripts/cleanUpKerneles.sh", 35 | "config/default.sh", 36 | "scripts/verify.sh" 37 | ], 38 | "expect_disconnect": true 39 | } 40 | ] 41 | } 42 | -------------------------------------------------------------------------------- /examples/ack-centos.json: -------------------------------------------------------------------------------- 1 | { 2 | "variables": { 3 | "region": "cn-hangzhou", 4 | "image_name": "test_image{{timestamp}}", 5 | "source_image": "centos_7_9_x64_20G_alibase_20210128.vhd", 6 | "instance_type": "ecs.g6.2xlarge", 7 | "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}", 8 | "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}" 9 | }, 10 | "builders": [ 11 | { 12 | "type": "alicloud-ecs", 13 | "access_key": "{{user `access_key`}}", 14 | "secret_key": "{{user `secret_key`}}", 15 | "region": "{{user `region`}}", 16 | "image_name": "{{user `image_name`}}", 17 | "source_image": "{{user `source_image`}}", 18 | "ssh_username": "root", 19 | "instance_type": "{{user `instance_type`}}", 20 | "skip_image_validation": "true", 21 | "io_optimized": "true" 22 | } 23 | ], 24 | "provisioners": [ 25 | { 26 | "type": "shell", 27 | "scripts": [ 28 | "scripts/updateKernel.sh", 29 | "scripts/reboot.sh", 30 | "scripts/cleanUpKerneles.sh", 31 | "config/default.sh", 32 | "scripts/verify.sh" 33 | ], 34 | "expect_disconnect": true 35 | } 36 | ] 37 | } 38 | -------------------------------------------------------------------------------- /examples/ack-optimized-os-1.18.json: -------------------------------------------------------------------------------- 1 | { 2 | "variables": { 3 | "image_name": "ack-optimized_image-1.18-{{timestamp}}", 4 | "source_image": "aliyun_2_1903_x64_20G_alibase_20210120.vhd", 5 | "instance_type": "ecs.g6.2xlarge", 6 | "region": "{{env `ALICLOUD_REGION`}}", 7 | "access_key": "{{env 
`ALICLOUD_ACCESS_KEY`}}", 8 | "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}", 9 | "runtime": "{{env `RUNTIME`}}", 10 | "skip_secrutiy_fix": "{{env `SKIP_SECURITY_FIX`}}" 11 | }, 12 | "builders": [ 13 | { 14 | "type": "alicloud-ecs", 15 | "access_key": "{{user `access_key`}}", 16 | "secret_key": "{{user `secret_key`}}", 17 | "region": "{{user `region`}}", 18 | "image_name": "{{user `image_name`}}", 19 | "source_image": "{{user `source_image`}}", 20 | "ssh_username": "root", 21 | "instance_type": "{{user `instance_type`}}", 22 | "skip_image_validation": "true", 23 | "io_optimized": "true" 24 | } 25 | ], 26 | "provisioners": [ 27 | { 28 | "type": "file", 29 | "source": "scripts/ack-optimized-os-1.18.sh", 30 | "destination": "/root/" 31 | }, 32 | { 33 | "type": "shell", 34 | "inline": [ 35 | "export RUNTIME={{user `runtime`}}", 36 | "export SKIP_SECURITY_FIX={{user `skip_secrutiy_fix`}}", 37 | "export OS_ARCH=amd64", 38 | "bash /root/ack-optimized-os-1.18.sh" 39 | ] 40 | } 41 | ] 42 | } 43 | -------------------------------------------------------------------------------- /examples/ack-optimized-os-1.20.json: -------------------------------------------------------------------------------- 1 | { 2 | "variables": { 3 | "image_name": "ack-optimized_image-1.20-{{timestamp}}", 4 | "source_image": "aliyun_2_1903_x64_20G_alibase_20210120.vhd", 5 | "instance_type": "ecs.g6.2xlarge", 6 | "region": "{{env `ALICLOUD_REGION`}}", 7 | "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}", 8 | "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}", 9 | "runtime": "{{env `RUNTIME`}}", 10 | "skip_secrutiy_fix": "{{env `SKIP_SECURITY_FIX`}}" 11 | }, 12 | "builders": [ 13 | { 14 | "type": "alicloud-ecs", 15 | "access_key": "{{user `access_key`}}", 16 | "secret_key": "{{user `secret_key`}}", 17 | "region": "{{user `region`}}", 18 | "image_name": "{{user `image_name`}}", 19 | "source_image": "{{user `source_image`}}", 20 | "ssh_username": "root", 21 | "instance_type": "{{user `instance_type`}}", 22 | 
"skip_image_validation": "true", 23 | "io_optimized": "true" 24 | } 25 | ], 26 | "provisioners": [ 27 | { 28 | "type": "file", 29 | "source": "scripts/ack-optimized-os-1.20.sh", 30 | "destination": "/root/" 31 | }, 32 | { 33 | "type": "shell", 34 | "inline": [ 35 | "export RUNTIME={{user `runtime`}}", 36 | "export SKIP_SECURITY_FIX={{user `skip_secrutiy_fix`}}", 37 | "export OS_ARCH=amd64", 38 | "bash /root/ack-optimized-os-1.20.sh" 39 | ] 40 | } 41 | ] 42 | } 43 | -------------------------------------------------------------------------------- /examples/ack-optimized-os-all.json: -------------------------------------------------------------------------------- 1 | { 2 | "variables": { 3 | "image_name": "ack-optimized_image-1.28-{{timestamp}}", 4 | "source_image": "aliyun_3_9_x64_20G_alibase_20231219.vhd", 5 | "instance_type": "ecs.gn6i-c4g1.xlarge", 6 | "region": "{{env `ALICLOUD_REGION`}}", 7 | "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}", 8 | "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}", 9 | "runtime": "{{env `RUNTIME`}}", 10 | "skip_secrutiy_fix": "{{env `SKIP_SECURITY_FIX`}}" 11 | }, 12 | "builders": [ 13 | { 14 | "type": "alicloud-ecs", 15 | "access_key": "{{user `access_key`}}", 16 | "secret_key": "{{user `secret_key`}}", 17 | "region": "{{user `region`}}", 18 | "image_name": "{{user `image_name`}}", 19 | "source_image": "{{user `source_image`}}", 20 | "ssh_username": "root", 21 | "instance_type": "{{user `instance_type`}}", 22 | "skip_image_validation": "true", 23 | "io_optimized": "true" 24 | } 25 | ], 26 | "provisioners": [ 27 | { 28 | "type": "file", 29 | "source": "scripts/ack-optimized-os-all.sh", 30 | "destination": "/root/" 31 | }, 32 | { 33 | "type": "shell", 34 | "inline": [ 35 | "export RUNTIME={{user `runtime`}}", 36 | "export SKIP_SECURITY_FIX={{user `skip_secrutiy_fix`}}", 37 | "export OS_ARCH=amd64", 38 | "export PRESET_GPU=true", 39 | "export NVIDIA_DRIVER_VERSION=460.106.00", 40 | "export KEEP_IMAGE_DATA=true", 41 | "export 
KUBE_VERSION=1.28.9-aliyun.1", 42 | "bash /root/ack-optimized-os-all.sh", 43 | "ctr -n k8s.io i pull docker.io/library/nginx:1.7.9" 44 | ] 45 | } 46 | ] 47 | } 48 | -------------------------------------------------------------------------------- /hotfix/hotfix-ipvlan/README.md: -------------------------------------------------------------------------------- 1 | This is the template for ack base image to fix issue [#19](https://github.com/AliyunContainerService/ack-image-builder/issues/19) 2 | 3 | Commands to build image: 4 | ``` 5 | export ALICLOUD_ACCESS_KEY=XXX 6 | export ALICLOUD_SECRET_KEY=XXX 7 | packer build ack-aliyunlinux2-ipvlan.json 8 | ``` -------------------------------------------------------------------------------- /hotfix/hotfix-ipvlan/ack-aliyunlinux2-ipvlan.json: -------------------------------------------------------------------------------- 1 | { 2 | "variables": { 3 | "region": "cn-hangzhou", 4 | "image_name": "test_image{{timestamp}}", 5 | "source_image": "aliyun_2_1903_x64_20G_alibase_20200529.vhd", 6 | "instance_type": "ecs.g6.large", 7 | "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}", 8 | "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}" 9 | }, 10 | "builders": [ 11 | { 12 | "type": "alicloud-ecs", 13 | "access_key": "{{user `access_key`}}", 14 | "secret_key": "{{user `secret_key`}}", 15 | "region": "{{user `region`}}", 16 | "image_name": "{{user `image_name`}}", 17 | "source_image": "{{user `source_image`}}", 18 | "ssh_username": "root", 19 | "instance_type": "{{user `instance_type`}}", 20 | "skip_image_validation": "true", 21 | "io_optimized": "true" 22 | } 23 | ], 24 | "provisioners": [ 25 | { 26 | "type": "shell", 27 | "scripts": [ 28 | "scripts/installRPMs.sh", 29 | "scripts/updateConfig.sh" 30 | ], 31 | "expect_disconnect": true 32 | } 33 | ] 34 | } 35 | -------------------------------------------------------------------------------- /hotfix/hotfix-ipvlan/scripts/installRPMs.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | curl -LO http://xxx.xx.xx.xxx/kernel-4.19.91-0.1.git.6eb3a5047051.al7.x86_64.rpm 4 | curl -LO http://xxx.xx.xx.xxx/kernel-headers-4.19.91-0.1.git.6eb3a5047051.al7.x86_64.rpm 5 | 6 | yum localinstall -y kernel-4.19.91-0.1.git.6eb3a5047051.al7.x86_64.rpm kernel-headers-4.19.91-0.1.git.6eb3a5047051.al7.x86_64.rpm 7 | 8 | rm -rf kernel-4.19.91-0.1.git.6eb3a5047051.al7.x86_64.rpm kernel-headers-4.19.91-0.1.git.6eb3a5047051.al7.x86_64.rpm -------------------------------------------------------------------------------- /hotfix/hotfix-ipvlan/scripts/updateConfig.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | /usr/sbin/sysctl -w net.ipv4.vs.conn_reuse_mode=1 3 | # 如果压测出现客户端分配不到端口可以改成2 4 | EOF 5 | 6 | chmod +x /root/set-ipvs-sysctls.sh 7 | 8 | echo '*/1 * * * * root bash /root/set-ipvs-sysctls.sh' >> /etc/cron.d/setsysctl 9 | 10 | systemctl reload crond 11 | systemctl restart crond -------------------------------------------------------------------------------- /hotfix/hotfix-issue-19/README.md: -------------------------------------------------------------------------------- 1 | This is the Packer template for the ACK base image that fixes issue [#19](https://github.com/AliyunContainerService/ack-image-builder/issues/19) 2 | 3 | Commands to build the image: 4 | ``` 5 | export ALICLOUD_ACCESS_KEY=XXX 6 | export ALICLOUD_SECRET_KEY=XXX 7 | packer build ack-centos-issue-19.json 8 | ``` -------------------------------------------------------------------------------- /hotfix/hotfix-issue-19/ack-centos-issue-19.json: -------------------------------------------------------------------------------- 1 | { 2 | "variables": { 3 | "region": "cn-hangzhou", 4 | "image_name": "test_image{{timestamp}}", 5 | "source_image": "centos_7_06_64_20G_alibase_20190619.vhd", 6 | "instance_type": "ecs.g6.large", 7 | "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}", 
8 | "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}" 9 | }, 10 | "builders": [ 11 | { 12 | "type": "alicloud-ecs", 13 | "access_key": "{{user `access_key`}}", 14 | "secret_key": "{{user `secret_key`}}", 15 | "region": "{{user `region`}}", 16 | "image_name": "{{user `image_name`}}", 17 | "source_image": "{{user `source_image`}}", 18 | "ssh_username": "root", 19 | "instance_type": "{{user `instance_type`}}", 20 | "skip_image_validation": "true", 21 | "io_optimized": "true" 22 | } 23 | ], 24 | "provisioners": [ 25 | { 26 | "type": "shell", 27 | "scripts": [ 28 | "scripts/updateSystemd.sh", 29 | "scripts/updateContainerd.sh" 30 | ], 31 | "expect_disconnect": true 32 | } 33 | ] 34 | } 35 | -------------------------------------------------------------------------------- /hotfix/hotfix-issue-19/scripts/updateContainerd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | curl -LO https://acs-public-mirror.oss-cn-hangzhou.aliyuncs.com/docker-engine/daemon-build/centos/containerd.io-1.2.10-3.2.el7.x86_64.rpm containerd.io-1.2.10-3.2.el7.x86_64.rpm 4 | 5 | yum localinstall -y containerd.io-1.2.10-3.2.el7.x86_64.rpm 6 | 7 | rm -rf containerd.io-1.2.10-3.2.el7.x86_64.rpm -------------------------------------------------------------------------------- /hotfix/hotfix-issue-19/scripts/updateSystemd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | yum install -y systemd-219-67.el7_7.3.x86_64 -------------------------------------------------------------------------------- /scripts/ack-optimized-os-1.18.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | set -e 5 | 6 | usage() { 7 | cat >&2 <<-EOF 8 | Usage: 9 | $0 -r RUNTIME [-s] 10 | 11 | Flags: 12 | -r: sepcify container runtime, available value: docker and containerd 13 | -s: skip security upgrade 14 | 15 | Example: 16 | $0 -r docker -s 17 | $0 -r 
docker 18 | $0 -r containerd -s 19 | $0 -r containerd 20 | EOF 21 | exit 1 22 | } 23 | 24 | check_params() { 25 | while getopts "r:sh" opt; do 26 | case $opt in 27 | r) RUNTIME="$OPTARG" ; ;; 28 | s) SKIP_SECURITY_FIX="1" ; ;; 29 | h | ?) usage ; ;; 30 | esac 31 | done 32 | 33 | if [[ -z $RUNTIME ]] || [[ $RUNTIME != "docker" && $RUNTIME != "containerd" ]]; then 34 | echo "ERROR: RUNTIME must not be empty, only support 'docker' and 'containerd' " 35 | usage 36 | fi 37 | } 38 | 39 | setup_env() { 40 | export RUNTIME 41 | export OS="AliyunOS" 42 | RUNTIME_VERSION=${RUNTIME_VERSION:-1.4.4} 43 | export RUNTIME_VERSION 44 | DOCKER_VERSION=${DOCKER_VERSION:-19.03.5} 45 | export DOCKER_VERSION 46 | export KUBE_VERSION="1.18.8-aliyun.1" 47 | export REGION=$(curl --retry 10 -sSL http://100.100.100.200/latest/meta-data/region-id) 48 | export PKG_FILE_SERVER="http://aliacs-k8s-$REGION.oss-$REGION-internal.aliyuncs.com/$BETA_VERSION" 49 | export ACK_OPTIMIZED_OS_BUILD=1 50 | } 51 | 52 | 53 | download_pkg() { 54 | curl --retry 4 $PKG_FILE_SERVER/public/pkg/run/run-${KUBE_VERSION}.tar.gz -O 55 | tar -xvf run-${KUBE_VERSION}.tar.gz 56 | } 57 | 58 | source_file() { 59 | source pkg/run/$KUBE_VERSION/kubernetes.sh --role source 60 | } 61 | 62 | install_pkg() { 63 | public::common::sync_ntpd 64 | public::common::install_package 65 | } 66 | 67 | trim_os() { 68 | local pkg_list="acl 69 | aic94xx-firmware 70 | aliyun-cli 71 | alsa-firmware 72 | alsa-lib 73 | alsa-tools-firmware 74 | authconfig 75 | avahi-libs 76 | bind-libs-lite 77 | bind-license 78 | biosdevname 79 | btrfs-progs 80 | cloud 81 | device-mapper-event 82 | device-mapper-event-libs 83 | dmraid 84 | dmraid-events 85 | dosfstools 86 | ed 87 | file 88 | firewalld 89 | firewalld-filesystem 90 | freetype 91 | fxload 92 | GeoIP 93 | geoipupdate 94 | gettext 95 | gettext-libs 96 | glibc-devel 97 | hunspell 98 | hunspell-en 99 | hunspell-en-GB 100 | hunspell-en-US 101 | ivtv-firmware 102 | iwl1000-firmware 103 | iwl100-firmware 104 
| iwl105-firmware 105 | iwl135-firmware 106 | iwl2000-firmware 107 | iwl2030-firmware 108 | iwl3160-firmware 109 | iwl3945-firmware 110 | iwl4965-firmware 111 | iwl5000-firmware 112 | iwl5150-firmware 113 | iwl6000-firmware 114 | iwl6000g2a-firmware 115 | iwl6000g2b-firmware 116 | iwl6050-firmware 117 | iwl7260-firmware 118 | jansson 119 | kbd 120 | kbd-legacy 121 | kbd-misc 122 | libaio 123 | libdrm 124 | libmpc 125 | libpciaccess 126 | libpng 127 | libreport-filesystem 128 | lm_sensors-libs 129 | lsscsi 130 | lvm2 131 | m4 132 | mailx 133 | man-db 134 | mariadb-libs 135 | mdadm 136 | microcode_ctl 137 | mpfr 138 | NetworkManager 139 | NetworkManager-libnm 140 | NetworkManager-team 141 | NetworkManager-tui 142 | patch 143 | plymouth 144 | plymouth-scripts 145 | postfix 146 | python3 147 | python3-libs 148 | python3-pip 149 | python3-setuptools 150 | python-decorator 151 | python-IPy 152 | rng-tools 153 | rsync 154 | sgpio 155 | slang 156 | spax 157 | strace 158 | sysstat 159 | tcpdump 160 | teamd 161 | vim-common 162 | vim-enhanced 163 | vim-filesystem 164 | wl1000-firmware 165 | wpa_supplicant 166 | xfsprogs 167 | " 168 | yum remove -y $pkg_list 169 | rm -rf /lib/modules/$(uname -r)/kernel/drivers/{media,staging,gpu,usb} 170 | rm -rf /boot/*-rescue-* /boot/*3.10.0* /usr/share/{doc,man} /usr/src 171 | } 172 | 173 | pull_image() { 174 | if [[ "$RUNTIME" = "docker" ]]; then 175 | systemctl start docker 176 | sleep 10 177 | 178 | docker pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/kube-proxy:v${KUBE_VERSION} 179 | docker pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/pause:3.2 180 | else 181 | systemctl start containerd 182 | sleep 10 183 | 184 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/kube-proxy:v${KUBE_VERSION} 185 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/pause:3.2 186 | fi 187 | } 188 | 189 | update_os_release() { 190 | if [[ ! 
-f /etc/image-id ]]; then 191 | touch /etc/image-id 192 | fi 193 | echo "custom_tag:ACK-Optimized-OS" >> /etc/image-id 194 | } 195 | 196 | record_k8s_version() { 197 | cat > /etc/ACK-Optimized-OS <<-EOF 198 | kubelet=$KUBE_VERSION 199 | docker=$DOCKER_VERSION 200 | EOF 201 | } 202 | 203 | post_install() { 204 | if [[ $SKIP_SECURITY_FIX ]]; then 205 | touch /var/.skip-security-fix 206 | fi 207 | } 208 | 209 | cleanup() { 210 | rm -rf ./{addon*,docker*,kubernetes*,pkg,run*} 211 | } 212 | 213 | main() { 214 | trap 'cleanup' EXIT 215 | 216 | check_params "$@" 217 | setup_env 218 | 219 | trim_os 220 | 221 | download_pkg 222 | source_file 223 | install_pkg 224 | pull_image 225 | update_os_release 226 | record_k8s_version 227 | } 228 | 229 | main "$@" 230 | -------------------------------------------------------------------------------- /scripts/ack-optimized-os-1.22.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | set -e 5 | 6 | usage() { 7 | cat >&2 <<-EOF 8 | Usage: 9 | $0 -r RUNTIME [-s] 10 | 11 | Flags: 12 | -r: sepcify container runtime, available value: docker and containerd 13 | -s: skip security upgrade 14 | 15 | Example: 16 | $0 -r docker -s 17 | $0 -r docker 18 | $0 -r containerd -s 19 | $0 -r containerd 20 | EOF 21 | exit 1 22 | } 23 | 24 | check_params() { 25 | while getopts "r:sh" opt; do 26 | case $opt in 27 | r) RUNTIME="$OPTARG" ; ;; 28 | s) SKIP_SECURITY_FIX="1" ; ;; 29 | h | ?) 
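usage ; ;; 30 | esac 31 | done 32 | 33 | if [[ -z $RUNTIME ]] || [[ $RUNTIME != "docker" && $RUNTIME != "containerd" ]]; then 34 | echo "ERROR: RUNTIME must not be empty, only support 'docker' and 'containerd' " 35 | usage 36 | fi 37 | } 38 | 39 | setup_env() {
    # Export the build-time variables consumed by the run package downloaded in
    # download_pkg (kubernetes.sh) and by the later phases of this script.
    # Reads: RUNTIME (from check_params / the environment), optional
    # RUNTIME_VERSION and KUBE_REPO_PREFIX overrides.
    # Exits non-zero when the region id cannot be read from instance metadata.
    export RUNTIME
    export OS="AliyunOS"
    export CLOUD_TYPE="public"
    export KUBE_VERSION="1.22.15-aliyun.1"

    # Assign first, then export: `export VAR=$(cmd)` hides cmd's exit status
    # from `set -e`, so a failed metadata lookup used to leave REGION empty and
    # the build continued with a malformed PKG_FILE_SERVER URL.
    local region
    region=$(curl --retry 10 -sSL http://100.100.100.200/latest/meta-data/region-id)
    # REGION is interpolated into hostnames below; accept only the character
    # set a region id uses (e.g. cn-hangzhou) before it reaches curl.
    if [[ ! "$region" =~ ^[a-z0-9-]+$ ]]; then
        echo "ERROR: unable to determine region id from instance metadata (got '$region')" >&2
        exit 1
    fi
    export REGION="$region"
    # NOTE(review): plain http, and download_pkg untars the fetched archive
    # without any integrity check -- confirm the internal OSS endpoint is the
    # only path this can resolve to.
    export PKG_FILE_SERVER="http://aliacs-k8s-$REGION.oss-$REGION-internal.aliyuncs.com/"
    export ACK_OPTIMIZED_OS_BUILD=1

    # Default runtime version differs per runtime; DOCKER_VERSION is only set
    # for docker (record_k8s_version writes it either way).
    if [[ "$RUNTIME" = "docker" ]]; then
        RUNTIME_VERSION=${RUNTIME_VERSION:-19.03.15}
        export RUNTIME_VERSION
        DOCKER_VERSION=${RUNTIME_VERSION:-19.03.15}
        export DOCKER_VERSION
    else
        RUNTIME_VERSION=${RUNTIME_VERSION:-1.5.13}
        export RUNTIME_VERSION
    fi

    # setup k8s pull image prefix
    if [[ -z "$KUBE_REPO_PREFIX" && -n "$REGION" ]]; then
        export KUBE_REPO_PREFIX=registry-vpc.$REGION.aliyuncs.com/acs
    fi
}
64 | 65 | trim_os() { 66 | local pkg_list="acl 67 | aic94xx-firmware 68 | aliyun-cli 69 | alsa-firmware 70 | alsa-lib 71 | alsa-tools-firmware 72 | authconfig 73 | avahi-libs 74 | bind-libs-lite 75 | bind-license 76 | biosdevname 77 | btrfs-progs 78 | cloud 79 | device-mapper-event 80 | device-mapper-event-libs 81 | dmraid 82 | dmraid-events 83 | dosfstools 84 | ed 85 | file 86 | firewalld 87 | firewalld-filesystem 88 | freetype 89 | fxload 90 | GeoIP 91 | geoipupdate 92 | gettext 93 | gettext-libs 94 | glibc-devel 95 | hunspell 96 | hunspell-en 97 | hunspell-en-GB 98 | hunspell-en-US 99 | ivtv-firmware 100 | iwl1000-firmware 101 | iwl100-firmware 102 | iwl105-firmware 103 | iwl135-firmware 104 | iwl2000-firmware 105 | iwl2030-firmware 106 | iwl3160-firmware 107 | iwl3945-firmware 108 | iwl4965-firmware 109 | iwl5000-firmware 110 | iwl5150-firmware 111 | iwl6000-firmware 112 | iwl6000g2a-firmware 113 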
| iwl6000g2b-firmware 114 | iwl6050-firmware 115 | iwl7260-firmware 116 | jansson 117 | kbd 118 | kbd-legacy 119 | kbd-misc 120 | libaio 121 | libdrm 122 | libmpc 123 | libpciaccess 124 | libpng 125 | libreport-filesystem 126 | lm_sensors-libs 127 | lsscsi 128 | lvm2 129 | m4 130 | mailx 131 | man-db 132 | mariadb-libs 133 | mdadm 134 | microcode_ctl 135 | mpfr 136 | NetworkManager 137 | NetworkManager-libnm 138 | NetworkManager-team 139 | NetworkManager-tui 140 | patch 141 | plymouth 142 | plymouth-scripts 143 | postfix 144 | python3 145 | python3-libs 146 | python3-pip 147 | python3-setuptools 148 | python-decorator 149 | python-IPy 150 | rng-tools 151 | rsync 152 | sgpio 153 | slang 154 | spax 155 | strace 156 | sysstat 157 | tcpdump 158 | teamd 159 | vim-common 160 | vim-enhanced 161 | vim-filesystem 162 | wl1000-firmware 163 | wpa_supplicant 164 | xfsprogs 165 | " 166 | 167 | yum remove -y $pkg_list 168 | rm -rf /lib/modules/$(uname -r)/kernel/drivers/{media,staging,gpu,usb} 169 | rm -rf /boot/*-rescue-* /boot/*3.10.0* /usr/share/{doc,man} /usr/src 170 | } 171 | 172 | download_pkg() { 173 | export RELEASE_VERSION=$(echo $KUBE_VERSION | awk -F. 
'{print $1"."$2}') 174 | curl --retry 4 $PKG_FILE_SERVER/public/pkg/run/run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz -O 175 | tar -xvf run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz 176 | } 177 | 178 | 179 | source_file() { 180 | ROLE=deploy-nodes pkg/run/$RELEASE_VERSION/bin/kubernetes.sh 181 | } 182 | 183 | preset_gpu() { 184 | if [[ "$PRESET_GPU" == "true" ]]; then 185 | export SRC_DIR=pkg/run/$RELEASE_VERSION 186 | for file_name in $(ls $SRC_DIR/lib | grep -v init.sh | grep -v common.sh | grep -v log.sh); do 187 | source $SRC_DIR/lib/$file_name 188 | done 189 | 190 | if [[ $NVIDIA_DRIVER_VERSION == "" ]];then 191 | export NVIDIA_DRIVER_VERSION=460.91.03 192 | fi 193 | 194 | nvidia::create_dir 195 | # --nvidia-driver-runfile 指定驱动文件路径 196 | nvidia::prepare_driver_package 197 | # --nvidia-container-toolkit-rpms 指定nvidia container toolkit包含的rpm包所在目录 198 | nvidia::prepare_container_runtime_package 199 | # --nvidia-fabricmanager-rpm 指定nvidia fabric manager安装包(rpm格式)路径 200 | nvidia::prepare_driver_package 201 | # --nvidia-device-plugin-yaml 指定nvidia device plugin yaml文件路径 202 | nvidia::deploy_static_pod 203 | 204 | if [[ $RUNTIME == "docker" ]];then 205 | export SKIP_CONTAINER_RUNTIME_CONFIG=true 206 | fi 207 | 208 | nvidia::gpu::installer::main 209 | fi 210 | } 211 | 212 | pull_image() { 213 | if [[ "$RUNTIME" = "docker" ]]; then 214 | systemctl start docker 215 | sleep 10 216 | 217 | docker pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/kube-proxy:v${KUBE_VERSION} 218 | docker pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/pause:3.5 219 | else 220 | systemctl start containerd 221 | sleep 10 222 | 223 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/kube-proxy:v${KUBE_VERSION} 224 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/pause:3.5 225 | fi 226 | } 227 | 228 | update_os_release() { 229 | if [[ ! 
-f /etc/image-id ]]; then 230 | touch /etc/image-id 231 | fi 232 | echo "custom_tag:ACK-Optimized-OS" >> /etc/image-id 233 | } 234 | 235 | record_k8s_version() { 236 | cat >/etc/ACK-Optimized-OS <<-EOF 237 | kubelet=$KUBE_VERSION 238 | runtime=$RUNTIME 239 | docker=$DOCKER_VERSION 240 | EOF 241 | } 242 | 243 | post_install() { 244 | if [[ $SKIP_SECURITY_FIX ]]; then 245 | touch /var/.skip-security-fix 246 | fi 247 | } 248 | 249 | mount_data_disk() { 250 | set -e 251 | if [[ "$MOUNT_RUNTIME_DATADISK" != "true" ]]; then 252 | return 0 253 | fi 254 | 255 | local runtime_dir 256 | if [[ "$RUNTIME" = "containerd" ]]; then 257 | runtime_dir="containerd" 258 | else 259 | runtime_dir="docker" 260 | fi 261 | 262 | #check to see whether docker or containerd is already mounted. 263 | if cat /etc/fstab | grep -E "/var/lib/${runtime_dir}"; then 264 | # Assume user take over disk management or disk has already mounted. return immediately. 265 | log_warn " /var/lib/${runtime_dir} has been mounted. return" 266 | return 0 267 | fi 268 | 269 | if [ "$DATA_DISK_SERIAL_ID" != "" ]; then 270 | devices=$(lsblk -l -n -o NAME -d -p) 271 | for dev in $devices; do 272 | if udevadm info --query=all --name=$dev | grep "ID_SERIAL=" | grep "$DATA_DISK_SERIAL_ID"; then 273 | DISK_DEVICE=$dev 274 | break 275 | fi 276 | done 277 | if [ "$DISK_DEVICE" == "" ]; then 278 | log_warn "specified disk device ${DATA_DISK_SERIAL_ID} not found. return" 279 | return 0 280 | fi 281 | fi 282 | 283 | # initialize device name. 284 | if [ "$DISK_DEVICE" != "" ]; then 285 | device=$DISK_DEVICE 286 | else 287 | # refuse to mount & format disk if it has only one disk. 288 | diskcnt=$(lsblk -l -n -o NAME -d -p | wc -l) 289 | if [ "$diskcnt" -le 1 ]; then 290 | echo "WARNING: node has only one disk, refuse fdisk op." 291 | return 292 | fi 293 | 294 | # search for the last device of /dev/*vd*. compatible with local ssd 295 | # Consider this device to be aliyun disk. 296 | # compatible with legacy installation. 
297 | if lsblk -l -n -o NAME -d -p | grep nvme; then 298 | device=$(lsblk -l -n -o NAME -d -p | grep nvme | sort | tail -n 1) 299 | else 300 | device=$(lsblk -l -n -o NAME -d -p | sort | tail -n 1) 301 | fi 302 | fi 303 | if [ ! -b "$device" ]; then 304 | echo "auto_fdisk fail: [$device] is not a block device" 305 | return 1 306 | fi 307 | 308 | export DATA_DISK_SERIAL_ID=$(udevadm info --query=all --name=$device | grep ID_SERIAL | sed -n 's/.*ID_SERIAL=\(.*\)/\1/p') 309 | 310 | # choose the real partition name. exactly the first partition eg. 311 | # /dev/vda 312 | # /dev/vda1 313 | rdevice=$(lsblk -l -n -o NAME -p ${device} | head -n 2 | tail -n 1) 314 | 315 | # check existing fs type. xfs must formated with fstype=1 parameter. 316 | fstype=$(lsblk -l -n -f -o FSTYPE $rdevice) 317 | case $fstype in 318 | "") 319 | # not formatted. do mkfs. 320 | AUTO_FDISK_FSTYPE=${AUTO_FDISK_FSTYPE:-ext4} 321 | case $AUTO_FDISK_FSTYPE in 322 | "ext4") 323 | mkfs.ext4 -i 8192 "$rdevice" 324 | ;; 325 | "xfs") 326 | mkfs.xfs -n ftype=1 "$rdevice" 327 | ;; 328 | *) 329 | echo "InvalidFsType" "invalid fs type $AUTO_FDISK_FSTYPE" 330 | ;; 331 | esac 332 | fstype="$AUTO_FDISK_FSTYPE" 333 | ;; 334 | "xfs") 335 | # check for xfs parameter. 336 | if ! 
xfs_info "$rdevice" | grep ftype=1; then 337 | echo "InvalidXfs" "xfs filesystem must formated with parameter fstype=1, docker required" 338 | fi 339 | ;; 340 | esac 341 | 342 | mkdir -p /var/lib/container 343 | mount ${rdevice} /var/lib/container/ 344 | echo "mountDataDiskDone" 345 | } 346 | 347 | cleanup() { 348 | rm -rf /root/ack-deploy 349 | } 350 | 351 | main() { 352 | trap 'cleanup' EXIT 353 | 354 | check_params "$@" 355 | setup_env 356 | 357 | trim_os 358 | 359 | download_pkg 360 | source_file 361 | preset_gpu 362 | pull_image 363 | keep_container_data 364 | update_os_release 365 | record_k8s_version 366 | post_install 367 | } 368 | 369 | main "$@" 370 | -------------------------------------------------------------------------------- /scripts/ack-optimized-os-1.24.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | set -e 5 | 6 | usage() { 7 | cat >&2 <<-EOF 8 | Usage: 9 | $0 -r RUNTIME [-s] 10 | 11 | Flags: 12 | -r: sepcify container runtime, available value: docker and containerd 13 | -s: skip security upgrade 14 | 15 | Example: 16 | $0 -r docker -s 17 | $0 -r docker 18 | $0 -r containerd -s 19 | $0 -r containerd 20 | EOF 21 | exit 1 22 | } 23 | 24 | check_params() { 25 | while getopts "r:sh" opt; do 26 | case $opt in 27 | r) RUNTIME="$OPTARG" ; ;; 28 | s) SKIP_SECURITY_FIX="1" ; ;; 29 | h | ?) 
usage ; ;; 30 | esac 31 | done 32 | 33 | if [[ -z $RUNTIME ]] || [[ $RUNTIME != "containerd" ]]; then 34 | echo "ERROR: RUNTIME must not be empty, only support 'containerd' " 35 | usage 36 | fi 37 | } 38 | 39 | setup_env() { 40 | export OS="AliyunOS" 41 | RUNTIME_VERSION=${RUNTIME_VERSION:-1.6.20} 42 | export RUNTIME_VERSION 43 | export CLOUD_TYPE="public" 44 | export KUBE_VERSION="1.24.6-aliyun.1" 45 | export REGION=$(curl --retry 10 -sSL http://100.100.100.200/latest/meta-data/region-id) 46 | export PKG_FILE_SERVER="http://aliacs-k8s-$REGION.oss-$REGION-internal.aliyuncs.com/" 47 | export ACK_OPTIMIZED_OS_BUILD=1 48 | 49 | # setup k8s pull image prefix 50 | if [[ -z "$KUBE_REPO_PREFIX" && -n "$REGION" ]]; then 51 | export KUBE_REPO_PREFIX=registry-vpc.$REGION.aliyuncs.com/acs 52 | fi 53 | } 54 | 55 | trim_os() { 56 | local pkg_list="acl 57 | aic94xx-firmware 58 | aliyun-cli 59 | alsa-firmware 60 | alsa-lib 61 | alsa-tools-firmware 62 | authconfig 63 | avahi-libs 64 | bind-libs-lite 65 | bind-license 66 | biosdevname 67 | btrfs-progs 68 | cloud 69 | device-mapper-event 70 | device-mapper-event-libs 71 | dmraid 72 | dmraid-events 73 | dosfstools 74 | ed 75 | file 76 | firewalld 77 | firewalld-filesystem 78 | freetype 79 | fxload 80 | GeoIP 81 | geoipupdate 82 | gettext 83 | gettext-libs 84 | glibc-devel 85 | hunspell 86 | hunspell-en 87 | hunspell-en-GB 88 | hunspell-en-US 89 | ivtv-firmware 90 | iwl1000-firmware 91 | iwl100-firmware 92 | iwl105-firmware 93 | iwl135-firmware 94 | iwl2000-firmware 95 | iwl2030-firmware 96 | iwl3160-firmware 97 | iwl3945-firmware 98 | iwl4965-firmware 99 | iwl5000-firmware 100 | iwl5150-firmware 101 | iwl6000-firmware 102 | iwl6000g2a-firmware 103 | iwl6000g2b-firmware 104 | iwl6050-firmware 105 | iwl7260-firmware 106 | jansson 107 | kbd 108 | kbd-legacy 109 | kbd-misc 110 | libaio 111 | libdrm 112 | libmpc 113 | libpciaccess 114 | libpng 115 | libreport-filesystem 116 | lm_sensors-libs 117 | lsscsi 118 | lvm2 119 | m4 120 | mailx 
121 | man-db 122 | mariadb-libs 123 | mdadm 124 | microcode_ctl 125 | mpfr 126 | NetworkManager 127 | NetworkManager-libnm 128 | NetworkManager-team 129 | NetworkManager-tui 130 | patch 131 | plymouth 132 | plymouth-scripts 133 | postfix 134 | python3 135 | python3-libs 136 | python3-pip 137 | python3-setuptools 138 | python-decorator 139 | python-IPy 140 | rng-tools 141 | rsync 142 | sgpio 143 | slang 144 | spax 145 | strace 146 | sysstat 147 | tcpdump 148 | teamd 149 | vim-common 150 | vim-enhanced 151 | vim-filesystem 152 | wl1000-firmware 153 | wpa_supplicant 154 | xfsprogs 155 | " 156 | 157 | yum remove -y $pkg_list 158 | rm -rf /lib/modules/$(uname -r)/kernel/drivers/{media,staging,gpu,usb} 159 | rm -rf /boot/*-rescue-* /boot/*3.10.0* /usr/share/{doc,man} /usr/src 160 | } 161 | 162 | download_pkg() { 163 | export RELEASE_VERSION=$(echo $KUBE_VERSION | awk -F. '{print $1"."$2}') 164 | curl --retry 4 $PKG_FILE_SERVER/public/pkg/run/run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz -O 165 | tar -xvf run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz 166 | } 167 | 168 | 169 | source_file() { 170 | ROLE=deploy-nodes pkg/run/$RELEASE_VERSION/bin/kubernetes.sh 171 | } 172 | 173 | preset_gpu() { 174 | if [[ "$PRESET_GPU" == "true" ]]; then 175 | export SRC_DIR=pkg/run/$RELEASE_VERSION 176 | for file_name in $(ls $SRC_DIR/lib | grep -v init.sh | grep -v common.sh | grep -v log.sh); do 177 | source $SRC_DIR/lib/$file_name 178 | done 179 | 180 | if [[ $NVIDIA_DRIVER_VERSION == "" ]];then 181 | export NVIDIA_DRIVER_VERSION=460.91.03 182 | fi 183 | 184 | nvidia::create_dir 185 | # --nvidia-driver-runfile 指定驱动文件路径 186 | nvidia::prepare_driver_package 187 | # --nvidia-container-toolkit-rpms 指定nvidia container toolkit包含的rpm包所在目录 188 | nvidia::prepare_container_runtime_package 189 | # --nvidia-fabricmanager-rpm 指定nvidia fabric manager安装包(rpm格式)路径 190 | nvidia::prepare_driver_package 191 | # --nvidia-device-plugin-yaml 指定nvidia device plugin yaml文件路径 192 | nvidia::deploy_static_pod 
193 | 194 | nvidia::gpu::installer::main 195 | 196 | fi 197 | } 198 | 199 | pull_image() { 200 | systemctl start containerd 201 | sleep 10 202 | 203 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/kube-proxy:v${KUBE_VERSION} 204 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/pause:3.5 205 | } 206 | 207 | update_os_release() { 208 | if [[ ! -f /etc/image-id ]]; then 209 | touch /etc/image-id 210 | fi 211 | echo "custom_tag:ACK-Optimized-OS" >> /etc/image-id 212 | } 213 | 214 | record_k8s_version() { 215 | cat >/etc/ACK-Optimized-OS <<-EOF 216 | kubelet=$KUBE_VERSION 217 | runtime=$RUNTIME 218 | docker=$DOCKER_VERSION 219 | EOF 220 | } 221 | 222 | post_install() { 223 | if [[ $SKIP_SECURITY_FIX ]]; then 224 | touch /var/.skip-security-fix 225 | fi 226 | } 227 | 228 | mount_data_disk() { 229 | set -e 230 | if [[ "$MOUNT_RUNTIME_DATADISK" != "true" ]]; then 231 | return 0 232 | fi 233 | 234 | local runtime_dir 235 | if [[ "$RUNTIME" = "containerd" ]]; then 236 | runtime_dir="containerd" 237 | else 238 | runtime_dir="docker" 239 | fi 240 | 241 | #check to see whether docker or containerd is already mounted. 242 | if cat /etc/fstab | grep -E "/var/lib/${runtime_dir}"; then 243 | # Assume user take over disk management or disk has already mounted. return immediately. 244 | log_warn " /var/lib/${runtime_dir} has been mounted. return" 245 | return 0 246 | fi 247 | 248 | if [ "$DATA_DISK_SERIAL_ID" != "" ]; then 249 | devices=$(lsblk -l -n -o NAME -d -p) 250 | for dev in $devices; do 251 | if udevadm info --query=all --name=$dev | grep "ID_SERIAL=" | grep "$DATA_DISK_SERIAL_ID"; then 252 | DISK_DEVICE=$dev 253 | break 254 | fi 255 | done 256 | if [ "$DISK_DEVICE" == "" ]; then 257 | log_warn "specified disk device ${DATA_DISK_SERIAL_ID} not found. return" 258 | return 0 259 | fi 260 | fi 261 | 262 | # initialize device name. 
263 | if [ "$DISK_DEVICE" != "" ]; then 264 | device=$DISK_DEVICE 265 | else 266 | # refuse to mount & format disk if it has only one disk. 267 | diskcnt=$(lsblk -l -n -o NAME -d -p | wc -l) 268 | if [ "$diskcnt" -le 1 ]; then 269 | echo "WARNING: node has only one disk, refuse fdisk op." 270 | return 271 | fi 272 | 273 | # search for the last device of /dev/*vd*. compatible with local ssd 274 | # Consider this device to be aliyun disk. 275 | # compatible with legacy installation. 276 | if lsblk -l -n -o NAME -d -p | grep nvme; then 277 | device=$(lsblk -l -n -o NAME -d -p | grep nvme | sort | tail -n 1) 278 | else 279 | device=$(lsblk -l -n -o NAME -d -p | sort | tail -n 1) 280 | fi 281 | fi 282 | if [ ! -b "$device" ]; then 283 | echo "auto_fdisk fail: [$device] is not a block device" 284 | return 1 285 | fi 286 | 287 | export DATA_DISK_SERIAL_ID=$(udevadm info --query=all --name=$device | grep ID_SERIAL | sed -n 's/.*ID_SERIAL=\(.*\)/\1/p') 288 | 289 | # choose the real partition name. exactly the first partition eg. 290 | # /dev/vda 291 | # /dev/vda1 292 | rdevice=$(lsblk -l -n -o NAME -p ${device} | head -n 2 | tail -n 1) 293 | 294 | # check existing fs type. xfs must formated with fstype=1 parameter. 295 | fstype=$(lsblk -l -n -f -o FSTYPE $rdevice) 296 | case $fstype in 297 | "") 298 | # not formatted. do mkfs. 299 | AUTO_FDISK_FSTYPE=${AUTO_FDISK_FSTYPE:-ext4} 300 | case $AUTO_FDISK_FSTYPE in 301 | "ext4") 302 | mkfs.ext4 -i 8192 "$rdevice" 303 | ;; 304 | "xfs") 305 | mkfs.xfs -n ftype=1 "$rdevice" 306 | ;; 307 | *) 308 | echo "InvalidFsType" "invalid fs type $AUTO_FDISK_FSTYPE" 309 | ;; 310 | esac 311 | fstype="$AUTO_FDISK_FSTYPE" 312 | ;; 313 | "xfs") 314 | # check for xfs parameter. 315 | if ! 
xfs_info "$rdevice" | grep ftype=1; then 316 | echo "InvalidXfs" "xfs filesystem must formated with parameter fstype=1, docker required" 317 | fi 318 | ;; 319 | esac 320 | 321 | mkdir -p /var/lib/container 322 | mount ${rdevice} /var/lib/container/ 323 | echo "mountDataDiskDone" 324 | } 325 | 326 | cleanup() { 327 | rm -rf /root/ack-deploy 328 | } 329 | 330 | main() { 331 | trap 'cleanup' EXIT 332 | 333 | check_params "$@" 334 | setup_env 335 | 336 | trim_os 337 | 338 | download_pkg 339 | source_file 340 | preset_gpu 341 | pull_image 342 | keep_container_data 343 | update_os_release 344 | record_k8s_version 345 | post_install 346 | } 347 | 348 | main "$@" 349 | -------------------------------------------------------------------------------- /scripts/ack-optimized-os-1.26.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | set -e 5 | 6 | usage() { 7 | cat >&2 <<-EOF 8 | Usage: 9 | $0 -r RUNTIME [-s] 10 | 11 | Flags: 12 | -r: sepcify container runtime, available value: docker and containerd 13 | -s: skip security upgrade 14 | 15 | Example: 16 | $0 -r docker -s 17 | $0 -r docker 18 | $0 -r containerd -s 19 | $0 -r containerd 20 | EOF 21 | exit 1 22 | } 23 | 24 | check_params() { 25 | while getopts "r:sh" opt; do 26 | case $opt in 27 | r) RUNTIME="$OPTARG" ; ;; 28 | s) SKIP_SECURITY_FIX="1" ; ;; 29 | h | ?) 
usage ; ;; 30 | esac 31 | done 32 | 33 | if [[ -z $RUNTIME ]] || [[ $RUNTIME != "containerd" ]]; then 34 | echo "ERROR: RUNTIME must not be empty, only support 'containerd' " 35 | usage 36 | fi 37 | 38 | } 39 | 40 | setup_env() { 41 | export OS="AliyunOS" 42 | RUNTIME_VERSION=${RUNTIME_VERSION:-1.6.20} 43 | export RUNTIME_VERSION 44 | export KUBE_VERSION='1.26.3-aliyun.1' 45 | export REGION=$(curl --retry 10 -sSL http://100.100.100.200/latest/meta-data/region-id) 46 | export PKG_FILE_SERVER="http://aliacs-k8s-$REGION.oss-$REGION-internal.aliyuncs.com/$BETA_VERSION" 47 | export ACK_OPTIMIZED_OS_BUILD=1 48 | 49 | # setup k8s pull image prefix 50 | if [[ -z "$KUBE_REPO_PREFIX" && -n "$REGION" ]]; then 51 | export KUBE_REPO_PREFIX=registry-vpc.$REGION.aliyuncs.com/acs 52 | fi 53 | } 54 | 55 | 56 | download_pkg() { 57 | export RELEASE_VERSION=$(echo $KUBE_VERSION | awk -F. '{print $1"."$2}') 58 | curl --retry 4 $PKG_FILE_SERVER/public/pkg/run/run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz -O 59 | tar -xvf run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz 60 | } 61 | 62 | 63 | source_file() { 64 | ROLE=deploy-nodes pkg/run/$RELEASE_VERSION/bin/kubernetes.sh 65 | } 66 | 67 | #preset_gpu() { 68 | # GPU_PACKAGE_URL=http://aliacs-k8s-${REGION}.oss-${REGION}-internal.aliyuncs.com/public/pkg 69 | # if [[ "$PRESET_GPU" == "true" ]]; then 70 | # bash -x pkg/run/$KUBE_VERSION/bin/nvidia-gpu-installer.sh --package-url-prefix ${GPU_PACKAGE_URL} 71 | # fi 72 | #} 73 | 74 | preset_gpu() { 75 | if [[ "$PRESET_GPU" == "true" ]]; then 76 | export SRC_DIR=pkg/run/$RELEASE_VERSION 77 | for file_name in $(ls $SRC_DIR/lib | grep -v init.sh | grep -v common.sh | grep -v log.sh); do 78 | source $SRC_DIR/lib/$file_name 79 | done 80 | 81 | if [[ $NVIDIA_DRIVER_VERSION == "" ]];then 82 | export NVIDIA_DRIVER_VERSION=460.91.03 83 | fi 84 | 85 | nvidia::create_dir 86 | # --nvidia-driver-runfile 指定驱动文件路径 87 | nvidia::prepare_driver_package 88 | # --nvidia-container-toolkit-rpms 指定nvidia container 
toolkit包含的rpm包所在目录 89 | nvidia::prepare_container_runtime_package 90 | # --nvidia-fabricmanager-rpm 指定nvidia fabric manager安装包(rpm格式)路径 91 | nvidia::prepare_driver_package 92 | # --nvidia-device-plugin-yaml 指定nvidia device plugin yaml文件路径 93 | nvidia::deploy_static_pod 94 | 95 | nvidia::gpu::installer::main 96 | 97 | fi 98 | } 99 | 100 | 101 | 102 | 103 | 104 | trim_os() { 105 | local pkg_list="acl 106 | aic94xx-firmware 107 | aliyun-cli 108 | alsa-firmware 109 | alsa-lib 110 | alsa-tools-firmware 111 | authconfig 112 | avahi-libs 113 | bind-libs-lite 114 | bind-license 115 | biosdevname 116 | btrfs-progs 117 | cloud 118 | device-mapper-event 119 | device-mapper-event-libs 120 | dmraid 121 | dmraid-events 122 | dosfstools 123 | ed 124 | file 125 | firewalld 126 | firewalld-filesystem 127 | freetype 128 | fxload 129 | GeoIP 130 | geoipupdate 131 | gettext 132 | gettext-libs 133 | glibc-devel 134 | hunspell 135 | hunspell-en 136 | hunspell-en-GB 137 | hunspell-en-US 138 | ivtv-firmware 139 | iwl1000-firmware 140 | iwl100-firmware 141 | iwl105-firmware 142 | iwl135-firmware 143 | iwl2000-firmware 144 | iwl2030-firmware 145 | iwl3160-firmware 146 | iwl3945-firmware 147 | iwl4965-firmware 148 | iwl5000-firmware 149 | iwl5150-firmware 150 | iwl6000-firmware 151 | iwl6000g2a-firmware 152 | iwl6000g2b-firmware 153 | iwl6050-firmware 154 | iwl7260-firmware 155 | jansson 156 | kbd 157 | kbd-legacy 158 | kbd-misc 159 | libaio 160 | libdrm 161 | libmpc 162 | libpciaccess 163 | libpng 164 | libreport-filesystem 165 | lm_sensors-libs 166 | lsscsi 167 | lvm2 168 | m4 169 | mailx 170 | man-db 171 | mariadb-libs 172 | mdadm 173 | microcode_ctl 174 | mpfr 175 | NetworkManager 176 | NetworkManager-libnm 177 | NetworkManager-team 178 | NetworkManager-tui 179 | patch 180 | plymouth 181 | plymouth-scripts 182 | postfix 183 | python3 184 | python3-libs 185 | python3-pip 186 | python3-setuptools 187 | python-decorator 188 | python-IPy 189 | rng-tools 190 | rsync 191 | sgpio 192 | slang 
193 | spax 194 | strace 195 | sysstat 196 | tcpdump 197 | teamd 198 | vim-common 199 | vim-enhanced 200 | vim-filesystem 201 | wl1000-firmware 202 | wpa_supplicant 203 | xfsprogs 204 | " 205 | yum remove -y $pkg_list 206 | rm -rf /lib/modules/$(uname -r)/kernel/drivers/{media,staging,gpu,usb} 207 | rm -rf /boot/*-rescue-* /boot/*3.10.0* /usr/share/{doc,man} /usr/src 208 | } 209 | 210 | pull_image() { 211 | systemctl start containerd 212 | sleep 10 213 | 214 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/kube-proxy:v${KUBE_VERSION} 215 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/pause:3.5 216 | } 217 | 218 | update_os_release() { 219 | if [[ ! -f /etc/image-id ]]; then 220 | touch /etc/image-id 221 | fi 222 | echo "custom_tag:ACK-Optimized-OS" >> /etc/image-id 223 | } 224 | 225 | record_k8s_version() { 226 | cat > /etc/ACK-Optimized-OS <<-EOF 227 | kubelet=$KUBE_VERSION 228 | docker=$DOCKER_VERSION 229 | EOF 230 | } 231 | 232 | post_install() { 233 | if [[ "$SKIP_SECURITY_FIX" = "true" ]]; then 234 | touch /var/.skip-security-fix 235 | fi 236 | } 237 | 238 | mount_data_disk() { 239 | set -e 240 | if [[ "$MOUNT_RUNTIME_DATADISK" != "true" ]]; then 241 | return 0 242 | fi 243 | 244 | local runtime_dir 245 | if [[ "$RUNTIME" = "containerd" ]]; then 246 | runtime_dir="containerd" 247 | else 248 | runtime_dir="docker" 249 | fi 250 | 251 | #check to see whether docker or containerd is already mounted. 252 | if cat /etc/fstab | grep -E "/var/lib/${runtime_dir}"; then 253 | # Assume user take over disk management or disk has already mounted. return immediately. 254 | log_warn " /var/lib/${runtime_dir} has been mounted. 
return" 255 | return 0 256 | fi 257 | 258 | if [ "$DATA_DISK_SERIAL_ID" != "" ]; then 259 | devices=$(lsblk -l -n -o NAME -d -p) 260 | for dev in $devices; do 261 | if udevadm info --query=all --name=$dev | grep "ID_SERIAL=" | grep "$DATA_DISK_SERIAL_ID"; then 262 | DISK_DEVICE=$dev 263 | break 264 | fi 265 | done 266 | if [ "$DISK_DEVICE" == "" ]; then 267 | log_warn "specified disk device ${DATA_DISK_SERIAL_ID} not found. return" 268 | return 0 269 | fi 270 | fi 271 | 272 | # initialize device name. 273 | if [ "$DISK_DEVICE" != "" ]; then 274 | device=$DISK_DEVICE 275 | else 276 | # refuse to mount & format disk if it has only one disk. 277 | diskcnt=$(lsblk -l -n -o NAME -d -p | wc -l) 278 | if [ "$diskcnt" -le 1 ]; then 279 | echo "WARNING: node has only one disk, refuse fdisk op." 280 | return 281 | fi 282 | 283 | # search for the last device of /dev/*vd*. compatible with local ssd 284 | # Consider this device to be aliyun disk. 285 | # compatible with legacy installation. 286 | if lsblk -l -n -o NAME -d -p | grep nvme; then 287 | device=$(lsblk -l -n -o NAME -d -p | grep nvme | sort | tail -n 1) 288 | else 289 | device=$(lsblk -l -n -o NAME -d -p | sort | tail -n 1) 290 | fi 291 | fi 292 | if [ ! -b "$device" ]; then 293 | echo "auto_fdisk fail: [$device] is not a block device" 294 | return 1 295 | fi 296 | 297 | export DATA_DISK_SERIAL_ID=$(udevadm info --query=all --name=$device | grep ID_SERIAL | sed -n 's/.*ID_SERIAL=\(.*\)/\1/p') 298 | 299 | # choose the real partition name. exactly the first partition eg. 300 | # /dev/vda 301 | # /dev/vda1 302 | rdevice=$(lsblk -l -n -o NAME -p ${device} | head -n 2 | tail -n 1) 303 | 304 | # check existing fs type. xfs must formated with fstype=1 parameter. 305 | fstype=$(lsblk -l -n -f -o FSTYPE $rdevice) 306 | case $fstype in 307 | "") 308 | # not formatted. do mkfs. 
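AUTO_FDISK_FSTYPE=${AUTO_FDISK_FSTYPE:-ext4}
        case $AUTO_FDISK_FSTYPE in
        "ext4")
            mkfs.ext4 -i 8192 "$rdevice"
            ;;
        "xfs")
            mkfs.xfs -n ftype=1 "$rdevice"
            ;;
        *)
            # Stop here: the device is still unformatted and the mount below
            # would otherwise fail with a far less helpful error.
            echo "InvalidFsType" "invalid fs type $AUTO_FDISK_FSTYPE" >&2
            return 1
            ;;
        esac
        fstype="$AUTO_FDISK_FSTYPE"
        ;;
    "xfs")
        # check for xfs parameter (ftype=1 is required by the container runtime).
        if ! xfs_info "$rdevice" | grep -q ftype=1; then
            # Kept as a warning rather than an abort to preserve previous behaviour.
            echo "InvalidXfs" "xfs filesystem must formated with parameter fstype=1, docker required"
        fi
        ;;
    esac

    # NOTE(review): the mount point is /var/lib/container although the fstab
    # check at the top of this function looks for /var/lib/<runtime>, and no
    # fstab entry is written, so the mount does not persist across reboot.
    mkdir -p /var/lib/container
    mount "${rdevice}" /var/lib/container/
    echo "mountDataDiskDone"
}

# Remove the downloaded bundle and installer leftovers from the working
# directory; registered as the EXIT trap in main.
cleanup() {
    rm -rf ./{addon*,docker*,kubernetes*,pkg,run*}
}

# Build pipeline entry point. keep_container_data is not defined in this
# script; presumably it comes from the installer sourced by source_file.
main() {
    trap 'cleanup' EXIT

    check_params "$@"
    setup_env

    trim_os

    download_pkg
    source_file
    preset_gpu
    pull_image
    keep_container_data
    update_os_release
    record_k8s_version
}

main "$@"
-------------------------------------------------------------------------------- /scripts/ack-optimized-os-all.sh: --------------------------------------------------------------------------------
#!/bin/bash

# -x traces every command (including exported values) to stderr; -e aborts
# on the first failing command, so every helper below relies on it.
set -x
set -e

# Print usage to stderr and exit 1.
usage() {
    cat >&2 <<EOF
Usage:
  $0 -r RUNTIME [-s]

Flags:
  -r: specify container runtime, available value: docker and containerd
  -s: skip security upgrade

Example:
  $0 -r docker -s
  $0 -r docker
  $0 -r containerd -s
  $0 -r containerd
EOF
    exit 1
}

# Parse -r/-s/-h into RUNTIME and SKIP_SECURITY_FIX; anything unknown prints usage.
check_params() {
    while getopts "r:sh" opt; do
        case $opt in
        r) RUNTIME="$OPTARG" ;;
        s) SKIP_SECURITY_FIX="1" ;;
        h | ?)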
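usage ;;
        esac
    done

    # Fail closed: RUNTIME selects the systemd unit, the pull tool and the
    # version defaults below, so anything but the two known values is rejected.
    if [[ -z $RUNTIME ]] || [[ $RUNTIME != "docker" && $RUNTIME != "containerd" ]]; then
        echo "ERROR: RUNTIME must not be empty, only support 'docker' and 'containerd' " >&2
        usage
    fi
}

# Export the environment the downloaded installer expects.
# Reads: RUNTIME (set by check_params); RUNTIME_VERSION, KUBE_REPO_PREFIX and
# BETA_VERSION from the caller's environment (all optional).
# Exports: OS, RUNTIME_VERSION, DOCKER_VERSION (docker only), REGION,
# PKG_FILE_SERVER, ACK_OPTIMIZED_OS_BUILD and, unless preset, KUBE_REPO_PREFIX.
setup_env() {
    export OS="AliyunOS"

    if [[ "$RUNTIME" = "docker" ]]; then
        RUNTIME_VERSION=${RUNTIME_VERSION:-19.03.15}
        export RUNTIME_VERSION
        # RUNTIME_VERSION is non-empty at this point; the default is kept for symmetry.
        DOCKER_VERSION=${RUNTIME_VERSION:-19.03.15}
        export DOCKER_VERSION
    else
        RUNTIME_VERSION=${RUNTIME_VERSION:-1.6.20}
        export RUNTIME_VERSION
    fi

    # Region id from the ECS instance metadata service. A failed lookup yields
    # an empty string instead of aborting here; the value is validated below.
    # NOTE(review): this is the plain (token-less) metadata request; an instance
    # whose metadata service is set to hardened mode rejects it and needs the
    # token-based flow instead.
    local region
    region=$(curl --retry 10 -sSL --connect-timeout 5 --max-time 15 \
        http://100.100.100.200/latest/meta-data/region-id || true)

    # REGION is spliced into the hostnames this script downloads and executes
    # code from (PKG_FILE_SERVER, KUBE_REPO_PREFIX, the registry in pull_image).
    # Refuse anything that does not look like a region id rather than building
    # URLs out of an empty string or an error page.
    if [[ ! "$region" =~ ^[a-z0-9-]+$ ]]; then
        echo "ERROR: unexpected region-id from metadata service: '${region}'" >&2
        exit 1
    fi
    export REGION="$region"

    export PKG_FILE_SERVER="http://aliacs-k8s-$REGION.oss-$REGION-internal.aliyuncs.com/$BETA_VERSION"
    export ACK_OPTIMIZED_OS_BUILD=1

    # setup k8s pull image prefix
    if [[ -z "$KUBE_REPO_PREFIX" && -n "$REGION" ]]; then
        export KUBE_REPO_PREFIX=registry-vpc.$REGION.aliyuncs.com/acs
    fi
}


# Fetch and unpack the installer bundle matching KUBE_VERSION into ./pkg.
# Reads: KUBE_VERSION, PKG_FILE_SERVER, and OS_ARCH, which nothing in this
# script sets — presumably supplied by the image build environment.
# Exports: RELEASE_VERSION (major.minor) for 1.20+ bundles.
# NOTE(review): the bundle is fetched over plain HTTP from the regional internal
# OSS endpoint and is neither checksummed nor signature-checked before
# source_file executes it as root; the transport is the only trust boundary.
download_pkg() {
    local major minor
    major=$(echo "${KUBE_VERSION}" | cut -d. -f1)
    minor=$(echo "${KUBE_VERSION}" | cut -d. -f2)

    # --fail makes curl exit non-zero on an HTTP error instead of saving the
    # error page under the tarball name, which would only surface at tar time.
    if [[ "$major" -ge 1 && "$minor" -ge 20 ]]; then
        export RELEASE_VERSION="${major}.${minor}"
        curl --fail --retry 4 "$PKG_FILE_SERVER/public/pkg/run/run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz" -O
        tar -xvf "run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz"
    else
        curl --fail --retry 4 "$PKG_FILE_SERVER/public/pkg/run/run-${KUBE_VERSION}.tar.gz" -O
        tar -xvf "run-${KUBE_VERSION}.tar.gz"
    fi
}


# Hand over to the installer shipped in the bundle. The layout depends on the
# bundle generation: the older one ships a kubernetes.sh that is sourced with
# "--role source" and then driven via install_pkg; the newer one ships
# bin/kubernetes.sh, run as a program with ROLE=deploy-nodes.
# Returns 1 when neither file exists, so a build cannot silently skip the
# kubernetes install and still be tagged as ACK-Optimized-OS.
source_file() {
    if [[ -e "pkg/run/$KUBE_VERSION/kubernetes.sh" ]]; then
        # shellcheck disable=SC1090
        source "pkg/run/$KUBE_VERSION/kubernetes.sh" --role source
        install_pkg
    elif [[ -e "pkg/run/$RELEASE_VERSION/bin/kubernetes.sh" ]]; then
        ROLE=deploy-nodes "pkg/run/$RELEASE_VERSION/bin/kubernetes.sh"
    else
        echo "ERROR: no kubernetes.sh found under pkg/run for KUBE_VERSION=${KUBE_VERSION}" >&2
        return 1
    fi
}

# Both helpers are provided by the kubernetes.sh sourced in source_file.
install_pkg() {
    public::common::sync_ntpd
    public::common::install_package
}

# Pre-install the NVIDIA driver, container toolkit and device plugin when
# PRESET_GPU=true. Sources the installer's lib/ directory (all of it, minus the
# bootstrap files) and then calls its nvidia::* entry points.
# Reads: PRESET_GPU, KUBE_VERSION, RELEASE_VERSION, NVIDIA_DRIVER_VERSION, RUNTIME.
# Exports: SRC_DIR (1.21+), NVIDIA_DRIVER_VERSION, SKIP_CONTAINER_RUNTIME_CONFIG (docker).
preset_gpu() {
    if [[ "$PRESET_GPU" != "true" ]]; then
        return
    fi

    local minor lib_dir f
    minor=$(echo "${KUBE_VERSION}" | cut -d. -f2)

    # Glob instead of parsing ls; the name filters keep the original
    # substring semantics (anything containing init.sh/common.sh/log.sh).
    if [[ "$minor" -lt 20 ]]; then
        return
    elif [[ "$minor" -eq 20 ]]; then
        lib_dir="pkg/run/$RELEASE_VERSION/lib"
        for f in "$lib_dir"/*; do
            [[ -e "$f" ]] || continue
            case "${f##*/}" in *init.sh*) continue ;; esac
            # shellcheck disable=SC1090
            source "$f"
        done
    else
        export SRC_DIR="pkg/run/$RELEASE_VERSION"
        lib_dir="$SRC_DIR/lib"
        for f in "$lib_dir"/*; do
            [[ -e "$f" ]] || continue
            case "${f##*/}" in *init.sh* | *common.sh* | *log.sh*) continue ;; esac
            # shellcheck disable=SC1090
            source "$f"
        done
    fi

    if [[ -z "$NVIDIA_DRIVER_VERSION" ]]; then
        export NVIDIA_DRIVER_VERSION=460.91.03
    fi

    nvidia::create_dir
    # --nvidia-driver-runfile: path of the driver run file
    nvidia::prepare_driver_package
    # --nvidia-container-toolkit-rpms: directory holding the container toolkit rpms
    nvidia::prepare_container_runtime_package
    # --nvidia-fabricmanager-rpm: path of the fabric manager rpm
    # NOTE(review): this calls prepare_driver_package a second time although the
    # comment refers to fabric manager — looks like a copy/paste; confirm against
    # the lib whether a dedicated fabric manager step exists.
    nvidia::prepare_driver_package
    # --nvidia-device-plugin-yaml: path of the device plugin yaml
    nvidia::deploy_static_pod

    if [[ $RUNTIME == "docker" ]]; then
        export SKIP_CONTAINER_RUNTIME_CONFIG=true
    fi

    nvidia::gpu::installer::main
}

# Strip packages, firmware, docs and sources the node image does not need.
# The list is passed unquoted on purpose so yum receives one argument per line.
# Also drops unused kernel driver trees and the rescue/old (3.10.0) kernels.
trim_os() {
    local pkg_list="acl
aic94xx-firmware
aliyun-cli
alsa-firmware
alsa-lib
alsa-tools-firmware
authconfig
avahi-libs
bind-libs-lite
bind-license
biosdevname
btrfs-progs
cloud
device-mapper-event
device-mapper-event-libs
dmraid
dmraid-events
dosfstools
ed
file
firewalld
firewalld-filesystem
freetype
fxload
GeoIP
geoipupdate
gettext
gettext-libs
glibc-devel
hunspell
hunspell-en
hunspell-en-GB
hunspell-en-US
ivtv-firmware
iwl1000-firmware
iwl100-firmware
iwl105-firmware
iwl135-firmware
iwl2000-firmware
iwl2030-firmware
iwl3160-firmware
iwl3945-firmware
iwl4965-firmware
iwl5000-firmware
iwl5150-firmware
iwl6000-firmware
iwl6000g2a-firmware
iwl6000g2b-firmware
iwl6050-firmware
iwl7260-firmware
jansson
kbd
kbd-legacy
kbd-misc
libaio
libdrm
libmpc
libpciaccess
libpng
libreport-filesystem
lm_sensors-libs
lsscsi
lvm2
m4
mailx
man-db
mariadb-libs
mdadm
microcode_ctl
mpfr
NetworkManager
NetworkManager-libnm
NetworkManager-team
NetworkManager-tui
patch
plymouth
plymouth-scripts
postfix
python3
python3-libs
python3-pip
python3-setuptools
python-decorator
python-IPy
rng-tools
rsync
sgpio
slang
spax
strace
sysstat
tcpdump
teamd
vim-common
vim-enhanced
vim-filesystem
wl1000-firmware
wpa_supplicant
xfsprogs
"
    # shellcheck disable=SC2086
    yum remove -y $pkg_list
    rm -rf "/lib/modules/$(uname -r)/kernel/drivers/"{media,staging,gpu,usb}
    rm -rf /boot/*-rescue-* /boot/*3.10.0* /usr/share/{doc,man} /usr/src
}

# Warm the image cache with kube-proxy and pause for KUBE_VERSION.
# Pulls from the regional VPC registry directly, not from KUBE_REPO_PREFIX.
# The fixed sleep gives the daemon time to come up; it is not a readiness check.
pull_image() {
    local registry="registry-${REGION}-vpc.ack.aliyuncs.com/acs"
    if [[ "$RUNTIME" = "docker" ]]; then
        systemctl start docker
        sleep 10

        docker pull "${registry}/kube-proxy:v${KUBE_VERSION}"
        docker pull "${registry}/pause:3.5"
    else
        systemctl start containerd
        sleep 10

        ctr -n k8s.io i pull "${registry}/kube-proxy:v${KUBE_VERSION}"
        ctr -n k8s.io i pull "${registry}/pause:3.5"
    fi
}

# Tag the image in /etc/image-id. Idempotent: a re-run does not stack
# duplicate tags.
update_os_release() {
    local tag="custom_tag:ACK-Optimized-OS"
    if [[ ! -f /etc/image-id ]]; then
        touch /etc/image-id
    fi
    if ! grep -qxF -- "$tag" /etc/image-id; then
        echo "$tag" >> /etc/image-id
    fi
}

# Record the baked-in versions. DOCKER_VERSION is only set for the docker
# runtime, so the docker= line is empty on containerd images.
record_k8s_version() {
    cat > /etc/ACK-Optimized-OS <<EOF
kubelet=$KUBE_VERSION
docker=$DOCKER_VERSION
EOF
}

# Leave a marker that tells the node bootstrap to skip the security upgrade.
# Not invoked by main in this script.
post_install() {
    if [[ $SKIP_SECURITY_FIX ]]; then
        touch /var/.skip-security-fix
    fi
}

# Format (if needed) and mount a dedicated data disk for the container runtime.
# Only runs when MOUNT_RUNTIME_DATADISK=true. Device selection, in order:
#   1. DATA_DISK_SERIAL_ID — the disk whose udev ID_SERIAL equals it;
#   2. DISK_DEVICE — a device path supplied by the caller;
#   3. heuristic — the last nvme device, else the last device lsblk lists,
#      provided the node has more than one disk.
# Path 3 formats a disk chosen by sort order; prefer 1 or 2 wherever the wrong
# pick would be destructive.
# Reads: MOUNT_RUNTIME_DATADISK, RUNTIME, DATA_DISK_SERIAL_ID, DISK_DEVICE,
# AUTO_FDISK_FSTYPE. Exports: DATA_DISK_SERIAL_ID (serial of the chosen disk).
# Calls log_warn, which this script does not define (expected from the
# sourced installer libs).
mount_data_disk() {
    set -e
    if [[ "$MOUNT_RUNTIME_DATADISK" != "true" ]]; then
        return 0
    fi

    local runtime_dir
    if [[ "$RUNTIME" = "containerd" ]]; then
        runtime_dir="containerd"
    else
        runtime_dir="docker"
    fi

    # Already handled (by the user or an earlier setup): leave the disk alone.
    if grep -qE "/var/lib/${runtime_dir}" /etc/fstab; then
        log_warn " /var/lib/${runtime_dir} has been mounted. return"
        return 0
    fi

    if [ "$DATA_DISK_SERIAL_ID" != "" ]; then
        devices=$(lsblk -l -n -o NAME -d -p)
        for dev in $devices; do
            # Exact property match; a substring match could pick a different
            # disk whose serial merely contains the requested one.
            if udevadm info --query=property --name="$dev" | grep -qxF -- "ID_SERIAL=${DATA_DISK_SERIAL_ID}"; then
                DISK_DEVICE=$dev
                break
            fi
        done
        if [ "$DISK_DEVICE" == "" ]; then
            log_warn "specified disk device ${DATA_DISK_SERIAL_ID} not found. return"
            return 0
        fi
    fi

    # initialize device name.
    if [ "$DISK_DEVICE" != "" ]; then
        device=$DISK_DEVICE
    else
        # refuse to mount & format disk if it has only one disk.
        diskcnt=$(lsblk -l -n -o NAME -d -p | wc -l)
        if [ "$diskcnt" -le 1 ]; then
            echo "WARNING: node has only one disk, refuse fdisk op."
            return
        fi

        # Heuristic kept for legacy installations: the last nvme device if any
        # (local SSD), else the last device overall, is assumed to be the
        # Aliyun data disk.
        if lsblk -l -n -o NAME -d -p | grep -q nvme; then
            device=$(lsblk -l -n -o NAME -d -p | grep nvme | sort | tail -n 1)
        else
            device=$(lsblk -l -n -o NAME -d -p | sort | tail -n 1)
        fi
    fi
    if [ ! -b "$device" ]; then
        echo "auto_fdisk fail: [$device] is not a block device"
        return 1
    fi

    DATA_DISK_SERIAL_ID=$(udevadm info --query=all --name="$device" | grep ID_SERIAL | sed -n 's/.*ID_SERIAL=\(.*\)/\1/p')
    export DATA_DISK_SERIAL_ID

    # The first partition when there is one (/dev/vda -> /dev/vda1),
    # otherwise the whole device.
    rdevice=$(lsblk -l -n -o NAME -p "${device}" | head -n 2 | tail -n 1)

    # Existing filesystem type; xfs must have been created with ftype=1.
    fstype=$(lsblk -l -n -f -o FSTYPE "$rdevice")
    case $fstype in
    "")
        # not formatted. do mkfs.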
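AUTO_FDISK_FSTYPE=${AUTO_FDISK_FSTYPE:-ext4}
        case $AUTO_FDISK_FSTYPE in
        "ext4")
            mkfs.ext4 -i 8192 "$rdevice"
            ;;
        "xfs")
            mkfs.xfs -n ftype=1 "$rdevice"
            ;;
        *)
            # Stop here: the device is still unformatted and the mount below
            # would otherwise fail with a far less helpful error.
            echo "InvalidFsType" "invalid fs type $AUTO_FDISK_FSTYPE" >&2
            return 1
            ;;
        esac
        fstype="$AUTO_FDISK_FSTYPE"
        ;;
    "xfs")
        # check for xfs parameter (ftype=1 is required by the container runtime).
        if ! xfs_info "$rdevice" | grep -q ftype=1; then
            # Kept as a warning rather than an abort to preserve previous behaviour.
            echo "InvalidXfs" "xfs filesystem must formated with parameter fstype=1, docker required"
        fi
        ;;
    esac

    # NOTE(review): the mount point is /var/lib/container although the fstab
    # check at the top of this function looks for /var/lib/<runtime>, and no
    # fstab entry is written, so the mount does not persist across reboot.
    mkdir -p /var/lib/container
    mount "${rdevice}" /var/lib/container/
    echo "mountDataDiskDone"
}

# Drop cloud-init state so the next boot of the image runs first-boot again.
cleanup_userdata() {
    rm -rf /var/lib/cloud
}

# Remove the downloaded bundle and installer leftovers from the working
# directory; registered as the EXIT trap in main.
cleanup() {
    rm -rf ./{addon*,docker*,kubernetes*,pkg,run*}
}

# Build pipeline entry point. keep_container_data is not defined in this
# script; presumably it comes from the installer sourced by source_file.
main() {
    trap 'cleanup' EXIT

    check_params "$@"
    setup_env

    trim_os

    download_pkg
    source_file
    preset_gpu
    pull_image
    keep_container_data
    update_os_release
    record_k8s_version
    cleanup_userdata
}

main "$@"
-------------------------------------------------------------------------------- /scripts/ack-optimized-os-anolis-all.sh: --------------------------------------------------------------------------------
#!/bin/bash

# -x traces every command (including exported values) to stderr; -e aborts
# on the first failing command, so every helper below relies on it.
set -x
set -e

# Print usage to stderr and exit 1.
usage() {
    cat >&2 <<EOF
Usage:
  $0 -r RUNTIME [-s]

Flags:
  -r: specify container runtime, available value: docker and containerd
  -s: skip security upgrade

Example:
  $0 -r docker -s
  $0 -r docker
  $0 -r containerd -s
  $0 -r containerd
EOF
    exit 1
}

# Parse -r/-s/-h into RUNTIME and SKIP_SECURITY_FIX; anything unknown prints usage.
check_params() {
    while getopts "r:sh" opt; do
        case $opt in
        r) RUNTIME="$OPTARG" ;;
        s) SKIP_SECURITY_FIX="1" ;;
        h | ?)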
usage ; ;; 30 | esac 31 | done 32 | 33 | if [[ -z $RUNTIME ]] || [[ $RUNTIME != "docker" && $RUNTIME != "containerd" ]]; then 34 | echo "ERROR: RUNTIME must not be empty, only support 'docker' and 'containerd' " 35 | usage 36 | fi 37 | } 38 | 39 | setup_env() { 40 | export OS="AliyunOS" 41 | 42 | if [[ "$RUNTIME" = "docker" ]]; then 43 | RUNTIME_VERSION=${RUNTIME_VERSION:-19.03.15} 44 | export RUNTIME_VERSION 45 | DOCKER_VERSION=${RUNTIME_VERSION:-19.03.15} 46 | export DOCKER_VERSION 47 | else 48 | RUNTIME_VERSION=${RUNTIME_VERSION:-1.6.20} 49 | export RUNTIME_VERSION 50 | fi 51 | 52 | export REGION=$(curl --retry 10 -sSL http://100.100.100.200/latest/meta-data/region-id) 53 | export PKG_FILE_SERVER="http://aliacs-k8s-$REGION.oss-$REGION-internal.aliyuncs.com/$BETA_VERSION" 54 | export ACK_OPTIMIZED_OS_BUILD=1 55 | 56 | # setup k8s pull image prefix 57 | if [[ -z "$KUBE_REPO_PREFIX" && -n "$REGION" ]]; then 58 | export KUBE_REPO_PREFIX=registry-vpc.$REGION.aliyuncs.com/acs 59 | fi 60 | } 61 | 62 | 63 | download_pkg() { 64 | if [[ $(echo "${KUBE_VERSION}" | cut -d. -f1) -ge 1 && $(echo "${KUBE_VERSION}" | cut -d. -f2) -ge 20 ]]; then 65 | export RELEASE_VERSION=$(echo $KUBE_VERSION | awk -F. 
'{print $1"."$2}') 66 | curl --retry 4 $PKG_FILE_SERVER/public/pkg/run/run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz -O 67 | tar -xvf run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz 68 | else 69 | curl --retry 4 $PKG_FILE_SERVER/public/pkg/run/run-${KUBE_VERSION}.tar.gz -O 70 | tar -xvf run-${KUBE_VERSION}.tar.gz 71 | fi 72 | } 73 | 74 | 75 | source_file() { 76 | if [[ -e "pkg/run/$KUBE_VERSION/kubernetes.sh" ]]; then 77 | source pkg/run/$KUBE_VERSION/kubernetes.sh --role source 78 | install_pkg 79 | elif [[ -e "pkg/run/$RELEASE_VERSION/bin/kubernetes.sh" ]]; then 80 | ROLE=deploy-nodes pkg/run/$RELEASE_VERSION/bin/kubernetes.sh 81 | fi 82 | } 83 | 84 | install_pkg() { 85 | public::common::sync_ntpd 86 | public::common::install_package 87 | } 88 | 89 | preset_gpu() { 90 | 91 | if [[ "$PRESET_GPU" != "true" ]]; then 92 | return 93 | fi 94 | 95 | if [[ $(echo "${KUBE_VERSION}" | cut -d. -f2) -lt 20 ]]; then 96 | return 97 | elif [[ $(echo "${KUBE_VERSION}" | cut -d. -f2) -eq 20 ]]; then 98 | for file_name in $(ls pkg/run/$RELEASE_VERSION/lib | grep -v init.sh); do 99 | source pkg/run/$RELEASE_VERSION/lib/$file_name 100 | done 101 | else 102 | export SRC_DIR=pkg/run/$RELEASE_VERSION 103 | for file_name in $(ls $SRC_DIR/lib | grep -v init.sh | grep -v common.sh | grep -v log.sh); do 104 | source $SRC_DIR/lib/$file_name 105 | done 106 | fi 107 | 108 | if [[ $NVIDIA_DRIVER_VERSION == "" ]];then 109 | export NVIDIA_DRIVER_VERSION=460.91.03 110 | fi 111 | 112 | nvidia::create_dir 113 | # --nvidia-driver-runfile 指定驱动文件路径 114 | nvidia::prepare_driver_package 115 | # --nvidia-container-toolkit-rpms 指定nvidia container toolkit包含的rpm包所在目录 116 | nvidia::prepare_container_runtime_package 117 | # --nvidia-fabricmanager-rpm 指定nvidia fabric manager安装包(rpm格式)路径 118 | nvidia::prepare_driver_package 119 | # --nvidia-device-plugin-yaml 指定nvidia device plugin yaml文件路径 120 | nvidia::deploy_static_pod 121 | 122 | if [[ $RUNTIME == "docker" ]];then 123 | export 
SKIP_CONTAINER_RUNTIME_CONFIG=true 124 | fi 125 | 126 | nvidia::gpu::installer::main 127 | 128 | } 129 | 130 | trim_os() { 131 | local pkg_list="acl 132 | aic94xx-firmware 133 | aliyun-cli 134 | alsa-firmware 135 | alsa-lib 136 | alsa-tools-firmware 137 | authconfig 138 | avahi-libs 139 | bind-libs-lite 140 | bind-license 141 | biosdevname 142 | btrfs-progs 143 | cloud 144 | device-mapper-event 145 | device-mapper-event-libs 146 | dmraid 147 | dmraid-events 148 | dosfstools 149 | ed 150 | file 151 | firewalld 152 | firewalld-filesystem 153 | freetype 154 | fxload 155 | GeoIP 156 | geoipupdate 157 | gettext 158 | gettext-libs 159 | glibc-devel 160 | hunspell 161 | hunspell-en 162 | hunspell-en-GB 163 | hunspell-en-US 164 | ivtv-firmware 165 | iwl1000-firmware 166 | iwl100-firmware 167 | iwl105-firmware 168 | iwl135-firmware 169 | iwl2000-firmware 170 | iwl2030-firmware 171 | iwl3160-firmware 172 | iwl3945-firmware 173 | iwl4965-firmware 174 | iwl5000-firmware 175 | iwl5150-firmware 176 | iwl6000-firmware 177 | iwl6000g2a-firmware 178 | iwl6000g2b-firmware 179 | iwl6050-firmware 180 | iwl7260-firmware 181 | jansson 182 | kbd 183 | kbd-legacy 184 | kbd-misc 185 | libaio 186 | libdrm 187 | libmpc 188 | libpciaccess 189 | libpng 190 | libreport-filesystem 191 | lm_sensors-libs 192 | lsscsi 193 | lvm2 194 | m4 195 | mailx 196 | man-db 197 | mariadb-libs 198 | mdadm 199 | microcode_ctl 200 | mpfr 201 | NetworkManager 202 | NetworkManager-libnm 203 | NetworkManager-team 204 | NetworkManager-tui 205 | patch 206 | plymouth 207 | plymouth-scripts 208 | postfix 209 | python3 210 | python3-libs 211 | python3-pip 212 | python3-setuptools 213 | python-decorator 214 | python-IPy 215 | rng-tools 216 | rsync 217 | sgpio 218 | slang 219 | spax 220 | strace 221 | sysstat 222 | tcpdump 223 | teamd 224 | vim-common 225 | vim-enhanced 226 | vim-filesystem 227 | wl1000-firmware 228 | wpa_supplicant 229 | xfsprogs 230 | " 231 | yum remove -y $pkg_list 232 | rm -rf /lib/modules/$(uname 
-r)/kernel/drivers/{media,staging,gpu,usb} 233 | rm -rf /boot/*-rescue-* /boot/*3.10.0* /usr/share/{doc,man} /usr/src 234 | } 235 | 236 | pull_image() { 237 | if [[ "$RUNTIME" = "docker" ]]; then 238 | systemctl start docker 239 | sleep 10 240 | 241 | docker pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/kube-proxy:v${KUBE_VERSION} 242 | docker pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/pause:3.5 243 | else 244 | systemctl start containerd 245 | sleep 10 246 | 247 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/kube-proxy:v${KUBE_VERSION} 248 | ctr -n k8s.io i pull registry-${REGION}-vpc.ack.aliyuncs.com/acs/pause:3.5 249 | fi 250 | } 251 | 252 | update_os_release() { 253 | if [[ ! -f /etc/image-id ]]; then 254 | touch /etc/image-id 255 | fi 256 | echo "custom_tag:ACK-Optimized-OS" >> /etc/image-id 257 | } 258 | 259 | record_k8s_version() { 260 | cat > /etc/ACK-Optimized-OS <<-EOF 261 | kubelet=$KUBE_VERSION 262 | docker=$DOCKER_VERSION 263 | EOF 264 | } 265 | 266 | post_install() { 267 | if [[ $SKIP_SECURITY_FIX ]]; then 268 | touch /var/.skip-security-fix 269 | fi 270 | } 271 | 272 | mount_data_disk() { 273 | set -e 274 | if [[ "$MOUNT_RUNTIME_DATADISK" != "true" ]]; then 275 | return 0 276 | fi 277 | 278 | local runtime_dir 279 | if [[ "$RUNTIME" = "containerd" ]]; then 280 | runtime_dir="containerd" 281 | else 282 | runtime_dir="docker" 283 | fi 284 | 285 | #check to see whether docker or containerd is already mounted. 286 | if cat /etc/fstab | grep -E "/var/lib/${runtime_dir}"; then 287 | # Assume user take over disk management or disk has already mounted. return immediately. 288 | log_warn " /var/lib/${runtime_dir} has been mounted. 
return" 289 | return 0 290 | fi 291 | 292 | if [ "$DATA_DISK_SERIAL_ID" != "" ]; then 293 | devices=$(lsblk -l -n -o NAME -d -p) 294 | for dev in $devices; do 295 | if udevadm info --query=all --name=$dev | grep "ID_SERIAL=" | grep "$DATA_DISK_SERIAL_ID"; then 296 | DISK_DEVICE=$dev 297 | break 298 | fi 299 | done 300 | if [ "$DISK_DEVICE" == "" ]; then 301 | log_warn "specified disk device ${DATA_DISK_SERIAL_ID} not found. return" 302 | return 0 303 | fi 304 | fi 305 | 306 | # initialize device name. 307 | if [ "$DISK_DEVICE" != "" ]; then 308 | device=$DISK_DEVICE 309 | else 310 | # refuse to mount & format disk if it has only one disk. 311 | diskcnt=$(lsblk -l -n -o NAME -d -p | wc -l) 312 | if [ "$diskcnt" -le 1 ]; then 313 | echo "WARNING: node has only one disk, refuse fdisk op." 314 | return 315 | fi 316 | 317 | # search for the last device of /dev/*vd*. compatible with local ssd 318 | # Consider this device to be aliyun disk. 319 | # compatible with legacy installation. 320 | if lsblk -l -n -o NAME -d -p | grep nvme; then 321 | device=$(lsblk -l -n -o NAME -d -p | grep nvme | sort | tail -n 1) 322 | else 323 | device=$(lsblk -l -n -o NAME -d -p | sort | tail -n 1) 324 | fi 325 | fi 326 | if [ ! -b "$device" ]; then 327 | echo "auto_fdisk fail: [$device] is not a block device" 328 | return 1 329 | fi 330 | 331 | export DATA_DISK_SERIAL_ID=$(udevadm info --query=all --name=$device | grep ID_SERIAL | sed -n 's/.*ID_SERIAL=\(.*\)/\1/p') 332 | 333 | # choose the real partition name. exactly the first partition eg. 334 | # /dev/vda 335 | # /dev/vda1 336 | rdevice=$(lsblk -l -n -o NAME -p ${device} | head -n 2 | tail -n 1) 337 | 338 | # check existing fs type. xfs must formated with fstype=1 parameter. 339 | fstype=$(lsblk -l -n -f -o FSTYPE $rdevice) 340 | case $fstype in 341 | "") 342 | # not formatted. do mkfs. 
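AUTO_FDISK_FSTYPE=${AUTO_FDISK_FSTYPE:-ext4}
        case $AUTO_FDISK_FSTYPE in
        "ext4")
            mkfs.ext4 -i 8192 "$rdevice"
            ;;
        "xfs")
            mkfs.xfs -n ftype=1 "$rdevice"
            ;;
        *)
            # Stop here: the device is still unformatted and the mount below
            # would otherwise fail with a far less helpful error.
            echo "InvalidFsType" "invalid fs type $AUTO_FDISK_FSTYPE" >&2
            return 1
            ;;
        esac
        fstype="$AUTO_FDISK_FSTYPE"
        ;;
    "xfs")
        # check for xfs parameter (ftype=1 is required by the container runtime).
        if ! xfs_info "$rdevice" | grep -q ftype=1; then
            # Kept as a warning rather than an abort to preserve previous behaviour.
            echo "InvalidXfs" "xfs filesystem must formated with parameter fstype=1, docker required"
        fi
        ;;
    esac

    # NOTE(review): the mount point is /var/lib/container although the fstab
    # check at the top of this function looks for /var/lib/<runtime>, and no
    # fstab entry is written, so the mount does not persist across reboot.
    mkdir -p /var/lib/container
    mount "${rdevice}" /var/lib/container/
    echo "mountDataDiskDone"
}

# Remove the downloaded bundle and installer leftovers from the working
# directory; registered as the EXIT trap in main.
cleanup() {
    rm -rf ./{addon*,docker*,kubernetes*,pkg,run*}
}

# Build pipeline entry point for the Anolis variant. trim_os is left disabled
# here, as in the original. keep_container_data is not defined in this script;
# presumably it comes from the installer sourced by source_file.
main() {
    trap 'cleanup' EXIT

    check_params "$@"
    setup_env

    # trim_os

    download_pkg
    source_file
    preset_gpu
    pull_image
    keep_container_data
    update_os_release
    record_k8s_version
}

main "$@"
-------------------------------------------------------------------------------- /scripts/ack-optimized-os-linux3-all.sh: --------------------------------------------------------------------------------
#!/bin/bash

# -x traces every command (including exported values) to stderr; -e aborts
# on the first failing command, so every helper below relies on it.
set -x
set -e

# Print usage to stderr and exit 1.
usage() {
    cat >&2 <<EOF
Usage:
  $0 -r RUNTIME [-s]

Flags:
  -r: specify container runtime, available value: docker and containerd
  -s: skip security upgrade

Example:
  $0 -r docker -s
  $0 -r docker
  $0 -r containerd -s
  $0 -r containerd
EOF
    exit 1
}

# Parse -r/-s/-h into RUNTIME and SKIP_SECURITY_FIX; anything unknown prints usage.
check_params() {
    while getopts "r:sh" opt; do
        case $opt in
        r) RUNTIME="$OPTARG" ;;
        s) SKIP_SECURITY_FIX="1" ;;
        h | ?)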
usage ; ;; 30 | esac 31 | done 32 | 33 | if [[ -z $RUNTIME ]] || [[ $RUNTIME != "docker" && $RUNTIME != "containerd" ]]; then 34 | echo "ERROR: RUNTIME must not be empty, only support 'docker' and 'containerd' " 35 | usage 36 | fi 37 | } 38 | 39 | setup_env() { 40 | export RUNTIME 41 | export OS="AliyunOS" 42 | if [[ "$RUNTIME" = "docker" ]]; then 43 | RUNTIME_VERSION=${RUNTIME_VERSION:-19.03.15} 44 | export RUNTIME_VERSION 45 | DOCKER_VERSION=${RUNTIME_VERSION:-19.03.15} 46 | export DOCKER_VERSION 47 | else 48 | RUNTIME_VERSION=${RUNTIME_VERSION:-1.6.20} 49 | export RUNTIME_VERSION 50 | fi 51 | 52 | export RELEASE_VERSION=$(echo $KUBE_VERSION | awk -F. '{print $1"."$2}') 53 | 54 | export REGION=$(curl --retry 10 -sSL http://100.100.100.200/latest/meta-data/region-id) 55 | export PKG_FILE_SERVER="http://aliacs-k8s-$REGION.oss-$REGION-internal.aliyuncs.com/$BETA_VERSION" 56 | export ACK_OPTIMIZED_OS_BUILD=1 57 | 58 | # setup k8s pull image prefix 59 | if [[ -z "$KUBE_REPO_PREFIX" && -n "$REGION" ]]; then 60 | export KUBE_REPO_PREFIX=registry-vpc.$REGION.aliyuncs.com/acs 61 | fi 62 | } 63 | 64 | download_pkg() { 65 | if [[ $(echo "${KUBE_VERSION}" | cut -d. -f1) -ge 1 && $(echo "${KUBE_VERSION}" | cut -d. -f2) -ge 20 ]]; then 66 | export RELEASE_VERSION=$(echo $KUBE_VERSION | awk -F. 
'{print $1"."$2}') 67 | curl --retry 4 $PKG_FILE_SERVER/public/pkg/run/run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz -O 68 | tar -xvf run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz 69 | else 70 | curl --retry 4 $PKG_FILE_SERVER/public/pkg/run/run-${KUBE_VERSION}.tar.gz -O 71 | tar -xvf run-${KUBE_VERSION}.tar.gz 72 | fi 73 | } 74 | 75 | 76 | source_file() { 77 | if [[ -e "pkg/run/$KUBE_VERSION/kubernetes.sh" ]]; then 78 | source pkg/run/$KUBE_VERSION/kubernetes.sh --role source 79 | install_pkg 80 | elif [[ -e "pkg/run/$RELEASE_VERSION/bin/kubernetes.sh" ]]; then 81 | ROLE=deploy-nodes pkg/run/$RELEASE_VERSION/bin/kubernetes.sh 82 | fi 83 | } 84 | 85 | install_pkg() { 86 | public::common::sync_ntpd 87 | public::common::install_package 88 | } 89 | 90 | preset_gpu() { 91 | 92 | if [[ "$PRESET_GPU" != "true" ]]; then 93 | return 94 | fi 95 | 96 | if [[ $(echo "${KUBE_VERSION}" | cut -d. -f2) -lt 20 ]]; then 97 | return 98 | elif [[ $(echo "${KUBE_VERSION}" | cut -d. -f2) -eq 20 ]]; then 99 | for file_name in $(ls pkg/run/$RELEASE_VERSION/lib | grep -v init.sh); do 100 | source pkg/run/$RELEASE_VERSION/lib/$file_name 101 | done 102 | else 103 | export SRC_DIR=pkg/run/$RELEASE_VERSION 104 | for file_name in $(ls $SRC_DIR/lib | grep -v init.sh | grep -v common.sh | grep -v log.sh); do 105 | source $SRC_DIR/lib/$file_name 106 | done 107 | fi 108 | 109 | if [[ $NVIDIA_DRIVER_VERSION == "" ]];then 110 | export NVIDIA_DRIVER_VERSION=460.91.03 111 | fi 112 | 113 | nvidia::create_dir 114 | # --nvidia-driver-runfile 指定驱动文件路径 115 | nvidia::prepare_driver_package 116 | # --nvidia-container-toolkit-rpms 指定nvidia container toolkit包含的rpm包所在目录 117 | nvidia::prepare_container_runtime_package 118 | # --nvidia-fabricmanager-rpm 指定nvidia fabric manager安装包(rpm格式)路径 119 | nvidia::prepare_driver_package 120 | # --nvidia-device-plugin-yaml 指定nvidia device plugin yaml文件路径 121 | nvidia::deploy_static_pod 122 | 123 | if [[ $RUNTIME == "docker" ]];then 124 | export 
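SKIP_CONTAINER_RUNTIME_CONFIG=true
    fi

    nvidia::gpu::installer::main
}

# trim_os: remove packages, kernel driver trees and docs that an ACK node image
# does not need, to shrink the image. Destructive (removes firewalld,
# NetworkManager, python3, ...); it is deliberately left commented out in
# main() below and has to be opted into by the image author.
trim_os() {
    local pkg_list="acl aic94xx-firmware aliyun-cli alsa-firmware alsa-lib alsa-tools-firmware
        authconfig avahi-libs bind-libs-lite bind-license biosdevname btrfs-progs cloud
        device-mapper-event device-mapper-event-libs dmraid dmraid-events dosfstools ed file
        firewalld firewalld-filesystem freetype fxload GeoIP geoipupdate gettext gettext-libs
        glibc-devel hunspell hunspell-en hunspell-en-GB hunspell-en-US ivtv-firmware
        iwl1000-firmware iwl100-firmware iwl105-firmware iwl135-firmware iwl2000-firmware
        iwl2030-firmware iwl3160-firmware iwl3945-firmware iwl4965-firmware iwl5000-firmware
        iwl5150-firmware iwl6000-firmware iwl6000g2a-firmware iwl6000g2b-firmware
        iwl6050-firmware iwl7260-firmware jansson kbd kbd-legacy kbd-misc libaio libdrm libmpc
        libpciaccess libpng libreport-filesystem lm_sensors-libs lsscsi lvm2 m4 mailx man-db
        mariadb-libs mdadm microcode_ctl mpfr NetworkManager NetworkManager-libnm
        NetworkManager-team NetworkManager-tui patch plymouth plymouth-scripts postfix python3
        python3-libs python3-pip python3-setuptools python-decorator python-IPy rng-tools rsync
        sgpio slang spax strace sysstat tcpdump teamd vim-common vim-enhanced vim-filesystem
        wl1000-firmware wpa_supplicant xfsprogs"
    # Unquoted on purpose: yum receives one argument per package name.
    yum remove -y $pkg_list
    rm -rf /lib/modules/$(uname -r)/kernel/drivers/{media,staging,gpu,usb}
    rm -rf /boot/*-rescue-* /boot/*3.10.0* /usr/share/{doc,man} /usr/src
}

# pull_image: pre-pull the kube-proxy and pause images into the selected
# runtime so a node's first boot does not depend on registry access.
# RUNTIME, REGION and KUBE_VERSION are expected in the environment (set by
# earlier steps of this script, outside this excerpt).
pull_image() {
    local registry="registry-${REGION}-vpc.ack.aliyuncs.com/acs"
    if [[ "$RUNTIME" = "docker" ]]; then
        systemctl start docker
        sleep 10    # crude wait for the daemon socket; there is no readiness probe
        docker pull "${registry}/kube-proxy:v${KUBE_VERSION}"
        docker pull "${registry}/pause:3.5"
    else
        systemctl start containerd
        sleep 10
        ctr -n k8s.io i pull "${registry}/kube-proxy:v${KUBE_VERSION}"
        ctr -n k8s.io i pull "${registry}/pause:3.5"
    fi
}

# update_os_release: tag /etc/image-id as an ACK-optimized image. The tag is
# appended only once so that re-running the build does not duplicate it
# (the file is created by the redirection when it does not exist yet).
update_os_release() {
    grep -qxF "custom_tag:ACK-Optimized-OS" /etc/image-id 2>/dev/null \
        || echo "custom_tag:ACK-Optimized-OS" >> /etc/image-id
}

# record_k8s_version: persist the component versions baked into the image.
# The docker= line is written regardless of runtime; DOCKER_VERSION may be
# empty when the runtime is containerd.
record_k8s_version() {
    cat > /etc/ACK-Optimized-OS <<EOF
kubelet=$KUBE_VERSION
docker=$DOCKER_VERSION
EOF
}

# post_install: leave a marker that tells later tooling to skip the security
# upgrade. Note: main() below never calls this function.
post_install() {
    if [[ $SKIP_SECURITY_FIX ]]; then
        touch /var/.skip-security-fix
    fi
}

# mount_data_disk: find (or format) the node's data disk and mount it on
# /var/lib/container. No-op unless MOUNT_RUNTIME_DATADISK=true.
# Inputs (environment): RUNTIME, DATA_DISK_SERIAL_ID (select device by udev
# serial), DISK_DEVICE (explicit device path), AUTO_FDISK_FSTYPE (ext4|xfs,
# default ext4). Exports DATA_DISK_SERIAL_ID of the device that was used.
# Formats an unformatted device, so the device-selection heuristic below is
# destructive by design.
mount_data_disk() {
    set -e    # NOTE: 'set' is not function-scoped; this applies to the whole script
    if [[ "$MOUNT_RUNTIME_DATADISK" != "true" ]]; then
        return 0
    fi

    local runtime_dir
    if [[ "$RUNTIME" = "containerd" ]]; then
        runtime_dir="containerd"
    else
        runtime_dir="docker"
    fi

    # If fstab already references the runtime directory, assume the user (or
    # an earlier run) manages this disk. log_warn is not defined in this file;
    # presumably it comes from the sourced kubernetes.sh libraries — confirm.
    if grep -qE "/var/lib/${runtime_dir}" /etc/fstab; then
        log_warn " /var/lib/${runtime_dir} has been mounted. return"
        return 0
    fi

    local dev
    if [[ -n "$DATA_DISK_SERIAL_ID" ]]; then
        # Resolve the device by udev serial (substring match on the ID_SERIAL line).
        for dev in $(lsblk -l -n -o NAME -d -p); do
            if udevadm info --query=all --name="$dev" | grep "ID_SERIAL=" | grep -q -- "$DATA_DISK_SERIAL_ID"; then
                DISK_DEVICE=$dev
                break
            fi
        done
        if [[ -z "$DISK_DEVICE" ]]; then
            log_warn "specified disk device ${DATA_DISK_SERIAL_ID} not found. return"
            return 0
        fi
    fi

    local device
    if [[ -n "$DISK_DEVICE" ]]; then
        device=$DISK_DEVICE
    else
        # A single-disk node has only its system disk: refuse to touch it.
        local diskcnt
        diskcnt=$(lsblk -l -n -o NAME -d -p | wc -l)
        if [[ "$diskcnt" -le 1 ]]; then
            echo "WARNING: node has only one disk, refuse fdisk op."
            return
        fi
        # Legacy heuristic: the last device in sort order (nvme preferred, for
        # local SSD) is taken to be the Aliyun data disk.
        if lsblk -l -n -o NAME -d -p | grep -q nvme; then
            device=$(lsblk -l -n -o NAME -d -p | grep nvme | sort | tail -n 1)
        else
            device=$(lsblk -l -n -o NAME -d -p | sort | tail -n 1)
        fi
    fi
    if [[ ! -b "$device" ]]; then
        echo "auto_fdisk fail: [$device] is not a block device"
        return 1
    fi

    DATA_DISK_SERIAL_ID=$(udevadm info --query=all --name="$device" | sed -n 's/.*ID_SERIAL=\(.*\)/\1/p')
    export DATA_DISK_SERIAL_ID

    # First partition when the device has one, else the whole device (lsblk
    # prints the device itself first, then its partitions).
    local rdevice
    rdevice=$(lsblk -l -n -o NAME -p "${device}" | head -n 2 | tail -n 1)

    # Existing filesystem type decides whether to mkfs. xfs must have ftype=1
    # for the container runtime.
    local fstype
    fstype=$(lsblk -l -n -f -o FSTYPE "$rdevice")
    case $fstype in
        "")
            AUTO_FDISK_FSTYPE=${AUTO_FDISK_FSTYPE:-ext4}
            case $AUTO_FDISK_FSTYPE in
                "ext4")
                    mkfs.ext4 -i 8192 "$rdevice"
                    ;;
                "xfs")
                    mkfs.xfs -n ftype=1 "$rdevice"
                    ;;
                *)
                    # Previously fell through and tried to mount an unformatted
                    # device; fail here so the cause is visible.
                    echo "InvalidFsType" "invalid fs type $AUTO_FDISK_FSTYPE"
                    return 1
                    ;;
            esac
            ;;
        "xfs")
            # Warn only; an existing xfs without ftype=1 is still mounted.
            if ! xfs_info "$rdevice" | grep -q ftype=1; then
                echo "InvalidXfs" "xfs filesystem must formated with parameter fstype=1, docker required"
            fi
            ;;
    esac

    # NOTE(review): the fstab guard above checks /var/lib/${runtime_dir} but the
    # mount point is /var/lib/container — presumably the runtime directory is
    # relocated there by a later step; confirm. The mount is not persisted to
    # /etc/fstab here.
    mkdir -p /var/lib/container
    mount "${rdevice}" /var/lib/container/
    echo "mountDataDiskDone"
}

# cleanup: remove downloaded bundles from the working directory (EXIT trap).
cleanup() {
    rm -rf ./{addon*,docker*,kubernetes*,pkg,run*}
}

# main: build pipeline. trim_os is opt-in and post_install is never invoked.
main() {
    trap 'cleanup' EXIT

    check_params "$@"
    setup_env

    # trim_os

    download_pkg
    source_file
    preset_gpu
    pull_image
    mount_data_disk
    update_os_release
    record_k8s_version
}

main "$@"
-------------------------------------------------------------------------------- /scripts/ack-optimized-os-rhel9-all.sh: --------------------------------------------------------------------------------
#!/bin/bash

set -x
set -e

# usage: print the help text to stderr and exit non-zero.
usage() {
    cat >&2 <<EOF
Usage:
    $0 -r RUNTIME [-s]

Flags:
    -r: sepcify container runtime, available value: docker and containerd
    -s: skip security upgrade

Example:
    $0 -r docker -s
    $0 -r docker
    $0 -r containerd -s
    $0 -r containerd
EOF
    exit 1
}

# check_params: parse -r RUNTIME (docker|containerd) and -s (skip security fix).
check_params() {
    while getopts "r:sh" opt; do
        case $opt in
            r) RUNTIME="$OPTARG" ;;
            s) SKIP_SECURITY_FIX="1" ;;
            h | ?)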
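usage ;;
        esac
    done

    if [[ -z $RUNTIME ]] || [[ $RUNTIME != "docker" && $RUNTIME != "containerd" ]]; then
        echo "ERROR: RUNTIME must not be empty, only support 'docker' and 'containerd' "
        usage
    fi
}

# setup_env: derive the build environment (runtime versions, region, package
# server URL) from the instance metadata service. BETA_VERSION, OS_ARCH and
# KUBE_VERSION are taken from the caller's environment.
setup_env() {
    export OS="AliyunOS"

    if [[ "$RUNTIME" = "docker" ]]; then
        RUNTIME_VERSION=${RUNTIME_VERSION:-19.03.15}
        export RUNTIME_VERSION
        # Always the resolved RUNTIME_VERSION (the former second default could
        # never apply because RUNTIME_VERSION is already set here).
        DOCKER_VERSION=$RUNTIME_VERSION
        export DOCKER_VERSION
    else
        RUNTIME_VERSION=${RUNTIME_VERSION:-1.6.20}
        export RUNTIME_VERSION
    fi

    # Assigned separately from 'export' so that set -e still sees a failing
    # curl; -f turns an HTTP error status into a failure instead of a body.
    # Every later URL embeds REGION, so an empty value is fatal.
    REGION=$(curl --retry 10 -fsSL http://100.100.100.200/latest/meta-data/region-id)
    if [[ -z "$REGION" ]]; then
        echo "ERROR: could not determine region from instance metadata" >&2
        return 1
    fi
    export REGION
    export PKG_FILE_SERVER="http://aliacs-k8s-$REGION.oss-$REGION-internal.aliyuncs.com/$BETA_VERSION"
    export ACK_OPTIMIZED_OS_BUILD=1

    # Default image registry prefix for the k8s components.
    if [[ -z "$KUBE_REPO_PREFIX" && -n "$REGION" ]]; then
        export KUBE_REPO_PREFIX=registry-vpc.$REGION.aliyuncs.com/acs
    fi
}

# download_pkg: fetch and unpack the ACK node package bundle from
# PKG_FILE_SERVER. Kubernetes >= 1.20 bundles are keyed by RELEASE_VERSION
# (major.minor, exported here) and OS_ARCH; older ones by the full
# KUBE_VERSION. The bundle is later sourced/executed as root (source_file),
# and the transport is plain HTTP with no integrity of its own, so when the
# caller supplies PKG_SHA256 (hex digest of the tarball) it is verified
# before extraction; when unset, the download is used as-is.
download_pkg() {
    local major minor tarball
    major=$(echo "${KUBE_VERSION}" | cut -d. -f1)
    minor=$(echo "${KUBE_VERSION}" | cut -d. -f2)
    if [[ "$major" -ge 1 && "$minor" -ge 20 ]]; then
        RELEASE_VERSION=$(echo "$KUBE_VERSION" | awk -F. '{print $1"."$2}')
        export RELEASE_VERSION
        tarball="run-${RELEASE_VERSION}-linux-${OS_ARCH}.tar.gz"
    else
        tarball="run-${KUBE_VERSION}.tar.gz"
    fi
    # -f: an HTTP error exits non-zero instead of saving an HTML "tarball".
    curl --retry 4 -fsS "$PKG_FILE_SERVER/public/pkg/run/${tarball}" -o "$tarball"
    if [[ -n "$PKG_SHA256" ]]; then
        echo "${PKG_SHA256}  ${tarball}" | sha256sum -c -
    fi
    tar -xvf "$tarball"
}

# source_file: hand control to the downloaded bundle. Both branches run
# downloaded code as root; see download_pkg for the integrity check.
source_file() {
    if [[ -e "pkg/run/$KUBE_VERSION/kubernetes.sh" ]]; then
        # Legacy layout: load the library functions, then install.
        source "pkg/run/$KUBE_VERSION/kubernetes.sh" --role source
        install_pkg
    elif [[ -e "pkg/run/$RELEASE_VERSION/bin/kubernetes.sh" ]]; then
        ROLE=deploy-nodes "pkg/run/$RELEASE_VERSION/bin/kubernetes.sh"
    fi
}

# install_pkg: both helpers are provided by the sourced kubernetes.sh, not by
# this file.
install_pkg() {
    public::common::sync_ntpd
    public::common::install_package
}

# preset_gpu: pre-install the NVIDIA driver and container toolkit when
# PRESET_GPU=true. Requires Kubernetes >= 1.20; the nvidia::* helpers come
# from the downloaded bundle's lib directory, loaded here.
preset_gpu() {
    if [[ "$PRESET_GPU" != "true" ]]; then
        return
    fi

    local minor file_name
    minor=$(echo "${KUBE_VERSION}" | cut -d. -f2)
    if [[ "$minor" -lt 20 ]]; then
        return
    elif [[ "$minor" -eq 20 ]]; then
        for file_name in pkg/run/$RELEASE_VERSION/lib/*; do
            [[ -e "$file_name" ]] || continue
            case $file_name in *init.sh*) continue ;; esac
            source "$file_name"
        done
    else
        export SRC_DIR=pkg/run/$RELEASE_VERSION
        for file_name in "$SRC_DIR"/lib/*; do
            [[ -e "$file_name" ]] || continue
            case $file_name in *init.sh* | *common.sh* | *log.sh*) continue ;; esac
            source "$file_name"
        done
    fi

    export NVIDIA_DRIVER_VERSION=${NVIDIA_DRIVER_VERSION:-460.91.03}

    nvidia::create_dir
    # --nvidia-driver-runfile: path of the driver run file
    nvidia::prepare_driver_package
    # --nvidia-container-toolkit-rpms: directory holding the toolkit RPMs
    nvidia::prepare_container_runtime_package
    # --nvidia-fabricmanager-rpm: path of the fabric manager RPM
    # NOTE(review): this is a second call of prepare_driver_package; the
    # comment suggests a fabric-manager step was intended — confirm.
    nvidia::prepare_driver_package
    # --nvidia-device-plugin-yaml: path of the device plugin manifest
    nvidia::deploy_static_pod

    if [[ $RUNTIME == "docker" ]]; then
        export SKIP_CONTAINER_RUNTIME_CONFIG=true
    fi

    nvidia::gpu::installer::main
}

# trim_os: remove packages, kernel driver trees and docs that an ACK node image
# does not need, to shrink the image. Destructive (removes firewalld,
# NetworkManager, python3, ...); it is deliberately left commented out in
# main() below and has to be opted into by the image author.
trim_os() {
    local pkg_list="acl aic94xx-firmware aliyun-cli alsa-firmware alsa-lib alsa-tools-firmware
        authconfig avahi-libs bind-libs-lite bind-license biosdevname btrfs-progs cloud
        device-mapper-event device-mapper-event-libs dmraid dmraid-events dosfstools ed file
        firewalld firewalld-filesystem freetype fxload GeoIP geoipupdate gettext gettext-libs
        glibc-devel hunspell hunspell-en hunspell-en-GB hunspell-en-US ivtv-firmware
        iwl1000-firmware iwl100-firmware iwl105-firmware iwl135-firmware iwl2000-firmware
        iwl2030-firmware iwl3160-firmware iwl3945-firmware iwl4965-firmware iwl5000-firmware
        iwl5150-firmware iwl6000-firmware iwl6000g2a-firmware iwl6000g2b-firmware
        iwl6050-firmware iwl7260-firmware jansson kbd kbd-legacy kbd-misc libaio libdrm libmpc
        libpciaccess libpng libreport-filesystem lm_sensors-libs lsscsi lvm2 m4 mailx man-db
        mariadb-libs mdadm microcode_ctl mpfr NetworkManager NetworkManager-libnm
        NetworkManager-team NetworkManager-tui patch plymouth plymouth-scripts postfix python3
        python3-libs python3-pip python3-setuptools python-decorator python-IPy rng-tools rsync
        sgpio slang spax strace sysstat tcpdump teamd vim-common vim-enhanced vim-filesystem
        wl1000-firmware wpa_supplicant xfsprogs"
    # Unquoted on purpose: yum receives one argument per package name.
    yum remove -y $pkg_list
    rm -rf /lib/modules/$(uname -r)/kernel/drivers/{media,staging,gpu,usb}
    rm -rf /boot/*-rescue-* /boot/*3.10.0* /usr/share/{doc,man} /usr/src
}

# pull_image: pre-pull the kube-proxy and pause images into the selected
# runtime so a node's first boot does not depend on registry access.
# Fix: the containerd branch was missing the 'pull' verb for the pause image
# ('ctr -n k8s.io i <ref>'), which fails under set -e.
pull_image() {
    local registry="registry-${REGION}-vpc.ack.aliyuncs.com/acs"
    if [[ "$RUNTIME" = "docker" ]]; then
        systemctl start docker
        sleep 10    # crude wait for the daemon socket; there is no readiness probe
        docker pull "${registry}/kube-proxy:v${KUBE_VERSION}"
        docker pull "${registry}/pause:3.5"
    else
        systemctl start containerd
        sleep 10
        ctr -n k8s.io i pull "${registry}/kube-proxy:v${KUBE_VERSION}"
        ctr -n k8s.io i pull "${registry}/pause:3.5"
    fi
}

# update_os_release: tag /etc/image-id as an ACK-optimized image. The tag is
# appended only once so that re-running the build does not duplicate it
# (the file is created by the redirection when it does not exist yet).
update_os_release() {
    grep -qxF "custom_tag:ACK-Optimized-OS" /etc/image-id 2>/dev/null \
        || echo "custom_tag:ACK-Optimized-OS" >> /etc/image-id
}

# record_k8s_version: persist the component versions baked into the image.
# The docker= line is written regardless of runtime; with containerd,
# DOCKER_VERSION is not set by setup_env and the value is empty.
record_k8s_version() {
    cat > /etc/ACK-Optimized-OS <<EOF
kubelet=$KUBE_VERSION
docker=$DOCKER_VERSION
EOF
}

# post_install: leave a marker that tells later tooling to skip the security
# upgrade. Note: main() below never calls this function.
post_install() {
    if [[ $SKIP_SECURITY_FIX ]]; then
        touch /var/.skip-security-fix
    fi
}

# mount_data_disk: find (or format) the node's data disk and mount it on
# /var/lib/container. No-op unless MOUNT_RUNTIME_DATADISK=true.
# Inputs (environment): RUNTIME, DATA_DISK_SERIAL_ID (select device by udev
# serial), DISK_DEVICE (explicit device path), AUTO_FDISK_FSTYPE (ext4|xfs,
# default ext4). Exports DATA_DISK_SERIAL_ID of the device that was used.
# Formats an unformatted device, so the device-selection heuristic below is
# destructive by design.
mount_data_disk() {
    set -e    # NOTE: 'set' is not function-scoped; this applies to the whole script
    if [[ "$MOUNT_RUNTIME_DATADISK" != "true" ]]; then
        return 0
    fi

    local runtime_dir
    if [[ "$RUNTIME" = "containerd" ]]; then
        runtime_dir="containerd"
    else
        runtime_dir="docker"
    fi

    # If fstab already references the runtime directory, assume the user (or
    # an earlier run) manages this disk. log_warn is not defined in this file;
    # presumably it comes from the sourced kubernetes.sh libraries — confirm.
    if grep -qE "/var/lib/${runtime_dir}" /etc/fstab; then
        log_warn " /var/lib/${runtime_dir} has been mounted. return"
        return 0
    fi

    local dev
    if [[ -n "$DATA_DISK_SERIAL_ID" ]]; then
        # Resolve the device by udev serial (substring match on the ID_SERIAL line).
        for dev in $(lsblk -l -n -o NAME -d -p); do
            if udevadm info --query=all --name="$dev" | grep "ID_SERIAL=" | grep -q -- "$DATA_DISK_SERIAL_ID"; then
                DISK_DEVICE=$dev
                break
            fi
        done
        if [[ -z "$DISK_DEVICE" ]]; then
            log_warn "specified disk device ${DATA_DISK_SERIAL_ID} not found. return"
            return 0
        fi
    fi

    local device
    if [[ -n "$DISK_DEVICE" ]]; then
        device=$DISK_DEVICE
    else
        # A single-disk node has only its system disk: refuse to touch it.
        local diskcnt
        diskcnt=$(lsblk -l -n -o NAME -d -p | wc -l)
        if [[ "$diskcnt" -le 1 ]]; then
            echo "WARNING: node has only one disk, refuse fdisk op."
            return
        fi
        # Legacy heuristic: the last device in sort order (nvme preferred, for
        # local SSD) is taken to be the Aliyun data disk.
        if lsblk -l -n -o NAME -d -p | grep -q nvme; then
            device=$(lsblk -l -n -o NAME -d -p | grep nvme | sort | tail -n 1)
        else
            device=$(lsblk -l -n -o NAME -d -p | sort | tail -n 1)
        fi
    fi
    if [[ ! -b "$device" ]]; then
        echo "auto_fdisk fail: [$device] is not a block device"
        return 1
    fi

    DATA_DISK_SERIAL_ID=$(udevadm info --query=all --name="$device" | sed -n 's/.*ID_SERIAL=\(.*\)/\1/p')
    export DATA_DISK_SERIAL_ID

    # First partition when the device has one, else the whole device (lsblk
    # prints the device itself first, then its partitions).
    local rdevice
    rdevice=$(lsblk -l -n -o NAME -p "${device}" | head -n 2 | tail -n 1)

    # Existing filesystem type decides whether to mkfs. xfs must have ftype=1
    # for the container runtime.
    local fstype
    fstype=$(lsblk -l -n -f -o FSTYPE "$rdevice")
    case $fstype in
        "")
            AUTO_FDISK_FSTYPE=${AUTO_FDISK_FSTYPE:-ext4}
            case $AUTO_FDISK_FSTYPE in
                "ext4")
                    mkfs.ext4 -i 8192 "$rdevice"
                    ;;
                "xfs")
                    mkfs.xfs -n ftype=1 "$rdevice"
                    ;;
                *)
                    # Previously fell through and tried to mount an unformatted
                    # device; fail here so the cause is visible.
                    echo "InvalidFsType" "invalid fs type $AUTO_FDISK_FSTYPE"
                    return 1
                    ;;
            esac
            ;;
        "xfs")
            # Warn only; an existing xfs without ftype=1 is still mounted.
            if ! xfs_info "$rdevice" | grep -q ftype=1; then
                echo "InvalidXfs" "xfs filesystem must formated with parameter fstype=1, docker required"
            fi
            ;;
    esac

    # NOTE(review): the fstab guard above checks /var/lib/${runtime_dir} but the
    # mount point is /var/lib/container — presumably the runtime directory is
    # relocated there by a later step; confirm. The mount is not persisted to
    # /etc/fstab here.
    mkdir -p /var/lib/container
    mount "${rdevice}" /var/lib/container/
    echo "mountDataDiskDone"
}

# cleanup: remove downloaded bundles from the working directory (EXIT trap).
cleanup() {
    rm -rf ./{addon*,docker*,kubernetes*,pkg,run*}
}

# main: build pipeline. trim_os is opt-in and post_install is never invoked.
# NOTE(review): keep_container_data is not defined in this file while
# mount_data_disk above is defined but never called; the sibling script
# calls mount_data_disk at this point. Confirm which is intended — under
# set -e an undefined function aborts the build.
main() {
    trap 'cleanup' EXIT

    check_params "$@"
    setup_env

    # trim_os

    download_pkg
    source_file
    preset_gpu
    pull_image
    keep_container_data
    update_os_release
    record_k8s_version
}

main "$@"
-------------------------------------------------------------------------------- /scripts/cleanUpKerneles.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Drop old kernel packages, keeping only one (--count=1). yum-utils is
# installed just for package-cleanup and removed again afterwards; there is
# no set -e, so a failing cleanup still proceeds to the removal.

rpm -q kernel

yum install -y yum-utils

package-cleanup --oldkernels --count=1 -y

yum -y remove yum-utils

-------------------------------------------------------------------------------- /scripts/disableTuned.sh: --------------------------------------------------------------------------------
#!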
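/bin/bash

# Stop and disable tuned on the two base images where it is known to be on.
# image_id is read from /etc/image-id with its surrounding quotes, hence the
# escaped quotes in the comparison.

if [ -f "/etc/image-id" ]; then
    image_id=$(grep image_id /etc/image-id | cut -d "=" -f2)

    if [ "$image_id" = "\"aliyun_2_1903_x64_20G_alibase_20200526.vhd\"" ] || [ "$image_id" = "\"aliyun_2_1903_x64_20G_alibase_20200529.vhd\"" ]; then
        systemctl stop tuned
        systemctl disable tuned
        echo "Succesfully stop and disable tuned"
    fi
fi
-------------------------------------------------------------------------------- /scripts/reboot.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Reboot so a freshly installed kernel takes effect; the sleep keeps this
# step alive while the reboot happens.
reboot
sleep 60

-------------------------------------------------------------------------------- /scripts/set-cgroupv2.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Switch the node to the unified cgroup hierarchy when CGROUP_MODE mentions
# v2/V2. grubby edits the boot entries rather than /etc/default/grub, so the
# entries are checked as well to keep this idempotent across re-runs.
if [[ -n $CGROUP_MODE ]] && [[ $CGROUP_MODE =~ [vV]2 ]]; then
    echo "set cgroup mode to $CGROUP_MODE"
    if ! grep -q 'systemd.unified_cgroup_hierarchy=1' /etc/default/grub \
        && ! grubby --info=ALL | grep -q 'systemd.unified_cgroup_hierarchy=1'; then
        grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"
        grubby --update-kernel=ALL --args="cgroup_no_v1=all"
    fi
fi

-------------------------------------------------------------------------------- /scripts/updateDNS.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Template: every step is commented out; uncomment and fill in the
# nameservers to use it.

# unlock DNS file in case it was locked
# chattr -i /etc/resolv.conf

# Using your custom nameserver to replace xxx.xxx.xxx.xxx
# echo -e "nameserver xxx.xxx.xxx.xxx\nnameserver xxx.xxx.xxx.xxx" > /etc/resolv.conf

# Keep resolv locked to prevent overwriting by cloudinit/NetworkManager
# chattr +i /etc/resolv.conf

-------------------------------------------------------------------------------- /scripts/updateKernel.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Full package update followed by an explicit kernel update.
yum update -y
yum install -y yum-utils
yum update -y kernel

-------------------------------------------------------------------------------- /scripts/verify.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Post-build verification of the image. Each check logs pass/fail and the
# script exits 1 on the first failure.

REQUIRED_TOOLS=("cloud-init" "wget" "curl")
CLEANUP_TOOLS=("kubeadm" "kubelet" "kubectl" "kubernetes-cni" "docker")
REQUIRED_KERNEL_VERSION=3.10
REQUIRED_SYSTEMD_VERSION=219

# public::common::log MESSAGE pass|fail — timestamped, colour-coded result line.
public::common::log() {
    if [ "$2" = "fail" ]; then
        echo -e "$(date '+[%Y%m%d %H:%M:%S]: ')$1 \033[31m Verify Failed! \033[0m"
    else
        echo -e "$(date '+[%Y%m%d %H:%M:%S]: ')$1 \033[32m Verify Passed! \033[0m"
    fi
}

# Kernel version must be >= REQUIRED_KERNEL_VERSION (version-aware sort).
public::check::kernel() {
    local current_kernel_version
    current_kernel_version=$(uname -r)

    if [ "$(printf '%s\n' "$REQUIRED_KERNEL_VERSION" "$current_kernel_version" | sort -V | head -n1)" = "$REQUIRED_KERNEL_VERSION" ]; then
        public::common::log "Check if kernel version >= $REQUIRED_KERNEL_VERSION." "pass"
    else
        public::common::log "Check if kernel version >= $REQUIRED_KERNEL_VERSION." "fail"
        exit 1
    fi
}

public::check::kernel

# systemd version must be >= REQUIRED_SYSTEMD_VERSION.
public::check::systemd() {
    local current_systemd_version
    current_systemd_version=$(systemctl --version | grep systemd | cut -d " " -f2)

    if [ "$(printf '%s\n' "$REQUIRED_SYSTEMD_VERSION" "$current_systemd_version" | sort -V | head -n1)" = "$REQUIRED_SYSTEMD_VERSION" ]; then
        public::common::log "Check if systemd version >= $REQUIRED_SYSTEMD_VERSION." "pass"
    else
        public::common::log "Check if systemd version >= $REQUIRED_SYSTEMD_VERSION." "fail"
        exit 1
    fi
}

public::check::systemd

# Root must be able to log in over ssh on port 22 with a key: a throwaway
# key pair is generated, installed into /root/.ssh and a loopback login is
# attempted. The original /root/.ssh is backed up and restored, and the
# generated key material removed, on both the pass and the fail path (the
# fail path previously left the private key in /root/.ssh/id_rsa and its
# public key in authorized_keys, and never restored the backup).
public::check::permitrootlogin() {
    local workdir=/tmp/ack-image-builder
    if [ -d "/root/.ssh" ]; then
        cp -r /root/.ssh /root/.ssh_bak
    fi
    # Fresh work dir: a leftover key from an earlier run would make
    # ssh-keygen prompt to overwrite. /root/.ssh may not exist yet.
    rm -rf "$workdir"
    mkdir -p "$workdir" /root/.ssh
    chmod 700 /root/.ssh
    ssh-keygen -t rsa -P '' -f "$workdir/id_rsa"
    cat "$workdir/id_rsa" > /root/.ssh/id_rsa
    cat "$workdir/id_rsa.pub" > /root/.ssh/authorized_keys
    chmod 600 /root/.ssh/id_rsa

    local rc=0
    # BatchMode/ConnectTimeout keep the check from hanging on a prompt or a
    # dead sshd; the loopback host key is not worth recording.
    ssh -o PasswordAuthentication=no -o StrictHostKeyChecking=no \
        -o UserKnownHostsFile=/dev/null -o BatchMode=yes -o ConnectTimeout=10 \
        root@127.0.0.1 "pwd" || rc=$?

    # Always remove the generated key and restore the original directory.
    rm -rf /root/.ssh "$workdir"
    if [ -d "/root/.ssh_bak" ]; then
        mv /root/.ssh_bak /root/.ssh
    fi

    if [ "$rc" -ne 0 ]; then
        public::common::log "Check if permit root login using ssh key on port 22." "fail"
        exit 1
    else
        public::common::log "Check if permit root login using ssh key on port 22." "pass"
    fi
}

public::check::permitrootlogin

# Every REQUIRED_TOOLS entry must be on PATH and answer --version.
public::check::requiredtools() {
    local required_tool
    for required_tool in "${REQUIRED_TOOLS[@]}"; do
        if ! command -v "$required_tool" >/dev/null 2>&1; then
            public::common::log "Check if $required_tool is installed." "fail"
            exit 1
        fi
        public::common::log "Check if $required_tool is installed." "pass"
        if ! "$required_tool" --version >/dev/null 2>&1; then
            public::common::log "$required_tool is installed, but run $required_tool --version failed, may not work well." "fail"
            exit 1
        fi
        public::common::log "Check if run $required_tool --version is ok." "pass"
    done
}

public::check::requiredtools

# No CLEANUP_TOOLS entry may remain on PATH in the finished image.
public::check::cleanuptools() {
    local cleanup_tool
    for cleanup_tool in "${CLEANUP_TOOLS[@]}"; do
        if command -v "$cleanup_tool" >/dev/null 2>&1; then
            public::common::log "Check if $cleanup_tool is cleaned up." "fail"
            exit 1
        fi
        public::common::log "Check if $cleanup_tool is cleaned up." "pass"
    done
}

public::check::cleanuptools

#TODO
#E.g. Check chronyd or ntpd is configured properly

#E.. Check iptables
--------------------------------------------------------------------------------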