installer: refactor install script (#220)

Make the install script simpler by leveraging a self-extracting tarball
built with makeself. This adds a new release artifact,
rke2-installer.${GOOS}-${GOARCH}.run, that is a self-extracting version
of the tarball artifact. The install, killall, and uninstall logic has
been moved into this artifact which ends up on hosts, by default, in the
/usr/local/share/rke2/scripts directory.

The install.sh at the root of the repository has been simplified. It
will attempt to detect if yum is available and install via that method.
Lacking yum, it will download and invoke the self-extracting tarball.

.gitignore

@@ -6,5 +6,5 @@
 .idea
 .vscode
 /data
-./rke2
+/rke2
 /build

Dockerfile

@@ -35,7 +35,6 @@ VOLUME /var/lib/rancher/k3s
 
 # Dapper/Drone/CI environment
 FROM build AS dapper
-
 ENV DAPPER_ENV GODEBUG REPO TAG DRONE_TAG PAT_USERNAME PAT_TOKEN KUBERNETES_VERSION DOCKER_BUILDKIT
 ENV DAPPER_OUTPUT ./dist ./bin ./build
 ENV DAPPER_DOCKER_SOCKET true

Vagrantfile

@@ -168,7 +168,7 @@ EOF
         echo 'RKE2_KUBECONFIG_MODE=0644' >> /etc/sysconfig/rke2-server
         systemctl enable --now rke2-server
         cat << 'EOF' > /etc/profile.d/rke2.sh
-export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=$(ls -td /var/lib/rancher/rke2/data/*/bin):$PATH
+export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=$PATH:/var/lib/rancher/rke2/bin
 EOF
     SHELL
   end

bundle/etc/profile.d/rke2.sh

@@ -0,0 +1,2 @@
+KUBECONFIG="/etc/rancher/rke2/rke2.yaml"
+PATH="$PATH:/var/lib/rancher/rke2/bin"

bundle/etc/sysctl.d/rke2-cis.conf

@@ -0,0 +1,5 @@
+vm.panic_on_oom=0
+vm.overcommit_memory=1
+kernel.keys.root_maxbytes=25000000
+kernel.panic=10
+kernel.panic_on_oops=1

bundle/share/rke2/rke2.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Rancher Kubernetes Engine v2
+Documentation=https://github.com/rancher/rke2#readme
+Wants=network-online.target
+After=network-online.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+EnvironmentFile=-/etc/systemd/system/rke2.env
+KillMode=process
+Delegate=yes
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+TimeoutStartSec=0
+Restart=always
+RestartSec=5s
+ExecStartPre=-/sbin/modprobe br_netfilter
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=rke2 server
+Type=notify

bundle/share/rke2/scripts/rke2-install.sh

@@ -0,0 +1,115 @@
+#!/bin/sh
+
+if [ "${DEBUG}" = 1 ]; then
+  set -x
+fi
+
+# Environment variables:
+#   - RKE2_*
+#     Environment variables which begin with RKE2_ will be preserved for the
+#     systemd service to use. Setting RKE2_URL without explicitly setting
+#     a systemd exec command will default the command to "agent", and we
+#     enforce that RKE2_TOKEN or RKE2_CLUSTER_SECRET is also set.
+#
+#   - INSTALL_RKE2_SKIP_ENABLE
+#     If set to true will not enable or start rke2 service.
+#     Default is "false".
+#
+#   - INSTALL_RKE2_SKIP_START
+#     If set to true will not start rke2 service.
+#     Default is "false".
+#
+#   - INSTALL_RKE2_VERSION
+#     Version of rke2 to download from github. Will attempt to download from the
+#     stable channel if not specified.
+#
+#   - INSTALL_RKE2_ROOT
+#     Filesystem location to unpack tarball.
+#     Default is "/usr/local".
+#
+#   - INSTALL_RKE2_NAME
+#     Name of systemd service to create.
+#     Default is "rke2".
+#
+#   - INSTALL_RKE2_TYPE
+#     Type of rke2 service. Can be either "server" or "agent".
+#     Default is "server" when unspecified and $RKE2_URL is empty.
+#     Default is "agent" when unspecified and $RKE2_URL not empty.
+#
+
+# make sure we run as root
+if [ ! $(id -u) -eq 0 ]; then
+    echo "$(basename "${0}"): must be run as root" >&2
+    exit 1
+fi
+
+# if no systemd then bail
+command -v systemctl >/dev/null 2>&1 || return
+
+set -e
+
+: "${INSTALL_RKE2_NAME:="rke2"}"
+: "${INSTALL_RKE2_ROOT:="/usr/local"}"
+
+INSTALL_RKE2_ROOT="$(realpath "${INSTALL_RKE2_ROOT}")"
+
+if [ -z "${INSTALL_RKE2_TYPE}" ]; then
+    if [ -z "${RKE2_URL}" ]; then
+        INSTALL_RKE2_TYPE="server"
+    else
+        INSTALL_RKE2_TYPE="agent"
+    fi
+fi
+
+# should we assume selinux?
+if [ -z "${RKE2_SELINUX}" ] && command -v getenforce >/dev/null 2>&1; then
+    if [ -f /usr/share/selinux/packages/rke2.pp ] && [ "$(getenforce)" != "Disabled" ]; then
+        RKE2_SELINUX=true
+    fi
+fi
+
+mkdir -p "${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.service.d"
+
+# setup service/installation environment file
+if [ -d "${INSTALL_RKE2_ROOT}/lib/systemd/system" ]; then
+cat <<-EOF > "${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.env"
+HOME=/root
+INSTALL_RKE2_ROOT=${INSTALL_RKE2_ROOT}
+INSTALL_RKE2_NAME=${INSTALL_RKE2_NAME}
+EOF
+env | grep -E '^RKE2_' | sort >> "${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.env"
+fi
+
+# setup the service file
+cp -f "${INSTALL_RKE2_ROOT}/share/rke2/rke2.service" "${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.service"
+if [ "${RKE2_SELINUX}" = "true" ]; then
+    chcon -t container_unit_file_t "${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.service" || true
+fi
+
+# setup the service overrides
+cat <<-EOF > "${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.service.d/00-install.conf"
+[Service]
+EnvironmentFile=-${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.env
+ExecStart=
+ExecStart=${INSTALL_RKE2_ROOT}/bin/rke2 ${INSTALL_RKE2_TYPE}
+EOF
+
+# enable the cis profile
+if [ -n "${RKE2_CIS_PROFILE}" ]; then
+    for conf in "${INSTALL_RKE2_ROOT}"/etc/sysctl.d/*.conf; do
+        cp -f "${conf}" "/etc/sysctl.d/${INSTALL_RKE2_CIS_SYSCTL_PREFIX:="30"}-$(basename "${conf}")"
+    done
+    systemctl restart systemd-sysctl >/dev/null
+fi
+
+# enable the service
+if [ "${INSTALL_RKE2_SKIP_ENABLE="false"}" = "true" ]; then
+    return
+fi
+systemctl enable "${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.service" > /dev/null
+systemctl daemon-reload >/dev/null
+
+# start the service
+if [ "${INSTALL_RKE2_SKIP_START=false}" != "true" ]; then
+    systemctl restart "${INSTALL_RKE2_NAME}"
+fi

bundle/share/rke2/scripts/rke2-killall.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+
+# make sure we run as root
+if [ ! $(id -u) -eq 0 ]; then
+    echo "$(basename "${0}"): must be run as root" >&2
+    exit 1
+fi
+
+pschildren() {
+    ps -e -o ppid= -o pid= | \
+    sed -e 's/^\s*//g; s/\s\s*/\t/g;' | \
+    grep -w "^$1" | \
+    cut -f2
+}
+
+pstree() {
+    for pid in "$@"; do
+        echo ${pid}
+        for child in $(pschildren ${pid}); do
+            pstree ${child}
+        done
+    done
+}
+
+killtree() {
+    kill -9 $(
+        { set +x; } 2>/dev/null;
+        pstree "$@";
+        set -x;
+    ) 2>/dev/null
+}
+
+getshims() {
+    ps -e -o pid= -o args= | sed -e 's/^ *//; s/\s\s*/\t/;' | grep -w 'rke2/data/[^/]*/bin/containerd-shim' | cut -f1
+}
+
+do_unmount() {
+    { set +x; } 2>/dev/null
+    MOUNTS=
+    while read ignore mount ignore; do
+        MOUNTS="${mount}\n${MOUNTS}"
+    done </proc/self/mounts
+    MOUNTS=$(printf ${MOUNTS} | grep "^$1" | sort -r)
+    if [ -n "${MOUNTS}" ]; then
+        set -x
+        umount ${MOUNTS}
+    else
+        set -x
+    fi
+}
+
+for bin in /var/lib/rancher/rke2/data/**/bin/; do
+    [ -d $bin ] && export PATH=$PATH:$bin:$bin/aux
+done
+
+set -x
+
+for service in /etc/systemd/system/rke2*.service; do
+    [ -s ${service} ] && systemctl stop $(basename ${service})
+done
+
+for service in /etc/init.d/rke2*; do
+    [ -x ${service} ] && ${service} stop
+done
+
+killtree $({ set +x; } 2>/dev/null; getshims; set -x)
+
+do_unmount '/run/k3s'
+do_unmount '/var/lib/rancher/rke2'
+do_unmount '/var/lib/kubelet/pods'
+do_unmount '/run/netns/cni-'
+
+# Delete network interface(s) that match 'master cni0'
+ip link show 2>/dev/null | grep 'master cni0' | while read ignore iface ignore; do
+    iface=${iface%%@*}
+    [ -z "$iface" ] || ip link delete $iface
+done
+ip link delete cni0
+ip link delete flannel.1
+rm -rf /var/lib/cni/
+iptables-save | grep -v KUBE- | grep -v CNI- | iptables-restore

bundle/share/rke2/scripts/rke2-uninstall.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+
+# make sure we run as root
+if [ ! $(id -u) -eq 0 ]; then
+    echo "$(basename "${0}"): must be run as root" >&2
+    exit 1
+fi
+
+if [ -e "/etc/systemd/system/${INSTALL_RKE2_NAME}.env" ]; then
+    . "/etc/systemd/system/${INSTALL_RKE2_NAME}.env"
+fi
+
+: "${INSTALL_RKE2_ROOT:="/usr/local"}"
+: "${INSTALL_RKE2_NAME:="rke2"}"
+
+if [ -e "${rke2_killall:="$(dirname "$0")/rke2-killall.sh"}" ]; then
+  eval "${rke2_killall}"
+fi
+
+if command -v systemctl >/dev/null 2>&1; then
+    systemctl disable "${INSTALL_RKE2_NAME}" || true
+    systemctl reset-failed "${INSTALL_RKE2_NAME}" || true
+    systemctl daemon-reload
+fi
+
+# remove service files
+rm -f "${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.service"
+rm -rf "${INSTALL_RKE2_ROOT}/lib/systemd/system/${INSTALL_RKE2_NAME}.service.d"
+
+if (ls ${INSTALL_RKE2_ROOT}/lib/systemd/system/rke2*.service || ls /etc/init.d/rke2*) >/dev/null 2>&1; then
+    set +x; echo 'Additional rke2 services installed, skipping uninstall of rke2'; set -x
+    exit
+fi
+
+set -e
+
+rm -rf /etc/rancher/rke2
+rm -rf /var/lib/kubelet
+rm -rf /var/lib/rancher/rke2
+rm -f "/etc/sysctl.d/*-${INSTALL_RKE2_NAME}-cis.conf"
+rm -f "${INSTALL_RKE2_ROOT}/bin/rke2"
+rm -f "/etc/systemd/system/${INSTALL_RKE2_NAME}.env"