rancher 非docker离线安装
Last updated on December 17, 2025 am
🧙 Questions
使用非docker的方式离线安装rancher
centos7.5
☄️ Ideas
配置免密登录
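# Run on the workstation: install the local SSH public key for root on the server.
ssh-copy-id root@120.55.168.57

# Upload the RKE2 installation packages
# https://github.com/rancher/rke2/releases/tag/v1.28.3%2Brke2r1
# All four artifacts are plain files, so one scp call without -r is enough.
# sha256sum-amd64.txt is uploaded together with the tarballs it describes.
scp \
  /Users/ispong/OneDrive/Downloads/linux/rancher/rke2-images.linux-amd64.tar.zst \
  /Users/ispong/OneDrive/Downloads/linux/rancher/rke2.linux-amd64.tar.gz \
  /Users/ispong/OneDrive/Downloads/linux/rancher/sha256sum-amd64.txt \
  /Users/ispong/OneDrive/Downloads/linux/rancher/install.sh \
  root@120.55.168.57:/tmp

# Create the RKE2 directories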
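# Run on the server: keep RKE2 and container data on the /data disk and expose
# it at the default locations through symlinks.
mkdir -p /data/rancher
# -f/-n replace an existing symlink on a re-run instead of nesting a new link
# inside the directory it points to.
ln -sfn /data/rancher /var/lib/rancher
mkdir -p /data/containers
ln -sfn /data/containers /var/lib/containers

# Install RKE2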
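# Stage the uploaded artifacts in the directory the installer reads from.
mkdir -p /data/rke2-artifacts
cp /tmp/rke2-images.linux-amd64.tar.zst \
  /tmp/rke2.linux-amd64.tar.gz \
  /tmp/sha256sum-amd64.txt \
  /data/rke2-artifacts/
# Must be run as root
cd /tmp
# NOTE(review): with INSTALL_RKE2_ARTIFACT_PATH set, install.sh is expected to
# install from the local tarballs and check them against sha256sum-amd64.txt -
# confirm against the install.sh that was downloaded.
INSTALL_RKE2_ARTIFACT_PATH=/data/rke2-artifacts sh install.sh

# Start RKE2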
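# View the log (run this in a second terminal: -f follows the log and does not return)
journalctl -u rke2-server -f
systemctl enable rke2-server.service
systemctl start rke2-server.service
systemctl status rke2-server.service

# Check the RKE2 service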
此时k8s已经安装好了
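# Written to a drop-in under /etc/profile.d (sourced by /etc/profile on CentOS)
# rather than appended to /etc/profile, so re-running the step does not add
# duplicate lines. The quoted 'EOF' keeps $PATH literal in the file.
# NOTE(review): rke2.yaml is the cluster-admin kubeconfig - keep it readable by root only.
tee /etc/profile.d/rke2.sh <<-'EOF'
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
export PATH=$PATH:/var/lib/rancher/rke2/bin
EOF
source /etc/profile
kubectl get nodes
kubectl get pods -n kube-system

# Offline install of Helm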
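# On the workstation: upload the Helm release tarball.
scp /Users/ispong/OneDrive/Downloads/linux/rancher/helm-v3.15.3-linux-amd64.tar.gz root@120.55.168.57:/tmp

# On the server:
cd /tmp
# --no-same-owner: tar run as root otherwise restores the uid/gid recorded in
# the archive, which would leave the binary owned by an arbitrary account.
tar --no-same-owner -zxvf helm-v3.15.3-linux-amd64.tar.gz
# install sets owner and mode explicitly instead of keeping whatever mv carries over.
install -o root -g root -m 0755 /tmp/linux-amd64/helm /usr/bin/helm
helm version

# Offline install of nerdctl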
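# On the workstation: upload the nerdctl release tarball.
scp /Users/ispong/OneDrive/Downloads/linux/rancher/nerdctl-2.2.0-linux-amd64.tar.gz root@120.55.168.57:/tmp

# On the server:
cd /tmp
# --no-same-owner: do not restore the archive's uid/gid when extracting as root.
tar --no-same-owner -vzxf /tmp/nerdctl-2.2.0-linux-amd64.tar.gz
# Place the binary and the two rootless helper scripts in /usr/bin, owned by
# root and not writable by anyone else.
install -o root -g root -m 0755 /tmp/nerdctl /usr/bin/nerdctl
install -o root -g root -m 0755 /tmp/containerd-rootless-setuptool.sh /usr/bin/containerd-rootless-setuptool.sh
install -o root -g root -m 0755 /tmp/containerd-rootless.sh /usr/bin/containerd-rootless.sh

# nerdctl configuration reference:
# https://github.com/containerd/nerdctl/blob/main/docs/config.md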
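mkdir -p /etc/nerdctl
# The file is written with a here-document instead of an interactive vim
# session; the settings are unchanged. The quoted 'EOF' writes the text as-is.
cat > /etc/nerdctl/nerdctl.toml <<'EOF'
debug = false
debug_full = false
# containerd socket of the RKE2 node
address = "unix:///run/k3s/containerd/containerd.sock"
# namespace in which Kubernetes keeps its images
namespace = "k8s.io"
snapshotter = "stargz"
cgroup_manager = "cgroupfs"
hosts_dir = ["/etc/containerd/certs.d", "/etc/docker/certs.d"]
experimental = true
userns_remap = ""
dns = ["8.8.8.8", "1.1.1.1"]
dns_opts = ["ndots:1", "timeout:2"]
dns_search = ["example.com", "example.org"]
# NOTE(review): insecure_registry = true makes nerdctl skip HTTPS certificate
# verification and allows falling back to plain HTTP for registries. Once the
# registry's CA certificate is in the system trust store this can be set to
# false so that pushes, pulls and logins are verified.
insecure_registry = true
EOF
whereis nerdctl
which nerdctl
nerdctl version

# Download the Harbor installation packages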
- https://github.com/goharbor/harbor/releases/tag/v2.14.1
- https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.32/deploy/local-path-storage.yaml
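# On the workstation: upload the Harbor chart, the Harbor offline installer and
# the local-path-provisioner manifest and images.
scp \
  /Users/ispong/OneDrive/Downloads/linux/rancher/harbor-helm-1.18.0.tar.gz \
  /Users/ispong/OneDrive/Downloads/linux/rancher/harbor-offline-installer-v2.14.1.tgz \
  /Users/ispong/OneDrive/Downloads/linux/rancher/local-path-provisioner-v0.0.32.yaml \
  /Users/ispong/OneDrive/Downloads/linux/rancher/local-path-provisioner-v0.0.32-amd64.tar.gz \
  /Users/ispong/OneDrive/Downloads/linux/rancher/busybox-latest.tar.gz \
  root@120.55.168.57:/tmp

# On the server: import the image archives into containerd.
nerdctl load -i /tmp/local-path-provisioner-v0.0.32-amd64.tar.gz
nerdctl load -i /tmp/busybox-latest.tar.gz

# Package the Helm chart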
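cd /tmp
tar -vzxf harbor-helm-1.18.0.tar.gz
cd /tmp/harbor-helm-1.18.0
# Change the version from 2.14.0 to 2.14.1
# (presumably so the chart's image tags match the v2.14.1 offline installer - confirm)
sed -i 's/v2\.14\.0/v2.14.1/g' /tmp/harbor-helm-1.18.0/values.yaml
# Package the chart; the resulting .tgz is written to the current directory
helm package .

# Configure crictl, used to check that the images were imported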
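# Point crictl at the containerd socket of the RKE2 node.
cat <<'EOF' | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/k3s/containerd/containerd.sock
image-endpoint: unix:///run/k3s/containerd/containerd.sock
timeout: 10
debug: false
EOF

# Unpack the Harbor offline installer and import its image archive.
cd /tmp
tar -xzf /tmp/harbor-offline-installer-v2.14.1.tgz
cd /tmp/harbor
nerdctl load -i /tmp/harbor/harbor.v2.14.1.tar.gz
# Check that the images were imported
crictl images

# Install Rancher's local-path-provisioner to mount a local disk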
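cd /tmp
vim local-path-provisioner-v0.0.32.yaml
# In the editor: search for DEFAULT_PATH_FOR_NON_LISTED_NODES and change
# /opt/local-path-provisioner to /data/local-path-provisioner (your own disk)
kubectl apply -f local-path-provisioner-v0.0.32.yaml
kubectl get pods -n local-path-storage
kubectl get storageclass

# Create the TLS certificate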
注意IP.1的外网ip,一定要改,不然页面无法访问
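# Create the directory
mkdir -p /data/harbor/ssl/ && cd /data/harbor/ssl/

# Private CA: key and self-signed certificate.
# The subshell with umask 077 creates the key readable by root only; depending
# on the OpenSSL version, genrsa would otherwise follow the default umask.
(umask 077 && openssl genrsa -out ca.key 4096)
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Shanghai/L=Shanghai/O=isxcode/OU=Personal/CN=isxcode.com" \
  -key ca.key \
  -out ca.crt

# Harbor server key and certificate signing request.
(umask 077 && openssl genrsa -out harbor.key 4096)
openssl req -sha512 -new \
  -subj "/C=CN/ST=Shanghai/L=Shanghai/O=isxcode/OU=Personal/CN=isxcode.com" \
  -key harbor.key \
  -out harbor.csr

# Certificate extensions. The names and addresses under [alt_names] must match
# how clients reach Harbor; IP.1 is the public IP.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.isxcode.com
IP.1=120.55.168.57
IP.2=172.19.189.246
EOF

# Sign the server certificate with the CA.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in harbor.csr \
  -out harbor.crt
openssl x509 -inform PEM -in harbor.crt -out harbor.cert

# nerdctl login makes HTTPS requests to the registry, so CentOS has to trust the CA.
# Only the CA certificate is copied into the trust anchors: /data/harbor/ssl/
# also holds ca.key and harbor.key, and private keys do not belong in the
# system-wide trust directory.
cp /data/harbor/ssl/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

# Create the secret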
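# To recreate the secret, delete the old one first:
# kubectl delete secret harbor-tls -n harbor
kubectl create namespace harbor
# TLS secret holding the Harbor server certificate and its private key.
kubectl create secret tls harbor-tls \
  --cert=/data/harbor/ssl/harbor.cert \
  --key=/data/harbor/ssl/harbor.key \
  -n harbor
# Inspect the result
kubectl get secret -n harbor -o wide

# Install Harbor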
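# Prompt for the Harbor admin password instead of writing it on the command
# line, where it would end up in the shell history and the process list.
read -rs -p 'Harbor admin password: ' harbor_admin_password && printf '\n'
# mktemp creates the file readable by its owner only. printf is a shell
# builtin, so the password is not passed as a process argument, and no trailing
# newline is written because --set-file takes the file content verbatim.
harbor_pw_file=$(mktemp)
printf '%s' "$harbor_admin_password" > "$harbor_pw_file"

helm upgrade --install harbor /tmp/harbor-helm-1.18.0/harbor-1.18.0.tgz \
  --namespace harbor --create-namespace \
  --set expose.type=nodePort \
  --set expose.tls.enabled=true \
  --set expose.tls.certSource=secret \
  --set expose.tls.auto.commonName=isxcode.com \
  --set expose.tls.secret.secretName=harbor-tls \
  --set persistence.persistentVolumeClaim.registry.storageClass=local-path \
  --set persistence.persistentVolumeClaim.registry.size=20Gi \
  --set persistence.persistentVolumeClaim.redis.storageClass=local-path \
  --set persistence.persistentVolumeClaim.redis.size=5Gi \
  --set persistence.persistentVolumeClaim.database.storageClass=local-path \
  --set persistence.persistentVolumeClaim.database.size=10Gi \
  --set persistence.persistentVolumeClaim.jobservice.jobLog.storageClass=local-path \
  --set persistence.persistentVolumeClaim.jobservice.jobLog.size=1Gi \
  --set persistence.persistentVolumeClaim.trivy.storageClass=local-path \
  --set persistence.persistentVolumeClaim.trivy.size=5Gi \
  --set externalURL=https://120.55.168.57:30003 \
  --set expose.nodePort.ports.https.port=30003 \
  --set proxy.httpsPort=30003 \
  --set-file harborAdminPassword="$harbor_pw_file" \
  --set imagePullPolicy=Never \
  --wait --timeout=20m

rm -f -- "$harbor_pw_file"
unset harbor_admin_password harbor_pw_file
# NOTE(review): Helm keeps the supplied values in the release record stored in
# the harbor namespace, so change the admin password in the Harbor UI after the
# first login.

# This takes a while
kubectl -n harbor get pods

# Harbor web UI: https://120.55.168.57:30003
nerdctl login https://172.19.189.246:30003
# Enter Username: admin
# Enter Password: (the admin password entered at the prompt above)

# Import the Rancher offline images, v2.8.5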
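# On the workstation: upload the Rancher image archive, image list and load script.
scp \
  /Users/ispong/OneDrive/Downloads/linux/rancher/rancher-images.tar.gz \
  /Users/ispong/OneDrive/Downloads/linux/rancher/rancher-images.txt \
  /Users/ispong/OneDrive/Downloads/linux/rancher/rancher-load-images.sh \
  root@120.55.168.57:/tmp

# On the server: load the images and push them to the Harbor "library" project.
cd /tmp
chmod +x rancher-load-images.sh
./rancher-load-images.sh --image-list ./rancher-images.txt --registry 172.19.189.246:30003/library

# Install self-signed certificate support (cert-manager) on k8s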
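# On the workstation: upload the cert-manager chart and its CRD manifest.
scp /Users/ispong/OneDrive/Downloads/linux/rancher/cert-manager-v1.15.1.tgz root@120.55.168.57:/tmp
scp /Users/ispong/OneDrive/Downloads/linux/rancher/cert-manager-crd.yaml root@120.55.168.57:/tmp

# On the server:
cd /tmp
kubectl create namespace cert-manager
# The CRDs are applied from the separate manifest before the chart is installed.
kubectl apply -f ./cert-manager-crd.yaml
# Every image is pulled from the private Harbor registry instead of quay.io.
helm install cert-manager /tmp/cert-manager-v1.15.1.tgz \
  --namespace cert-manager \
  --set image.repository=172.19.189.246:30003/library/quay.io/jetstack/cert-manager-controller \
  --set webhook.image.repository=172.19.189.246:30003/library/quay.io/jetstack/cert-manager-webhook \
  --set cainjector.image.repository=172.19.189.246:30003/library/quay.io/jetstack/cert-manager-cainjector \
  --set startupapicheck.image.repository=172.19.189.246:30003/library/quay.io/jetstack/cert-manager-startupapicheck \
  --debug
helm list -A
kubectl -n cert-manager get pods

# Install Rancher on k8s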
卸载:helm uninstall rancher -n cattle-system
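# On the workstation: upload the Rancher chart.
scp /Users/ispong/OneDrive/Downloads/linux/rancher/rancher-2.8.5.tgz root@120.55.168.57:/tmp

# On the server:
cd /tmp
kubectl create namespace cattle-system
# The Rancher image and the system images are pulled from the private Harbor
# registry; the service is exposed as a NodePort.
helm install rancher /tmp/rancher-2.8.5.tgz \
  --namespace cattle-system \
  --set hostname=isxcode \
  --set certmanager.version=1.15.1 \
  --set rancherImage=172.19.189.246:30003/library/rancher/rancher \
  --set useBundledSystemChart=true \
  --set systemDefaultRegistry=172.19.189.246:30003/library \
  --set rancherImageTag=v2.8.5 \
  --set service.type=NodePort
kubectl -n cattle-system get deploy rancher
kubectl -n cattle-system get pods

# Change the port number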
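kubectl edit svc rancher -n cattle-system
# In the editor, change the nodePort. The ports section looks like this:
#
#   ports:
#   - name: http
#     nodePort: 30119
#     port: 80
#     protocol: TCP
#     targetPort: 80
#   - name: https-internal
#     nodePort: 31257   # change this one
#     port: 443
#     protocol: TCP
#     targetPort: 444

# Confirm the ports the service is published on.
kubectl get svc -n cattle-system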
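# NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
# rancher NodePort 10.43.178.130 <none> 80:30119/TCP,443:31257/TCP 6m54s
# rancher-webhook ClusterIP 10.43.207.252 <none> 443/TCP 32s

# Get the password
# Reads bootstrapPassword from the bootstrap-secret Secret and base64-decodes it.
kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}{{ "\n" }}'

# NOTE(review): the values below come from the author's installation; the
# command above prints the bootstrap password of your own cluster, and it
# should be replaced with a new admin password at the first login.
# - URL: https://120.55.168.57:31257
# - Initial password: lw6d6dp5m8p98vhgbpjx8t4hpcp9hmrgbvb25hcwngjffn2dfwxw7h
# - Automatically generated password: ARA5K27Xuw8bE9MM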
🔗 Links
rancher 非docker离线安装
https://ispong.isxcode.com/kubernetes/rancher/rancher 非docker离线安装/