Notes: The template ack-centos.json is used for building custom image for ACK cluster based on the latest published ecs centos public image.
This repository contains resources and configuration scripts for building a custom base OS Image for ACK with HashiCorp Packer.
- Alibaba Cloud Linux 3
- Alibaba Cloud Linux 2 - deprecated
- CentOS 7.6/7.7/7.8/7.9 - deprecated
- Red Hat Enterprise Linux 9
- Anolis OS 8
You must have Packer installed on your local system. For more information, see Installing Packer in the Packer documentation. You must also have Alibaba Cloud account credentials configured so that Packer can make calls to Alibaba Cloud API operations on your behalf.
For more information, see Alibaba Cloud builder in the Packer documentation.
Execute following scripts in your shell
export ALICLOUD_REGION=XXX
export ALICLOUD_ACCESS_KEY=XXX
export ALICLOUD_SECRET_KEY=XXX
packer build examples/ack-aliyunlinux3.json
Execute following scripts in your shell
export RUNTIME=XXX
export ALICLOUD_REGION=XXX
export ALICLOUD_ACCESS_KEY=XXX
export ALICLOUD_SECRET_KEY=XXX
packer build examples/ack-optimized-os-all.json
NOTE: RUNTIME
only support docker
and containerd
{
"variables": {
"image_name": "ack-optimized_image-1.28-{{timestamp}}",
"source_image": "aliyun_3_9_x64_20G_alibase_20231219.vhd",
"instance_type": "ecs.gn6i-c4g1.xlarge",
"region": "{{env `ALICLOUD_REGION`}}",
"access_key": "{{env `ALICLOUD_ACCESS_KEY`}}",
"secret_key": "{{env `ALICLOUD_SECRET_KEY`}}",
"runtime": "{{env `RUNTIME`}}",
"skip_secrutiy_fix": "{{env `SKIP_SECURITY_FIX`}}"
},
"builders": [
{
"type": "alicloud-ecs",
"access_key": "{{user `access_key`}}",
"secret_key": "{{user `secret_key`}}",
"region": "{{user `region`}}",
"image_name": "{{user `image_name`}}",
"source_image": "{{user `source_image`}}",
"ssh_username": "root",
"instance_type": "{{user `instance_type`}}",
"skip_image_validation": "true",
"io_optimized": "true"
}
],
"provisioners": [
{
"type": "file",
"source": "scripts/ack-optimized-os-all.sh",
"destination": "/root/"
},
{
"type": "shell",
"inline": [
"export RUNTIME={{user `runtime`}}",
"export SKIP_SECURITY_FIX={{user `skip_secrutiy_fix`}}",
"export OS_ARCH=amd64",
"export PRESET_GPU=true", # If you want to download gpu, set PRESET_GPU to true and also set instance_type to gpu instance, supports version 1.20+.
"export NVIDIA_DRIVER_VERSION=460.106.00", # You can set the gpu version, default is 460.91.03
"export KEEP_IMAGE_DATA=true", # If you cache images, you must set KEEP_IMAGE_DATA to true
"export KUBE_VERSION=1.28.9-aliyun.1", # Set KUBE_VERSION according to your cluster version
"bash /root/ack-optimized-os-all.sh",
"ctr -n k8s.io i pull docker.io/library/nginx:1.7.9" # You can cache images into OS image
]
}
]
}
If you are using a sub account,the ram policy should at least include actions as below:
Note that you'd better release the delete permissions once you have completed your image build task for safety reasons.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeImages",
"ecs:CreateImage",
"ecs:ModifyImageSharePermission",
"ecs:CreateKeyPair",
"ecs:DeleteKeyPairs",
"ecs:DetachKeyPair",
"ecs:AttachKeyPair",
"ecs:CreateSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:AuthorizeSecurityGroup",
"ecs:CreateSnapshot",
"ecs:AttachDisk",
"ecs:DetachDisk",
"ecs:DescribeDisks",
"ecs:CreateDisk",
"ecs:DeleteDisk",
"ecs:CreateNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeInstanceAttribute",
"ecs:CreateInstance",
"ecs:DeleteInstance",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:DescribeInstances"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"vpc:CreateVpc",
"vpc:DeleteVpc",
"vpc:DescribeVpcs",
"vpc:CreateVSwitch",
"vpc:DeleteVSwitch",
"vpc:DescribeVSwitches",
"vpc:AllocateEipAddress",
"vpc:AssociateEipAddress",
"vpc:UnassociateEipAddress",
"vpc:DescribeEipAddresses",
"vpc:ReleaseEipAddress"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
For security issues or concerns, please do not open an issue or pull request on GitHub. Please report any suspected or confirmed security issues to Alibaba Cloud Container Security contact kubernetes-security@service.aliyun.com