From 9f98ac6394faa3d81f0de7f0703aa9d3000cf9cf Mon Sep 17 00:00:00 2001
From: yuyr <yuyr@zgclab.edu.cn>
Date: Sat, 27 Jun 2026 16:47:12 +0800
Subject: [PATCH] =?UTF-8?q?20260627=20ARM64=E5=AE=89=E8=A3=85=E5=8C=85?=
 =?UTF-8?q?=E5=86=85=E7=BD=AE=E7=9B=91=E6=8E=A7=E9=95=9C=E5=83=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 deploy/arm64-installer/.env.example           |  2 +
 .../compose/docker-compose.yml                |  2 +
 deploy/arm64-installer/docs/README.en.md      |  3 +-
 deploy/arm64-installer/docs/README.zh-CN.md   |  3 +-
 deploy/arm64-installer/docs/operations.en.md  |  4 +-
 .../arm64-installer/docs/operations.zh-CN.md  |  4 +-
 deploy/arm64-installer/install.sh             |  1 +
 deploy/arm64-installer/scripts/common.sh      | 20 ++++
 deploy/arm64-installer/self-check.sh          |  3 +-
 deploy/arm64-installer/upgrade.sh             |  2 +-
 .../docker/build_arm64_installer_package.sh   | 95 ++++++++++++++++++-
 11 files changed, 130 insertions(+), 9 deletions(-)

diff --git a/deploy/arm64-installer/.env.example b/deploy/arm64-installer/.env.example
index 63afec4..726d580 100644
--- a/deploy/arm64-installer/.env.example
+++ b/deploy/arm64-installer/.env.example
@@ -63,6 +63,8 @@ METRICS_PORT=9556
 METRICS_POLL_SECS=10
 
 # Prometheus / Grafana.
+# Monitor images are packaged as ARM64 docker-save archives and loaded by install.sh.
+MONITOR_PLATFORM=linux/arm64
 PROMETHEUS_IMAGE=prom/prometheus:v2.55.1
 GRAFANA_IMAGE=grafana/grafana:11.3.1
 PROMETHEUS_PORT=9090
diff --git a/deploy/arm64-installer/compose/docker-compose.yml b/deploy/arm64-installer/compose/docker-compose.yml
index 9a092e0..3221a0c 100644
--- a/deploy/arm64-installer/compose/docker-compose.yml
+++ b/deploy/arm64-installer/compose/docker-compose.yml
@@ -49,6 +49,7 @@ services:
 
   prometheus:
     image: ${PROMETHEUS_IMAGE:-prom/prometheus:v2.55.1}
+    platform: ${MONITOR_PLATFORM:-linux/arm64}
     container_name: ${COMPOSE_PROJECT_NAME:-ours-rp-arm64}-prometheus
     command:
       - --config.file=/etc/prometheus/prometheus.yml
@@ -69,6 +70,7 @@ services:
 
   grafana:
     image: ${GRAFANA_IMAGE:-grafana/grafana:11.3.1}
+    platform: ${MONITOR_PLATFORM:-linux/arm64}
     container_name: ${COMPOSE_PROJECT_NAME:-ours-rp-arm64}-grafana
     depends_on:
       - prometheus
diff --git a/deploy/arm64-installer/docs/README.en.md b/deploy/arm64-installer/docs/README.en.md
index 75a95d2..1276872 100644
--- a/deploy/arm64-installer/docs/README.en.md
+++ b/deploy/arm64-installer/docs/README.en.md
@@ -4,7 +4,7 @@
 
 This package deploys ours RP on a `linux/arm64` server with Docker Compose and continuously runs all five RIR validation.
 
-The package includes the ARM64 runtime image. Runtime state, run artifacts, logs, Prometheus data and Grafana data are persisted through host bind mounts.
+The package includes the ours RP ARM64 runtime image, Prometheus ARM64 image and Grafana ARM64 image, so deployment does not pull application images on the target host. Runtime state, run artifacts, logs, Prometheus data and Grafana data are persisted through host bind mounts.
 
 ## Quick Start
 
@@ -28,6 +28,7 @@ Defaults:
 - `LIVE_TA_REFRESH_BEFORE_SNAPSHOT=1`
 - `HOST_DATA_DIR=/var/lib/ours-rp-arm64`
 - `SOAK_RESTART_POLICY=unless-stopped`
+- `MONITOR_PLATFORM=linux/arm64`
 
 ## First Start Semantics
 
diff --git a/deploy/arm64-installer/docs/README.zh-CN.md b/deploy/arm64-installer/docs/README.zh-CN.md
index a11e2e9..2ff75cc 100644
--- a/deploy/arm64-installer/docs/README.zh-CN.md
+++ b/deploy/arm64-installer/docs/README.zh-CN.md
@@ -4,7 +4,7 @@
 
 本安装包用于在 `linux/arm64` 服务器上通过 Docker Compose 部署 ours RP，并持续运行 all5 RIR 同步验证任务。
 
-安装包内置 ours RP ARM64 runtime 镜像，运行产物、状态数据库、日志、Prometheus 和 Grafana 数据均通过宿主机目录挂载保存。
+安装包内置 ours RP ARM64 runtime、Prometheus ARM64、Grafana ARM64 镜像，部署时不需要现场拉取应用镜像。运行产物、状态数据库、日志、Prometheus 和 Grafana 数据均通过宿主机目录挂载保存。
 
 ## 快速开始
 
@@ -28,6 +28,7 @@ vim .env
 - `LIVE_TA_REFRESH_BEFORE_SNAPSHOT=1`
 - `HOST_DATA_DIR=/var/lib/ours-rp-arm64`
 - `SOAK_RESTART_POLICY=unless-stopped`
+- `MONITOR_PLATFORM=linux/arm64`
 
 ## 首次启动语义
 
diff --git a/deploy/arm64-installer/docs/operations.en.md b/deploy/arm64-installer/docs/operations.en.md
index 5dcda8a..4e4aa22 100644
--- a/deploy/arm64-installer/docs/operations.en.md
+++ b/deploy/arm64-installer/docs/operations.en.md
@@ -10,7 +10,7 @@ The installer is idempotent:
 
 - existing `.env` is kept;
 - existing Docker/Compose installation is reused;
-- repeated image loading is safe;
+- repeated loading of packaged ours RP, Prometheus and Grafana ARM64 images is safe;
 - existing data directory is reused.
 
 ## Start
@@ -42,7 +42,7 @@ Start without waiting for the first snapshot:
 Important checks:
 
 - Docker/Compose availability;
-- runtime image exists;
+- runtime, Prometheus and Grafana images exist;
 - `HOST_DATA_DIR` is writable;
 - Compose config is valid;
 - latest run status;
diff --git a/deploy/arm64-installer/docs/operations.zh-CN.md b/deploy/arm64-installer/docs/operations.zh-CN.md
index aa7b5af..ad1b9f0 100644
--- a/deploy/arm64-installer/docs/operations.zh-CN.md
+++ b/deploy/arm64-installer/docs/operations.zh-CN.md
@@ -10,7 +10,7 @@
 
 - 已有 `.env` 不覆盖；
 - 已安装 Docker/Compose 则跳过；
-- 镜像重复加载是安全的；
+- 包内 ours RP、Prometheus、Grafana ARM64 镜像重复加载是安全的；
 - 数据目录已存在则复用。
 
 ## 启动
@@ -42,7 +42,7 @@
 重点检查项：
 
 - Docker/Compose 可用；
-- runtime 镜像存在；
+- runtime、Prometheus、Grafana 镜像存在；
 - `HOST_DATA_DIR` 可写；
 - Compose 配置合法；
 - 最新 run 状态；
diff --git a/deploy/arm64-installer/install.sh b/deploy/arm64-installer/install.sh
index 82cd4e6..467632e 100755
--- a/deploy/arm64-installer/install.sh
+++ b/deploy/arm64-installer/install.sh
@@ -39,6 +39,7 @@ create_data_dirs
 load_installer_images
 ensure_binfmt_if_needed
 verify_runtime_image
+verify_monitor_images
 compose_cmd --profile core --profile sidecar --profile monitor config >/tmp/ours-rp-arm64-compose-config.yml
 "$SCRIPT_DIR/self-check.sh" --quick
 log "install complete"
diff --git a/deploy/arm64-installer/scripts/common.sh b/deploy/arm64-installer/scripts/common.sh
index ef37af5..573cefc 100755
--- a/deploy/arm64-installer/scripts/common.sh
+++ b/deploy/arm64-installer/scripts/common.sh
@@ -37,6 +37,9 @@ load_env() {
   COMPOSE_PROJECT_NAME="${COMPOSE_PROJECT_NAME:-ours-rp-arm64}"
   RPKI_IMAGE="${RPKI_IMAGE:-ours-rp-runtime-arm64:dev}"
   RPKI_PLATFORM="${RPKI_PLATFORM:-linux/arm64}"
+  MONITOR_PLATFORM="${MONITOR_PLATFORM:-linux/arm64}"
+  PROMETHEUS_IMAGE="${PROMETHEUS_IMAGE:-prom/prometheus:v2.55.1}"
+  GRAFANA_IMAGE="${GRAFANA_IMAGE:-grafana/grafana:11.3.1}"
   FIRST_RUN_WAIT_TIMEOUT_SECS="${FIRST_RUN_WAIT_TIMEOUT_SECS:-7200}"
 }
 
@@ -239,6 +242,23 @@ verify_runtime_image() {
   head -5 /tmp/ours-rp-arm64-rpki-help.txt || true
 }
 
+verify_image_platform() {
+  local image="$1"
+  local expected_platform="$2"
+  local role="$3"
+  local actual_platform
+  docker image inspect "$image" >/dev/null
+  actual_platform="$(docker image inspect --format '{{.Os}}/{{.Architecture}}' "$image" 2>/dev/null || echo unknown)"
+  [[ "$actual_platform" == "$expected_platform" ]] || die "$role image platform mismatch: image=$image expected=$expected_platform actual=$actual_platform"
+}
+
+verify_monitor_images() {
+  load_env
+  require_cmd docker
+  verify_image_platform "$PROMETHEUS_IMAGE" "$MONITOR_PLATFORM" "prometheus"
+  verify_image_platform "$GRAFANA_IMAGE" "$MONITOR_PLATFORM" "grafana"
+}
+
 endpoint_ok() {
   local url="$1"
   curl -fsS --max-time 5 "$url" >/dev/null 2>&1
diff --git a/deploy/arm64-installer/self-check.sh b/deploy/arm64-installer/self-check.sh
index 6f4eab4..ada864f 100755
--- a/deploy/arm64-installer/self-check.sh
+++ b/deploy/arm64-installer/self-check.sh
@@ -30,7 +30,8 @@ docker compose version >/dev/null
 create_data_dirs
 [[ -w "$HOST_DATA_DIR" ]] || die "data dir is not writable: $HOST_DATA_DIR"
 compose_cmd --profile core --profile sidecar --profile monitor config >/dev/null
-docker image inspect "$RPKI_IMAGE" >/dev/null
+verify_image_platform "$RPKI_IMAGE" "$RPKI_PLATFORM" "runtime"
+verify_monitor_images
 if [[ "$QUICK" == "0" ]]; then
   verify_runtime_image
 fi
diff --git a/deploy/arm64-installer/upgrade.sh b/deploy/arm64-installer/upgrade.sh
index 419e43d..1e4220a 100755
--- a/deploy/arm64-installer/upgrade.sh
+++ b/deploy/arm64-installer/upgrade.sh
@@ -9,6 +9,6 @@ install_docker_if_missing
 load_installer_images
 ensure_binfmt_if_needed
 verify_runtime_image
-compose_cmd --profile core --profile sidecar --profile monitor pull --ignore-pull-failures || true
+verify_monitor_images
 compose_cmd --profile core --profile sidecar --profile monitor up -d --force-recreate
 "$SCRIPT_DIR/status.sh" --brief || true
diff --git a/scripts/docker/build_arm64_installer_package.sh b/scripts/docker/build_arm64_installer_package.sh
index 90db5a8..c501b37 100755
--- a/scripts/docker/build_arm64_installer_package.sh
+++ b/scripts/docker/build_arm64_installer_package.sh
@@ -6,9 +6,14 @@ REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 
 IMAGE_TAG="${IMAGE_TAG:-ours-rp-runtime-arm64:dev}"
 IMAGE_TAR="${IMAGE_TAR:-}"
+PROMETHEUS_IMAGE="${PROMETHEUS_IMAGE:-prom/prometheus:v2.55.1}"
+PROMETHEUS_IMAGE_TAR="${PROMETHEUS_IMAGE_TAR:-}"
+GRAFANA_IMAGE="${GRAFANA_IMAGE:-grafana/grafana:11.3.1}"
+GRAFANA_IMAGE_TAR="${GRAFANA_IMAGE_TAR:-}"
 OUT_DIR="${OUT_DIR:-$REPO_ROOT/target/arm64-installer}"
 PACKAGE_PREFIX="${PACKAGE_PREFIX:-ours-rp-arm64-installer}"
 TEMPLATE_DIR="${TEMPLATE_DIR:-$REPO_ROOT/deploy/arm64-installer}"
+MONITOR_PLATFORM="${MONITOR_PLATFORM:-linux/arm64}"
 
 usage() {
   cat <<'USAGE'
@@ -18,6 +23,14 @@ Usage:
 Options:
   --image <tag>       Runtime image tag recorded in package manifest.
   --image-tar <path>  Existing docker save tar/tar.gz to include.
+  --prometheus-image <tag>
+                      Prometheus image tag to record and package.
+  --prometheus-image-tar <path>
+                      Existing Prometheus docker save tar/tar.gz to include.
+  --grafana-image <tag>
+                      Grafana image tag to record and package.
+  --grafana-image-tar <path>
+                      Existing Grafana docker save tar/tar.gz to include.
   --out-dir <path>    Output directory.
   --prefix <name>     Package directory/tar prefix.
   -h, --help          Show help.
@@ -37,6 +50,22 @@ while [[ $# -gt 0 ]]; do
       IMAGE_TAR="$2"
       shift 2
       ;;
+    --prometheus-image)
+      PROMETHEUS_IMAGE="$2"
+      shift 2
+      ;;
+    --prometheus-image-tar)
+      PROMETHEUS_IMAGE_TAR="$2"
+      shift 2
+      ;;
+    --grafana-image)
+      GRAFANA_IMAGE="$2"
+      shift 2
+      ;;
+    --grafana-image-tar)
+      GRAFANA_IMAGE_TAR="$2"
+      shift 2
+      ;;
     --out-dir)
       OUT_DIR="$2"
       shift 2
@@ -76,6 +105,51 @@ EOF
   exit 2
 }
 
+safe_tag_name() {
+  printf '%s' "$1" | tr '/:' '--'
+}
+
+save_image_if_needed() {
+  local image="$1"
+  local existing_tar="$2"
+  local out_dir="$3"
+  local role="$4"
+  if [[ -n "$existing_tar" ]]; then
+    [[ -f "$existing_tar" ]] || {
+      echo "missing $role image tar: $existing_tar" >&2
+      exit 2
+    }
+    printf '%s\n' "$existing_tar"
+    return 0
+  fi
+  if ! docker image inspect "$image" >/dev/null 2>&1; then
+    cat >&2 <<EOF
+missing local $role image: $image
+
+Prepare it before building the installer package, for example:
+  docker pull --platform $MONITOR_PLATFORM $image
+EOF
+    exit 2
+  fi
+  local actual_platform
+  actual_platform="$(docker image inspect --format '{{.Os}}/{{.Architecture}}' "$image" 2>/dev/null || echo unknown)"
+  if [[ "$actual_platform" != "$MONITOR_PLATFORM" ]]; then
+    cat >&2 <<EOF
+wrong platform for $role image: $image
+  expected: $MONITOR_PLATFORM
+  actual:   $actual_platform
+
+Pull the ARM64 variant explicitly:
+  docker pull --platform $MONITOR_PLATFORM $image
+EOF
+    exit 2
+  fi
+  local tar_path="$out_dir/$(safe_tag_name "$image").tar.gz"
+  echo "saving $role image to $tar_path" >&2
+  docker save "$image" | gzip -c > "$tar_path"
+  printf '%s\n' "$tar_path"
+}
+
 mkdir -p "$OUT_DIR"
 commit="$(git -C "$REPO_ROOT" rev-parse --short HEAD 2>/dev/null || echo unknown)"
 timestamp="$(date -u +%Y%m%dT%H%M%SZ)"
@@ -88,11 +162,22 @@ mkdir -p "$stage/images"
 rsync -a --delete "$TEMPLATE_DIR"/ "$stage"/
 cp "$IMAGE_TAR" "$stage/images/"
 
+monitor_image_stage="$OUT_DIR/.monitor-images-$timestamp"
+rm -rf "$monitor_image_stage"
+mkdir -p "$monitor_image_stage"
+prometheus_tar="$(save_image_if_needed "$PROMETHEUS_IMAGE" "$PROMETHEUS_IMAGE_TAR" "$monitor_image_stage" "prometheus")"
+grafana_tar="$(save_image_if_needed "$GRAFANA_IMAGE" "$GRAFANA_IMAGE_TAR" "$monitor_image_stage" "grafana")"
+cp "$prometheus_tar" "$stage/images/"
+cp "$grafana_tar" "$stage/images/"
+
 if [[ -f "$stage/.env.example" ]]; then
   tmp_env="$stage/.env.example.tmp"
-  awk -v image="$IMAGE_TAG" '
+  awk -v image="$IMAGE_TAG" -v prometheus="$PROMETHEUS_IMAGE" -v grafana="$GRAFANA_IMAGE" -v monitor_platform="$MONITOR_PLATFORM" '
     BEGIN { done=0 }
     /^RPKI_IMAGE=/ { print "RPKI_IMAGE=" image; done=1; next }
+    /^PROMETHEUS_IMAGE=/ { print "PROMETHEUS_IMAGE=" prometheus; next }
+    /^GRAFANA_IMAGE=/ { print "GRAFANA_IMAGE=" grafana; next }
+    /^MONITOR_PLATFORM=/ { print "MONITOR_PLATFORM=" monitor_platform; next }
     { print }
     END { if (!done) print "RPKI_IMAGE=" image }
   ' "$stage/.env.example" > "$tmp_env"
@@ -107,11 +192,19 @@ git_status_count=$(git -C "$REPO_ROOT" status --short 2>/dev/null | wc -l | tr -
 image_tag=$IMAGE_TAG
 image_tar=$(basename "$IMAGE_TAR")
 image_tar_size_bytes=$(wc -c < "$IMAGE_TAR")
+prometheus_image=$PROMETHEUS_IMAGE
+prometheus_image_tar=$(basename "$prometheus_tar")
+prometheus_image_tar_size_bytes=$(wc -c < "$prometheus_tar")
+grafana_image=$GRAFANA_IMAGE
+grafana_image_tar=$(basename "$grafana_tar")
+grafana_image_tar_size_bytes=$(wc -c < "$grafana_tar")
 target_platform=linux/arm64
+monitor_platform=$MONITOR_PLATFORM
 EOF
 
 chmod +x "$stage"/*.sh "$stage/scripts"/*.sh
 tar -C "$OUT_DIR" -czf "$tar_path" "$package_name"
+rm -rf "$monitor_image_stage"
 
 {
   echo "package=$tar_path"