20260627 ARM64安装包内置监控镜像

deploy/arm64-installer/.env.example

@@ -63,6 +63,8 @@ METRICS_PORT=9556
 METRICS_POLL_SECS=10
 
 # Prometheus / Grafana.
+# Monitor images are packaged as ARM64 docker-save archives and loaded by install.sh.
+MONITOR_PLATFORM=linux/arm64
 PROMETHEUS_IMAGE=prom/prometheus:v2.55.1
 GRAFANA_IMAGE=grafana/grafana:11.3.1
 PROMETHEUS_PORT=9090

deploy/arm64-installer/compose/docker-compose.yml

@@ -49,6 +49,7 @@ services:
 
   prometheus:
     image: ${PROMETHEUS_IMAGE:-prom/prometheus:v2.55.1}
+    platform: ${MONITOR_PLATFORM:-linux/arm64}
     container_name: ${COMPOSE_PROJECT_NAME:-ours-rp-arm64}-prometheus
     command:
       - --config.file=/etc/prometheus/prometheus.yml
@@ -69,6 +70,7 @@ services:
 
   grafana:
     image: ${GRAFANA_IMAGE:-grafana/grafana:11.3.1}
+    platform: ${MONITOR_PLATFORM:-linux/arm64}
     container_name: ${COMPOSE_PROJECT_NAME:-ours-rp-arm64}-grafana
     depends_on:
       - prometheus

deploy/arm64-installer/docs/README.en.md

@@ -4,7 +4,7 @@
 
 This package deploys ours RP on a `linux/arm64` server with Docker Compose and continuously runs all five RIR validation.
 
-The package includes the ARM64 runtime image. Runtime state, run artifacts, logs, Prometheus data and Grafana data are persisted through host bind mounts.
+The package includes the ours RP ARM64 runtime image, Prometheus ARM64 image and Grafana ARM64 image, so deployment does not pull application images on the target host. Runtime state, run artifacts, logs, Prometheus data and Grafana data are persisted through host bind mounts.
 
 ## Quick Start
 
@@ -28,6 +28,7 @@ Defaults:
 - `LIVE_TA_REFRESH_BEFORE_SNAPSHOT=1`
 - `HOST_DATA_DIR=/var/lib/ours-rp-arm64`
 - `SOAK_RESTART_POLICY=unless-stopped`
+- `MONITOR_PLATFORM=linux/arm64`
 
 ## First Start Semantics
 

deploy/arm64-installer/docs/README.zh-CN.md

@@ -4,7 +4,7 @@
 
 本安装包用于在 `linux/arm64` 服务器上通过 Docker Compose 部署 ours RP，并持续运行 all5 RIR 同步验证任务。
 
-安装包内置 ours RP ARM64 runtime 镜像，运行产物、状态数据库、日志、Prometheus 和 Grafana 数据均通过宿主机目录挂载保存。
+安装包内置 ours RP ARM64 runtime、Prometheus ARM64、Grafana ARM64 镜像，部署时不需要现场拉取应用镜像。运行产物、状态数据库、日志、Prometheus 和 Grafana 数据均通过宿主机目录挂载保存。
 
 ## 快速开始
 
@@ -28,6 +28,7 @@ vim .env
 - `LIVE_TA_REFRESH_BEFORE_SNAPSHOT=1`
 - `HOST_DATA_DIR=/var/lib/ours-rp-arm64`
 - `SOAK_RESTART_POLICY=unless-stopped`
+- `MONITOR_PLATFORM=linux/arm64`
 
 ## 首次启动语义
 

deploy/arm64-installer/docs/operations.en.md

@@ -10,7 +10,7 @@ The installer is idempotent:
 
 - existing `.env` is kept;
 - existing Docker/Compose installation is reused;
-- repeated image loading is safe;
+- repeated loading of packaged ours RP, Prometheus and Grafana ARM64 images is safe;
 - existing data directory is reused.
 
 ## Start
@@ -42,7 +42,7 @@ Start without waiting for the first snapshot:
 Important checks:
 
 - Docker/Compose availability;
-- runtime image exists;
+- runtime, Prometheus and Grafana images exist;
 - `HOST_DATA_DIR` is writable;
 - Compose config is valid;
 - latest run status;

deploy/arm64-installer/docs/operations.zh-CN.md

@@ -10,7 +10,7 @@
 
 - 已有 `.env` 不覆盖；
 - 已安装 Docker/Compose 则跳过；
-- 镜像重复加载是安全的；
+- 包内 ours RP、Prometheus、Grafana ARM64 镜像重复加载是安全的；
 - 数据目录已存在则复用。
 
 ## 启动
@@ -42,7 +42,7 @@
 重点检查项：
 
 - Docker/Compose 可用；
-- runtime 镜像存在；
+- runtime、Prometheus、Grafana 镜像存在；
 - `HOST_DATA_DIR` 可写；
 - Compose 配置合法；
 - 最新 run 状态；

deploy/arm64-installer/install.sh

@@ -39,6 +39,7 @@ create_data_dirs
 load_installer_images
 ensure_binfmt_if_needed
 verify_runtime_image
+verify_monitor_images
 compose_cmd --profile core --profile sidecar --profile monitor config >/tmp/ours-rp-arm64-compose-config.yml
 "$SCRIPT_DIR/self-check.sh" --quick
 log "install complete"

deploy/arm64-installer/scripts/common.sh

@@ -37,6 +37,9 @@ load_env() {
   COMPOSE_PROJECT_NAME="${COMPOSE_PROJECT_NAME:-ours-rp-arm64}"
   RPKI_IMAGE="${RPKI_IMAGE:-ours-rp-runtime-arm64:dev}"
   RPKI_PLATFORM="${RPKI_PLATFORM:-linux/arm64}"
+  MONITOR_PLATFORM="${MONITOR_PLATFORM:-linux/arm64}"
+  PROMETHEUS_IMAGE="${PROMETHEUS_IMAGE:-prom/prometheus:v2.55.1}"
+  GRAFANA_IMAGE="${GRAFANA_IMAGE:-grafana/grafana:11.3.1}"
   FIRST_RUN_WAIT_TIMEOUT_SECS="${FIRST_RUN_WAIT_TIMEOUT_SECS:-7200}"
 }
 
@@ -239,6 +242,23 @@ verify_runtime_image() {
   head -5 /tmp/ours-rp-arm64-rpki-help.txt || true
 }
 
+verify_image_platform() {
+  local image="$1"
+  local expected_platform="$2"
+  local role="$3"
+  local actual_platform
+  docker image inspect "$image" >/dev/null
+  actual_platform="$(docker image inspect --format '{{.Os}}/{{.Architecture}}' "$image" 2>/dev/null || echo unknown)"
+  [[ "$actual_platform" == "$expected_platform" ]] || die "$role image platform mismatch: image=$image expected=$expected_platform actual=$actual_platform"
+}
+
+verify_monitor_images() {
+  load_env
+  require_cmd docker
+  verify_image_platform "$PROMETHEUS_IMAGE" "$MONITOR_PLATFORM" "prometheus"
+  verify_image_platform "$GRAFANA_IMAGE" "$MONITOR_PLATFORM" "grafana"
+}
+
 endpoint_ok() {
   local url="$1"
   curl -fsS --max-time 5 "$url" >/dev/null 2>&1

deploy/arm64-installer/self-check.sh

@@ -30,7 +30,8 @@ docker compose version >/dev/null
 create_data_dirs
 [[ -w "$HOST_DATA_DIR" ]] || die "data dir is not writable: $HOST_DATA_DIR"
 compose_cmd --profile core --profile sidecar --profile monitor config >/dev/null
-docker image inspect "$RPKI_IMAGE" >/dev/null
+verify_image_platform "$RPKI_IMAGE" "$RPKI_PLATFORM" "runtime"
+verify_monitor_images
 if [[ "$QUICK" == "0" ]]; then
   verify_runtime_image
 fi

deploy/arm64-installer/upgrade.sh

@@ -9,6 +9,6 @@ install_docker_if_missing
 load_installer_images
 ensure_binfmt_if_needed
 verify_runtime_image
-compose_cmd --profile core --profile sidecar --profile monitor pull --ignore-pull-failures || true
+verify_monitor_images
 compose_cmd --profile core --profile sidecar --profile monitor up -d --force-recreate
 "$SCRIPT_DIR/status.sh" --brief || true

scripts/docker/build_arm64_installer_package.sh

@@ -6,9 +6,14 @@ REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 
 IMAGE_TAG="${IMAGE_TAG:-ours-rp-runtime-arm64:dev}"
 IMAGE_TAR="${IMAGE_TAR:-}"
+PROMETHEUS_IMAGE="${PROMETHEUS_IMAGE:-prom/prometheus:v2.55.1}"
+PROMETHEUS_IMAGE_TAR="${PROMETHEUS_IMAGE_TAR:-}"
+GRAFANA_IMAGE="${GRAFANA_IMAGE:-grafana/grafana:11.3.1}"
+GRAFANA_IMAGE_TAR="${GRAFANA_IMAGE_TAR:-}"
 OUT_DIR="${OUT_DIR:-$REPO_ROOT/target/arm64-installer}"
 PACKAGE_PREFIX="${PACKAGE_PREFIX:-ours-rp-arm64-installer}"
 TEMPLATE_DIR="${TEMPLATE_DIR:-$REPO_ROOT/deploy/arm64-installer}"
+MONITOR_PLATFORM="${MONITOR_PLATFORM:-linux/arm64}"
 
 usage() {
   cat <<'USAGE'
@@ -18,6 +23,14 @@ Usage:
 Options:
   --image <tag>       Runtime image tag recorded in package manifest.
   --image-tar <path>  Existing docker save tar/tar.gz to include.
+  --prometheus-image <tag>
+                      Prometheus image tag to record and package.
+  --prometheus-image-tar <path>
+                      Existing Prometheus docker save tar/tar.gz to include.
+  --grafana-image <tag>
+                      Grafana image tag to record and package.
+  --grafana-image-tar <path>
+                      Existing Grafana docker save tar/tar.gz to include.
   --out-dir <path>    Output directory.
   --prefix <name>     Package directory/tar prefix.
   -h, --help          Show help.
@@ -37,6 +50,22 @@ while [[ $# -gt 0 ]]; do
       IMAGE_TAR="$2"
       shift 2
       ;;
+    --prometheus-image)
+      PROMETHEUS_IMAGE="$2"
+      shift 2
+      ;;
+    --prometheus-image-tar)
+      PROMETHEUS_IMAGE_TAR="$2"
+      shift 2
+      ;;
+    --grafana-image)
+      GRAFANA_IMAGE="$2"
+      shift 2
+      ;;
+    --grafana-image-tar)
+      GRAFANA_IMAGE_TAR="$2"
+      shift 2
+      ;;
     --out-dir)
       OUT_DIR="$2"
       shift 2
@@ -76,6 +105,51 @@ EOF
   exit 2
 }
 
+safe_tag_name() {
+  printf '%s' "$1" | tr '/:' '--'
+}
+
+save_image_if_needed() {
+  local image="$1"
+  local existing_tar="$2"
+  local out_dir="$3"
+  local role="$4"
+  if [[ -n "$existing_tar" ]]; then
+    [[ -f "$existing_tar" ]] || {
+      echo "missing $role image tar: $existing_tar" >&2
+      exit 2
+    }
+    printf '%s\n' "$existing_tar"
+    return 0
+  fi
+  if ! docker image inspect "$image" >/dev/null 2>&1; then
+    cat >&2 <<EOF
+missing local $role image: $image
+
+Prepare it before building the installer package, for example:
+  docker pull --platform $MONITOR_PLATFORM $image
+EOF
+    exit 2
+  fi
+  local actual_platform
+  actual_platform="$(docker image inspect --format '{{.Os}}/{{.Architecture}}' "$image" 2>/dev/null || echo unknown)"
+  if [[ "$actual_platform" != "$MONITOR_PLATFORM" ]]; then
+    cat >&2 <<EOF
+wrong platform for $role image: $image
+  expected: $MONITOR_PLATFORM
+  actual:   $actual_platform
+
+Pull the ARM64 variant explicitly:
+  docker pull --platform $MONITOR_PLATFORM $image
+EOF
+    exit 2
+  fi
+  local tar_path="$out_dir/$(safe_tag_name "$image").tar.gz"
+  echo "saving $role image to $tar_path" >&2
+  docker save "$image" | gzip -c > "$tar_path"
+  printf '%s\n' "$tar_path"
+}
+
 mkdir -p "$OUT_DIR"
 commit="$(git -C "$REPO_ROOT" rev-parse --short HEAD 2>/dev/null || echo unknown)"
 timestamp="$(date -u +%Y%m%dT%H%M%SZ)"
@@ -88,11 +162,22 @@ mkdir -p "$stage/images"
 rsync -a --delete "$TEMPLATE_DIR"/ "$stage"/
 cp "$IMAGE_TAR" "$stage/images/"
 
+monitor_image_stage="$OUT_DIR/.monitor-images-$timestamp"
+rm -rf "$monitor_image_stage"
+mkdir -p "$monitor_image_stage"
+prometheus_tar="$(save_image_if_needed "$PROMETHEUS_IMAGE" "$PROMETHEUS_IMAGE_TAR" "$monitor_image_stage" "prometheus")"
+grafana_tar="$(save_image_if_needed "$GRAFANA_IMAGE" "$GRAFANA_IMAGE_TAR" "$monitor_image_stage" "grafana")"
+cp "$prometheus_tar" "$stage/images/"
+cp "$grafana_tar" "$stage/images/"
+
 if [[ -f "$stage/.env.example" ]]; then
   tmp_env="$stage/.env.example.tmp"
-  awk -v image="$IMAGE_TAG" '
+  awk -v image="$IMAGE_TAG" -v prometheus="$PROMETHEUS_IMAGE" -v grafana="$GRAFANA_IMAGE" -v monitor_platform="$MONITOR_PLATFORM" '
     BEGIN { done=0 }
     /^RPKI_IMAGE=/ { print "RPKI_IMAGE=" image; done=1; next }
+    /^PROMETHEUS_IMAGE=/ { print "PROMETHEUS_IMAGE=" prometheus; next }
+    /^GRAFANA_IMAGE=/ { print "GRAFANA_IMAGE=" grafana; next }
+    /^MONITOR_PLATFORM=/ { print "MONITOR_PLATFORM=" monitor_platform; next }
     { print }
     END { if (!done) print "RPKI_IMAGE=" image }
   ' "$stage/.env.example" > "$tmp_env"
@@ -107,11 +192,19 @@ git_status_count=$(git -C "$REPO_ROOT" status --short 2>/dev/null | wc -l | tr -
 image_tag=$IMAGE_TAG
 image_tar=$(basename "$IMAGE_TAR")
 image_tar_size_bytes=$(wc -c < "$IMAGE_TAR")
+prometheus_image=$PROMETHEUS_IMAGE
+prometheus_image_tar=$(basename "$prometheus_tar")
+prometheus_image_tar_size_bytes=$(wc -c < "$prometheus_tar")
+grafana_image=$GRAFANA_IMAGE
+grafana_image_tar=$(basename "$grafana_tar")
+grafana_image_tar_size_bytes=$(wc -c < "$grafana_tar")
 target_platform=linux/arm64
+monitor_platform=$MONITOR_PLATFORM
 EOF
 
 chmod +x "$stage"/*.sh "$stage/scripts"/*.sh
 tar -C "$OUT_DIR" -czf "$tar_path" "$package_name"
+rm -rf "$monitor_image_stage"
 
 {
   echo "package=$tar_path"