Automate Topology Manager on Power

Signed-off-by: Aniruddha Nayek <[email protected]>

Author: AniruddhaNayek

README.md

@@ -53,6 +53,7 @@ This repository consists of additional ansible playbooks for the following:
 1. Verify IPI day2 operations
 1. Deploy Openshift Data Foundation operator
 1. Enabling Kdump
+1. Enable Topology Manager on Power
 
 ## Assumptions:
 

examples/all.yaml

@@ -559,3 +559,14 @@ test_pod_image: "quay.io/powercloud/nginx-unprivileged:latest"
 ## ocp-service-controller-function vars
 ocp-service: false
 
+# topology vars
+topology_enabled: false
+single_node_cpuv1: ""
+single_node_cpuv2: ""
+besteffort_cpuv1: ""
+besteffort_cpuv2: ""
+restricted_cpuv1: ""
+restricted_cpuv2: ""
+none_cpuv1: ""
+none_cpuv2: ""
+

examples/topology_vars.yaml

@@ -0,0 +1,13 @@
+---
+# topology vars
+# Set the values below in accordance to the number of NUMA nodes and their partition in worker-1
+
+topology_enabled: false
+single_node_cpuv1: ""
+single_node_cpuv2: ""
+besteffort_cpuv1: ""
+besteffort_cpuv2: ""
+restricted_cpuv1: ""
+restricted_cpuv2: ""
+none_cpuv1: ""
+none_cpuv2: ""

playbooks/main.yml

@@ -75,6 +75,9 @@
 - import_playbook: ocp-disa-stig-compliance.yml
   when: stig_compliance_enabled is defined and stig_compliance_enabled
 
+- import_playbook: topology-manager.yml
+  when: topology_enabled is defined and topology_enabled
+
 - import_playbook: hypershift.yml
   when: >
         (hypershift_install is defined and hypershift_install) or 

playbooks/roles/topology-manager/README.md

@@ -0,0 +1,72 @@
+Validate Topology Manger
+========================
+
+This playbook validates the Topology Manager for which it covers the following use cases:
+
+* Validate Pod Alignment with CPU requests and Topology Manager policy set to Single numa node
+* Validate Pod Alignment with CPU requests and Topology Manager policy set to Best Effort
+* Validate Pod Alignment with CPU requests and Topology Manager policy set to Restricted
+* Validate Pod Alignment with CPU requests and Topology Manager policy set to None
+
+Note: Other few use cases need to be validated manually
+
+- Validate pod alignment with CPU requests for Topology Manager 'single-numa-node' policy - We expect pod scheduling within NUMA locality.
+- Validate pod alignment with CPU requests for Topology Manager 'best-effort' policy - We do not expect any pod scheduling to be rejected as deployments are not restricted to NUMA locality.  
+- Validate pod alignment with CPU requests for Topology Manager 'restricted' policy - The policy will allow the deployments to use resources beyond NUMA locality. 
+- Validate pod alignment with CPU requests for Topology Manager 'none' policy - This would not restrict any deployments from being scheduled .
+
+So, in accordance to these criteria it is expected that all the deploymets get scheduled.
+
+Pre-requisite & Requirements
+----------------------------
+
+- The cluster is in a known good state, without any errors.
+- Analyze the NUMA nodes partition & CPU memory in worker-1 for the above use cases.
+
+Role Variables
+--------------
+
+| Variable          | Required | Comments                                        |
+| ----------------  | -------- | ----------------------------------------------- |
+| topology_enabled  | no       | Set it to true to run this playbook.            |
+| single_node_cpuv1 | yes      | Request desired no. of CPUs for the first pod.  |
+| single_node_cpuv2 | yes      | Request desired no. of CPUs for the second pod. |
+| besteffort_cpuv1  | yes      | Request desired no. of CPUs for the first pod.  |
+| besteffort_cpuv2  | yes      | Request desired no. of CPUs for the second pod. |
+| restricted_cpuv1  | yes      | Request desired no. of CPUs for the first pod.  |
+| restricted_cpuv2  | yes      | Request desired no. of CPUs for the second pod. |
+| none_cpuv1        | yes      | Request desired no. of CPUs for the first pod.  |
+| none_cpuv2        | yes      | Request desired no. of CPUs for the second pod. |
+
+Example Playbook
+----------------
+
+```
+- name: Validate topology manager on Power
+  hosts: bastion
+  roles:
+  - topology-manager
+```
+
+Steps to run playbook
+---------------------
+
+- Copy `ocp4-playbooks-extras/examples/inventory` file to the home or working directory and modify it to add a remote host
+- Copy the `ocp4-playbooks-extras/examples/topology_vars.yaml` to the home or working directory and set the role variables for `roles/topology-manager` with the custom inputs.
+- To execute the playbook run the below sample command
+
+Sample Command
+--------------
+
+ansible-playbook -i inventory -e @topology_vars.yaml ~/ocp4-playbooks-extras/playbooks/topology-manager.yml
+
+License
+-------
+
+See LICENCE.txt
+
+Author Information
+------------------
+
+[email protected]
+

playbooks/roles/topology-manager/defaults/main.yaml

@@ -0,0 +1,4 @@
+---
+# defaults file 
+
+pause_image: "registry.access.redhat.com/ubi8/pause"

playbooks/roles/topology-manager/tasks/besteffort_policy.yml

@@ -0,0 +1,118 @@
+---
+- name: Create kubelet-config with topologyManagerPolicy 'best-effort'
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: machineconfiguration.openshift.io/v1
+      kind: KubeletConfig
+      metadata:
+        name: cpumanager-enabled
+      spec:
+        machineConfigPoolSelector:
+          matchLabels:
+            custom-kubelet: cpumanager-enabled
+        kubeletConfig:
+          cpuManagerPolicy: static
+          cpuManagerReconcilePeriod: 5s
+          topologyManagerPolicy: best-effort
+
+- name: Wait for 2 minutes before checking MCP status
+  pause:
+    minutes: 2
+
+- name: Check mcp status
+  shell: oc get mcp worker | awk 'NR==2 {print $3}'
+  register: mcpstatus
+  until: mcpstatus.stdout == 'True'
+  retries: 20
+  delay: 60
+
+- name: Check the worker node for the updated kubelet.conf
+  shell: oc debug node/worker-1 -q -- chroot /host cat /etc/kubernetes/kubelet.conf | grep -E 'reservedSystemCPUs|cpuManager|topologyManager'
+  register: pa_result
+    
+- name: Verify the updated config
+  debug:
+    var: pa_result.stdout_lines
+
+- name: Create pod with {{ besteffort_cpuv1 }} cpu request
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: "podcpu{{ besteffort_cpuv1 }}"
+        namespace: default
+      spec:
+        nodeSelector:
+          cpumanager: "true"
+        containers:
+        - name: appcntr1
+          image: "{{ pause_image }}"
+          imagePullPolicy: IfNotPresent
+          command: [ "/bin/bash", "-c", "--" ]
+          args: [ "while true; do sleep 300000; done;" ]
+          resources:
+            requests:
+              cpu: "{{ besteffort_cpuv1 }}"
+              memory: 100Mi
+            limits:
+              cpu: "{{ besteffort_cpuv1 }}"
+              memory: 100Mi
+
+- name: Verify the pod gets scheduled
+  shell: oc get pod podcpu{{ besteffort_cpuv1 }} | awk 'NR==2 {print $3}' 
+  register: result
+  until: result.stdout == "Running"
+  retries: 5
+  delay: 10
+
+- name: Create pod with {{ besteffort_cpuv2 }} cpu request
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: "podcpu{{ besteffort_cpuv2 }}"
+        namespace: default
+      spec:
+        nodeSelector:
+          cpumanager: "true"
+        containers:
+        - name: appcntr1
+          image: "{{ pause_image }}"
+          imagePullPolicy: IfNotPresent
+          command: [ "/bin/bash", "-c", "--" ]
+          args: [ "while true; do sleep 300000; done;" ]
+          resources:
+            requests:
+              cpu: "{{ besteffort_cpuv2 }}"
+              memory: 310Mi
+            limits:
+              cpu: "{{ besteffort_cpuv2 }}"
+              memory: 310Mi
+
+- name: Verify the pod gets scheduled
+  shell: oc get pod podcpu{{ besteffort_cpuv2 }} | awk 'NR==2 {print $3}' 
+  register: result
+  until: result.stdout == "Running"
+  retries: 5
+  delay: 10
+
+- name: Print a simple message
+  debug:
+    msg: "Best-effort policy validated successfully"
+
+- name: Cleanup
+  block:
+  - name: Delete the pods created
+    shell: oc delete pods --all
+  
+  - name: Verify pods deletion
+    shell: oc get pods | wc -l 
+    register: pods_count
+    until: pods_count.stdout | int == 0
+    retries: 10
+    delay: 10

playbooks/roles/topology-manager/tasks/main.yaml

@@ -0,0 +1,28 @@
+---
+# tasks file for playbooks/roles/topology-manager
+
+- name: Check if cluster operators and nodes are healthy
+  include_role:
+    name: check-cluster-health
+
+- name: Setting up CPU manager
+  block:
+  - name: Label node worker-1
+    shell: oc label node worker-1 cpumanager=true
+
+  - name: Enable CPU manager for all workers
+    shell: oc patch mcp worker --type=merge -p '{"metadata":{"labels":{"custom-kubelet":"cpumanager-enabled"}}}'
+    register: patch_result
+    changed_when: "'configured' in patch_result.stdout"
+
+- name: Validate Pod Alignment with CPU requests and Topology Manager policy set to Single Numa Node
+  include_tasks: single_numa_node_policy.yml
+
+- name: Validate Pod Alignment with CPU requests and Topology Manager policy set to Best Effort
+  include_tasks: besteffort_policy.yml
+
+- name: Validate Pod Alignment with CPU requests and Topology Manager policy set to Restricted
+  include_tasks: restricted_policy.yml
+
+- name: Validate Pod Alignment with CPU requests and Topology Manager policy set to None
+  include_tasks: none_policy.yml

playbooks/roles/topology-manager/tasks/none_policy.yml

@@ -0,0 +1,118 @@
+---
+- name: Create kubelet-config with topologyManagerPolicy 'none'
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: machineconfiguration.openshift.io/v1
+      kind: KubeletConfig
+      metadata:
+        name: cpumanager-enabled
+      spec:
+        machineConfigPoolSelector:
+          matchLabels:
+            custom-kubelet: cpumanager-enabled
+        kubeletConfig:
+          cpuManagerPolicy: static
+          cpuManagerReconcilePeriod: 5s
+          topologyManagerPolicy: none
+
+- name: Wait for 2 minutes before checking MCP status
+  pause:
+    minutes: 2
+
+- name: Check mcp status
+  shell: oc get mcp worker | awk 'NR==2 {print $3}'
+  register: mcpstatus
+  until: mcpstatus.stdout == 'True'
+  retries: 20
+  delay: 60
+
+- name: Check the worker node for the updated kubelet.conf
+  shell: oc debug node/worker-1 -q -- chroot /host cat /etc/kubernetes/kubelet.conf | grep -E 'reservedSystemCPUs|cpuManager|topologyManager'
+  register: pa_result
+
+- name: Verify the updated config
+  debug:
+    var: pa_result.stdout_lines
+
+- name: Create pod with {{ none_cpuv1 }} cpu request
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: "podcpu{{ none_cpuv1 }}"
+        namespace: default
+      spec:
+        nodeSelector:
+          kubernetes.io/hostname: worker-1
+        containers:
+        - name: appcntr1
+          image: "{{ pause_image }}"
+          imagePullPolicy: IfNotPresent
+          command: [ "/bin/bash", "-c", "--" ]
+          args: [ "while true; do sleep 300000; done;" ]
+          resources:
+            requests:
+              cpu: "{{ none_cpuv1 }}"
+              memory: 200Mi
+            limits:
+              cpu: "{{ none_cpuv1 }}"
+              memory: 200Mi
+
+- name: Verify the pod gets scheduled
+  shell: oc get pod podcpu{{ none_cpuv1 }} | awk 'NR==2 {print $3}'
+  register: result
+  until: result.stdout == "Running"
+  retries: 5
+  delay: 10
+
+- name: Create pod with {{ none_cpuv2 }} cpu request
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: "podcpu{{ none_cpuv2 }}"
+        namespace: default
+      spec:
+        nodeSelector:
+          kubernetes.io/hostname: worker-1
+        containers:
+        - name: appcntr1
+          image: "{{ pause_image }}"
+          imagePullPolicy: IfNotPresent
+          command: [ "/bin/bash", "-c", "--" ]
+          args: [ "while true; do sleep 300000; done;" ]
+          resources:
+            requests:
+              cpu: "{{ none_cpuv2 }}"
+              memory: 330Mi
+            limits:
+              cpu: "{{ none_cpuv2 }}"
+              memory: 330Mi
+
+- name: Verify the pod gets scheduled
+  shell: oc get pod podcpu{{ none_cpuv2 }} | awk 'NR==2 {print $3}'
+  register: result
+  until: result.stdout == "Running"
+  retries: 5
+  delay: 10
+
+- name: Print a simple message
+  debug:
+    msg: "None policy validated successfully"
+
+- name: Cleanup
+  block:
+  - name: Delete the pods created
+    shell: oc delete pods --all
+
+  - name: Verify pods deletion
+    shell: oc get pods | wc -l
+    register: pods_count
+    until: pods_count.stdout | int == 0
+    retries: 10
+    delay: 10