Merge pull request #60840 from kquinn1204/TELCODOCS-1310

mburke5678 · web-flow · commit 0839347511c9 · 2023-09-27T14:11:10.000-04:00
TELCODOCS-1310 Rootless DPDK
diff --git a/images/348_OpenShift_rootless_DPDK_0923.png b/images/348_OpenShift_rootless_DPDK_0923.png
diff --git a/modules/nw-multus-tap-object.adoc b/modules/nw-multus-tap-object.adoc
@@ -81,7 +81,80 @@ The following example configures an additional network named `mynet`:
 }
 ----
 
+[id="nw-multus-enable-container_use_devices_{context}"]
+
+== Setting SELinux boolean for the TAP CNI plugin
+
+To create the tap device with the `container_t` SELinux context, enable the `container_use_devices` boolean on the host by using the Machine Config Operator (MCO).
+
+.Prerequisites
+
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. Create a new YAML file named, such as `setsebool-container-use-devices.yaml`, with the following details:
++
+[source, yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: worker
+  name: 99-worker-setsebool
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    systemd:
+      units:
+      - enabled: true
+        name: setsebool.service
+        contents: |
+          [Unit]
+          Description=Set SELinux boolean for the TAP CNI plugin
+          Before=kubelet.service
+
+          [Service]
+          Type=oneshot
+          ExecStart=/usr/sbin/setsebool container_use_devices=on
+          RemainAfterExit=true
+
+          [Install]
+          WantedBy=multi-user.target graphical.target
+----
++
+
+. Create the new `MachineConfig` object by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f setsebool-container-use-devices.yaml
+----
++
 [NOTE]
 ====
-To create the tap device with the `container_t` SELinux context, enable the `container_use_devices` boolean on the host by using the Machine Config Operator (MCO).
-====
+Applying any changes to the `MachineConfig` object causes all affected nodes to gracefully reboot after the change is applied. This update can take some time to be applied.
+====
++
+. Verify the change is applied by running the following command:
++
+[source,terminal]
+----
+$ oc get machineconfigpools
+----
++
+.Expected output
++
+[source,terminal,options="nowrap",role="white-space-pre"]
+----
+NAME        CONFIG                                                UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
+master      rendered-master-e5e0c8e8be9194e7c5a882e047379cfa      True      False      False      3              3                   3                     0                      7d2h
+worker      rendered-worker-d6c9ca107fba6cd76cdcbfcedcafa0f2      True      False      False      3              3                   3                     0                      7d
+----
++
+[NOTE]
+====
+All nodes should be in the updated and ready state.
+====
diff --git a/modules/nw-running-dpdk-rootless-tap.adoc b/modules/nw-running-dpdk-rootless-tap.adoc
@@ -0,0 +1,235 @@
+// Module included in the following assemblies:
+//
+// * networking/hardware_networks/using-dpdk-and-rdma.adoc
+
+:_content-type: PROCEDURE
+[id="nw-running-dpdk-rootless-tap_{context}"]
+= Using the TAP CNI to run a rootless DPDK workload with kernel access
+
+DPDK applications can use `virtio-user` as an exception path to inject certain types of packets, such as log messages, into the kernel for processing. For more information about this feature, see link:https://doc.dpdk.org/guides/howto/virtio_user_as_exception_path.html[Virtio_user as Exception Path].
+
+In OpenShift Container Platform version 4.14 and later, you can use non-privileged pods to run DPDK applications alongside the tap CNI plugin. To enable this functionality, you need to mount the `vhost-net` device by setting the `needVhostNet` parameter to `true` within the `SriovNetworkNodePolicy` object.
+
+.DPDK and TAP example configuration
+image::348_OpenShift_rootless_DPDK_0923.png[DPDK and TAP plugin]
+
+.Prerequisites
+
+* You have installed the OpenShift CLI (`oc`).
+* You have installed the SR-IOV Network Operator.
+* You are logged in as a user with `cluster-admin` privileges.
+* Ensure that `setsebools container_use_devices=on` is set as root on all nodes.
++
+[NOTE]
+====
+Use the Machine Config Operator to set this SELinux boolean.
+====
+
+.Procedure
+
+. Create a file, such as `test-namespace.yaml`, with content like the following example:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-namespace
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+----
+
+. Create the new `Namespace` object by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f test-namespace.yaml
+----
+
+. Create a file, such as `sriov-node-network-policy.yaml`, with content like the following example::
++
+[source,yaml]
+----
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovNetworkNodePolicy
+metadata:
+ name: sriovnic
+ namespace: openshift-sriov-network-operator
+spec:
+ deviceType: netdevice <1>
+ isRdma: true <2>
+ needVhostNet: true <3>
+ nicSelector:
+   vendor: "15b3" <4>
+   deviceID: "101b" <5>
+   rootDevices: ["00:05.0"]
+ numVfs: 10
+ priority: 99
+ resourceName: sriovnic
+ nodeSelector:
+    feature.node.kubernetes.io/network-sriov.capable: "true"
+----
+<1> This indicates that the profile is tailored specifically for Mellanox Network Interface Controllers (NICs).
+<2> Setting `isRdma` to `true` is only required for a Mellanox NIC.
+<3> This mounts the `/dev/net/tun` and `/dev/vhost-net` devices into the container so the application can create a tap device and connect the tap device to the DPDK workload.
+<4> The vendor hexadecimal code of the SR-IOV network device. The value 15b3 is associated with a Mellanox NIC.
+<5> The device hexadecimal code of the SR-IOV network device.
+
+. Create the `SriovNetworkNodePolicy` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f sriov-node-network-policy.yaml
+----
+
+. Create the following `SriovNetwork` object, and then save the YAML in the `sriov-network-attachment.yaml` file:
++
+[source,yaml]
+----
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovNetwork
+metadata:
+ name: sriov-network
+ namespace: openshift-sriov-network-operator
+spec:
+ networkNamespace: test-namespace
+ resourceName: sriovnic
+ spoofChk: "off"
+ trust: "on"
+----
++
+[NOTE]
+=====
+See the "Configuring SR-IOV additional network" section for a detailed explanation on each option in `SriovNetwork`.
+=====
++
+An optional library, `app-netutil`, provides several API methods for gathering network information about a container's parent pod.
+
+. Create the `SriovNetwork` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f sriov-network-attachment.yaml
+----
+
+. Create a file, such as `tap-example.yaml`, that defines a network attachment definition, with content like the following example:
++
+[source,yaml]
+----
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: tap-one
+ namespace: test-namespace <1>
+spec:
+ config: '{
+   "cniVersion": "0.4.0",
+   "name": "tap",
+   "plugins": [
+     {
+        "type": "tap",
+        "multiQueue": true,
+        "selinuxcontext": "system_u:system_r:container_t:s0"
+     },
+     {
+       "type":"tuning",
+       "capabilities":{
+         "mac":true
+       }
+     }
+   ]
+ }'
+----
+<1> Specify the same `target_namespace` where the `SriovNetwork` object is created.
+
+. Create the `NetworkAttachmentDefinition` object by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f tap-example.yaml
+----
+
+. Create a file, such as `dpdk-pod-rootless.yaml`, with content like the following example:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dpdk-app
+  namespace: test-namespace <1>
+  annotations:
+    k8s.v1.cni.cncf.io/networks: '[
+      {"name": "sriov-network", "namespace": "test-namespace"},
+      {"name": "tap-one", "interface": "ext0", "namespace": "test-namespace"}]'
+spec:
+  nodeSelector:
+    kubernetes.io/hostname: "worker-0"
+  securityContext:
+      fsGroup: 1001 <2>
+      runAsGroup: 1001 <3>
+      seccompProfile:
+        type: RuntimeDefault
+  containers:
+  - name: testpmd
+    image: <DPDK_image> <4>
+    securityContext:
+      capabilities:
+        drop: ["ALL"] <5>
+        add: <6>
+          - IPC_LOCK
+          - NET_RAW #for mlx only <7>
+      runAsUser: 1001 <8>
+      privileged: false <9>
+      allowPrivilegeEscalation: true <10>
+      runAsNonRoot: true <11>
+    volumeMounts:
+    - mountPath: /mnt/huge <12>
+      name: hugepages
+    resources:
+      limits:
+        openshift.io/sriovnic: "1" <13>
+        memory: "1Gi"
+        cpu: "4" <14>
+        hugepages-1Gi: "4Gi" <15>
+      requests:
+        openshift.io/sriovnic: "1"
+        memory: "1Gi"
+        cpu: "4"
+        hugepages-1Gi: "4Gi"
+    command: ["sleep", "infinity"]
+  runtimeClassName: performance-cnf-performanceprofile <16>
+  volumes:
+  - name: hugepages
+    emptyDir:
+      medium: HugePages
+----
++
+--
+<1> Specify the same `target_namespace` in which the `SriovNetwork` object is created. If you want to create the pod in a different namespace, change `target_namespace` in both the `Pod` spec and the `SriovNetwork` object.
+<2> Sets the group ownership of volume-mounted directories and files created in those volumes.
+<3> Specify the primary group ID used for running the container.
+<4> Specify the DPDK image that contains your application and the DPDK library used by application.
+<5> Removing all capabilities (`ALL`) from the container's securityContext means that the container has no special privileges beyond what is necessary for normal operation.
+<6> Specify additional capabilities required by the application inside the container for hugepage allocation, system resource allocation, and network interface access. These capabilities must also be set in the binary file by using the `setcap` command.
+<7> Mellanox network interface controller (NIC) requires the `NET_RAW` capability.
+<8> Specify the user ID used for running the container.
+<9> This setting indicates that the container or containers within the pod should not be granted privileged access to the host system.
+<10>  This setting allows a container to escalate its privileges beyond the initial non-root privileges it might have been assigned.
+<11> This setting ensures that the container runs with a non-root user. This helps enforce the principle of least privilege, limiting the potential impact of compromising the container and reducing the attack surface.
+<12> Mount a hugepage volume to the DPDK pod under `/mnt/huge`. The hugepage volume is backed by the emptyDir volume type with the medium being `Hugepages`.
+<13> Optional: Specify the number of DPDK devices allocated for the DPDK pod. If not explicitly specified, this resource request and limit is automatically added by the SR-IOV network resource injector. The SR-IOV network resource injector is an admission controller component managed by SR-IOV Operator. It is enabled by default and can be disabled by setting the `enableInjector` option to `false` in the default `SriovOperatorConfig` CR.
+<14> Specify the number of CPUs. The DPDK pod usually requires exclusive CPUs to be allocated from the kubelet. This is achieved by setting CPU Manager policy to `static` and creating a pod with `Guaranteed` QoS.
+<15> Specify hugepage size `hugepages-1Gi` or `hugepages-2Mi` and the quantity of hugepages that will be allocated to the DPDK pod. Configure `2Mi` and `1Gi` hugepages separately. Configuring `1Gi` hugepage requires adding kernel arguments to Nodes. For example, adding kernel arguments `default_hugepagesz=1GB`, `hugepagesz=1G` and `hugepages=16` will result in `16*1Gi` hugepages be allocated during system boot.
+<16> If your performance profile is not named `cnf-performance profile`, replace that string with the correct performance profile name.
+--
++
+. Create the DPDK pod by running the following command:
++
+[source,terminal]
+----
+$ oc create -f dpdk-pod-rootless.yaml
+----
diff --git a/networking/hardware_networks/using-dpdk-and-rdma.adoc b/networking/hardware_networks/using-dpdk-and-rdma.adoc
@@ -8,12 +8,23 @@ toc::[]
 
 The containerized Data Plane Development Kit (DPDK) application is supported on {product-title}. You can use Single Root I/O Virtualization (SR-IOV) network hardware with the Data Plane Development Kit (DPDK) and with remote direct memory access (RDMA).
 
-For information on supported devices, refer to xref:../../networking/hardware_networks/about-sriov.adoc#supported-devices_about-sriov[Supported devices].
+For information about supported devices, see xref:../../networking/hardware_networks/about-sriov.adoc#supported-devices_about-sriov[Supported devices].
 
 include::modules/nw-sriov-dpdk-example-intel.adoc[leveloffset=+1]
 
 include::modules/nw-sriov-dpdk-example-mellanox.adoc[leveloffset=+1]
 
+include::modules/nw-running-dpdk-rootless-tap.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../networking/multiple_networks/configuring-additional-network.adoc#nw-multus-enable-container_use_devices_configuring-additional-network[Enabling the container_use_devices boolean]
+
+* xref:../../scalability_and_performance/cnf-create-performance-profiles.adoc#cnf-create-performance-profiles[Creating a performance profile]
+
+* xref:../../networking/hardware_networks/configuring-sriov-device.adoc#configuring-sriov-device[Configuring an SR-IOV network device]
+
 include::modules/nw-sriov-concept-dpdk-line-rate.adoc[leveloffset=+1]
 
 include::modules/nw-sriov-example-dpdk-line-rate.adoc[leveloffset=+1]
