more modularization of modules

aireilly · aireilly · commit c413ab6f9bec · 2023-06-21T12:20:06.000+01:00
diff --git a/main.adoc b/main.adoc
@@ -80,6 +80,14 @@ include::modules/cnf-best-practices-linux-capabilities.adoc[leveloffset=+2]
 
 include::modules/cnf-best-practices-openshift-operations.adoc[leveloffset=+2]
 
+include::modules/cnf-best-practices-operations-that-can-not-be-executed-by-openshift.adoc[leveloffset=+2]
+
+include::modules/cnf-best-practices-analyzing-your-application.adoc[leveloffset=+2]
+
+include::modules/cnf-best-practices-finding-the-capabilities-that-an-application-needs.adoc[leveloffset=+2]
+
+include::modules/cnf-best-practices-cnf-securing-cnf-networks.adoc[leveloffset=+2]
+
 include::modules/cnf-best-practices-secrets-management.adoc[leveloffset=+3]
 
 include::modules/cnf-best-practices-scc-permissions-for-an-application.adoc[leveloffset=+3]
diff --git a/modules/cnf-best-practices-analyzing-your-application.adoc b/modules/cnf-best-practices-analyzing-your-application.adoc
@@ -0,0 +1,6 @@
+[id="cnf-best-practices-analyzing-your-application"]
+= Analyzing your application
+
+To find out which capabilities the application needs, Red Hat has developed a SystemTap script (`container_check.stp`). With this tool, the CNF developer can find out what capabilities an application requires in order to run in a container. It also shows the syscalls which were invoked. Find more info at link:https://linuxera.org/capabilities-seccomp-kubernetes/[]
+
+Another tool is `capable` which is part of the BCC tools. It can be installed on RHEL8 with `dnf install bcc`.
diff --git a/modules/cnf-best-practices-cnf-securing-cnf-networks.adoc b/modules/cnf-best-practices-cnf-securing-cnf-networks.adoc
@@ -0,0 +1,12 @@
+[id="cnf-best-practices-cnf-securing-cnf-networks"]
+= Securing CNF networks
+
+CNFs must have the least permissions possible and CNFs must implement Network Policies that drop all traffic by default and permit only the relevant ports and protocols to the narrowest ranges of addresses possible.
+
+.CNF requirement
+[IMPORTANT]
+====
+Applications must define network policies that permit only the minimum network access the application needs to function.
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#networking-network-policy-deny-all[networking-network-policy-deny-all]
+====
diff --git a/modules/cnf-best-practices-finding-the-capabilities-that-an-application-needs.adoc b/modules/cnf-best-practices-finding-the-capabilities-that-an-application-needs.adoc
@@ -0,0 +1,114 @@
+[id="cnf-best-practices-finding-the-capabilities-that-an-application-needs"]
+= Finding the capabilities that an application needs
+
+Here is an example of how to find out the capabilities that an application needs. `testpmd` is a DPDK based layer-2 forwarding application. It needs the `CAP_IPC_LOCK` to allocate the hugepage memory.
+
+. Use container_check.stp. We can see `CAP_IPC_LOCK` and `CAP_SYS_RAWIO` are requested by `testpmd` and the relevant syscalls.
++
+[source,terminal]
+----
+$ $ /usr/share/systemtap/examples/profiling/container_check.stp -c 'testpmd -l 1-2 -w 0000:00:09.0 -- -a --portmask=0x8 --nb-cores=1'
+----
++
+.Example output
+[source,terminal]
+----
+[...]
+capabilities used by executables
+    executable:   prob capability
+    testpmd:      cap_ipc_lock
+    testpmd:      cap_sys_rawio
+
+capabilities used by syscalls
+    executable,   syscall ( capability )    : count
+    testpmd,      mlockall ( cap_ipc_lock ) : 1
+    testpmd,      mmap ( cap_ipc_lock )     : 710
+    testpmd,      open ( cap_sys_rawio )    : 1
+    testpmd,      iopl ( cap_sys_rawio )    : 1
+
+failed syscalls
+    executable,          syscall =       errno:   count
+    eal-intr-thread,  epoll_wait =       EINTR:       1
+    lcore-slave-2,          read =            :       1
+    rte_mp_handle,       recvmsg =            :       1
+    stapio,                      =       EINTR:       1
+    stapio,               execve =      ENOENT:       3
+    stapio,        rt_sigsuspend =            :       1
+    testpmd,               flock =      EAGAIN:       5
+    testpmd,                stat =      ENOENT:      10
+    testpmd,               mkdir =      EEXIST:       2
+    testpmd,            readlink =      ENOENT:       3
+    testpmd,              access =      ENOENT:    1141
+    testpmd,              openat =      ENOENT:       1
+    testpmd,                open =      ENOENT:      13
+    [...]
+----
+
+. Use the `capable` command:
++
+[source,terminal]
+----
+$ /usr/share/bcc/tools/capable
+----
+
+. Start the testpmd application from another terminal, and send some test traffic to it. For example:
++
+[source,terminal]
+----
+$ testpmd -l 18-19 -w 0000:01:00.0 -- -a --portmask=0x1 --nb-cores=1
+----
+
+. Check the output of the `capable` command. Below, `CAP_IPC_LOCK` was requested for running `testpmd`.
++
+[source,terminal]
+----
+[...]
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
+[...]
+----
+
+. Also, try to run `testpmd` without `CAP_IPC_LOCK` set with `capsh`. Now we can see that the hugepage memory cannot be allocated.
+
+[source,terminal]
+----
+$ capsh --drop=cap_ipc_lock -- -c testpmd -l 18-19 -w 0000:01:00.0 -- -a --portmask=0x1 --nb-cores=1
+----
++
+.Example output
+[source,terminal]
+----
+EAL: Detected 24 lcore(s)
+EAL: Detected 2 NUMA nodes
+EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
+EAL: No free hugepages reported in hugepages-1048576kB
+EAL: Probing VFIO support...
+EAL: VFIO support initialized
+EAL: PCI device 0000:01:00.0 on NUMA socket 0
+EAL: probe driver: 8086:10fb net_ixgbe
+EAL: using IOMMU type 1 (Type 1)
+EAL: Ignore mapping IO port bar(2)
+EAL: PCI device 0000:01:00.1 on NUMA socket 0
+EAL: probe driver: 8086:10fb net_ixgbe
+EAL: PCI device 0000:07:00.0 on NUMA socket 0
+EAL: probe driver: 8086:1521 net_e1000_igb
+EAL: PCI device 0000:07:00.1 on NUMA socket 0
+EAL: probe driver: 8086:1521 net_e1000_igb
+EAL: cannot set up DMA remapping, error 12 (Cannot allocate memory) testpmd: mlockall() failed with error "Cannot allocate memory" testpmd: create a new mbuf pool <mbuf_pool_socket_0>: n=331456, size=2176, socket=0
+testpmd: preferred mempool ops selected: ring_mp_mc
+EAL: cannot set up DMA remapping, error 12 (Cannot allocate memory) testpmd: create a new mbuf pool <mbuf_pool_socket_1>: n=331456, size=2176,
+socket=1
+testpmd: preferred mempool ops selected: ring_mp_mc
+EAL: cannot set up DMA remapping, error 12 (Cannot allocate memory) EAL: cannot set up DMA remapping, error 12 (Cannot allocate memory)
+----
diff --git a/modules/cnf-best-practices-openshift-operations.adoc b/modules/cnf-best-practices-openshift-operations.adoc
@@ -53,167 +53,3 @@ In OpenShift, multicast is supported for both the default interface (OVN or Open
 * link:https://docs.openshift.com/container-platform/latest/networking/hardware_networks/using-sriov-multicast.html#nw-using-an-sriov-interface-for-multicast_using-sriov-multicast[Configuring an SR-IOV interface for multicast]
 * If your application works as a multicast source and you want to utilize the additional interfaces to carry the multicast traffic, then you don’t need the `NET_ADMIN` capability. Follow the instructions in link:https://docs.openshift.com/container-platform/latest/networking/hardware_networks/using-sriov-multicast.html[Using high performance multicast] to set the correct multicast route in the pod’s routing table.
 
-[id="cnf-best-practices-operations-that-can-not-be-executed-by-openshift"]
-== Operations that can not be executed by OpenShift
-
-All the CNI plugins are only invoked during pod creation and deletion. If your CNF needs perform any operations mentioned above at runtime, the `NET_ADMIN` capability is required.
-
-There are some other functionalities that are not currently supported by any of the OpenShift components which also require `NET_ADMIN` capability:
-
-* Link state modification at runtime
-
-* IP/MAC modification at runtime
-
-* Manipulate pod’s route table or firewall rules at runtime
-
-* SR/IOV VF setting at runtime
-
-* Netlink configuration
-
-* For example, `ethtool` can be used to configure things like rxvlan, txvlan, gso, tso, etc.
-
-* Multicast
-+
-[NOTE]
-====
-If your application works as a receiving member of IGMP groups, you need to specify the NET_ADMIN capability in the pod manifest. So that the app is allowed to assign multicast addresses to the pod interface and join an IGMP group.
-====
-
-* Set `SO_PRIORITY` to a socket to manipulate the 802.1p priority in ethernet frames
-
-* Set `IP_TOS` to a socket to manipulate the DSCP value of IP packets
-
-[id="cnf-best-practices-analyzing-your-application"]
-== Analyzing your application
-
-To find out which capabilities the application needs, Red Hat has developed a SystemTap script (`container_check.stp`). With this tool, the CNF developer can find out what capabilities an application requires in order to run in a container. It also shows the syscalls which were invoked. Find more info at link:https://linuxera.org/capabilities-seccomp-kubernetes/[]
-
-Another tool is `capable` which is part of the BCC tools. It can be installed on RHEL8 with `dnf install bcc`.
-
-[id="cnf-best-practices-example"]
-=== Finding the capabilities that an application needs
-
-Here is an example of how to find out the capabilities that an application needs. `testpmd` is a DPDK based layer-2 forwarding application. It needs the `CAP_IPC_LOCK` to allocate the hugepage memory.
-
-. Use container_check.stp. We can see `CAP_IPC_LOCK` and `CAP_SYS_RAWIO` are requested by `testpmd` and the relevant syscalls.
-+
-[source,terminal]
-----
-$ $ /usr/share/systemtap/examples/profiling/container_check.stp -c 'testpmd -l 1-2 -w 0000:00:09.0 -- -a --portmask=0x8 --nb-cores=1'
-----
-+
-.Example output
-[source,terminal]
-----
-[...]
-capabilities used by executables
-    executable:   prob capability
-    testpmd:      cap_ipc_lock
-    testpmd:      cap_sys_rawio
-
-capabilities used by syscalls
-    executable,   syscall ( capability )    : count
-    testpmd,      mlockall ( cap_ipc_lock ) : 1
-    testpmd,      mmap ( cap_ipc_lock )     : 710
-    testpmd,      open ( cap_sys_rawio )    : 1
-    testpmd,      iopl ( cap_sys_rawio )    : 1
-
-failed syscalls
-    executable,          syscall =       errno:   count
-    eal-intr-thread,  epoll_wait =       EINTR:       1
-    lcore-slave-2,          read =            :       1
-    rte_mp_handle,       recvmsg =            :       1
-    stapio,                      =       EINTR:       1
-    stapio,               execve =      ENOENT:       3
-    stapio,        rt_sigsuspend =            :       1
-    testpmd,               flock =      EAGAIN:       5
-    testpmd,                stat =      ENOENT:      10
-    testpmd,               mkdir =      EEXIST:       2
-    testpmd,            readlink =      ENOENT:       3
-    testpmd,              access =      ENOENT:    1141
-    testpmd,              openat =      ENOENT:       1
-    testpmd,                open =      ENOENT:      13
-    [...]
-----
-
-. Use the `capable` command:
-+
-[source,terminal]
-----
-$ /usr/share/bcc/tools/capable
-----
-
-. Start the testpmd application from another terminal, and send some test traffic to it. For example:
-+
-[source,terminal]
-----
-$ testpmd -l 18-19 -w 0000:01:00.0 -- -a --portmask=0x1 --nb-cores=1
-----
-
-. Check the output of the `capable` command. Below, `CAP_IPC_LOCK` was requested for running `testpmd`.
-+
-[source,terminal]
-----
-[...]
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-0:41:58 0 3591  testpmd CAP_IPC_LOCK  1
-[...]
-----
-
-. Also, try to run `testpmd` without `CAP_IPC_LOCK` set with `capsh`. Now we can see that the hugepage memory cannot be allocated.
-
-[source,terminal]
-----
-$ capsh --drop=cap_ipc_lock -- -c testpmd -l 18-19 -w 0000:01:00.0 -- -a --portmask=0x1 --nb-cores=1
-----
-+
-.Example output
-[source,terminal]
-----
-EAL: Detected 24 lcore(s)
-EAL: Detected 2 NUMA nodes
-EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
-EAL: No free hugepages reported in hugepages-1048576kB
-EAL: Probing VFIO support...
-EAL: VFIO support initialized
-EAL: PCI device 0000:01:00.0 on NUMA socket 0
-EAL: probe driver: 8086:10fb net_ixgbe
-EAL: using IOMMU type 1 (Type 1)
-EAL: Ignore mapping IO port bar(2)
-EAL: PCI device 0000:01:00.1 on NUMA socket 0
-EAL: probe driver: 8086:10fb net_ixgbe
-EAL: PCI device 0000:07:00.0 on NUMA socket 0
-EAL: probe driver: 8086:1521 net_e1000_igb
-EAL: PCI device 0000:07:00.1 on NUMA socket 0
-EAL: probe driver: 8086:1521 net_e1000_igb
-EAL: cannot set up DMA remapping, error 12 (Cannot allocate memory) testpmd: mlockall() failed with error "Cannot allocate memory" testpmd: create a new mbuf pool <mbuf_pool_socket_0>: n=331456, size=2176, socket=0
-testpmd: preferred mempool ops selected: ring_mp_mc
-EAL: cannot set up DMA remapping, error 12 (Cannot allocate memory) testpmd: create a new mbuf pool <mbuf_pool_socket_1>: n=331456, size=2176,
-socket=1
-testpmd: preferred mempool ops selected: ring_mp_mc
-EAL: cannot set up DMA remapping, error 12 (Cannot allocate memory) EAL: cannot set up DMA remapping, error 12 (Cannot allocate memory)
-----
-
-[id="cnf-best-practices-cnf-network-security"]
-== Securing CNF networks
-
-CNFs must have the least permissions possible and CNFs must implement Network Policies that drop all traffic by default and permit only the relevant ports and protocols to the narrowest ranges of addresses possible.
-
-.CNF requirement
-[IMPORTANT]
-====
-Applications must define network policies that permit only the minimum network access the application needs to function.
-
-See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#networking-network-policy-deny-all[networking-network-policy-deny-all]
-====
diff --git a/modules/cnf-best-practices-operations-that-can-not-be-executed-by-openshift.adoc b/modules/cnf-best-practices-operations-that-can-not-be-executed-by-openshift.adoc
@@ -0,0 +1,29 @@
+[id="cnf-best-practices-operations-that-can-not-be-executed-by-openshift"]
+= Operations that can not be executed by OpenShift
+
+All the CNI plugins are only invoked during pod creation and deletion. If your CNF needs perform any operations mentioned above at runtime, the `NET_ADMIN` capability is required.
+
+There are some other functionalities that are not currently supported by any of the OpenShift components which also require `NET_ADMIN` capability:
+
+* Link state modification at runtime
+
+* IP/MAC modification at runtime
+
+* Manipulate pod’s route table or firewall rules at runtime
+
+* SR/IOV VF setting at runtime
+
+* Netlink configuration
+
+* For example, `ethtool` can be used to configure things like rxvlan, txvlan, gso, tso, etc.
+
+* Multicast
++
+[NOTE]
+====
+If your application works as a receiving member of IGMP groups, you need to specify the NET_ADMIN capability in the pod manifest. So that the app is allowed to assign multicast addresses to the pod interface and join an IGMP group.
+====
+
+* Set `SO_PRIORITY` to a socket to manipulate the 802.1p priority in ethernet frames
+
+* Set `IP_TOS` to a socket to manipulate the DSCP value of IP packets
