first pass conversion complete

Author: aireilly

cnf-best-practices.adoc

@@ -0,0 +1,17 @@
+[id="cnf-best-practices-block-storage"]
+= Block Storage
+
+OpenShift Container Platform can provision raw block volumes. These volumes do not have a file system, and can provide performance benefits for applications that either write to the disk directly or implement their own storage service.
+
+There are 2 types of storage connectivity and 2 levels of storage in each. All block storage is located on a NetApp appliance.
+
+The two types of storage connectivity are:
+
+NFS:: This is the default storage type
+
+iSCSI:: This type of storage should ONLY be used if needed by database type applications
+
+More info on Block Volume storage support here:
+
+link:https://docs.openshift.com/container-platform/4.4/storage/understanding-persistent-storage.html#block-volume-support_understanding-persistent-storage[]
+

modules/cnf-best-practices-block-storage.adoc

@@ -0,0 +1,5 @@
+[id="cnf-best-practices-ci-cd"]
+= CI/CD Framework
+
+Applications should target a CI/CD approach for deployment and validation.
+

modules/cnf-best-practices-ci-cd.adoc

@@ -0,0 +1,5 @@
+[id="cnf-best-practices-cni-ovn"]
+= CNI-OVN
+
+OVN is the default pod network CNI plugin for OpenShift and is supported directly by Red Hat. OVN is Red Hat's CNI for pods. It is a Geneve based overlay that requires L3 reachability between the host nodes. This L3 reachability can be over L2 or a pre-existing overlay network. OpenShift's OVN forwarding is based on flow rules and implemented with nftables on the host OS CNI POD.
+

modules/cnf-best-practices-cni-ovn.adoc

@@ -0,0 +1,19 @@
+[id="cnf-best-practices-container-runtime"]
+= Container Runtime
+
+OpenShift uses CRI-O as a CRI interface for Kubernetes. CRI-O manages runC for container image execution. CRI-O is an open-source container engine that provides a stable, performant platform for running OCI compatible runtimes. CRI-O is developed, tested and released in tandem with Kubernetes major and minor releases. Images should be OCI compliant. Images are recommended to be built using Red Hat's open Universal Base Image. See later sections for additional information on UBI and support.
+
+Red Hat Documentation on CRI-O and Read Only Containers
+
+link:https://blog.openshift.com/add-a-layer-of-security-to-openshift-kubernetes-with-cri-o-in-read-only-mode/[]
+
+link:https://github.com/cri-o/cri-o/blob/master/docs/crio.8.md[]
+
+This environment is maintained through the open source tools:
+
+* runc
+* skopeo
+* buildah
+* podman
+* crio
+

modules/cnf-best-practices-container-runtime.adoc

@@ -0,0 +1,5 @@
+[id="cnf-best-practices-cpu-manager-pinning"]
+= CPU Manager/Pinning
+
+The OpenShift platform can use the Kubernetes CPU Manager to support CPU pinning for applications.
+

modules/cnf-best-practices-cpu-manager-pinning.adoc

@@ -0,0 +1,13 @@
+[id="cnf-best-practices-csi"]
+= Container Storage (CSI)
+
+Pod Volumes are supported via local storage and the CSI for persistent volumes. Local storage is truly ephemeral storage, it is local only to the physical node that a pod is running on and will be lost in the event a pod is killed and recreated. If a Pod requires persistent storage the CSI can be used via kubernetes native primitives persistentVolume (PV) and persistentVolumeClaim (PVC) to
+
+get persistent storage, such as an NFS share via the CSI backed by NetApp Trident.
+
+When using storage with Kubernetes, one can leverage storage classes. Please refer to the Block Storage section 3.3.5 for a description of the available storage classes. Volumes can then be requested based on the parameters of the storage they wish to use.
+
+Network Functions should clear persistent storage by deleting their PVs when removing their application from a cluster.
+
+Red Hat Persistent Storage Documentation:: link:https://docs.openshift.com/container-platform/4.4/storage/container_storage_interface/persistent-storage-csi.html[]
+

modules/cnf-best-practices-csi.adoc

@@ -0,0 +1,96 @@
+[id="cnf-best-practices-developer-guide"]
+= CNF Developer Guide
+
+This section discusses recommendations and requirements for CNF application builders.
+
+== Preface
+
+Cloud-native Network Functions (CNFs) are containerized instances of classic physical or virtual network functions (VNF) which have been decomposed into microservices supporting elasticity, lifecycle management, security, logging, and other capabilities in a Cloud-Native format.
+
+== Goal
+
+This document is mainly for the developers of CNFs, who need to build high-performance Network Functions in a containerized environment. We have created a guide that any partner can take and follow when developing their CNFs so that they can be deployed on the OpenShift Container Platform (OCP) in a secure, efficient and supportable way.
+
+== Non-Goal
+
+This is not a guide on how to build CNF’s functionality.
+
+=== Refactoring
+
+NFs should break their software down into the smallest set of microservices as possible. Running monolithic applications inside of a container is not the operating model to be in.
+
+It is hard to move a 1000LB boulder. However, it is easy when that boulder is broken down into many pieces (pebbles). All containerized network functions (CNFs) should break apart each piece of the functions/services/processes into separate containers. These containers will still be within kubernetes pods and all of the functions that perform a single task should be within the same namespace.
+
+There is a quote that describes this best from link:Lewis and Fowler:# "the microservice architectural []style is an approach to developing a single application as a suite of small services, eachrunning in its own process and communicating with lightweight mechanisms, often an HTTP resource API. These services are built around business capabilities and independently deployable by fully automated deployment machinery. "
+
+=== CNF Security
+
+In OCP, it is possible to run privileged containers that have all of the root capabilities on a host machine, allowing the ability to access resources which are not accessible in ordinary containers. This, however, increases the security risk to the whole cluster. Containers should only request those privileges they need to run their legitimate functions. No containers will be allowed to run with full privileges without an exception.
+
+The general guidelines are:
+
+. Only ask for the necessary privileges and access control settings for your application. 2. If the function required by your CNF can be fulfilled by OCP components, your application should not be requesting escalated privilege to perform this function.
+
+. Avoid using any host system resource if possible.
+
+. Leveraging read only root filesystem when possible.
+
+.CNF Requirement
+[IMPORTANT]
+====
+Only ask for the necessary privileges and access control settings for your application
+====
+
+.CNF Requirement
+[IMPORTANT]
+====
+If the function required by your CNF can be fulfilled by OCP components, your application should not be
+requesting escalated privilege to perform this function.
+====
+
+.CNF Requirement
+[IMPORTANT]
+====
+*Avoid* using any host system resource
+====
+
+.CNF Requirement
+[IMPORTANT]
+====
+*Do not* mount host directories for device access
+====
+
+.CNF Requirement
+[IMPORTANT]
+====
+*Do not* use host network namespace
+====
+
+.CNF Requirement
+[IMPORTANT]
+====
+CNFs may *not* modify the platform in any way
+====
+
+==== Avoid Accessing Resource on Host
+
+It is not recommended for an application to access following resources on the host.
+
+==== Avoid Mounting host directories as volumes
+
+It is not necessary to mount host /sys/ or host /dev/ directory as a volume in a pod in order to use a network device such as SR-IOV VF. The moving of a network interface into the pod network namespace is done automatically by CNI. Mounting the whole /sys/ or /dev/ directory in the container will overwrite the network device descriptor inside the container which causes 'device not found' or 'no such file or directory' error.
+
+Network interface statistics can be queried inside the container using the same /sys/ path as was done when running directly on the host. When running network interfaces in containers, relevant /sys/ statistics interfaces are available inside the container, such as '/sys/class/net/net1/statistics/', '/proc/net/tcp' and '/proc/net/tcp6'.
+
+For running DPDK applications with SR-IOV VF, device specs (in case of vfio-pci) are automatically attached to the container via the Device Plugin. There is no need to mount the /dev/ directory as a volume in the container as the application can find device specs under '/dev/vfio/' in the container.
+
+==== Avoid the host network namespace
+
+Application pods must avoid using hostNetwork. Applications may not use the host network, including nodePort for network communication. Any networking needs beyond the functions provided by the pod network and ingress/egress proxy must be serviced via a MULTUS connected interface.
+
+.CNF Requirement
+[IMPORTANT]
+====
+Applications may *not* use NodePorts or the hostNetwork
+====
+

modules/cnf-best-practices-developer-guide.adoc

@@ -0,0 +1,11 @@
+[id="cnf-best-practices-ephemeral-storage"]
+= Ephemeral Storage
+
+Pods and containers can require ephemeral or transient local storage for their operation. The lifetime of this ephemeral storage does not extend beyond the life of the individual pod, and this ephemeral storage cannot be shared across pods.
+
+.CNF Requirement
+[IMPORTANT]
+====
+PODs must *NOT* place persistent data into ephemeral storage
+====
+