Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 5. Postinstallation configuration

5.1. Postinstallation configuration
Link kopieren

The following procedures are typically performed after OpenShift Virtualization is installed. You can configure the components that are relevant for your environment:

5.2. Specifying nodes for OpenShift Virtualization components
Link kopieren

The default scheduling for virtual machines (VMs) on bare metal nodes is appropriate. Optionally, you can specify the nodes where you want to deploy OpenShift Virtualization Operators, workloads, and controllers by configuring node placement rules.

Note

You can configure node placement rules for some components after installing OpenShift Virtualization, but virtual machines cannot be present if you want to configure node placement rules for workloads.

You can use node placement rules for the following tasks:

  • Deploy virtual machines only on nodes intended for virtualization workloads.
  • Deploy Operators only on infrastructure nodes.
  • Maintain separation between workloads.

Depending on the object, you can use one or more of the following rule types:

nodeSelector
Allows pods to be scheduled on nodes that are labeled with the key-value pair or pairs that you specify in this field. The node must have labels that exactly match all listed pairs.
affinity
Enables you to use more expressive syntax to set rules that match nodes with pods. Affinity also allows for more nuance in how the rules are applied. For example, you can specify that a rule is a preference, not a requirement. If a rule is a preference, pods are still scheduled when the rule is not satisfied.
tolerations
Allows pods to be scheduled on nodes that have matching taints. If a taint is applied to a node, that node only accepts pods that tolerate the taint.

5.2.2. Applying node placement rules
Link kopieren

You can apply node placement rules by editing a 

Subscription
, 
HyperConverged
, or 
HostPathProvisioner
object using the command line.

Prerequisites

  • You have installed the OpenShift CLI (
    oc
    ).
  • You are logged in with cluster administrator permissions.

Procedure

  1. Edit the object in your default editor by running the following command: 

    $ oc edit <resource_type> <resource_name> -n openshift-cnv
  2. Save the file to apply the changes.

5.2.3. Node placement rule examples
Link kopieren

You can specify node placement rules for a OpenShift Virtualization component by editing a 

Subscription
, 
HyperConverged
, or 
HostPathProvisioner
object.

5.2.3.1. Subscription object node placement rule examples
Link kopieren

To specify the nodes where OLM deploys the OpenShift Virtualization Operators, edit the 

Subscription
object during OpenShift Virtualization installation.

Currently, you cannot configure node placement rules for the 

Subscription
object by using the web console.

The 

Subscription
object does not support the 
affinity
node placement rule.

Example Subscription object with nodeSelector rule

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: hco-operatorhub
  namespace: openshift-cnv
spec:
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  name: kubevirt-hyperconverged
  startingCSV: kubevirt-hyperconverged-operator.v4.14.17
  channel: "stable"
  config:
    nodeSelector:
      example.io/example-infra-key: example-infra-value

OLM deploys the OpenShift Virtualization Operators on nodes labeled 

example.io/example-infra-key = example-infra-value
.

Example Subscription object with tolerations rule

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: hco-operatorhub
  namespace: openshift-cnv
spec:
  source:  redhat-operators
  sourceNamespace: openshift-marketplace
  name: kubevirt-hyperconverged
  startingCSV: kubevirt-hyperconverged-operator.v4.14.17
  channel: "stable"
  config:
    tolerations:
    - key: "key"
      operator: "Equal"
      value: "virtualization"
      effect: "NoSchedule"

OLM deploys OpenShift Virtualization Operators on nodes labeled 

key = virtualization:NoSchedule
taint. Only pods with the matching tolerations are scheduled on these nodes.

5.2.3.2. HyperConverged object node placement rule example
Link kopieren

To specify the nodes where OpenShift Virtualization deploys its components, you can edit the 

nodePlacement
object in the 
HyperConverged
custom resource (CR) file that you create during OpenShift Virtualization installation.

Example HyperConverged object with nodeSelector rule

apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
  name: kubevirt-hyperconverged
  namespace: openshift-cnv
spec:
  infra:
    nodePlacement:
      nodeSelector:
        example.io/example-infra-key: example-infra-value
  workloads:
    nodePlacement:
      nodeSelector:
        example.io/example-workloads-key: example-workloads-value

  • Infrastructure resources are placed on nodes labeled 
    example.io/example-infra-key = example-infra-value
    .
  • Workloads are placed on nodes labeled 
    example.io/example-workloads-key = example-workloads-value
    .

Example HyperConverged object with affinity rule

apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
  name: kubevirt-hyperconverged
  namespace: openshift-cnv
spec:
  infra:
    nodePlacement:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: example.io/example-infra-key
                operator: In
                values:
                - example-infra-value
  workloads:
    nodePlacement:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: example.io/example-workloads-key
                operator: In
                values:
                - example-workloads-value
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            preference:
              matchExpressions:
              - key: example.io/num-cpus
                operator: Gt
                values:
                - 8

  • Infrastructure resources are placed on nodes labeled 
    example.io/example-infra-key = example-value
    .
  • Workloads are placed on nodes labeled 
    example.io/example-workloads-key = example-workloads-value
    .
  • Nodes that have more than eight CPUs are preferred for workloads, but if they are not available, pods are still scheduled.

Example HyperConverged object with tolerations rule

apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
  name: kubevirt-hyperconverged
  namespace: openshift-cnv
spec:
  workloads:
    nodePlacement:
      tolerations:
      - key: "key"
        operator: "Equal"
        value: "virtualization"
        effect: "NoSchedule"

Nodes reserved for OpenShift Virtualization components are labeled with the 

key = virtualization:NoSchedule
taint. Only pods with matching tolerations are scheduled on reserved nodes.

5.2.3.3. HostPathProvisioner object node placement rule example
Link kopieren

You can edit the 

HostPathProvisioner
object directly or by using the web console.

Warning

You must schedule the hostpath provisioner (HPP) and the OpenShift Virtualization components on the same nodes. Otherwise, virtualization pods that use the hostpath provisioner cannot run. You cannot run virtual machines.

After you deploy a virtual machine (VM) with the HPP storage class, you can remove the hostpath provisioner pod from the same node by using the node selector. However, you must first revert that change, at least for that specific node, and wait for the pod to run before trying to delete the VM.

You can configure node placement rules by specifying 

nodeSelector
, 
affinity
, or 
tolerations
for the 
spec.workload
field of the 
HostPathProvisioner
object that you create when you install the hostpath provisioner.

Example HostPathProvisioner object with nodeSelector rule

apiVersion: hostpathprovisioner.kubevirt.io/v1beta1
kind: HostPathProvisioner
metadata:
  name: hostpath-provisioner
spec:
  imagePullPolicy: IfNotPresent
  pathConfig:
    path: "</path/to/backing/directory>"
    useNamingPrefix: false
  workload:
    nodeSelector:
      example.io/example-workloads-key: example-workloads-value

Workloads are placed on nodes labeled 

example.io/example-workloads-key = example-workloads-value
.

5.3. Postinstallation network configuration
Link kopieren

By default, OpenShift Virtualization is installed with a single, internal pod network.

After you install OpenShift Virtualization, you can install networking Operators and configure additional networks.

5.3.1. Installing networking Operators
Link kopieren

You must install the Kubernetes NMState Operator to configure a Linux bridge network for live migration or external access to virtual machines (VMs). For installation instructions, see Installing the Kubernetes NMState Operator by using the web console.

You can install the SR-IOV Operator to manage SR-IOV network devices and network attachments. For installation instructions, see Installing the SR-IOV Network Operator.

You can add the MetalLB Operator to manage the lifecycle for an instance of MetalLB on your cluster. For installation instructions, see Installing the MetalLB Operator from the OperatorHub using the web console.

5.3.2. Configuring a Linux bridge network
Link kopieren

After you install the Kubernetes NMState Operator, you can configure a Linux bridge network for live migration or external access to virtual machines (VMs).

5.3.2.1. Creating a Linux bridge NNCP
Link kopieren

You can create a 

NodeNetworkConfigurationPolicy
(NNCP) manifest for a Linux bridge network.

Prerequisites

  • You have installed the Kubernetes NMState Operator.

Procedure

  • Create the 

    NodeNetworkConfigurationPolicy
    manifest. This example includes sample values that you must replace with your own information. 

    apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: br1-eth1-policy
spec:
  desiredState:
    interfaces:
      - name: br1
        description: Linux bridge with eth1 as a port
        type: linux-bridge
        state: up
        ipv4:
          enabled: false
        bridge:
          options:
            stp:
              enabled: false
          port:
            - name: eth1
     
    • metadata.name
      defines the name of the node network configuration policy. 
    • spec.desiredState.interfaces.name
      defines the name of the new Linux bridge. 
    • spec.desiredState.interfaces.description
      is an optional field that can be used to define a human-readable description for the bridge. 
    • spec.desiredState.interfaces.type
      defines the interface type. In this example, the type is a Linux bridge. 
    • spec.desiredState.interfaces.state
      defines the requested state for the interface after creation. 
    • spec.desiredState.interfaces.ipv4.enabled
      defines whether the ipv4 protocol is active. Setting this to 
      false
      disables IPv4 addressing on this bridge. 
    • spec.desiredState.interfaces.bridge.options.stp.enabled
      defines whether STP is active. Setting this to 
      false
      disables STP on this bridge. 
    • spec.desiredState.interfaces.bridge.port.name
      defines the node NIC to which the bridge is attached.

5.3.2.2. Creating a Linux bridge NAD by using the web console
Link kopieren

You can create a network attachment definition (NAD) to provide layer-2 networking to pods and virtual machines by using the OpenShift Container Platform web console.

A Linux bridge network attachment definition is the most efficient method for connecting a virtual machine to a VLAN.

Warning

Configuring IP address management (IPAM) in a network attachment definition for virtual machines is not supported.

Procedure

  1. In the web console, click Networking NetworkAttachmentDefinitions.

  2. Click Create Network Attachment Definition.

    Note

    The network attachment definition must be in the same namespace as the pod or virtual machine.

  3. Enter a unique Name and optional Description.
  4. Select CNV Linux bridge from the Network Type list.
  5. Enter the name of the bridge in the Bridge Name field.
  6. Optional: If the resource has VLAN IDs configured, enter the ID numbers in the VLAN Tag Number field.
  7. Optional: Select MAC Spoof Check to enable MAC spoof filtering. This feature provides security against a MAC spoofing attack by allowing only a single MAC address to exit the pod.
  8. Click Create.

Next steps

5.3.3. Configuring a network for live migration
Link kopieren

After you have configured a Linux bridge network, you can configure a dedicated network for live migration. A dedicated network minimizes the effects of network saturation on tenant workloads during live migration.

5.3.3.1. Configuring a dedicated secondary network for live migration
Link kopieren

To configure a dedicated secondary network for live migration, you must first create a bridge network attachment definition (NAD) by using the CLI. Then, you add the name of the 

NetworkAttachmentDefinition
object to the 
HyperConverged
custom resource (CR).

Prerequisites

  • You installed the OpenShift CLI (
    oc
    ).
  • You logged in to the cluster as a user with the 
    cluster-admin
    role.
  • Each node has at least two Network Interface Cards (NICs).
  • The NICs for live migration are connected to the same VLAN.

Procedure

  1. Create a 

    NetworkAttachmentDefinition
    manifest according to the following example:

    Example configuration file

    apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: my-secondary-network
  namespace: openshift-cnv
spec:
  config: '{
    "cniVersion": "0.3.1",
    "name": "migration-bridge",
    "type": "macvlan",
    "master": "eth1",
    "mode": "bridge",
    "ipam": {
      "type": "whereabouts",
      "range": "10.200.5.0/24"
    }
  }'
     

    • metadata.name
      specifies the name of the 
      NetworkAttachmentDefinition
      object. 
    • config.master
      specifies the name of the NIC to be used for live migration. 
    • config.type
      specifies the name of the CNI plugin that provides the network for the NAD. 
    • config.range
      specifies an IP address range for the secondary network. This range must not overlap the IP addresses of the main network.

  2. Open the 

    HyperConverged
    CR in your default editor by running the following command: 

    $ oc edit hyperconverged kubevirt-hyperconverged -n openshift-cnv

  3. Add the name of the 

    NetworkAttachmentDefinition
    object to the 
    spec.liveMigrationConfig
    stanza of the 
    HyperConverged
    CR:

    Example HyperConverged manifest

    apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
  name: kubevirt-hyperconverged
  namespace: openshift-cnv
spec:
  liveMigrationConfig:
    completionTimeoutPerGiB: 800
    network: <network>
    parallelMigrationsPerCluster: 5
    parallelOutboundMigrationsPerNode: 2
    progressTimeout: 150
# ...
     

    • spec.liveMigrationConfig.network
      specifies the name of the Multus 
      NetworkAttachmentDefinition
      object to be used for live migrations.
  4. Save your changes and exit the editor. The 
    virt-handler
    pods restart and connect to the secondary network.

Verification

  • When the node that the virtual machine runs on is placed into maintenance mode, the VM automatically migrates to another node in the cluster. You can verify that the migration occurred over the secondary network and not the default pod network by checking the target IP address in the virtual machine instance (VMI) metadata. 

    $ oc get vmi <vmi_name> -o jsonpath='{.status.migrationState.targetNodeAddress}'

5.3.3.2. Selecting a dedicated network by using the web console
Link kopieren

You can select a dedicated network for live migration by using the OpenShift Container Platform web console.

Prerequisites

  • You configured a Multus network for live migration.
  • You created a network attachment definition for the network.

Procedure

  1. Go to Virtualization > Overview in the OpenShift Container Platform web console.
  2. Click the Settings tab and then click Live migration.
  3. Select the network from the Live migration network list.

5.3.4. Configuring an SR-IOV network
Link kopieren

After you install the SR-IOV Operator, you can configure an SR-IOV network.

5.3.4.1. Configuring SR-IOV network devices
Link kopieren

The SR-IOV Network Operator adds the 

SriovNetworkNodePolicy.sriovnetwork.openshift.io
custom resource definition (CRD) to OpenShift Container Platform. You can configure an SR-IOV network device by creating a 
SriovNetworkNodePolicy
custom resource (CR).

Note

When applying the configuration specified in a 

SriovNetworkNodePolicy
object, the SR-IOV Operator might drain the nodes, and in some cases, reboot nodes.

It might take several minutes for a configuration change to apply.

Prerequisites

  • You installed the OpenShift CLI (
    oc
    ).
  • You have access to the cluster as a user with the 
    cluster-admin
    role.
  • You have installed the SR-IOV Network Operator.
  • You have enough available nodes in your cluster to handle the evicted workload from drained nodes.
  • You have not selected any control plane nodes for SR-IOV network device configuration.

Procedure

  1. Create an 

    SriovNetworkNodePolicy
    object, and then save the YAML in the 
    <name>-sriov-node-network.yaml
    file. Replace 
    <name>
    with the name for this configuration. 

    apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  name: <name>
  namespace: openshift-sriov-network-operator
spec:
  resourceName: <sriov_resource_name>
  nodeSelector:
    feature.node.kubernetes.io/network-sriov.capable: "true"
  priority: <priority>
  mtu: <mtu>
  numVfs: <num>
  nicSelector:
    vendor: "<vendor_code>"
    deviceID: "<device_id>"
    pfNames: ["<pf_name>", ...]
    rootDevices: ["<pci_bus_id>", "..."]
  deviceType: vfio-pci
  isRdma: false
     
    • metadata.name
      specifies a name for the 
      SriovNetworkNodePolicy
      object. 
    • metadata.namespace
      specifies the namespace where the SR-IOV Network Operator is installed. 
    • spec.resourceName
      specifies the resource name of the SR-IOV device plugin. You can create multiple 
      SriovNetworkNodePolicy
      objects for a resource name. 
    • spec.nodeSelector.feature.node.kubernetes.io/network-sriov.capable
      specifies the node selector to select which nodes are configured. Only SR-IOV network devices on selected nodes are configured. The SR-IOV Container Network Interface (CNI) plugin and device plugin are deployed only on selected nodes. 
    • spec.priority
      is an optional field that specifies an integer value between 
      0
      and 
      99
      . A smaller number gets higher priority, so a priority of 
      10
      is higher than a priority of 
      99
      . The default value is 
      99
      . 
    • spec.mtu
      is an optional field that specifies a value for the maximum transmission unit (MTU) of the virtual function. The maximum MTU value can vary for different NIC models. 
    • spec.numVfs
      specifies the number of the virtual functions (VF) to create for the SR-IOV physical network device. For an Intel network interface controller (NIC), the number of VFs cannot be larger than the total VFs supported by the device. For a Mellanox NIC, the number of VFs cannot be larger than 
      127
      . 

    • spec.nicSelector
      selects the Ethernet device for the Operator to configure. You do not need to specify values for all the parameters.

      Note

      It is recommended to identify the Ethernet adapter with enough precision to minimize the possibility of selecting an Ethernet device unintentionally. If you specify 

      rootDevices
      , you must also specify a value for 
      vendor
      , 
      deviceID
      , or 
      pfNames
      .

      If you specify both 

      pfNames
      and 
      rootDevices
      at the same time, ensure that they point to an identical device. 

    • spec.nicSelector.vendor
      is an optional field that specifies the vendor hex code of the SR-IOV network device. The only allowed values are either 
      8086
      or 
      15b3
      . 
    • spec.nicSelector.deviceID
      is an optional field that specifies the device hex code of SR-IOV network device. The only allowed values are 
      158b
      , 
      1015
      , 
      1017
      . 
    • spec.nicSelector.pfNames
      is an optional field that specifies an array of one or more physical function (PF) names for the Ethernet device. 
    • spec.nicSelector.rootDevices
      is an optional field that specifies an array of one or more PCI bus addresses for the physical function of the Ethernet device. Provide the address in the following format: 
      0000:02:00.1
      . 
    • spec.deviceType
      specifies the driver type. The 
      vfio-pci
      driver type is required for virtual functions in OpenShift Virtualization. 

    • spec.isRdma
      is an optional field that specifies whether to enable remote direct memory access (RDMA) mode. For a Mellanox card, set 
      isRdma
      to 
      false
      . The default value is 
      false
      .

      Note

      If 

      isRDMA
      flag is set to 
      true
      , you can continue to use the RDMA enabled VF as a normal network device. A device can be used in either mode.

  2. Optional: Label the SR-IOV capable cluster nodes with 
    SriovNetworkNodePolicy.Spec.NodeSelector
    if they are not already labeled. For more information about labeling nodes, see "Understanding how to update labels on nodes".

  3. Create the 

    SriovNetworkNodePolicy
    object. When running the following command, replace 
    <name>
    with the name for this configuration: 

    $ oc create -f <name>-sriov-node-network.yaml

    After applying the configuration update, all the pods in 

    sriov-network-operator
    namespace transition to the 
    Running
    status.

  4. To verify that the SR-IOV network device is configured, enter the following command. Replace 

    <node_name>
    with the name of a node with the SR-IOV network device that you just configured. 

    $ oc get sriovnetworknodestates -n openshift-sriov-network-operator <node_name> -o jsonpath='{.status.syncStatus}'

Next steps

5.3.5. Enabling load balancer service creation by using the web console
Link kopieren

You can enable the creation of load balancer services for a virtual machine (VM) by using the OpenShift Container Platform web console.

Prerequisites

  • You have configured a load balancer for the cluster.
  • You have logged in as a user with the 
    cluster-admin
    role.
  • You created a network attachment definition for the network.

Procedure

  1. Go to Virtualization Overview.
  2. On the Settings tab, click Cluster.
  3. Expand LoadBalancer service and select Enable the creation of LoadBalancer services for SSH connections to VirtualMachines.

5.4. Postinstallation storage configuration
Link kopieren

The following storage configuration tasks are mandatory:

  • You must configure a default storage class for your cluster. Otherwise, the cluster cannot receive automated boot source updates.
  • You must configure storage profiles if your storage provider is not recognized by CDI. A storage profile provides recommended storage settings based on the associated storage class.

Optional: You can configure local storage by using the hostpath provisioner (HPP).

See the storage configuration overview for more options, including configuring the Containerized Data Importer (CDI), data volumes, and automatic boot source updates.

5.4.1. Configuring local storage by using the HPP
Link kopieren

When you install the OpenShift Virtualization Operator, the Hostpath Provisioner (HPP) Operator is automatically installed. The HPP Operator creates the HPP provisioner.

The HPP is a local storage provisioner designed for OpenShift Virtualization. To use the HPP, you must create an HPP custom resource (CR).

Important

HPP storage pools must not be in the same partition as the operating system. Otherwise, the storage pools might fill the operating system partition. If the operating system partition is full, performance can be effected or the node can become unstable or unusable.

To use the hostpath provisioner (HPP) you must create an associated storage class for the Container Storage Interface (CSI) driver.

When you create a storage class, you set parameters that affect the dynamic provisioning of persistent volumes (PVs) that belong to that storage class. You cannot update a 

StorageClass
object’s parameters after you create it.

Note

Virtual machines use data volumes that are based on local PVs. Local PVs are bound to specific nodes. While a disk image is prepared for consumption by the virtual machine, it is possible that the virtual machine cannot be scheduled to the node where the local storage PV was previously pinned.

To solve this problem, use the Kubernetes pod scheduler to bind the persistent volume claim (PVC) to a PV on the correct node. By using the 

StorageClass
value with 
volumeBindingMode
parameter set to 
WaitForFirstConsumer
, the binding and provisioning of the PV is delayed until a pod is created using the PVC.

Procedure

  1. Create a 

    storageclass_csi.yaml
    file to define the storage class: 

    apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: hostpath-csi
provisioner: kubevirt.io.hostpath-provisioner
reclaimPolicy: Delete
    1 
    
volumeBindingMode: WaitForFirstConsumer
    2 
    
parameters:
  storagePool: my-storage-pool
    3 
    • reclaimPolicy
      specifies whether the underlying storage is deleted or retained when a user deletes a PVC. The two possible 
      reclaimPolicy
      values are 
      Delete
      and 
      Retain
      . If you do not specify a value, the default value is 
      Delete
      . 
    • volumeBindingMode
      specifies the timing of PV creation. The 
      WaitForFirstConsumer
      configuration in this example means that PV creation is delayed until a pod is scheduled to a specific node. 
    • parameters.storagePool
      specifies the name of the storage pool defined in the HPP custom resource (CR).
  2. Save the file and exit.

  3. Create the 

    StorageClass
    object by running the following command: 

    $ oc create -f storageclass_csi.yaml
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2026 Red HatNach oben