SupportConsoleDevelopersStart a trialContact

Chapter 4. Deploying workloads on IBM

You can deploy OpenShift sandboxed containers workloads on IBM Z® and IBM® LinuxONE.

Important

Deploying OpenShift sandboxed containers workloads on IBM Z® and IBM® LinuxONE is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Cluster prerequisites

  • You have installed Red Hat OpenShift Container Platform 4.14 or later.
  • Your cluster has three control nodes and two worker nodes.

Deployment flow

While this document refers only to IBM Z®, all procedures also apply to IBM® LinuxONE.

You deploy OpenShift sandboxed containers workloads by performing the following steps:

  1. Configure a libvirt volume on your KVM host.
  2. Create a KVM guest image and upload it to the libvirt volume.
  3. Create a peer pod VM image and upload it to the libvirt volume.
  4. Create a secret for the libvirt provider.
  5. Create a config map for the libvirt provider.
  6. Create an SSH key secret for your KVM host.
  7. Create a KataConfig CR.
  8. Optional: Modify the peer pod VM limit per node.
  9. Configure your workload objects to use the kata-remote runtime class.
Note
  • Cluster nodes and peer pods must be in the same IBM Z® KVM host logical partition (LPAR).
  • Cluster nodes and peer pods must be connected to the same subnet.

4.1. Preparing your environment

Perform the following steps to prepare your environment:

  1. Ensure that your cluster has sufficient resources.
  2. Install the OpenShift sandboxed containers Operator.

4.1.1. Resource requirements

Peer pod virtual machines (VMs) require resources in two locations:

  • The worker node. The worker node stores metadata, Kata shim resources (containerd-shim-kata-v2), remote-hypervisor resources (cloud-api-adaptor), and the tunnel setup between the worker nodes and the peer pod VM.
  • The cloud instance. This is the actual peer pod VM running in the cloud.

The CPU and memory resources used in the Kubernetes worker node are handled by the pod overhead included in the RuntimeClass (kata-remote) definition used for creating peer pods.

The total number of peer pod VMs running in the cloud is defined as Kubernetes Node extended resources. This limit is per node and is set by the limit attribute in the peerpodConfig custom resource (CR).

The peerpodConfig CR, named peerpodconfig-openshift, is created when you create the kataConfig CR and enable peer pods, and is located in the openshift-sandboxed-containers-operator namespace.

The following peerpodConfig CR example displays the default spec values: 

apiVersion: confidentialcontainers.org/v1alpha1
kind: PeerPodConfig
metadata:
  name: peerpodconfig-openshift
  namespace: openshift-sandboxed-containers-operator
spec:
  cloudSecretName: peer-pods-secret
  configMapName: peer-pods-cm
  limit: "10" 1
  nodeSelector:
    node-role.kubernetes.io/kata-oc: ""
1
The default limit is 10 VMs per node.

The extended resource is named kata.peerpods.io/vm, and enables the Kubernetes scheduler to handle capacity tracking and accounting.

You can edit the limit per node based on the requirements for your environment. See "Modifying the VM limit per node in peer pods" for more information.

A mutating webhook adds the extended resource kata.peerpods.io/vm to the pod specification. It also removes any resource-specific entries from the pod specification, if present. This enables the Kubernetes scheduler to account for these extended resources, ensuring the peer pod is only scheduled when resources are available.

The mutating webhook modifies a Kubernetes pod as follows:

  • The mutating webhook checks the pod for the expected RuntimeClassName value, specified in the TARGET_RUNTIME_CLASS environment variable. If the value in the pod specification does not match the value in the TARGET_RUNTIME_CLASS, the webhook exits without modifying the pod.

  • If the RuntimeClassName values match, the webhook makes the following changes to the pod spec:

    1. The webhook removes every resource specification from the resources field of all containers and init containers in the pod.
    2. The webhook adds the extended resource (kata.peerpods.io/vm) to the spec by modifying the resources field of the first container in the pod. The extended resource kata.peerpods.io/vm is used by the Kubernetes scheduler for accounting purposes.
Note

The mutating webhook excludes specific system namespaces in OpenShift Container Platform from mutation. If a peer pod is created in those system namespaces, then resource accounting using Kubernetes extended resources does not work unless the pod spec includes the extended resource.

As a best practice, define a cluster-wide policy to only allow peer pod creation in specific namespaces.

4.1.2. Installing the OpenShift sandboxed containers Operator

You can install the OpenShift sandboxed containers Operator by using the OpenShift Container Platform web console or command line interface (CLI).

4.1.2.1. Installing the Operator by using the web console

You can install the OpenShift sandboxed containers Operator by using the Red Hat OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Operators OperatorHub.
  2. In the Filter by keyword field, type OpenShift sandboxed containers.
  3. Select the OpenShift sandboxed containers Operator tile and click Install.
  4. On the Install Operator page, select stable from the list of available Update Channel options.

  5. Verify that Operator recommended Namespace is selected for Installed Namespace. This installs the Operator in the mandatory openshift-sandboxed-containers-operator namespace. If this namespace does not yet exist, it is automatically created.

    Note

    Attempting to install the OpenShift sandboxed containers Operator in a namespace other than openshift-sandboxed-containers-operator causes the installation to fail.

  6. Verify that Automatic is selected for Approval Strategy. Automatic is the default value, and enables automatic updates to OpenShift sandboxed containers when a new z-stream release is available.
  7. Click Install.

The OpenShift sandboxed containers Operator is now installed on your cluster.

Verification

  1. Navigate to Operators Installed Operators.
  2. Verify that the OpenShift sandboxed containers Operator is displayed.

Additional resources

4.1.2.2. Installing the Operator by using the CLI

You can install the OpenShift sandboxed containers Operator by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create a Namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator

  2. Create the namespace by running the following command: 

    $ oc create -f Namespace.yaml

  3. Create an OperatorGroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator

  4. Create the operator group by running the following command: 

    $ oc create -f OperatorGroup.yaml

  5. Create a Subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.6.0

  6. Create the subscription by running the following command: 

    $ oc create -f Subscription.yaml

The OpenShift sandboxed containers Operator is now installed on your cluster.

Verification

  • Ensure that the Operator is correctly installed by running the following command: 

    $ oc get csv -n openshift-sandboxed-containers-operator

    Example output

    NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.6.0    1.5.3        Succeeded

4.1.2.3. Additional resources

4.2. Deploying workloads by using the command line

You can deploy OpenShift sandboxed containers workloads by using the command line.

4.2.1. Configuring a libvirt volume

You must configure a libvirt volume on your KVM host. Peer pods use the libvirt provider of the Cloud API Adaptor to create and manage virtual machines.

Prerequisites

  • You have installed the OpenShift sandboxed containers Operator on your OpenShift Container Platform cluster by using the OpenShift Container Platform web console or the command line.
  • You have administrator privileges for your KVM host.
  • You have installed podman on your KVM host.
  • You have installed virt-customize on your KVM host.

Procedure

  1. Log in to the KVM host.

  2. Set the name of the libvirt pool by running the following command: 

    $ export LIBVIRT_POOL=<libvirt_pool>

    You need the LIBVIRT_POOL value to create the secret for the libvirt provider.

  3. Set the name of the libvirt pool by running the following command: 

    $ export LIBVIRT_VOL_NAME=<libvirt_volume>

    You need the LIBVIRT_VOL_NAME value to create the secret for the libvirt provider.

  4. Set the path of the default storage pool location, by running the following command: 

    $ export LIBVIRT_POOL_DIRECTORY=<target_directory> 1
    1
    To ensure libvirt has read and write access permissions, use a subdirectory of the libvirt storage directory. The default is /var/lib/libvirt/images/.

  5. Create a libvirt pool by running the following command: 

    $ virsh pool-define-as $LIBVIRT_POOL --type dir --target "$LIBVIRT_POOL_DIRECTORY"

  6. Start the libvirt pool by running the following command: 

    $ virsh pool-start $LIBVIRT_POOL

  7. Create a libvirt volume for the pool by running the following command: 

    $ virsh -c qemu:///system \
  vol-create-as --pool $LIBVIRT_POOL \
  --name $LIBVIRT_VOL_NAME \
  --capacity 20G \
  --allocation 2G \
  --prealloc-metadata \
  --format qcow2

4.2.2. Creating a KVM guest image

You must create a KVM guest image and upload it to the libvirt volume.

Prerequisites

  • IBM z15 or later, or IBM® LinuxONE III or later.
  • At least one LPAR running on RHEL 9 or later with KVM.

Procedure

  1. Log in to your OpenShift Container Platform cluster.

  2. If you have a RHEL subscription, set the subscription environment variables for Red Hat Subscription Management:

    • Set the organization ID by running the following command: 

      $ export ORG_ID=$(cat ~/.rh_subscription/orgid)

    • Set the activation key by running the following command: 

      $ export ACTIVATION_KEY=$(cat ~/.rh_subscription/activation_key)

  3. If you do not have a RHEL subscription, set the subscription values for RHEL:

    • Set the organization ID by running the following command: 

      $ export ORG_ID=<RHEL_ORGID_VALUE> 1
      1
      Specify your RHEL organization ID.

    • Set the activation key by running the following command: 

      $ export ACTIVATION_KEY=<RHEL_ACTIVATION_KEY> 1
      1
      Specify your RHEL activation key.
  4. Log in to your IBM Z® system.

  5. Download the s390x RHEL KVM guest image from the Red Hat Customer Portal to your libvirt storage directory to grant libvirt correct access.

    The default directory is /var/lib/libvirt/images. This image is used to generate the peer pod VM image, which includes the relevant binaries.

  6. Set the IMAGE_URL for the downloaded image by running the following command: 

    $ export IMAGE_URL=<path/to/image> 1
    1
    Specify the path of the KVM guest image.

  7. Register the guest KVM image by running the following command: 

    $ export REGISTER_CMD="subscription-manager register --org=${ORG_ID} \
  --activationkey=${ACTIVATION_KEY}"

  8. Customize the guest KVM image by running the following command: 

    $ virt-customize -v -x -a ${IMAGE_URL} --run-command "${REGISTER_CMD}"

  9. Set the checksum of the image by running the following command: 

    $ export IMAGE_CHECKSUM=$(sha256sum ${IMAGE_URL} | awk '{ print $1 }')

4.2.3. Building a peer pod VM image

You must build a peer pod virtual machine (VM) image and upload it to your libvirt volume.

Procedure

  1. Log in to your OpenShift Container Platform cluster.

  2. Clone the cloud-api-adaptor repository by running the following command: 

    $ git clone --single-branch https://github.com/confidential-containers/cloud-api-adaptor.git

  3. Change into the podvm directory by running the following command: 

    $ cd cloud-api-adaptor && git checkout 8577093

  4. Create a builder image from which the final QCOW2 image is generated.

    • If you have a subscribed RHEL system, run the following command: 

      $ podman build -t podvm_builder_rhel_s390x \
  --build-arg ARCH="s390x" \
  --build-arg GO_VERSION="1.21.3" \
  --build-arg PROTOC_VERSION="25.1" \
  --build-arg PACKER_VERSION="v1.9.4" \
  --build-arg RUST_VERSION="1.72.0" \
  --build-arg YQ_VERSION="v4.35.1" \
  --build-arg YQ_CHECKSUM="sha256:4e6324d08630e7df733894a11830412a43703682d65a76f1fc925aac08268a45" \
  -f podvm/Dockerfile.podvm_builder.rhel .

    • If you have an unsubscribed RHEL system, run the following command: 

      $ podman build -t podvm_builder_rhel_s390x \
  --build-arg ORG_ID=$ORG_ID \
  --build-arg ACTIVATION_KEY=$ACTIVATION_KEY \
  --build-arg ARCH="s390x" \
  --build-arg GO_VERSION="1.21.3" \
  --build-arg PROTOC_VERSION="25.1" \
  --build-arg PACKER_VERSION="v1.9.4" \
  --build-arg RUST_VERSION="1.72.0" \
  --build-arg YQ_VERSION="v4.35.1" \
  --build-arg YQ_CHECKSUM="sha256:4e6324d08630e7df733894a11830412a43703682d65a76f1fc925aac08268a45" \
  -f podvm/Dockerfile.podvm_builder.rhel .

  5. Generate an intermediate image package with the required binaries for running peer pods by running the following command: 

    $ podman build -t podvm_binaries_rhel_s390x \
  --build-arg BUILDER_IMG="podvm_builder_rhel_s390x:latest" \
  --build-arg ARCH=s390x \
  -f podvm/Dockerfile.podvm_binaries.rhel .

    This process takes a significant length of time.

  6. Extract the binaries and build the peer pod QCOW2 image by running the following command: 

    $ podman build -t podvm_rhel_s390x \
  --build-arg ARCH=s390x \
  --build-arg CLOUD_PROVIDER=libvirt \
  --build-arg BUILDER_IMG="localhost/podvm_builder_rhel_s390x:latest" \
  --build-arg BINARIES_IMG="localhost/podvm_binaries_rhel_s390x:latest" \
  -v ${IMAGE_URL}:/tmp/rhel.qcow2:Z \
  --build-arg IMAGE_URL="/tmp/rhel.qcow2" \
  --build-arg IMAGE_CHECKSUM=${IMAGE_CHECKSUM} \
  -f podvm/Dockerfile.podvm.rhel .

  7. Create an image directory environment variable by running the following command: 

    $ export IMAGE_OUTPUT_DIR=<image_output_directory> 1
    1
    Specify a directory for the image.

  8. Create the image directory by running the following command: 

    $ mkdir -p $IMAGE_OUTPUT_DIR

  9. Save the extracted peer pod QCOW2 image by running the following command: 

    $ podman save podvm_rhel_s390x | tar -xO --no-wildcards-match-slash '*.tar' | tar -x -C ${IMAGE_OUTPUT_DIR}

  10. Upload the peer pod QCOW2 image to your libvirt volume: 

    $ virsh -c qemu:///system vol-upload \
  --vol $LIBVIRT_VOL_NAME \
  $IMAGE_OUTPUT_DIR/podvm-*.qcow2 \
  --pool $LIBVIRT_POOL --sparse

4.2.4. Creating a secret

You must create a Secret object on your OpenShift Container Platform cluster.

Prerequisites

  • LIBVIRT_POOL. Use the value you set when you configured libvirt on the KVM host.
  • LIBVIRT_VOL_NAME. Use the value you set when you configured libvirt on the KVM host.

  • LIBVIRT_URI. This value is the default gateway IP address of the libvirt network. Check your libvirt network setup to obtain this value.

    Note

    If libvirt uses the default bridge virtual network, you can obtain the LIBVIRT_URI by running the following commands: 

    $ virtint=$(bridge_line=$(virsh net-info default | grep Bridge);  echo "${bridge_line//Bridge:/}" | tr -d [:blank:])

$ LIBVIRT_URI=$( ip -4 addr show $virtint | grep -oP '(?<=inet\s)\d+(\.\d+){3}')

Procedure

  1. Create a peer-pods-secret.yaml manifest file according to the following example: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  CLOUD_PROVIDER: "libvirt"
  LIBVIRT_URI: "<libvirt_gateway_uri>" 1
  LIBVIRT_POOL: "<libvirt_pool>" 2
  LIBVIRT_VOL_NAME: "<libvirt_volume>" 3
    1
    Specify the libvirt URI.
    2
    Specify the libvirt pool.
    3
    Specify the libvirt volume name.

  2. Create the secret object by applying the manifest: 

    $ oc apply -f peer-pods-secret.yaml
Note

If you update the peer pods secret, you must restart the peerpodconfig-ctrl-caa-daemon DaemonSet to apply the changes.

After you update the secret, apply the manifest. Then restart the cloud-api-adaptor pods by running the following command: 

$ oc set env ds/peerpodconfig-ctrl-caa-daemon -n openshift-sandboxed-containers-operator REBOOT="$(date)"

Restarting a daemon set recreates peer pods. It does not update existing pods.

4.2.5. Creating a config map

You must create a config map on your OpenShift Container Platform cluster for your libvirt provider.

Procedure

  1. Create a peer-pods-cm.yaml manifest according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "libvirt"
  PROXY_TIMEOUT: "15m"

  2. Apply the manifest to create a config map: 

    $ oc apply -f peer-pods-cm.yaml

    A config map is created for your libvirt provider.

Note

If you update the peer pods config map, you must restart the peerpodconfig-ctrl-caa-daemon daemonset to apply the changes.

After you update the config map, apply the manifest. Then restart the cloud-api-adaptor pods by running the following command: 

$ oc set env ds/peerpodconfig-ctrl-caa-daemon -n openshift-sandboxed-containers-operator REBOOT="$(date)"

Restarting the daemonset recreates the peer pods. It does not update the existing pods.

4.2.6. Creating an SSH key secret

You must create an SSH key secret object for your KVM host.

Procedure

  1. Log in to your OpenShift Container Platform cluster.

  2. Generate an SSH key pair by running the following command: 

    $ ssh-keygen -f ./id_rsa -N ""

  3. Copy the public SSH key to your KVM host: 

    $ ssh-copy-id -i ./id_rsa.pub <KVM_HOST_IP>

  4. Create the Secret object by running the following command: 

    $ oc create secret generic ssh-key-secret \
    -n openshift-sandboxed-containers-operator \
    --from-file=id_rsa.pub=./id_rsa.pub \
    --from-file=id_rsa=./id_rsa

    The SSH key secret is created.

  5. Delete the SSH keys you created: 

    $ shred -remove id_rsa.pub id_rsa

4.2.7. Creating a KataConfig custom resource

You must create a KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

Creating the KataConfig CR triggers the OpenShift sandboxed containers Operator to do the following:

  • Create a RuntimeClass CR named kata-remote with a default configuration. This enables users to configure workloads to use kata-remote as the runtime by referencing the CR in the RuntimeClassName field. This CR also specifies the resource overhead for the runtime.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create a cluster-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: cluster-kataconfig
spec:
  enablePeerPods: true
  logLevel: info

  2. Optional: To install kata-remote on selected nodes, specify the node labels according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: cluster-kataconfig
spec:
  kataConfigPoolSelector:
    matchLabels:
      <label_key>: '<label_value>' 1
# ...
    1
    Specify the labels of the selected nodes.

  3. Create the KataConfig CR: 

    $ oc create -f cluster-kataconfig.yaml

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

Verification

  • Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

See KataConfig status messages for details.

4.2.8. Optional: Modifying the number of peer pod VMs per node

You can change the limit of peer pod virtual machines (VMs) per node by editing the peerpodConfig custom resource (CR).

Procedure

  1. Check the current limit by running the following command: 

    $ oc get peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
-o jsonpath='{.spec.limit}{"\n"}'

  2. Modify the limit attribute of the peerpodConfig CR by running the following command: 

    $ oc patch peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
--type merge --patch '{"spec":{"limit":"<value>"}}' 1
    1
    Replace <value> with the limit you want to define.

4.2.9. Configuring workload objects

You deploy an OpenShift sandboxed containers workload by configuring kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in the openshift-sandboxed-containers-operator namespace. Create a dedicated namespace for these resources.

Prerequisites

  • You have created a secret object for your provider.
  • You have created a config map for your provider.
  • You have created a KataConfig custom resource (CR).

Procedure

  1. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.