Chapter 1. Configuring system controls and interface attributes using the tuning plugin
To modify kernel parameters and interface attributes at runtime in OpenShift Container Platform, you can use the tuning Container Network Interface (CNI) meta plugin. The plugin operates in a chain with a main CNI plugin and allows you to change sysctls and interface attributes such as promiscuous mode, all-multicast mode, MTU, and MAC address.
1.1. Configuring system controls by using the tuning CNI
To configure interface-level network sysctls in OpenShift Container Platform, you can use the tuning CNI meta plugin in a network attachment definition. Configure the net.ipv4.conf.IFNAME.accept_redirects sysctl to enable accepting and sending ICMP-redirected packets.
Procedure
Create a network attachment definition, such as tuning-example.yaml, with the following content:

apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: <name>
  namespace: default
spec:
  config: '{
    "cniVersion": "0.4.0",
    "name": "<name>",
    "plugins": [{
       "type": "<main_CNI_plugin>"
      },
      {
       "type": "tuning",
       "sysctl": {
          "net.ipv4.conf.IFNAME.accept_redirects": "1"
       }
      }
    ]
  }'

where:
metadata.name - Specifies the name for the additional network attachment to create. The name must be unique within the specified namespace.
metadata.namespace - Specifies the namespace that the object is associated with.
spec.config.cniVersion - Specifies the CNI specification version.
spec.config.name - Specifies the name for the configuration. It is recommended to match the configuration name to the name value of the network attachment definition.
spec.config.plugins.type - Specifies the name of the main CNI plugin to configure.
spec.config.plugins.tuning.sysctl - Specifies the sysctl to set. The interface name is represented by the IFNAME token and is replaced with the actual name of the interface at runtime.
Example network attachment definition

apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: tuningnad
  namespace: default
spec:
  config: '{
    "cniVersion": "0.4.0",
    "name": "tuningnad",
    "plugins": [{
       "type": "bridge"
      },
      {
       "type": "tuning",
       "sysctl": {
          "net.ipv4.conf.IFNAME.accept_redirects": "1"
       }
      }
    ]
  }'

Apply the YAML by running the following command:
$ oc apply -f tuning-example.yaml

Example output

networkattachmentdefinition.k8s.cni.cncf.io/tuningnad created

Create a pod such as examplepod.yaml with the network attachment definition similar to the following:

apiVersion: v1
kind: Pod
metadata:
  name: tunepod
  namespace: default
  annotations:
    k8s.v1.cni.cncf.io/networks: tuningnad
spec:
  containers:
  - name: podexample
    image: centos
    command: ["/bin/bash", "-c", "sleep INF"]
    securityContext:
      runAsUser: 2000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

where:
metadata.annotations.k8s.v1.cni.cncf.io/networks - Specifies the name of the configured NetworkAttachmentDefinition.
spec.containers.securityContext.runAsUser - Specifies which user ID the container is run with.
spec.containers.securityContext.runAsGroup - Specifies which primary group ID the container is run with.
spec.containers.securityContext.allowPrivilegeEscalation - Specifies if a pod can request to allow privilege escalation. If unspecified, it defaults to true. This boolean directly controls whether the no_new_privs flag gets set on the container process.
spec.containers.securityContext.capabilities - Specifies privileged actions without giving full root access. This policy ensures all capabilities are dropped from the pod.
spec.securityContext.runAsNonRoot: true - Specifies that the container will run with a user with any UID other than 0.
spec.securityContext.seccompProfile - Specifies the default seccomp profile for a pod or container workload.
Apply the YAML by running the following command:

$ oc apply -f examplepod.yaml

Verify that the pod is created by running the following command:

$ oc get pod

Example output

NAME      READY   STATUS    RESTARTS   AGE
tunepod   1/1     Running   0          47s

Log in to the pod by running the following command:

$ oc rsh tunepod

Verify the values of the configured sysctl flags. For example, find the value of net.ipv4.conf.net1.accept_redirects by running the following command:

sh-4.4# sysctl net.ipv4.conf.net1.accept_redirects

Expected output

net.ipv4.conf.net1.accept_redirects = 1
1.2. Enabling all-multicast mode by using the tuning CNI
To enable all-multicast mode on network interfaces in OpenShift Container Platform, you can use the tuning Container Network Interface (CNI) meta plugin in a network attachment definition. When enabled, the interface receives all multicast packets on the network.
Procedure
Create a network attachment definition, such as tuning-example.yaml, with the following content:

apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: <name>
  namespace: default
spec:
  config: '{
    "cniVersion": "0.4.0",
    "name": "<name>",
    "plugins": [{
       "type": "<main_CNI_plugin>"
      },
      {
       "type": "tuning",
       "allmulti": true
      }
    ]
  }'

where:
<name> - Specifies the name for the additional network attachment to create. The name must be unique within the specified namespace.
default - Specifies the namespace that the object is associated with.
"0.4.0" - Specifies the CNI specification version.
"<name>" - Specifies the name for the configuration. Match the configuration name to the name value of the network attachment definition.
"<main_CNI_plugin>" - Specifies the name of the main CNI plugin to configure.
"tuning" - Specifies the name of the CNI meta plugin.
true - Specifies the all-multicast mode of the interface. If enabled, all multicast packets on the network are received by the interface.
Example network attachment definition

apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: setallmulti
  namespace: default
spec:
  config: '{
    "cniVersion": "0.4.0",
    "name": "setallmulti",
    "plugins": [
      {
        "type": "bridge"
      },
      {
        "type": "tuning",
        "allmulti": true
      }
    ]
  }'

Apply the settings specified in the YAML file by running the following command:
$ oc apply -f tuning-allmulti.yaml

Example output

networkattachmentdefinition.k8s.cni.cncf.io/setallmulti created

Create a pod with a network attachment definition similar to that specified in the following examplepod.yaml sample file:

apiVersion: v1
kind: Pod
metadata:
  name: allmultipod
  namespace: default
  annotations:
    k8s.v1.cni.cncf.io/networks: setallmulti
spec:
  containers:
  - name: podexample
    image: centos
    command: ["/bin/bash", "-c", "sleep INF"]
    securityContext:
      runAsUser: 2000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

where:
metadata.annotations.k8s.v1.cni.cncf.io/networks - Specifies the name of the configured NetworkAttachmentDefinition.
spec.containers.securityContext.runAsUser - Specifies which user ID the container is run with.
spec.containers.securityContext.runAsGroup - Specifies which primary group ID the container is run with.
spec.containers.securityContext.allowPrivilegeEscalation - Specifies if a pod can request to allow privilege escalation. If unspecified, it defaults to true. This boolean directly controls whether the no_new_privs flag gets set on the container process.
spec.containers.securityContext.capabilities - Specifies privileged actions without giving full root access. This policy ensures all capabilities are dropped from the pod.
spec.securityContext.runAsNonRoot: true - Specifies that the container will run with a user with any UID other than 0.
spec.securityContext.seccompProfile - Specifies the default seccomp profile for a pod or container workload.
Apply the settings specified in the YAML file by running the following command:

$ oc apply -f examplepod.yaml

Verify that the pod is created by running the following command:

$ oc get pod

Example output

NAME          READY   STATUS    RESTARTS   AGE
allmultipod   1/1     Running   0          23s

Log in to the pod by running the following command:

$ oc rsh allmultipod

List all the interfaces associated with the pod by running the following command:

sh-4.4# ip link

Example output

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8901 qdisc noqueue state UP mode DEFAULT group default
    link/ether 0a:58:0a:83:00:10 brd ff:ff:ff:ff:ff:ff link-netnsid 0
3: net1@if24: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:9b:66:a4:ec:1d brd ff:ff:ff:ff:ff:ff link-netnsid 0

where:
eth0@if22 - Specifies the primary interface.
net1@if24 - Specifies the secondary interface configured with the network attachment definition that supports the all-multicast mode (ALLMULTI flag).
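The spec.config field in both procedures above (the sysctl chain in 1.1 and the allmulti chain in 1.2) is a JSON document embedded in a YAML string, which is easy to get subtly wrong before it reaches the cluster. The following validator is an added example, not part of the OpenShift documentation or the tuning plugin: it parses the config string, confirms that tuning follows a main plugin in the chain, and flags any sysctl key that is not interface-scoped through the IFNAME token. The IFACE_SYSCTL pattern is an assumption made for this example, not the platform's actual allowlist.

```python
import json
import re

# Assumed pattern for interface-scoped sysctls: the IFNAME token must be the
# interface component, so the setting is bound to the pod's own attached
# interface rather than a node-wide key. Not OpenShift's real allowlist.
IFACE_SYSCTL = re.compile(r"^net\.(ipv4|ipv6)\.(conf|neigh)\.IFNAME\.[A-Za-z0-9_]+$")


def validate_tuning_config(config: str) -> list:
    """Return findings for a NetworkAttachmentDefinition spec.config string.

    An empty list means the tuning chain is well-formed under the checks here.
    """
    findings = []
    try:
        cfg = json.loads(config)
    except json.JSONDecodeError as exc:
        # An extra or missing brace in the embedded JSON fails here, before apply.
        return [f"config is not valid JSON: {exc.msg} at offset {exc.pos}"]
    plugins = cfg.get("plugins")
    if not isinstance(plugins, list) or not plugins:
        return ["config has no plugins chain"]
    if plugins[0].get("type") == "tuning":
        findings.append("tuning must follow a main CNI plugin, not lead the chain")
    tuning = [p for p in plugins if p.get("type") == "tuning"]
    if not tuning:
        findings.append("no tuning plugin in chain")
    for plugin in tuning:
        for key, value in plugin.get("sysctl", {}).items():
            if not IFACE_SYSCTL.match(key):
                findings.append(f"sysctl {key!r} is not interface-scoped (no IFNAME token)")
            if not isinstance(value, str):
                findings.append(f"sysctl {key!r} value must be a string, got {type(value).__name__}")
        if "allmulti" in plugin and not isinstance(plugin["allmulti"], bool):
            findings.append("allmulti must be a JSON boolean")
    return findings


if __name__ == "__main__":
    # Constructed sample: the tuningnad config from the procedure above.
    sample = ('{ "cniVersion": "0.4.0", "name": "tuningnad", "plugins": [{ "type": "bridge" }, '
              '{ "type": "tuning", "sysctl": { "net.ipv4.conf.IFNAME.accept_redirects": "1" } } ] }')
    print(validate_tuning_config(sample) or "tuningnad config: OK")
```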