
Chapter 1. Configuring system controls and interface attributes using the tuning plugin


To modify kernel parameters and interface attributes at runtime in OpenShift Container Platform, you can use the tuning Container Network Interface (CNI) meta plugin. The plugin operates in a chain with a main CNI plugin and allows you to change sysctls and interface attributes such as promiscuous mode, all-multicast mode, MTU, and MAC address.

1.1. Configuring system controls by using the tuning CNI

To configure interface-level network sysctls in OpenShift Container Platform, you can use the tuning CNI meta plugin in a network attachment definition. This procedure sets the net.ipv4.conf.IFNAME.accept_redirects sysctl, which controls whether the interface accepts ICMP redirect messages (sending redirects is governed by the separate send_redirects sysctl). The plugin chain applies the sysctl inside the pod's network namespace while the pod's network is being set up, so the pod itself needs no CAP_NET_ADMIN or other privilege; the example pod below runs as a non-root user with every capability dropped and still shows the new value. Accepting ICMP redirects lets any host on the same segment alter the pod's routes, and most hardening baselines set it to 0; the value 1 is used here only because it makes the change easy to observe.

Procedure

  1. Create a network attachment definition, such as tuning-example.yaml, with the following content:

    apiVersion: "k8s.cni.cncf.io/v1"
    kind: NetworkAttachmentDefinition
    metadata:
      name: <name>
      namespace: default
    spec:
      config: '{
        "cniVersion": "0.4.0",
        "name": "<name>",
        "plugins": [{
           "type": "<main_CNI_plugin>"
          },
          {
           "type": "tuning",
           "sysctl": {
                "net.ipv4.conf.IFNAME.accept_redirects": "1"
            }
          }
         ]
    }'

    where:

    name
    Specifies the name for the additional network attachment to create. The name must be unique within the specified namespace.
    namespace
    Specifies the namespace that the object is associated with.
    cniVersion
    Specifies the CNI specification version.
    name
    Specifies the name for the configuration. It is recommended to match the configuration name to the name value of the network attachment definition.
    main_CNI_plugin
    Specifies the name of the main CNI plugin to configure.
    tuning
    Specifies the name of the CNI meta plugin.
    sysctl
    Specifies the sysctl to set. The interface name is represented by the IFNAME token and is replaced with the actual name of the interface at runtime.

    Example network attachment definition

    apiVersion: "k8s.cni.cncf.io/v1"
    kind: NetworkAttachmentDefinition
    metadata:
      name: tuningnad
      namespace: default
    spec:
      config: '{
        "cniVersion": "0.4.0",
        "name": "tuningnad",
        "plugins": [{
          "type": "bridge"
          },
          {
          "type": "tuning",
          "sysctl": {
             "net.ipv4.conf.IFNAME.accept_redirects": "1"
            }
        }
      ]
    }'

  2. Apply the YAML by running the following command:

    $ oc apply -f tuning-example.yaml

    Example output

    networkattachmentdefinition.k8s.cni.cncf.io/tuningnad created

  3. Create a pod such as examplepod.yaml with the network attachment definition similar to the following:

    apiVersion: v1
    kind: Pod
    metadata:
      name: tunepod
      namespace: default
      annotations:
        k8s.v1.cni.cncf.io/networks: tuningnad
    spec:
      containers:
      - name: podexample
        image: centos
        command: ["/bin/bash", "-c", "sleep INF"]
        securityContext:
          runAsUser: 2000
          runAsGroup: 3000
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault

    where:

    k8s.v1.cni.cncf.io/networks
    Specifies the name of the configured NetworkAttachmentDefinition.
    runAsUser
    Specifies which user ID the container is run with.
    runAsGroup
    Specifies which primary group ID the container is run with.
    allowPrivilegeEscalation
    Specifies whether a process can gain more privileges than its parent process. If unspecified, it defaults to true. Setting it to false sets the no_new_privs flag on the container process, so setuid binaries and file capabilities cannot raise privileges.
    capabilities
    Specifies Linux capabilities, which grant individual privileged actions without full root access. Dropping ALL removes every capability from the container; the sysctl is still applied because the CNI plugin chain sets it during network setup, not the container.
    runAsNonRoot: true
    Specifies that the container must run as a user with a UID other than 0; the kubelet refuses to start the container otherwise.
    seccompProfile
    Specifies the seccomp profile for the pod or container. RuntimeDefault applies the container runtime's default system call filter.
  4. Apply the yaml by running the following command:

    $ oc apply -f examplepod.yaml
  5. Verify that the pod is created by running the following command:

    $ oc get pod

    Example output

    NAME      READY   STATUS    RESTARTS   AGE
    tunepod   1/1     Running   0          47s

  6. Log in to the pod by running the following command:

    $ oc rsh tunepod
  7. Verify the value of the configured sysctl on the secondary interface. The first additional network attachment appears in the pod as net1, so query net.ipv4.conf.net1.accept_redirects by running the following command:

    sh-4.4# sysctl net.ipv4.conf.net1.accept_redirects

    Expected output

    net.ipv4.conf.net1.accept_redirects = 1
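Before applying a tuning network attachment definition, it helps to validate the chained configuration offline and to know what the in-pod verification should print. The following Python script is an added example and is not code from the OpenShift documentation or from the tuning plugin itself. It parses the spec.config JSON string of the tuningnad example above, checks that the main plugin precedes the tuning plugin in the chain, substitutes the IFNAME token with net1 (the name the page shows for the first additional attachment) the way the plugin does at runtime, renders the sysctl line step 7 should print, and flags sysctls that hardening baselines normally keep disabled. The list of risky sysctls is this example's own choice, not an OpenShift policy.

```python
"""Offline checks for a tuning-CNI NetworkAttachmentDefinition (added example)."""
import json

# The spec.config value from the tuningnad example, copied as a JSON string.
TUNINGNAD_CONFIG = '''{
    "cniVersion": "0.4.0",
    "name": "tuningnad",
    "plugins": [{
      "type": "bridge"
      },
      {
      "type": "tuning",
      "sysctl": {
         "net.ipv4.conf.IFNAME.accept_redirects": "1"
        }
    }
  ]
}'''

# Tuning fields the chapter names: sysctl plus the interface attributes.
TUNING_KEYS = {"sysctl", "promisc", "allmulti", "mtu", "mac"}

# Per-interface sysctls that hardening baselines usually want at 0.
# Assumption: this list is the example's own, not an OpenShift policy.
RISKY_WHEN_ENABLED = {"accept_redirects", "accept_source_route", "send_redirects"}


def parse_config(config_text):
    """Decode spec.config and require a chained ("plugins") configuration."""
    cfg = json.loads(config_text)
    if not isinstance(cfg.get("plugins"), list):
        raise ValueError("tuning is a meta plugin: config needs a 'plugins' chain")
    return cfg


def validate_chain(cfg):
    """Return (main_plugin_type, tuning_plugin) or raise if the chain is wrong.

    The main plugin must come first so the interface exists when tuning runs,
    and the single tuning entry must set at least one attribute.
    """
    plugins = cfg["plugins"]
    if not plugins or plugins[0].get("type") == "tuning":
        raise ValueError("first plugin must be the main CNI plugin, not tuning")
    tuning = [p for p in plugins if p.get("type") == "tuning"]
    if len(tuning) != 1:
        raise ValueError("expected exactly one tuning plugin in the chain")
    if not (TUNING_KEYS & set(tuning[0])):
        raise ValueError("tuning plugin sets nothing")
    return plugins[0]["type"], tuning[0]


def chain_is_valid(config_text):
    """Boolean wrapper for CI use: True when the config passes validate_chain."""
    try:
        validate_chain(parse_config(config_text))
        return True
    except ValueError:
        return False


def expected_sysctls(cfg, ifname):
    """Substitute IFNAME with the runtime interface name.

    Only interface-scoped keys (those containing IFNAME) are accepted, which
    is the scope the chapter uses the tuning plugin for.
    """
    _, tuning = validate_chain(cfg)
    out = {}
    for key, value in tuning.get("sysctl", {}).items():
        if "IFNAME" not in key:
            raise ValueError(f"{key}: not interface-scoped (no IFNAME token)")
        out[key.replace("IFNAME", ifname)] = str(value)
    return out


def verification_lines(cfg, ifname):
    """Render the lines that `sysctl <key>` prints inside the pod."""
    return [f"{k} = {v}" for k, v in expected_sysctls(cfg, ifname).items()]


def hardening_findings(cfg):
    """Flag sysctls a hardening baseline would normally keep disabled."""
    _, tuning = validate_chain(cfg)
    findings = []
    for key, value in tuning.get("sysctl", {}).items():
        leaf = key.rsplit(".", 1)[-1]
        if leaf in RISKY_WHEN_ENABLED and str(value) != "0":
            findings.append(f"{key}={value}: enabling {leaf} widens the attack surface")
    return findings


if __name__ == "__main__":
    cfg = parse_config(TUNINGNAD_CONFIG)
    print("chain:", validate_chain(cfg)[0], "-> tuning")
    for line in verification_lines(cfg, "net1"):
        print(line)
    for finding in hardening_findings(cfg):
        print("WARN", finding)
```

Run it against a definition before `oc apply`; a chain that starts with the tuning plugin, or a sysctl key without the IFNAME token, is rejected, and an enabled accept_redirects is reported as a finding rather than silently accepted.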

1.2. Enabling all-multicast mode by using the tuning CNI

To enable all-multicast mode on network interfaces in OpenShift Container Platform, you can use the tuning Container Network Interface (CNI) meta plugin in a network attachment definition. When enabled, the interface receives all multicast packets on the network.

Procedure

  1. Create a network attachment definition, such as tuning-allmulti.yaml, with the following content:

    apiVersion: "k8s.cni.cncf.io/v1"
    kind: NetworkAttachmentDefinition
    metadata:
      name: <name>
      namespace: default
    spec:
      config: '{
        "cniVersion": "0.4.0",
        "name": "<name>",
        "plugins": [{
           "type": "<main_CNI_plugin>"
          },
          {
           "type": "tuning",
           "allmulti": true
          }
         ]
    }'

    where:

    name
    Specifies the name for the additional network attachment to create. The name must be unique within the specified namespace.
    namespace
    Specifies the namespace that the object is associated with.
    cniVersion
    Specifies the CNI specification version.
    name
    Specifies the name for the configuration. Match the configuration name to the name value of the network attachment definition.
    main_CNI_plugin
    Specifies the name of the main CNI plugin to configure.
    tuning
    Specifies the name of the CNI meta plugin.
    allmulti
    Specifies the all-multicast mode of the interface. If enabled, the interface receives all multicast packets on the network, not only those for groups it has joined.

    Example network attachment definition

    apiVersion: "k8s.cni.cncf.io/v1"
    kind: NetworkAttachmentDefinition
    metadata:
      name: setallmulti
      namespace: default
    spec:
      config: '{
        "cniVersion": "0.4.0",
        "name": "setallmulti",
        "plugins": [
          {
            "type": "bridge"
          },
          {
            "type": "tuning",
            "allmulti": true
          }
        ]
      }'

  2. Apply the settings specified in the YAML file by running the following command:

    $ oc apply -f tuning-allmulti.yaml

    Example output

    networkattachmentdefinition.k8s.cni.cncf.io/setallmulti created

  3. Create a pod with a network attachment definition similar to that specified in the following examplepod.yaml sample file:

    apiVersion: v1
    kind: Pod
    metadata:
      name: allmultipod
      namespace: default
      annotations:
        k8s.v1.cni.cncf.io/networks: setallmulti
    spec:
      containers:
      - name: podexample
        image: centos
        command: ["/bin/bash", "-c", "sleep INF"]
        securityContext:
          runAsUser: 2000
          runAsGroup: 3000
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault

    where:

    k8s.v1.cni.cncf.io/networks
    Specifies the name of the configured NetworkAttachmentDefinition.
    runAsUser
    Specifies which user ID the container is run with.
    runAsGroup
    Specifies which primary group ID the container is run with.
    allowPrivilegeEscalation
    Specifies whether a process can gain more privileges than its parent process. If unspecified, it defaults to true. Setting it to false sets the no_new_privs flag on the container process, so setuid binaries and file capabilities cannot raise privileges.
    capabilities
    Specifies Linux capabilities, which grant individual privileged actions without full root access. Dropping ALL removes every capability from the container; all-multicast mode is still enabled because the CNI plugin chain sets it during network setup, not the container.
    runAsNonRoot: true
    Specifies that the container must run as a user with a UID other than 0; the kubelet refuses to start the container otherwise.
    seccompProfile
    Specifies the seccomp profile for the pod or container. RuntimeDefault applies the container runtime's default system call filter.
  4. Apply the settings specified in the YAML file by running the following command:

    $ oc apply -f examplepod.yaml
  5. Verify that the pod is created by running the following command:

    $ oc get pod

    Example output

    NAME          READY   STATUS    RESTARTS   AGE
    allmultipod   1/1     Running   0          23s

  6. Log in to the pod by running the following command:

    $ oc rsh allmultipod
  7. List all the interfaces associated with the pod by running the following command:

    sh-4.4# ip link

    Example output

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: eth0@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8901 qdisc noqueue state UP mode DEFAULT group default
        link/ether 0a:58:0a:83:00:10 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    3: net1@if24: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
        link/ether ee:9b:66:a4:ec:1d brd ff:ff:ff:ff:ff:ff link-netnsid 0

    where:

    eth0@if22
    The primary pod interface, attached by the default cluster network; it does not carry the ALLMULTI flag.
    net1@if24
    The secondary interface created from the setallmulti network attachment definition; the ALLMULTI flag shows that all-multicast mode is enabled.
© 2026 Red Hat