Chapter 4. Using the SR-IOV Network Operator
When you run network-intensive workloads on MicroShift, you need a simplified and declarative method to configure and access high-performance networking interfaces. You can optionally install the SR-IOV Network Operator so that you can expose SR-IOV devices as resources and use NetworkAttachmentDefinitions to access Virtual Functions (VFs).
4.1. Understanding the SR-IOV Network Operator
SR-IOV (Single Root I/O Virtualization) is a specification that allows a single physical Peripheral Component Interconnect Express (PCIe) device that supports SR-IOV, the Physical Function (PF), to appear as multiple separate physical devices known as Virtual Functions (VFs). You can directly assign VFs to pods, which bypasses the host operating system network stack, improves throughput, and reduces latency for network-intensive workloads.
The integration of the SR-IOV Network Operator and CNI provider into MicroShift enables declarative access to VFs. As a result, you can expose supported SR-IOV devices as specialized resources within your MicroShift pod for more predictable high-speed networking for demanding workloads. The deployed SR-IOV resources operate in the sriov-network-operator namespace.
You do not need to manually configure SR-IOV through the operating system. You can also treat VFs as resources that can be reliably mapped to your containerized applications. These resources reduce manual error and ensure consistent, low-latency networking for critical applications.
Here are the components of SR-IOV functionality:
- SR-IOV Network Operator: The SR-IOV Network Operator is a Kubernetes component that detects and manages SR-IOV devices. This component exposes the SR-IOV devices as schedulable resources within MicroShift.
- SR-IOV CNI Provider: This Container Network Interface (CNI) provider works with Multus to assign the exposed VFs to the application pods.
- Virtual Functions (VFs): VFs are lightweight PCIe functions exposed by the PF that are assigned to pods.
- NetworkAttachmentDefinitions: NetworkAttachmentDefinitions are custom resources (CRs) that define the specific network configuration so that application developers can specify the VFs they need access to. NetworkAttachmentDefinitions provide the declarative method for accessing VFs.
4.2. Installing the SR-IOV Network Operator
Install the necessary SR-IOV components to enable MicroShift to discover SR-IOV devices and expose them as resources for scheduling.
Prerequisites
- You have the required RPM package containing the SR-IOV Network Operator.
Procedure
- If provided as an optional RPM, install the required microshift-sriov RPM package.
- Restart the MicroShift service to deploy the SR-IOV resources in the sriov-network-operator namespace.
- To specify the required VF configuration based on the available hardware, create an SriovNetworkNodePolicy custom resource (CR). For example, save the following YAML as the file policyoneflag-sriov-node-network.yaml:

  ```yaml
  apiVersion: sriovnetwork.openshift.io/v1
  kind: SriovNetworkNodePolicy
  metadata:
    name: policyoneflag
    namespace: sriov-network-operator
  spec:
    resourceName: policyoneflag
    nodeSelector:
      node.kubernetes.io/instance-type: rhde
    priority: 10
    numVfs: 5
    nicSelector:
      pfNames: ["ens5"]
    deviceType: "netdevice"
    isRdma: false
  ```

  - The metadata.name parameter specifies the name for the custom resource object.
  - The metadata.namespace parameter specifies the namespace where the SR-IOV Network Operator is installed.
  - The spec.resourceName parameter specifies the resource name of the SR-IOV network device plugin. You can create multiple SR-IOV network node policies for a resource name.
  - (Optional) The spec.priority parameter specifies a priority value. The priority is an integer value between 0 and 99. A smaller value receives higher priority. For example, a priority of 10 is a higher priority than 99. The default value is 99.
  - The spec.numVfs parameter specifies the number of the virtual functions (VFs) to create for the SR-IOV physical network device. For an Intel network interface controller (NIC), the number of VFs cannot be larger than the total VFs supported by the device. For a Mellanox NIC, the number of VFs cannot be larger than 127.
  - The spec.nicSelector parameter identifies the device for the Operator to configure. You do not have to specify values for all the parameters. It is recommended to identify the network device with enough precision to avoid selecting a device unintentionally. If you specify rootDevices, you must also specify a value for vendor, deviceID, or pfNames. If you specify both pfNames and rootDevices at the same time, ensure that they refer to the same device. If you specify a value for netFilter, then you do not need to specify any other parameter because a network ID is unique.
  - (Optional) The spec.nicSelector.pfNames parameter specifies an array of one or more physical function (PF) names for the device.
  - (Optional) The spec.deviceType parameter specifies the driver type for the virtual functions. The only allowed value is netdevice.
  - (Optional) The spec.isRdma parameter configures whether to enable remote direct memory access (RDMA) mode. The default value is false. If the spec.isRdma parameter is set to true, you can continue to use the RDMA-enabled VF as a normal network device. A device can be used in either mode. To configure a Mellanox NIC for use with Fast Datapath DPDK applications, set spec.isRdma to true and additionally set the needVhostNet parameter to true.

  Note: The vfio-pci driver type is not supported.
- Create the SriovNetworkNodePolicy object by entering the following command:

  ```console
  $ oc create -f policyoneflag-sriov-node-network.yaml
  ```

  After applying the configuration update, the workload contains the required resources and dependencies for VF access.
- To verify that the SR-IOV network device is configured, enter the following command. Replace <node_name> with the name of a node with the SR-IOV network device that you just configured. Expected output shows Succeeded.

  ```console
  $ oc get sriovnetworknodestates -n sriov-network-operator <node_name> -o jsonpath='{.status.syncStatus}'
  ```

- Deploy an SriovNetwork custom resource (CR) which references the SriovNetworkNodePolicy CR and insert the metaPlugins configuration, as in the following example CR. The Operator generates a NetworkAttachmentDefinition CR and the VFs become available to the pods. Save the YAML as the file sriov-network-interface-sysctl.yaml.

  ```yaml
  apiVersion: sriovnetwork.openshift.io/v1
  kind: SriovNetwork
  metadata:
    name: onevalidflag
    namespace: sriov-network-operator
  spec:
    resourceName: policyoneflag
    networkNamespace: sysctl-tuning-test
    ipam: '{ "type": "static" }'
    capabilities: '{ "mac": true, "ips": true }'
    metaPlugins: |
      {
        "type": "tuning",
        "capabilities":{
          "mac":true
        },
        "sysctl":{
          "net.ipv4.conf.IFNAME.accept_redirects": "1"
        }
      }
  ```

  - The metadata.name parameter specifies the name for the object. The SR-IOV Network Operator creates a NetworkAttachmentDefinition object with the same name.
  - The metadata.namespace parameter specifies the namespace where the SR-IOV Network Operator is installed.
  - The spec.resourceName parameter displays the value from the SriovNetworkNodePolicy object that defines the SR-IOV hardware for this additional network.
  - The spec.networkNamespace parameter specifies the target namespace for the SriovNetwork object. Only pods in the target namespace can attach to the additional network.
  - The spec.ipam parameter specifies a configuration object for the IPAM CNI plugin as a YAML block scalar. The plugin manages IP address assignment for the attachment definition.
  - (Optional) The spec.capabilities parameter sets capabilities for the additional network. You can specify '{ "ips": true }' to enable IP address support or '{ "mac": true }' to enable MAC address support.
  - (Optional) The spec.metaPlugins parameter is used to add additional capabilities to the device. In this use case, set the type field to tuning. Specify the interface-level network sysctl you want to set in the sysctl field.
- Create the SriovNetwork resource by entering the following command:

  ```console
  $ oc create -f sriov-network-interface-sysctl.yaml
  ```
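The constraints listed for the SriovNetworkNodePolicy parameters can be checked before the CR is created. The following is an added example, not Red Hat code: it lints a policy (given as the dict a YAML parser would produce) against the rules stated in the procedure. The function name lint_policy, the vendor hint parameter, the sample policies, and the "does not pin a specific device" heuristic are assumptions made for this example.

```python
# Added example (not Red Hat code): offline lint of a SriovNetworkNodePolicy
# against the constraints listed in the procedure above.
MELLANOX_VENDOR = "15b3"  # PCI vendor ID of the Nvidia_mlx5 entries in supported-nic-ids

def lint_policy(policy, vendor=None):
    """Return a list of findings; an empty list means no rule from the text is violated."""
    spec = policy.get("spec", {})
    sel = spec.get("nicSelector") or {}
    vendor = vendor or sel.get("vendor")
    out = []

    prio = spec.get("priority", 99)  # the default value is 99
    if isinstance(prio, bool) or not isinstance(prio, int) or not 0 <= prio <= 99:
        out.append("priority must be an integer between 0 and 99")

    vfs = spec.get("numVfs")
    if isinstance(vfs, bool) or not isinstance(vfs, int):
        out.append("numVfs must be an integer")
    elif vendor == MELLANOX_VENDOR and vfs > 127:
        out.append("numVfs cannot be larger than 127 on a Mellanox NIC")

    if spec.get("deviceType", "netdevice") != "netdevice":
        out.append("deviceType must be netdevice (vfio-pci is not supported)")

    if sel.get("rootDevices") and not (
            sel.get("vendor") or sel.get("deviceID") or sel.get("pfNames")):
        out.append("rootDevices also needs vendor, deviceID, or pfNames")

    # Heuristic added for this example, following the advice to select precisely:
    # without pfNames, rootDevices, or netFilter a selector can match several ports.
    if not (sel.get("pfNames") or sel.get("rootDevices") or sel.get("netFilter")):
        out.append("nicSelector does not pin a specific device")
    return out

# The policy from this page, reduced to its spec.
PAGE_POLICY = {"spec": {"resourceName": "policyoneflag", "priority": 10, "numVfs": 5,
                        "nicSelector": {"pfNames": ["ens5"]},
                        "deviceType": "netdevice", "isRdma": False}}

# Constructed counter-example that breaks several rules at once.
BAD_POLICY = {"spec": {"resourceName": "bad", "priority": 100, "numVfs": 128,
                       "nicSelector": {"vendor": "15b3"}, "deviceType": "vfio-pci"}}

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(pol) or "ok")
```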
Verification
- Confirm that the SR-IOV Network Operator created the NetworkAttachmentDefinition CR by running the following command:

  ```console
  $ oc get network-attachment-definitions -n <namespace>
  ```

  Replace <namespace> with the value for the networkNamespace parameter that you specified in the SriovNetwork object, for example, sysctl-tuning-test. The expected output shows the name of the NAD CRD and the creation age in minutes.

  Note: There might be a delay before the SR-IOV Network Operator creates the CR.
- Verify that the tuning CNI is correctly configured and the additional SR-IOV network is attached:

  - Create a Pod CR. Save the following YAML as the file examplepod.yaml:

    ```yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: tunepod
      namespace: sysctl-tuning-test
      annotations:
        k8s.v1.cni.cncf.io/networks: |-
          [
            {
              "name": "onevalidflag",
              "mac": "0a:56:0a:83:04:0c",
              "ips": ["10.100.100.200/24"]
            }
          ]
    spec:
      containers:
      - name: podexample
        image: centos
        command: ["/bin/bash", "-c", "sleep INF"]
        securityContext:
          runAsUser: 2000
          runAsGroup: 3000
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    ```

    - The annotations.name parameter specifies the name of the SR-IOV network attachment definition CR.
    - (Optional) The annotations.mac parameter specifies the MAC address for the SR-IOV device that is allocated from the resource type defined in the SR-IOV network attachment definition CR. To use this feature, you also must specify { "mac": true } in the SriovNetwork object.
    - (Optional) The annotations.ips parameter specifies the IP addresses for the SR-IOV device that are allocated from the resource type defined in the SR-IOV network attachment definition CR. Both IPv4 and IPv6 addresses are supported. To use this feature, you also must specify { "ips": true } in the SriovNetwork object.

  - Create the Pod CR by entering the following command:

    ```console
    $ oc apply -f examplepod.yaml
    ```

  - Verify that the pod is created by running the following command:

    ```console
    $ oc get pod -n sysctl-tuning-test
    ```

    Example output:

    ```console
    NAME      READY   STATUS    RESTARTS   AGE
    tunepod   1/1     Running   0          47s
    ```

  - Log in to the pod by running the following command:

    ```console
    $ oc rsh -n sysctl-tuning-test tunepod
    ```

  - Verify the values of the configured sysctl flag. Find the value of net.ipv4.conf.IFNAME.accept_redirects by running the following command:

    ```console
    $ sysctl net.ipv4.conf.net1.accept_redirects
    ```
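The verification above depends on three rules from this page: only pods in networkNamespace can attach, the mac and ips annotation fields need the matching capability in the SriovNetwork object, and IFNAME in the sysctl key becomes the interface name inside the pod. The following is an added example, not Red Hat code, that checks those rules offline and returns the sysctl names and values to compare with the sysctl output in the pod. It assumes the JSON-list form of the annotation, a single metaPlugins object as on this page, and Multus default interface naming; check_attachment and the sample objects are names made up for this example.

```python
# Added example (not Red Hat code): cross-check a Pod network annotation against
# the SriovNetwork it names, and derive the sysctls to expect inside the pod.
import json

NETWORKS_KEY = "k8s.v1.cni.cncf.io/networks"

def check_attachment(pod, net):
    """Return (findings, sysctls) for one Pod and one SriovNetwork, both as dicts."""
    spec, meta = net["spec"], pod["metadata"]
    caps = json.loads(spec.get("capabilities") or "{}")
    plugin = json.loads(spec.get("metaPlugins") or "{}")
    findings, sysctls, matched = [], {}, False
    if meta.get("namespace") != spec["networkNamespace"]:
        findings.append("pod is outside networkNamespace and cannot attach")
    # Assumes the JSON-list form of the annotation, as used on this page.
    refs = json.loads(meta.get("annotations", {}).get(NETWORKS_KEY, "[]"))
    for idx, ref in enumerate(refs, start=1):
        if ref.get("name") != net["metadata"]["name"]:
            continue
        matched = True
        for field in ("mac", "ips"):
            if field in ref and caps.get(field) is not True:
                findings.append(f"annotation sets {field} but capabilities does not enable it")
        # Assumption: Multus names attachments net1, net2, ... unless "interface" is set.
        ifname = ref.get("interface", f"net{idx}")
        for key, val in plugin.get("sysctl", {}).items():
            sysctls[key.replace("IFNAME", ifname)] = val
    if not matched:
        findings.append("annotation does not reference this SriovNetwork")
    return findings, sysctls

# Objects from this page, reduced to the fields the checks read.
PAGE_NET = {"metadata": {"name": "onevalidflag"}, "spec": {
    "networkNamespace": "sysctl-tuning-test",
    "capabilities": '{ "mac": true, "ips": true }',
    "metaPlugins": '{"type": "tuning", "capabilities": {"mac": true}, '
                   '"sysctl": {"net.ipv4.conf.IFNAME.accept_redirects": "1"}}'}}
PAGE_POD = {"metadata": {"name": "tunepod", "namespace": "sysctl-tuning-test",
    "annotations": {NETWORKS_KEY: '[{"name": "onevalidflag", '
        '"mac": "0a:56:0a:83:04:0c", "ips": ["10.100.100.200/24"]}]'}}}

# Constructed failure case: wrong namespace, and a network without the mac capability.
BAD_POD = {"metadata": {**PAGE_POD["metadata"], "namespace": "default"}}
BAD_NET = {**PAGE_NET, "spec": {**PAGE_NET["spec"], "capabilities": '{ "ips": true }'}}

if __name__ == "__main__":
    print(check_attachment(PAGE_POD, PAGE_NET))
    print(check_attachment(BAD_POD, BAD_NET))
```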
4.3. SR-IOV Network Operator supported devices
The config.yaml file lists the supported network devices for the SR-IOV Network Operator.
SR-IOV Network Operator configuration file
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: supported-nic-ids
data:
  Intel_i40e_XXV710: "8086 158a 154c"
  Intel_i40e_25G_SFP28: "8086 158b 154c"
  Intel_i40e_10G_X710_SFP: "8086 1572 154c"
  Intel_ixgbe_10G_X550: "8086 1563 1565"
  Intel_ixgbe_82576: "8086 10c9 10ca"
  Intel_i40e_X710_X557_AT_10G: "8086 1589 154c"
  Intel_i40e_10G_X710_BACKPLANE: "8086 1581 154c"
  Intel_i40e_10G_X710_BASE_T: "8086 15ff 154c"
  Intel_i40e_XXV710_N3000: "8086 0d58 154c"
  Intel_i40e_40G_XL710_QSFP: "8086 1583 154c"
  Intel_ice_Columbiaville_E810-CQDA2_2CQDA2: "8086 1592 1889"
  Intel_ice_Columbiaville_E810-XXVDA4: "8086 1593 1889"
  Intel_ice_Columbiaville_E810-XXVDA2: "8086 159b 1889"
  Intel_ice_Columbiaville_E810-XXV_BACKPLANE: "8086 1599 1889"
  Intel_ice_Columbiaville_E810: "8086 1591 1889"
  Intel_ice_Columbiapark_E823C: "8086 188a 1889"
  Intel_ice_Columbiapark_E823L_SFP: "8086 124d 1889"
  Intel_ice_Columbiapark_E823L_BACKPLANE: "8086 124c 1889"
  Intel_ice_Columbiapark_E825C_BACKPLANE: "8086 579c 1889"
  Intel_ice_Columbiapark_E825C_QSFP: "8086 579d 1889"
  Intel_ice_Columbiapark_E825C_SFP: "8086 579e 1889"
  Intel_ice_Connorsville_E830_QSFP: "8086 12d2 1889"
  Intel_ice_Connorsville_E830_SFP: "8086 12d3 1889"
  Intel_ice_Connorsville_E835CC_QSFP: "8086 1249 1889"
  Intel_ice_Connorsville_E835CC_SFP: "8086 124a 1889"
  Nvidia_mlx5_ConnectX-4: "15b3 1013 1014"
  Nvidia_mlx5_ConnectX-4LX: "15b3 1015 1016"
  Nvidia_mlx5_ConnectX-5: "15b3 1017 1018"
  Nvidia_mlx5_ConnectX-5_Ex: "15b3 1019 101a"
  Nvidia_mlx5_ConnectX-6: "15b3 101b 101c"
  Nvidia_mlx5_ConnectX-6_Dx: "15b3 101d 101e"
  Nvidia_mlx5_ConnectX-6_Lx: "15b3 101f 101e"
  Nvidia_mlx5_ConnectX-7: "15b3 1021 101e"
  Nvidia_mlx5_ConnectX-8: "15b3 1023 101e"
  Nvidia_mlx5_MT42822_BlueField-2_integrated_ConnectX-6_Dx: "15b3 a2d6 101e"
  Nvidia_mlx5_MT43244_BlueField-3_integrated_ConnectX-7_Dx: "15b3 a2dc 101e"
  Broadcom_bnxt_BCM57414_2x25G: "14e4 16d7 16dc"
  Broadcom_bnxt_BCM75508_2x100G: "14e4 1750 1806"
  Qlogic_qede_QL45000_50G: "1077 1654 1664"
  Red_Hat_Virtio_network_device: "1af4 1000 1000"
  Red_Hat_Virtio_1_0_network_device: "1af4 1041 1041"
  Marvell_OCTEON_TX2_CN96XX: "177d b200 b203"
  Marvell_OCTEON_TX2_CN98XX: "177d b100 b103"
  Marvell_OCTEON_Fusion_CNF95XX: "177d b600 b603"
  Marvell_OCTEON10_CN10XXX: "177d b900 b903"
  Marvell_OCTEON_Fusion_CNF105XX: "177d ba00 ba03"
  Amazon_Elastic_Network_Adapter: "1d0f ec20 ec20"
```
For the most up-to-date list of supported cards and compatible Red Hat build of MicroShift versions, see the OpenShift Single Root I/O Virtualization (SR-IOV) and PTP hardware networks Support Matrix.