From 6cba2c73cf43b94c19caaef7e823044a7379c0c5 Mon Sep 17 00:00:00 2001 From: Aidan Reilly <74046732+aireilly@users.noreply.github.com> Date: Fri, 4 Mar 2022 15:44:18 +0000 Subject: [PATCH] adding kata node check features docs --- ...xed-containers-check-node-eligiblilty.adoc | 116 ++++++++++++++++++ ...ploying-sandboxed-container-workloads.adoc | 9 ++ 2 files changed, 125 insertions(+) create mode 100644 modules/sandboxed-containers-check-node-eligiblilty.adoc diff --git a/modules/sandboxed-containers-check-node-eligiblilty.adoc b/modules/sandboxed-containers-check-node-eligiblilty.adoc new file mode 100644 index 0000000000..b3e35d79e8 --- /dev/null +++ b/modules/sandboxed-containers-check-node-eligiblilty.adoc @@ -0,0 +1,116 @@ +// Module included in the following assemblies: +// +// * sandboxed_containers/deploying-sandboxed-container-workloads.adoc + +:_module-type: PROCEDURE +[id="sandboxed-containers-check-node-eligiblilty_{context}"] += Checking whether cluster nodes are eligible to run {sandboxed-containers-first} + +Before running {sandboxed-containers-first}, you can check whether the nodes in your cluster are eligible to run Kata containers. Some cluster nodes might not comply with sandboxed containers' minimum requirements. The most common reason for node ineligibility is the lack of virtualization support on the node. If you attempt to run sandboxed workloads on ineligible nodes, you will experience errors. You can use the Node Feature Discovery Operator (NFD) and a `NodeFeatureDiscovery` resource to automatically check node eligibility. + +[NOTE] +==== +If you want to install the Kata runtime on only selected worker nodes that you know are eligible, apply the `feature.node.kubernetes.io/runtime.kata=true` label to the selected nodes and set `checkNodeEligibility: true` in the `KataConfig` resource. + +Alternatively, to install the Kata runtime on all worker nodes, set `checkNodeEligibility: false` in the `KataConfig` resource. + +In both these scenarios, you do not need to create the `NodeFeatureDiscovery` resource. You should only apply the `feature.node.kubernetes.io/runtime.kata=true` label manually if you are sure that the node is eligible to run Kata containers. +==== + +The following procedure applies the `feature.node.kubernetes.io/runtime.kata=true` label to all eligible nodes and configures the `KataConfig` resource to check for node eligibility. + +.Prerequisites + +* Install the OpenShift CLI (`oc`). +* Log in as a user with `cluster-admin` privileges. +* Install the Node Feature Discovery (NFD) Operator. + +.Procedure + +. Create a `NodeFeatureDiscovery` resource to detect node capabilities suitable for running Kata containers: + +.. Save the following YAML in the `nfd.yaml` file: ++ +[source,yaml] +---- +apiVersion: nfd.openshift.io/v1 +kind: NodeFeatureDiscovery +metadata: + name: nfd-kata + namespace: openshift-nfd +spec: + operand: + namespace: openshift-nfd + image: quay.io/openshift/origin-node-feature-discovery:4.10 + imagePullPolicy: Always + servicePort: 12000 + workerConfig: + configData: | + sources: + custom: + - name: "feature.node.kubernetes.io/runtime.kata" + matchOn: + - cpuId: ["SSE4", "VMX"] + loadedKMod: ["kvm", "kvm_intel"] + - cpuId: ["SSE4", "SVM"] + loadedKMod: ["kvm", "kvm_amd"] +---- + +.. Create the `NodeFeatureDiscovery` custom resource (CR): ++ +[source,terminal] +---- +$ oc create -f nfd.yaml +---- ++ +.Example output +[source,terminal] +---- +nodefeaturediscovery.nfd.openshift.io/nfd-kata created +---- ++ +A `feature.node.kubernetes.io/runtime.kata=true` label is applied to all qualifying worker nodes. + +. Set the `checkNodeEligibility` field to `true` in the `KataConfig` resource to enable the feature, for example: + +.. Save the following YAML in the `kata-config.yaml` file: ++ +[source,yaml] +---- +apiVersion: kataconfiguration.openshift.io/v1 +kind: KataConfig +metadata: + name: example-kataconfig +spec: + checkNodeEligibility: true +---- + +.. Create the `KataConfig` CR: ++ +[source,terminal] +---- +$ oc create -f kata-config.yaml +---- ++ +.Example output +[source,terminal] +---- +kataconfig.kataconfiguration.openshift.io/example-kataconfig created +---- + +.Verification + +* Verify that qualifying nodes in the cluster have the correct label applied: ++ +[source,terminal] +---- +$ oc get nodes --selector='feature.node.kubernetes.io/runtime.kata=true' +---- ++ +.Example output +[source,terminal] +---- +NAME STATUS ROLES AGE VERSION +compute-3.example.com Ready worker 4h38m v1.23.3+e419edf +compute-2.example.com Ready worker 4h35m v1.23.3+e419edf +---- diff --git a/sandboxed_containers/deploying-sandboxed-container-workloads.adoc b/sandboxed_containers/deploying-sandboxed-container-workloads.adoc index ead7e17042..9cc8780768 100644 --- a/sandboxed_containers/deploying-sandboxed-container-workloads.adoc +++ b/sandboxed_containers/deploying-sandboxed-container-workloads.adoc @@ -14,6 +14,14 @@ include::modules/sandboxed-containers-preparing-openshift-cluster.adoc[leveloffs .Additional resources * xref:../installing/installing_bare_metal/installing-bare-metal.adoc#installing-bare-metal[Installing a user-provisioned cluster on bare metal] +include::modules/sandboxed-containers-check-node-eligiblilty.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* For more information about installing the Node Feature Discovery (NFD) Operator, see xref:../hardware_enablement/psap-node-feature-discovery-operator.adoc#installing-the-node-feature-discovery-operator_node-feature-discovery-operator[Installing NFD]. + +[id="deploying-sandboxed-containers-workloads-web-console"] == Deploying {sandboxed-containers-first} workloads using the web console You can deploy {sandboxed-containers-first} workloads from the web console. First, you must install the {sandboxed-containers-operator}, then create the `KataConfig` custom resource (CR). Once you are ready to deploy a workload in a sandboxed container, you must manually add `kata` as the `runtimeClassName` to the workload YAML file. @@ -23,6 +31,7 @@ include::modules/sandboxed-containers-create-kataconfig-resource-web-console.ado //include::modules/sandboxed-containers-selecting-nodes-web-console.adoc[leveloffset=+3] include::modules/sandboxed-containers-deploying-workloads-with-kata-runtime-web.adoc[leveloffset=+2] +[id="deploying-sandboxed-containers-workloads-cli"] == Deploying {sandboxed-containers-first} workloads using the CLI You can deploy {sandboxed-containers-first} workloads using the CLI. First, you must install the {sandboxed-containers-operator}, then create the `KataConfig` custom resource. Once you are ready to deploy a workload in a sandboxed container, you must add `kata` as the `runtimeClassName` to the workload YAML file.