mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * networking/setting-interface-level-network-sysctls.adoc

:_mod-docs-content-type: PROCEDURE
[id="nw-enabling-all-multi-cni_{context}"]
= Enabling all-multicast mode by using the tuning CNI

[role="_abstract"]
To enable all-multicast mode on network interfaces in {product-title}, you can use the tuning Container Network Interface (CNI) meta plugin in a network attachment definition. When enabled, the interface receives all multicast packets on the network, not only the packets for multicast groups that the pod has joined. The tuning plugin sets the flag while the pod network namespace is being set up, so the pod itself does not need the `NET_ADMIN` capability; the example pod in this procedure runs as a non-root user with all capabilities dropped.

.Procedure

. Create a network attachment definition, such as `tuning-allmulti.yaml`, with the following content:
+
[source,yaml]
----
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: <name>
  namespace: default
spec:
  config: '{
    "cniVersion": "0.4.0",
    "name": "<name>",
    "plugins": [
      {
        "type": "<main_CNI_plugin>"
      },
      {
        "type": "tuning",
        "allmulti": true
      }
    ]
  }'
----
+
where:
+
--
`name`:: Specifies the name for the additional network attachment to create. The name must be unique within the specified namespace.
`namespace`:: Specifies the namespace that the object is associated with.
`cniVersion`:: Specifies the CNI specification version.
`name`:: Specifies the name for the configuration. Match the configuration name to the `name` value of the network attachment definition. The whole `config` value must be valid JSON: the API server stores it as an opaque string, so a syntax error such as an unbalanced brace is not rejected by `oc apply` and surfaces only when a pod that references the attachment is created.
`main_CNI_plugin`:: Specifies the name of the main CNI plugin to configure. The main plugin creates the interface; `tuning` is a meta plugin and must come after it in the `plugins` chain.
`tuning`:: Specifies the name of the CNI meta plugin.
`allmulti`:: Specifies the all-multicast mode of the interface. If enabled, the interface receives all multicast packets on the network, regardless of which multicast groups the pod has joined.

--
+
.Example network attachment definition
[source,yaml]
----
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: setallmulti
  namespace: default
spec:
  config: '{
    "cniVersion": "0.4.0",
    "name": "setallmulti",
    "plugins": [
      {
        "type": "bridge"
      },
      {
        "type": "tuning",
        "allmulti": true
      }
    ]
  }'
----

. Apply the settings specified in the YAML file by running the following command:
+
[source,terminal]
----
$ oc apply -f tuning-allmulti.yaml
----
+
.Example output
[source,terminal]
----
networkattachmentdefinition.k8s.cni.cncf.io/setallmulti created
----

. Create a pod with a network attachment definition similar to that specified in the following `examplepod.yaml` sample file:
+
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: allmultipod
  namespace: default
  annotations:
    k8s.v1.cni.cncf.io/networks: setallmulti
spec:
  containers:
  - name: podexample
    image: centos
    command: ["/bin/bash", "-c", "sleep INF"]
    securityContext:
      runAsUser: 2000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
----
+
where:
+
--
`k8s.v1.cni.cncf.io/networks`:: Specifies the name of the configured `NetworkAttachmentDefinition`. The secondary interface that this attachment creates is the one that receives the all-multicast flag.
`runAsUser`:: Specifies which user ID the container runs with.
`runAsGroup`:: Specifies which primary group ID the container runs with.
`allowPrivilegeEscalation`:: Specifies if a pod can request to allow privilege escalation. If unspecified, it defaults to true. This boolean directly controls whether the `no_new_privs` flag gets set on the container process.
`capabilities`:: Linux capabilities grant specific privileged actions without full root access. Dropping `ALL` removes every capability from the container. All-multicast mode still works because the tuning plugin applies the flag during network setup on the node, not from inside the container.
`runAsNonRoot: true`:: Specifies that the container runs as a user with any UID other than 0.
`seccompProfile`:: Specifies the default seccomp profile for a pod or container workload.

--

. Apply the settings specified in the YAML file by running the following command:
+
[source,terminal]
----
$ oc apply -f examplepod.yaml
----

. Verify that the pod is created by running the following command:
+
[source,terminal]
----
$ oc get pod
----
+
.Example output
[source,terminal]
----
NAME          READY   STATUS    RESTARTS   AGE
allmultipod   1/1     Running   0          23s
----

. Log in to the pod by running the following command:
+
[source,terminal]
----
$ oc rsh allmultipod
----

. List all the interfaces associated with the pod by running the following command. The pod runs as UID 2000, so the shell prompt is the non-root `$`:
+
[source,terminal]
----
sh-4.4$ ip link
----
+
.Example output
[source,terminal]
----
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8901 qdisc noqueue state UP mode DEFAULT group default
    link/ether 0a:58:0a:83:00:10 brd ff:ff:ff:ff:ff:ff link-netnsid 0
3: net1@if24: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:9b:66:a4:ec:1d brd ff:ff:ff:ff:ff:ff link-netnsid 0
----
+
where:
+
--
`eth0@if22`:: Specifies the primary interface. Its flag list does not contain `ALLMULTI`, because the tuning plugin only acts on the interface of the chain it is part of.
`net1@if24`:: Specifies the secondary interface configured with the network attachment definition. The `ALLMULTI` flag in its flag list confirms that all-multicast mode is enabled on it.
--
`net1@if24`:: Specifies the secondary interface configured with the network-attachment-definition that supports the all-multicast mode (ALLMULTI flag). |