The combination of rune (secure runtime) containers with an InfiniBand card in IB mode pairs the container runtime with a high-performance InfiniBand NIC. Each rune Pod runs in its own sandbox, so handing it an SR-IOV virtual function (VF) of the IB card gives the workload a dedicated network device without sharing the host's network stack. This suits lightweight data-transfer workloads that need a degree of security and isolation. This page walks through the YAML objects and parameters that define the SR-IOV network node policy, the IB network, and the business Pod.
Procedure
Configure the SriovNetworkNodePolicy object:
The policy selects one node by its kubernetes.io/hostname label and splits the PF listed under rootDevices (0000:71:00.0) on that node into VFs. The hostname in nodeSelector must be the node on which the Pod is later scheduled: the example policy below selects node-5, while the example Pod further down pins nodeName to node-10, so change one of them so that they match.
Warning:
Creating the SriovNetworkNodePolicy object applies the change to the selected node, which is drained and rebooted in the process; workloads on that node are evicted while it is reconfigured.
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  name: node-policy-5
  namespace: eks-managed
spec:
  resourceName: mlxnics          # advertised on the node as <resourcePrefix>/mlxnics
  nodeSelector:
    kubernetes.io/hostname: node-5
  nicSelector:
    vendor: "15b3"               # Mellanox
    deviceID: "1017"             # ConnectX-5
    rootDevices:
      - 0000:71:00.0             # the PF to split
  deviceType: vfio-pci           # VFs are bound to vfio-pci so rune can pass them into the sandbox
  numVfs: 3
  priority: 50
  isRdma: false
  linkType: IB
Configure the SriovIBNetwork object:
The network references the same resourceName as the policy and carries the IPAM configuration handed to the VF. The exclude range below keeps the gateway and the first 64 addresses out of the pool.
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovIBNetwork
metadata:
  name: ibnics
  namespace: eks-managed
spec:
  ipam: |-
    {
      "type": "whereabouts",
      "range": "192.168.100.0/24",
      "gateway": "192.168.100.1",
      "exclude": [
        "192.168.100.0/26"
      ]
    }
  resourceName: mlxnics          # must match spec.resourceName of the SriovNetworkNodePolicy
  linkState: auto
Configure the business Pod in the rune (secure runtime) environment:
The Pod selects the rune runtime class, attaches the IB network through the k8s.v1.cni.cncf.io/networks annotation (namespace/name of the SriovIBNetwork), enables SR-IOV passthrough in the sandbox with the io.katacontainers.config.runtime.enable_sriov annotation, and requests one VF through the extended resource <resourcePrefix>/mlxnics (ecnf.io is the prefix configured for the operator in this environment). Requests and limits for an extended resource must be equal.
If you need to set resource limits on the Pod, set the limit values under resources together with the requests, and add the following annotation so that the runtime applies the container-level limits instead of managing only the sandbox-level cgroup: io.katacontainers.config.runtime.sandbox_cgroup_only: "false"
apiVersion: v1
kind: Pod
metadata:
  name: sriov-rune-pod-demo
  annotations:
    k8s.v1.cni.cncf.io/networks: eks-managed/ibnics           # namespace/name of the SriovIBNetwork
    io.katacontainers.config.runtime.enable_sriov: "true"     # pass the VF into the rune sandbox
spec:
  runtimeClassName: rune
  containers:
    - name: app-demo
      image: hub.ecns.io/test/nginx:latest
      imagePullPolicy: Always
      command: [ "/bin/bash", "-c", "--" ]
      args: [ "while true; do sleep 300000; done;" ]
      resources:
        requests:
          ecnf.io/mlxnics: "1"   # <resourcePrefix>/<resourceName>
        limits:
          ecnf.io/mlxnics: "1"   # must equal the request
  nodeName: node-10              # must be a node selected by the SriovNetworkNodePolicy
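The three objects above only work together when their names line up: the policy's resourceName must be what the SriovIBNetwork references and what the Pod requests under the operator's resource prefix, the Pod's network annotation must point at the SriovIBNetwork, the VF must be bound to vfio-pci and the Kata SR-IOV annotation set for rune to pass the device into the sandbox, and a pinned Pod must land on a node the policy configures. The following pre-flight check is an added example and not code from the original page or from the sriov-network-operator project. The manifests are embedded as Python dicts that mirror the YAML on this page (constructed inline so the check runs offline), and the resource prefix ecnf.io is assumed to be the operator's configured resourcePrefix.

```python
"""Pre-flight consistency check for the SR-IOV + rune manifests on this page.

Added example, not part of the original page or of sriov-network-operator.
The dicts below mirror the page's YAML (constructed inline); RESOURCE_PREFIX
is assumed to be the operator's configured resource prefix.
"""

RESOURCE_PREFIX = "ecnf.io"  # assumed operator resourcePrefix; must match the node's advertised resource

POLICY = {
    "kind": "SriovNetworkNodePolicy",
    "metadata": {"name": "node-policy-5", "namespace": "eks-managed"},
    "spec": {
        "resourceName": "mlxnics",
        "nodeSelector": {"kubernetes.io/hostname": "node-5"},
        "nicSelector": {"vendor": "15b3", "deviceID": "1017",
                        "rootDevices": ["0000:71:00.0"]},
        "deviceType": "vfio-pci",
        "numVfs": 3,
        "priority": 50,
        "isRdma": False,
        "linkType": "IB",
    },
}

IB_NETWORK = {
    "kind": "SriovIBNetwork",
    "metadata": {"name": "ibnics", "namespace": "eks-managed"},
    "spec": {"resourceName": "mlxnics", "linkState": "auto"},
}

POD = {
    "kind": "Pod",
    "metadata": {
        "name": "sriov-rune-pod-demo",
        "annotations": {
            "k8s.v1.cni.cncf.io/networks": "eks-managed/ibnics",
            "io.katacontainers.config.runtime.enable_sriov": "true",
        },
    },
    "spec": {
        "runtimeClassName": "rune",
        "nodeName": "node-10",
        "containers": [{
            "name": "app-demo",
            "resources": {"requests": {"ecnf.io/mlxnics": "1"},
                          "limits": {"ecnf.io/mlxnics": "1"}},
        }],
    },
}


def check_manifests(policy, ib_network, pod, prefix=RESOURCE_PREFIX):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    res = policy["spec"]["resourceName"]
    full_res = f"{prefix}/{res}"

    # 1. The SriovIBNetwork must hand out VFs from the same resource pool.
    if ib_network["spec"]["resourceName"] != res:
        problems.append("SriovIBNetwork.resourceName != policy.resourceName")

    # 2. The Pod's network annotation must reference the SriovIBNetwork as namespace/name.
    want_net = f"{ib_network['metadata']['namespace']}/{ib_network['metadata']['name']}"
    ann = pod["metadata"].get("annotations", {})
    nets = [n.strip() for n in ann.get("k8s.v1.cni.cncf.io/networks", "").split(",")]
    if want_net not in nets:
        problems.append(f"Pod network annotation does not reference {want_net}")

    # 3. rune (Kata) passes the VF into the sandbox VM: the VF must be bound to
    #    vfio-pci and SR-IOV must be enabled for the sandbox, otherwise the device
    #    stays on the host and the isolation the page describes is not achieved.
    if policy["spec"]["deviceType"] != "vfio-pci":
        problems.append("deviceType must be vfio-pci for a rune (Kata) Pod")
    if ann.get("io.katacontainers.config.runtime.enable_sriov") != "true":
        problems.append("missing io.katacontainers.config.runtime.enable_sriov=true")
    if pod["spec"].get("runtimeClassName") != "rune":
        problems.append("runtimeClassName is not rune")

    # 4. Extended resources are not overcommittable: requests must equal limits,
    #    use the prefixed name, and fit within the VFs the policy creates.
    total = 0
    for c in pod["spec"]["containers"]:
        req = c.get("resources", {}).get("requests", {})
        lim = c.get("resources", {}).get("limits", {})
        if req.get(full_res) != lim.get(full_res):
            problems.append(f"{c['name']}: requests/limits for {full_res} differ")
        total += int(req.get(full_res, 0))
    if total == 0:
        problems.append(f"no container requests {full_res}")
    if total > policy["spec"]["numVfs"]:
        problems.append(f"Pod requests {total} VFs but policy creates {policy['spec']['numVfs']}")

    # 5. A Pod pinned with nodeName must land on the node the policy configures.
    node = pod["spec"].get("nodeName")
    sel_host = policy["spec"]["nodeSelector"].get("kubernetes.io/hostname")
    if node and sel_host and sel_host != node:
        problems.append(f"Pod pinned to {node} but policy selects {sel_host}")

    return problems


if __name__ == "__main__":
    for p in check_manifests(POLICY, IB_NETWORK, POD):
        print("PROBLEM:", p)
```

Run against the page's manifests the check reports exactly one problem, the node-5 / node-10 mismatch; change either the policy's nodeSelector or the Pod's nodeName and it reports nothing. After the Pod starts, confirm on the node that the VF actually moved into the sandbox: lspci -k for the VF's PCI address should show vfio-pci as the kernel driver in use, not mlx5_core.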