blog.epheo.euhttps://blog.epheo.euTechnical articles on OpenShift, Kubernetes, OpenStack, and Linuxen2025, Thibaut LapierreDebugging PostgreSQL Crash Loop in OpenShifthttps://blog.epheo.eu/debug/postgresql_openshift.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>April 20, 2024</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>3 min read</p> </div> </div> </div> </div> </div> </div> <section id="introduction"> <h2>Introduction</h2> <p>This article describes how to fix a common PostgreSQL issue in OpenShift when the database enters a crash loop with a “tuple concurrently updated” error. This problem typically occurs due to an unclean shutdown of the PostgreSQL server, leaving the database in an inconsistent state.</p> </section> <section id="understanding-the-error"> <h2>Understanding the Error</h2> <p>When starting a PostgreSQL pod in OpenShift, you might encounter the following error:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span/>pg_ctl: another server might be running; trying to start server anyway waiting for server to start....LOG: redirecting log output to logging collector process HINT: Future log output will appear in directory "pg_log". ..... done server started =&gt; sourcing /usr/share/container-scripts/postgresql/start/set_passwords.sh ... ERROR: tuple concurrently updated </pre></div> </div> <p>This error indicates that PostgreSQL has detected an issue with its internal data consistency. The “tuple concurrently updated” message suggests that a database tuple (row) was modified by multiple processes simultaneously, leaving the database in an inconsistent state.</p> </section> <section id="step-by-step-solution"> <h2>Step-by-Step Solution</h2> <p>Follow these steps to resolve the issue:</p> <ol class="arabic"> <li><p><strong>Find the problematic PostgreSQL pod</strong></p> <p>First, locate the PostgreSQL pod that is stuck in the crash loop.</p> </li> <li><p><strong>Start a debug session</strong></p> <p>Use the OpenShift command-line tool to start a debug session with the pod:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>debug<span class="w"> </span>pod/&lt;postgres-pod-name&gt; </pre></div> </div> </li> <li><p><strong>Scale down the deployment</strong></p> <p>In another terminal, scale the associated PostgreSQL deployment to zero pods:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>scale<span class="w"> </span>deployment/&lt;postgres-deployment-name&gt;<span class="w"> </span>--replicas<span class="o">=</span><span class="m">0</span> </pre></div> </div> </li> <li><p><strong>Run the PostgreSQL startup script</strong></p> <p>From the debug session terminal, run the PostgreSQL startup script:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>run-postgresql </pre></div> </div> <p>This creates necessary configuration files that will allow you to manage the PostgreSQL server. You should see the same error output described above.</p> </li> <li><p><strong>Stop PostgreSQL cleanly</strong></p> <p>Stop the PostgreSQL server with the following command:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>pg_ctl<span class="w"> </span>stop<span class="w"> </span>-D<span class="w"> </span>/var/lib/pgsql/data/userdata </pre></div> </div> <p>Expected output:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span/>waiting for server to shut down.... done server stopped </pre></div> </div> </li> <li><p><strong>Start PostgreSQL manually</strong></p> <p>Start the PostgreSQL server manually to check if it initializes correctly:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>pg_ctl<span class="w"> </span>start<span class="w"> </span>-D<span class="w"> </span>/var/lib/pgsql/data/userdata </pre></div> </div> <p>Expected output:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span/>server starting LOG: redirecting log output to logging collector process HINT: Future log output will appear in directory "pg_log". </pre></div> </div> <p>The server should remain running without errors.</p> </li> <li><p><strong>Stop PostgreSQL cleanly again</strong></p> <p>Ensure a clean shutdown by stopping PostgreSQL:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>pg_ctl<span class="w"> </span>stop<span class="w"> </span>-D<span class="w"> </span>/var/lib/pgsql/data/userdata </pre></div> </div> <p>Expected output:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span/>waiting for server to shut down.... done server stopped </pre></div> </div> </li> <li><p><strong>Exit the debug session</strong></p> <p>Type <cite>exit</cite> to leave the debug session.</p> </li> <li><p><strong>Scale up the deployment</strong></p> <p>Finally, scale the PostgreSQL deployment back up:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>scale<span class="w"> </span>deployment/&lt;postgres-deployment-name&gt;<span class="w"> </span>--replicas<span class="o">=</span><span class="m">1</span> </pre></div> </div> <p>The PostgreSQL pod should now start normally without crashing.</p> </li> </ol> </section> <section id="why-this-works"> <h2>Why This Works</h2> <p>This procedure works because it:</p> <ol class="arabic simple"> <li><p>Allows PostgreSQL to perform a clean shutdown, ensuring all data is properly written</p></li> <li><p>Clears any potentially corrupted transaction logs</p></li> <li><p>Creates the necessary configuration files needed for proper operation</p></li> <li><p>Eliminates race conditions that might occur during the container’s normal startup process</p></li> </ol> <p>If you encounter this issue frequently with a particular PostgreSQL deployment, consider investigating:</p> <ul class="simple"> <li><p>Storage performance issues</p></li> <li><p>Abrupt pod terminations</p></li> <li><p>Resource constraints causing timeouts during shutdown</p></li> <li><p>Improper backup procedures</p></li> </ul> </section> Sun, 15 Feb 2026 00:00:00 Running vLLM on Strix Halohttps://blog.epheo.eu/notes/strix-halo/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Feb 15, 2026</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>5 min read</p> </div> </div> </div> </div> </div> </div> <p>So I bought this machine, AMD RYZEN AI MAX+ 395 w/ Radeon 8060S and 128GB GTT RAM, and I knew that the ecosystem was still… ongoing. But it really felt like going back to the OpenStack early days, struggling with nightly builds, unreleased patches, vendor forks, etc. Maybe the issue is just Python in the end.</p> <p>In short, AMD Strix Halo (gfx1151) isn’t in upstream vLLM’s supported GPU list yet, so this note walks through building vLLM against ROCm nightly (TheRock) on Fedora 43, including the patches needed to work around missing <code class="docutils literal notranslate"><span class="pre">amdsmi</span></code> support.</p> <p><a class="reference download internal" download="" href="../../_downloads/33f9b0d62ba821d9e4123d893a457560/vllm.sh"><code class="xref download docutils literal notranslate"><span class="pre">Download</span> <span class="pre">the</span> <span class="pre">full</span> <span class="pre">build</span> <span class="pre">script</span></code></a></p> <section id="prerequisites"> <h2>Prerequisites</h2> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>dnf<span class="w"> </span>install<span class="w"> </span>-y<span class="w"> </span><span class="se">\</span> <span class="w"> </span>python3.13<span class="w"> </span>python3.13-devel<span class="w"> </span><span class="se">\</span> <span class="w"> </span>libatomic<span class="w"> </span><span class="se">\</span> <span class="w"> </span>gcc<span class="w"> </span>gcc-c++<span class="w"> </span>make<span class="w"> </span>ffmpeg-free<span class="w"> </span><span class="se">\</span> <span class="w"> </span>aria2<span class="w"> </span><span class="se">\</span> <span class="w"> </span>libdrm-devel<span class="w"> </span>zlib-devel<span class="w"> </span>openssl-devel<span class="w"> </span>procps-ng<span class="w"> </span><span class="se">\</span> <span class="w"> </span>numactl-devel<span class="w"> </span>gperftools-libs<span class="w"> </span>libibverbs-utils </pre></div> </div> </section> <section id="installing-rocm-via-therock-nightly"> <h2>Installing ROCm via TheRock nightly</h2> <p>AMD’s <a class="reference external" href="https://github.com/ROCm/TheRock">TheRock</a> project publishes nightly tarballs to an S3 bucket, indexed by GFX target. We grab the latest one for <code class="docutils literal notranslate"><span class="pre">gfx1151</span></code>:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="nv">GFX</span><span class="o">=</span>gfx1151 <span class="nv">ROCM_PATH</span><span class="o">=</span>/opt/rocm <span class="nv">S3</span><span class="o">=</span><span class="s2">"https://therock-nightly-tarball.s3.amazonaws.com"</span> <span class="nv">PREFIX</span><span class="o">=</span><span class="s2">"therock-dist-linux-</span><span class="si">${</span><span class="nv">GFX</span><span class="si">}</span><span class="s2">-7"</span> <span class="nv">KEY</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>curl<span class="w"> </span>-s<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">S3</span><span class="si">}</span><span class="s2">?list-type=2&amp;prefix=</span><span class="si">${</span><span class="nv">PREFIX</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-oP<span class="w"> </span><span class="s1">'(?&lt;=&lt;Key&gt;)[^&lt;]+'</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span><span class="p">|</span><span class="w"> </span>sort<span class="w"> </span>-V<span class="w"> </span><span class="p">|</span><span class="w"> </span>tail<span class="w"> </span>-n1<span class="k">)</span><span class="s2">"</span> aria2c<span class="w"> </span>-x<span class="w"> </span><span class="m">16</span><span class="w"> </span>-s<span class="w"> </span><span class="m">16</span><span class="w"> </span>-j<span class="w"> </span><span class="m">16</span><span class="w"> </span>--file-allocation<span class="o">=</span>none<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">S3</span><span class="si">}</span><span class="s2">/</span><span class="si">${</span><span class="nv">KEY</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span>-o<span class="w"> </span>therock.tar.gz mkdir<span class="w"> </span>-p<span class="w"> </span><span class="s2">"</span><span class="nv">$ROCM_PATH</span><span class="s2">"</span> tar<span class="w"> </span>xzf<span class="w"> </span>therock.tar.gz<span class="w"> </span>-C<span class="w"> </span><span class="s2">"</span><span class="nv">$ROCM_PATH</span><span class="s2">"</span><span class="w"> </span>--strip-components<span class="o">=</span><span class="m">1</span> rm<span class="w"> </span>therock.tar.gz </pre></div> </div> </section> <section id="environment-setup"> <h2>Environment setup</h2> <p>TheRock nightlies don’t ship a stable bitcode path, so we locate it dynamically:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="nv">BITCODE_PATH</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>find<span class="w"> </span><span class="s2">"</span><span class="nv">$ROCM_PATH</span><span class="s2">"</span><span class="w"> </span>-type<span class="w"> </span>d<span class="w"> </span>-name<span class="w"> </span>bitcode<span class="w"> </span>-print<span class="w"> </span>-quit<span class="k">)</span><span class="s2">"</span> </pre></div> </div> <p>Then create a profile script so the environment is set for every shell:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>cat<span class="w"> </span>&gt;<span class="w"> </span>/etc/profile.d/rocm-sdk.sh<span class="w"> </span><span class="s">&lt;&lt;EOF</span> <span class="s">export ROCM_PATH=$ROCM_PATH</span> <span class="s">export HIP_PLATFORM=amd</span> <span class="s">export HIP_PATH=$ROCM_PATH</span> <span class="s">export HIP_CLANG_PATH=$ROCM_PATH/llvm/bin</span> <span class="s">export HIP_DEVICE_LIB_PATH=$BITCODE_PATH</span> <span class="s">export PATH=$ROCM_PATH/bin:$ROCM_PATH/llvm/bin:\$PATH</span> <span class="s">export LD_LIBRARY_PATH=$ROCM_PATH/lib:$ROCM_PATH/lib64:$ROCM_PATH/llvm/lib:\$LD_LIBRARY_PATH</span> <span class="s">export ROCBLAS_USE_HIPBLASLT=1</span> <span class="s">export TORCH_ROCM_AOTRITON_ENABLE_EXPERIMENTAL=1</span> <span class="s">export VLLM_TARGET_DEVICE=rocm</span> <span class="s">export HIP_FORCE_DEV_KERNARG=1</span> <span class="s">export RAY_EXPERIMENTAL_NOSET_ROCR_VISIBLE_DEVICES=1</span> <span class="s">export LD_PRELOAD=/usr/lib64/libtcmalloc_minimal.so.4</span> <span class="s">EOF</span> <span class="nb">source</span><span class="w"> </span>/etc/profile.d/rocm-sdk.sh </pre></div> </div> <p>Notable variables:</p> <ul class="simple"> <li><p><code class="docutils literal notranslate"><span class="pre">TORCH_ROCM_AOTRITON_ENABLE_EXPERIMENTAL</span></code>: enables experimental Triton kernels needed for gfx1151</p></li> <li><p><code class="docutils literal notranslate"><span class="pre">HIP_FORCE_DEV_KERNARG</span></code>: required for Strix Halo’s memory model</p></li> <li><p><code class="docutils literal notranslate"><span class="pre">LD_PRELOAD=libtcmalloc_minimal</span></code>: significant inference throughput gain</p></li> </ul> </section> <section id="installing-pytorch-from-rocm-nightly"> <h2>Installing PyTorch from ROCm nightly</h2> <p>AMD publishes per-target nightly wheels. The index URL must match the GFX target:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>python<span class="w"> </span>-m<span class="w"> </span>pip<span class="w"> </span>install<span class="w"> </span><span class="se">\</span> <span class="w"> </span>--index-url<span class="w"> </span><span class="s2">"https://rocm.nightlies.amd.com/v2-staging/</span><span class="si">${</span><span class="nv">GFX</span><span class="si">}</span><span class="s2">/"</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>--pre<span class="w"> </span>torch<span class="w"> </span>torchaudio<span class="w"> </span>torchvision </pre></div> </div> </section> <section id="building-flash-attention-rocm-fork"> <h2>Building flash-attention (ROCm fork)</h2> <p>ROCm’s fork of flash-attention includes AMD-specific Triton optimizations:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="nb">export</span><span class="w"> </span><span class="nv">FLASH_ATTENTION_TRITON_AMD_ENABLE</span><span class="o">=</span><span class="s2">"TRUE"</span> git<span class="w"> </span>clone<span class="w"> </span>https://github.com/ROCm/flash-attention.git<span class="w"> </span>/opt/flash-attention <span class="nb">cd</span><span class="w"> </span>/opt/flash-attention<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>git<span class="w"> </span>checkout<span class="w"> </span>main_perf python<span class="w"> </span>setup.py<span class="w"> </span>install </pre></div> </div> </section> <section id="patching-building-vllm"> <h2>Patching &amp; building vLLM</h2> <p>vLLM probes <code class="docutils literal notranslate"><span class="pre">amdsmi</span></code> at import time to detect AMD GPUs, but <code class="docutils literal notranslate"><span class="pre">amdsmi</span></code> doesn’t know about Strix Halo yet. The patches:</p> <ol class="arabic simple"> <li><p><strong>Stub out amdsmi in</strong> <code class="docutils literal notranslate"><span class="pre">vllm/platforms/__init__.py</span></code>: disable the import, force <code class="docutils literal notranslate"><span class="pre">is_rocm</span> <span class="pre">=</span> <span class="pre">True</span></code>, and no-op the init/shutdown calls.</p></li> <li><p><strong>Mock amdsmi in</strong> <code class="docutils literal notranslate"><span class="pre">vllm/platforms/rocm.py</span></code>: inject a <code class="docutils literal notranslate"><span class="pre">MagicMock</span></code> module and hardcode <code class="docutils literal notranslate"><span class="pre">device_name</span> <span class="pre">=</span> <span class="pre">"gfx1151"</span></code> so vLLM sees a known ROCm device.</p></li> <li><p><strong>Set the GPU target in</strong> <code class="docutils literal notranslate"><span class="pre">CMakeLists.txt</span></code>: replace the default RDNA4 targets with <code class="docutils literal notranslate"><span class="pre">gfx1151</span></code>.</p></li> </ol> <p>The build script applies these patches via an inline Python script, see <a class="reference download internal" download="" href="../../_downloads/33f9b0d62ba821d9e4123d893a457560/vllm.sh"><code class="xref download docutils literal notranslate"><span class="pre">vllm.sh</span></code></a> for the full patch.</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>git<span class="w"> </span>clone<span class="w"> </span>https://github.com/vllm-project/vllm.git<span class="w"> </span>/opt/vllm <span class="nb">cd</span><span class="w"> </span>/opt/vllm <span class="c1"># Apply the amdsmi patches (see vllm.sh for details)</span> <span class="c1"># ...</span> <span class="c1"># Replace default GPU targets</span> sed<span class="w"> </span>-i<span class="w"> </span><span class="s2">"s/gfx1200;gfx1201/</span><span class="si">${</span><span class="nv">GFX</span><span class="si">}</span><span class="s2">/"</span><span class="w"> </span>CMakeLists.txt <span class="c1"># Fedora's GCC produces ABI-incompatible extensions — use ROCm's clang</span> <span class="nb">export</span><span class="w"> </span><span class="nv">CC</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROCM_PATH</span><span class="s2">/llvm/bin/clang"</span> <span class="nb">export</span><span class="w"> </span><span class="nv">CXX</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROCM_PATH</span><span class="s2">/llvm/bin/clang++"</span> <span class="nb">export</span><span class="w"> </span><span class="nv">ROCM_HOME</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROCM_PATH</span><span class="s2">"</span> <span class="nb">export</span><span class="w"> </span><span class="nv">PYTORCH_ROCM_ARCH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GFX</span><span class="s2">"</span> <span class="nb">export</span><span class="w"> </span><span class="nv">HIP_ARCHITECTURES</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GFX</span><span class="s2">"</span> <span class="nb">export</span><span class="w"> </span><span class="nv">AMDGPU_TARGETS</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GFX</span><span class="s2">"</span> <span class="nb">export</span><span class="w"> </span><span class="nv">MAX_JOBS</span><span class="o">=</span><span class="s2">"4"</span> <span class="nb">export</span><span class="w"> </span><span class="nv">CMAKE_ARGS</span><span class="o">=</span><span class="s2">"-DROCM_PATH=</span><span class="nv">$ROCM_PATH</span><span class="s2"> -DHIP_PATH=</span><span class="nv">$ROCM_PATH</span><span class="s2"> \</span> <span class="s2"> -DAMDGPU_TARGETS=</span><span class="nv">$GFX</span><span class="s2"> -DHIP_ARCHITECTURES=</span><span class="nv">$GFX</span><span class="s2">"</span> python<span class="w"> </span>-m<span class="w"> </span>pip<span class="w"> </span>wheel<span class="w"> </span>--no-build-isolation<span class="w"> </span>--no-deps<span class="w"> </span>-w<span class="w"> </span>/tmp/dist<span class="w"> </span>-v<span class="w"> </span>. python<span class="w"> </span>-m<span class="w"> </span>pip<span class="w"> </span>install<span class="w"> </span>/tmp/dist/*.whl </pre></div> </div> </section> <section id="bitsandbytes-rocm-fork"> <h2>bitsandbytes (ROCm fork)</h2> <p>For quantized model support, build the ROCm-enabled bitsandbytes fork:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="nb">export</span><span class="w"> </span><span class="nv">CMAKE_PREFIX_PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROCM_PATH</span><span class="s2">"</span> git<span class="w"> </span>clone<span class="w"> </span>-b<span class="w"> </span>rocm_enabled_multi_backend<span class="w"> </span><span class="se">\</span> <span class="w"> </span>https://github.com/ROCm/bitsandbytes.git<span class="w"> </span>/opt/bitsandbytes <span class="nb">cd</span><span class="w"> </span>/opt/bitsandbytes cmake<span class="w"> </span>-S<span class="w"> </span>.<span class="w"> </span><span class="se">\</span> <span class="w"> </span>-DGPU_TARGETS<span class="o">=</span><span class="s2">"</span><span class="nv">$GFX</span><span class="s2">"</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-DBNB_ROCM_ARCH<span class="o">=</span><span class="s2">"</span><span class="nv">$GFX</span><span class="s2">"</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-DCOMPUTE_BACKEND<span class="o">=</span>hip make<span class="w"> </span>-j<span class="s2">"</span><span class="k">$(</span>nproc<span class="k">)</span><span class="s2">"</span> python<span class="w"> </span>-m<span class="w"> </span>pip<span class="w"> </span>install<span class="w"> </span>.<span class="w"> </span>--no-build-isolation<span class="w"> </span>--no-deps </pre></div> </div> </section> Sun, 15 Feb 2026 00:00:00 How this blog is served to youhttps://blog.epheo.eu/articles/kiss-rust-server/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Aug 16, 2025</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>5 min read</p> </div> </div> </div> </div> </div> </div> <p>This blog is just static files, served from a container, behind a Kubernetes Ingress Controller.</p> <p>So a container image containing a whole userland and a fullfledged webserver with all bells and whistle behind yet another fullfledged proxy.</p> <p>Now I thought, we’re in 2025 and disk space is expensive (Yes, I wrote that before it actually became true). An Nginx container image is at least 80MiB, If I would write my very own static web server and run it from a scratch container image I could go down to a few hundred KiB and save… Let’s do the maths: a 1TB NVMe is around 70Euros on Amazon (yes it was) so that’s around 0.00007€ per MiB, assuming my container image will be around 500KiB that’s a whooping 0.005 Euro difference, bargain !</p> <p>So I decided to spend a few days of my summer holidays and go save those 0.005 Euro.</p> <p>Who need logic when you have a goal.</p> <p>Anyhow, I started working on it with my friend Claude, got a functionnal prototype, and finaly came back to reason: this is useless.</p> <p>Unless… unless my 20 monthly visitors were too much for Nginx to handle and I needed a much more performant web server. Let’s set a 1 Million Request per seconds target so if those 20 monthly visitors suddenly decided to connect at the exact same time and all refresh my blog page 50 000 times every seconds, they’d be safe.</p> <p>So I started working again, and got to a 454KiB container image, that serves around 700K requests per seconds from my laptop’s Intel Gen12 and 1M+ RPS on my server !</p> <p>I now host my blog with it, and you, who read, are safe to refresh this page if you want. Unless… unless the ingress controler is now the bottleneck ! Let’s work on a new K8S Ingress Controller (or Gateway API) that implements io_uring and use eBPF.</p> <section id="details"> <h2>Details</h2> <p>KISS (that’s its name) for “Kubernetes Instant Static Server” is taking some shortcuts to achieve its goals.</p> <p>The first and more important one is <strong>no disk I/O</strong>, all content is pre-loaded in RAM and all requests are pre-generated at startup time.</p> <p><strong>Traditional Static Servers</strong> (nginx, Apache):</p> <ul class="simple"> <li><p>Read files from disk per request</p></li> <li><p>Generate HTTP headers per request</p></li> <li><p>Multiple system calls per response</p></li> <li><p>Filesystem caching complexity</p></li> </ul> <p><strong>KISS Approach</strong>:</p> <ul class="simple"> <li><p>All files loaded into memory at startup</p></li> <li><p>HTTP responses pre-generated once</p></li> <li><p>Single write() system call per request</p></li> <li><p>Zero runtime filesystem operations</p></li> </ul> <p>If you are also mindfull of saving some disk space and serving a ridiculous amount of request per seconds without any guaranty, you can also try KISS.</p> <ul class="simple"> <li><p><a class="reference external" href="https://github.com/epheo/kiss">GitHub project</a></p></li> <li><p><a class="reference external" href="https://quay.io/repository/epheo/kiss">Container image on Quay.io</a></p></li> </ul> </section> Sat, 16 Aug 2025 00:00:00 Merging kubeconfig Fileshttps://blog.epheo.eu/notes/merge-kubeconfig.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Apr 25, 2025</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>3 min read</p> </div> </div> </div> </div> </div> </div> <p>When working with multiple Kubernetes or OpenShift clusters, you’ll often have multiple kubeconfig files. Kubernetes provides tools to merge these configurations into a single file.</p> <section id="prerequisites"> <h2>Prerequisites</h2> <ul class="simple"> <li><p>Access to the Kubernetes or OpenShift clusters you want to manage</p></li> <li><p>Existing kubeconfig files for each cluster</p></li> <li><p>kubectl or oc command-line tools installed</p></li> </ul> </section> <section id="step-by-step-merge-process"> <h2>Step-by-Step Merge Process</h2> <section id="backup-existing-configuration"> <h3>1. Backup Existing Configuration</h3> <p>Before merging, create a backup of your existing kubeconfig file to ensure you can revert to the original configuration if needed.</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>cp<span class="w"> </span>~/.kube/config<span class="w"> </span>~/.kube/config.backup </pre></div> </div> </section> <section id="set-the-kubeconfig-environment-variable"> <h3>2. Set the KUBECONFIG Environment Variable</h3> <p>The KUBECONFIG environment variable allows you to specify multiple kubeconfig files. These files will be merged automatically by kubectl.</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="nb">export</span><span class="w"> </span><span class="nv">KUBECONFIG</span><span class="o">=</span>~/.kube/config:/path/to/second-kubeconfig </pre></div> </div> <p>You can add as many kubeconfig files as needed, separating them with colons (on Linux/macOS) or semicolons (on Windows).</p> </section> <section id="merge-the-files"> <h3>3. Merge the Files</h3> <p>Use the kubectl config view command with the <code class="docutils literal notranslate"><span class="pre">--merge</span></code> and <code class="docutils literal notranslate"><span class="pre">--flatten</span></code> options to merge the configurations into a single file.</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>config<span class="w"> </span>view<span class="w"> </span>--merge<span class="w"> </span>--flatten<span class="w"> </span>&gt;<span class="w"> </span>~/.kube/merged_kubeconfig </pre></div> </div> </section> <section id="replace-the-original-configuration"> <h3>4. Replace the Original Configuration</h3> <p>Move the merged configuration to the default location.</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>mv<span class="w"> </span>~/.kube/merged_kubeconfig<span class="w"> </span>~/.kube/config </pre></div> </div> </section> <section id="verify-the-merged-configuration"> <h3>5. Verify the Merged Configuration</h3> <p>Ensure that the merged configuration works correctly by exploring and managing your contexts:</p> <section id="listing-available-contexts"> <h4>Listing Available Contexts</h4> <p>To view all available contexts in your merged configuration:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>config<span class="w"> </span>get-contexts </pre></div> </div> <p>This command displays a table with all contexts in your kubeconfig file, including: - The current active context (marked with an asterisk *) - Context names - Cluster names - Authentication users - Namespaces (if specified)</p> <p>For a more detailed view of your entire kubeconfig:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>config<span class="w"> </span>view </pre></div> </div> </section> <section id="checking-the-current-context"> <h4>Checking the Current Context</h4> <p>To see which context is currently active:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>config<span class="w"> </span>current-context </pre></div> </div> </section> <section id="switching-between-contexts"> <h4>Switching Between Contexts</h4> <p>To switch to a different context:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>config<span class="w"> </span>use-context<span class="w"> </span>&lt;context-name&gt; </pre></div> </div> </section> </section> </section> Sun, 27 Apr 2025 00:00:00 OpenShift Virtualization Sidecar Implementation Guidehttps://blog.epheo.eu/notes/kubevirt-sidecar.html <span id="kubevirt-sidecar-section"/> <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>April 25, 2025</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>8 min read</p> </div> </div> </div> </div> </div> </div> <section id="overview"> <h2>Overview</h2> <p>The Sidecar feature in Kubevirt enables the attachment of additional containers to virtual machine pods. These sidecar containers run alongside the VM container, allowing for enhanced functionality such as monitoring, logging, debugging, and custom modifications to the VM environment without modifying the core VM itself.</p> <p>This document provides instructions for enabling and implementing the Sidecar feature in an OpenShift Container Native Virtualization (CNV) environment.</p> </section> <section id="enabling-the-sidecar-feature-gate"> <h2>Enabling the Sidecar Feature Gate</h2> <p>The Sidecar feature is controlled by a feature gate which must be explicitly enabled:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>annotate<span class="w"> </span>--overwrite<span class="w"> </span>-n<span class="w"> </span>openshift-cnv<span class="w"> </span>hco<span class="w"> </span>kubevirt-hyperconverged<span class="w"> </span><span class="se">\</span> <span class="w"> </span>kubevirt.kubevirt.io/jsonpatch<span class="o">=</span><span class="s1">'[{"op": "add", "path": "/spec/configuration/developerConfiguration/featureGates/-", "value": "Sidecar"}]'</span> </pre></div> </div> <section id="verify-feature-gate-is-enabled"> <h3>Verify Feature Gate is Enabled</h3> <p>To confirm the feature gate has been successfully added:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>get<span class="w"> </span>kubevirt<span class="w"> </span>kubevirt-kubevirt-hyperconverged<span class="w"> </span>-n<span class="w"> </span>openshift-cnv<span class="w"> </span><span class="se">\</span> <span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.configuration.developerConfiguration.featureGates}'</span> </pre></div> </div> <p>The output should include <code class="docutils literal notranslate"><span class="pre">Sidecar</span></code> in the list of enabled feature gates.</p> </section> </section> <section id="implementing-a-sidecar-container"> <h2>Implementing a Sidecar Container</h2> <section id="kubevirt-hook-types"> <h3>KubeVirt Hook Types</h3> <p>KubeVirt sidecars support different hook types for various modification purposes:</p> <ul class="simple"> <li><p><strong>onDefineDomain</strong>: Modifies the libvirt XML domain definition before VM creation</p></li> <li><p><strong>preCloudInitIso</strong>: Modifies cloud-init data before the ISO is generated</p></li> </ul> </section> <section id="sidecar-script-arguments"> <h3>Sidecar Script Arguments</h3> <p>When writing sidecar scripts, it’s important to understand how arguments are passed to your script:</p> <p>For <strong>onDefineDomain</strong> hook:</p> <ol class="arabic simple"> <li><p><strong>Argument 1</strong>: The hook name (onDefineDomain)</p></li> <li><p><strong>Argument 2</strong>: The <code class="docutils literal notranslate"><span class="pre">--version</span></code> parameter (e.g., v1alpha2)</p></li> <li><p><strong>Argument 3</strong>: The <code class="docutils literal notranslate"><span class="pre">--vmi</span></code> parameter with VMI information as JSON string</p></li> <li><p><strong>Argument 4</strong>: The <code class="docutils literal notranslate"><span class="pre">--domain</span></code> parameter with the current domain XML</p></li> </ol> <p>For <strong>preCloudInitIso</strong> hook:</p> <ol class="arabic simple"> <li><p><strong>Argument 1</strong>: The hook name (preCloudInitIso)</p></li> <li><p><strong>Argument 2</strong>: The <code class="docutils literal notranslate"><span class="pre">--version</span></code> parameter (e.g., v1alpha2)</p></li> <li><p><strong>Argument 3</strong>: The <code class="docutils literal notranslate"><span class="pre">--vmi</span></code> parameter with VMI information as JSON string</p></li> <li><p><strong>Argument 4</strong>: The <code class="docutils literal notranslate"><span class="pre">--cloud-init</span></code> parameter with CloudInitData as JSON</p></li> </ol> <div class="admonition note"> <p class="admonition-title">Note</p> <ul class="simple"> <li><p>Your script should read the input XML/JSON from the appropriate argument (usually the 4th argument).</p></li> <li><p>It must output the modified content to standard output (stdout).</p></li> <li><p>The script must preserve any XML/JSON structure while making targeted modifications.</p></li> <li><p>Any errors should be directed to standard error (stderr).</p></li> </ul> </div> </section> <section id="example-hook-configmap"> <h3>Example Hook ConfigMap</h3> <p>The following ConfigMap provides a script that modifies VM configurations by adding custom metadata to the VM’s libvirt XML definition using the <strong>onDefineDomain</strong> hook:</p> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">xmleditscript</span> <span class="nt">data</span><span class="p">:</span> <span class="w"> </span><span class="nt">script.sh</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="w"> </span><span class="no">#!/bin/sh</span> <span class="w"> </span><span class="no">tempFile=`mktemp --dry-run`</span> <span class="w"> </span><span class="no">echo $4 &gt; $tempFile</span> <span class="w"> </span><span class="no">sed -i "s|&lt;baseBoard&gt;&lt;/baseBoard&gt;|&lt;baseBoard&gt;&lt;entry name='manufacturer'&gt;Radical Edward&lt;/entry&gt;&lt;/baseBoard&gt;|" $tempFile</span> <span class="w"> </span><span class="no">cat $tempFile</span> </pre></div> </div> <div class="admonition note"> <p class="admonition-title">Note</p> <p>The libvirt domain XML is received as the 4th argument (<cite>$4</cite>), and the script’s standard output is used as the new domain definition to apply. This allows for dynamic modifications to the VM configuration.</p> </div> </section> <section id="using-sidecars-with-vms"> <h3>Using Sidecars with VMs</h3> <p>To add a hook sidecar to a VM, modify the VM manifest to include the required annotations that specify the hook configuration. The ConfigMap containing your script must be referenced in the annotations:</p> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt.io/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">VirtualMachine</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-vm</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">template</span><span class="p">:</span> <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">annotations</span><span class="p">:</span> <span class="w"> </span><span class="nt">hooks.kubevirt.io/hookSidecars</span><span class="p">:</span><span class="w"> </span><span class="s">'[{"args":</span><span class="nv"> </span><span class="s">["--version",</span><span class="nv"> </span><span class="s">"v1alpha2"],</span> <span class="w"> </span><span class="s">"configMap":</span><span class="nv"> </span><span class="s">{"name":</span><span class="nv"> </span><span class="s">"xmleditscript",</span><span class="nv"> </span><span class="s">"key":</span><span class="nv"> </span><span class="s">"script.sh",</span><span class="nv"> </span><span class="s">"hookPath":</span><span class="nv"> </span><span class="s">"/usr/bin/onDefineDomain"}}]'</span> <span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">domain</span><span class="p">:</span> <span class="w"> </span><span class="c1"># VM configuration...</span> <span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">config-volume</span> <span class="w"> </span><span class="nt">configMap</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">xmleditscript</span> </pre></div> </div> </section> </section> <section id="validating-the-sidecar-modifications"> <h2>Validating the Sidecar Modifications</h2> <p>After applying the sidecar configuration, you can verify that the changes have been successfully applied using several methods:</p> <section id="method-1-check-vm-xml-from-virt-launcher-pod"> <h3>Method 1: Check VM XML from virt-launcher Pod</h3> <ol class="arabic simple"> <li><p>Get the virt-launcher pod for your VM:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>get<span class="w"> </span>pods<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>virt-launcher-&lt;vm-name&gt; </pre></div> </div> <ol class="arabic simple" start="2"> <li><p>Examine the libvirt XML directly from the virt-launcher pod:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>virt-launcher-&lt;vm-name&gt;-&lt;random-id&gt;<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span>--<span class="w"> </span>virsh<span class="w"> </span>dumpxml<span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-A3<span class="w"> </span>manufacturer </pre></div> </div> <ol class="arabic simple" start="3"> <li><p>The output should include the modified XML with the custom manufacturer entry:</p></li> </ol> <div class="highlight-xml notranslate"><div class="highlight"><pre><span/><span class="nt">&lt;entry</span><span class="w"> </span><span class="na">name=</span><span class="s">'manufacturer'</span><span class="nt">&gt;</span>Radical<span class="w"> </span>Edward<span class="nt">&lt;/entry&gt;</span> </pre></div> </div> </section> <section id="method-2-from-inside-the-vm"> <h3>Method 2: From Inside the VM</h3> <p>If your modification affects data visible to the guest OS (like SMBIOS data), you can also verify from inside the VM using tools like dmidecode:</p> <ol class="arabic simple"> <li><p>Connect to the VM console or SSH into the VM</p></li> <li><p>Run dmidecode to check the baseboard manufacturer:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>sudo<span class="w"> </span>dmidecode<span class="w"> </span>-s<span class="w"> </span>baseboard-manufacturer </pre></div> </div> <ol class="arabic simple" start="3"> <li><p>The output should show:</p></li> </ol> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>Radical Edward </pre></div> </div> </section> </section> <section id="references"> <h2>References</h2> <ul class="simple" id="kubevirt-docs"> <li><p><a class="reference external" href="https://kubevirt.io/user-guide/">KubeVirt Documentation</a></p></li> <li><p><a class="reference external" href="https://docs.openshift.com/container-platform/latest/virt/about-virt.html">OpenShift CNV Documentation</a></p></li> <li><p><a class="reference external" href="https://kubernetes.io/docs/concepts/workloads/pods/#how-pods-manage-multiple-containers">Kubernetes Sidecar Patterns</a></p></li> </ul> </section> Sat, 26 Apr 2025 00:00:00 OpenShift Console Bannerhttps://blog.epheo.eu/notes/openshift-banner.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Apr 25, 2025</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>2 min read</p> </div> </div> </div> </div> </div> </div> <p>Adding visual indicators to your OpenShift clusters can help users quickly identify which environment they’re working in, potentially preventing accidental changes in production environments.</p> <p>This article demonstrates how to set a console banner in OpenShift to display important information like the cluster name or environment type.</p> <section id="setting-up-a-console-banner"> <h2>Setting up a Console Banner</h2> <p>You can create a banner on the OpenShift web console by creating a <code class="docutils literal notranslate"><span class="pre">ConsoleNotification</span></code> custom resource:</p> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">console.openshift.io/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConsoleNotification</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">banner</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">backgroundColor</span><span class="p">:</span><span class="w"> </span><span class="s">'#0f4414'</span><span class="w"> </span><span class="c1"># Dark red</span> <span class="w"> </span><span class="nt">color</span><span class="p">:</span><span class="w"> </span><span class="s">'#ffffff'</span><span class="w"> </span><span class="c1"># White text</span> <span class="w"> </span><span class="nt">location</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BannerTop</span> <span class="w"> </span><span class="nt">text</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">If it ain't broke, don't fix it</span> </pre></div> </div> </section> <section id="banner-customization"> <h2>Banner Customization</h2> <p>You can customize the following aspects of the banner:</p> <ul class="simple"> <li><p><strong>backgroundColor</strong>: The background color of the banner (hex color code)</p></li> <li><p><strong>color</strong>: The text color (hex color code)</p></li> <li><p><strong>location</strong>: Where the banner appears. Options include: - <code class="docutils literal notranslate"><span class="pre">BannerTop</span></code>: Displays at the very top of the console (most common) - <code class="docutils literal notranslate"><span class="pre">BannerBottom</span></code>: Displays at the bottom of the console - <code class="docutils literal notranslate"><span class="pre">BannerTopBottom</span></code>: Displays at both top and bottom of the console - <code class="docutils literal notranslate"><span class="pre">AlertBanner</span></code>: Displays as a more prominent alert banner</p></li> <li><p><strong>text</strong>: The message to display to users</p></li> </ul> <section id="example-colors"> <h3>Example Colors</h3> <ul class="simple"> <li><p>Production: <span class="color-prod">Red (#880808)</span></p></li> <li><p>Development: <span class="color-dev">Blue (#0066CC)</span></p></li> <li><p>Testing: <span class="color-test">Green (#2E8B57)</span></p></li> <li><p>Staging: <span class="color-staging">Orange (#FF8C00)</span></p></li> </ul> </section> </section> <section id="common-use-cases"> <h2>Common Use Cases</h2> <ul class="simple"> <li><p>Identifying different clusters (prod, dev, test)</p></li> <li><p>Warning users about scheduled maintenance</p></li> <li><p>Highlighting important information about the environment</p></li> </ul> <div class="admonition note"> <p class="admonition-title">Note</p> <p>Using distinct colors for different environments helps users visually identify which cluster they’re working with, reducing the risk of mistakes.</p> </div> </section> <section id="applying-the-configuration"> <h2>Applying the Configuration</h2> <p>Apply the configuration using the <code class="docutils literal notranslate"><span class="pre">oc</span></code> command:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>banner.yaml </pre></div> </div> <p>To remove the banner:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>delete<span class="w"> </span>consolennotification<span class="w"> </span>banner </pre></div> </div> </section> Sat, 26 Apr 2025 00:00:00 Simple Block Device Backup for OpenShift Lab Environmentshttps://blog.epheo.eu/articles/openshift-borg/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>April 25, 2025</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>8 min read</p> </div> </div> </div> </div> </div> </div> <section id="introduction"> <h2>Introduction</h2> <p>Like the Borg collective from Star Trek assimilates technology, BorgBackup assimilates your data.</p> <p>This article shows how to back up and restore LVM Logical Volumes from local storage to FreeNAS using BorgBackup. While not for enterprise production workloads, this method works well for lab environments.</p> </section> <section id="overview-prerequisites"> <h2>Overview &amp; Prerequisites</h2> <p>This backup solution backs up LVM Logical Volumes from Single Node OpenShift local storage to FreeNAS servers using:</p> <ul class="simple"> <li><p><strong>BorgBackup</strong>: For efficient, deduplicated, encrypted backups</p></li> <li><p><strong>Container Image</strong>: Minimal image with BorgBackup and required tools</p></li> <li><p><strong>Kubernetes CronJobs</strong>: For scheduled backups of local LVM volumes</p></li> <li><p><strong>Kubernetes Pods</strong>: For restores to FreeNAS storage</p></li> <li><p><strong>Volume/Device Mounts</strong>: Direct access to LVM block devices on the SNO node</p></li> </ul> <div class="admonition note"> <p class="admonition-title">Note</p> <p>All resources in this article are available in the <a class="reference external" href="https://github.com/epheo/blog">GitHub repository</a>.</p> </div> </section> <section id="step-1-prepare-your-environment"> <h2>Step 1: Prepare Your Environment</h2> <section id="container-image"> <h3>Container Image</h3> <p>Create a container image with BorgBackup:</p> <div class="literal-block-wrapper docutils container" id="id1"> <div class="code-block-caption"><span class="caption-text">Container image definition</span></div> <div class="highlight-dockerfile notranslate"><div class="highlight"><pre><span/><span class="linenos">1</span><span class="k">FROM</span><span class="w"> </span><span class="s">fedora:latest</span> <span class="linenos">2</span> <span class="linenos">3</span><span class="k">RUN</span><span class="w"> </span>dnf<span class="w"> </span>install<span class="w"> </span>-y<span class="w"> </span>borgbackup </pre></div> </div> </div> <p>Build and push the image:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="nb">cd</span><span class="w"> </span>borg-container podman<span class="w"> </span>build<span class="w"> </span>-t<span class="w"> </span>registry.example.com/borgbackup:latest<span class="w"> </span>. podman<span class="w"> </span>push<span class="w"> </span>registry.example.com/borgbackup:latest </pre></div> </div> </section> <section id="resource-planning"> <h3>Resource Planning</h3> <p>Allocate resources for backup and restore pods:</p> <ul class="simple"> <li><p><strong>Memory</strong>: 4Gi limit (1Gi request)</p></li> <li><p><strong>CPU</strong>: 2 cores limit (500m request)</p></li> </ul> <p>These values balance performance with efficient resource usage.</p> </section> <section id="storage-architecture"> <h3>Storage Architecture</h3> <p>The backup system uses two storage mechanisms:</p> <ul class="simple"> <li><p><strong>Source LVM Storage</strong>: Direct access to LVM Logical Volumes on the SNO node</p></li> <li><p><strong>FreeNAS Repository Storage</strong>: iSCSI-based persistent volumes for BorgBackup repositories</p></li> </ul> <p>This approach enables efficient backup of LVM volumes to FreeNAS while maintaining block-level operations.</p> </section> </section> <section id="step-2-configure-and-run-backups"> <h2>Step 2: Configure and Run Backups</h2> <p>Create a CronJob for regular backups:</p> <div class="literal-block-wrapper docutils container" id="id2"> <div class="code-block-caption"><span class="caption-text">Example backup cronjob configuration</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">batch/v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">CronJob</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-backup-cronjob</span> <span class="linenos"> 5</span><span class="nt">spec</span><span class="p">:</span> <span class="hll"><span class="linenos"> 6</span><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s">"0</span><span class="nv"> </span><span class="s">0</span><span class="nv"> </span><span class="s">31</span><span class="nv"> </span><span class="s">2</span><span class="nv"> </span><span class="s">*"</span><span class="w"> </span><span class="c1"># A non-recurring time (e.g., Feb 31st)</span> </span><span class="hll"><span class="linenos"> 7</span><span class="w"> </span><span class="nt">suspend</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"> </span><span class="c1"># Prevents the job from running automatically</span> </span><span class="hll"><span class="linenos"> 8</span><span class="w"> </span><span class="nt">jobTemplate</span><span class="p">:</span> </span><span class="linenos"> 9</span><span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">template</span><span class="p">:</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">containers</span><span class="p">:</span> <span class="linenos">13</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">backup-container</span> <span class="linenos">14</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registry.desku.be/epheo/borgbackup:latest</span> <span class="linenos">15</span><span class="w"> </span><span class="nt">env</span><span class="p">:</span> <span class="linenos">16</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BORG_CONFIG_DIR</span> <span class="linenos">17</span><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/borg_config</span> <span class="linenos">18</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BORG_CACHE_DIR</span> <span class="linenos">19</span><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/borg_cache</span> <span class="linenos">20</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK</span> <span class="linenos">21</span><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s">"yes"</span> <span class="linenos">22</span><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">"/bin/bash"</span><span class="p p-Indicator">,</span><span class="w"> </span><span class="s">"-c"</span><span class="p p-Indicator">]</span> <span class="hll"><span class="linenos">23</span><span class="w"> </span><span class="nt">args</span><span class="p">:</span> </span><span class="hll"><span class="linenos">24</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="p p-Indicator">|</span> </span><span class="linenos">25</span><span class="w"> </span><span class="no">echo "Starting Windows Backup pod with two mounted PVCs"</span> <span class="linenos">26</span><span class="w"> </span><span class="no">mkdir -p $BORG_CONFIG_DIR $BORG_CACHE_DIR</span> <span class="linenos">27</span><span class="w"> </span><span class="no">borg init --encryption=none /backup/</span> <span class="linenos">28</span><span class="w"> </span><span class="no">borg create --read-special /backup::"backup-$(date +%Y-%m-%d_%H-%M-%S)" /dev/windows-block</span> <span class="linenos">29</span><span class="w"> </span><span class="nt">volumeDevices</span><span class="p">:</span> <span class="linenos">30</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">devicePath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/dev/windows-block</span> <span class="linenos">31</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-block</span> <span class="linenos">32</span><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span> <span class="linenos">33</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/backup</span> <span class="linenos">34</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-backup</span> <span class="linenos">35</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="linenos">36</span><span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="linenos">37</span><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s">"1Gi"</span> <span class="linenos">38</span><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s">"500m"</span> <span class="linenos">39</span><span class="w"> </span><span class="nt">limits</span><span class="p">:</span> <span class="linenos">40</span><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s">"4Gi"</span> <span class="linenos">41</span><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s">"2"</span> <span class="linenos">42</span><span class="w"> </span><span class="nt">restartPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OnFailure</span> <span class="linenos">43</span><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> <span class="linenos">44</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-block</span> <span class="linenos">45</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">46</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows</span> <span class="linenos">47</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-backup</span> <span class="linenos">48</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">49</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-backup</span> </pre></div> </div> </div> <p>Apply the configuration:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>backup-cronjob.yaml </pre></div> </div> <p>Run an immediate backup:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>create<span class="w"> </span>job<span class="w"> </span>--from<span class="o">=</span>cronjob/&lt;backup-cronjob-name&gt;<span class="w"> </span>manual-backup </pre></div> </div> <div class="admonition important"> <p class="admonition-title">Important</p> <p>Ensure source block devices are accessible to the backup pod.</p> </div> </section> <section id="step-3-monitor-and-manage-your-backups"> <h2>Step 3: Monitor and Manage Your Backups</h2> <section id="checking-backup-status"> <h3>Checking Backup Status</h3> <p>Monitor backup job status:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>get<span class="w"> </span><span class="nb">jobs</span> </pre></div> </div> <p>Example output:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span/>NAME COMPLETIONS DURATION AGE block-backup-manual 1/1 2m15s 10m vm-backup-1682456400 1/1 1m32s 2h </pre></div> </div> </section> <section id="examining-backup-logs"> <h3>Examining Backup Logs</h3> <p>View logs to confirm success or troubleshoot:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>logs<span class="w"> </span>&lt;pod-name&gt; </pre></div> </div> <div class="admonition tip"> <p class="admonition-title">Tip</p> <p>Use <code class="docutils literal notranslate"><span class="pre">kubectl</span> <span class="pre">logs</span> <span class="pre">-f</span> <span class="pre">&lt;pod-name&gt;</span></code> to follow logs in real-time.</p> </div> </section> <section id="managing-backup-archives"> <h3>Managing Backup Archives</h3> <p>List available backups:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Create a temporary pod with the backup volume</span> cat<span class="w"> </span><span class="s">&lt;&lt; EOF | kubectl apply -f -</span> <span class="s">apiVersion: v1</span> <span class="s">kind: Pod</span> <span class="s">metadata:</span> <span class="s"> name: borg-inspector</span> <span class="s">spec:</span> <span class="s"> containers:</span> <span class="s"> - name: borg-inspector</span> <span class="s"> image: registry.desku.be/epheo/borgbackup:latest</span> <span class="s"> command: ["sleep", "3600"]</span> <span class="s"> env:</span> <span class="s"> - name: BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK</span> <span class="s"> value: "yes"</span> <span class="s"> volumeMounts:</span> <span class="s"> - mountPath: /backup</span> <span class="s"> name: backup-volume</span> <span class="s"> volumes:</span> <span class="s"> - name: backup-volume</span> <span class="s"> persistentVolumeClaim:</span> <span class="s"> claimName: windowsdata-backup</span> <span class="s">EOF</span> <span class="c1"># Wait for the pod to start</span> kubectl<span class="w"> </span><span class="nb">wait</span><span class="w"> </span>--for<span class="o">=</span><span class="nv">condition</span><span class="o">=</span>Ready<span class="w"> </span>pod/borg-inspector <span class="c1"># List backups</span> kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>borg-inspector<span class="w"> </span>--<span class="w"> </span>borg<span class="w"> </span>list<span class="w"> </span>/backup <span class="c1"># Break a lock if needed:</span> kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>borg-inspector<span class="w"> </span>--<span class="w"> </span>borg<span class="w"> </span><span class="k">break</span>-lock<span class="w"> </span>/backup <span class="c1"># Additional commands:</span> <span class="c1"># Check repository</span> kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>borg-inspector<span class="w"> </span>--<span class="w"> </span>borg<span class="w"> </span>check<span class="w"> </span>/backup <span class="c1"># Show repository info</span> kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>borg-inspector<span class="w"> </span>--<span class="w"> </span>borg<span class="w"> </span>info<span class="w"> </span>/backup <span class="c1"># List archive contents</span> kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>borg-inspector<span class="w"> </span>--<span class="w"> </span>borg<span class="w"> </span>list<span class="w"> </span>/backup::archivename <span class="c1"># Extract files</span> kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>borg-inspector<span class="w"> </span>--<span class="w"> </span>borg<span class="w"> </span>extract<span class="w"> </span>/backup::archivename<span class="w"> </span>path/to/file <span class="c1"># Prune old archives</span> kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>borg-inspector<span class="w"> </span>--<span class="w"> </span>borg<span class="w"> </span>prune<span class="w"> </span>-v<span class="w"> </span>--list<span class="w"> </span>--keep-within<span class="o">=</span>30d<span class="w"> </span>/backup <span class="c1"># Remove the temporary pod</span> kubectl<span class="w"> </span>delete<span class="w"> </span>pod<span class="w"> </span>borg-inspector </pre></div> </div> </section> </section> <section id="step-4-restore-to-a-local-volume"> <h2>Step 4: Restore to a Local Volume</h2> <p>Restore a backup to a local volume:</p> <div class="literal-block-wrapper docutils container" id="id3"> <div class="code-block-caption"><span class="caption-text">Example restore pod configuration</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Pod</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-restore</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">epheo</span> <span class="linenos"> 6</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">containers</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">restore-container</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registry.desku.be/epheo/borgbackup:latest</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">env</span><span class="p">:</span> <span class="linenos">11</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BORG_CONFIG_DIR</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/borg_config</span> <span class="linenos">13</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BORG_CACHE_DIR</span> <span class="linenos">14</span><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/borg_cache</span> <span class="linenos">15</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s">"yes"</span> <span class="hll"><span class="linenos">17</span><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">"/bin/bash"</span><span class="p p-Indicator">,</span><span class="w"> </span><span class="s">"-c"</span><span class="p p-Indicator">]</span> </span><span class="linenos">18</span><span class="w"> </span><span class="nt">args</span><span class="p">:</span> <span class="linenos">19</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="linenos">20</span><span class="w"> </span><span class="no">echo "Starting Windows Backup pod with two mounted PVCs"</span> <span class="linenos">21</span><span class="w"> </span><span class="no">mkdir -p $BORG_CONFIG_DIR $BORG_CACHE_DIR</span> <span class="linenos">22</span><span class="w"> </span><span class="no">borg extract --progress --stdout /backup::$(borg list /backup --last 1 --format "{archive}") |dd of=/dev/windows-block</span> <span class="linenos">23</span><span class="w"> </span><span class="nt">volumeDevices</span><span class="p">:</span> <span class="linenos">24</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">devicePath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/dev/windows-block</span> <span class="linenos">25</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-block</span> <span class="linenos">26</span><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span> <span class="linenos">27</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/backup</span> <span class="linenos">28</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-backup</span> <span class="linenos">29</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="linenos">30</span><span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="linenos">31</span><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s">"1Gi"</span> <span class="linenos">32</span><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s">"500m"</span> <span class="linenos">33</span><span class="w"> </span><span class="nt">limits</span><span class="p">:</span> <span class="linenos">34</span><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s">"4Gi"</span> <span class="linenos">35</span><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s">"2"</span> <span class="linenos">36</span><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> <span class="linenos">37</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-block</span> <span class="linenos">38</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">39</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows</span> <span class="linenos">40</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-backup</span> <span class="linenos">41</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">42</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-backup</span> <span class="linenos">43</span><span class="w"> </span><span class="nt">restartPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OnFailure</span> </pre></div> </div> </div> <p>Apply the configuration:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>restore-pod.yaml </pre></div> </div> <div class="admonition important"> <p class="admonition-title">Important</p> <p>Ensure target block devices are not in use during restore.</p> </div> </section> <section id="step-5-cross-platform-restoration-process"> <h2>Step 5: Cross-Platform Restoration Process</h2> <p>This section explains how to restore backups from FreeNAS to LVM Logical Volumes on Single Node OpenShift.</p> <section id="prerequisites"> <h3>Prerequisites</h3> <p>Before starting:</p> <ul class="simple"> <li><p>Install Democratic-CSI backend on your SNO cluster</p></li> <li><p>Ensure access to FreeNAS storage with the backup repositories</p></li> <li><p>Verify permissions to create storage resources in the target namespace</p></li> </ul> <p>The process involves three steps:</p> <section id="step-5-1-create-a-reference-to-the-existing-backup-volume"> <h4>Step 5.1: Create a Reference to the Existing Backup Volume</h4> <p>Create a PersistentVolume referencing your FreeNAS volume:</p> <div class="literal-block-wrapper docutils container" id="id4"> <div class="code-block-caption"><span class="caption-text">existing-backup-pv.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PersistentVolume</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-backup-pv</span> <span class="linenos"> 5</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">capacity</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">500Gi</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">volumeMode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Filesystem</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span> <span class="linenos">10</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ReadWriteOnce</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">persistentVolumeReclaimPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Retain</span> <span class="hll"><span class="linenos">12</span><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">freenas-iscsi-csi</span> </span><span class="linenos">13</span><span class="w"> </span><span class="nt">csi</span><span class="p">:</span> <span class="hll"><span class="linenos">14</span><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">org.democratic-csi.iscsi</span> </span><span class="linenos">15</span><span class="w"> </span><span class="nt">volumeHandle</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-backup-volume-id</span><span class="w"> </span><span class="c1"># ID of your existing volume on FreeNAS</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">volumeAttributes</span><span class="p">:</span> <span class="linenos">17</span><span class="w"> </span><span class="nt">fs_type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ext4</span> </pre></div> </div> </div> <p>Apply it:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>existing-backup-pv.yaml </pre></div> </div> </section> <section id="step-5-2-create-a-claim-for-the-backup-volume"> <h4>Step 5.2: Create a Claim for the Backup Volume</h4> <p>Create a PersistentVolumeClaim:</p> <div class="literal-block-wrapper docutils container" id="id5"> <div class="code-block-caption"><span class="caption-text">existing-backup-pvc.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PersistentVolumeClaim</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-backup-pvc</span> <span class="linenos"> 5</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ReadWriteOnce</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="hll"><span class="linenos"> 9</span><span class="w"> </span><span class="nt">requests</span><span class="p">:</span> </span><span class="hll"><span class="linenos">10</span><span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">500Gi</span> </span><span class="linenos">11</span><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">freenas-iscsi-csi</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">volumeName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-backup-pv</span> </pre></div> </div> </div> <p>Apply it:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>existing-backup-pvc.yaml </pre></div> </div> </section> <section id="step-5-3-create-a-restore-pod"> <h4>Step 5.3: Create a Restore Pod</h4> <p>Create a restoration pod:</p> <div class="literal-block-wrapper docutils container" id="id6"> <div class="code-block-caption"><span class="caption-text">restore-from-backup-pod.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Pod</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">restore-from-existing-backup</span> <span class="linenos"> 5</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">containers</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">restore-container</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registry.desku.be/epheo/borgbackup:latest</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">env</span><span class="p">:</span> <span class="linenos">10</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BORG_CONFIG_DIR</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/borg_config</span> <span class="linenos">12</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BORG_CACHE_DIR</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/borg_cache</span> <span class="linenos">14</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK</span> <span class="hll"><span class="linenos">15</span><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s">"yes"</span> </span><span class="linenos">16</span><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">"/bin/bash"</span><span class="p p-Indicator">,</span><span class="w"> </span><span class="s">"-c"</span><span class="p p-Indicator">]</span> <span class="linenos">17</span><span class="w"> </span><span class="nt">args</span><span class="p">:</span> <span class="linenos">18</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="hll"><span class="linenos">19</span><span class="w"> </span><span class="no">mkdir -p $BORG_CONFIG_DIR $BORG_CACHE_DIR</span> </span><span class="hll"><span class="linenos">20</span><span class="w"> </span><span class="no">borg extract --progress --stdout /existing-backup::$(borg list /existing-backup --last 1 --format "{archive}") | dd of=/dev/target-block bs=4M status=progress</span> </span><span class="linenos">21</span><span class="w"> </span><span class="nt">volumeDevices</span><span class="p">:</span> <span class="linenos">22</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">devicePath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/dev/target-block</span> <span class="linenos">23</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">target-block-device</span> <span class="linenos">24</span><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span> <span class="linenos">25</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/existing-backup</span> <span class="linenos">26</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-backup-volume</span> <span class="linenos">27</span><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> <span class="linenos">28</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-backup-volume</span> <span class="linenos">29</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">30</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-backup-pvc</span> <span class="linenos">31</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">target-block-device</span> <span class="linenos">32</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">33</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">target-device-pvc</span> </pre></div> </div> </div> <p>Apply it:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>restore-from-backup-pod.yaml </pre></div> </div> </section> </section> </section> <section id="step-6-verify-the-restoration"> <h2>Step 6: Verify the Restoration</h2> <p>Verify restored data:</p> <div class="literal-block-wrapper docutils container" id="id7"> <div class="code-block-caption"><span class="caption-text">Verification commands</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="w"> </span><span class="c1"># Create verification directory</span> <span class="w"> </span>kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>restore-from-existing-backup<span class="w"> </span>--<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/mnt/verify <span class="w"> </span><span class="c1"># Mount the restored device</span> <span class="w"> </span>kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>restore-from-existing-backup<span class="w"> </span>--<span class="w"> </span>mount<span class="w"> </span>/dev/target-block<span class="w"> </span>/mnt/verify <span class="w"> </span><span class="c1"># Check contents</span> <span class="w"> </span>kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>restore-from-existing-backup<span class="w"> </span>--<span class="w"> </span>ls<span class="w"> </span>-la<span class="w"> </span>/mnt/verify </pre></div> </div> </div> <div class="admonition tip"> <p class="admonition-title">Tip</p> <p>For block devices with partition tables, use <code class="docutils literal notranslate"><span class="pre">fdisk</span> <span class="pre">-l</span> <span class="pre">/dev/target-block</span></code> before mounting.</p> </div> </section> <section id="step-7-directly-using-existing-block-devices-with-kubernetes"> <h2>Step 7: Directly Using Existing Block Devices with Kubernetes</h2> <p>Recent OpenShift versions can reinstall without wiping disks, preserving LVM Logical Volumes for recovery after reinstallation.</p> <section id="identifying-available-block-devices"> <h3>Identifying Available Block Devices</h3> <p>Identify block devices:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># From a debug pod</span> oc<span class="w"> </span>debug<span class="w"> </span>node/&lt;node-name&gt; chroot<span class="w"> </span>/host <span class="c1"># List devices</span> lsblk <span class="c1"># Get device info</span> blkid<span class="w"> </span>/dev/sdX </pre></div> </div> </section> <section id="direct-persistentvolume-approach"> <h3>Direct PersistentVolume Approach</h3> <p>Create a PersistentVolume referencing the block device:</p> <div class="literal-block-wrapper docutils container" id="id8"> <div class="code-block-caption"><span class="caption-text">local-pv.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PersistentVolume</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-block-pv</span> <span class="linenos"> 5</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">capacity</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">50Gi</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">volumeMode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Block</span><span class="w"> </span><span class="c1"># Use Block for raw device or Filesystem for formatted</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span> <span class="linenos">10</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ReadWriteOnce</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">persistentVolumeReclaimPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Retain</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">local-storage</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">local</span><span class="p">:</span> <span class="linenos">14</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/dev/sdX</span><span class="w"> </span><span class="c1"># Replace with your device path</span> <span class="linenos">15</span><span class="w"> </span><span class="nt">nodeAffinity</span><span class="p">:</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">required</span><span class="p">:</span> <span class="linenos">17</span><span class="w"> </span><span class="nt">nodeSelectorTerms</span><span class="p">:</span> <span class="linenos">18</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span> <span class="linenos">19</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/hostname</span> <span class="linenos">20</span><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">In</span> <span class="linenos">21</span><span class="w"> </span><span class="nt">values</span><span class="p">:</span> <span class="linenos">22</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sno-node-01</span><span class="w"> </span><span class="c1"># Replace with your node name</span> </pre></div> </div> </div> <p>Apply it:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>local-pv.yaml </pre></div> </div> </section> <section id="creating-a-persistentvolumeclaim"> <h3>Creating a PersistentVolumeClaim</h3> <p>Create a PersistentVolumeClaim:</p> <div class="literal-block-wrapper docutils container" id="id9"> <div class="code-block-caption"><span class="caption-text">local-pvc.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PersistentVolumeClaim</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-block-pvc</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-namespace</span> <span class="linenos"> 6</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">volumeMode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Block</span><span class="w"> </span><span class="c1"># Must match the PV's volumeMode</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span> <span class="linenos"> 9</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ReadWriteOnce</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">50Gi</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">volumeName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-block-pv</span><span class="w"> </span><span class="c1"># Reference the PV by name</span> <span class="linenos">14</span><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">local-storage</span> </pre></div> </div> </div> <p>Apply it:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>local-pvc.yaml </pre></div> </div> </section> <section id="using-the-block-device-in-a-pod"> <h3>Using the Block Device in a Pod</h3> <p>Use the block device in a pod:</p> <div class="literal-block-wrapper docutils container" id="id10"> <div class="code-block-caption"><span class="caption-text">block-device-pod.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Pod</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">block-device-pod</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-namespace</span> <span class="linenos"> 6</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">containers</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">block-user</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registry.access.redhat.com/ubi8/ubi-minimal:latest</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">"sleep"</span><span class="p p-Indicator">,</span><span class="w"> </span><span class="s">"infinity"</span><span class="p p-Indicator">]</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">volumeDevices</span><span class="p">:</span><span class="w"> </span><span class="c1"># Use volumeDevices for Block mode</span> <span class="hll"><span class="linenos">12</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">block-vol</span> </span><span class="hll"><span class="linenos">13</span><span class="w"> </span><span class="nt">devicePath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/dev/xvda</span><span class="w"> </span><span class="c1"># Device path in container</span> </span><span class="hll"><span class="linenos">14</span><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> </span><span class="linenos">15</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">block-vol</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">17</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">existing-block-pvc</span> </pre></div> </div> </div> <p>Apply it:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>block-device-pod.yaml </pre></div> </div> </section> <section id="verification"> <h3>Verification</h3> <p>Verify access to the block device:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Check pod status</span> kubectl<span class="w"> </span>get<span class="w"> </span>pod<span class="w"> </span>-n<span class="w"> </span>my-namespace<span class="w"> </span>block-device-pod <span class="c1"># Verify block device</span> kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>-n<span class="w"> </span>my-namespace<span class="w"> </span>block-device-pod<span class="w"> </span>--<span class="w"> </span>lsblk <span class="c1"># Format and mount if needed</span> kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>-n<span class="w"> </span>my-namespace<span class="w"> </span>block-device-pod<span class="w"> </span>--<span class="w"> </span>mkfs.ext4<span class="w"> </span>/dev/xvda kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>-n<span class="w"> </span>my-namespace<span class="w"> </span>block-device-pod<span class="w"> </span>--<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/mnt/data kubectl<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>-n<span class="w"> </span>my-namespace<span class="w"> </span>block-device-pod<span class="w"> </span>--<span class="w"> </span>mount<span class="w"> </span>/dev/xvda<span class="w"> </span>/mnt/data </pre></div> </div> <div class="admonition tip"> <p class="admonition-title">Tip</p> <p>Skip formatting for existing formatted devices.</p> </div> <p>This approach gives direct access to block devices while managing them through Kubernetes.</p> </section> </section> <section id="resources-and-references"> <h2>Resources and References</h2> <p>Additional resources:</p> <ul class="simple"> <li><p><a class="reference external" href="https://borgbackup.readthedocs.io/en/stable/deployment/image-backup.html">BorgBackup Image Backup Documentation</a></p></li> <li><p><a class="reference external" href="https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/">Kubernetes CronJob Documentation</a></p></li> <li><p><a class="reference external" href="https://kubernetes.io/docs/concepts/storage/persistent-volumes/">Kubernetes Persistent Volumes</a></p></li> </ul> </section> Fri, 25 Apr 2025 00:00:00 OpenStack OVN Networking - Deep Dive and Debugginghttps://blog.epheo.eu/debug/openstack-ovn.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Aug 22, 2025</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>12 min read</p> </div> </div> </div> </div> </div> </div> <p>OVN (Open Virtual Network) provides advanced networking capabilities for OpenStack environments. This article explores how to debug, analyze and understand OVN’s networking components within an OpenStack deployment, helping you troubleshoot and gain deeper insights into the networking layer.</p> <section id="locating-ovn-services"> <h2>Locating OVN Services</h2> <p>OVN in OpenStack typically runs as a clustered service. First, we need to identify where these services are running in our environment.</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># pcs status</span> Container<span class="w"> </span>bundle<span class="w"> </span>set:<span class="w"> </span>ovn-dbs-bundle<span class="w"> </span><span class="o">[</span>undercloud-0.ctlplane.redhat.local:8787/rh-osbs/rhosp16-openstack-ovn-northd:pcmklatest<span class="o">]</span> <span class="w"> </span>ovn-dbs-bundle-0<span class="w"> </span><span class="o">(</span>ocf::ovn:ovndb-servers<span class="o">)</span>:<span class="w"> </span>Master<span class="w"> </span>controller-3 <span class="w"> </span>ovn-dbs-bundle-1<span class="w"> </span><span class="o">(</span>ocf::ovn:ovndb-servers<span class="o">)</span>:<span class="w"> </span>Slave<span class="w"> </span>controller-0 <span class="w"> </span>ovn-dbs-bundle-2<span class="w"> </span><span class="o">(</span>ocf::ovn:ovndb-servers<span class="o">)</span>:<span class="w"> </span>Slave<span class="w"> </span>controller-2 <span class="w"> </span>ip-172.17.1.200<span class="w"> </span><span class="o">(</span>ocf::heartbeat:IPaddr2<span class="o">)</span>:<span class="w"> </span>Started<span class="w"> </span>controller-1 </pre></div> </div> <p>We can also inspect the detailed properties of the OVN database service:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># pcs resource show ovn-dbs-bundle</span> Resource:<span class="w"> </span>ovndb_servers<span class="w"> </span><span class="o">(</span><span class="nv">class</span><span class="o">=</span>ocf<span class="w"> </span><span class="nv">provider</span><span class="o">=</span>ovn<span class="w"> </span><span class="nv">type</span><span class="o">=</span>ovndb-servers<span class="o">)</span> <span class="w"> </span>Attributes:<span class="w"> </span><span class="nv">inactive_probe_interval</span><span class="o">=</span><span class="m">180000</span><span class="w"> </span><span class="nv">manage_northd</span><span class="o">=</span>yes<span class="w"> </span><span class="nv">master_ip</span><span class="o">=</span><span class="m">172</span>.17.1.179<span class="w"> </span><span class="nv">nb_master_port</span><span class="o">=</span><span class="m">6641</span><span class="w"> </span><span class="nv">sb_master_port</span><span class="o">=</span><span class="m">6642</span> <span class="w"> </span>Meta<span class="w"> </span>Attrs:<span class="w"> </span>container-attribute-target<span class="o">=</span>host<span class="w"> </span><span class="nv">notify</span><span class="o">=</span><span class="nb">true</span> <span class="w"> </span>Operations:<span class="w"> </span>demote<span class="w"> </span><span class="nv">interval</span><span class="o">=</span>0s<span class="w"> </span><span class="nv">timeout</span><span class="o">=</span>50s<span class="w"> </span><span class="o">(</span>ovndb_servers-demote-interval-0s<span class="o">)</span> <span class="w"> </span>monitor<span class="w"> </span><span class="nv">interval</span><span class="o">=</span>10s<span class="w"> </span><span class="nv">role</span><span class="o">=</span>Master<span class="w"> </span><span class="nv">timeout</span><span class="o">=</span>60s<span class="w"> </span><span class="o">(</span>ovndb_servers-monitor-interval-10s<span class="o">)</span> <span class="w"> </span>monitor<span class="w"> </span><span class="nv">interval</span><span class="o">=</span>30s<span class="w"> </span><span class="nv">role</span><span class="o">=</span>Slave<span class="w"> </span><span class="nv">timeout</span><span class="o">=</span>60s<span class="w"> </span><span class="o">(</span>ovndb_servers-monitor-interval-30s<span class="o">)</span> <span class="w"> </span>notify<span class="w"> </span><span class="nv">interval</span><span class="o">=</span>0s<span class="w"> </span><span class="nv">timeout</span><span class="o">=</span>20s<span class="w"> </span><span class="o">(</span>ovndb_servers-notify-interval-0s<span class="o">)</span> <span class="w"> </span>promote<span class="w"> </span><span class="nv">interval</span><span class="o">=</span>0s<span class="w"> </span><span class="nv">timeout</span><span class="o">=</span>50s<span class="w"> </span><span class="o">(</span>ovndb_servers-promote-interval-0s<span class="o">)</span> <span class="w"> </span>start<span class="w"> </span><span class="nv">interval</span><span class="o">=</span>0s<span class="w"> </span><span class="nv">timeout</span><span class="o">=</span>200s<span class="w"> </span><span class="o">(</span>ovndb_servers-start-interval-0s<span class="o">)</span> <span class="w"> </span>stop<span class="w"> </span><span class="nv">interval</span><span class="o">=</span>0s<span class="w"> </span><span class="nv">timeout</span><span class="o">=</span>200s<span class="w"> </span><span class="o">(</span>ovndb_servers-stop-interval-0s<span class="o">)</span> </pre></div> </div> </section> <section id="executing-ovn-commands-in-the-cluster"> <h2>Executing OVN Commands in the Cluster</h2> <p>Before executing OVN commands, we need to identify which node is running the OVN databases as the master:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>$<span class="w"> </span>ansible<span class="w"> </span>-b<span class="w"> </span>-i<span class="w"> </span>/usr/bin/tripleo-ansible-inventory<span class="w"> </span>-m<span class="w"> </span>shell<span class="w"> </span>-a<span class="w"> </span><span class="s2">"pcs status | grep ovn-dbs-bundle | grep Master"</span><span class="w"> </span>controller-2 controller-3<span class="w"> </span><span class="p">|</span><span class="w"> </span>CHANGED<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="nv">rc</span><span class="o">=</span><span class="m">0</span><span class="w"> </span>&gt;&gt; <span class="w"> </span>ovn-dbs-bundle-0<span class="w"> </span><span class="o">(</span>ocf::ovn:ovndb-servers<span class="o">)</span>:<span class="w"> </span>Master<span class="w"> </span>controller-0 </pre></div> </div> <p>Now that we’ve identified the master node, we can execute read/write operations directly against the OVN Northbound (NB) and Southbound (SB) databases from the corresponding container:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># On the master controller node (controller-2)</span> <span class="o">[</span>root@controller-0<span class="w"> </span>~<span class="o">]</span><span class="c1"># podman exec -it ovn-dbs-bundle-podman-0 bash</span> <span class="c1"># Creating a test logical switch</span> <span class="o">()[</span>root@controller-1<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-nbctl ls-add ovn_test_lswitch</span> <span class="c1"># Verifying the switch was created</span> <span class="o">()[</span>root@controller-3<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-nbctl ls-list | grep ovn_test_lswitch</span> 9905fd23-1ed2-4f57-b220-77b008b2116e<span class="w"> </span><span class="o">(</span>ovn_test_lswitch<span class="o">)</span> <span class="c1"># Deleting the test switch</span> <span class="o">()[</span>root@controller-1<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-nbctl ls-del ovn_test_lswitch</span> <span class="c1"># Confirming the switch was deleted</span> <span class="o">()[</span>root@controller-2<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-nbctl ls-list | grep -c ovn_test_lswitch</span> <span class="m">0</span> </pre></div> </div> </section> <section id="remote-ovn-database-access"> <h2>Remote OVN Database Access</h2> <p>We can also run commands from non-master nodes, but we need the Virtual IP (VIP) of the OVN database service:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">[</span>root@controller-2<span class="w"> </span>~<span class="o">]</span><span class="c1"># ovs-vsctl get Open_Vswitch . external_ids:ovn-remote | cut -d':' -f 2</span> <span class="m">172</span>.17.1.213 </pre></div> </div> <p>Using the IP address obtained above, we can execute commands against the OVN databases from any node:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Creating a test logical switch in the NB database</span> <span class="o">()[</span>root@controller-1<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-nbctl --db="tcp:172.17.1.59:6641" ls-add ovn_test_lswitch</span> <span class="c1"># Removing the test logical switch</span> <span class="o">()[</span>root@controller-3<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-nbctl --db="tcp:172.17.1.156:6641" ls-del ovn_test_lswitch</span> <span class="c1"># Creating a test chassis in the SB database</span> <span class="o">()[</span>root@controller-0<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-sbctl --db="tcp:172.17.1.49:6642" chassis-add ovn_test_chassis geneve 127.0.0.1</span> <span class="c1"># Removing the test chassis</span> <span class="o">()[</span>root@controller-1<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-sbctl --db="tcp:172.17.1.170:6642" chassis-del ovn_test_chassis</span> </pre></div> </div> <p>Note: By default, TCP port 6641 is used for the OVN Northbound database and 6642 for the OVN Southbound database.</p> </section> <section id="understanding-ovn-database-structure"> <h2>Understanding OVN Database Structure</h2> <p>OVN uses two databases to manage the network: the Northbound (NB) and Southbound (SB) databases. Let’s explore their contents to understand how the logical and physical elements relate.</p> <section id="northbound-database-logical-network-elements"> <h3>Northbound Database - Logical Network Elements</h3> <p>The Northbound database defines all the logical networking elements configured through Neutron. By examining this database, we can see the logical routers, ports, and NAT rules:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">()[</span>root@controller-1<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-nbctl show</span> <span class="o">[</span>...<span class="o">]</span> router<span class="w"> </span>a6b22fb8-6d75-4849-9650-5e255d023591<span class="w"> </span><span class="o">(</span>neutron-a929f25e-e00f-4857-9e35-e0db72c396f2<span class="o">)</span><span class="w"> </span><span class="o">(</span>aka<span class="w"> </span>router1<span class="o">)</span> <span class="w"> </span>port<span class="w"> </span>lrp-36ba33f2-31fc-4f41-a86d-7a8dc6a6bcb6<span class="w"> </span>&lt;-<span class="w"> </span>private1<span class="w"> </span>subnet<span class="w"> </span>interface <span class="w"> </span>mac:<span class="w"> </span><span class="s2">"fa:16:3e:09:9a:bf"</span> <span class="w"> </span>networks:<span class="w"> </span><span class="o">[</span><span class="s2">"192.168.30.1/24"</span><span class="o">]</span> <span class="w"> </span>port<span class="w"> </span>lrp-5c3d686a-1918-4663-88c3-cdd9faa1d3b2<span class="w"> </span>&lt;-<span class="w"> </span>public<span class="w"> </span>subnet<span class="w"> </span>interface <span class="w"> </span>mac:<span class="w"> </span><span class="s2">"fa:16:3e:40:f8:46"</span> <span class="w"> </span>networks:<span class="w"> </span><span class="o">[</span><span class="s2">"10.0.0.36/24"</span><span class="o">]</span> <span class="w"> </span>gateway<span class="w"> </span>chassis:<span class="w"> </span><span class="o">[</span>21347b99-e853-4aa8-b7da-82aee8aa972a<span class="w"> </span>50cf1414-5c00-4aa9-a1d7-8a45de1a72ae<span class="w"> </span>956d66be-6c1a-437f-88ae-247045816147<span class="o">]</span> <span class="w"> </span>port<span class="w"> </span>lrp-b139f4e9-01b9-4642-8835-5790ba8b1142<span class="w"> </span>&lt;-<span class="w"> </span>private2<span class="w"> </span>subnet<span class="w"> </span>interface <span class="w"> </span>mac:<span class="w"> </span><span class="s2">"fa:16:3e:b4:08:73"</span> <span class="w"> </span>networks:<span class="w"> </span><span class="o">[</span><span class="s2">"192.168.40.1/24"</span><span class="o">]</span> <span class="w"> </span>nat<span class="w"> </span>6401e181-0479-4a70-bd9e-06b8ecd83d21<span class="w"> </span>&lt;-<span class="w"> </span>Floating<span class="w"> </span>IP <span class="w"> </span>external<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"10.0.0.130"</span> <span class="w"> </span>logical<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"192.168.40.66"</span> <span class="w"> </span>type:<span class="w"> </span><span class="s2">"dnat_and_snat"</span> <span class="w"> </span>nat<span class="w"> </span>24adb45d-d48a-4c33-84e2-f9642d1a66ae<span class="w"> </span>&lt;-<span class="w"> </span>SNAT<span class="w"> </span>rule<span class="w"> </span><span class="k">for</span><span class="w"> </span>private1<span class="w"> </span>subnet <span class="w"> </span>external<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"10.0.0.182"</span> <span class="w"> </span>logical<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"192.168.30.0/24"</span> <span class="w"> </span>type:<span class="w"> </span><span class="s2">"snat"</span> <span class="w"> </span>nat<span class="w"> </span>f1d6bb14-0f2e-4682-85a8-7b2a92b994bf<span class="w"> </span>&lt;-<span class="w"> </span>Floating<span class="w"> </span>IP <span class="w"> </span>external<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"10.0.0.6"</span> <span class="w"> </span>logical<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"192.168.40.25"</span> <span class="w"> </span>type:<span class="w"> </span><span class="s2">"dnat_and_snat"</span> <span class="w"> </span>nat<span class="w"> </span>182b12fd-e2aa-46c4-adcb-71e6d8276c04<span class="w"> </span>&lt;-<span class="w"> </span>Floating<span class="w"> </span>IP <span class="w"> </span>external<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"10.0.0.146"</span> <span class="w"> </span>logical<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"192.168.30.108"</span> <span class="w"> </span>type:<span class="w"> </span><span class="s2">"dnat_and_snat"</span> <span class="w"> </span>nat<span class="w"> </span>22a78989-5a46-4590-9532-9f31fa783b5a<span class="w"> </span>&lt;-<span class="w"> </span>SNAT<span class="w"> </span>rule<span class="w"> </span><span class="k">for</span><span class="w"> </span>private2<span class="w"> </span>subnet <span class="w"> </span>external<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"10.0.0.194"</span> <span class="w"> </span>logical<span class="w"> </span>ip:<span class="w"> </span><span class="s2">"192.168.40.0/24"</span> <span class="w"> </span>type:<span class="w"> </span><span class="s2">"snat"</span> </pre></div> </div> </section> <section id="southbound-database-physical-mapping"> <h3>Southbound Database - Physical Mapping</h3> <p>The Southbound database maps the logical elements to physical locations in the infrastructure. By examining this database, we can see where instances and network elements are actually running:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">()[</span>root@controller-3<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-sbctl show</span> Chassis<span class="w"> </span><span class="s2">"0140f271-2811-47f5-8174-5ca281aaeb41"</span> <span class="w"> </span>hostname:<span class="w"> </span><span class="s2">"compute-2.redhat.local"</span> <span class="w"> </span>Encap<span class="w"> </span>geneve <span class="w"> </span>ip:<span class="w"> </span><span class="s2">"172.17.2.86"</span> <span class="w"> </span>options:<span class="w"> </span><span class="o">{</span><span class="nv">csum</span><span class="o">=</span><span class="s2">"true"</span><span class="o">}</span> <span class="w"> </span>Port_Binding<span class="w"> </span><span class="s2">"a2ff1c60-c074-47c4-9c1e-c768ade269cb"</span><span class="w"> </span>&lt;-<span class="w"> </span>private2_vm1<span class="w"> </span><span class="k">in</span><span class="w"> </span>compute-1 <span class="w"> </span>Port_Binding<span class="w"> </span><span class="s2">"b631ec31-d634-430c-b50e-1b7819ce7dbd"</span><span class="w"> </span>&lt;-<span class="w"> </span>private1_vm1<span class="w"> </span><span class="k">in</span><span class="w"> </span>compute-0 Chassis<span class="w"> </span><span class="s2">"554f96ab-2f35-40c6-a5eb-764067db3188"</span> <span class="w"> </span>hostname:<span class="w"> </span><span class="s2">"compute-0.redhat.local"</span> <span class="w"> </span>Encap<span class="w"> </span>geneve <span class="w"> </span>ip:<span class="w"> </span><span class="s2">"172.17.2.36"</span> <span class="w"> </span>options:<span class="w"> </span><span class="o">{</span><span class="nv">csum</span><span class="o">=</span><span class="s2">"true"</span><span class="o">}</span> <span class="w"> </span>Port_Binding<span class="w"> </span><span class="s2">"2d6249e2-d05c-48fd-81c6-7831cfe107b3"</span><span class="w"> </span>&lt;-<span class="w"> </span>private1_vm2<span class="w"> </span><span class="k">in</span><span class="w"> </span>compute-3 <span class="w"> </span>Port_Binding<span class="w"> </span><span class="s2">"4b0b7e46-9217-4267-a090-418873a8b6f0"</span><span class="w"> </span>&lt;-<span class="w"> </span>private2_vm2<span class="w"> </span><span class="k">in</span><span class="w"> </span>compute-3 Chassis<span class="w"> </span><span class="s2">"21347b99-e853-4aa8-b7da-82aee8aa972a"</span> <span class="w"> </span>hostname:<span class="w"> </span><span class="s2">"controller-2.redhat.local"</span> <span class="w"> </span>Encap<span class="w"> </span>geneve <span class="w"> </span>ip:<span class="w"> </span><span class="s2">"172.17.2.83"</span> <span class="w"> </span>options:<span class="w"> </span><span class="o">{</span><span class="nv">csum</span><span class="o">=</span><span class="s2">"true"</span><span class="o">}</span> <span class="w"> </span>Port_Binding<span class="w"> </span><span class="s2">"cr-lrp-5c3d686a-1918-4663-88c3-cdd9faa1d3b2"</span><span class="w"> </span>&lt;-<span class="w"> </span>Gateway<span class="w"> </span>port<span class="w"> </span><span class="k">in</span><span class="w"> </span>controller-2<span class="w"> </span><span class="o">(</span>SNAT<span class="w"> </span>traffic<span class="o">)</span> <span class="o">[</span>...<span class="o">]</span> </pre></div> </div> </section> </section> <section id="tracing-security-group-rules-through-ovn"> <h2>Tracing Security Group Rules Through OVN</h2> <p>One of the most powerful aspects of OVN is being able to trace how a Neutron Security Group Rule (SGR) is translated through the networking stack. We can follow the path from:</p> <ol class="arabic simple"> <li><p>Neutron Security Group Rule</p></li> <li><p>OVN Access Control List (ACL)</p></li> <li><p>Logical Flow in the Southbound DB</p></li> <li><p>OpenFlow rules on compute nodes</p></li> </ol> <p>Let’s start by examining a security group rule in Neutron:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">(</span>overcloud<span class="o">)</span><span class="w"> </span><span class="o">[</span>stack@undercloud-0<span class="w"> </span>~<span class="o">]</span>$<span class="w"> </span>openstack<span class="w"> </span>security<span class="w"> </span>group<span class="w"> </span>rule<span class="w"> </span>list +--------------------------------------+-------------+-----------+-------------------+------------+--------------------------------------+--------------------------------------+ <span class="p">|</span><span class="w"> </span>ID<span class="w"> </span><span class="p">|</span><span class="w"> </span>IP<span class="w"> </span>Protocol<span class="w"> </span><span class="p">|</span><span class="w"> </span>Ethertype<span class="w"> </span><span class="p">|</span><span class="w"> </span>IP<span class="w"> </span>Range<span class="w"> </span><span class="p">|</span><span class="w"> </span>Port<span class="w"> </span>Range<span class="w"> </span><span class="p">|</span><span class="w"> </span>Remote<span class="w"> </span>Security<span class="w"> </span>Group<span class="w"> </span><span class="p">|</span><span class="w"> </span>Security<span class="w"> </span>Group<span class="w"> </span><span class="p">|</span> +--------------------------------------+-------------+-----------+-------------------+------------+--------------------------------------+--------------------------------------+ <span class="p">|</span><span class="w"> </span>0a6cfa3d-9291-4331-8e52-82b7e3800200<span class="w"> </span><span class="p">|</span><span class="w"> </span>tcp<span class="w"> </span><span class="p">|</span><span class="w"> </span>IPv4<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">192</span>.168.13.116/30<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">9999</span>:9999<span class="w"> </span><span class="p">|</span><span class="w"> </span>None<span class="w"> </span><span class="p">|</span><span class="w"> </span>3e484201-4fba-4d47-b18c-a515b6a1b8f3<span class="w"> </span><span class="p">|</span> +--------------------------------------+-------------+-----------+-------------------+------------+--------------------------------------+--------------------------------------+ </pre></div> </div> <p>Next, we can find the corresponding ACL entry in the OVN Northbound database by searching for the security group rule ID:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">()[</span>root@controller-2<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-nbctl find ACL external_ids:"neutron\:security_group_rule_id"=0a6cfa3d-9291-4331-8e52-82b7e3800200</span> _uuid<span class="w"> </span>:<span class="w"> </span>fc662a6a-1228-4c04-b1bf-3cb6f6e61c91 action<span class="w"> </span>:<span class="w"> </span>allow-related direction<span class="w"> </span>:<span class="w"> </span>to-lport external_ids<span class="w"> </span>:<span class="w"> </span><span class="o">{</span><span class="s2">"neutron:security_group_rule_id"</span><span class="o">=</span><span class="s2">"0a6cfa3d-9291-4331-8e52-82b7e3800200"</span><span class="o">}</span> label<span class="w"> </span>:<span class="w"> </span><span class="m">0</span> log<span class="w"> </span>:<span class="w"> </span><span class="nb">false</span> match<span class="w"> </span>:<span class="w"> </span><span class="s2">"outport == @pg_3e484201_4fba_4d47_b18c_a515b6a1b8f3 &amp;&amp; ip4 &amp;&amp; ip4.src == 192.168.13.20/30 &amp;&amp; tcp &amp;&amp; tcp.dst == 9999"</span> priority<span class="w"> </span>:<span class="w"> </span><span class="m">1002</span> </pre></div> </div> <p>Then, we can search for the corresponding logical flows in the Southbound database using the ACL’s UUID prefix:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">()[</span>root@controller-2<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-sbctl find Logical_Flow external_ids:stage-hint=59ec7790</span> _uuid<span class="w"> </span>:<span class="w"> </span>0e465ba7-2a0d-45c8-9401-4446d8776c71 actions<span class="w"> </span>:<span class="w"> </span><span class="s2">"next;"</span> external_ids<span class="w"> </span>:<span class="w"> </span><span class="o">{</span><span class="nv">source</span><span class="o">=</span><span class="s2">"northd.c:6108"</span>,<span class="w"> </span>stage-hint<span class="o">=</span><span class="s2">"59ec7790"</span>,<span class="w"> </span>stage-name<span class="o">=</span>ls_out_acl<span class="o">}</span> logical_datapath<span class="w"> </span>:<span class="w"> </span>334f6950-34fc-474d-8897-84a2d13846a0 match<span class="w"> </span>:<span class="w"> </span><span class="s2">"reg0[8] == 1 &amp;&amp; (outport == @pg_3e484201_4fba_4d47_b18c_a515b6a1b8f3 &amp;&amp; ip4 &amp;&amp; ip4.src == 192.168.13.186/30 &amp;&amp; tcp &amp;&amp; tcp.dst == 9999)"</span> pipeline<span class="w"> </span>:<span class="w"> </span>egress priority<span class="w"> </span>:<span class="w"> </span><span class="m">2002</span> table_id<span class="w"> </span>:<span class="w"> </span><span class="m">4</span> <span class="nb">hash</span><span class="w"> </span>:<span class="w"> </span><span class="m">0</span> _uuid<span class="w"> </span>:<span class="w"> </span><span class="m">48213015</span>-8c4e-4383-a564-83d5ca516695 actions<span class="w"> </span>:<span class="w"> </span><span class="s2">"reg0[1] = 1; next;"</span> external_ids<span class="w"> </span>:<span class="w"> </span><span class="o">{</span><span class="nv">source</span><span class="o">=</span><span class="s2">"northd.c:6084"</span>,<span class="w"> </span>stage-hint<span class="o">=</span><span class="s2">"59ec7790"</span>,<span class="w"> </span>stage-name<span class="o">=</span>ls_out_acl<span class="o">}</span> logical_datapath<span class="w"> </span>:<span class="w"> </span>334f6950-34fc-474d-8897-84a2d13846a0 match<span class="w"> </span>:<span class="w"> </span><span class="s2">"reg0[7] == 1 &amp;&amp; (outport == @pg_3e484201_4fba_4d47_b18c_a515b6a1b8f3 &amp;&amp; ip4 &amp;&amp; ip4.src == 192.168.13.17/30 &amp;&amp; tcp &amp;&amp; tcp.dst == 9999)"</span> pipeline<span class="w"> </span>:<span class="w"> </span>egress priority<span class="w"> </span>:<span class="w"> </span><span class="m">2002</span> table_id<span class="w"> </span>:<span class="w"> </span><span class="m">4</span> <span class="nb">hash</span><span class="w"> </span>:<span class="w"> </span><span class="m">0</span> </pre></div> </div> <p>Finally, we can verify the actual OpenFlow rules installed on the compute nodes that implement these logical flows:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">[</span>root@compute-0<span class="w"> </span>~<span class="o">]</span><span class="c1"># for i in 1c09a74f 4663ae1f; do ovs-ofctl dump-flows br-int | grep $i; done</span> <span class="w"> </span><span class="nv">cookie</span><span class="o">=</span>0x58a831c2,<span class="w"> </span><span class="nv">duration</span><span class="o">=</span><span class="m">134139</span>.172s,<span class="w"> </span><span class="nv">table</span><span class="o">=</span><span class="m">44</span>,<span class="w"> </span><span class="nv">n_packets</span><span class="o">=</span><span class="m">0</span>,<span class="w"> </span><span class="nv">n_bytes</span><span class="o">=</span><span class="m">0</span>,<span class="w"> </span><span class="nv">idle_age</span><span class="o">=</span><span class="m">18910</span>,<span class="w"> </span><span class="nv">hard_age</span><span class="o">=</span><span class="m">4013</span>,<span class="w"> </span><span class="nv">priority</span><span class="o">=</span><span class="m">2002</span>,tcp,reg0<span class="o">=</span>0x100/0x100,reg15<span class="o">=</span>0x3,metadata<span class="o">=</span>0x8,nw_src<span class="o">=</span><span class="m">192</span>.168.13.144/30,tp_dst<span class="o">=</span><span class="m">9999</span><span class="w"> </span><span class="nv">actions</span><span class="o">=</span>resubmit<span class="o">(</span>,45<span class="o">)</span> <span class="w"> </span><span class="nv">cookie</span><span class="o">=</span>0xf2e670b7,<span class="w"> </span><span class="nv">duration</span><span class="o">=</span><span class="m">128550</span>.798s,<span class="w"> </span><span class="nv">table</span><span class="o">=</span><span class="m">44</span>,<span class="w"> </span><span class="nv">n_packets</span><span class="o">=</span><span class="m">0</span>,<span class="w"> </span><span class="nv">n_bytes</span><span class="o">=</span><span class="m">0</span>,<span class="w"> </span><span class="nv">idle_age</span><span class="o">=</span><span class="m">9762</span>,<span class="w"> </span><span class="nv">hard_age</span><span class="o">=</span><span class="m">8793</span>,<span class="w"> </span><span class="nv">priority</span><span class="o">=</span><span class="m">2002</span>,tcp,reg0<span class="o">=</span>0x80/0x80,reg15<span class="o">=</span>0x3,metadata<span class="o">=</span>0x8,nw_src<span class="o">=</span><span class="m">192</span>.168.13.31/30,tp_dst<span class="o">=</span><span class="m">9999</span><span class="w"> </span><span class="nv">actions</span><span class="o">=</span>load:0x1-&gt;NXM_NX_XXREG0<span class="o">[</span><span class="m">97</span><span class="o">]</span>,resubmit<span class="o">(</span>,45<span class="o">)</span> <span class="c1"># We can also check specific flows for specific ports</span> <span class="o">[</span>root@compute-0<span class="w"> </span>~<span class="o">]</span><span class="c1"># ovs-ofctl dump-flows br-int table=65 | grep 'reg15=0x3,metadata=0x8'</span> <span class="o">[</span>root@compute-2<span class="w"> </span>~<span class="o">]</span><span class="c1"># ovs-ofctl show br-int</span> </pre></div> </div> <p>The values <cite>reg15=0x3,metadata=0x8</cite> identify a particular VM - in this case, csl-log-redhat-0 (192.168.13.92) on compute-0.</p> </section> <section id="packet-tracing-with-ovn-trace"> <h2>Packet Tracing with ovn-trace</h2> <p>One of the most powerful debugging tools in OVN is <code class="docutils literal notranslate"><span class="pre">ovn-trace</span></code>, which allows us to simulate packet flows through the logical network. This tool helps identify issues in packet processing before they reach the physical network.</p> <p>How ovn-trace Works:</p> <ul class="simple"> <li><p>Reads the <code class="docutils literal notranslate"><span class="pre">Logical_Flow</span></code> and other tables from the OVN Southbound database</p></li> <li><p>Simulates a packet’s path through logical networks by following the entire tree of possibilities</p></li> <li><p>Shows how logical flows would process specific types of packets</p></li> <li><p>Only simulates the OVN logical network (not the physical elements)</p></li> <li><p>When used with the <code class="docutils literal notranslate"><span class="pre">--ovs</span></code> option, it will also show the OpenFlow rules installed in the bridge</p></li> </ul> <p>This tool is invaluable for debugging connectivity issues, as it helps isolate whether the problem is in the logical configuration or the physical implementation.</p> <section id="example-tracing-icmp-traffic-between-vms"> <h3>Example: Tracing ICMP Traffic Between VMs</h3> <p>Let’s use <code class="docutils literal notranslate"><span class="pre">ovn-trace</span></code> to explore how an ICMP packet would travel between two guest instances:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">()[</span>root@compute-0<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-trace --db="tcp:172.17.1.203:6642" --ovs --friendly-names --ct=new private2 'inport == "4b0b7e46-9217-4267-a090-418873a8b6f0" &amp;&amp; eth.src == fa:16:3e:fe:90:9a &amp;&amp; eth.dst == fa:16:3e:e3:e2:c8 &amp;&amp; ip4.src == 192.168.40.158 &amp;&amp; ip4.dst == 192.168.40.12 &amp;&amp; ip.ttl == 64 &amp;&amp; icmp4.type == 8'</span> <span class="c1">#icmp,reg14=0x3,vlan_tci=0x0000,dl_src=fa:16:3e:ce:02:65,dl_dst=fa:16:3e:5b:01:ec,nw_src=192.168.30.229,nw_dst=192.168.30.48,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0</span> ingress<span class="o">(</span><span class="nv">dp</span><span class="o">=</span><span class="s2">"private2"</span>,<span class="w"> </span><span class="nv">inport</span><span class="o">=</span><span class="s2">"private2_vm2"</span><span class="o">)</span> --------------------------------------------- <span class="o">[</span>...<span class="o">]</span> <span class="w"> </span><span class="m">4</span>.<span class="w"> </span>ls_out_acl<span class="w"> </span><span class="o">(</span>ovn-northd.c:4549<span class="o">)</span>:<span class="w"> </span>!ct.new<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>ct.est<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>!ct.rpl<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>ct_label.blocked<span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="o">(</span><span class="nv">outport</span><span class="w"> </span><span class="o">==</span><span class="w"> </span>@pg_1576d8a3_7db2_40e9_942f_90f7c37a355e<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>ip4<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>ip4.src<span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">0</span>.0.0.0/0<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>icmp4<span class="o">)</span>,<span class="w"> </span>priority<span class="w"> </span><span class="m">2002</span>,<span class="w"> </span>uuid<span class="w"> </span>eda37d0e <span class="w"> </span><span class="nv">cookie</span><span class="o">=</span>0xeda37d0e,<span class="w"> </span><span class="nv">duration</span><span class="o">=</span><span class="m">677279</span>.297s,<span class="w"> </span><span class="nv">table</span><span class="o">=</span><span class="m">44</span>,<span class="w"> </span><span class="nv">n_packets</span><span class="o">=</span><span class="m">127</span>,<span class="w"> </span><span class="nv">n_bytes</span><span class="o">=</span><span class="m">14905</span>,<span class="w"> </span><span class="nv">priority</span><span class="o">=</span><span class="m">2002</span>,ct_state<span class="o">=</span>-new+est-rpl+trk,ct_label<span class="o">=</span><span class="m">0</span>/0x1,icmp,reg15<span class="o">=</span>0x3,metadata<span class="o">=</span>0x3<span class="w"> </span><span class="nv">actions</span><span class="o">=</span>resubmit<span class="o">(</span>,45<span class="o">)</span> <span class="w"> </span>next<span class="p">;</span> <span class="o">[</span>...<span class="o">]</span> <span class="w"> </span><span class="m">9</span>.<span class="w"> </span>ls_out_port_sec_l2<span class="w"> </span><span class="o">(</span>ovn-northd.c:4081<span class="o">)</span>:<span class="w"> </span><span class="nv">outport</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s2">"private2_vm1"</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>eth.dst<span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="o">{</span>fa:16:3e:25:26:50<span class="o">}</span>,<span class="w"> </span>priority<span class="w"> </span><span class="m">50</span>,<span class="w"> </span>uuid<span class="w"> </span>060cf739 <span class="w"> </span><span class="nv">cookie</span><span class="o">=</span>0x60cf739,<span class="w"> </span><span class="nv">duration</span><span class="o">=</span><span class="m">670224</span>.080s,<span class="w"> </span><span class="nv">table</span><span class="o">=</span><span class="m">49</span>,<span class="w"> </span><span class="nv">n_packets</span><span class="o">=</span><span class="m">4626</span>,<span class="w"> </span><span class="nv">n_bytes</span><span class="o">=</span><span class="m">372616</span>,<span class="w"> </span><span class="nv">priority</span><span class="o">=</span><span class="m">50</span>,reg15<span class="o">=</span>0x3,metadata<span class="o">=</span>0x3,dl_dst<span class="o">=</span>fa:16:3e:68:c6:ee<span class="w"> </span><span class="nv">actions</span><span class="o">=</span>resubmit<span class="o">(</span>,64<span class="o">)</span> <span class="w"> </span>output<span class="p">;</span> <span class="w"> </span>/*<span class="w"> </span>output<span class="w"> </span>to<span class="w"> </span><span class="s2">"private2_vm1"</span>,<span class="w"> </span><span class="nb">type</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span>*/ </pre></div> </div> <p>In this trace example, we can see how an ICMP packet from private2_vm2 to private2_vm1 is processed through the logical pipeline. The trace shows several stages including ACL processing (step 4) and port security checks (step 9) before the packet is finally output to the destination VM.</p> </section> </section> <section id="verifying-physical-network-flows"> <h2>Verifying Physical Network Flows</h2> <p>While ovn-trace is extremely helpful for debugging logical flows, sometimes we need to verify how packets are flowing through the physical network infrastructure:</p> <ul class="simple"> <li><p>Let’s explore an ICMP packet delivered to a VM on its compute node</p></li> <li><p>We’ll ping between two guests and expect the packet to be delivered on the correct tap interface</p></li> <li><p>By monitoring the flow’s n_packets field in table 65, we can confirm packet delivery</p></li> </ul> <p>According to the ovn-architecture manual, table 65 performs the final translation between logical ports and physical ports, with the actual packet output happening in this table.</p> <p>First, identify the OpenFlow port number for the VM’s tap interface:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">[</span>root@compute-2<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovs-ofctl show br-int|grep tapf4ada4a0</span> <span class="w"> </span><span class="m">113</span><span class="o">(</span>tap11d54329--3<span class="o">)</span>:<span class="w"> </span>addr:63:75:6e:e0:9f:a8 </pre></div> </div> <p>Then, monitor the OpenFlow rules to see if packets are being delivered:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">[</span>root@compute-0<span class="w"> </span>~<span class="o">]</span><span class="c1"># watch -d -n1 "ovs-ofctl dump-flows br-int table=65 | grep 'output:113'"</span> <span class="nv">cookie</span><span class="o">=</span>0x0,<span class="w"> </span><span class="nv">duration</span><span class="o">=</span><span class="m">819057</span>.906s,<span class="w"> </span><span class="nv">table</span><span class="o">=</span><span class="m">65</span>,<span class="w"> </span><span class="nv">n_packets</span><span class="o">=</span><span class="m">4727</span>,<span class="w"> </span><span class="nv">n_bytes</span><span class="o">=</span><span class="m">412655</span>,<span class="w"> </span><span class="nv">idle_age</span><span class="o">=</span><span class="m">25642</span>,<span class="w"> </span><span class="nv">hard_age</span><span class="o">=</span><span class="m">11420</span>,<span class="w"> </span><span class="nv">priority</span><span class="o">=</span><span class="m">100</span>,reg15<span class="o">=</span>0x3,metadata<span class="o">=</span>0x3<span class="w"> </span><span class="nv">actions</span><span class="o">=</span>output:113 </pre></div> </div> <p>When the <cite>n_packets</cite> counter increases, it confirms that packets are successfully reaching the destination VM’s interface.</p> <p>Note: OpenFlow table numbers in OVN correspond to logical tables as follows: - Ingress pipeline tables: Logical table ID + 8 - Egress pipeline tables: Logical table ID + 40</p> <p>For a detailed explanation of the OVN logical tables, refer to the ovn-northd manual page.</p> </section> <section id="dhcp-in-ovn"> <h2>DHCP in OVN</h2> <p>Unlike in ML2/OVS, OVN serves DHCP locally in the compute nodes. The DHCP requests are sent to ovn-controller and replied according to the database contents. When a VM starts on a hypervisor, ovn-controller will install flows in table 20 with a controller action.</p> <p>We can find the right DHCP_Options row in the NB database (Neutron inserts this every time a subnet is created):</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">()[</span>root@controller-3<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-nbctl find DHCP_Options external_ids:subnet_id=ce6193c4-80ef-448c-8153-4b8282eef0f3</span> _uuid<span class="w"> </span>:<span class="w"> </span>c95ccc99-e50f-471c-978e-bf68dafef362 cidr<span class="w"> </span>:<span class="w"> </span><span class="s2">"192.168.30.0/24"</span> external_ids<span class="w"> </span>:<span class="w"> </span><span class="o">{</span><span class="s2">"neutron:revision_number"</span><span class="o">=</span><span class="s2">"0"</span>,<span class="w"> </span><span class="nv">subnet_id</span><span class="o">=</span><span class="s2">"ce6193c4-80ef-448c-8153-4b8282eef0f3"</span><span class="o">}</span> options<span class="w"> </span>:<span class="w"> </span><span class="o">{</span><span class="nv">classless_static_route</span><span class="o">=</span><span class="s2">"{169.254.169.254/32,192.168.30.2, 0.0.0.0/0,192.168.30.1}"</span>,<span class="w"> </span><span class="nv">dns_server</span><span class="o">=</span><span class="s2">"{172.16.0.1, 10.0.0.1}"</span>,<span class="w"> </span><span class="nv">lease_time</span><span class="o">=</span><span class="s2">"43200"</span>,<span class="w"> </span><span class="nv">mtu</span><span class="o">=</span><span class="s2">"1442"</span>,<span class="w"> </span><span class="nv">router</span><span class="o">=</span><span class="s2">"192.168.30.1"</span>,<span class="w"> </span><span class="nv">server_id</span><span class="o">=</span><span class="s2">"192.168.30.1"</span>,<span class="w"> </span><span class="nv">server_mac</span><span class="o">=</span><span class="s2">"fa:16:3e:8c:0e:f5"</span><span class="o">}</span> </pre></div> </div> <p>The options include: * 169.254.169.254/32,192.168.30.2 -&gt; Static route for the metadata service * 0.0.0.0/0,192.168.30.1 -&gt; Default gateway route</p> <p>We can also find the corresponding logical flow in the SB database:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">()[</span>root@controller-2<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovn-sbctl find logical_flow external_ids:stage-name=ls_in_dhcp_options</span> _uuid<span class="w"> </span>:<span class="w"> </span>6b422d1e-0a41-4422-9390-e4cc67352e12 actions<span class="w"> </span>:<span class="w"> </span><span class="s2">"reg0[3] = put_dhcp_opts(offerip = 192.168.30.182, classless_static_route = {169.254.169.254/32,192.168.30.2, 0.0.0.0/0,192.168.30.1}, dns_server = {172.16.0.1, 10.0.0.1}, lease_time = 43200, mtu = 1442, netmask = 255.255.255.0, router = 192.168.30.1, server_id = 192.168.30.1); next;"</span> external_ids<span class="w"> </span>:<span class="w"> </span><span class="o">{</span><span class="nv">source</span><span class="o">=</span><span class="s2">"ovn-northd.c:5413"</span>,<span class="w"> </span>stage-name<span class="o">=</span>ls_in_dhcp_options<span class="o">}</span> logical_datapath<span class="w"> </span>:<span class="w"> </span>3b7964f9-d315-4a93-85fb-c5d485ffeefd match<span class="w"> </span>:<span class="w"> </span><span class="s2">"inport == \"b631ec31-d634-430c-b50e-1b7819ce7dbd\" &amp;&amp; eth.src == fa:16:3e:40:31:2c &amp;&amp; ip4.src == 0.0.0.0 &amp;&amp; ip4.dst == 255.255.255.255 &amp;&amp; udp.src == 68 &amp;&amp; udp.dst == 67"</span> pipeline<span class="w"> </span>:<span class="w"> </span>ingress priority<span class="w"> </span>:<span class="w"> </span><span class="m">100</span> table_id<span class="w"> </span>:<span class="w"> </span><span class="m">12</span> </pre></div> </div> <p>In compute-1 we should be able to see the flow in table 20 (12+8):</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">()[</span>root@compute-3<span class="w"> </span>/<span class="o">]</span><span class="c1"># ovs-ofctl dump-flows br-int |grep bbe8861b</span> <span class="w"> </span><span class="nv">cookie</span><span class="o">=</span>0xbbe8861b,<span class="w"> </span><span class="nv">duration</span><span class="o">=</span><span class="m">780275</span>.467s,<span class="w"> </span><span class="nv">table</span><span class="o">=</span><span class="m">20</span>,<span class="w"> </span><span class="nv">n_packets</span><span class="o">=</span><span class="m">0</span>,<span class="w"> </span><span class="nv">n_bytes</span><span class="o">=</span><span class="m">0</span>,<span class="w"> </span><span class="nv">idle_age</span><span class="o">=</span><span class="m">25685</span>,<span class="w"> </span><span class="nv">hard_age</span><span class="o">=</span><span class="m">29126</span>,<span class="w"> </span><span class="nv">priority</span><span class="o">=</span><span class="m">100</span>,udp,reg14<span class="o">=</span>0x3,metadata<span class="o">=</span>0x2,dl_src<span class="o">=</span>fa:16:3e:c8:4a:a8,nw_src<span class="o">=</span><span class="m">0</span>.0.0.0,nw_dst<span class="o">=</span><span class="m">255</span>.255.255.255,tp_src<span class="o">=</span><span class="m">68</span>,tp_dst<span class="o">=</span><span class="m">67</span><span class="w"> </span><span class="nv">actions</span><span class="o">=</span>controller<span class="o">(</span><span class="nv">userdata</span><span class="o">=</span><span class="m">00</span>.00.00.20.00.00.00.240.00.01.de.10.00.00.98.63.c0.a8.1e.54.79.0e.20.a9.fe.a9.fe.c0.a8.1e.02.00.c0.a8.1e.01.06.08.ac.10.00.01.0a.00.00.01.83.04.00.00.a8.c0.1a.02.05.a2.01.04.ff.ff.ff.00.03.04.c0.a8.1e.01.36.04.c0.a8.1e.01,pause<span class="o">)</span>,resubmit<span class="o">(</span>,21<span class="o">)</span> </pre></div> </div> <p>The <cite>controller</cite> action indicates that DHCP requests will be processed by the local ovn-controller process, which generates responses based on the configuration in the OVN databases.</p> </section> Wed, 23 Apr 2025 00:00:00 DEFMS: Distributed, Encrypted and Free Mail Systemhttps://blog.epheo.eu/notes/defms/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Feb 24, 2018</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>2 min read</p> </div> </div> </div> </div> </div> </div> <p>Let’s have a closer look at the current implementation of our global email delivery system.</p> <p>It scaled out from the very early stage of our network while all mail addresses was summed up in a paper book to our current multi-billion addresses directory quite impressively, the workload and delivery effort is mostly shared across the few biggest current IT and telecom companies and the required bandwidth and data effort is duplicated between all sender, receivers and intermediates of the transmission. Content encryption or signature is still a marginal practice and while normally not accessible by a random tiers, the relevant intermediates and providers do not hesitate to monitor and analyze our day to day exchanges. Content is easily reversible, which so prevent (or at least should prevent) them to have any juridical value.</p> <p>As of today, we used the available technologies and paradigms to scale from an inter-lab experiment to a multi-billion connection delivery network, but as new paradigms and technologies arrived, we now have all the tools to create a new email delivery network, compatible with the current protocols, that better suits our everyday needs.</p> <p>Regarding how fast the importance of this media grew up those past two decades, one would now want to be able to rely on multiple sources for the storage and transport of his messages without having to necessarily trust those third-parties, one would also like to guaranty the integrity, the consistency and the immutability in time of his exchanges with someone. An entirely distributed, partly encrypted and free mail exchange system would allow us to communicate directly with the concerned receivers without restrictions of size, number, consistency or availability of the exchanged messages. Applications are numerous but more importantly this will help us reducing the total amount of storage and bandwith required by mail exchanges.</p> <p>As encryption, peer to peer and data immutability are already widespread principles one remaining pain-point is in the compatibility with our existing systems and protocols. Such a compatibility with actual mail protocols will be achieved by non-ditributed gateway servers, this long-term temporary solution will encrypt and forward all email from standard MX systems to and from DEFMS.</p> Wed, 23 Apr 2025 00:00:00 Advanced File Permissions with ACL on Linuxhttps://blog.epheo.eu/notes/linux/droits-multiples-et-acl/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Aug 06, 2010</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>10 min read</p> </div> </div> </div> </div> </div> </div> <p>Traditional Unix file permissions have a significant limitation: they don’t allow us to grant different access levels to multiple users or groups simultaneously - such as read/write access for some groups while restricting others to read-only access.</p> <p>This is where Access Control Lists (ACLs) come in. ACLs provide a more flexible permission system by allowing multiple access rules per file or directory. Although ACLs come pre-installed on many modern Linux distributions, knowing how to use them effectively remains essential, especially for scenarios like file sharing with Samba or managing multi-user environments.</p> <section id="understanding-the-difference-traditional-permissions-vs-acls"> <h2>Understanding the Difference: Traditional Permissions vs. ACLs</h2> <p>Before diving into ACLs, let’s compare them with traditional Unix permissions:</p> <div class="table-wrapper colwidths-given docutils container"> <table class="docutils align-default"> <colgroup> <col style="width: 30.0%"/> <col style="width: 35.0%"/> <col style="width: 35.0%"/> </colgroup> <thead> <tr class="row-odd"><th class="head"><p>Feature</p></th> <th class="head"><p>Traditional Unix Permissions</p></th> <th class="head"><p>Access Control Lists (ACLs)</p></th> </tr> </thead> <tbody> <tr class="row-even"><td><p>Permission Structure</p></td> <td><p>Simple rwx for owner, group, others</p></td> <td><p>Multiple permission entries for different users/groups</p></td> </tr> <tr class="row-odd"><td><p>Permission Granularity</p></td> <td><p>Limited to three entities</p></td> <td><p>Unlimited entities with specific permissions</p></td> </tr> <tr class="row-even"><td><p>Inheritance Control</p></td> <td><p>Limited (primarily through umask)</p></td> <td><p>Explicit inheritance with default ACLs</p></td> </tr> <tr class="row-odd"><td><p>Management Complexity</p></td> <td><p>Simple to understand and manage</p></td> <td><p>More complex but much more flexible</p></td> </tr> <tr class="row-even"><td><p>Command Tools</p></td> <td><p>chmod, chown, chgrp</p></td> <td><p>getfacl, setfacl</p></td> </tr> <tr class="row-odd"><td><p>Windows Compatibility</p></td> <td><p>Limited</p></td> <td><p>Advanced support for Samba/CIFS sharing</p></td> </tr> </tbody> </table> </div> <p>By understanding these differences, you can make informed decisions about when to use traditional permissions versus ACLs for your file security needs.</p> </section> <section id="practical-use-case"> <h2>Practical Use Case</h2> <p>Let’s consider a Samba file sharing setup in a small business with a directory called “ProjectDocs”. In this scenario:</p> <ul class="simple"> <li><p>The manager needs full control over ProjectDocs</p></li> <li><p>The developers need read and execute permissions</p></li> <li><p>The clients should only have read-only access</p></li> </ul> <p>This is a perfect case where we need to manage the directory permissions with ACLs, as standard Unix permissions would not allow this level of granular control.</p> </section> <section id="implementing-our-use-case"> <h2>Implementing Our Use Case</h2> <p>Let’s implement the scenario described above with specific commands. Assuming you’ve already created a directory called “ProjectDocs”:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Create the directory and test files</span> mkdir<span class="w"> </span>-p<span class="w"> </span>/data/ProjectDocs touch<span class="w"> </span>/data/ProjectDocs/report.doc touch<span class="w"> </span>/data/ProjectDocs/specs.pdf <span class="c1"># Set basic permissions first</span> sudo<span class="w"> </span>chown<span class="w"> </span>manager:managers<span class="w"> </span>/data/ProjectDocs sudo<span class="w"> </span>chmod<span class="w"> </span><span class="m">750</span><span class="w"> </span>/data/ProjectDocs <span class="c1"># Grant full access to the manager</span> sudo<span class="w"> </span>setfacl<span class="w"> </span>-m<span class="w"> </span>u:manager:rwx<span class="w"> </span>/data/ProjectDocs <span class="c1"># Set read and execute permissions for the developers group</span> sudo<span class="w"> </span>setfacl<span class="w"> </span>-m<span class="w"> </span>g:developers:rx<span class="w"> </span>/data/ProjectDocs <span class="c1"># Set read-only permissions for the clients group</span> sudo<span class="w"> </span>setfacl<span class="w"> </span>-m<span class="w"> </span>g:clients:r<span class="w"> </span>/data/ProjectDocs <span class="c1"># Set default ACLs so new files inherit these permissions</span> sudo<span class="w"> </span>setfacl<span class="w"> </span>-m<span class="w"> </span>d:u:manager:rwx<span class="w"> </span>/data/ProjectDocs sudo<span class="w"> </span>setfacl<span class="w"> </span>-m<span class="w"> </span>d:g:developers:rx<span class="w"> </span>/data/ProjectDocs sudo<span class="w"> </span>setfacl<span class="w"> </span>-m<span class="w"> </span>d:g:clients:r<span class="w"> </span>/data/ProjectDocs <span class="c1"># Apply ACLs recursively to existing files</span> sudo<span class="w"> </span>setfacl<span class="w"> </span>-R<span class="w"> </span>-m<span class="w"> </span>u:manager:rwx<span class="w"> </span>/data/ProjectDocs sudo<span class="w"> </span>setfacl<span class="w"> </span>-R<span class="w"> </span>-m<span class="w"> </span>g:developers:rx<span class="w"> </span>/data/ProjectDocs sudo<span class="w"> </span>setfacl<span class="w"> </span>-R<span class="w"> </span>-m<span class="w"> </span>g:clients:r<span class="w"> </span>/data/ProjectDocs </pre></div> </div> <p>After executing these commands, the directory structure will have the exact permissions needed for our scenario: - Manager has full control (read, write, execute) - Developers can read and execute files, but not modify them - Clients can only read the files - All new files created in the directory will automatically inherit these permissions</p> <p>You can verify the configuration with:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>getfacl<span class="w"> </span>/data/ProjectDocs </pre></div> </div> </section> <section id="installation"> <h2>Installation</h2> <p>On most modern Linux distributions, ACL support is pre-installed. If not, you can install it using your package manager:</p> <p>For Red Hat-based systems:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>sudo<span class="w"> </span>dnf<span class="w"> </span>install<span class="w"> </span>acl </pre></div> </div> <p>For Debian-based systems:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>sudo<span class="w"> </span>apt<span class="w"> </span>install<span class="w"> </span>acl </pre></div> </div> </section> <section id="enabling-acl-support"> <h2>Enabling ACL Support</h2> <p>Most modern Linux filesystems (ext4, XFS, Btrfs) have ACL support enabled by default. However, if you need to explicitly enable it, you’ll need to modify the filesystem mount options.</p> <p>First, identify the partition you want to modify. You can use the following command to list your mounted filesystems:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>df<span class="w"> </span>-h </pre></div> </div> <p>Let’s say we need to enable ACLs on <code class="docutils literal notranslate"><span class="pre">/dev/nvme0n1p3</span></code> mounted at <code class="docutils literal notranslate"><span class="pre">/data</span></code>.</p> <p>Edit the <code class="docutils literal notranslate"><span class="pre">/etc/fstab</span></code> file:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>sudo<span class="w"> </span>nano<span class="w"> </span>/etc/fstab </pre></div> </div> <p>Add the <code class="docutils literal notranslate"><span class="pre">acl</span></code> option to your partition’s mount options:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>/dev/nvme0n1p3<span class="w"> </span>/data<span class="w"> </span>ext4<span class="w"> </span>defaults,acl<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">2</span> </pre></div> </div> <p>To apply the changes without rebooting:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>sudo<span class="w"> </span>mount<span class="w"> </span>-o<span class="w"> </span>remount,acl<span class="w"> </span>/data </pre></div> </div> <p>Note: On most modern Linux systems with ext4, XFS, or Btrfs filesystems, ACL support is enabled by default, so this step may not be necessary.</p> </section> <section id="verifying-acl-support"> <h2>Verifying ACL Support</h2> <p>To confirm that your filesystem supports ACLs, you can use one of these methods:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Method 1: Check filesystem capabilities</span> sudo<span class="w"> </span>tune2fs<span class="w"> </span>-l<span class="w"> </span>/dev/nvme0n1p3<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="s2">"Default mount options"</span> <span class="c1"># Method 2: Check if the current mount has ACL support</span> mount<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="s2">"/data"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="s2">"acl"</span> <span class="c1"># Method 3: Test if you can set an ACL (if this succeeds, ACLs are supported)</span> touch<span class="w"> </span>/data/test_acl setfacl<span class="w"> </span>-m<span class="w"> </span>u:nobody:r<span class="w"> </span>/data/test_acl </pre></div> </div> </section> <section id="configuring-acls-for-files-and-directories"> <h2>Configuring ACLs for Files and Directories</h2> <p>There are two main commands for working with ACLs: <code class="docutils literal notranslate"><span class="pre">getfacl</span></code> and <code class="docutils literal notranslate"><span class="pre">setfacl</span></code>.</p> <p>The <code class="docutils literal notranslate"><span class="pre">getfacl</span></code> command lists ACL permissions:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>getfacl<span class="w"> </span>filename </pre></div> </div> <p>It works similar to <code class="docutils literal notranslate"><span class="pre">ls</span> <span class="pre">-l</span></code> but provides more detailed information specific to ACLs. For example, to check permissions on a file named <code class="docutils literal notranslate"><span class="pre">project-report.pdf</span></code>:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>getfacl<span class="w"> </span>project-report.pdf </pre></div> </div> <p>The <code class="docutils literal notranslate"><span class="pre">setfacl</span></code> command configures ACL permissions for a file or directory. Its basic syntax is:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>setfacl<span class="w"> </span>-<span class="o">[</span>option<span class="o">]</span><span class="w"> </span><span class="o">[</span>specification<span class="o">]</span><span class="w"> </span>filename </pre></div> </div> <p>The command can be broken down into these components:</p> <ul class="simple"> <li><p><strong>Options</strong>: - <code class="docutils literal notranslate"><span class="pre">-m</span></code> to add or modify a rule - <code class="docutils literal notranslate"><span class="pre">-b</span></code> to remove all ACL entries - <code class="docutils literal notranslate"><span class="pre">-x</span></code> to remove specific ACL entries</p></li> <li><p><strong>Specification</strong>: <code class="docutils literal notranslate"><span class="pre">[d:]type:name:permissions</span></code> - <code class="docutils literal notranslate"><span class="pre">d:</span></code> (optional) - if present, applies to default ACLs (used for directories) - <code class="docutils literal notranslate"><span class="pre">type</span></code> - can be <code class="docutils literal notranslate"><span class="pre">u</span></code> (user), <code class="docutils literal notranslate"><span class="pre">g</span></code> (group), or <code class="docutils literal notranslate"><span class="pre">o</span></code> (other) - <code class="docutils literal notranslate"><span class="pre">name</span></code> - username or group name (not needed for “other”) - <code class="docutils literal notranslate"><span class="pre">permissions</span></code> - any combination of <code class="docutils literal notranslate"><span class="pre">r</span></code> (read), <code class="docutils literal notranslate"><span class="pre">w</span></code> (write), and <code class="docutils literal notranslate"><span class="pre">x</span></code> (execute)</p></li> </ul> </section> <section id="understanding-acl-masks"> <h2>Understanding ACL Masks</h2> <p>One of the most important concepts in Linux ACLs is the “mask”. The mask defines the maximum permissions that can be granted by any ACL entry for a file or directory. Think of it as an upper bound for permissions.</p> <div class="highlight-text notranslate"><div class="highlight"><pre><span/># Example ACL with mask user::rw- # Owner has read-write user:alex:rwx # User alex has read-write-execute, but... group::r-- # Group owner has read-only mask::r-- # The mask restricts to read-only! other::--- # Others have no permissions </pre></div> </div> <p>In this example, despite giving alex rwx permissions, the effective permissions will be r–, because the mask restricts the maximum permissions to read-only.</p> <p>To explicitly set the mask value:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Set the mask to allow read and execute</span> setfacl<span class="w"> </span>-m<span class="w"> </span>m::rx<span class="w"> </span>project-report.pdf </pre></div> </div> <p>The mask is automatically recalculated when you add or modify ACL entries, unless you use the <code class="docutils literal notranslate"><span class="pre">--no-mask</span></code> option with setfacl.</p> </section> <section id="examples-of-acl-usage"> <h2>Examples of ACL Usage</h2> <ol class="arabic simple"> <li><p>Give write permission to user “alex” on a file:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>setfacl<span class="w"> </span>-m<span class="w"> </span>u:alex:w<span class="w"> </span>project-report.pdf </pre></div> </div> <ol class="arabic simple" start="2"> <li><p>Give read and execute permissions to the “developers” group:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>setfacl<span class="w"> </span>-m<span class="w"> </span>g:developers:rx<span class="w"> </span>project-report.pdf </pre></div> </div> <ol class="arabic simple" start="3"> <li><p>Remove all ACL entries from a file:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>setfacl<span class="w"> </span>-b<span class="w"> </span>project-report.pdf </pre></div> </div> <ol class="arabic simple" start="4"> <li><p>Apply ACLs recursively to a directory and all its contents:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>setfacl<span class="w"> </span>-R<span class="w"> </span>-m<span class="w"> </span>g:developers:rx<span class="w"> </span>ProjectDocs/ </pre></div> </div> <ol class="arabic simple" start="5"> <li><p>Set default ACLs on a directory (new files created in this directory will inherit these ACLs):</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>setfacl<span class="w"> </span>-m<span class="w"> </span>d:g:developers:rx<span class="w"> </span>ProjectDocs/ </pre></div> </div> <ol class="arabic simple" start="6"> <li><p>Give read permission to others (all users not specifically mentioned):</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>setfacl<span class="w"> </span>-m<span class="w"> </span>o::r<span class="w"> </span>project-report.pdf </pre></div> </div> <ol class="arabic simple" start="7"> <li><p>View current ACL settings:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>getfacl<span class="w"> </span>project-report.pdf </pre></div> </div> <ol class="arabic simple" start="8"> <li><p>Remove a specific ACL entry (remove just alex’s permissions):</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>setfacl<span class="w"> </span>-x<span class="w"> </span>u:alex<span class="w"> </span>project-report.pdf </pre></div> </div> <ol class="arabic simple" start="9"> <li><p>Copy ACLs from one file to another:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>getfacl<span class="w"> </span>source_file.txt<span class="w"> </span><span class="p">|</span><span class="w"> </span>setfacl<span class="w"> </span>--set-file<span class="o">=</span>-<span class="w"> </span>destination_file.txt </pre></div> </div> <p>The output might look like:</p> <div class="highlight-text notranslate"><div class="highlight"><pre><span/># file: project-report.pdf # owner: manager # group: admin user::rw- user:alex:rw- group::r-- group:developers:r-x mask::rwx other::r-- </pre></div> </div> </section> <section id="troubleshooting-acls"> <h2>Troubleshooting ACLs</h2> <p>When working with ACLs, you might encounter some common issues. Here are solutions for the most frequent problems:</p> <ol class="arabic"> <li><p><strong>ACL Commands Not Working</strong></p> <p>Verify your filesystem supports and has ACLs enabled:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>tune2fs<span class="w"> </span>-l<span class="w"> </span>/dev/nvme0n1p3<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="s2">"Default mount options"</span> </pre></div> </div> <p>Check if the ACL package is installed:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>which<span class="w"> </span>getfacl </pre></div> </div> </li> <li><p><strong>Permission Denied Errors</strong></p> <p>Ensure you have sufficient permissions (usually requires root or ownership):</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Check your permissions on the file/directory</span> ls<span class="w"> </span>-la<span class="w"> </span>/path/to/file <span class="c1"># Use sudo if needed</span> sudo<span class="w"> </span>setfacl<span class="w"> </span>-m<span class="w"> </span>u:user:rw<span class="w"> </span>/path/to/file </pre></div> </div> </li> <li><p><strong>ACLs Not Being Applied</strong></p> <p>Check if there’s a restrictive mask:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>getfacl<span class="w"> </span>/path/to/file<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>mask <span class="c1"># Set a more permissive mask if needed</span> setfacl<span class="w"> </span>-m<span class="w"> </span>m::rwx<span class="w"> </span>/path/to/file </pre></div> </div> </li> <li><p><strong>ACLs Lost After Copying Files</strong></p> <p>Use the correct copy command to preserve ACLs:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Use cp with the -a (archive) option</span> cp<span class="w"> </span>-a<span class="w"> </span>source_file<span class="w"> </span>destination_file <span class="c1"># Or use rsync</span> rsync<span class="w"> </span>-av<span class="w"> </span>--acls<span class="w"> </span>source_file<span class="w"> </span>destination_file </pre></div> </div> </li> <li><p><strong>Debugging Complex ACL Issues</strong></p> <p>For more complex issues, use verbose mode with ACL commands:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>setfacl<span class="w"> </span>-v<span class="w"> </span>-m<span class="w"> </span>u:user:rw<span class="w"> </span>/path/to/file </pre></div> </div> </li> </ol> </section> <section id="working-with-acls-in-samba-shares"> <h2>Working with ACLs in Samba Shares</h2> <p>When using Samba to share files with Windows systems, you can manage ACLs through Windows File Explorer. This provides a familiar graphical interface for Windows users while maintaining the security controls you’ve established.</p> <p>To enable this functionality in your Samba configuration, edit <code class="docutils literal notranslate"><span class="pre">/etc/samba/smb.conf</span></code> and ensure these options are set:</p> <div class="highlight-ini notranslate"><div class="highlight"><pre><span/><span class="k">[global]</span> <span class="na">map acl inherit</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">yes</span> <span class="na">store dos attributes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">yes</span> <span class="k">[ProjectDocs]</span> <span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">/data/ProjectDocs</span> <span class="na">read only</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">no</span> <span class="na">acl_xattr</span><span class="o">:</span><span class="s">ignore system acls = yes</span> <span class="na">inherit acls</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">yes</span> </pre></div> </div> <p>This configuration allows Windows clients to modify the ACLs through the familiar Windows security dialog, providing a seamless experience across platforms.</p> </section> <section id="conclusion"> <h2>Conclusion</h2> <p>Access Control Lists provide a powerful way to manage complex permission requirements that go beyond the traditional Unix permission model. By understanding how to use <code class="docutils literal notranslate"><span class="pre">getfacl</span></code> and <code class="docutils literal notranslate"><span class="pre">setfacl</span></code>, you can create sophisticated permission structures that meet the needs of multi-user environments while maintaining proper security controls.</p> </section> Wed, 23 Apr 2025 00:00:00 Useful Podman Commandshttps://blog.epheo.eu/notes/podman.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>April 22, 2025</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>5 min read</p> </div> </div> </div> </div> </div> </div> <section id="introduction"> <h2>Introduction</h2> <p>This article provides a collection of useful Podman commands and techniques for common container operations. Podman is a daemonless container engine that provides a Docker-compatible command line interface.</p> </section> <section id="squashing-container-images"> <h2>Squashing Container Images</h2> <p>Squashing container images reduces their size by combining multiple layers into one, making distribution more efficient.</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>podman<span class="w"> </span>build<span class="w"> </span>--layers<span class="w"> </span>--force-rm<span class="w"> </span>--squash-all<span class="w"> </span>--tag<span class="w"> </span>squashedimage<span class="w"> </span>-<span class="w"> </span><span class="o">&lt;&lt;&lt;</span><span class="w"> </span><span class="s2">"FROM regsitry/imagetosquash"</span> </pre></div> </div> </section> <section id="container-run-commands"> <h2>Container Run Commands</h2> <p>Here are several useful patterns for running containers with Podman:</p> <p>Running a Gollum wiki server:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>podman<span class="w"> </span>run<span class="w"> </span>--detach<span class="w"> </span>--name<span class="w"> </span>gollum<span class="w"> </span>--security-opt<span class="w"> </span><span class="nv">label</span><span class="o">=</span>disable<span class="w"> </span>--userns<span class="o">=</span>keep-id<span class="w"> </span><span class="se">\</span> <span class="w"> </span>-v<span class="w"> </span>/srv/wiki:/wiki<span class="w"> </span>-p<span class="w"> </span><span class="m">4567</span>:4567<span class="w"> </span>gollumwiki/gollum:master<span class="w"> </span>--default-keybind<span class="w"> </span>vim </pre></div> </div> <p>Running a container with host networking:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>podman<span class="w"> </span>run<span class="w"> </span>-d<span class="w"> </span>--network<span class="w"> </span>host<span class="w"> </span>-v<span class="w"> </span>/var/log/sshoney/:/root/logs/<span class="w"> </span>--name<span class="w"> </span>sshoney<span class="w"> </span>97f3876877e2 </pre></div> </div> <p>Running a MariaDB container in a pod:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>podman<span class="w"> </span>run<span class="w"> </span>--detach<span class="w"> </span>--pod<span class="w"> </span><span class="nv">$POD_NAME</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-e<span class="w"> </span><span class="nv">MYSQL_ROOT_PASSWORD</span><span class="o">=</span><span class="nv">$DB_PASS</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-e<span class="w"> </span><span class="nv">MYSQL_PASSWORD</span><span class="o">=</span><span class="nv">$DB_PASS</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-e<span class="w"> </span><span class="nv">MYSQL_DATABASE</span><span class="o">=</span><span class="nv">$DB_NAME</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-e<span class="w"> </span><span class="nv">MYSQL_USER</span><span class="o">=</span><span class="nv">$DB_USER</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>--name<span class="w"> </span><span class="nv">$CONTAINER_NAME_DB</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-v<span class="w"> </span><span class="s2">"</span><span class="nv">$PWD</span><span class="s2">/database"</span>:/var/lib/mysql<span class="w"> </span>docker.io/mariadb:latest </pre></div> </div> <p>Running a WordPress container in a pod:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>podman<span class="w"> </span>run<span class="w"> </span>--detach<span class="w"> </span>--pod<span class="w"> </span><span class="nv">$POD_NAME</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-e<span class="w"> </span><span class="nv">WORDPRESS_DB_HOST</span><span class="o">=</span><span class="m">127</span>.0.0.1:3306<span class="w"> </span><span class="se">\</span> <span class="w"> </span>-e<span class="w"> </span><span class="nv">WORDPRESS_DB_NAME</span><span class="o">=</span><span class="nv">$DB_NAME</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-e<span class="w"> </span><span class="nv">WORDPRESS_DB_USER</span><span class="o">=</span><span class="nv">$DB_USER</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-e<span class="w"> </span><span class="nv">WORDPRESS_DB_PASSWORD</span><span class="o">=</span><span class="nv">$DB_PASS</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>--name<span class="w"> </span><span class="nv">$CONTAINER_NAME_WP</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-v<span class="w"> </span><span class="s2">"</span><span class="nv">$PWD</span><span class="s2">/html"</span>:/var/www/html<span class="w"> </span>docker.io/wordpress </pre></div> </div> </section> <section id="image-transfer-between-systems"> <h2>Image Transfer Between Systems</h2> <p>When direct registry access is unavailable, you can save and load images for transfer:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>podman<span class="w"> </span>image<span class="w"> </span>save<span class="w"> </span>97f3876877e2<span class="w"> </span>-o<span class="w"> </span>97f3876877e2.tgz podman<span class="w"> </span>load<span class="w"> </span>--input<span class="w"> </span>97f3876877e2.tgz </pre></div> </div> </section> <section id="systemd-integration"> <h2>Systemd Integration</h2> <p>Running containers as systemd services allows them to persist even when the user is logged out:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Enable executing processes with logged out shell</span> loginctl<span class="w"> </span>enable-linger<span class="w"> </span>user <span class="c1"># Move to user systemd directory</span> <span class="nb">cd</span><span class="w"> </span>~/.config/systemd/user/ <span class="c1"># Generate systemd files for container</span> podman<span class="w"> </span>generate<span class="w"> </span>systemd<span class="w"> </span>--restart-policy<span class="o">=</span>always<span class="w"> </span>-t<span class="w"> </span><span class="m">1</span><span class="w"> </span>--name<span class="w"> </span>container_name<span class="w"> </span>--files <span class="c1"># Enable and start the service</span> systemctl<span class="w"> </span>--user<span class="w"> </span><span class="nb">enable</span><span class="w"> </span>container-container_name.service </pre></div> </div> </section> Wed, 23 Apr 2025 00:00:00 Layer 2 User Defined Networks for OpenShift Virtualizationhttps://blog.epheo.eu/articles/openshift-layer2-udn/index.html <span id="openshift-layer2-udn"/> <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>April 22, 2025</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>20 min read</p> </div> </div> </div> </div> </div> </div> <p>Learn how to set up Layer 2 User Defined Networks (UDN) for VMs in OpenShift Virtualization for isolated tenant networks with multi-node connectivity.</p> <p>This guide shows how to implement UDNs in OpenShift Virtualization for network isolation between VMs within or across namespaces. UDNs create isolated tenant networks separate from the default pod network, enabling complex network layouts and better security.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p>Learn more about OpenShift Virtualization networking in the official <a class="reference external" href="https://docs.openshift.com/container-platform/latest/virt/virtual_machines/vm_networking/">OpenShift Virtualization Documentation</a>.</p> </div> <div class="admonition note"> <p class="admonition-title">Note</p> <p>This is compatible with OpenShift 4.18 and newer versions.</p> </div> <section id="implementation-steps"> <h2>Implementation Steps</h2> <section id="understand-user-defined-networks"> <h3>1. Understand User Defined Networks</h3> <p>OpenShift Virtualization offers two UDN types:</p> <ol class="arabic simple"> <li><p><strong>UserDefinedNetwork (UDN)</strong>: Creates network isolation within a single namespace.</p></li> <li><p><strong>ClusterUserDefinedNetwork (Cluster UDN)</strong>: Spans multiple namespaces, allowing VMs in different namespaces to communicate while staying isolated from other networks.</p></li> </ol> <section id="layer-2-vs-layer-3-user-defined-networks"> <h4>Layer 2 vs Layer 3 User Defined Networks</h4> <p>UDNs can use either Layer 2 or Layer 3 topology:</p> <div class="note admonition"> <p class="admonition-title">Layer 2 UDN</p> <ul class="simple"> <li><p>Creates a virtual switch across all cluster nodes</p></li> <li><p>All VMs connect to the same subnet regardless of node location</p></li> <li><p>Provides a single broadcast domain</p></li> <li><p>Supports VM live migration between nodes</p></li> <li><p>Best for apps needing Layer 2 adjacency</p></li> <li><p>Simpler to configure</p></li> </ul> </div> <div class="note admonition"> <p class="admonition-title">Layer 3 UDN</p> <ul class="simple"> <li><p>Creates unique Layer 2 segments per node with Layer 3 routing between them</p></li> <li><p>Each node has its own subnet</p></li> <li><p>Controls broadcast traffic within node-specific segments</p></li> <li><p>Better scalability for large deployments</p></li> <li><p>Supports NetworkPolicy for security control</p></li> <li><p>Better for environments with many VMs</p></li> </ul> </div> <div class="tip admonition"> <p class="admonition-title">Primary vs Secondary Networks</p> <ul class="simple"> <li><p>Primary networks handle default traffic</p></li> <li><p>Secondary networks add interfaces for specific traffic</p></li> <li><p>A VM can have one primary but multiple secondary networks</p></li> <li><p>UDNs work as either primary or secondary networks</p></li> </ul> </div> <div class="admonition important"> <p class="admonition-title">Important</p> <p><strong>Compatibility Note:</strong></p> <ul class="simple"> <li><p>Only Layer 2 UDNs work as primary networks for VMs</p></li> <li><p>Layer 3 UDNs only work with regular pods, not VMs</p></li> </ul> </div> <p>This guide focuses on Layer 2 UDNs for VM workloads that need simplicity and migration support.</p> </section> </section> <section id="create-a-namespace-for-user-defined-network"> <h3>2. Create a Namespace for User Defined Network</h3> <p>Create a namespace with the UDN label:</p> <div class="literal-block-wrapper docutils container" id="id1"> <div class="code-block-caption"><span class="caption-text">udn-namespace.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Namespace</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">udn-example</span> <span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="w"> </span><span class="nt">k8s.ovn.org/primary-user-defined-network</span><span class="p">:</span><span class="w"> </span><span class="s">""</span> </pre></div> </div> </div> <div class="admonition important"> <p class="admonition-title">Important</p> <p>Add this label when creating the namespace. You cannot add it to existing namespaces.</p> </div> <p>Apply the namespace:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>create<span class="w"> </span>-f<span class="w"> </span>udn-namespace.yaml </pre></div> </div> </section> <section id="create-a-user-defined-network"> <h3>3. Create a User Defined Network</h3> <p>Create a UDN in your namespace:</p> <div class="literal-block-wrapper docutils container" id="id2"> <div class="code-block-caption"><span class="caption-text">udn-example.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s.ovn.org/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">UserDefinedNetwork</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">udn-example</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">udn-example</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">layer2</span><span class="p">:</span> <span class="w"> </span><span class="nt">ipam</span><span class="p">:</span> <span class="w"> </span><span class="nt">lifecycle</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Persistent</span> <span class="w"> </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Primary</span> <span class="w"> </span><span class="nt">subnets</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10.200.0.0/16</span> <span class="w"> </span><span class="nt">topology</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Layer2</span> </pre></div> </div> </div> <p>Apply the UDN:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>create<span class="w"> </span>-f<span class="w"> </span>udn-example.yaml </pre></div> </div> <p>Verify creation:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>get<span class="w"> </span>userdefinednetwork<span class="w"> </span>-n<span class="w"> </span>udn-example </pre></div> </div> </section> <section id="create-a-vm-on-the-user-defined-network"> <h3>4. Create a VM on the User Defined Network</h3> <p>VMs in a namespace with a UDN automatically use the UDN as their primary network:</p> <div class="literal-block-wrapper docutils container" id="id3"> <div class="code-block-caption"><span class="caption-text">example-vm.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt.io/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">VirtualMachine</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-vm</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">udn-example</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">runStrategy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Always</span> <span class="w"> </span><span class="nt">template</span><span class="p">:</span> <span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">domain</span><span class="p">:</span> <span class="w"> </span><span class="nt">devices</span><span class="p">:</span> <span class="w"> </span><span class="nt">disks</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rootdisk</span> <span class="w"> </span><span class="nt">disk</span><span class="p">:</span> <span class="w"> </span><span class="nt">bus</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">virtio</span> <span class="w"> </span><span class="nt">interfaces</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span> <span class="w"> </span><span class="nt">binding</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">l2bridge</span> <span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2Gi</span> <span class="w"> </span><span class="nt">networks</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span> <span class="w"> </span><span class="nt">pod</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rootdisk</span> <span class="w"> </span><span class="nt">containerDisk</span><span class="p">:</span> <span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">quay.io/containerdisks/fedora:latest</span> </pre></div> </div> </div> <div class="admonition note"> <p class="admonition-title">Note</p> <p>Don’t modify the VM’s network config. The UDN system handles it automatically.</p> </div> <div class="admonition important"> <p class="admonition-title">Important</p> <p>Restart or live migrate the VM after network changes:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Restart the VM:</span> virtctl<span class="w"> </span>restart<span class="w"> </span>example-vm <span class="c1"># Or live migrate (no downtime):</span> virtctl<span class="w"> </span>migrate<span class="w"> </span>example-vm </pre></div> </div> </div> </section> <section id="create-a-cluster-user-defined-network"> <h3>5. Create a Cluster User Defined Network</h3> <p>For cross-namespace communication, create a Cluster UDN:</p> <ol class="arabic"> <li><p>Create namespaces with the proper labels:</p> <div class="literal-block-wrapper docutils container" id="id4"> <div class="code-block-caption"><span class="caption-text">udn-namespaces.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nn">---</span> <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Namespace</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">udn-prod</span> <span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="w"> </span><span class="nt">k8s.ovn.org/primary-user-defined-network</span><span class="p">:</span><span class="w"> </span><span class="s">""</span> <span class="w"> </span><span class="nt">cluster-udn</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">prod</span> <span class="nn">---</span> <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Namespace</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">udn-preprod</span> <span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="w"> </span><span class="nt">k8s.ovn.org/primary-user-defined-network</span><span class="p">:</span><span class="w"> </span><span class="s">""</span> <span class="w"> </span><span class="nt">cluster-udn</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">prod</span> </pre></div> </div> </div> </li> <li><p>Create the Cluster UDN:</p> <div class="literal-block-wrapper docutils container" id="id5"> <div class="code-block-caption"><span class="caption-text">cluster-udn-prod.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s.ovn.org/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterUserDefinedNetwork</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cluster-udn-prod</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">namespaceSelector</span><span class="p">:</span> <span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span> <span class="w"> </span><span class="nt">cluster-udn</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">prod</span> <span class="w"> </span><span class="nt">network</span><span class="p">:</span> <span class="w"> </span><span class="nt">layer2</span><span class="p">:</span> <span class="w"> </span><span class="nt">ipam</span><span class="p">:</span> <span class="w"> </span><span class="nt">lifecycle</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Persistent</span> <span class="w"> </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Primary</span> <span class="w"> </span><span class="nt">subnets</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10.100.0.0/16</span> <span class="w"> </span><span class="nt">topology</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Layer2</span> </pre></div> </div> </div> </li> <li><p>Apply the config:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>create<span class="w"> </span>-f<span class="w"> </span>cluster-udn-prod.yaml </pre></div> </div> </li> <li><p>Verify creation:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>get<span class="w"> </span>clusteruserdefinednetwork </pre></div> </div> </li> </ol> </section> </section> <section id="testing-and-validation"> <h2>Testing and Validation</h2> <section id="test-vm-connectivity-within-udn"> <h3>1. Test VM Connectivity within UDN</h3> <ol class="arabic"> <li><p>Create multiple VMs in the same namespace with a UDN</p></li> <li><p>Connect to the VM:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Use console</span> virtctl<span class="w"> </span>console<span class="w"> </span>example-vm <span class="c1"># Or SSH if available</span> virtctl<span class="w"> </span>ssh<span class="w"> </span>example-vm </pre></div> </div> </li> <li><p>Check network config:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>ip<span class="w"> </span>addr<span class="w"> </span>show ip<span class="w"> </span>route </pre></div> </div> </li> <li><p>Test connectivity between VMs:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>ping<span class="w"> </span>&lt;other-vm-ip-address&gt; </pre></div> </div> </li> <li><p>Verify VMs got IP addresses from the UDN subnet</p></li> </ol> </section> <section id="test-vm-connectivity-across-cluster-udn"> <h3>2. Test VM Connectivity across Cluster UDN</h3> <ol class="arabic"> <li><p>Create VMs in different namespaces connected by a Cluster UDN</p></li> <li><p>Check network config in each VM</p></li> <li><p>Test connectivity:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># From VM in namespace 1</span> ping<span class="w"> </span>&lt;vm-ip-in-namespace-2&gt; </pre></div> </div> </li> </ol> </section> <section id="test-north-south-network-access"> <h3>3. Test North/South Network Access</h3> <ol class="arabic"> <li><p>Test external network access:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># From inside the VM</span> ping<span class="w"> </span><span class="m">1</span>.1.1.1 </pre></div> </div> </li> </ol> <div class="admonition important"> <p class="admonition-title">Important</p> <p>Don’t manually configure IP addresses. The UDN controller manages IP allocation through IPAM.</p> </div> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p>For direct north/south connectivity using the existing <code class="docutils literal notranslate"><span class="pre">br-ex</span></code> bridge, see <a class="reference internal" href="../openshift-localnet/index.html#openshift-localnet"><span class="std std-ref">OpenShift Virtualization with Localnet Configuration</span></a>.</p> </div> </section> </section> Tue, 22 Apr 2025 00:00:00 OpenShift Virtualization with Localnet Configurationhttps://blog.epheo.eu/articles/openshift-localnet/index.html <span id="openshift-localnet"/> <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>April 22, 2025</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>15 min read</p> </div> </div> </div> </div> </div> </div> <p>This use case demonstrates how to configure OpenShift Virtualization to leverage the existing <code class="docutils literal notranslate"><span class="pre">br-ex</span></code> OVS bridge for direct north/south connectivity of virtual machines. Instead of using a dedicated interface, this approach reuses the main OpenShift interface to provide IP addresses from your baremetal network to your KubeVirt virtual machines.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p>For more information about OpenShift Virtualization networking, check out the official <a class="reference external" href="https://docs.openshift.com/container-platform/4.18/virt/virtual_machines/vm_networking/">OpenShift Virtualization Documentation</a>.</p> </div> <div class="admonition note"> <p class="admonition-title">Note</p> <p>This is compatible with OpenShift 4.18 and newer versions.</p> </div> <section id="implementation-steps"> <h2>Implementation Steps</h2> <section id="understanding-localnet-and-br-ex-bridge"> <h3>1. Understanding Localnet and br-ex Bridge</h3> <p>The OpenShift <code class="docutils literal notranslate"><span class="pre">br-ex</span></code> bridge is typically used for external connectivity for the OpenShift cluster. By configuring a localnet mapping to this bridge, we can:</p> <ul class="simple"> <li><p>Allow virtual machines to obtain IP addresses directly from the baremetal network</p></li> <li><p>Enable direct north/south connectivity without network translation</p></li> <li><p>Simplify network architecture by reusing existing resources</p></li> </ul> <div class="admonition note"> <p class="admonition-title">Note</p> <p>The <code class="docutils literal notranslate"><span class="pre">br-ex</span></code> bridge is part of OVN-Kubernetes networking in OpenShift. This approach eliminates the need for dedicated physical interfaces for VM connectivity.</p> </div> </section> <section id="configure-nodenetworkconfigurationpolicy"> <h3>2. Configure NodeNetworkConfigurationPolicy</h3> <p>Create a NodeNetworkConfigurationPolicy (NNCP) to add a localnet mapping to the <code class="docutils literal notranslate"><span class="pre">br-ex</span></code> bridge:</p> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nmstate.io/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">NodeNetworkConfigurationPolicy</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">br-ex-network</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">nodeSelector</span><span class="p">:</span> <span class="w"> </span><span class="nt">node-role.kubernetes.io/worker</span><span class="p">:</span><span class="w"> </span><span class="s">''</span><span class="w"> </span> <span class="w"> </span><span class="nt">desiredState</span><span class="p">:</span> <span class="w"> </span><span class="nt">ovn</span><span class="p">:</span> <span class="w"> </span><span class="nt">bridge-mappings</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">localnet</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">br-ex-network</span> <span class="w"> </span><span class="nt">bridge</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">br-ex</span><span class="w"> </span> <span class="w"> </span><span class="nt">state</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">present</span> </pre></div> </div> <p>Apply the policy:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>br-ex-nncp.yaml </pre></div> </div> </section> <section id="verify-nodenetworkconfigurationpolicy-status"> <h3>3. Verify NodeNetworkConfigurationPolicy Status</h3> <p>Check that the policy has been applied correctly:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>get<span class="w"> </span>nncp </pre></div> </div> <p>Expected output:</p> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>NAME STATUS REASON br-ex-network Available SuccessfullyConfigured </pre></div> </div> <p>Verify the node network configuration enactments:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>get<span class="w"> </span>nnce </pre></div> </div> <p>Expected output:</p> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>NAME STATUS STATUS AGE REASON &lt;node-name&gt;.br-ex-network Available &lt;age&gt; SuccessfullyConfigured </pre></div> </div> </section> <section id="create-networkattachmentdefinition"> <h3>4. Create NetworkAttachmentDefinition</h3> <p>Create a NetworkAttachmentDefinition (NAD) that will use the localnet:</p> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s.cni.cncf.io/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">NetworkAttachmentDefinition</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">br-ex-network</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span><span class="s">'{</span> <span class="w"> </span><span class="s">"name":"br-ex-network",</span> <span class="w"> </span><span class="s">"type":"ovn-k8s-cni-overlay",</span> <span class="w"> </span><span class="s">"cniVersion":"0.4.0",</span> <span class="w"> </span><span class="s">"topology":"localnet",</span> <span class="w"> </span><span class="s">"netAttachDefName":"default/br-ex-network"</span> <span class="w"> </span><span class="s">}'</span> </pre></div> </div> <p>Apply the NetworkAttachmentDefinition:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>br-ex-network-nad.yaml </pre></div> </div> <section id="vlan-configuration-example"> <h4>VLAN Configuration Example</h4> <p>To configure a NetworkAttachmentDefinition with a specific VLAN ID, use the <code class="docutils literal notranslate"><span class="pre">vlanID</span></code> property in the config. This is particularly useful for environments where network segmentation is required:</p> <div class="admonition tip"> <p class="admonition-title">Tip</p> <p>Using VLANs with localnet can help maintain network isolation while still leveraging the existing physical infrastructure.</p> </div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s.cni.cncf.io/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">NetworkAttachmentDefinition</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vlan-network</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="w"> </span><span class="no">{</span> <span class="w"> </span><span class="no">"cniVersion": "0.3.1",</span> <span class="w"> </span><span class="no">"name": "vlan-network",</span> <span class="w"> </span><span class="no">"type": "ovn-k8s-cni-overlay",</span> <span class="w"> </span><span class="no">"topology": "localnet",</span> <span class="w"> </span><span class="no">"vlanID": 200,</span> <span class="w"> </span><span class="no">"netAttachDefName": "default/vlan-network"</span> <span class="w"> </span><span class="no">}</span> </pre></div> </div> <p>Apply the VLAN NetworkAttachmentDefinition:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>vlan-network-nad.yaml </pre></div> </div> <p>In this example, the virtual machines connected to this network will receive VLAN tagged traffic with VLAN ID 200.</p> </section> </section> <section id="adding-network-interface-to-virtual-machines"> <h3>5. Adding Network Interface to Virtual Machines</h3> <p>To attach a VM to the localnet bridge, modify your VM definition to include an additional network interface:</p> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt.io/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">VirtualMachine</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-vm</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">runStrategy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Always</span> <span class="w"> </span><span class="nt">template</span><span class="p">:</span> <span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">domain</span><span class="p">:</span> <span class="w"> </span><span class="nt">devices</span><span class="p">:</span> <span class="w"> </span><span class="nt">disks</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rootdisk</span> <span class="w"> </span><span class="nt">disk</span><span class="p">:</span> <span class="w"> </span><span class="nt">bus</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">virtio</span> <span class="w"> </span><span class="nt">interfaces</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span> <span class="w"> </span><span class="nt">masquerade</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">br-ex-interface</span> <span class="w"> </span><span class="nt">bridge</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2Gi</span> <span class="w"> </span><span class="nt">networks</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span> <span class="w"> </span><span class="nt">pod</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">br-ex-interface</span> <span class="w"> </span><span class="nt">multus</span><span class="p">:</span> <span class="w"> </span><span class="nt">networkName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default/br-ex-network</span> <span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rootdisk</span> <span class="w"> </span><span class="nt">containerDisk</span><span class="p">:</span> <span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">quay.io/containerdisks/fedora:latest</span> </pre></div> </div> </section> </section> <section id="testing-and-validation"> <h2>Testing and Validation</h2> <section id="verify-vm-network-configuration"> <h3>1. Verify VM Network Configuration</h3> <ol class="arabic"> <li><p>Connect to the VM console or SSH:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>virtctl<span class="w"> </span>console<span class="w"> </span>example-vm <span class="c1"># or</span> virtctl<span class="w"> </span>ssh<span class="w"> </span>example-vm </pre></div> </div> </li> <li><p>Check network interfaces:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>ip<span class="w"> </span>addr<span class="w"> </span>show </pre></div> </div> </li> <li><p>Verify you have two interfaces:</p> <ul class="simple"> <li><p>First interface connected to the pod network (<code class="docutils literal notranslate"><span class="pre">default</span></code>)</p></li> <li><p>Second interface connected to the br-ex network with an IP from your baremetal network</p></li> </ul> </li> </ol> </section> <section id="test-external-network-connectivity"> <h3>2. Test External Network Connectivity</h3> <ol class="arabic"> <li><p>Test network connectivity:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># From inside VM</span> ping<span class="w"> </span><span class="m">1</span>.1.1.1 </pre></div> </div> </li> <li><p>Test that external hosts can directly reach the VM on its baremetal IP:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># From an external machine</span> ping<span class="w"> </span>&lt;vm-ip-address&gt; </pre></div> </div> </li> </ol> <div class="admonition important"> <p class="admonition-title">Important</p> <p>VMs using localnet networking will be directly exposed to your physical network, so ensure proper security measures are in place.</p> </div> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p>For isolated tenant networks without physical network exposure, see <a class="reference internal" href="../openshift-layer2-udn/index.html#openshift-layer2-udn"><span class="std std-ref">Layer 2 User Defined Networks for OpenShift Virtualization</span></a>.</p> </div> </section> </section> Tue, 22 Apr 2025 00:00:00 BGP Implementation in Red Hat OpenStack Services on OpenShifthttps://blog.epheo.eu/articles/openstack-bgp/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Nov 20, 2024</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>30 min read</p> </div> </div> </div> </div> </div> </div> <div class="admonition warning"> <p class="admonition-title">Warning</p> <p><strong>Deprecation Notice</strong>: The OVN BGP Agent was deprecated in RHOSO 18.0.10 (Feature Release 3). This component will be removed and replaced in a future release. An alternative BGP integration mechanism will be provided in a future release.</p> </div> <section id="key-components"> <h2>Key Components</h2> <p>RHOSO’s dynamic routing relies on four primary components working together in a distributed architecture that requires dedicated networking nodes:</p> <section id="ovn-bgp-agent"> <h3>OVN BGP Agent</h3> <p>The OVN BGP agent is a Python-based daemon running in the <code class="docutils literal notranslate"><span class="pre">ovn_bgp_agent</span></code> container on Compute and Networker nodes. Its primary functions include:</p> <ul class="simple"> <li><p><strong>Database monitoring</strong>: Monitors the OVN northbound database for VM and floating IP events</p></li> <li><p><strong>Route management</strong>: Triggers FRR to advertise or withdraw routes based on workload lifecycle</p></li> <li><p><strong>Traffic redirection</strong>: Configures Linux kernel networking for proper traffic flow</p></li> <li><p><strong>Interface management</strong>: Manages the <code class="docutils literal notranslate"><span class="pre">bgp-nic</span></code> dummy interface for route advertisement</p></li> </ul> <p>The agent operates by detecting changes in the OVN database and translating these into BGP routing decisions.</p> <div class="admonition note"> <p class="admonition-title">Note</p> <p>In RHOSO 18.0, BGP is deployed through <code class="docutils literal notranslate"><span class="pre">OpenStackControlPlane</span></code> and <code class="docutils literal notranslate"><span class="pre">OpenStackDataPlaneNodeSet</span></code> custom resources managed by the RHOSO operators.</p> </div> <div class="literal-block-wrapper docutils container" id="id1"> <div class="code-block-caption"><span class="caption-text">OVN BGP Agent Configuration (ovn_bgp_agent.conf)</span></div> <div class="highlight-ini notranslate"><div class="highlight"><pre><span/><span class="k">[DEFAULT]</span> <span class="na">debug</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">False</span> <span class="na">reconcile_interval</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">120</span> <span class="na">expose_tenant_network</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">False</span> <span class="na">driver</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">ovn_bgp_driver</span> </pre></div> </div> </div> </section> <section id="frr-container-suite"> <h3>FRR Container Suite</h3> <p>Free Range Routing runs as the <code class="docutils literal notranslate"><span class="pre">frr</span></code> container on all RHOSO nodes, providing enterprise-grade routing capabilities:</p> <ul class="simple"> <li><p><strong>BGP Daemon (bgpd)</strong>: Manages BGP peer relationships and route advertisements</p></li> <li><p><strong>BFD Daemon (bfdd)</strong>: Provides sub-second failure detection</p></li> <li><p><strong>Zebra Daemon</strong>: Interfaces between FRR and the Linux kernel routing table</p></li> <li><p><strong>VTY Shell</strong>: Command-line interface for configuration and monitoring</p></li> </ul> <div class="literal-block-wrapper docutils container" id="id2"> <div class="code-block-caption"><span class="caption-text">Sample FRR Configuration for RHOSO</span></div> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>frr version 8.5 frr defaults traditional hostname rhoso-compute-0 log syslog informational service integrated-vtysh-config ! router bgp 64999 bgp router-id 172.30.1.10 neighbor 172.30.1.254 remote-as 65000 neighbor 172.30.1.254 bfd ! address-family ipv4 unicast redistribute connected maximum-paths 8 exit-address-family ! </pre></div> </div> </div> </section> <section id="kernel-networking-integration"> <h3>Kernel Networking Integration</h3> <p>RHOSO leverages RHEL kernel networking features configured by the OVN BGP agent:</p> <ul class="simple"> <li><p><strong>VRF (Virtual Routing and Forwarding)</strong>: Network isolation using <code class="docutils literal notranslate"><span class="pre">bgp_vrf</span></code></p></li> <li><p><strong>IP Rules</strong>: Direct traffic to appropriate routing tables</p></li> <li><p><strong>Dummy Interface</strong>: The <code class="docutils literal notranslate"><span class="pre">bgp-nic</span></code> interface for route advertisement</p></li> <li><p><strong>OVS Integration</strong>: Flow rules redirecting traffic to the OVN overlay</p></li> </ul> </section> <section id="dedicated-networking-nodes"> <h3>Dedicated Networking Nodes</h3> <p>RHOSO BGP deployments <strong>require</strong> dedicated networking nodes with specific architectural constraints:</p> <ul class="simple"> <li><p><strong>Mandatory Architecture</strong>: BGP dynamic routing cannot function without dedicated networker nodes</p></li> <li><p><strong>DVR Integration</strong>: Must be deployed with Distributed Virtual Routing (DVR) enabled</p></li> <li><p><strong>Traffic Gateway Role</strong>: Networker nodes host neutron router gateways and CR-LRP (Chassis Redirect Logical Router Ports)</p></li> <li><p><strong>North-South Traffic</strong>: All external traffic to tenant networks flows through networker nodes</p></li> <li><p><strong>BGP Advertisement</strong>: Both compute and networker nodes run FRR and OVN BGP agent containers</p></li> </ul> <div class="literal-block-wrapper docutils container" id="id3"> <div class="code-block-caption"><span class="caption-text">Networker Node Configuration Requirements</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="c1"># OpenShift node labels for dedicated networking</span> <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Node</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rhoso-networker-0</span> <span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="w"> </span><span class="nt">node-role.kubernetes.io/rhoso-networker</span><span class="p">:</span><span class="w"> </span><span class="s">""</span> <span class="w"> </span><span class="nt">feature.node.kubernetes.io/network-sriov.capable</span><span class="p">:</span><span class="w"> </span><span class="s">"true"</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="c1"># Networker nodes require specific networking capabilities</span> <span class="w"> </span><span class="c1"># and dedicated hardware for external connectivity</span> </pre></div> </div> </div> <p><strong>Architecture Constraints</strong>:</p> <ul class="simple"> <li><p><strong>Control Plane OVN Gateways</strong>: Not supported with BGP (incompatible)</p></li> <li><p><strong>Octavia Load Balancer</strong>: Cannot be used with BGP dynamic routing</p></li> <li><p><strong>BFD Limitations</strong>: Bi-directional forwarding detection has known issues</p></li> </ul> </section> </section> <section id="network-architecture"> <h2>Network Architecture</h2> <section id="rhoso-bgp-network-topology"> <h3>RHOSO BGP Network Topology</h3> <object data="../../_images/mermaid-1f784973343563afc39307e72c054134f4642996.svg" type="image/svg+xml"> <p class="warning">--- config: theme: neutral --- graph TB subgraph "External Network" TOR1[ToR Switch 1&lt;br/&gt;AS 65000] TOR2[ToR Switch 2&lt;br/&gt;AS 65000] EXT[External Networks&lt;br/&gt;192.0.2.0/24] end subgraph "OpenShift Cluster" subgraph "RHOSO Control Plane" CP1[Controller Pod 1&lt;br/&gt;172.30.1.1] CP2[Controller Pod 2&lt;br/&gt;172.30.1.2] CP3[Controller Pod 3&lt;br/&gt;172.30.1.3] end subgraph "RHOSO Compute Nodes" CN1[Compute Node 1&lt;br/&gt;FRR + OVN BGP Agent] CN2[Compute Node 2&lt;br/&gt;FRR + OVN BGP Agent] CN3[Compute Node 3&lt;br/&gt;FRR + OVN BGP Agent] end subgraph "OVN Overlay" VM1[VM 10.0.0.10&lt;br/&gt;Floating IP: 192.0.2.10] VM2[VM 10.0.0.20&lt;br/&gt;Floating IP: 192.0.2.20] LB[Load Balancer&lt;br/&gt;192.0.2.100] end end TOR1 -.-&gt;|eBGP&lt;br/&gt;AS 64999| CN1 TOR1 -.-&gt;|eBGP&lt;br/&gt;AS 64999| CN2 TOR2 -.-&gt;|eBGP&lt;br/&gt;AS 64999| CN2 TOR2 -.-&gt;|eBGP&lt;br/&gt;AS 64999| CN3 CN1 --&gt; VM1 CN2 --&gt; VM2 CN3 --&gt; LB TOR1 &lt;--&gt; EXT TOR2 &lt;--&gt; EXT</p></object> </section> <section id="bgp-component-interactions"> <h3>BGP Component Interactions</h3> <p>The following diagram shows detailed interactions between all RHOSO BGP components as they operate within the OpenShift container environment:</p> <object data="../../_images/mermaid-0da1aed5a8fd807f5eb70c0ae52f5e314a90e3c4.svg" type="image/svg+xml"> <p class="warning">--- config: theme: neutral --- graph TB subgraph "External Infrastructure" PEER1[BGP Peer 1&lt;br/&gt;ToR Switch&lt;br/&gt;AS 65000] PEER2[BGP Peer 2&lt;br/&gt;ToR Switch&lt;br/&gt;AS 65000] end subgraph "OpenShift Node (Compute/Networker)" subgraph "Container Runtime" subgraph "FRR Container" BGPD[BGP Daemon&lt;br/&gt;bgpd] ZEBRA[Zebra Daemon&lt;br/&gt;Route Manager] BFD[BFD Daemon&lt;br/&gt;bfdd] VTY[VTY Shell&lt;br/&gt;vtysh] end subgraph "OVN BGP Agent Container" AGENT[OVN BGP Agent&lt;br/&gt;Python Daemon] DRIVER[BGP Speaker Driver&lt;br/&gt;ovn_bgp_driver] end end subgraph "Host Kernel" KRTAB[Kernel Routing Table] BGPNIC[bgp-nic Interface&lt;br/&gt;Dummy Interface] BRVRF[bgp_vrf&lt;br/&gt;VRF Instance] IPRULES[IP Rules &amp; Routes] end subgraph "OVS Integration" BREX[br-ex&lt;br/&gt;Provider Bridge] FLOWS[OVS Flow Rules] end subgraph "OVN Database" OVNNB[(OVN Northbound&lt;br/&gt;Database)] OVNSB[(OVN Southbound&lt;br/&gt;Database)] end end %% External BGP Sessions PEER1 &lt;==&gt;|TCP 179&lt;br/&gt;BGP Session| BGPD PEER2 &lt;==&gt;|TCP 179&lt;br/&gt;BGP Session| BGPD %% Internal Component Interactions BGPD &lt;--&gt; ZEBRA BGPD &lt;--&gt; BFD ZEBRA &lt;--&gt; KRTAB ZEBRA &lt;--&gt; BGPNIC %% OVN BGP Agent Monitoring AGENT --&gt; OVNNB AGENT --&gt; OVNSB AGENT --&gt; BGPNIC AGENT --&gt; IPRULES AGENT --&gt; FLOWS %% Route Advertisement Flow BGPNIC --&gt; KRTAB KRTAB --&gt; ZEBRA ZEBRA --&gt; BGPD BGPD --&gt; PEER1 BGPD --&gt; PEER2 %% Traffic Redirection IPRULES --&gt; BREX FLOWS --&gt; BREX BRVRF --&gt; BREX %% Configuration Management VTY -.-&gt; BGPD VTY -.-&gt; ZEBRA VTY -.-&gt; BFD DRIVER -.-&gt; AGENT</p></object> </section> <section id="traffic-flow-process"> <h3>Traffic Flow Process</h3> <p>When a VM is created or a floating IP is assigned, the following sequence occurs:</p> <object data="../../_images/mermaid-7f60109a513012013de3bb667123cbe409eaa73e.svg" type="image/svg+xml"> <p class="warning">sequenceDiagram participant OVN as OVN Database participant Agent as OVN BGP Agent participant FRR as FRR BGP Daemon participant Kernel as Linux Kernel participant Peer as BGP Peer OVN-&gt;&gt;Agent: VM created with IP 192.0.2.10 Agent-&gt;&gt;Agent: Add IP to bgp-nic interface Agent-&gt;&gt;Kernel: Configure IP rules and routes Agent-&gt;&gt;Kernel: Configure OVS flows Kernel-&gt;&gt;FRR: Route appears in kernel table FRR-&gt;&gt;Peer: Advertise route 192.0.2.10/32 Peer-&gt;&gt;Peer: Update routing table Note over Agent,Kernel: Traffic redirection configured Note over FRR,Peer: Route convergence complete</p></object> </section> </section> <section id="private-network-advertising"> <h2>Private Network Advertising</h2> <p>RHOSO BGP supports advertising private tenant networks, though this feature is disabled by default due to security implications.</p> <section id="tenant-network-exposure-configuration"> <h3>Tenant Network Exposure Configuration</h3> <p><strong>Default Behavior</strong>: By default, only floating IPs and provider network IPs are advertised via BGP. Private tenant networks remain isolated within the OVN overlay.</p> <p><strong>Enabling Tenant Network Advertisement</strong>:</p> <div class="literal-block-wrapper docutils container" id="id4"> <div class="code-block-caption"><span class="caption-text">OVN BGP Agent Configuration with Tenant Network Exposure</span></div> <div class="highlight-ini notranslate"><div class="highlight"><pre><span/><span class="k">[DEFAULT]</span> <span class="na">debug</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">False</span> <span class="na">reconcile_interval</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">120</span> <span class="na">expose_tenant_network</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">True</span> <span class="na">driver</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">ovn_bgp_driver</span> </pre></div> </div> </div> <p><strong>Security Considerations</strong>:</p> <ul class="simple"> <li><p><strong>Network Isolation</strong>: Enabling tenant network exposure breaks traditional OpenStack network isolation</p></li> <li><p><strong>Routing Policies</strong>: External routers must implement proper filtering to maintain security boundaries</p></li> <li><p><strong>Non-Overlapping CIDRs</strong>: Tenant networks must use unique, non-overlapping IP ranges</p></li> <li><p><strong>Access Control</strong>: External network infrastructure must enforce tenant access policies</p></li> </ul> </section> <section id="traffic-flow-for-tenant-networks"> <h3>Traffic Flow for Tenant Networks</h3> <p>When tenant network advertising is enabled, traffic follows a specific path through dedicated networking nodes:</p> <object data="../../_images/mermaid-c886ef295aa2214c41347733ae33c848b5a5b68d.svg" type="image/svg+xml"> <p class="warning">--- config: theme: neutral --- graph TD CLIENT[External Client&lt;br/&gt;203.0.113.100] TOR[ToR Switch&lt;br/&gt;BGP AS 65000&lt;br/&gt;Routes: 10.1.0.0/24] subgraph NETWORKER ["Networker Node"] FRR1[FRR Container&lt;br/&gt;BGP: AS 64999&lt;br/&gt;Advertises: 10.1.0.0/24] AGENT1[OVN BGP Agent&lt;br/&gt;Monitors OVN DB&lt;br/&gt;Configures CR-LRP] KERNEL1[Host Kernel&lt;br/&gt;IP Rules &amp; Routes] BREX1[br-ex Bridge&lt;br/&gt;Provider Bridge] CRLRP1[CR-LRP Gateway&lt;br/&gt;10.1.0.1] end subgraph COMPUTE ["Compute Node - OVN Overlay"] LROUTER[Logical Router&lt;br/&gt;tenant-router-1] LSWITCH[Logical Switch&lt;br/&gt;tenant-net-1&lt;br/&gt;10.1.0.0/24] VM[Tenant VM&lt;br/&gt;10.1.0.10] end %% Main Traffic Flow (Top to Bottom) CLIENT --&gt;|1. Send packet&lt;br/&gt;dst: 10.1.0.10| TOR TOR --&gt;|2. BGP route lookup&lt;br/&gt;forward to networker| KERNEL1 KERNEL1 --&gt;|3. Apply IP rules&lt;br/&gt;route to br-ex| BREX1 BREX1 --&gt;|4. Traffic injection&lt;br/&gt;enter OVN overlay| CRLRP1 CRLRP1 --&gt;|5. L3 gateway&lt;br/&gt;route to logical switch| LROUTER LROUTER --&gt;|6. ARP resolution&lt;br/&gt;L3 to L2 forwarding| LSWITCH LSWITCH --&gt;|7. MAC lookup&lt;br/&gt;deliver packet| VM %% BGP Advertisement Flow (Dashed) AGENT1 -.-&gt;|Monitor tenant&lt;br/&gt;network events| LSWITCH AGENT1 -.-&gt;|Configure gateway&lt;br/&gt;on networker node| CRLRP1 AGENT1 -.-&gt;|Add route to&lt;br/&gt;bgp-nic interface| FRR1 FRR1 -.-&gt;|BGP UPDATE&lt;br/&gt;advertise 10.1.0.0/24| TOR</p></object> <p><strong>Key Technical Details</strong>:</p> <ul class="simple"> <li><p><strong>CR-LRP Role</strong>: Chassis Redirect Logical Router Ports serve as the entry point for external traffic to tenant networks</p></li> <li><p><strong>Networker Node Gateway</strong>: All north-south traffic to tenant networks must traverse the networker node hosting the neutron router gateway</p></li> <li><p><strong>Route Advertisement</strong>: The OVN BGP agent on networker nodes advertises neutron router gateway ports when tenant network exposure is enabled</p></li> </ul> </section> <section id="implementation-requirements"> <h3>Implementation Requirements</h3> <p><strong>Network Planning</strong>:</p> <div class="literal-block-wrapper docutils container" id="id5"> <div class="code-block-caption"><span class="caption-text">Tenant Network BGP Advertisement Example</span></div> <div class="highlight-text notranslate"><div class="highlight"><pre><span/># Tenant network configuration router bgp 64999 # Advertise tenant network ranges address-family ipv4 unicast network 10.0.0.0/24 # Tenant network 1 network 10.1.0.0/24 # Tenant network 2 network 10.2.0.0/24 # Tenant network 3 exit-address-family # Route filtering for security ip prefix-list TENANT-NETWORKS permit 10.0.0.0/8 le 24 route-map TENANT-FILTER permit 10 match ip address prefix-list TENANT-NETWORKS </pre></div> </div> </div> <p><strong>Operational Considerations</strong>:</p> <ul class="simple"> <li><p><strong>Network Overlap Detection</strong>: Implement monitoring to detect and prevent CIDR overlaps</p></li> <li><p><strong>Route Filtering</strong>: Configure external routers with appropriate filters to prevent route leaks</p></li> <li><p><strong>Multi-Tenancy</strong>: Consider impact on tenant isolation and implement additional security measures</p></li> <li><p><strong>Troubleshooting Complexity</strong>: Private network advertising increases troubleshooting complexity</p></li> </ul> </section> </section> <section id="real-world-deployment-scenarios"> <h2>Real-World Deployment Scenarios</h2> <section id="enterprise-multi-zone-deployment"> <h3>Enterprise Multi-Zone Deployment</h3> <p><strong>Use Case</strong>: Large enterprise with RHOSO deployed across multiple OpenShift clusters in different availability zones.</p> <p><strong>Multi-Zone Network Topology</strong>:</p> <object data="../../_images/mermaid-898baf3ab09f2979bd4b9b70ccb35378fc0015d7.svg" type="image/svg+xml"> <p class="warning">--- config: theme: neutral --- graph TB subgraph "Enterprise WAN" WAN[Enterprise WAN&lt;br/&gt;Core Network&lt;br/&gt;AS 65000] MPLS[MPLS/VPN Backbone] end subgraph "Availability Zone 1 (East)" subgraph "Zone 1 Network Infrastructure" TOR1A[ToR Switch 1A&lt;br/&gt;AS 65001] TOR1B[ToR Switch 1B&lt;br/&gt;AS 65001] SPINE1[Spine Switch 1&lt;br/&gt;AS 65001] end subgraph "OpenShift Cluster 1" subgraph "RHOSO Control Plane 1" CP1A[Controller Pod 1A] CP1B[Controller Pod 1B] end subgraph "Networker Nodes Zone 1" NN1A[Networker 1A&lt;br/&gt;BGP AS 64999&lt;br/&gt;Router-ID: 10.1.1.1] NN1B[Networker 1B&lt;br/&gt;BGP AS 64999&lt;br/&gt;Router-ID: 10.1.1.2] end subgraph "Compute Nodes Zone 1" CN1A[Compute 1A] CN1B[Compute 1B] CN1C[Compute 1C] end end subgraph "Workloads Zone 1" VIP1[Control Plane VIP&lt;br/&gt;203.0.113.10] TENANT1[Tenant Networks&lt;br/&gt;10.1.0.0/16] FIP1[Floating IPs&lt;br/&gt;203.0.113.100~200] end end subgraph "Availability Zone 2 (West)" subgraph "Zone 2 Network Infrastructure" TOR2A[ToR Switch 2A&lt;br/&gt;AS 65002] TOR2B[ToR Switch 2B&lt;br/&gt;AS 65002] SPINE2[Spine Switch 2&lt;br/&gt;AS 65002] end subgraph "OpenShift Cluster 2" subgraph "RHOSO Control Plane 2" CP2A[Controller Pod 2A] CP2B[Controller Pod 2B] end subgraph "Networker Nodes Zone 2" NN2A[Networker 2A&lt;br/&gt;BGP AS 64998&lt;br/&gt;Router-ID: 10.2.1.1] NN2B[Networker 2B&lt;br/&gt;BGP AS 64998&lt;br/&gt;Router-ID: 10.2.1.2] end subgraph "Compute Nodes Zone 2" CN2A[Compute 2A] CN2B[Compute 2B] CN2C[Compute 2C] end end subgraph "Workloads Zone 2" VIP2[Control Plane VIP&lt;br/&gt;203.0.113.11] TENANT2[Tenant Networks&lt;br/&gt;10.2.0.0/16] FIP2[Floating IPs&lt;br/&gt;203.0.113.201~255] end end %% WAN Connectivity WAN &lt;--&gt; MPLS MPLS &lt;--&gt; SPINE1 MPLS &lt;--&gt; SPINE2 %% Zone 1 Internal BGP SPINE1 &lt;--&gt; TOR1A SPINE1 &lt;--&gt; TOR1B TOR1A -.-&gt;|eBGP| NN1A TOR1A -.-&gt;|eBGP| CN1A TOR1B -.-&gt;|eBGP| NN1B TOR1B -.-&gt;|eBGP| CN1B %% Zone 2 Internal BGP SPINE2 &lt;--&gt; TOR2A SPINE2 &lt;--&gt; TOR2B TOR2A -.-&gt;|eBGP| NN2A TOR2A -.-&gt;|eBGP| CN2A TOR2B -.-&gt;|eBGP| NN2B TOR2B -.-&gt;|eBGP| CN2B %% Inter-Zone BGP Peering NN1A -.-&gt;|iBGP via WAN| NN2A NN1B -.-&gt;|iBGP via WAN| NN2B %% Workload Distribution NN1A --&gt; VIP1 NN1A --&gt; TENANT1 NN1A --&gt; FIP1 NN2A --&gt; VIP2 NN2A --&gt; TENANT2 NN2A --&gt; FIP2</p></object> <p><strong>Technical Implementation</strong>:</p> <div class="literal-block-wrapper docutils container" id="id6"> <div class="code-block-caption"><span class="caption-text">Multi-Zone BGP Configuration</span></div> <div class="highlight-text notranslate"><div class="highlight"><pre><span/># Zone 1 Configuration (AS 64999) router bgp 64999 bgp router-id 10.1.1.1 # Local zone ToR peering (eBGP) neighbor 10.1.1.254 remote-as 65001 neighbor 10.1.1.253 remote-as 65001 # Inter-zone peering (iBGP confederation or eBGP) neighbor 10.2.1.1 remote-as 64998 neighbor 10.2.1.1 ebgp-multihop 3 address-family ipv4 unicast # Advertise zone-specific networks network 203.0.113.10/32 # Control plane VIP network 203.0.113.100/28 # Zone 1 floating IPs network 10.1.0.0/16 # Zone 1 tenant networks (if enabled) # ECMP for load balancing maximum-paths 4 maximum-paths ibgp 4 # Route filtering between zones neighbor 10.2.1.1 route-map ZONE2-IN in neighbor 10.2.1.1 route-map ZONE1-OUT out exit-address-family # Zone 2 Configuration (AS 64998) router bgp 64998 bgp router-id 10.2.1.1 # Local zone ToR peering (eBGP) neighbor 10.2.1.254 remote-as 65002 neighbor 10.2.1.253 remote-as 65002 # Inter-zone peering neighbor 10.1.1.1 remote-as 64999 neighbor 10.1.1.1 ebgp-multihop 3 address-family ipv4 unicast # Advertise zone-specific networks network 203.0.113.11/32 # Control plane VIP network 203.0.113.201/28 # Zone 2 floating IPs network 10.2.0.0/16 # Zone 2 tenant networks (if enabled) maximum-paths 4 maximum-paths ibgp 4 exit-address-family </pre></div> </div> </div> <p><strong>Benefits</strong>: - <strong>Geographic Distribution</strong>: Workloads distributed across multiple data centers - <strong>Fault Isolation</strong>: Zone failures don’t impact other zones - <strong>Load Distribution</strong>: Traffic distributed based on BGP routing policies - <strong>Disaster Recovery</strong>: Automatic failover between zones via BGP route withdrawal - <strong>Scalability</strong>: Independent scaling of compute and network resources per zone</p> </section> <section id="control-plane-high-availability"> <h3>Control Plane High Availability</h3> <p><strong>Use Case</strong>: RHOSO control plane services distributed across OpenShift nodes with BGP-advertised VIPs.</p> <object data="../../_images/mermaid-81c478a0c2dec8183f75386d00bbde2fb078a282.svg" type="image/svg+xml"> <p class="warning">--- config: theme: neutral --- graph LR subgraph "OpenShift Cluster" CP1[Control Plane Pod 1&lt;br/&gt;Node: ocp-master-1] CP2[Control Plane Pod 2&lt;br/&gt;Node: ocp-master-2] CP3[Control Plane Pod 3&lt;br/&gt;Node: ocp-master-3] VIP[Control Plane VIP&lt;br/&gt;192.0.2.100] end subgraph "External Network" Client[API Clients] BGP[BGP Router] end CP1 -.-&gt; VIP CP2 -.-&gt; VIP CP3 -.-&gt; VIP VIP --&gt; BGP BGP --&gt; Client</p></object> <p><strong>Implementation Details</strong>: - Kubernetes-native HA manages VIP assignment - OVN BGP agent advertises active VIP location - Sub-second failover with BFD - No single point of failure</p> </section> <section id="dedicated-networker-node-deployment"> <h3>Dedicated Networker Node Deployment</h3> <p><strong>Use Case</strong>: Enterprise RHOSO deployment with dedicated networking infrastructure for BGP routing and tenant network isolation.</p> <p><strong>Architecture Requirements</strong>:</p> <object data="../../_images/mermaid-820dad70607ac4dd50f61621c458f7289a6d4b99.svg" type="image/svg+xml"> <p class="warning">--- config: theme: neutral --- graph TB subgraph "External Infrastructure" TOR1[ToR Switch 1&lt;br/&gt;AS 65000] TOR2[ToR Switch 2&lt;br/&gt;AS 65000] FW[Enterprise Firewall] end subgraph "OpenShift Cluster" subgraph "Control Plane Nodes" CP1[Master 1] CP2[Master 2] CP3[Master 3] end subgraph "Dedicated Networker Nodes" NN1[Networker 1&lt;br/&gt;FRR + OVN BGP Agent&lt;br/&gt;CR-LRP Host] NN2[Networker 2&lt;br/&gt;FRR + OVN BGP Agent&lt;br/&gt;CR-LRP Host] end subgraph "Compute Nodes" CN1[Compute 1&lt;br/&gt;FRR + OVN BGP Agent] CN2[Compute 2&lt;br/&gt;FRR + OVN BGP Agent] CN3[Compute 3&lt;br/&gt;FRR + OVN BGP Agent] end end subgraph "Tenant Networks" T1[Tenant A: 10.1.0.0/24] T2[Tenant B: 10.2.0.0/24] T3[Tenant C: 10.3.0.0/24] end TOR1 -.-&gt;|eBGP| NN1 TOR1 -.-&gt;|eBGP| CN1 TOR2 -.-&gt;|eBGP| NN2 TOR2 -.-&gt;|eBGP| CN2 NN1 --&gt; T1 NN1 --&gt; T2 NN2 --&gt; T2 NN2 --&gt; T3 FW &lt;--&gt; TOR1 FW &lt;--&gt; TOR2</p></object> <p><strong>Benefits</strong>: - <strong>Dedicated Traffic Path</strong>: All north-south traffic controlled through networker nodes - <strong>High Availability</strong>: Multiple networker nodes provide redundancy for tenant network access - <strong>Security Isolation</strong>: Clear separation between compute and networking functions - <strong>Scalability</strong>: Independent scaling of compute and network infrastructure</p> <p><strong>Deployment Considerations</strong>: - <strong>Hardware Requirements</strong>: Networker nodes need enhanced networking capabilities - <strong>Network Connectivity</strong>: Direct physical connections to external infrastructure - <strong>DVR Requirement</strong>: Must be deployed with Distributed Virtual Routing enabled - <strong>Monitoring</strong>: Enhanced monitoring required for CR-LRP and gateway functions</p> </section> </section> <section id="configuration-and-deployment"> <h2>Configuration and Deployment</h2> <section id="prerequisites"> <h3>Prerequisites</h3> <p>RHOSO dynamic routing requires:</p> <ul class="simple"> <li><p><strong>RHOSO 18.0 or later</strong> with ML2/OVN mechanism driver</p></li> <li><p><strong>OpenShift 4.18+</strong> with appropriate node networking</p></li> <li><p><strong>BGP-capable network infrastructure</strong> (ToR switches, routers)</p></li> <li><p><strong>Dedicated networker nodes</strong> (mandatory for BGP deployments)</p></li> <li><p><strong>Distributed Virtual Routing (DVR)</strong> enabled</p></li> <li><p><strong>Proper network planning</strong> for ASN assignment and IP addressing</p></li> </ul> <p><strong>Critical Architecture Requirements</strong>:</p> <ul class="simple"> <li><p><strong>No Control Plane OVN Gateways</strong>: BGP is incompatible with control plane OVN gateway deployments</p></li> <li><p><strong>No Octavia Load Balancer</strong>: Cannot be used simultaneously with BGP dynamic routing</p></li> <li><p><strong>No Distributed Control Plane</strong>: RHOSO dynamic routing does not support distributed control planes across datacenters</p></li> <li><p><strong>Non-overlapping CIDRs</strong>: When using tenant network advertising, all networks must use unique IP ranges</p></li> <li><p><strong>External BGP Peers</strong>: Network infrastructure must support BGP peering and route filtering</p></li> </ul> <div class="admonition note"> <p class="admonition-title">Note</p> <p><strong>Cross-Datacenter Deployment Design Considerations</strong></p> <p>RHOSO BGP deployments across datacenters require additional planning and design considerations:</p> <ul class="simple"> <li><p><strong>Control Plane Design</strong>: Consider the implications of control plane service communication patterns across WAN links</p></li> <li><p><strong>Network Latency Planning</strong>: Evaluate network latency requirements for optimal OpenStack service performance</p></li> <li><p><strong>Database Architecture</strong>: Plan for database replication, backup, and disaster recovery strategies</p></li> <li><p><strong>Storage Design</strong>: Consider storage architecture options that balance performance, availability, and data locality</p></li> </ul> <p><strong>Alternative Options</strong>: Red Hat’s <strong>Distributed Compute Node (DCN)</strong> architecture provides a proven approach for multi-site deployments with centralized control planes and distributed compute resources.</p> </div> </section> <section id="openshift-integration"> <h3>OpenShift Integration</h3> <p>RHOSO BGP services integrate with OpenShift through:</p> <p><strong>Pod Deployment</strong>: BGP containers run as privileged pods with host networking <strong>ConfigMaps</strong>: Configuration stored as Kubernetes ConfigMaps <strong>Monitoring</strong>: Integration with OpenShift monitoring and alerting <strong>Networking</strong>: Uses OpenShift SDN or OVN-Kubernetes for pod networking</p> </section> </section> <section id="production-operations"> <h2>Production Operations</h2> <section id="monitoring-and-observability"> <h3>Monitoring and Observability</h3> <p>RHOSO BGP monitoring leverages OpenShift’s native observability:</p> <p><strong>Prometheus Metrics</strong>: FRR and OVN BGP agent export metrics <strong>Grafana Dashboards</strong>: Pre-built dashboards for BGP performance <strong>Alerting</strong>: Automated alerts for BGP session failures <strong>Logging</strong>: Centralized logging through OpenShift logging stack</p> <div class="literal-block-wrapper docutils container" id="id7"> <div class="code-block-caption"><span class="caption-text">BGP Status Monitoring Commands</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Check BGP session status</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/frr-bgp<span class="w"> </span>--<span class="w"> </span>vtysh<span class="w"> </span>-c<span class="w"> </span><span class="s1">'show bgp summary'</span> <span class="c1"># View route advertisements</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/frr-bgp<span class="w"> </span>--<span class="w"> </span>vtysh<span class="w"> </span>-c<span class="w"> </span><span class="s1">'show ip bgp neighbors advertised-routes'</span> <span class="c1"># Check OVN BGP agent status</span> oc<span class="w"> </span>logs<span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>-l<span class="w"> </span><span class="nv">app</span><span class="o">=</span>ovn-bgp-agent<span class="w"> </span>--tail<span class="o">=</span><span class="m">50</span> </pre></div> </div> </div> </section> <section id="scaling-operations"> <h3>Scaling Operations</h3> <p>Adding new compute capacity with BGP requires:</p> <ol class="arabic simple"> <li><p><strong>OpenShift node addition</strong>: Standard OpenShift node scaling procedures</p></li> <li><p><strong>Automatic BGP configuration</strong>: DaemonSets ensure BGP services on new nodes</p></li> <li><p><strong>Network validation</strong>: Verify BGP peering and route advertisement</p></li> <li><p><strong>Workload validation</strong>: Test VM connectivity through new nodes</p></li> </ol> </section> <section id="network-failure-and-recovery"> <h3>Network Failure and Recovery</h3> <p>RHOSO BGP deployments implement automated failure detection and recovery mechanisms:</p> <object data="../../_images/mermaid-39cbce7ede9a99d07db65c7e65fff90bcd0dcf9b.svg" type="image/svg+xml"> <p class="warning">--- config: theme: neutral --- flowchart TD START([Normal Operation&lt;br/&gt;BGP Sessions Active]) --&gt; MONITOR{Monitoring&lt;br/&gt;Systems} MONITOR --&gt;|BGP Session Failure| BGP_FAIL[BGP Session Down] MONITOR --&gt;|Node Failure| NODE_FAIL[Networker Node Down] MONITOR --&gt;|BFD Timeout| BFD_FAIL[BFD Session Timeout] BGP_FAIL --&gt; BGP_DETECT{Failure Detection&lt;br/&gt;Method} BGP_DETECT --&gt;|BFD Enabled| BFD_FAST[Sub-second Detection&lt;br/&gt;100~300ms] BGP_DETECT --&gt;|BGP Keepalive Only| BGP_SLOW[Standard Detection&lt;br/&gt;30~90 seconds] BFD_FAST --&gt; WITHDRAW_ROUTES[Withdraw BGP Routes&lt;br/&gt;from Failed Peer] BGP_SLOW --&gt; WITHDRAW_ROUTES BFD_FAIL --&gt; WITHDRAW_ROUTES NODE_FAIL --&gt; CR_LRP_CHECK{CR-LRP Migration&lt;br/&gt;Available?} CR_LRP_CHECK --&gt;|Yes| CR_LRP_MIGRATE[Migrate CR-LRP to&lt;br/&gt;Healthy Networker Node] CR_LRP_CHECK --&gt;|No| TENANT_OUTAGE[Tenant Network&lt;br/&gt;Connectivity Lost] WITHDRAW_ROUTES --&gt; REROUTE[Traffic Rerouted&lt;br/&gt;via Remaining Peers] CR_LRP_MIGRATE --&gt; REROUTE REROUTE --&gt; RECOVERY_CHECK{Service&lt;br/&gt;Recovery?} RECOVERY_CHECK --&gt;|BGP Peer Recovery| PEER_RECOVERY[Re-establish&lt;br/&gt;BGP Session] RECOVERY_CHECK --&gt;|Node Recovery| NODE_RECOVERY[Node Rejoins&lt;br/&gt;Cluster] PEER_RECOVERY --&gt; READVERTISE[Re-advertise&lt;br/&gt;BGP Routes] NODE_RECOVERY --&gt; POD_RESTART[Restart BGP&lt;br/&gt;Services] POD_RESTART --&gt; READVERTISE READVERTISE --&gt; CONVERGE[Network&lt;br/&gt;Convergence] CONVERGE --&gt; START TENANT_OUTAGE --&gt; MANUAL_INTERVENTION[Manual Intervention&lt;br/&gt;Required] MANUAL_INTERVENTION --&gt;|Add Networker Node| NODE_RECOVERY</p></object> <p><strong>Failure Scenarios and Recovery Times</strong>:</p> <div class="table-wrapper colwidths-given docutils container" id="id8"> <table class="docutils align-default" id="id8"> <caption><span class="caption-text">RHOSO BGP Failure Recovery Matrix</span></caption> <colgroup> <col style="width: 30.0%"/> <col style="width: 25.0%"/> <col style="width: 25.0%"/> <col style="width: 20.0%"/> </colgroup> <thead> <tr class="row-odd"><th class="head"><p>Failure Type</p></th> <th class="head"><p>Detection Time</p></th> <th class="head"><p>Recovery Time</p></th> <th class="head"><p>Impact Level</p></th> </tr> </thead> <tbody> <tr class="row-even"><td><p>BGP Session Failure (BFD enabled)</p></td> <td><p>100~300ms</p></td> <td><p>1~3 seconds</p></td> <td><p>Low (alternate paths)</p></td> </tr> <tr class="row-odd"><td><p>BGP Session Failure (no BFD)</p></td> <td><p>30~90 seconds</p></td> <td><p>30~120 seconds</p></td> <td><p>Medium (delayed reroute)</p></td> </tr> <tr class="row-even"><td><p>Single Networker Node</p></td> <td><p>5~15 seconds</p></td> <td><p>10~30 seconds</p></td> <td><p>Medium (CR-LRP migration)</p></td> </tr> <tr class="row-odd"><td><p>Multiple Networker Nodes</p></td> <td><p>5~15 seconds</p></td> <td><p>Manual intervention</p></td> <td><p>High (tenant isolation)</p></td> </tr> <tr class="row-even"><td><p>Compute Node</p></td> <td><p>30~60 seconds</p></td> <td><p>60~180 seconds</p></td> <td><p>Low (workload migration)</p></td> </tr> </tbody> </table> </div> <p><strong>Automated Recovery Mechanisms</strong>:</p> <ul class="simple"> <li><p><strong>BGP Route Withdrawal</strong>: Automatic route withdrawal upon session failure</p></li> <li><p><strong>BFD Fast Detection</strong>: Sub-second failure detection with proper BFD configuration</p></li> <li><p><strong>CR-LRP Migration</strong>: Automatic migration of Chassis Redirect Logical Router Ports</p></li> <li><p><strong>Traffic Rerouting</strong>: ECMP and alternate path utilization</p></li> <li><p><strong>Session Re-establishment</strong>: Automatic BGP session recovery</p></li> </ul> </section> </section> <section id="troubleshooting"> <h2>Troubleshooting</h2> <section id="common-issues-and-solutions"> <h3>Common Issues and Solutions</h3> <p><strong>BGP Sessions Not Establishing</strong></p> <p>Symptoms: BGP peers show “Idle” or “Connect” state</p> <div class="literal-block-wrapper docutils container" id="id9"> <div class="code-block-caption"><span class="caption-text">Diagnosis Commands</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Check BGP peer status</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/frr-bgp<span class="w"> </span>--<span class="w"> </span>vtysh<span class="w"> </span>-c<span class="w"> </span><span class="s1">'show bgp neighbors'</span> <span class="c1"># Verify network connectivity</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/frr-bgp<span class="w"> </span>--<span class="w"> </span>ping<span class="w"> </span>&lt;peer-ip&gt; <span class="c1"># Check firewall rules</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/frr-bgp<span class="w"> </span>--<span class="w"> </span>ss<span class="w"> </span>-tulpn<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="m">179</span> </pre></div> </div> </div> <p><strong>Solution</strong>: Verify network connectivity, ASN configuration, and firewall rules allowing TCP port 179.</p> <p><strong>Routes Not Being Advertised</strong></p> <p>Symptoms: External networks cannot reach RHOSO workloads</p> <div class="literal-block-wrapper docutils container" id="id10"> <div class="code-block-caption"><span class="caption-text">Diagnosis and Resolution</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Check if IPs are on bgp-nic interface</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/ovn-bgp-agent<span class="w"> </span>--<span class="w"> </span>ip<span class="w"> </span>addr<span class="w"> </span>show<span class="w"> </span>bgp-nic <span class="c1"># Verify FRR is redistributing connected routes</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/frr-bgp<span class="w"> </span>--<span class="w"> </span>vtysh<span class="w"> </span>-c<span class="w"> </span><span class="s1">'show running-config'</span> <span class="c1"># Check OVN BGP agent logs</span> oc<span class="w"> </span>logs<span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>-l<span class="w"> </span><span class="nv">app</span><span class="o">=</span>ovn-bgp-agent </pre></div> </div> </div> <p><strong>Solution</strong>: Ensure OVN BGP agent is running and FRR has “redistribute connected” configured.</p> <p><strong>Tenant Networks Not Reachable</strong></p> <p>Symptoms: External clients cannot reach VMs on tenant networks despite <cite>expose_tenant_network = True</cite></p> <div class="literal-block-wrapper docutils container" id="id11"> <div class="code-block-caption"><span class="caption-text">Tenant Network Troubleshooting</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Check if tenant network exposure is enabled</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/ovn-bgp-agent<span class="w"> </span>--<span class="w"> </span>grep<span class="w"> </span>expose_tenant_network<span class="w"> </span>/etc/ovn_bgp_agent/ovn_bgp_agent.conf <span class="c1"># Verify CR-LRP (Chassis Redirect Logical Router Ports) are active on networker nodes</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/ovn-bgp-agent<span class="w"> </span>--<span class="w"> </span>ovn-sbctl<span class="w"> </span>show<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>cr-lrp <span class="c1"># Check neutron router gateway port advertisement</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/frr-bgp<span class="w"> </span>--<span class="w"> </span>vtysh<span class="w"> </span>-c<span class="w"> </span><span class="s1">'show ip bgp | grep 10.0.0'</span> </pre></div> </div> </div> <p><strong>Solution</strong>: Verify networker nodes are hosting CR-LRP and neutron router gateways are properly advertised.</p> <p><strong>Networker Node Failures</strong></p> <p>Symptoms: Complete loss of external connectivity to tenant networks</p> <div class="literal-block-wrapper docutils container" id="id12"> <div class="code-block-caption"><span class="caption-text">Networker Node Failure Diagnosis</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Check networker node health</span> oc<span class="w"> </span>get<span class="w"> </span>nodes<span class="w"> </span>-l<span class="w"> </span>node-role.kubernetes.io/rhoso-networker <span class="c1"># Verify networker pods are running</span> oc<span class="w"> </span>get<span class="w"> </span>pods<span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>-l<span class="w"> </span><span class="nv">app</span><span class="o">=</span>rhoso-networker <span class="c1"># Check CR-LRP failover status</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/ovn-bgp-agent<span class="w"> </span>--<span class="w"> </span>ovn-sbctl<span class="w"> </span>find<span class="w"> </span>Chassis_Redirect_Port <span class="c1"># Verify BGP session status on remaining networker nodes</span> oc<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-n<span class="w"> </span>openstack<span class="w"> </span>ds/frr-bgp<span class="w"> </span>--<span class="w"> </span>vtysh<span class="w"> </span>-c<span class="w"> </span><span class="s1">'show bgp summary'</span> </pre></div> </div> </div> <p><strong>Solution</strong>: Ensure multiple networker nodes are deployed for high availability and CR-LRP can migrate between nodes.</p> <p><strong>Slow Convergence</strong></p> <p>Symptoms: Long failover times during node or network failures</p> <div class="literal-block-wrapper docutils container" id="id13"> <div class="code-block-caption"><span class="caption-text">BFD Configuration for Fast Convergence</span></div> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>router bgp 64999 neighbor 172.30.1.254 bfd neighbor 172.30.1.254 bfd profile fast-detect bfd profile fast-detect detect-multiplier 3 receive-interval 100 transmit-interval 100 </pre></div> </div> </div> </section> <section id="known-issues"> <h3>Known Issues</h3> <ul class="simple"> <li><p><strong>Floating IP port forwarding</strong>: Port forwarding with floating IPs fails when BGP dynamic routing is enabled (BZ 2160481)</p></li> <li><p><strong>Multicast routing</strong>: Multicast routing is not supported with BGP dynamic routing (BZ 2163477)</p></li> </ul> </section> <section id="performance-tuning"> <h3>Performance Tuning</h3> <p><strong>ECMP Configuration</strong></p> <div class="literal-block-wrapper docutils container" id="id14"> <div class="code-block-caption"><span class="caption-text">Optimized ECMP Settings</span></div> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>router bgp 64999 maximum-paths 8 maximum-paths ibgp 8 bestpath as-path multipath-relax </pre></div> </div> </div> <p><strong>BGP Timers Optimization</strong></p> <div class="literal-block-wrapper docutils container" id="id15"> <div class="code-block-caption"><span class="caption-text">Production BGP Timers</span></div> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>router bgp 64999 neighbor 172.30.1.254 timers 10 30 neighbor 172.30.1.254 capability extended-nexthop </pre></div> </div> </div> </section> </section> Wed, 20 Nov 2024 00:00:00 Dual Interface Routing with NGINX Ingress in Kuberneteshttps://blog.epheo.eu/articles/k8s-nginx-ingress-sharding/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Aug 16, 2024</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>15 min read</p> </div> </div> </div> </div> </div> </div> <p>While I would consider this a basic requirement I never understood why Kubernetes Ingress Routers didn’t natively provides a way to expose private endpoints on one interface and public ones on a second interface (OpenShift does it quite well).</p> <p>The following describes how one would implement true network separation in Kubernetes using dual interface routing with NGINX ingress controllers and externalIPs services and enable isolation between public and private services.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://kubernetes.io/docs/concepts/services-networking/service/#externalips">https://kubernetes.io/docs/concepts/services-networking/service/#externalips</a></p> </div> <section id="architecture-overview"> <h2>Architecture Overview</h2> <p>Our dual interface implementation consists of:</p> <ul class="simple"> <li><p><strong>Public Interface (eth0)</strong>: Routes external traffic to public services</p></li> <li><p><strong>Private Interface (eth1)</strong>: Routes internal traffic to private services</p></li> <li><p><strong>ExternalIPs Services</strong>: Bind NGINX controllers to specific interface IPs</p></li> <li><p><strong>Ingress Class Selection</strong>: Applications choose routing via ingress class</p></li> </ul> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>External Clients ├── Public Interface (168.119.158.20:80/443) │ └── nginx-public-external Service (externalIPs) │ └── nginx-ingress-public Controller │ ├── blog.epheo.eu (public blog) │ └── epheo.eu (personal site) │ └── Private Interface (172.16.0.11:80/443) └── nginx-private-external Service (externalIPs) └── nginx-ingress-private Controller ├── argocd (GitOps management) └── git (Git server) </pre></div> </div> </section> <section id="implementation-details"> <h2>Implementation Details</h2> <section id="network-interface-configuration"> <h3>Network Interface Configuration</h3> <p>The implementation assumes two network interfaces on Kubernetes nodes:</p> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>eth0: 168.119.158.20 # Public interface (firewall: 80/443 only) eth1: 172.16.0.11 # Private interface (no firewall restrictions) </pre></div> </div> </section> <section id="externalips-services-setup"> <h3>ExternalIPs Services Setup</h3> <p>Create services that bind NGINX controllers to specific interface IPs:</p> <div class="literal-block-wrapper docutils container" id="id1"> <div class="code-block-caption"><span class="caption-text">nginx-public-external.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-public-external</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-ingress-public</span> <span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-public-external</span> <span class="w"> </span><span class="nt">app.kubernetes.io/component</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking</span> <span class="w"> </span><span class="nt">app.kubernetes.io/instance</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-external-services</span> <span class="w"> </span><span class="nt">app.kubernetes.io/part-of</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">platform</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterIP</span> <span class="w"> </span><span class="nt">externalIPs</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">168.119.158.20</span><span class="w"> </span><span class="c1"># eth0 public interface</span> <span class="w"> </span><span class="nt">ports</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span> <span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span> <span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">443</span> <span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">443</span> <span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https</span> <span class="w"> </span><span class="nt">selector</span><span class="p">:</span> <span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ingress-nginx</span> <span class="w"> </span><span class="nt">app.kubernetes.io/instance</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-ingress-public</span> <span class="w"> </span><span class="nt">app.kubernetes.io/component</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">controller</span> </pre></div> </div> </div> <div class="literal-block-wrapper docutils container" id="id2"> <div class="code-block-caption"><span class="caption-text">nginx-private-external.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-private-external</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-ingress-private</span> <span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-private-external</span> <span class="w"> </span><span class="nt">app.kubernetes.io/component</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking</span> <span class="w"> </span><span class="nt">app.kubernetes.io/instance</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-external-services</span> <span class="w"> </span><span class="nt">app.kubernetes.io/part-of</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">platform</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterIP</span> <span class="w"> </span><span class="nt">externalIPs</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">172.16.0.11</span><span class="w"> </span><span class="c1"># eth1 private interface</span> <span class="w"> </span><span class="nt">ports</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span> <span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span> <span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">443</span> <span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">443</span> <span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https</span> <span class="w"> </span><span class="nt">selector</span><span class="p">:</span> <span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ingress-nginx</span> <span class="w"> </span><span class="nt">app.kubernetes.io/instance</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-ingress-private</span> <span class="w"> </span><span class="nt">app.kubernetes.io/component</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">controller</span> </pre></div> </div> </div> </section> <section id="nginx-controller-configuration"> <h3>NGINX Controller Configuration</h3> <p>Configure separate NGINX ingress controllers for each interface:</p> <div class="literal-block-wrapper docutils container" id="id3"> <div class="code-block-caption"><span class="caption-text">public-controller-values.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">controller</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-public</span> <span class="w"> </span><span class="nt">ingressClass</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-public</span> <span class="w"> </span><span class="nt">ingressClassResource</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-public</span> <span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span> <span class="w"> </span><span class="nt">controllerValue</span><span class="p">:</span><span class="w"> </span><span class="s">"k8s.io/nginx-public"</span> <span class="w"> </span><span class="c1"># Minimal configuration for reliable operation</span> <span class="w"> </span><span class="nt">config</span><span class="p">:</span> <span class="w"> </span><span class="nt">use-forwarded-headers</span><span class="p">:</span><span class="w"> </span><span class="s">"true"</span> <span class="w"> </span><span class="nt">compute-full-forwarded-for</span><span class="p">:</span><span class="w"> </span><span class="s">"true"</span> <span class="w"> </span><span class="nt">use-proxy-protocol</span><span class="p">:</span><span class="w"> </span><span class="s">"false"</span> <span class="w"> </span><span class="c1"># Resource configuration</span> <span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">100m</span> <span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">90Mi</span> <span class="w"> </span><span class="nt">limits</span><span class="p">:</span> <span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">500m</span> <span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">256Mi</span> </pre></div> </div> </div> <p>The private controller uses an identical configuration with <code class="docutils literal notranslate"><span class="pre">nginx-private</span></code> replacing <code class="docutils literal notranslate"><span class="pre">nginx-public</span></code> and <code class="docutils literal notranslate"><span class="pre">k8s.io/nginx-private</span></code> as the controller value.</p> </section> </section> <section id="application-configuration"> <h2>Application Configuration</h2> <section id="public-service-example"> <h3>Public Service Example</h3> <p>Configure public-facing applications to use the public ingress class:</p> <div class="literal-block-wrapper docutils container" id="id4"> <div class="code-block-caption"><span class="caption-text">public-app-ingress.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking.k8s.io/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ingress</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">epheo-eu</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">epheo-eu</span> <span class="w"> </span><span class="nt">annotations</span><span class="p">:</span> <span class="w"> </span><span class="nt">cert-manager.io/cluster-issuer</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">letsencrypt-prod</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">ingressClassName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-public</span> <span class="w"> </span><span class="nt">tls</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">hosts</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">epheo.eu</span> <span class="w"> </span><span class="nt">secretName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">epheo-eu-tls</span> <span class="w"> </span><span class="nt">rules</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">epheo.eu</span> <span class="w"> </span><span class="nt">http</span><span class="p">:</span> <span class="w"> </span><span class="nt">paths</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/</span> <span class="w"> </span><span class="nt">pathType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Prefix</span> <span class="w"> </span><span class="nt">backend</span><span class="p">:</span> <span class="w"> </span><span class="nt">service</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">epheo-eu</span> <span class="w"> </span><span class="nt">port</span><span class="p">:</span> <span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span> </pre></div> </div> </div> </section> <section id="private-service-example"> <h3>Private Service Example</h3> <p>Configure administrative and internal services to use the private ingress class:</p> <div class="literal-block-wrapper docutils container" id="id5"> <div class="code-block-caption"><span class="caption-text">argocd-ingress.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking.k8s.io/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ingress</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">argocd-server</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">argocd</span> <span class="w"> </span><span class="nt">annotations</span><span class="p">:</span> <span class="w"> </span><span class="nt">cert-manager.io/cluster-issuer</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">self-signed-issuer</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">ingressClassName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-private</span> <span class="w"> </span><span class="nt">tls</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">hosts</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">argocd.def.ms</span> <span class="w"> </span><span class="nt">secretName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">argocd-server-tls</span> <span class="w"> </span><span class="nt">rules</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">argocd.def.ms</span> <span class="w"> </span><span class="nt">http</span><span class="p">:</span> <span class="w"> </span><span class="nt">paths</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/</span> <span class="w"> </span><span class="nt">pathType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Prefix</span> <span class="w"> </span><span class="nt">backend</span><span class="p">:</span> <span class="w"> </span><span class="nt">service</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">argocd-server</span> <span class="w"> </span><span class="nt">port</span><span class="p">:</span> <span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span> </pre></div> </div> </div> </section> </section> <section id="verification"> <h2>Verification</h2> <p>Verify the ingress controllers are running and routing correctly:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Check both controllers are running</span> kubectl<span class="w"> </span>get<span class="w"> </span>pods<span class="w"> </span>-n<span class="w"> </span>nginx-ingress-public kubectl<span class="w"> </span>get<span class="w"> </span>pods<span class="w"> </span>-n<span class="w"> </span>nginx-ingress-private <span class="c1"># Verify services have correct externalIPs</span> kubectl<span class="w"> </span>get<span class="w"> </span>svc<span class="w"> </span>-n<span class="w"> </span>nginx-ingress-public<span class="w"> </span>nginx-public-external kubectl<span class="w"> </span>get<span class="w"> </span>svc<span class="w"> </span>-n<span class="w"> </span>nginx-ingress-private<span class="w"> </span>nginx-private-external <span class="c1"># Test public routing</span> curl<span class="w"> </span>-H<span class="w"> </span><span class="s2">"Host: epheo.eu"</span><span class="w"> </span>http://168.119.158.20 <span class="c1"># Test private routing</span> curl<span class="w"> </span>-H<span class="w"> </span><span class="s2">"Host: argocd.def.ms"</span><span class="w"> </span>http://172.16.0.11 </pre></div> </div> </section> Fri, 16 Aug 2024 00:00:00 Kubernetes Secret Management with SOPS + Age + Githttps://blog.epheo.eu/articles/k8s-sops-secrets/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Aug 16, 2024</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>15 min read</p> </div> </div> </div> </div> </div> </div> <p>I don’t like managing secrets in Kubernetes. Solutions like HashiCorp Vault are complicated and resource-intensive. Kubeseal was actually great but now that Bitnami got aquired by Broadcom, I’m concerned about the future of the apiVersion: bitnami.com/ API domain.</p> <p>I wanted something fully transparent, so I can work with normal secrets in my repo, git commit, have the secrets provisioned on my k8s cluster and never have to care about encryption and secret management.</p> <p>This repo boilerplate uses SOPS (Secrets OPerationS), AGE encryption and advanced gitattributes filters in order to provide a transparent workflow for developers to manage their secrets.</p> <p>While this may be enough by itself we can also use sops-secrets-operator when using ArgoCD or Flux for GitOps.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://github.com/getsops/sops">https://github.com/getsops/sops</a> <a class="reference external" href="https://github.com/FiloSottile/age">https://github.com/FiloSottile/age</a></p> </div> <p>All configurations and examples are available in the <a class="reference external" href="https://github.com/epheo/k8s-sops-secrets-boilerplate">k8s-sops-secrets-boilerplate repository</a>.</p> <section id="why-sops-age-for-secret-management"> <h2>Why SOPS + Age for Secret Management?</h2> <section id="advantages-of-this-approach"> <h3>Advantages of This Approach</h3> <ol class="arabic simple"> <li><p><strong>Transparency</strong>: Secrets appear as plain text in your working directory</p></li> <li><p><strong>Simplicity</strong>: No external secret management infrastructure required</p></li> <li><p><strong>Git Integration</strong>: Automatic encryption when committing to Git</p></li> <li><p><strong>Developer Friendly</strong>: Works with existing tooling and workflows</p></li> <li><p><strong>Secure</strong>: Strong encryption with Age’s modern cryptographic design</p></li> <li><p><strong>Selective</strong>: Only encrypt what needs to be encrypted using annotations</p></li> </ol> </section> <section id="architecture-overview"> <h3>Architecture Overview</h3> <p>The workflow is completely transparent:</p> <ol class="arabic simple"> <li><p>Edit secrets in plain text locally</p></li> <li><p>Git automatically encrypts them when staging changes</p></li> <li><p>Secrets are stored encrypted in the upstream repository</p></li> <li><p>Working directory always shows decrypted content</p></li> </ol> </section> </section> <section id="setting-up-the-environment"> <h2>Setting Up the Environment</h2> <section id="installing-required-tools"> <h3>Installing Required Tools</h3> <p>First, install the required dependencies and tools:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Install Python dependencies</span> pip3<span class="w"> </span>install<span class="w"> </span>PyYAML <span class="c1"># Install SOPS</span> curl<span class="w"> </span>-LO<span class="w"> </span>https://github.com/getsops/sops/releases/download/v3.9.1/sops-v3.9.1.linux.amd64 sudo<span class="w"> </span>mv<span class="w"> </span>sops-v3.9.1.linux.amd64<span class="w"> </span>/usr/local/bin/sops sudo<span class="w"> </span>chmod<span class="w"> </span>+x<span class="w"> </span>/usr/local/bin/sops <span class="c1"># Install Age</span> curl<span class="w"> </span>-LO<span class="w"> </span>https://github.com/FiloSottile/age/releases/latest/download/age-v1.1.1-linux-amd64.tar.gz tar<span class="w"> </span>xf<span class="w"> </span>age-v1.1.1-linux-amd64.tar.gz sudo<span class="w"> </span>mv<span class="w"> </span>age/age*<span class="w"> </span>/usr/local/bin/ sudo<span class="w"> </span>chmod<span class="w"> </span>+x<span class="w"> </span>/usr/local/bin/age* </pre></div> </div> <div class="admonition note"> <p class="admonition-title">Note</p> <p>Check the <a class="reference external" href="https://github.com/getsops/sops/releases">SOPS releases</a> and <a class="reference external" href="https://github.com/FiloSottile/age/releases">Age releases</a> pages for latest versions.</p> </div> </section> <section id="generating-age-keys"> <h3>Generating Age Keys</h3> <p>Create encryption keys for your project:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Create age directory and generate key pair</span> mkdir<span class="w"> </span>-p<span class="w"> </span>.age age-keygen<span class="w"> </span>-o<span class="w"> </span>.age/age.key <span class="c1"># Extract the public key for SOPS configuration</span> grep<span class="w"> </span><span class="s2">"public key:"</span><span class="w"> </span>.age/age.key <span class="c1"># Add age directory to gitignore</span> <span class="nb">echo</span><span class="w"> </span><span class="s2">".age/"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>.gitignore <span class="c1"># Secure the private key</span> chmod<span class="w"> </span><span class="m">600</span><span class="w"> </span>.age/age.key </pre></div> </div> <div class="admonition note"> <p class="admonition-title">Note</p> <p>Store the private key securely and share only the public key with team members who need to encrypt secrets.</p> </div> </section> </section> <section id="project-configuration"> <h2>Project Configuration</h2> <section id="sops-configuration"> <h3>SOPS Configuration</h3> <p>Create a <cite>.sops.yaml</cite> configuration file in your repository root:</p> <div class="literal-block-wrapper docutils container" id="id1"> <div class="code-block-caption"><span class="caption-text">.sops.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">creation_rules</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path_regex</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">\.secrets\.ya?ml$</span> <span class="w"> </span><span class="nt">age</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span> <span class="w"> </span><span class="nt">encrypted_regex</span><span class="p">:</span><span class="w"> </span><span class="s">'^(data|stringData)$'</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path_regex</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secrets/.*\.ya?ml$</span> <span class="w"> </span><span class="nt">age</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span> <span class="w"> </span><span class="nt">encrypted_regex</span><span class="p">:</span><span class="w"> </span><span class="s">'^(data|stringData)$'</span> </pre></div> </div> </div> <p>Key configuration options:</p> <ul class="simple"> <li><p><strong>path_regex</strong>: Files matching this pattern will be encrypted</p></li> <li><p><strong>age</strong>: Public key for encryption</p></li> <li><p><strong>encrypted_regex</strong>: Only encrypt specified YAML keys (data, stringData for secrets)</p></li> </ul> </section> <section id="git-filter-setup"> <h3>Git Filter Setup</h3> <p>The repository includes Python scripts for Git filter integration. First, make them executable:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Make filter scripts executable</span> chmod<span class="w"> </span>+x<span class="w"> </span>sops-clean.py<span class="w"> </span>sops-smudge.py </pre></div> </div> <p>Configure Git to automatically encrypt/decrypt files:</p> <div class="literal-block-wrapper docutils container" id="id2"> <div class="code-block-caption"><span class="caption-text">.gitattributes</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>*.secrets.yaml<span class="w"> </span><span class="nv">filter</span><span class="o">=</span>sops<span class="w"> </span><span class="nv">diff</span><span class="o">=</span>sops *.secrets.yml<span class="w"> </span><span class="nv">filter</span><span class="o">=</span>sops<span class="w"> </span><span class="nv">diff</span><span class="o">=</span>sops secrets/*.yaml<span class="w"> </span><span class="nv">filter</span><span class="o">=</span>sops<span class="w"> </span><span class="nv">diff</span><span class="o">=</span>sops secrets/*.yml<span class="w"> </span><span class="nv">filter</span><span class="o">=</span>sops<span class="w"> </span><span class="nv">diff</span><span class="o">=</span>sops </pre></div> </div> </div> <p>Configure Git filters using the Python scripts:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Configure SOPS filters with Python scripts</span> git<span class="w"> </span>config<span class="w"> </span>filter.sops.clean<span class="w"> </span><span class="s1">'./sops-clean.py'</span> git<span class="w"> </span>config<span class="w"> </span>filter.sops.smudge<span class="w"> </span><span class="s1">'./sops-smudge.py'</span> git<span class="w"> </span>config<span class="w"> </span>filter.sops.required<span class="w"> </span><span class="nb">true</span> </pre></div> </div> </section> <section id="environment-variables"> <h3>Environment Variables</h3> <p>Set required environment variables to point to your age key:</p> <div class="literal-block-wrapper docutils container" id="id3"> <div class="code-block-caption"><span class="caption-text">.envrc (if using direnv)</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="nb">export</span><span class="w"> </span><span class="nv">SOPS_AGE_KEY_FILE</span><span class="o">=</span>.age/age.key </pre></div> </div> </div> <p>Or add to your shell profile:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="nb">echo</span><span class="w"> </span><span class="s1">'export SOPS_AGE_KEY_FILE=.age/age.key'</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>~/.bashrc </pre></div> </div> </section> </section> <section id="creating-encrypted-secrets"> <h2>Creating Encrypted Secrets</h2> <section id="basic-secret-creation"> <h3>Basic Secret Creation</h3> <p>Create a Kubernetes secret with transparent encryption:</p> <div class="literal-block-wrapper docutils container" id="id4"> <div class="code-block-caption"><span class="caption-text">app.secrets.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">app-secrets</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">production</span> <span class="w"> </span><span class="nt">annotations</span><span class="p">:</span> <span class="w"> </span><span class="c1"># This annotation ensures the secret is managed by our system</span> <span class="w"> </span><span class="nt">secrets.k8s.io/managed-by</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sops</span> <span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Opaque</span> <span class="nt">data</span><span class="p">:</span> <span class="w"> </span><span class="nt">database-url</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cG9zdGdyZXNxbDovL3VzZXI6cGFzc3dvcmRAZGIuZXhhbXBsZS5jb20vbXlkYg==</span> <span class="w"> </span><span class="nt">api-key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bG9sLCB5b3UgcmVhbGx5IHRob3VnaHQgSSBkaWQsIHJpZ2h0ID8K</span> <span class="nt">stringData</span><span class="p">:</span> <span class="w"> </span><span class="nt">config.json</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="w"> </span><span class="no">{</span> <span class="w"> </span><span class="no">"database": {</span> <span class="w"> </span><span class="no">"host": "db.example.com",</span> <span class="w"> </span><span class="no">"port": 5432,</span> <span class="w"> </span><span class="no">"username": "myuser",</span> <span class="w"> </span><span class="no">"password": "mypassword"</span> <span class="w"> </span><span class="no">},</span> <span class="w"> </span><span class="no">"api": {</span> <span class="w"> </span><span class="no">"key": "super-secret-api-key",</span> <span class="w"> </span><span class="no">"endpoint": "https://api.example.com"</span> <span class="w"> </span><span class="no">}</span> <span class="w"> </span><span class="no">}</span> </pre></div> </div> </div> <p>When you edit this file locally, you see plain text. When committed to Git, only the <cite>data</cite> and <cite>stringData</cite> sections are encrypted.</p> </section> <section id="tls-certificate-secrets"> <h3>TLS Certificate Secrets</h3> <p>Manage TLS certificates securely:</p> <div class="literal-block-wrapper docutils container" id="id5"> <div class="code-block-caption"><span class="caption-text">tls.secrets.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">app-tls</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">production</span> <span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/tls</span> <span class="nt">data</span><span class="p">:</span> <span class="w"> </span><span class="nt">tls.crt</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="w"> </span><span class="no">LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t</span> <span class="w"> </span><span class="no">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span> <span class="w"> </span><span class="no">BAMMGnNlbGYtc2lnbmVkLWNlcnRpZmljYXRlLTAwHhcNMjEwMzEwMTYwNDAxWhcN</span> <span class="w"> </span><span class="no">...</span> <span class="w"> </span><span class="no">LS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==</span> <span class="w"> </span><span class="nt">tls.key</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="w"> </span><span class="no">LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t</span> <span class="w"> </span><span class="no">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span> <span class="w"> </span><span class="no">wxPBDkdPPDGBX8YXbMR7cGVOcLd9qnkL4Zx7gV7lY1P5zt8jRB9XvV4qS4A1z8PF</span> <span class="w"> </span><span class="no">...</span> <span class="w"> </span><span class="no">LS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQ==</span> </pre></div> </div> </div> </section> </section> <section id="working-with-encrypted-secrets"> <h2>Working with Encrypted Secrets</h2> <section id="daily-workflow"> <h3>Daily Workflow</h3> <p>The beauty of this system is its transparency:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Edit secrets normally - they appear as plain text</span> vim<span class="w"> </span>app.secrets.yaml <span class="c1"># Add the file to Git - it gets encrypted automatically</span> git<span class="w"> </span>add<span class="w"> </span>app.secrets.yaml <span class="c1"># Commit - the encrypted version is stored</span> git<span class="w"> </span>commit<span class="w"> </span>-m<span class="w"> </span><span class="s2">"Update database credentials"</span> <span class="c1"># Other team members can clone and immediately see decrypted content</span> git<span class="w"> </span>clone<span class="w"> </span>&lt;repository&gt; <span class="nb">cd</span><span class="w"> </span>&lt;project&gt; cat<span class="w"> </span>app.secrets.yaml<span class="w"> </span><span class="c1"># Shows decrypted content</span> </pre></div> </div> </section> <section id="manual-encryption-decryption"> <h3>Manual Encryption/Decryption</h3> <p>For advanced use cases, use SOPS directly:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Encrypt a file manually</span> sops<span class="w"> </span>--encrypt<span class="w"> </span>--in-place<span class="w"> </span>secrets/app.secrets.yaml <span class="c1"># Decrypt a file manually</span> sops<span class="w"> </span>--decrypt<span class="w"> </span>secrets/app.secrets.yaml <span class="c1"># Edit encrypted file directly</span> sops<span class="w"> </span>secrets/app.secrets.yaml <span class="c1"># View decrypted content without modifying</span> sops<span class="w"> </span>--decrypt<span class="w"> </span>secrets/app.secrets.yaml<span class="w"> </span><span class="p">|</span><span class="w"> </span>less </pre></div> </div> </section> <section id="key-rotation"> <h3>Key Rotation</h3> <p>Rotate encryption keys periodically:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Generate new Age key</span> age-keygen<span class="w"> </span>-o<span class="w"> </span>new-key.txt <span class="c1"># Update .sops.yaml with new public key</span> <span class="c1"># Re-encrypt all secrets with new key</span> find<span class="w"> </span>.<span class="w"> </span>-name<span class="w"> </span><span class="s2">"*.secrets.yaml"</span><span class="w"> </span>-exec<span class="w"> </span>sops<span class="w"> </span>updatekeys<span class="w"> </span><span class="o">{}</span><span class="w"> </span><span class="se">\;</span> <span class="c1"># Update team members' key files</span> cp<span class="w"> </span>new-key.txt<span class="w"> </span>.age/age.key </pre></div> </div> </section> </section> <section id="kubernetes-integration"> <h2>Kubernetes Integration</h2> <section id="sops-secrets-operator"> <h3>SOPS Secrets Operator</h3> <p>For automated secret management, deploy the SOPS Secrets Operator:</p> <div class="literal-block-wrapper docutils container" id="id6"> <div class="code-block-caption"><span class="caption-text">sops-secrets-operator.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Namespace</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sops-secrets-operator</span> <span class="nn">---</span> <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span> <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span> <span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sops-secrets-operator</span> <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sops-secrets-operator</span> <span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span> <span class="w"> </span><span class="nt">selector</span><span class="p">:</span> <span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span> <span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sops-secrets-operator</span> <span class="w"> </span><span class="nt">template</span><span class="p">:</span> <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span> <span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sops-secrets-operator</span> <span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="w"> </span><span class="nt">serviceAccountName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sops-secrets-operator</span> <span class="w"> </span><span class="nt">containers</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">manager</span> <span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">isindir/sops-secrets-operator:0.12.0</span> <span class="w"> </span><span class="nt">env</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">WATCH_NAMESPACE</span> <span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s">""</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SOPS_AGE_KEY</span> <span class="w"> </span><span class="nt">valueFrom</span><span class="p">:</span> <span class="w"> </span><span class="nt">secretKeyRef</span><span class="p">:</span> <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sops-age-key</span> <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">key.txt</span> <span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">100m</span> <span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">128Mi</span> <span class="w"> </span><span class="nt">limits</span><span class="p">:</span> <span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">500m</span> <span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">512Mi</span> </pre></div> </div> </div> <p>The operator automatically syncs encrypted secrets from Git to Kubernetes secrets.</p> </section> </section> <section id="advanced-patterns"> <h2>Advanced Patterns</h2> <section id="conditional-encryption"> <h3>Conditional Encryption</h3> <p>Use SOPS path-based rules for selective encryption:</p> <div class="literal-block-wrapper docutils container" id="id7"> <div class="code-block-caption"><span class="caption-text">.sops.yaml (advanced)</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">creation_rules</span><span class="p">:</span> <span class="w"> </span><span class="c1"># Production secrets - always encrypted</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path_regex</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">prod/.*\.ya?ml$</span> <span class="w"> </span><span class="nt">age</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">agexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span> <span class="w"> </span><span class="nt">encrypted_regex</span><span class="p">:</span><span class="w"> </span><span class="s">'^(data|stringData|password|secret|key|token)$'</span> <span class="w"> </span><span class="c1"># Development secrets - only sensitive fields</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path_regex</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dev/.*\.ya?ml$</span> <span class="w"> </span><span class="nt">age</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">agexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span> <span class="w"> </span><span class="nt">encrypted_regex</span><span class="p">:</span><span class="w"> </span><span class="s">'^(password|secret|key|token)$'</span> <span class="w"> </span><span class="c1"># Test secrets - minimal encryption</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path_regex</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">test/.*\.ya?ml$</span> <span class="w"> </span><span class="nt">age</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">agexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span> <span class="w"> </span><span class="nt">encrypted_regex</span><span class="p">:</span><span class="w"> </span><span class="s">'^(password)$'</span> </pre></div> </div> </div> </section> <section id="multi-key-management"> <h3>Multi-Key Management</h3> <p>Support multiple teams with different keys:</p> <div class="literal-block-wrapper docutils container" id="id8"> <div class="code-block-caption"><span class="caption-text">.sops.yaml (multi-team)</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="nt">creation_rules</span><span class="p">:</span> <span class="w"> </span><span class="c1"># Platform team secrets</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path_regex</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">platform/.*\.ya?ml$</span> <span class="w"> </span><span class="nt">age</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">&gt;-</span> <span class="w"> </span><span class="no">agexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,</span> <span class="w"> </span><span class="no">age1xyz...platform-team-key</span> <span class="w"> </span><span class="nt">encrypted_regex</span><span class="p">:</span><span class="w"> </span><span class="s">'^(data|stringData)$'</span> <span class="w"> </span><span class="c1"># Development team secrets</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path_regex</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/.*\.ya?ml$</span> <span class="w"> </span><span class="nt">age</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">&gt;-</span> <span class="w"> </span><span class="no">age1abc...dev-team-key,</span> <span class="w"> </span><span class="no">agexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span> <span class="w"> </span><span class="nt">encrypted_regex</span><span class="p">:</span><span class="w"> </span><span class="s">'^(data|stringData)$'</span> </pre></div> </div> </div> </section> </section> <section id="audit-and-compliance"> <h2>Audit and Compliance</h2> <p>Track secret changes with Git history:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># View secret change history</span> git<span class="w"> </span>log<span class="w"> </span>--oneline<span class="w"> </span>--<span class="w"> </span>secrets/ <span class="c1"># See who changed secrets</span> git<span class="w"> </span>blame<span class="w"> </span>secrets/production.secrets.yaml <span class="c1"># Diff encrypted secrets</span> git<span class="w"> </span>diff<span class="w"> </span>HEAD~1<span class="w"> </span>secrets/production.secrets.yaml </pre></div> </div> </section> <section id="testing-and-validation"> <h2>Testing and Validation</h2> <section id="repository-testing-framework"> <h3>Repository Testing Framework</h3> <p>The repository includes comprehensive end-to-end testing scripts:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Quick filter testing - tests Git filters work correctly</span> ./run-e2e-tests.sh<span class="w"> </span><span class="nb">local</span> <span class="c1"># Complete GitOps workflow test - full end-to-end validation</span> ./run-e2e-tests.sh<span class="w"> </span>full </pre></div> </div> <p>These tests validate:</p> <ul class="simple"> <li><p>Git filter encryption/decryption functionality</p></li> <li><p>SOPS configuration correctness</p></li> <li><p>Complete GitOps workflow with ArgoCD/Flux integration</p></li> <li><p>Secret operator deployment and management</p></li> </ul> </section> <section id="manual-validation-scripts"> <h3>Manual Validation Scripts</h3> <p>Create additional validation scripts for your workflow:</p> <div class="literal-block-wrapper docutils container" id="id9"> <div class="code-block-caption"><span class="caption-text">validate-secrets.sh</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="ch">#!/bin/bash</span> <span class="c1"># Validate all secret files can be decrypted</span> find<span class="w"> </span>.<span class="w"> </span>-name<span class="w"> </span><span class="s2">"*.secrets.yaml"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="nb">read</span><span class="w"> </span>file<span class="p">;</span><span class="w"> </span><span class="k">do</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Validating </span><span class="nv">$file</span><span class="s2">..."</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span>sops<span class="w"> </span>--decrypt<span class="w"> </span><span class="s2">"</span><span class="nv">$file</span><span class="s2">"</span><span class="w"> </span>&gt;<span class="w"> </span>/dev/null<span class="w"> </span><span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span><span class="p">;</span><span class="w"> </span><span class="k">then</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"✓ </span><span class="nv">$file</span><span class="s2"> is valid"</span> <span class="w"> </span><span class="k">else</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"✗ </span><span class="nv">$file</span><span class="s2"> failed validation"</span> <span class="w"> </span><span class="nb">exit</span><span class="w"> </span><span class="m">1</span> <span class="w"> </span><span class="k">fi</span> <span class="k">done</span> <span class="c1"># Check for unencrypted sensitive data</span> <span class="k">if</span><span class="w"> </span>grep<span class="w"> </span>-r<span class="w"> </span><span class="s2">"password:\|secret:\|key:"</span><span class="w"> </span>.<span class="w"> </span>--include<span class="o">=</span><span class="s2">"*.yaml"</span><span class="w"> </span>--exclude<span class="o">=</span><span class="s2">"*.secrets.yaml"</span><span class="p">;</span><span class="w"> </span><span class="k">then</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"⚠ Found potential unencrypted secrets"</span> <span class="w"> </span><span class="nb">exit</span><span class="w"> </span><span class="m">1</span> <span class="k">fi</span> <span class="nb">echo</span><span class="w"> </span><span class="s2">"All validations passed"</span> </pre></div> </div> </div> </section> <section id="debugging-commands"> <h3>Debugging Commands</h3> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Test SOPS configuration</span> sops<span class="w"> </span>--config<span class="w"> </span>.sops.yaml<span class="w"> </span>encrypt<span class="w"> </span>/dev/null <span class="c1"># Verify Age key</span> age-keygen<span class="w"> </span>-y<span class="w"> </span>.age/age.key <span class="c1"># Check Git filters</span> git<span class="w"> </span>config<span class="w"> </span>--list<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>sops <span class="c1"># Test encryption/decryption</span> <span class="nb">echo</span><span class="w"> </span><span class="s2">"test: secret"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>sops<span class="w"> </span>--encrypt<span class="w"> </span>/dev/stdin<span class="w"> </span><span class="p">|</span><span class="w"> </span>sops<span class="w"> </span>--decrypt<span class="w"> </span>/dev/stdin <span class="c1"># Test Git filter scripts</span> ./sops-clean.py<span class="w"> </span>&lt;<span class="w"> </span>test.secrets.yaml ./sops-smudge.py<span class="w"> </span>&lt;<span class="w"> </span>encrypted-test.yaml </pre></div> </div> </section> </section> Fri, 16 Aug 2024 00:00:00 Running Mistral:7b LLM on OpenShifthttps://blog.epheo.eu/articles/openshift-ollama/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Feb 05, 2024</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>10 min read</p> </div> </div> </div> </div> </div> </div> <p>Running your local LLM model with Ollama on your OpenShift cluster.</p> <p><a class="reference external" href="https://ollama.ai/">Ollama</a> is an open-source tool that simplifies running and managing Large Language Models (LLMs) locally. It provides a simple API for managing model lifecycles and making inference requests.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://mistral.ai/news/announcing-mistral-7b/">https://mistral.ai/news/announcing-mistral-7b/</a></p> </div> <p>Mistral is a powerful Large Language Model trained by a French start-up that currently outperforms other models of the same size. By combining Mistral with Ollama on OpenShift, you can run a production-grade LLM environment within your own infrastructure.</p> <p>All the files and configurations referenced in this article are available in the <a class="reference external" href="https://github.com/epheo/openshift-ollama">openshift-ollama GitHub repository</a>.</p> <section id="running-mistral-7b-on-openshift"> <h2>Running Mistral:7B on OpenShift</h2> <section id="architecture-overview"> <h3>Architecture Overview</h3> <p>Our deployment consists of the following components:</p> <ol class="arabic simple"> <li><p>An Ollama server pod with GPU access for model execution</p></li> <li><p>Persistent storage for model weights and cache</p></li> <li><p>Internal and external routes for API access</p></li> <li><p>Optional integration with client applications (Telegram bot, VSCode plugins, iOS app)</p></li> </ol> </section> <section id="deploying-ollama"> <h3>Deploying Ollama</h3> <p>First, we’ll create the required OpenShift namespace:</p> <p>Within an ollama namespace</p> <div class="literal-block-wrapper docutils container" id="id1"> <div class="code-block-caption"><span class="caption-text">openshift-ollama.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos">1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos">2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Namespace</span> <span class="linenos">3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> </pre></div> </div> </div> <p>We create the PVC and Deployment using the ollama official container image:</p> <p><a class="reference external" href="https://hub.docker.com/r/ollama/ollama">https://hub.docker.com/r/ollama/ollama</a></p> <div class="literal-block-wrapper docutils container" id="id2"> <div class="code-block-caption"><span class="caption-text">openshift-ollama.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nn">---</span> <span class="linenos"> 2</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 3</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PersistentVolumeClaim</span> <span class="linenos"> 4</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama-storage</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos"> 7</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span> <span class="linenos"> 9</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ReadWriteOnce</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">volumeMode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Filesystem</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">100Gi</span> <span class="linenos">14</span> <span class="linenos">15</span><span class="nn">---</span> <span class="linenos">16</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span> <span class="linenos">17</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span> <span class="linenos">18</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">19</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">20</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">21</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">22</span><span class="w"> </span><span class="nt">selector</span><span class="p">:</span> <span class="linenos">23</span><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span> <span class="linenos">24</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">25</span><span class="w"> </span><span class="nt">template</span><span class="p">:</span> <span class="linenos">26</span><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">27</span><span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="linenos">28</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">29</span><span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">30</span><span class="w"> </span><span class="nt">containers</span><span class="p">:</span> <span class="linenos">31</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">32</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama/ollama:latest</span> <span class="linenos">33</span><span class="w"> </span><span class="nt">ports</span><span class="p">:</span> <span class="linenos">34</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span> <span class="linenos">35</span><span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">11434</span> <span class="linenos">36</span><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span> <span class="linenos">37</span><span class="w"> </span><span class="nt">terminationMessagePath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/dev/termination-log</span> <span class="linenos">38</span><span class="w"> </span><span class="nt">terminationMessagePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">File</span> <span class="linenos">39</span><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span> <span class="linenos">40</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/.ollama</span> <span class="linenos">41</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama-storage</span> <span class="linenos">42</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="linenos">43</span><span class="w"> </span><span class="nt">limits</span><span class="p">:</span> <span class="linenos">44</span><span class="w"> </span><span class="nt">nvidia.com/gpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span> <span class="linenos">45</span><span class="w"> </span><span class="nt">restartPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Always</span> <span class="linenos">46</span><span class="w"> </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Always</span> <span class="linenos">47</span><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> <span class="linenos">48</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama-storage</span> <span class="linenos">49</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">50</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama-storage</span> </pre></div> </div> </div> <p>We notice the <strong>nvidia.com/gpu: 1</strong> resources parameter.</p> </section> <section id="exposing-the-ollama-api-endpoint"> <h3>Exposing the Ollama API endpoint</h3> <p>We expose the Ollama API endpoint both internally (for other containers like our Telegram Bot) and externally (for services such as VSCode plugins or mobile apps).</p> <div class="admonition warning"> <p class="admonition-title">Warning</p> <p>Security note: The external endpoint in this setup is only exposed on a private network accessed via VPN. Since we haven’t configured authentication for this endpoint, exposing it to a public IP would create a significant security risk.</p> </div> <div class="literal-block-wrapper docutils container" id="id3"> <div class="code-block-caption"><span class="caption-text">openshift-ollama.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nn">---</span> <span class="linenos"> 2</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 3</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span> <span class="linenos"> 4</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos"> 7</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterIP</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">selector</span><span class="p">:</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">ports</span><span class="p">:</span> <span class="linenos">12</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span> <span class="linenos">14</span><span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span> <span class="linenos">15</span><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span> <span class="linenos">16</span> <span class="linenos">17</span><span class="nn">---</span> <span class="linenos">18</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Route</span> <span class="linenos">19</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">route.openshift.io/v1</span> <span class="linenos">20</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">21</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">22</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">23</span><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos">24</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">25</span><span class="w"> </span><span class="nt">to</span><span class="p">:</span> <span class="linenos">26</span><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span> <span class="linenos">27</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">28</span><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">null</span> <span class="linenos">29</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span> <span class="linenos">30</span><span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span> </pre></div> </div> </div> </section> <section id="running-mistral-llm-on-ollama"> <h3>Running Mistral LLM on Ollama</h3> <p>Now that our Ollama service is up and running, we can pull the Mistral:7b model using the exposed API endpoint:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>$<span class="w"> </span>curl<span class="w"> </span>-X<span class="w"> </span>POST<span class="w"> </span>http://<span class="k">$(</span>oc<span class="w"> </span>get<span class="w"> </span>route<span class="w"> </span>ollama<span class="w"> </span>-n<span class="w"> </span>ollama<span class="w"> </span>-ojsonpath<span class="o">=</span><span class="s1">'{.spec.host}'</span><span class="k">)</span>/api/pull<span class="w"> </span>-d<span class="w"> </span><span class="s1">'{"name": "mistral:7b"}'</span> </pre></div> </div> <div class="admonition note"> <p class="admonition-title">Note</p> <p>Depending on your network speed and GPU capabilities, this may take several minutes as it downloads and prepares the model.</p> </div> <p>After the download is complete, we can validate that our model has been successfully loaded:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>$<span class="w"> </span>curl<span class="w"> </span>-s<span class="w"> </span>http://<span class="k">$(</span>oc<span class="w"> </span>get<span class="w"> </span>route<span class="w"> </span>ollama<span class="w"> </span>-n<span class="w"> </span>ollama<span class="w"> </span>-ojsonpath<span class="o">=</span><span class="s1">'{.spec.host}'</span><span class="k">)</span>/api/tags<span class="w"> </span><span class="p">|</span>jq<span class="w"> </span>. <span class="o">{</span> <span class="w"> </span><span class="s2">"models"</span>:<span class="w"> </span><span class="o">[</span> <span class="w"> </span><span class="o">{</span> <span class="w"> </span><span class="s2">"name"</span>:<span class="w"> </span><span class="s2">"mistral:7b"</span>, <span class="w"> </span><span class="s2">"model"</span>:<span class="w"> </span><span class="s2">"mistral:7b"</span>, <span class="w"> </span><span class="s2">"modified_at"</span>:<span class="w"> </span><span class="s2">"2024-02-03T19:44:00.872177836Z"</span>, <span class="w"> </span><span class="s2">"size"</span>:<span class="w"> </span><span class="m">4109865159</span>, <span class="w"> </span><span class="s2">"digest"</span>:<span class="w"> </span><span class="s2">"61e88e884507ba5e06c49b40e6226884b2a16e872382c2b44a42f2d119d804a5"</span>, <span class="w"> </span><span class="s2">"details"</span>:<span class="w"> </span><span class="o">{</span> <span class="w"> </span><span class="s2">"parent_model"</span>:<span class="w"> </span><span class="s2">""</span>, <span class="w"> </span><span class="s2">"format"</span>:<span class="w"> </span><span class="s2">"gguf"</span>, <span class="w"> </span><span class="s2">"family"</span>:<span class="w"> </span><span class="s2">"llama"</span>, <span class="w"> </span><span class="s2">"families"</span>:<span class="w"> </span><span class="o">[</span> <span class="w"> </span><span class="s2">"llama"</span> <span class="w"> </span><span class="o">]</span>, <span class="w"> </span><span class="s2">"parameter_size"</span>:<span class="w"> </span><span class="s2">"7B"</span>, <span class="w"> </span><span class="s2">"quantization_level"</span>:<span class="w"> </span><span class="s2">"Q4_0"</span> <span class="w"> </span><span class="o">}</span> <span class="w"> </span><span class="o">}</span> <span class="w"> </span><span class="o">]</span> <span class="o">}</span> </pre></div> </div> <p>The response contains important information:</p> <ul class="simple"> <li><p><strong>format</strong>: GGUF (GPT-Generated Unified Format) - optimized for inference</p></li> <li><p><strong>family</strong>: llama - the base architecture family</p></li> <li><p><strong>parameter_size</strong>: 7B - the model has 7 billion parameters</p></li> <li><p><strong>quantization_level</strong>: Q4_0 - the precision level of the model weights</p></li> </ul> <section id="creating-custom-models-with-specializations"> <h4>Creating Custom Models with Specializations</h4> <p>One of Ollama’s powerful features is the ability to create custom models with specialized behaviors without retraining. Let’s create a model specialized in OpenShift documentation:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>$<span class="w"> </span>curl<span class="w"> </span>http://<span class="k">$(</span>oc<span class="w"> </span>get<span class="w"> </span>route<span class="w"> </span>ollama<span class="w"> </span>-n<span class="w"> </span>ollama<span class="w"> </span>-ojsonpath<span class="o">=</span><span class="s1">'{.spec.host}'</span><span class="k">)</span>/api/create<span class="w"> </span>-d<span class="w"> </span><span class="s1">'{</span> <span class="s1"> "name": "ocplibrarian",</span> <span class="s1"> "modelfile": "FROM mistral:7b\nSYSTEM You are a Librarian, specialized in retrieving content from the OpenShift documentation."</span> <span class="s1">}'</span> </pre></div> </div> <p>This creates a new model called “ocplibrarian” that inherits all capabilities from Mistral:7b but has been given a specific persona and purpose through the SYSTEM instruction.</p> </section> </section> <section id="alternative-models-openhermes-2-5"> <h3>Alternative Models: OpenHermes 2.5</h3> <p>Mistral is one of many models you can run on Ollama. Let’s also try OpenHermes 2.5, an instruction-tuned variant of Mistral that offers improved performance on many tasks:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>$<span class="w"> </span>curl<span class="w"> </span>-X<span class="w"> </span>POST<span class="w"> </span>http://<span class="k">$(</span>oc<span class="w"> </span>get<span class="w"> </span>route<span class="w"> </span>ollama<span class="w"> </span>-n<span class="w"> </span>ollama<span class="w"> </span>-ojsonpath<span class="o">=</span><span class="s1">'{.spec.host}'</span><span class="k">)</span>/api/pull<span class="w"> </span>-d<span class="w"> </span><span class="s1">'{"name": "openhermes2.5-mistral:7b-q4_K_M"}'</span> </pre></div> </div> <p>After pulling the model, we can create a customized version with a specific personality:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>$<span class="w"> </span>curl<span class="w"> </span>http://<span class="k">$(</span>oc<span class="w"> </span>get<span class="w"> </span>route<span class="w"> </span>ollama<span class="w"> </span>-n<span class="w"> </span>ollama<span class="w"> </span>-ojsonpath<span class="o">=</span><span class="s1">'{.spec.host}'</span><span class="k">)</span>/api/create<span class="w"> </span>-d<span class="w"> </span><span class="s1">'{</span> <span class="s1"> "name": "hermes2",</span> <span class="s1"> "modelfile": "FROM openhermes2.5-mistral:7b-q4_K_M\nSYSTEM You are \"Hermes 2\", a conversational AI assistant developed by Teknium. Your purpose is to assist users with helpful, accurate information and engaging conversation."</span> <span class="s1">}'</span> </pre></div> </div> <p>The model is now available as “hermes2” and carries the specified system prompt that defines its behavior.</p> </section> </section> <section id="interacting-with-the-llm"> <h2>Interacting with the LLM</h2> <section id="building-a-telegram-bot-interface"> <h3>Building a Telegram Bot Interface</h3> <p>For a practical demonstration of the Ollama API, let’s create a simple Telegram bot that serves as an interface to our LLM. We’ll call it <strong>Tellama</strong>.</p> <p>The core functionality retrieves user messages from Telegram, forwards them to the Ollama API, and returns the LLM’s responses:</p> <div class="literal-block-wrapper docutils container" id="id4"> <div class="code-block-caption"><span class="caption-text">tellama.py</span></div> <div class="highlight-python notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="k">async</span> <span class="k">def</span><span class="w"> </span><span class="nf">chat</span><span class="p">(</span><span class="n">update</span><span class="p">:</span> <span class="n">Update</span><span class="p">,</span> <span class="n">context</span><span class="p">:</span> <span class="n">ContextTypes</span><span class="o">.</span><span class="n">DEFAULT_TYPE</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="kc">None</span><span class="p">:</span> <span class="linenos"> 2</span> <span class="n">data</span> <span class="o">=</span> <span class="p">{</span> <span class="linenos"> 3</span> <span class="s2">"model"</span><span class="p">:</span> <span class="s2">"mistral:7b"</span><span class="p">,</span> <span class="linenos"> 4</span> <span class="s2">"messages"</span><span class="p">:</span> <span class="p">[</span> <span class="linenos"> 5</span> <span class="p">{</span> <span class="linenos"> 6</span> <span class="s2">"role"</span><span class="p">:</span> <span class="s2">"user"</span><span class="p">,</span> <span class="linenos"> 7</span> <span class="s2">"content"</span><span class="p">:</span> <span class="n">update</span><span class="o">.</span><span class="n">message</span><span class="o">.</span><span class="n">text</span> <span class="linenos"> 8</span> <span class="p">}</span> <span class="linenos"> 9</span> <span class="p">],</span> <span class="linenos">10</span> <span class="s2">"stream"</span><span class="p">:</span> <span class="kc">False</span> <span class="linenos">11</span> <span class="p">}</span> <span class="linenos">12</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">OLLAMA_ENDPOINT</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">data</span> <span class="p">)</span> <span class="linenos">13</span> <span class="linenos">14</span> <span class="k">if</span> <span class="n">response</span><span class="o">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> <span class="linenos">15</span> <span class="n">ollama_response</span> <span class="o">=</span> <span class="n">response</span><span class="o">.</span><span class="n">json</span><span class="p">()</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'message'</span><span class="p">)</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'content'</span><span class="p">)</span> <span class="linenos">16</span> <span class="k">await</span> <span class="n">update</span><span class="o">.</span><span class="n">message</span><span class="o">.</span><span class="n">reply_text</span><span class="p">(</span><span class="n">ollama_response</span><span class="p">)</span> <span class="linenos">17</span> <span class="k">else</span><span class="p">:</span> <span class="linenos">18</span> <span class="k">await</span> <span class="n">update</span><span class="o">.</span><span class="n">message</span><span class="o">.</span><span class="n">reply_text</span><span class="p">(</span><span class="s1">'Sorry, there was an error processing your request.'</span><span class="p">)</span> </pre></div> </div> </div> <p>This implementation is intentionally simple and has some limitations: - No conversation history or context is maintained between messages - No support for streaming responses - Limited error handling</p> <p>These limitations could be addressed in a more robust implementation, but this serves as a good starting point for testing the API.</p> <section id="deploying-the-telegram-bot-on-openshift"> <h4>Deploying the Telegram Bot on OpenShift</h4> <p>Now let’s containerize our Python script using a UBI (Universal Base Image) container and deploy it to our OpenShift cluster:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Build the container image</span> <span class="nb">cd</span><span class="w"> </span>tellama podman<span class="w"> </span>build<span class="w"> </span>. <span class="c1"># Get the image ID and OpenShift registry URL</span> <span class="nb">export</span><span class="w"> </span><span class="nv">image_id</span><span class="o">=</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="k">$(</span>podman<span class="w"> </span>images<span class="w"> </span>--format<span class="w"> </span>json<span class="w"> </span><span class="p">|</span>jq<span class="w"> </span>.<span class="o">[</span><span class="m">0</span><span class="o">]</span>.Id<span class="k">)</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-c<span class="w"> </span><span class="m">2</span>-13<span class="k">)</span> <span class="nb">export</span><span class="w"> </span><span class="nv">ocp_registry</span><span class="o">=</span><span class="k">$(</span>oc<span class="w"> </span>get<span class="w"> </span>route<span class="w"> </span>default-route<span class="w"> </span>-n<span class="w"> </span>openshift-image-registry<span class="w"> </span>-ojsonpath<span class="o">=</span><span class="s1">'{.spec.host}'</span><span class="k">)</span> <span class="c1"># Push to the OpenShift internal registry</span> podman<span class="w"> </span>login<span class="w"> </span>-u<span class="w"> </span>&lt;user&gt;<span class="w"> </span>-p<span class="w"> </span><span class="k">$(</span>oc<span class="w"> </span>whoami<span class="w"> </span>-t<span class="k">)</span><span class="w"> </span><span class="si">${</span><span class="nv">ocp_registry</span><span class="si">}</span> podman<span class="w"> </span>push<span class="w"> </span><span class="nv">$image_id</span><span class="w"> </span>docker://<span class="si">${</span><span class="nv">ocp_registry</span><span class="si">}</span>/ollama/tellama:latest </pre></div> </div> <p>After creating a new Telegram bot messaging @botfather we create a new Secret containing the Telegram Token.</p> <div class="literal-block-wrapper docutils container" id="id5"> <div class="code-block-caption"><span class="caption-text">ollama-secret.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos">1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos">2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span> <span class="linenos">3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama-secret</span> <span class="linenos">5</span><span class="nt">stringData</span><span class="p">:</span> <span class="linenos">6</span><span class="w"> </span><span class="nt">TELEGRAM_TOKEN</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;your_telegram_token&gt;</span> <span class="linenos">7</span><span class="w"> </span><span class="nt">OLLAMA_ENDPOINT</span><span class="p">:</span><span class="w"> </span><span class="s">"http://ollama/api/chat"</span> </pre></div> </div> </div> <p>We can now deploy our created image within the OpenShift cluster. Replacing the <strong>image:</strong> with the value of <strong>$ocp_registry</strong></p> <div class="literal-block-wrapper docutils container" id="id6"> <div class="code-block-caption"><span class="caption-text">tellama.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nn">---</span> <span class="linenos"> 2</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span> <span class="linenos"> 3</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span> <span class="linenos"> 4</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tellama</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos"> 7</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">selector</span><span class="p">:</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">template</span><span class="p">:</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="linenos">14</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama</span> <span class="linenos">15</span><span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">containers</span><span class="p">:</span> <span class="linenos">17</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tellama</span> <span class="linenos">18</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default-route-openshift-image-registry.apps.da2.epheo.eu/ollama/tellama:latest</span> <span class="linenos">19</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos">20</span><span class="w"> </span><span class="nt">envFrom</span><span class="p">:</span> <span class="linenos">21</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span> <span class="linenos">22</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ollama-secret</span> <span class="linenos">23</span><span class="w"> </span><span class="nt">restartPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Always</span> <span class="linenos">24</span><span class="w"> </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Always</span> </pre></div> </div> </div> </section> </section> <section id="integrating-with-development-tools"> <h3>Integrating with Development Tools</h3> <section id="developer-experience-with-vscode-extensions"> <h4>Developer Experience with VSCode Extensions</h4> <p>With our Ollama service running, we can integrate it with various development tools. Here are some VSCode extensions that work well with self-hosted LLMs:</p> <p><strong>Continue</strong>: A VSCode extension similar to GitHub Copilot that can leverage your self-hosted LLM for code completion, explanation, and generation.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://github.com/continuedev/continue">https://github.com/continuedev/continue</a></p> </div> <figure class="align-center"> <a class="reference internal image-reference" href="https://github.com/continuedev/continue/raw/main/media/readme.gif"><img alt="https://github.com/continuedev/continue/raw/main/media/readme.gif" src="https://github.com/continuedev/continue/raw/main/media/readme.gif" style="width: 100%;"/> </a> </figure> <p>You can install Continue directly from the VSCode extension marketplace. After installation, you’ll need to configure it to use your self-hosted Ollama service:</p> <ol class="arabic simple"> <li><p>Create or edit the <code class="docutils literal notranslate"><span class="pre">~/.continue/config.json</span></code> configuration file</p></li> <li><p>Add Ollama as your LLM provider with the appropriate endpoint</p></li> </ol> <div class="admonition note"> <p class="admonition-title">Note</p> <p>Replace the example endpoint with your actual Ollama route: <code class="docutils literal notranslate"><span class="pre">oc</span> <span class="pre">get</span> <span class="pre">route</span> <span class="pre">ollama</span> <span class="pre">-n</span> <span class="pre">ollama</span> <span class="pre">-ojsonpath='{.spec.host}'</span></code></p> </div> <div class="highlight-json notranslate"><div class="highlight"><pre><span/><span class="p">{</span> <span class="w"> </span><span class="nt">"models"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="nt">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mistral"</span><span class="p">,</span> <span class="w"> </span><span class="nt">"provider"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ollama"</span><span class="p">,</span> <span class="w"> </span><span class="nt">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mistral:7b"</span><span class="p">,</span> <span class="w"> </span><span class="nt">"apiBase"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://ollama-ollama.apps.da2.epheo.eu"</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">]</span> <span class="p">}</span> </pre></div> </div> <p><strong>commitollama</strong> is a specialized VSCode extension that generates meaningful Git commit messages using your self-hosted LLM.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://github.com/JepriCreations/commitollama">https://github.com/JepriCreations/commitollama</a></p> </div> <p>Configuration is straightforward through your VSCode settings:</p> <div class="highlight-json notranslate"><div class="highlight"><pre><span/><span class="p">{</span> <span class="w"> </span><span class="nt">"commitollama.custom.endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://ollama-ollama.apps.da2.epheo.eu"</span><span class="p">,</span> <span class="w"> </span><span class="nt">"commitollama.model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"custom"</span><span class="p">,</span> <span class="w"> </span><span class="nt">"commitollama.custom.model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mistral:7b"</span> <span class="p">}</span> </pre></div> </div> <p>With this configuration, you can simply stage your changes and let commitollama analyze the diff to generate descriptive commit messages.</p> <figure class="align-center"> <a class="reference internal image-reference" href="https://raw.githubusercontent.com/jepricreations/commitollama/main/commitollama-demo.gif"><img alt="https://raw.githubusercontent.com/jepricreations/commitollama/main/commitollama-demo.gif" src="https://raw.githubusercontent.com/jepricreations/commitollama/main/commitollama-demo.gif" style="width: 100%;"/> </a> </figure> </section> </section> <section id="mobile-integration-enchanted-for-ios"> <h3>Mobile Integration: Enchanted for iOS</h3> <p>For on-the-go access to your self-hosted LLM, you can use Enchanted, an open-source iOS application specifically designed for Ollama compatibility.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://github.com/AugustDev/enchanted">https://github.com/AugustDev/enchanted</a></p> </div> <p>Enchanted offers a ChatGPT-like interface for interacting with your self-hosted models, providing a clean, intuitive mobile experience with features like:</p> <ul class="simple"> <li><p>Conversation history</p></li> <li><p>Different model selection</p></li> <li><p>Conversation context management</p></li> <li><p>Share and export options</p></li> </ul> <div class="admonition note"> <p class="admonition-title">Note</p> <p>Since our Ollama endpoint is exposed on a private network, your iOS device can connect either through a local WiFi network or by configuring a VPN connection to your network.</p> </div> <a class="reference internal image-reference" href="../../_images/ollama-enchanted-appstore.jpg"><img alt="../../_images/ollama-enchanted-appstore.jpg" src="../../_images/ollama-enchanted-appstore.jpg" style="width: 49%;"/> </a> <a class="reference internal image-reference" href="../../_images/ollama-enchanted-settings.jpg"><img alt="../../_images/ollama-enchanted-settings.jpg" src="../../_images/ollama-enchanted-settings.jpg" style="width: 49%;"/> </a> </section> </section> <section id="performance-considerations"> <h2>Performance Considerations</h2> <section id="gpu-selection"> <h3>GPU Selection</h3> <p>While any NVIDIA GPU can run these models, performance varies considerably:</p> <ul class="simple"> <li><p><strong>RTX 3080/3090 or better</strong>: Excellent for running multiple 7B models</p></li> <li><p><strong>CPU-only</strong>: Functional but with much slower inference speeds (5-10x slower)</p></li> </ul> </section> <section id="model-quantization"> <h3>Model Quantization</h3> <p>Quantization reduces model precision to improve performance at a small cost to accuracy:</p> <ul class="simple"> <li><p><strong>Q4_0</strong>: Fastest inference, lowest VRAM usage (4-bit quantization)</p></li> <li><p><strong>Q5_K_M</strong>: Good balance between quality and performance</p></li> <li><p><strong>Q8_0</strong>: Higher quality results but requires more VRAM and slower inference</p></li> </ul> </section> <section id="memory-requirements"> <h3>Memory Requirements</h3> <p>Typical memory requirements for a 7B parameter model:</p> <ul class="simple"> <li><p>Full precision (FP16): ~14GB VRAM</p></li> <li><p>Q8_0 quantization: ~7GB VRAM</p></li> <li><p>Q4_0 quantization: ~4GB VRAM</p></li> </ul> </section> </section> <section id="troubleshooting"> <h2>Troubleshooting</h2> <p>For common issues and their solutions, refer to the <a class="reference external" href="https://github.com/epheo/openshift-ollama/blob/main/troubleshooting.md">troubleshooting guide</a>.</p> <p>Common challenges include:</p> <ol class="arabic simple"> <li><p>GPU detection issues</p></li> <li><p>Memory limitations</p></li> <li><p>Network connectivity problems</p></li> <li><p>Model loading failures</p></li> </ol> </section> <section id="security-considerations"> <h2>Security Considerations</h2> <p>When deploying LLM services like Ollama, consider these important security aspects:</p> <section id="authentication"> <h3>Authentication</h3> <p>The default Ollama API has no built-in authentication. For production use, consider:</p> <ul class="simple"> <li><p>Implementing a reverse proxy with authentication</p></li> <li><p>Using OpenShift network policies to restrict access</p></li> <li><p>Creating application-specific API keys</p></li> </ul> </section> <section id="data-privacy"> <h3>Data Privacy</h3> <p>One of the main advantages of self-hosting LLMs is data privacy:</p> <ul class="simple"> <li><p>All prompts and completions remain within your infrastructure</p></li> <li><p>No data is sent to third-party services</p></li> <li><p>Sensitive information can be processed safely</p></li> </ul> <p>However, remember that the model itself may contain biases or potentially generate problematic content. Implement appropriate guardrails for your specific use case.</p> </section> <section id="resource-isolation"> <h3>Resource Isolation</h3> <p>Use OpenShift’s resource management features to ensure your Ollama deployment:</p> <ul class="simple"> <li><p>Has appropriate resource limits to prevent cluster resource exhaustion</p></li> <li><p>Is isolated from other critical workloads</p></li> <li><p>Has priority classes set according to your needs</p></li> </ul> </section> </section> Mon, 05 Feb 2024 00:00:00 Setting up a Virtual Workstation in OpenShift with VFIO Passthroughhttps://blog.epheo.eu/articles/openshift-workstation/index.html <div class="sd-container-fluid sd-sphinx-override sd-p-0 sd-mt-2 sd-mb-4 docutils"> <div class="sd-row sd-row-cols-2 sd-gx-2 sd-gy-1 docutils"> <div class="sd-col sd-d-flex-row sd-align-minor-center docutils"> <div class="sd-container-fluid sd-sphinx-override docutils"> <div class="sd-row sd-row-cols-2 sd-row-cols-xs-2 sd-row-cols-sm-3 sd-row-cols-md-3 sd-row-cols-lg-3 sd-gx-3 sd-gy-1 docutils"> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-calendar" viewBox="0 0 16 16" aria-hidden="true"><path d="M4.75 0a.75.75 0 0 1 .75.75V2h5V.75a.75.75 0 0 1 1.5 0V2h1.25c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V3.75C1 2.784 1.784 2 2.75 2H4V.75A.75.75 0 0 1 4.75 0ZM2.5 7.5v6.75c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V7.5Zm10.75-4H2.75a.25.25 0 0 0-.25.25V6h11V3.75a.25.25 0 0 0-.25-.25Z"/></svg></span>Feb 27, 2023</p> </div> <div class="sd-col sd-col-auto sd-d-flex-row sd-align-minor-center docutils"> <p class="sd-p-0 sd-m-0"><span class="sd-pr-2"><svg version="1.1" width="16.0px" height="16.0px" class="sd-octicon sd-octicon-clock" viewBox="0 0 16 16" aria-hidden="true"><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7-3.25v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5a.75.75 0 0 1 1.5 0Z"/></svg></span>25 min read</p> </div> </div> </div> </div> </div> </div> <p>This guide explains how to configure OpenShift as a workstation with GPU PCI passthrough using Container Native Virtualization (CNV) on a single OpenShift node (SNO). This setup delivers near-native performance for GPU-intensive applications while leveraging Kubernetes orchestration capabilities.</p> <p><strong>Key Benefits:</strong></p> <ul class="simple"> <li><p>Run containerized workloads and virtual machines on the same hardware</p></li> <li><p>Use a single GPU for both Kubernetes pods and VMs by switching driver binding</p></li> <li><p>Achieve near-native performance for gaming and professional applications in VMs</p></li> <li><p>Maintain Kubernetes/OpenShift flexibility for other workloads</p></li> </ul> <p>In testing, this configuration successfully ran Microsoft Flight Simulator in a Windows VM with performance comparable to a bare metal Windows installation.</p> <p><strong>Hardware Used:</strong></p> <div class="table-wrapper colwidths-given docutils container"> <table class="docutils align-default"> <colgroup> <col style="width: 20.0%"/> <col style="width: 80.0%"/> </colgroup> <thead> <tr class="row-odd"><th class="head"><p>Component</p></th> <th class="head"><p>Specification</p></th> </tr> </thead> <tbody> <tr class="row-even"><td><p><strong>CPU</strong></p></td> <td><p>AMD Ryzen 9 3950X (16-Core, 32-Threads)</p></td> </tr> <tr class="row-odd"><td><p><strong>Memory</strong></p></td> <td><p>64GB DDR4 3200MHz</p></td> </tr> <tr class="row-even"><td><p><strong>GPU</strong></p></td> <td><p>Nvidia RTX 3080 FE 10GB</p></td> </tr> <tr class="row-odd"><td><p><strong>Storage</strong></p></td> <td><div class="line-block"> <div class="line">2x 2TB NVMe Disks (VM storage)</div> <div class="line">1x 500GB SSD Disk (OpenShift root system)</div> </div> </td> </tr> <tr class="row-even"><td><p><strong>Network</strong></p></td> <td><p>10Gbase-CX4 Mellanox Ethernet</p></td> </tr> </tbody> </table> </div> <p>Similar configurations with Intel CPUs should work with minor adjustments noted throughout this guide.</p> <section id="installing-openshift-sno"> <h2>Installing OpenShift SNO</h2> <div class="admonition warning"> <p class="admonition-title">Warning</p> <p>The OpenShift assisted installer formats the first 512 bytes of any disk with a bootable partition. Back up and remove any existing partition tables you want to preserve. See the <a class="reference external" href="https://github.com/openshift/assisted-service/blob/d37ac44051be76e95676f33b8361c04eae290357/internal/host/hostcommands/install_cmd.go#L232">assisted-service source code</a> for details.</p> </div> <section id="openshift-installation"> <h3>OpenShift Installation</h3> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/installing_on_a_single_node/install-sno-installing-sno">https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/installing_on_a_single_node/install-sno-installing-sno</a></p> </div> <div class="admonition note"> <p class="admonition-title">Note</p> <p>You can use the OpenShift web UI installer in Red Hat Hybrid Cloud Console. This guides you through installation with the Assisted Installer service:</p> <p><a class="reference external" href="https://console.redhat.com/openshift/assisted-installer/clusters">https://console.redhat.com/openshift/assisted-installer/clusters</a></p> <p>This also provides an automated way to install multiple Operators from Day 0.</p> <dl class="simple"> <dt>Relevant Operators for this setup:</dt><dd><ul class="simple"> <li><p>Logical Volume Manager Storage</p></li> <li><p>NMState</p></li> <li><p>Node Feature Discovery</p></li> <li><p>NVIDIA GPU</p></li> <li><p>OpenShift Virtualization</p></li> </ul> </dd> </dl> </div> <p>After backing up existing file systems and removing bootable partitions, proceed with the OpenShift Single Node installation.</p> <p>CoreOS requires an entire disk for installation:</p> <ol class="arabic simple"> <li><p>500GB SSD for the OpenShift operating system</p></li> <li><p>Two 2TB NVMe disks for persistent volumes as LVM Physical volumes in the same Volume Group</p></li> <li><p>This setup enables flexible VM storage management while keeping the system installation separate</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="ch">#!/bin/bash</span> <span class="linenos"> 2</span> <span class="linenos"> 3</span><span class="nv">OCP_VERSION</span><span class="o">=</span>latest-4.10 <span class="linenos"> 4</span> <span class="linenos"> 5</span>curl<span class="w"> </span>-k<span class="w"> </span>https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz<span class="w"> </span>&gt;<span class="w"> </span>oc.tar.gz <span class="linenos"> 6</span>tar<span class="w"> </span>zxf<span class="w"> </span>oc.tar.gz <span class="linenos"> 7</span>chmod<span class="w"> </span>+x<span class="w"> </span>oc<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>mv<span class="w"> </span>oc<span class="w"> </span>~/.local/bin/ <span class="linenos"> 8</span> <span class="linenos"> 9</span>curl<span class="w"> </span>-k<span class="w"> </span>https://mirror.openshift.com/pub/openshift-v4/clients/ocp/<span class="nv">$OCP_VERSION</span>/openshift-install-linux.tar.gz<span class="w"> </span>&gt;<span class="w"> </span>openshift-install-linux.tar.gz <span class="linenos">10</span>tar<span class="w"> </span>zxvf<span class="w"> </span>openshift-install-linux.tar.gz <span class="linenos">11</span>chmod<span class="w"> </span>+x<span class="w"> </span>openshift-install<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>mv<span class="w"> </span>openshift-install<span class="w"> </span>~/.local/bin/ <span class="linenos">12</span> <span class="linenos">13</span>curl<span class="w"> </span><span class="k">$(</span>openshift-install<span class="w"> </span>coreos<span class="w"> </span>print-stream-json<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>location<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>x86_64<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>iso<span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-d<span class="se">\"</span><span class="w"> </span>-f4<span class="k">)</span><span class="w"> </span>&gt;<span class="w"> </span>rhcos-live.x86_64.iso </pre></div> </div> <div class="literal-block-wrapper docutils container" id="id1"> <div class="code-block-caption"><span class="caption-text">install-config.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="c1"># This file contains the configuration for an OpenShift cluster installation.</span> <span class="linenos"> 2</span> <span class="linenos"> 3</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 4</span> <span class="linenos"> 5</span><span class="c1"># The base domain for the cluster.</span> <span class="linenos"> 6</span><span class="nt">baseDomain</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">epheo.eu</span> <span class="linenos"> 7</span> <span class="linenos"> 8</span><span class="c1"># Configuration for the compute nodes.</span> <span class="linenos"> 9</span><span class="nt">compute</span><span class="p">:</span> <span class="linenos">10</span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">worker</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0</span><span class="w"> </span> <span class="linenos">12</span> <span class="linenos">13</span><span class="c1"># Configuration for the control plane nodes.</span> <span class="linenos">14</span><span class="nt">controlPlane</span><span class="p">:</span> <span class="linenos">15</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">master</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span><span class="w"> </span> <span class="linenos">17</span> <span class="linenos">18</span><span class="c1"># Metadata for the cluster.</span> <span class="linenos">19</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">20</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">da2</span> <span class="linenos">21</span> <span class="linenos">22</span><span class="c1"># Networking configuration for the cluster.</span> <span class="linenos">23</span><span class="nt">networking</span><span class="p">:</span> <span class="linenos">24</span><span class="w"> </span><span class="nt">networkType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OVNKubernetes</span> <span class="linenos">25</span><span class="w"> </span><span class="nt">clusterNetwork</span><span class="p">:</span> <span class="linenos">26</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">cidr</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10.128.0.0/14</span> <span class="linenos">27</span><span class="w"> </span><span class="nt">hostPrefix</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">23</span> <span class="linenos">28</span><span class="w"> </span><span class="nt">serviceNetwork</span><span class="p">:</span> <span class="linenos">29</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">172.30.0.0/16</span> <span class="linenos">30</span> <span class="linenos">31</span><span class="c1"># Platform configuration for the cluster.</span> <span class="linenos">32</span><span class="nt">platform</span><span class="p">:</span> <span class="linenos">33</span><span class="w"> </span><span class="nt">none</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos">34</span> <span class="linenos">35</span><span class="c1"># Configuration for bootstrapping the cluster.</span> <span class="linenos">36</span><span class="nt">bootstrapInPlace</span><span class="p">:</span> <span class="linenos">37</span><span class="w"> </span><span class="nt">installationDisk</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/dev/sda</span> <span class="linenos">38</span> <span class="linenos">39</span><span class="c1"># Pull secret for accessing the OpenShift registry.</span> <span class="linenos">40</span><span class="nt">pullSecret</span><span class="p">:</span><span class="w"> </span><span class="s">'{"auths":{"cloud.openshift.com":{"auth":"XXXXXXXX"}}}'</span><span class="w"> </span> <span class="linenos">41</span> <span class="linenos">42</span><span class="c1"># SSH key for accessing the cluster nodes.</span> <span class="linenos">43</span><span class="nt">sshKey</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="linenos">44</span><span class="w"> </span><span class="no">ssh-rsa AAAAB3XXXXXXXXXXXXXXXXXXXXXXXXX</span> </pre></div> </div> </div> <div class="literal-block-wrapper docutils container" id="id2"> <div class="code-block-caption"><span class="caption-text">Generate OpenShift Container Platform assets</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>mkdir<span class="w"> </span>ocp<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>cp<span class="w"> </span>install-config.yaml<span class="w"> </span>ocp openshift-install<span class="w"> </span>--dir<span class="o">=</span>ocp<span class="w"> </span>create<span class="w"> </span>single-node-ignition-config </pre></div> </div> </div> <div class="literal-block-wrapper docutils container" id="id3"> <div class="code-block-caption"><span class="caption-text">Embed the ignition data into the RHCOS ISO:</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="nb">alias</span><span class="w"> </span>coreos-installer<span class="o">=</span><span class="s1">'podman run --privileged --rm \</span> <span class="s1"> -v /dev:/dev -v /run/udev:/run/udev -v $PWD:/data \</span> <span class="s1"> -w /data quay.io/coreos/coreos-installer:release'</span> cp<span class="w"> </span>ocp/bootstrap-in-place-for-live-iso.ign<span class="w"> </span>iso.ign coreos-installer<span class="w"> </span>iso<span class="w"> </span>ignition<span class="w"> </span>embed<span class="w"> </span>-fi<span class="w"> </span>iso.ign<span class="w"> </span>rhcos-live.x86_64.iso dd<span class="w"> </span><span class="k">if</span><span class="o">=</span>discovery_image_sno.iso<span class="w"> </span><span class="nv">of</span><span class="o">=</span>/dev/usbkey<span class="w"> </span><span class="nv">status</span><span class="o">=</span>progress </pre></div> </div> </div> <p>After copying the ISO to a USB drive, boot your workstation from it to install OpenShift.</p> </section> <section id="installing-cnv-operator"> <h3>Installing CNV Operator</h3> <p>Enable Intel VT or AMD-V hardware virtualization extensions in your BIOS/UEFI settings.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/virtualization/installing">https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/virtualization/installing</a></p> </div> <div class="literal-block-wrapper docutils container" id="id4"> <div class="code-block-caption"><span class="caption-text">cnv-resources.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="c1"># This YAML file contains Kubernetes resources for installing the KubeVirt Hyperconverged Operator (HCO) on the OpenShift Container Platform.</span> <span class="linenos"> 2</span><span class="c1"># It creates a namespace named "openshift-cnv", an operator group named "kubevirt-hyperconverged-group" in the "openshift-cnv" namespace, and a subscription named "hco-operatorhub" in the "openshift-cnv" namespace.</span> <span class="linenos"> 3</span><span class="c1"># The subscription specifies the source, source namespace, name, starting CSV, and channel for the KubeVirt Hyperconverged Operator.</span> <span class="linenos"> 4</span> <span class="linenos"> 5</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 6</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Namespace</span> <span class="linenos"> 7</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift-cnv</span> <span class="linenos"> 9</span><span class="nn">---</span> <span class="linenos">10</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">operators.coreos.com/v1</span> <span class="linenos">11</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OperatorGroup</span> <span class="linenos">12</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt-hyperconverged-group</span> <span class="linenos">14</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift-cnv</span> <span class="linenos">15</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">targetNamespaces</span><span class="p">:</span> <span class="linenos">17</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift-cnv</span> <span class="linenos">18</span><span class="nn">---</span> <span class="linenos">19</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">operators.coreos.com/v1alpha1</span> <span class="linenos">20</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Subscription</span> <span class="linenos">21</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">22</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">hco-operatorhub</span> <span class="linenos">23</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift-cnv</span> <span class="linenos">24</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">25</span><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">redhat-operators</span> <span class="linenos">26</span><span class="w"> </span><span class="nt">sourceNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift-marketplace</span> <span class="linenos">27</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt-hyperconverged</span> <span class="linenos">28</span><span class="w"> </span><span class="nt">startingCSV</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt-hyperconverged-operator.v4.10.0</span> <span class="linenos">29</span><span class="w"> </span><span class="nt">channel</span><span class="p">:</span><span class="w"> </span><span class="s">"stable"</span> </pre></div> </div> </div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>cnv-resources.yaml </pre></div> </div> <div class="literal-block-wrapper docutils container" id="id5"> <div class="code-block-caption"><span class="caption-text">Installing Virtctl client on your desktop</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>subscription-manager<span class="w"> </span>repos<span class="w"> </span>--enable<span class="w"> </span>cnv-4.10-for-rhel-8-x86_64-rpms dnf<span class="w"> </span>install<span class="w"> </span>kubevirt-virtctl </pre></div> </div> </div> </section> </section> <section id="configuring-openshift-for-gpu-passthrough"> <h2>Configuring OpenShift for GPU Passthrough</h2> <p>Since we’re working with a single GPU, additional configuration is required.</p> <p>We’ll use MachineConfig to configure our node. In a single-node OpenShift setup, all MachineConfig changes apply to the master machineset. In multi-node clusters, these would apply to workers instead.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://github.com/openshift/machine-config-operator/blob/master/docs/SingleNodeOpenShift.md">https://github.com/openshift/machine-config-operator/blob/master/docs/SingleNodeOpenShift.md</a></p> </div> <section id="setting-kernel-boot-arguments"> <h3>Setting Kernel Boot Arguments</h3> <p>To enable GPU passthrough, we need to pass several kernel arguments at boot time via the MachineConfigOperator:</p> <ul class="simple"> <li><p><strong>amd_iommu=on</strong>: Enables IOMMU support for AMD platforms (use intel_iommu=on for Intel CPUs)</p></li> <li><p><strong>vga=off</strong>: Disables VGA console output during boot</p></li> <li><p><strong>rdblaclist=nouveau</strong>: Blacklists the Nouveau open-source NVIDIA driver</p></li> <li><p><strong>video=efifb:off</strong>: Disables EFI framebuffer console output</p></li> </ul> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://www.reddit.com/r/VFIO/comments/cktnhv/bar_0_cant_reserve/">https://www.reddit.com/r/VFIO/comments/cktnhv/bar_0_cant_reserve/</a> <a class="reference external" href="https://www.reddit.com/r/VFIO/comments/mx5td8/bar_3_cant_reserve_mem_0xc00000000xc1ffffff_64bit/">https://www.reddit.com/r/VFIO/comments/mx5td8/bar_3_cant_reserve_mem_0xc00000000xc1ffffff_64bit/</a> <a class="reference external" href="https://docs.kernel.org/fb/fbcon.html">https://docs.kernel.org/fb/fbcon.html</a></p> </div> <div class="literal-block-wrapper docutils container" id="id6"> <div class="code-block-caption"><span class="caption-text">Setting Kernel Arguments at boot time.</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">variant</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift</span> <span class="linenos"> 2</span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">4.10.0</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">100-vfio</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">machineconfiguration.openshift.io/role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">master</span> <span class="linenos"> 7</span><span class="nt">openshift</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">kernel_arguments</span><span class="p">:</span> <span class="linenos"> 9</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">amd_iommu=on</span> <span class="linenos">10</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vga=off</span> <span class="linenos">11</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rdblaclist=nouveau</span> <span class="linenos">12</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">'video=efifb:off'</span> </pre></div> </div> </div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="linenos">1</span><span class="nb">cd</span><span class="w"> </span>articles/openshift-workstation/machineconfig/build <span class="linenos">2</span>butane<span class="w"> </span>-d<span class="w"> </span>.<span class="w"> </span>vfio-prepare.bu<span class="w"> </span>-o<span class="w"> </span>../vfio-prepare.yaml <span class="linenos">3</span>oc<span class="w"> </span>patch<span class="w"> </span>MachineConfig<span class="w"> </span><span class="m">100</span>-vfio<span class="w"> </span>--type<span class="o">=</span>merge<span class="w"> </span>-p<span class="w"> </span>../vfio-prepare.yaml </pre></div> </div> <div class="admonition note"> <p class="admonition-title">Note</p> <p>Intel CPU users: use intel_iommu=on instead of amd_iommu=on.</p> </div> </section> <section id="installing-the-nvidia-gpu-operator"> <h3>Installing the NVIDIA GPU Operator</h3> <p>The NVIDIA GPU Operator simplifies GPU management in Kubernetes environments.</p> <section id="step-1-install-the-operator"> <h4>Step 1: Install the Operator</h4> <p>Via OpenShift web console: 1. Go to <strong>Operators</strong> → <strong>OperatorHub</strong> 2. Search for “NVIDIA GPU Operator” 3. Select the operator and click <strong>Install</strong> 4. Keep default settings and click <strong>Install</strong></p> <p>Or via CLI:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>create<span class="w"> </span>-f<span class="w"> </span>https://raw.githubusercontent.com/NVIDIA/gpu-operator/master/deployments/git/operator-namespace.yaml oc<span class="w"> </span>create<span class="w"> </span>-f<span class="w"> </span>https://raw.githubusercontent.com/NVIDIA/gpu-operator/master/deployments/git/operator-source.yaml </pre></div> </div> </section> <section id="step-2-configure-the-clusterpolicy"> <h4>Step 2: Configure the ClusterPolicy</h4> <p>Set <code class="docutils literal notranslate"><span class="pre">sandboxWorkloads.enabled</span></code> to <code class="docutils literal notranslate"><span class="pre">true</span></code> to enable the components needed for GPU passthrough:</p> <div class="literal-block-wrapper docutils container" id="id7"> <div class="code-block-caption"><span class="caption-text">sandboxWorkloadsEnabled.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos">1</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterPolicy</span> <span class="linenos">2</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">3</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gpu-cluster-policy</span> <span class="linenos">4</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">5</span><span class="w"> </span><span class="nt">sandboxWorkloads</span><span class="p">:</span> <span class="linenos">6</span><span class="w"> </span><span class="nt">defaultWorkload</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">container</span> <span class="linenos">7</span><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> </pre></div> </div> </div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>patch<span class="w"> </span>ClusterPolicy<span class="w"> </span>gpu-cluster-policy<span class="w"> </span>--type<span class="o">=</span>merge<span class="w"> </span>-p<span class="w"> </span>sandboxWorkloadsEnabled.yaml </pre></div> </div> <p>The NVIDIA GPU Operator doesn’t officially support consumer-grade GPUs and won’t automatically bind the GPU audio device to the vfio-pci driver. We’ll handle this manually with the following machine config:</p> <div class="literal-block-wrapper docutils container" id="id8"> <div class="code-block-caption"><span class="caption-text">vfio-prepare.bu</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">variant</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift</span> <span class="linenos"> 2</span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">4.10.0</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">100-vfio</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">machineconfiguration.openshift.io/role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">master</span> <span class="linenos"> 7</span><span class="nt">storage</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">files</span><span class="p">:</span> <span class="linenos"> 9</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/usr/local/bin/vfio-prepare</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0755</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">overwrite</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">contents</span><span class="p">:</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">local</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./vfio-prepare.sh</span> <span class="linenos">14</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/modules-load.d/vfio-pci.conf</span> <span class="linenos">15</span><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0644</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">overwrite</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos">17</span><span class="w"> </span><span class="nt">contents</span><span class="p">:</span> <span class="linenos">18</span><span class="w"> </span><span class="nt">inline</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vfio-pci</span> <span class="linenos">19</span><span class="nt">systemd</span><span class="p">:</span> <span class="linenos">20</span><span class="w"> </span><span class="nt">units</span><span class="p">:</span> <span class="linenos">21</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vfioprepare.service</span> <span class="linenos">22</span><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos">23</span><span class="w"> </span><span class="nt">contents</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="linenos">24</span><span class="w"> </span><span class="no">[Unit]</span> <span class="linenos">25</span><span class="w"> </span><span class="no">Description=Prepare vfio devices</span> <span class="linenos">26</span><span class="w"> </span><span class="no">After=ignition-firstboot-complete.service</span> <span class="linenos">27</span><span class="w"> </span><span class="no">Before=kubelet.service crio.service</span> <span class="linenos">28</span> <span class="linenos">29</span><span class="w"> </span><span class="no">[Service]</span> <span class="linenos">30</span><span class="w"> </span><span class="no">Type=oneshot</span> <span class="linenos">31</span><span class="w"> </span><span class="no">ExecStart=/usr/local/bin/vfio-prepare</span> <span class="linenos">32</span> <span class="linenos">33</span><span class="w"> </span><span class="no">[Install]</span> <span class="linenos">34</span><span class="w"> </span><span class="no">WantedBy=kubelet.service</span> </pre></div> </div> </div> <div class="literal-block-wrapper docutils container" id="id9"> <div class="code-block-caption"><span class="caption-text">vfio-prepare.sh</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="ch">#!/bin/bash</span> <span class="linenos"> 2</span> <span class="linenos"> 3</span>vfio_attach<span class="w"> </span><span class="o">()</span><span class="w"> </span><span class="o">{</span> <span class="linenos"> 4</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span>-f<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">path</span><span class="si">}</span><span class="s2">/driver/unbind"</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">$address</span><span class="w"> </span>&gt;<span class="w"> </span><span class="si">${</span><span class="nv">path</span><span class="si">}</span>/driver/unbind <span class="linenos"> 6</span><span class="w"> </span><span class="k">fi</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span>vfio-pci<span class="w"> </span>&gt;<span class="w"> </span><span class="si">${</span><span class="nv">path</span><span class="si">}</span>/driver_override <span class="linenos"> 8</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">$address</span><span class="w"> </span>&gt;<span class="w"> </span>/sys/bus/pci/drivers/vfio-pci/bind<span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="se">\</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">$name</span><span class="w"> </span>&gt;<span class="w"> </span>/sys/bus/pci/drivers/vfio-pci/new_id<span class="w"> </span><span class="o">||</span><span class="nb">true</span> <span class="linenos">10</span><span class="o">}</span> <span class="linenos">11</span> <span class="linenos">12</span><span class="c1"># 0a:00.1 Audio device [0403]: NVIDIA Corporation GA102 High Definition Audio Controller [10de:1aef] (rev a1)</span> <span class="linenos">13</span><span class="nv">address</span><span class="o">=</span><span class="m">0000</span>:0a:00.1 <span class="linenos">14</span><span class="nv">path</span><span class="o">=</span>/sys/bus/pci/devices/0000<span class="se">\:</span>0a<span class="se">\:</span><span class="m">00</span>.1 <span class="linenos">15</span><span class="nv">name</span><span class="o">=</span><span class="s2">"10de 1467"</span> <span class="linenos">16</span>vfio_attach </pre></div> </div> </div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="linenos">1</span><span class="nb">cd</span><span class="w"> </span>articles/openshift-workstation/machineconfig/build <span class="linenos">2</span>butane<span class="w"> </span>-d<span class="w"> </span>.<span class="w"> </span>vfio-prepare.bu<span class="w"> </span>-o<span class="w"> </span>../vfio-prepare.yaml <span class="linenos">3</span>oc<span class="w"> </span>patch<span class="w"> </span>MachineConfig<span class="w"> </span><span class="m">100</span>-vfio<span class="w"> </span>--type<span class="o">=</span>merge<span class="w"> </span>-p<span class="w"> </span>../vfio-prepare.yaml </pre></div> </div> </section> </section> <section id="dynamically-switching-gpu-drivers"> <h3>Dynamically Switching GPU Drivers</h3> <p>A key advantage of this setup is using a single GPU for both container workloads and VMs without rebooting.</p> <section id="use-case-scenario"> <h4>Use Case Scenario</h4> <ul class="simple"> <li><p>Single NVIDIA GPU shared between container workloads and VMs</p></li> <li><p>Container workloads require the NVIDIA kernel driver</p></li> <li><p>VMs with GPU passthrough require the VFIO-PCI driver</p></li> <li><p>Switching between modes without rebooting</p></li> </ul> </section> <section id="driver-switching-using-node-labels"> <h4>Driver Switching Using Node Labels</h4> <p>The NVIDIA GPU Operator with sandbox workloads enabled lets you switch driver bindings using node labels:</p> <p><strong>For container workloads (NVIDIA driver):</strong></p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Replace 'da2' with your node name</span> oc<span class="w"> </span>label<span class="w"> </span>node<span class="w"> </span>da2<span class="w"> </span>--overwrite<span class="w"> </span>nvidia.com/gpu.workload.config<span class="o">=</span>container </pre></div> </div> <p><strong>For VM passthrough (VFIO-PCI driver):</strong></p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Replace 'da2' with your node name</span> oc<span class="w"> </span>label<span class="w"> </span>node<span class="w"> </span>da2<span class="w"> </span>--overwrite<span class="w"> </span>nvidia.com/gpu.workload.config<span class="o">=</span>vm-passthrough </pre></div> </div> </section> <section id="notes-on-driver-switching"> <h4>Notes on Driver Switching</h4> <ul class="simple"> <li><p>Driver switching takes a few minutes</p></li> <li><p>Verify current driver with <code class="docutils literal notranslate"><span class="pre">lspci</span> <span class="pre">-nnk</span> <span class="pre">|</span> <span class="pre">grep</span> <span class="pre">-A3</span> <span class="pre">NVIDIA</span></code></p></li> <li><p>Stop all GPU workloads before switching drivers</p></li> <li><p>No reboot is usually required</p></li> <li><p>Can be occasionally unreliable and may require a reboot</p></li> </ul> </section> </section> <section id="adding-gpu-as-a-hardware-device"> <h3>Adding GPU as a Hardware Device</h3> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://github.com/kubevirt/kubevirt/blob/main/docs/devel/host-devices-and-device-plugins.md">https://github.com/kubevirt/kubevirt/blob/main/docs/devel/host-devices-and-device-plugins.md</a></p> </div> <p>First, identify the GPU’s Vendor and Product ID:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>lspci<span class="w"> </span>-nnk<span class="w"> </span><span class="p">|</span>grep<span class="w"> </span>VGA </pre></div> </div> <p>Then, identify the device name provided by gpu-feature-discovery:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>get<span class="w"> </span>nodes<span class="w"> </span>da2<span class="w"> </span>-ojson<span class="w"> </span><span class="p">|</span>jq<span class="w"> </span>.status.capacity<span class="w"> </span><span class="p">|</span>grep<span class="w"> </span>nvidia </pre></div> </div> <p>Now, add the GPU to the permitted host devices:</p> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">HyperConverged</span> <span class="linenos"> 2</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 3</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt-hyperconverged</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift-cnv</span> <span class="linenos"> 5</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">permittedHostDevices</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">pciHostDevices</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">externalResourceProvider</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">pciDeviceSelector</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10DE:2206</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">resourceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nvidia.com/GA102_GEFORCE_RTX_3080</span> </pre></div> </div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>patch<span class="w"> </span>hyperconverged<span class="w"> </span>kubevirt-hyperconverged<span class="w"> </span>-n<span class="w"> </span>openshift-cnv<span class="w"> </span>--type<span class="o">=</span>merge<span class="w"> </span>-f<span class="w"> </span>hyperconverged.yaml </pre></div> </div> <p>The <cite>pciDeviceSelector</cite> specifies the vendor:device ID, while <cite>resourceName</cite> specifies the resource name in Kubernetes/OpenShift.</p> </section> </section> <section id="passthrough-usb-controllers-to-vms"> <h2>Passthrough USB Controllers to VMs</h2> <p>For a complete desktop experience, you’ll want to pass through an entire USB controller to your VM for better performance and flexibility.</p> <section id="identifying-a-suitable-usb-controller"> <h3>Identifying a Suitable USB Controller</h3> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/virtualization/index#virt-configuring-pci-passthrough">https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/virtualization/index#virt-configuring-pci-passthrough</a></p> </div> <ol class="arabic"> <li><p>List all USB controllers:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>lspci<span class="w"> </span>-nnk<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-i<span class="w"> </span>usb </pre></div> </div> <p>Example output:</p> <div class="highlight-text notranslate"><div class="highlight"><pre><span/>0b:00.3 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] Matisse USB 3.0 Host Controller [1022:149c] </pre></div> </div> </li> <li><p>Note the PCI address (e.g., <cite>0b:00.3</cite>) and device ID (<cite>1022:149c</cite>).</p></li> <li><p>Check the IOMMU group:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>find<span class="w"> </span>/sys/kernel/iommu_groups/<span class="w"> </span>-iname<span class="w"> </span><span class="s2">"*0b:00.3*"</span> <span class="c1"># Shows which IOMMU group contains this device</span> ls<span class="w"> </span>/sys/kernel/iommu_groups/27/devices/ <span class="c1"># Lists all devices in the same IOMMU group</span> </pre></div> </div> </li> <li><p><strong>Important</strong>: For clean passthrough, the USB controller should ideally be alone in its IOMMU group. If other devices share the group, you’ll need to pass those through as well.</p></li> </ol> </section> <section id="adding-the-usb-controller-as-a-permitted-device"> <h3>Adding the USB Controller as a Permitted Device</h3> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://access.redhat.com/solutions/6250271">https://access.redhat.com/solutions/6250271</a> <a class="reference external" href="https://kubevirt.io/user-guide/virtual_machines/host-devices/#listing-permitted-devices">https://kubevirt.io/user-guide/virtual_machines/host-devices/#listing-permitted-devices</a></p> </div> <p>Add the controller’s Vendor and Product IDs to permitted host devices:</p> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">HyperConverged</span> <span class="linenos"> 2</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 3</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt-hyperconverged</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift-cnv</span> <span class="linenos"> 5</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">permittedHostDevices</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">pciHostDevices</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">pciDeviceSelector</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1022:149C</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">resourceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">devices.kubevirt.io/USB3_Controller</span> <span class="linenos">10</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">pciDeviceSelector</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">8086:2723</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">resourceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">intel.com/WIFI_Controller</span> </pre></div> </div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>patch<span class="w"> </span>hyperconverged<span class="w"> </span>kubevirt-hyperconverged<span class="w"> </span>-n<span class="w"> </span>openshift-cnv<span class="w"> </span>--type<span class="o">=</span>merge<span class="w"> </span>-f<span class="w"> </span>hyperconverged.yaml </pre></div> </div> </section> <section id="binding-the-usb-controller-to-vfio-pci-driver"> <h3>Binding the USB Controller to VFIO-PCI Driver</h3> <div class="literal-block-wrapper docutils container" id="id10"> <div class="code-block-caption"><span class="caption-text">vfio-prepare.bu</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">variant</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">openshift</span> <span class="linenos"> 2</span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">4.10.0</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">100-vfio</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">machineconfiguration.openshift.io/role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">master</span> <span class="linenos"> 7</span><span class="nt">storage</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">files</span><span class="p">:</span> <span class="linenos"> 9</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/usr/local/bin/vfio-prepare</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0755</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">overwrite</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">contents</span><span class="p">:</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">local</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./vfio-prepare.sh</span> <span class="linenos">14</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/modules-load.d/vfio-pci.conf</span> <span class="linenos">15</span><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0644</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">overwrite</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos">17</span><span class="w"> </span><span class="nt">contents</span><span class="p">:</span> <span class="linenos">18</span><span class="w"> </span><span class="nt">inline</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vfio-pci</span> <span class="linenos">19</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/modprobe.d/vfio.conf</span> <span class="linenos">20</span><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0644</span> <span class="linenos">21</span><span class="w"> </span><span class="nt">overwrite</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos">22</span><span class="w"> </span><span class="nt">contents</span><span class="p">:</span> <span class="linenos">23</span><span class="w"> </span><span class="nt">inline</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="linenos">24</span><span class="w"> </span><span class="no">options vfio-pci ids=8086:2723,1022:149c</span> <span class="linenos">25</span><span class="nt">systemd</span><span class="p">:</span> <span class="linenos">26</span><span class="w"> </span><span class="nt">units</span><span class="p">:</span> <span class="linenos">27</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vfioprepare.service</span> <span class="linenos">28</span><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos">29</span><span class="w"> </span><span class="nt">contents</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="linenos">30</span><span class="w"> </span><span class="no">[Unit]</span> <span class="linenos">31</span><span class="w"> </span><span class="no">Description=Prepare vfio devices</span> <span class="linenos">32</span><span class="w"> </span><span class="no">After=ignition-firstboot-complete.service</span> <span class="linenos">33</span><span class="w"> </span><span class="no">Before=kubelet.service crio.service</span> <span class="linenos">34</span> <span class="linenos">35</span><span class="w"> </span><span class="no">[Service]</span> <span class="linenos">36</span><span class="w"> </span><span class="no">Type=oneshot</span> <span class="linenos">37</span><span class="w"> </span><span class="no">ExecStart=/usr/local/bin/vfio-prepare</span> <span class="linenos">38</span> <span class="linenos">39</span><span class="w"> </span><span class="no">[Install]</span> <span class="linenos">40</span><span class="w"> </span><span class="no">WantedBy=kubelet.service</span> <span class="linenos">41</span><span class="nt">openshift</span><span class="p">:</span> <span class="linenos">42</span><span class="w"> </span><span class="nt">kernel_arguments</span><span class="p">:</span> <span class="linenos">43</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">amd_iommu=on</span> <span class="linenos">44</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vga=off</span> <span class="linenos">45</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rdblaclist=nouveau</span> <span class="linenos">46</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">'video=efifb:off'</span> </pre></div> </div> </div> <p>Create a script to unbind the USB controller from its current driver and bind it to vfio-pci:</p> <div class="literal-block-wrapper docutils container" id="id11"> <div class="code-block-caption"><span class="caption-text">vfio-prepare.sh</span></div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="ch">#!/bin/bash</span> <span class="linenos"> 2</span> <span class="linenos"> 3</span>vfio_attach<span class="w"> </span><span class="o">()</span><span class="w"> </span><span class="o">{</span> <span class="linenos"> 4</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span>-f<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">path</span><span class="si">}</span><span class="s2">/driver/unbind"</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">$address</span><span class="w"> </span>&gt;<span class="w"> </span><span class="si">${</span><span class="nv">path</span><span class="si">}</span>/driver/unbind <span class="linenos"> 6</span><span class="w"> </span><span class="k">fi</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span>vfio-pci<span class="w"> </span>&gt;<span class="w"> </span><span class="si">${</span><span class="nv">path</span><span class="si">}</span>/driver_override <span class="linenos"> 8</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">$address</span><span class="w"> </span>&gt;<span class="w"> </span>/sys/bus/pci/drivers/vfio-pci/bind<span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="se">\</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">$name</span><span class="w"> </span>&gt;<span class="w"> </span>/sys/bus/pci/drivers/vfio-pci/new_id<span class="w"> </span><span class="o">||</span><span class="nb">true</span> <span class="linenos">10</span><span class="o">}</span> <span class="linenos">11</span> <span class="linenos">12</span><span class="c1"># 0a:00.1 Audio device [0403]: NVIDIA Corporation GA102 High Definition Audio Controller [10de:1aef] (rev a1)</span> <span class="linenos">13</span><span class="nv">address</span><span class="o">=</span><span class="m">0000</span>:0a:00.1 <span class="linenos">14</span><span class="nv">path</span><span class="o">=</span>/sys/bus/pci/devices/0000<span class="se">\:</span>0a<span class="se">\:</span><span class="m">00</span>.1 <span class="linenos">15</span><span class="nv">name</span><span class="o">=</span><span class="s2">"10de 1467"</span> <span class="linenos">16</span>vfio_attach <span class="linenos">17</span> <span class="linenos">18</span><span class="c1"># Bind "useless" device to vfio-pci to satisfy IOMMU group</span> <span class="linenos">19</span><span class="nv">address</span><span class="o">=</span><span class="m">0000</span>:07:00.0 <span class="linenos">20</span><span class="nv">path</span><span class="o">=</span>/sys/bus/pci/devices/0000<span class="se">\:</span><span class="m">07</span><span class="se">\:</span><span class="m">00</span>.0 <span class="linenos">21</span><span class="nv">name</span><span class="o">=</span><span class="s2">"1043 87c0"</span> <span class="linenos">22</span>vfio_attach <span class="linenos">23</span> <span class="linenos">24</span><span class="c1"># Unbind USB switch and handle via vfio-pci kernel driver</span> <span class="linenos">25</span><span class="nv">address</span><span class="o">=</span><span class="m">0000</span>:07:00.1 <span class="linenos">26</span><span class="nv">path</span><span class="o">=</span>/sys/bus/pci/devices/0000<span class="se">\:</span><span class="m">07</span><span class="se">\:</span><span class="m">00</span>.1 <span class="linenos">27</span><span class="nv">name</span><span class="o">=</span><span class="s2">"1043 87c0"</span> <span class="linenos">28</span>vfio_attach <span class="linenos">29</span> <span class="linenos">30</span><span class="c1"># Unbind USB switch and handle via vfio-pci kernel driver</span> <span class="linenos">31</span><span class="nv">address</span><span class="o">=</span><span class="m">0000</span>:07:00.3 <span class="linenos">32</span><span class="nv">path</span><span class="o">=</span>/sys/bus/pci/devices/0000<span class="se">\:</span><span class="m">07</span><span class="se">\:</span><span class="m">00</span>.3 <span class="linenos">33</span><span class="nv">name</span><span class="o">=</span><span class="s2">"1022 149c"</span> <span class="linenos">34</span>vfio_attach <span class="linenos">35</span> <span class="linenos">36</span><span class="c1"># Unbind USB switch and handle via vfio-pci kernel driver</span> <span class="linenos">37</span><span class="nv">address</span><span class="o">=</span><span class="m">0000</span>:0c:00.3 <span class="linenos">38</span><span class="nv">path</span><span class="o">=</span>/sys/bus/pci/devices/0000<span class="se">\:</span>0c<span class="se">\:</span><span class="m">00</span>.3 <span class="linenos">39</span><span class="nv">name</span><span class="o">=</span><span class="s2">"1022 148c"</span> <span class="linenos">40</span>vfio_attach </pre></div> </div> </div> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="linenos">1</span><span class="nb">cd</span><span class="w"> </span>articles/openshift-workstation/machineconfig/build <span class="linenos">2</span>butane<span class="w"> </span>-d<span class="w"> </span>.<span class="w"> </span>vfio-prepare.bu<span class="w"> </span>-o<span class="w"> </span>../vfio-prepare.yaml <span class="linenos">3</span>oc<span class="w"> </span>patch<span class="w"> </span>MachineConfig<span class="w"> </span><span class="m">100</span>-vfio<span class="w"> </span>--type<span class="o">=</span>merge<span class="w"> </span>-p<span class="w"> </span>../vfio-prepare.yaml </pre></div> </div> </section> </section> <section id="creating-vms-with-gpu-passthrough"> <h2>Creating VMs with GPU Passthrough</h2> <p>This section explains how to create VMs that can use GPU passthrough, using existing LVM Logical Volumes with UEFI boot.</p> <section id="creating-persistent-volumes-from-lvm-disks"> <h3>Creating Persistent Volumes from LVM Disks</h3> <p>First, make LVM volumes available to OpenShift via Persistent Volume Claims (PVCs). This assumes you have the Local Storage Operator installed.</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/storage/configuring-persistent-storage#lvms-installing-lvms-with-web-console_logical-volume-manager-storage">https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/storage/configuring-persistent-storage#lvms-installing-lvms-with-web-console_logical-volume-manager-storage</a></p> </div> <ol class="arabic simple"> <li><p>Create a YAML file for each VM disk:</p></li> </ol> <div class="literal-block-wrapper docutils container" id="id12"> <div class="code-block-caption"><span class="caption-text">fedora_pvc.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nn">---</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PersistentVolumeClaim</span> <span class="linenos"> 3</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span> <span class="linenos"> 4</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fedora35</span> <span class="linenos"> 6</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span> <span class="linenos"> 8</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ReadWriteOnce</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">volumeMode</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Block</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">100Gi</span><span class="w"> </span> <span class="linenos">13</span><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">lvms-vg1</span> </pre></div> </div> </div> <ol class="arabic simple" start="2"> <li><p>Apply the YAML:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>fedora35.yaml </pre></div> </div> <ol class="arabic simple" start="3"> <li><p>Verify the PV and PVC are bound:</p></li> </ol> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/>oc<span class="w"> </span>get<span class="w"> </span>pv oc<span class="w"> </span>get<span class="w"> </span>pvc<span class="w"> </span>-n<span class="w"> </span>&lt;your-namespace&gt; </pre></div> </div> </section> <section id="defining-vms-with-gpu-passthrough"> <h3>Defining VMs with GPU Passthrough</h3> <p>Key configuration elements for desktop VMs with GPU passthrough:</p> <ol class="arabic"> <li><p><strong>GPU Passthrough</strong>: Pass the entire physical GPU to the VM</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://kubevirt.io/user-guide/virtual_machines/host-devices/#pci-passthrough">https://kubevirt.io/user-guide/virtual_machines/host-devices/#pci-passthrough</a></p> </div> </li> <li><p><strong>Disable Virtual VGA</strong>: Remove the emulated VGA device</p> <div class="admonition seealso"> <p class="admonition-title">See also</p> <p><a class="reference external" href="https://kubevirt.io/api-reference/master/definitions.html#_v1_devices">https://kubevirt.io/api-reference/master/definitions.html#_v1_devices</a></p> </div> </li> <li><p><strong>USB Controller Passthrough</strong>: For connecting peripherals directly</p></li> <li><p><strong>UEFI Boot</strong>: For compatibility with modern OSes and GPU drivers</p></li> <li><p><strong>CPU/Memory Configuration</strong>: Based on workload requirements</p></li> </ol> <div class="literal-block-wrapper docutils container" id="id13"> <div class="code-block-caption"><span class="caption-text">fedora.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt.io/v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">VirtualMachine</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fedora</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">epheo</span> <span class="linenos"> 6</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">runStrategy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Halted</span> <span class="linenos"> 8</span><span class="w"> </span><span class="nt">template</span><span class="p">:</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos">10</span><span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="linenos">11</span><span class="w"> </span><span class="nt">kubevirt.io/domain</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fedora</span> <span class="linenos">12</span><span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="linenos">13</span><span class="w"> </span><span class="nt">architecture</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">amd64</span> <span class="linenos">14</span><span class="w"> </span><span class="nt">domain</span><span class="p">:</span> <span class="linenos">15</span><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span> <span class="linenos">16</span><span class="w"> </span><span class="nt">cores</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">8</span> <span class="linenos">17</span><span class="w"> </span><span class="nt">model</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">host-passthrough</span> <span class="linenos">18</span><span class="w"> </span><span class="nt">sockets</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2</span> <span class="linenos">19</span><span class="w"> </span><span class="nt">threads</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span> <span class="linenos">20</span><span class="w"> </span><span class="nt">features</span><span class="p">:</span> <span class="linenos">21</span><span class="w"> </span><span class="nt">acpi</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos">22</span><span class="w"> </span><span class="nt">smm</span><span class="p">:</span> <span class="linenos">23</span><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"> </span> <span class="linenos">24</span><span class="w"> </span><span class="nt">firmware</span><span class="p">:</span> <span class="linenos">25</span><span class="w"> </span><span class="nt">bootloader</span><span class="p">:</span> <span class="linenos">26</span><span class="w"> </span><span class="nt">efi</span><span class="p">:</span> <span class="linenos">27</span><span class="w"> </span><span class="nt">secureBoot</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w"> </span><span class="c1"># For Nvidia Driver...</span> <span class="linenos">28</span><span class="w"> </span><span class="nt">devices</span><span class="p">:</span> <span class="linenos">29</span><span class="w"> </span><span class="nt">disks</span><span class="p">:</span> <span class="linenos">30</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">bootOrder</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span> <span class="linenos">31</span><span class="w"> </span><span class="nt">disk</span><span class="p">:</span> <span class="linenos">32</span><span class="w"> </span><span class="nt">bus</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">virtio</span> <span class="linenos">33</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pvdisk</span> <span class="linenos">34</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">disk</span><span class="p">:</span> <span class="linenos">35</span><span class="w"> </span><span class="nt">bus</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">virtio</span> <span class="linenos">36</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloudinitdisk</span> <span class="linenos">37</span><span class="w"> </span><span class="nt">autoattachGraphicsDevice</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span> <span class="linenos">38</span><span class="w"> </span><span class="nt">gpus</span><span class="p">:</span> <span class="linenos">39</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">deviceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nvidia.com/GA102_GEFORCE_RTX_3080</span> <span class="linenos">40</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gpuvideo</span> <span class="linenos">41</span><span class="w"> </span><span class="nt">hostDevices</span><span class="p">:</span> <span class="linenos">42</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">deviceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">devices.kubevirt.io/USB3_Controller</span> <span class="linenos">43</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">usbcontroller</span> <span class="linenos">44</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">deviceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">devices.kubevirt.io/USB3_Controller</span> <span class="linenos">45</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">usbcontroller2</span> <span class="linenos">46</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">deviceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">intel.com/WIFI_Controller</span> <span class="linenos">47</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">wificontroller</span> <span class="linenos">48</span><span class="w"> </span><span class="nt">interfaces</span><span class="p">:</span> <span class="linenos">49</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">masquerade</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos">50</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span> <span class="linenos">51</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">bridge</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos">52</span><span class="w"> </span><span class="nt">model</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">virtio</span> <span class="linenos">53</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nic-0</span> <span class="linenos">54</span><span class="w"> </span><span class="nt">networkInterfaceMultiqueue</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos">55</span><span class="w"> </span><span class="nt">rng</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos">56</span><span class="w"> </span><span class="nt">machine</span><span class="p">:</span> <span class="linenos">57</span><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">q35</span> <span class="linenos">58</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="linenos">59</span><span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="linenos">60</span><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">16G</span> <span class="linenos">61</span><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fedora</span> <span class="linenos">62</span><span class="w"> </span><span class="nt">networks</span><span class="p">:</span> <span class="linenos">63</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span> <span class="linenos">64</span><span class="w"> </span><span class="nt">pod</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos">65</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">multus</span><span class="p">:</span> <span class="linenos">66</span><span class="w"> </span><span class="nt">networkName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">br1</span> <span class="linenos">67</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nic-0</span> <span class="linenos">68</span><span class="w"> </span><span class="nt">terminationGracePeriodSeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0</span> <span class="linenos">69</span><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> <span class="linenos">70</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">71</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="s">'fedora35'</span> <span class="linenos">72</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pvdisk</span> <span class="linenos">73</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">cloudInitNoCloud</span><span class="p">:</span> <span class="linenos">74</span><span class="w"> </span><span class="nt">userData</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|-</span> <span class="linenos">75</span><span class="w"> </span><span class="no">#cloud-config</span> <span class="linenos">76</span><span class="w"> </span><span class="no">password: fedora</span> <span class="linenos">77</span><span class="w"> </span><span class="no">chpasswd: { expire: False }</span> <span class="linenos">78</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloudinitdisk</span> </pre></div> </div> </div> <div class="literal-block-wrapper docutils container" id="id14"> <div class="code-block-caption"><span class="caption-text">windows.yaml</span></div> <div class="highlight-yaml notranslate"><div class="highlight"><pre><span/><span class="linenos"> 1</span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubevirt.io/v1</span> <span class="linenos"> 2</span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">VirtualMachine</span> <span class="linenos"> 3</span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 4</span><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span> <span class="linenos"> 5</span><span class="w"> </span><span class="nt">vm.kubevirt.io/os</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows10</span> <span class="linenos"> 6</span><span class="w"> </span><span class="nt">vm.kubevirt.io/workload</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">desktop</span> <span class="linenos"> 7</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows</span> <span class="linenos"> 8</span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 9</span><span class="w"> </span><span class="nt">runStrategy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Manual</span> <span class="linenos"> 10</span><span class="w"> </span><span class="nt">template</span><span class="p">:</span> <span class="linenos"> 11</span><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span> <span class="linenos"> 12</span><span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="linenos"> 13</span><span class="w"> </span><span class="nt">kubevirt.io/domain</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows</span> <span class="linenos"> 14</span><span class="w"> </span><span class="nt">spec</span><span class="p">:</span> <span class="linenos"> 15</span><span class="w"> </span><span class="nt">architecture</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">amd64</span> <span class="linenos"> 16</span><span class="w"> </span><span class="nt">domain</span><span class="p">:</span> <span class="linenos"> 17</span><span class="w"> </span><span class="nt">clock</span><span class="p">:</span> <span class="linenos"> 18</span><span class="w"> </span><span class="nt">timer</span><span class="p">:</span> <span class="linenos"> 19</span><span class="w"> </span><span class="nt">hpet</span><span class="p">:</span> <span class="linenos"> 20</span><span class="w"> </span><span class="nt">present</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span> <span class="linenos"> 21</span><span class="w"> </span><span class="nt">hyperv</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 22</span><span class="w"> </span><span class="nt">pit</span><span class="p">:</span> <span class="linenos"> 23</span><span class="w"> </span><span class="nt">tickPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">delay</span> <span class="linenos"> 24</span><span class="w"> </span><span class="nt">rtc</span><span class="p">:</span> <span class="linenos"> 25</span><span class="w"> </span><span class="nt">tickPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">catchup</span> <span class="linenos"> 26</span><span class="w"> </span><span class="nt">utc</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 27</span><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span> <span class="linenos"> 28</span><span class="w"> </span><span class="nt">cores</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">8</span> <span class="linenos"> 29</span><span class="w"> </span><span class="nt">dedicatedCpuPlacement</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos"> 30</span><span class="w"> </span><span class="nt">sockets</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2</span> <span class="linenos"> 31</span><span class="w"> </span><span class="nt">threads</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span> <span class="linenos"> 32</span><span class="w"> </span><span class="nt">devices</span><span class="p">:</span> <span class="linenos"> 33</span><span class="w"> </span><span class="nt">autoattachGraphicsDevice</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span> <span class="linenos"> 34</span><span class="w"> </span><span class="nt">disks</span><span class="p">:</span> <span class="linenos"> 35</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">cdrom</span><span class="p">:</span> <span class="linenos"> 36</span><span class="w"> </span><span class="nt">bus</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sata</span> <span class="linenos"> 37</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-guest-tools</span> <span class="linenos"> 38</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">bootOrder</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span> <span class="linenos"> 39</span><span class="w"> </span><span class="nt">disk</span><span class="p">:</span> <span class="linenos"> 40</span><span class="w"> </span><span class="nt">bus</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">virtio</span> <span class="linenos"> 41</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pvdisk</span> <span class="linenos"> 42</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">disk</span><span class="p">:</span> <span class="linenos"> 43</span><span class="w"> </span><span class="nt">bus</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">virtio</span> <span class="linenos"> 44</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pvdisk1</span> <span class="linenos"> 45</span><span class="w"> </span><span class="nt">gpus</span><span class="p">:</span> <span class="linenos"> 46</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">deviceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nvidia.com/GA102_GEFORCE_RTX_3080</span> <span class="linenos"> 47</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gpuvideo</span> <span class="linenos"> 48</span><span class="w"> </span><span class="nt">hostDevices</span><span class="p">:</span> <span class="linenos"> 49</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">deviceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">devices.kubevirt.io/USB3_Controller</span> <span class="linenos"> 50</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">usbcontroller</span> <span class="linenos"> 51</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">deviceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">devices.kubevirt.io/USB3_Controller</span> <span class="linenos"> 52</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">usbcontroller2</span> <span class="linenos"> 53</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">deviceName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">intel.com/WIFI_Controller</span> <span class="linenos"> 54</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">wificontroller</span> <span class="linenos"> 55</span><span class="w"> </span><span class="nt">interfaces</span><span class="p">:</span> <span class="linenos"> 56</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">bridge</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 57</span><span class="w"> </span><span class="nt">model</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">virtio</span> <span class="linenos"> 58</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nic-0</span> <span class="linenos"> 59</span><span class="w"> </span><span class="nt">networkInterfaceMultiqueue</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos"> 60</span><span class="w"> </span><span class="nt">rng</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 61</span><span class="w"> </span><span class="nt">tpm</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 62</span><span class="w"> </span><span class="nt">features</span><span class="p">:</span> <span class="linenos"> 63</span><span class="w"> </span><span class="nt">acpi</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 64</span><span class="w"> </span><span class="nt">apic</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 65</span><span class="w"> </span><span class="nt">hyperv</span><span class="p">:</span> <span class="linenos"> 66</span><span class="w"> </span><span class="nt">frequencies</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 67</span><span class="w"> </span><span class="nt">ipi</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 68</span><span class="w"> </span><span class="nt">reenlightenment</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 69</span><span class="w"> </span><span class="nt">relaxed</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 70</span><span class="w"> </span><span class="nt">reset</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 71</span><span class="w"> </span><span class="nt">runtime</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 72</span><span class="w"> </span><span class="nt">spinlocks</span><span class="p">:</span> <span class="linenos"> 73</span><span class="w"> </span><span class="nt">spinlocks</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">8191</span> <span class="linenos"> 74</span><span class="w"> </span><span class="nt">synic</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 75</span><span class="w"> </span><span class="nt">synictimer</span><span class="p">:</span> <span class="linenos"> 76</span><span class="w"> </span><span class="nt">direct</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 77</span><span class="w"> </span><span class="nt">tlbflush</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 78</span><span class="w"> </span><span class="nt">vapic</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 79</span><span class="w"> </span><span class="nt">vpindex</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 80</span><span class="w"> </span><span class="nt">smm</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span> <span class="linenos"> 81</span><span class="w"> </span><span class="nt">firmware</span><span class="p">:</span> <span class="linenos"> 82</span><span class="w"> </span><span class="nt">bootloader</span><span class="p">:</span> <span class="linenos"> 83</span><span class="w"> </span><span class="nt">efi</span><span class="p">:</span> <span class="linenos"> 84</span><span class="w"> </span><span class="nt">secureBoot</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span> <span class="linenos"> 85</span><span class="w"> </span><span class="nt">machine</span><span class="p">:</span> <span class="linenos"> 86</span><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">q35</span> <span class="linenos"> 87</span><span class="w"> </span><span class="nt">memory</span><span class="p">:</span> <span class="linenos"> 88</span><span class="w"> </span><span class="nt">hugepages</span><span class="p">:</span> <span class="linenos"> 89</span><span class="w"> </span><span class="nt">pageSize</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1Gi</span> <span class="linenos"> 90</span><span class="w"> </span><span class="nt">resources</span><span class="p">:</span> <span class="linenos"> 91</span><span class="w"> </span><span class="nt">requests</span><span class="p">:</span> <span class="linenos"> 92</span><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">32Gi</span> <span class="linenos"> 93</span><span class="w"> </span><span class="nt">evictionStrategy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">None</span> <span class="linenos"> 94</span><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows</span> <span class="linenos"> 95</span><span class="w"> </span><span class="nt">networks</span><span class="p">:</span> <span class="linenos"> 96</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">multus</span><span class="p">:</span> <span class="linenos"> 97</span><span class="w"> </span><span class="nt">networkName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">br1</span> <span class="linenos"> 98</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nic-0</span> <span class="linenos"> 99</span><span class="w"> </span><span class="nt">terminationGracePeriodSeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">3600</span> <span class="linenos">100</span><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span> <span class="linenos">101</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">containerDisk</span><span class="p">:</span> <span class="linenos">102</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registry.redhat.io/container-native-virtualization/virtio-win-rhel9@sha256:0c536c7aba76eb9c1e75a8f2dc2bbfa017e90314d55b242599ea41f42ba4434f</span> <span class="linenos">103</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows-guest-tools</span> <span class="linenos">104</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pvdisk</span> <span class="linenos">105</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">106</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windows</span> <span class="linenos">107</span><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pvdisk1</span> <span class="linenos">108</span><span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span> <span class="linenos">109</span><span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">windowsdata</span> </pre></div> </div> </div> </section> </section> <section id="future-improvements"> <h2>Future Improvements</h2> <p>Some potential future improvements to this setup:</p> <ul class="simple"> <li><p>Using MicroShift instead of OpenShift to reduce Control Plane footprint</p></li> <li><p>Running Linux Desktop in containers instead of VMs</p></li> <li><p>Implementing more efficient resource allocation with CPU pinning and huge pages</p></li> </ul> </section> <section id="troubleshooting"> <h2>Troubleshooting</h2> <section id="iommu-group-issues"> <h3>IOMMU Group Issues</h3> <p><strong>Problem:</strong> VM fails to start with:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="o">{</span><span class="s2">"component"</span>:<span class="s2">"virt-launcher"</span>,<span class="s2">"level"</span>:<span class="s2">"error"</span>,<span class="s2">"msg"</span>:<span class="s2">"Failed to start VirtualMachineInstance"</span>, <span class="s2">"reason"</span>:<span class="s2">"virError... vfio 0000:07:00.1: group 19 is not viable</span> <span class="s2">Please ensure all devices within the iommu_group are bound to their vfio bus driver."</span><span class="o">}</span> </pre></div> </div> <p><strong>Diagnosis:</strong> Not all devices in the IOMMU group are bound to vfio-pci. Check:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Check devices in the IOMMU group</span> ls<span class="w"> </span>/sys/kernel/iommu_groups/19/devices/ <span class="c1"># Check what these devices are</span> lspci<span class="w"> </span>-nnks<span class="w"> </span><span class="m">07</span>:00.0 </pre></div> </div> <p><strong>Solution:</strong> Bind all devices in the IOMMU group to vfio-pci:</p> <div class="highlight-bash notranslate"><div class="highlight"><pre><span/><span class="c1"># Add to vfio-prepare.sh</span> <span class="nb">echo</span><span class="w"> </span><span class="s2">"vfio-pci"</span><span class="w"> </span>&gt;<span class="w"> </span>/sys/bus/pci/devices/0000:03:08.0/driver_override <span class="nb">echo</span><span class="w"> </span><span class="s2">"vfio-pci"</span><span class="w"> </span>&gt;<span class="w"> </span>/sys/bus/pci/devices/0000:07:00.0/driver_override <span class="nb">echo</span><span class="w"> </span><span class="s2">"vfio-pci"</span><span class="w"> </span>&gt;<span class="w"> </span>/sys/bus/pci/devices/0000:07:00.1/driver_override <span class="nb">echo</span><span class="w"> </span><span class="s2">"vfio-pci"</span><span class="w"> </span>&gt;<span class="w"> </span>/sys/bus/pci/devices/0000:07:00.3/driver_override <span class="c1"># Unbind from current drivers, then bind to vfio-pci</span> </pre></div> </div> </section> <section id="common-issues-and-solutions"> <h3>Common Issues and Solutions</h3> <p><strong>No display output after GPU passthrough:</strong></p> <ul class="simple"> <li><p>Disable virtual VGA in VM spec</p></li> <li><p>Pass through both GPU and audio device</p></li> <li><p>Install proper GPU drivers inside VM</p></li> </ul> <p><strong>Performance issues in Windows VM:</strong></p> <ul class="simple"> <li><p>Configure CPU pinning correctly</p></li> <li><p>Enable huge pages for better memory performance</p></li> <li><p>Install latest NVIDIA drivers in VM</p></li> <li><p>Disable Windows Game Bar and overlay software</p></li> </ul> <p><strong>GPU driver switching fails:</strong></p> <ul class="simple"> <li><p>Stop all GPU workloads before switching</p></li> <li><p>Check GPU operator logs: <code class="docutils literal notranslate"><span class="pre">oc</span> <span class="pre">logs</span> <span class="pre">-n</span> <span class="pre">nvidia-gpu-operator</span> <span class="pre">&lt;pod-name&gt;</span></code></p></li> <li><p>Verify IOMMU is enabled in BIOS/UEFI</p></li> </ul> <p>For further troubleshooting, check logs:</p> <ul class="simple"> <li><p>virt-handler: <code class="docutils literal notranslate"><span class="pre">oc</span> <span class="pre">logs</span> <span class="pre">-n</span> <span class="pre">openshift-cnv</span> <span class="pre">virt-handler-&lt;hash&gt;</span></code></p></li> <li><p>virt-launcher: <code class="docutils literal notranslate"><span class="pre">oc</span> <span class="pre">logs</span> <span class="pre">-n</span> <span class="pre">&lt;namespace&gt;</span> <span class="pre">virt-launcher-&lt;vm-name&gt;-&lt;hash&gt;</span></code></p></li> <li><p>nvidia-driver-daemonset: <code class="docutils literal notranslate"><span class="pre">oc</span> <span class="pre">logs</span> <span class="pre">-n</span> <span class="pre">nvidia-gpu-operator</span> <span class="pre">nvidia-driver-daemonset-&lt;hash&gt;</span></code></p></li> </ul> </section> </section> Mon, 27 Feb 2023 00:00:00