To create single-root I/O virtualization (SR-IOV) ports on a network that has port security disabled, define a compute machine set that includes the ports as items in the spec.template.spec.providerSpec.value.ports
list. This difference from the standard SR-IOV compute machine set is due to the automatic security group and allowed address pair configuration that occurs for ports that are created by using the network and subnet interfaces.
Ports that you define for machines subnets require:
-
Allowed address pairs for the API and ingress virtual IP ports
-
The compute security group
-
Attachment to the machines network and subnet
|
Only parameters that are specific to SR-IOV deployments where port security is disabled are described in this sample. To review a more general sample, see Sample YAML for a compute machine set custom resource that uses SR-IOV on RHOSP".
|
An example compute machine set that uses SR-IOV networks and has port security disabled
apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
labels:
machine.openshift.io/cluster-api-cluster: <infrastructure_id>
machine.openshift.io/cluster-api-machine-role: <node_role>
machine.openshift.io/cluster-api-machine-type: <node_role>
name: <infrastructure_id>-<node_role>
namespace: openshift-machine-api
spec:
replicas: <number_of_replicas>
selector:
matchLabels:
machine.openshift.io/cluster-api-cluster: <infrastructure_id>
machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<node_role>
template:
metadata:
labels:
machine.openshift.io/cluster-api-cluster: <infrastructure_id>
machine.openshift.io/cluster-api-machine-role: <node_role>
machine.openshift.io/cluster-api-machine-type: <node_role>
machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<node_role>
spec:
metadata: {}
providerSpec:
value:
apiVersion: openstackproviderconfig.openshift.io/v1alpha1
cloudName: openstack
cloudsSecret:
name: openstack-cloud-credentials
namespace: openshift-machine-api
flavor: <nova_flavor>
image: <glance_image_name_or_location>
kind: OpenstackProviderSpec
ports:
- allowedAddressPairs: (1)
- ipAddress: <API_VIP_port_IP>
- ipAddress: <ingress_VIP_port_IP>
fixedIPs:
- subnetID: <machines_subnet_UUID> (2)
nameSuffix: nodes
networkID: <machines_network_UUID> (2)
securityGroups:
- <compute_security_group_UUID> (3)
- networkID: <SRIOV_network_UUID>
nameSuffix: sriov
fixedIPs:
- subnetID: <SRIOV_subnet_UUID>
tags:
- sriov
vnicType: direct
portSecurity: False
primarySubnet: <machines_subnet_UUID>
serverMetadata:
Name: <infrastructure_ID>-<node_role>
openshiftClusterID: <infrastructure_id>
tags:
- openshiftClusterID=<infrastructure_id>
trunk: false
userDataSecret:
name: worker-user-data
1 |
Specify allowed address pairs for the API and ingress ports. |
2 |
Specify the machines network and subnet. |
3 |
Specify the compute machines security group. |
|
Trunking is enabled for ports that are created by entries in the networks and subnets lists. The names of ports that are created from these lists follow the pattern <machine_name>-<nameSuffix> . The nameSuffix field is required in port definitions.
You can enable trunking for each port.
Optionally, you can add tags to ports as part of their tags lists.
|
If your cluster uses Kuryr and the RHOSP SR-IOV network has port security disabled, the primary port for compute machines must have:
-
The value of the spec.template.spec.providerSpec.value.networks.portSecurityEnabled
parameter set to false
.
-
For each subnet, the value of the spec.template.spec.providerSpec.value.networks.subnets.portSecurityEnabled
parameter set to false
.
-
The value of spec.template.spec.providerSpec.value.securityGroups
set to empty: []
.
An example section of a compute machine set for a cluster on Kuryr that uses SR-IOV and has port security disabled
...
networks:
- subnets:
- uuid: <machines_subnet_UUID>
portSecurityEnabled: false
portSecurityEnabled: false
securityGroups: []
...
In that case, you can apply the compute security group to the primary VM interface after the VM is created. For example, from a command line:
$ openstack port set --enable-port-security --security-group <infrastructure_id>-<node_role> <main_port_ID>
|
After you deploy compute machines that are SR-IOV-capable, you must label them as such. For example, from a command line, enter:
$ oc label node <NODE_NAME> feature.node.kubernetes.io/network-sriov.capable="true"
|