Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qat: drop AppArmor annotations #1860

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

qat: drop AppArmor annotations #1860

wants to merge 2 commits into from

Conversation

mythi
Copy link
Contributor

@mythi mythi commented Sep 30, 2024
edited
Loading

It's been GA since k8s 1.30 so we can enable it unconditionally starting with our 0.32 release.

Fixes: #1818
Fixes: #1887

@mythi mythi force-pushed the PR-2024-022 branch 3 times, most recently from 84e99cb to d40efb3 Compare October 4, 2024 07:39
@mythi mythi marked this pull request as ready for review October 4, 2024 08:03
@mythi
Copy link
Contributor Author

mythi commented Oct 4, 2024

TODO: @hj-johannes-lee is still checking whether the vfio-pci.ids= cmdline settings can an alternative to Unconfined.

@hj-johannes-lee
Copy link
Contributor

hj-johannes-lee commented Oct 8, 2024
edited
Loading

Unfortunately vfio-pci.ids= way does not alternate apparmor related matters.
There is no difference between having it or not.

@mythi
Copy link
Contributor Author

mythi commented Oct 18, 2024

Unfortunately vfio-pci.ids= way does not alternate apparmor related matters. There is no difference between having it or not.

I took a closer look. vfio-pci.ids= can help here but we are handling the new_id write errors a bit wrong. This function could just print a warning and not error so that the plugin fails.

@mythi
qat: drop setupDeviceIDs()
43f4dae 
setupDeviceIDs() is obsoleted and the preferred approach is driver_override.

The new_id mechanism was added way before we had the initcontainer support in place.
Furthermore, at least for vfio-pci we don't need it at all if the driver uses
ids=8086:<qat VF dev IDs>.

Drop write attemps to new_id and move the corresponding functionality to
qat-init.sh. With this, we can drop the Apparmor policies from the plugin.

Signed-off-by: Mikko Ylinen <[email protected]>
@mythi
qat: drop AppArmor annotations
7180f99 
"unconfined" annotation was needed to get writes to new_id / bind
to succeed.

However, many things have changed:

* new_id should not be used anymore and it was dropped in the plugin.
* QAT initcontainer has assumed the role of HW initialization.
* vfio-pci is the preferred "dpdkDriver" and starting with QAT Gen4, it
is the only available VF driver so unbind isn't necessary.

The suggested approach is to configure ids=8086:<qat VF IDs> to
vfio-pci parameters. Alternatively, the initcontainer will take care
of binding QAT VFs to vfio-pci through driver_override.

Signed-off-by: Mikko Ylinen <[email protected]>
@mythi mythi marked this pull request as draft October 18, 2024 12:46
@mythi mythi changed the title qat: set AppArmorProfile and drop AppArmor annotations qat: drop AppArmor annotations Oct 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bart0sh bart0sh Awaiting requested review from bart0sh bart0sh is a code owner

@ozhuraki ozhuraki Awaiting requested review from ozhuraki ozhuraki is a code owner

@hj-johannes-lee hj-johannes-lee Awaiting requested review from hj-johannes-lee hj-johannes-lee is a code owner

@tkatila tkatila Awaiting requested review from tkatila tkatila is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

qat: don't set device IDs in the plugin Update Apparmor configuration and related docs
2 participants
@mythi @hj-johannes-lee