qat: drop AppArmor annotations #1860
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mythi
force-pushed
the
PR-2024-022
branch
3 times, most recently
from
84e99cb to
d40efb3
Compare
mythi
requested review from
bart0sh,
ozhuraki,
hj-johannes-lee and
tkatila
as code owners
|
TODO: @hj-johannes-lee is still checking whether the |
|
Unfortunately |
I took a closer look. |
mythi
changed the title
mythi
force-pushed
the
PR-2024-022
branch
3 times, most recently
from
5cabe2a to
2989f53
Compare
hj-johannes-lee
approved these changes
Jan 15, 2025
QAT device plugin has some initialization functions that require special SecurityContext parameters (e.g., setting Apparmor policies on some OSes). It's better to move all of the initialization to the privileged init-container that is already taking care some parts of it. With this change, we default to vfio-pci "DpdkDrv". Signed-off-by: Mikko Ylinen <[email protected]>
setupDeviceIDs() is obsoleted and the preferred approach is driver_override already implemented in qat-init.sh initcontainer. The new_id mechanism was added way before we had the initcontainer support in place. Furthermore, at least for vfio-pci we don't need it at all if the driver uses ids=8086:<qat VF dev IDs>. Drop write attemps to new_id in favor of the initcontainer functionality. Signed-off-by: Mikko Ylinen <[email protected]>
"unconfined" annotation was needed to get writes to new_id / bind to succeed on AppArmor enabled OSes. However, many things have changed: * new_id should not be used anymore and it was dropped in the plugin. * QAT initcontainer has assumed the role of HW initialization. * vfio-pci is the preferred "dpdkDriver" and starting with QAT Gen4, it is the only available VF driver so unbind isn't necessary. * k8s AppArmor is "GA" since 1.30 and the annotation is deprecated. As of now, the initcontainer will take care of binding QAT VFs to vfio-pci so the plugin does not neeed to set AppArmor at all. Signed-off-by: Mikko Ylinen <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It's been GA since k8s 1.30 so we can enable it unconditionally starting with our 0.32 release.
Fixes: #1818
Fixes: #1887