Paul Bastide

Author: Paul Bastide

  • 🚀 Builds for OpenShift 1.5 is now GA!

    Now available on OpenShift 4.16–4.19, this release brings powerful new features for building container images natively on your cluster—including support for ppc64le!

    🔧 Highlights:

    • NodeSelector & Scheduler support via shp CLI
    • Shallow Git cloning for faster builds

    💡 Built on Shipwright, Builds 1.5 simplifies image creation with Kubernetes-native APIs, Buildah/S2I strategies, and full CLI + web console integration.

    Perfect for teams running on IBM Power Systems or running Multi-Architecture Compute clusters. Start building smarter, faster, and more consistently across all the architectures in your cluster.

    📘 Learn more: https://docs.redhat.com/en/documentation/builds_for_red_hat_openshift/1.5/html/release_notes/ob-release-notes

  • Great News… IBM has Open Source Wheel Packages for Linux on Power

    Priya Seth posted about Open Source Wheel Packages for Linux on Power:

    IBM provides a dedicated repository of Python wheel packages optimized for the Linux on Power (ppc64le) architecture. These pre-built binaries simplify Python development on Power systems by eliminating the need to compile packages from source—saving time and reducing complexity.

    Wheel files (.whl) are the standard for distributing pre-compiled Python packages. For developers working on Power architecture, having access to architecture-specific wheels ensures compatibility and speeds up development.

    IBM hosts a curated collection of open-source Python wheels for the ppc64le platform listed at https://open-source-edge.developerfirst.ibm.com/

    Use pip to download the package without installing it:

    pip download <package_name>==<version> --prefer-binary --index-url=https://wheels.developerfirst.ibm.com/ppc64le/linux --verbose --no-deps

    Replace <package_name> and <version> with the desired values.

    Whether you’re building AI models, data pipelines, or enterprise applications, this repository helps accelerate your Python development on Power.

    You can also refer to https://community.ibm.com/community/user/blogs/nikhil-kalbande/2025/08/01/install-wheels-from-ibm-python-wheel-repository

  • Optimizing Workloads with NUMA-Aware CPU Distribution in Kubernetes

    DRAFT This is not a complete article. I haven’t yet fully tested and vetted the steps I built. I will come back and hopefully update.

    Kubernetes 1.30 introduces a powerful enhancement to CPU resource management: the ability to distribute CPUs across NUMA nodes using a new CPUManager policy. This feature, part of KEP-2902, enables better performance and resource utilization on multi-NUMA systems by spreading workloads instead of concentrating them on a single node.

    Non-Uniform Memory Access (NUMA) is a memory design used in modern multi-socket systems where each CPU socket has its own local memory. Accessing local memory is faster than accessing memory attached to another CPU. Therefore, NUMA-aware scheduling is crucial for performance-sensitive workloads.

    Traditionally, Kubernetes’ CPUManager used a “packed” policy, allocating CPUs from a single NUMA node to reduce latency. However, this can lead to resource contention and underutilization in systems with multiple NUMA nodes.

    • High-throughput applications like databases or analytics engines
    • Multi-threaded workloads that benefit from parallelism
    • NUMA-aware applications that manage memory locality explicitly

    The new “distributed” policy spreads CPU allocations across NUMA nodes, improving parallelism and overall system throughput.

    To enable the distributed CPUManager Policy, here is a step-by-step guide to enable and use this feature on Kubernetes v1.30+:

    1. Label the nodes you want to be enabled with cpumanager and the distributed policy.
    oc label node worker-0 custom-kubelet=cpumanager-enabled
    1. Create a custom KubeletConfig to allow the CPUManager to use distributed cpuManagerPolicy.
    cat << EOF | oc apply -f -
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: cpumanager-enabled
spec:
  machineConfigPoolSelector:
    matchLabels:
      custom-kubelet: cpumanager-enabled
  kubeletConfig:
     cpuManagerPolicy: distributed 
     cpuManagerReconcilePeriod: 5s 
EOF
    1. Wait for the Node to restart the Kubelet
    2. Create a Pod to request Guaranteed QoS by specifying equal CPU requests and limits:
    apiVersion: v1
kind: Pod
metadata:
  name: numa-aware-pod
spec:
  containers:
  - name: workload
    image: your-image
    resources:
      requests:
        cpu: "4"
      limits:
        cpu: "4"

    Kubernetes will now distribute the 4 CPUs across NUMA nodes instead of packing them on one.

    To visualize the difference, here’s a conceptual graphic to illustrate the difference between the two policies:

    Packed Policy:

    NUMA Node 0: [CPU0, CPU1, CPU2, CPU3, CPU4, CPU5, CPU6, CPU7] ← All assigned here
NUMA Node 1: [CPU0 ]

    Distributed Policy:

    NUMA Node 0: [CPU0, CPU1, CPU2, CPU3]
NUMA Node 1: [CPU0, CPU1, CPU2, CPU3] ← Balanced across nodes

    This balance reduces memory contention and improves cache locality for distributed workloads.

    This enhancement gives Kubernetes administrators more control over CPU topology, enabling better performance tuning for complex workloads. It’s a great step forward in making Kubernetes more NUMA-aware and suitable for high-performance computing environments.b

  • 🚀 In-Place Pod Resize in Kubernetes: What You Need to Know

    DRAFT This is not a complete article. I haven’t yet fully tested and vetted the steps I built. I will come back and hopefully update.

    In Kubernetes v1.33, In-Place Pod Resize has entered Beta. This feature allows you to resize the CPU and memory resources of containers in a running Pod without needing to restart them. This feature is fairly nice for Power customers who scale their systems vertically. You would need to also restart the kubelet.

    One no longer has to change the resource requests or limits of a pod in Kubernetes and restart the Pod. This restart was disruptive for long-running workloads.

    With in-place pod resize, autoscaling workloads, improving stateful applications is a real win.

    1. Enable the InPlacePodVerticalScaling featuregate in a kind config called kind-cluster-config.yaml
    kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  InPlacePodVerticalScaling: true
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        extraArgs:
          v: "1"
    scheduler:
        extraArgs:
          v: "1"
    controllerManager:
        extraArgs:
          v: "1"
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        v: "1"
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        v: "1"
    1. Download kind
    mkdir -p dev-cache
GOBIN=$(PWD)/dev-cache/ go install sigs.k8s.io/kind@v0.29.0
    1. Start the kind cluster
    KIND_EXPERIMENTAL_PROVIDER=podman dev-cache/kind create cluster \
		--image quay.io/powercloud/kind-node:v1.33.1 \
		--name test \
		--config kind-cluster-config.yaml\
		--wait 5m
    1. Create a namespace
    apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: resize-test
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.24
  name: resize-test
    1. Create a Pod
    apiVersion: v1
kind: Pod
metadata:
  name: resize-test
spec:
  containers:
  - name: resize-test
    image: registry.access.redhat.com/ubi9/ubi
    resizePolicy:
    - resourceName: cpu
      restartPolicy: NotRequired
    - resourceName: memory
      restartPolicy: NotRequired
    resources:
      limits:
        memory: "200Mi"
        cpu: "1"
      requests:
        memory: "200Mi"
        cpu: "1"
    1. Edit kubectl edit pod/test -n resize-test
    2. Check kubectl describe pod/test -n resize-test
    3. Check oc rsh pod/test and run lscpu to see the size changed

    You’ve seen how this feature functions with Kubernetes and can resize your Pod without a restart.

    References

    1. Kubernetes v1.33: In-Place Pod Resize Graduated to Beta
    2. Resize CPU and Memory Resources assigned to Containers

  • Playing with Container Lifecycle Hooks and ContainerStopSignals

    DRAFT This is not a complete article. I haven’t yet fully tested and vetted the steps I built. I will come back and hopefully update.

    Kubernetes orchestrates Pods across multiple nodes. When a Pod lands on a node, the Kubelet admits the Pod and its containers, and manages the lifecycle of the containers. When the Pod is terminated, the kubelet sends a SIGTERM signal to the running processes. In Kubernetes Enhancement – Container Stop Signals #4960, custom Pod stopSignal is allowed: spec.containers[].lifecycle.stopSignal and you can use one of sixty-five additional stop signals to stop the Pod. While behind a feature gate, you can see supportedStopSignalsLinux.

    For example, a user may use SIGQUIT signal to stop a container in the Pod. To do so with kind,

    1. Enable the ContainerStopSignals featuregate in a kind config called kind-cluster-config.yaml
    kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  ContainerStopSignals: true
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        extraArgs:
          v: "1"
    scheduler:
        extraArgs:
          v: "1"
    controllerManager:
        extraArgs:
          v: "1"
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        v: "1"
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        v: "1"
    1. Download kind
    mkdir -p dev-cache
GOBIN=$(PWD)/dev-cache/ go install sigs.k8s.io/kind@v0.29.0
    1. Start the kind cluster
    KIND_EXPERIMENTAL_PROVIDER=podman dev-cache/kind create cluster \
		--image quay.io/powercloud/kind-node:v1.33.1 \
		--name test \
		--config kind-cluster-config.yaml\
		--wait 5m
    1. Create a namespace
    apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: lifecycle-test
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.24
  name: lifecycle-test
    1. Create a Pod
    apiVersion: v1
kind: Pod
metadata:
  name: test
  namespace: lifecycle-test
spec:
  containers:
  - name: test
    command: ["/bin/sh", "-c"]
    args:
      - function cleanup() { echo "CALLED SIGQUIT"; };
        trap cleanup SIGQUIT;
        sleep infinity
    image: registry.access.redhat.com/ubi9/ubi
    lifecycle:
      stopSignal: SIGQUIT
    1. Check kubectl describe pod/test -n lifecycle-test

    You’ve seen how this feature functions with Kubernetes and can take advantage of ContainerStopSignals in your environment.

    References

    1. Tracker: Kubernetes Enhancement – Container Stop Signals #4960 issue 30051
    2. KEP-4960: Container Stop Signals
    3. Kubernetes Documentation: Container Lifecycle Hooks
    4. An Introductory Guide to Managing the Kubernetes Pods Lifecycle
    5. Stop Signals

  • Great Job Team: Next-generation DataStage is now supported on IBM Power (ppc64le) with 5.2.0

    The IBM Team announced support for DataStage on IBM Power.

    IBM Cloud Pak for Data now supports the DataStage service on IBM Power servers. This means that you can run your data integration and extract, transform, and load (ETL) workloads directly on IBM Power, just like you already do on x86. With this update, it is easier than ever to use your existing Power infrastructure for modern data and AI projects.

    With the release of IBM DataStage 5.2.0, the DataStage service is now officially supported on IBM Power (ppc64le). This enables clients to run enterprise-grade ETL and data integration workloads on the Power platform, offering flexibility, performance, and consistency across architectures.

    See https://www.ibm.com/docs/en/software-hub/5.2.x?topic=requirements-ppc64le-hardware and https://community.ibm.com/community/user/blogs/yussuf-shaikh/2025/07/15/datastage-5-2-0-is-now-supported-on-ibm-power

  • Using procMount in your Kubernetes Pod

    Recently, I ran across Kubernetes Enhancement Proposal (KEP) 4265 where the authors update the Pod.spec.procMount capability to manage /proc visibility in a Pod’s security context. With this KEP moving to on-by default in v1.29.0, Unmasked disables masking and allows all paths in /proc (not just read-only).

    What this means is the Default procMount prevents containers from accessing sensitive kernel data or interacting with host-level processes. With this enhancement, you can run unprivileged containers inside a container (a container-in-a-container), build container images within a Pod, and use buildah in a Pod.

    The authors said it best in the KEP:

    The /proc filesystem is a virtual interface to kernel data structures. By default, Kubernetes instructs container runtimes to mask or restrict access to certain paths within /proc to prevent accidental or malicious exposure of host information. But this becomes problematic when users want to:

    Here is an example of creating a Pod:

    1. create the project
    oc new-project proc-mount-example
    1. Create the Pod
    cat << EOF | oc apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: nested-container-builder
  namespace: proc-mount-example
spec:
  securityContext:
    runAsUser: 0
  containers:
  - name: builder
    image: registry.access.redhat.com/ubi9/ubi
    securityContext:
      privileged: true
      procMount: Unmasked
    command: ["/bin/sh"]
    args: ["-c", "sleep 3600"]
EOF
    1. Switch to terminal and install podman
    oc rsh nested-container-builder
dnf install -y podman
    1. Change the Shell (so you know when the parent is in focus…)
    export PS1="parent-container# "
podman run --name abcd --rm -it registry.access.redhat.com/ubi9/ubi sh
    1. Run a privileged command again
    parent-container# podman run --name abcd --rm -it registry.access.redhat.com/ubi9/ubi sh
sh-5.1# dnf install -y podman
    1. Now Run another in the nested one, you’ll see a failure in the /dev/net/tun.
    sh-5.1# podman run --name abcd --rm -it registry.access.redhat.com/ubi9/ubi sh
Trying to pull registry.access.redhat.com/ubi9/ubi:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob ea2f7ff2baa2 done   | 
Copying config 4da9fa8b5a done   | 
Writing manifest to image destination
Storing signatures
ERRO[0018] Preparing container d402a22ebe452597a83b3795639f86e333c1dbb142703737d6d705c6a6f445c7: setting up Pasta: pasta failed with exit code 1:
                Failed to open() /dev/net/tun: No such file or directory
                                                                        Failed to set up tap device in namespace 
Error: mounting storage for container d402a22ebe452597a83b3795639f86e333c1dbb142703737d6d705c6a6f445c7: creating overlay mount to /var/lib/containers/storage/overlay/ab589890d52b88e51f1f945b55d07ac465de1cefd2411d8fab33b4d2769c4404/merged, mount_data="lowerdir=/var/lib/containers/storage/overlay/l/K6CXJGRTW32MPWEIMAH4IGCNZ5,upperdir=/var/lib/containers/storage/overlay/ab589890d52b88e51f1f945b55d07ac465de1cefd2411d8fab33b4d2769c4404/diff,workdir=/var/lib/containers/storage/overlay/ab589890d52b88e51f1f945b55d07ac465de1cefd2411d8fab33b4d2769c4404/work,nodev,volatile": using mount program /usr/bin/fuse-overlayfs: unknown argument ignored: lazytime
fuse: device not found, try 'modprobe fuse' first
fuse-overlayfs: cannot mount: No such file or directory
: exit status 1

    It has the default access:

    • Default: Maintains the current behavior—masking sensitive /proc paths. If procMount is not specified, it defaults to Default, ensuring backward compatibility and preserving security for most workloads.
    • Unmasked: Bypasses the default masking, giving the container full access to /proc.

    Allowing unmasked access to /proc is a privileged operation. A container with root access and an unmasked /proc could potentially interact with the host system in dangerous ways. This powerful feature should be carefully used.

    Good luck.

    References

  • Configuring KubeletConfig for podsPerCore and maxPods

    I found a useful KubeletConfig.

    In Kubernetes, the podsPerCore parameter, when used in node configuration, specifies the maximum number of pods that can run on a node based on the number of its CPU cores. The default value for podsPerCore is 0, which essentially disables this limit, meaning there’s no constraint imposed based on the number of cores.

    You can check your current settings using:

    $ oc debug node/worker-1
sh-4.4# chroot /host
sh-4.4# cat /etc/kubernetes/kubelet.conf | grep maxPods
  "maxPods": 250,
sh-4.4# cat /etc/kubernetes/kubelet.conf | grep podsPerCore
  "podsPerCore": 10,

    In you environment substitute worker-1 for a node name of a ndoe that belongs to your MachineConfigPool.

    You can change your configuration using:

    apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: set-max-pods-core 
spec:
  machineConfigPoolSelector:
    matchLabels:
      pools.operator.machineconfiguration.openshift.io/worker: "" 
  kubeletConfig:
    podsPerCore: 10 
    maxPods: 250

    Reference

    1. podsPerCore – https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/postinstallation_configuration/post-install-node-tasks
    2. defaults – https://access.redhat.com/solutions/6998814

  • odf: Disk type is not compatible with the selected backing storage

    Here is how I worked around Disk type is not compatible with the selected backing storage:

    1. Encoded the queue/rotational = 0
    cat << EOF | base64 -w0
ACTION=="add|change", SUBSYSTEM=="block", KERNEL=="dm-[1,3]",  ATTR{queue/rotational}="0"
EOF

    Encoded

    QUNUSU9OPT0iYWRkfGNoYW5nZSIsIFNVQlNZU1RFTT09ImJsb2NrIiwgS0VSTkVMPT0iZG0tWzEsM10iLCAgQVRUUntxdWV1ZS9yb3RhdGlvbmFsfT0iMCIK
    1. Create the MachineConfig – 99-worker-udev-non-rotational
    cat << EOF > ./99-worker-udev-configuration.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-worker-udev-non-rotational
spec:
  config:
    ignition:
      version: 3.2.0  
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,QUNUSU9OPT0iYWRkfGNoYW5nZSIsIFNVQlNZU1RFTT09ImJsb2NrIiwgS0VSTkVMPT0iZG0tWzEsM10iLCAgQVRUUntxdWV1ZS9yb3RhdGlvbmFsfT0iMCIK
          verification: {}
        filesystem: root
        mode: 420
        path: /etc/udev/rules.d/99-worker-udev-non-rotational.rules
EOF
oc apply -f 99-worker-udev-configuration.yaml

    Check the MachineConfigPool/worker, and then proceeded with the setup.

    Yamls

    Here are the YAMLs:

    apiVersion: local.storage.openshift.io/v1alpha1
kind: LocalVolumeDiscovery
metadata:
  name: auto-discover-devices
  namespace: openshift-local-storage
spec:
  nodeSelector:
    nodeSelectorTerms:
      - matchExpressions:
          - key: kubernetes.io/hostname
            operator: In
            values:
              - worker1.removed
              - worker2.removed
              - worker3.removed

    apiVersion: local.storage.openshift.io/v1alpha1
kind: LocalVolumeSet
metadata:
  name: lvs-san-x
  namespace: openshift-local-storage
spec:
  deviceInclusionSpec:
    deviceTypes:
      - disk
      - part
      - mpath
    minSize: 1Gi
  nodeSelector:
    nodeSelectorTerms:
      - matchExpressions:
          - key: kubernetes.io/hostname
            operator: In
            values:
              - worker1.removed
              - worker2.removed
              - worker3.removed
  storageClassName: lvs-san-x
  volumeMode: Block

    References

    1. Override device rotational flag in OCS/ODF environments https://access.redhat.com/articles/6547891

  • Introducing the Open Source Edge for IBM Power

    Learn more about what the IBM Power team is doing with OpenSource.

    The IBM Power team is excited to introduce Open Source Edge for IBM Power, an evolution of our previous tool, the Open Source Power Availability Tool (OSPAT) for finding open source packages for Power. While OSPAT provided a snapshot of available packages that are updated periodically, Open Source Edge takes things further by offering more details, more currency, real-time data access, and interactive features to help you explore the open source resources that are available on Power.


    Open Source Edge offers all Power developers and users a central location to keep on top of the latest packages and their versions available for Linux on Power. While designing solutions, it is often critical to compose a solution with a variety of components, and in the software world, those components and their versions change rapidly. Also, with an increasingly turbulent security environment, understanding not just which versions are available, but the composition of those individual components, the individual security profile of each component, and having transparency into the build process and environment becomes increasingly critical.

    Read more at https://open-source-edge.developerfirst.ibm.com/ and https://community.ibm.com/community/user/blogs/hiro-miyamoto/2025/06/26/introducing-the-open-source-edge-for-ibm-power