Category: IBM Power Systems

  • Multi-Arch Tuning Operator 1.1.0 Released

    The Red Hat team has released a new version of the Multi-Arch Tuning Operator.

    In Multi-Arch Compute clusters, the Multi-Arch Tuning Operator influences the scheduling of Pods so that applications run on a supported architecture.

    You can learn more about it at https://catalog.redhat.com/software/containers/multiarch-tuning/multiarch-tuning-operator-bundle/661659e9c5bced223a7f7244

    Addendum

    My colleague, Punith, worked with the Red Hat team to add NodeAffinityScoring and plugin support to the Multi-Arch Tuning Operator and ClusterPodPlacementConfig. This feature allows users to define cluster-wide preferences for specific architectures, influencing how the Kubernetes scheduler places pods. It helps optimize workload distribution based on preferred node architecture.

    spec:
      plugins:
        nodeAffinityScoring:
          enabled: true
          platforms:
          - architecture: ppc64le
            weight: 100
          - architecture: amd64
            weight: 50
  • FIPS support in Go 1.24

    Kudos to the Red Hat team.

    The benefits of native FIPS support in Go 1.24

    The introduction of the FIPS Cryptographic Module in Go 1.24 marks a watershed moment for the language’s security capabilities. This new module provides FIPS 140-3-compliant implementations of cryptographic algorithms, seamlessly integrated into the standard library. What makes this particularly noteworthy is its transparent implementation. Existing Go applications can leverage FIPS-compliant cryptography without requiring code changes.

    Build-time configuration through the GOFIPS140 environment variable, allowing developers to select specific versions of the Go Cryptographic Module.

    GOFIPS140=latest go build

    Runtime control via the fips140 GODEBUG setting, enabling dynamic FIPS mode activation.

    GODEBUG=fips140=on

    Keep these in your toolbox along with GOARCH=ppc64le
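A startup check that makes the build-time and runtime switches above observable, as an added example (not code from the Red Hat article or from this blog). It relies on `crypto/fips140.Enabled()` from the Go 1.24 standard library; the helper names and the filter on build-setting keys are assumptions made for illustration.

```go
package main

import (
	"crypto/fips140"
	"errors"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// godebugValue returns one key's value from a "k1=v1,k2=v2" list; the last occurrence wins.
func godebugValue(list, key string) string {
	val := ""
	for _, kv := range strings.Split(list, ",") {
		if k, v, ok := strings.Cut(kv, "="); ok && k == key {
			val = v
		}
	}
	return val
}

// fipsEnabled is the authoritative answer, whichever switch (build or runtime) turned it on.
func fipsEnabled() bool { return fips140.Enabled() }

// buildHints lists recorded build settings that mention FIPS or GODEBUG defaults.
func buildHints() (out []string) {
	if bi, ok := debug.ReadBuildInfo(); ok {
		for _, s := range bi.Settings {
			if strings.Contains(s.Key, "FIPS") || strings.Contains(s.Key, "GODEBUG") {
				out = append(out, s.Key+"="+s.Value)
			}
		}
	}
	return out
}

// requireFIPS fails closed; call it first in main() of a workload that must be compliant.
func requireFIPS() error {
	if !fipsEnabled() {
		return errors.New("FIPS mode is off: build with GOFIPS140 or run with GODEBUG=fips140=on")
	}
	return nil
}

func main() {
	fmt.Println("requested via GODEBUG:", godebugValue(os.Getenv("GODEBUG"), "fips140"))
	fmt.Println("build settings:", buildHints())
	fmt.Println("FIPS mode active:", fipsEnabled(), "gate:", requireFIPS())
}
```

An empty GODEBUG request together with an active FIPS mode means the default was baked in at build time.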

  • Updates to Open Source Container images for Power on IBM Container Registry

    The IBM Linux on Power team pushed new images to their public open source container images in the IBM Container Registry (ICR). This should assure end users that IBM has authentically built these containers in a secure environment.

    The new container images are:

    | Image Name | Tag Name | Project Licenses | Image Pull Command | Last Published |
    | --- | --- | --- | --- | --- |
    | fluentd-kubernetes-daemonset | v1.14.3-debian-forward-1.0 | Apache-2.0 | podman pull icr.io/ppc64le-oss/fluentd-kubernetes-daemonset:v1.14.3-debian-forward-1.0 | March 17, 2025 |
    | cloudnative-pg/pgbouncer | 1.23.0 | Apache-2.0 | podman pull icr.io/ppc64le-oss/cloudnative-pg/pgbouncer:1.23.0 | March 17, 2025 |
  • Red Hat OpenShift Container Platform 4.18 Now Available on IBM Power

    Red Hat® OpenShift® 4.18 has been released and adds improvements and new capabilities to OpenShift Container Platform components. Based on Kubernetes 1.31 and CRI-O 1.31, Red Hat OpenShift 4.18 focused on core improvements with enhanced network flexibility.

    You can download 4.18.1 from the mirror at https://mirror.openshift.com/pub/openshift-v4/multi/clients/ocp/4.18.1/ppc64le/

  • Nest Accelerator and Urandom… I think

    The NX accelerator has random number generation capabilities.

    What happens if the random-number entropy pool runs out of numbers? If you are reading from the /dev/random device, your application will block waiting for new numbers to be generated. Alternatively, the urandom device is non-blocking, and will create random numbers on the fly, re-using some of the entropy in the pool. This can lead to numbers that are less random than required for some use cases.

    Well, the Power9 and Power10 servers use the nest accelerator to generate the pseudo-random numbers and maintain the pool.

    Each processor chip in a Power9 and Power10 server has an on-chip “nest” accelerator called the NX unit that provides specialized functions for general data compression, gzip compression, encryption, and random number generation. These accelerators are used transparently across the systems software stack to speed up operations related to Live Partition Migration, IPSec, JFS2 Encrypted File Systems, PKCS11 encryption, and random number generation through /dev/random and /dev/urandom.

    Kind of cool, I’ll have to find some more details to verify it and use it.

  • vim versus plain vi: One Compelling Reason

    My colleague, Michael Q, introduced me to a vim extension that left me saying… that’s awesome.

    set cuc which enables Cursor Column, and when I use it with set number, it’s awesome to see correct indenting

    The commands are:

    1. Shift + :
    2. set cuc and enter
    3. Shift + :
    4. set number and enter

    Use set nocuc to disable

    Good luck…

    Post Script

    • Install vim with dnf install -y vim

    Reference VimTrick: set cuc

  • Cool Plugin… kube-health

    kube-health has a new release v0.3.0. I’ve been following along on this tool for a while.

    Here’s why:

    1. It allows you to poll a single resource and see if it’s OK… in the aggregate. You can see the status of subresources at the same time.
    2. It’s super simple to watch the resource until it exits cleanly or fails…

    Kudos to iNecas for a wonderful tool.

    The following is an image from the GitHub site: demo.svg

  • Custom nftable firewall rules in OpenShift

    Here is a good reference for using OpenShift:

    Custom nftable firewall rules in OpenShift: https://access.redhat.com/articles/7090422

    It’s a supported method for implementing custom nftables firewall rules in OpenShift clusters. It is intended for cluster administrators who are responsible for managing network security policies within their OpenShift environments.

  • k8s-etcd-decryptor

    I’m making a mental note that this tool from @simonkrenger k8s-etcd-decryptor is a life saver – I’ve used it once during development and need to get data out of etcd.

    The tool decrypts AES-CBC-encrypted objects from etcd. Note that AES-CBC is one of two encryption types; the other, AES-GCM, is not covered by the tool.

    You can read more about encryption in OpenShift at Chapter 15. Encrypting etcd data
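What decrypting an AES-CBC-encrypted etcd object involves, as an added example (not code from k8s-etcd-decryptor or from this blog). It assumes the stored layout `k8s:enc:aescbc:v1:<key name>:` followed by a 16-byte IV and PKCS#7-padded ciphertext; the key, IV and Secret body are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const prefix = "k8s:enc:aescbc:v1:" // marker Kubernetes writes before aescbc values

// decryptAESCBC parses "<prefix><keyName>:<16-byte IV><ciphertext>" and strips PKCS#7 padding.
func decryptAESCBC(stored, key []byte) (string, []byte, error) {
	if !bytes.HasPrefix(stored, []byte(prefix)) {
		return "", nil, fmt.Errorf("not an aescbc value (aesgcm, KMS or unencrypted)")
	}
	name, data, ok := bytes.Cut(stored[len(prefix):], []byte(":"))
	if !ok {
		return "", nil, fmt.Errorf("missing key name")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return string(name), nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return string(name), nil, fmt.Errorf("truncated ciphertext")
	}
	plain := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(plain, data[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.HasSuffix(plain, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return string(name), nil, fmt.Errorf("bad padding: wrong key or corrupted value")
	}
	return string(name), plain[:len(plain)-pad], nil
}

// sampleValue builds a constructed etcd value so the example runs offline.
func sampleValue(name string, key, iv, plain []byte) []byte {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(padded, padded)
	return append(append([]byte(prefix+name+":"), iv...), padded...)
}

func main() {
	key, iv := bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte{0x01}, 16) // constructed
	name, plain, err := decryptAESCBC(sampleValue("key1", key, iv, []byte(`{"kind":"Secret"}`)), key)
	fmt.Println(name, string(plain), err)
}
```

A value that starts with a different provider prefix is rejected up front, which is the AES-GCM case the note above describes.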

  • Source-to-Image (S2I) Builder Image Updated

    Red Hat has updated the Source-to-Image (S2I) Builder Image to v1.5.0. It now supports FIPS builds on IBM Power; see the release tag for more details.

    You can learn more about using it at Source-to-image docs.

    Per the docs you can follow the instructions:

    1. Log in to the OpenShift Container Platform web console using your login credentials. The default view for the OpenShift Container Platform web console is the Administrator perspective.
    2. Use the perspective switcher to switch to the Developer perspective.
    3. In the +Add view, use the Project drop-down list to select an existing project or create a new project.
    4. Click All services in the Developer Catalog tile.
    5. Click Builder Images under Type to see the available S2I images.

    Good luck with your builds