Blog

  • OpenShift Container Platform and CGroups: Notes

    My notes from OCP/Cgroups debugging and usage.

    What is attaching the BPF program to my cgroup?

    When you create a Pod, the API Server reconciles the resource and the Kube Scheduler is triggered to assign it to a Node. On the Node, the Kubelet converts the Pod into an OCI specification, enriches the container with host-device specific resources, and dispatches it to cri-o. cri-o, using the default container runtime launcher (runc or crun) and the runc/crun configuration, launches and manages the container with systemd and attaches an eBPF program that controls device access.

    If you are seeing EPERM errors when accessing a device, you may not have the right access set at the Pod level; a Device Plugin may be the way to grant it.

    Options for adding Devices

    You have a couple of things to look at:

    1. volumeDevices
    2. io.kubernetes.cri-o.Devices
    3. cri-o config drop-in
    4. crun or runc with DeviceAllow https://github.com/containers/crun https://github.com/containers/crun/blob/017b5fddcb0a29938295d9a28fdc901164c77d74/contrib/seccomp-notify-plugin-rust/src/mknod.rs#L9
    5. A custom device plugin like https://github.com/IBM/power-device-plugin

    Note that this grants R/W access to the full device.
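    To see why a device read ends in EPERM, it helps to look at the rule list the eBPF program is built from: the `linux.resources.devices` array in the container's OCI config (on a node you can read it from the running container's spec, for example with `crictl inspect`). The following is an added example, not code from the post or from runc/crun. It emulates the rule list with the sequential allow/deny semantics of the cgroup v1 devices controller, which is my assumption of what the generated BPF program enforces; the sample rule list, the device numbers and the extra `/dev/fuse` entry are constructed for illustration.

```python
"""Added example (not from the original post): emulate the device-cgroup
allow list that runc/crun turn into the eBPF program on a cgroup v2 node.

Semantics modelled here (an assumption, not taken from the post): rules from
linux.resources.devices in the OCI config are applied in order, exactly like
writing to devices.allow / devices.deny under cgroup v1, so a later rule
overrides an earlier one for the devices it matches.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DeviceRule:
    allow: bool
    type: str               # "a" (all), "c" (char) or "b" (block)
    major: Optional[int]    # None means wildcard (null in the OCI JSON)
    minor: Optional[int]
    access: str             # any subset of "rwm"

    def matches(self, dev_type: str, major: int, minor: int) -> bool:
        if self.type != "a" and self.type != dev_type:
            return False
        if self.major is not None and self.major != major:
            return False
        if self.minor is not None and self.minor != minor:
            return False
        return True


def from_oci(spec_rules: list[dict]) -> list[DeviceRule]:
    """Convert the JSON objects under linux.resources.devices into rules."""
    return [
        DeviceRule(
            allow=bool(r["allow"]),
            type=r.get("type", "a"),
            major=r.get("major"),
            minor=r.get("minor"),
            access=r.get("access", "rwm"),
        )
        for r in spec_rules
    ]


def allowed_access(rules: list[DeviceRule], dev_type: str, major: int, minor: int) -> str:
    """Return the access letters ("", "m", "rwm", ...) the rules leave for one device."""
    granted: set[str] = set()
    for rule in rules:
        if not rule.matches(dev_type, major, minor):
            continue
        if rule.allow:
            granted |= set(rule.access)
        else:
            granted -= set(rule.access)
    return "".join(ch for ch in "rwm" if ch in granted)


def is_permitted(rules: list[DeviceRule], dev_type: str, major: int, minor: int, wanted: str) -> bool:
    """True when every requested access letter is granted; otherwise open() fails with EPERM."""
    return set(wanted) <= set(allowed_access(rules, dev_type, major, minor))


# Constructed sample: deny everything, allow the usual pseudo-devices, then one
# extra entry for /dev/fuse (c 10:229) such as a device plugin or the
# io.kubernetes.cri-o.Devices annotation would add.
SAMPLE_OCI_DEVICES = [
    {"allow": False, "access": "rwm"},
    {"allow": True, "type": "c", "major": 1, "minor": 3, "access": "rwm"},    # /dev/null
    {"allow": True, "type": "c", "major": 1, "minor": 5, "access": "rwm"},    # /dev/zero
    {"allow": True, "type": "c", "major": 1, "minor": 9, "access": "rwm"},    # /dev/urandom
    {"allow": True, "type": "c", "major": 5, "minor": 2, "access": "rwm"},    # /dev/ptmx
    {"allow": True, "type": "c", "major": 136, "access": "rwm"},              # /dev/pts/*
    {"allow": True, "type": "c", "major": 10, "minor": 229, "access": "rwm"}, # /dev/fuse
]

if __name__ == "__main__":
    rules = from_oci(SAMPLE_OCI_DEVICES)
    probes = {"/dev/null": ("c", 1, 3), "/dev/fuse": ("c", 10, 229), "/dev/sdf": ("b", 8, 80)}
    for name, (dev_type, major, minor) in probes.items():
        print(f"{name}: access={allowed_access(rules, dev_type, major, minor) or '-'}")
```

Running it shows `/dev/null` and `/dev/fuse` with `rwm` and `/dev/sdf` (b 8:80) with no access at all, which is the EPERM case: none of the options above has added a rule for that block device.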

    Requires selinux-relabeling to be disabled

    You may need to stop SELinux from relabeling the files when you run as randomized ids. The Cloud Pak documentation describes an excellent way to disable SELinux relabeling: https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=1-disabling-selinux-relabeling

    You can confirm the file details using:

    sh-5.1$ ls -alZ /mnt/example/myfile.log
    -rw-r--r--. 1 xuser wheel system_u:object_r:container_file_t:s0 1053201 Dec 11 19:45 /mnt/example/myfile.log

    Switching Container Runtime Launchers

    You can switch your Container Runtime from runc to crun using:

    cat << EOF | oc apply -f -
    apiVersion: machineconfiguration.openshift.io/v1
    kind: ContainerRuntimeConfig
    metadata:
     name: container-crun
    spec:
     machineConfigPoolSelector:
       matchLabels:
         pools.operator.machineconfiguration.openshift.io/worker: '' 
     containerRuntimeConfig:
       logLevel: debug 
       overlaySize: 1G 
       defaultRuntime: "crun"
    EOF
    

    container_use_devices

    Allows containers to use any device volume mounted into the container, see https://github.com/containers/container-selinux/blob/main/container.te#L39

    $ getsebool -a | grep container_use_devices
    container_use_devices --> off
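    The two checks above (the `ls -alZ` label under "Requires selinux-relabeling to be disabled" and the `container_use_devices` boolean) are what you want to confirm before chasing a device or volume denial. The following is an added example, not code from the post: it parses captured output of those two commands so it runs offline, and applies a deliberately simplified model in which a regular file is container-writable when its type is `container_file_t` and a device node additionally needs `container_use_devices` to be on (both assumptions about the standard container-selinux policy). The file line is the one from the post; the device line and the getsebool text are constructed.

```python
"""Added example (not from the original post): check the SELinux state that
decides whether a container process can touch a volume file or a device.
"""
import re
from dataclasses import dataclass

# Assumption: the standard container-selinux policy type that container
# processes may read and write.
CONTAINER_WRITABLE_TYPES = {"container_file_t"}


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    level: str


def parse_ls_z_line(line: str) -> tuple[str, SELinuxContext]:
    """Parse one `ls -alZ` line into (path, context).

    The context field (user:role:type:level) is the only field with three or
    more colons; the time field has one.  The path is the last field.
    """
    fields = line.split()
    ctx_field = next((f for f in fields if f.count(":") >= 3), None)
    if ctx_field is None:
        raise ValueError(f"no SELinux context in: {line!r}")
    user, role, typ, level = ctx_field.split(":", 3)
    return fields[-1], SELinuxContext(user, role, typ, level)


def parse_getsebool(output: str) -> dict[str, bool]:
    """Parse `getsebool` output lines such as `container_use_devices --> off`."""
    result: dict[str, bool] = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(\S+)\s+-->\s+(on|off)\s*$", line)
        if m:
            result[m.group(1)] = m.group(2) == "on"
    return result


def container_can_write(ctx: SELinuxContext, booleans: dict[str, bool], is_device: bool = False) -> bool:
    """Simplified policy model (assumption): container_file_t is writable;
    a device node is usable only when container_use_devices is on."""
    if ctx.type in CONTAINER_WRITABLE_TYPES:
        return True
    return is_device and booleans.get("container_use_devices", False)


# Sample input: the first line is from the post, the rest is constructed.
SAMPLE_FILE_LINE = (
    "-rw-r--r--. 1 xuser wheel system_u:object_r:container_file_t:s0 "
    "1053201 Dec 11 19:45 /mnt/example/myfile.log"
)
SAMPLE_DEVICE_LINE = (
    "brw-rw----. 1 root disk system_u:object_r:fixed_disk_device_t:s0 "
    "8, 80 Dec 11 19:45 /dev/sdf"
)
SAMPLE_GETSEBOOL = "container_use_devices --> off\n"

if __name__ == "__main__":
    bools = parse_getsebool(SAMPLE_GETSEBOOL)
    for sample, is_dev in ((SAMPLE_FILE_LINE, False), (SAMPLE_DEVICE_LINE, True)):
        path, ctx = parse_ls_z_line(sample)
        print(f"{path}: type={ctx.type} writable={container_can_write(ctx, bools, is_dev)}")
```

On a node, feed it `ls -alZ <path>` and `getsebool container_use_devices`; a volume file whose type is not `container_file_t` is the relabeling case the Cloud Pak document addresses, and a raw device is the `container_use_devices` case.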
    

    More details on creating a MachineConfig are at https://docs.openshift.com/container-platform/4.16/networking/multiple_networks/configuring-additional-network.html

    blktrace

    blktrace is a superb tool. You’ll just have to put the kernel in debug mode.

    blktrace -d /dev/sdf

    We also built a crio config script.

    https://www.redhat.com/en/blog/open-container-initiative-hooks-admission-control-podman

    https://www.redhat.com/en/blog/extending-the-runtime-functionality

  • Regenerating OCP Certificates

    If your OpenShift Container Platform nodes must support FIPS and you previously generated the certificates on a non-FIPS node, you must execute these steps from a FIPS-compliant environment, such as a RHEL server booted in FIPS mode.

    Then you can follow the Red Hat Customer Portal document Regenerating Openshift Cluster Certificates, which shows you:

    1. Regenerate the Leaf Certificates using oc adm ocp-certificates regenerate-leaf
    2. Regenerate the Top-Level Certificates using oc adm ocp-certificates regenerate-top-level

    There is also a really cool command to restart the Kubelet: oc adm restart-kubelet nodes --all --directive=RemoveKubeletKubeconfig

    This document is tried and true, and the best one to regenerate your certificates for your cluster.

    I’m blogging about this so I can find these key commands and the link when I need it again.

  • vim versus plain vi: One Compelling Reason

    My colleague, Michael Q, introduced me to a vim extension that left me saying… that’s awesome.

    set cuc enables Cursor Column, and when I use it with set number, it’s awesome to see correct indenting.

    The commands are:

    1. Shift + :
    2. set cuc and enter
    3. Shift + :
    4. set number and enter

    Use set nocuc to disable it.

    Good luck…

    Post Script

    • Install vim with dnf install -y vim

    Reference VimTrick: set cuc

  • Cool Plugin… kube-health

    kube-health has a new release v0.3.0. I’ve been following along on this tool for a while.

    Here’s why:

    1. It allows you to poll a single resource and see if it’s OK… in the aggregate. You can see the status of subresources at the same time.
    2. It’s super simple to watch the resource until it exits cleanly or fails…

    Kudos to iNecas for a wonderful tool.

    [Image from the GitHub site: demo.svg]

  • Custom nftable firewall rules in OpenShift

    Here is a good reference for using OpenShift:

    Custom nftable firewall rules in OpenShift: https://access.redhat.com/articles/7090422

    It’s a supported method for implementing custom nftables firewall rules in OpenShift clusters. It is intended for cluster administrators who are responsible for managing network security policies within their OpenShift environments.

  • k8s-etcd-decryptor

    I’m making a mental note that this tool from @simonkrenger k8s-etcd-decryptor is a life saver – I’ve used it once during development and need to get data out of etcd.

    The tool decrypts the AES-CBC-encrypted objects from etcd. Note that AES-CBC is one of two encryption types; the other, AES-GCM, is not covered by the tool.

    You can read more about encryption in OpenShift at Chapter 15. Encrypting etcd data
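    Before pointing the decryptor at a dump, it is worth knowing which provider each etcd value was written with, since only the AES-CBC ones are in scope for it. The following is an added example, not code from the post or from k8s-etcd-decryptor: it classifies raw etcd values by the provider prefix kube-apiserver writes (`k8s:enc:<provider>:v1:<key name>:` followed by the payload; unencrypted protobuf objects start with the bytes `k8s\x00`). The etcd keys, key name and payload bytes are constructed samples.

```python
"""Added example (not from the original post or from k8s-etcd-decryptor):
classify raw etcd values by kube-apiserver encryption provider.

Prefix layout written by kube-apiserver's encryption providers:
    k8s:enc:<provider>:v1:<key name>:<payload>
For aescbc the payload is a 16-byte IV followed by the AES-CBC ciphertext;
for aesgcm it is a 12-byte nonce followed by ciphertext and tag.  An
identity (unencrypted) value carries no prefix.
"""
import re
from dataclasses import dataclass
from typing import Optional

PREFIX_RE = re.compile(rb"^k8s:enc:(aescbc|aesgcm|secretbox|kms):v([12]):([^:]*):")


@dataclass(frozen=True)
class EtcdValueInfo:
    provider: str               # "identity", "aescbc", "aesgcm", "secretbox", "kms"
    key_name: Optional[str]     # name of the key in the EncryptionConfiguration
    payload: bytes              # bytes after the prefix (IV/nonce + ciphertext)
    aescbc_decryptable: bool    # True only for values the AES-CBC tool can handle


def classify(value: bytes) -> EtcdValueInfo:
    """Split one raw etcd value into provider, key name and payload."""
    m = PREFIX_RE.match(value)
    if m is None:
        return EtcdValueInfo("identity", None, value, False)
    provider = m.group(1).decode()
    key_name = m.group(3).decode()
    return EtcdValueInfo(provider, key_name, value[m.end():], provider == "aescbc")


def summarize(values: dict[bytes, bytes]) -> dict[str, int]:
    """Count values per provider, e.g. to see whether anything uses aesgcm."""
    counts: dict[str, int] = {}
    for raw in values.values():
        provider = classify(raw).provider
        counts[provider] = counts.get(provider, 0) + 1
    return counts


# Constructed sample dump: etcd key -> raw value (payload bytes are dummies).
SAMPLE_ETCD = {
    b"/kubernetes.io/secrets/default/my-secret":
        b"k8s:enc:aescbc:v1:1:" + bytes(16) + b"\x01\x02",
    b"/kubernetes.io/configmaps/default/my-config":
        b"k8s:enc:aesgcm:v1:1:" + bytes(12) + b"\x03",
    b"/kubernetes.io/pods/default/nginx":
        b"k8s\x00\n\x0b\n\x02v1\x12\x03Pod",
}

if __name__ == "__main__":
    for key, raw in SAMPLE_ETCD.items():
        info = classify(raw)
        print(f"{key.decode()}: provider={info.provider} key={info.key_name} "
              f"payload={len(info.payload)}B aescbc_tool={info.aescbc_decryptable}")
    print(summarize(SAMPLE_ETCD))
```

A dump that summarizes to anything other than `aescbc` and `identity` contains objects the tool will not decrypt, which is the AES-GCM caveat noted above.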

  • Source-to-Image (S2I) Builder Image Updated

    Red Hat has updated the Source-to-Image (S2I) Builder Image to v1.5.0. It now supports FIPS builds on IBM Power; see the release tag for more details.

    You can learn more about using it at Source-to-image docs.

    Per the docs you can follow the instructions:

    1. Log in to the OpenShift Container Platform web console using your login credentials. The default view for the OpenShift Container Platform web console is the Administrator perspective.
    2. Use the perspective switcher to switch to the Developer perspective.
    3. In the +Add view, use the Project drop-down list to select an existing project or create a new project.
    4. Click All services in the Developer Catalog tile.
    5. Click Builder Images under Type to see the available S2I images.

    Good luck with your builds

  • mirror registry for Red Hat OpenShift

    The mirror registry for Red Hat OpenShift is a small-scale container registry included with OpenShift Container Platform subscriptions. As of 4Q 2024, you can now use it with ppc64le.

  • IBM API Connect is now available on OpenShift on Power through Cloud Pak for Integration

    Impressive work done by my colleagues to make API Connect available on IBM Power:

    IBM API Connect is now available on IBM Power. Running IBM API Connect on Red Hat OpenShift, clients can leverage the scalable API platform for creating, socializing, managing, and monetizing APIs as they modernize on IBM Power. Read the announcement to learn more: https://ibm.biz/BdGxhp

    #IBM #IBMPower #cp4i #RedHat #OpenShift #API #APIConnect #APIManagement

  • Updates to the Open Source Container images for Power now available in IBM Container Registry

    The IBM Linux on Power team updated the open source container images list on their IBM Container Registry (ICR). You can find out more at https://community.ibm.com/community/user/powerdeveloper/blogs/priya-seth/2023/04/05/open-source-containers-for-power-in-icr

    • redis v7.4.1-bv podman pull icr.io/ppc64le-oss/redis-ppc64le:v7.4.1-bv Nov 21, 2024
    • mongodb 6.0.13-bv podman pull icr.io/ppc64le-oss/mongodb-ppc64le:6.0.13-bv Nov 21, 2024
    • rocketchat 6.11.1 MIT podman pull icr.io/ppc64le-oss/rocketchat-ppc64le:6.11.1 Nov 21, 202

    The milvus 2.4.11 container has been added to the list of OpenSource Containers:

    podman pull icr.io/ppc64le-oss/milvus-ppc64le:v2.4.11