src-openEuler/intel-device-plugins-for-kubernetes
0002-isgx-add-support-isgx-for-sgx-device-plugin-operator.patch 10.21 KB
lifeng_isula 提交于 2021-05-25 17:25 +08:00 . init: init repo with v0.20.0
From 5e222e930e66be63da7c6adb724ebec571d16687 Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng2221dd1@zoho.com.cn>
Date: Mon, 10 May 2021 15:16:30 +0800
Subject: [PATCH] isgx: add support isgx for sgx device plugin operator
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
build sgx device plugin operator container image:
1. make intel-deviceplugin-operator
deployment:
// deploy device plugin operator
1. kubectl apply -k ./deployments/operator/default
// deploy sgx node feature discovery to label node
2. kubectl apply -k ./deployments/sgx_nfd
// deploy sgx device plugin with operator
3. kubectl apply -f ./deployments/operator/samples/deviceplugin_v1_sgxdeviceplugin.yaml
github.com/intel/intel-device-plugins-for-kubernetes ‹main*› » kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
cert-manager cert-manager-7dd5854bb4-6jdt9 1/1 Running 1 29h
cert-manager cert-manager-cainjector-64c949654c-5hqmc 1/1 Running 1 29h
cert-manager cert-manager-webhook-6bdffc7c9d-rcp9h 1/1 Running 1 29h
default helloworld-d75bf5f9f-8m2dj 1/1 Running 0 5h47m
default helloworld-d75bf5f9f-zq28g 1/1 Running 0 5h47m
inteldeviceplugins-system inteldeviceplugins-controller-manager-7ccfccb5d-58v29 2/2 Running 0 5h51m
inteldeviceplugins-system sgxdeviceplugin-sample-bzfb2-gdxsd 1/1 Running 0 4m58s
kube-system calico-kube-controllers-69496d8b75-btf2r 1/1 Running 5 16d
kube-system calico-node-6p57t 1/1 Running 5 16d
kube-system coredns-6d56c8448f-5lkrn 1/1 Running 5 16d
kube-system coredns-6d56c8448f-7gbxc 1/1 Running 5 16d
kube-system etcd-lifeng 1/1 Running 5 16d
kube-system kube-apiserver-lifeng 1/1 Running 6 16d
kube-system kube-controller-manager-lifeng 1/1 Running 5 16d
kube-system kube-proxy-nvhd9 1/1 Running 5 16d
kube-system kube-scheduler-lifeng 1/1 Running 5 16d
node-feature-discovery nfd-master-866c6ddff9-mtsgx 1/1 Running 0 70m
node-feature-discovery nfd-worker-d2wll 1/1 Running 0 7m56s
Signed-off-by: Li Feng <lifeng2221dd1@zoho.com.cn>
---
.../intel-deviceplugin-operator.Dockerfile | 2 +-
cmd/sgx_plugin/sgx_plugin.go | 1 -
deployments/sgx_nfd/nfd-worker.conf | 3 +-
pkg/controllers/sgx/controller.go | 161 ++++++++++++++----
4 files changed, 131 insertions(+), 36 deletions(-)
diff --git a/build/docker/intel-deviceplugin-operator.Dockerfile b/build/docker/intel-deviceplugin-operator.Dockerfile
index e4a8580..52d8e0e 100644
--- a/build/docker/intel-deviceplugin-operator.Dockerfile
+++ b/build/docker/intel-deviceplugin-operator.Dockerfile
@@ -27,7 +27,7 @@ RUN mkdir /install_root \
--no-boot-update \
&& rm -rf /install_root/var/lib/swupd/*
-RUN cd cmd/operator; GO111MODULE=${GO111MODULE} go install; cd -
+RUN cd cmd/operator; go env -w GOPROXY=https://goproxy.cn; GO111MODULE=${GO111MODULE} go install; cd -
RUN chmod a+x /go/bin/operator \
&& install -D /go/bin/operator /install_root/usr/local/bin/intel_deviceplugin_operator \
&& install -D ${DIR}/LICENSE /install_root/usr/local/share/package-licenses/intel-device-plugins-for-kubernetes/LICENSE \
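Review bot: The added `go env -w GOPROXY=https://goproxy.cn` on the `go install` line hard-codes a single third-party module proxy into the operator image build, with no `,direct` fallback, so every dependency of the operator binary is fetched through that one service. Integrity of those modules then depends on go.sum and the checksum database, neither of which is visible in this hunk, so the build should not also relax `GOSUMDB` or `GOFLAGS` elsewhere. Consider making the proxy an explicit per-build choice rather than a baked-in default, for example `ARG GOPROXY=https://proxy.golang.org,direct` followed by `RUN cd cmd/operator; GOPROXY=${GOPROXY} GO111MODULE=${GO111MODULE} go install; cd -`. That also avoids `go env -w`, which writes the setting into the Go environment file of the build stage instead of scoping it to this one command.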
diff --git a/cmd/sgx_plugin/sgx_plugin.go b/cmd/sgx_plugin/sgx_plugin.go
index 9c92153..c3aeb79 100644
--- a/cmd/sgx_plugin/sgx_plugin.go
+++ b/cmd/sgx_plugin/sgx_plugin.go
@@ -72,7 +72,6 @@ func (dp *devicePlugin) scan() (dpapi.DeviceTree, error) {
iSgxDevicePath := path.Join(dp.devfsDir, "isgx")
if _, err := os.Stat(iSgxDevicePath); err != nil {
-
// Assume that both /dev/sgx_enclave and /dev/sgx_provision must be present.
sgxEnclavePath := path.Join(dp.devfsDir, "sgx_enclave")
sgxProvisionPath := path.Join(dp.devfsDir, "sgx_provision")
diff --git a/deployments/sgx_nfd/nfd-worker.conf b/deployments/sgx_nfd/nfd-worker.conf
index 6dfc016..9f3366c 100644
--- a/deployments/sgx_nfd/nfd-worker.conf
+++ b/deployments/sgx_nfd/nfd-worker.conf
@@ -2,5 +2,4 @@ sources:
custom:
- name: "intel.sgx"
matchOn:
- - kConfig: ["X86_SGX"]
- cpuId: ["SGX", "SGXLC"]
+ - cpuId: ["SGX"]
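Review bot: With `kConfig: ["X86_SGX"]` and `SGXLC` dropped, the `intel.sgx` rule now matches on the CPUID SGX flag alone, which says nothing about whether any SGX driver is actually loaded on the node. If the plugin DaemonSet's node selector relies on the resulting label (the selector is not visible here), plugin pods can be placed on nodes that have neither `/dev/isgx` nor the in-kernel device nodes, and the `HostPathCharDev` volumes will keep them from starting. The file should at least carry a comment stating the intent, such as `# SGXLC and kConfig X86_SGX are not required so that nodes using the out-of-tree isgx driver are labelled; the label no longer implies the in-kernel driver`. This relaxed rule is probably better kept as a separate overlay than as a replacement for the stricter default.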
diff --git a/pkg/controllers/sgx/controller.go b/pkg/controllers/sgx/controller.go
index 6848e55..982fc89 100644
--- a/pkg/controllers/sgx/controller.go
+++ b/pkg/controllers/sgx/controller.go
@@ -17,6 +17,7 @@ package sgx
import (
"context"
+ "os"
"reflect"
"strconv"
"strings"
@@ -92,6 +93,130 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
yes := true
charDevice := v1.HostPathCharDev
directoryOrCreate := v1.HostPathDirectoryOrCreate
+
+ if _, err := os.Stat("/dev/isgx"); err != nil {
+ return &apps.DaemonSet{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: c.ns,
+ GenerateName: devicePlugin.Name + "-",
+ Labels: map[string]string{
+ "app": appLabel,
+ },
+ },
+ Spec: apps.DaemonSetSpec{
+ Selector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "app": appLabel,
+ },
+ },
+ Template: v1.PodTemplateSpec{
+ ObjectMeta: metav1.ObjectMeta{
+ Labels: map[string]string{
+ "app": appLabel,
+ },
+ },
+ Spec: v1.PodSpec{
+ InitContainers: []v1.Container{
+ {
+ Image: devicePlugin.Spec.InitImage,
+ ImagePullPolicy: "IfNotPresent",
+ Name: "intel-sgx-initcontainer",
+ SecurityContext: &v1.SecurityContext{
+ ReadOnlyRootFilesystem: &yes,
+ },
+ VolumeMounts: []v1.VolumeMount{
+ {
+ MountPath: "/etc/kubernetes/node-feature-discovery/source.d/",
+ Name: "nfd-source-hooks",
+ },
+ },
+ },
+ },
+ Containers: []v1.Container{
+ {
+ Name: appLabel,
+ Args: getPodArgs(devicePlugin),
+ Image: devicePlugin.Spec.Image,
+ ImagePullPolicy: "IfNotPresent",
+ SecurityContext: &v1.SecurityContext{
+ ReadOnlyRootFilesystem: &yes,
+ },
+ VolumeMounts: []v1.VolumeMount{
+ {
+ Name: "sgxdevices",
+ MountPath: "/dev/sgx",
+ ReadOnly: true,
+ },
+ {
+ Name: "sgx-enclave",
+ MountPath: "/dev/sgx_enclave",
+ ReadOnly: true,
+ },
+ {
+ Name: "sgx-provision",
+ MountPath: "/dev/sgx_provision",
+ ReadOnly: true,
+ },
+ {
+ Name: "kubeletsockets",
+ MountPath: "/var/lib/kubelet/device-plugins",
+ },
+ },
+ },
+ },
+ NodeSelector: nodeSelector,
+ Volumes: []v1.Volume{
+ {
+ Name: "sgxdevices",
+ VolumeSource: v1.VolumeSource{
+ HostPath: &v1.HostPathVolumeSource{
+ Path: "/dev/sgx",
+ Type: &directoryOrCreate,
+ },
+ },
+ },
+ {
+ Name: "sgx-enclave",
+ VolumeSource: v1.VolumeSource{
+ HostPath: &v1.HostPathVolumeSource{
+ Path: "/dev/sgx_enclave",
+ Type: &charDevice,
+ },
+ },
+ },
+ {
+ Name: "sgx-provision",
+ VolumeSource: v1.VolumeSource{
+ HostPath: &v1.HostPathVolumeSource{
+ Path: "/dev/sgx_provision",
+ Type: &charDevice,
+ },
+ },
+ },
+ {
+ Name: "kubeletsockets",
+ VolumeSource: v1.VolumeSource{
+ HostPath: &v1.HostPathVolumeSource{
+ Path: "/var/lib/kubelet/device-plugins",
+ },
+ },
+ },
+ {
+ Name: "nfd-source-hooks",
+ VolumeSource: v1.VolumeSource{
+ HostPath: &v1.HostPathVolumeSource{
+ Path: "/etc/kubernetes/node-feature-discovery/source.d/",
+ Type: &directoryOrCreate,
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+ }
+
return &apps.DaemonSet{
ObjectMeta: metav1.ObjectMeta{
Namespace: c.ns,
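Review bot: The new `os.Stat("/dev/isgx")` at the top of this hunk runs inside the operator's own process, so it inspects the controller pod's `/dev` rather than the devices on the nodes where the DaemonSet pods will run. One DaemonSet shape is then chosen for the whole cluster, and any error (not only "does not exist") selects the in-kernel layout. The isgx layout set up by the later hunks at -140 and -164 mounts `/dev/isgx` as `HostPathCharDev`, which will fail on nodes that lack the device. The choice should come from something that describes the target nodes (a field on the custom resource, an operator option, or a node label; none of these is visible here). The roughly 120-line duplicated DaemonSet literal can shrink to a helper that returns only the device mounts and volumes, as sketched below. `NewDaemonSet` begins before this hunk and continues after it.

```go
// sgxDeviceVolumes builds the device mounts and host volumes for one driver flavour,
// so NewDaemonSet keeps a single DaemonSet literal.
func sgxDeviceVolumes(legacy bool) (mounts []v1.VolumeMount, vols []v1.Volume) {
	charDevice := v1.HostPathCharDev
	directoryOrCreate := v1.HostPathDirectoryOrCreate
	add := func(name, devPath string, t *v1.HostPathType) {
		mounts = append(mounts, v1.VolumeMount{Name: name, MountPath: devPath, ReadOnly: true})
		vols = append(vols, v1.Volume{
			Name: name,
			VolumeSource: v1.VolumeSource{
				HostPath: &v1.HostPathVolumeSource{Path: devPath, Type: t},
			},
		})
	}
	if legacy {
		// Out-of-tree driver: a single /dev/isgx node.
		add("sgx-isgx", "/dev/isgx", &charDevice)
		return mounts, vols
	}
	add("sgxdevices", "/dev/sgx", &directoryOrCreate)
	add("sgx-enclave", "/dev/sgx_enclave", &charDevice)
	add("sgx-provision", "/dev/sgx_provision", &charDevice)
	return mounts, vols
}

// … unchanged: single DaemonSet literal in NewDaemonSet, with the kubeletsockets and
// nfd-source-hooks entries appended to the returned mounts and volumes …
```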
@@ -140,18 +265,8 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
},
VolumeMounts: []v1.VolumeMount{
{
- Name: "sgxdevices",
- MountPath: "/dev/sgx",
- ReadOnly: true,
- },
- {
- Name: "sgx-enclave",
- MountPath: "/dev/sgx_enclave",
- ReadOnly: true,
- },
- {
- Name: "sgx-provision",
- MountPath: "/dev/sgx_provision",
+ Name: "sgx-isgx",
+ MountPath: "/dev/isgx",
ReadOnly: true,
},
{
@@ -164,28 +279,10 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
NodeSelector: nodeSelector,
Volumes: []v1.Volume{
{
- Name: "sgxdevices",
- VolumeSource: v1.VolumeSource{
- HostPath: &v1.HostPathVolumeSource{
- Path: "/dev/sgx",
- Type: &directoryOrCreate,
- },
- },
- },
- {
- Name: "sgx-enclave",
- VolumeSource: v1.VolumeSource{
- HostPath: &v1.HostPathVolumeSource{
- Path: "/dev/sgx_enclave",
- Type: &charDevice,
- },
- },
- },
- {
- Name: "sgx-provision",
+ Name: "sgx-isgx",
VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{
- Path: "/dev/sgx_provision",
+ Path: "/dev/isgx",
Type: &charDevice,
},
},
--
2.25.1