A guide to TAP devices in Red Hat OpenShift pods
The TAP device plugin makes it possible to create TAP devices in the containers of Red Hat OpenShift pods. A TAP device provides frame reception and transmission for user space programs. It can be thought of as a network interface that, instead of receiving frames from a physical network interface, receives them from a user space application, and, instead of sending frames over a physical network interface, writes them to the user space application. See https://www.kernel.org/doc/html/v5.8/networking/tuntap.html for further information.
Installing
The feature will be offered as a Developer Preview in OpenShift 4.13. No additional installation steps are needed.
Configuring a TAP device
This is an example of a TAP device CNI plugin configuration:
    {
      "type": "tap",
      "multiQueue": true,
      "selinuxcontext": "system_u:system_r:container_t:s0",
      "owner": 0,
      "group": 0,
      "ipam": {...}
    }

The attributes specific to this plugin are described below:
- type – The plugin type, "tap".
- multiQueue – Enables multiqueue.
- selinuxcontext – The SELinux context in which the TAP device is created, on systems that have the SELinux security module enabled.
- owner – The user that owns the TAP device. If not specified, the TAP device will not have an assigned owner. If a user ID is provided, that user is the owner, with 0 being the root user.
- group – The group that owns the TAP device. If not specified, the TAP device will not have an assigned group owner. If a group ID is provided, the device is owned by the group with that ID.
To configure the TAP plugin, an OpenShift NetworkAttachmentDefinition must be created:

    apiVersion: k8s.cni.cncf.io/v1
    kind: NetworkAttachmentDefinition
    metadata:
      name: tap
      namespace: mmirecki
    spec:
      config: '{
        "cniVersion": "0.4.0",
        "name": "tap",
        "plugins": [
          {
            "type": "tap",
            "owner": 0,
            "group": 0,
            "multiQueue": true,
            "selinuxcontext": "system_u:system_r:container_t:s0",
            "ipam": {...}
          }
        ]
      }'
The networks annotation of a pod must then reference the network created above:

    ---
    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        k8s.v1.cni.cncf.io/networks: '[
          {
            "name": "tap",
            "namespace": "mmirecki",
            "interface": "ext0",
            "mac": "50:00:00:00:00:10"
          }
        ]'
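A pre-deployment check for the JSON carried in the NetworkAttachmentDefinition's `spec.config`, added here as an example and not part of the original guide or of the plugin. The function names, finding codes and sample inputs are constructed, and the policy it applies (reporting root ownership, unset ownership and a missing `selinuxcontext` for review) is an assumption of this example, not a requirement of the plugin.

```python
import json

# Constructed sample inputs; "ipam": {} is a placeholder, not a real IPAM config.
SAMPLE_ROOT = """{ "cniVersion": "0.4.0", "name": "tap", "plugins": [
  { "type": "tap", "owner": 0, "group": 0, "multiQueue": true,
    "selinuxcontext": "system_u:system_r:container_t:s0", "ipam": {} } ] }"""
SAMPLE_BROKEN = '{ "type": "tap", "multiQueue": true "owner": 1000 }'  # missing comma


def tap_plugins(config):
    """Return the tap entries of a single-plugin config or a plugin list."""
    entries = config.get("plugins", [config])
    if not isinstance(entries, list):
        return []
    return [p for p in entries if isinstance(p, dict) and p.get("type") == "tap"]


def audit_tap_config(config_json):
    """Return (code, detail) findings for the tap plugins in a CNI config string."""
    try:
        config = json.loads(config_json)
    except json.JSONDecodeError as err:
        # A config that does not parse cannot be applied as intended.
        return [("invalid-json", f"line {err.lineno} col {err.colno}: {err.msg}")]
    if not isinstance(config, dict):
        return [("invalid-json", "top-level value is not an object")]
    plugins = tap_plugins(config)
    if not plugins:
        return [("no-tap-plugin", "no plugin of type 'tap' found")]
    findings = []
    for plugin in plugins:
        for key in ("owner", "group"):
            if key not in plugin:
                findings.append((f"{key}-unset", f"TAP device gets no assigned {key}"))
            elif isinstance(plugin[key], bool) or not isinstance(plugin[key], int):
                findings.append((f"{key}-type", f"{key} should be a numeric id"))
            elif plugin[key] == 0:
                findings.append((f"{key}-root", f"{key} id 0 is root"))
        if not plugin.get("selinuxcontext"):
            findings.append(("selinux-unset", "no selinuxcontext set for the device"))
    return findings


if __name__ == "__main__":
    for name, sample in (("root", SAMPLE_ROOT), ("broken", SAMPLE_BROKEN)):
        print(name, audit_tap_config(sample))
```

Run it against the `config` string before applying the NetworkAttachmentDefinition; an empty list means none of the example's checks fired.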
Example use case
One use case for TAP devices is creating them for use with DPDK applications.
Some DPDK applications send low-volume traffic, such as logs or messages, through the standard kernel networking. A DPDK application can use a TAP device for this slow-path communication between the DPDK workload and the kernel networking.
Status
The TAP device capability will be available as a Developer Preview in OpenShift 4.13.