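Disabling SELinux on nodes
Although disabling SELinux in a production environment is not recommended, doing so can improve performance by 2% - 3%.
- Create the file 05-worker-kernelarg-selinuxoff.yaml with the following content, which defines a MachineConfig that disables SELinux.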
$ cat << EOF > 05-worker-kernelarg-selinuxoff.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 05-worker-kernelarg-selinuxoff
spec:
  config:
    ignition:
      version: 3.2.0
  kernelArguments:
    - selinux=0
EOF
- Run the following command to create the MachineConfig object.
$ oc create -f 05-worker-kernelarg-selinuxoff.yaml
- Run the following command to check the update status of the nodes.
$ oc get nodes
ip-10-0-136-161.ec2.internal Ready worker 28m v1.20.0
ip-10-0-136-243.ec2.internal Ready master 34m v1.20.0
ip-10-0-141-105.ec2.internal Ready,SchedulingDisabled worker 28m v1.20.0
ip-10-0-142-249.ec2.internal Ready master 34m v1.20.0
ip-10-0-153-150.ec2.internal Ready master 34m v1.20.0
- Once the node has finished updating, you can enter the node and confirm that the kernel command line now contains "selinux=0".
$ oc debug node/ip-10-0-141-105.ec2.internal
Starting pod/ip-10-0-141-105ec2internal-debug ...
To use host binaries, run `chroot /host`
sh-4.2# cat /host/proc/cmdline
BOOT_IMAGE=/ostree/rhcos-... console=tty0 console=ttyS0,115200n8
rootflags=defaults,prjquota rw root=UUID=fd0... ostree=/ostree/boot.0/rhcos/16...
coreos.oem.id=qemu coreos.oem.id=ec2 ignition.platform.id=ec2 selinux=0
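Because this setting removes SELinux confinement from every worker in the pool, it is worth being able to spot it during an audit. The following is an added example, not part of the original article: it classifies a kernel command line such as the one printed above. The function names, node names and sample command lines are constructed for illustration.

```shell
# Classify the SELinux boot state implied by a kernel command line.
# Prints one of: disabled (selinux=0), permissive (enforcing=0),
# enforcing (enforcing=1), default (no override; /etc/selinux/config decides).
# Repeated parameters are applied in order, so the last occurrence wins.
selinux_boot_state() (
    set -f                      # no glob expansion while word-splitting $1
    sel= enf=
    for arg in $1; do
        case "$arg" in
            selinux=0)   sel=0 ;;
            selinux=*)   sel=1 ;;   # assumption: any other value means enabled
            enforcing=0) enf=0 ;;
            enforcing=*) enf=1 ;;
        esac
    done
    if   [ "$sel" = 0 ]; then echo disabled
    elif [ "$enf" = 0 ]; then echo permissive
    elif [ "$enf" = 1 ]; then echo enforcing
    else echo default
    fi
)

# Read "<node> <kernel command line>" lines on stdin and print
# "<node> <state>" for every node whose boot arguments weaken SELinux.
audit_cmdlines() {
    while read -r node cmdline; do
        state=$(selinux_boot_state "$cmdline")
        case "$state" in
            disabled|permissive) printf '%s %s\n' "$node" "$state" ;;
        esac
    done
}

# Constructed sample input: node names and command lines are illustrative.
SAMPLE='worker-a console=tty0 root=UUID=placeholder rw selinux=0
worker-b console=tty0 root=UUID=placeholder rw
worker-c console=tty0 enforcing=0 rw
worker-d console=tty0 selinux=0 selinux=1 rw'

printf '%s\n' "$SAMPLE" | audit_cmdlines
```

On a real cluster, the input lines can be built from the `/host/proc/cmdline` content collected on each node as shown above.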
Enabling the real-time kernel on nodes
- Create the file 99-worker-realtime.yaml with the following content.
$ cat << EOF > 99-worker-realtime.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: "worker"
  name: 99-worker-realtime
spec:
  kernelType: realtime
EOF
- Run the following command to create the MachineConfig object.
$ oc create -f 99-worker-realtime.yaml
- Run the following command to check the update status of the nodes.
$ oc get nodes
ip-10-0-136-161.ec2.internal Ready worker 28m v1.20.0
ip-10-0-136-243.ec2.internal Ready master 34m v1.20.0
ip-10-0-141-105.ec2.internal Ready,SchedulingDisabled worker 28m v1.20.0
ip-10-0-142-249.ec2.internal Ready master 34m v1.20.0
ip-10-0-153-150.ec2.internal Ready master 34m v1.20.0
- Once the node has finished updating, you can enter the node and confirm that the kernel now reports "PREEMPT RT".
$ oc debug node/ip-10-0-143-147.us-east-2.compute.internal
Starting pod/ip-10-0-143-147us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
sh-4.4# uname -a
Linux <worker_node> 4.18.0-147.3.1.rt24.96.el8_1.x86_64 #1 SMP PREEMPT RT
Wed Nov 27 18:29:55 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux