《OpenShift 4.x Hands-on Lab》

文章目录

• 关闭节点的SELinux
• 启动节点的实时kernel

关闭节点的SELinux

虽不建议在生产环境关闭SELinux, 但是关闭SELinux 可以提示2% - 3%的性能。

1. 创建内容为下的05-worker-kernelarg-selinuxoff.yaml文件，其中定义了关闭selinux的MachinConfig。

$ cat << EOF > 05-worker-kernelarg-selinuxoff.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 05-worker-kernelarg-selinuxoff
spec:
  config:
    ignition:
      version: 3.2.0
  kernelArguments:
    - selinux=0
EOF

2. 执行命令创建MachineConfig对象

$ oc create -f 05-worker-kernelarg-selinuxoff.yaml

3. 执行命令，查看节点的更新状态。

oc get nodes
ip-10-0-136-161.ec2.internal   Ready                      worker   28m   v1.20.0
ip-10-0-136-243.ec2.internal   Ready                      master   34m   v1.20.0
ip-10-0-141-105.ec2.internal   Ready,SchedulingDisabled   worker   28m   v1.20.0
ip-10-0-142-249.ec2.internal   Ready                      master   34m   v1.20.0
ip-10-0-153-150.ec2.internal   Ready                      master   34m   v1.20.0

4. 在节点更新完，可进入节点查看selinux的状态已经为“selinux=0”。

$ oc debug node/ip-10-0-141-105.ec2.internal
Starting pod/ip-10-0-141-105ec2internal-debug ...
To use host binaries, run `chroot /host`

sh-4.2# cat /host/proc/cmdline
BOOT_IMAGE=/ostree/rhcos-... console=tty0 console=ttyS0,115200n8
rootflags=defaults,prjquota rw root=UUID=fd0... ostree=/ostree/boot.0/rhcos/16...
coreos.oem.id=qemu coreos.oem.id=ec2 ignition.platform.id=ec2 selinux=0

启动节点的实时kernel

1. 创建内容如下的99-worker-realtime.yaml文件。

$ cat << EOF > 99-worker-realtime.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: "worker"
  name: 99-worker-realtime
spec:
  kernelType: realtime
EOF

2. 执行命令创建MachineConfig对象

$ oc create -f 99-worker-realtime.yaml

3. 执行命令，查看节点的更新状态。

oc get nodes
ip-10-0-136-161.ec2.internal   Ready                      worker   28m   v1.20.0
ip-10-0-136-243.ec2.internal   Ready                      master   34m   v1.20.0
ip-10-0-141-105.ec2.internal   Ready,SchedulingDisabled   worker   28m   v1.20.0
ip-10-0-142-249.ec2.internal   Ready                      master   34m   v1.20.0
ip-10-0-153-150.ec2.internal   Ready                      master   34m   v1.20.0

4. 在节点更新完，可进入节点查看selinux的状态已经为“PREEMPT RT”。

$ oc debug node/ip-10-0-143-147.us-east-2.compute.internal
Starting pod/ip-10-0-143-147us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

sh-4.4# uname -a
Linux <worker_node> 4.18.0-147.3.1.rt24.96.el8_1.x86_64 #1 SMP PREEMPT RT
        Wed Nov 27 18:29:55 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux