|
1 |
| -# Intel QuickAssist Technology QAT Engine Docker README |
| 1 | +# Intel® QuickAssist Technology(QAT) OpenSSL\* Engine Container support |
2 | 2 |
|
3 |
| -This document covers the usage of the Intel® QuickAssist Technology Software in Linux* containers. |
4 |
| -It explains about the environment setup to run QAT Engine test on the docker container, docker build and docker run commands. |
| 3 | +Supports below Dockerfiles which can be built into docker images on the platforms |
| 4 | +with [Intel® QuickAssist 4xxx Series](https://www.intel.com/content/www/us/en/products/details/processors/xeon/scalable.html) |
| 5 | +QAT device. |
5 | 6 |
|
6 |
| -#### Platform Supported |
| 7 | +* [QAT crypto base](#qat-crypto-base) |
| 8 | +* [HAproxy with QAT crypto base](#haproxy-with-qat-crypto-base) |
7 | 9 |
|
8 |
| -It supports all the platform that is supported by QATLIB.(i.e.,SPR,EMR) |
| 10 | +## QAT crypto base |
| 11 | +This Dockerfile(qat_crypto_base/Dockerfile) with qatengine is built on top of latest OpenSSL, QAT_HW(qatlib intree driver) |
| 12 | +and QAT_SW with software versions mentioned in [software_requirements](../docs/software_requirements.md) section. |
| 13 | +This contains QAT_HW and QAT_SW co-existence build and works as defined in [co-existence section](../docs/qat_coex.md#qat_hw-and-qat_sw-co-existence) |
9 | 14 |
|
10 |
| -#### Pre-requisites |
| 15 | +## Haproxy with QAT crypto base |
| 16 | +This Dockerfile(haproxy/Dockerfile) is built with Haproxy release version v2.8.0 along |
| 17 | +with QAT crypto base mentioned above. Sample Haproxy configuration file is located at `haproxy/haproxy.cfg` |
| 18 | +which can be modified as per the required use case and to be mounted from the host to the container using |
| 19 | +`-v /usr/local/etc/haproxy/haproxy.cfg`. |
11 | 20 |
|
12 |
| -Refer https://intel.github.io/quickassist/AppNotes/Containers/setup.html#updating-the-bios-settings |
| 21 | +## Docker setup and testing |
13 | 22 |
|
14 |
| -Note: The host shouldn't have qatlib installed and don't run qat service. |
| 23 | +Refer [here](https://intel.github.io/quickassist/AppNotes/Containers/setup.html) |
| 24 | +for setting up the host for QAT_HW (qatlib intree) if the platform has QAT 4xxx Hardware |
| 25 | +device. Stop QAT service if any running on the host. |
15 | 26 |
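Review bot: The replacement text under "Docker setup and testing" keeps the instruction to stop the QAT service but drops the other half of the removed note, that the host shouldn't have qatlib installed. If that restriction still applies, restate it here; if it no longer applies, the commit message should say so. The old link also pointed directly at the BIOS settings section of the setup page, while the new one points at the page as a whole, so a short mention that BIOS settings are part of the host setup would keep that step visible.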
|
16 |
| -# Steps to be followed in order to set the desired services in the devices |
| 27 | +### QAT_HW settings |
| 28 | +Follow the below steps to enable required service. The service can be asym only, sym only or both |
| 29 | +in step 2 depending on the particular use case. Configure the required service only to get best performance. |
17 | 30 |
|
| 31 | +1. Bring down the QAT devices |
18 | 32 | ```
|
19 |
| -## Bring down the QAT devices |
20 | 33 | for i in `lspci -D -d :4940| awk '{print $1}'`; do echo down > /sys/bus/pci/devices/$i/qat/state;done
|
| 34 | +``` |
21 | 35 |
|
22 |
| -## Set up the services to crypto alone |
| 36 | +2. Set up the required crypto service(s) |
| 37 | +``` |
23 | 38 | for i in `lspci -D -d :4940| awk '{print $1}'`; do echo “sym;asym “ > /sys/bus/pci/devices/$i/qat/cfg_services;done
|
| 39 | +``` |
24 | 40 |
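Review bot: The step 2 command, which this patch leaves unchanged but wraps in its own fenced block, still writes the service list as `echo “sym;asym “` with typographic quotes and a trailing space. A shell does not treat those characters as quotes, so the unquoted `;` ends the echo command and cfg_services never receives the intended value when the line is copied from the README. Since the block is being touched anyway, change it to ASCII quotes with no trailing space, `echo "sym;asym"`, and show the `sym` only and `asym` only values that the new introduction mentions.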
|
25 |
| -## Bring up the QAT devices |
| 41 | +3. Bring up the QAT devices |
| 42 | +``` |
26 | 43 | for i in `lspci -D -d :4940| awk '{print $1}'`; do echo up> /sys/bus/pci/devices/$i/qat/state;done
|
| 44 | +``` |
27 | 45 |
|
28 |
| -## Check the status of the QAT devices |
| 46 | +4. Check the status of the QAT devices |
| 47 | +``` |
29 | 48 | for i in `lspci -D -d :4940| awk '{print $1}'`; do cat /sys/bus/pci/devices/$i/qat/state;done
|
| 49 | +``` |
30 | 50 |
|
31 |
| -## Enable VF for the PF in the host |
| 51 | +5. Enable VF for the PF in the host |
| 52 | +``` |
32 | 53 | for i in `lspci -D -d :4940| awk '{print $1}'`; do echo 16|sudo tee /sys/bus/pci/devices/$i/sriov_numvfs; done
|
| 54 | +``` |
33 | 55 |
|
34 |
| -## Add QAT group and Permission to the VF devices in the host |
| 56 | +6. Add QAT group and Permission to the VF devices in the host |
| 57 | +``` |
35 | 58 | chown root.qat /dev/vfio/*
|
36 | 59 | chmod 660 /dev/vfio/*
|
37 | 60 | ```
|
38 | 61 |
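Review bot: In step 6, `chown root.qat /dev/vfio/*` and `chmod 660 /dev/vfio/*` match every node under /dev/vfio, not only the VFIO groups created for the QAT VFs in step 5. On a host that has other devices bound to VFIO, this gives the qat group read/write access to them as well. Consider documenting how to limit the change to the QAT VF groups, or state plainly that the host is assumed to be dedicated to QAT. Two smaller points: `root:qat` is the documented owner:group separator for chown, and these two commands have no `sudo` while step 5 uses `sudo tee`, so say once that the steps are run as root.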
|
39 |
| -#### Two separate Dockerfile file structure: |
40 |
| - |
41 |
| -1. QAT Crypto base dockerfile |
42 |
| - - docker/qat_crypto_base/Dockerfile |
43 |
| -2. HAproxy + Crypto base dockerfile |
44 |
| - - docker/haproxy/Dockerfile |
45 |
| - |
46 |
| -#### Docker Command |
| 62 | +### Image creation |
47 | 63 |
|
48 |
| -# Command to build docker image |
| 64 | +Docker images can be build using the below command with appropiate image name. |
49 | 65 |
|
50 | 66 | ```
|
51 | 67 | docker build --build-arg GID=$(getent group qat | cut -d ':' -f 3) -t <docker_image_name> <path-to-dockerfile> --no-cache
|
52 | 68 | ```
|
53 | 69 | Note: GID is the group id of qat group in the host.
|
54 | 70 |
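Review bot: Two typos in the added sentence under "Image creation": "can be build" should be "can be built" and "appropiate" should be "appropriate".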
|
55 |
| -# Command for Container creation and execution |
56 |
| - |
57 |
| -### Test using OpenSSL\* speed utility |
| 71 | +### Testing QAT Crypto base using OpenSSL\* speed utility |
58 | 72 |
|
59 | 73 | ```
|
60 | 74 | docker run -it --cap-add=IPC_LOCK --security-opt seccomp=unconfined --security-opt apparmor=unconfined $(for i in `ls /dev/vfio/*`; do echo --device $i; done) --cpuset-cpus <2-n+1> --env QAT_POLICY=1 --ulimit memlock=524288000:524288000 < docker_image_name> openssl speed -engine qatengine -elapsed -async_jobs 72 -multi <n> <algo>
|
61 | 75 | ```
|
62 |
| -### Test using HAproxy\* haproxy utility |
63 | 76 |
|
64 |
| -``` |
65 |
| -Server command: docker run --rm -it --cpuset-cpus <2-n+1> --cap-add=IPC_LOCK --security-opt seccomp=unconfined --security-opt apparmor=unconfined $(for i in `ls /dev/vfio/*`; do echo --device $i; done) --env QAT_POLICY=1 --ulimit memlock=524288000:524288000 -v /usr/local/etc/haproxy/:/usr/local/etc/haproxy/ -d -p 8080:8080 < docker_image_name> haproxy -f /usr/local/etc/haproxy/haproxy.cfg |
| 77 | +### Testing Haproxy |
66 | 78 |
|
67 |
| -Client command: openssl s_time -connect optical1:8080 -cipher AES128-SHA256 -www /20b-file.html -time 5 |
68 | 79 | ```
|
| 80 | +Server command: docker run --rm -it --cpuset-cpus <2-n+1> --cap-add=IPC_LOCK --security-opt seccomp=unconfined --security-opt apparmor=unconfined $(for i in `ls /dev/vfio/*`; do echo --device $i; done) --env QAT_POLICY=1 --ulimit memlock=524288000:524288000 -v /usr/local/etc/haproxy/:/usr/local/etc/haproxy/ -d -p 8080:8080 < docker_image_name> haproxy -f /usr/local/etc/haproxy/haproxy.cfg |
69 | 81 |
|
70 |
| -Note: n is number of process or thread |
71 |
| - |
72 |
| -# The below link explains in detail about the parameters passed in the docker run command |
73 |
| - |
74 |
| - https://intel.github.io/quickassist/AppNotes/Containers/run.html |
75 |
| - |
76 |
| -Note: 8080 port to be used for starting the haproxy service.HAproxy config file mounted from the host to the container using -v /usr/local/etc/haproxy/haproxy.cfg. |
| 82 | +Client command: openssl s_time -connect <server_ip>:8080 -cipher AES128-SHA256 -www /20b-file.html -time 5 |
| 83 | +``` |
77 | 84 |
|
| 85 | +Note: n is number of process or thread. 8080 port to be used for starting the haproxy service. HAproxy config file mounted from the host to the container using -v /usr/local/etc/haproxy/haproxy.cfg. |
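Review bot: The rewritten note on the last added line drops the link to https://intel.github.io/quickassist/AppNotes/Containers/run.html that explained the docker run parameters, so `--security-opt seccomp=unconfined`, `--security-opt apparmor=unconfined` and `--cap-add=IPC_LOCK` now appear in both run commands with no justification. Keep the link, or add a sentence on why each option is required, so that readers can judge whether the relaxed confinement is acceptable in their deployment. The note, like the new "Haproxy with QAT crypto base" section, also gives the mount as `-v /usr/local/etc/haproxy/haproxy.cfg`, while the server command mounts the whole directory with `-v /usr/local/etc/haproxy/:/usr/local/etc/haproxy/`; make the text and the command agree.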