404
Not Found
Examples And Demos
Table of Contents
This page contains usage examples and demos.
Demos
Usage demo
Demo Use Case
A demo on the benefits of using node feature discovery can be found in the source code repository under demo/.
Not Found
Not Found
git clone https://github.com/kubernetes-sigs/node-feature-discovery
+ Developer Guide · Node Feature Discovery
Developer Guide
Table of contents
Building from Source
Download the source code
git clone https://github.com/kubernetes-sigs/node-feature-discovery
cd node-feature-discovery
Docker Build
Build the container image
See customizing the build below for altering the container image registry, for example.
make
Push the container image
Optional, this example with Docker.
docker push <IMAGE_TAG>
@@ -110,4 +110,4 @@ nfd-worker.
sleep). [Default: 60s]
NOTE Some feature sources need certain directories and/or files from the host mounted inside the NFD container. Thus, you need to provide Docker with the correct --volume options in order for them to work correctly when run stand-alone directly with docker run. See the template spec for up-to-date information about the required volume mounts.
Documentation
All documentation resides under the docs directory in the source tree. It is designed to be served as a html site by GitHub Pages.
Building the documentation is containerized in order to fix the build environment. The recommended way for developing documentation is to run:
make site-serve
This will build the documentation in a container and serve it under localhost:4000/ making it easy to verify the results. Any changes made to the docs/ will automatically re-trigger a rebuild and are reflected in the served content and can be inspected with a simple browser refresh.
In order to just build the html documentation run:
make site-build
-
This will generate html documentation under docs/_site/.
Node Feature Discovery master
\ No newline at end of file
+This will generate html documentation under docs/_site/.
Advanced topics and reference.
Advanced topics and reference.
To quickly view available command line flags execute nfd-master --help. In a docker container:
docker run gcr.io/k8s-staging-nfd/node-feature-discovery:master nfd-master --help
+ Master Cmdline Reference · Node Feature Discovery
NFD-Master Commandline Flags
Table of Contents
- -h, –help
- –version
- –prune
- –port
- –ca-file
- –cert-file
- –key-file
- –verify-node-name
- –no-publish
- –label-whitelist
- –extra-label-ns
- –resource-labels
To quickly view available command line flags execute nfd-master --help. In a docker container:
docker run gcr.io/k8s-staging-nfd/node-feature-discovery:master nfd-master --help
-h, –help
Print usage and exit.
–version
Print version and exit.
–prune
The --prune flag is a sub-command like option for cleaning up the cluster. It causes nfd-master to remove all NFD related labels, annotations and extended resources from all Node objects of the cluster and exit.
–port
The --port flag specifies the TCP port that nfd-master listens for incoming requests.
Default: 8080
Example:
nfd-master --port=443
–ca-file
The --ca-file is one of the three flags (together with --cert-file and --key-file) controlling master-worker mutual TLS authentication on the nfd-master side. This flag specifies the TLS root certificate that is used for authenticating incoming connections. NFD-Worker side needs to have matching key and cert files configured in order for the incoming requests to be accepted.
Default: empty
Note: Must be specified together with --cert-file and --key-file
Example:
nfd-master --ca-file=/opt/nfd/ca.crt --cert-file=/opt/nfd/master.crt --key-file=/opt/nfd/master.key
–cert-file
The --cert-file is one of the three flags (together with --ca-file and --key-file) controlling master-worker mutual TLS authentication on the nfd-master side. This flag specifies the TLS certificate presented for authenticating outgoing traffic towards nfd-worker.
Default: empty
Note: Must be specified together with --ca-file and --key-file
Example:
nfd-master --cert-file=/opt/nfd/master.crt --key-file=/opt/nfd/master.key --ca-file=/opt/nfd/ca.crt
@@ -9,4 +9,4 @@
–label-whitelist
The --label-whitelist specifies a regular expression for filtering feature labels based on their name. Each label must match against the given reqular expression in order to be published.
Note: The regular expression is only matches against the "basename" part of the label, i.e. to the part of the name after ‘/'. The label namespace is omitted.
Default: empty
Example:
nfd-master --label-whitelist='.*cpuid\.'
–extra-label-ns
The --extra-label-ns flag specifies a comma-separated list of allowed feature label namespaces. By default, nfd-master only allows creating labels in the default feature.node.kubernetes.io label namespace. This option can be used to allow vendor-specific namespaces for custom labels from the local and custom feature sources.
The same namespace control and this flag applies Extended Resources (created with --resource-labels), too.
Default: empty
Example:
nfd-master --extra-label-ns=vendor-1.com,vendor-2.io
–resource-labels
The --resource-labels flag specifies a comma-separated list of features to be advertised as extended resources instead of labels. Features that have integer values can be published as Extended Resources by listing them in this flag.
Default: empty
Example:
nfd-master --resource-labels=vendor-1.com/feature-1,vendor-2.io/feature-2
-
Node Feature Discovery master
\ No newline at end of file
+To quickly view available command line flags execute nfd-worker --help. In a docker container:
docker run gcr.io/k8s-staging-nfd/node-feature-discovery:master nfd-worker --help
+ Worker Cmdline Reference · Node Feature Discovery
NFD-Worker Commandline Flags
Table of Contents
- -h, –help
- –version
- –config
- –options
- –server
- –ca-file
- –cert-file
- –key-file
- –server-name-override
- –sources
- –no-publish
- –label-whitelist
- –oneshot
- –sleep-interval
To quickly view available command line flags execute nfd-worker --help. In a docker container:
docker run gcr.io/k8s-staging-nfd/node-feature-discovery:master nfd-worker --help
-h, –help
Print usage and exit.
–version
Print version and exit.
–config
The --config flag specifies the path of the nfd-worker configuration file to use.
Default: /etc/kubernetes/node-feature-discovery/nfd-worker.conf
Example:
nfd-worker --config=/opt/nfd/worker.conf
–options
The --options flag may be used to specify and override configuration file options directly from the command line. The required format is the same as in the config file i.e. JSON or YAML. Configuration options specified via this flag will override those from the configuration file:
Default: empty
Example:
nfd-worker --options='{"sources":{"cpu":{"cpuid":{"attributeWhitelist":["AVX","AVX2"]}}}}'
–server
The --server flag specifies the address of the nfd-master endpoint where to connect to.
Default: localhost:8080
Example:
nfd-worker --server=nfd-master.nfd.svc.cluster.local:443
@@ -11,4 +11,4 @@
–label-whitelist
The --label-whitelist specifies a regular expression for filtering feature labels based on their name. Each label must match against the given reqular expression in order to be published.
Note: The regular expression is only matches against the "basename" part of the label, i.e. to the part of the name after ‘/'. The label namespace is omitted.
Default: empty
Example:
nfd-worker --label-whitelist='.*cpuid\.'
–oneshot
The --oneshot flag causes nfd-worker to exit after one pass of feature detection.
Default: false
Example:
nfd-worker --oneshot --no-publish
–sleep-interval
The --sleep-interval specifies the interval between feature re-detection (and node re-labeling). A non-positive value implies infinite sleep interval, i.e. no re-detection or re-labeling is done.
Default: 60s
Example:
nfd-worker --sleep-interval=1h
-
Node Feature Discovery master
\ No newline at end of file
+You can reach us via the following channels:
This is a SIG-node subproject, hosted under the Kubernetes SIGs organization in Github. The project was established in 2016 and was migrated to Kubernetes SIGs in 2018.
This is open source software released under the Apache 2.0 License.
You can reach us via the following channels:
This is a SIG-node subproject, hosted under the Kubernetes SIGs organization in Github. The project was established in 2016 and was migrated to Kubernetes SIGs in 2018.
This is open source software released under the Apache 2.0 License.
Deployment using the Node Feature Discovery Operator is recommended to be done via operatorhub.io.
kubectl create -f https://operatorhub.io/install/nfd-operator.yaml
+ Deployment and Usage · Node Feature Discovery
Deployment and Usage
Table of Contents
Requirements
- Linux (x86_64/Arm64/Arm)
- kubectl (properly set up and configured to work with your Kubernetes cluster)
Deployment options
Operator
Deployment using the Node Feature Discovery Operator is recommended to be done via operatorhub.io.
- You need to have OLM installed. If you don't, take a look at the latest release for detailed instructions.
- Install the operator:
kubectl create -f https://operatorhub.io/install/nfd-operator.yaml
- Create NodeFeatureDiscovery resource (in
nfd namespace here): cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
@@ -57,4 +57,4 @@ kubectl delete clusterrolebinding nfd-master
Removing Feature Labels
NFD-Master has a special --prune command line flag for removing all nfd-related node labels, annotations and extended resources from the cluster.
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-prune.yaml.template
kubectl -n node-feature-discovery wait job.batch/nfd-prune --for=condition=complete && \
kubectl -n node-feature-discovery delete job/nfd-prune
-
NOTE: You must run prune before removing the RBAC rules (serviceaccount, clusterrole and clusterrolebinding).
Node Feature Discovery master
\ No newline at end of file
+NOTE: You must run prune before removing the RBAC rules (serviceaccount, clusterrole and clusterrolebinding).
This page contains usage examples and demos.
A demo on the benefits of using node feature discovery can be found in the source code repository under demo/.
This page contains usage examples and demos.
A demo on the benefits of using node feature discovery can be found in the source code repository under demo/.
Feature discovery in nfd-worker is performed by a set of separate modules called feature sources. Most of them are specifically responsible for certain domain of features (e.g. cpu). In addition there are two highly customizable feature sources that work accross the system.
Each discovered feature is advertised a label in the Kubernetes Node object. The published node labels encode a few pieces of information:
feature.node.kubernetes.io)cpu).cpuid.AESNI from cpu).Feature label names adhere to the following pattern:
<namespace>/<source name>-<feature name>[.<attribute name>]
-The last component (i.e. attribute-name) is optional, and only used if a feature logically has sub-hierarchy, e.g. sriov.capable and sriov.configure from the network source.
The --sources flag controls which sources to use for discovery.
Note: Consecutive runs of nfd-worker will update the labels on a given node. If features are not discovered on a consecutive run, the corresponding label will be removed. This includes any restrictions placed on the consecutive run, such as restricting discovered features with the –label-whitelist option.
The cpu feature source supports the following labels:
| Feature name | Attribute | Description |
|---|---|---|
| cpuid | <cpuid flag> | CPU capability is supported |
| hardware_multithreading | Hardware multithreading, such as Intel HTT, enabled (number of logical CPUs is greater than physical CPUs) | |
| power | sst_bf.enabled | Intel SST-BF (Intel Speed Select Technology - Base frequency) enabled |
| pstate | turbo | Set to ‘true' if turbo frequencies are enabled in Intel pstate driver, set to ‘false' if they have been disabled. |
| rdt | RDTMON | Intel RDT Monitoring Technology |
| RDTCMT | Intel Cache Monitoring (CMT) | |
| RDTMBM | Intel Memory Bandwidth Monitoring (MBM) | |
| RDTL3CA | Intel L3 Cache Allocation Technology | |
| RDTL2CA | Intel L2 Cache Allocation Technology | |
| RDTMBA | Intel Memory Bandwidth Allocation (MBA) Technology |
The (sub-)set of CPUID attributes to publish is configurable via the attributeBlacklist and attributeWhitelist cpuid options of the cpu source. If whitelist is specified, only whitelisted attributes will be published. With blacklist, only blacklisted attributes are filtered out. attributeWhitelist has priority over attributeBlacklist. For examples and more information about configurability, see configuration. By default, the following CPUID flags have been blacklisted: BMI1, BMI2, CLMUL, CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT, NX, POPCNT, RDRAND, RDSEED, RDTSCP, SGX, SSE, SSE2, SSE3, SSE4.1, SSE4.2 and SSSE3.
NOTE The cpuid features advertise supported CPU capabilities, that is, a capability might be supported but not enabled.
| Attribute | Description |
|---|---|
| ADX | Multi-Precision Add-Carry Instruction Extensions (ADX) |
| AESNI | Advanced Encryption Standard (AES) New Instructions (AES-NI) |
| AVX | Advanced Vector Extensions (AVX) |
| AVX2 | Advanced Vector Extensions 2 (AVX2) |
| Attribute | Description |
|---|---|
| IDIVA | Integer divide instructions available in ARM mode |
| IDIVT | Integer divide instructions available in Thumb mode |
| THUMB | Thumb instructions |
| FASTMUL | Fast multiplication |
| VFP | Vector floating point instruction extension (VFP) |
| VFPv3 | Vector floating point extension v3 |
| VFPv4 | Vector floating point extension v4 |
| VFPD32 | VFP with 32 D-registers |
| HALF | Half-word loads and stores |
| EDSP | DSP extensions |
| NEON | NEON SIMD instructions |
| LPAE | Large Physical Address Extensions |
| Attribute | Description |
|---|---|
| AES | Announcing the Advanced Encryption Standard |
| EVSTRM | Event Stream Frequency Features |
| FPHP | Half Precision(16bit) Floating Point Data Processing Instructions |
| ASIMDHP | Half Precision(16bit) Asimd Data Processing Instructions |
| ATOMICS | Atomic Instructions to the A64 |
| ASIMRDM | Support for Rounding Double Multiply Add/Subtract |
| PMULL | Optional Cryptographic and CRC32 Instructions |
| JSCVT | Perform Conversion to Match Javascript |
| DCPOP | Persistent Memory Support |
The Custom feature source allows the user to define features based on a mix of predefined rules. A rule is provided input witch affects its process of matching for a defined feature.
To aid in making Custom Features clearer, we define a general and a per rule nomenclature, keeping things as consistent as possible.
Rule :Represents a matching logic that is used to match on a feature.
+ Feature Discovery · Node Feature Discovery
Feature Discovery
Table of Contents
Feature discovery in nfd-worker is performed by a set of separate modules called feature sources. Most of them are specifically responsible for certain domain of features (e.g. cpu). In addition there are two highly customizable feature sources that work accross the system.
Feature labels
Each discovered feature is advertised a label in the Kubernetes Node object. The published node labels encode a few pieces of information:
- Namespace, (all built-in labels use
feature.node.kubernetes.io) - The source for each label (e.g.
cpu). - The name of the discovered feature as it appears in the underlying source, (e.g.
cpuid.AESNI from cpu). - The value of the discovered feature.
Feature label names adhere to the following pattern:
<namespace>/<source name>-<feature name>[.<attribute name>]
+
The last component (i.e. attribute-name) is optional, and only used if a feature logically has sub-hierarchy, e.g. sriov.capable and sriov.configure from the network source.
The --sources flag controls which sources to use for discovery.
Note: Consecutive runs of nfd-worker will update the labels on a given node. If features are not discovered on a consecutive run, the corresponding label will be removed. This includes any restrictions placed on the consecutive run, such as restricting discovered features with the –label-whitelist option.
Feature Sources
CPU
The cpu feature source supports the following labels:
Feature name Attribute Description cpuid <cpuid flag> CPU capability is supported hardware_multithreading Hardware multithreading, such as Intel HTT, enabled (number of logical CPUs is greater than physical CPUs) power sst_bf.enabled Intel SST-BF (Intel Speed Select Technology - Base frequency) enabled pstate turbo Set to ‘true' if turbo frequencies are enabled in Intel pstate driver, set to ‘false' if they have been disabled. rdt RDTMON Intel RDT Monitoring Technology RDTCMT Intel Cache Monitoring (CMT) RDTMBM Intel Memory Bandwidth Monitoring (MBM) RDTL3CA Intel L3 Cache Allocation Technology RDTL2CA Intel L2 Cache Allocation Technology RDTMBA Intel Memory Bandwidth Allocation (MBA) Technology
The (sub-)set of CPUID attributes to publish is configurable via the attributeBlacklist and attributeWhitelist cpuid options of the cpu source. If whitelist is specified, only whitelisted attributes will be published. With blacklist, only blacklisted attributes are filtered out. attributeWhitelist has priority over attributeBlacklist. For examples and more information about configurability, see configuration. By default, the following CPUID flags have been blacklisted: BMI1, BMI2, CLMUL, CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT, NX, POPCNT, RDRAND, RDSEED, RDTSCP, SGX, SSE, SSE2, SSE3, SSE4.1, SSE4.2 and SSSE3.
NOTE The cpuid features advertise supported CPU capabilities, that is, a capability might be supported but not enabled.
X86 CPUID Attributes (Partial List)
Attribute Description ADX Multi-Precision Add-Carry Instruction Extensions (ADX) AESNI Advanced Encryption Standard (AES) New Instructions (AES-NI) AVX Advanced Vector Extensions (AVX) AVX2 Advanced Vector Extensions 2 (AVX2)
Arm CPUID Attribute (Partial List)
Attribute Description IDIVA Integer divide instructions available in ARM mode IDIVT Integer divide instructions available in Thumb mode THUMB Thumb instructions FASTMUL Fast multiplication VFP Vector floating point instruction extension (VFP) VFPv3 Vector floating point extension v3 VFPv4 Vector floating point extension v4 VFPD32 VFP with 32 D-registers HALF Half-word loads and stores EDSP DSP extensions NEON NEON SIMD instructions LPAE Large Physical Address Extensions
Arm64 CPUID Attribute (Partial List)
Attribute Description AES Announcing the Advanced Encryption Standard EVSTRM Event Stream Frequency Features FPHP Half Precision(16bit) Floating Point Data Processing Instructions ASIMDHP Half Precision(16bit) Asimd Data Processing Instructions ATOMICS Atomic Instructions to the A64 ASIMRDM Support for Rounding Double Multiply Add/Subtract PMULL Optional Cryptographic and CRC32 Instructions JSCVT Perform Conversion to Match Javascript DCPOP Persistent Memory Support
Custom
The Custom feature source allows the user to define features based on a mix of predefined rules. A rule is provided input witch affects its process of matching for a defined feature. The rules are specified in the nfd-worker configuration file. See configuration for instructions and examples how to set-up and manage the worker configuration.
To aid in making Custom Features clearer, we define a general and a per rule nomenclature, keeping things as consistent as possible.
General Nomenclature & Definitions
Rule :Represents a matching logic that is used to match on a feature.
Rule Input :The input a Rule is provided. This determines how a Rule performs the match operation.
Matcher :A composition of Rules, each Matcher may be composed of at most one instance of each Rule.
-
Custom Features Format (using the Nomenclature defined above)
- name: <feature name>
- matchOn:
- - <Rule-1>: <Rule-1 Input>
- [<Rule-2>: <Rule-2 Input>]
- - <Matcher-2>
+
Custom Features Format (using the Nomenclature defined above)
Rules are specified under sources.custom in the nfd-worker configuration file.
sources:
+ custom:
+ - name: <feature name>
+ matchOn:
+ - <Rule-1>: <Rule-1 Input>
+ [<Rule-2>: <Rule-2 Input>]
+ - <Matcher-2>
+ - ...
+ - ...
+ - <Matcher-N>
+ - <custom feature 2>
- ...
- ...
- - <Matcher-N>
-- <custom feature 2>
-- ...
-- ...
-- <custom feature M>
+ - <custom feature M>
Matching process
Specifying Rules to match on a feature is done by providing a list of Matchers. Each Matcher contains one or more Rules.
Logical OR is performed between Matchers and logical AND is performed between Rules of a given Matcher.
Rules
PciId Rule
Nomenclature
Attribute :A PCI attribute.
Element :An identifier of the PCI attribute.
The PciId Rule allows matching the PCI devices in the system on the following Attributes: class,vendor and device. A list of Elements is provided for each Attribute.
Format
pciId :
@@ -90,4 +92,4 @@ feature.node.kubernetes.io/override_source-OVERRIDE_VALUE=123
override.namespace/value=456
NFD tries to run any regular files found from the hooks directory. Any additional data files your hook might need (e.g. a configuration file) should be placed in a separate directory in order to avoid NFD unnecessarily trying to execute these. You can use a subdirectory under the hooks directory, for example /etc/kubernetes/node-feature-discovery/source.d/conf/.
NOTE! NFD will blindly run any executables placed/mounted in the hooks directory. It is the user's responsibility to review the hooks for e.g. possible security implications.
NOTE! Be careful when creating and/or updating hook or feature files while NFD is running. In order to avoid race conditions you should write into a temporary file (outside the source.d and features.d directories), and, atomically create/update the original file by doing a filesystem move operation.
Extended resources
This feature is experimental and by no means a replacement for the usage of device plugins.
Labels which have integer values, can be promoted to Kubernetes extended resources by listing them to the master --resource-labels command line flag. These labels won't then show in the node label section, they will appear only as extended resources.
An example use-case for the extended resources could be based on a hook which creates a label for the node SGX EPC memory section size. By giving the name of that label in the --resource-labels flag, that value will then turn into an extended resource of the node, allowing PODs to request that resource and the Kubernetes scheduler to schedule such PODs to only those nodes which have a sufficient capacity of said resource left.
Similar to labels, the default namespace feature.node.kubernetes.io is automatically prefixed to the extended resource, if the promoted label doesn't have a namespace.
Example usage of the command line arguments, using a new namespace: nfd-master --resource-labels=my_source-my.feature,sgx.some.ns/epc --extra-label-ns=sgx.some.ns
The above would result in following extended resources provided that related labels exist:
sgx.some.ns/epc: <label value>
feature.node.kubernetes.io/my_source-my.feature: <label value>
-
Node Feature Discovery master
\ No newline at end of file
+Welcome to Node Feature Discovery – a Kubernetes add-on for detecting hardware features and system configuration!
Continue to:
Introduction for more details on the project.
Quick start for quick step-by-step instructions on how to get NFD running on your cluster.
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template
+ Get started · Node Feature Discovery
Node Feature Discovery
Welcome to Node Feature Discovery – a Kubernetes add-on for detecting hardware features and system configuration!
Continue to:
-
Introduction for more details on the project.
-
Quick start for quick step-by-step instructions on how to get NFD running on your cluster.
Quick-start – the short-short version
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template
namespace/node-feature-discovery created
...
@@ -19,4 +19,4 @@
"feature.node.kubernetes.io/cpu-cpuid.AESNI": "true",
...
-
Node Feature Discovery master
\ No newline at end of file
+This software enables node feature discovery for Kubernetes. It detects hardware features available on each node in a Kubernetes cluster, and advertises those features using node labels.
NFD consists of two software components:
NFD-Master is the daemon responsible for communication towards the Kubernetes API. That is, it receives labeling requests from the worker and modifies node objects accordingly.
NFD-Worker is a daemon responsible for feature detection. It then communicates the information to nfd-master which does the actual node labeling. One instance of nfd-worker is supposed to be running on each node of the cluster,
Feature discovery is divided into domain-specific feature sources:
Each feature source is responsible for detecting a set of features which. in turn, are turned into node feature labels. Feature labels are prefixed with feature.node.kubernetes.io/ and also contain the name of the feature source. Non-standard user-specific feature labels can be created with the local and custom feature sources.
An overview of the default feature labels:
{
+ Introduction · Node Feature Discovery
Introduction
Table of Contents
This software enables node feature discovery for Kubernetes. It detects hardware features available on each node in a Kubernetes cluster, and advertises those features using node labels.
NFD consists of two software components:
- nfd-master
- nfd-worker
NFD-Master
NFD-Master is the daemon responsible for communication towards the Kubernetes API. That is, it receives labeling requests from the worker and modifies node objects accordingly.
NFD-Worker
NFD-Worker is a daemon responsible for feature detection. It then communicates the information to nfd-master which does the actual node labeling. One instance of nfd-worker is supposed to be running on each node of the cluster,
Feature Discovery
Feature discovery is divided into domain-specific feature sources:
- CPU
- IOMMU
- Kernel
- Memory
- Network
- PCI
- Storage
- System
- USB
- Custom (rule-based custom features)
- Local (hooks for user-specific features)
Each feature source is responsible for detecting a set of features which. in turn, are turned into node feature labels. Feature labels are prefixed with feature.node.kubernetes.io/ and also contain the name of the feature source. Non-standard user-specific feature labels can be created with the local and custom feature sources.
An overview of the default feature labels:
{
"feature.node.kubernetes.io/cpu-<feature-name>": "true",
"feature.node.kubernetes.io/custom-<feature-name>": "true",
"feature.node.kubernetes.io/iommu-<feature-name>": "true",
@@ -11,4 +11,4 @@
"feature.node.kubernetes.io/usb-<device label>.present": "<feature value>",
"feature.node.kubernetes.io/<file name>-<feature name>": "<feature value>"
}
-
Node Annotations
NFD also annotates nodes it is running on:
Annotation Description nfd.node.kubernetes.io/master.version Version of the nfd-master instance running on the node. Informative use only. nfd.node.kubernetes.io/worker.version Version of the nfd-worker instance running on the node. Informative use only. nfd.node.kubernetes.io/feature-labels Comma-separated list of node labels managed by NFD. NFD uses this internally so must not be edited by users. nfd.node.kubernetes.io/extended-resources Comma-separated list of node extended resources managed by NFD. NFD uses this internally so must not be edited by users.
Unapplicable annotations are not created, i.e. for example master.version is only created on nodes running nfd-master.
Node Feature Discovery master
\ No newline at end of file
+NFD also annotates nodes it is running on:
| Annotation | Description |
|---|---|
| nfd.node.kubernetes.io/master.version | Version of the nfd-master instance running on the node. Informative use only. |
| nfd.node.kubernetes.io/worker.version | Version of the nfd-worker instance running on the node. Informative use only. |
| nfd.node.kubernetes.io/feature-labels | Comma-separated list of node labels managed by NFD. NFD uses this internally so must not be edited by users. |
| nfd.node.kubernetes.io/extended-resources | Comma-separated list of node extended resources managed by NFD. NFD uses this internally so must not be edited by users. |
Unapplicable annotations are not created, i.e. for example master.version is only created on nodes running nfd-master.
Minimal steps to deploy latest released version of NFD in your cluster.
Deploy nfd-master – creates a new namespace, service and required RBAC rules
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template
+ Quick Start · Node Feature Discovery
Quick Start
Minimal steps to deploy latest released version of NFD in your cluster.
Installation
Deploy nfd-master – creates a new namespace, service and required RBAC rules
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template
Deploy nfd-worker as a daemonset
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-worker-daemonset.yaml.template
Verify
Wait until NFD master and worker are running.
$ kubectl -n node-feature-discovery get ds,deploy
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
@@ -30,4 +30,4 @@ spec:
See that the pod is running on a desired node
$ kubectl get po feature-dependent-pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
feature-dependent-pod 1/1 Running 0 23s 10.36.0.4 node-2 <none> <none>
-
Node Feature Discovery master
\ No newline at end of file
+This software enables node feature discovery for Kubernetes. It detects\nhardware features available on each node in a Kubernetes cluster, and\nadvertises those features using node labels.
\n\nNFD consists of two software components:
\n\nNFD-Master is the daemon responsible for communication towards the Kubernetes\nAPI. That is, it receives labeling requests from the worker and modifies node\nobjects accordingly.
\n\nNFD-Worker is a daemon responsible for feature detection. It then communicates\nthe information to nfd-master which does the actual node labeling. One\ninstance of nfd-worker is supposed to be running on each node of the cluster,
\n\nFeature discovery is divided into domain-specific feature sources:
\n\nEach feature source is responsible for detecting a set of features which. in\nturn, are turned into node feature labels. Feature labels are prefixed with\nfeature.node.kubernetes.io/ and also contain the name of the feature source.\nNon-standard user-specific feature labels can be created with the local and\ncustom feature sources.
An overview of the default feature labels:
\n\n{\n \"feature.node.kubernetes.io/cpu-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/custom-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/iommu-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/kernel-<feature name>\": \"<feature value>\",\n \"feature.node.kubernetes.io/memory-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/network-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/pci-<device label>.present\": \"true\",\n \"feature.node.kubernetes.io/storage-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/system-<feature name>\": \"<feature value>\",\n \"feature.node.kubernetes.io/usb-<device label>.present\": \"<feature value>\",\n \"feature.node.kubernetes.io/<file name>-<feature name>\": \"<feature value>\"\n}\nNFD also annotates nodes it is running on:
\n\n| Annotation | \nDescription | \n
|---|---|
| nfd.node.kubernetes.io/master.version | \nVersion of the nfd-master instance running on the node. Informative use only. | \n
| nfd.node.kubernetes.io/worker.version | \nVersion of the nfd-worker instance running on the node. Informative use only. | \n
| nfd.node.kubernetes.io/feature-labels | \nComma-separated list of node labels managed by NFD. NFD uses this internally so must not be edited by users. | \n
| nfd.node.kubernetes.io/extended-resources | \nComma-separated list of node extended resources managed by NFD. NFD uses this internally so must not be edited by users. | \n
Unapplicable annotations are not created, i.e. for example master.version is only created on nodes running nfd-master.
\n\n","dir":"/get-started/","name":"introduction.md","path":"get-started/introduction.md","url":"/get-started/introduction.html"},{"title":"Get started","layout":"default","sort":1,"content":"Welcome to Node Feature Discovery – a Kubernetes add-on for detecting hardware\nfeatures and system configuration!
\n\nContinue to:
\n\nIntroduction for more details on the\nproject.
\nQuick start for quick step-by-step\ninstructions on how to get NFD running on your cluster.
\n$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template\n namespace/node-feature-discovery created\n...\n\n$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-worker-daemonset.yaml.template\n daemonset.apps/nfd-worker created\n\n$ kubectl -n node-feature-discovery get all\n NAME READY STATUS RESTARTS AGE\n pod/nfd-master-555458dbbc-sxg6w 1/1 Running 0 56s\n pod/nfd-worker-mjg9f 1/1 Running 0 17s\n...\n\n$ kubectl get no -o json | jq .items[].metadata.labels\n {\n \"beta.kubernetes.io/arch\": \"amd64\",\n \"beta.kubernetes.io/os\": \"linux\",\n \"feature.node.kubernetes.io/cpu-cpuid.ADX\": \"true\",\n \"feature.node.kubernetes.io/cpu-cpuid.AESNI\": \"true\",\n...\n\ngit clone https://github.com/kubernetes-sigs/node-feature-discovery\ncd node-feature-discovery\nSee customizing the build below for altering the\ncontainer image registry, for example.
\n\nmake\nOptional, this example with Docker.
\n\ndocker push <IMAGE_TAG>\nTo use your published image from the step above instead of the\nk8s.gcr.io/nfd/node-feature-discovery image, edit image\nattribute in the spec template(s) to the new location\n(<registry-name>/<image-name>[:<version>]).
The yamls makefile generates deployment specs matching your locally built\nimage. See build customization below for\nconfigurability, e.g. changing the deployment namespace.
K8S_NAMESPACE=my-ns make yamls\nkubectl apply -f nfd-master.yaml\nkubectl apply -f nfd-worker-daemonset.yaml\nAlternatively, deploying worker and master in the same pod:
\n\nK8S_NAMESPACE=my-ns make yamls\nkubectl apply -f nfd-master.yaml\nkubectl apply -f nfd-daemonset-combined.yaml\nOr worker as a one-shot job:
\n\nK8S_NAMESPACE=my-ns make yamls\nkubectl apply -f nfd-master.yaml\nNUM_NODES=$(kubectl get no -o jsonpath='{.items[*].metadata.name}' | wc -w)\nsed s\"/NUM_NODES/$NUM_NODES/\" nfd-worker-job.yaml | kubectl apply -f -\nYou can also build the binaries locally
\n\nmake build\nThis will compile binaries under bin/
There are several Makefile variables that control the build process and the\nname of the resulting container image. The following are targeted targeted for\nbuild customization and they can be specified via environment variables or\nmakefile overrides.
\n\n| Variable | \nDescription | \nDefault value | \n
|---|---|---|
| HOSTMOUNT_PREFIX | \nPrefix of system directories for feature discovery (local builds) | \n/ (local builds) /host- (container builds) | \n
| IMAGE_BUILD_CMD | \nCommand to build the image | \ndocker build | \n
| IMAGE_BUILD_EXTRA_OPTS | \nExtra options to pass to build command | \nempty | \n
| IMAGE_PUSH_CMD | \nCommand to push the image to remote registry | \ndocker push | \n
| IMAGE_REGISTRY | \nContainer image registry to use | \nk8s.gcr.io/nfd | \n
| IMAGE_TAG_NAME | \nContainer image tag name | \n<nfd version> | \n
| IMAGE_EXTRA_TAG_NAMES | \nAdditional container image tag(s) to create when building image | \nempty | \n
| K8S_NAMESPACE | \nnfd-master and nfd-worker namespace | \nkube-system | \n
| KUBECONFIG | \nKubeconfig for running e2e-tests | \nempty | \n
| E2E_TEST_CONFIG | \nParameterization file of e2e-tests (see example) | \nempty | \n
For example, to use a custom registry:
\n\nmake IMAGE_REGISTRY=<my custom registry uri>\nOr to specify a build tool different from Docker, It can be done in 2 ways:
\n\nIMAGE_BUILD_CMD=\"buildah bud\" make\nmake IMAGE_BUILD_CMD=\"buildah bud\"\nUnit tests are automatically run as part of the container image build. You can\nalso run them manually in the source code tree by simply running:
\n\nmake test\nEnd-to-end tests are built on top of the e2e test framework of Kubernetes, and,\nthey required a cluster to run them on. For running the tests on your test\ncluster you need to specify the kubeconfig to be used:
\n\nmake e2e-test KUBECONFIG=$HOME/.kube/config\nYou can run NFD locally, either directly on your host OS or in containers for\ntesting and development purposes. This may be useful e.g. for checking\nfeatures-detection.
\n\nWhen running as a standalone container labeling is expected to fail because\nKubernetes API is not available. Thus, it is recommended to use --no-publish\ncommand line flag. E.g.
$ export NFD_CONTAINER_IMAGE=gcr.io/k8s-staging-nfd/node-feature-discovery:master\n$ docker run --rm --name=nfd-test ${NFD_CONTAINER_IMAGE} nfd-master --no-publish\n2019/02/01 14:48:21 Node Feature Discovery Master <NFD_VERSION>\n2019/02/01 14:48:21 gRPC server serving on port: 8080\nCommand line flags of nfd-master:
\n\n$ docker run --rm ${NFD_CONTAINER_IMAGE} nfd-master --help\n...\nUsage:\n nfd-master [--prune] [--no-publish] [--label-whitelist=<pattern>] [--port=<port>]\n [--ca-file=<path>] [--cert-file=<path>] [--key-file=<path>]\n [--verify-node-name] [--extra-label-ns=<list>] [--resource-labels=<list>]\n [--kubeconfig=<path>]\n nfd-master -h | --help\n nfd-master --version\n\n Options:\n -h --help Show this screen.\n --version Output version and exit.\n --prune Prune all NFD related attributes from all nodes\n of the cluster and exit.\n --kubeconfig=<path> Kubeconfig to use [Default: ]\n --port=<port> Port on which to listen for connections.\n [Default: 8080]\n --ca-file=<path> Root certificate for verifying connections\n [Default: ]\n --cert-file=<path> Certificate used for authenticating connections\n [Default: ]\n --key-file=<path> Private key matching --cert-file\n [Default: ]\n --verify-node-name Verify worker node name against CN from the TLS\n certificate. Only has effect when TLS authentication\n has been enabled.\n --no-publish Do not publish feature labels\n --label-whitelist=<pattern> Regular expression to filter label names to\n publish to the Kubernetes API server.\n NB: the label namespace is omitted i.e. the filter\n is only applied to the name part after '/'.\n [Default: ]\n --extra-label-ns=<list> Comma separated list of allowed extra label namespaces\n [Default: ]\n --resource-labels=<list> Comma separated list of labels to be exposed as extended resources.\n [Default: ]\nIn order to run nfd-worker as a “stand-alone” container against your\nstandalone nfd-master you need to run them in the same network namespace:
\n\n$ docker run --rm --network=container:nfd-test ${NFD_CONTAINER_IMAGE} nfd-worker\n2019/02/01 14:48:56 Node Feature Discovery Worker <NFD_VERSION>\n...\nIf you just want to try out feature discovery without connecting to nfd-master,\npass the --no-publish flag to nfd-worker.
Command line flags of nfd-worker:
\n\n$ docker run --rm ${NFD_CONTAINER_IMAGE} nfd-worker --help\n...\nnfd-worker.\n\n Usage:\n nfd-worker [--no-publish] [--sources=<sources>] [--label-whitelist=<pattern>]\n [--oneshot | --sleep-interval=<seconds>] [--config=<path>]\n [--options=<config>] [--server=<server>] [--server-name-override=<name>]\n [--ca-file=<path>] [--cert-file=<path>] [--key-file=<path>]\n nfd-worker -h | --help\n nfd-worker --version\n\n Options:\n -h --help Show this screen.\n --version Output version and exit.\n --config=<path> Config file to use.\n [Default: /etc/kubernetes/node-feature-discovery/nfd-worker.conf]\n --options=<config> Specify config options from command line. Config\n options are specified in the same format as in the\n config file (i.e. json or yaml). These options\n will override settings read from the config file.\n [Default: ]\n --ca-file=<path> Root certificate for verifying connections\n [Default: ]\n --cert-file=<path> Certificate used for authenticating connections\n [Default: ]\n --key-file=<path> Private key matching --cert-file\n [Default: ]\n --server=<server> NFD server address to connecto to.\n [Default: localhost:8080]\n --server-name-override=<name> Name (CN) expect from server certificate, useful\n in testing\n [Default: ]\n --sources=<sources> Comma separated list of feature sources.\n [Default: cpu,custom,iommu,kernel,local,memory,network,pci,storage,system,usb]\n --no-publish Do not publish discovered features to the\n cluster-local Kubernetes API server.\n --label-whitelist=<pattern> Regular expression to filter label names to\n publish to the Kubernetes API server.\n NB: the label namespace is omitted i.e. the filter\n is only applied to the name part after '/'.\n [Default: ]\n --oneshot Label once and exit.\n --sleep-interval=<seconds> Time to sleep between re-labeling. Non-positive\n value implies no re-labeling (i.e. infinite\n sleep). [Default: 60s]\nNOTE Some feature sources need certain directories and/or files from the\nhost mounted inside the NFD container. Thus, you need to provide Docker with the\ncorrect --volume options in order for them to work correctly when run\nstand-alone directly with docker run. See the\ntemplate spec\nfor up-to-date information about the required volume mounts.
All documentation resides under the\ndocs\ndirectory in the source tree. It is designed to be served as a html site by\nGitHub Pages.
\n\nBuilding the documentation is containerized in order to fix the build\nenvironment. The recommended way for developing documentation is to run:
\n\nmake site-serve\nThis will build the documentation in a container and serve it under\nlocalhost:4000/ making it easy to verify the results.\nAny changes made to the docs/ will automatically re-trigger a rebuild and are\nreflected in the served content and can be inspected with a simple browser\nrefresh.
In order to just build the html documentation run:
\n\nmake site-build\nThis will generate html documentation under docs/_site/.
Advanced topics and reference.
\n","dir":"/advanced/","name":"index.md","path":"advanced/index.md","url":"/advanced/"},{"title":"Master Cmdline Reference","layout":"default","sort":2,"content":"To quickly view available command line flags execute nfd-master --help.\nIn a docker container:
docker run gcr.io/k8s-staging-nfd/node-feature-discovery:master nfd-master --help\nPrint usage and exit.
\n\nPrint version and exit.
\n\nThe --prune flag is a sub-command like option for cleaning up the cluster. It\ncauses nfd-master to remove all NFD related labels, annotations and extended\nresources from all Node objects of the cluster and exit.
The --port flag specifies the TCP port that nfd-master listens for incoming requests.
Default: 8080
\n\nExample:
\n\nnfd-master --port=443\nThe --ca-file is one of the three flags (together with --cert-file and\n--key-file) controlling master-worker mutual TLS authentication on the\nnfd-master side. This flag specifies the TLS root certificate that is used for\nauthenticating incoming connections. NFD-Worker side needs to have matching key\nand cert files configured in order for the incoming requests to be accepted.
Default: empty
\n\nNote: Must be specified together with --cert-file and --key-file
Example:
\n\nnfd-master --ca-file=/opt/nfd/ca.crt --cert-file=/opt/nfd/master.crt --key-file=/opt/nfd/master.key\nThe --cert-file is one of the three flags (together with --ca-file and\n--key-file) controlling master-worker mutual TLS authentication on the\nnfd-master side. This flag specifies the TLS certificate presented for\nauthenticating outgoing traffic towards nfd-worker.
Default: empty
\n\nNote: Must be specified together with --ca-file and --key-file
Example:
\n\nnfd-master --cert-file=/opt/nfd/master.crt --key-file=/opt/nfd/master.key --ca-file=/opt/nfd/ca.crt\nThe --key-file is one of the three flags (together with --ca-file and\n--cert-file) controlling master-worker mutual TLS authentication on the\nnfd-master side. This flag specifies the private key corresponding the given\ncertificate file (--cert-file) that is used for authenticating outgoing\ntraffic.
Default: empty
\n\nNote: Must be specified together with --cert-file and --ca-file
Example:
\n\nnfd-master --key-file=/opt/nfd/master.key --cert-file=/opt/nfd/master.crt --ca-file=/opt/nfd/ca.crt\nThe --verify-node-name flag controls the NodeName based authorization of\nincoming requests and only has effect when mTLS authentication has been enabled\n(with --ca-file, --cert-file and --key-file). If enabled, the worker node\nname of the incoming must match with the CN in its TLS certificate. Thus,\nworkers are only able to label the node they are running on (or the node whose\ncertificate they present), and, each worker must have an individual\ncertificate.
Node Name based authorization is disabled by default and thus it is possible\nfor all nfd-worker pods in the cluster to use one shared certificate, making\nNFD deployment much easier.
\n\nDefault: false
\n\nExample:
\n\nnfd-master --verify-node-name --ca-file=/opt/nfd/ca.crt \\\n --cert-file=/opt/nfd/master.crt --key-file=/opt/nfd/master.key\nThe --no-publish flag disables all communication with the Kubernetes API\nserver, making a “dry-run” flag for nfd-master. No Labels, Annotations or\nExtendedResources (or any other properties of any Kubernetes API objects) are\nmodified.
Default: false
\n\nExample:
\n\nnfd-master --no-publish\nThe --label-whitelist specifies a regular expression for filtering feature\nlabels based on their name. Each label must match against the given reqular\nexpression in order to be published.
Note: The regular expression is only matches against the “basename” part of the\nlabel, i.e. to the part of the name after ‘/’. The label namespace is omitted.
\n\nDefault: empty
\n\nExample:
\n\nnfd-master --label-whitelist='.*cpuid\\.'\nThe --extra-label-ns flag specifies a comma-separated list of allowed feature\nlabel namespaces. By default, nfd-master only allows creating labels in the\ndefault feature.node.kubernetes.io label namespace. This option can be used\nto allow vendor-specific namespaces for custom labels from the local and custom\nfeature sources.
The same namespace control and this flag applies Extended Resources (created\nwith --resource-labels), too.
Default: empty
\n\nExample:
\n\nnfd-master --extra-label-ns=vendor-1.com,vendor-2.io\nThe --resource-labels flag specifies a comma-separated list of features to be\nadvertised as extended resources instead of labels. Features that have integer\nvalues can be published as Extended Resources by listing them in this flag.
Default: empty
\n\nExample:
\n\nnfd-master --resource-labels=vendor-1.com/feature-1,vendor-2.io/feature-2\nMinimal steps to deploy latest released version of NFD in your cluster.
\n\nDeploy nfd-master – creates a new namespace, service and required RBAC rules
\n\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template\nDeploy nfd-worker as a daemonset
\n\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-worker-daemonset.yaml.template\nWait until NFD master and worker are running.
\n\n$ kubectl -n node-feature-discovery get ds,deploy\nNAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE\ndaemonset.apps/nfd-worker 3 3 3 3 3 <none> 5s\nNAME READY UP-TO-DATE AVAILABLE AGE\ndeployment.apps/nfd-master 1/1 1 1 17s\nCheck that NFD feature labels have been created
\n\n$ kubectl get no -o json | jq .items[].metadata.labels\n{\n \"beta.kubernetes.io/arch\": \"amd64\",\n \"beta.kubernetes.io/os\": \"linux\",\n \"feature.node.kubernetes.io/cpu-cpuid.ADX\": \"true\",\n \"feature.node.kubernetes.io/cpu-cpuid.AESNI\": \"true\",\n \"feature.node.kubernetes.io/cpu-cpuid.AVX\": \"true\",\n...\nCreate a pod targeting a distinguishing feature (select a valid feature from\nthe list printed on the previous step)
\n\n$ cat << EOF | kubectl apply -f -\napiVersion: v1\nkind: Pod\nmetadata:\n name: feature-dependent-pod\nspec:\n containers:\n - image: k8s.gcr.io/pause\n name: pause\n nodeSelector:\n # Select a valid feature\n feature.node.kubernetes.io/cpu-cpuid.AESNI: 'true'\nEOF\npod/feature-dependent-pod created\nSee that the pod is running on a desired node
\n\n$ kubectl get po feature-dependent-pod -o wide\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\nfeature-dependent-pod 1/1 Running 0 23s 10.36.0.4 node-2 <none> <none>\nYou can reach us via the following channels:
\n\nThis is a\nSIG-node\nsubproject, hosted under the\nKubernetes SIGs organization in Github.\nThe project was established in 2016 and was migrated to Kubernetes SIGs in 2018.
\n\nThis is open source software released under the Apache 2.0 License.
\n","dir":"/contributing/","name":"index.md","path":"contributing/index.md","url":"/contributing/"},{"title":"Worker Cmdline Reference","layout":"default","sort":3,"content":"To quickly view available command line flags execute nfd-worker --help.\nIn a docker container:
docker run gcr.io/k8s-staging-nfd/node-feature-discovery:master nfd-worker --help\nPrint usage and exit.
\n\nPrint version and exit.
\n\nThe --config flag specifies the path of the nfd-worker configuration file to\nuse.
Default: /etc/kubernetes/node-feature-discovery/nfd-worker.conf
\n\nExample:
\n\nnfd-worker --config=/opt/nfd/worker.conf\nThe --options flag may be used to specify and override configuration file\noptions directly from the command line. The required format is the same as in\nthe config file i.e. JSON or YAML. Configuration options specified via this\nflag will override those from the configuration file:
Default: empty
\n\nExample:
\n\nnfd-worker --options='{\"sources\":{\"cpu\":{\"cpuid\":{\"attributeWhitelist\":[\"AVX\",\"AVX2\"]}}}}'\nThe --server flag specifies the address of the nfd-master endpoint where to\nconnect to.
Default: localhost:8080
\n\nExample:
\n\nnfd-worker --server=nfd-master.nfd.svc.cluster.local:443\nThe --ca-file is one of the three flags (together with --cert-file and\n--key-file) controlling the mutual TLS authentication on the worker side.\nThis flag specifies the TLS root certificate that is used for verifying the\nauthenticity of nfd-master.
Default: empty
\n\nNote: Must be specified together with --cert-file and --key-file
Example:
\n\nnfd-worker --ca-file=/opt/nfd/ca.crt --cert-file=/opt/nfd/worker.crt --key-file=/opt/nfd/worker.key\nThe --cert-file is one of the three flags (together with --ca-file and\n--key-file) controlling mutual TLS authentication on the worker side. This\nflag specifies the TLS certificate presented for authenticating outgoing\nrequests.
Default: empty
\n\nNote: Must be specified together with --ca-file and --key-file
Example:
\n\nnfd-workerr --cert-file=/opt/nfd/worker.crt --key-file=/opt/nfd/worker.key --ca-file=/opt/nfd/ca.crt\nThe --key-file is one of the three flags (together with --ca-file and\n--cert-file) controlling the mutual TLS authentication on the worker side.\nThis flag specifies the private key corresponding the given certificate file\n(--cert-file) that is used for authenticating outgoing requests.
Default: empty
\n\nNote: Must be specified together with --cert-file and --ca-file
Example:
\n\nnfd-worker --key-file=/opt/nfd/worker.key --cert-file=/opt/nfd/worker.crt --ca-file=/opt/nfd/ca.crt\nThe --server-name-override flag specifies the common name (CN) which to\nexpect from the nfd-master TLS certificate. This flag is mostly intended for\ndevelopment and debugging purposes.
Default: empty
\n\nExample:
\n\nnfd-worker --server-name-override=localhost\nThe --sources flag specifies a comma-separated list of enabled feature\nsources.
Default: cpu,custom,iommu,kernel,local,memory,network,pci,storage,system,usb
\n\nExample:
\n\nnfd-worker --sources=kernel,system,local\nThe --no-publish flag disables all communication with the nfd-master, making\nit a “dry-run” flag for nfd-worker. NFD-Worker runs feature detection normally,\nbut no labeling requests are sent to nfd-master.
Default: false
\n\nExample:
\n\nnfd-worker --no-publish\nThe --label-whitelist specifies a regular expression for filtering feature\nlabels based on their name. Each label must match against the given reqular\nexpression in order to be published.
Note: The regular expression is only matches against the “basename” part of the\nlabel, i.e. to the part of the name after ‘/’. The label namespace is omitted.
\n\nDefault: empty
\n\nExample:
\n\nnfd-worker --label-whitelist='.*cpuid\\.'\nThe --oneshot flag causes nfd-worker to exit after one pass of feature\ndetection.
Default: false
\n\nExample:
\n\nnfd-worker --oneshot --no-publish\nThe --sleep-interval specifies the interval between feature re-detection (and\nnode re-labeling). A non-positive value implies infinite sleep interval, i.e.\nno re-detection or re-labeling is done.
Default: 60s
\n\nExample:
\n\nnfd-worker --sleep-interval=1h\nDeployment using the\nNode Feature Discovery Operator\nis recommended to be done via\noperatorhub.io.
\n\nkubectl create -f https://operatorhub.io/install/nfd-operator.yaml\nnfd namespace here):\n cat << EOF | kubectl apply -f -\napiVersion: v1\nkind: Namespace\nmetadata:\n name: nfd\n---\napiVersion: nfd.kubernetes.io/v1alpha1\nkind: NodeFeatureDiscovery\nmetadata:\n name: my-nfd-deployment\n namespace: nfd\nEOF\nThe template specs provided in the repo can be used directly:
\n\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-worker-daemonset.yaml.template\nThis will required RBAC rules and deploy nfd-master (as a deployment) and\nnfd-worker (as a daemonset) in the node-feature-discovery namespace.
Alternatively you can download the templates and customize the deployment\nmanually.
\n\nYou can also run nfd-master and nfd-worker inside the same pod
\n\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-daemonset-combined.yaml.template\nThis creates a DaemonSet runs both nfd-worker and nfd-master in the same Pod.\nIn this case no nfd-master is run on the master node(s), but, the worker nodes\nare able to label themselves which may be desirable e.g. in single-node setups.
\n\nFeature discovery can alternatively be configured as a one-shot job.\nThe Job template may be used to achieve this:
\n\nNUM_NODES=$(kubectl get no -o jsonpath='{.items[*].metadata.name}' | wc -w)\ncurl -fs https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-worker-job.yaml.template | \\\n sed s\"/NUM_NODES/$NUM_NODES/\" | \\\n kubectl apply -f -\nThe example above launces as many jobs as there are non-master nodes. Note that\nthis approach does not guarantee running once on every node. For example,\ntainted, non-ready nodes or some other reasons in Job scheduling may cause some\nnode(s) will run extra job instance(s) to satisfy the request.
\n\nIf you want to use the latest development version (master branch) you need to\nbuild your own custom image.\nSee the Developer Guide for instructions how to\nbuild images and deploy them on your cluster.
\n\nNFD-Master runs as a deployment (with a replica count of 1), by default\nit prefers running on the cluster’s master nodes but will run on worker\nnodes if no master nodes are found.
\n\nFor High Availability, you should simply increase the replica count of\nthe deployment object. You should also look into adding\ninter-pod\naffinity to prevent masters from running on the same node.\nHowever note that inter-pod affinity is costly and is not recommended\nin bigger clusters.
\n\nNFD-Master listens for connections from nfd-worker(s) and connects to the\nKubernetes API server to add node labels advertised by them.
\n\nIf you have RBAC authorization enabled (as is the default e.g. with clusters\ninitialized with kubeadm) you need to configure the appropriate ClusterRoles,\nClusterRoleBindings and a ServiceAccount in order for NFD to create node\nlabels. The provided template will configure these for you.
\n\nNFD-Worker is preferably run as a Kubernetes DaemonSet. This assures\nre-labeling on regular intervals capturing changes in the system configuration\nand mames sure that new nodes are labeled as they are added to the cluster.\nWorker connects to the nfd-master service to advertise hardware features.
\n\nWhen run as a daemonset, nodes are re-labeled at an interval specified using\nthe --sleep-interval option. In the\ntemplate\nthe default interval is set to 60s which is also the default when no\n--sleep-interval is specified. Also, the configuration file is re-read on\neach iteration providing a simple mechanism of run-time reconfiguration.
NFD supports mutual TLS authentication between the nfd-master and nfd-worker\ninstances. That is, nfd-worker and nfd-master both verify that the other end\npresents a valid certificate.
\n\nTLS authentication is enabled by specifying --ca-file, --key-file and\n--cert-file args, on both the nfd-master and nfd-worker instances.\nThe template specs provided with NFD contain (commented out) example\nconfiguration for enabling TLS authentication.
The Common Name (CN) of the nfd-master certificate must match the DNS name of\nthe nfd-master Service of the cluster. By default, nfd-master only check that\nthe nfd-worker has been signed by the specified root certificate (–ca-file).\nAdditional hardening can be enabled by specifying –verify-node-name in\nnfd-master args, in which case nfd-master verifies that the NodeName presented\nby nfd-worker matches the Common Name (CN) of its certificate. This means that\neach nfd-worker requires a individual node-specific TLS certificate.
\n\nNFD-Worker supports a configuration file. The default location is\n/etc/kubernetes/node-feature-discovery/nfd-worker.conf, but,\nthis can be changed by specifying the--config command line flag.\nConfiguration file is re-read on each labeling pass (determined by\n--sleep-interval) which makes run-time re-configuration of nfd-worker\npossible.
Worker configuration file is read inside the container, and thus, Volumes and\nVolumeMounts are needed to make your configuration available for NFD. The\npreferred method is to use a ConfigMap which provides easy deployment and\nre-configurability. For example, create a config map using the example config\nas a template:
\n\ncp nfd-worker.conf.example nfd-worker.conf\nvim nfd-worker.conf # edit the configuration\nkubectl create configmap nfd-worker-config --from-file=nfd-worker.conf\nThen, configure Volumes and VolumeMounts in the Pod spec (just the relevant\nsnippets shown below):
\n\n...\n containers:\n volumeMounts:\n - name: nfd-worker-config\n mountPath: \"/etc/kubernetes/node-feature-discovery/\"\n...\n volumes:\n - name: nfd-worker-config\n configMap:\n name: nfd-worker-config\n...\nYou could also use other types of volumes, of course. That is, hostPath if\ndifferent config for different nodes would be required, for example.
\n\nThe (empty-by-default)\nexample config\nis used as a config in the NFD Docker image. Thus, this can be used as a default\nconfiguration in custom-built images.
\n\nConfiguration options can also be specified via the --options command line\nflag, in which case no mounts need to be used. The same format as in the config\nfile must be used, i.e. JSON (or YAML). For example:
--options='{\"sources\": { \"pci\": { \"deviceClassWhitelist\": [\"12\"] } } }'\nConfiguration options specified from the command line will override those read\nfrom the config file.
\n\nNodes with specific features can be targeted using the nodeSelector field. The\nfollowing example shows how to target nodes with Intel TurboBoost enabled.
apiVersion: v1\nkind: Pod\nmetadata:\n labels:\n env: test\n name: golang-test\nspec:\n containers:\n - image: golang\n name: go1\n nodeSelector:\n feature.node.kubernetes.io/cpu-pstate.turbo: 'true'\nFor more details on targeting nodes, see\nnode selection.
\n\nIf you followed the deployment instructions above you can simply do:
\n\nkubectl -n nfd delete NodeFeatureDiscovery my-nfd-deployment\nOptionally, you can also remove the namespace:
\n\nkubectl delete ns nfd\nSee the node-feature-discovery-operator and OLM project\ndocumentation for instructions for uninstalling the operator and operator\nlifecycle manager, respectively.
\n\nNFD_NS=node-feature-discovery\nkubectl -n $NFD_NS delete ds nfd-worker\nkubectl -n $NFD_NS delete deploy nfd-master\nkubectl -n $NFD_NS delete svc nfd-master\nkubectl -n $NFD_NS delete sa nfd-master\nkubectl delete clusterrole nfd-master\nkubectl delete clusterrolebinding nfd-master\nNFD-Master has a special --prune command line flag for removing all\nnfd-related node labels, annotations and extended resources from the cluster.
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-prune.yaml.template\nkubectl -n node-feature-discovery wait job.batch/nfd-prune --for=condition=complete && \\\n kubectl -n node-feature-discovery delete job/nfd-prune\nNOTE: You must run prune before removing the RBAC rules (serviceaccount,\nclusterrole and clusterrolebinding).
\n\n\n","dir":"/get-started/","name":"deployment-and-usage.md","path":"get-started/deployment-and-usage.md","url":"/get-started/deployment-and-usage.html"},{"title":"Feature Discovery","layout":"default","sort":4,"content":"Feature discovery in nfd-worker is performed by a set of separate modules\ncalled feature sources. Most of them are specifically responsible for certain\ndomain of features (e.g. cpu). In addition there are two highly customizable\nfeature sources that work accross the system.
\n\nEach discovered feature is advertised a label in the Kubernetes Node object.\nThe published node labels encode a few pieces of information:
\n\nfeature.node.kubernetes.io)cpu).cpuid.AESNI from cpu).Feature label names adhere to the following pattern:
\n\n<namespace>/<source name>-<feature name>[.<attribute name>]\nThe last component (i.e. attribute-name) is optional, and only used if a\nfeature logically has sub-hierarchy, e.g. sriov.capable and\nsriov.configure from the network source.
The --sources flag controls which sources to use for discovery.
Note: Consecutive runs of nfd-worker will update the labels on a\ngiven node. If features are not discovered on a consecutive run, the corresponding\nlabel will be removed. This includes any restrictions placed on the consecutive run,\nsuch as restricting discovered features with the –label-whitelist option.
\n\nThe cpu feature source supports the following labels:
\n\n| Feature name | \nAttribute | \nDescription | \n
|---|---|---|
| cpuid | \n<cpuid flag> | \nCPU capability is supported | \n
| hardware_multithreading | \n\n | Hardware multithreading, such as Intel HTT, enabled (number of logical CPUs is greater than physical CPUs) | \n
| power | \nsst_bf.enabled | \nIntel SST-BF (Intel Speed Select Technology - Base frequency) enabled | \n
| pstate | \nturbo | \nSet to ‘true’ if turbo frequencies are enabled in Intel pstate driver, set to ‘false’ if they have been disabled. | \n
| rdt | \nRDTMON | \nIntel RDT Monitoring Technology | \n
| \n | RDTCMT | \nIntel Cache Monitoring (CMT) | \n
| \n | RDTMBM | \nIntel Memory Bandwidth Monitoring (MBM) | \n
| \n | RDTL3CA | \nIntel L3 Cache Allocation Technology | \n
| \n | RDTL2CA | \nIntel L2 Cache Allocation Technology | \n
| \n | RDTMBA | \nIntel Memory Bandwidth Allocation (MBA) Technology | \n
The (sub-)set of CPUID attributes to publish is configurable via the\nattributeBlacklist and attributeWhitelist cpuid options of the cpu source.\nIf whitelist is specified, only whitelisted attributes will be published. With\nblacklist, only blacklisted attributes are filtered out. attributeWhitelist\nhas priority over attributeBlacklist. For examples and more information\nabout configurability, see configuration.\nBy default, the following CPUID flags have been blacklisted:\nBMI1, BMI2, CLMUL, CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT, NX, POPCNT,\nRDRAND, RDSEED, RDTSCP, SGX, SSE, SSE2, SSE3, SSE4.1, SSE4.2 and SSSE3.
NOTE The cpuid features advertise supported CPU capabilities, that is, a\ncapability might be supported but not enabled.
\n\n| Attribute | \nDescription | \n
|---|---|
| ADX | \nMulti-Precision Add-Carry Instruction Extensions (ADX) | \n
| AESNI | \nAdvanced Encryption Standard (AES) New Instructions (AES-NI) | \n
| AVX | \nAdvanced Vector Extensions (AVX) | \n
| AVX2 | \nAdvanced Vector Extensions 2 (AVX2) | \n
| Attribute | \nDescription | \n
|---|---|
| IDIVA | \nInteger divide instructions available in ARM mode | \n
| IDIVT | \nInteger divide instructions available in Thumb mode | \n
| THUMB | \nThumb instructions | \n
| FASTMUL | \nFast multiplication | \n
| VFP | \nVector floating point instruction extension (VFP) | \n
| VFPv3 | \nVector floating point extension v3 | \n
| VFPv4 | \nVector floating point extension v4 | \n
| VFPD32 | \nVFP with 32 D-registers | \n
| HALF | \nHalf-word loads and stores | \n
| EDSP | \nDSP extensions | \n
| NEON | \nNEON SIMD instructions | \n
| LPAE | \nLarge Physical Address Extensions | \n
| Attribute | \nDescription | \n
|---|---|
| AES | \nAnnouncing the Advanced Encryption Standard | \n
| EVSTRM | \nEvent Stream Frequency Features | \n
| FPHP | \nHalf Precision(16bit) Floating Point Data Processing Instructions | \n
| ASIMDHP | \nHalf Precision(16bit) Asimd Data Processing Instructions | \n
| ATOMICS | \nAtomic Instructions to the A64 | \n
| ASIMRDM | \nSupport for Rounding Double Multiply Add/Subtract | \n
| PMULL | \nOptional Cryptographic and CRC32 Instructions | \n
| JSCVT | \nPerform Conversion to Match Javascript | \n
| DCPOP | \nPersistent Memory Support | \n
The Custom feature source allows the user to define features based on a mix of\npredefined rules. A rule is provided input witch affects its process of\nmatching for a defined feature.
\n\nTo aid in making Custom Features clearer, we define a general and a per rule\nnomenclature, keeping things as consistent as possible.
\n\nRule :Represents a matching logic that is used to match on a feature.\nRule Input :The input a Rule is provided. This determines how a Rule performs the match operation.\nMatcher :A composition of Rules, each Matcher may be composed of at most one instance of each Rule.\n- name: <feature name>\n matchOn:\n - <Rule-1>: <Rule-1 Input>\n [<Rule-2>: <Rule-2 Input>]\n - <Matcher-2>\n - ...\n - ...\n - <Matcher-N>\n- <custom feature 2>\n- ...\n- ...\n- <custom feature M>\nSpecifying Rules to match on a feature is done by providing a list of Matchers.\nEach Matcher contains one or more Rules.
\n\nLogical OR is performed between Matchers and logical AND is performed\nbetween Rules of a given Matcher.
\n\nAttribute :A PCI attribute.\nElement :An identifier of the PCI attribute.\nThe PciId Rule allows matching the PCI devices in the system on the following\nAttributes: class,vendor and device. A list of Elements is provided for\neach Attribute.
pciId :\n class: [<class id>, ...]\n vendor: [<vendor id>, ...]\n device: [<device id>, ...]\nMatching is done by performing a logical OR between Elements of an Attribute\nand logical AND between the specified Attributes for each PCI device in the\nsystem. At least one Attribute must be specified. Missing attributes will not\npartake in the matching process.
\n\nAttribute :A USB attribute.\nElement :An identifier of the USB attribute.\nThe UsbId Rule allows matching the USB devices in the system on the following\nAttributes: class,vendor and device. A list of Elements is provided for\neach Attribute.
usbId :\n class: [<class id>, ...]\n vendor: [<vendor id>, ...]\n device: [<device id>, ...]\nMatching is done by performing a logical OR between Elements of an Attribute\nand logical AND between the specified Attributes for each USB device in the\nsystem. At least one Attribute must be specified. Missing attributes will not\npartake in the matching process.
\n\nElement :A kernel module\nThe LoadedKMod Rule allows matching the loaded kernel modules in the system\nagainst a provided list of Elements.
\n\nloadedKMod : [<kernel module>, ...]\nMatching is done by performing logical AND for each provided Element, i.e\nthe Rule will match if all provided Elements (kernel modules) are loaded in the\nsystem.
\n\nElement :A CPUID flag\nThe Rule allows matching the available CPUID flags in the system against a\nprovided list of Elements.
\n\ncpuId : [<CPUID flag string>, ...]\nMatching is done by performing logical AND for each provided Element, i.e the\nRule will match if all provided Elements (CPUID flag strings) are available in\nthe system.
\n\nElement :A Kconfig option\nThe Rule allows matching the kconfig options in the system against a provided\nlist of Elements.
\n\nkConfig: [<kernel config option ('y' or 'm') or '=<value>'>, ...]\nMatching is done by performing logical AND for each provided Element, i.e the\nRule will match if all provided Elements (kernel config options) are enabled\n(y or m) or matching =<value> in the kernel.
custom:\n - name: \"my.kernel.feature\"\n matchOn:\n - loadedKMod: [\"kmod1\", \"kmod2\"]\n - name: \"my.pci.feature\"\n matchOn:\n - pciId:\n vendor: [\"15b3\"]\n device: [\"1014\", \"1017\"]\n - name: \"my.usb.feature\"\n matchOn:\n - usbId:\n vendor: [\"1d6b\"]\n device: [\"0003\"]\n - name: \"my.combined.feature\"\n matchOn:\n - loadedKMod : [\"vendor_kmod1\", \"vendor_kmod2\"]\n pciId:\n vendor: [\"15b3\"]\n device: [\"1014\", \"1017\"]\n - name: \"my.accumulated.feature\"\n matchOn:\n - loadedKMod : [\"some_kmod1\", \"some_kmod2\"]\n - pciId:\n vendor: [\"15b3\"]\n device: [\"1014\", \"1017\"]\n - name: \"my.kernel.featureneedscpu\"\n matchOn:\n - kConfig: [\"KVM_INTEL\"]\n - cpuId: [\"VMX\"]\n - name: \"my.kernel.modulecompiler\"\n matchOn:\n - kConfig: [\"GCC_VERSION=100101\"]\n loadedKMod: [\"kmod1\"]\nIn the example above:
\n\nfeature.node.kubernetes.io/custom-my.kernel.feature=true if the node has\nkmod1 AND kmod2 kernel modules loaded.feature.node.kubernetes.io/custom-my.pci.feature=true if the node contains\na PCI device with a PCI vendor ID of 15b3 AND PCI device ID of 1014 OR\n1017.feature.node.kubernetes.io/custom-my.usb.feature=true if the node contains\na USB device with a USB vendor ID of 1d6b AND USB device ID of 0003.feature.node.kubernetes.io/custom-my.combined.feature=true if\nvendor_kmod1 AND vendor_kmod2 kernel modules are loaded AND the node\ncontains a PCI device\nwith a PCI vendor ID of 15b3 AND PCI device ID of 1014 or 1017.feature.node.kubernetes.io/custom-my.accumulated.feature=true if\nsome_kmod1 AND some_kmod2 kernel modules are loaded OR the node\ncontains a PCI device\nwith a PCI vendor ID of 15b3 AND PCI device ID of 1014 OR 1017.feature.node.kubernetes.io/custom-my.kernel.featureneedscpu=true if\nKVM_INTEL kernel config is enabled AND the node CPU supports VMX\nvirtual machine extensionsfeature.node.kubernetes.io/custom-my.kernel.modulecompiler=true if the\nin-tree kmod1 kernel module is loaded AND it’s built with\nGCC_VERSION=100101.Some feature labels which are common and generic are defined statically in the\ncustom feature source. A user may add additional Matchers to these feature\nlabels by defining them in the nfd-worker configuration file.
| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| rdma | \ncapable | \nThe node has an RDMA capable Network adapter | \n
| rdma | \nenabled | \nThe node has the needed RDMA modules loaded to run RDMA traffic | \n
The iommu feature source supports the following labels:
\n\n| Feature name | \nDescription | \n
|---|---|
| enabled | \nIOMMU is present and enabled in the kernel | \n
The kernel feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| config | \n<option name> | \nKernel config option is enabled (set ‘y’ or ‘m’). Default options are NO_HZ, NO_HZ_IDLE, NO_HZ_FULL and PREEMPT | \n
| selinux | \nenabled | \nSelinux is enabled on the node | \n
| version | \nfull | \nFull kernel version as reported by /proc/sys/kernel/osrelease (e.g. ‘4.5.6-7-g123abcde’) | \n
| \n | major | \nFirst component of the kernel version (e.g. ‘4’) | \n
| \n | minor | \nSecond component of the kernel version (e.g. ‘5’) | \n
| \n | revision | \nThird component of the kernel version (e.g. ‘6’) | \n
Kernel config file to use, and, the set of config options to be detected are\nconfigurable.\nSee configuration for\nmore information.
\n\nThe memory feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| numa | \n\n | Multiple memory nodes i.e. NUMA architecture detected | \n
| nv | \npresent | \nNVDIMM device(s) are present | \n
| nv | \ndax | \nNVDIMM region(s) configured in DAX mode are present | \n
The network feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| sriov | \ncapable | \nSingle Root Input/Output Virtualization (SR-IOV) enabled Network Interface Card(s) present | \n
| \n | configured | \nSR-IOV virtual functions have been configured | \n
The pci feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| <device label> | \npresent | \nPCI device is detected | \n
| <device label> | \nsriov.capable | \nSingle Root Input/Output Virtualization (SR-IOV) enabled PCI device present | \n
<device label> is composed of raw PCI IDs, separated by underscores. The set\nof fields used in <device label> is configurable, valid fields being class,\nvendor, device, subsystem_vendor and subsystem_device. Defaults are\nclass and vendor. An example label using the default label fields:
feature.node.kubernetes.io/pci-1200_8086.present=true\nAlso the set of PCI device classes that the feature source detects is\nconfigurable. By default, device classes (0x)03, (0x)0b40 and (0x)12, i.e.\nGPUs, co-processors and accelerator cards are detected.
\n\nThe usb feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| <device label> | \npresent | \nUSB device is detected | \n
<device label> is composed of raw USB IDs, separated by underscores. The set\nof fields used in <device label> is configurable, valid fields being class,\nvendor, and device. Defaults are class, vendor and device. An\nexample label using the default label fields:
feature.node.kubernetes.io/usb-fe_1a6e_089a.present=true\nSee configuration for more information on NFD\nconfig.
\n\nThe storage feature source supports the following labels:
\n\n| Feature name | \nDescription | \n
|---|---|
| nonrotationaldisk | \nNon-rotational disk, like SSD, is present in the node | \n
The system feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| os_release | \nID | \nOperating system identifier | \n
| \n | VERSION_ID | \nOperating system version identifier (e.g. ‘6.7’) | \n
| \n | VERSION_ID.major | \nFirst component of the OS version id (e.g. ‘6’) | \n
| \n | VERSION_ID.minor | \nSecond component of the OS version id (e.g. ‘7’) | \n
NFD has a special feature source named local which is designed for getting\nthe labels from user-specific feature detector. It provides a mechanism for\nusers to implement custom feature sources in a pluggable way, without modifying\nnfd source code or Docker images. The local feature source can be used to\nadvertise new user-specific features, and, for overriding labels created by the\nother feature sources.
\n\nThe local feature source gets its labels by two different ways:
\n\n/etc/kubernetes/node-feature-discovery/source.d/ directory. The hook files\nmust be executable and they are supposed to print all discovered features in\nstdout, one per line. With ELF binaries static linking is recommended as\nthe selection of system libraries available in the NFD release image is very\nlimited. Other runtimes currently supported by the NFD stock image are bash\nand perl./etc/kubernetes/node-feature-discovery/features.d/ directory. The file\ncontent is expected to be similar to the hook output (described above).These directories must be available inside the Docker image so Volumes and\nVolumeMounts must be used if standard NFD images are used. The given template\nfiles mount by default the source.d and the features.d directories\nrespectively from /etc/kubernetes/node-feature-discovery/source.d/ and\n/etc/kubernetes/node-feature-discovery/features.d/ from the host. You should\nupdate them to match your needs.
In both cases, the labels can be binary or non binary, using either <name> or\n<name>=<value> format.
Unlike the other feature sources, the name of the file, instead of the name of\nthe feature source (that would be local in this case), is used as a prefix in\nthe label name, normally. However, if the <name> of the label starts with a\nslash (/) it is used as the label name as is, without any additional prefix.\nThis makes it possible for the user to fully control the feature label names,\ne.g. for overriding labels created by other feature sources.
You can also override the default namespace of your labels using this format:\n<namespace>/<name>[=<value>]. You must whitelist your namespace using the\n--extra-label-ns option on the master. In this case, the name of the\nfile will not be added to the label name. For example, if you want to add the\nlabel my.namespace.org/my-label=value, your hook output or file must contains\nmy.namespace.org/my-label=value and you must add\n--extra-label-ns=my.namespace.org on the master command line.
stderr output of the hooks is propagated to NFD log so it can be used for\ndebugging and logging.
One use case for the hooks and/or feature files is detecting features in other\nPods outside NFD, e.g. in Kubernetes device plugins. It is possible to mount\nthe source.d and/or features.d directories common with the NFD Pod and\ndeploy the custom hooks/features there. NFD will periodically scan the\ndirectories and run any hooks and read any feature files it finds. The\nexample nfd-worker deployment template\ncontains hostPath mounts for sources.d and features.d directories. By\nusing the same mounts in the secondary Pod (e.g. device plugin) you have\ncreated a shared area for delivering hooks and feature files to NFD.
User has a shell script\n/etc/kubernetes/node-feature-discovery/source.d/my-source which has the\nfollowing stdout output:
MY_FEATURE_1\nMY_FEATURE_2=myvalue\n/override_source-OVERRIDE_BOOL\n/override_source-OVERRIDE_VALUE=123\noverride.namespace/value=456\nwhich, in turn, will translate into the following node labels:
\n\nfeature.node.kubernetes.io/my-source-MY_FEATURE_1=true\nfeature.node.kubernetes.io/my-source-MY_FEATURE_2=myvalue\nfeature.node.kubernetes.io/override_source-OVERRIDE_BOOL=true\nfeature.node.kubernetes.io/override_source-OVERRIDE_VALUE=123\noverride.namespace/value=456\nUser has a file /etc/kubernetes/node-feature-discovery/features.d/my-source\nwhich contains the following lines:
MY_FEATURE_1\nMY_FEATURE_2=myvalue\n/override_source-OVERRIDE_BOOL\n/override_source-OVERRIDE_VALUE=123\noverride.namespace/value=456\nwhich, in turn, will translate into the following node labels:
\n\nfeature.node.kubernetes.io/my-source-MY_FEATURE_1=true\nfeature.node.kubernetes.io/my-source-MY_FEATURE_2=myvalue\nfeature.node.kubernetes.io/override_source-OVERRIDE_BOOL=true\nfeature.node.kubernetes.io/override_source-OVERRIDE_VALUE=123\noverride.namespace/value=456\nNFD tries to run any regular files found from the hooks directory. Any\nadditional data files your hook might need (e.g. a configuration file) should\nbe placed in a separate directory in order to avoid NFD unnecessarily trying to\nexecute these. You can use a subdirectory under the hooks directory, for\nexample /etc/kubernetes/node-feature-discovery/source.d/conf/.
NOTE! NFD will blindly run any executables placed/mounted in the hooks\ndirectory. It is the user’s responsibility to review the hooks for e.g.\npossible security implications.
\n\nNOTE! Be careful when creating and/or updating hook or feature files while\nNFD is running. In order to avoid race conditions you should write into a\ntemporary file (outside the source.d and features.d directories), and,\natomically create/update the original file by doing a filesystem move\noperation.
This feature is experimental and by no means a replacement for the usage of\ndevice plugins.
\n\nLabels which have integer values, can be promoted to Kubernetes extended\nresources by listing them to the master --resource-labels command line flag.\nThese labels won’t then show in the node label section, they will appear only\nas extended resources.
An example use-case for the extended resources could be based on a hook which\ncreates a label for the node SGX EPC memory section size. By giving the name of\nthat label in the --resource-labels flag, that value will then turn into an\nextended resource of the node, allowing PODs to request that resource and the\nKubernetes scheduler to schedule such PODs to only those nodes which have a\nsufficient capacity of said resource left.
Similar to labels, the default namespace feature.node.kubernetes.io is\nautomatically prefixed to the extended resource, if the promoted label doesn’t\nhave a namespace.
Example usage of the command line arguments, using a new namespace:\nnfd-master --resource-labels=my_source-my.feature,sgx.some.ns/epc --extra-label-ns=sgx.some.ns
The above would result in following extended resources provided that related\nlabels exist:
\n\n sgx.some.ns/epc: <label value>\n feature.node.kubernetes.io/my_source-my.feature: <label value>\nThis page contains usage examples and demos.
\n\n![\"asciicast\"](\"https://asciinema.org/a/247316.svg\")
A demo on the benefits of using node feature discovery can be found in the\nsource code repository under\ndemo/.
\n","dir":"/get-started/","name":"examples-and-demos.md","path":"get-started/examples-and-demos.md","url":"/get-started/examples-and-demos.html"}] \ No newline at end of file +[{"title":"Introduction","layout":"default","sort":1,"content":"This software enables node feature discovery for Kubernetes. It detects\nhardware features available on each node in a Kubernetes cluster, and\nadvertises those features using node labels.
\n\nNFD consists of two software components:
\n\nNFD-Master is the daemon responsible for communication towards the Kubernetes\nAPI. That is, it receives labeling requests from the worker and modifies node\nobjects accordingly.
\n\nNFD-Worker is a daemon responsible for feature detection. It then communicates\nthe information to nfd-master which does the actual node labeling. One\ninstance of nfd-worker is supposed to be running on each node of the cluster,
\n\nFeature discovery is divided into domain-specific feature sources:
\n\nEach feature source is responsible for detecting a set of features which. in\nturn, are turned into node feature labels. Feature labels are prefixed with\nfeature.node.kubernetes.io/ and also contain the name of the feature source.\nNon-standard user-specific feature labels can be created with the local and\ncustom feature sources.
An overview of the default feature labels:
\n\n{\n \"feature.node.kubernetes.io/cpu-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/custom-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/iommu-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/kernel-<feature name>\": \"<feature value>\",\n \"feature.node.kubernetes.io/memory-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/network-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/pci-<device label>.present\": \"true\",\n \"feature.node.kubernetes.io/storage-<feature-name>\": \"true\",\n \"feature.node.kubernetes.io/system-<feature name>\": \"<feature value>\",\n \"feature.node.kubernetes.io/usb-<device label>.present\": \"<feature value>\",\n \"feature.node.kubernetes.io/<file name>-<feature name>\": \"<feature value>\"\n}\nNFD also annotates nodes it is running on:
\n\n| Annotation | \nDescription | \n
|---|---|
| nfd.node.kubernetes.io/master.version | \nVersion of the nfd-master instance running on the node. Informative use only. | \n
| nfd.node.kubernetes.io/worker.version | \nVersion of the nfd-worker instance running on the node. Informative use only. | \n
| nfd.node.kubernetes.io/feature-labels | \nComma-separated list of node labels managed by NFD. NFD uses this internally so must not be edited by users. | \n
| nfd.node.kubernetes.io/extended-resources | \nComma-separated list of node extended resources managed by NFD. NFD uses this internally so must not be edited by users. | \n
Unapplicable annotations are not created, i.e. for example master.version is only created on nodes running nfd-master.
\n\n","dir":"/get-started/","name":"introduction.md","path":"get-started/introduction.md","url":"/get-started/introduction.html"},{"title":"Get started","layout":"default","sort":1,"content":"Welcome to Node Feature Discovery – a Kubernetes add-on for detecting hardware\nfeatures and system configuration!
\n\nContinue to:
\n\nIntroduction for more details on the\nproject.
\nQuick start for quick step-by-step\ninstructions on how to get NFD running on your cluster.
\n$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template\n namespace/node-feature-discovery created\n...\n\n$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-worker-daemonset.yaml.template\n daemonset.apps/nfd-worker created\n\n$ kubectl -n node-feature-discovery get all\n NAME READY STATUS RESTARTS AGE\n pod/nfd-master-555458dbbc-sxg6w 1/1 Running 0 56s\n pod/nfd-worker-mjg9f 1/1 Running 0 17s\n...\n\n$ kubectl get no -o json | jq .items[].metadata.labels\n {\n \"beta.kubernetes.io/arch\": \"amd64\",\n \"beta.kubernetes.io/os\": \"linux\",\n \"feature.node.kubernetes.io/cpu-cpuid.ADX\": \"true\",\n \"feature.node.kubernetes.io/cpu-cpuid.AESNI\": \"true\",\n...\n\ngit clone https://github.com/kubernetes-sigs/node-feature-discovery\ncd node-feature-discovery\nSee customizing the build below for altering the\ncontainer image registry, for example.
\n\nmake\nOptional, this example with Docker.
\n\ndocker push <IMAGE_TAG>\nTo use your published image from the step above instead of the\nk8s.gcr.io/nfd/node-feature-discovery image, edit image\nattribute in the spec template(s) to the new location\n(<registry-name>/<image-name>[:<version>]).
The yamls makefile generates deployment specs matching your locally built\nimage. See build customization below for\nconfigurability, e.g. changing the deployment namespace.
K8S_NAMESPACE=my-ns make yamls\nkubectl apply -f nfd-master.yaml\nkubectl apply -f nfd-worker-daemonset.yaml\nAlternatively, deploying worker and master in the same pod:
\n\nK8S_NAMESPACE=my-ns make yamls\nkubectl apply -f nfd-master.yaml\nkubectl apply -f nfd-daemonset-combined.yaml\nOr worker as a one-shot job:
\n\nK8S_NAMESPACE=my-ns make yamls\nkubectl apply -f nfd-master.yaml\nNUM_NODES=$(kubectl get no -o jsonpath='{.items[*].metadata.name}' | wc -w)\nsed s\"/NUM_NODES/$NUM_NODES/\" nfd-worker-job.yaml | kubectl apply -f -\nYou can also build the binaries locally
\n\nmake build\nThis will compile binaries under bin/
There are several Makefile variables that control the build process and the\nname of the resulting container image. The following are targeted targeted for\nbuild customization and they can be specified via environment variables or\nmakefile overrides.
\n\n| Variable | \nDescription | \nDefault value | \n
|---|---|---|
| HOSTMOUNT_PREFIX | \nPrefix of system directories for feature discovery (local builds) | \n/ (local builds) /host- (container builds) | \n
| IMAGE_BUILD_CMD | \nCommand to build the image | \ndocker build | \n
| IMAGE_BUILD_EXTRA_OPTS | \nExtra options to pass to build command | \nempty | \n
| IMAGE_PUSH_CMD | \nCommand to push the image to remote registry | \ndocker push | \n
| IMAGE_REGISTRY | \nContainer image registry to use | \nk8s.gcr.io/nfd | \n
| IMAGE_TAG_NAME | \nContainer image tag name | \n<nfd version> | \n
| IMAGE_EXTRA_TAG_NAMES | \nAdditional container image tag(s) to create when building image | \nempty | \n
| K8S_NAMESPACE | \nnfd-master and nfd-worker namespace | \nkube-system | \n
| KUBECONFIG | \nKubeconfig for running e2e-tests | \nempty | \n
| E2E_TEST_CONFIG | \nParameterization file of e2e-tests (see example) | \nempty | \n
For example, to use a custom registry:
\n\nmake IMAGE_REGISTRY=<my custom registry uri>\nOr to specify a build tool different from Docker, It can be done in 2 ways:
\n\nIMAGE_BUILD_CMD=\"buildah bud\" make\nmake IMAGE_BUILD_CMD=\"buildah bud\"\nUnit tests are automatically run as part of the container image build. You can\nalso run them manually in the source code tree by simply running:
\n\nmake test\nEnd-to-end tests are built on top of the e2e test framework of Kubernetes, and,\nthey required a cluster to run them on. For running the tests on your test\ncluster you need to specify the kubeconfig to be used:
\n\nmake e2e-test KUBECONFIG=$HOME/.kube/config\nYou can run NFD locally, either directly on your host OS or in containers for\ntesting and development purposes. This may be useful e.g. for checking\nfeatures-detection.
\n\nWhen running as a standalone container labeling is expected to fail because\nKubernetes API is not available. Thus, it is recommended to use --no-publish\ncommand line flag. E.g.
$ export NFD_CONTAINER_IMAGE=gcr.io/k8s-staging-nfd/node-feature-discovery:master\n$ docker run --rm --name=nfd-test ${NFD_CONTAINER_IMAGE} nfd-master --no-publish\n2019/02/01 14:48:21 Node Feature Discovery Master <NFD_VERSION>\n2019/02/01 14:48:21 gRPC server serving on port: 8080\nCommand line flags of nfd-master:
\n\n$ docker run --rm ${NFD_CONTAINER_IMAGE} nfd-master --help\n...\nUsage:\n nfd-master [--prune] [--no-publish] [--label-whitelist=<pattern>] [--port=<port>]\n [--ca-file=<path>] [--cert-file=<path>] [--key-file=<path>]\n [--verify-node-name] [--extra-label-ns=<list>] [--resource-labels=<list>]\n [--kubeconfig=<path>]\n nfd-master -h | --help\n nfd-master --version\n\n Options:\n -h --help Show this screen.\n --version Output version and exit.\n --prune Prune all NFD related attributes from all nodes\n of the cluster and exit.\n --kubeconfig=<path> Kubeconfig to use [Default: ]\n --port=<port> Port on which to listen for connections.\n [Default: 8080]\n --ca-file=<path> Root certificate for verifying connections\n [Default: ]\n --cert-file=<path> Certificate used for authenticating connections\n [Default: ]\n --key-file=<path> Private key matching --cert-file\n [Default: ]\n --verify-node-name Verify worker node name against CN from the TLS\n certificate. Only has effect when TLS authentication\n has been enabled.\n --no-publish Do not publish feature labels\n --label-whitelist=<pattern> Regular expression to filter label names to\n publish to the Kubernetes API server.\n NB: the label namespace is omitted i.e. the filter\n is only applied to the name part after '/'.\n [Default: ]\n --extra-label-ns=<list> Comma separated list of allowed extra label namespaces\n [Default: ]\n --resource-labels=<list> Comma separated list of labels to be exposed as extended resources.\n [Default: ]\nIn order to run nfd-worker as a “stand-alone” container against your\nstandalone nfd-master you need to run them in the same network namespace:
\n\n$ docker run --rm --network=container:nfd-test ${NFD_CONTAINER_IMAGE} nfd-worker\n2019/02/01 14:48:56 Node Feature Discovery Worker <NFD_VERSION>\n...\nIf you just want to try out feature discovery without connecting to nfd-master,\npass the --no-publish flag to nfd-worker.
Command line flags of nfd-worker:
\n\n$ docker run --rm ${NFD_CONTAINER_IMAGE} nfd-worker --help\n...\nnfd-worker.\n\n Usage:\n nfd-worker [--no-publish] [--sources=<sources>] [--label-whitelist=<pattern>]\n [--oneshot | --sleep-interval=<seconds>] [--config=<path>]\n [--options=<config>] [--server=<server>] [--server-name-override=<name>]\n [--ca-file=<path>] [--cert-file=<path>] [--key-file=<path>]\n nfd-worker -h | --help\n nfd-worker --version\n\n Options:\n -h --help Show this screen.\n --version Output version and exit.\n --config=<path> Config file to use.\n [Default: /etc/kubernetes/node-feature-discovery/nfd-worker.conf]\n --options=<config> Specify config options from command line. Config\n options are specified in the same format as in the\n config file (i.e. json or yaml). These options\n will override settings read from the config file.\n [Default: ]\n --ca-file=<path> Root certificate for verifying connections\n [Default: ]\n --cert-file=<path> Certificate used for authenticating connections\n [Default: ]\n --key-file=<path> Private key matching --cert-file\n [Default: ]\n --server=<server> NFD server address to connecto to.\n [Default: localhost:8080]\n --server-name-override=<name> Name (CN) expect from server certificate, useful\n in testing\n [Default: ]\n --sources=<sources> Comma separated list of feature sources.\n [Default: cpu,custom,iommu,kernel,local,memory,network,pci,storage,system,usb]\n --no-publish Do not publish discovered features to the\n cluster-local Kubernetes API server.\n --label-whitelist=<pattern> Regular expression to filter label names to\n publish to the Kubernetes API server.\n NB: the label namespace is omitted i.e. the filter\n is only applied to the name part after '/'.\n [Default: ]\n --oneshot Label once and exit.\n --sleep-interval=<seconds> Time to sleep between re-labeling. Non-positive\n value implies no re-labeling (i.e. infinite\n sleep). [Default: 60s]\nNOTE Some feature sources need certain directories and/or files from the\nhost mounted inside the NFD container. Thus, you need to provide Docker with the\ncorrect --volume options in order for them to work correctly when run\nstand-alone directly with docker run. See the\ntemplate spec\nfor up-to-date information about the required volume mounts.
All documentation resides under the\ndocs\ndirectory in the source tree. It is designed to be served as a html site by\nGitHub Pages.
\n\nBuilding the documentation is containerized in order to fix the build\nenvironment. The recommended way for developing documentation is to run:
\n\nmake site-serve\nThis will build the documentation in a container and serve it under\nlocalhost:4000/ making it easy to verify the results.\nAny changes made to the docs/ will automatically re-trigger a rebuild and are\nreflected in the served content and can be inspected with a simple browser\nrefresh.
In order to just build the html documentation run:
\n\nmake site-build\nThis will generate html documentation under docs/_site/.
Advanced topics and reference.
\n","dir":"/advanced/","name":"index.md","path":"advanced/index.md","url":"/advanced/"},{"title":"Master Cmdline Reference","layout":"default","sort":2,"content":"To quickly view available command line flags execute nfd-master --help.\nIn a docker container:
docker run gcr.io/k8s-staging-nfd/node-feature-discovery:master nfd-master --help\nPrint usage and exit.
\n\nPrint version and exit.
\n\nThe --prune flag is a sub-command like option for cleaning up the cluster. It\ncauses nfd-master to remove all NFD related labels, annotations and extended\nresources from all Node objects of the cluster and exit.
The --port flag specifies the TCP port that nfd-master listens for incoming requests.
Default: 8080
\n\nExample:
\n\nnfd-master --port=443\nThe --ca-file is one of the three flags (together with --cert-file and\n--key-file) controlling master-worker mutual TLS authentication on the\nnfd-master side. This flag specifies the TLS root certificate that is used for\nauthenticating incoming connections. NFD-Worker side needs to have matching key\nand cert files configured in order for the incoming requests to be accepted.
Default: empty
\n\nNote: Must be specified together with --cert-file and --key-file
Example:
\n\nnfd-master --ca-file=/opt/nfd/ca.crt --cert-file=/opt/nfd/master.crt --key-file=/opt/nfd/master.key\nThe --cert-file is one of the three flags (together with --ca-file and\n--key-file) controlling master-worker mutual TLS authentication on the\nnfd-master side. This flag specifies the TLS certificate presented for\nauthenticating outgoing traffic towards nfd-worker.
Default: empty
\n\nNote: Must be specified together with --ca-file and --key-file
Example:
\n\nnfd-master --cert-file=/opt/nfd/master.crt --key-file=/opt/nfd/master.key --ca-file=/opt/nfd/ca.crt\nThe --key-file is one of the three flags (together with --ca-file and\n--cert-file) controlling master-worker mutual TLS authentication on the\nnfd-master side. This flag specifies the private key corresponding the given\ncertificate file (--cert-file) that is used for authenticating outgoing\ntraffic.
Default: empty
\n\nNote: Must be specified together with --cert-file and --ca-file
Example:
\n\nnfd-master --key-file=/opt/nfd/master.key --cert-file=/opt/nfd/master.crt --ca-file=/opt/nfd/ca.crt\nThe --verify-node-name flag controls the NodeName based authorization of\nincoming requests and only has effect when mTLS authentication has been enabled\n(with --ca-file, --cert-file and --key-file). If enabled, the worker node\nname of the incoming must match with the CN in its TLS certificate. Thus,\nworkers are only able to label the node they are running on (or the node whose\ncertificate they present), and, each worker must have an individual\ncertificate.
Node Name based authorization is disabled by default and thus it is possible\nfor all nfd-worker pods in the cluster to use one shared certificate, making\nNFD deployment much easier.
\n\nDefault: false
\n\nExample:
\n\nnfd-master --verify-node-name --ca-file=/opt/nfd/ca.crt \\\n --cert-file=/opt/nfd/master.crt --key-file=/opt/nfd/master.key\nThe --no-publish flag disables all communication with the Kubernetes API\nserver, making a “dry-run” flag for nfd-master. No Labels, Annotations or\nExtendedResources (or any other properties of any Kubernetes API objects) are\nmodified.
Default: false
\n\nExample:
\n\nnfd-master --no-publish\nThe --label-whitelist specifies a regular expression for filtering feature\nlabels based on their name. Each label must match against the given reqular\nexpression in order to be published.
Note: The regular expression is only matches against the “basename” part of the\nlabel, i.e. to the part of the name after ‘/’. The label namespace is omitted.
\n\nDefault: empty
\n\nExample:
\n\nnfd-master --label-whitelist='.*cpuid\\.'\nThe --extra-label-ns flag specifies a comma-separated list of allowed feature\nlabel namespaces. By default, nfd-master only allows creating labels in the\ndefault feature.node.kubernetes.io label namespace. This option can be used\nto allow vendor-specific namespaces for custom labels from the local and custom\nfeature sources.
The same namespace control and this flag applies Extended Resources (created\nwith --resource-labels), too.
Default: empty
\n\nExample:
\n\nnfd-master --extra-label-ns=vendor-1.com,vendor-2.io\nThe --resource-labels flag specifies a comma-separated list of features to be\nadvertised as extended resources instead of labels. Features that have integer\nvalues can be published as Extended Resources by listing them in this flag.
Default: empty
\n\nExample:
\n\nnfd-master --resource-labels=vendor-1.com/feature-1,vendor-2.io/feature-2\nMinimal steps to deploy latest released version of NFD in your cluster.
\n\nDeploy nfd-master – creates a new namespace, service and required RBAC rules
\n\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template\nDeploy nfd-worker as a daemonset
\n\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-worker-daemonset.yaml.template\nWait until NFD master and worker are running.
\n\n$ kubectl -n node-feature-discovery get ds,deploy\nNAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE\ndaemonset.apps/nfd-worker 3 3 3 3 3 <none> 5s\nNAME READY UP-TO-DATE AVAILABLE AGE\ndeployment.apps/nfd-master 1/1 1 1 17s\nCheck that NFD feature labels have been created
\n\n$ kubectl get no -o json | jq .items[].metadata.labels\n{\n \"beta.kubernetes.io/arch\": \"amd64\",\n \"beta.kubernetes.io/os\": \"linux\",\n \"feature.node.kubernetes.io/cpu-cpuid.ADX\": \"true\",\n \"feature.node.kubernetes.io/cpu-cpuid.AESNI\": \"true\",\n \"feature.node.kubernetes.io/cpu-cpuid.AVX\": \"true\",\n...\nCreate a pod targeting a distinguishing feature (select a valid feature from\nthe list printed on the previous step)
\n\n$ cat << EOF | kubectl apply -f -\napiVersion: v1\nkind: Pod\nmetadata:\n name: feature-dependent-pod\nspec:\n containers:\n - image: k8s.gcr.io/pause\n name: pause\n nodeSelector:\n # Select a valid feature\n feature.node.kubernetes.io/cpu-cpuid.AESNI: 'true'\nEOF\npod/feature-dependent-pod created\nSee that the pod is running on a desired node
\n\n$ kubectl get po feature-dependent-pod -o wide\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\nfeature-dependent-pod 1/1 Running 0 23s 10.36.0.4 node-2 <none> <none>\nYou can reach us via the following channels:
\n\nThis is a\nSIG-node\nsubproject, hosted under the\nKubernetes SIGs organization in Github.\nThe project was established in 2016 and was migrated to Kubernetes SIGs in 2018.
\n\nThis is open source software released under the Apache 2.0 License.
\n","dir":"/contributing/","name":"index.md","path":"contributing/index.md","url":"/contributing/"},{"title":"Worker Cmdline Reference","layout":"default","sort":3,"content":"To quickly view available command line flags execute nfd-worker --help.\nIn a docker container:
docker run gcr.io/k8s-staging-nfd/node-feature-discovery:master nfd-worker --help\nPrint usage and exit.
\n\nPrint version and exit.
\n\nThe --config flag specifies the path of the nfd-worker configuration file to\nuse.
Default: /etc/kubernetes/node-feature-discovery/nfd-worker.conf
\n\nExample:
\n\nnfd-worker --config=/opt/nfd/worker.conf\nThe --options flag may be used to specify and override configuration file\noptions directly from the command line. The required format is the same as in\nthe config file i.e. JSON or YAML. Configuration options specified via this\nflag will override those from the configuration file:
Default: empty
\n\nExample:
\n\nnfd-worker --options='{\"sources\":{\"cpu\":{\"cpuid\":{\"attributeWhitelist\":[\"AVX\",\"AVX2\"]}}}}'\nThe --server flag specifies the address of the nfd-master endpoint where to\nconnect to.
Default: localhost:8080
\n\nExample:
\n\nnfd-worker --server=nfd-master.nfd.svc.cluster.local:443\nThe --ca-file is one of the three flags (together with --cert-file and\n--key-file) controlling the mutual TLS authentication on the worker side.\nThis flag specifies the TLS root certificate that is used for verifying the\nauthenticity of nfd-master.
Default: empty
\n\nNote: Must be specified together with --cert-file and --key-file
Example:
\n\nnfd-worker --ca-file=/opt/nfd/ca.crt --cert-file=/opt/nfd/worker.crt --key-file=/opt/nfd/worker.key\nThe --cert-file is one of the three flags (together with --ca-file and\n--key-file) controlling mutual TLS authentication on the worker side. This\nflag specifies the TLS certificate presented for authenticating outgoing\nrequests.
Default: empty
\n\nNote: Must be specified together with --ca-file and --key-file
Example:
\n\nnfd-workerr --cert-file=/opt/nfd/worker.crt --key-file=/opt/nfd/worker.key --ca-file=/opt/nfd/ca.crt\nThe --key-file is one of the three flags (together with --ca-file and\n--cert-file) controlling the mutual TLS authentication on the worker side.\nThis flag specifies the private key corresponding the given certificate file\n(--cert-file) that is used for authenticating outgoing requests.
Default: empty
\n\nNote: Must be specified together with --cert-file and --ca-file
Example:
\n\nnfd-worker --key-file=/opt/nfd/worker.key --cert-file=/opt/nfd/worker.crt --ca-file=/opt/nfd/ca.crt\nThe --server-name-override flag specifies the common name (CN) which to\nexpect from the nfd-master TLS certificate. This flag is mostly intended for\ndevelopment and debugging purposes.
Default: empty
\n\nExample:
\n\nnfd-worker --server-name-override=localhost\nThe --sources flag specifies a comma-separated list of enabled feature\nsources.
Default: cpu,custom,iommu,kernel,local,memory,network,pci,storage,system,usb
\n\nExample:
\n\nnfd-worker --sources=kernel,system,local\nThe --no-publish flag disables all communication with the nfd-master, making\nit a “dry-run” flag for nfd-worker. NFD-Worker runs feature detection normally,\nbut no labeling requests are sent to nfd-master.
Default: false
\n\nExample:
\n\nnfd-worker --no-publish\nThe --label-whitelist specifies a regular expression for filtering feature\nlabels based on their name. Each label must match against the given reqular\nexpression in order to be published.
Note: The regular expression is only matches against the “basename” part of the\nlabel, i.e. to the part of the name after ‘/’. The label namespace is omitted.
\n\nDefault: empty
\n\nExample:
\n\nnfd-worker --label-whitelist='.*cpuid\\.'\nThe --oneshot flag causes nfd-worker to exit after one pass of feature\ndetection.
Default: false
\n\nExample:
\n\nnfd-worker --oneshot --no-publish\nThe --sleep-interval specifies the interval between feature re-detection (and\nnode re-labeling). A non-positive value implies infinite sleep interval, i.e.\nno re-detection or re-labeling is done.
Default: 60s
\n\nExample:
\n\nnfd-worker --sleep-interval=1h\nDeployment using the\nNode Feature Discovery Operator\nis recommended to be done via\noperatorhub.io.
\n\nkubectl create -f https://operatorhub.io/install/nfd-operator.yaml\nnfd namespace here):\n cat << EOF | kubectl apply -f -\napiVersion: v1\nkind: Namespace\nmetadata:\n name: nfd\n---\napiVersion: nfd.kubernetes.io/v1alpha1\nkind: NodeFeatureDiscovery\nmetadata:\n name: my-nfd-deployment\n namespace: nfd\nEOF\nThe template specs provided in the repo can be used directly:
\n\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-master.yaml.template\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-worker-daemonset.yaml.template\nThis will required RBAC rules and deploy nfd-master (as a deployment) and\nnfd-worker (as a daemonset) in the node-feature-discovery namespace.
Alternatively you can download the templates and customize the deployment\nmanually.
\n\nYou can also run nfd-master and nfd-worker inside the same pod
\n\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-daemonset-combined.yaml.template\nThis creates a DaemonSet runs both nfd-worker and nfd-master in the same Pod.\nIn this case no nfd-master is run on the master node(s), but, the worker nodes\nare able to label themselves which may be desirable e.g. in single-node setups.
\n\nFeature discovery can alternatively be configured as a one-shot job.\nThe Job template may be used to achieve this:
\n\nNUM_NODES=$(kubectl get no -o jsonpath='{.items[*].metadata.name}' | wc -w)\ncurl -fs https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-worker-job.yaml.template | \\\n sed s\"/NUM_NODES/$NUM_NODES/\" | \\\n kubectl apply -f -\nThe example above launces as many jobs as there are non-master nodes. Note that\nthis approach does not guarantee running once on every node. For example,\ntainted, non-ready nodes or some other reasons in Job scheduling may cause some\nnode(s) will run extra job instance(s) to satisfy the request.
\n\nIf you want to use the latest development version (master branch) you need to\nbuild your own custom image.\nSee the Developer Guide for instructions how to\nbuild images and deploy them on your cluster.
\n\nNFD-Master runs as a deployment (with a replica count of 1), by default\nit prefers running on the cluster’s master nodes but will run on worker\nnodes if no master nodes are found.
\n\nFor High Availability, you should simply increase the replica count of\nthe deployment object. You should also look into adding\ninter-pod\naffinity to prevent masters from running on the same node.\nHowever note that inter-pod affinity is costly and is not recommended\nin bigger clusters.
\n\nNFD-Master listens for connections from nfd-worker(s) and connects to the\nKubernetes API server to add node labels advertised by them.
\n\nIf you have RBAC authorization enabled (as is the default e.g. with clusters\ninitialized with kubeadm) you need to configure the appropriate ClusterRoles,\nClusterRoleBindings and a ServiceAccount in order for NFD to create node\nlabels. The provided template will configure these for you.
\n\nNFD-Worker is preferably run as a Kubernetes DaemonSet. This assures\nre-labeling on regular intervals capturing changes in the system configuration\nand mames sure that new nodes are labeled as they are added to the cluster.\nWorker connects to the nfd-master service to advertise hardware features.
\n\nWhen run as a daemonset, nodes are re-labeled at an interval specified using\nthe --sleep-interval option. In the\ntemplate\nthe default interval is set to 60s which is also the default when no\n--sleep-interval is specified. Also, the configuration file is re-read on\neach iteration providing a simple mechanism of run-time reconfiguration.
NFD supports mutual TLS authentication between the nfd-master and nfd-worker\ninstances. That is, nfd-worker and nfd-master both verify that the other end\npresents a valid certificate.
\n\nTLS authentication is enabled by specifying --ca-file, --key-file and\n--cert-file args, on both the nfd-master and nfd-worker instances.\nThe template specs provided with NFD contain (commented out) example\nconfiguration for enabling TLS authentication.
The Common Name (CN) of the nfd-master certificate must match the DNS name of\nthe nfd-master Service of the cluster. By default, nfd-master only check that\nthe nfd-worker has been signed by the specified root certificate (–ca-file).\nAdditional hardening can be enabled by specifying –verify-node-name in\nnfd-master args, in which case nfd-master verifies that the NodeName presented\nby nfd-worker matches the Common Name (CN) of its certificate. This means that\neach nfd-worker requires a individual node-specific TLS certificate.
\n\nNFD-Worker supports a configuration file. The default location is\n/etc/kubernetes/node-feature-discovery/nfd-worker.conf, but,\nthis can be changed by specifying the--config command line flag.\nConfiguration file is re-read on each labeling pass (determined by\n--sleep-interval) which makes run-time re-configuration of nfd-worker\npossible.
Worker configuration file is read inside the container, and thus, Volumes and\nVolumeMounts are needed to make your configuration available for NFD. The\npreferred method is to use a ConfigMap which provides easy deployment and\nre-configurability. For example, create a config map using the example config\nas a template:
\n\ncp nfd-worker.conf.example nfd-worker.conf\nvim nfd-worker.conf # edit the configuration\nkubectl create configmap nfd-worker-config --from-file=nfd-worker.conf\nThen, configure Volumes and VolumeMounts in the Pod spec (just the relevant\nsnippets shown below):
\n\n...\n containers:\n volumeMounts:\n - name: nfd-worker-config\n mountPath: \"/etc/kubernetes/node-feature-discovery/\"\n...\n volumes:\n - name: nfd-worker-config\n configMap:\n name: nfd-worker-config\n...\nYou could also use other types of volumes, of course. That is, hostPath if\ndifferent config for different nodes would be required, for example.
\n\nThe (empty-by-default)\nexample config\nis used as a config in the NFD Docker image. Thus, this can be used as a default\nconfiguration in custom-built images.
\n\nConfiguration options can also be specified via the --options command line\nflag, in which case no mounts need to be used. The same format as in the config\nfile must be used, i.e. JSON (or YAML). For example:
--options='{\"sources\": { \"pci\": { \"deviceClassWhitelist\": [\"12\"] } } }'\nConfiguration options specified from the command line will override those read\nfrom the config file.
\n\nNodes with specific features can be targeted using the nodeSelector field. The\nfollowing example shows how to target nodes with Intel TurboBoost enabled.
apiVersion: v1\nkind: Pod\nmetadata:\n labels:\n env: test\n name: golang-test\nspec:\n containers:\n - image: golang\n name: go1\n nodeSelector:\n feature.node.kubernetes.io/cpu-pstate.turbo: 'true'\nFor more details on targeting nodes, see\nnode selection.
\n\nIf you followed the deployment instructions above you can simply do:
\n\nkubectl -n nfd delete NodeFeatureDiscovery my-nfd-deployment\nOptionally, you can also remove the namespace:
\n\nkubectl delete ns nfd\nSee the node-feature-discovery-operator and OLM project\ndocumentation for instructions for uninstalling the operator and operator\nlifecycle manager, respectively.
\n\nNFD_NS=node-feature-discovery\nkubectl -n $NFD_NS delete ds nfd-worker\nkubectl -n $NFD_NS delete deploy nfd-master\nkubectl -n $NFD_NS delete svc nfd-master\nkubectl -n $NFD_NS delete sa nfd-master\nkubectl delete clusterrole nfd-master\nkubectl delete clusterrolebinding nfd-master\nNFD-Master has a special --prune command line flag for removing all\nnfd-related node labels, annotations and extended resources from the cluster.
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/nfd-prune.yaml.template\nkubectl -n node-feature-discovery wait job.batch/nfd-prune --for=condition=complete && \\\n kubectl -n node-feature-discovery delete job/nfd-prune\nNOTE: You must run prune before removing the RBAC rules (serviceaccount,\nclusterrole and clusterrolebinding).
\n\n\n","dir":"/get-started/","name":"deployment-and-usage.md","path":"get-started/deployment-and-usage.md","url":"/get-started/deployment-and-usage.html"},{"title":"Feature Discovery","layout":"default","sort":4,"content":"Feature discovery in nfd-worker is performed by a set of separate modules\ncalled feature sources. Most of them are specifically responsible for certain\ndomain of features (e.g. cpu). In addition there are two highly customizable\nfeature sources that work accross the system.
\n\nEach discovered feature is advertised a label in the Kubernetes Node object.\nThe published node labels encode a few pieces of information:
\n\nfeature.node.kubernetes.io)cpu).cpuid.AESNI from cpu).Feature label names adhere to the following pattern:
\n\n<namespace>/<source name>-<feature name>[.<attribute name>]\nThe last component (i.e. attribute-name) is optional, and only used if a\nfeature logically has sub-hierarchy, e.g. sriov.capable and\nsriov.configure from the network source.
The --sources flag controls which sources to use for discovery.
Note: Consecutive runs of nfd-worker will update the labels on a\ngiven node. If features are not discovered on a consecutive run, the corresponding\nlabel will be removed. This includes any restrictions placed on the consecutive run,\nsuch as restricting discovered features with the –label-whitelist option.
\n\nThe cpu feature source supports the following labels:
\n\n| Feature name | \nAttribute | \nDescription | \n
|---|---|---|
| cpuid | \n<cpuid flag> | \nCPU capability is supported | \n
| hardware_multithreading | \n\n | Hardware multithreading, such as Intel HTT, enabled (number of logical CPUs is greater than physical CPUs) | \n
| power | \nsst_bf.enabled | \nIntel SST-BF (Intel Speed Select Technology - Base frequency) enabled | \n
| pstate | \nturbo | \nSet to ‘true’ if turbo frequencies are enabled in Intel pstate driver, set to ‘false’ if they have been disabled. | \n
| rdt | \nRDTMON | \nIntel RDT Monitoring Technology | \n
| \n | RDTCMT | \nIntel Cache Monitoring (CMT) | \n
| \n | RDTMBM | \nIntel Memory Bandwidth Monitoring (MBM) | \n
| \n | RDTL3CA | \nIntel L3 Cache Allocation Technology | \n
| \n | RDTL2CA | \nIntel L2 Cache Allocation Technology | \n
| \n | RDTMBA | \nIntel Memory Bandwidth Allocation (MBA) Technology | \n
The (sub-)set of CPUID attributes to publish is configurable via the\nattributeBlacklist and attributeWhitelist cpuid options of the cpu source.\nIf whitelist is specified, only whitelisted attributes will be published. With\nblacklist, only blacklisted attributes are filtered out. attributeWhitelist\nhas priority over attributeBlacklist. For examples and more information\nabout configurability, see configuration.\nBy default, the following CPUID flags have been blacklisted:\nBMI1, BMI2, CLMUL, CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT, NX, POPCNT,\nRDRAND, RDSEED, RDTSCP, SGX, SSE, SSE2, SSE3, SSE4.1, SSE4.2 and SSSE3.
NOTE The cpuid features advertise supported CPU capabilities, that is, a\ncapability might be supported but not enabled.
\n\n| Attribute | \nDescription | \n
|---|---|
| ADX | \nMulti-Precision Add-Carry Instruction Extensions (ADX) | \n
| AESNI | \nAdvanced Encryption Standard (AES) New Instructions (AES-NI) | \n
| AVX | \nAdvanced Vector Extensions (AVX) | \n
| AVX2 | \nAdvanced Vector Extensions 2 (AVX2) | \n
| Attribute | \nDescription | \n
|---|---|
| IDIVA | \nInteger divide instructions available in ARM mode | \n
| IDIVT | \nInteger divide instructions available in Thumb mode | \n
| THUMB | \nThumb instructions | \n
| FASTMUL | \nFast multiplication | \n
| VFP | \nVector floating point instruction extension (VFP) | \n
| VFPv3 | \nVector floating point extension v3 | \n
| VFPv4 | \nVector floating point extension v4 | \n
| VFPD32 | \nVFP with 32 D-registers | \n
| HALF | \nHalf-word loads and stores | \n
| EDSP | \nDSP extensions | \n
| NEON | \nNEON SIMD instructions | \n
| LPAE | \nLarge Physical Address Extensions | \n
| Attribute | \nDescription | \n
|---|---|
| AES | \nAnnouncing the Advanced Encryption Standard | \n
| EVSTRM | \nEvent Stream Frequency Features | \n
| FPHP | \nHalf Precision(16bit) Floating Point Data Processing Instructions | \n
| ASIMDHP | \nHalf Precision(16bit) Asimd Data Processing Instructions | \n
| ATOMICS | \nAtomic Instructions to the A64 | \n
| ASIMRDM | \nSupport for Rounding Double Multiply Add/Subtract | \n
| PMULL | \nOptional Cryptographic and CRC32 Instructions | \n
| JSCVT | \nPerform Conversion to Match Javascript | \n
| DCPOP | \nPersistent Memory Support | \n
The Custom feature source allows the user to define features based on a mix of\npredefined rules. A rule is provided input witch affects its process of\nmatching for a defined feature. The rules are specified in the\nnfd-worker configuration file. See\nconfiguration for instructions and\nexamples how to set-up and manage the worker configuration.
\n\nTo aid in making Custom Features clearer, we define a general and a per rule\nnomenclature, keeping things as consistent as possible.
\n\nRule :Represents a matching logic that is used to match on a feature.\nRule Input :The input a Rule is provided. This determines how a Rule performs the match operation.\nMatcher :A composition of Rules, each Matcher may be composed of at most one instance of each Rule.\nRules are specified under sources.custom in the nfd-worker configuration\nfile.
sources:\n custom:\n - name: <feature name>\n matchOn:\n - <Rule-1>: <Rule-1 Input>\n [<Rule-2>: <Rule-2 Input>]\n - <Matcher-2>\n - ...\n - ...\n - <Matcher-N>\n - <custom feature 2>\n - ...\n - ...\n - <custom feature M>\nSpecifying Rules to match on a feature is done by providing a list of Matchers.\nEach Matcher contains one or more Rules.
\n\nLogical OR is performed between Matchers and logical AND is performed\nbetween Rules of a given Matcher.
\n\nAttribute :A PCI attribute.\nElement :An identifier of the PCI attribute.\nThe PciId Rule allows matching the PCI devices in the system on the following\nAttributes: class,vendor and device. A list of Elements is provided for\neach Attribute.
pciId :\n class: [<class id>, ...]\n vendor: [<vendor id>, ...]\n device: [<device id>, ...]\nMatching is done by performing a logical OR between Elements of an Attribute\nand logical AND between the specified Attributes for each PCI device in the\nsystem. At least one Attribute must be specified. Missing attributes will not\npartake in the matching process.
\n\nAttribute :A USB attribute.\nElement :An identifier of the USB attribute.\nThe UsbId Rule allows matching the USB devices in the system on the following\nAttributes: class,vendor and device. A list of Elements is provided for\neach Attribute.
usbId :\n class: [<class id>, ...]\n vendor: [<vendor id>, ...]\n device: [<device id>, ...]\nMatching is done by performing a logical OR between Elements of an Attribute\nand logical AND between the specified Attributes for each USB device in the\nsystem. At least one Attribute must be specified. Missing attributes will not\npartake in the matching process.
\n\nElement :A kernel module\nThe LoadedKMod Rule allows matching the loaded kernel modules in the system\nagainst a provided list of Elements.
\n\nloadedKMod : [<kernel module>, ...]\nMatching is done by performing logical AND for each provided Element, i.e\nthe Rule will match if all provided Elements (kernel modules) are loaded in the\nsystem.
\n\nElement :A CPUID flag\nThe Rule allows matching the available CPUID flags in the system against a\nprovided list of Elements.
\n\ncpuId : [<CPUID flag string>, ...]\nMatching is done by performing logical AND for each provided Element, i.e the\nRule will match if all provided Elements (CPUID flag strings) are available in\nthe system.
\n\nElement :A Kconfig option\nThe Rule allows matching the kconfig options in the system against a provided\nlist of Elements.
\n\nkConfig: [<kernel config option ('y' or 'm') or '=<value>'>, ...]\nMatching is done by performing logical AND for each provided Element, i.e the\nRule will match if all provided Elements (kernel config options) are enabled\n(y or m) or matching =<value> in the kernel.
custom:\n - name: \"my.kernel.feature\"\n matchOn:\n - loadedKMod: [\"kmod1\", \"kmod2\"]\n - name: \"my.pci.feature\"\n matchOn:\n - pciId:\n vendor: [\"15b3\"]\n device: [\"1014\", \"1017\"]\n - name: \"my.usb.feature\"\n matchOn:\n - usbId:\n vendor: [\"1d6b\"]\n device: [\"0003\"]\n - name: \"my.combined.feature\"\n matchOn:\n - loadedKMod : [\"vendor_kmod1\", \"vendor_kmod2\"]\n pciId:\n vendor: [\"15b3\"]\n device: [\"1014\", \"1017\"]\n - name: \"my.accumulated.feature\"\n matchOn:\n - loadedKMod : [\"some_kmod1\", \"some_kmod2\"]\n - pciId:\n vendor: [\"15b3\"]\n device: [\"1014\", \"1017\"]\n - name: \"my.kernel.featureneedscpu\"\n matchOn:\n - kConfig: [\"KVM_INTEL\"]\n - cpuId: [\"VMX\"]\n - name: \"my.kernel.modulecompiler\"\n matchOn:\n - kConfig: [\"GCC_VERSION=100101\"]\n loadedKMod: [\"kmod1\"]\nIn the example above:
\n\nfeature.node.kubernetes.io/custom-my.kernel.feature=true if the node has\nkmod1 AND kmod2 kernel modules loaded.feature.node.kubernetes.io/custom-my.pci.feature=true if the node contains\na PCI device with a PCI vendor ID of 15b3 AND PCI device ID of 1014 OR\n1017.feature.node.kubernetes.io/custom-my.usb.feature=true if the node contains\na USB device with a USB vendor ID of 1d6b AND USB device ID of 0003.feature.node.kubernetes.io/custom-my.combined.feature=true if\nvendor_kmod1 AND vendor_kmod2 kernel modules are loaded AND the node\ncontains a PCI device\nwith a PCI vendor ID of 15b3 AND PCI device ID of 1014 or 1017.feature.node.kubernetes.io/custom-my.accumulated.feature=true if\nsome_kmod1 AND some_kmod2 kernel modules are loaded OR the node\ncontains a PCI device\nwith a PCI vendor ID of 15b3 AND PCI device ID of 1014 OR 1017.feature.node.kubernetes.io/custom-my.kernel.featureneedscpu=true if\nKVM_INTEL kernel config is enabled AND the node CPU supports VMX\nvirtual machine extensionsfeature.node.kubernetes.io/custom-my.kernel.modulecompiler=true if the\nin-tree kmod1 kernel module is loaded AND it’s built with\nGCC_VERSION=100101.Some feature labels which are common and generic are defined statically in the\ncustom feature source. A user may add additional Matchers to these feature\nlabels by defining them in the nfd-worker configuration file.
| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| rdma | \ncapable | \nThe node has an RDMA capable Network adapter | \n
| rdma | \nenabled | \nThe node has the needed RDMA modules loaded to run RDMA traffic | \n
The iommu feature source supports the following labels:
\n\n| Feature name | \nDescription | \n
|---|---|
| enabled | \nIOMMU is present and enabled in the kernel | \n
The kernel feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| config | \n<option name> | \nKernel config option is enabled (set ‘y’ or ‘m’). Default options are NO_HZ, NO_HZ_IDLE, NO_HZ_FULL and PREEMPT | \n
| selinux | \nenabled | \nSelinux is enabled on the node | \n
| version | \nfull | \nFull kernel version as reported by /proc/sys/kernel/osrelease (e.g. ‘4.5.6-7-g123abcde’) | \n
| \n | major | \nFirst component of the kernel version (e.g. ‘4’) | \n
| \n | minor | \nSecond component of the kernel version (e.g. ‘5’) | \n
| \n | revision | \nThird component of the kernel version (e.g. ‘6’) | \n
Kernel config file to use, and, the set of config options to be detected are\nconfigurable.\nSee configuration for\nmore information.
\n\nThe memory feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| numa | \n\n | Multiple memory nodes i.e. NUMA architecture detected | \n
| nv | \npresent | \nNVDIMM device(s) are present | \n
| nv | \ndax | \nNVDIMM region(s) configured in DAX mode are present | \n
The network feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| sriov | \ncapable | \nSingle Root Input/Output Virtualization (SR-IOV) enabled Network Interface Card(s) present | \n
| \n | configured | \nSR-IOV virtual functions have been configured | \n
The pci feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| <device label> | \npresent | \nPCI device is detected | \n
| <device label> | \nsriov.capable | \nSingle Root Input/Output Virtualization (SR-IOV) enabled PCI device present | \n
<device label> is composed of raw PCI IDs, separated by underscores. The set\nof fields used in <device label> is configurable, valid fields being class,\nvendor, device, subsystem_vendor and subsystem_device. Defaults are\nclass and vendor. An example label using the default label fields:
feature.node.kubernetes.io/pci-1200_8086.present=true\nAlso the set of PCI device classes that the feature source detects is\nconfigurable. By default, device classes (0x)03, (0x)0b40 and (0x)12, i.e.\nGPUs, co-processors and accelerator cards are detected.
\n\nThe usb feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| <device label> | \npresent | \nUSB device is detected | \n
<device label> is composed of raw USB IDs, separated by underscores. The set\nof fields used in <device label> is configurable, valid fields being class,\nvendor, and device. Defaults are class, vendor and device. An\nexample label using the default label fields:
feature.node.kubernetes.io/usb-fe_1a6e_089a.present=true\nSee configuration for more information on NFD\nconfig.
\n\nThe storage feature source supports the following labels:
\n\n| Feature name | \nDescription | \n
|---|---|
| nonrotationaldisk | \nNon-rotational disk, like SSD, is present in the node | \n
The system feature source supports the following labels:
\n\n| Feature | \nAttribute | \nDescription | \n
|---|---|---|
| os_release | \nID | \nOperating system identifier | \n
| \n | VERSION_ID | \nOperating system version identifier (e.g. ‘6.7’) | \n
| \n | VERSION_ID.major | \nFirst component of the OS version id (e.g. ‘6’) | \n
| \n | VERSION_ID.minor | \nSecond component of the OS version id (e.g. ‘7’) | \n
NFD has a special feature source named local which is designed for getting\nthe labels from user-specific feature detector. It provides a mechanism for\nusers to implement custom feature sources in a pluggable way, without modifying\nnfd source code or Docker images. The local feature source can be used to\nadvertise new user-specific features, and, for overriding labels created by the\nother feature sources.
\n\nThe local feature source gets its labels by two different ways:
\n\n/etc/kubernetes/node-feature-discovery/source.d/ directory. The hook files\nmust be executable and they are supposed to print all discovered features in\nstdout, one per line. With ELF binaries static linking is recommended as\nthe selection of system libraries available in the NFD release image is very\nlimited. Other runtimes currently supported by the NFD stock image are bash\nand perl./etc/kubernetes/node-feature-discovery/features.d/ directory. The file\ncontent is expected to be similar to the hook output (described above).These directories must be available inside the Docker image so Volumes and\nVolumeMounts must be used if standard NFD images are used. The given template\nfiles mount by default the source.d and the features.d directories\nrespectively from /etc/kubernetes/node-feature-discovery/source.d/ and\n/etc/kubernetes/node-feature-discovery/features.d/ from the host. You should\nupdate them to match your needs.
In both cases, the labels can be binary or non binary, using either <name> or\n<name>=<value> format.
Unlike the other feature sources, the name of the file, instead of the name of\nthe feature source (that would be local in this case), is used as a prefix in\nthe label name, normally. However, if the <name> of the label starts with a\nslash (/) it is used as the label name as is, without any additional prefix.\nThis makes it possible for the user to fully control the feature label names,\ne.g. for overriding labels created by other feature sources.
You can also override the default namespace of your labels using this format:\n<namespace>/<name>[=<value>]. You must whitelist your namespace using the\n--extra-label-ns option on the master. In this case, the name of the\nfile will not be added to the label name. For example, if you want to add the\nlabel my.namespace.org/my-label=value, your hook output or file must contains\nmy.namespace.org/my-label=value and you must add\n--extra-label-ns=my.namespace.org on the master command line.
stderr output of the hooks is propagated to NFD log so it can be used for\ndebugging and logging.
One use case for the hooks and/or feature files is detecting features in other\nPods outside NFD, e.g. in Kubernetes device plugins. It is possible to mount\nthe source.d and/or features.d directories common with the NFD Pod and\ndeploy the custom hooks/features there. NFD will periodically scan the\ndirectories and run any hooks and read any feature files it finds. The\nexample nfd-worker deployment template\ncontains hostPath mounts for sources.d and features.d directories. By\nusing the same mounts in the secondary Pod (e.g. device plugin) you have\ncreated a shared area for delivering hooks and feature files to NFD.
User has a shell script\n/etc/kubernetes/node-feature-discovery/source.d/my-source which has the\nfollowing stdout output:
MY_FEATURE_1\nMY_FEATURE_2=myvalue\n/override_source-OVERRIDE_BOOL\n/override_source-OVERRIDE_VALUE=123\noverride.namespace/value=456\nwhich, in turn, will translate into the following node labels:
\n\nfeature.node.kubernetes.io/my-source-MY_FEATURE_1=true\nfeature.node.kubernetes.io/my-source-MY_FEATURE_2=myvalue\nfeature.node.kubernetes.io/override_source-OVERRIDE_BOOL=true\nfeature.node.kubernetes.io/override_source-OVERRIDE_VALUE=123\noverride.namespace/value=456\nUser has a file /etc/kubernetes/node-feature-discovery/features.d/my-source\nwhich contains the following lines:
MY_FEATURE_1\nMY_FEATURE_2=myvalue\n/override_source-OVERRIDE_BOOL\n/override_source-OVERRIDE_VALUE=123\noverride.namespace/value=456\nwhich, in turn, will translate into the following node labels:
\n\nfeature.node.kubernetes.io/my-source-MY_FEATURE_1=true\nfeature.node.kubernetes.io/my-source-MY_FEATURE_2=myvalue\nfeature.node.kubernetes.io/override_source-OVERRIDE_BOOL=true\nfeature.node.kubernetes.io/override_source-OVERRIDE_VALUE=123\noverride.namespace/value=456\nNFD tries to run any regular files found from the hooks directory. Any\nadditional data files your hook might need (e.g. a configuration file) should\nbe placed in a separate directory in order to avoid NFD unnecessarily trying to\nexecute these. You can use a subdirectory under the hooks directory, for\nexample /etc/kubernetes/node-feature-discovery/source.d/conf/.
NOTE! NFD will blindly run any executables placed/mounted in the hooks\ndirectory. It is the user’s responsibility to review the hooks for e.g.\npossible security implications.
\n\nNOTE! Be careful when creating and/or updating hook or feature files while\nNFD is running. In order to avoid race conditions you should write into a\ntemporary file (outside the source.d and features.d directories), and,\natomically create/update the original file by doing a filesystem move\noperation.
This feature is experimental and by no means a replacement for the usage of\ndevice plugins.
\n\nLabels which have integer values, can be promoted to Kubernetes extended\nresources by listing them to the master --resource-labels command line flag.\nThese labels won’t then show in the node label section, they will appear only\nas extended resources.
An example use-case for the extended resources could be based on a hook which\ncreates a label for the node SGX EPC memory section size. By giving the name of\nthat label in the --resource-labels flag, that value will then turn into an\nextended resource of the node, allowing PODs to request that resource and the\nKubernetes scheduler to schedule such PODs to only those nodes which have a\nsufficient capacity of said resource left.
Similar to labels, the default namespace feature.node.kubernetes.io is\nautomatically prefixed to the extended resource, if the promoted label doesn’t\nhave a namespace.
Example usage of the command line arguments, using a new namespace:\nnfd-master --resource-labels=my_source-my.feature,sgx.some.ns/epc --extra-label-ns=sgx.some.ns
The above would result in following extended resources provided that related\nlabels exist:
\n\n sgx.some.ns/epc: <label value>\n feature.node.kubernetes.io/my_source-my.feature: <label value>\nThis page contains usage examples and demos.
\n\n
A demo on the benefits of using node feature discovery can be found in the\nsource code repository under\ndemo/.
\n","dir":"/get-started/","name":"examples-and-demos.md","path":"get-started/examples-and-demos.md","url":"/get-started/examples-and-demos.html"}] \ No newline at end of file diff --git a/master/search.html b/master/search.html index b3e61b900..bd355616e 100644 --- a/master/search.html +++ b/master/search.html @@ -1 +1 @@ -