mirrors/node-feature-discovery
mirrors/node-feature-discovery
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/node-feature-discovery.git synced 2025-03-31 04:04:51 +00:00
Code Activity
node-feature-discovery/source/cpu/cpu.go
Markus Lehtonen f62b057bcd cpu: re-organize security features 
Move existing security/trusted-execution related features (i.e. SGX and
SE) under the same "security" feature, deprecating the old features. The
motivation for the change is to keep the source code and user interface
more organized as we experience a constant inflow of similar security
related features. This change will affect the user interface so it is
less painful to do it early on.

New feature labels will be:

  feature.node.kubernetes.io/cpu-security.se.enabled
  feature.node.kubernetes.io/cpu-security.sgx.enabled

and correspondingly new "cpu.security" feature with "se.enabled" and
"sgx.enabled" elements will be available for custom rules, for example:

      - name: "sample sgx rule"
        labels:
          sgx.sample.feature: "true"
        matchFeatures:
          - feature: cpu.security
            matchExpressions:
              "sgx.enabled": {op: IsTrue}

At the same time deprecate old labels "cpu-sgx.enabled" and
"cpu-se.enabled" feature labels and the corresponding features for
custom rules. These will be removed in the future causing an effective
change in NFDs user interface.
2022-06-28 13:38:31 +03:00

338 lines
8.2 KiB
Go
Raw Blame History

/*
Copyright 2018-2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package cpu
import (
"io/ioutil"
"strconv"
"k8s.io/klog/v2"
"github.com/klauspost/cpuid/v2"
"sigs.k8s.io/node-feature-discovery/pkg/api/feature"
"sigs.k8s.io/node-feature-discovery/pkg/utils"
"sigs.k8s.io/node-feature-discovery/source"
)
// Name of this feature source
const Name = "cpu"
const (
CpuidFeature = "cpuid"
Cpumodel = "model"
CstateFeature = "cstate"
PstateFeature = "pstate"
RdtFeature = "rdt"
SeFeature = "se" // DEPRECATED in v0.12: will be removed in the future
SecurityFeature = "security"
SgxFeature = "sgx" // DEPRECATED in v0.12: will be removed in the future
SstFeature = "sst"
TopologyFeature = "topology"
)
// Configuration file options
type cpuidConfig struct {
AttributeBlacklist []string `json:"attributeBlacklist,omitempty"`
AttributeWhitelist []string `json:"attributeWhitelist,omitempty"`
}
// Config holds configuration for the cpu source.
type Config struct {
Cpuid cpuidConfig `json:"cpuid,omitempty"`
}
// newDefaultConfig returns a new config with pre-populated defaults
func newDefaultConfig() *Config {
return &Config{
cpuidConfig{
AttributeBlacklist: []string{
"BMI1",
"BMI2",
"CLMUL",
"CMOV",
"CX16",
"ERMS",
"F16C",
"HTT",
"LZCNT",
"MMX",
"MMXEXT",
"NX",
"POPCNT",
"RDRAND",
"RDSEED",
"RDTSCP",
"SGX",
"SGXLC",
"SSE",
"SSE2",
"SSE3",
"SSE4",
"SSE42",
"SSSE3",
},
AttributeWhitelist: []string{},
},
}
}
// Filter for cpuid labels
type keyFilter struct {
keys map[string]struct{}
whitelist bool
}
// cpuSource implements the FeatureSource, LabelSource and ConfigurableSource interfaces.
type cpuSource struct {
config *Config
cpuidFilter *keyFilter
features *feature.DomainFeatures
}
// Singleton source instance
var (
src = cpuSource{config: newDefaultConfig(), cpuidFilter: &keyFilter{}}
_ source.FeatureSource = &src
_ source.LabelSource = &src
_ source.ConfigurableSource = &src
)
func (s *cpuSource) Name() string { return Name }
// NewConfig method of the LabelSource interface
func (s *cpuSource) NewConfig() source.Config { return newDefaultConfig() }
// GetConfig method of the LabelSource interface
func (s *cpuSource) GetConfig() source.Config { return s.config }
// SetConfig method of the LabelSource interface
func (s *cpuSource) SetConfig(conf source.Config) {
switch v := conf.(type) {
case *Config:
s.config = v
s.initCpuidFilter()
default:
klog.Fatalf("invalid config type: %T", conf)
}
}
// Priority method of the LabelSource interface
func (s *cpuSource) Priority() int { return 0 }
// GetLabels method of the LabelSource interface
func (s *cpuSource) GetLabels() (source.FeatureLabels, error) {
labels := source.FeatureLabels{}
features := s.GetFeatures()
// CPUID
for f := range features.Keys[CpuidFeature].Elements {
if s.cpuidFilter.unmask(f) {
labels["cpuid."+f] = true
}
}
// CPU model
for k, v := range features.Values[Cpumodel].Elements {
labels["model."+k] = v
}
// Cstate
for k, v := range features.Values[CstateFeature].Elements {
labels["cstate."+k] = v
}
// Pstate
for k, v := range features.Values[PstateFeature].Elements {
labels["pstate."+k] = v
}
// RDT
for k := range features.Keys[RdtFeature].Elements {
labels["rdt."+k] = true
}
// Security
for k, v := range features.Values[SecurityFeature].Elements {
labels["security."+k] = v
}
// SGX
for k, v := range features.Values[SgxFeature].Elements {
labels["sgx."+k] = v
}
// Secure Execution
for k, v := range features.Values[SeFeature].Elements {
labels["se."+k] = v
}
// SST
for k, v := range features.Values[SstFeature].Elements {
labels["power.sst_"+k] = v
}
// Hyperthreading
if v, ok := features.Values[TopologyFeature].Elements["hardware_multithreading"]; ok {
labels["hardware_multithreading"] = v
}
return labels, nil
}
// Discover method of the FeatureSource Interface
func (s *cpuSource) Discover() error {
s.features = feature.NewDomainFeatures()
// Detect CPUID
s.features.Keys[CpuidFeature] = feature.NewKeyFeatures(getCpuidFlags()...)
// Detect CPU model
s.features.Values[Cpumodel] = feature.NewValueFeatures(getCPUModel())
// Detect cstate configuration
cstate, err := detectCstate()
if err != nil {
klog.Errorf("failed to detect cstate: %v", err)
} else {
s.features.Values[CstateFeature] = feature.NewValueFeatures(cstate)
}
// Detect pstate features
pstate, err := detectPstate()
if err != nil {
klog.Error(err)
}
s.features.Values[PstateFeature] = feature.NewValueFeatures(pstate)
// Detect RDT features
s.features.Keys[RdtFeature] = feature.NewKeyFeatures(discoverRDT()...)
// Detect SGX features
s.features.Values[SecurityFeature] = feature.NewValueFeatures(discoverSecurity())
// Detect SGX features
//
// DEPRECATED in v0.12: will be removed in the future
if val, ok := s.features.Values[SecurityFeature].Elements["sgx.enabled"]; ok {
s.features.Values[SgxFeature] = feature.NewValueFeatures(map[string]string{"enabled": val})
}
// Detect Secure Execution features
//
// DEPRECATED in v0.12: will be removed in the future
if val, ok := s.features.Values[SecurityFeature].Elements["se.enabled"]; ok {
s.features.Values[SeFeature] = feature.NewValueFeatures(map[string]string{"enabled": val})
}
// Detect SST features
s.features.Values[SstFeature] = feature.NewValueFeatures(discoverSST())
// Detect hyper-threading
s.features.Values[TopologyFeature] = feature.NewValueFeatures(discoverTopology())
utils.KlogDump(3, "discovered cpu features:", " ", s.features)
return nil
}
// GetFeatures method of the FeatureSource Interface
func (s *cpuSource) GetFeatures() *feature.DomainFeatures {
if s.features == nil {
s.features = feature.NewDomainFeatures()
}
return s.features
}
func getCPUModel() map[string]string {
cpuModelInfo := make(map[string]string)
cpuModelInfo["vendor_id"] = cpuid.CPU.VendorID.String()
cpuModelInfo["family"] = strconv.Itoa(cpuid.CPU.Family)
cpuModelInfo["id"] = strconv.Itoa(cpuid.CPU.Model)
return cpuModelInfo
}
func discoverTopology() map[string]string {
features := make(map[string]string)
if ht, err := haveThreadSiblings(); err != nil {
klog.Errorf("failed to detect hyper-threading: %v", err)
} else {
features["hardware_multithreading"] = strconv.FormatBool(ht)
}
return features
}
// Check if any (online) CPUs have thread siblings
func haveThreadSiblings() (bool, error) {
files, err := ioutil.ReadDir(source.SysfsDir.Path("bus/cpu/devices"))
if err != nil {
return false, err
}
for _, file := range files {
// Try to read siblings from topology
siblings, err := ioutil.ReadFile(source.SysfsDir.Path("bus/cpu/devices", file.Name(), "topology/thread_siblings_list"))
if err != nil {
return false, err
}
for _, char := range siblings {
// If list separator found, we determine that there are multiple siblings
if char == ',' || char == '-' {
return true, nil
}
}
}
// No siblings were found
return false, nil
}
func (s *cpuSource) initCpuidFilter() {
newFilter := keyFilter{keys: map[string]struct{}{}}
if len(s.config.Cpuid.AttributeWhitelist) > 0 {
for _, k := range s.config.Cpuid.AttributeWhitelist {
newFilter.keys[k] = struct{}{}
}
newFilter.whitelist = true
} else {
for _, k := range s.config.Cpuid.AttributeBlacklist {
newFilter.keys[k] = struct{}{}
}
newFilter.whitelist = false
}
s.cpuidFilter = &newFilter
}
func (f keyFilter) unmask(k string) bool {
if f.whitelist {
if _, ok := f.keys[k]; ok {
return true
}
} else {
if _, ok := f.keys[k]; !ok {
return true
}
}
return false
}
func init() {
source.Register(&src)
}
View git blame Copy permalink