Merge pull request #303 from mregmi/main

DSA: add L2 tests and test README for DSA

Author: uMartinXu

security/dsa_rbac.yaml

@@ -0,0 +1,36 @@
+# Copyright (c) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: intel-dsa
+  namespace: intel-dsa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: intel-dsa
+  namespace: intel-dsa
+rules:
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  resourceNames:
+  - intel-dsa-scc
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: intel-dsa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: intel-dsa
+subjects:
+- kind: ServiceAccount
+  name: intel-dsa
+  namespace: intel-dsa

security/dsa_scc.yaml

@@ -0,0 +1,42 @@
+# Copyright (c) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: security.openshift.io/v1
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: 
+- SYS_RAWIO
+defaultAddCapabilities: null
+fsGroup:
+   type: MustRunAs
+groups: []
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: 'SCC for Intel DSA based workload'
+  name: intel-dsa-scc
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+seccompProfiles:
+- runtime/default
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- ephemeral
+- persistentVolumeClaim
+- projected
+- secret

tests/l2/dsa/README.md

@@ -0,0 +1,79 @@
+### Verify Intel® Data Streaming Accelerator (DSA) Technology provisioning
+This workload runs [accel-config](https://github.com/intel/idxd-config) sample tests using RedHat built and distributed accel-config RPM packages from the rhel-9-for-x86_64-baseos-rpms repo. Refer to the [accel config readme](https://github.com/intel/idxd-config/blob/stable/README.md) for more details. 
+
+*	Build the workload container image
+
+Please replace the credentials in buildconfig yaml with your RedHat account login credentials. 
+
+```
+$ oc apply -f https://raw.githubusercontent.com/intel/intel-technology-enabling-for-openshift/main/tests/l2/dsa/dsa_build.yaml 
+```
+
+* Create SCC intel-dsa-scc for Intel DSA based workload, if this SCC is not created   
+  
+```
+$ oc apply -f https://raw.githubusercontent.com/intel/intel-technology-enabling-for-openshift/main/security/dsa_scc.yaml
+```
+      
+* Create the intel-dsa service account to use intel-dsa-scc
+  
+```
+$ oc apply -f https://raw.githubusercontent.com/intel/intel-technology-enabling-for-openshift/main/security/dsa_rbac.yaml
+```
+
+* Deploy the accel-config workload job with intel-dsa service account
+  
+```
+$ oc apply -f https://raw.githubusercontent.com/intel/intel-technology-enabling-for-openshift/main/tests/l2/dsa/dsa_job.yaml
+```
+
+* Check the results.
+``` 
+  $ oc get pods
+  intel-dsa-workload-244xm   0/1     Completed   0          3m12s
+```
+
+* sample test logs
+```
+$ oc logs intel-dsa-workload-244xm
+dsa0/wq0.1
+dsa0
+Testing with 'block on fault' flag ON
+Performing dedicated WQ NOOP testing
+Testing 1 bytes
+[ info] alloc wq 1 dedicated size 16 addr 0x7f0cde00b000 batch sz 0x400 xfer sz 0x80000000
+[ info] testnoop: tflags 0x1 num_desc 1
+[ info] preparing descriptor for noop
+[ info] Submitted all noop jobs
+[ info] verifying task result for 0x2041620
+[ info] test with op 0 passed
+Testing 4096 bytes
+[ info] alloc wq 1 dedicated size 16 addr 0x7fd4881da000 batch sz 0x400 xfer sz 0x80000000
+[ info] testnoop: tflags 0x1 num_desc 1
+[ info] preparing descriptor for noop
+[ info] Submitted all noop jobs
+[ info] verifying task result for 0x82f620
+[ info] test with op 0 passed
+Testing 65536 bytes
+[ info] alloc wq 1 dedicated size 16 addr 0x7f462bbed000 batch sz 0x400 xfer sz 0x80000000
+[ info] testnoop: tflags 0x1 num_desc 1
+[ info] preparing descriptor for noop
+[ info] Submitted all noop jobs
+[ info] verifying task result for 0xe4e620
+[ info] test with op 0 passed
+Testing 1048576 bytes
+[ info] alloc wq 1 dedicated size 16 addr 0x7fac2ac0c000 batch sz 0x400 xfer sz 0x80000000
+[ info] testnoop: tflags 0x1 num_desc 1
+[ info] preparing descriptor for noop
+[ info] Submitted all noop jobs
+[ info] verifying task result for 0xf21620
+[ info] test with op 0 passed
+Testing 2097152 bytes
+[ info] alloc wq 1 dedicated size 16 addr 0x7f7426a5c000 batch sz 0x400 xfer sz 0x80000000
+[ info] testnoop: tflags 0x1 num_desc 1
+[ info] preparing descriptor for noop
+[ info] Submitted all noop jobs
+[ info] verifying task result for 0xeec620
+[ info] test with op 0 passed
+Performing shared WQ NOOP testing
+```

tests/l2/dsa/dsa_build.yaml

@@ -0,0 +1,60 @@
+# Copyright (c) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+  name: intel-dsa-workload
+  namespace: intel-dsa
+spec: {}
+---
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+  name: intel-dsa-workload
+  namespace: intel-dsa
+spec:
+  triggers:
+    - type: "ConfigChange"
+    - type: "ImageChange"
+  runPolicy: "Serial"
+  source:
+    type: Dockerfile
+    dockerfile: |
+        
+        ARG BUILDER=registry.access.redhat.com/ubi9:latest
+        FROM ${BUILDER} 
+        RUN subscription-manager register  --username=${USERNAME} --password=${PASSWORD} && \
+            subscription-manager attach --auto && \
+            dnf repolist --disablerepo=* && \
+            subscription-manager repos --enable rhel-9-for-x86_64-baseos-rpms --enable codeready-builder-for-rhel-9-x86_64-rpms && \
+            dnf -y update && \
+            dnf install -y gcc g++ make cmake autoconf automake libtool pkg-config \
+              git asciidoc xmlto libuuid-devel json-c-devel zlib-devel openssl-devel \
+              pciutils accel-config
+        RUN git clone -b accel-config-v4.1.8 https://github.com/intel/idxd-config && \
+          cd idxd-config && ./autogen.sh && ./configure CFLAGS='-g -O2' --prefix=/usr \
+          --sysconfdir=/etc --libdir=/usr/lib64 --enable-test=yes && make && make install
+  strategy:
+    type: Docker
+    noCache: true
+    dockerStrategy:
+      buildArgs:
+          - name: "BUILDER"
+            value: "registry.access.redhat.com/ubi9:latest"
+      env:
+          - name: "USERNAME"
+            valueFrom:
+              secretKeyRef:
+                key: username
+                name: rh-auth
+          - name: "PASSWORD"
+            valueFrom:
+              secretKeyRef:
+                key: password
+                name: rh-auth
+
+  output:
+    to:
+      kind: ImageStreamTag
+      name: intel-dsa-workload:latest

tests/l2/dsa/dsa_job.yaml

@@ -0,0 +1,29 @@
+# Copyright (c) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: intel-dsa-workload
+  namespace: intel-dsa
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: intel-dsa-job
+        image: image-registry.openshift-image-registry.svc:5000/intel-dsa/intel-dsa-workload:latest
+        imagePullPolicy: IfNotPresent
+        workingDir: "/usr/libexec/accel-config/test/"
+        command:
+          - "./dsa_user_test_runner.sh"
+        args:
+          - "--skip-config"
+        capabilities:
+          add:
+            [SYS_RAWIO]
+        resources:
+          limits:
+            dsa.intel.com/wq-user-dedicated: 1
+      restartPolicy: Never
+      serviceAccountName: intel-dsa