Supports below Dockerfiles which can be built into docker images on the platforms with Intel® QuickAssist 4xxx Series QAT device.
This Dockerfile(qat_crypto_base/Dockerfile) with qatengine is built on top of latest OpenSSL, QAT_HW(qatlib intree driver) and QAT_SW with software versions mentioned in software_requirements section. This contains QAT_HW and QAT_SW co-existence build and works as defined in co-existence section
This Dockerfile(haproxy/Dockerfile) is built with Haproxy release version v3.3.0 along
with QAT crypto base mentioned above. Sample Haproxy configuration file is located at haproxy/haproxy.cfg
which can be modified as per the required use case and to be mounted from the host to the container using
-v /usr/local/etc/haproxy/haproxy.cfg.
Refer here for setting up the host for QAT_HW (qatlib intree) if the platform has QAT 4xxx Hardware device. Stop QAT service if any running on the host.
Follow the below steps to enable required service. The service can be asym only, sym only or both in step 2 depending on the particular use case. Configure the required service only to get best performance.
- Bring down the QAT devices
for i in `lspci -D -d :4940| awk '{print $1}'`; do echo down > /sys/bus/pci/devices/$i/qat/state;done
- Set up the required crypto service(s)
for i in `lspci -D -d :4940| awk '{print $1}'`; do echo “sym;asym“ > /sys/bus/pci/devices/$i/qat/cfg_services;done
- Bring up the QAT devices
for i in `lspci -D -d :4940| awk '{print $1}'`; do echo up> /sys/bus/pci/devices/$i/qat/state;done
- Check the status of the QAT devices
for i in `lspci -D -d :4940| awk '{print $1}'`; do cat /sys/bus/pci/devices/$i/qat/state;done
- Enable VF for the PF in the host
for i in `lspci -D -d :4940| awk '{print $1}'`; do echo 16|sudo tee /sys/bus/pci/devices/$i/sriov_numvfs; done
- Add QAT group and Permission to the VF devices in the host
chown root:qat /dev/vfio/*
chmod 660 /dev/vfio/*
Docker images can be built using the below command with appropriate image name.
docker build --build-arg GID=$(getent group qat | cut -d ':' -f 3) -t <docker_image_name> <path-to-dockerfile> --no-cache
Note: GID is the group id of qat group in the host.
docker run -it --cap-add=IPC_LOCK --security-opt seccomp=unconfined --security-opt apparmor=unconfined $(for i in `ls /dev/vfio/*`; do echo --device $i; done) --cpuset-cpus <2-n+1> --env QAT_POLICY=1 --ulimit memlock=524288000:524288000 < docker_image_name> openssl speed -engine qatengine -elapsed -async_jobs 72 -multi <n> <algo>
Server command: docker run --rm -it --cpuset-cpus <2-n+1> --cap-add=IPC_LOCK --security-opt seccomp=unconfined --security-opt apparmor=unconfined $(for i in `ls /dev/vfio/*`; do echo --device $i; done) --env QAT_POLICY=1 --ulimit memlock=524288000:524288000 -v /usr/local/etc/haproxy/:/usr/local/etc/haproxy/ -d -p 8080:8080 < docker_image_name> haproxy -f /usr/local/etc/haproxy/haproxy.cfg
Client command: openssl s_time -connect <server_ip>:8080 -cipher AES128-SHA256 -www /20b-file.html -time 5
Note: n is number of process or thread. 8080 port to be used for starting the haproxy service. HAproxy config file mounted from the host to the container using -v /usr/local/etc/haproxy/haproxy.cfg.