Configure DPDK on CN-Series Firewall


Data Plane Development Kit (DPDK) provides a simple framework for fast packet processing in dataplane applications.
Where Can I Use This?
What Do I Need?
  • CN-Series
  • CN-Series 10.2.x or above Container Images
  • Panorama running PAN-OS 10.2.x or above version
  • Helm 3.6 or above version client
DPDK mode is supported on the CN-Series Firewall only when it is deployed as a Kubernetes Container Network Function (CNF).
DHCP IPAM is not supported in DPDK mode.

System Requirements

To run a DPDK application, you must make the following customizations on the target machine.
  • Kernel Configuration
    —Enable the HUGETLBFS option in the host OS kernel.
  • KNI and UIO/VFIO
    —Load (insert) the KNI and UIO/VFIO kernel modules into the host OS kernel.
  • Hugepages
    1. Reserve hugepages
      • Reserve hugepages at runtime, before the pod starts. Write the number of hugepages required to the nr_hugepages file in the /sys/kernel/mm/hugepages directory that corresponds to the page size (in KB). For example, use the following command on a single-node system if 1024 pages of 2 MB are required.
        echo 1024 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
      • Reserve hugepages at boot. For example, to reserve 4 GB of hugepage memory as four 1 GB pages, pass the following options to the kernel command line.
        default_hugepagesz=1G hugepagesz=1G hugepages=4
    2. Use hugepages with DPDK
      —Create a mount point for hugepages, because PAN-OS 10.2 uses DPDK secondary processes.
      The following sample commands create a hugetlbfs mount with a 1 GB page size for DPDK use (the -o option and a placeholder device name are required by mount).
      mkdir -p /mnt/huge
      mount -t hugetlbfs -o pagesize=1GB none /mnt/huge
    3. Restart the kubelet service on the host after enabling hugepages using the following command.
      sudo systemctl restart kubelet
    4. Check the hugetlb limit of the kubepods cgroup
      to make sure its size matches the reserved hugepage size. If it does not match, update the limit with the following command (2147483648 bytes is 2 GB).
      echo 2147483648 > /sys/fs/cgroup/hugetlb/kubepods.slice/hugetlb.2MB.limit_in_bytes
      In a pod, applications can allocate and consume pre-allocated hugepages of multiple sizes. Applications consume hugepages through container-level resource requirements using the resource name hugepages-<size> (for example, hugepages-2Mi in the snippet below).
      Unlike CPU or memory, hugepages do not support overcommit.
      Privileged mode is enabled to access the host device space. To list and bind network devices to a container, mount the host directories that expose the devices into the container (the snippet below mounts /sys and /dev) so that DPDK can access the files within them.
      The following snippet enables hugepages for DPDK. It is a fragment of the pod specification: requests, limits, volumeMounts, envFrom and env belong to the firewall container, and volumes belongs to the pod.
      requests:
        cpu: "1"
        memory: "4Gi"
        hugepages-2Mi: 4Gi
      limits:
        cpu: "1"
        memory: "4Gi"
        hugepages-2Mi: 4Gi
      volumeMounts:
        - mountPath: /sys
          name: sys
        - mountPath: /dev
          name: dev
        - mountPath: /dev/shm
          name: dshm
        - mountPath: /run/tmp
          name: hosttmp
        - mountPath: /etc/pan-fw-sw
          name: sw-secret
      envFrom:
        - configMapRef:
            name: pan-ngfw-config-0
      env:
        - name: CPU_REQUEST
          valueFrom:
            resourceFieldRef:
              containerName: pan-ngfw-container
              resource: requests.cpu
        - name: CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              containerName: pan-ngfw-container
              resource: limits.cpu
        - name: MEMORY_REQUEST
          valueFrom:
            resourceFieldRef:
              containerName: pan-ngfw-container
              resource: requests.memory
        - name: MEMORY_LIMIT
          valueFrom:
            resourceFieldRef:
              containerName: pan-ngfw-container
              resource: limits.memory
        - name: MY_POD_UUID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
        - name: MY_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath:   # value not present in the source text
        - name: MY_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: MY_POD_SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: MY_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
      volumes:
        - name: sys
          hostPath:
            path: /sys
        - name: dev
          hostPath:
            path: /dev
        - name: hosttmp
          hostPath:
            path: /tmp/pan
        - name: dshm
          emptyDir:
            medium: Memory
        - name: sw-secret
          secret:
            secretName: pan-fw-sw
  • NUMA and CPU Pinning
    —Multiple DPDK processes cannot run on the same core, because doing so causes memory pool cache corruption among other issues. The secondary processes are therefore pinned to a different core. Use the CPU pinning options to control the secondary processes.
  • Config and Pod Changes
    • Enable DPDK mode by setting
      PAN_DATA_MODE: "dpdk"
      DPDK is not the default mode for the CN-Series deployed as a Kubernetes CNF.
    • Match the corresponding configuration parameter with the hugepage memory request.
      If hugepage memory is not available, the firewall falls back to MMAP mode.
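The host-side steps above (reserve hugepages, mount hugetlbfs, restart kubelet, check the kubepods hugetlb limit) combined into one script, with a check after each step. This is an added example, not code from the Palo Alto Networks page or product. It assumes 2 MB pages by default, the cgroup v1 hugetlb controller at the path the page uses, a systemd-managed kubelet and root for the privileged steps; PAGE_KB, NR_PAGES, MOUNT_POINT, SYSFS_ROOT and RUN_PREPARE_HOST are the script's own variables. The size arithmetic and the /proc/meminfo check are kept in separate functions so they can be exercised without root.

```bash
#!/usr/bin/env bash
# Added example (not from the Palo Alto Networks page): carry out host steps 1-4
# for CN-Series DPDK mode with a check between each step.
# Assumptions: 2 MB pages by default, cgroup v1 hugetlb controller under
# /sys/fs/cgroup/hugetlb, systemd-managed kubelet, root for the privileged steps.
set -eu

PAGE_KB=${PAGE_KB:-2048}          # hugepage size in KB (2048 = 2 MB, 1048576 = 1 GB)
NR_PAGES=${NR_PAGES:-1024}        # pages to reserve (1024 x 2 MB = 2 GB, as on the page)
MOUNT_POINT=${MOUNT_POINT:-/mnt/huge}
SYSFS_ROOT=${SYSFS_ROOT:-/sys}    # overridable so the helpers can run without root

# Bytes covered by N pages of the given size: the value the kubepods hugetlb
# limit must allow and the value behind the pod's hugepages-<size> request.
hugepage_bytes() {
  echo $(( $1 * $2 * 1024 ))
}

# cgroup v1 limit file name for a page size in KB:
# 2048 -> hugetlb.2MB.limit_in_bytes, 1048576 -> hugetlb.1GB.limit_in_bytes
hugetlb_limit_file() {
  if [ "$1" -ge 1048576 ]; then
    echo "hugetlb.$(( $1 / 1048576 ))GB.limit_in_bytes"
  else
    echo "hugetlb.$(( $1 / 1024 ))MB.limit_in_bytes"
  fi
}

# HugePages_Total from /proc/meminfo-style text on stdin (0 when absent). The
# kernel silently reserves fewer pages than requested when memory is fragmented.
meminfo_total_pages() {
  awk '/^HugePages_Total:/ { print $2; found = 1 } END { if (!found) print 0 }'
}

# True when an existing limit ("max" or a byte count) already covers the request.
limit_is_sufficient() {
  [ "$1" = "max" ] || [ "$1" -ge "$2" ]
}

# Privileged steps; run only on request so the helpers can be sourced or tested
# on a machine where writing to /sys is not possible.
prepare_host() {
  local sysdir="$SYSFS_ROOT/kernel/mm/hugepages/hugepages-${PAGE_KB}kB"
  local needed got limit_file current
  needed=$(hugepage_bytes "$NR_PAGES" "$PAGE_KB")

  # Step 1: runtime reservation, before the firewall pod is started.
  echo "$NR_PAGES" > "$sysdir/nr_hugepages"
  got=$(meminfo_total_pages < /proc/meminfo)
  if [ "$got" -lt "$NR_PAGES" ]; then
    echo "only $got of $NR_PAGES pages reserved; reserve at boot with hugepages= instead" >&2
    return 1
  fi

  # Step 2: mount point for the DPDK secondary processes (skipped if already mounted).
  mkdir -p "$MOUNT_POINT"
  mountpoint -q "$MOUNT_POINT" || mount -t hugetlbfs -o "pagesize=${PAGE_KB}K" none "$MOUNT_POINT"

  # Step 3: kubelet only advertises the new hugepages-<size> capacity after a restart.
  systemctl restart kubelet

  # Step 4: the kubepods hugetlb limit must cover what the pod will request.
  limit_file="$SYSFS_ROOT/fs/cgroup/hugetlb/kubepods.slice/$(hugetlb_limit_file "$PAGE_KB")"
  if [ -f "$limit_file" ]; then
    current=$(cat "$limit_file")
    limit_is_sufficient "$current" "$needed" || echo "$needed" > "$limit_file"
  fi
}

if [ "${RUN_PREPARE_HOST:-0}" = 1 ]; then
  prepare_host
fi
```

Run it as root with RUN_PREPARE_HOST=1 (and PAGE_KB=1048576 NR_PAGES=4 for the four 1 GB pages from the boot example); the script stops if the kernel reserved fewer pages than asked for, which is the usual reason a later hugepages-2Mi request stays Pending. After the kubelet restart, kubectl describe node on the worker should list the reserved amount under the hugepages-<size> capacity.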
For more information, see DPDK system requirements.
You can set up DPDK on on-premises worker nodes and on AWS EKS clusters.
