openshift
diff --git a/‎modules/nw-openstack-ovs-dpdk-testpmd-pod.adoc‎
Lines changed: 8 additions & 4 deletions b/‎modules/nw-openstack-ovs-dpdk-testpmd-pod.adoc‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎modules/nw-running-dpdk-rootless-tap.adoc‎
Lines changed: 57 additions & 51 deletions b/‎modules/nw-running-dpdk-rootless-tap.adoc‎
Lines changed: 57 additions & 51 deletions
diff --git a/‎modules/nw-sriov-app-netutil.adoc‎
Lines changed: 1 addition & 0 deletions b/‎modules/nw-sriov-app-netutil.adoc‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎modules/nw-sriov-concept-dpdk-line-rate.adoc‎
Lines changed: 3 additions & 3 deletions b/‎modules/nw-sriov-concept-dpdk-line-rate.adoc‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎modules/nw-sriov-create-object.adoc‎
Lines changed: 10 additions & 6 deletions b/‎modules/nw-sriov-create-object.adoc‎
Lines changed: 10 additions & 6 deletions
@@ -6,6 +6,7 @@
 [id="nw-openstack-ovs-dpdk-testpmd-pod_{context}"]
 = A test pod template for clusters that use OVS-DPDK on OpenStack
 
+[role="_abstract"]
 The following `testpmd` pod demonstrates container creation with huge pages, reserved CPUs, and the SR-IOV port.
 
 .An example `testpmd` pod
@@ -35,7 +36,7 @@ spec:
         memory: 1000Mi
         hugepages-1Gi: 1Gi
         cpu: '2'
-        openshift.io/dpdk1: 1 <1>
+        openshift.io/dpdk1: 1
       limits:
         hugepages-1Gi: 1Gi
         cpu: '2'
@@ -45,11 +46,14 @@ spec:
       - mountPath: /mnt/huge
         name: hugepage
         readOnly: False
-  runtimeClassName: performance-cnf-performanceprofile <2>
+  runtimeClassName: performance-cnf-performanceprofile
   volumes:
   - name: hugepage
     emptyDir:
       medium: HugePages
 ----
-<1> The name `dpdk1` in this example is a user-created `SriovNetworkNodePolicy` resource. You can substitute this name for that of a resource that you create.
-<2> If your performance profile is not named `cnf-performance profile`, replace that string with the correct performance profile name.
+
+--
+* The name `dpdk1` in this example is a user-created `SriovNetworkNodePolicy` resource. You can substitute this name for that of a resource that you create.
+* If your performance profile is not named `cnf-performance profile`, replace that string with the correct performance profile name.
+--
@@ -6,9 +6,10 @@
 [id="nw-running-dpdk-rootless-tap_{context}"]
 = Using the TAP CNI to run a rootless DPDK workload with kernel access
 
+[role="_abstract"]
 DPDK applications can use `virtio-user` as an exception path to inject certain types of packets, such as log messages, into the kernel for processing. For more information about this feature, see link:https://doc.dpdk.org/guides/howto/virtio_user_as_exception_path.html[Virtio_user as Exception Path].
 
-In OpenShift Container Platform version 4.14 and later, you can use non-privileged pods to run DPDK applications alongside the tap CNI plugin. To enable this functionality, you need to mount the `vhost-net` device by setting the `needVhostNet` parameter to `true` within the `SriovNetworkNodePolicy` object.
+In {product-title} version 4.14 and later, you can use non-privileged pods to run DPDK applications alongside the tap CNI plugin. To enable this functionality, you need to mount the `vhost-net` device by setting the `needVhostNet` parameter to `true` within the `SriovNetworkNodePolicy` object.
 
 .DPDK and TAP example configuration
 image::348_OpenShift_rootless_DPDK_0923.png[DPDK and TAP plugin]
@@ -27,7 +28,7 @@ Use the Machine Config Operator to set this SELinux boolean.
 
 .Procedure
 
-. Create a file, such as `test-namespace.yaml`, with content like the following example:
+. Create a file, such as `test-namespace.yaml`, with content such as the following example:
 +
 [source,yaml]
 ----
@@ -49,7 +50,7 @@ metadata:
 $ oc apply -f test-namespace.yaml
 ----
 
-. Create a file, such as `sriov-node-network-policy.yaml`, with content like the following example::
+. Create a file, such as `sriov-node-network-policy.yaml`, with content such as the following example:
 +
 [source,yaml]
 ----
@@ -59,24 +60,27 @@ metadata:
  name: sriovnic
  namespace: openshift-sriov-network-operator
 spec:
- deviceType: netdevice <1>
- isRdma: true <2>
- needVhostNet: true <3>
+ deviceType: netdevice
+ isRdma: true
+ needVhostNet: true
  nicSelector:
-   vendor: "15b3" <4>
-   deviceID: "101b" <5>
+   vendor: "15b3"
+   deviceID: "101b"
    rootDevices: ["00:05.0"]
  numVfs: 10
  priority: 99
  resourceName: sriovnic
  nodeSelector:
     feature.node.kubernetes.io/network-sriov.capable: "true"
 ----
-<1> This indicates that the profile is tailored specifically for Mellanox Network Interface Controllers (NICs).
-<2> Setting `isRdma` to `true` is only required for a Mellanox NIC.
-<3> This mounts the `/dev/net/tun` and `/dev/vhost-net` devices into the container so the application can create a tap device and connect the tap device to the DPDK workload.
-<4> The vendor hexadecimal code of the SR-IOV network device. The value 15b3 is associated with a Mellanox NIC.
-<5> The device hexadecimal code of the SR-IOV network device.
++
+where:
++
+`spec.deviceType`:: Specifies that the profile is tailored specifically for Mellanox Network Interface Controllers (NICs). Set to `netdevice`.
+`spec.isRdma`:: Setting to `true` is only required for a Mellanox NIC.
+`spec.needVhostNet`:: Setting to `true` mounts the `/dev/net/tun` and `/dev/vhost-net` devices into the container so the application can create a tap device and connect the tap device to the DPDK workload.
+`spec.nicSelector.vendor`:: Specifies the vendor hexadecimal code of the SR-IOV network device. The value `"15b3"` is associated with a Mellanox NIC.
+`spec.nicSelector.deviceID`:: Specifies the device hexadecimal code of the SR-IOV network device.
 
 . Create the `SriovNetworkNodePolicy` object by running the following command:
 +
@@ -115,15 +119,15 @@ An optional library, `app-netutil`, provides several API methods for gathering n
 $ oc create -f sriov-network-attachment.yaml
 ----
 
-. Create a file, such as `tap-example.yaml`, that defines a network attachment definition, with content like the following example:
+. Create a file, such as `tap-example.yaml`, that defines a network attachment definition, with content such as the following example:
 +
 [source,yaml]
 ----
 apiVersion: "k8s.cni.cncf.io/v1"
 kind: NetworkAttachmentDefinition
 metadata:
  name: tap-one
- namespace: test-namespace <1>
+ namespace: test-namespace
 spec:
  config: '{
    "cniVersion": "0.4.0",
@@ -143,7 +147,10 @@ spec:
    ]
  }'
 ----
-<1> Specify the same `target_namespace` where the `SriovNetwork` object is created.
++
+where:
++
+`metadata.namespace`:: Specifies the same `target_namespace` where the `SriovNetwork` object is created.
 
 . Create the `NetworkAttachmentDefinition` object by running the following command:
 +
@@ -152,15 +159,15 @@ spec:
 $ oc apply -f tap-example.yaml
 ----
 
-. Create a file, such as `dpdk-pod-rootless.yaml`, with content like the following example:
+. Create a file, such as `dpdk-pod-rootless.yaml`, with content such as the following example:
 +
 [source,yaml]
 ----
 apiVersion: v1
 kind: Pod
 metadata:
   name: dpdk-app
-  namespace: test-namespace <1>
+  namespace: test-namespace
   annotations:
     k8s.v1.cni.cncf.io/networks: '[
       {"name": "sriov-network", "namespace": "test-namespace"},
@@ -169,64 +176,63 @@ spec:
   nodeSelector:
     kubernetes.io/hostname: "worker-0"
   securityContext:
-      fsGroup: 1001 <2>
-      runAsGroup: 1001 <3>
+      fsGroup: 1001
+      runAsGroup: 1001
       seccompProfile:
         type: RuntimeDefault
   containers:
   - name: testpmd
-    image: <DPDK_image> <4>
+    image: <DPDK_image>
     securityContext:
       capabilities:
-        drop: ["ALL"] <5>
-        add: <6>
+        drop: ["ALL"]
+        add:
           - IPC_LOCK
-          - NET_RAW #for mlx only <7>
-      runAsUser: 1001 <8>
-      privileged: false <9>
-      allowPrivilegeEscalation: true <10>
-      runAsNonRoot: true <11>
+          - NET_RAW #for mlx only
+      runAsUser: 1001
+      privileged: false
+      allowPrivilegeEscalation: true
+      runAsNonRoot: true
     volumeMounts:
-    - mountPath: /mnt/huge <12>
+    - mountPath: /mnt/huge
       name: hugepages
     resources:
       limits:
-        openshift.io/sriovnic: "1" <13>
+        openshift.io/sriovnic: "1"
         memory: "1Gi"
-        cpu: "4" <14>
-        hugepages-1Gi: "4Gi" <15>
+        cpu: "4"
+        hugepages-1Gi: "4Gi"
       requests:
         openshift.io/sriovnic: "1"
         memory: "1Gi"
         cpu: "4"
         hugepages-1Gi: "4Gi"
     command: ["sleep", "infinity"]
-  runtimeClassName: performance-cnf-performanceprofile <16>
+  runtimeClassName: performance-cnf-performanceprofile
   volumes:
   - name: hugepages
     emptyDir:
       medium: HugePages
 ----
 +
---
-<1> Specify the same `target_namespace` in which the `SriovNetwork` object is created. If you want to create the pod in a different namespace, change `target_namespace` in both the `Pod` spec and the `SriovNetwork` object.
-<2> Sets the group ownership of volume-mounted directories and files created in those volumes.
-<3> Specify the primary group ID used for running the container.
-<4> Specify the DPDK image that contains your application and the DPDK library used by application.
-<5> Removing all capabilities (`ALL`) from the container's securityContext means that the container has no special privileges beyond what is necessary for normal operation.
-<6> Specify additional capabilities required by the application inside the container for hugepage allocation, system resource allocation, and network interface access. These capabilities must also be set in the binary file by using the `setcap` command.
-<7> Mellanox network interface controller (NIC) requires the `NET_RAW` capability.
-<8> Specify the user ID used for running the container.
-<9> This setting indicates that the container or containers within the pod should not be granted privileged access to the host system.
-<10>  This setting allows a container to escalate its privileges beyond the initial non-root privileges it might have been assigned.
-<11> This setting ensures that the container runs with a non-root user. This helps enforce the principle of least privilege, limiting the potential impact of compromising the container and reducing the attack surface.
-<12> Mount a hugepage volume to the DPDK pod under `/mnt/huge`. The hugepage volume is backed by the emptyDir volume type with the medium being `Hugepages`.
-<13> Optional: Specify the number of DPDK devices allocated for the DPDK pod. If not explicitly specified, this resource request and limit is automatically added by the SR-IOV network resource injector. The SR-IOV network resource injector is an admission controller component managed by SR-IOV Operator. It is enabled by default and can be disabled by setting the `enableInjector` option to `false` in the default `SriovOperatorConfig` CR.
-<14> Specify the number of CPUs. The DPDK pod usually requires exclusive CPUs to be allocated from the kubelet. This is achieved by setting CPU Manager policy to `static` and creating a pod with `Guaranteed` QoS.
-<15> Specify hugepage size `hugepages-1Gi` or `hugepages-2Mi` and the quantity of hugepages that will be allocated to the DPDK pod. Configure `2Mi` and `1Gi` hugepages separately. Configuring `1Gi` hugepage requires adding kernel arguments to Nodes. For example, adding kernel arguments `default_hugepagesz=1GB`, `hugepagesz=1G` and `hugepages=16` will result in `16*1Gi` hugepages be allocated during system boot.
-<16> If your performance profile is not named `cnf-performance profile`, replace that string with the correct performance profile name.
---
+where:
 +
+`metadata.namespace`:: Specifies the same `target_namespace` in which the `SriovNetwork` object is created. If you want to create the pod in a different namespace, change `target_namespace` in both the `Pod` spec and the `SriovNetwork` object.
+`spec.securityContext.fsGroup`:: Sets the group ownership of volume-mounted directories and files created in those volumes.
+`spec.securityContext.runAsGroup`:: Specifies the primary group ID used for running the container.
+`spec.containers.image`:: Specifies the DPDK image that contains your application and the DPDK library used by application.
+`spec.containers.securityContext.capabilities.drop`:: Removing all capabilities (`ALL`) from the container's `securityContext` means that the container has no special privileges beyond what is necessary for normal operation.
+`spec.containers.securityContext.capabilities.add`:: Specifies additional capabilities required by the application inside the container for hugepage allocation, system resource allocation, and network interface access. These capabilities must also be set in the binary file by using the `setcap` command. Mellanox network interface controller (NIC) requires the `NET_RAW` capability.
+`spec.containers.securityContext.runAsUser`:: Specifies the user ID used for running the container.
+`spec.containers.securityContext.privileged`:: Setting to `false` indicates that the container or containers within the pod should not be granted privileged access to the host system.
+`spec.containers.securityContext.allowPrivilegeEscalation`:: Setting to `true` allows a container to escalate its privileges beyond the initial non-root privileges it might have been assigned.
+`spec.containers.securityContext.runAsNonRoot`:: Setting to `true` ensures that the container runs with a non-root user. This helps enforce the principle of least privilege, limiting the potential impact of compromising the container and reducing the attack surface.
+`spec.containers.volumeMounts.mountPath`:: Specifies the path where a hugepage volume is mounted in the DPDK pod. The hugepage volume is backed by the `emptyDir` volume type with the medium being `Hugepages`.
+`spec.containers.resources.limits.openshift.io/sriovnic`:: Optional: Specifies the number of DPDK devices allocated for the DPDK pod. If not explicitly specified, this resource request and limit is automatically added by the SR-IOV network resource injector. The SR-IOV network resource injector is an admission controller component managed by SR-IOV Operator. It is enabled by default and can be disabled by setting the `enableInjector` option to `false` in the default `SriovOperatorConfig` CR.
+`spec.containers.resources.limits.cpu`:: Specifies the number of CPUs. The DPDK pod usually requires exclusive CPUs to be allocated from the kubelet. This is achieved by setting CPU Manager policy to `static` and creating a pod with `Guaranteed` QoS.
+`spec.containers.resources.limits.hugepages-1Gi`:: Specifies the hugepage size `hugepages-1Gi` or `hugepages-2Mi` and the quantity of hugepages that will be allocated to the DPDK pod. Configure `2Mi` and `1Gi` hugepages separately. Configuring `1Gi` hugepage requires adding kernel arguments to Nodes. For example, adding kernel arguments `default_hugepagesz=1GB`, `hugepagesz=1G` and `hugepages=16` will result in `16*1Gi` hugepages be allocated during system boot.
+`spec.runtimeClassName`:: Specifies the performance profile runtime class. If your performance profile is not named `cnf-performance profile`, replace that string with the correct performance profile name.
+
 . Create the DPDK pod by running the following command:
 +
 [source,terminal]
 
@@ -6,6 +6,7 @@
 [id="nw-sriov-app-netutil_{context}"]
 = DPDK library for use with container applications
 
+[role="_abstract"]
 An link:https://github.com/openshift/app-netutil[optional library], `app-netutil`, provides several API methods for gathering network information about a pod from within a container running within that pod.
 
 This library can assist with integrating SR-IOV virtual functions (VFs) in Data Plane Development Kit (DPDK) mode into the container.
 
@@ -6,6 +6,7 @@
 [id="nw-sriov-example-dpdk-line-rate_{context}"]
 = Overview of achieving a specific DPDK line rate
 
+[role="_abstract"]
 To achieve a specific Data Plane Development Kit (DPDK) line rate, deploy a Node Tuning Operator and configure Single Root I/O Virtualization (SR-IOV). You must also tune the DPDK settings for the following resources:
 
 - Isolated CPUs
@@ -17,13 +18,12 @@ To achieve a specific Data Plane Development Kit (DPDK) line rate, deploy a Node
 In previous versions of {product-title}, the Performance Addon Operator was used to implement automatic tuning to achieve low latency performance for {product-title} applications. In {product-title} 4.11 and later, this functionality is part of the Node Tuning Operator.
 ====
 
-.DPDK test environment
-The following diagram shows the components of a traffic-testing environment:
+The following diagram shows the components of a DPDK test environment:
 
 image::261_OpenShift_DPDK_0722.png[DPDK test environment]
 
 - **Traffic generator**: An application that can generate high-volume packet traffic.
-- **SR-IOV-supporting NIC**: A network interface card compatible with SR-IOV. The card runs a number of virtual functions on a physical interface.
+- **SR-IOV-supporting NIC**: A network interface controller (NIC) compatible with SR-IOV. The card runs several virtual functions on a physical interface.
 - **Physical Function (PF)**: A PCI Express (PCIe) function of a network adapter that supports the SR-IOV interface.
 - **Virtual Function (VF)**:  A lightweight PCIe function on a network adapter that supports SR-IOV. The VF is associated with the PCIe PF on the network adapter. The VF represents a virtualized instance of the network adapter.
 - **Switch**: A network switch. Nodes can also be connected back-to-back.
 
@@ -6,6 +6,7 @@
 [id="nw-sriov-create-object_{context}"]
 = Example SR-IOV network operator
 
+[role="_abstract"]
 The following is an example definition of an `sriovNetwork` object. In this case, Intel and Mellanox configurations are identical:
 [source,yaml]
 ----
@@ -16,11 +17,11 @@ metadata:
   namespace: openshift-sriov-network-operator
 spec:
   ipam: '{"type": "host-local","ranges": [[{"subnet": "10.0.1.0/24"}]],"dataDir":
-   "/run/my-orchestrator/container-ipam-state-1"}' <1>
-  networkNamespace: dpdk-test <2>
+   "/run/my-orchestrator/container-ipam-state-1"}'
+  networkNamespace: dpdk-test
   spoofChk: "off"
   trust: "on"
-  resourceName: dpdk_nic_1 <3>
+  resourceName: dpdk_nic_1
 ---
 apiVersion: sriovnetwork.openshift.io/v1
 kind: SriovNetwork
@@ -35,6 +36,9 @@ spec:
   trust: "on"
   resourceName: dpdk_nic_2
 ----
-<1> You can use a different IP Address Management (IPAM) implementation, such as Whereabouts. For more information, see _Dynamic IP address assignment configuration with Whereabouts_.
-<2> You must request the `networkNamespace` where the network attachment definition will be created. You must create the `sriovNetwork` CR under the `openshift-sriov-network-operator` namespace.
-<3> The `resourceName` value must match that of the `resourceName` created under the `sriovNetworkNodePolicy`.
+
+--
+* You can use a different IP Address Management (IPAM) implementation, such as Whereabouts. For more information, see _Dynamic IP address assignment configuration with Whereabouts_.
+* You must request the `networkNamespace` where the network attachment definition will be created. You must create the `sriovNetwork` CR under the `openshift-sriov-network-operator` namespace.
+* The `resourceName` value must match that of the `resourceName` created under the `sriovNetworkNodePolicy`.
+--