Intel® QAT + NGINX* Container

In this section we will again use the container image generated in the previous section. This time we will configure and run NGINX.

Prior to running NGINX, we need to configure the application. This involves the following steps:

  • Create a working directory that will be used to launch the NGINX container

  • Create an OpenSSL configuration file that enables QAT_Engine as the default engine

  • Create a self-signed key pair that NGINX will use for HTTPS traffic

  • Create the NGINX configuration file

Working Directory

This directory will contain the configuration files that will be passed to the NGINX container.

  1. Create a working directory.

    mkdir -p ~/tmp/nginx
    cd ~/tmp/nginx
    

OpenSSL Configuration File

This configuration file enables QAT_Engine as the default Engine within OpenSSL.

  1. Create a file named openssl.cnf.

    vi openssl.cnf
    
  2. Add the following content to the file openssl.cnf:

    openssl_conf = openssl_init
    [ openssl_init ]
    engines = engine_section
    [ engine_section ]
    qat = qat_section
    [ qat_section ]
    engine_id = qatengine
    default_algorithms = ALL
    

Create Key Pair

In this example container we use a self-signed private/public key pair.

  1. Create the SSL certificates.

    sudo openssl req -x509 -new -batch -nodes -subj '/CN=localhost' -keyout tls.key -out tls.pem
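
The check below is an added example, not part of the original guide. Before the pair is mounted into the container, it confirms that tls.key matches tls.pem, that the certificate covers the host name clients will use, and that it is not about to expire (openssl req -x509 issues a 30-day certificate when -days is not given, as in the command above). The function name check_tls_pair and its return codes are assumptions made for this example.

```bash
#!/bin/sh
# Added example: pre-flight check for the tls.key / tls.pem pair before it is
# bind-mounted into the NGINX container. check_tls_pair is a hypothetical name.
#
# usage: check_tls_pair KEY CERT HOST [MIN_SECONDS_LEFT]
# returns 0 = ok
#         1 = key and certificate do not belong together
#         2 = certificate expires within MIN_SECONDS_LEFT (default: 1 day)
#         3 = HOST is not covered by the certificate
#         4 = key or certificate could not be parsed
check_tls_pair() {
    # Extract both public keys as PEM. Fail closed when a file is unreadable,
    # so two empty strings can never compare as "equal".
    _key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 4
    _cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 4
    [ -n "$_key_pub" ] && [ "$_key_pub" = "$_cert_pub" ] || return 1

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$2" -noout -checkend "${4:-86400}" >/dev/null || return 2

    # -checkhost applies the name matching a verifying client would perform.
    openssl x509 -in "$2" -noout -checkhost "$3" \
        | grep -q 'does match' || return 3
    return 0
}

# Constructed sample input: a throwaway pair made with the guide's own command
# (without sudo) in a temporary directory, so the check can be tried offline.
demo_dir=$(mktemp -d)
( cd "$demo_dir" && openssl req -x509 -new -batch -nodes -subj '/CN=localhost' \
      -keyout tls.key -out tls.pem 2>/dev/null )

rc=0
check_tls_pair "$demo_dir/tls.key" "$demo_dir/tls.pem" localhost || rc=$?
echo "check_tls_pair exit code: $rc"
rm -rf "$demo_dir"
```

Against the real files, run check_tls_pair tls.key tls.pem localhost from the working directory; a fourth argument such as 2678400 (31 days) shows how close the default 30-day certificate is to expiry.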
    

NGINX Configuration File

This section includes the NGINX configuration file that enables QAT_Engine.

  1. Create a file named nginx.conf.

    vi nginx.conf
    
  2. Add the following content to the file nginx.conf:

    user root;
    worker_processes 8;
    
    load_module /usr/lib64/nginx/ngx_ssl_engine_qat_module.so;
    
    events {
        worker_connections  102400;
    }
    
    ssl_engine {
        use_engine qatengine;
        default_algorithms RSA;
        qat_engine {
            qat_offload_mode async;
            qat_notify_mode poll;
            qat_poll_mode heuristic;
            qat_shutting_down_release on;
        }
    }
    
    http {
        include       mime.types;
        default_type  application/octet-stream;
    
        keepalive_timeout 0;
    
        # HTTPS server
        server {
            ssl_asynch on;
            listen       443 ssl;
            server_name  localhost;
            ssl_certificate      /etc/ssl/certs/tls.crt;
            ssl_certificate_key  /etc/ssl/certs/tls.key;
            ssl_session_cache    off;
            ssl_session_timeout  5m;
            ssl_protocols  TLSv1.2;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;
            ssl_ecdh_curve X25519;
            ssl_prefer_server_ciphers   off;
    
            location / {
                root   html;
                index  index.html index.htm;
            }
        }
    
    }
    

Running the Container

In this section we start the NGINX container using the previously created container image and the configuration files created in the steps above.

  1. Run the previously built image in a container.

    docker run --rm -it --cap-add=IPC_LOCK -p 9000:443 --cpuset-cpus 10-20 \
        --security-opt seccomp=unconfined --security-opt apparmor=unconfined \
        $(for i in /dev/vfio/*; do echo --device "$i"; done) \
        -v "${PWD}"/tls.pem:/etc/ssl/certs/tls.crt \
        -v "${PWD}"/tls.key:/etc/ssl/certs/tls.key \
        -v "${PWD}"/nginx.conf:/usr/share/nginx/conf/nginx.conf \
        intel/openssl-qat-engine:devel
    

    Note

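    • -p 9000:443 - This publishes port 9000 on the host and maps it to port 443 in the container. Port 443 is the port on which NGINX listens for web requests inside the container.

    • All QAT VFs are provided to this container: every device under /dev/vfio is passed with --device.

    • --security-opt seccomp=unconfined and --security-opt apparmor=unconfined - These run the container without Docker's default seccomp and AppArmor profiles.

    • -v "${PWD}"/tls.pem:/etc/ssl/certs/tls.crt - This maps the tls.pem file created earlier to the appropriate location within the container. The same format is used to provide the other required files.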

  2. Within the running container, run the NGINX server.

    nginx
    

Quick Test

We can send a web request to the NGINX server to verify that the stack is functional.

  1. From the host, verify the NGINX server is running.

    curl -k https://localhost:9000
    

    Note

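    The requests are going to port 9000. In the previous step we mapped port 9000 to port 443, which is the port the NGINX web server is listening on. The -k option tells curl to skip certificate verification, which is needed here because the certificate is self-signed.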

    You should see an output similar to the following:

    <!DOCTYPE html>
    <html>
        <head>
            <title>Welcome to nginx!</title>
        </head>
        <body>
            <h1>Welcome to nginx!</h1>
            <p>If you see this page, the nginx web server is successfully
            installed and working. Further configuration is required.</p>
            <p>For online documentation and support please refer to
            <a href="http://nginx.org/">nginx.org</a>.<br/>
            Commercial support is available at
            <a href="http://nginx.com/">nginx.com</a>.</p>
            <p><em>Thank you for using nginx.</em></p>
        </body>
    </html>