The NSX-T CNI plug-in must be installed on the Kubernetes nodes.
For Ubuntu, installing the NSX-T CNI plug-in will copy the AppArmor profile file ncp-apparmor to /etc/apparmor.d and load it. Before the install, the AppArmor service must be running and the directory /etc/apparmor.d must exist. Otherwise, the install will fail. You can check whether the AppArmor module is enabled with the following command:
sudo cat /sys/module/apparmor/parameters/enabled
You can check whether the AppArmor service is started with the following command:
sudo /etc/init.d/apparmor status
If the AppArmor service is not running when you install the NSX-T CNI plug-in, the install will display the following message when it finishes:
subprocess installed post-installation script returned error exit status 1
The message indicates that all the installation steps completed except the loading of the AppArmor profile.
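The checks above can be scripted so the install is not started on a node where the profile load would fail. The following is an added example, not part of the NSX-T documentation or packages. The function and variable names are assumptions, and /sys/kernel/security/apparmor/profiles is the kernel's standard list of loaded profiles, used here to confirm afterwards that node-agent-apparmor was actually loaded.

```shell
#!/bin/sh
# Added example: AppArmor checks around the NSX-T CNI plug-in install (Ubuntu).
# Run as root. The defaults are the paths the page names; the variable and
# function names are assumptions made for this sketch.
: "${APPARMOR_ENABLED_FILE:=/sys/module/apparmor/parameters/enabled}"
: "${APPARMOR_PROFILE_DIR:=/etc/apparmor.d}"
: "${APPARMOR_STATUS_CMD:=/etc/init.d/apparmor status}"
: "${APPARMOR_LOADED_FILE:=/sys/kernel/security/apparmor/profiles}"

# Before the install: returns 0 only if all three prerequisites hold.
# The number of failed checks is left in $failures.
nsx_cni_preflight() {
    failures=0
    enabled=""
    # The sysfs parameter reads "Y" when the AppArmor module is enabled.
    if [ -r "$APPARMOR_ENABLED_FILE" ]; then
        enabled=$(cat "$APPARMOR_ENABLED_FILE")
    fi
    if [ "$enabled" != "Y" ]; then
        echo "FAIL: AppArmor module is not enabled" >&2
        failures=$((failures + 1))
    fi
    # Deliberately unquoted so the command and its argument are split.
    if ! $APPARMOR_STATUS_CMD >/dev/null 2>&1; then
        echo "FAIL: AppArmor service is not running" >&2
        failures=$((failures + 1))
    fi
    if [ ! -d "$APPARMOR_PROFILE_DIR" ]; then
        echo "FAIL: $APPARMOR_PROFILE_DIR does not exist" >&2
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# After the install: returns 0 if the named profile is loaded in the kernel.
# Each line of the kernel's list has the form "<profile name> (<mode>)".
nsx_profile_loaded() {
    profile=${1:-node-agent-apparmor}
    [ -r "$APPARMOR_LOADED_FILE" ] || return 1
    awk -v p="$profile" '$1 == p { found = 1 } END { exit !found }' \
        "$APPARMOR_LOADED_FILE"
}
```

Call nsx_cni_preflight before installing the package and nsx_profile_loaded after it; a non-zero result from the second corresponds to the post-installation script error shown above.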
The ncp-apparmor profile file provides an AppArmor profile for NSX node agent called node-agent-apparmor, which differs from the docker-default profile in the following ways:
- The deny mount rule is removed.
- The mount rule is added.
- Some network, capability, file, and umount options are added.
You can replace the node-agent-apparmor profile with a different profile. However, the profile name node-agent-apparmor is referenced in the file nsx-node-agent-ds.yml, which is used in the installation of NSX node agent. If you use a different profile, you must specify the profile name in nsx-node-agent-ds.yml, under the section spec:template:metadata:annotations, in the following entry:
1. Download the installation file appropriate to your Linux distribution.
   The filename is nsx-cni-18.104.22.168.0.xxxxxxx-1.x86_64.rpm or nsx-cni-22.214.171.124.0.xxxxxxx.deb, where xxxxxxx is the build number.
2. Install the rpm or deb file downloaded in step 1.
   The plug-in is installed in /opt/cni/bin. The CNI configuration file 10.net.conf is copied to /etc/cni/net.d. The rpm will also install the configuration file /etc/cni/net.d/99-loopback.conf for the loopback plug-in.