The NSX-T CNI plug-in must be installed on the Kubernetes nodes.

About this task

For Ubuntu, installing the NSX-T CNI plug-in will copy the AppArmor profile file ncp-apparmor to /etc/apparmor.d and load it. Before the install, the AppArmor service must be running and the directory /etc/apparmor.d must exist. Otherwise, the install will fail. You can check whether the AppArmor module is enabled with the following command:

    sudo cat /sys/module/apparmor/parameters/enabled

You can check whether the AppArmor service is started with the following command:

    sudo /etc/init.d/apparmor status

If the AppArmor service is not running when you install the NSX-T CNI plug-in, the install will display the following message when it finishes:

    subprocess installed post-installation script returned error exit status 1

The message indicates that all the installation steps completed except the loading of the AppArmor profile.

The ncp-apparmor profile file provides an AppArmor profile called node-agent-apparmor for NSX node agent. It differs from the docker-default profile in the following ways:

  • The deny mount rule is removed.

  • The mount rule is added.

  • Some network, capability, file, and umount options are added.

You can replace the node-agent-apparmor profile with a different profile. However, the profile name node-agent-apparmor is referenced in the file nsx-node-agent-ds.yml, which is used in the installation of NSX node agent. If you use a different profile, you must specify the profile name in nsx-node-agent-ds.yml, under the section spec:template:metadata:annotations, in the following entry:

    container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/<profile-name>

Procedure

  1. Download the installation file appropriate to your Linux distribution.

    The filename is nsx-cni-1.0.0.0.0.xxxxxxx-1.x86_64.rpm or nsx-cni-1.0.0.0.0.xxxxxxx.deb, where xxxxxxx is the build number.

  2. Install the rpm or deb file downloaded in step 1.

    The plug-in is installed in /opt/cni/bin. The CNI configuration file 10.net.conf is copied to /etc/cni/net.d. The rpm will also install the configuration file /etc/cni/net.d/99-loopback.conf for the loopback plug-in.
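The AppArmor prerequisites and the profile reference in nsx-node-agent-ds.yml can be checked with a script such as the following, an added example that is not part of the product or its documentation. The function names and the ROOT path prefix are assumptions made for illustration, and the loaded-profile list is read from the kernel's securityfs file /sys/kernel/security/apparmor/profiles, which the page does not mention.

```shell
#!/bin/sh
# Added example: AppArmor checks around the NSX-T CNI plug-in install.
# ROOT is a hypothetical path prefix (empty on a live node) so the checks
# can also be exercised against a constructed directory tree.
ROOT="${ROOT:-}"

# Before the install: module enabled and /etc/apparmor.d present.
apparmor_preflight() {
    enabled="$ROOT/sys/module/apparmor/parameters/enabled"
    if [ "$(cat "$enabled" 2>/dev/null)" != "Y" ]; then
        echo "AppArmor module is not enabled" >&2; return 1
    fi
    if [ ! -d "$ROOT/etc/apparmor.d" ]; then
        echo "$ROOT/etc/apparmor.d does not exist" >&2; return 2
    fi
}

# After the install: is the named profile loaded in the kernel?
# Lines in the profiles file look like "node-agent-apparmor (enforce)".
profile_loaded() {
    awk -v p="$1" '$1 == p { found = 1 } END { exit !found }' \
        "$ROOT/sys/kernel/security/apparmor/profiles" 2>/dev/null
}

# Print every localhost/<profile-name> referenced by an AppArmor annotation
# in a manifest such as nsx-node-agent-ds.yml (quotes around values are dropped).
manifest_profiles() {
    tr -d "\"'" < "$1" | sed -n \
      's|^[[:space:]]*container\.apparmor\.security\.beta\.kubernetes\.io/[^:]*:[[:space:]]*localhost/\([^[:space:]]*\).*|\1|p'
}

# Fail if the manifest references a profile that is not loaded on this node.
check_manifest() {
    names=$(manifest_profiles "$1")
    [ -n "$names" ] || { echo "no AppArmor annotation in $1" >&2; return 1; }
    for name in $names; do
        profile_loaded "$name" || { echo "profile $name is not loaded" >&2; return 2; }
    done
}
```

Source the file as root on each node, run apparmor_preflight before installing the package, and run check_manifest nsx-node-agent-ds.yml afterwards. A non-zero result from check_manifest means a container would be scheduled with a profile the node has not loaded.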