asynch_mode_nginx
Only qatengine engine name allowed
looks like only:
ssl_engine {
use_engine qatengine;
...
}
is allowed. I'm building QAT Engine separately for both HW and SW paths: qat-sw and qat-hw but
ssl_engine {
use_engine qat-sw;
...
}
gives: nginx: [emerg] invalid engine type "qat-sw" in /usr/share/nginx/conf/nginx.conf:20
Hi @mythi, if you want to use qat_sw, please configure qatengine to sw mode before compiling; otherwise, if you want to use qat-hw, then please configure it to hw mode before compiling. Please keep use_engine qatengine unchanged.
Please keep use_engine qatengine unchanged.
why? I have my qat SW configured engine built with engine-id qat-sw and I cannot use that with NGINX. That's why I submitted this issue.
@mythi qatengine will decide to use SW or HW automatically according to the type of algorithms. Some of the algorithms (RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF, HKDF, X25519, X448) are supported by HW. These algorithms (RSA, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, X25519) are supported by qat SW. Other algorithms will be offloaded to CPU.
qatengine will decide to use SW or HW automatically according to the type of algorithms.
I still want to decide what the name of my engine is since QAT Engine build system allows me to do that.
If you want to use your own engine, you can change it to whatever you want. But if you want to use qatengine, please just set it to qatengine. There's no engine named qat-sw or qat-hw. For more information, please refer to qatengine
There's no engine named qat-sw or qat-hw.
As I wrote the engine name can be anything. I'm building qat-hw and qat-sw:
https://github.com/intel/intel-device-plugins-for-kubernetes/blob/d62164f4c17b91b683dacefdb7c1ed7e156fd1f2/demo/openssl-qat-engine/Dockerfile#L45-L65
To allow asynch_mode_nginx to be used with arbitrary engine names I submitted this issue.
Hi @mythi, your configuration is correct. However, this is a limitation in Nginx. qatengine is working as a module inside Nginx, its name is "qatengine", which can be modified at https://github.com/intel/asynch_mode_nginx/blob/d9823cd5feaf6d37ec0c1baafd82d0bbef57585f/modules/nginx_qat_module/ngx_ssl_engine_qat_module.c#L164
Before Nginx starts, it will firstly confirm whether the engine name it supports is provided in the config file, if not, it will report an error.
So, a way to solve this issue is to just modify the engine name in https://github.com/intel/asynch_mode_nginx/blob/d9823cd5feaf6d37ec0c1baafd82d0bbef57585f/modules/nginx_qat_module/ngx_ssl_engine_qat_module.c#L164 to whatever you want (like "qat_sw"), then recompile Nginx.
Before Nginx starts, it will firstly confirm whether the engine name it supports is provided in the config file, if not, it will report an error.
but then why does the module assume the engine id is the same as the module name? If the module init reads the config, it can take whatever is the use_engine value, right?
Hi @mythi, sorry for the late reply, we have created a ticket to follow this issue, thanks for your suggestion.
@ShuaiYuan21 Thanks! I haven't found it yet but I'll keep looking.
@mythi We already support both QAT_HW and QAT_SW offloading in one QATEngine build in the latest QATEngine v0.6.14 release. Will this help you to save the separate build for different platforms? Detailed information in the Readme.
@daweiq it does not make this issue go away. As long as QAT Engine supports building with custom engine-ids, I'm expecting NGINX to allow me to use the engine-id I've configured.
Looking at the README, it seems it forces me to know about these bitmaps and maintain a custom openssl.cnf. The way it can be done, e.g., with Haproxy looks more user friendly:
ssl-engine qat-hw RSA DSA EC
ssl-engine qat-sw CIPHERS