Intel® QuickAssist Technology(QAT) OpenSSL\* Engine Container support

April 10, 2026 · View on GitHub

Supports below Dockerfiles which can be built into docker images on the platforms with Intel® QuickAssist 4xxx Series QAT device.

QAT crypto base
HAproxy with QAT crypto base

QAT crypto base

This Dockerfile(qat_crypto_base/Dockerfile) with qatengine is built on top of latest OpenSSL, QAT_HW(qatlib intree driver) and QAT_SW with software versions mentioned in software_requirements section. This contains QAT_HW and QAT_SW co-existence build and works as defined in co-existence section

Haproxy with QAT crypto base

This Dockerfile(haproxy/Dockerfile) is built with Haproxy release version v3.3.0 along with QAT crypto base mentioned above. Sample Haproxy configuration file is located at haproxy/haproxy.cfg which can be modified as per the required use case and to be mounted from the host to the container using -v /usr/local/etc/haproxy/haproxy.cfg.

Docker setup and testing

Refer here for setting up the host for QAT_HW (qatlib intree) if the platform has QAT 4xxx Hardware device. Stop QAT service if any running on the host.

QAT_HW settings

Follow the below steps to enable required service. The service can be asym only, sym only or both in step 2 depending on the particular use case. Configure the required service only to get best performance.

Bring down the QAT devices

    for i in `lspci -D -d :4940| awk '{print \$1}'`; do echo down > /sys/bus/pci/devices/$i/qat/state;done

Set up the required crypto service(s)

    for i in `lspci -D -d :4940| awk '{print \$1}'`; do echo “sym;asym“ > /sys/bus/pci/devices/$i/qat/cfg_services;done

Bring up the QAT devices

    for i in `lspci -D -d :4940| awk '{print \$1}'`; do echo up> /sys/bus/pci/devices/$i/qat/state;done

Check the status of the QAT devices

    for i in `lspci -D -d :4940| awk '{print \$1}'`; do cat /sys/bus/pci/devices/$i/qat/state;done

Enable VF for the PF in the host

    for i in `lspci -D -d :4940| awk '{print \$1}'`; do echo 16|sudo tee /sys/bus/pci/devices/$i/sriov_numvfs; done

Add QAT group and Permission to the VF devices in the host

    chown root:qat /dev/vfio/*
    chmod 660 /dev/vfio/*

Image creation

Docker images can be built using the below command with appropriate image name.

docker build --build-arg GID=$(getent group qat | cut -d ':' -f 3) -t <docker_image_name> <path-to-dockerfile> --no-cache

Note: GID is the group id of qat group in the host.

Testing QAT Crypto base using OpenSSL* speed utility

docker run -it --cap-add=IPC_LOCK --security-opt seccomp=unconfined --security-opt apparmor=unconfined $(for i in `ls /dev/vfio/*`; do echo --device $i; done)  --cpuset-cpus  <2-n+1> --env QAT_POLICY=1 --ulimit memlock=524288000:524288000 < docker_image_name> openssl speed -engine qatengine -elapsed -async_jobs 72  -multi <n> <algo>

Testing Haproxy

Server command: docker run --rm -it  --cpuset-cpus <2-n+1> --cap-add=IPC_LOCK --security-opt seccomp=unconfined --security-opt apparmor=unconfined $(for i in `ls /dev/vfio/*`; do echo --device $i; done) --env QAT_POLICY=1 --ulimit memlock=524288000:524288000 -v /usr/local/etc/haproxy/:/usr/local/etc/haproxy/ -d -p 8080:8080 < docker_image_name> haproxy -f /usr/local/etc/haproxy/haproxy.cfg

Client command: openssl s_time -connect <server_ip>:8080 -cipher AES128-SHA256 -www /20b-file.html -time 5

Note: n is number of process or thread. 8080 port to be used for starting the haproxy service. HAproxy config file mounted from the host to the container using -v /usr/local/etc/haproxy/haproxy.cfg.