diff options
-rw-r--r-- | vagrant/tests/vFW/README.md | 50 | ||||
-rw-r--r-- | vagrant/tests/vFW/Vagrantfile | 66 | ||||
-rw-r--r-- | vagrant/tests/vFW/diagram.png | bin | 0 -> 246934 bytes | |||
-rwxr-xr-x | vagrant/tests/vFW/firewall | 96 | ||||
-rwxr-xr-x | vagrant/tests/vFW/packetgen | 83 | ||||
-rwxr-xr-x | vagrant/tests/vFW/sink | 48 |
6 files changed, 343 insertions, 0 deletions
diff --git a/vagrant/tests/vFW/README.md b/vagrant/tests/vFW/README.md new file mode 100644 index 00000000..f54a555f --- /dev/null +++ b/vagrant/tests/vFW/README.md @@ -0,0 +1,50 @@ +# vFirewall ONAP Use Case + +This use case is composed of three virtual functions (VFs) running in +separate Ubuntu Virtual Machines: + + * [Packet generator][1]: Sends packets to the packet sink through the +firewall. This includes a script that periodically generates different +volumes of traffic. + * [Firewall][2]: Reports the volume of traffic passing though to the +ONAP DCAE collector. + * [Traffic sink][3]: Displays the traffic volume that lands at the sink +VM using the link http://192.168.20.250:667 through your browser +and enable automatic page refresh by clicking the "Off" button. You +can see the traffic volume in the charts. + +![Diagram](diagram.png) + +## Adjust packet generator: + +The packet generator contains 10 streams: fw\_udp1, fw\_udp2, +fw\_udp3, . . . , fw\_udp10. Each stream generates 100 packets every +10 seconds. The */opt/run\_traffic\_fw\_demo.sh* script on the packet +generator VM starts automatically and alternates high traffic (i.e. +10 active streams at the same time) and low traffic (1 active stream) +every 5 minutes. + +To enable a stream, include `{"id":"fw_udp1", "is-enabled":"true"}` +in the *pg-stream* bracket. + +To adjust the traffic volume produced by the packet generator, run the +following command in a shell: + +``` + curl -X PUT \ + -H "Authorization: Basic YWRtaW46YWRtaW4=" \ + -H "Content-Type: application/json" \ + -H "Cache-Control: no-cache" \ + -d '{"pg-streams":{"pg-stream": [{"id":"fw_udp1", "is-enabled":"true"},{"id":"fw_udp2", "is-enabled":"true"},{"id":"fw_udp3", "is-enabled":"true"},{"id":"fw_udp4", "is-enabled":"true"},{"id":"fw_udp5", "is-enabled":"true"}]}}' \ + "http://192.168.10.200:8183/restconf/config/sample-plugin:sample-plugin/pg-streams" +``` + +The command above enables 5 streams. + +## License + +Apache-2.0 + +[1]: packetgen +[2]: firewall +[3]: sink diff --git a/vagrant/tests/vFW/Vagrantfile b/vagrant/tests/vFW/Vagrantfile new file mode 100644 index 00000000..cabe6504 --- /dev/null +++ b/vagrant/tests/vFW/Vagrantfile @@ -0,0 +1,66 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +vars = { + "demo_artifacts_version" => "1.3.0", + 'vfw_private_ip_0' => '192.168.10.100', + 'vfw_private_ip_1' => '192.168.20.100', + 'vfw_private_ip_2' => '10.10.100.2', + 'vpg_private_ip_0' => '192.168.10.200', + 'vpg_private_ip_1' => '10.0.100.3', + 'vsn_private_ip_0' => '192.168.20.250', + 'vsn_private_ip_1' => '10.10.100.4', + 'dcae_collector_ip' => '10.0.4.1', + 'dcae_collector_port' => '8081', + 'protected_net_gw' => '192.168.20.100', + 'protected_net_cidr' => '192.168.20.0/24', + 'protected_private_net_cidr' => '192.168.10.0/24', + 'onap_private_net_cidr' => '10.10.0.0/16' +} + +if ENV['no_proxy'] != nil or ENV['NO_PROXY'] + $no_proxy = ENV['NO_PROXY'] || ENV['no_proxy'] || "127.0.0.1,localhost" + $subnet = "192.168.121" + # NOTE: This range is based on vagrant-libivirt network definition + (1..27).each do |i| + $no_proxy += ",#{$subnet}.#{i}" + end +end + +Vagrant.configure("2") do |config| + config.vm.box = "elastic/ubuntu-16.04-x86_64" + + if ENV['http_proxy'] != nil and ENV['https_proxy'] != nil + if not Vagrant.has_plugin?('vagrant-proxyconf') + system 'vagrant plugin install vagrant-proxyconf' + raise 'vagrant-proxyconf was installed but it requires to execute again' + end + config.proxy.http = ENV['http_proxy'] || ENV['HTTP_PROXY'] || "" + config.proxy.https = ENV['https_proxy'] || ENV['HTTPS_PROXY'] || "" + config.proxy.no_proxy = $no_proxy + end + + config.vm.provider 'libvirt' do |v| + v.cpu_mode = 'host-passthrough' # DPDK requires Supplemental Streaming SIMD Extensions 3 (SSSE3) + end + + config.vm.define :packetgen do |packetgen| + packetgen.vm.hostname = "packetgen" + packetgen.vm.provision 'shell', path: 'packetgen', env: vars + packetgen.vm.network :private_network, :ip => vars['vpg_private_ip_0'], :type => :static, :netmask => "255.255.255.0" # unprotected_private_net_cidr + packetgen.vm.network :private_network, :ip => vars['vpg_private_ip_1'], :type => :static, :netmask => "255.255.0.0" # onap_private_net_cidr + end + config.vm.define :firewall do |firewall| + firewall.vm.hostname = "firewall" + firewall.vm.provision 'shell', path: 'firewall', env: vars + firewall.vm.network :private_network, :ip => vars['vfw_private_ip_0'], :type => :static, :netmask => "255.255.255.0" # unprotected_private_net_cidr + firewall.vm.network :private_network, :ip => vars['vfw_private_ip_1'], :type => :static, :netmask => "255.255.255.0" # protected_private_net_cidr + firewall.vm.network :private_network, :ip => vars['vfw_private_ip_2'], :type => :static, :netmask => "255.255.0.0" # onap_private_net_cidr + end + config.vm.define :sink do |sink| + sink.vm.hostname = "sink" + sink.vm.provision 'shell', path: 'sink', env: vars + sink.vm.network :private_network, :ip => vars['vsn_private_ip_0'], :type => :static, :netmask => "255.255.255.0" # protected_private_net_cidr + sink.vm.network :private_network, :ip => vars['vsn_private_ip_1'], :type => :static, :netmask => "255.255.0.0" # onap_private_net_cidr + end +end diff --git a/vagrant/tests/vFW/diagram.png b/vagrant/tests/vFW/diagram.png Binary files differnew file mode 100644 index 00000000..4cf95f2f --- /dev/null +++ b/vagrant/tests/vFW/diagram.png diff --git a/vagrant/tests/vFW/firewall b/vagrant/tests/vFW/firewall new file mode 100755 index 00000000..93d4f2a3 --- /dev/null +++ b/vagrant/tests/vFW/firewall @@ -0,0 +1,96 @@ +#!/bin/bash +# SPDX-license-identifier: Apache-2.0 +############################################################################## +# Copyright (c) 2018 +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## + +set -o nounset +set -o pipefail +set -o xtrace +set -o errexit + +# install_dependencies() - Install required dependencies +function install_dependencies { + apt-get update + apt-get install -y -qq wget openjdk-8-jre bridge-utils net-tools bsdmainutils make gcc libcurl4-gnutls-dev +} + +# install_vpp() - Install VPP +function install_vpp { + local RELEASE=".stable.1609" + + apt-get update + apt-get install -y -qq apt-transport-https + echo "deb [trusted=yes] https://nexus.fd.io/content/repositories/fd.io$RELEASE.ubuntu.$(lsb_release -c -s).main/ ./" | tee -a /etc/apt/sources.list.d/99fd.io.list + apt-get update + apt-get install -y -qq vpp vpp-lib vpp-plugins vpp-dpdk-dkms +} + +function _untar_url { + local repo_url="https://nexus.onap.org/content/repositories/staging/org/onap/demo/vnf/" + local file_subpath=$1 + + wget -q -O tmp_file.tar.gz "${repo_url}/${file_subpath}" + sha1=$(wget ${repo_url}/${file_subpath}.sha1 -q -O -) + if [[ $(sha1sum tmp_file.tar.gz | awk '{print $1}') != "$sha1" ]]; then + echo "The downloaded file is corrupted" + exit 1 + fi + tar -zmxf tmp_file.tar.gz + rm tmp_file.tar.gz +} + +# install_vfw_scripts() - +function install_vfw_scripts { + local version=$(cat /opt/config/demo_artifacts_version.txt) + local ves_path=VES + local ves_reporting_path="${ves_path}/evel/evel-library" + + pushd /opt + wget -q https://git.onap.org/demo/plain/vnfs/vFW/scripts/{v_firewall_init,vfirewall}.sh + chmod +x *.sh + + _untar_url "sample-distribution/${version}/sample-distribution-${version}-hc.tar.gz" + mkdir -p honeycomb + mv sample-distribution-$version honeycomb + + _untar_url "ves5/ves/${version}/ves-${version}-demo.tar.gz" + mv ves-$version $ves_path + + _untar_url "ves5/ves_vfw_reporting/${version}/ves_vfw_reporting-${version}-demo.tar.gz" + mkdir -p $ves_reporting_path/code + mv ves_vfw_reporting-$version $ves_reporting_path/code/VESreporting + + chmod +x $ves_reporting_path/code/VESreporting/go-client.sh + pushd $ves_reporting_path/bldjobs/ + make clean + make + sleep 1 + popd + + # TODO(electrocucaracha) Fix it in upstream + sed -i 's/start vpp/systemctl start vpp/g' v_firewall_init.sh + mv vfirewall.sh /etc/init.d + update-rc.d vfirewall.sh defaults + systemctl start firewall + popd +} + +mkdir -p /opt/config/ +echo "$protected_net_cidr" > /opt/config/protected_net_cidr.txt +echo "$vfw_private_ip_0" > /opt/config/fw_ipaddr.txt +echo "$vsn_private_ip_0" > /opt/config/sink_ipaddr.txt +echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt +echo "$dcae_collector_ip" > /opt/config/dcae_collector_ip.txt +echo "$dcae_collector_port" > /opt/config/dcae_collector_port.txt + +echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf +sysctl -p + +install_dependencies +install_vpp +install_vfw_scripts diff --git a/vagrant/tests/vFW/packetgen b/vagrant/tests/vFW/packetgen new file mode 100755 index 00000000..51d5c676 --- /dev/null +++ b/vagrant/tests/vFW/packetgen @@ -0,0 +1,83 @@ +#!/bin/bash +# SPDX-license-identifier: Apache-2.0 +############################################################################## +# Copyright (c) 2018 +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## + +set -o nounset +set -o pipefail +set -o xtrace +set -o errexit + +# install_dependencies() - Install required dependencies +function install_dependencies { + apt-get update + apt-get install -y -qq wget openjdk-8-jre bridge-utils net-tools bsdmainutils +} + +# install_vpp() - Install VPP +function install_vpp { + local RELEASE=".stable.1609" + + apt-get update + apt-get install -y -qq apt-transport-https + echo "deb [trusted=yes] https://nexus.fd.io/content/repositories/fd.io$RELEASE.ubuntu.$(lsb_release -c -s).main/ ./" | tee -a /etc/apt/sources.list.d/99fd.io.list + apt-get update + apt-get install -y -qq vpp vpp-lib vpp-plugins vpp-dpdk-dkms +} + +function _untar_url { + local repo_url="https://nexus.onap.org/content/repositories/staging/org/onap/demo/vnf/" + local file_subpath=$1 + + wget -q -O tmp_file.tar.gz "${repo_url}/${file_subpath}" + sha1=$(wget ${repo_url}/${file_subpath}.sha1 -q -O -) + if [[ $(sha1sum tmp_file.tar.gz | awk '{print $1}') != "$sha1" ]]; then + echo "The downloaded file is corrupted" + exit 1 + fi + tar -zmxf tmp_file.tar.gz + rm tmp_file.tar.gz +} + +# install_vfw_scripts() - +function install_vfw_scripts { + local version=$(cat /opt/config/demo_artifacts_version.txt) + + pushd /opt + wget -q https://git.onap.org/demo/plain/vnfs/vFW/scripts/{v_packetgen_init,vpacketgen,run_traffic_fw_demo}.sh + chmod +x *.sh + + _untar_url "sample-distribution/${version}/sample-distribution-${version}-hc.tar.gz" + mv sample-distribution-$version honeycomb + + _untar_url "vfw/vfw_pg_streams/$version/vfw_pg_streams-$version-demo.tar.gz" + mv vfw_pg_streams-$version pg_streams + + sed -i 's/"restconf-binding-address": "127.0.0.1",/"restconf-binding-address": "0.0.0.0",/g' /opt/honeycomb/config/honeycomb.json + + # TODO(electrocucaracha) Fix it in upstream + sed -i 's/start vpp/systemctl start vpp/g' v_packetgen_init.sh + sed -i 's|/opt/honeycomb/sample-distribution-\$VERSION/honeycomb|/opt/honeycomb/honeycomb|g' v_packetgen_init.sh + mv vpacketgen.sh /etc/init.d/ + update-rc.d vpacketgen.sh defaults + systemctl start packetgen + popd +} + +mkdir -p /opt/config/ +echo "$protected_net_cidr" > /opt/config/protected_net_cidr.txt +echo "$vfw_private_ip_0" > /opt/config/fw_ipaddr.txt +echo "$vsn_private_ip_0" > /opt/config/sink_ipaddr.txt +echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt + +echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf +sysctl -p + +install_dependencies +install_vpp +install_vfw_scripts diff --git a/vagrant/tests/vFW/sink b/vagrant/tests/vFW/sink new file mode 100755 index 00000000..5604198f --- /dev/null +++ b/vagrant/tests/vFW/sink @@ -0,0 +1,48 @@ +#!/bin/bash +# SPDX-license-identifier: Apache-2.0 +############################################################################## +# Copyright (c) 2018 +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## + +set -o nounset +set -o pipefail +set -o xtrace +set -o errexit + +# install_dependencies() - Install required dependencies +function install_dependencies { + apt-get update + apt install -y wget darkstat net-tools + + # Configure and run Darkstat + sed -i "s/START_DARKSTAT=.*/START_DARKSTAT=yes/g;s/INTERFACE=.*/INTERFACE=\"-i eth1\"/g" /etc/darkstat/init.cfg + + systemctl restart darkstat +} + +# install_vfw_scripts() - +function install_vfw_scripts { + pushd /opt + wget -q https://git.onap.org/demo/plain/vnfs/vFW/scripts/{v_sink_init,vsink}.sh + chmod +x *.sh + + mv vsink.sh /etc/init.d + update-rc.d vsink.sh defaults + systemctl start sink + popd +} + +mkdir -p /opt/config/ +echo "$protected_net_cidr" > /opt/config/protected_net_cidr.txt +echo "$vfw_private_ip_0" > /opt/config/fw_ipaddr.txt +echo "$vsn_private_ip_0" > /opt/config/sink_ipaddr.txt +echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt +echo "$protected_net_gw" > /opt/config/protected_net_gw.txt +echo "$protected_private_net_cidr" > /opt/config/unprotected_net.txt + +install_dependencies +install_vfw_scripts |