From e711aa83716d2dcca5c0129602e9dc500b281e4b Mon Sep 17 00:00:00 2001
From: Victor Morales
Date: Wed, 6 Feb 2019 13:12:43 -0800
Subject: Add vFW scripts folder

The bash scripts that are used for testing the Firewall ONAP use case are hosted in an external repo. This change includes the latest working version for those scripts.

Change-Id: Ic2d371a3e715d867cb4e61e0ad13da812edeea45
Signed-off-by: Victor Morales
Issue-ID: MULTICLOUD-301
---
vagrant/tests/vFW/README.md | 50 ++++++++++++++++++++++
vagrant/tests/vFW/Vagrantfile | 66 +++++++++++++++++++++++++++++
vagrant/tests/vFW/diagram.png | Bin 0 -> 246934 bytes
vagrant/tests/vFW/firewall | 96 ++++++++++++++++++++++++++++++++++++++++++
vagrant/tests/vFW/packetgen | 83 ++++++++++++++++++++++++++++++++++++
vagrant/tests/vFW/sink | 48 +++++++++++++++++++++
6 files changed, 343 insertions(+)
create mode 100644 vagrant/tests/vFW/README.md
create mode 100644 vagrant/tests/vFW/Vagrantfile
create mode 100644 vagrant/tests/vFW/diagram.png
create mode 100755 vagrant/tests/vFW/firewall
create mode 100755 vagrant/tests/vFW/packetgen
create mode 100755 vagrant/tests/vFW/sink
diff --git a/vagrant/tests/vFW/README.md b/vagrant/tests/vFW/README.md
new file mode 100644
index 00000000..f54a555f
--- /dev/null
+++ b/vagrant/tests/vFW/README.md
@@ -0,0 +1,50 @@
+# vFirewall ONAP Use Case
+
+This use case is composed of three virtual functions (VFs) running in
+separate Ubuntu Virtual Machines:
+
+ * [Packet generator][1]: Sends packets to the packet sink through the
+firewall. This includes a script that periodically generates different
+volumes of traffic.
+ * [Firewall][2]: Reports the volume of traffic passing though to the
+ONAP DCAE collector.
+ * [Traffic sink][3]: Displays the traffic volume that lands at the sink
+VM using the link http://192.168.20.250:667 through your browser
+and enable automatic page refresh by clicking the "Off" button. You
+can see the traffic volume in the charts.
+
+![Diagram](diagram.png)
+
+## Adjust packet generator:
+
+The packet generator contains 10 streams: fw\_udp1, fw\_udp2,
+fw\_udp3, . . . , fw\_udp10. Each stream generates 100 packets every
+10 seconds. The */opt/run\_traffic\_fw\_demo.sh* script on the packet
+generator VM starts automatically and alternates high traffic (i.e.
+10 active streams at the same time) and low traffic (1 active stream)
+every 5 minutes.
+
+To enable a stream, include `{"id":"fw_udp1", "is-enabled":"true"}`
+in the *pg-stream* bracket.
+
+To adjust the traffic volume produced by the packet generator, run the
+following command in a shell:
+
+```
+ curl -X PUT \
+ -H "Authorization: Basic YWRtaW46YWRtaW4=" \
+ -H "Content-Type: application/json" \
+ -H "Cache-Control: no-cache" \
+ -d '{"pg-streams":{"pg-stream": [{"id":"fw_udp1", "is-enabled":"true"},{"id":"fw_udp2", "is-enabled":"true"},{"id":"fw_udp3", "is-enabled":"true"},{"id":"fw_udp4", "is-enabled":"true"},{"id":"fw_udp5", "is-enabled":"true"}]}}' \
+ "http://192.168.10.200:8183/restconf/config/sample-plugin:sample-plugin/pg-streams"
+```
+
+The command above enables 5 streams.
+
+## License
+
+Apache-2.0
+
+[1]: packetgen
+[2]: firewall
+[3]: sink
diff --git a/vagrant/tests/vFW/Vagrantfile b/vagrant/tests/vFW/Vagrantfile
new file mode 100644
index 00000000..cabe6504
--- /dev/null
+++ b/vagrant/tests/vFW/Vagrantfile
@@ -0,0 +1,66 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+vars = {
+ "demo_artifacts_version" => "1.3.0",
+ 'vfw_private_ip_0' => '192.168.10.100',
+ 'vfw_private_ip_1' => '192.168.20.100',
+ 'vfw_private_ip_2' => '10.10.100.2',
+ 'vpg_private_ip_0' => '192.168.10.200',
+ 'vpg_private_ip_1' => '10.0.100.3',
+ 'vsn_private_ip_0' => '192.168.20.250',
+ 'vsn_private_ip_1' => '10.10.100.4',
+ 'dcae_collector_ip' => '10.0.4.1',
+ 'dcae_collector_port' => '8081',
+ 'protected_net_gw' => '192.168.20.100',
+ 'protected_net_cidr' => '192.168.20.0/24',
+ 'protected_private_net_cidr' => '192.168.10.0/24',
+ 'onap_private_net_cidr' => '10.10.0.0/16'
+}
+
+if ENV['no_proxy'] != nil or ENV['NO_PROXY']
+ $no_proxy = ENV['NO_PROXY'] || ENV['no_proxy'] || "127.0.0.1,localhost"
+ $subnet = "192.168.121"
+ # NOTE: This range is based on vagrant-libivirt network definition
+ (1..27).each do |i|
+ $no_proxy += ",#{$subnet}.#{i}"
+ end
+end
+
+Vagrant.configure("2") do |config|
+ config.vm.box = "elastic/ubuntu-16.04-x86_64"
+
+ if ENV['http_proxy'] != nil and ENV['https_proxy'] != nil
+ if not Vagrant.has_plugin?('vagrant-proxyconf')
+ system 'vagrant plugin install vagrant-proxyconf'
+ raise 'vagrant-proxyconf was installed but it requires to execute again'
+ end
+ config.proxy.http = ENV['http_proxy'] || ENV['HTTP_PROXY'] || ""
+ config.proxy.https = ENV['https_proxy'] || ENV['HTTPS_PROXY'] || ""
+ config.proxy.no_proxy = $no_proxy
+ end
+
+ config.vm.provider 'libvirt' do |v|
+ v.cpu_mode = 'host-passthrough' # DPDK requires Supplemental Streaming SIMD Extensions 3 (SSSE3)
+ end
+
+ config.vm.define :packetgen do |packetgen|
+ packetgen.vm.hostname = "packetgen"
+ packetgen.vm.provision 'shell', path: 'packetgen', env: vars
+ packetgen.vm.network :private_network, :ip => vars['vpg_private_ip_0'], :type => :static, :netmask => "255.255.255.0" # unprotected_private_net_cidr
+ packetgen.vm.network :private_network, :ip => vars['vpg_private_ip_1'], :type => :static, :netmask => "255.255.0.0" # onap_private_net_cidr
+ end
+ config.vm.define :firewall do |firewall|
+ firewall.vm.hostname = "firewall"
+ firewall.vm.provision 'shell', path: 'firewall', env: vars
+ firewall.vm.network :private_network, :ip => vars['vfw_private_ip_0'], :type => :static, :netmask => "255.255.255.0" # unprotected_private_net_cidr
+ firewall.vm.network :private_network, :ip => vars['vfw_private_ip_1'], :type => :static, :netmask => "255.255.255.0" # protected_private_net_cidr
+ firewall.vm.network :private_network, :ip => vars['vfw_private_ip_2'], :type => :static, :netmask => "255.255.0.0" # onap_private_net_cidr
+ end
+ config.vm.define :sink do |sink|
+ sink.vm.hostname = "sink"
+ sink.vm.provision 'shell', path: 'sink', env: vars
+ sink.vm.network :private_network, :ip => vars['vsn_private_ip_0'], :type => :static, :netmask => "255.255.255.0" # protected_private_net_cidr
+ sink.vm.network :private_network, :ip => vars['vsn_private_ip_1'], :type => :static, :netmask => "255.255.0.0" # onap_private_net_cidr
+ end
+end
diff --git a/vagrant/tests/vFW/diagram.png b/vagrant/tests/vFW/diagram.png
new file mode 100644
index 00000000..4cf95f2f
Binary files /dev/null and b/vagrant/tests/vFW/diagram.png differ
diff --git a/vagrant/tests/vFW/firewall b/vagrant/tests/vFW/firewall
new file mode 100755
index 00000000..93d4f2a3
--- /dev/null
+++ b/vagrant/tests/vFW/firewall
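Review bot: In the Vagrantfile the proxy block is guarded by `ENV['http_proxy'] != nil and ENV['https_proxy'] != nil`, so the `|| ENV['HTTP_PROXY']` and `|| ENV['HTTPS_PROXY']` fallbacks inside it can never take effect, and a host that exports only the upper-case names gets no proxy configuration; `$no_proxy` is also nil at `config.proxy.no_proxy = $no_proxy` when neither `no_proxy` nor `NO_PROXY` is set. Resolve each value once before the guard, e.g. `http_proxy = ENV['http_proxy'] || ENV['HTTP_PROXY']`, and test the resolved values. The `system 'vagrant plugin install vagrant-proxyconf'` call installs an unpinned plugin on the host as a side effect of loading the file; raising with an instruction to install it would keep that decision with the user. The box `elastic/ubuntu-16.04-x86_64` also has no `config.vm.box_version`, so the image the three VMs boot from can change between runs.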
@@ -0,0 +1,96 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+
+set -o nounset
+set -o pipefail
+set -o xtrace
+set -o errexit
+
+# install_dependencies() - Install required dependencies
+function install_dependencies {
+ apt-get update
+ apt-get install -y -qq wget openjdk-8-jre bridge-utils net-tools bsdmainutils make gcc libcurl4-gnutls-dev
+}
+
+# install_vpp() - Install VPP
+function install_vpp {
+ local RELEASE=".stable.1609"
+
+ apt-get update
+ apt-get install -y -qq apt-transport-https
+ echo "deb [trusted=yes] https://nexus.fd.io/content/repositories/fd.io$RELEASE.ubuntu.$(lsb_release -c -s).main/ ./" | tee -a /etc/apt/sources.list.d/99fd.io.list
+ apt-get update
+ apt-get install -y -qq vpp vpp-lib vpp-plugins vpp-dpdk-dkms
+}
+
+function _untar_url {
+ local repo_url="https://nexus.onap.org/content/repositories/staging/org/onap/demo/vnf/"
+ local file_subpath=$1
+
+ wget -q -O tmp_file.tar.gz "${repo_url}/${file_subpath}"
+ sha1=$(wget ${repo_url}/${file_subpath}.sha1 -q -O -)
+ if [[ $(sha1sum tmp_file.tar.gz | awk '{print $1}') != "$sha1" ]]; then
+ echo "The downloaded file is corrupted"
+ exit 1
+ fi
+ tar -zmxf tmp_file.tar.gz
+ rm tmp_file.tar.gz
+}
+
+# install_vfw_scripts() -
+function install_vfw_scripts {
+ local version=$(cat /opt/config/demo_artifacts_version.txt)
+ local ves_path=VES
+ local ves_reporting_path="${ves_path}/evel/evel-library"
+
+ pushd /opt
+ wget -q https://git.onap.org/demo/plain/vnfs/vFW/scripts/{v_firewall_init,vfirewall}.sh
+ chmod +x *.sh
+
+ _untar_url "sample-distribution/${version}/sample-distribution-${version}-hc.tar.gz"
+ mkdir -p honeycomb
+ mv sample-distribution-$version honeycomb
+
+ _untar_url "ves5/ves/${version}/ves-${version}-demo.tar.gz"
+ mv ves-$version $ves_path
+
+ _untar_url "ves5/ves_vfw_reporting/${version}/ves_vfw_reporting-${version}-demo.tar.gz"
+ mkdir -p $ves_reporting_path/code
+ mv ves_vfw_reporting-$version $ves_reporting_path/code/VESreporting
+
+ chmod +x $ves_reporting_path/code/VESreporting/go-client.sh
+ pushd $ves_reporting_path/bldjobs/
+ make clean
+ make
+ sleep 1
+ popd
+
+ # TODO(electrocucaracha) Fix it in upstream
+ sed -i 's/start vpp/systemctl start vpp/g' v_firewall_init.sh
+ mv vfirewall.sh /etc/init.d
+ update-rc.d vfirewall.sh defaults
+ systemctl start firewall
+ popd
+}
+
+mkdir -p /opt/config/
+echo "$protected_net_cidr" > /opt/config/protected_net_cidr.txt
+echo "$vfw_private_ip_0" > /opt/config/fw_ipaddr.txt
+echo "$vsn_private_ip_0" > /opt/config/sink_ipaddr.txt
+echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt
+echo "$dcae_collector_ip" > /opt/config/dcae_collector_ip.txt
+echo "$dcae_collector_port" > /opt/config/dcae_collector_port.txt
+
+echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf
+sysctl -p
+
+install_dependencies
+install_vpp
+install_vfw_scripts
diff --git a/vagrant/tests/vFW/packetgen b/vagrant/tests/vFW/packetgen
new file mode 100755
index 00000000..51d5c676
--- /dev/null
+++ b/vagrant/tests/vFW/packetgen
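Review bot: Nothing that the firewall script downloads and then runs as root is authenticated. In install_vpp the apt source is added with `[trusted=yes]`, which switches off signature verification for the VPP packages; `_untar_url` checks the tarball against a `.sha1` fetched from the same Nexus path, which detects a corrupted transfer (as its own message says) but not a replaced artifact; and install_vfw_scripts pulls `v_firewall_init.sh` and `vfirewall.sh` from `git.onap.org/demo/plain/` with no revision or digest pinned before installing them under /etc/init.d. Keep the expected digests (SHA-256 rather than SHA-1) and a fixed upstream revision in this repository, and drop `[trusted=yes]` if the fd.io repository can be verified with a signing key. The packetgen script repeats all three patterns and the sink script repeats the unpinned script download.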
@@ -0,0 +1,83 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+
+set -o nounset
+set -o pipefail
+set -o xtrace
+set -o errexit
+
+# install_dependencies() - Install required dependencies
+function install_dependencies {
+ apt-get update
+ apt-get install -y -qq wget openjdk-8-jre bridge-utils net-tools bsdmainutils
+}
+
+# install_vpp() - Install VPP
+function install_vpp {
+ local RELEASE=".stable.1609"
+
+ apt-get update
+ apt-get install -y -qq apt-transport-https
+ echo "deb [trusted=yes] https://nexus.fd.io/content/repositories/fd.io$RELEASE.ubuntu.$(lsb_release -c -s).main/ ./" | tee -a /etc/apt/sources.list.d/99fd.io.list
+ apt-get update
+ apt-get install -y -qq vpp vpp-lib vpp-plugins vpp-dpdk-dkms
+}
+
+function _untar_url {
+ local repo_url="https://nexus.onap.org/content/repositories/staging/org/onap/demo/vnf/"
+ local file_subpath=$1
+
+ wget -q -O tmp_file.tar.gz "${repo_url}/${file_subpath}"
+ sha1=$(wget ${repo_url}/${file_subpath}.sha1 -q -O -)
+ if [[ $(sha1sum tmp_file.tar.gz | awk '{print $1}') != "$sha1" ]]; then
+ echo "The downloaded file is corrupted"
+ exit 1
+ fi
+ tar -zmxf tmp_file.tar.gz
+ rm tmp_file.tar.gz
+}
+
+# install_vfw_scripts() -
+function install_vfw_scripts {
+ local version=$(cat /opt/config/demo_artifacts_version.txt)
+
+ pushd /opt
+ wget -q https://git.onap.org/demo/plain/vnfs/vFW/scripts/{v_packetgen_init,vpacketgen,run_traffic_fw_demo}.sh
+ chmod +x *.sh
+
+ _untar_url "sample-distribution/${version}/sample-distribution-${version}-hc.tar.gz"
+ mv sample-distribution-$version honeycomb
+
+ _untar_url "vfw/vfw_pg_streams/$version/vfw_pg_streams-$version-demo.tar.gz"
+ mv vfw_pg_streams-$version pg_streams
+
+ sed -i 's/"restconf-binding-address": "127.0.0.1",/"restconf-binding-address": "0.0.0.0",/g' /opt/honeycomb/config/honeycomb.json
+
+ # TODO(electrocucaracha) Fix it in upstream
+ sed -i 's/start vpp/systemctl start vpp/g' v_packetgen_init.sh
+ sed -i 's|/opt/honeycomb/sample-distribution-\$VERSION/honeycomb|/opt/honeycomb/honeycomb|g' v_packetgen_init.sh
+ mv vpacketgen.sh /etc/init.d/
+ update-rc.d vpacketgen.sh defaults
+ systemctl start packetgen
+ popd
+}
+
+mkdir -p /opt/config/
+echo "$protected_net_cidr" > /opt/config/protected_net_cidr.txt
+echo "$vfw_private_ip_0" > /opt/config/fw_ipaddr.txt
+echo "$vsn_private_ip_0" > /opt/config/sink_ipaddr.txt
+echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt
+
+echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf
+sysctl -p
+
+install_dependencies
+install_vpp
+install_vfw_scripts
diff --git a/vagrant/tests/vFW/sink b/vagrant/tests/vFW/sink
new file mode 100755
index 00000000..5604198f
--- /dev/null
+++ b/vagrant/tests/vFW/sink
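Review bot: In packetgen's install_vfw_scripts the sed that changes `restconf-binding-address` from `127.0.0.1` to `0.0.0.0` makes Honeycomb's RESTCONF listener reachable on every interface of the packet generator VM, presumably including the Vagrant management and ONAP networks, while the README added in this commit calls it with `Authorization: Basic YWRtaW46YWRtaW4=`, which decodes to the `admin:admin` pair. The README only needs the listener on `vpg_private_ip_0`, which the Vagrantfile already passes to the script through `env: vars`, so the replacement could use `$vpg_private_ip_0` instead of `0.0.0.0` (the sed expression then needs double quotes or a quote break so the variable expands). A comment above the sed saying why the loopback default is changed would help the next reader, and the default credentials should be replaced if the Honeycomb configuration allows it.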
@@ -0,0 +1,48 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+
+set -o nounset
+set -o pipefail
+set -o xtrace
+set -o errexit
+
+# install_dependencies() - Install required dependencies
+function install_dependencies {
+ apt-get update
+ apt install -y wget darkstat net-tools
+
+ # Configure and run Darkstat
+ sed -i "s/START_DARKSTAT=.*/START_DARKSTAT=yes/g;s/INTERFACE=.*/INTERFACE=\"-i eth1\"/g" /etc/darkstat/init.cfg
+
+ systemctl restart darkstat
+}
+
+# install_vfw_scripts() -
+function install_vfw_scripts {
+ pushd /opt
+ wget -q https://git.onap.org/demo/plain/vnfs/vFW/scripts/{v_sink_init,vsink}.sh
+ chmod +x *.sh
+
+ mv vsink.sh /etc/init.d
+ update-rc.d vsink.sh defaults
+ systemctl start sink
+ popd
+}
+
+mkdir -p /opt/config/
+echo "$protected_net_cidr" > /opt/config/protected_net_cidr.txt
+echo "$vfw_private_ip_0" > /opt/config/fw_ipaddr.txt
+echo "$vsn_private_ip_0" > /opt/config/sink_ipaddr.txt
+echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt
+echo "$protected_net_gw" > /opt/config/protected_net_gw.txt
+echo "$protected_private_net_cidr" > /opt/config/unprotected_net.txt
+
+install_dependencies
+install_vfw_scripts
-- cgit 1.2.3-korg
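Review bot: The sed in the sink script's install_dependencies enables darkstat and sets the capture interface but leaves the listening address at the package default, so the unauthenticated statistics page on port 667 is presumably served on every interface of the sink VM rather than only on `vsn_private_ip_0`, the address the README points the browser at. If the packaged /etc/darkstat/init.cfg carries the usual `BINDIP` setting, set it in the same sed, e.g. to `BINDIP="-b $vsn_private_ip_0"`. The hard-coded `-i eth1` also assumes the box's interface naming, which deserves a short comment. Separately, `apt install -y` should be `apt-get install -y -qq` as in the firewall and packetgen scripts, since the `apt` front end is not intended for scripted use.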