diff options
author | Michal Ptacek <m.ptacek@partner.samsung.com> | 2019-07-04 13:34:53 +0200 |
---|---|---|
committer | Michal Ptacek <m.ptacek@partner.samsung.com> | 2019-07-05 08:04:56 +0200 |
commit | 2a96f15ba63d572e9989a99fd4c4cc32a8d6b84f (patch) | |
tree | 3daad7e47bc154c6267f61b6010426a30728de19 /docs | |
parent | 26297040c0a6344107a57029db59ce637d9c1980 (diff) |
Adding notes from vFWCL in Dublin
This is just to share notes from the vFWCL exercise in Dublin.
Issue-ID: OOM-1900
Change-Id: I76cc577342a8e25a900b119462ff6c7768189382
Signed-off-by: Michal Ptacek <m.ptacek@partner.samsung.com>
Diffstat (limited to 'docs')
-rw-r--r-- | docs/images/vFWCL-dublin.jpg | bin | 0 -> 130332 bytes | |||
-rw-r--r-- | docs/vFWCL-notes.rst | 337 |
2 files changed, 337 insertions, 0 deletions
diff --git a/docs/images/vFWCL-dublin.jpg b/docs/images/vFWCL-dublin.jpg Binary files differnew file mode 100644 index 00000000..a943a5d4 --- /dev/null +++ b/docs/images/vFWCL-dublin.jpg diff --git a/docs/vFWCL-notes.rst b/docs/vFWCL-notes.rst new file mode 100644 index 00000000..17a49399 --- /dev/null +++ b/docs/vFWCL-notes.rst @@ -0,0 +1,337 @@ +************************************* +vFWCL on Dublin ONAP offline platform +************************************* + +|image0| + +This document is collecting notes we have from running vFirewall demo on offline Dublin platform +installed by ONAP offline installer tool. + +Overall it was much easier in compare with earlier version, however following steps are still needed. + +Some of the most relevant materials are available on following links: + +* `oom_quickstart_guide.html <https://docs.onap.org/en/dublin/submodules/oom.git/docs/oom_quickstart_guide.html>`_ +* `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_ + + +.. contents:: Table of Contents + :depth: 2 + + + +Step 1. Preconditions - before ONAP deployment +============================================== + +Understanding of the underlying OpenStack deployment is required from anyone applying these instructions. + +In addition, installation-specific location of the helm charts on the infra node must be known. +In this document it is referred to as <helm_charts_dir> + +Snippets below are describing areas we need to configure for successfull vFWCL demo. + +Pay attention to them and configure it (ideally before deployment) accordingly. + +**1) <helm_charts_dir>/onap/values.yaml**:: + + + ################################################################# + # Global configuration overrides. + # !!! VIM specific entries are in APPC / Robot & SO parts !!! + ################################################################# + global: + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + nodePortPrefixExt: 304 + + # ONAP Repository + # Uncomment the following to enable the use of a single docker + # repository but ONLY if your repository mirrors all ONAP + # docker images. This includes all images from dockerhub and + # any other repository that hosts images for ONAP components. + #repository: nexus3.onap.org:10001 + repositoryCred: + user: docker + password: docker + + # readiness check - temporary repo until images migrated to nexus3 + readinessRepository: oomk8s + # logging agent - temporary repo until images migrated to nexus3 + loggingRepository: docker.elastic.co + + # image pull policy + pullPolicy: Always + + # default mount path root directory referenced + # by persistent volumes and log files + persistence: + mountPath: /dockerdata-nfs + enableDefaultStorageclass: false + parameters: {} + storageclassProvisioner: kubernetes.io/no-provisioner + volumeReclaimPolicy: Retain + + # override default resource limit flavor for all charts + flavor: unlimited + + # flag to enable debugging - application support required + debugEnabled: false + + ################################################################# + # Enable/disable and configure helm charts (ie. applications) + # to customize the ONAP deployment. + ################################################################# + aaf: + enabled: true + aai: + enabled: true + appc: + enabled: true + config: + openStackType: "OpenStackProvider" + openStackName: "OpenStack" + openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0" + openStackServiceTenantName: "service" + openStackDomain: "default" + openStackUserName: "onap-tieto" + openStackEncryptedPassword: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" + cassandra: + enabled: true + clamp: + enabled: true + cli: + enabled: true + consul: + enabled: true + contrib: + enabled: true + dcaegen2: + enabled: true + pnda: + enabled: true + dmaap: + enabled: true + esr: + enabled: true + log: + enabled: true + sniro-emulator: + enabled: true + oof: + enabled: true + mariadb-galera: + enabled: true + msb: + enabled: true + multicloud: + enabled: true + nbi: + enabled: true + config: + # openstack configuration + openStackRegion: "Yolo" + openStackVNFTenantId: "1234" + nfs-provisioner: + enabled: true + policy: + enabled: true + pomba: + enabled: true + portal: + enabled: true + robot: + enabled: true + appcUsername: "appc@appc.onap.org" + appcPassword: "demo123456!" + openStackKeyStoneUrl: "http://10.20.30.40:5000" + openStackPublicNetId: "9403ceea-0738-4908-a826-316c8541e4bb" + openStackPublicNetworkName: "rc3-offline-network" + openStackTenantId: "b1ce7742d956463999923ceaed71786e" + openStackUserName: "onap-tieto" + ubuntu14Image: "trusty" + openStackPrivateNetId: "3c7aa2bd-ba14-40ce-8070-6a0d6a617175" + openStackPrivateSubnetId: "2bcb9938-9c94-4049-b580-550a44dc63b3" + openStackPrivateNetCidr: "10.0.0.0/16" + openStackSecurityGroup: "onap_sg" + openStackOamNetworkCidrPrefix: "10.0" + dcaeCollectorIp: "10.8.8.22" # this IP is taken from k8s host + vnfPubKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPwF2bYm2QuqZpjuAcZDJTcFdUkKv4Hbd/3qqbxf6g5ZgfQarCi+mYnKe9G9Px3CgFLPdgkBBnMSYaAzMjdIYOEdPKFTMQ9lIF0+i5KsrXvszWraGKwHjAflECfpTAWkPq2UJUvwkV/g7NS5lJN3fKa9LaqlXdtdQyeSBZAUJ6QeCE5vFUplk3X6QFbMXOHbZh2ziqu8mMtP+cWjHNBB47zHQ3RmNl81Rjv+QemD5zpdbK/h6AahDncOY3cfN88/HPWrENiSSxLC020sgZNYgERqfw+1YhHrclhf3jrSwCpZikjl7rqKroua2LBI/yeWEta3amTVvUnR2Y7gM8kHyh Generated-by-Nova" + demoArtifactsVersion: "1.4.0" # Dublin prefered is 1.4.0 + demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases" + scriptVersion: "1.4.0" # Dublin prefered is 1.4.0 + rancherIpAddress: "10.8.8.8" # this IP is taken from infra node + config: + # instructions how to generate this value properly are in OOM quick quide mentioned above + openStackEncryptedPasswordHere: "f7920677e15e2678b0f33736189e8965" + + sdc: + enabled: true + sdnc: + enabled: true + + replicaCount: 1 + + mysql: + replicaCount: 1 + so: + enabled: true + config: + openStackUserName: "onap-tieto" + openStackRegion: "RegionOne" + openStackKeyStoneUrl: "http://10.20.30.40:5000" + openStackServiceTenantName: "services" + # instructions how to generate this value properly are in OOM quick quide mentioned above + openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" + + replicaCount: 1 + + liveness: + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + + so-catalog-db-adapter: + config: + openStackUserName: "onap-tieto" + openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0" + # instructions how to generate this value properly are in OOM quick quide mentioned above + openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" + + uui: + enabled: true + vfc: + enabled: true + vid: + enabled: true + vnfsdk: + enabled: true + modeling: + enabled: true + + +**2) <helm_charts_dir>/robot/resources/config/eteshare/config/vm_properties.py**:: + + # following patch is required because in Dublin public network is hardcoded + # reported in TEST-166 and is implemented in El-Alto + # just add following row into file + GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK = '{{ .Values.openStackPublicNetworkName }}' + + + +Step 2. Preconditions - after ONAP deployment +============================================= + + +Run HealthChecks after successful deployment, all of them must pass + +Relevant robot scripts are under <helm_charts_dir>/oom/kubernetes/robot + +:: + + [root@tomas-infra robot]# ./ete-k8s.sh onap health + + 61 critical tests, 61 passed, 0 failed + 61 tests total, 61 passed, 0 failed + +very useful page describing commands for `manual checking of HC’s <https://wiki.onap.org/display/DW/Robot+Healthcheck+Tests+on+ONAP+Components#RobotHealthcheckTestsonONAPComponents-ApplicationController(APPC)Healthcheck>`_ + +Step 3. Patch public network +============================ + +This is the last part of correction for `TEST-166 <https://jira.onap.org/browse/TEST-166>`_ needed for Dublin branch. + +:: + + [root@tomas-infra helm_charts]# kubectl get pods -n onap | grep robot + onap-robot-robot-5c7c46bbf4-4zgkn 1/1 Running 0 3h15m + [root@tomas-infra helm_charts]# kubectl exec -it onap-robot-robot-5c7c46bbf4-4zgkn bash + root@onap-robot-robot-5c7c46bbf4-4zgkn:/# cd /var/opt/ONAP/ + root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/demo_preload.robot + root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/policy_check_vfw.robot + root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/validate_vfw.robot + + +Step 4. Set private key for robot when accessing VNFs +===================================================== + +This is workaround for ticket `TEST-167 <https://jira.onap.org/browse/TEST-167>`_, as of now robot is using following file as private key +*/var/opt/ONAP/robot/assets/keys/onap_dev.pvt* + +One can either set it to own private key, corresponding with public key inserted into VMs from *vnfPubKey* param +OR +set mount own private key into robot container and change GLOBAL_VM_PRIVATE_KEY in */var/opt/ONAP/robot/resources/global_properties.robot* + + +Step 5. robot init - demo services distribution +================================================ + +Run following robot script to execute both init_customer + distribute + +:: + + # demo-k8s.sh <namespace> init + + [root@tomas-infra robot]# ./demo-k8s.sh onap init + + + +Step 6. robot instantiateVFW +============================ + +Following tag is used for whole vFWCL testcase. It will deploy single heat stack with 3 VMs and set policies and APPC mount point for vFWCL to happen. + +:: + + # demo-k8s.sh <namespace> instantiateVFW + + root@tomas-infra robot]# ./demo-k8s.sh onap instantiateVFW + +Step 7. fix CloseLoopName in tca microservice +============================================= + +In Dublin scope, tca microservice is configured with hardcoded entries from `tcaSpec.json <https://gerrit.onap.org/r/gitweb?p=dcaegen2/analytics/tca.git;a=blob;f=dpo/tcaSpec.json;h=8e69c068ea47300707b8131fbc8d71e9a47af8a2;hb=HEAD#l278>`_ + +After updating operational policy within instantiateVFW robot tag execution, one must change CloseLoopName in tca to match with generated +value in policy. This is done in two parts: + +a) get correct value + +:: + + # from drools container, i.e. drools in Dublin is not mapped to k8s host + curl -k --silent --user 'demo@people.osaaf.org:demo123456!' -X GET https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops --insecure + + + # alternatively same value can be obtained from telemetry console in drools container + telemetry + https://localhost:9696/policy/pdp/engine> cd controllers/usecases/drools/facts/usecases/controlloops + https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops> get + HTTP/1.1 200 OK + Content-Length: 62 + Content-Type: application/json + Date: Tue, 25 Jun 2019 07:18:56 GMT + Server: Jetty(9.4.14.v20181114) + [ + "ControlLoop-vFirewall-da1fd2be-2a26-4704-ab99-cd80fe1cf89c" + ] + +b) update the tca microservice + +see Preconditions part in `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_ +This step will be automated in El-Alto, it's tracked in `TEST-168 <https://jira.onap.org/browse/TEST-168>`_ + +Step 8. verify vFW +================== + +Verify VFWCL. This step is just to verify CL functionality, which can be also verified by checking DarkStat GUI on vSINK VM <sink_ip:667> + +:: + + # demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address> + # e.g. where 10.8.8.5 is IP from public network dedicated to vPKG VM + root@tomas-infra robot]# ./demo-k8s.sh onap vfwclosedloop 10.8.8.5 + +.. |image0| image:: images/vFWCL-dublin.jpg + :width: 387px + :height: 393px |