-rwxr-xr-x | build/build_nexus_blob.sh | 41 | ||||
-rwxr-xr-x | build/download/clean_docker_images.py | 71 | ||||
-rw-r--r-- | build/download/downloader.py | 4 | ||||
-rw-r--r-- | docs/images/vFWCL-dublin.jpg | bin | 0 -> 130332 bytes | |||
-rw-r--r-- | docs/vFWCL-notes.rst | 337 |
5 files changed, 435 insertions, 18 deletions
diff --git a/build/build_nexus_blob.sh b/build/build_nexus_blob.sh
index f3edb482..5f4ed0ff 100755
--- a/build/build_nexus_blob.sh
+++ b/build/build_nexus_blob.sh
@@ -53,31 +53,41 @@ NEXUS_EMAIL=admin@example.org
 LOCAL_PATH="$(readlink -f $(dirname ${0}))"
 #Defaults
+DOCKER_LOAD="false"
 DATA_DIR="$(realpath ${LOCAL_PATH}/../../resources)"
 NEXUS_DATA_DIR="${DATA_DIR}/nexus_data"
 LISTS_DIR="${LOCAL_PATH}/data_lists"
 usage () {
 echo "
 Example usage: build_nexus_blob.sh --input-directory </path/to/downloaded/files/dir> --output-directory
- </path/to/output/dir> --resource-list-directory </path/to/dir/with/resource/list>
+ </path/to/output/dir> --resource-list-directory </path/to/dir/with/resource/list> [--load-docker-images]
- -i | --input-directory directory containing file needed to create nexus blob. The structure of this directory must organized as described in build guide
- -o | --output-directory
- -rl | --resource-list-directory directory with files containing docker, pypi and npm lists
+ -i | --input-directory directory containing file needed to create nexus blob. The structure of this directory must organized as described in build guide
+ -ld | --load-docker-images load docker images from stored files in the input directory
+ -o | --output-directory
+ -rl | --resource-list-directory directory with files containing docker, pypi and npm lists
 "
 exit 1
 }
-while [ "$1" != "" ]; do
- case $1 in
+load_docker_images () {
+ for ARCHIVE in $(sed $'s/\r// ; /^#/d ; s/\:/\_/g ; s/\//\_/g ; s/$/\.tar/g' ${1} | awk '{ print $1 }'); do
+ docker load -i ${NXS_SRC_DOCKER_IMG_DIR}/${ARCHIVE}
+ done
+}
+
+while [ "${1}" != "" ]; do
+ case ${1} in
 -i | --input-directory ) shift
- DATA_DIR=$1
+ DATA_DIR="${1}"
+ ;;
+ -ld | --load-docker-images ) DOCKER_LOAD="true"
 ;;
 -o | --output-directory ) shift
- NEXUS_DATA_DIR=$1
+ NEXUS_DATA_DIR="${1}"
 ;;
 -rl | --resource-list-directory ) shift
- LISTS_DIR=$1
+ LISTS_DIR="${1}"
 ;;
 -h | --help ) usage
 ;;
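Review bot: In the new `load_docker_images` the exit status of each `docker load` is ignored, so a missing or corrupt archive is skipped and the blob build continues with an incomplete image set (unless the script enables `set -e` above this hunk, which is outside it). The unquoted `${NXS_SRC_DOCKER_IMG_DIR}/${ARCHIVE}` also undergoes word splitting and globbing on a path derived from the list file; `docker load -i "${NXS_SRC_DOCKER_IMG_DIR}/${ARCHIVE}" || { echo "failed to load ${ARCHIVE}" >&2; exit 1; }` closes both. The removed loop had the same unquoted pattern, so this is a carry-over rather than a regression; `NXS_SRC_DOCKER_IMG_DIR` is assigned outside the hunk.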
@@ -179,13 +189,12 @@ fi
 # Docker repository preparation #
 #################################
-# Load predefined Nexus image
-docker load -i ${NEXUS_IMAGE_TAR}
-
-# Load all necessary images
-for ARCHIVE in $(sed $'s/\r// ; /^#/d ; s/\:/\_/g ; s/\//\_/g ; s/$/\.tar/g' ${NXS_DOCKER_IMG_LIST} | awk '{ print $1 }'); do
- docker load -i ${NXS_SRC_DOCKER_IMG_DIR}/${ARCHIVE}
-done
+if [ "${DOCKER_LOAD}" == "true" ]; then
+ # Load predefined Nexus image
+ docker load -i ${NEXUS_IMAGE_TAR}
+ # Load all necessary images
+ load_docker_images ${NXS_DOCKER_IMG_LIST}
+fi
 ################################
 # Nexus repository preparation #
diff --git a/build/download/clean_docker_images.py b/build/download/clean_docker_images.py
new file mode 100755
index 00000000..186bfd60
--- /dev/null
+++ b/build/download/clean_docker_images.py
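Review bot: Gating the Nexus image load behind `DOCKER_LOAD`, which the first hunk defaults to `"false"`, silently changes the script's previous behaviour: without `--load-docker-images` the script now relies on `${NEXUS_IMAGE_TAR}` and every image in `${NXS_DOCKER_IMG_LIST}` already being present in the local daemon, and whatever starts the Nexus container later in the script (outside this hunk) will presumably fail, or attempt a registry pull, if they are not. It is worth stating in the usage text that images are expected to be pre-loaded unless the flag is given, or failing early here with a `docker image inspect "${NEXUS_IMAGE_TAR%.tar}" >/dev/null || usage`-style check; the exact image reference is not visible in this hunk, so that line is only a sketch.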
@@ -0,0 +1,71 @@
+#! /usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# COPYRIGHT NOTICE STARTS HERE
+
+# Copyright 2019 © Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# COPYRIGHT NOTICE ENDS HERE
+
+
+import argparse
+import docker
+import logging
+import sys
+
+from downloader import AbstractDownloader
+from docker_downloader import DockerDownloader
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('image_lists', nargs='+', help='Images to keep')
+    parser.add_argument('--debug', '-d', action='store_true', help='Debugging messages')
+    args = parser.parse_args()
+
+    if args.debug:
+        logging.basicConfig(level=logging.DEBUG, stream=sys.stdout)
+    else:
+        logging.basicConfig(level=logging.INFO, stream=sys.stdout, format='%(message)s')
+
+    target = set()
+    for lst in args.image_lists:
+        target = target.union(AbstractDownloader.load_list(lst))
+
+    target = set(map(DockerDownloader.image_registry_name, target))
+
+    client = docker.client.DockerClient(version='auto')
+
+    errors = 0
+    for image in client.images.list():
+        for tag in image.tags:
+            logging.debug('Checking {}'.format(tag))
+            if tag not in target:
+                logging.debug('Image \'{}\' not in lists'.format(tag))
+                logging.info('Removing: {}'.format(tag))
+                try:
+                    client.images.remove(tag)
+                    logging.info('Removed: {}'.format(tag))
+                except docker.errors.APIError as err:
+                    errors += 1
+                    logging.exception(err)
+            else:
+                logging.debug('Image \'{}\' found in lists.'.format(tag))
+    sys.exit(errors)
+
+
+if __name__ == '__main__':
+    main()
+
diff --git a/build/download/downloader.py b/build/download/downloader.py
index 64403300..7aece0cd 100644
--- a/build/download/downloader.py
+++ b/build/download/downloader.py
@@ -32,7 +32,7 @@ class AbstractDownloader(ABC):
 def __init__(self, list_type, *list_args):
 self._list_type = list_type
 self._data_list = {item: list_arg[1] for list_arg in list_args
- for item in self._load_list(list_arg[0])}
+ for item in self.load_list(list_arg[0])}
 self._missing = self.missing()
 @property
@@ -43,7 +43,7 @@ class AbstractDownloader(ABC):
 return self._list_type
 @staticmethod
- def _load_list(path):
+ def load_list(path):
 """
 Load list from file.
 :param path: path to file
diff --git a/docs/images/vFWCL-dublin.jpg b/docs/images/vFWCL-dublin.jpg
Binary files differnew file mode 100644
index 00000000..a943a5d4
--- /dev/null
+++ b/docs/images/vFWCL-dublin.jpg
diff --git a/docs/vFWCL-notes.rst b/docs/vFWCL-notes.rst
new file mode 100644
index 00000000..17a49399
--- /dev/null
+++ b/docs/vFWCL-notes.rst
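Review bot: `sys.exit(errors)` at the end of `main()` in clean_docker_images.py uses the raw failure count as the process exit status, which wraps modulo 256 on POSIX, so exactly 256 failed removals would report success; `sys.exit(1 if errors else 0)` keeps the signal intact. The loop also removes every tag that is not in the lists with no dry-run or confirmation, and an empty or mis-specified list file therefore turns the run into a wipe of the daemon's tagged images; a `parser.add_argument('--dry-run', '-n', action='store_true', help='Only log images that would be removed')` flag, checked with `if args.dry_run: continue` before the `try`, lets operators verify the candidate set first. Images with no tags are never visited because the inner loop iterates `image.tags`, which may be intended (dangling layers are left to `docker image prune`) but deserves a comment such as `# untagged (dangling) images are deliberately left alone`.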
@@ -0,0 +1,337 @@ +************************************* +vFWCL on Dublin ONAP offline platform +************************************* + +|image0| + +This document is collecting notes we have from running vFirewall demo on offline Dublin platform +installed by ONAP offline installer tool. + +Overall it was much easier in compare with earlier version, however following steps are still needed. + +Some of the most relevant materials are available on following links: + +* `oom_quickstart_guide.html <https://docs.onap.org/en/dublin/submodules/oom.git/docs/oom_quickstart_guide.html>`_ +* `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_ + + +.. contents:: Table of Contents + :depth: 2 + + + +Step 1. Preconditions - before ONAP deployment +============================================== + +Understanding of the underlying OpenStack deployment is required from anyone applying these instructions. + +In addition, installation-specific location of the helm charts on the infra node must be known. +In this document it is referred to as <helm_charts_dir> + +Snippets below are describing areas we need to configure for successfull vFWCL demo. + +Pay attention to them and configure it (ideally before deployment) accordingly. + +**1) <helm_charts_dir>/onap/values.yaml**:: + + + ################################################################# + # Global configuration overrides. + # !!! VIM specific entries are in APPC / Robot & SO parts !!! + ################################################################# + global: + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + nodePortPrefixExt: 304 + + # ONAP Repository + # Uncomment the following to enable the use of a single docker + # repository but ONLY if your repository mirrors all ONAP + # docker images. 
This includes all images from dockerhub and + # any other repository that hosts images for ONAP components. + #repository: nexus3.onap.org:10001 + repositoryCred: + user: docker + password: docker + + # readiness check - temporary repo until images migrated to nexus3 + readinessRepository: oomk8s + # logging agent - temporary repo until images migrated to nexus3 + loggingRepository: docker.elastic.co + + # image pull policy + pullPolicy: Always + + # default mount path root directory referenced + # by persistent volumes and log files + persistence: + mountPath: /dockerdata-nfs + enableDefaultStorageclass: false + parameters: {} + storageclassProvisioner: kubernetes.io/no-provisioner + volumeReclaimPolicy: Retain + + # override default resource limit flavor for all charts + flavor: unlimited + + # flag to enable debugging - application support required + debugEnabled: false + + ################################################################# + # Enable/disable and configure helm charts (ie. applications) + # to customize the ONAP deployment. 
+ ################################################################# + aaf: + enabled: true + aai: + enabled: true + appc: + enabled: true + config: + openStackType: "OpenStackProvider" + openStackName: "OpenStack" + openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0" + openStackServiceTenantName: "service" + openStackDomain: "default" + openStackUserName: "onap-tieto" + openStackEncryptedPassword: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" + cassandra: + enabled: true + clamp: + enabled: true + cli: + enabled: true + consul: + enabled: true + contrib: + enabled: true + dcaegen2: + enabled: true + pnda: + enabled: true + dmaap: + enabled: true + esr: + enabled: true + log: + enabled: true + sniro-emulator: + enabled: true + oof: + enabled: true + mariadb-galera: + enabled: true + msb: + enabled: true + multicloud: + enabled: true + nbi: + enabled: true + config: + # openstack configuration + openStackRegion: "Yolo" + openStackVNFTenantId: "1234" + nfs-provisioner: + enabled: true + policy: + enabled: true + pomba: + enabled: true + portal: + enabled: true + robot: + enabled: true + appcUsername: "appc@appc.onap.org" + appcPassword: "demo123456!" 
+ openStackKeyStoneUrl: "http://10.20.30.40:5000" + openStackPublicNetId: "9403ceea-0738-4908-a826-316c8541e4bb" + openStackPublicNetworkName: "rc3-offline-network" + openStackTenantId: "b1ce7742d956463999923ceaed71786e" + openStackUserName: "onap-tieto" + ubuntu14Image: "trusty" + openStackPrivateNetId: "3c7aa2bd-ba14-40ce-8070-6a0d6a617175" + openStackPrivateSubnetId: "2bcb9938-9c94-4049-b580-550a44dc63b3" + openStackPrivateNetCidr: "10.0.0.0/16" + openStackSecurityGroup: "onap_sg" + openStackOamNetworkCidrPrefix: "10.0" + dcaeCollectorIp: "10.8.8.22" # this IP is taken from k8s host + vnfPubKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPwF2bYm2QuqZpjuAcZDJTcFdUkKv4Hbd/3qqbxf6g5ZgfQarCi+mYnKe9G9Px3CgFLPdgkBBnMSYaAzMjdIYOEdPKFTMQ9lIF0+i5KsrXvszWraGKwHjAflECfpTAWkPq2UJUvwkV/g7NS5lJN3fKa9LaqlXdtdQyeSBZAUJ6QeCE5vFUplk3X6QFbMXOHbZh2ziqu8mMtP+cWjHNBB47zHQ3RmNl81Rjv+QemD5zpdbK/h6AahDncOY3cfN88/HPWrENiSSxLC020sgZNYgERqfw+1YhHrclhf3jrSwCpZikjl7rqKroua2LBI/yeWEta3amTVvUnR2Y7gM8kHyh Generated-by-Nova" + demoArtifactsVersion: "1.4.0" # Dublin prefered is 1.4.0 + demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases" + scriptVersion: "1.4.0" # Dublin prefered is 1.4.0 + rancherIpAddress: "10.8.8.8" # this IP is taken from infra node + config: + # instructions how to generate this value properly are in OOM quick quide mentioned above + openStackEncryptedPasswordHere: "f7920677e15e2678b0f33736189e8965" + + sdc: + enabled: true + sdnc: + enabled: true + + replicaCount: 1 + + mysql: + replicaCount: 1 + so: + enabled: true + config: + openStackUserName: "onap-tieto" + openStackRegion: "RegionOne" + openStackKeyStoneUrl: "http://10.20.30.40:5000" + openStackServiceTenantName: "services" + # instructions how to generate this value properly are in OOM quick quide mentioned above + openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" + + replicaCount: 1 + + liveness: + # necessary to disable liveness 
probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + + so-catalog-db-adapter: + config: + openStackUserName: "onap-tieto" + openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0" + # instructions how to generate this value properly are in OOM quick quide mentioned above + openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" + + uui: + enabled: true + vfc: + enabled: true + vid: + enabled: true + vnfsdk: + enabled: true + modeling: + enabled: true + + +**2) <helm_charts_dir>/robot/resources/config/eteshare/config/vm_properties.py**:: + + # following patch is required because in Dublin public network is hardcoded + # reported in TEST-166 and is implemented in El-Alto + # just add following row into file + GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK = '{{ .Values.openStackPublicNetworkName }}' + + + +Step 2. Preconditions - after ONAP deployment +============================================= + + +Run HealthChecks after successful deployment, all of them must pass + +Relevant robot scripts are under <helm_charts_dir>/oom/kubernetes/robot + +:: + + [root@tomas-infra robot]# ./ete-k8s.sh onap health + + 61 critical tests, 61 passed, 0 failed + 61 tests total, 61 passed, 0 failed + +very useful page describing commands for `manual checking of HC’s <https://wiki.onap.org/display/DW/Robot+Healthcheck+Tests+on+ONAP+Components#RobotHealthcheckTestsonONAPComponents-ApplicationController(APPC)Healthcheck>`_ + +Step 3. Patch public network +============================ + +This is the last part of correction for `TEST-166 <https://jira.onap.org/browse/TEST-166>`_ needed for Dublin branch. 
+ +:: + + [root@tomas-infra helm_charts]# kubectl get pods -n onap | grep robot + onap-robot-robot-5c7c46bbf4-4zgkn 1/1 Running 0 3h15m + [root@tomas-infra helm_charts]# kubectl exec -it onap-robot-robot-5c7c46bbf4-4zgkn bash + root@onap-robot-robot-5c7c46bbf4-4zgkn:/# cd /var/opt/ONAP/ + root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/demo_preload.robot + root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/policy_check_vfw.robot + root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/validate_vfw.robot + + +Step 4. Set private key for robot when accessing VNFs +===================================================== + +This is workaround for ticket `TEST-167 <https://jira.onap.org/browse/TEST-167>`_, as of now robot is using following file as private key +*/var/opt/ONAP/robot/assets/keys/onap_dev.pvt* + +One can either set it to own private key, corresponding with public key inserted into VMs from *vnfPubKey* param +OR +set mount own private key into robot container and change GLOBAL_VM_PRIVATE_KEY in */var/opt/ONAP/robot/resources/global_properties.robot* + + +Step 5. robot init - demo services distribution +================================================ + +Run following robot script to execute both init_customer + distribute + +:: + + # demo-k8s.sh <namespace> init + + [root@tomas-infra robot]# ./demo-k8s.sh onap init + + + +Step 6. robot instantiateVFW +============================ + +Following tag is used for whole vFWCL testcase. It will deploy single heat stack with 3 VMs and set policies and APPC mount point for vFWCL to happen. 
+ +:: + + # demo-k8s.sh <namespace> instantiateVFW + + root@tomas-infra robot]# ./demo-k8s.sh onap instantiateVFW + +Step 7. fix CloseLoopName in tca microservice +============================================= + +In Dublin scope, tca microservice is configured with hardcoded entries from `tcaSpec.json <https://gerrit.onap.org/r/gitweb?p=dcaegen2/analytics/tca.git;a=blob;f=dpo/tcaSpec.json;h=8e69c068ea47300707b8131fbc8d71e9a47af8a2;hb=HEAD#l278>`_ + +After updating operational policy within instantiateVFW robot tag execution, one must change CloseLoopName in tca to match with generated +value in policy. This is done in two parts: + +a) get correct value + +:: + + # from drools container, i.e. drools in Dublin is not mapped to k8s host + curl -k --silent --user 'demo@people.osaaf.org:demo123456!' -X GET https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops --insecure + + + # alternatively same value can be obtained from telemetry console in drools container + telemetry + https://localhost:9696/policy/pdp/engine> cd controllers/usecases/drools/facts/usecases/controlloops + https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops> get + HTTP/1.1 200 OK + Content-Length: 62 + Content-Type: application/json + Date: Tue, 25 Jun 2019 07:18:56 GMT + Server: Jetty(9.4.14.v20181114) + [ + "ControlLoop-vFirewall-da1fd2be-2a26-4704-ab99-cd80fe1cf89c" + ] + +b) update the tca microservice + +see Preconditions part in `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_ +This step will be automated in El-Alto, it's tracked in `TEST-168 <https://jira.onap.org/browse/TEST-168>`_ + +Step 8. verify vFW +================== + +Verify VFWCL. This step is just to verify CL functionality, which can be also verified by checking DarkStat GUI on vSINK VM <sink_ip:667> + +:: + + # demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address> + # e.g. 
where 10.8.8.5 is IP from public network dedicated to vPKG VM + root@tomas-infra robot]# ./demo-k8s.sh onap vfwclosedloop 10.8.8.5 + +.. |image0| image:: images/vFWCL-dublin.jpg + :width: 387px + :height: 393px |